CN1303790C - Method for retransmiting and discarding data packet of authentication service protocol for dialed from remote user - Google Patents
Publication number: CN1303790C (application CNB031375472A)
Authority: CN (China)
Prior art keywords: packet, data packet, charging, service, authentication
Legal status (assumed, not a legal conclusion): Expired - Fee Related
Abstract
The present invention belongs to the technical field of computer network applications and relates to a method for retransmitting and discarding data packets of the Remote Authentication Dial In User Service (RADIUS) protocol. It is characterised in that a reply-time threshold T and a retransmission count N are set separately for each of the RADIUS authentication packet, accounting start packet, accounting update packet and accounting end packet. When the reply time exceeds T, the NAS stops waiting for the reply to the packet sent this time and retransmits it; when the number of retransmissions exceeds N, the packet is discarded. For the authentication packet and the accounting end packet, discarding the packet stops or refuses the service. For the accounting start packet, the accounting end packet must still be sent after the packet is discarded. For the accounting update packet, discarding the packet does not affect the continuing service. By adopting different retransmission and discard strategies for different packet types, the invention improves the stability, accuracy and integrity of authentication and accounting.
Description
Technical field
The invention belongs to the field of computer network applications, in particular to AAA protocols and methods for transmitting protocol data.
Background technology
The development of Internet technology has made widespread use of the Internet possible, and its open nature increases the demand for applications day by day. But a network operator builds a network to make a profit: it cannot expand bandwidth without limit regardless of profitability, nor can it provide free service to users. Therefore, when building a network, the reasonable use of network resources (bandwidth, IP addresses, content services, application services, etc.) and the effective management of users must be considered.
Authentication, Authorization and Accounting (AAA) is the management means that arose to meet the demands of commercial networks: it identifies the user of a service, grants privileges to legitimate users, and records usage information and computes fees in the various networks.
The most mature and most widely used AAA protocol at present is the Remote Authentication Dial In User Service (RADIUS). The purpose of the RADIUS protocol is to solve the authentication, authorization and accounting problems between a network access server (NAS) and PPP dial-in users. RADIUS works in client/server mode and defines the protocol for transmitting authentication, authorization and configuration information between the network access server (NAS) and a RADIUS server that centrally stores the authentication information; it has the characteristics of good security, flexible extensibility, easy management and strong accounting functions.
While providing a service to a user, the NAS must perform authentication and accounting for that user's information. The steps are:
1. First the NAS sends a RADIUS authentication packet to the authentication server, submitting the user information to the RADIUS server for authentication;
2. For a user that passes authentication, accounting begins: the NAS sends a RADIUS accounting start packet to the authentication server, submitting an accounting start request to the RADIUS server;
3. While the service is being provided to the user, the NAS sends RADIUS accounting update packets, reporting changes of state information to the RADIUS server as accounting updates;
4. When the service to the user ends, the NAS sends an accounting end packet to the RADIUS server.
As can be seen from the above steps, RADIUS protocol packets come in several different types, and the consequences for the NAS of receiving no reply differ from type to type. Table 1 analyses in detail the consequences that a "NAS receives no reply" error may cause for each RADIUS packet type.
Table 1: RADIUS packet descriptions and analysis
RADIUS packet type | Urgency of this packet type | Server's normal handling of this packet | Consequence of a "NAS receives no reply" error for this packet type |
---|---|---|---|
Authentication | Normal | Returns an authentication success or authentication reject packet | The user's login fails |
Accounting start | Urgent | Returns a reply | Accounting cannot proceed and the NAS stalls; if the reply is lost on the return path, accounting cannot be ended, the user is billed incorrectly and suffers a loss |
Accounting update | Normal | Returns a reply | The user is billed incorrectly, but the loss is small when the service state changes little |
Accounting end | Urgent | Returns a reply | Billing error; if the packet is lost, accounting cannot be ended, the user is billed incorrectly and suffers a loss |
The first column of the table lists the four commonly used RADIUS packet types; the second column shows the different importance of the four types in practical applications; the third column shows how the RADIUS server handles these four types of datagram under normal conditions; the last column points out the consequences that may follow if the NAS does not receive the result.
RADIUS is based on the User Datagram Protocol (UDP); it makes no concrete provisions of its own for transporting protocol data and simply uses UDP's best-effort transmission mechanism. In addition, if RADIUS receives a packet it cannot identify, it simply discards it. Because UDP specifies no retransmission mechanism, this reduces the reliability of the protocol in use.
For this, the RADIUS protocol contains only a simple suggestion on retransmission and discarding: the sender keeps sending the packet until a response message is received, and discards it after retrying a certain number of times. But an authentication and accounting system itself demands high accuracy and security, and this method cannot meet the requirements of the more complex RADIUS packets. For example, sending a RADIUS accounting start packet once is equivalent to the start of one accounting session, so retransmitting this packet is likely to cause repeated charging and a loss to the user, and the above method cannot handle this case.
Summary of the invention
The objective of the invention is to overcome the inherent shortcoming of the widely adopted RADIUS protocol: incorrect charging caused by the unreliability of data transmission. It proposes an improved retransmission and discard method for RADIUS protocol packets which, by adopting different retransmission and discard strategies for different packet types, greatly strengthens the stability, accuracy and integrity of authentication and accounting.
The retransmission and discard method for RADIUS packets proposed by the invention comprises the following steps:
First the NAS sends an authentication packet to the RADIUS server and waits for the authentication to pass;
The NAS sends an accounting start packet to the RADIUS server and waits for the reply;
The NAS provides the streaming media service to the user and sends an accounting update packet to the RADIUS server whenever the service state (bit rate, programme, etc.) changes;
When the service ends, the NAS sends an accounting end packet to the RADIUS server;
In the above steps the RADIUS server handles RADIUS messages entirely as the RADIUS protocol specifies; unexpected packets and packets whose accounting failed are simply discarded;
The method is characterised in that a reply-time threshold T and a retransmission count N are set separately for the RADIUS authentication packet, accounting start packet, accounting update packet and accounting end packet. When the reply time exceeds T, the NAS stops waiting for the reply to the packet sent this time and retransmits it; when the retransmissions exceed N, the packet is discarded. For the authentication packet and the accounting end packet, the NAS stops or refuses to provide the service once the packet is discarded. For the accounting start packet, the NAS must still send the accounting end packet after the packet is discarded. For the accounting update packet, discarding the packet does not affect the continuing service.
For the accounting start packet the invention sets N_start = 1. This is because of sequencing: under a malicious attack, repeated accounting start packets would mean repeated starts of charging and cause the user a loss. The N values of the other packets can be set according to the concrete application; in general they can be chosen as
N_end ≥ N_auth ≥ N_update ≥ N_start,
where N_auth, N_start, N_update and N_end are the retransmission counts of the authentication, accounting start, accounting update and accounting end packets respectively.
The choice of T should be made flexibly for the concrete service while disturbing the normal flow of RADIUS packets as little as possible. The general range is T_normal < T ≤ 2T_max, where T_normal is the normal response time of the concrete service and T_max its maximum response time. To avoid increasing the network load, a reasonable range is T_max < T ≤ 2T_max. In addition, when the network load is too heavy, T can be increased appropriately and N reduced.
Inventive principle:
The RADIUS protocol is based on UDP, which gives it an unavoidable fatal weakness: unreliability. To remedy this defect, measures must be taken at the application layer to improve the authentication and accounting system. By analysing the urgency and the processing characteristics of the different RADIUS messages, the retransmission and discard method for each packet type is determined, so that the accounting process proceeds normally as far as possible; once charging has begun, the user is assured that the accounting process is correct and suffers no unnecessary loss, which serves both the user and the service provider better.
Advantages of the present invention:
1. The application is improved without modifying the protocol;
2. The retransmission count and interval can be configured flexibly according to network conditions, reducing the extra load on the network;
3. It is not limited to one kind of service and applies to all AAA systems based on the RADIUS protocol.
Description of drawings:
Fig. 1 is a flow chart of an embodiment of the method by which the NAS of the present invention processes RADIUS messages.
Embodiment
The retransmission and discard method for RADIUS protocol packets proposed by the invention is described in detail below with reference to the embodiment and the accompanying drawing:
The embodiment runs on a streaming media service system with the following configuration:
NAS server configuration:
CPU: Intel PIII 1GHz
Memory: 128M
Operating system: RedHat 8.0 Linux Server
Streaming media server: LSMP Streaming Server
Authentication server configuration:
CPU: Intel PIII 966MHz
Memory: 256M
Operating system: RedHat 8.0 Linux Server
Accounting server configuration:
CPU: Intel PIII 966MHz
Memory: 256M
Operating system: RedHat 8.0 Linux Server
In this embodiment the normal response time of each packet is T_normal ≈ 50 milliseconds and the maximum response time is T_max ≈ 50 seconds. The reply-time thresholds of the RADIUS authentication packet, accounting start packet, accounting update packet and accounting end packet are set to T_auth = 60 seconds, T_start = 100 seconds, T_update = 60 seconds and T_end = 60 seconds, and the retransmission counts to N_auth = 5, N_start = 1, N_update = 3 and N_end = 6;
In this embodiment the RADIUS server handles RADIUS messages entirely as the RADIUS protocol specifies; unexpected packets and packets whose accounting failed are simply discarded;
The detailed process, shown in Fig. 1, comprises the following steps:
1. The NAS sends an authentication packet to the RADIUS server and waits for the reply packet;
a) if an authentication success packet is received within 60 seconds, continue; if an authentication reject packet is received, this service fails;
b) if no reply packet is received within 60 seconds, resend the authentication packet;
c) repeat step b) up to 5 times;
d) after more than 5 times, refuse the user access; the service fails.
2. If authentication passes, the NAS sends an accounting start packet to the RADIUS server and waits for the reply packet;
a) if a reply packet is received within 100 seconds, continue the service;
b) if no reply packet is received within 100 seconds, refuse the user access;
c) send the accounting end packet;
d) this service fails and the user is refused access.
3. When the service state changes, the NAS sends an accounting update packet to the RADIUS server and waits for the reply packet;
a) if a reply packet is received within 60 seconds, continue the service;
b) if no reply packet is received within 60 seconds, resend the accounting update packet;
c) repeat step b) up to 3 times;
d) after more than 3 times, continue the service.
4. When the service needs to stop, the NAS sends an accounting end packet to the RADIUS server and waits for the reply packet;
a) if a reply packet is received within 60 seconds, continue;
b) if no reply packet is received within 60 seconds, resend the accounting update packet;
c) repeat step b) up to 6 times;
d) stop this service.
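The four-step procedure above, together with the parameter constraints given in the description (N_start = 1, N_end ≥ N_auth ≥ N_update ≥ N_start, T_normal < T ≤ 2T_max), as an added Python simulation; this is not code from the patent. The transport and its replies are constructed, the waiting for T is simulated rather than performed, and N is assumed to count every transmission of a packet including the first.

```python
"""Added example, not the patent's code: a simulated NAS-side retransmit and
discard policy for the four RADIUS packet types, driven by the per-type reply
threshold T (seconds) and count N from the embodiment above."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

AUTH, ACCT_START, ACCT_UPDATE, ACCT_STOP = "auth", "acct_start", "acct_update", "acct_stop"


@dataclass(frozen=True)
class PacketPolicy:
    threshold_t: float  # seconds to wait for a reply before giving up on one attempt
    attempts_n: int     # assumption: N counts every transmission, the first included


# Embodiment values: T = 60 s / 100 s / 60 s / 60 s and N = 5 / 1 / 3 / 6.
EMBODIMENT_POLICY: Dict[str, PacketPolicy] = {
    AUTH: PacketPolicy(60, 5),
    ACCT_START: PacketPolicy(100, 1),
    ACCT_UPDATE: PacketPolicy(60, 3),
    ACCT_STOP: PacketPolicy(60, 6),
}


def check_policy(policy: Dict[str, PacketPolicy], t_normal: float, t_max: float) -> bool:
    """Constraints from the description: N_start = 1 (a repeated Accounting-Start
    starts charging twice), N_end >= N_auth >= N_update >= N_start, and every
    threshold inside T_normal < T <= 2 * T_max."""
    n = {k: p.attempts_n for k, p in policy.items()}
    order_ok = n[ACCT_START] == 1 and n[ACCT_STOP] >= n[AUTH] >= n[ACCT_UPDATE] >= n[ACCT_START]
    t_ok = all(t_normal < p.threshold_t <= 2 * t_max for p in policy.values())
    return order_ok and t_ok


# A transport takes (packet type, attempt, T) and returns the reply code, or None
# when nothing arrived within T seconds; the waiting itself is only simulated.
Transport = Callable[[str, int, float], Optional[str]]


def scripted_transport(script: Dict[str, List[Optional[str]]]) -> Transport:
    """Constructed test transport: script[type][i] answers attempt i+1 (None = lost);
    attempts beyond the end of the script are lost as well."""
    def send(pkt_type: str, attempt: int, threshold_t: float) -> Optional[str]:
        replies = script.get(pkt_type, [])
        return replies[attempt - 1] if attempt <= len(replies) else None
    return send


@dataclass
class NasSession:
    policy: Dict[str, PacketPolicy]
    transport: Transport
    log: List[str] = field(default_factory=list)

    def exchange(self, pkt_type: str) -> Optional[str]:
        """Send pkt_type, retransmitting after each timeout, at most N times.
        Returns the reply, or None once the packet has been discarded."""
        p = self.policy[pkt_type]
        for attempt in range(1, p.attempts_n + 1):
            reply = self.transport(pkt_type, attempt, p.threshold_t)
            self.log.append(f"{pkt_type} attempt {attempt}: {reply or 'timeout'}")
            if reply is not None:
                return reply
        self.log.append(f"{pkt_type} discarded after {p.attempts_n} attempts")
        return None

    def run(self, state_changes: int = 0) -> str:
        """Steps 1 to 4 of the embodiment; returns 'refused' or 'completed'."""
        # Step 1: an Access-Reject or a discarded authentication packet refuses the user.
        if self.exchange(AUTH) != "Access-Accept":
            return "refused"
        # Step 2: a discarded Accounting-Start refuses the user, but Accounting-Stop
        # is still sent so the server is never left with an open charging session.
        if self.exchange(ACCT_START) is None:
            self.exchange(ACCT_STOP)
            return "refused"
        # Step 3: a discarded interim update never interrupts the running service.
        for _ in range(state_changes):
            self.exchange(ACCT_UPDATE)
        # Step 4: the service stops whether or not Accounting-Stop is acknowledged.
        self.exchange(ACCT_STOP)
        return "completed"
```

Inspecting `NasSession.log` after `run()` shows exactly which packets were retransmitted, which were discarded, and that an Accounting-Stop follows a discarded Accounting-Start.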
The inventive method was stress-tested against operation without any retransmission and discard method; the results are as follows:
1. The NAS sends 1000 service requests with no interval between them, sending authentication and accounting packets to the RADIUS server:
Without retransmission and discard: authentication and accounting successful and correct: 890; authentication and accounting incorrect and discarded: 13; accounting failed: 97;
With retransmission and discard: authentication and accounting successful and correct: 989; authentication and accounting incorrect and discarded: 11; accounting failed: 0;
2. The NAS sends authentication and accounting packets at an average rate of 300 packets per second, 400,000 service requests in total:
Without retransmission and discard: authentication and accounting successful and correct: 210601;
With retransmission and discard: authentication and accounting successful and correct: 399967.
Claims (3)
1. A retransmission and discard method for Remote Authentication Dial In User Service (RADIUS) protocol packets, comprising the following steps:
First the network access server (NAS) sends an authentication packet to the RADIUS server and waits for the authentication to pass;
The NAS sends an accounting start packet to the RADIUS server and waits for the reply;
The NAS provides the streaming media service to the user and sends an accounting update packet to the RADIUS server when the service state changes;
When the service ends, the NAS sends an accounting end packet to the RADIUS server;
In the above steps the RADIUS server handles RADIUS protocol packets entirely as the RADIUS protocol specifies; unexpected packets and packets whose accounting failed are simply discarded;
characterised in that a reply-time threshold T and a retransmission count N are set separately for the RADIUS authentication packet, accounting start packet, accounting update packet and accounting end packet; when the reply time exceeds T, the NAS stops waiting for the reply to the packet sent this time and retransmits it, and when the retransmissions exceed N the packet is discarded; for the authentication packet and the accounting end packet, the NAS stops or refuses to provide the service once the packet is discarded; for the accounting start packet, the NAS must still send the accounting end packet after the packet is discarded; for the accounting update packet, discarding the packet does not affect the continuing service.
2. The retransmission and discard method for RADIUS protocol packets of claim 1, characterised in that N_start = 1 and the N values of the other packets satisfy
N_end ≥ N_auth ≥ N_update ≥ N_start,
where N_auth, N_start, N_update and N_end are the retransmission counts of the authentication, accounting start, accounting update and accounting end packets respectively.
3. The retransmission and discard method for RADIUS protocol packets of claim 1, characterised in that the range of T is T_normal < T ≤ 2T_max, where T_normal is the normal response time of the concrete service and T_max is the maximum response time of the concrete service.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB031375472A CN1303790C (en) | 2003-06-18 | 2003-06-18 | Method for retransmiting and discarding data packet of authentication service protocol for dialed from remote user |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1463123A CN1463123A (en) | 2003-12-24 |
CN1303790C true CN1303790C (en) | 2007-03-07 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20070307; Termination date: 20140618 |
EXPY | Termination of patent right or utility model | |