CN107528778A - The vpn system of dynamic tunnel end mode, virtual router and manager devices for it - Google Patents
- Publication number: CN107528778A (application CN201610716440.6A)
- Authority: CN (China)
- Prior art keywords: tunnel, virtual router, terminal, tunnel end, rule information
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (CPC)
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L45/00—Routing or path finding of packets in data switching networks
    - H04L45/58—Association of routers
      - H04L45/586—Association of routers of virtual routers
    - H04L45/24—Multipath
  - H04L12/00—Data switching networks
    - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
      - H04L12/46—Interconnection of networks
        - H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
        - H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/16—Threshold monitoring
  - H04L47/00—Traffic control in data switching networks
    - H04L47/10—Flow control; Congestion control
      - H04L47/28—Flow control; Congestion control in relation to timing considerations
        - H04L47/286—Time to live
  - H04L61/00—Network arrangements, protocols or services for addressing or naming
    - H04L61/09—Mapping addresses
      - H04L61/25—Mapping addresses of the same type
        - H04L61/2503—Translation of Internet protocol [IP] addresses
          - H04L61/2592—Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0272—Virtual private networks
Abstract
The present invention relates to a virtual private network (VPN) system using a dynamic tunnel-end scheme, and to a virtual router and a manager device for that system. A single virtual router is allowed to use multiple tunnel ends; a tunnel end table containing the information for those tunnel ends is supplied to the terminal and the virtual router, and a tunnel end is selected dynamically according to a predetermined rule so that the tunnel attributes change dynamically. Because the tunnel attributes of each VPN communication keep changing, external hacking is harder to carry out than against an ordinary VPN system, and the security of data transmission and reception is improved.
Description
Technical field
The present invention relates to virtual private networks (Virtual Private Network; hereinafter "VPN"), and more specifically to a VPN system using a dynamic tunnel-end scheme and to a manager device for it.
Background technology
An ordinary communication system consists of a client terminal, a service-providing server, and the communication network that connects them. To provide a variety of communication services such as finance and home automation, one terminal must connect to several service-providing servers, and to support such multiple connections the communication network must also provide appropriate network separation.
In addition, VPNs are currently used in order to use a public communication network such as the Internet as if it were a dedicated line.
Such a VPN can be realised as follows: an extra gateway or router is placed between the two end devices (End Equipment) being connected, and a tunnel (Tunneling) that provides a specific communication scheme and encryption method is defined between gateways or routers, or between an end device and a gateway.
Here, tunneling means encapsulating a packet of a lower-layer protocol using an upper-layer protocol, and thereby realising communication between two points on the network.
Its characteristic is that, on the network, an ordinary packet cannot be distinguished from an encapsulated one, and only the devices at both ends of the tunnel, which are able to decapsulate it, can extract the original packet.
Because a path invisible to the naked eye is established between two devices on a public network such as the Internet, this is called a "tunnel", and the end of such a tunnel is defined as a tunnel end (Tunnel End).
In an existing VPN system, a virtual router (Virtual Router) defined inside a gateway connected to one or more servers (Server) is used as one independent tunnel end.
Therefore, to communicate between a terminal and a particular server, a tunnel must be formed with the virtual router (VR) linked to that server, and that virtual router becomes the tunnel end.
In this case, the terminal generates a packet whose data structure contains a home address (HoA) defined by the usual five-tuple (Tuples) and, to perform tunnel-based transmission and reception, also adds a care-of address (Care-Of-Address, CoA) as an extra extension header address before sending the packet to the virtual router.
The virtual router removes the CoA and forwards the packet to the corresponding server, completing the transmission.
In such ordinary VPN communication, one or more virtual routers (VR) are defined inside the gateway, and each virtual router can have only one address set as its tunnel end.
That is, a virtual router can constitute only a single tunnel end defined by one public IP address and one port (Port), so only one tunnel, using one address, can be formed between a particular terminal and a virtual router.
Therefore, even with a VPN system, the data exchanged between a particular terminal and server always passes through one fixed tunnel end, which is a weakness with respect to hacking.
That is, in an existing VPN, once a tunnel is formed between terminal and server, the same destination address (Dest. Address), port number (Port No.) and so on that provide the tunnel end are used throughout without change, so even when a CoA is used the address of the tunnel end stays constant and is easily captured by a hacker.
By contrast, the present invention provides a scheme in which a virtual router in the VPN system has multiple tunnel ends, can form multiple tunnels with a particular terminal, and dynamically changes the tunnel end information between the particular terminal and the virtual router.
Summary of the invention
Therefore, an object of embodiments of the present invention is to provide a VPN system in which multiple tunnel ends can be set on a single virtual router.
Another object of the present invention is to provide a VPN system in which multiple tunnels can be set between a single virtual router and a terminal, and the tunnel end of the virtual router connected to a particular terminal can be changed dynamically.
A further object of the present invention is to provide a manager device for such a VPN system, in which the manager device (Manager) generates a dynamic tunnel end table (Dynamic Tunnel End Table; DTE Table) representing the order in which the multiple tunnel ends of each virtual router defined inside the gateway are set, and sends it to the terminal agent and the corresponding gateway, so that the respective virtual router and the terminal agent use the DTE table to set multiple tunnels in a dynamically changeable manner.
To achieve these objects, one embodiment of the invention provides a virtual private network system comprising: a virtual router that is connected to a terminal by a tunnel and on which multiple tunnel ends can be set, each tunnel end being defined by one public IP address selected from two or more public IP addresses and one port number selected from two or more port numbers; and a manager device that generates a tunnel end table containing the multiple tunnel end entries the virtual router can set and transmits the tunnel end table to the terminal and the virtual router, wherein the virtual router stores the tunnel end table and, based on it, dynamically changes the tunnel end of the tunnel connected to the terminal at regular intervals.
According to another embodiment, the present invention provides a virtual router that is connected to a terminal by a tunnel and performs VPN communication with the terminal, wherein multiple tunnel ends can be set on the virtual router, each tunnel end being defined by a public IP address selected from two or more public IP addresses and a port number selected from two or more port numbers; the virtual router receives a tunnel end table from an external manager device and stores it, the tunnel end table containing the multiple tunnel end entries the virtual router can set; and, based on the tunnel end table, the virtual router dynamically changes the tunnel end of the tunnel connected to the terminal at regular intervals.
According to still another embodiment, the present invention provides a manager device that is connected to and controls a terminal and a virtual router, wherein multiple tunnel ends can be set on the virtual router, each tunnel end being defined by a public IP address selected from two or more public IP addresses and a port number selected from two or more port numbers; the manager device generates a tunnel end table and transmits it to the terminal and the virtual router, so that the virtual router and the terminal, based on the tunnel end table, dynamically change at regular intervals the tunnel end of the tunnel connecting the terminal and the virtual router, the tunnel end table containing the multiple tunnel end entries the virtual router can set.
Brief description of the drawings
Fig. 1 shows an example of an ordinary VPN communication network.
Fig. 2 shows an example of the data structure of a packet exchanged between terminal and server in the VPN shown in Fig. 1.
Fig. 3 shows an example of a communication network using ordinary network address translation (Network Address Translation; NAT).
Fig. 4 shows the overall structure of a VPN system according to one embodiment of the present invention.
Fig. 5 shows the dynamic tunnel end (DTE) setup process in a VPN system according to an embodiment of the present invention.
Fig. 6 shows the device registration and tunnel end change process performed between the manager device (Manager) and the gateway (virtual router) in a VPN system according to an embodiment of the present invention.
Fig. 7 shows the detailed structure of the manager device used in a VPN system according to an embodiment of the present invention.
Description of reference numerals
- 100: Terminal (agent)
- 110, 220: DTE table DB
- 200: Gateway
- 210: Virtual router (VR)
- 300: Manager device
- 310: DTE DB
- 330: VR management unit
- 340: DTE table management unit
- 400: Server group
- 410: Server
Embodiment
Hereinafter, some embodiments of the present invention are described in detail with reference to the accompanying drawings. When reference numerals are assigned to the elements of each drawing, identical elements receive the same numeral wherever possible, even if they appear in different drawings. In describing the present invention, detailed descriptions of known structures or functions are omitted where they would obscure the technical idea of the invention.
In describing the elements of the present invention, terms such as first, second, A, B, (a), (b) may be used. Such terms serve only to distinguish one element from another; the nature, sequence, order or number of the corresponding element is not limited by them. Where an element is described as being "connected", "coupled" or "accessed" to another element, the element may be directly connected or accessed to that other element, but other elements may also be "interposed" between the two, or each element may be "connected", "coupled" or "accessed" through other elements.
Fig. 1 shows an example of an ordinary VPN communication network.
Fig. 2 shows an example of the data structure of a packet exchanged between terminal and server in the VPN shown in Fig. 1.
As shown in Fig. 1, an ordinary VPN system includes: a terminal 10; a gateway 20 containing multiple virtual routers 22 (Virtual Router); and multiple servers 30 connected to the gateway.
In such a VPN system, the agent (agent) installed on the terminal 10, in order to transmit a packet to a particular server, adds an inner header (Inner Header) made up of a five-tuple (Tuples) to the payload (Payload), i.e. the data to be transmitted, and so generates a basic packet.
As shown in Fig. 2A, the inner header contains: the protocol (Protocol), the terminal's own source address (Source Address) and source port number (Source Port No.), and the destination address (Dest. Addr.) and destination port number (Dest. Port No.) of the respective server. Such an inner header may be expressed as the home address (Home Address, HoA).
The terminal agent further adds an extension header or outer header (Outer Header) to the basic packet structure to generate an extended packet. The outer header contains: the protocol (Protocol), the terminal's own source address (Source Address) and source port number (Source Port No.), and, as destination address (Dest. Addr.) and destination port number (Dest. Port No.), the address and port number of the destination virtual router 22.
The extension header or outer header may be expressed as the care-of address (Care of Address, CoA).
A tunnel (Tunnel), a private communication path, is formed between the terminal and the virtual router, and the terminal sends the extended packet to the virtual router inside the gateway through this tunnel.
After the respective virtual router removes the CoA from the extended packet, it forwards only the basic packet, consisting of payload and HoA, to the respective server, completing the packet transmission.
In this specification, VPN is the abbreviation of Virtual Private Network and denotes providing a specific communication scheme so that an Internet communication service can be used as a dedicated line.
That is, it is a communication method in which, after a client and a particular server are connected over a general-purpose communication network, the two devices use a preset communication scheme (protocol) to obtain the same effect as private communication.
To realise such a VPN, a VPN program or terminal agent must be installed on the terminal (client) side; while the terminal agent is running, data is processed according to the set protocol and transmitted to the gateway and server side, where it is recognised by the gateway or server.
The communication channel, similar to a dedicated line, that is formed between the terminal and the server side may be expressed as a VPN, and in particular the communication channel formed between the terminal and the virtual router may be expressed as a tunnel. The protocol set for the tunnel between terminal and virtual router may be the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) based on the public network, among others.
In such a VPN system, the entity that realises VPN communication between terminal and server may be defined as the virtual router (VR), and the physical unit containing multiple virtual routers may be defined as the gateway (Gateway; G/W).
That is, as shown in Fig. 1, the gateway 20 contains multiple virtual routers 22, and each virtual router is linked with one or more servers 30 or a server group.
Each virtual router is identified by one public IP address and one port; the public IP address and port number of the virtual router may be expressed as its tunnel end information.
In the ordinary VPN system shown in Fig. 1, each virtual router can set only a single tunnel between a particular terminal and itself.
For example, as shown in Fig. 1, the terminal 10 forms a first tunnel T1 with the first virtual router and a second tunnel T2 with the second virtual router; the virtual-router-side end of each tunnel is the tunnel end, which is identified by the tunnel end information defined by the IP address and port number of the respective virtual router.
The following description takes VPN communication between the terminal 10 and the first server 30 as an example.
First, in the existing VPN system, only one tunnel (T1) 40, defined by a single tunnel end, is formed between the terminal 10 and the first virtual router VR1.
The terminal generates an extended packet 52 containing a CoA and sends it over tunnel T1 to the respective virtual router 22, which then forwards the basic packet 54 with the CoA removed to the corresponding server.
As shown in Fig. 2A, the HoA or inner header of the transmitted packet contains: the protocol (Protocol); the source address (Source Address) and source port number (Source Port No.), i.e. the IP address and port number of the terminal; and the destination address (Dest. Addr.) and destination port number (Dest. Port No.), i.e. the IP address and port number of the first server. The CoA or extension header contains: the protocol (Protocol); the source address (Source Address) and source port number (Source Port No.), i.e. the IP address and port number of the terminal; and the destination address (Dest. Addr.) and destination port number (Dest. Port No.), i.e. the IP address and port number of the first virtual router VR1.
The tunnel end on the virtual router side of the first tunnel can thus be defined by VR1 (IP, PortNo), the IP address and port number of the first virtual router.
In the ordinary VPN system shown in Fig. 1, a virtual router can constitute only a single tunnel end defined by one public IP address and one port (Port), so only one tunnel can be formed between a particular terminal and a virtual router.
Therefore, even with a VPN system, the data exchanged between a particular terminal and server always passes through one fixed tunnel end, which is a weakness with respect to hacking (hacking).
That is, in the VPN system shown in Fig. 1, once a tunnel is formed between terminal and server, the same destination address (Dest. Address), port number (Port No.) and so on that provide the tunnel end are used throughout without change, so even when a CoA is used the address of the tunnel end stays constant and is easily captured by a hacker.
Fig. 3 shows an example of a communication network using ordinary network address translation (Network Address Translation; NAT).
A NAT system denotes an address translation system for a communication network that converts private IP addresses to public IP addresses.
Such a NAT communication system includes: an external terminal 60; a public network 62 such as the Internet; an address translator 70; and multiple counterpart terminals (Terminal) 80 connected to the address translator.
The external terminal 60 generates and transmits a basic packet as shown in Fig. 2A, using the public IP address of the counterpart terminal or address translator it wants to reach.
The address translator 70 is a device that converts the public IP address contained as destination address (Dest. Addr.) in the inner header or HoA of the basic packet into the private IP address or dynamic IP address assigned to the corresponding counterpart terminal and forwards the packet to that counterpart terminal; it may also be called a sharing device or similar.
Such a NAT communication system has the following advantages: public IPs are saved by converting one limited public IP into multiple internal private IPs; using internal private IPs improves security against external intrusion; and the counterpart terminals connected to the equipment are easy to manage.
However, in such a NAT system a counterpart terminal has no public IP address of its own and therefore cannot act as an independent public communication entity.
That is, a counterpart terminal is merely connected to the address translator and is assigned a private IP address under the control of the address translator, rather than each counterpart terminal being assigned a public IP address; on the public communication network, outside communication entities therefore cannot identify each counterpart terminal as an independent communication node, and each counterpart terminal must be used in conjunction with the address translator.
Therefore, in a NAT system the terminals linked with the address translator are limited to client terminals such as personal PCs and mobile terminals, and a server unit cannot be realised through the NAT system.
By contrast, embodiments of the present invention aim to provide a system that overcomes the shortcomings of the ordinary VPN system shown in Fig. 1 and the NAT system shown in Fig. 3: multiple tunnel ends can be defined on a single virtual router; a dynamic tunnel end table holding the dynamic information used to change the tunnel end is generated and stored in the virtual router and the terminal; and tunnel end information is extracted from the dynamic tunnel end table according to a certain rule in order to perform tunnel setup (tunneling).
The present invention has the following advantages: the tunnel used for VPN communication between a particular terminal and a particular virtual router changes dynamically, so the risk of external intrusion such as hacking or packet leakage is reduced; and, because the virtual router and the counterpart terminals linked with it use public IP addresses, the scheme can also be applied in server-client systems.
Fig. 4 shows the overall structure of a VPN system according to one embodiment of the present invention.
As shown in Fig. 4, the VPN system of the present invention may include: a terminal 100; a gateway 200 containing one or more virtual routers (VR; 210) connected to the terminal by tunnels (tunneling); a server 410 or server group 400 connected to the virtual router; and a manager device 300 connected to the terminal and the virtual router, which controls tunnel establishment between the terminal and the virtual router.
The terminal 100 used in the present invention may be any ordinary communication component such as a mobile communication terminal, PC or server computer, on which a software agent that performs the VPN communication function of the present invention is installed.
The terminal agent has the functions of receiving from the manager device the tunnel end table information generated for each virtual router and storing it in a dynamic tunnel end database (DB) 110 inside the terminal, and of selecting one of the multiple tunnel end entries contained in the tunnel end table according to rule information received from the manager device or held by the terminal itself, and then setting up a tunnel with the corresponding virtual router according to the selected tunnel end.
The gateway 200 of the present invention denotes a communication node containing one or more virtual routers 210; it may also be called a local gateway, sharing device or similar.
Each virtual router (VR) 210 contained in the gateway is a communication node between the terminal and the server (group): it is connected to the terminal by a tunnel and relays the VPN communication between the terminal and the server (group).
The VPN communication system may be built using LINUX-based MPLS L3VPN technology, i.e. communication protocol software used in routers or Ethernet switches to provide IP VPN services. Such L3VPN technology is based on the standards defined by the Internet Engineering Task Force (IETF) and can provide Multi-Protocol Label Switching (MPLS) virtual private network (VPN) service in an IP network environment.
According to the present invention, a virtual router has multiple public IP addresses and multiple port numbers, and sets up a VPN tunnel with a terminal using one public IP address selected from the multiple public IP addresses and one port number selected from the multiple port numbers.
That is, unlike the ordinary virtual router shown in Fig. 1, which has one public IP address and one port number and can set only one tunnel end between the terminal and itself, each virtual router of this embodiment has multiple public IP addresses and multiple port numbers and can set multiple tunnel ends with the terminal using combinations of a public IP address and a port number selected from them.
The public IP address selected from the multiple public IP addresses together with the port number selected from the multiple port numbers may be defined as the tunnel end or tunnel end information.
The tunnel end is one of the attributes (Attribute) of the tunnel formed between the virtual router and the terminal; when the tunnel end is changed, the tunnel between the respective virtual router and the terminal can be kept the same, and only an attribute of that tunnel changes.
For example, when the first virtual router VR1 has i (i > 1) public IPs and j (j > 1) port numbers in total, the first virtual router can generate i*j tunnel end entries in total.
That is, the first virtual router can set i*j tunnel ends within one tunnel between itself and the network containing the terminal.
For example, the tunnel end information TE (IP 1, port number 2) is one of the attributes of the tunnel set between the first virtual router and the terminal.
Each virtual router 210 also contains a dynamic tunnel end database (DB) 220 in which it stores the tunnel end table information received from the manager device.
That is, multiple tunnel ends can be set on the virtual router 210 of the present invention, each tunnel end being defined by one public IP address selected from two or more public IP addresses and one port number selected from two or more port numbers, and the virtual router performs the function of receiving from the external manager device, and storing, a tunnel end table containing the multiple tunnel end entries it can set.
The virtual router 210 also has the function of dynamically changing, at regular intervals and based on the tunnel end table received from the manager device, the tunnel end of the tunnel connected to the terminal, thereby changing an attribute of the tunnel formed with the terminal.
In this specification, tunnel end table information denotes the set of multiple tunnel end entries, generated for each virtual router, with which the respective virtual router can be configured.
When the respective virtual router has i public IP addresses and j port numbers, a table (table) made up of i*j tunnel end entries may be used as the tunnel end table information.
The virtual router 210 may, at regular intervals, select one of the multiple tunnel end entries contained in the received tunnel end table and then change the tunnel attribute with the terminal to match the selected tunnel end entry.
The virtual router 210 may also have the function of receiving from the manager device rule information used to select one of the multiple tunnel end entries contained in the tunnel end table; it then dynamically selects one of the entries at certain intervals according to the received rule information and changes the tunnel attribute.
The rule (Rule) for changing the tunnel end information and changing the tunnel may be performed in a sequential manner (first rule), a random manner (second rule), a hybrid manner (third and fourth rules), and so on, as described in more detail below.
Of course, the rule information for changing the tunnel end information and the tunnel need not necessarily be received from the manager device.
The tunnel change between the virtual router and the terminal according to the present invention may be performed on every packet transmission, when a preset number of transmitted and received packets is reached, or at a certain period.
Taking Fig. 4 as an example, in the case of the first rule (the sequential manner), at the transmission of the first packet or during a certain count/time, packets are transmitted through the tunnel set between the terminal and the first virtual router with the first tunnel attribute, according to the first tunnel end information included in the tunnel end table (for example, definable as the first public IP address and the first port number); at the transmission of the second packet or during the next count/cycle, packets are transmitted through the tunnel set between the terminal and the first virtual router with the second tunnel attribute, according to the second tunnel end information (for example, definable as the first public IP address and the second port number), which is the next tunnel end information.
Here, as shown in Fig. 2A, the packet that the terminal transmits to the virtual router is an extended packet which, in addition to the payload and the HoA, also includes an outer header or CoA, where the outer header or CoA contains the IP address (Dest. Addr.) and port number (Port No.) of the corresponding virtual router as defined by the selected tunnel end information.
Of course, as shown in Fig. 2B, the inner header or HoA of the basic packet includes: the protocol (Protocol), the source address (Source Address) and source port number (Source Port No.) of the terminal, and the destination address (Dest. Addr.) and destination port number (Dest. Port No.) of the server that is to receive the packet.
That is, after the terminal extracts a specific tunnel end information from the stored tunnel end table according to the rule information, the public IP address and port number of the virtual router contained in the selected tunnel end information are set as the destination address (Dest. Addr.) and destination port number (Dest. Port No.) of the CoA, respectively.
The outer header or CoA generated in this way is added outside the basic packet header HoA to form the extended packet, which is then sent to the virtual router through the tunnel.
In addition, in the present embodiment the protocol carried in the HoA and CoA may be UDP (User Datagram Protocol), but the present invention is not limited thereto.
Virtual router 210 receives the extended packet through the tunnel set with the tunnel end selected by the same rule as the terminal, removes the CoA, and sends the basic packet on to the server that is its destination.
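The encapsulation and decapsulation just described, as an added example that is not the patent's own code: the byte layout of the HoA and CoA, the field names and the sample addresses are assumptions of this example, not a format the patent specifies. The virtual router only strips the CoA when it names the tunnel end that the router itself selected under the shared rule.

```python
"""Added example (not the patent's own code): building and unwrapping the
extended packet of Fig. 2A/2B.  The byte layout of HoA and CoA and all
addresses below are assumptions of this example."""
import struct
from ipaddress import IPv4Address

UDP = 17                 # protocol value carried in both HoA and CoA
HOA_FMT = "!B4sH4sH"     # protocol, src addr, src port, dst addr, dst port
COA_FMT = "!B4sH"        # protocol, virtual router addr, virtual router port
HOA_LEN = struct.calcsize(HOA_FMT)
COA_LEN = struct.calcsize(COA_FMT)


def build_basic_packet(src_ip, src_port, server_ip, server_port, payload):
    """Fig. 2B: the basic packet is the inner header (HoA) plus payload."""
    hoa = struct.pack(HOA_FMT, UDP, IPv4Address(src_ip).packed, src_port,
                      IPv4Address(server_ip).packed, server_port)
    return hoa + payload


def encapsulate(basic_packet, tunnel_end):
    """Terminal side, Fig. 2A: the selected tunnel end (virtual router public
    IP, port) becomes Dest. Addr. / Dest. Port No. of the outer header (CoA),
    which is prepended to the basic packet to form the extended packet."""
    vr_ip, vr_port = tunnel_end
    coa = struct.pack(COA_FMT, UDP, IPv4Address(vr_ip).packed, vr_port)
    return coa + basic_packet


def decapsulate(extended_packet, expected_tunnel_end):
    """Virtual router side: the CoA must name the tunnel end the router
    itself selected under the same rule; otherwise the packet is dropped
    (None).  On a match the CoA is removed and the basic packet, still
    carrying the server's address and port in its HoA, is returned."""
    if len(extended_packet) < COA_LEN + HOA_LEN:
        return None
    proto, addr, port = struct.unpack(COA_FMT, extended_packet[:COA_LEN])
    if proto != UDP or (str(IPv4Address(addr)), port) != expected_tunnel_end:
        return None
    return extended_packet[COA_LEN:]


def parse_hoa(basic_packet):
    """Read the inner header so the router knows where to forward the packet."""
    proto, src, sport, dst, dport = struct.unpack(HOA_FMT, basic_packet[:HOA_LEN])
    return {"protocol": proto,
            "src": (str(IPv4Address(src)), sport),
            "dst": (str(IPv4Address(dst)), dport),
            "payload": basic_packet[HOA_LEN:]}


if __name__ == "__main__":
    # Constructed sample: terminal 10.0.0.5 sends to server 192.0.2.10:443
    # through the tunnel end (198.51.100.7, 5001) of the virtual router.
    basic = build_basic_packet("10.0.0.5", 40000, "192.0.2.10", 443, b"hello")
    ext = encapsulate(basic, ("198.51.100.7", 5001))
    print(parse_hoa(decapsulate(ext, ("198.51.100.7", 5001))))
    print(decapsulate(ext, ("198.51.100.7", 5002)))   # wrong tunnel end -> None
```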
In addition, each virtual router 210 requests an update of the tunnel end table information from the manager device at regular intervals, based on the number of packets received from the corresponding terminal through the set tunnel, the volume of packets received, or the time elapsed since the tunnel was set.
More specifically, when the number of packets received from the terminal reaches a critical number or more, or when the time elapsed since the tunnel was set exceeds a critical time, virtual router 210 may generate a tunnel end table update request signal, send it to the manager device, and receive and store a new tunnel end table from the manager device.
Subsequent tunnel setting with the terminal is then performed based on the updated tunnel end table and the rule information.
The manager device 300 used in the present invention is a device connected to the terminal and the virtual router that controls them; the manager device 300 performs the function of generating a tunnel end table containing the multiple tunnel end informations with which the virtual router can be configured, and transmitting it to the terminal and the virtual router.
Also, in addition to the function of generating and transmitting tunnel end table information, the manager device 300 may have a terminal authentication function and a device registration function for the gateway or virtual router, which are explained in more detail below with reference to Fig. 6.
More specifically, upon device registration of the virtual router or of the gateway containing it, the manager device 300 generates for each virtual router a tunnel end table, that is, a catalogue of the multiple tunnel end informations that can be set for the respective virtual router, and then transmits it to the terminal and the respective virtual router.
Also, when a tunnel end table update request is received from the terminal or the virtual router, or when a preset tunnel end table update condition is met, the manager device 300 may generate a new tunnel end table for each virtual router and send it to the terminal and the virtual router, respectively.
Also, the manager device 300 may include the function of generating rule information and sending it to the terminal and the virtual router, the rule information being information on the rule (Rule) for dynamically selecting one of the multiple tunnel end informations included in the tunnel end table.
According to the rule specified in such rule information, the terminal and the virtual router may select a tunnel end from the multiple tunnel ends included in the pre-stored tunnel end table of the virtual router, and change the attribute of the tunnel between the terminal and the virtual router based on the selected tunnel end.
Of course, the rule for selecting one of the multiple tunnel end informations included in the tunnel end table may be determined in advance so that the terminal and the virtual router can apply it; in that case, rule information need not be received from the manager device, and the selection of tunnel end information for the tunnel change is performed according to the preset rule.
The rules for selecting one of the multiple tunnel end informations included in the tunnel end table are explained below.
Ways of selecting one of the multiple tunnel end informations included in the tunnel end table include a sequential manner (first rule), a random manner (second rule), a hybrid manner (third rule and fourth rule), and so on, but the present invention is not limited thereto.
First, the first rule, the sequential manner, selects and applies the multiple tunnel end informations included in the tunnel end table in turn, in forward or reverse order.
For example, where the tunnel end table contains i*j tunnel ends in total, from (IP_1, PortNo_1) to (IP_i, PortNo_j), communication at the transmission of the first packet, or of the first n packets, or of the packets during the first cycle, uses the tunnel formed with the first tunnel attribute defined by (IP_1, PortNo_1), the first tunnel end of the table; at the transmission of the second packet, or of packets n to 2n, or of the packets during the second cycle, the tunnel with the second tunnel attribute defined by (IP_1, PortNo_2), the second tunnel end of the table, is used.
Under the first rule of such a sequential manner, the tunnel end table is referenced only once at the start of data transmission and reception, which has the advantage of small overhead, but if the tunnel end table is compromised its security may be weaker.
Second, the second rule, the random manner, randomly selects and applies one of the multiple tunnel end informations included in the tunnel end table.
Here, when the second rule is applied, the rule information may include table version information (Table Version) indicating the version of the tunnel end table, a virtual router number (VR No) as the identifier of the virtual router, next tunnel end selection information (n { IP, PortNo }) indicating the tunnel end information to be selected next, and so on.
Such rule information may be generated by the manager device 300 and sent to the terminal and the virtual router so that both nodes apply the same rule, but it may also be transmitted by having the sender of a packet include the rule information in the packet header or the like, with the receiver then selecting the tunnel end information according to that rule information.
That is, because the terminal and the virtual router receive the same tunnel end table from the manager device and store it, using the rule information transmitted by the manager device or by the sender, the terminal and the virtual router can select and apply the same tunnel end under the same rule.
Under the second rule of such a random manner, security can be maintained even if the tunnel end table is compromised, because the rule cannot be known; however, the tunnel end table must be referenced in every transmission and reception, so the overhead may increase somewhat.
Third, the third rule, a hybrid manner, first applies the sequential manner within one public IP address, then moves to another tunnel end of the tunnel end table according to a certain skip parameter and performs the selection there.
When the third rule is applied, the rule information may include table version information (Table Version) indicating the version of the tunnel end table, the virtual router number (VR No) as the identifier of the virtual router, the public IP address information (IP) in use, tunnel end skip information (n { skip point or skip count }) indicating the next tunnel end information to be selected, and so on.
For example, where the tunnel end table contains i*j tunnel ends in total, from (IP_1, PortNo_1) to (IP_i, PortNo_j), and the rule information based on the third rule contains public IP address IP=1 and tunnel end skip information n { skip point or skip count } = 2 { 3 }, the first two (n=2) tunnel ends (IP_1, PortNo_1) and (IP_1, PortNo_2) are selected in turn, and then three are skipped (skip count (number of hops) = 3) to select and use the tunnel end defined by (IP_1, PortNo_5).
Under the fourth rule, another hybrid manner, the sequential manner is used first up to a certain count, after which the selection moves to another tunnel end of the tunnel end table according to a certain skip parameter.
When the fourth rule is applied, the rule information may include table version information (Table Version) indicating the version of the tunnel end table, the virtual router number (VR No) as the identifier of the virtual router, tunnel end skip information (n { IP, skip point or skip count }) indicating the next tunnel end information to be selected, and so on.
For example, where the tunnel end skip information contained in the rule information based on the fourth rule is n { IP, skip point or skip count } = 2 { 2, 3 }, the first two (n=2) tunnel ends (IP_1, PortNo_1) and (IP_1, PortNo_2) are selected in turn, followed by the tunnel end (IP_2, PortNo_3), defined by IP_2 as the second public IP address and the skip point (jump) = 3 counted from it.
Using the third rule and fourth rule of the hybrid manner makes up for the shortcomings of the sequential manner and the random manner.
That is, the tunnel end table need not be referenced every time, but only when the tunnel end skip condition is met, which reduces overhead, while the tunnel end skip condition makes up for the weaker security of the sequential manner.
Such a tunnel end selection rule may be changed by the manager device according to a specific policy at a certain period, and the changed rule information must then be sent to the terminal and the virtual router.
In that case, to cope with the situation where the rule information fails to be changed synchronously on the transmitting and receiving sides, the previous rule version may be accepted for a certain time after the rule information changes.
For example, after the rule information has changed, if the sender transmits data using the tunnel end selected under the changed rule while the receiver still uses the rule of the previous version, the receiver may be allowed to apply the rule of the previous version for a certain time after the rule change.
Of course, in that case, if the counterpart's rule has still not changed after that period of time, reception of data from the corresponding counterpart may be rejected.
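The four selection rules above and the rule-change grace window, as an added example that is not the patent's own code. The table is built as in the i*j layout the text describes; how each hybrid rule continues after its first jump is not specified by the patent and is an assumption of this example, as are the function and field names.

```python
"""Added example (not the patent's own code): tunnel end selection rules
over a tunnel end table, plus the receiver's rule-change grace window.
Function names, and the continuation of each hybrid rule after its first
jump, are assumptions of this example."""
from dataclasses import dataclass
from itertools import product
import secrets


@dataclass(frozen=True)
class TunnelEnd:
    ip: str     # public IP address of the virtual router (label such as IP_1)
    port: int   # port number on that address (PortNo_k)


def build_te_table(public_ips, ports):
    """Tunnel end table for one virtual router, i*j entries ordered
    (IP_1, PortNo_1), (IP_1, PortNo_2), ..., (IP_i, PortNo_j)."""
    return [TunnelEnd(ip, p) for ip, p in product(public_ips, ports)]


def first_rule(table, count, reverse=False):
    """Sequential manner: walk the table forward or backward, wrapping."""
    order = table[::-1] if reverse else table
    return [order[k % len(order)] for k in range(count)]


def second_rule(table, rng=None):
    """Random manner: the sender picks any entry; the chosen (IP, PortNo)
    is what the n{IP, PortNo} field of the rule information carries."""
    rng = rng or secrets.SystemRandom()
    return rng.choice(table)


def third_rule(table, ip, n, skip, count):
    """Hybrid, third rule: stay on one public IP, take n port numbers in
    turn, then jump `skip` positions on from the last pick.  Page example:
    IP=1, n{skip} = 2{3} -> PortNo_1, PortNo_2, PortNo_5.  Restarting the
    n-run from the landing entry is an assumption of this example."""
    ports = [te for te in table if te.ip == ip]
    picks, idx = [], 0
    while len(picks) < count:
        picks.extend(ports[(idx + k) % len(ports)] for k in range(n))
        idx = (idx + n - 1 + skip) % len(ports)
    return picks[:count]


def fourth_rule(public_ips, ports, n, ip_step, skip, count):
    """Hybrid, fourth rule: n entries in turn through the whole table, then
    jump to the public IP `ip_step` positions along (1 = the same IP) at
    port position `skip`.  Page example: 2{2,3} -> (IP_1, PortNo_1),
    (IP_1, PortNo_2), (IP_2, PortNo_3).  Repeating the run/jump cycle
    after the jump is an assumption of this example."""
    table = build_te_table(public_ips, ports)
    picks, idx = [], 0
    while len(picks) < count:
        picks.extend(table[(idx + k) % len(table)] for k in range(n))
        ip_idx = (idx // len(ports) + ip_step - 1) % len(public_ips)
        idx = ip_idx * len(ports) + (skip - 1) % len(ports)
    return picks[:count]


def accept_tunnel_end(received, expected_now, expected_prev, grace_open):
    """Receiver-side check after a rule change: accept the tunnel end the
    current rule predicts, or the previous rule's only while the grace
    window is still open; otherwise the packet is rejected."""
    if received == expected_now:
        return True
    return bool(grace_open) and received == expected_prev


if __name__ == "__main__":
    # Constructed table: 3 public IPs x 6 ports, as for VR1 in Fig. 6 with j=6.
    ips, ports = ["IP_1", "IP_2", "IP_3"], [1, 2, 3, 4, 5, 6]
    table = build_te_table(ips, ports)
    print(first_rule(table, 3))
    print(third_rule(table, "IP_1", 2, 3, 3))     # PortNo_1, PortNo_2, PortNo_5
    print(fourth_rule(ips, ports, 2, 2, 3, 3))    # ..., (IP_2, PortNo_3)
    print(second_rule(table))
```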
As described above, according to an embodiment of the present invention, a single virtual router is enabled to set multiple tunnel ends, a tunnel end table containing multiple tunnel end informations is provided to the terminal and the virtual router, and a tunnel end is dynamically selected under a predetermined rule to change the tunnel attribute.
Therefore, unlike the common VPN system shown in Fig. 1, the tunnel attribute of each VPN communication changes dynamically, which makes external hacking harder to carry out and can improve the security of data transmission and reception.
Also, compared with the existing network address translation (NAT) system, in which the device linked to the sharing device is limited to the case of a public-IP client terminal, according to the present invention the device linked to the virtual router can be a server having a public IP address, so there is the advantage that it can also be applied to client-server communication.
That is, in the existing NAT system the counterpart terminal linked to the sharing device or address translator cannot have a public IP address and therefore cannot act as an independent communication agent, whereas in the present invention the server is linked to the virtual router, so VPN communication with improved security can be realized.
Fig. 5 shows the dynamic tunnel end (DTE) setup procedure in the VPN system of an embodiment of the present invention.
First, the gateway or virtual router performs a device registration process with the manager device (step S510).
Through this device registration process, after the manager device has identified the gateway or virtual router, the basic information for generating the tunnel end table information for the respective virtual router is provided.
During such device registration, the gateway provides its own available resource information (number of public IP addresses, etc.) to the manager device, whereby the manager device can perform the process of generating information (VR information) such as the number of virtual routers to be used on the respective gateway, and the tunnel end table information for each virtual router.
Such a device registration process is described in detail with reference to Fig. 6.
When device registration is complete, the manager device receives a terminal authentication request from the terminal and authenticates the corresponding terminal (step S520).
When terminal authentication and the device registration process of the gateway (virtual router) are complete, the manager device generates VR (DTE Table) as the tunnel end table information, which contains the multiple tunnel end informations that can be set between the terminal and the respective virtual router (step S530).
Of course, rule information for selecting one of the multiple tunnel end informations included in the tunnel end table may be generated together in this process.
Then, the manager device transmits the tunnel end table information VR (DTE Table) generated for each virtual router to the authenticated terminal and to the respective virtual router (gateway), and the terminal and the virtual router store the received tunnel end table information VR (DTE Table) in their tunnel end DB (step S535, step S540).
Then, based on the set rule and the tunnel end table, the terminal and the virtual router change the tunnel attribute using a tunnel end reselected at regular intervals, and perform VPN-based data transmission and reception through the tunnel defined by the changed tunnel end (step S550).
Then, the virtual router monitors whether the update condition of the tunnel end table is met (step S555), and when the update condition of the tunnel end table is met, transmits a tunnel end table regeneration request to the manager device (step S560).
Here, the update condition of the tunnel end table may be that the time elapsed while keeping the current tunnel setting exceeds a critical time, or that the number of packets received using the current tunnel reaches a critical number or more, and so on, but the present invention is not limited thereto.
In response to such a tunnel end table regeneration request from the virtual router, the manager device generates a new tunnel end table and sends it again to the corresponding terminal and virtual router, so as to update the existing tunnel end table (step S575, step S580).
Fig. 6 shows the device registration and tunnel end change process performed between the manager device (Manager) and the gateway (virtual router) in the VPN system of an embodiment of the present invention.
As shown in Fig. 6, the gateway that is to use a virtual router sends to the manager device a device registration request containing its own identification information (G/W ID) and CoA information, that is, its own public IP address information (step S610).
Thereupon, the manager device stores the corresponding gateway information, generates the virtual router information (VR information) to be used by the corresponding gateway, and transmits it to the gateway (step S615, step S620).
The virtual router information (VR information) may include the number of virtual routers the corresponding gateway can operate, information on the server (group) connected to each virtual router, and so on.
That is, the role of each gateway in routing multiple servers (groups), the number of virtual routers it holds, and so on are determined by the manager device.
Thus, where there are multiple gateways and servers (groups), the manager device performs the system configuration for VPN communication between them in an integrated way, so that changes in system elements can also be coped with effectively.
Then, the gateway sends its own available resource information, such as the number of public IP addresses and the number of ports it holds, to the manager device (step S625).
The manager device uses the virtual router information (VR information) it generated in step S615 and the available resource information received from the gateway to generate a tunnel end table for each virtual router (step S630).
Assuming that the gateway that has performed device registration is to be responsible for 2 virtual routers, and that in the available resource information transmitted by the gateway the number of public IP addresses is 6 and the number of ports is j, the manager device may allocate a first virtual router VR1 and a second virtual router VR2 to the corresponding gateway, allocating public IP addresses 1 to 3 to the first virtual router VR1 and public IP addresses 4 to 6 to the second virtual router VR2.
In that case, the manager device generates a tunnel end table VR1 (TE Table) and sends it to the first virtual router VR1 and the terminal, where the tunnel end table VR1 contains 3*j tunnel end informations in total, TE (IP_1, PortNo_1), TE (IP_1, PortNo_2), ..., TE (IP_3, PortNo_j), as the tunnel end information for the first virtual router VR1 (step S635).
Of course, while the tunnel end table is generated for each virtual router, or before or after that, rule information for selecting one of the multiple tunnel end informations included in the tunnel end table may also be generated and transmitted to the terminal and the virtual router.
Such rule information need not be generated and provided by the manager device; as long as the terminal and the respective virtual router can recognize the same rule information, it may also be generated and provided by another device, or pre-stored in the terminal and the virtual router.
The virtual router that receives the tunnel end table information stores the tunnel end table information and/or the rule information in its tunnel end DB (step S640).
Here, since the same tunnel end table and/or rule information for each virtual router is also provided to the terminal, the virtual router forms a tunnel with the tunnel end selected from the tunnel end table according to the rule information and then performs data transmission and reception (step S645).
Of course, since the tunnel end information selected for setting the tunnel is changed dynamically at regular intervals, data transmission and reception between a specific terminal and virtual router also takes place through the tunnel defined by the tunnel end changed at regular intervals.
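The registration, table generation and regeneration exchange of Figs. 5 and 6, as an added example that is not the patent's own code, using the numbers from the text (2 virtual routers, 6 public IP addresses, j ports). The class and method names, the even split of public IPs across virtual routers, the gateway identifier and the CoA value are assumptions of this example.

```python
"""Added example (not the patent's own code): manager-side bookkeeping for
device registration (S610-S620), tunnel end table generation (S625-S635)
and regeneration on request (S560-S580), plus the virtual router's update
condition (S555).  Names and the even IP split are assumptions."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class TeTable:
    vr_no: int       # VR No, identifier of the virtual router
    version: int     # Table Version
    entries: list    # (IP, PortNo) tuples, i*j in total


@dataclass
class ManagerDevice:
    gateways: dict = field(default_factory=dict)   # G/W ID -> CoA (public IP info)
    vr_info: dict = field(default_factory=dict)    # G/W ID -> list of VR No
    dte_db: dict = field(default_factory=dict)     # VR No -> current TeTable
    next_vr_no: int = 1

    def register_gateway(self, gw_id, coa, vr_count):
        """Steps S610-S620: store the gateway and return its VR information,
        here simply the VR numbers allocated to it."""
        self.gateways[gw_id] = coa
        nos = list(range(self.next_vr_no, self.next_vr_no + vr_count))
        self.next_vr_no += vr_count
        self.vr_info[gw_id] = nos
        return nos

    def generate_tables(self, gw_id, public_ips, ports):
        """Steps S625-S635: split the gateway's public IPs evenly across its
        virtual routers and build an i*j tunnel end table for each."""
        nos = self.vr_info[gw_id]
        per_vr = len(public_ips) // len(nos)
        tables = []
        for k, vr_no in enumerate(nos):
            ips = public_ips[k * per_vr:(k + 1) * per_vr]
            table = TeTable(vr_no, 1, list(product(ips, ports)))
            self.dte_db[vr_no] = table
            tables.append(table)
        return tables

    def regenerate(self, vr_no):
        """Steps S560-S580: on a regeneration request, issue a new table
        version for that virtual router (same resources in this example)."""
        old = self.dte_db[vr_no]
        new = TeTable(vr_no, old.version + 1, list(old.entries))
        self.dte_db[vr_no] = new
        return new


def update_condition_met(received_packets, elapsed_seconds,
                         critical_count, critical_seconds):
    """Step S555: the virtual router asks for a new table once either the
    packet count or the time since the tunnel was set reaches its critical
    value."""
    return received_packets >= critical_count or elapsed_seconds >= critical_seconds


if __name__ == "__main__":
    mgr = ManagerDevice()
    # Constructed values: gateway "GW-A" with CoA 203.0.113.1, 6 public IPs, j=4 ports
    mgr.register_gateway("GW-A", "203.0.113.1", 2)
    vr1, vr2 = mgr.generate_tables("GW-A", [f"IP_{i}" for i in range(1, 7)], [1, 2, 3, 4])
    print(len(vr1.entries), vr1.entries[0], vr2.entries[0])   # 12 ('IP_1', 1) ('IP_4', 1)
    if update_condition_met(100, 12, critical_count=100, critical_seconds=60):
        print(mgr.regenerate(vr1.vr_no).version)                # 2
```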
Fig. 7 shows the detailed structure of the manager device used in the VPN system of an embodiment of the present invention.
The manager device of the present invention may include: a device registration/authentication unit 320; a VR management unit 330, which generates and transmits virtual router information according to the request of the gateway; a DTE table management unit 340, which generates a tunnel end table for each virtual router and sends it to the terminal and the respective virtual router; and a DTE DB 310, which stores the tunnel end tables and the like of all managed virtual routers.
It may further include a DTE table update unit 350, which generates and provides a new tunnel end table at certain intervals according to requests from the virtual router or the terminal, and so on.
After receiving the device registration request of the gateway and the authentication request of the terminal, the device registration/authentication unit 320 stores the information on the gateway and performs the device registration process, and performs the process of authenticating a legitimate terminal using the ID of the terminal and the like.
The VR management unit 330 performs the function of generating the virtual router information (VR information) to be used by the gateway requesting device registration and then sending the generated virtual router information (VR information) to the gateway; here the virtual router information (VR information) may include the number of virtual routers the corresponding gateway can operate, information on the server (group) connected to each virtual router, and so on.
As described above, the VR management unit 330 performs the function of configuring and managing the role of each gateway in routing multiple servers (groups), the number of virtual routers it holds, and so on.
The DTE table management unit 340 performs the function of determining, based on the available resource information provided by the gateway, the public IP addresses and number of ports to be used by each virtual router, generating on that basis tunnel end table information containing multiple tunnel end informations for each virtual router, and transmitting it to the terminal and the respective virtual router.
In addition to this function, the DTE table management unit 340 may also perform the function of generating rule information for dynamically selecting one of the multiple tunnel end informations included in the tunnel end table, and transmitting it to the terminal and the virtual router.
Also, the DTE table management unit 340 stores the tunnel end table and/or rule information for each virtual router in the DTE DB 310.
When a certain update condition is met, or when a table regeneration request is received from the terminal or the virtual router, the DTE table update unit 350 performs the function of generating a new tunnel end table for the respective virtual router and transmitting it to the terminal and the respective virtual router.
According to the embodiment of the present invention described above, a single virtual router is enabled to set multiple tunnels, a tunnel end table containing multiple tunnel end informations is provided to the terminal and the virtual router, and a tunnel end is dynamically selected under a predetermined rule so that the tunnel attribute changes dynamically.
Therefore, because the tunnel attribute of each VPN communication changes dynamically, external hacking is harder to carry out than in the common VPN system shown in Fig. 1, and the security of data transmission and reception can be improved.
Also, in the existing network address translation (NAT) system the device connected to the sharing device is limited to the case of a public-IP client terminal, whereas in the present invention the device connected to the virtual router can be a server having a public IP address, so there is the advantage that it can also be applied to client-server communication.
The above description and accompanying drawings merely illustrate the technical idea of the present invention, and those of ordinary skill in the technical field to which the present invention belongs may make various modifications and variations, such as combining, separating, substituting and changing structures, without departing from the essential characteristics of the present invention. Therefore, the disclosed embodiments are intended to illustrate, not to limit, the technical idea of the present invention, and the scope of the technical idea of the present invention is not limited by such embodiments. The scope of protection of the present invention should be defined by the appended claims, and all technical ideas within their equivalent scope should be understood to fall within the scope of rights of the present invention.
Claims (11)
1. A virtual private network system, comprising:
a virtual router, which is connected to a terminal through a tunnel and can set multiple tunnel ends, wherein a tunnel end is defined by one public IP address and one port number selected from two or more public IP addresses and two or more port numbers; and
a manager device, which generates a tunnel end table containing the multiple tunnel end informations that the virtual router can set, and sends the tunnel end table to the terminal and the virtual router,
wherein the virtual router stores the tunnel end table and, based on the tunnel end table, dynamically changes at regular intervals the tunnel end used for the tunnel connected to the terminal, so as to change the attribute of the tunnel.
2. The virtual private network system according to claim 1, wherein
the manager device generates rule information and sends it to the terminal or the virtual router, the rule information being used to select one of the multiple tunnel end informations included in the tunnel end table, and
the virtual router dynamically selects at regular intervals, according to the rule information, one of the multiple tunnel end informations included in the tunnel end table, so as to change the attribute of the tunnel.
3. The virtual private network system according to claim 1, wherein
when the number of received packets reaches a critical number or more, or the duration after the tunnel setting exceeds a critical time, the virtual router generates a tunnel end table update request signal and sends it to the manager device, and the manager device generates a new tunnel end table and sends it to the terminal and the virtual router.
4. The virtual private network system according to claim 2, wherein
the rule information includes one or more of first rule information, second rule information, third rule information and fourth rule information, wherein
the first rule information is used to select the multiple tunnel end informations included in the tunnel end table in turn;
the second rule information is used to randomly select one of the multiple tunnel end informations included in the tunnel end table;
the third rule information is used to select tunnel end information in such a way that the port numbers within one public IP address are first changed in turn, and then a jump is made to another port number at a predetermined position;
the fourth rule information is used to select tunnel end information in such a way that the public IP address and port number are first changed in turn, and then a jump is made to another public IP address and another port number at a predetermined position.
5. A virtual router, which is connected to a terminal through a tunnel and performs VPN communication with the terminal, wherein
the virtual router can set multiple tunnel ends, wherein a tunnel end is defined by one public IP address and one port number selected from two or more public IP addresses and two or more port numbers,
the virtual router receives a tunnel end table from an external manager device and stores it, wherein the tunnel end table contains the multiple tunnel end informations that the virtual router can set, and
the virtual router, based on the tunnel end table, dynamically changes at regular intervals the tunnel end used for the tunnel connected to the terminal, so as to change the attribute of the tunnel.
6. The virtual router according to claim 5, wherein
the virtual router also receives rule information from the manager device, the rule information being used to select one of the multiple tunnel end informations included in the tunnel end table, and
according to the received rule information, the virtual router dynamically selects at regular intervals one of the multiple tunnel end informations included in the tunnel end table, so as to change the attribute of the tunnel.
7. The virtual router according to claim 6, wherein
when the number of packets received from the terminal reaches a critical number or more, or the duration after the tunnel change exceeds a critical time, the virtual router generates a tunnel end table update request signal and sends it to the manager device, and receives a new tunnel end table from the manager device and stores it.
8. A manager device, which is connected to a terminal and a virtual router and controls the terminal and the virtual router, wherein
the virtual router can set multiple tunnel ends, wherein a tunnel end is defined by one public IP address and one port number selected from two or more public IP addresses and two or more port numbers, and
the manager device generates a tunnel end table and sends it to the terminal and the virtual router, so that the virtual router and the terminal, based on the tunnel end table, dynamically change at regular intervals the tunnel end that serves as the attribute of the tunnel connecting the terminal and the virtual router, wherein the tunnel end table contains the multiple tunnel end informations that the virtual router can set.
9. The manager device according to claim 8, wherein the manager device generates rule information and sends it to the terminal or the virtual router, the rule information being used to select one of the multiple tunnel end informations included in the tunnel end table.
10. The manager device according to claim 9, wherein, when the number of packets transmitted and received through the tunnel reaches a critical number or more, or the duration after the tunnel setting exceeds a critical time, the manager device generates a new tunnel end table according to the tunnel end table update request signal received from the virtual router, and sends it to the terminal and the virtual router.
11. The manager device according to claim 9, wherein
the rule information includes one or more of first rule information, second rule information, third rule information and fourth rule information, wherein
the first rule information is used to select the multiple tunnel end informations included in the tunnel end table in turn;
the second rule information is used to randomly select one of the multiple tunnel end informations included in the tunnel end table;
the third rule information is used to select tunnel end information in such a way that the port numbers within one public IP address are first changed in turn, and then a jump is made to another port number at a predetermined position;
the fourth rule information is used to select tunnel end information in such a way that the public IP address and port number are first changed in turn, and then a jump is made to another public IP address and another port number at a predetermined position.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2016-0072703 | 2016-06-10 | ||
KR1020160072703A KR101712922B1 (en) | 2016-06-10 | 2016-06-10 | Virtual Private Network System of Dynamic Tunnel End Type, Manager Apparatus and Virtual Router for the same |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107528778A true CN107528778A (en) | 2017-12-29 |
Family
ID=58404146
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610716440.6A Pending CN107528778A (en) | 2016-06-10 | 2016-08-24 | The vpn system of dynamic tunnel end mode, virtual router and manager devices for it |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR101712922B1 (en) |
CN (1) | CN107528778A (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101947170B1 (en) * | 2017-07-06 | 2019-05-08 | 주식회사 아라드네트웍스 | Method and apparatus for dynamic vpn manegenment |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1503506A (en) * | 2002-11-20 | 2004-06-09 | 日立通讯技术株式会社 | Virtual insertion router |
CN1736077A (en) * | 2002-11-27 | 2006-02-15 | 捷讯研究有限公司 | Data transfer from a host server via a tunnel server to a wireless device, and associating a temporary IPV6 address with a temporary IPV4 address for communicating in an IPV4 wireless network with the |
CN101040496A (en) * | 2004-10-19 | 2007-09-19 | 日本电气株式会社 | VPN gateway device and hosting system |
US20080281978A1 (en) * | 2007-05-10 | 2008-11-13 | Motorola, Inc. | Methods for utilizing multiple tunnels within a communication network |
CN101753401A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信科技有限公司 | A method for realizing backup and load of IPSec virtual private network tunnel |
KR101206637B1 (en) * | 2008-07-18 | 2012-11-29 | 알까뗄 루슨트 | Establishing pseudowires in packet switching networks |
KR101308089B1 (en) * | 2011-12-29 | 2013-09-12 | 주식회사 시큐아이 | Ipsec vpn system and method for supporing high availability |
CN102217243B (en) * | 2008-11-17 | 2015-05-20 | 高通股份有限公司 | Method and device for remote access to local network |
CN104869118A (en) * | 2015-05-15 | 2015-08-26 | 北京云杉世纪网络科技有限公司 | Method and system for achieving DDoS defense based on technology of dynamic tunnels |
US20150263866A1 (en) * | 2014-03-17 | 2015-09-17 | Nec Corporation | Tunnel endpoint device, communication device, communication system, communication method, and program |
US20150288658A1 (en) * | 2014-04-07 | 2015-10-08 | Electronics And Telecommunications Research Institute | Access point apparatus for configuring multiple security tunnel, and system having the same and method thereof |
2016
- 2016-06-10 KR KR1020160072703A patent/KR101712922B1/en active IP Right Grant
- 2016-08-24 CN CN201610716440.6A patent/CN107528778A/en active Pending
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1503506A (en) * | 2002-11-20 | 2004-06-09 | 日立通讯技术株式会社 | Virtual insertion router |
CN1736077A (en) * | 2002-11-27 | 2006-02-15 | 捷讯研究有限公司 | Data transfer from a host server via a tunnel server to a wireless device, and associating a temporary IPV6 address with a temporary IPV4 address for communicating in an IPV4 wireless network with the |
CN101040496A (en) * | 2004-10-19 | 2007-09-19 | 日本电气株式会社 | VPN gateway device and hosting system |
US20080281978A1 (en) * | 2007-05-10 | 2008-11-13 | Motorola, Inc. | Methods for utilizing multiple tunnels within a communication network |
KR101206637B1 (en) * | 2008-07-18 | 2012-11-29 | 알까뗄 루슨트 | Establishing pseudowires in packet switching networks |
CN102217243B (en) * | 2008-11-17 | 2015-05-20 | 高通股份有限公司 | Method and device for remote access to local network |
CN101753401A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信科技有限公司 | A method for realizing backup and load of IPSec virtual private network tunnel |
KR101308089B1 (en) * | 2011-12-29 | 2013-09-12 | 주식회사 시큐아이 | Ipsec vpn system and method for supporing high availability |
US20150263866A1 (en) * | 2014-03-17 | 2015-09-17 | Nec Corporation | Tunnel endpoint device, communication device, communication system, communication method, and program |
US20150288658A1 (en) * | 2014-04-07 | 2015-10-08 | Electronics And Telecommunications Research Institute | Access point apparatus for configuring multiple security tunnel, and system having the same and method thereof |
CN104869118A (en) * | 2015-05-15 | 2015-08-26 | 北京云杉世纪网络科技有限公司 | Method and system for achieving DDoS defense based on technology of dynamic tunnels |
Non-Patent Citations (1)
Title |
---|
Zhao Ning: "Design and Implementation of Dynamic Multipoint VPN", China Master's Theses Full-text Database, Information Science and Technology Series * |
Also Published As
Publication number | Publication date |
---|---|
KR101712922B1 (en) | 2017-03-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
ES2287697T3 (en) | ADDRESS AND APPLIANCE METHOD FOR ESTABLISHING HOST IDENTITY PROTOCOL (HIP) CONNECTIONS BETWEEN LEGACY AND HIP NODES. | |
CN105453488B (en) | For handling the method and system of DNS request | |
CN101442516B (en) | Method, system and apparatus for DHCP authentication | |
CN103188351B (en) | IPSec VPN traffic method for processing business and system under IPv6 environment | |
US20040249911A1 (en) | Secure virtual community network system | |
US20040249973A1 (en) | Group agent | |
Baker et al. | Internet protocols for the smart grid | |
KR20150020530A (en) | Multi-tunnel virtual private network | |
CN101420423A (en) | Network system | |
CN103812960A (en) | Network address translation for application of subscriber-aware services | |
McPherson et al. | Architectural considerations of IP anycast | |
KR101743559B1 (en) | Virtual private network, internet cafe network using the same, and manager apparatus for the same | |
CN101902482B (en) | Method and system for realizing terminal security admission control based on IPv6 (Internet Protocol Version 6) automatic configuration | |
TW201138380A (en) | Methods and apparatus for distribution of IP layer routing information in peer-to-peer overlay networks | |
Alves et al. | WS 3 N: Wireless Secure SDN-Based Communication for Sensor Networks | |
CN106506354B (en) | Message transmission method and device | |
US10015136B2 (en) | Method and firewall for soliciting incoming packets | |
Garcia-Carrillo et al. | Multihop bootstrapping with EAP through CoAP intermediaries for IoT | |
EP3016423A1 (en) | Network safety monitoring method and system | |
CN109981820A (en) | A kind of message forwarding method and device | |
CN107528778A (en) | The vpn system of dynamic tunnel end mode, virtual router and manager devices for it | |
Arkko et al. | Limitations of IPsec policy mechanisms | |
US20040037284A1 (en) | Method for secure packet-based communication between two units via an intermedia unit | |
Chen et al. | Secure network mobility (SeNEMO) for real-time applications | |
TWI300662B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20171229 |