WO2014067334A1 - Data packet management method, device and system - Google Patents


Info

Publication number
WO2014067334A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
address
network
bng
identification information
Application number
PCT/CN2013/082495
Other languages
French (fr)
Chinese (zh)
Inventor
范亮
王怀滨
梁乾灯
陈勇
Original Assignee
中兴通讯股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • the present invention relates to the field of communications, and in particular to a data packet management method, apparatus, and system.
  • BACKGROUND: with the rapid development of Internet applications and smart terminals, users increasingly access the Internet for office, communication, and entertainment activities through various intelligent terminals such as smart phones and tablet computers.
  • access through Wireless Local Area Networks (WLAN) is one of the most important means of reaching the network.
  • FIG. 1 is a schematic diagram of a topology of a conventional WLAN network according to the related art
  • FIG. 2 is a schematic diagram of a topology of another conventional WLAN network according to the related art.
  • a conventional WLAN network includes an access point.
  • the user terminal device can access the network through the AP and/or AC after passing the identity authentication.
  • AP: Access Point; AC: Access Controller
  • AAA: Authentication, Authorization, Accounting
  • DHCP: Dynamic Host Configuration Protocol
  • the WLAN network adopts the 802.1x authentication mode or the "PPPoE+PSK" mode for user identity authentication
  • the AP or the AC device acts as the authentication point of the user.
  • the user is assigned an IP address through the built-in or external DHCP server.
  • FIG. 3 is a schematic diagram of a network topology of a WLAN and fixed broadband network convergence manner according to the related art
  • FIG. 4 is a schematic diagram of a network topology of another WLAN and fixed broadband network convergence manner according to the related art
  • FIG. 3, FIG. 4 and FIG. 5 respectively describe the network topology structures of three WLAN and fixed broadband network convergence modes, and various types of users.
  • the terminal accesses the fixed broadband network through the WLAN network and a wired link, and fine-grained control of user services is centralized in the broadband network gateway (BNG).
  • the WLAN network may also have a network address translation (NAT) function: the network assigns a private network address to the user and translates between that private address and a public IP address.
  • NAT: network address translation
  • Embodiments of the present invention provide a data packet management method, apparatus, and system to solve at least the above problems. According to an aspect of the embodiments of the present invention, a data packet management method is provided, where the method includes:
  • the BNG device performs user identity authentication through the AAA server and, after the authentication succeeds, stores the authorization information and the identification information of the authenticated user; the BNG device receives the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user; the BNG device matches the identification information carried in the charging start request against the identification information of the authenticated user and, after the matching succeeds, determines the authorization information according to the identification information of the authenticated user; the BNG device identifies the data packet of the user according to the identification information of the user, and manages the data packet according to the authorization information of the user.
  • the BNG device performs user identity authentication through the AAA server, and stores the authorization information and the identification information of the authenticated user after the user identity authentication succeeds.
  • the BNG device sends the user authentication message to the AAA server.
  • after receiving the user authentication message, the AAA server performs user identity authentication.
  • the BNG device receives the authorization information of the authenticated user sent by the AAA server, and stores the identification information of the authenticated user according to the user authentication message.
  • the method further includes: the BNG device sending the authorization information of the authenticated user to the WLAN device.
  • the method further includes: after receiving the network protocol IP address request of the user, the WLAN device allocates an IP address to the user.
  • assigning the IP address to the user includes: after receiving the IP address request of the user, the WLAN device allocates the IP address to the user from a local address pool; or, after receiving the IP address request of the user, the WLAN device allocates the IP address to the user through the dynamic host configuration protocol (DHCP) server. Assigning the IP address to the user may also include: after receiving the IP address request of the user, the WLAN device allocates to the user the IP address that the AAA server assigned to the user through the authorization information.
  • assigning the IP address to the user includes: after receiving the IP address request of the user, the WLAN device allocates a private network IP address to the user, together with a public network IP address and port number segment for network address translation.
  • the method further includes: the WLAN device storing the public network IP address and the port number segment.
  • the BNG device receiving the charging start request sent by the WLAN device includes: the BNG device receiving the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user, and the identification information includes the MAC address of the user and the foregoing public network IP address and port number segment.
  • the BNG device identifies the data packet of the user according to the identification information of the user, and the BNG device identifies the user according to the IP address in the user data packet.
  • the BNG device identifies the data packet of the user according to the identifier information of the user, and further includes: the BNG device identifies the user according to the IP address and the port number information in the user data packet.
  • the method further includes: when the public network IP address and/or the port number segment is increased, the BNG device receives the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the method further includes: when the public network IP address and/or the port number segment is decreased, or the network address translation (NAT) entry is aged out, the BNG device receives the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the method further includes: when the NAT entry is updated, the BNG device receives the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the WLAN device is an AC or an AP.
  • a data message management apparatus is provided, which is applied to a broadband network gateway (BNG) device, and the apparatus includes: an authentication module, configured to perform user identity authentication through an AAA server and, after the authentication succeeds, store the authorization information and the identification information of the authenticated user; a request receiving module, configured to receive the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user; a matching module, configured to match the identification information carried in the charging start request against the identification information of the authenticated user and, after the matching succeeds, determine the authorization information according to the identification information of the authenticated user; a message identification module, configured to identify the data packet of the user according to the identification information of the user; and a management module, configured to manage the data packet according to the authorization information of the user.
  • the above-mentioned authentication module includes: a message sending unit, configured to send a user authentication message to the AAA server, where the user authentication message is used to notify the AAA server to perform user identity authentication; and a storage unit, configured to receive the authorization information of the authenticated user sent by the AAA server and store it, and to store the identification information of the authenticated user according to the user authentication message.
  • the device further includes: an authorization information sending module, configured to send the authorization information of the authenticated user to the WLAN device.
  • the request receiving module includes: a receiving unit, configured to receive the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user, and the identification information includes the MAC address of the user and the public network IP address and port number segment.
  • the packet identification module includes: a first identification unit configured to identify a user according to an IP address in the user data packet.
  • the message identification module further includes: a second identification unit configured to identify the user according to the IP address and the port number information in the user data packet.
  • the device further includes: a first receiving module, configured to receive, when the public network IP address and/or the port number segment is increased, the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the device further includes: a second receiving module, configured to receive, when the public network IP address and/or the port number segment is reduced or the NAT entry is aged out, the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the device further includes: a third receiving module, configured to receive, when the NAT entry is updated, the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the WLAN device is an access controller AC or an access point AP.
  • a data packet management system is provided, including the foregoing management apparatus and further comprising a WLAN device, where the WLAN device includes: an address allocation module, configured to assign an IP address to the user after receiving the IP address request of the user.
  • the address allocation module includes: a first allocating unit, configured to assign an IP address to the user from a local address pool after receiving the IP address request of the user; or, a second allocating unit, configured to assign an IP address to the user through the dynamic host configuration protocol (DHCP) server after receiving the IP address request of the user.
  • the address allocation module further includes: a third allocating unit, configured to: after receiving the IP address request of the user, assign the IP address assigned by the authentication and authorization accounting AAA server to the user by using the authorization information.
  • the address allocation module further includes: a fourth allocating unit configured to: after receiving the IP address request of the user, allocate a private network IP address for the user, and a public network IP address and a port number segment for network address translation.
  • the WLAN device further includes: a storage module, configured to store the public network IP address and the port number segment.
  • the BNG device stores the authorization information and the identification information of the authenticated user after the user identity authentication succeeds; the BNG device receives the charging start request that is sent by the WLAN device and carries the identification information of the user; the BNG device matches that identification information against the identification information of the authenticated user; the BNG device identifies the data packet of the user according to the identification information of the user and manages the data packet according to the authorization information of the user. This solves the problem in the related art that the BNG cannot identify the user when the BNG device does not participate in the user address allocation process, so that, without changing the network architecture and procedure of the current WLAN user authentication and address allocation, BNG equipment can be quickly deployed to manage user services and traffic and improve the service quality of WLAN networks.
  • FIG. 1 is a schematic diagram of a topology of a conventional WLAN network according to the related art
  • FIG. 2 is a schematic diagram of a topology of another conventional WLAN network according to the related art
  • FIG. 3 is a schematic diagram of a network topology of a WLAN and fixed broadband network convergence manner according to the related art
  • FIG. 4 is a schematic diagram of another network topology of a WLAN and fixed broadband network convergence manner according to the related art
  • FIG. 5 is a schematic diagram of a network topology in which a WLAN and a fixed broadband network are converged according to the related art
  • FIG. 6 is a flowchart of a method for managing a data packet according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of a method for WLAN user fixed network access according to an embodiment of the present invention
  • FIG. 8 is a flowchart of an AC direct-connection scenario according to Embodiment 1 of the present invention
  • FIG. 9 is a schematic flowchart of data packet encapsulation and forwarding according to Embodiment 1 of the present invention
  • FIG. 10 is a flowchart of a method for processing a data packet in an AC direct-connection scenario according to Embodiment 2 of the present invention
  • FIG. 11 is a schematic flowchart of data packet encapsulation and forwarding according to Embodiment 2 of the present invention
  • FIG. 12 is a flowchart of processing a data packet in a fat AP scenario according to Embodiment 3 of the present invention
  • FIG. 13 is a block diagram showing data packet encapsulation and forwarding according to Embodiment 3 of the present invention
  • FIG. 14 is a block diagram showing the structure of a data packet management apparatus according to an embodiment of the present invention
  • FIG. 6 is a flowchart of a method for managing data packets according to an embodiment of the present invention. As shown in FIG. 6, the process includes the following steps (step S602-step S608).
  • Step S602, the BNG device performs user identity authentication through the AAA server, and stores the authorization information and the identification information of the authenticated user after the user identity authentication succeeds;
  • Step S604, the BNG device receives the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user;
  • Step S606, the BNG device matches the identification information carried in the charging start request against the identification information of the authenticated user and, after the matching succeeds, determines the authorization information according to the identification information of the authenticated user; Step S608, the BNG device identifies the data packet of the user according to the identification information of the user, and manages the data packet according to the authorization information of the user.
  • the BNG device stores the authorization information and the identification information of the authenticated user; the BNG device receives the charging start request that is sent by the WLAN device and carries the identification information of the user; the BNG device matches that identification information against the identification information of the authenticated user and, after the matching succeeds, determines the authorization information according to the identification information of the authenticated user; the BNG device identifies the data packet of the user according to the identification information of the user and manages the data packet according to the authorization information of the user.
  • this solves the problem in the related art that the BNG cannot identify the user when the BNG device does not participate in the user address allocation process, so that the network architecture and procedure of the current WLAN user authentication and address allocation need not be changed.
  • the BNG device is thus quickly deployed to implement user service and traffic management and improve the service quality of the WLAN network.
  • the above WLAN device may be an AC or an AP.
  • the BNG device performs user identity authentication through the AAA server, and stores the authorization information and the identification information of the authenticated user after the user identity authentication succeeds.
  • the BNG device obtains the authorization information and the identification information and stores them on the BNG.
  • the BNG device sends a user authentication message to the AAA server; after receiving the user authentication message, the AAA server performs user identity authentication; after the user identity authentication succeeds, the BNG device receives the authorization information of the authenticated user sent by the AAA server.
  • the BNG thus obtains the authorization information and the identification information separately, which provides the basis for the BNG device subsequently to match identification information and to determine the authorization information from it.
  • the method further includes: the BNG device sends the authorization information of the authenticated user to the WLAN device.
  • the method further includes: after receiving the IP address request of the user, the WLAN device allocates an IP address to the user.
  • First preferred embodiment: after receiving the IP address request of the user, the WLAN device assigns an IP address to the user, including: after receiving the IP address request of the user, the WLAN device allocates the IP address to the user from the local address pool; or, after receiving the IP address request of the user, the WLAN device allocates the IP address to the user through the dynamic host configuration protocol (DHCP) server.
  • Third preferred embodiment: after the WLAN device receives the IP address request of the user, assigning the IP address to the user further includes: after receiving the IP address request of the user, the WLAN device allocates a private network IP address to the user, together with a public IP address and port number segment used for network address translation. After the WLAN device allocates the IP address to the user, the method further includes: the WLAN device storing the public network IP address and the port number segment.
  • the receiving, by the BNG device, of the charging start request sent by the WLAN device includes: the BNG device receiving the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user, and the identification information includes the MAC address of the user and the foregoing public network IP address and port number segment.
  • the foregoing BNG device identifies the data packet of the user according to the identifier information of the user, where the BNG device identifies the user according to the IP address in the user data packet.
  • the BNG device identifying the data packet of the user according to the identifier information of the user further includes: the BNG device identifies the user according to the IP address and the port number information in the user data packet.
  • when the public network IP address and/or the port number segment is increased, the BNG device receives the charging update message sent by the WLAN device, where the charging update message carries the changed identification information.
  • the BNG device receives the charging update message sent by the WLAN device; wherein the charging update message carries the changed identification information.
  • the BNG device receives the charging update message sent by the WLAN device, where the charging update message carries the changed identification information.
  • the above user identity authentication includes one of the following authentication methods: EAP (Extensible Authentication Protocol)-MD5 (Message Digest Algorithm Revision 5), EAP-SIM (Subscriber Identity Module), EAP-AKA (Authentication and Key Agreement), EAP-PEAP (Protected EAP), EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), PPP (Point-to-Point Protocol) with EAP authentication, and PPP with Pre-shared Key (PSK) authentication.
  • EAP: Extensible Authentication Protocol
  • MD5: Message Digest Algorithm Revision 5
  • EAP-SIM: EAP with Subscriber Identity Module
  • EAP-AKA: EAP with Authentication and Key Agreement
  • EAP-PEAP: Protected EAP
  • EAP-TLS: EAP with Transport Layer Security
  • EAP-TTLS: EAP with Tunneled Transport Layer Security
  • PPP: Point-to-Point Protocol (used with EAP or PSK authentication)
  • FIG. 7 is a schematic diagram of a method for WLAN user fixed network access according to an embodiment of the present invention.
  • the method includes the following steps (step S702 to step S710): Step S702, the WLAN device acts as the authenticator and forwards the user identity authentication packets to the BNG device.
  • the WLAN device may be an AC or an AP;
  • the user authentication mode includes the various EAP authentication modes of 802.1x authentication, such as EAP-MD5, EAP-SIM, EAP-AKA, EAP-PEAP, EAP-TLS, EAP-TTLS, etc.
  • the user authentication mode also includes PPP+EAP authentication and PPP+PSK authentication.
  • Step S704, the BNG device, acting as authentication proxy, performs authentication of the user identity through the AAA server; after the authentication succeeds, the BNG device stores the authorization information and the identification information of the user. Further, the authentication proxy function of the BNG device includes a Radius Proxy function and a Diameter authentication proxy function; further, while storing the authorization information of the user, the BNG device optionally sends the authorization information of the user to the WLAN device; the identification information of the user includes the user MAC address, and/or the IP address assigned by the AAA server to the user through the authorization information, and/or VPN instance information, and/or the combination of public network IP address and port number segment assigned by the AAA server to the user through the authorization information.
  • Step S706, the user obtains an IP address through the WLAN device.
  • the WLAN device may allocate an IP address to the user from the local address pool, apply to the DHCP server for a user IP address, or assign the IP address that the AAA server assigned to the user through the authorization information; further, the WLAN device may send a private network address to the user and allocate a public network IP address and port number segment for performing network address translation for the user, storing them on the WLAN device.
  • Step S708 After the user authentication passes and the IP address is successfully assigned, the WLAN device sends a charging start request to the BNG device, and carries the identification information of the user.
  • the process of authenticating the user and the process of obtaining the IP address may occur in either order; further, when the WLAN device allocates a private network IP address to the user and performs network address translation on the data packets of the user, the WLAN device also needs to have the following features.
  • when the public network address and/or port block used for translating the user's network address is increased (for example, a public network address and port block is added for the user), the WLAN device notifies the BRAS through a charging start message or a charging update message, carrying the changed user identification information.
  • when the public network address and/or port block used for translating the user's network address is decreased, or the NAT entry is aged out, the WLAN device notifies the BRAS through the charging stop message or the charging update message, carrying the user identification information.
  • when the NAT entry is updated, the WLAN device notifies the BRAS through the charging update message, carrying the user identification information.
  • the above-mentioned broadband network gateway (BNG) also covers a BRAS (Broadband Remote Access Server), an SR (Service Router, a full-service router), a NAS (Network Access Server), and the like.
  • BRAS: Broadband Remote Access Server
  • SR: Service Router, a full-service router
  • NAS: Network Access Server
  • Step S802, the user terminal initiates the authentication request by sending an EAPoL-Start.
  • Step S804, after receiving the EAPoL-Start message, the AC sends an EAP-Request/Identity message to the user terminal, requesting the user terminal to send its username.
  • Step S806 the user terminal sends an EAP-Response/Identity message to the AC, including the username.
  • Step S808, the AC encapsulates the EAP-Response/Identity message in a RADIUS Access-Request message and sends it to the BRAS; after receiving the RADIUS Access-Request message sent by the AC, the BRAS uses its Radius Proxy function to send a new RADIUS Access-Request message to the AAA server.
  • Step S810, the AAA server generates an EAP-Request, carries it in a RADIUS Access-Challenge message and sends it to the BRAS, which uses the Radius Proxy function to form a new RADIUS Access-Challenge message.
  • Step S812, after receiving the EAP-Request, the user terminal sends the Challenged-Password to the AC.
  • the AC encapsulates it in a RADIUS packet and sends it to the BRAS.
  • the BRAS uses the Radius Proxy function to re-encapsulate the RADIUS packet and sends it to the AAA server.
  • the AAA server determines whether the user is legitimate; if the authentication succeeds, the authorization information of the user is sent to the BRAS in the authentication success message.
  • Step S816 The BRAS sends an authentication success message to the AC, and stores the user authorization information and the user MAC address information in the authentication message, and the AC sends an 802.1x authentication success message to the user.
  • Step S818 The user sends a DHCP Discover message to the AC to request an IP address, and the AC allocates an IP address to the user in the local address pool or allocates an IP address to the user through the DHCP server.
  • Step S820 the AC sends an accounting start message to the BRAS, carrying the user's MAC address and IP address.
  • Step S822, after receiving the charging start message, the BRAS matches the MAC address of the user against the stored MAC addresses of authenticated users, finds the authorization information of the user, records the IP address information of the user, and sends an accounting start message to the AAA server.
  • Step S824 the AAA sends a charging start success message to the BRAS, and the BRAS encapsulates a new charging start success message by the Radius Proxy function and sends the message to the AC.
  • Step S826 The user accesses the network, and the BRAS identifies the user according to the IP address information in the received user data packet, and processes the user data packet according to the authorization information of the user. For example, the BRAS can limit the rate of the user data packets according to the user bandwidth in the authorization message, or perform priority mapping on the user data packets according to the user priority in the authorization message.
  • FIG. 9 is a schematic diagram of a data packet encapsulation and forwarding process according to the first embodiment of the present invention.
  • as shown in FIG. 9, the process includes the following steps (step S902 to step S908): Step S902, the user sends a data packet to the service network; the source MAC address is the MAC address of the user, the destination MAC address is the MAC address MAC2 of the user-side interface of the AC, the source IP address is the IP address of the user, and the destination IP address is the service IP address IP2 accessed by the user.
  • Step S904 The AP transparently transmits the user data packet.
  • Step S906, after receiving the data packet, the AC modifies the source MAC address and the destination MAC address of the packet: the source MAC address is changed to the MAC address MAC3 of the AC interface connected to the BRAS, and the destination MAC address is changed to the MAC address MAC4 of the BRAS interface connected to the AC.
  • Step S908, after receiving the data packet, the BRAS identifies the user according to the source IP address and processes the packet according to the authorization information of the user, such as priority mapping, buffering, discarding, etc.; for example, when the BRAS determines that the processed packet can be forwarded to the service network, the source MAC address and the destination MAC address of the packet are changed again: the source MAC address is changed to the MAC address MAC5 of the network-side interface of the BRAS, and the destination MAC address to the MAC address MAC6 of the network-side device interface connected to the BRAS.
  • Embodiment 2: This embodiment describes a method for processing data packets in the AC direct-connection scenario, in which the AC sits between the AP and the BNG, allocates a private-network IP address to the user and performs network address translation on the user's data packets.
  • FIG. 10 is a flowchart of a method for processing a data packet in the AC direct-connection scenario according to the second embodiment of the present invention. As shown in FIG. 10, the method includes the following steps (step S1002 to step S1026): Step S1002 to step S1016: The procedure is similar to step S802 to step S816 of the foregoing embodiment and is not described again here.
  • Step S1018: The user sends a DHCP Discover message requesting an IP address to the AC. The AC allocates a private-network IP address to the user, and also allocates to the user a public-network IP address and port number segment for network address translation, which it stores on the AC device.
  • Step S1020: The AC sends an Accounting Start message to the BRAS carrying the user's MAC address, public-network IP address and port number segment.
  • Step S1024: The AAA server sends an Accounting Start success message to the BRAS; the BRAS encapsulates a new Accounting Start success message through its RADIUS proxy function and sends it to the AC.
  • Step S1026: The user accesses the network. The BRAS identifies the user from the IP address and port number information in the received user data packet and processes the packet according to the user's authorization information; for example, the BRAS can rate-limit the user's data packets according to the user bandwidth in the authorization message, or perform priority mapping according to the user priority in the authorization message.
  • When the public-network address and/or port block used for translating the user's network address is increased (for example, a further public-network address and port block is added for the user), the AC notifies the BRAS by an Accounting Start message or an Accounting Update message carrying the changed user identification information.
  • When the public-network address and/or port block used for translating the user's network address is reduced (for example, the user goes offline, or one of the user's public-network addresses and port blocks is withdrawn), the AC notifies the BRAS by an Accounting Stop message or an Accounting Update message carrying the user identification information.
  • When the NAT entry generated for the user's network address translation is aged or updated, the AC notifies the BRAS by an Accounting Update message carrying the user identification information.
  • FIG. 11 is a schematic diagram of a data packet encapsulation and forwarding process according to the second embodiment of the present invention.
  • A flow chart of data packet encapsulation and forwarding is shown in FIG. 11. The process includes the following steps (step S1102 to step S1108): Step S1102: The user sends a data packet to the service network. The source MAC address is the user's MAC address, the destination MAC address is MAC2, the MAC address of the user-side interface of the AC, the source IP address is the user's private-network IP address, the destination IP address is the service IP address, the source port is Port1 and the destination port is Port2.
  • Step S1104: The AP transparently forwards the user data packet.
  • Step S1106: On receiving the data packet, the AC performs the network address translation, so that the source IP address and source port become the user's public-network IP address and a port from the allocated port number segment, and rewrites the MAC addresses: the source MAC address becomes MAC3, the MAC address of the AC interface facing the BRAS, and the destination MAC address becomes MAC4, the MAC address of the BRAS interface facing the AC.
  • Step S1108: On receiving the data packet, the BRAS identifies the user by the source IP address and port number and processes the packet according to the user's authorization information (for example priority mapping, buffering or discarding). If the BRAS determines that the processed packet may be forwarded to the service network, it rewrites the source and destination MAC addresses again: the source MAC address becomes MAC5, the MAC address of the network-side interface of the BRAS, and the destination MAC address becomes MAC6, the MAC address of the network-side device's interface facing the BRAS.
  • Embodiment 3: A wireless access point (AP) is an important component of a WLAN, and its working mechanism is similar to a hub in a wired network: wireless terminals can exchange data with each other through the AP, and can also communicate with the wired network through the AP's WAN port.
  • The industry generally divides APs into fat APs and fit (thin) APs. Fat APs are commonly used in SOHO home networks or small wireless LANs: once the wired network is brought into the home, a fat AP can be deployed for indoor coverage, and indoor wireless terminals access the Internet through it.
  • FIG. 12 is a flowchart of a method for processing a data packet in the fat AP scenario according to the third embodiment of the present invention. As shown in FIG. 12, the method includes the following steps (step S1202 to step S1226): Step S1202: The user sends a DHCP Discover message to the AP requesting an IP address. The AP allocates a private-network IP address to the user and sends it to the user.
  • Step S1204 to step S1218: The user authentication process. It is similar to step S802 to step S816 of the foregoing embodiment, except that the AP takes the place of the AC as the authenticator, and is not described again here.
  • Step S1220: After the user's identity is authenticated, the AP allocates to the user a public-network IP address and port number segment for network address translation and stores them on the AP device. The AP sends an Accounting Start message to the BRAS carrying the user's identification information: the MAC address, public-network IP address and port number segment.
  • Step S1222: On receiving the Accounting Start message, the BRAS matches the user's MAC address against the stored MAC addresses of authenticated users, finds the user's authorization information, records the user's public-network IP address and port number segment, and sends an Accounting Start message to the AAA server.
  • Step S1224: The AAA server sends an Accounting Start success message to the BRAS; the BRAS encapsulates a new Accounting Start success message through its RADIUS proxy function and sends it to the AP.
  • Step S1226: The user accesses the network. The BRAS identifies the user from the IP address and port number information in the received user data packet and processes the packet according to the user's authorization information; for example, the BRAS can rate-limit the user's data packets according to the user bandwidth in the authorization message, or perform priority mapping according to the user priority in the authorization message.
  • When the public-network address and/or port block used for translating the user's network address is increased (for example, a further public-network address and port block is added for the user), the AP notifies the BRAS by an Accounting Start message or an Accounting Update message carrying the changed user identification information.
  • When the public-network address and/or port block used for translating the user's network address is reduced (for example, the user goes offline, or one of the user's public-network addresses and port blocks is withdrawn), or the NAT entry generated for the translation is aged, the AP notifies the BRAS by an Accounting Stop message or an Accounting Update message carrying the user identification information.
  • When the NAT entry generated for the user's network address translation is aged or updated, the AP notifies the BRAS by an Accounting Update message carrying the user identification information.
  • FIG. 13 is a schematic diagram of a data packet encapsulation and forwarding process according to Embodiment 3 of the present invention. As shown in FIG. 13, the flow includes the following steps (step S1302 to step S1306): Step S1302: The user sends a data packet to the service network. The source MAC address is the user's MAC address, the destination MAC address is MAC2, the MAC address of the user-side interface of the access device (the AP, which takes the place of the AC in this embodiment), the source IP address is the user's private-network IP address IP1, the destination IP address is IP2, the service IP address accessed by the user, the source port is Port1 and the destination port is Port2.
  • Step S1304: The AP performs the network address translation, so that the source IP address and source port become the user's public-network IP address and a port from the allocated port number segment, and rewrites the MAC addresses: the source MAC address becomes MAC3, the MAC address of the AP interface facing the BRAS, and the destination MAC address becomes MAC4, the MAC address of the BRAS interface facing the AP.
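An added example covering the NAT port-block case of Embodiments 2 and 3 (the AC of FIG. 10 and FIG. 11 and the fat AP of FIG. 12 and FIG. 13 behave the same way towards the BRAS); it is written for this page, not taken from the patent. The access device allocates a public-network address and port number segment per user and translates the user's private source address and port into it, while the BNG keeps a table from port block to authenticated user that it drives from the start/update/stop notifications described above, identifies packets by public source IP address and port, and applies the stored priority. The accounting message is a constructed dictionary, since the page does not say which RADIUS attributes carry the port segment; the addresses, block size and authorization fields are likewise assumptions of this example.

```python
"""Added example, not the patent's code: per-user NAT port blocks on the access
device and the BNG's port-block identification table (Embodiments 2 and 3).
Message format, addresses, block size and authorization fields are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortBlock:
    """One public-network IP address plus a contiguous port number segment."""
    public_ip: str
    first: int
    last: int

    def contains(self, ip, port):
        return ip == self.public_ip and self.first <= port <= self.last

    def overlaps(self, other):
        return (self.public_ip == other.public_ip
                and self.first <= other.last and other.first <= self.last)


class AccessDevice:
    """AC (Embodiment 2) or fat AP (Embodiment 3): allocates blocks and performs the NAT."""

    def __init__(self, public_ip, block_size=64, first_port=10000):
        self.public_ip = public_ip
        self.block_size = block_size
        self.next_port = first_port
        self.blocks = {}      # user MAC -> [PortBlock, ...]
        self.sessions = {}    # (private IP, private port) -> (public IP, public port)

    def allocate_block(self, mac):
        """Step S1018 / S1220: give the user the next unused port segment."""
        blk = PortBlock(self.public_ip, self.next_port, self.next_port + self.block_size - 1)
        self.next_port += self.block_size
        self.blocks.setdefault(mac, []).append(blk)
        return blk

    def translate(self, mac, private_ip, private_port):
        """Step S1106 / S1304: map the private source to a free port in one of the user's blocks."""
        key = (private_ip, private_port)
        if key in self.sessions:
            return self.sessions[key]
        in_use = set(self.sessions.values())
        for blk in self.blocks.get(mac, []):
            for port in range(blk.first, blk.last + 1):
                if (blk.public_ip, port) not in in_use:
                    self.sessions[key] = (blk.public_ip, port)
                    return self.sessions[key]
        # Block exhausted: the device must allocate another block and notify the
        # BNG with an accounting update before traffic from it can be identified.
        return None


class NatAwareBng:
    """BNG/BRAS: authenticated users plus the port-block identification table."""

    def __init__(self):
        self.authenticated = {}   # MAC -> authorization info learned at authentication time
        self.owner = {}           # PortBlock -> MAC

    def on_access_accept(self, mac, authorization):
        self.authenticated[mac] = dict(authorization)

    def on_accounting(self, msg):
        """msg is a constructed dict: {'status': 'start'|'update'|'stop', 'mac': ...,
        'add': [PortBlock, ...], 'remove': [PortBlock, ...]}."""
        mac = msg["mac"]
        if mac not in self.authenticated:
            return "rejected: unknown user"
        add, remove = msg.get("add", []), msg.get("remove", [])
        # An overlapping block would police one subscriber's traffic under another's authorization.
        for blk in add:
            if any(blk.overlaps(b) for b, m in self.owner.items() if m != mac):
                return "rejected: block overlaps another user"
        if any(self.owner.get(blk) != mac for blk in remove):
            return "rejected: not the owner"
        for blk in remove:          # reduction or aged NAT entry
            del self.owner[blk]
        for blk in add:             # increase
            self.owner[blk] = mac
        if msg["status"] == "stop": # user offline: drop every block of this user
            for blk in [b for b, m in self.owner.items() if m == mac]:
                del self.owner[blk]
        return "ok"

    def identify(self, public_ip, src_port):
        """Step S1108 / S1226: (MAC, authorization) for the packet's public source IP and port."""
        for blk, mac in self.owner.items():
            if blk.contains(public_ip, src_port):
                return mac, self.authenticated[mac]
        return None

    def forward(self, public_ip, src_port):
        """Priority mapping for an identified user; unidentified traffic is dropped."""
        hit = self.identify(public_ip, src_port)
        if hit is None:
            return ("drop", None)
        return ("forward", hit[1]["priority"])
```

Two checks are this example's own rather than the page's: an accounting message for a MAC address the AAA server never authenticated is refused, and a block that overlaps one owned by another subscriber is refused, since either would let traffic from one subscriber be policed under another's authorization.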
  • FIG. 14 is a structural block diagram of a data packet management apparatus according to an embodiment of the present invention. As shown in FIG. 14, the apparatus includes an authentication module 10, a request receiving module 20, a matching module 30, a packet identification module 40 and a management module 50. The structure is described below.
  • The authentication module 10 is configured to perform user identity authentication through the AAA server and, after the user's identity authentication succeeds, to store the authorization information and the identification information of the authenticated user.
  • The request receiving module 20 is connected to the authentication module 10 and configured to receive the accounting start request sent by the WLAN device; the accounting start request carries the user's identification information. The matching module 30 is connected to the request receiving module 20 and configured to match the identification information carried in the accounting start request against the identification information of the authenticated user and, after the match succeeds, to determine the authorization information according to the identification information of the authenticated user. The packet identification module 40 is connected to the matching module 30 and configured to identify the user's data packets according to the user's identification information.
  • The management module 50 is connected to the packet identification module 40 and configured to manage the data packets according to the user's authorization information.
  • With the above apparatus, the BNG device stores the authorization information and identification information of the authenticated user, receives the accounting start request that the WLAN device sends carrying the user's identification information, matches that identification information against the identification information of the authenticated user and, after the match succeeds, determines the authorization information according to the identification information of the authenticated user; the BNG device then identifies the user's data packets according to the user's identification information and manages them according to the user's authorization information.
  • This solves the problem in the related art that the BNG cannot identify the user when the BNG device does not take part in the user address allocation process, so that a BNG device can be deployed quickly to manage user services and traffic and improve the service quality of the WLAN network without changing the current WLAN network architecture for user authentication and address allocation.
  • the above WLAN device may be an AC or an AP.
  • The authentication module 10 includes: a packet sending unit configured to send a user authentication packet to the AAA server, where the user authentication packet notifies the AAA server to perform user identity authentication; and a storage unit configured to receive the authorization information of the authenticated user sent by the AAA server and to store the identification information of the authenticated user according to the user authentication packet.
  • In this way the BNG obtains the authorization information and the identification information separately, which is the basis on which the BNG device later matches identification information and determines the authorization information from it.
  • The device further includes an authorization information sending module configured to send the authorization information of the authenticated user to the WLAN device.
  • The request receiving module 20 includes a receiving unit configured to receive the accounting start request sent by the WLAN device; the accounting start request carries the user's identification information, which includes the user's MAC address and a public-network IP address and port number segment.
  • The packet identification module 40 includes a first identification unit configured to identify the user from the IP address in the user data packet, and further includes a second identification unit configured to identify the user from the IP address and port number information in the user data packet.
  • The device further includes a first receiving module configured to receive an accounting update message sent by the WLAN device when the public-network IP address and/or the port number segment is increased; the accounting update message carries the changed identification information.
  • The device further includes a second receiving module configured to receive an accounting update message sent by the WLAN device when the public-network IP address and/or the port number segment is reduced, or the NAT entry generated for network address translation is aged; the accounting update message carries the changed identification information.
  • The device further includes a third receiving module configured to receive an accounting update message sent by the WLAN device when the NAT entry generated for network address translation is updated; the accounting update message carries the changed identification information.
  • FIG. 15 is a structural block diagram of a data packet management system according to an embodiment of the present invention.
  • the system includes the data packet management device introduced in the foregoing embodiment, and further includes a WLAN device, where the WLAN device includes:
  • The address allocation module 60 is configured to allocate an IP address to the user after receiving the user's Internet Protocol (IP) address request.
  • The address allocation module 60 includes: a first allocation unit configured to allocate an IP address to the user from a local address pool after receiving the user's IP address request; or a second allocation unit configured to allocate an IP address to the user through a Dynamic Host Configuration Protocol (DHCP) server after receiving the user's IP address request.
  • The address allocation module 60 further includes a third allocation unit configured to allocate to the user, after receiving the user's IP address request, the IP address that the authentication, authorization and accounting (AAA) server assigned to the user through the authorization information.
  • The address allocation module 60 further includes a fourth allocation unit configured to allocate to the user, after receiving the user's IP address request, a private-network IP address and a public-network IP address and port number segment for network address translation.
  • the WLAN device further includes: a storage module, configured to store the public network IP address and the port number segment.
  • Through the above embodiments, the problem that the BNG cannot identify the user when the BNG device does not take part in the user address allocation process, and therefore cannot manage the user's services and traffic according to the user's authorization information, is solved, so that service and traffic management is realized for WLAN users accessing the fixed broadband network.
  • The modules and steps described above may be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • They may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps may be performed in an order different from that described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are a data packet management method, device and system, the method comprising: a BNG device authenticates a user identity via an AAA server, and stores the authorization information and identifier information of the authenticated user after the user identity is successfully authenticated; the BNG device receives an accounting start request transmitted by a WLAN device; the BNG device matches the identifier information carried in the accounting start request with the identifier information of the authenticated user, and determines the authorization information according to the identifier information of the authenticated user after the matching succeeds; and the BNG device identifies the data packet of the user according to the identifier information of the user, and manages the data packet according to the authorization information of the user. The present invention can quickly deploy a BNG device to realize user service and traffic management without changing the current WLAN network architecture for user authentication and address allocation, thus improving WLAN network service quality.

Description

Data packet management method, device and system
TECHNICAL FIELD

The present invention relates to the field of communications, and in particular to a data packet management method, apparatus and system.

BACKGROUND

With the rapid development of Internet applications and smart terminals, the demand of users to access the Internet anytime and anywhere through smart phones, tablet computers and other intelligent terminals for work, communication and entertainment has become widespread, and access through a wireless local area network (WLAN) is one of the most important means of doing so. FIG. 1 is a schematic diagram of the topology of a conventional WLAN network according to the related art, and FIG. 2 is a schematic diagram of the topology of another conventional WLAN network according to the related art. As shown in FIG. 1 and FIG. 2, a conventional WLAN network includes network elements such as an access point (AP), an access controller (AC), an authentication, authorization and accounting (AAA) server and an address allocation device such as a Dynamic Host Configuration Protocol (DHCP) server; after passing identity authentication, a user terminal device can access the network through the AP and/or the AC. When the WLAN network uses 802.1X authentication or the "PPPoE+PSK" mode for user identity authentication, the AP or AC device acts as the user's authentication point, and after the user's identity authentication succeeds an IP address is allocated to the user through a built-in or external DHCP server; PPPoE (PPP over Ethernet) is the Point-to-Point Protocol (PPP) over Ethernet, and PSK (Pre-Shared Key) is a pre-shared key.

With the trend towards network convergence, the convergence of WLAN networks with fixed broadband networks has become one of the mainstream trends of the future, and the great advantage of the Broadband Network Gateway (BNG) device in user management is a favourable guarantee for improving WLAN service quality. FIG. 3, FIG. 4 and FIG. 5 are schematic diagrams of the network topology of three ways of converging a WLAN with a fixed broadband network according to the related art: various types of user terminal access the fixed broadband network through the WLAN network and wired links, and the broadband network gateway (BNG) performs unified fine-grained control of user services. At the same time, the WLAN network may also deploy a network address translation (NAT) function, in which the network allocates a private-network address to the user and the AP or AC device translates between the private-network address and the public-network IP address. In the network architectures shown in FIG. 3, FIG. 4 and FIG. 5, if the current WLAN network architecture and procedure for user authentication and address allocation are not changed, and the BNG device does not take part in the user's address allocation procedure, the BNG cannot identify the user and consequently cannot manage the user's services and traffic according to the user's authorization information. No effective solution has yet been proposed for the problem in the related art that the BNG cannot identify the user when the BNG device does not take part in the user address allocation procedure.

SUMMARY

Embodiments of the present invention provide a data packet management method, apparatus and system to solve at least the above problem. According to one aspect of the embodiments of the present invention, a data packet management method is provided, which includes:
the BNG device performs user identity authentication through an AAA server and, after the user's identity authentication succeeds, stores the authorization information and identification information of the authenticated user; the BNG device receives an accounting start request sent by a WLAN device, the accounting start request carrying the user's identification information; the BNG device matches the identification information carried in the accounting start request against the identification information of the authenticated user and, after the match succeeds, determines the authorization information according to the identification information of the authenticated user; and the BNG device identifies the user's data packets according to the user's identification information and manages the data packets according to the user's authorization information.

The BNG device performing user identity authentication through the AAA server and storing the authorization information and identification information of the authenticated user after the user's identity authentication succeeds includes: the BNG device sends a user authentication packet to the AAA server; the AAA server performs user identity authentication on receiving the user authentication packet; and after the user's identity authentication succeeds, the BNG device receives the authorization information of the authenticated user sent by the AAA server and stores the identification information of the authenticated user according to the user authentication packet.

After the BNG device stores the authorization information and identification information of the authenticated user following successful user identity authentication, the method further includes: the BNG device sends the authorization information of the authenticated user to the WLAN device.

Before the BNG device receives the accounting start request sent by the WLAN device, the method further includes: after receiving the user's Internet Protocol (IP) address request, the WLAN device allocates an IP address to the user.

The WLAN device allocating an IP address to the user after receiving the user's IP address request includes: after receiving the user's IP address request, the WLAN device allocates the IP address to the user from a local address pool; or, after receiving the user's IP address request, the WLAN device allocates the IP address to the user through a Dynamic Host Configuration Protocol (DHCP) server. It further includes: after receiving the user's IP address request, the WLAN device allocates to the user the IP address that the AAA server assigned to the user through the authorization information.

The WLAN device allocating an IP address to the user after receiving the user's IP address request further includes: after receiving the user's IP address request, the WLAN device allocates to the user a private-network IP address, and a public-network IP address and port number segment for network address translation.

After the WLAN device allocates the IP address to the user, the method further includes: the WLAN device stores the public-network IP address and the port number segment.

The BNG device receiving the accounting start request sent by the WLAN device includes: the BNG device receives the accounting start request sent by the WLAN device, the accounting start request carrying the user's identification information, which includes the user's MAC address and the public-network IP address and port number segment.

The BNG device identifying the user's data packets according to the user's identification information includes: the BNG device identifies the user according to the IP address in the user data packet.
The BNG device identifying the user's data packets according to the user's identification information further includes: the BNG device identifies the user according to the IP address and port number information in the user data packet. The method further includes: when the public-network IP address and/or port number segment is increased, the BNG device receives an accounting update message sent by the WLAN device, the accounting update message carrying the changed identification information. The method further includes: when the public-network IP address and/or port number segment is reduced, or the NAT entry generated for network address translation is aged, the BNG device receives an accounting update message sent by the WLAN device, the accounting update message carrying the changed identification information. The method further includes: when the NAT entry generated for network address translation is updated, the BNG device receives an accounting update message sent by the WLAN device, the accounting update message carrying the changed identification information. The WLAN device is an AC or an AP.

According to another aspect of the embodiments of the present invention, a data packet management apparatus applied to a broadband network gateway (BNG) device is provided, which includes: an authentication module configured to perform user identity authentication through an AAA server and to store the authorization information and identification information of the authenticated user after the user's identity authentication succeeds; a request receiving module configured to receive an accounting start request sent by a WLAN device, the accounting start request carrying the user's identification information; a matching module configured to match the identification information carried in the accounting start request against the identification information of the authenticated user and, after the match succeeds, to determine the authorization information according to the identification information of the authenticated user; a packet identification module configured to identify the user's data packets according to the user's identification information; and a management module configured to manage the data packets according to the user's authorization information. The authentication module includes: a packet sending unit configured to send a user authentication packet to the AAA server, the user authentication packet notifying the AAA server to perform user identity authentication; and a storage unit configured to receive the authorization information of the authenticated user sent by the AAA server and to store the identification information of the authenticated user according to the user authentication packet. The apparatus further includes an authorization information sending module configured to send the authorization information of the authenticated user to the WLAN device. The request receiving module includes a receiving unit configured to receive the accounting start request sent by the WLAN device, the accounting start request carrying the user's identification information, which includes the user's MAC address and a public-network IP address and port number segment. The packet identification module includes a first identification unit configured to identify the user according to the IP address in the user data packet, and further includes a second identification unit configured to identify the user according to the IP address and port number information in the user data packet. The apparatus further includes: a first receiving module configured to receive an accounting update message sent by the WLAN device when the public-network IP address and/or port number segment is increased, the accounting update message carrying the changed identification information; a second receiving module configured to receive an accounting update message sent by the WLAN device when the public-network IP address and/or port number segment is reduced or the NAT entry generated for network address translation is aged, the accounting update message carrying the changed identification information; and a third receiving module configured to receive an accounting update message sent by the WLAN device when the NAT entry generated for network address translation is updated, the accounting update message carrying the changed identification information. The WLAN device is an access controller (AC) or an access point (AP).

According to a further aspect of the embodiments of the present invention, a data packet management system is provided, which includes the above management apparatus and further includes a WLAN device, the WLAN device including an address allocation module configured to allocate an IP address to the user after receiving the user's IP address request. The address allocation module includes: a first allocation unit configured to allocate an IP address to the user from a local address pool after receiving the user's IP address request; or a second allocation unit configured to allocate an IP address to the user through a Dynamic Host Configuration Protocol (DHCP) server after receiving the user's IP address request. The address allocation module further includes a third allocation unit configured to allocate to the user, after receiving the user's IP address request, the IP address that the authentication, authorization and accounting (AAA) server assigned to the user through the authorization information. The address allocation module further includes a fourth allocation unit configured to allocate to the user, after receiving the user's IP address request, a private-network IP address and a public-network IP address and port number segment for network address translation. The WLAN device further includes a storage module configured to store the public-network IP address and the port number segment.

Through the embodiments of the present invention, the BNG device stores the authorization information and identification information of the authenticated user after the user's identity authentication succeeds; the BNG device receives an accounting start request sent by the WLAN device carrying the user's identification information; the BNG device matches that identification information against the identification information of the authenticated user and, after the match succeeds, determines the authorization information according to the identification information of the authenticated user; and the BNG device identifies the user's data packets according to the user's identification information and manages them according to the user's authorization information. This solves the problem in the related art that the BNG cannot identify the user when the BNG device does not take part in the user address allocation procedure, so that, without changing the current WLAN network architecture and procedure for user authentication and address allocation, a BNG device can be deployed quickly to manage user services and traffic and improve the service quality of the WLAN network
According to still another aspect of the embodiments of the present invention, a data packet management system is provided, including: the foregoing management device, further comprising a WLAN device, where the WLAN device includes: an address allocation module, configured to receive an IP address of the user After the request, the above user is assigned an IP address. The address allocation module includes: a first allocating unit configured to: after receiving the IP address request of the user, assign an IP address to the user in a local address pool; or, the second allocating unit is configured to receive the IP of the user After the address request, the above user is assigned an IP address through the dynamic host configuration protocol DHCP server. The address allocation module further includes: a third allocating unit, configured to: after receiving the IP address request of the user, assign the IP address assigned by the authentication and authorization accounting AAA server to the user by using the authorization information. The address allocation module further includes: a fourth allocating unit configured to: after receiving the IP address request of the user, allocate a private network IP address for the user, and a public network IP address and a port number segment for network address translation. The WLAN device further includes: a storage module, configured to store the public network IP address and the port number segment. According to the embodiment of the present invention, the BNG device stores the authorization information and the identification information of the authenticated user after the user identity authentication succeeds, and the BNG device receives the charging start request that is sent by the WLAN device and carries the identification information of the user, and the BNG device matches the identification information. 
And the identification information of the authenticated user, and after the matching is successful, determining the authorization information according to the identifier information of the authenticated user; the BNG device identifies the data packet of the user according to the identifier information of the user, according to the user The authorization information manages the foregoing data packet, and solves the problem that the BNG cannot identify the user when the BNG device does not participate in the user address allocation process in the related art, so that the network architecture of the current WLAN network user authentication and address allocation can be changed without changing. And the process of the process, quickly deploy BNG equipment to manage user services and traffic, and improve the service quality of WLAN networks.
BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are provided for a further understanding of the present invention and form part of this application; the exemplary embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:

FIG. 1 is a schematic diagram of the topology of a conventional WLAN network according to the related art;
FIG. 2 is a schematic diagram of the topology of another conventional WLAN network according to the related art;
FIG. 3 is a schematic diagram of a network topology for one way of converging a WLAN with a fixed broadband network according to the related art;
FIG. 4 is a schematic diagram of a network topology for another way of converging a WLAN with a fixed broadband network according to the related art;
FIG. 5 is a schematic diagram of a network topology for yet another way of converging a WLAN with a fixed broadband network according to the related art;
FIG. 6 is a flowchart of a data packet management method according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a method for fixed-network access of WLAN users according to an embodiment of the present invention;
FIG. 8 is a flowchart of a data packet processing method in the directly attached AC scenario according to Embodiment 1 of the present invention;
FIG. 9 is a schematic flowchart of data packet encapsulation and forwarding according to Embodiment 1 of the present invention;
FIG. 10 is a flowchart of a data packet processing method in the directly attached AC scenario according to Embodiment 2 of the present invention;
FIG. 11 is a schematic flowchart of data packet encapsulation and forwarding according to Embodiment 2 of the present invention;
FIG. 12 is a flowchart of a data packet processing method in the fat AP scenario according to Embodiment 3 of the present invention;
FIG. 13 is a schematic flowchart of data packet encapsulation and forwarding according to Embodiment 3 of the present invention;
FIG. 14 is a structural block diagram of a data packet management apparatus according to an embodiment of the present invention;
FIG. 15 is a structural block diagram of a data packet management system according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The present invention is described in detail below with reference to the accompanying drawings and in combination with embodiments. It should be noted that the embodiments in this application, and the features in those embodiments, may be combined with each other where they do not conflict.

The embodiments of the present invention provide a data packet management method, apparatus and system, which are described in detail below through specific embodiments.

This embodiment provides a data packet management method. FIG. 6 is a flowchart of the data packet management method according to an embodiment of the present invention. As shown in FIG. 6, the method includes the following steps (step S602 to step S608):

Step S602: the BNG device authenticates the user's identity through an AAA server and, after the authentication succeeds, stores the authorization information and identification information of the authenticated user.
Step S604: the BNG device receives an accounting start request sent by the WLAN device, the accounting start request carrying the user's identification information.
Step S606: the BNG device matches the identification information carried in the accounting start request against the identification information of the authenticated user and, when they match, determines the authorization information according to the identification information of the authenticated user.
Step S608: the BNG device identifies the user's data packets according to the user's identification information and manages the data packets according to the user's authorization information.

With the above embodiment, the BNG device learns the user's identification information from the accounting start request and ties it to the authorization information it stored at authentication time, so it can identify and manage the user's data packets even though it did not take part in address allocation. This solves the problem in the related art that the BNG cannot identify users when the BNG device does not take part in user address allocation, so that BNG devices can be deployed quickly to manage user services and traffic and improve the quality of service of the WLAN network without changing the current network architecture and procedures for WLAN user authentication and address allocation.

The WLAN device may be an AC or an AP.

The BNG device authenticates the user's identity through the AAA server and stores the authorization information and identification information of the authenticated user after the authentication succeeds. As to how the BNG obtains and stores this information, this embodiment provides a preferred implementation: the BNG device sends a user authentication message to the AAA server; the AAA server authenticates the user after receiving the user authentication message; after the authentication succeeds, the BNG device receives the authorization information of the authenticated user sent by the AAA server, and stores the identification information of the authenticated user taken from the user authentication message. In this way the BNG obtains the authorization information and the identification information separately, which is the basis for the BNG device later matching identification information and determining the authorization information from it.

After the BNG device stores the authorization information and identification information of the authenticated user, the method preferably further includes: the BNG device sends the authorization information of the authenticated user to the WLAN device.

Before the BNG device receives the accounting start request sent by the WLAN device, the method further includes: after receiving the user's IP address request, the WLAN device allocates an IP address to the user. The WLAN device can allocate the IP address in any of the following preferred ways:

First preferred implementation: after receiving the user's IP address request, the WLAN device allocates the IP address to the user from a local address pool; or, after receiving the user's IP address request, the WLAN device allocates the IP address to the user through a dynamic host configuration protocol (DHCP) server.
Second preferred implementation: after receiving the user's IP address request, the WLAN device allocates to the user the IP address that the AAA server assigned to the user in the authorization information.
Third preferred implementation: after receiving the user's IP address request, the WLAN device allocates a private network IP address to the user, together with a public network IP address and port number range used for network address translation.

After the WLAN device allocates the IP address to the user, the method preferably further includes: the WLAN device stores the public network IP address and the port number range.
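The preferred implementation above has the BNG relay the WLAN device's authentication message to the AAA server as a RADIUS proxy, and then accept an accounting start request that binds a MAC address to the address the WLAN device allocated. Both steps only work as intended if the BNG checks that each RADIUS message really came from its peer, since the accounting start is what later selects a user's authorization. The following Python example is added here to show those checks; it is not code from the patent or its assignee. It contains a minimal RADIUS encoder and decoder, verification of the Message-Authenticator (HMAC-MD5, RFC 3579) on an EAP-carrying Access-Request before the proxy re-issues it under the AAA-facing shared secret, and verification of the Request Authenticator (RFC 2866) on an Accounting-Start before the MAC/IP binding is extracted. The attribute choices (Calling-Station-Id for the MAC, Framed-IP-Address for the IP), the Proxy-State value layout, the shared secrets and the sample EAP payload are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS codes and attribute types used here (RFC 2865, 2866, 3579).
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
PROXY_STATE, ACCT_STATUS_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 33, 40, 79, 80
ACCT_START = b"\x00\x00\x00\x01"

Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(body: bytes) -> List[Attr]:
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def _ma_offset(pkt: bytes) -> Optional[int]:
    """Offset of the Message-Authenticator value, or None if the attribute is absent."""
    i = 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        if pkt[i] == MESSAGE_AUTHENTICATOR and pkt[i + 1] == 18:
            return i + 2
        i += pkt[i + 1]
    return None


def build_access_request(ident: int, authenticator: bytes, attrs: List[Attr], secret: bytes) -> bytes:
    """Access-Request with a Message-Authenticator: HMAC-MD5 over the whole packet,
    computed with the attribute's own 16 octets zeroed (RFC 3579 section 3.2)."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    off = _ma_offset(pkt)
    if off is None:
        return False  # an EAP-carrying request without Message-Authenticator must be rejected
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[off:off + 16])


def proxy_access_request(pkt: bytes, secret_from_ac: bytes, secret_to_aaa: bytes) -> bytes:
    """The BNG/BRAS RADIUS proxy step: accept the AC's request only if its
    Message-Authenticator verifies, then re-issue it under the AAA-facing secret."""
    if not verify_message_authenticator(pkt, secret_from_ac):
        raise PermissionError("Access-Request failed Message-Authenticator check")
    attrs = decode_attrs(pkt[20:])
    # Proxy-State (opaque to the server) lets the proxy match the reply to the AC's request;
    # storing the original identifier and authenticator in it is this example's choice.
    attrs.append((PROXY_STATE, pkt[1:2] + pkt[4:20]))
    return build_access_request(pkt[1], os.urandom(16), attrs, secret_to_aaa)


def build_accounting_request(ident: int, attrs: List[Attr], secret: bytes) -> bytes:
    """Accounting-Request authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret) (RFC 2866 section 3)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def accounting_start_binding(pkt: bytes, secret: bytes) -> Optional[Tuple[str, str]]:
    """Return (MAC, IP) from an authentic Accounting-Start, else None. The binding that
    selects a stored authorization must never be taken from an unverified packet."""
    if len(pkt) < 20 or pkt[0] != ACCOUNTING_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    attrs = dict(decode_attrs(pkt[20:]))
    mac, ip = attrs.get(CALLING_STATION_ID), attrs.get(FRAMED_IP_ADDRESS)
    if attrs.get(ACCT_STATUS_TYPE) != ACCT_START or mac is None or ip is None or len(ip) != 4:
        return None
    return mac.decode("ascii"), ".".join(str(b) for b in ip)
```

Without these checks, any host that can reach the BNG's RADIUS port could send an accounting start naming an already authenticated MAC address together with an IP address of its own choosing and inherit that user's authorization. The shared secret is the only thing that ties the accounting start to the WLAN device that actually allocated the address, so the BNG should use a distinct secret per AC or AP and refuse requests from source addresses it has no secret for.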
The BNG device receiving the accounting start request sent by the WLAN device includes: the BNG device receives the accounting start request sent by the WLAN device, where the accounting start request carries the user's identification information, and the identification information includes the user's MAC address together with the public network IP address and port number range.

The BNG device identifying the user's data packets according to the user's identification information includes: the BNG device identifies the user according to the IP address in the user's data packet. Alternatively, it further includes: the BNG device identifies the user according to the IP address and port number in the user's data packet.

In a preferred implementation of this embodiment, when the public network IP address and/or port number range increases, the BNG device receives an accounting update message sent by the WLAN device, the accounting update message carrying the changed identification information. When the public network IP address and/or port number range decreases, or a NAT entry created for the user ages out, the BNG device receives an accounting update message sent by the WLAN device, the accounting update message carrying the changed identification information. When a NAT entry created for the user is updated, the BNG device receives an accounting update message sent by the WLAN device, the accounting update message carrying the changed identification information.

The user identity authentication uses one of the following authentication methods: EAP-MD5 (Extensible Authentication Protocol with Message Digest Algorithm 5), EAP-SIM (Subscriber Identity Module), EAP-AKA (Authentication and Key Agreement), EAP-PEAP (Protected EAP), EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), PPP with EAP authentication, and Point-to-Point Protocol (PPP) with pre-shared key (PSK) authentication.

The data packet management method described in this embodiment mainly concerns the functional field of data communication networks.
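To make the identification rules above concrete (the first identification unit matching on IP address, the second on IP address and port number, and the accounting update messages that add or remove a public address and port range or report an aged-out NAT entry), here is an added Python example of the BNG-side session table. It is not code from the patent or its assignee. The data structures, the authorization fields (bandwidth and priority, the two that the later embodiments act on), the MAC addresses and the address ranges are assumptions made for the example. It also covers the general case the text implies but does not spell out: several users sharing one public address under NAT, where identification by IP address alone is ambiguous and must not be attempted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

PortBlock = Tuple[str, int, int]  # (public IP, first port, last port), inclusive


@dataclass
class Authorization:
    bandwidth_kbps: int  # from the AAA authorization (field names are assumed)
    priority: int


@dataclass
class Session:
    mac: str
    auth: Authorization
    ip: Optional[str] = None                                    # user IP when no NAT is done
    port_blocks: List[PortBlock] = field(default_factory=list)  # NAT public IP + port ranges


class Bng:
    """Session table of a BNG that took no part in address allocation."""

    def __init__(self) -> None:
        self.authenticated: Dict[str, Session] = {}                  # MAC -> session (filled at AAA success)
        self.by_ip: Dict[str, str] = {}                              # user IP -> MAC
        self.nat_blocks: Dict[str, List[Tuple[int, int, str]]] = {}  # public IP -> [(lo, hi, MAC)]

    def on_aaa_success(self, mac: str, auth: Authorization) -> None:
        self.authenticated[mac] = Session(mac=mac, auth=auth)

    def _overlaps(self, block: PortBlock, owner: str) -> bool:
        ip, lo, hi = block
        return any(lo <= h and hi >= l and m != owner for l, h, m in self.nat_blocks.get(ip, []))

    def add_block(self, mac: str, block: PortBlock) -> bool:
        sess = self.authenticated.get(mac)
        if sess is None or block[1] > block[2] or self._overlaps(block, mac):
            return False  # unknown user, or a range already owned by another user
        sess.port_blocks.append(block)
        self.nat_blocks.setdefault(block[0], []).append((block[1], block[2], mac))
        return True

    def remove_block(self, mac: str, block: PortBlock) -> bool:
        sess = self.authenticated.get(mac)
        if sess is None or block not in sess.port_blocks:
            return False
        sess.port_blocks.remove(block)
        self.nat_blocks[block[0]].remove((block[1], block[2], mac))
        if not self.nat_blocks[block[0]]:
            del self.nat_blocks[block[0]]
        return True

    def on_accounting_start(self, mac: str, ip: Optional[str] = None,
                            block: Optional[PortBlock] = None) -> bool:
        """Step S606: bind only a MAC that the AAA server has already authenticated."""
        sess = self.authenticated.get(mac)
        if sess is None:
            return False
        if block is not None and not self.add_block(mac, block):
            return False
        if ip is not None:
            sess.ip = ip
            self.by_ip[ip] = mac
        return True

    def on_accounting_update(self, mac: str, added: Sequence[PortBlock] = (),
                             removed: Sequence[PortBlock] = ()) -> bool:
        """Port block added, or removed because it was released or its NAT entry aged out."""
        return all(self.remove_block(mac, b) for b in removed) and all(self.add_block(mac, b) for b in added)

    def on_accounting_stop(self, mac: str) -> None:
        sess = self.authenticated.get(mac)
        if sess is None:
            return
        for block in list(sess.port_blocks):
            self.remove_block(mac, block)
        if sess.ip is not None:
            self.by_ip.pop(sess.ip, None)
        del self.authenticated[mac]

    def identify(self, src_ip: str, src_port: Optional[int] = None) -> Optional[Session]:
        """Step S608: by IP address (first unit) or by IP address and port (second unit)."""
        if src_ip in self.nat_blocks:
            if src_port is None:
                return None  # shared NAT address: the IP alone does not identify a user
            for lo, hi, mac in self.nat_blocks[src_ip]:
                if lo <= src_port <= hi:
                    return self.authenticated[mac]
            return None
        mac = self.by_ip.get(src_ip)
        return self.authenticated.get(mac) if mac is not None else None

    def handle_packet(self, src_ip: str, src_port: Optional[int]) -> dict:
        """Management decision for one packet: drop unknown users, otherwise apply the
        stored authorization (rate limit and priority mapping)."""
        sess = self.identify(src_ip, src_port)
        if sess is None:
            return {"action": "drop", "reason": "unknown user"}
        return {"action": "forward", "mac": sess.mac,
                "rate_kbps": sess.auth.bandwidth_kbps, "priority": sess.auth.priority}
```

The overlap check in add_block is what keeps the accounting update path safe: a WLAN device that announced a port range already held by another user would otherwise let one subscriber's traffic be billed and policed as another's, so the BNG rejects the binding instead of silently overwriting it.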
The method for fixed-network access of WLAN users is now described. FIG. 7 is a schematic diagram of the method for fixed-network access of WLAN users according to an embodiment of the present invention. As shown in FIG. 7, the method includes the following steps (step S702 to step S710):

Step S702: the WLAN device, acting as the authenticator, sends the user identity authentication message to the BNG device. The WLAN device may be an AC or an AP. The user authentication method may be any of the EAP methods used for 802.1x authentication, such as EAP-MD5, EAP-SIM, EAP-AKA, EAP-PEAP, EAP-TLS and EAP-TTLS; it may also be PPP+EAP authentication or PPP+PSK authentication.

Step S704: the BNG device, acting as an authentication proxy, authenticates the user's identity through the AAA server; after the authentication succeeds, the BNG device stores the user's authorization information and identification information. The authentication proxy function of the BNG device includes a RADIUS Proxy function and a Diameter authentication proxy function. While storing the user's authorization information, the BNG device may optionally send the user's authorization information to the WLAN device. The user's identification information includes the user's MAC address, and/or the IP address assigned to the user by the AAA server in the authorization information, and/or VPN instance information, and/or the combination of public network IP address and port number range assigned to the user by the AAA server in the authorization information.

Step S706: the user obtains an IP address through the WLAN device. The WLAN device may allocate the IP address to the user from a local address pool, request a user IP address from a DHCP server, or allocate to the user the IP address that the AAA server assigned in the authorization information. The WLAN device may also send the user a private network address and, at the same time, allocate a public network IP address and port number range for performing network address translation for that user, storing them on the WLAN device.

Step S708: after the user authentication has passed and IP address allocation has succeeded, the WLAN device sends an accounting start request to the BNG device carrying the user's identification information. The user's identity authentication and IP address acquisition may occur in either order. When the WLAN device allocates a private network IP address to the user and performs network address translation on the user's data packets, the WLAN device also needs the following functions:

When the public network address and/or port block used for translating that user's addresses increases (for example a new public network address and port block is added for the user), the WLAN device notifies the BRAS through an accounting start message or an accounting update message carrying the changed user identification information.
When the public network address and/or port block used for translating that user's addresses decreases (for example the user goes offline, or one of the user's public network addresses and port blocks is removed), or a NAT entry ages out, the WLAN device notifies the BRAS through an accounting stop message or an accounting update message carrying the user identification information.
When a NAT entry used for translating that user's addresses is aged and refreshed, the WLAN device notifies the BRAS through an accounting update message carrying the user identification information.

Step S710: the BNG device receives the accounting start request, finds the stored user authorization information by means of the user's identification information, and manages the user's service traffic according to the user's authorization information and identification information.

The broadband network gateway (BNG) above also covers a BRAS (Broadband Remote Access Server), an SR (Service Router) and a NAS (Network Access Server), among others.

Three preferred embodiments of the present invention in different application scenarios are described below. Of course, the embodiments of the present invention are not limited to the following three; they are described only as preferred embodiments.

Embodiment 1

This embodiment describes the processing of data packets in the directly attached AC scenario: the AC sits between the AP and the BNG, acts as the user's 802.1x authenticator, and allocates the user's IP address. FIG. 8 is a flowchart of the data packet processing method in the directly attached AC scenario according to Embodiment 1 of the present invention. As shown in FIG. 8, the method includes the following steps (step S802 to step S826):

Step S802: the user terminal starts the authentication request by sending EAPoL-Start.
Step S804: after receiving the EAPoL-Start message, the AC sends an EAP-Request/Identity message to the user terminal, asking the user terminal to send its user name to the BRAS.
Step S806: the user terminal sends an EAP-Response/Identity message containing the user name to the AC.
Step S808: the AC encapsulates the EAP-Response/Identity message in a RADIUS Access-Request message and sends it to the BRAS; after receiving the RADIUS Access-Request message from the AC, the BRAS uses its RADIUS Proxy function to compose a new RADIUS Access-Request message and sends it to the AAA server.
Step S810: the AAA server generates an EAP-Request, carries it in a RADIUS Access-Challenge message and sends it to the BRAS, which uses its RADIUS Proxy function to compose a new RADIUS Access-Challenge message and sends it to the AC.
The AC forwards the EAP-Request to the user terminal.
Step S812: after receiving the EAP-Request, the user terminal sends its response to the challenge (the challenged password) to the AC; the AC encapsulates it in a RADIUS message and sends it to the BRAS, and the BRAS uses its RADIUS Proxy function to re-encapsulate the RADIUS message and send it to the AAA server.
Step S814: the AAA server decides whether the user is legitimate; if the authentication succeeds, it sends the user's authorization information to the BRAS in the authentication success message.
Step S816: the BRAS sends an authentication success message to the AC and stores the user's authorization information together with the user MAC address from the authentication message; the AC sends an 802.1x authentication success message to the user.
Step S818: the user sends a DHCP Discover message to the AC to request an IP address; the AC allocates an IP address to the user from its local address pool or through a DHCP server.
Step S820: the AC sends an accounting start message to the BRAS carrying the user's MAC address and IP address.
Step S822: after receiving the accounting start message, the BRAS matches the user's MAC address against the stored MAC addresses of users that have passed authentication, finds the user's authorization information and records the user's IP address; at the same time, the BRAS sends an accounting start message to the AAA server.
Step S824: the AAA server sends an accounting start success message to the BRAS; the BRAS encapsulates a new accounting start success message through its RADIUS Proxy function and sends it to the AC.
Step S826: the user accesses the network; the BRAS identifies the user by the IP address in the received user data packets and processes the user data packets according to that user's authorization information.

For example, the BRAS may rate-limit the user's data packets according to the user bandwidth in the authorization message, or map their priority according to the user priority in the authorization message.

Based on the processing method of the directly attached AC scenario described in this embodiment, the encapsulation and forwarding of data packets after the user has obtained an IP address is described next. FIG. 9 is a schematic flowchart of data packet encapsulation and forwarding according to Embodiment 1 of the present invention. As shown in FIG. 9, the flow includes the following steps (step S902 to step S908):

Step S902: the user sends a data packet to the service network; the source MAC address is the user's MAC address MAC1, the destination MAC address is MAC2, the MAC address of the user-side interface of the AC, the source IP address is the user's IP address IP1, and the destination IP address is IP2, the IP address of the service the user is accessing.
Step S904: the AP passes the user data packet through transparently.
Step S906: after receiving the data packet, the AC rewrites its source and destination MAC addresses: the source MAC address becomes MAC3, the MAC address of the AC interface connected to the BRAS, and the destination MAC address becomes MAC4, the MAC address of the BRAS interface connected to the AC.
Step S908: after receiving the data packet, the BRAS identifies the user by the source IP address and processes the packet according to the user's authorization information, for example priority mapping, buffering or discarding. If the BRAS decides that the processed packet may be forwarded to the service network, it rewrites the source and destination MAC addresses again: the source MAC address becomes MAC5, the MAC address of the network-side interface of the BRAS, and the destination MAC address becomes MAC6, the MAC address of the network-side device's interface connected to the BRAS.

Embodiment 2

This embodiment describes the processing of data packets in the directly attached AC scenario, in which the AC sits between the AP and the BNG.
AC作为用户的 802.1x认证器, 同时为用户分配私网 IP地址, 并对用户的数据报文进 行网络地址转换。图 10是根据本发明实施例二的 AC直挂场景下的数据报文的处理方 法的流程图, 如图 10所示, 该方法包括以下步骤 (步骤 S1002-步骤 S1026): 步骤 S1002至步骤 S1016为用户的身份认证过程, 具体过程与上述实施例的步骤 S802至步骤 S816相似, 在此不再赘述。 步骤 S1018, 用户向 AC发送 DHCP Discover消息请求 IP地址, AC为用户分配 私网 IP地址发送给用户, 同时 AC为该用户分配用于进行网络地址翻译的公网 IP地 址和端口号段并存储在 AC设备上。 步骤 S1020, AC向 BRAS发送计费开始消息, 携带用户的 MAC地址、 公网 IP 地址和端口号段。 步骤 S1022, BRAS收到计费开始消息后, 匹配用户的 MAC地址和存储的已通过 认证用户的 MAC地址, 找到用户的授权信息并记录用户的公网 IP地址和端口号段, 同时 BRAS向 AAA发送计费开始消息。 步骤 S1024, AAA向 BRAS发送计费开始成功消息, BRAS通过 Radius Proxy功 能封装新的计费开始成功消息并发送给 AC。 步骤 S1026, 用户访问网络, BRAS根据接收到的用户数据报文中的 IP地址和端 口号信息识别出用户, 并根据该用户的授权信息对用户数据报文进行处理。 例如, BRAS 可以根据授权消息中的用户带宽对用户数据报文进行限速, 或根据 授权消息中的用户优先级对用户数据报文进行优先级映射等。 此外, 当用于该用户网络地址翻译的公网地址和 /或端口块有增加时(例如为用户 新增了一个公网地址和端口块), AC通过计费开始消息或计费更新消息通知 BRAS, 携带变化后的用户标识信息。 当用于该用户网络地址翻译的公网地址和 /或端口块有减少时(如用户下线、 减少 了用户的一个公网地址和端口块), AC通过计费停止消息或计费更新消息通知 BRAS, 携带用户标识信息。 当用于该用户网络地址翻译的 NAT生成条目老化更新时, AP通过计费更新消息 通知 BRAS, 携带用户标识信息。 基于上述实施例介绍的 AC直挂场景下的数据报文的处理方法, 下面对为用户获 取 IP地址之后的数据报文封装和转发示意流程进行介绍, 图 11是根据本发明实施例 二的数据报文封装和转发示意流程图,如图 11所示,该流程包括以下步骤 (步骤 S1102- 步骤 S1108): 步骤 S1102, 用户向业务网络发送数据报文, 源 MAC地址为用户的 MAC地址As the user's 802.1x authenticator, the AC assigns a private network IP address to the user and performs network address translation on the user's data packets. 10 is a flowchart of a method for processing a data packet in an AC direct-hanging scenario according to the second embodiment of the present invention. As shown in FIG. 10, the method includes the following steps (step S1002 - step S1026): Step S1002 to step S1016 The specific process is similar to the step S802 to the step S816 of the foregoing embodiment, and is not described here. Step S1018: The user sends a DHCP Discover message requesting an IP address to the AC, and the AC allocates a private network IP address to the user, and the AC allocates a public network IP address and port number segment for performing network address translation to the user and stores the On the AC device. 
Step S1020: The AC sends an Accounting Start message to the BRAS, carrying the user's MAC address, public network IP address, and port number segment. Step S1022: After receiving the charging start message, the BRAS matches the MAC address of the user and the stored MAC address of the authenticated user, finds the authorization information of the user, and records the public IP address and port number segment of the user, and the BRAS to the AAA Send a billing start message. Step S1024, the AAA sends a charging start success message to the BRAS, and the BRAS encapsulates a new charging start success message by the Radius Proxy function and sends the message to the AC. Step S1026: The user accesses the network, and the BRAS identifies the user according to the IP address and port number information in the received user data packet, and processes the user data packet according to the authorization information of the user. For example, the BRAS can limit the rate of the user data packets according to the user bandwidth in the authorization message, or perform priority mapping on the user data packets according to the user priority in the authorization message. In addition, when the public network address and/or port block used for translation of the user network address is increased (for example, a public network address and a port block are added for the user), the AC notifies by using an accounting start message or a charging update message. BRAS, carrying the changed user identification information. When the public network address and/or port block used for translation of the user network address is reduced (for example, if the user goes offline and reduces a public network address and port block of the user), the AC passes the charging stop message or the charging update message. Notify the BRAS to carry user identification information. 
When the NAT generation entry for the user network address translation is aged and updated, the AP notifies the BRAS through the charging update message, and carries the user identification information. Based on the method for processing data packets in the AC direct-attached scenario, the following describes the flow of data packet encapsulation and forwarding after the user obtains an IP address. FIG. 11 is a schematic diagram of a data packet encapsulation and forwarding process according to the second embodiment of the present invention. A flow chart of data packet encapsulation and forwarding is shown in FIG. 11. The process includes the following steps (step S1102-step S1108): Step S1102, the user sends a data packet to the service network, and the source MAC address is the MAC address of the user.
MACK 目的 MAC地址为 AC设备用户侧接口的 MAC地址 MAC2, 源 IP地址为用 户的私网 IP地址 IP1, 目的 IP地址为用户访问的业务 IP地址 IP2, 源端口为 Portl, 目的端口为 Port2。 步骤 SI 104, AP对用户数据报文进行透传。 步骤 S 1106, AC接收到数据报文后, 修改报文的源 MAC地址和目的 MAC地址, 源 MAC地址修改为 AC与 BRAS相连接口的 MAC地址 MAC3, 目的 MAC地址修改 为 BRAS与 AC相连接口的 MAC地址 MAC4;同时修改报文的源 IP地址和源端口号, 源 IP地址修改为为该用户分配的公网 IP地址 IP3,并从为该用户分配的端口号段中选 择一个空闲的端口号 Port3作为报文的新的源端口号。 步骤 S1108, BRAS接收到数据报文后, 根据源 IP地址和端口号识别用户, 并根 据用户的授权信息对报文进行处理, 如优先级映射、 缓存、 丢弃等, 如 BRAS判断经 过处理的报文可以向业务网络转发,则再次更改报文的源 MAC地址和目的 MAC地址, 源 MAC地址修改为 BRAS的网络侧接口的 MAC地址 MAC5, 目的 MAC地址为网络 侧设备与 BRAS相连接口的 MAC地址 MAC6。 实施例三 无线接入点 (Access Point, 简称为 AP) 是 WLAN网络中的重要组成部分, 其工 作机制类似有线网络中的集线器(HUB), 无线终端可以通过 AP进行终端之间的数据 传输, 也可以通过 AP的" WAN"口与有线网络互通。 通常业界将 AP分为胖 AP和痩 AP。 胖 AP普遍应用于 SOHO家庭网络或小型无线局域网, 有线网络入户后, 可以部 署胖 AP进行室内覆盖, 室内无线终端可以通过胖 AP访问 INTERNETS 下面对胖 AP场景下的数据报文的处理方法进行介绍, AP直接 BNG设备相连, AP作为用户的 802.1x认证器, 同时负责为用户分配私网 IP地址, 并对用户的数据报 文进行网络地址转换。 图 12是根据本发明实施例三的胖 AP场景下的数据报文的处理 方法的流程图, 如图 12所示, 该方法包括以下步骤 (步骤 S1202-步骤 S1226): 步骤 S 1202用户向 AP发送 DHCP Discover消息请求 IP地址, AP为用户分配私 网 IP地址发送给用户。 步骤 S1204到 S1218为用户的身份认证过程,具体过程与上述实施例的步骤 S802 至步骤 S816相似, 只是 AP代替步骤 S802至步骤 S816中的 AC作为认证器, 在此不 再赘述。 步骤 S1220, 用户通过身份认证后, AP为该用户分配用于进行网络地址翻译的公 网 IP地址和端口号段并存储在 AP设备上; 同时 AP向 BRAS发送计费开始消息, 携 带用户的 MAC地址、 公网 IP地址和端口号段; 步骤 S1222, BRAS收到计费开始消息后, 匹配用户的 MAC地址和存储的已通过 认证用户的 MAC地址, 找到用户的授权信息并记录用户的公网 IP地址和端口号段, 同时 BRAS向 AAA发送计费开始消息; 步骤 S1224, AAA向 BRAS发送计费开始成功消息, BRAS通过 Radius Proxy功 能封装新的计费开始成功消息并发送给 AP; 步骤 S1226, 用户访问网络, BRAS根据接收到的用户数据报文中的 IP地址和端 口号信息识别出用户, 并根据该用户的授权信息对用户数据报文进行处理。 例如, BRAS 可以根据授权消息中的用户带宽对用户数据报文进行限速, 或根据 授权消息中的用户优先级对用户数据报文进行优先级映射等。 此外, 当用于该用户网络地址翻译的公网地址和 /或端口块有增加时(例如为用户 新增了一个公网地址和端口块), AP通过计费开始消息或计费更新消息通知 BRAS, 携带变化后的用户标识信息。 当用于该用户网络地址翻译的公网地址和 /或端口块有减少时(如用户下线或减少 了用户的一个公网地址和端口块) 或 NAT生成条目老化时, AP通过计费停止消息或 计费更新消息通知 BRAS, 携带用户标识信息。 当用于该用户网络地址翻译的 NAT生成条目老化更新时, AP通过计费更新消息 通知 BRAS, 携带用户标识信息。 基于上述实施例介绍的胖 AP场景下的数据报文的处理方法, 下面对为用户获取 IP地址之后的数据报文封装和转发示意流程进行介绍, 图 13是根据本发明实施例三 的数据报文封装和转发示意流程图, 如图 13所示, 该流程包括以下步骤(步骤 S1302- 步骤 S1306): 步骤 S1302, 用户向业务网络发送数据报文, 源 MAC地址为用户的 
MAC地址 MACK 目的 MAC地址为 AC设备用户侧接口的 MAC地址 MAC2, 源 IP地址为用 户的私网 IP地址 IP1, 目的 IP地址为用户访问的业务 IP地址 IP2, 源端口为 Portl, 目的端口为 Port2; 步骤 S1304, AP接收到数据报文后, 修改报文的源 MAC地址和目的 MAC地址, 源 MAC地址修改为 AP与 BRAS相连接口的 MAC地址 MAC3, 目的 MAC地址修改 为 BRAS与 AP相连接口的 MAC地址 MAC4;同时修改报文的源 IP地址和源端口号, 源 IP地址修改为为该用户分配的公网 IP地址 IP3,并从为该用户分配的端口号段中选 择一个空闲的端口号 Port3作为报文的新的源端口号; AP将修改后的数据报文直接发 送给 BRAS设备; 步骤 S1306, BRAS接收到数据报文后, 根据源 IP地址和端口号识别用户, 并根 据用户的授权信息对报文进行处理, 如优先级映射、 缓存、 丢弃等, 如 BRAS判断经 过处理的报文可以向业务网络转发,则再次更改报文的源 MAC地址和目的 MAC地址, 源 MAC地址修改为 BRAS的网络侧接口的 MAC地址 MAC5, 目的 MAC地址为网络 侧设备与 BRAS相连接口的 MAC地址 MAC6。 对应于上述实施例介绍的数据报文的管理方法, 本实施例提供了一种数据报文的 管理装置, 该装置一般可以设置在 BNG设备侧, 用于实现上述实施例。 图 14是根据 本发明实施例的数据报文的管理装置的结构框图, 如图 14所示, 该装置包括: 认证模 块 10、 请求接收模块 20、 匹配模块 30、 报文识别模块 40和管理模块 50。 下面对该结 构进行介绍。 认证模块 10, 设置为通过 AAA服务器进行用户身份认证, 并在用户身份认证成 功后存储已认证用户的授权信息和标识信息; 请求接收模块 20, 连接至认证模块 10, 设置为接收 WLAN设备发送的计费开始 请求; 其中, 上述计费开始请求中携带有用户的标识信息; 匹配模块 30,连接至请求接收模块 20, 设置为匹配上述计费开始请求中携带的标 识信息和上述已认证用户的标识信息, 并在匹配成功后, 根据上述已认证用户的标识 信息确定上述授权信息; 报文识别模块 40,连接至匹配模块 30, 设置为根据上述用户的标识信息对上述用 户的数据报文进行识别; 管理模块 50,连接至报文识别模块 40, 设置为根据上述用户的授权信息对上述数 据报文进行管理。 通过上述实施例, BNG设备在用户身份认证成功后存储已认证用户的授权信息和 标识信息, BNG设备接收 WLAN设备发送的携带有用户的标识信息的计费开始请求, BNG设备匹配该标识信息和上述已认证用户的标识信息, 并在匹配成功后, 根据上述 已认证用户的标识信息确定上述授权信息; BNG设备根据上述用户的标识信息对上述 用户的数据报文进行识别, 根据上述用户的授权信息对上述数据报文进行管理, 解决 了相关技术中 BNG设备不参与用户地址分配流程的情况下 BNG无法识别用户的问 题,从而能够在不改变当前的 WLAN网络用户认证和地址分配的网络架构和流程的情 况下,快速部署 BNG设备实现用户业务和流量的管理、提升 WLAN网络的服务质量。 上述 WLAN设备可以为 AC或者 AP。对于述认证模块 10通过何种方式获取授权 信息和标识信息并存储, 本实施例提供了一种优选实施方式, 上述认证模块 10包括: 报文发送单元, 设置为向 AAA服务器发送用户认证报文; 其中, 该用户认证报文用 于通知上述 AAA服务器进行用户身份认证; 存储单元, 设置为接收上述 AAA服务器 发送的上述已认证用户的授权信息, 并根据上述用户认证报文存储上述已认证用户的 标识信息。 通过上述结构, BNG分别获取到授权信息和标识信息, 为后续 BNG设备 匹配标识信息, 并根据标识信息确定授权信息提供基础。 在 BNG 设备在用户身份认证成功后存储在述已认证用户的授权信息和标识信息 之后, 优选地, 上述装置还包括: 授权信息发送模块, 设置为将上述已认证用户的授 权信息发送至上述 WLAN设备。 在本实施例的优选实施方式中, 上述请求接收模块 20包括: 接收单元, 设置为接 收上述 WLAN设备发送的上述计费开始请求; 其中, 上述计费开始请求中携带有上述 用户的上述标识信息, 上述标识信息包括上述用户的 MAC地址, 以及公网 IP地址和 端口号段。 在本实施例的优选实施方式中, 上述报文识别模块 40包括: 第一识别单元, 设置 为根据用户数据报文中的 IP地址对用户进行识别。 上述报文识别模块 40还包括: 第 二识别单元, 
设置为根据用户数据报文中的 IP地址和端口号信息对用户进行识别。 在本实施例的优选实施方式中, 上述装置还包括: 第一接收模块, 设置为在上述 公网 IP地址和 /或端口号段增加的情况下,接收上述 WLAN设备发送的计费更新消息; 其中, 上述计费更新消息中携带有变化后的标识信息。 上述装置还包括: 第二接收模块, 设置为在上述公网 IP地址和 /或端口号段减少, 或者用于网络地址翻译的网络地址转换 NAT生成条目老化的情况下,接收上述 WLAN 设备发送的计费更新消息; 其中, 上述计费更新消息中携带有变化后的标识信息。 上述装置还包括: 第三接收模块, 设置为在用于网络地址翻译的 NAT生成条目更 新的情况下, 接收上述 WLAN设备发送的计费更新消息; 其中, 上述计费更新消息中 携带有变化后的标识信息。 对应于上述实施例介绍的数据报文的管理方法, 本实施例提供了一种数据报文的 管理系统, 该系统用于实现上述实施例。 图 15是根据本发明实施例的数据报文的管理 系统的结构框图, 如图 15所示, 该系统包括上述实施例介绍的数据报文的管理装置, 还包括 WLAN设备, 该 WLAN设备包括: 地址分配模块 60, 设置为接收到用户的网 络协议 IP地址请求后, 为上述用户分配 IP地址。 在本实施例的优选实施方式中, 上述地址分配模块 60包括: 第一分配单元, 设置 为接收到上述用户的 IP地址请求后, 在本地地址池中为上述用户分配 IP地址; 或者, 第二分配单元,设置为接收到上述用户的 IP地址请求后,通过动态主机配置协议 DHCP 服务器为上述用户分配 IP地址。 上述地址分配模块 60还包括: 第三分配单元, 设置为接收到用户的 IP地址请求 后, 将认证授权计费 AAA服务器通过上述授权信息为上述用户分配的 IP地址分配给 上述用户。 上述地址分配模块 60还包括: 第四分配单元, 设置为接收到用户的 IP地址请求 后, 为上述用户分配私网 IP地址, 以及用于网络地址翻译的公网 IP地址和端口号段。 在本实施例的优选实施方式中, 上述 WLAN设备还包括: 存储模块, 设置为存储 上述公网 IP地址和上述端口号段。 从以上的描述中可以看出, 本发明实施例通过对现有技术和网络设备的扩展, 在 尽量不改变 WLAN网络的网络架构、用户认证和地址分配流程的前提下,避免因 BNG 设备不参与用户地址分配流程导致 BNG无法识别用户、进而导致 BNG无法根据用户 的授权信息进行用户业务和流量管理的问题,实现了 WLAN用户从固定宽带网络接入 的用户的业务和流量管理。 显然, 本领域的技术人员应该明白, 上述的本发明的各模块或各步骤可以用通用 的计算装置来实现, 它们可以集中在单个的计算装置上, 或者分布在多个计算装置所 组成的网络上, 可选地, 它们可以用计算装置可执行的程序代码来实现, 从而, 可以 将它们存储在存储装置中由计算装置来执行, 并且在某些情况下, 可以以不同于此处 的顺序执行所示出或描述的步骤, 或者将它们分别制作成各个集成电路模块, 或者将 它们中的多个模块或步骤制作成单个集成电路模块来实现。 这样, 本发明不限制于任 何特定的硬件和软件结合。 以上所述仅为本发明的优选实施例而已, 并不用于限制本发明, 对于本领域的技 术人员来说, 本发明可以有各种更改和变化。 凡在本发明的精神和原则之内, 所作的 任何修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。 The destination MAC address is MAC address MAC2 of the user-side interface of the AC. The source IP address is the IP address of the user's private IP address. The destination IP address is the IP address of the service IP address. The source port is Port1 and the destination port is Port 2. In step S104, the AP transparently transmits the user data packet. 
Step S1106: After receiving the data packet, the AC modifies the source MAC address and the destination MAC address of the packet, and the source MAC address is modified to be the MAC address MAC3 of the interface connected between the AC and the BRAS, and the destination MAC address is modified to be the interface between the BRAS and the AC. MAC address MAC4; modify the source IP address and source port number of the packet, change the source IP address to the public IP address IP3 assigned to the user, and select an idle port number from the port number segment assigned to the user. Port3 is the new source port number for the message. Step S1108: After receiving the data packet, the BRAS identifies the user according to the source IP address and the port number, and processes the packet according to the authorization information of the user, such as priority mapping, buffering, discarding, etc., for example, the BRAS judges the processed report. If the text can be forwarded to the service network, the source MAC address and destination MAC address of the packet are changed again. The source MAC address is changed to the MAC address MAC5 of the network side interface of the BRAS. The destination MAC address is the MAC address of the interface connected to the BRAS. MAC6. Embodiment 3 A wireless access point (AP) is an important component of a WLAN network, and its working mechanism is similar to a hub (HUB) in a wired network, and the wireless terminal can perform data transmission between the terminals through the AP. It can also communicate with the wired network through the "WAN" port of the AP. Generally, the industry divides APs into fat APs and 痩APs. Fat APs are commonly used in SOHO home networks or small wireless LANs. After a wired network is connected to the home, a fat AP can be deployed for indoor coverage. The indoor wireless terminal can access the INTERNETS through the fat AP. 
The following is a method for processing data packets in a fat AP scenario. The AP is directly connected to the BNG device. The AP functions as the 802.1x authenticator of the user. It also assigns the private network IP address to the user and performs network address translation on the data packets of the user. FIG. 12 is a flowchart of a method for processing a data packet in a fat AP scenario according to a third embodiment of the present invention. As shown in FIG. 12, the method includes the following steps (step S1202-step S1226): Step S1202 User to AP A DHCP Discover message is sent to request an IP address. The AP assigns a private network IP address to the user and sends it to the user. Steps S1204 to S1218 are the authentication process of the user. The specific process is similar to the step S802 to the step S816 of the foregoing embodiment, except that the AP replaces the AC in the step S802 to the step S816 as an authenticator, and details are not described herein again. Step S1220: After the user is authenticated by the identity, the AP allocates a public network IP address and a port number segment for performing network address translation to the AP and stores the same on the AP device. The AP sends an accounting start message to the BRAS, carrying the user's MAC address. Address, public network IP address, and port number segment; Step S1222, after receiving the charging start message, the BRAS matches the user's MAC address and the stored MAC address of the authenticated user, finds the user's authorization information, and records the user's public network. 
The IP address and the port number segment, and the BRAS sends an accounting start message to the AAA; in step S1224, the AAA sends a charging start success message to the BRAS, and the BRAS encapsulates a new charging start success message by the Radius Proxy function and sends the message to the AP; Step S1226 The user accesses the network, and the BRAS identifies the user according to the IP address and port number information in the received user data packet, and processes the user data packet according to the authorization information of the user. For example, the BRAS can limit the rate of the user data packets according to the user bandwidth in the authorization message, or perform priority mapping on the user data packets according to the user priority in the authorization message. In addition, when the public network address and/or the port block for the translation of the user network address is increased (for example, a public network address and a port block are added to the user), the AP notifies the charging start message or the charging update message. BRAS, carrying the changed user identification information. When the public network address and/or port block used for translation of the user network address is reduced (for example, if the user goes offline or reduces a public network address and port block of the user) or the NAT generation entry ages, the AP stops by charging. The message or charging update message informs the BRAS to carry the user identification information. When the NAT generation entry for the user network address translation is aged and updated, the AP notifies the BRAS through the charging update message, and carries the user identification information. The data packet processing method in the fat AP scenario is described in the foregoing embodiment. The following describes the data packet encapsulation and forwarding process after the user obtains the IP address. FIG. 
13 is a data according to Embodiment 3 of the present invention. As shown in FIG. 13, the flow includes the following steps (step S1302 - step S1306): Step S1302, the user sends a data packet to the service network, and the source MAC address is the MAC address of the user. The MAC address is the MAC address MAC2 of the user interface of the AC device, the source IP address is the private IP address IP1 of the user, the destination IP address is the service IP address IP2 accessed by the user, the source port is Port1, and the destination port is Port2 ; Step S1304, After receiving the data packet, the AP modifies the source MAC address and destination MAC address of the packet. The source MAC address is modified to be the MAC address MAC3 of the interface connected between the AP and the BRAS, and the destination MAC address is modified to be the MAC address MAC4 of the interface connected to the BRAS and the AP. Modify the source IP address and source port number of the packet, and change the source IP address to the public IP address IP3 assigned to the user, and from the port number segment assigned to the user. Select an idle port number Port3 as the new source port number of the packet; the AP sends the modified data packet directly to the BRAS device; Step S1306, after receiving the data packet, the BRAS identifies the source IP address and port number. The user processes the packet according to the authorization information of the user, such as priority mapping, buffering, and discarding. If the BRAS determines that the processed packet can be forwarded to the service network, the source MAC address and destination MAC address of the packet are changed again. The address, the source MAC address is modified to the MAC address MAC5 of the network side interface of the BRAS, and the destination MAC address is the MAC address MAC6 of the interface connected to the BRAS by the network side device. 
Corresponding to the management method of the data packet introduced in the foregoing embodiment, the embodiment provides a device for managing a data packet, and the device can be generally disposed on the BNG device side to implement the foregoing embodiment. FIG. 14 is a structural block diagram of a data message management apparatus according to an embodiment of the present invention. As shown in FIG. 14, the apparatus includes: an authentication mode Block 10, request receiving module 20, matching module 30, message identification module 40, and management module 50. The structure is described below. The authentication module 10 is configured to perform user identity authentication through the AAA server, and store the authorization information and the identification information of the authenticated user after the user identity authentication succeeds. The request receiving module 20 is connected to the authentication module 10 and configured to receive the WLAN device. a charging start request; wherein the charging start request carries the identification information of the user; the matching module 30 is connected to the request receiving module 20, and is configured to match the identification information carried in the charging start request and the authenticated user. Identifying the information, and after the matching is successful, determining the authorization information according to the identification information of the authenticated user; the message identification module 40 is connected to the matching module 30, and configured to perform the data message of the user according to the identification information of the user. The management module 50 is connected to the message identification module 40 and configured to manage the data message according to the authorization information of the user. 
After the user identity authentication succeeds, the BNG device stores the authorization information and the identification information of the authenticated user, and the BNG device receives the charging start request that is sent by the WLAN device and carries the identification information of the user, and the BNG device matches the identification information and The identification information of the authenticated user is determined, and after the matching is successful, the authorization information is determined according to the identification information of the authenticated user; the BNG device identifies the data packet of the user according to the identification information of the user, according to the authorization of the user. The information is used to manage the foregoing data packet, and solves the problem that the BNG cannot identify the user when the BNG device does not participate in the user address allocation process in the related art, so that the network architecture of the current WLAN network user authentication and address allocation can be changed. In the case of the process, the BNG device is quickly deployed to implement user service and traffic management and improve the service quality of the WLAN network. The above WLAN device may be an AC or an AP. For example, the authentication module 10 includes: a packet sending unit, configured to send a user authentication packet to the AAA server, where the authentication module 10 obtains the authorization information and the identifier information and stores the information. The user authentication message is used to notify the AAA server to perform user identity authentication. The storage unit is configured to receive the authorization information of the authenticated user sent by the AAA server, and store the authenticated user according to the user authentication message. Identification information. 
Through the above structure, the BNG obtains the authorization information and the identification information respectively, matches the identification information for the subsequent BNG device, and determines the basis of the authorization information according to the identification information. After the BNG device stores the authorization information and the identification information of the authenticated user after the user identity authentication succeeds, the device further includes: an authorization information sending module, configured to send the authorization information of the authenticated user to the WLAN. device. In a preferred embodiment of the present embodiment, the request receiving module 20 includes: a receiving unit, configured to receive the charging start request sent by the WLAN device, where the charging start request carries the identification information of the user The foregoing identification information includes the MAC address of the user, and a public network IP address and a port number segment. In a preferred embodiment of the present embodiment, the message identification module 40 includes: a first identification unit configured to identify a user according to an IP address in a user data packet. The message identification module 40 further includes: a second identification unit configured to identify the user according to the IP address and port number information in the user data message. In a preferred embodiment of the present embodiment, the device further includes: a first receiving module, configured to receive a charging update message sent by the WLAN device if the public network IP address and/or the port number segment are increased; The charging update message carries the changed identification information. 
The device further includes: a second receiving module, configured to receive, when the public network IP address and/or the port number segment is reduced, or the network address translation NAT generating entry for network address translation is aged, receiving the WLAN device sending The charging update message; wherein the charging update message carries the changed identification information. The device further includes: a third receiving module, configured to receive a charging update message sent by the WLAN device when the NAT for generating a network address is updated, wherein the charging update message carries a change Identification information. Corresponding to the management method of the data packet introduced in the foregoing embodiment, this embodiment provides a data packet management system, which is used to implement the foregoing embodiment. FIG. 15 is a structural block diagram of a data packet management system according to an embodiment of the present invention. As shown in FIG. 15, the system includes the data packet management device introduced in the foregoing embodiment, and further includes a WLAN device, where the WLAN device includes: The address assignment module 60 is configured to assign an IP address to the user after receiving the network protocol IP address request of the user. In the preferred embodiment of the present embodiment, the address allocation module 60 includes: a first allocating unit, configured to allocate an IP address to the user in the local address pool after receiving the IP address request of the user; or, the second The allocating unit is configured to allocate an IP address to the user through the dynamic host configuration protocol DHCP server after receiving the IP address request of the user. 
The address allocation module 60 further includes: a third allocating unit, configured to: after receiving the IP address request of the user, assign the IP address assigned by the authentication and authorization charging AAA server to the user by using the authorization information to the user. The address allocation module 60 further includes: a fourth allocating unit configured to: after receiving the IP address request of the user, allocate a private network IP address for the user, and a public network IP address and a port number segment for network address translation. In a preferred embodiment of the present embodiment, the WLAN device further includes: a storage module, configured to store the public network IP address and the port number segment. As can be seen from the above description, the embodiments of the present invention prevent the BNG device from participating in the network architecture, user authentication, and address allocation process of the WLAN network by changing the existing technologies and network devices. The user address allocation process causes the BNG to fail to identify the user, which in turn causes the BNG to fail to perform user service and traffic management according to the user's authorization information, thereby realizing the service and traffic management of the WLAN user accessing the user from the fixed broadband network. Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein. 
The steps shown or described are performed, or they are separately fabricated into individual integrated circuit modules, or a plurality of modules or steps are fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.
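As an added example that is not part of the patent, the BNG-side logic of Embodiments 1 to 3 modelled in Python: the authorization information and MAC address are stored at authentication success, the identification information (public IP address plus port block, or the IP address alone for the no-NAT case of Embodiment 1) is bound at Accounting Start only when the MAC address matches an authenticated user, blocks are released on Accounting Stop or Accounting Update, and upstream packets are identified by source IP address and port. The table also refuses a port block that overlaps another user's block on the same public IP address, a check the patent does not describe; all class names, MAC addresses, IP addresses and policy values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "No port block": the user is identified by IP address alone (Embodiment 1).
FULL_RANGE = (0, 65535)


@dataclass
class Authorization:
    """Authorization information from the AAA server (constructed fields)."""
    bandwidth_kbps: int   # rate limit applied to the user's packets
    priority: int         # user priority mapped onto the packet


@dataclass
class UserEntry:
    mac: str
    auth: Authorization
    # Identification info recorded at Accounting Start: public IP -> port blocks.
    blocks: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)


class BngUserTable:
    """Constructed model of the BNG modules: authenticate, match, identify, manage."""

    def __init__(self) -> None:
        self.by_mac: Dict[str, UserEntry] = {}
        # Reverse index used by the data plane: public IP -> [(lo, hi, mac)].
        self.by_ip: Dict[str, List[Tuple[int, int, str]]] = {}

    def auth_success(self, mac: str, auth: Authorization) -> None:
        """S816: AAA accepted the user; store authorization keyed by MAC."""
        self.by_mac[mac.lower()] = UserEntry(mac.lower(), auth)

    def _overlaps(self, ip: str, lo: int, hi: int, mac: str) -> bool:
        # True if [lo, hi] intersects a block already bound to a different user.
        return any(lo <= h and l <= hi and m != mac
                   for l, h, m in self.by_ip.get(ip, []))

    def accounting_start(self, mac: str, public_ip: str,
                         port_block: Tuple[int, int] = FULL_RANGE) -> bool:
        """S1020/S1022: bind identification info only if the MAC is authenticated."""
        mac = mac.lower()
        entry = self.by_mac.get(mac)
        if entry is None:
            return False          # never authenticated: nothing to bind
        lo, hi = port_block
        if not (0 <= lo <= hi <= 65535) or self._overlaps(public_ip, lo, hi, mac):
            return False          # malformed block or would alias another user
        blocks = entry.blocks.setdefault(public_ip, [])
        if (lo, hi) in blocks:
            return True           # duplicate Accounting Start is harmless
        blocks.append((lo, hi))
        self.by_ip.setdefault(public_ip, []).append((lo, hi, mac))
        return True

    def accounting_remove(self, mac: str, public_ip: Optional[str] = None,
                          port_block: Optional[Tuple[int, int]] = None) -> int:
        """Accounting Stop (all blocks) or Update removing one block; returns count."""
        mac = mac.lower()
        entry = self.by_mac.get(mac)
        if entry is None:
            return 0
        removed = 0
        for ip in list(entry.blocks):
            if public_ip is not None and ip != public_ip:
                continue
            keep = []
            for lo, hi in entry.blocks[ip]:
                if port_block is None or (lo, hi) == tuple(port_block):
                    self.by_ip[ip].remove((lo, hi, mac))
                    removed += 1
                else:
                    keep.append((lo, hi))
            if keep:
                entry.blocks[ip] = keep
            else:
                del entry.blocks[ip]
            if not self.by_ip[ip]:
                del self.by_ip[ip]
        return removed

    def identify(self, src_ip: str, src_port: int) -> Optional[UserEntry]:
        """S1026/S1108: find the user owning this (source IP, source port)."""
        for lo, hi, mac in self.by_ip.get(src_ip, []):
            if lo <= src_port <= hi:
                return self.by_mac[mac]
        return None

    def handle_upstream(self, src_ip: str, src_port: int) -> dict:
        """Data-plane decision for one packet: drop if unidentified, else apply policy."""
        user = self.identify(src_ip, src_port)
        if user is None:
            return {"action": "drop", "reason": "unidentified source"}
        return {"action": "forward", "mac": user.mac,
                "priority": user.auth.priority,
                "rate_kbps": user.auth.bandwidth_kbps}
```

A packet whose source does not match any bound block is dropped rather than forwarded with a default policy, since the BNG has no authorization to apply to it.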

Claims

权 利 要 求 书 Claims
1. 一种数据报文的管理方法, 包括: 1. A method for managing data packets, including:
宽带网络网关 BNG设备通过认证授权计费 AAA服务器进行用户身份认 证, 并在用户身份认证成功后存储已认证用户的授权信息和标识信息;  The broadband network gateway BNG device authenticates the authorized AAA server for user identity authentication, and stores the authorization information and identification information of the authenticated user after the user identity authentication succeeds;
所述 BNG设备接收无线局域网 WLAN设备发送的计费开始请求; 其中, 所述计费开始请求中携带有用户的标识信息;  The BNG device receives the charging start request sent by the WLAN device of the wireless local area network; wherein the charging start request carries the identification information of the user;
所述 BNG设备匹配所述计费开始请求中携带的标识信息和所述已认证用 户的标识信息, 并在匹配成功后, 根据所述已认证用户的标识信息确定所述授 权信息; 以及  The BNG device matches the identification information carried in the charging start request and the identification information of the authenticated user, and after the matching is successful, determines the authorization information according to the identification information of the authenticated user;
所述 BNG设备根据所述用户的标识信息对所述用户的数据报文进行识别, 根据所述用户的授权信息对所述数据报文进行管理。  The BNG device identifies the data packet of the user according to the identification information of the user, and manages the data packet according to the authorization information of the user.
2. The method according to claim 1, wherein the BNG device performing user identity authentication through the AAA server and, after the user identity authentication succeeds, storing the authorization information and identification information of the authenticated user comprises:
the BNG device sending a user authentication message to the AAA server;
the AAA server performing user identity authentication after receiving the user authentication message; and
after the user identity authentication succeeds, the BNG device receiving the authorization information of the authenticated user sent by the AAA server, and storing the identification information of the authenticated user according to the user authentication message.
3. The method according to claim 1, wherein after the BNG device stores the authorization information and identification information of the authenticated user following successful user identity authentication, the method further comprises:
the BNG device sending the authorization information of the authenticated user to the WLAN device.
4. The method according to claim 1, wherein before the BNG device receives the accounting start request sent by the WLAN device, the method further comprises:
the WLAN device allocating an IP address to the user after receiving an Internet Protocol (IP) address request from the user.
5. The method according to claim 4, wherein the WLAN device allocating an IP address to the user after receiving the IP address request of the user comprises:
the WLAN device, after receiving the IP address request of the user, allocating the IP address to the user from a local address pool; or
the WLAN device, after receiving the IP address request of the user, allocating the IP address to the user through a Dynamic Host Configuration Protocol (DHCP) server.
6. The method according to claim 4, wherein the WLAN device allocating an IP address to the user after receiving the IP address request of the user further comprises:
the WLAN device, after receiving the IP address request of the user, allocating to the user the IP address that the AAA server assigned to the user through the authorization information.
7. The method according to claim 4, wherein the WLAN device allocating an IP address to the user after receiving the IP address request of the user further comprises:
the WLAN device, after receiving the IP address request of the user, allocating to the user a private-network IP address, together with a public-network IP address and a port number range for network address translation.
8. The method according to claim 7, wherein after the WLAN device allocates the IP address to the user, the method further comprises:
the WLAN device storing the public-network IP address and the port number range.
9. The method according to claim 7, wherein the BNG device receiving the accounting start request sent by the WLAN device comprises:
the BNG device receiving the accounting start request sent by the WLAN device, where the accounting start request carries the identification information of the user, and the identification information comprises the MAC address of the user together with the public-network IP address and the port number range.
10. The method according to claim 5 or 6, wherein the BNG device identifying the data packets of the user according to the identification information of the user comprises:
the BNG device identifying the user according to the IP address in the user's data packets.
11. The method according to claim 7, wherein the BNG device identifying the data packets of the user according to the identification information of the user further comprises:
the BNG device identifying the user according to the IP address and port number information in the user's data packets.
12. The method according to claim 7, further comprising:
when the public-network IP address and/or the port number range is extended, the BNG device receiving an accounting update message sent by the WLAN device, where the accounting update message carries the changed identification information.
13. The method according to claim 7, further comprising:
when the public-network IP address and/or the port number range is reduced, or when a NAT entry generated for network address translation ages out, the BNG device receiving an accounting update message sent by the WLAN device, where the accounting update message carries the changed identification information.
14. The method according to claim 7, further comprising:
when a NAT entry generated for network address translation is updated, the BNG device receiving an accounting update message sent by the WLAN device, where the accounting update message carries the changed identification information.
15. The method according to any one of claims 1 to 14, wherein the WLAN device is an access controller (AC) or an access point (AP).
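A toy model of the BNG-side behaviour in claims 1 and 9 to 14, added here as an illustration and not code from the patent: authenticated users are stored by MAC with their authorization, an accounting start from the WLAN device binds an IP (and, in the NAT case, public port ranges) to that user, packets are then attributed by IP or by IP plus port, and accounting updates rebind the changed identifier. Class and method names, the overlap check, and all sample addresses are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """One authenticated user as the BNG stores it after AAA success (claim 1)."""
    mac: str
    authorization: dict
    ip: Optional[str] = None                  # IP bound by the accounting start (claim 9)
    port_ranges: list = field(default_factory=list)  # (lo, hi) public port blocks, NAT case


class BNG:
    def __init__(self):
        self.sessions = {}                    # MAC -> Session; the MAC is the user identifier

    def on_aaa_success(self, mac: str, authorization: dict) -> None:
        """AAA accepted the user: store authorization and identifier (claims 1 and 2)."""
        self.sessions[mac] = Session(mac, authorization)

    def _conflicts(self, mac: str, ip: str, ranges) -> bool:
        """Constructed sanity check (not in the claims): a different user must not
        already own the same IP or an overlapping port block on that IP, otherwise
        packets would be attributed, and policy applied, to the wrong user."""
        for s in self.sessions.values():
            if s.mac == mac or s.ip != ip:
                continue
            if not ranges or not s.port_ranges:
                return True                   # one side claims the whole IP
            if any(lo <= b and a <= hi for lo, hi in ranges for a, b in s.port_ranges):
                return True
        return False

    def bind(self, mac: str, ip: str, ranges=()) -> bool:
        """Accounting start (claims 1, 9) and accounting update (claims 12 to 14):
        match the MAC against stored users, then (re)bind IP and port ranges."""
        s = self.sessions.get(mac)
        if s is None or self._conflicts(mac, ip, ranges):
            return False                      # unauthenticated user or unsafe identifier
        s.ip, s.port_ranges = ip, list(ranges)
        return True

    def identify(self, src_ip: str, src_port: Optional[int] = None) -> Optional[Session]:
        """Claim 10: identify by IP alone; claim 11: by IP and port when blocks are bound."""
        for s in self.sessions.values():
            if s.ip != src_ip:
                continue
            if not s.port_ranges:
                return s
            if src_port is not None and any(lo <= src_port <= hi for lo, hi in s.port_ranges):
                return s
        return None

    def manage(self, src_ip: str, src_port: Optional[int] = None) -> Optional[dict]:
        """Return the authorization governing this packet, or None when the packet
        belongs to no authenticated user (last step of claim 1)."""
        s = self.identify(src_ip, src_port)
        return s.authorization if s else None
```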
16. A data packet management apparatus, applied to a broadband network gateway (BNG) device, comprising:
an authentication module, configured to perform user identity authentication through an authentication, authorization and accounting (AAA) server, and to store the authorization information and identification information of an authenticated user after the user identity authentication succeeds;
a request receiving module, configured to receive an accounting start request sent by a wireless local area network (WLAN) device, where the accounting start request carries identification information of a user;
a matching module, configured to match the identification information carried in the accounting start request against the identification information of the authenticated user and, when the match succeeds, to determine the authorization information according to the identification information of the authenticated user;
a packet identification module, configured to identify data packets of the user according to the identification information of the user; and
a management module, configured to manage the data packets according to the authorization information of the user.
17. The apparatus according to claim 16, wherein the authentication module comprises:
a message sending unit, configured to send a user authentication message to the AAA server, where the user authentication message is used to notify the AAA server to perform user identity authentication; and
a storage unit, configured to receive the authorization information of the authenticated user sent by the AAA server, and to store the identification information of the authenticated user according to the user authentication message.
18. The apparatus according to claim 16, further comprising:
an authorization information sending module, configured to send the authorization information of the authenticated user to the WLAN device.
19. The apparatus according to claim 16, wherein the request receiving module comprises:
a receiving unit, configured to receive the accounting start request sent by the WLAN device, where the accounting start request carries the identification information of the user, and the identification information comprises the MAC address of the user together with a public-network IP address and a port number range.
20. The apparatus according to claim 16, wherein the packet identification module comprises:
a first identification unit, configured to identify the user according to the IP address in the user's data packets.
21. The apparatus according to claim 16, wherein the packet identification module further comprises:
a second identification unit, configured to identify the user according to the IP address and port number information in the user's data packets.
22. The apparatus according to claim 16, further comprising:
a first receiving module, configured to receive, when the public-network IP address and/or the port number range is extended, an accounting update message sent by the WLAN device, where the accounting update message carries the changed identification information.
23. The apparatus according to claim 16, further comprising:
a second receiving module, configured to receive, when the public-network IP address and/or the port number range is reduced or a NAT entry generated for network address translation ages out, an accounting update message sent by the WLAN device, where the accounting update message carries the changed identification information.
24. The apparatus according to claim 16, further comprising:
a third receiving module, configured to receive, when a NAT entry generated for network address translation is updated, an accounting update message sent by the WLAN device, where the accounting update message carries the changed identification information.
25. The apparatus according to any one of claims 16 to 24, wherein the WLAN device is an access controller (AC) or an access point (AP).
26. A data packet management system, comprising the data packet management apparatus according to any one of claims 16 to 25, and further comprising a wireless local area network (WLAN) device, wherein the WLAN device comprises:
an address allocation module, configured to allocate an IP address to a user after receiving an Internet Protocol (IP) address request from the user.
27. The system according to claim 26, wherein the address allocation module comprises:
a first allocation unit, configured to allocate an IP address to the user from a local address pool after receiving the IP address request of the user; or
a second allocation unit, configured to allocate an IP address to the user through a Dynamic Host Configuration Protocol (DHCP) server after receiving the IP address request of the user.
28. The system according to claim 26, wherein the address allocation module further comprises:
a third allocation unit, configured to allocate to the user, after receiving the IP address request of the user, the IP address that the authentication, authorization and accounting (AAA) server assigned to the user through the authorization information.
29. The system according to claim 26, wherein the address allocation module further comprises:
a fourth allocation unit, configured to allocate to the user, after receiving the IP address request of the user, a private-network IP address together with a public-network IP address and a port number range for network address translation.
30. The system according to claim 26, wherein the WLAN device further comprises:
a storage module, configured to store the public-network IP address and the port number range.
PCT/CN2013/082495 2012-10-29 2013-08-28 Data packet management method, device and system WO2014067334A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210420722.3A CN103796245B (en) 2012-10-29 2012-10-29 The management method of data message, apparatus and system
CN201210420722.3 2012-10-29

Publications (1)

Publication Number Publication Date
WO2014067334A1 true WO2014067334A1 (en) 2014-05-08

Family

ID=50626429

Country Status (2)

Country Link
CN (1) CN103796245B (en)
WO (1) WO2014067334A1 (en)


Also Published As

Publication number Publication date
CN103796245A (en) 2014-05-14
CN103796245B (en) 2019-01-25

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 13850677; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 13850677; Country of ref document: EP; Kind code of ref document: A1