Feature Glance - BRAS
What Is a BRAS?
[Figure: network diagram with STB, RGW, phone, PC, corporation CPE, FTTH, ONT, OLT, BRAS, metro network and IP backbone]
BRAS's five functional components:
• Component 1: User access identification
• Component 2: Connection management
• Component 3: AAA and user management
• Component 4: Address allocation and management
• Component 5: Service control
[Figure labels: user packets, DHCP, Policy]
[Figure: protocol stacks on the path from the user to the IP core and the Internet. PPPoX user: TCP/UDP over IP over PPP (carrying the user name and password) over Ethernet. 802.1X user: EAP-MD5 over EAPoL over Ethernet on the access side, EAP-MD5 over RADIUS over UDP/IP toward the server. DHCP user: Insert Option60.]
Authentication modes compared: PPP authentication, Web authentication, Bind authentication, 802.1X authentication
IP address allocation process:
• IP address allocation after authentication
• IP address allocation before authentication; secondary address allocation
• IP address allocation using DHCP after authentication
Additional service features:
• Support for VPDN
• Pre-authentication resource access free of charge; advertisement services on the authentication web page
• None
Service selection
Service customization
[Figure labels: VBAS, PPPoE, PPPoE+]
• VBAS: The BRAS uses VBAS to actively query the user's physical location information from an access device.
• PPPoE+: PPPoE+ uses the vendor specific attribute (VSA) to identify the user's physical location information.
• DHCP Option 82 identifies the user's physical location information.
• Double VLAN tags are used to identify the user's physical location information.
AAA Process
[Figure labels: IP network, BRAS, Internet]
4. Network access is allowed.
5. Go to www.huawei.com.
AAA Mode
Authentication Mode
• PPP authentication
• 802.1X authentication
• Bind authentication
• Web authentication
• Fast authentication
Authentication Scheme
• Non-authentication
• Local authentication
• Remote authentication
• Combined authentication
Authorization Mode
• Local authorization
• Remote authorization
• Online authorization
Accounting Mode
• Non-accounting
• Remote accounting
• Real-time accounting
• Local accounting
User Management
[Figure labels: PPPoE domain, IPTV domain, CMTS domain, ……]
The user has network access authorities, the bandwidth of 2 Mbit/s, and a list of inaccessible addresses...
Address security issues
• Stealing other users' IP addresses
• IP addresses not released upon user terminal power-off, consuming resources for a long time
• Repeated IP address application by forging MAC addresses
[Figure labels: DHCP, access network, BRAS, Internet]
BoD DAA
[Figure labels: extranet traffic, intranet traffic]
A user enters a user name and password for login during web authentication. Before the user accesses the Internet, the user is redirected to a web page by the portal server. This web page displays the user information, Internet access duration, and advertisement.
After the user traffic volume or duration quota is used up, Disconnection Management (DM) packets can be sent to allow the device to log out users.
[Figure labels: DSLAM, BRAS, IP Core]
1. The STB uses DHCP Option 60 to identify terminal types so that different addresses can be assigned to different terminals.
5. The AAA server identifies the terminal type based on Option 60, authenticates users based on Option 82, and assigns different IP addresses to users based on policies.
6. The BRAS checks the IP+MAC+VLAN or IP+MAC+port binding information of users based on upstream and downstream packets one by one.
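The Option 60 / Option 82 handling and the IP+MAC+VLAN binding check from the steps above, as an added example that is not from the original slides or any vendor implementation: it parses both options using the standard code/length/value layout (RFC 2132, RFC 3046) and checks a packet's source against a learned binding. The function names, the BindingTable class and all sample values are assumptions constructed for illustration.

```python
# Added illustration, not vendor code. All sample values are constructed.

def parse_options(buf, top_level=True):
    """Parse a code/length/value option stream into {code: value}."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == 0:        # Pad option: single byte, no length
            i += 1
            continue
        if top_level and code == 255:      # End option
            break
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:           # reject lengths that overrun the buffer
            raise ValueError("option %d overruns buffer" % code)
        opts[code] = value
        i += 2 + length
    return opts

def classify(options_blob):
    """Return (terminal type, circuit ID, remote ID) for one DHCP request."""
    opts = parse_options(options_blob)
    vendor_class = opts.get(60, b"").decode("ascii", "replace")   # Option 60
    relay = parse_options(opts.get(82, b""), top_level=False)     # Option 82
    return vendor_class, relay.get(1), relay.get(2)

class BindingTable:
    """Hypothetical IP -> (MAC, VLAN) table filled when an address is leased."""
    def __init__(self):
        self._by_ip = {}

    def learn(self, ip, mac, vlan):
        self._by_ip[ip] = (mac.lower(), vlan)

    def permits(self, ip, mac, vlan):
        # A packet passes only if all three fields match the lease.
        return self._by_ip.get(ip) == (mac.lower(), vlan)

# Constructed options: message type, Option 60 "STB", Option 82 with
# sub-option 1 (circuit ID) and sub-option 2 (remote ID), then End.
SAMPLE = (bytes([53, 1, 1]) + bytes([60, 3]) + b"STB"
          + bytes([82, 14, 1, 8]) + b"olt1/0/3" + bytes([2, 2]) + b"u7"
          + bytes([255]))

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A packet whose source IP is known but whose MAC or VLAN differs from the lease is rejected, which is the case the "stealing other users' IP addresses" issue describes.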
[Figure labels: access network, BRAS, IP Core, Internet]
1. A user uses PPPoE to dial up.
Security Protection
Security Measure: URPF
• URPF for PPPoE/IPoE users checks the validity of the source IP address in the IP header.
• URPF on BAS interfaces checks the packet loss statistics.
Security Measure: Host CAR
• Rate limiting can be performed on traffic sent to the CPU using host CAR, HTTP host CAR, or VLAN host CAR.
• Host CAR supports attack source tracing and attack event reporting, facilitating management for maintenance engineers.
• Host CAR is associated with penalty measures to dynamically suppress packets from malicious users.
Security Measure: Chasten
• PPPoE/DHCP connection penalty can be configured to protect normal services against invalid connections.
• Unauthorized users are prevented from obtaining passwords of authorized users by brute force.
Reliability