Design and implementation of IPoE-based IPv4/IPv6 dual-stack admission authentication for campus networks

Information Technology Center, Tsinghua University, Beijing 100084

authentication, authorization and accounting; IPv4/IPv6 dual-stack admission control; network security; campus network

IPoE based campus network IPv4/IPv6 dual-stack admission control design and implementation
MA Yunlong, ZHANG Qianli, LI Fenghua, JIANG Caiping, PAN Li, and MENG Bin

Information Technology Center, Tsinghua University, Beijing 100084, P. R. China

authentication, authorization and accounting (AAA); dual-stack admission control; network security; campus network

DOI: 10.3724/SP.J.1249.2020.99001


The continuing growth of campus networks has increased the security risks they face. Most current AAA authentication is deployed only at the campus network egress and cannot enforce admission control at the access layer; as a result, dynamically allocated IP addresses are used less efficiently and users may evade traffic accounting. To achieve admission authentication for the IPv4/IPv6 dual-stack network in an existing large-scale campus network, the Tsinghua University campus network designed and deployed IPoE-based dual-stack admission authentication. IPoE is an access authentication method: in an IPoE service, users attach over an Ethernet physical link, obtain IP addresses dynamically via DHCP, and can be authenticated by several user identity verification methods. IP packets, once encapsulated in Ethernet at the user access device, traverse the access network to the BRAS. On receiving the client's DHCP Request message, the BRAS looks up the user's address allocation information by the client hardware address carried in the message and the current VLAN ID. For the diverse application scenarios under unified IPv4/IPv6 coordination, this work designs session-level IPoE, in which the configuration templates on the interfaces of the different protocol stacks submit different control-policy accounts to the AAA server, meeting the complex requirements of multiple user types and scenarios. Against the security risks of a large campus network, it designs a multi-role linkage among the BRAS, the AAA server and the DHCP server so that only authorized users can obtain addresses, avoiding the unmanageable security risks introduced by unauthenticated users. Against the high load of a large-scale deployment, a webportal redirect whitelist configured on the BRAS reduces the load on the webportal servers. Actual deployment shows that the dual-stack admission authentication system meets its design goals and runs stably.

With the expansion of campus networks, various security risks have appeared. Most campus networks have implemented AAA but seldom admission control, which decreases the efficiency of dynamic IP address allocation and makes it possible for users to evade traffic billing. To realize admission control of the IPv4/IPv6 dual-stack network in a large-scale campus network, we design and implement IPoE-based dual-stack admission control for the campus network of Tsinghua University. In IPoE, users attach over an Ethernet physical link and obtain IP addresses by DHCP; authentication is achieved through a variety of user authentication methods. IP packets are encapsulated in Ethernet and pass through the access network to the BRAS devices. After receiving the client's DHCP Request message, the BRAS finds the user's address assignment information based on the client hardware address and the current VLAN ID. Our main contributions are: for the various application scenarios under a unified IPv4/IPv6 network, session-level IPoE is proposed, and with different configuration templates for the different protocol stacks, different control-policy accounts are submitted to the AAA servers to meet multi-type, multi-scenario requirements; to deal with the risks in a large-scale campus network, the BRAS, AAA server and DHCP server cooperate so that only authorized users are permitted to obtain addresses, thus avoiding the security threats from unauthorized users; to cope with the high load under large-scale deployment, a webportal redirect whitelist configured on the BRAS side reduces the load on the webportal servers. Actual deployment shows that the dual-stack admission control system has achieved its design objectives and runs stably.
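The three-role linkage (BRAS looks up the session by client MAC and VLAN ID, asks AAA for a stack-specific account, and the DHCP server hands out an address only when that authorization succeeds) together with the portal redirect whitelist, both described in the abstracts above, as an added toy model in Python. This is illustrative code, not the paper's or the Tsinghua deployment's implementation; the class names, the per-stack account suffixes, the address pools, the whitelist hosts and the client MACs are all constructed assumptions.

```python
"""Toy model of the BRAS / AAA / DHCP linkage and the portal whitelist.

Added illustration, not the Tsinghua implementation: class names, the
per-stack account suffixes, the address pools, the whitelist entries and
the client MACs below are all constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed AAA state: MAC -> (username, has completed portal login).
AAA_DB = {
    "00:11:22:33:44:55": ("alice", True),
    "66:77:88:99:aa:bb": ("bob", False),   # attached but never logged in
}

# Assumed per-stack configuration templates: the abstract says each
# protocol stack's template submits its own control-policy account to AAA.
STACK_TEMPLATES = {
    "ipv4": {"account_suffix": "@v4", "pool": "10.0.0.0/24", "first_host": 10},
    "ipv6": {"account_suffix": "@v6", "pool": "2001:db8::/64", "first_host": 0x10},
}

# Constructed whitelist: hosts an unauthenticated client may reach without
# being redirected to the portal (the portal itself and its dependencies).
PORTAL_WHITELIST = {"portal.example.edu", "ntp.example.edu"}


@dataclass
class Session:
    """One BRAS session, keyed on (client hardware address, VLAN ID)."""
    mac: str
    vlan: int
    username: Optional[str] = None
    authorized: bool = False
    addresses: Dict[str, str] = field(default_factory=dict)  # stack -> address


class AAAServer:
    """Authorizes a stack-specific account derived from the user's identity."""

    def __init__(self, db: Dict[str, tuple]):
        self.db = db

    def authorize(self, mac: str, stack: str) -> Optional[str]:
        username, logged_in = self.db.get(mac, (None, False))
        if not logged_in:
            return None
        return username + STACK_TEMPLATES[stack]["account_suffix"]


class DHCPServer:
    """Hands out the next free address of a pool, but only for authorized sessions."""

    def __init__(self):
        self.next_host = {s: t["first_host"] for s, t in STACK_TEMPLATES.items()}

    def allocate(self, stack: str, authorized: bool) -> Optional[str]:
        if not authorized:
            return None  # unauthenticated clients get no lease at all
        pool = ip_network(STACK_TEMPLATES[stack]["pool"])
        addr = pool[self.next_host[stack]]
        self.next_host[stack] += 1
        return str(addr)


class BRAS:
    """Looks up the session by (MAC, VLAN) and coordinates AAA and DHCP."""

    def __init__(self, aaa: AAAServer, dhcp: DHCPServer, whitelist):
        self.aaa, self.dhcp, self.whitelist = aaa, dhcp, set(whitelist)
        self.sessions: Dict[tuple, Session] = {}

    def handle_dhcp_request(self, mac: str, vlan: int, stack: str) -> Optional[str]:
        """Process a client's DHCP Request; return the assigned address or None."""
        sess = self.sessions.setdefault((mac, vlan), Session(mac, vlan))
        account = self.aaa.authorize(mac, stack)
        sess.authorized = account is not None
        if account is not None:
            sess.username = account.split("@")[0]
        addr = self.dhcp.allocate(stack, sess.authorized)
        if addr is not None:
            sess.addresses[stack] = addr
        return addr

    def should_redirect(self, url: str) -> bool:
        """Redirect an unauthenticated client's HTTP request to the portal
        unless the destination host is on the whitelist."""
        host = urlsplit(url).hostname
        return host not in self.whitelist


def build_bras() -> BRAS:
    """Wire the three roles together with the constructed sample data."""
    return BRAS(AAAServer(AAA_DB), DHCPServer(), PORTAL_WHITELIST)


if __name__ == "__main__":
    bras = build_bras()
    print(bras.handle_dhcp_request("00:11:22:33:44:55", 100, "ipv4"))  # 10.0.0.10
    print(bras.handle_dhcp_request("00:11:22:33:44:55", 100, "ipv6"))  # 2001:db8::10
    print(bras.handle_dhcp_request("66:77:88:99:aa:bb", 100, "ipv4"))  # None
    print(bras.should_redirect("http://www.example.com/"))             # True
```

The point the model makes is the ordering: the DHCP server never consults its pool before the BRAS has obtained an authorization from AAA for the specific stack, so a client that has not completed login is known to the BRAS as a session but holds no IPv4 or IPv6 lease, and the same physical client on a different VLAN is a separate session. How an unauthenticated client reaches the portal in the first place, and how the redirect whitelist is populated, are not specified in the abstract and are left out of the model.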
