IPoEv4 Access Fundamentals
Modes of IPoE Access
According to actual networking situations and service processing, IPoE access has the following modes:
Common IPoE access
A user PC accesses an Ethernet interface on a BRAS through a Layer 2 device (hub or LAN switch). The Layer 2 device does not encapsulate or change the IPoE packets from the user. The IP packets sent from the user are encapsulated into IPoE packets when passing through the Ethernet interface of the user PC. Then, the packets are forwarded to the BRAS through the Layer 2 device. Therefore, the packets received on the BRAS are IPoE packets.
Common IPoEoVLAN access
A user PC accesses an Ethernet interface on a BRAS through an 802.1Q-supporting switch. The IP packets sent from the user are encapsulated into IPoE packets when passing through the Ethernet interface of the user PC. Then, the LAN switch adds VLAN tags to the IPoE packets and changes them into IPoEoVLAN packets. Finally, the packets are forwarded to the BRAS. Therefore, the packets received on the BRAS are IPoEoVLAN packets.
Common IPoEoQ access
A user PC accesses an Ethernet interface on a BRAS through two 802.1Q-supporting switches and QinQ is configured on an interface on the switch close to the BRAS. The IP packets sent from the user are encapsulated into IPoE packets when passing through the Ethernet interface of the user PC. The switch close to the user PC adds a VLAN tag to each IPoE packet and changes them into IPoEoVLAN packets before forwarding the packets. When the IPoEoVLAN packets reach the switch close to the BRAS, this switch adds another VLAN tag to each IPoEoVLAN packet before forwarding them. Therefore, each packet finally received on the BRAS is an IP packet with two VLAN tags, that is, an IPoEoQ packet.
According to the number of access users, IPoE access has the following modes:
Individual Users
Individual users log in to the BRAS through Layer 2 or Layer 3 network. Each individual user has independent service attributes. The BRAS authenticates and charges each individual user separately.
Leased-line Users
Lease-line users are a group of users that access the Internet using a Layer 2 or Layer 3 network, including Layer 2 and Layer 3 leased-line users. These users share a service attribute for unified authentication and accounting.
Layer 2 leased line access
The networking mode for Layer 2 leased line access is the same as that for common IPoX access, and the packets that reach the BRAS are of three types: IPoE, IPoEoVLAN, and IPoEoQ. The only difference is that the BRAS handles the Layer 2 leased line service in a different manner.
Layer 3 leased line access
A user PC is connected to the BRAS through a Layer 3 switch. The packets that reach the BRAS are of three types: IPoE, IPoEoVLAN, and IPoEoQ.
Interaction Process for IPoEv4 Users to Get Online
In IPoE access mode, a user can access the Internet using the DSLAM. After passing DHCP authentication and obtaining service authorization, the IPoEv4 user can visit corresponding services. The overall service procedure is shown in Figure 1.
After a user terminal (such as an NGN telephone or an IPTV STB) is powered on or started, it sends a DHCP Discover message. The message is relayed to BRAS through an access device. In this process, the access device can add Option 82 information to the DHCP Discover message as required to provide user's line information.
BRAS extracts information, such as the MAC address and Option 82 from the DHCP Discover message and communicates with the RADIUS server using the RADIUS protocol. The RADIUS server then authenticates the user based on the MAC address and line information. After learning the user's service type, the RADIUS server delivers service authorization and QoS policy to BRAS.
After authentication is complete, BRAS forwards the DHCP Discover message to the DHCP server.
The DHCP server communicates with the user terminal to assign a dynamic IP address to the user. BRAS then binds the user's service control and QoS policy to its IP address.
The user terminal visits a service system to use the required service. For example, the user can visit the NGN telephone to use NGN voice services or visit IPTV headend to use IPTV services.
IP addresses of IPoE access users can be either statically configured on the client or statically/dynamically assigned. Configuration on the DHCP server determines whether the server statically or dynamically assigns IP addresses.
Extension functions of IPoEv4
When a user accesses the Internet using IPoE, the DHCP server uses the physical or logical information carried by the DHCP protocol during the interactive process to authenticate users and authorize user services.
However, DHCP and ARP do not support the functions such as user authentication, link establishment, and link monitoring. Therefore, IPoE adopts some extension function to support these functions.
Authentication: Unlike PPP packets, DHCP or ARP packets cannot carry authentication information such as user names or passwords. Hence, IPoE adopts bind authentication, Web authentication, or fast authentication.
Bind authentication refers to the authentication mode in which a user is authenticated according to physical information about the user connection. When this mode is adopted, users do not need to enter the user names or passwords. Instead, the BRAS generates user names and passwords according to the Option 82 value, MAC address, and IP address and sends the user names together with the passwords to the authentication server. Only the users who pass authentication are considered legal and are assigned IP addresses.
Web authentication refers to the authentication mode in which a user who has obtained an IP address through DHCP or static configuration accesses the authentication page of a web server and enters the user name and password for authentication.
Fast authentication refers to the authentication mode in which a user accesses the authentication page of a web server and submits an authentication request without entering the user name or password. Fast authentication is a combination of Web authentication and bind authentication.
Link establishment: Forwarding entries are created for IPoE access users. Only the traffic of a user who passes authentication and obtains an IP address can be forwarded.
Link monitoring: The system detects the link of an IPoE access user through ARP probes. If the system detects that the number of link failures exceeds the pre-set number, the system considers that the user has gone offline. In this case, the system takes back the IP address from the user and deletes the forwarding entry.