Background technology
A virtual private network (VPN) uses a wide area network such as the Internet to set up a dedicated channel between a remote user's computer and a server on a local network, carries data over that channel, and offers security comparable to that of a closed private LAN.
To ensure security, a VPN therefore has the following basic requirements:
1. User authentication: the VPN must be able to verify the user's identity and strictly restrict login to registered, authorized users.
2. Address management: the VPN must assign the user an address on the private network and keep that address secure.
3. Data encryption: data carried across the Internet must be encrypted so that unauthorized users on the Internet cannot read it.
4. Key management: the VPN must generate and refresh the encryption keys held by the user's computer and the server.
5. Multi-protocol support: the VPN must support the basic protocols in common use on the Internet, including IP, IPX, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), IPsec (the Internet security protocol) and the like.
The Internet Protocol (IP) is the communication protocol used to carry data across computer networks such as the Internet, but IP itself defines no security mechanism. The Internet Engineering Task Force (IETF) therefore defined IPsec, the Internet security protocol, in Request for Comments (RFC) 2401. IPsec encrypts IP traffic and so protects network communication; it is a standard for preventing data modification, third-party inspection, spoofing, and capture and replay.
With the rapid development of wireless network technology, how to build a mobile VPN over a wireless transmission network has become an important research topic. For mobile VPNs over wireless networks the IETF has also defined the Mobile IPv4 standard (IETF RFC 3344), but some problems in this Mobile IPv4 standard still need to be solved.
For example, a mobile node (MN), such as a mobile computer equipped with wireless communication equipment, roaming within an internal network (Intranet) is assigned a mobile IP (MIP) address by a home agent (HA). When the MN roams from the internal network to an external network (Internet), for instance at home or at a branch office, the MN registers with the home agent (HA) through a local foreign agent (FA) and a VPN gateway device (VPN Gateway) secured by IPsec, so that the VPN gateway sets up an IPsec tunnel to the foreign agent (FA).
In the external network it roams into, the MN obtains a new care-of address (CoA), and every time it roams into a new sub-network it asks the VPN gateway to update the IPsec tunnel. However, every packet entering the VPN gateway is encrypted under the IPsec standard; the foreign agent cannot decrypt these packets, so the foreign agent (FA) cannot forward the Mobile IP information either.
To solve the above problem, the Mobile IPv4 working group (WG) of the IETF proposed a mechanism to support international seamless roaming (ISR) for VPN users.
In this method the home agent (HA) in the internal network is defined as an internal home agent (i-HA), and an external home agent (x-HA) is placed in the external network. The i-HA performs mobility management for the MN while it roams in the internal network, and the x-HA manages the MN's mobility once it roams to the external network.
Moreover, the x-HA can wrap the already established IPsec tunnel inside an outer mobile IP tunnel (x-MIP tunnel), so the established IPsec tunnel need not be altered. When the MN obtains a new care-of address (CoA), the IPsec tunnel set up by the VPN gateway is therefore not destroyed, and the foreign agent device (FA) can decode the tunnel information of the outer mobile IP (x-MIP). This method thus requires no modification of the Mobile IPv4 standard or the IPsec standard; only the care-of address (CoA) that a mobile node needs changes.
Figure 1 is a schematic diagram of the mobile VPN standard architecture defined by the IETF. In Fig. 1, a MN 1 roams in an internal network 10 through an i-HA 11. When MN 1 moves from the internal network 10 to an external network 20, MN 1 must register with an x-HA 21 to obtain a new CoA, and x-HA 21 in turn asks a VPN gateway device 22 to set up an IPsec tunnel connected to x-HA 21. Finally, the VPN gateway device 22 registers the VPN-TIA (VPN Tunnel Inner Address) of MN 1 with i-HA 11, so that the established IPsec tunnel is connected to i-HA 11, forming a virtual private network in which the MN can roam across both the external network 20 and the internal network 10.
Figure 2 is a schematic diagram of the message structure of the tunnel set up by the mobile VPN, i.e. the tunneled data packet 30 sent while MN 1 roams from the internal network 10 into the external network 20. It contains an original packet 31; in front of the original packet 31 is wrapped a layer of inner mobile IP (i-MIP) tunnel information 32 (from i-HA 11 to the VPN gateway device 22); outside the inner mobile IP tunnel information 32 is wrapped a layer of IPsec tunnel information 33 (from the VPN gateway device 22 to x-HA 21); and outside the IPsec tunnel information 33 is wrapped a further layer of outer mobile IP (x-MIP) tunnel information 34 (from x-HA 21 to the care-of address of MN 1).
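As an added example, not part of the original description or of any IETF implementation, the following Python models the four-layer packet of Fig. 2 (original packet 31 inside i-MIP layer 32, IPsec layer 33 and x-MIP layer 34) and shows the two properties the description relies on: a foreign agent can read the outer x-MIP header to deliver to the care-of address but sees the IPsec layer only as opaque bytes, and moving the MN to a new CoA rebuilds only layer 34 while layer 33 stays byte-for-byte unchanged. All addresses and the SA key are constructed; the tunnel headers are toy "src>dst" fields, and the IPsec layer is a stand-in (HMAC-SHA256 counter-mode keystream plus an HMAC tag), not real ESP. The MN is assumed to be the IPsec tunnel endpoint holding the SA key.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample addresses (illustrative, not from the description).
I_HA = "10.0.1.1"          # internal home agent inside the Intranet
VPN_GW = "203.0.113.1"     # VPN gateway device
X_HA = "198.51.100.7"      # external home agent
COA_1 = "198.51.100.201"   # first care-of address of the MN
COA_2 = "198.51.100.77"    # care-of address after moving to another subnet

HDR_LEN = 40   # toy fixed-size "src>dst" tunnel header


def _addr_hdr(src, dst):
    return f"{src}>{dst}".encode().ljust(HDR_LEN, b"\0")


def mip_tunnel(src, dst, inner):
    """Mobile IP tunnel layer: toy IP-in-IP header (src, dst, length) in front of inner."""
    return _addr_hdr(src, dst) + struct.pack("!H", len(inner)) + inner


def mip_untunnel(pkt):
    src, dst = pkt[:HDR_LEN].rstrip(b"\0").decode().split(">")
    n = struct.unpack("!H", pkt[HDR_LEN:HDR_LEN + 2])[0]
    return src, dst, pkt[HDR_LEN + 2:HDR_LEN + 2 + n]


def _keystream(sa_key, nonce, n):
    # Toy confidentiality: HMAC-SHA256 in counter mode, keyed with the SA key.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(sa_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]


def ipsec_protect(sa_key, src, dst, inner):
    """IPsec tunnel layer stand-in (assumed toy construction, not real ESP):
    encrypt inner with a keystream and append an HMAC tag over header and ciphertext."""
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(sa_key, nonce, len(inner))))
    hdr = _addr_hdr(src, dst) + nonce
    tag = hmac.new(sa_key, hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


def ipsec_unprotect(sa_key, pkt):
    hdr, ct, tag = pkt[:HDR_LEN + 8], pkt[HDR_LEN + 8:-32], pkt[-32:]
    if not hmac.compare_digest(tag, hmac.new(sa_key, hdr + ct, hashlib.sha256).digest()):
        raise ValueError("IPsec integrity check failed: wrong SA key or modified packet")
    nonce = hdr[HDR_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(sa_key, nonce, len(ct))))


def build_tunneled_packet(original, coa, sa_key):
    """Apply layers 32, 33 and 34 of Fig. 2 around original packet 31."""
    i_mip = mip_tunnel(I_HA, VPN_GW, original)           # 32: i-MIP, i-HA -> VPN gateway
    ipsec = ipsec_protect(sa_key, VPN_GW, X_HA, i_mip)  # 33: IPsec, VPN gateway -> x-HA
    return mip_tunnel(X_HA, coa, ipsec)                   # 34: x-MIP, x-HA -> CoA


def foreign_agent_view(pkt):
    """What a foreign agent sees: the CoA from the outer x-MIP header and the
    IPsec layer as opaque bytes it cannot decrypt."""
    _src, coa, ipsec = mip_untunnel(pkt)
    return coa, ipsec


def foreign_agent_can_decrypt(ipsec_bytes, guessed_key):
    """A foreign agent without the SA key cannot open layer 33."""
    try:
        ipsec_unprotect(guessed_key, ipsec_bytes)
        return True
    except ValueError:
        return False


def rewrap_for_new_coa(pkt, new_coa):
    """After the MN moves subnet only layer 34 is rebuilt; layer 33 is untouched."""
    src, _old_coa, ipsec = mip_untunnel(pkt)
    return mip_tunnel(src, new_coa, ipsec)


def mn_receive(pkt, sa_key):
    """Unwrap layers 34, 33 and 32 at the MN and return the original packet 31."""
    _, _, ipsec = mip_untunnel(pkt)
    i_mip = ipsec_unprotect(sa_key, ipsec)
    _, _, original = mip_untunnel(i_mip)
    return original


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pkt = build_tunneled_packet(b"constructed original packet 31", COA_1, key)
    print("FA delivers to", foreign_agent_view(pkt)[0])
    moved = rewrap_for_new_coa(pkt, COA_2)
    print("IPsec layer unchanged after move:",
          foreign_agent_view(moved)[1] == foreign_agent_view(pkt)[1])
    print("MN recovers:", mn_receive(moved, key))
```

The design choice worth noting is that `rewrap_for_new_coa` never touches the IPsec bytes, which is exactly why the VPN gateway's tunnel survives a change of care-of address in the i-HA/x-HA scheme.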
But in the method for these known IETF, can produce two problems, the firstth, should the most suitable where x-HA21 be placed on? the secondth, could believe that x-HA is safe?
Owing to be externally to build the x-HA21 that puts fixing (Static) in the network 20 in the method for these known IETF, if when in the external network 20 experimental process of comprising network (Subnet) being arranged, then how to arrange the placement location of x-HA21, will have influence on switching transmission (Handoff) time delay between external agent's device (FA) and x-HA21 between the roaming sub-network, and the end between the roaming sub-network is to end (End-to-End) time delay problem.Can and, therefore believe whether x-HA21 really meets the safety standard of Internet traffic security protocol because x-HA21 is in the vpn gateway device 22 uncontrollable external networks 20?
Artificial demand and the problem that solves above-mentioned existing mobile VPN of invention, a kind of mobile VPN dynamic proxy device (x-HA) distribution method and system are proposed, but dynamic assignment near the Local proxy server (HA) of MN as x-HA, therefore the switching transmission (Handoff) between roaming network can be postponed and hold to holding (End to End) to postpone to drop to minimum, and can be fully in conjunction with the Internet traffic safety protocol safe control of VPN, be one rationally and can effectively improve the invention of above-mentioned shortcoming.
Description of drawings
Fig. 1 is a schematic diagram of the mobile VPN standard architecture defined by the Internet Engineering Task Force;
Fig. 2 is a schematic diagram of the message structure of the tunnel set up by this mobile VPN;
Fig. 3 is the system architecture diagram of the mobile VPN of the present invention;
Fig. 4 is the registration flow chart of the mobile node roaming in the internal network;
Fig. 5 is the timing diagram of the mobile node roaming in the internal network;
Fig. 6 is the registration flow chart of the mobile node roaming in the external network;
Fig. 7A and Fig. 7B are timing diagrams of the mobile node roaming in the external network.
Explanation of reference numerals
1 mobile node (MN)
11 internal home agent (i-HA)
10 internal network
20 external network
21 external home agent (x-HA)
22 VPN gateway device
30 tunneled data packet
31 original packet
32 inner mobile IP tunnel information
33 IPsec tunnel information
34 outer mobile IP tunnel information
80 mobile node (MN)
40 internal network
41 DHCP server
42 internal router
43 sub-network (subnet)
44 wireless access point (WAP)
45 internal home agent (i-HA)
46 internal foreign agent (i-FA)
50 external network
51 external router
53 foreign AAA server (AAAF)
54 external home agent (x-HA)
55 external foreign agent (x-FA)
56 DHCP server
57 wireless access point (WAP)
60 demilitarized zone (DMZ)
61 home AAA server (AAAH)
62 VPN gateway device
Specific embodiments
So that the examiner may further understand the technology, means and effects adopted by the present invention to achieve its intended purpose, please refer to the following detailed description of the invention and the accompanying drawings, from which the purpose, features and characteristics of the invention can be understood in depth and in concrete terms. Figure 3 is a schematic diagram of the system architecture of the mobile VPN of the present invention. The invention mainly assigns, dynamically, a home agent (HA) in an external network that is close to a mobile node 80 as an external home agent (x-HA) 54, so that MN 80 can register with x-HA 54 and complete the establishment of the mobile VPN IPsec tunnel.
The invention can use a DHCP server, an AAA (Authentication, Authorization and Accounting) server, a DNS server or the like already deployed in the external network domain to dynamically assign the x-HA, choosing the home agent (HA) in the external network that is nearest to MN 80 to become x-HA 54. Because x-HA 54 is near MN 80, the delay between x-HA 54 and MN 80 can be reduced to a minimum, and end-to-end handoff between sub-networks (inter-subnet) within the external network also becomes faster; in addition, another home agent (HA) in the external network can be used for load balancing.
Even so, the most important issue remains the security mechanism of x-HA 54, so it is preferable to use an AAA server to assign x-HA 54. For example, the Diameter Base Protocol (IETF RFC 3588) can be adopted for the AAA server; it can not only assign the x-HA but also establish security associations (SA) between the several agents that change as the MN roams, and act as a key distribution center (KDC).
As shown in Figure 3, there is an internal network (Intranet) 40 and at least one external network (Internet) 50. The internal network 40 is a protected private network connected to a DHCP server 41 and an internal (interior) router 42. The internal router 42 connects to a demilitarized zone (DMZ) 60, which is the physical area behind the Internet-facing firewall and in front of the second-layer firewall that protects the back-end systems and data. The DMZ 60 is further connected to a home AAA server (AAAH) 61, a VPN gateway device 62 and an external (exterior) router 51, and the external router 51 connects to the external network 50 (Internet).
The internal network 40 may contain several sub-networks (Subnets) 43, and each sub-network 43 connects at least one wireless access point (WAP) 44 for wirelessly connecting at least one MN 80. The internal network 40 is also provided with an i-HA 45 and an internal foreign agent (i-FA) 46; as shown in Fig. 3, i-HA 45 is connected to the first sub-network (Subnet 1), i-FA 46 to the second sub-network (Subnet 2), and the DHCP server 41 to the third sub-network (Subnet 3).
Figures 4 and 5 are the registration flow chart and timing diagram of MN 80 roaming in the internal network 40. Since the main function of the DHCP server 41 is to dynamically assign IP addresses to the computers in the network, the DHCP server 41 continually sends broadcast and query messages 100 to detect whether a new computer has come online on the network (S200).
Therefore, when MN 80 roams to another sub-network of the internal network 40, for instance from the second sub-network (Subnet 2) to the third sub-network (Subnet 3), the DHCP server 41 discovers MN 80, MN 80 sends an IP address request message 105 to the DHCP server 41, and the DHCP server 41 assigns a new dynamic IP address 110 to MN 80 (S205).
MN 80 then uses the new IP address as a care-of address (CoA) and sends a Registration Request (Reg-Req) message 115 to the internal home agent (i-HA) 45 (S210). Because i-HA 45 already recognizes MN 80, it registers it and returns a Registration Reply (Reg-Reply) message 120 to MN 80 (S215), completing the internal-network roaming registration procedure.
As shown in Figure 3, the external network (Internet) 50 is an unprotected public network and may consist of several external networks; Fig. 3 shows a first external network and a second external network. Each external network may contain several sub-networks and is connected to a foreign AAA server (AAAF) 53, an x-HA 54, an external foreign agent (x-FA) 55, a DHCP server 56 and at least one wireless access point (WAP) 57.
Figure 6 and Figures 7A and 7B are the registration flow chart and timing diagrams of MN 80 roaming in the external network 50. When MN 80 roams from the internal network 40 to the external network 50, the local DHCP server 56 likewise automatically assigns a dynamic IP address to MN 80 (S400); MN 80 uses this IP address as a care-of address (CoA) 300 and sends a Reg-Req message 305 to x-HA 54 (S405).
The Reg-Req message 305 should include a home address (HoA), the HA address, authentication information that must be authorized by AAAH 61, the MN's Network Access Identifier (NAI) and similar request fields.
In the Reg-Req message 305 received by x-HA 54, the HoA and HA address should both be set to 0.0.0.0, indicating that MN 80 wants to obtain an external home address (x-HoA) in the external network. x-HA 54 therefore generates a MIP-Feature-Vector attribute-value pair (AVP) in which the Home-Address-Requested (HAR) flag of MN 80, the Home-Agent-Requested flag and the Co-Located-Mobile-Node-Requested flag are set to "1".
x-HA 54 then places the MIP-Feature-Vector AVP in an AA-Mobile-Node-Request (AMR) message 310, extracts the necessary information from the Reg-Req message and adds it to the relevant AVPs, and sends the AMR message 310 to the local AAAF 53 (S410).
AAAF 53 first checks whether the Home-Agent-Requested flag bit in the MIP-Feature-Vector AVP is "1".
If it is "1", AAAF 53 asks AAAH 61 to allow an x-HA 54 in the visited external network to be assigned as the home agent (HA) of MN 80. AAAF 53 therefore sets the Foreign-Home-Agent-Available flag in the MIP-Feature-Vector AVP of the received AMR message 310, inserts the Network Access Identifier (NAI) of at least one candidate x-HA 54 in the MIP-Candidate-Home-Agent-Host AVP, and then forwards the AMR message 310 to AAAH 61 (S415).
After AAAH 61 receives the AMR message 310 forwarded by AAAF 53, it must authorize the Reg-Req message 305 of MN 80. AAAH 61 therefore uses the Security Parameters Index (MN-AAA-SPI) carried in the AMR message 310 to determine which security policy MN 80 uses, such as the cryptographic algorithm and the long-term shared key.
If AAAH 61 authorizes successfully, it checks whether the Home-Agent-Requested flag and the Foreign-Home-Agent-Available flag in the MIP-Feature-Vector AVP of the AMR message 310 are both "1". If so, the MN is requesting the dynamic assignment of an x-HA 54 in the visited external network domain, and AAAH 61 also establishes a security association (SA) between x-HA 54 and the MN in the visited external network domain (S420).
AAAH 61 therefore generates keying material (Key Materials) of at least 128 random bits, generally called Nonces, and uses the Nonces to compute a session key, which secures this security association (SA).
The MIP-Feature-Vector AVP in the AMR message 310 sent by x-HA 54 and AAAF 53 also contains the Key-Requested flag for the key between MN 80 and the home agent (HA). The session key can be transferred securely to x-HA 54 by the AAA server using the Diameter protocol.
This is because the IPsec standard or the Transport Layer Security (TLS) standard (IETF RFC 2246) is mandatory for protecting communication between Diameter nodes (servers, clients and proxies). The session key, however, cannot be delivered directly to MN 80, because it would then be exposed in an unprotected network protocol; only the keying material (Nonces) is given to MN 80.
AAAH 61 therefore generates a Home-Agent-MIP-Request (HAR) message 315, encapsulates the session key and the Reg-Req message in the relevant AVPs of the HAR message 315, and sends it to the candidate x-HA 54 via AAAF 53 (S425); here AAAF 53 mainly plays the role of a proxy server. x-HA 54 thus obtains the keying material (Nonces) for x-HA 54 and MN 80 from the relevant AVPs of the HAR message 315.
If the HAR message 315 received by x-HA 54 does not contain the address of MN 80 (the MIP-Mobile-Node-Address AVP) and the Home-Agent-Address-Requested flag in the feature vector AVP is set to "1", x-HA 54 automatically allocates an x-HoA for MN 80 and places it in the MIP-Mobile-Node-Address AVP, and x-HA 54 automatically sets its own address in the MIP-Home-Agent-Address AVP.
x-HA 54 then stores the session key shared between MN 80 and x-HA 54, copies the keying material into a Registration Reply (Reg-Reply), and generates a Home-Agent-MIP-Answer (HAA) message 320 that is sent back to AAAH 61 via AAAF 53 (S430). The HAA message 320 contains at least a MIP-Reg-Reply AVP carrying the registration reply with the keying material (Nonces), a Result-Code AVP, a MIP-Mobile-Node-Address AVP carrying the x-HoA of MN 80, and a MIP-Home-Agent-Address AVP carrying the address of x-HA 54.
After AAAH 61 receives the HAA message 320 sent by x-HA 54 via AAAF 53, AAAH 61 obtains the x-HoA of MN 80 from the MIP-Mobile-Node-Address AVP and the address of x-HA 54 from the MIP-Home-Agent-Address AVP.
AAAH 61 then builds a new HAR message 325, inserts the x-HoA and the x-HA address into the MIP-Mobile-Node-Address and MIP-Home-Agent-Address AVPs respectively, and sends the HAR message 325 to i-HA 45 for registration (S435).
After i-HA 45 receives the HAR message 325 and obtains the x-HoA from its AVPs, it registers the obtained x-HoA as the public CoA of MN 80; once i-HA 45 has recognized the HAR message 325, it builds a new HAA message 330 and sends it to AAAH 61 (S440).
After receiving the HAA message 330 sent by i-HA 45, AAAH 61 can see from its Result-Code AVP that authorization succeeded. AAAH 61 therefore builds an AA-Mobile-Node-Answer (AMA) message 335 and sends it to x-HA 54 via AAAF 53 (S445). The AMA message 335 contains a Result-Code indicating DIAMETER success, the MIP-Home-Agent-Address AVP, the MIP-Mobile-Node-Address AVP and the MIP-Reg-Reply AVP, and these AVPs are copied from the received HAA message 330.
When x-HA 54 receives the AMA message 335 sent by AAAH 61 and its Result-Code AVP shows that authorization succeeded, x-HA 54 obtains a Reg-Reply message 340 from the MIP-Reg-Reply AVP of the AMA message 335 and forwards this Reg-Reply message 340 to MN 80 (S450). Otherwise x-HA 54 silently discards the AMA message 335.
Once MN 80 receives the Reg-Reply message 340, MN 80 obtains the new x-HoA, the x-HA address and the keying material (Nonces). MN 80 then uses the received keying material (Nonces), the same hashing algorithm as AAAH 61 and the long-term shared key to compute the correct session key.
Therefore, after MN 80 has been authorized by AAAH 61 and registered with x-HA 54 and i-HA 45 according to the Mobile IPv4 security standard, it can use the x-HoA to connect to the VPN gateway device, establishing an IPsec tunnel 345 between MN 80 and the VPN gateway device (S455) and restoring secure communication as in the internal network.
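As an added example, not code from the original description or from any Diameter implementation, the following Python walks the S405 to S450 exchange above as plain dictionaries standing in for Diameter AVPs: the x-HA sets the request flags in the MIP-Feature-Vector, the AAAF adds Foreign-Home-Agent-Available and a candidate x-HA, the AAAH authorizes by MN-AAA-SPI, creates the Nonces and derives the session key, the x-HA allocates the x-HoA and keeps the key, the i-HA records the x-HoA as public CoA, and the MN re-derives the same key from the Nonces it receives. The flag bit positions, the NAI, addresses, SPI and long-term key are constructed; HMAC-SHA256 is an assumed choice for the keyed hash, and the failure Result-Code is an assumed value. Two properties are checked: the session key itself never appears in the Reg-Reply delivered to the MN, and a failed AMA is silently dropped.

```python
import hashlib
import hmac
import secrets

# Flag bits of the MIP-Feature-Vector AVP, using the names in the description;
# the bit positions are constructed for this example.
HOME_ADDRESS_REQUESTED = 1 << 0
HOME_AGENT_REQUESTED = 1 << 1
CO_LOCATED_MOBILE_NODE_REQUESTED = 1 << 2
FOREIGN_HOME_AGENT_AVAILABLE = 1 << 3
KEY_REQUESTED = 1 << 4
DIAMETER_SUCCESS = 2001         # Diameter base protocol Result-Code for success
AUTHORIZATION_REJECTED = 5003   # assumed failure Result-Code for this example

# Constructed sample values (not from the description).
MN_NAI = "mn80@intranet.example"
MN_AAA_SPI = 1000
AAAH_LONG_TERM_KEYS = {MN_AAA_SPI: b"constructed-long-term-shared-key"}
MN_LONG_TERM_KEY = AAAH_LONG_TERM_KEYS[MN_AAA_SPI]   # the MN holds the same key
X_HA_ADDRESS = "198.51.100.7"
X_HOA_POOL = ["198.51.100.150"]
XHA_SESSION_KEYS = {}   # x-HA state: x-HoA -> session key
IHA_BINDINGS = {}       # i-HA state: NAI -> public CoA and x-HA address


def derive_session_key(long_term_key, nonces):
    """AAAH and the MN compute the MN/x-HA session key from the Nonces and the
    long-term shared key with the same keyed hash (HMAC-SHA256 assumed)."""
    return hmac.new(long_term_key, nonces, hashlib.sha256).digest()


def mn_reg_req():
    """S405: HoA and HA address 0.0.0.0 ask for an x-HoA in the visited network."""
    return {"HoA": "0.0.0.0", "HA": "0.0.0.0", "NAI": MN_NAI, "MN-AAA-SPI": MN_AAA_SPI}


def xha_build_amr(reg_req):
    """S410: x-HA sets the request flags and wraps the Reg-Req in an AMR."""
    if reg_req["HoA"] != "0.0.0.0" or reg_req["HA"] != "0.0.0.0":
        raise ValueError("only the dynamic x-HoA case is modelled")
    flags = (HOME_ADDRESS_REQUESTED | HOME_AGENT_REQUESTED
             | CO_LOCATED_MOBILE_NODE_REQUESTED | KEY_REQUESTED)
    return {"MIP-Feature-Vector": flags, "MN-AAA-SPI": reg_req["MN-AAA-SPI"],
            "User-Name": reg_req["NAI"], "MIP-Reg-Request": reg_req}


def aaaf_forward_amr(amr):
    """S415: AAAF offers a local candidate x-HA if Home-Agent-Requested is set."""
    amr = dict(amr)
    if amr["MIP-Feature-Vector"] & HOME_AGENT_REQUESTED:
        amr["MIP-Feature-Vector"] |= FOREIGN_HOME_AGENT_AVAILABLE
        amr["MIP-Candidate-Home-Agent-Host"] = "xha54@visited.example"
    return amr


def aaah_on_amr(amr):
    """S420/S425: authorize via MN-AAA-SPI, require both flags, then create the
    Nonces and session key. Returns a HAR for the candidate x-HA or an error."""
    key = AAAH_LONG_TERM_KEYS.get(amr["MN-AAA-SPI"])
    both = HOME_AGENT_REQUESTED | FOREIGN_HOME_AGENT_AVAILABLE
    if key is None or amr["MIP-Feature-Vector"] & both != both:
        return {"Result-Code": AUTHORIZATION_REJECTED}
    nonces = secrets.token_bytes(16)   # at least 128 random bits of keying material
    return {"Session-Key": derive_session_key(key, nonces), "Nonces": nonces,
            "MIP-Feature-Vector": amr["MIP-Feature-Vector"],
            "MIP-Reg-Request": amr["MIP-Reg-Request"]}


def xha_on_har(har):
    """S430: allocate an x-HoA, keep the session key, answer with HAA. The
    Reg-Reply carries only the Nonces, never the session key itself."""
    x_hoa = har.get("MIP-Mobile-Node-Address") or X_HOA_POOL[0]
    XHA_SESSION_KEYS[x_hoa] = har["Session-Key"]
    reg_reply = {"HoA": x_hoa, "HA": X_HA_ADDRESS, "Nonces": har["Nonces"]}
    return {"Result-Code": DIAMETER_SUCCESS, "MIP-Mobile-Node-Address": x_hoa,
            "MIP-Home-Agent-Address": X_HA_ADDRESS, "MIP-Reg-Reply": reg_reply}


def iha_on_har(har):
    """S435/S440: i-HA records the x-HoA as the MN's public care-of address."""
    IHA_BINDINGS[har["User-Name"]] = {"CoA": har["MIP-Mobile-Node-Address"],
                                      "x-HA": har["MIP-Home-Agent-Address"]}
    return {"Result-Code": DIAMETER_SUCCESS}


def xha_on_ama(ama):
    """S450: forward the Reg-Reply to the MN on success, silently drop otherwise."""
    if ama.get("Result-Code") != DIAMETER_SUCCESS:
        return None
    return ama["MIP-Reg-Reply"]


def run_external_roaming():
    """Full S405 to S450 exchange; returns what each party ended up with."""
    amr = aaaf_forward_amr(xha_build_amr(mn_reg_req()))
    har = aaah_on_amr(amr)
    if "Result-Code" in har:
        return None
    haa = xha_on_har(har)                                # HAR 315 via AAAF as proxy
    iha_haa = iha_on_har({"User-Name": MN_NAI, **haa})   # HAR 325 to the i-HA
    ama = {"Result-Code": iha_haa["Result-Code"], **{k: haa[k] for k in (
        "MIP-Home-Agent-Address", "MIP-Mobile-Node-Address", "MIP-Reg-Reply")}}
    reg_reply = xha_on_ama(ama)
    mn_key = derive_session_key(MN_LONG_TERM_KEY, reg_reply["Nonces"])   # MN side
    return {"x-HoA": reg_reply["HoA"], "x-HA": reg_reply["HA"],
            "session_key_sent_to_mn": "Session-Key" in reg_reply,
            "keys_match": hmac.compare_digest(mn_key, XHA_SESSION_KEYS[reg_reply["HoA"]]),
            "iha_public_coa": IHA_BINDINGS[MN_NAI]["CoA"]}


if __name__ == "__main__":
    print(run_external_roaming())
```

Note that `aaah_on_amr` refuses to create a security association unless both Home-Agent-Requested and Foreign-Home-Agent-Available are set, so an AMR that skipped the AAAF step is rejected, and the only secret that crosses the unprotected path to the MN is the Nonces.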
After the assignment of x-HA 54 is complete, the security associations (SA) with each local home agent (HA) in the visited external network will also have been established. From then on, MN 80 can register directly with the local x-HA 54 using the MIPv4 standard without going through the AAA server again; when MN 80 obtains a new care-of address (CoA) in the external network, it only needs to register with the assigned x-HA 54, just as when roaming in the internal network, and need not register with i-HA 45 again.
Within the same external network the IPsec tunnel need not be rebuilt. The session key, however, has a lifetime; when it expires, a new session key must still be generated through the Diameter-based AAA server. If MN 80 moves to yet another external network and must register anew with a local x-HA, the whole process above is performed once more, an x-HA is assigned again, and the IPsec tunnel is rebuilt as well.
The invention provides a technique that uses a dynamically assigned x-HA in place of a static x-HA, so that both the handoff delay between home agents (HAs) when roaming and the end-to-end delay are significantly reduced. The invention also applies the security association (SA) set up with Diameter MIPv4 between the home agents involved in the handoff, so the x-HA can be trusted, and the registrations with the x-HA and the i-HA are performed at the same time. The invention thus realizes a system platform for a mobile VPN that differs from known designs and improves overall usefulness.
The drawings and description disclosed above are only embodiments of the present invention; anyone skilled in the art can make other improvements according to the above description, and such changes still fall within the spirit of the invention and the scope defined by the claims.