WO2011140919A1 - Method, device, server and system for accessing service wholesale network - Google Patents

Publication number
WO2011140919A1
Authority
WO
WIPO (PCT)
Prior art keywords
ipoe
authentication
user terminal
information
bras
Application number
PCT/CN2011/073409
Inventor
钱国锋
赵志旺
李猛
陈艺彪
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H04L12/2872 Termination of subscriber connections
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the foregoing method for implementing two-level operator management for an IPOE user terminal may be implemented by assigning an IP address to the IPOE user terminal in the first embodiment and the second embodiment, and the IPOE user terminal accessing the service wholesale network is successful.
  • the third state maintenance module 1001 is configured to periodically send a status query message to the BRAS, and perform state switching on the IPOE user terminal according to the status of the IPOE user terminal carried in the received status query response message.
  • the connection between modules/submodules in the figures shows only one of the simplest examples. Of course, there may be other connection relationships between modules/sub-modules in the drawing.
  • the first/second/third state maintenance module (801, 901, 1001) may also be connected to the first authentication module 502. These connections are not described one by one here and are not shown one by one in the drawings.

Abstract

The embodiments of the invention provide a method, device, server and system for accessing a service wholesale network. The method includes: a provider edge device receives Internet Protocol over Ethernet (IPOE) authentication information sent by an IPOE user terminal; the provider edge device performs first-level authentication on the IPOE user terminal according to the received IPOE authentication information; after the first-level authentication succeeds, the provider edge device sends the IPOE authentication information through the virtual private network tunnel corresponding to the IPOE authentication information, to trigger a broadband remote access server (BRAS) to perform second-level authentication and, after the second-level authentication succeeds, to allocate to the IPOE user terminal an IP address for accessing the service wholesale network. The present invention ensures that the IPOE user terminal can access the service wholesale network, and enables the IPOE user terminal to use the services of multiple Internet Service Providers (ISPs) in the service wholesale network.

Description

Method, device, server and system for accessing a service wholesale network

This application claims priority to Chinese Patent Application No. 201010261207.6, filed with the Chinese Patent Office on August 20, 2010 and entitled "Method, device, server and system for accessing a service wholesale network", which is incorporated herein by reference in its entirety.

Technical Field

The embodiments of the present invention relate to communication technologies, and in particular to a method, device, server and system for accessing a service wholesale network.

Background

At present, Service Wholesale technology has emerged in communication networks. FIG. 1 is an architecture diagram of a service wholesale network in the prior art. Referring to FIG. 1, a service wholesale network is one in which multiple Internet Service Providers (ISPs) exist on the physical network of the same Network Service Provider (NSP): the ISPs lease the NSP's physical network to run their services, so that multi-ISP services are supported.
Referring to FIG. 1, in the service wholesale technology, a user terminal is connected to a Provider Edge (PE) device in the NSP network. The PE receives the user's service packets and no longer performs traditional route forwarding based on their destination IP address; instead, based on the information about the ISP to which the user belongs, it forwards the packets through a Virtual Private Network (VPN) tunnel to the access device in the ISP, namely the Broadband Remote Access Server (BRAS), which performs the corresponding service processing. A service wholesale network therefore has two levels of operators: the first-level operator is the NSP, and the second-level operator is the ISP.
At present, as network access migrates toward Ethernet-based methods, the Internet Protocol over Ethernet (IPOE) interface mode has appeared on the user side of access devices. Systems using the IPOE interface technology currently have only one level of operator. The process by which an IPOE user terminal accesses the network mainly includes: the IPOE user terminal sends the user's first packet to the access device; the access device performs authentication; after authentication is completed, the access device directly assigns an IP address to the IPOE user terminal and determines the Layer 3 network permissions used by the IPOE user terminal.
In the process of implementing the present invention, the inventors found that although both the service wholesale technology and the IPOE interface technology have good development prospects, an IPOE user terminal currently cannot access a service wholesale network. For example, there is currently no access processing for IPOE user terminals that is adapted to the two levels of operators in a service wholesale network, so the multi-ISP services of a service wholesale network cannot be provided to IPOE user terminals.

Summary

The embodiments of the present invention provide a method, device, server and system for accessing a service wholesale network, which solve the prior-art problem that an IPOE user terminal cannot access a service wholesale network.
The method for accessing a service wholesale network provided by the embodiments of the present invention includes:
a PE in the NSP network receives IPOE authentication information sent by an IPOE user terminal;
the PE performs first-level authentication on the IPOE user terminal according to the received IPOE authentication information;
after the first-level authentication succeeds, the PE sends the IPOE authentication information to the BRAS through the VPN tunnel corresponding to the IPOE authentication information, to trigger the BRAS to perform second-level authentication and, after the second-level authentication succeeds, to assign an IP address to the IPOE user terminal.
The PE provided by the embodiments of the present invention includes:
a first receiving module, configured to receive IPOE authentication information sent by an IPOE user terminal;
a first authentication module, configured to perform first-level authentication on the IPOE user terminal according to the IPOE authentication information;
a first sending module, configured to send, after the first-level authentication succeeds, the IPOE authentication information to the BRAS through the VPN tunnel corresponding to the IPOE authentication information.
The BRAS provided by the embodiments of the present invention includes:
a second receiving module, configured to receive, through a VPN tunnel, IPOE authentication information sent by the PE;
a second authentication module, configured to perform second-level authentication on the IPOE user terminal according to the IPOE authentication information;
an allocating module, configured to assign an IP address to the IPOE user terminal after the second-level authentication succeeds.
The system for accessing a service wholesale network provided by the embodiments of the present invention includes the PE provided by the embodiments of the present invention and the BRAS provided by the embodiments of the present invention.
In the method, PE, BRAS and system for accessing a service wholesale network proposed by the embodiments of the present invention, the PE performs the NSP network's first-level authentication on the IPOE user terminal and triggers the BRAS to perform second-level authentication. Because the PE sends the IPOE authentication information to the BRAS through the VPN tunnel corresponding to that information, the requirement in a service wholesale network that packets be forwarded to the BRAS through a VPN tunnel is met. It is also made explicit that the BRAS assigns an IP address to the IPOE user terminal after completing second-level authentication, which completes the access processing of the IPOE user terminal in the service wholesale network and ensures that the IPOE user terminal can access the service wholesale network.

Brief Description of the Drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is an architecture diagram of a service wholesale network in the prior art;
FIG. 2 is a flowchart of a method for accessing a network according to an embodiment of the present invention;
FIG. 3 is a flowchart of an IPOE user terminal accessing a service wholesale network in Example 1 of the present invention;
FIG. 4 is a flowchart of an IPOE user terminal accessing a service wholesale network in Example 2 of the present invention;
FIG. 5 is a schematic structural diagram of a PE according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of Example 1 of a PE according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of Example 2 of a PE according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of Example 3 of a PE according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of Example 4 of a PE according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of Example 5 of a PE according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a BRAS according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of Example 1 of a BRAS according to an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of Example 2 of a BRAS according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of Example 3 of a BRAS according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of Example 4 of a BRAS according to an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of Example 5 of a BRAS according to an embodiment of the present invention;
FIG. 17 is a schematic structural diagram of Example 6 of a BRAS according to an embodiment of the present invention;
FIG. 18 is a schematic diagram of a system for accessing a service wholesale network according to an embodiment of the present invention.

Detailed Description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for accessing a network. Referring to FIG. 2, the method mainly includes:
201: A PE in the NSP network receives IPOE authentication information sent by an IPOE user terminal.
202: The PE performs first-level authentication on the IPOE user terminal according to the received IPOE authentication information.
203: After the first-level authentication succeeds, the PE sends the IPOE authentication information to the BRAS through the VPN tunnel corresponding to the IPOE authentication information, triggering the BRAS to perform second-level authentication on the IPOE user terminal and, after the second-level authentication succeeds, to assign an IP address to the IPOE user terminal.
It can be seen that in the method proposed by this embodiment, the PE performs the NSP network's first-level authentication on the IPOE user terminal and triggers the BRAS to perform second-level authentication. Because the PE sends the IPOE authentication information to the BRAS through the VPN tunnel corresponding to that information, the requirement in a service wholesale network that packets be forwarded to the BRAS through a VPN tunnel is met. It is also made explicit that the BRAS assigns an IP address to the IPOE user terminal after completing second-level authentication, which completes the access processing of the IPOE user terminal in the service wholesale network and ensures that the IPOE user terminal can access the service wholesale network.
Optionally, in implementations of this embodiment, the IPOE authentication information may take one of two forms:
Mode 1: the IPOE information carried in the user's first packet is used as the IPOE authentication information for first-level and second-level authentication.
Mode 2: the user information entered by the user is used as the IPOE authentication information for first-level and second-level authentication.
A specific example of each of these two authentication modes is described in detail below.
Example 1:
In this example, the IPOE information carried in the user's first packet is used as the IPOE authentication information for first-level and second-level authentication. Referring to FIG. 3, in this example the process by which an IPOE user terminal accesses the service wholesale network mainly includes:
301: The IPOE user terminal sends the user's first packet, which carries the IPOE information, to the PE in the NSP network.
In this example, the IPOE information used for authentication may include the Media Access Control (MAC) address of the IPOE user terminal and/or the Virtual Local Area Network (VLAN) identifier used by the IPOE user terminal. In addition, when the user's first packet is a Dynamic Host Configuration Protocol (DHCP) first packet, the IPOE information used for authentication may be any one or more of the OPTION82 field, the MAC address of the IPOE user terminal, and the VLAN identifier used by the IPOE user terminal.
302: After receiving the user's first packet, the PE performs first-level authentication on the IPOE user terminal according to the IPOE information in the packet. If the authentication succeeds, 304 is performed; if the authentication fails, 303 is performed.
Optionally, the first-level authentication of the IPOE user terminal may be performed in local authentication mode or remote authentication mode, where:
With local authentication, the PE determines, according to pre-configured legal IPOE information (which can be configured according to the requirements of the NSP network), whether the IPOE information in the user's first packet is legal. If it is, the authentication succeeds; otherwise, the authentication fails.
With remote authentication, the PE sends the IPOE information in the user's first packet to a remote authentication server that uses the Remote Authentication Dial In User Service (RADIUS) protocol. The authentication server determines, according to pre-configured legal IPOE information, whether the IPOE information sent by the PE is legal. If it is, the server notifies the PE that the authentication succeeded; otherwise, it notifies the PE that the authentication failed.
303: The IPOE user terminal is denied access to the service wholesale network, and the current process ends.
304: According to the pre-configured correspondence between IPOE information and VPN tunnels, the PE sends the user's first packet to the BRAS through the VPN tunnel corresponding to the IPOE information in the packet.
305: After receiving the user's first packet, the BRAS performs second-level authentication on the IPOE user terminal according to the IPOE information in the packet. If the authentication succeeds, 306 is performed; if the authentication fails, 303 is performed. Here:
With local authentication, the BRAS determines, according to pre-configured legal IPOE information (which can be configured according to the requirements of the ISP network), whether the IPOE information in the user's first packet is legal. If it is, the authentication succeeds; otherwise, the authentication fails.
With remote authentication, the BRAS sends the IPOE information in the user's first packet to a remote authentication server that uses the RADIUS protocol. The authentication server determines, according to pre-configured legal IPOE information, whether the IPOE information sent by the BRAS is legal. If it is, the server notifies the BRAS that the authentication succeeded; otherwise, it notifies the BRAS that the authentication failed.
306: The BRAS assigns an IP address to the IPOE user terminal; optionally, the BRAS may also return an authentication success notification to the IPOE user terminal. At this point, the IPOE user terminal has successfully accessed the service wholesale network.
As the flow in FIG. 3 shows, the PE performs the NSP network's first-level authentication according to the IPOE information carried in the user's first packet, and the BRAS performs second-level authentication according to the same IPOE information. Because the user's first packet is sent to the BRAS through the VPN tunnel corresponding to the IPOE information in that packet, the requirement in a service wholesale network that packets be forwarded to the BRAS through a VPN tunnel is met. After completing second-level authentication, the BRAS assigns an IP address to the IPOE user terminal, which completes the terminal's access processing in the service wholesale network and ensures that the terminal can access it, so that the IPOE user terminal can use the multi-ISP services of the service wholesale network.
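The flow of steps 301 to 306 with local authentication at both levels, simulated in one Python process as an added example (it is not code from the patent). The class names, tunnel names, MAC addresses and address pools are constructed; keying the tunnel table by VLAN and rejecting a terminal whose IPOE information has no tunnel mapping are assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class IpoeInfo:
    """IPOE information carried in the user's first packet (step 301)."""
    mac: str
    vlan: int


@dataclass(frozen=True)
class AccessResult:
    granted: bool
    stage: str                      # where the flow ended
    tunnel: Optional[str] = None    # VPN tunnel the packet was forwarded on
    ip: Optional[str] = None        # address assigned by the BRAS


class Bras:
    """ISP side: second-level authentication, then IP allocation (305, 306)."""

    def __init__(self, legal_macs: Set[str], pool: str):
        self.legal_macs = legal_macs          # legal IPOE info, per ISP requirements
        self._free = iter(IPv4Network(pool).hosts())
        self.leases: Dict[str, str] = {}
        self.packets_seen = 0                 # lets us check what reached the ISP

    def receive(self, info: IpoeInfo) -> Optional[str]:
        self.packets_seen += 1
        if info.mac not in self.legal_macs:   # 305 failed -> 303
            return None
        if info.mac not in self.leases:       # 306: one address per terminal
            addr = next(self._free, None)
            if addr is None:                  # pool exhausted: nothing to assign
                return None
            self.leases[info.mac] = str(addr)
        return self.leases[info.mac]


class Pe:
    """NSP side: first-level authentication, then tunnel selection (302, 304)."""

    def __init__(self, legal: Set[Tuple[int, str]],
                 tunnels: Dict[int, Tuple[str, Bras]]):
        self.legal = legal        # legal IPOE info, per NSP requirements
        self.tunnels = tunnels    # pre-configured IPOE info -> VPN tunnel (by VLAN here)

    def handle_first_packet(self, info: IpoeInfo) -> AccessResult:
        if (info.vlan, info.mac) not in self.legal:       # 302 failed -> 303
            return AccessResult(False, "rejected-by-pe")
        entry = self.tunnels.get(info.vlan)
        if entry is None:
            # Assumption: no tunnel mapping means the terminal is rejected.
            return AccessResult(False, "no-tunnel")
        name, bras = entry
        ip = bras.receive(info)                           # 304: forward over the tunnel
        if ip is None:
            return AccessResult(False, "rejected-by-bras", name)
        return AccessResult(True, "granted", name, ip)


def run_demo():
    """Four constructed terminals, one per outcome of the flow."""
    isp_a = Bras({"02:00:00:00:00:01"}, "10.1.0.0/24")
    isp_b = Bras({"02:00:00:00:00:03"}, "10.2.0.0/24")
    pe = Pe(
        legal={(100, "02:00:00:00:00:01"), (200, "02:00:00:00:00:04"),
               (300, "02:00:00:00:00:05")},
        tunnels={100: ("vpn-isp-a", isp_a), 200: ("vpn-isp-b", isp_b)},
    )
    terminals = {
        "ok": IpoeInfo("02:00:00:00:00:01", 100),
        "unknown_to_pe": IpoeInfo("02:00:00:00:00:99", 100),
        "unknown_to_isp": IpoeInfo("02:00:00:00:00:04", 200),
        "unmapped_vlan": IpoeInfo("02:00:00:00:00:05", 300),
    }
    results = {k: pe.handle_first_packet(v) for k, v in terminals.items()}
    return results, isp_a, isp_b


if __name__ == "__main__":
    for name, result in run_demo()[0].items():
        print(name, result)
```

The `packets_seen` counters show the property the two-level design gives the ISP: a terminal that fails first-level authentication at the PE never reaches the BRAS.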
示例 2:  Example 2:
本示例中, 将用户输入的用户信息作为 IPOE认证信息进行一级认证和 二级认证。 参见图 4, 在本示例中, IPOE用户终端接入业务批发网络的过程 主要包括:  In this example, the user information entered by the user is used as the IPOE authentication information for the first level and the second level. Referring to FIG. 4, in this example, the process of accessing the service wholesale network by the IPOE user terminal mainly includes:
401: IPOE用户终端将用于认证的用户信息发送给 NSP网络中的 PE。 本实施例中, 用于认证的用户信息可以包括用户名、 用户密码及用户域 名中的任意一个或多个。  401: The IPOE user terminal sends the user information used for authentication to the PE in the NSP network. In this embodiment, the user information for authentication may include any one or more of a username, a user password, and a user domain name.
402: PE接收到用户信息后,根据该用户信息对 IPOE用户终端进行一级 认证, ^口果认证成功, 贝' J执行 404, ^口果认证失败, 执行 403。 当为本地认证方式时, 认证过程具体为: PE根据预先配置的合法用户信 息(该合法用户信息可以根据 NSP网络的要求进行配置) , 判断用户信息是 否合法, 如果是, 则认证成功, 否则, 认证失败。  402: After receiving the user information, the PE performs a first-level authentication on the IPOE user terminal according to the user information, and the password authentication succeeds, and the browser performs the 404, the password authentication fails, and executes 403. The authentication process is as follows: The PE is based on the pre-configured legal user information (the legal user information can be configured according to the requirements of the NSP network) to determine whether the user information is legal. If yes, the authentication succeeds. Otherwise, Authentication failed.
当为远程认证方式时, 认证过程具体为: PE将用户信息发送给远端的采 用 RADIUS协议的认证服务器,该认证服务器根据预先配置的合法用户信息, 判断 PE发来的用户信息是否合法, 如果是, 则通知 PE认证成功, 否则, 通 知 PE认证失败。 403: 拒绝 IPOE用户终端接入业务批发网络, 结束当前流程。 In the case of the remote authentication mode, the authentication process is specifically as follows: The PE sends the user information to the remote RADIUS authentication server. The authentication server determines whether the user information sent by the PE is legal according to the pre-configured legal user information. If yes, the PE is successfully authenticated. Otherwise, the PE authentication fails. 403: The IPOE user terminal is denied access to the wholesale network of services, and the current process is terminated.
404: PE 艮据预先配置的用户信息与 VPN隧道的对应关系, 通过与用户 信息对应的 VPN隧道将用户信息发送给 BRAS。  404: The PE sends the user information to the BRAS through the VPN tunnel corresponding to the user information according to the correspondence between the pre-configured user information and the VPN tunnel.
405: BRAS接收到用户信息后, 对 IPOE用户终端进行二级认证, 如果 认证成功, 贝' J执行 406, ^口果认证失败, 执行 403。  405: After receiving the user information, the BRAS performs secondary authentication on the IPOE user terminal. If the authentication succeeds, the shell performs a 406, the password authentication fails, and the execution 403 is performed.
Optionally, when the user information received by the BRAS is plaintext (that is, unencrypted information), the BRAS can perform second-level authentication directly on the user information. When the user information received by the BRAS is encrypted, the BRAS first needs to negotiate a key with the IPOE user terminal, decrypt the user information using the negotiated key, and then perform second-level authentication on the IPOE user terminal according to the decrypted user information.
Optionally, the key negotiation between the BRAS and the IPOE user terminal may proceed as follows:
After receiving the user information sent by the PE, the BRAS sends an authentication renegotiation indication to the IPOE user terminal. Alternatively,
after receiving the user information sent by the PE, the BRAS waits for the first DHCP packet, first IP packet, or first Address Resolution Protocol (ARP) packet of the IPOE user terminal forwarded by the PE. Once it receives such a first packet, it can send an authentication renegotiation indication to the IPOE user terminal by means of a response message (a DHCP response message, an IP response message, or an ARP response message).
After this key negotiation, the IPOE user terminal encrypts the user information with the negotiated key and sends it to the BRAS again.
After receiving the encrypted user information, the BRAS decrypts it using the key negotiated with the IPOE user terminal, and then performs second-level authentication on the IPOE user terminal according to the decrypted user information.
… mode, where:
In local authentication mode, the authentication process is as follows: the BRAS determines, according to pre-configured legitimate user information, whether the user information sent by the PE is legitimate. If it is, the authentication succeeds; otherwise, the authentication fails.
In remote authentication mode, the authentication process is as follows: the BRAS sends the user information received from the PE to a remote authentication server that uses the RADIUS protocol. The authentication server determines, according to pre-configured legitimate user information, whether the received user information is legitimate. If it is, the server notifies the BRAS that the authentication succeeded; otherwise, it notifies the BRAS that the authentication failed.
406: The BRAS allocates an IP address to the IPOE user terminal. Optionally, the BRAS may also return an authentication success notification to the IPOE user terminal.
At this point, the IPOE user terminal has successfully accessed the service wholesale network.
As can be seen from the procedure shown in FIG. 4, the PE performs the first-level authentication for the NSP network according to the user information, and the BRAS performs the second-level authentication according to the user information. Because the user information is sent to the BRAS through the VPN tunnel corresponding to the user information, the requirement in the service wholesale network that packets be forwarded to the BRAS through a VPN tunnel is met. In addition, after completing the second-level authentication, the BRAS allocates an IP address to the IPOE user terminal, which completes the access processing of the IPOE user terminal in the service wholesale network and ensures that the IPOE user terminal can access the service wholesale network, so that the IPOE user terminal can use the services of multiple ISPs in the service wholesale network.
As described above, the service wholesale network has two levels of operators, and both levels need to manage the IPOE user terminal. Therefore, after procedures such as those shown in FIG. 3 and FIG. 4, the embodiments of the present invention further provide methods for implementing two-level operator management of the IPOE user terminal, which may include two modes:
Mode 1: independent management.
Independent management means that the NSP network and the ISP network manage users independently, and each maintains the state of the IPOE user terminal. For example, the IPOE user terminal is allowed to be online in the NSP network while offline in the ISP network. Specifically, the PE and the BRAS monitor and maintain the state of the IPOE user terminal independently: the PE maintains only the state of the IPOE user terminal in the NSP network, and the BRAS maintains only its state in the ISP network. In independent management mode, the states of the IPOE user terminal maintained on the PE and on the BRAS may differ.
Mode 2: joint management.
Joint management means that the NSP network and the ISP network manage users jointly and jointly maintain the state of the IPOE user terminal. For example, the IPOE user terminal has the same state in the NSP network and the ISP network: offline in both or online in both. By way of example, joint management can be implemented in the following two ways:
2A. The PE of the first-level operator monitors the IPOE user terminal state maintained by the BRAS of the second-level operator, so that the states maintained by the two levels of operators are unified.
For example: after the second-level authentication succeeds, the BRAS sets the state of the IPOE user terminal in the ISP network to online. After the first-level authentication succeeds, the PE listens for the authentication success notification sent by the BRAS to the IPOE user terminal; if it detects the notification, it sets the state of the IPOE user terminal in the NSP network to online. Subsequently, after the PE and the BRAS each detect that the IPOE user terminal has released its IP address, each sets the IPOE user terminal to the offline state. In this way, the devices of the first-level operator and the second-level operator need essentially no interaction.
2B. The states maintained by the two levels of operators are unified through information exchange.
For example: the PE periodically sends a status query message to the BRAS; the status query message may be a new, pre-defined protocol message. The status query message contains the IPOE information of the IPOE user terminal (such as the MAC address, VLAN information, the option82 field, or the IP address). After receiving the status query message, the BRAS returns a status query response message to the PE that carries the state of the IPOE user terminal maintained by the BRAS, such as online, idle, offline, or in arrears. The PE switches the state of the IPOE user terminal according to the state in the received status query response message.
The above methods for implementing two-level operator management of the IPOE user terminal can be carried out in Embodiment 1 and Embodiment 2 after the BRAS has allocated an IP address to the IPOE user terminal and the IPOE user terminal has successfully accessed the service wholesale network.
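The following Python simulation is an added example, not part of the patent text. It walks through steps 402 to 406 with local authentication at both levels and then shows joint-management mode 2B, where the PE's view of a terminal stays stale until its next status query. The class and method names, the use of the user domain as the key for the tunnel correspondence, the denial when no tunnel is configured, and all sample users and addresses are assumptions.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ONLINE = "online"
    IDLE = "idle"
    OFFLINE = "offline"
    ARREARS = "arrears"


@dataclass(frozen=True)
class UserInfo:
    name: str
    password: str
    domain: str
    mac: str  # IPOE information that identifies the terminal in status queries


def is_legitimate(configured, key, password):
    """Local authentication mode: check against pre-configured user information."""
    stored = configured.get(key)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class BRAS:
    """Second-level operator (ISP) device."""

    def __init__(self, users, pool):
        self.users = users  # legitimate user information configured by the ISP
        self.free = [str(ip) for ip in ipaddress.ip_network(pool).hosts()]
        self.state = {}     # MAC -> State in the ISP network
        self.requests = 0   # how many authentication requests reached the BRAS

    def second_level(self, info):
        # Step 405: second-level authentication; step 406: allocate an IP address.
        self.requests += 1
        if not is_legitimate(self.users, info.name, info.password) or not self.free:
            return None
        self.state[info.mac] = State.ONLINE
        return self.free.pop(0)

    def status_query(self, mac):
        # Mode 2B: report the state that the BRAS maintains for this terminal.
        return self.state.get(mac, State.OFFLINE)


class PE:
    """First-level operator (NSP) device."""

    def __init__(self, users, tunnels):
        self.users = users      # legitimate user information configured by the NSP
        self.tunnels = tunnels  # assumed correspondence: user domain -> BRAS
        self.state = {}         # MAC -> State in the NSP network

    def access(self, info):
        # Step 402: first-level authentication; a failure ends in step 403.
        if not is_legitimate(self.users, f"{info.name}@{info.domain}", info.password):
            return None
        # Step 404: forward only through the tunnel that corresponds to this user.
        bras = self.tunnels.get(info.domain)
        if bras is None:
            return None  # assumption: no configured tunnel means access is denied
        ip = bras.second_level(info)
        if ip is not None:
            self.state[info.mac] = State.ONLINE
        return ip

    def poll(self, info):
        # Mode 2B: periodic status query; the PE switches to the reported state.
        bras = self.tunnels.get(info.domain)
        if bras is not None:
            self.state[info.mac] = bras.status_query(info.mac)
        return self.state.get(info.mac, State.OFFLINE)


def demo():
    # Constructed sample data: users, domain, MAC addresses and address pool.
    bras = BRAS({"alice": "pw-a"}, "192.0.2.0/29")
    pe = PE({"alice@isp-a.example": "pw-a", "carol@isp-a.example": "pw-c"},
            {"isp-a.example": bras})
    alice = UserInfo("alice", "pw-a", "isp-a.example", "02:00:00:00:00:01")
    carol = UserInfo("carol", "pw-c", "isp-a.example", "02:00:00:00:00:02")
    mallory = UserInfo("mallory", "guess", "isp-a.example", "02:00:00:00:00:03")
    result = {
        "alice_ip": pe.access(alice),      # passes both levels
        "carol_ip": pe.access(carol),      # passes the PE, rejected by the BRAS
        "mallory_ip": pe.access(mallory),  # rejected by the PE, never reaches the BRAS
        "bras_requests": bras.requests,
    }
    bras.state[alice.mac] = State.ARREARS  # ISP-side change the PE has not seen yet
    result["pe_before_poll"] = pe.state[alice.mac].value
    result["pe_after_poll"] = pe.poll(alice).value
    return result
```

Between the ISP-side change and the next poll, the PE still treats the terminal as online, which is the divergence window that the polling interval bounds in mode 2B.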
An embodiment of the present invention further provides a PE. Referring to FIG. 5, the PE includes:
a first receiving module 501, configured to receive IPOE authentication information sent by an IPOE user terminal;
a first authentication module 502, configured to perform first-level authentication on the IPOE user terminal according to the received IPOE authentication information; and
a first sending module 503, configured to send the IPOE authentication information to the BRAS through the VPN tunnel corresponding to the IPOE authentication information after the first-level authentication succeeds.
Optionally, the IPOE authentication information may be the IPOE information carried in the user's first packet, or user information entered by the user.
Optionally, referring to FIG. 6, the first receiving module 501 may include:
a first receiving submodule 601, configured to receive the user's first packet sent by the IPOE user terminal, where the first packet carries IPOE information;
and the first authentication module 502 may include:
a first authentication submodule 602, configured to perform first-level authentication on the IPOE user terminal according to the IPOE information in the user's first packet received by the first receiving submodule 601.
Optionally, referring to FIG. 7, the first receiving module 501 may include:
a second receiving submodule 701, configured to receive user information sent by the IPOE user terminal;
and the first authentication module 502 may include:
a second authentication submodule 702, configured to perform first-level authentication on the IPOE user terminal according to the user information received by the second receiving submodule 701.
Optionally, referring to FIG. 8 to FIG. 10, the PE may further include:
a first state maintenance module 801, configured to maintain the state of the IPOE user terminal in the NSP network; or
a second state maintenance module 901, configured to listen, after the first-level authentication succeeds, for the authentication success notification sent by the BRAS to the IPOE user terminal and, if the notification is detected, set the state of the IPOE user terminal that the PE maintains to online; and, after detecting that the IPOE user terminal has released its IP address, set the state of the IPOE user terminal to offline; or
a third state maintenance module 1001, configured to periodically send a status query message to the BRAS and switch the state of the IPOE user terminal according to the state of the IPOE user terminal carried in the received status query response message.
For brevity, the drawings show only the simplest example of the connections between the modules and submodules. Other connections between them are also possible; for example, the first, second, or third state maintenance module (801, 901, 1001) may also be connected to the first authentication module 502. These are not described one by one here, nor shown one by one in the drawings.
An embodiment of the present invention further provides a BRAS. Referring to FIG. 11, the BRAS includes:
a second receiving module 1101, configured to receive, through a VPN tunnel, the IPOE authentication information sent by the PE;
a second authentication module 1102, configured to perform second-level authentication on the IPOE user terminal according to the IPOE authentication information; and
an allocation module 1103, configured to allocate an IP address to the IPOE user terminal after the second-level authentication succeeds.
Optionally, the IPOE authentication information may be the IPOE information carried in the user's first packet, or user information entered by the user serving as the IPOE authentication information.
Optionally, referring to FIG. 12, the second receiving module 1101 may include:
a third receiving submodule 1201, configured to receive, through the VPN tunnel, the user's first packet sent by the PE, where the first packet carries IPOE information;
and the second authentication module 1102 may include:
a third authentication submodule 1202, configured to perform second-level authentication on the IPOE user terminal according to the IPOE information in the user's first packet received by the third receiving submodule 1201.
Optionally, referring to FIG. 13, the second receiving module 1101 may include:
a fourth receiving submodule 1301, configured to receive, through the VPN tunnel, the user information sent by the PE;
and the second authentication module 1102 may include:
a fourth authentication submodule 1302, configured to perform second-level authentication on the IPOE user terminal according to the user information received by the fourth receiving submodule 1301.
Optionally, referring to FIG. 14, on the basis of the BRAS structure shown in FIG. 13, the second authentication module 1102 may further include:
a user information processing submodule 1401, configured to: when the user information received by the fourth receiving submodule 1301 is encrypted information, send an authentication renegotiation indication to the IPOE user terminal and negotiate a key with the IPOE user terminal; decrypt, using the negotiated key, the user information that the IPOE user terminal has re-encrypted and sent; and send the decrypted user information to the fourth authentication submodule 1302.
Optionally, referring to FIG. 15 to FIG. 17, the BRAS may further include:
a first state management module 1501, configured to maintain the state of the IPOE user terminal in the ISP network; or
a second state management module 1601, configured to set the state of the IPOE user terminal to online after the second-level authentication succeeds and, after detecting that the IPOE user terminal has released its IP address, set the state of the IPOE user terminal to offline; or
a third state management module 1701, configured to return, after receiving a status query message sent periodically by the PE, the state of the user terminal that the BRAS maintains to the PE in a status query response message.
For brevity, the drawings show only the simplest example of the connections between the modules and submodules. Other connections between them are also possible; for example, the first, second, or third state management module (1501, 1601, 1701) may also be connected to the second authentication module 1102. These are not described one by one here, nor shown one by one in the drawings.
An embodiment of the present invention further provides a system for accessing a network. Referring to FIG. 18, the system includes a PE 1801 and a BRAS 1802, where the PE 1801 may be a PE with any of the structures and functions provided in the above embodiments of the present invention, and the BRAS 1802 may be a BRAS with any of the structures and functions provided in the above embodiments of the present invention.
A person of ordinary skill in the art can understand that all or part of the processing in the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the processing of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks, or optical discs.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for accessing a service wholesale network, characterized by comprising:
receiving, by a provider edge device (PE) in a network service provider (NSP) network, IPOE authentication information sent by an Internet Protocol over Ethernet (IPOE) user terminal;
performing, by the PE, first-level authentication on the IPOE user terminal according to the received IPOE authentication information; and
after the first-level authentication succeeds, sending, by the PE, the IPOE authentication information to a broadband remote access server (BRAS) through the virtual private network (VPN) tunnel corresponding to the IPOE authentication information, to trigger the BRAS to perform second-level authentication on the IPOE user terminal and to allocate an IP address to the IPOE user terminal after the second-level authentication succeeds.
2. The method according to claim 1, characterized in that the IPOE authentication information is IPOE information carried in a user's first packet, or the IPOE authentication information is user information entered by the user.
3. The method according to claim 2, characterized in that, when the IPOE authentication information is the IPOE information carried in the user's first packet, the IPOE information is any one or more of a media access control address, a virtual local area network identifier, and an OPTION82 field.
4. The method according to claim 2, characterized in that,
when the IPOE authentication information is the user information entered by the user, the user information is any one or more of a user name, a user password, and a user domain name.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
the PE maintaining only the state of the IPOE user terminal in the NSP network, and the BRAS maintaining only the state of the IPOE user terminal in an Internet service provider (ISP) network.
6. The method according to any one of claims 1 to 4, characterized in that the method further comprises: after the second-level authentication succeeds, the BRAS setting the state of the IPOE user terminal to online; after the first-level authentication succeeds, the PE listening for the authentication success notification sent by the BRAS to the IPOE user terminal and, if the notification is detected, setting the state of the IPOE user terminal that the PE maintains to online; and the PE and the BRAS each setting the IPOE user terminal to the offline state after detecting that the IPOE user terminal has released its IP address.
7. The method according to any one of claims 1 to 4, characterized in that the method further comprises: the PE periodically sending a status query message to the BRAS; the BRAS returning to the PE a status query response message that carries the state of the IPOE user terminal maintained by the BRAS; and the PE switching the state of the IPOE user terminal according to the state of the IPOE user terminal in the received status query response message.
8. A provider edge device (PE), characterized by comprising:
a first receiving module (501), configured to receive IPOE authentication information sent by an Internet Protocol over Ethernet (IPOE) user terminal;
a first authentication module (502), configured to perform first-level authentication on the IPOE user terminal according to the IPOE authentication information; and
a first sending module (503), configured to send the IPOE authentication information to a broadband remote access server (BRAS) through the virtual private network (VPN) tunnel corresponding to the IPOE authentication information after the first-level authentication succeeds.
9. The PE according to claim 8, characterized in that the first receiving module (501) comprises:
a first receiving submodule (601), configured to receive a user's first packet sent by the IPOE user terminal, where the user's first packet carries the IPOE information;
and the first authentication module (502) comprises:
a first authentication submodule (602), configured to perform first-level authentication on the IPOE user terminal according to the IPOE information in the user's first packet received by the first receiving submodule (601).
10. The PE according to claim 8, characterized in that the first receiving module (501) comprises:
a second receiving submodule (701), configured to receive user information sent by the IPOE user terminal;
and the first authentication module (502) comprises:
a second authentication submodule (702), configured to perform first-level authentication on the IPOE user terminal according to the user information received by the second receiving submodule.
11. The PE according to any one of claims 8 to 10, characterized in that the PE further comprises:
a first state maintenance module (801), configured to maintain the state of the IPOE user terminal in a network service provider (NSP) network.
12. The PE according to any one of claims 8 to 10, characterized in that the PE further comprises:
a second state maintenance module (901), configured to listen, after the first-level authentication succeeds, for the authentication success notification sent by the BRAS to the IPOE user terminal and, if the notification is detected, set the state of the IPOE user terminal that the PE maintains to online; and, after detecting that the IPOE user terminal has released its IP address, set the IPOE user terminal to the offline state.
13. The PE according to any one of claims 8 to 10, characterized in that the PE further comprises:
a third state maintenance module (1001), configured to periodically send a status query message to the BRAS and switch the state of the IPOE user terminal according to the state of the IPOE user terminal in the received status query response message.
14. A broadband remote access server (BRAS), characterized by comprising:
a second receiving module (1101), configured to receive, through a virtual private network (VPN) tunnel, Internet Protocol over Ethernet (IPOE) authentication information sent by a provider edge device (PE);
a second authentication module (1102), configured to perform second-level authentication on an IPOE user terminal according to the IPOE authentication information; and
an allocation module (1103), configured to allocate an IP address to the IPOE user terminal after the second-level authentication succeeds.
15. The BRAS according to claim 14, characterized in that
the second receiving module (1101) comprises:
a third receiving submodule (1201), configured to receive, through the VPN tunnel, a user's first packet sent by the PE, where the user's first packet carries IPOE information;
and the second authentication module (1102) comprises:
a third authentication submodule (1202), configured to perform second-level authentication on the IPOE user terminal according to the IPOE information in the user's first packet received by the third receiving submodule.
16. The BRAS according to claim 14, characterized in that
the second receiving module (1101) comprises:
a fourth receiving submodule (1301), configured to receive, through the VPN tunnel, user information sent by the PE;
and the second authentication module (1102) comprises:
a fourth authentication submodule (1302), configured to perform second-level authentication on the IPOE user terminal according to the user information received by the fourth receiving submodule.
17. The BRAS according to claim 16, characterized in that the second authentication module (1102) further comprises:
a user information processing submodule (1401), configured to: when the user information received by the fourth receiving submodule (1301) is encrypted information, send an authentication renegotiation indication to the IPOE user terminal and negotiate a key with the IPOE user terminal; decrypt, using the negotiated key, the user information that the IPOE user terminal has re-encrypted and sent; and send the decrypted user information to the fourth authentication submodule (1302).
18. The BRAS according to any one of claims 14 to 17, characterized in that the BRAS further comprises:
a first state management module (1501), configured to maintain the state of the IPOE user terminal in an Internet service provider (ISP) network.
19. The BRAS according to any one of claims 14 to 17, characterized in that the BRAS further comprises:
a second state management module (1601), configured to set the state of the IPOE user terminal to online after the second-level authentication succeeds and, after detecting that the IPOE user terminal has released its IP address, set the state of the IPOE user terminal to offline.
20. The BRAS according to any one of claims 14 to 17, characterized in that the BRAS further comprises:
a third state management module (1701), configured to return, after receiving a status query message sent periodically by the PE, the state of the IPOE user terminal that the BRAS maintains to the PE in a status query response message.
21. A system for accessing a service wholesale network, characterized by comprising the provider edge device PE (1801) according to any one of claims 8 to 13 and the broadband remote access server BRAS (1802) according to any one of claims 14 to 20.
PCT/CN2011/073409 2010-08-20 2011-04-28 Method, device, server and system for accessing service wholesale network WO2011140919A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010261207.6 2010-08-20
CN2010102612076A CN102143136B (en) 2010-08-20 2010-08-20 Method for accessing service wholesale network, equipment, server and system

Publications (1)

Publication Number Publication Date
WO2011140919A1 (en) 2011-11-17

Family

ID=44410364

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/073409 WO2011140919A1 (en) 2010-08-20 2011-04-28 Method, device, server and system for accessing service wholesale network

Country Status (2)

Country Link
CN (1) CN102143136B (en)
WO (1) WO2011140919A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017186122A1 (en) * 2016-04-27 2017-11-02 新华三技术有限公司 Traffic scheduling
CN111225377A (en) * 2018-11-23 2020-06-02 财团法人工业技术研究院 Network service system and network service method

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013034108A1 (en) * 2011-09-08 2013-03-14 北京智慧风云科技有限公司 Cloud service establishment system and method
CN103067416A (en) * 2011-10-18 2013-04-24 华为技术有限公司 Virtual private cloud (VPC) access authentication method and correlation apparatus
US8925045B2 (en) 2012-12-28 2014-12-30 Futurewei Technologies, Inc. Electronic rendezvous-based two stage access control for private networks
CN110933591B (en) 2018-09-18 2021-07-16 华为技术有限公司 Authentication method, equipment and system
CN109150925B (en) * 2018-11-08 2021-06-15 网宿科技股份有限公司 IPoE static authentication method and system
CN115835218A (en) * 2019-06-17 2023-03-21 华为技术有限公司 Secondary authentication method and device
CN113055720B (en) * 2019-12-26 2023-05-02 中国电信股份有限公司 IPTV service authentication method, system and access equipment
CN111541719B (en) * 2020-05-19 2021-08-24 北京天融信网络安全技术有限公司 Authentication method and device and information processing equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859133A (en) * 2006-02-21 2006-11-08 华为技术有限公司 System and method for realizing NSP and ISP simultaneously charging
CN101662427A (en) * 2009-09-18 2010-03-03 华为技术有限公司 Method, system and device for distributing and scheduling resource

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7257629B2 (en) * 2001-09-27 2007-08-14 Siemens Communications, Inc. Method and apparatus for providing back-up capability in a communication system
KR20070076156A (en) * 2006-01-18 2007-07-24 에스케이커뮤니케이션즈 주식회사 System and method for providing a user state information to the mobile terminal during the time of ring back tone
CN101127696B (en) * 2006-08-15 2012-06-27 华为技术有限公司 Data forwarding method for layer 2 network and network and node devices
US9824107B2 (en) * 2006-10-25 2017-11-21 Entit Software Llc Tracking changing state data to assist in computer network security
CN101009627A (en) * 2006-12-27 2007-08-01 华为技术有限公司 A service binding method and device
CN101282328B (en) * 2007-04-02 2011-07-06 北京下午茶科技有限公司 Method for accessing internet inner-network Web service
CN101304363B (en) * 2007-05-12 2011-12-07 华为技术有限公司 Method for managing conversation connection as well as apparatus and system
CN101426004A (en) * 2007-10-29 2009-05-06 华为技术有限公司 Three layer conversation access method, system and equipment
CN101741552A (en) * 2009-12-28 2010-06-16 华为技术有限公司 Message transmitting method, equipment and system

Also Published As

Publication number Publication date
CN102143136B (en) 2013-12-04
CN102143136A (en) 2011-08-03

Similar Documents

Publication Publication Date Title
WO2011140919A1 (en) Method, device, server and system for accessing service wholesale network
JP4727126B2 (en) Providing secure network access for short-range wireless computing devices
US9112909B2 (en) User and device authentication in broadband networks
KR101528410B1 (en) Dynamic host configuration and network access authentication
WO2013056585A1 (en) Virtual private cloud access authentication method and related apparatus
JP6001790B2 (en) Method of operation in fixed access network and UE
WO2013185644A1 (en) Method and device thereof for automatically finding and configuring virtual network
WO2013067904A1 (en) Inter-domain virtual private network interfacing method and device
US20130227673A1 (en) Apparatus and method for cloud networking
WO2016184368A1 (en) Method, device and system for authorizing service of user
WO2009143729A1 (en) Method, system and apparatus for realizing dhcp user service wholesale
WO2012034413A1 (en) Method for dual stack user management and broadband access server
WO2016192608A2 (en) Authentication method, authentication system and associated device
WO2010048874A1 (en) Method, device and system for identifying ip session
WO2012051868A1 (en) Firewall policy distribution method, client, access server and system
WO2013040957A1 (en) Single sign-on method and system, and information processing method and system
WO2013056619A1 (en) Method, idp, sp and system for identity federation
WO2015123953A1 (en) Key generation method, device and system
WO2012130128A1 (en) Method, device, and system for implementing network identifier conversion
WO2009074072A1 (en) Method, network system and network equipment of dynamic strategy conversion
WO2015127736A1 (en) Method, device and system for user privacy protection
WO2011147334A1 (en) Method, device and system for providing virtual private network service
WO2011032478A1 (en) Method, device and terminal for obtaining terminal identifier
Nguyen et al. An SDN-based connectivity control system for Wi-Fi devices
WO2011131002A1 (en) Method and system for identity management

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11780140

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11780140

Country of ref document: EP

Kind code of ref document: A1