CN101951380B - Access control method and device used therein in dual-stack lite network - Google Patents

Publication number: CN101951380B (granted); earlier publication CN101951380A
Application number: CN201010294845.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 林涛
Original assignee: Hangzhou H3C Technologies Co Ltd
Current assignee: New H3C Technologies Co Ltd (as listed by Google Patents; not a legal conclusion)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Classification: Data Exchanges In Wide-Area Networks
Abstract

The invention discloses an access control method, and a device using it, for a dual-stack lite (DS-Lite) network; it applies to controlling client access to the IPv4 network where an IPv4 network and an IPv6 network coexist. The method comprises the following steps: the access device obtains the client's IPv4 network access right information, the client's address and the address of the network protection equipment (NPE) allocated to the client, and sets a corresponding packet forwarding rule according to the obtained IPv4 network access right information, the client address and the NPE address corresponding to the client; when it receives a packet sent by the client, the access device controls forwarding of the packet according to the packet forwarding rule that was set. The invention can thereby enforce per-user rights for access to the IPv4 network.

Description

Access control method in a DS-Lite network and device therefor
Technical field
The present invention relates to the field of communications technology, and in particular to an access control method in a DS-Lite (light-weight dual-stack) network and a device for it.
Background technology
With the convergence of mobile communications and the Internet and the continuous growth in kinds of communication services, IPv4 addresses are about to run out. Although the almost inexhaustible IPv6 address space and its related technology exist, the deployed network base and factors such as the operators' return on equipment investment mean that IPv6 deployment cannot be completed in one step; IPv4 networks and IPv6 networks will coexist for a long period.
Because IPv4 addresses are scarce while IPv4 services keep growing fast, the many edge devices that support only IPv4 cannot all be replaced by dual-stack devices in a short time. Newly added IPv4 broadband deployments must therefore cope with edge devices that cannot obtain a global IPv4 address.
From the point of view of the ISP (Internet Service Provider), its IPv4 clients need to reach IPv4 servers on the Internet, but it has no spare IPv4 addresses to assign to those clients. The ISP also wants to deploy IPv6 in its core network to solve the IPv4 address shortage, but because backward compatibility with IPv4 must be kept, the cost of upgrading to IPv6 is out of proportion to the benefit, which makes IPv6 deployment harder. It is therefore worthwhile to use DS-Lite (Dual-Stack Lite) technology, which addresses the IPv4 address shortage while minimising changes to the network topology and replacement of equipment.
DS-Lite, proposed by the IETF (Internet Engineering Task Force), allows different IPv4 edge devices in the same ISP network to use overlapping IPv4 addresses, slowing the exhaustion of IPv4 addresses.
Fig. 1 shows one DS-Lite implementation. As shown in Fig. 1, DS-Lite first encapsulates the user's private-network IPv4 packets in an IPv6 tunnel; when they reach the NPE (the network equipment at the tunnel end, which the DS-Lite standard calls the AFTR) the IPv4 packets are decapsulated and NAT (Network Address Translation) is applied. The user's IPv6 address distinguishes the different user private networks, so the private address spaces may overlap.
The user must know the remote endpoint of the uplink tunnel, i.e. the address of the NPE. The NPE address can be configured manually on the CPE (customer premises equipment), but that is inconvenient to deploy. To let the operator tell the user the NPE address, the DS-Lite scheme provides a standard mechanism that dynamically notifies the CPE through a DHCPv6 option: after the CPE comes online, the NPE address that the user should connect to is delivered to the CPE, the user is authorised to use that NPE, and the process is carried out by the DHCPv6 protocol.
In existing IPv4 networks, a user's IPv4 access rights are controlled accordingly. After an upgrade to an IPv6 network, the user's IPv6 access rights can be limited in the same way. The control point is chosen at the BAS (Broadband Access Server), because the BAS sits on the operator side and is the common access point of all users, which makes it convenient for the operator to control. There are many concrete authentication mechanisms, such as 802.1x, Portal and PPPoE.
802.1x is a standard network authentication protocol developed by the IEEE. Its access control is port-based: before the user authenticates, the port is closed for packet forwarding and is in the controlled state, and only authentication protocol packets (EAPOL packets) may pass; the user authenticates by exchanging EAPOL protocol packets; after authentication succeeds the port is opened and enters the uncontrolled state, and the user may access the network; when the user goes offline the port returns to the controlled state and waits for the user to authenticate again. Implementations of 802.1x also have extensions that control user rights by IP address, MAC (Media Access Control) address and so on.
In the Portal authentication mechanism the BAS pushes a web page to the user, the user enters a user name and password on the page to authenticate, and after authentication succeeds the user's access rights are opened according to information such as the IP address and MAC address.
In PPPoE authentication the BAS acts as the PPPoE server, the user's PC or CPE device logs in to the BAS remotely and authenticates, and the BAS then opens the user's access rights.
After DS-Lite access is deployed, the network structure may be as shown in Fig. 2. The DHCPv6 server is connected to the BAS, the NPE is connected between the BAS and the IPv4 network, and the IPv4-in-IPv6 packets sent by the CPE (i.e. IPv4 packets encapsulated in the IPv6 tunnel) are decapsulated at the NPE and then enter the IPv4 network.
In the course of making the present invention, the inventor found that the prior art has at least the following defect:
In the existing scheme, the BAS can apply only coarse-grained rights control to DS-Lite users: 802.1x can control only at port level, and Portal (web authentication) can control only the outer IP address of the packet. There is almost no control over the IPv4 private-network packets inside the user's tunnel, so the user's IPv4 access rights cannot be restricted.
Summary of the invention
The object of the present invention is to provide an access control method in a DS-Lite network, and a device for it, to solve the problem that, where an IPv4 network and an IPv6 network coexist, existing DS-Lite technology cannot control a user's IPv4 network access rights. To this end the present invention adopts the following technical scheme:
An access control method in a DS-Lite network, applied to controlling client access to the IPv4 network in a network where IPv4 and IPv6 coexist, the method comprising:
the access device obtains the client's IPv4 network access right information, the client's address and the address of the network equipment (NPE) allocated to the client, and sets a corresponding packet forwarding rule according to the obtained IPv4 network access right information, the client address and the NPE address corresponding to it;
when the access device receives a packet sent by the client, it controls forwarding of the packet according to the packet forwarding rule that was set.
In the above method, when there is only one NPE in the network, the packet forwarding rule comprises:
where the IPv4 network access right information shows that the client is allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
where the IPv4 network access right information shows that the user is not allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are not allowed through.
In the above method, when there are several NPEs in the network and an NPE network segment is allocated to the client, the packet forwarding rule comprises:
where the IPv4 network access right information shows that the client is allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
packets whose source address is the client address and whose destination address is an address in the network segment of the NPE corresponding to the client address are not allowed through;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are allowed through;
where the IPv4 network access right information shows that the user is not allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
packets whose source address is the client address and whose destination address is an address in the network segment of the NPE corresponding to the client address are not allowed through.
In the above method, the client's IPv4 network access right information is carried in an authentication extension attribute in the client's authentication packet, and the access device obtains the client's IPv4 network access right information specifically by:
exchanging the client's authentication information with the authentication server and obtaining the client's IPv4 network access right information carried in it.
In the above method, the access device obtains the client's address and the address of the network equipment (NPE) allocated to the client specifically by:
monitoring the exchange between the client and the DHCPv6 server, and obtaining from it the client's address and the address of the NPE allocated to the client.
An access device, applied to controlling client access to the IPv4 network in a network where IPv4 and IPv6 coexist, the access device comprising:
a first acquisition module, for obtaining the client's IPv4 network access right information;
a second acquisition module, for obtaining the client's address and the address of the network equipment (NPE) allocated to the client;
a rule setting module, for setting the corresponding packet forwarding rule according to the IPv4 network access right information obtained by the first acquisition module and the client address and corresponding NPE address obtained by the second acquisition module;
a packet forwarding module, for controlling forwarding of a packet received from the client according to the packet forwarding rule set by the rule setting module.
In the above access device, when there is only one NPE in the network, the packet forwarding rule set by the rule setting module comprises:
where the IPv4 network access right information shows that the client is allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
where the IPv4 network access right information shows that the user is not allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are not allowed through.
In the above access device, when there are several NPEs in the network and an NPE network segment is allocated to the client, the packet forwarding rule set by the rule setting module comprises:
where the IPv4 network access right information shows that the client is allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
packets whose source address is the client address and whose destination address is an address in the network segment of the NPE corresponding to the client address are not allowed through;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are allowed through;
where the IPv4 network access right information shows that the user is not allowed to use the NPE to access the IPv4 network:
packets whose source address is the client address are allowed through;
packets whose source address is the client address and whose destination address is an address in the network segment of the NPE corresponding to the client address are not allowed through.
In the above access device, the first acquisition module is specifically used to obtain the client's IPv4 network access right information by exchanging the client's authentication information with the authentication server and extracting the right information carried in it.
In the above access device, the second acquisition module is specifically used to obtain the client's address and the address of the NPE allocated to the client by monitoring the exchange between the client and the DHCPv6 server.
The present invention has the following beneficial effect:
The access device obtains the client's IPv4 network access right information, the client's address and the address of the network equipment (NPE) allocated to the client, and sets a corresponding packet forwarding rule according to the obtained IPv4 network access right information, the client address and the corresponding NPE address; it can then control forwarding of the packets sent by the client according to that rule. A packet forwarding rule normally either allows a packet through or forbids it, so the present invention can control whether a user accesses the IPv4 network through the NPE.
Description of drawings
Fig. 1 is a schematic diagram of a DS-Lite implementation in the prior art;
Fig. 2 is a schematic diagram of the DS-Lite network architecture in the prior art;
Fig. 3 is a schematic diagram of the RADIUS extension in the embodiment of the invention;
Fig. 4 is a flow chart of access control in a DS-Lite network provided by the embodiment of the invention;
Fig. 5 is a structural diagram of the access device provided by the embodiment of the invention.
Detailed description
In order to control IPv4 access rights in the DS-Lite network architecture, and so keep the DS-Lite network manageable, the embodiment of the invention provides a technical scheme that restricts which NPE a user may reach and thereby restricts the user's IPv4 network access rights.
In the embodiment of the invention, the network architecture with DS-Lite deployed may be as shown in Fig. 2, where the NPE address can be dynamically notified by DHCPv6 messages exchanged between the DHCPv6 server and the CPE through the BAS. In the original IPv4 network access rights control scheme the user's access rights are controlled by the BAS device; to keep this consistent, after DS-Lite is deployed the user's rights to access the IPv4 network are still controlled by the BAS device in this embodiment. Because only the IPv6 protocol runs between the CPE and the BAS, the original IP-address rights control on the BAS will continue to operate on IPv6 addresses; the embodiment does not restrict this.
For the BAS to limit a user's IPv4 access rights is to control the user's rights to reach the NPE address. Whatever NPE address allocation method is used at deployment, as long as the BAS can obtain in real time the association between the NPE address and the user, together with the user's authorisation information, it can apply the corresponding control.
For the BAS to obtain the NPE address allocated to a user it must be aware of the NPE allocation process, which may be manual allocation or allocation by the DHCPv6 protocol. In the embodiment of the invention, if the NPE address is configured manually on the CPE, the corresponding configuration must also be made on the NPE, and the correspondence between NPE address and user must be synchronised to the BAS device, so that the BAS can control the corresponding user's right to access the IPv4 network from this correspondence and the authenticated user's information; if the NPE address is allocated by the DHCPv6 protocol exchange, the BAS device can listen to the user's DHCPv6 exchange and learn the user's IP address and the IP address of the corresponding NPE, i.e. the correspondence between NPE address and user.
The BAS device may further record the user IP address and corresponding NPE address obtained by manual configuration or by listening in a user information table. Table 1 shows such a table, recording the correspondence between a user's IP address and the NPE address allocated to it.
Table 1: user information table

  User name | IP address | NPE address | ...
  User A    | IP A       | NPE A       | ...
  User B    | IP B       | NPE B       | ...
  ...       | ...        | ...         | ...

The correspondence between IP address and NPE address in this table is used for the subsequent IPv4 rights control. If the authenticated user is allowed to use the NPE recorded for it in the user information table, a corresponding packet filtering rule is set on the BAS so that the forwarding plane lets the user reach that NPE; if the user is not allowed to use the NPE recorded for it in the user information table, a corresponding packet filtering rule is set on the BAS so that the forwarding plane forbids the user from reaching that NPE.
Specifically, suppose the user's IP address is IP A, there is only one NPE in the network, denoted NPE A, and the user information table records the correspondence between IP A and NPE A; then the packet filtering rules can be set as follows:
(1) where the IPv4 network access authorisation information allows the user to use the NPE to access the IPv4 network, the following rule is set:
packets with source IP A are allowed through;
(2) where the IPv4 network access authorisation information does not allow the user to use the NPE to access the IPv4 network, the following rules are set:
packets with source IP A are allowed through;
packets with source IP A and destination IP NPE A are not allowed through.
With the above filtering rules, in a network with only one NPE: when the authenticated user's allocated NPE address is NPE A and the user's IPv4 network access authorisation allows use of the NPE, packets that the user's client sends to NPE A are forwarded by the BAS to NPE A and so reach the IPv4 network, realising IPv4 network access; when the allocated NPE address is NPE A but the authorisation does not allow the user to use NPE A, packets that the client sends to NPE A are not forwarded by the BAS device to NPE A, and access to the IPv4 network is thus forbidden. For these rules to have that effect, the rule that matches both source and destination must take precedence over the rule that matches the source alone, i.e. the more specific rule is applied first. It can be seen that setting the above filtering rules solves the problem of IPv4 access rights control in the DS-Lite network and also protects the NPE in the DS-Lite network.
When many users are connected it is usually necessary to deploy several NPEs to share the user load. For this case, in the embodiment of the invention, several NPEs can be planned in the same network segment, and one or more NPEs in the same segment can be allocated to the same user, so that rights control can conveniently use the network segment.
Specifically, suppose the user's IP address is IP A, NPE A belongs to network segment NET A, and the user information table records the correspondence between IP A and NPE A; then the packet filtering rules can be set as follows:
(1) where the IPv4 network access authorisation information allows the user to use the NPE to access the IPv4 network, the following rules can be set:
packets with source IP A are allowed through;
packets with source IP A and destination IP in NET A are not allowed through;
packets with source IP A and destination IP NPE A are allowed through.
(2) where the IPv4 network access authorisation information does not allow the user to use the NPE to access the IPv4 network, the following rules can be set:
packets with source IP A are allowed through;
packets with source IP A and destination IP in NET A are not allowed through.
With the above filtering rules, in a network with several NPEs: when the user's IPv4 network access authorisation allows use of the NPE, the BAS forwards the packets that the user's client sends to its NPE to that NPE (but not to other NPEs in the segment), so they reach the IPv4 network and IPv4 network access is realised; when the authorisation does not allow use of the NPE, the BAS forwards packets from the client neither to that NPE nor to any other NPE in the segment to which it belongs, so access to the IPv4 network is forbidden. Here too the more specific rules must take precedence over the general "source IP A" rule. It can be seen that setting the above filtering rules solves the problem of IPv4 access rights control in the DS-Lite network and also protects the NPE in the DS-Lite network. Where the operator has several NPEs, adopting the packet forwarding rules of the embodiment avoids the problem in the prior art that a user who has learnt an NPE address can freely connect to any NPE in that NPE's network segment and affect the operation of the carrier network.
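The two rule sets above, single-NPE and multi-NPE, as an added example that is not part of the patent text. It builds the BAS filter for one Table 1 entry and evaluates the outer IPv6 header of constructed IPv4-in-IPv6 packets against it. The example assumes a first-match filter, so it emits the rules most-specific first (the patent lists the general "source IP A" rule first, which only works on a device that prefers the more specific match), drops anything no rule covers, and uses documentation addresses (2001:db8::/32) and a single client; none of those choices come from the page.

```python
"""Added example (not from the patent): BAS packet-filter rules for the
single-NPE and multi-NPE cases, with first-match evaluation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOW, DENY = "allow", "deny"
Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Rule:
    action: str
    src: Net            # client address as a /128
    dst: Optional[Net]  # None matches any destination

    def matches(self, src_ip: ipaddress.IPv6Address,
                dst_ip: ipaddress.IPv6Address) -> bool:
        return src_ip in self.src and (self.dst is None or dst_ip in self.dst)


def build_rules(client_ip: str, npe_ip: str, allowed: bool,
                npe_segment: Optional[str] = None) -> List[Rule]:
    """Rules for one user-table entry (client_ip -> npe_ip).

    npe_segment is None for the single-NPE network, or the NPE subnet
    (e.g. '2001:db8:ffff::/64') when several NPEs share one segment.
    Rules are ordered most-specific first (assumption: first-match filter).
    """
    src = Net(client_ip + "/128")
    npe = Net(npe_ip + "/128")
    rules: List[Rule] = []
    if npe_segment is None:
        if not allowed:
            rules.append(Rule(DENY, src, npe))      # case (2): block the assigned NPE
    else:
        seg = Net(npe_segment)
        if allowed:
            rules.append(Rule(ALLOW, src, npe))     # only the assigned NPE ...
        rules.append(Rule(DENY, src, seg))          # ... never another NPE in NET A
    rules.append(Rule(ALLOW, src, None))            # all other IPv6 traffic from the client
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First-match lookup on the outer IPv6 header; no match means deny (fail closed)."""
    s, d = ipaddress.IPv6Address(src_ip), ipaddress.IPv6Address(dst_ip)
    for r in rules:
        if r.matches(s, d):
            return r.action
    return DENY


# Constructed sample data in the style of Table 1 (documentation addresses).
CLIENT_A, NPE_A, NPE_B = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:ffff::2"
NPE_SEGMENT = "2001:db8:ffff::/64"          # NET A: segment shared by NPE A and NPE B
OTHER_V6 = "2001:db8:5::1"                  # an ordinary IPv6 destination, not an NPE


def decisions(allowed: bool, multi_npe: bool) -> Dict[str, str]:
    """Decision for each interesting destination under one authorisation."""
    rules = build_rules(CLIENT_A, NPE_A, allowed, NPE_SEGMENT if multi_npe else None)
    return {dst: evaluate(rules, CLIENT_A, dst) for dst in (NPE_A, NPE_B, OTHER_V6)}


if __name__ == "__main__":
    for allowed in (True, False):
        for multi in (False, True):
            print(f"allowed={allowed} multi_npe={multi}: {decisions(allowed, multi)}")
```

The four combinations reproduce the behaviour the text describes: in the multi-NPE network an authorised user reaches NPE A but not NPE B in the same segment, and an unauthorised user reaches neither, while ordinary IPv6 traffic from the client is unaffected. A packet from an address that has no table entry matches nothing and is dropped, which is the safe default for a BAS that has not yet seen the user's DHCPv6 exchange.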
Whether a user may access the IPv4 network can be conveyed by extending an AAA (Authentication, Authorization, Accounting) protocol such as RADIUS (Remote Authentication Dial In User Service). The RADIUS authorisation information can be carried in an extended RADIUS attribute. Because the RADIUS protocol itself supports attribute extension, the embodiment of the invention can use a private extended RADIUS attribute whose format follows that of attribute 26 (Vendor-Specific) of RFC 2865, shown in Fig. 3. Within it the extension uses a TLV (Type, Length, Value) sub-attribute: Type is one byte with value 100, Length is one byte with value 6, and the remaining 4 bytes carry the concrete control policy, with different values identifying different control modes. For example, 0x0001 indicates that this user requires IPv4 control (i.e. is not allowed to access the IPv4 network) and 0x0002 indicates that no IPv4 control is needed (i.e. IPv4 network access is allowed); the remaining values are reserved for future extension. After the user passes RADIUS authentication, the user's control policy attribute shown in Fig. 3 can be delivered to the BAS device, so that the BAS can decide from the value of this attribute whether the authenticated user is allowed to access the IPv4 network.
It should be noted that RADIUS is one kind of AAA protocol; other AAA protocols can be extended in a similar way to control IPv4 access rights.
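The attribute layout just described, encoded and decoded as an added example rather than code from the patent or its assignee. The Vendor-Id that RFC 2865 places inside attribute 26 is not given on the page, so the example uses 32473, the enterprise number RFC 5612 reserves for documentation; an operator would substitute its own. Any attribute that is absent, malformed, from another vendor or carrying a reserved value is treated as "not allowed", since the patent leaves those values reserved and the safe default for an access device is to deny.

```python
"""Added example (not from the patent): RADIUS Vendor-Specific attribute
(type 26) carrying the IPv4 control policy sub-TLV (type 100, length 6)."""
import struct

VENDOR_ID = 32473      # assumed: RFC 5612 documentation enterprise number
VSA_TYPE = 26          # RFC 2865 Vendor-Specific
POLICY_SUBTYPE = 100   # vendor sub-attribute type used by the patent
POLICY_SUBLEN = 6      # 1 byte type + 1 byte length + 4 byte value
IPV4_DENIED = 0x0001   # user requires IPv4 control
IPV4_ALLOWED = 0x0002  # no IPv4 control needed


def encode_policy_vsa(policy: int, vendor_id: int = VENDOR_ID) -> bytes:
    """Attribute bytes: Type=26, Length, Vendor-Id, then the policy sub-TLV."""
    sub = struct.pack("!BBI", POLICY_SUBTYPE, POLICY_SUBLEN, policy)
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def iter_attributes(attrs: bytes):
    """Yield (type, value) from a RADIUS attribute list; stop at the first malformed one."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return
        yield t, attrs[i + 2:i + length]
        i += length


def ipv4_allowed(attrs: bytes, vendor_id: int = VENDOR_ID) -> bool:
    """True only if a well-formed policy sub-attribute for our vendor says IPV4_ALLOWED.

    Absent attribute, wrong vendor, bad lengths or a reserved value all yield
    False, so the BAS fails closed.
    """
    for t, v in iter_attributes(attrs):
        if t != VSA_TYPE or len(v) < 4:
            continue
        if struct.unpack("!I", v[:4])[0] != vendor_id:
            continue
        j = 4
        while j + 2 <= len(v):
            st, sl = v[j], v[j + 1]
            if sl < 2 or j + sl > len(v):
                break
            if st == POLICY_SUBTYPE and sl == POLICY_SUBLEN:
                value = struct.unpack("!I", v[j + 2:j + 6])[0]
                return value == IPV4_ALLOWED
            j += sl
    return False


if __name__ == "__main__":
    # Constructed attribute list: a User-Name (type 1) followed by the policy VSA.
    access_accept_attrs = b"\x01\x07userA" + encode_policy_vsa(IPV4_ALLOWED)
    print("IPv4 allowed:", ipv4_allowed(access_accept_attrs))
    print("Reserved value 0x0003 allowed:", ipv4_allowed(encode_policy_vsa(0x0003)))
```

The decoder walks the attribute list with explicit length checks because an Access-Accept from a misconfigured or compromised RADIUS server is still untrusted input to the BAS; a length that runs past the buffer ends parsing rather than reading beyond it.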
According to group-network construction shown in Figure 2, Fig. 4 shows the access control flow process in a kind of light-weight dual-stack networking that the embodiment of the invention provides, this flow process is example with the PPP authentication, has described the process that the IPv4 network access authority of authorized user is controlled, and this flow process can comprise:
Step 401, CPE sets up PPP with BAS and is connected.
Step 402, BAS and aaa server interactive user authentication information include user's IPv4 network access authority information in this user authentication information, and this authority information shows that this authorized user can use NPE visit IPv4 network.
In this step, can be by the mode of advanced radius attribute, as shown in Figure 3, in the RADIUS of message identifying extended attribute, be provided for identifying the attribute that whether allows the user to use NPE visit IPv4, whether allow this authorized user to use NPE visit IPv4 network thereby BAS can be known.
Step 403, address and relevant configuration information are obtained in CPE and DHCPv6 server interaction, comprise NPE information.
Step 404, BAS intercepts the reciprocal process of CPE and DHCPv6 server in the step 403, thereby obtain information such as NPE address and station address, and the IPv4 network access authority information that gets access in step 402 is combined, the downward message filtering rule is gone up corresponding message port to this BAS.
In this step, the packet filtering rule that BAS issues can adopt ACL (Access Control List (ACL)) rule, according to whether allowing authorized user by the corresponding relation of NPE visit IPv4 network and this authorized user and NPE, issue different ACL, the packet filtering rule that issues is ditto described, does not repeat them here.
Step 405, CPE sends IPv4in IPv6 message.
Step 406, BAS uses the packet filtering rule, checks the message in the step 405, under its situation about passing through of permission, this message is transmitted to NPE.If do not allow it to pass through, then this message be not transmitted to NPE.This flow process is example to allow its situation about passing through.
Step 407, the message of NPE carries out decapsulation, thereby makes this authorized user visit IPv4 network.
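The snooping of step 404, as an added example that is not part of the patent text. The BAS parses a DHCPv6 Reply passing between CPE and server, takes the client's IPv6 address from OPTION_IA_NA / OPTION_IAADDR (RFC 3315) and the tunnel endpoint from OPTION_AFTR_NAME (RFC 6334, the standard DS-Lite DHCPv6 option), and produces the Table 1 entry (client address, NPE address). Two things are assumptions rather than page content: the standard option carries an FQDN, not an address, so a static name-to-address map stands in for whatever resolution step the operator uses; and the Reply is constructed by hand with documentation addresses, not captured traffic.

```python
"""Added example (not from the patent): DHCPv6 Reply snooping on the BAS to
learn the (client address, NPE address) pair for the user information table."""
import ipaddress
import struct
from typing import Dict, Iterator, Optional, Tuple

MSG_REPLY = 7
OPT_IA_NA, OPT_IAADDR, OPT_AFTR_NAME = 3, 5, 64

# Assumed operator mapping from AFTR FQDN to NPE address (not in the patent).
NPE_BY_NAME = {"aftr.example.net": "2001:db8:ffff::1"}


def iter_options(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a DHCPv6 option list; stop silently at the first malformed option."""
    i = 0
    while i + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[i:i + 4])
        if i + 4 + length > len(buf):
            return
        yield code, buf[i + 4:i + 4 + length]
        i += 4 + length


def decode_fqdn(data: bytes) -> Optional[str]:
    """Decode RFC 1035 label encoding, e.g. b'\\x04aftr\\x07example\\x03net\\x00'."""
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        if n == 0:
            return ".".join(labels) or None
        if n > 63 or i + 1 + n > len(data):
            return None
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "strict"))
        i += 1 + n
    return None


def snoop_reply(msg: bytes) -> Optional[Dict[str, str]]:
    """Return {'client': ..., 'npe': ...} or None if either value cannot be learnt."""
    if len(msg) < 4 or msg[0] != MSG_REPLY:
        return None
    client = npe = None
    for code, val in iter_options(msg[4:]):          # skip msg-type + transaction-id
        if code == OPT_IA_NA and len(val) >= 12:
            for sub, subval in iter_options(val[12:]):   # skip IAID, T1, T2
                if sub == OPT_IAADDR and len(subval) >= 24 and client is None:
                    client = str(ipaddress.IPv6Address(subval[:16]))
        elif code == OPT_AFTR_NAME:
            name = decode_fqdn(val)
            npe = NPE_BY_NAME.get(name) if name else None
    if client is None or npe is None:
        return None
    return {"client": client, "npe": npe}


def build_reply(client_ip: str, aftr_fqdn: Optional[str]) -> bytes:
    """Construct a minimal DHCPv6 Reply for the example (sample data, not a capture)."""
    def opt(code: int, data: bytes) -> bytes:
        return struct.pack("!HH", code, len(data)) + data
    iaaddr = opt(OPT_IAADDR, ipaddress.IPv6Address(client_ip).packed
                 + struct.pack("!II", 3600, 7200))          # preferred, valid lifetime
    ia_na = opt(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + iaaddr)  # IAID, T1, T2
    msg = bytes([MSG_REPLY]) + b"\x00\x00\x01" + ia_na
    if aftr_fqdn:
        labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in aftr_fqdn.split("."))
        msg += opt(OPT_AFTR_NAME, labels + b"\x00")
    return msg


if __name__ == "__main__":
    print(snoop_reply(build_reply("2001:db8:1::10", "aftr.example.net")))
    print(snoop_reply(build_reply("2001:db8:1::10", None)))   # no AFTR option: no entry
```

A Reply without an AFTR option, or naming an AFTR the operator has not mapped, yields no table entry and therefore no rules, which is the conservative outcome. In a deployment the BAS should only honour Replies arriving on its server-facing side, otherwise a client could forge a Reply and choose its own NPE binding.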
Based on identical technical conceive, the embodiment of the invention also provides a kind of access device (as BAS equipment), can be applicable to the above-mentioned flow process of the embodiment of the invention.
As shown in Figure 5, the BAS equipment that provides of the embodiment of the invention can comprise:
First acquisition module 501 is for the IPv4 network access authority information of obtaining client;
Second acquisition module 502 is for the address of the network equipment NPE that obtains the address of described client and distribute for this client;
Rule arranges module 503, is used for the IPv4 network access authority information that gets access to according to first acquisition module 501, and the client address that gets access to of second acquisition module 502 and the NPE address corresponding with it, corresponding message is set transmits rule;
Packet forwarding module 504 is used for when receiving the message of described client transmission, according to rule the described message forwarding of message forwarding rule control that module 503 arranges is set.
In the above-mentioned access device, first acquisition module 501 can by with the authentication information of the mutual described client of certificate server, obtain the IPv4 network access authority information of the client of wherein carrying.
In the above-mentioned access device, second acquisition module 502 can be by monitoring the mutual information of described client and Dynamic Host Configuration Protocol server, obtains the address of described client and be the address of the NPE of described client distribution.
When there is only one NPE in the network, the packet forwarding rule set by the rule setting module 503 comprises:
when the IPv4 network access right information indicates that the client is allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
when the IPv4 network access right information indicates that the user is not allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source IP is the client address and whose destination address is the NPE address corresponding to the client address are not allowed to pass.
When there are multiple NPEs in the network and an NPE network segment is assigned to clients, the packet forwarding rule set by the rule setting module 503 comprises:
when the IPv4 network access right information indicates that the client is allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source address is the client address and whose destination address is an address in the network segment to which the NPE corresponding to the client address belongs are not allowed to pass;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are allowed to pass;
when the IPv4 network access right information indicates that the user is not allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source address is the client address and whose destination address is an address in the network segment to which the NPE corresponding to the client address belongs are not allowed to pass.
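As an added example (not code from the patent), the following Python builds the per-client rule sets described above for both the single-NPE and multi-NPE cases and evaluates packets against them. It assumes that rules match on the IPv6 source and destination of the client's packets, that the most specific destination prefix wins (which is what the layered permit/deny/permit rules require), and that a source with no installed rules is dropped; all addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
# Added example, not the patent's own code. Models the forwarding rules the
# access device (BAS) installs per client and a matcher that evaluates them.
# Assumptions: match on IPv6 source/destination, most specific destination
# prefix wins, and a packet whose source has no rules installed is dropped.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv6Address   # client address (exact match)
    dst: ipaddress.IPv6Network   # destination prefix; ::/0 means any
    permit: bool


ANY = ipaddress.IPv6Network("::/0")


def build_rules(client: str, allowed: bool, npe_addr: str,
                npe_segment: Optional[str] = None) -> List[Rule]:
    """Return the rule set for one client.

    npe_segment is None when the network has a single NPE; otherwise it is
    the NPE network segment assigned to clients (multi-NPE case).
    """
    src = ipaddress.IPv6Address(client)
    npe = ipaddress.IPv6Network(npe_addr)        # host address -> /128
    rules = [Rule(src, ANY, True)]               # client traffic passes
    if npe_segment is None:
        if not allowed:                          # single NPE, IPv4 denied:
            rules.append(Rule(src, npe, False))  # block client -> its NPE
    else:
        segment = ipaddress.IPv6Network(npe_segment)
        rules.append(Rule(src, segment, False))  # block client -> any NPE
        if allowed:                              # ... except its own NPE
            rules.append(Rule(src, npe, True))
    return rules


def forward(rules: List[Rule], src: str, dst: str) -> bool:
    """Decide whether a packet from src to dst is forwarded."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    best: Optional[Rule] = None
    for rule in rules:
        if rule.src == s and d in rule.dst:
            if best is None or rule.dst.prefixlen > best.dst.prefixlen:
                best = rule                      # most specific prefix wins
    return best.permit if best is not None else False  # assumed default


if __name__ == "__main__":
    # Constructed sample: one client, its NPE, and the NPE segment.
    client, npe, seg = "2001:db8::1", "2001:db8:ffff::1", "2001:db8:ffff::/64"
    for allowed in (True, False):
        r = build_rules(client, allowed, npe, seg)
        print(allowed, forward(r, client, npe), forward(r, client, "2001:db8:2::5"))
```

A client whose IPv4 right is denied keeps native IPv6 connectivity; only its tunnel to the NPE is cut, which is what removes its IPv4 access.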
It should be noted that in the networking architecture provided by the embodiment of the invention, the DHCPv6 server and the NPE may be integrated with the BAS device; in such an architecture the IPv4 access control scheme provided by the embodiment of the invention is still applicable.
In addition, delivering the NPE through a DHCPv6 option is one standard way of delivering the NPE; if other NPE delivery methods exist, a similar extension can be made.
Those skilled in the art will appreciate that the modules of the device in the embodiment may be distributed within the device as described in the embodiment, or may be changed accordingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art can clearly understand that the invention may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, but the former is the better implementation in many cases. Based on this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the invention.
The above is only a preferred implementation of the invention; it should be pointed out that those skilled in the art may make improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (8)

1. An access control method in a dual-stack lite network, applied to controlling a client's access to an IPv4 network in a network in which an IPv4 network and an IPv6 network coexist, characterised in that it comprises the following steps:
an access device obtains the IPv4 network access right information of a client, the address of the client and the address of the network device NPE allocated to this client, and sets a corresponding packet forwarding rule according to the obtained IPv4 network access right information, client address and corresponding NPE address;
when there is only one NPE in the network, the packet forwarding rule comprises: when the IPv4 network access right information indicates that the client is allowed to use the NPE to access the IPv4 network, the packet forwarding rule is: packets whose source address is the client address are allowed to pass; when the IPv4 network access right information indicates that the user is not allowed to use the NPE to access the IPv4 network, the packet forwarding rule is: packets whose source address is the client address are allowed to pass, and packets whose source IP is the client address and whose destination address is the NPE address corresponding to the client address are not allowed to pass;
when the access device receives a packet sent by the client, it controls forwarding of the packet according to the set packet forwarding rule.
2. The method of claim 1, characterised in that, when there are multiple NPEs in the network and an NPE network segment is assigned to clients, the packet forwarding rule comprises:
when the IPv4 network access right information indicates that the client is allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source address is the client address and whose destination address is an address in the network segment to which the NPE corresponding to the client address belongs are not allowed to pass;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are allowed to pass;
when the IPv4 network access right information indicates that the user is not allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source address is the client address and whose destination address is an address in the network segment to which the NPE corresponding to the client address belongs are not allowed to pass.
3. The method of claim 1 or 2, characterised in that the IPv4 network access right information of the client is carried in an authentication extension attribute in the client's authentication packet, and the access device obtaining the IPv4 network access right information of the client specifically comprises:
the access device exchanging the client's authentication information with the authentication server and obtaining the IPv4 network access right information of the client carried therein.
4. The method of claim 1 or 2, characterised in that the access device obtaining the address of the client and the address of the network device NPE allocated to this client specifically comprises:
the access device snooping the exchange between the client and the DHCP server and obtaining the address of the client and the address of the NPE allocated to the client.
5. An access device, applied to controlling a client's access to an IPv4 network in a network in which an IPv4 network and an IPv6 network coexist, characterised in that it comprises:
a first acquisition module, for obtaining the IPv4 network access right information of the client;
a second acquisition module, for obtaining the address of the client and the address of the network device NPE allocated to this client;
a rule setting module, for setting the corresponding packet forwarding rule according to the IPv4 network access right information obtained by the first acquisition module and the client address and corresponding NPE address obtained by the second acquisition module; when there is only one NPE in the network, the packet forwarding rule set by the rule setting module comprises: when the IPv4 network access right information indicates that the client is allowed to use the NPE to access the IPv4 network, the packet forwarding rule is: packets whose source address is the client address are allowed to pass; when the IPv4 network access right information indicates that the user is not allowed to use the NPE to access the IPv4 network, the packet forwarding rule is: packets whose source address is the client address are allowed to pass, and packets whose source IP is the client address and whose destination address is the NPE address corresponding to the client address are not allowed to pass;
a packet forwarding module, for controlling, when a packet sent by the client is received, the forwarding of that packet according to the packet forwarding rule set by the rule setting module.
6. The access device of claim 5, characterised in that, when there are multiple NPEs in the network and an NPE network segment is assigned to clients, the packet forwarding rule set by the rule setting module comprises:
when the IPv4 network access right information indicates that the client is allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source address is the client address and whose destination address is an address in the network segment to which the NPE corresponding to the client address belongs are not allowed to pass;
packets whose source address is the client address and whose destination address is the NPE address corresponding to the client address are allowed to pass;
when the IPv4 network access right information indicates that the user is not allowed to use the NPE to access the IPv4 network, the packet forwarding rule is:
packets whose source address is the client address are allowed to pass;
packets whose source address is the client address and whose destination address is an address in the network segment to which the NPE corresponding to the client address belongs are not allowed to pass.
7. The access device of claim 5 or 6, characterised in that the first acquisition module is specifically for exchanging the client's authentication information with the authentication server and obtaining the IPv4 network access right information of the client carried therein.
8. The access device of claim 5 or 6, characterised in that the second acquisition module is specifically for snooping the exchange between the client and the DHCP server and obtaining the address of the client and the address of the NPE allocated to the client.
CN201010294845.8A 2010-09-28 2010-09-28 Access control method and device used therein in dual-stack lite network Active CN101951380B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010294845.8A CN101951380B (en) 2010-09-28 2010-09-28 Access control method and device used therein in dual-stack lite network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010294845.8A CN101951380B (en) 2010-09-28 2010-09-28 Access control method and device used therein in dual-stack lite network

Publications (2)

Publication Number Publication Date
CN101951380A CN101951380A (en) 2011-01-19
CN101951380B true CN101951380B (en) 2013-08-28

Family

ID=43454741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010294845.8A Active CN101951380B (en) 2010-09-28 2010-09-28 Access control method and device used therein in dual-stack lite network

Country Status (1)

Country Link
CN (1) CN101951380B (en)


Also Published As

Publication number Publication date
CN101951380A (en) 2011-01-19


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.