CN107528778A - VPN system of dynamic tunnel end mode, virtual router and manager device for it - Google Patents


Info

Publication number: CN107528778A
Application number: CN201610716440.6A
Authority: CN (China)
Prior art keywords: tunnel, virtual router, terminal, tunnel end, rule information
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 金亨焕
Current assignee: Arad Network Co Ltd
Original assignee: Arad Network Co Ltd
Application filed by Arad Network Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/24 Multipath
    • H04L45/58 Association of routers
    • H04L45/586 Association of routers of virtual routers
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/28 Flow control; Congestion control in relation to timing considerations
    • H04L47/286 Time to live
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Abstract

The present invention relates to a virtual private network (VPN) system of the dynamic tunnel end mode, and to a virtual router and a manager device for that system. A single virtual router is allowed to use multiple tunnel ends; a tunnel end table containing multiple tunnel end information entries is provided to the terminal and to the virtual router, and a tunnel end is dynamically selected according to a predetermined rule so that the tunnel attributes change dynamically. Because the tunnel attributes of each VPN communication change dynamically, external hacking is harder to carry out than against a common VPN system, which improves the security of data transmission and reception.

Description

VPN system of dynamic tunnel end mode, virtual router and manager device for it
Technical field
The present invention relates to virtual private networks (Virtual Private Network; hereinafter "VPN"), and more specifically to a virtual private network system of the dynamic tunnel end mode and to a manager device for it.
Background technology
A common communication system is made up of a client terminal, a service providing server and the communication network connecting them.
Also, in order to provide a plurality of communication services such as finance and home automation, one terminal must connect to multiple service providing servers, and to realize such multiple connections the communication network must also be separated appropriately.
In addition, VPNs are currently used in order to use a public communication network such as the Internet as a dedicated line.
Such a VPN can be realized in the following way: an extra gateway or router is configured between the two communicating terminal devices (End Equipment), and a tunnel (Tunneling), a scheme providing a specific communication system and encryption method, is defined between the gateways or routers, or between a terminal device and a gateway.
Here, tunneling means that a packet of a lower-layer communication protocol is encapsulated using an upper-layer communication protocol, thereby realizing communication between two points on the communication network.
That is, it has the following feature: on the communication network, an ordinary packet and an encapsulated packet cannot be distinguished, and only the equipment at both ends of the tunnel, i.e. the two end devices that can decapsulate, can recover the original packet.
Because a path invisible to the naked eye can be established between two devices on a public network such as the Internet to carry out communication, it is called a "tunnel", and the end of such a tunnel is defined as a tunnel end (Tunnel End).
In addition, in existing VPN systems, a virtual router (Virtual Router) defined inside the gateway connected to one or more servers (Server) is used as a single independent tunnel end.
Therefore, in a VPN system, to realize communication between a terminal and a particular server, a tunnel must be formed with the virtual router (VR) linked to the respective server, and that virtual router becomes the tunnel end.
In this case, the terminal generates a packet whose data structure includes a home address (HoA) defined by the common five-tuple (Tuples); to realize tunnel-based data transmission and reception, a Care-of Address (Care-Of-Address, CoA) is added as an extra extension header address and the packet is sent to the virtual router.
The respective virtual router removes the CoA and then transfers the packet to the corresponding server, completing the data transmission.
In addition, in such common VPN communication, one or more virtual routers (VR) are defined inside the gateway, and each virtual router can be set as a tunnel end at only one address.
That is, a virtual router can constitute only one tunnel end defined by one public IP address and one port (Port); as a result, only one tunnel using one address can be formed between a particular terminal and a virtual router.
Therefore, even with a VPN system, the data exchanged between a particular terminal and a server passes through a single, constant tunnel end, and hence is vulnerable to hacking.
That is, in an existing VPN, once a tunnel is formed between a terminal and a server, the same destination address (Dest. Address), port number (Port No.) and so on providing the tunnel end are used all the time without change; therefore, even when a CoA is used, the address of the tunnel end remains constant, with the disadvantage that it is easily stolen by a hacker.
On the other hand, the present invention provides a scheme in which a virtual router in a VPN system has multiple tunnel ends, multiple tunnels can be realized with a particular terminal, and the tunnel end information between the particular terminal and the virtual router changes dynamically.
Summary of the invention
Therefore, an object of embodiments of the present invention is to provide a VPN system in which multiple tunnel ends can be set in a single virtual router.
Another object of the present invention is to provide a VPN system in which multiple tunnels can be set between a single virtual router and a terminal, and the tunnel end of the virtual router connected to a particular terminal can be changed dynamically.
A further object of the present invention is to provide a manager device for a VPN system, in which the manager device (Manager) generates a dynamic tunnel end table (Dynamic Tunnel End Table; DTE Table) and sends it to the terminal agent and the respective gateway, where the dynamic tunnel end table represents the setting order of the multiple tunnel ends of each virtual router defined inside the gateway, and the respective virtual router and the terminal agent use the DTE table to dynamically change the settings of multiple tunnels.
To achieve these objects, one embodiment of the invention provides a virtual private network system including: a virtual router, which is connected with a terminal through a tunnel and in which multiple tunnel ends can be set, each tunnel end being defined by one public IP address selected from two or more public IP addresses and one port number selected from two or more port numbers; and a manager device, which generates a tunnel end table containing the multiple tunnel end information entries that the virtual router can set, and sends the tunnel end table to the terminal and the virtual router, wherein the virtual router stores the tunnel end table and, based on it, dynamically changes the tunnel end of the tunnel connected with the terminal at regular intervals.
According to another embodiment, the present invention provides a virtual router which is connected with a terminal through a tunnel and carries out VPN communication with the terminal, wherein multiple tunnel ends can be set in the virtual router, each tunnel end being defined by one public IP address selected from two or more public IP addresses and one port number selected from two or more port numbers; the virtual router receives a tunnel end table from an external manager device and stores it, the tunnel end table containing the multiple tunnel end information entries that the virtual router can set; and based on the tunnel end table the virtual router dynamically changes the tunnel end of the tunnel connected with the terminal at regular intervals.
According to still another embodiment, the present invention provides a manager device which is connected with a terminal and a virtual router and controls them, wherein multiple tunnel ends can be set in the virtual router, each tunnel end being defined by one public IP address selected from two or more public IP addresses and one port number selected from two or more port numbers; the manager device generates a tunnel end table and sends it to the terminal and the virtual router, so that the virtual router and the terminal, based on the tunnel end table, dynamically change the tunnel end of the tunnel between them at regular intervals, the tunnel end table containing the multiple tunnel end information entries that the virtual router can set.
Brief description of the drawings
Fig. 1 shows an example of common VPN traffic network.
Fig. 2 shows an example of the data structure of the packet exchanged between the terminal and the server in the VPN shown in Fig. 1.
Fig. 3 shows an example of a communication network of the common network address translation (Network Address Translation; NAT) mode.
Fig. 4 shows the overall structure of the VPN system according to one embodiment of the invention.
Fig. 5 shows the dynamic tunnel end (DTE) setup procedure in the VPN system according to an embodiment of the invention.
Fig. 6 shows the device registration and tunnel end change process performed between the manager device (Manager) and the gateway (virtual router) in the VPN system according to an embodiment of the invention.
Fig. 7 shows the detailed structure of the manager device used in the VPN system according to an embodiment of the invention.
Description of reference numerals
100: Terminal (agent)
110, 220: DTE table DB
200: Gateway
210: Virtual router (VR)
300: Manager device
310: DTE DB
330: VR management unit
340: DTE table management unit
400: Server group
410: Server
Embodiment
Hereinafter, some embodiments of the present invention are described in detail with reference to the exemplary drawings. When assigning reference numerals to the components of each drawing, identical components are given the same reference numeral as far as possible even when they appear on different drawings. Also, in describing the present invention, a detailed description of a known structure or function is omitted if it is considered to obscure the technical idea of the invention.
Also, in describing the components of the present invention, terms such as first, second, A, B, (a), (b) may be used. Such terms serve only to distinguish one component from another, and do not limit the nature, sequence, order or number of the corresponding component. If a component is described as "connected", "coupled" or "accessing" another component, it may be directly connected to or access that other component, but other components may also be "interposed" between them, or each component may be "connected", "coupled" or "accessing" through other components.
Fig. 1 shows an example of common VPN traffic network.
Fig. 2 shows an example of the data structure of the packet exchanged between the terminal and the server in the VPN shown in Fig. 1.
As shown in Fig. 1, a common VPN system includes: a terminal 10; a gateway 20 including multiple virtual routers 22 (Virtual Router); and multiple servers 30 connected with the gateway.
In such a VPN system, in order to send a packet to a particular server, the agent (agent) of the terminal 10 adds an inner header (Inner Header) made up of a five-tuple (Tuples) to the payload (Payload), the data to be transmitted, to generate a fundamental packet.
Here, as shown in Fig. 2A, the inner header includes: the protocol (Protocol), its own source address (Source Address) and source port number (Source Port No.), and the destination address (Dest. Addr.) and destination port number (Dest. Port No.) of the respective server; such an inner header can be expressed as the home address (Home Address, HoA).
Also, the terminal agent adds an extension header or outer header (Outer Header) to the fundamental packet structure to generate an extended packet; the outer header includes: the protocol (Protocol), its own source address (Source Address) and source port number (Source Port No.), and the destination address (Dest. Addr.) and destination port number (Dest. Port No.), which are the address and port number of the destination virtual router 22.
Here, the extension header or outer header can be expressed as the Care-of Address (Care of Address, CoA).
In addition, a tunnel (Tunnel) is formed between the terminal and the virtual router as a private communication path, and the terminal sends the extended packet through this tunnel to the virtual router inside the gateway.
Here, after the corresponding virtual router removes the CoA from the extended packet, it sends only the fundamental packet made up of the payload and HoA to the respective server, completing the packet transmission.
In this specification, VPN (Virtual Private Network) is the abbreviation of virtual private network, and denotes providing a specific communication system so that an Internet communication service can be used as a dedicated line.
That is, it is a communication method in which, after a client and a particular server are connected using a general-purpose communication network, the two devices use a preset communication system (protocol) to achieve the same effect as private communication.
To realize such a VPN, a certain VPN program or terminal agent must be installed on the terminal (client) side; when such a terminal agent is running and data is processed according to the set protocol and sent to the gateway and server side, it is recognized by the gateway or server.
Here, the communication channel similar to a dedicated line formed between the terminal and the server side can be expressed as the VPN, and in particular the communication channel that can be formed between the terminal and the virtual router is expressed as a tunnel. The protocol set for the tunnel between the terminal and the virtual router uses the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) based on the public network, or the like.
In such a VPN system, the entity that can realize VPN communication between the terminal and the server can be defined as the virtual router (VR), and the physical unit including multiple virtual routers is defined as the gateway (Gateway; G/W).
That is, as shown in Fig. 1, multiple virtual routers 22 are included inside the gateway 20, and each virtual router is linked with one or more servers 30 or a server group.
Here, each virtual router is identified by one public IP address and one port, and the public IP address and port number of such a virtual router can be expressed as the tunnel end information.
In addition, in the common VPN system shown in Fig. 1, each virtual router can set only one tunnel between a particular terminal and itself.
For example, as shown in Fig. 1, the terminal 10 forms a first tunnel T1 with the first virtual router and a second tunnel T2 with the second virtual router; here, the virtual router side end of each tunnel is the tunnel end, and the tunnel end is identified by the tunnel end information defined by the IP address and port number of the respective virtual router.
The following description takes the case in which the terminal 10 carries out VPN communication with the first server 30 as an example.
First, in the existing VPN system, only one tunnel (T1) 40 defined by one tunnel end is formed between the terminal 10 and the first virtual router VR1.
The terminal generates an extended packet 52 including the CoA and sends it to the respective virtual router 22 using tunnel T1, and the virtual router sends the fundamental packet 54 with the CoA removed to the corresponding server.
Here, as shown in Fig. 2A, the HoA or inner header of the transmitted packet includes: the protocol (Protocol), the source address (Source Address) and source port number (Source Port No.) which are the IP address and port number of the terminal, and the destination address (Dest. Addr.) and destination port number (Dest. Port No.) which are the IP address and port number of the first server; the CoA or extension header includes: the protocol (Protocol), the source address (Source Address) and source port number (Source Port No.) which are the IP address and port number of the terminal, and the destination address (Dest. Addr.) and destination port number (Dest. Port No.) which are the IP address and port number of the first virtual router VR1.
Here, the tunnel end on the virtual router side of the first tunnel can be defined by VR1 (IP, PortNo), the IP address and port number of the first virtual router.
In the common VPN system shown in Fig. 1, a virtual router can constitute only one tunnel end defined by one public IP address and one port (Port); as a result, only one tunnel can be formed between a particular terminal and a virtual router.
Therefore, even with a VPN system, the data exchanged between a particular terminal and a server passes through a certain single tunnel end, and hence is vulnerable to hacking (hacking).
That is, in the VPN system shown in Fig. 1, once a tunnel is formed between a terminal and a server, the same destination address (Dest. Address), port number (Port No.) and so on providing the tunnel end are used all the time without change; therefore, even when a CoA is used, since the address of the tunnel end remains constant, it is easily stolen by a hacker.
Fig. 3 shows an example of a communication network of the common network address translation (Network Address Translation; NAT) mode.
A NAT system denotes an address translation system for a communication network that converts private IP addresses to public IP addresses.
Such a NAT communication system includes: an external terminal 60, a public network 62 such as the Internet, an address translator 70 and multiple counterpart terminals (Terminal) 80 connected with the address translator.
The external terminal 60 generates and transmits the fundamental packet shown in Fig. 2A using the public IP address of the counterpart terminal to be reached or of the address translator.
The address translator 70 is a device with the function of converting the public IP address included as the destination address (Dest. Addr.) in the inner header or HoA of the fundamental packet into the private IP address or dynamic IP address allocated to the corresponding counterpart terminal, and transferring the packet to that counterpart terminal; it may be stated by other terms such as sharing device.
Using such a NAT communication system has the following advantages: by converting a limited number of public IPs into multiple internal private IPs, public IPs can be saved; by using internal private IPs, security against external intrusion is improved, and the counterpart terminals connected to the equipment are easily managed.
But in such a NAT system, because the counterpart terminal itself has no public IP address, the counterpart terminal cannot be an independent public communication entity.
That is, the counterpart terminal is only connected with the address translator and obtains the allocation of a private IP address under the control of the address translator, rather than each counterpart terminal obtaining a public IP address; therefore, in the public communication network, each counterpart terminal cannot itself be identified as an independent communication node by an outside communication agent, and each counterpart terminal must be used connected with the address translator.
Therefore, in a NAT system the terminals linked with the address translator are limited to client terminals such as personal PCs and mobile terminals, and a server unit cannot be realized through a NAT system.
On the other hand, embodiments of the present invention aim to provide a system that solves the disadvantages of the common VPN system shown in Fig. 1 or the NAT system shown in Fig. 3: multiple tunnel ends can be defined in a single virtual router, a dynamic tunnel end table is generated as dynamic information for dynamically changing the tunnel end and stored in the virtual router and the terminal, and tunnel end information contained in the dynamic tunnel end table is extracted according to a certain rule to perform tunnel setup (tunneling).
Using such an invention has the following advantages: the tunnel for VPN communication between a particular terminal and a particular virtual router changes dynamically, so the danger of external intrusions such as hacking or packet leakage can be reduced; at the same time, since the virtual router and the counterpart terminal linked with it use public IP addresses, it can also be applied in a server-client system.
Fig. 4 shows the overall structure of the vpn system of one embodiment of the invention.
As shown in figure 4, the vpn system of the present invention may include:Terminal 100;Gateway 200, includes and passes through tunnel (tunneling) the more than one virtual router (VR being connected with terminal;210);Server 410 or server zone 400, It is connected with virtual router;And manager devices 300, be connected with terminal and virtual router, for control terminal and Tunnel building between virtual router.
The terminal 100 used in the present invention can be the communication such as common mobile communication terminal, PC, server computer Component, the agency of the software as the VPN traffic function for performing the present invention is installed in terminal.
Terminal agent has the tunnel end table information for receiving from manager devices and being generated by each virtual router, and is deposited The function of the dynamic tunnel client database (DB) 110 of terminal inner is stored in, according to what is received or itself have from manager devices Rule Information, after the multiple tunnel client informations included from the table of tunnel end select one, according to selected tunnel end and accordingly Virtual router sets the function in tunnel etc..
The gateway 200 of the present invention represents the communication node for including more than one virtual router 210, and it can be by local Other terms statement such as gateway, shared device.
The virtual router (VR) 210 included in gateway is the communication section between terminal and server (group) respectively Point, it represents with terminal to be connected by tunnel and is the device that the VPN traffic between terminal and server (group) is relayed.
MPLS L3VPN technologies based on LINUX can be utilized in router or Ethernet switch and taken to provide IPVPN The communication protocol software be engaged in and used builds VPN traffic system.Such L3VPN technologies are based on internet engineering task group The standard of IETF defineds can provide multi protocol label in IP network environment and exchange (MPLS) VPN (VPN) service.
In addition, according to the present invention, a virtual router includes multiple public ip addresses and multiple port numbers, using more The public ip address selected in individual public ip address and a port number selected in multiple port numbers to set with terminal Vpn tunneling.
That is, with there is a public ip address and a port number and only can between terminal and oneself shown in Fig. 1 Set tunnel end common virtual router except that, the virtual router of the present embodiment each has multiple public affairs IP address and multiple port numbers altogether, multiple tunnels can be set with terminal using the public ip address and port number combinations therefrom selected Road end.
Now, the public ip address selected in multiple public ip addresses and a port selected in multiple port numbers Number it can be defined as tunnel end or tunnel client information.
Also, tunnel end forms one in the attribute (Attribute) in the tunnel formed between virtual router and terminal It is individual, in the case of being changed at tunnel end, it can also keep that the tunnel between respective virtual router and terminal is identical, and change is only Only it is the attribute in corresponding tunnel.
For example, when the first virtual router VR1 has i (i altogether>1) public IP and altogether j (a j>1) port Number when, tunnel client information that the first virtual router can generate is i*j altogether.
That is, the first virtual router can set i*j in a tunnel including the network of terminal and between oneself Tunnel end.
For example, tunnel client information TE (IP 1, port numbers 2) is by as the first virtual router and the tunnel of terminal setting One of attribute.
Also, virtual router 210 each includes dynamic tunnel client database (DB) 220, it is stored from manager devices The tunnel end table information of reception.
That is, multiple tunnel ends can be set in virtual router 210 of the invention, and the tunnel end is by from more than two public IP A public ip address being selected in address and more than two port numbers and a port number define, and perform from outside Manager devices receive the work(for including the tunnel end table of the settable multiple tunnel client informations of virtual router and being stored Energy.
Also, virtual router 210 has based on the tunnel end table received from manager devices, at regular intervals dynamically The tunnel end in the tunnel being connected with terminal is changed, so as to change the function of the attribute in the tunnel formed between terminal.
In this manual, table information in tunnel end represents to generate by each virtual router, and expression can be by respective virtual road The set for the multiple tunnel client informations being configured by device.
In the case where the public ip address and port numbers that respective virtual router has are respectively i and j, quilt can be used It is defined as tunnel client information composition table (table) form of i*j and is used as tunnel end table information.
Virtual router 210 can select the multiple tunnel client informations included in the tunnel end table received at regular intervals In one after, change the tunnel attribute between terminal to be coincide with selected tunnel client information.
Also, virtual router 210 can also have the function that Rule Information is received from manager devices, the Rule Information is used One in the multiple tunnel client informations for selecting to include in the table of tunnel end, now, can be according to the Rule Information of reception, by certain It is spaced one be dynamically selected in the multiple tunnel client informations included in the table of tunnel end and changes tunnel attribute.
Now, the rule (Rule) of the change for tunnel client information and tunnel change is using sequential mode (first Rule), random fashion (Second Rule), hybrid mode (three sigma rule and the 4th rule) etc. perform, this will be entered below Row more detailed description.
Certainly, the Rule Information of the change for tunnel client information and tunnel change not necessarily connects from manager devices Receive.
In addition, it can be entered according to the tunnel change between the virtual router of the present invention and terminal in transmission packet every time OK, or when meeting preassigned data pack receiving and transmitting number carry out, or carried out by some cycles.
Taking Fig. 4 as an example, when the first rule (the sequential scheme) is used, at the transmission of the first packet, or for a certain number of packets or a certain time, the packet is transmitted through the tunnel set up between the terminal and the first virtual router with the first tunnel attributes, according to the first tunnel end information contained in the tunnel end table (for example, defined as the first public IP address and the first port number). At the transmission of the second packet, or during the next number of packets or the next period, the packet is transmitted through the tunnel set up between the terminal and the first virtual router with the second tunnel attributes, according to the second tunnel end information, i.e. the next tunnel end information (for example, defined as the first public IP address and the second port number).
As shown in Fig. 2A, the packet the terminal transmits to the virtual router is an extended packet that, in addition to the payload and the HoA, also contains an outer header or CoA, where the outer header or CoA contains the IP address (Dest. Addr.) and port number (Port No) of the virtual router defined by the selected tunnel end information.
As shown in Fig. 2B, the inner header or HoA of the basic packet contains: the protocol (Protocol), the source address (Source Address) and source port number (Source Port No.) of the terminal, and the destination address (Dest. Addr.) and destination port number (Dest. Port No.) of the server that is to receive the packet.
That is, after the terminal extracts a specific tunnel end information entry from the stored tunnel end table according to the rule information, the public IP address and port number of the virtual router contained in the selected tunnel end information are set as the destination address (Dest. Addr.) and destination port number (Dest. Port No.) of the CoA, respectively.
The outer header or CoA generated in this way is added outside the basic packet header HoA to generate the extended packet, which is then sent to the virtual router through the tunnel.
In this embodiment, the protocol contained in the HoA and the CoA may be UDP (User Datagram Protocol), but the present invention is not limited thereto.
The virtual router 210 receives the extended packet through the tunnel set up with the tunnel end selected by the same rule as the terminal, removes the CoA, and sends the basic packet to the server that is its destination.
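As an added illustration (not code from the patent), the following Python builds the extended packet of Fig. 2A/2B on the terminal side and unwraps it at the virtual router; the byte layouts of the HoA and CoA, the addresses and the port numbers are assumptions, since the patent names the fields but not their encoding.

```python
import struct
from ipaddress import IPv4Address

UDP = 17  # protocol number carried in the HoA/CoA; the patent's embodiment uses UDP

# Assumed wire layouts (the patent lists the fields, not their encoding):
# HoA (inner header, Fig. 2B): Protocol | Source Address | Source Port No. | Dest. Addr. | Dest. Port No.
HOA_FMT = "!B4sH4sH"
HOA_LEN = struct.calcsize(HOA_FMT)          # 13 bytes
# CoA (outer header, Fig. 2A): Dest. Addr. | Port No of the selected tunnel end of the virtual router
COA_FMT = "!4sH"
COA_LEN = struct.calcsize(COA_FMT)          # 6 bytes


def build_hoa(src_ip, src_port, dst_ip, dst_port, protocol=UDP):
    """Basic packet header: the terminal (source) and the server that must receive the packet."""
    return struct.pack(HOA_FMT, protocol, IPv4Address(src_ip).packed, src_port,
                       IPv4Address(dst_ip).packed, dst_port)


def build_extended_packet(tunnel_end, hoa, payload):
    """Terminal side: prepend a CoA addressed to the tunnel end (IP, port) chosen by the rule."""
    vr_ip, vr_port = tunnel_end
    coa = struct.pack(COA_FMT, IPv4Address(vr_ip).packed, vr_port)
    return coa + hoa + payload


def unwrap_at_virtual_router(extended, expected_tunnel_end):
    """Virtual router side: accept the packet only if its CoA names the tunnel end this side
    selected with the shared rule, strip the CoA and return the basic packet's header and payload."""
    if len(extended) < COA_LEN + HOA_LEN:
        raise ValueError("truncated extended packet")
    raw_ip, port = struct.unpack(COA_FMT, extended[:COA_LEN])
    coa_end = (str(IPv4Address(raw_ip)), port)
    if coa_end != tuple(expected_tunnel_end):
        # The sender used a tunnel end this side did not select: do not forward it.
        raise ValueError(f"tunnel end mismatch: got {coa_end}, expected {expected_tunnel_end}")
    basic = extended[COA_LEN:]
    proto, s_ip, s_port, d_ip, d_port = struct.unpack(HOA_FMT, basic[:HOA_LEN])
    hoa = {
        "protocol": proto,
        "src": (str(IPv4Address(s_ip)), s_port),
        "dst": (str(IPv4Address(d_ip)), d_port),   # the server the basic packet is forwarded to
    }
    return hoa, basic[HOA_LEN:]


if __name__ == "__main__":
    # Constructed sample: terminal 10.0.0.5 talks to server 203.0.113.10:443 through the
    # tunnel end (198.51.100.1, 5001) of the virtual router.
    hoa = build_hoa("10.0.0.5", 40000, "203.0.113.10", 443)
    ext = build_extended_packet(("198.51.100.1", 5001), hoa, b"hello")
    print(unwrap_at_virtual_router(ext, ("198.51.100.1", 5001)))
```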
In addition, each virtual router 210 requests the manager device, at regular intervals, to update the tunnel end table information, based on the number of packets received from the corresponding terminal through the established tunnel, the amount of packet data received, or the time elapsed since the tunnel was set up.
More specifically, when the number of packets received from the terminal reaches a critical number or more, or the duration since the tunnel was set up exceeds a critical time, the virtual router 210 can generate a tunnel end table update request signal, send it to the manager device, and receive and store a new tunnel end table from the manager device.
Subsequent tunnel setup with the terminal is performed on the basis of the updated tunnel end table and the rule information.
The manager device 300 used in the present invention is connected to the terminal and the virtual router and controls them. The manager device 300 performs the function of generating the tunnel end table containing the multiple tunnel end information entries that the virtual router can configure, and of transmitting it to the terminal and the virtual router.
In addition to generating and transmitting the tunnel end table information, the manager device 300 may also have a terminal authentication function and a device registration function for gateways or virtual routers; these are described in more detail below with reference to Fig. 6.
More specifically, on the device registration of a virtual router or of the gateway containing it, the manager device 300 generates for each virtual router a tunnel end table, i.e. a catalogue of the multiple tunnel end information entries that can be set on that virtual router, and then transmits it to the terminal and the corresponding virtual router.
Also, when a tunnel end table update request is received from the terminal or the virtual router, or when a preset tunnel end table update condition is met, the manager device 300 can generate a new tunnel end table for each virtual router and transmit it to the terminal and the virtual router.
The manager device 300 may also have the function of generating rule information and transmitting it to the terminal and the virtual router. The rule information describes the rule (Rule) for dynamically selecting one of the multiple tunnel end information entries contained in the tunnel end table.
According to the rule specified in such rule information, the terminal and the virtual router can select a tunnel end from the multiple tunnel ends contained in the pre-stored tunnel end table of the virtual router, and change the attributes of the tunnel between the terminal and the virtual router on the basis of the selected tunnel end.
Of course, the rule for selecting one of the multiple tunnel end information entries contained in the tunnel end table can be determined in advance so that the terminal and the virtual router can apply it. In that case the rule information need not be received from the manager device, and the tunnel end information selection for the tunnel change is performed according to the preset rule.
The rule for selecting one of the multiple tunnel end information entries contained in the tunnel end table is described below.
The scheme for selecting one of the multiple tunnel end information entries contained in the tunnel end table can be a sequential scheme (first rule), a random scheme (second rule), a hybrid scheme (third and fourth rules) or the like, but the present invention is not limited thereto.
First, the first rule, the sequential scheme, selects and applies the multiple tunnel end information entries contained in the tunnel end table in turn, in forward or reverse order.
For example, where the tunnel end table contains i*j tunnel ends in total, from (IP_1, PortNo_1) to (IP_i, PortNo_j), the transmission of the first packet, or of the first n packets, or of the packets of the first period, uses the tunnel formed with the first tunnel attributes defined by (IP_1, PortNo_1), the first tunnel end of the table; the transmission of the second packet, or of packets n to 2n, or of the packets of the second period, uses the tunnel with the second tunnel attributes defined by (IP_1, PortNo_2), the second tunnel end of the table.
According to the first rule of this sequential scheme, the tunnel end table is referenced only once at the start of data transmission and reception, so its overhead is small; but if the tunnel end table is compromised, its security may be weaker.
Second, the second rule, the random scheme, selects and applies one of the multiple tunnel end information entries contained in the tunnel end table at random.
When the second rule is applied, the rule information can include table version information (Table Version) representing the version of the tunnel end table, the virtual router number (VR No) as the identifier of the virtual router, next tunnel end selection information (n {IP, PortNo}) representing the tunnel end information to be selected next, and so on.
Such rule information can be generated by the manager device 300 and transmitted to the terminal and the virtual router so that both nodes apply the identical rule; alternatively, the sender of a packet can transmit the rule information by including it in the packet header or the like, and the receiver then selects the tunnel end information according to that rule information.
That is, because the terminal and the virtual router receive and store the identical tunnel end table from the manager device, by using the rule information transmitted by the manager device or by the sender, the terminal and the virtual router can select and apply the identical tunnel end with the identical rule.
According to the second rule of this random scheme, even if the tunnel end table is compromised the rule cannot be known, so security can be maintained; but the tunnel end table must be referenced on every data transmission and reception, so the overhead may increase somewhat.
Third, the third rule, a hybrid scheme, first applies the sequential scheme on one public IP address and then moves to other tunnel ends of the tunnel end table according to a certain skip parameter and selects them.
When the third rule is applied, the rule information can include table version information (Table Version) representing the version of the tunnel end table, the virtual router number (VR No) as the identifier of the virtual router, the public IP address information (IP) in use, tunnel end skip information (n {skip point or skip count}) representing the tunnel end information to be selected next, and so on.
For example, where the tunnel end table contains i*j tunnel ends in total, from (IP_1, PortNo_1) to (IP_i, PortNo_j), and the rule information based on the third rule contains the public IP address IP=1 and the tunnel end skip information n {skip point or skip count} = 2 {3}, the first two (n=2) tunnel ends (IP_1, PortNo_1) and (IP_1, PortNo_2) are selected in turn, then three positions are skipped (skip count (number of hops) = 3) and the tunnel end defined by (IP_1, PortNo_5) is selected and used.
According to the fourth rule, another hybrid scheme, the sequential scheme is applied first up to a certain number, after which other tunnel ends of the tunnel end table are moved to and selected using a certain skip parameter.
When the fourth rule is applied, the rule information can include table version information (Table Version) representing the version of the tunnel end table, the virtual router number (VR No) as the identifier of the virtual router, tunnel end skip information (n {IP, skip point or skip count}) representing the tunnel end information to be selected next, and so on.
For example, where the rule information based on the fourth rule contains the tunnel end skip information n {IP, skip point or skip count} = 2 {2, 3}, the first two (n=2) tunnel ends (IP_1, PortNo_1) and (IP_1, PortNo_2) are selected in turn, and then the tunnel end defined by IP_2 as the second public IP address and the skip point (jump) = 3 counted from it, namely (IP_2, PortNo_3), is selected and used.
Using the third and fourth rules of the hybrid scheme can make up for the shortcomings of the sequential scheme and of the random scheme.
That is, the tunnel end table need not be referenced every time but only when the tunnel end skip condition is met, which reduces the overhead, while the tunnel end skip condition compensates for the weaker security of the sequential scheme.
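The four selection rules above, as an added Python example (not the patent's own code): the table is built as the i*j list (IP_1, PortNo_1) ... (IP_i, PortNo_j), and the third and fourth rules reproduce the worked values n=2, skip 3 given above. How the sequence continues after the first jump, and the wraparound at the end of a row or of the table, are assumptions that go beyond what the text specifies.

```python
from dataclasses import dataclass
from itertools import product
import random


@dataclass(frozen=True)
class TunnelEnd:
    ip: str     # public IP address of the virtual router (symbolic IP_1 ... IP_i here)
    port: int   # port number (PortNo_1 ... PortNo_j)


def build_tunnel_end_table(public_ips, ports):
    """The i*j table in the order (IP_1, PortNo_1), (IP_1, PortNo_2), ..., (IP_i, PortNo_j)."""
    return [TunnelEnd(ip, p) for ip, p in product(public_ips, ports)]


def sequential_rule(table, count, reverse=False):
    """First rule: take the entries in turn, forward or reverse, wrapping around (assumption)."""
    order = table[::-1] if reverse else table
    return [order[k % len(order)] for k in range(count)]


def random_rule(table, rng):
    """Second rule, sender side: one entry chosen at random. The chosen entry has to reach the
    peer as the next tunnel end selection information n {IP, PortNo}, see lookup_selection_info."""
    return rng.choice(table)


def lookup_selection_info(table, ip, port):
    """Second rule, receiver side: resolve the n {IP, PortNo} carried in the rule information."""
    te = TunnelEnd(ip, port)
    if te not in table:
        raise ValueError("selection information names a tunnel end outside the table")
    return te


def hybrid_rule3(table, ip, n, skip_count, count):
    """Third rule: stay on one public IP, take n ports in turn, then skip `skip_count` positions
    from the last one taken, and repeat. The repeat and the wrap modulo j are assumptions."""
    row = [te for te in table if te.ip == ip]          # the j entries of this public IP
    if not row:
        raise ValueError(f"{ip} is not in the table")
    out, pos = [], 0
    while len(out) < count:
        for _ in range(n):
            out.append(row[pos % len(row)])
            pos += 1
            if len(out) == count:
                return out
        pos += skip_count - 1                          # jump counted from the last pick
    return out


def hybrid_rule4(table, n, jump_ip, skip_point, count):
    """Fourth rule: take the first n entries in turn (IP and port both advancing), then jump to
    (jump_ip, PortNo_skip_point). Continuing in table order after the jump is an assumption."""
    out = sequential_rule(table, min(n, count))
    if len(out) >= count:
        return out
    row = [te for te in table if te.ip == jump_ip]
    if not row or not 1 <= skip_point <= len(row):
        raise ValueError("jump target outside the table")
    start = table.index(row[skip_point - 1])           # skip point is 1-based within the IP's row
    for k in range(count - len(out)):
        out.append(table[(start + k) % len(table)])
    return out


if __name__ == "__main__":
    # Constructed 3*6 table with the patent's symbolic names.
    t = build_tunnel_end_table(["IP_1", "IP_2", "IP_3"], [1, 2, 3, 4, 5, 6])
    print("rule 1:", sequential_rule(t, 3))
    print("rule 2:", random_rule(t, random.Random(7)))
    print("rule 3:", hybrid_rule3(t, "IP_1", 2, 3, 3))   # (IP_1,1), (IP_1,2), (IP_1,5)
    print("rule 4:", hybrid_rule4(t, 2, "IP_2", 3, 3))   # (IP_1,1), (IP_1,2), (IP_2,3)
```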
Such a tunnel end selection rule can be changed by the manager device according to a specific policy at a certain period, and the changed rule information must be transmitted to the terminal and the virtual router.
In that case, to cope with the situation where the rule information is not synchronized and changed on the sending and receiving sides at the same time, the previous rule version can be accepted for a certain time after the rule information changes.
For example, in the state where the rule information has changed, if the sender transmits data using a tunnel end selected on the basis of the changed rule while the receiver is still using the rule of the previous version, then during the certain time after the rule change the receiver can be made to apply the rule of the previous version.
Of course, in that case, if the rule of the counterpart has still not changed after that period of time, the data from that counterpart can be rejected.
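An added receiver-side model (not the patent's code) covering two behaviours described above: the virtual router's table update condition (a critical packet count or a critical time since tunnel setup) and the grace period during which a tunnel end chosen under the previous rule version is still accepted. The thresholds, the version numbers and the (IP, port) tuples are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TunnelEnd = Tuple[str, int]   # (public IP address, port number)


@dataclass
class TunnelReceiver:
    """Receiving side (terminal or virtual router) of one tunnel. A packet is matched by the
    tunnel end named in its CoA against the tunnel end this side selected with the shared rule."""
    expected_current: TunnelEnd          # selected under the current rule version
    current_version: int
    critical_count: int                  # packet count that triggers a table update request
    critical_seconds: float              # time since tunnel setup that triggers a table update request
    grace_seconds: float                 # how long the previous rule version is still accepted
    tunnel_set_at: float = 0.0
    expected_previous: Optional[TunnelEnd] = None
    previous_version: Optional[int] = None
    rule_changed_at: float = 0.0
    received: int = 0

    def change_rule(self, new_version, new_expected, now):
        """Rule information changed by the manager device: keep the old selection as a fallback."""
        self.previous_version, self.expected_previous = self.current_version, self.expected_current
        self.current_version, self.expected_current = new_version, new_expected
        self.rule_changed_at = now

    def on_packet(self, coa_tunnel_end, now):
        """Return (verdict, request_table_update) for a packet whose CoA names coa_tunnel_end."""
        if coa_tunnel_end == self.expected_current:
            verdict = "accept"
        elif (self.expected_previous is not None
              and coa_tunnel_end == self.expected_previous
              and now - self.rule_changed_at <= self.grace_seconds):
            verdict = "accept_previous_rule"   # peer has not switched yet, still inside the grace time
        else:
            return "reject", False             # unknown tunnel end, or previous rule past the grace time
        self.received += 1
        need_update = (self.received >= self.critical_count
                       or now - self.tunnel_set_at > self.critical_seconds)
        return verdict, need_update

    def on_new_table(self, new_expected, now):
        """A new tunnel end table was stored: restart the counters and drop the old fallback."""
        self.expected_current, self.expected_previous = new_expected, None
        self.previous_version = None
        self.received, self.tunnel_set_at = 0, now


if __name__ == "__main__":
    r = TunnelReceiver(("IP_1", 1), 1, critical_count=3, critical_seconds=100.0, grace_seconds=10.0)
    print(r.on_packet(("IP_1", 1), now=1.0))    # ('accept', False)
    r.change_rule(2, ("IP_1", 5), now=2.0)
    print(r.on_packet(("IP_1", 1), now=5.0))    # old rule inside grace: accepted
    print(r.on_packet(("IP_1", 1), now=20.0))   # old rule after grace: rejected
```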
As described above, according to an embodiment of the present invention, a single virtual router can set multiple tunnel ends, the tunnel end table containing multiple tunnel end information entries is provided to the terminal and the virtual router, and a tunnel end is dynamically selected using a predetermined rule to change the tunnel attributes.
Therefore, unlike the common VPN system shown in Fig. 1, the tunnel attributes of each VPN communication change dynamically, which makes external hacking harder and can improve the security of data transmission and reception.
Also, whereas in the existing network address translation (NAT) system the device linked to the shared device is limited to the case of a client terminal having a public IP, according to the present invention the device linked to the virtual router can be a server having a public IP address, so the invention has the advantage of also being applicable to client-server communication.
That is, in the existing NAT system the counterpart terminal linked to the shared device or address translator cannot have a public IP address and therefore cannot be an independent communication agent, whereas in the present invention a server is linked to the virtual router, so VPN communication with improved security can be realized.
Fig. 5 shows the dynamic tunnel end (DTE) setup process in the VPN system of an embodiment of the present invention.
First, the gateway or virtual router performs a device registration process with the manager device (step S510).
Through this device registration process, after the manager device has identified the gateway or virtual router, the basic information for generating the tunnel end table information for the corresponding virtual router is provided.
During such device registration, the gateway provides its own available resource information (number of public IP addresses, etc.) to the manager device, so that the manager device can generate information such as the number of virtual routers to be used on the corresponding gateway (VR information) and the tunnel end table information for each virtual router.
This device registration process is described in detail with reference to Fig. 6.
When device registration is complete, the manager device receives a terminal authentication request from the terminal and authenticates the corresponding terminal (step S520).
When terminal authentication and the device registration process of the gateway (virtual router) are complete, the manager device generates the VR (DTE Table) as the tunnel end table information, containing the multiple tunnel end information entries that can be set between the terminal and the corresponding virtual router (step S530).
Of course, the rule information for selecting one of the multiple tunnel end information entries contained in the tunnel end table can be generated together in this process.
Then the manager device transmits the tunnel end table information VR (DTE Table) generated for each virtual router to the authenticated terminal and to the corresponding virtual router (gateway), respectively, and the terminal and the virtual router store the received tunnel end table information VR (DTE Table) in the tunnel end DB (steps S535, S540).
Then, on the basis of the set rule and the tunnel end table, the terminal and the virtual router change the tunnel attributes using a tunnel end reselected at regular intervals, and perform VPN-based data transmission and reception through the tunnel defined by the changed tunnel end (step S550).
Then the virtual router monitors whether the update condition of the tunnel end table is met (step S555) and, if it is, transmits a tunnel end table regeneration request to the manager device (step S560).
Here, the update condition of the tunnel end table can be that the time elapsed while the current tunnel setting is maintained exceeds a critical time, or that the number of packets received using the current tunnel reaches a critical number or more, and so on, but the present invention is not limited thereto.
In response to such a tunnel end table regeneration request from the virtual router, the manager device generates a new tunnel end table and transmits it again to the corresponding terminal and virtual router, updating the existing tunnel end table (steps S575, S580).
Fig. 6 shows the device registration and tunnel end change process performed between the manager device (Manager) and the gateway (virtual router) in the VPN system of an embodiment of the present invention.
As shown in Fig. 6, the gateway that is to use virtual routers transmits to the manager device a device registration request containing its own identification information (G/W ID) and CoA information, i.e. its own public IP address information (step S610).
The manager device stores the corresponding gateway information, generates the virtual router information (VR information) to be used by the corresponding gateway, and transmits it to the gateway (steps S615, S620).
The virtual router information (VR information) can include the number of virtual routers the corresponding gateway can operate, information on the server (group) connected to each virtual router, and so on.
That is, the manager device determines the function of each gateway for routing multiple servers (groups), the number of virtual routers it holds, and so on.
Thus, where there are multiple gateways and servers (groups), the manager device centrally manages the system architecture for VPN communication between them, so changes in the elements making up the system can also be handled effectively.
Then the gateway transmits to the manager device available resource information such as the number of public IP addresses and the number of ports it holds (step S625).
Using the virtual router information (VR information) it generated in step S615 and the available resource information received from the gateway, the manager device generates a tunnel end table for each virtual router (step S630).
Assume that the registered gateway is to be responsible for 2 virtual routers, and that the available resource information transmitted from the gateway gives 6 public IP addresses and j ports. The manager device can then allocate the first virtual router VR1 and the second virtual router VR2 to the corresponding gateway, allocate public IP addresses 1 to 3 to the first virtual router VR1, and allocate public IP addresses 4 to 6 to the second virtual router VR2.
In that case the manager device generates the tunnel end table VR1 (TE Table) and transmits it to the first virtual router VR1 and the terminal, where the tunnel end table VR1 contains, as the tunnel end information for the first virtual router VR1, TE (IP_1, PortNo_1), TE (IP_1, PortNo_2), ..., TE (IP_3, PortNo_j), i.e. 3*j tunnel end information entries in total (step S635).
Of course, while generating the tunnel end table for each virtual router, or before or after it, the rule information for selecting one of the multiple tunnel end information entries contained in the tunnel end table can also be generated and transmitted to the terminal and the virtual router.
Such rule information need not be generated and provided by the manager device; as long as the terminal and the corresponding virtual router can recognize the identical rule information, it can also be generated and provided by another device, or be pre-stored in the terminal and the virtual router.
The virtual router that receives the tunnel end table information stores the tunnel end table information and/or the rule information in the tunnel end DB (step S640).
Since the identical tunnel end table and/or rule information for each virtual router is also provided to the terminal, the virtual router forms a tunnel with the tunnel end selected from the tunnel end table according to the rule information, and then carries out data transmission and reception (step S645).
Of course, because the tunnel end information selected to set up the tunnel changes dynamically at regular intervals, data transmission and reception between a specific terminal and virtual router is also carried out through the tunnel defined by the tunnel end changed at regular intervals.
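A manager-side model of the Fig. 6 registration and table generation, added here and not the patent's code: it reproduces the split of 6 public IP addresses over VR1 (IP 1 to 3) and VR2 (IP 4 to 6) and the resulting 3*j tables, with the gateway identifiers, the port numbering and the way a regenerated table differs from the old one (re-drawn port numbers) as assumptions.

```python
from dataclasses import dataclass, field
from itertools import product
import random


@dataclass(frozen=True)
class TunnelEnd:
    ip: str
    port: int


@dataclass
class Gateway:
    gw_id: str                                        # G/W ID from the registration request
    coa_ip: str                                       # the gateway's own public IP (CoA information)
    public_ips: list = field(default_factory=list)    # available resource information (S625)
    port_count: int = 0                               # j


class ManagerDevice:
    """Manager side of Fig. 6 (constructed for this example)."""

    def __init__(self, vr_per_gateway):
        self.gateways = {}        # G/W ID -> Gateway
        self.vr_info = {}         # G/W ID -> VR numbers operated by that gateway (VR information)
        self.dte_db = {}          # VR No -> (table version, [TunnelEnd, ...]), the DTE DB
        self.vr_per_gateway = vr_per_gateway
        self._next_vr_no = 1

    def register_device(self, gw_id, coa_ip):
        """S610 to S620: store the gateway and answer with its VR information."""
        self.gateways[gw_id] = Gateway(gw_id, coa_ip)
        vrs = list(range(self._next_vr_no, self._next_vr_no + self.vr_per_gateway))
        self._next_vr_no += self.vr_per_gateway
        self.vr_info[gw_id] = vrs
        return {"G/W ID": gw_id, "VR No": vrs}

    def receive_resources(self, gw_id, public_ips, port_count):
        """S625: the gateway reports the public IP addresses and number of ports it holds."""
        gw = self.gateways[gw_id]
        gw.public_ips, gw.port_count = list(public_ips), port_count

    def generate_tables(self, gw_id):
        """S630/S635: split the gateway's public IPs evenly over its virtual routers and build
        each VR's i*j tunnel end table as version 1."""
        gw, vrs = self.gateways[gw_id], self.vr_info[gw_id]
        if not gw.public_ips or len(gw.public_ips) % len(vrs):
            raise ValueError("public IPs must divide evenly over the gateway's virtual routers")
        per_vr = len(gw.public_ips) // len(vrs)
        ports = range(1, gw.port_count + 1)             # PortNo_1 .. PortNo_j (constructed numbering)
        tables = {}
        for k, vr_no in enumerate(vrs):
            ips = gw.public_ips[k * per_vr:(k + 1) * per_vr]
            table = [TunnelEnd(ip, p) for ip, p in product(ips, ports)]
            self.dte_db[vr_no] = (1, table)
            tables[vr_no] = (1, table)
        return tables                                   # each sent to the terminal and to its VR

    def regenerate_table(self, vr_no, rng):
        """S560 to S580: on an update request, issue a new table version for one VR. The page does
        not say how the new table differs; here the j port numbers are re-drawn (assumption)."""
        version, table = self.dte_db[vr_no]
        ips = list(dict.fromkeys(te.ip for te in table))    # the VR's IPs, in table order
        j = len(table) // len(ips)
        new_ports = rng.sample(range(10000, 60000), j)      # constructed port range
        new_table = [TunnelEnd(ip, p) for ip, p in product(ips, new_ports)]
        self.dte_db[vr_no] = (version + 1, new_table)
        return version + 1, new_table


if __name__ == "__main__":
    m = ManagerDevice(vr_per_gateway=2)
    print(m.register_device("GW-A", "198.51.100.1"))          # constructed gateway
    m.receive_resources("GW-A", [f"IP_{n}" for n in range(1, 7)], 4)   # 6 public IPs, j = 4
    for vr_no, (ver, tbl) in m.generate_tables("GW-A").items():
        print(vr_no, ver, len(tbl), tbl[0], tbl[-1])
    print(m.regenerate_table(1, random.Random(1))[0])
```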
Fig. 7 shows the detailed structure of the manager device used in the VPN system of an embodiment of the present invention.
The manager device of the present invention may include: a device registration/authentication unit 320; a VR management unit 330, which generates and transmits virtual router information according to a request of the gateway; a DTE table management unit 340, which generates a tunnel end table for each virtual router and transmits it to the terminal and the corresponding virtual router; and a DTE DB 310, which stores the tunnel end tables and the like of all managed virtual routers.
It may also include a DTE table update unit 350, which generates and provides a new tunnel end table at certain intervals according to a request of the virtual router or the terminal, or the like.
On receiving a device registration request from a gateway or an authentication request from a terminal, the device registration/authentication unit 320 stores the information about the gateway and performs the device registration process, and performs the process of authenticating a legitimate terminal using the terminal's ID or the like.
The VR management unit 330 performs the function of generating the virtual router information (VR information) to be used by the gateway requesting device registration and transmitting the generated virtual router information (VR information) to the gateway; the virtual router information (VR information) can include the number of virtual routers the corresponding gateway can operate, information on the server (group) connected to each virtual router, and so on.
As described above, the VR management unit 330 performs the function of configuring and managing the function of each gateway for routing multiple servers (groups), the number of virtual routers it holds, and so on.
The DTE table management unit 340 performs the function of determining, on the basis of the available resource information provided by the gateway, the public IP addresses and the number of ports to be used by each virtual router, generating on that basis the tunnel end table information containing multiple tunnel end information entries for each virtual router, and transmitting it to the terminal and the corresponding virtual router.
In addition to that function, the DTE table management unit 340 can also perform the function of generating the rule information for dynamically selecting one of the multiple tunnel end information entries contained in the tunnel end table and transmitting it to the terminal and the virtual router.
The DTE table management unit 340 also stores the tunnel end table and/or rule information for each virtual router in the DTE DB 310.
When a certain update condition is met, or a table regeneration request is received from the terminal or the virtual router, the DTE table update unit 350 performs the function of generating a new tunnel end table for the corresponding virtual router and transmitting it to the terminal and the corresponding virtual router.
According to the embodiments of the present invention described above, a single virtual router can set multiple tunnels, the tunnel end table containing multiple tunnel end information entries is provided to the terminal and the virtual router, and a tunnel end is dynamically selected on the basis of a predetermined rule to dynamically change the tunnel attributes.
Therefore, because the tunnel attributes of each VPN communication change dynamically, external hacking is harder than with the common VPN system shown in Fig. 1, so the security of data transmission and reception is improved.
Also, whereas in the existing network address translation (NAT) system the device connected to the shared device is limited to a client terminal having a public IP, in the present invention the device connected to the virtual router can be a server having a public IP address, so the invention has the advantage of also being applicable to client-server communication.
The above description and drawings merely illustrate the technical idea of the present invention; those of ordinary skill in the technical field to which the present invention belongs can make various modifications and variations, such as combining, separating, substituting and changing the structure, without departing from the essential characteristics of the present invention. Therefore, the disclosed embodiments are intended to illustrate, not to limit, the technical idea of the present invention, and the scope of the technical idea of the present invention is not limited by such embodiments. The scope of protection of the present invention should be defined by the appended claims, and all technical ideas within the equivalent scope should be understood to fall within the scope of rights of the present invention.

Claims (11)

1. A virtual private network system, comprising:
a virtual router which is connected to a terminal through a tunnel and can set multiple tunnel ends, wherein a tunnel end is defined by one public IP address and one port number selected from two or more public IP addresses and two or more port numbers; and
a manager device which generates a tunnel end table containing multiple tunnel end information entries that the virtual router can set, and transmits the tunnel end table to the terminal and the virtual router,
wherein the virtual router stores the tunnel end table and, on the basis of the tunnel end table, dynamically changes at regular intervals the tunnel end used for the tunnel connected to the terminal, so as to change the attributes of the tunnel.
2. The virtual private network system according to claim 1, wherein
the manager device generates rule information and transmits it to the terminal or the virtual router, the rule information being used to select one of the multiple tunnel end information entries contained in the tunnel end table, and
the virtual router dynamically selects, at regular intervals and according to the rule information, one of the multiple tunnel end information entries contained in the tunnel end table, so as to change the attributes of the tunnel.
3. The virtual private network system according to claim 1, wherein,
when the packet reception count reaches a critical number or more, or the duration after tunnel setup exceeds a critical time, the virtual router generates a tunnel end table update request signal and transmits it to the manager device, and the manager device generates a new tunnel end table and transmits it to the terminal and the virtual router.
4. The virtual private network system according to claim 2, wherein
the rule information includes one or more of first rule information, second rule information, third rule information and fourth rule information, wherein
the first rule information is used to select the multiple tunnel end information entries contained in the tunnel end table in turn;
the second rule information is used to randomly select one of the multiple tunnel end information entries contained in the tunnel end table;
the third rule information is used to select tunnel end information by first changing the port number within one public IP address in turn, and then jumping to another port number at a predetermined position;
the fourth rule information is used to select tunnel end information by first changing the public IP address and the port number in turn, and then jumping to another public IP address and another port number at a predetermined position.
5. A virtual router which is connected to a terminal through a tunnel and performs VPN communication with the terminal, wherein
the virtual router can set multiple tunnel ends, a tunnel end being defined by one public IP address and one port number selected from two or more public IP addresses and two or more port numbers,
the virtual router receives a tunnel end table from an external manager device and stores it, the tunnel end table containing multiple tunnel end information entries that the virtual router can set, and
the virtual router, on the basis of the tunnel end table, dynamically changes at regular intervals the tunnel end used for the tunnel connected to the terminal, so as to change the attributes of the tunnel.
6. The virtual router according to claim 5, wherein
the virtual router also receives rule information from the manager device, the rule information being used to select one of the multiple tunnel end information entries contained in the tunnel end table, and
according to the received rule information, the virtual router dynamically selects at regular intervals one of the multiple tunnel end information entries contained in the tunnel end table, so as to change the attributes of the tunnel.
7. The virtual router according to claim 6, wherein,
when the count of packets received from the terminal reaches a critical number or more, or the duration after the tunnel change exceeds a critical time, the virtual router generates a tunnel end table update request signal and transmits it to the manager device, and receives a new tunnel end table from the manager device and stores it.
8. A manager apparatus, connected to a terminal and to a virtual router and controlling the terminal and the virtual router, wherein:
the virtual router can set a plurality of tunnel ends, each tunnel end being defined by one public IP address selected from two or more public IP addresses and one port number selected from two or more port numbers; and
the manager apparatus generates a tunnel end table and transmits it to the terminal and the virtual router, so that, based on the tunnel end table, the virtual router and the terminal dynamically change at regular intervals the tunnel end that is the attribute of the tunnel connecting the terminal and the virtual router, the tunnel end table including information on the plurality of tunnel ends that the virtual router can set.
9. The manager apparatus according to claim 8, wherein the manager apparatus generates rule information and transmits it to the terminal or the virtual router, the rule information being used to select one of the plurality of tunnel end entries included in the tunnel end table.
10. The manager apparatus according to claim 9, wherein, when the number of data packets transmitted and received through the tunnel reaches a critical number or more, or when the time elapsed since the tunnel was set exceeds a critical time, the manager apparatus generates a new tunnel end table in response to a tunnel end table update request signal received from the virtual router and transmits it to the terminal and the virtual router.
11. The manager apparatus according to claim 9, wherein
the rule information includes one or more of first rule information, second rule information, third rule information and fourth rule information, wherein:
the first rule information is for selecting, in turn, from the plurality of tunnel end entries included in the tunnel end table;
the second rule information is for randomly selecting one of the plurality of tunnel end entries included in the tunnel end table;
the third rule information is for selecting a tunnel end by first changing, in turn, the port number within one public IP address and then jumping to another port number at a predetermined position;
the fourth rule information is for selecting a tunnel end by first changing, in turn, the public IP address and the port number and then jumping to another public IP address and another port number at a predetermined position.
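The following is an added example, not the patent's own code: a small model of the tunnel end table of claim 8, the four selection rules of claim 11 and the update trigger of claim 10. The table layout (Cartesian product of IPs and ports), the shared seed for the random rule and the `jump_every`/`jump_by` parameters for rules 3 and 4 are my assumptions, since the claims leave those details open.

```python
"""Model of dynamic tunnel end selection (claims 8 to 11). Added example, not the
patent's code. Assumed: table = product(public IPs, ports) in that order; the random
rule shares a seed so both peers draw the same entry; rules 3/4 jump `jump_by`
entries every `jump_every` rotations ("predetermined position")."""
import random
from itertools import product

def build_tunnel_end_table(public_ips, port_numbers):
    """Manager side (claim 8): one entry per (public IP, port) the router can set."""
    return [(ip, port) for ip, port in product(public_ips, port_numbers)]

def select_tunnel_end(table, n_ips, n_ports, rule, step, seed=0, jump_every=3, jump_by=2):
    """Terminal and virtual router both evaluate this with the same inputs, so they
    agree on the tunnel end for rotation number `step` without extra signalling."""
    size = len(table)
    if rule == 1:  # first rule: walk the table entries in turn
        return table[step % size]
    if rule == 2:  # second rule: random pick; shared (seed, step) keeps peers in sync
        return table[random.Random(seed * 1_000_003 + step).randrange(size)]
    hop = step + (step // jump_every) * jump_by  # in-turn walk plus jumps taken so far
    if rule == 3:  # third rule: stay on one public IP, change its port in turn, jump at interval
        return table[(seed % n_ips) * n_ports + hop % n_ports]
    if rule == 4:  # fourth rule: change IP and port together, jump both at interval
        return table[(hop % n_ips) * n_ports + hop % n_ports]
    raise ValueError("rule information must be 1, 2, 3 or 4")

def rotation_schedule(table, n_ips, n_ports, rule, steps, **kw):
    """Tunnel ends used over `steps` regular intervals, in order."""
    return [select_tunnel_end(table, n_ips, n_ports, rule, s, **kw) for s in range(steps)]

def table_update_needed(packets_seen, seconds_since_set, critical_packets, critical_time):
    """Claim 10: request a new table when the packet count or tunnel age crosses a bound."""
    return packets_seen >= critical_packets or seconds_since_set > critical_time

if __name__ == "__main__":
    # Constructed sample values: documentation address range, arbitrary UDP ports.
    ips, ports = ["203.0.113.10", "203.0.113.11"], [4000, 4001, 4002, 4003]
    table = build_tunnel_end_table(ips, ports)
    for rule in (1, 2, 3, 4):
        print("rule", rule, rotation_schedule(table, len(ips), len(ports), rule, 6))
    print("update?", table_update_needed(1000, 10, critical_packets=1000, critical_time=600))
```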
CN201610716440.6A 2016-06-10 2016-08-24 The vpn system of dynamic tunnel end mode, virtual router and manager devices for it Pending CN107528778A (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
KR10-2016-0072703 | 2016-06-10 | |
KR1020160072703A (KR101712922B1, en) | 2016-06-10 | 2016-06-10 | Virtual Private Network System of Dynamic Tunnel End Type, Manager Apparatus and Virtual Router for the same

Publications (1)

Publication Number | Publication Date
CN107528778A (en) | 2017-12-29

Family ID: 58404146

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201610716440.6A | The vpn system of dynamic tunnel end mode, virtual router and manager devices for it | 2016-06-10 | 2016-08-24 | Pending, CN107528778A (en)

Country Status (2)

Country | Link
KR (1) | KR101712922B1 (en)
CN (1) | CN107528778A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
KR101947170B1 (en) * | 2017-07-06 | 2019-05-08 | 주식회사 아라드네트웍스 | Method and apparatus for dynamic vpn manegenment

Citations (11)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1503506A (en) * | 2002-11-20 | 2004-06-09 | 日立通讯技术株式会社 | Virtual insertion router
CN1736077A (en) * | 2002-11-27 | 2006-02-15 | 捷讯研究有限公司 | Data transfer from a host server via a tunnel server to a wireless device, and associating a temporary IPV6 address with a temporary IPV4 address for communicating in an IPV4 wireless network with the
CN101040496A (en) * | 2004-10-19 | 2007-09-19 | 日本电气株式会社 | VPN gateway device and hosting system
US20080281978A1 (en) * | 2007-05-10 | 2008-11-13 | Motorola, Inc. | Methods for utilizing multiple tunnels within a communication network
CN101753401A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信科技有限公司 | A method for realizing backup and load of IPSec virtual private network tunnel
KR101206637B1 (en) * | 2008-07-18 | 2012-11-29 | 알까뗄 루슨트 | Establishing pseudowires in packet switching networks
KR101308089B1 (en) * | 2011-12-29 | 2013-09-12 | 주식회사 시큐아이 | Ipsec vpn system and method for supporing high availability
CN102217243B (en) * | 2008-11-17 | 2015-05-20 | 高通股份有限公司 | Method and device for remote access to local network
CN104869118A (en) * | 2015-05-15 | 2015-08-26 | 北京云杉世纪网络科技有限公司 | Method and system for achieving DDoS defense based on technology of dynamic tunnels
US20150263866A1 (en) * | 2014-03-17 | 2015-09-17 | Nec Corporation | Tunnel endpoint device, communication device, communication system, communication method, and program
US20150288658A1 (en) * | 2014-04-07 | 2015-10-08 | Electronics And Telecommunications Research Institute | Access point apparatus for configuring multiple security tunnel, and system having the same and method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhao Ning, "Design and Implementation of Dynamic Multipoint VPN" (动态多点VPN的设计与实现), China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库信息科技辑》) *

Also Published As

Publication number | Publication date
KR101712922B1 (en) | 2017-03-08

Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20171229