Feature Glance - BRAS

What Is a BRAS?

A broadband remote access server (BRAS) is an access gateway that functions as a bridge between a broadband access network and a backbone network, providing basic access and management functions.

[Figure: position of the BRAS in the network. Customer network devices (LAN, STB, phone, PC, AP, corporation CPE) connect through a home gateway (HG, RGW, or ONT) over FTTB, FTTH, or DSL to the access network (MxU, OLT, DSLAM, LSW); the BRAS sits at the edge of the metro backbone network, which connects to the IP core.]

BRAS Functional Components

The BRAS has five functional components, which process user packets as follows:
• Component 1: User access identification
• Component 2: Connection management
• Component 3: AAA and user management
• Component 4: Address allocation and management (DHCP)
• Component 5: Service control (policy)

BRAS Service Processing Process

1. Obtain authentication information. The access identification component receives a connection request from a user terminal, obtains a user name and password and physical location information from the request, and sends the information to the connection management component for authentication.
2. Request for authentication. The connection management component determines whether to allow user access based on access conditions. If user access is allowed, the component forwards the authentication information to the AAA and user management component.
3. Perform authentication and authorization. The AAA and user management component performs authentication and authorization based on AAA schemes and responds to the connection management module with the authentication result and authorization information.
4. Apply for an IP address. If the authentication is successful, the connection management component applies to the address allocation and management component for an IP address.
5. Assign an IP address. The address allocation and management component assigns an IP address to the user terminal based on user information and responds to the connection management component with the assigned IP address. (If a remote address pool is used, the DHCP server is used to assign IP addresses.)
6. Allow user access. The connection management component responds to the access identification component with the authentication result and assigned IP address. The access identification component then allows the user to go online.
7. Perform accounting and control. After the user accesses the network, the AAA and user management component and the service control component work together to implement accounting, bandwidth limitation, and QoS enforcement on basic and value-added services.

Component 1 User Access Identification

The BRAS identifies a user based on the access protocol of received connection requests and obtains the user's physical location information and user name and password by performing authentication.
The user name format can be username@domain or domain@username. Here, @ is a domain name delimiter. A domain name can precede or follow a user name, which can be configured.

[Figure: IPoX users, 802.1X users, and PPPoX users send connection requests to the BRAS, which connects them to the Internet, the headend, and the softswitch (Softx).]

User Access Identification — Identifying Access Protocols and Obtaining User Names and Passwords

Identify PPPoX access users.
• When a PPPoE user dials up, it enters a user name and password.
• The BRAS sends the user name and password to the AAA server for authentication.

[Figure: PPPoE protocol stack from the PC through the HG, DSLAM, and AGG to the BRAS and the IP core. PPP carries the user name and password ("name@domain" for dial-up) over Ethernet, AAL5, and Q-in-Q VLANs; the DSLAM inserts PPPoE+ (TR-101) information and the BRAS identifies the user name and the PPPoE+ information.]

Identify 802.1X users.
• 802.1X users must be authenticated using 802.1X (EAP) authentication.
• 802.1X users must enter user names and passwords.

[Figure: 802.1X protocol stack. EAP-MD5 over EAPoL is carried from the PC through the AP, DSLAM, and AGG to the BRAS, which relays EAP-MD5 to the RADIUS server over UDP/IP.]

Identify IPoX access users.

IPoX users do not need to enter user names and passwords. The BRAS automatically generates user names and passwords for IPoX users based on their physical locations.
• A user name can be automatically generated based on physical location information, such as the MAC and IP addresses, Option 82, and Option 60.
• A domain name can be the default domain of the access interface or obtained from Option 60.
IPoX users can also be authenticated based on the user name and password entered on the web page in web authentication.
[Figure: IPoX (DHCP) protocol stack. The STB or PC sends DHCP over IP/Ethernet; Option 60 is inserted on the customer side (HG) and Option 82 by the DSLAM; the AGG forwards the packets to the BRAS, which identifies Option 60 and Option 82 before forwarding traffic to the IP core.]
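The IPoX identification rule above (user name generated from physical location information, domain taken from Option 60 or the interface default, configurable delimiter order) as an added Python example; this is not code from the Huawei document, and the exact concatenation format, the DEFAULT_DOMAIN value, and the sample packet are assumptions.

```python
# Added example (not part of the Huawei document): parse the DHCP options a BRAS
# inspects for IPoX users and derive the auto-generated user name and domain.
# The naming rule (MAC + Option 82 circuit ID, domain from Option 60) is an
# assumption for illustration; real products have their own configurable formats.

DEFAULT_DOMAIN = "default"  # assumed default domain of the access interface


def parse_dhcp_options(opts: bytes) -> dict:
    """Parse a DHCPv4 option field (TLV list after the magic cookie)."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option, no length byte
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_option82(data: bytes) -> dict:
    """Relay Agent Information sub-options: 1 = Circuit ID, 2 = Remote ID."""
    subs = parse_dhcp_options(data)   # sub-options use the same TLV layout
    return {"circuit_id": subs.get(1, b""), "remote_id": subs.get(2, b"")}


def generate_identity(client_mac: bytes, opts: dict, domain_first: bool = False) -> str:
    """Build '<user name>@<domain>' (or '<domain>@<user name>' when the
    delimiter order is configured the other way round) for an IPoX user."""
    mac = ":".join(f"{b:02x}" for b in client_mac)
    o82 = parse_option82(opts[82]) if 82 in opts else {"circuit_id": b""}
    circuit = o82["circuit_id"].decode("ascii", "replace") or "unknown-line"
    username = f"{mac}/{circuit}"          # physical location: MAC + line ID
    domain = opts[60].decode("ascii", "replace") if 60 in opts else DEFAULT_DOMAIN
    return f"{domain}@{username}" if domain_first else f"{username}@{domain}"


# Constructed sample: the option field of a DHCP Discover after the DSLAM has
# appended Option 82 (Circuit ID = line identifier, Remote ID = ONT label).
SAMPLE_MAC = bytes.fromhex("001122334455")
OPTION82_BODY = bytes([1, 17]) + b"DSLAM01/0/1/2:100" + bytes([2, 5]) + b"ONT-7"
SAMPLE_OPTS = (
    bytes([53, 1, 1])                      # DHCP message type: Discover
    + bytes([60, 4]) + b"IPTV"             # vendor class identifier (terminal type)
    + bytes([82, len(OPTION82_BODY)]) + OPTION82_BODY
    + bytes([255])
)

if __name__ == "__main__":
    parsed = parse_dhcp_options(SAMPLE_OPTS)
    print(generate_identity(SAMPLE_MAC, parsed))
    print(generate_identity(SAMPLE_MAC, parsed, domain_first=True))
```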

User Access Identification — Authentication Technologies

• 802.1X authentication: A user name and password are entered using the 802.1X dialer for identity authentication. EAP is used during 802.1X authentication.
• PPP authentication: A user name and password are entered using the PPP dialer for user authentication during PPP connection establishment.
• Web authentication: A user accesses the web authentication server and enters a user name and password for identity authentication.
• Fast authentication: A user opens an authentication web page for authentication, without entering a user name and password. Fast authentication is a combination of web and bind authentication.
• Bind authentication: User information, such as the access location, is inserted into user packets so that a user name and password can be automatically generated for authentication.
Comparison Between Authentication Technologies

Access control granularity
• PPP authentication: PPP connection
• Web authentication: VLAN user and physical port
• Bind authentication: VLAN user and physical port
• 802.1X authentication: Logical interface

Client requirement
• PPP authentication: Commercial client
• Web authentication: Standard browser
• Bind authentication: No special client required
• 802.1X authentication: Vendor-specific client

Multicast
• PPP authentication: PPPoE is used for multicast encapsulation, so the BRAS must be deployed as the multicast replication point, which has low efficiency.
• Web authentication: IPoE is used for multicast encapsulation, and a downstream device of the BRAS can be deployed as the multicast replication point, which increases efficiency.
• Bind authentication: IPoE is used for multicast encapsulation, and a downstream device of the BRAS can be deployed as the multicast replication point, which increases efficiency.
• 802.1X authentication: IPoE is used for multicast encapsulation after the authentication, and a downstream device of the BRAS can be deployed as the multicast replication point, which increases efficiency.

Encapsulation cost
• PPP authentication: PPP encapsulation and large packet fragmentation
• Web authentication: Ethernet encapsulation
• Bind authentication: Ethernet encapsulation
• 802.1X authentication: Ethernet encapsulation

IP address allocation process
• PPP authentication: IP address allocation after authentication
• Web authentication: IP address allocation before authentication; secondary address allocation; pre-authentication resource access free of charge
• Bind authentication: IP address allocation before authentication; secondary address allocation; pre-authentication resource access free of charge
• 802.1X authentication: IP address allocation using DHCP after authentication

Additional service features
• PPP authentication: Support for VPDN
• Web authentication: Advertisement services on the authentication web page; service selection; service customization
• Bind authentication: Advertisement services on the authentication web page; service selection; service customization
• 802.1X authentication: None

User Access Identification — Physical Location Identification Technologies

The user's physical location information is identified by one of the following technologies:
• VBAS (PPPoE): The BRAS uses VBAS to actively query the user's physical location information from an access device.
• PPPoE+: PPPoE+ uses the vendor specific attribute (VSA) to identify the user's physical location information.
• Option 82 (DHCP): DHCP Option 82 identifies the user's physical location information.
• VLAN stack: Double VLAN tags are used to identify the user's physical location information.

Security measures: account + physical location authentication

• User identification: account + access location + user terminal identifier (IP or MAC address)
• Account security: User accounts can be bound to specific interfaces.
• Network attack locating: Each user has its specific access location, and therefore attacks cannot be denied.

Component 2 Connection Management

The connection management component manages connections, functioning as a bridge between the other four components.
• It interacts with the AAA and user management component, the address management component, and the access identification component.
• It assists in establishing, maintaining, and tearing down user connections.

Component 3 AAA and User Management

AAA is short for Authentication, Authorization, and Accounting.

AAA Process

[Figure: AAA process between the user, the BRAS, the AAA server (which receives account information pushed from the BOSS), and the Internet. Signaling stream and data flow are shown separately.]
1. User to BRAS: I want to access the network.
2. BRAS to AAA server: AAA server, please check whether the user has network access authorities.
3. AAA server to BRAS: The user has network access authorities, the bandwidth (Mbit/s), a static IP address, and a list of inaccessible addresses...
4. BRAS to user: Network access is allowed.
5. User: Go to www.huawei.com.

AAA Mode
• Authentication mode: PPP authentication, 802.1X authentication, Bind authentication, Web authentication, Fast authentication
• Authentication scheme: Non-authentication, Local authentication, Remote authentication, Combined authentication
• Authorization mode: Local authorization, Remote authorization, Online authorization
• Accounting mode: Non-accounting, Remote accounting, Real-time accounting, Local accounting

User Management

User Management Method
• Domain-based user management: Users with the same service attributes are classified into the same domain, for example an HSI domain at 2 Mbit/s, an HSI domain at 10 Mbit/s, a PPPoE domain, an IPTV domain, a CMTS domain, and so on.
• User-account-based user management: User accounts and service attributes are configured on an AAA server and delivered to users when they go online, or dynamically delivered to users after the users go online (for example: "The user has network access authorities, the bandwidth of 2 Mbit/s, and a list of inaccessible addresses...").

User Management Contents

Access Management: Specify resources for user access and access authorities, including:
• AAA schemes and servers
• User address pool
• DNS server
• Bound user group
• Time range control
• Number of access users allowed
• Rate limit

Service Management: Manage the authorities, bandwidth, control, and QoS for basic access services (Internet access) and value-added services, in addition to:
• Captive portal
• Idle-cut
• Traffic statistics collection
• IP address usage alarm

Component 4 Address Management

A user must use an IP address for network access. How does a BRAS assign and manage IP addresses?

IP Address Type
• Static IP address: Manually configured or delivered by the RADIUS server. Applied to Internet cafes, enterprises, and users that need fixed IP addresses.
• Dynamic IPv4 address: Assigned using IPCP, or assigned using DHCPv4 (through an internal or external DHCPv4 server).
• Dynamic IPv6 address: Assigned using ND, or assigned using DHCPv6 (through an internal or external DHCPv6 server).

Address security
• User address binding; anti-address spoofing
• The BRAS releases the IP address assigned to a user terminal after the terminal is powered off.
• The number of DHCP and PPP connections allowed to be established is limited, preventing malicious address application.

Address security issues (figure: access network, BRAS, Internet)
• Stealing other users' IP addresses
• IP addresses not released upon user terminal power-off, consuming network resources for a long time
• Repeated IP address application by forging MAC addresses

Component 5 Service Control

Service-based — Value-Added Service Control
Value-added services are provided for target customers with flexible service and accounting policies based on actual customer requirements. This facilitates fast service customization, increases operating revenues, and avoids homogenized competition.

Value-Added Service Technologies
• BoD: In the traditional mode, your service mode can be changed only in the carrier's business office, which is time-consuming. Bandwidth on demand (BoD) allows users to change services any time anywhere using the portal, saving time.
• DAA: The extranet and intranet traffic is differentiated and charged at different tariff levels. Carriers can perform differentiated rate limiting, scheduling, and accounting on different traffic.
• EDSG: User-based dynamic service delivery; service template overlaying; dynamic adjustment of the ISP's IP addresses.
• iVSE: Fast channel change (FCC); enhanced IPTV user experience; improved troubleshooting efficiency.

User-based — Value-Added Service Control
• Dynamic Change of Bandwidth: Change of Authorization (CoA) packets can be delivered to dynamically change authorization information of online users.
• Controllable Multicast: The permission of a user to join a multicast group and the multicast program list that can be ordered by users are controlled.
• Captive Portal: A user enters a user name and password for login during web authentication. Before the user accesses the Internet, the user is redirected to a web page by the portal server. This web page displays the user information, Internet access duration, and advertisements.
• Forcible Logout Using DM Packets: After the user traffic volume or duration quota is used up, Disconnection Management (DM) packets can be sent to allow the device to log out users.
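The CoA and DM messages mentioned above are RADIUS Dynamic Authorization packets (RFC 5176); the following added Python example, which is not code from the Huawei document, builds a Disconnect-Request the way a policy server would and checks the BRAS's ACK/NAK authenticator. The shared secret, user, session and address values are constructed, and the Message-Authenticator attribute is left out for brevity.

```python
# Added example (not part of the Huawei document): building and verifying the
# RADIUS Disconnect-Request / CoA-Request messages (RFC 5176) that a policy
# server sends to the BRAS for forcible logout or a bandwidth change. The shared
# secret, user and session values are constructed; Message-Authenticator omitted.
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 8, 44


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1), Length (1, includes header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    auth = hashlib.md5(_packet(code, ident, bytes(16), attrs) + secret).digest()
    return _packet(code, ident, auth, attrs)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """ACK/NAK from the BRAS: Response Authenticator = MD5(Code+ID+Length+
    RequestAuthenticator+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    auth = hashlib.md5(_packet(code, ident, req_auth, attrs) + secret).digest()
    return _packet(code, ident, auth, attrs)


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What the sender checks before trusting an ACK/NAK: identifier match,
    consistent length, and a Response Authenticator bound to its own request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, length = response[0], struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(
        _packet(code, request[1], request[4:20], response[20:]) + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample: log out session 0001 of user1@hsi, who holds 10.1.1.10
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (encode_attr(USER_NAME, b"user1@hsi")
                + encode_attr(FRAMED_IP_ADDRESS, socket.inet_aton("10.1.1.10"))
                + encode_attr(ACCT_SESSION_ID, b"0001"))
DM_REQUEST = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, SECRET)
```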

User Access Processes in Typical Scenarios

Scenario 1: IPoE access

IPoE Access — Bind Authentication (Based on Option 82 and Option 60)
1. The STB uses DHCP Option 60 to identify terminal types so that different addresses can be assigned to different terminals.
2. The DSLAM inserts Option 82 carrying user line information into the packets.
3. The switch uses DHCP trusted interfaces to connect to authorized servers, and other interfaces are untrusted. This prevents bogus DHCP server attacks.
4. The BRAS distributes traffic based on DHCP Option 60 to different DHCP servers for authentication.
5. The AAA server identifies the terminal type based on Option 60, authenticates users based on Option 82, and assigns different IP addresses to users based on policies.
6. The BRAS checks the IP+MAC+VLAN or IP+MAC+port binding information of upstream and downstream packets one by one.
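The binding check in the last step, together with the address security measures from Component 4 (user address binding, anti-address spoofing, a cap on DHCP/PPP connections), as an added Python example; this is not code from the Huawei document, and the table layout, the drop reasons and all addresses, MACs and VLAN IDs are assumptions.

```python
# Added example (not part of the Huawei document): a minimal user binding table
# of the kind the BRAS builds after DHCP/AAA completes, with the per-packet
# IP+MAC+VLAN check for upstream and downstream traffic and a per-VLAN cap on
# concurrent bindings. Addresses, MACs and VLAN IDs below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int          # access VLAN (an access port works the same way)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    vlan: int
    upstream: bool     # True: user -> network, False: network -> user

class BindingTable:
    def __init__(self, max_per_vlan: int = 8):
        self._by_ip = {}
        self.max_per_vlan = max_per_vlan   # limits address grabs from forged MACs

    def add(self, b: Binding) -> bool:
        """Install a binding when an address is assigned; refuse when the VLAN
        already holds max_per_vlan bindings (DHCP/PPP connection limit)."""
        in_vlan = sum(1 for x in self._by_ip.values() if x.vlan == b.vlan)
        if b.ip in self._by_ip or in_vlan >= self.max_per_vlan:
            return False
        self._by_ip[b.ip] = b
        return True

    def release(self, ip: str) -> None:
        """Drop the binding when the terminal goes offline (lease end, power-off)."""
        self._by_ip.pop(ip, None)

    def check(self, p: Packet) -> str:
        """Return 'forward' or a drop reason for one packet."""
        if p.upstream:
            b = self._by_ip.get(p.src_ip)
            if b is None:
                return "drop: source address not bound to any online user"
            if b.mac != p.src_mac or b.vlan != p.vlan:
                return "drop: IP/MAC/VLAN mismatch (address spoofing)"
            return "forward"
        b = self._by_ip.get(p.dst_ip)
        if b is None:
            return "drop: destination is not an online user"
        return f"forward to vlan {b.vlan} mac {b.mac}"

# Constructed sample: two online users and one packet spoofing the other's address
TABLE = BindingTable(max_per_vlan=2)
TABLE.add(Binding("10.1.1.10", "00:11:22:33:44:55", 100))
TABLE.add(Binding("10.1.1.11", "00:11:22:33:44:66", 101))
LEGIT = Packet("10.1.1.10", "203.0.113.9", "00:11:22:33:44:55", 100, True)
SPOOF = Packet("10.1.1.11", "203.0.113.9", "00:11:22:33:44:55", 100, True)
```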

IPoE Access — Web Authentication

1. A user terminal uses DHCP to apply for an IP address. If the user accesses the Internet but has not been authenticated, it will be redirected to a web page so that it can enter the user name and password for authentication.
2. The BRAS uses ACLs to allow the user to access limited resources before the user is authenticated.
3. The user enters a user name and password on the web page to be authenticated.
4. The BRAS obtains the user name and password from the web server and sends them to the AAA server for authentication.
5. The AAA server authenticates the user and instructs the BRAS to allow the user to access the Internet.

IPoE Access — Fast Authentication

Fast authentication combines web and bind authentication. A user opens an authentication web page for authentication, without entering a user name and password.
The BRAS authenticates users based on the physical location information of the terminals.
1. A user terminal uses DHCP to apply for an IP address. If the user accesses the Internet but has not been authenticated, it will be redirected to a web page and then be automatically authenticated without the need to enter a user name and password.
2. The BRAS uses ACLs to allow users to access only limited resources before authentication and redirects users that failed authentication to the arrears page.
3. The BRAS generates the user name and password based on the physical location information of users and sends them to the AAA server for authentication.
4. The AAA server authenticates the user and instructs the BRAS to allow the user to access the Internet.

Scenario 2: PPPoE Access

1. A user uses PPPoE to dial up.
2. The BRAS sends an authentication request.
3. The AAA server responds with an authentication success message.
4. The address server assigns an IP address.
5. The user accesses the Internet.

Security Protection

URPF (security measure)
• URPF for PPPoE/IPoE users checks the validity of the source IP address in the IP header.
• URPF on BAS interfaces checks the packet loss statistics.

Security measure
• Automatic reclamation of conflicted addresses
• Setting idle addresses to prevent IP address exhaustion

Host CAR (security measure)
• Rate limiting can be performed on traffic sent to the CPU using host CAR, HTTP host CAR, or VLAN host CAR.
• Host CAR supports attack source tracing and attack event reporting, facilitating management for maintenance engineers.
• Host CAR is associated with penalty measures to dynamically suppress packets from malicious users.

Attack source tracing (security measure)
• User accounts can be bound to specific interfaces.
• User access locations can be identified, and therefore attacks cannot be denied.

Chasten (security measure)
• PPPoE/DHCP connection penalty can be configured to protect normal services against invalid connections.
• Unauthorized users are prevented from obtaining passwords of authorized users by brute force.
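Host CAR with penalty measures and the PPPoE/DHCP connection penalty described above share one mechanism: a per-user rate limit whose repeated violation suppresses that user for a while and records an attack event for source tracing. The Python block below is an added example of that mechanism, not code from the Huawei document; the token-bucket parameters, the penalty thresholds and the constructed trace are assumptions.

```python
# Added example (not part of the Huawei document): a per-user token bucket with
# a penalty period, modelling host CAR on packets sent to the CPU and the
# PPPoE/DHCP connection penalty described above. Rates, thresholds and the
# constructed trace are assumptions for illustration.
from collections import defaultdict


class PenaltyLimiter:
    def __init__(self, rate: float, burst: int, penalty_after: int, penalty_secs: float):
        self.rate = rate                    # tokens refilled per second
        self.burst = burst                  # bucket capacity
        self.penalty_after = penalty_after  # violations before suppression
        self.penalty_secs = penalty_secs    # how long a user stays suppressed
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}
        self._violations = defaultdict(int)
        self._penalized_until = {}
        self.events = []                    # (time, user, reason) for source tracing

    def allow(self, user: str, now: float) -> bool:
        """Return True if the packet (or connection attempt) from user may pass."""
        if self._penalized_until.get(user, 0.0) > now:
            return False                    # suppressed: dropped without refilling
        last = self._last.get(user, now)
        self._tokens[user] = min(self.burst, self._tokens[user] + (now - last) * self.rate)
        self._last[user] = now
        if self._tokens[user] >= 1.0:
            self._tokens[user] -= 1.0
            return True
        self._violations[user] += 1
        if self._violations[user] >= self.penalty_after:
            self._penalized_until[user] = now + self.penalty_secs
            self._violations[user] = 0
            self.events.append((now, user, "rate exceeded, user suppressed"))
        return False


def run_constructed_trace():
    """Constructed trace: seven packets from one user with rate 1/s, burst 3,
    penalty after 2 violations for 10 s. Returns (verdicts, attack events)."""
    lim = PenaltyLimiter(rate=1.0, burst=3, penalty_after=2, penalty_secs=10.0)
    verdicts = [lim.allow("user1@hsi", t) for t in (0, 0, 0, 0, 0, 5, 10)]
    return verdicts, lim.events
```

In the trace the first three packets pass on the initial burst, the fourth and fifth exceed the rate and trigger the penalty, the packet at 5 s is suppressed, and by 10 s the penalty has expired and the bucket has refilled.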

Reliability

Network server
• AAA servers can work in master/backup or load balancing mode.
• DHCP servers can work in master/backup or load balancing mode.
• Policy servers can work in master/backup or load balancing mode.

User entry
• An interface can have ARP-trigger, IP-trigger, or ND-trigger configured. The device saves temporary entries for users that abnormally log off, allowing the users to go online directly without needing to dial up.
• User detection: The device detects the online status of users and deletes users that are offline to reclaim addresses. This avoids accounting of users that are not online for a long time.
• High-end memory can be used to store DHCP user information, ensuring that users can automatically go online after the device is restarted, or a board, subcard, or interface fails.

Link/Board
• Link protection can be implemented for intra-board Eth-Trunk interfaces.
• Board protection can be implemented for inter-board Eth-Trunk interfaces.

Device-level backup
• Cold backup: protects BRAS services, and users need to re-dial up after a master/backup device switchover.
• Hot backup: protects BRAS services. Users do not detect faults that cause a master/backup switchover, and the backup device quickly takes over services.

Presented by Huawei Fixed Network Information Department
Copyright © Huawei Technologies Co., Ltd. All rights reserved.
