WO2015131568A1 - IPv6 address management method, apparatus, terminal and gateway device - Google Patents

IPv6 address management method, apparatus, terminal and gateway device

Info

Publication number
WO2015131568A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2014/092088
Inventor
朱承旭
袁博
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2015131568A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5053 Lease time; Renewal aspects
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/659 Internet protocol version 6 [IPv6] addresses

Definitions

  • the present invention relates to, but is not limited to, the field of communications, and in particular, to an IPv6 address management method, apparatus, terminal, and gateway device.
  • IPv4: Internet Protocol version 4
  • NAT: Network Address Translation
  • As in IPv4 networks, network security is also an important issue for IPv6 networks. Scanning the hosts on a network can reveal information such as the IP addresses used by active hosts, their open ports, and the operating systems they use. This information is necessary for network management, but it is also a prerequisite for malicious attackers to carry out network intrusion and an indispensable part of the worm propagation process. Therefore, research on network scanning technology is of great significance to network security.
  • The first 64 bits of the address are the network prefix, comprising "001", the global routing prefix, and the subnet ID; routers on the Internet use the prefix to deliver packets to the link of the host. The last 64 bits are the interface ID, which is used to distinguish different hosts on the same link.
  • The interface ID is usually generated by the host from its own media access control (MAC) address or other information, and the prefix is assigned to the host by a network device (such as a broadband gateway).
  • When an attacker performs network address scanning against user hosts, it is assumed that the network prefix of the link has already been obtained from a known host address; that is, the first 64 bits of the host address are known to the scanner (attacker), and the scan targets the last 64 bits of the address, the interface ID.
  • The related technical solution is to upgrade the terminal and the network device to support so-called IP address frequency hopping (or IP address hopping), in which the user host switches its own address at a certain rate to avoid address scanning as far as possible.
  • The switching covers both the last 64 bits (the interface ID) and the first 64 bits (that is, the 64-bit IPv6 prefix); the interface ID can be switched synchronously when the prefix is switched.
  • IP address hopping solves the address scanning problem to a certain extent, but it also brings new problems, such as service continuity before and after a hop: the IPv6 address change interrupts online services, which degrades the user's service experience.
  • The embodiments of the present invention provide an IPv6 address management method, apparatus, terminal, and gateway device, which implement user service continuity before and after IPv6 hopping and improve the security and availability of the IPv6 network.
  • An Internet Protocol version 6 (IPv6) address management method is used for a first terminal, and the method includes:
  • the first terminal sends, to the gateway device, an address reservation request message requesting to reserve the first IPv6 address, where the first service is a service that the first terminal and the second terminal are currently performing, and the first IPv6 address is the IPv6 address that the first terminal is using for the first service;
  • when the judgment result carried in the address reservation response message indicates that the gateway device agrees that the first terminal reserves the first IPv6 address, and the address reservation response message carries the continuation lifetime of the first IPv6 address, the first terminal continues to perform the first service with the second terminal by using the first IPv6 address before the continuation lifetime of the first IPv6 address ends.
  • the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
  • the first terminal sends an address reservation request message requesting to reserve the first IPv6 address to the gateway device, including:
  • the first terminal sends an address reservation request message requesting to reserve the first IPv6 address to the gateway device by using a dynamic host configuration protocol supporting IPv6.
  • the method further includes: if the first service is not terminated before the continuation lifetime of the first IPv6 address ends, the first terminal continues to send, to the gateway device, an address reservation request message requesting to reserve the first IPv6 address.
  • the embodiment of the invention further provides an IPv6 address management method, which is used for a gateway device, and the method includes:
  • the first IPv6 address is an IPv6 address used by the first terminal to perform the first service
  • when the first IPv6 address is 128 bits, the method further includes:
  • an IPv6 duplicate address detection message that carries the first IPv6 address, where the gateway device has pre-allocated a third IPv6 address, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address;
  • the determining whether to agree that the first terminal reserves the first IPv6 address, and obtaining the determination result, includes:
  • the local configuration policy is at least one of a port-based configuration policy, a logical interface-based configuration policy, and a user-based domain configuration policy.
  • the embodiment of the present invention further provides an Internet Protocol version 6 (IPv6) address management apparatus, which is used for a first terminal, and the apparatus includes:
  • a first sending module configured to: when the first service has not ended before the original lifetime of the first IPv6 address expires, send, to the gateway device, an address reservation request message requesting to reserve the first IPv6 address
  • the first service is a service currently being performed by the first terminal and the second terminal, and the first IPv6 address is the IPv6 address that the first terminal uses for the first service;
  • a first receiving module configured to: receive an address reservation response message returned by the gateway device, where the address reservation response message carries at least the gateway device's judgment result on whether it agrees that the first terminal reserves the first IPv6 address;
  • a processing module configured to: when the judgment result carried in the address reservation response message indicates that the gateway device agrees that the first terminal reserves the first IPv6 address, and the address reservation response message carries the continuation lifetime of the first IPv6 address, continue the first service with the second terminal by using the first IPv6 address before the continuation lifetime of the first IPv6 address ends.
  • the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
  • the first sending module includes:
  • a sending submodule configured to: send, by the first terminal, an address reservation request message requesting to reserve the first IPv6 address to the gateway device by using a dynamic host configuration protocol that supports IPv6.
  • the first sending module is further configured to:
  • the first terminal continues to send an address reservation request message requesting to reserve the first IPv6 address to the gateway device.
  • the embodiment of the invention further provides an IPv6 address management device, which is used for a gateway device, and the device includes:
  • a second receiving module configured to: receive an address reservation request message that is sent by the first terminal and requests to reserve the first IPv6 address, where the first terminal and the second terminal are performing the first service, and the first service has not ended before the original lifetime of the first IPv6 address ends.
  • the first IPv6 address is an IPv6 address used by the first terminal to perform the first service.
  • a judging module configured to: determine whether to agree that the first terminal reserves the first IPv6 address, and obtain the judgment result;
  • a second sending module configured to: when the judgment result indicates agreement that the first terminal reserves the first IPv6 address, send to the first terminal an address reservation response message carrying the judgment result and the continuation lifetime of the first IPv6 address, so that the first terminal continues to use the first IPv6 address to perform the first service with the second terminal before the continuation lifetime of the first IPv6 address ends.
  • when the first IPv6 address is 128 bits, the apparatus further includes:
  • a third receiving module configured to: receive an IPv6 duplicate address detection message that is sent by the third terminal and that carries the first IPv6 address, where the gateway device has pre-allocated a third IPv6 address to the third terminal, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address;
  • a third sending module configured to: send, to the third terminal, a neighbor solicitation message indicating that the first IPv6 address is in use, so that the third terminal cannot establish a session by using the first IPv6 address.
  • the determining module includes:
  • a determining sub-module configured to: determine, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether the first terminal is allowed to reserve the first IPv6 address, and obtain the determination result.
  • the local configuration policy is at least one of a port-based configuration policy, a logical interface-based configuration policy, and a user-based domain configuration policy.
  • the embodiment of the present invention further provides a terminal, where the terminal includes the IPv6 address management apparatus for the terminal according to any one of the above items.
  • the embodiment of the present invention further provides a gateway device, where the gateway device includes the IPv6 address management device for the gateway device.
  • the embodiment of the present invention further provides a computer program including program instructions that, when executed by the terminal, enable the terminal to perform the method described in any one of the above.
  • Embodiments of the present invention also provide a computer readable storage medium carrying the computer program.
  • the embodiment of the present invention further provides a computer program including program instructions that, when executed by a gateway device, enable the terminal to perform the method described in any one of the above.
  • Embodiments of the present invention also provide a computer readable storage medium carrying the computer program.
  • IPv6 address reservation is implemented by improving the terminal and the network device, thereby implementing user service continuity before and after IPv6 hopping, improving the security and availability of the IPv6 network, and having a positive effect on speeding up the deployment of the IPv6 network.
  • FIG. 1 is a schematic diagram of a related art IPv6 address structure
  • FIG. 2 is a schematic diagram of a network topology according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of an IPv6 address management method according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of interaction between a terminal and a gateway device in an IPv6 address management method according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of an overall structure topology of an IPv6 address management according to an embodiment of the present invention.
  • FIG. 6 is an overall flowchart of an IPv6 address management method according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of another IPv6 address management method according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an overall structure topology of another IPv6 address management according to an embodiment of the present disclosure.
  • FIG. 9 is a flowchart of a third IPv6 address management method according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of an IPv6 address management apparatus for a first terminal according to an embodiment of the present disclosure
  • FIG. 11 is a schematic structural diagram of an IPv6 address management apparatus for a gateway device according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of module interaction between a terminal and a gateway device according to an embodiment of the present invention.
  • the user service continuity before and after the IPv6 hopping can be implemented by deploying an IPv6 address update.
  • An embodiment of the present invention provides an Internet Protocol version 6 (IPv6) address management method, which is used in the first terminal. The method is as shown in FIG.
  • Step 31 When the first service has not ended before the original lifetime of the first IPv6 address expires, the first terminal sends an address reservation request message requesting to reserve the first IPv6 address to the gateway device, where the first service is a service currently being performed by the first terminal and the second terminal, and the first IPv6 address is the IPv6 address that the first terminal uses for the first service;
  • Step 32 Receive an address reservation response message returned by the gateway device, where the address reservation response message carries at least the judgment result of whether the gateway device agrees that the first terminal reserves the first IPv6 address.
  • Step 33 When the judgment result carried in the address reservation response message indicates that the gateway device agrees that the first terminal reserves the first IPv6 address, and the address reservation response message carries the continuation lifetime of the first IPv6 address, the first terminal continues the first service with the second terminal by using the first IPv6 address before the continuation lifetime of the first IPv6 address ends.
  • the gateway device determines, according to at least one of the local configuration policy and the user authorization policy of the first terminal, whether the first terminal is allowed to reserve the first IPv6 address, and obtains the first judgment result.
  • the local configuration policy is at least one of a port-based configuration policy, a logical interface-based configuration policy, and a user-based domain configuration policy.
  • the gateway device here includes a Broadband Network Gateway (BNG), a broadband remote access server (BRAS), a service router (SR), a router, and a switch.
  • the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
  • When the gateway device receives an address reservation request for a 128-bit IPv6 address, if the first IPv6 address or the IPv6 prefix corresponding to the first IPv6 address has not been allocated to another terminal, or the IPv6 prefix corresponding to the first IPv6 address has been assigned to another host but the 128-bit IPv6 address has not been used yet, the gateway device determines whether to agree to the address reservation request according to at least one of a local configuration policy and a user authorization policy.
  • the address reservation response message carries the first judgment result and the continuation lifetime allocated by the gateway device for the first IPv6 address.
  • If, before or after the address reservation response message is sent, the gateway device assigns the IPv6 prefix corresponding to the first IPv6 address to another terminal, for example the third terminal, and the gateway device receives an IPv6 duplicate address detection message that is sent by the third terminal and carries the first IPv6 address, where the gateway device has allocated a third IPv6 address to the third terminal and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address, the gateway device sends a neighbor solicitation message carrying the first IPv6 address to the third terminal, so that the third terminal cannot establish a session using the first IPv6 address.
  • Before the continuation lifetime of the first IPv6 address ends, the first terminal continues to perform the first service with the second terminal by using the first IPv6 address; that is, the first terminal no longer establishes new Transmission Control Protocol/User Datagram Protocol (TCP/UDP) connections with the first IPv6 address. New connections actively initiated by the first terminal use other IPv6 addresses (an IPv6 host allows multiple addresses to coexist), and the first terminal no longer accepts connection establishment requests sent from the external network whose destination address is the first IPv6 address, so as to prevent network-side scanning attacks.
  • the first terminal does not generate a new 128-bit IPv6 address under the first IPv6 prefix.
  • the new connection triggered by the first terminal adopts a third IPv6 address
  • the first IPv6 address is a 64-bit IPv6 address prefix
  • the prefix of the third IPv6 address is different from the first IPv6 address, and the first terminal can continue to use the first IPv6 address to perform the first service with the second terminal, thereby ensuring continuity of the first service.
  • Since the first terminal no longer establishes new TCP/UDP connections with the first IPv6 address, the first terminal sends an address release notification to the gateway device after all TCP/UDP connections using the first IPv6 address are terminated.
  • the first terminal continues to send an address reservation request message requesting to reserve the first IPv6 address to the gateway device.
  • the first terminal sends an address reservation request message requesting to reserve the first IPv6 address to the gateway device by using a dynamic host configuration protocol that supports IPv6.
  • The IPv6 address management method provided by the embodiment of the present invention is as follows:
  • Step 41 The first terminal performs the first service with the second terminal before the end of the first IPv6 address lifetime, and the first terminal sends an address reservation request to the gateway device.
  • the first IPv6 address is an IPv6 address that the first terminal is using for the first service; the IPv6 address includes at least one of a 128-bit IPv6 address and a 64-bit IPv6 prefix; the address reservation request is carried by the DHCPv6 protocol.
  • the gateway device includes a BNG, a BRAS, an SR, a router, and a switch;
  • Step 42 After receiving the address reservation request, the gateway device determines whether to agree to the address reservation request, and if yes, proceeds to step 43;
  • After receiving the address reservation request, the gateway device determines whether to agree to the address reservation request according to a local configuration policy and/or a user authorization policy; the local configuration policy is based on a port and/or a logical interface and/or a user domain.
  • After receiving the address reservation request for the 128-bit IPv6 address, if the gateway device has not allocated the IPv6 prefix corresponding to the first IPv6 address or the first IPv6 address to another terminal, or the IPv6 prefix corresponding to the first IPv6 address has been allocated to another host but the 128-bit IPv6 address has not been used, the gateway device determines according to the local configuration policy and/or the user authorization policy whether to agree to the address reservation request;
  • Step 43 The gateway device sends an address reservation response message to the first terminal, and the response type is agreement to the address reservation request.
  • the address reservation response message carries a continuation lifetime of the first IPv6 address
  • when the gateway device receives a DAD detection message, sent by the third terminal, that carries the 128-bit first IPv6 address, it sends a neighbor solicitation (NS) message to the third terminal to notify it that the first IPv6 address is already in use;
  • Step 44 After receiving the address reservation response message described in step 43, the first terminal does not establish a new TCP/UDP connection by using the first IPv6 address;
  • the first terminal sends an address release notification to the gateway after all TCP/UDP connections using the first IPv6 address are terminated;
  • the first terminal does not generate any new 128-bit IPv6 address under the first IPv6 prefix
  • if the current first service is not terminated before the continuation lifetime of the IPv6 address ends, the process returns to step 41.
  • the IPv6 address reservation is considered.
  • When the gateway device agrees that the first terminal reserves the first IPv6 address, a continuation lifetime is re-allocated for the first IPv6 address, and within the continuation lifetime of the first IPv6 address the first terminal continues to perform the first service with the second terminal by using only the first IPv6 address, thereby implementing service continuity before and after the IPv6 hopping.
  • the first IPv6 address is a 128-bit address, and the address reservation is successful.
  • the specific process includes:
  • Step 60 The first terminal applies to the BNG device BNG1 for an IPv6 prefix through the neighbor discovery (ND) protocol, and BNG1 sends one or more IPv6 prefixes to the first terminal by using the ND protocol, including the prefix Prefix1 and its original lifetime T0.
  • Step 61 Before the end of the IPv6 prefix Prefix1 lifetime T0, the first terminal sends an address reservation request to the BNG1 to apply for retaining the first IPv6 address.
  • the TCP/UDP connection between the first terminal and the second terminal is using a 128-bit address under Prefix1, that is, the first IPv6 address;
  • the address reservation request is carried by a DHCPv6 protocol message
  • Step 62 After receiving the address reservation request, the BNG1 decides to agree to the address reservation request according to at least one of the policies configured on the port, the logical interface and the user domain to which the first terminal belongs, and the authorization information of the first terminal;
  • Step 63 The BNG1 sends an address reservation response message to the first terminal, where the response type is agreement to the address reservation request.
  • the address reservation response message carries a continuation lifetime T1 of the first IPv6 address;
  • Step 64 After receiving the address reservation response message described in step 63, the first terminal does not establish a new TCP/UDP connection with the first IPv6 address.
  • the first terminal sends an address release notification to the gateway after all TCP/UDP connections using the first IPv6 address are terminated;
  • Step 65 The third terminal sends an IPv6 prefix request to BNG1 before T1 ends, and BNG1 assigns Prefix1 to Host3.
  • Until T1 ends or the address release notification sent by the first terminal is received, the BNG1 listens for DAD detection messages sent by the third terminal; if it receives a DAD request that is sent by the third terminal and carries the first IPv6 address, the BNG returns an NS message to Host3 to inform it that the first IPv6 address is in use.
  • the first IPv6 address is a 128-bit address, and the address is successfully retained again.
  • the specific process includes:
  • Steps 70-75 are the same as steps 60-65;
  • Step 76 Before the continuation lifetime T1 of the prefix Prefix1 ends, the TCP/UDP connection between the first terminal and the second terminal is still not terminated, and the first terminal sends an address reservation request to the BNG1 again, requesting to reserve the first IPv6 address;
  • the address reservation request is carried by a DHCPv6 protocol message
  • Step 77 After receiving the address reservation request, the BNG1 decides to agree to the address reservation request according to at least one of the policies configured on the port, the logical interface and the user domain, and the authorization information of the first terminal;
  • Step 78 The BNG1 sends an address reservation response message to the first terminal, where the response type is agreement to the address reservation request.
  • the address reservation response message carries a continuation lifetime T2 of the first IPv6 address
  • Step 79 After receiving the address reservation response message described in step 78, the first terminal still does not establish a new TCP/UDP connection with the first IPv6 address.
  • the first terminal sends an address release notification to the gateway after all TCP/UDP connections using the first IPv6 address are terminated;
  • Until T2 ends or the address release notification sent by the first terminal is received, the BNG1 listens for DAD detection messages sent by the third terminal; if it receives a DAD request that is sent by the third terminal and carries the first IPv6 address, the BNG returns an NS message to the third terminal to inform it that the first IPv6 address is in use.
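The 128-bit reservation flow of steps 41-44, 60-65 and 76-79, modelled as an added example (not code from the patent or its applicant): the gateway's agree/refuse decision, the continuation lifetime, the answer to a duplicate address detection probe for a reserved address, and the terminal's rule of keeping the address for existing connections only. Class, method, port and terminal names, the 300-second lifetime and the 2001:db8:: addresses are assumptions; the patent defines no message format.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Gateway-side model (BNG/router role). All names here are hypothetical."""
    allowed_ports: set                 # port-based local configuration policy
    authorized_users: set              # user authorization policy (e.g. from AAA)
    continuation_lifetime: int = 300   # seconds; assumed value
    in_use: dict = field(default_factory=dict)    # address -> terminal using it
    reserved: dict = field(default_factory=dict)  # address -> (owner, expiry time)

    def handle_reservation_request(self, terminal, port, address, now):
        """Steps 42-43: return (agreed, continuation lifetime in seconds)."""
        addr = ipaddress.IPv6Address(address)
        user = self.in_use.get(addr)
        if user is not None and user != terminal:
            return (False, 0)   # assumption: refuse if another terminal uses it
        # Assumption: both policies are configured and both must pass.
        if port not in self.allowed_ports or terminal not in self.authorized_users:
            return (False, 0)
        self.in_use[addr] = terminal
        self.reserved[addr] = (terminal, now + self.continuation_lifetime)
        return (True, self.continuation_lifetime)

    def handle_dad_probe(self, terminal, address, now):
        """Return True when the gateway answers the DAD probe with an NS message."""
        addr = ipaddress.IPv6Address(address)
        owner, expiry = self.reserved.get(addr, (None, 0))
        if owner is not None and owner != terminal and now < expiry:
            return True         # reserved and still inside its continuation lifetime
        if owner is not None and now >= expiry:
            self._drop(addr)    # lifetime ended without renewal or release
        self.in_use.setdefault(addr, terminal)
        return False

    def handle_release(self, terminal, address):
        """Address release notification: stop defending the address."""
        addr = ipaddress.IPv6Address(address)
        if self.reserved.get(addr, (None, 0))[0] == terminal:
            self._drop(addr)
            return True
        return False

    def _drop(self, addr):
        self.reserved.pop(addr, None)
        self.in_use.pop(addr, None)


@dataclass
class Terminal:
    name: str
    port: str
    connections: dict = field(default_factory=dict)  # connection id -> local address
    retained: set = field(default_factory=set)       # kept for old connections only

    def request_reservation(self, gateway, address, now):
        """Steps 41 and 44: ask to keep the address; on agreement, freeze it."""
        agreed, lifetime = gateway.handle_reservation_request(
            self.name, self.port, address, now)
        if agreed:
            self.retained.add(ipaddress.IPv6Address(address))
        return agreed, lifetime

    def may_use_for_new_connection(self, address):
        """A retained address serves existing sessions only, inbound or outbound."""
        return ipaddress.IPv6Address(address) not in self.retained

    def close_connection(self, conn_id, gateway):
        """Close one connection; release the address once none remain on it."""
        addr = self.connections.pop(conn_id)
        if addr in self.retained and addr not in self.connections.values():
            self.retained.discard(addr)
            return gateway.handle_release(self.name, str(addr))
        return False


def run_scenario():
    """Constructed walk-through: reserve, defend, renew before T1 ends, release."""
    old = "2001:db8:0:1::a1"    # constructed first IPv6 address under Prefix1
    gw = Gateway(allowed_ports={"port-1"}, authorized_users={"host1"})
    h1 = Terminal("host1", "port-1",
                  connections={"tcp-1": ipaddress.IPv6Address(old)})
    gw.in_use[ipaddress.IPv6Address(old)] = "host1"
    out = {}
    out["agreed"] = h1.request_reservation(gw, old, now=0)        # T1 = 300
    out["new_conn_allowed"] = h1.may_use_for_new_connection(old)
    out["dad_defended"] = gw.handle_dad_probe("host3", old, now=100)
    out["renewed"] = h1.request_reservation(gw, old, now=250)     # T2 ends at 550
    out["dad_after_t1"] = gw.handle_dad_probe("host3", old, now=400)
    out["released"] = h1.close_connection("tcp-1", gw)
    out["dad_after_release"] = gw.handle_dad_probe("host3", old, now=410)
    out["unauthorized"] = gw.handle_reservation_request(
        "host9", "port-1", "2001:db8:0:1::b2", now=0)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The model treats an expired reservation as gone the first time a probe arrives after the continuation lifetime, matching the description that the gateway listens only until the lifetime ends or a release notification arrives.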
  • the first IPv6 address is a 64-bit address prefix, and the address reservation succeeds.
  • the specific process includes:
  • Step 90 The first terminal accesses the router device Router through the Point-to-Point Protocol over Ethernet (PPPoE) to complete the user authentication.
  • the first terminal applies to the Router for an IPv6 prefix through the ND protocol, and the Router sends one or more IPv6 prefixes to the first terminal through the ND protocol, including the first IPv6 address and its original lifetime T0, the first IPv6 address being a 64-bit address prefix Prefix1;
  • the Router receives the authorization information sent by the AAA server, where the authorization information includes an attribute that allows the user address to be reserved;
  • Step 91 Before the end of the original lifetime T0, the first terminal sends an address reservation request to the Router to apply for a reserved prefix.
  • the TCP/UDP connection between the first terminal and the fourth terminal/fifth terminal/sixth terminal is respectively using the 128-bit address IP4/IP5/IP6 under Prefix1;
  • the address reservation request is carried by a DHCPv6 protocol message
  • Step 92 After receiving the address reservation request, the Router determines to agree to the address reservation request according to the port and/or the logical interface and/or the policy configured on the user domain and the authorization information of the first terminal.
  • Step 93 The Router sends an address reservation response message to the first terminal, and the response type is an agreed address reservation request.
  • the address retention response message carries a continuation lifetime T1 of Prefix1;
  • Step 94 After receiving the address reservation response message described in step 93, the first terminal does not establish a new TCP/UDP connection by using any IP address under Prefix1.
  • the first terminal sends an address release notification to the Router.
  • the first terminal does not generate any new 128-bit IPv6 address under Prefix1;
  • Step 95 The third terminal sends an IPv6 prefix request to the Router before T1 ends, and the Router requests the Prefix1 to be assigned to the third terminal, and the Router allocates another IPv6 prefix to the third terminal.
  • the Router listens for the DAD detection message sent by the first terminal until T1 ends or it receives the address release notification sent by the first terminal, and if the DAD request of the other terminal is obtained by the first terminal, the BNG returns NS to the third terminal to inform it that the address is unavailable or in use.
  • the embodiment of the present invention further provides an Internet Protocol version 6 (IPv6) address management apparatus, which is used for a first terminal, and the apparatus is as shown in FIG. 10, and includes:
  • a first sending module configured to: when the first service has not ended before the original lifetime of the first IPv6 address expires, send, to the gateway device, an address reservation request message requesting to reserve the first IPv6 address;
  • the first service is a service currently being performed by the first terminal and the second terminal, and the first IPv6 address is the IPv6 address that the first terminal uses for the first service;
  • a first receiving module configured to receive an address reservation response message returned by the gateway device, where the address reservation response message carries at least the judgment result of whether the gateway device agrees that the first terminal reserves the first IPv6 address;
  • a processing module configured to: when the judgment result carried in the address reservation response message indicates that the gateway device agrees that the first terminal reserves the first IPv6 address, and the address reservation response message carries the continuation lifetime of the first IPv6 address, continue to perform the first service with the second terminal by using the first IPv6 address before the continuation lifetime of the first IPv6 address ends.
  • the first IPv6 address may be at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
  • the first sending module may include:
  • a sending submodule configured to send, by the first terminal, an address reservation request message requesting to reserve the first IPv6 address to the gateway device by using a dynamic host configuration protocol supporting IPv6.
  • An embodiment of the present invention further provides an IPv6 address management apparatus for use in a gateway device. As shown in FIG. 11, the apparatus includes:
  • a second receiving module configured to receive an address reservation request message, sent by the first terminal, requesting to reserve the first IPv6 address, where the first terminal and the second terminal are carrying out the first service, the first service has not ended before the original lifetime of the first IPv6 address expires, and the first IPv6 address is the IPv6 address used by the first terminal to carry out the first service;
  • a determining module configured to determine whether to agree to the first terminal reserving the first IPv6 address, and to obtain a determination result;
  • a second sending module configured to: when the determination result indicates agreement to the first terminal reserving the first IPv6 address, send an address reservation response message carrying the determination result and the continuation lifetime of the first IPv6 address to the first terminal, so that the first terminal continues to use the first IPv6 address to carry out the first service with the second terminal before the continuation lifetime of the first IPv6 address expires.
  • When the first IPv6 address is 128 bits, the apparatus may further include:
  • a third receiving module configured to receive an IPv6 duplicate address detection message that is sent by the third terminal and carries the first IPv6 address, where the gateway device has pre-allocated a third IPv6 address to the third terminal and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address;
  • a third sending module configured to send, to the third terminal, a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session by using the first IPv6 address.
  • the determining module may include:
  • the determining sub-module is configured to determine, according to at least one of the local configuration policy and the user authorization policy of the first terminal, whether the first terminal is allowed to reserve the first IPv6 address, and obtain the determination result.
  • the local configuration policy may be at least one of a port-based configuration policy, a logical interface-based configuration policy, and a user-based domain configuration policy.
  • the embodiment of the present invention further provides a terminal, where the terminal includes the IPv6 address management apparatus for the terminal according to any one of the above items.
  • the embodiment of the present invention further provides a gateway device, where the gateway device includes the IPv6 address management device for the gateway device.
  • A schematic diagram of the interaction between the modules of the address management apparatus on the first terminal and the modules of the address management apparatus on the gateway device is shown in FIG. 12.
  • Optionally, all or part of the steps of the above embodiments may also be implemented by using integrated circuits. These steps may be fabricated separately as individual integrated circuit modules, or multiple modules or steps among them may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • The devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • When each device/function module/functional unit in the above embodiments is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the embodiments of the present invention implement user service continuity before and after IPv6 hopping, improve the security and availability of the IPv6 network, and play an active role in speeding up the deployment of the IPv6 network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

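An IPv6 address management method, apparatus, terminal and gateway device, wherein the method comprises: when a first service has not ended before the original lifetime of a first IPv6 address expires, a first terminal sends to a gateway device an address reservation request message requesting to reserve the first IPv6 address; receiving an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address; and when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, before the continuation lifetime of the first IPv6 address expires, the first terminal continues the first service with a second terminal using the first IPv6 address.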

Description

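An IPv6 address management method, apparatus, terminal and gateway device
Technical Field
The present invention relates to, but is not limited to, the field of communications, and in particular to an IPv6 address management method, apparatus, terminal and gateway device.
Background
With the rapid spread of the Internet and the rapid development of data communication technology, the number of Internet Protocol (IP) terminals worldwide has surged. The global pool of public Internet Protocol version 4 (IPv4) addresses is now exhausted, and Network Address Translation (NAT) has many difficulties with performance and application-layer support. Popularizing Internet Protocol version 6 (IPv6), with its longer encoding and larger address space, is therefore an imperative and major issue for operators and users worldwide.
As with IPv4 networks, network security is also an important topic for IPv6 networks. Scanning the hosts present in a network reveals information such as the IP addresses used by active hosts, their open ports and the operating systems they run. This information is necessary for network management, because it is a prerequisite for network intrusion by malicious attackers and an indispensable part of worm propagation. Research on network scanning techniques is therefore of great significance for network security.
As shown in FIG. 1, in the global unicast address structure the first 64 bits are the network prefix, made up of three parts: "001", the global routing prefix and the subnet identifier (ID); routers on the Internet use it to deliver packets to the link where the host resides. The last 64 bits are the interface identifier (ID), which distinguishes the different hosts on the same link. The interface ID is usually generated by the host from its own media access control (MAC) address or other information, and the prefix is assigned to the host by a network device (for example, a broadband gateway). When considering an attacker scanning the network addresses of user hosts, it is assumed that the network prefix of the link has already been obtained from known host addresses, that is, the first 64 bits of the host address are known to the scanner (attacker), and the scan targets the last 64 bits of the address, that is, the interface ID.
To address the above problem, the related technical solution is to upgrade terminals and network devices to support so-called IP address frequency hopping (also called IP address hopping), in which a user host switches its own address at a certain rate so as to evade address scanning as far as possible. There are two methods: switching the last 64 bits (the interface ID) and switching the first 64 bits (the 64-bit IPv6 prefix); when the prefix is switched, the interface ID can be switched at the same time.
IP address hopping can indeed solve the address scanning problem to some extent, but it also brings new problems, such as service continuity before and after a hop: the change of IPv6 address interrupts online services and affects the service experience of the interrupted users.
Summary of the Invention
Embodiments of the present invention provide an IPv6 address management method, apparatus, terminal and gateway device that achieve user service continuity before and after IPv6 hopping and improve the security and availability of IPv6 networks.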
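An Internet Protocol version 6 (IPv6) address management method, for use in a first terminal, the method comprising:
when a first service has not ended before the original lifetime of a first IPv6 address expires, the first terminal sends to a gateway device an address reservation request message requesting to reserve the first IPv6 address; wherein the first service is a service currently in progress between the first terminal and a second terminal, and the first IPv6 address is the IPv6 address used by the first service that the first terminal is carrying out;
receiving an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address;
when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, before the continuation lifetime of the first IPv6 address expires, the first terminal continues the first service with the second terminal using the first IPv6 address.
Optionally, in the above IPv6 address management method, the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
Optionally, in the above IPv6 address management method, the first terminal sending to the gateway device the address reservation request message requesting to reserve the first IPv6 address comprises:
the first terminal sends the address reservation request message requesting to reserve the first IPv6 address to the gateway device via the Dynamic Host Configuration Protocol supporting IPv6.
Optionally, the above method further comprises: if the first service has still not terminated before the continuation lifetime of the first IPv6 address ends, the first terminal continues to send to the gateway device an address reservation request message requesting to reserve the first IPv6 address.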
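An embodiment of the present invention further provides an IPv6 address management method, for use in a gateway device, the method comprising:
receiving an address reservation request message, sent by a first terminal, requesting to reserve a first IPv6 address; wherein the first terminal and a second terminal are carrying out a first service, the first service has not ended before the original lifetime of the first IPv6 address expires, and the first IPv6 address is the IPv6 address used by the first terminal to carry out the first service;
determining whether to agree to the first terminal reserving the first IPv6 address, and obtaining a determination result;
when the determination result indicates agreement to the first terminal reserving the first IPv6 address, sending an address reservation response message carrying the determination result and the continuation lifetime of the first IPv6 address to the first terminal, so that the first terminal continues to use the first IPv6 address to carry out the first service with the second terminal before the continuation lifetime of the first IPv6 address expires.
Optionally, in the above IPv6 address management method, when the first IPv6 address is 128 bits, the method further comprises:
receiving an IPv6 duplicate address detection message, sent by a third terminal, carrying the first IPv6 address, wherein the gateway device has pre-allocated a third IPv6 address to the third terminal, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address;
sending to the third terminal a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session using the first IPv6 address.
Optionally, in the above IPv6 address management method, determining whether to agree to the first terminal reserving the first IPv6 address and obtaining a determination result comprises:
determining, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether to agree to the first terminal reserving the first IPv6 address, and obtaining the determination result.
Optionally, in the above IPv6 address management method, the local configuration policy is at least one of a port-based configuration policy, a logical-interface-based configuration policy and a user-domain-based configuration policy.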
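An embodiment of the present invention further provides an Internet Protocol version 6 (IPv6) address management apparatus, for use in a first terminal, the apparatus comprising:
a first sending module, configured so that: when a first service has not ended before the original lifetime of a first IPv6 address expires, the first terminal sends to a gateway device an address reservation request message requesting to reserve the first IPv6 address; wherein the first service is a service currently in progress between the first terminal and a second terminal, and the first IPv6 address is the IPv6 address used by the first service that the first terminal is carrying out;
a first receiving module, configured to: receive an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address; and
a processing module, configured so that: when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, before the continuation lifetime of the first IPv6 address expires, the first terminal continues the first service with the second terminal using the first IPv6 address.
Optionally, in the above IPv6 address management apparatus, the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
Optionally, in the above IPv6 address management apparatus, the first sending module comprises:
a sending submodule, configured so that: the first terminal sends the address reservation request message requesting to reserve the first IPv6 address to the gateway device via the Dynamic Host Configuration Protocol supporting IPv6.
Optionally, the first sending module is further configured so that:
if the first service has still not terminated before the continuation lifetime of the first IPv6 address ends, the first terminal continues to send to the gateway device an address reservation request message requesting to reserve the first IPv6 address.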
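An embodiment of the present invention further provides an IPv6 address management apparatus, for use in a gateway device, the apparatus comprising:
a second receiving module, configured to: receive an address reservation request message, sent by a first terminal, requesting to reserve a first IPv6 address; wherein the first terminal and a second terminal are carrying out a first service, the first service has not ended before the original lifetime of the first IPv6 address expires, and the first IPv6 address is the IPv6 address used by the first terminal to carry out the first service;
a determining module, configured to: determine whether to agree to the first terminal reserving the first IPv6 address, and obtain a determination result; and
a second sending module, configured to: when the determination result indicates agreement to the first terminal reserving the first IPv6 address, send an address reservation response message carrying the determination result and the continuation lifetime of the first IPv6 address to the first terminal, so that the first terminal continues to use the first IPv6 address to carry out the first service with the second terminal before the continuation lifetime of the first IPv6 address expires.
Optionally, in the above IPv6 address management apparatus, when the first IPv6 address is 128 bits, the apparatus further comprises:
a third receiving module, configured to: receive an IPv6 duplicate address detection message, sent by a third terminal, carrying the first IPv6 address, wherein the gateway device has pre-allocated a third IPv6 address to the third terminal, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address; and
a third sending module, configured to: send to the third terminal a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session using the first IPv6 address.
Optionally, in the above IPv6 address management apparatus, the determining module comprises:
a determining submodule, configured to: determine, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether to agree to the first terminal reserving the first IPv6 address, and obtain the determination result.
Optionally, in the above IPv6 address management apparatus, the local configuration policy is at least one of a port-based configuration policy, a logical-interface-based configuration policy and a user-domain-based configuration policy.
An embodiment of the present invention further provides a terminal, the terminal comprising the IPv6 address management apparatus for a terminal according to any one of the above.
An embodiment of the present invention further provides a gateway device, the gateway device comprising the IPv6 address management apparatus for a gateway device according to any one of the above.
An embodiment of the present invention further provides a computer program comprising program instructions which, when executed by a terminal, enable the terminal to perform the method according to any one of the above.
An embodiment of the present invention further provides a computer readable storage medium carrying the computer program.
An embodiment of the present invention further provides a computer program comprising program instructions which, when executed by a gateway device, enable the terminal to perform the method according to any one of the above.
An embodiment of the present invention further provides a computer readable storage medium carrying the computer program.
In the embodiments of the present invention, IPv6 address reservation is deployed through improvements to the terminal and the network device, thereby achieving user service continuity before and after IPv6 hopping, improving the security and availability of IPv6 networks, and playing an active role in speeding up IPv6 network deployment.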
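Brief Description of the Drawings
FIG. 1 is a schematic diagram of the IPv6 address structure in the related art;
FIG. 2 is a schematic diagram of the network topology of an embodiment of the present invention;
FIG. 3 is a schematic flowchart of the IPv6 address management method provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of the interaction flow between the terminal and the gateway device in the IPv6 address management method provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of the overall topology of one form of IPv6 address management provided by an embodiment of the present invention;
FIG. 6 is an overall flowchart of an IPv6 address management method provided by an embodiment of the present invention;
FIG. 7 is a flowchart of another IPv6 address management method provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of the overall topology of another form of IPv6 address management provided by an embodiment of the present invention;
FIG. 9 is a flowchart of a third IPv6 address management method provided by an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of the IPv6 address management apparatus for the first terminal provided by an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of the IPv6 address management apparatus for the gateway device provided by an embodiment of the present invention;
FIG. 12 is a schematic diagram of the module interaction between the terminal and the gateway device provided by an embodiment of the present invention.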
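Preferred Embodiments of the Invention
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings. Where no conflict arises, the embodiments of the present invention and the features in the embodiments may be combined with one another arbitrarily.
In the embodiments of the present invention, optionally, user service continuity before and after IPv6 hopping can be achieved by deploying IPv6 address update. An embodiment of the present invention provides an Internet Protocol version 6 (IPv6) address management method for use in a first terminal; as shown in FIG. 3, the method comprises:
Step 31: when a first service has not ended before the original lifetime of a first IPv6 address expires, the first terminal sends to a gateway device an address reservation request message requesting to reserve the first IPv6 address; wherein the first service is a service currently in progress between the first terminal and a second terminal, and the first IPv6 address is the IPv6 address used by the first service that the first terminal is carrying out;
Step 32: receiving an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address;
Step 33: when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, before the continuation lifetime of the first IPv6 address expires, the first terminal continues the first service with the second terminal using the first IPv6 address.
In the embodiments of the present invention, the gateway device determines, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether to agree to the first terminal reserving the first IPv6 address, and obtains the first determination result. Optionally, the local configuration policy is at least one of a port-based configuration policy, a logical-interface-based configuration policy and a user-domain-based configuration policy.
The gateway device here includes a Broadband Network Gateway (BNG), a broadband remote access server (BRAS), a service router (SR), a router and a switch.
Optionally, the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix. After receiving an address reservation request for a 128-bit IPv6 address, if the first IPv6 address or the IPv6 prefix corresponding to the first IPv6 address has not yet been assigned to another terminal, or the IPv6 prefix corresponding to the first IPv6 address has been assigned to another host but the 128-bit IPv6 address is not yet in use, the gateway device determines whether to agree to the address reservation request according to at least one of the local configuration policy decision and the user authorization policy.
When the gateway device agrees to the first terminal reserving the first IPv6 address, the address reservation response message carries, in addition to the first determination result, the continuation lifetime that the gateway device has allocated for the first IPv6 address.
It should be noted here that, when the first IPv6 address is 128 bits, if the gateway device assigns the IPv6 prefix corresponding to the first IPv6 address to another terminal, for example a third terminal, before or after the address reservation response message is sent, then when the gateway device receives an IPv6 duplicate address detection message carrying the first IPv6 address sent by the third terminal (the gateway device having assigned the third terminal a third IPv6 address whose prefix is the same as that of the first IPv6 address), the gateway device sends the third terminal a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session using the first IPv6 address.
Before the continuation lifetime of the first IPv6 address expires, the first terminal uses the first IPv6 address only to continue the first service with the second terminal; that is, the first terminal no longer establishes new Transmission Control Protocol/User Datagram Protocol (TCP/UDP) connections with the first IPv6 address. New connections that the first terminal itself initiates outward use other IPv6 addresses (an IPv6 host may hold multiple addresses at once), and the first terminal no longer accepts connection establishment requests from the external network whose destination address is the first IPv6 address, thereby preventing network-side scanning attacks.
If the first IPv6 address is a 64-bit IPv6 address prefix, the first terminal no longer generates new 128-bit IPv6 addresses under the first IPv6 prefix.
In this way, even if the IPv6 address of the first terminal hops, for example new connections triggered by the first terminal use a third IPv6 address (if the first IPv6 address is a 64-bit IPv6 address prefix, the prefix of the third IPv6 address differs from the first IPv6 address), the first terminal can still continue the first service with the second terminal using the first IPv6 address, which ensures the continuity of the first service.
Because the first terminal no longer establishes new TCP/UDP connections with the first IPv6 address, the first terminal sends an address release notification to the gateway device once all TCP/UDP connections using the first IPv6 address have terminated.
If the first service has still not terminated before the continuation lifetime of the first IPv6 address ends, the first terminal continues to send to the gateway device an address reservation request message requesting to reserve the first IPv6 address.
Optionally, the first terminal sends the address reservation request message requesting to reserve the first IPv6 address to the gateway device via the Dynamic Host Configuration Protocol supporting IPv6.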
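The above process of the embodiments of the present invention is described in detail below with reference to FIG. 2 and FIG. 4. The flow of an optional IPv6 address management method provided by an embodiment of the present invention is as follows:
Step 41: the first terminal is still carrying out the first service with the second terminal before the lifetime of the first IPv6 address ends, and at this point the first terminal sends an address reservation request to the gateway device;
wherein the first IPv6 address is the IPv6 address that the first terminal is using to carry out the first service; the IPv6 address includes at least one of a 128-bit IPv6 address and a 64-bit IPv6 prefix; and the address reservation request is carried in a DHCPv6 protocol message;
Optionally, the gateway device includes a BNG, a BRAS, an SR, a router and a switch;
Step 42: after receiving the address reservation request, the gateway device determines whether to agree to the address reservation request, and if it agrees, proceeds to step 43;
After receiving the address reservation request, the gateway device determines whether to agree to the address reservation request according to the local configuration policy and/or the user authorization policy; the local configuration policy is based on policies configured on the port and/or the logical interface and/or the user domain;
In addition, after receiving an address reservation request for a 128-bit IPv6 address, if the first IPv6 address or the IPv6 prefix corresponding to the first IPv6 address has not yet been assigned to another terminal, or the IPv6 prefix corresponding to the first IPv6 address has been assigned to another host but the 128-bit IPv6 address is not yet in use, the gateway device determines whether to agree to the address reservation request according to the local configuration policy decision and/or the user authorization policy;
Step 43: the gateway device sends an address reservation response message to the first terminal, the response type being agreement to the address reservation request;
Optionally, the address reservation response message carries the continuation lifetime of the first IPv6 address;
Optionally, if the IPv6 prefix corresponding to the first IPv6 address is assigned by the gateway device to a third terminal before or after the address reservation response message is sent, then when the gateway device receives a duplicate address detection (DAD) message carrying the 128-bit first IPv6 address sent by the third terminal, it sends a neighbor solicitation (NS) message to the third terminal indicating that the first IPv6 address is already in use;
Step 44: after receiving the address reservation response message described in step 43, the first terminal no longer establishes new TCP/UDP connections with the first IPv6 address;
Optionally, the first terminal sends an address release notification to the gateway once all TCP/UDP connections using the first IPv6 address have terminated;
Optionally, if the first IPv6 address is a 64-bit IPv6 prefix, the first terminal no longer generates any new 128-bit IPv6 address under the first IPv6 prefix;
Optionally, if the current first service has still not terminated before the continuation lifetime of the IPv6 address ends, return to step 41.
In the above process of the embodiments of the present invention, IPv6 address reservation is taken into account: when the gateway device agrees to the first terminal reserving the first IPv6 address, it reallocates a continuation lifetime for the first IPv6 address, and before that continuation lifetime expires the first terminal uses the first IPv6 address only to continue the first service with the second terminal, thereby achieving service continuity before and after IPv6 hopping.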
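The exchange in steps 41 to 44, together with the gateway's reply to a DAD probe for a reserved address, can be modelled as follows. This is an added example, not code from the patent; the class, method and field names, the 300-second continuation lifetime and the 2001:db8:: addresses are assumptions, since the page says only that the request is carried in DHCPv6 and defines no message encoding.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model: the page defines no message encoding, so requests and
# responses are plain Python values. Addresses use the 2001:db8::/32 doc range.

@dataclass
class Gateway:
    reserve_ports: set                 # local configuration policy (port-based)
    authorized_users: set              # user authorization policy (e.g. from AAA)
    continuation: float = 300.0        # constructed continuation lifetime, seconds
    reserved: dict = field(default_factory=dict)   # addr -> (owner, expiry)

    def _active(self, addr, now):
        entry = self.reserved.get(addr)
        return entry if entry and entry[1] > now else None

    def handle_reserve_request(self, user, port, addr, now):
        """Steps 42-43: apply policy; on success return the continuation lifetime."""
        addr = ipaddress.IPv6Address(addr)
        entry = self._active(addr, now)
        if entry and entry[0] != user:
            return {"granted": False}              # address held by another terminal
        if port not in self.reserve_ports or user not in self.authorized_users:
            return {"granted": False}              # policy refuses the reservation
        self.reserved[addr] = (user, now + self.continuation)
        return {"granted": True, "continuation_lifetime": self.continuation}

    def handle_dad(self, sender, target, now):
        """Answer a DAD probe for a reserved address; the page calls the reply an NS."""
        entry = self._active(ipaddress.IPv6Address(target), now)
        if entry and entry[0] != sender:
            return "NS: address in use"
        return None                                # no reply, so DAD succeeds

    def handle_release(self, user, addr):
        """Address release notification from the owner ends the reservation early."""
        addr = ipaddress.IPv6Address(addr)
        if addr in self.reserved and self.reserved[addr][0] == user:
            del self.reserved[addr]


@dataclass
class Terminal:
    name: str
    draining: set = field(default_factory=set)     # reserved addresses: no new sessions
    conns: dict = field(default_factory=dict)      # addr -> set of peers

    def on_reserve_response(self, addr, resp):
        if resp["granted"]:
            self.draining.add(addr)                # step 44

    def can_open(self, addr):
        """New inbound or outbound TCP/UDP sessions are refused on a reserved address."""
        return addr not in self.draining

    def close(self, addr, peer, gw):
        """Close one session; release the address once its last session ends."""
        self.conns[addr].discard(peer)
        if addr in self.draining and not self.conns[addr]:
            self.draining.discard(addr)
            gw.handle_release(self.name, addr)
            return True
        return False


def run_scenario():
    gw = Gateway(reserve_ports={"port1"}, authorized_users={"host1"})
    a1 = "2001:db8:0:1::a"                          # constructed first IPv6 address
    h1 = Terminal("host1", conns={a1: {"host2"}})   # first service with host2
    resp = gw.handle_reserve_request("host1", "port1", a1, now=0)
    h1.on_reserve_response(a1, resp)
    events = [resp["granted"], h1.can_open(a1)]
    events.append(gw.handle_dad("host3", a1, now=10))   # host3 shares the prefix
    events.append(h1.close(a1, "host2", gw))            # last session ends
    events.append(gw.handle_dad("host3", a1, now=20))   # reservation released
    return events


if __name__ == "__main__":
    print(run_scenario())
```

A repeated request from the same owner before expiry models the return to step 41: it replaces the stored expiry with a new continuation lifetime.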
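Several embodiments applying the above method provided by the embodiments of the present invention are described below.
<Embodiment 1>
As shown in FIG. 5 and FIG. 6, the first IPv6 address is a 128-bit address and the address reservation succeeds. The specific process includes:
Step 60: the first terminal requests an IPv6 prefix from the BNG device BNG1 via the Neighbor Discovery (ND) protocol, and BNG1 sends the first terminal one or more IPv6 prefixes via the ND protocol, including the prefix Prefix1 and its original lifetime T0;
Step 61: before the lifetime T0 of the IPv6 prefix Prefix1 ends, the first terminal sends an address reservation request to BNG1, requesting to reserve the first IPv6 address;
Optionally, the TCP/UDP connection between the first terminal and the second terminal is using a 128-bit address under Prefix1, namely the first IPv6 address;
Optionally, the address reservation request is carried in a DHCPv6 protocol message;
Step 62: after receiving the address reservation request, BNG1 determines that it agrees to the address reservation request according to at least one of the policies configured on the port to which the first terminal belongs, or on the logical interface and the user domain, and according to the authorization information of the first terminal;
Step 63: BNG1 sends an address reservation response message to the first terminal, the response type being agreement to the address reservation request;
Optionally, the address reservation response message carries the continuation lifetime T1 of the first IPv6 address;
Step 64: after receiving the address reservation response message described in step 63, the first terminal no longer establishes new TCP/UDP connections with the first IPv6 address;
Optionally, the first terminal sends an address release notification to the gateway once all TCP/UDP connections using the first IPv6 address have terminated;
Step 65: before T1 ends, the third terminal sends an IPv6 prefix request to BNG1, and BNG1 assigns Prefix1 to Host3;
Optionally, before T1 ends or the address release notification sent by the first terminal is received, BNG1 listens for DAD detection messages sent by the third terminal; if it receives a DAD request carrying the first IPv6 address from the third terminal, the BNG returns an NS message to Host3 indicating that the first IPv6 address is in use.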
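<Embodiment 2>
As shown in FIG. 5 and FIG. 7, the first IPv6 address is a 128-bit address and the address is reserved successfully a second time. The specific process includes:
Steps 70-75 are the same as steps 60-65;
Step 76: before the continuation lifetime T1 of the prefix Prefix1 ends, the TCP/UDP connection between the first terminal and the second terminal described in step 71 has still not terminated, and the first terminal again sends an address reservation request to BNG1, requesting to reserve the first IPv6 address;
Optionally, the address reservation request is carried in a DHCPv6 protocol message;
Step 77: after receiving the address reservation request, BNG1 determines that it agrees to the address reservation request according to at least one of the policies configured on the port to which the first terminal belongs, the logical interface and the user domain, and according to the authorization information of the first terminal;
Step 78: BNG1 sends an address reservation response message to the first terminal, the response type being agreement to the address reservation request;
Optionally, the address reservation response message carries the continuation lifetime T2 of the first IPv6 address;
Step 79: after receiving the address reservation response message described in step 78, the first terminal still does not establish new TCP/UDP connections with the first IPv6 address;
Optionally, the first terminal sends an address release notification to the gateway once all TCP/UDP connections using the first IPv6 address have terminated;
Optionally, before T2 ends or the address release notification sent by the first terminal is received, BNG1 listens for DAD detection messages sent by the third terminal; if it receives a DAD request carrying the first IPv6 address from the third terminal, the BNG returns an NS to the third terminal indicating that the first IPv6 address is in use.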
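<Embodiment 5>
As shown in FIG. 8 and FIG. 9, the first IPv6 address is a 64-bit address prefix and the address reservation succeeds. The specific process includes:
Step 90: the first terminal accesses the router device Router via Point-to-Point Protocol over Ethernet (PPPoE) and completes user authentication; the first terminal requests an IPv6 prefix from the router device Router via the ND protocol, and the Router sends the first terminal one or more IPv6 prefixes via the ND protocol, including the first IPv6 address and its original lifetime T0, the first IPv6 address being the 64-bit address prefix Prefix1;
Optionally, during user authentication, the Router receives authorization information sent by the AAA server, the authorization information containing an attribute that permits address reservation for the user;
Step 91: before the original lifetime T0 ends, the first terminal sends an address reservation request to the Router, requesting to reserve the prefix;
Optionally, the TCP/UDP connections between the first terminal and the fourth terminal/fifth terminal/sixth terminal are using the 128-bit addresses IP4/IP5/IP6 under Prefix1 respectively;
Optionally, the address reservation request is carried in a DHCPv6 protocol message;
Step 92: after receiving the address reservation request, the Router determines that it agrees to the address reservation request according to the policies configured on the port and/or logical interface and/or user domain to which the first terminal belongs, and according to the authorization information of the first terminal;
Step 93: the Router sends an address reservation response message to the first terminal, the response type being agreement to the address reservation request;
Optionally, the address reservation response message carries the continuation lifetime T1 of Prefix1;
Step 94: after receiving the address reservation response message described in step 93, the first terminal no longer establishes new TCP/UDP connections with any IP address under Prefix1;
Optionally, the first terminal sends an address release notification to the Router once all TCP/UDP connections using Prefix1 have terminated.
Optionally, the first terminal no longer generates any new 128-bit IPv6 address under Prefix1;
Step 95: before T1 ends, the third terminal sends an IPv6 prefix request to the Router, requesting that the Router assign Prefix1 to the third terminal; the Router allocates another IPv6 prefix to the third terminal;
Optionally, before T1 ends or the address release notification sent by the first terminal is received, the Router listens for DAD detection messages sent by the first terminal; if it receives a DAD request from the first terminal for another IP address under Prefix1, the BNG returns an NS to the third terminal indicating that this address is unavailable or in use.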
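An embodiment of the present invention further provides an Internet Protocol version 6 (IPv6) address management apparatus for use in a first terminal; as shown in FIG. 10, the apparatus includes:
a first sending module, configured so that, when a first service has not ended before the original lifetime of a first IPv6 address expires, the first terminal sends to a gateway device an address reservation request message requesting to reserve the first IPv6 address; wherein the first service is a service currently in progress between the first terminal and a second terminal, and the first IPv6 address is the IPv6 address used by the first service that the first terminal is carrying out;
a first receiving module, configured to receive an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address;
a processing module, configured so that, when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, before the continuation lifetime of the first IPv6 address expires, the first terminal continues the first service with the second terminal using the first IPv6 address.
In the above IPv6 address management apparatus, the first IPv6 address may be at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
In the above IPv6 address management apparatus, the first sending module may include:
a sending submodule, configured so that the first terminal sends the address reservation request message requesting to reserve the first IPv6 address to the gateway device via the Dynamic Host Configuration Protocol supporting IPv6.
An embodiment of the present invention further provides an IPv6 address management apparatus for use in a gateway device; as shown in FIG. 11, the apparatus includes:
a second receiving module, configured to receive an address reservation request message, sent by a first terminal, requesting to reserve a first IPv6 address; wherein the first terminal and a second terminal are carrying out a first service, the first service has not ended before the original lifetime of the first IPv6 address expires, and the first IPv6 address is the IPv6 address used by the first terminal to carry out the first service;
a determining module, configured to determine whether to agree to the first terminal reserving the first IPv6 address, and to obtain a determination result;
a second sending module, configured to: when the determination result indicates agreement to the first terminal reserving the first IPv6 address, send an address reservation response message carrying the determination result and the continuation lifetime of the first IPv6 address to the first terminal, so that the first terminal continues to use the first IPv6 address to carry out the first service with the second terminal before the continuation lifetime of the first IPv6 address expires.
In the above IPv6 address management apparatus, when the first IPv6 address is 128 bits, the apparatus may further include:
a third receiving module, configured to receive an IPv6 duplicate address detection message, sent by a third terminal, carrying the first IPv6 address, wherein the gateway device has pre-allocated a third IPv6 address to the third terminal, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address;
a third sending module, configured to send to the third terminal a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session using the first IPv6 address.
In the above IPv6 address management apparatus, the determining module may include:
a determining submodule, configured to determine, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether to agree to the first terminal reserving the first IPv6 address, and to obtain the determination result.
In the above IPv6 address management apparatus, the local configuration policy may be at least one of a port-based configuration policy, a logical-interface-based configuration policy and a user-domain-based configuration policy.
An embodiment of the present invention further provides a terminal, the terminal comprising the IPv6 address management apparatus for a terminal according to any one of the above.
An embodiment of the present invention further provides a gateway device, the gateway device comprising the IPv6 address management apparatus for a gateway device according to any one of the above.
A schematic diagram of the interaction between the modules of the address management apparatus on the first terminal and the modules of the address management apparatus on the gateway device is shown in FIG. 12.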
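A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented as a computer program flow; the computer program may be stored in a computer readable storage medium and executed on a corresponding hardware platform (such as a system, equipment, apparatus or device), and when executed it includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or part of the steps of the above embodiments may also be implemented using integrated circuits; these steps may be fabricated separately as individual integrated circuit modules, or multiple modules or steps among them may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The devices/function modules/functional units in the above embodiments may be implemented by general-purpose computing devices; they may be centralized on a single computing device or distributed over a network of multiple computing devices.
When the devices/function modules/functional units in the above embodiments are implemented in the form of software function modules and sold or used as stand-alone products, they may be stored in a computer readable storage medium. The computer readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
Any variation or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Industrial Applicability
The embodiments of the present invention achieve user service continuity before and after IPv6 hopping, improve the security and availability of IPv6 networks, and play an active role in speeding up IPv6 network deployment.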

Claims (22)

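  1. An Internet Protocol version 6 (IPv6) address management method, for use in a first terminal, the method comprising:
    when a first service has not ended before the original lifetime of a first IPv6 address expires, the first terminal sends to a gateway device an address reservation request message requesting to reserve the first IPv6 address; wherein the first service is a service currently in progress between the first terminal and a second terminal, and the first IPv6 address is the IPv6 address used by the first service that the first terminal is carrying out;
    receiving an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address;
    when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, before the continuation lifetime of the first IPv6 address expires, the first terminal continues the first service with the second terminal using the first IPv6 address.
  2. The IPv6 address management method of claim 1, wherein the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
  3. The IPv6 address management method of claim 1, wherein the first terminal sending to the gateway device the address reservation request message requesting to reserve the first IPv6 address comprises:
    the first terminal sends the address reservation request message to the gateway device via the Dynamic Host Configuration Protocol supporting IPv6.
  4. The IPv6 address management method of claim 1, further comprising:
    if the first service has still not terminated before the continuation lifetime of the first IPv6 address ends, the first terminal continues to send to the gateway device an address reservation request message requesting to reserve the first IPv6 address.
  5. An Internet Protocol version 6 (IPv6) address management method, for use in a gateway device, the method comprising:
    receiving an address reservation request message, sent by a first terminal, requesting to reserve a first IPv6 address; wherein the first terminal and a second terminal are carrying out a first service, the first service has not ended before the original lifetime of the first IPv6 address expires, and the first IPv6 address is the IPv6 address used by the first terminal to carry out the first service;
    determining whether to agree to the first terminal reserving the first IPv6 address, and obtaining a determination result;
    when the determination result indicates agreement to the first terminal reserving the first IPv6 address, sending an address reservation response message carrying the determination result and the continuation lifetime of the first IPv6 address to the first terminal, so that the first terminal continues to use the first IPv6 address to carry out the first service with the second terminal before the continuation lifetime of the first IPv6 address expires.
  6. The IPv6 address management method of claim 5, wherein, when the first IPv6 address is 128 bits, the method further comprises:
    receiving an IPv6 duplicate address detection message, sent by a third terminal, carrying the first IPv6 address, wherein the gateway device has pre-allocated a third IPv6 address to the third terminal, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address;
    sending to the third terminal a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session using the first IPv6 address.
  7. The IPv6 address management method of claim 5, wherein determining whether to agree to the first terminal reserving the first IPv6 address and obtaining a determination result comprises:
    determining, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether to agree to the first terminal reserving the first IPv6 address, and obtaining the determination result.
  8. The IPv6 address management method of claim 7, wherein the local configuration policy is at least one of a port-based configuration policy, a logical-interface-based configuration policy and a user-domain-based configuration policy.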
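  9. An Internet Protocol version 6 (IPv6) address management apparatus, for use in a first terminal, the apparatus comprising:
    a first sending module, configured to: when a first service has not ended before the original lifetime of a first IPv6 address expires, send to a gateway device an address reservation request message requesting to reserve the first IPv6 address; wherein the first service is a service currently in progress between the first terminal and a second terminal, and the first IPv6 address is the IPv6 address used by the first service that the first terminal is carrying out;
    a first receiving module, configured to: receive an address reservation response message returned by the gateway device, the address reservation response message carrying at least a determination result of whether the gateway device agrees to the first terminal reserving the first IPv6 address; and
    a processing module, configured to: when the determination result carried in the address reservation response message indicates that the gateway device agrees to the first terminal reserving the first IPv6 address and the address reservation response message carries a continuation lifetime of the first IPv6 address, continue the first service with the second terminal using the first IPv6 address before the continuation lifetime of the first IPv6 address expires.
  10. The IPv6 address management apparatus of claim 9, wherein the first IPv6 address is at least one of a 128-bit IPv6 address and a 64-bit IPv6 address prefix.
  11. The IPv6 address management apparatus of claim 9, wherein the first sending module comprises:
    a sending submodule, configured to: send the address reservation request message requesting to reserve the first IPv6 address to the gateway device via the Dynamic Host Configuration Protocol supporting IPv6.
  12. The IPv6 address management apparatus of claim 9, wherein the first sending module is further configured so that:
    if the first service has still not terminated before the continuation lifetime of the first IPv6 address ends, the first terminal continues to send to the gateway device an address reservation request message requesting to reserve the first IPv6 address.
  13. An Internet Protocol version 6 (IPv6) address management apparatus, for use in a gateway device, the apparatus comprising:
    a second receiving module, configured to: receive an address reservation request message, sent by a first terminal, requesting to reserve a first IPv6 address; wherein the first terminal and a second terminal are carrying out a first service, the first service has not ended before the original lifetime of the first IPv6 address expires, and the first IPv6 address is the IPv6 address used by the first terminal to carry out the first service;
    a determining module, configured to: determine whether to agree to the first terminal reserving the first IPv6 address, and obtain a determination result; and
    a second sending module, configured to: when the determination result indicates agreement to the first terminal reserving the first IPv6 address, send an address reservation response message carrying the determination result and the continuation lifetime of the first IPv6 address to the first terminal, so that the first terminal continues to use the first IPv6 address to carry out the first service with the second terminal before the continuation lifetime of the first IPv6 address expires.
  14. The IPv6 address management apparatus of claim 13, wherein, when the first IPv6 address is 128 bits, the apparatus further comprises:
    a third receiving module, configured to: receive an IPv6 duplicate address detection message, sent by a third terminal, carrying the first IPv6 address, wherein the gateway device has pre-allocated a third IPv6 address to the third terminal, and the prefix of the third IPv6 address is the same as the prefix of the first IPv6 address; and
    a third sending module, configured to: send to the third terminal a neighbor solicitation message indicating that the first IPv6 address is already in use, so that the third terminal cannot establish a session using the first IPv6 address.
  15. The IPv6 address management apparatus of claim 13, wherein the determining module comprises:
    a determining submodule, configured to: determine, according to at least one of a local configuration policy and a user authorization policy of the first terminal, whether to agree to the first terminal reserving the first IPv6 address, and obtain the determination result.
  16. The IPv6 address management apparatus of claim 15, wherein the local configuration policy is at least one of a port-based configuration policy, a logical-interface-based configuration policy and a user-domain-based configuration policy.
  17. A terminal, the terminal comprising the IPv6 address management apparatus of any one of claims 8-10.
  18. A gateway device, the gateway device comprising the IPv6 address management apparatus of any one of claims 11-14.
  19. A computer program comprising program instructions which, when executed by a terminal, enable the terminal to perform the method of any one of claims 1-4.
  20. A computer readable storage medium carrying the computer program of claim 19.
  21. A computer program comprising program instructions which, when executed by a gateway device, enable the terminal to perform the method of any one of claims 5-8.
  22. A computer readable storage medium carrying the computer program of claim 21.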
PCT/CN2014/092088 2014-09-24 2014-11-24 IPv6 address management method, apparatus, terminal and gateway device WO2015131568A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410495256.4 2014-09-24
CN201410495256.4A CN105516375A (zh) 2014-09-24 2014-09-24 IPv6 address management method, apparatus, terminal and gateway device

Publications (1)

Publication Number Publication Date
WO2015131568A1 true WO2015131568A1 (zh) 2015-09-11

Family

ID=54054449

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092088 WO2015131568A1 (zh) 2014-09-24 2014-11-24 IPv6 address management method, apparatus, terminal and gateway device

Country Status (2)

Country Link
CN (1) CN105516375A (zh)
WO (1) WO2015131568A1 (zh)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
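CN101465811A (zh) * 2009-01-07 2009-06-24 Shanghai University Resource reservation method based on the hierarchical mobile IPv6 protocol
CN101577675A (zh) * 2009-06-02 2009-11-11 Hangzhou H3C Technologies Co., Ltd. Neighbor table protection method and neighbor table protection apparatus in an IPv6 network
CN101945144A (zh) * 2010-09-14 2011-01-12 ZTE Corporation Method and service node for IP address reallocation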
US20110258636A1 (en) * 2010-04-16 2011-10-20 International Business Machines Corporation Addressing a workload partition

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101374098A (zh) * 2007-08-22 2009-02-25 Huawei Technologies Co., Ltd. Method, apparatus and terminal for address resource management

Also Published As

Publication number Publication date
CN105516375A (zh) 2016-04-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14884599

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14884599

Country of ref document: EP

Kind code of ref document: A1