WO2015196755A1 - Address allocation method in subscriber identifier and locator separation network, and access service router - Google Patents


Info

Publication number
WO2015196755A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
terminal
asr
dhcp
identity
Application number
PCT/CN2014/094131
Other languages
French (fr)
Chinese (zh)
Inventor
芮通
郝振武
孙默
骆文
Original Assignee
中兴通讯股份有限公司

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00  Network arrangements, protocols or services for addressing or naming

Definitions

  • The present invention relates to the field of data communication technologies, and in particular to an address allocation method in an identity location separation network and to an access service router (ASR).
  • The IP address in the TCP/IP protocol suite widely used on the Internet has a dual role: at the network layer it is the location identifier of the communication terminal's host network interface within the network topology, and at the transport layer it is the identity of that host network interface.
  • FIG. 1 shows the network architecture of an identity and location separation system. For convenience of description, the Subscriber Identifier & Locator Separation Network (SILSN) is referred to simply as an identity location separation network.
  • The SILSN includes Access Service Routers (ASR), User Equipment (UE), and an Identity and Location Register (ILR).
  • The UE attaches to the ASR through an access network (not shown in FIG. 1). The ASR is responsible for connecting the UE to the Internet and also performs functions such as charging and switching; the ILR performs functions such as location registration and location query for users.
  • An Access Identifier (AID) is used as the identity of the UE, and a Route Identifier (RID) is used as the location identifier of the UE.
  • The location identifier is usually the identifier of the ASR that the UE is attached to, so each UE attached to the SILSN has its own AID and RID.
  • When a UE attaches to the SILSN, it first registers its location with the ILR through the ASR, that is, which ASR the UE is located under. After registration, the ILR holds a mapping (AID, RID) between the UE's identifier AID and the RID of the ASR it is attached to. Thereafter, if UE1 needs to communicate with UE2, UE1 uses its own AID as the source address and the AID of UE2 as the destination address. After the data packet is constructed and sent, ASR1 queries the ILR for the location of UE2, that is, the ASR where UE2 is located (ASR 9 in FIG. 1). ASR 1 then sends the packet to ASR 9, which processes it and delivers it to UE2.
  • The network described above cleanly separates the identity identifier of the UE from its location identifier. When the UE moves, its identity identifier does not need to change, so service continuity during mobility is guaranteed; and because routing in the network is based on the address of the ASR (the RID), the number of ASRs is far smaller than the number of original IP address prefixes, which improves network routing scalability.
  • The technical problem solved by the embodiments of the present invention is to provide an address allocation method and an ASR in an identity location separation network that implement user-identity-based address allocation under a portal authentication network architecture.
  • An address allocation method in an identity identification and location separation network includes:
  • the access service router (ASR) receives a Dynamic Host Configuration Protocol (DHCP) Discover message sent by a first terminal, where the DHCP Discover message carries the first Media Access Control (MAC) address of the first terminal;
  • the ASR determines whether the first MAC address exists in a correspondence relationship table, which records the correspondence between the user name and the MAC address of each terminal that has passed identity authentication;
  • when the first MAC address exists in the correspondence table, the ASR determines, according to the table, the first user name corresponding to the first MAC address and sends to the Identity and Location Register (ILR) an identity request message carrying the first user name;
  • the method further includes:
  • the ASR receives an identity authentication request forwarded by the Portal server, where the identity authentication request carries the MAC address, user name, and password of a terminal;
  • the ASR forwards the authentication request to the identity authentication server and, after the terminal has been authenticated by the identity authentication server, records the correspondence between the terminal's user name and MAC address in the correspondence relationship table.
  • The method further includes: when the first MAC address does not exist in the correspondence table, the ASR forwards the DHCP Discover message to a DHCP server and allocates to the first terminal a temporary IP address selected by the DHCP server from a temporary IP address pool.
  • Allocating the temporary IP address selected by the DHCP server from the temporary IP address pool to the first terminal includes:
  • the ASR allocates the temporary IP address selected by the DHCP server to the first terminal by forwarding a DHCP Offer message and a DHCP ACK message from the DHCP server, and sets the lease of the temporary IP address to a preset value.
  • The preset value is not greater than a predetermined maximum allowable duration between the terminal passing identity authentication and the terminal obtaining the IP address assigned by the ILR.
  • the method further includes:
  • the ASR receives a DHCP renewal message sent by a second terminal, where the DHCP renewal message carries the second MAC address of the second terminal and the second IP address it currently uses;
  • when the second IP address is a temporary IP address, the ASR determines whether the second MAC address exists in the correspondence table;
  • when the second MAC address exists in the correspondence table, the ASR returns a DHCP NAK message refusing the lease renewal to the second terminal;
  • when the second MAC address does not exist in the correspondence table, the ASR returns a DHCP ACK message allowing the lease renewal to the second terminal.
  • When the second IP address is not a temporary IP address, the ASR returns a DHCP ACK message allowing the lease renewal to the second terminal.
  • An access service router (ASR) includes:
  • a first receiving unit configured to receive a DHCP Discover message sent by a first terminal, where the DHCP Discover message carries the first MAC address of the first terminal;
  • a first determining unit configured to determine whether the first MAC address exists in a correspondence relationship table, which records the correspondence between the user name and the MAC address of each terminal that has passed identity authentication;
  • a first processing unit configured to: when the first MAC address exists in the correspondence relationship table, determine, according to the table, the first user name corresponding to the first MAC address; send to the ILR an identity identification request message carrying the first user name; receive the first IP address returned by the ILR; and allocate the first IP address to the first terminal, where the first IP address is an identity identifier allocated by the ILR based on the first user name.
  • the ASR further includes:
  • a second receiving unit configured to receive an identity authentication request forwarded by the Portal server, where the identity authentication request carries the MAC address, user name, and password of a terminal;
  • a recording unit configured to forward the authentication request to the identity authentication server and, after the terminal has been authenticated by the identity authentication server, record in the correspondence table the correspondence between the terminal's user name and MAC address.
  • the ASR further includes:
  • a second processing unit configured to: when the first MAC address does not exist in the correspondence table, forward the DHCP Discover message to a DHCP server and, by forwarding the DHCP address allocation messages between the DHCP server and the first terminal, assign to the first terminal a temporary IP address selected by the DHCP server from the temporary IP address pool.
  • The second processing unit is configured to assign the temporary IP address selected by the DHCP server to the first terminal by forwarding a DHCP Offer message and a DHCP ACK message from the DHCP server, and to set the lease of the temporary IP address to a preset value not greater than the maximum tolerable duration between the terminal passing identity authentication and the terminal obtaining the IP address assigned by the ILR.
  • the ASR further includes:
  • a third receiving unit configured to: receive a DHCP renewing message sent by the second terminal, where the DHCP renewing message carries a second MAC address of the second terminal and a second IP address currently used;
  • a second determining unit configured to determine whether the second IP address is a temporary IP address;
  • a third determining unit configured to: when the second IP address is a temporary IP address, further determining whether the second MAC address exists in the correspondence relationship table;
  • a third processing unit configured to: when the second MAC address exists in the correspondence relationship table, return a DHCP NAK message that refuses to renew the lease to the second terminal;
  • a fourth processing unit configured to: when the second MAC address does not exist in the correspondence relationship table, return a DHCP ACK message that allows renewal of the lease to the second terminal.
  • the ASR further includes:
  • a fifth processing unit configured to: when the second IP address is not a temporary IP address, return a DHCP ACK message allowing the lease renewal to the second terminal.
  • Embodiments of the present invention also provide a computer program including program instructions that, when executed by an ASR, cause the ASR to perform the method described above.
  • Embodiments of the present invention also provide a computer readable storage medium carrying the computer program.
  • The address allocation method and the ASR of the embodiments of the present invention re-assign an IP address to the terminal based on the user identity after the terminal has passed Portal identity authentication, thereby realizing identity identifier assignment based on user identity in a portal authentication network architecture and providing technical support for applying identity location separation technology in that architecture. At the same time, the solution does not require a client to be installed on the terminal and does not change the user's existing usage habits, so it is convenient and easy to use.
  • FIG. 1 is a schematic diagram of the network architecture of an identity identification and location separation system according to the related art.
  • FIG. 2 is a schematic diagram of the network architecture of portal authentication according to the related art.
  • FIG. 3 is a schematic flowchart of an address allocation method according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the functional modules of an ASR according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a specific example of the address allocation method provided by the present invention.
  • In the portal authentication architecture of FIG. 2, the portal user is an office user and the portal server is an authentication server.
  • The Broadband Access Server (BAS) is a router device that sends the user's user name and password to the RADIUS authentication server (not shown in FIG. 2), which verifies the user's identity.
  • Portal authentication is also commonly referred to as Web authentication.
  • A typical example is as follows: when an unauthenticated user connects to a government intranet, the access device forces the user to a specific site (such as an IT hotline), whose services the user can access free of charge.
  • If the user needs to access other intranet resources (such as servers or office applications), the user must first be authenticated on the portal; only after authentication is passed can those resources be used.
  • The portal service provides convenient management functions for government and enterprise networks, which simplifies the work of network operation and maintenance staff. Since portal authentication does not require a software client on the terminal, it is convenient for office users and widely used in the market. However, the nature of portal authentication means that the user must first be assigned an IP address (for example, obtained automatically via DHCP) and only then log in to the portal for identity authentication.
  • The core idea of the identity location separation network is to assign addresses based on user identity. It follows that the IP address obtained by the user before passing portal authentication cannot serve as the identity identifier in the identity location separation network. Therefore, after authentication, the user's old address is released and a new address is assigned as the identity identifier.
  • The embodiment of the present invention provides an address allocation method in an identity location separation network that implements address allocation under the portal authentication architecture using identity location separation technology: without installing a client and without changing the user's usage habits, the user is assigned an identity identifier (an IP address) based on the user's identity.
  • The address allocation method provided by the embodiment of the present invention is applied to an identity identification and location separation network that includes an ASR, an ILR, and multiple terminals, and also includes a Portal server, a DHCP server, and an authentication server (such as a RADIUS authentication server). Each terminal accesses the network through its corresponding ASR. The DHCP server may be built into the ASR as a functional module, or it may be deployed independently of the ASR, in which case the ASR may act as a DHCP relay.
  • The specific networking mode can be designed according to actual network requirements with reference to the existing DHCP architecture.
  • The ILR may be integrated into the ASR or deployed independently of it. Referring to FIG. 3, the address allocation method according to an embodiment of the present invention includes the following steps:
  • Step 31: The ASR receives a DHCP Discover message sent by the first terminal, where the DHCP Discover message carries the first MAC address of the first terminal.
  • A terminal sends a DHCP Discover message according to the existing DHCP standard. For example, when a terminal powers up or its IP address lease expires, it broadcasts a DHCP Discover message, which usually carries the terminal's own MAC address (referred to below as the first MAC address), so that the ASR to which the first terminal is attached receives the message.
  • Step 32: The ASR determines whether the first MAC address exists in a correspondence relationship table, which records the correspondence between the user name and the MAC address of each terminal that has passed identity authentication.
  • A user terminal can perform Portal identity authentication through the Portal site according to its access requirements, so as to obtain permission to access more network resources.
  • The embodiment of the present invention keeps a correspondence relationship table in the ASR, which records the correspondence between the MAC address of each terminal that has passed Portal identity authentication and the user name that terminal used for Portal authentication.
  • The user name used for Portal authentication represents the user identity of the terminal.
  • The correspondence table may be maintained during the Portal authentication process of the terminal.
  • The specific maintenance mode may be: after the ASR receives an identity authentication request for any terminal forwarded by the Portal server, where the request carries that terminal's MAC address, user name, and password, the ASR forwards it to the identity authentication server (such as a RADIUS server) for identity authentication; after the terminal's identity has been authenticated by the server, the ASR records the correspondence between the terminal's user name and MAC address in the correspondence table.
  • Thus, in step 32, whether the first terminal has passed Portal identity authentication is determined by whether the first MAC address exists in the correspondence table.
  • Step 33: When the first MAC address exists in the correspondence relationship table, the ASR determines, according to the table, the first user name corresponding to the first MAC address, and sends to the Identity and Location Register (ILR) an identity request message carrying the first user name.
  • If the first terminal has passed Portal authentication, the correspondence between its MAC address and user name exists in the correspondence table, so the user name of the first terminal can be determined in step 33 and carried in the identity request sent to the ILR.
  • Step 34: The ASR receives a first IP address returned by the ILR and allocates the first IP address to the first terminal, where the first IP address is an identity identifier assigned to the first terminal by the ILR based on the first user name.
  • The correspondence between the user name and the identity identifier of each legitimate user may be pre-stored in the ILR.
  • The identity identifier may be an IP address, distinct from the temporary IP addresses assigned by the DHCP server.
  • This IP address is referred to here as the official IP address.
  • The ILR determines the identity identifier (i.e., the first IP address) corresponding to the first user name carried in the request message, and then sends the first IP address to the ASR.
  • The ASR allocates the first IP address to the first terminal.
  • The embodiment of the present invention allocates an identity identifier (i.e., an IP address) to the terminal based on the user name (i.e., the user identity), thereby implementing identity identifier assignment based on user identity in the portal authentication network architecture. This is consistent with the core idea of the identity location separation network and supports the application of identity location separation technology in government and enterprise networks. Moreover, the allocation method of this embodiment does not require a client to be installed on the terminal and does not change the user's usage habits, so it is convenient to implement and easy to use.
  • When the first terminal sends the DHCP Discover message, it may not yet have passed Portal authentication.
  • For example, the first terminal may have just been powered on and sent the DHCP Discover message immediately afterwards.
  • Or the first terminal may have attempted Portal authentication but failed identity authentication at the authentication server.
  • In either case, the first MAC address of the first terminal does not exist in the correspondence table.
  • The method of the embodiment of the present invention therefore further includes the following step:
  • the ASR forwards the DHCP Discover message to a DHCP server, and allocates to the first terminal a temporary IP address selected by the DHCP server from the temporary IP address pool.
  • That is, if the first terminal has not passed Portal authentication, the DHCP server assigns it a temporary IP address.
  • The DHCP server can maintain a temporary IP address pool containing preset temporary IP addresses. For example, all addresses in a particular network segment can be used as temporary IP addresses; alternatively, a set of specific IP addresses can be used as temporary IP addresses.
  • The ASR can recognize a temporary IP address accordingly, for example, by the network segment to which the IP address belongs, or by whether the IP address is one of the specific temporary IP addresses.
  • The ASR allocates the temporary IP address selected by the DHCP server to the first terminal by forwarding a DHCP Offer message and a DHCP ACK message from the DHCP server, and sets the lease of the temporary IP address to a preset value.
  • The preset value should generally be small, so that frequent lease timeouts allow terminals that pass Portal authentication during a lease period to be discovered quickly and reassigned IP addresses based on user identity.
  • A network has many performance parameters, each with an expected or required value.
  • The period from the time a terminal passes Portal identity authentication to the time it obtains the IP address assigned by the ILR based on the user identity can be used as one such performance indicator.
  • The shorter this period, the higher the sensitivity of the network, and the sooner terminals that have recently passed Portal authentication are discovered and reassigned IP addresses based on user identity. Therefore, the network administrator can set the maximum allowable duration from a terminal passing identity authentication to that terminal obtaining its identity identifier from the ILR, according to the required network sensitivity and taking into account the processing capabilities of the ASR and the DHCP server and the number of terminals in the network.
  • The preset value of the lease period is then set to a value not greater than this maximum allowable duration, for example 10 s.
  • A terminal decides when to initiate a renewal request based on the remaining duration of the lease on its current IP address; for example, it sends the DHCP renewal message when half of the lease period remains.
  • A second terminal is taken as an example to describe how the lease renewal process works in the embodiment of the present invention.
  • The second terminal may be any terminal in the network, for example the first terminal described above or any other terminal in the network.
  • The second terminal sends a DHCP renewal message carrying the second terminal's MAC address (the second MAC address) and the IP address it currently uses (the second IP address).
  • The ASR determines whether the second IP address is a temporary IP address:
  • when the second IP address is not a temporary IP address, the ASR returns a DHCP ACK message allowing the lease renewal to the second terminal;
  • when the second IP address is a temporary IP address, the ASR further determines whether the second MAC address exists in the correspondence table: if so, it returns a DHCP NAK message refusing the lease renewal to the second terminal; if not, it returns a DHCP ACK message allowing the lease renewal to the second terminal.
  • In other words, once a terminal holding a temporary IP address has passed Portal authentication, the ASR rejects its renewal request.
  • When the lease then expires, the terminal sends a DHCP Discover message, and the ASR and ILR assign the terminal an identity identifier based on the user identity (i.e., the official IP address), so that after passing Portal authentication the terminal no longer uses the temporary IP address but accesses the corresponding network resources with the official IP address.
  • The embodiment of the present invention further provides an ASR for implementing the foregoing method. Referring to FIG. 4, the ASR includes:
  • a first receiving unit 41 configured to receive a DHCP Discover message sent by the first terminal, where the DHCP Discover message carries the first MAC address of the first terminal;
  • a first determining unit 42 configured to determine whether the first MAC address exists in a correspondence relationship table, which records the correspondence between the user name and the MAC address of each terminal that has passed identity authentication;
  • a first processing unit 43 configured to: when the first MAC address exists in the correspondence relationship table, determine, according to the table, the first user name corresponding to the first MAC address; send to the ILR an identity identification request message carrying the first user name; receive the first IP address returned by the ILR; and allocate the first IP address to the first terminal, where the first IP address is an identity identifier allocated by the ILR based on the first user name.
  • The ASR may maintain the correspondence table from information obtained during the authentication process of each terminal, and may further include:
  • a second processing unit configured to: when the first MAC address does not exist in the correspondence table, forward the DHCP Discover message to a DHCP server and, by forwarding the DHCP address allocation messages between the DHCP server and the first terminal, allocate to the first terminal a temporary IP address selected by the DHCP server from the temporary IP address pool;
  • a second receiving unit configured to receive an identity authentication request for any terminal forwarded by the Portal server, where the identity authentication request carries that terminal's MAC address, user name, and password;
  • a recording unit configured to forward the authentication request to the identity authentication server and, after the terminal's identity has been authenticated by the identity authentication server, record the correspondence between the terminal's user name and MAC address in the correspondence table.
  • The second processing unit is further configured to allocate the temporary IP address selected by the DHCP server to the first terminal by forwarding a DHCP Offer message and a DHCP ACK message from the DHCP server, and to set the lease period of the temporary IP address to a preset value not greater than the maximum tolerable duration between the terminal passing identity authentication and the terminal obtaining the IP address assigned by the ILR.
  • The preset value may be any value from 5 s to 15 s.
  • When receiving a renewal request sent by a terminal, the ASR may further decide whether to refuse or allow the lease renewal according to the IP address used by the terminal and whether the terminal has passed Portal identity authentication. For this purpose the ASR also includes:
  • a third receiving unit configured to receive a DHCP renewing message sent by the second terminal, where the DHCP renewing message carries a second MAC address of the second terminal and a second IP address currently used;
  • the second determining unit is configured to determine whether the second IP address is a temporary IP address.
  • the third determining unit is configured to further determine whether the second MAC address exists in the correspondence relationship table when the second IP address is a temporary IP address.
  • the third processing unit is configured to return, when the second MAC address exists in the correspondence table, a DHCP NAK message that refuses to renew the lease to the second terminal.
  • a fourth processing unit configured to return, to the second terminal, a DHCP ACK message that allows for renewal when the second MAC address does not exist in the correspondence table.
  • the fifth processing unit is configured to return, to the second terminal, a DHCP ACK message allowing the lease renewal when the second IP address is not a temporary IP address.
  • In a specific example, a user terminal initiates a DHCP address request. Since the user terminal has not performed Portal identity authentication at this time, the network allocates it a temporary IP address with limited permissions. After the user initiates and passes Portal identity authentication, the network rejects the user terminal's request to renew the temporary IP address. The user terminal therefore waits for the lease of the temporary IP address to expire and then re-initiates the DHCP address request, at which point the official IP address corresponding to the authenticated user identity is assigned to the user terminal as its identity identifier. The specific process is shown in FIG. 5 and includes:
  • Step 501: The UE is powered on (or plugged into the network), initiates the DHCP Discover process, and sends a DHCP Discover message to request an address.
  • Step 502: Because the UE has not passed Portal identity authentication, the network allocates a temporary IP address to the user, for example 10.255.255.1.
  • The ASR allocates the temporary address. It can act as the DHCP server and assign the temporary IP address itself, or it can act as a DHCP relay and relay the address allocation request (the DHCP Discover message) to the DHCP server; the relay process may follow existing technical implementations and is not repeated here.
  • Step 503: The ASR returns a DHCP Offer message to the UE carrying the temporary IP address allocated by the network; this address cannot be used as the identity identifier of the UE.
  • Step 504: After receiving the temporary IP address, the UE sends a DHCP Request message to request a lease on the temporary IP address.
  • Step 505: After confirmation, the ASR returns a DHCP ACK message to the UE carrying the lease term of the temporary address. The lease term needs to be short, for example 10 seconds.
  • the UE obtains a temporary IP address and can use the temporary IP address to access the restricted network resources. If the UE does not initiate portal authentication during this process, when the temporary IP address lease expires, the UE initiates a request to renew the lease, and the network allows the lease to be renewed.
  • the renewal process can be implemented by referring to the prior art, and is not described here;
  • Step 506 The UE initiates portal authentication, and inputs a username and password.
  • the ASR forwards the user name and password to the identity authentication server (for example, AAA Server), and the identity authentication server authenticates the user identity.
  • the ASR and the identity authentication server may be combined and set. Can be set independently, depending on the actual networking decision;
  • Step 507 If the UE passes the authentication, the ASR records the user identity of the UE (for example, the username). Binding relationship with the MAC address;
  • the ASR After that, if the ASR receives the renewing request (DHCP Request message) for the temporary IP address of the UE, the ASR returns a DHCP NAK and refuses to renew the lease;
  • Step 508 the UE waits for the temporary IP address lease timer to expire. At this time, the UE still does not obtain the renewal success response of the temporary IP address, so the UE will re-initiate DHCP Discover, request the address;
  • Step 509 After receiving the DHCP Discover message of the UE, the ASR extracts the MAC address of the UE carried in the message. Since the user identity of the UE and the MAC address are bound, the ASR determines the UE by querying the binding relationship. The user has been authenticated, so the user is not assigned a temporary address, and the user needs to be assigned an identity-based address. The ASR can determine the username corresponding to the MAC address of the UE according to the binding relationship.
  • Step 510 The ASR sends an address request to the ILR, where the request message carries user identity information, such as a username;
  • Step 511 The ILR assigns an identity to the UE based on the user identity information, and then returns the identity of the user to the ASR (eg, address 10.2.6.1).
  • step 511 if the ILR is deployed in the ASR (ILR and ASR merge settings), the address allocation process in step 511 can be implemented in the ASR;
  • the ASR returns a DHCP Offer message to the user, and carries the identity identifier assigned by the ILR. In this way, the UE obtains an IP address based on the identity of the user. Subsequently, the UE may also send a DHCP Request message according to the DHCP process of the prior art, and request a lease for the IP address.
  • the ASR returns a DHCP ACK message to the UE, carrying the lease term of the IP address, and the lease term here can be set longer. In this way, the UE can use the IP address to access the corresponding network resource.
  • the ASR will allow the UE to continue using the IP address.
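The decision logic of the Figure 5 flow (temporary address with a short lease before Portal authentication, renewal refused once the MAC is bound, identity address from the ILR on the next Discover) as an added Python example; this is not the patent's or ZTE's code. The AAA server, ILR, temporary pool 10.255.255.0/24, credentials and the 86400-second identity lease are constructed assumptions; the 10-second temporary lease, 10.255.255.1 and 10.2.6.1 are the values the page uses.

```python
"""ASR address-allocation decisions for the Figure 5 flow (added example, not the patent's code).

Constructed data: the correspondence table starts empty, the temporary pool is
10.255.255.0/24, the AAA server knows one user and the ILR knows one identity
(alice -> 10.2.6.1). Message exchanges are modelled as method calls.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

TEMP_LEASE_SECONDS = 10                     # short lease for temporary addresses (page: e.g. 10 s)
IDENTITY_LEASE_SECONDS = 86400              # longer lease for identity addresses (assumed value)
TEMP_POOL = ip_network("10.255.255.0/24")   # constructed temporary address pool


@dataclass(frozen=True)
class DhcpReply:
    msg_type: str                 # "OFFER", "ACK" or "NAK"
    ip: Optional[str] = None
    lease: Optional[int] = None


class Aaa:
    """Stand-in identity authentication server (constructed credentials)."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def authenticate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


class Ilr:
    """Stand-in ILR: maps a user name to the identity address it owns."""
    def __init__(self, identities: Dict[str, str]):
        self.identities = identities

    def request_identity(self, username: str) -> Optional[str]:
        return self.identities.get(username)


class Asr:
    def __init__(self, ilr: Ilr, aaa: Aaa):
        self.ilr, self.aaa = ilr, aaa
        self.bindings: Dict[str, str] = {}   # correspondence table: MAC -> user name
        self.temp_hosts = TEMP_POOL.hosts()  # stands in for the DHCP server's temporary pool

    @staticmethod
    def is_temporary(ip: str) -> bool:
        """The 'is this a temporary IP address?' check the renewal path depends on."""
        return ip_address(ip) in TEMP_POOL

    def on_portal_auth(self, mac: str, username: str, password: str) -> bool:
        """Steps 506/507: forward credentials to the AAA server; on success bind MAC to user name."""
        if not self.aaa.authenticate(username, password):
            return False
        self.bindings[mac] = username
        return True

    def on_discover(self, mac: str) -> DhcpReply:
        """Steps 502/509: temporary address for an unbound MAC, identity address for a bound one."""
        username = self.bindings.get(mac)
        if username is None:
            return DhcpReply("OFFER", str(next(self.temp_hosts)), TEMP_LEASE_SECONDS)
        identity = self.ilr.request_identity(username)          # steps 510/511
        if identity is None:
            # Assumption: the page does not cover an authenticated user the ILR cannot
            # resolve; refusing is safer than handing the user a temporary address again.
            return DhcpReply("NAK")
        return DhcpReply("OFFER", identity, IDENTITY_LEASE_SECONDS)

    def on_request(self, mac: str, ip: str) -> DhcpReply:
        """Initial lease request or renewal for ip; NAK only a temporary address of a bound MAC."""
        if self.is_temporary(ip):
            if mac in self.bindings:
                return DhcpReply("NAK")                          # step 507: renewal refused after auth
            return DhcpReply("ACK", ip, TEMP_LEASE_SECONDS)      # step 505, or renewal before auth
        return DhcpReply("ACK", ip, IDENTITY_LEASE_SECONDS)      # identity address: longer lease


def run_figure5_scenario() -> Dict[str, object]:
    """Replays steps 501-511 for one UE and returns every reply by name."""
    asr = Asr(Ilr({"alice": "10.2.6.1"}), Aaa({"alice": "s3cret"}))
    mac = "00:11:22:33:44:55"                                   # constructed UE MAC
    offer = asr.on_discover(mac)                                # 501-503: temporary 10.255.255.1
    return {
        "offer": offer,
        "ack": asr.on_request(mac, offer.ip),                   # 504/505: 10 s lease
        "renew_before_auth": asr.on_request(mac, offer.ip),     # lease expiry before auth: allowed
        "authenticated": asr.on_portal_auth(mac, "alice", "s3cret"),  # 506/507
        "renew_after_auth": asr.on_request(mac, offer.ip),      # NAK: UE must let the lease expire
        "identity_offer": asr.on_discover(mac),                 # 508-511: 10.2.6.1 from the ILR
    }


if __name__ == "__main__":
    for name, reply in run_figure5_scenario().items():
        print(f"{name:>18}: {reply}")
```

The one design point worth noting is that `on_request` refuses only the combination "temporary address and bound MAC": a renewal of an identity address, or of a temporary address by a still-unauthenticated terminal, is acknowledged, which is exactly the branch structure of the optional renewal steps in the claims.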
  • all or part of the steps of the above embodiments may also be implemented using an integrated circuit.
  • the steps may be separately fabricated into individual integrated circuit modules, or a plurality of modules or steps may be fabricated into a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when each device/function module/functional unit in the above embodiments is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer-readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the address allocation method and the ASR of the embodiments of the present invention reassign an IP address to the terminal based on the user's identity after the terminal passes Portal identity authentication, thereby achieving user-identity-based identity identifier allocation in a portal authentication network architecture.
  • this provides technical support for applying identity location separation technology in the portal authentication network architecture. At the same time, the solution requires neither installing a client on the terminal nor changing users' existing habits, and is convenient to implement and easy to use.

Abstract

An address allocation method in a subscriber identifier and locator separation network, and an access service router. The method comprises: an ASR receives a DHCP discovery message sent by a first terminal, the DHCP discovery message carrying a first MAC address of the first terminal; the ASR determines whether the first MAC address exists in a correspondence table; when the first MAC address exists in the correspondence table, the ASR determines a first user name corresponding to the first MAC address according to the correspondence table, and sends, to an identification and locator register (ILR), an identification request message carrying the first user name; and the ASR receives a first IP address returned by the ILR, and allocates the first IP address to the first terminal.

Description

Address allocation method and access service node in an identity location separation network
Technical field
The present invention relates to the field of data communication technologies, and in particular to an address allocation method in an identity location separation network and an access service node (ASR, Access Service Router).
Background
In the TCP/IP protocol suite widely used on the Internet, an IP address has a dual function: it serves both as the location identifier of a communicating host's network interface in the network topology (network layer) and as the identity identifier of the host's network interface (transport layer). With the development of mobile networks, as host/terminal mobility becomes more and more common, the defects of this dual role of the IP address become increasingly obvious, directly affecting the routing scalability of the Internet and the continuity of communication services.
The purpose of identity and location separation technology is to resolve the semantic ambiguity of the IP address. Figure 1 shows the network architecture of an identity and location separation system. For convenience of description, this subscriber identifier and locator separation network (SILSN, Subscriber Identifier & Locator Separation Network) is referred to below simply as an identity location separation network.
In Figure 1, the SILSN includes an access service node (ASR, Access Service Router), user equipment (UE, User Equipment) and an identification and locator register (ILR, Identification & Locater Register). The UE accesses the ASR through an access network (not shown in Figure 1); the ASR is responsible for connecting the UE to the Internet and undertakes functions such as charging and handover, and the ILR undertakes functions such as location registration and query for users.
In the SILSN, an access identifier (AID, Access IDentification) is used as the identity identifier of the UE, and a route identifier (RID, Route IDentification) is used as the location identifier of the UE. The location identifier is usually the identifier of the ASR to which the UE is attached, so each UE attached to the SILSN has its own AID and RID.
When a UE attaches to the SILSN, it first registers its location with the ILR through the ASR, that is, which ASR the UE is located under. After the UE registers, the ILR establishes the correspondence (AID, RID) between the UE's identifier AID and the RID of the ASR it is attached to. Afterwards, if UE1 needs to communicate with UE2, UE1 builds and sends a data packet with its own identity identifier AID1 as the source address and the identity identifier of UE2 as the destination address; ASR1 then queries the ILR for the location of UE2, that is, which ASR UE2 is located under (ASR 9 in Figure 1); ASR 1 sends the packet to the corresponding ASR 9, and ASR 9 processes the packet and sends it to UE2.
The above network achieves a clean separation of the identity identifier and the location identifier of the UE. When a user moves or roams, the identity identifier does not need to change, which guarantees service continuity during movement; and because routing in the network is based on the ASR address RID, the number of ASRs is greatly reduced compared with the original number of IP address prefixes, which improves network routing scalability.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide an address allocation method and an ASR in an identity location separation network, implementing user-identity-based address allocation under a portal authentication network architecture.
To solve the above technical problem, the address allocation method in an identity location separation network provided by an embodiment of the present invention includes:
An address allocation method in an identity identifier and location separation network, comprising:
an access service node ASR receives a Dynamic Host Configuration Protocol (DHCP) discovery message sent by a first terminal, the DHCP discovery message carrying a first media access control (MAC) address of the first terminal;
the ASR determines whether the first MAC address exists in a correspondence table, the correspondence table recording the correspondence between user names and MAC addresses of terminals that have passed identity authentication;
when the first MAC address exists in the correspondence table, the ASR determines, according to the correspondence table, a first user name corresponding to the first MAC address, and sends to an identification and locator register ILR an identity request message carrying the first user name;
the ASR receives a first IP address returned by the ILR and allocates the first IP address to the first terminal, where the first IP address is the identity identifier allocated by the ILR to the first terminal based on the first user name.
Optionally, the method further includes:
the ASR receives an identity authentication request forwarded by a portal server, the identity authentication request carrying a MAC address, a user name and a password of a terminal;
the ASR forwards the authentication request to an identity authentication server, and after the terminal passes identity authentication by the identity authentication server, records the correspondence between the user name and the MAC address of the terminal in the correspondence table.
Optionally, when the first MAC address does not exist in the correspondence table, the method further includes: the ASR forwards the DHCP discovery message to a DHCP server, and allocates to the first terminal a temporary IP address selected by the DHCP server from a temporary IP address pool.
Optionally, allocating to the first terminal the temporary IP address selected by the DHCP server from the temporary IP address pool includes:
the ASR allocates the temporary IP address selected by the DHCP server to the first terminal by forwarding the DHCP Offer message and DHCP ACK message from the DHCP server, and sets the lease term of the temporary IP address to a preset value, the preset value being no greater than a predetermined maximum tolerable duration from the time the terminal passes identity authentication to the time it obtains the IP address allocated by the ILR.
Optionally, the method further includes:
the ASR receives a DHCP lease renewal message sent by a second terminal, the DHCP renewal message carrying a second MAC address of the second terminal and a second IP address currently in use;
the ASR determines whether the second IP address is a temporary IP address;
when the second IP address is a temporary IP address, the ASR determines whether the second MAC address exists in the correspondence table;
when the second MAC address exists in the correspondence table, the ASR returns to the second terminal a DHCP NAK message refusing the renewal;
when the second MAC address does not exist in the correspondence table, the ASR returns to the second terminal a DHCP ACK message allowing the renewal.
Optionally, when the second IP address is not a temporary IP address, the ASR returns to the second terminal a DHCP ACK message allowing the renewal.
An access service node ASR, comprising:
a first receiving unit, configured to receive a Dynamic Host Configuration Protocol (DHCP) discovery message sent by a first terminal, the DHCP discovery message carrying a first media access control (MAC) address of the first terminal;
a first determining unit, configured to determine whether the first MAC address exists in a correspondence table, the correspondence table recording the correspondence between user names and MAC addresses of terminals that have passed identity authentication;
a first processing unit, configured to: when the first MAC address exists in the correspondence table, determine, according to the correspondence table, a first user name corresponding to the first MAC address and send to an identification and locator register ILR an identity request message carrying the first user name; and receive a first IP address returned by the ILR and allocate the first IP address to the first terminal, where the first IP address is the identity identifier allocated by the ILR to the first terminal based on the first user name.
Optionally, the ASR further includes:
a second receiving unit, configured to receive an identity authentication request forwarded by a portal server, the identity authentication request carrying a MAC address, a user name and a password of a terminal;
a recording unit, configured to forward the authentication request to an identity authentication server and, after the terminal passes identity authentication by the identity authentication server, record the correspondence between the user name and the MAC address of the terminal in the correspondence table.
Optionally, the ASR further includes:
a second processing unit, configured to: when the first MAC address does not exist in the correspondence table, forward the DHCP discovery message to a DHCP server and, by relaying DHCP address allocation messages between the DHCP server and the first terminal, allocate to the first terminal a temporary IP address selected by the DHCP server from a temporary IP address pool.
Optionally, the second processing unit is configured to allocate the temporary IP address selected by the DHCP server to the first terminal by forwarding the DHCP Offer message and DHCP ACK message from the DHCP server, and to set the lease term of the temporary IP address to a preset value, the preset value being no greater than the maximum tolerable duration from the time the terminal passes identity authentication to the time it obtains the IP address allocated by the ILR.
Optionally, the ASR further includes:
a third receiving unit, configured to receive a DHCP lease renewal message sent by a second terminal, the DHCP renewal message carrying a second MAC address of the second terminal and a second IP address currently in use;
a second determining unit, configured to determine whether the second IP address is a temporary IP address;
a third determining unit, configured to, when the second IP address is a temporary IP address, further determine whether the second MAC address exists in the correspondence table;
a third processing unit, configured to, when the second MAC address exists in the correspondence table, return to the second terminal a DHCP NAK message refusing the renewal;
a fourth processing unit, configured to, when the second MAC address does not exist in the correspondence table, return to the second terminal a DHCP ACK message allowing the renewal.
Optionally, the ASR further includes:
a fifth processing unit, configured to, when the second IP address is not a temporary IP address, return to the second terminal a DHCP ACK message allowing the renewal.
An embodiment of the present invention also provides a computer program comprising program instructions which, when executed by an ASR, cause the ASR to perform the method described above.
An embodiment of the present invention also provides a computer-readable storage medium carrying the computer program. The above address allocation method and ASR of the embodiments of the present invention reassign an IP address to the terminal based on the user's identity after the terminal passes Portal identity authentication, thereby achieving user-identity-based identity identifier allocation in a portal authentication network architecture and providing technical support for applying identity location separation technology in such an architecture. At the same time, the solution requires neither installing a client on the terminal nor changing users' existing habits, and is convenient to implement and easy to use.
Brief description of the drawings
Figure 1 is a schematic diagram of the network architecture of an identity and location separation system in the related art;
Figure 2 is a schematic diagram of a portal authentication network architecture in the related art;
Figure 3 is a schematic flowchart of the address allocation method provided by an embodiment of the present invention;
Figure 4 is a schematic diagram of the functional modules of the ASR provided by an embodiment of the present invention;
Figure 5 is a flowchart of a specific example of the address allocation method provided by the present invention.
本发明的较佳实施方式 Preferred embodiment of the invention
随着网络的发展,在政企网络中也开始应用上述的身份位置分离技术,通过为每个员工分配固定的身份标识,加强网络安全管理,减少运维消耗。但由于现网中,很多政企网认证系统采用门户的认证方式,如图2所示。其中,入口用户(Portal User)是办公用户,入口服务器(Portal Server)是认证服务器。宽带接入服务器(BAS,Broadband Access Server)是路由器设备,将用户的用户名和口令发送到Radius认证服务器(图2中未示出),由Radius认证服务器校验用户身份。With the development of the network, the above-mentioned identity location separation technology has also been applied in the government-enterprise network. By assigning a fixed identity to each employee, network security management is enhanced and operation and maintenance consumption is reduced. However, due to the current network, many government and enterprise network authentication systems adopt the portal authentication method, as shown in Figure 2. The portal user is an office user, and the portal server is an authentication server. The Broadband Access Server (BAS) is a router device that sends the user's username and password to the Radius authentication server (not shown in Figure 2), and the Radius authentication server verifies the user identity.
所谓门户认证通常也称为Web认证,典型举例如下:未认证用户登录政企内网时,设备强制用户登录到特定站点(如:IT热线),用户可以免费访问该站点的服务。当用户需要访问内网的其它信息资源(如:访问服务器,办公操作等)时,必须在门户网站进行认证,只有认证通过后才可以使用该类资源。Portal authentication is also commonly referred to as Web authentication. A typical example is as follows: When an unauthenticated user logs in to the government intranet, the device forces the user to log in to a specific site (such as an IT hotline), and the user can access the service of the site for free. When users need to access other information resources of the intranet (such as accessing servers, office operations, etc.), they must be authenticated on the portal. Only after the authentication is passed can the resources be used.
门户业务可以为政企网络提供方便的管理功能,使政企网运维人员管理简单,由于门户认证不需要在终端安装软件客户端,其办公用户操作便捷,在市场上得到广泛应用。但门户认证方式的特点决定,需要为用户先分配IP地址(例如:DHCP自动获取IP地址方式),而后用户登录门户网站进行身份认证。而身份位置分离网络的核心思想是基于用户身份分配地址。由此可知,用户在门户网站认证通过之前获得的IP地址是不能作为身份位置分离网络的身份标识的,因此需要在认证之后,将用户之前的旧地址释放,再重新分配一次地址作为身份标识。The portal service can provide convenient management functions for the government and enterprise network, which makes the management of the government and enterprise network operation and maintenance personnel simple. Since the portal authentication does not require the installation of the software client in the terminal, the office users are convenient to operate and widely used in the market. However, the characteristics of the portal authentication method determine that the user needs to first assign an IP address (for example, DHCP automatically obtains an IP address), and then the user logs in to the portal for identity authentication. The core idea of the identity location separation network is to assign addresses based on user identity. It can be seen that the IP address obtained by the user before the portal authentication is passed cannot be used as the identity of the identity separation network. Therefore, after the authentication, the old address of the user is released, and the address is reassigned as the identity.
为了实现上述地址重新分配,本发明实施例提出了一种身份位置分离网络中的地址分配方法,在身份位置分离技术下实现门户认证架构下的地址分配,在不需要安装客户端,不需要改变用户使用习惯的前提下,基于用户身份为用户分配身份标识(IP地址)。In order to achieve the above address redistribution, the embodiment of the present invention provides an address allocation method in an identity location separation network, which implements address allocation under the portal authentication architecture under the identity location separation technology, and does not need to be changed without installing a client. The user is assigned an identity (IP address) based on the user's identity on the premise of the user's usage habits.
本发明实施例提供的地址分配方法,应用于一身份标识与位置分离网络中,该网络包括有ASR、ILR和多个终端,还包括有Portal服务器、DHCP服务器和认证服务器(如radius认证服务器)等设备,其中终端通过对应的ASR接入网络,DHCP服务器可以是设置在ASR中,作为ASR的一个功能模块,也可以是独立于ASR设置,此时ASR可以充当DHCP relay的角色, 具体的组网方式可以根据时间网络需求和参考现有的DHCP架构进行构建。类似的,ILR可以集成在ASR中,也可以独立于ASR而设置。请参照图3,本发明实施例提供的地址分配方法,包括步骤:The address allocation method provided by the embodiment of the present invention is applied to an identity identification and location separation network, where the network includes an ASR, an ILR, and multiple terminals, and also includes a Portal server, a DHCP server, and an authentication server (such as a radius authentication server). And the device, wherein the terminal accesses the network through the corresponding ASR, and the DHCP server can be set in the ASR as a function module of the ASR, or can be independent of the ASR setting, and the ASR can act as a DHCP relay. The specific networking mode can be constructed according to the time network requirements and referring to the existing DHCP architecture. Similarly, ILR can be integrated in ASR or set independently of ASR. Referring to FIG. 3, an address allocation method according to an embodiment of the present invention includes the following steps:
步骤31,ASR接收第一终端发送的DHCP发现(DHCP Discover)消息,DHCP发现消息携带所述第一终端的第一MAC地址。Step 31: The ASR receives a DHCP Discover message sent by the first terminal, where the DHCP Discover message carries the first MAC address of the first terminal.
这里,一个终端(为后文引用方便,将该终端称为第一终端)按照现有的DHCP标准,发送DHCP发现消息,例如,终端在上电或IP地址租约超时等情况发生时,会广播DHCP发现消息,该消息中通常会携带终端自身的MAC地址(为后文引用方便,将该MAC地址称为第一MAC地址),这样,该第一终端接入的ASR就会接收到该第一终端发送的DHCP发现消息Here, a terminal (referred to as a first terminal for convenience of reference later) transmits a DHCP discovery message according to an existing DHCP standard. For example, when a terminal powers up or an IP address lease expires, the terminal broadcasts. A DHCP discovery message, which usually carries the MAC address of the terminal itself (for convenience of reference later, the MAC address is referred to as the first MAC address), so that the ASR accessed by the first terminal receives the message. DHCP discovery message sent by a terminal
步骤32,所述ASR判断所述第一MAC地址是否存在于一对应关系表中,所述对应关系表中记录有已通过身份认证的终端的用户名与MAC地址之间的对应关系。Step 32: The ASR determines whether the first MAC address exists in a correspondence relationship table, where the correspondence between the user name and the MAC address of the terminal that has passed the identity authentication is recorded in the correspondence relationship table.
本发明实施例中,用户终端可以根据访问需要,通过Portal站点进行Portal身份认证,以获得访问更多网络资源的权限。为了区分已通过身份认证的终端,本发明实施例在ASR中设置一对应关系表,在该表中记录已经通过Portal身份认证的终端的MAC地址与该终端用于Portal认证的用户名之间的对应关系。这里,用于Portal认证的用户名,代表了终端的用户身份。In the embodiment of the present invention, the user terminal can perform Portal identity authentication through the Portal site according to the access requirement, so as to obtain the permission to access more network resources. In order to distinguish the terminal that has passed the identity authentication, the embodiment of the present invention sets a correspondence relationship table in the ASR, where the MAC address of the terminal that has passed the Portal identity authentication and the user name used by the terminal for Portal authentication are recorded in the table. Correspondence relationship. Here, the username used for Portal authentication represents the user identity of the terminal.
该对应关系表可以在终端的Portal认证过程中进行维护,具体的维护方式可以是:ASR在接收Portal服务器转发的针对任一终端的身份认证请求后,所述身份认证请求携带所述任一终端的MAC地址、用户名和密码,将所述认证请求转发给身份认证服务器(如radius服务器)进行身份认证,并在所述任一终端通过身份认证服务器的身份认证后,在所述对应关系表中记录所述任一终端的用户名与MAC之间的对应关系。The corresponding relationship table may be maintained in the Portal authentication process of the terminal. The specific maintenance mode may be: after the ASR receives the identity authentication request for any terminal forwarded by the Portal server, the identity authentication request carries the any terminal. The MAC address, the user name, and the password are forwarded to the identity authentication server (such as the radius server) for identity authentication, and after the identity of the terminal is authenticated by the identity authentication server, in the corresponding relationship table. Record the correspondence between the username of the terminal and the MAC.
这样,在上述步骤32中,就可以根据第一MAC地址是否存在于该对应关系表中,来判断第一终端是否已通过Portal身份认证。In this way, in the foregoing step 32, it is determined whether the first terminal has passed the portal identity authentication according to whether the first MAC address exists in the correspondence relationship table.
Step 33: When the first MAC address exists in the correspondence table, the ASR determines, according to the correspondence table, the first user name corresponding to the first MAC address, and sends an identity request message carrying the first user name to the identity and location register (ILR).
Here, if the first terminal has already passed Portal identity authentication, the correspondence table will contain the correspondence between the MAC address of the first terminal and its user name, so the user name of the first terminal can be determined, and in step 33 above that user name is carried in the identity request sent to the ILR.
Step 34: The ASR receives the first IP address returned by the ILR and allocates the first IP address to the first terminal, where the first IP address is the identity that the ILR allocates to the first terminal based on the first user name.
Here, the correspondence between the user names and identities of legitimate users may be stored in the ILR in advance. The identity here may be an IP address; to distinguish it from the temporary IP address allocated by the DHCP server, this IP address is called the formal IP address. After receiving the identity request message sent by the ASR in step 33, the ILR determines the identity (i.e. the first IP address) corresponding to the first user name carried in the request message and then sends that first IP address to the ASR. After receiving the first IP address returned by the ILR, the ASR allocates the first IP address to the first terminal.
Through the above steps, the embodiment of the present invention allocates an identity (i.e. an IP address) to a terminal based on its user name (i.e. the user identity) after the terminal has passed authentication, thereby implementing identity allocation based on user identity in a portal-authentication network architecture. This is consistent with the core idea of identity and location separation networks and supports the application of identity and location separation technology in government and enterprise networks. Moreover, the allocation method of this embodiment requires neither installing a client on the terminal nor changing users' habits; it is convenient to implement and easy to use.
In the embodiment of the present invention, the first terminal may not yet have performed Portal authentication when it sends the DHCP Discover message; for example, the first terminal may have just been powered on and sent the DHCP Discover message after power-up. It is also possible that the first terminal performed Portal authentication but failed the identity authentication of the authentication server. In these cases, the first MAC address of the first terminal will not be present in the correspondence table. As the other possible outcome of step 32 above, when the first MAC address is not present in the correspondence table, the method of this embodiment further includes the following step:
When the first MAC address does not exist in the correspondence table, the ASR forwards the DHCP Discover message to the DHCP server and allocates to the first terminal a temporary IP address that the DHCP server selects from a temporary IP address pool.
That is, if the first terminal has not yet passed Portal authentication, the DHCP server allocates it a temporary IP address. The DHCP server may maintain a temporary IP address pool containing preset temporary IP addresses. For example, certain IP addresses may be designated as temporary according to the network segment they belong to; alternatively, certain specific IP addresses may be designated as temporary. In this embodiment, the ASR can recognise temporary IP addresses, for example by the network segment an IP address belongs to, or by whether the IP address is one of the specific addresses mentioned above.
The manner in which the DHCP server allocates a temporary IP address may follow the DHCP address allocation procedure of the prior art. In that procedure, the ASR allocates the temporary IP address selected by the DHCP server to the first terminal by forwarding the DHCP Offer and DHCP ACK messages from the DHCP server, and sets the lease of the temporary IP address to a preset value. This preset value should generally be set fairly small, so that frequent lease timeouts quickly reveal terminals that performed and passed Portal authentication during the lease, and those terminals can be re-allocated IP addresses based on user identity.
Usually a network has many performance parameters, and there is an expected or required value for each. As one implementation, the period from when a terminal passes Portal identity authentication until it obtains the IP address allocated by the ILR based on its user identity may serve as a performance indicator of the network. Obviously, the shorter this period, the more responsive the network, and the easier it is to promptly detect terminals that recently passed Portal authentication and re-allocate them IP addresses based on user identity. Therefore, according to the responsiveness required of the network, and taking into account the processing capacity of the ASR and the DHCP server and the number of terminals in the network, the network administrator can set the maximum tolerable duration between a terminal passing identity authentication and obtaining the identity allocated by the ILR. The preset lease value is then set to a value not greater than this maximum tolerable duration, for example 10 s.
During the lease of a temporary IP address, the terminal decides when to initiate a renewal request according to the remaining duration of the current lease; for example, it sends a DHCP renewal message when half of the lease period remains. The renewal handling of this embodiment is described below taking a second terminal as an example. The second terminal here is any terminal in the network; for example, it may be the first terminal above or any other terminal in the network.
The second terminal sends a DHCP renewal message carrying the second MAC address of the second terminal and the second IP address it is currently using. After receiving the DHCP renewal message from the second terminal, the ASR determines whether the second IP address is a temporary IP address:
When the second IP address is not a temporary IP address, the ASR returns a DHCP ACK message to the second terminal allowing the renewal;
When the second IP address is a temporary IP address, the ASR further determines whether the second MAC address exists in the correspondence table: if so, it returns a DHCP NAK message to the second terminal refusing the renewal; if not, it returns a DHCP ACK message to the second terminal allowing the renewal.
Through the above steps, when a renewal request is received from a terminal whose current IP address is temporary and which has already passed Portal identity authentication, the ASR refuses the renewal request. Consequently, when the lease expires (or the remaining lease falls below a preset threshold), the terminal sends a DHCP Discover message, and the ASR and the ILR then allocate the terminal an identity based on its user identity (i.e. a formal IP address), so that after Portal authentication the terminal no longer uses the temporary IP address but accesses the corresponding network resources with the formal IP address.
Based on the address allocation method of the above embodiment, an embodiment of the present invention further provides an ASR implementing that method. Referring to FIG. 4, the ASR includes:
a first receiving unit 41, configured to receive a DHCP Discover message sent by a first terminal, the DHCP Discover message carrying the first MAC address of the first terminal;
a first determining unit 42, configured to determine whether the first MAC address exists in a correspondence table, the correspondence table recording the correspondence between user names and MAC addresses of terminals that have passed identity authentication;
a first processing unit 43, configured to, when the first MAC address exists in the correspondence table, determine according to the correspondence table the first user name corresponding to the first MAC address and send an identity request message carrying the first user name to the identity and location register ILR; and to receive the first IP address returned by the ILR and allocate the first IP address to the first terminal, where the first IP address is the identity allocated by the ILR to the first terminal based on the first user name.
In this embodiment, the ASR may maintain the correspondence table from information obtained during terminal authentication; the ASR may further include:
a second processing unit, configured to, when the first MAC address does not exist in the correspondence table, forward the DHCP Discover message to the DHCP server and, by relaying the DHCP address allocation messages between the DHCP server and the first terminal, allocate to the first terminal the temporary IP address selected by the DHCP server from the temporary IP address pool;
a second receiving unit, configured to receive an identity authentication request for any terminal forwarded by the Portal server, the identity authentication request carrying the MAC address, user name and password of that terminal;
a recording unit, configured to forward the authentication request to the identity authentication server and, after that terminal passes the identity authentication of the identity authentication server, record the correspondence between the user name and MAC address of that terminal in the correspondence table.
Here, the second processing unit is further configured to allocate the temporary IP address selected by the DHCP server to the first terminal by forwarding the DHCP Offer and DHCP ACK messages from the DHCP server, and to set the lease of the temporary IP address to a preset value not greater than the maximum tolerable duration between a terminal passing identity authentication and obtaining the IP address allocated by the ILR. Preferably, the preset value may be any value from 5 s to 15 s.
In this embodiment, when the ASR receives a renewal request from a terminal, it may further decide whether to refuse or allow the renewal according to the IP address the terminal is currently using and whether the terminal has passed Portal identity authentication; in this case the ASR further includes:
a third receiving unit, configured to receive a DHCP renewal message sent by a second terminal, the DHCP renewal message carrying the second MAC address of the second terminal and the second IP address currently in use;
a second determining unit, configured to determine whether the second IP address is a temporary IP address;
a third determining unit, configured to further determine, when the second IP address is a temporary IP address, whether the second MAC address exists in the correspondence table;
a third processing unit, configured to return a DHCP NAK message refusing the renewal to the second terminal when the second MAC address exists in the correspondence table;
a fourth processing unit, configured to return a DHCP ACK message allowing the renewal to the second terminal when the second MAC address does not exist in the correspondence table;
a fifth processing unit, configured to return a DHCP ACK message allowing the renewal to the second terminal when the second IP address is not a temporary IP address.
The address allocation method of this embodiment is described below through an application example. In this example, after a user terminal accesses the network it initiates a DHCP address request; since the user terminal has not performed Portal identity authentication at that point, the network allocates the user a temporary IP address with restricted privileges. After the user initiates and passes Portal identity authentication, the network refuses the user terminal's renewal request for that temporary IP address, so the user terminal waits for the lease of the temporary IP address to expire and then re-initiates the DHCP address request; the network then allocates the user terminal a formal IP address serving as its identity, based on the already authenticated user identity. The specific procedure, shown in FIG. 5, includes:
Step 501: The UE is powered on (or a network cable is plugged in), initiates the DHCP Discover procedure and sends a DHCP Discover message requesting an address;
Step 502: Since the UE has not passed Portal identity authentication at this point, the network allocates the user a temporary IP address, e.g. 10.255.255.1. In allocating the temporary address the ASR may itself act as the DHCP server and allocate the temporary IP address, or it may act as a DHCP relay and relay the address allocation request (the DHCP Discover message) to the DHCP server; the relay procedure may be implemented according to the prior art and is not repeated here;
Step 503: The ASR returns a DHCP Offer message to the UE carrying the temporary IP address allocated by the network; this address cannot serve as the identity of the UE;
Step 504: After receiving the temporary IP address, the UE sends a DHCP Request message requesting a lease for the temporary IP address;
Step 505: After confirmation, the ASR returns a DHCP ACK message to the UE carrying the lease term of the temporary address. The lease term needs to be set short, e.g. 10 seconds;
Thus, through the above steps, the UE obtains a temporary IP address and can use it to access restricted network resources. If the UE does not initiate portal authentication during this time, then when the temporary IP address lease is about to expire the UE requests renewal and the network allows it. The renewal procedure may be implemented according to the prior art and is not repeated here;
Step 506: The UE initiates portal authentication and enters a user name and password; the ASR forwards the user name, password and other information to the identity authentication server (e.g. an AAA server), which verifies the user identity. The ASR and the identity authentication server may be deployed together or separately, depending on the actual network;
Step 507: If the UE passes authentication, the ASR records the binding between the UE's user identity (e.g. user name) and its MAC address;
Thereafter, if the ASR receives a further renewal request (DHCP Request message) from this UE for the temporary IP address, it returns a DHCP NAK and refuses the renewal;
Step 508: The UE waits for the temporary IP address lease timer to expire; since the UE still has not received a successful renewal response for the temporary IP address, it re-initiates DHCP Discover to request an address;
Step 509: After receiving the UE's DHCP Discover message, the ASR extracts the UE's MAC address carried in the message. Since the UE's user identity and MAC address are already bound, the ASR determines by looking up the binding that the UE has passed identity authentication; it therefore no longer allocates the user a temporary address but needs to allocate an identity-based address. From the binding, the ASR can determine the user name corresponding to the UE's MAC address;
Step 510: The ASR sends an address request to the ILR; the request message carries user identity information such as the user name;
Step 511: The ILR allocates an identity to the UE based on the user identity information and returns the user's identity (e.g. the address 10.2.6.1) to the ASR;
In steps 510 and 511 above, if the ILR is deployed within the ASR (ILR and ASR co-located), the address allocation of step 511 may be performed in the ASR;
Step 512: The ASR returns a DHCP Offer message to the user carrying the identity allocated by the ILR. The UE thus obtains an IP address based on its user identity. Subsequently, following the DHCP procedure of the prior art, the UE may send a DHCP Request message requesting a lease for this IP address, and the ASR returns a DHCP ACK message to the UE carrying the lease term of the IP address; this lease term may be set longer. The UE can then use this IP address to access the corresponding network resources.
After the UE obtains the IP address based on its user identity, if the UE initiates a renewal request for that IP address, the ASR allows the UE to continue using it.
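The ASR decision logic of steps 32 to 34, the renewal rule (NAK only for a temporary address held by an authenticated MAC), and the application example of steps 501 to 512, replayed as a small Python simulation. This is an added example, not code from the patent or its assignee; the temporary pool 10.255.255.0/24, the user credentials, the UE MAC address and the lease lengths are constructed assumptions (the addresses 10.255.255.1 and 10.2.6.1 are the ones used in the example above).

```python
"""Simulation of the ASR's DHCP Discover / Portal authentication / renewal decisions.
Constructed example: pool, credentials, MAC and lease lengths are assumptions."""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict

# Assumed configuration (the patent only says the temporary lease is "short")
TEMP_POOL = IPv4Network("10.255.255.0/24")  # temporary addresses recognised by subnet
TEMP_LEASE_SECONDS = 10                      # short lease, as in step 505
FORMAL_LEASE_SECONDS = 24 * 3600             # longer lease for identity-based addresses


@dataclass
class Offer:
    ip: IPv4Address
    lease_seconds: int
    temporary: bool


class DHCPServer:
    """Ordinary DHCP server: hands out the next free address of the temporary pool."""

    def __init__(self, pool: IPv4Network):
        self._free = list(pool.hosts())

    def allocate(self) -> IPv4Address:
        return self._free.pop(0)


class ILR:
    """Identity/Location Register holding the pre-provisioned username -> identity table."""

    def __init__(self, identities: Dict[str, IPv4Address]):
        self._identities = identities

    def identity_for(self, username: str) -> IPv4Address:
        return self._identities[username]


class ASR:
    """Access service node: owns the MAC -> username correspondence table."""

    def __init__(self, dhcp: DHCPServer, ilr: ILR, credentials: Dict[str, str]):
        self.dhcp = dhcp
        self.ilr = ilr
        self._credentials = credentials      # stands in for the AAA / identity auth server
        self.bindings: Dict[str, str] = {}   # the correspondence table

    @staticmethod
    def is_temporary(ip: IPv4Address) -> bool:
        return ip in TEMP_POOL

    def on_portal_auth(self, mac: str, username: str, password: str) -> bool:
        """Steps 506-507: verify credentials; only a successful check creates a binding."""
        expected = self._credentials.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.bindings[mac] = username
        return True

    def on_discover(self, mac: str) -> Offer:
        """Steps 32-34 vs. the temporary path: a bound MAC gets the ILR identity."""
        username = self.bindings.get(mac)
        if username is not None:
            return Offer(self.ilr.identity_for(username), FORMAL_LEASE_SECONDS, False)
        return Offer(self.dhcp.allocate(), TEMP_LEASE_SECONDS, True)

    def on_renew(self, mac: str, ip: IPv4Address) -> str:
        """Renewal rule: NAK only a temporary address held by an authenticated MAC."""
        if self.is_temporary(ip) and mac in self.bindings:
            return "NAK"
        return "ACK"


def run_scenario() -> Dict[str, object]:
    """Replays steps 501-512 for one UE and returns what the ASR decided at each point."""
    asr = ASR(DHCPServer(TEMP_POOL),
              ILR({"alice": IPv4Address("10.2.6.1")}),
              credentials={"alice": "s3cret"})
    mac = "00:11:22:33:44:55"                                 # constructed UE MAC
    first = asr.on_discover(mac)                              # steps 501-505: temporary
    renew_unauth = asr.on_renew(mac, first.ip)                # not authenticated: allowed
    failed_auth = asr.on_portal_auth(mac, "alice", "wrong")   # failed auth: no binding
    renew_after_fail = asr.on_renew(mac, first.ip)            # still allowed
    passed_auth = asr.on_portal_auth(mac, "alice", "s3cret")  # steps 506-507
    renew_after_auth = asr.on_renew(mac, first.ip)            # bound + temporary: refused
    second = asr.on_discover(mac)                             # steps 508-512: identity
    renew_formal = asr.on_renew(mac, second.ip)               # formal address: allowed
    return {
        "first_ip": str(first.ip), "first_lease": first.lease_seconds,
        "renew_unauth": renew_unauth, "failed_auth": failed_auth,
        "renew_after_fail": renew_after_fail, "passed_auth": passed_auth,
        "renew_after_auth": renew_after_auth,
        "second_ip": str(second.ip), "second_lease": second.lease_seconds,
        "renew_formal": renew_formal,
    }
```

Note that the renewal refusal alone cannot shorten the UE's lease: the ASR only stops renewing, so the temporary lease length bounds how long an authenticated UE keeps its restricted address.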
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, apparatus, device or component), and when executed it includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; these steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus the present invention is not limited to any particular combination of hardware and software.
The apparatuses, functional modules and functional units of the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network of multiple computing devices.
When the apparatuses, functional modules and functional units of the above embodiments are implemented as software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
Industrial applicability
The above address allocation method and ASR of the embodiments of the present invention re-allocate an IP address to a terminal based on the user identity after the terminal passes Portal identity authentication, thereby implementing identity allocation based on user identity in a portal-authentication network architecture and providing technical support for applying identity and location separation technology in such an architecture. At the same time, the above solution requires neither installing a client on the terminal nor changing users' existing habits; it is convenient to implement and easy to use.

Claims (14)

  1. An address allocation method in an identity and location separation network, comprising:
    an access service node (ASR) receiving a Dynamic Host Configuration Protocol (DHCP) Discover message sent by a first terminal, the DHCP Discover message carrying a first Media Access Control (MAC) address of the first terminal;
    the ASR determining whether the first MAC address exists in a correspondence table, the correspondence table recording the correspondence between user names and MAC addresses of terminals that have passed identity authentication;
    when the first MAC address exists in the correspondence table, the ASR determining, according to the correspondence table, a first user name corresponding to the first MAC address, and sending an identity request message carrying the first user name to an identity and location register (ILR);
    the ASR receiving a first IP address returned by the ILR and allocating the first IP address to the first terminal, wherein the first IP address is an identity allocated by the ILR to the first terminal based on the first user name.
  2. The method of claim 1, further comprising:
    the ASR receiving an identity authentication request forwarded by a portal server, the identity authentication request carrying a MAC address, a user name and a password of a terminal;
    the ASR forwarding the authentication request to an identity authentication server and, after the terminal passes identity authentication by the identity authentication server, recording the correspondence between the user name and the MAC address of the terminal in the correspondence table.
  3. The method of claim 1 or 2, wherein,
    when the first MAC address does not exist in the correspondence table, the method further comprises: the ASR forwarding the DHCP Discover message to a DHCP server and allocating to the first terminal a temporary IP address selected by the DHCP server from a temporary IP address pool.
  4. The method of claim 3, wherein,
    allocating to the first terminal the temporary IP address selected by the DHCP server from the temporary IP address pool comprises:
    the ASR allocating the temporary IP address selected by the DHCP server to the first terminal by forwarding a DHCP Offer message and a DHCP ACK message from the DHCP server, and setting the lease of the temporary IP address to a preset value, the preset value being not greater than a predetermined maximum tolerable duration between a terminal passing identity authentication and obtaining the IP address allocated by the ILR.
  5. The method of claim 3, further comprising:
    the ASR receiving a DHCP renewal message sent by a second terminal, the DHCP renewal message carrying a second MAC address of the second terminal and a second IP address currently in use;
    the ASR determining whether the second IP address is a temporary IP address;
    when the second IP address is a temporary IP address, the ASR determining whether the second MAC address exists in the correspondence table;
    when the second MAC address exists in the correspondence table, the ASR returning to the second terminal a DHCP NAK message refusing renewal;
    when the second MAC address does not exist in the correspondence table, the ASR returning to the second terminal a DHCP ACK message allowing renewal.
  6. The method of claim 5, wherein,
    when the second IP address is not a temporary IP address, the ASR returns to the second terminal a DHCP ACK message allowing renewal.
  7. 一种接入服务节点ASR,包括:An access service node ASR includes:
    第一接收单元,其设置为:接收第一终端发送的动态主机配置协议DHCP发现消息,所述DHCP发现消息携带所述第一终端的第一媒体接入控制MAC地址;a first receiving unit, configured to: receive a dynamic host configuration protocol DHCP discovery message sent by the first terminal, where the DHCP discovery message carries a first media access control MAC address of the first terminal;
    第一判断单元,其设置为:判断所述第一MAC地址是否存在于一对应关系表中,所述对应关系表中记录有已通过身份认证的终端的用户名与MAC地址之间的对应关系;a first determining unit, configured to: determine whether the first MAC address exists in a correspondence relationship table, where the correspondence between the user name and the MAC address of the terminal that has passed the identity authentication is recorded in the correspondence relationship table ;
    第一处理单元,其设置为:在所述第一MAC地址存在于所述对应关系表中时,根据所述对应关系表确定所述第一MAC地址对应的第一用户名,并向身份标识和位置登记寄存器ILR发送携带所述第一用户名的身份标识请求消息;以及,接收所述ILR返回的第一IP地址,并将所述第一IP地址分配给所述第一终端,其中,所述第一IP地址是所述ILR基于所述第一用户名为所述第一终端分配的身份标识。a first processing unit, configured to: determine, according to the correspondence relationship table, a first user name corresponding to the first MAC address, and to identify an identity when the first MAC address exists in the corresponding relationship table And the location registration register ILR sends an identity identification request message carrying the first username; and receives the first IP address returned by the ILR, and allocates the first IP address to the first terminal, where The first IP address is an identity identifier that is allocated by the ILR based on the first user name.
  8. 如权利要求7所述的ASR,还包括: The ASR of claim 7 further comprising:
    a second receiving unit, configured to receive an identity authentication request forwarded by the portal server, the identity authentication request carrying a terminal's MAC address, username and password;
    a recording unit, configured to forward the authentication request to the identity authentication server and, after the terminal has passed identity authentication by the identity authentication server, record the correspondence between the terminal's username and MAC address in the correspondence table.
  9. The ASR of claim 7 or 8, further comprising:
    a second processing unit, configured to, when the first MAC address is not present in the correspondence table, forward the DHCP Discover message to a DHCP server and, by relaying DHCP address allocation messages between the DHCP server and the first terminal, assign to the first terminal a temporary IP address selected by the DHCP server from a temporary IP address pool.
  10. The ASR of claim 9, wherein
    the second processing unit is configured to assign the temporary IP address selected by the DHCP server to the first terminal by forwarding the DHCP Offer message and DHCP ACK message from the DHCP server, and to set the lease of the temporary IP address to a preset value, the preset value being not greater than the maximum tolerable duration between the terminal passing identity authentication and obtaining the IP address allocated by the ILR.
  11. The ASR of claim 10, further comprising:
    a third receiving unit, configured to receive a DHCP lease renewal message sent by a second terminal, the DHCP lease renewal message carrying a second MAC address of the second terminal and a second IP address currently in use;
    a second determining unit, configured to determine whether the second IP address is a temporary IP address;
    a third determining unit, configured to, when the second IP address is a temporary IP address, further determine whether the second MAC address is present in the correspondence table;
    a third processing unit, configured to, when the second MAC address is present in the correspondence table, return to the second terminal a DHCP NAK message refusing the lease renewal;
    a fourth processing unit, configured to, when the second MAC address is not present in the correspondence table, return to the second terminal a DHCP ACK message allowing the lease renewal.
  12. The ASR of claim 10, further comprising:
    a fifth processing unit, configured to, when the second IP address is not a temporary IP address, return to the second terminal a DHCP ACK message allowing the lease renewal.
  13. A computer program comprising program instructions which, when executed by an ASR, cause the ASR to perform the method of any one of claims 1 to 6.
  14. A computer-readable storage medium carrying the computer program of claim 13.
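The ASR-side DHCP decision logic of claims 9 to 12 (temporary address for an unknown MAC, lease capped at a preset value, NAK on renewal once the MAC has been authenticated, plain ACK otherwise) is shown below as an added example. This is illustration code written for this page, not code from the patent or from ZTE. Everything concrete in it is an assumption: the temporary pool 10.255.0.0/16, the 60-second preset lease, the 300-second maximum tolerable wait, the message and DHCP-server stand-ins, and the MAC and username values.

```python
"""Added example, not part of the patent text: a simulation of the ASR-side DHCP
decision logic in claims 9-12.

Assumptions (all hypothetical, chosen for illustration): temporary pool
10.255.0.0/16, preset lease 60 s, maximum tolerable auth-to-ILR-address wait 300 s,
and in-memory stand-ins for DHCP messages and the DHCP server.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress

TEMP_POOL = ipaddress.ip_network("10.255.0.0/16")   # assumed temporary IP address pool
MAX_TOLERABLE_WAIT = 300                             # assumed: seconds from auth to ILR address
TEMP_LEASE = 60                                      # assumed preset value (claim 10)
assert TEMP_LEASE <= MAX_TOLERABLE_WAIT, "claim 10: preset lease must not exceed the tolerable wait"


@dataclass
class DhcpMessage:
    kind: str                       # DISCOVER, OFFER, REQUEST (renewal), ACK, NAK
    mac: str
    ip: Optional[str] = None
    lease: Optional[int] = None     # seconds


class DhcpServer:
    """Stand-in for the external DHCP server; it only hands out temporary-pool addresses."""

    def __init__(self, pool: ipaddress.IPv4Network = TEMP_POOL) -> None:
        self._hosts = pool.hosts()

    def offer(self, mac: str) -> DhcpMessage:
        return DhcpMessage("OFFER", mac, str(next(self._hosts)), 86400)

    def ack(self, offer: DhcpMessage) -> DhcpMessage:
        return DhcpMessage("ACK", offer.mac, offer.ip, offer.lease)


class Asr:
    """Access service router relaying DHCP between a terminal and the DHCP server."""

    def __init__(self, dhcp: DhcpServer) -> None:
        self.dhcp = dhcp
        self.correspondence: Dict[str, str] = {}   # MAC -> username (claim 8)

    def on_auth_success(self, mac: str, username: str) -> None:
        # Claim 8: record the binding once the identity server has authenticated the user.
        self.correspondence[mac] = username

    @staticmethod
    def is_temporary(ip: str) -> bool:
        return ipaddress.ip_address(ip) in TEMP_POOL

    def handle_discover(self, msg: DhcpMessage) -> Optional[DhcpMessage]:
        """Claims 9-10: unknown MAC -> relay to the DHCP server and cap the lease."""
        if msg.mac in self.correspondence:
            # Authenticated terminal: served an ILR-assigned address by the earlier
            # claims; that path is not modelled here.
            return None
        offer = self.dhcp.offer(msg.mac)
        offer.lease = min(offer.lease, TEMP_LEASE)   # ASR overrides the server's lease
        ack = self.dhcp.ack(offer)
        ack.lease = min(ack.lease, TEMP_LEASE)
        return ack

    def handle_renew(self, msg: DhcpMessage) -> DhcpMessage:
        """Claims 11-12: NAK only a temporary address whose MAC is now authenticated."""
        if not self.is_temporary(msg.ip):
            return DhcpMessage("ACK", msg.mac, msg.ip)            # claim 12
        if msg.mac in self.correspondence:
            return DhcpMessage("NAK", msg.mac, msg.ip)            # claim 11: force a new DISCOVER
        return DhcpMessage("ACK", msg.mac, msg.ip, TEMP_LEASE)    # still unauthenticated


def run_scenario() -> list:
    """Constructed walk-through: unknown terminal, renewal, authentication, renewal."""
    asr = Asr(DhcpServer())
    mac = "00:11:22:33:44:55"                                   # constructed sample MAC
    ack = asr.handle_discover(DhcpMessage("DISCOVER", mac))
    steps = [(ack.kind, ack.ip, ack.lease)]
    renew1 = asr.handle_renew(DhcpMessage("REQUEST", mac, ack.ip))
    steps.append((renew1.kind, renew1.ip, renew1.lease))
    asr.on_auth_success(mac, "alice")                           # portal + identity server succeed
    renew2 = asr.handle_renew(DhcpMessage("REQUEST", mac, ack.ip))
    steps.append((renew2.kind, renew2.ip, renew2.lease))
    return steps


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The short lease is what makes the scheme converge: the terminal comes back within the preset lease, and the NAK in claim 11 pushes an authenticated terminal out of the temporary pool and back through DISCOVER to receive its identity address. Note that every decision in claims 9 to 12 is keyed on the terminal's MAC address, so the correspondence table is only as trustworthy as the access layer's binding of MAC to port or session; that is a general property of MAC-keyed authorization, not something the claims address.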
PCT/CN2014/094131 2014-06-27 2014-12-17 Address allocation method in subscriber identifier and locator separation network, and access service router WO2015196755A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410301968.8A CN105323325A (en) 2014-06-27 2014-06-27 Address assignment method for identity and position separation network, and access service node
CN201410301968.8 2014-06-27

Publications (1)

Publication Number Publication Date
WO2015196755A1 true WO2015196755A1 (en) 2015-12-30

Family

ID=54936662

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/094131 WO2015196755A1 (en) 2014-06-27 2014-12-17 Address allocation method in subscriber identifier and locator separation network, and access service router

Country Status (2)

Country Link
CN (1) CN105323325A (en)
WO (1) WO2015196755A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254575A (en) * 2016-09-09 2016-12-21 广州酷狗计算机科技有限公司 Method and apparatus for determining an ID
EP3512181A4 (en) * 2016-09-09 2019-08-21 New H3C Technologies Co., Ltd. Network access control

Families Citing this family (5)

Publication number Priority date Publication date Assignee Title
CN106255089B (en) * 2016-08-26 2019-09-17 杭州迪普科技股份有限公司 Method and apparatus for wireless Layer 3 roaming
CN110581902A (en) * 2019-09-06 2019-12-17 迈普通信技术股份有限公司 Address allocation method, system, DHCP server and authentication server
CN112714370B (en) * 2019-10-26 2022-06-24 华为技术有限公司 Service configuration method, device and system
CN112689031A (en) * 2021-01-08 2021-04-20 杭州雾联科技有限公司 IP address allocation method, device and medium
CN114567547B (en) * 2021-04-19 2024-01-19 浙江正泰电器股份有限公司 Device networking method, system, device, communication management device and storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101217575A (en) * 2008-01-18 2008-07-09 杭州华三通信技术有限公司 An IP address allocation and device in user end certification process
CN102307247A (en) * 2011-08-22 2012-01-04 神州数码网络(北京)有限公司 Dynamic address allocation method for dynamic host configuration protocol (DHCP) and system
CN103414709A (en) * 2013-08-02 2013-11-27 杭州华三通信技术有限公司 User identity binding and user identity binding assisting method and device

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN102244866B (en) * 2011-08-18 2016-01-20 杭州华三通信技术有限公司 Gate verification method and access controller

Cited By (4)

Publication number Priority date Publication date Assignee Title
CN106254575A (en) * 2016-09-09 2016-12-21 广州酷狗计算机科技有限公司 Method and apparatus for determining an ID
EP3512181A4 (en) * 2016-09-09 2019-08-21 New H3C Technologies Co., Ltd. Network access control
CN106254575B (en) * 2016-09-09 2019-11-05 广州酷狗计算机科技有限公司 Method and apparatus for determining a user identifier
US11159524B2 (en) 2016-09-09 2021-10-26 New H3C Technologies Co., Ltd. Network access control

Also Published As

Publication number Publication date
CN105323325A (en) 2016-02-10

Similar Documents

Publication Publication Date Title
EP3821622B1 (en) Systems and methods for enabling private communication within a user equipment group
WO2015196755A1 (en) Address allocation method in subscriber identifier and locator separation network, and access service router
US10050971B2 (en) Portal authentication method and access controller
CN111010673B (en) Communication method and device
US10142159B2 (en) IP address allocation
WO2020083288A1 (en) Safety defense method and apparatus for dns server, and communication device and storage medium
US9596209B2 (en) Causing client device to request a new internet protocol address based on a link local address
WO2018192179A1 (en) Ip address allocation method and device
CN107547351B (en) Address allocation method and device
CN103442328B (en) A kind of method for controlling quality of service of internet-of-things terminal and system
CN114385314A (en) Internet of things equipment data migration system, method and device and storage medium
US9634917B2 (en) Method and system for detecting use of wrong internet protocol address
US20240098806A1 (en) Service data flow continuity for a ue in a system involving a gateway device
CN104253798A (en) Network security monitoring method and system
US20060193330A1 (en) Communication apparatus, router apparatus, communication method and computer program product
JP2013509837A (en) Method and system for realizing identity and location mapping
WO2009079896A1 (en) User access authentication method based on dynamic host configuration protocol
WO2018054272A1 (en) Data transmission method and device, and computer storage medium
WO2020029793A1 (en) Internet access behavior management system, device and method
US20240098583A1 (en) PDU session continuity for a UE moving between a telecommunications network and a gateway device
KR100739299B1 (en) An IP Automatic Assignment's Method in the way of Central IP Management thorugh Intermediate DHCP Server
CN108306807B (en) Account opening management method and device
KR102023115B1 (en) Communication method based on integrated flat id and system
KR100461538B1 (en) Method of Dynamic IP Address allocation/release on Diameter Server
US20210051076A1 (en) A node, control system, communication control method and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14895847; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14895847; Country of ref document: EP; Kind code of ref document: A1)