CN101521621A - Method for realizing secure communication of any two ends of the internet in DMVPN - Google Patents
Method for realizing secure communication of any two ends of the internet in DMVPN Download PDFInfo
- Publication number
- CN101521621A CN101521621A CN200810034127A CN200810034127A CN101521621A CN 101521621 A CN101521621 A CN 101521621A CN 200810034127 A CN200810034127 A CN 200810034127A CN 200810034127 A CN200810034127 A CN 200810034127A CN 101521621 A CN101521621 A CN 101521621A
- Authority
- CN
- China
- Prior art keywords
- spoke
- configuration
- address
- dmvpn
- communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for realizing secure communication of any two ends of the internet in DMVPN by applying a flow segmentation technique. The method utilizes the DMVPN to construct a topological network which adopts mGRE technology communication equipment at the center and parts and takes star-shaped structure as primary and network-shaped structure as supplement; the network ensures the communication security by setting IPSEC; an NHRP protocol is utilized to lead the parts to communicate mutually and directly; and the NHRP protocol is extended and the extension header in the NHRP protocol is used for completing flow segmentation. In the practical application, the invention can provide that enterprises can realize secure communication of all end points in the internet with low price, thus replacing the original two-layer access with expensive cost (such as ISDN and the like), and solving the high rentals or complex network configuration maintenance in the original application.
Description
Technical field:
The present invention relates to network security and data communication technology field, particularly a kind of method at the middle application traffic cutting techniques realization of DMVPN (Dynamic Multipoint VPN, dynamically multiple spot Virtual Private Network) the Internet secure communication of any two ends.
Background technology:
At present, for the enterprise that some corporate HQs, branch, office are dispersed in various places, they need a kind of safe network interconnectedly to make any point-to-point transmission all can communicate by letter it.Initial solution is to rent two layers of cut-in method of some costlinesses (as ISDN etc.).But picture is comparatively speaking, a kind of cheap more, communication mode is to use Internet to insert and encrypts by IPSEC and guarantees fail safe flexibly.
IPSEC (Security Architecture for IP network) is point-to-point encryption tunnel.General headquarters and the branch network of the encryption tunnel composition of point-to-point arbitrarily are a kind of network structures.Main in actual applications communication flows concentrates on communicating by letter of branch (spoke) and center (hub), and such network configuration becomes Star Network (hub-to-spoke).But do not get rid of communicate by letter (spoke-to-spoke) between branch and branch yet.So what adopt in the actual network design is star-like network, also can be used as a transfer by the center if will communicate by letter between branch.
In the use of reality, there are many unfavorable factors iff the encryption tunnel that uses IPSEC.Because what use is that IPSEC encrypts, and deciphers encrypted process again so the encrypted packet of communicating by letter between branch experiences one again when transmitting by the center, has increased extra burden for central server like this.Central server will all be set up a tunnel with each branch simultaneously, use GRE will set up a plurality of communication port like this, and these communication port have use is identical cryptographic algorithm, so cause central server no matter still to safeguard very loaded down with trivial details in configuration.
Need a kind of solution more efficiently to be used to solve following several problems like this:
1. central server will be easy to safeguard.Because the cipher mode in each tunnel etc. are all the same, consider to use a kind of tunnel of point-to-multipoint.Configuration is gone up so only needs communication port of configuration get final product, simultaneously the unified cryptographic algorithm of use in the communicating by letter of this port and every other point.This can solve by mGRE.
2. for the communicating by letter of branch and center, branch only need know that the address at center gets final product.And the communication between branch can consider to walk around the server direct communication in order to alleviate the burden of central server as far as possible.Can send the address that inquiry obtains opposite end branch to central server, can directly communicate by letter subsequently with opposite end branch.This can be resolved by using NHRP agreement (next node Routing Protocol).
3., then to consider the problem that flow is cut apart if bigger flow need bear in certain branch.
Summary of the invention:
In view of above-mentioned application demand and existing in prior technology technology limitation, the purpose of this invention is to provide a kind of in DMVPN the application traffic cutting techniques realize the method for the Internet secure communication of any two ends.This technical scheme can provide enterprise to realize secure communication between each end points in actual applications in the Internet of cheapness.Thereby replace two layers of access (as ISDN etc.) of original cost costliness, solve great number rent in original application the or complicated network configuration and safeguard.
Realize the correlation technique that the invention described above method is related and act on as follows:
1.mGRE technology: the technology that proposes mGRE on existing point-to-point GRE technical foundation is a kind of technology of point-to-multipoint.The GRE of relative single-point, mGRE need not to know the address of opposite end, needs to use the NHRP agreement to come the address of dynamic obtaining communication opposite end in the actual communication.The same mGRE with GRE also is used to set up two tunnels between communication end point simultaneously.
2.NHRP technology:, need when communication, be determined to the address of the end and which node communication and opposite end because the opposite end of mGRE is a plurality of nodes.So the present invention uses the NHRP agreement to realize this function.
3.IPSEC technology: the fail safe of IPSEC principal security when communication.
Utilize the formed flow cutting techniques among the DMVPN that is combined in of above-mentioned three kinds of major techniques,, enterprise is realized between general headquarters and each branch, the secure communication of point-to-point transmission arbitrarily by DMVPN by following communication mechanism described in the invention.
Utilize among the present invention program DMVPN in the Internet, make up one by center and branch adopt all that mGRE technical communication equipment set up based on hub-and-spoke configuration, network structure is the topological network of assisting; By being set, IPSEC ensures communication safety in this network; Utilize the NHRP agreement to make direct communication mutually between branch; And expansion NHRP agreement is utilized the extension header in the NHRP agreement, finishes flow and cuts apart.
(referring to Fig. 1) is as follows for concrete steps:
Communicate by letter (hub-to-spoke) between center and branch:
(1) all spoke use NHRP protocol encapsulation message to send the binding information of native protocol address and nbma address to hub.
Also in the extension of NHRP header, add inbound traffics partitioning algorithm and relevant information when (2) needing node processing that flow cuts apart to send the binding information of address.
(3) hub receives these information and is kept in the local cache.
Communicate by letter (spoke-to-spoke) between branch and branch:
(1) spoke sends the protocol address information address of opposite end sopke earlier to hub.Hub searches buffer memory, and (i.e. the buffer memory of cutting apart for no flow returns after directly finding and gets final product to select suitable buffer memory.Need find all available buffer memorys for the buffer memory that has flow to cut apart, require to select one at computation system more and return to spoke) back returns to spoke to the nbma address of protocol address correspondence.
(2) spoke just can directly communicate by letter with opposite end spoke according to the nbma address of receiving.While is this information of buffer memory also, and when communicating by letter with this spoke, it is just passable directly to look into local cache later on.
(3) above-mentioned all buffer memorys all have necessarily overtime, overtime back deletion.
In addition, the flow cutting techniques of the related DMVPN of the inventive method is the improvement on the basis of DMVPN.When if certain node need bear bigger flow, can share flow at this node increase equipment.In central apparatus (server), coordinate simultaneously the data flow of other each nodes and this node, so that by determining that suitable data flows to the data flow coordination system that forms between a kind of coordinating communication two ends according to specific algorithm (as poll, based on the selection of weight etc.).
Beneficial effect in the foregoing invention is:
1. use mGRE to simplify the configuration of central server.Need not to every day the tunnel the cipher mode etc. of communication be configured.Simultaneously can center of reduction equipment safeguard (as changing cryptographic algorithm etc. simply).
2. use the NHRP agreement, make communicating by letter between spoke and spoke need not transfer by hub.Alleviated on the one hand the burden of hub, on the other hand the time delay that may reduce to communicate by letter between spoke (as two spoke in same city, if by the hub transfer could increase time delay).
3. expand the NHRP agreement, use the flow cutting techniques of DMVPN only need increase equipment, need not to change the central server configuration, just can finish flow and cut apart, improve the flow of handling up, can alleviate the burden of the spoke of certain high load capacity simultaneously at the high load capacity end.
Description of drawings:
Further specify the present invention below in conjunction with the drawings and specific embodiments.
Fig. 1 is the flow chart of technical solution of the present invention.
Fig. 2 is the network topology structure figure of the present invention in concrete administration step.
Fig. 3 is the present invention's configuration hub node flow chart in concrete administration step.
Fig. 4 is the flow chart of the present invention configuration spoke in concrete administration step.
Embodiment:
For technological means, creation characteristic that the present invention is realized, reach purpose and effect is easy to understand, below in conjunction with concrete diagram and illustrative example, further set forth the present invention.
As shown in Figure 2, this figure is one of described network topology structure of the inventive method.Process common in actual the setting is as follows:
A. set up the suitable network topology.If there is the bigger spoke point place of duty ratio can increase equipment to alleviate the burden of spoke.
B. dispose hub node (referring to Fig. 3).Dispose a tunnel interface and in interface, use the pattern of mGRE.IPSEC relevant configuration (profile name, the transform-set of use etc.) is applied in the profile name encipherment protection that is used in the tunnel port this tunnel simultaneously.(configuration multicast dynamic is mainly used in when sending multicast message to the spoke of all registrations transmission the NHRP relevant configuration.Multicast message generally is the message of dynamic routing protocol, is used to obtain the protocol address of next jumping spoke when arriving destination address).The configuration dynamic routing protocol makes the next hop address (protocol address) of obtaining the other side between spoke
C. dispose spoke (referring to Fig. 4).Dispose a tunnel interface and in interface, use the pattern of mGRE.IPSEC relevant configuration (profile name, the transform-set of use etc.) is applied in the profile name encipherment protection that is used in the tunnel port this tunnel simultaneously.Configuration NHRP (the protocol address of configuration center server, and the binding information of protocol address and nbma address, spoke can be sent to correct central server with the log-on message of itself like this), flow is cut apart and also need add weight information (supporting the algorithm based on weight at present) after address binding information if desired.The configuration dynamic routing protocol makes the next hop address (protocol address) of obtaining the other side between spoke.
According to above-mentioned setting up procedure,, demonstrate collective's realization configuration operation that DMVPN of the present invention and flow are cut apart below by the embodiment program of enumerating according to compiling that inventive concept is provided with:
The configuration of A.hub end:
1.IPSEC configuration:
crypto?isakmp?policy?1
authentication?pre-share
crypto?isakmp?key?bdcom99?address?0.0.0.0
crypto?ipsec?transform-set?trans2?esp-des?esp-md5-hmac
mode?transport
crypto?ipsec?profile?vpnprof
set?transform-set?trans2
2.Tunnel, mGRE, NHRP the configuration
interface?Tunne10
ip?address?10.0.0.1?255.255.255.0
ip?nhrp?map?multicast?dynamic
ip?nhrp?network-id?99
ip?nhrp?holdtime?300
no?ip?split-horizon?eigrp?1
tunnel?source?Ethernet0
tunnel?mode?gre?multipoint
tunnel?protection?ipsec?profile?vpnprof
3. dynamic routing configuration
router?eigrp?1
network?10.0.0.0?255.255.255.0
network?192.168.0.0?255.255.255.0
The configuration of B.spoke
1.IPSEC configuration:
crypto?isakmp?policy?1
authentication?pre-share
crypto?isakmp?key?bdcom99?address?0.0.0.0
crypto?ipsec?transform-set?trans2?esp-des?esp-md5-hmac
mode?transport
crypto?ipsec?profile?vpnprof
set?transform-set?trans2
2.Tunnel, mGRE, NHRP the configuration
interface?Tunne10
ip?address?10.0.0.2?255.255.255.0
ip?nhrp?map?10.0.0.1?172.17.0.1?load-balance?weight?1
ip?nhrp?map?multicast?172.17.0.1
ip?nhrp?network-id?99
ip?nhrp?holdtime?300
ip?nhrp?nhs?10.0.0.1
tunnel?source?Ethernet0
tunnel?mode?gre?multipoint
tunnel?protection?ipsec?profile?vpnprof
3. dynamic routing configuration
router?eigrp?1
network?10.0.0.0?255.255.255.0
network?192.168.0.0?255.255.255.0
Above-mentioned parameter is provided as one of realization means, is not unique as an illustration with reference to its form and parameter.
More than show and described basic principle of the present invention and principal character and advantage of the present invention.The technical staff of the industry should understand; the present invention is not restricted to the described embodiments; that describes in the foregoing description and the specification just illustrates principle of the present invention; without departing from the spirit and scope of the present invention; the present invention also has various changes and modifications, and these changes and improvements all fall in the claimed scope of the invention.The claimed scope of the present invention is defined by appending claims and equivalent thereof.
Claims (7)
1, in DMVPN, realize the method for the Internet secure communication of any two ends, this method utilize DMVPN in the Internet, make up one by center and branch adopt all that mGRE technical communication equipment set up based on hub-and-spoke configuration, network structure is the topological network of assisting; By being set, IPSEC ensures communication safety in this network; Utilize the NHRP agreement to make direct communication mutually between branch; And expansion NHRP agreement is utilized the extension header in the NHRP agreement, finishes flow and cuts apart;
It is characterized in that: comprise following concrete steps:
A. the communication steps between center and branch:
(1) all spoke use NHRP protocol encapsulation message to send the binding information of native protocol address and nbma address to hub;
Also in the extension of NHRP header, add inbound traffics partitioning algorithm and relevant information when (2) needing node processing that flow cuts apart to send the binding information of address;
(3) hub receives these information and is kept in the local cache;
B. the communication steps between branch and branch:
(1) spoke sends the protocol address information address of opposite end sopke earlier to hub; Hub searches buffer memory, selects behind the suitable buffer memory nbma address of protocol address correspondence to be returned to spoke;
(2) spoke just can directly communicate by letter with opposite end spoke according to the nbma address of receiving; While is this information of buffer memory also, and when communicating by letter with this spoke, it is just passable directly to look into local cache later on;
(3) above-mentioned all buffer memorys all have necessarily overtime, overtime back deletion.
2, according to the method that realizes the Internet secure communication of any two ends in DMVPN of claim 1, it is characterized in that: hub for the buffer memory that no flow is cut apart, returns after directly finding and gets final product when searching buffer memory in the communication steps between described branch and branch; Need find all available buffer memorys for the buffer memory that has flow to cut apart, require to select one at computation system more and return to spoke.
3, according to the method that in DMVPN, realizes the Internet secure communication of any two ends of claim 1, it is characterized in that: the flow cutting techniques of related DMVPN can be shared flow at this node increase equipment in the described method when certain node need bear bigger flow.In central apparatus, coordinate the data flow of other each nodes and this node simultaneously, so that by determining that suitable data flows to the data flow coordination system that forms between a kind of coordinating communication two ends according to specific algorithm.
4, according to the method that realizes the Internet secure communication of any two ends in DMVPN of claim 3, it is characterized in that: described specific algorithm can be poll, based on multiple algorithms such as weights.
5, according to the method that in DMVPN, realizes the Internet secure communication of any two ends of claim 1, it is characterized in that: if there is the bigger spoke point place of duty ratio can increase equipment to alleviate the burden of spoke in the communication.
6, according to the method that realizes the Internet secure communication of any two ends in DMVPN of claim 1, it is characterized in that: the process of configuration hub node is as follows:
A) tunnel interface of configuration and in interface, use the pattern of mGRE;
B) IPSEC relevant configuration: as the profile name is set, the transform-set of use etc. are applied in the profile name encipherment protection that is used in the tunnel port this tunnel simultaneously;
C) NHRP relevant configuration: configuration multicast dynamic is mainly used in when sending multicast message to the spoke of all registrations transmission;
D) the configuration dynamic routing protocol makes the next hop address of obtaining the other side between spoke.
7, according to the method that realizes the Internet secure communication of any two ends in DMVPN of claim 1, it is characterized in that: the process of configuration spoke is as follows:
A) tunnel interface of configuration and in interface, use the pattern of mGRE;
B) IPSEC relevant configuration: as the profile name is set, the transform-set of use etc. are applied in the profile name encipherment protection that is used in the tunnel port this tunnel simultaneously;
C) configuration NHRP: the protocol address of configuration center server, and the binding information of protocol address and nbma address, spoke can be sent to correct central server with the log-on message of itself like this,
Flow is cut apart also and need be added weight information after address binding information if desired;
D) the configuration dynamic routing protocol makes the next hop address of obtaining the other side between spoke.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810034127XA CN101521621B (en) | 2008-02-29 | 2008-02-29 | Method for realizing secure communication of any two ends of the internet in DMVPN |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810034127XA CN101521621B (en) | 2008-02-29 | 2008-02-29 | Method for realizing secure communication of any two ends of the internet in DMVPN |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101521621A true CN101521621A (en) | 2009-09-02 |
| CN101521621B CN101521621B (en) | 2012-12-12 |
Family
ID=41082003
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200810034127XA Expired - Fee Related CN101521621B (en) | 2008-02-29 | 2008-02-29 | Method for realizing secure communication of any two ends of the internet in DMVPN |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101521621B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105119795A (en) * | 2015-07-14 | 2015-12-02 | 中国联合网络通信集团有限公司 | Establishment method and device of multicast tunnel |
| CN109923838A (en) * | 2017-05-22 | 2019-06-21 | 华为技术有限公司 | Bridge the elastic VPN of long-range isolated island |
| CN111726289A (en) * | 2019-12-02 | 2020-09-29 | 北京天御云安科技有限公司 | Multi-stage HUB node mode interconnection and intercommunication routing method based on DMVPN framework |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1791099A (en) * | 2004-12-16 | 2006-06-21 | 北京三星通信技术研究有限公司 | Method for producing IPv6 profiles |
| CN1992599A (en) * | 2005-12-30 | 2007-07-04 | 英业达股份有限公司 | Data receiving system and method |
| CN100477643C (en) * | 2006-09-22 | 2009-04-08 | 中国科学院计算技术研究所 | Method for realizing data packet catching based on sharing internal memory |
-
2008
- 2008-02-29 CN CN200810034127XA patent/CN101521621B/en not_active Expired - Fee Related
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105119795A (en) * | 2015-07-14 | 2015-12-02 | 中国联合网络通信集团有限公司 | Establishment method and device of multicast tunnel |
| CN105119795B (en) * | 2015-07-14 | 2019-04-30 | 中国联合网络通信集团有限公司 | A kind of method for building up and device of Multicast Tunnel |
| CN109923838A (en) * | 2017-05-22 | 2019-06-21 | 华为技术有限公司 | Bridge the elastic VPN of long-range isolated island |
| CN109923838B (en) * | 2017-05-22 | 2021-01-05 | 华为技术有限公司 | Resilient VPN bridging remote islands |
| US10938599B2 (en) | 2017-05-22 | 2021-03-02 | Futurewei Technologies, Inc. | Elastic VPN that bridges remote islands |
| US11792045B2 (en) | 2017-05-22 | 2023-10-17 | Futurewei Technologies, Inc. | Elastic VPN that bridges remote islands |
| CN111726289A (en) * | 2019-12-02 | 2020-09-29 | 北京天御云安科技有限公司 | Multi-stage HUB node mode interconnection and intercommunication routing method based on DMVPN framework |
| CN111726289B (en) * | 2019-12-02 | 2024-01-30 | 北京天御云安科技有限公司 | Multistage HUB node mode interconnection routing method based on DMVPN architecture |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101521621B (en) | 2012-12-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109995510B (en) | Quantum key relay service method | |
| CN104272674B (en) | Multiple tunnel VPN | |
| US20190334813A1 (en) | Determining routing decisions in a software-defined wide area network overlay | |
| US9237091B2 (en) | System and method of load balancing for ethernet link aggregation | |
| CN202206418U (en) | Traffic management device, system and processor | |
| CN101222406B (en) | Method for application level content routing in virtual private network (VPN) using dual-proxy method | |
| CN102801695B (en) | Virtual private network (VPN) communication equipment and data pack transmission method thereof | |
| US6718387B1 (en) | Reallocating address spaces of a plurality of servers using a load balancing policy and a multicast channel | |
| CN101252509B (en) | Application of dual-NAT method in packet data processing and routing of dynamic virtual private network (VPN) | |
| US6701437B1 (en) | Method and apparatus for processing communications in a virtual private network | |
| CN103685467B (en) | A kind of Internet of Things interconnects platform and its communication means | |
| CN101379755B (en) | Digital object title authentication | |
| CN110290093A (en) | The SD-WAN network architecture and network-building method, message forwarding method | |
| CN107948086A (en) | A kind of data packet sending method, device and mixed cloud network system | |
| US20090034738A1 (en) | Method and apparatus for securing layer 2 networks | |
| CN101599901A (en) | The method of remotely accessing MPLS VPN, system and gateway | |
| CN103795630B (en) | The message transmitting method and device of a kind of label exchange network | |
| CN101355505A (en) | Method, apparatus and system for forwarding packet | |
| CN101572643A (en) | Method and system for realizing data transmission among private networks | |
| CN111612466A (en) | Consensus and resource transmission method, device and storage medium | |
| US20140301396A1 (en) | Method for constructing virtual private network, method for packet forwarding, and gateway apparatus using the methods | |
| Davoli et al. | An anonymization protocol for the internet of things | |
| CN1697408B (en) | Method for managing routes in virtual private network based on IPv6 | |
| CN102437966A (en) | Layer-3 switching system and method based on layer-2 DHCP (Dynamic Host Configuration Protocol) SNOOPING | |
| US9794174B2 (en) | Fast path content delivery over metro access networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20121212 Termination date: 20210228 |