1235570

IX. Description of the Invention

Internet mobility management system and method that traverses private networks

I. Technical Field

The present invention relates to mobile communication technology, and in particular to an Internet mobility management system and method that traverses private networks.

II. Prior Art

In recent years the number of mobile terminal devices such as notebook computers, mobile phones and personal digital assistants has grown very rapidly. Once these network devices are fitted with the Mobile IP protocol they can roam anywhere without changing their network settings. The demand of so many mobile devices for Internet connectivity, however, makes the shortage of IP addresses worse. Although IPv6, the next-generation Internet protocol, offers a practically unlimited address space, the IPv6 network environment has not yet taken shape, and the existing IPv4 environment is expected to remain in use for several more years.

A Network Address Translator (NAT) is a network device that translates between private and public network addresses. It lets many internal hosts share a few public addresses to reach external network resources, which eases the shortage of IP addresses. NATs come in several types according to their function; Network Address Port Translation (NAPT) is the most common one, translating not only the IP address but also the port number. NAPT has been adopted by many organizations so that a single external IP address can connect an internal private network to the external Internet.

As shown in Figure 1, NAPT works as follows. When it receives a packet sent outward from the internal network, it adds a corresponding record to its mapping table 11 and translates the packet, rewriting the source address and source port before sending it toward the destination. The mapping table records the correspondence between the packet before and after translation. When the receiver of that packet returns a response packet, NAPT looks up the mapping table for a matching record and performs the reverse translation, rewriting the destination address and destination port of the response, and finally returns it to the original sender. NAPT thus lets a private internal network freely access external network resources, but not the other way round: a connection initiated from the external network has no corresponding record in the mapping table, so NAPT cannot translate the packet. Unless a matching record exists in the NAPT mapping table, the external network cannot communicate with the internal one.

The Mobile IP protocol, proposed in 1996, gives mobile terminal devices mobility while attached to the network, free of the constraint that the network configuration must be adapted to each location; a mobile node (MN) can roam anywhere without changing its network settings. As shown in Figure 2, in Mobile IP the mobility of MN21 is provided by the home agent 22 (HA) and the foreign agent 23 (FA). When MN21 roams to a foreign network it first obtains a care-of address (CoA) of that network, then sends a registration request (RRQ) to HA22 to register the CoA with it. After successful registration HA22 intercepts packets addressed to MN21 and forwards them to the CoA of MN21, so that MN21 receives the packets meant for it. Packet forwarding uses tunneling, and Mobile IP defines three tunneling methods: IP encapsulation within IP, Minimal Encapsulation and Generic Routing Encapsulation.

As mentioned above, with the growing number of mobile terminal devices, integrating Mobile IP with private networks is an inevitable trend. When Mobile IP components are placed behind a NAPT, however, the following potential integration problems arise:

(1) Unreachable HA: under the operating rules of NAPT, a network connection can only be used after it has been initiated from the network inside the NAPT toward the external network; at initiation the path is one-way. An MN that roams to an external network must register with its HA, and that registration is an initiation from the external network toward the internal one. The home NAPT cannot perform the corresponding packet translation, so from the MN's point of view the HA is unreachable.

(2) Insufficient translation information: when translating a packet, NAPT inspects its IP addresses and port numbers, records the source and destination of the packet in the mapping table, and then translates it. In a packet that has been tunnel-encapsulated NAPT cannot see any port number, and for lack of the required information it cannot translate the packet.

(3) Identical home address: when several MNs that use the same private network address but come from different home networks arrive in the same external network at the same time, each of them must obtain a care-of address. If that external network uses FA mode, all of the MNs use the FA's address as their CoA, and when the FA receives a packet to deliver to an MN, it cannot tell which of the MNs holding the same private home address is the real destination.

(4) Handoff detection: when an MN roams from one external network to another, the nature of private networks means that it may encounter another FA with the same network address. If the MN relies on a change of the FA's IP address to decide that it has roamed to another external network, it cannot judge accurately.

(5) Unknown home NAPT: while the MN is on its home network it does not know that it is in a private network isolated by a home NAPT, that is, the MN has no information about the home NAPT. Once the MN roams to an external network it must register with the HA; the home NAPT lies on the path the registration request must take, and the address of the HA is a private address that cannot be routed on the Internet, so the MN must first send the request to the home NAPT, which translates it and delivers it to the HA. Because the MN has no information about the home NAPT, it cannot send the registration request to the home NAPT, the request never reaches the HA, and mobility cannot be achieved.

To solve these problems, the integration of Mobile IP with private networks has been discussed in an IETF (Internet Engineering Task Force) working group for several years. One scheme uses reverse tunneling and solves the integration problem for one particular network configuration (Figure 3). In Figure 3 both the home network and the foreign network are private networks, and FA23 and HA22 each have two or more network interfaces, one connected to the private network and another connected to the public network, joined through the Internet. MN21 obtains a care-of address of the foreign network when it roams there. The correspondent node 31 (CN) must be a private network node located on the home network; it cannot be a network host holding a public IP address. When MN21 communicates with CN31, the packets are reverse-tunneled back to the home network; HA22 decapsulates them and forwards them to CN31 with a link-layer mechanism.

For CN31 to be a network host holding a public IP address, MN21 must first obtain a public IP address from HA22 before communicating with CN31, and then uses that IP address for its communication with the CN.

The reverse tunneling just described lets one specific, simple network configuration run Mobile IP over private networks: the position of the CN is confined to the home network, and the MN never returns to the home network. That is the norm in mobile telephone networks, but not on the Internet.

Figure 4 shows a known solution for integrating Mobile IP with NAT, in which the HA (or FA) and the NAT must be installed on the same host. As shown, when MN21 roams to a foreign network it obtains a public IP address from HA22, which is responsible for assigning public IP addresses to MN21. When CN31 wants to communicate with MN21, whose home is on the home network, it first sends a DNS (Domain Name Server) query; DNS server 32 passes the query to HA22, which triggers HA22 to assign a public IP address to the corresponding MN21. HA22 returns that public IP address to DNS server 32, which finally answers CN31 with the assigned address, after which CN31 and MN21 can communicate directly.

This method combines the mobility agent and the NAT in one host that provides both services. Such a configuration sidesteps many potential integration problems and offers an integrated solution, and a CN is allowed to initiate a connection to an MN inside a private network. Its drawbacks are that every MN must obtain a public IP address before communicating, so the maximum number of MNs that can communicate simultaneously is limited by the number of public IP addresses; the HA and the DNS must coordinate with each other so that the DNS can trigger the HA to hand a public IP address to the MN; and a CN that does not first send a DNS query cannot initiate a connection to the MN.

In addition, UDP tunneling was devised to make tunnel-encapsulated packets compatible with NAPT so that they can traverse it. UDP tunneling adds an extra UDP header after the outer header of an already tunnel-encapsulated packet, so that the outer header together with the UDP header can be recognized by NAPT and translated just like ordinary TCP/IP or UDP/IP traffic. Figure 5 shows an example of a UDP-tunneled packet format, the IP-in-IP version of UDP tunneling, in which UDP header 51 and MIP Data Message header 52 are the newly added headers. UDP tunneling is used for the forward and reverse tunnels that carry data packets; the Mobile IP registration packets are themselves UDP packets and need no such addition. In the added UDP header, the source port is set to the source port of the registration packet most recently sent by the MN and the destination port is fixed at 434; when the HA forwards a packet to an MN in a foreign network, the source and destination port numbers are simply swapped. UDP tunneling handles the case where the foreign network is a private network isolated by a NAPT. Yet even though UDP tunneling lets tunneled packets pass through a NAPT, the original NAPT limitation remains: the external network cannot initiate a connection to the home network.
III. Summary of the Invention

One object of the present invention is to provide an Internet mobility management system and method that traverses private networks and meets the operational needs of mobile-node mobility without making the shortage of IP addresses worse.

Another object of the present invention is to provide an Internet mobility management system and method that traverses private networks and meets the operational needs of mobile-node mobility when both the home network and the external network are private networks.

According to one feature of the present invention, in the proposed Internet mobility management system that traverses private networks, a home network that is a private network is provided with a home agent and a home NAPT, a foreign network is provided with a foreign agent, and a mobile node registered on the home network can roam to the foreign network. The home agent, the foreign agent and the mobile node communicate using UDP tunneling; the Mobile IP registration port of the home NAPT is bound to the Mobile IP registration port of the home agent; and the data packets sent by the mobile node are routed by reverse tunneling.

According to another feature of the present invention, the proposed Internet mobility management method that traverses private networks meets the operational needs of a mobile node that roams from its home network to a foreign network. The home network is a private network provided with a home agent and a home NAPT, the Mobile IP registration port of the home NAPT being bound to the Mobile IP registration port of the home agent, and the foreign network is provided with a foreign agent. The method mainly comprises: a registration procedure, in which the mobile node that has roamed to the foreign network sends a registration packet through the foreign agent and the home NAPT to register with the home agent, the destination address of the registration packet being the IP address of the home NAPT and its destination port the Mobile IP registration port, so that when the home NAPT receives the registration packet it forwards it to the home agent according to the preset registration-port binding; and a data packet transmission procedure, in which the mobile node that has roamed to the foreign network sends data packets to a correspondent node through the foreign agent, the home agent and the home NAPT, the foreign agent encapsulating the data packets with UDP tunneling and setting the destination port of the added header to the Mobile IP registration port, so that according to the preset registration-port binding the data packets are routed to the home agent and then on to the correspondent node.

IV. Detailed Description of the Preferred Embodiments

To let the examiners better understand the technical content of the present invention, preferred embodiments are described below.

For the Internet mobility management system of the present invention that traverses private networks, refer first to the network configuration in Figure 6. Home network 61 is a private network provided with HA611 and home NAPT612 (Home NAPT); foreign network 62 may be a public network or a private network, and in this embodiment it is a private network. In the flows below, FA621 and foreign NAPT622 (with mapping table 623) belong to foreign network 62, home NAPT612 keeps mapping table 613, MN63 is the mobile node and CN64 the correspondent node.

In the UDP tunneling design, once a data packet has been encapsulated the destination port in its UDP header always points to port 434, so combining reverse tunneling with the binding of port 434 lets data packets flow unobstructed between CN64 and MN63.

The message flows for communication with the above system are shown in Figures 7 and 8. Figure 7 shows the transmission of registration messages, that is, the flow of the registration packet when MN63 roams to foreign network 62, in the following order:

(1-1) MN63 receives an agent advertisement sent by FA621, which tells MN63 that it has roamed to an external network. FA621 may include its NAI in the advertisement so that MN63 can tell that it is moving between different FAs, or include the IP address of the public-network interface of the foreign NAPT, which MN63 can combine with the private address of the FA to decide whether it has moved into the range of another FA621.

(1-2) Having decided that it has moved into the range of another FA621, MN63 sends a registration request (RRQ) to HA611. The destination address in the packet is the IP address of home NAPT612 and the destination port is 434.

(1-3) FA621 notes the link-layer address of MN63, its home address and the address of MN63's home NAPT612, so that it can later tell how to forward packets for MNs that share the same home address. FA621 then forwards the packet.

(1-4) Foreign NAPT622 translates the address of this registration packet (rewriting the source IP and source port), records the translation in mapping table 623, and sends the packet to the destination recorded in it, namely home NAPT612.
(1-5) Home NAPT612 receives the registration packet, consults its address translation mapping table 613, finds that port 434 is bound to port 434 of HA611, rewrites the destination IP address to the IP address of HA611, and forwards the packet to HA611.

(1-6) After HA611 receives the registration packet and completes the registration procedure, it returns a registration reply (RRP) whose addresses and ports are those of the received packet reversed: the destination address is now the IP address of foreign NAPT622 and the destination port is the port that foreign NAPT622 assigned in step (1-4).

(1-7) Home NAPT612 receives the registration reply and translates it according to the previously established mapping table 613: the source IP becomes the IP address of home NAPT612 while the source port is left unchanged (still 434), and the packet is sent out with foreign NAPT622 as its destination.

(1-8) On receiving it, foreign NAPT622 consults address translation mapping table 623, rewrites the destination address and destination port of the packet to the source address and source port of the registration packet forwarded in step (1-3), and passes it to FA621. If registration succeeded, FA621 also records where the home NAPT of MN63 is.

(1-9) By comparing the source and destination addresses of this packet with the correspondence noted in step (1-3), FA621 determines which MN63 is the final recipient of the registration reply and delivers it to MN63 with a link-layer mechanism.

Figure 8 shows the transmission of data packets, that is, the flow of a data packet sent by MN63.
Its message flow is as follows:

(2-1) MN63 opens a connection to CN64. The packet first passes through FA621; its source IP and destination IP are the home address of MN63 and the IP address of CN64 respectively.

(2-2) FA621 encapsulates the packet with UDP tunneling. The source and destination addresses of the added header are the IP address of FA621 and the IP address of home NAPT612; the destination port is 434 and the source port is the same as in the last registration packet.

(2-3) Foreign NAPT622 receives the packet, creates the appropriate entry in mapping table 623, and rewrites the source IP and source port: the source IP becomes the IP address of foreign NAPT622 and the source port is chosen by foreign NAPT622 itself. The packet is then sent to home NAPT612.

(2-4) Home NAPT612 receives the packet, sees that its destination port is 434, looks up mapping table 613, rewrites the destination IP to the IP address of HA611, and forwards it to HA611.

(2-5) HA611 receives the packet on port 434, decapsulates it and forwards it on; the destination IP of the packet is now CN64 and the source is the home address of MN63.

(2-6) Home NAPT612 receives this packet, creates a record in address translation mapping table 613, rewrites the source IP to the IP address of home NAPT612 and the source port to one of its own choosing, and sends the packet to its destination, CN64.

(2-7) CN64 receives the packet, processes it and returns a response packet whose header addresses and ports are those of the received packet reversed, i.e. the destination IP is home NAPT612.
(2-8) Home NAPT612 receives the response packet, checks address translation mapping table 613, rewrites the destination IP and destination port back to the source IP and source port of the packet received in step (2-6), and sends it toward the home address of MN63.

(2-9) HA611 intercepts the response packet and tunnels it with UDP tunneling to the network where MN63 currently is. The destination IP of the added header is the IP address of foreign NAPT622, the source port is 434, and the destination port is the same as in the earlier registration packet.

(2-10) Home NAPT612 receives this packet, looks up address translation mapping table 613, rewrites the source IP and port, and sends the packet toward its destination address.

(2-11) Foreign NAPT622 receives the packet, looks up address translation mapping table 623, rewrites the destination IP and destination port to the source IP and source port of the packet received in step (2-3), and sends it to FA621.

(2-12) FA621 receives the packet, removes the UDP tunnel encapsulation, and hands it to MN63 with a link-layer mechanism.

When foreign network 62 is a public network, a similar message flow also achieves traversal of the private network. Figure 9 shows the transmission of registration messages, that is, the flow of the registration packet when the MN roams to a foreign network 62 that is a public network, in the following order:

(3-1) The MN receives an agent advertisement sent by the FA, telling it that it has roamed to an external network.

(3-2) Having decided that it has moved into the range of another FA, the MN sends a registration message to the FA.
The FA records the MAC address of the MN and the IP address of its home NAPT.

(3-3) The FA forwards the registration message to the home NAPT.

(3-4) The home NAPT receives the registration packet, consults its address translation mapping table, finds that port 434 is bound to port 434 of the HA, rewrites the destination IP address to the IP address of the HA, and forwards the packet to the HA.

(3-5) After the HA receives the registration packet and completes the registration procedure, it returns a registration reply packet.

(3-6) The home NAPT forwards the registration reply to the FA.

(3-7) The FA forwards the registration reply to the MN.

Figure 10 shows the transmission of data packets, that is, the flow of a data packet sent by the MN, in the following order:

(4-1) The MN opens a connection; the source IP and destination IP of the packet are the home address of the MN and the CN respectively. The packet then passes through the FA.

(4-2) The FA encapsulates the packet with UDP tunneling. The source and destination addresses of the added header are the IP address of the FA and the home NAPT of the MN, and the destination port is 434. The FA then forwards the packet to the home NAPT of the MN.
(4-3) The home NAPT receives this packet, sees that its destination port is 434, queries the mapping table, changes the destination IP to the IP of the HA, and forwards the packet to the HA.
(4-4) The HA receives a packet on port 434, removes the tunnel encapsulation, and forwards the inner packet onward; at this point the destination of the packet is the CN and its source is the home address of the MN.
(4-5) The home NAPT receives this packet, creates a record in the address translation mapping table, and then sends it on to the destination CN.
(4-6) The CN receives this packet, whose source IP is the IP of the home NAPT, and sends back a response packet. The destination IP of the response packet is the home NAPT.
(4-7) The home NAPT receives this response packet, checks the address translation mapping table, modifies the packet, and sends it toward the home address of the MN.
(4-8) The HA intercepts this response packet and encapsulates it with UDP tunneling, setting the source port to 434, and tunnels it to the network where the MN currently resides.
(4-9) The home NAPT receives this response packet, queries the address translation mapping table, modifies the source IP and port, and sends it toward the destination address.
(4-10) The FA receives this packet, removes the UDP tunnel encapsulation, and uses the link-layer mechanism to deliver it to the MN.

As can be seen from the above description, the present invention, through mechanisms such as UDP tunneling, reverse tunneling, and binding port 434 of the NAPT to port 434 of the HA, does solve the various problems of the prior art, allowing Mobile IP to interoperate with NAPT, and allowing the Mobile IP protocol to run even when both the FA and the HA are located inside private networks isolated by NAPT.

The above embodiments are given only as examples for convenience of explanation. The scope of the rights claimed for the present invention shall be determined by the appended claims and is not limited to the above embodiments.

V. Brief Description of the Drawings
Figure 1: a schematic diagram showing an internal private network connected to the external Internet by means of network address and port translation (NAPT).
Figure 2: a schematic diagram showing Mobile IP enabling a mobile node to roam anywhere.
Figure 3: a network configuration diagram showing reverse tunneling used to support private networks.
Figure 4: a network configuration diagram of a conventional scheme integrating Mobile IP and NAT.
Figure 5: an example of a packet format after UDP tunnel encapsulation.
Figure 6: a network configuration diagram of the Internet mobility management system for transparent private networks of the present invention.
Figure 7: the registration message flow of one embodiment of the Internet mobility management method for transparent private networks of the present invention.
Figure 8: the data packet transmission flow of one embodiment of the Internet mobility management method for transparent private networks of the present invention.
Figure 9: the registration message flow of another embodiment of the Internet mobility management method for transparent private networks of the present invention.
Figure 10: the data packet transmission flow of another embodiment of the Internet mobility management method for transparent private networks of the present invention.

Description of reference numerals
(11) (613) (623) mapping table
(21) (63) mobile node
(22) (611) home agent
(23) (621) foreign agent
(31) (64) correspondent node
(32) DNS server
(51) UDP header
(52) MIP Data Message header
(61) home network
(612) home NAPT
(62) foreign network
(622) foreign NAPT
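The port-434 binding of step (3-4) and the data packet flow of steps (4-1) to (4-9) described above, modelled as an added example that is not the patent's own code: a minimal port-translating NAPT whose public port 434 is statically tied to the HA, plus UDP-tunnel encapsulation; all IP addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass, replace

MIP_PORT = 434  # Mobile IP registration port; the home NAPT ties it to the HA's port 434

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    inner: "Pkt | None" = None  # set when this packet is a UDP-tunnel outer header

class NAPT:
    def __init__(self, pub_ip, ha_ip=None):
        self.pub = pub_ip
        self.table = {}  # public port -> (private ip, private port)
        if ha_ip:  # the patent's mechanism: NAPT port 434 bound to HA port 434
            self.table[MIP_PORT] = (ha_ip, MIP_PORT)
        self.next_port = 40000

    def outbound(self, p):
        """Private -> public: reuse or record a mapping, then rewrite the source."""
        for pub_port, priv in self.table.items():
            if priv == (p.src, p.sport):
                return replace(p, src=self.pub, sport=pub_port)
        self.table[self.next_port] = (p.src, p.sport)
        self.next_port += 1
        return replace(p, src=self.pub, sport=self.next_port - 1)

    def inbound(self, p):
        """Public -> private: only packets matching a table entry get through."""
        if p.dport not in self.table:
            return None  # no record: the 'unreachable HA' problem of plain NAPT
        ip, port = self.table[p.dport]
        return replace(p, dst=ip, dport=port)

def udp_tunnel(inner, src, sport, dst, dport):
    return Pkt(src, sport, dst, dport, inner)  # outer UDP header a NAPT can translate

def data_flow():
    """Steps (4-1) to (4-9): MN's packet reverse-tunnelled to HA, CN's reply tunnelled back."""
    home = NAPT("203.0.113.1", "10.0.0.2")  # constructed: NAPT public IP, HA private IP
    mn_pkt = Pkt("10.0.0.50", 1234, "192.0.2.9", 80)  # (4-1) MN home address -> CN
    outer = udp_tunnel(mn_pkt, "198.51.100.7", 50001, "203.0.113.1", MIP_PORT)  # (4-2) FA
    at_ha = home.inbound(outer)  # (4-3) destination rewritten to the HA
    to_cn = home.outbound(at_ha.inner)  # (4-4)/(4-5) HA decapsulates, NAPT records mapping
    reply = Pkt(to_cn.dst, to_cn.dport, to_cn.src, to_cn.sport)  # (4-6) CN answers the NAPT
    back = home.inbound(reply)  # (4-7) translated back to MN's home address
    tun = udp_tunnel(back, "10.0.0.2", MIP_PORT, "198.51.100.7", 50001)  # (4-8) HA, sport 434
    return home.outbound(tun)  # (4-9) outer source rewritten via the existing port-434 entry
```

Without the `ha_ip` binding, `inbound()` returns None for the FA's registration request to port 434, which is the unreachable-HA condition the description sets out to remove.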