IPv6 stateless address configuration is a configuration method newly defined in the IPv6 protocol, by which flexible configuration of a terminal can be achieved and plug-and-play of a terminal device is made possible.
FIG. 1 shows a schematic view of an access network architecture supporting IPv6 user equipment, which comprises a plurality of user equipment (only user equipment 3 is shown for simplicity), an access device (or access node) 1 and a router 2. Access device 1 can be a layer 2 device with some layer 3 functionalities; a typical such device is an IP DSLAM (IP Digital Subscriber Line Access Multiplexer). Router 2 can be an IPv6 protocol-based edge router (IPv6 BRAS/Edge Router).
In standard IPv6 stateless configuration, user equipment 3 first generates a link-local address by itself, and then, taking that address as the source address, multicasts an address configuration message called a router solicitation (RS) via access device 1 to all routers 2 on the local link. Router 2 responds to the solicitation with a router advertisement (RA) message which contains an aggregatable global unicast address prefix and other relevant configuration information. User equipment 3 combines the global address prefix it receives via access device 1 from router 2 with an interface identifier generated by itself to generate a global address automatically. After duplicate address detection, user equipment 3 can communicate with other user equipment on the Internet. Using stateless configuration, the IP addresses of all hosts within a network can be changed without manual intervention.
However, IPv6 stateless configuration, which originated in open network applications, rests on the premise that neighboring nodes trust each other. Applying this mechanism directly in an access network causes security and scalability problems for the access network, especially for a layer 2 access device or an enhanced layer 2 access device with some layer 3 functionalities. A detailed description is given below.
Applying the standard IPv6 stateless configuration mechanism in an access network will cause the following problems:
1. Potential security problem: in stateless configuration, when multiple DSL lines share the same prefix, malicious user equipment could easily spoof IP addresses simply by taking the advertised prefix. It is almost impossible for access device 1 to support an anti-spoofing filter, since no address state information is maintained at access device 1.
2. Potential scalability problem: when access device 1 receives an RA from edge router 2, it has to relay this RA message to all DSL line users, because access device 1 has no knowledge of which DSL line the RA message is targeting. As the number of broadband users keeps increasing, relaying the RA message to all DSL line ports could cause performance problems which may eventually have a side effect on the scalability of access device 1.
In order to improve security and scalability, it is preferred that edge router 2 advertise a dedicated address prefix to each DSL line. Thus, 1) access device 1 could easily realize an IP address anti-spoofing filter by inspecting the prefix of a packet's source address, and 2) access device 1 could avoid the scalability problem by relaying the RA message from edge router 2 only to the particular DSL line.
The technical problem to be solved in the prior art is how to support such a configuration, allocating one address prefix for each DSL line, in a broadband access network employing a layer 2 access device with some layer 3 functionalities.
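As an added illustration (not the patent's own mechanism), the following Python model of access device 1 contrasts the two cases described above: an RA flooded to every DSL port with one shared prefix, versus a dedicated prefix relayed to a single DSL line, and the per-line anti-spoofing filter that only the second case makes possible. The line identifiers and prefixes are constructed sample values.

```python
import ipaddress


class AccessDevice:
    """Access device 1 modelled as a layer 2 device that keeps only one piece
    of layer 3 state: which IPv6 prefix was advertised on which DSL line.
    Constructed illustration, not the patent's implementation."""

    def __init__(self, lines):
        self.lines = list(lines)   # DSL line identifiers, e.g. "dsl1"
        self.line_prefix = {}      # line -> IPv6Network learned from an RA

    def relay_ra(self, prefix, target_line=None):
        """Relay an RA carrying `prefix`; return the lines it was sent to.
        target_line=None: standard stateless configuration, the device cannot
        tell which line the RA is for, so it floods every DSL port and all
        lines learn the same shared prefix.  Otherwise the edge router has
        advertised a dedicated prefix for one line, so only that port gets
        the RA and only that line records the binding."""
        net = ipaddress.IPv6Network(prefix)
        targets = list(self.lines) if target_line is None else [target_line]
        for line in targets:
            self.line_prefix[line] = net
        return targets

    def accept_upstream(self, line, src):
        """Anti-spoofing filter: accept an upstream packet only if its source
        lies within the prefix advertised on the line it arrived on."""
        net = self.line_prefix.get(line)
        return net is not None and ipaddress.IPv6Address(src) in net


def compare_modes(lines=("dsl1", "dsl2", "dsl3")):
    """Both deployments side by side, checked with a packet arriving on dsl2
    whose source address carries the prefix that belongs to dsl1.
    Returns (ports reached by one RA, foreign source accepted?) per mode,
    plus whether dsl2's own prefix is still accepted in dedicated mode."""
    shared = AccessDevice(lines)
    shared_ports = len(shared.relay_ra("2001:db8:1::/64"))
    shared_foreign_ok = shared.accept_upstream("dsl2", "2001:db8:1::a")

    dedicated = AccessDevice(lines)
    dedicated_ports = max(len(dedicated.relay_ra("2001:db8:%d::/64" % (i + 1), ln))
                          for i, ln in enumerate(lines))
    dedicated_foreign_ok = dedicated.accept_upstream("dsl2", "2001:db8:1::a")
    dedicated_own_ok = dedicated.accept_upstream("dsl2", "2001:db8:2::a")
    return (shared_ports, shared_foreign_ok,
            dedicated_ports, dedicated_foreign_ok, dedicated_own_ok)
```

With the shared prefix the RA reaches all three ports and the foreign-prefix source passes the filter; with a dedicated prefix each RA reaches one port and the same source is dropped while dsl2's own prefix is still accepted.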
In an existing layer 2 access network, both a VLAN-based cross-connect mode and a MAC address-based bridge mode can be employed for data forwarding. For the technical problem described above, one existing solution is that access device 1 operates in cross-connect mode, where a VLAN (virtual local area network) is configured to identify and separate traffic or information (e.g. RS messages) from different DSL lines. At IPv6-based edge router 2, the RA message containing a particular address prefix will be sent only to the DSL line identified by a certain VLAN. In cross-connect mode, no modification is needed in access device 1. Here, cross-connect mode means that the user's VLAN information can be maintained at the network side and different customers do not share the same VLAN identifier.
Since the number of VLAN identifiers is limited (an access network can support at most 1024 VLANs), it is impossible for an access network to support one VLAN identifier per DSL line when there are a large number of DSL lines in the access network. VLAN stacking is an alternative solution to the scalability problem of the standard VLAN solution; by using VLAN stacking, it is possible to scale up to 1024*1024 distinct VLANs. Unfortunately, VLAN stacking has not been standardized, and thus is not supported by all access devices and Ethernet equipment.
When access device 1 operates in bridge mode, DSL line identifiers cannot be transferred to the network side, so edge router 2 cannot correctly allocate a particular address prefix to each DSL line. Here, bridge mode means that, since the DSL line information of the user equipment cannot be maintained at the network side, it is impossible to effectively distinguish different user equipment.
The present invention is proposed to solve the aforesaid problems in the prior art.