Patent Application
20140245405
The present application relates to a network communications technology, and in particular, to a method for transferring authorization information, a relay device, and a server.
Typical networking of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) that supports the Internet Protocol Version 6 (IPv6) includes three roles: a DHCPvb 6client, a DHCPvb 6server, and a DHCPvb 6relay. The DHCPvb 6client is a device that dynamically acquires an IPvb 6address, a delegated IPvb 6prefix, or other network configuration parameters. The DHCPvb 6server is a device that is responsible for allocating an IPvb 6address, an IPvb 6prefix, or other network configuration parameters to the DHCPv6 client. When the DHCPvb 6server and the DHCPvb 6client are not within the scope of a same link, the DHCPvb 6server and the DHCPvb 6client need to use a DHCPvb 6relay to forward a message, thereby avoiding deployment of a DHCPvb 6server within the scope of each link. This saves costs and facilitates centralized management.
To ensure security of the allocation of an IPvb 6address, a delegated IPvb 6prefix, and other network configuration parameters, on existing DHCPvb 6networking, a DHCPv6 client needs to be AAA-authenticated before DHCPvb 6allocation is performed, and the DHCPvb 6client can be allocated with an IPvb 6address, an IPvb 6prefix, and other network configuration parameters only after the authentication is successful.
In a practical application process, when determining that the authentication of the DHCPvb 6client is successful, an AAA (Authentication-Authorization-Accounting) server authorizes some information related to address allocation to the DHCPvb 6relay by using an Access-Accept message. However, currently, the authorization information cannot be transferred to the DHCPvb 6server by using a DHCPvb 6process, which limits flexibility of providing correct configurations to the DHCPvb 6client by the DHCPvb 6server and application scenarios.
The present application provides a method for transferring authorization information, a relay device, and a server, which are used to send authorization information delivered by an AAA server to a DHCPvb 6server, so that the DHCPvb 6server can provide correct configuration information for a DHCPvb 6client.
An embodiment of the present application provides a method for transferring authorization information, including:
receiving authorization information delivered by an AAA server; and
inserting an option into a DHCPvb 6Relay-Forward message, encapsulating the authorization information in the option, and sending the option to a DHCPvb 6server.
An embodiment of the present application provides a relay device, including:
a first receiving module, configured to receive authorization information delivered by an AAA server; and
an encapsulating module, configured to insert an option into a DHCPv6 Relay-Forward message, encapsulate the authorization information in the option, and send the option to a DHCPvb 6server.
An embodiment of the present application provides a server, including:
a third receiving module, configured to receive authorization information which is encapsulated by using an option of a DHCPvb 6Relay-Forward message and sent by a relay device, where the authorization information is delivered by an AAA server to the relay device; and
an allocating module, configured to allocate corresponding configuration information to a DHCPvb 6client according to the authorization information.
According to the method for transferring authorization information, the relay device, and the server in the embodiments of the present application, the relay device inserts an option into a DHCPvb 6Relay-Forward message, encapsulates authorization information in the option, and sends the option to a DHCPvb 6server, so that the DHCPvb 6server can provide a correct configuration for a DHCPvb 6client according to the authorization information, thereby solving the problem of lack of information in the prior art caused by a failure of transferring authorization information to a DHCPvb 6server by using a DHCPvb 6process; and further, when the authorization information is information related to address allocation, such as designation of a specific prefix pool, a specific address pool, a specific address, or a specific prefix for the DHCPvb 6client, the DHCPvb 6server can allocate a correct address configuration to the DHCPvb 6client according to the authorization information.
To describe the technical solutions in the embodiments of the present application more clearly, the following briefly introduces the accompanying drawings required for describing the embodiments. Apparently, the accompanying drawings in the following description show some embodiments of the present application, and persons of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.
To make the objectives, technical solutions, and advantages of the embodiments of the present application more clear, the following clearly describes the technical solutions in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application. Apparently, the described embodiments are a part rather than all of the embodiments of the present application. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present application without creative efforts shall fall within the protection scope of the present application.
Step 101: A DHCPvb 6relay device receives authorization information delivered by an AAA server.
This embodiment is applicable to a DHCPvb 6allocation process in which a device with a DHCPvb 6relay function (called a relay device hereinafter) exists and participates in AAA authentication. The DHCPvb 6allocation process is an address allocation process in which information, such as an IPvb 6address, is allocated to a DHCPvb 6client. In embodiments of the present application, the DHCPvb 6client may be a customer premise equipment (CPE), a personal computer (PC), or the like; and the relay device may be a network access server (NAS).
In a practical application, when the DHCPvb 6client needs to solicit IPvb 6address information, the DHCPvb 6client sends a Solicit message to solicit address information. The Solicit message carries such information as a Client Identifier option, an Identity Association for Non-temporary Addresses (IA_NA) option used for requesting an IPvb 6address, and an Identity Association for Prefix Delegation (IA_PD) option used for requesting a delegated prefix, where the address information that needs to be solicited by the DHCPvb 6client mainly refers to an IPvb 6address, an IPvb 6prefix, other network configuration parameters, and the like. When the DHCPvb 6client is a CPE or a PC, the Client Identifier option may include a media access control (MAC) address of the CPE or a MAC address of the PC.
After receiving the Solicit message, the relay device sends an Access-Request message to the AAA server requesting identity authentication on the DHCPvb 6client. The Access-Request message may carry such information as an access port identifier (such as NAS-Port or NAS-Port-ID) or a DHCPvb 6client identifier. When the DHCPvb 6client is the CPE or the PC, the DHCPvb 6client identifier may be the MAC address of the CPE or the MAC address of the PC.
After receiving the Access-Request message, the AAA server performs identity authentication on the DHCPvb 6client according to the information carried in the Access-Request message, and returns, to the relay device by using an Access-Accept message, a result that the DHCPvb 6client passes the authentication or returns, to the relay device by using an Access-Reject message, a result that the DHCPvb 6client fails to pass the identity authentication. When the DHCPvb 6client passes the identity authentication, the AAA server further delivers some authorization information by using the Access-Accept message, where the authorization information delivered by the AAA server may include a name of an address pool or a name of a prefix pool, or may include a designated IPvb 6address or a designated IPvb 6prefix. For example, the AAA server may request a DHCPvb 6server to allocate an IPv6 address within an address pool for a wide area network (WAN) of the DHCPvb 6client by designating a name of the address pool; the AAA server may request the DHCPvb 6server to allocate a delegated IPvb 6prefix within a prefix pool for the DHCPvb 6client by designating a name of the prefix pool; the AAA server may request the DHCPvb 6server to allocate a specific IPvb 6address for the DHCPvb 6client by designating the IPvb 6address; and the AAA server may request the DHCPvb 6server to allocate a specific delegated IPvb 6prefix for the DHCPvb 6client by designating the IPvb 6prefix.
Currently, a Radius address or prefix pool name attribute defined by IETF RFC2869 is Framed-Pool (Attribute 88); a Radius delegated IPvb 6prefix attribute defined by IETF RFC4818 is Delegated-IPv6-Prefix (Attribute 123); and a Radius IPvb 6address attribute defined by a Radext work group draft draft-ietf-radext-ipv6-access is Framed-IPv6-Address, a Radius delegated IPvb 6prefix pool name attribute is Delegated-IPv6-Prefix-Pool, and a Radius stateful IPvb 6address pool name attribute is Stateful-IPv6-Address-Pool. In the embodiments of the present application, the prefix pool name or the address pool name designated in the Radius attribute Framed-Pool, Delegated-IPv6-Prefix-Pool, or Stateful-IPv6-Address-Pool, the delegated IPvb 6prefix designated in the Radius attribute Delegated-IPv6-Prefix, and the IPvb 6address designated in the Radius attribute Framed-IPv6-Address may all be used as the authorization information delivered by the AAA server to the relay device (for example, a network access server NAS) after the DHCPv6 client passes the authentication.
Step 102: The DHCPvb 6relay device inserts an option into a DHCPv6 Relay-Forward message, encapsulates the authorization information in the option, and sends the option to the DHCPvb 6server.
In this embodiment, in order to send the authorization information delivered by the AAA server to the DHCPvb 6server, the relay device inserts the option into a Relay-Forward message to be sent, encapsulates the authorization information in the option, and sends the option to the DHCPvb 6server.
After receiving the Relay-Forward message, the DHCPvb 6server acquires the authorization information by parsing the Relay-Forward message and performs a corresponding operation according to the authorization information. For example, when the authorization information is information related to address allocation, the DHCPvb 6server may allocate address information to the DHCPvb 6client according to the authorization information. More specifically, when the authorization information is a name of an address pool or a name of a prefix pool, the DHCPvb 6server allocates an IPvb 6address or a delegated IPvb 6prefix from the address pool or the prefix pool to the DHCPvb 6client.
In this embodiment, after receiving authorization information delivered by an AAA server, a relay device inserts a corresponding option into a Relay-Forward message, encapsulates the authorization information in the option, and sends the option to a DHCPv6 server, so that the DHCPvb 6server can provide correct configuration information to a DHCPvb 6client according to the authorization information. This solves the problem in the prior art that authorization information delivered by an AAA server cannot be transferred to a DHCPvb 6server by using a DHCPvb 6process; and further, when the authorization information is related to address allocation, the DHCPvb 6server can dynamically allocate an IPvb 6address or an IPvb 6prefix in a designated address pool or a designated prefix pool to the DHCPv6 client according to the authorization information, or designate a specific IPvb 6address or a specific IPvb 6prefix for the DHCPvb 6client according to the authorization information, thereby better meeting a flexibility requirement of an IPvb 6service on configuration of a user address.
The following embodiment uses a DHCPvb 6allocation process as an example to describe a process of transferring authorization information in detail.
Step 1: A CPE sends a Solicit message to a NAS, so as to send a DHCPvb 6solicit.
Step 2: After receiving the Solicit message sent by the CPE, the NAS sends an Access-Request message to an AAA server, so as to request the AAA server to perform authentication on the CPE.
Step 3: The AAA server performs identity authentication on the CPE, and after the CPE passes the authentication, encapsulates authorization information in an Access-Accept message, and returns the Access-Request message to the NAS.
In this embodiment, one or more pieces of authorization information may exist. Each piece of the authorization information may be a name of an address pool or a name of a prefix pool, such as Framed-pool, Delegated-IPv6-Prefix-Pool, Stateful-IPv6-Address-Pool or the like.
Step 4: After receiving the Access-Accept message, the NAS acquires the authorization information of the CPE, encapsulates both the Solicit message from the CPE and the authorization information from the AAA server in a Relay-Forward message, and send the Relay-Forward message to the DHCPvb 6server.
A first implementation manner in which the NAS encapsulates the authorization information in the Relay-Forward message is as follows:
The NAS inserts an option (which may also be called a DHCPvb 6option) corresponding to each piece of the authorization information into the Relay-Forward message, for example, when two pieces of the authorization information are delivered by the AAA server, one piece of the authorization information is Framed-Pool, and the other piece of the authorization information is Delegated-IPv6-Prefix-Pool, the NAS inserts two DHCPv6 options into the Relay-Forward message, where one DHCPvb 6option stores the authorization information Delegated-IPv6-Prefix-Pool, and the other DHCPvb 6option stores the authorization information Framed-Pool.
Then, the NAS encapsulates each piece of the authorization information in the corresponding option and sends the option to the DHCPvb 6server.
A format of the DHCPvb 6option is shown in
A second implementation manner in which the NAS encapsulates the authorization information in the Relay-Forward message is as follows:
The NAS inserts an option (in this implementation, the option may be called a container) corresponding to all the authorization information into the Relay-Forward message and places each piece of the authorization information in the option (or the container) by using sub-options; and then the NAS sends the option (or the container) to the DHCPv6 server.
In this implementation manner, the corresponding option (or the container) may be recorded as Option_Authorization and its format is also shown in
Each sub-option may comply with a data structure of a DHCPvb 6option shown in
The sub-option authoriztion-options may be the foregoing Option_Pool_Name used to encapsulate a designated name of an address pool or a prefix pool, or may be the foregoing Option_Address_Prefix_Auth used to encapsulate a designated address or prefix.
Step 5: The DHCPvb 6server allocates IPvb 6address information to the CPE according to the authorization information in the Relay-Forward message, encapsulates the allocated IPvb 6address information in a Relay-Reply message, and returns the Relay-Reply message to the NAS functioning as a DHCPvb 6relay device.
The IPvb 6address information may be such information as an IPvb 6address or a delegated IPvb 6prefix.
Step 6: The NAS encapsulates the IPvb 6address information returned by the DHCPvb 6server in an Advertise message and sends the Advertise message to the CPE.
Step 7: The CPE sends a Request message to the NAS and the IPvb 6address information is carried in the Request message.
Step 8: The NAS forwards the Relay-Forward message to the DHCPvb 6server.
The Relay-Forward message includes the IPvb 6address information in the Request message.
Step 9: The DHCPvb 6server returns the Relay-Reply message to the NAS.
The Relay-Reply message includes the IPvb 6address information in response to a request in the Relay-Forward message.
Step 10: The NAS returns a Reply message to the CPE.
The Reply message includes the IPvb 6address information in the Relay-Reply message.
Step 7 to step 10 describe a process in which the CPE notifies the DHCPvb 6server that the CPE has acquired the IPvb 6address information. The process is the same as that in the prior art and therefore is not described in detail in this embodiment.
In this embodiment, a NAS inserts a DHCPvb 6option into a Relay-Forward message and sends authorization information delivered by an AAA server to a DHCPv6 server by using the DHCPvb 6option; the DHCPvb 6server allocates correct IPvb 6address information to a CPE according to the authorization information encapsulated in the received option, thereby solving the problem in the prior art that authorization information delivered by an AAA server and related to address information cannot be transferred to a DHCPv6 server by using a DHCPvb 6process; and further, in this embodiment, the authorization information delivered by the AAA server is sent to the DHCPvb 6server, so that the DHCPv6 server can dynamically allocate an IPvb 6address or an IPvb 6prefix in a designated address pool or prefix pool to a DHCPvb 6client according to the authorization information, or designates a specific IPvb 6address or IPvb 6prefix for a DHCPvb 6client according to the authorization information, thereby better fulfilling a flexibility requirement of an IPvb 6service on configuration of a user address.
In addition, by using the method in this embodiment, the AAA server and the DHCPvb 6server may be two devices independent from each other, thereby solving a network restraint caused by combining the AAA server and the DHCPvb 6server into one server and better facilitating development of an IPvb 6service.
It should be noted herein that this embodiment uses authorization information related to address allocation in a DHCPvb 6allocation process as an example for description but the present application is not limited thereto. Regardless whether the authorization information is related to address allocation, the DHCPvb 6option may be inserted into the Relay-Forward message and the authorization information delivered by the AAA may be encapsulated in the DHCPvb 6option so as to send the authorization information to the DHCPvb 6server.
The first receiving module 31 is configured to receive authorization information delivered by an AAA server. The encapsulating module 32 is connected to the first receiving module 31 and is configured to insert an option into a Relay-Forward message in a DHCPv6 process, encapsulate the authorization information in the option, and send the option to a DHCPvb 6server.
The functional modules of the relay device described in this embodiment are configured to execute the process of the method for transferring authorization information shown in
The relay device in this embodiment, after receiving authorization information delivered by an AAA server, inserts an option into a Relay-Forward message, and sends the authorization information to a DHCPvb 6server by means of the option, so that the DHCPv6 server can provide a correct configuration for a DHCPvb 6client according to the authorization information, thereby solving the problem in the prior art that authorization information delivered by an AAA server cannot be transferred to a DHCPvb 6server by using a DHCPv6 process. Further, when the authorization information is related to address allocation, the DHCPvb 6server can dynamically allocate an IPvb 6address or an IPvb 6prefix in a designated address pool or prefix pool to the DHCPvb 6client according to the authorization information, or designates a specific IPvb 6address or IPvb 6prefix for the DHCPvb 6client according to the authorization information, thereby better fulfilling a flexibility requirement of an IPvb 6service on configuration of a user address.
The first inserting unit 321 is configured to insert an option corresponding to each piece of the authorization information into the Relay-Forward message. The first transferring unit 322 is connected to the first inserting unit 321 and the first receiving unit 31 and is configured to encapsulate each piece of the authorization information in the corresponding option, and send the option to the DHCPvb 6server.
The functional units above may be configured to execute the process of the first implementation manner of step 4 in the embodiment shown in
As shown in
The second inserting unit 323 is configured to insert an option corresponding to all the authorization information into the Relay-Reply message; and the second transferring unit 324 is connected to the second inserting unit 323 and the first receiving module 31 and is configured to encapsulate all the authorization information in the option and send the option to the DHCPvb 6server.
Further, the second transferring unit 324 is specifically configured to insert a sub-option corresponding to each piece of the authorization information into the option, encapsulate each piece of the authorization information in the corresponding sub-option, and send the sub-option to the DHCPvb 6server.
In the DHCPvb 6allocation process, each piece of the authorization information may be Framed-Pool, Delegated-IPv6-Prefix-Pool, Stateful-IPv6-Address-Pool, Delegated-IPv6-Prefix, Framed-IPv6-Address, or the like.
Further, the relay device in this embodiment further includes a second receiving module 33, where the second receiving module 33 is configured to receive configuration information which is delivered by the DHCPvb 6server to the DHCPvb 6client according to the authorization information.
The second receiving module 33 may be configured to execute a corresponding process in the method shown in
The relay device in this embodiment implements insertion of an option into a Relay-Forward message by using an inserting unit and a transferring unit, and the relay device sends authorization information to a DHCPvb 6server by using the option field; and the DHCPvb 6server allocates correct configuration information to a CPE according to the authorization information encapsulated in the received option, thereby solving the problem in the prior art that authorization information delivered by an AAA server cannot be transferred to a DHCPvb 6server by using a DHCPvb 6process. In addition, by using the method in this embodiment, the AAA server and the DHCPvb 6server may be two devices independent from each other, thereby solving a network restraint caused by combining the AAA server and the DHCPvb 6server into one server and better facilitating development of an IPvb 6service. Further, in this embodiment, the authorization information delivered by the AAA server is sent to the DHCPvb 6server, so that the DHCPvb 6server can dynamically allocate an IPv6 address or an IPvb 6prefix in a designated address pool or prefix pool to a DHCPvb 6client according to the authorization information, or designates a specific IPvb 6address or IPv6 prefix for a DHCPvb 6client according to the authorization information, thereby better fulfilling a flexibility requirement of an IPvb 6service on configuration of a user address.
The third receiving module 51 is configured to receive authorization information which is encapsulated by using an option in a Relay-Forward message in a DHCPvb 6process and sent by a relay device, where the authorization information is delivered by an AAA server to the relay device. The allocating module 52 is connected to the third receiving module 51 and is configured to allocate correct configuration information to a DHCPvb 6client according to the authorization information.
The authorization information may be Framed-Pool, Delegated-IPv6-Prefix-Pool, Stateful-IPv6-Address-Pool, Delegated-IPv6-Prefix, or Framed-IPv6-Address delivered by the AAA server in a DHCPvb 6allocation process, but is not limited thereto.
The server in this embodiment may be a DHCPvb 6server in a DHCPvb 6allocation process and the functional modules of the server may be configured to execute a corresponding process in the embodiment shown in
It should be noted herein that, when the authorization information is not information related to address allocation, the server in this embodiment may not perform address information allocation based on the authorization information but may still receive the authorization information sent by the relay device.
Persons of ordinary skill in the art may understand that all or a part of the steps of the method embodiments may be implemented by a program instructing relevant hardware. The program may be stored in a computer readable storage medium. When the program runs, the steps of the method embodiments are performed. The storage medium includes: any medium that can store program code, such as a ROM, a RAM, a magnetic disk, an optical disc, and the like.
It should be finally noted that the foregoing embodiments are merely intended to describe the technical solutions of the present application rather than to limit the present application. Although the present application is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still make modifications to the technical solutions described in the foregoing embodiments or make equivalent replacements to some technical features thereof, as long as such modifications or replacements do not cause the nature of corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.
| Number | Date | Country | Kind |
|---|---|---|---|
| 201110349928.7 | Nov 2011 | CN | national |
This application is a continuation of International Patent Application No. PCT/CN2012/083290, filed on Oct. 22, 2012, which claims priority to Chinese Patent Application No. 201110349928.7, filed on Nov. 8, 2011, both of which are hereby incorporated by reference in their entireties.
| Number | Date | Country | |
|---|---|---|---|
| Parent | PCT/CN2012/083290 | Oct 2012 | US |
| Child | 14272217 | US |
