WO2008012471A2 - Method of access by a client to a service through a network, by combined use of a dynamic configuration protocol and of a point-to-point protocol, corresponding equipment and computer program


Info

Publication number: WO2008012471A2
Application number: PCT/FR2007/051717
Authority: WO (WIPO, PCT)
Prior art keywords: client, point, protocol, session, access
Other languages: French (fr)
Other versions: WO2008012471A3 (en)
Inventors: Ramzi El Khoury, Thierry Lejkin, Jean Paul Blanc
Original assignee: France Telecom

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • a method of client access to a service over a network by combined use of a dynamic configuration protocol and a point-to-point protocol, equipment and corresponding computer program.
  • the field of the invention is that of telecommunications, and more particularly fixed access networks. More specifically, the invention relates to a method of accessing a service by a client connected to an IP type network (for "Internet Protocol").
  • IP type network for "Internet Protocol"
  • ADSL: Asymmetric Digital Subscriber Line
  • a first known and widely used protocol for access to the Internet by means of a broadband connection is the point-to-point protocol, called PPP (Point-to-Point Protocol, or "Protocole point à point" in French).
  • PPP Point-to-Point Protocol
  • Such a PPP protocol is a connection protocol that provides a method for transporting multi-protocol datagrams over a point-to-point link between two remote elements. It consists of three main components: a method for encapsulating datagrams from several different protocols; a link control phase, called Link Control Protocol (LCP), for the establishment, configuration and testing of the data link connection; and finally a phase for the establishment and configuration of several network-layer protocols, as defined in the Open Systems Interconnection (OSI) model, called Network Control Protocols (NCPs), in particular the protocol called IPCP (Internet Protocol Control Protocol), used to establish and configure the IP layer and to assign and manage IP addresses.
  • LCP Link Control Protocol
  • NCPs Network Control Protocols
  • IPCP Internet Protocol Control Protocol
  • Such a PPP protocol is used on links carrying data packets between two remote elements and allowing bidirectional simultaneous communication.
  • This protocol proposes a common solution for the easy connection of a wide variety of hosts, bridges and routers.
  • the set of protocols contained in the PPP protocol makes possible, among other things, access control, of which user authentication is a component, and the assignment of IP addresses to the client terminals, and includes the notion of establishment and termination of sessions between a client and a server.
  • There are two types of PPP protocol, namely PPPoA for "PPP over ATM" and PPPoE for "PPP over Ethernet".
  • a point-to-point connection is established between a PPP client 1 and a PPP server called BAS 2 located in the network.
  • BAS Broadband Remote Access Server, or in French, "remote broadband access server”
  • Such a client 1 may consist for example of a residential gateway, or a user modem.
  • the BAS 2 server is also more generally called a RAS server
  • RAS Remote Access Server or in French, "server of remote access”
  • the BAS server 2 also performs a function for allocating IP addresses and DNS (Domain Name Server) settings, as well as a function for establishing and terminating PPP sessions.
  • the server BAS 2 can also cooperate with an authentication server 3 in charge of the authentication of the client 1.
  • the server BAS 2 can include a RADIUS client which establishes a dialogue with a RADIUS server 3 (Remote Authentication Dial-In User Service, or in French "remote authentication service of an incoming user") which provides the configuration parameters of each PPP client 1 based on the authentication or identification parameters associated with them.
  • RADIUS server 3: Remote Authentication Dial-In User Service, or in French "remote authentication service of an incoming user"
  • the server BAS 2 queries the RADIUS server 3 in order to authenticate the PPP client 1 and, if necessary, to open a PPP session.
  • This authentication phase implements, between client 1 and BAS 2, a PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) protocol.
  • PAP Password Authentication Protocol
  • CHAP Challenge Handshake Authentication Protocol
  • DSLAM: Digital Subscriber Line Access Multiplexer (or simply "DSL Access Multiplexer"), constituting an access node to the network R to which the BAS 2 is connected.
  • Closing a PPP session results in the break of the link established between the PPP client 1 and the BAS server 2.
  • Point-to-point protocols such as PPP therefore have the advantage of enabling the authentication of the client, which allows for example an Internet service provider to customize the type of access provided according to the identity of the customer in question (for example by providing a specific bit rate or nomadic services).
  • the use of centralized RAS servers does not allow multicast broadcasting of new content or new services because the bandwidth available on the IP collection network is not sufficient.
  • the PPP protocol operates point-to-point between the client and the PPP termination equipment constituted by the BAS server. In this segment, data streams can only be broadcast in unicast mode.
  • point-to-point protocols such as PPP require management of open connection contexts in clients. It is therefore necessary to have a device (namely the BAS) in the network which retains all the information (session identification, connection time, etc.) relating to the sessions opened by the clients. These functions are particularly heavy to manage and penalize very significantly the performance of the BAS servers, and all the more so as the duration of customer sessions tends to increase more and more. It is therefore necessary to increase the number of BAS servers in the network, to cope with the increasing demand from customers, which is problematic, the BAS servers being expensive equipment.
  • DHCP abbreviation for Dynamic Host Configuration Protocol
  • DHCP protocol is widely used and deployed in local and private networks. It is used by some telecom operators for the deployment of services such as ADSL television or video telephony.
  • DHCP is a client-server protocol that allows equipment that connects over a network to obtain configuration parameters such as an IP address allocated for a given lease time.
  • the DHCP protocol is defined in the document referenced RFC 2131 established by the IETF (RFC 2131: "Dynamic Host Configuration Protocol" - IETF Network Working Group - Editor: R. Droms).
  • a link is established between a DHCP client 1, embedded in the equipment, and a DHCP server 6 present in the network.
  • the configuration parameters of a DHCP client 1, such as its IP address are assigned for a specified duration called “lease", after which they are released and become available again to other users, which optimizes network resources.
  • a DHCP client 1 that sees its lease expire can request renewal from the DHCP server 6.
  • if the DHCP server 6 does not receive a lease renewal request from the DHCP client 1 before the lease expires, or if the lease is not extendable, it makes available again, at the end of the lease, the IP address it had assigned to this DHCP client 1.
  • in order to initialize a DHCP lease between a DHCP client 1 and a DHCP server 6, the DHCP server 6 must assign configuration parameters to the DHCP client 1. After assignment, the DHCP server 6 stores the configuration parameters of each DHCP client 1 for the duration of the lease or beyond. As in the case of FIG. 1, the data exchanged between the DHCP client 1 and the DHCP server 6 transit through a node 4, called DSLAM, constituting an access node to the network R to which the DHCP server 6 is connected.
  • DSLAM node 4
  • Dynamic configuration protocols such as DHCP therefore have the advantage of being lighter to implement, in that they do not require the introduction into the network of equipment (of BAS type) intended to manage the contexts of the open connections and to memorize the associated information.
  • RFC 3118 is an extension of the DHCP protocol allowing this protocol to offer authentication services through DHCP option 90 (RFC 3118: "Authentication for DHCP messages" - IETF Network Working Group - Editors: R. Droms, W. Arbaugh).
  • This protocol extension is based on the use of symmetric cryptographic keys, pre-shared and known by the DHCP client and the DHCP server.
  • This RADIUS request, which contains a set of configurable attributes, is passed to a RADIUS authentication server for client authentication.
  • a disadvantage of this technique lies in its lack of security, because, where such authentication is possible at all, the user name and password pass in the clear over the network between the client and the network.
  • this technique also requires significant licensing costs on the BAS equipment (which is called upon to generate the RADIUS requests), costs that are often unacceptable in the context of generalizing this type of solution to an operator network with a large number of clients.
  • there is therefore a need for a technique that combines the performance of a dynamic configuration protocol such as DHCP and the authentication functions of a point-to-point protocol such as PPP, while having a high level of security.
  • Such a technique must be suited to deployment on a network to which many users are connected.
  • the invention responds to this need by proposing a method of access by a client to a service through a network, said client being able to implement, for the establishment of an access session to said service, a point-to-point connection protocol (PPP) and a dynamic provisioning protocol of at least one configuration parameter, called dynamic configuration protocol (DHCP).
  • PPP point-to-point connection type
  • DHCP dynamic configuration protocol
  • such a method comprises the steps of: receiving a first request for establishing an access session conforming to said point-to-point protocol (PPP), called a point-to-point session, transmitted at the request of said client and intended for an authentication server
  • the invention is based on a completely new and inventive approach to the connection of a client to a network, including an IP type network.
  • the invention proposes to allow the client to attempt to establish an access session in point-to-point mode, and thus to be authenticated by an authentication server, which delivers a set of configuration parameters of the point-to-point session in case of successful authentication.
  • the invention offers the client the possibility of attempting to establish a connection according to a dynamic configuration protocol (for example of the DHCP type), by advantageously reusing the configuration parameters previously obtained from the authentication server as part of the establishment of the point-to-point session.
  • This reuse is of course conditioned by the verification of the authentication of the client, that is to say that it is verified that the client which connects in DHCP mode is the same as the one which was previously authenticated during the attempt to establish a PPP session.
  • the invention thus also benefits from the advantages of a DHCP type of connectivity, which does not require management of open connection contexts.
  • the method of the invention has a high level of security, insofar as the username (or login) and password of the client do not transit in the clear between the client and the network (indeed, in the particular case of the PPP protocol, the access server can impose on the clients the use of the CHAP authentication protocol, as will be seen in more detail later).
  • Such a method according to the invention is preferably implemented in an intermediate equipment of the network, located between a BAS access server and an authentication server, as will be seen in more detail in the remainder of this document.
  • PPP and DHCP protocols are cited as a simple illustrative and nonlimiting example.
  • the invention could also apply to any other type of protocol having characteristics identical or similar to those of PPP and DHCP.
  • the invention applies in particular to any point-to-point protocol having client authentication characteristics and to any dynamic configuration protocol that does not require management of the contexts of the connections opened by the clients.
  • the verification of the authentication of said client implements a comparison of a first identifier of said client, extracted from said first request and stored in relation to said at least one configuration parameter, and a second identifier of said client, extracted from said second request.
  • the intermediate equipment in which the method is implemented receives the first access request intended for the authentication server (for example an Access-Request for a RADIUS (Remote Authentication Dial-In User Service) server), and extracts the identifier of the client that it contains.
  • when it receives the authorization issued by the authentication server in the event of successful authentication of the client, it extracts the session configuration parameter(s) allocated by the authentication server to the client.
  • the identifier and the configuration parameters are stored in an open context for this client by the intermediate equipment of the invention.
  • on reception of the second access request, for example of the DHCP type, the intermediate equipment again extracts the client identifier that it contains (which is carried for example in option 82 of the DHCP protocol, contained in the request). It then compares it with the identifier previously stored in the open context for this client.
  • the intermediate equipment is then assured that the second request has been issued by the client previously authenticated by the authentication server, and can therefore transmit the configuration parameter (s) stored in the open context, and accept the second request.
  • said first and second identifiers belong to the group comprising: a client line identifier (CLID, for Calling Line Identifier); a username.
  • the CLID can easily be used in the context of the invention because it is inserted in the access requests transmitted by a BAS access server to an authentication server when establishing a PPP session. Similarly, it is also inserted in DHCP option 82 in DHCP requests forwarded from a DHCP client to a DHCP server.
  • the method of the invention comprises a step of opening a context associated with said client comprising at least said first identifier and said at least one configuration parameter, and a step of arming a timer associated with said context, at the end of which said context ceases to be active.
  • the intermediate equipment in which the method of the invention is implemented therefore opens a context containing the first identifier (for example the CLID), the configuration parameter or parameters (for example an IP address), and possibly the name of the device. user (or login) and his password. It then prepares to receive a second request of type DHCP.
  • This context remains active for a predetermined duration, so it is necessary that the second request reaches the intermediate equipment before the end of this predetermined period.
  • the method of the invention also comprises a step of filtering said authorization and a step of sending to said client a refusal to establish said point-to-point session, to trigger the transmission by said client of said second request.
  • the intermediate equipment in which the method of the invention is implemented blocks this authorization, and replaces it with a refusal message (for example of the Access-Reject type, which it sends to the BAS access server), which informs the client of the failure to establish the PPP session, so that the client, lured by the intermediate equipment, then takes the initiative to initiate a DHCP connection attempt.
  • the BAS server removes the PPP context associated with the client, which offloads it.
  • the interruption of the establishment of the point-to-point session could also be initiated voluntarily by the client, or detected by the client after a certain number of PPP connection attempts have remained unanswered, or after expiry of a predetermined time delay.
  • said at least one configuration parameter is an IP address allocated to said client for said access session. It is then this IP address, provided by the RADIUS server during the establishment of the PPP session, which is allocated to the client for the duration of the DHCP lease initiated thereafter.
  • These configuration parameters may also include a DNS server address, or any other parameter provided in DHCP exchanges, such as lease data, for example.
  • the invention also relates to an equipment of a network for access to a service by a client able to implement, for the establishment of an access session to said service, a point-to-point connection protocol ( PPP) and a dynamic provisioning protocol of at least one configuration parameter, called dynamic configuration protocol (DHCP).
  • PPP point-to-point connection protocol
  • DHCP dynamic configuration protocol
  • such an equipment comprises: means for receiving a first request for establishing an access session conforming to said point-to-point protocol, called a point-to-point session, sent at the request of said client and intended for an authentication server (RADIUS); means for receiving an authorization issued by said authentication server to said client, in case of authentication of said client by said authentication server; means for storing at least one configuration parameter (@ IP) of said point-to-point session extracted from said authorization; means for receiving a second request for establishing an access session conforming to said dynamic configuration protocol, sent by said client after termination of establishment of said point-to-point session; means for verifying the authentication of said client; means for sending to said client said at least one memorized configuration parameter, for establishing an access session conforming to said dynamic configuration protocol (DHCP).
  • DHCP dynamic configuration protocol
  • said means for verifying the authentication of said client comprise means for comparing a first identifier of said client, extracted from said first request and stored in relation to said at least one configuration parameter, and a second identifier of said client, extracted from said second request.
  • the invention also relates to a residential gateway enabling a client to access a service of a network, said residential gateway comprising means for implementing a point-to-point connection protocol and a protocol for dynamically providing at least one configuration parameter, called dynamic configuration protocol, for establishing an access session to said service.
  • such a residential gateway also comprises: means for transmitting a first request for establishing an access session conforming to said point-to-point protocol, called a point-to-point session; means, activated after termination of establishment of said point-to-point session, of transmission of a second request for establishment of an access session conforming to said dynamic configuration protocol; means for receiving at least one configuration parameter provided by an authentication server during the establishment of said point-to-point session, for establishing an access session conforming to said dynamic configuration protocol.
  • the residential gateway is therefore configured to attempt first to connect in PPP mode and, in case of failure of this attempt (on receipt of a failure message, or after several unsuccessful attempts for example), to attempt to connect in DHCP mode.
  • Such a residential gateway is therefore new and inventive compared to the gateways of the prior art which still only used one or the other of the two PPP and DHCP access methods. Thanks to this new gateway, the customer can benefit from the combined advantages of each of these two protocols.
  • Such a residential gateway may consist of a simple client modem.
  • the invention relates to a computer program comprising program code instructions for executing the steps of the method described above when said program is executed on a computer, as well as a computer-readable recording medium on which is registered such a program.
  • FIG. 3 illustrates the different data flows exchanged between the devices involved in the implementation of the method of the invention
  • FIG. 4 illustrates more precisely the message exchanges constituting the flows of FIG. 3
  • FIG. 5 shows in schematic form an intermediate equipment of PRSD type according to the invention.
  • the general principle of the invention is based on the sequential use by a client wishing to set up a service access session of two protocols, namely a point-to-point protocol (PPP) and then a dynamic configuration protocol (DHCP), and the reuse of configuration parameters (@ IP), obtained during the establishment of the point-to-point session, for the establishment of the connection according to the dynamic configuration protocol.
  • PPP point-to-point protocol
  • DHCP dynamic configuration protocol
  • IP configuration parameters
  • the invention is not limited to only the two PPP and DHCP protocols; in the remainder of this document, reference is made to the description of a particular embodiment of the invention in the context of these two protocols, for the sake of simplification.
  • the invention is therefore based on the introduction of a new device 7 into the network, which is called PRSD, and which fulfills a dual function of RADIUS proxy and DHCP server.
  • PRSD: new device 7 introduced into the network
  • Such equipment 7 is located between the broadband access server BAS 2 (which also acts as a DHCP relay) and the RADIUS server 3, which intervene in the establishment of the PPP session.
  • the technique of the invention can therefore be integrated into any existing network, without it being necessary to modify the equipment already in place, and in particular the servers access type BAS 2 or authentication servers 3 type RADIUS.
  • the technique of the invention is based solely on the addition of a platform PRSD 7, which is independent of the industrial equipment of the network, and on the adaptation of the customer connection kit 1, which is configured to connect first to PPP, then, in case of failure, to DHCP.
  • Client 1 (modem or residential gateway) initiates a PPP dialogue with the BAS 2 access server, using the PPP and PAP/CHAP protocols. It should be noted that the BAS 2 preferably uses the CHAP protocol, for security reasons, in order to avoid the transmission of sensitive information in the clear on the network.
  • the BAS 2 then initiates a RADIUS dialog 31, and sends an authentication request to the RADIUS server 3.
  • This authentication request 31 is intercepted by the PRSD, which extracts the identifier from the client line CLID to save it in a context that opens 32 for this client.
  • This context is intended to contain at least the following elements: login, password, CLID and @IP.
  • the PRSD 7 is then preparing to process a DHCP request from the same client.
  • the context remains active for a predetermined duration, for example of the order of 60 seconds.
  • the PRSD 7 sends the authentication request, in the form of a RADIUS request, to the RADIUS server 3.
  • after authentication of the client 1, the RADIUS server 3 sends 34 a RADIUS authorization (Access Accept) to the PRSD 7. Upon receipt of the authorization, the PRSD 7 saves the IP address proposed by the RADIUS server 3 in the context previously opened for the client 1. It then blocks the Access Accept and replaces it with a RADIUS refusal (Access Reject), which it then sends to the BAS 2, to signify a failure of the PPP connection attempt.
  • the BAS 2, which acts as a PPP server, transmits this failure notification to the client 1 in the form of a PPP message 37 of the "PAP/CHAP failure" type. It then removes the PPP context that it had previously opened for that client, thereby offloading itself of this task.
  • the client 1 is informed of the so-called failure of the PPP connection, and decides to initiate a DHCP connection attempt. It then sends a DHCP request 39 to BAS 2, which now acts as a DHCP relay.
  • This DHCP phase must begin no later than 60 seconds after the failure of its first PPP connection, so that the context of client 1 is still open in PRSD 7.
  • the BAS 2 simply forwards this DHCP request 310 to the PRSD 7, which verifies 311 the line identity of client 1, comparing the CLID saved 32 in the context previously opened with the elements identifying the line of client 1 in option 82 of the DHCP request received.
  • the PRSD 7 allocates the saved IP address 35 in the context previously opened. It sends a message 313 of DHCP acknowledgment, which is relayed 314 by the BAS 2 to the client 1.
  • a DHCP connection can therefore be established for the client 1, on the basis of the IP address allocated by the RADIUS server 3.
  • FIG. 4 illustrates in greater detail the different messages that can be exchanged between the client 1, the BAS 2, the PRSD 7 and the RADIUS server 3 in the context of the method of the invention.
  • These different messages are conventional messages of the PPP, DHCP or RADIUS protocols and will not be described here in more detail.
  • the steps of the method of the invention are determined by the instructions of a computer program 74 incorporated in the PRSD 7.
  • the program 74 includes program instructions which, when the program is executed by the processor 73 of the PRSD 7 whose operation is then controlled by the execution of the program 74, carry out the steps of the method according to the invention.
  • the invention also applies to a computer program 74, including a computer program recorded on or in a computer-readable information medium and any data processing device, adapted to implement the invention.
  • This program can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code such as in a partially compiled form, or in any other form desirable to implement the method according to the invention.
  • the information carrier may be any entity or device capable of storing the program.
  • the medium may comprise storage means or a recording medium 75 on which the computer program 74 according to the invention is recorded, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or a USB key, or a magnetic recording means, for example a floppy disk or a hard disk.
  • the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means.
  • the program according to the invention can in particular be downloaded over an Internet type network.
  • the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method according to the invention.
  • the code instructions of the computer program 74 are for example loaded into a RAM 75 before being executed by the processor of the processing unit 73.
  • the latter controls the RADIUS proxy module 71 and the DHCP server module 72.
  • the radius proxy module 71 receives and transmits data to the BAS server 2, and also exchanges data with an authentication server 3.
  • the DHCP server module 72 exchanges data with the client 1 , through the DHCP relay constituted by the BAS 2.
  • the memory 75 is also used for the backup of the context associated with the client 1.
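As an added example (not code from the patent or from France Telecom), the following Python model implements the PRSD behaviour described in the FIG. 3 flow above and in the identifier-comparison passages: it opens a context keyed by the CLID when the RADIUS Access-Request passes through, keeps the IP address allocated in the Access-Accept while answering the BAS with an Access-Reject, and serves the later DHCP request only when the option 82 line identifier matches a context that is still within its 60-second window. The class and function names, the dict-shaped RADIUS and DHCP messages, and the assumption that the CLID appears verbatim in the option 82 circuit-id sub-option (RFC 3046) are all hypothetical; the sample line identifiers and addresses are constructed.

```python
# Added example, not the patent's code: a minimal model of the PRSD
# (RADIUS proxy + DHCP server) context handling.  All names are hypothetical;
# RADIUS and DHCP messages are reduced to dicts/bytes so the logic runs offline.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CONTEXT_TTL_SECONDS = 60.0      # the patent's example context lifetime
SUBOPT_CIRCUIT_ID = 1           # RFC 3046 option 82 sub-option codes
SUBOPT_REMOTE_ID = 2


@dataclass
class ClientContext:
    """Context opened per client line: CLID, login, open time, allocated IP."""
    clid: str
    login: str
    opened_at: float
    ip: Optional[str] = None


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Parse the sub-option TLVs of a DHCP Relay Agent Information option.
    `payload` is the option value, i.e. the bytes after the code-82/length header."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated option 82 sub-option header")
        code, length = payload[i], payload[i + 1]
        i += 2
        if i + length > len(payload):
            raise ValueError("truncated option 82 sub-option value")
        subs[code] = payload[i:i + length]
        i += length
    return subs


def build_option82(circuit_id: bytes, remote_id: bytes = b"") -> bytes:
    """Build an option 82 value (constructed sample input for the demo)."""
    out = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        out += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return out


class PRSD:
    """RADIUS proxy + DHCP server.  Assumption: the CLID the BAS puts in the
    RADIUS Access-Request equals the option 82 circuit-id the relay inserts."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 ttl: float = CONTEXT_TTL_SECONDS) -> None:
        self.clock = clock
        self.ttl = ttl
        self.contexts: Dict[str, ClientContext] = {}

    # RADIUS proxy side: BAS -> PRSD -> RADIUS server
    def on_access_request(self, req: dict) -> dict:
        """Step 32: open a context keyed by CLID, then forward the request."""
        self.contexts[req["clid"]] = ClientContext(
            clid=req["clid"], login=req["user_name"], opened_at=self.clock())
        return req                  # forwarded unchanged to the RADIUS server

    def on_access_accept(self, clid: str, accept: dict) -> dict:
        """Step 35: keep the allocated IP; answer the BAS with Access-Reject."""
        ctx = self.contexts.get(clid)
        if ctx is not None:
            ctx.ip = accept["framed_ip_address"]
        return {"code": "Access-Reject"}   # the lure: client falls back to DHCP

    # DHCP server side: client -> BAS (relay) -> PRSD
    def on_dhcp_request(self, option82: bytes) -> Optional[dict]:
        """Steps 311-313: match option 82 circuit-id against a live context."""
        subs = parse_option82(option82)
        clid = subs.get(SUBOPT_CIRCUIT_ID, b"").decode("ascii", "replace")
        ctx = self.contexts.get(clid)
        if ctx is None or ctx.ip is None:
            return None             # no authenticated PPP attempt on this line
        if self.clock() - ctx.opened_at > self.ttl:
            del self.contexts[clid]  # timer expired: context no longer active
            return None
        return {"code": "DHCPACK", "yiaddr": ctx.ip}


def demo() -> dict:
    """Run the FIG. 3 sequence with a fake clock (constructed sample values)."""
    now = [0.0]
    prsd = PRSD(clock=lambda: now[0], ttl=60.0)
    prsd.on_access_request({"user_name": "alice@example", "clid": "dslam4/slot1/port7"})
    reject = prsd.on_access_accept("dslam4/slot1/port7",
                                   {"framed_ip_address": "10.20.30.40"})
    now[0] = 20.0
    same_line = prsd.on_dhcp_request(build_option82(b"dslam4/slot1/port7"))
    other_line = prsd.on_dhcp_request(build_option82(b"dslam4/slot1/port8"))
    now[0] = 61.0
    late = prsd.on_dhcp_request(build_option82(b"dslam4/slot1/port7"))
    return {"reject": reject, "same_line": same_line,
            "other_line": other_line, "late": late}


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible for a defender: the binding between the PPP authentication and the DHCP lease rests entirely on a line identifier inserted by network equipment (the BAS for the RADIUS request, the relay for option 82), so the check is only as strong as the guarantee that a subscriber cannot supply its own option 82 on the access line, which is why relays should strip or drop client-originated option 82; and the 60-second window is a hard limit, after which the context is discarded and the DHCP request is treated as unauthenticated (refused here).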

Abstract

Method of access by a client to a service through a network, by combined use of a dynamic configuration protocol and a point-to-point protocol, corresponding equipment and computer program. The invention relates to a method of access by a client (1) to a service through a network, said client being able to implement, for setting up an access session for said service, a connection protocol of PPP type and a DHCP type protocol. According to the invention, such a method comprises steps of: receiving a PPP session setup request, sent at the request of said client and intended for an authentication server (3); in the event of authentication of said client by the authentication server, reception of an authorization sent by said authentication server to said client, and storage of at least one configuration parameter for said point-to-point session extracted from said authorization; reception of a DHCP session setup request, sent by said client after said PPP session setup has been broken; after verification of the authentication of said client, sending to said client of said stored configuration parameter, for setting up a DHCP session.

Description

Method of access by a client to a service through a network, by combined use of a dynamic configuration protocol and a point-to-point protocol, and corresponding equipment and computer program.
1. Field of the invention
The field of the invention is that of telecommunications, and more particularly fixed access networks. More precisely, the invention concerns a method by which a client connected to an IP ("Internet Protocol") network accesses a service.
It applies in particular, but not exclusively, to the access of customers equipped with residential gateways to the networks of operators and/or Internet access providers, notably over broadband connections such as ADSL ("Asymmetric Digital Subscriber Line").
2. Prior art and its drawbacks
A first known and widely deployed protocol for Internet access over a broadband connection is the point-to-point protocol PPP (Point-to-Point Protocol).
PPP is a connection protocol that provides a method for transporting multi-protocol datagrams over a point-to-point link between two remote elements. It comprises three main components:
  • a method for encapsulating datagrams from several different protocols;
  • a link control phase, the Link Control Protocol (LCP), for establishing, configuring and testing the data-link connection;
  • finally, a family of Network Control Protocols (NCPs) for establishing and configuring several network-layer protocols, in the sense of the OSI (Open Systems Interconnection) model. In particular, the Internet Protocol Control Protocol (IPCP) is used to establish and configure the IP layer and to assign and manage IP addresses.
PPP is used on links that carry data packets between two remote elements and allow simultaneous bidirectional communication. It offers a common solution for easily connecting a wide variety of hosts, bridges and routers. The set of protocols contained in PPP provides, among other things, access control, of which user authentication is one component, and the assignment of IP addresses to client terminals, and includes the notion of establishing and terminating sessions between a client and a server. PPP is defined in RFC 1661 (RFC standing for Request For Comments) published by the IETF (Internet Engineering Task Force) (RFC 1661: "The Point-to-Point Protocol (PPP)", IETF Network Working Group, Editor: W. Simpson, July 1994).
Two variants of PPP are distinguished: PPPoA (PPP over ATM) and PPPoE (PPP over Ethernet).
With reference to Figure 1, when a session conforming to PPP (a PPP session) is established, a point-to-point link is set up between a PPP client 1 and a PPP server, called a BAS 2 (Broadband Remote Access Server), located in the network.
Such a client 1 may for example be a residential gateway or a user modem. The BAS server 2, also referred to more generally as a RAS server (Remote Access Server), performs the identification of the PPP client 1 by means of authentication mechanisms. The BAS server 2 also allocates IP addresses and DNS (Domain Name Server) parameters, and establishes and terminates PPP sessions.
The BAS server 2 may also cooperate with an authentication server 3 in charge of authenticating the client 1. The BAS server 2 may thus include a RADIUS client that dialogues with a RADIUS server 3 (Remote Authentication Dial-In User Service), which supplies the configuration parameters of each PPP client 1 on the basis of the authentication or identification parameters associated with it. Thus, when a PPP session is established, the BAS server 2 queries the RADIUS server 3 in order to authenticate the PPP client 1 and, if authentication succeeds, to open a PPP session. This authentication phase uses, between the client 1 and the BAS 2, a protocol of the PAP type (Password Authentication Protocol) or of the CHAP type (Challenge Handshake Authentication Protocol). Note that RADIUS, described in RFC 2865 published by the IETF, is one example among others of authentication protocols that can be implemented in the authentication server 3.
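The PAP/CHAP distinction drawn above, and the later remark that the access server can impose CHAP so that the password never travels in clear, as an added example (not code from the patent or from France Telecom): it builds a PAP Authenticate-Request and a CHAP Response for the same constructed credentials and shows what a passive observer between the client and the BAS sees in each. The user name, secret and challenge bytes are constructed; the CHAP computation is the MD5 one of RFC 1994 and the PAP payload layout that of RFC 1334.

```python
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge).
    The secret itself never appears in the Response packet."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with the stored secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Both strings travel in clear on the link."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response_packet(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response payload: Value-Size, Value, Name. Only the Name is readable."""
    value = chap_response(identifier, secret, challenge)
    return bytes([len(value)]) + value + name


def password_visible_on_wire(payload: bytes, password: bytes) -> bool:
    """What a passive observer on the DSLAM/BAS segment can do: search for the password bytes."""
    return password in payload


def demo() -> dict:
    # Constructed credentials and challenges; real challenges must be random and never reused.
    secret = b"correct horse battery"
    name = b"alice@isp.example"
    challenge1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    challenge2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    ident = 0x2A

    pap = pap_authenticate_request(name, secret)
    chap1 = chap_response_packet(ident, secret, challenge1, name)
    chap2 = chap_response_packet(ident, secret, challenge2, name)
    value1 = chap1[1:17]  # the 16-octet MD5 Value following the Value-Size octet

    return {
        "pap_leaks_password": password_visible_on_wire(pap, secret),
        "chap_leaks_password": password_visible_on_wire(chap1, secret),
        "chap_valid": chap_verify(ident, secret, challenge1, value1),
        "chap_wrong_secret": chap_verify(ident, b"guess", challenge1, value1),
        # A captured Response is useless against a different challenge.
        "chap_replay_other_challenge": chap_verify(ident, secret, challenge2, value1),
        "chap_responses_differ": chap1 != chap2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

CHAP keeps the password off the wire but not out of reach: an observer who captures a challenge and its response can test candidate passwords offline, and the authenticator must hold the secret in a form it can feed into MD5. Fresh, unpredictable challenges are what make replaying a captured response useless, which the last two results of `demo()` illustrate.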
The data exchanged between the client 1 and the BAS 2 pass through a node 4, called a DSLAM (Digital Subscriber Line Access Multiplexer), which constitutes the access node of the network R to which the BAS 2 is connected.
Closing a PPP session results in the breaking of the link established between the PPP client 1 and the BAS server 2.
Point-to-point protocols such as PPP therefore have the advantage of allowing the client to be authenticated, which for example lets an Internet access provider tailor the type of access provided to the identity of the client concerned (for example by supplying a specific bit rate or nomadic services).
The lack of flexibility of PPP, in particular for applications delivered by multicast and/or requiring distinct qualities of service, is however one of its main drawbacks.
Moreover, the use of centralized RAS servers does not allow new content or new services to be delivered in multicast mode, because the bandwidth available on the IP aggregation network is insufficient. Indeed, by construction, PPP operates point to point between the client and the PPP termination equipment, namely the BAS server. On this segment, data flows can therefore only be delivered in unicast mode.
Finally, point-to-point protocols such as PPP require the contexts of the connections opened by clients to be managed. Equipment (namely the BAS) that keeps all the information relating to the sessions opened by clients (session identifier, connection duration, and so on) is therefore needed in the network. These functions are particularly heavy to manage and significantly penalize the performance of BAS servers, all the more so as the duration of client sessions tends to grow. It therefore becomes necessary to increase the number of BAS servers in the network to cope with growing client demand, which is problematic since BAS servers are expensive equipment.
An alternative to point-to-point protocols such as PPP lies in the use of protocols that dynamically supply configuration parameters, such as DHCP (Dynamic Host Configuration Protocol). DHCP is widely used and deployed in local and private networks. It is in particular used by some telecommunications operators to deploy services such as television over ADSL or videotelephony.
DHCP is a client-server protocol that allows equipment connecting to a network to obtain configuration parameters such as an IP address allocated for a given lease duration. DHCP is defined in RFC 2131 published by the IETF (RFC 2131: "Dynamic Host Configuration Protocol", IETF Network Working Group, Editor: R. Droms).
With reference to Figure 2, when a piece of equipment connects to a network, a link is established between a DHCP client 1, embedded in the equipment, and a DHCP server 6 present in the network. With DHCP, the configuration parameters of a DHCP client 1, such as its IP address, are assigned for a fixed duration called a lease, at the end of which they are released and become available to other users again, which optimizes network resources. A DHCP client 1 whose lease is about to expire may, however, ask the DHCP server 6 to renew it. If the DHCP server 6 receives no renewal request from the DHCP client 1 before the lease expires, or if the lease cannot be extended, it makes the IP address it had assigned to that DHCP client 1 available again when the lease expires.
In order to initialize a DHCP lease between a DHCP client 1 and a DHCP server 6, the latter must assign configuration parameters to the DHCP client 1. After assignment, the DHCP server 6 stores the configuration parameters of each DHCP client 1 for the whole duration of the lease, or even beyond. As in the case of Figure 1, the data exchanged between the DHCP client 1 and the DHCP server 6 pass through a node 4, called a DSLAM, which constitutes the access node of the network R to which the DHCP server 6 is connected.
Dynamic configuration protocols such as DHCP therefore have the advantage of being lighter to implement, in that they do not require equipment (of the BAS type) to be introduced into the network to manage the contexts of open connections and store the associated information.
In return, this type of protocol has the drawback of not handling the authentication, accounting and authorization of client connections, which can be penalizing.
To overcome this drawback, the IETF published in RFC 3118 an extension of DHCP that lets the protocol offer authentication services through DHCP option 90 (RFC 3118: "Authentication for DHCP Messages", IETF Network Working Group, Editors: R. Droms, W. Arbaugh). This extension relies on the use of pre-shared symmetric cryptographic keys known to the DHCP client and the DHCP server.
However, distributing these keys turns out to be very complicated, since it requires one key per client. In an operator network serving several million clients, managing these keys becomes very complex. Thus, while DHCP option 90 is attractive in a simple private LAN, where a relatively limited number of clients is managed, it is not at all suited to an operator network serving a large number of clients.
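The delayed-authentication mode of RFC 3118 that the two preceding paragraphs refer to, as an added example (not code from the patent or from the RFC): a client builds a DHCPDISCOVER carrying option 90, a relay rewrites hops and giaddr as the BAS would, and the server looks the client's key up by secret ID, recomputes HMAC-MD5 and rejects tampering, unknown clients and replays. Message values, the key and the client table are constructed; the header layout is that of RFC 2131 and the option layout that of RFC 3118.

```python
import hashlib
import hmac
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236
OPT_MSG_TYPE, OPT_AUTH, OPT_END = 53, 90, 255
PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC = 1, 1, 0  # RFC 3118 "delayed authentication"
AUTH_OPT_LEN = 3 + 8 + 4 + 16  # proto/alg/rdm, replay value, secret ID, HMAC-MD5


def dhcp_header(op: int, xid: int, chaddr: bytes, hops: int = 0, giaddr: bytes = b"\0" * 4) -> bytes:
    """RFC 2131 fixed header: op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0)
    return hdr + b"\0" * 12 + giaddr + chaddr.ljust(16, b"\0") + b"\0" * 192


def option(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def zero_for_hmac(msg: bytes, mac_offset: int) -> bytes:
    """RFC 3118 section 5.2: 'hops', 'giaddr' and the MAC field itself are zeroed before
    computing HMAC-MD5, because relay agents rewrite the first two in transit."""
    m = bytearray(msg)
    m[3] = 0
    m[24:28] = b"\0" * 4
    m[mac_offset:mac_offset + 16] = b"\0" * 16
    return bytes(m)


def build_authenticated_discover(xid: int, chaddr: bytes, secret_id: int, key: bytes, counter: int) -> bytes:
    """Client side: DHCPDISCOVER carrying option 90 with a monotonic replay counter."""
    body = dhcp_header(1, xid, chaddr) + DHCP_MAGIC + option(OPT_MSG_TYPE, b"\x01")
    auth = bytes([PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC]) + struct.pack("!QI", counter, secret_id) + b"\0" * 16
    mac_offset = len(body) + 2 + AUTH_OPT_LEN - 16  # option code+len, then everything before the MAC
    msg = bytearray(body + option(OPT_AUTH, auth) + bytes([OPT_END]))
    msg[mac_offset:mac_offset + 16] = hmac.new(key, zero_for_hmac(bytes(msg), mac_offset), hashlib.md5).digest()
    return bytes(msg)


def relay_rewrite(msg: bytes, giaddr: bytes) -> bytes:
    """What a DHCP relay (here, the BAS) does to the message: hops += 1, giaddr set."""
    m = bytearray(msg)
    m[3] += 1
    m[24:28] = giaddr
    return bytes(m)


class AuthenticatingDhcpServer:
    """Server side. `keys` is the per-client table (secret ID -> key) whose provisioning
    at operator scale is the problem the text describes."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_counter = {}  # secret ID -> highest replay-detection value accepted

    def verify(self, msg: bytes):
        if len(msg) < FIXED_HEADER_LEN + 4 or msg[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
            return False, "not a DHCP message"
        i = FIXED_HEADER_LEN + 4
        while i + 1 < len(msg) and msg[i] != OPT_END:
            if msg[i] == 0:  # pad option has no length octet
                i += 1
                continue
            code, length = msg[i], msg[i + 1]
            data = msg[i + 2:i + 2 + length]
            if code == OPT_AUTH:
                return self._check_auth(msg, data, i + 2)
            i += 2 + length
        return False, "no authentication option"

    def _check_auth(self, msg: bytes, data: bytes, data_offset: int):
        if len(data) != AUTH_OPT_LEN or tuple(data[:3]) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC):
            return False, "unsupported authentication option"
        counter, secret_id = struct.unpack("!QI", data[3:15])
        key = self.keys.get(secret_id)
        if key is None:
            return False, "unknown secret ID %d" % secret_id
        expected = hmac.new(key, zero_for_hmac(msg, data_offset + 15), hashlib.md5).digest()
        if not hmac.compare_digest(expected, data[15:31]):
            return False, "bad MAC"
        # Replay is checked only after the MAC is good, so forgeries cannot advance the counter.
        if counter <= self.last_counter.get(secret_id, -1):
            return False, "replayed message"
        self.last_counter[secret_id] = counter
        return True, "authenticated"
```

The `keys` dictionary is where the scaling objection bites: every subscriber needs its own secret, delivered to the gateway out of band and kept in sync with the server, which is the distribution problem the text refers to. Zeroing `hops` and `giaddr` is what lets the message survive the BAS acting as relay without breaking the MAC.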
Certains équipementiers, conscients des inconvénients du protocole DHCP liés à l'absence d'authentification, proposent des équipements permettant aux clients de se connecter au réseau au moyen du protocole DHCP, tout en bénéficiant d'une authentification RADIUS. Pour ce faire, un serveur d'accès crée une requête RADIUS dès qu'il détecte qu'un utilisateur s'est connecté en DHCP. Cette requête RADIUS, qui contient un ensemble d'attributs configurables, est transmise à un serveur d'authentification RADIUS pour authentification du client.Some equipment manufacturers, aware of the drawbacks of DHCP due to the lack of authentication, offer equipment that allows clients to connect to the network using DHCP, while benefiting from RADIUS authentication. To do this, an access server creates a RADIUS request as soon as it detects that a user has connected to DHCP. This RADIUS request, which contains a set of configurable attributes, is passed to a RADIUS authentication server for client authentication.
Un inconvénient de cette technique réside dans son manque de sécurité, car le nom de l'utilisateur et son mot de passe transitent en clair sur le réseau entre le client et le réseau pour qu'une telle authentification soit rendue possible. De plus, cette technique nécessite des coûts de licence non négligeables sur les équipements BAS (sollicités pour générer les requêtes RADIUS) et souvent rédhibitoires dans le cadre d'une généralisation de ce type de solutions à un réseau d'opérateur comptant un grand nombre de clients. II existe donc un besoin d'une technique qui permette de pallier ces inconvénients de l'art antérieur. Notamment, il existe un besoin d'une technique qui allie les performances d'un protocole de configuration dynamique tel que DHCP et les fonctions d'authentification d'un protocole point à point tel que PPP, tout en présentant un niveau de sécurité élevé. Une telle technique doit être adaptée pour un déploiement sur un réseau auquel sont connectés de très nombreux usagers. 3. Exposé de l'inventionA disadvantage of this technique lies in its lack of security, because the user name and password pass in clear on the network between the client and the network for such authentication is made possible. In addition, this technique requires significant licensing costs on BAS equipment (solicited to generate RADIUS requests) and often unacceptable in the context of a generalization of this type of solutions to an operator network with a large number of clients. There is therefore a need for a technique that overcomes these disadvantages of the prior art. In particular, there is a need for a technique that combines the performance of a dynamic configuration protocol such as DHCP and the authentication functions of a point-to-point protocol such as PPP, while having a high level of security. Such a technique must be adapted for deployment on a network to which many users are connected. 3. Presentation of the invention
L'invention répond à ce besoin en proposant un procédé d'accès par un client à un service au travers d'un réseau, ledit client étant apte à mettre en œuvre, pour rétablissement d'une session d'accès audit service, un protocole de connexion de type point à point (PPP) et un protocole de fourniture dynamique d'au moins un paramètre de configuration, dit protocole de configuration dynamique (DHCP). Selon l'invention, un tel procédé comprend des étapes de: réception d'une première requête d'établissement d'une session d'accès conforme audit protocole de type point à point (PPP), dite session point à point, émise à la demande dudit client et destinée à un serveur d'authentificationThe invention responds to this need by proposing a method of access by a client to a service through a network, said client being able to implement, for restoration of an access session to said service, a protocol a point-to-point connection type (PPP) and a dynamic provisioning protocol of at least one configuration parameter, called dynamic configuration protocol (DHCP). According to the invention, such a method comprises the steps of: receiving a first request for establishing an access session conforming to said point-to-point protocol (PPP), called a point-to-point session, transmitted to the request of said client and intended for an authentication server
(RADIUS); en cas d'authentification dudit client par ledit serveur d'authentification, réception d'une autorisation émise par ledit serveur d'authentification à destination dudit client, et mémorisation d'au moins un paramètre de configuration (@ IP) de ladite session point à point extrait de ladite autorisation; réception d'une deuxième requête d'établissement d'une session d'accès conforme audit protocole de configuration dynamique (DHCP), émise par ledit client après rupture d'établissement de ladite session point à point; après vérification de l'authentification dudit client, envoi audit client dudit au moins un paramètre de configuration mémorisé, pour établissement d'une session d'accès conforme audit protocole de configuration dynamique (DHCP). Ainsi, l'invention repose sur une approche tout à fait nouvelle et inventive de la connexion d'un client à un réseau, notamment à un réseau de type IP. En effet, alors que dans l'art antérieur il était toujours nécessaire de faire un choix entre l'une des deux méthodes d'accès, à savoir un accès au réseau à travers une connectivité de type PPP ou un accès au réseau à travers une connectivité de type DHCP, l'invention propose de combiner astucieusement ces deux méthodes, de façon à permettre au client de bénéficier des avantages de chacune.(RADIUS); in case of authentication of said client by said authentication server, reception of an authorization issued by said authentication server to said client, and storage of at least one configuration parameter (@ IP) of said session point to point extracted from said authorization; receiving a second request for establishment of an access session compliant with said dynamic configuration protocol (DHCP), issued by said client after termination of establishment of said point-to-point session; after verifying the authentication of said client, sending said client at least one stored configuration parameter, for establishment of an access session conforming to said dynamic 
configuration protocol (DHCP). Thus, the invention is based on a completely new and inventive approach to the connection of a client to a network, including an IP type network. Indeed, then that in the prior art it was still necessary to choose between one of the two access methods, namely access to the network through PPP-type connectivity or network access through DHCP-type connectivity , the invention proposes to cleverly combine these two methods, so as to allow the customer to enjoy the benefits of each.
Pour ce faire, l'invention propose de permettre au client de tenter d'établir une session d'accès en mode point à point, et donc de se faire authentifier par un serveur d'authentification, qui délivre un ensemble de paramètres de configuration de la session point à point en cas d'authentification réussie. Le client bénéficie ainsi de tous les avantages de la connectivité de type PPP, liés à l'authentification initiale du client.To do this, the invention proposes to allow the client to attempt to establish an access session in point-to-point mode, and thus to be authenticated by an authentication server, which delivers a set of configuration parameters of the point-to-point session in case of successful authentication. The customer benefits from all the advantages of PPP connectivity, related to the initial authentication of the client.
Après rupture de l'établissement de la session point à point, l'invention offre la possibilité au client de tenter d'établir une connexion selon un protocole de configuration dynamique (par exemple de type DHCP), en réutilisant avantageusement les paramètres de configuration préalablement obtenus du serveur d'authentification dans le cadre de l'établissement de la session point à point. Cette réutilisation est bien sûr conditionnée par la vérification de l'authentification du client, c'est-à-dire qu'il est vérifié que le client qui se connecte en mode DHCP est bien le même que celui qui a été préalablement authentifié lors de la tentative d'établissement d'une session PPP.After termination of the establishment of the point-to-point session, the invention offers the client the possibility of attempting to establish a connection according to a dynamic configuration protocol (for example of the DHCP type), by advantageously reusing the configuration parameters previously obtained from the authentication server as part of the establishment of the point-to-point session. This reuse is of course conditioned by the verification of the authentication of the client, that is to say that it is verified that the client which connects in DHCP mode is the same as the one which was previously authenticated during the attempt to establish a PPP session.
L'établissement de la session point à point ayant préalablement échoué, le contexte ouvert pour ce client dans un équipement de type BAS a donc été refermé, libérant ainsi les ressources du serveur d'accès BAS, qui n'est donc pas surchargé inutilement.The establishment of the point-to-point session having previously failed, the context opened for this client in a BAS type equipment has been closed, releasing the resources of the BAS access server, which is not unnecessarily overloaded.
L'invention permet donc de bénéficier également des avantages d'une connectivité de type DHCP, qui ne nécessite pas de gestion des contextes des connexions ouvertes.The invention thus also benefits from the advantages of a DHCP type of connectivity, which does not require management of open connection contexts.
En outre, le procédé de l'invention présente une sécurité élevée, dans la mesure où les nom d'utilisateur (ou login) et mot de passe du client ne transitent pas en clair entre le client et le réseau (en effet, dans le cas particulier du protocole PPP, le serveur d'accès peut imposer aux clients l'utilisation du protocole d'authentification CHAP, comme on le verra plus en détail par la suite).In addition, the method of the invention has a high security, insofar as the username (or login) and password of the client do not transit in clear between the client and the network (indeed, in the In the special case of the PPP protocol, the access server can impose on the clients the use of the CHAP authentication protocol, as will be seen in more detail later).
Such a method according to the invention is preferably implemented in an intermediate equipment of the network, located between a BAS-type access server and an authentication server, as will be seen in more detail in the remainder of this document.
It will be noted that the PPP and DHCP protocols are cited purely as an illustrative and non-limiting example. The invention could equally apply to any other type of protocols having characteristics close or similar to those of PPP and DHCP. The invention applies in particular to any point-to-point type protocol providing client authentication and to any dynamic configuration protocol that does not require management of the contexts of the connections opened by clients.
Advantageously, the verification of the authentication of said client implements a comparison between a first identifier of said client, extracted from said first request and stored in association with said at least one configuration parameter, and a second identifier of said client, extracted from said second request.
Thus, when the intermediate equipment in which the method of the invention is implemented receives the first access request intended for the authentication server (for example an Access Request intended for a RADIUS server), it extracts from it the client identifier it contains. Likewise, when it receives the authorization issued by the authentication server upon successful authentication of the client, it extracts from it the session configuration parameter(s) allocated by the authentication server to the client. The identifier and the configuration parameters are stored in a context opened for this client by the intermediate equipment of the invention.
On receiving the second access request, for example of the DHCP type, the intermediate equipment again extracts the client identifier it contains (carried, for example, in option 82 of the DHCP protocol within the request). It then compares it with the identifier previously stored in the context opened for this client.
If they match, the intermediate equipment is then assured that the second request was indeed sent by the client previously authenticated by the authentication server, and it can therefore transmit to it the configuration parameter(s) stored in the open context and accept the second request.
According to an advantageous characteristic of the invention, said first and second identifiers belong to the group comprising: a client line identifier (CLID, for Calling Line Identifier); a user name.
Indeed, the CLID can readily be used in the context of the invention because it is inserted in the access requests transmitted by a BAS-type access server to an authentication server during the establishment of a PPP session. Likewise, it is also inserted in option 82 of the DHCP protocol in the DHCP requests transmitted from a DHCP client to a DHCP server.
Advantageously, the method of the invention comprises a step of opening a context associated with said client, comprising at least said first identifier and said at least one configuration parameter, and a step of arming a timer associated with said context, upon expiry of which said context ceases to be active.
The intermediate equipment in which the method of the invention is implemented therefore opens a context containing the first identifier (for example the CLID), the configuration parameter(s) (for example an IP address), and optionally the user name (or login) and its password. It then prepares to receive a second request of the DHCP type. This context remains active for a predetermined duration, so that the second request must reach the intermediate equipment before the end of this predetermined duration.
Such a timeout makes it possible to avoid needlessly overloading the intermediate equipment, by preventing unused contexts from remaining open for too long.
Advantageously, the method of the invention also comprises a step of filtering said authorization and a step of sending to said client a refusal to establish said point-to-point session, making it possible to trigger the sending by said client of said second request. Thus, when it receives the authorization from the authentication server (for example of the Access Accept type), the intermediate equipment in which the method of the invention is implemented blocks this authorization and replaces it with a refusal message (for example of the Access Reject type), which it sends to the BAS-type access server. The latter informs the client of the failure to establish the PPP session, so that the client, misled by the intermediate equipment, then takes the initiative of launching a DHCP connection attempt. In addition, the BAS server deletes the PPP context associated with the client, which relieves its load.
It will be noted that, as variants, the breaking off of the establishment of the point-to-point session could also be initiated voluntarily by the client, or detected by the client after a certain number of PPP connection attempts have gone unanswered, or after expiry of a timeout of predetermined duration.
Preferably, said at least one configuration parameter is an IP address allocated to said client for said access session. It is then this IP address, provided by the RADIUS server during the establishment of the PPP session, that is allocated to the client for the entire duration of the DHCP lease initiated subsequently. These configuration parameters may also include a DNS server address, or any other parameter provided for in DHCP exchanges, such as lease data for example.
The invention also relates to an equipment of a network for access to a service by a client, capable of implementing, for the establishment of an access session to said service, a point-to-point type connection protocol (PPP) and a protocol for dynamically providing at least one configuration parameter, called a dynamic configuration protocol (DHCP).
According to the invention, such an equipment comprises:
- means for receiving a first request for establishing an access session conforming to said point-to-point type protocol, called a point-to-point session, sent at the request of said client and intended for an authentication server (RADIUS);
- means for receiving an authorization issued by said authentication server for said client, in the event of authentication of said client by said authentication server;
- means for storing at least one configuration parameter (@IP) of said point-to-point session extracted from said authorization;
- means for receiving a second request for establishing an access session conforming to said dynamic configuration protocol, sent by said client after the establishment of said point-to-point session has been broken off;
- means for verifying the authentication of said client;
- means for sending to said client said at least one stored configuration parameter, for establishing an access session conforming to said dynamic configuration protocol (DHCP).
In the particular case of application of the invention to the PPP and DHCP protocols, such an equipment therefore plays the dual role of RADIUS proxy and DHCP server. It is therefore referred to in the remainder of this document as a PRSD (for Proxy RADIUS Serveur DHCP, i.e. RADIUS proxy and DHCP server). It is located between a point-to-point type access server (BAS) and the authentication server (RADIUS). According to an advantageous characteristic, said means for verifying the authentication of said client comprise means for comparing a first identifier of said client, extracted from said first request and stored in association with said at least one configuration parameter, and a second identifier of said client, extracted from said second request. The invention also relates to a residential gateway enabling a client to access a service of a network, said residential gateway comprising means for implementing a point-to-point type connection protocol and a protocol for dynamically providing at least one configuration parameter, called a dynamic configuration protocol, for establishing an access session to said service.
According to the invention, such a residential gateway also comprises:
- means for sending a first request for establishing an access session conforming to said point-to-point type protocol, called a point-to-point session;
- means, activated after the establishment of said point-to-point session has been broken off, for sending a second request for establishing an access session conforming to said dynamic configuration protocol;
- means for receiving at least one configuration parameter provided by an authentication server during the establishment of said point-to-point session, for establishing an access session conforming to said dynamic configuration protocol.
The residential gateway is therefore configured to first attempt to connect in PPP mode and then, if this attempt fails (on receipt of a failure message, or after several unsuccessful attempts, for example), to attempt to connect in DHCP mode. Such a residential gateway is therefore novel and inventive compared with the gateways of the prior art, which always used only one or the other of the two access methods PPP and DHCP. Thanks to this new gateway, the client can therefore benefit from the combined advantages of each of these two protocols.
It will be noted that such a residential gateway may consist of a simple client modem.
Finally, the invention relates to a computer program comprising program code instructions for executing the steps of the method described above when said program is run on a computer, as well as a computer-readable recording medium on which such a program is recorded.
4. List of figures
Other advantages and characteristics of the invention will become more clearly apparent on reading the following description of a particular embodiment of the invention, given purely as an illustrative and non-limiting example, and of the appended drawings, among which:
- figure 1, already discussed in relation to the prior art, shows the various equipment involved in the establishment of a PPP-type access session;
- figure 2, already discussed in relation to the prior art, illustrates the various equipment involved in the establishment of a DHCP-type access session;
- figure 3 illustrates the various data flows exchanged between the equipment involved in implementing the method of the invention;
- figure 4 illustrates more precisely the message exchanges making up the flows of figure 3;
- figure 5 shows in schematic form an intermediate equipment of the PRSD type according to the invention.
5. Description of a particular embodiment of the invention
The general principle of the invention rests on the sequential use, by a client wishing to establish an access session to a service, of two protocols, namely a point-to-point type protocol (PPP) and then a dynamic configuration protocol (DHCP), and on the reuse of configuration parameters (@IP), obtained during the establishment of the point-to-point session, for establishing the connection conforming to the dynamic configuration protocol.
Although the invention is not limited to the two protocols PPP and DHCP alone, the remainder of this document is confined, for the sake of simplicity, to the description of a particular embodiment of the invention in the context of these two protocols. The particular case is further considered in which client authentication is performed by means of the RADIUS protocol. With reference to figure 3, the invention therefore rests on the introduction into the network of a new equipment 7, called PRSD, which fulfils the dual function of RADIUS proxy and DHCP server. Such an equipment 7 sits between the broadband access server BAS 2 (which also acts as the DHCP relay) and the RADIUS server 3, which are involved in the establishment of the PPP session. Unlike certain so-called "proprietary" solutions offered by equipment vendors, the technique of the invention can therefore be integrated into any existing network without it being necessary to modify the equipment already in place, in particular the BAS-type access servers 2 or the RADIUS-type authentication servers 3. Indeed, the technique of the invention relies solely on the addition of a PRSD platform 7, which is independent of the network's vendor equipment, and on the adaptation of the client connection kit 1, which is configured to connect first in PPP and then, on failure, in DHCP.
The method of the invention can be summarized by the flow diagram of figure 3. The client 1 (modem or residential gateway) initiates 30 a PPP dialogue with the access server BAS 2, by means of the PPP and PAP/CHAP protocols. It will be noted that the BAS 2 preferably uses the CHAP protocol, for security reasons, so as to avoid transmitting sensitive information in the clear over the network. The BAS 2 then begins a RADIUS dialogue 31 and sends an authentication request intended for the RADIUS server 3. This authentication request 31 is intercepted by the PRSD, which extracts from it the client line identifier CLID and saves it in a context that it opens 32 for this client. This context is intended to contain at least the following elements: login, password, CLID and @IP. The PRSD 7 then prepares to process a DHCP request from this same client. The context remains active for a predetermined duration, for example of the order of 60 seconds. The PRSD 7 forwards 33 the authentication request, in the form of a RADIUS request, to the RADIUS server 3.
After authentication of the client 1, the RADIUS server 3 sends 34 a RADIUS authorization request to the PRSD 7. On receipt of the authorization, the PRSD 7 saves 35 the IP address proposed by the RADIUS server 3 in the context previously opened for the client 1. It then blocks the authorization (Access Accept) and replaces it 36 with a RADIUS reject request (Access Reject), which it then sends to the BAS 2 to signal a failure of the PPP connection attempt. The BAS 2, which acts as the PPP server, passes this failure notification on to the client 1 in the form of a PPP message 37 of the "PAP/CHAP failure" type. It then deletes the PPP context it had previously opened for this client, thereby relieving itself of this task.
In a step referenced 38, the client 1 is thus informed of the supposed failure of the PPP connection and decides to launch a DHCP connection attempt. It then sends a DHCP request 39 to the BAS 2, which now acts as the DHCP relay. This DHCP phase must begin no later than 60 seconds after the failure of its first PPP connection, so that the context of the client 1 is still open in the PRSD 7. The BAS 2 simply forwards this DHCP request 310 to the PRSD 7, which verifies 311 the line identity of the client 1 by comparing the CLID saved 32 in the previously opened context with the elements identifying the line of the client 1 contained in option 82 of the received DHCP request.
If the comparison succeeds, the PRSD 7 allocates 312 the IP address saved 35 in the previously opened context. It sends a DHCP acknowledgement message 313, which is relayed 314 by the BAS 2 to the client 1.
A DHCP connection can therefore be established for the client 1 on the basis of the IP address allocated 34 by the RADIUS server 3.
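The context handling of the PRSD described above (steps 31 to 314 of figure 3, and the identifier comparison and timer introduced earlier in the summary) as an added simulation that is not part of the patent: messages are simplified dicts rather than real RADIUS or DHCP encodings, it is assumed that the CLID travels in the RADIUS Calling-Station-Id attribute and in the option 82 circuit-id sub-option, and the 60-second context lifetime is the value given in the description.

```python
"""Constructed simulation of the PRSD (RADIUS proxy + DHCP server) context logic.
Not the patent's code: message fields and attribute names are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional

CONTEXT_LIFETIME_S = 60.0  # "of the order of 60 seconds" in the description


@dataclass
class Context:
    """Step 32: what the PRSD remembers for one line between the PPP and DHCP phases."""
    clid: str
    login: str
    opened_at: float
    ip: Optional[str] = None   # filled in at step 35 from the Access-Accept
    dns: Optional[str] = None  # optional extra parameter the DHCP lease may carry

    def active(self, now: float) -> bool:
        return now - self.opened_at < CONTEXT_LIFETIME_S


class Prsd:
    """Sits between the BAS (RADIUS client and DHCP relay) and the RADIUS server."""

    def __init__(self) -> None:
        self.contexts: Dict[str, Context] = {}  # keyed on the CLID
        self.radius_log: list = []              # what was forwarded or replaced

    def _expire(self, now: float) -> None:
        """The timer of the description: drop contexts that outlived their lifetime."""
        for clid in [c for c, ctx in self.contexts.items() if not ctx.active(now)]:
            del self.contexts[clid]

    def on_access_request(self, req: dict, now: float) -> dict:
        """Steps 31-33: extract the CLID, open a context, forward the request unchanged."""
        self._expire(now)
        clid = req["calling_station_id"]  # assumed carrier of the CLID (Calling-Station-Id)
        self.contexts[clid] = Context(clid=clid, login=req["user_name"], opened_at=now)
        self.radius_log.append(("forward", req))
        return req

    def on_access_accept(self, accept: dict, now: float) -> dict:
        """Steps 34-36: save the allocated IP, then hand the BAS an Access-Reject instead."""
        self._expire(now)
        ctx = self.contexts.get(accept["calling_station_id"])
        if ctx is not None:
            ctx.ip = accept["framed_ip_address"]  # assumed carrier: Framed-IP-Address
            ctx.dns = accept.get("dns_server")
        reject = {"code": "Access-Reject", "calling_station_id": accept["calling_station_id"]}
        self.radius_log.append(("replace", reject))
        return reject  # the BAS turns this into a PAP/CHAP failure towards the client

    def on_dhcp_request(self, dhcp: dict, now: float) -> Optional[dict]:
        """Steps 310-313: compare option 82 with the stored CLID; allocate the saved IP or refuse."""
        self._expire(now)
        line = dhcp.get("option82", {}).get("circuit_id")
        ctx = self.contexts.get(line)
        if ctx is None or ctx.clid != line:
            return None  # unknown or expired line, or identity mismatch: no lease
        if ctx.ip is None:
            return None  # PPP authentication never completed: nothing to reuse
        del self.contexts[line]  # single use: the context has served its purpose
        ack = {"op": "DHCPACK", "yiaddr": ctx.ip}
        if ctx.dns:
            ack["dns"] = ctx.dns
        return ack


def run_client(prsd: Prsd, clid: str, login: str, ip: str, t0: float,
               dhcp_delay: float, dhcp_line: Optional[str] = None) -> Optional[dict]:
    """Residential-gateway behaviour of the description: PPP first, DHCP after the failure.
    The RADIUS server is modelled as always authenticating the client; dhcp_line lets a
    scenario present option 82 for a different line than the one that authenticated."""
    prsd.on_access_request({"user_name": login, "calling_station_id": clid}, t0)
    reply = prsd.on_access_accept({"code": "Access-Accept", "calling_station_id": clid,
                                   "framed_ip_address": ip, "dns_server": "10.0.0.53"},
                                  t0 + 0.5)
    assert reply["code"] == "Access-Reject"  # client sees "PAP/CHAP failure" (step 37)
    dhcp = {"op": "DHCPREQUEST", "option82": {"circuit_id": dhcp_line or clid}}
    return prsd.on_dhcp_request(dhcp, t0 + dhcp_delay)


if __name__ == "__main__":
    print(run_client(Prsd(), "line-001", "alice", "10.0.0.7", 0.0, 10.0))   # lease granted
    print(run_client(Prsd(), "line-002", "bob", "10.0.0.8", 0.0, 10.0, "line-999"))  # None
    print(run_client(Prsd(), "line-003", "carol", "10.0.0.9", 0.0, 75.0))   # expired: None
```

The three scenarios in the main block show the lease being granted within the window, refused when option 82 names a line other than the one that authenticated, and refused once the 60-second timer has run out.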
Figure 4 illustrates in more detail the various messages that may be exchanged between the client 1, the BAS 2, the PRSD 7 and the RADIUS server 3 in the context of the method of the invention. These messages are standard PPP, DHCP or RADIUS protocol messages and will therefore not be described here in further detail.
According to one implementation, illustrated in figure 5, the steps of the method of the invention are determined by the instructions of a computer program 74 incorporated in the PRSD 7. The program 74 comprises program instructions which, when the program is executed by the processor 73 of the PRSD 7, whose operation is then controlled by the execution of the program 74, carry out the steps of the method according to the invention. Consequently, the invention also applies to a computer program 74, in particular a computer program recorded on or in a computer-readable information medium and any data processing device, suited to implementing the invention. This program may use any programming language and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other form desirable for implementing the method according to the invention.
The information medium may be any entity or device capable of storing the program. For example, the medium may comprise a storage means or recording medium 75 on which the computer program 74 according to the invention is recorded, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or else a USB key, or a magnetic recording means, for example a floppy disk or a hard disk.
Moreover, the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means. The program according to the invention may in particular be downloaded over an Internet-type network. Alternatively, the information medium may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute, or to be used in the execution of, the method according to the invention.
At initialization, the code instructions of the computer program 74 are, for example, loaded into a RAM 75 before being executed by the processor of the processing unit 73. The latter drives the RADIUS proxy module 71 and the DHCP server module 72. As indicated above, the RADIUS proxy module 71 receives data from and sends data to the BAS server 2, and also exchanges data with an authentication server 3. The DHCP server module 72, for its part, exchanges data with the client 1 through the DHCP relay constituted by the BAS 2.
The memory 75 is also used to save the context associated with the client 1.

Claims

1. A method of access by a client (1) to a service through a network, said client being able to implement, for the establishment of an access session to said service, a point-to-point connection protocol and a protocol for dynamically providing at least one configuration parameter, called a dynamic configuration protocol, characterized in that it comprises the steps of:
- receiving a first request (31) for establishing an access session conforming to said point-to-point protocol, called a point-to-point session, sent at the request of said client (1) and intended for an authentication server (3);
- in the event of authentication of said client (1) by said authentication server (3), receiving an authorization (34) issued by said authentication server for said client, and storing (35) at least one configuration parameter (@IP) of said point-to-point session extracted from said authorization;
- receiving a second request (310) for establishing an access session conforming to said dynamic configuration protocol, sent by said client after establishment of said point-to-point session has been broken off;
- after verification (311) of the authentication of said client, sending (313, 314) to said client said at least one stored configuration parameter, for establishing an access session conforming to said dynamic configuration protocol (DHCP).
2. The access method according to claim 1, characterized in that the verification of the authentication of said client implements a comparison of a first identifier of said client, extracted from said first request and stored in relation with said at least one configuration parameter, and a second identifier of said client, extracted from said second request.
3. The access method according to claim 2, characterized in that said first and second identifiers belong to the group comprising:
- a client line identifier (CLID);
- a user name.
4. The method according to any one of claims 2 and 3, characterized in that it comprises a step of opening a context associated with said client, comprising at least said first identifier and said at least one configuration parameter, and a step of arming a timer associated with said context, at the expiry of which said context ceases to be active.
5. The access method according to any one of claims 1 to 3, characterized in that it also comprises a step of filtering said authorization and a step of sending (36) to said client a refusal of establishment of said point-to-point session, making it possible to trigger the sending by said client of said second request.
6. The access method according to any one of claims 1 to 4, characterized in that said at least one configuration parameter is an IP address allocated to said client for said access session.
7. Equipment (7) of a network for access to a service by a client (1) able to implement, for the establishment of an access session to said service, a point-to-point connection protocol (PPP) and a protocol for dynamically providing at least one configuration parameter, called a dynamic configuration protocol (DHCP), characterized in that it comprises:
- means for receiving a first request for establishing an access session conforming to said point-to-point protocol, called a point-to-point session, sent at the request of said client and intended for an authentication server (RADIUS);
- means for receiving an authorization issued by said authentication server for said client, in the event of authentication of said client by said authentication server;
- means for storing at least one configuration parameter (@IP) of said point-to-point session extracted from said authorization;
- means for receiving a second request for establishing an access session conforming to said dynamic configuration protocol, sent by said client after establishment of said point-to-point session has been broken off;
- means for verifying the authentication of said client;
- means for sending to said client said at least one stored configuration parameter, for establishing an access session conforming to said dynamic configuration protocol (DHCP).
8. The equipment according to claim 7, characterized in that said means for verifying the authentication of said client comprise means for comparing a first identifier of said client, extracted from said first request and stored in relation with said at least one configuration parameter, and a second identifier of said client, extracted from said second request.
9. A residential gateway (1) allowing a client to access a service of a network, said residential gateway comprising means for implementing a point-to-point connection protocol and a protocol for dynamically providing at least one configuration parameter, called a dynamic configuration protocol, for the establishment of an access session to said service, characterized in that it also comprises:
- means for sending a first request for establishing an access session conforming to said point-to-point protocol, called a point-to-point session;
- means, activated after establishment of said point-to-point session has been broken off, for sending a second request for establishing an access session conforming to said dynamic configuration protocol;
- means for receiving at least one configuration parameter provided by an authentication server during the establishment of said point-to-point session, for establishing an access session conforming to said dynamic configuration protocol.
10. A computer program (74) comprising program code instructions for executing the steps of the method according to any one of claims 1 to 6 when said program is run on a computer.
11. A computer-readable recording medium on which is recorded a computer program comprising instructions for executing the steps of the access method according to any one of claims 1 to 6.
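The PRSD-side logic of claims 1 to 6 (store the @IP from the PPP authorization, filter it into a refusal, then release the stored address only to a DHCP request whose identifier matches the context and whose timer has not expired), as an added Python example that is not the patent's own code. The message field names (`line_id`, `framed_ip`, `yiaddr`), the 60-second context lifetime and the sample line identifiers are assumptions; the messages are constructed dicts standing in for the RADIUS and DHCP exchanges of figures 3 and 4.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed lifetime of a client context (the timer of claim 4); the patent
# gives no value.
CONTEXT_TTL_SECONDS = 60.0


@dataclass
class ClientContext:
    """Context opened for a client after a successful PPP authentication."""
    line_id: str        # first identifier (CLID), taken from the first request (31)
    ip_address: str     # configuration parameter (@IP) extracted from the authorization (34)
    expires_at: float   # context ceases to be active at this time (claim 4)


class Prsd:
    """RADIUS proxy + DHCP server equipment of claim 7, reduced to claims 1 to 6."""

    def __init__(self, ttl: float = CONTEXT_TTL_SECONDS) -> None:
        self.ttl = ttl
        self.contexts: Dict[str, ClientContext] = {}

    def on_ppp_authorization(self, access_request: dict, access_accept: dict,
                             now: float) -> dict:
        """Steps 34 to 36: the authentication server accepted the client.

        The @IP is stored (35) in a context keyed by the line identifier of the
        first request, the timer is armed, and the authorization is filtered:
        the BAS receives a refusal (36) so that the client abandons PPP and
        sends a DHCP request instead (claim 5).
        """
        line_id = access_request["line_id"]
        self.contexts[line_id] = ClientContext(
            line_id=line_id,
            ip_address=access_accept["framed_ip"],
            expires_at=now + self.ttl,
        )
        # Constructed message standing in for a RADIUS Access-Reject.
        return {"type": "Access-Reject", "line_id": line_id}

    def on_dhcp_request(self, dhcp_request: dict, now: float) -> Optional[dict]:
        """Steps 310 to 314: verify the client, then hand out the stored @IP.

        Verification (311, claim 2) compares the second identifier carried by
        the DHCP request with the first identifier stored in the context.
        Returns None when no active context matches.
        """
        line_id = dhcp_request["line_id"]
        ctx = self.contexts.get(line_id)
        if ctx is None:
            return None  # no authenticated PPP attempt known for this line
        if now >= ctx.expires_at:
            del self.contexts[line_id]  # timer expired: context no longer active
            return None
        # Constructed message standing in for the DHCP offer/ack (313, 314).
        return {"type": "DHCPACK", "line_id": line_id, "yiaddr": ctx.ip_address}


def run_scenario() -> dict:
    """Replay the exchange of figure 3 on constructed messages."""
    prsd = Prsd(ttl=60.0)
    reject = prsd.on_ppp_authorization(
        {"line_id": "dsl-line-0042", "user": "alice"},  # first request (31), constructed
        {"framed_ip": "192.0.2.17"},                     # authorization (34), constructed
        now=0.0,
    )
    granted = prsd.on_dhcp_request({"line_id": "dsl-line-0042"}, now=5.0)
    unknown = prsd.on_dhcp_request({"line_id": "dsl-line-0099"}, now=5.0)
    expired = prsd.on_dhcp_request({"line_id": "dsl-line-0042"}, now=61.0)
    return {"reject": reject, "granted": granted,
            "unknown": unknown, "expired": expired}


if __name__ == "__main__":
    for name, msg in run_scenario().items():
        print(f"{name}: {msg}")
```

The point worth noticing is where the security of the hand-over rests: the DHCP session inherits the PPP authentication only through the identifier comparison and the timer. A DHCP request from a different line within the window receives nothing because the identifier does not match, and once the timer expires the context is discarded rather than reused, so a stored address cannot be handed out indefinitely on the strength of one old authentication.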
PCT/FR2007/051717 2006-07-28 2007-07-25 Method of access by a client to a service through a network, by combined used of a dynamic configuration protocol and of a point-to-point protocol, corresponding equipment and computer program WO2008012471A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0653161A FR2904503A1 (en) 2006-07-28 2006-07-28 METHOD OF CUSTOMER ACCESS TO SERVICE THROUGH A NETWORK, BY COMBINED USE OF A DYNAMIC CONFIGURATION PROTOCOL AND POINT-TO-POINT PROTOCOL, CORRESPONDING COMPUTER EQUIPMENT AND PROGRAM
FR0653161 2006-07-28

Publications (2)

Publication Number Publication Date
WO2008012471A2 true WO2008012471A2 (en) 2008-01-31
WO2008012471A3 WO2008012471A3 (en) 2008-03-20

Family

ID=37714536

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FR2007/051717 WO2008012471A2 (en) 2006-07-28 2007-07-25 Method of access by a client to a service through a network, by combined used of a dynamic configuration protocol and of a point-to-point protocol, corresponding equipment and computer program

Country Status (2)

Country Link
FR (1) FR2904503A1 (en)
WO (1) WO2008012471A2 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103825901B (en) * 2014-03-04 2017-11-10 新华三技术有限公司 A kind of method for network access control and equipment
CN107087312A (en) * 2017-05-23 2017-08-22 迈普通信技术股份有限公司 Full-mesh network creating method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023160A1 (en) * 2000-03-20 2002-02-21 Garrett John W. Service selection in a shared access network providing access control
WO2005060208A1 (en) * 2003-12-16 2005-06-30 Telefonaktiebolaget Lm Ericsson (Publ) Ethernet dsl access multiplexer and method providing dynamic service selection and end-user configuration
EP1571781A1 (en) * 2004-03-03 2005-09-07 France Telecom Sa Proccess and system for authenticating a client for access to a virtual network giving access to services.

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2451125A1 (en) * 2009-07-28 2012-05-09 ZTE Corporation Method and system for realizing network topology discovery
EP2451125A4 (en) * 2009-07-28 2014-07-02 Zte Corp Method and system for realizing network topology discovery
CN110855596A (en) * 2018-08-20 2020-02-28 中兴通讯股份有限公司 Communication connection method and device, communication equipment and computer readable storage medium
CN110855596B (en) * 2018-08-20 2022-03-04 中兴通讯股份有限公司 Communication connection method and device, communication equipment and computer readable storage medium

Also Published As

Publication number Publication date
FR2904503A1 (en) 2008-02-01
WO2008012471A3 (en) 2008-03-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07823634; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase (Ref country code: DE)
NENP Non-entry into the national phase (Ref country code: RU)
122 Ep: pct application non-entry in european phase (Ref document number: 07823634; Country of ref document: EP; Kind code of ref document: A2)