
WO2008014723A1 - Method and device for implementing a virtual private network (VPN) based on an IPv6 address structure - Google Patents

Info

Publication number
WO2008014723A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
site
address
packet
information
Prior art date
Application number
PCT/CN2007/070376
Other languages
English (en)
Chinese (zh)
Inventor
Bin Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008014723A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the present invention relates to the field of communications, and in particular, to a technology for implementing a virtual private network based on an IPv6 address structure.
  • the IPv6 address is more clearly hierarchical, for example:
  • the IPv6 address is divided into multiple global routing levels.
  • the Internet address authority assigns address blocks to the top-level aggregation (TLA), which can be assigned to permanent Internet service providers and telecom operators.
  • TLA: top-level aggregation
  • NLA: next-level aggregation
  • the NLA provider
  • the NLA can divide its address down to its subscribers. Since the NLA addresses under the same TLA have the same TLA prefix, the routing efficiency is better. Moreover, subscribers with the same provider have the same NLA address prefix.
  • the aggregation-based allocation scheme is based on a number of high-level switching nodes through which permanent Internet service providers and telecom operators are interconnected. Because information exchange is global, these switching nodes with IPv6 address classes have a certain geographical distribution. Typically, these nodes are provided to large operators.
  • the first three bits indicate the address type, such as unicast or multicast.
  • the next 13 bits are assigned to different TLAs in the world.
  • the next 32 bits are assigned to the next level of providers and subscribers.
  • next level of aggregation can be divided into NLA address fields to create their own level, such as mapping NLA addresses to existing larger ISPs, subdividing them to smaller ISPs, and so on.
  • IPv6 class routing is the only way for the backbone router to control the routing table.
  • the subscriber's internal network segment can be accessed through the advanced aggregation point, which allows the backbone router to summarize the routing table through the TLA address prefix.
  • a higher level (hierarchical) router can only look at the TLA address prefix to quickly calculate the route.
  • the large hierarchical address space of IPv6 allows for more distributed address allocation.
  • the aggregate-based address is only part of the IPv6 address space, and other address ranges are assigned to the site-local address and the link-local address when multicasting, or when there is only one unique address within a limited range.
  • Link-local address: used internally by the enterprise, not by public registries. Link-local addresses are used for link-scoped applications, or as a temporary ("bootstrapping") site address before some sites obtain global unicast addresses.
  • Site-local address: the address used within a site, similar to an IPv4 private network address.
  • Multicast address: defines a set of interfaces. Packets sent to a multicast address are delivered to all interfaces of the multicast group. There is no broadcast address in IPv6; the broadcast address is replaced by a multicast address.
  • FFx1: node-local scope, never forwarded off the node.
  • FFx2: link-local scope, not forwarded by routers (for link scope).
  • FFx5: site-local scope, not forwarded out of the site.
  • FFx8: organization-local scope, not forwarded out of the organization. This type of address is controlled by a routing protocol. FFxE: global scope.
  • Anycast address Used for a set of interfaces. However, packets forwarded to anycast address will be routed to the nearest interface in the set of interfaces that have the address. The anycast address and the global address are in the same range.
  • IPv6 address embedded in IPv4 address The IPv6 transition mechanism provides a technology for transmitting IPv6 packets in a tunnel manner through the IPv4 routing structure.
  • An IPv6 node using this technique is assigned a special IPv6 unicast address whose lower 32 bits are an IPv4 address. This address is called an "IPv4-compatible IPv6 address" and has the following format:
  • IPv4-compatible IPv6 address must be a unique global unicast IPv4 address.
  • a second form of IPv6 address embedding an IPv4 address is defined. It uses an IPv6 address to represent an IPv4 node; this address is called an "IPv4-mapped IPv6 address" and has the following format:
  • the prior art related to the present invention is the IPv6 over BGP/MPLS VPN technology.
  • the backbone network must be required to support MPLS.
  • some label distribution protocol, such as LDP, must be run, which brings additional overhead.
  • the embodiment of the invention provides a method and a device for implementing a virtual private network based on an IPv6 address structure, so as to carry VPN traffic on a pure IPv6 network and solve the prior-art problems that the backbone network must support MPLS and that MPLS encapsulation of IPv6 packets adds overhead.
  • An embodiment of the present invention provides a method for implementing a virtual private network based on an IPv6 address structure, including:
  • the embodiment of the present invention provides a method for implementing a virtual private network, including:
  • An embodiment of the present invention provides a device for implementing a virtual private network, including:
  • the routing information establishing unit is configured to establish routing information of each site in the VPN according to a VPN local address and a VPN global address of each site in the VPN, where the VPN local address and the VPN global address of each site in the VPN are based on
  • the VPN packet transmission processing unit is configured to transmit, according to the routing information established by the routing information establishing unit, VPN packets exchanged between sites in the VPN.
  • the embodiment of the present invention sets a VPN local address and a VPN global address of each site in the virtual private network (VPN) based on the IPv6 address structure, then establishes routing information of each site in the VPN according to the set local address and global address, and transmits VPN packets through each site in the VPN according to the routing information.
  • the IPv6 address is used to accommodate the VPN information, and the forwarding process of VPN packets and ordinary IP packets is unified, so that VPN traffic can be carried on a pure IPv6 network, thereby solving the problems that the prior art backbone network must support MPLS and that MPLS encapsulation of IPv6 packets causes additional overhead;
  • Figure 1 is a schematic diagram of a VPN structure
  • the embodiments of the present invention provide a technical solution for implementing a virtual private network based on an IPv6 address structure, which mainly includes: first setting a VPN local address and a VPN global address of each site in the virtual private network (VPN) based on the IPv6 address structure; then establishing routing information of each site in the VPN according to the set local address and global address, and transmitting VPN packets through each site in the VPN according to the routing information.
  • the mapping relationship between the VPN local address and the VPN global address is also established, so that VPN packets can be forwarded according to the mapping relationship.
  • the process of establishing the routing information of each site in the VPN according to the local address and the global address, and transmitting the VPN packet between the sites in the VPN according to the routing information may include:
  • the step (1) may specifically include any of the following implementation manners:
  • when unicast traffic exists in the VPN, the PE device generates an IPv6 aggregation route for each site in the VPN according to the VPN site ID.
  • the PE device advertises the IPv6 aggregation route to the P device and/or the destination PE of the VPN through a routing protocol; the P device and/or the destination PE compares the VPN ID information included in the VPN site ID with the VPN ID in the locally configured VPN site ID. If they are the same, the route is saved; otherwise, the route is discarded.
  • each VPN site is configured with VPN group ID information, and the site is added to the multicast group through the multicast routing protocol according to the assigned VPN group ID information.
  • Implementation mode three
  • the PEs of the VPN configure each site in the VPN, and allocate VPN site ID information, ingress route target RT information, and egress RT information for each site.
  • when unicast traffic exists in the VPN, the PE device generates IPv6 aggregate routing information according to the VPN site ID information, the ingress RT information and the egress RT information, adds the RT extended community attribute included in the egress RT information to the IPv6 aggregate routing information, and then advertises it to the P device and/or the destination PE of the VPN through a routing protocol;
  • the P device and/or the destination PE compares the RT extended community attribute information in the VPN route with the RT extended community attribute information in the locally configured ingress RT information; if at least one RT extended community attribute is the same, the route is saved; otherwise, the route is discarded.
  • step (2) may be performed by statically configuring, at each VPN site, the routing information between the VPN site and its associated sites; or by running a routing protocol between the PE devices so that each VPN site obtains the routing information of the sites associated with it. If the latter implementation is adopted, the corresponding processing may specifically include:
  • the local PE device sends the VPN routing information of the site set on it to the target PE device, where the VPN routing information carries the VPN site ID information of the site;
  • when receiving the VPN routing information, the target PE checks, according to the VPN site ID information, whether it has a site belonging to the same VPN as the site set on the local PE; if so, the information of that site is added to the routing information of the site set on the local PE.
  • when packets are forwarded between sites in the VPN, the corresponding processing may include:
  • the source address and the destination address of the VPN packet are constructed according to the VPN local address of each site in the set VPN, and the VPN packet is forwarded to the site corresponding to the destination address by the standard unicast/multicast forwarding mechanism according to the routing information configured on the site.
  • the corresponding processing may specifically include any one of the following two methods:
  • the ingress PE analyzes the received packet to obtain the site corresponding to the source address of the packet;
  • the source address is converted into the source VPN global address by adding the VPN site ID information of the corresponding site, and the destination address of the packet is converted into the destination VPN global multicast address by adding the VPN group ID information.
  • the multicast group information stored on the PE device is searched according to the VPN group ID information, and the destination VPN site ID information is obtained, and the packet is multicasted to the corresponding site according to the destination VPN site ID information.
  • the corresponding processing may include: when the P device receives a unicast packet, it forwards the packet to the egress PE using standard IPv6 routing according to the obtained aggregated route of the destination site; or, when the P device receives a multicast packet, it searches the multicast routing information according to the VPN group ID information in the VPN global multicast address carried in the packet, obtains the site ID information of each site in the corresponding multicast group, and multicasts the packet to each site in that group according to the obtained site ID information.
  • the corresponding processing may specifically include any of the following implementation manners:
  • the source and destination global addresses of the packet are translated into unicast local addresses in the VPN.
  • the source global address of the packet is translated into a local address in the VPN.
  • the packet is forwarded according to the group ID information in the multicast local address of the VPN.
  • the corresponding processing may include: the VPN site converts the source local address of the site in the VPN into the source global address according to the VPN site ID information, translates the local address into an Internet global address, and accesses the Internet based on the converted Internet global address.
  • before performing step (3), the method further includes: configuring, on the ingress PE device, the interface connected to the VPN site to receive only packets whose destination address is a VPN local address or an Internet global address and to refuse packets whose destination address is a VPN global address; and configuring the P device to reject packets whose source IP address is a VPN local address.
  • the method may further include:
  • after receiving the packet, the egress PE extracts the VPN site ID information from the source address of the packet and checks whether the interface through which the packet entered the egress PE is the interface through which the aggregation route of the site identified by that VPN site ID was obtained. If yes, the packet is forwarded by the egress PE; otherwise, the packet is discarded.
  • step (2) may further include: allocating an IPv4 VPN site ID to the IPv4 site on the PE device and configuring the IPv4 routing information of each IPv4 site on the PE device according to the allocated IPv4 site ID; or assigning an IPv4 VPN group ID to the IPv4 site on the PE device and, using a multicast routing protocol on the PE device, adding each VPN site carrying the allocated IPv4 VPN group ID information to the multicast group.
  • step (2) may further include: allocating IPv4 VPN site ID information to the IPv4 site at each IPv4 site and configuring the IPv4 routing information between the IPv4 site and its associated IPv4 sites according to the allocated IPv4 site ID information; or assigning an IPv4 VPN group ID to the IPv4 site at each IPv4 site and, through a multicast routing protocol at each IPv4 site, adding the VPN sites carrying the assigned IPv4 VPN group ID information to the multicast group.
  • the step (3) may include any one of the following processing modes:
  • the ingress PE first analyzes the source IPv4 address of the packet, searches the configured IPv4 routing information according to the source address to obtain the corresponding destination IPv4 address information, translates the source and destination IPv4 addresses into IPv6 unicast addresses with embedded IPv4 addresses, and forwards the IPv4 packet according to the destination address;
  • the egress device determines, according to the IPv4 VPN site ID information carried in the packet, that the site corresponding to the destination address of the packet is an IPv4 site, searches the IPv4 routing information, converts the destination IPv6 address into an IPv4 destination address, and forwards the packet to the corresponding destination site according to the IPv4 destination address;
  • when receiving an IPv4 multicast packet, the ingress PE first analyzes the source IPv4 address of the packet, searches the configured IPv4 routing information according to the source address to obtain the corresponding destination IPv4 address information, translates the source and destination IPv4 addresses into IPv6 unicast addresses with embedded IPv4 addresses, and forwards the IPv4 packet in the IPv6 network according to the destination address;
  • when the packet arrives at the egress PE device, the egress PE device determines, according to the IPv4 VPN group ID information carried in the packet, that the site corresponding to the destination address of the packet is an IPv4 site, searches the IPv4 routing information, translates the destination IPv6 address into an IPv4 destination address, and forwards the packet to the corresponding destination site according to the IPv4 destination address.
  • the embodiment of the present invention sets a VPN local address and a VPN global address of each site in the virtual private network (VPN) based on the IPv6 address structure, then establishes routing information of each site in the VPN according to the set local address and global address, and transmits VPN packets through each site in the VPN according to the routing information.
  • the IPv6 address is used to accommodate the VPN information, and the forwarding process of VPN packets and ordinary IP packets is unified, so that VPN traffic can be carried on a pure IPv6 network, which solves the problems that the prior art backbone network must support MPLS and that MPLS encapsulation of IPv6 packets causes additional overhead;
  • each site can simultaneously access the Internet and the VPN, which is easy to implement; when crossing autonomous systems, only the routes of the VPN sites and VPN groups are advertised to the adjacent autonomous system, so the autonomous system border router does not need to store/forward VPN routes and does not need a multi-layer label stack.
  • the VPN composition relationship is clear, and the VPN route only needs to carry a fixed-length site ID, which is convenient for processing; the VPN site prefix is added by the operator's PE, a legality check is performed at the ingress PE, and an RPF check is performed at the egress PE to ensure the security of the VPN.
  • the IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.
  • the first embodiment provided by the embodiment of the present invention is based on a VPN structure provided by a conventional operator as shown in FIG. 1 , and includes a CE device, an ingress PE device, a P device, and an egress PE device in the VPN.
  • the PE device and the P device form a VPN public network
  • the CE device and the PE device form a VPN intranet.
  • each site has two IDs, an internal one and a global one, called the VPN local site ID and the VPN global site ID; the global site ID can be the same as the site ID in the VPN public network address, but with a different prefix.
  • Step 100 Set a virtual private network VPN local address and a VPN global address of each site based on the IPv6 address structure, and use the site ID to identify each site in the VPN global address.
  • the VPN local address is set.
  • the VPN local address is valid only in the VPN intranet, and the devices in the VPN intranet access each other.
  • the unicast VPN local address structure is set to the structure shown below:
  • the VPN local address structure is set to the following structure:
  • the V bit (bit 10) in the flgs field is set to 1, indicating a VPN multicast address; to be compatible with RFC 3306, bit 11 is set to 0; the T bit (bit 12) is set to 1, identifying the multicast address as non-permanent.
  • the scop field (bits 13-16) is 1000, indicating a multicast address valid within the VPN intranet. After this setting, the following format is formed:
  • the VPN global address is used to address the destination address in the VPN on the carrier network, that is, the VPN public network.
  • the operator only cares about which VPN site a packet must reach and how the router reaches that VPN site, not how the packet reaches the destination inside the VPN.
  • the VPN global address is different from the global public address.
  • the router must prevent VPN global addresses of different VPNs from reaching each other.
  • the unicast VPN global address is set to the following structure:
  • the VPN global routing prefix is set to include the prefix 002 and a VPN site ID structure; the subnet ID and the interface ID are only used to preserve the VPN internal unicast address and are ignored when addressing on the VPN public network.
  • the multicast VPN global address is set to the following structure:
  • the VPN group ID indicates the multicast group that propagates multicast packets between sites in the VPN.
  • the scop field is set to 1110, indicating that the address is a globally valid multicast address.
  • the group ID is only used to save the multicast address inside the VPN and is ignored when addressing on the public network.
  • the unicast VPN local address and the VPN global address can be mapped to each other.
  • during mapping, the Interface ID and Subnet ID fields remain unchanged; the other fields are processed by adding different prefixes according to the structural characteristics of the global/local address, and by adding or clearing the VPN site ID information.
  • the multicast VPN global address is mapped from the VPN local address.
  • during mapping, the scop field is set according to the characteristics of the global/local address, and the VPN group ID is added or cleared.
  • Step 200 Establish a connection relationship between the sites, that is, a topology relationship of the VPN.
  • the establishment of a VPN topology relationship includes the following three methods:
  • the first type uses a part of the VPN Site ID field in the unicast VPN global address to identify the VPN, that is, the VPN ID. If some Sites belong to the same VPN network, they have the same VPN ID.
  • the format of the VPN site ID is as follows:
  • the second method is to add a route attribute to the VPN site ID field in the unicast VPN global address to express the VPN topology.
  • This routing attribute can be in the format of the Route Target (RT) in the BGP extended community attribute.
  • a VPN relationship between a site and other associated sites is statically configured on the PE device in the VPN to form a VPN topology relationship.
  • Step 300 Configure routing attribute information of each site device in the VPN.
  • the specific implementation process of step 300 is as follows:
  • Step 310 Configure routing information between the sites in the VPN on the PE.
  • during initialization, the PE device configures the VPN. Each site in the network is assigned corresponding VPN site ID information, and the PE device generates an IPv6 aggregation route, called a VPN site route, for example 002:VPN site ID::/48, and advertises it through the routing protocol to the P devices and other PE devices of the VPN.
  • the destination PE device matches the VPN ID information included in the received VPN site ID information against the VPN ID in the locally configured VPN site ID. If they are the same, the route is saved; otherwise, the route is discarded.
  • the specific implementation process includes the following steps:
  • Step 311 Set a VPN site in the PE device, and assign a VPN site ID to the PE device.
  • Step 312 The PE device generates an IPv6 aggregation route, that is, a VPN site route, according to the VPN site ID.
  • Step 313 The PE device advertises the IPv6 aggregation route to the P device and/or the destination PE of the VPN through a routing protocol.
  • Step 314 The P device and/or the destination PE compares the VPN ID information included in the VPN site ID with the VPN ID in the locally configured VPN site ID. If they are the same, the route is saved; otherwise, the route is discarded.
  • the sites belonging to the same VPN are reachable, and the sites that do not belong to the same VPN are unreachable.
  • VPN group ID information is assigned to each VPN site (that is, each VPN site configured on the PE device), and the VPN site is added to the multicast group through the multicast routing protocol.
  • the sites in the VPN are configured on the PEs of the VPN, and each site is allocated its VPN site ID information and its ingress/egress RT lists.
  • based on this information, the PE device generates IPv6 aggregation routing information, for example 002:VPN site ID::/48, adds the RT extended community attribute contained in the egress RT list, and advertises it to the P devices and other PE devices through the routing protocol.
  • the PE device matches the RT list in the received VPN route with its local ingress RT list. If at least one RT extended attribute is the same, the route is saved; otherwise, the route is discarded.
  • VPN topologies such as full mesh and hub-spoke can be constructed in this way, as can intranets and extranets.
  • the specific implementation process includes the following steps:
  • Step 315 During initialization, configure a site in the VPN through the PE device of the VPN, and allocate VPN site ID information, ingress route target (RT) information and egress RT information for each site.
  • Step 316 The PE device generates IPv6 aggregate routing information according to the VPN site ID information, the ingress RT information, and the egress RT information.
  • Step 317 Add, in the IPv6 aggregate routing information, the RT extended community attribute included in the egress RT information, and advertise the same to the P device and/or the destination PE of the VPN through the routing protocol.
  • Step 318 The P device and/or the destination PE compares the RT extended community attribute information in the VPN route with the RT extended community attribute information in the locally configured ingress RT information; if at least one RT extended community attribute is the same, the route is saved; otherwise, the route is discarded.
  • VPN group ID information is allocated to each site when the PEs are configured with the sites in the VPN; the PE device then adds each site carrying that VPN group ID information to the multicast group through the multicast routing protocol.
  • a routing list is formed for each site on the PE, and the site ID information of each site having a VPN relationship with the site is included in the list.
  • Step 320 Configure routing information of the site on each site.
  • the specific implementation process includes the following steps:
  • Step 321 Statically configure routing information between sites;
  • Step 322 Run a routing protocol between the PE device and the PE device to obtain routing information of other sites that belong to the same VPN as the site.
  • step 322 specifically includes:
  • the local PE device advertises the VPN routing information to the target PE device, where the VPN routing information carries the VPN site ID information of the site set on the local PE device.
  • when the target PE receives the VPN routing information, it checks, according to the VPN site ID information, whether it has a site belonging to the same VPN as the site set on the local PE; if so, the information of that site is added to the routing information of the site set on the local PE.
  • the routing information of the Site includes routing information of the site and all sites having a VPN relationship with the site.
  • Step 400 Implement VPN message transmission based on the site routing information set by the foregoing.
  • the specific implementation process is as follows: When forwarding packets between sites within the VPN:
  • a standard single/multicast forwarding mechanism can be adopted.
  • the site forwards the VPN packet to other Site devices in the VPN through the standard unicast/multicast forwarding mechanism.
  • the source/destination addresses carried in the packet are constructed in the VPN internal address format.
  • the global VPN address can only be generated by the PE to prevent forged VPN packets.
  • other interfaces are not allowed to receive packets whose source/destination address is a VPN local address.
  • the P device does not receive packets whose source/destination address is a VPN local address.
  • when the ingress PE device forwards a VPN packet, it first identifies which site the VPN packet belongs to; this is generally identified by the interface/sub-interface, or by methods such as the IPv6 triplet, the IPv4 quintuple, the VLAN or the DSCP.
  • the VPN site ID information is added to the source address structure carried in the packet, converting the source address into the source VPN global address.
  • the site routing information saved on the PE device is searched; after the site ID information of the destination site is found, the destination address carried in the packet is converted into the destination VPN global address according to the destination site ID information, and the packet is then forwarded according to the translated destination VPN global address.
  • when a unicast packet is forwarded by the ingress PE device, the process includes:
  • Step 411 The ingress PE analyzes the received packet, and obtains a site corresponding to the source address of the packet.
  • Step 412 Add the VPN site ID information of the site corresponding to the source address to the packet, and convert the source address into a source VPN global address.
  • Step 413 Search for routing information of the destination site according to the destination address carried in the packet, and obtain the destination VPN site ID information.
  • Step 414 Convert the destination address carried by the packet to the destination VPN global address according to the obtained destination VPN site ID, and forward the packet to the corresponding site according to the destination VPN site ID information.
  • when the ingress PE device forwards multicast packets, the process includes:
  • Step 421 The ingress PE analyzes the received packet, and obtains a site corresponding to the source address of the packet.
  • Step 422 Convert the source address to the source VPN global address by adding the corresponding VPN site ID information of the s i te;
  • Step 423 Convert the destination address carried by the packet to the destination VPN by adding the VPN group ID information.
  • Global multicast address
  • Step 424 Search for the multicast routing information saved on the PE device according to the VPN group ID information, obtain the corresponding destination VPN site ID information, and multicast the packet to the corresponding destination according to the destination VPN site ID information. Site.
  • the P device For unicast packets, the P device has obtained the aggregated route to the destination site. Therefore, the standard IPv6 route forwarding can be used to reach the egress PE. For multicast packets, you need to search for multicast routing information based on the VPN group ID information in the global multicast address of the VPN. Different from the standard multicast forwarding process, it is forwarded according to the multicast aggregation route according to the longest matching method, also known as multicast aggregation route forwarding.
  • the specific implementation process is as follows:
  • Step 431 When receiving the unicast packet, the P device forwards the packet to the egress PE by using a standard IPv6 routing manner according to the obtained aggregated route of the destination site.
  • Step 432 When receiving the multicast packet, the P device searches for multicast routing information according to the VPN group ID information in the VPN global multicast address carried in the packet, and obtains each of the corresponding multicast groups. Site ID information of the site;
  • Step 433 Multicast the multicast packet to each site in the corresponding multicast group according to the obtained site ID information.
  • the method is: after the egress PE receives the packet, first extracts the VPN site ID information in the source address in the packet; and then, according to the VPN site ID information, checks that the packet enters the egress PE. If the interface is the interface that obtains the VPN site aggregation route, the packet is forwarded by the egress PE. Otherwise, the packet is discarded.
  • the unicast packet When forwarding a VPN packet on the egress PE, the unicast packet is first converted into a unicast local address in the VPN, and then the local site is searched according to the site ID information in the translated destination address. Routing information, and forwarding the VPN packet according to the information.
  • the source address is translated into the multicast local address of the VPN
  • the destination global address is translated into the multicast local address of the VPN according to the VPN group ID information in the destination address.
  • the group ID information in the address forwards the message.
  • Step 451 When the egress PE device receives the unicast packet, the source and destination global addresses of the packet are translated into a unicast local address in the VPN.
  • Step 452 Search and obtain local route information of the corresponding site according to the VPN site ID information in the destination global address.
  • Step 453 Forward the packet according to the obtained local routing information.
  • the egress packet When the egress packet is forwarded by the egress PE device, it includes:
  • Step 454 When the egress PE device receives the multicast packet, the source global address of the packet is translated into a local address in the VPN.
  • Step 455 Search and obtain the local routing information of the corresponding site according to the VPN group ID information in the destination address of the packet, and convert the destination global address address into a multicast local address in the VPN according to the obtained local routing information.
  • Step 456 Forward the packet according to the group ID information in the multicast local address of the converted VPN.
  • the above process describes the process of accessing each site in the VPN. In addition to accessing other sites in the VPN, the VPN site can also access the Internet.
  • the VPN site When the VPN site accesses the Internet, the VPN site converts the local address of the site in the VPN into an Internet global address according to the VPN site ID information, and accesses the Internet according to the converted Internet global address.
  • the above format is RFC3587 standard format, where the global routing prefix can be automatically generated by the VPN site ID.
  • the standard IPv6 routing and forwarding mode is adopted when forwarding VPN packets. Therefore, when spanning the autonomous system, only the sites in the VPN or the multicast groups in the VPN are required. The routing information is advertised to the neighboring autonomous system, and the routes of the sites in the VPN are distributed between the PE devices belonging to the same VPN network.
  • the embodiment of the present invention can also implement interconnection of IPV4 sites, that is, multiple IPv4s through an IPv6 backbone network. The network is connected to each other or to a VPN user with an IPv4 address. For a unicast packet, the PE device in the VPN still assigns an IPv6 VPN site ID to each IPv4 site.
  • the IPv4 site For multicast packets, for each multicast packet, the IPv4 site still assigns a VPN group ID and maintains the IPv4 routing information and saves it to the IPv4 routing information. However, the IPv4 routing information carries a routing attribute, including the VPN site ID to which the IPv4 belongs.
  • the PE device After the VPN topology is discovered, after the PE device obtains the IPv4 route from the site, the PE site ID attribute is added to other PEs. The destination PE device checks whether the site belongs to the same VPN as the local site. Then save this route, otherwise discard.
  • the unicast packet from the CE device to the PE device determines which site it originates from based on the inbound interface, and then searches the IPv4 routing table, determines the destination site, and then translates the source/destination IPv4 address into an IPv6 VPN with embedded IPv4.
  • Unicast address the format is as follows:
  • the VPN site ID finds the next hop for forwarding according to the destination site.
  • the P device searches for the aggregated route of the VPN site according to the address and forwards the packet.
  • the IPv4 routing table is forwarded to the IPv4 address and the IPv4 routing table is forwarded to the CE.
  • the multicast packet that enters the PE from the CE is first determined according to the inbound interface and other information, determines the VPN site, determines the VPN group, and then translates the source address into an IPv6 VPN unicast address embedded with IPv4, and translates the destination address into the embedded address.
  • IPv4 IPv6 VPN multicast address in the following format:
  • IPv4 address 11111111
  • IPv4 address IPv4 address Then forwarded in the backbone network according to the VPN group.
  • the egress PE When the egress PE is reached, it knows that its destination is an IPv4 site, translates it to an IPv4 multicast address, and forwards it to the CE based on the VPN group ID.
  • the embodiment of the present invention utilizes an IPv6 address structure, and can form a VPN address without adding a VPN prefix.
  • the addressing of the local address and the encapsulation of VPN packets in the VPN network are all based on IPv6.
  • the address structure, the route of the site in the VPN network does not need to adopt a special method, and can be implemented by using ordinary IPv6 routes, and does not need to use a special tunnel to encapsulate VPN packets. And there is no need to save inside the VPN backbone. There is also no need to publish routing information for each site within the VPN. Therefore, it has the following significant effects:
  • IPv6 address is used to accommodate VPN information, and no additional overhead is required for VPN packets.
  • the forwarding process of the VPN packets and the common IP packets is unified, and the VPN traffic can be carried on the pure IPv6 network.
  • the P device maintains only the VPN site aggregation route, and the overhead is small.
  • the VPN has a clear relationship.
  • the VPN route only needs to carry a fixed-length site ID for easy processing.
  • the site can access the Internet and the VPN at the same time, which is easy to implement;
  • the VPN site prefix is added by the operator PE, and the legitimacy check is performed on the ingress PE, and the RPF check is performed on the egress PE to ensure the security of the VPN.
  • IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.
  • the method of crossing the autonomous system is simple to implement. There is no need for the autonomous system border router to store/forward VPN routes, and there is no need for a multi-layer label stack.
  • each site can access the Internet and the VPN at the same time, thereby facilitating the implementation; when crossing the autonomous system, only the routes of the VPN site and the VPN group are advertised to the adjacent autonomous system.
  • the autonomous system border router does not need to store/forward the VPN route, and the multi-layer label stack is not required, so that the implementation is relatively simple.
  • the VPN has a clear relationship, and the VPN route only needs to carry a fixed-length site ID, which is convenient for processing.
  • the VPN site prefix is added by the operator PE, and the entry PE performs the legality check, and the egress PE performs the RPF check to ensure the security of the VPN.
  • the IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.
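The ingress translation with its legitimacy check, and the egress RPF check with the reverse translation, modelled in Python as an added example (this is not code from the patent). It assumes a constructed layout the page does not fix: a 48-bit global routing prefix made of the operator prefix 2001:db8::/32 plus a 16-bit site ID, with the low 80 bits copied from the local address; site prefixes and interface names are constructed too.

```python
from ipaddress import IPv6Address, IPv6Network

# Assumed layout (the page fixes no bit widths): global routing prefix =
# 32-bit operator VPN prefix + 16-bit site ID; the low 80 bits (subnet ID +
# interface ID) are copied unchanged from the site's local address.
VPN_PREFIX = 0x20010DB8          # constructed operator prefix, 2001:db8::/32
LOW80 = (1 << 80) - 1

def to_global(local, site_id):
    """Ingress PE: embed the site ID, producing the VPN global address."""
    return IPv6Address((VPN_PREFIX << 96) | (site_id << 80) | (int(local) & LOW80))

def to_local(glob, site_prefix):
    """Egress PE: restore the site's local prefix, dropping the site ID."""
    return IPv6Address((int(site_prefix.network_address) & ~LOW80) | (int(glob) & LOW80))

def site_id_of(addr):
    return (int(addr) >> 80) & 0xFFFF

def is_vpn_global(addr):
    return (int(addr) >> 96) == VPN_PREFIX

class PE:
    def __init__(self, site_prefixes, attached, agg_routes):
        self.site_prefixes = site_prefixes  # site ID -> local prefix (VPN site routes)
        self.attached = attached            # site ID -> customer-facing interface
        self.agg_routes = agg_routes        # site ID -> backbone interface the aggregation route came from

    def ingress(self, in_iface, src, dst):
        """Returns (src global, dst global, dst site ID) or None to discard."""
        src, dst = IPv6Address(src), IPv6Address(dst)
        # Legitimacy check: only the PE may mint VPN global addresses, so a
        # packet already carrying one on a customer interface is forged.
        if is_vpn_global(src) or is_vpn_global(dst):
            return None
        src_site = next((s for s, i in self.attached.items() if i == in_iface), None)
        if src_site is None or src not in self.site_prefixes[src_site]:
            return None
        # Destination site: longest-prefix match over the VPN's site routes.
        hits = [(p.prefixlen, s) for s, p in self.site_prefixes.items() if dst in p]
        if not hits:
            return None
        dst_site = max(hits)[1]
        return str(to_global(src, src_site)), str(to_global(dst, dst_site)), dst_site

    def egress(self, in_iface, src, dst):
        """Returns (out interface, src local, dst local) or None to discard."""
        src, dst = IPv6Address(src), IPv6Address(dst)
        src_site, dst_site = site_id_of(src), site_id_of(dst)
        # RPF check: the source site's aggregation route must have been
        # learned on the interface the packet arrived on.
        if self.agg_routes.get(src_site) != in_iface or src_site not in self.site_prefixes:
            return None
        if dst_site not in self.attached:
            return None
        return (self.attached[dst_site],
                str(to_local(src, self.site_prefixes[src_site])),
                str(to_local(dst, self.site_prefixes[dst_site])))

# Constructed topology: site 1 attached to PE1, site 2 attached to PE2.
SITES = {1: IPv6Network("fd00:0:1::/48"), 2: IPv6Network("fd00:0:2::/48")}
PE1 = PE(SITES, {1: "ge0"}, {2: "core0"})
PE2 = PE(SITES, {2: "ge1"}, {1: "core1"})
```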

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention concerns a method and a device for implementing a virtual private network based on an IPv6 address structure, which mainly consists of the following: first, the VPN local address and the VPN global address of each site in the virtual private network are based on an IPv6 address structure; next, the routing information of each site in the VPN is established from the fixed local address and the fixed global address, and according to that routing information the VPN packet is forwarded via the respective site in the VPN. Not only can the VPN information be contained in the IPv6 address, but also, depending on the difference of the destination address prefixes, each site can access the Internet and the VPN; when an autonomous system is crossed, only the routes of the VPN site and the VPN group are distributed to the neighboring autonomous system.
PCT/CN2007/070376 2006-07-27 2007-07-27 Procédé et dispositif permettant la mise en oeuvre d'un réseau privé virtuel (vpn) fondé sur une structure d'adresse ipv6 WO2008014723A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2006101038177A CN101114971A (zh) 2006-07-27 2006-07-27 基于IPv6地址结构实现虚拟专用网的方法
CN200610103817.7 2006-07-27

Publications (1)

Publication Number Publication Date
WO2008014723A1 true WO2008014723A1 (fr) 2008-02-07

Family

ID=38996896

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070376 WO2008014723A1 (fr) 2006-07-27 2007-07-27 Procédé et dispositif permettant la mise en oeuvre d'un réseau privé virtuel (vpn) fondé sur une structure d'adresse ipv6

Country Status (2)

Country Link
CN (1) CN101114971A (fr)
WO (1) WO2008014723A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572993A (zh) * 2012-01-31 2012-07-11 北京航空航天大学 一种基于综合能力评选的机会网络Anycast路由方法
CN113300949A (zh) * 2020-02-24 2021-08-24 华为技术有限公司 转发报文的方法、发布路由信息的方法、装置及系统

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808038B (zh) * 2010-03-29 2012-02-08 杭州华三通信技术有限公司 一种vpn实例的划分方法和设备
CN102404716A (zh) * 2010-09-07 2012-04-04 上海贝尔股份有限公司 用于在基于ip的无线传感器网络中进行数据传输的方法和设备
CN107483311B (zh) 2012-09-20 2020-07-21 华为技术有限公司 Vpn实现方法和pe设备
CN102904814B (zh) * 2012-10-19 2015-09-16 福建星网锐捷网络有限公司 数据传输方法、源pe、目的pe和数据传输系统
CN102932231B (zh) * 2012-11-28 2015-05-20 杭州华三通信技术有限公司 一种减少更新报文的方法和服务提供商网络边缘设备
CN103166874B (zh) 2013-03-25 2016-03-02 杭州华三通信技术有限公司 一种报文转发方法及设备
CN104158737B (zh) 2013-05-15 2017-07-28 华为技术有限公司 一种控制路由信息发布的方法、装置和系统
CN105491558A (zh) * 2014-09-18 2016-04-13 北京信威通信技术股份有限公司 一种集群组的IPv6组播地址生成方法
CN109412952B (zh) * 2018-12-13 2019-09-06 北京华三通信技术有限公司 路由信息发布方法及装置
CN110266592B (zh) * 2019-06-21 2021-07-30 Ut斯达康通讯有限公司 Srv6网络与ip mpls网络的通信方法及装置
CN111131049B (zh) 2019-12-31 2021-08-27 苏州盛科通信股份有限公司 路由表项的处理方法及装置
CN113098770B (zh) * 2020-01-08 2024-04-16 华为技术有限公司 报文发送方法、路由表项的生成方法、装置及存储介质

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697408A (zh) * 2004-05-14 2005-11-16 华为技术有限公司 一种基于IPv6的虚拟专用网管理路由的方法
CN1710877A (zh) * 2004-06-16 2005-12-21 华为技术有限公司 实现混合站点混合骨干网虚拟专用网的系统和方法

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572993A (zh) * 2012-01-31 2012-07-11 北京航空航天大学 一种基于综合能力评选的机会网络Anycast路由方法
CN113300949A (zh) * 2020-02-24 2021-08-24 华为技术有限公司 转发报文的方法、发布路由信息的方法、装置及系统
CN113300949B (zh) * 2020-02-24 2022-12-06 华为技术有限公司 转发报文的方法、发布路由信息的方法、装置及系统

Also Published As

Publication number Publication date
CN101114971A (zh) 2008-01-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07764296

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07764296

Country of ref document: EP

Kind code of ref document: A1