CN116405314A - Method and device for authenticating source address identity of access network - Google Patents


Info

Publication number
CN116405314A
Authority
CN
China
Prior art keywords
client
access
ipv6 address
authentication
switch
Prior art date
Legal status
Pending
Application number
CN202310544192.1A
Other languages
Chinese (zh)
Inventor
张凤波
刘绍样
张根兵
施卫华
刘林
邓润生
Current Assignee
Beijing Cernet Huili Security Technology Co ltd
Original Assignee
Beijing Cernet Huili Security Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Cernet Huili Security Technology Co ltd
Priority to CN202310544192.1A
Publication of CN116405314A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L2101/659 Internet protocol version 6 [IPv6] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a method and a device for authenticating the identity of an access network source address. The method comprises the following steps: an admission verification server receives a single authorization data packet sent by an admission client, the data packet carrying the IPv6 address information of the client; the authentication service is released for the IPv6 address of the client; an authentication request initiated by the client is received and, after the authentication passes, a corresponding IPv6 address interval is allocated to the client and a correspondence between the client and the address interval is established; the address interval is sent to the admission switch, the admission switch establishes a mapping relation table between the MAC address of the client and the port number of the access switch, the IPv6 address interval allocated to the client is sent to the client, and the client sends packets with source addresses in the IPv6 address interval to the access switch for identity authentication of the access network source address. The invention solves the problem that access admission equipment is easily attacked, among others, and achieves the effect of verifying the identity of the access network source address.

Description

Method and device for authenticating source address identity of access network
Technical Field
The embodiment of the invention relates to the field of computers, in particular to an access network source address identity authentication method and device.
Background
The network addressing architecture based on real IPv6 source addresses is described in RFC 5210 (Source Address Validation Architecture (SAVA) Testbed and Deployment Experience), approved by the IETF. It is an early Informational RFC and the first Internet RFC in a core Internet technology area (one not specific to Chinese-language matters) with Chinese scholars as its principal signatories. The "single packet authorization" technique (Single Packet Authorization, SPA) is a new method of protecting IP-based communications first proposed in 2004 by Michael Rash, the creator of Cipherdyne.
In a conventional IPv4 network, forwarding of data packets is based on the destination address while the source address is essentially not checked, so attacks with forged source addresses are easy and frequent. Because the source address is not verified, no trust relationship can be established at the network layer. This gives rise to a number of problems, and the present invention aims to solve several of the problems associated with the lack of trust in the current Internet. The TCP/IP network architecture is used throughout the Internet, and the invention provides a set of identity authentication solutions that strengthen security protection on the authentication flow.
It can be seen that the related art has the problem that access admission equipment is vulnerable to attack, among others.
In view of the above problems in the related art, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a method and a device for authenticating the source address identity of an access network, which at least solve the problem in the related art that access admission equipment is easily attacked, among others.
According to one embodiment of the present invention, there is provided an access network source address identity authentication method, including: an admission verification server receives a single authorization data packet sent by an admission client, the data packet carrying the IPv6 address information of the client; the authentication service is released for the IPv6 address of the client; an authentication request initiated by the client is received and, after the authentication passes, a corresponding IPv6 address interval is allocated to the client and a correspondence between the client and the address interval is established; the address interval is sent to the admission switch, the admission switch establishes a mapping relation table between the MAC address of the client and the port number of the access switch, the IPv6 address interval allocated to the client is sent to the client, and the client sends packets with source addresses in the IPv6 address interval to the access switch for identity authentication of the access network source address.
Further, after sending the IPv6 address interval allocated to the client, the method further includes: when the admission switch receives an extensible authentication protocol (EAP) request from a target client, parsing the EAP request to obtain the MAC address of the target client and the port number of the switch; filtering the MAC address of the target client and the port number of the switch against the mapping relation table; and allowing the target client to access the Internet if the filtering passes, and refusing it access to the Internet if the filtering does not pass.
Further, the admission verification server receiving the single authorization packet sent by the admission client includes: the admission verification server receives the single authorization data packet that the client sent to the authentication verification module of the admission switch; and after receiving the client-initiated authentication request, the method further comprises: the authentication verification module performs identity verification on the single authorization data packet and, if the verification passes, opens communication between the client and the proxy module of the admission switch.
Further, after opening communication between the client and the proxy module of the admission switch, the method further comprises: the proxy module in the switch receives an extensible authentication protocol (EAP) request sent by the client, the EAP request being constructed by the client from the authentication credentials submitted by the user; and the proxy module encapsulates the EAP request, the IPv6 address of the admission switch and the port number of the access switch to which the client is connected in a remote authentication dial-in user service (RADIUS) Access-Request packet and sends it to the admission authentication server.
Further, the method further comprises: the admission verification server runs an identity verification module and verifies the identity of the user sent by the client by user name and password; if the verification does not pass, it sends an Access-Reject packet to the proxy module in the switch and the client is not allowed to access the network; if the verification passes, it allocates an IPv6 address interval to the client according to the identity information of the user and attaches the address interval to a RADIUS Access-Accept packet sent to the admission switch.
Further, after the address interval is attached to the RADIUS Access-Accept packet sent to the admission switch, the method further comprises: the admission switch parses the IPv6 address interval from the Access-Accept packet, passes it to the IPv6 address filtering module to form a correspondence, writes the correspondence into the mapping relation table, and adds the allocated IPv6 address interval to an EAP-Success packet sent to the client; the client parses the IPv6 address interval from the EAP-Success packet, configures it in its IPv6 packet sending module and sends, through the IPv6 packet sending module, IPv6 packets whose source address lies in the IPv6 address interval, and the IPv6 address filtering module filters those packets on receipt.
According to another embodiment of the present invention, there is provided an access network source address identity authentication apparatus comprising a first sending unit, a verification unit, a receiving unit and a second sending unit, wherein the first sending unit is used for receiving a single authorization data packet sent by an admission client, the data packet carrying the IPv6 address information of the client; the verification unit is used for releasing the identity verification service for the IPv6 address of the client; the receiving unit is used for receiving an authentication request initiated by the client, allocating a corresponding IPv6 address interval to the client after the authentication passes, and establishing a correspondence between the client and the address interval; and the second sending unit is used for sending the address interval to the admission switch, which establishes a mapping relation table between the MAC address of the client and the port number of the access switch, and for sending the IPv6 address interval allocated to the client to the client, the client then sending packets with source addresses in the IPv6 address interval to the access switch for identity authentication of the access network source address.
Further, the apparatus further comprises: a parsing unit, used for parsing the extensible authentication protocol (EAP) request when the admission switch receives an EAP request from a target client after the IPv6 address interval allocated to the client has been sent to the client, so as to obtain the MAC address of the target client and the port number of the switch; a filtering unit, configured to filter the MAC address of the target client and the port number of the switch against the mapping relation table; and a processing unit, used for allowing the target client to access the Internet if the filtering passes and refusing it access to the Internet if the filtering does not pass.
According to a further embodiment of the invention, there is also provided a computer readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
According to the invention, the admission verification server receives the single authorization data packet sent by the admission client, the data packet carrying the IPv6 address information of the client; the authentication service is released for the IPv6 address of the client; an authentication request initiated by the client is received and, after the authentication passes, a corresponding IPv6 address interval is allocated to the client and a correspondence between the client and the address interval is established; the address interval is sent to the admission switch, the admission switch establishes a mapping relation table between the MAC address of the client and the port number of the access switch, the IPv6 address interval allocated to the client is sent to the client, and the client sends packets with source addresses in the IPv6 address interval to the access switch for identity authentication of the access network source address. The problem in the related art that access equipment is easily attacked, among others, can thus be solved, and the effect of verifying the identity of the access network source address is achieved.
Drawings
Fig. 1 is a hardware block diagram of a mobile terminal of an access network source address identity authentication method according to an embodiment of the present invention;
fig. 2 is a flow chart of an access network source address identity authentication method according to an embodiment of the present invention;
fig. 3 is a network connection topology diagram of the present embodiment;
FIG. 4 is a schematic diagram of the functional modules and business processes of the present embodiment;
FIG. 5 is a schematic diagram of the data flow of the present embodiment;
fig. 6 is a block diagram of an access network source address identity authentication device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided in the embodiments of the present application may be performed in a mobile terminal, a computer terminal or similar computing device. Taking the operation on a mobile terminal as an example, fig. 1 is a block diagram of a hardware structure of a mobile terminal of an access network source address identity authentication method according to an embodiment of the present invention. As shown in fig. 1, a mobile terminal may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, wherein the mobile terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and not limiting of the structure of the mobile terminal described above. For example, the mobile terminal may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to an access network source address identity authentication method in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the method described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the mobile terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
In this embodiment, a method for authenticating an access network source address is provided, and fig. 2 is a flowchart of a method for authenticating an access network source address according to an embodiment of the present invention, as shown in fig. 2, where the flowchart includes the following steps:
step S101, an admission verification server receives a single authorization data packet sent by an admission client, wherein the data packet carries IPV6 address information of the client;
step S102, releasing the authentication service for the IPV6 address of the client;
step S103, receiving an authentication request initiated by a client, after passing the authentication, distributing a corresponding IPV6 address interval for the client, and establishing a corresponding relationship between the client and the address interval;
step S104, the address interval is sent to the admission switch, the admission switch establishes a mapping relation table between the MAC address of the client and the port number of the access switch, the IPv6 address interval allocated to the client is sent to the client, and the client sends packets with source addresses in the IPv6 address interval to the access switch for identity authentication of the access network source address.
In the above embodiment, a user logs in to the client with an account and the client sends a single authorization data packet, carrying the IPv6 address information of the client among other things, to the admission verification server. The admission verification server releases the authentication service for the IPv6 address of the client in order to verify the client's identity and responds to the client's authentication request by verifying its identity information; the authentication may be based on an account and password or the like. After authentication it allocates a section of IPv6 address interval to the client, establishes a correspondence between that address interval and the client, and sends the allocated address interval to the admission switch, which stores it in a mapping table of the MAC address of the client and the port number of the access switch; the mapping table may store the correspondence between the MAC address of the client, the IPv6 interval and the port number of the access switch. The allocated IPv6 address interval is also sent to the client, which uses it as the source address of packets sent to the access switch, where the identity of the access source address is verified. In this way the identity of the access network source address can be verified and the problem in the related art that access equipment is easily attacked, among others, can be solved.
Optionally, after the IPv6 address interval allocated to the client has been sent to the client, when the admission switch receives an extensible authentication protocol (EAP) request from a target client, it parses the EAP request to obtain the MAC address of the target client and the port number of the switch, filters the MAC address of the target client and the port number of the switch against the mapping relation table, allows the target client to access the Internet if the filtering passes, and refuses it access to the Internet if the filtering does not pass.
The mapping relation table stores the correspondence between the MAC address of a client and the port number of the switch. The switch obtains the MAC address and switch port number of the client that is about to access the network (called the target client here, to distinguish it from the client above) by parsing the EAP request and looks them up in the mapping relation table: if the pair belongs to the MAC addresses and switch port numbers stored in the table, the filtering passes; if it does not, the filtering does not pass.
It should be noted that, because the MAC address is a unique identifier of a client, different clients have different MAC addresses, and because the MAC address belongs to the second layer of the network, the data link layer, filtering by MAC address is faster than filtering by IP address. The scheme therefore filters on the client MAC address and the switch port number, which makes filtering faster.
Further, the receiving, by the admission verification server, the single authorization packet sent by the admission client includes: the admission verification server receives a single authorization data packet sent by a client to an authentication verification module of an admission switch; after receiving an identity verification request initiated by a client, an authentication verification module performs identity verification on the single authorization data packet, and under the condition that verification is passed, the client is opened to communicate with a proxy module of an admission switch.
The authentication verification module verifies the identity carried in the single authorization data packet, for example on the basis of an account number and password, and opens communication between the client and the admission switch if the verification passes. In this way security is improved, since the identity is checked before communication.
The single authorization data packet can be understood as a data structure in single packet authentication, and the extension header of the single authorization data packet is customized, so that an identity authentication flow based on a source address can be constructed, and identity verification information is transferred by fully utilizing the load of the IPv6 first packet extension header.
Further, after the open client communicates with the proxy module of the admission switch, the proxy module in the switch receives an extensible authentication protocol request sent by the client, wherein the extensible authentication protocol request is constructed by the client according to authentication credentials submitted by a user; the proxy module packages the extensible authentication protocol request, the IPV6 address of the admission switch and the port number of the access switch connected with the client in a remote dial-in user service protocol access request packet, and sends the remote dial-in user service protocol access request packet to the admission authentication server.
Further, the admission verification server runs an identity verification module, and verifies the identity of the user sent by the client through the user name and the password; if the verification is not passed, sending a receipt of rejecting the packet to an agent module in the switch, and not allowing the client to access the network; and under the condition that verification is passed, distributing an IPV6 address interval for the client according to the identity information of the user, and attaching the address interval to a remote authentication protocol access receiving packet to be sent to an access switch.
The IPv6 address interval allocated to the client is attached to the RADIUS Access-Accept packet and sent to the admission switch, which stores the address interval allocated to the client for subsequent identity authentication.
Further, after the address interval is added in the remote authentication protocol access receiving packet and sent to the access switch, the access switch analyzes the IPV6 address from the remote authentication protocol access receiving packet, sends the IPV6 address to the IPV6 address filtering module to form a corresponding relation and write the corresponding relation into a mapping relation table, and adds the allocated IPV6 address interval in the extensible authentication protocol success packet and sends the extensible authentication protocol success packet to the client; the client analyzes the IPV6 address interval in the successful packet of the extensible authentication protocol, configures the IPV6 address interval to an IPV6 packet sending module, sends the IPV6 packet with the IPV6 address interval as a source address through the IPV6 packet sending module, and filters the packet after the IPV6 address filtering module receives the IPV6 packet.
The client can analyze the IPV6 address interval from the successful packet of the extensible authentication protocol, configure the IPV6 address interval into the IPV6 packet sending module, and the IPV6 address filtering module filters the packet according to the address interval after the IPV6 packet is subsequently received.
The invention also provides a specific embodiment, which is described below.
In an IPv6 network the extension header can be customized, so an identity authentication flow based on the source address can be constructed, making full use of an authentication technique that carries identity authentication information in the payload of the extension header of the first IPv6 packet. The invention provides a set of identity authentication solutions that strengthen security protection on the authentication flow.
The invention mainly solves the problem of deploying the network addressing architecture based on real IPv6 source addresses in practice, and the problem that current access equipment is easily attacked by scanning. Using this technology, the invention can effectively solve the following technical problems in the current access network environment:
(1) Optimizing the access control method for real source address access in existing IPv6 access networks.
(2) Effectively suppressing DDoS attacks that forge source addresses, such as reflection attacks.
(3) Hiding external service ports from an attacker's scans, thereby improving the strength of protection.
Based on the layered structure of the TCP/IP network, the source address identity authentication technology is divided into three parts, namely real source address identity authentication of an access network, real source address identity authentication in a domain and real source address identity authentication between domains according to a network area. The invention is realized by a source address identity authentication technology of an access network. The method is suitable for the scene that the user directly accesses the Internet through the Ethernet and the switch.
The source address identity authentication mode for the access network is as follows: the identity authentication is carried out on the user through a system consisting of a real IPv6 address admission authentication server, a real IPv6 address admission switch and a real IPv6 address admission client.
Fig. 3 is a network connection topology diagram of the present embodiment, and fig. 4 is a schematic diagram of functional modules and a service flow of the present embodiment, where as shown in the drawing, an admission client first sends a single data Packet (SPA Packet) to an admission verification server (also called an admission authentication server), where the data Packet carries information such as an IPv6 address of the client. And after receiving the data packet, the admission verification server releases the authentication service for the IPv6 address of the client. The client side continuously initiates an identity to an admission verification server for verification request, after the verification server passes account identity verification, the verification server distributes a corresponding IPv6 address interval for the client side, prepares a section of address space, and establishes a corresponding relation between the client side and the address interval; after the access switch obtains the IPv6 address interval of the user from the server, a mapping table is established for the MAC address of the client and the port number of the access switch of the user, and the access switch sends the IPv6 address (the address interval allocated by the access switch) of the access client to the client; the client analyzes the IPv6 address space (the address interval) from the client and configures the IPv6 address space to an IPv6 packet sending module, and the IPv6 packet sending module sends an IPv6 packet taking the IPv6 address as a source address to an admission switch for filtering. In the subsequent verification process, the admission exchanger acquires the address of the currently accessed client, if the address belongs to one address interval, the admission exchanger filters and passes the access network, and if the admission exchanger does not pass the filtering, the access network is not allowed.
Fig. 5 is a schematic diagram of the data flow in this embodiment. As shown in Fig. 5, the technical flow is implemented as follows. At the client, the user first sends a single authorization packet to the authentication verification module of the switch; after the switch has verified the authorization packet, communication between the client's IP address and the switch's proxy module is opened. The client then submits a networking application with a user name and password, constructs an Extensible Authentication Protocol (EAP) request from the credentials the user submitted, and sends it to the proxy module in the switch. On receiving the request, the proxy module encapsulates the EAP request, the switch's IPv6 address and the number of the access switch port the client is connected to in a Remote Authentication Dial-In User Service (RADIUS) Access-Request packet and sends it to the verification server. The verification server first runs its identity verification module, which authenticates the user by user name and password: if authentication fails, an Access-Reject packet is sent to the proxy module and the client is not allowed onto the network; if it succeeds, an IPv6 address interval is allocated according to the user's identity information, attached to a RADIUS Access-Accept packet, and sent to the corresponding access switch.
The switch takes the allocated IPv6 address interval out of the Access-Accept packet and hands it to the real-IPv6-address filtering module, which forms the corresponding relation between the client's MAC address, the switch port and the address interval and writes it into the binding relation table; the switch then attaches the allocated interval to an EAP-Success packet and sends it to the client. The client parses the IPv6 address interval from the EAP-Success packet and configures it into its IPv6 packet sending module, which then sends IPv6 packets using an address from the interval as source address. When the real-IPv6-address filtering module receives such a packet, it filters it against the binding relation table.
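The exchange described above, written out as a runnable model (an added example, not code from the patent or its applicant): an admission server that only answers authentication for addresses that have sent a single authorization packet, allocates one IPv6 address interval per verified identity and returns it in an Access-Accept; a switch that binds (port, MAC) to that interval and filters by source address; and a scenario exercising the pass and refuse cases, including the filtering step that the device embodiment and claim 2 repeat. The user names, passwords, the 2001:db8:0:1::/112 pool, the /120 interval size and the tuple-shaped RADIUS/EAP messages are constructed for illustration; the patent specifies none of them.

```python
"""Added example, not the patent's code: a model of the admission flow
(SPA gate -> EAP/RADIUS authentication -> per-user IPv6 interval ->
switch binding table -> source-address filtering). Names, credentials,
prefixes and the /120 interval size are constructed for illustration."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field


def pw_hash(password: str) -> str:
    # Constructed credential store; a deployment would rely on the EAP method's
    # own credential handling rather than a bare SHA-256 of the password.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AdmissionServer:
    """Admission verification server: SPA gate, identity check, interval allocation."""
    users: dict                                   # username -> pw_hash(password)
    pool: ipaddress.IPv6Network                   # address space carved into intervals
    interval_prefixlen: int = 120                 # size of each interval (assumption)
    opened: set = field(default_factory=set)      # client addresses with the auth service released
    bindings: dict = field(default_factory=dict)  # username -> IPv6Network
    _next: int = 0

    def receive_spa(self, client_ip: str) -> None:
        """Single authorization packet carrying the client's IPv6 address."""
        self.opened.add(ipaddress.IPv6Address(client_ip))

    def access_request(self, client_ip: str, username: str, password: str,
                       switch_ip: str, switch_port: int):
        """Models the Access-Request the switch proxy sends (EAP request plus the
        switch address and port). Returns ('Access-Accept', interval) or
        ('Access-Reject', None)."""
        if ipaddress.IPv6Address(client_ip) not in self.opened:
            return "Access-Reject", None          # no SPA seen: auth service is closed
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, pw_hash(password)):
            return "Access-Reject", None
        if username not in self.bindings:          # allocate a fresh interval per identity
            size = 1 << (128 - self.interval_prefixlen)
            base = int(self.pool.network_address) + self._next * size
            interval = ipaddress.IPv6Network((base, self.interval_prefixlen))
            if not interval.subnet_of(self.pool):
                return "Access-Reject", None      # pool exhausted
            self._next += 1
            self.bindings[username] = interval
        return "Access-Accept", self.bindings[username]


@dataclass
class AdmissionSwitch:
    """Access switch: proxies authentication, keeps the (port, MAC) -> interval
    binding table and filters frames by source address."""
    ipv6: str
    table: dict = field(default_factory=dict)

    def proxy_auth(self, server, port, mac, client_ip, username, password):
        code, interval = server.access_request(client_ip, username, password, self.ipv6, port)
        if code == "Access-Accept":
            self.table[(port, mac.lower())] = interval   # binding relation table entry
        return code, interval                             # relayed to the client as EAP-Success/Failure

    def filter_packet(self, port, src_mac, src_ip) -> bool:
        """True only if the source address lies in the interval bound to this port and MAC."""
        interval = self.table.get((port, src_mac.lower()))
        return interval is not None and ipaddress.IPv6Address(src_ip) in interval


def run_scenario() -> dict:
    """Constructed scenario: two users, one switch, legitimate and spoofed traffic."""
    server = AdmissionServer(
        users={"alice": pw_hash("correct horse"), "bob": pw_hash("battery staple")},
        pool=ipaddress.IPv6Network("2001:db8:0:1::/112"))
    switch = AdmissionSwitch(ipv6="2001:db8::1")
    out = {}
    # Alice has not sent an SPA packet yet: her authentication attempt is refused.
    out["no_spa"] = switch.proxy_auth(server, 1, "00:11:22:33:44:01", "fe80::1", "alice", "correct horse")[0]
    server.receive_spa("fe80::1")
    out["bad_pw"] = switch.proxy_auth(server, 1, "00:11:22:33:44:01", "fe80::1", "alice", "wrong")[0]
    code, alice_iv = switch.proxy_auth(server, 1, "00:11:22:33:44:01", "fe80::1", "alice", "correct horse")
    out["alice"] = (code, str(alice_iv))
    server.receive_spa("fe80::2")
    code, bob_iv = switch.proxy_auth(server, 2, "00:11:22:33:44:02", "fe80::2", "bob", "battery staple")
    out["bob"] = (code, str(bob_iv))
    # Filtering: own interval passes; another user's interval, another port or an unbound MAC does not.
    out["alice_ok"] = switch.filter_packet(1, "00:11:22:33:44:01", "2001:db8:0:1::a")
    out["alice_spoof_bob"] = switch.filter_packet(1, "00:11:22:33:44:01", "2001:db8:0:1::10a")
    out["alice_moved_port"] = switch.filter_packet(3, "00:11:22:33:44:01", "2001:db8:0:1::a")
    out["unknown_mac"] = switch.filter_packet(1, "de:ad:be:ef:00:00", "2001:db8:0:1::a")
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The binding key is (port, MAC) rather than the MAC alone, so a client that moves its cable to another port or borrows a neighbour's address is refused even though the address is valid somewhere on the switch; that is the property the patent's mapping table provides over plain source-prefix filtering.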
In this embodiment the access network source address authentication process uses IPv6 address allocation together with port binding, so it can be combined with existing schemes such as 802.1X and is convenient to deploy, with each switch port bound to a specific IPv6 address interval. Compared with a general identity authentication scheme, the process takes the source address of the data packet directly as the filtering basis, which reduces system performance overhead, and the single-packet authorization step protects the switch's networking application module before identity authentication takes place.
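What the authentication verification module can check in the single authorization packet before it releases anything, as an added example rather than the patent's own design: the page only says the packet carries the client's IPv6 address, so the layout below (address, timestamp, nonce and an HMAC-SHA256 over them under a shared key), the 30-second acceptance window, the replay cache and the check that the address in the packet matches the packet's observed source are all assumptions in the style of common SPA implementations.

```python
"""Added example, not the patent's code: a single-packet-authorization (SPA)
gate in front of the authentication service. Packet layout, key, time window
and the source-address check are assumptions; the patent only says the packet
carries the client's IPv6 address."""
import hashlib
import hmac
import ipaddress
import os
import struct

TIME_WINDOW = 30          # seconds during which a packet is accepted (assumption)
BODY_LEN = 16 + 8 + 16    # IPv6 address || 64-bit timestamp || 128-bit nonce
TAG_LEN = 32              # HMAC-SHA256


def build_spa(key: bytes, client_ip: str, now: float, nonce: bytes = b"") -> bytes:
    """Client side: body || HMAC-SHA256(key, body)."""
    nonce = nonce or os.urandom(16)
    body = (ipaddress.IPv6Address(client_ip).packed
            + struct.pack(">Q", int(now))
            + nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGate:
    """Server side: verifies the packet, then releases authentication for that address."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}       # nonce -> timestamp, for replay detection inside the window
        self.opened = set()  # IPv6 addresses for which the auth service is released

    def verify(self, packet: bytes, now: float, observed_src: str) -> str:
        # Nonces older than the window cannot be replayed any more; forget them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= TIME_WINDOW}
        if len(packet) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"                     # unknown key or tampered packet
        claimed = ipaddress.IPv6Address(body[:16])
        ts = struct.unpack(">Q", body[16:24])[0]
        nonce = body[24:40]
        if abs(now - ts) > TIME_WINDOW:
            return "stale"
        if nonce in self.seen:
            return "replay"
        if claimed != ipaddress.IPv6Address(observed_src):
            return "address-mismatch"            # packet claims an address it was not sent from
        self.seen[nonce] = ts
        self.opened.add(claimed)
        return "opened"

    def is_open(self, ip: str) -> bool:
        """Whether the authentication service has been released for this address."""
        return ipaddress.IPv6Address(ip) in self.opened


if __name__ == "__main__":
    key = os.urandom(32)
    gate = SpaGate(key)
    pkt = build_spa(key, "2001:db8::10", 1_700_000_000)
    print(gate.verify(pkt, 1_700_000_005, "2001:db8::10"))
    print(gate.verify(pkt, 1_700_000_006, "2001:db8::10"))
```

The MAC is checked before anything in the body is trusted, and a packet that fails any check changes no state, so an attacker who cannot produce a valid tag learns nothing and opens nothing; the address-mismatch rule stops a valid packet from being used to release the service for a third party's address.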
To realize identity authentication based on the source address, the scheme was designed by building a real experimental network connected to a real operational network, running real Internet applications, and simulating the identity authentication and login of a small population of network users for comprehensive experiment and verification: a source address identity authentication experimental environment was set up on the IPv6 experimental network of the education network CERNET2, and the related technical process was tested and verified there.
In the experiments, compared with traditional user identity authentication and Internet access, the source-address-based access network authentication process showed no loss of efficiency with a larger number of users, while security was considerably improved over traditional identity authentication. The tests indicate that the scheme is practical and effective and can be deployed at scale.
It will be clear to a person skilled in the art from the above embodiments that the method according to these embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware alone, though in many cases the former is the preferred embodiment. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method according to the embodiments of the present invention.
This embodiment also provides an access network source address identity authentication device, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of an access network source address identity authentication device according to an embodiment of the present invention, as shown in fig. 6, the device includes:
a first sending unit 10, configured to receive, via the admission verification server, a single authorization packet sent by the admission client, the packet carrying IPv6 address information of the client;
a verification unit 20, configured to release the authentication service for the client's IPv6 address;
a receiving unit 30, configured to receive an authentication request initiated by the client, allocate a corresponding IPv6 address interval to the client after authentication passes, and establish the correspondence between the client and the address interval;
a second sending unit 40, configured to send the address interval to the access switch, where the access switch establishes a mapping relation table of the client's MAC address and the access switch port number and sends the IPv6 address interval allocated to the client to the client, and the client then uses that interval as the source address of packets sent to the access switch for identity authentication of the access network source address.
With these units the admission verification server receives the single authorization packet, releases the authentication service for the client's address, allocates an address interval after authentication and passes it to the access switch for port binding, so that the problem in the related art that the access device is easily attacked is solved and the source address of the access network is verified.
In an exemplary embodiment, the apparatus further comprises: an analysis unit, configured to parse an Extensible Authentication Protocol (EAP) request when the admission switch receives one from a target client after the allocated IPv6 address interval has been sent to the client, so as to obtain the target client's MAC address and the switch port number; a filtering unit, configured to filter the target client's MAC address and the switch port number against the mapping relation table; and a processing unit, configured to allow the target client to access the Internet if the filtering passes and to refuse access if it does not.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; alternatively, the above modules may be located in different processors in any combination.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to: a usb disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
In an exemplary embodiment, the electronic apparatus may further include a transmission device connected to the processor, and an input/output device connected to the processor.
Specific examples in this embodiment may refer to the examples described in the foregoing embodiments and the exemplary implementation, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An access network source address identity authentication method, characterized by comprising the following steps:
an admission verification server receives a single authorization data packet sent by an admission client, wherein the data packet carries IPv6 address information of the client;
releasing the authentication service for the IPv6 address of the client;
receiving an authentication request initiated by the client, allocating a corresponding IPv6 address interval to the client after the authentication passes, and establishing a correspondence between the client and the address interval;
sending the address interval to an access switch, wherein the access switch establishes a mapping relation table of the MAC address of the client and the port number of the access switch and sends the corresponding IPv6 address interval allocated to the client to the client, and the client uses the IPv6 address interval as the source address of packets sent to the access switch for identity authentication of the access network source address.
2. The method of claim 1, wherein after the corresponding IPv6 address interval allocated to the client is sent to the client, the method further comprises:
when the access switch receives an Extensible Authentication Protocol request from a target client, parsing the request to obtain the MAC address of the target client and the port number of the switch;
filtering the MAC address of the target client and the port number of the switch based on the mapping relation table;
and allowing the target client to access the Internet if the filtering passes, and refusing the target client access to the Internet if the filtering does not pass.
3. The method of claim 1, wherein
the admission verification server receiving the single authorization data packet sent by the admission client comprises: the admission verification server receives a single authorization data packet sent by the client to an authentication verification module of the admission switch;
and after receiving the authentication request initiated by the client, the method further comprises: the authentication verification module verifies the identity carried in the single authorization data packet and, if the verification passes, opens communication between the client and the proxy module of the access switch.
4. The method according to claim 3, characterized in that after communication between the client and the proxy module of the admission switch is opened, the method further comprises:
the proxy module in the switch receives an Extensible Authentication Protocol request sent by the client, wherein the request is constructed by the client from authentication credentials submitted by the user;
and the proxy module encapsulates the Extensible Authentication Protocol request, the IPv6 address of the access switch and the port number of the access switch to which the client is connected in a Remote Authentication Dial-In User Service (RADIUS) Access-Request packet and sends it to the access authentication server.
5. The method according to claim 4, characterized in that the method further comprises:
the admission verification server runs an identity verification module and verifies the identity of the user sent by the client through a user name and a password;
if the verification does not pass, an Access-Reject packet is sent to the proxy module in the switch and the client is not allowed to access the network;
and if the verification passes, an IPv6 address interval is allocated to the client according to the identity information of the user, attached to a RADIUS Access-Accept packet and sent to the access switch.
6. The method of claim 1, wherein after the address interval attached to the RADIUS Access-Accept packet is sent to the admission switch, the method further comprises:
the admission switch parses the IPv6 address interval from the Access-Accept packet, hands it to an IPv6 address filtering module to form the corresponding relation, writes that relation into the mapping relation table, and adds the allocated IPv6 address interval to an Extensible Authentication Protocol success packet sent to the client;
and the client parses the IPv6 address interval from the success packet, configures it into an IPv6 packet sending module and sends IPv6 packets taking an address from the interval as source address through that module, and the IPv6 address filtering module filters each IPv6 packet it receives.
7. An access network source address identity authentication device, characterized by comprising:
a first sending unit, configured to receive, via an admission verification server, a single authorization data packet sent by an admission client, wherein the data packet carries IPv6 address information of the client;
a verification unit, configured to release the identity verification service for the IPv6 address of the client;
a receiving unit, configured to receive an authentication request initiated by the client, allocate a corresponding IPv6 address interval to the client after the authentication passes, and establish a correspondence between the client and the address interval;
and a second sending unit, configured to send the address interval to the access switch, wherein the access switch establishes a mapping relation table of the MAC address of the client and the port number of the access switch and sends the corresponding IPv6 address interval allocated to the client to the client, and the client uses the IPv6 address interval as the source address of packets sent to the access switch for identity authentication of the access network source address.
8. The apparatus of claim 7, characterized in that the apparatus further comprises:
an analysis unit, configured to parse an Extensible Authentication Protocol request when the access switch receives one from a target client after the corresponding IPv6 address interval allocated to the client has been sent to the client, so as to obtain the MAC address of the target client and the port number of the switch;
a filtering unit, configured to filter the MAC address of the target client and the port number of the switch based on the mapping relation table;
and a processing unit, configured to allow the target client to access the Internet if the filtering passes and to refuse the target client access to the Internet if the filtering does not pass.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program is arranged to execute the method of any of the claims 1 to 6 when run.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of the claims 1 to 6.
CN202310544192.1A 2023-05-15 2023-05-15 Method and device for authenticating source address identity of access network Pending CN116405314A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310544192.1A CN116405314A (en) 2023-05-15 2023-05-15 Method and device for authenticating source address identity of access network

Publications (1)

Publication Number Publication Date
CN116405314A true CN116405314A (en) 2023-07-07

Family

ID=87018174


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1929483A (en) * 2006-09-19 2007-03-14 清华大学 Admittance control method for IPv6 switch-in network true source address access
US20090328178A1 (en) * 2008-06-27 2009-12-31 Microsoft Corporation Techniques to perform federated authentication
US20160119316A1 (en) * 2013-09-30 2016-04-28 Beijing Zhigu Rui Tuo Tech Co., Ltd. Wireless network authentication method and wireless network authentication apparatus


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination