This invention relates to network address management for a telecommunications network, for example for Internet protocol (IP) address management for the Internet.
It has now become commonplace for systems dynamically to request their Internet protocol address (IP address) from a pool of addresses managed either by a Network Access Server (NAS) using the Remote Authentication Dial-In User (RADIUS) protocol or by servers using the Dynamic Host Configuration Protocol (DHCP).
As indicated, dynamic IP allocation is today based on one of two protocols, namely the Remote Authentication Dial-In User Protocol (RADIUS) and the Dynamic Host Configuration Protocol (DHCP). Information about RADIUS can be found, for example, in C. Rigney, A. Rubens, W. Simpson and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997. Information about DHCP can be found, for example, in R. Droms, "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
These two protocols are managed independently, with a separate pool of IP addresses being kept for each protocol. Where a remote client requests, either explicitly or implicitly, an IP address under RADIUS from a network access server, the network access server allocates an IP address from a RADIUS pool. Where a client on a LAN connected to a network access server requests an IP address from the network access server under DHCP, it allocates an IP address from the DHCP pool.
This conventional arrangement works in principle but it can be inefficient in its management of the IP addresses. This inefficiency is particularly true in an organisation where users may operate both on the local network and at a remote location requiring external access. One difficulty is the proliferation of IP addresses which results. Another possible area of difficulty is the maintenance of common access rights for a user when using local and remote sessions with different IP addresses.
An aim of the present invention is therefore to mitigate the problems identified above.
Particular and preferred aspects of the invention are set out in the accompanying independent and dependent claims. Combinations of features from the dependent claims may be combined with features of the independent claims as appropriate and not merely as explicitly set out in the claims.
In accordance with an aspect of the invention, there is provided a computer implemented method for network address allocation under first and second protocols, the method comprising the steps of:
maintaining a common network address pool as part of a directory service; and
responding to messages under at least one of the first and second protocols to cause the directory service to record an allocated network address.
Thus, in accordance with this aspect of the invention, a directory service maintains a common pool of available IP addresses for the two protocols and maintains a record of address allocations which can then be used for allocation of further IP addresses under either of the protocols. The identification of the IP addresses allocated to users and/or host names can be centralised. The record can be achieved, for example, by storing a network address allocated to a user at an entry for that user in a directory of the network service. The directory service can then retrieve an available network address from the directory of the directory service.
The responding step can comprise responding to an allocation request to initiate allocation of a network address. The allocation request can be either explicit or implicit. Where one of the protocols is, for example, RADIUS, an allocation request from a client can cause a server to allocate a network address. Where the protocol is RADIUS and the allocation is done at a client, an accounting message can cause the RADIUS server to record the network address. In this case the network address will be returned to the client.
In a preferred embodiment of the invention, the initiating step comprises sending an LDAP message from a protocol front end to the directory service.
Thus, the invention addresses for the first time the coexistence of these two protocols, and the management of common IP address pools. An embodiment of the invention bases the address pool management on an ISO/CCITT X.500 based directory service.
In particular, a preferred embodiment of the invention unifies the two protocols by using the same address pools and keeps maps between the IP addresses and the user/hosts information in the same ISO/CCITT X.500 based directory service using the Lightweight Directory Access Protocol (LDAP). Messaging can also be implemented using LDAP messages. The network address can be an IP address in an Internet implementation. The first and second protocols can be selected from DHCP and RADIUS, for example.
In accordance with a preferred aspect of the invention, there is provided a computer implemented method for IP address allocation under RADIUS and DHCP, the method comprising steps of:
a) receiving a request from a client for an IP address through at least one of RADIUS and DHCP;
b) sending the request to a directory service for an unused IP address;
c) returning a response to the client including an unused IP address allocated to the client; and
d) updating the directory service with the allocated IP address to hostname/user binding.
This method can include a subsequent step of:
e) de-allocating the IP address using accounting information on user logoff for RADIUS, or the lease time expiration for DHCP.
It is assumed in the above that the network address allocation is performed by the server. However, client based allocation is also possible in some environments. Thus, an embodiment of the invention can include listening to accounting messages to keep track of client based network address allocation.
An embodiment of the invention thus provides for the automatic updating of a directory to take account of changing network address allocations. In an embodiment of the invention, therefore, communication between a protocol front end (e.g., for RADIUS and/or DHCP) and a directory server includes the writing of information from the front ends to the directory. To date, the communication between a protocol front end and a directory server has been limited to read-only access for authentication purposes. An embodiment of the invention thus enables writing to a directory server to record in the directory the allocation of, for example, network access addresses.
Indeed, in accordance with another aspect of the invention, there is provided a computer implemented method for maintaining network access information in a directory of a directory service, comprising steps at the directory service of:
maintaining the directory; and
responding to write instructions from an access protocol server to change the network access information in the directory.
This method can also include the step of the access protocol server listening to accounting messages from a client and issuing such a write instruction to update the directory in response to network address allocation information in an accounting message.
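The following is an added illustration, not the patent's own code: an in-memory stand-in for the X.500/LDAP directory that holds the common pool, with a RADIUS front end and a DHCP front end allocating from it (steps a to e above) and the RADIUS front end also recording client-chosen addresses learned from accounting messages. The DN forms `uid=` and `macAddress=`, the lease handling and the conflict check on a claimed address are assumptions for the example.

```python
# Constructed example: a simulated directory standing in for the LDAP server.
from ipaddress import ip_address

class Directory:
    """Simulated directory: a pool of unused addresses plus one entry per user/host DN."""
    def __init__(self, pool):
        self.pool = sorted(pool, key=ip_address)   # unused addresses, lowest first
        self.entries = {}                          # dn -> {"ip", "protocol", "expires"}

    def allocate(self, dn, protocol, expires=None):
        """Server-based allocation: bind the lowest unused address to dn (steps b-d)."""
        if dn in self.entries:                     # user already holds an address: reuse it
            return self.entries[dn]["ip"]
        if not self.pool:
            return None                            # pool exhausted under either protocol
        ip = self.pool.pop(0)
        self.entries[dn] = {"ip": ip, "protocol": protocol, "expires": expires}
        return ip

    def record(self, dn, ip, protocol):
        """Client-based allocation reported in an accounting message: write the binding."""
        owner = next((d for d, e in self.entries.items() if e["ip"] == ip), None)
        if owner not in (None, dn):                # address already bound to someone else
            raise ValueError(f"{ip} already bound to {owner}")
        if ip in self.pool:
            self.pool.remove(ip)
        self.entries[dn] = {"ip": ip, "protocol": protocol, "expires": None}

    def release(self, dn):
        """De-allocation (step e): return the address to the common pool."""
        entry = self.entries.pop(dn, None)
        if entry:
            self.pool.append(entry["ip"])
            self.pool.sort(key=ip_address)

    def expire(self, now):
        """DHCP lease expiry: release every entry whose lease time has run out."""
        for dn in [d for d, e in self.entries.items()
                   if e["expires"] is not None and e["expires"] <= now]:
            self.release(dn)

def radius_access_request(d, user):
    """NAS front end: Access-Request -> Framed-IP-Address taken from the common pool."""
    return d.allocate(f"uid={user}", "RADIUS")

def radius_accounting(d, user, status, framed_ip=None):
    """Accounting Start carrying a client-chosen address records it; Stop releases it."""
    if status == "Start" and framed_ip:
        d.record(f"uid={user}", framed_ip, "RADIUS")
    elif status == "Stop":
        d.release(f"uid={user}")

def dhcp_request(d, mac, now, lease_seconds=3600):
    """DHCP front end: same pool, bound to the host with a lease expiry (seconds since epoch)."""
    return d.allocate(f"macAddress={mac}", "DHCP", expires=now + lease_seconds)
```

Because both front ends draw from one pool and one set of bindings, a user who appears first over DHCP and later over RADIUS keeps a single recorded address, and an accounting message claiming an address already bound to another entry is rejected rather than silently overwriting the binding.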
The network access information can comprise a network address (e.g., an IP address), for example, or also other information such as, for example, a calling ID (telephone number) of, for example, a client.
In accordance with a further aspect of the invention, there is provided a network address allocation mechanism for network address allocation under first and second protocols, the mechanism comprising a directory service controller configured to be operable to maintain a common network address pool and a protocol front end configured to be operable to respond to at least one of the first and second protocols to initiate recording of a network address allocation.
In an embodiment of the invention, the protocol front end is further configured to be operable to respond to an allocation request.
The invention also provides a computer program product on a carrier medium, the computer program product forming a mechanism for network address allocation under first and second protocols, the mechanism being configured to be operable to define a common network address pool and to record a network address allocation in response to messages under at least one of the first and second protocols.
Moreover, the invention provides a directory server operable to provide network address allocation under first and second protocols, the directory server comprising a directory service controller operable to:
maintain a common network address pool in a directory of the directory service; and
to respond to a message from a protocol front end for at least one of the first and second protocols to record a network address allocation in the directory.
The invention further provides a network address allocation mechanism configured to be responsive to a network address allocation request from a client to issue a request to a network access server under a directory access protocol to cause the network access server to return a network address for return to the client.
Moreover, the invention also provides a protocol server configured to be responsive to information from a client to cause updating of information in a directory of a directory service. For example, for protocol server-based protocol network address allocation, the protocol server can be responsive to a predetermined message or messages from the client under a directory access protocol to cause the network access server to return a network address for the client.