[1] MA Yunlong, ZHANG Qianli, LI Fenghua, et al. IPoE based campus network IPv4/IPv6 dual-stack admission control design and implementation [J]. Journal of Shenzhen University Science and Engineering, 2020, 37(Suppl.1): 1-5. [doi:10.3724/SP.J.1249.2020.99001] (in Chinese)

IPoE based campus network IPv4/IPv6 dual-stack admission control design and implementation

Journal of Shenzhen University Science and Engineering [ISSN:1000-2618/CN:44-1401/N]

Volume: 37
Issue: 2020, Supplement 1
Pages: 1-5
Column: Next-generation Internet IPv6 technology
Publication date: 2020-11-20

Article information

Title:
IPoE based campus network IPv4/IPv6 dual-stack admission control design and implementation
Article number:
202099001
Authors:
MA Yunlong, ZHANG Qianli, LI Fenghua, JIANG Caiping, PAN Li, MENG Bin
Affiliation:
Information Technology Center, Tsinghua University, Beijing 100084, P.R.China
Keywords:
authentication, authorization and accounting (AAA); IPv4/IPv6 dual stack; admission control; network security; campus network
CLC number:
TP393
DOI:
10.3724/SP.J.1249.2020.99001
Document code:
A
Abstract (translated from the Chinese):
The continuous expansion of campus networks increases the security risks they face. Current AAA authentication is mostly confined to the campus network egress and cannot enforce admission control at the access layer; as a result, the utilization of dynamically allocated IP addresses decreases and users may evade traffic billing. To provide admission authentication for the IPv4/IPv6 dual-stack network of an existing large-scale campus network, the Tsinghua University campus network designed and implemented IPoE-based dual-stack admission authentication. IPoE is an access authentication method: in an IPoE service, users connect over an Ethernet physical link, obtain IP addresses dynamically via DHCP, and can be authenticated by a variety of user identity verification methods. After IP packets are encapsulated in Ethernet at the user access device, they traverse the access network and reach the BRAS device. On receiving the client's DHCP confirmation request packet, the BRAS looks up the user's address allocation information from the client hardware address in the packet and the current VLAN ID. For the diverse application scenarios under unified IPv4/IPv6 coordination, this study designs session-level IPoE technology, which submits different control-policy accounts to the AAA server through configuration templates on the interfaces of the different protocol stacks, meeting the complex requirements of existing multi-type, multi-scenario users. To address the security risks of large-scale campus networks, a multi-role linkage mechanism among the BRAS, AAA server and DHCP server is designed so that only authorized users can obtain addresses, avoiding the unmanageable security risks introduced by unauthenticated users. To address the high load on the system under large-scale deployment, a webportal redirection whitelist configured on the BRAS reduces the load on the webportal server. Actual deployment shows that the dual-stack admission authentication system has reached its design goals and runs stably.
Abstract (English, as published):
With the expansion of the campus network, various security risks have appeared. Most campus networks have implemented AAA, but seldom implemented admission control, which decreases the efficiency of dynamic allocation of IP addresses and makes it possible for users to avoid traffic billing. In order to realize the admission control of IPv4/IPv6 dual-stack network in large-scale campus network, we design and implement IPoE-based dual-stack admission control for the campus network in Tsinghua University. In IPoE, users can obtain IP address by DHCP with Ethernet physical link access. Authentication is achieved through a variety of user authentication methods. IP packets are encapsulated in Ethernet and pass through the access network to BRAS devices. BRAS devices find the user's address assignment information based on the client hardware address and the current Vlan ID after receiving the client's DHCP confirmation request message. Our main contributions include: for the various application scenarios under unified IPv4/IPv6 network, session-level IPoE technology is proposed; with the application of different configuration templates in different protocol stacks, various account control policies are submitted to AAA servers to achieve multi-type, multi-scenario requirements; to deal with the risk in large scale campus network, BRAS, AAA server and DHCP server cooperate to ensure that only authorized users are permitted to obtain addresses, thus avoiding the security threats from unauthorized users; to cope with the high load pressure under large-scale deployment, the whitelist of webportal configured on the BRAS side reduces the load on webportal servers. The actual deployment shows that the dual-stack access authentication system has achieved the design objectives and runs smoothly.

Memo:
Received: 2020-09-22
Foundation: National Key R&D Program of China (2017YFB0503703)
Corresponding author: Associate research fellow ZHANG Qianli. E-mail: zhang@cernet.edu.cn
Citation:MA Yunlong, ZHANG Qianli, LI Fenghua, et al. IPoE based campus network IPv4/IPv6 dual-stack admission control design and implementation[J]. Journal of Shenzhen University Science and Engineering, 2020, 37(Suppl.1): 1-5.(in Chinese)
Author biography: MA Yunlong (born 1972), senior engineer at Tsinghua University. Research interests: broadband authentication and accounting, large-scale e-mail systems.
E-mail: myl@tsinghua.edu.cn
Last Update: 2020-11-26