
WO2008138274A1 - Method, corresponding device and system for accessing a remote service - Google Patents


Info

Publication number
WO2008138274A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
session
layer
tunnel
Application number
PCT/CN2008/070963
Other languages
English (en)
Chinese (zh)
Inventor
Weilong Ouyang
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008138274A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method, device, and system for accessing a remote service.
  • IP Internetworking Protocol
  • VoIP Voice over IP
  • IPTV TV over IP
  • PPPoE client PPP over Ethernet client
  • NAS Network Access Server
  • after the PPPoE session is successfully established, the PPPoE client initiates a PPP authentication process to the NAS;
  • the NAS extracts the authentication information, such as the user's account number and password, from the PPP authentication message and, as the user's agent, sends an authentication request (Authentication Request) to the authentication server (Radius Server);
  • the Radius Server confirms, based on the user account and password, that the user is a valid VPDN user, and carries the user policy and the Layer 2 Tunneling Protocol (L2TP) tunnel parameters, such as the IP address of the virtual private network server, in the authentication response packet;
  • L2TP Layer 2 Tunneling Protocol
  • the NAS confirms that the user is a VPDN user, and negotiates and establishes an L2TP tunnel and session with the virtual private network server according to the L2TP tunnel parameters in the authentication response message;
  • after confirming that the L2TP session is successfully established, the NAS forwards the user's PPP packets into the L2TP session;
  • the user and the virtual private network server obtain the PPP link parameters, IP address and other information through the point-to-point link configuration protocol/network configuration protocol (PPP LCP/NCP) negotiation process, and the entire VPDN call process ends (Session UP).
  • PPP LCP/NCP point-to-point link configuration protocol/network configuration protocol
  • PPP dialing a typical remote access method
  • a remote service device, such as a VPDN server, has to configure, manage and maintain the user terminal device;
  • the management and maintenance are complicated and the cost is high.
  • the embodiment of the present invention provides a method for dynamic remote access, where the access method includes: an IP edge device obtains the tunnel information required by the user session of the user and establishes a Layer 2 tunnel and/or session with the remote service device; the IP edge device obtains the Layer 2 address information of the user and binds the Layer 2 address information to the location of the network where the user is located; and the IP edge device establishes a mapping relationship from the Layer 2 address information to the Layer 2 tunnel and/or session, in order to access the remote service.
  • an embodiment of the present invention further provides a communication access device, where the device includes: a session establishment device, configured to obtain the tunnel information required by the user session of the user and to establish a Layer 2 tunnel and/or session with the remote service device according to that tunnel information; and an associating device, configured to obtain the Layer 2 address information accessed by the user, bind the Layer 2 address information to the location of the network where the user is located, and establish a mapping relationship between the Layer 2 address information and the Layer 2 tunnel and/or session, so as to connect the user session to the remote service device.
  • the embodiment of the present invention further provides a communication system, where the system includes: at least one remote service device and at least one IP edge device, where the at least one IP edge device is configured to obtain the tunnel information required for a user session, establish a Layer 2 tunnel and/or session with the at least one remote service device according to that tunnel information, obtain the Layer 2 address information accessed by the user, and bind the Layer 2 address information to the location of the network where the user is located;
  • the at least one remote service device is configured to connect to the at least one IP edge device through the Layer 2 tunnel and/or session and to receive messages from the IP edge device, so that the user session is accessed to the remote service device.
  • the dynamic tunnel establishment mechanism does not need to directly configure the user terminal equipment, thereby simplifying the management and service deployment.
  • Figure 1 shows the call flow of a traditional PPPoE access virtual private network server
  • FIG. 2 is a flow chart of establishing an implicit authentication IP session dynamic access VPN according to an embodiment of the present invention
  • FIG. 3 is a flowchart of establishing a PANA authentication IP session dynamic access VPN according to an embodiment of the present invention
  • FIG. 5 is a flow chart of a policy-driven IP session dynamic access VPN according to an embodiment of the present invention
  • FIG. 6 is a policy-driven PPP session dynamic access VPN according to an embodiment of the present invention
  • Figure 7 is a schematic diagram of a protocol stack according to an embodiment of the present invention.
  • FIG. 8A is a structural block diagram of a communication access device according to an embodiment of the present invention.
  • FIG. 8-B is a structural block diagram of a communication access device according to an embodiment of the present invention.
  • an embodiment of the present invention provides a method for remote access: after a user initiates a user session call, the tunnel information required for the user session is obtained, and a Layer 2 tunnel and/or session is established with the remote service device;
  • the Layer 2 address information accessed by the user is obtained and bound to the location of the network where the user is located; the mapping relationship between the Layer 2 address information and the Layer 2 tunnel and/or session is established, and packets are forwarded according to the mapping relationship.
  • when the user logs in through a certain user terminal, the access communication device binds the Layer 2 address information accessed by the user to the location of the network where the user is located, and establishes the mapping relationship from the Layer 2 address information to the Layer 2 tunnel and/or session, so the remote service device need not configure, manage or maintain the user terminal.
  • the call flow of the virtual private network is accessed through implicit authentication.
  • for example, the session establishment process of the IP session dynamic access virtual private network based on implicit authentication, shown in Figure 2, is as follows:
  • S201 The user (User) sends a dynamic host configuration protocol DHCP Discover message through the DHCP client of a network terminal device such as a computer, and starts the address allocation process.
  • the access node captures the DHCP Discover message sent by the user terminal device, inserts the port number (or DSL port number) on which it received the DHCP Discover message into the message in Option 82 format, and forwards the modified message.
  • the access node can implement the Layer 2 DHCP relay function.
  • the access node can be a digital subscriber line access aggregation device (Digital Subscriber Line Access Multiplexer, DSLAM);
  • the access node may not modify the subsequent DHCP messages, such as Offer, Request and Ack, but directly forwards them;
  • IP Edge such as a broadband remote access server (BRAS)
  • BRAS broadband remote access server
  • the IP edge device (IP Edge), such as a BRAS, receives the DHCP Discover message sent by the user terminal device, extracts the port number of the user terminal device (Line Info) from it or constructs a user account, and, as the user's proxy, initiates an authentication request to the authentication server (Radius Server);
  • the authentication server performs authentication according to the port number or the user account of the user terminal device. After the authentication is passed, it sends an authentication response packet to the IP edge device, and the authentication response packet carries the user policy in Remote Authentication Dial In User Service (Radius) attributes.
  • if the user is a virtual private network user (VPN or VPDN user), the user policy also carries the information of the virtual private network tunnel, such as the L2TPv3 session parameters and the IP address of the virtual private network server (VPDN Server).
  • S205 Negotiate and establish an L2TP tunnel or session between the IP edge device and the virtual private network server. Specifically, the IP edge device confirms whether the user is legal; if the user is confirmed to be legitimate, the user authorization information is obtained, the IP session is confirmed to be authorized, and the user policy is applied to the IP session; if the user is a virtual private network user, an L2TP tunnel or session is negotiated and established with the virtual private network server according to the user's virtual private network parameters;
  • S206 On the IP edge device, when the L2TP tunnel or session is successfully established, it is determined that the IP session initiated by the user terminal device is authorized; the Layer 2 information accessed by the user, such as MAC and/or virtual local area network (VLAN) address information, is bound to the location information detected by the IP edge device, and a mapping relationship between the MAC and/or other Layer 2 information (such as VLAN) and the L2TP session is established.
  • VLAN virtual local area network
  • the IP edge device relays or forwards the user's DHCP Discover message to the virtual private network server through the user's L2TP session. If necessary, the DHCP Discover message may carry the Radius attributes from the authentication server's response in S204.
  • the virtual private network server receives the user's DHCP Discover, establishes an IP tunnel or session, and authorizes the session, for example by locally establishing an association relationship (or a binding relationship and a mapping relationship) between the user's MAC and the L2TP session; following the implicit authentication mode of the IP session, authentication is performed according to attributes such as the Radius attributes carried in the DHCP Discover message. If the authentication confirms that the user is legitimate, or the Radius and other attributes of the DHCP Discover message from the IP Edge are trusted directly and confirm that the user is legitimate, the IP session is determined to be authorized and the user policy is applied to the IP session;
  • S209 The virtual private network server forwards the DHCP Discover message to the DHCP server, and if necessary the Radius attributes are carried in the DHCP Discover message; the process is consistent with the implicitly authenticated IP session.
  • the DHCP server checks the parameters of the DHCP Discover, confirms that it is the address allocation server of the user, and sends a DHCP Offer message to the user; the message is relayed or forwarded via the virtual private network server and the IP edge device.
  • the user receives the DHCP Offer message sent by the DHCP server, confirms that the server is selected as the address allocation server, and sends an address request (DHCP Request) to the DHCP server; alternatively, the user may confirm the selection of the server as the address allocation server and directly send an address allocation request (DHCP Request) to the DHCP server;
  • the DHCP server allocates an IP address to the user according to the parameters of the DHCP Request and responds with a DHCP Ack to the user, or the IP edge device responds with the DHCP Ack. After the DHCP Ack is received, the dynamic establishment of the IP session of the virtual private network is complete.
  • the call flow of the virtual private network is accessed through the authentication method of the protocol for carrying authentication for network access (PANA).
  • PANA protocol for carrying authentication for network access
  • the session establishment process of the IP session dynamic access virtual private network based on the PANA authentication shown in Figure 3 is as follows:
  • DHCP Discover dynamic host configuration protocol discovery
  • IP config address allocation process
  • the Radius Server1 sends an authentication response to the IP edge device, where the authentication response carries an authentication, authorization and accounting (AAA) attribute that includes the user policy; if the user is a VPDN user, the AAA attribute also carries the information of the VPDN tunnel, such as the L2TPv3 session parameters, the IP address of the virtual private network server, and the like;
  • AAA authentication, authorization and accounting
  • S304 Negotiate and establish an L2TP session between the IP edge device and the virtual private network server (VPDN Server). Specifically, if the IP edge device confirms that the user is legal, it confirms that the IP session is authorized and applies the user policy to the IP session; if the user is a VPDN user, it negotiates and establishes an L2TP tunnel and session with the virtual private network server according to the VPDN parameters;
  • the IP edge device confirms that the L2TP session is successfully established, so the user's IP session is determined to be authorized; the user's MAC and other Layer 2 information (such as VLAN) are then bound to the location information perceived for the IP session user on the IP edge device, and a mapping relationship between the MAC and/or other Layer 2 information and the L2TP session is established;
  • IP reconfig re-address allocation process
  • S307 The AN processes and forwards the DHCP message according to the address configuration (IP config) process;
  • S308 The IP edge device receives the DHCP Discover message and forwards it to the virtual private network server through the L2TP session. If necessary, the DHCP Discover message may be updated according to the user's Radius information, that is, the Radius attributes are carried in the DHCP Discover message forwarded to the virtual private network server;
  • the virtual private network server receives the DHCP Discover message from the user, and locally establishes the binding relationship and mapping relationship between the user's MAC address and the L2TP session.
  • authentication is performed according to attributes such as the Radius attributes. If the user passes the authentication, the user is confirmed to be legal, or the Radius and other attributes of the DHCP Discover from the IP Edge are trusted directly and confirm that the user is legal; the IP session is then determined to be authorized, the user policy is applied to the IP session, and the DHCP Discover message is forwarded to the DHCP server (DHCP Server2);
  • the DHCP Server2 checks the parameters of the DHCP Discover, confirms that it is the address allocation server of the user, and sends a DHCP Offer message to the user; the message is relayed or forwarded via the virtual private network server and the IP edge device.
  • S311 The user receives the DHCP Offer message sent by the server, confirms that the server is selected as the address allocation server, and sends an address request (DHCP Request) to DHCP Server2; alternatively, the user may confirm the selection of the server as the address allocation server and directly send an address allocation request (DHCP Request) to DHCP Server2;
  • DHCP Server2 assigns an IP address to the user according to the parameters of the DHCP Request and responds with a DHCP Ack to the user, or the IP edge device responds with the DHCP Ack.
  • the call flow of the virtual private network is accessed through Dynamic Host Configuration Protocol (DHCP) authentication.
  • DHCP Dynamic Host Configuration Protocol
  • the session establishment process of the IP session dynamic access virtual private network based on the DHCP Auth authentication shown in Figure 4 is as follows:
  • S401 The user sends a dynamic host configuration protocol discovery (DHCP Discover) message through a DHCP client of a network terminal such as a computer, and starts an address allocation process.
  • DHCP Discover dynamic host configuration protocol discovery
  • the access node, such as the DSLAM, captures the user's DHCP Discover message, inserts the port number (or DSL port number) on which the message was received into the DHCP Discover message in Option 82 format, and then forwards the modified DHCP Discover message;
  • the access node may not modify the subsequent DHCP messages, such as offer, request, and Ack messages, but directly forward them.
  • S403 The IP edge device (IP Edge), for example the BRAS, receives the DHCP Discover message, extracts the user's port number (Line Info) and the DHCP Auth option, and performs a DHCP Auth process with the user if necessary.
  • the IP edge device can perform the DHCP authentication process with the user according to an authentication protocol (such as draft-pruss-dhcp-auth-dsl-00);
  • the IP edge device sends an authentication request to the Radius Server according to the authentication protocol (e.g. draft-pruss-dhcp-auth-dsl-00). After confirming that the user authentication is passed, the Radius Server sends an authentication response packet to the IP edge device, where the authentication response packet carries the AAA attribute containing the user policy; if the user is a VPDN user, the AAA attribute also carries information about the VPDN tunnel, such as the L2TPv3 session parameters, the IP address of the VPDN server, and the like;
  • the IP edge device establishes an IP session. Specifically, if the IP edge device confirms that the user is legal and confirms that the IP session is authorized, the user policy is applied to the IP session; if the user is a VPDN user, an L2TP tunnel and session are negotiated and established with the VPDN server according to the user's VPDN parameters;
  • the IP edge device confirms that the L2TP session is successfully established, determines that the user's IP session is authorized, binds the user's MAC and other Layer 2 information (such as VLAN) to the IP session user's location information on the IP edge device, and establishes a mapping relationship between the MAC and/or other Layer 2 information and the L2TP session.
  • the IP edge device relays or forwards the user's DHCP Discover message to the VPDN server through the user's L2TP session.
  • the DHCP Discover message may carry the necessary Radius attributes from the authentication server's response.
  • the VPDN server receives the user's DHCP Discover and locally establishes the binding relationship and mapping relationship between the user's MAC and the L2TP session. If necessary, the user can be re-authenticated according to the DHCP Auth authentication mode or the implicit authentication mode of the IP session: once the user authentication passes, or the Radius and other attributes of the DHCP message from the IP Edge are trusted directly and confirm that the user is legal, the IP session is determined to be authorized and the user policy is applied to the IP session;
  • S409 The VPDN server forwards the DHCP Discover message to the DHCP server, and the process is consistent with the implicitly authenticated IP session.
  • S411 The user receives the DHCP Offer message with which the server responds, confirms that the server is selected as the address allocation server, and sends a DHCP Request (address allocation request) to the DHCP server; alternatively, the user may confirm the selection of the server as the address allocation server and directly send an address allocation request (DHCP Request) to the DHCP server;
  • the DHCP server allocates an IP address to the user according to the parameters of the DHCP Request and responds with a DHCP Ack to the user, or the IP edge device responds with the DHCP Ack. After the user receives the DHCP Ack, the session establishment process of the IP session dynamically accessing the VPN is complete.
  • the call flow of the virtual private network is accessed through a policy-driven manner.
  • the session establishment process of the policy-driven IP session dynamic access virtual private network shown in FIG. 5 is as follows:
  • S502 Establish and authorize an IP session on the IP edge device. Specifically, the IP edge device confirms that the user is legal, determines that the IP session is authorized, and applies the user policy to the IP session;
  • the OSS, the BSS, or the application server needs to dynamically access the user to the VPN server, and pushes the updated user policy to the IP edge device.
  • the user policy carries the information of the VPDN tunnel, such as the L2TPv3 session parameters and the IP address of the VPDN server; the user policy also carries filtering policies, such as all packets of the user, or access to a given IP address, and so on;
  • the IP edge device confirms that the IP session of the user whose policy is being updated by the policy server still exists, and negotiates and establishes an L2TP tunnel and session with the VPDN server according to the user's VPDN parameters;
  • after confirming that the user's L2TP session is successfully created, the IP edge device updates the policy of the user's IP session, applies the corresponding filtering policy to the IP session, binds the user's MAC and other Layer 2 information (such as VLAN) to the location information that the IP edge device senses for the IP session user, and establishes a mapping relationship between the MAC and/or other Layer 2 information and the L2TP session.
  • the IP edge device forwards the IP packets carrying the MAC address of the specified user to the VPDN server through the user's L2TP session according to the updated filtering policy, and the VPDN server performs subsequent processing.
  • the process of dynamically accessing the VPN is over.
  • the method provided by the embodiment of the present invention not only supports an Internet Protocol (IP) session, but also supports a point-to-point protocol (PPP) session.
  • PPP point-to-point protocol
  • the process of establishing a policy-driven PPP session dynamic access VPN is shown in Figure 6.
  • S601 The user configures an IP address according to the original PPP session authentication process;
  • the IP edge device confirms that the user is legal, determines that the PPP session is authorized, and applies the user policy to the IP session;
  • the OSS, the BSS, or the application server needs to dynamically access the user to the VPN server, and pushes the updated user policy to the IP edge device, where the user policy carries the information of the VPDN tunnel, such as the L2TPv3 session parameters and the IP address of the VPDN server; the user policy also carries filtering policies, such as all packets of the user, or access to a given IP address, and so on;
  • the IP edge device confirms that the PPP session of the user whose policy is being updated by the policy server still exists, and negotiates and establishes an L2TP tunnel and session with the VPDN server according to the user's VPDN parameters;
  • after confirming that the user's L2TP session is successfully created, the IP edge device updates the policy of the user's PPP session, applies the corresponding filtering policy to the session, binds the user's MAC and/or other Layer 2 information (such as VLAN) to the location information that the IP edge device is aware of for the user, and maps the Layer 2 information, such as the MAC and/or other Layer 2 information (such as VLAN), to the L2TP session.
  • the IP edge device binds the MAC and the location information according to the updated filtering policy, and performs subsequent processing using the MAC, IP and other Layer 2 information contained in the user's PPP packets.
  • the process of dynamically accessing the VPN is over.
  • the foregoing methods implement a complete interaction process in which a user session dynamically establishes a tunnel or session to access a VPN; the method can ensure the credibility of the information above the second layer (such as the MAC layer) of the user session, thereby establishing a trusted connection from the user through the IP edge device up to the VPN server.
  • the specific protocol stack processing is shown in Figure 7.
  • the remote service device (such as a virtual private network server) does not need to directly configure (static configuration) the user terminal device, thanks to the dynamic tunnel establishment mechanism, thereby simplifying management and service deployment.
  • since the edge device binds the Layer 2 address information to the location of the network where the user is located, instead of the user ID and the identifier of the virtual private network, the user can effectively access the target network in the nomadic state.
  • a communication access device such as an IP Edge
  • a remote service device such as a virtual private network server
  • the method of obtaining the user policy corresponding to the user session includes: obtaining the user policy by parsing the authentication message returned by the authentication server; and/or obtaining the user policy by parsing the message delivered by the policy server.
  • the user policy also includes a filtering policy (such as all packets of the user, access to a given IP address, etc.), and packets can be forwarded according to the filtering policy.
  • the tunnel information required for the user session is carried in the user policy and provided to the communication access device and/or the remote service device. In this manner the process can be conveniently managed and simplified; of course, other methods may also be used.
  • authentication of the user session related information may be performed using a single authentication mode or multiple authentication modes (i.e. combining multiple authentication modes); applicable authentication methods include but are not limited to: implicit authentication, network access authentication protocol (PANA) authentication, authentication, authorization and accounting (AAA) authentication, point-to-point protocol (PPP) authentication, dynamic host configuration protocol (DHCP) authentication, or other authentication methods.
  • PANA network access authentication protocol
  • AAA authentication, authorization and accounting
  • PPP point-to-point protocol
  • DHCP dynamic host configuration Protocol
  • the communication access device 800 (such as an IP Edge) provided by the embodiment of the present invention includes the following components, as shown in FIG. 8-A and FIG. 8-B:
  • the session establishing apparatus 802 is configured to: after the user terminal initiates the user session call, obtain the tunnel information required by the user session, and establish a layer 2 tunnel and/or a session with the remote service device according to the tunnel information required by the user session;
  • the association device 804 is configured to obtain the Layer 2 address information accessed by the user, bind the Layer 2 address information to the location of the network where the user is located, and establish a mapping relationship from the Layer 2 address information to the Layer 2 tunnel and/or session, so as to access the user session to the remote service device.
  • the forwarding device 806 is configured to forward the packet according to the mapping relationship.
  • the policy obtaining device 808 is configured to obtain a user policy corresponding to the user terminal.
  • the policy application device 810 is configured to install and/or update a user policy corresponding to the user session, and apply the user policy to the layer 2 tunnel or session.
  • the network end authentication device 812 is configured to perform authentication negotiation with the network side authentication service device; the authentication modes supported by the network end authentication device include: dynamic host configuration protocol (DHCP) authentication, network access authentication protocol (PANA) authentication, authentication, authorization and accounting (AAA) authentication, point-to-point protocol (PPP) authentication, and/or implicit authentication.
  • DHCP dynamic host configuration protocol
  • PANA network access authentication protocol
  • AAA authentication, authorization and accounting
  • PPP point-to-point protocol
  • The client authentication device 814 is configured to perform authentication negotiation with the user terminal; the authentication modes it supports include DHCP authentication, user session (IP Session) authentication, PPP authentication and PANA authentication.
  • The policy obtaining device includes a first policy obtaining device and/or a second policy obtaining device: the first policy obtaining device is configured to obtain the user policy by parsing the authentication response message returned by the network-side authentication device; and/or
  • the second policy obtaining device is configured to obtain the user policy by parsing a message sent by a user session parameter providing device (such as a policy server).
  • An embodiment of the present invention provides a communication system that includes at least one remote service device and at least one communication access device (such as an IP edge device).
  • The at least one communication access device is configured to: after the user initiates a user session call, obtain the tunnel information required by the user session and, according to that tunnel information, establish a Layer 2 tunnel and/or session with the at least one remote service device;
  • obtain the Layer 2 address information of the user, bind the Layer 2 address information to the network location of the user, and establish a mapping from the Layer 2 address information to the Layer 2 tunnel and/or session.
  • The at least one remote service device is configured to connect to the at least one communication access device through the Layer 2 tunnel and/or session and to receive packets from the communication access device, so as to provide remote access services to the users that access the network through the communication access device.
  • The communication system also includes at least one communication device that provides an authentication service.
  • The at least one communication device providing the authentication service is configured to perform authentication negotiation with the communication access device and/or the user terminal, where the authentication mode includes one or more of the following: DHCP authentication, PANA authentication, AAA authentication, PPP authentication and implicit authentication.
  • The at least one communication device providing the authentication service includes:
  • an authentication device configured to perform authentication negotiation with the communication access device, where the authentication mode includes one or more of the following: DHCP authentication, PANA authentication, AAA authentication, PPP authentication and implicit authentication; and
  • a user session parameter providing device configured to provide the communication access device with the user information corresponding to the user policy and/or the tunnel information required by the user session.
  • The communication system further includes a user session parameter providing device, configured to provide the communication access device with the user information corresponding to the user session and/or the tunnel information required by the user session.
  • The remote service device includes:
  • a session establishing device configured to establish a Layer 2 tunnel or session with the edge device;
  • a session access device configured to provide a virtual private network access service for the user terminal after the Layer 2 tunnel or session has been established; and
  • a policy application device configured to install and/or update the user policy corresponding to the user session and apply it to the Layer 2 tunnel and/or session.
  • The policy here may be a filtering policy, for example one that governs all users' access to a certain IP address.
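The IP edge component set described above (session establishing, association, forwarding and policy devices) and the filtering policy applied at the tunnel end, modelled together as an added example in Python. This is not code from the patent or from Huawei, and every identifier in it (port and VLAN names, tunnel and session IDs, the remote address, the blocked-destination policy) is a constructed assumption; the Layer 2 tunnel is represented as an opaque (remote, tunnel id, session id) triple rather than a real L2TP implementation. What it shows is what the binding of the Layer 2 address to the network location buys: a frame carrying a bound MAC address but arriving from a different access location does not match the binding and is dropped rather than being carried into that user's tunnel, and a second session call for an already bound MAC from another location is refused.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# All identifiers below are constructed for this example; none come from the patent.


@dataclass(frozen=True)
class Location:
    """Network location of the user: access node port plus VLAN (assumed form)."""
    port: str
    vlan: int


@dataclass(frozen=True)
class TunnelSession:
    """Layer 2 tunnel and session towards the remote service device (opaque IDs)."""
    remote: str
    tunnel_id: int
    session_id: int


@dataclass(frozen=True)
class UserPolicy:
    """Filtering policy applied to the tunnel/session: destinations the user may not reach."""
    blocked_dst: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ingress: Location
    dst_ip: str


class IPEdge:
    """Models the IP edge: session establishing, association, forwarding and policy devices."""

    def __init__(self) -> None:
        self.binding: Dict[str, Location] = {}        # L2 address -> network location
        self.mapping: Dict[str, TunnelSession] = {}   # L2 address -> tunnel/session
        self.policy: Dict[TunnelSession, UserPolicy] = {}

    def session_call(self, mac: str, location: Location,
                     tunnel_info: Tuple[str, int, int],
                     policy: UserPolicy = UserPolicy()) -> TunnelSession:
        """User session call: set up tunnel/session, bind MAC to location, map MAC to tunnel."""
        # Session establishing device: tunnel_info stands in for the tunnel information
        # obtained from the authentication response or the policy server (assumed).
        ts = TunnelSession(*tunnel_info)
        # Association device: a MAC already bound to another location is refused,
        # so a second attachment cannot take over the first user's session.
        bound = self.binding.get(mac)
        if bound is not None and bound != location:
            raise PermissionError(f"{mac} is already bound to {bound}")
        self.binding[mac] = location
        self.mapping[mac] = ts
        # Policy application device: install the user policy on the tunnel/session.
        self.policy[ts] = policy
        return ts

    def update_policy(self, ts: TunnelSession, policy: UserPolicy) -> None:
        """Policy application device: update the policy already installed on a tunnel/session."""
        if ts not in self.policy:
            raise KeyError(ts)
        self.policy[ts] = policy

    def forward(self, frame: Frame) -> Tuple[Optional[TunnelSession], str]:
        """Forwarding device: pick the tunnel/session for a frame, or name the reason it is dropped."""
        ts = self.mapping.get(frame.src_mac)
        if ts is None:
            return None, "drop:no-mapping"           # unknown L2 address, no session
        if self.binding[frame.src_mac] != frame.ingress:
            return None, "drop:binding-mismatch"     # bound MAC seen from another location
        if frame.dst_ip in self.policy[ts].blocked_dst:
            return None, "drop:policy"               # filtering policy on the tunnel
        return ts, "forward"


def demo() -> Dict[str, str]:
    """Constructed scenario; returns the forwarding decision for each frame."""
    edge = IPEdge()
    alice_loc = Location(port="access1/0/1", vlan=100)
    alice = edge.session_call("00:11:22:33:44:55", alice_loc,
                              ("lns.example.net", 7, 1),
                              UserPolicy(blocked_dst=frozenset({"192.0.2.99"})))
    results = {
        "alice-ok": edge.forward(Frame("00:11:22:33:44:55", alice_loc, "198.51.100.10"))[1],
        "alice-policy": edge.forward(Frame("00:11:22:33:44:55", alice_loc, "192.0.2.99"))[1],
        # Same MAC, but arriving on a different port: the binding does not match.
        "spoof": edge.forward(Frame("00:11:22:33:44:55", Location("access1/0/2", 100),
                                    "198.51.100.10"))[1],
        "unknown": edge.forward(Frame("66:77:88:99:aa:bb", alice_loc, "198.51.100.10"))[1],
    }
    edge.update_policy(alice, UserPolicy())          # a policy update lifts the filter
    results["alice-after-update"] = edge.forward(
        Frame("00:11:22:33:44:55", alice_loc, "192.0.2.99"))[1]
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The order of checks in `forward` is deliberate: the binding check runs before the policy lookup, so a frame from the wrong location never reaches any user's policy or tunnel, which is the property the association device's binding is meant to provide.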

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method, a corresponding device and a system for accessing a remote service, in the field of communications. The method comprises the following steps: the IP edge device acquires the tunnel information for the user's user session and sets up a Layer 2 tunnel and/or session to the remote service device; the IP edge device acquires the Layer 2 address information of the user and binds the Layer 2 address information to the network location of the user; and the IP edge device sets up the mapping relationship between the Layer 2 address information and the Layer 2 tunnel and/or session, so as to access the remote service.
PCT/CN2008/070963 2007-05-14 2008-05-14 Method, corresponding device and system for accessing a remote service WO2008138274A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710074459A CN101309284B (zh) 2007-05-14 2007-05-14 Communication method, device and system for remote access
CN200710074459.6 2007-05-14

Publications (1)

Publication Number Publication Date
WO2008138274A1 true WO2008138274A1 (fr) 2008-11-20

Family

ID=40001709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070963 WO2008138274A1 (fr) 2007-05-14 2008-05-14 Method, corresponding device and system for accessing a remote service

Country Status (2)

Country Link
CN (1) CN101309284B (fr)
WO (1) WO2008138274A1 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107666505B (zh) * 2016-07-29 2020-09-15 京东方科技集团股份有限公司 Method and apparatus for controlling resource access
CN108617008B (zh) 2016-12-05 2019-09-17 大唐移动通信设备有限公司 Service data processing method and apparatus
CN107798843A (zh) * 2017-11-14 2018-03-13 江苏领安智能桥梁防护有限公司 Intelligent anti-collision sleeve-box system capable of acquiring hydrological information
CN109802920A (zh) * 2017-11-16 2019-05-24 杭州中威电子股份有限公司 Hybrid authentication system for device access in the security industry
CN109819063A (zh) * 2019-01-28 2019-05-28 上海市共进通信技术有限公司 Method and system for automatically updating the IP addresses of attached downstream devices
CN114501680B (zh) * 2020-11-11 2024-11-08 中国移动通信有限公司研究院 Local area network implementation method, core network device and terminal
CN113542395B (zh) * 2021-07-13 2022-07-12 武汉绿色网络信息服务有限责任公司 Packet processing method and packet processing system
CN114039795B (zh) * 2021-11-26 2023-06-23 郑州信大信息技术研究院有限公司 Software-defined router and data forwarding method based on the software-defined router

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6614809B1 (en) * 2000-02-29 2003-09-02 3Com Corporation Method and apparatus for tunneling across multiple network of different types
CN1759558A (zh) * 2003-03-10 2006-04-12 汤姆森特许公司 Identity mapping mechanism in WLAN access control using a common authentication server
CN1780294A (zh) * 2004-11-26 2006-05-31 中兴通讯股份有限公司 Method for implementing a virtual private network based on PPP over Ethernet
CN1787485A (zh) * 2004-12-08 2006-06-14 日立通讯技术株式会社 Packet transfer apparatus and communication network
WO2007033519A1 (fr) * 2005-09-20 2007-03-29 Zte Corporation Method for dynamically updating a virtual private communication network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100391180C (zh) * 2003-10-30 2008-05-28 华为技术有限公司 Method for binding hardware addresses to ports on an Ethernet Layer 2 switching device
CN100508520C (zh) * 2004-06-03 2009-07-01 华为技术有限公司 Method for implementing a Layer 2 virtual private network based on VLANs

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHEN D. ET AL.: "Research on L2Tp Tunnel Switching", JOURNAL OF CHANGZHOU INSTITUTE OF TECHNOLOGY, vol. 18, no. 5, October 2005 (2005-10-01), pages 9 - 13 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019223466A1 (fr) * 2018-05-21 2019-11-28 华为技术有限公司 Communication method and device
CN110519171A (zh) * 2018-05-21 2019-11-29 华为技术有限公司 Communication method and device
CN110519171B (zh) * 2018-05-21 2021-02-12 华为技术有限公司 Communication method and device
US11277479B2 (en) 2018-05-21 2022-03-15 Huawei Technologies Co., Ltd. Communication method and communications device
US11652889B2 (en) 2018-05-21 2023-05-16 Huawei Technologies Co., Ltd. Communication method and communications device
CN111262939A (zh) * 2020-01-17 2020-06-09 实地地产集团有限公司 Edge computing node communication method, apparatus, computer device and storage medium
CN111262939B (zh) * 2020-01-17 2023-03-28 珠海市横琴盈实科技研发有限公司 Edge computing node communication method, apparatus, computer device and storage medium
CN113595847A (zh) * 2021-07-21 2021-11-02 上海淇玥信息技术有限公司 Remote access method, system, device and medium
CN113595847B (zh) * 2021-07-21 2023-04-07 上海淇玥信息技术有限公司 Remote access method, system, device and medium
CN115834529A (zh) * 2022-11-23 2023-03-21 浪潮智慧科技有限公司 Remote monitoring method and system for edge devices
CN115834529B (zh) * 2022-11-23 2023-08-08 浪潮智慧科技有限公司 Remote monitoring method and system for edge devices

Also Published As

Publication number Publication date
CN101309284B (zh) 2012-09-05
CN101309284A (zh) 2008-11-19

Similar Documents

Publication Publication Date Title
WO2008138274A1 (fr) Method, corresponding device and system for accessing a remote service
CN102572830B (zh) Terminal access authentication method and customer premises equipment
CN104506670B (zh) Method, device and system for establishing an online game connection
US7542455B2 (en) Unlicensed mobile access (UMA) communications using decentralized security gateway
JP4648148B2 (ja) Connection support apparatus
WO2008006317A1 (fr) System and method for multi-service access
US20110173678A1 (en) User and Device Authentication in Broadband Networks
CN103052064B (zh) Method, device and system for accessing an operator's own services
JP2008518533A (ja) Method and system for transparently authenticating a mobile user to access web services
US20090043891A1 (en) Mobile WiMax network system including private network and control method thereof
WO2013056585A1 (fr) Virtual private cloud access authentication method and corresponding apparatus
CN101160887A (zh) Wireless access method, apparatus and system
WO2011041967A1 (fr) Anonymous communication method, registration method, and method and system for sending and receiving information
WO2009049557A1 (fr) Communication method, system and device based on authentication conversion
WO2007000120A1 (fr) System, method and access server for authentication
WO2014176964A1 (fr) Communication management method and communication system
CN102316548A (zh) Information transfer method and system
WO2009012675A1 (fr) Access network gateway, terminal, method and system for establishing a data connection
CN103634171A (zh) Dynamic configuration method, apparatus and system
JP4253569B2 (ja) Connection control system, connection control device and connection management device
JP2008160709A (ja) Computer system
WO2009082910A1 (fr) Network configuration method and device for a user terminal
WO2009094910A1 (fr) Method, system and apparatus for fixed-mobile convergence
WO2009012729A1 (fr) Network access authentication conversion method, system and device
US7698384B2 (en) Information collecting system for providing connection information to an application in an IP network
US7698384B2 (en) Information collecting system for providing connection information to an application in an IP network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08748569

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08748569

Country of ref document: EP

Kind code of ref document: A1
