CN101043411B - Method and system for realizing mobile VPN service in hybrid network - Google Patents


Info

Publication number: CN101043411B
Authority: CN (China)
Prior art keywords: address, ipv6, vpn, ipv4, mobile node
Legal status: Expired - Fee Related (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN2006100584520A
Other languages: Chinese (zh)
Other versions: CN101043411A (en)
Inventors: 张宏科, 程钢, 郑彬, 张晖
Current assignee: Huawei Technologies Co Ltd; Beijing Jiaotong University (as listed by Google Patents)
Original assignee: Huawei Technologies Co Ltd; Beijing Jiaotong University

Events
Application filed by Huawei Technologies Co Ltd and Beijing Jiaotong University
Priority to CN2006100584520A
Priority to PCT/CN2007/000446 (WO2007109963A1)
Publication of CN101043411A
Application granted
Publication of CN101043411B
Current status: Expired - Fee Related

Classifications

    • H04L 63/0272: Virtual private networks (H ELECTRICITY; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/02 Separating internal from external traffic, e.g. firewalls)
    • H04W 12/03: Protecting confidentiality, e.g. by encryption (H ELECTRICITY; H04 Electric communication technique; H04W Wireless communication networks; H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W 80/045: Network layer protocols, e.g. mobile IP, involving different protocol versions, e.g. MIPv4 and MIPv6 (H ELECTRICITY; H04 Electric communication technique; H04W Wireless communication networks; H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation; H04W 80/04 Network layer protocols, e.g. mobile IP)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and system for mobile VPN in a hybrid (IPv4/IPv6) network. In a hybrid network containing both IPv4 and IPv6, a VPN gateway is deployed whose internal interface has an IPv6 address and whose external interface has an IPv4 address. First, a tunnel for carrying VPN packets between the external network and the internal IPv6 network is established, the endpoints of the tunnel being an IPv4 address in the external network and the IPv4 address provided by the VPN gateway; then each VPN packet is encapsulated with an IPv4 header and transmitted through the tunnel. The invention makes use of IPv6-in-IPv4 tunnelling to realize mobile VPN service over the hybrid network.

Description

Method and system for realizing mobile VPN in hybrid network
Technical Field
The invention relates to the technical field of network communication, in particular to a technology for realizing mobile VPN.
Background
Mobile VPN (virtual private network) is a new VPN solution combining traditional VPN with mobile technology. A mobile node (MN) belonging to the VPN, while located in an external network, keeps communicating with nodes inside the VPN by establishing a tunnel to the VPN gateway. An IPsec VPN uses IPsec (IP security protocol) to protect the tunnel, which gives the two tunnel endpoints confidentiality and integrity on an IP network and so secures the VPN service. IPsec VPN combined with the standard mobile IPv4 protocol provides the basic framework for a mobile VPN.
In an IPv4-only network environment, combining a typical IPsec VPN with MIPv4 (mobile IPv4) raises two major problems:
(1) when a mobile node moves outside the VPN and obtains its care-of address through a foreign agent (FA) of the visited network, it cannot register with the internal home agent (i-HA) located inside the VPN, because the foreign agent is administered by another network and generally does not support IPsec;
(2) if the mobile node instead obtains a co-located care-of address in the external network, it can complete registration with the home agent inside the VPN by establishing an IPsec tunnel with the VPN gateway, but it must renegotiate that IPsec tunnel with the VPN gateway every time the co-located care-of address changes. For a node that moves frequently this increases handover delay and reduces mobility.
One existing solution to these problems is, in an IPv4 environment, to place an external home agent (x-HA) outside the VPN gateway: the mobile node first registers with the external home agent, then establishes an IPsec tunnel with the VPN gateway through the external home agent and completes registration with the internal home agent of the VPN, which addresses both problems.
The corresponding network structure is shown in fig. 1, where x-HA denotes the home agent placed in the external network. An external network (External Net) supporting mobile IPv4 exists in the Internet; at the same time, a home network (Home Net) and a foreign network (Foreign Net) supporting mobile IPv4 exist inside the VPN.
When a mobile node moves into a foreign network and obtains a care-of address, it first registers with the external home agent and obtains an external home address (x-HoA). It then performs IKE (Internet Key Exchange) negotiation with the VPN gateway using the external home address to establish an IPsec tunnel, and registers with the home agent inside the VPN through that tunnel. Afterwards the mobile node can communicate with nodes in the VPN internal network.
The registration procedure and packet encapsulation of the mobile node are described below, taking a mobile node located in an external network configured with an external foreign agent (x-FA) as an example.
When the mobile node enters the external network configured with the external home agent, it obtains the care-of address of the foreign agent; at the same time it sends standard mobile IPv4 registration requests to both the external home agent and the internal home agent;
because the mobile node is located in the external network, it can only receive the registration reply from the external home agent; from that reply it obtains the x-HoA allocated by the external home agent and uses it as its care-of address in the external network;
the mobile node uses the obtained x-HoA as the endpoint address for IKE negotiation and the IPsec tunnel, and establishes the tunnel with the VPN gateway;
during negotiation the VPN gateway assigns the mobile node a VPN tunnel internal address (VPN-TIA); the mobile node uses the VPN-TIA as the care-of address it registers with the internal home agent, sending the registration inside the IPsec tunnel;
after registration completes, the mobile node and a correspondent node inside the VPN can communicate. Data packets are encapsulated three times, as shown in fig. 2: the outermost layer (x-MIP) is the mobile IPv4 encapsulation from the mobile node to the external home agent, the middle layer is the IPsec encapsulation from the x-HA to the VPN gateway, and the innermost layer (i-MIP) is the mobile IPv4 encapsulation internal to the VPN. As fig. 2 shows, the mobile node can complete registration with the home agent inside the VPN from a foreign network configured with a foreign agent, and a change of the mobile node's care-of address does not affect maintenance of the IPsec tunnel. This implementation therefore effectively solves both problems described above.
However, introducing the external home agent makes the VPN network structure more complex and increases maintenance cost; it also brings new problems, such as where to place the external home agent and whether it can be trusted.
Another existing scheme for the same two problems is, in an IPv4 environment, to use IPsec with the MOBIKE protocol (IKEv2 Mobility and Multihoming Protocol) as the tunnelling technology between the mobile node and the VPN gateway.
MOBIKE is an extension of IKEv2 that supports mobility of both ends of an IPsec tunnel. When the mobile node negotiates with the VPN gateway to establish the IPsec tunnel, an IKE SA and then the IPsec SAs are created. MOBIKE allows the nodes at both ends of the tunnel to update their IP addresses while keeping the IKE SA and IPsec SAs, so that after the endpoint addresses change the original IPsec tunnel continues to carry traffic without renegotiation.
The MOBIKE-based network structure is shown in FIG. 3: an external network (External Net) supporting mobile IPv4 exists in the Internet, and a home network (Home Net) and a foreign network (Foreign Net) supporting mobile IPv4 exist inside the VPN.
While located in a foreign network inside the VPN, the mobile node communicates with the home agent and correspondent nodes inside the VPN using standard mobile IPv4. When it leaves the VPN internal network and enters an external network, it must perform IKE negotiation with the VPN gateway and establish an IPsec tunnel supporting MOBIKE. Inside the VPN, the mobile node and the home agent still keep a valid mobile IPv4 binding cache, and the mobile node registers with the home agent using the VPN-TIA assigned by the VPN gateway as its co-located care-of address for the VPN internal network.
When the mobile node moves from one external network into another, it obtains a new mobile IPv4 care-of address. It then uses MOBIKE to update the endpoint IP addresses of its IKE SA and IPsec SAs and notifies the VPN gateway to update the addresses of the corresponding SAs. Once the SA address update completes, communication continues over the original IPsec tunnel.
This scheme thus uses MOBIKE in an IPv4-only environment to solve the two problems. However, the Internet is evolving towards IPv6, and during the replacement of IPv4 by IPv6 a hybrid network of "IPv6 islands" in an "IPv4 sea" will exist for a long time, so the corresponding problems must also be solved in the hybrid network. The existing schemes cannot solve the problem of applying mobile VPN in a hybrid network containing both IPv4 and IPv6.
Disclosure of Invention
The invention aims to provide a method and system for realizing mobile VPN in a hybrid network, solving the problem of applying mobile VPN in a hybrid IPv4/IPv6 network and making it possible to deploy IPv6-based VPN services in existing network scenarios.
The purpose of the invention is realized by the following technical scheme:
The invention provides a method for realizing mobile VPN in a hybrid network comprising an IPv4 network and an IPv6 network inside the VPN. A VPN gateway is deployed in the hybrid network with an internal interface having an IPv6 address and an external interface having an IPv4 address, and the method comprises the following steps:
A. establishing, between the VPN gateway and the external network, a tunnel for carrying the VPN packets exchanged between the external network and the IPv6 network inside the VPN, the two endpoint addresses of the tunnel being an IPv4 address in the external network and the IPv4 address of the external interface of the VPN gateway;
B. encapsulating each VPN packet to be transmitted with an IPv4 header and transmitting it through the tunnel, thereby realizing VPN service across the hybrid network.
The external network is either an IPv4 external network or an IPv6 external network.
Step A comprises:
A1. after an IPsec tunnel has been established between the VPN gateway and a mobile node that is located in an IPv6 external network and has obtained a care-of address, the VPN gateway and the access router of the IPv6 external network establish an IPv6-in-IPv4 tunnel for carrying IPv6 packets; the tunnel encapsulates IPv6 packets in IPv4 packets, and its two endpoint addresses are the IPv4 address of the access router of the IPv6 external network and the IPv4 address of the external interface of the VPN gateway;
or,
A2. establishing an IPsec tunnel between the VPN gateway and a mobile node that is located in an IPv4 external network and has obtained a care-of address.
The IPsec tunnel is an IPsec tunnel supporting MOBIKE (IKEv2 Mobility and Multihoming Protocol).
Step A1 comprises:
A11. the mobile node that has moved into the IPv6 external network issues a DNS request, based on the address of the domain name server (DNS) stored for the IPv6 network, to resolve the IPv4 address of the VPN gateway;
A12. on receiving the DNS request, the DNS returns a DNS reply to the mobile node carrying the IPv4 address information of the VPN gateway;
A13. the mobile node and the IPv6 network obtain the IPv4 address information of the VPN gateway.
Step A11 comprises:
the mobile node sends a DNS request for the VPN gateway to the DNS in the IPv6 network; on reaching that DNS, the request is forwarded to a domain name server application layer gateway (DNS-ALG) deployed in the IPv6 network;
the DNS-ALG selects, from its stored DNS server information, the DNS that can resolve the IPv4 address of the VPN gateway, converts the request into an IPv4-format DNS request and sends it to the selected DNS.
Step A13 comprises:
on receiving the returned DNS reply, the DNS-ALG stores the IPv4 address information of the VPN gateway, prepends a prefix to the IPv4 address to form an IPv6-format address, and sends that IPv6 address to the mobile node, which uses it as the address of the VPN gateway.
Step B comprises:
B1. the mobile node in the IPv6 external network constructs a packet addressed to the IPv6 address corresponding to the VPN gateway and sends it to the external access router of the IPv6 network;
B2. the external access router receives the IPv6 packet from the mobile node, prepends an IPv4 header carrying the IPv4 address of the VPN gateway as destination, and sends the packet to the VPN gateway through the tunnel;
B3. the VPN gateway parses the received packet, removes the IPv4 header to restore the IPv6 packet, and forwards the IPv6 packet onward.
Alternatively, step B comprises:
B4. the mobile node in the IPv6 external network constructs a packet addressed to the IPv6 address corresponding to the VPN gateway and sends it to a network address translation-protocol translation (NAT-PT) entity;
B5. the NAT-PT translates the IPv6 addresses of the IPv6 packet into IPv4 addresses and passes the packet to the external access router, which sends it to the VPN gateway through the tunnel;
B6. the VPN gateway parses the received packet and forwards it onward.
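The following Python script is an added illustration of steps B1 to B3 (and of step (4) in the detailed description below); it is not part of the patent and models no real product. It builds an IPv6 packet as the mobile node would, prepends an IPv4 header with protocol number 41 (IPv6-in-IPv4, RFC 4213) at the external access router, and strips it again at the VPN gateway. All addresses are assumed documentation addresses: 203.0.113.5 for the access router, 198.51.100.1 for the gateway's external interface, 2001:db8:2::10 for the mobile node and 2001:db8:ffff::/96 as the DNS-ALG prefix. The decapsulation also performs the check the claim does not mention but a practitioner needs: the outer source address must equal the configured tunnel peer, as RFC 4213 requires, otherwise any IPv4 host could inject packets into the gateway's IPv6 side.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation, RFC 4213


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 17, hop_limit: int = 64) -> bytes:
    """IPv6 fixed header without extension headers, as emitted by the mobile node."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(ipv6_pkt: bytes, outer_src: str, outer_dst: str, ttl: int = 64) -> bytes:
    """Tunnel ingress (x-AR towards the gateway, or the gateway in the reverse direction):
    prepend a 20-byte IPv4 header, no options, DF set, protocol 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), 0, 0x4000, ttl,
                      IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt


def decapsulate(pkt: bytes, expected_peer: str, local_addr: str) -> bytes:
    """Tunnel egress. Parses the outer header and enforces that the outer source is the
    configured tunnel peer; an unexpected source is dropped even if the packet is well formed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad lengths")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    if pkt[9] != IPPROTO_IPV6:
        raise ValueError("not protocol 41")
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if src != ipaddress.IPv4Address(expected_peer) or dst != ipaddress.IPv4Address(local_addr):
        raise ValueError("outer addresses do not match the configured tunnel")
    inner = pkt[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if len(inner) != 40 + struct.unpack("!H", inner[4:6])[0]:
        raise ValueError("inner payload length mismatch")
    return inner


def accepts(pkt: bytes, expected_peer: str, local_addr: str) -> bool:
    """True if the gateway would pass the packet to its IPv6 side."""
    try:
        decapsulate(pkt, expected_peer, local_addr)
        return True
    except ValueError:
        return False


# Constructed sample: the MN (2001:db8:2::10) addresses the gateway by its prefix-mapped
# IPv6 address (2001:db8:ffff::/96 + 198.51.100.1 = 2001:db8:ffff::c633:6401); the x-AR
# (203.0.113.5) tunnels the packet to the gateway's IPv4 external interface (198.51.100.1).
X_AR_V4, GW_V4 = "203.0.113.5", "198.51.100.1"
INNER = build_ipv6("2001:db8:2::10", "2001:db8:ffff::c633:6401", b"ike-or-esp-payload")
WIRE = encapsulate(INNER, X_AR_V4, GW_V4)
# Same inner packet, but sent from an IPv4 host that is not the tunnel peer.
SPOOFED = encapsulate(INNER, "192.0.2.99", GW_V4)

if __name__ == "__main__":
    print("outer protocol:", WIRE[9], "inner restored:", decapsulate(WIRE, X_AR_V4, GW_V4) == INNER)
    print("spoofed accepted:", accepts(SPOOFED, X_AR_V4, GW_V4))
```

The peer check is per tunnel endpoint; with the NAT-PT variant (B4 to B6) the same rule applies to the address of the external access router that fronts the NAT-PT entity.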
Step A2 comprises:
A21. when the mobile node moves into the IPv4 external network, it obtains a care-of address of that IPv4 network;
A22. the mobile node and the VPN gateway negotiate to establish an IPsec tunnel whose two endpoint addresses are the care-of address and the IPv4 address of the VPN gateway.
Step A22 comprises:
during the Internet Key Exchange (IKE) negotiation between the mobile node and the VPN gateway, the VPN gateway assigns the mobile node a VPN tunnel internal address, which the mobile node uses as its mobile IPv6 care-of address for registration inside the VPN.
Step B then comprises:
the mobile node in the IPv4 network first encapsulates the data packet with mobile IPv6, then with IPsec according to the established tunnel, and sends the resulting VPN packet, carrying an IPv4 header, to the VPN gateway through the tunnel.
Step B further comprises:
when the mobile node performs the mobile IPv6 encapsulation, the source address is the VPN tunnel internal address and the destination address is the address of the node inside the VPN.
When the IP address of a mobile node originally located in the VPN internal network changes as it moves, communication with the other nodes in the VPN is first suspended, and the method further comprises:
C1. if the mobile node obtains an IPv4 care-of address, it performs MOBIKE-capable IKE negotiation with the VPN gateway using that IPv4 care-of address and establishes an IPsec tunnel; it then registers with the internal home agent through the tunnel, using the internal IPv6 care-of address provided by the VPN gateway, and after receiving the registration reply communicates with the VPN internal nodes through the tunnel;
or,
C2. if the mobile node obtains an IPv6 care-of address, it queries the IPv6 address of the VPN gateway indirectly by domain name resolution, then sends a standard mobile IPv6 registration request to the home agent inside the VPN; if an IPv6 registration reply is received, the mobile node concludes that it is located inside the VPN and communicates with the VPN internal nodes using the new IPv6 care-of address.
Step C2 further comprises:
if the mobile node receives no mobile IPv6 registration reply but has successfully resolved the IPv6 address of the VPN gateway, it concludes that it is located in an IPv6 network outside the VPN; it then performs MOBIKE-capable IKE negotiation with the VPN gateway using the new IPv6 address and establishes an IPsec tunnel, sends a registration request to the internal home agent through the IPsec tunnel using the internal IPv6 care-of address provided by the VPN gateway, and after receiving the registration reply communicates with the internal network nodes through the established IPsec tunnel.
When the IP address of a mobile node originally located in an IPv4 external network changes as it moves, communication with the VPN internal nodes is suspended, and the method further comprises:
D1. if the mobile node obtains an IPv4 care-of address, it concludes that it has moved into another IPv4 external network, initiates MOBIKE and updates the SA addresses, the new SA endpoint addresses being the mobile node's new IPv4 care-of address and the IPv4 address of the VPN gateway; the mobile node then continues to communicate with the VPN internal nodes through the tunnel;
or,
D2. if the mobile node obtains an IPv6 care-of address, it queries the IPv6 address of the VPN gateway indirectly by domain name resolution, then sends a standard mobile IPv6 registration request to the home agent inside the VPN; on receiving a mobile IPv6 registration reply it concludes that it has moved into the VPN internal network and communicates with the VPN internal nodes using the new IPv6 care-of address.
Step D2 further comprises:
if the mobile node receives no mobile IPv6 registration reply but has successfully resolved the IPv6 address of the VPN gateway, it concludes that it has moved into an IPv6 external network, initiates MOBIKE and updates the SA addresses, the new SA endpoint addresses being the mobile node's newly obtained IPv6 care-of address and the IPv6 address of the VPN gateway; the mobile node then continues to communicate with the VPN internal nodes through the tunnel.
When the IP address of a mobile node originally located in an IPv6 external network changes as it moves, communication with the VPN internal nodes is suspended, and the method further comprises:
E1. if the mobile node obtains an IPv4 care-of address, it concludes that it has moved into an IPv4 external network, initiates MOBIKE and updates the SA addresses, the new SA endpoint addresses being the mobile node's new IPv4 care-of address and the IPv4 address of the VPN gateway; the mobile node then continues to communicate with the VPN internal nodes through the tunnel;
or,
E2. if the mobile node obtains an IPv6 care-of address, it queries the IPv6 address of the VPN gateway indirectly by domain name resolution, then sends a standard mobile IPv6 registration request to the home agent inside the VPN; on receiving the corresponding mobile IPv6 registration reply it concludes that it has moved into the VPN internal network and communicates with the VPN internal nodes using the new IPv6 care-of address.
Step E2 further comprises:
if the mobile node receives no corresponding mobile IPv6 registration reply but has successfully resolved the IPv6 address of the VPN gateway, it concludes that it has moved into another IPv6 external network, initiates MOBIKE and updates the SA addresses, the new SA endpoint addresses being the mobile node's newly obtained IPv6 care-of address and the IPv6 address of the VPN gateway; the mobile node then continues to communicate with the VPN internal nodes through the tunnel.
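Steps C, D and E above are one decision procedure keyed on two facts: the address family of the new care-of address, and which of the two probes (a direct mobile IPv6 registration, or the DNS-ALG query for the gateway) succeeds. The following Python model is an added example, not part of the patent and not a real IKE or Mobile IP implementation; the classes VpnGateway, HomeAgent and MobileNode, the method names, and all addresses (VPN internal prefix 2001:db8:100::/48, gateway 198.51.100.1, DNS-ALG prefix 2001:db8:ffff::/96, VPN-TIA 2001:db8:100:ffff::1) are assumptions. It keeps the SPI and keys of the SA across a MOBIKE update and only changes the endpoints. It also adds the check the steps do not spell out: the gateway does not move an SA to a new address until the peer has echoed a fresh COOKIE2 from that address, the return routability check of RFC 4555, so that a party that cannot receive at the claimed address cannot redirect an existing tunnel's traffic there.

```python
import ipaddress
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class IPsecSA:
    """MN's view of its IKE/IPsec SAs: SPI and keys are fixed, only endpoints move under MOBIKE."""
    spi: int
    keys: bytes
    mn_addr: str    # care-of address used as the tunnel endpoint
    gw_addr: str    # gateway as seen from the MN: IPv4, or the DNS-ALG-mapped IPv6 address
    vpn_tia: str    # inner IPv6 address assigned by the gateway during IKE (VPN-TIA)


class VpnGateway:
    """Model of the gateway's IKEv2/MOBIKE responder (hypothetical, not a real IKE stack)."""

    def __init__(self, v4_addr: str, tia_pool: List[str]):
        self.v4_addr = v4_addr
        self.sas: Dict[int, IPsecSA] = {}
        self.pending: Dict[int, Tuple[bytes, str, str]] = {}  # spi -> (cookie2, new mn, new gw)
        self.tia_pool = list(tia_pool)

    def ike_negotiate(self, mn_addr: str, gw_addr: str) -> IPsecSA:
        sa = IPsecSA(int.from_bytes(os.urandom(4), "big"), os.urandom(32),
                     mn_addr, gw_addr, self.tia_pool.pop(0))
        self.sas[sa.spi] = sa
        return sa

    def update_sa_addresses(self, spi: int, new_mn: str, new_gw: str) -> bytes:
        """UPDATE_SA_ADDRESSES received: do not move the SA yet, challenge the new address."""
        cookie2 = os.urandom(16)
        self.pending[spi] = (cookie2, new_mn, new_gw)
        return cookie2

    def confirm_update(self, spi: int, src_addr: str, cookie2: bytes) -> bool:
        """COOKIE2 must come back unchanged and from the address that was claimed."""
        exp = self.pending.pop(spi, None)
        if exp is None or exp[0] != cookie2 or exp[1] != src_addr:
            return False
        self.sas[spi].mn_addr, self.sas[spi].gw_addr = exp[1], exp[2]
        return True


class HomeAgent:
    """Internal HA: a binding update is acknowledged only for a care-of address from the
    VPN's internal prefix, i.e. one reachable without the tunnel or a VPN-TIA through it."""

    def __init__(self, internal_prefix: str):
        self.prefix = ipaddress.IPv6Network(internal_prefix)
        self.binding: Optional[str] = None

    def register(self, coa: str) -> bool:
        addr = ipaddress.ip_address(coa)
        if addr.version != 6 or addr not in self.prefix:
            return False
        self.binding = coa
        return True


class MobileNode:
    def __init__(self, gw: VpnGateway, ha: HomeAgent, resolve_gw_v6: Callable[[], Optional[str]]):
        self.gw, self.ha, self.resolve_gw_v6 = gw, ha, resolve_gw_v6
        self.sa: Optional[IPsecSA] = None
        self.location = "internal"

    def _tunnel_to(self, coa: str, gw_addr: str) -> str:
        if self.sa is None:                 # step C: no tunnel yet, run IKE (VPN-TIA assigned)
            self.sa = self.gw.ike_negotiate(coa, gw_addr)
            action = "ike_negotiate"
        else:                               # steps D/E: keep SPI and keys, move the endpoints
            cookie2 = self.gw.update_sa_addresses(self.sa.spi, coa, gw_addr)
            if not self.gw.confirm_update(self.sa.spi, coa, cookie2):
                return "mobike_failed"
            self.sa.mn_addr, self.sa.gw_addr = coa, gw_addr
            action = "mobike_update"
        # Register with the internal HA through the tunnel, VPN-TIA as care-of address.
        return action if self.ha.register(self.sa.vpn_tia) else action + "_unregistered"

    def on_address_change(self, new_coa: str) -> str:
        """Steps C, D and E of the method as a single decision procedure."""
        if ipaddress.ip_address(new_coa).version == 4:
            self.location = "external-ipv4"
            return self._tunnel_to(new_coa, self.gw.v4_addr)
        gw6 = self.resolve_gw_v6()          # indirect query through the DNS-ALG
        if self.ha.register(new_coa):       # registration reply arrived: inside the VPN
            self.location = "internal"
            return "direct"
        if gw6 is None:                     # no reply and no gateway address: nothing to do
            self.location = "unknown"
            return "unreachable"
        self.location = "external-ipv6"
        return self._tunnel_to(new_coa, gw6)


def walk() -> List[str]:
    """Constructed scenario (documentation addresses only)."""
    gw = VpnGateway("198.51.100.1", ["2001:db8:100:ffff::1"])
    ha = HomeAgent("2001:db8:100::/48")
    mn = MobileNode(gw, ha, lambda: "2001:db8:ffff::c633:6401")
    return [mn.on_address_change("203.0.113.7"),         # C1: internal -> IPv4 external
            mn.on_address_change("2001:db8:2::10"),      # D2, no reply: -> IPv6 external
            mn.on_address_change("203.0.113.200"),       # E1: -> another IPv4 external
            mn.on_address_change("2001:db8:100:5::10")]  # E2: back inside the VPN


if __name__ == "__main__":
    print(walk())
```

The model keeps an SA that was set up on an earlier excursion and reuses it with a MOBIKE update on the next one; the patent's step C assumes no SA exists when the node leaves the internal network, so a real implementation that tears the SA down on return must fall back to IKE as in C1.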
The invention also provides a system for realizing mobile VPN in a hybrid network, comprising an IPv4 external network, an IPv6 external network and a VPN gateway, where the VPN internal network is an IPv6 network and the VPN gateway provides an IPv6 internal interface and an IPv4 external interface. The system further comprises:
a tunnel establishment module, which establishes between the VPN gateway and an external network a tunnel for carrying the VPN packets exchanged between them, the two endpoint addresses of the tunnel being an IPv4 address in the external network and the IPv4 address of the external interface of the VPN gateway;
a packet encapsulation and transmission module, located in the network-side devices at both ends of the tunnel, which prepends an IPv4 header to each VPN packet to be sent and sends it to the peer through the tunnel.
In the IPv6 external network the system further comprises:
a DNS-ALG, configured as an IPv4/IPv6 dual stack, which provides the IPv6 address corresponding to the VPN gateway while VPN service is carried over the IPv6 external network;
a DNS in the IPv6 network, configured as an IPv4/IPv6 dual stack, whose upstream DNS is configured to be the DNS-ALG;
an external access router, configured as an IPv4/IPv6 dual stack, which encapsulates IPv6 packets with an IPv4 header and decapsulates the corresponding packets in the reverse direction.
Alternatively, in the IPv6 external network the system further comprises:
a DNS-ALG, configured as an IPv4/IPv6 dual stack, which provides the IPv6 address corresponding to the VPN gateway;
a DNS in the IPv6 network, whose upstream DNS is configured to be the DNS-ALG;
a NAT-PT entity, which communicates with the external access router and translates between the IPv6 and IPv4 addresses of the packets passing through it;
an external access router, which sends the packets translated by the NAT-PT entity to the VPN gateway and receives the packets sent by the VPN gateway.
The technical scheme provided by the invention shows that, by using IPv6-in-IPv4 tunnelling, mobile VPN service can be deployed in a mixed IPv4 and IPv6 network, so that mobile VPN service remains available throughout the evolution from IPv4 to IPv6.
The invention also uses MOBIKE to update the address entries of the SAs and, together with the VPN gateway assigning a VPN-TIA to the mobile node, solves the two problems described in the background. It thus provides a complete solution for a mobile node to access VPN service and to hand over between networks while maintaining communication, in an IPv4/IPv6 hybrid environment with an IPv4 backbone during the transition from IPv4 to IPv6.
In implementing the invention on an existing communication network, no new equipment is introduced and no hardware needs to be upgraded; only the software of the corresponding devices needs to be enhanced, so the whole configuration and operation process is simple and easy to carry out.
Drawings
Fig. 1 is a structure of a mobile VPN configured with an external home agent in an IPv4 environment;
fig. 2 is a structure of a mobile VPN configured with MOBIKE in an IPv4 environment;
fig. 3 is a network structure of a mobile VPN implementation of a hybrid network according to the present invention;
FIG. 4 is a DNS request forwarding process of FIG. 3;
FIG. 5 is the DNS reply forwarding process of FIG. 3;
FIG. 6 is a schematic process flow diagram of the method of the present invention.
Detailed Description
As network communication technology develops and IPv6 networks gradually replace IPv4 networks, the wide deployment of existing IPv4 networks means that an IPv4/IPv6 hybrid network made up of "IPv6 islands" in an "IPv4 sea" will exist for a long time.
The main aim of the invention is to provide a network structure for mobile VPN in an IPv4/IPv6 hybrid network, the corresponding functional requirements of each device, and the way a mobile node accesses the VPN from the different types of network, thereby solving the problem of updating the mobile node's SA addresses when it hands over between network types.
The invention takes the IPv4/IPv6 hybrid network of "IPv6 islands" and "IPv4 sea" as its basic network framework, solves the SA address update problem of the mobile node by introducing the MOBIKE extension, and combines IPv6-in-IPv4 tunnelling with domain name resolution so that the mobile node can communicate with the VPN gateway from both IPv6 and IPv4 networks; as a result the mobile node can communicate with the VPN internal nodes from any of these network types.
That is, the invention mainly adopts IPv6-in-IPv4 tunnelling and deploys devices such as a DNS-ALG (domain name server application layer gateway), so that a mobile node located in an external IPv6 network can obtain the IPv6 address of the VPN gateway via the IPv4 network and communicate with it. A mobile node in an IPv6 external network can therefore still reach the VPN gateway across the IPv4 network, and mobile VPN service in the IPv4/IPv6 hybrid network becomes possible.
Specifically, the hybrid network is considered according to the location of the mobile node: in the IPv6 internal network (inside the VPN), in an IPv4 external network, or in an IPv6 external network. Each case requires a different communication mode, and together they realize mobile VPN service in the hybrid network.
To select the mode for each case, when the IP address of the mobile node changes it first suspends communication with other nodes and determines the type of the current network from the type of the new IP address; it then determines whether it is inside the VPN or in an external network by means of mobile IP registration and a VPN gateway address query, and either establishes an IPsec tunnel or updates the addresses of the existing IPsec SA accordingly; once this is done the previous communication resumes.
Implementing the invention specifically requires an IPv4/IPv6 dual stack on the external access router (x-AR), the DNS-ALG and the DNS server at the edge of the IPv6 external network, and a dual stack on the VPN gateway; the x-AR and the VPN gateway must also support IPv6-in-IPv4 tunnel encapsulation and decapsulation.
With this configuration, different processing can be applied in each case to realize mobile VPN service in the hybrid network. Taking a mobile node entering an IPv6 external network as an example, the processing mainly comprises:
(1) after the mobile node enters the IPv6 external network, it queries the IPv6 address of the VPN gateway indirectly by domain name resolution;
(2) the mobile node issues an IPv6 DNS request for the VPN gateway, which the DNS-ALG converts into an IPv4 DNS request and forwards into the IPv4 network;
(3) when the IPv4 network returns the IPv4 address of the VPN gateway, the answer first reaches the DNS-ALG, which prepends a specific prefix to the IPv4 address to form an IPv6 address and returns that address to the mobile node;
(4) the mobile node constructs its data packets using the returned IPv6 address of the VPN gateway and communicates with the gateway; packets between the mobile node and the VPN gateway are encapsulated and decapsulated by the IPv6-in-IPv4 tunnel, so that nodes of different protocol types can communicate.
Through the above processing, mobile VPN service interworks across the hybrid network.
For the purpose of promoting an understanding of the invention, reference will now be made in detail to specific implementations of the invention as illustrated in the accompanying drawings.
The networking structure of the technical scheme for realizing the mobile VPN in the IPv4-v6 hybrid network provided by the invention is shown in figure 4. In fig. 4, the inside of the VPN is an IPv6 network environment containing a home network (Home Net) and a foreign network (Foreign Net) that support mobile IPv6; the external network is an internet based mainly on IPv4, containing an IPv4 external network (External Net IPv4) supporting mobile IPv4 and an IPv6 external network (External Net IPv6) supporting mobile IPv6. The DNS-ALG equipment is arranged at the edge of the IPv6 external network so that a mobile node in the IPv6 external network can obtain the address of the VPN gateway in the IPv4 network by domain name query.
In the network system shown in fig. 4, the functions of each constituent device are as follows:
(1) MN (Mobile node)
Configuring an IPv4-v6 dual protocol stack, supporting standard MIPv4 (mobile IPv4)/MIPv6 (mobile IPv6), and configuring an IPsec protocol supporting MOBIKE;
(2) VPN gateway
The external interface of the VPN gateway towards the external network has an IPv4 address, and its internal interface towards the internal network has an IPv6 address; an IPv4-v6 dual protocol stack is configured on the VPN gateway, which has the encapsulation and de-encapsulation functions of an IPv6-in-IPv4 tunnel (the technique of carrying IPv6 packets over an IPv4 tunnel), supports standard MIPv6 (mobile IPv6 protocol), and is configured with an IPsec protocol supporting MOBIKE (the IKEv2 mobility and multihoming protocol);
(3) DNS-ALG (Domain name Server-application layer gateway) and DNS (Domain name Server)
The DNS-ALG is configured with an IPv4-v6 dual protocol stack, namely it supports the IPv6 and IPv4 protocols at the same time; it is used to provide the IPv4 address information of the VPN gateway, adds a specific prefix to the corresponding IPv4 address to convert it into a corresponding IPv6 address, and serves as the upper-level DNS of the DNS in the IPv6 network; the DNS in the IPv6 network is configured with an IPv6 protocol stack only;
(4) x-AR (external access router)
An IPv4-v6 dual protocol stack is configured, and the encapsulation and decapsulation functions of an IPv6-in-IPv4 tunnel are provided.
In the system shown in fig. 4, the corresponding IP address configuration mode inside the VPN is as follows:
the conventional IPv4 network is configured with private network addresses inside the VPN, which can only be used inside the VPN. In the IPv6 address classification, the site-local unicast address is well suited to VPN applications, and therefore the present invention configures the VPN internal network with IPv6 site-local unicast addresses. A site-local unicast address can only be used for transmitting data inside the VPN network: a router inside the site forwards data packets of this address type only inside the site and never outside it. The structure of the site-local unicast address may be: the 10-bit prefix 1111111011, followed by 38 zero bits, a 16-bit subnet identifier and a 64-bit interface identifier.
Based on the system shown in fig. 4, a specific implementation of the access method of the mobile node provided by the present invention will be described below.
In the mobile VPN of the IPv4-v6 hybrid network, there are three ways for the mobile node to access the VPN, and the following respectively describes the three ways and the corresponding ways of processing to develop VPN services:
(I) In the network environment where the network inside the VPN is pure IPv6, a mobile node inside the VPN communicates with the internal home agent and communication nodes by standard mobile IPv6;
when the mobile node is in the internal network of the VPN, the corresponding way for developing the VPN service is as follows:
the whole internal network is regarded as an ordinary IPv6 network, and the mobility of the mobile node is realized by mobile IPv6; when the mobile node is in the internal home network, it communicates through the ordinary IPv6 routing mechanism; when the mobile node moves out of the home network and enters a foreign network supporting mobile IPv6, it acquires a mobile IPv6 care-of address from the access router and registers with the home agent and the communication node to complete the binding update, thereby realizing mobile communication in the internal network.
(II) In an IPv4 external network, a mobile node outside the VPN supports mobile IPv4, obtains an IPv4 care-of address, performs IKE negotiation with the VPN gateway using the obtained care-of address, establishes an IPsec tunnel, and communicates with a communication node inside the VPN through the tunnel;
when the mobile node moves out of the VPN internal network and enters an IPv4 external network supporting mobile IPv4, the corresponding processing procedure for developing VPN services specifically includes:
the mobile node will be assigned an IPv4 foreign agent care-of address or IPv4 collocated care-of address. After the identity authentication with the VPN gateway is completed, the mobile node starts IKE negotiation with the VPN gateway and establishes an IPsec tunnel. The addresses at both ends of the tunnel are respectively the care-of address of the mobile node and the IPv4 address of the external interface of the VPN gateway.
When IKE negotiation is carried out, a VPN gateway gives a VPN-TIA (VPN tunnel internal address) and informs the address to a mobile node; after moving out of the internal network, the mobile node still maintains a mobile IPv6 binding cache with the internal home agent or the communication node of the VPN, and the VPN-TIA is used as a mobile IPv6 care-of address registered by the mobile node to the internal home agent or the communication node.
That is, the mobile node does not use the care-of address it obtained in the foreign network as the care-of address registered with the home agent of the home network, but uses the VPN-TIA as its home-network care-of address. The purpose is that the home agent and communication nodes in the VPN are not affected by changes of the care-of address of the mobile node in the external network, which reduces the frequent sending of control information such as registration updates and avoids the problem of a mobile node that has obtained an IPv4 care-of address registering with a home agent in IPv6.
After an IPsec tunnel is established, a mobile node firstly carries out mobile IPv6 encapsulation on a data packet of an upper layer protocol, wherein the source address is VPN-TIA, and the destination address is the address of an internal home agent or a communication node; and performing IPsec encapsulation, wherein the source address is an external network IPv4 care-of address of the mobile node, and the destination address is an IPv4 address of an external interface of the VPN gateway.
The structure of the data packet after the two encapsulations is shown in table 1, where i-HoA is the home address of the mobile node in the home network, x-CoA is the care-of address obtained by the mobile node in the foreign network, and the v4/v6 mark before each address indicates the address type.
TABLE 1
IPv4 header (src: v4 x-CoA, dst: v4 VPN-GW) | ESP header | IPv6 header (src: v6 VPN-TIA, dst: v6 i-HA) | IPv6 header (src: v6 i-HoA, dst: v6 CN) | User protocol | ESP trailer
(III) In the IPv6 external network, the mobile node outside the VPN supports mobile IPv6 and obtains an IPv6 care-of address. The x-AR of the IPv6 external network and the VPN gateway in the IPv4 network use IPv6-in-IPv4 tunneling technology to enable the mobile node in the IPv6 external network to communicate with the VPN gateway in the IPv4 network;
the process of the mobile node communicating with the VPN interior node in case the mobile node is located in the IPv6 external network, i.e. outside the VPN, is as follows:
(1) when the mobile node enters an external network supporting mobile IPv6, an access router (namely x-AR) in the network provides a wireless interface for accessing the external network for the mobile node, namely, the mobile node obtains a corresponding IPv6 care-of address so as to carry out network communication;
(2) after obtaining the corresponding IPv6 care-of address, the mobile node's IPv6 data packets are carried with IPv6-in-IPv4 tunnel technology: IPv4 encapsulation and decapsulation are performed at the x-AR of the IPv6 external network and at the VPN gateway of the IPv4 network respectively, thus realizing intercommunication between the IPv4 host and the IPv6 host;
the reason for adopting IPv6-in-IPv4 tunneling is as follows: after the mobile node obtains an IPv6 care-of address, a VPN gateway in the IPv4 network still cannot process an IP packet whose IP version differs from its own, because the address structures at the two ends differ; that is, it cannot communicate directly with the mobile node. Therefore the IPv6 packet needs to be encapsulated in IPv4, so that the VPN gateway at the opposite end can recognize the received packet.
A specific implementation of the process of communicating with a VPN interior node in the case where the mobile node is outside the VPN will now be described.
In the specific implementation process of the invention, the basis for establishing communication between the IPv4 host and the IPv6 host is association through domain names. That is, the mobile node does not need to know whether the VPN gateway it wants to communicate with has an IPv4 address or an IPv6 address, but only needs to know the FQDN (Fully Qualified Domain Name) of the VPN gateway. After domain name resolution, the communication address of the VPN gateway is obtained and the corresponding data packets can be constructed to realize mutual communication.
First, a specific process of performing domain name resolution of a VPN gateway by using a DNS (domain name server) will be described, where the specific process includes two processing stages, a domain name resolution request and a domain name resolution response.
In the corresponding domain name resolution request phase, as shown in fig. 5, the main processing procedure includes:
(1) the mobile node sends a DNS request to the DNS server in the IPv6 site, namely sends an AAAA DNS request to the corresponding IPv6 DNS server, asking it to resolve the FQDN of the destination host and obtain the address information of the VPN gateway;
for an IPv6 host mobile node initiating communication, it is not known whether a communication partner is an IPv4 host or an IPv6 host, and the mobile node has only the FQDN, e.g., www.vpngw.com, of a destination host (VPN gateway), and therefore, it is necessary to obtain the address of the VPN gateway through a domain name resolution request.
(2) After the DNS request of the mobile node reaches a DNS server, the DNS request is forwarded to a DNS-ALG;
this is because the DNS request received by the DNS server of the IPv6 site actually carries the FQDN of the VPN gateway in the IPv4 network, so the DNS server cannot resolve the domain name and forwards the request to the upper-level DNS server; in the IPv6 external network, the address of the upper-level DNS server configured in the DNS server is the address of the in-site DNS-ALG, and therefore the DNS request sent by the mobile node is forwarded to the DNS-ALG by the DNS server;
(3) the DNS-ALG stores the DNS server address of the IPv4 network; when the DNS-ALG receives the AAAA IPv6 DNS request of the mobile node forwarded by the DNS server, it determines the DNS server responsible for the VPN gateway according to the stored DNS server list; since the external interface of the VPN gateway is an IPv4 interface, the corresponding address is an IPv4 address and the corresponding DNS server is a DNS server in the IPv4 network, so the IPv6 DNS request needs to be converted into an IPv4 DNS request (type A) and sent to the DNS server of the IPv4 network;
(4) because the DNS-ALG is connected with the x-AR, the DNS-ALG sends the IPv4DNS request to the x-AR first and then the x-AR sends the IPv4DNS request to the IPv4 network.
A corresponding domain name resolution response phase, that is, a DNS reply process, is as shown in fig. 6, after receiving the request, the DNS server in the IPv4 network returns a DNS reply, where a reply message includes an IPv4 address of the VPN gateway, and the reply message is returned to the mobile node in the IPv6 network, and the specific DNS reply process includes the following processing procedures:
(1) the DNS-ALG in the IPv6 network receives a DNS reply from the DNS server of the IPv4 network, the result of which is the IPv4 address of the VPN gateway; the DNS-ALG needs to add a specific address prefix to the VPN gateway address, and data packets with the prefix are all routed to the x-AR;
the prefix route can be configured and advertised in advance in the routing devices of the IPv6 network; for example, if the prefix is 5ef0:3248::/64 and the IPv4 address of the VPN gateway is assumed to be 200.0.0.1, the DNS-ALG appends the IPv4 address of the VPN gateway to the prefix, constructs the IPv6 address 5ef0:3248::200.0.0.1 and returns it to the DNS server in the IPv6 network;
(2) after receiving an IPv6 address with a specific prefix returned by a DNS-ALG, a DNS server in the IPv6 network writes the corresponding address into a cache as the address of a VPN gateway corresponding to a DNS request of a mobile node, namely, the corresponding relation information between the address in the IPv6 format of the VPN gateway and the domain name thereof is stored on the DNS in the IPv6 network;
it should be noted that after the domain name of the VPN gateway has been resolved once, the process is not repeated: a host that subsequently communicates with the VPN gateway through its domain name can directly obtain the converted address of the VPN gateway, which is an IPv6 address, from the DNS server of the IPv6 network;
(3) after the resolution result (i.e. the IPv6 address with the specific prefix) is written into the cache, the DNS server also returns this IPv6 address, formed from the specific address prefix and the IPv4 address of the VPN gateway, to the mobile node, so that the mobile node obtains the address information of the VPN gateway required for developing the mobile VPN service.
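The DNS-ALG processing of the request phase and the reply phase above (and of steps (1) to (3) in the earlier overview), as an added worked example in Python; this is illustrative code and not the patent's or any product's implementation. It works on real DNS wire format: an AAAA query arriving from the site's IPv6 DNS server is rewritten into an A query with the same transaction id, and the A reply from the IPv4 DNS server is rewritten into an AAAA reply whose addresses are the routed prefix with the IPv4 address in the low-order 32 bits. The prefix 5ef0:3248::/64, the gateway address 200.0.0.1 and the name www.vpngw.com are the page's example values; the class and function names and the transaction id used in the test are assumptions.

```python
"""DNS-ALG: AAAA -> A query rewrite and A -> AAAA reply synthesis (added example)."""
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_name(fqdn):
    """Encode 'www.vpngw.com' as uncompressed DNS labels."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length


def build_query(txid, fqdn, qtype):
    """Standard query (RD=1) with a single question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(fqdn) + struct.pack("!HH", qtype, QCLASS_IN))


def build_response(txid, fqdn, qtype, rdatas, ttl=300):
    """Response (QR=1, RD, RA) whose answers point back at the question name (0xC00C)."""
    msg = (struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
           + encode_name(fqdn) + struct.pack("!HH", qtype, QCLASS_IN))
    for rdata in rdatas:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg):
    """Return (txid, flags, [(qname, qtype)], [(name, rtype, rdata)])."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags, questions, answers


class DnsAlg:
    """DNS-ALG between the site's IPv6 DNS server and the IPv4 network's DNS server."""

    def __init__(self, prefix):
        self.prefix = ipaddress.IPv6Network(prefix)   # routed to the x-AR, e.g. 5ef0:3248::/64
        self.pending = {}                             # txid -> FQDN of forwarded AAAA queries

    def synthesize(self, ipv4):
        """Specific prefix + IPv4 address in the low-order 32 bits -> IPv6 address."""
        v4 = int(ipaddress.IPv4Address(ipv4))
        return ipaddress.IPv6Address(int(self.prefix.network_address) | v4)

    def translate_query(self, aaaa_query):
        """IPv6 DNS (AAAA) request -> IPv4 DNS (A) request with the same transaction id."""
        txid, _, questions, _ = parse_message(aaaa_query)
        fqdn, qtype = questions[0]
        if qtype != QTYPE_AAAA:
            raise ValueError("DNS-ALG only rewrites AAAA queries")
        self.pending[txid] = fqdn
        return build_query(txid, fqdn, QTYPE_A)

    def translate_response(self, a_response):
        """A reply from the IPv4 DNS server -> AAAA reply carrying synthesized addresses."""
        txid, _, _, answers = parse_message(a_response)
        fqdn = self.pending.pop(txid)               # KeyError for a reply nobody asked for
        v6_rdatas = [self.synthesize(ipaddress.IPv4Address(rdata)).packed
                     for _, rtype, rdata in answers if rtype == QTYPE_A]
        return build_response(txid, fqdn, QTYPE_AAAA, v6_rdatas)
```

Matching replies to forwarded queries by transaction id (the `pending` table) is what lets the ALG reject unsolicited replies; the address in the synthesized AAAA record is exactly the one the x-AR later strips back to an IPv4 address.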
After the mobile node and the DNS server obtain the address information of the VPN gateway, the mobile node can implement communication with a node in the VPN intranet by performing packet conversion and forwarding, and the corresponding specific communication process includes:
(1) the mobile node receives the IPv6 address returned by the DNS server, the address is an IPv6 address formed by adding a specific address prefix to the IPv4 address of the VPN gateway, and the mobile node forms an IPv6 data packet by taking the address as a destination address.
(2) since the prefix route of the destination address is configured and advertised in the IPv6 network, all IPv6 packets with that address prefix are directed to the x-AR, so the IPv6 data packets sent by the mobile node are routed to the x-AR; here the specific address prefix is assumed to be 5ef0:3248::/64 and the IPv4 address of the VPN gateway to be 200.0.0.1;
(3) the x-AR receives an IPv6 data packet with the destination prefix 5ef0:3248::/64, recognizes that this is the specific prefix issued by the DNS-ALG, and performs IPv6-in-IPv4 tunnel encapsulation on the IPv6 data packet; the specific encapsulation mode is as follows:
the x-AR extracts the IPv4 address of the VPN gateway from the destination address field of the IPv6 packet (the low-order 32 bits following the specific prefix), uses this IPv4 address of the VPN gateway as the destination address of the IPv4 tunnel header, and uses the IPv4 address of the x-AR as the source address of the IPv4 tunnel header; the structure of the newly constructed IPv4 packet, that is, the packet encapsulated by the IPv4 tunnel, is shown in table 2:
TABLE 2
IPv4 packet header | IPv6 packet header | IPv6 payload
(4) The x-AR sends the encapsulated IPv4 data packet to an IPv4 network;
(5) the IPv4 data packet received by the VPN gateway may be a data packet from a mobile node in the IPv4 external network, or a data packet from a mobile node in the IPv6 external network encapsulated through the IPv4 tunnel; in order to identify the source of the data packet, the VPN gateway reads the IPv4 packet header, and if the next header is found to be IPv6, it determines that the data packet comes from the IPv6 external network, decapsulates it, and passes the decapsulated IPv6 data packet to another module for further processing; the subsequent processing is the same as for an ordinary IPv6 data packet, so it is not described in detail.
When a node in the VPN needs to send information to a mobile node in the IPv6 external network, the IPv6 data packet destined for the mobile node is encapsulated by the VPN gateway with an IPv4 packet header and sent towards the mobile node through the tunnel between the x-AR and the VPN gateway; the destination address of the IPv4 header added by the VPN gateway is the IPv4 address of the x-AR and the source address is the IPv4 address of the VPN gateway. When the x-AR receives the IPv4 data packet, it reads the IPv4 packet header, finds that the next header is IPv6, removes the IPv4 header, and forwards the decapsulated IPv6 data packet to the mobile node. This process can be viewed as the reverse of the mobile node sending a packet to the VPN gateway.
In the above processing procedure, when the mobile node is in the IPv6 external network and wants to communicate with a VPN internal node, a tunnel needs to be established between the mobile node and the VPN gateway; how this tunnel is established so that the IPv6 external network can communicate with the VPN internal node is the key to implementing VPN communication in the hybrid network. For this reason, the establishment of the IPsec tunnel and the forwarding process of the packet when the mobile node is in the IPv6 external network are described in detail below.
In the prior art, communication between a mobile node and a VPN gateway uses an IKEv2 negotiation supporting MOBIKE to establish an IPsec tunnel, after which data packets are transmitted encapsulated in IPsec ESP (Encapsulating Security Payload) tunnel mode. However, in the application scenario described in the present invention, because the mobile node and the VPN gateway are located in networks of different types, both the signaling information of the IKE negotiation and the subsequent IPsec-encapsulated data packets pass through the encapsulation and decapsulation of the IPv6-in-IPv4 tunnel; therefore, for a mobile node in the IPv6 external network to communicate with a VPN internal node, a corresponding IPsec tunnel whose end addresses are both IPv4 addresses, that is, a tunnel supporting IPv6-in-IPv4 encapsulation and decapsulation, must be established, and IPv6-in-IPv4 messages are transmitted encapsulated through it.
In the invention, in the established tunnel, the SPI (security parameter index) destination address item of the mobile node SA is the IPv6 address of the VPN gateway, and the SPI destination address item of the VPN gateway SA is the IPv6 address of the mobile node, and in the IKE negotiation process of the two parties, the VPN gateway also obtains the own IPv6 address, namely the corresponding specific prefix plus the own IPv4 address.
After the IPsec tunnel is established, interactive transmission of data packets needs to be performed through the tunnel, and a forwarding process of a corresponding data packet will be described below.
The mobile node first encapsulates the data packet of the upper layer protocol with mobile IPv6, where the source address is the VPN-TIA (VPN Tunnel Inner Address, an address inside the VPN tunnel) and the destination address is the address of a node inside the VPN (the internal home agent or a communication node).
After that, IPsec encapsulation is carried out, the source address is the external network IPv6 care-of address of the mobile node, the destination address is the VPN gateway external interface IPv6 address, and the address is generated by adding a specific prefix to the VPN gateway IPv4 address.
The structure of the IPv6 packet after the two encapsulations is shown in table 3, where i-HoA is the home address of the mobile node in the home network, x-CoA is the care-of address obtained by the mobile node in the foreign network, and VPN-GW is the IPv6 address with the specific prefix added. The v4/v6 tag before each address indicates the address type.
TABLE 3
IPv6 header (src: v6 x-CoA, dst: v6 VPN-GW) | ESP header | IPv6 header (src: v6 VPN-TIA, dst: v6 i-HA) | IPv6 header (src: v6 i-HoA, dst: v6 CN) | User protocol | ESP trailer
Since prefix routing of the destination address of the data packet is configured and issued in the IPv6 network, all IPv6 packets with the address prefix point to the x-AR, and therefore IPv6 data packets sent by the mobile node are routed to the x-AR.
The x-AR identifies that the prefix is the specific prefix issued by the DNS-ALG, so it performs IPv6-in-IPv4 tunnel encapsulation on the IPv6 data packet; specifically, the x-AR extracts the IPv4 address of the VPN gateway from the destination address field of the IPv6 packet, uses this IPv4 address of the VPN gateway as the destination address of the IPv4 tunnel packet header, and uses the IPv4 address of the x-AR as the source address of the IPv4 tunnel packet header. The format of the IPv4 packet encapsulated by the IPv4 tunnel is shown in table 4: the outermost header is the IPv4 packet header, and the original entire IPv6 packet is carried as the IPv4 payload. In the outermost packet header, x-AR is the IPv4 address of the access router and VPN-GW is the IPv4 address of the VPN gateway.
TABLE 4
IPv4 tunnel header (src: v4 x-AR, dst: v4 VPN-GW) | IPv6 header (src: v6 x-CoA, dst: v6 VPN-GW) | ESP header | IPv6 header (src: v6 VPN-TIA, dst: v6 i-HA) | IPv6 header (src: v6 i-HoA, dst: v6 CN) | User protocol | ESP trailer
The x-AR forwards the tunneled IPv4 data packet to the IPv4 network. After receiving the data packet, the VPN gateway removes the IPv4 tunnel encapsulation, then hands the packet to the IPsec function module, which removes the IPsec encapsulation and forwards the packet to the internal home agent or communication node, so that communication between the mobile node and the VPN internal node is realized.
The forwarding and conversion of the data packet sent by the VPN interior node to the mobile node can be completely regarded as the reverse process of the above steps, and therefore, the details are not described herein again.
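The x-AR and VPN gateway tunnel endpoints described in steps (2) to (5) of the packet conversion procedure above and again in the forwarding description just given, as an added worked example in Python; this is illustrative code, not the patent's or any product's implementation. The x-AR builds the outer IPv4 header (source: its own address, destination: the IPv4 address carried in the low-order 32 bits of the synthesized IPv6 destination), the gateway classifies inbound IPv4 packets by the protocol field (41, the IPv6-in-IPv4 value, versus anything else such as ESP) and the reverse direction strips the header after verifying its checksum. The prefix 5ef0:3248::/64 and the gateway address 200.0.0.1 are the page's example values; the x-AR address 198.51.100.1, the care-of address 2001:db8::10 and the class names are constructed assumptions.

```python
"""IPv6-in-IPv4 tunnel endpoint logic of the x-AR and the VPN gateway (added example)."""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IPv4 protocol number meaning "an IPv6 packet follows"
IPPROTO_ESP = 50


def ipv4_checksum(hdr):
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv6_packet(src, dst, next_header, payload, hop_limit=64):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def decapsulate(ipv4_pkt):
    """Strip a verified IPv4 tunnel header and return the inner IPv6 packet."""
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    if ipv4_checksum(ipv4_pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ipv4_pkt[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    total_len = struct.unpack("!H", ipv4_pkt[2:4])[0]
    return ipv4_pkt[ihl:total_len]


class XAR:
    """Dual-stack access router at the edge of the IPv6 external network."""

    def __init__(self, ipv4_addr, alg_prefix):
        self.ipv4_addr = ipv4_addr
        self.prefix = ipaddress.IPv6Network(alg_prefix)

    def to_ipv4_network(self, ipv6_pkt):
        """Destination carries the DNS-ALG prefix: outer dst = the IPv4 address in its
        low-order 32 bits (the VPN gateway), outer src = the x-AR's own IPv4 address."""
        dst = ipaddress.IPv6Address(ipv6_pkt[24:40])
        if dst not in self.prefix:
            raise ValueError("destination is not a tunnel-bound synthesized address")
        gw_ipv4 = str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF))
        return build_ipv4_header(self.ipv4_addr, gw_ipv4, IPPROTO_IPV6, len(ipv6_pkt)) + ipv6_pkt

    def to_mobile_node(self, ipv4_pkt):
        """Reverse direction: next header IPv6 -> decapsulate and forward the IPv6 packet."""
        return decapsulate(ipv4_pkt)


class VpnGateway:
    """Dual-stack VPN gateway whose external interface is IPv4."""

    def __init__(self, ipv4_addr, xar_ipv4):
        self.ipv4_addr, self.xar_ipv4 = ipv4_addr, xar_ipv4

    def classify_inbound(self, ipv4_pkt):
        """Protocol 41 means a tunneled packet from a mobile node in the IPv6 external
        network; any other protocol (e.g. ESP) is a packet from the IPv4 external network."""
        if ipv4_pkt[9] == IPPROTO_IPV6:
            return "ipv6-external", decapsulate(ipv4_pkt)
        return "ipv4-external", ipv4_pkt

    def to_ipv6_external(self, ipv6_pkt):
        """Gateway -> x-AR: outer src = gateway IPv4 address, outer dst = x-AR IPv4 address."""
        return build_ipv4_header(self.ipv4_addr, self.xar_ipv4, IPPROTO_IPV6, len(ipv6_pkt)) + ipv6_pkt
```

The x-AR refuses to tunnel a packet whose destination does not carry the routed prefix, and the decapsulation path rejects a corrupted outer header before looking at the inner packet; the inner IPv6 packet (which in the patent's flow is the IPsec ESP packet of table 3) is passed through untouched.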
In the specific implementation process of the present invention, when the mobile node moves to the IPv6 external network, the following scheme may be adopted to implement the communication between the mobile node and the VPN internal node.
In the IPv4-v6 hybrid network, in order to realize communication between a host (the mobile node) located in an IPv6 network and a host (the VPN gateway) located in an IPv4 network, NAT-PT (network address translation-protocol translation) technology may be used in addition to IPv6-in-IPv4 tunneling technology.
The invention also applies the NAT-PT to the IPv4-v6 hybrid network according to the basic technology and thought of the NAT-PT to realize the mobile VPN, and further provides a communication scheme between the mobile node in the IPv6 network and the VPN gateway in the IPv4 network under the structure.
A NAT-PT entity, namely NAT-PT equipment, needs to be configured at the edge of the IPv6 external network, and the NAT-PT and the DNS-ALG can be combined into the same equipment in the invention.
The detailed implementation process of the mobile node located in the IPv6 external network communicating with the VPN gateway in the IPv4 network will be described below.
The mobile node still obtains the IPv6 address of the VPN gateway by using the domain name query method, and the specific query process is described in the foregoing description and will not be described in detail here. The IPv6 address is a VPN gateway IPv4 address plus a specific address prefix. The mobile node constructs a data packet by using the address as a destination address.
The IPv6 data packet with the specific address prefix is routed to the NAT-PT by default; the NAT-PT judges from the specific address prefix that the data packet is destined for a host in the IPv4 network and therefore performs protocol conversion on the IPv6 data packet. The NAT-PT maps the source address of the received IPv6 packet (the care-of address of the mobile node) to an IPv4 address, which serves as the source address of the converted IPv4 packet; the low-order 32 bits of the destination address serve as the destination address of the converted IPv4 packet; syntax and semantic translation (namely NAT-PT) is carried out on each field of the IPv6 packet, and the destination address of the translated IPv4 data packet is the IPv4 address of the VPN gateway;
the NAT-PT and the x-AR are dual-protocol stack devices, the NAT-PT sends the converted IPv4 data packet to the x-AR, and the x-AR sends the data packet to the IPv4 network.
The process of converting IPv4 packets into IPv6 packets is the reverse of the above steps. When the x-AR receives an IPv4 data packet, routing to the NAT-PT, extracting a destination address of the IPv4 packet by the NAT-PT, searching an address mapping table, and finding an IPv6 address corresponding to the IPv4 destination address as the destination address of the IPv6 data packet; adding a specific prefix to the source address of the IPv4 packet to serve as the source address of the IPv6 packet, carrying out syntax and semantic conversion on each field in the IPv4 packet, constructing an IPv6 data packet, and finally forwarding the data packet to the mobile node.
The following will describe in detail the tunnel establishment and packet forwarding process that are required for the mobile node in the IPv6 external network to communicate with the VPN internal network when the NAT-PT entity is installed.
Firstly, the tunnel establishment process is as follows:
similarly, the initial communication between the mobile node and the VPN gateway is an IKEv2 negotiation supporting MOBIKE, which establishes an IPsec tunnel, after which data packets are transmitted encapsulated in IPsec ESP tunnel mode. Because of the NAT-PT, the signaling information of the IKE negotiation and the subsequent IPsec-encapsulated data packets are converted from IPv4 to IPv6 or from IPv6 to IPv4; the SPI destination address item of the mobile node SA is the IPv6 address of the VPN gateway, the SPI destination address item of the VPN gateway SA is the IPv4 address of the mobile node, and neither party knows that its communication peer is a host of a different network type from its own. Therefore, the establishment of the tunnel by both sides and the transmission of data are not affected, and switching of the mobile node between different types of external networks is made convenient: whether the mobile node is in an IPv4 foreign network or an IPv6 foreign network, the VPN gateway always considers the mobile node to be in an IPv4 network.
Then, the process of forwarding the packet by using the tunnel is as follows:
after the IPsec tunnel is established, the mobile node first performs mobile IPv6 encapsulation on the data packet of the upper layer protocol, with the source address VPN-TIA and the destination address the address of the internal home agent or communication node; it then performs IPsec encapsulation, with the source address the external network IPv6 care-of address of the mobile node and the destination address the external interface IPv6 address of the VPN gateway, generated by adding the specific prefix to the IPv4 address of the VPN gateway. The structure of the IPv6 packet of a mobile node located in the IPv6 external network after the two encapsulations is shown in table 5, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node in the external network, and VPN-GW (VPN gateway) is the IPv6 address with the specific prefix added. The v4/v6 tag before each address indicates the address type.
TABLE 5
IPv6 header (src: v6 x-CoA, dst: v6 VPN-GW) | ESP header | IPv6 header (src: v6 VPN-TIA, dst: v6 i-HA) | IPv6 header (src: v6 i-HoA, dst: v6 CN) | User protocol | ESP trailer
After the data packet is routed to the NAT-PT, the NAT-PT maps the source address of the received IPv6 packet (the care-of address of the mobile node) to an IPv4 address, which serves as the source address of the converted IPv4 packet; the low-order 32 bits of the destination address serve as the destination address of the converted IPv4 packet; syntax and semantic conversion is carried out on all fields of the IPv6 packet, and an IPv4 data packet whose destination address is the VPN gateway IPv4 address is constructed. Table 6 shows the IPv4 packet format after NAT-PT translation, where the outermost IP header carrying the IPsec encapsulation has been translated to IPv4 addresses: x-CoA is the IPv4 care-of address mapped from the IPv6 care-of address of the mobile node, and VPN-GW is the IPv4 address of the VPN gateway.
TABLE 6
IPv4 header (src: v4 x-CoA, dst: v4 VPN-GW) | ESP header | IPv6 header (src: v6 VPN-TIA, dst: v6 i-HA) | IPv6 header (src: v6 i-HoA, dst: v6 CN) | User protocol | ESP trailer
The IPv4 data packet converted by the NAT-PT is forwarded to the x-AR, and then forwarded to the IPv4 network by the x-AR. After receiving the data packet, the VPN gateway removes the IPsec encapsulation and forwards the data packet to an internal home agent or a communication node, so that the communication between the mobile node and the VPN internal node is realized.
The forwarding and conversion of the data packet sent by the VPN interior node to the mobile node are completely the reverse of the above steps, and are not described herein again.
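The NAT-PT address handling described for the outbound packet (source care-of address mapped to an IPv4 pool address, destination taken from the low-order 32 bits) and for the reverse direction (destination looked up in the mapping table, source given the specific prefix), as an added worked example in Python; this is illustrative code, not the patent's or any product's NAT-PT. Headers are represented as dictionaries of the fields that the translation touches (addresses, next header/protocol, hop limit/TTL, lengths); the prefix 5ef0:3248::/64 and the gateway address 200.0.0.1 are the page's example values, while the IPv4 pool 198.51.100.10-11, the care-of address 2001:db8::10 and the class name are constructed assumptions.

```python
"""NAT-PT address mapping and header translation at the IPv6 external network edge (added example)."""
import ipaddress


class NatPt:
    def __init__(self, prefix, v4_pool):
        self.prefix = ipaddress.IPv6Network(prefix)                 # 5ef0:3248::/64 in the page's example
        self.free = [ipaddress.IPv4Address(a) for a in v4_pool]     # constructed pool of IPv4 addresses
        self.v6_to_v4 = {}                                          # mobile node care-of address -> pool address
        self.v4_to_v6 = {}                                          # reverse table for inbound packets

    def map_source(self, src6):
        """Allocate (or reuse) the IPv4 pool address standing in for an IPv6 source."""
        src6 = ipaddress.IPv6Address(src6)
        if src6 not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("NAT-PT pool exhausted")
            v4 = self.free.pop(0)
            self.v6_to_v4[src6], self.v4_to_v6[v4] = v4, src6
        return self.v6_to_v4[src6]

    def translate_v6_to_v4(self, hdr6):
        """Outbound: only packets whose destination carries the specific prefix are for the IPv4 network."""
        dst6 = ipaddress.IPv6Address(hdr6["dst"])
        if dst6 not in self.prefix:
            raise ValueError("destination lacks the NAT-PT prefix; not destined for the IPv4 network")
        return {
            "src": str(self.map_source(hdr6["src"])),
            "dst": str(ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)),   # low-order 32 bits
            "protocol": hdr6["next_header"],                            # e.g. 50 for ESP
            "ttl": hdr6["hop_limit"],
            "total_length": 20 + hdr6["payload_length"],                # IPv4 header is 20 bytes
        }

    def translate_v4_to_v6(self, hdr4):
        """Inbound: destination must be a mapped pool address; source gets the specific prefix.
        Returns None when there is no mapping, i.e. the packet is dropped."""
        dst4 = ipaddress.IPv4Address(hdr4["dst"])
        if dst4 not in self.v4_to_v6:
            return None
        src4 = int(ipaddress.IPv4Address(hdr4["src"]))
        return {
            "src": str(ipaddress.IPv6Address(int(self.prefix.network_address) | src4)),
            "dst": str(self.v4_to_v6[dst4]),
            "next_header": hdr4["protocol"],
            "hop_limit": hdr4["ttl"],
            "payload_length": hdr4["total_length"] - 20,
        }
```

Because the mapping is stateful, an inbound IPv4 packet addressed to a pool address that no mobile node currently holds is dropped rather than translated, and the VPN gateway only ever sees the pool address, which is why the page can say the gateway always treats the mobile node as an IPv4 host.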
In the present invention, the mobility of the mobile node determines that the present invention also includes the process of handover between different types of networks and update of SA addresses in the implementation process, which will be described in detail below.
An IPv4 external network supporting mobile IPv4 and an IPv6 external network supporting mobile IPv6 exist in the IPv4-v6 hybrid network; heterogeneous networks refer to an IPv4 network and an IPv6 network, and homogeneous networks refer to two IPv4 networks or two IPv6 networks.
After the mobile node accesses the VPN using the IPsec tunnel, it may move between different networks. In the invention, when the mobile node is located in the internal network, it communicates using standard mobile IPv6; when the mobile node roams from the internal network to an external network, an IPsec tunnel needs to be established to communicate with the VPN internal node; after the mobile node leaves the current external network and enters a new heterogeneous or homogeneous external network, the new care-of address is used to update the SA address through the MOBIKE protocol, the original IPsec tunnel is kept, and communication with the VPN internal node continues.
In order to avoid renegotiation after the care-of address of the mobile node is changed and to continue communication by using the original IPsec tunnel, the invention needs to adopt an MOBIKE protocol to realize the support of the IPsec protocol on the mobility of the node, thereby allowing the original IPsec tunnel to be continuously maintained for communication through SA address update after the change of the care-of address of the mobile node.
To clearly illustrate this technical point in the present invention, the conventional MOBIKE protocol is first described below.
MOBIKE is an extension of IKEv2 that supports mobility at both ends of an IPsec tunnel. MOBIKE allows the nodes at both ends of the tunnel to update their IP addresses while keeping the IKE SA and IPsec SAs, that is, the original IPsec tunnel is maintained after the IP addresses of the tunnel endpoints change, without renegotiation. An important application scenario of MOBIKE is a mobile node of an IPsec VPN keeping its original IPsec tunnel to the VPN gateway after its care-of address in the external network changes.
The communicating parties supported by MOBIKE may have multiple addresses, and the address pair used at the ends of the tunnel is decided by the initiator of the IKE_SA (Internet Key Exchange Security Association). When the IPsec SA addresses are updated, the update-address request is likewise issued by the initiator of the IKE SA. Such a MOBIKE design is well suited to mobile VPN application scenarios: in a mobile VPN the mobile node usually initiates the IKE negotiation with the VPN gateway when it is in an external network and establishes the IPsec tunnel; after the care-of address of the mobile node changes, the mobile node initiates an address update request to update its address in the IKE SA and the IPsec SAs (IPsec Security Associations).
Since MOBIKE is an extension of IKEv2, it is implemented entirely within IKEv2 negotiation exchanges. MOBIKE defines some new notification payloads that are used in the negotiation exchanges of the three IKEv2 exchange types (IKE SA exchange, IPsec SA exchange and informational exchange) to implement the functions supported by MOBIKE.
If the established IPsec tunnel is to support the MOBIKE protocol, first, when the IKE_SA is initialized, a MOBIKE_SUPPORTED notification payload is added to the IKE_AUTH (IKE authentication) exchange, indicating that both nodes support the MOBIKE protocol.
The MOBIKE protocol allows the entities at both ends of the communication to have multiple addresses at the same time; the initiator and the responder can add ADDITIONAL_IP4_ADDRESS (additional IPv4 address) or ADDITIONAL_IP6_ADDRESS (additional IPv6 address) notification payloads in the IKE_AUTH exchange (namely the last two messages of the IKEv2 initial exchange).
When MOBIKE is implemented, the procedure for updating the addresses of the corresponding IPsec SAs is as follows:
In MOBIKE the initiator of the IKE SA decides the addresses used in the IPsec SAs; that is, the responder updates the IP addresses of the IPsec SAs only after receiving an explicit UPDATE_SA_ADDRESSES request from the initiator. After the initiator determines that the address needs to be updated, it updates the IP addresses in the IKE_SA and the IPsec SAs and sets a "pending_update" flag in the IKE_SA; if an IKEv2 request has been sent to the responder but no reply has been received, the request is retransmitted using the updated IP address; when the window size allows, a message exchange request containing the UPDATE_SA_ADDRESSES notification payload is sent and the "pending_update" flag is cleared; if the address changes again while waiting for the reply, the procedure restarts from the first step and the reply to the earlier request is ignored when it arrives.
When processing a message exchange request containing UPDATE_SA_ADDRESSES, the responder performs the following procedure:
1. since requests may arrive out of order if the responder uses a window size larger than 1, check whether an UPDATE_SA_ADDRESSES request newer than this message has already been received; if so, only send a response and take no other action;
2. check whether the source address and destination address of the IP header are acceptable according to local policy; if not, return a response containing an UNACCEPTABLE_ADDRESSES notification payload, indicating that the addresses in the IP header are not acceptable;
3. update the IP addresses in the IKE_SA with the IP addresses in the IP header of the packet sent by the initiator;
4. reply with a message exchange response to indicate that the update is finished.
After the initiator receives the response, it performs the following procedure:
1. if the IP address has changed again before the response arrives, send a new UPDATE_SA_ADDRESSES request without processing the response;
2. if the response contains the UNACCEPTABLE_ADDRESSES notification payload, the initiator may choose another address and repeat the exchange, continue to use the current address, or disconnect.
The MOBIKE protocol further includes a return routability check function: either the initiator or the responder may optionally verify that the peer can receive packets at its current address. The return routability check may be performed before or after updating the IPsec SAs, or during a normal connection; by default it is performed after the update of the IPsec SAs is completed. One party sends an IKE informational exchange request containing a COOKIE2 notification payload; after receiving the request, the other party copies the received COOKIE2 payload into its informational exchange response; on receiving the response, the requester checks whether the returned COOKIE2 payload is identical to the one it sent, which completes the return routability check.
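The UPDATE_SA_ADDRESSES procedure on both sides, followed by the COOKIE2 return routability check, as an added example (not the patent's code and not an IKEv2 implementation). IKE messages are plain dicts and the cryptographic protection of IKEv2 is left out; only the address-update logic described above is modelled: the initiator's pending_update flag, the responder's out-of-order check, local-policy check and adoption of the request's IP header addresses, and the UNACCEPTABLE_ADDRESSES outcome. Message IDs, the policy set and all addresses are constructed sample values.

```python
import os


class IkeSa:
    """Endpoint addresses shared by the IKE_SA and its IPsec SAs (one pair)."""

    def __init__(self, local, peer):
        self.local, self.peer = local, peer
        self.pending_update = False
        self.next_msg_id = 0


class Initiator(IkeSa):
    """The MOBIKE initiator decides which addresses the SAs use."""

    def address_changed(self, new_local):
        # step 1: update the address in IKE_SA/IPsec SAs, mark update pending
        self.local = new_local
        self.pending_update = True

    def build_update(self):
        # step 2: when the window allows, send UPDATE_SA_ADDRESSES from the
        # new address and clear the flag; the IP header of this request is
        # what the responder will adopt
        msg = {"msg_id": self.next_msg_id, "notify": "UPDATE_SA_ADDRESSES",
               "ip_src": self.local, "ip_dst": self.peer}
        self.next_msg_id += 1
        self.pending_update = False
        return msg

    def handle_response(self, resp):
        if self.pending_update:
            # address changed again before the reply: ignore it, start over
            return "resend"
        if resp.get("notify") == "UNACCEPTABLE_ADDRESSES":
            # may pick another address, keep the current one, or disconnect
            return "choose_other_address"
        return "updated"


class Responder(IkeSa):
    def __init__(self, local, peer, allowed_peer_addrs):
        super().__init__(local, peer)
        self.allowed_peer_addrs = set(allowed_peer_addrs)  # local policy
        self.newest_update_seen = -1

    def handle_update(self, req):
        reply = {"msg_id": req["msg_id"], "notify": None}
        # 1. out-of-order delivery (window > 1): a newer update was already
        #    processed, so answer but change nothing
        if req["msg_id"] < self.newest_update_seen:
            return reply
        self.newest_update_seen = req["msg_id"]
        # 2. local policy on the addresses of the request's IP header
        if req["ip_src"] not in self.allowed_peer_addrs:
            reply["notify"] = "UNACCEPTABLE_ADDRESSES"
            return reply
        # 3. adopt the IP header addresses into IKE_SA / IPsec SAs
        self.peer, self.local = req["ip_src"], req["ip_dst"]
        # 4. reply: update finished
        return reply

    def handle_cookie2(self, req):
        # return routability: copy the received COOKIE2 into the response
        return {"notify": "COOKIE2", "cookie2": req["cookie2"]}


def return_routability_check(sa, deliver):
    """Send a COOKIE2 probe to the peer's current address through `deliver`
    (a callable modelling the path) and confirm the same value comes back."""
    cookie2 = os.urandom(16)
    resp = deliver({"notify": "COOKIE2", "cookie2": cookie2,
                    "ip_src": sa.local, "ip_dst": sa.peer})
    return resp is not None and resp.get("cookie2") == cookie2


def update_and_verify(init, resp, new_local):
    """Sequence after a care-of address change: update the SA addresses,
    then verify the new path before data traffic is resumed."""
    init.address_changed(new_local)
    outcome = init.handle_response(resp.handle_update(init.build_update()))
    if outcome != "updated":
        return outcome
    reachable = return_routability_check(init, resp.handle_cookie2)
    return "verified" if reachable else "unreachable"


if __name__ == "__main__":
    init = Initiator(local="198.51.100.20", peer="192.0.2.1")
    resp = Responder(local="192.0.2.1", peer="198.51.100.20",
                     allowed_peer_addrs=["198.51.100.20", "203.0.113.5"])
    print(update_and_verify(init, resp, "203.0.113.5"), resp.peer)
```

The `deliver` callable stands in for the network path, so a failed check (no reply, or a reply with a different COOKIE2) can be exercised without sockets; on a real path a failure means the updated address must not be used for data traffic.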
Having introduced the MOBIKE protocol, the network handover and SA address update procedures for the mobile node will be described below.
Handover of a mobile node in an external network can be divided into two cases:
switching between homogeneous networks, which means the mobile node roams from one IPv4 external network to another IPv4 external network, or from one IPv6 external network to another IPv6 external network;
and switching between heterogeneous networks, which means the mobile node roams from an IPv4 external network to an IPv6 external network or from an IPv6 external network to an IPv4 external network.
In addition, roaming of the mobile node from the IPv6 internal network to an external network can be divided into moving to an IPv4 external network and moving to an IPv6 external network.
The following describes the configuration of the mobile node and the SA address update in each case.
(I) The mobile node is located in an internal network
When the mobile node is located in the internal network but not in its home network, it communicates with the VPN internal home agent and correspondent node via standard mobile IPv6. When the IP address changes while the mobile node moves within the internal network, the required processing includes:
(1) immediately stop communication with other nodes in the VPN; if an IPv4 care-of address is obtained, the mobile node is determined to be in an IPv4 external network, so it starts an IKE negotiation supporting MOBIKE with the VPN gateway using the IPv4 care-of address and establishes an IPsec tunnel;
(2) the mobile node uses the VPN-TIA assigned by the VPN gateway as its internal mobile IPv6 care-of address to send a registration request to the i-HA (internal home agent) through the IPsec tunnel, and after receiving the registration response it communicates with the internal network nodes through the established IPsec tunnel;
(3) if the mobile node obtains an IPv6 care-of address, the IPv6 address of the VPN gateway is queried indirectly by domain name resolution; the query process is described above and is not repeated;
(4) at the same time as step (3), the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent;
(5) the mobile node proceeds according to whether a corresponding mobile IPv6 registration response is received:
(51) if the mobile node receives a mobile IPv6 registration response corresponding to the registration request of step (4), the network where the mobile node is currently located is still the VPN internal network, so after the registration update is completed the mobile node can communicate with the VPN internal node using the new IPv6 care-of address;
(52) if no mobile IPv6 registration response corresponding to the registration request of step (4) is received and the IPv6 address of the VPN gateway is queried successfully, the mobile node is in an IPv6 external network; it carries out an IKE negotiation supporting MOBIKE with the VPN gateway using the new IPv6 address and establishes an IPsec tunnel;
In step (52), the IPsec tunnel is established as follows: the mobile node uses the VPN-TIA assigned by the VPN gateway as its internal mobile IPv6 care-of address, sends a registration request to the internal home agent through the IPsec tunnel, and communicates with the internal network nodes through the established IPsec tunnel after receiving the registration response.
(II) the mobile node is located in a foreign network
When the mobile node is in an external network, an IPsec tunnel is established and the mobile node communicates with the VPN internal node through it. Different configurations are used depending on whether the mobile node is in an IPv4 external network or an IPv6 external network; the IPv6 external network case is more complicated because IPv6-in-IPv4 tunnel encapsulation is also needed.
The following describes roaming of the mobile node in the IPv4 foreign network and roaming in the IPv6 foreign network, respectively.
1. Mobile node located in IPv4 external network
When the mobile node is located in an IPv4 external network, it uses the obtained IPv4 care-of address as its own tunnel endpoint address, carries out an IKE negotiation supporting MOBIKE with the VPN gateway, establishes an IPsec tunnel, and communicates with the VPN internal node through it. When the mobile node moves within the IPv4 external network and its IP address changes, the required processing includes:
(1) immediately stop communication with the VPN internal node; if an IPv4 care-of address is obtained, the mobile node has entered another IPv4 external network, so it starts MOBIKE initialization and updates the SA addresses, the updated SA endpoint addresses being the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway;
(2) if the mobile node obtains an IPv6 care-of address, the IPv6 address of the VPN gateway is queried indirectly by domain name resolution;
(3) at the same time as step (2), the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent;
(4) the mobile node proceeds according to whether a corresponding registration response is received:
(41) if the mobile node receives a mobile IPv6 registration response corresponding to the registration request of step (3), the mobile node has entered the VPN internal network, and after the registration update is completed it can communicate with the VPN internal node using the new IPv6 care-of address;
(42) if no MIPv6 (mobile IPv6) registration response corresponding to the registration request of step (3) is received and the IPv6 address of the VPN gateway is queried successfully, the mobile node is in an IPv6 external network; MOBIKE is initialized and the SA addresses are updated, the updated SA endpoint addresses being the newly obtained IPv6 care-of address of the mobile node and the IPv6 address of the VPN gateway;
after step (42) completes the IKE SA and IPsec SA address update, the mobile node continues to communicate with the VPN internal node through the IPsec tunnel.
Regarding the SA addresses, note that when the mobile node moves from the IPv4 external network to the IPv6 external network, both the source address and the destination address used by the mobile node (i.e. the SA endpoint addresses) change, and the mobile node updates them to the IPv6 addresses; since the VPN gateway updates according to the addresses of the IP packet after receiving the UPDATE_SA_ADDRESSES notification payload, the VPN gateway recognizes that the SA endpoint addresses have changed and updates them to the IPv6 addresses of the mobile node and the VPN gateway.
2. Mobile node located in IPv6 external network
When the mobile node is located in an IPv6 external network, it obtains an IPv6 care-of address and queries the IPv6 address of the VPN gateway by domain name resolution, then initiates an IKE negotiation supporting MOBIKE, establishes the IPsec tunnel and communicates with the VPN internal node through it. When the mobile node moves within the IPv6 external network and its IP address changes, the required processing includes:
(1) immediately stop communication with the VPN internal node; if an IPv4 care-of address is obtained, the mobile node has entered an IPv4 external network, so it starts MOBIKE initialization and updates the SA addresses, the updated SA endpoint addresses being the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway;
(2) if the mobile node obtains an IPv6 care-of address, the IPv6 address of the VPN gateway is queried indirectly by domain name resolution;
(3) at the same time as step (2), the mobile node sends a standard mobile IPv6 registration request to the home agent in the VPN;
(4) the mobile node proceeds according to whether a registration response is received:
(41) if the mobile node receives a mobile IPv6 registration response corresponding to the registration request of step (3), the mobile node has entered the VPN internal network, and after the registration update is completed it communicates with the VPN internal node using the new IPv6 care-of address;
(42) if no MIPv6 registration response corresponding to the registration request of step (3) is received and the IPv6 address of the VPN gateway is queried successfully, the mobile node is in another IPv6 external network; MOBIKE is initialized and the SA addresses are updated, the updated SA endpoint addresses being the newly obtained IPv6 care-of address of the mobile node and the IPv6 address of the VPN gateway;
after step (42) completes the IKE SA and IPsec SA address update, the mobile node continues to communicate with the VPN internal node through the IPsec tunnel.
In the present invention, the corresponding security problems need to be considered in the SA address update process: when updating the SA address, security threats from third parties in the network may be encountered. Taking security into account, the MOBIKE protocol provides two protection mechanisms:
first, the return routability check may be used to verify the reachability of the addresses provided by both nodes, which prevents large volumes of traffic from being redirected to a third party;
second, NAT prohibition ensures that the IP addresses cannot be modified by any NAT, IPv4/IPv6 translator or similar device.
This feature is mainly used when the administrator already knows that there is no NAT device between the two nodes, so that any modification to the packets is treated as an attack.
In the invention, a return routability check is added after each SA address update and before data traffic is resumed, to ensure that the updated address is safe and routable. When the mobile node enters an IPv4 external network or an IPv6 external network, it is assumed that no NAT device exists between the mobile node and the VPN gateway, so NAT prohibition can be used to protect packets from modification.
In summary, the present invention uses the MOBIKE protocol to update the SA endpoint addresses, together with the VPN gateway assigning a VPN-TIA address to the mobile node, to solve the two problems mentioned in the prior art. It also proposes how, during the transition period from IPv4 to IPv6 in an IPv4/v6 hybrid environment with IPv4 as the backbone network, the mobile node accesses the VPN service and switches between networks while maintaining normal communication.
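The handover decision of the mobile node across the three cases above (in the internal network, in an IPv4 external network, in an IPv6 external network), including the return routability check and NAT prohibition applied after an SA address update, as an added example that is not code from the patent. The node's dependencies are injected as callables with hypothetical names: `lookup_gw_v6()` stands for the indirect DNS query of the gateway's IPv6 address, and `mip6_register(coa)` for the standard MIPv6 registration to the internal home agent, returning whether a reply arrived. The `no_nats_allowed` action uses the MOBIKE notification name for NAT prohibition; the case where neither a registration reply nor a DNS answer arrives is not covered by the text, and the retry it returns is an assumption. Addresses are constructed sample values.

```python
import ipaddress

INTERNAL, EXT_V4, EXT_V6 = "internal", "ipv4_external", "ipv6_external"


class MobileNode:
    """Handover logic of the mobile node.  Network functions are injected
    (hypothetical names):
      lookup_gw_v6()      DNS query for the gateway's IPv6 address via the
                          DNS-ALG; returns the address or None
      mip6_register(coa)  standard MIPv6 registration to the internal home
                          agent; returns True if a registration reply arrives
    """

    def __init__(self, state, gw_v4, lookup_gw_v6, mip6_register):
        self.state = state
        self.gw_v4 = gw_v4                 # IPv4 address of the VPN gateway
        self.lookup_gw_v6 = lookup_gw_v6
        self.mip6_register = mip6_register
        self.sa_endpoints = None           # (mobile node address, gateway address)

    def on_new_care_of_address(self, coa):
        """Returns the ordered list of actions taken for the new address."""
        actions = ["stop_communication"]
        coa = ipaddress.ip_address(coa)
        if coa.version == 4:
            # an IPv4 care-of address always means an IPv4 external network
            return self._enter_external(EXT_V4, str(coa), self.gw_v4, actions)
        # IPv6 care-of address: query the gateway's IPv6 address and send the
        # MIPv6 registration request at the same time, then decide
        actions += ["dns_query_vpn_gw_v6", "mip6_registration_request"]
        gw_v6 = self.lookup_gw_v6()
        if self.mip6_register(str(coa)):
            # registration reply received: (still) inside the VPN, no tunnel
            self.state = INTERNAL
            self.sa_endpoints = None
            actions.append("use_new_coa_inside_vpn")
            return actions
        if gw_v6 is None:
            # not covered by the text; assumption: wait and retry
            actions.append("retry")
            return actions
        return self._enter_external(EXT_V6, str(coa), gw_v6, actions)

    def _enter_external(self, new_state, coa, gw_addr, actions):
        if self.state == INTERNAL:
            # leaving the VPN: negotiate a new MOBIKE-capable IPsec tunnel and
            # register with i-HA through it using the VPN-TIA as care-of address
            actions += ["ike_negotiation_mobike", "mip6_register_via_tunnel_vpn_tia"]
        else:
            # moving between external networks: keep the tunnel, update the SA
            # endpoint addresses, then check the new path before resuming
            actions += ["mobike_update_sa_addresses", "return_routability_check"]
        actions.append("no_nats_allowed")  # no NAT expected on the path
        self.sa_endpoints = (coa, gw_addr)
        self.state = new_state
        actions.append("resume_communication")
        return actions


if __name__ == "__main__":
    # Constructed sample: gateway 198.51.100.1 / 2001:db8:ffff::c633:6401,
    # registration never answered (the node is outside the VPN).
    node = MobileNode(INTERNAL, "198.51.100.1",
                      lambda: "2001:db8:ffff::c633:6401", lambda coa: False)
    print(node.on_new_care_of_address("2001:db8:6::1"), node.state)
    print(node.on_new_care_of_address("203.0.113.20"), node.sa_endpoints)
```

The parallel DNS query and registration attempt is what lets the node tell "still inside the VPN" from "moved to an IPv6 external network" with a single address change; a practitioner should note that the decision only depends on which reply arrives, so the registration timeout bounds how long the node stays without connectivity.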
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (19)

1. A method for realizing mobile VPN in hybrid network is characterized in that the method is applied to hybrid network including IPv4 network and IPv6 network inside mobile virtual private network VPN, and VPN gateway of VPN is set in the hybrid network, the VPN gateway provides internal interface of IPv6 address and external interface of IPv4 address, the method includes:
A. a tunnel for transmitting VPN messages interacted between an external network and an IPv6 network inside the VPN is established between the VPN gateway and the external network, and addresses at two ends of the tunnel are respectively an IPv4 address of the external network and an IPv4 address of an external interface provided by the VPN gateway;
B. after the VPN message needing to be transmitted is packaged with an IPv4 header, the VPN message is transmitted through the tunnel, and interaction of VPN services is realized in the hybrid network;
wherein, when the external network is an IPv4 external network, step A includes: an IPsec protocol tunnel is established between the VPN gateway and a mobile node which is positioned in an IPv4 external network and obtains a care-of address;
or
when the external network is an IPv6 external network, step A includes: after an IPsec protocol tunnel is established between the VPN gateway and a mobile node which is positioned in an IPv6 external network and obtains a care-of address, the VPN gateway and an access router in the IPv6 external network establish an IPv6-in-IPv4 tunnel for transmitting IPv6 messages, the tunnel encapsulates the IPv6 message in an IPv4 message, and the addresses at the two ends of the tunnel are respectively the IPv4 address of the IPv6 external network access router and the IPv4 address of the external interface of the VPN gateway;
the IPsec protocol tunnel is an IPsec protocol tunnel supporting the Internet Key Exchange mobility and multihoming protocol MOBIKE.
2. The method as claimed in claim 1, wherein after establishing the IPsec tunnel between the VPN gateway and the mobile node in the IPv6 external network that obtains the care-of address, the VPN gateway and the access router in the IPv6 external network establish an IPv6-in-IPv4 tunnel for transmitting IPv6 messages, the tunnel encapsulates an IPv6 message in an IPv4 message, and addresses at two ends of the tunnel are an IPv4 address of the IPv6 external network access router and an IPv4 address of the VPN gateway external interface, respectively, the method comprising:
A11, the mobile node moving to the IPv6 external network initiates a DNS request according to the address information of the domain name server DNS saved in the IPv6 network for resolving the IPv4 address of the VPN gateway;
A12, after receiving the DNS request, the DNS returns a DNS response message to the mobile node, wherein the response message comprises IPv4 address information of the VPN gateway;
A13, the mobile node and the IPv6 network obtain the IPv4 address information of the VPN gateway.
3. The method for implementing a mobile VPN in a hybrid network as claimed in claim 2, wherein said step A11 comprises:
the mobile node initiates a DNS request of a VPN gateway to a DNS in the IPv6 network, and the request is forwarded to a domain name server application layer gateway DNS-ALG arranged in the IPv6 network after reaching the DNS in the IPv6 network;
and the DNS-ALG determines a DNS for analyzing the IPv4 address of the VPN gateway according to the stored DNS server information, converts the DNS request into a DNS request in an IPv4 format and sends the DNS request to the determined DNS.
4. The method for implementing a mobile VPN in a hybrid network as claimed in claim 3, wherein said step A13 comprises:
after receiving the returned DNS response message, the DNS-ALG stores the IPv4 address information of the VPN gateway, converts the IPv4 address added prefix into an IPv6 address in an IPv6 format and sends the IPv6 address to the mobile node, and the mobile node takes the IPv6 address as the address information of the VPN gateway.
5. The method for implementing a mobile VPN in a hybrid network according to any of the claims 1-4, wherein said step B comprises:
B1, the mobile node in the IPv6 external network constructs a message addressed to the IPv6 address corresponding to the VPN gateway and sends the message to the external access router of the IPv6 network;
B2, the external access router receives the IPv6 message from the mobile node, adds an IPv4 message header carrying the IPv4 address of the VPN gateway to the message, and sends the message to the VPN gateway through the tunnel;
B3, the VPN gateway analyzes the received message, decapsulates the IPv4 message to restore the IPv6 message, and continues to transmit the IPv6 message.
6. The method for implementing a mobile VPN in a hybrid network according to any of the claims 1-4, wherein said step B comprises:
B4, the mobile node in the IPv6 external network constructs a message addressed to the IPv6 address corresponding to the VPN gateway and sends the message to the network address translation-protocol translation NAT-PT entity;
B5, the NAT-PT converts the IPv6 address in the IPv6 message into an IPv4 address and sends the message to the external access router, and the external access router sends the message to the VPN gateway through the tunnel;
B6, the VPN gateway analyzes the received message and continues to transmit the message.
7. The method of claim 1, wherein said establishing an IPsec protocol tunnel between said VPN gateway and a care-of-address-acquiring mobile node located in an IPv4 foreign network comprises:
A21, when the mobile node moves to the IPv4 external network, the care-of address of the IPv4 network is obtained;
A22, the mobile node and the VPN gateway negotiate to establish an IPsec tunnel, the addresses at the two ends of the tunnel being the care-of address and the IPv4 address of the VPN gateway.
8. The method for implementing a mobile VPN in a hybrid network as claimed in claim 7, wherein said step A22 comprises:
during the internet key exchange IKE negotiation between the mobile node and the VPN gateway, the VPN gateway will determine a VPN tunnel internal address for the mobile node as the mobile IPv6 care-of address for the mobile node to register inside the VPN.
9. A method for implementing a mobile VPN in a hybrid network according to any of claims 1, 7 or 8 wherein said step B comprises:
the mobile node in the IPv4 network firstly packages the data packet by mobile IPv6, then packages IPsec according to the established tunnel, and sends the VPN service message packaged with IPv4 header to the VPN gateway through the established tunnel.
10. The method of claim 9, wherein step B further comprises:
when the mobile node packages the data packet in mobile IPv6, the corresponding source address is the address inside the VPN tunnel, and the destination address is the address of the node inside the VPN.
11. A method for implementing a mobile VPN in a hybrid network according to any one of claims 1 to 4, wherein when the IP address of a mobile node located in the network inside the VPN changes during the movement, the communication with other nodes inside the VPN is stopped immediately, and the method further comprises:
C1, if the mobile node obtains an IPv4 care-of address, it carries out an IKE negotiation supporting MOBIKE with the VPN gateway using the IPv4 care-of address and establishes an IPsec tunnel; the mobile node initiates registration to the internal home agent through the tunnel by using an internal IPv6 care-of address provided by the VPN gateway, and communicates with the VPN network node through the tunnel after receiving a registration response;
or,
C2, if the mobile node obtains an IPv6 care-of address, the IPv6 address of the VPN gateway is indirectly inquired by using a domain name resolution mode, and then the mobile node sends a standard mobile IPv6 registration request to the home agent in the VPN; upon receiving the IPv6 registration reply, the mobile node is determined to be located within the VPN and the mobile node communicates with the VPN interior node using the new IPv6 care-of address.
12. The method for implementing a mobile VPN in a hybrid network as claimed in claim 11, wherein said step C2 further comprises:
if the mobile node does not receive the mobile IPv6 registration response and successfully queries the IPv6 address of the VPN gateway, determining that the mobile node is positioned in an IPv6 network outside the VPN, carrying out IKE negotiation supporting MOBIKE by using the new IPv6 address and the VPN gateway, and establishing an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway, sends a registration request to the internal home agent through the IPsec tunnel, and communicates with the internal network node through the established IPsec tunnel after receiving a registration response.
13. The method of any of claims 1 to 4, wherein when the IP address of the mobile node in the external network of IPv4 changes during the movement, the method stops the communication with the VPN internal node, and the method further comprises:
D1, if the mobile node obtains an IPv4 care-of address, and the mobile node is determined to move to another IPv4 external network, then MOBIKE is initialized and the SA address is updated, the updated endpoint addresses of the SA being the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway, and the mobile node continues to communicate with the VPN internal node through the tunnel;
or,
D2, if the mobile node obtains an IPv6 care-of address, the IPv6 address of the VPN gateway is indirectly inquired by using a domain name resolution mode; then the mobile node sends a standard mobile IPv6 registration request to the home agent in the VPN, and after receiving a mobile IPv6 registration response, the mobile node is determined to move to the network in the VPN and communicates with the node in the VPN by using the new IPv6 care-of address.
14. The method for implementing a mobile VPN in a hybrid network as claimed in claim 13, wherein said step D2 further comprises:
if the mobile node does not receive the mobile IPv6 registration response and successfully queries the IPv6 address of the VPN gateway, and the mobile node is determined to move to the IPv6 external network, the MOBIKE is initialized, the SA address is updated, the updated SA endpoint address is the IPv6 care-of address newly obtained by the mobile node and the IPv6 address of the VPN gateway, and the mobile node continues to communicate with the VPN internal node through the tunnel.
15. The method of any of claims 1 to 4, wherein when the IP address of the mobile node in the external network of IPv6 changes during the movement, the method stops the communication with the VPN internal node, and the method further comprises:
E1, if the mobile node obtains an IPv4 care-of address, and the mobile node is determined to move to the IPv4 external network, then MOBIKE is initialized and the SA address is updated, the updated endpoint addresses of the SA being the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway, and the mobile node continues to communicate with the VPN internal node through the tunnel;
or,
E2, if the mobile node obtains an IPv6 care-of address, the IPv6 address of the VPN gateway is indirectly inquired by using a domain name resolution mode; then the mobile node sends a standard mobile IPv6 registration request to the home agent in the VPN, and after receiving a corresponding mobile IPv6 registration response, the mobile node is determined to move to the network in the VPN and uses the new IPv6 care-of address to communicate with the node in the VPN.
16. The method for implementing a mobile VPN in a hybrid network as claimed in claim 15, wherein said step E2 further comprises:
if the mobile node does not receive the corresponding mobile IPv6 registration response and successfully queries the IPv6 address of the VPN gateway, and the mobile node is determined to move to another IPv6 external network, the MOBIKE is initialized, the SA address is updated, the updated SA endpoint address is the IPv6 care-of address newly obtained by the mobile node and the IPv6 address of the VPN gateway, and the mobile node continues to communicate with the VPN internal node through the tunnel.
17. A system for realizing a mobile VPN in a hybrid network, characterized in that the system comprises an IPv4 external network, an IPv6 external network and a VPN gateway, wherein the internal network of the VPN is an IPv6 network, the internal interface provided by the VPN gateway is an IPv6 interface and its external interface is an IPv4 interface, and the system further comprises:
a tunnel establishment module: for establishing a tunnel that carries the VPN messages exchanged between the VPN gateway and an external network, wherein the addresses at the two ends of the tunnel are an IPv4 address in the external network and the IPv4 address of the external interface provided by the VPN gateway, respectively;
a message encapsulation and transmission module: located at the two ends of the tunnel, for encapsulating a VPN message to be sent with an IPv4 message header and sending it to the opposite end through the tunnel;
wherein, when the external network is an IPv4 external network, the tunnel establishment module further establishes an IPsec protocol tunnel between the VPN gateway and a mobile node that is located in the IPv4 external network and has obtained a care-of address;
or
when the external network is an IPv6 external network, the tunnel establishment module further, after an IPsec protocol tunnel has been established between the VPN gateway and a mobile node that is located in the IPv6 external network and has obtained a care-of address, establishes an IPv6-in-IPv4 tunnel between the VPN gateway and an access router in the IPv6 external network for carrying IPv6 messages; this tunnel encapsulates the IPv6 message in an IPv4 message, and the addresses at its two ends are respectively the IPv4 address of the access router of the IPv6 external network and the IPv4 address of the external interface of the VPN gateway;
the IPsec protocol tunnel being an IPsec protocol tunnel that supports the Internet Key Exchange mobility and multihoming protocol (MOBIKE).
18. The system for implementing a mobile VPN in a hybrid network according to claim 17, wherein, in the IPv6 external network, said system further comprises:
DNS-ALG: configured as an IPv4 and IPv6 dual protocol stack, for providing the IPv6 address corresponding to the VPN gateway when VPN service is carried out through the IPv6 external network;
DNS in the IPv6 network: configured as an IPv4 and IPv6 dual protocol stack, with its upper-level DNS configured to be said DNS-ALG;
external access router: configured as an IPv4 and IPv6 dual protocol stack, for encapsulating IPv6 messages in IPv4 message headers and for de-encapsulating the corresponding messages.
19. The system for implementing a mobile VPN in a hybrid network as recited in claim 17, wherein, in the IPv6 external network, said system further comprises:
DNS-ALG: configured as an IPv4 and IPv6 dual protocol stack, for providing the IPv6 address corresponding to the VPN gateway;
DNS in the IPv6 network: with its upper-level DNS configured to be said DNS-ALG;
NAT-PT entity: for communicating with the external access router and performing the corresponding conversion between IPv6 addresses and IPv4 addresses on messages passing through it;
external access router: for sending the messages converted by the NAT-PT entity to the VPN gateway and receiving the messages sent by the VPN gateway.
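The following is an added example, not code from the patent or its assignees: it models the mobile node's decision after it obtains an IPv6 care-of address (claim 15 step e2 and claim 16) and the IPv6-in-IPv4 tunnel between the IPv6 access router and the VPN gateway (claim 17), with a gateway-side check that only well-formed protocol-41 packets addressed to its external interface are accepted. The `Network` stand-in, all addresses and the sample packet are constructed for illustration.

```python
"""Added example (not the patent's code): claim 15 e2 / claim 16 decision logic and the
claim 17 IPv6-in-IPv4 tunnel. Names, addresses and the simulated network are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class SecurityAssociation:          # IPsec SA endpoints; MOBIKE may move them
    local: str
    remote: str

@dataclass
class Network:                      # constructed stand-in for what the node observes
    dns_alg_answer: Optional[str]   # gateway IPv6 address via DNS-ALG, or None
    home_agent_acks: bool           # did the MIPv6 registration response arrive?

def handle_ipv6_coa(coa: str, sa: SecurityAssociation, net: Network) -> str:
    """Claim 16: a registration response wins; otherwise DNS success triggers MOBIKE."""
    if net.home_agent_acks:         # home agent inside the VPN answered
        return "inside-vpn"         # new CoA is used directly, no tunnel needed
    if net.dns_alg_answer is not None:
        sa.local, sa.remote = coa, net.dns_alg_answer  # MOBIKE: update SA endpoints
        return "ipv6-external"      # keep reaching VPN nodes through the tunnel
    return "unknown"                # neither succeeded: SA left untouched

def _ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header (0 means 'verifies')."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encap_ipv6_in_ipv4(ipv6_pkt: bytes, ar_v4: str, gw_v4: str) -> bytes:
    """Access-router side of claim 17: prepend an IPv4 header (protocol 41) whose
    endpoints are the router's and the gateway's external IPv4 addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), 0, 0, 64, 41, 0,
                      ipaddress.IPv4Address(ar_v4).packed, ipaddress.IPv4Address(gw_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt

def decap_ipv6_in_ipv4(pkt: bytes, gw_v4: str) -> Optional[bytes]:
    """Gateway side: accept only option-free protocol-41 IPv4 packets addressed to the
    gateway's external interface with a valid checksum; return the inner IPv6 packet."""
    if (len(pkt) < 20 or pkt[0] != 0x45 or pkt[9] != 41
            or _ipv4_checksum(pkt[:20]) != 0
            or pkt[16:20] != ipaddress.IPv4Address(gw_v4).packed):
        return None
    return pkt[20:]
```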
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2006100584520A CN101043411B (en) 2006-03-24 2006-03-24 Method and system for realizing mobile VPN service in hybrid network
PCT/CN2007/000446 WO2007109963A1 (en) 2006-03-24 2007-02-08 A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006100584520A CN101043411B (en) 2006-03-24 2006-03-24 Method and system for realizing mobile VPN service in hybrid network

Publications (2)

Publication Number Publication Date
CN101043411A CN101043411A (en) 2007-09-26
CN101043411B true CN101043411B (en) 2012-05-23

Family

ID=38540796

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006100584520A Expired - Fee Related CN101043411B (en) 2006-03-24 2006-03-24 Method and system for realizing mobile VPN service in hybrid network

Country Status (2)

Country Link
CN (1) CN101043411B (en)
WO (1) WO2007109963A1 (en)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4623177B2 (en) * 2008-09-17 2011-02-02 富士ゼロックス株式会社 Information processing system
CN101399838B (en) * 2008-10-29 2012-01-25 成都市华为赛门铁克科技有限公司 Method, apparatus and system for processing packet
CN102104634B (en) * 2009-12-17 2013-08-07 华为技术有限公司 Method for communicating between LISP site and non-LISP site and apparatus and system thereof
US10079917B2 (en) 2010-04-26 2018-09-18 Nokia Technologies Oy Method and apparatus for synthesized address detection
CN102347993B (en) * 2010-07-28 2014-03-26 中国移动通信集团公司 Network communication method and equipment
CN102469063B (en) * 2010-11-03 2016-03-30 中兴通讯股份有限公司 Routing protocol security alliance management method, Apparatus and system
CN102469449B (en) * 2010-11-15 2016-03-30 上海贝尔股份有限公司 Routing optimization method in an IPv6 low-consumption wireless territory net
CN103314561A (en) * 2010-12-11 2013-09-18 惠普发展公司,有限责任合伙企业 Computer network node discovery
WO2013034100A2 (en) * 2011-09-08 2013-03-14 北京智慧风云科技有限公司 Communications system and method for terminals based on different network protocols
CN103001844A (en) * 2011-09-09 2013-03-27 华耀(中国)科技有限公司 IPv6 (internet protocol version 6) network system and data transmission method thereof
CN102904814B (en) * 2012-10-19 2015-09-16 福建星网锐捷网络有限公司 Data transmission method, source PE, object PE and data transmission system
CN104348821B (en) * 2013-08-08 2018-04-27 联想(北京)有限公司 Manage the method, apparatus and system of IPv4/IPv6 business
CN103475646A (en) * 2013-08-23 2013-12-25 天津汉柏汉安信息技术有限公司 Method for preventing hostile ESP (electronic stability program) message attack
CN105681249B (en) * 2014-11-17 2019-09-13 中国移动通信集团公司 A kind of Network Access Method and link switch equipment
CN104601577A (en) * 2015-01-16 2015-05-06 网神信息技术(北京)股份有限公司 VPN switching protocol based method and device
CN105025004B (en) * 2015-07-16 2018-01-02 东南大学 A kind of double stack IPSec VPN devices
CN105530159B (en) * 2016-01-19 2018-12-18 武汉烽火网络有限责任公司 A kind of method and system realizing the VPN across IPv6 and IPv4 and exchanging visits
CN109067933B (en) * 2018-07-25 2021-12-24 赛尔网络有限公司 Tunnel-based IPv4 and IPv6 network communication system and method
CN108986440B (en) * 2018-09-27 2020-07-17 深圳友讯达科技股份有限公司 Multi-network fusion meter reading system and address allocation method of meter reading system
CN110086702B (en) * 2019-04-04 2021-09-21 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and machine-readable storage medium
CN112437467A (en) * 2020-10-23 2021-03-02 中国人民解放军61062部队 Ad hoc network tunnel communication method without home agent
CN113438108B (en) * 2021-06-22 2022-11-29 京信网络系统股份有限公司 Communication acceleration method, device, base station and computer readable storage medium
CN115567484A (en) * 2021-06-30 2023-01-03 中国电信股份有限公司 Data forwarding method, network side edge router and network system
CN115296988B (en) * 2022-10-09 2023-03-21 中国电子科技集团公司第三十研究所 Method for realizing IPSec gateway dynamic networking
CN116107229A (en) * 2023-03-02 2023-05-12 常熟理工学院 ZigBee-based intelligent home monitoring method, system and remote terminal for Internet of things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1376351A (en) * 1999-09-24 2002-10-23 英国电讯有限公司 Packet network interfacing
WO2004082192A2 (en) * 2003-03-10 2004-09-23 Cisco Technology, Inc ARRANGEMENT FOR TRAVERSING AN IPv4 NETWORK BY IPv6 MOBILE ROUTERS
CN1710877A (en) * 2004-06-16 2005-12-21 华为技术有限公司 System and method for realizing virtual special network of hybrid backbond network of hybrid station
CN1711739A (en) * 2002-11-13 2005-12-21 汤姆森许可贸易公司 Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005086256A (en) * 2003-09-04 2005-03-31 Kddi Corp Tunnel gateway apparatus
CN100413289C (en) * 2005-11-25 2008-08-20 清华大学 Method for realizing IPv6 high performance interconnection based on P2P on IPv4

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1376351A (en) * 1999-09-24 2002-10-23 英国电讯有限公司 Packet network interfacing
CN1711739A (en) * 2002-11-13 2005-12-21 汤姆森许可贸易公司 Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism
WO2004082192A2 (en) * 2003-03-10 2004-09-23 Cisco Technology, Inc ARRANGEMENT FOR TRAVERSING AN IPv4 NETWORK BY IPv6 MOBILE ROUTERS
CN1710877A (en) * 2004-06-16 2005-12-21 华为技术有限公司 System and method for realizing virtual special network of hybrid backbond network of hybrid station

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JP特开2005-86256A 2005.05.31

Also Published As

Publication number Publication date
WO2007109963A1 (en) 2007-10-04
CN101043411A (en) 2007-09-26

Similar Documents

Publication Publication Date Title
CN101043411B (en) Method and system for realizing mobile VPN service in hybrid network
EP2466985B1 (en) Network based on identity identifier and location separation
US7453887B2 (en) Arrangement for traversing an IPv4 network by IPv6 mobile nodes
US7149225B2 (en) Arrangement for traversing an IPv4 network by IPv6 mobile nodes via a mobility anchor point
JP5335886B2 (en) Method and apparatus for communicating data packets between local networks
JP4527721B2 (en) Apparatus and method for improving remote LAN connectivity using tunneling
US7940769B2 (en) Maintaining secrecy of assigned unique local addresses for IPV6 nodes within a prescribed site during access of a wide area network
EP1139632B1 (en) Method for packet communication with mobile node
US7031328B2 (en) Arrangement for traversing an IPv4 network by IPv6 mobile routers
US7162529B2 (en) System using mobile proxy for intercepting mobile IP message and performing protocol translation to support multiple communication protocols between mobile networks
KR101785760B1 (en) Method and network element for enhancing ds-lite with private ipv4 reachability
US7453850B2 (en) Apparatus, and associated method, for facilitating bi-directional routing of data in a packet radio communication system
US20030193952A1 (en) Mobile node handoff methods and apparatus
US20080039079A1 (en) Roaming in a Communications Network
EP1618709A2 (en) Mobile ethernet
AU2004209863A1 (en) Methods and apparatus for supporting an internet protocol (IP) version independent mobility management system
KR20040063830A (en) Mobile communication system and method capable of allowing shortest communications path
Nam et al. An identifier locator separation protocol for the shared prefix model over IEEE WAVE IPv6 networks
Nguyen et al. State of the art of mobility protocols

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120523

Termination date: 20160324