1. Field of the Technology
The present disclosure relates to network access technology in the communications field, and more particularly to a network access method and system and a network connection device.
2. Background of the Disclosure
Interconnection technology between Internet Protocol (IP) networks has developed greatly. For example, in the initial period of the transition from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6), the IPv4 network is widely deployed, while IPv6 networks are scattered across the world and therefore exist as isolated “islands”. Dedicated lines could be used to interconnect these IPv6 islands, but that is clearly uneconomical. Instead, tunneling is commonly used: tunnels are created across the IPv4 network to interconnect the IPv6 islands. Tunnels established over the IPv4 network to connect IPv6 networks are referred to as IPv6 over IPv4 tunnels.
The existing IPv6 over IPv4 tunnel technology will be described briefly as follows.
A first border router and a second border router must both run dual IPv4/IPv6 protocol stacks. When the first border router receives a message from the first IPv6 network and the destination of the message is not the first border router itself, it treats the received IPv6 message as a payload and adds an IPv4 header to it, that is, it encapsulates the IPv6 message in an IPv4 message. The encapsulated tunnel message is transmitted across the IPv4 network to the peer second border router through the IPv6 over IPv4 tunnel. The second border router decapsulates the received tunnel message by removing the IPv4 header and forwards the decapsulated IPv6 message to the second IPv6 network.
Thus a network based on the IPv4 protocol and a network based on the IPv6 protocol can be interconnected through tunneling. Building on this basic tunneling technology, an automatic tunneling technology, the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), enables IPv4/IPv6 hosts located in the IPv4 network to access the IPv6 network.
ISATAP tunneling is an automatic IPv6 over IPv4 tunneling technology that establishes ISATAP tunnels between ISATAP-capable IPv4/IPv6 hosts (hosts that can access both the IPv4 and the IPv6 network) and ISATAP routers, so that IPv4/IPv6 hosts in the IPv4 network can access the IPv6 network.
The principles of the ISATAP tunneling technology will be described briefly in the following.
When an ISATAP tunnel is established, the IPv6 address must be in the ISATAP format, which has the following structure:
IPv6 Prefix (64 bits)::0000:5EFE:IPv4-Address.
When an IPv4/IPv6 host on the IPv4 network uses an IPv6 link-local address in the ISATAP format to send a router request message (a router solicitation) to the ISATAP router, the router request message must be encapsulated in an IPv4 message before it is sent to the ISATAP router. The ISATAP router responds with a router notification message (a router advertisement), which carries the global address prefix of the IPv6 network. The IPv4/IPv6 host combines the prefix provided by the ISATAP router with the interface identifier 0000:5EFE:IPv4-Address to obtain its global IPv6 address, and uses that global address to access the IPv6 network and hence IPv6 hosts on it.
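The address format and tunnel handling described above, as an added worked example in Python that is not code from this disclosure: it builds an ISATAP address from a 64-bit prefix and an IPv4 address, recovers the embedded IPv4 address, wraps an IPv6 message in an IPv4 header with protocol number 41, and on decapsulation drops any tunnel message whose outer IPv4 source does not match the IPv4 address embedded in the inner IPv6 source. The sample packets and addresses are constructed inline; the 0200:5EFE variant of the interface identifier, which RFC 5214 also permits, is accepted in addition to the 0000:5EFE form quoted above.

```python
"""ISATAP address construction, IPv6-in-IPv4 encapsulation and the decapsulation
source check.  Added illustration, not code from the disclosure; all packets and
addresses below are constructed sample data."""
import ipaddress
import struct
from typing import Optional

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 (6in4), used by ISATAP
# 0000:5EFE is the interface-identifier prefix quoted in the text; RFC 5214 also
# allows 0200:5EFE (universal/local bit set) when the IPv4 address is globally unique.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Build <64-bit prefix>::0000:5EFE:<IPv4>, the ISATAP format given in the text."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a 64-bit prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in an ISATAP address, or None if it is not one."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 32) not in ISATAP_IID_PREFIXES:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(outer_src: str, outer_dst: str, ipv6_packet: bytes) -> bytes:
    """Treat the IPv6 message as payload and prepend a 20-byte IPv4 header, protocol 41."""
    src = ipaddress.IPv4Address(outer_src).packed
    dst = ipaddress.IPv4Address(outer_dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, 64,
                      IPPROTO_IPV6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(packet: bytes) -> Optional[bytes]:
    """Strip the IPv4 header, or return None (drop) when a tunnel check fails.

    Besides protocol 41 and the header checksum, the decapsulating router checks that
    the outer IPv4 source equals the IPv4 address embedded in the inner IPv6 source.
    Without that check any host on the IPv4 network could push traffic through the
    tunnel under another host's ISATAP address.
    """
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 40:
        return None
    if packet[9] != IPPROTO_IPV6 or ipv4_checksum(packet[:ihl]) != 0:
        return None
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return None
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if embedded_ipv4(str(inner_src)) != outer_src:
        return None  # forged or non-ISATAP source: drop
    return inner


def sample_ipv6_packet(src6: str, dst6: str) -> bytes:
    """Constructed 40-byte IPv6 header with no payload (next header 59 = No Next Header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)


if __name__ == "__main__":
    host_v4 = "192.168.1.1"                       # sample host on the IPv4 network
    print("link-local:", isatap_address("fe80::/64", host_v4))
    global6 = isatap_address("2001:db8:1:2::/64", host_v4)  # prefix from the router
    print("global:", global6)
    inner = sample_ipv6_packet(str(global6), "2001:db8::1")
    tunnel = encapsulate(host_v4, "198.51.100.1", inner)      # router at 198.51.100.1
    print("genuine accepted:", decapsulate(tunnel) == inner)
    forged = encapsulate("192.168.1.2", "198.51.100.1", inner)
    print("spoofed dropped:", decapsulate(forged) is None)
```

Running the module prints the link-local and global ISATAP addresses for the sample host and shows a message whose outer IPv4 source disagrees with the embedded address being dropped. That comparison only stops a host from borrowing another host's ISATAP address; it says nothing about whether the user behind the address is permitted on the IPv6 network, which is the separate authentication question discussed below.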
It follows from the previous description that ISATAP tunneling can be used to enable a great number of host users on the IPv4 network to access the IPv6 network. In the application environment of the initial IPv6 period, when the IPv4 network is dominant, a great number of scattered IPv4 hosts can reach ISATAP routers, also referred to as ISATAP gateways, through ISATAP tunnels, and thereby access the IPv6 network.
For network interconnection technology based on different protocols, it is vital to maintain the security of network access. An authentication mechanism must be used to control which users of the IPv4 hosts may access the IPv6 network through the ISATAP tunnels; otherwise, the ISATAP access mode cannot be applied in large-scale deployment and operational supervision.
The aforementioned ISATAP gateway has an authentication, authorization, and accounting (AAA) mechanism, which provides a uniform framework for configuring the three security functions of authentication, authorization, and accounting. AAA realizes network security through access control in the following respects: which users can access the network, which services an authorized user can obtain, and how to account for a user's use of network resources.
The authentication of the AAA includes local authentication and remote authentication.
In local authentication, the user information (including the user name, password, and other attributes of a local user) is configured on the access server. Local authentication is fast and reduces operational cost.
For local authentication, attributes such as the address pool, user name, password, DNS server address, and Web authentication server address can be configured on the access server, and these attributes are used to authenticate the user information directly.
In remote authentication, authentication is performed by an authentication protocol and a remote authentication server. The most commonly used protocols are the Remote Authentication Dial In User Service (RADIUS) protocol and the Terminal Access Controller Access Control System (TACACS) protocol. When a user intends to establish a connection with an access server over the network in order to obtain the right to access another network or to use certain network resources, the access server authenticates the user or the corresponding connection. The access server is responsible for transferring the user's authentication information to the RADIUS or TACACS server. The RADIUS or TACACS protocol specifies how user information and accounting information are transferred between the access server and the RADIUS or TACACS server. The RADIUS or TACACS server receives the user's connection request, completes the authentication, and returns the configuration information required by the user to the access server.
Normally, an access protocol predefines the authentication attributes. For example, in a message based on the RADIUS protocol, the attribute format for transferring user information is as shown in FIG. 1, in which the Type value may be User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, or Login-TCP-Port. The data carried under each Type value represents the corresponding authentication information.
Currently, authentication for ISATAP tunnel access is realized through captive Portal authentication on the access network (corresponding to the IPv4 network), which is an indirect network access authentication method. Portal authentication is a common technique in which a Portal authentication server must be set up on the access network (the IPv4 network). When the user accesses the Internet, the user is directed to the Portal server with a standard WWW browser; a Web server authenticates the user according to the user's characteristic information on the IPv4 network (for example, the user's IPv4 address), and the user performs the authentication and selects relevant services on WWW pages. Only access network hosts (the IPv4/IPv6 hosts on the IPv4 network) that pass the authentication of the Portal authentication server can reach network connection devices such as the access gateway (the ISATAP router), and thus obtain the global address prefix of the network to be accessed returned by the network connection device. The access network hosts can then access the network to be accessed (the IPv6 network).
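The RADIUS attribute format referred to above (Type, Length, Value), as an added worked example in Python that is not part of the disclosure: it encodes and decodes attributes using the type numbers RFC 2865 assigns to the names listed, hides the User-Password attribute with the shared secret and the Request Authenticator as RFC 2865 specifies, and builds and parses an Access-Request of the kind an access server sends to a RADIUS server. The user name, password, shared secret, NAS address and Request Authenticator are constructed sample values.

```python
"""RADIUS attribute (Type, Length, Value) encoding, User-Password hiding and an
Access-Request round trip.  Added illustration following RFC 2865; not the
disclosure's code, and all values are constructed samples."""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1  # RADIUS Code for Access-Request
# Attribute type numbers assigned by RFC 2865 to the attribute names listed in the text.
ATTR = {
    "User-Name": 1, "User-Password": 2, "CHAP-Password": 3, "NAS-IP-Address": 4,
    "NAS-Port": 5, "Service-Type": 6, "Framed-Protocol": 7, "Framed-IP-Address": 8,
    "Framed-IP-Netmask": 9, "Framed-Routing": 10, "Filter-Id": 11, "Framed-MTU": 12,
    "Framed-Compression": 13, "Login-IP-Host": 14, "Login-Service": 15, "Login-TCP-Port": 16,
}
ATTR_NAME = {v: k for k, v in ATTR.items()}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 octet), Length (1 octet, counting the 2 header octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; a Length below 2 or past the end is rejected, not trusted."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad with NULs to 16-octet blocks and
    XOR each block with MD5(secret + previous output block), seeded by the Request
    Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, attrs: List[Tuple[int, bytes]],
                         authenticator: Optional[bytes] = None) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | attributes."""
    authenticator = authenticator or os.urandom(16)  # must be fresh for every request
    body = b"".join(
        encode_attr(t, hide_password(v, secret, authenticator) if t == ATTR["User-Password"] else v)
        for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes) -> Dict[str, object]:
    """Parse a RADIUS datagram.  Per RFC 2865 a Length larger than the datagram means
    discard; octets beyond Length are padding and ignored."""
    if len(packet) < 20:
        raise ValueError("datagram shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field %d inconsistent with datagram of %d octets" % (length, len(packet)))
    return {"code": code, "id": identifier, "authenticator": packet[4:20],
            "attrs": decode_attrs(packet[20:length])}


if __name__ == "__main__":
    secret = b"shared-secret"                     # constructed shared secret
    request = build_access_request(7, secret, [
        (ATTR["User-Name"], b"alice"),
        (ATTR["User-Password"], b"hunter2"),
        (ATTR["NAS-IP-Address"], b"\xc0\x00\x02\x01"),  # 192.0.2.1, the access server
    ])
    parsed = parse_packet(request)
    for attr_type, value in parsed["attrs"]:
        if attr_type == ATTR["User-Password"]:
            value = reveal_password(value, secret, parsed["authenticator"])
        print(ATTR_NAME.get(attr_type, attr_type), value)
```

The decoder checks every Length field before using it, because a zero or oversized Length in an attribute would otherwise loop forever or read past the datagram. The password hiding is a keyed XOR stream derived from MD5 and only conceals the password; it gives no integrity protection to the other attributes, and a Request Authenticator that repeats reuses the same keystream, so it must be unpredictable and unique per request as RFC 2865 requires.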
If this access network authentication method is used to enable the IPv4/IPv6 hosts on the IPv4 network to access the IPv6 network through ISATAP tunnels, a Portal authentication service must be set up in the IPv4 network, which imposes additional constraints on the networking.
To avoid the additional constraints that arise because a Portal authentication service must be set up in the access network, the prior art also provides another authentication method for tunnel-based network access, which relies purely on network protocol authentication on the network to be accessed (the IPv6 network). In detail, an IPv4/IPv6 host on the IPv4 network first accesses an ISATAP router and derives its global IPv6 address from the global address prefix of the IPv6 network returned by the ISATAP router. Then the layer 3 authentication technology of the IPv6 network is used to authenticate the host's global IPv6 address. If the authentication passes, the IPv4/IPv6 host can access the resources of the network to be accessed (the IPv6 network).
Although this method does not require a Portal authentication server in the IPv4 network, it authenticates the global IPv6 address of the host that wants to access the IPv6 network, so that address must be assigned to the host before authentication. That is, IPv4/IPv6 hosts on the IPv4 network obtain global IPv6 addresses even if they cannot pass the authentication on the IPv6 network, which poses a potential risk to network security.