CN1798158A - Method for distributing second level address - Google Patents

Publication number
CN1798158A
Authority
CN
China
Prior art keywords
server
client
address
dhcpv6
ipv6
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200410097049
Other languages
Chinese (zh)
Inventor
丁常海
侯超
林琦
陈伟
沈文良
管红光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 200410097049
Publication of CN1798158A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The method includes the following steps: the client interacts with the DHCPv6 server to obtain the IPv6 address allocated by the DHCPv6 server, and a subscriber policy for the client is added on the access server; after the client initiates an authentication request, the authentication server authenticates the client and sends the authentication result to the DHCPv6 server; after obtaining the authentication result, the DHCPv6 server instructs the client to reset the DHCPv6 process according to the authentication result; following the instruction from the DHCPv6 server, the client interacts with the DHCPv6 server to obtain the IPv6 address reallocated by the DHCPv6 server, and the subscriber policy for the client is updated on the access server.

Description

Second-level address allocation method
Technical field
The present invention relates to the field of IPv6 network access technology, and in particular to a second-level address allocation method.
Background
In IPv6 (Internet Protocol version 6), a client (Host) can obtain an IP address in two ways. One is stateless address autoconfiguration (Stateless Address Autoconfiguration), which mainly uses the ND protocol and obtains the IP address through RS and RA messages. The other is stateful address autoconfiguration (Stateful Address Autoconfiguration), which at present obtains the IP address through DHCPv6 (DHCP for IPv6). Because the DHCPv6 protocol is more complete, implements more functions, and allows a single server to manage addresses for the whole network in a unified way, DHCPv6 is the better choice for network management and operation.
With the development and spread of NGN and IPv6, many electronic products, such as users' mobile phones, will be assigned IPv6 addresses so that they can connect to an IPv6 network more easily at any time. This makes it possible to migrate existing communication services to an Internet that uses IPv6 as the bearer protocol, and strengthening network-side control over clients under IPv6 is essential for implementing various services. The first problem to solve is controlling a client so that it has different IPv6 addresses or permissions under different services or scenarios.
For example, the DHCPv6 server records different IPv6 addresses for a client in different situations: IPv6-A is a campus network/LAN address with permission to access campus network resources; IPv6-B has permission to access the Internet, and a fee is charged when IPv6-B is used. The user can access the campus network or the Internet as needed; when accessing a different network, the client's IPv6 address must be changed accordingly, and the user's permissions changed to match.
Moreover, current control over clients is essentially all based on the client having a fixed IPv6 address. Any change to a user's IPv6 address requires the user to perform the update actively, for example by manually modifying the client's IPv6 address or restarting the client. The network-side system cannot actively modify the client.
In general, although the existing DHCPv6 protocol emphasizes control of the client (Host) by the server (Server) and also improves security (see RFC 3315 for details), the Server currently cannot control reallocation of the Host's address, nor control changes to the Host's permissions.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method for second-level address allocation in an IPv6 network, so that the server side can reallocate client addresses in an IPv6 network.
The second-level address allocation method of the present invention is applied in an IPv6 network and comprises the following steps:
A. The client interacts with the DHCPv6 server and obtains the IPv6 address allocated by the DHCPv6 server;
B. The client initiates an authentication request, the authentication server authenticates the client, and the authentication result is sent to the DHCPv6 server;
C. After obtaining the authentication result, the DHCPv6 server instructs the client, according to the authentication result, to reset the DHCPv6 process;
D. Following the instruction from the DHCPv6 server, the client interacts with the DHCPv6 server and obtains the IPv6 address reallocated by the DHCPv6 server.
The method also involves an access server, through which the client accesses the IPv6 network. Step A further comprises adding a subscriber policy for the client on the access server, and step D further comprises updating the subscriber policy for the client on the access server. The subscriber policy includes at least the permissions allocated to the user. The permissions include at least one of the following: addresses allowed to be accessed, addresses not allowed to be accessed, the user's traffic limit, and services allowed to be used. The access server may be a BRAS, a layer-3 switch, a router, and so on.
The authentication result in step B includes at least one of the following: an attribute indicating that address allocation must be performed again, and an attribute indicating that the client's permissions must be modified.
In step C, the client is instructed to reset the DHCPv6 process by using the RECONFIGURE Option field in the reconfigure message RECONFIGURE to instruct the client to initiate a REQUEST message.
The authentication server is an AAA server or a RADIUS server.
When the client leaves the IPv6 network, the method further comprises, after step D: the client releases the IPv6 address obtained in step D.
As can be seen from the above method, by making reasonable use of the DHCPv6 protocol and partially extending it, the present invention enables the network-side server to perform second-level address allocation and dynamic authorization for the Host in an IPv6 network. Through second-level address allocation or dynamic authorization after authentication, flexible control of the Host by the network-side server is achieved.
In addition, the present invention lets the network side actively update the Host's IPv6 address or permissions, so that a user can easily switch between different Internet service providers (ISPs) and access different access networks. The client's address and permissions are updated automatically by the network-side system without manual updates by the user, which is convenient for the user.
Description of the drawings
Fig. 1 is a schematic diagram of Host network access.
Fig. 2 is a flow chart of second-level address allocation according to the present invention.
Fig. 3 is a schematic diagram of Host network access in an embodiment.
Fig. 4 is a flow chart of second-level address allocation in an embodiment of the present invention.
Embodiments
Generally, a client (Host) obtains its IPv6 address through a layer-3 device acting as a DHCPv6 relay (Relay) or server (Server); the layer-3 device may be a Broadband Remote Access Server (BRAS), a layer-3 switch (L3 Switch), a router (Router), or similar equipment. Fig. 1 is a schematic diagram of Host network access: within a local area network or a metropolitan area network, a single DHCPv6 Server is deployed to manage addresses for the whole network in a unified way, and an authentication server (for example an AAA authentication server or a RADIUS authentication server) is deployed to manage each Host's permissions. The DHCPv6 Server and the authentication server may be standalone devices or may be located in other equipment, such as the layer-3 device above. The BRAS in Fig. 1 acts as the Relay.
The main steps of second-level address allocation in the present invention are: when the client first accesses the network, it obtains the IPv6 network address allocated by the DHCPv6 Server; when the user needs more permissions, the user initiates an authentication request; after obtaining the authentication result, the DHCPv6 Server requires the client to reset the DHCPv6 process; following the DHCPv6 Server's instruction, the client resets the DHCPv6 process and obtains an updated IPv6 address and/or updated permissions.
Below, using the network diagram in Fig. 1 and the flow chart in Fig. 2, the second-level address allocation method of the present invention is described, taking a Host accessing a second network as an example. It includes the following steps:
Step 201: When the Host powers on, it exchanges information with the DHCPv6 Server using the DHCPv6 protocol and obtains the IPv6 address allocated by the DHCPv6 Server.
While performing DHCPv6 configuration with the Host, the DHCPv6 Server also sends the user's access permissions in DHCPv6 messages to the Relay, that is, the BRAS device in the figure, so that the BRAS can control the user's access permissions through an ACL (access control list).
Step 202: The Host needs to obtain greater access permissions and initiates authentication with the authentication server. The form of authentication may be WEB authentication, dial-up authentication, and so on. The correct user name and password are entered as required when initiating authentication.
Step 203: The authentication server authenticates the Host according to its authentication information; when authentication succeeds, the authentication server sends the Host's authentication result to the DHCPv6 Server. This information also includes the Host's current IPv6 address, which the DHCPv6 Server uses to identify the Host that the authentication result belongs to.
Step 204: The DHCPv6 Server receives the Host's authentication result and sends a DHCPv6 reconfigure message (RECONFIGURE) to the Host, requiring the Host to begin resetting the DHCPv6 process.
In the RECONFIGURE message, the DHCPv6 Server can use the RECONFIGURE Option byte to specify that the Host initiate a REQUEST, RENEW, or INFORMATION-REQUEST message; alternatively, the DHCPv6 server does not specify which message the Host is to use, and the Host sends one of these three messages according to its own configuration.
Step 205: After receiving the RECONFIGURE message, the Host sends the message specified by the Server or selected by the Host's own configuration, initiating the DHCPv6 reset.
If second-level address allocation is required, the Host sends a REQUEST message directly to the Server, asking the Server to reallocate an IPv6 address, and the Server performs the corresponding parameter configuration. For example, if the Host obtained a Local-Link (local) address at first start-up, it can now use a REQUEST message to ask the DHCPv6 Server to reallocate a Global (network-wide) address to the user for accessing the Internet.
If second-level address allocation is not required and only the Host's permissions are to be changed while the original address is kept, the Host can send a RENEW or INFORMATION-REQUEST message to start the configuration process of the existing DHCPv6 protocol.
Under the present DHCPv6 protocol, a Host that receives a RECONFIGURE message from the DHCPv6 server can send only a RENEW or INFORMATION-REQUEST message. That is, the present DHCPv6 protocol can only control a Host without changing its original IPv6 address, and cannot actively modify the Host's IPv6 address.
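The following Python example is added here and is not code from the patent. It encodes a RECONFIGURE message carrying the Reconfigure Message option (option code 19 in RFC 3315) and shows the client-side choice from steps 204 and 205: a client following RFC 3315 accepts only RENEW or INFORMATION-REQUEST, while a client implementing the extension also accepts REQUEST. The constructed packets carry only this one option, and the function names and the `default` parameter are assumptions.

```python
import struct

# DHCPv6 message types and option code as defined in RFC 3315.
REQUEST, RENEW, RECONFIGURE, INFORMATION_REQUEST = 3, 5, 10, 11
OPTION_RECONF_MSG = 19

# msg-type values a client accepts in the Reconfigure Message option.
RFC3315_ALLOWED = {RENEW, INFORMATION_REQUEST}
EXTENDED_ALLOWED = RFC3315_ALLOWED | {REQUEST}  # extension the method relies on


def build_reconfigure(msg_type=None):
    """Server side: RECONFIGURE header plus an optional Reconfigure Message option.

    Constructed sample only: a deployed message also carries server and
    client identifiers and authentication data, which are left out here.
    """
    packet = bytes([RECONFIGURE]) + b"\x00\x00\x00"  # transaction-id is 0
    if msg_type is not None:
        packet += struct.pack("!HHB", OPTION_RECONF_MSG, 1, msg_type)
    return packet


def parse_options(data):
    """Yield (code, value) pairs from a DHCPv6 option area, rejecting truncation."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if len(data) - offset < length:
            raise ValueError("option %d overruns the packet" % code)
        yield code, data[offset:offset + length]
        offset += length


def client_next_message(packet, allowed=RFC3315_ALLOWED, default=RENEW):
    """Client side: return the message type to send in reply to a RECONFIGURE.

    `default` models the case where the server names no message and the
    Host chooses from its own configuration.
    """
    if len(packet) < 4 or packet[0] != RECONFIGURE:
        raise ValueError("not a RECONFIGURE message")
    requested = None
    for code, value in parse_options(packet[4:]):
        if code == OPTION_RECONF_MSG:
            if len(value) != 1:
                raise ValueError("Reconfigure Message option must be 1 byte")
            requested = value[0]
    chosen = default if requested is None else requested
    if chosen not in allowed:
        raise ValueError("msg-type %d not permitted by this client" % chosen)
    return chosen


if __name__ == "__main__":
    pkt = build_reconfigure(REQUEST)
    print(pkt.hex(), client_next_message(pkt, allowed=EXTENDED_ALLOWED))
```

A client built against unextended RFC 3315 rejects the REQUEST indication, so second-level allocation only works where both the server and the client implement the extension.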
Step 206: When the DHCPv6 Server and the Host reconfigure, the relevant control information is sent to the BRAS (acting as the DHCPv6 Relay device) in the corresponding DHCPv6 messages. In the case of second-level address allocation, the BRAS configures the new address and its corresponding permissions; otherwise, only the permissions of the original IPv6 address need to be changed accordingly, for example by opening the Host's permission to access the Internet.
Step 207: When the Host needs to go offline, the authentication server obtains the user's offline information in real time and notifies the DHCPv6 Server. The DHCPv6 Server sends a RECONFIGURE message to the Host again, requiring it to reset the relevant IPv6 address and parameters, either restoring the Host to its state at step 201 or, as required, to a state in which the Host is disconnected from all connected networks.
Step 208: The Host can send a REQUEST, RENEW, or INFORMATION-REQUEST message as required and begin the corresponding DHCPv6 reset process. This step is the same as step 205 and is not described again.
Step 209: The DHCPv6 Server sends the relevant control information to the BRAS in DHCPv6 messages. According to the control information, the BRAS deletes the address permissions of the corresponding Host, or adjusts them accordingly, for example by revoking the Host's permission to access the Internet.
Below, the present invention is described in further detail with a specific embodiment that combines WEB authentication with network address allocation.
Fig. 3 shows a network diagram for network address allocation based on WEB authentication. A WEB user accesses the BRAS through a layer-2 device L2. The BRAS, the portal server (Portal server), the remote authentication server (RADIUS server), and the dynamic address allocation server (DHCPv6 server) are all connected to the network; the BRAS may have a built-in address pool, and the Portal server provides the web authentication page. Communication with the DHCPv6 server uses the DHCPv6 protocol; communication with the RADIUS server uses the RADIUS protocol; communication with the Portal server uses the portal protocol.
With reference to the network in Fig. 3 and the flow chart in Fig. 4, the method includes the following steps:
The user applies for an IPv6 address through the DHCPv6 protocol, and the DHCPv6 message is intercepted by the BRAS. The configuration information in the BRAS specifies how to handle a given user's request for an IPv6 address and which DHCPv6 server to apply to for the address. After receiving the DHCPv6 message, the BRAS selects the designated DHCPv6 server for the user according to its configuration information and, acting as a DHCPv6 relay, applies to that DHCPv6 server for an IPv6 address, obtaining a Local-Link (local) IPv6 address; alternatively, the BRAS can select an address for the user from its internal address pool.
When allocating the address, the BRAS also allocates resources for the user, such as a user table entry, an address resolution protocol table entry, a user log, and a flow matching table, and adds a subscriber policy. The subscriber policy includes the permissions allocated to the user, for example which web sites may and may not be accessed, what the user's traffic limit is, and which services the user is allowed to use, as well as the access control list (ACL), broadband address limitation CAR, user priority, quality of service (QoS), and so on. An example policy is "allow access to the Portal server and web site 1; deny access to web site 2; force access to the Portal server when the user accesses a web site that is not allowed", so that before authentication the user can access only designated addresses, such as the Portal server or a DNS server. Under this policy, if the user accesses web site 2 before authentication, the user is forced to the Portal server; if the user accesses web site 1, the access is allowed.
The user starts a browser and accesses the Portal server to reach the authentication page; if the user accesses some other address that is not allowed, the BRAS forces the user to the Portal server and the authentication page. After entering the user name and password, the user submits the authentication request, which is sent to the Portal server over HTTP for parsing.
The Portal server interacts with the BRAS through the portal protocol so that the BRAS obtains the user name and password.
The BRAS decides from the suffix of the user name whether to perform local authentication or RADIUS authentication; for RADIUS authentication, it sends the user name and password to the RADIUS server using the RADIUS protocol.
The RADIUS server authenticates using this user name and password and, when authentication completes, produces an authentication result. The authentication result must include an attribute indicating whether address allocation needs to be performed again, and also includes the user's authorization information, such as broadband address limitation CAR, the user's remaining online time, and user priority. The authentication result is notified to the DHCPv6 server.
If authentication succeeds and address allocation must be performed again, the DHCPv6 server sends a RECONFIGURE message to the user terminal, and the extended byte RECONFIGURE Option in the message specifies that the user terminal initiate a REQUEST message.
After receiving the RECONFIGURE message, the user terminal initiates a REQUEST message as instructed and performs the DHCPv6 reset. The DHCPv6 server allocates an IPv6 address that has permission to access other addresses (such as web site 2), together with the corresponding permissions, and sends them to the BRAS.
Acting as the relay, the BRAS returns the newly applied-for IPv6 address to the user.
After the user obtains the new IPv6 address, the BRAS refreshes the subscriber policy for the user so that the user can access the designated Global (network-wide) addresses, and the BRAS notifies the Portal server through the portal protocol that the user's IPv6 address has changed.
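The subscriber-policy handling on the BRAS in this embodiment, as an added Python example that is not code from the patent: a per-address policy table applies the pre-authentication policy (forward to permitted sites, force everything else to the Portal server) and, after second-level allocation, moves the subscriber to the new address. The class and method names and all addresses are constructed for illustration, and deleting the old address's entry on reassignment is an assumption about how the refresh is done.

```python
import ipaddress


class AccessServer:
    """Per-subscriber policy table keyed by the client's current IPv6 address."""

    def __init__(self, portal):
        self.portal = ipaddress.ip_address(portal)
        self.table = {}  # client address -> (allowed networks, force_portal flag)

    def add_policy(self, client, allowed, force_portal):
        """Install the subscriber policy when an address is handed out."""
        nets = [ipaddress.ip_network(n) for n in allowed]
        self.table[ipaddress.ip_address(client)] = (nets, force_portal)

    def decide(self, client, destination):
        """Return 'forward', 'redirect' (to the Portal server) or 'drop'."""
        entry = self.table.get(ipaddress.ip_address(client))
        if entry is None:
            return "drop"  # no subscriber entry for this source address
        nets, force_portal = entry
        dst = ipaddress.ip_address(destination)
        if dst == self.portal or any(dst in net for net in nets):
            return "forward"
        return "redirect" if force_portal else "drop"

    def reassign(self, old_client, new_client, allowed):
        """Second-level allocation: bind the subscriber's policy to the new address."""
        old = ipaddress.ip_address(old_client)
        if old not in self.table:
            raise KeyError("no subscriber entry for %s" % old_client)
        del self.table[old]  # assumption: the old address keeps no permissions
        self.add_policy(new_client, allowed, force_portal=False)


def walkthrough():
    """Replay the embodiment with constructed addresses; return each decision."""
    bras = AccessServer(portal="2001:db8::80")
    site1, site2 = "2001:db8:1::/64", "2001:db8:2::/64"
    old, new = "fe80::1234", "2001:db8:100::1234"
    # Before authentication: Portal server and web site 1 only.
    bras.add_policy(old, [site1], force_portal=True)
    before = (bras.decide(old, "2001:db8:1::5"), bras.decide(old, "2001:db8:2::5"))
    # After authentication and the REQUEST exchange: new address, wider permissions.
    bras.reassign(old, new, [site1, site2])
    after = (bras.decide(new, "2001:db8:2::5"), bras.decide(old, "2001:db8:2::5"))
    return before, after


if __name__ == "__main__":
    print(walkthrough())
```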
In the above embodiment, the network address allocated before authentication is a local IPv6 address, and a global IPv6 address is reallocated after authentication. In practice, the network addresses before and after authentication can both be global IPv6 addresses, to let the user switch between different ISPs. For example, before authentication the user belongs to operator 1 by default; the user's network address is allocated by operator 1, and the web sites the user can access are also determined by operator 1. If the user needs to switch operators, the user must pass operator 2's authentication to obtain the permissions granted by operator 2; after authentication succeeds, the network address allocated by operator 1 should therefore be released and an address allocated by operator 2 applied for.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement, and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. A second-level address allocation method, applied in an IPv6 network, characterized in that the method comprises the following steps:
A. The client interacts with the DHCPv6 server and obtains the IPv6 address allocated by the DHCPv6 server;
B. The client initiates an authentication request, the authentication server authenticates the client, and the authentication result is sent to the DHCPv6 server;
C. After obtaining the authentication result, the DHCPv6 server instructs the client, according to the authentication result, to reset the DHCPv6 process;
D. Following the instruction from the DHCPv6 server, the client interacts with the DHCPv6 server and obtains the IPv6 address reallocated by the DHCPv6 server.
2. The method according to claim 1, characterized in that it further involves an access server, through which the client accesses the IPv6 network;
Step A further comprises: adding a subscriber policy for the client on the access server;
Step D further comprises: updating the subscriber policy for the client on the access server;
The subscriber policy includes at least the permissions allocated to the user.
3. The method according to claim 2, characterized in that the permissions include at least one of the following:
addresses allowed to be accessed, addresses not allowed to be accessed, the user's traffic limit, and services allowed to be used.
4. The method according to claim 2, characterized in that the access server includes but is not limited to: a BRAS, a layer-3 switch, a router.
5. The method according to claim 1, characterized in that the authentication result in step B includes at least one of the following:
an attribute indicating that address allocation must be performed again, and an attribute indicating that the client's permissions must be modified.
6. The method according to claim 1, characterized in that, in step C, the client is instructed to reset the DHCPv6 process by using the RECONFIGURE Option field in the reconfigure message RECONFIGURE to instruct the client to initiate a REQUEST message.
7. The method according to claim 1, characterized in that the authentication server is an AAA server or a RADIUS server.
8. The method according to claim 1, characterized in that, when the client leaves the IPv6 network, the method further comprises, after step D:
the client releases the IPv6 address obtained in step D.
CN 200410097049 2004-12-21 2004-12-21 Method for distributing second level address Pending CN1798158A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410097049 CN1798158A (en) 2004-12-21 2004-12-21 Method for distributing second level address

Publications (1)

Publication Number Publication Date
CN1798158A true CN1798158A (en) 2006-07-05

Family

ID=36818912

Country Status (1)

Country Link
CN (1) CN1798158A (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145907B (en) * 2006-09-11 2010-05-12 华为技术有限公司 Method and system for user authentication based on DHCP
CN101252604B (en) * 2007-02-23 2012-02-08 国际商业机器公司 Equipment and method to add IPV6 and DHCP support to the network support package
US7991863B2 (en) 2007-07-25 2011-08-02 Huawei Technologies Co., Ltd Method and device for requesting and allocating connection point address
WO2009012709A1 (en) * 2007-07-25 2009-01-29 Huawei Technologies Co., Ltd. Method and device for requesting and distributing address of connection point
US8464321B2 (en) 2007-12-27 2013-06-11 Huawei Technologies Co., Ltd. Method for assigning network addresses, network and network node thereof
US9467447B2 (en) 2008-03-26 2016-10-11 Huawei Technologies Co., Ltd. Network access method, authentication method, communications system and relevant devices
US8925067B2 (en) 2008-03-26 2014-12-30 Huawei Technologies Co., Ltd Network access authentication
CN101547383B (en) * 2008-03-26 2013-06-05 华为技术有限公司 Access authentication method, access authentication system and related equipment
WO2009117960A1 (en) * 2008-03-26 2009-10-01 华为技术有限公司 Method for accessing network, authentication method, communication system and related equipment
US8594103B2 (en) 2008-03-26 2013-11-26 Huawei Technologies Co., Ltd. Network access method, authentication method, communications systems and relevant devices
CN101945144A (en) * 2010-09-14 2011-01-12 中兴通讯股份有限公司 IP address redistribution method and service node
CN102594939B (en) * 2012-02-16 2014-11-12 杭州华三通信技术有限公司 Secondary address allocation method and device
CN102594939A (en) * 2012-02-16 2012-07-18 杭州华三通信技术有限公司 Secondary address allocation method and device
CN104040985B (en) * 2012-11-16 2016-12-28 华为技术有限公司 Address method for reconfiguration, server and client side
CN104040985A (en) * 2012-11-16 2014-09-10 华为技术有限公司 Address reconfiguration method, server and client
CN104780233A (en) * 2014-01-14 2015-07-15 中国电信股份有限公司 Method, board-band network gateway and system for distributing IPv6 address field
CN104780233B (en) * 2014-01-14 2018-07-27 中国电信股份有限公司 Distribute method, wideband network gateway and the system of IPv6 address fields
CN114401249A (en) * 2021-12-08 2022-04-26 云南电网有限责任公司红河供电局 IPv6 address allocation method and system
CN114401249B (en) * 2021-12-08 2024-01-23 云南电网有限责任公司红河供电局 IPv6 address allocation method and system

Similar Documents

Publication Publication Date Title
US9301151B2 (en) Frequency spectrum allocation method, device and system
CN102036227B (en) Method, system and device for acquiring user identifier of data service
US7656873B2 (en) Method, a user terminal and a server for obtaining access locating information
CN101478576B (en) Method, apparatus and system for selecting service network
EP1089524A2 (en) System for supporting multiple Internet service providers on a single network
US10142159B2 (en) IP address allocation
CN101321073B (en) Multicast business authorization control method and device
US20190166210A1 (en) Method for accessing a content hosted on a server selected as a function of the location of the user terminal
CN108737585B (en) IP address allocation method and device
US7991856B2 (en) Network system
CN101651537B (en) Method and device for performing distributed security control in communication network system
CN101056178A (en) A method and system for controlling the user network access right
WO2020083288A1 (en) Safety defense method and apparatus for dns server, and communication device and storage medium
WO2018082310A1 (en) Ip address renewal method and apparatus
US20060047829A1 (en) Differentiated connectivity in a pay-per-use public data access system
CN1798158A (en) Method for distributing second level address
CN114257439B (en) Service scheduling method, AAA server and service supporting system
CN1553341A (en) Network address distributing method based on customer terminal
KR20070024116A (en) System for managing network service connection based on terminal aucthentication
US20080201477A1 (en) Client side replacement of DNS addresses
WO2010022535A1 (en) Method and device for transferring packet in ipv6 access node
KR100745434B1 (en) Differentiated connectivity in a pay-per-use public data access system
CN101945144A (en) IP address redistribution method and service node
KR100625240B1 (en) Apparatus and method of internet protocol address management in high speed portable internet
WO2009006770A1 (en) Method of p2p node management

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20060705