IPoE Access: About This Chapter
5 IPoE Access
IPoEv4
• Definition
In an IP over Ethernet (IPoE) scenario, a PC is connected to an Ethernet interface of a
BRAS through a Layer 2 device (such as a LAN switch). When the PC accesses the IPv4
network, the user's IP packet is encapsulated into an IPoE packet on the Ethernet interface.
The IPoE packet is forwarded to the BRAS through the Layer 2 device. The BRAS then
authenticates the user and authorizes user services based on physical or logical
information carried in the IPoE packet, such as the MAC address, VLAN ID, and Option
82 (line information).
• Purpose
Compared with Point-to-Point Protocol over Ethernet (PPPoE), IPoE is easy to use and
does not need any client dial-in software.
In addition, IPTV or PPPoE access can no longer meet customers' new requirements,
especially for new services that need to be deployed with multicast. IPoE is an access
technology that can meet the requirements of multiple services.
• Benefits
IPoE offers the following benefits to carriers:
– IPoE is a simple method of accessing the Internet, and does not need any client
dial-in software.
– IPoE is an economical method of accessing the Internet, and does not need any user
device (such as a modem) at the client.
– IPoE is an access method that facilitates the deployment of multicast services. It
provides users with value-added services, such as IPTV, NGN telephone, and broad
vision.
IPoE offers the following benefits to users:
– IPoE is easy to use. After connecting the PC to the Internet, a user can access the
Internet directly after the computer is started.
IPoEv6 Access
• Definition
IPv6 over Ethernet (IPoEv6) access refers to the access mode in which users access a
BRAS by sending Dynamic Host Configuration Protocol for IPv6 (DHCPv6) packets,
Neighbor Discovery (ND) packets, or IPv6 packets. In IPoEv6 access mode, users can
directly access the Internet using Web browsers, without having to install client dial-in
software on their PCs.
An IPoE dual-stack user can have both an IPv4 address and an IPv6 address. The IPoE
dual-stack access is the combination of the IPoE access and the IPoEv6 access. An IPoE
dual-stack user obtains an IPv4 address through IPoEv4 and an IPv6 address through
IPoEv6; however, during this process, the user is authenticated only once.
IPv6, also called IP Next Generation (IPng), is the second-generation standard network
layer protocol. As a set of specifications defined by the Internet Engineering Task Force
(IETF), IPv6 is the upgraded version of IPv4. The most obvious difference between IPv4
and IPv6 is that IPv4 addresses are 32 bits long whereas IPv6 addresses are 128 bits long.
IPv6 address autoconfiguration has two modes, stateful address autoconfiguration and
stateless address autoconfiguration. IPv4 has only one address assignment mode, the
DHCP mode.
In stateless address autoconfiguration mode, a user running ND sends a Router
Solicitation (RS) message to a neighboring router. After receiving the RS message, the
router assigns an IPv6 prefix to the user through a Router Advertisement (RA) message.
In stateful address autoconfiguration mode, a DHCPv6 client sends an Information-Request
message containing the IPv6 address and information about the DNS server to the
DHCPv6 server. After receiving the message, the DHCPv6 server replies with the
required configuration information according to its policy.
• Purpose
With the development of the Internet, the shortage of IPv4 address space has become
increasingly serious. IPv6 solves the problem of IP address exhaustion. With the
development of the IPv6 Internet, users need to obtain IPv6 addresses to access
network resources.
According to the number of access users, IPoE access has the following modes:
• Individual Users
Individual users log in to the BRAS through Layer 2 or Layer 3 network. Each individual
user has independent service attributes. The BRAS authenticates and charges each
individual user separately.
• Leased-line Users
Leased-line users are a group of users that access the Internet using a Layer 2 or Layer 3
network, including Layer 2 and Layer 3 leased-line users. These users share a service
attribute for unified authentication and accounting.
– Layer 2 leased line access
The networking mode for Layer 2 leased line access is the same as that for common
IPoX access, and the packets that reach the BRAS are of three types: IPoE,
IPoEoVLAN, and IPoEoQ. The only difference is that the BRAS handles the Layer
2 leased line service in a different manner.
– Layer 3 leased line access
A user PC is connected to the BRAS through a Layer 3 switch. The packets that
reach the BRAS are of three types: IPoE, IPoEoVLAN, and IPoEoQ.
IP addresses of IPoE access users can be either statically configured on the client or
statically/dynamically assigned. The configuration of the DHCP server determines whether
the server assigns IP addresses statically or dynamically.
However, DHCP and ARP do not natively support functions such as user authentication, link
establishment, and link monitoring. Therefore, IPoE uses extension functions to provide
them.
• Authentication: Unlike PPP packets, DHCP or ARP packets cannot carry authentication
information such as user names or passwords. Hence, IPoE adopts bind authentication,
Web authentication, or fast authentication.
Bind authentication refers to the authentication mode in which a user is authenticated
according to physical information about the user connection. When this mode is adopted,
users do not need to enter the user names or passwords. Instead, the BRAS generates
user names according to the Option 82 value, MAC address, and IP address and sends
the user names together with the default passwords configured on the BRAS to the
authentication server. Only the users who pass authentication are considered legal and
are assigned IP addresses.
Web authentication refers to the authentication mode in which a user who has obtained
an IP address through DHCP or static configuration accesses the authentication page of a
web server and enters the user name and password for authentication.
Fast authentication refers to the authentication mode in which a user accesses the
authentication page of a web server and submits an authentication request without
entering the user name or password. Fast authentication is a combination of Web
authentication and bind authentication.
• Link establishment: Forwarding entries are created for IPoE access users. Only the
traffic of a user who passes authentication and obtains an IP address can be forwarded.
• Link monitoring: The system detects the link of an IPoE access user through ARP
probes. If the system detects that the number of link failures exceeds the pre-set number,
the system considers that the user has gone offline. In this case, the system takes back the
IP address from the user and deletes the forwarding entry.
Concepts
Web authentication, also called portal authentication, is classified as proactive web
authentication or mandatory web authentication.
• Proactive web authentication: A user accesses the authentication page of a web server
and enters and submits the username and password. After obtaining the username and
password, the web server sends them to the BRAS. The BRAS then exchanges messages
with the RADIUS server to complete user authentication.
• Mandatory web authentication: A user attempts to access other extranet resources using
HTTP and is forcibly redirected to the web authentication page to enter and submit the
username and password. After obtaining the username and password, the web server
sends them to the BRAS. The BRAS then exchanges messages with the RADIUS server
to complete user authentication.
As shown in Figure 5-3, the user accesses other extranet resources through HTTP and is
forcibly redirected to the web authentication page by the BRAS. The user can access only the
web authentication page in the web pre-authentication domain. If the user passes the
authentication after entering the username and password on the page, the user is switched to
the web authentication domain and can access network resources.
The following describes the authentication process for the first and subsequent Internet
access.
Because a user does not need to enter the username and password again for Internet access after the first
access, you need to control access rights of terminals accordingly.
in the system. The username can be in either of the following formats: pure username+domain
name delimiter+domain name (if the system is configured to place the domain name behind
the domain name delimiter) or domain name+domain name delimiter+pure username (if the
system is configured to place the domain name before the domain name delimiter).
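As an added example (not code from the original documentation), the following Python parses a DHCPv4 DISCOVER the way a BRAS would for bind authentication: it extracts the chaddr MAC, giaddr and the Option 82 circuit-id/remote-id, then builds the username in both domain-name layouts described above. The sample packet is constructed; the pure-username layout (MAC plus circuit-id), the "@" delimiter and the refusal when Option 82 is absent are assumptions of this example.

```python
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])


def build_sample_discover() -> bytes:
    """Constructed DHCPv4 DISCOVER (not a capture): chaddr plus an Option 82
    block with circuit-id (sub-option 1) and remote-id (sub-option 2)."""
    mac = bytes.fromhex("001122334455")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 1, 0x1234ABCD, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, bytes([10, 0, 0, 1]),
                        mac.ljust(16, b"\0"))
    fixed += b"\0" * 64 + b"\0" * 128 + MAGIC_COOKIE      # sname, file, cookie
    opt82 = bytes([1, 12]) + b"eth0/1/1:100" + bytes([2, 5]) + b"OLT-A"
    opts = bytes([53, 1, 1]) + bytes([82, len(opt82)]) + opt82 + bytes([255])
    return fixed + opts


def _tlv(buf: bytes) -> dict:
    """Decode a type-length-value list (DHCP options or Option 82 sub-options)."""
    out, i = {}, 0
    while i + 1 < len(buf):
        code = buf[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option carries no length byte
            i += 1
            continue
        length = buf[i + 1]
        out[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_discover(pkt: bytes) -> dict:
    """Return the fields bind authentication relies on: MAC, giaddr, Option 82."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    hlen = pkt[2]
    mac = pkt[28:28 + hlen].hex()
    giaddr = ".".join(str(b) for b in pkt[24:28])
    opts = _tlv(pkt[240:])
    line = _tlv(opts[82]) if 82 in opts else {}
    return {"mac": mac, "giaddr": giaddr, "msg_type": opts.get(53, b"")[:1],
            "circuit_id": line.get(1, b"").decode(errors="replace"),
            "remote_id": line.get(2, b"").decode(errors="replace")}


def bind_username(info: dict, domain: str, delimiter: str = "@",
                  domain_first: bool = False) -> str:
    """Derive the bind-authentication username. The pure-username layout
    (MAC + circuit-id) is an assumption of this example; the two domain
    placements follow the formats the text describes."""
    if not info["circuit_id"]:
        # Without line information the user cannot be tied to a port, so refuse
        # rather than fall back to the MAC address alone.
        raise ValueError("Option 82 circuit-id missing; cannot bind user")
    pure = f"{info['mac']}-{info['circuit_id']}"
    return f"{domain}{delimiter}{pure}" if domain_first else f"{pure}{delimiter}{domain}"
```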
Figure 5-8 Networking diagram of local address allocation for Layer 2 access users
A DHCP access user can obtain an IP address from a remote DHCP server. In this case,
the BRAS performs only user authentication, authorization, accounting, and forwarding
control but does not manage IP addresses. The BRAS forwards the DHCP packet from a
user to the remote DHCP server and sends the reply from the DHCP server to the DHCP
client. Figure 5-10 shows the address allocation process through a remote DHCP server.
Figure 5-10 Networking diagram of remote address allocation for a Layer 2 access user
By applying a remote address pool in a domain, the BRAS can have the remote DHCP
server allocate an address to an access user. A remote address pool does not contain
any IP addresses but points to the corresponding DHCP server. When a remote address
pool is used, the BRAS either sends a DHCP Request packet on behalf of the user to apply
for an IP address from the DHCP server or to extend the address lease, or relays the DHCP
Request packet from the user.
A remote address pool can be bound to a DHCP server group. You can configure a
maximum of two DHCP servers in each DHCP server group. If two DHCP servers are
configured, they can work either in master/slave mode or in load balance mode. By
default, the two DHCP servers work in master/slave mode.
– In master/slave mode, the master and slave DHCP servers are determined based on
the sequence in which they are added to a DHCP server group. The DHCP server
added earlier is the master and the DHCP server added later is the slave. During IP
address assignment, the master server is used preferentially to assign IP addresses.
If the addresses in the address pool bound to the master DHCP server are used up,
the slave DHCP server is used.
– In load balancing mode, the two DHCP servers assign IP addresses based on
weights. The weight of each DHCP server is configured when the server is added to
a DHCP server group. For example, if 100 users apply for IP addresses and server A
and server B have weights of 60 and 40 respectively, server A allocates 60 IP
addresses and server B allocates 40 IP addresses.
– In polling mode, the BRAS sends request packets to all servers and selects the
server that responds first. Subsequent packets, except for the discover and select
request packets, are sent only to the selected server.
• A Layer 3 access user adopting Web authentication:
The BRAS does not know the MAC address of a user accessing the network through a
Layer 3 device. Therefore, the BRAS does not allocate an IP address to a user who
adopts Web authentication; the Layer 3 device allocates the IP address to the user.
After receiving an IP packet from a Layer 3 user, the BRAS checks whether it supports
the Layer 3 user. If yes, the BRAS allows the user to perform Web authentication. After
the client visits the web page and submits the user name and password, the Layer 3 user
can access the network if it passes authentication.
Figure 5-12 shows the networking diagram of Layer 3 access users adopting Web
authentication.
Figure 5-12 Networking diagram of Layer 3 access users adopting Web authentication
In the situation that a user accesses the network through a Layer 3 device, a Layer 3
device acts as a DHCP relay agent and relays the DHCP packet from the client to the
BRAS. After authenticating the user, the BRAS allocates an idle IP address to the user
according to the giaddr field. Alternatively, the RADIUS server can allocate an IP
address to the user and send the DHCP Response packet to the client.
Figure 5-13 shows the networking diagram of Layer 3 access users adopting Web
authentication.
The address pool selection mode for Layer 3 access is different from that for Layer 2
access. For a Layer 2 access user, the address pool searched is in the domain to which the
user belongs. For a Layer 3 access user, the address pool of the same gateway IP address
is searched according to the giaddr field in the DHCP packet. This ensures that the
allocated address is on the same network segment with the gateway IP address.
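The DHCP server group selection rules described earlier (master/slave by order of addition, with the slave used once the master's pool is exhausted, and load balancing by configured weights), modelled in Python as an added example rather than the BRAS implementation. The class name, the per-server free-lease counters and the deficit-based weighting rule are assumptions of this example; polling mode is not modelled.

```python
from fractions import Fraction
from typing import Dict, List, Optional


class DhcpServerGroup:
    """Selects the DHCP server a remote address pool forwards a request to.
    Example model only; the BRAS's internal logic is not on the page."""

    def __init__(self, mode: str = "master/slave") -> None:
        if mode not in ("master/slave", "load-balance"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.servers: List[str] = []      # order of addition: first = master, second = slave
        self.weights: Dict[str, int] = {}
        self.free: Dict[str, int] = {}    # free leases per server (assumed bookkeeping)
        self.assigned: Dict[str, int] = {}

    def add(self, name: str, weight: int = 1, free_leases: int = 0) -> None:
        if len(self.servers) == 2:
            raise ValueError("a DHCP server group holds at most two servers")
        self.servers.append(name)
        self.weights[name] = weight
        self.free[name] = free_leases
        self.assigned[name] = 0

    def pick(self) -> Optional[str]:
        """Return the server that handles the next address request, or None
        when both pools are exhausted."""
        candidates = [s for s in self.servers if self.free[s] > 0]
        if not candidates:
            return None
        if self.mode == "master/slave":
            # The master (added first) is preferred; the slave is used only
            # once the master's pool has no free addresses left.
            chosen = candidates[0]
        else:
            total = sum(self.weights.values())
            k = sum(self.assigned.values()) + 1       # this is the k-th request
            # Largest shortfall against the weight-proportional target k*w/W wins.
            # Exact fractions avoid float ties; remaining ties go to the earlier server.
            chosen = max(
                candidates,
                key=lambda s: (Fraction(k * self.weights[s], total) - self.assigned[s],
                               -self.servers.index(s)),
            )
        self.assigned[chosen] += 1
        self.free[chosen] -= 1
        return chosen


def simulate(group: DhcpServerGroup, requests: int) -> Dict[str, int]:
    """Run a number of address requests and report how many each server served."""
    for _ in range(requests):
        group.pick()
    return dict(group.assigned)
```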
passes through the leased line and the BRAS restricts the bandwidth of the leased line in
a unified manner.
Figure 5-16 shows Layer 2 VPN leased line access.
Figure 5-20 Networking diagram for access of a Layer 2 IPv6 user running ND
The PC and the BRAS need to support basic IPv6 functions. If the M flag on the access
interface of the BRAS is set to 0, the BRAS assigns an address to the user connected through
that interface in stateless address configuration mode. In this case, binding authentication
needs to be configured on the interface, and the IPv6 prefix pool and the IPv6 address pool
need to be configured on the BRAS. In addition, other user access configurations need to be
performed on the BRAS.
authenticates the user. If the message sent by the user is an RS message and the user passes
the authentication, the BRAS sends an RA message containing an IPv6 prefix to the user. If
the message sent by the user is a DHCPv4 Discovery message and the user passes the
authentication, the BRAS assigns an IPv4 address to the user. The user can then access the
corresponding network by using the obtained address.
After receiving an RS message or a DHCPv4 Discovery message from a user that has been
authenticated, the BRAS assigns an address of another type to the user without authenticating
the user. After obtaining the address, the user can access the corresponding network by using
the address.
Figure 5-21 shows access of an IPv4/IPv6 dual-stack user running DHCPv4 and ND.
Figure 5-21 Networking diagram for access of a Layer 2 IPv4/IPv6 dual-stack user running
DHCPv4 and ND
The PC and the BRAS need to support the IPv4/IPv6 dual stack. Compared with the access of
an IPv6 user running ND, the related IPv4 configuration needs to be performed for the access
of an IPv4/IPv6 dual-stack user.
An IPv4/IPv6 dual-stack user supports Web authentication. After the user obtains an IPv4
address and an IPv6 address, the BRAS allows the user to access the Web server only. After
the user accesses the Web server with the IPv4 address and passes the Web authentication, the
BRAS allows the user to use the IPv4 address and the IPv6 address. Then, the user can access
the corresponding IPv4 and IPv6 networks.
Figure 5-22 Networking diagram for access of a Layer 2 IPv4/IPv6 dual-stack user running
DHCPv4 and DHCPv6
Both the PC and BRAS need to support dual-stack and DHCPv6. In comparison with Layer 2
IPv6 users running DHCPv6, Layer 2 IPv4/IPv6 dual-stack users running DHCPv4/DHCPv6
require IPv4 configurations. Similar to Layer 2 IPv4/IPv6 dual-stack users running DHCPv4
and ND, Layer 2 DHCPv4/DHCPv6 dual-stack users also support web authentication.
Access of a Layer 2 IPv6 User Running DHCPv6 to Log in from the Local Address Pool
To access the BRAS through a Layer 2 network, an IPv6 user sends an RS message to the
BRAS. The BRAS replies with an RA message with the M and O flags both set to 1. After
receiving the RA message from the BRAS, the user sends a DHCPv6 Solicitation message to
the BRAS. After receiving the DHCPv6 Solicitation message from the user, the BRAS
authenticates the user. If the user passes the authentication, the BRAS assigns an IPv6 address
to the user. Then, the user can access the corresponding network by using the IPv6 address.
Figure 5-23 Networking diagram for access of a Layer 2 IPv6 user running DHCPv6
In the access of a Layer 2 IPv6 user running DHCPv6, the PC and the BRAS need to support
DHCPv6. If the M flag on the access interface of the BRAS is set to 1, the BRAS assigns an
address to the user connected through that interface in stateful address configuration mode.
In this case, binding authentication needs to be configured on the interface, and the DHCPv6
DUID, IPv6 prefix pool, and IPv6 address pool need to be configured on the BRAS. In
addition, other user access configurations need to be performed on the BRAS.
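As an added example (not from the original documentation), the following Python builds a constructed ICMPv6 Router Advertisement with chosen M and O flags and a Prefix Information option, then reads the flags back the way a client would to decide between the stateless mode (M = 0, prefix taken from the RA) and the stateful mode (M = 1, DHCPv6 Solicit) described above. The O-only case (DHCPv6 Information-Request for other configuration) generalizes the text using the RFC 4861 flag semantics; the prefix 2001:db8:1::/64 and the lifetimes are constructed values.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3


def build_sample_ra(m: bool, o: bool, prefix: str = "2001:db8:1::", plen: int = 64) -> bytes:
    """Constructed ICMPv6 RA body (no IPv6 header, checksum left zero)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)           # M bit, O bit
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    # Prefix Information option: L (on-link) set; A (autonomous, i.e. SLAAC)
    # set only when addresses are not to come from DHCPv6.
    pflags = 0x80 | (0 if m else 0x40)
    opt = struct.pack("!BBBBIII16s", ND_OPT_PREFIX_INFO, 4, plen, pflags,
                      2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    return hdr + opt


def parse_ra(ra: bytes) -> dict:
    """Read the M/O flags and any advertised prefixes, and state what the
    client does next under the stateless/stateful rules."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    m, o = bool(ra[5] & 0x80), bool(ra[5] & 0x40)
    prefixes = []
    i = 16
    while i + 2 <= len(ra):
        otype, olen = ra[i], ra[i + 1] * 8            # length is in 8-octet units
        if olen == 0 or i + olen > len(ra):
            raise ValueError("malformed ND option")  # RFC 4861: discard the packet
        if otype == ND_OPT_PREFIX_INFO and olen == 32:
            plen, pflags = ra[i + 2], ra[i + 3]
            addr = ipaddress.IPv6Address(ra[i + 16:i + 32])
            prefixes.append((f"{addr}/{plen}", bool(pflags & 0x40)))  # (prefix, A flag)
        i += olen
    if m:
        step = "DHCPv6 Solicit"                 # stateful: address from the DHCPv6 server
    elif o:
        step = "DHCPv6 Information-Request"     # stateless address, other config via DHCPv6
    else:
        step = "SLAAC only"                     # stateless: prefix from the RA is enough
    return {"M": m, "O": o, "prefixes": prefixes, "next_step": step}
```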
Access of a Layer 2 IPv6 User Running DHCPv6 to Log in from the Remote Address Pool
To access the BRAS through a Layer 2 network, an IPv6 user sends an RS message to the
BRAS. The BRAS replies with an RA message with the M and O flags both being set to 1.
The user then sends a DHCPv6 Solicitation message to the BRAS. After receiving the
DHCPv6 Solicitation message, the BRAS authenticates the user. If the user is authenticated,
the BRAS provides the relay agent functionality. The user then uses an address allocated from
a remote server to access the network.
Figure 5-24 shows access of a Layer 2 IPv6 user running DHCPv6.
Figure 5-24 Networking diagram for access of a Layer 2 IPv6 user running DHCPv6
A remote IPv6 prefix pool, a remote IPv6 address pool, and a DHCPv6 server need to be
configured on the BRAS. This is different from the scenario where the address pool on the
BRAS is used to allocate an address to a user.
Figure 5-25 Networking diagram for access of a Layer 3 IPv6 user running DHCPv6
The PC, router, and BRAS need to support basic IPv6 functions and DHCPv6. The DHCPv6
relay function needs to be configured on the router, and the DHCPv6 DUID, IPv6 prefix pool,
and IPv6 address pool need to be configured on the BRAS. In addition, other user access
configurations need to be performed on the BRAS.
Figure 5-26 Networking diagram for access of Layer 2 IPv6 users using a routed home
gateway
In the scenario, both the home gateway and BRAS need to support DHCPv6-PD for IPv6
prefix allocation. The BRAS interface that provides access services for users must be
configured with binding authentication. A DHCPv6 DUID, an IPv6 prefix pool, an IPv6
address pool, and other user access settings must be configured on the BRAS.
obtain an IPv6 prefix and an IPv6 address from the BRAS. The home gateway assigns the
obtained IPv6 address to the WAN interface and allocates IPv6 addresses to the IPv6 PCs
based on the obtained IPv6 prefix.
Figure 5-27 Networking diagram for access of Layer 2 IPv6 users using a routed home
gateway
The BRAS needs to allocate both an IPv6 address and an IPv6 prefix to the home gateway in
numbered mode. This is different from the unnumbered mode. If addresses are to be allocated
from the local server, a delegation address pool and a local address pool need to be configured
on the BRAS. The delegation address pool is in charge of prefix allocation, and the local
address pool is in charge of address allocation.
Figure 5-28 Networking diagram for access of Layer 2 IPv6 users using a routed home
gateway
In the preceding scenario, both the home gateway and the BRAS must support DHCPv6
Prefix Delegation (DHCPv6-PD) for IPv6 prefix allocation. The home gateway can allocate
IPv6 addresses to the IPv6 PCs through ND or DHCPv6. The BRAS interfaces that allow
access to users must be configured with binding authentication. The BRAS must be
configured with the DHCPv6 DUID, IPv6 prefix pool, address pool, and other access
configurations.
Figure 5-29 Networking diagram for access of Layer 2 IPv4/IPv6 dual-stack users using a
routed home gateway
In the preceding scenario, both the home gateway and the BRAS must support IPv4/IPv6 dual
stack and DHCPv6-PD. In addition to the configurations for access of Layer 2 IPv6 users
through a routed home gateway, the related IPv4 configurations are required. Like IPv6 users,
IPv4/IPv6 dual-stack users support Web authentication.
Figure 5-31 Networking diagram for access of IPoEv6 users to a 6PE/6vPE network
ND Proxy
As shown in Figure 5-26, PC1 and PC2 belong to different VLANs and are both IPv6oE
users attached to the BRAS. To allow PC1 to communicate with PC2, you need to enable ND
proxy on the BRAS interfaces that connect to PC1 and PC2.
Figure 5-32 Schematic diagram of communication between users with the same prefix
through the BRAS
If PC1 and PC2 are connected to different interfaces of the BRAS, both interfaces must be
enabled with ND proxy; otherwise, the PCs cannot communicate with each other.
Terms

Term  Definition
NS    Neighbor Solicitation
NA    Neighbor Advertisement
PD    Prefix Delegation
RS    Router Solicitation
RA    Router Advertisement