
CN102340509B - Access control method and equipment for dual-stack user - Google Patents


Info

Publication number: CN102340509B
Application number: CN201110325237.3A
Other versions: CN102340509A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Active
Inventor: 林涛
Original assignee: Hangzhou H3C Technologies Co Ltd
Current assignee: New H3C Information Technologies Co Ltd
Prior art keywords: address, client, server, ipv4, ipv6

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an access control method and equipment for a dual-stack user. The method and equipment are used in a PORTAL network system, wherein a mapping algorithm between an IPv4 address and an IPv6 address is configured on a DHCPv4 server, a DHCPv6 server and a PORTAL authentication gateway respectively. The method comprises the following steps that: when the DHCPv4/DHCPv6 server receives an address allocation request of the client, the DHCPv4/DHCPv6 server judges whether an IP address of a corresponding protocol is pre-allocated to the client; if so, the DHCPv4/DHCPv6 server allocates the pre-allocated IP address to the client; otherwise, the DHCPv4/DHCPv6 server allocates an IP address to the client, and pre-allocates an IP address of another protocol to the client according to the mapping algorithm between the IPv4 address and the IPv6 address; when the PORTAL authentication gateway receives a network access request based on the IPv4 address or the IPv6 address from the client and the client passes the authentication, the PORTAL authentication gateway obtains an IP address of the other protocol according to the mapping algorithm between the IPv4 address and the IPv6 address, and performs network access right control on the client according to the IPv4 address and the IPv6 address of the client.

Description

Method and apparatus for dual-stack user access control
Technical field
The present invention relates to video supervision techniques in the field of communication technology, and in particular to a method and apparatus for controlling the access of dual-stack users.
Background technology
IPv6 (Internet Protocol Version 6) is the second-generation standard network layer protocol, also referred to as IPng (IP Next Generation). It is a set of specifications designed by the IETF (Internet Engineering Task Force) and is the upgraded version of IPv4. The most significant difference between IPv6 and IPv4 is that the length of the IP address increases from 32 bits to 128 bits.
An IPv6 address can be configured manually or by automatic configuration; automatic configuration includes ND stateless address autoconfiguration and DHCP (Dynamic Host Configuration Protocol) stateful configuration. DHCPv6 (DHCP for IPv6) is a protocol designed for the IPv6 addressing scheme that assigns IPv6 addresses and other network configuration parameters to hosts. Compared with the other IPv6 address assignment methods (manual configuration, and stateless autoconfiguration from the network prefix carried in Router Advertisement messages), DHCPv6 has the following advantages:
(1) Address assignment is controlled better. DHCPv6 not only records the addresses assigned to hosts, but can also assign specific addresses to particular hosts, which eases network management;
(2) Besides IPv6 addresses, it can provide hosts with network configuration parameters such as the DNS (Domain Name System) server and the domain name.
DHCPv6 uses a client/server communication model: the client sends a configuration request to the server, and the server returns the corresponding configuration information, such as the IP address assigned to the client, so that information such as IP addresses is configured dynamically. A DHCPv6 client communicates with the DHCPv6 server through a link-scoped multicast address to obtain an IPv6 address and other network configuration parameters. If the server and the client are not within the same link scope, messages must be forwarded by a DHCPv6 relay; this avoids deploying a DHCPv6 server in every link scope, which both saves cost and makes centralized management easier.
Portal, also referred to as the Web Portal scheme, usually consists of five basic elements in its classical networking model: the authentication client, the access device, the Portal server, the authentication/accounting server and the security policy server.
Based on the above networking architecture, the user access control process mainly comprises the following:
When an unauthenticated user accesses the network, the user enters an Internet address in the IE address bar, which initiates an HTTP (HyperText Transfer Protocol) request; the access device redirects this HTTP request to the Web authentication home page of the Portal server. After the user enters authentication information on the authentication home page/authentication dialog and submits it, the Portal server passes the user's authentication information to the access device. The access device communicates with the authentication/accounting server to perform authentication and accounting. After authentication passes, if no security policy is applied to the user, the access device opens the path between the user and the Internet and allows the user to access the Internet; if a security policy is applied to the user, the client, the access device and the security policy server interact, and after the user passes the security check, the security policy server authorizes the user to access unrestricted resources according to the user's security authorization.
In a PORTAL network, if a user is to be controlled on IPv4 and IPv6 at the same time (written IPv4/IPv6 below), the access device must be able to distinguish the IPv4 access process and the IPv6 access process of the same user, that is, it must be able to learn the IPv4 address and the IPv6 address of the same user from the address allocation process. If the two processes can be distinguished, a user information table of MAC + IPv4 address + IPv6 address is generated, and the user's IPv4/IPv6 access rights are then controlled based on the MAC (Media Access Control) address. In this way, as long as the user passes one PORTAL authentication, whether IPv4 PORTAL or IPv6 PORTAL, dual-stack access control can be performed.
In the prior art, the access device needs to associate the user's IPv4 and IPv6 access information by MAC address, and after PORTAL authentication passes it controls the user's IPv4/IPv6 access process according to this information.
In the course of making the present invention, the inventor found that the prior art has at least the following defects:
(1) When the PORTAL authentication gateway is deployed at the aggregation layer, that is, beyond a layer-3 device, the user's MAC address information may be lost at the intermediate routing device, so the association between the IPv4/IPv6 addresses of the same user cannot be established.
(2) In the DHCPv4 address allocation process the MAC address is always present in the DHCP message, but in the DHCPv6 process, if the DUID (DHCPv6 Unique ID, the unique identifier used by DHCPv6) does not contain the MAC address (for example, a Type 2 DUID does not), the MAC address information no longer exists after the DHCPv6 server relay, and the association between the IPv4/IPv6 addresses of the same user cannot be established.
(3) If the messages of the address allocation process do not pass through the PORTAL authentication gateway located in the BAS (Broadband Access Server), the PORTAL authentication gateway cannot learn the relationship between the user's IPv4/IPv6 address information.
In each of the above situations the PORTAL authentication gateway cannot know the association between the IPv4/IPv6 addresses of the same user, and therefore cannot perform dual-stack access control for the same user.
Summary of the invention
The present invention provides a method and apparatus for dual-stack user access control, to solve the prior-art problem that the PORTAL authentication gateway cannot know the association between the IPv4/IPv6 addresses of the same user and therefore cannot perform dual-stack access control for that user.
The method for dual-stack user access control provided by the present invention is applied to a PORTAL network system in which a mapping algorithm between IPv4 addresses and IPv6 addresses is configured on the DHCPv4 server, the DHCPv6 server and the PORTAL authentication gateway in the access device of the PORTAL network system. The method comprises:
When the DHCPv4 server or the DHCPv6 server receives an address allocation request from a client, it determines whether an IP address of the corresponding protocol has been pre-allocated to the client; if so, it assigns the IP address pre-allocated for the client to the client; otherwise, it allocates an IP address to the client and, according to the mapping algorithm between IPv4 addresses and IPv6 addresses, pre-allocates an IP address of the other protocol to the client;
When the PORTAL authentication gateway receives a network access request from the client based on an IPv4 address or an IPv6 address, and after the client passes authentication, it obtains the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and performs network access right control on the client according to the client's IPv4 address and IPv6 address.
The PORTAL authentication gateway provided by the present invention is located in the access device of a PORTAL network system. The mapping algorithm between IPv4 addresses and IPv6 addresses is configured in the PORTAL authentication gateway, and it is identical to the mapping algorithm configured in the DHCPv4/DHCPv6 server that cooperates with this gateway; when the DHCPv4/DHCPv6 server allocates an IP address to a client, it pre-allocates the IP address of the other protocol according to the mapping algorithm. The PORTAL authentication gateway comprises a control unit, an authentication unit, an address mapping unit and an access control unit, wherein:
The control unit, after the PORTAL authentication gateway receives a network access request from the client, instructs the authentication unit to authenticate the client; after the authentication unit has authenticated the client, it instructs the address mapping unit to perform address mapping and instructs the access control unit to perform network access right control on the client according to the address obtained by the address mapping unit;
The authentication unit, according to the instruction of the control unit, authenticates the client through the PORTAL server and the authentication and accounting server;
The address mapping unit, according to the instruction of the control unit, obtains the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses;
The access control unit, according to the instruction of the control unit, performs network access right control on the client according to the client's IPv4 address and IPv6 address.
Compared with the prior art, the present invention has the following beneficial effects:
By configuring the mapping algorithm between IPv4 addresses and IPv6 addresses on the DHCPv4 server, the DHCPv6 server and the PORTAL authentication gateway in the access device of the PORTAL network system, the DHCPv4/DHCPv6 server, when allocating an IP address to a client, can pre-allocate the IP address of the other protocol according to the mapping algorithm, so that the IPv4 address and the IPv6 address of the same client stand in a mapping relationship. Because the same mapping algorithm is also deployed on the PORTAL authentication gateway, the gateway can compute the IP address of the other protocol from the IPv4 address or the IPv6 address, obtain the mapping between the IPv4 address and the IPv6 address of the same client, and thus perform right control on the dual-stack access of the same client.
The present invention also provides a DHCP server, to solve the existing problem that a mapping between IPv4 addresses and IPv6 addresses cannot be established on the basis of MAC addresses in the DHCP IP address allocation process.
The DHCP server provided by the present invention is applied to a PORTAL network system. The mapping algorithm between IPv4 addresses and IPv6 addresses is configured in the DHCP server, and it is identical to the mapping algorithm configured in the PORTAL authentication gateway that cooperates with this DHCP server. The DHCP server comprises:
A receiving unit, for receiving the address allocation request of a client;
A judging unit, for judging, according to the address allocation request received by the receiving unit, whether a pre-allocated IP address of the corresponding protocol is recorded for the identifier of the client;
An allocation unit, configured with the mapping algorithm between IPv4 addresses and IPv6 addresses, for assigning the IP address pre-allocated for the client to the client when the judging unit judges yes; and, when the judging unit judges no, for allocating an IP address to the client, pre-allocating the IP address of the other protocol to the client according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and recording the correspondence between the identifier of the client and the IP addresses allocated and pre-allocated for the client;
Wherein, when the DHCP server is a DHCPv4 server, the IP address of the other protocol is an IPv6 address; when the DHCP server is a DHCPv6 server, the IP address of the other protocol is an IPv4 address.
Compared with the prior art, the present invention has the following beneficial effects:
By configuring the mapping algorithm between IPv4 addresses and IPv6 addresses, an IPv6 address is pre-allocated according to the mapping algorithm at the same time as an IPv4 address is allocated to the client, and when an IPv6 address is later allocated to this client the pre-allocated IPv6 address is used directly, and vice versa. A mapping between the identifier of the client and the IPv4 address and IPv6 address allocated to that client can therefore be established. This solves the problem in the existing DHCPv6 process that, because the DUID does not contain the MAC address, the MAC address information no longer exists after the DHCPv6 server relay, so that the DHCPv6 server cannot establish the mapping between the IPv4 address and the IPv6 address allocated to the same client.
Brief description of the drawings
Fig. 1 is a schematic diagram of the Portal system networking architecture in an embodiment of the present invention;
Fig. 2 is a schematic flow chart of address allocation provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the address reclaim flow provided by an embodiment of the present invention;
Fig. 4 is a schematic flow chart of access control provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the offline processing flow provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the PORTAL authentication gateway provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of the DHCP server provided by an embodiment of the present invention.
Embodiment
For the case in which the PORTAL authentication gateway in the access device cannot obtain the dual-stack address association information of a dual-stack user, the embodiments of the present invention propose a dual-stack address association scheme and use this association to control the user's network access. Specifically, the embodiments deploy a mapping algorithm between IPv4/IPv6 addresses on the DHCPv4/DHCPv6 server and the PORTAL authentication gateway, and when an IPv4 address or an IPv6 address is allocated to a user, the IP address of the other protocol is pre-allocated, thereby establishing the IPv4/IPv6 user association, so that the user's dual-stack right control can be completed on the PORTAL authentication gateway.
The embodiments of the present invention are described in detail below with reference to the drawings.
In the PORTAL networking architecture of the embodiments, the DHCPv4/DHCPv6 server is deployed at the aggregation layer of the PORTAL networking architecture and interconnected with the access layer. Specifically, the DHCPv4/DHCPv6 server is deployed on the same aggregation device as one functional module or as different functional modules, or on different aggregation devices as different functional modules, or as an independent device connected to the aggregation device, and is interconnected with the access device at layer 2, so that it can be interconnected with all users at layer 2. The DHCPv4/DHCPv6 server is deployed in the same link as the access users, and the DHCPv4/DHCPv6 server database is shared. If the DHCPv4 server and the DHCPv6 server are deployed separately on the same aggregation device or on different aggregation devices, the DHCPv4 server and the DHCPv6 server must be able to communicate with each other.
A PORTAL authentication gateway is deployed on the BAS, and the PORTAL authentication gateway and the PORTAL server jointly complete PORTAL authentication.
In order for all devices to learn the dual-stack addresses of a user synchronously, the embodiments design an algorithm that maps IPv4 addresses and IPv6 addresses one-to-one, and deploy this algorithm on the DHCPv4/DHCPv6 server and the PORTAL authentication gateway. Specifically, the algorithm can be: the IPv4 address is uniquely mapped to the last 32 bits of an IPv6 address with a fixed 96-bit prefix. Of course, any algorithm that achieves a unique mapping between IPv4 addresses and IPv6 addresses falls within the scope of protection of the present invention.
Fig. 1 shows a schematic diagram of the PORTAL networking architecture when the DHCPv4/DHCPv6 server is deployed on the same aggregation device as one functional module.
Based on the above networking architecture, whenever the DHCPv4 server (which may be called the DHCPv4/DHCPv6 server here, when the DHCPv4/DHCPv6 server is deployed as one functional module) allocates an IPv4 address, it obtains the corresponding IPv6 address through this algorithm, marks this IPv6 address as pre-allocated, and records the correspondence between the identifier of the user (for example the user's MAC address or user name) and the allocated IPv4 address and the pre-allocated IPv6 address, so that when this user requests an IPv6 address, the IPv6 address pre-allocated for the user can be assigned to the user. Likewise, whenever the DHCPv6 server (which may be called the DHCPv4/DHCPv6 server here, when the DHCPv4/DHCPv6 server is deployed as one functional module) allocates an IPv6 address, it pre-allocates an IPv4 address for the user through this algorithm and records the correspondence between the identifier of the user and the allocated IPv6 address and the pre-allocated IPv4 address, so that when the user requests an IPv4 address, the IPv4 address pre-allocated for the user can be assigned to the user. Fig. 2 and Fig. 3 show a specific flow of address allocation and management.
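The fixed-prefix mapping described above, written out as an added example (this code is not part of the patent and is not H3C's implementation). The prefix `2001:db8:ffff::/96` is a constructed stand-in from the documentation range, since the patent names no prefix; the check that an IPv6 address actually lies inside the configured prefix before deriving an IPv4 address from it is the caveat a gateway operator would want, because a deterministic mapping will happily produce an IPv4 address for any 128-bit input.

```python
import ipaddress

# Constructed example: the fixed 96-bit prefix that the DHCPv4/DHCPv6 server
# and the PORTAL authentication gateway must share. The patent does not name
# a prefix; the documentation range 2001:db8::/32 is used as a stand-in.
MAPPING_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")


def check_prefix(prefix: ipaddress.IPv6Network) -> None:
    """The mapping is one-to-one only when the prefix is exactly 96 bits long,
    which leaves exactly 32 bits for the embedded IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError(f"mapping prefix must be /96, got /{prefix.prefixlen}")


def ipv4_to_ipv6(v4: str, prefix: ipaddress.IPv6Network = MAPPING_PREFIX) -> str:
    """Map an IPv4 address to the IPv6 address whose first 96 bits are the
    fixed prefix and whose last 32 bits are the IPv4 address itself."""
    check_prefix(prefix)
    v4_bits = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4_bits))


def ipv6_to_ipv4(v6: str, prefix: ipaddress.IPv6Network = MAPPING_PREFIX) -> str:
    """Inverse mapping. Any IPv6 address outside the configured prefix is
    rejected: the gateway must not derive an IPv4 address (and open rights
    for it) from an address that was never allocated under the mapping."""
    check_prefix(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not within mapping prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def round_trip_ok(v4: str) -> bool:
    """Startup consistency check: mapping forward and back must return the
    original address for every IPv4 address the DHCPv4 pool can hand out."""
    return ipv6_to_ipv4(ipv4_to_ipv6(v4)) == v4


if __name__ == "__main__":
    print(ipv4_to_ipv6("10.0.0.1"))          # 2001:db8:ffff::a00:1
    print(ipv6_to_ipv4("2001:db8:ffff::a00:1"))
```

Because both sides compute the same function, the only configuration that must agree between the DHCP servers and the gateway is the prefix; `round_trip_ok` is the kind of check worth running against the whole pool when that configuration changes.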
Fig. 2 is a schematic flow chart of address management provided by an embodiment of the present invention. As shown in the figure, the flow can comprise:
Step 201: the DHCPv4 server receives an IPv4 address allocation request sent by the user through the client.
Step 202: the DHCPv4 server judges whether an IPv4 address has been pre-allocated for this user; if yes, proceed to step 203; otherwise, proceed to step 204.
Specifically, because the DHCPv4 server and the DHCPv6 server are deployed in the same link as the access users and share their databases, and because the DHCPv6 server, when allocating an IPv6 address to a user, has also pre-allocated an IPv4 address for that user and recorded the correspondence between the identifier of the user and the allocated IPv6 address and the pre-allocated IPv4 address, the DHCPv4 server can query the database of the DHCPv6 server to determine, by the identifier of this user, whether an IPv4 address has been pre-allocated for the user. Of course, the DHCPv6 server can also synchronize the correspondence between the identifier of the user and the allocated IPv6 address and the pre-allocated IPv4 address to the database of the DHCPv4 server, so that the DHCPv4 server queries its own database to determine, by the identifier of this user, whether an IPv4 address has been pre-allocated for the user.
Step 203: the DHCPv4 server assigns the IPv4 address pre-allocated for this user to the user.
Step 204: the DHCPv4 server allocates an IPv4 address to the user, and pre-allocates an IPv6 address for the user according to the mapping algorithm between IPv4 addresses and IPv6 addresses configured on it.
Specifically, after the DHCPv4 server has allocated the IPv4 address, it obtains the IPv6 address corresponding to this IPv4 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses configured on it, and marks this IPv6 address as pre-allocated. The DHCPv4 server then records in its database the correspondence between the identifier of the user, the IPv4 address allocated to the user and the IPv6 address pre-allocated for the user. Further, the DHCPv4 server can also synchronize this correspondence information to the database of the DHCPv6 server.
Referring to Fig. 3, when the user's address is released, the flow can comprise the following steps:
Step 301: after receiving the user's IPv4 address release request, the DHCPv4 server does not release the address directly, but marks it as pre-allocated.
Step 302: the DHCPv4 server judges the state of the user's IPv6 address; if the IPv6 address is marked as pre-allocated, proceed to step 303; otherwise, end this address reclaim and release flow.
Specifically, the DHCPv4 server learns the state of the IPv6 address mark by querying the correspondence between the identifier of this user and the IPv4 address and the IPv6 address. If the IPv6 address is marked as pre-allocated, either the user has not yet requested an IPv6 address, or the user had requested an IPv6 address but has already released it; in either case the IPv6 address is currently not in use by the user, and the IPv4 address and the IPv6 address corresponding to the user can now be reclaimed. If the IPv6 address is not marked as pre-allocated, the IPv6 address is currently in use by the user, and the IPv4 address and the IPv6 address corresponding to the user are released together only after the IPv6 address is released.
Step 303: the DHCPv4/DHCPv6 server reclaims the IPv4 address and the IPv6 address, and deletes the correspondence between the identifier of this user and the IPv4 address and the IPv6 address.
It should be noted that the flows shown in Fig. 2 and Fig. 3 are described for the allocation and reclaim of IPv4 addresses; the allocation and reclaim of IPv6 addresses are similar and are not repeated here.
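The allocation flow of Fig. 2 (steps 201 to 204) and the release flow of Fig. 3 (steps 301 to 303), together with their IPv6 mirror images, modelled as one shared DHCPv4/DHCPv6 database. This is an added example, not the patent's or H3C's code. It assumes a constructed /96 mapping prefix, a small constructed IPv4 pool, and, as a design choice the patent leaves open, that the IPv6 pool is simply the image of the IPv4 pool under the mapping, so a fresh IPv6 allocation takes a free IPv4 address and derives the IPv6 address from it. The client identifier is whatever the server keys its records on (the patent mentions the MAC address or the user name).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /96 prefix shared with the PORTAL authentication gateway.
PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")

ASSIGNED, PREALLOC = "assigned", "preallocated"


def v4_to_v6(v4: str) -> str:
    """IPv4 -> IPv6 under the fixed-prefix mapping."""
    return str(ipaddress.IPv6Address(int(PREFIX.network_address) | int(ipaddress.IPv4Address(v4))))


@dataclass
class Record:
    """One row of the shared database: client identifier -> both addresses and their marks."""
    v4: str
    v6: str
    v4_state: str
    v6_state: str


class DualStackDhcp:
    """Shared database of a cooperating DHCPv4/DHCPv6 server pair."""

    def __init__(self, v4_pool: List[str]) -> None:
        self.free_v4: List[str] = list(v4_pool)   # constructed pool
        self.records: Dict[str, Record] = {}      # client identifier -> Record

    def _allocate_pair(self, client_id: str, requested: str) -> Record:
        """Step 204 (or its IPv6 mirror): allocate a fresh address and pre-allocate the other one."""
        v4 = self.free_v4.pop(0)
        rec = Record(v4, v4_to_v6(v4),
                     ASSIGNED if requested == "v4" else PREALLOC,
                     ASSIGNED if requested == "v6" else PREALLOC)
        self.records[client_id] = rec
        return rec

    def request_v4(self, client_id: str) -> str:
        rec: Optional[Record] = self.records.get(client_id)
        if rec is None:                              # step 202: nothing pre-allocated
            return self._allocate_pair(client_id, "v4").v4
        rec.v4_state = ASSIGNED                      # step 203: hand out the pre-allocated address
        return rec.v4

    def request_v6(self, client_id: str) -> str:
        rec: Optional[Record] = self.records.get(client_id)
        if rec is None:
            return self._allocate_pair(client_id, "v6").v6
        rec.v6_state = ASSIGNED
        return rec.v6

    def _release(self, client_id: str, proto: str) -> bool:
        """Steps 301-303. Returns True when both addresses were reclaimed."""
        rec = self.records[client_id]
        setattr(rec, f"{proto}_state", PREALLOC)     # step 301: mark, do not free yet
        other = "v6" if proto == "v4" else "v4"
        if getattr(rec, f"{other}_state") != PREALLOC:
            return False                             # step 302: other protocol still in use
        self.records.pop(client_id)                  # step 303: reclaim both, delete the mapping
        self.free_v4.append(rec.v4)
        return True

    def release_v4(self, client_id: str) -> bool:
        return self._release(client_id, "v4")

    def release_v6(self, client_id: str) -> bool:
        return self._release(client_id, "v6")
```

The point of marking a released address as pre-allocated instead of freeing it (step 301) is visible in the test: a client that still holds its IPv6 lease keeps its IPv4 address reserved, so the pair can never be split across two clients while either half is in use.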
When the PORTAL authentication gateway in the BAS performs PORTAL authentication for a user, after the user's IPv4 PORTAL authentication passes, if the security policy of the authenticated user allows dual-stack access, the PORTAL authentication gateway obtains the user's IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses and opens the access right of the IPv6 address at the same time. The specific flow can be as shown in Fig. 5.
Fig. 4 is a schematic flow chart of access control provided by an embodiment of the present invention. As shown in the figure, the flow can comprise:
Steps 401 to 403: after the PORTAL authentication gateway in the BAS receives a network access request based on an IPv4 address sent by the user through the client, it redirects the request to the WEB authentication page of the PORTAL server; after receiving the authentication information submitted by the user through this WEB authentication page, it sends the information to the authentication/accounting server and interacts with it to authenticate and account for the user. The specific flow can be implemented in the existing way and is not repeated here.
Step 404: after the user passes authentication, the PORTAL authentication gateway judges, according to the security policy, whether dual-stack access is allowed for this user; if yes, proceed to step 405; otherwise, proceed to step 407.
Step 405: the PORTAL authentication gateway obtains the user's IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses configured on it.
Step 406: the PORTAL authentication gateway judges whether the user is currently using this IPv6 address for network access; if yes, proceed to step 407; otherwise, proceed to step 408.
Step 407: the PORTAL authentication gateway opens the access right of the IPv4 address for this user.
At this point, if the user is currently using this IPv6 address for network access, the network access right of the user's IPv6 address remains unchanged.
Step 408: the PORTAL authentication gateway performs network access right control on the user according to the user's IPv4 address and IPv6 address.
Specifically, the PORTAL authentication gateway can perform network access right control according to the security policy; for example, when dual-stack access is allowed for the user, it opens the access rights of the IPv4 address and the IPv6 address for the user.
Referring to Fig. 5, when the user's network connection based on the IPv4 address goes offline, the flow can comprise:
Steps 501 to 502: when the PORTAL authentication gateway in the BAS learns that the user's network connection based on the IPv4 address has gone offline, it judges whether the user's network connection based on the IPv6 address has also gone offline; if yes, proceed to step 503; otherwise, proceed to step 504.
Step 503: the PORTAL authentication gateway performs offline processing for this user and closes the user's access rights.
Step 504: the PORTAL authentication gateway keeps the user's current online state and keeps the user's current access rights.
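The gateway-side decisions of Fig. 4 (steps 404 to 408) and Fig. 5 (steps 501 to 504), as an added example that is not part of the patent and not H3C's code; it handles authentication arriving on either protocol, as the address mapping unit described later is said to. Assumptions: the same constructed /96 prefix as the DHCP side, and a `mark_online` hook through which the gateway learns that a user is currently passing traffic on a given address (the patent does not say how the gateway makes the step 406 determination, so this is a stand-in for that input).

```python
import ipaddress
from typing import Dict, Set

# Constructed /96 prefix, identical to the one configured on the DHCPv4/DHCPv6 server.
PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")


def other_protocol_address(addr: str) -> str:
    """Address mapping unit: derive the address of the other protocol.
    An IPv6 address outside the mapping prefix is refused rather than mapped."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return str(ipaddress.IPv6Address(int(PREFIX.network_address) | int(a)))
    if a not in PREFIX:
        raise ValueError(f"{addr} was not allocated under the mapping prefix")
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


class PortalGateway:
    """Control + access control units of the PORTAL authentication gateway."""

    def __init__(self) -> None:
        self.permitted: Dict[str, Set[str]] = {}   # user -> addresses whose access right is open
        self.online: Dict[str, Set[str]] = {}      # user -> addresses currently carrying traffic

    def mark_online(self, user: str, addr: str) -> None:
        """Assumed hook: the gateway observed the user using `addr`."""
        self.online.setdefault(user, set()).add(addr)

    def on_authenticated(self, user: str, addr: str, dual_stack_allowed: bool) -> Set[str]:
        """Steps 404-408, run after PORTAL authentication on `addr` has passed.
        Returns the set of addresses the user now has access rights for."""
        self.mark_online(user, addr)
        rights = self.permitted.setdefault(user, set())
        if not dual_stack_allowed:              # 404 -> 407: open only the authenticated address
            rights.add(addr)
            return set(rights)
        other = other_protocol_address(addr)    # 405
        if other in self.online[user]:          # 406 -> 407: already online on the mapped address;
            rights.add(addr)                    #             its existing right is left unchanged
        else:                                   # 408: open both addresses of the pair
            rights.update({addr, other})
        return set(rights)

    def on_disconnect(self, user: str, addr: str) -> bool:
        """Steps 501-504. Returns True when the user was taken offline entirely."""
        self.online.get(user, set()).discard(addr)
        if self.online.get(user):               # 504: other protocol still connected, keep rights
            return False
        self.permitted.pop(user, None)          # 503: close all access rights
        self.online.pop(user, None)
        return True
```

Note that the gateway never consults the DHCP database: the mapping alone tells it which IPv6 address belongs to an IPv4-authenticated user, which is exactly why both sides must be configured with the same prefix and why step 406's check against what the user is actually doing matters.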
By describing above and can finding out, by the PORTAL authentication gateway in DHCPv4 server, DHCPv6 server and PORTAL network system access device being arranged the mapping algorithm of IPv4 address and IPv6 address, when making DHCPv4/DHCPv6 server be client distributing IP address, can according to the IP address of this another agreement of mapping algorithm preassignment, thus the IPv4 address of same user and IPv6 address be made to there are mapping relations.Due to PORTAL authentication gateway being also deployed with this mapping algorithm, thus enable PORTAL authentication gateway obtain the IP address of another agreement according to IPv4 address or IPv6 address computation, the IPv4 address of same user and the mapping relations of IPv6 address can be accessed, and then control of authority can be carried out to two stack online of same user.
Based on identical technical conceive, the embodiment of the present invention additionally provides a kind of the PORTAL authentication gateway and the Dynamic Host Configuration Protocol server that are applied to above-mentioned PORTAL network system and handling process.
Referring to Fig. 6, which is a schematic structural diagram of the PORTAL authentication gateway provided by an embodiment of the present invention: this PORTAL authentication gateway is arranged in the access device of the PORTAL network system, and a mapping algorithm between IPv4 addresses and IPv6 addresses is configured in it. This mapping algorithm is the same as the mapping algorithm between IPv4 addresses and IPv6 addresses configured in the DHCPv4/DHCPv6 server with which the PORTAL authentication gateway cooperates, so that when the DHCPv4/DHCPv6 server allocates an IP address to a client, it pre-allocates the IP address of the other protocol according to this mapping algorithm.
As shown in Fig. 6, the PORTAL authentication gateway comprises a control unit 601, an authentication unit 602, an address mapping unit 603 and an access control unit 604, wherein:
The control unit 601 is configured to instruct the authentication unit 602 to perform authentication processing on the client after the PORTAL authentication gateway receives a network access request from the client; and, after the authentication unit 602 has authenticated the client, to instruct the address mapping unit 603 to perform address mapping and to instruct the access control unit 604 to perform network access authority control on the client according to the address obtained by the address mapping unit 603;
The authentication unit 602 is configured to authenticate the client through the PORTAL server and the authentication and accounting server, according to the instruction of the control unit 601;
The address mapping unit 603 is configured to obtain the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, according to the instruction of the control unit 601;
Specifically, when the network access request is based on an IPv4 address, the address mapping unit 603 obtains the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses; when the network access request is based on an IPv6 address, it obtains the IPv4 address according to the same mapping algorithm.
The access control unit 604 is configured to perform network access authority control on the client according to the IPv4 address and the IPv6 address of the client, according to the instruction of the control unit 601.
Further, the control unit 601 is also configured to: after the authentication unit 602 has authenticated the client, judge whether the client requesting network access is allowed dual-stack network access; and, after the address mapping unit 603 has obtained the mapped IP address, judge whether the client is currently performing network access using the IP address obtained by the address mapping unit 603. Correspondingly, when the control unit 601 judges that the client requesting network access is allowed dual-stack network access, it instructs the address mapping unit 603 to perform address mapping; and when it judges that the client is not currently performing network access using the mapped IP address, it instructs the access control unit 604 to open the network access authority of both the IPv4 address and the IPv6 address of the client.
Further, the control unit 601 is also configured to: upon learning that the IPv4-based network connection of the client has been disconnected, judge whether the IPv6-based network connection of the client has also been disconnected; and, upon learning that the IPv6-based network connection of the client has been disconnected, judge whether the IPv4-based network connection of the client has also been disconnected. Correspondingly, when the control unit 601 judges that the network connection of the client based on the IPv6 address or the IPv4 address has been disconnected, it instructs the access control unit 604 to close the network access authority of the client; when it judges that the network connection of the client based on the IPv6 address or the IPv4 address has not been disconnected, it instructs the access control unit 604 to keep the network access authority of the client. The access control unit 604 performs the corresponding processing according to the instruction of the control unit 601.
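The following is an added example, not code from the patent, that simulates the control flow of units 601 to 604 in Python. The fixed 96-bit prefix 2001:db8::/96, the session table keyed on both addresses of a pair, and the authentication result passed in as a boolean are all assumptions, since the patent leaves the prefix value and the PORTAL/AAA exchange unspecified.

```python
import ipaddress
from dataclasses import dataclass

# Constructed fixed 96-bit prefix (assumption; the patent only requires that it is
# fixed and identical on the DHCP servers and the gateway).
PREFIX96 = ipaddress.IPv6Network("2001:db8::/96")


def v4_to_v6(v4):
    """Mapping algorithm: embed the IPv4 address in the last 32 bits of the /96 prefix."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(PREFIX96.network_address) | int(v4))


def v6_to_v4(v6):
    """Inverse mapping; only addresses inside the fixed prefix map back uniquely."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in PREFIX96:
        raise ValueError(f"{v6} is outside the mapping prefix")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


@dataclass
class Session:
    """One dual-stack user: the address pair plus which stacks are currently online."""
    v4: ipaddress.IPv4Address
    v6: ipaddress.IPv6Address
    v4_up: bool = False
    v6_up: bool = False


class PortalGateway:
    def __init__(self):
        self.sessions = {}  # IPv4 or IPv6 address -> Session (both keys share one object)
        self.acl = set()    # addresses currently permitted through the access device

    def on_access_request(self, addr, authenticated, dual_stack_allowed):
        """Control unit: authenticate, map the address, then open both addresses.
        'authenticated' stands in for the PORTAL server / AAA exchange (assumption)."""
        addr = ipaddress.ip_address(addr)
        if not authenticated:
            return False
        try:
            other = v4_to_v6(addr) if addr.version == 4 else v6_to_v4(addr)
        except ValueError:
            other = None
        if not dual_stack_allowed or other is None:
            # Single-stack user (or an IPv6 address outside the prefix): only this address.
            self.acl.add(addr)
            return True
        sess = self.sessions.get(addr) or self.sessions.get(other)
        if sess is None:
            # Client is not yet online via the mapped address: open both at once, so the
            # second stack needs no second PORTAL authentication and no other IPv6/IPv4
            # address can ride on this authentication.
            v4, v6 = (addr, other) if addr.version == 4 else (other, addr)
            sess = Session(v4, v6)
            self.sessions[v4] = self.sessions[v6] = sess
            self.acl.update((v4, v6))
        if addr.version == 4:
            sess.v4_up = True
        else:
            sess.v6_up = True
        return True

    def on_disconnect(self, addr):
        """Close the pair only when neither stack is connected any more."""
        addr = ipaddress.ip_address(addr)
        sess = self.sessions.get(addr)
        if sess is None:
            self.acl.discard(addr)  # single-stack entry
            return
        if addr.version == 4:
            sess.v4_up = False
        else:
            sess.v6_up = False
        if not (sess.v4_up or sess.v6_up):
            for a in (sess.v4, sess.v6):
                self.sessions.pop(a, None)
                self.acl.discard(a)

    def is_permitted(self, addr):
        return ipaddress.ip_address(addr) in self.acl
```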
Referring to Fig. 7, which is a schematic structural diagram of the DHCP server provided by an embodiment of the present invention. This DHCP server is applied in a PORTAL network system, and a mapping algorithm between IPv4 addresses and IPv6 addresses is configured in it; this mapping algorithm is the same as the mapping algorithm between IPv4 addresses and IPv6 addresses configured in the PORTAL authentication gateway with which the DHCP server cooperates. Specifically, the mapping algorithm between IPv4 addresses and IPv6 addresses is: each IPv4 address is uniquely mapped to the last 32 bits of an IPv6 address that carries a fixed 96-bit prefix.
As shown in Fig. 7, the DHCP server may comprise a receiving unit 701, a judging unit 702 and an allocation unit 703, wherein:
The receiving unit 701 is configured to receive an address assignment request from a client;
The judging unit 702 is configured to judge, according to the address assignment request received by the receiving unit 701, whether the record corresponding to the identifier of the client contains a pre-allocated IP address of the respective protocol;
The allocation unit 703, in which the mapping algorithm between IPv4 addresses and IPv6 addresses is configured, is configured to assign the IP address pre-allocated for the client to the client when the judging unit 702 judges YES; and, when the judging unit 702 judges NO, to allocate an IP address to the client, pre-allocate the IP address of the other protocol for the client according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and record the correspondence between the identifier of the client and the IP addresses allocated and pre-allocated for the client;
Wherein, when the DHCP server is a DHCPv4 server, the IP address of the other protocol is an IPv6 address; when the DHCP server is a DHCPv6 server, the IP address of the other protocol is an IPv4 address.
Further, the receiving unit 701 is also configured to receive an IP address release request from a client; correspondingly, the judging unit 702 is also configured to judge, after the receiving unit 701 has received the IP address release request, whether the IP address of the other protocol of the client is in the pre-allocated state; and correspondingly, the allocation unit 703 is also configured to reclaim both the IPv4 address and the IPv6 address of the client when the judging unit 702 judges YES, and to set the state of the IP address whose release is requested to pre-allocated when the judging unit 702 judges NO.
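An added example, not part of the patent, of the allocation, pre-allocation and release logic of units 701 to 703 in Python. It assumes that the DHCPv4 and DHCPv6 roles share one record table and one pool of host numbers (the patent does not specify how separately deployed servers synchronise the record), uses the constructed prefix 2001:db8::/96, and uses constructed client identifiers.

```python
import ipaddress
from dataclasses import dataclass

# Constructed fixed 96-bit prefix (assumption; the patent only requires it to be fixed).
PREFIX96 = ipaddress.IPv6Network("2001:db8::/96")

ASSIGNED = "assigned"
PREALLOCATED = "preallocated"


def v4_to_v6(v4):
    """Mapping algorithm: IPv4 address -> last 32 bits of the fixed /96 prefix."""
    return ipaddress.IPv6Address(int(PREFIX96.network_address) | int(ipaddress.IPv4Address(v4)))


@dataclass
class Record:
    """Correspondence between a client identifier and its allocated/pre-allocated pair."""
    v4: ipaddress.IPv4Address
    v6: ipaddress.IPv6Address
    v4_state: str
    v6_state: str


class DualStackDhcp:
    """Units 701-703 for both the DHCPv4 and the DHCPv6 role.
    Assumption: both roles share this record table and one host-number pool, so a
    pre-allocation made by one role is visible to the other."""

    def __init__(self, v4_pool):
        self.free = sorted(ipaddress.IPv4Network(v4_pool).hosts())
        self.records = {}  # client identifier (constructed, e.g. a MAC/DUID) -> Record

    def request(self, client_id, version):
        """Judging unit + allocation unit for an address assignment request."""
        rec = self.records.get(client_id)
        if rec is None:
            # No pre-allocated address of this protocol: allocate one and pre-allocate
            # the other protocol's address through the mapping algorithm.
            if not self.free:
                return None
            host = self.free.pop(0)
            rec = Record(host, v4_to_v6(host), PREALLOCATED, PREALLOCATED)
            self.records[client_id] = rec
        # Hand out the pre-allocated (or already assigned) address of this protocol.
        if version == 4:
            rec.v4_state = ASSIGNED
            return rec.v4
        rec.v6_state = ASSIGNED
        return rec.v6

    def release(self, client_id, version):
        """Release request: reclaim the pair only if the other protocol's address is
        still merely pre-allocated; otherwise park this one as pre-allocated again so
        the client keeps the same pair. Returns True when both addresses were reclaimed."""
        rec = self.records.get(client_id)
        if rec is None:
            return False
        other_state = rec.v6_state if version == 4 else rec.v4_state
        if other_state == PREALLOCATED:
            del self.records[client_id]
            self.free.append(rec.v4)
            self.free.sort()
            return True
        if version == 4:
            rec.v4_state = PREALLOCATED
        else:
            rec.v6_state = PREALLOCATED
        return False
```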
In summary, for the case of dual-stack users going online through PORTAL authentication, the embodiments of the present invention use an address mapping mechanism to associate the online procedures of the two stacks of a dual-stack user, which makes it convenient to manage the user's online access. In addition, because the IPv4/IPv6 address mapping relationship of a user is fixed, it is easier for the operator to monitor and manage the user.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on such an understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may in essence be embodied in the form of a software product stored in a storage medium and including a number of instructions for causing a terminal device (which may be a mobile phone, a personal computer, a server, a network device, or the like) to perform the method described in each embodiment of the present invention.
The above are only preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (13)

1. A method for controlling the access of dual-stack users, applied to a PORTAL network system, characterized in that a mapping algorithm between IPv4 addresses and IPv6 addresses is configured in the DHCPv4 server, the DHCPv6 server and the PORTAL authentication gateway in the access device of the PORTAL network system, and the method comprises:
when the DHCPv4 server or the DHCPv6 server receives an address assignment request from a client, judging whether an IP address of the respective protocol has been pre-allocated for the client; if YES, assigning the IP address pre-allocated for the client to the client; otherwise, allocating an IP address to the client, and pre-allocating the IP address of the other protocol for the client according to the mapping algorithm between IPv4 addresses and IPv6 addresses;
when the PORTAL authentication gateway receives a network access request from the client based on an IPv4 address or an IPv6 address, and after the client has been authenticated, obtaining the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and performing network access authority control on the client according to the IPv4 address and the IPv6 address of the client;
wherein the DHCPv4 server and the DHCPv6 server are deployed on the same convergence device of the PORTAL network system; or
the DHCPv4 server and the DHCPv6 server are deployed on different convergence devices of the PORTAL network system respectively; or
the DHCPv4 server and the DHCPv6 server are connected to the convergence device of the PORTAL network system.
2. The method of claim 1, characterized in that, after the DHCPv4 server or the DHCPv6 server pre-allocates an IP address for the client according to the mapping algorithm between IPv4 addresses and IPv6 addresses, the method further comprises: recording the correspondence between the identifier of the client and the IP addresses allocated and pre-allocated for the client;
when the DHCPv4 server or the DHCPv6 server receives an address assignment request from the client, if the query finds that the record corresponding to the identifier of the client contains a pre-allocated IP address of the respective protocol, the IP address of the respective protocol is assigned to the client.
3. The method of claim 1, characterized in that the method further comprises:
after the DHCPv4 server or the DHCPv6 server receives an IP address release request from the client, judging whether the IP address of the other protocol of the client is in the pre-allocated state; if YES, reclaiming both the IPv4 address and the IPv6 address of the client; otherwise, setting the state of the IP address whose release is requested to pre-allocated.
4. The method of claim 1, characterized in that the PORTAL authentication gateway obtaining the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses and opening the network access authority of the IPv4 address and the IPv6 address of the client comprises:
when the network access request is based on an IPv4 address, the PORTAL authentication gateway judges whether the client requesting network access is allowed dual-stack network access, and when YES, obtains the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and, upon judging that the client is currently using the IPv6 address for network access, opens the network access authority of the IPv4 address and the IPv6 address of the client; and/or
when the network access request is based on an IPv6 address, the PORTAL authentication gateway judges whether the client requesting network access is allowed dual-stack network access, and when YES, obtains the IPv4 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and, upon judging that the client is currently using the IPv4 address for network access, opens the network access authority of the IPv4 address and the IPv6 address of the client.
5. The method of claim 1, characterized in that the method further comprises:
when the PORTAL authentication gateway learns that the IPv4-based network connection of the client has been disconnected, judging whether the IPv6-based network connection of the client has also been disconnected; if YES, closing the network access authority of the client; otherwise, keeping the network access authority of the client; or
when the PORTAL authentication gateway learns that the IPv6-based network connection of the client has been disconnected, judging whether the IPv4-based network connection of the client has also been disconnected; if YES, closing the network access authority of the client; otherwise, keeping the network access authority of the client.
6. The method according to any one of claims 1 to 5, characterized in that the mapping algorithm between IPv4 addresses and IPv6 addresses is specifically: each IPv4 address is uniquely mapped to the last 32 bits of an IPv6 address that carries a fixed 96-bit prefix.
7. A PORTAL authentication gateway, arranged in the access device of a PORTAL network system, characterized in that a mapping algorithm between IPv4 addresses and IPv6 addresses is configured in the PORTAL authentication gateway, the mapping algorithm being the same as the mapping algorithm between IPv4 addresses and IPv6 addresses configured in the DHCPv4/DHCPv6 server with which the PORTAL authentication gateway cooperates, such that when the DHCPv4/DHCPv6 server allocates an IP address to a client it pre-allocates the IP address of the other protocol according to the mapping algorithm, and the PORTAL authentication gateway comprises a control unit, an authentication unit, an address mapping unit and an access control unit, wherein:
the control unit is configured to instruct the authentication unit to perform authentication processing on the client after the PORTAL authentication gateway receives a network access request from the client; and, after the authentication unit has authenticated the client, to instruct the address mapping unit to perform address mapping and to instruct the access control unit to perform network access authority control on the client according to the address obtained by the address mapping unit;
the authentication unit is configured to authenticate the client through the PORTAL server and the authentication and accounting server, according to the instruction of the control unit;
the address mapping unit is configured to obtain the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, according to the instruction of the control unit;
the access control unit is configured to perform network access authority control on the client according to the IPv4 address and the IPv6 address of the client, according to the instruction of the control unit;
wherein the DHCPv4 server and the DHCPv6 server are deployed on the same convergence device of the PORTAL network system; or
the DHCPv4 server and the DHCPv6 server are deployed on different convergence devices of the PORTAL network system respectively; or
the DHCPv4 server and the DHCPv6 server are connected to the convergence device of the PORTAL network system.
8. The PORTAL authentication gateway of claim 7, characterized in that the control unit is further configured to: after the authentication unit has authenticated the client, judge whether the client requesting network access is allowed dual-stack network access; and, after the address mapping unit has obtained the mapped IP address, judge whether the client is currently performing network access using the IP address obtained by the address mapping unit;
the control unit is specifically configured to: when it judges that the client requesting network access is allowed dual-stack network access, instruct the address mapping unit to perform address mapping; and, when it judges that the client is not currently performing network access using the mapped IP address, instruct the access control unit to open the network access authority of the IPv4 address and the IPv6 address of the client.
9. The PORTAL authentication gateway of claim 7, characterized in that the control unit is further configured to: upon learning that the IPv4-based network connection of the client has been disconnected, judge whether the IPv6-based network connection of the client has also been disconnected; and, upon learning that the IPv6-based network connection of the client has been disconnected, judge whether the IPv4-based network connection of the client has also been disconnected;
the control unit is specifically configured to: when it judges that the network connection of the client based on the IPv6 address or the IPv4 address has been disconnected, instruct the access control unit to close the network access authority of the client; and when it judges that the network connection of the client based on the IPv6 address or the IPv4 address has not been disconnected, instruct the access control unit to keep the network access authority of the client;
the access control unit is further configured to close the network access authority of the client, or keep the network access authority of the client, according to the instruction of the control unit.
10. The PORTAL authentication gateway according to any one of claims 7 to 9, characterized in that the address mapping unit is specifically configured to: when the network access request is based on an IPv4 address, obtain the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses; and when the network access request is based on an IPv6 address, obtain the IPv4 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses.
11. A DHCP server, applied to a PORTAL network system, wherein a mapping algorithm between IPv4 addresses and IPv6 addresses is configured in the DHCP server, the mapping algorithm being the same as the mapping algorithm between IPv4 addresses and IPv6 addresses configured in the PORTAL authentication gateway with which the DHCP server cooperates, characterized in that the DHCP server comprises:
a receiving unit, configured to receive an address assignment request from a client;
a judging unit, configured to judge, according to the address assignment request received by the receiving unit, whether the record corresponding to the identifier of the client contains a pre-allocated IP address of the respective protocol;
an allocation unit, in which the mapping algorithm between IPv4 addresses and IPv6 addresses is configured, configured to assign the IP address pre-allocated for the client to the client when the judging unit judges YES; and, when the judging unit judges NO, to allocate an IP address to the client, pre-allocate the IP address of the other protocol for the client according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and record the correspondence between the identifier of the client and the IP addresses allocated and pre-allocated for the client;
wherein, when the DHCP server is a DHCPv4 server, the IP address of the other protocol is an IPv6 address; when the DHCP server is a DHCPv6 server, the IP address of the other protocol is an IPv4 address;
the DHCPv4 server and the DHCPv6 server are deployed on the same convergence device of the PORTAL network system; or
the DHCPv4 server and the DHCPv6 server are deployed on different convergence devices of the PORTAL network system respectively; or
the DHCPv4 server and the DHCPv6 server are connected to the convergence device of the PORTAL network system.
12. The DHCP server of claim 11, characterized in that the receiving unit is further configured to receive an IP address release request from the client;
the judging unit is further configured to judge, after the receiving unit has received the IP address release request, whether the IP address of the other protocol of the client is in the pre-allocated state;
the allocation unit is further configured to reclaim both the IPv4 address and the IPv6 address of the client when the judging unit judges YES, and to set the state of the IP address whose release is requested to pre-allocated when the judging unit judges NO.
13. The DHCP server of claim 11, characterized in that the mapping algorithm between IPv4 addresses and IPv6 addresses is specifically: each IPv4 address is uniquely mapped to the last 32 bits of an IPv6 address that carries a fixed 96-bit prefix.
Application CN201110325237.3A, priority and filing date 2011-10-24, "Access control method and equipment for dual-stack user", status Active, granted as CN102340509B.

Publications: CN102340509A, published 2012-02-01; CN102340509B, published 2015-04-15.
