Technical Analysis of Metro Aggregation Layer Ethernet User Authentication

Source: Internet
Author: User

For most services on an Ethernet network, the operator cannot fully control the client device or the physical medium. To operate and manage broadband services, operators must instead control users and devices logically. This control is achieved mainly through authentication and authorization of users and user devices.

Analysis of technical requirements for Ethernet user access authentication

As Ethernet-based services are applied more and more widely, an access authentication technology is needed that meets the requirements of multiple Ethernet services, preserves the flexibility and good scalability of Ethernet access, ensures the security of Ethernet access, and allows operators to control and manage access users.

Combining Ethernet technology with access authentication technology requires network access control to fulfil the following functions:

Network access control is independent of the type of service the network provides. Whether the service is wired access, wireless access, or another form of public Ethernet access service, a general access authentication solution is adopted.

Carrier-grade IP access networks require strict control and management of users, including user access to the network and user identification.

Users only need to face a single authentication interface to roam between multiple network access services.

Support for emerging services is also an important factor when selecting an authentication technology: the technology must support emerging services under the existing authentication system.

For carriers, a general authentication solution can simplify the security management of remote access VPNs, and the scope of user authentication is extended to the LAN.

An authentication technology adapted to the access control needs of carrier-grade IP broadband networks simplifies the operator's network authentication architecture and reduces the carrier's training, maintenance, and operation costs.

Technical analysis of authentication

According to the layered Internet model, each protocol layer can authenticate network access for users or devices. Authentication technologies can therefore be divided into categories according to the layer of the network model at which authentication takes place: physical layer authentication, MAC layer authentication, IP layer authentication, and UDP/TCP application layer authentication.

802.11b uses a typical physical layer authentication. The advantage of physical layer authentication is that the upper-layer MAC and TCP/IP protocols do not need to change. The disadvantages are that the hardware of the NIC and the access server must be changed, that protocol modifications take a long cycle to be supported by devices (for example, WEPv1.0), and that it is difficult to integrate with AAA.

The representative technologies of MAC layer authentication are PPP and 802.1x. The advantage of this method is that device hardware does not need to be modified, and new authentication technologies can be introduced through software upgrades. Protocol changes have a short turnaround, and the method can be integrated with AAA quickly and effectively (through EAP). The disadvantage is that the MAC layer must be modified.

IP layer authentication does not require modifying the customer's MAC or TCP/IP layers. Its drawback is that some network access permissions must be opened to the authentication requester before authentication, and an address must be assigned to the user. IP-based authentication generally does not provide billing statistics, and its scalability is poor.

UDP/TCP authentication is performed at the application layer and does not require modifying the lower layers. A token card protocol is generally used. Part of the network must be opened before authentication, there is no statistics or billing capability, and scalability is poor.

Comparing the above authentication methods shows that link layer authentication has outstanding advantages: it is fast, simple, and low cost. Most link layer protocols, such as PPP and IEEE 802, support link-layer authentication. The customer does not need to locate a server or obtain an IP address before authentication. Network access devices need only limited layer-3 functionality and can easily be combined with AAA to provide a wide range of flexible authentication and billing methods. In a multi-protocol network environment, link layer authentication can be fully transparent to upper-layer applications, that is, it can be compatible with new network-layer protocols such as IPv6. Link layer authentication also reduces the latency of authentication packet processing and helps ensure the service quality of key applications.
