CN1813445A - Secure and seamless roaming between internal and external networks, switching between double and triple tunnel, and protecting communication between home agent and mobile phone - Google Patents

Publication number
CN1813445A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200480017456
Other languages
Chinese (zh)
Other versions
CN100574228C (en
Inventor
谷内谦一
张涛
巴蒂马·阿格拉瓦尔
阿舒托什·杜塔
苏尼尔·麦德哈尼
马场伸一
藤本谦作
胜部泰弘
儿玉利一
大场义洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuoxin Heritage Co
Toshiba Corp
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Toshiba Corp
Telcordia Technologies Inc
Application filed by Toshiba Corp, Telcordia Technologies Inc filed Critical Toshiba Corp
Priority to CN200910208858.6A priority Critical patent/CN101707759B/en
Publication of CN1813445A publication Critical patent/CN1813445A/en
Publication of CN100574228C publication Critical patent/CN100574228C/en

Abstract

A system and method for secure, seamless roaming between internal and external networks is described. Double and triple tunnels are used to connect a mobile node to a communication host, and the mobile node is able to connect to two networks at the same time so that it can roam seamlessly between networks. For example, the system can include an internal home agent (602) in a virtual private network, and an external home agent (605) and a security gateway (606) in a demilitarized zone between two firewalls (603, 604). The tunnels include an internal mobile IP tunnel (610), which is optionally carried inside an IPsec tunnel and is carried inside an external mobile IP tunnel (608). In one implementation, the mobile node (607) includes an application that accesses external and internal MIP drivers, which connect to a first and a second network driver respectively. In another implementation, in response to a second connection being established with the second network driver, communication is transferred from the first network to the second network.

Description

Secure and seamless roaming between internal and external networks, switching between double and triple tunnels, and protecting communication between a home agent and a mobile node
Related application data
This application claims priority to U.S. Application No. 60/488,809, entitled "Seamless and Secure WAN-LAN roaming", filed on July 22, 2003, and to the application entitled "Secure and Seamless WAN-LAN Roaming", filed on July 21, 2004, the contents of which are expressly incorporated herein by reference.
Technical field
Aspects of the invention relate to wireless communication. More particularly, aspects of the invention relate to maintaining connectivity while roaming between wireless networks.
Background technology
Different wireless technologies exist for mobile data users. Mobile data users can use cellular technology, IEEE 802.11-based technology, Bluetooth and other wireless technologies to connect to a network. Although handoff between access points within a single network is well known, handoff between access points that run different wireless protocols is difficult. Here, users expect seamless mobility despite the change of network. In addition, to protect networks from unwanted intrusion, multiple firewalls may be used at locations across a network. One negative effect of firewalls is that they prevent users from freely accessing their own networks. Users therefore need a solution that provides both mobility and secure access to their home network.
A Mobile IP system includes Mobile IP client software on the user terminal and a Mobile IP home agent (HA) in the network infrastructure. The home agent controls the topologically correct address of the mobile node (referred to here as the home address) and maintains a binding list with the current location of the mobile node (MN) (referred to here as the care-of address). The mobile node updates the home agent with its current care-of address. This can be done directly or, alternatively, by way of an intermediate foreign agent (FA). The home agent sets up a forward tunnel so that traffic from the topologically correct home address is redirected to the current care-of address. The tunnel results from packet encapsulation performed by the home agent. For reference, any non-mobile host may be called a communication node (CN).
Seamless IP mobility, when combined with a secure connection, allows users to access their home network from remote locations. Remote VPN technology allows such a connection between a mobile node and a VPN gateway (VPNgw) that is local to the communication node. A VPN solution combines tunneling and encryption to maintain a protected path from the security domain to a terminal that connects remotely from an insecure location outside that domain. VPN solutions are usually the preferred way to reach components inside a security domain.
One way to create a VPN tunnel across firewalls is to use the architecture shown in Fig. 1. Fig. 1 includes a TCP/IP layer 101, an internal mobile IP driver (i-MIP) 102, a VPN 103, an external mobile IP driver (x-MIP) 104, and two network interface drivers (network driver A 105 and network driver B 106). Here, the TCP/IP layer 101 can connect to network drivers A 105 and B 106 through three paths. The first path is through the i-MIP driver 102, the VPN 103 and the x-MIP driver 104. This is usually the most secure remote connection available. The second path is through the i-MIP driver 102 and the x-MIP driver 104. This is also a remote connection. The third path is directly from the TCP/IP layer 101 to the x-MIP driver 104. The third connection is used, for example, when the mobile node is inside the firewall that surrounds the communication node.
The approach of Fig. 1 cannot easily provide a seamless transition between network driver A 105 and network driver B 106. This is because the x-MIP driver 104 handles both the local connection path and the other paths. When the local connection path is in use, the x-MIP driver 104 can readily handle the information on that path. If the user then requests a VPN connection, the x-MIP driver 104 needs to drop the current connection, set up the VPN path, and then re-establish the connection with network driver A 105.
Accordingly, an improved system for seamless roaming is needed.
Summary of the invention
Aspects of the invention address one or more of the problems described above, thereby providing an environment in which wireless users can roam between networks.
Description of drawings
Fig. 1 shows a conventional tunneling system.
Fig. 2 shows a tunneling system according to aspects of the invention.
Fig. 3 shows a tunneling system according to another aspect of the invention.
Fig. 4 shows an illustrative architecture according to aspects of the invention.
Fig. 5 shows another illustrative architecture according to aspects of the invention.
Fig. 6 shows triple tunnels according to aspects of the invention.
Fig. 7 shows double tunnels according to aspects of the invention.
Fig. 8 shows data signals according to aspects of the invention.
Fig. 9 shows data signals using a proxy, according to aspects of the invention.
Figs. 10A-10L show data signals when a mobile node moves from an internal network to an external network, according to aspects of the invention.
Figs. 11A-11F show data signals when a mobile node moves from an external network to an internal network, according to aspects of the invention.
Figs. 12A-12K show data signals when a moving load moves from an internal network to an external network, according to aspects of the invention.
Figs. 13A-13S show one example, according to aspects of the invention, of data signals when a mobile node switches between the double MIP tunnel and the triple tunnel.
Figs. 14A-14NN show another example, according to aspects of the invention, of data signals when a mobile node switches between the double MIP tunnel and the triple tunnel.
Figs. 15A-15BB show, according to aspects of the invention, data flow between architectural items relating to Figs. 14A-14NN.
Figs. 16A-16D show illustrative examples of trigger packet handling according to aspects of the invention.
Figs. 17A-17I show registration from the external home agent, according to aspects of the invention.
Fig. 18 shows data flow relating to an i-MIP registration method that uses a VPN tunnel, according to aspects of the invention.
Fig. 19 shows data flow relating to an i-MIP registration method that uses the internal network, according to aspects of the invention.
Embodiment
Aspects of the invention relate to enabling secure network roaming. Note that various connections between elements are set out in the following description. Note also that, unless otherwise specified, these connections may in general be direct or indirect, and this specification is not intended to be limiting in this respect.
The following description is divided into sections to assist the reader: terms; general architecture; data flow; security considerations and responses; and detailed data flows and routing tables.
Term
A list of the terms used in this application is provided below:
Network nodes:
a. MN: mobile node
b. CH: communication host (correspondent host)
c. x-HA: external home agent (SMG)
d. i-HA: internal home agent
e. VPN-GW: VPN gateway
MN network interfaces (including pseudo interfaces):
a. phy-IF: physical interface (wired Ethernet or wireless interface)
b. i-MIP-tun: internal MIP tunnel interface (pseudo device)
c. x-MIP-tun: external MIP tunnel interface (pseudo device)
d. VPN-tun: VPN tunnel interface (pseudo device)
IP addresses:
All IP addresses are written with the suffix "addr/i" or "addr/x". Here, "/i" denotes an internal address and "/x" denotes an external address. The boundary between "/i" and "/x" is set at the VPN-GW, but it can be modified as required. Messages from or to a "/x" address may or may not be protected (for example, by encryption).
a. cell-addr/x: location address in the cellular network
b. hs-addr/x: location address in the hotspot network
c. cell-router-addr/x: default router address in the cellular network
d. hs-router-addr/x: default router address in the hotspot network
e. ho-router-addr/x: default router address in the home network
f. i-HA-addr/i: IP address of the i-HA
g. i-HoA-addr/i: home address handled by the i-HA
h. x-HA-addr/x: IP address of the x-HA
i. x-HoA-addr/x: home address handled by the x-HA
j. CH-addr/i: address of the CH in the internal network
k. VPNgw-addr/x: IP address of the VPN gateway
l. VPNinn-addr1/i: VPN tunnel inner address assigned to the MN end of the tunnel
m. VPNinn-addr2/i: VPN tunnel inner address assigned to the VPN end of the tunnel
n. N-addr/i: internal network address
General architecture
Fig. 2 shows a general architecture for one or more aspects of the invention. The TCP/IP layer 201 exchanges information with the i-MIP driver 202. The i-MIP driver 202 can communicate with network drivers A 205 and B 206 directly, through the x-MIP driver 204, or through the combination of the VPN 203 and the x-MIP driver 204. In addition, Fig. 2 includes network driver A 205 and network driver B 206, which can be accessed by the i-MIP driver 202 and the x-MIP driver 204.
Fig. 3 shows an example of the interfaces on the i-MIP driver and the x-MIP driver. Fig. 3 includes a controller 301, an i-MIP driver 302, an x-MIP driver 303 and three network adapters A-C 304-306. For purposes of illustration, the network adapters can include Wi-Fi, cellular, Bluetooth and other wireless technologies. Note that Wi-Fi and cellular technology need not both be present in the system. Alternative combinations are also possible.
Fig. 3 shows the i-MIP driver 302 with a number of interfaces. These interfaces allow the i-MIP driver 302 to connect to the various network adapters 304-306. The x-MIP driver 303 has a similar set of interfaces (which may or may not be identical). The various interfaces allow the i-MIP driver 302 and the x-MIP driver 303 to communicate with the network adapters independently of one another. In contrast to Fig. 1, the i-MIP driver 302 can connect directly to the network adapters 304-306. While the i-MIP driver 302 is communicating with one of the network adapters 304-306, the x-MIP driver 303 can set up a new communication path (or tear one down) with another of the network adapters 304-306 that the i-MIP driver 302 is not currently accessing. This allows the system to create paths that permit seamless roaming between the different networks reachable through the network adapters 304-306.
Fig. 4 shows an illustrative example of an architecture according to aspects of the invention. The architecture shown in Fig. 4 may be a UNIX-based system. It can include an application program 401, a TCP/IP layer 403, a WLAN interface 404, a cellular interface 405, an i-MIP interface 406, a VPN interface 407 and an x-MIP interface 408. In this UNIX-based example, the software includes application-level programs and kernel-level modules. At the application level, there may be several application programs that can communicate with other nodes in the network.
Here, an additional program called the secure universal mobility controller 402 is added at the application level. The secure universal mobility controller 402 controls the network interfaces and some kernel-level tables in order to manage secure universal mobility. It communicates with the routing table 409 and the Security Policy Database 410.
Packet paths are shown in Fig. 4 with large arrows, and control paths are shown with small arrows.
The TCP/IP module 403 receives packets from the application programs and the network interfaces, and forwards them to other applications or interfaces according to the routing table 409 and the Security Policy Database 410. The Security Policy Database (SPD) 410 determines which IP packets are to be encrypted or decrypted, and how. The routing table 409 determines where IP packets are forwarded.
Some network interface drivers have a physical network device that is connected to a real network, for example wired Ethernet, a wireless local area network (LAN) or a cellular network. Other network interfaces may have no physical device, but receive packets from the TCP/IP layer, process them, and send them back to the TCP/IP layer. These network interfaces are called pseudo network interfaces. Pseudo network interfaces handle, for example, Mobile IP or VPN processing. The MIP interface encapsulates IP packets, or decapsulates IP-in-IP packets. The VPN interface encrypts IP packets, or decrypts encrypted packets.
Fig. 5 shows another form of architecture that can be used with the invention. Here, the TCP/IP layer may be Windows-based. Fig. 5 includes one or more applications 500 and a controller 501. The controller 501 controls the various drivers and routing tables and manages network-related state (such as wireless signal strength, network location and so on). The controller 501 may or may not be separated into several processes. The separate processes can include access point (AP) selection software 502, a VPN client 503, an i-MIP client 504, an x-MIP client 505 and other processes (including, for example, the 1xrtt SDK 506).
The TCP/IP driver 507 can handle transport-layer functions (for example, UDP or TCP) and network-layer functions (for example, IP). The routing table 515 holds the routing information for the TCP/IP driver 507 and lets the TCP/IP driver 507 know where to forward packets. The i-MIP driver 508 processes i-MIP packets for receiving and sending. The VPN driver 509 processes VPN packets. The x-MIP driver 510 processes x-MIP packets. The network interface drivers (for example, the WLAN driver 511 and the 1x/rtt driver 513) process packets for the corresponding interface devices (for example, interface cards 512 and 514 respectively).
The drivers above may or may not be controlled by application-level software. Packet paths are shown in Fig. 5 with large arrows, and control paths are shown with small arrows.
Data flow
Fig. 6 shows various data flows according to aspects of the invention. Fig. 6 includes a communication node (correspondent node) 601 with an internal home agent i-HA 602. Fig. 6 includes two firewalls 603 and 604. Firewall 603 filters outbound packets, and firewall 604 filters inbound packets. Between firewalls 603 and 604 are the IPsec gateway 606 and the external home agent x-HA 605. Outside firewall 604 is the mobile node 607. For simplicity, the region inside firewall 603 is called the internal network. The region outside firewall 604 is called the external network. The region between firewalls 603 and 604 is called the demilitarized zone (DMZ).
To carry data between the mobile node 607 and the communication host 601, various tunnels can be set up to pass information through firewalls 603 and 604. A first tunnel can include the x-MIP tunnel 608, which allows packets to be sent from the mobile node 607 to the x-HA 605. A second tunnel can include the IPsec tunnel 609. A third tunnel can include the i-MIP tunnel 610.
Here, external mobile IP (x-MIP) (per the previous figures) provides external IP mobility. IPsec-tunneled packets are carried in the x-MIP tunnel 608 in order to provide mobility for the IPsec tunnel 609. For this purpose, the external home agent (x-HA) 605 resides in the DMZ. The DMZ can be managed by the enterprise, or by an operator that provides enterprise firewall services.
Internal mobile IP (i-MIP) (per the previous figures) provides internal IP mobility. It supports handoff not only within the internal network but also between the internal and external networks. For the latter reason, i-MIP is used even when the mobile node (MN) 607 is in the external network. To provide i-MIP, the internal home agent (i-HA) 602 resides in the internal network.
Aspects of the invention use IPsec to protect traffic exchanged between the internal network and the MN 607 in the external network. For this purpose, the IPsec gateway resides either in the DMZ (between firewalls 603 and 604) or in the internal network (inside firewall 603).
While the mobile node 607 is in the external network, an IPsec tunnel once established between the mobile node 607 and the IPsec gateway 606 may or may not remain established. The IPsec tunnel 609 may be terminated by either end of the tunnel for a number of reasons, such as an inactivity timeout or reaching the maximum number of simultaneously established IPsec tunnels.
Aspects of the invention may or may not allow limited types of packets to be forwarded from the internal network to the MN 607 in the external network without using the IPsec tunnel, so that the MN 607 can receive incoming application calls while away from the internal network without having to keep an IPsec connection up at all times.
Fig. 7 shows an alternative to the approach of Fig. 6, in which the x-MIP tunnel 608 and the i-MIP tunnel 610 are established without the IPsec tunnel of Fig. 6.
With respect to the various tunnels, this model allows two modes of operation while the MN is in the external network, depending on whether the IPsec tunnel 609 has been established. The two modes are the MIP-IPsec-MIP encapsulation mode of Fig. 6 and the MIP-MIP encapsulation mode of Fig. 7, respectively.
Security consideration and response
Security is important to VPN users. The following sections describe various security threats relating to the MIP-IPsec-MIP encapsulation mode of Fig. 6 and/or the MIP-MIP encapsulation mode of Fig. 7.
Threat 1: DoS attack on the i-HA
Aspects of the invention allow the MN 607 in the external network to perform i-MIP registration. Therefore, if i-MIP registration is compromised, an attacker in the external network may be able to mount a DoS (Denial of Service) attack to modify or remove the MIP binding cache on the i-HA 602. i-MIP registration may be compromised if registration request messages are not protected by a mechanism that is as strong as the typical MAC (Message Authentication Code) algorithms used for IPsec and that supports re-keying.
Threat 2: Information leakage
Aspects of the invention allow some packets to be forwarded from the internal network to the MN 607 in the external network without using the IPsec tunnel 609. There is a possibility that enterprise information could be sent to the external network in cleartext.
Threat 3: False incoming calls and virus infection
Aspects of the invention allow the MN 607 in the external network to open one or more TCP/UDP ports in order to receive incoming calls from the internal network. An attacker could therefore send forged incoming calls to the open ports, causing the MN 607 to spend resources processing the incoming call and setting up the IPsec tunnel 609 in order to respond to the caller. Depending on how incoming calls are processed, the MN 607 could receive a virus rather than a genuine incoming call and become infected. Such a virus could cause damage to various entities, including hijacking connections and erasing hard disks, and once an IPsec tunnel has been established it would affect the overall security of the internal network.
Handling of Threat 1:
For Threat 1, aspects of the invention provide that i-MIP registration request messages sent by the MN 607 in the external network are always carried through the IPsec tunnel, so that registration request messages receive the same level of protection as IPsec. If no IPsec tunnel exists, the MN 607 first establishes the IPsec tunnel 609 and then sends the i-MIP registration request through the tunnel 609. If the IPsec tunnel 609 is established automatically via IKE (Internet Key Exchange), re-keying is likewise supported by IKE. In this way, an acceptable level of security is provided for i-MIP registration requests. On the other hand, when the external home address (x-HoA) is used as the external care-of address (which is the case when MIP-MIP encapsulation tunnels are allowed), there is a possibility that the i-MIP registration reply message is delivered directly to the MN 607 by way of the x-HA 605, so the i-MIP registration reply message is not as secure as the i-MIP registration request message. While this may present a DoS attack on the MN 607, it is not a DoS attack on the i-HA, and this mode provides an acceptable level of security against Threat 1.
Handling of Threat 2:
Aspects of the invention generally do not allow traffic in the reverse direction (that is, traffic that originates in the external network and enters the internal network) to enter the internal network without the protection of the IPsec tunnel 609. Therefore, all traffic, including signaling and data packets, uses the IPsec tunnel 609, with two exceptions: the i-MIP registration reply message that is used to enter MIP-MIP encapsulation mode and is delivered directly by way of the x-HA 605 without encryption, and the first data packet sent from the internal network to the MN, which may be neither integrity protected nor encrypted. The i-MIP registration reply message contains internal topology information such as the IP address of the i-HA 602, but does not contain any application data. The first data packet is typically a TCP-SYN or SIP INVITE message, which is used to initiate a connection and does not contain any important data. Therefore, if the firewall router in the DMZ is configured so that only limited types of packets can pass into the external network without IPsec protection, no important information is leaked for these messages, and Threat 2 is mitigated.
Handling of Threat 3:
To minimize the possibility of false incoming calls, the MN 607 device can be configured with a personal firewall so that only limited types of packets are accepted as triggers for initiating establishment of the IPsec tunnel 609. In addition, the MN 607 can limit the rate at which it accepts such trigger packets, to prevent resource-consuming DoS attacks. To minimize the possibility of virus infection, the MN 607 may or may not use an unprotected incoming packet only as a trigger for setting up the IPsec tunnel and silently discard it without processing the application payload of the packet, on the expectation that the trigger packet will be retransmitted by the sender and that the retransmitted packet will be carried through the IPsec tunnel 619 once the tunnel has been constructed and the i-MIP binding cache has been updated to use the VPN care-of address as the i-MIP care-of address.
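One way to express the Threat 3 handling above, as an added example that is not part of the patent text: an unprotected packet is accepted only as a rate-limited trigger for IPsec setup, and its payload is never handed to an application. The packet fields, port numbers and rate values are assumptions constructed for the illustration.

```python
"""Trigger-packet policy for a mobile node that has no IPsec tunnel up.

Added illustration. Packet fields, ports and rate values are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

DELIVER = "deliver-to-application"          # arrived inside the IPsec tunnel
TRIGGER = "start-ipsec-setup-and-discard"   # payload is dropped, tunnel setup begins
DROP = "discard"


@dataclass
class TriggerPolicy:
    allowed: frozenset   # (transport, message kind, destination port) accepted as triggers
    rate: float          # triggers accepted per second, sustained
    burst: int           # triggers accepted back to back
    _tokens: float = field(init=False)
    _last: Optional[float] = field(init=False, default=None)

    def __post_init__(self):
        self._tokens = float(self.burst)

    def _take_token(self, now):
        """Token bucket: refill by elapsed time, spend one token per trigger."""
        if self._last is not None:
            elapsed = max(0.0, now - self._last)
            self._tokens = min(float(self.burst), self._tokens + elapsed * self.rate)
        self._last = now
        if self._tokens < 1.0:
            return False
        self._tokens -= 1.0
        return True

    def decide(self, pkt, now):
        if pkt["via_ipsec"]:
            return DELIVER                   # protected traffic is processed normally
        key = (pkt["transport"], pkt["kind"], pkt["dport"])
        if key not in self.allowed:
            return DROP                      # personal-firewall allowlist
        if not self._take_token(now):
            return DROP                      # over the trigger rate limit
        return TRIGGER                       # sender is expected to retransmit via IPsec


# Constructed sample traffic: (arrival time in seconds, packet).
SAMPLE = [
    (0.0, dict(transport="tcp", kind="syn", dport=5060, via_ipsec=False, payload=b"")),
    (0.1, dict(transport="udp", kind="sip-invite", dport=5060, via_ipsec=False, payload=b"INVITE")),
    (0.2, dict(transport="tcp", kind="syn", dport=5060, via_ipsec=False, payload=b"")),
    (0.3, dict(transport="tcp", kind="data", dport=5060, via_ipsec=False, payload=b"\x90\x90")),
    (0.4, dict(transport="tcp", kind="syn", dport=8080, via_ipsec=False, payload=b"")),
    (1.5, dict(transport="tcp", kind="syn", dport=5060, via_ipsec=False, payload=b"")),
    (1.6, dict(transport="tcp", kind="data", dport=5060, via_ipsec=True, payload=b"hello")),
]


def run_sample():
    policy = TriggerPolicy(
        allowed=frozenset({("tcp", "syn", 5060), ("udp", "sip-invite", 5060)}),
        rate=1.0,
        burst=2,
    )
    return [policy.decide(pkt, now) for now, pkt in SAMPLE]
```

The allowlist check runs before the rate limiter, so packets of a type that can never be a trigger do not consume the trigger budget.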
Detailed data flow and routing table
Following part has been described various situations, and these situations comprise the various data flow that aspect of the present invention is run into and the description of routing table.With the lower part situation of triple tunnels collection and the situation of double tunnel collection have been described.
The situation in triple tunnels always
First situation that will describe is called (always-triple) situation in triple tunnels always.Here, when mobile node (MN) when moving to external network, it always sets up the triple tunnels of i-MIP/VPN/x-MIP.
Situation
Detailed internet message and processing in comprising the various network nodes of mobile node have below been described.Mobile node can have various implementations.Describe below mobile node based on form with based on the version of UNIX.
MN network internally moves to the situation of external network
Following situation be wherein mobile node internally network move to a situation of external network.Figure 10 A-10L is used to illustrate this conversion.Here, system comprises communication host 601, i-HA 602, vpn gateway 1001 (being positioned at the inside of fire compartment wall 603), external home agent 605, fire compartment wall 604 and mobile node 607.Example has been described the restriction based on UNIX for mobile node 607 hereto.
Under initial condition, mobile node 607 determines where it is positioned at.This can be undertaken by checking network connection information (including, but not limited to Ethernet interface, WLAN interface, dialing PPP etc.), network configuration (being provided by DHCP, router advertisement or mobile agent) and/or WLAN/ cellular signal strength.
For moving of mobile node 607 is described, example suppose that mobile node 607 is arranged in internal network, and the routing table of mobile node is in initial condition (with reference to internal network) hereto.
In Figure 10 A, mobile node 607 moves in the cellular network.Mobile node 607 can detect moving of it according to intensity or other location identification technologies of for example WLAN signal.
The PPP interface of mobile node 607 receives IP address and routing iinformation.Next mobile node 607 changes its routing table according to this information.Figure 10 A shows the routing table of mobile node 607.
Figure 10 B and 10C have described the x-MIP registration.In Figure 10 B, mobile node 607 sends the x-MIP login request message to x-HA 605, and receives the x-MIP registration reply message from x-HA 605.After mobile node 607 was arrived in the successful response of x-HA 605 transmissions, x-HA 605 upgraded its mobility bindings.After x-HA 605 receives success response, be used for the reverse tunnel of x-MIP at mobile node 607 if desired, then mobile node 607 adds new clauses and subclauses in its routing table.The configuration of external firewall can require to be used for the reverse tunnel of x-MIP.The more IP bags that send to any address the internal network from MN are considered to the tunnel transmission by x-MIP.Figure 10 B and 10C show the renewal to form.
Also can be with reference to the part of make-before-break as described below (Make-Before-Break).
Figures 10D and 10E depict establishment of the VPN tunnel. After x-MIP registration succeeds, mobile node 607 requests that VPN-gw 1001 establish a VPN tunnel through the x-MIP tunnel. If the VPN is established successfully, mobile node 607 creates an entry in its security policy database (SPD) and updates its routing table so that further IP packets exchanged between mobile node 607 and the internal network (except packets sent to the VPN-gw address and the DMZ) are sent through the VPN/x-MIP tunnel.
VPN-gw 1001 also updates its SPD in order to communicate with mobile node 607. These updates are shown in Figures 10D and 10E.
Figures 10F and 10G illustrate i-MIP registration. After the VPN connection is established successfully, mobile node 607 sends an i-MIP registration request through the VPN/x-MIP tunnel. If i-HA 602 accepts the registration request, i-HA 602 updates its mobility binding table and replies to mobile node 607. After mobile node 607 receives the successful reply message, it changes the entries in its routing table so that further IP packets exchanged between mobile node 607 and the internal network (except the address of VPN-gw 1001, the DMZ, and i-MIP update packets sent to i-HA 602) are sent through the VPN/x-MIP tunnel.
Figures 10F and 10G show the modified tables.
Figure 10H depicts sending data through the triple tunnel. When mobile node 607 sends an IP packet to communication node 601 (CH-addr/i), the IP layer of mobile node 607 consults the routing table and looks up the entry for N-addr/i. Here, mobile node 607 sees that the packet should be sent via the i-HA-tun interface. If reverse tunneling is required, the i-HA-tun interface encapsulates the packet with an i-MIP header. Next, mobile node 607 consults the routing table again. The destination address of the packet is now i-HA-addr/i, however. Mobile node 607 looks up the entry for i-HA-addr/i, which indicates that the packet should be sent via the VPN-tun interface. The outbound SPD can indicate that packets sent to the internal network should be encrypted. The VPN-tun interface therefore encrypts the packet, encapsulates it with IPsec ESP, and, according to the SPD, marks it to be sent to VPNgw-addr/x.
Next, when the new packet arrives, mobile node 607 consults the routing table and looks up the entry for VPNgw-addr/x, which indicates that the packet should be sent via the x-MIP-tun interface. If reverse tunneling is required, the x-MIP-tun interface encapsulates the packet with an x-MIP header. x-MIP-tun marks the packet to be sent to x-HA-addr/x. Mobile node 607 consults the routing table and looks up the entry for x-HA-addr/x. This entry indicates that the packet should be sent via the cellular interface. The packet is finally sent via the cellular interface to cellrouter-addr/x as the first hop.
Figure 10H shows the relevant tables.
Figure 10I describes receiving data through the triple tunnel. When the cellular interface of mobile node 607 receives a packet through the triple tunnel, the IP layer of mobile node 607 examines the outermost IP header of the packet. The protocol field of the header shows that it is an IP-in-IP (x-MIP) packet, so the MIP layer decapsulates the outermost IP-in-IP header. The next IP header shows that it contains IPsec ESP, so the VPN interface decrypts the packet. The next IP header shows that it is an IP-in-IP (i-MIP) packet, so the MIP layer decapsulates the packet. Finally, the innermost IP header appears, and the packet is received and processed by the application.
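The send and receive paths described above can be modelled as repeated routing-table lookups, each tunnel interface adding one header and a new outer destination. The following Python sketch is an added example, not code from the patent: the numeric addresses are constructed stand-ins for the symbolic names (CH-addr/i, i-HA-addr/i, VPNgw-addr/x, x-HA-addr/x), the function names are hypothetical, and the double-tunnel table follows the routing entries the description gives for the double MIP case. It also checks two things an operator would care about: whether internal traffic actually passes through ESP, and whether a missing host route makes the lookup loop.

```python
import ipaddress

IPIP, ESP = 4, 50  # IANA protocol numbers for IP-in-IP and IPsec ESP

# Constructed sample addresses standing in for the symbolic names in the text.
CH, I_HA = "10.1.0.20", "10.1.0.2"           # CH-addr/i, i-HA-addr/i
VPN_GW, X_HA = "192.0.2.10", "198.51.100.5"  # VPNgw-addr/x, x-HA-addr/x

# Tunnel interface -> (protocol of the header it adds, new outer destination).
TUNNELS = {
    "i-HA-tun": (IPIP, I_HA),     # i-MIP header
    "VPN-tun": (ESP, VPN_GW),     # IPsec ESP, per the outbound SPD
    "x-MIP-tun": (IPIP, X_HA),    # x-MIP header
}

# Mobile-node routing table in triple-tunnel mode (i-MIP/VPN/x-MIP).
TRIPLE = [
    ("10.1.0.0/16", "i-HA-tun"),       # N-addr/i: the internal network
    (I_HA + "/32", "VPN-tun"),         # host route for the i-HA
    (VPN_GW + "/32", "x-MIP-tun"),
    (X_HA + "/32", "cellular"),
    ("0.0.0.0/0", "cellular"),
]
# Double-tunnel mode (i-MIP/x-MIP): the i-HA is reached straight over x-MIP.
DOUBLE = [
    ("10.1.0.0/16", "i-HA-tun"),
    (I_HA + "/32", "x-MIP-tun"),
    (X_HA + "/32", "cellular"),
    ("0.0.0.0/0", "cellular"),
]
# Misconfiguration: the i-HA host route is missing from the triple table.
BROKEN = [r for r in TRIPLE if r[0] != I_HA + "/32"]


class RoutingLoop(Exception):
    """A tunnel interface was selected twice for the same packet."""


def lookup(table, dst):
    """Longest-prefix match; returns the outgoing interface name."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError("no route to " + dst)
    return best[1]


def encapsulate(table, dst):
    """Return (headers added, innermost first, and the physical interface)."""
    layers, seen = [], set()
    while True:
        iface = lookup(table, dst)
        if iface not in TUNNELS:
            return layers, iface           # reached a physical interface
        if iface in seen:
            raise RoutingLoop(iface + " selected twice for " + dst)
        seen.add(iface)
        proto, dst = TUNNELS[iface]        # re-route on the new outer destination
        layers.append((iface, proto, dst))


def decapsulate(layers):
    """Receive side: dispatch on each protocol field, outermost header first."""
    handlers = {IPIP: "MIP", ESP: "VPN"}
    return [handlers[proto] for _, proto, _ in reversed(layers)] + ["application"]


def internal_traffic_encrypted(table, internal_hosts):
    """True only if every listed internal destination is carried inside ESP."""
    return all(
        any(proto == ESP for _, proto, _ in encapsulate(table, host)[0])
        for host in internal_hosts
    )


if __name__ == "__main__":
    for name, table in (("triple", TRIPLE), ("double", DOUBLE)):
        layers, phys = encapsulate(table, CH)
        print(name, [l[0] for l in layers], "->", phys,
              "| ESP:", internal_traffic_encrypted(table, [CH]))
```

Running the same check against the double-tunnel table shows that internal destinations are reachable without an ESP layer, which is the property that distinguishes the double and triple modes.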
Figure 10J shows mobile node 607 moving to another external network (for example, a hotspot). When in the new network, mobile node 607 detects its movement based on WLAN signal strength or other processing. The WLAN network interface of mobile node 607 receives an IP address and routing information. Next, mobile node 607 updates its routing table according to this information. This update is shown in Figure 10J.
Figures 10K and 10L show the x-MIP update change. Here, mobile node 607 sends an x-MIP registration request message to x-HA 605 and receives an x-MIP registration reply message from x-HA 605. When x-HA 605 sends a success response to mobile node 607, x-HA 605 updates its mobility binding. Note that mobile node 607 does not need to modify its connections to the VPN and i-MIP.
Case where the MN moves from the external network to the internal network
Figures 11A-11F show a system in which mobile node 607 moves from the external network to the internal network. The following describes a UNIX-based implementation of mobile node 607.
In Figure 11A, mobile node 607 moves back to the home network. Here, the premise of this example is that mobile node 607 has moved to the internal network. Mobile node 607 detects its movement based on WLAN signal strength and the like. When WLAN signal strength is used to determine the position of the MN, the WLAN network interface of the MN obtains an IP address and routing information. Mobile node 607 updates its routing table according to this information.
At this point, mobile node 607 communicates with correspondent node 601 without any tunnel. If one is not concerned about VPN-gw 1001 and x-HA 605, mobile node 607 can simply destroy and clean up the tunnel information when desired. Alternatively, one can keep the tunnels open.
The following shows how to destroy the tunnels. Here, x-HA 605 and VPN-gw 1001 are allowed to release their resources immediately.
Mobile node 607 can first send an i-MIP deregistration request to i-HA 602. This removes the delay caused by tunnel disconnection and allows communication with the CN to continue. When i-HA 602 receives the deregistration request, it removes the entry from its mobility binding and replies to mobile node 607. After mobile node 607 receives the successful deregistration response, mobile node 607 updates the entry for N-addr/i in its table so that it communicates with nodes in the internal network directly through the network interface. Figures 12J and 12K show this processing.
Figure 11B shows the updating of x-MIP (if necessary). Two cases can apply:
a. Case 1: mobile node 607 cannot use the network interface that was used in the external network. For example, mobile node 607 reuses the same network interface that it used in the external network, so that once it moves into the internal network the interface has an IP address different from the one set in the external network.
b. Case 2: mobile node 607 can use the network interface that was used in the external network. In other words, mobile node 607 has at least two network interfaces (physical or virtual) that can be used simultaneously.
For example, mobile node 607 uses the cellular interface in the external network and the WLAN interface in the internal network.
If case 1 applies, mobile node 607 needs to update x-MIP (see Figures 11B and 12I). Mobile node 607 registers i-HoA-addr/i as the x-MIP CoA. x-HA 605 updates its mobility binding so that the tunnel is established again.
If case 2 applies, then, as shown in the following figures, mobile node 607 can use the network interface without updating x-MIP.
Figures 11C and 11D show disconnection of the VPN tunnel. Mobile node 607 sends a VPN disconnect request through the x-MIP tunnel. VPN-gw 1001 removes the entry for mobile node 607 from its SPD. Mobile node 607 also removes the entry for VPN-gw 1001 from its SPD and updates its routing table. This releases the resources used by the VPN, and mobile node 607 stops using the VPN.
Figures 11E and 11F show x-MIP deregistration. Mobile node 607 sends an x-MIP deregistration request message to x-HA 605 and receives an x-MIP deregistration response message from x-HA 605. When x-HA 605 sends a success response to mobile node 607, x-HA 605 removes the mobility binding entry for mobile node 607.
After mobile node 607 receives the success response from x-HA 605, mobile node 607 removes the entries from its routing table. This makes all the tunnels disappear. Finally, mobile node 607 returns to the same state as the initial state.
Case where the MN moves from the internal network to the external network (Windows-based node)
Figures 12A-12K depict the case in which mobile node 607 moves from the internal network to the external network (using a Windows-based mobile node). In some places, reference is made to other figures that relate to the mobile node moving from the internal network to the external network.
Figures 13A-13T show the signal exchange among the components of the mobile node.
In this case, NIC1 1310 is assumed to be an interface such as WLAN or wired LAN. NIC2 1311 is assumed to be an interface such as cellular or some other protocol.
Figure 12A shows mobile node 607 starting to transmit data. Referring to Figure 13A, the following processing can be used:
a. Application 1301 sends data to TCP/IP driver 1303. TCP/IP driver 1303 adds the TCP/IP header to the data, using routing table 1304.
b. Next, the packet is sent to NIC1 driver 1308. NIC1 driver 1308 creates a packet specific to NIC1 1310 from this data.
c. Next, the data is sent to NIC1 1310.
Figures 12B and 13B show an example in which mobile node 607 receives data. The actions inside mobile node 607 are as follows:
a. NIC1 1310 receives the data and sends it to NIC1 driver 1308.
b. NIC1 driver 1308 creates its specific packet for TCP/IP 1303.
c. NIC1 driver 1308 then sends the data to TCP/IP driver 1303.
d. TCP/IP driver 1303 removes the TCP/IP header.
e. TCP/IP driver 1303 then forwards the data to application 1301.
Figures 10B and 13C depict mobile node 607 creating an x-MIP registration request. The internal actions of mobile node 607 can include:
a. Controller 1302 sends a signal to x-MIP driver 1307.
b. x-MIP driver 1307 creates the x-MIP registration request and sends it to NIC2 driver 1312.
c. NIC2 driver 1312 creates its specific packet for NIC2 1311 and forwards it to NIC2 1311.
Figures 10C and 13D show mobile node 607 receiving the x-MIP registration reply. The internal actions can include:
a. NIC2 1311 receives the x-MIP registration reply and sends it to NIC2 driver 1309.
b. NIC2 driver 1309 creates its specific packet for x-MIP driver 1307 and sends it to x-MIP driver 1307.
c. x-MIP driver 1307 receives the data and forwards it to controller 1302.
d. Controller 1302 then updates routing table 1304.
Figures 10D and 13E show mobile node 607 creating a VPN connection request. Referring to Figure 13E:
a. Controller 1302 sends a signal to VPN driver 1306.
b. VPN driver 1306 creates packets containing IKE or another protocol and forwards them to x-MIP driver 1307.
c. x-MIP driver 1307 adds the x-MIP header to the packet and forwards it to NIC2 driver 1308.
d. NIC2 driver 1309 creates its specific packet for NIC2 1311 from the packet and sends it to NIC2 1311.
In Figures 10E and 13F, mobile node 607 receives the VPN connection response. The internal actions are as follows:
a. NIC2 1311 receives the VPN connection response and sends it to NIC2 driver 1309. NIC2 driver 1309 creates its specific packet for x-MIP driver 1307 and sends the data to x-MIP driver 1307. x-MIP driver 1307 receives it, removes the x-MIP header, and sends it to VPN driver 1306.
b. VPN driver 1306 receives the data and forwards it to controller 1302.
c. Controller 1302 then updates routing table 1304.
Figures 10F and 13G depict mobile node 607 creating an i-MIP registration request. Referring to Figure 13G:
a. Controller 1302 sends a signal to i-MIP driver 1305. i-MIP driver 1305 creates the i-MIP registration request and sends it to VPN driver 1306.
b. VPN driver 1306 encrypts the request, adds header information, and then sends it to x-MIP driver 1307. x-MIP driver 1307 adds the x-MIP header information and sends it to NIC2 driver 1309.
c. NIC2 driver 1309 creates its specific packet for NIC2 1311 from the signal and sends it to NIC2 1311.
Figures 10G and 13H relate to mobile node 607 receiving the i-MIP registration reply. The actions in Figure 13H are as follows:
a. NIC2 1311 receives the i-MIP registration reply and sends it to NIC2 driver 1309. NIC2 driver 1309 creates its specific packet for x-MIP driver 1307 and forwards the packet.
b. x-MIP driver 1307 receives it, removes the x-MIP header, and sends it to VPN driver 1306.
c. VPN driver 1306 decrypts it and sends it to i-MIP driver 1305.
d. i-MIP driver 1305 receives and processes the data.
e. Finally, the information is forwarded to controller 1302, where routing table 1303 is updated.
Figures 10H and 13I relate to the mobile node sending application data to the communication host. The actions of the mobile node, according to Figure 13I, are as follows:
a. The application creates data and sends it to the TCP/IP driver.
b. The TCP/IP driver adds a header and, after consulting the routing table, sends it to the i-MIP driver.
c. The i-MIP driver adds the i-MIP header and sends the data to the VPN driver.
d. VPN driver 1306 encrypts it, adds a header, and then sends it to the x-MIP driver.
e. The x-MIP driver adds the x-MIP header and sends the data to the NIC2 driver. The NIC2 driver creates its specific packet for NIC2 from it and sends it to NIC2.
f. NIC2 transmits the packet to its next hop.
Figures 10I and 13J show the processing when mobile node 607 receives application data from communication host 601. Figure 13J shows the data flow inside mobile node 607.
a. NIC2 1311 receives the data and sends it to NIC2 driver 1309.
b. NIC2 driver 1309 creates its specific packet for x-MIP driver 1307 from this data and sends it to x-MIP driver 1307.
c. x-MIP driver 1307 receives it, removes the x-MIP header, and sends it to VPN driver 1306.
d. VPN driver 1306 decrypts it and sends the decrypted packet to i-MIP driver 1305.
e. i-MIP driver 1305 removes the i-MIP header and sends the packet to TCP/IP driver 1303.
f. TCP/IP driver 1303 removes the header and sends the packet to application 1301.
Figures 10K and 13K show the processing for changing between network interfaces when mobile node 607 moves to a hotspot. Figure 13K shows the processing inside mobile node 607. Here, the mobile node sends an x-MIP registration request.
a. Controller 1302 sends a signal to x-MIP driver 1307.
b. x-MIP driver 1307 creates the x-MIP registration request and sends it to NIC1 driver 1308.
c. NIC1 driver 1308 creates the specific packet for NIC1 1310 from this packet and sends it to NIC1 1310.
d. NIC1 1310 then transmits the packet to the network.
Figures 10L and 13L depict mobile node 607 when it receives the x-MIP registration response. Figure 13L shows the processing inside mobile node 607.
a. NIC1 1310 receives the x-MIP registration response and sends it to NIC1 driver 1308.
b. NIC1 driver 1308 creates the specific packet for x-MIP driver 1307 from the packet and sends it to x-MIP driver 1307.
c. x-MIP driver 1307 receives the packet and forwards it to controller 1302.
Figures 12C and 13M show the processing when mobile node 607 sends application data to communication host 1301. Figure 13M shows the processing inside mobile node 607.
a. Application 1301 creates data and sends it to TCP/IP driver 1303. TCP/IP driver 1303 adds a header and, after checking routing table 1304, sends it to i-MIP driver 1305.
b. i-MIP driver 1305 adds the i-MIP header and sends the packet to VPN driver 1306.
c. VPN driver 1306 encrypts it, adds a header, and sends it to x-MIP driver 1307.
d. x-MIP driver 1307 adds the x-MIP header and sends the packet to NIC1 driver 1308.
e. NIC1 driver 1308 creates the specific packet for NIC1 1310 from the packet and sends it to NIC1 1310.
f. NIC1 1310 then forwards the packet into the network.
Figures 12D and 13N show mobile node 607 receiving application data from communication host 601. Figure 13N shows the internal processing of mobile node 607.
a. NIC1 1310 receives the data and sends it to NIC1 driver 1308.
b. NIC1 driver 1308 creates the specific packet for x-MIP driver 1307 from this data and sends the packet to x-MIP driver 1307.
c. x-MIP driver 1307 receives the packet, removes the x-MIP header, and sends the packet to VPN driver 1306.
d. VPN driver 1306 decrypts it and sends the decrypted packet to i-MIP driver 1305.
e. i-MIP driver 1305 removes the i-MIP header and sends the packet to TCP/IP driver 1303.
f. TCP/IP driver 1303 removes the header and sends the packet to application 1301.
Figure 12E shows the processing when mobile node 607 moves back to the cellular network.
Figures 12F and 12G show the processing related to x-MIP registration. In Figure 12F, mobile node 607 sends an x-MIP registration request message to x-HA 605 and receives an x-MIP registration reply message from x-HA 605. After x-HA 605 sends a successful response to mobile node 607, x-HA 605 updates its mobility binding. After mobile node 607 receives the success response from x-HA 605, if a reverse tunnel is required for x-MIP, mobile node 607 adds new entries to its routing table. The configuration of the external firewall may require a reverse tunnel for x-MIP. Further IP packets sent from the MN to any address in the internal network are considered to be transmitted through the x-MIP tunnel.
Figures 12H and 12I show sending data through the triple tunnel. When mobile node 607 sends an IP packet to communication node 601 (CH-addr/i), the IP layer of mobile node 607 consults the routing table and looks up the entry for N-addr/i. Here, mobile node 607 sees that the packet should be sent via the i-HA-tun interface. If reverse tunneling is required, the i-HA-tun interface encapsulates the packet with an i-MIP header. Next, mobile node 607 consults the routing table again. The destination address of the packet is now i-HA-addr/i, however. Mobile node 607 looks up the entry for i-HA-addr/i, which indicates that the packet should be sent via the VPN-tun interface. The outbound SPD can indicate that packets sent to the internal network should be encrypted. The VPN-tun interface therefore encrypts the packet, encapsulates it with IPsec ESP, and, according to the SPD, marks it to be sent to VPNgw-addr/x.
Next, when the new packet arrives, mobile node 607 consults the routing table and looks up the entry for VPNgw-addr/x, which indicates that the packet should be sent via the x-MIP-tun interface. If reverse tunneling is required, the x-MIP-tun interface encapsulates the packet with an x-MIP header. x-MIP-tun marks the packet to be sent to x-HA-addr/x. Mobile node 607 consults the routing table and looks up the entry for x-HA-addr/x. This entry indicates that the packet should be sent via the cellular interface. The packet is finally sent via the cellular interface to cellrouter-addr/x as the first hop.
Figure 12H shows the relevant tables.
Figure 12I describes receiving data through the triple tunnel. When the cellular interface of mobile node 607 receives a packet through the triple tunnel, the IP layer of mobile node 607 examines the outermost IP header of the packet. The protocol field of the header shows that it is an IP-in-IP (x-MIP) packet, so the MIP layer decapsulates the outermost IP-in-IP header. The next IP header shows that it contains IPsec ESP, so the VPN interface decrypts the packet. The next IP header shows that it is an IP-in-IP (i-MIP) packet, so the MIP layer decapsulates the packet. Finally, the innermost IP header appears, and the packet is received and processed by the application.
Figures 11B and 12J show the x-MIP update change. Here, mobile node 607 sends an x-MIP registration request message to x-HA 605 and receives an x-MIP registration reply message from x-HA 605. When x-HA 605 sends a successful response to mobile node 607, x-HA 605 updates its mobility binding. Note that mobile node 607 does not need to modify its connections to the VPN and i-MIP.
Figures 12K and 13O depict the mobile node creating an i-MIP deregistration request. The internal actions of mobile node 607 are described below:
a. Controller 1302 sends a signal to i-MIP driver 1305.
b. i-MIP driver 1305 creates the i-MIP deregistration request and sends it to VPN driver 1306.
c. The VPN driver encrypts it, adds a header, and sends the packet to x-MIP driver 1307.
d. x-MIP driver 1307 adds the x-MIP header and sends the packet to NIC1 driver 1308.
e. NIC1 driver 1308 creates its specific packet for NIC1 1310 from this packet and sends it to NIC1 1310.
f. NIC1 1310 then transmits it into the network.
Figures 12L and 13P depict mobile node 607 receiving the i-MIP deregistration reply.
a. NIC1 1310 receives the i-MIP deregistration reply and sends it to NIC1 driver 1308.
b. NIC1 driver 1308 creates the specific packet for x-MIP driver 1307 and sends it to x-MIP driver 1307.
c. x-MIP driver 1307 receives the packet, removes the x-MIP header, and sends the packet to VPN driver 1306.
d. VPN driver 1306 decrypts it and sends the packet to i-MIP driver 1305.
e. i-MIP driver 1305 receives and processes it, and alerts controller 1302.
f. The controller updates routing table 1304 for any changes.
Figures 11C and 13Q depict mobile node 607 creating a VPN disconnect request. Figure 11C was described above. Figure 13Q shows the internal signal flow of mobile node 607.
a. Controller 1302 sends a signal to VPN driver 1306.
b. VPN driver 1306 creates the VPN disconnect request and sends the request to x-MIP driver 1307.
c. x-MIP driver 1307 adds the x-MIP header to the request and forwards it to NIC1 driver 1308.
d. NIC1 driver 1308 creates the packet for NIC1 1310 and sends the packet to NIC1 1310.
e. NIC1 1310 then forwards the packet into the network.
Figures 11D and 13R depict mobile node 607 receiving the VPN disconnect response. Figure 11D was described above. Figure 13R shows the internal signaling of mobile node 607.
a. NIC1 1310 receives the VPN disconnect response and sends it to NIC1 driver 1308.
b. NIC1 driver 1308 creates the packet for x-MIP driver 1307 and forwards the packet to x-MIP driver 1307.
c. x-MIP driver 1307 receives it and removes the x-MIP header. The driver then sends the packet to VPN driver 1306.
d. VPN driver 1306 receives the packet, processes it, and forwards the information to controller 1302.
e. Controller 1302 then updates routing table 1304 with any updates.
Figures 11E and 13S depict mobile node 607 creating an x-MIP deregistration request. Figure 11E was described above. Figure 13S depicts the internal signaling of mobile node 607.
a. Controller 1302 sends a signal to x-MIP driver 1307.
b. x-MIP driver 1307 creates the x-MIP deregistration request and sends the request to NIC1 driver 1308.
c. NIC1 driver 1308 creates its specific packet for NIC1 1310 and forwards the packet to NIC1 1310.
d. NIC1 1310 then transmits the request into the network.
Figures 11F and 13T depict mobile node 607 receiving the x-MIP deregistration reply. Figure 11F was described above. Figure 13T depicts the internal signals of mobile node 607.
a. NIC1 1310 receives the x-MIP registration response and sends it to NIC1 driver 1308.
b. NIC1 driver 1308 creates the packet for x-MIP driver 1307 and forwards it to x-MIP driver 1307.
c. x-MIP driver 1307 receives the packet, processes it, and sends the information to controller 1302.
d. Controller 1302 then processes this information and sends any updates to routing table 1304.
Initial state of the mobile node
The initial state of mobile node 607 is described below. The initial state can include mobile node 607 determining where it is located. This can be done through a number of processes, including but not limited to determining its network connectivity and associated addresses (Ethernet interface, WLAN interface, dial-up PPP, etc.), its network configuration (provided by DHCP, router advertisement or mobility agent), and the WLAN/cellular signal strength.
Verifying the initial network settings in the MN
Next, mobile node 607 attempts to verify its initial network settings. This can include verifying some or all of its network settings. These settings may or may not include the network interface configuration, the routing table and the SPD. In addition, mobile node 607 can use DHCP, router advertisements and mobility agent advertisements to verify the network interface configuration and routing table. If necessary, mobile node 607 can update them as required.
Determining the mobility state of the mobile node
Next, mobile node 607 determines its mobility state. Mobile node 607 checks the network configuration pattern verified in the previous step and looks for the matching configuration among the possible mobility states.
For example, mobile node 607 may not have any specific mobility binding or SPD entries. The active network interface has the internal home address 602. The simplest network configuration is the one in which mobile node 607 is in the internal home network. This also offers the advantage that mobile node 607 can easily determine its internal home network.
Checking for triggers to change state
Mobile node 607 can check, regularly or occasionally, whether any trigger has occurred that indicates mobile node 607 should attempt to change its mobility state. For example, the fact that the internal WLAN signal strength is below a threshold can suggest that mobile node 607 should switch from the internal mode, operating inside firewall 603, to operating outside firewall 603. If mobile node 607 detects such a trigger, it can respond to the trigger or triggers immediately, or it can respond after a short interval (for example, checking whether the signal strength has increased after a few seconds, a few minutes, and so on).
Make-Before-Break
One aspect of mobile node 607, according to aspects of the present invention, is its ability to make a connection before breaking the previous connection. If, for example, a mobile node moves to a new network, the new connection can therefore be built before the old connection is ended. This allows the mobile node to change networks without losing connectivity to the home network.
For example, mobile node 607 can move from the internal WLAN network to the external cellular network. To achieve make-before-break, the MN continuously monitors the signal strength level of the WLAN. Before the internal WLAN signal strength falls below threshold A, the MN starts using the cellular network and establishes the x-MIP tunnel and the VPN tunnel as a backup path. When the signal level falls below another threshold (lower than threshold A by "B"), the MN sends an i-MIP registration request over the backup path and establishes the i-MIP tunnel. Mobile node 607 then disables the WLAN interface and starts using the i-MIP/VPN/x-MIP tunnel over cellular.
This method can remove the main contributors to handover delay, because PPP session establishment and VPN tunnel establishment have already been carried out before the switch-over.
Double MIP tunnel case
The double MIP tunnel case is described below. If the mobile node is not communicating with the internal network, then when mobile node 607 moves into the external network it can establish an i-MIP/x-MIP double tunnel. Once mobile node 607 detects that a VPN is needed, however, it may or may not automatically switch to the i-MIP/VPN/x-MIP triple tunnel mode.
Switching between double and triple tunnel modes
Switching between the double and triple tunnel modes is described below.
Double tunnel -> triple tunnel
So as not to start application traffic, the triggering packets can be queued until the triple tunnel has been established.
Triple tunnel -> double tunnel
When mobile node 607 and communication node 601 finish their application traffic, the VPN tunnel can be deleted.
Scenarios
The various network messages and the processing in the network nodes, including the mobile node, are described below. The mobile node can have various implementations. For example, it can include a UNIX-based architecture or a Windows-based architecture.
Scenario in which a UNIX-based mobile node switches from double to triple tunnels and back
The following scenario, described with reference to Figures 14A-14NN, is one in which a UNIX-based mobile node switches from the double tunnel to the triple tunnel and then switches back to the double tunnel.
Figure 14A shows communication host 1401, i-HA 1402 and VPN-gw 1403 inside firewall 1404. Figure 14A also includes SMG/x-HA 1405, which is outside firewall 1404 but still inside firewall 1406. Finally, mobile node 1407 is outside firewall 1406. Mobile node 1407 is supported by the external network. Mobile node 1407 can have a routing table with the following information:
a. Destination: default (all destinations), gateway/interface: local-router/x
Figure 14B shows mobile node 1407 when it detects that it is located on the external network. Here, mobile node 1407 creates an x-MIP registration request and sends it to SMG/x-HA 1405. The x-MIP registration request has the following information:
a. Source IP address: local-addr/x
b. Destination IP address: x-HA-addr/x (x-home agent address)
c. Home address: x-HoA-addr/x
d. Home agent: x-HA-addr/x
e. Care-of address = local-addr/x
f. Reverse tunnel request flag = true
g. Authentication extension value for x-HA
Figure 14C shows SMG/x-HA 1405 performing mobility binding. Here, when SMG/x-HA 1405 receives the x-MIP registration request, SMG/x-HA 1405 authenticates it using the authentication extension value. If authentication succeeds, SMG/x-HA 1405 constructs a mobility binding with the following information:
a. Home address: x-HoA-addr/x, care-of address: local-addr/x
SMG/x-HA 1405 can then send an x-MIP registration reply to mobile node 1407 with the following information:
a. Source IP address: x-HA-addr/x
b. Destination IP address: local-addr/x
c. Home address: x-HoA-addr/x
d. Home agent: x-HA-addr/x
When mobile node 1407 receives the x-MIP registration reply, mobile node 1407 can add entries to its routing table with the following information:
a. Destination: x-HA-addr/x, gateway/interface: local-router-addr/x
b. Destination: VPN-gateway-addr/x, gateway/interface: x-MIP-tunnel
c. Destination: internal-network-addr/i, gateway/interface: x-MIP-tunnel
Two methods of i-MIP registration are shown below. Other methods can also be used. The two methods are described below using "SMG" and "MIP".
Figure 14D shows SMG registration. Here, mobile node 1407 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1405:
a. Source IP address: local-addr/x
b. Destination IP address: x-HA-addr/x
c. Home address: i-HoA-addr/i
d. Home agent: i-HA-addr/i
e. Care-of address: x-HoA-addr/x
f. Authentication extension value for i-HA
g. Vendor extension for x-HA authentication
When SMG/x-HA 1405 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, changes the source and destination IP addresses to the following and sends the request to i-HA 1402:
a. Source IP address: x-HA-addr/x
b. Destination IP address: i-HA-addr/i
Figure 14E shows SMG registration. When i-HA 1402 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, i-HA 1402 creates a mobility binding with the following information:
a. Home address: i-HoA-addr/i, care-of address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1405:
a. Source IP address: i-HA-addr/i
b. Destination IP address: x-HA-addr/x
c. Home address: i-HoA-addr/i
d. Home agent: i-HA-addr/i
When SMG/x-HA 1405 receives the i-MIP registration reply, SMG/x-HA 1405 records a reverse mobility binding with the following information:
a. Source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used in split tunnel mode.
SMG/x-HA 1405 changes the source IP address and destination IP address to the following and sends the message to mobile node 1407:
a. Source IP address: x-HA-addr/x
b. Destination IP address: local-addr/x
When mobile node 1407 receives the i-MIP registration reply, it adds entries to its routing table with the following information:
a. Destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
b. Destination: internal network address/i, gateway/interface: i-MIP-tunnel
Figure 14F shows mobile node 1407 creating an i-MIP registration request with the following information and sending it to SMG/x-HA 1405:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: i-HA-addr/x
E. home address: i-HoA-addr/i
F. home agent: i-HA-addr/i
G. Care-of Address: x-HoA-addr/x
H. authentication extension value for i-HA
I. vendor extension for x-HA authentication
When SMG/x-HA 1405 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, removes the x-MIP source and x-MIP destination IP addresses and sends the request to i-HA.
Figure 14G shows the registration response. When i-HA 1402 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, i-HA 1402 creates a mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1405:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HoA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1405 receives the i-MIP registration reply, SMG/x-HA 1405 records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used in split tunnel mode.
SMG/x-HA 1405 adds the x-MIP source and x-MIP destination IP addresses as follows and sends the reply to mobile node 1407:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1407 receives the i-MIP registration reply, it adds entries to its routing table with the following information:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
There are at least two types of double MIP tunnel. That is, there are two modes for double MIP (x-MIP and i-MIP): one is overlaid MIP, the other is split MIP. The following describes, with reference to the figures, how data flows between mobile node 1407 and correspondent host 1401.
Figure 14H shows mobile node 1407 sending data to correspondent host 1401 without using a VPN (overlaid MIP). When mobile node 1407 sends a data packet, it creates an encapsulated packet with the following information and sends it to SMG/x-HA 1405:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. i-MIP source IP address: i-HoA-addr/x
D. i-MIP destination IP address: i-HA-addr/i
E. source IP address: i-HoA-addr/i
F. destination IP address: CH-addr/i
G. payload data
When SMG/x-HA 1405 receives the data packet, it removes the x-MIP IP header and then sends the packet to i-HA 1402.
When i-HA 1402 receives the data packet, it removes the i-MIP IP header and then sends the packet to correspondent host 1401.
Correspondent host 1401 receives an ordinary, unencapsulated IP data packet.
Figure 14I shows the correspondent host replying to the mobile node without using a VPN (called overlaid API). When correspondent host 1401 sends a data packet, it creates a packet with the following information and sends it to i-HA 1402:
A. source IP address: CH-addr/i
B. destination IP address: i-HoA-addr/i
C. payload data
When i-HA 1402 receives the data packet, it adds an i-MIP IP header with the following information and sends the packet to SMG/x-HA 1405:
A. i-MIP source IP address: i-HA-addr/i
B. i-MIP destination IP address: x-HoA-addr/x
When SMG/x-HA 1404 receives the data packet, it adds an x-MIP header with the following information and sends the packet to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/i
B. x-MIP destination IP address: local-addr/i
Figure 14J shows an example in which mobile node 1405 sends data to correspondent host 1401 without using a VPN. This can also be called split MIP.
When mobile node 1405 sends a data packet, it creates an encapsulated packet with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: i-HoA-addr/i
D. destination IP address: CH-addr/i
E. payload data
When SMG/x-HA 1404 receives the data packet, it removes the x-MIP IP header, uses the reverse mobility binding to add an i-MIP IP header with the following information, and then sends the packet to i-HA 1402:
A. i-MIP source IP address: x-HoA-addr/x
B. i-MIP destination IP address: i-HA-addr/i
When i-HA 1402 receives the data packet, it removes the i-MIP IP header and then sends the packet to correspondent host 1401.
Correspondent host 1401 receives an ordinary IP data packet (it is not encapsulated).
Figure 14K shows correspondent host 1401 replying to mobile node 1405 without using a VPN. When correspondent host 1401 sends a data packet, it creates a packet with the following information and sends it to i-HA 1402:
A. source IP address: CH-addr/i
B. destination IP address: i-HoA-addr/i
C. payload data
When i-HA 1402 receives the data packet, it adds an i-MIP IP header with the following information and sends the packet to SMG/x-HA 1404:
A. i-MIP source IP address: i-HA-addr/i
B. i-MIP destination IP address: x-HoA-addr/x
When SMG/x-HA 1404 receives the data packet, it removes the i-MIP header, adds an x-MIP header with the following information, and sends the packet to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/i
B. x-MIP destination IP address: local-addr/i
Figure 14L shows mobile node 1405 requesting a VPN tunnel. When mobile node 1405 wants to create a VPN tunnel, it initiates a VPN connection request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: VPNgw-addr/x
E. IKE or other protocol
When SMG/x-HA 1404 receives the VPN connection request, it removes the x-MIP IP header and sends the packet to VPN-gw 1403 for processing.
Figure 14M shows the response to mobile node 1405's VPN tunnel request. When VPN-gw 1403 receives the VPN connection request, VPN-gw 1403 creates an outbound SPD with the following information:
A. selector: source address=any, destination address=VPNinn-addr1/i
B. action: IPsec tunnel (source address=VPNgw-addr/x, destination address=x-HoA-addr/x)
VPN-gw 1403 creates a VPN connection response with the following information and sends it to SMG/x-HA 1404:
A. source IP address: VPNgw-addr/x
B. destination IP address: x-HoA-addr/x
C. IKE or other protocol
D. VPN tunnel inner address for MN=VPNinn-addr1/i
E. VPN tunnel inner address for GW=VPNinn-addr2/i
When SMG/x-HA 1404 receives the VPN connection response, it adds an x-MIP header with the following information and sends the packet to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When the mobile node receives the VPN connection response, it adds or changes entries in its routing table with the following information:
A. destination: VPNinn-addr2/i, gateway/interface: VPN-tun
B. destination: i-HA-addr/i, gateway/interface: VPN-tun
C. destination: internal network, gateway/interface: VPN-tun
Mobile node 1405 creates an outbound SPD with the following information:
A. selector: source address=VPNinn-addr1/i, destination address=internal-network-addr/i
B. action: IPsec tunnel (source address=x-HoA-addr/x, destination address=VPNgw-addr/x)
Figure 14N shows the i-MIP registration request sent through the VPN tunnel.
After creating the VPN connection, mobile node 1405 may have to re-register i-MIP via the VPN tunnel. To do so, mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/x
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/x
D. destination IP address=VPNgw-addr/x
E. ESP-encrypted packet
F. source IP address=VPNinn-addr1/i
G. destination IP address=i-HA-addr/i
H. i-MIP home address=i-HoA-addr/i
I. i-MIP home agent=i-HA-addr/i
J. Care-of Address=VPNinn-addr1/i
When SMG/x-HA 1404 receives the i-MIP registration request, it removes the x-MIP header and sends the request to VPN-GW.
When VPN-gw 1403 receives the i-MIP registration request, it removes the IP header, decrypts the ESP, and sends the request to i-HA 1402.
Figure 14O shows the response to the i-MIP registration request through the VPN tunnel. When i-HA 1402 receives the i-MIP registration request, it modifies its mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: VPNinn-addr1/i
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to VPN-gw 1403:
A. source IP address=i-HA-addr/i
B. destination IP address=VPNinn-addr1/i
C. i-MIP home address=i-HoA-addr/i
D. i-MIP home agent=i-HA-addr/i
When VPN-gw 1403 receives the i-MIP registration reply, it encrypts the IP packet, adds an IP header with the following information, and sends it to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=x-HoA-addr/x
When SMG/x-HA 1404 receives the i-MIP registration reply, it adds an x-MIP header with the following information and sends the reply to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/x
Figure 14P shows mobile node 1405 using the VPN to send data to correspondent host 1401. Mobile node 1405 creates data with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/x
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/i
D. destination IP address=VPNgw-addr/x
E. ESP-encrypted packet
F. i-MIP source IP address=VPNinn-addr1/i
G. i-MIP destination IP address=i-HA-addr/i
H. source IP address=i-HoA-addr/i
I. destination IP address=CH-addr/i
J. payload data
When SMG/x-HA 1404 receives the data, it removes the x-MIP IP header and sends the data to VPN-gw 1403. When VPN-gw 1403 receives the data, it removes the IP header, decrypts the ESP, and sends the packet to i-HA 1402. When i-HA 1402 receives the data packet, it removes the i-MIP IP header and sends the packet to correspondent host 1401.
Figure 14Q shows correspondent host 1401 using the VPN to send data to mobile node 1405. When correspondent host 1401 sends data, it creates a data packet with the following information and sends it to i-HA 1402:
A. source IP address=CH-addr/i
B. destination IP address=i-HoA-addr/i
C. payload data
When i-HA 1402 receives the data, i-HA 1402 adds an i-MIP IP header with the following information and sends the data to VPN-gw 1403:
A. i-MIP source address=i-HA-addr/i
B. i-MIP destination address=VPNinn-addr1/i
When VPN-gw 1403 receives the data, it encrypts the data, adds an IP header with the following information, and sends the data to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=VPNinn-addr1/i
When SMG/x-HA 1404 receives the data, it adds an x-MIP header with the following information and sends the packet to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/x
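The three uplink encapsulations described above (overlaid MIP in Figure 14H, split MIP in Figure 14J, and the triple tunnel in Figure 14P) can be traced hop by hop. The following Python model is an added example, not code from the patent; the header values are copied from the lists above, while the `Hdr` type, the function names and the "IPsec" layer label are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hdr:
    layer: str   # "x-MIP", "IPsec", "i-MIP" or "IP" (labels are assumptions)
    src: str
    dst: str

# Reverse mobility binding recorded at the SMG/x-HA. The page lists its
# source as i-HoA-addr/x while the inner header carries i-HoA-addr/i, so
# this model matches on the name before the slash.
REVERSE_BINDING = {"i-HoA-addr": "i-HA-addr/i"}

def mn_send(mode):
    """Headers, outermost first, that the mobile node puts on the wire."""
    inner = Hdr("IP", "i-HoA-addr/i", "CH-addr/i")
    xmip = Hdr("x-MIP", "local-addr/x", "x-HA-addr/x")
    if mode == "overlaid":   # Figure 14H: MN adds both MIP headers
        return [xmip, Hdr("i-MIP", "i-HoA-addr/x", "i-HA-addr/i"), inner]
    if mode == "split":      # Figure 14J: MN adds only the x-MIP header
        return [xmip, inner]
    if mode == "triple":     # Figure 14P: x-MIP / IPsec ESP / i-MIP
        return [xmip, Hdr("IPsec", "x-HoA-addr/i", "VPNgw-addr/x"),
                Hdr("i-MIP", "VPNinn-addr1/i", "i-HA-addr/i"), inner]
    raise ValueError("unknown mode: " + mode)

def _strip(headers, layer, dst, who):
    # A node only decapsulates a header of its own layer addressed to itself.
    if not headers or headers[0].layer != layer or headers[0].dst != dst:
        raise ValueError(f"{who}: expected outer {layer} header to {dst}")
    return headers[1:]

def smg_xha(headers):
    rest = _strip(headers, "x-MIP", "x-HA-addr/x", "SMG/x-HA")
    if not rest:
        raise ValueError("SMG/x-HA: nothing inside the x-MIP tunnel")
    if rest[0].layer == "IPsec":
        return rest, "VPN-gw"
    if rest[0].layer == "i-MIP":
        return rest, "i-HA"
    # Split mode: the SMG/x-HA adds the i-MIP header on the MN's behalf,
    # but only for a source that has a reverse mobility binding.
    i_ha_addr = REVERSE_BINDING.get(rest[0].src.split("/")[0])
    if i_ha_addr is None:
        raise ValueError("SMG/x-HA: no reverse binding for " + rest[0].src)
    return [Hdr("i-MIP", "x-HoA-addr/x", i_ha_addr)] + rest, "i-HA"

def vpn_gw(headers):
    # Removes the outer IP header and decrypts ESP, exposing the i-MIP packet.
    return _strip(headers, "IPsec", "VPNgw-addr/x", "VPN-gw"), "i-HA"

def i_ha(headers):
    return _strip(headers, "i-MIP", "i-HA-addr/i", "i-HA"), "CH"

HOPS = {"SMG/x-HA": smg_xha, "VPN-gw": vpn_gw, "i-HA": i_ha}

def deliver(mode):
    """Trace one uplink packet from the mobile node to the correspondent host."""
    headers = mn_send(mode)
    on_wire, path, hop = len(headers), [], "SMG/x-HA"
    while hop != "CH":
        path.append(hop)
        headers, hop = HOPS[hop](headers)
    return {"on_wire": on_wire, "path": path, "received": headers}

if __name__ == "__main__":
    for m in ("overlaid", "split", "triple"):
        print(m, deliver(m))
```

In all three modes the correspondent host ends up with the same plain inner packet; what differs is how many headers the mobile node itself builds and which node strips each one.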
Figure 14R shows mobile node 1405 moving to another external network. When mobile node 1405, using the triple tunnel, has moved to another external network, it changes the routing table entry for x-HA-addr/x with the following information:
A. destination: x-HA-addr/x, gateway/interface: local-router-addr2/x
Mobile node 1405 creates an i-MIP registration request for re-registration with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr2/x
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr2/x
Figure 14S shows mobile node 1405 moving to another external network (x-MIP registration response). When SMG/x-HA 1404 receives the x-MIP registration request, it changes its mobility binding with the following information:
A. home address: x-HoA-addr/x, Care-of Address: local-addr2/x
SMG/x-HA 1404 creates an x-MIP registration reply with the following information and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr2/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
Figures 14T, 14U, 14V and 14W relate to i-MIP registration. Here, once mobile node 1405 has torn down the VPN tunnel, it may re-register the i-MIP tunnel via x-MIP. Two cases are shown as examples: i-MIP registration via the SMG, and i-MIP registration through the x-MIP tunnel.
For the following description, mobile node 1405 is in the original external network, and its local address is local-addr/x.
In Figure 14T, mobile node 1405 creates an i-MIP registration request with the following information and sends the request to SMG/x-HA 1404:
A. source IP address: local-addr/x
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
E. Care-of Address: x-HoA-addr/x
F. authentication extension value for i-HA
G. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, changes the source and destination IP addresses of the request as follows and sends it to i-HA 1402:
A. source IP address: x-HA-addr/x
B. destination IP address: i-HA-addr/i
In Figure 14V, i-HA 1402 receives the i-MIP registration request and authenticates it and, if authentication succeeds, i-HA 1402 changes the mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, SMG/x-HA 1404 records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used in split tunnel mode.
SMG/x-HA 1404 changes the source and destination IP addresses as follows and sends the reply to mobile node 1405:
A. source IP address: x-HA-addr/x
B. destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP registration reply, it makes the following changes in its routing table:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
In Figure 14U, mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: i-HA-addr/x
E. home address: i-HoA-addr/i
F. home agent: i-HA-addr/i
G. Care-of Address: x-HoA-addr/x
H. authentication extension value for i-HA
I. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP registration request, SMG/x-HA 1404 authenticates it and, if authentication succeeds, removes the x-MIP source and x-MIP destination IP addresses and sends the request to i-HA 1402.
In Figure 14W, when i-HA 1402 receives the i-MIP registration request, i-HA 1402 authenticates it and, if authentication succeeds, i-HA 1402 changes the mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HoA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, SMG/x-HA 1404 records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used in split tunnel mode.
SMG/x-HA 1405 adds the x-MIP source and x-MIP destination IP addresses as follows and sends the reply to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP registration reply, it adds entries to its routing table with the following information:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
Figure 14X shows mobile node 1405 disconnecting from the VPN tunnel. After deregistering i-MIP, mobile node 1405 creates a VPN disconnection request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/x
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/x
D. destination IP address=VPNgw-addr/x
E. VPN disconnection request
When SMG/x-HA 1404 receives the VPN disconnection request, it removes the x-MIP IP header and sends the request to VPN-gw 1403.
Figure 14Y shows the response to mobile node 1405's request to disconnect the VPN tunnel. When VPN-gw 1403 receives the VPN disconnection request, it deletes the outbound SPD, creates a VPN disconnection response with the following information, and sends it to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=x-HoA-addr/x
C. VPN disconnection response
When SMG/x-HA 1404 receives the VPN disconnection request, it adds an x-MIP IP header with the following information and sends the request to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/x
When mobile node 1405 receives the VPN disconnection request, it deletes the entries for VPNinnaddr2/i and i-HA-addr/i from its routing table.
i-MIP deregistration is described below. There are at least two methods for sending the deregistration request: one is via the SMG, and the other is through the x-MIP tunnel.
Figure 14Z shows the deregistration request being sent via the SMG. Here, mobile node 1405 creates an i-MIP deregistration request with the following information and sends it to SMG/x-HA:
A. source IP address: local-addr/x
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
E. Care-of Address: x-HoA-addr/x
F. lifetime=0
G. authentication extension value for i-HA
H. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP deregistration request, SMG/x-HA 1404 authenticates it and, if authentication succeeds, changes the source and destination IP addresses as follows and sends the request to i-HA 1402:
A. source IP address: x-HA-addr/x
B. destination IP address: i-HA-addr/i
Figure 14BB shows the further processing of the deregistration request sent via the SMG. When i-HA 1402 receives the i-MIP deregistration request, i-HA 1402 authenticates it and, if authentication succeeds, i-HA 1402 deletes the mobility binding.
i-HA 1402 creates an i-MIP deregistration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP deregistration reply, SMG/x-HA 1404 deletes the reverse mobility binding. In addition, SMG/x-HA 1404 changes the source and destination IP addresses as follows and sends the reply to mobile node 1405:
A. source IP address: x-HA-addr/x
B. destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP deregistration reply, mobile node 1405 changes the entry in its routing table with the following information:
A. destination: internal network address/i, gateway/interface: the x-MIP-tunnel that is closing
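The SMG-relayed i-MIP registration and deregistration described above (a request carrying one authenticator for the i-HA and a vendor extension for the x-HA, with a lifetime/duration of 0 meaning deregistration) can be modelled as follows. This Python sketch is an added example, not code from the patent; the keys, the class and field names, and the use of HMAC-SHA256 over the registration fields are assumptions, since the page does not say how either authenticator is computed.

```python
import hashlib
import hmac

# Constructed keys, for illustration only.
K_IHA = b"constructed MN<->i-HA key"
K_XHA = b"constructed MN<->x-HA key"
SIGNED = ("home_address", "home_agent", "care_of", "lifetime")

def mac(key, msg):
    # The IP source/destination are not covered, so the SMG's address
    # rewrite does not invalidate the authenticator meant for the i-HA.
    body = "|".join(str(msg[f]) for f in SIGNED).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def mn_request(lifetime):
    """i-MIP (de)registration request as the mobile node sends it to the SMG."""
    msg = {"src": "local-addr/x", "dst": "x-HA-addr/x",
           "home_address": "i-HoA-addr/i", "home_agent": "i-HA-addr/i",
           "care_of": "x-HoA-addr/x", "lifetime": lifetime}
    msg["iha_auth"] = mac(K_IHA, msg)         # authentication extension for i-HA
    msg["xha_vendor_ext"] = mac(K_XHA, msg)   # vendor extension for x-HA
    return msg

class IHA:
    def __init__(self):
        self.bindings = {}   # home address -> care-of address
        self.seen = 0        # requests that reached the internal network

    def handle(self, req):
        self.seen += 1
        if not hmac.compare_digest(req["iha_auth"], mac(K_IHA, req)):
            return None
        if req["lifetime"] == 0:
            self.bindings.pop(req["home_address"], None)
        else:
            self.bindings[req["home_address"]] = req["care_of"]
        return {"src": "i-HA-addr/i", "dst": req["src"],
                "home_address": req["home_address"],
                "home_agent": req["home_agent"], "lifetime": req["lifetime"]}

class SMG:
    def __init__(self, iha):
        self.iha = iha
        self.reverse = {}    # reverse mobility binding: source -> i-HA address

    def handle(self, req):
        # Authenticate at the boundary; a failure never reaches the i-HA.
        if not hmac.compare_digest(req["xha_vendor_ext"], mac(K_XHA, req)):
            return None
        reply = self.iha.handle(dict(req, src="x-HA-addr/x", dst="i-HA-addr/i"))
        if reply is None:
            return None
        # The page writes the reverse binding source as i-HoA-addr/x.
        source = reply["home_address"].split("/")[0] + "/x"
        if req["lifetime"] == 0:
            self.reverse.pop(source, None)
        else:
            self.reverse[source] = reply["home_agent"]
        return dict(reply, src="x-HA-addr/x", dst=req["src"])

if __name__ == "__main__":
    smg = SMG(IHA())
    print(smg.handle(mn_request(1800)), smg.reverse, smg.iha.bindings)
    print(smg.handle(mn_request(0)), smg.reverse, smg.iha.bindings)
```

A request that fails the x-HA check is dropped at the SMG, and one that passes it but fails the i-HA check leaves both the mobility binding and the reverse mobility binding unchanged.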
Figures 14Z-14EE show mobile node 1405 closing the tunnels.
Figure 14AA shows the i-MIP deregistration request being sent through the x-MIP tunnel. Mobile node 1405 creates an i-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: i-HA-addr/x
E. home address: i-HoA-addr/i
F. home agent: i-HA-addr/i
G. Care-of Address: x-HoA-addr/x
H. lifetime=0
I. authentication extension value for i-HA
J. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP deregistration request, SMG/x-HA 1404 authenticates it and, if authentication succeeds, removes the x-MIP source and x-MIP destination IP addresses and sends the request to i-HA 1402.
Figure 14CC shows the system's subsequent response to the deregistration request. When i-HA 1402 receives the i-MIP deregistration request, i-HA 1402 authenticates it and, if authentication succeeds, i-HA 1402 deletes the mobility binding.
i-HA 1402 creates an i-MIP deregistration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HoA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, SMG/x-HA 1404 deletes the reverse mobility binding. SMG/x-HA 1404 adds the x-MIP source and x-MIP destination IP addresses as follows and sends the reply to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP deregistration reply, it changes the entry in its routing table with the following information:
A. destination: internal network address/i, gateway/interface: x-MIP-tunnel
Figure 14DD shows the processing of the x-MIP deregistration request. When mobile node 1405 deregisters i-MIP, mobile node 1405 creates an x-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr/x
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr/x
F. lifetime=0
G. authentication extension value for x-HA
Figure 14EE shows the processing of the x-MIP deregistration response. When SMG/x-HA 1404 receives the x-MIP deregistration request, then after successful authentication SMG/x-HA 1404 creates an x-MIP deregistration reply with the following information and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr/x
C. home address=x-HoA-addr/x
D. home agent=x-HA-addr/x
When mobile node 1405 receives the x-MIP deregistration reply, it deletes the entries for Internal-network-addr/i and VPNgw-addr/x from its routing table and changes the following information:
A. destination: default, gateway/interface: local-router-addr/x
The following shows mobile node 1405 returning to the internal network. In particular, Figures 14GG-14NN show mobile node 1405 moving to the internal access network while it is in a state similar to the triple tunnel mode shown in Figure 14FF.
In Figure 14GG, mobile node 1405 moves to the internal access network (using an i-MIP registration request). When mobile node 1405 moves to the internal access network, the routing table entries for x-HA-addr/x and for default are changed to local-router-addr/i.
Mobile node 1405 creates an i-MIP registration request with the following information and sends it to i-HA 1402:
A. source IP address=local-addr/i
B. destination IP address=i-HA-addr/i
C. i-MIP home address=i-HoA-addr/i
D. i-MIP home agent=i-HA-addr/i
E. Care-of Address=local-addr/i
Figure 14HH shows the i-MIP registration response. When i-HA 1402 receives the i-MIP registration request, it modifies the mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: local-addr/i
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to mobile node 1405:
A. source IP address=i-HA-addr/i
B. destination IP address=local-addr/i
C. i-MIP home address=i-HoA-addr/i
D. i-MIP home agent=i-HA-addr/i
When mobile node 1405 receives the i-MIP registration reply, it adds entries to its routing table with the following information:
A. destination: i-HA-addr/i, gateway/interface: local-router-addr/i
B. destination: internal-network-addr/i, gateway/interface: i-MIP-tun
Figure 14II shows the x-MIP registration request. Here, mobile node 1405 registers with SMG/x-HA 1404 via the x-MIP tunnel in order to disconnect the VPN tunnel. Mobile node 1405 creates an x-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr/i
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr/i
Figure 14JJ shows the processing of the x-MIP registration response. When SMG/x-HA 1404 receives the x-MIP registration request, it changes the mobility binding with the following information:
A. home address: x-HoA-addr/i, Care-of Address: local-addr/i
SMG/x-HA 1404 creates an x-MIP registration reply with the following information and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr/i
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
Figure 14KK shows mobile node 1405 disconnecting the VPN tunnel. Mobile node 1405 creates a VPN disconnection request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/i
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/x
D. destination IP address=VPNgw-addr/x
E. VPN disconnection request
When SMG/x-HA 1404 receives the VPN disconnection request, it removes the x-MIP IP header and sends the request to VPN-gw 1403.
Figure 14LL shows the response to mobile node 1405's VPN disconnection request. When VPN-gw 1403 receives the VPN disconnection request, it creates a VPN disconnection response with the following information and sends it to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=x-HoA-addr/x
C. VPN disconnection response
When SMG/x-HA 1404 receives the VPN disconnection response, it adds an x-MIP IP header with the following information and sends the response to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/i
When mobile node 1405 receives the VPN disconnection response, it deletes the entry for VPNinnaddr2/i from its routing table.
Figure 14MM shows the x-MIP deregistration request. Mobile node 1405 creates an x-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr/i
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr/i
F. lifetime=0
G. authentication extension value for x-HA
Figure 14NN shows the x-MIP deregistration response. When SMG/x-HA 1404 receives the x-MIP deregistration request, then after successful authentication SMG/x-HA 1404 deletes the mobility binding, creates an x-MIP deregistration reply with the following information, and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr/i
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
When mobile node 1405 receives the x-MIP deregistration reply, it deletes the entry for VPNgwaddr/x from its routing table.
Case where the mobile node has a Windows-like implementation
The following describes the above scenario for a mobile node with a Windows-based implementation. It shows how mobile node 1405 switches from the double MIP tunnel to the triple tunnel mode. Figures 15A-15BB are described in conjunction with Figures 14A-14NN. Figures 15A-15BB show mobile node 1405 with the following components:
A. application 1501
B. controller 1502
C.TCP/IP driver 1503
D. routing table 1504
E.i-MIP driver 1505
F.VPN driver 1506
G.x-MIP driver 1507
H.NIC1 driver 1508
I.NIC2 driver 1509
J. network interface card 1 1510
K. network interface card 2 1511
In Figure 14A, mobile node 1405 is powered on in the external network. Mobile node 1405 has a routing table with the following information:
A. destination: default (all destinations), gateway/interface: local-router/x
In Figures 14B and 15A, mobile node 1405 detects that it is located in the external network. Next, mobile node 1405 creates an x-MIP registration request and sends it to SMG/x-HA 1404. The x-MIP registration request includes the following information:
A. source IP address: local-addr/x
B. destination IP address: x-HA-addr/x (x-home agent address)
C. home address: x-HoA-addr/x
D. home agent: x-HA-addr/x
E. Care-of Address=local-addr/x
F. reverse tunnel request flag=true
G. authentication extension value for x-HA
In Figures 14C and 15B, when SMG/x-HA 1404 receives the x-MIP registration request, SMG/x-HA 1404 authenticates it using the authentication extension value. If authentication succeeds, SMG/x-HA 1404 constructs a mobility binding with the following information:
A. home address: x-HoA-addr/x, Care-of Address: local-addr/x
Next, SMG/x-HA 1404 sends an x-MIP registration reply with the following information to mobile node 1405:
A. source IP address: x-HA-addr/x
B. destination IP address: local-addr/x
C. home address: x-HoA-addr/x
D. home agent: x-HA-addr/x
When mobile node 1405 receives the x-MIP registration reply, mobile node 1405 adds entries to routing table 1504 with the following information:
A. destination: x-HA-addr/x, gateway/interface: local-router-addr/x
B. destination: VPN-gateway-addr/x, gateway/interface: x-MIP-tunnel
C. destination: internal-network-addr/i, gateway/interface: x-MIP-tunnel
i-MIP registration is described below. Several methods can be used to construct the i-MIP tunnel. Two examples are shown below, one using SMG and one using MIP.
Figures 14D and 15C show the creation of the i-MIP tunnel using SMG. Mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address: local-addr/x
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
E. Care-of Address: x-HoA-addr/x
F. authentication extension value for i-HA
G. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, changes the source and destination IP addresses as follows and sends the request to i-HA 1402:
A. source IP address: x-HA-addr/x
B. destination IP address: i-HA-addr/i
Figures 14F and 15E show the next step when using SMG. When i-HA 1402 receives the i-MIP registration request, i-HA 1402 authenticates it and, if authentication succeeds, i-HA 1402 creates a mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, it records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used by the split tunnel mode.
SMG/x-HA 1404 changes the source and destination IP addresses with the following information and sends the reply to mobile node 1405:
A. source IP address: x-HA-addr/x
B. destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP registration reply, it adds entries to routing table 1504 with the following information:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
Figures 14E and 15D show an alternative method of creating i-MIP. Mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: i-HA-addr/x
E. home address: i-HoA-addr/i
F. home agent: i-HA-addr/i
G. Care-of Address: x-HoA-addr/x
H. authentication extension value for i-HA
I. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, removes the x-MIP source and destination IP addresses and sends the request to i-HA 1402.
Figures 14G and 15F show further processing of the registration request. When i-HA 1402 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, creates a mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HoA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, it records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used by the split tunnel mode.
Next, SMG/x-HA 1404 adds the x-MIP source and destination IP addresses with the following information and sends the reply to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP registration reply, it adds entries to routing table 1504 with the following information:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
Two types of double MIP tunnel are described below: overlaid and split. These are apparent when data is transmitted between mobile node 1405 and communication host 1401.
Figures 14H and 15G show the overlaid method for sending data from mobile node 1405 to communication host 1401. When mobile node 1405 sends a data packet, it creates an encapsulated packet with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. i-MIP source IP address: x-HoA-addr/x
D. i-MIP destination IP address: i-HA-addr/i
E. source IP address: i-HoA-addr/i
F. destination IP address: CH-addr/i
G. payload data
When SMG/x-HA 1404 receives the data packet, it removes the x-MIP IP header and then sends the packet to i-HA 1402. When i-HA 1402 receives the packet, it removes the i-MIP IP header and then sends the packet to communication host 1401. Communication host 1401 then receives an ordinary, unencapsulated IP data packet.
Figures 14I and 15H show communication host 1401 sending a packet to mobile node 1405 using the overlaid tunnel. When communication host 1401 sends a data packet, it creates the packet with the following information and sends it to i-HA 1402:
A. source IP address: CH-addr/i
B. destination IP address: i-HoA-addr/i
C. payload data
When i-HA 1402 receives the data packet, it adds an i-MIP IP header with the following information and sends the packet to SMG/x-HA 1404:
A. i-MIP source IP address: i-HA-addr/i
B. i-MIP destination IP address: x-HoA-addr/x
When SMG/x-HA 1404 receives the data packet, it adds an x-MIP header with the following information and sends the packet to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/i
B. x-MIP destination IP address: local-addr/i
Figures 14J and 15I show the split tunnel used for data sent from mobile node 1405 to communication host 1401. When mobile node 1405 sends a data packet, it creates an encapsulated packet with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: i-HoA-addr/i
D. destination IP address: CH-addr/i
E. payload data
When SMG/x-HA 1404 receives the data packet, it removes the x-MIP IP header, uses the reverse mobility binding to add an i-MIP IP header with the following information, and then sends the packet to i-HA 1402:
A. i-MIP source IP address: x-HoA-addr/x
B. i-MIP destination IP address: i-HA-addr/i
When i-HA 1402 receives the packet, it removes the i-MIP IP header and then sends the packet to communication host 1401.
Communication host 1401 receives the decapsulated, ordinary IP data packet.
Figures 14K and 15J show communication host 1401 sending data to mobile node 1405. When communication host 1401 wishes to send a data packet, it creates the packet with the following information and sends it to i-HA 1402:
A. source IP address: CH-addr/i
B. destination IP address: i-HoA-addr/i
C. payload data
When i-HA 1402 receives the data packet, it adds an i-MIP IP header with the following information and sends the packet to SMG/x-HA 1404:
A. i-MIP source IP address: i-HA-addr/i
B. i-MIP destination IP address: x-HoA-addr/x
When SMG/x-HA 1404 receives the data packet, it removes the i-MIP header, adds an x-MIP header with the following information, and sends the packet to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/i
B. x-MIP destination IP address: local-addr/i
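The overlaid and split double-tunnel data paths described above can be traced hop by hop with the following Python model, which is an added example and not part of the patent text. The class and function names are hypothetical, the x-MIP header toward the mobile node is assumed to use x-HA-addr/x and local-addr/x as in the registration reply, and dropping packets that match no binding is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hdr:
    layer: str  # "x-MIP", "i-MIP" or "IP" (the innermost, unencapsulated header)
    src: str
    dst: str


# Symbolic addresses as used in the description.
LOCAL, X_HA, X_HOA = "local-addr/x", "x-HA-addr/x", "x-HoA-addr/x"
I_HA, I_HOA, CH = "i-HA-addr/i", "i-HoA-addr/i", "CH-addr/i"


def mn_build(mode, inner_src=I_HOA):
    """Packet as the mobile node sends it; headers are listed outermost first."""
    outer, inner = Hdr("x-MIP", LOCAL, X_HA), Hdr("IP", inner_src, CH)
    if mode == "overlaid":
        return [outer, Hdr("i-MIP", X_HOA, I_HA), inner]
    return [outer, inner]  # split: the mobile node adds only the x-MIP header


class SmgXha:
    """SMG/x-HA state after x-MIP and i-MIP registration (hypothetical model)."""

    def __init__(self):
        self.binding = {X_HOA: LOCAL}  # home address -> care-of address
        self.reverse = {I_HOA: I_HA}   # reverse mobility binding: i-HoA -> i-HA

    def uplink(self, pkt):
        outer, rest = pkt[0], pkt[1:]
        # Assumption: traffic from an unregistered care-of address is dropped.
        x_hoa = next((h for h, coa in self.binding.items() if coa == outer.src), None)
        if outer.layer != "x-MIP" or x_hoa is None:
            raise LookupError("no x-MIP binding for " + outer.src)
        if rest[0].layer == "i-MIP":          # overlaid: inner tunnel already present
            return rest
        i_ha = self.reverse.get(rest[0].src)  # split: rebuild the i-MIP header
        if i_ha is None:
            raise LookupError("no reverse mobility binding for " + rest[0].src)
        return [Hdr("i-MIP", x_hoa, i_ha)] + rest

    def downlink(self, pkt, mode):
        coa = self.binding[pkt[0].dst]        # i-MIP destination is the x-HoA
        body = pkt if mode == "overlaid" else pkt[1:]  # split strips the i-MIP header
        return [Hdr("x-MIP", X_HA, coa)] + body


class IHa:
    """i-HA state after i-MIP registration (hypothetical model)."""

    def __init__(self):
        self.binding = {I_HOA: X_HOA}  # i-HoA -> care-of address (the x-HoA)

    def uplink(self, pkt):
        i_mip, rest = pkt[0], pkt[1:]
        if self.binding.get(rest[0].src) != i_mip.src:
            raise LookupError("i-MIP source does not match the mobility binding")
        return rest

    def downlink(self, pkt):
        return [Hdr("i-MIP", I_HA, self.binding[pkt[0].dst])] + pkt


def trace_uplink(mode):
    """Headers on the external link, between SMG/x-HA and i-HA, and at the host."""
    smg, iha = SmgXha(), IHa()
    external = mn_build(mode)
    core = smg.uplink(external)
    return external, core, iha.uplink(core)


def trace_downlink(mode):
    """Headers between i-HA and SMG/x-HA, and as delivered to the mobile node."""
    smg, iha = SmgXha(), IHa()
    core = iha.downlink([Hdr("IP", CH, I_HOA)])
    return core, smg.downlink(core, mode)


if __name__ == "__main__":
    for mode in ("overlaid", "split"):
        for hop, pkt in zip(("external", "core", "host"), trace_uplink(mode)):
            print(mode, hop, [(h.layer, h.src, h.dst) for h in pkt])
```

Both modes produce the same packet between SMG/x-HA and i-HA; the split mode carries one header fewer on the external link and relies on the state held at SMG/x-HA to restore it.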
Figures 14L and 15K show mobile node 1405 requesting establishment of a VPN tunnel. When the mobile node wishes to create a VPN tunnel, mobile node 1405 creates a VPN connection request with the following information and sends it to SMG/x-HA:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: VPNgw-addr/x
E. IKE or other protocol
When SMG/x-HA 1404 receives the VPN connection request, it removes the x-MIP IP header and sends the request to VPN-gw 1403.
Figures 14M and 15L show the corresponding response. When VPN-gw 1403 receives the VPN connection request, it creates an outbound SPD with the following information:
A. selector: source address=arbitrarily, destination address=VPNinn-addr1/i
B. action: ipsec tunnel (source address=VPNgw-addr/x, destination address=x-HoA-addr/x)
VPN-gw 1403 creates a VPN connection response with the following information and sends it to SMG/x-HA 1404:
A. source IP address: VPNgw-addr/x
B. destination IP address: x-HoA-addr/x
C. IKE or other protocol
D. VPN tunnel home address for the MN = VPNinn-addr1/i
E. VPN tunnel home address for the GW = VPNinn-addr2/i
When SMG/x-HA 1404 receives the VPN connection response, it adds an x-MIP header with the following information and sends the response to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1405 receives the VPN connection response, it adds or changes entries in routing table 1504 with the following information:
A. destination: VPNinn-addr2/i, gateway/interface: VPN-tun
B. destination: i-HA-addr/i, gateway/interface: VPN-tun
C. destination: internal network, gateway/interface: VPN-tun
In addition, mobile node 1405 creates an outbound SPD with the following information:
A. selector: source address=VPNinn-addr1/i, destination address=internal-network-addr/i
B. action: ipsec tunnel (source address=x-HoA-addr/x, destination address=VPNgw-addr/x)
Figures 14N and 15M show the i-MIP registration request when a VPN exists. After the VPN connection has been established, mobile node 1405 may re-register i-MIP via the VPN tunnel. Mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/i-HA 1404:
A. x-MIP source IP address=local-addr/x
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/x
D. destination IP address=VPNgw-addr/x
E. ESP-encrypted packet
F. source IP address=VPNinn-addr1/i
G. destination IP address=i-HA-addr/i
H. i-MIP home address=i-HoA-addr/i
I. i-MIP home agent=i-HA-addr/i
J. Care-of Address=VPNinn-addr1/i
When SMG/x-HA 1404 receives the i-MIP registration request, it removes the x-MIP header and sends the request to VPN-gw 1403.
When VPN-gw 1403 receives the i-MIP registration request, it removes the IP header, decrypts the ESP, and sends the request to i-HA 1402.
Figures 14O and 15N show the i-MIP registration response through the VPN tunnel. When i-HA 1402 receives the i-MIP registration request, it changes its mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: VPNinn-addr1/i
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to VPN-gw 1403:
A. source IP address=i-HA-addr/i
B. destination IP address=VPNinn-addr1/i
C. i-MIP home address=i-HoA-addr/i
D. i-MIP home agent=i-HA-addr/i
When VPN-gw 1403 receives the i-MIP registration reply, it encrypts the IP packet, adds an IP header with the following information, and sends it to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=x-HoA-addr/x
When SMG/x-HA 1404 receives the i-MIP registration reply, it adds an x-MIP header with the following information and sends the packet to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/x
Figures 14P and 15O show mobile node 1405 using the VPN to send data to communication host 1401. Mobile node 1405 creates data with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/x
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/i
D. destination IP address=VPNgw-addr/x
E. ESP-encrypted packet
F. i-MIP source IP address=VPNinn-addr1/i
G. i-MIP destination IP address=i-HA-addr/i
H. source IP address=i-HoA-addr/i
I. destination IP address=CH-addr/i
J. payload data
When SMG/x-HA 1404 receives the data, it removes the x-MIP IP header and sends the data to VPN-gw 1403. When VPN-gw 1403 receives the data, it removes the IP header, decrypts the ESP, and sends the data to i-HA 1402. When i-HA 1402 receives the data, it removes the i-MIP IP header and sends the data to communication host 1401.
Figures 14Q and 15P show communication host 1401 using the VPN to send data to mobile node 1405. When communication host 1401 wishes to send data, it creates the data with the following information and sends it to i-HA 1402:
A. source IP address=CH-addr/i
B. destination IP address=i-HoA-addr/i
C. payload data
When i-HA 1402 receives the data, it adds an i-MIP IP header with the following information and sends the data to VPN-gw 1403:
A. i-MIP source address=i-HA-addr/i
B. i-MIP destination address=VPNinn-addr1/i
When VPN-gw 1403 receives the data, it encrypts the data, adds an IP header with the following information, and sends it to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=VPNinn-addr1/i
When SMG/x-HA 1404 receives the data packet, it adds an x-MIP header with the following information and sends the packet to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/x
Figures 14R and 15Q show mobile node 1405 moving to another external network. When mobile node 1405 (using the triple tunnel) has moved to another external network, it modifies the routing table entry for x-HA-addr/x with the following information:
A. destination: x-HA-addr/x, gateway/interface: local-router-addr2/x
Mobile node 1405 creates an i-MIP registration request for re-registration with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr2/x
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr2/x
Figures 14S and 15R show mobile node 1405 moving to another external network (x-MIP registration response). When SMG/x-HA 1404 receives the x-MIP registration request, it changes its mobility binding with the following information:
A. home address: x-HoA-addr/x, Care-of Address: local-addr2/x
Next, SMG/x-HA 1404 creates an x-MIP registration reply with the following information and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr2/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
The following relates to i-MIP registration. Figures 14T-14W relate to the various registration methods described above. Here, mobile node 1405 is in the original external network, and its local address is local-addr/x.
In Figure 14T, mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address: local-addr/x
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
E. Care-of Address: x-HoA-addr/x
F. authentication extension value for i-HA
G. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, changes the source and destination IP addresses with the following information and sends the request to i-HA 1402:
A. source IP address: x-HA-addr/x
B. destination IP address: i-HA-addr/i
In Figure 14V, when i-HA 1402 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, changes its mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, it records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used by the split tunnel mode.
SMG/x-HA 1404 changes the source and destination IP addresses with the following information and sends the reply to mobile node 1405:
A. source IP address: x-HA-addr/x
B. destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP registration reply, it changes the entries in routing table 1504 with the following information:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
In Figure 14U, mobile node 1405 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: i-HA-addr/x
E. home address: i-HoA-addr/i
F. home agent: i-HA-addr/i
G. Care-of Address: x-HoA-addr/x
H. authentication extension value for i-HA
I. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, removes the x-MIP source and destination IP addresses and sends the request to i-HA 1402 with the following information.
In Figure 14W, when i-HA 1402 receives the i-MIP registration request, it authenticates the request and, if authentication succeeds, changes the mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: x-HoA-addr/x
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HoA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, it records a reverse mobility binding with the following information:
A. source address: i-HoA-addr/x, i-HA address: i-HA-addr/i
The reverse mobility binding can be used by the split tunnel mode.
SMG/x-HA 1404 adds the x-MIP source and destination IP addresses to the above reply with the following information and sends it to mobile node 1405:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP registration reply, it adds entries to the routing table with the following information:
A. destination: i-HA-addr/i, gateway/interface: x-MIP-tunnel
B. destination: internal network address/i, gateway/interface: i-MIP-tunnel
Figures 14X and 15S show mobile node 1405 disconnecting from the VPN tunnel. After deregistering i-MIP, mobile node 1405 creates a VPN disconnection request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/x
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/x
D. destination IP address=VPNgw-addr/x
E. VPN disconnection request
When SMG/x-HA 1404 receives the VPN disconnection request, it removes the x-MIP IP header and sends the request to VPN-gw 1403.
Figures 14Y and 15T show the response to the disconnection request of mobile node 1405. When VPN-gw 1403 receives the VPN disconnection request, it deletes the outbound SPD, creates a VPN disconnection response with the following information, and sends it to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=x-HoA-addr/x
C. VPN disconnection response
When SMG/x-HA 1404 receives the VPN disconnection response, it adds an x-MIP IP header with the following information and sends the response to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/x
When mobile node 1405 receives the VPN disconnection response, it deletes the routing table entries for VPNinnaddr2/i and i-HA-addr/i.
The following relates to i-MIP deregistration. There are two methods of sending the deregistration request: one via the SMG, and the other through the x-MIP tunnel.
Figure 14Z relates to sending the request via the SMG. Here, mobile node 1405 creates an i-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address: local-addr/x
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
E. Care-of Address: x-HoA-addr/x
F. duration=0
G. authentication extension value for i-HA
H. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP deregistration request, it authenticates the request and, if authentication succeeds, changes the source and destination IP addresses with the following information and sends the request to i-HA 1402:
A. source IP address: x-HA-addr/x
B. destination IP address: i-HA-addr/i
In Figure 14BB, when i-HA 1402 receives the i-MIP deregistration request, it authenticates the request and, if authentication succeeds, deletes the mobility binding. i-HA 1402 creates an i-MIP deregistration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP deregistration reply, it deletes the reverse mobility binding. Next, SMG/x-HA 1404 changes the source and destination IP addresses with the following information and sends the reply to mobile node 1405:
A. source IP address: x-HA-addr/x
B. destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP deregistration reply, it changes the entry in routing table 1504 with the following information:
A. destination: internal network address/i, gateway/interface: x-MIP-tunnel
Deregistration in the double MIP tunnel
Figures 14Z-14EE show how mobile node 1405 closes the tunnels in the external network.
Figure 14AA shows the transmission of the i-MIP deregistration request (through the x-MIP tunnel). Mobile node 1405 creates an i-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address: local-addr/x
B. x-MIP destination IP address: x-HA-addr/x
C. source IP address: x-HoA-addr/x
D. destination IP address: i-HA-addr/x
E. home address: i-HoA-addr/i
F. home agent: i-HA-addr/i
G. Care-of Address: x-HoA-addr/x
H. duration=0
I. authentication extension value for i-HA
J. vendor extension for x-HA authentication
When SMG/x-HA 1404 receives the i-MIP deregistration request, it authenticates the request and, if authentication succeeds, removes the x-MIP source and destination IP addresses and sends the request to i-HA 1402.
In Figure 14BB, when i-HA 1402 receives the i-MIP deregistration request, it authenticates the request and, if authentication succeeds, deletes the mobility binding.
i-HA 1402 creates an i-MIP deregistration reply with the following information and sends it to SMG/x-HA 1404:
A. source IP address: i-HA-addr/i
B. destination IP address: x-HoA-addr/x
C. home address: i-HoA-addr/i
D. home agent: i-HA-addr/i
When SMG/x-HA 1404 receives the i-MIP registration reply, it deletes the reverse mobility binding.
SMG/x-HA 1404 adds the x-MIP source and destination IP addresses. It then sends the reply to mobile node 1405 with the following information:
A. x-MIP source IP address: x-HA-addr/x
B. x-MIP destination IP address: local-addr/x
When mobile node 1405 receives the i-MIP deregistration reply, it changes the entry in routing table 1504 with the following information:
A. destination: internal network address/i, gateway/interface: x-MIP-tunnel
Figure 14DD shows the transmission of the x-MIP deregistration request. When mobile node 1405 deregisters i-MIP, it creates an x-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr/x
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr/x
F. duration=0
G. authentication extension value for x-HA
Figure 14EE shows the transmission of the x-MIP deregistration response. When SMG/x-HA 1404 receives the x-MIP deregistration request and has authenticated it successfully, it creates an x-MIP deregistration reply with the following information and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr/x
C. home address=x-HoA-addr/x
D. home agent=x-HA-addr/x
When mobile node 1405 receives the x-MIP deregistration reply, it deletes the entries for Internal-network-addr/i and VPNgw-addr/x in routing table 1504 and changes the following information:
A. destination: default, gateway/interface: local-router-addr/x
Figures 14GG-14NN and 15U-15BB show mobile node 1405 moving back from the external network to the internal network, using the triple tunnel mode shown in Figure 14FF.
Figure 15U shows mobile node 1405 moving to the internal access network (using an i-MIP registration request). When mobile node 1405 moves to the internal access network, it changes the routing table entries for x-HA-addr/x and the default route to local-router-addr/i. Mobile node 1405 creates an i-MIP registration request with the following information and sends it to i-HA 1402:
A. source IP address=local-addr/i
B. destination IP address=i-HA-addr/i
C. i-MIP home address=i-HoA-addr/i
D. i-MIP home agent=i-HA-addr/i
E. Care-of Address=local-addr/i
Figures 14HH and 15V show the processing of the i-MIP registration response. Here, when i-HA 1402 receives the i-MIP registration request, it changes the mobility binding with the following information:
A. home address: i-HoA-addr/i, Care-of Address: local-addr/i
i-HA 1402 creates an i-MIP registration reply with the following information and sends it to mobile node 1405:
A. source IP address=i-HA-addr/i
B. destination IP address=local-addr/i
C. i-MIP home address=i-HoA-addr/i
D. i-MIP home agent=i-HA-addr/i
When mobile node 1405 receives the i-MIP registration reply, it adds entries to routing table 1504 with the following information:
A. destination: i-HA-addr/i, gateway/interface: local-router-addr/i
B. destination: internal-network-addr/i, gateway/interface: i-MIP-tun
Figures 14II and 15W relate to the x-MIP registration request. Here, mobile node 1405 registers with x-HA 1404 via the x-MIP tunnel in order to disconnect the VPN tunnel.
Mobile node 1405 creates an x-MIP registration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr/i
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr/i
Figures 14JJ and 15X relate to the x-MIP registration response. When SMG/x-HA 1404 receives the x-MIP registration request, it changes the mobility binding with the following information:
A. home address: x-HoA-addr/x, Care-of Address: local-addr/i
Next, SMG/x-HA 1404 creates an x-MIP registration reply with the following information and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr/i
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
Figures 14KK and 15Y relate to mobile node 1405 disconnecting from the VPN tunnel. Mobile node 1405 creates a VPN disconnection request with the following information and sends it to SMG/x-HA 1404:
A. x-MIP source IP address=local-addr/i
B. x-MIP destination IP address=x-HA-addr/x
C. source IP address=x-HoA-addr/x
D. destination IP address=VPNgw-addr/x
E. VPN disconnection request
When SMG/x-HA 1404 receives the VPN disconnection request, it removes the x-MIP IP header and sends the request to VPN-gw 1403.
Figures 14LL and 15Z show the response to the VPN disconnection request. When VPN-gw 1403 receives the VPN disconnection request, it creates a VPN disconnection response with the following information and sends the response to SMG/x-HA 1404:
A. source IP address=VPNgw-addr/x
B. destination IP address=x-HoA-addr/x
C. VPN disconnection response
When SMG/x-HA 1404 receives the VPN disconnection response, it adds an x-MIP IP header with the following information and sends the response to mobile node 1405:
A. x-MIP source IP address=x-HA-addr/x
B. x-MIP destination IP address=local-addr/i
When mobile node 1405 receives the VPN disconnection response, it deletes the routing table entry for VPNinnaddr2/i.
Figures 14MM and 15AA show the x-MIP deregistration request. Here, mobile node 1405 creates an x-MIP deregistration request with the following information and sends it to SMG/x-HA 1404:
A. source IP address=local-addr/i
B. destination IP address=x-HA-addr/x
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
E. Care-of Address=local-addr/i
F. duration=0
G. authentication extension value for x-HA
Figures 14NN and 15BB show the x-MIP deregistration response. When SMG/x-HA 1404 receives the x-MIP deregistration request and has authenticated it successfully, it deletes the mobility binding, creates an x-MIP deregistration reply with the following information, and sends it to mobile node 1405:
A. source IP address=x-HA-addr/x
B. destination IP address=local-addr/i
C. x-MIP home address=x-HoA-addr/x
D. x-MIP home agent=x-HA-addr/x
When mobile node 1405 receives the x-MIP deregistration reply, it deletes the routing table entry for VPNgwaddr/x.
Trigger packets
The following relates to trigger packet processing. A trigger packet is a type of application traffic that starts the process of forming the VPN tunnel when x-MIP and i-MIP have been established.
Examples of trigger packet processing
Examples of trigger packets and of trigger packet processing are shown below. For example, a trigger packet may be:
A. Any packet that mobile node 1405 receives from communication host 1401 (internal network), such as a TCP SYN packet or a SIP INVITE packet, or a packet that depends on what application 1501 on mobile node 1405 uses.
B. Any packet that mobile node 1405 sends to the internal network. For example, the i-MIP registration can be sent via the VPN tunnel so that the x-MIP and i-MIP tunnels are created.
Figures 16A-16D relate to the processing of trigger packets.
An example of processing a trigger packet received by mobile node 1405 is described below.
In Figure 16A, when mobile node 1600 receives a trigger packet, its internal signalling is as follows. NIC2 1612 receives the trigger packet and sends it to NIC2 driver 1610. NIC2 driver 1610 creates from the trigger packet its specified packet for x-MIP driver 1608 and sends this specified packet to x-MIP driver 1608. x-MIP driver 1608 receives the packet and, after protocol processing, sends it to i-MIP driver 1606. i-MIP driver 1606 processes its protocol, identifies the packet as a trigger packet, indicates this to controller 1602, and forwards the trigger packet to trigger packet queue 1613.
Figure 16B shows the internal behaviour of mobile node 1600 when the VPN tunnel is established. Controller 1602 sends a message to i-MIP driver 1606 requesting establishment of the VPN tunnel. i-MIP driver 1606 takes the trigger packet from queue 1613 and sends it to TCP/IP driver 1603. After processing the protocol, TCP/IP driver 1603 sends it to application 1601.
Figure 16C describes the processing of a trigger packet transmitted by mobile node 1600. Application 1601 sends the trigger packet to TCP/IP driver 1603. After processing the protocol, TCP/IP driver 1603 sends it to i-MIP driver 1606. i-MIP driver 1606 detects that the packet is a trigger packet, indicates this to controller 1602, and holds the packet in queue 1613.
Figure 16D shows the internal signalling when mobile node 1600 establishes the VPN tunnel. Controller 1601 sends a message about establishing the VPN tunnel to i-MIP driver 1606. i-MIP driver 1606 then takes the trigger packet from queue 1613 and sends it to VPN driver 1607. After processing, VPN driver 1607 sends it to x-MIP driver 1608. After processing, x-MIP driver 1608 sends it to NIC driver 1610. After processing, NIC driver 1610 sends it to NIC 1612. NIC 1612 then sends the packet to the network.
Example of detecting a trigger message in a session that uses dynamically assigned ports
The following is an example of detecting a trigger message in a session that uses dynamically assigned ports rather than traditional static ports.
For example, some SIP implementations operate as shown in Figure 8. SRC and DST denote the IP source address and destination address. A is a port preconfigured at mobile node 802 and communication host 801. x, y and z are dynamically assigned port numbers. Because they are dynamic, their values are not known before the session begins. Mobile node 802 sends communication host 801 a message with source = y and destination = A that carries the instruction "respond using x". The communication host responds with an OK message with source = A and destination = y. Later, an incoming call arrives from source z with destination x and carries the payload "invite" for the call. The response is an OK message with source x and destination z.
If x were constant, the network driver could easily detect the "invite" message. But x is dynamically assigned, so the network driver cannot easily detect the trigger.
Figure 9 addresses this problem. Here, a proxy server 901 is used. First, application 902 is configured to use proxy server 901 by setting port A' as the server port and the local host address as the server address.
When application 902 sends message 903, "respond using x", the proxy modifies the message and sends "respond using x'" 904 to the actual server, communication host 801. OK messages 905 and 906 are then sent. This allows proxy 901 to capture the connection 907 in the reverse direction. That connection continues as message 908, from proxy 901 to application 902. It is followed by two OK messages (from application 902 to proxy 901 and from proxy 901 to communication host 801).
Trigger for switching from triple mode to double mode
The trigger for switching from triple tunnel mode to double tunnel mode is described below. When the application is closed or finishes, the i-MIP driver detects this and indicates to the controller that the VPN tunnel should be disconnected.
To detect whether the application has been closed or has finished, at least one of the following can be used:
a. The i-MIP driver can include a timer that measures how long no data packet has been sent or received; expiry of this timer triggers VPN disconnection.
b. The i-MIP driver can detect certain packets that close an application session, including but not limited to packets such as TCP FIN (other packets can of course be used for other protocols).
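The two detection options above, combined in one detector, as an added example that is not code from the patent. It goes slightly beyond the text by tracking each TCP flow, so that a FIN on one session does not request VPN teardown while another session is still open; the class name, the return strings and the sample packets are constructed for illustration.

```python
import socket
import struct
from typing import Optional, Tuple

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def make_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample input: minimal IPv4+TCP headers, checksums left 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_tcp(packet: bytes) -> Optional[Tuple[frozenset, int]]:
    """Return (direction-independent flow key, TCP flags), or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                                   # not TCP or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                                   # later fragment, no TCP header
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flow = frozenset({(packet[12:16], sport), (packet[16:20], dport)})
    return flow, packet[ihl + 13]


class TeardownDetector:
    """Tells the controller when the triple tunnel may drop to double."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.last_activity: Optional[float] = None
        self.open_flows = set()
        self.closed_flows = set()

    def observe(self, packet: bytes, now: float) -> Optional[str]:
        """Feed every packet sent or received through the i-MIP driver."""
        self.last_activity = now                      # any traffic resets the timer
        parsed = parse_tcp(packet)
        if parsed is None:
            return None
        flow, flags = parsed
        if flags & TCP_FIN:
            was_open = flow in self.open_flows
            self.open_flows.discard(flow)
            self.closed_flows.add(flow)
            # Trigger only when the last open session has just closed.
            return "session-close" if was_open and not self.open_flows else None
        if flags & TCP_SYN:
            self.closed_flows.discard(flow)           # same ports reused for a new session
        if flow not in self.closed_flows:             # trailing ACKs do not reopen a flow
            self.open_flows.add(flow)
        return None

    def poll(self, now: float) -> Optional[str]:
        """Call periodically; fires once when the idle timer expires."""
        if (self.last_activity is not None
                and now - self.last_activity >= self.idle_timeout):
            self.last_activity = None
            return "idle-timeout"
        return None
```

The caller passes its own clock value as `now`, so the timer behaviour can be exercised without waiting.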
i-MIP registration from the external network
i-MIP registration from the external network is described below. Various i-MIP registration methods are described. Figures 17A-17J, 18 and 19 relate to the various registration methods.
Here, Figures 17A-17J include i-HA 1701, VPN-gw 1702, SMG/x-HA 1703 and mobile node 1704.
When mobile node 1704 already has an i-MIP/VPN/x-MIP triple tunnel and is to construct an i-MIP/x-MIP double tunnel, mobile node 1704 uses an i-MIP registration message to register x-HoA as the CoA for i-MIP, and disconnects the VPN tunnel.
If mobile node 1704 does not have any tunnel, mobile node 1704 constructs the x-MIP tunnel and then registers x-HoA as the CoA for i-MIP.
The following figures show several methods by which the MN registers the i-MIP CoA; they are described below.
i-MIP registration method via the SMG when the SMG is also the external MIP home agent
Figures 17A-17J relate to various methods of performing i-MIP registration via the SMG when the SMG is also the external MIP home agent.
Here, the examples are based on the following:
a. Mobile node 1704 is in the external (public) network.
b. The x-MIP tunnel has already been established, except in the case of x-MIP and i-MIP piggyback registration (see Figures 17I-17J).
c. SMG/x-HA 1703 authenticates the i-MIP registration request packet.
Figure 17A shows registration using the SMG. Mobile node 1704 has a routing table with the following destination and gateway pairs:
a. Destination: x-HA-addr/x, gateway: the router of the external network in which the mobile node is located.
b. Destination: VPNgw-addr/x, gateway: x-MIP tunnel.
c. Destination: internal network, gateway: x-MIP tunnel.
SMG/x-HA 1703 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = x-HoA-addr/x
b. Care-of address = local-addr/x
Mobile node 1704 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1704:
a. Source address in the IP header = local-addr/x
b. Destination address in the IP header = x-HA-addr/x
c. Home address = i-HoA-addr/i
d. Home agent address = i-HA-addr/i
e. CoA address = x-HoA-addr/x
The i-MIP registration request carries an authentication extension value for i-HA 1701 and a vendor extension for x-HA 1703 authentication.
When x-HA 1703 receives the i-MIP registration request, x-HA 1703 performs strong authentication using the vendor extension for x-HA authentication. Before sending the i-MIP registration request to i-HA 1701, SMG/x-HA 1703 changes the source address in the IP header from local-addr/x to x-HA-addr/x. SMG/x-HA 1703 can remove the vendor extension for x-HA authentication before it sends the request to i-HA 1701.
When i-HA 1701 receives the i-MIP registration request, i-HA 1701 authenticates it and creates an i-MIP registration reply.
Figure 17B shows a reply. When i-HA 1701 creates the i-MIP registration reply, i-HA 1701 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = i-HoA-addr/i
b. Care-of address = x-HoA-addr/x
i-HA 1701 sends the i-MIP registration reply to SMG/x-HA 1703 with the following information:
a. Source address in the IP header = i-HA-addr/i
b. Destination address in the IP header = x-HA-addr/x
c. Home address = i-HoA-addr/i
d. Home agent address = i-HA-addr/i
When SMG/x-HA 1703 receives the i-MIP registration reply, SMG/x-HA 1703 creates a reverse mobility binding table for mobile node 1704 with the following information:
a. Source address = i-HoA-addr/i
b. i-HA address = i-HA-addr/i
The separate MIP tunnels need this reverse mobility binding. When SMG/x-HA 1703 receives an x-MIP data packet, SMG/x-HA 1703 constructs the i-MIP header from the reverse mobility binding.
Before sending the reply to mobile node 1704, SMG/x-HA 1703 changes the source address in the IP header from i-HA-addr/i to x-HA-addr/x, and the destination address from x-HA-addr/x to local-addr/x.
When mobile node 1704 receives the i-MIP registration reply, it adds entries to its routing table with the following information:
a. Destination: i-HA-addr/i, gateway: x-MIP tunnel
b. Destination: internal network, gateway: i-MIP tunnel.
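The SMG/x-HA side of the Figure 17A/17B exchange, as an added example that is not code from the patent. Assumptions: the vendor extension value is modelled as an HMAC-SHA256 over the i-MIP fields under a key shared by the mobile node and the x-HA (the text says only "strong authentication"), the check of the sender against the existing x-MIP binding is an added safeguard, and all addresses, keys and names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed sample addresses standing in for the page's symbolic names.
LOCAL, X_HA, X_HOA = "198.51.100.23", "203.0.113.1", "203.0.113.50"
I_HA, I_HOA = "10.0.0.1", "10.0.0.50"
KEY = b"constructed-mn-xha-shared-key"    # assumed MN <-> x-HA shared secret


@dataclass(frozen=True)
class RegRequest:
    ip_src: str
    ip_dst: str
    home_addr: str
    home_agent: str
    coa: str
    iha_auth: bytes                       # extension for i-HA, opaque to the SMG
    xha_vendor_auth: Optional[bytes] = None


@dataclass(frozen=True)
class RegReply:
    ip_src: str
    ip_dst: str
    home_addr: str
    home_agent: str


def vendor_mac(key: bytes, req: RegRequest) -> bytes:
    """Assumed vendor-extension value: HMAC-SHA256 over the i-MIP fields."""
    fields = "|".join((req.home_addr, req.home_agent, req.coa)).encode()
    return hmac.new(key, fields, hashlib.sha256).digest()


def build_request(key: bytes) -> RegRequest:
    """Mobile node side: the request fields listed for Figure 17A."""
    req = RegRequest(LOCAL, X_HA, I_HOA, I_HA, X_HOA, iha_auth=b"for-i-HA")
    return replace(req, xha_vendor_auth=vendor_mac(key, req))


def iha_reply(req: RegRequest) -> RegReply:
    """i-HA side (its own authentication omitted): the Figure 17B reply."""
    return RegReply(ip_src=req.home_agent, ip_dst=req.ip_src,
                    home_addr=req.home_addr, home_agent=req.home_agent)


class SmgXha:
    def __init__(self, addr: str, keys: Dict[str, bytes]):
        self.addr = addr
        self.keys = keys                              # x-HoA -> shared key
        self.mobility_binding: Dict[str, str] = {}    # x-HoA -> care-of address
        self.reverse_binding: Dict[str, str] = {}     # i-HoA -> i-HA address
        self._pending: Dict[str, str] = {}            # i-HoA -> x-HoA in flight

    def relay_request(self, req: RegRequest) -> Optional[RegRequest]:
        key = self.keys.get(req.coa)
        # Added check (assumption): the registered CoA must be an x-HoA whose
        # x-MIP binding already points at the sender's local address.
        if key is None or self.mobility_binding.get(req.coa) != req.ip_src:
            return None
        if req.xha_vendor_auth is None or not hmac.compare_digest(
                req.xha_vendor_auth, vendor_mac(key, req)):
            return None
        self._pending[req.home_addr] = req.coa
        # Rewrite the source to x-HA-addr/x and strip the x-HA vendor extension.
        return replace(req, ip_src=self.addr, xha_vendor_auth=None)

    def relay_reply(self, rep: RegReply) -> Optional[RegReply]:
        if rep.ip_dst != self.addr or rep.home_addr not in self._pending:
            return None                               # unsolicited or replayed reply
        care_of = self.mobility_binding.get(self._pending.pop(rep.home_addr))
        if care_of is None:
            return None                               # x-MIP binding has gone away
        self.reverse_binding[rep.home_addr] = rep.home_agent
        return replace(rep, ip_src=self.addr, ip_dst=care_of)


if __name__ == "__main__":
    smg = SmgXha(X_HA, {X_HOA: KEY})
    smg.mobility_binding[X_HOA] = LOCAL               # x-MIP tunnel already up
    forwarded = smg.relay_request(build_request(KEY))
    print(forwarded)
    print(smg.relay_reply(iha_reply(forwarded)), smg.reverse_binding)
```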
Figure 17C shows registration through the x-MIP tunnel: mobile node 1704 sends the i-MIP registration packet encapsulated in an x-MIP IP-in-IP header. Once SMG/x-HA 1703 receives it, SMG/x-HA 1703 decapsulates the i-MIP registration packet and forwards it to i-HA 1701. Here, this example has i-HA 1701 provide strong authentication, because the i-MIP registration packet is transmitted in the external network without protection. i-HA 1701 can check the received registration messages and authenticate them in a secure manner.
Figure 17D shows the request for the tunnel. Mobile node 1704 has a routing table with the following destination and gateway pairs:
a. Destination: x-HA-addr/x, gateway: the router of the external network in which the mobile node is located.
b. Destination: VPNgw-addr/x, gateway: x-MIP tunnel.
c. Destination: internal network, gateway: x-MIP tunnel.
SMG/x-HA 1703 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = x-HoA-addr/x
b. Care-of address = local-addr/x
Mobile node 1704 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1703:
a. Source address in the x-MIP IP header = local-addr/x
b. Destination address in the x-MIP IP header = x-HA-addr/x
c. Source address in the IP header = x-HoA-addr/x
d. Destination address in the IP header = i-HA-addr/i
e. Home address = i-HoA-addr/i
f. Home agent address = i-HA-addr/i
g. CoA address = x-HoA-addr/x
The i-MIP registration request carries an authentication extension value for i-HA 1701 and a vendor extension for x-HA authentication.
When SMG/x-HA 1703 receives the i-MIP registration request, SMG/x-HA 1703 performs strong authentication using the vendor extension for x-HA authentication. Before SMG/x-HA 1703 sends the i-MIP registration request to i-HA 1701, it removes the x-MIP IP header. SMG/x-HA 1703 can remove the vendor extension for x-HA authentication before the request is sent to i-HA 1701.
When i-HA 1701 receives the i-MIP registration request, i-HA 1701 authenticates it and creates an i-MIP registration reply.
Figure 17D shows the creation and processing of the reply. When i-HA 1701 creates the i-MIP registration reply, i-HA 1701 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = i-HoA-addr/i
b. Care-of address = x-HoA-addr/x
i-HA 1701 sends the i-MIP registration reply to SMG/x-HA 1703 with the following information:
a. Source address in the IP header = i-HA-addr/i
b. Destination address in the IP header = x-HA-addr/x
c. Home address = i-HoA-addr/i
d. Home agent address = i-HA-addr/i
When SMG/x-HA 1703 receives the i-MIP registration reply, SMG/x-HA 1703 creates a reverse mobility binding table for mobile node 1704 with the following information:
a. Source address = i-HoA-addr/i
b. i-HA address = i-HA-addr/i
The separate MIP tunnels need this reverse mobility binding. When SMG/x-HA 1703 receives an x-MIP data packet, SMG/x-HA 1703 creates the i-MIP header from the reverse mobility binding.
SMG/x-HA 1703 adds an x-MIP IP header in front of the IP header. The x-MIP source IP address is x-HA-addr/x, and the x-MIP source IP address is local-addr/x. Next, SMG/x-HA 1703 sends the i-MIP registration reply to mobile node 1704.
When mobile node 1704 receives the i-MIP registration reply, entries are added to the routing table of mobile node 1704 with the following information:
a. Destination: i-HA-addr/i, gateway: x-MIP tunnel
b. Destination: internal network, gateway: i-MIP tunnel.
Figures 17E and 17F show registration via the SMG (using src = CoA).
In Figure 17E, mobile node 1704 has a routing table with the following destination and gateway pairs:
a. Destination: x-HA-addr/x, gateway: the router of the external network in which the mobile node is located.
b. Destination: VPNgw-addr/x, gateway: x-MIP tunnel.
c. Destination: internal network, gateway: x-MIP tunnel.
SMG/x-HA 1703 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = x-HoA-addr/x
b. Care-of address = local-addr/x
Mobile node 1704 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1703:
a. Source address in the IP header = local-addr/x
b. Destination address in the IP header = x-HA-addr/x
c. Home address = i-HoA-addr/i
d. Home agent address = i-HA-addr/i
e. CoA address = x-HoA-addr/x
The i-MIP registration request can carry an authentication extension value for i-HA 1701 and a vendor extension for x-HA authentication.
When SMG/x-HA 1703 receives the i-MIP registration request, SMG/x-HA 1703 performs strong authentication using the vendor extension for x-HA authentication. Before sending the i-MIP registration request to i-HA 1701, SMG/x-HA 1703 changes the source address in the IP header from local-addr/x to x-HA-addr/x. SMG/x-HA 1703 can remove the vendor extension for x-HA authentication before the request is sent to i-HA 1701.
When i-HA 1701 receives the i-MIP registration request, i-HA 1701 authenticates it and creates an i-MIP registration reply.
The difference between Figures 17A and 17E is that the source address for SMG/x-HA 1703 in the IP header has changed.
Figure 17F shows a reply. When i-HA 1701 creates the i-MIP registration reply, i-HA 1701 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = i-HoA-addr/i
b. Care-of address = x-HoA-addr/x
i-HA 1701 sends the i-MIP registration reply to SMG/x-HA 1703 with the following information:
a. Source address in the IP header = i-HA-addr/i
b. Destination address in the IP header = x-HoA-addr/x
c. Home address = i-HoA-addr/i
d. Home agent address = i-HA-addr/i
When SMG/x-HA 1703 receives the i-MIP registration reply, SMG/x-HA 1703 creates a reverse mobility binding table for mobile node 1704 with the following information:
a. Source address = i-HoA-addr/i
b. i-HA address = i-HA-addr/i
The separate MIP tunnels can use the reverse mobility binding. When SMG/x-HA 1703 receives an x-MIP data packet, SMG/x-HA 1703 constructs the i-MIP header from the reverse mobility binding.
Before sending the reply to mobile node 1704, SMG/x-HA 1703 changes the source address in the IP header from i-HA-addr/i to x-HA-addr/x, and the destination address from x-HoA-addr/x to local-addr/x.
When mobile node 1704 receives the i-MIP registration reply, entries are added to the routing table of mobile node 1704 with the following information:
a. Destination: i-HA-addr/i, gateway: x-MIP tunnel
b. Destination: internal network, gateway: i-MIP tunnel.
The difference between Figure 17B and Figure 17F is the destination address in the IP header sent by i-HA 1701.
Figures 17G and 17H show registration using alternative encapsulation.
In Figure 17G, mobile node 1704 has a routing table with the following destination and gateway pairs:
a. Destination: x-HA-addr/x, gateway: the router of the external network in which the mobile node is located.
b. Destination: VPNgw-addr/x, gateway: x-MIP tunnel.
c. Destination: internal network, gateway: x-MIP tunnel.
SMG/x-HA 1703 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = x-HoA-addr/x
b. Care-of address = local-addr/x
Mobile node 1704 creates an i-MIP registration request with the following information and sends it to SMG/x-HA 1703:
a. Source address in the x-MIP IP header = local-addr/x
b. Destination address in the x-MIP IP header = x-HA-addr/x
c. x-HA authentication value
d. Source address in the IP header = x-HoA-addr/x
e. Destination address in the IP header = i-HA-addr/i
f. Home address = i-HoA-addr/i
g. Home agent address = i-HA-addr/i
h. CoA address = x-HoA-addr/x
The i-MIP registration request carries an authentication extension value for the i-HA.
The i-MIP registration request does not carry the x-HA authentication value in a vendor extension. When SMG/x-HA 1703 receives the i-MIP registration request, SMG/x-HA 1703 performs strong authentication using this x-HA authentication value. Before SMG/x-HA 1703 sends the i-MIP registration request to i-HA 1701, it removes the x-MIP IP header and the x-HA authentication value.
When i-HA 1701 receives the i-MIP registration request, i-HA 1701 authenticates it and creates an i-MIP registration reply.
Figure 17H is identical to Figure 17D.
Figures 17I and 17J relate to x-MIP and i-MIP piggyback registration. Mobile node 1704 sends the i-MIP registration message contained in the x-MIP registration message. Mobile node 1704 can use a vendor extension field in the x-MIP message as a container for the i-MIP registration message. In other words, the i-MIP registration message is piggybacked on the x-MIP message.
When SMG/x-HA 1703 receives the piggybacked packet, SMG/x-HA 1703 authenticates the packet information in a secure manner, creates the i-MIP registration message, and sends it to i-HA 1701.
In this method, i-HA 1701 must have the strong authentication feature, because the registration message has been authenticated by SMG/x-HA 1703.
Figure 17I shows a request. Mobile node 1704 has the following routing table of destination and gateway pairs:
a. Destination: default, gateway: the router of the external network in which the mobile node is located.
Mobile node 1704 creates x-MIP and i-MIP registration requests with the following information and sends them:
a. x-MIP source address in the IP header = local-addr/x
b. x-MIP destination address in the IP header = x-HA-addr/x
c. x-MIP home address = x-HoA-addr/x
d. x-MIP home agent address = x-HA-addr/x
e. x-MIP CoA address = local-addr/x
f. x-MIP authentication extension value for x-HA
g. i-MIP source address in the IP header = x-HoA-addr/x
h. i-MIP destination address in the IP header = i-HA-addr/i
i. i-MIP home address = i-HoA-addr/i
j. i-MIP home agent = i-HA-addr/i
k. i-MIP CoA address = x-HoA-addr/x
l. i-MIP authentication extension value for i-HA
When SMG/x-HA 1703 receives the x-MIP and i-MIP registration requests, SMG/x-HA 1703 performs strong authentication using the authentication extension value for SMG/x-HA 1703. SMG/x-HA 1703 creates the i-MIP registration request from the latter half, with the following information:
a. i-MIP source address in the IP header = x-HoA-addr/x
b. i-MIP destination address in the IP header = i-HA-addr/i
c. i-MIP home address = i-HoA-addr/i
d. i-MIP home agent = i-HA-addr/i
e. i-MIP CoA address = x-HoA-addr/x
f. i-MIP authentication extension value for i-HA
When i-HA 1701 receives the i-MIP registration request, i-HA 1701 authenticates it and creates an i-MIP registration reply.
In Figure 17J, when i-HA 1701 creates the i-MIP registration reply, i-HA 1701 has a mobility binding table for mobile node 1704 with the following information:
a. Home address = i-HoA-addr/i
b. Care-of address = x-HoA-addr/x
i-HA 1701 sends the i-MIP registration reply to SMG/x-HA 1703 with the following information:
a. IP source address in the IP header = i-HA-addr/i
b. IP destination address in the IP header = x-HoA-addr/x
c. i-MIP home address = i-HoA-addr/i
d. i-MIP home agent address = i-HA-addr/i
When SMG/x-HA 1703 receives the i-MIP registration reply, SMG/x-HA 1703 creates a reverse mobility binding table for mobile node 1704 with the following information:
a. Source address = i-HoA-addr/i
b. i-HA address = i-HA-addr/i
The separate MIP tunnels can use the reverse mobility binding. When SMG/x-HA 1703 receives an x-MIP data packet, SMG/x-HA 1703 constructs the i-MIP header from the reverse mobility binding.
When SMG/x-HA 1703 creates the x-MIP and i-MIP registration replies, SMG/x-HA 1703 creates a mobility binding table for mobile node 1704 with the following information:
a. Home address = x-HoA-addr/x
b. Care-of address = local-addr/x
SMG/x-HA 1703 adds the x-MIP registration reply in front of the i-MIP registration reply, with the following information:
a. Source address in the IP header = x-HA-addr/x
b. Destination address in the IP header = local-addr/x
c. x-MIP home address = x-HoA-addr/x
d. x-MIP home agent address = x-HA-addr/x
When mobile node 1704 receives the x-MIP and i-MIP registration replies, it adds routing table entries with the following information:
a. Destination: x-HA-addr/x, gateway: the router of the external network in which the mobile node is located.
b. Destination: VPNgw-addr/x, gateway: x-MIP tunnel
c. Destination: i-HA-addr/i, gateway: x-MIP tunnel
d. Destination: internal network, gateway: i-MIP tunnel.
i-MIP registration method using the VPN tunnel
Figure 18 shows the i-MIP registration method that uses the VPN tunnel. Figure 18 includes communication host 1801, i-HA 1802, decapsulator 1803, VPN gateway 1804, x-HA 1805 and mobile node 1806.
To create the i-MIP/x-MIP tunnel, mobile node 1806 first creates the VPN/x-MIP tunnel and uses the VPN/x-MIP tunnel to send the i-MIP registration message. If mobile node 1806 already has an i-MIP/VPN/x-MIP triple tunnel, mobile node 1806 need not create a new tunnel and can use the existing VPN/x-MIP tunnel.
When the VPN/x-MIP tunnel is ready, mobile node 1806 creates an i-MIP registration message in which the IP source address and the i-MIP CoA are x-HoA. If mobile node 1806 simply sent this message through the VPN/x-MIP tunnel, existing VPN gateway 1804 implementations could reject it, because its IP source address does not match the VPN tunnel home address.
Mobile node 1806 therefore encapsulates the i-MIP registration message in another IP header whose source address is the VPN tunnel home address and whose destination address is the preconfigured address of decapsulator 1803. The encapsulated packet is transmitted through the VPN/x-MIP tunnel and arrives at decapsulator 1803. The decapsulator decapsulates the packet and forwards the inner i-MIP registration message to i-HA 1802.
i-HA 1802 can be combined with decapsulator 1803 or kept separate.
In this method, i-HA 1802 must have the strong authentication feature, because the registration message is transmitted through the well-protected VPN gateway 1804. Of course, as an alternative, it can have strong encryption.
i-MIP registration method using the internal network
Figure 19 shows the i-MIP registration method that uses the internal network. Figure 19 includes mobile node 1901, x-HA 1902, i-HA 1903, the internal network and the external network. Mobile node 1901 includes a WLAN interface and a cellular interface (as examples of networks).
When mobile node 1901 moves from the internal network to the external network, mobile node 1901 can send the i-MIP registration message before leaving.
Mobile node 1901 can have two or more network links at the same time, one to the internal network in which mobile node 1901 is located and another to the external network that mobile node 1901 is about to enter. In this case, mobile node 1901 knows the location address for the external network, so mobile node 1901 can establish the x-MIP tunnel while keeping the internal network link. Mobile node 1901 then creates an i-MIP registration message in which the CoA is x-HoA, and sends this i-MIP registration message via the internal network link.
In this method, i-HA 1903 must have the strong authentication feature, because the registration message is transmitted in the internal network. Alternatively, i-HA 1903 can likewise include the strong authentication feature.
The present invention has been described in terms of preferred and illustrative embodiments thereof. Many other embodiments, modifications and variations within the scope and spirit of the claims will occur to those of ordinary skill in the art upon reading this disclosure.

Claims (31)

1. A system for roaming between a first network and a second network, comprising:
an internal mobile IP driver connected to a first network driver;
an external mobile IP driver connected to said first network driver and a second network driver,
wherein an application communicates with said first network through said first network driver, and communicates with said second network through said second network driver.
2. The system as claimed in claim 1, wherein said internal mobile IP driver can be connected to said second network driver.
3. The system as claimed in claim 1, further comprising: a VPN driver connectable between said internal mobile IP driver and said external mobile IP driver.
4. The system as claimed in claim 1, characterized in that said internal mobile IP driver and said external mobile IP driver are directly connected to each other.
5. A system for roaming between a first network and a second network, comprising:
a TCP/IP controller;
an internal mobile IP driver connected to a first network driver;
an external mobile IP driver connected to a second network driver,
wherein, before said internal mobile IP driver disconnects from said first network through said first network driver, said external mobile IP driver connects to said second network using said second network driver.
6. The system as claimed in claim 5, further comprising: a VPN driver.
7. The system as claimed in claim 6, wherein said VPN driver is connectable between said internal mobile IP driver and said external mobile IP driver.
8. The system as claimed in claim 6, wherein said internal mobile IP driver and said external mobile IP driver are directly connected to each other.
9. A method for roaming a mobile terminal between a first network and a second network, comprising the steps of:
establishing a first network connection between a first network driver of said mobile terminal and said first network;
establishing a second network connection between a second network driver of said mobile terminal and said second network;
switching communication from said first network to said second network.
10. The method as claimed in claim 9, further comprising the step of:
establishing a VPN connection using said second network driver.
11. A mobile terminal for roaming between a first network and a second network, comprising:
means for establishing a first network connection between a first network driver of the mobile terminal and said first network;
means for establishing a second network connection between a second network driver of said mobile terminal and said second network;
means for switching communication from said first network to said second network.
12. The method as claimed in claim 9, further comprising:
means for establishing a VPN connection using said second network driver.
13. A mobile node for switching between double tunnel and triple tunnel connections to a home network, comprising:
an external mobile IP driver for receiving information from a first network driver;
an internal mobile IP driver for receiving information from said external mobile IP driver;
a controller for controlling the signaling used for switching between the double tunnel and the triple tunnel,
wherein said internal mobile IP driver determines whether said information is an indication that the mobile node should switch from the double tunnel to the triple tunnel, and provides data about said indication to said controller.
14. The mobile node as claimed in claim 13, wherein said internal mobile IP driver determines whether said information is an indication that the mobile node should switch from the triple tunnel to the double tunnel, and provides data about said indication to said controller.
15. The mobile node as claimed in claim 13, further comprising:
a trigger packet queue,
wherein said internal mobile IP driver forwards said information to said trigger packet queue.
16. A method for switching between a double tunnel and a triple tunnel, comprising the steps of:
receiving a packet;
determining whether said packet is a trigger packet;
storing said packet in a trigger packet queue; and
switching between said double tunnel and said triple tunnel.
17. The method as claimed in claim 16, wherein said packet is received from a network.
18. The method as claimed in claim 16, wherein said packet is received from an application.
19. A system for switching between a double tunnel and a triple tunnel, comprising:
means for receiving a packet;
means for determining whether said packet is a trigger packet;
means for storing said packet; and
means for switching between said double tunnel and said triple tunnel.
20. The system as claimed in claim 19, wherein said packet is received from a network.
21. The system as claimed in claim 19, wherein said packet is received from an application.
22. A system for preventing denial-of-service attacks, comprising:
a mobile node that communicates with an internal home agent and sends internal mobile IP registration requests only through an IPsec tunnel.
23. The system as claimed in claim 22, wherein said IPsec tunnel is established through key exchange.
24. A system for preventing information leakage, comprising:
a mobile node that communicates with an internal home agent,
wherein the internal mobile IP registration reply is not encrypted, and at least some other signaling and data packets are encrypted.
25. The system as claimed in claim 24, wherein said encryption comprises an IPsec tunnel.
26. A system for preventing false incoming calls, comprising:
a mobile node that communicates with an internal home agent, said mobile node comprising a firewall,
wherein said firewall prevents a packet from being accepted as a trigger packet, and wherein an accepted trigger packet allows said mobile node to establish an IPsec tunnel with said internal home agent.
27. A method for preventing denial-of-service attacks, comprising the step of:
communicating with an internal home agent, wherein said communication sends internal mobile IP registration requests only through an IPsec tunnel.
28. The method as claimed in claim 27, further comprising the step of:
establishing said IPsec tunnel through key exchange.
29. A method for preventing information leakage, comprising the steps of:
communicating with an internal home agent;
not encrypting the internal mobile IP registration reply;
encrypting at least some other signaling and data packets.
30. The method as claimed in claim 29, further comprising the step of:
encrypting said other signaling and data packets by transmitting them through an IPsec tunnel.
31. A method for preventing false incoming calls from a mobile node, comprising:
communicating with an internal home agent;
preventing a packet from being accepted as a trigger packet, wherein an accepted trigger packet allows said mobile node to establish an IPsec tunnel with said internal home agent.
CNB2004800174563A 2003-07-22 2004-07-22 Between inside and outside network, carry out safety and seamless roam, between dual and triple tunnels, switch, and communicating by letter between protection home agent and mobile node Active CN100574228C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910208858.6A CN101707759B (en) 2003-07-22 2004-07-22 The mobile node, the system and method that between double and triple tunnels, switch

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US48880903P 2003-07-22 2003-07-22
US60/488,809 2003-07-22
US10/895,411 2004-07-21

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN200910208858.6A Division CN101707759B (en) 2003-07-22 2004-07-22 The mobile node, the system and method that between double and triple tunnels, switch

Publications (2)

Publication Number Publication Date
CN1813445A (en) 2006-08-02
CN100574228C (en) 2009-12-23

Family

ID=36845402

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800174563A Active CN100574228C (en) 2003-07-22 2004-07-22 Secure and seamless roaming between internal and external networks, switching between double and triple tunnels, and protecting communication between home agent and mobile node

Country Status (1)

Country Link
CN (1) CN100574228C (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101939952A (en) * 2007-12-17 2011-01-05 韩国电子通信研究院 Method for supporting mobility using secure tunnel
CN102131189A (en) * 2010-12-28 2011-07-20 中国电信股份有限公司 Acquisition instrument, mobile supervision method and system
US9723521B2 (en) 2013-06-21 2017-08-01 Huawei Technologies Co., Ltd. Network handover method, terminal, controller, gateway, and system
CN111064650A (en) * 2019-12-23 2020-04-24 浙江宇视科技有限公司 Method and device for dynamically changing tunnel connection service port number

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI105978B (en) * 1998-05-12 2000-10-31 Nokia Mobile Phones Ltd Method of connecting a wireless data terminal in a data transmission network and a wireless data terminal
EP1032179B1 (en) * 1999-02-26 2005-09-14 Lucent Technologies Inc. Mobile IP supporting quality of service
US20030021253A1 (en) * 2001-07-03 2003-01-30 Tae-Sung Jung Method of transmitting data from server of virtual private network to mobile node

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101939952A (en) * 2007-12-17 2011-01-05 韩国电子通信研究院 Method for supporting mobility using secure tunnel
CN101939952B (en) * 2007-12-17 2013-12-25 韩国电子通信研究院 Method for supporting mobility using secure tunnel
CN102131189A (en) * 2010-12-28 2011-07-20 中国电信股份有限公司 Acquisition instrument, mobile supervision method and system
US9723521B2 (en) 2013-06-21 2017-08-01 Huawei Technologies Co., Ltd. Network handover method, terminal, controller, gateway, and system
CN111064650A (en) * 2019-12-23 2020-04-24 浙江宇视科技有限公司 Method and device for dynamically changing tunnel connection service port number

Also Published As

Publication number Publication date
CN100574228C (en) 2009-12-23

Similar Documents

Publication Publication Date Title
CN1817013A (en) Terminal and communication system
CN101043411A (en) Method and system for realizing mobile VPN service in hybrid network
CN1275418C (en) Authentication in packet data network
CN1481081A (en) Virtual special internet system
CN1574792A (en) Multi-layer based method for implementing network firewalls
CN1774889A (en) Arrangement for traversing an IPv4 network by IPv6 mobile nodes
CN1298148C (en) Micro mobile network route system and method
CN1509577A (en) Existential server in IP multi-media
CN1849840A (en) Secure intra- and inter-domain handover
CN1836419A (en) Method, system and apparatus to support mobile IP version 6 services in CDMA system
CN1486102A (en) Mobile communication system, router, mobile node, and mobile communication method
CN1574791A (en) Method and framework for integrating a plurality of network policies
CN1251455C (en) Route device and communication network system
CN101053213A (en) Multi-interface communication equipment, terminal and path switching method
CN1855825A (en) Computer system
CN1574839A (en) Multi-layered firewall architecture
CN101040497A (en) Firewall system and firewall control method
CN1741523A (en) Key exchange protocol method for realizing main machine transferability and multi-home function
CN1503595A (en) 802.11 for aiding quick overarea switch by compressed ressociation
CN1636356A (en) Internet protocol based wireless communication arrangements
CN1630259A (en) Home agent apparatus, mobile router, communication system, and communication method
CN1655553A (en) System and method for facilitating third-party call and device control
CN1324537A (en) Method and system for supporting the quality of service in wireless networks
CN1890945A (en) Communication systems for traversing firewalls and network address translation (NAT) installations
CN1883220A (en) Mobile communication system using private network, relay node, and radio base control station

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220106

Address after: Texas, USA

Patentee after: Zhuoxin heritage Co.

Address before: Tokyo, Japan

Patentee before: Toshiba Corp.

Patentee before: Zhuoxin heritage Co.

Effective date of registration: 20220106

Address after: Tokyo, Japan

Patentee after: Toshiba Corp.

Patentee after: Zhuoxin heritage Co.

Address before: Tokyo, Japan

Patentee before: Toshiba Corp.

Patentee before: TELCORDIA TECH Inc.

Effective date of registration: 20220106

Address after: Stockholm, SWE

Patentee after: Telefonaktiebolaget LM Ericsson (publ)

Address before: Texas, USA

Patentee before: Zhuoxin heritage Co.