CN1248447C - Broadband network access method - Google Patents

Info

Publication number
CN1248447C
Authority
CN
China
Prior art keywords
dhcp
user terminal
request message
network
user
Legal status
Expired - Fee Related
Application number
CNB021178038A
Other languages
Chinese (zh)
Other versions
CN1458761A (en)
Inventor
张群
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
2002-05-15
Filing date
2002-05-15
Publication date
2006-03-29 (grant); application published as CN1458761A on 2003-11-26
Application filed by Huawei Technologies Co Ltd
Priority to CNB021178038A
Publication of CN1458761A
Application granted
Publication of CN1248447C
Current status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention discloses a broadband network access method. In the method, a user terminal sends a DHCP (Dynamic Host Configuration Protocol) request message; after receiving the DHCP request message of the user terminal, a DHCP relay server authenticates the user and checks the user's validity according to the message. If the check passes, the DHCP request message of the user terminal is forwarded to a DHCP server; the DHCP server assigns an IP (Internet Protocol) address to the user terminal and records network initialization information such as the IP address in a DHCP response message; the DHCP relay server forwards the DHCP response message to the user terminal, which obtains the IP address and thereby accesses the network. Otherwise the DHCP relay server discards the DHCP request message of the user terminal and terminates the user's network access. Adopting the present invention prevents illegal users from accessing the network and improves the security of network access.

Description

A broadband network access method
Technical field
The present invention relates to network access methods, and in particular to a broadband network access method.
Background art
In a broadband network, when a user terminal sends a network access request, the server responsible for IP address assignment in the network allocates an Internet Protocol (IP) address to the requesting user terminal so that the terminal can access the network. At present the server responsible for IP address assignment in a broadband network is a DHCP server using the standard Dynamic Host Configuration Protocol (DHCP), which lets the user terminal obtain network initialization information such as its IP address automatically from the DHCP server when it joins the network. The access procedure is as follows: the user terminal first sends a DHCP request message to apply for network access; the DHCP relay server receives the request message and forwards it to the DHCP server; after the DHCP server receives the DHCP request message of the user terminal, it records the IP address and other network initialization information assigned to the user in a DHCP response message and sends it to the DHCP relay server; the DHCP relay server forwards the DHCP response message received from the DHCP server to the user terminal; the user terminal obtains the IP address and thereby accesses the network. As this procedure shows, with the existing network access method the DHCP server assigns an IP address to any user terminal that initiates a DHCP request, whether the user is legitimate or not. This not only wastes IP addresses but also gives an unauthorized user the opportunity to get online without authentication or billing. More seriously, if an unauthorized user maliciously and repeatedly initiates DHCP requests, all IP addresses in the address pool of the DHCP server can be exhausted, and there is no way to control this. The security of the existing network access method is therefore poor.
Summary of the invention
The object of the present invention is to provide a broadband network access method with better security, by which unauthorized users can be restricted from accessing the network.
To achieve the above object, the secure access method for a broadband network provided by the invention comprises:
(1) the user terminal sends a DHCP request message to the DHCP relay server;
(2) after the DHCP relay server receives the DHCP request message of the user terminal, it authenticates the user and checks the user's validity according to the message; if the check passes, it forwards the DHCP request message of this user terminal to the DHCP server and proceeds to step (3); otherwise it discards the DHCP request message of this user terminal and terminates the user's network access;
(3) after the DHCP server receives the DHCP request message of the user terminal, it assigns an IP address to this user terminal, records the IP address and other network initialization information in a DHCP response message, and sends it to the DHCP relay server;
(4) the DHCP relay server forwards the DHCP response message received from the DHCP server to the user terminal, and the user terminal obtains the IP address assigned to it and thereby accesses the network.
Said step (1) is accomplished by the following steps:
(A1) the user terminal sends the DHCP request message to a Layer 2 access device in the network;
(A2) the Layer 2 access device in the network forwards the DHCP request message to the DHCP relay server.
The Layer 2 access device of step (A1) is a network switch.
Step (A1) further comprises: the Layer 2 access device adds a virtual local area network (VLAN) tag to the DHCP request message, the VLAN tag identifying the virtual network identifier (VLAN ID) of the user port through which the Layer 2 access device is accessed.
The authentication and validity check of the user according to the message in step (2) is performed by means of the VLAN ID in the DHCP request message.
Because the present invention authenticates and validity-checks the network access request message sent by the user terminal at the DHCP relay server, filters the DHCP request messages of user terminals according to the check result, and forwards only the DHCP request messages of legitimate users to the DHCP server, it remedies the security hole of the DHCP protocol itself. In an actual implementation the existing DHCP server software need not be changed; only the DHCP relay needs to be modified and extended, which makes the method convenient to apply. Because the present invention can restrict unauthorized users from accessing the network, it improves the security of network access.
Description of drawings
Fig. 1 is a flow chart of the first embodiment of the method of the invention;
Fig. 2 is a flow chart of the second embodiment of the method of the invention;
Fig. 3 shows an Ethernet frame carrying the 802.1Q tag header;
Fig. 4 shows the 802.1Q tag header comprising the tag protocol identifier and the tag control information.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings.
At present, in broadband access, user terminals generally access the network through a Layer 2 switching device. The common Layer 2 switching device is an Ethernet Layer 2 switch (LANSWITCH, Local Area Network Switch) that supports the 802.1Q protocol (a standard protocol on how to implement VLANs, established by the IEEE, Institute of Electrical and Electronics Engineers). Messages sent by all user terminals attached through a LANSWITCH can be given a special mark used to identify the user terminal; in practice this mark can be a VLAN (Virtual Local Area Network) tag, and this VLAN tag can uniquely identify the particular physical interface of the LANSWITCH through which the user terminal is attached. The DHCP relay server in the network can therefore use this VLAN tag to authenticate the user and check the user's validity.
Fig. 1 is the flow chart of the first embodiment of the method of the invention; this flow is carried out by the Layer 2 network device in the network, i.e. the network switch, the DHCP relay server and the DHCP server. As shown in Fig. 1, in step 1 the user terminal sends a DHCP request message to the network switch (LANSWITCH) in the network. Existing LANSWITCHes usually support the 802.1Q protocol, and when an Ethernet-format message sent by the user from an access port passes through the switch, a VLAN header is added to identify the port through which the user is attached. The message format of 802.1Q encapsulation simply inserts an 802.1Q tag header after the source address of the original Ethernet frame header, followed by the length or type field of the original Ethernet frame; see Fig. 3. The 802.1Q tag header contains a Tag Protocol Identifier (TPID), which indicates that this is a message carrying an 802.1Q tag, and Tag Control Information (TCI); see Fig. 4 for both. The tag header information described in Fig. 4 comprises:
VLAN Identifier (VLAN ID): a 12-bit field that gives the ID of the VLAN, i.e. indicates which VLAN the message belongs to; it is the identifier on which port-based authentication is performed.
Canonical Format Indicator (CFI): a 1-bit field used for the frame format when Ethernet (bus type), FDDI and Token Ring networks exchange data.
Priority: a 3-bit field indicating the priority of the frame, used to decide which packets are sent first when the switch is congested.
Because the 802.1Q tag header is added by the switch, even if the user terminal does not support 802.1Q, i.e. the Ethernet frame header of the packets sent by the computer does not contain this information, the LANSWITCH can add the VLAN header as long as the packets pass through it, so that the user can be verified as legitimate.
Following step 1, in step 2 the LANSWITCH device in the network forwards the DHCP request message to the DHCP relay server. In step 3 the DHCP relay server receives the DHCP request message of the user terminal, and in step 4 it authenticates the user and checks the user's validity by means of the VLAN ID in the DHCP request message. If the check passes, it forwards the DHCP request message of this user terminal to the DHCP server and proceeds to step 6, in which the DHCP server receives the DHCP request message of the user terminal, assigns an IP address to this user terminal, records the IP address and other network initialization information in a DHCP response message, and sends it to the DHCP relay server. Finally, in step 7 the DHCP relay server forwards the DHCP response message sent by the DHCP server to the user terminal; the user terminal obtains the IP address assigned to it and thereby accesses the network. If the validity check of step 4 does not pass, the DHCP request message of this user terminal is discarded in step 5 and the user's network access is terminated.
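The port-based check of steps 1 to 7, as an added example that is not part of the patent: a Python model of the LANSWITCH inserting the 802.1Q tag header of Figs. 3 and 4 after the source address, of the DHCP relay parsing that header back into priority, CFI and VLAN ID, and of the relay's step 4 decision to forward or drop. The TPID value 0x8100 and the field widths come from IEEE 802.1Q; the set of authorized VLAN IDs, the user MAC address and the payload bytes are constructed for the demonstration, and dropping untagged frames and the reserved VIDs 0 and 4095 is this example's choice, not something the patent specifies.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

# 802.1Q constants (IEEE 802.1Q fixes the TPID value and the field widths).
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority tag only) and 4095 are reserved


@dataclass
class TaggedFrame:
    dst: bytes
    src: bytes
    priority: int    # 3-bit Priority field of the TCI
    cfi: int         # 1-bit Canonical Format Indicator
    vlan_id: int     # 12-bit VLAN Identifier
    ethertype: int   # length/type field of the original Ethernet frame
    payload: bytes


def build_tagged_frame(dst: bytes, src: bytes, priority: int, cfi: int,
                       vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    """What the LANSWITCH does in step 1: insert TPID + TCI after the source address.

    The TCI packs priority:3 | CFI:1 | VID:12, most significant bits first.
    """
    tci = ((priority & 0x7) << 13) | ((cfi & 0x1) << 12) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_8021q(frame: bytes) -> Optional[TaggedFrame]:
    """Parse an Ethernet frame; return None when it carries no 802.1Q tag.

    Layout (Fig. 3): dst(6) src(6) TPID(2) TCI(2) type(2) payload.
    """
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return TaggedFrame(dst, src, tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF,
                       ethertype, frame[18:])


def relay_decision(frame: bytes, authorized_vids: Set[int]) -> str:
    """Step 4 of Fig. 1 at the DHCP relay: authenticate by VLAN ID.

    Returns "forward" (step 6: pass the request to the DHCP server) or
    "drop" (step 5: discard the request and terminate the user's access).
    Dropping untagged frames and reserved VIDs is this example's choice:
    without a switch-inserted tag there is no port identity to check.
    """
    tagged = parse_8021q(frame)
    if tagged is None:
        return "drop"
    if not (VID_MIN <= tagged.vlan_id <= VID_MAX):
        return "drop"
    if tagged.ethertype != ETHERTYPE_IPV4:
        return "drop"
    return "forward" if tagged.vlan_id in authorized_vids else "drop"


# Constructed data for the demonstration (hypothetical, not from the patent):
# VLAN IDs of switch user ports whose users have been registered.
AUTHORIZED_VIDS = {101, 102, 250}
BROADCAST = b"\xff" * 6
USER_MAC = bytes.fromhex("001122334455")
# Stand-in payload; a real frame would carry IPv4/UDP with the DHCP request here.
DHCP_PAYLOAD = b"\x45" + b"\x00" * 39

if __name__ == "__main__":
    for vid in (101, 999, 0):
        f = build_tagged_frame(BROADCAST, USER_MAC, 0, 0, vid, ETHERTYPE_IPV4, DHCP_PAYLOAD)
        print(f"VLAN {vid:4d}: {relay_decision(f, AUTHORIZED_VIDS)}")
    untagged = BROADCAST + USER_MAC + struct.pack("!H", ETHERTYPE_IPV4) + DHCP_PAYLOAD
    print(f"untagged : {relay_decision(untagged, AUTHORIZED_VIDS)}")
```

The check is only as strong as the assumption that the tag really was inserted by the switch: an access switch that accepts an 802.1Q tag already present on a frame arriving from a user port would let the user choose the VLAN ID that the relay authenticates, so user ports must discard or overwrite incoming tags, and the link between the switch and the relay must not be reachable by users. The patent relies on this property of the LANSWITCH without stating it.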
Fig. 2 is the flow chart of the second embodiment of the method of the invention; this flow is carried out by the DHCP relay server and the DHCP server in the network. First, in step 11, the user terminal sends a DHCP request message to the DHCP relay server. In step 12, after receiving the DHCP request message of the user terminal, the DHCP relay server authenticates the user and checks the user's validity according to the message; if the check passes, it forwards the DHCP request message of this user terminal to the DHCP server. In step 14 the DHCP server receives the DHCP request message of the user terminal, assigns an IP address to this user terminal, records the IP address and other network initialization information in a DHCP response message, and sends it to the DHCP relay server. Finally, in step 15, the DHCP relay server forwards the DHCP response message received from the DHCP server to the user terminal, and the user terminal obtains the IP address assigned to it and thereby accesses the network. If the authentication and validity check of the user in step 12 does not pass, the DHCP request message of this user terminal is discarded and the user's network access is terminated in step 13.
It should be noted that if the embodiment of Fig. 2 is adopted, then in order to perform the authentication and validity check of the user in step 12, user identification information must be added to the message that the user terminal sends in step 11. This information can be established by a method of prior user registration, so that the DHCP relay server can authenticate and validity-check the user in step 12 and thereby isolate unauthorized users.
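The second embodiment's check at step 12, as an added example that is not part of the patent: the patent says only that user identification information is added to the terminal's message and matched against prior registration, without naming a field. This Python example assumes, as an illustration, that the identifier is carried in the DHCP client identifier option (option 61 of RFC 2132); it builds a minimal DHCPDISCOVER as a terminal would send it, parses the fixed header and the TLV options at the relay, and looks the identifier up in a constructed registry. Rejecting malformed or truncated options and anything that is not a DISCOVER or REQUEST is the example's choice.

```python
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
BOOTREQUEST = 1
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255
DHCPDISCOVER, DHCPREQUEST = 1, 3


def build_request(mac: bytes, xid: int, msg_type: int,
                  client_id: Optional[bytes]) -> bytes:
    """Build a minimal DHCP BOOTREQUEST as a user terminal would send it (step 11).

    Fixed header per RFC 2131: op htype hlen hops xid secs flags ciaddr yiaddr
    siaddr giaddr chaddr(16) sname(64) file(128), then the magic cookie and options.
    """
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, len(mac), 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")             # chaddr
    hdr += b"\x00" * (64 + 128)               # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if client_id is not None:                 # assumed carrier of the user identifier
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed header and TLV options; raise ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    if hlen > 16:
        raise ValueError("bad hlen")
    chaddr = packet[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr, "options": options}


# Constructed registry (hypothetical): values users registered in advance,
# keyed by the client identifier (option 61) bytes, mapped to an account name.
REGISTERED_USERS: Dict[bytes, str] = {
    b"\x01" + bytes.fromhex("001122334455"): "user-a",
    b"\x00user-b-token": "user-b",
}


def relay_check(packet: bytes, registry: Dict[bytes, str]) -> str:
    """Step 12 of Fig. 2: authenticate the request by the pre-registered identifier.

    Returns "forward" (step 14: pass to the DHCP server) or "drop" (step 13).
    """
    try:
        msg = parse_dhcp(packet)
    except ValueError:
        return "drop"
    if msg["op"] != BOOTREQUEST:
        return "drop"
    if msg["options"].get(OPT_MSG_TYPE) not in (bytes([DHCPDISCOVER]), bytes([DHCPREQUEST])):
        return "drop"
    cid = msg["options"].get(OPT_CLIENT_ID)
    if cid is None or cid not in registry:
        return "drop"
    return "forward"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    for label, cid in (("registered", b"\x01" + mac), ("no identifier", None),
                       ("unknown", b"\x01" + bytes.fromhex("aabbccddeeff"))):
        print(f"{label:14s}: {relay_check(build_request(mac, 0x1234, DHCPDISCOVER, cid), REGISTERED_USERS)}")
```

Because the client identifier is chosen and transmitted by the terminal in a broadcast, unencrypted DHCP message, this check proves only that the sender knows a registered value; anyone who can observe the request on the shared segment can replay it. That is the weakness the first embodiment avoids by tying identity to the switch port through the VLAN ID.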

Claims (2)

1. A broadband network access method, comprising:
(1) a user terminal sends a DHCP request message to a Layer 2 access device in the network, and the Layer 2 access device in the network forwards the DHCP request message to a DHCP relay server, where DHCP is the Dynamic Host Configuration Protocol;
(2) after the DHCP relay server receives the DHCP request message of the user terminal, it authenticates the user and checks the user's validity according to the message; if the check passes, it forwards the DHCP request message of this user terminal to the DHCP server and proceeds to step (3); otherwise it discards the DHCP request message of this user terminal and terminates the user's network access;
(3) after the DHCP server receives the DHCP request message of the user terminal, it assigns an IP address to this user terminal, records the IP address and other network initialization information in a DHCP response message, and sends it to the DHCP relay server;
(4) the DHCP relay server forwards the DHCP response message received from the DHCP server to the user terminal, and the user terminal obtains the IP address assigned to it and thereby accesses the network;
characterized in that: when the user terminal sends the DHCP request message to the Layer 2 access device in the network, the Layer 2 access device adds a virtual local area network (VLAN) tag to the DHCP request message, the VLAN tag identifying the virtual network identifier (VLAN ID) of the user port through which the Layer 2 access device is accessed.
2. The broadband network access method according to claim 1, characterized in that: the authentication and validity check of the user according to the message in step (2) is performed by means of the VLAN ID in the DHCP request message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021178038A CN1248447C (en) 2002-05-15 2002-05-15 Broadband network access method

Publications (2)

Publication Number Publication Date
CN1458761A CN1458761A (en) 2003-11-26
CN1248447C true CN1248447C (en) 2006-03-29

Family

ID=29426694

Country Status (1)

Country Link
CN (1) CN1248447C (en)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100334855C (en) * 2004-08-17 2007-08-29 杭州华为三康技术有限公司 Method to allocate protocol relay address table and server address pool for synchronization dynamic host machine
CN100388739C (en) * 2005-04-29 2008-05-14 华为技术有限公司 Method and system for contributing DHCP addresses safely
CN101141492B (en) * 2005-04-29 2014-11-05 华为技术有限公司 Method and system for implementing DHCP address safety allocation
CN1921496B (en) * 2005-08-24 2010-04-14 中兴通讯股份有限公司 Method for DHCP client terminal to identifying DHCP server
CN100435527C (en) * 2005-08-25 2008-11-19 广东省电信有限公司研究院 Method for realizing efficient video multicasting in ethernet passive optical entwork system
CN1889572B (en) * 2006-07-27 2010-06-09 杭州华三通信技术有限公司 Internet protocol address distributing method and dynamic main machine configuration protocol relay
CN101127600B (en) * 2006-08-14 2011-12-07 华为技术有限公司 A method for user access authentication
CN101127630B (en) * 2006-08-15 2017-04-12 华为技术有限公司 Method, device and system for managing object instant
CN101145907B (en) * 2006-09-11 2010-05-12 华为技术有限公司 Method and system for user authentication based on DHCP
CN101174952B (en) * 2006-10-31 2010-05-19 中兴通讯股份有限公司 Automatic authentication method and device for IPTV service
CN101355474B (en) 2007-07-25 2010-09-08 华为技术有限公司 Method and equipment for requesting and distributing connection point address
CN101179604B (en) * 2007-11-27 2011-08-24 华为技术有限公司 MAC address assignment method, equipment and system
CN101924800B (en) * 2009-06-11 2015-03-25 华为技术有限公司 Method for obtaining IP address of DHCPv6 server, DHCPv6 server and DHCPv6 communication system
CN101577738B (en) * 2009-06-25 2011-08-31 杭州华三通信技术有限公司 Address distribution method and equipment thereof
CN102055637B (en) * 2009-11-03 2015-06-03 中兴通讯股份有限公司 Wide band network system and realizing method thereof
WO2012106883A1 (en) * 2011-07-12 2012-08-16 华为技术有限公司 Method, apparatus and system for initial deployment of layer 2 network device
CN103856416B (en) * 2012-12-06 2017-04-12 华为技术有限公司 Network access method, device and system
CN104184615A (en) * 2014-08-07 2014-12-03 惠州学院 Network management system and network management method for laboratory on campus
CN105187400B (en) * 2015-08-12 2018-04-27 莱诺斯科技(北京)股份有限公司 A kind of mobile terminal safety guard system and safety protecting method
CN108616884B (en) * 2016-11-30 2022-01-07 上海掌门科技有限公司 Method and apparatus for wireless access point connection
CN107708200A (en) * 2017-08-21 2018-02-16 上海源岷投资管理有限公司 One kind is used for rural multi-user's biogas data collection radio base station equipment and method
CN107743046A (en) * 2017-08-21 2018-02-27 上海源岷投资管理有限公司 The radio relay station device and method of a kind of data acquisition for rural biogas

Also Published As

Publication number Publication date
CN1458761A (en) 2003-11-26

Legal Events

Code Title
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2006-03-29

Termination date: 2018-05-15