JP2006352182A - Method and apparatus for dynamically allocating agent of mobile vpn - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method and a system for designating the dynamic agent of a mobile VPN (virtual private network) in which roaming can be safely performed in an external network. <P>SOLUTION: When an MN (mobile node) performs roaming, an IP address is allocated by a DHCP server, and an x-HA (external home agent) logs in. The x-HA sends authorization acknowledgement request information to a foreign AAA server, and the foreign AAA server enters the access symbol of the x-HA and sends it to a home AAA server. Home agent request information is generated, an external home address is designated for the MN via the x-HA, and the foreign home address and its own address are set in home agent answer information and transmitted to the home AAA server. The home AAA server logs in an i-HA (internet home agent) with the external home address as the relay address of the MN, authorization acknowledgement answer information is transmitted to the x-HA, and the x-HA acquires registration response information including the external home address and the home agent address and transfers it to the MN. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  TECHNICAL FIELD The present invention relates to a method and system for assigning a dynamic home agent (Home Agent) of a mobile virtual private network (VPN), and in particular, in a VPN on an Internet communication security agreement (IPSec) frame, The present invention relates to a method and system for providing mobile node login by dynamically specifying.

  A virtual private network (hereinafter referred to as VPN) uses a wide area network (for example, the Internet) to construct a dedicated network path between a remote user's computer and a home network server. Provides security, such as being inside a private LAN, transmitting data, and closing.

VPN requires the following basic requirements to confirm safety:
1． User verification: The VPN must authenticate the identity of the user, and must strictly adhere to the discipline that only authorized users can log in.
2． Address management: A VPN must always assign a dedicated network address to the user and ensure the security of the address.
3． Data encryption: Data transmitted over the Internet must be encrypted to ensure that other unauthorized users on the Internet cannot read the data information.
Four. Encryption key management: A VPN must always be able to generate and update encrypted keys between the user's computer and the server.
Five. Supporting various agreements: VPNs must have basic agreements for general use, including IP, IPX, PPTP (point-to-point passage agreement), L2TP (second-tier passage agreement) or IPSec (Internet communication security agreement) on the Internet. You must be able to help.

  An Internet Communication Agreement (IP) is a communication agreement for transmitting material over a computer network (eg, the Internet), however, IP does not define any security mechanisms. Therefore, the Internet Engineering Task Force (hereinafter abbreviated as IETF) has defined an IPSec agreement in the "Request for Comments (RFC)" 2401 communication standard. This is a method of encrypting IP flow, and is a standard that protects network communications to prevent material changes, third-party eavesdropping, impersonation, theft and re-advertisement.

  However, how to build a mobile VPN by wireless transmission network is already a very important research subject for rapid development of wireless network technology. Mobile VPN using wireless technology defined both IETF and Mobile IPv4 (IETF RFC3344) agreement standards, but the Mobile IPv4 standard still has some problems that need to be solved. .

  For example, when one mobile node (hereinafter abbreviated as MN) (for example, an action computer equipped with wireless network equipment) roams on one intranet, one home agent (Home Agent, HA) designates one mobile IP (Mobile IP, hereinafter abbreviated as MIP) as the MN. When the MN roams from the intranet to one external network (Internet), for example, when in a home or a branch office outside the MN, the MN receives one IPSec from a local foreign agent (FA). By entering a security-based VPN gateway (VPN Gateway) and logging in to the home agent (HA), the VPN gateway is configured to establish an IPSec path for the foreign agent (FA).

  The MN can obtain one new relay address (Care of Address, hereinafter abbreviated as CoA) from the roaming external network, and the MN roams to the new subnetwork each time in the VPN gateway. Sometimes requires that the IPSec path be updated. However, all data packet information entering the VPN gateway is encrypted to the IPSec security standard, but the foreign agent (FA) cannot decrypt these encrypted data packets, so The agent (FA) cannot transmit this IP information.

  In order to solve the above-mentioned problems, the IETF Mobile Ipv4 Working Group (WG) uses a partially fixed mechanism (Mechanism) to roam VPN users without international schema (International Seamless Roaming, ISR). Proposed ways to help.

  In the method, a home agent (HA) in the intranet is defined as one intranet home agent (hereinafter referred to as i-HA), and one external network (External Network) is included in the external network. A home agent (External Home Agent, hereinafter abbreviated as x-HA) is constructed, and the i-HA is used by the intranet to manage the MN's roaming status (Mobility Management). Is used to manage the roaming status of the MN when the MN roams to the external network.

  The surplus x-HA covers the already established IPSec tunnel under the x-MIP tunnel and does not need to be changed to the already established IPSec tunnel. Therefore, the MN assigns a new CoA by the VPN gateway. After acquisition, the IPSec path established by the VPN gateway is not destroyed. Therefore, the foreign agent (FA) can decrypt the information of the x-MIP. Therefore, when this method is used, it is not necessary to revise Mobile Ipv4 standard and IPSec standard, and some mobile nodes are required. It is only necessary to change the relay address (CoA).

  As shown in FIG. 1 showing the mobile VPN standard frame defined by the IETF, in FIG. 1, there is MN 1 roaming in one intranet 10 through one i-HA 11. When the MN 1 moves from the intranet 10 to one external network 20, the MN 1 always logs in to one x-HA 21 and acquires a new CoA. The x-HA 21 requests that one VPN gateway 22 establish an IPSec path that connects to the x-HA 21. Finally, the VPN gateway 22 connects the established IPSec path to the i-HA 11 by logging in the VPN-TIA (VPN Tunnel Inner Address) of the MN 1 again to the i-HA 11, and externally. A virtual private network (VPN) that can all roam from the network 20 and the intranet 10 is formed.

  FIG. 2 is a diagram showing a path information structure constructed by the mobile VPN, in which the MN 1 is a path signal data packet 30 roamed from the intranet 10 to the external network 20, and further includes a primitive data packet. (Original Packet) 31 is included, and the path information 32 (from the i-HA 11 to the VPN gateway 22) of the internal mobile IP (i-MIP) is covered before the original data packet 31. In addition, further IPSec path information 33 (from the VPN gateway 22 to the x-HA 21) is covered outside the internal mobile IP path information 32, and further outside the IPSec path information 33. The path information 34 (from the x-HA 21 to the relay address of the MN 1) of the mobile IP (x-MIP) is covered.

  However, two problems can arise in the well-known IETF method. First, where is the most appropriate location for x-HA21? Second, can you believe that the x-HA is safe?

  In this well-known IETF method, in order to construct one static x-HA 21 in the external network 20, a plurality of subnetworks (Subnets) are included in the external network 20. In this case, the selection of the point of the x-HA 21 is performed by the time delay of the relay transmission (Handoff) between the foreign agent (FA) and the x-HA 21 between the roaming sub-network and the roaming. It affects the end-to-end time delay between sub-networks. In addition, since the x-HA 21 is in the external network 20 that is not controlled by the VPN gateway 22, can the x-HA 21 be truly believed to meet IPSec security standards?

  That is, the inventor of the present application applies the knowledge learned especially devoted to research to solve the above-mentioned requirements and problems of the conventional mobile VPN, and the mobile VPN dynamic agent (x-HA) ) Designation method and system were proposed. Since the home agent (HA) approaching the MN can be dynamically designated as the x-HA by the method and system, the delay of relay transmission (Handoff) between roaming networks and the terminal to the terminal An invention that can reduce the (End-to-End) delay to a minimum, and can perfectly combine VPN IPSec security control, is rational, and can effectively improve the above-mentioned drawbacks. It is.

The object of the present invention is to designate an external home agent close to the mobile node as a login agent of the mobile node while roaming in the same external network while roaming in the same external network. You only need to log in to the external home agent, you do not need to log in to the internal home agent of the intranet-it may be the IETF method), delays in relay transmission (Handoff) between agents and terminals when roaming in this way It is intended to provide a method and system for specifying a dynamic agent for a mobile VPN that can reduce delay from end to end (End-to-End) to a minimum and that can perfectly combine VPN IPSec security control.
◎

  In order to achieve the above-mentioned object, the present invention mainly provides a method for specifying a dynamic agent of a mobile VPN capable of establishing a VPN between at least one external network and one intranet. The method sends a login request message to a local foreign destination agent when the mobile node first roams in the foreign network. The external home agent transmits the authorization confirmation request information to one foreign AAA server, so that the foreign AAA server enters the network access indication of at least one external home agent in the authorization confirmation request information. Transfer to one home AAA server. Subsequently, after the home AAA server has succeeded in authenticating the MN, a security association is established between the foreign home agent and the mobile node, further generating one home agent request information, and send. The external home agent designates one external home address for the mobile node, sets the external home address and its own address in one home agent reply information, and transmits the home home server to the home AAA server. Then, the home AAA server logs in to the internal home agent using the external home address as the relay address of the mobile node. After the login is completed, the internal home agent grants authority to the home AAA server, and authorization confirmation reply information is transmitted to the external home agent. Finally, the external home agent obtains registration reply information including the external home address and the home agent address from the authorization confirmation response information, and transfers it to the mobile node. Thereafter, when the mobile node roams on the external network, the mobile node may log in to the home agent at the home agent address using the external home address.

The present invention further provides a mobile VPN dynamic foreign agent allocation system that establishes a VPN between at least an external network and an internal network so that at least a mobile node can roam safely within the external network. .
The system includes an internal local agent (i-HA) for the mobile node to manage roaming login in the internal network, and an external local for the mobile node to manage roaming login in the external network. An agent (x-HA), a VPN gateway capable of establishing an Internet security protocol (Ipsec) channel between the internal network and the external local agent, and any external local agent approaching the mobile node dynamically At least one agent allocating means for allocating and roaming login of the mobile node; and when the mobile node first roams in the external network, After establishing an IPsec channel with the VPN gateway by roaming login to a local agent, the AAA server, and the internal local server, the external local nearest to the mobile node when roaming in the external network And at least one external destination agent that can be simply logged in to the agent.

  For an understanding of the techniques, means and operation employed by the present invention to achieve its intended purpose, reference should be made to the following detailed description and drawings relating to the present invention. It is believed that the objects, features and advantages of the present invention will thereby be understood more deeply and specifically. However, the drawings are used for reference and description and are not intended to limit the invention.

  Refer to the block diagram of the mobile VPN system according to the present invention shown in FIG. The present invention mainly specifies the home agent (HA) closest to the mobile node (MN) 80 in the external network as the external home agent (x-HA) 54, thereby making the MN 80 the x- Log in to the HA54 and complete the construction of the IPSec path of the mobile virtual private network (Mobile VPN).

  In the present invention, the x-HA is dynamically specified by using a DHCP server, an AAA (Authentication, Authorization and Accounting) server, or a DNS server used in the external network area. The home agent (HA) closest to the MN 80 can be selected and designated as the x-HA 54. Further, since the x-HA 54 is closest to the MN 80, the delay between the x-HA 54 and the MN 80 is reduced to the minimum. The relay transmission (Handoff) from the terminal to the terminal between the sub-networks in the external network is further accelerated, and another home agent (HA) in the external network can be used for load balancing. .

  However, the most important thing is still the problem of the security mechanism of the x-HA54. Therefore, it is better to specify the x-HA54 using an AAA server. For example, we adopt the Diameter Base on Protocol (IETF RFC3588) as the AAA server and not only can specify the x-HA, but also multiple agents that move and change when roaming ( Agents) can establish a security association (hereinafter abbreviated as SA) to be a key distribution center (KDC).

  In FIG. 3, one Intranet 40 and at least one external network 50 are shown. The intranet 40 is a protected private network that is protected, and is connected to one DHCP server 41 and one interior router 42. The internal router 42 is connected to one DMZ 60. The DMZ 60 is the real area behind the Internet and faces the firewall and is located in front of the protective end system and the second firewall of materials. The DMZ 60 is connected to one (hereinafter abbreviated as AAAH) 61, one VPN gateway 62 and one exterior router 51, and the external router 51 is connected to the external network 50. Connected to (Internet).

The intranet 40 may include a plurality of sub-networks (Subnet) 43. All the sub-networks 43 are connected to at least one wireless base (Wireless Access Point, WAP) 44 and used to wirelessly connect at least one of the MNs 80. In the intranet 40, one i-HA 45 and one internal foreign agent (hereinafter referred to as i-FA) 46 are further installed. As shown in FIG. 3, the i-HA 45 is connected on the first sub-network (Subnet 1), and the i-FA 46 is connected on the second sub-network (Subnet 2). The DHCP server 41 is connected on a third subnetwork (Subnet 3).
◎

Please refer to FIG. 4 and FIG. 5 together. 4 and 5 show a login chart and a timing chart when the MN 80 roams in the intranet, respectively. When the MN 80 roams in the intranet 40, for example, when roaming from the first subnet (Subnet 1) to the second subnet (Subnet 2), the i-FA 40 Advertisement and Challenge 100 (200) to continually announce whether or not the MIP is roaming in the network.
◎

At this time, the MN 80 transmits log-in request (Registration Request, hereinafter abbreviated as Reg-Req) information 105 to the i-FA 46 (S205). Since the i-FA 46 does not recognize the MN 80, the i-FA 46 transfers the Reg-Req information 105 to the i-FA 46 to log in.
◎

  After login, the i-HA returns a login response (Registration Reply, hereinafter abbreviated as Reg-Reply) to the i-FA 46 (S215). At this time, since the i-FA 46 can recognize the MN 80, Reg-Reply information 115 is transmitted from the i-FA 46 to the MN 80 (S220), and login for roaming on the intranet is completed.

Please refer to FIG. 3 again. The external network (Internet) 50 is an unprotected public network, and a plurality of external networks may be included therein. As shown in FIG. 3, there is a first external network and a second external network, and each external network may further include a plurality of sub-networks. In addition, each of them has one foreign AAA server (Foreign AAA Server, hereinafter abbreviated as AAAF) 53, one x-HA 54, and one external foreign agent (hereinafter, abbreviated as x-FA) 55. Are connected to one DHCP server 56 and at least one wireless base (WAP) 57.
◎

  Please refer to FIGS. 6, 7 and 8 together. These show a login flowchart and a timing chart when the MN 80 roams in an external network. When the MN 80 roams from the intranet 40 to the external network 50, the local x-FA 55 continually checks whether any MN is roaming in the network and notifies (Advertisement and Challenge). . At this time, the MN 80 transmits Reg-Req information 305 to the x-FA 55 (S405).

In the Reg-Req information 305, one home address (hereinafter abbreviated as HoA), one HA address, one authentication consultant authorized to the AAAH 61 and one MN network access indication ( Network Access Identifier, NAI) etc. should be included.
◎

  However, in the Reg-Req information 305 received by the x-HA 54, all of the HoA and the HA address should be set to 0.0.0.0, and the MN 80 is connected to the external network. Indicates that one external home address (hereinafter abbreviated as x-HoA) is to be acquired. Therefore, the x-HA 54 generates an attribute value pair (hereinafter referred to as AVP) of one feature vector (MIP-Feature-Vector). Among them, MN80 home address request (Home-Address-Requested), home agent request (hereinafter referred to as Home-Agent-Requested) and one joint address request (hereinafter referred to as Co-Located-Mobile-Node-Requested) ) Is set, and the flag (Flag) is “1”.

At this time, the x-FA 55 sets the MIP-Feature-Vector AVP in one authorization request (AA-Mobile-Node-Request, hereinafter referred to as AMR) information 310, and in the Reg-Req information. Necessary data is acquired from the information, and the AMR information 310 is transmitted to the local AAAF 53 in addition to the related AVP (S410).
◎

  Since the AAAF 53 trusts the local x-FA 55, it grants the authority to the AMR information 310. However, the AAAF 53 still checks whether the flag bit (Flag bid) of Home-Agent-Requested in the MIP-Feature-Vector AVP is “1”.

When it is “1”, the AAAF 53 requests the AAAH 61 to permit the designation of one x-HA 54 in the roaming external network as the home agent (HA) of the MN 80. Therefore, the AAAF 53 sets a home agent application flag (hereinafter referred to as “Foreign-Home-Agent-Available”) in the outside area in the MIP-Feature-Vector AVP in the received AMR information 310. The network access indication (NAI) of at least one candidate x-HA54 is entered in one candidate home agent host computer (hereinafter referred to as MIP-Candidate-Home-Agent-Host) AVP, after which the AAAF 53 Further, the AMR information 310 is transmitted to the AAAH 61 (S415).

After the AAAH 61 receives the AMR information 310 transmitted from the AAAF 53, the Reg-Req information 305 must be given to the MN 80. For this reason, the AAAH 61 uses one security parameter index (MN-AAA-SPI, Security Parameters Index) set in the AMR information 310, and the MN 80 is responsible for some TONONOAID security measures (for example, encryption calculation method). And long-term share key).
◎

  If the AAAH 61 succeeds in authorization, the flag bits of the Home-Agent-Requested flag and the Foreign-Home-Agent-Available flag bit in the MIP-Feature-Vector AVP of the AMR information 310 are all “1”. Check if it exists. If “1”, it means that the MN requests to designate one x-HA 54 as the roaming external network area. The AAAH 61 establishes a security association (SA) between the x-HA 54 and the MN in the roaming external network area (S420). For example, a safety association (SA) is created between x-HA 54 and x-FA 55, between MN 80 and x-HA 54, or between MN 80 and x-FA 55.

Therefore, the AAAH 61 may generate a random key (generally referred to as Nonces) of at least 128 bits, and calculate and generate one communication key (Session Key) using the Nonces. it can. Thereby, the security property of a security association (SA) can be ensured.
◎

The MIP-Feature-Vector AVP in the AMR information 310 transmitted by the x-HA 54 and the AAAF 53 is a key request between the MN 80 and the home agent (HA) (hereinafter referred to as MN-HA-Key-Requested). ), Key request between MN80 and foreign agent (FA) (hereinafter referred to as MN-FA-Key-Requested), and key request between foreign agent (FA) and home agent (HA) ( (Hereinafter referred to as “FA-HA-Key-Requested”).
◎

The communication key (Session Key) is securely transmitted on the x-FA 55 or x-HA 54 via an AAA server of the Diameter Protocol. This is because the IPSec standard or the Transport Layer Security (TLS) standard (IETF RFC 2246) is forcibly applied to communication data between protected Diameter nodes (including servers, customers and agents) Because. However, in order to avoid exposing the communication key (Session Key) without a network protection agreement, the communication key (Session Key) is not directly transmitted on the MN 80, and only the key (Nonces) is transmitted to the MN 80. )give.
◎

Therefore, the AAAH 61 again generates one home agent request (Home-Agent-MIP-Request, hereinafter abbreviated as HAR) information 315, and the communication key (Session Key) and Reg-Req information in the HAR information 315. It is put into the related AVP and transmitted to the candidate x-HA 54 through the AAAF 53 (S425). The AAAF 53 mainly serves as a proxy server (Proxy).
Therefore, the x-HA 54 is a communication key (Session Key) between the x-HA 54 and the x-FA 55 among the related AVPs in the HAR information 315, and between the MN 80 and the x-FA 55. Keys (Nonces) and a key (Nonces) between the MN 80 and the x-HA 54 can be obtained.

  The x-HA 54 is a case where the received HAR information 315 does not include the address (hereinafter referred to as MIP-Mobile-Node-Address) AVP of the MN 80, and in the MIP-Feature-Vector AVP. When the flag bit of Home-Agent-Address-Requested is set to “1”, the x-HA 54 automatically designates one x-HoA for the MN 80, and the MIP-Mobile-Node- The address is set in the Address AVP, and the x-HA 54 automatically sets its own address in the MIP-Home-Agent-Address AVP.

  Subsequently, the x-HA 54 stores the communication key (Session Key) between the MN 80 and the x-HA 54, copies the key (Nonces) into one registration response (Reg-Reply), and then The x-HA 54 generates one home agent answer (Home-Agent-MIP-Answer, hereinafter abbreviated as HAA) information 320 and transmits it to the AAAH 61 through the AAAF 53 (S430). The HAA information 320 includes a login response (hereinafter referred to as MIP-Reg-Reply) AVP including at least one key (Nonces), one result code (Result-Code) AVP, and one MN80 x-HoA. Includes a MIP-Mobile-Node-address AVP including one and the MIP-Home-Agent-Address AVP including one x-HA54 address.

  The AAAH 61 receives the HAA information 320 transmitted by the x-HA 54 through the AAAF 53, and then the AAAH 61 obtains the x-HoA of the MN 80 from the MIP-Mobile-Node-address AVP. The x-HA 54 address is acquired from the MIP-Home-Agent-Address AVP.

  Then, the AAAH 61 creates new HAR information 325, and further fills the x-HoA and x-HA addresses in the MIP-Mobile-Node-Address and MIP-Home-Agent-Address AVP, respectively, and The AAAH 61 transmits the HAR information 325 and logs in to the i-HA 45 (S435).

After the i-HA 45 receives the HAR information 325, the i-HA 45 obtains the x-HoA from the AVP in the HAR information 325, and then assigns the obtained address of the x-HoA 54 to the public CoA of the MN 80. As the i-HA 45 recognizes the HAR information 325, the new HAA information 330 is created and transmitted to the AAAH 61 (S440).
◎

Then, after receiving the HAA information 330 transmitted by the i-HA 45, the AAAH 61 can indicate that the authorization is successful by the result code (Result-Code) AVP therein. Therefore, the AAAH 61 generates a single authorization response (AA-Mobile-Node-Answer, hereinafter referred to as AMA) information 335 and transmits it to the x-HA 54 through the AAAF 53 (S445). The AMA information 335 includes DIAMETER success result code (Result-Code), the MIP-Home-Agent-Address AVP, the MIP-Mobile-Node-address AVP, and the MIP-Reg-Reply AVP. These AVPs are copied from the HAA information 330 received.
In the AMA information 335, a key (MIP-MN-to FA-Key) AVP between the MN 80 and the x-FA 55, and a communication between the x-HA 54 and the x-FA 55 If a key (MIP-to-FA-Key) AVP is included, the x-FA 55 can receive a communication key (Session Key) between the MN 80 and the x-HA 54 therein.

  After the x-HA 54 receives the AMA information 335 transmitted from the AAAH 61, the result code (Result-Code) AVP can indicate that authorization is successful, so the x-HA 54 One Reg-Reply information 340 is acquired from the MIP-Reg-Reply AVP of the AMA information 335, and the Reg-Reply information 340 is transmitted to the MN 80 (S450). Otherwise, the x-HA 54 will gently discard the AMA information 335.

  Once the MN 80 receives the Reg-Reply information 340, the MN 80 can acquire the new x-HoA, the address of the x-HA, and the key (Nonces). Then, the MN 80 calculates an accurate communication key (Session Key) by using the received key (Nonces), a discrete calculation method similar to the AAAH 61, and a long term shared key (Longterm Shared Key).

Therefore, after the MN 80 is granted the right by the AAAH 61, and further logged in by the Mobile IPv4 security standard by the x-HA 54 and x-HA 45, the MN 80 is connected to the VPN gateway by connecting the x-HoA. An IPSec path 345 is established between the VPN gateway and the VPN gateway (S455), and security communication similar to that in the intranet is restored.

  After the designation of the x-HA 54 is completed, the construction of a security association (SA) between each local home agent (HA) in the roaming external network is also completed. At that time, the MN 80 does not need to pass through the AAA server, and can directly log in to the local x-HA 54 using the MIPv4 standard. That is, after the MN 80 acquires a new relay address (CoA) from the external network, it only has to log in to the designated x-HA 54 as if roaming inside the intranet. No need to log in.

  Furthermore, it is not necessary to reconstruct the IPSec path in the same external network. However, the communication key (Session Key) has a lifetime, and when the lifetime ends, a new communication key (Session Key) is generated through the AAA server based on the Diameter. In addition, if the MN 80 moves to another external network, or if a login request must be made to a new local x-HA, all the above processes are performed again, so that the x- HA will be designated again and the IPSec passage will be rebuilt.

  That is, the present invention provides a technique for replacing static x-HA with dynamically designated x-HA based on the above-disclosed technique, and therefore, transmission relay (Handoff) between home agents (HA) when roaming. Delays and end-to-end delays are significantly reduced, and the present invention adds Diameter MIPv4 to a security association (SA) built between relay home agents (HA). For application, the x-HA is reliable. Moreover, since the login operation for the x-HA and i-HA is completed at the same time, the present invention realizes a mobile VPN system platform. The present invention is quite different from the design of those skilled in the art and can improve the overall utility value. In addition, the present invention meets the requirements of the invention patent because it was not found in the publication and public use before requesting, and submits the invention patent request in accordance with the law.

  It should be noted that the drawings and descriptions disclosed above are the embodiments of the present invention, and those skilled in the art who are familiar with this technology can make various improvements based on the above descriptions. However, such improvements should fall within the spirit of the invention and the scope of the patents defined therein.

It is a figure which shows the standard frame of the mobile VPN of an IETF definition. It is a figure which shows the information structure of the channel | path which the said mobile VPN constructed | assembled. It is a figure which shows the system frame of the mobile VPN which concerns on this invention. FIG. 4 is a login flowchart in which the MN roams on an intranet in the system shown in FIG. It is a login flowchart in which the MN roams on an intranet. It is a login flowchart in which the MN roams in an external network. It is the first half of the timing chart when the MN roams in the external network. It is the latter half part of the timing chart when the MN roams in the external network.

Explanation of symbols

40 Intranet
41 DHCP server
42 Internal router
43 Subnetwork
44 Radio base
45 Internal home agent
46 Internal field agent
50 External network
51 External router
53 Foreign AAA server
54 External home agent
55 External agent
56 DHCP server
57 radio base
60 DMZ
61 Home AAA Server
62 VPN gateway
80 mobile nodes

Claims (23)

A method of dynamically assigning a mobile VPN agent, and constructing a virtual private network (VPN) between at least one external network and an internal network, thereby at least one mobile node (Mobile Node) , MN) can roam safely on the external network,
A method as described above, wherein a program including the following steps is sequentially executed.
(A) When the mobile node first roams in the foreign network, a DHCP server assigns a transfer address to the mobile node to the mobile node, so that the mobile node is local to the foreign local agent. Sending a login request message including an address request and a local agent address request;
(B) The authorization confirmation request information is transmitted from the external home agent to the external AAA server, whereby a network access identifier (Network Access Identifier, NAI) of at least one external home agent to be selected by the external AAA server. Is written in the authorization confirmation request information and then transferred to the home AAA server.
(C) The home AAA server establishes a security association between the foreign home agent, the foreign agent, and the mobile node, and generates home agent request information to the foreign home agent. Sending step.
(D) The external home agent assigns an external home address to the mobile node, sets the external home address and its own address in response information of the home agent, and transmits the response information to the home AAA server.
(E) The home AAA server logs in to the home agent using the external home address as the connection address of the mobile node, and after the login is completed, the home agent transmits authorization confirmation response information to the foreign agent. To the home AAA server.
And (f) the external agent acquires registration reply information including the external home address and the home agent address from the authorization confirmation response information and forwards it to the mobile node, and then the mobile node is connected to the external network. Enabling roaming to log in to the home agent at the address of the external home agent using the external home address.   2. The method of dynamically assigning a mobile VPN agent according to claim 1, wherein the mobile node is a portable personal computer provided with a wireless network device. Prior to the mobile node performing an initial roaming with the external neckwork,
The DHCP server continuously sends advertisement & challenge information to the external network to check whether the mobile node is roaming in the network, and the roaming mobile node If detected, automatically assigning a mobile IP address to the mobile node; and the mobile node uses the IP address as the connection address (CoA) and sends the login request to the external home agent. Perform the steps to
The method of dynamically assigning the mobile VPN agent according to claim 1.   The mobile VPN agent according to claim 1, wherein the registration request information further includes authentication information to be authorized by the home AAA server and a network access identifier (NAI) of the mobile node. How to assign.   2. The method of dynamically assigning a mobile VPN agent according to claim 1, wherein the registration request information of the external home address and the external home agent address are all set to 0, 0, 0, 0. After the mobile node performs initial roaming in the external network,
After the foreign agent receives the registration request information, the mobile node's home address request flag and a feature vector attribute value pair (MIP-Feature-Vector Attribute Value Pair) in which the home agent request flag is set. The method of dynamically assigning a mobile VPN agent according to claim 1, further comprising the step of generating and setting an attribute value pair of the feature vector in the authorization confirmation request information. , After sending the authorization confirmation request information by the external home agent,
After the home AAA server receives the authorization confirmation request transferred from the external AAA server, the mobile node authorizes the mobile node according to the MN-AAA-Security Parameters Index set in the authorization confirmation request. 2. The method of dynamically assigning a mobile VPN agent according to claim 1, comprising a step of confirming a security measure used when performing authentication. Building a security association with the home AAA server,
Generating a random key (Key Materials) of at least 128 bits by the home AAA server, generating a session key by calculation using the key, and confirming security of a security association; and the session 2. The method of dynamically assigning a mobile VPN agent according to claim 1, further comprising the step of setting a key in the request information of the home agent.   2. The mobile VPN agent according to claim 1, wherein in the step of establishing a security association with the home AAA server, the request information of the home agent is transferred to the external home agent via the external AAA server. How to assign. The mobile VPN agent according to claim 1, wherein in the step of establishing a security association with the home AAA server, the request information of the home agent includes a key and a session key between the mobile node and the external home agent. How to assign to.   The mobile VPN according to claim 1, wherein in the step of assigning an external home address to the mobile node by the external home agent, response information of the home agent is transferred to the home AAA server via the external AAA server. How to assign agents dynamically. Transferring the registration reply information to the mobile node by the external home agent;
2. The mobile VPN agent according to claim 1, wherein the mobile node dynamically constructs an IPsec channel between the mobile node and the VPN gateway using the connection line intersection of the external home address and the VPN gateway. How to assign. A device that dynamically allocates external agents for mobile VPN, and constructs a virtual private network (VPN) between at least one external network and the internal network, thereby at least one mobile node (Mobile Node, MN) in a device that allows security roaming in the external network,
An apparatus as described above, comprising the following components:
(A) An internal home agent (internal home agent, i-HA) that is provided in the internal network and manages roaming login of the mobile node in the internal network.
(B) At least one external home agent (External Home Agent, x-HA) that is provided in the external network and manages roaming login of the mobile node in the external network.
(C) An Internet communication security protocol (IPsec) channel can be established between the internal network and the external home agent, so that when the mobile node roams in the external network, A VPN gateway that can be connected to the internal network.
(D) At least one agent assigning device that dynamically assigns an external home agent close to the mobile node to perform roaming login of the mobile node.
(E) provided in the external network, and when the mobile node performs the first roaming in the external network, an IP address is automatically assigned as a connection address, whereby the external home agent, the AAA server, and the After roaming login to an internal home agent and establishing an IPsec channel with the VPN gateway, when the mobile node roams in an external network, it is only necessary to log in to the nearest external home agent Make at least one DHCP server.   14. The apparatus for dynamically assigning a mobile VPN foreign agent according to claim 13, wherein the foreign network includes a plurality of sub-networks.   14. The apparatus for dynamically assigning a mobile VPN foreign agent according to claim 13, wherein the mobile node is a portable personal computer provided with a wireless network device.   The VPN gateway and the agent assignment device are provided in a DMZ (DeMilitarized Zone), and the DMZ (60) is a real area in the back of the Internet, and is a second device that protects the back end device and data against the firewall. 14. The apparatus for dynamically assigning a mobile VPN foreign agent according to claim 13, located in front of a layer firewall.   The VPN gateway and the agent assigning device are provided in the DMZ, and the DMZ (60) is a real area in the back of the Internet, and is a second layer firewall that protects the rear-end system and data against the firewall. 14. The apparatus for dynamically assigning a mobile VPN foreign agent according to claim 13, characterized in that it is located in front.   18. The apparatus for dynamically allocating an external agent of a mobile VPN according to claim 17, wherein the DMZ is connected to the internal network via an internal router and is connected to the external network via an external router.   14. The apparatus for dynamically allocating an external agent of a mobile VPN according to claim 13, wherein the agent allocating apparatus can use an AAA server, a DHCP server, or a DNS server.   The agent assigning apparatus not only assigns the foreign home agent using the AAA server, but also constructs a security association (Security Association, SA) among a plurality of agents in a roaming area, 20. The apparatus for dynamically allocating an external agent for mobile VPN according to claim 19, which can be used as (Key Distribution Center, KDC).   21. The apparatus for dynamically assigning an external agent of a mobile VPN according to claim 20, wherein the agent is an AAA server using a Diameter Base on Protocol.   In at least one sub-network connected to the internal network, the mobile node can roam and log in to the internal home agent via the internal external agent when roaming in the sub-network. 14. The apparatus for dynamically allocating an external agent of a mobile VPN according to claim 13, including an external agent (Internal Foreign Agent, i-FA).   14. The apparatus for dynamically assigning an external agent of a mobile VPN according to claim 13, comprising a wireless base station (Wireless Access Point) provided in the internal network or the external network for wirelessly connecting to the mobile node.

Images