Abstract
Embedding extensible user identities into IPv6 addresses not only makes it possible to trace user identity and exercise fine-grained control over user behavior, but also helps improve the security, auditability and credibility of the Internet. Existing schemes that embed a user identity in the IPv6 address are hard to deploy in practice because of the complexity of DHCPv6 client development or the difficulty of managing temporary address leases. Considering the sequential logic between identity authentication and address allocation, an IEEE 802.1x-based user identity-embedded IPv6 address generation scheme is proposed. By performing user identity authentication at layer 2 and then assigning IPv6 addresses, the scheme decouples identity authentication from address allocation. It avoids the need to develop new extended DHCPv6 clients for each operating system and to maintain temporary address leases on DHCPv6 servers, which makes it more deployable.
Authors
况鹏
刘莹
何林
任罡
KUANG Peng; LIU Ying; HE Lin; REN Gang (Institute for Network Sciences and Cyberspace, Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing 100084, China)
Source
Telecommunications Science (《电信科学》)
2019, Issue 12, pp. 15-23 (9 pages)
Funding
National Natural Science Foundation of China (No. 61772307, No. 61402257)
National Key Research and Development Program of China (No. 2018YFB1800405, No. 2018YFB1800404, No. 2017YFB0801701)