CN101599964A - User-controlled L1 OVPN access method based on port information table (PIT) configuration - Google Patents


Info

Publication number: CN101599964A
Authority: CN (China)
Application number: CNA2009100597539A
Legal status: Pending
Original language: Chinese (zh)
Inventors: 彭云峰, 隆克平, 江坤俊
Assignee (original and current): University of Electronic Science and Technology of China
Classification: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a user-controlled L1 OVPN access method based on port information table (PIT) configuration. The steps are as follows. (1) The user configures the PIT directly and in real time through signaling between the PE and the CE: the user sends a PIT configuration request to the OVPN service provider by some signaling or encrypted form; the request is authenticated by the provider's network charging system or another identity authentication system, and once authorization from the VPN's user-side access control system has been obtained, the service provider configures the PIT on the PE connected to that user according to the request. (2) When the user needs a real logical channel, it sends an "establish OVPN logical channel" request in real time to the network service provider and sets up the VPN link on demand through the User Network Interface. With this method the user can complete, directly through signaling, on demand and in real time, the whole sequence of operations from configuring the PIT to finally establishing the OVPN logical link, and can dynamically join or leave an OVPN through signaling.

Description

User-controlled L1 OVPN access method based on port information table (PIT) configuration
Technical field
The present invention relates to the field of communication technology, and specifically to an L1 OVPN dynamic access method for a user-controllable network.
Background art
A Virtual Private Network (VPN) is a logically dedicated data channel built on shared public network resources and equipment. To the VPN user it behaves like a traditional leased-line network, and the privacy and security of the user's data are guaranteed. Traditional VPN technologies (mapped to the OSI seven-layer model) include layer-2 tunneling such as PPTP (RFC 2637), layer-3 tunneling such as IPsec and GRE (RFC 2784), MPLS between layers 2 and 3, and higher-layer technologies such as SSL. With the development of optical networks and the Automatically Switched Optical Network (ASON), the Optical VPN (OVPN) has attracted increasing attention from service providers and users; it differs from traditional VPNs in that its transport plane and control plane are separated. Within the scope of current technology, the OVPN offered to the user is physically an optical fiber, an optical wavelength or an optical port, and is therefore also commonly called an L1 VPN.
Fig. 1 shows the structure of an existing OVPN. The CE (Customer Edge) device is the boundary device of the user network; it can be a router or another device and need not be VPN-aware. The PE (Provider Edge) is the provider's edge device; it must be VPN-aware and must support protocols such as GMPLS, and is typically an optical cross-connect (OXC) or SONET/SDH equipment. P (Provider) devices are the service provider's core equipment; they must also support GMPLS, keep no VPN routing information, are responsible only for forwarding traffic within the network, and are usually also OXC or SONET/SDH equipment.
RFC 5251 proposes a basic L1 OVPN model. This model is port-based: each port on a PE can be associated with at most one VPN. GMPLS RSVP-TE is used as the signaling mechanism both between CE and PE and between PEs. Each link between a CE and a PE is uniquely identified within its VPN by the port addresses at its two ends. RFC 5251 specifies these two port addresses as follows:
1. The CE-side port address (CPI, Customer Port Identifier) is unique within the VPN. It belongs to the user-side address space, and such addresses may partly or fully overlap between different VPNs.
2. The PE-side port address (PPI, Provider Port Identifier) must be unique within the carrier network. It belongs to the carrier-side address space.
3. Besides its PPI, a PE port also has a user-side address, which must be unique within the VPN; it is called the VPN-PPI (VPN Provider Port Identifier).
4. PPIs are assigned by the operator; CPIs and VPN-PPIs are assigned by the OVPN manager, which may be the operator itself, a third party that has an agreement with the operator, or the user. The CE understands only user-side addresses (CPI and VPN-PPI) and cannot understand or see carrier-side addresses (PPI). Every port address may take the form of an IPv4 address, an IPv6 address, or <port index, device IPv4 or IPv6 address>, subject to the restrictions detailed in RFC 5251.
RFC 5251 also requires that, for each VPN user, an IP control channel bound to that VPN be configured between the CE and the PE for carrying OVPN user control information. The port address associated with this IP channel at the CE end is called CE-CC-Addr, and at the PE end PE-CC-Addr. CE-CC-Addr and PE-CC-Addr are unique within their VPN and are assigned by the OVPN manager.
RFC 5251 also mentions a Port Information Table (PIT), which stores the <CPI, PPI> mapping between the OVPN user's port address CPI and the PE port address PPI. When a user joins an OVPN, the operator configures a PIT entry for that user on the PE the user is connected to and synchronises the PIT on the other PEs through the auto-discovery mechanism. Once the operator has configured the PIT, the user can ask the operator to establish or tear down OVPN links to the other members of that OVPN. In the RFC 5251 basic model, however, the PIT cannot be configured through signaling between CE and PE; it is configured by the service provider, so the user cannot control the purchase of L1 VPN resources itself. The present invention is designed so that the user can control its L1 VPN on demand and in real time.
Summary of the invention
The problem solved by the invention is how to provide a user-controlled L1 OVPN access method based on port information table (PIT) configuration that lets the user configure the PIT directly through signaling, on demand and in real time, establish an OVPN, and dynamically join and leave an OVPN.
The technical problem is solved as follows: a user-controlled L1 OVPN access method based on port information table (PIT) configuration is provided, characterised by the following steps:
1. The user configures the PIT directly and in real time through signaling between the PE and the CE:
The user sends a PIT configuration request to the OVPN service provider by some signaling or encrypted form. The request is authenticated by the provider's network charging system or another identity authentication system; once authorization from the VPN's user-side access control system has been obtained, the service provider configures the PIT on the PE connected to that user according to the request.
2. When the user needs a real logical channel, it sends an "establish OVPN logical channel" request in real time to the network service provider and sets up the VPN link on demand through the User Network Interface.
According to the method provided by the invention, when establishing the logical channel, the operator is required to select, between each PE and the CE connected to it, one link as the public IP control channel between that CE and PE, and to announce its PE-CC-Addr to the CE; this address is called Public-PE-CC-Addr. Public-CE-CC-Addr and Public-PE-CC-Addr are required to be unique on the given PE and CE; even for other PEs and CEs belonging to the same OVPN, this public IP channel address can be fully reused. This public IP control channel is limited to carrying the requests and replies related to PIT configuration, namely "establish new OVPN request", "join new OVPN request", "join OVPN failure announcement", "join OVPN success announcement", "complete deletion success announcement", "complete deletion failure announcement", "OVPN failure notification" and "VPN-ID announcement". It cannot carry OVPN control requests (such as establish OVPN connection request, remove OVPN connection request, increase bandwidth request, etc.) or the OVPN complete-deletion request; such requests must be transmitted over the OVPN control channel bound to the VPN-ID.
According to the method provided by the invention, configuring the PIT in step 1 covers the following three cases:
A. Establishing a new OVPN:
A client software is configured on the customer edge device (CE). Using signaling, the user's OVPN request information and the user's CID information are sent over the public IP control channel between the CE and the PE to the provider edge device (PE) adjacent to this CE (hereinafter this PE is called the source PE, this user the source user and this CE the source CE). The OVPN request information contains the bandwidth request, the announcement of the user-side access control policy implementation mode, the user-side access control interface address, the CID and similar information, but no destination address. After the request has been authenticated by the service provider, the PE returns to this OVPN user a VPN-ID with a validity period (or a virtual number, whose uniqueness within the service provider network must be guaranteed). At the same time the service provider configures the port information table (PIT) for this CE on this PE, and this PE announces the OVPN information (including the VPN-ID, the bandwidth, the source PE's service provider network address and the user-side access control policy implementation mode) to all other PEs via BGP or another protocol. All PEs build a temporary database for such OVPN information (Temp OVPN Table, abbreviated T-OVPN-T); each record in the T-OVPN-T contains four items: 1) VPN-ID, 2) bandwidth, 3) user-side access control policy implementation mode, 4) the service-provider-side network address of the source PE associated with this OVPN. The T-OVPN-T is built so that newcomers can identify and join this OVPN from any PE.
Within the validity period specified for the VPN-ID, if at least one new user joins the OVPN, the VPN-ID becomes permanent. Otherwise the source PE sends a "timeout announcement" to the other PEs, and each PE that receives it deletes the T-OVPN-T information associated with this OVPN; at the same time the source PE sends an "OVPN failure notification" to the source CE and then deletes the PIT configuration associated with this OVPN.
B. A user joins an existing OVPN:
When a user intends to join an existing OVPN, it must obtain the VPN-ID and a client software by some means outside the OVPN. The VPN-ID works like a telephone number in real life: any user authenticated by the service provider can request to join the OVPN using this ID, and as long as the user has obtained access permission from the OVPN's user-side access control, the service provider configures the PIT for the user on its adjacent PE. The client software recognises the user-side access control policy implementation mode and encapsulates the user's request in the form required by that mode.
C. A user completely deletes or leaves an OVPN:
I. When the user is not the source user, its physical or virtual connections (such as label switched paths) associated with the OVPN are removed first, and then the PIT configuration information on the PE it is connected to is deleted.
The concrete steps are: the user sends a complete-deletion request through the CE. After receiving it, the PE checks whether any virtual connection or physical link for this user exists. If so, the PE initiates an OVPN removal request, removes the virtual or physical link, and then deletes the PIT configuration information associated with this user and this OVPN; if not, it directly deletes that PIT configuration information. It then triggers the auto-discovery process to synchronise the PIT configuration associated with this OVPN on the other PEs.
II. When the user is the source user, the OVPN is required to have no members other than the source user before it can be deleted.
The concrete steps are: the source user sends a complete-deletion request for the OVPN. After receiving it, the source PE queries the OVPN membership table and forcibly sends to all users of this OVPN requests to completely remove all physical or logical connections (label switched paths) associated with the OVPN. These requests do not need the users' agreement; the users only need to be notified that the OVPN is being deleted. In essence the source PE initiates the complete-deletion request on behalf of all CEs. The source PE then sends an OVPN "timeout announcement" to all other PEs, which delete all information associated with the OVPN from their T-OVPN-T; finally the source PE deletes its local PIT configuration and the other information associated with the OVPN and sends the user a "complete deletion success announcement".
According to the method provided by the invention, the concrete steps for a user to join an existing OVPN are as follows:
1. The user obtains the VPN-ID and the client software;
2. The user sends a request to join the OVPN to the network service provider, with this VPN-ID as the parameter;
3. The PE connected to the user receives the request and, after authentication by the charging system and the like, looks up the OVPN's bandwidth and user-side access control policy implementation mode in the T-OVPN-T. It first checks whether a data link satisfying this bandwidth exists between the CE and the PE; if so, it returns the policy implementation mode information to the user's CE client software;
4. After the CE client software receives the mode information, it re-encapsulates the user's join request according to the mode's requirements and sends the join request a second time to the connected PE. After receiving it, the PE looks up the service-provider-side network address of the OVPN's source PE in its local T-OVPN-T and forwards the join request to the source PE;
5. After the source PE receives the request and finds that it is an access request, it looks up the user-side access control interface address for this OVPN and forwards the request to that access control interface;
6. After the access control system receives the request, it makes a policy decision on the user's request according to its policy implementation and sends a reply message to the source PE. If the system permits the user's access, it stores the user's information locally, to be completed after the auto-discovery process of step 7;
7. If the source PE receives an affirmative reply from access control, it sends a PIT configuration request to the joining-end PE, asking it to configure the PIT and related information for the new user. After the joining-end PE receives the request and configures the PIT and related information, it triggers the auto-discovery process to synchronise the PIT configuration associated with this OVPN on the other PEs, and at the same time sends a "join OVPN success announcement" to the new user;
8. If the source PE receives a negative reply, it sends a "failure announcement" to the joining-end PE, which then sends a "join OVPN failure announcement" to the user side. This completes the new user's PIT configuration.
The invention focuses on the configuration and deletion of the PIT. Combined with the existing signaling for establishing OVPN logical channels (such as GMPLS) and interface technologies (such as UNI 1.0/2.0), it lets the user complete, directly through signaling, on demand and in real time, the whole sequence of operations from configuring the PIT to finally establishing the OVPN logical link, and lets OVPN users dynamically join or leave an OVPN through signaling. Apart from managing its own authentication and billing system, the network service provider takes no part in any OVPN-related access control; access control is handed entirely to the OVPN users, who exercise it through a user-side access control system chosen autonomously according to their own security requirements. This not only reduces the complexity and risk the provider would bear in having to authenticate every user, but also gives the user great flexibility and independence, making the OVPN value-added service more attractive.
Description of drawings
Fig. 1 is a schematic diagram of the OVPN structure;
Fig. 2 is the overall structure diagram of the embodiment;
Fig. 3 is the signaling flow diagram for establishing and joining an OVPN in the embodiment.
Embodiments
The invention is further described below with reference to the drawings and an embodiment:
The overall idea of the invention is to divide the OVPN establishment process into the following two steps:
1. Configuring virtual information such as the PIT information and the VPN-ID information. This information is used to control the access of OVPN users and is kept only on each PE; no OVPN logical channel (such as a label switched path) is established inside the operator's network for the user. In the invention the user configures the PIT directly and in real time through signaling between the PE and the CE. Combined with the user-side access control policy mentioned in the invention, which the user selects according to its own security requirements, the user can complete, through signaling, on demand and in real time, the whole series of operations from configuring the PIT to finally establishing the OVPN logical link, and users wishing to join the OVPN can dynamically join or leave it through signaling. All content of the invention belongs to this "configuring OVPN virtual information" category.
2. After the first step, when the user needs a real logical channel, it can send an "establish OVPN logical channel" request in real time to the network service provider through the User Network Interface (UNI) proposed by the OIF or another interface, and truly set up the VPN link on demand.
The inventive idea of configuring the PIT on demand is that the user configures the PIT directly and in real time through signaling between the PE and the CE. The user sends a PIT configuration request to the OVPN service provider by some signaling or encrypted form. The request must first pass the authentication of the provider's network charging system or another identity authentication system; once authorization from the VPN's user-side access control system has been obtained, the service provider configures the PIT on the PE connected to that user according to the request. The architecture of this user-side access control system is as follows: all provider edge devices (PEs) act as policy enforcement points (PEPs) for access control, and the customer edge device (CE) that initially established a given OVPN is the policy decision point (PDP) for that VPN. The user can select different policy implementations according to the security level the VPN requires. The implementation can draw on existing IP network policies, for example setting a VPN access ratio threshold or using fixed OVPN user access control, and may be distributed or centralised; the specific policy implementation is outside the scope of this invention.
The joining-style OVPN establishment method is a completely single-ended configuration and does not need to know the other party's network address. After a user initially establishes an OVPN, the service provider returns to the user a VPN-ID or virtual number with a validity period (unique within the service provider). In this joining-style OVPN establishment mode, apart from the member that initially established the OVPN, every other member joins the OVPN through the joining procedure. This effectively solves the problem that a user, before becoming an OVPN member, cannot learn the other party's private address through the service provider network.
The invention requires the operator to select, between each PE and the CE connected to it, one link as the public IP control channel between that CE and PE, and to announce its PE-CC-Addr to the CE; this address is called Public-PE-CC-Addr. All users on the CE can communicate with the operator through this address. The public IP control channel is limited to carrying the requests and announcements related to PIT configuration, namely "establish new OVPN request", "join new OVPN request", "join OVPN failure announcement", "join OVPN success announcement", "complete deletion success announcement", "complete deletion failure announcement", "OVPN failure notification" and "VPN-ID announcement". It cannot carry OVPN control requests (such as establish OVPN connection request, remove OVPN connection request, increase bandwidth request, etc.) or the OVPN complete-deletion request; such requests must be transmitted over the OVPN control channel bound to the VPN-ID.
Public-CE-CC-Addr and Public-PE-CC-Addr are required to be unique on the given PE and CE; even for other PEs and CEs belonging to the same OVPN, this public IP channel address can be fully reused. One way to identify these addresses is to identify Public-PE-CC-Addr by <port index, PE customer premises network address> and Public-CE-CC-Addr by <port index, CE customer premises network address>.
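As an added example (not code from the patent), the following Python models a PE enforcing the public-channel restriction described above: PIT-related requests and announcements are accepted on the Public-CE-CC-Addr/Public-PE-CC-Addr pair, while OVPN control requests are accepted only on a channel bound to the matching VPN-ID. The message names, addresses and the PE's channel table are constructed for illustration.

```python
"""Enforcing the public IP control channel restriction at a PE.

Added example, not code from the patent: it applies the rule that the public
channel (Public-CE-CC-Addr to Public-PE-CC-Addr) carries only requests and
announcements related to PIT configuration, while OVPN control requests and
the complete-deletion request must arrive on the channel bound to a VPN-ID.
Message names, addresses and the PE's channel table are all constructed here.
"""
from dataclasses import dataclass
from typing import Optional

# Messages the public IP control channel is limited to.
PUBLIC_CHANNEL_ALLOWED = frozenset({
    "establish_new_ovpn_request", "join_new_ovpn_request",
    "join_ovpn_failure_announcement", "join_ovpn_success_announcement",
    "complete_deletion_success_announcement", "complete_deletion_failure_announcement",
    "ovpn_failure_notification", "vpn_id_announcement",
})

# Requests that must travel on an OVPN control channel bound to a VPN-ID.
VPN_BOUND_ONLY = frozenset({
    "establish_ovpn_connection_request", "remove_ovpn_connection_request",
    "increase_bandwidth_request", "complete_deletion_request",
})


@dataclass(frozen=True)
class Addr:
    """<port index, device address>, the address form used in the embodiment."""
    port_index: int
    device_ip: str


@dataclass(frozen=True)
class ControlMessage:
    msg_type: str
    src: Addr                     # CE-side control-channel address
    dst: Addr                     # PE-side control-channel address
    vpn_id: Optional[str] = None  # carried only on a VPN-ID-bound channel


class PEControlPlane:
    def __init__(self, public_ce_cc_addr, public_pe_cc_addr, bound_channels):
        self.public = (public_ce_cc_addr, public_pe_cc_addr)
        # bound_channels: (CE-CC-Addr, PE-CC-Addr) -> VPN-ID the channel is bound to
        self.bound = dict(bound_channels)

    def classify(self, msg):
        key = (msg.src, msg.dst)
        return "public" if key == self.public else "bound" if key in self.bound else "unknown"

    def accept(self, msg):
        """Return (accepted, reason) for one inbound control message."""
        chan = self.classify(msg)
        if chan == "public":
            if msg.msg_type in PUBLIC_CHANNEL_ALLOWED:
                return True, "public channel: PIT configuration request or announcement"
            return False, "public channel: OVPN control requests must use a VPN-ID-bound channel"
        if chan == "bound":
            # Assumption: the VPN-ID carried in the message must match the channel's binding,
            # and only OVPN control requests are modelled on bound channels.
            if msg.vpn_id != self.bound[(msg.src, msg.dst)]:
                return False, "bound channel: VPN-ID does not match the channel binding"
            if msg.msg_type in VPN_BOUND_ONLY:
                return True, "bound channel: OVPN control request"
            return False, "bound channel: not an OVPN control request"
        return False, "unknown control channel"
```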
In the invention, configuring the PIT falls into the following three cases:
1. Establishing a new OVPN.
2. A user joins an existing OVPN.
3. A user completely deletes or leaves an OVPN.
All three cases assume that the user has passed the service provider's charging system. The invention also assumes that the user already holds a charge registration card ID (Charge ID, abbreviated CID) and the related information, which matches the existing telecom operation model.
A. The first case (establishing a new OVPN):
To establish a new OVPN, the invention configures a client software on the customer edge device (CE) and, using signaling, sends the user's OVPN request information and the user's CID information over the public IP control channel between the CE and the PE to the provider edge device (PE) adjacent to this CE (hereinafter this PE is called the source PE, this user the source user and this CE the source CE). The OVPN request information contains the bandwidth request, the announcement of the user-side access control policy implementation mode, the user-side access control interface address, the CID and similar information, but no destination address. After the request has been authenticated by the service provider, the PE returns to this OVPN user a VPN-ID with a validity period (or a virtual number, whose uniqueness within the service provider network must be guaranteed). At the same time the service provider configures the port information table (PIT) for this CE on this PE, and this PE announces the OVPN information (including the VPN-ID, the bandwidth, the source PE's service provider network address and the user-side access control policy implementation mode) to all other PEs via BGP or another protocol. All PEs build a temporary database for such OVPN information (Temp OVPN Table, abbreviated T-OVPN-T); each record in the T-OVPN-T contains four items: 1) VPN-ID; 2) bandwidth; 3) user-side access control policy implementation mode; 4) the service-provider-side network address of the source PE associated with this OVPN. The T-OVPN-T is built so that newcomers can identify and join this OVPN from any PE.
Within the validity period specified for the VPN-ID, if at least one new user joins the OVPN, the VPN-ID becomes permanent. Otherwise the source PE sends a "timeout announcement" to the other PEs, and each PE that receives it deletes the T-OVPN-T information associated with this OVPN; at the same time the source PE sends an "OVPN failure notification" to the source CE and then deletes the PIT configuration associated with this OVPN.
B. The second case (a user joins an existing OVPN):
When a user intends to join an existing OVPN, it must obtain the VPN-ID and a client software by some means outside the OVPN. The VPN-ID works like a telephone number in real life: any user authenticated by the service provider can request to join the OVPN using this ID. As long as the user has obtained access permission from the OVPN's user-side access control, the service provider configures the PIT for the user on its adjacent PE. The client software recognises the user-side access control policy implementation mode and encapsulates the user's request in the form required by that mode.
The concrete steps are as follows:
1. The user obtains the VPN-ID and the client software.
2. The user sends a request to join the OVPN to the network service provider, with this VPN-ID as the parameter (and of course other parameters such as the CID charging information).
3. The PE connected to the user receives the request and, after authentication by the charging system and the like, looks up the OVPN's bandwidth and user-side access control policy implementation mode in the T-OVPN-T. It first checks whether a data link satisfying this bandwidth exists between the CE and the PE; if so, it returns the policy implementation mode information to the user's CE client software.
4. After the CE client software receives the mode information, it re-encapsulates the user's join request according to the mode's requirements and sends the join request a second time to the connected PE. After receiving it, the PE looks up the service-provider-side network address of the OVPN's source PE in its local T-OVPN-T and forwards the join request to the source PE.
5. After the source PE receives the request and finds that it is an access request, it looks up the user-side access control interface address for this OVPN (this interface is generally in the same local area network as the source CE, possibly even on the same physical host; in the distributed case there are several interface addresses) and forwards the request to that access control interface.
6. After the access control system receives the request, it makes a policy decision on the user's request according to its policy implementation and sends a reply message to the source PE. If the system permits the user's access, it stores the user's information locally, to be completed after the auto-discovery process of step 7.
7. If the source PE receives an affirmative reply from access control, it sends a PIT configuration request to the joining-end PE, asking it to configure the PIT and related information for the new user. After the joining-end PE receives the request and configures the PIT and related information, it triggers the auto-discovery process to synchronise the PIT configuration associated with this OVPN on the other PEs, and at the same time sends a "join OVPN success announcement" to the new user.
8. If the source PE receives a negative reply, it sends a "failure announcement" to the joining-end PE, which then sends a "join OVPN failure announcement" to the user side. This completes the new user's PIT configuration.
C. The third case (a user completely deletes or leaves an OVPN):
I. When the user is not the source user, its physical or virtual connections (such as label switched paths) associated with the OVPN are removed first, and then the PIT configuration information on the PE it is connected to is deleted.
The concrete steps are: the user sends a complete-deletion request through the CE. After receiving it, the PE checks whether any virtual connection or physical link for this user exists. If so, the PE initiates an OVPN removal request, removes the virtual or physical link, and then deletes the PIT configuration information associated with this user and this OVPN; if not, it directly deletes that PIT configuration information. It then triggers the auto-discovery process to synchronise the PIT configuration associated with this OVPN on the other PEs.
II. When the user is the source user, the OVPN is required to have no members other than the source user before it can be deleted.
The concrete steps are:
1. The source user sends a complete-deletion request for the OVPN.
2. After receiving it, the source PE queries the OVPN membership table and forcibly sends to all users of this OVPN requests to completely remove all physical or logical connections (label switched paths) associated with the OVPN. These requests do not need the users' agreement; the users only need to be notified that the OVPN is being deleted. In essence the source PE initiates the complete-deletion request on behalf of all CEs.
3. The source PE sends an OVPN "timeout announcement" to all other PEs, which delete all information associated with the OVPN from their T-OVPN-T after receiving it.
4. The source PE deletes its local PIT configuration information and the other information associated with the OVPN and sends the user a "complete deletion success announcement".
The following is a specific embodiment of the invention:
In this embodiment the access control policy is implemented as an "OVPN access ratio threshold": within a specified time window, if the proportion of existing members of this OVPN who agree to admit the new user, taken over the total number of members, exceeds the threshold, the policy decision point authorizes the user's access. A low threshold is set when the required security level is low and a high threshold when it is high. The overall structure of the embodiment is shown in Fig. 2, and the signaling flow for establishing and joining an OVPN in Fig. 3.
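The following is an added example, not code from the patent or its authors, of the access ratio threshold policy decision point described above, written in Python. It assumes a Vote record, a fixed reply window and the member names used in the usage; the decision rule itself (share of all current members that agreed, strictly exceeding the threshold, within the window) follows the text. Two consequences are worth noting: a member that stays silent or replies late counts against admission, because the ratio is taken over the whole membership rather than over respondents, and while the OVPN has only its source user as member, that user's single reply decides the outcome on its own.

```python
"""Access-ratio threshold policy decision point (PDP) for OVPN admission.

Added example, not code from the patent. It models the customer-side PDP that
the embodiment co-locates with the source CE: the PDP sends an access request
to every current member, collects their replies for a fixed window, and admits
the new user only if the share of members that agreed exceeds the configured
threshold. The Vote record, the window length and the member names used below
are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    member: str     # name of the existing OVPN member replying
    agree: bool
    at: float       # seconds after the access request was sent


@dataclass(frozen=True)
class RatioThresholdPDP:
    members: frozenset   # current OVPN membership (source user included)
    threshold: float     # ratio that must be exceeded, 0.0 <= threshold < 1.0
    window: float        # seconds the members have to reply

    def __post_init__(self):
        # a threshold of 1.0 could never be exceeded, so it is rejected up front
        if not 0.0 <= self.threshold < 1.0:
            raise ValueError("threshold must lie in [0, 1)")

    def access_request(self, new_user):
        """The message the PDP sends to all current members (assumed format)."""
        return {"msg": "access request", "new_user": new_user,
                "reply_within": self.window, "to": sorted(self.members)}

    def decide(self, votes):
        """Return (admit, ratio). Silence, late replies, duplicate replies and
        replies from non-members never count as agreement."""
        if not self.members:
            return False, 0.0
        counted = {}
        for v in votes:
            if v.member in self.members and v.at <= self.window and v.member not in counted:
                counted[v.member] = v.agree      # first reply from a member is the one that counts
        agreed = sum(1 for agree in counted.values() if agree)
        ratio = agreed / len(self.members)       # over all members, not over respondents
        return ratio > self.threshold, ratio


if __name__ == "__main__":
    pdp = RatioThresholdPDP(frozenset({"CE1", "CE2"}), threshold=0.5, window=60.0)
    print(pdp.access_request("CE3"))
    print(pdp.decide([Vote("CE1", True, 5.0), Vote("CE2", True, 70.0)]))   # CE2 is late
```

With two members and a threshold of 0.5, one agreement and one late reply give a ratio of exactly 0.5, which does not exceed the threshold, so the request is refused; both replies inside the window give 1.0 and admit the user.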
This embodiment has four user nodes, CE1, CE2, CE3 and CE4, and four service provider network edge nodes, PE1, PE2, PE3 and PE4; the service provider core nodes P are not drawn, and each CE is connected to its adjacent PE by multiple ports. Following the address rules of RFC 5251, CPI, VPN-PPI, PE-CC-Addr and CE-CC-Addr must be unique within the VPN they belong to, and the PPI address must be unique within the service provider network. To reduce the complexity of the analysis, this embodiment assumes:
1. All port addresses are written as <port index number, device IP address>.
2. The customer-premises network addresses assigned by a third party belong to the "220.210.20.0" segment, and the network-side addresses assigned by the operator belong to the "192.168.48.0" segment, as marked in Fig. 2. Each PE therefore has two addresses: a user-side address (the device IP address used in the VPN-PPI) and a carrier-side address (the device IP address used in the PPI).
3. The public IP control channel port designated by the third party between each CE and PE pair is port 1.
4. The policy decision point and the source CE are on the same physical host and are distinguished by TCP port (assumed to be 40000 in this embodiment).
A. Establishing and joining an OVPN:
Suppose CE1 first initiates a request to establish a new OVPN (flow in Fig. 3). After CE1 has configured the policy ratio threshold, it sends an "establish new OVPN request" to PE1 over the CE1-PE1 public IP control channel. Under the assumptions above, the request's source address Public-CE-CC-Addr is <1, 220.210.20.1> and its destination address Public-PE-CC-Addr is <1, 220.210.20.5>. The request carries the bandwidth request, the user-side access control policy implementation mode announcement, the user-side access control interface address and the CID, as in Table 1:
Bandwidth | Policy implementation mode | User-side access control interface address | Charging ID (CID)
2.5G | Access ratio threshold | 220.210.20.1 (TCP:40000) | 1000
Table 1
When the request reaches PE1 and passes authentication, PE1 passes the related charging information such as the CID to the management system, then:
1. PE1 checks, according to the bandwidth request, whether a data plane link between CE1 and PE1 satisfies the bandwidth demand (when several data links are needed together to meet the demand, link bundling can be used, see RFC 4201, but the bundle has only one port identifier). If so, it allocates a time-limited VPN-ID for the request and binds the CPI and VPN-PPI of that data link to the VPN-ID; at the same time it selects a control plane IP control channel between CE1 and PE1 for this VPN and binds that channel's CE-CC-Addr and PE-CC-Addr to the VPN-ID as the OVPN control channel.
2. PE1 sends a "VPN-ID announcement" to CE1 over the public IP control channel containing the time-limited VPN-ID, the data plane CPI and VPN-PPI, and the IP control channel CE-CC-Addr and PE-CC-Addr. In this embodiment the data plane ports on the CE and PE are both port 2 and the control plane channel ports are both port 3 (this depends on the actual port connections); assuming the VPN-ID is 200010, the returned information is as in Table 2:
Table 2 (reproduced only as an image in the source; it lists VPN-ID 200010, the data plane CPI <2, 220.210.20.1> and VPN-PPI on port 2, and the control channel CE-CC-Addr <3, 220.210.20.1> and PE-CC-Addr <3, 220.210.20.5>)
3. At the same time PE1 configures the PIT locally for this user: the PIT entry <CPI, PPI> is <<2, 220.210.20.1>, <2, 192.168.48.1>>. PE1 also sends the VPN-ID, bandwidth, PE1's service provider side network address and the policy implementation mode of this VPN, <200010, 2.5G, 192.168.48.1, access ratio threshold>, to PE2, PE3 and PE4 by a protocol such as BGP; on receiving this message, PE2, PE3 and PE4 add the OVPN's information to their local T-OVPN-T databases. The initial OVPN is now established.
If no other user joins this OVPN within the time limit of the VPN-ID (24 hours), PE1 sends a "timeout notice" to PE2, PE3 and PE4, deletes its local PIT configuration associated with this user and this OVPN, cancels the link bundling, and at the same time sends an "OVPN failure notification" to CE1 over the public IP control channel.
Now suppose user CE2 wants to join this OVPN within the VPN-ID's time limit. CE2 must first learn the VPN-ID (200010) from CE1 by a channel outside the OVPN, then send a "join new OVPN request" to PE2 over the CE2-PE2 public IP control channel with the VPN-ID as its main parameter; its <Public-CE-CC-Addr, Public-PE-CC-Addr> is <<1, 220.210.20.2>, <1, 220.210.20.6>>. After PE2 receives the request, passes the charging information such as the CID to the management system and completes access authentication, it looks up the bandwidth and access control policy implementation mode of this VPN-ID in its local T-OVPN-T (2.5G and access ratio threshold mode in this embodiment). PE2 then checks locally whether a data plane link between itself and CE2 satisfies the bandwidth demand (2.5G); if so, it returns the policy implementation mode it found (access ratio threshold mode) to the CE2 client, which re-sends the "join this OVPN request" to PE2 in the format that mode requires. PE2 looks up the service provider side address of the source PE (PE1) for this VPN-ID (192.168.48.1 in this embodiment) and forwards CE2's join request to that source PE. After receiving the request, the source PE (PE1) looks up this OVPN's user-side access control interface address (source CE1 in this embodiment) and forwards the join request to CE1 over the OVPN control channel it has bound, whose CE-CC-Addr and PE-CC-Addr are <3, 220.210.20.1> and <3, 220.210.20.5>. CE1 inspects the request format, recognizes it as a join request, and forwards it to its access control interface (220.210.20.1, TCP port 40000 in this embodiment), which, following its policy execution steps, sends an access request to all users belonging to this VPN and admits the new user as long as the access ratio exceeds the configured threshold. PE1 waits for the reply from the user-side access control system: if the reply is affirmative, PE1 sends a "configure PIT request" to PE2 and changes the VPN-ID's time limit to permanent on PE1; otherwise it sends a "failure announcement" to PE2. If PE2 receives a "failure announcement", it sends a "join OVPN failure announcement" to CE2 over the CE2-PE2 public IP control channel; if it receives a "configure PIT request", then:
1. PE2 selects, according to this OVPN's bandwidth demand, a data plane link between CE2 and PE2 that satisfies it and binds the CPI and VPN-PPI of that link to the VPN-ID; it also selects a control plane IP control channel between CE2 and PE2 for this VPN user and binds its CE-CC-Addr and PE-CC-Addr to the VPN-ID as the OVPN control channel.
2. At the same time PE2 sends a "join OVPN success announcement" to user CE2 over the public IP control channel containing the data plane CPI and VPN-PPI and the IP control channel CE-CC-Addr and PE-CC-Addr. In this embodiment the data and control access ports are assumed to be port 3 and port 2 respectively, giving the information in Table 3:
Table 3
3. Meanwhile PE2, as the adding-end PE, configures the PIT locally for this user, with <CPI, PPI> = <<3, 220.210.20.2>, <3, 192.168.48.2>>, and triggers the auto-discovery process to synchronously update the PIT configuration associated with this OVPN on the other PEs (outside the scope of this invention). CE2's PIT configuration is now complete.
If user CE3 then also wants to join this OVPN (which now has two members, CE1 and CE2), its joining steps are similar to CE2's and are not repeated.
The situations above describe only the PIT configuration procedure. Once the PIT is configured, the user can combine it with existing OVPN logical channel setup signaling (such as GMPLS) and initiate, in real time, a request to the network operator to establish an OVPN logical link over the OVPN control channel bound between the CE and PE.
B. Completely removing or withdrawing from an OVPN:
On the basis of the OVPN built above (three members, CE1, CE2 and CE3), if CE2 wants to withdraw completely from this OVPN, it sends a "complete removal OVPN request" to PE2 over its bound OVPN control channel, whose <CE-CC-Addr, PE-CC-Addr> is <<2, 220.210.20.2>, <2, 220.210.20.6>>. After PE2 receives the request, it checks whether a virtual connection (such as a label switched path) associated with this user exists in the OVPN; if so, it first initiates an OVPN connection teardown request and removes that virtual connection, then deletes the PIT configuration information on PE2 associated with this user and this OVPN, cancels the link bundling, and triggers the auto-discovery process. At the same time it sends a "complete removal success announcement" to the user over the PE2-CE2 public IP control channel, <Public-CE-CC-Addr, Public-PE-CC-Addr> = <<1, 220.210.20.2>, <1, 220.210.20.6>>.
If instead CE1 wants to remove this OVPN completely, the removal is initiated by the source CE user and differs considerably from the case above. When PE1 receives the "complete removal OVPN request" sent by CE1, it queries the OVPN member list and finds three members, CE1, CE2 and CE3. It first sends a "force delete OVPN request" to PE2 and PE3; on receiving it, PE2 and PE3 delete any virtual connection present on them, then delete their local PIT configuration information associated with this user and this OVPN, cancel the bindings, trigger the auto-discovery process, and send an "OVPN invalidation announcement" to CE2 and CE3 over the public IP control channel. PE1 queries its OVPN member list again; now only CE1 itself remains a member, so PE1 sends a "timeout announcement" to PE2, PE3 and PE4, deletes the local PIT configuration and other information associated with this OVPN, and notifies CE1 of "complete removal success". After PE2, PE3 and PE4 receive the "timeout announcement" they delete the T-OVPN-T information for this OVPN; at this point the VPN-ID is invalid, no user can join this OVPN again, and the complete deletion of the OVPN is finished.
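The following added example (not code from the patent or its authors) puts the establish, join, timeout, withdraw and complete-removal flows above into one Python simulation of the PE-side tables. A dict of PE objects stands in for the provider network: writing into another PE's tables replaces the BGP announcement and the auto-discovery process, and `pdp` is a callable standing in for the customer-side access control system. Method names, the `notices` list, the `link_bw` argument and the tuple form of the <port, ip> addresses are assumptions. Note that, as the text states, any user authenticated by the provider that has learned the VPN-ID out of band may present it, so the customer-side decision returned through `authorize` is the gate that actually separates members from non-members; the provider-side checks before it are authentication, charging and bandwidth, not membership.

```python
"""PE-side bookkeeping for the PIT-configured OVPN procedure: establish (A),
join (B), VPN-ID timeout, non-source withdrawal (C-I) and source-initiated
complete removal (C-II).

Added example, not code from the patent. A dict of PE objects stands in for
the provider network (writes into other PEs replace BGP and auto-discovery),
`pdp` stands in for the customer-side access control system. Method names,
`notices` and `link_bw` are assumptions; the per-PE data (T-OVPN-T, PIT,
time-limited VPN-ID, membership table) follows the text.
"""

VPN_ID_LIFETIME = 24 * 3600  # seconds: the embodiment's 24-hour VPN-ID time limit


class PE:
    def __init__(self, name, provider_addr, network):
        self.name, self.provider_addr, self.net = name, provider_addr, network
        network[provider_addr] = self
        self.t_ovpn_t = {}    # VPN-ID -> {"bandwidth", "mode", "source"} (every PE)
        self.pit = {}         # (VPN-ID, CPI) -> PPI for locally attached CEs
        self.ovpn_ports = {}  # VPN-ID -> CPIs of all members, learned by auto-discovery
        self.members = {}     # VPN-ID -> {CE name: its PE}         (source PE only)
        self.expiry = {}      # VPN-ID -> deadline, None once permanent (source PE only)
        self.pdp = {}         # VPN-ID -> access control callable   (source PE only)
        self.lsps = set()     # (VPN-ID, CE) data-plane connections currently set up
        self.notices = []     # (CE, announcement) delivered to attached CEs

    def auto_discovery(self, vpn_id):
        """Re-synchronise the OVPN's port set on every PE from their local PITs."""
        ports = {cpi for pe in self.net.values() for (v, cpi) in pe.pit if v == vpn_id}
        for pe in self.net.values():
            pe.ovpn_ports[vpn_id] = ports

    def establish(self, ce, cpi, ppi, bandwidth, mode, pdp, vpn_id, now):
        """Case A on the source PE. Returns the VPN-ID announcement for the CE."""
        entry = {"bandwidth": bandwidth, "mode": mode, "source": self.provider_addr}
        for pe in self.net.values():      # BGP announcement: every PE records the OVPN
            pe.t_ovpn_t[vpn_id] = dict(entry)
        self.pit[(vpn_id, cpi)] = ppi
        self.members[vpn_id] = {ce: self}
        self.expiry[vpn_id] = now + VPN_ID_LIFETIME
        self.pdp[vpn_id] = pdp
        self.auto_discovery(vpn_id)
        return {"msg": "VPN-ID announcement", "vpn_id": vpn_id, "expires": now + VPN_ID_LIFETIME}

    def join(self, ce, cpi, ppi, vpn_id, link_bw, now):
        """Case B on the adding-end PE. Returns the announcement sent to the CE."""
        entry = self.t_ovpn_t.get(vpn_id)
        if entry is None or link_bw < entry["bandwidth"]:   # unknown/expired ID or no suitable link
            return "join OVPN failure announcement"
        source = self.net[entry["source"]]
        if not source.authorize(vpn_id, ce, now):
            return "join OVPN failure announcement"
        self.pit[(vpn_id, cpi)] = ppi                # the "configure PIT request" carried out here
        source.members[vpn_id][ce] = self
        source.expiry[vpn_id] = None                 # first member joined: VPN-ID becomes permanent
        self.auto_discovery(vpn_id)
        return "join OVPN success announcement"

    def authorize(self, vpn_id, ce, now):
        """Source PE: forward the access request to the user-side access control system."""
        deadline = self.expiry.get(vpn_id)
        if vpn_id not in self.members or (deadline is not None and now > deadline):
            return False
        return bool(self.pdp[vpn_id](ce, set(self.members[vpn_id])))

    def check_timeout(self, vpn_id, now):
        """Source PE: nobody joined within the VPN-ID time limit."""
        deadline = self.expiry.get(vpn_id)
        if deadline is None or now <= deadline:
            return None
        self._timeout_announcement(vpn_id)
        return "OVPN failure notification"

    def _timeout_announcement(self, vpn_id):
        for pe in self.net.values():     # every PE drops the T-OVPN-T record; source drops everything
            pe.t_ovpn_t.pop(vpn_id, None)
            pe.ovpn_ports.pop(vpn_id, None)
        self.pit = {k: v for k, v in self.pit.items() if k[0] != vpn_id}
        for table in (self.members, self.expiry, self.pdp):
            table.pop(vpn_id, None)

    def withdraw(self, ce, cpi, vpn_id):
        """Case C-I on the adding-end PE: tear down the LSP first, then the PIT entry."""
        self.lsps.discard((vpn_id, ce))
        self.pit.pop((vpn_id, cpi), None)
        self.net[self.t_ovpn_t[vpn_id]["source"]].members[vpn_id].pop(ce, None)
        self.auto_discovery(vpn_id)
        return "complete removal success announcement"

    def remove(self, ce, vpn_id):
        """Case C-II on the source PE: force every other member out, then invalidate the ID."""
        for member, pe in list(self.members[vpn_id].items()):
            if pe is not self:                       # "force delete OVPN request" to that PE
                pe.lsps.discard((vpn_id, member))
                pe.pit = {k: v for k, v in pe.pit.items() if k[0] != vpn_id}
                pe.notices.append((member, "OVPN invalidation announcement"))
        self.lsps.discard((vpn_id, ce))
        self._timeout_announcement(vpn_id)
        return "complete removal success announcement"
```

A run of the embodiment's scenario builds three PEs in one dict, has PE1 establish VPN-ID 200010 for CE1 with an always-approving `pdp`, lets CE2 and CE3 join through PE2 and PE3, withdraws CE2, and finally has PE1 remove the whole OVPN; after the removal no PE holds a T-OVPN-T record for 200010 and a later join with that ID fails without ever reaching the access control system.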
With the present invention, combined with existing OVPN logical channel setup signaling (such as GMPLS) and interface technologies (such as UNI 1.0/2.0), the user can complete the whole sequence of operations from configuring the PIT to finally establishing the OVPN logical link directly through signaling, in real time and on demand, and a user wishing to join an OVPN can dynamically join or withdraw from it through signaling in real time. This overcomes the unintelligent aspects of the traditional approach, such as manual application.
The present invention targets port-based OVPN networks, and its preferred application objects are large companies and large enterprises and institutions. The principle of the invention is not limited to port-based OVPN configuration: as optical switching networks develop towards finer granularity, PIT configuration will also develop towards finer granularity, but the principle of the invention still applies. Any modification or disguised extension of this principle within the spirit and principles of the invention falls within its protection scope.

Claims (8)

1. A user controlled L1 OVPN access method based on port information table (PIT) configuration, characterized in that it comprises the following steps:
1. The user directly configures the PIT in real time through signaling between the PE and CE:
The user sends a configure-PIT request to the OVPN service provider through a signaling or encrypted form; the request is authenticated by the provider's network charging system or another identity authentication system and, after authorization is obtained from the user-side access control system of this VPN, the service provider configures the PIT for the user on the PE it is attached to according to the user's request;
2. When the user needs an actual logical channel, it sends an "establish OVPN logical channel" request to the network service provider in real time, and the VPN link is established on demand through the User Network Interface.
2. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 1, characterized in that, when establishing the logical channel, the operator is required to select one link between each PE and the CE connected to it as the public IP control channel between that CE and PE, and to announce its PE-CC-Addr, called Public-PE-CC-Addr, to that CE. Public-CE-CC-Addr and Public-PE-CC-Addr must be unique on that PE and CE; other PEs and CEs, even in the same OVPN, may fully reuse the public IP channel addresses. This public IP control channel carries only the requests and replies related to PIT configuration: "establish new OVPN request", "join new OVPN request", "join OVPN failure announcement", "join OVPN success announcement", "complete removal success announcement", "complete removal failure announcement", "OVPN failure notification" and "VPN-ID announcement". It must not carry OVPN control requests or the complete-removal OVPN request; such requests are carried by the OVPN control channel bound to the VPN-ID.
3. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 1 or 2, characterized in that it covers the following three situations:
A. Establishing a new OVPN:
Client software configured on the CE sends the user's OVPN request information and the user's CID information in signaling form, over the public IP control channel between this CE and PE, to the PE adjacent to the CE. The OVPN request information contains the bandwidth request, the user-side access control policy implementation mode announcement, the user-side access control interface address and the CID, and contains no destination address. After the request is authenticated by the service provider, the PE returns a time-limited VPN-ID to this OVPN user; at the same time the service provider configures the PIT for this CE on this PE, and this PE announces the OVPN information to all other PEs by BGP or another protocol. All PEs maintain a volatile database T-OVPN-T for this OVPN information; each record in T-OVPN-T has four fields: 1) VPN-ID, 2) bandwidth, 3) user-side access control policy implementation mode, 4) the service provider side network address of the source PE associated with this OVPN;
B. A user joins an existing OVPN:
When a user intends to join an existing OVPN, it must obtain the VPN-ID and the client software by a channel outside the OVPN. Any user authenticated by the service provider can request to join this OVPN with this ID, and as long as the user has obtained access permission from this OVPN's user-side access control, the service provider configures the PIT for the user on its adjacent PE. The client software recognizes the user-side access control policy implementation mode and encapsulates the user's request in the format required by the specific implementation mode;
C. A user completely removes or withdraws from an OVPN:
I. When the user is not the source user, first tear down its physical or virtual connection associated with this OVPN, then delete the PIT configuration information on the PE it is attached to;
II. When the user is the source user, it is required that no member remain in this OVPN before deletion.
4. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 3, characterized in that, when a new OVPN is established, if at least one new user joins this OVPN within the time limit of the VPN-ID, the VPN-ID becomes permanent; if not, the source PE sends a "timeout announcement" to the other PEs, and each PE receiving it deletes the T-OVPN-T information associated with this OVPN, while the source PE sends an "OVPN failure notification" to the source CE and then deletes the PIT configuration associated with this OVPN.
5. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 3, characterized in that, when a new OVPN is established, if at least one new user joins this OVPN within the time limit of the VPN-ID, the VPN-ID becomes permanent; if not, the source PE sends a "timeout announcement" to the other PEs, and each PE receiving it deletes the T-OVPN-T information associated with this OVPN, while the source PE sends an "OVPN failure notification" to the source CE and then deletes the PIT configuration associated with this OVPN.
6. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 3, characterized in that, when a user completely removes or withdraws from an OVPN and is not the source user, its physical or virtual connection associated with this OVPN is torn down first and the PIT configuration information on the PE it is attached to is deleted afterwards. The concrete steps are: the user initiates a complete-removal request through its CE; on receiving the request, the PE checks whether a virtual connection or physical link belonging to this user exists; if so, the PE initiates a remove-OVPN request, tears down that virtual or physical link, and then deletes the PIT configuration information associated with this user and this OVPN; if not, it directly deletes that PIT configuration information. It then triggers the auto-discovery process to synchronously update the PIT configuration associated with this OVPN on the other PEs.
7. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 3, characterized in that, when the user is the source user, it is required that no member remain in this OVPN before deletion. The concrete steps are: the source user initiates a complete-removal OVPN request; after receiving it, the source PE queries the OVPN membership table and forcibly initiates, towards all users of this OVPN, a request to completely remove all physical or logical connections associated with this OVPN, which does not need the users' consent and only notifies them that the OVPN has been removed; the source PE sends an OVPN "timeout announcement" to all other PEs, and on receiving it the other PEs delete all information associated with this OVPN from T-OVPN-T; the source PE deletes its local PIT configuration and other information associated with this OVPN and notifies the user with a "complete removal success announcement".
8. The user controlled L1 OVPN access method based on port information table (PIT) configuration according to claim 3, characterized in that a user joins an existing OVPN by the following steps:
1. The user obtains the VPN-ID and the client software;
2. The user sends a request to join this OVPN to the network service provider with the VPN-ID as parameter;
3. The PE connected to this user receives the request and, after authentication by the charging system or similar, looks up this OVPN's bandwidth and user-side access control policy implementation mode in T-OVPN-T, first checks whether a data link between this CE and PE satisfies that bandwidth, and if so returns the user-side access control policy implementation mode information to the user's CE client software;
4. After the CE client software receives the mode information, it re-encapsulates the user's join request as the mode requires and sends the join request a second time to its attached PE. After the PE receives this request, it looks up the service provider side network address of this OVPN's source PE in its local T-OVPN-T and forwards the join request to that source PE;
5. After the source PE receives the request and recognizes it as an access request, it looks up this OVPN's user-side access control interface address and forwards the request to that access control interface;
6. After the access control system receives the request, it makes a policy decision on the user's request according to its policy implementation and sends a request reply message to the source PE. If the system has admitted the user, it saves the user's profile locally, to be completed further after the auto-discovery process of step 7;
7. If the source PE receives an affirmative reply from access control, it sends a configure-PIT request to the adding-end PE, asking it to configure the PIT and related information for the new user; after the adding-end PE receives the request and has configured the PIT and related information, it triggers the auto-discovery process to synchronously update the PIT configuration associated with this OVPN on the other PEs and sends a "join OVPN success announcement" to the new user;
8. If the source PE receives a negative reply, it sends a "failure announcement" to the adding-end PE, which on receiving it sends a "join OVPN failure announcement" to the user side; at this point the new user's PIT configuration is complete.
CNA2009100597539A 2009-06-25 2009-06-25 A kind of user controlled L 1 OVPN access method based on the port information table (PIT) configuration Pending CN101599964A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009100597539A CN101599964A (en) 2009-06-25 2009-06-25 A kind of user controlled L 1 OVPN access method based on the port information table (PIT) configuration


Publications (1)

Publication Number Publication Date
CN101599964A true CN101599964A (en) 2009-12-09

Family

ID=41421211


Country Status (1)

Country Link
CN (1) CN101599964A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337924A (en) * 2014-05-28 2016-02-17 华为技术有限公司 Network service provider system data access control method and device
US10397234B2 (en) 2014-05-28 2019-08-27 Huawei Technologies Co., Ltd. Method and device for controlling access to data in network service provider system
CN105337924B (en) * 2014-05-28 2020-01-21 华为技术有限公司 Network service provider system data access control method and equipment
US10911462B2 (en) 2014-05-28 2021-02-02 Huawei Technologies Co., Ltd. Method and device for controlling access to data in network service provider system
CN110945835A (en) * 2017-09-21 2020-03-31 华为技术有限公司 Message synchronization method and device

Similar Documents

Publication Publication Date Title
US11962571B2 (en) Ecosystem per distributed element security through virtual isolation networks
EP2624525B1 (en) Method, apparatus and virtual private network system for issuing routing information
CN1790980B (en) Secure authentication advertisement protocol
EP2995067B1 (en) A direct connect virtual private interface for a one to many connection with multiple virtual private clouds
US7447166B1 (en) Method to distribute IEEE 802.1X authenticated users among multiple broadcast domains
CN104811371B (en) A kind of brand-new instantaneous communication system
US8724505B2 (en) Flexible mechanism for supporting virtual private network services based on source-independent distributed advertisements
EP2012470A1 (en) A method, apparatus, and system implementing the vpn configuration service
CN103036784A (en) Methods and apparatus for a self-organized layer-2 enterprise network architecture
CN113114617B (en) Communication method, system and storage medium
CN101567831B (en) Method and device for transmitting and receiving messages among local area networks and communication system
CN111131258A (en) Safe private network architecture system based on 5G network slice
EP2922246B1 (en) Method and data center network for cross-service zone communication
CN102882758A (en) Method for accessing virtual private cloud to network, network-side equipment and data center equipment
CN101009629A (en) Dynamic connection method for virtual private network
EP1396979A3 (en) System and method for secure group communications
CN108810993A (en) Network is sliced selection method, equipment, UE, control plane functional entity and medium
CN112272145B (en) Message processing method, device, equipment and machine readable storage medium
CN103634171A (en) Dynamic configuration method, device and system
CN105577675A (en) Multi-tenant resource management method and device
CN107566237A (en) A kind of data message processing method and device
CN106027491B (en) Separated links formula communication processing method and system based on isolation IP address
CN107360089A (en) A kind of method for routing foundation, business datum conversion method and device
CN100563172C (en) The life span segmentation realizes the method and system of network security protection
CN101599964A (en) A kind of user controlled L 1 OVPN access method based on the port information table (PIT) configuration

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20091209