WO2007109963A1 - Virtual private network gateway and IPv6 network system, and system for implementing a mobile virtual private network in a hybrid network and corresponding method - Google Patents
Virtual private network gateway and IPv6 network system, and system for implementing a mobile virtual private network in a hybrid network and corresponding method
- Publication number
- WO2007109963A1 (PCT/CN2007/000446)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- ipv6
- address
- vpn
- ipv4
- network
- Prior art date
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
  - H04L63/0272—Virtual private networks
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/03—Protecting confidentiality, e.g. by encryption
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
  - H04W80/04—Network layer protocols, e.g. mobile IP [Internet Protocol]
  - H04W80/045—Network layer protocols, e.g. mobile IP [Internet Protocol] involving different protocol versions, e.g. MIPv4 and MIPv6
Definitions
- the present invention relates to the field of network communication technologies, and in particular to a technology for implementing a mobile VPN.
Background of the invention
- Mobile VPN: mobile Virtual Private Network
- the MN (mobile node) supporting VPN maintains communication with nodes inside the VPN by establishing a tunnel with the VPN gateway from the external network.
- IPsec VPN: VPN based on the IPsec (IP network security) protocol
- IPsec: IP network security protocol
- if the mobile node obtains a configured care-of address on the external network, it can complete registration with the home agent inside the VPN by establishing an IPsec tunnel with the VPN gateway; however, the mobile node must renegotiate the IPsec tunnel with the VPN gateway every time its care-of address changes.
- renegotiating the tunnel at every change increases the delay of the network handover and reduces the node's mobility when it moves frequently.
- x-HA denotes the home agent set up in the external network.
- External Internet: external network
- the Internet (IPv4 network) supports Mobile IPv4.
- Internet: IPv4 network
- Home Net: home network
- Foreign Net: foreign network supporting Mobile IPv4.
- after the mobile node moves to the external network and obtains a care-of address, it first registers with the external home agent and obtains an x-HoA (external home address); it then uses the external home address to perform IKE (Internet Key Exchange) negotiation with the VPN gateway;
- IKE: Internet Key Exchange
- the IPsec tunnel is negotiated, and registration with the home agent inside the VPN is performed through the IPsec tunnel, so that the mobile node can communicate with the VPN internal network nodes.
- the following takes the case where the external network of the mobile node is configured with an x-FA (foreign agent of the external network) as an example to describe the registration process of the mobile node and the way the data packet is encapsulated.
- after the mobile node enters the external network configured with the external home agent, it obtains the foreign agent care-of address; at the same time, the mobile node also needs to send a standard mobile IPv4 registration request to the external home agent and the internal home agent;
- since the mobile node is located in the external network, it can only receive the registration response from the external home agent; from the response message, the mobile node obtains the x-HoA assigned by the external home agent and uses it as its care-of address on the external network;
- the mobile node uses the obtained x-HoA as the endpoint address of the IKE negotiation and the IPsec tunnel to establish a tunnel with the VPN gateway; during the negotiation, the VPN gateway assigns a VPN-TIA (VPN tunnel internal address) to the mobile node;
- the node uses the VPN-TIA as the care-of address registered with the internal home agent, and sends the registration to the internal home agent encapsulated in the IPsec tunnel; after the registration is completed, the mobile node and the communication node inside the VPN can communicate.
- the communication packet is encapsulated three times; the specific encapsulation result is shown in Figure 2.
- the outermost x-MIP layer is the mobile IPv4 encapsulation from the mobile node to the external home agent, the middle layer is the IPsec encapsulation from the x-HA to the VPN gateway (VPN GW), and the innermost i-MIP layer is the VPN-internal mobile IPv4 encapsulation.
- with the introduction of the external home agent in the above scheme, the VPN network structure becomes more complicated and the maintenance cost increases.
- the introduction of the external home agent also brings new problems, such as where to locate the external home agent and whether the external home agent can be trusted.
- IPsec supporting the MOBIKE (IKEv2 Mobile and Multi-Interface Protocol) protocol is used as the tunneling technology between the mobile node and the VPN gateway to solve the above two problems.
- MOBIKE: IKEv2 Mobile and Multi-Interface Protocol
- MOBIKE is an extension protocol based on IKEv2 that effectively supports mobility of both ends of the IPsec tunnel.
- IKEv2: Internet Key Exchange version 2
- the MOBIKE protocol allows the nodes at both ends of the tunnel to update their IP addresses while maintaining IKE SA and IPsec SAs. That is, the original IPsec tunnel can still be maintained after the node addresses on both ends of the tunnel are changed, without renegotiation.
- the network structure based on MOBIKE is shown in Figure 3.
- the mobile node When the mobile node is located in a foreign network inside the VPN, it uses standard mobile IPv4 to communicate with the home agent and communication node inside the VPN. When the mobile node leaves the VPN internal network and enters the external network, it performs IKE negotiation with the VPN gateway to establish an IPsec tunnel that supports MOBIKE. At the same time, within the VPN, the mobile node and the home agent still maintain a valid mobile IPv4 binding cache, and the mobile node uses the VPN-TIA designated by the VPN gateway as the configuration care-of address of the VPN internal network to register with the internal home agent.
- after the mobile node moves from one external network into another, it obtains a new mobile IPv4 care-of address. At this point, the mobile node uses the MOBIKE protocol to update the endpoint IP addresses of its IKE SA and IPsec SAs, and notifies the VPN gateway to update the IP address of the corresponding SAs. After the SA address update is completed, communication continues over the original IPsec tunnel.
- Embodiments of the present invention provide a VPN gateway, an IPv6 network system, and a system and method for implementing a mobile VPN in a hybrid network, to solve the application problem of the mobile VPN in an IPv4 and IPv6 hybrid network, so that VPN services based on IPv6 networks can be carried out in existing network scenarios.
- the embodiment of the present invention provides a VPN gateway, which includes an IPv4 packet processing unit, an IPv4 interface, an IPv6 packet processing unit, and an IPv6 interface, where the IPv4 interface is used to exchange IPv4 packets with the IPv4 network.
- the IPv4 packet processing unit is used to encapsulate or decapsulate IPv4 packets.
- the IPv6 interface is used to exchange IPv6 packets with the IPv6 network.
- the IPv6 packet processing unit is configured to encapsulate or decapsulate IPv6 packets.
- the embodiment of the present invention provides an IPv6 network system, where the system can traverse the IPv4 network and communicate with the IPv6 network inside the VPN through the VPN gateway.
- the internal interface provided by the VPN gateway is an IPv6 interface
- the external interface is an IPv4 interface.
- the system further includes a tunnel establishment module, configured to establish between the VPN gateway and the external network a tunnel that can transmit the VPN packets exchanged between the two networks, where the addresses of the two ends of the tunnel are respectively an IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway.
- the packet encapsulation and delivery module is configured to send the VPN packet destined for the peer end through the tunnel.
- the embodiment of the present invention provides a system for implementing a mobile VPN in a hybrid network, including an external network, an IPv4 network, a VPN, and a VPN gateway.
- the VPN internal network is an IPv6 network
- the internal interface provided by the VPN gateway is IPv6.
- the external interface is an IPv4 interface
- the external network includes an IPv4 external network and an IPv6 external network
- the system further includes:
- the tunnel establishment module is configured to establish a tunnel between the VPN gateway and the external network that can transmit the VPN packets exchanged between the two networks, where the addresses of the two ends of the tunnel are respectively the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway;
- the packet encapsulation and delivery module is configured to send the VPN packet destined for the peer end by using the tunnel.
- Embodiments of the present invention provide a method for implementing a mobile VPN in a hybrid network, where the method is applied to a hybrid network including an IPv4 network and an IPv6 network inside a mobile virtual private network VPN, and a VPN is set in the hybrid network.
- the VPN gateway provides an internal interface with an IPv6 address and an external interface of an IPv4 address, and the method includes:
- a tunnel is established between the VPN gateway and the external network to transmit the VPN packets exchanged between the external network and the IPv6 network inside the VPN, where the addresses at both ends of the tunnel are respectively the IPv4 address of the external network and an IPv4 address of the external interface provided by the VPN gateway, and the external network is an IPv4 external network or an IPv6 external network;
- the VPN packet to be transmitted is encapsulated in an IPv4 header and transmitted through the tunnel, implementing the VPN service in the hybrid network.
- the embodiment of the present invention implements the mobile VPN service in the IPv4 and IPv6 hybrid network by using IPv6 in IPv4 tunneling technology, so that the mobile VPN service can still be provided during the transition from IPv4 networks to IPv6.
- Figure 1 shows the structure of a mobile VPN configured with an external home agent in an IPv4 environment
- FIG. 2 is a schematic diagram of a data packet encapsulation structure
- Figure 3 shows the structure of a mobile VPN configured with MOBIKE in an IPv4 environment
- FIG. 4 is a schematic structural diagram of a network of a mobile VPN of a hybrid network according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of a DNS request forwarding process in FIG. 3;
- FIG. 6 is a schematic diagram of the DNS response forwarding processing process in FIG. 3.
Mode for carrying out the invention
- the embodiment of the present invention provides a mobile VPN network structure and corresponding device functions in an IPv4-v6 hybrid network, and a method for the mobile node to access the VPN from different types of networks, thereby solving the problem of updating the SA (Security Association) address of the mobile node when it switches between different types of networks.
- SA: Security Association
- the specific embodiment of the present invention uses the "IPv6 island" and "IPv4 ocean" IPv4-v6 hybrid network as the basic network framework, solves the problem of updating the SA address of the mobile node by introducing the MOBIKE extension protocol, and combines IPv6 in IPv4 tunnel technology with domain name resolution so that the mobile node can communicate with the VPN gateway from both the IPv6 network and the IPv4 network; in this way the mobile node can communicate with the internal nodes of the VPN from multiple types of networks.
- the embodiment of the present invention mainly adopts IPv6 in IPv4 tunneling technology and configures a device such as a DNS-ALG (Domain Name Server-Application Layer Gateway) so that a mobile node located in an IPv6 external network can query the IPv6 address of the VPN gateway through the IPv4 network and communicate accordingly; therefore, when the mobile node is located in the IPv6 external network, it can still communicate with the VPN gateway in the IPv4 network, thereby implementing the mobile VPN service in the IPv4 and IPv6 hybrid network.
- DNS-ALG: Domain Name Server-Application Layer Gateway
- the mobile node may be located in the IPv6 internal network (that is, inside the VPN), in the IPv4 external network, or in the IPv6 external network; the different situations require different communication methods so that the mobile VPN service can be implemented in the hybrid network.
- on a network switch, communication with other nodes is first suspended, and the type of the current network is determined according to the IP address type;
- the method of querying the VPN address determines whether the mobile node is located in the internal network or the external network, and an IPsec tunnel is established or the address of the existing IPsec SA is updated according to the situation; after the corresponding processing is completed, the previous communication is resumed.
- x-AR: external access router
- IPv4 and IPv6 dual protocol stacks are set in the DNS-ALG and the DNS server, and the dual protocol stack is also set in the VPN gateway; meanwhile, the x-AR and the VPN gateway need to have the IPv6 in IPv4 tunnel encapsulation and decapsulation functions.
- the corresponding process mainly includes the following steps:
- the mobile node's IPv6 DNS request for the VPN gateway is converted into an IPv4 DNS request by the DNS-ALG and then forwarded to the IPv4 network;
- after the IPv4 network returns the IPv4 address of the VPN gateway, the answer is first sent to the DNS-ALG.
- the DNS-ALG adds a specific prefix to the IPv4 address to form an IPv6 address, and finally returns that address to the mobile node.
- the mobile node constructs data packets according to the returned IPv6 address of the VPN gateway and communicates with the VPN gateway; the data packets exchanged between the mobile node and the VPN gateway are encapsulated and decapsulated by the IPv6 in IPv4 tunnel to implement communication between nodes of different protocol types.
- in this way, interworking of the mobile VPN service can be implemented in the hybrid network.
- the embodiment of the present invention provides a system for implementing a mobile VPN in a hybrid network, which includes an external network, an IPv4 network, a VPN, and a VPN gateway.
- the VPN internal network is an IPv6 network
- the internal interface provided by the VPN gateway is an IPv6 interface
- the external interface is an IPv4 interface
- the external network includes an IPv4 external network and an IPv6 external network
- the system further includes a tunnel establishment module and a packet encapsulation and delivery module, where:
- the tunnel establishment module is configured to establish, between the VPN gateway and the external network, a tunnel that can transmit the VPN packets exchanged between the two networks, the addresses of the two ends of the tunnel being respectively an IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway, that is, IPv4 packets are transmitted through the tunnel.
- the packet encapsulation and delivery module is configured at the two ends of the tunnel, and is configured to encapsulate the VPN packet to be sent in an IPv4 packet header and send the packet to the peer end through the tunnel, so that the peer end, whether in the IPv4 network or the IPv6 network, can recognise the IPv4 packet and communication can proceed normally.
- the IPv6 external network may be implemented by using either of the following two solutions:
- the first solution is that the IPv6 external network further includes the following functional entities:
- the DNS-ALG is configured as an IPv4 and IPv6 dual protocol stack, and is configured to provide the IPv6 address corresponding to the VPN gateway in the process of performing a VPN service through the IPv6 external network;
- the DNS server in the IPv6 network is configured with the DNS-ALG as its upper-level DNS;
- the external access router is configured as an IPv4 and IPv6 dual protocol stack, and is used to encapsulate IPv6 packets in IPv4 packets and decapsulate the corresponding packets.
- the second solution is that the IPv6 external network further includes the following functional entities:
- the DNS-ALG is configured to provide the IPv6 address corresponding to the VPN gateway in the process of performing the VPN service through the IPv6 external network;
- the DNS server in the IPv6 network is configured with the DNS-ALG as its upper-level DNS;
- a NAT-PT entity is used for communication with the external access router, and performs conversion between the corresponding IPv6 address and IPv4 address of the packets passing through it;
- the external access router is configured to send the packets converted by the NAT-PT entity to the VPN gateway, and to receive the packets sent by the VPN gateway.
- the main difference from the first solution is that the NAT-PT entity is added, which simplifies the processing in the external access router.
- FIG. 4 shows a networking structure of a technical solution for implementing a mobile VPN in an IPv4-v6 hybrid network according to an embodiment of the present invention.
- the VPN is internally an IPv6 network environment.
- the external network in this structure is the IPv4-based Internet, which also supports Mobile IPv4.
- External Net IPv4: IPv4 external network
- External Net IPv6: IPv6 external network supporting Mobile IPv6.
- the DNS-ALG device is set on the edge of the IPv6 external network, so that the mobile node can obtain the VPN gateway address in the IPv4 network through the domain name query on the IPv6 external network.
- the IPv6 network further includes a tunnel establishment module and a packet encapsulation transmission module.
- in the network system shown in Figure 4, the functions of each component device are as follows:
- mobile node: configured with an IPv4-v6 dual protocol stack, supporting standard MIPv4 (mobile IPv4) / MIPv6 (mobile IPv6), and configured with MOBIKE-capable IPsec;
- VPN gateway: set on the path between the internal network and the external network, providing one interface towards the internal network and one towards the external network; the external interface address facing the external network is an IPv4 address, and the internal interface address facing the internal network is an IPv6 address;
- an IPv4-v6 dual protocol stack is configured on the VPN gateway, the VPN gateway supports the IPv6 in IPv4 tunnel (the technology of transmitting IPv6 packets through an IPv4 tunnel), and it has an IPv4 packet processing unit used to encapsulate or decapsulate IPv4 packets.
- the IPv6 packet processing unit is used to encapsulate or decapsulate IPv6 packets.
- the VPN gateway also supports standard MIPv6 (Mobile IPv6 protocol) and supports MOBIKE (IPsec with the IKEv2 mobile and multi-interface protocol);
- the VPN gateway further includes an IPv4 address allocation unit, configured to allocate a VPN tunnel internal address to the mobile node moving to the IPv4 external network, where the address is a care-of address of the mobile node in the home network.
- DNS-ALG: Domain Name Server - Application Layer Gateway
- DNS: Domain Name Server
- the DNS-ALG is configured with an IPv4-v6 dual protocol stack, that is, it supports both IPv6 and IPv4; it provides the IPv4 address information of the VPN gateway, converts it to the corresponding IPv6 address by adding a specific prefix to the IPv4 address, and acts as the upper-level DNS of the DNS server in the IPv6 network.
- the DNS server in the IPv6 network can be configured with only the IPv6 protocol stack;
- the x-AR is configured with an IPv4-v6 dual protocol stack and performs the IPv6 in IPv4 encapsulation and decapsulation.
- the corresponding IP address configuration in the VPN is as follows:
- the VPN of a traditional IPv4 network is internally configured with a private network address and can only be used inside the VPN.
- the site local unicast address is very suitable for the application of the VPN. Therefore, in the embodiment of the present invention, the VPN internal network is configured with an IPv6 site local unicast address.
- the site local unicast address can only be used to transmit data inside the VPN network.
- the routers in the site only forward packets of this address type within the site, and do not forward them outside the site.
- the structure of the site local unicast address may be: 1111111011 + 38 bits of "0" + 16 bit subnet identifier + 64 bit interface identifier.
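The site-local layout just given, together with the earlier step in which the node decides from its current IP address type whether it is inside the VPN, in the IPv4 external network or in the IPv6 external network, as an added Python example (not code from the patent). The compose/parse functions follow the bit layout stated on the page (10-bit prefix 1111111011, 38 zero bits, 16-bit subnet identifier, 64-bit interface identifier); the classification rule that a site-local address means "inside the VPN" is an assumption drawn from the page's addressing plan, and the sample addresses are constructed.

```python
import ipaddress
from typing import Tuple

# Layout from the description: 10-bit prefix 1111111011 (fec0::/10), 38 zero bits,
# 16-bit subnet identifier, 64-bit interface identifier.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
PREFIX_BITS = 0b1111111011


def make_site_local(subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """Compose a site-local unicast address from its subnet and interface identifiers."""
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("subnet identifier must fit in 16 bits")
    if not 0 <= interface_id < (1 << 64):
        raise ValueError("interface identifier must fit in 64 bits")
    value = (PREFIX_BITS << 118) | (subnet_id << 64) | interface_id
    return ipaddress.IPv6Address(value)


def parse_site_local(addr: str) -> Tuple[int, int]:
    """Split a site-local unicast address into (subnet_id, interface_id); reject anything else."""
    a = ipaddress.IPv6Address(addr)
    if a not in SITE_LOCAL:
        raise ValueError("not a site-local unicast address")
    value = int(a)
    if (value >> 80) & ((1 << 38) - 1):
        raise ValueError("the 38 reserved bits must be zero")
    return (value >> 64) & 0xFFFF, value & ((1 << 64) - 1)


def classify_location(addr: str) -> str:
    """Which of the description's three cases the node's current address falls in.

    Assumption taken from the page's addressing plan: only the VPN internal network
    uses site-local addresses, so a site-local address means the node is inside the VPN.
    """
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return "external-ipv4"   # mobile IPv4 care-of address: IKE / MOBIKE with the gateway
    if a in SITE_LOCAL:
        return "internal"        # plain mobile IPv6 with the internal home agent
    return "external-ipv6"       # resolve the gateway via the DNS-ALG and use the tunnel


if __name__ == "__main__":
    # Constructed sample: subnet 1, interface identifier 1 -> fec0:0:0:1::1
    sample = make_site_local(1, 1)
    print(sample, parse_site_local(str(sample)), classify_location(str(sample)))
```

The parser rejects addresses whose 38 reserved bits are non-zero, so an address that merely starts with fec0::/10 but does not follow the page's layout is not accepted as an internal address. Note that RFC 3879 deprecated site-local unicast addresses in 2004 in favour of unique local addresses (RFC 4193); the layout implemented here is the one the description specifies.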
- the mobile node inside the VPN communicates with the internal home agent and the communication node by using standard mobile IPv6;
- the corresponding application examples of the VPN service are:
- the whole internal network is regarded as an ordinary IPv6 network, and the mobility of the mobile node is implemented by mobile IPv6; that is, in the internal home network the mobile node communicates through the IPv6 routing mechanism, and when the mobile node moves out of the home network and enters a mobile IPv6-enabled network,
- it obtains a mobile IPv6 care-of address through the access router, registers with the home agent and the communication node, and completes the binding update, thereby implementing mobile communication on the internal network.
- the mobile node outside the VPN supports mobile IPv4, obtains the IPv4 care-of address, performs IKE negotiation with the VPN gateway through the obtained care-of address, and establishes an IPsec tunnel, thereby implementing internal communication with the VPN through the tunnel.
- the corresponding embodiments of the VPN service processing process specifically include:
- a mobile node entering an IPv4 external network is assigned an IPv4 foreign agent care-of address or an IPv4 proxy care-of address.
- the mobile node After the identity authentication is completed with the VPN gateway, the mobile node starts IKE negotiation with the VPN gateway to establish an IPsec tunnel.
- the addresses at both ends of the tunnel are the care-of address of the mobile node and the IPv4 address of the external interface of the VPN gateway.
- the VPN gateway assigns a VPN-TIA (VPN tunnel internal address) and advertises the address to the mobile node; after moving out of the internal network, the mobile node still maintains a mobile IPv6 binding cache with the VPN internal home agent or communication node.
- VPN-TIA: VPN tunnel internal address
- the VPN-TIA is used as the mobile IPv6 care-of address with which the mobile node registers with the internal home agent or communication node.
- the mobile node does not use the care-of address obtained in the external network as the care-of address registered with the home agent of the internal network, but uses the VPN-TIA as its internal-network care-of address; the purpose is to keep the VPN internal home agent and communication node unaffected by changes of the mobile node's care-of address in the external network, reducing the frequent transmission of control information such as registration updates, and to avoid the problem that would arise if a mobile node holding an IPv4 care-of address registered with a mobile IPv6 internal home agent.
- after the IPsec tunnel is established, the mobile node first performs the mobile IPv6 encapsulation of the upper-layer protocol data packet, with the source address VPN-TIA and the destination address the address of the internal home agent or the communication node; the data packet is then further encapsulated by IPsec, with the source address the external-network IPv4 care-of address of the mobile node and the destination address the IPv4 address of the external interface of the VPN gateway.
- the structure of the packet after the two encapsulations is shown in Table 1, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node on the external network, and the v4/v6 mark in front of each address indicates the address type.
- the mobile node outside the VPN supports mobile IPv6 and obtains the IPv6 care-of address.
- the x-AR of the IPv6 external network and the VPN gateway in the IPv4 network use IPv6 in IPv4 tunnel encapsulation so that the mobile node in the IPv6 external network can communicate with the VPN gateway in the IPv4 network;
- when the mobile node is located in the IPv6 external network, that is, outside the VPN, the process of communicating with the VPN internal node is as follows: (1) when the mobile node enters an external network supporting mobile IPv6, the access router in that network (ie, the x-AR) provides the wireless access to the external network, and the mobile node obtains the corresponding IPv6 care-of address so that it can communicate using that care-of address;
- after obtaining the IPv6 care-of address, the mobile node relies on IPv6 in IPv4 tunneling, with IPv6 packets encapsulated and decapsulated respectively at the x-AR of the IPv6 external network and at the VPN gateway in the IPv4 network, to implement interworking between the IPv4 host and the IPv6 host;
- IPv6 in IPv4 tunneling technology
- after the mobile node obtains the IPv6 care-of address, if it communicates with the VPN gateway located in the IPv4 network, the two ends have different address structures and neither can process the other's IP packets directly.
- since IP packets of different versions cannot communicate directly, IPv6 packets need to be encapsulated in IPv4 so that the peer VPN gateway can recognise the received packets.
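The IPv6 in IPv4 tunnel that the description places between the x-AR and the VPN gateway (the tunnel establishment and packet encapsulation modules, and the encapsulation step just described), as an added Python example that is not code from the patent. The page does not name a tunnel format, so this assumes plain protocol-41 encapsulation (RFC 4213); 200.0.0.1 and 5ef0:3248::200.0.0.1 are taken from the description, while the x-AR address 198.51.100.7 and the care-of address 2001:db8:1::10 are constructed. The decapsulation side does what a tunnel endpoint with fixed peer addresses should do: it verifies the outer checksum and protocol, and drops packets whose outer source is not the configured peer.

```python
import ipaddress
import struct

# Constructed values for this example. 200.0.0.1 is the VPN gateway's external IPv4
# address quoted in the description; 198.51.100.7 is an assumed x-AR tunnel endpoint
# (RFC 5737 documentation range) and 2001:db8:1::10 an assumed IPv6 care-of address.
XAR_V4 = "198.51.100.7"
VPNGW_V4 = "200.0.0.1"
MN_COA_V6 = "2001:db8:1::10"
VPNGW_V6 = "5ef0:3248::200.0.0.1"   # DNS-ALG-synthesized address from the description
IPPROTO_IPV6 = 41                   # IPv6-in-IPv4 protocol number (RFC 4213)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Fixed 40-byte IPv6 header (RFC 8200) followed by the payload; 59 = No Next Header."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(inner_ipv6: bytes, outer_src: str, outer_dst: str, ident: int = 0) -> bytes:
    """Tunnel entry point: prepend an IPv4 header carrying protocol 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), ident, 0x4000, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + inner_ipv6


def decapsulate(packet: bytes, expected_peer: str, local: str) -> bytes:
    """Tunnel exit point: check the outer header and return the inner IPv6 packet.

    Raises ValueError for anything the endpoint should not accept: a malformed header,
    a bad checksum, the wrong protocol, an outer source that is not the configured
    peer, or a payload that is not a well-formed IPv6 packet.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)) != (
            ipaddress.IPv4Address(expected_peer), ipaddress.IPv4Address(local)):
        raise ValueError("tunnel endpoint mismatch")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len = struct.unpack("!H", inner[4:6])[0]
    if len(inner) != 40 + payload_len:
        raise ValueError("inner IPv6 length mismatch")
    return inner


def demo() -> bytes:
    """Round trip from the x-AR to the VPN gateway; returns the recovered inner packet."""
    inner = build_ipv6_packet(MN_COA_V6, VPNGW_V6, b"constructed payload")
    outer = encapsulate(inner, XAR_V4, VPNGW_V4, ident=1)
    return decapsulate(outer, expected_peer=XAR_V4, local=VPNGW_V4)


if __name__ == "__main__":
    print(demo().hex())
```

Because the description fixes both tunnel endpoint addresses (the external network's IPv4 address and the gateway's external IPv4 interface), the endpoint check in `decapsulate` is cheap and rejects protocol-41 packets injected from any other IPv4 source before their IPv6 contents are looked at.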
- the basis for establishing communication between the IPv4 host and the IPv6 host is association by domain name. That is, the mobile node does not need to know whether the VPN gateway it needs to communicate with has an IPv4 address or an IPv6 address; it only needs to know the FQDN (Fully Qualified Domain Name) of the VPN gateway. In this way, after the domain name is resolved, the communication address of the VPN gateway is obtained, and the corresponding data packets can be constructed to communicate with it.
- FQDN: Fully Qualified Domain Name
- the specific processing of the VPN gateway domain name resolution through the DNS includes two stages: the domain name resolution request and the domain name resolution response.
- the main processing of the domain name resolution request includes:
- the mobile node sends a DNS request to the DNS server in the IPv6 site, that is, it sends a DNS request ("AAAA") to the corresponding IPv6 DNS server to resolve the FQDN of the destination host and obtain the address information of the VPN gateway;
- the IPv6 host that initiates the communication (ie, the mobile node MN) does not know whether the communication partner is an IPv4 host or an IPv6 host; the mobile node only has the FQDN of the destination host (the VPN gateway), for example ww.vpngw.com, and therefore it needs to obtain the address of the VPN gateway through a domain name resolution request.
- the DNS server of the IPv6 site receives the DNS request of the mobile node; since the request actually carries the FQDN of a VPN gateway in the IPv4 network, the DNS server cannot resolve the domain name and forwards the request to the upper-level DNS server.
- the address of the upper-level DNS server configured in the DNS server is the address of the intra-site DNS-ALG, and therefore the DNS request sent by the mobile node MN is forwarded by the DNS server to the DNS-ALG;
- the DNS-ALG holds the address of the DNS server of the IPv4 network.
- the DNS-ALG determines, according to the stored DNS server list, the DNS server responsible for the VPN gateway; because the external interface of the VPN gateway of the internal network is an IPv4 interface, the corresponding address is an IPv4 address and the corresponding DNS server is a DNS server in the IPv4 network. Therefore, the IPv6 DNS request must be converted into an IPv4 DNS request ("A") and sent to the DNS server of the IPv4 network;
- since the DNS-ALG is connected to the x-AR, the DNS-ALG sends the IPv4 DNS request to the x-AR first, and the x-AR then sends it to the IPv4 network.
- The corresponding response stage, that is, forwarding of the DNS response, is shown in FIG. 6.
- After receiving the request, the DNS server in the IPv4 network returns a DNS response containing the IPv4 address of the VPN gateway; this response is returned to the mobile node in the IPv6 network by the following steps.
- The DNS-ALG in the IPv6 network receives the response from the IPv4 DNS server, whose result is the IPv4 address of the VPN gateway. The DNS-ALG prepends a specific address prefix to this address; packets whose destination carries the prefix are routed to the x-AR.
- The route for the prefix can be configured and distributed in advance in the routing devices of the IPv6 network.
- For example, with the prefix 5ef0:3248::/64 and the VPN gateway IPv4 address 200.0.0.1, the DNS-ALG places the IPv4 address in the low 32 bits of the prefix, giving 5ef0:3248::200.0.0.1 (the same address in canonical notation is 5ef0:3248::c800:1), and returns this address to the DNS server in the IPv6 network.
- The DNS server in the IPv6 network matches the answer to the mobile node's pending request and writes the address into its cache as the address of the VPN gateway, so the mapping between the VPN gateway's IPv6-format address and its domain name is now held by the DNS server in the IPv6 network.
- The process is not repeated afterwards: any host that subsequently communicates with the VPN gateway by domain name obtains the converted address, an IPv6 address, directly from the DNS server of the IPv6 network.
- After writing the result (the IPv6 address with the specific prefix) into its cache, the DNS server also returns it to the mobile node, which thereby obtains the VPN gateway address needed to carry out the mobile VPN service.
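The two DNS-ALG rewrites above, as an added example in Python (not code from the patent or from any product). It uses the text's prefix 5ef0:3248::/64 and gateway address 200.0.0.1; the name vpngw.example, the transaction ID, the pool of answers and the wire-format messages are constructed here. It goes slightly beyond the text in that it handles a response with several A records and, on the x-AR side, checks that an address really carries the prefix before extracting the embedded IPv4 address. Only A/AAAA records are rewritten; other RDATA is copied unchanged.

```python
from __future__ import annotations

import ipaddress
import struct

# Prefix and gateway address are the text's; everything else is constructed for this example.
QTYPE_A, QTYPE_AAAA = 1, 28
ALG_PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")  # routed to the x-AR inside the IPv6 site


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed owner name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def write_name(name: str) -> bytes:
    """Encode a name uncompressed, so the rewritten message never depends on old offsets."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def synthesize(v4: str, prefix: ipaddress.IPv6Network = ALG_PREFIX) -> str:
    """DNS-ALG: embed the gateway's IPv4 address in the low 32 bits of the prefix."""
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))


def embedded_ipv4(v6: str, prefix: ipaddress.IPv6Network = ALG_PREFIX) -> str | None:
    """x-AR: recover the IPv4 address, or None when the address does not carry the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def query_aaaa_to_a(msg: bytes) -> bytes:
    """Outbound rewrite: the mobile node's AAAA question becomes an A question."""
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    if qtype != QTYPE_AAAA:
        return msg
    return msg[:12] + write_name(qname) + struct.pack("!HH", QTYPE_A, qclass) + msg[off + 4:]


def response_a_to_aaaa(msg: bytes, prefix: ipaddress.IPv6Network = ALG_PREFIX) -> tuple[bytes, list[str]]:
    """Inbound rewrite: every A answer becomes a AAAA carrying PREFIX::<IPv4>.
    Other records are copied as-is (their RDATA must not contain compressed names)."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    out, off, synthesized = bytearray(msg[:12]), 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out += write_name(qname) + struct.pack("!HH", QTYPE_AAAA if qtype == QTYPE_A else qtype, qclass)
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            v6 = synthesize(str(ipaddress.IPv4Address(rdata)), prefix)
            synthesized.append(v6)
            rtype, rdata = QTYPE_AAAA, ipaddress.IPv6Address(v6).packed
        out += write_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(out), synthesized


def build_query(name: str, qtype: int, ident: int = 0x1234) -> bytes:
    """Constructed query, as the mobile node's resolver would send it (RD set)."""
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + write_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(query: bytes, v4_addrs: list[str], ttl: int = 300) -> bytes:
    """Constructed stand-in for the IPv4 DNS server's answer; owner names are compression
    pointers to the question (0xC00C), as real servers send them."""
    ident = struct.unpack_from("!H", query, 0)[0]
    qname, off = read_name(query, 12)
    msg = struct.pack("!6H", ident, 0x8180, 1, len(v4_addrs), 0, 0) + write_name(qname) + query[off:off + 4]
    for a in v4_addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return msg


def resolve_through_alg(name: str = "vpngw.example.", gateway_v4: str = "200.0.0.1") -> list[str]:
    """Whole exchange MN -> DNS-ALG -> IPv4 DNS -> DNS-ALG -> MN; returns the AAAA answers the MN sees."""
    q4 = query_aaaa_to_a(build_query(name, QTYPE_AAAA))
    r4 = build_a_response(q4, [gateway_v4])
    return response_a_to_aaaa(r4)[1]
```

`resolve_through_alg()` returns `['5ef0:3248::c800:1']`, which is 5ef0:3248::200.0.0.1 in canonical form. Two points worth keeping in mind when deploying this pattern: the synthesized record inherits the upstream TTL, so a change of the gateway's IPv4 address is visible to IPv6 hosts only after the IPv6 DNS server's cache entry expires, and the x-AR must treat only addresses inside the configured prefix as tunnel candidates (the `embedded_ipv4` check), never any address whose low 32 bits happen to look like an IPv4 address.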
- The mobile node can then communicate with nodes inside the VPN through packet conversion and forwarding, as follows:
- The mobile node receives the IPv6 address returned by the DNS server, that is, the VPN gateway's IPv4 address with the specific prefix prepended, and constructs an IPv6 packet with this address as the destination.
- All IPv6 packets carrying that prefix are directed to the x-AR, so the packet sent by the mobile node is routed to the x-AR. In the example the specific prefix is 5ef0:3248::/64 and the VPN gateway's IPv4 address is 200.0.0.1.
- The x-AR receives an IPv6 packet whose destination carries the prefix 5ef0:3248::/64, recognizes it as the prefix assigned to the DNS-ALG, and applies IPv6-in-IPv4 tunnel encapsulation to the IPv6 packet.
- The encapsulation is as follows: the x-AR extracts the VPN gateway's IPv4 address from the destination address field of the IPv6 packet and uses it as the destination address of the IPv4 tunnel header; the x-AR's own IPv4 address becomes the source address of the tunnel header. The structure of the resulting IPv4 packet is shown in Table 2.
- The x-AR sends the encapsulated IPv4 packet into the IPv4 network.
- An IPv4 packet received by the VPN gateway may come from a mobile node in an IPv4 external network, or it may be the IPv4-encapsulated packet of a mobile node in an IPv6 external network. To tell them apart, the VPN gateway examines the IPv4 header: if the protocol (next header) field indicates an encapsulated IPv6 packet (protocol number 41), the packet comes from the IPv6 external network and is decapsulated; the decapsulated IPv6 packet is then handed to the other modules and processed like any ordinary IPv6 packet, which is not described further.
- When a node inside the VPN sends to a mobile node in an IPv6 external network, the VPN gateway encapsulates the IPv6 packet in an IPv4 header and sends it through the tunnel between itself and the x-AR to the mobile node.
- In the IPv4 header added by the VPN gateway, the destination address is the x-AR's IPv4 address and the source address is the VPN gateway's IPv4 address.
- When the x-AR receives the IPv4 packet, it reads the IPv4 header, finds that the next header is IPv6, decapsulates the packet and forwards the IPv6 packet to the mobile node. This is the inverse of the mobile-node-to-gateway direction.
- When the mobile node is in an IPv6 external network and communicates with a node inside the VPN, it must establish a tunnel with the VPN gateway; how that tunnel is established so that the IPv6 external network and the VPN interior can communicate is the key to implementing VPN communication in the hybrid network.
- The establishment of the IPsec tunnel and the forwarding of packets while the mobile node is in the IPv6 external network are described in detail below.
- The mobile node and the VPN gateway run an IKEv2 negotiation with MOBIKE support to establish an IPsec tunnel; packets are then carried in IPsec ESP (Encapsulating Security Payload) tunnel-mode encapsulation.
- For a mobile node in an IPv6 external network to reach a VPN internal node, the IPsec tunnel therefore runs over a tunnel with IPv4 addresses at both ends, that is, one supporting IPv6-in-IPv4 encapsulation and decapsulation; the IPv6-in-IPv4 packets are encapsulated and delivered through it.
- The destination address in the mobile node's SA is the IPv6 address of the VPN gateway; the destination address in the VPN gateway's SA is the IPv6 address of the mobile node. The VPN gateway also obtains its own IPv6 address, namely the specific prefix plus its own IPv4 address.
- Once the IPsec tunnel is established, packets are transmitted through it as follows.
- The mobile node first applies mobile IPv6 encapsulation to the upper-layer packet: the source address is the VPN-TIA (VPN Tunnel Inner Address) and the destination address is that of the node inside the VPN (the internal home agent or the correspondent node).
- IPsec encapsulation follows: the source address is the mobile node's care-of address in the external IPv6 network and the destination address is the IPv6 address of the VPN gateway's external interface, formed from the gateway's IPv4 address plus the specific prefix.
- The doubly encapsulated IPv6 packet is shown in Table 3, where i-HoA is the mobile node's home address in the internal network, x-CoA is the care-of address obtained in the external network, and VPN-GW is the IPv6 address with the specific prefix; the v4/v6 flag in front of each address indicates the address type.
- The x-AR recognizes that the packet requires IPv6-in-IPv4 tunnel encapsulation and extracts the VPN gateway's IPv4 address from the destination address field of the IPv6 packet.
- The tunnel-encapsulated IPv4 packet is shown in Table 4: the outermost header is an IPv4 header and the entire original IPv6 packet is carried as its payload; x-AR in the outer header is the access router's IPv4 address and VPN-GW is the VPN gateway's IPv4 address.
- The x-AR forwards the encapsulated IPv4 packet into the IPv4 network.
- On receipt, the VPN gateway first removes the IPv4 tunnel header, then hands the packet to its IPsec module, which removes the IPsec encapsulation and forwards the packet to the internal home agent or correspondent node, completing communication between the mobile node and the VPN internal node.
- Forwarding and conversion of packets sent by VPN internal nodes to the mobile node is the reverse of the above steps and is not repeated here.
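The packet layering of Tables 3 and 4 and the x-AR/gateway processing of the two preceding passages, as an added example in Python (not code from the patent or any product). The ESP header is a placeholder of SPI plus sequence number with no encryption, so the layering stays visible; the tunnel protocol number 41 and the rule that a decapsulator accepts tunnel packets only from its configured peers are standard IPv6-in-IPv4 practice (RFC 4213), not something the text states. The prefix 5ef0:3248::/64 and gateway 200.0.0.1 are the text's; all other addresses are documentation addresses chosen here.

```python
from __future__ import annotations

import ipaddress
import struct

PROTO_ESP, PROTO_IPV6_ENCAP = 50, 41          # IANA protocol numbers (ESP, IPv6-in-IPv4)
NH_NONE = 59                                   # IPv6 "no next header", used for the sample payload
ALG_PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")  # the text's prefix, routed to the x-AR


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement header checksum; returns 0 when run over a header that already verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int, hop_limit: int = 64) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def mobile_node_packet(vpn_tia: str, i_ha: str, x_coa: str, gw_v6: str, spi: int, seq: int, payload: bytes) -> bytes:
    """Table 3: MIPv6 inner packet (VPN-TIA -> i-HA) inside ESP, inside the outer IPv6 header (x-CoA -> VPN-GW)."""
    inner = ipv6_header(vpn_tia, i_ha, NH_NONE, len(payload)) + payload
    esp = struct.pack("!II", spi, seq) + inner         # placeholder: a real ESP would encrypt `inner`
    return ipv6_header(x_coa, gw_v6, PROTO_ESP, len(esp)) + esp


def xar_encapsulate(ipv6_pkt: bytes, xar_v4: str, prefix: ipaddress.IPv6Network = ALG_PREFIX) -> bytes | None:
    """x-AR: tunnel packets whose destination carries the prefix to the IPv4 address embedded in it (Table 4)."""
    if len(ipv6_pkt) < 40 or ipv6_pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    dst = ipaddress.IPv6Address(ipv6_pkt[24:40])
    if dst not in prefix:
        return None                                    # ordinary IPv6 forwarding, no tunnel
    gw_v4 = ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)
    return ipv4_header(xar_v4, str(gw_v4), PROTO_IPV6_ENCAP, len(ipv6_pkt)) + ipv6_pkt


def gateway_classify(ipv4_pkt: bytes, tunnel_peers: set[str]) -> tuple[str, bytes]:
    """VPN gateway: ("tunnel", inner IPv6 packet) for protocol-41 packets from a known x-AR,
    ("native", packet) for ordinary IPv4 traffic; malformed or spoofed input raises."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack_from("!H", ipv4_pkt, 2)[0], ipv4_pkt[9]
    if ipv4_checksum(ipv4_pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_IPV6_ENCAP:
        return "native", ipv4_pkt                       # e.g. ESP straight from an IPv4 external network
    src = str(ipaddress.IPv4Address(ipv4_pkt[12:16]))
    if src not in tunnel_peers:                         # RFC 4213: decapsulate only from configured endpoints
        raise ValueError("tunnel packet from unexpected source %s" % src)
    inner = ipv4_pkt[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("tunnel payload is not IPv6")
    return "tunnel", inner


def esp_spi(ipv6_pkt: bytes) -> int:
    """After decapsulation the IPsec module selects the SA by the SPI at the start of the ESP header."""
    if ipv6_pkt[6] != PROTO_ESP:
        raise ValueError("next header is not ESP")
    return struct.unpack_from("!I", ipv6_pkt, 40)[0]
```

`gateway_classify` is the decision the text attributes to the VPN gateway: protocol 41 from a known x-AR is decapsulated, anything else is treated as native IPv4 traffic. The peer check matters because the tunnel header carries no integrity protection of its own; without it any IPv4 host could inject IPv6 packets into the gateway's IPv6-side processing.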
- Communication between the mobile node and the VPN internal nodes can also be implemented by the following scheme.
- To let a host in the IPv6 network (the mobile node) communicate with a host in the IPv4 network (the VPN gateway) of the IPv4-v6 hybrid network, NAT-PT (Network Address Translation - Protocol Translation) can be used in place of the IPv6-in-IPv4 tunnelling of the second IPv6 external network scheme described above.
- Following the basic technique and idea of NAT-PT, the embodiment of the invention can likewise be applied to the IPv4-v6 hybrid network to implement the mobile VPN; the communication scheme between the mobile node in the IPv6 network and the VPN gateway in the IPv4 network under this structure is as follows.
- A NAT-PT entity (NAT-PT device) must be deployed at the edge of the IPv6 external network; the NAT-PT and the DNS-ALG described earlier can be combined in one device.
- The mobile node still obtains the VPN gateway's IPv6 address by domain name query, as described above; that address is the gateway's IPv4 address plus the specific address prefix.
- The mobile node constructs a packet with that address as the destination; IPv6 packets carrying the specific prefix are routed to the NAT-PT by default.
- From the specific prefix the NAT-PT determines that the packet is addressed to a host in the IPv4 network and performs protocol translation on it.
- The NAT-PT maps the source address of the received IPv6 packet (the mobile node's care-of address) to an IPv4 address, which becomes the source address of the translated IPv4 packet, and uses the low 32 bits of the IPv6 destination address as the destination address of the IPv4 packet. Each header field is translated syntactically and semantically (this is NAT-PT proper), and the destination of the resulting IPv4 packet is the VPN gateway's IPv4 address.
- The NAT-PT sends the translated IPv4 packet to the x-AR, which forwards it into the IPv4 network.
- Translating an IPv4 packet back into an IPv6 packet is the reverse: when the x-AR receives the IPv4 packet it first routes it to the NAT-PT; the NAT-PT takes the IPv4 destination address, looks it up in its address mapping table and uses the corresponding IPv6 address (the mobile node's care-of address) as the destination of the IPv6 packet; the IPv4 source address with the specific prefix prepended becomes the IPv6 source address; the remaining fields are translated syntactically and semantically, and the resulting IPv6 packet is forwarded to the mobile node.
- The tunnel establishment and packet forwarding for a mobile node in an IPv6 external network communicating with the VPN interior under this scheme are as follows.
- Tunnel establishment: the mobile node and the VPN gateway first run an IKEv2 negotiation with MOBIKE support to establish an IPsec tunnel; packets are then transmitted in IPsec ESP tunnel-mode encapsulation.
- Both the IKE negotiation signalling and the subsequent IPsec-encapsulated packets are translated between IPv4 and IPv6 by the NAT-PT. The destination address in the mobile node's SA is the IPv6 address of the VPN gateway, while the destination address in the VPN gateway's SA is the IPv4 address (the NAT-PT mapping) of the mobile node; neither party knows that its peer is a host of a different network type. This does not affect tunnel establishment or data transmission, and it simplifies handover between external networks of different types: whether the mobile node is in an IPv4 or an IPv6 external network, the VPN gateway always sees the mobile node as being in an IPv4 network.
- After the IPsec tunnel is established, the mobile node first applies mobile IPv6 encapsulation to the upper-layer packet, with the VPN-TIA as source address and the internal home agent or correspondent node as destination; then IPsec encapsulation, with the mobile node's external IPv6 care-of address as source and the VPN gateway's external-interface IPv6 address (the gateway's IPv4 address plus the specific prefix) as destination.
- The doubly encapsulated IPv6 packet of the mobile node in the IPv6 external network is shown in Table 5, where i-HoA is the mobile node's home address in the internal network, x-CoA its care-of address in the external network, and VPN-GW the VPN gateway; the v4/v6 tag in front of each address indicates the address type.
- The NAT-PT maps the IPv6 source address (the care-of address) to an IPv4 address, which becomes the source of the translated IPv4 packet, and uses the low 32 bits of the destination address as the IPv4 destination; it translates the remaining fields syntactically and semantically and constructs an IPv4 packet whose destination is the VPN gateway's IPv4 address.
- Table 6 shows the IPv4 packet after NAT-PT translation; at this point the addresses of the outer IPsec header have been converted to IPv4, where x-CoA is the IPv4 care-of address mapped from the mobile node's IPv6 care-of address and VPN-GW is the VPN gateway's IPv4 address.
- The IPv4 packet is forwarded to the x-AR and from there into the IPv4 network.
- The VPN gateway removes the IPsec encapsulation and forwards the packet to the internal home agent or correspondent node, completing communication between the mobile node and the VPN internal node.
- Forwarding and conversion of packets sent by VPN internal nodes to the mobile node is exactly the reverse of the above steps and is not repeated here.
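The NAT-PT translation of the two preceding passages (the data path and the IPsec-carrying case of Table 6), as an added example in Python at the level of header fields and the translator's mapping table (not code from the patent or any product). It assumes an IPv4 pool 198.51.100.0/24 for mapped care-of addresses and uses the text's prefix 5ef0:3248::/64 and gateway 200.0.0.1; the care-of addresses are chosen here. It adds one check the text does not mention: AH (protocol 51) is refused, because AH's integrity value covers the IP header and cannot survive address rewriting, whereas the ESP tunnel mode the text uses does not authenticate the outer header.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROTO_ESP, PROTO_AH = 50, 51
ALG_PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")  # the text's prefix; pool below is an assumption


@dataclass(frozen=True)
class IPv6Header:
    src: str
    dst: str
    next_header: int
    hop_limit: int
    payload_len: int


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    protocol: int
    ttl: int
    total_len: int  # 20-byte header plus payload


class NatPt:
    """Stateful NAT-PT: one IPv4 pool address per IPv6 source, plus prefix-based destination mapping."""

    def __init__(self, pool: str, prefix: ipaddress.IPv6Network = ALG_PREFIX):
        self.prefix = prefix
        self.free = list(ipaddress.IPv4Network(pool).hosts())
        self.v6_to_v4: dict[str, str] = {}
        self.v4_to_v6: dict[str, str] = {}

    def _map_source(self, v6: str) -> str:
        """Allocate, or reuse, the IPv4 address that stands in for this care-of address."""
        if v6 not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("NAT-PT pool exhausted")
            v4 = str(self.free.pop(0))
            self.v6_to_v4[v6], self.v4_to_v6[v4] = v4, v6
        return self.v6_to_v4[v6]

    def outbound(self, h: IPv6Header) -> IPv4Header | None:
        """IPv6 -> IPv4 (mobile node to VPN gateway). None means: not ours, forward natively."""
        dst = ipaddress.IPv6Address(h.dst)
        if dst not in self.prefix:
            return None
        if h.next_header == PROTO_AH:
            # AH authenticates the IP header, so rewriting addresses breaks it; ESP tunnel mode does not.
            raise ValueError("AH cannot be translated by NAT-PT")
        return IPv4Header(
            src=self._map_source(h.src),
            dst=str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)),  # low 32 bits of PREFIX::v4
            protocol=h.next_header,   # ESP keeps protocol number 50 in both families
            ttl=h.hop_limit,
            total_len=20 + h.payload_len,
        )

    def inbound(self, h: IPv4Header) -> IPv6Header | None:
        """IPv4 -> IPv6 (VPN gateway to mobile node). None means: no mapping, drop rather than guess."""
        v6_dst = self.v4_to_v6.get(h.dst)
        if v6_dst is None:
            return None
        src = int(self.prefix.network_address) | int(ipaddress.IPv4Address(h.src))
        return IPv6Header(
            src=str(ipaddress.IPv6Address(src)),
            dst=v6_dst,
            next_header=h.protocol,
            hop_limit=h.ttl,
            payload_len=h.total_len - 20,
        )


def round_trip(x_coa: str = "2001:db8:1::10", gw_v4: str = "200.0.0.1") -> tuple[IPv4Header, IPv6Header]:
    """Table 6 outbound (ESP from x-CoA to PREFIX::gateway), then the gateway's ESP reply translated back."""
    natpt = NatPt("198.51.100.0/24")
    gw_v6 = str(ipaddress.IPv6Address(int(ALG_PREFIX.network_address) | int(ipaddress.IPv4Address(gw_v4))))
    out = natpt.outbound(IPv6Header(x_coa, gw_v6, PROTO_ESP, 64, 120))
    back = natpt.inbound(IPv4Header(gw_v4, out.src, PROTO_ESP, 64, 140))
    return out, back
```

The mapping must stay stable for the lifetime of the IPsec SA: the VPN gateway's SA is keyed on the mapped IPv4 care-of address, so a translator that recycles pool entries while the tunnel is up would silently break the gateway's view of the peer.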
- Because the mobile node moves, the handover of the mobile node between networks of different types and the corresponding update of the SA addresses in the embodiment of the invention are described in detail below.
- The IPv4-v6 hybrid network has an IPv4 external network supporting mobile IPv4 and an IPv6 external network supporting mobile IPv6. "Heterogeneous networks" means an IPv4 network and an IPv6 network; "homogeneous networks" means two IPv4 networks or two IPv6 networks.
- After the mobile node has accessed the VPN through the IPsec tunnel it may move between networks. While it moves within the internal network, standard mobile IPv6 communication is used; when it roams from the internal network into an external network, an IPsec tunnel must be established to communicate with VPN internal nodes; when it moves from its current external network into a new external network, heterogeneous or homogeneous, it uses the MOBIKE protocol to update the SA addresses with the newly obtained care-of address, keeps the original IPsec tunnel and continues communicating with the VPN internal nodes over it.
- MOBIKE is what gives the IPsec protocol its support for node mobility: after the mobile node's care-of address changes, the original IPsec tunnel continues to be used once the SA addresses have been updated.
- MOBIKE is an extension of IKEv2. It allows the nodes at both ends of a tunnel to change their IP addresses while keeping the IKE SA and the IPsec SAs, so the original IPsec tunnel survives an address change at either end. A key application scenario is an IPsec VPN mobile node that keeps its existing IPsec tunnel to the VPN gateway after changing its care-of address in the external network.
- MOBIKE supports multiple addresses on both sides; the initiator of the IKE SA (Internet Key Exchange Security Association) decides which address pair the tunnel uses, and the address update request is likewise issued by the IKE SA initiator.
- This design suits mobile VPN well: typically the mobile node, while in an external network, initiates the IKE negotiation to the VPN gateway and establishes the IPsec tunnel; after its care-of address changes, the mobile node initiates the update request and updates its address in the IKE SA and the IPsec SAs.
- As an extension of IKEv2, MOBIKE is carried within the IKEv2 exchanges. It defines new notification payloads that implement MOBIKE support in the three kinds of IKEv2 exchange (the IKE SA exchange, the IPsec SA exchange and the informational exchange).
- Entities at both ends of the communication may hold several addresses at once: the initiator and the responder can add ADDITIONAL_IP4_ADDRESS or ADDITIONAL_IP6_ADDRESS notification payloads in the IKE_AUTH exchange (the last two messages of the IKEv2 exchange).
- The IKE SA initiator determines the addresses used by the IPsec SAs: the responder updates the IP addresses of the IPsec SAs only after receiving an UPDATE_SA_ADDRESSES request from the initiator. Once the initiator decides to update, it updates the IP addresses in the IKE SA and the IPsec SAs and sets the "pending_update" flag in the IKE SA; if an IKEv2 request has been sent to the responder but not yet answered, it retransmits that request from the updated IP address; when the window size allows, it sends an informational exchange request containing the UPDATE_SA_ADDRESSES notification payload and clears the "pending_update" flag; if the address changes again while it waits for the response, it starts over from the first step and ignores the response when it arrives.
- When the initiator receives the response it processes it accordingly: it may select another address and repeat the exchange, continue with the current address, or disconnect.
- MOBIKE also includes a return routability check, by which either the initiator or the responder can optionally confirm that the other party can receive packets at its current address. The check may be performed before or after the IPsec SA update, or during a normal connection; by default it is required after the IPsec SA update completes.
- One party sends an IKE informational exchange request containing a COOKIE2 notification payload; the other party copies the received COOKIE2 payload into its informational exchange response; on receiving the response, the first party checks that the returned COOKIE2 payload is identical to the one it sent, which completes the return routability check.
- Handover of the mobile node within the external networks falls into two cases:
- Homogeneous handover: the mobile node roams from one IPv4 external network to another IPv4 external network, or from one IPv6 external network to another IPv6 external network;
- Heterogeneous handover: the mobile node roams from an IPv4 external network to an IPv6 external network, or from an IPv6 external network to an IPv4 external network.
- Roaming of the mobile node from the IPv6 internal network to an external network likewise has two cases: moving into an IPv4 external network and moving into an IPv6 external network.
- Mobile node in the internal network: while it is in the internal network but away from its home network, the mobile node communicates with the VPN internal home agent and correspondent nodes using standard mobile IPv6.
- When the mobile node in the internal network moves and its IP address changes, it immediately suspends communication with the other nodes in the VPN and proceeds as follows:
- If the new care-of address is an IPv4 address, the mobile node is in an IPv4 external network. It runs an IKE negotiation with MOBIKE support to the VPN gateway using the IPv4 care-of address and establishes an IPsec tunnel; it then takes the VPN-TIA generated by the VPN gateway as its internal MIPv6 care-of address, sends a registration request to the i-HA (internal home agent) through the IPsec tunnel, and after receiving the registration response communicates with internal network nodes through the established tunnel.
- If the new care-of address is an IPv6 address, the mobile node indirectly queries the VPN gateway's IPv6 address by domain name (the query procedure is described above) and at the same time sends a standard mobile IPv6 registration request to the VPN internal home agent; it then proceeds according to whether a registration response arrives. If the mobile node receives the mobile IPv6 registration response, it is still inside the VPN internal network and, after completing the registration update, communicates with VPN internal nodes using the new IPv6 care-of address. If no registration response arrives but the gateway's IPv6 address was resolved successfully, the mobile node is in an IPv6 external network; it uses the new IPv6 address to run an IKE negotiation with MOBIKE support to the VPN gateway and establishes an IPsec tunnel.
- The tunnel is then used as in the IPv4 case: the mobile node takes the VPN-TIA generated by the VPN gateway as its internal mobile IPv6 care-of address, sends a registration request to the internal home agent through the IPsec tunnel, and after receiving the registration response communicates with internal network nodes through the established tunnel.
- Mobile node in an external network: an IPsec tunnel is established and communication with VPN internal nodes passes through it. The configuration differs between the IPv4 and the IPv6 external network; in the IPv6 external network the packets must additionally be carried in the IPv6-in-IPv4 tunnel, which is more complex. Roaming in the IPv4 external network and in the IPv6 external network are described in turn.
- 1. Mobile node in the IPv4 external network: the IPv4 care-of address is the local tunnel address; the mobile node runs an IKE negotiation with MOBIKE support to the VPN gateway, establishes an IPsec tunnel and communicates with VPN internal nodes through it. When the mobile node moves and its IP address changes, it immediately suspends communication with VPN internal nodes and proceeds as follows:
- If it enters another IPv4 external network, it starts MOBIKE and performs an SA address update; the updated SA endpoint addresses are the mobile node's new IPv4 care-of address and the VPN gateway's IPv4 address.
- If it obtains an IPv6 care-of address, it indirectly queries the VPN gateway's IPv6 address by domain name and at the same time sends a standard mobile IPv6 registration request to the VPN internal home agent, then proceeds according to whether a registration response is returned. If the mobile node receives the mobile IPv6 (MIPv6) registration response, it has entered the VPN internal network and, after completing the registration update, communicates with VPN internal nodes using the new IPv6 care-of address. If no registration response arrives but the gateway's IPv6 address was resolved successfully, the mobile node is in an IPv6 external network; it starts MOBIKE and performs the SA address update, the updated SA endpoint addresses being the mobile node's newly obtained IPv6 care-of address and the VPN gateway's IPv6 address; after the IKE SA and IPsec SA address update completes, the mobile node continues communicating with VPN internal nodes through the IPsec tunnel.
- A note on the SA addresses: because the mobile node moves from an IPv4 to an IPv6 external network, both its source address and its destination address (the SA endpoint addresses) change, and the mobile node updates them to IPv6 addresses. The VPN gateway, on receiving the UPDATE_SA_ADDRESSES (Update Security Association Addresses) notification payload, takes the new addresses from the IP packet that carried it; it therefore sees the SA endpoint addresses as changed and updates them to the IPv6 addresses of the mobile node and of the VPN gateway.
- 2. Mobile node in the IPv6 external network: the mobile node obtains an IPv6 care-of address, queries the VPN gateway's IPv6 address through domain name resolution, initiates an IKE negotiation with MOBIKE support, establishes an IPsec tunnel and communicates with VPN internal nodes through it. When the mobile node moves and its IP address changes, it immediately suspends communication with VPN internal nodes and proceeds as follows:
- If it enters an IPv4 external network, it starts MOBIKE and performs an SA address update; the updated SA endpoint addresses are the mobile node's new IPv4 care-of address and the VPN gateway's IPv4 address.
- If it obtains a new IPv6 care-of address, it indirectly queries the VPN gateway's IPv6 address by domain name and at the same time sends a standard mobile IPv6 registration request to the VPN internal home agent, then proceeds according to whether a registration response is returned. If the mobile node receives the mobile IPv6 registration response, it has entered the VPN internal network and, after completing the registration update, communicates with VPN internal nodes using the new IPv6 care-of address. If no MIPv6 registration response arrives but the gateway's IPv6 address was resolved successfully, the mobile node is in an IPv6 external network; it starts MOBIKE and updates the SA addresses, the updated SA endpoint addresses being the mobile node's newly obtained IPv6 care-of address and the VPN gateway's IPv6 address; after the IKE SA and IPsec SA address update completes, the mobile node continues communicating with VPN internal nodes through the IPsec tunnel.
- The return routability check ("return routability" check) can be used to verify the reachability of the addresses supplied by both nodes, which prevents large volumes of traffic from being redirected to a third party.
- NAT prohibition requires that the IP addresses are not modified by any NAT, IPv4/v6 translator or similar device. It is used when the administrator already knows that there are no NAT devices between the two nodes, so that any modification of the packet is treated as an attack.
- A return routability check is inserted before each SA address update takes effect and before data traffic resumes, ensuring that the updated address is actually and safely routable.
- When the mobile node enters the IPv4 or the IPv6 external network it is assumed that no NAT device sits between the mobile node and the VPN gateway, so NAT prohibition can be used to protect the packets from modification. This holds for the IPv6-in-IPv4 tunnelling scheme, in which the x-AR carries the mobile node's IPv6 header unchanged; in the NAT-PT scheme the translator rewrites the addresses, which the VPN gateway would report as an unexpected NAT, so NAT prohibition and NAT-PT cannot be combined.
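The MOBIKE procedure described above (address update with the pending_update flag, the COOKIE2 return routability check, and the NAT prohibition), exercised against the handover cases of this section, as an added example in Python. It is not the patent's code and not a real IKEv2 implementation: messages are plain dictionaries, there is no IKE cryptography, and the network path is a callable that maps the (source, destination) pair as sent to the pair the receiver sees, so that the tunnelling scheme (identity) and the NAT-PT scheme (rewritten addresses) can both be run. The gateway 200.0.0.1 and prefix 5ef0:3248::/64 are the text's; all other addresses are chosen here.

```python
from __future__ import annotations

import ipaddress
import os
from typing import Callable, Tuple

ALG_PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")  # the text's prefix
Path = Callable[[str, str], Tuple[str, str]]           # (src, dst) as sent -> (src, dst) as received


def prefixed(v4: str) -> str:
    """PREFIX::<IPv4>, the gateway address the DNS-ALG hands to hosts in the IPv6 site."""
    return str(ipaddress.IPv6Address(int(ALG_PREFIX.network_address) | int(ipaddress.IPv4Address(v4))))


class VpnGateway:
    """MOBIKE responder. It never chooses addresses: it takes them from the packet that carries
    UPDATE_SA_ADDRESSES, which is what the text says the gateway does."""

    def __init__(self, ipv4: str = "200.0.0.1", echo_cookie: bool = True):
        self.ipv4, self.ipv6 = ipv4, prefixed(ipv4)
        self.sa: tuple[str, str] | None = None   # (local, peer) endpoints of the IKE SA / IPsec SAs
        self.echo_cookie = echo_cookie           # False simulates a path on which COOKIE2 is not echoed

    def handle(self, notify: dict, seen_src: str, seen_dst: str) -> dict:
        reply: dict = {}
        if "NO_NATS_ALLOWED" in notify and notify["NO_NATS_ALLOWED"] != (seen_src, seen_dst):
            reply["UNEXPECTED_NAT_DETECTED"] = True   # sender's addresses were rewritten on the path
            return reply
        if "UPDATE_SA_ADDRESSES" in notify:
            self.sa = (seen_dst, seen_src)           # new endpoints come from the IP header
        if "COOKIE2" in notify:
            reply["COOKIE2"] = notify["COOKIE2"] if self.echo_cookie else os.urandom(16)
        return reply


class MobileNode:
    """MOBIKE initiator."""

    def __init__(self, gw: VpnGateway, path: Path = lambda s, d: (s, d)):
        self.gw, self.path = gw, path
        self.sa: tuple[str, str] | None = None   # (local care-of address, gateway address)
        self.pending_update = False

    def gateway_address(self, coa: str) -> str:
        """Pick the gateway address of the care-of address's family: its IPv4 address from an IPv4
        external network, PREFIX::v4 from the IPv6 site (the answer the DNS-ALG would return)."""
        return self.gw.ipv4 if ipaddress.ip_address(coa).version == 4 else self.gw.ipv6

    def _send(self, notify: dict) -> dict:
        src, dst = self.path(*self.sa)
        return self.gw.handle(notify, src, dst)

    def establish(self, coa: str) -> tuple[str, str]:
        """Stands in for IKE_SA_INIT/IKE_AUTH with MOBIKE support; both sides record the endpoints."""
        self.sa = (coa, self.gateway_address(coa))
        self._send({"UPDATE_SA_ADDRESSES": True})   # simplification: same effect as the initial SA setup
        return self.sa

    def on_address_change(self, new_coa: str) -> bool:
        """Handover: update the local SAs, flag the pending update, send UPDATE_SA_ADDRESSES from the
        new address with NAT prohibition, then prove return routability before resuming traffic."""
        self.sa = (new_coa, self.gateway_address(new_coa))
        self.pending_update = True
        reply = self._send({"UPDATE_SA_ADDRESSES": True, "NO_NATS_ALLOWED": self.sa})
        self.pending_update = False
        if "UNEXPECTED_NAT_DETECTED" in reply:
            return False
        return self.return_routability_check()

    def return_routability_check(self) -> bool:
        """The peer must echo a fresh COOKIE2 over the address pair now in use."""
        cookie = os.urandom(16)
        return self._send({"COOKIE2": cookie}).get("COOKIE2") == cookie


def natpt_path(src: str, dst: str) -> tuple[str, str]:
    """Constructed NAT-PT behaviour: an IPv6 pair is rewritten to an IPv4 pair (one fixed mapping)."""
    if ipaddress.ip_address(src).version == 6:
        return "198.51.100.20", str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(dst)) & 0xFFFFFFFF))
    return src, dst
```

Running `MobileNode(VpnGateway()).establish("192.0.2.10")` followed by `on_address_change("2001:db8:1::10")` reproduces the IPv4-to-IPv6 handover of the text: the gateway's SA endpoints become (5ef0:3248::c800:1, 2001:db8:1::10) purely from the addresses of the packet that carried UPDATE_SA_ADDRESSES. The same handover through `natpt_path` fails with UNEXPECTED_NAT_DETECTED, which is the reason NAT prohibition cannot be used together with the NAT-PT scheme.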
- The embodiment provided by the invention solves the two problems identified in the prior art by using the MOBIKE protocol to update the SA address entries and by having the VPN gateway assign the VPN tunnel inner address to the mobile node. It allows, during the IPv4-to-IPv6 transition period, with IPv4 as the backbone of the IPv4-v6 hybrid environment, a mobile node to access the VPN service and to keep communicating normally while switching between networks.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a virtual private network (VPN) gateway, an IPv6 network system, a system for implementing a mobile virtual private network in a hybrid network, and the corresponding method. The invention is used in a hybrid network comprising an IPv4 network and an IPv6 network, in which a VPN gateway is deployed; the VPN gateway provides an internal interface with an IPv6 address and an external interface with an IPv4 address. The method comprises: first, establishing a first tunnel between the VPN gateway and the external network for carrying the packets exchanged between the external network and the IPv6 network inside the VPN, the addresses at the two ends of the tunnel being the IPv4 address in the external network and the IPv4 address of the external interface provided by the VPN gateway; then, transmitting through that tunnel the VPN packets that need to be transmitted, so as to provide the VPN service. By means of the present invention, the mobile VPN service can also be provided over the hybrid network during the evolution from the IPv4 network to the IPv6 network.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2006100584520A CN101043411B (zh) | 2006-03-24 | 2006-03-24 | Method and system for implementing mobile VPN in a hybrid network |
CN200610058452.0 | 2006-03-24 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007109963A1 true WO2007109963A1 (fr) | 2007-10-04 |
Family
ID=38540796
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2007/000446 WO2007109963A1 (fr) | 2006-03-24 | 2007-02-08 | Virtual private network gateway and IPv6 network system, and system and corresponding method for implementing a mobile virtual private network in a hybrid network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101043411B (fr) |
WO (1) | WO2007109963A1 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102469063A (zh) * | 2010-11-03 | 2012-05-23 | 中兴通讯股份有限公司 | Routing protocol security association management method, device and system |
CN103475646A (zh) * | 2013-08-23 | 2013-12-25 | 天津汉柏汉安信息技术有限公司 | Method for preventing malicious ESP packet attacks |
CN112437467A (zh) * | 2020-10-23 | 2021-03-02 | 中国人民解放军61062部队 | Ad hoc network tunnel communication method without a home agent |
CN113438108A (zh) * | 2021-06-22 | 2021-09-24 | 京信网络系统股份有限公司 | Communication acceleration method and device, base station, and computer-readable storage medium |
CN116107229A (zh) * | 2023-03-02 | 2023-05-12 | 常熟理工学院 | ZigBee-based IoT smart home monitoring method, system and remote terminal |
Families Citing this family (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4623177B2 (ja) * | 2008-09-17 | 2011-02-02 | 富士ゼロックス株式会社 | Information processing system |
CN101399838B (zh) * | 2008-10-29 | 2012-01-25 | 成都市华为赛门铁克科技有限公司 | Packet processing method, device and system |
CN102104634B (zh) * | 2009-12-17 | 2013-08-07 | 华为技术有限公司 | Method, device and system for communication between a non-LISP site and a LISP site |
EP2564579A4 (fr) | 2010-04-26 | 2016-10-12 | Nokia Technologies Oy | Method and apparatus for synthesized address detection |
CN102347993B (zh) * | 2010-07-28 | 2014-03-26 | 中国移动通信集团公司 | Network communication method and device |
CN102469449B (zh) * | 2010-11-15 | 2016-03-30 | 上海贝尔股份有限公司 | Route optimization method in IPv6 low-power wireless personal area networks |
EP2649766A4 (fr) * | 2010-12-11 | 2014-06-04 | Hewlett Packard Development Co | Searching for computer network nodes |
WO2013034100A2 (fr) * | 2011-09-08 | 2013-03-14 | 北京智慧风云科技有限公司 | Communication system and method based on different IP protocols |
CN103001844A (zh) * | 2011-09-09 | 2013-03-27 | 华耀(中国)科技有限公司 | IPv6 network system and data transmission method thereof |
CN102904814B (zh) * | 2012-10-19 | 2015-09-16 | 福建星网锐捷网络有限公司 | Data transmission method, source PE, destination PE and data transmission system |
CN104348821B (zh) * | 2013-08-08 | 2018-04-27 | 联想(北京)有限公司 | Method, device and system for managing IPv4/IPv6 services |
CN105681249B (zh) * | 2014-11-17 | 2019-09-13 | 中国移动通信集团公司 | Network access method and network conversion device |
CN104601577A (zh) * | 2015-01-16 | 2015-05-06 | 网神信息技术(北京)股份有限公司 | Method and device based on a VPN switching protocol |
CN105025004B (zh) * | 2015-07-16 | 2018-01-02 | 东南大学 | Dual-stack IPsec VPN device |
CN105530159B (zh) * | 2016-01-19 | 2018-12-18 | 武汉烽火网络有限责任公司 | Method and system for implementing VPN interworking across IPv6 and IPv4 |
CN109067933B (zh) * | 2018-07-25 | 2021-12-24 | 赛尔网络有限公司 | Tunnel-based IPv4 and IPv6 network communication system and method |
CN108986440B (zh) * | 2018-09-27 | 2020-07-17 | 深圳友讯达科技股份有限公司 | Multi-network converged meter reading system and address allocation method for the meter reading system |
CN110086702B (zh) * | 2019-04-04 | 2021-09-21 | 杭州迪普科技股份有限公司 | Packet forwarding method and device, electronic apparatus and machine-readable storage medium |
CN115567484B (zh) * | 2021-06-30 | 2024-11-26 | 中国电信股份有限公司 | Data forwarding method, network-side edge router and network system |
CN115296988B (zh) * | 2022-10-09 | 2023-03-21 | 中国电子科技集团公司第三十研究所 | Method for implementing dynamic networking of IPsec gateways |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1376351A (zh) * | 1999-09-24 | 2002-10-23 | 英国电讯有限公司 | Packet network connection |
WO2004082192A2 (fr) * | 2003-03-10 | 2004-09-23 | Cisco Technology, Inc | Device enabling IPv6 mobile routers to traverse an IPv4 network |
JP2005086256A (ja) * | 2003-09-04 | 2005-03-31 | Kddi Corp | Tunnel gateway device |
CN1710877A (zh) * | 2004-06-16 | 2005-12-21 | 华为技术有限公司 | System and method for implementing a hybrid-site, hybrid-backbone virtual private network |
CN1711739A (zh) * | 2002-11-13 | 2005-12-21 | 汤姆森许可贸易公司 | Method and device supporting the 6to4 tunnel protocol across network address translation mechanisms |
CN1848802A (zh) * | 2005-11-25 | 2006-10-18 | 清华大学 | P2P-based method for high-performance IPv6 interconnection over IPv4 |
- 2006
- 2006-03-24 CN CN2006100584520A patent/CN101043411B/zh not_active Expired - Fee Related
- 2007
- 2007-02-08 WO PCT/CN2007/000446 patent/WO2007109963A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN101043411A (zh) | 2007-09-26 |
CN101043411B (zh) | 2012-05-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101043411B (zh) | | Method and system for implementing mobile VPN in a hybrid network |
CA2521505C (fr) | | Mobile Ethernet |
EP2466985B1 (fr) | | Network based on an identifier/locator split architecture |
US7616615B2 (en) | | Packet forwarding apparatus for connecting mobile terminal to ISP network |
US8873578B2 (en) | | Method and apparatus for use in a communications network |
US20010036184A1 (en) | | Method for packet communication and computer program stored on computer readable medium |
WO2003085847A2 (fr) | | Methods and apparatus for supporting session registration messaging |
JP2011515945A (ja) | | Method and apparatus for communicating data packets between local networks |
WO2010127610A1 (fr) | | Method, equipment and system for processing virtual private network node information |
AU2004209863A1 (en) | | Methods and apparatus for supporting an internet protocol (IP) version independent mobility management system |
JP5147995B2 (ja) | | Host Identity Protocol server address configuration |
WO2007112645A1 (fr) | | Method and system for implementing a mobile virtual private network |
US20120271965A1 (en) | | Provisioning mobility services to legacy terminals |
WO2007022683A1 (fr) | | Method for communication between a mobile IPv6 node and an IPv4 communication partner |
KR101901341B1 (ko) | | Network access method and apparatus supporting mobility of user equipment |
WO2011032462A1 (fr) | | Data sending and receiving method, and corresponding system and router |
WO2011032447A1 (fr) | | Method, system and communication terminal for implementing interworking between a new network and the Internet |
WO2007036146A1 (fr) | | Method, system and device for communication between a mobile IPv6 node and an IPv4 communication partner |
US20090300217A1 (en) | | Method and apparatus for dynamically assigning unique addresses to endpoints |
KR100737140B1 (ko) | | Apparatus and method for processing Internet Protocol virtual private network services in mobile communications |
WO2007143955A1 (fr) | | Apparatus and method for enabling a dual-stack mobile node to move to an IPv4 network |
Jung et al. | | Mobile-oriented future internet (MOFI): Architecture and protocols |
NGUYEN | | State of the art of Mobility Protocols |
WO2011054362A1 (fr) | | Method and network system for providing network access to at least one client device via a mobile network |
White et al. | | Network Working Group Internet-Draft, D. Farinacci, D. Lewis, D. Meyer (cisco Systems), intended status Informational, expires April 26, 2012 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07702316; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07702316; Country of ref document: EP; Kind code of ref document: A1 |