CN106453214A - Method, device and system for testing legality of user - Google Patents
- Publication number: CN106453214A
- Application number: CN201510492716.2A
- Authority
- CN
- China
- Prior art keywords
- ipv6
- prefix
- user terminal
- aftr
- gateway
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/659—Internet protocol version 6 [IPv6] addresses
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method, device and system for checking user legitimacy. On receiving a tunnel establishment request, an AFTR gateway extracts IPv6 address prefix information from the request and determines whether the extracted prefix information is contained in a local IPv6 prefix table. If it is, the AFTR gateway establishes the corresponding tunnel; otherwise, the AFTR gateway rejects the tunnel establishment request. The security protection capability of the system can thus be effectively improved without modifying the existing network architecture.
Description
Technical field
The present invention relates to the communications field, and in particular to a method, device and system for checking user legitimacy.
Background
In a traditional Dual-Stack Lite (DS-Lite) environment, a user initiates a PPP (Point to Point) connection through the B4 (Base Bridge Broadband Element) and, after obtaining the FQDN (Fully Qualified Domain Name) of the AFTR (Address Family Transition Router), can initiate a tunnel establishment request to the AFTR, as shown in Fig. 1. The AFTR, however, performs no legitimacy check on tunnel establishment requests from the B4. Because the AFTR itself provides service externally on a public network address, and this address is easy to probe and obtain, this creates a fairly serious security risk. That is, an AFTR gateway device using a public network address is highly susceptible to all kinds of spoofing attacks that can paralyze it, as shown in Fig. 2.
For example, by capturing packets at the egress of the CPE (Customer Premises Equipment), a user can easily obtain the AFTR's public IPv6 service address (and DS-Lite tunnel endpoint address). Once an illegitimate user has obtained this address, simply configuring a route is enough to masquerade as a legitimate user and initiate a tunnel establishment request to the AFTR, and the AFTR will respond to the request and provide service.
The security protection capability of the system therefore urgently needs to be improved.
Summary of the invention
Embodiments of the present invention provide a method, device and system for checking user legitimacy. Tunnel establishment requests are checked for legitimacy using the IPv6 address prefix information that the BRAS server assigns to legitimate user terminals, which effectively improves the security protection capability of the system.
According to one aspect of the present invention, a method for checking user legitimacy is provided, comprising:
when a tunnel establishment request is received, extracting IPv6 address prefix information from the tunnel establishment request;
determining whether the extracted IPv6 address prefix information is contained in the local IPv6 prefix table;
if the extracted IPv6 address prefix information is contained in the local IPv6 prefix table, establishing the corresponding tunnel;
if the extracted IPv6 address prefix information is not contained in the local IPv6 prefix table, rejecting the tunnel establishment request.
In one embodiment, after the IPv6 address prefix information that the BRAS server assigned to a legitimate user terminal is received, the received IPv6 address prefix information is stored in the local IPv6 prefix table.
In one embodiment, after a prefix removal request is received, the IPv6 address prefix information assigned to the corresponding legitimate user terminal is deleted from the local IPv6 prefix table, wherein the BRAS server sends the prefix removal request after detecting that the legitimate user terminal has gone offline.
According to another aspect of the present invention, an AFTR gateway for checking user legitimacy is provided, comprising a receiving unit, an extraction unit, a recognition unit and a configuration unit, wherein:
the receiving unit is configured to receive tunnel establishment requests;
the extraction unit is configured to extract IPv6 address prefix information from a tunnel establishment request when the receiving unit receives it;
the recognition unit is configured to determine whether the extracted IPv6 address prefix information is contained in the local IPv6 prefix table;
the configuration unit is configured to act on the result from the recognition unit: if the extracted IPv6 address prefix information is contained in the local IPv6 prefix table, it establishes the corresponding tunnel; if the extracted IPv6 address prefix information is not contained in the local IPv6 prefix table, it rejects the tunnel establishment request.
In one embodiment, the above gateway further comprises a maintenance unit, wherein:
the maintenance unit is configured to store the received IPv6 address prefix information in the local IPv6 prefix table after the receiving unit receives the IPv6 address prefix information that the BRAS server assigned to a legitimate user terminal.
In one embodiment, the maintenance unit is further configured to delete the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local IPv6 prefix table after the receiving unit receives a prefix removal request, wherein the BRAS server sends the prefix removal request after detecting that the legitimate user terminal has gone offline.
According to another aspect of the present invention, a system for checking user legitimacy is provided, comprising an AFTR gateway and a BRAS server, wherein:
the AFTR gateway is the AFTR gateway of any of the above embodiments;
the BRAS server is configured to perform a legitimacy check on a user terminal after receiving an access request sent by the user terminal; if the user terminal is judged to be a legitimate user terminal, the BRAS server assigns IPv6 address prefix information to the user terminal and sends the assigned IPv6 address prefix information to the AFTR gateway, so that the AFTR gateway stores the assigned IPv6 address prefix information in the local IPv6 prefix table.
In one embodiment, the BRAS server is further configured to send a prefix removal request to the AFTR gateway after detecting that a legitimate user terminal has gone offline, so that the AFTR gateway deletes the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local IPv6 prefix table.
In one embodiment, the above system further comprises an authentication server, wherein:
the BRAS server specifically sends the assigned IPv6 address prefix information to the authentication server;
the authentication server is configured to store the received IPv6 address prefix information in a local legal prefix table, and also to forward the received IPv6 address prefix information to the AFTR gateway.
In one embodiment, the BRAS server specifically sends a prefix removal request to the authentication server after detecting that a legitimate user terminal has gone offline;
the authentication server is further configured, according to the received prefix removal request, to delete the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local legal prefix table, and to forward the prefix removal request to the AFTR gateway.
The present invention checks the legitimacy of tunnel establishment requests using the IPv6 address prefix information that the BRAS server assigns to legitimate user terminals. The corresponding tunnel is established only if the IPv6 address prefix contained in the tunnel establishment request is contained in the local IPv6 prefix table of the AFTR gateway, which effectively improves the security protection capability of the system.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a legitimate user coming online in the prior art.
Fig. 2 is a schematic diagram of an intrusion by an illegitimate user in the prior art.
Fig. 3 is a schematic diagram of one embodiment of the method of the present invention for checking user legitimacy.
Fig. 4 is a schematic diagram of one embodiment of the AFTR gateway of the present invention.
Fig. 5 is a schematic diagram of another embodiment of the AFTR gateway of the present invention.
Fig. 6 is a schematic diagram of one embodiment of the system of the present invention for checking user legitimacy.
Fig. 7 is a schematic diagram of another embodiment of the system of the present invention for checking user legitimacy.
Fig. 8 is a schematic flow diagram of a user terminal accessing the network according to the present invention.
Fig. 9 is a schematic flow diagram of the AFTR gateway of the present invention receiving a tunnel establishment request.
Fig. 10 is a schematic flow diagram of the BRAS server of the present invention finding that a legitimate user has gone offline.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the invention or its application or use. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the invention.
It should also be understood that, for ease of description, the dimensions of the parts shown in the drawings are not drawn to actual scale.
Techniques, methods and devices known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the granted specification.
In all examples shown and discussed here, any specific value should be interpreted as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.
Note that similar reference numerals and letters denote similar items in the following drawings, so once an item is defined in one drawing it need not be discussed further in subsequent drawings.
Fig. 3 is a schematic diagram of one embodiment of the method of the present invention for checking user legitimacy. As shown in Fig. 3, the method steps of this embodiment can be executed by the AFTR gateway.
Step 301: when a tunnel establishment request is received, extract IPv6 address prefix information from the tunnel establishment request.
Step 302: determine whether the extracted IPv6 address prefix information is contained in the local IPv6 prefix table. If the extracted IPv6 address prefix information is contained in the local IPv6 prefix table, execute step 303; if it is not contained in the local IPv6 prefix table, execute step 304.
Step 303: establish the corresponding tunnel. The remaining steps of this embodiment are then not executed.
Step 304: reject the tunnel establishment request.
In the method for checking user legitimacy provided by the above embodiment of the present invention, tunnel establishment requests are checked for legitimacy using pre-assigned IPv6 address prefix information. The corresponding tunnel is established only if the IPv6 address prefix contained in the tunnel establishment request is contained in the local IPv6 prefix table of the AFTR gateway, which effectively improves the security protection capability of the system.
Preferably, the AFTR gateway can maintain the local IPv6 prefix table. For example, after receiving the IPv6 address prefix information that the BRAS server assigned to a legitimate user terminal, it stores the received IPv6 address prefix information in the local IPv6 prefix table.
In addition, after receiving a prefix removal request, it deletes the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local IPv6 prefix table, wherein the BRAS server sends the prefix removal request after detecting that the legitimate user terminal has gone offline. The local IPv6 prefix table can thus be adjusted immediately according to the user's online or offline state.
Fig. 4 is a schematic diagram of one embodiment of the AFTR gateway of the present invention. As shown in Fig. 4, the AFTR gateway may include a receiving unit 401, an extraction unit 402, a recognition unit 403 and a configuration unit 404, wherein:
The receiving unit 401 is configured to receive tunnel establishment requests.
The extraction unit 402 is configured to extract IPv6 address prefix information from a tunnel establishment request when the receiving unit 401 receives it.
The recognition unit 403 is configured to determine whether the extracted IPv6 address prefix information is contained in the local IPv6 prefix table.
The configuration unit 404 is configured to act on the result from the recognition unit 403: if the extracted IPv6 address prefix information is contained in the local IPv6 prefix table, it establishes the corresponding tunnel; if the extracted IPv6 address prefix information is not contained in the local IPv6 prefix table, it rejects the tunnel establishment request.
In the AFTR gateway for checking user legitimacy provided by the above embodiment of the present invention, tunnel establishment requests are checked for legitimacy using pre-assigned IPv6 address prefix information. The corresponding tunnel is established only if the IPv6 address prefix contained in the tunnel establishment request is contained in the local IPv6 prefix table of the AFTR gateway, which effectively improves the security protection capability of the system.
Fig. 5 is a schematic diagram of another embodiment of the AFTR gateway of the present invention. Compared with the embodiment shown in Fig. 4, the embodiment shown in Fig. 5 further includes a maintenance unit 501, wherein:
The maintenance unit 501 is configured to store the received IPv6 address prefix information in the local IPv6 prefix table after the receiving unit 401 receives the IPv6 address prefix information that the BRAS (Broadband Remote Access Server) server assigned to a legitimate user terminal.
Preferably, the maintenance unit 501 is further configured to delete the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local IPv6 prefix table after the receiving unit 401 receives a prefix removal request, wherein the BRAS server sends the prefix removal request after detecting that the legitimate user terminal has gone offline.
Fig. 6 is a schematic diagram of one embodiment of the system of the present invention for checking user legitimacy. As shown in Fig. 6, the system may include an AFTR gateway 601 and a BRAS server 602, wherein:
The AFTR gateway 601 is the AFTR gateway of any of the embodiments in Fig. 4 and Fig. 5.
The BRAS server 602 is configured to perform a legitimacy check on a user terminal after receiving an access request sent by the user terminal. If the user terminal is judged to be a legitimate user terminal, the BRAS server assigns IPv6 address prefix information to the user terminal and sends the assigned IPv6 address prefix information to the AFTR gateway 601, so that the AFTR gateway 601 stores the assigned IPv6 address prefix information in the local IPv6 prefix table.
In the system for checking user legitimacy provided by the above embodiment of the present invention, the AFTR gateway checks the legitimacy of tunnel establishment requests using the IPv6 address prefix information that the BRAS server assigns to legitimate users. The corresponding tunnel is established only if the IPv6 address prefix contained in the tunnel establishment request is contained in the local IPv6 prefix table of the AFTR gateway, which effectively improves the security protection capability of the system.
Preferably, the BRAS server 602 is further configured to send a prefix removal request to the AFTR gateway 601 after detecting that a legitimate user terminal has gone offline, so that the AFTR gateway 601 deletes the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local IPv6 prefix table.
In addition, because of traceability requirements, an authentication server can also be used to record the IPv6 address prefix information that the BRAS server assigns to legitimate user terminals.
Fig. 7 is a schematic diagram of another embodiment of the system of the present invention for checking user legitimacy. Compared with the embodiment shown in Fig. 6, in the embodiment shown in Fig. 7 the system may further include an authentication server 701, wherein:
The BRAS server 602 specifically sends the assigned IPv6 address prefix information to the authentication server 701.
The authentication server 701 is configured to store the received IPv6 address prefix information in a local legal prefix table, and also to forward the received IPv6 address prefix information to the AFTR gateway 601.
Preferably, the authentication server 701 can be an AAA (Authentication, Authorization, Accounting) server.
Preferably, the BRAS server 602 specifically sends a prefix removal request to the authentication server 701 after detecting that a legitimate user terminal has gone offline.
The authentication server 701 is further configured, according to the received prefix removal request, to delete the IPv6 address prefix information assigned to the corresponding legitimate user terminal from the local legal prefix table, and to forward the prefix removal request to the AFTR gateway 601.
For example, the interface between the authentication server 701 and the AFTR gateway 601 can be opened, and the legal prefix table in the authentication server 701 synchronized in real time to the IPv6 prefix table of the AFTR gateway 601 by means of variable updates.
The present invention is illustrated below with specific examples.
【Embodiment one】
This embodiment concerns the processing when a new user terminal comes online, as shown in Fig. 8.
Step 801: user terminal 1 sends an access request to the BRAS server.
Step 802: after receiving the access request sent by user terminal 1, the BRAS server performs a legitimacy check on user terminal 1.
Step 803: if user terminal 1 is judged to be a legitimate user terminal, the BRAS server assigns IPv6 address prefix information to user terminal 1.
Step 804: the BRAS server sends the assigned IPv6 address prefix information to the AAA server.
Step 805: the authentication server stores the received IPv6 address prefix information in the local legal prefix table.
Step 806: the authentication server forwards the received IPv6 address prefix information to the AFTR gateway.
Step 807: the AFTR gateway stores the assigned IPv6 address prefix information in the local IPv6 prefix table.
Step 808: after judging user terminal 1 to be a legitimate user terminal, the BRAS server sends a tunnel establishment request to the AFTR gateway through the CR (Core Router).
Step 809: the AFTR gateway extracts IPv6 address prefix information from the tunnel establishment request.
Step 810: the AFTR gateway determines whether the extracted IPv6 address prefix information is contained in the local IPv6 prefix table.
Step 811: the request is handled according to the result.
If the extracted IPv6 address prefix information is contained in the local IPv6 prefix table, the corresponding tunnel is established. If the extracted IPv6 address prefix information is not contained in the local IPv6 prefix table, the tunnel establishment request is rejected.
【Embodiment two】
This embodiment concerns the processing when user terminal 2 sends a tunnel establishment request to the AFTR gateway, as shown in Fig. 9.
Step 901: user terminal 2 sends a tunnel establishment request to the AFTR gateway.
Step 902: the AFTR gateway extracts IPv6 address prefix information from the tunnel establishment request.
Step 903: the AFTR gateway determines whether the extracted IPv6 address prefix information is contained in the local IPv6 prefix table.
Step 904: the request is handled according to the result.
If the extracted IPv6 address prefix information is contained in the local IPv6 prefix table, the corresponding tunnel is established. If the extracted IPv6 address prefix information is not contained in the local IPv6 prefix table, the tunnel establishment request is rejected.
Tunnel establishment requests sent by malicious third parties can thus be effectively rejected.
【Embodiment three】
This embodiment concerns the processing when a legitimate user terminal goes offline, as shown in Fig. 10.
Step 1001: the BRAS server detects whether legitimate user terminal 3 is offline.
Step 1002: after detecting that legitimate user terminal 3 has gone offline, the BRAS server sends a prefix removal request to the AAA server.
Step 1003: according to the received prefix removal request, the AAA server deletes the IPv6 address prefix information assigned to the corresponding legitimate user terminal 3 from the local legal prefix table.
Step 1004: the AAA server forwards the prefix removal request to the AFTR gateway.
Step 1005: the AFTR gateway deletes the IPv6 address prefix information assigned to the corresponding legitimate user terminal 3 from the local IPv6 prefix table.
This effectively prevents a malicious third party from accessing the network with an IPv6 address prefix that was once assigned to user terminal 3.
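The three embodiments above (terminal comes online, tunnel request is checked, terminal goes offline) can be modelled end to end as follows. This is an added example, not code from the patent: the class and method names, the choice to match the B4 source address of the request against the stored prefixes, the tunnel teardown on prefix removal, and the 2001:db8::/32 documentation addresses are all assumptions.

```python
import ipaddress


class PrefixTable:
    """IPv6 prefixes bucketed by length, so a lookup costs one mask per length."""

    def __init__(self):
        self._by_len = {}  # prefix length -> set of network addresses as ints

    @staticmethod
    def _key(prefix):
        net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits set
        return net.prefixlen, int(net.network_address)

    def add(self, prefix):
        plen, base = self._key(prefix)
        self._by_len.setdefault(plen, set()).add(base)

    def remove(self, prefix):
        plen, base = self._key(prefix)
        bucket = self._by_len.get(plen, set())
        found = base in bucket
        bucket.discard(base)
        if plen in self._by_len and not bucket:
            del self._by_len[plen]
        return found

    def covers(self, address):
        addr = int(ipaddress.IPv6Address(address))  # ValueError if malformed
        for plen, bucket in self._by_len.items():
            mask = ((1 << plen) - 1) << (128 - plen)
            if (addr & mask) in bucket:
                return True
        return False


class AftrGateway:
    def __init__(self):
        self.prefix_table = PrefixTable()  # the "local IPv6 prefix table"
        self.tunnels = set()               # B4 source addresses with a tunnel

    def prefix_add(self, prefix):
        self.prefix_table.add(prefix)

    def prefix_remove(self, prefix):
        self.prefix_table.remove(prefix)
        # Assumption beyond the text: also drop tunnels that relied on the prefix.
        net = ipaddress.IPv6Network(prefix)
        self.tunnels = {a for a in self.tunnels
                        if ipaddress.IPv6Address(a) not in net}

    def tunnel_request(self, b4_source):
        try:
            allowed = self.prefix_table.covers(b4_source)
        except ValueError:  # unparseable source address: fail closed
            allowed = False
        if allowed:
            self.tunnels.add(b4_source)
        return "accept" if allowed else "reject"


class AaaServer:
    """Keeps the legal prefix table and relays every change to the AFTR."""

    def __init__(self, aftr):
        self.aftr = aftr
        self.legal_prefixes = set()

    def prefix_assigned(self, prefix):
        self.legal_prefixes.add(prefix)
        self.aftr.prefix_add(prefix)

    def prefix_released(self, prefix):
        self.legal_prefixes.discard(prefix)
        self.aftr.prefix_remove(prefix)


class Bras:
    def __init__(self, aaa, subscribers):
        self.aaa = aaa
        self.subscribers = subscribers  # (terminal, credential) -> prefix
        self.online = {}

    def access_request(self, terminal, credential):
        prefix = self.subscribers.get((terminal, credential))
        if prefix is None:              # legitimacy check failed: no prefix
            return None
        self.online[terminal] = prefix
        self.aaa.prefix_assigned(prefix)
        return prefix

    def terminal_offline(self, terminal):
        prefix = self.online.pop(terminal, None)
        if prefix is not None:
            self.aaa.prefix_released(prefix)


def run_scenario():
    """Constructed walk-through of embodiments one to three."""
    aftr = AftrGateway()
    bras = Bras(AaaServer(aftr),
                {("terminal-1", "secret-1"): "2001:db8:0:100::/56"})
    bras.access_request("terminal-1", "secret-1")   # legitimate terminal online
    bras.access_request("terminal-x", "guess")      # fails the BRAS check
    results = [
        aftr.tunnel_request("2001:db8:0:1a5::b4"),  # inside the assigned /56
        aftr.tunnel_request("2001:db8:0:200::b4"),  # never assigned
        aftr.tunnel_request("not-an-address"),      # malformed source
    ]
    bras.terminal_offline("terminal-1")             # removal reaches the AFTR
    results.append(aftr.tunnel_request("2001:db8:0:1a5::b4"))
    return results
```

The check is only as strong as the path that carries the source address: it assumes the access network already prevents a terminal from sourcing packets inside another subscriber's assigned prefix.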
Implementing the present invention yields the following beneficial effects:
1) A method is proposed for verifying IPv6 user legitimacy in a DS-Lite tunnel environment during the IPv6 transition period.
2) Using the IPv6 address prefix that the BRAS server assigns to a legitimate user effectively improves the security protection capability of the system.
3) The existing network architecture need not be changed, and the added delay is essentially negligible.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The description of the present invention is given for the sake of example and description, and is not intended to be exhaustive or to limit the invention to the disclosed form. Many modifications and variations will be obvious to those of ordinary skill in the art. The embodiments were chosen and described to better explain the principles and practical application of the invention, and to enable those of ordinary skill in the art to understand the invention and so design various embodiments, with various modifications, suited to particular uses.
Claims (10)
1. a kind of method for checking user validation it is characterised in that
When receiving tunnel building request, before extracting IPv6 address from tunnel building request
Sew information;
Judge whether the IPv6 address prefix information extracting is included in local IPv6 prefix table
In;
If the IPv6 address prefix information extracting includes, in local IPv6 prefix table, building
Found corresponding tunnel;
If the IPv6 address prefix information extracting is not included in local IPv6 prefix table,
Refusal tunnel building request.
2. method according to claim 1 is it is characterised in that also include:
Receiving the IPv6 address prefix information that BRAS server is validated user terminal distribution
Afterwards, the IPv6 receiving address prefix information is stored in local IPv6 prefix table.
3. method according to claim 2 is it is characterised in that also include:
After receiving prefix removal request, the IPv6 ground of corresponding validated user terminal will be distributed to
Location prefix information is deleted from local IPv6 prefix table, and wherein BRAS server is detecting
Described prefix removal request is sent after validated user terminal is offline.
4. a kind of AFTR gateway for checking user validation is it is characterised in that include connecing
Receive unit, extraction unit, recognition unit and dispensing unit, wherein:
Receiving unit, for receiving tunnel building request;
Extraction unit, for when receiving unit receives tunnel building request, asking from tunnel building
IPv6 address prefix information is extracted in asking;
Recognition unit, whether the IPv6 address prefix information for judging to extract includes local
IPv6 prefix table in;
Dispensing unit, for the judged result according to recognition unit, if the IPv6 address extracting
Prefix information includes in local IPv6 prefix table, then setting up corresponding tunnel;If extracting
IPv6 address prefix information be not included in local IPv6 prefix table, then refuse tunnel building
Request.
5. gateway according to claim 4 is it is characterised in that also include maintenance unit,
Wherein:
Maintenance unit, divides for validated user terminal for receiving BRAS server in receiving unit
After the IPv6 address prefix information joined, the IPv6 receiving address prefix information is stored in locally
IPv6 prefix table in.
6. gateway according to claim 5 it is characterised in that
Maintenance unit is additionally operable to, after receiving unit receives prefix removal request, will distribute to corresponding
The IPv6 address prefix information of the validated user terminal is deleted from the local IPv6 prefix table, wherein
the BRAS server sends said prefix removal request after detecting that the validated user terminal has gone offline.
7. A system for checking user validity, characterized in that it comprises an AFTR gateway and a BRAS server, wherein:
the AFTR gateway is the AFTR gateway according to any one of claims 4-6;
the BRAS server is configured to perform a legitimacy check on a user terminal after receiving an access request sent by the user terminal; and, if the user terminal is judged to be a validated user terminal, to allocate IPv6 address prefix information to the user terminal and send the allocated IPv6 address prefix information to the AFTR gateway, so that the AFTR gateway stores the allocated IPv6 address prefix information in its local IPv6 prefix table.
8. The system according to claim 7, characterized in that
the BRAS server is further configured to send a prefix removal request to the AFTR gateway after detecting that a validated user terminal has gone offline, so that the AFTR gateway deletes the IPv6 address prefix information allocated to the corresponding validated user terminal from the local IPv6 prefix table.
9. The system according to claim 8, characterized in that it further comprises a certificate server, wherein:
the BRAS server specifically sends the allocated IPv6 address prefix information to the certificate server;
the certificate server is configured to store the received IPv6 address prefix information in a local legal prefix table, and also to forward the received IPv6 address prefix information to the AFTR gateway.
10. The system according to claim 9, characterized in that
the BRAS server specifically sends the prefix removal request to the certificate server after detecting that a validated user terminal has gone offline;
the certificate server is further configured to delete, according to the received prefix removal request, the IPv6 address prefix information allocated to the corresponding validated user terminal from the local legal prefix table, and to forward the prefix removal request to the AFTR gateway.
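The prefix lifecycle of claims 7-10, modelled in Python as an added example; it is not code from the patent or from any vendor implementation. The class and method names, the allowlist standing in for the legitimacy check, the `2001:db8::/48` documentation pool, and the source-address lookup in `accept` are all assumptions made for illustration.

```python
import ipaddress

class AftrGateway:
    """Holds the local IPv6 prefix table and checks packets against it."""
    def __init__(self):
        self.ipv6_prefix_table = set()
    def add_prefix(self, prefix):
        self.ipv6_prefix_table.add(prefix)
    def delete_prefix(self, prefix):
        self.ipv6_prefix_table.discard(prefix)
    def accept(self, source_address):
        # Assumed use of the table: admit a packet only if its IPv6 source
        # address falls inside a prefix allocated to a validated terminal.
        addr = ipaddress.IPv6Address(source_address)
        return any(addr in prefix for prefix in self.ipv6_prefix_table)

class CertificateServer:
    """Keeps the local legal prefix table and relays every change to the AFTR."""
    def __init__(self, aftr):
        self.legal_prefix_table = set()
        self.aftr = aftr
    def add_prefix(self, prefix):
        self.legal_prefix_table.add(prefix)
        self.aftr.add_prefix(prefix)
    def delete_prefix(self, prefix):
        self.legal_prefix_table.discard(prefix)
        self.aftr.delete_prefix(prefix)

class BrasServer:
    """Checks terminals, allocates prefixes, and reports offline events."""
    def __init__(self, certificate_server, subscribers):
        self.certificate_server = certificate_server
        self.subscribers = subscribers   # constructed stand-in for the legitimacy check
        self.sessions = {}
        # Constructed pool: /56 delegations carved from the documentation prefix.
        self.pool = ipaddress.IPv6Network("2001:db8::/48").subnets(new_prefix=56)
    def access_request(self, terminal_id):
        if terminal_id not in self.subscribers:
            return None                  # failed check: nothing is sent downstream
        if terminal_id in self.sessions:
            return self.sessions[terminal_id]   # already online: reuse its prefix
        prefix = next(self.pool)
        self.sessions[terminal_id] = prefix
        self.certificate_server.add_prefix(prefix)
        return prefix
    def terminal_offline(self, terminal_id):
        prefix = self.sessions.pop(terminal_id, None)
        if prefix is not None:
            self.certificate_server.delete_prefix(prefix)   # prefix removal request
```

If a removal request is lost between the BRAS server and the AFTR gateway, the stale prefix stays in the table and keeps matching, so the two tables are worth reconciling against the BRAS session list.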
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510492716.2A CN106453214A (en) | 2015-08-12 | 2015-08-12 | Method, device and system for testing legality of user |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106453214A true CN106453214A (en) | 2017-02-22 |
Family
ID=58093262
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510492716.2A Pending CN106453214A (en) | 2015-08-12 | 2015-08-12 | Method, device and system for testing legality of user |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106453214A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107547687A (en) * | 2017-08-31 | 2018-01-05 | 新华三技术有限公司 | A kind of message transmitting method and device |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1929447A (en) * | 2006-06-01 | 2007-03-14 | 华为技术有限公司 | Method and device for searching address prefixion and message transfer method and system |
CN1980250A (en) * | 2005-11-29 | 2007-06-13 | 中国移动通信集团公司 | Network protocol multi-media sub-system and method for obtaining access-in point information |
CN101043614A (en) * | 2007-04-23 | 2007-09-26 | 中国科学院计算技术研究所 | Video-on-demand method combined user IP address with user gradation |
CN101547132A (en) * | 2008-03-25 | 2009-09-30 | 华为技术有限公司 | Method, system and device for establishing data forwarding tunnel |
CN101785270A (en) * | 2007-06-19 | 2010-07-21 | 松下电器产业株式会社 | Access-network to core-network trust relationship detection for a mobile node |
CN101902482A (en) * | 2010-08-23 | 2010-12-01 | 中国电信股份有限公司 | Method and system for realizing terminal security admission control based on IPv6 (Internet Protocol Version 6) automatic configuration |
CN102131233A (en) * | 2010-01-18 | 2011-07-20 | 中兴通讯股份有限公司 | Method and device for sending data packet based on dual-stack (DS)-LITE |
CN102546568A (en) * | 2010-12-31 | 2012-07-04 | 华为技术有限公司 | Method and device for Internet protocol (IP) terminal being accessed into network |
US20120218998A1 (en) * | 2011-02-28 | 2012-08-30 | Futurewei Technologies, Inc. | Multicast Support for Dual Stack-Lite and Internet Protocol Version Six Rapid Deployment on Internet Protocol Version Four Infrastructures |
CN103051543A (en) * | 2012-11-01 | 2013-04-17 | 广州微仕科信息技术有限公司 | Route prefix processing, lookup, adding and deleting method |
CN104363176A (en) * | 2014-10-24 | 2015-02-18 | 杭州华三通信技术有限公司 | Message control method and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170222 |
|
RJ01 | Rejection of invention patent application after publication |