WO2015184853A1 - Authentication method and apparatus for ipv6 stateless auto-configuration - Google Patents


Info

Publication number
WO2015184853A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
access
authentication
entity
user terminal
Application number
PCT/CN2015/072585
Other languages
French (fr)
Chinese (zh)
Inventor
郑坤
岳雪梅
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2015184853A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • the present invention relates to the field of communications, and in particular, to an IPv6 (Sixth Edition of Internet Protocol) authentication method and apparatus for stateless automatic configuration.
  • IPv6: Internet Protocol version 6, the sixth version of the Internet Protocol
  • IPv6 has the characteristics of plug-and-play.
  • a node can join the network and obtain network parameters such as an IPv6 address prefix and a DNS (Domain Name Service) server address.
  • DNS: Domain Name Service
  • the network parameters of nodes on an IPv6 network are configured in one of two ways: stateful automatic configuration through the DHCPv6 (Dynamic Host Configuration Protocol for IPv6) protocol, or stateless automatic configuration through NDP (Neighbor Discovery Protocol).
  • BRAS: Broadband Remote Access Server
  • the BRAS authenticates the user first, and the authentication allows the user to access the broadband network. If the authentication fails, the user is denied access to the broadband network.
  • IPv4 BRAS access is divided into PPPoX (point-to-point protocol over any Layer 2 protocol X) and IPoX (IP access over a Layer 2 protocol X, where X may be Ethernet, asynchronous transfer mode ATM, or another Layer 2 protocol).
  • For PPPoX access, the PPP protocol itself provides the authentication protocol.
  • For IPoX access, the authentication method differs according to the access protocol.
  • IPv4 DHCP (Dynamic Host Configuration Protocol) access provides WEB authentication and DHCP option authentication.
  • IPv6 BRAS access is also divided into PPPoX and IPoX.
  • the authentication of PPPoX access is the authentication protocol provided by the PPP protocol itself.
  • IPoX's DHCPv6 (stateful auto-configuration) mode provides WEB authentication and option authentication (also called boot authentication);
  • IPoX's NDP (stateless auto-configuration) mode provides only WEB authentication.
  • the WEB authentication process is as follows. First, the network parameter allocation protocol (DHCP, DHCPv6 or NDP) allocates network parameters; the IP address among the assigned parameters is restricted, so that only the WEB server used for authentication can be reached and the Internet cannot be accessed. When the user visits a WEB site, the BRAS redirects the accessed web page to the authentication WEB server, and the user submits a username and password to that server. If authentication passes, the restricted IP address assigned to the user becomes unrestricted and the user can access the Internet; if authentication fails, the assigned IP address remains restricted and the user cannot access the Internet.
  • DHCP: a network parameter allocation protocol
  • WEB authentication requires the terminal to reach the WEB server; a terminal such as a TV set-top box, which cannot access the WEB, obviously cannot perform WEB authentication.
  • This application scenario typically uses option authentication for DHCP and DHCPv6 protocols.
  • Option authentication means inserting the user name and password into an option of the protocol packet that requests the network parameters. Before assigning the network address parameters, the username and password in the option are used for authentication: if authentication succeeds, the network parameters are assigned; if it fails, no network parameters are assigned, and the terminal that failed authentication cannot access the broadband network because it has no network parameters.
  • the IPv6 stateless auto-configured NDP access cannot perform the option authentication or the WEB authentication, thereby limiting the IPv6 stateless automatic configuration of the broadband access application scenario.
  • the purpose of the embodiments of the present invention is to provide an IPv6 stateless automatic configuration authentication method and device, which solves the problem that NDP access under IPv6 stateless automatic configuration cannot perform option authentication because NDP has no dedicated option for it.
  • an IPv6 stateless automatic configuration authentication method provided by an embodiment of the present invention is applied to an access entity, where the authentication method includes:
  • RA message carries the access information option and a network parameter with an IPv6 address prefix allocated by the BRAS entity.
  • the access entity is an access device of the user terminal
  • the step of acquiring the router solicitation RS message with the access information option inserted includes:
  • the monitored access information is inserted into the RS message as an access information option.
  • the network parameter further includes: a domain name service DNS address
  • the step of receiving the router advertisement RA message returned by the BRAS entity includes:
  • the step of acquiring the router solicitation RS message with the access information option inserted includes:
  • the pre-configured access information option is inserted directly into the RS message.
  • the method further includes: after obtaining the router solicitation RS message with the access information option inserted,
  • a timeout timer is obtained that times the wait for the router advertisement RA message returned by the broadband remote access server BRAS entity.
  • the method further includes: if the returned RA message is not received within the preset timeout period, restoring the state of the user terminal before applying for authentication.
  • the step of using the neighbor discovery ND protocol to send the RS message to the broadband remote access server BRAS entity includes:
  • the access information option is configured as an ND protocol option, and the ND protocol option is encapsulated into the RS message, and the RS message is sent to the BRAS entity for authentication.
  • the embodiment of the present invention further provides an IPv6 stateless automatic configuration authentication apparatus, which is applied to an access entity, where the authentication apparatus includes:
  • a first obtaining module configured to acquire a router solicitation RS message with an access information option inserted
  • a sending module configured to send the RS message to the broadband remote access server BRAS entity by using a neighbor discovery ND protocol
  • the receiving module is configured to receive a router advertisement RA message returned by the BRAS entity, where the RA message carries the access information option and a network parameter with an IPv6 address prefix allocated by the BRAS entity.
  • the first acquiring module includes:
  • a first obtaining unit configured to acquire, by listening, the forwarded router solicitation RS message of the user terminal
  • a second acquiring unit configured to monitor access information of the user terminal and a port corresponding to the access device
  • the first processing unit is configured to insert the monitored access information into the RS message as an access information option.
  • the network parameter further includes: a domain name service DNS address
  • the receiving module includes:
  • the first neighbor discovery ND unit is configured to receive the RA message returned by the BRAS entity and, when the RA message includes the access information option, delete the access information option;
  • a sending unit configured to send the RA message, with the option deleted, to the user terminal according to the allocated IPv6 address prefix and the DNS address.
  • the first acquiring module includes:
  • a third acquiring unit configured to acquire an RS message of the user terminal
  • a second processing unit is arranged to directly insert the pre-configured access information option into the RS message.
  • the IPv6 stateless automatic configuration authentication device further includes:
  • the second obtaining module is configured to acquire a timeout timer for timing the time of returning the router advertisement RA message.
  • the IPv6 stateless automatic configuration authentication device further includes:
  • the processing module is configured to restore the state of the user terminal before applying for authentication if the returned RA message is not received within the preset timeout period.
  • the sending module includes:
  • the second ND unit is configured to configure the access information option as an ND protocol option, and encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication.
  • an embodiment of the present invention further provides a computer program, including program instructions which, when executed, implement the method described above.
  • an embodiment of the present invention further provides a carrier carrying the computer program.
  • the RA message carrying the network parameter with the IPv6 address prefix returned by the BRAS entity is received, and the authentication and address allocation are completed.
  • the IPv6 stateless automatic configuration authentication of the user terminal is implemented, and the limitation of the stateless automatic configuration in the authentication is solved.
  • FIG. 1 is a schematic diagram of basic steps of an IPv6 stateless automatic configuration authentication method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of inserting access information in an RS message when an access entity is an access device according to an embodiment of the present invention
  • FIG. 3 is a diagram of an interaction process when an access entity is an access device according to an embodiment of the present invention.
  • FIG. 4 is a flow chart of steps of performing authentication by a BRAS entity according to an embodiment of the present invention
  • FIG. 5 is a flowchart of processing of an access entity and a BRAS entity according to an embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of an IPv6 stateless automatic configuration authentication apparatus according to an embodiment of the present invention.
  • FIG. 7 shows the unit composition of an access entity and a BRAS entity according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of an example of a deployment networking according to an embodiment of the present invention.
  • the embodiment of the present invention provides an IPv6 stateless automatic configuration authentication method and device that address the related-art failure of NDP access under IPv6 stateless automatic configuration to support authentication (option authentication). Either the access device inserts the access information option into the RS message and the BRAS entity authenticates it, or the user terminal directly initiates stateless autoconfiguration and sends an RS message with the access information inserted to the BRAS entity for authentication; the address is assigned after authentication passes.
  • the IPv6 stateless automatic configuration authentication of the user terminal is implemented, and the limitation of the stateless automatic configuration in the authentication is solved.
  • An embodiment of the present invention involves two entities (an access entity and a BRAS entity).
  • the access entity may be a user terminal (such as a set top box) or an access device (such as a switch) of the user terminal.
  • the BRAS entity is the broadband access resource management point and the authentication point of the user terminal, and is responsible for assigning network parameters to the user terminal and authenticating it.
  • the IPv6 stateless automatic configuration authentication method in the embodiment of the present invention is applied to an access entity, including:
  • Step 101 Obtain a router solicitation RS message with an access information option inserted.
  • the access information option refers to an access location information option. If the access entity is a switch, it listens for RS messages; the port on which it receives or forwards the RS message is the access location information, and the switch generates an option from that location information, inserts it into the RS message and forwards the message. If the access entity is a set-top box, a number must be entered into the set-top box in advance, and the set-top box inserts that number into the RS message, since each set-top box has a distinct number identifying it. The authentication server compares the inserted information with the information entered earlier; after authentication passes, the address is assigned.
  • Step 102 Send the RS message to the broadband remote access server BRAS entity by using a neighbor discovery ND protocol, where the BRAS entity authenticates the RS message.
  • the stateless automatic configuration is initiated by sending an RS message.
  • Step 103 Receive a router advertisement RA message returned by the BRAS entity, where the RA message carries the access information option and a network parameter with an IPv6 address prefix allocated by the BRAS entity.
  • the ND (Neighbor Discovery) protocol is a key protocol of IPv6, and is an upgrade and improvement of several IPv4 protocols such as ARP (Address Resolution Protocol) and ICMP (Internet Control Message Protocol).
  • the ND protocol includes: prefix discovery, neighbor unreachability detection, duplicate address detection, and address autoconfiguration.
  • the ND protocol packet contains an option field, which can be filled with one or more options. For example, when the address is automatically configured, the DNS server address is delivered through the ND protocol option.
  • the ND protocol defines some standard options. The private options can also be defined as needed to extend the functionality of the ND protocol. It can be seen that the ND protocol has good scalability.
  • the RS message obtained in step 101 is sent to the BRAS entity in step 102, the BRAS entity authenticates the RS message, and in step 103 the BRAS entity returns the RA message after authentication.
  • in this way the extended ND protocol option is used to carry the access information, so IPv6 stateless automatic configuration can implement boot authentication and the limitation of stateless automatic configuration in authentication is solved; this not only provides multiple ways of assigning addresses but is also convenient to configure.
  • when the access entity is the access device of the user terminal, step 101 includes:
  • Step 201 Acquire and listen to the forwarded router request RS message of the user terminal.
  • Step 202 Monitor access information of the user terminal and a port corresponding to the access device.
  • Step 203 Insert the intercepted access information into the RS message as an access information option.
  • the network parameter further includes: a domain name service DNS address, and correspondingly, step 103 includes:
  • Step 21 Receive the RA message returned by the BRAS entity and, when the RA message includes the access information option, delete the access information option;
  • Step 22 Send the deleted RA message to the user terminal according to the allocated IPv6 address prefix and the DNS address.
  • in step 201 the access device listens for and forwards the RS message received on the port connected to the user terminal, and in step 202 the access information is obtained from that corresponding port.
  • the access information option is inserted into the RS message, and the RS message is sent to the BRAS entity for authentication.
  • the RA message returned by the BRAS entity after successful authentication is received, and the access information option is deleted from it.
  • the RA message is forwarded to the user terminal in step 22.
  • the interaction process when the access entity in the embodiment of the present invention is an access device is as follows:
  • Step 301 When the terminal is powered on it sends an RS message to apply for an IPv6 address; the interface ID of the terminal is 221:97ff:fe85:9204.
  • Step 302 The switch switch1 listens to the RS message on port port5. From the switch name and the switch port to which the user terminal is connected it generates the authentication information, which can be "switch1:port5". The authentication information is configured as an ND protocol option and encapsulated into the RS message, and the switch forwards the encapsulated RS message to the BRAS.
  • Step 303 The BRAS receives the RS message and parses the authentication information, which is "switch1:port5".
  • the BRAS encapsulates the authentication information into an authentication message and sends it to the authentication server.
  • Step 304 The authentication server receives the authentication message and parses the authentication information. According to the authentication information "switch1:port5", the authentication server passes the authentication and responds to the BRAS authentication success message.
  • Step 305 The BRAS receives the authentication success message, allocates an IPv6 address prefix, which may be 2001::/64, and encapsulates the prefix and the authentication information option into the RA message and sends the message to the terminal.
  • Step 306 The switch listens to the RA message, deletes the authentication information option from the RA message, and forwards the RA message after deleting the authentication information option.
  • Step 307 The user terminal receives the RA message, parses the prefix 2001::/64, and generates an IPv6 address according to the interface ID of the user terminal, and the generated IPv6 address may be 2001::221:97ff:fe85:9204/64.
  • the user terminal applied for an IPv6 address after boot authentication.
  • the deployment example only exemplifies the application of the address, and the application of other network parameters is similar.
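The exchange of steps 301 to 307, modelled end to end in Python as an added example (not code from the patent or from 中兴通讯股份有限公司). It assumes the ND option layout of RFC 4861 (type, length in 8-octet units), the RFC 4727 experimental ND option type 253 as a stand-in for the private option type the patent does not specify, and a constructed allow-list of operator-provisioned "switch:port" locations; ICMPv6 checksums are left to the IP stack.

```python
import struct
import ipaddress

ND_ROUTER_SOLICITATION = 133
ND_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3   # RFC 4861 Prefix Information option
OPT_ACCESS_INFO = 253        # ASSUMPTION: RFC 4727 experimental ND option type, standing in
                             # for the private option type the patent leaves unspecified
MAX_ACCESS_INFO = 64         # ASSUMPTION: sanity bound on the access-information payload
RS_HEADER_LEN = 8            # type, code, checksum, reserved
RA_HEADER_LEN = 16           # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def encode_options(options):
    """Serialise (type, payload) pairs as ND TLVs. The length field counts 8-octet
    units including the type/length bytes, so each payload is zero-padded."""
    out = bytearray()
    for opt_type, payload in options:
        total = 2 + len(payload)
        padded = (total + 7) // 8 * 8
        out += struct.pack("!BB", opt_type, padded // 8) + payload + b"\x00" * (padded - total)
    return bytes(out)


def decode_options(blob):
    """Parse ND TLVs; a zero length or an option running past the end is malformed."""
    opts, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated option header")
        opt_type, units = struct.unpack_from("!BB", blob, off)
        end = off + units * 8
        if units == 0 or end > len(blob):
            raise ValueError("bad option length")
        opts.append((opt_type, blob[off + 2:end]))
        off = end
    return opts


def build_rs(options=()):
    """Router Solicitation body; the checksum is left 0 for the IPv6 stack to fill in."""
    return struct.pack("!BBHI", ND_ROUTER_SOLICITATION, 0, 0, 0) + encode_options(options)


def switch_forward_rs(rs, switch_name, port):
    """Access device, step 302: drop any access-info option the terminal itself supplied,
    then insert the switch's own "switch:port" option so the BRAS sees the real location."""
    opts = [o for o in decode_options(rs[RS_HEADER_LEN:]) if o[0] != OPT_ACCESS_INFO]
    opts.append((OPT_ACCESS_INFO, f"{switch_name}:{port}".encode()))
    return rs[:RS_HEADER_LEN] + encode_options(opts)


def bras_handle_rs(rs, allowed_locations, prefix, valid=2592000, preferred=604800):
    """BRAS, steps 303-305: parse the option, authenticate against the provisioned
    locations and, only on success, build the RA carrying the prefix and the echoed option."""
    if rs[0] != ND_ROUTER_SOLICITATION:
        return None
    access = [p for t, p in decode_options(rs[RS_HEADER_LEN:]) if t == OPT_ACCESS_INFO]
    if len(access) != 1:
        return None                      # missing or duplicated option: refuse, don't guess
    info = access[0].rstrip(b"\x00")
    if len(info) > MAX_ACCESS_INFO or not info.isascii() or info.decode() not in allowed_locations:
        return None                      # authentication failed: no prefix is handed out
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information payload: prefix length, flags (L|A), valid, preferred, reserved, prefix
    pio = struct.pack("!BBIII16s", net.prefixlen, 0xC0, valid, preferred, 0,
                      net.network_address.packed)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + encode_options([(OPT_PREFIX_INFORMATION, pio), (OPT_ACCESS_INFO, info)])


def switch_forward_ra(ra):
    """Access device, step 306: strip the access-info option before the RA reaches the terminal."""
    opts = [o for o in decode_options(ra[RA_HEADER_LEN:]) if o[0] != OPT_ACCESS_INFO]
    return ra[:RA_HEADER_LEN] + encode_options(opts)


def terminal_configure(ra, interface_id):
    """Terminal, step 307: combine the advertised prefix with its own interface ID."""
    for opt_type, p in decode_options(ra[RA_HEADER_LEN:]):
        if opt_type == OPT_PREFIX_INFORMATION and p[1] & 0x40:   # A flag: autonomous config
            prefix = ipaddress.IPv6Address(bytes(p[14:30]))
            return f"{ipaddress.IPv6Address(int(prefix) | interface_id)}/{p[0]}"
    return None


def run_example():
    """Constructed walk-through with the page's sample values (switch1:port5, 2001::/64)."""
    provisioned = {"switch1:port5"}                      # entered by the operator (step 304)
    rs = switch_forward_rs(build_rs(), "switch1", "port5")
    ra = bras_handle_rs(rs, provisioned, "2001::/64")
    if ra is None:
        return None
    return terminal_configure(switch_forward_ra(ra), 0x022197FFFE859204)


if __name__ == "__main__":
    print(run_example())   # 2001::221:97ff:fe85:9204/64
```

A terminal that forges its own access-info option gains nothing in this model: the switch replaces it with the port it actually arrived on, and a location the operator never provisioned yields no RA at all.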
  • when the access entity is the user terminal, step 101 includes:
  • Step 31 Obtain an RS message of the user terminal.
  • step 32 the pre-configured access information option is directly inserted into the RS message.
  • Pre-configuring access information refers to access location information.
  • the user terminal may be a user terminal connected to the access device, an independent user terminal, or a user terminal connected to a device without an access function. The RS message with the access information option inserted may be sent by an independent user terminal, by a user terminal connected to the access device, or by the access device connected to the user terminal; which of these is used is configured in advance by the user.
  • after step 101, the method further includes:
  • Step 41 Obtain a timeout timer for timing the time when the returned router advertises the RA message.
  • the timing of returning the RA message is determined by the timeout timer to determine whether the application request is responsive, which improves the accuracy of the authentication.
  • when performing step 103, the method further includes:
  • Step 51 If the returned RA message is not received within the preset timeout period, the state of the user terminal before applying for authentication is restored.
  • the message is considered invalid and discarded.
  • the preset time may be obtained according to multiple experiments, or the user may set according to requirements, and any length of time for ensuring data validity belongs to the protection scope of the present invention.
  • step 102 includes:
  • Step 61 Construct the access information option as an ND protocol option, and encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication.
  • the access information is inserted into the extended ND protocol option, and the RS message is sent to the BRAS entity for authentication, which implements IPv6 stateless automatic configuration boot authentication and solves the limitation of stateless automatic configuration in authentication; this not only provides a variety of ways to assign addresses but is also convenient to configure.
  • the step of performing authentication by the BRAS entity includes:
  • Step 401 Receive the RS message, and parse out the access information option.
  • the access information may be the device name of the switch plus the interface name. If the user opens the access service, the operator enters the name and the access port of the switch accessed by the user terminal on the authentication server. When the authentication information received by the authentication server is entered on the authentication server, the authentication is passed. If the authentication information received by the authentication server is not entered, the authentication fails.
  • Step 402 Authenticate the access entity according to the access information option, and obtain the authentication result;
  • Step 403 When the authentication result is the authentication pass, allocate and encapsulate the network parameter and the access information option into the RA message, and send the RA message to the access entity.
  • for user terminal authentication, if the authentication information is stored locally, the BRAS entity can authenticate locally.
  • the authentication information can also be sent to a dedicated authentication server, such as a RADIUS (Remote Authentication Dial In User Service, a remote user dial-up authentication system) server, for authentication.
  • RADIUS: Remote Authentication Dial In User Service
  • the process of sending an authentication by the access entity to the BRAS entity in the embodiment of the present invention and passing the BRAS entity authentication is as follows.
  • Step 501 When the access entity acts as the terminal, it sends the RS message to initiate stateless automatic configuration and obtain the network parameters, inserts the access information option into the RS, and starts the network parameter timeout timer; when the access entity acts as the access device, it listens to the forwarded RS message and inserts the access information option.
  • Step 502 The BRAS entity receives the RS message, parses out the access information option, and performs authentication according to the access information option.
  • Step 503 The BRAS entity authenticates the user through the access information option, allocates an IPv6 address prefix and other network parameters, encapsulates the information into the RA message, and sends the RA message to the user.
  • the access entity listens for the RA message.
  • if the access entity acts as the terminal, it parses the IPv6 address prefix and other network parameters, applies the network parameters, and cancels the network parameter timeout timer.
  • if the access entity acts as the access device, it deletes the access information option from the RA message and forwards the processed RA message.
  • the embodiment of the present invention provides an IPv6 stateless automatic configuration authentication apparatus, which is applied to an access entity, and includes:
  • the first obtaining module 601 is configured to obtain a router solicitation RS message with the access information option inserted;
  • the sending module 602 is configured to send the RS message to the broadband remote access server BRAS entity by using a neighbor discovery ND protocol;
  • the receiving module 603 is configured to receive a router advertisement RA message returned by the BRAS entity, where the RA message carries the access information option and a network parameter with an IPv6 address prefix allocated by the BRAS entity.
  • IPv6 stateless auto-configuration can thus implement boot authentication and solve the limitation of stateless auto-configuration in authentication; it not only provides multiple ways to allocate addresses but is also convenient to configure and use.
  • when the access entity is an access device of the user terminal, the first acquiring module 601 includes:
  • a first obtaining unit configured to acquire, by listening, the forwarded router solicitation RS message of the user terminal
  • a second acquiring unit configured to monitor access information of the user terminal and a port corresponding to the access device
  • the first processing unit is configured to insert the monitored access information into the RS message as an access information option.
  • the network parameter further includes: a domain name service DNS address
  • the receiving module 603 includes:
  • the first neighbor discovery ND unit is configured to receive the RA message returned by the BRAS entity and, when the RA message includes the access information option, delete the access information option;
  • the sending unit is configured to send the deleted RA message to the user terminal according to the allocated IPv6 address prefix and the DNS address.
  • the first acquiring module when the access entity is a user terminal, includes:
  • a third acquiring unit configured to acquire an RS message of the user terminal
  • a second processing unit configured to directly insert the pre-configured access information option into the RS message.
  • the IPv6 stateless automatic configuration authentication apparatus of the embodiment of the present invention further includes:
  • the second obtaining module is configured to acquire a timeout timer for timing the time of returning the router advertisement RA message.
  • the IPv6 stateless automatic configuration authentication apparatus of still another embodiment of the present invention further includes:
  • the processing module is configured to restore the state of the user terminal before applying for authentication if the returned RA message is not received within the preset timeout period.
  • the sending module 602 includes:
  • the second ND unit is configured to configure the access information option as an ND protocol option, and encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication.
  • the first ND unit and the second ND unit in the embodiment of the present invention may be ND units of the same access entity. The access entity 701 includes an authentication information management unit and an ND unit, and the BRAS entity 702 includes an authentication unit and the ND unit of the BRAS entity.
  • the authentication information management unit is configured to manage the authentication information of the access entity 701. The authentication information may be configured in the following ways, including but not limited to: manually configuring the authentication information and saving it to storage; or generating the authentication information from uniqueness information of the entity, such as its MAC (Media Access Control) address.
  • MAC: Media Access Control
  • the authentication unit of the BRAS is configured to authenticate the user terminal. If the authentication information is stored locally, the authentication unit may authenticate locally; the authentication information may also be sent to a dedicated authentication server, such as a RADIUS (Remote Authentication Dial In User Service, a remote user dial-up authentication system) server, for authentication.
  • the interaction process between the access entity and the BRAS entity when the authentication is passed in the embodiment of the present invention is as follows.
  • Step 801 If the access entity 701 is an access device of the user terminal, the ND unit of the access entity listens to the forwarded RS message; if the access entity 701 is the user terminal, the ND unit of the access entity initiates stateless automatic configuration to obtain the network parameters and starts the network parameter timeout timer.
  • Step 802 The ND unit of the access entity requests the authentication information from the authentication information management unit.
  • Step 803 The authentication information management unit returns the authentication information of the access entity 701 to the ND unit of the access entity.
  • Step 804 The ND unit of the access entity encapsulates the authentication information as an ND protocol option in an RS message, and sends the RS message to the BRAS entity 702.
  • the authentication information management unit manages the access information of the access entity, and the authentication information may be configured in the following manner, including but not limited to: manually configuring the authentication information and saving the storage information; and authenticating the uniqueness information of the entity (such as MAC) to generate authentication information.
  • the authentication information may be configured in the following manner, including but not limited to: manually configuring the authentication information and saving the storage information; and authenticating the uniqueness information of the entity (such as MAC) to generate authentication information.
  • The ND protocol is readily extensible through its option field, and the authentication information option is implemented by extending the options of the ND protocol message.
  • Step 805: The ND unit of the BRAS entity receives the RS message, parses out the authentication information, and passes it to the authentication unit.
  • Step 806: The authentication unit of the BRAS entity 702 authenticates the user terminal and notifies the ND unit of the BRAS entity of the result.
  • Step 807: After the user terminal passes authentication, the ND unit of the BRAS entity obtains the network parameters, encapsulates them into an RA message (the response to the RS message), and sends it back to the user terminal.
  • The user terminal refers to a user terminal behind an access device, a stand-alone user terminal, or a user terminal connected through a device without an access function.
  • Step 808: The ND unit of the access entity receives the RA message. If the access entity 701 is an access device of the user terminal, it checks whether the RA message contains an authentication information option and, if so, deletes that option. If the access entity 701 is a user terminal, it parses the RA message, applies the network parameters it carries, and cancels the network parameter timeout timer.
  • The interaction process between the access entity and the BRAS entity when authentication fails, in the embodiment of the present invention, is as follows.
  • Step 901: If the access entity 701 is an access device of the user terminal, the ND unit of the access entity listens for the forwarded RS message; if the access entity 701 is the user terminal, the ND unit of the access entity initiates stateless automatic configuration to acquire network parameters and starts the network parameter timeout timer.
  • Step 902: The ND unit of the access entity requests the authentication information from the authentication information management unit.
  • Step 903: The authentication information management unit returns the authentication information of the access entity 701 to the ND unit of the access entity.
  • Step 904: The ND unit of the access entity encapsulates the authentication information as an ND protocol option in an RS message and sends the RS message to the BRAS entity 702.
  • Step 905: The ND unit of the BRAS entity receives the RS message, parses out the authentication information, and passes it to the authentication unit.
  • Step 906: The authentication unit of the BRAS entity 702 fails to authenticate the user terminal and notifies the ND unit of the BRAS entity.
  • The ND unit of the BRAS entity stays silent and does not send an RA response.
  • Step 907: If the access entity 701 is an access device of the user terminal, the ND unit of the access entity performs no processing. If the access entity 701 is a user terminal, then when the network parameter timer expires, the application for the IPv6 address prefix and the other network parameters fails, and the user terminal is restored to its pre-application state.
  • The terminal is connected to a switch of the operator's access network, and the terminal configures an IPv6 address prefix by using the ND protocol.
  • The switch performs the insertion and deletion of the authentication information option on behalf of the access entity 701.
  • The BRAS in the carrier network allocates an IPv6 address prefix to the terminal through the ND protocol, and authenticates against the operator's authentication server using the authentication information option before the address is assigned.
  • The apparatus provided by the embodiment of the present invention is a device that applies the foregoing IPv6 stateless automatic configuration authentication method; all embodiments of that method are applicable to the device, and both achieve the same or similar benefits.
  • IPv6 stateless automatic configuration authentication of the user terminal is thereby implemented, and the limitation of stateless automatic configuration with respect to authentication is solved.
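The terminal-side timer behaviour of steps 801/808 and 901/907 above, as an added example in Python that is not the patent's code. It models the "network parameter timeout timer" as a small state machine with time passed in as a number; the four-second timeout is an assumed value, since the page does not state how long the timer runs.

```python
# Added example, not from the patent: the user-terminal side of steps 801/808 and
# 901/907.  The terminal sends an RS, arms the network parameter timeout timer, and
# either applies the RA that arrives in time or, when the BRAS stays silent, falls
# back to its pre-application state.  Time is passed in as a number so the example
# runs without sleeping.
from dataclasses import dataclass, field
from typing import List, Optional

TIMEOUT_SECONDS = 4.0   # assumed value; the page does not state the timer length


@dataclass
class NetworkParams:
    """Parameters carried by the RA: IPv6 prefix plus optional DNS addresses."""
    prefix: str
    dns: List[str] = field(default_factory=list)


@dataclass
class TerminalAutoconf:
    """Terminal state: 'idle' (pre-application), 'waiting' (RS sent, timer armed), 'configured'."""
    state: str = "idle"
    deadline: Optional[float] = None     # absolute time at which the timer fires
    params: Optional[NetworkParams] = None
    failures: int = 0                    # applications that timed out

    def send_rs(self, now: float) -> None:
        """Step 801/901: initiate stateless autoconfiguration and start the timer."""
        if self.state != "idle":
            raise RuntimeError(f"cannot send RS in state {self.state!r}")
        self.state = "waiting"
        self.deadline = now + TIMEOUT_SECONDS

    def tick(self, now: float) -> bool:
        """Step 907: if the timer has expired with no RA, the application fails and the
        terminal returns to the pre-application state.  Returns True when that happens."""
        if self.state == "waiting" and now >= self.deadline:
            self.state, self.deadline, self.params = "idle", None, None
            self.failures += 1
            return True
        return False

    def on_ra(self, params: NetworkParams, now: float) -> bool:
        """Step 808: apply the RA and cancel the timer.  Returns False when the RA is
        ignored because the timer already expired or no application is in progress."""
        if self.tick(now) or self.state != "waiting":
            return False
        self.params, self.deadline, self.state = params, None, "configured"
        return True
```

The check in `on_ra` runs `tick` first, so an RA that arrives after the deadline is treated exactly like a silent BRAS: the terminal has already returned to the pre-application state and the late message is not applied.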

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An authentication method and apparatus for IPv6 stateless auto-configuration, which relates to the field of communications and solves the problem that ND protocol access with IPv6 stateless auto-configuration cannot perform power-on authentication because no dedicated option exists. The authentication method for IPv6 stateless auto-configuration is applied in an access entity and comprises: obtaining a router solicitation (RS) message into which an access information option has been inserted; sending the RS message to a broadband remote access server (BRAS) entity by means of the neighbor discovery (ND) protocol, the BRAS entity authenticating the RS message; and receiving a router advertisement (RA) message returned by the BRAS entity, the RA message carrying the access information option and a network parameter, allocated by the BRAS entity, that includes an IPv6 address prefix. In this manner, IPv6 stateless auto-configuration authentication of a user terminal is implemented, and the limitations of stateless auto-configuration with respect to authentication are solved.

Description

IPv6 stateless automatic configuration authentication method and device
Technical field
The present invention relates to the field of communications, and in particular to an authentication method and apparatus for IPv6 (Internet Protocol version 6) stateless automatic configuration.
Background
With the emergence of problems such as the exhaustion of IPv4 (Internet Protocol Version 4, the fourth version of the Internet Protocol) address resources, IPv6 (Internet Protocol Version 6, the sixth version of the Internet Protocol) will gradually replace IPv4. IPv6 is plug-and-play: without any manual intervention, a node that joins the network can obtain network parameters such as an IPv6 address prefix and DNS (Domain Name Service) addresses. The network parameters of a node on an IPv6 network can be configured in two ways: stateful automatic configuration through DHCPv6 (Dynamic Host Configuration Protocol for IPv6), or stateless automatic configuration through NDP (Neighbor Discovery Protocol).
BRAS (Broadband Remote Access Server) is an access gateway for broadband network applications. It is the bridge between the broadband access network and the backbone network, providing the basic access means and the management functions of the broadband access network. It sits at the edge of the network, provides broadband access services, aggregates and forwards multiple services, and can meet the transmission capacity and bandwidth utilization requirements of different users; it is therefore the core device for broadband user access. The BRAS first authenticates each accessing user: if authentication passes, the user is allowed onto the broadband network; if it fails, the user is denied access to the broadband network.
Different BRAS access methods use different authentication methods. IPv4 BRAS access is divided into PPPoX (point-to-point over an arbitrary Layer 2 protocol) and IPoX (IP access over a Layer 2 protocol, where the Layer 2 protocol X may be Ethernet, ATM (Asynchronous Transfer Mode), or another Layer 2 protocol). For PPPoX access, the PPP protocol itself provides an authentication protocol; for IPoX access, the authentication method depends on the access protocol, and IPv4 DHCP (Dynamic Host Configuration Protocol) access provides web authentication and DHCP option authentication.
IPv6 BRAS access is likewise divided into PPPoX and IPoX. Authentication for PPPoX access is the authentication protocol provided by PPP itself. IPoX access by DHCPv6 (stateful automatic configuration) can provide web authentication and option authentication (also called power-on authentication); IPoX access by NDP (stateless automatic configuration) provides web authentication.
Web authentication process: first, network parameters are assigned by a network parameter allocation protocol (DHCP, DHCPv6, or NDP); the IP address among the assigned parameters is restricted, so it can reach only the web server used for authentication and cannot reach the Internet. When the user visits a website, the BRAS redirects the request to the authentication web server; the user logs in with a username and password and is authenticated by that server. If authentication passes, the user's restricted IP address becomes unrestricted and the user can then access the Internet; if authentication fails, the restricted IP address remains restricted and the user cannot access the Internet.
A personal computer terminal can be authenticated by the web method, but a terminal that has no way to perform web access, such as a television set-top box, obviously cannot perform web authentication. In this scenario, option authentication is usually used with the DHCP and DHCPv6 protocols. Option authentication means inserting an option carrying the username and password into the protocol message that requests network parameters; before network address parameters are assigned, the username and password in the option are used to authenticate. If authentication succeeds, network parameters are assigned; if it fails, they are not, and a terminal that fails authentication cannot access the broadband network because it has been assigned no network parameters.
For terminals such as television set-top boxes, NDP access via IPv6 stateless automatic configuration can perform neither option authentication nor web authentication, which limits the broadband access scenarios in which IPv6 stateless automatic configuration can be used.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an authentication method and apparatus for IPv6 stateless automatic configuration, solving the problem that NDP access with IPv6 stateless automatic configuration cannot perform option authentication because no dedicated option exists.
To solve the above technical problem, an embodiment of the present invention provides an IPv6 stateless automatic configuration authentication method, applied in an access entity, the authentication method including:
obtaining a router solicitation (RS) message into which an access information option has been inserted;
sending the RS message to a broadband remote access server (BRAS) entity by means of the neighbor discovery (ND) protocol;
receiving a router advertisement (RA) message returned by the BRAS entity, the RA message carrying the access information option and a network parameter, allocated by the BRAS entity, that includes an IPv6 address prefix.
Optionally, the access entity is an access device of the user terminal, and the step of obtaining the RS message into which an access information option has been inserted includes:
obtaining and listening to the forwarded RS message of the user terminal;
listening to the access information of the port of the access device to which the user terminal is connected;
inserting the monitored access information into the RS message as an access information option.
Optionally, the network parameter further includes a domain name service (DNS) address, and the step of receiving the RA message returned by the BRAS entity includes:
receiving the RA message returned by the BRAS entity and, on determining that the RA message contains the access information option, deleting the access information option;
sending the RA message, with the option deleted, to the user terminal according to the allocated IPv6 address prefix and the DNS address.
Optionally, when the access entity is a user terminal, the step of obtaining the RS message into which an access information option has been inserted includes:
obtaining the RS message of the user terminal;
inserting a pre-constructed access information option directly into the RS message.
Optionally, the method further includes, after obtaining the RS message into which an access information option has been inserted:
obtaining a timeout timer that times the return of the RA message from the BRAS entity.
Optionally, the method further includes: if the returned RA message is not received within the preset time of the timeout timer, restoring the state the user terminal had before applying for authentication.
Optionally, the step of sending the RS message to the BRAS entity by means of the ND protocol includes:
constructing the access information option as an ND protocol option, encapsulating the ND protocol option into the RS message, and sending the RS message to the BRAS entity for authentication.
To solve the above technical problem, an embodiment of the present invention further provides an IPv6 stateless automatic configuration authentication apparatus, applied in an access entity, the authentication apparatus including:
a first obtaining module, configured to obtain an RS message into which an access information option has been inserted;
a sending module, configured to send the RS message to a BRAS entity by means of the ND protocol;
a receiving module, configured to receive an RA message returned by the BRAS entity, the RA message carrying the access information option and a network parameter, allocated by the BRAS entity, that includes an IPv6 address prefix.
Optionally, when the access entity is an access device of the user terminal, the first obtaining module includes:
a first obtaining unit, configured to obtain and listen to the forwarded RS message of the user terminal;
a second obtaining unit, configured to listen to the access information of the port of the access device to which the user terminal is connected;
a first processing unit, configured to insert the monitored access information into the RS message as an access information option.
Optionally, the network parameter further includes a DNS address, and the receiving module includes:
a first ND unit, configured to receive the RA message returned by the BRAS entity and, on determining that the RA message contains the access information option, delete the access information option;
a sending unit, configured to send the RA message, with the option deleted, to the user terminal according to the allocated IPv6 address prefix and the DNS address.
Optionally, when the access entity is a user terminal, the first obtaining module includes:
a third obtaining unit, configured to obtain the RS message of the user terminal;
a second processing unit, configured to insert a pre-constructed access information option directly into the RS message.
The IPv6 stateless automatic configuration authentication apparatus further includes:
a second obtaining module, configured to obtain a timeout timer that times the return of the RA message.
The IPv6 stateless automatic configuration authentication apparatus further includes:
a processing module, configured to restore the state the user terminal had before applying for authentication if the returned RA message is not received within the preset time of the timeout timer.
Optionally, the sending module includes:
a second ND unit, configured to construct the access information option as an ND protocol option, encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication.
To solve the above technical problem, an embodiment of the present invention further provides a computer program comprising program instructions which, when executed, implement the above method.
To solve the above technical problem, an embodiment of the present invention further provides a carrier carrying the computer program.
The beneficial effects of the above technical solutions are as follows:
After the obtained RS message carrying the inserted access information option is sent to the BRAS entity for authentication, the RA message returned by the BRAS entity, carrying the network parameter that includes an IPv6 address prefix, is received, completing authentication and address allocation. This implements IPv6 stateless automatic configuration authentication of the user terminal and resolves the limitation of stateless automatic configuration with respect to authentication.
Brief description of the drawings
FIG. 1 is a schematic diagram of the basic steps of the IPv6 stateless automatic configuration authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of inserting access information into an RS message when the access entity is an access device, according to an embodiment of the present invention;
FIG. 3 is a diagram of the interaction process when the access entity is an access device, according to an embodiment of the present invention;
FIG. 4 is a flowchart of the steps by which the BRAS entity performs authentication, according to an embodiment of the present invention;
FIG. 5 is a processing flowchart of the access entity and the BRAS entity according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of the IPv6 stateless automatic configuration authentication apparatus according to an embodiment of the present invention;
FIG. 7 shows the unit composition of the access entity and the BRAS entity according to an embodiment of the present invention;
FIG. 8 shows the interaction process between the access entity and the BRAS entity when authentication passes, according to an embodiment of the present invention;
FIG. 9 shows the interaction process between the access entity and the BRAS entity when authentication fails, according to an embodiment of the present invention;
FIG. 10 is a diagram of an example deployment network according to an embodiment of the present invention.
Preferred embodiments of the invention
A detailed description is given below with reference to the accompanying drawings and embodiments.
Addressing the problem in the related art that NDP access with IPv6 stateless automatic configuration cannot perform power-on authentication (option authentication), the embodiments of the present invention provide an authentication method and apparatus for IPv6 stateless automatic configuration. Either the access device forwards an RS message into which it has inserted an access information option to the BRAS entity for authentication, or the user terminal directly initiates stateless automatic configuration and sends an RS message already carrying the access information to the BRAS entity for authentication; an address is allocated after authentication passes. This implements IPv6 stateless automatic configuration authentication of the user terminal and resolves the limitation of stateless automatic configuration with respect to authentication.
An embodiment of the present invention involves two entities: an access entity and a BRAS entity. The access entity may be a user terminal (for example a set-top box) or an access device of the user terminal (for example a switch). The BRAS entity is the broadband access resource management point and authentication point for the user terminal, responsible for network parameter allocation and for authenticating the user terminal.
As shown in FIG. 1 to FIG. 5, the IPv6 stateless automatic configuration authentication method of an embodiment of the present invention, applied in an access entity, includes:
Step 101: obtaining an RS message into which an access information option has been inserted.
The access information option refers to the access location information option. If the access entity is a switch, it listens for RS messages; the port on which it receives or forwards the RS message is the access location information, which it forms into an option, inserts into the RS message, and forwards. If the access entity is a set-top box, then because different set-top boxes have different numbers (identifying which box, or which household's box), the number of the set-top box must be entered in the authentication server in advance; when the set-top box applies for an IPv6 address, it inserts its number into the RS message, and the authentication server compares the inserted information against the pre-entered record and, after authentication passes, allocates an address.
Step 102: sending the RS message to the BRAS entity by means of the ND protocol, the BRAS entity authenticating the RS message.
Stateless automatic configuration is initiated by sending the RS message.
Step 103: receiving the RA message returned by the BRAS entity, the RA message carrying the access information option and a network parameter, allocated by the BRAS entity, that includes an IPv6 address prefix.
The ND (Neighbor Discovery) protocol is a key protocol of IPv6; it is an upgrade and refinement, combined in IPv6, of several IPv4 protocols such as ARP (Address Resolution Protocol) and ICMP (Internet Control Message Protocol). The ND protocol covers prefix discovery, neighbor unreachability detection, duplicate address detection, and address autoconfiguration.
An ND protocol message contains an option field that can carry one or more options; for example, during address autoconfiguration the DNS server address is delivered through an ND protocol option. The ND protocol defines a number of standard options, and private options can also be defined as needed to extend its functionality, which shows that the ND protocol is highly extensible.
In step 102 the RS message obtained in step 101 is sent to the BRAS entity, which authenticates it; in step 103 the RA message returned by the BRAS entity after authentication is received. In this way, extended ND protocol options carry the access information, so IPv6 stateless automatic configuration can perform power-on authentication, resolving the limitation of stateless automatic configuration with respect to authentication; this not only offers more ways to allocate addresses but also makes configuration more convenient.
As shown in FIG. 2, when the access entity is an access device of the user terminal, step 101 of the IPv6 stateless automatic configuration authentication method of the embodiment includes:
Step 201: obtaining and listening to the forwarded RS message of the user terminal.
Step 202: listening to the access information of the port of the access device to which the user terminal is connected.
Step 203: inserting the monitored access information into the RS message as an access information option.
In the IPv6 stateless automatic configuration authentication method of a further embodiment of the present invention, the network parameter further includes a DNS address, and correspondingly step 103 includes:
Step 21: receiving the RA message returned by the BRAS entity and, on determining that the RA message contains the access information option, deleting the access information option;
Step 22: sending the RA message, with the option deleted, to the user terminal according to the allocated IPv6 address prefix and the DNS address.
When the access entity is an access device of the user terminal, it listens (step 201) for the forwarded RS message, which is received or forwarded through the port connecting the access device to the user terminal; it listens on that port (step 202) to obtain the access information; it inserts the access information option into the RS message (step 203) and sends the RS message to the BRAS entity for authentication (step 102); it receives the authenticated RA message returned by the BRAS entity and deletes the access information option (step 21); and it forwards the RA message to the user terminal (step 22). By extending the ND protocol options to carry access information, IPv6 stateless automatic configuration can perform power-on authentication, resolving the limitation of stateless automatic configuration with respect to authentication; this not only offers more ways to allocate addresses but also makes configuration more convenient.
As shown in FIG. 3, the interaction process when the access entity of the embodiment of the present invention is an access device is as follows:
Step 301: when the terminal is powered on, it sends an RS message to request an IPv6 address; the interface ID of the terminal is 221:97ff:fe85:9204.
Step 302: switch switch1 listens to the RS message on port port5. The switch generates the authentication information from the switch name and the switch port to which the user terminal is connected, which may be "switch1:port5"; the authentication information is constructed as an ND protocol option and encapsulated into the RS message. The switch forwards the encapsulated RS message to the BRAS.
Step 303: the BRAS receives the RS message and parses out the authentication information, which is "switch1:port5". The BRAS encapsulates the authentication information into an authentication message and sends it to the authentication server.
Step 304: the authentication server receives the authentication message and parses out the authentication information. Based on the authentication information "switch1:port5", the authentication server passes the authentication and replies to the BRAS with an authentication success message.
Step 305: the BRAS receives the authentication success message, allocates an IPv6 address prefix, which may be 2001::/64, encapsulates the prefix and the authentication information option into an RA message, and sends it towards the terminal.
Step 306: the switch listens to the RA message, deletes the authentication information option from the RA message, and forwards the RA message with the authentication information option removed.
Step 307: the user terminal receives the RA message, parses out the prefix 2001::/64, and generates an IPv6 address from its interface ID; the generated IPv6 address may be 2001::221:97ff:fe85:9204/64.
At this point the user terminal has obtained an IPv6 address after power-on authentication. This deployment example only illustrates the request for an address; requests for other network parameters are similar.
When the access entity is a user terminal, in the IPv6 stateless auto-configuration authentication method of the embodiment of the present invention, step 101 includes:
Step 31: obtain the RS message of the user terminal;
Step 32: insert the pre-constructed access information option directly into the RS message.
Pre-constructed access information refers to access location information.
The user terminal may be a user terminal connected to an access device, an independent user terminal, or a user terminal connected to a device without an access function. The RS message with the inserted access information option may be sent by the independent user terminal, by the user terminal connected to the access device, or by the access device to which the user terminal is connected, as pre-selected and configured by the user.
When the access entity is a user terminal, the user terminal has to request authentication, so it correspondingly needs to determine whether the request message has received a response. Therefore, in the IPv6 stateless auto-configuration authentication method of the embodiment of the present invention, the method further includes, after step 101:
Step 41: obtain a timeout timer that times the return of the router advertisement RA message.
Timing the return of the RA message with the timeout timer determines whether the request has received a response, which improves the accuracy of the authentication.
Optionally, in the IPv6 stateless auto-configuration authentication method of yet another embodiment of the present invention, when step 103 is performed the method further includes:
Step 51: if the returned RA message is not received within the preset time of the timeout timer, restore the state the user terminal was in before requesting authentication.
If an RA message is received after the preset time length has elapsed, it is regarded as an invalid message and discarded.
The preset time may be obtained from repeated experiments or set by the user according to requirements; any time length that guarantees the validity of the data falls within the protection scope of the present invention.
Optionally, in the IPv6 stateless auto-configuration authentication method of yet another embodiment of the present invention, step 102 includes:
Step 61: construct the access information option as an ND protocol option, encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication.
Inserting the access information into an extended ND protocol option and sending the RS message to the BRAS entity for authentication makes power-on authentication possible for IPv6 stateless auto-configuration and overcomes the limitation of stateless auto-configuration with respect to authentication described above: it not only provides multiple ways of allocating addresses but also makes configuration and use convenient.
As shown in FIG. 4, optionally, in the IPv6 stateless auto-configuration authentication method of yet another embodiment of the present invention, the step in which the BRAS entity performs authentication includes:
Step 401: receive the RS message and parse out the access information option;
The access information may be the device name of the switch plus the interface name. When a user subscribes to the access service, the operator enters on the authentication server the name of the switch to which the user terminal is connected and the corresponding access port. If the authentication information received by the authentication server has been entered on the authentication server, the authentication passes; if it has not been entered on the authentication server, the authentication fails.
Step 402: authenticate the access entity according to the access information option to obtain an authentication result;
Step 403: when the authentication result is that the authentication passes, allocate the network parameters, encapsulate the network parameters and the access information option into the RA message, and send the RA message to the access entity.
For user terminal authentication, if the authentication information is stored locally, authentication can be performed locally; the authentication information can also be sent to a dedicated authentication server (such as a RADIUS (Remote Authentication Dial In User Service) server) for authentication.
When the authentication result is that the authentication fails, the BRAS entity remains silent and does not process the request.
As shown in FIG. 5, an example of the process in which the access entity of the embodiment of the present invention sends an authentication request to the BRAS entity and the BRAS entity passes the authentication is as follows.
Step 501: when the access entity is a terminal, it sends an RS message to initiate stateless auto-configuration to obtain network parameters, inserts the access information option into the RS message, and starts the network-parameter acquisition timeout timer; when the access entity is an access device, it listens to the forwarded RS message and inserts the access information option.
Step 502: the BRAS entity receives the RS message, parses out the access information option, and performs authentication according to the access information option.
Step 503: when the BRAS entity passes the user's authentication by the access information option, it allocates an IPv6 address prefix and other network parameters, encapsulates them into an RA message, and sends the RA message to the user.
Step 504: the access entity listens to the RA message. If the access entity is a terminal, it parses out the IPv6 address prefix and the other network parameters, applies these network parameters, and cancels the network-parameter acquisition timeout timer; if the access entity is an access device, it deletes the access information option from the RA message and forwards the processed RA message.
Correspondingly, to solve the above technical problem, as shown in FIG. 6, an embodiment of the present invention provides an IPv6 stateless auto-configuration authentication apparatus applied in an access entity, including:
a first obtaining module 601, configured to obtain a router solicitation RS message with an access information option inserted;
a sending module 602, configured to send the RS message to the broadband remote access server BRAS entity using the neighbor discovery ND protocol;
a receiving module 603, configured to receive the router advertisement RA message returned by the BRAS entity, where the RA message carries the access information option and the network parameters, including an IPv6 address prefix, allocated by the BRAS entity.
The sending module 602 sends the RS message obtained by the first obtaining module 601 to the BRAS entity, the BRAS entity authenticates the RS message, and the receiving module 603 then receives the authenticated RA message returned by the BRAS entity. In this way the extended ND protocol option carries the access information, so that IPv6 stateless auto-configuration can perform power-on authentication and the limitation of stateless auto-configuration with respect to authentication is overcome: it not only provides multiple ways of allocating addresses but also makes configuration and use convenient.
In the IPv6 stateless auto-configuration authentication apparatus of yet another embodiment of the present invention, when the access entity is the access device of the user terminal, the first obtaining module 601 includes:
a first obtaining unit, configured to obtain and listen to the forwarded router solicitation RS message of the user terminal;
a second obtaining unit, configured to listen for the access information of the port of the access device corresponding to the user terminal;
a first processing unit, configured to insert the access information that was listened for into the RS message as an access information option.
In the IPv6 stateless auto-configuration authentication apparatus of yet another embodiment of the present invention, the network parameters further include a Domain Name Service (DNS) address, and the receiving module 603 includes:
a first neighbor discovery ND unit, configured to receive the RA message returned by the BRAS entity and, on determining that the RA message contains the access information option, delete the access information option;
a sending unit, configured to send the RA message, with the option deleted, to the user terminal according to the allocated IPv6 address prefix and the DNS address.
In the IPv6 stateless auto-configuration authentication apparatus of yet another embodiment of the present invention, when the access entity is a user terminal, the first obtaining module includes:
a third obtaining unit, configured to obtain the RS message of the user terminal;
a second processing unit, configured to insert the pre-constructed access information option directly into the RS message.
The IPv6 stateless auto-configuration authentication apparatus of yet another embodiment of the present invention further includes:
a second obtaining module, configured to obtain a timeout timer that times the return of the router advertisement RA message.
The IPv6 stateless auto-configuration authentication apparatus of yet another embodiment of the present invention further includes:
a processing module, configured to restore the state the user terminal was in before requesting authentication if the returned RA message is not received within the preset time of the timeout timer.
In the IPv6 stateless auto-configuration authentication apparatus of yet another embodiment of the present invention, the sending module 602 includes:
a second ND unit, configured to construct the access information option as an ND protocol option, encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication. As shown in FIG. 7, the first ND unit and the second ND unit of the embodiment of the present invention may be the same ND unit of one access entity; the access entity 701 includes an authentication information management unit and an ND unit, and the BRAS entity 702 includes an authentication unit and the ND unit of the BRAS entity.
The authentication information management unit is configured to manage the authentication information of the access entity 701. The authentication information may be configured in ways including but not limited to: manually configuring the authentication information and saving it to storage; or generating the authentication information from information unique to the authenticated entity (such as its MAC (Media Access Control) address).
The authentication unit of the BRAS is configured to authenticate the user terminal. If the authentication information is stored locally, the authentication unit can authenticate locally; it can also send the authentication information to a dedicated authentication server (such as a RADIUS (Remote Authentication Dial In User Service) server) for authentication.
As shown in FIG. 8, an example of the interaction between the access entity and the BRAS entity when the authentication passes in the embodiment of the present invention is as follows.
Step 801: if the access entity 701 is the access device of the user terminal, the ND unit of the access entity listens to the forwarded RS message; if the access entity 701 is the user terminal, the ND unit of the access entity initiates stateless auto-configuration to obtain network parameters and starts the network-parameter acquisition timeout timer.
Step 802: the ND unit of the access entity requests authentication from the authentication information management unit.
Step 803: the authentication information management unit notifies the ND unit of the access entity of the authentication information of the access entity 701.
Step 804: the ND unit of the access entity constructs the authentication information as an authentication information option of the ND protocol message, encapsulates it into the RS message, and sends the RS message to the BRAS entity 702.
The authentication information management unit manages the access information of the access entity. The authentication information may be configured in ways including but not limited to: manually configuring the authentication information and saving it to storage; or generating the authentication information from information unique to the authenticated entity (such as its MAC address).
The ND protocol is highly extensible through its option information; the authentication information option is implemented by extending the options of ND protocol messages.
Step 805: the ND unit of the BRAS entity receives the RS message, parses out the authentication information, and notifies the authentication unit of the authentication information.
Step 806: the authentication unit of the BRAS entity 702 passes the authentication of the user terminal and notifies the ND unit of the BRAS entity.
Step 807: after the user terminal passes the authentication, the ND unit of the BRAS entity obtains the network parameters, encapsulates them into the RA message that responds to the RS message, and sends it back to the user terminal.
Here the user terminal refers to the user terminal of an access device, an independent user terminal, or another user terminal connected to a device without an access function.
Step 808: the ND unit of the access entity receives the RA message. If the access entity 701 is the access device of the user terminal, it checks whether the RA message contains the authentication information option and, if so, deletes the authentication information option. If the access entity 701 is the user terminal, it parses the RA message to obtain the network parameters, applies them, and cancels the network-parameter acquisition timeout timer.
As shown in FIG. 9, an example of the interaction between the access entity and the BRAS entity when the authentication fails in the embodiment of the present invention is as follows.
Step 901: if the access entity 701 is the access device of the user terminal, the ND unit of the access entity listens to the forwarded RS message; if the access entity 701 is the user terminal, the ND unit of the access entity initiates stateless auto-configuration to obtain network parameters and starts the network-parameter acquisition timeout timer.
Step 902: the ND unit of the access entity requests authentication from the authentication information management unit.
Step 903: the authentication information management unit notifies the ND unit of the access entity of the authentication information of the access entity 701.
The authentication information management unit manages the access information of the access entity. The authentication information may be configured in ways including but not limited to: manually configuring the authentication information and saving it to storage; or generating the authentication information from information unique to the authenticated entity (such as its MAC address).
Step 904: the ND unit of the access entity constructs the authentication information as an authentication information option of the ND protocol message, encapsulates it into the RS message, and sends the RS message to the BRAS entity 702.
The ND protocol is highly extensible through its option information; the authentication information option is implemented by extending the options of ND protocol messages.
Step 905: the ND unit of the BRAS entity receives the RS message, parses out the authentication information, and notifies the authentication unit of the authentication information.
Step 906: the authentication unit of the BRAS entity 702 fails the authentication of the user terminal and notifies the ND unit of the BRAS entity. The ND unit of the BRAS entity remains silent and does not send an RA message in response.
Step 907: if the access entity 701 is the access device of the user terminal, the ND unit of the access entity does nothing. If the access entity 701 is the user terminal, then when the network-parameter acquisition timer expires the request for an IPv6 address prefix and other network addresses has failed, and the user terminal is restored to the state it was in before the request.
Here the user terminal refers to the user terminal of an access device, an independent user terminal, or another user terminal connected to a device without an access function.
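The exchanges of steps 301-307 and 801-808 (authentication passes), steps 901-907 (the BRAS stays silent, the terminal's timer expires and its state is restored) and the ND option encoding of step 61, as an added Python model that is not the patent's own code. The option type value 250, the flag and lifetime values, and every class and function name are assumptions; only the Prefix Information option layout follows RFC 4861.

```python
"""Toy model of the access-information ND option exchange (added example, not the patent's own code)."""
import ipaddress
import struct

ACCESS_INFO_TYPE = 250   # assumed type code; the text assigns no ND option type
PREFIX_INFO_TYPE = 3     # Prefix Information option, RFC 4861 section 4.6.2

def nd_option(opt_type: int, body: bytes) -> bytes:
    """Encode one ND option: type, length in 8-octet units, body, zero padding."""
    total = 2 + len(body)
    padded = -(-total // 8) * 8              # round up to a multiple of 8
    return bytes([opt_type, padded // 8]) + body + b"\0" * (padded - total)  # ValueError if length > 255

def parse_options(blob: bytes) -> list:
    """Split ND options into (type, raw_option) pairs; reject zero or overlong lengths (RFC 4861)."""
    out, pos = [], 0
    while pos < len(blob):
        size = blob[pos + 1] * 8 if len(blob) - pos >= 2 else 0
        if size == 0 or pos + size > len(blob):
            raise ValueError("bad option length")
        out.append((blob[pos], blob[pos:pos + size]))
        pos += size
    return out

def find_option(blob: bytes, opt_type: int):
    return next((raw for t, raw in parse_options(blob) if t == opt_type), None)

def strip_option(blob: bytes, opt_type: int) -> bytes:
    """Steps 306 / 808: the switch drops the option before forwarding the RA."""
    return b"".join(raw for t, raw in parse_options(blob) if t != opt_type)

def access_info_option(info: str) -> bytes:
    """Steps 302 / 61: e.g. 'switch1:port5' carried as an ND option."""
    return nd_option(ACCESS_INFO_TYPE, info.encode("ascii"))

def read_access_info(blob: bytes):
    raw = find_option(blob, ACCESS_INFO_TYPE)
    return None if raw is None else raw[2:].rstrip(b"\0").decode("ascii")

def prefix_info_option(prefix: ipaddress.IPv6Network) -> bytes:
    """RFC 4861 Prefix Information option: length, L+A flags, lifetimes, prefix."""
    body = struct.pack("!BBIII", prefix.prefixlen, 0xC0, 2592000, 604800, 0)
    return nd_option(PREFIX_INFO_TYPE, body + prefix.network_address.packed)

def read_prefix(blob: bytes):
    raw = find_option(blob, PREFIX_INFO_TYPE)
    if raw is None or len(raw) != 32:
        return None
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(raw[16:32])}/{raw[2]}")

def slaac_address(prefix: ipaddress.IPv6Network, iface_id: str) -> str:
    """Step 307: prefix + interface ID, e.g. 2001::/64 and 221:97ff:fe85:9204."""
    iid = int(ipaddress.IPv6Address("::" + iface_id))
    return f"{ipaddress.IPv6Address(int(prefix.network_address) | iid)}/{prefix.prefixlen}"

class Bras:
    """Steps 401-403 and 906: authenticate on the option, stay silent on failure."""
    def __init__(self, provisioned, prefix):
        self.provisioned = set(provisioned)   # switch:port entries keyed in by the operator
        self.prefix = ipaddress.IPv6Network(prefix)

    def handle_rs(self, rs_options: bytes):
        info = read_access_info(rs_options)
        if info is None or info not in self.provisioned:
            return None                        # no RA is sent at all
        return prefix_info_option(self.prefix) + access_info_option(info)

class Terminal:
    """Access entity is the terminal itself (steps 31/32, 41 and 51)."""
    def __init__(self, iface_id: str, access_info: str):
        self.iface_id, self.access_info = iface_id, access_info
        self.address, self.timer_running = None, False

    def build_rs(self) -> bytes:
        self.timer_running = True              # step 501: start the timeout timer
        return access_info_option(self.access_info)

    def on_ra(self, ra_options: bytes):
        prefix = read_prefix(ra_options)
        if not self.timer_running or prefix is None:
            return None                        # late or malformed RA is discarded
        self.timer_running = False             # step 504: cancel the timer
        self.address = slaac_address(prefix, self.iface_id)
        return self.address

    def on_timeout(self):
        self.timer_running, self.address = False, None   # step 51: restore state

def access_device_flow(bras: Bras, switch: str, port: str, iface_id: str):
    """Steps 301-307: switch inserts the option, BRAS answers, switch strips it."""
    ra_from_bras = bras.handle_rs(access_info_option(f"{switch}:{port}"))
    if ra_from_bras is None:
        return None                            # step 907: the access device does nothing
    ra_to_terminal = strip_option(ra_from_bras, ACCESS_INFO_TYPE)
    return slaac_address(read_prefix(ra_to_terminal), iface_id)

def terminal_flow(bras: Bras, terminal: Terminal):
    """Terminal case: an RA in time sets the address; silence expires the timer (step 907)."""
    ra = bras.handle_rs(terminal.build_rs())
    return terminal.on_ra(ra) if ra is not None else terminal.on_timeout()
```

The model carries only the ND options of each message; the ICMPv6 headers of the real RS and RA are omitted.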
As shown in FIG. 10, the terminal is connected to a switch in the operator's access network and configures its IPv6 address prefix through the ND protocol. The switch, acting as access entity 701, inserts and deletes the authentication information option. The BRAS in the operator network allocates the IPv6 address prefix to the terminal through the ND protocol and, before allocating the address, authenticates with the operator's authentication server according to the authentication information option.
It should be noted that the apparatus provided by the embodiment of the present invention applies the IPv6 stateless auto-configuration authentication method described above, so all embodiments of that method are applicable to the apparatus and achieve the same or similar beneficial effects.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented with one or more integrated circuits; accordingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any specific combination of hardware and software.
The above are preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.
Industrial applicability
IPv6 stateless auto-configuration authentication of the user terminal is realized, which overcomes the limitation of stateless auto-configuration with respect to authentication described above.

Claims (16)

  1. 一种IPv6无状态自动配置的认证方法,应用于接入实体中,包括:An IPv6 stateless automatic configuration authentication method is applied to an access entity, including:
    获取插入有接入信息选项的路由器请求RS消息;Obtaining a router requesting an RS message inserted with an access information option;
    利用邻居发现ND协议将所述RS消息发送给宽带远程接入服务器BRAS实体;Transmitting the RS message to the broadband remote access server BRAS entity by using a neighbor discovery ND protocol;
    接收所述BRAS实体返回的路由器通告RA消息,其中所述RA消息携带有所述接入信息选项及所述BRAS实体分配的具有IPV6地址前缀的网络参数。Receiving a router advertisement RA message returned by the BRAS entity, where the RA message carries the access information option and a network parameter with an IPV6 address prefix allocated by the BRAS entity.
  2. 根据权利要求1所述的认证方法,其中,The authentication method according to claim 1, wherein
    所述接入实体为用户终端的接入设备,The access entity is an access device of a user terminal,
    所述获取插入有接入信息选项的路由器请求RS消息的步骤包括:The step of obtaining a router requesting an RS message inserted with an access information option includes:
    获取并监听转发的所述用户终端的路由器请求RS消息;Acquiring and listening to the forwarded router request RS message of the user terminal;
    监听所述用户终端与所述接入设备对应端口的接入信息;And monitoring access information of the port corresponding to the user terminal and the access device;
    将监听到的接入信息作为接入信息选项插入所述RS消息中。The monitored access information is inserted into the RS message as an access information option.
  3. 根据权利要求2所述的认证方法,其中,The authentication method according to claim 2, wherein
    所述网络参数还包括:域名服务DNS地址,The network parameter further includes: a domain name service DNS address,
    所述接收所述BRAS实体返回的路由器通告RA消息的步骤包括:The step of receiving the router advertisement RA message returned by the BRAS entity includes:
    接收所述BRAS实体返回的所述RA消息,判断所述RA消息中包含所述接入信息选项时,删除所述接入信息选项;Receiving the RA message returned by the BRAS entity, and determining that the access information option is included in the RA message, deleting the access information option;
    根据分配的所述IPv6地址前缀及所述DNS地址,发送删除后的所述RA消息至所述用户终端。Sending the deleted RA message to the user terminal according to the allocated IPv6 address prefix and the DNS address.
  4. 根据权利要求1所述的认证方法,其中,所述接入实体为用户终端时,所述获取插入有接入信息选项的路由器请求RS消息的步骤包括:The authentication method according to claim 1, wherein when the access entity is a user terminal, the step of acquiring a router requesting an RS message inserted with an access information option comprises:
    获取所述用户终端的RS消息;Obtaining an RS message of the user terminal;
    直接将预先构造的接入信息选项插入所述RS消息。The pre-configured access information option is inserted directly into the RS message.
  5. 根据权利要求4所述的认证方法,还包括:The authentication method according to claim 4, further comprising:
    所述获取插入有接入信息选项的路由器请求RS消息之后,After obtaining the router requesting the RS message with the access information option inserted,
    获取对从宽带远程接入服务器BRAS实体返回的路由器通告RA消息的 时间进行定时的超时定时器。Obtaining a router advertisement RA message returned from the broadband remote access server BRAS entity Time-timed timeout timer.
  6. 根据权利要求5所述的认证方法,还包括:The authentication method according to claim 5, further comprising:
    若在所述超时定时器预设时间内未接收到返回的所述RA消息,则恢复申请认证前的所述用户终端的状态。If the returned RA message is not received within the preset timeout period, the state of the user terminal before applying for authentication is restored.
  7. 根据权利要求1至6任一项所述的认证方法,其中,所述利用邻居发现ND协议将所述RS消息发送给宽带远程接入服务器BRAS实体的步骤包括:The authentication method according to any one of claims 1 to 6, wherein the step of transmitting the RS message to the broadband remote access server BRAS entity by using the neighbor discovery ND protocol comprises:
    将所述接入信息选项构造为ND协议选项,并将所述ND协议选项封装到所述RS消息中,并发送所述RS消息给所述BRAS实体进行认证。The access information option is configured as an ND protocol option, and the ND protocol option is encapsulated into the RS message, and the RS message is sent to the BRAS entity for authentication.
  8. An IPv6 stateless auto-configuration authentication apparatus, applied in an access entity, comprising:
    a first acquiring module, configured to acquire a router solicitation (RS) message into which an access information option has been inserted;
    a sending module, configured to send the RS message to a broadband remote access server (BRAS) entity by means of the neighbor discovery (ND) protocol;
    a receiving module, configured to receive a router advertisement (RA) message returned by the BRAS entity, wherein the RA message carries the access information option and network parameters allocated by the BRAS entity that include an IPv6 address prefix.
  9. The authentication apparatus according to claim 8, wherein, when the access entity is an access device of a user terminal, the first acquiring module comprises:
    a first acquiring unit, configured to acquire and snoop the forwarded router solicitation (RS) message of the user terminal;
    a second acquiring unit, configured to snoop the access information of the port of the access device that corresponds to the user terminal;
    a first processing unit, configured to insert the snooped access information into the RS message as the access information option.
  10. The authentication apparatus according to claim 9, wherein
    the network parameters further comprise a domain name service (DNS) address;
    the receiving module comprises:
    a first neighbor discovery (ND) unit, configured to receive the RA message returned by the BRAS entity and, upon determining that the RA message contains the access information option, delete the access information option;
    a sending unit, configured to send the RA message, with the option deleted, to the user terminal according to the allocated IPv6 address prefix and the DNS address.
  11. The authentication apparatus according to claim 8, wherein, when the access entity is the user terminal, the first acquiring module comprises:
    a third acquiring unit, configured to acquire the RS message of the user terminal;
    a second processing unit, configured to insert a pre-constructed access information option directly into the RS message.
  12. The authentication apparatus according to claim 11, further comprising:
    a second acquiring module, configured to obtain a timeout timer that times the wait for the returned router advertisement (RA) message.
  13. The authentication apparatus according to claim 12, further comprising:
    a processing module, configured to restore the user terminal to the state it had before authentication was requested if the returned RA message is not received within the preset time of the timeout timer.
  14. The authentication apparatus according to any one of claims 8 to 13, wherein the sending module comprises:
    a second ND unit, configured to construct the access information option as an ND protocol option, encapsulate the ND protocol option into the RS message, and send the RS message to the BRAS entity for authentication.
  15. A computer program comprising program instructions which, when executed, implement the method according to any one of claims 1 to 7.
  16. A carrier carrying the computer program according to claim 15.
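The exchange that claims 8 to 14 describe, written out as an added example in Python; it is not code from the patent or from the applicant, and it makes the following assumptions, which the claims leave open: the access information option is carried as ND option type 253 (the experimental ND option value from RFC 4727), the option payload is an opaque byte string, the access device relays the RS and RA without rewriting the IPv6 addresses used for the ICMPv6 checksum, and the terminal-side state names ("idle", "authenticating", "configured") are illustrative. The block builds the RS, inserts the option on the access device, answers from a mock BRAS with the option echoed plus a Prefix Information option and an RDNSS option, strips the option before relaying the RA to the terminal, and models the timeout timer of claims 12 and 13; every message is checksummed and verified per RFC 4443, and option lists with a zero length field are rejected rather than looped over.

```python
# Added example (not from the patent): ICMPv6 RS/RA handling with an
# access-information ND option.  Option type 253 is the RFC 4727 experimental
# ND option value, standing in for the patent's unspecified option (assumption).
import ipaddress
import struct
import time

ICMPV6_RS, ICMPV6_RA = 133, 134
ACCESS_INFO_OPT = 253      # assumption: experimental ND option type (RFC 4727)
RS_HDR_LEN, RA_HDR_LEN = 8, 16


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(icmp), 58))
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def seal(src: str, dst: str, msg: bytes) -> bytes:
    """Return msg with its checksum field (bytes 2..3) filled in."""
    body = msg[:2] + b"\x00\x00" + msg[4:]
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def verify(src: str, dst: str, msg: bytes) -> bool:
    """A correctly checksummed message sums to zero."""
    return len(msg) >= 4 and icmpv6_checksum(src, dst, msg) == 0


def build_option(opt_type: int, payload: bytes) -> bytes:
    """ND option TLV (RFC 4861 s4.6): length counts 8-octet units incl. type/length."""
    body = struct.pack("!BB", opt_type, 0) + payload
    body += b"\x00" * (-len(body) % 8)
    return bytes([opt_type, len(body) // 8]) + body[2:]


def parse_options(blob: bytes):
    """Return [(type, raw_option)], rejecting zero-length or truncated options."""
    opts, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated option header")
        t, units = blob[i], blob[i + 1]
        if units == 0 or i + 8 * units > len(blob):
            raise ValueError("bad option length")
        opts.append((t, blob[i:i + 8 * units]))
        i += 8 * units
    return opts


def build_rs(src: str, dst: str, options: bytes = b"") -> bytes:
    """Plain Router Solicitation (type 133, 4 reserved bytes) as a terminal sends it."""
    return seal(src, dst, struct.pack("!BBHI", ICMPV6_RS, 0, 0, 0) + options)


def access_device_insert(rs: bytes, access_info: bytes, src: str, dst: str) -> bytes:
    """Claim 9: snoop the terminal's RS and append the port's access info as an ND option."""
    if rs[0] != ICMPV6_RS or not verify(src, dst, rs):
        raise ValueError("not a valid RS")
    parse_options(rs[RS_HDR_LEN:])            # refuse to forward malformed option lists
    return seal(src, dst, rs + build_option(ACCESS_INFO_OPT, access_info))


def bras_build_ra(rs: bytes, prefix: str, dns: str, src: str, dst: str) -> bytes:
    """Mock BRAS (claim 8): echo the access-info option, add PIO (type 3) and RDNSS (type 25)."""
    echoed = b"".join(o for t, o in parse_options(rs[RS_HDR_LEN:]) if t == ACCESS_INFO_OPT)
    net = ipaddress.IPv6Network(prefix)
    pio = build_option(3, struct.pack("!BBIII", net.prefixlen, 0xC0, 2592000, 604800, 0)
                       + net.network_address.packed)
    rdnss = build_option(25, struct.pack("!HI", 0, 1800) + ipaddress.IPv6Address(dns).packed)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    return seal(src, dst, hdr + echoed + pio + rdnss)


def access_device_strip(ra: bytes, src: str, dst: str) -> bytes:
    """Claim 10: drop the access-info option from the RA, keep prefix and DNS, re-checksum."""
    if ra[0] != ICMPV6_RA or not verify(src, dst, ra):
        raise ValueError("not a valid RA")
    kept = b"".join(o for t, o in parse_options(ra[RA_HDR_LEN:]) if t != ACCESS_INFO_OPT)
    return seal(src, dst, ra[:RA_HDR_LEN] + kept)


class TerminalAuth:
    """Claims 11-13: the terminal inserts a pre-built option itself and, if no RA
    arrives before the timer expires, falls back to the state it had before."""

    def __init__(self, access_info: bytes, timeout_s: float, clock=time.monotonic):
        self.access_info, self.timeout_s, self.clock = access_info, timeout_s, clock
        self.state, self.saved, self.deadline = "idle", None, None   # illustrative state names

    def start(self, rs: bytes, src: str, dst: str) -> bytes:
        self.saved = self.state
        self.state, self.deadline = "authenticating", self.clock() + self.timeout_s
        return seal(src, dst, rs + build_option(ACCESS_INFO_OPT, self.access_info))

    def on_ra(self, ra: bytes) -> str:
        if self.state == "authenticating" and ra[0] == ICMPV6_RA:
            self.state, self.deadline = "configured", None
        return self.state

    def tick(self) -> str:
        if self.state == "authenticating" and self.clock() >= self.deadline:
            self.state, self.deadline = self.saved, None           # claim 13: restore prior state
        return self.state
```

The two defensive points a practitioner would carry into a real relay are both visible here: the access device validates the checksum and option framing of what it snoops before it adds anything, so a malformed RS cannot be laundered into a well-formed authentication request, and the RA relayed to the terminal is re-sealed only after the access-info option is gone, so the terminal never sees the port identity the BRAS used for authentication.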
PCT/CN2015/072585 2014-10-20 2015-02-09 Authentication method and apparatus for ipv6 stateless auto-configuration WO2015184853A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410557797.5 2014-10-20
CN201410557797.5A CN105591848A (en) 2014-10-20 2014-10-20 Authentication method and device of IPv6 stateless automatic configuration

Publications (1)

Publication Number Publication Date
WO2015184853A1 true WO2015184853A1 (en) 2015-12-10

Family

ID=54766083

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/072585 WO2015184853A1 (en) 2014-10-20 2015-02-09 Authentication method and apparatus for ipv6 stateless auto-configuration

Country Status (2)

Country Link
CN (1) CN105591848A (en)
WO (1) WO2015184853A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110875923A (en) * 2018-08-29 2020-03-10 通用汽车环球科技运作有限责任公司 Enhanced network access control (eNAC) framework
CN111541797A (en) * 2020-04-23 2020-08-14 深圳市吉祥腾达科技有限公司 Eco-based IPV6 implementation method
CN113114795A (en) * 2021-03-30 2021-07-13 烽火通信科技股份有限公司 IPv6 address allocation method and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107071926B (en) * 2016-12-02 2020-07-03 北京中创信测科技股份有限公司 Method for complementing S1-MME interface user IPv6 address
CN113660357B (en) * 2021-08-17 2023-10-27 烽火通信科技股份有限公司 Method and device for automatically acquiring IP address by IPv6 dual stack system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897589A (en) * 2005-07-13 2007-01-17 上海贝尔阿尔卡特股份有限公司 Access apparatus, routing equipment and method for supporting IPv6 stateless address configuration in telecommunication network
US20090285215A1 (en) * 2008-05-13 2009-11-19 Futurewei Technologies, Inc. Internet Protocol Version Six (IPv6) Addressing and Packet Filtering in Broadband Networks
CN102340546A (en) * 2010-07-16 2012-02-01 中国电信股份有限公司 IPv6 (Internet Protocol Version 6) address allocation method and system
CN103384282A (en) * 2013-07-31 2013-11-06 北京华为数字技术有限公司 Method for obtaining IPV6ND address and broadband remote access server (BARS)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100583904C (en) * 2006-03-03 2010-01-20 华为技术有限公司 Automatic configuration method for host address in IPV6 network
CN101179603B (en) * 2006-11-09 2011-06-08 上海贝尔阿尔卡特股份有限公司 Method and device for controlling user network access in IPv6 network

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110875923A (en) * 2018-08-29 2020-03-10 通用汽车环球科技运作有限责任公司 Enhanced network access control (eNAC) framework
CN110875923B (en) * 2018-08-29 2022-04-15 通用汽车环球科技运作有限责任公司 Method and system for providing enhanced network access control to a network
CN111541797A (en) * 2020-04-23 2020-08-14 深圳市吉祥腾达科技有限公司 Eco-based IPV6 implementation method
CN113114795A (en) * 2021-03-30 2021-07-13 烽火通信科技股份有限公司 IPv6 address allocation method and system

Also Published As

Publication number Publication date
CN105591848A (en) 2016-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15803371

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15803371

Country of ref document: EP

Kind code of ref document: A1