WO2014079265A1

WO2014079265A1 - Method, apparatus and access device for releasing ip address

Info

Publication number: WO2014079265A1
Application number: PCT/CN2013/083518
Authority: WO
Inventors: 张兴新
Original assignee: 华为技术有限公司
Priority date: 2012-11-21
Filing date: 2013-09-14
Publication date: 2014-05-30
Also published as: CN103841219A; CN103841219B

Abstract

Disclosed are a method, apparatus and access device for releasing an IP address, the method comprising: sending a request message to an address server by the access device, wherein the request message is adapted to request the address server to assign the IP address for a terminal, and obtaining an authorized result message of the terminal, if the authorized result message is an unsuccessful message, the access device is interactive with the address server, thus it can make the address server release the IP address assigned for the terminal. After obtaining the authorized result message of the terminal, the access device as herein defined is interactive with the address server, such that the address server can fast release the IP address assigned for an illegal terminal, thus the IP resource in the network resource is not depleted by the illegal terminal, and it is ensured that a legal terminal can access a network.

Description

释放 IP地址的方法、装置及接入设备技术领域 Method, device and access device for releasing IP address

[01] 本发明涉及通信技术领域，特别是涉及释放互联网协议（Internet Protocol , IP ) 地址的方法、装置及接入设备。背景技术 [01] The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and an access device for releasing an Internet Protocol (IP) address. Background technique

[02] 处于某一特定覆盖区域之内，并且具有某种关联的站点（Stat ion, STA ) 或称终端组成一个基本服务集（Bas ic Servi ce Set , BSS )， BSS是无线局域网（Wireless Local Area Network, WLAN) 的基本组成部分。在一个 BSS 内，通常可以设置一个管理 BSS的接入设备， BSS 内的 STA与该接入设备相互关联，该接入设备通常具有认证代理、接入控制、 IP 地址分配代理等功能，例如，可以具体为接入点（Access Point , AP )，或者接入控制器（Access Control , AC)。 [02] is within a certain coverage area, and has a certain associated station (Stat, STA) or terminal to form a basic service set (Basic Server Set, BSS), BSS is a wireless local area network (Wireless Local The basic components of Area Network, WLAN). In a BSS, an access device that manages a BSS can be set up. The STAs in the BSS are associated with the access device. The access device usually has functions such as an authentication proxy, an access control, and an IP address assignment proxy. For example, It can be specifically an access point (AP) or an access controller (Access Control, AC).

[03] 在 BSS 内的每个 STA 要接入网络时，需要通过接入设备与认证授权和计费 ( Authent icat ion Authorizat ion and Account ing, AAA) 月艮务器交互，对 STA的身份进行认证，同时还需要通过接入设备与动态主机配置协议（Dynamic Host Confi gurat ion Protocol , DHCP ) 服务器交互，获得一个 IP地址， STA通过该 IP地址接入网络，并实现与网络中其它 STA的通信。现有技术中由于对 STA认证和对 STA分配 IP地址同步进行，因此非法 STA可以在认证通过之前的短时间内向接入设备发起多次接入请求，由接入设备向 DHCP服务器请求多个 IP地址，从而使得网络中的 IP资源快速被耗尽，导致合法 STA无法接入网络，影响用户体验。发明内容 [03] When each STA in the BSS needs to access the network, it needs to interact with the Authentic Authentication and Accounting (AAA) server to perform the identity of the STA. Authentication, and the access device needs to interact with the Dynamic Host Confidation Protocol (DHCP) server to obtain an IP address. The STA accesses the network through the IP address and implements communication with other STAs in the network. . In the prior art, the STA is authenticated and the IP address is allocated to the STA. Therefore, the illegitimate STA can initiate multiple access requests to the access device within a short time before the authentication is passed. The access device requests multiple IP addresses from the DHCP server. The address is so that the IP resources in the network are quickly exhausted, which prevents the legal STA from accessing the network and affects the user experience. Summary of the invention

[04] 本发明实施例中提供了释放 IP 地址的方法、装置及接入设备，以解决现有技术中非法 STA在认证通过前的短时间内请求多个 IP地址，容易导致网络中 IP资源被耗尽的问题。 In the embodiment of the present invention, a method, a device, and an access device for releasing an IP address are provided, so as to solve the problem that an illegal STA requests multiple IP addresses in a short time before the authentication passes, which may easily lead to IP resources in the network. The problem is exhausted.

[05] 为了解决上述技术问题，本发明实施例公开了如下技术方案： [06] 第一方面，提供一种释放 IP地址的方法，所述方法包括： [05] In order to solve the above technical problem, the embodiment of the present invention discloses the following technical solution: [06] In a first aspect, a method for releasing an IP address is provided, where the method includes:

[07] 接入设备向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为终端分配 IP地址； [07] The access device sends a request message to the address server, where the request message is used to request the address server to allocate an IP address for the terminal;

[08] 以及，所述接入设备获取所述终端的认证结果消息； [09] 如果所述认证结果消息为认证失败消息，则所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 [08] and, the access device acquires an authentication result message of the terminal; [09] If the authentication result message is an authentication failure message, the access device interacts with the address server to release the address server as an IP address allocated by the terminal.

[10] 结合第一方面，在第一方面的第一种可能的实现方式中，所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址，包括： [11] 所述接入设备接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； [10] In combination with the first aspect, in a first possible implementation manner of the first aspect, the access device, by interacting with the address server, to enable the address server to release an IP address allocated to the terminal The method includes: [11] the access device receives a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message;

[12] 向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 [12] Sending a release message to the address server to release the IP address after the address server receives the release message.

[13] 结合第一方面，在第一方面的第二种可能的实现方式中，所述请求消息中还包含请求所述地址服务器为所述终端分配的短租约时间； [13] In combination with the first aspect, in a second possible implementation manner of the first aspect, the request message further includes a short lease time that is requested by the address server to be allocated to the terminal;

[14] 所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址，包括： [14] The access device interacts with the address server, so that the address server releases the IP address assigned to the terminal, including:

[15] 所述接入设备接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； [16] 向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址，或者丢弃所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址。 [15] The access device receives a response message returned by the address server, where the response message includes an IP address assigned by the address server to the terminal after receiving the request message; [16] Sending, by the address server, a release message, after the address server receives the release message, releasing the IP address, or discarding an IP address assigned by the address server to the terminal, so that the address server is in the The IP address is released when the short lease time arrives.

[17] 结合第一方面的第二种可能的实现方式，在第一方面的第三种可能的实现方式中，所述方法还包括： [18] 如果所述认证结果消息为认证成功消息，则所述接入设备在接收到包含所述地址服务器为所述终端分配的 IP地址的响应消息后，将所述 IP地址下发给所述终端。 [17] In combination with the second possible implementation of the first aspect, in a third possible implementation manner of the first aspect, the method further includes: [18] if the authentication result message is an authentication success message, After the access device receives the response message including the IP address allocated by the address server for the terminal, the access device sends the IP address to the terminal.

[19] 结合第一方面，在第一方面的第四种可能的实现方式中，所述请求消息中还包括请求所述地址服务器为所述终端分配临时 IP地址的标记； [19] In combination with the first aspect, in a fourth possible implementation manner of the first aspect, the request message further includes a request for the address server to allocate a temporary IP address to the terminal;

[20] 所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址，包括： [20] The access device interacts with the address server, so that the address server releases the IP address assigned to the terminal, including:

[21] 所述接入设备接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； [22] 向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址。 [21] The access device receives the response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address. [22] Sending a revocation message to the address server, so that after the address server receives the revocation message, releasing the IP address as a temporary IP address.

[23] 结合第一方面的第四种可能的实现方式，在第一方面的第五种可能的实现方式中，所述方法还包括： [24] 如果所述认证结果消息为认证成功消息，则所述接入设备在接收到包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 [23] In combination with the fourth possible implementation of the first aspect, in a fifth possible implementation manner of the first aspect, the method further includes: [24] if the authentication result message is an authentication success message, After receiving the response message including the IP address of the temporary IP address allocated by the address server for the terminal, the access device sends an acknowledgement message to the address server, so that the address server receives the After the confirmation message is described, the IP address is formally assigned to the terminal.

[25] 第二方面，提供一种释放 IP地址的装置，所述装置包括： [26] 发送单元，用于向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为终端分配 IP地址； [25] The second aspect provides an apparatus for releasing an IP address, where the apparatus includes: [26] a sending unit, configured to send a request message to an address server, where the request message is used to request the address server to allocate a terminal IP address;

[27] 获取单元，用于获取所述终端的认证结果消息； [27] an obtaining unit, configured to obtain an authentication result message of the terminal;

[28] 交互单元，用于如果所述获取单元获取的认证结果消息为认证失败消息，则通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 [29] 结合第二方面，在第二方面的第一种可能的实现方式中，所述交互单元包括： [28] The interaction unit is configured to: if the authentication result message obtained by the obtaining unit is an authentication failure message, interact with the address server to release the address server as an IP address allocated by the terminal. [29] In combination with the second aspect, in a first possible implementation manner of the second aspect, the interaction unit includes:

[30] 第一地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； [30] a first address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message;

[31] 第一释放请求子单元，用于向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 [32] 结合第二方面，在第二方面的第二种可能的实现方式中，所述发送单元发送的所述请求消息中还包含地址服务器为所述终端分配的短租约时间； [31] The first release request subunit is configured to send a release message to the address server, so that after the address server receives the release message, release the IP address. With reference to the second aspect, in a second possible implementation manner of the second aspect, the request message sent by the sending unit further includes a short lease time allocated by the address server to the terminal;

[33] 所述交互单元包括： [33] The interaction unit includes:

[34] 第二地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； [35] 第二释放请求子单元，用于向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址；或者， [36] 地址丢弃子单元，用于丢弃所述第二地址接收子单元接收到的所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址。 [34] a second address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message; [35] a second release request sub-unit, configured to send a release message to the address server, so that after the address server receives the release message, release the IP address; or [36] an address discarding subunit, configured to discard an IP address allocated by the address server received by the second address receiving subunit for the terminal, so that the address server arrives at the short lease time Release the IP address.

[37] 结合第二方面的第二种可能的实现方式，在第二方面的第三种可能的实现方式中，所述交互单元还包括： [38] 地址下发子单元，用于如果所述获取单元获取到的认证结果消息为认证成功消息，则在所述第二地址接收子单元接收到包含所述地址服务器为所述终端分配的 IP 地址的响应消息后，将所述 IP地址下发给所述终端。 [37] In conjunction with the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the interaction unit further includes: [38] an address delivery subunit, After the authentication result message obtained by the obtaining unit is an authentication success message, after the second address receiving subunit receives the response message including the IP address allocated by the address server for the terminal, the IP address is Send to the terminal.

[39] 结合第二方面，在第二方面的第四种可能的实现方式中，所述发送单元发送的请求消息中还包括请求所述地址服务器为所述终端分配临时 IP地址的标记； [40] 所述交互单元包括： [39] In conjunction with the second aspect, in a fourth possible implementation manner of the second aspect, the request message sent by the sending unit further includes a flag that requests the address server to allocate a temporary IP address to the terminal; 40] The interaction unit includes:

[41] 第三地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； [41] a third address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address for the terminal;

[42] 撤销请求子单元，用于向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址。 [43] 结合第二方面的第四种可能的实现方式，在第二方面的第五种可能的实现方式中，所述交互单元还包括： [42] The revocation request subunit is configured to send a revocation message to the address server, so that after the address server receives the revocation message, the IP address as a temporary IP address is released. [43] In conjunction with the fourth possible implementation of the second aspect, in a fifth possible implementation manner of the second aspect, the interaction unit further includes:

[44] 确认通知子单元，用于如果所述获取单元获取到的所述认证结果消息为认证成功消息，则在所述第三地址接收子单元接收到包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 [44] a confirmation notification subunit, configured to: if the authentication result message obtained by the obtaining unit is an authentication success message, receive, at the third address receiving subunit, that the address server is configured to allocate the terminal After receiving the response message as the IP address of the temporary IP address, the acknowledgment message is sent to the address server, so that after the address server receives the acknowledgment message, the IP address is formally allocated to the terminal.

[45] 第三方面，提供一种接入设备，所述接入设备包括：总线以及通过所述总线连接的客户端接口、网络接口和处理器；其中， [45] In a third aspect, an access device is provided, where the access device includes: a bus and a client interface, a network interface, and a processor connected through the bus;

[46] 所述客户端接口，用于连接终端； [46] the client interface, configured to connect to the terminal;

[47] 所述网络接口，用于向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为所述终端分配 IP地址，以及获取所述终端的认证结果消息； [47] the network interface is configured to send a request message to the address server, where the request message is used to request the address server to allocate an IP address for the terminal, and obtain an authentication result message of the terminal;

[48] 所述处理器，用于如果所述认证结果消息为认证失败消息，则通过所述网络接口与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 [49] 结合第三方面，在第三方面的第一种可能的实现方式中， [48] The processor is configured to: if the authentication result message is an authentication failure message, interact with the address server through the network interface, so that the address server releases an IP address allocated to the terminal. [49] In combination with the third aspect, in a first possible implementation manner of the third aspect,

[50] 所述处理器，具体用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址，并通过所述网络接口向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 [00] The processor is specifically configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message, and The network interface sends a release message to the address server, so that after the address server receives the release message, the IP address is released.

[51] 结合第三方面，在第三方面的第二种可能的实现方式中， [51] In combination with the third aspect, in a second possible implementation manner of the third aspect,

[52] 所述网络接口发送的请求消息中还包含请求所述地址服务器为所述终端分配的短租约时间； [52] The request message sent by the network interface further includes requesting the short lease time allocated by the address server to the terminal;

[53] 所述处理器，具体用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址，并通过所述网络接口向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址，或者用于丢弃所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址。 [53] The processor is specifically configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message, and The network interface sends a release message to the address server, so that after the address server receives the release message, the IP address is released, or is used to discard the IP address assigned by the address server to the terminal, The address server is caused to release the IP address when the short lease time arrives.

[54] 结合第三方面的第二种可能的而实现方式，在第三方面的第三种可能的实现方式中，所述处理器，还用于如果所述认证结果消息为认证成功消息，则在所述网络接口接收到包含所述地址服务器为所述终端分配的 IP地址的响应消息后，将所述 IP地址下发给所述终端。 [54] In combination with the second possible implementation of the third aspect, in a third possible implementation manner of the third aspect, the processor is further configured to: if the authentication result message is an authentication success message, After the network interface receives the response message including the IP address allocated by the address server for the terminal, the IP address is sent to the terminal.

[55] 结合第三方面，在第三方面的第四种可能的实现方式中， [55] In combination with the third aspect, in a fourth possible implementation manner of the third aspect,

[56] 所述网络接口发送的请求消息中还包括请求所述地址服务器为所述终端分配临时 IP地址的标记； [56] the request message sent by the network interface further includes a flag for requesting the address server to allocate a temporary IP address to the terminal;

[57] 所述网络接口，还用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； [57] The network interface is further configured to receive a response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address for the terminal;

[58] 所述处理器，具体用于通过所述网络接口向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址。 [59] 结合第三方面的第四种可能的实现方式，在第三方面的第五种可能的实现方式中，所述处理器，还用于如果所述认证结果消息为认证成功消息，则在所述网络接口接收到包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 The processor is specifically configured to send a revocation message to the address server by using the network interface, so that after the address server receives the revocation message, the IP address that is a temporary IP address is released. With the fourth possible implementation of the third aspect, in a fifth possible implementation manner of the third aspect, the processor is further configured to: if the authentication result message is an authentication success message, After the network interface receives the response message including the IP address assigned as the temporary IP address by the address server for the terminal, sending an acknowledgement message to the address server, so that the address server receives the acknowledgement After the message, the IP ground will be The address is officially assigned to the terminal.

[60] 本发明实施例中，接入设备向地址服务器发送用于请求所述地址服务器为终端分配 IP 地址的请求消息，以及获取所述终端的认证结果消息，如果所述认证结果消息为认证失败消息，则所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。本发明实施例中接入设备在获取到对终端的认证结果后，通过与 DHCP服务器交互，使得 DHCP服务器可以快速释放为非法终端分配的 IP地址，从而使网络中的 IP 资源不会被非法终端耗尽，保证合法终端可以接入网络。附图说明 In the embodiment of the present invention, the access device sends a request message for requesting the address server to allocate an IP address to the terminal, and obtains an authentication result message of the terminal, if the authentication result message is authentication. The failure message, the access device interacts with the address server to release the address server as an IP address allocated by the terminal. In the embodiment of the present invention, after obtaining the authentication result of the terminal, the access device interacts with the DHCP server, so that the DHCP server can quickly release the IP address assigned to the illegal terminal, so that the IP resources in the network are not illegal. Depleted, ensuring that legitimate terminals can access the network. DRAWINGS

[61] 为了更清楚地说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，对于本领域普通技术人员而言，在不付出创造性劳动性的前提下，还可以根据这些附图获得其他的附图。 [61] In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art description will be briefly described below, and it is obvious that it is common in the art. For the technicians, other drawings can be obtained based on these drawings without paying for creative labor.

[62] 图 1A为本发明释放 IP地址的方法的一个实施例流程图； [63] 图 1B为应用本发明实施例的一个网络架构示意图； [64] 图 2为本发明释放 IP地址的方法的另一个实施例流程图； [65] 图 3为本发明释放 IP地址的方法的另一个实施例流程图； [66] 图 4为本发明释放 IP地址的方法的另一个实施例流程图； [67] 图 5为本发明释放 IP地址的装置的实施例框图； [68] 图 6为本发明接入设备的实施例框图。具体实施方式 1 is a flowchart of an embodiment of a method for releasing an IP address according to the present invention; [63] FIG. 1B is a schematic diagram of a network architecture according to an embodiment of the present invention; [64] FIG. 2 is a method for releasing an IP address according to the present invention. FIG. 3 is a flow chart of another embodiment of a method for releasing an IP address according to the present invention; [66] FIG. 4 is a flowchart of another embodiment of a method for releasing an IP address according to the present invention; 5 is a block diagram of an embodiment of an apparatus for releasing an IP address according to the present invention; [68] FIG. 6 is a block diagram of an embodiment of an access device of the present invention. detailed description

[69] 本发明如下实施例提供了释放 IP地址的方法、装置及接入设备。 The following embodiments of the present invention provide a method, an apparatus, and an access device for releasing an IP address.

[70] 为了使本技术领域的人员更好地理解本发明实施例中的技术方案，并使本发明实施例的上述目的、特征和优点能够更加明显易懂，下面结合附图对本发明实施例中技术方案作进一步详细的说明。 The above described objects, features, and advantages of the embodiments of the present invention will become more apparent and understood. The technical solution is described in further detail.

[71] 参见图 1A，为本发明释放 IP地址的方法的第一实施例流程图： [72] 步骤 101 : 接入设备向地址服务器发送请求消息，该请求消息用于请求地址服务器为终端分配 IP地址。 [73] 本发明实施例中，地址服务器可以是 DHCP服务器；请求消息可以是 DHCP DISCOVERY (发现）消息或者 DHCP REQUEST (请求）消息。 [71] FIG. 1A is a flowchart of a first embodiment of a method for releasing an IP address according to the present invention: [72] Step 101: The access device sends a request message to the address server, where the request message is used to request the address server to allocate the terminal. IP address. In the embodiment of the present invention, the address server may be a DHCP server; the request message may be a DHCP DISCOVERY message or a DHCP REQUEST message.

[74] 本实施例中，接入设备可以具体指 AP或者 AC等。该接入设备作为所连接的终端的代理，可以通过与 DHCP服务器交互，请求 DHCP服务器为要接入网络的终端分配 IP地址。接入设备在为终端请求 IP地址时，可以向 DHCP服务器发送包含该终端的身份标识的请求消息，该身份标识可以是终端的 MAC地址。 [78] In this embodiment, the access device may specifically refer to an AP or an AC. The access device acts as a proxy for the connected terminal, and can interact with the DHCP server to request the DHCP server to assign an IP address to the terminal to access the network. When the access device requests an IP address for the terminal, the access device may send a request message including the identity of the terminal to the DHCP server, where the identity identifier may be the MAC address of the terminal.

[75] DHCP服务器接收到请求消息后，可以为终端分配一个 IP地址，并在租约表中记录该终端的租约表项，该租约表项中包含终端的 IP地址、 MAC地址、租约时间等信息。 [75] After receiving the request message, the DHCP server can assign an IP address to the terminal, and record the lease entry of the terminal in the lease table. The lease entry includes information such as the IP address, MAC address, and lease time of the terminal. .

[76] 步骤 102 : 接入设备获取终端的认证结果消息。 [77] 本发明实施例中对终端请求 IP 地址的过程与对终端的认证过程可以并行执行。其中，对终端进行认证的认证服务器可以具体为 AAA服务器，认证服务器对终端的认证过程与现有技术一致，例如，可以采用基于客户端 /服务器（Cl ient/Server ) 的访问控制和认证协议，比如 802. lx认证。当认证结束后，认证服务器向接入设备返回包含终端认证结果的认证结果消息，认证结果消息包括终端为合法终端时的认证成功消息或终端为非法终端时的认证失败消息。 [76] Step 102: The access device acquires an authentication result message of the terminal. [77] The process of requesting an IP address for a terminal and the authentication process for a terminal in the embodiment of the present invention may be performed in parallel. The authentication server that authenticates the terminal may be specifically an AAA server, and the authentication process of the authentication server to the terminal is consistent with the prior art. For example, a client/server (Cient/Server)-based access control and authentication protocol may be adopted. For example, 802. lx authentication. After the authentication is completed, the authentication server returns an authentication result message including the terminal authentication result to the access device, where the authentication result message includes an authentication success message when the terminal is a legal terminal or an authentication failure message when the terminal is an illegal terminal.

[78] 步骤 103 : 如果认证结果消息为认证失败消息，则接入设备通过与地址服务器交互，以使地址服务器释放为终端分配的 IP地址。 [78] Step 103: If the authentication result message is an authentication failure message, the access device interacts with the address server to release the IP address assigned to the terminal by the address server.

[79] 在第一个可选的实现方式中，接入设备接收地址服务器返回的响应消息，响应消息中包含地址服务器接收到所述请求消息后为所述终端分配的 IP地址，以及接入设备接收到认证失败消息后，可以获取认证失败消息中包含的终端的终端标识，查找保存的终端标识与 MAC地址的对应关系，获取与终端的终端标识对应的终端的 MAC地址，向地址服务器发送包含该 MAC地址的释放消息，地址服务器根据该 MAC地址查找租约表，得到终端的租约表项后，释放为终端分配的 IP地址，从而保证非法终端无法占用 IP资源。 [79] In the first optional implementation manner, the access device receives a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message, and access After receiving the authentication failure message, the device may obtain the terminal identifier of the terminal included in the authentication failure message, search for the correspondence between the saved terminal identifier and the MAC address, obtain the MAC address of the terminal corresponding to the terminal identifier of the terminal, and send the MAC address of the terminal to the address server. The release message containing the MAC address, the address server searches the lease table according to the MAC address, and obtains the lease address of the terminal, and then releases the IP address assigned to the terminal, thereby ensuring that the illegal terminal cannot occupy the IP resource.

[80] 在第二个可选的实现方式中，接入设备在向地址服务器发送的请求消息中还包含请求所述地址服务器为所述终端分配的短租约时间，接入设备接收地址服务器返回的响应消息，响应消息中包含地址服务器接收到所述请求消息后为所述终端分配的 IP 地址，以及接入设备接收到认证失败消息后，可以向地址服务器发送释放消息，地址服务器接收到释放消息后，释放为所述终端分配的 IP地址，或者接入设备丢弃地址服务器为所述终端分配的 IP地址，即不将该 IP 地址下发给所述终端，相应的，地址服务器在所述短租约时间到达时释放该 IP地址，由于短租约时间比预设租约时间短，因此可以保证非法终端无法长时间占用 IP [81] 在第三个可选的实现方式中，接入设备在向地址服务器发送的请求消息中还包括请求地址服务器为终端分配临时 IP地址的标记，接入设备接收地址服务器返回的响应消息，响应消息中包含地址服务器接收到所述请求消息后为所述终端分配的 IP地址，以及接入设备接收到认证失败消息后，不向所述终端下发该 IP地址，同时向地址服务器发送包含所述终端的 MAC地址的撤销消息， DHCP服务器在接收到撤销消息后，根据 MAC地址查找租约表，得到所述终端的租约表项后，释放作为临时 IP地址的 IP地址，从而保证非法终端无法占用 IP资源。 [80] In a second optional implementation manner, the access device sends, in the request message sent to the address server, a short lease time that is requested by the address server to be allocated by the address server, and the access device receives the address server. The returned response message includes the IP address assigned to the terminal by the address server after receiving the request message, and the access device may send a release message to the address server after receiving the authentication failure message, and the address server receives the message. After the message is released, the IP address assigned to the terminal is released, or the access device discards the IP address assigned by the address server to the terminal, that is, the IP address is not sent to the terminal, and the address server is located at the address server. The IP address is released when the short lease time arrives. Since the short lease time is shorter than the preset lease time, it can ensure that the illegal terminal cannot occupy the IP for a long time. [81] In a third optional implementation manner, the access device further includes a requesting address server to allocate a temporary IP address to the terminal in the request message sent by the address server, and the access device receives the response message returned by the address server. The response message includes an IP address assigned to the terminal by the address server after receiving the request message, and the access device does not send the IP address to the terminal after receiving the authentication failure message, and sends the IP address to the address server. After receiving the revocation message of the MAC address of the terminal, after receiving the revocation message, the DHCP server searches the lease table according to the MAC address, obtains the lease entry of the terminal, and releases the IP address as the temporary IP address, thereby ensuring the illegal terminal. Unable to occupy IP resources.

[82] 由上述实施例可见，接入设备在获取到对终端的认证结果后，通过与 DHCP 服务器交互，使得 DHCP服务器可以快速释放为非法终端分配的 IP地址，从而使网络中的 IP资源不会被非法终端耗尽，保证合法终端可以接入网络。 [82] It can be seen from the foregoing embodiment that after the access device obtains the authentication result of the terminal, the DHCP server can quickly release the IP address assigned to the illegal terminal by interacting with the DHCP server, so that the IP resources in the network are not It will be exhausted by the illegal terminal, ensuring that the legitimate terminal can access the network.

[83] 参见图 1B，为应用本发明实施例的一种网络架构示意图： [83] Referring to FIG. 1B, a schematic diagram of a network architecture in which an embodiment of the present invention is applied:

[84] 图 1B中示出了一个 BSS，该 BSS内包括一个管理 BSS的接入设备 AP，以及三个终端，分别表示为 STA1、 STA2和 STA3。 BSS内的三个终端与该接入设备 AP相互关联，该 AP通常具有认证代理、接入控制、 IP地址分配代理等功能，本发明实施例中，在 BSS内的每个终端要接入网络时，需要通过 AP与认证服务器交互，对终端的身份进行认证，同时还需要通过接入设备与 DHCP服务器交互，获得一个 IP地址，终端可以通过该 IP地址接入网络，并实现与网络中其它终端的通信。 [84] A BSS is shown in FIG. 1B. The BSS includes an access device AP that manages the BSS, and three terminals, which are denoted as STA1, STA2, and STA3, respectively. The three terminals in the BSS are associated with the access device AP. The AP usually has the functions of an authentication proxy, an access control, an IP address assignment proxy, and the like. In the embodiment of the present invention, each terminal in the BSS needs to access the network. The AP needs to interact with the authentication server to authenticate the identity of the terminal. At the same time, the access device needs to interact with the DHCP server to obtain an IP address. The terminal can access the network through the IP address and implement other interfaces. Terminal communication.

[85] 下面结合图 1B示出的网络架构，以释放为第一终端分配的 IP地址为例，详细描述本发明实施例。 [85] The embodiment of the present invention is described in detail below by taking the network architecture shown in FIG. 1B as an example to release the IP address assigned to the first terminal.

[86] 参见图 2，为本发明释放 IP地址的方法的第二实施例流程图，该实施例示出了 AP 通过发送 DHCP释放消息请求 DHCP服务器释放为非法终端分配的 IP地址的过程： [86] FIG. 2 is a flowchart of a second embodiment of a method for releasing an IP address according to the present invention. The embodiment shows a process in which an AP requests a DHCP server to release an IP address assigned to an illegal terminal by sending a DHCP release message:

[87] 步骤 201 : AP向 DHCP服务器发送 DHCP请求消息，请求 DHCP服务器为第一终端分配 IP地址，该 DHCP请求消息中包含第一终端的第一 MAC地址。 [88] 本实施例中， AP作为所连接的第一终端的代理，可以通过与 DHCP服务器交互，请求 DHCP服务器为要接入网络的第一终端分配 IP地址。 AP在为终端请求 IP地址时，可以向 DHCP服务器发送包含该第一终端的第一 MAC地址的 DHCP请求消息（DHCP REQUEST ) ₀ [87] Step 201: The AP sends a DHCP request message to the DHCP server, requesting the DHCP server to allocate an IP address to the first terminal, where the DHCP request message includes the first MAC address of the first terminal. In this embodiment, the AP acts as a proxy for the connected first terminal, and can interact with the DHCP server to request the DHCP server to allocate an IP address for the first terminal to access the network. DHCP request to the AP when the terminal IP address or MAC address of the transmission comprising a first terminal of a first request message to the DHCP server (DHCP REQUEST) ₀

[89] 步骤 202 : AP获取认证服务器返回的第一终端的认证结果消息，该认证结果消息中包含第一终端的终端标识。 [90] 本发明实施例中对终端请求 IP 地址的过程与对终端的认证过程可以并行执行。其中，认证服务器可以具体为 AAA服务器，认证服务器对终端的认证过程与现有技术一致，例如，可以采用基于客户端 /服务器（Cl ient/Server )的访问控制和认证协议，比如 802. lx 认证。当认证结束后，认证服务器向 AP返回包含第一终端认证结果的认证结果消息，认证结果消息包括第一终端为合法终端时发送的认证成功消息或第一终端为非法终端时发送的认证失败消息。认证结果消息中还可以携带对话令牌（Dialog token ) , 通常对话令牌由 AP分配，用于标识 AP与认证服务器之间的认证对话， AP通过记录该对话令牌与终端 MAC地址的对应关系，识别不同终端的认证结果消息。 [89] Step 202: The AP acquires an authentication result message of the first terminal that is returned by the authentication server, where the authentication result message includes the terminal identifier of the first terminal. [90] The process of requesting an IP address for a terminal and the authentication process for a terminal in the embodiment of the present invention may be performed in parallel. The authentication server may be specifically an AAA server, and the authentication process of the authentication server is consistent with the prior art. For example, a client/server (Cient/Server)-based access control and authentication protocol, such as 802. lx authentication, may be adopted. . After the authentication is completed, the authentication server returns an authentication result message including the first terminal authentication result to the AP, where the authentication result message includes an authentication success message sent when the first terminal is a legal terminal or an authentication failure message sent when the first terminal is an illegal terminal. . The authentication result message may also carry a Dialog token. The dialog token is usually assigned by the AP to identify an authentication session between the AP and the authentication server. The AP records the correspondence between the session token and the terminal MAC address. , identify the authentication result message of different terminals.

[91] 步骤 203 : AP接收 DHCP服务器发送的 DHCP响应消息，该 DHCP响应消息包含 DHCP 服务器根据 DHCP请求消息为第一终端分配的第一 IP地址。 [91] Step 203: The AP receives a DHCP response message sent by the DHCP server, where the DHCP response message includes a first IP address allocated by the DHCP server to the first terminal according to the DHCP request message.

[92] DHCP服务器接收到 DHCP请求消息后，可以为第一终端分配第一 IP地址，并将该第一 IP地址携带在 DHCP响应消息（DHCP ACKNOWLEDGE 或者 DHCP OFFER) 中；相应的， DHCP 服务器在租约表中记录该第一终端的租约表项，该租约表项中包含第一终端的 IP 地址、第一 MAC地址、租约时间等信息。 [93] 需要说明的是，本发明实施例对步骤 202和步骤 203之间的执行顺序不进行限制。 [92] After receiving the DHCP request message, the DHCP server may allocate the first IP address to the first terminal, and carry the first IP address in a DHCP response message (DHCP ACKNOWLEDGE or DHCP OFFER); correspondingly, the DHCP server is A lease entry of the first terminal is recorded in the lease table, and the lease entry includes information such as an IP address, a first MAC address, and a lease time of the first terminal. It is to be noted that the embodiment of the present invention does not limit the order of execution between step 202 and step 203.

[94] 步骤 204: AP判断认证结果消息的类型，如果为认证失败消息，则执行步骤 205 ; 如果为认证成功消息，则执行步骤 208。 [204] Step 204: The AP determines the type of the authentication result message. If it is an authentication failure message, step 205 is performed; if it is an authentication success message, step 208 is performed.

[95] 步骤 205 : AP查找保存的终端标识与 MAC地址的对应关系，获取与第一终端的终端标识对应的第一终端的第一 MAC地址。 [96] AP中保存了各个终端的终端标识和 MAC地址的对应关系，当 AP接收到认证失败消息时，可以确定第一终端为非法终端， AP从认证失败消息中获取第一终端的终端标识，根据第一终端的终端标识查找保存的对应关系，获得与第一终端的终端标识对应的第一终端的第一 MAC地址。 [95] Step 205: The AP searches for the correspondence between the saved terminal identifier and the MAC address, and obtains the first MAC address of the first terminal corresponding to the terminal identifier of the first terminal. [96] The AP stores the correspondence between the terminal identifier and the MAC address of each terminal. When the AP receives the authentication failure message, the AP determines that the first terminal is an illegal terminal, and the AP obtains the terminal identifier of the first terminal from the authentication failure message. And searching for the saved correspondence according to the terminal identifier of the first terminal, and obtaining a first MAC address of the first terminal corresponding to the terminal identifier of the first terminal.

[97] 步骤 206 : AP向 DHCP服务器发送 DHCP释放消息，该 DHCP释放消息中包含第一 MAC 地址。 [97] Step 206: The AP sends a DHCP release message to the DHCP server, where the DHCP release message includes the first MAC address.

[98] 由于第一终端为非法终端，因此 AP向 DHCP服务器发送包含第一终端的第一 MAC地址的 DHCP释放消息 ( DHCP RELEASE )。 [98] Since the first terminal is an illegal terminal, the AP sends a DHCP release message (DHCP RELEASE) containing the first MAC address of the first terminal to the DHCP server.

[99] 步骤 207 : DHCP服务器接收到 DHCP释放消息后，根据第一 MAC地址查找到第一 IP 地址，并释放为第一终端分配的第一 IP地址，结束当前流程。 [100】DHCP服务器接收到 DHCP释放消息后，获取该消息中携带的第一 MAC地址，并根据第一 MAC地址查找租约表，获得第一终端的租约表项，释放该租约表项中为第一终端分配的第一 IP地址，从而保证 DHCP服务器可以快速释放为非法终端分配的 IP地址，防止非法终端的 IP地址攻击。 [101】步骤 208: AP将第一 IP地址下发给第一终端，结束当前流程。 [99] Step 207: After receiving the DHCP release message, the DHCP server searches for the first IP address according to the first MAC address, and releases the first IP address assigned to the first terminal, and ends the current process. [100] After receiving the DHCP release message, the DHCP server obtains the first MAC address carried in the message, and searches the lease table according to the first MAC address to obtain the lease entry of the first terminal, and releases the lease entry as the first The first IP address assigned by a terminal ensures that the DHCP server can quickly release the IP address assigned to the illegal terminal and prevent the IP address attack of the illegal terminal. [101] Step 208: The AP sends the first IP address to the first terminal, and ends the current process.

[102】另外，如果 AP 接收到认证成功消息，则可以根据认证成功消息确定第一终端为合法终端， AP将第一 IP地址下发给第一终端，第一终端按照 AP下发的第一 IP地址接入网络即可，该第一终端也可以在租约到达时请求续租第一 IP地址， DHCP服务器中相应保存第一终端的租约表项。 [103】由上述实施例可见，接入设备在获取到认证服务器对终端的认证结果后，通过向 DHCP服务器发送 DHCP释放消息，使得 DHCP服务器可以快速释放为非法终端分配的 IP 地址，从而使网络中的 IP资源不会被非法终端耗尽，保证合法终端可以接入网络。 [102] In addition, if the AP receives the authentication success message, the AP may determine that the first terminal is a legal terminal according to the authentication success message, and the AP sends the first IP address to the first terminal, and the first terminal sends the first one according to the AP. The IP address can be accessed by the network. The first terminal can also request to renew the first IP address when the lease arrives. The DHCP server stores the lease entry of the first terminal. [103] It can be seen from the foregoing embodiment that after obtaining the authentication result of the authentication server to the terminal, the access device sends a DHCP release message to the DHCP server, so that the DHCP server can quickly release the IP address assigned to the illegal terminal, thereby making the network The IP resources in the network will not be exhausted by the illegal terminal, ensuring that the legitimate terminal can access the network.

[104】参见图 3，为本发明释放 IP地址的方法的第三实施例流程图，该实施例示出了 AP 通过发送短租约时间以使 DHCP服务器可以在较短的时间内释放为非法终端分配的 IP地址，同时保证合法终端的对所分配 IP地址的续租： Referring to FIG. 3, it is a flowchart of a third embodiment of a method for releasing an IP address according to the present invention. The embodiment shows that an AP sends a short lease time to enable a DHCP server to be released as an illegal terminal in a short time. The assigned IP address, while ensuring the renewal of the assigned IP address by the legal terminal:

[105】步骤 301 : AP向 DHCP服务器发送 DHCP请求消息，请求 DHCP服务器为第一终端分配 IP地址，该 DHCP请求消息中包含第一终端的第一 MAC地址和请求 DHCP服务器为第一终端分配的短租约时间。 [105] Step 301: The AP sends a DHCP request message to the DHCP server, requesting the DHCP server to allocate an IP address to the first terminal, where the DHCP request message includes the first MAC address of the first terminal and the requesting DHCP server to allocate the first terminal. Short lease time.

[106】本实施例中， AP作为所连接的第一终端的代理，可以通过与 DHCP服务器交互，请求 DHCP服务器为要接入网络的第一终端分配 IP地址。 AP在为终端请求 IP地址时，可以向 DHCP服务器发送包含该第一终端的第一 MAC地址的 DHCP请求消息（DHCP REQUEST ), 进一步，该 DHCP请求消息与现有 DHCP请求消息相比，可以增加一个选项，该新增加的选项用于指示 DHCP服务器为第一终端分配一个较短的租约时间，由于该较短的租约时间低于预设的租约时间，因此本实施例中称该较短的租约时间为短租约时间，短租约时间可以根据需要进行设置，对此本发明实施例不进行限制。 In this embodiment, the AP acts as a proxy for the connected first terminal, and can interact with the DHCP server to request the DHCP server to assign an IP address to the first terminal to access the network. When requesting an IP address for the terminal, the AP may send a DHCP request message (DHCP REQUEST) including the first MAC address of the first terminal to the DHCP server. Further, the DHCP request message may be increased compared with the existing DHCP request message. An option, the newly added option is used to instruct the DHCP server to allocate a shorter lease time to the first terminal. Since the shorter lease time is lower than the preset lease time, the shorter one is called in this embodiment. The lease time is a short lease time, and the short lease time can be set as needed.

[107】步骤 302: AP获取认证服务器返回的第一终端的认证结果消息，该认证结果消息中包含第一终端的终端标识。 [107] Step 302: The AP obtains an authentication result message of the first terminal that is returned by the authentication server, where the authentication result message includes the terminal identifier of the first terminal.

[108】本发明实施例中对终端请求 IP 地址的过程与对终端的认证过程可以并行执行。其中，认证服务器可以具体为 AAA服务器，认证服务器对终端的认证过程与现有技术一致，例如，可以采用基于客户端 /服务器（Cl ient/Server)的访问控制和认证协议，比如 802. lx 认证。当认证结束后，认证服务器向 AP返回包含第一终端认证结果的认证结果消息，认证结果消息包括第一终端为合法终端时发送的认证成功消息或第一终端为非法终端时发送的认证失败消息。认证结果消息中还可以携带对话令牌（Dialog token ) , 通常对话令牌由 AP分配，用于标识 AP与认证服务器之间的认证对话， AP通过记录该对话令牌与终端 MAC地址的对应关系，识别不同终端的认证结果消息。 [108] The process of requesting an IP address for a terminal and the authentication process for a terminal in the embodiment of the present invention may be performed in parallel. The authentication server may be specifically an AAA server. The authentication process of the authentication server to the terminal is consistent with the prior art. For example, a client/server (Cl ient/Server)-based access control and authentication protocol may be used, such as 802. lx. Certification. After the authentication is completed, the authentication server returns an authentication result message including the first terminal authentication result to the AP, where the authentication result message includes an authentication success message sent when the first terminal is a legal terminal or an authentication failure message sent when the first terminal is an illegal terminal. . The authentication result message may also carry a Dialog token. The dialog token is usually assigned by the AP to identify an authentication session between the AP and the authentication server. The AP records the correspondence between the session token and the terminal MAC address. , identify the authentication result message of different terminals.

[109】步骤 303 : AP接收 DHCP服务器根据 DHCP请求消息为第一终端分配的第一 IP地址。 [109] Step 303: The AP receives the first IP address assigned by the DHCP server to the first terminal according to the DHCP request message.

[110】DHCP服务器接收到地址请求消息后，可以为第一终端分配第一 IP地址，并将该第一 IP地址携带在 DHCP响应消息（DHCP ACKNOWLEDGE 或者 DHCP Offer ) 中；相应的， DHCP 服务器在租约表中记录该第一终端的租约表项，该租约表项中包含第一终端的 IP 地址、第一 MAC地址、短租约时间等信息。 [110] After receiving the address request message, the DHCP server may allocate the first IP address to the first terminal, and carry the first IP address in a DHCP response message (DHCP ACKNOWLEDGE or DHCP Offer); correspondingly, the DHCP server is A lease entry of the first terminal is recorded in the lease table, and the lease entry includes information such as an IP address, a first MAC address, and a short lease time of the first terminal.

[111】需要说明的是，本发明实施例对步骤 302和步骤 303之间的执行顺序不进行限制。 [111] It should be noted that the embodiment of the present invention does not limit the order of execution between step 302 and step 303.

[112】步骤 304: 判断认证结果消息的类型，如果为认证失败消息，则执行步骤 305 ; 如果为认证成功消息，执行步骤 306。 [112] Step 304: Determine the type of the authentication result message, if it is an authentication failure message, execute step 305; if it is an authentication success message, perform step 306.

[113】步骤 305 : AP丢弃 DHCP服务器为第一终端分配的第一 IP地址，以及 DHCP服务器在短租约时间到达时释放第一 IP地址，结束当前流程。 [113] Step 305: The AP discards the first IP address assigned by the DHCP server to the first terminal, and the DHCP server releases the first IP address when the short lease time arrives, and ends the current process.

[114] AP根据认证失败消息确定第一终端为非法终端时，不将第一 IP地址下发给第一终端，并丢弃该第一 IP地址；相应的，由于 DHCP服务器在第一终端的租约表项中记录了第一终端的短租约时间，因此在短租约时间到达时，可以快速释放为非法的第一终端分配的第一 IP地址，使得第一终端无法接入网络，更不能对第一 IP地址进行续租，并且 DHCP服务器可以将第一 IP地址分配给其它合法终端，以防止非法终端的 IP地址攻击。 [114] The AP determines that the first terminal is an illegal terminal according to the authentication failure message, and does not send the first IP address to the first terminal, and discards the first IP address; correspondingly, the lease of the DHCP server at the first terminal The short lease time of the first terminal is recorded in the entry, so that when the short lease time arrives, the first IP address assigned to the illegal first terminal can be quickly released, so that the first terminal cannot access the network, and The first IP address is renewed, and the DHCP server can assign the first IP address to other legitimate terminals to prevent IP address attacks of the illegal terminal.

[115】另外， AP根据认证失败消息确定第一终端为非法终端时，也可以向 DHCP服务器发送包含第一终端的第一 MAC地址的 DHCP释放消息（DHCP RELEASE ) , DHCP服务器接收到 DHCP释放消息后，根据第一 MAC地址查找到第一 IP地址，并释放为第一终端分配的第一 IP地址。 [116】步骤 306 : AP将第一 IP地址下发给第一终端，以使第一终端在短租约时间到达前向 DHCP服务器请求续租第一 IP地址，结束当前流程。 [115] In addition, when determining that the first terminal is an illegal terminal according to the authentication failure message, the AP may also send a DHCP release message (DHCP RELEASE) including the first MAC address of the first terminal to the DHCP server, and the DHCP server receives the DHCP release message. After that, the first IP address is found according to the first MAC address, and the first IP address allocated for the first terminal is released. [116] Step 306: The AP sends the first IP address to the first terminal, so that the first terminal requests the DHCP server to renew the first IP address before the short lease time arrives, and ends the current process.

[117】AP根据认证成功消息确定第一终端为合法终端时，将第一 IP地址下发给第一终端，第一终端可以利用该第一 IP地址向 DHCP服务器请求续租；相应的， DHCP服务器可以在短租约时间到达前接收到合法的第一终端续租请求，从而为第一 IP地址分配预设的租约时间，保证第一终端正常的网络通信。 [117] When the AP determines that the first terminal is a legal terminal according to the authentication success message, the first IP address is sent to the first terminal, and the first terminal can use the first IP address to request to renew the lease from the DHCP server; correspondingly, DHCP The server may receive a legal first terminal renewal request before the short lease time arrives, thereby assigning a preset lease to the first IP address. Time, to ensure normal network communication of the first terminal.

[118】由上述实施例可见，接入设备在请求为终端分配 IP地址时，向 DHCP服务器发送短租约时间，从而在获取到认证服务器对终端的认证结果后，通过与 DHCP服务器交互，使得 DHCP服务器可以在短租约时间到达时，快速释放为非法终端分配的 IP地址，从而使网络中的 IP资源不会被非法终端耗尽，保证合法终端可以接入网络。 [118] It can be seen from the foregoing embodiment that when the access device requests to allocate an IP address to the terminal, the access device sends a short lease time to the DHCP server, so that after obtaining the authentication result of the authentication server to the terminal, by interacting with the DHCP server, The DHCP server can quickly release the IP address assigned to the illegal terminal when the short lease time arrives, so that the IP resources in the network are not exhausted by the illegal terminal, and the legal terminal can access the network.

[119】参见图 4，为本发明释放 IP地址的方法的第四实施例流程图，该实施例示出了 AP 通过发送撤销消息通知 DHCP服务器释放为非法终端分配的 IP地址的过程： Referring to FIG. 4, it is a flowchart of a fourth embodiment of a method for releasing an IP address according to the present invention. The embodiment shows a process in which an AP notifies a DHCP server to release an IP address assigned to an illegal terminal by sending a revocation message:

[120】步骤 401 : AP向 DHCP服务器发送地址请求消息，请求 DHCP服务器为第一终端分配临时 IP地址，该地址请求消息中包含第一终端的第一 MAC地址以及请求 DHCP服务器为第一终端分配临时 IP地址的标记。 [120] Step 401: The AP sends an address request message to the DHCP server, requesting the DHCP server to allocate a temporary IP address to the first terminal, where the address request message includes the first MAC address of the first terminal and the requesting DHCP server allocates the first terminal. The tag of the temporary IP address.

[121】本实施例中， AP作为所连接的第一终端的代理，可以通过与 DHCP服务器交互，请求 DHCP服务器为要接入网络的第一终端分配 IP地址。 AP在为终端请求 IP地址时，可以在现有的 DHCP请求消息中携带一个临时 IP地址的标记，请求 DHCP服务器为第一终端分配一个临时 IP地址。 [122】步骤 402: AP获取认证服务器返回的第一终端的认证结果消息，该认证结果消息中包含第一终端的终端标识。 In this embodiment, the AP acts as a proxy for the connected first terminal, and can interact with the DHCP server to request the DHCP server to assign an IP address to the first terminal to access the network. When the AP requests an IP address for the terminal, the AP may carry a temporary IP address tag in the existing DHCP request message, requesting the DHCP server to allocate a temporary IP address to the first terminal. [122] Step 402: The AP obtains an authentication result message of the first terminal that is returned by the authentication server, where the authentication result message includes the terminal identifier of the first terminal.

[123】本发明实施例中对终端请求 IP 地址的过程与对终端的认证过程可以并行执行。其中，认证服务器可以具体为 AAA服务器，认证服务器对终端的认证过程与现有技术一致，例如，可以采用基于客户端 /服务器（Cl ient/Server)的访问控制和认证协议，比如 802. lx 认证。当认证结束后，认证服务器向 AP返回包含第一终端认证结果的认证结果消息，认证结果消息包括第一终端为合法终端时发送的认证成功消息或第一终端为非法终端时发送的认证失败消息。认证结果消息中还可以携带对话令牌（Dialog token), 通常对话令牌由 AP分配，用于标识 AP与认证服务器之间的认证对话， AP通过记录该对话令牌与终端 MAC地址的对应关系，识别不同终端的认证结果消息。 [124】步骤 403: AP接收 DHCP服务器发送的地址响应消息，该地址响应消息包含 DHCP服务器根据地址请求消息为第一终端分配的第一 IP地址，同时 DHCP服务器为第一 IP地址添加临时标记。 [123] The process of requesting an IP address for a terminal and the authentication process for a terminal in the embodiment of the present invention may be performed in parallel. The authentication server may be specifically an AAA server, and the authentication process of the authentication server is consistent with the prior art. For example, a client/server (Cl ient/Server)-based access control and authentication protocol, such as 802. lx authentication, may be adopted. . After the authentication is completed, the authentication server returns an authentication result message including the first terminal authentication result to the AP, where the authentication result message includes an authentication success message sent when the first terminal is a legal terminal or an authentication failure message sent when the first terminal is an illegal terminal. . The authentication result message may also carry a Dialog token. Usually, the session token is allocated by the AP, and is used to identify an authentication session between the AP and the authentication server. The AP records the correspondence between the session token and the terminal MAC address. , identify the authentication result message of different terminals. [124] Step 403: The AP receives an address response message sent by the DHCP server, where the address response message includes a first IP address allocated by the DHCP server according to the address request message to the first terminal, and the DHCP server adds a temporary tag to the first IP address.

[125】DHCP服务器接收到地址请求消息后，可以为第一终端分配第一 IP地址，并将该第一 IP地址携带在地址响应消息中；相应的， DHCP服务器在租约表中记录该第一终端的租约表项，该租约表项中包含第一终端的第一 IP地址、第一 MAC地址、租约时间、以及临时标记等。 After receiving the address request message, the DHCP server may allocate the first IP address to the first terminal, and carry the first IP address in the address response message; correspondingly, the DHCP server records the first in the lease table. a lease entry of the terminal, where the lease entry includes a first IP address, a first MAC address, a lease time, and Temporary markings, etc.

[126】需要说明的是，本发明实施例对步骤 402和步骤 403之间的执行顺序不进行限制。 It is to be noted that the embodiment of the present invention does not limit the order of execution between step 402 and step 403.

[127】步骤 404: AP判断认证结果消息的类型，如果为认证失败消息，则执行步骤 405 ; 如果为认证成功消息，执行步骤 407。 [128】步骤 405 : AP向 DHCP服务器发送包含第一 MAC地址的撤销消息。 [127] Step 404: The AP determines the type of the authentication result message. If it is an authentication failure message, step 405 is performed; if it is an authentication success message, step 407 is performed. [128] Step 405: The AP sends a revocation message including the first MAC address to the DHCP server.

[129】当 AP根据认证失败消息确定第一终端为非法终端时， AP构建包含第一终端的第一 MAC地址的撤销消息，并将该撤销消息发送给 DHCP服务器。 [129] When the AP determines that the first terminal is an illegal terminal according to the authentication failure message, the AP constructs a revocation message including the first MAC address of the first terminal, and sends the revocation message to the DHCP server.

[130】步骤 406 : DHCP服务器接收到撤销消息后，根据第一 MAC地址查找到第一 IP地址，并释放为第一终端分配的第一 IP地址，结束当前流程。 [131】DHCP服务器接收到撤销消息后，获取撤销消息中的第一 MAC地址，根据第一 MAC地址查找租约表，获得第一终端的租约表项，释放该租约表项中为第一终端分配的第一 IP 地址，从而保证 DHCP服务器可以快速释放为非法终端分配的 IP地址，防止非法终端的 IP地址攻击。 [130] Step 406: After receiving the revocation message, the DHCP server searches for the first IP address according to the first MAC address, and releases the first IP address assigned to the first terminal, and ends the current process. After receiving the revocation message, the DHCP server obtains the first MAC address in the revocation message, searches the lease table according to the first MAC address, obtains the lease entry of the first terminal, and releases the first terminal allocation in the lease entry. The first IP address ensures that the DHCP server can quickly release the IP address assigned to the illegal terminal and prevent the IP address attack of the illegal terminal.

[132】步骤 407 : AP将第一 IP地址下发给第一终端，并向 DHCP服务器发送包含第一 MAC 地址的确认消息。 [132] Step 407: The AP sends the first IP address to the first terminal, and sends an acknowledgement message including the first MAC address to the DHCP server.

[133】当 AP 根据认证成功消息确定第一终端为合法终端时，将地址响应消息中携带的第一 IP地址下发给第一终端，并且 AP构建包含第一终端的第一 MAC地址的确认消息，并将该确认消息发送给 DHCP服务器。 [133] When the AP determines that the first terminal is a legal terminal according to the authentication success message, the first IP address carried in the address response message is sent to the first terminal, and the AP constructs a confirmation that the first MAC address of the first terminal is included. Message, and send the confirmation message to the DHCP server.

[134】步骤 408 : DHCP服务器接收到确认消息后，根据第一 MAC地址查找到第一 IP地址，并删除第一 IP地址的临时标记，结束当前流程。 [134] Step 408: After receiving the acknowledgement message, the DHCP server searches for the first IP address according to the first MAC address, and deletes the temporary identifier of the first IP address, and ends the current process.

[135】DHCP服务器接收到确认消息后，获取确认消息中的第一 MAC地址，根据第一 MAC地址查找租约表，获得第一终端的租约表项，删除该租约表项中为第一 IP地址设置的临时标记，从而保证合法的第一终端可以正常进行网络通信。 After receiving the acknowledgment message, the DHCP server obtains the first MAC address in the acknowledgment message, searches the lease table according to the first MAC address, obtains the lease entry of the first terminal, and deletes the first IP address in the lease entry. The temporary flag is set to ensure that the legal first terminal can perform network communication normally.

[136】由上述实施例可见，接入设备在获取到认证服务器对终端的认证结果后，通过向 DHCP服务器发送撤销消息，使得 DHCP服务器可以快速释放为非法终端分配的 IP地址，从而使网络中的 IP资源不会被非法终端耗尽，保证合法终端可以接入网络。 [136] It can be seen from the foregoing embodiment that after obtaining the authentication result of the authentication server to the terminal, the access device sends the revocation message to the DHCP server, so that the DHCP server can quickly release the IP address assigned to the illegal terminal, thereby making the network The IP resources will not be exhausted by the illegal terminal, ensuring that the legitimate terminal can access the network.

[137】与本发明释放 IP地址的方法的实施例相对应，本发明还提供了释放 IP地址的装置及接入设备, Corresponding to the embodiment of the method for releasing an IP address of the present invention, the present invention also provides a device for releasing an IP address. And access equipment,

[138】参见图 5，为本发明释放 IP地址的装置的实施例框图: [138] Referring to FIG. 5, it is a block diagram of an embodiment of an apparatus for releasing an IP address according to the present invention:

[139】该装置包括：发送单元 510、获取单元 520和交互单元 530。 The device includes: a transmitting unit 510, an obtaining unit 520, and an interaction unit 530.

[140】其中，发送单元 510，用于向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为终端分配 IP地址； [140] The sending unit 510 is configured to send a request message to the address server, where the request message is used to request the address server to allocate an IP address to the terminal;

[141】获取单元 520，用于获取所述终端的认证结果消息； [141] The obtaining unit 520 is configured to obtain an authentication result message of the terminal.

[142】交互单元 530，用于如果所述获取单元 520获取的认证结果消息为认证失败消息，则通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 [142] The interaction unit 530 is configured to: if the authentication result message acquired by the obtaining unit 520 is an authentication failure message, interact with the address server to release the address server as an IP address allocated by the terminal.

[143】在第一个具体的实施例中，所述交互单元 530可以包括： [144】第一地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； [143] In the first specific embodiment, the interaction unit 530 may include: [144] a first address receiving subunit, configured to receive a response message returned by the address server, where the response message includes Determining, by the address server, an IP address allocated to the terminal after receiving the request message;

[145】第一释放请求子单元，用于向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 [145] The first release request subunit is configured to send a release message to the address server, so that after the address server receives the release message, release the IP address.

[146】在第二个具体的实施例中，所述发送单元 510发送的所述请求消息中还包含地址服务器为所述终端分配的短租约时间； [146] In the second specific embodiment, the request message sent by the sending unit 510 further includes a short lease time allocated by the address server to the terminal;

[147】所述交互单元 530可以包括： [147] The interaction unit 530 can include:

[148】第二地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； [148] a second address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message;

[149】第二释放请求子单元，用于向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址；或者， [149] a second release request sub-unit, configured to send a release message to the address server, so that after the address server receives the release message, release the IP address; or

[150】地址丢弃子单元，用于丢弃所述第二地址接收子单元接收到的所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址； [150] an address discarding subunit, configured to discard an IP address allocated by the address server received by the second address receiving subunit for the terminal, so that the address server arrives at the short lease time Release the IP address;

[151】地址下发子单元，用于如果所述获取单元 520获取到的认证结果消息为认证成功消息，则在所述第二地址接收子单元接收到包含所述地址服务器为所述终端分配的 IP 地址的响应消息后，将所述 IP地址下发给所述终端。 [151] an address delivery subunit, configured to: if the authentication result message obtained by the obtaining unit 520 is an authentication success message, receive, by the second address receiving subunit, that the address server is included to allocate the terminal After the response message of the IP address, the IP address is sent to the terminal.

[152】在第三个具体的实施例中，所述发送单元 510发送的请求消息中还包括请求所述地址服务器为所述终端分配临时 IP地址的标记； [153】所述交互单元 530可以包括： [152] In the third specific embodiment, the request message sent by the sending unit 510 further includes requesting the address. The server allocates a tag of the temporary IP address to the terminal; [153] the interaction unit 530 may include:

[154】第三地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； [155】撤销请求子单元，用于向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址； [154] a third address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address by the terminal; [155] a requesting subunit, configured to send a revocation message to the address server, so that after the address server receives the revocation message, release the IP address as a temporary IP address;

[156】确认通知子单元，用于如果所述获取单元 520获取到的所述认证结果消息为认证成功消息，则在所述第三地址接收子单元接收到包含所述地址服务器为所述终端分配的作为临时 IP 地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 [156] A confirmation notification subunit, configured to: when the authentication result message acquired by the obtaining unit 520 is an authentication success message, receive, at the third address receiving subunit, the address server that is the terminal After the response message of the IP address as the temporary IP address is allocated, an acknowledgment message is sent to the address server, so that after the address server receives the acknowledgment message, the IP address is formally allocated to the terminal.

[157】参见图 6，为本发明接入设备的实施例框图： [157] Referring to FIG. 6, a block diagram of an embodiment of an access device of the present invention:

[158】该接入设备包括：总线 610，以及通过所述总线 610连接的客户端接口 620、网络接口 630和处理器 640。 The access device includes: a bus 610, and a client interface 620, a network interface 630, and a processor 640 connected by the bus 610.

[159】其中，所述客户端接口 620，用于连接终端； [160】所述网络接口 630，用于向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为所述终端分配 IP地址，以及获取所述终端的认证结果消息； [159] The client interface 620 is configured to connect to the terminal; [160] the network interface 630 is configured to send a request message to the address server, where the request message is used to request the address server to be the terminal. Assigning an IP address, and obtaining an authentication result message of the terminal;

[161】所述处理器 640，用于如果所述认证结果消息为认证失败消息，则通过所述网络接口与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 The processor 640 is configured to: if the authentication result message is an authentication failure message, interact with the address server by using the network interface, so that the address server releases an IP address allocated to the terminal. .

[162】在第一个具体的实施例中： [163】所述处理器 640，具体用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的一 IP地址，并通过所述网络接口向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 [162] In the first specific embodiment: [163] the processor 640 is specifically configured to receive a response message returned by the address server, where the response message includes the address server receiving the request The message is followed by an IP address assigned by the terminal, and a release message is sent to the address server through the network interface, so that after the address server receives the release message, the IP address is released.

[164】在第二个具体的实施例中: [165】所述网络接口 630 发送的请求消息中还包含请求所述地址服务器为所述终端分配的短租约时间； [166】所述处理器 640，具体用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址，并通过所述网络接口向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址，或者用于丢弃所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址； [164] In the second specific embodiment: [165] the request message sent by the network interface 630 further includes a short lease time requested by the address server for the terminal; The processor 640 is specifically configured to receive a response message returned by the address server, where the response message includes an IP address assigned by the address server to the terminal after receiving the request message, and The network interface sends a release message to the address server, so that the address server releases the IP address after receiving the release message, or is used to discard the IP address assigned by the address server to the terminal. So that the address server releases the IP address when the short lease time arrives;

[167】进一步，所述处理器 640，还用于如果所述认证结果消息为认证成功消息，则在所述网络接口接收到包含所述地址服务器为所述终端分配的 IP地址的响应消息后，将所述 IP地址下发给所述终端。 [106] Further, the processor 640 is further configured to: after the network interface receives the response message including the IP address allocated by the address server for the terminal, if the authentication result message is an authentication success message Sending the IP address to the terminal.

[168】在第三个具体的实施例中： [169】所述网络接口 630 发送的请求消息中还包括请求所述地址服务器为所述终端分配临时 IP地址的标记； [168] In the third specific embodiment: [169] the request message sent by the network interface 630 further includes a flag requesting the address server to allocate a temporary IP address to the terminal;

[170】所述网络接口 630，还用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； The network interface 630 is further configured to receive a response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address.

[171】所述处理器 640，具体用于通过所述网络接口向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的所述 IP地址； The processor 640 is specifically configured to send, by using the network interface, a revocation message to the address server, so that after the address server receives the revocation message, release the IP address;

[172】进一步，所述处理器 640，还用于如果所述认证结果消息为认证成功消息，则在所述网络接口接收到包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 [173】本实施例中，接入设备可以具体指 AP或者 AC等。 [172] Further, the processor 640 is further configured to: when the authentication result message is an authentication success message, receive, at the network interface, an IP that is a temporary IP address that is allocated by the address server to the terminal. After the response message of the address, the acknowledgment message is sent to the address server, so that after the address server receives the acknowledgment message, the IP address is formally allocated to the terminal. [173] In this embodiment, the access device may specifically refer to an AP or an AC.

[174】由上述实施例可见，接入设备向地址服务器发送用于请求所述地址服务器为终端分配 IP地址的请求消息，以及获取所述终端的认证结果消息，如果所述认证结果消息为认证失败消息，则所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。本发明实施例中接入设备在获取到对终端的认证结果后，通过与 DHCP服务器交互，使得 DHCP服务器可以快速释放为非法终端分配的 IP地址，从而使网络中的 IP 资源不会被非法终端耗尽，保证合法终端可以接入网络。。 [174] It can be seen from the above embodiment that the access device sends a request message for requesting the address server to allocate an IP address to the terminal, and obtains an authentication result message of the terminal, if the authentication result message is authentication. The failure message, the access device interacts with the address server to release the address server as an IP address allocated by the terminal. In the embodiment of the present invention, after obtaining the authentication result of the terminal, the access device interacts with the DHCP server, so that the DHCP server can quickly release the IP address assigned to the illegal terminal, so that the IP resources in the network are not illegal. Depleted, ensuring that legitimate terminals can access the network. .

[175】本领域的技术人员可以清楚地了解到本发明实施例中的技术可借助软件加必需的通用硬件平台的方式来实现。基于这样的理解，本发明实施例中的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来，该计算机软件产品可以存储在存储介质中，如 R0M/RAM、磁碟、光盘等，包括若干指令用以使得一台计算机设备（可以是个人计算机，服务器，或者网络设备等）执行本发明各个实施例或者实施例的某些部分所述的方法。 It will be apparent to those skilled in the art that the techniques in the embodiments of the present invention can be implemented by means of software plus a necessary general hardware platform. Based on such understanding, the technical solution in the embodiments of the present invention may be embodied in the form of a software product in essence or in the form of a software product. Stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform various embodiments or embodiments of the present invention. Some of the methods described.

[176】本说明书中的各个实施例均采用递进的方式描述，各个实施例之间相同相似的部分互相参见即可，每个实施例重点说明的都是与其他实施例的不同之处。尤其，对于*** 实施例而言，由于其基本相似于方法实施例，所以描述的比较简单，相关之处参见方法实施例的部分说明即可。 Each of the embodiments in the present specification is described in a progressive manner, and the same or similar portions between the various embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.

[177】以上所述的本发明实施方式，并不构成对本发明保护范围的限定。任何在本发明的精神和原则之内所作的修改、等同替换和改进等，均应包含在本发明的保护范围之内。 The above described embodiments of the invention are not intended to limit the scope of the invention. Any modifications, equivalent substitutions and improvements made within the spirit and scope of the invention are intended to be included within the scope of the invention.

~1~ ~1~

Claims

权利要求书 Claim

1、一种释放互联网协议 IP地址的方法，其特征在于，所述方法包括： A method for releasing an Internet Protocol IP address, the method comprising:

接入设备向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为终端分配 IP地址； The access device sends a request message to the address server, where the request message is used to request the address server to allocate an IP address for the terminal;

以及，所述接入设备获取所述终端的认证结果消息； And the access device acquires an authentication result message of the terminal;

如果所述认证结果消息为认证失败消息，则所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 And if the authentication result message is an authentication failure message, the access device interacts with the address server to release the address server as an IP address allocated by the terminal.

2、根据权利要求 1所述的方法，其特征在于，所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址，包括： The method of claim 1, wherein the access device interacts with the address server to release the IP address assigned by the address server to the terminal, including:

所述接入设备接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； Receiving, by the access device, a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message;

向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 And sending a release message to the address server, so that after the address server receives the release message, the IP address is released.

3、根据权利要求 1所述的方法，其特征在于，所述请求消息中还包含请求所述地址服务器为所述终端分配的短租约时间； The method according to claim 1, wherein the request message further includes a short lease time that is requested by the address server to be allocated to the terminal;

所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址，包括： The access device interacts with the address server to release the IP address assigned by the address server to the terminal, including:

向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址，或者丢弃所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址。 Sending a release message to the address server, so that after the address server receives the release message, releasing the IP address, or discarding an IP address assigned by the address server to the terminal, so that the address server The IP address is released when the short lease time arrives.

4、根据权利要求 3所述的方法，其特征在于，所述方法还包括： 4. The method according to claim 3, wherein the method further comprises:

如果所述认证结果消息为认证成功消息，则所述接入设备在接收到包含所述地址服务器为所述终端分配的 IP地址的响应消息后，将所述 IP地址下发给所述终端。 And if the authentication result message is an authentication success message, the access device sends the IP address to the terminal after receiving the response message that includes the IP address allocated by the address server for the terminal.

5、根据权利要求 1所述的方法，其特征在于，所述请求消息中还包括请求所述地址服务器为所述终端分配临时 IP地址的标记； The method according to claim 1, wherein the request message further includes a flag for requesting the address server to allocate a temporary IP address to the terminal;

所述接入设备通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 The access device interacts with the address server to release the address server for allocation to the terminal

IP地址，包括： IP address, including:

所述接入设备接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； Receiving, by the access device, a response message returned by the address server, where the response message includes the address service An IP address assigned to the terminal as a temporary IP address;

向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址。 Sending a revocation message to the address server, so that after the address server receives the revocation message, the IP address as the temporary IP address is released.

6、根据权利要求 5所述的方法，其特征在于，所述方法还包括： The method according to claim 5, wherein the method further comprises:

如果所述认证结果消息为认证成功消息，则所述接入设备在接收到包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 If the authentication result message is an authentication success message, the access device sends a confirmation to the address server after receiving the response message including the IP address of the temporary IP address allocated by the address server for the terminal. a message, after the address server receives the confirmation message, formally assigning the IP address to the terminal.

7、一种释放 IP地址的装置，其特征在于，所述装置包括： 7. A device for releasing an IP address, the device comprising:

发送单元，用于向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为终端分配 IP地址； a sending unit, configured to send a request message to the address server, where the request message is used to request the address server to allocate an IP address for the terminal;

获取单元，用于获取所述终端的认证结果消息； An obtaining unit, configured to obtain an authentication result message of the terminal;

交互单元，用于如果所述获取单元获取的认证结果消息为认证失败消息，则通过与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 The interaction unit is configured to: if the authentication result message obtained by the acquiring unit is an authentication failure message, interact with the address server to release the address server as an IP address allocated by the terminal.

8、根据权利要求 7所述的装置，其特征在于，所述交互单元包括： The device according to claim 7, wherein the interaction unit comprises:

第一地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； a first address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message;

第一释放请求子单元，用于向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 And a first release request subunit, configured to send a release message to the address server, so that after the address server receives the release message, release the IP address.

9、根据权利要求 7所述的装置，其特征在于， 9. Apparatus according to claim 7 wherein:

所述发送单元发送的所述请求消息中还包含地址服务器为所述终端分配的短租约时间；所述交互单元包括： The request message sent by the sending unit further includes a short lease time allocated by the address server to the terminal; the interaction unit includes:

第二地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址； a second address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message;

第二释放请求子单元，用于向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址；或者， a second release request subunit, configured to send a release message to the address server, so that after the address server receives the release message, release the IP address; or

地址丢弃子单元，用于丢弃所述第二地址接收子单元接收到的所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址。 An address discarding subunit, configured to discard an IP address allocated by the address server received by the second address receiving subunit for the terminal, so that the address server releases the shortest lease time IP address.

10、根据权利要求 9所述的装置，其特征在于，所述交互单元还包括： The device according to claim 9, wherein the interaction unit further comprises:

地址下发子单元，用于如果所述获取单元获取到的认证结果消息为认证成功消息，则在所述第二地址接收子单元接收到包含所述地址服务器为所述终端分配的 IP 地址的响应消息后，将所述 IP地址下发给所述终端。 An address sending subunit, configured to: if the authentication result message obtained by the obtaining unit is an authentication success message, After receiving the response message including the IP address allocated by the address server for the terminal, the second address receiving sub-unit sends the IP address to the terminal.

11、根据权利要求 7所述的装置，其特征在于， 11. Apparatus according to claim 7 wherein:

所述发送单元发送的请求消息中还包括请求所述地址服务器为所述终端分配临时 IP 地址的标记； The request message sent by the sending unit further includes a flag requesting the address server to allocate a temporary IP address to the terminal;

所述交互单元包括： The interaction unit includes:

第三地址接收子单元，用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； a third address receiving subunit, configured to receive a response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address for the terminal;

撤销请求子单元，用于向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址。 And a revocation request subunit, configured to send a revocation message to the address server, so that after the address server receives the revocation message, release the IP address as a temporary IP address.

12、根据权利要求 11所述的装置，其特征在于，所述交互单元还包括： The device according to claim 11, wherein the interaction unit further comprises:

确认通知子单元，用于如果所述获取单元获取到的所述认证结果消息为认证成功消息，则在所述第三地址接收子单元接收到包含所述地址服务器为所述终端分配的作为临时 IP 地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 a confirmation notification subunit, configured to: if the authentication result message acquired by the obtaining unit is an authentication success message, receive, at the third address receiving subunit, that the address server is allocated to the terminal as a temporary After the response message of the IP address of the IP address, the acknowledgment message is sent to the address server, so that after the address server receives the acknowledgment message, the IP address is formally allocated to the terminal.

13、一种接入设备，其特征在于，所述接入设备包括：总线以及通过所述总线连接的客户端接口、网络接口和处理器；其中， An access device, comprising: a bus; and a client interface, a network interface, and a processor connected through the bus; wherein

所述客户端接口，用于连接终端； The client interface is used to connect to the terminal;

所述网络接口，用于向地址服务器发送请求消息，所述请求消息用于请求所述地址服务器为所述终端分配 IP地址，以及获取所述终端的认证结果消息； The network interface is configured to send a request message to the address server, where the request message is used to request the address server to allocate an IP address for the terminal, and obtain an authentication result message of the terminal;

所述处理器，用于如果所述认证结果消息为认证失败消息，则通过所述网络接口与所述地址服务器交互，以使所述地址服务器释放为所述终端分配的 IP地址。 The processor is configured to, if the authentication result message is an authentication failure message, interact with the address server through the network interface, so that the address server releases an IP address allocated to the terminal.

14、根据权利要求 13所述的接入设备，其特征在于， 14. The access device of claim 13, wherein

所述处理器，具体用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址，并通过所述网络接口向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址。 The processor is specifically configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message, and the network interface is configured by the network interface. Sending a release message to the address server, so that after the address server receives the release message, releasing the IP address.

15、根据权利要求 13所述的接入设备，其特征在于， 15. The access device of claim 13, wherein

所述网络接口发送的请求消息中还包含请求所述地址服务器为所述终端分配的短租约时间；所述处理器，具体用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器接收到所述请求消息后为所述终端分配的 IP地址，并通过所述网络接口向所述地址服务器发送释放消息，以使所述地址服务器接收到所述释放消息后，释放所述 IP地址，或者用于丢弃所述地址服务器为所述终端分配的 IP地址，以使所述地址服务器在所述短租约时间到达时释放所述 IP地址。 The request message sent by the network interface further includes a short lease time that is requested by the address server to be allocated to the terminal; The processor is specifically configured to receive a response message returned by the address server, where the response message includes an IP address allocated by the address server to the terminal after receiving the request message, and the network interface is configured by the network interface. Sending a release message to the address server, so that after the address server receives the release message, releasing the IP address, or for discarding an IP address assigned by the address server to the terminal, so that the The address server releases the IP address when the short lease time arrives.

16、根据权利要求 15所述的接入设备，其特征在于， 16. The access device of claim 15, wherein

所述处理器，还用于如果所述认证结果消息为认证成功消息，则在所述网络接口接收到包含所述地址服务器为所述终端分配的 IP地址的响应消息后，将所述 IP地址下发给所述终端。 The processor is further configured to: after the network interface receives the response message including the IP address allocated by the address server for the terminal, if the authentication result message is an authentication success message, the IP address is Is sent to the terminal.

17、根据权利要求 13所述的接入设备，其特征在于， 17. The access device of claim 13, wherein

所述网络接口发送的请求消息中还包括请求所述地址服务器为所述终端分配临时 IP 地址的标记； The request message sent by the network interface further includes a flag requesting the address server to allocate a temporary IP address to the terminal;

所述网络接口，还用于接收所述地址服务器返回的响应消息，所述响应消息中包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址； The network interface is further configured to receive a response message returned by the address server, where the response message includes an IP address that is allocated by the address server as the temporary IP address for the terminal;

所述处理器，具体用于通过所述网络接口向所述地址服务器发送撤销消息，以使所述地址服务器接收到所述撤销消息后，释放所述作为临时 IP地址的 IP地址。 The processor is specifically configured to send a revocation message to the address server by using the network interface, so that after the address server receives the revocation message, the IP address that is a temporary IP address is released.

18、根据权利要求 17所述的接入设备，其特征在于， 18. The access device of claim 17, wherein

所述处理器，还用于如果所述认证结果消息为认证成功消息，则在所述网络接口接收到包含所述地址服务器为所述终端分配的作为临时 IP地址的 IP地址的响应消息后，向所述地址服务器发送确认消息，以使所述地址服务器接收到所述确认消息后，将所述 IP地址正式分配给所述终端。 The processor is further configured to: after the network interface receives the response message including the IP address of the temporary IP address allocated by the address server for the terminal, if the authentication result message is an authentication success message, Sending an acknowledgement message to the address server, so that after the address server receives the acknowledgement message, the IP address is formally allocated to the terminal.