JP2011049841A - Network control method and network system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To maintain a communication environment by a VPN (Virtual Private Network) without performing the reset of an established IPsec (security architecture for IP) tunnel, or the like, even when a terminal in the VPN separates from an IP (Internet Protocol) network of the terminal itself. <P>SOLUTION: A network system constitutes the VPN by establishing the IPsec tunnel for performing dynamic routing based on an IP prefix between a first tunnel terminating device in a first IP network and a second tunnel terminating device in a second IP network. When a terminal in the second IP network separates from the second IP network, information regarding the separation is added to information for determining an IPsec tunnel route of the first tunnel terminating device. In addition, the information regarding the separation is added to the second tunnel terminating device or the subordinate router of the second tunnel terminating device. The separation can be responded by transferring packets by longest-coincidence retrieval with the devices. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to techniques such as address assignment, communication control, and path control in a VPN (Virtual Private Network) configured by IPsec (security architecture for IP) tunneling in an IP (Internet Protocol) network.

  In recent years, the following technologies are used in the field of information communication.

(1) IPsec ESP (Encapsulating Security Payload) Tunnel Mode Technology As a typical technology for connecting IP networks with IP tunneling technology, IPsec ESP tunnel mode (defined in IETF (Internet Engineering Task Force) RFC (Request for Comments) 4301 ( Hereinafter, there is a technique (referred to as non-patent document 1). By using this technique, it becomes possible to further encapsulate (encrypt) packets (IP packets; the same applies hereinafter) and transfer them.

(2) IKEv2 (Internet Key Exchange version 2) Technology As a technology for automatically establishing the IPsec tunnel shown in the above (1), there is an IKEv2 technology defined in IETF RFC4306 (see Non-Patent Document 2). By using this technology, exchange of information for performing authentication (authentication of whether or not the other device is a legitimate device, and so on) between tunnel terminating devices to be connected, and IP communication in an IPsec tunnel It is possible to establish a secure IPsec tunnel after dynamically assigning an IP address (or IP prefix) to be used for performing encryption, generating an encryption key, and the like. Note that authentication can also be realized by cooperation with an authentication server or the like.

(3) Dynamic Routing Technology As a technology for learning transfer destination information corresponding to a packet destination when a router or the like transfers a packet, there is a dynamic routing technology. Examples of the dynamic routing technique include BGP (Border Gateway Protocol) 4+ defined in IETF RFC2545 (see Non-Patent Document 3) and IETF RFC2858 (see Non-Patent Document 4). By using the present technology, it is possible to configure a wide-area IP network by exchanging route information learned between IP devices specified in advance.

  With these techniques, for example, a virtual private network (hereinafter referred to as “VPN”) as shown in FIG. 14 is constructed. In the example shown in FIG. 14, the VPN is realized by connecting the IP network A and the IP network B with an IPsec tunnel provided on the IP network existing between them.

  In the example illustrated in FIG. 14, description will be made on the assumption that the IP prefix used in the IP network B is assigned from the IP network A side to the IP network B side by IKEv2. The IP address is composed of an IP prefix and a host address. Further, in the example shown in FIG. 14, it is assumed that one IP prefix is given to each of the IP network A and the IP network B.

  On the IP network B side, each terminal in the IP network B can communicate by determining the IP address used by itself by combining the IP prefix assigned to the IP network B and a predetermined host address.

  On the IP network A side, the tunnel terminating device advertises the route of the IP prefix assigned to the IP network B to each terminal in the IP network A, so that the terminal in the IP network A can change the terminal in the IP network B. Can be transmitted to the IP network B side via the tunnel termination device in the IP network A.

  When communication between terminals within IP network A and IP network B is performed between terminals, it is not necessary to go through an IPsec tunnel, so each router has a router or the like installed in each IP network. The packet is forwarded so that communication can be performed.

S. Kent, K. Seo, “Security Architecture for the Internet Protocol”, Request for Comments: 4301, Internet Engineering Task Force, December 2005 C. Kaufman, Ed., “Internet Key Exchange (IKEv2) Protocol”, Request for Comments: 4306, Internet Engineering Task Force, December 2005 P. Marques, F. Dupont, “Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing”, Request for Comments: 2545, Internet Engineering Task Force, March 1999 T. Bates et al., “Multiprotocol Extensions for BGP-4”, Request for Comments: 2858, Internet Engineering Task Force, June 2000

  In a VPN configured by the prior art, when a terminal in the IP network B (hereinafter referred to as “outing terminal”) goes out (refers to going out of the IP network B; the same applies hereinafter), the outing terminal itself tunnels. An IPsec tunnel is established by using IKEv2 from the outside of the IP network B with the tunnel termination device 3A.

  Here, when trying to communicate by connecting to the VPN by continuously using the IP address used by the outing terminal in the IP network B, the IP address used by the outing terminal is the IP network A as described above. Assuming that However, as the outing terminal goes out, communication between the IP network A and the outing terminal, communication between the IP network B and the outing terminal, and communication between the IP network A and the IP network B can be performed simultaneously. In order to do so, it is necessary to re-set the IPsec tunnel between the IP network A and the IP network B, and to perform re-advertisement of the route in the IP network A in the tunnel terminating device in the IP network A, and the processing is complicated. It was.

  The present invention has been made in order to solve the above-described problem. Even when a terminal in the VPN is disconnected from its own IP network, the communication environment by the VPN can be established without resetting the established IPsec tunnel. The challenge is to maintain.

  In order to solve the above-described problem, the present invention provides a dynamic based on an IP prefix between a first tunnel termination device in a first IP network and a second tunnel termination device in a second IP network. The present invention relates to a network system that configures a VPN by establishing an IPsec tunnel for performing routing. When a terminal in the second IP network leaves the second IP network, information related to the departure is added to the IPsec tunnel route determination information of the first tunnel termination device. In addition, information regarding the leaving is added to the second tunnel termination device or a router under its control. These devices can cope with the departure by transferring the packet by the longest match search.

  According to the present invention, a VPN communication environment can be maintained without re-establishing an established IPsec tunnel or the like even when a terminal in the VPN is disconnected from its own IP network.

(A) is a configuration diagram of the network system and (b) is a flowchart showing a processing flow of each device at the time of initial connection in mode 1 of the present embodiment. FIG. 2 is a configuration diagram of a tunnel termination device of the present embodiment, where (a) is an explanatory diagram of processing at the time of normal IP packet transfer, and (b) is an explanatory diagram of processing at the time of sending into an IPsec tunnel. When the outing terminal is out in mode 1 of the present embodiment, (a) is a configuration diagram of the network system, and (b) is a flowchart showing a processing flow of each device. It is a block diagram of each table of each device at the time of initial connection in mode 1 of the present embodiment. It is a block diagram of each table of each device when the outing terminal goes out in mode 1 of the present embodiment. (A) is a configuration diagram of the network system, and (b) is a flowchart showing a processing flow of each device at the time of initial connection in mode 2 of the present embodiment. It is a flowchart which shows the flow of a process of each apparatus about the time of going out of the going-out terminal in the mode 2 of this embodiment. It is a block diagram of each table of each device at the time of initial connection in mode 2 of the present embodiment. It is a block diagram of each table of each device when the outing terminal goes out in mode 2 of the present embodiment. (A) is a configuration diagram of the network system and (b) is a flowchart showing a processing flow of each device at the time of initial connection in mode 3 of the present embodiment. It is a flowchart which shows the flow of a process of each apparatus about the time of going out of the going-out terminal in the mode 3 of this embodiment. It is a block diagram of each table of each device at the time of initial connection in mode 3 of the present embodiment. It is a block diagram of each table of each device when the outing terminal goes out in mode 3 of the present embodiment. It is explanatory drawing of VPN in a prior art.

  DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention (hereinafter referred to as “embodiments”) will be described with reference to the drawings. In the present embodiment, it is assumed that an IP prefix used in the IP network B is assigned by the IKEv2 from the IP network A side to the IP network B side. Further, the operation of the tunnel terminating device on the IP network B side will be described in three modes (modes 1, 2, and 3). In addition, after describing mode 1, in the description of modes 2 and 3, the description overlapping with that of mode 1 will be omitted as appropriate.

(Mode 1)
In mode 1, the tunnel termination device (3B) in the IP network B operates in the pass-through mode, and notifies the subordinate router (router in the same IP network; the same applies hereinafter) of the peer address. Then, the subordinate router performs route exchange (exchange of route information, the same applies hereinafter) with the tunnel termination device (A) in the IP network A, and updates its own route table so that the outing terminal can go out. Correspond.

  As shown in FIG. 1A, the mode 1 network system S (hereinafter also referred to as “VPN” when functioning as a VPN) of the present embodiment includes an IP network A (first IP network), an IP The network B (second IP network) and the IP network 100 are configured.

  The IP network A includes a terminal 1A, a router 2A, a tunnel termination device 3A (first tunnel termination device), and an authentication server 4A. The IP network B includes a terminal 1B, a router 2B, a tunnel termination device 3B (second tunnel termination device), and an outing terminal 5 (device similar to the terminal 1B). In addition, the IP network 100 includes an access router (AR) 6A to which the tunnel termination device 3A is connected, an access router (AR) 62B to which the tunnel termination device 3B is connected, and an outing terminal 5 that is connected to the destination (external to the IP network B). ) Is connected to the access router (AR) 6C.

  Since FIG. 1A is a schematic diagram, for example, there are usually not a single terminal 1A, a router 2A, a terminal 1B, and a router 2B. In addition, the number of devices and the connection status are not limited to this example. In addition, the outing terminal 5 can be easily carried, such as a notebook computer or a mobile phone.

  All devices in the network system S have communication functions, such as a central processing unit (CPU), a random access memory (RAM), a read only memory (ROM), a hard disk drive (HDD), a communication interface, a communication port, an input port. An output interface, LSI (Large Scale Integration), etc. are provided as appropriate.

  Specifically, as shown in FIGS. 2A and 2B, the tunnel termination device 3 (corresponding to the tunnel termination devices 3A and 3B) includes a communication unit 31 including a communication IP interface and an IPsec interface, a mouse, and a keyboard. , I / O unit 32 composed of an input / output interface, LCD (Liquid Crystal Display), etc., storage unit 33 (first storage unit) composed of RAM, ROM, HDD, etc., and processing unit 34 composed of CPU (first processing) And a second processing unit).

  The storage unit 33 stores an IPsec tunnel route determination table 331 and a route table 332. The processing unit 34 includes a processing unit (other) 341, an IPsec processing unit 342, and an IP processing unit 343.

  With reference to FIG. 2A, processing at the time of normal IP packet transfer (processing other than the processing in the case of FIG. 2B) will be described. When the tunnel terminating device 3 receives the packet (step (1)), the IP processing unit 343 searches the route table 332 for the destination route (step (2)). As a result of the search, when the destination route is a communication IP interface (step (3)), the IP processing unit 343 outputs a packet to the communication IP interface in the communication unit 31 (step (4)).

  Next, referring to FIG. 2B, sending of a packet to the IPsec tunnel will be described. When the tunnel terminating device 3 receives the packet (step (1)), the IP processing unit 343 searches the route table 332 for the destination route (step (2)). As a result of the search, when the destination route is an IPsec interface (step (3)), the IP processing unit 343 takes over the processing to the IPsec processing unit 342 (step (4)). The IPsec processing unit 342 searches the IPsec tunnel route determination table 331 for the destination IPsec tunnel route (step (5)). When the destination IPsec tunnel route is determined (step (6)), the IPsec processing unit 342 performs IPsec tunneling processing (encryption and encapsulation) (step (7)). Thereafter, the IP processing unit 343 that has taken over the processing outputs a packet to the IPsec tunnel in the communication unit 31 (step (8)). In addition, after step (7), the IP processing unit 343 may search the route table 332 again, but the description thereof is omitted.

<Initial connection>
Next, processing of each device at the time of initial connection (IPsec tunnel establishment between IP networks A and B) will be described. For this purpose, first, a table included in each apparatus will be described with reference to FIG. In FIG. 4, “network A” means IP network A, and “network B” means IP network B.

  As shown in FIG. 4, the tunnel terminating device 3A includes a route table 332A and an IPsec tunnel route determination table 331A. In each table, as information for processing received packets for the IP network A → IP network B direction and for the IP network B → IP network A direction, a source address, a destination address, and an operation (processing) Information on the subject to be performed and the packet destination). In FIG. 4, [bbb] indicates an IP prefix assigned to the IP network B. “ANY” indicates that it is arbitrary.

  The tunnel terminating device 3B includes an IPsec tunnel route determination table 331B and a route table 332B. Furthermore, the router 2B has a route table. Similarly, in these tables, a source address, a destination address, and an operation (information on a subject to be processed, a packet destination, etc.) are associated as information for processing a received packet.

  Next, with reference to FIG. 1B, processing of each device at the time of initial connection will be described (refer to other figures as appropriate). In the following description, the operation subject of processing of each device is a processing unit (CPU or the like), but a description to that effect is omitted. In addition, a device that is in the middle of information communication is as illustrated, and the description thereof is omitted as appropriate (in FIG. 3, the description is also omitted as appropriate in the case of “transfer”).

  First, the tunnel termination device 3B activates IKEv2 for the tunnel termination device 3A (step S21).

  During the IKEv2 sequence, the tunnel termination device 3A determines the IP prefix ([bbb]) to be assigned to the IP network B after completing the authentication for the tunnel termination device 3B in cooperation with the authentication server 4A. Then, a peer address for route exchange is determined by combining the IP prefix and a predetermined host address, and these (IP prefix and peer address) are notified to the tunnel terminating device 3B (step S22). Further, when step S22 is completed, an entry as illustrated is set in each table (a table described as “entry generation timing: S22” in FIG. 4).

  Thereafter, the tunnel termination device 3A and the tunnel termination device 3B continue the IKEv2 sequence and establish the IPsec tunnel 10 (first IPsec tunnel) (see FIG. 3A) (step S23).

  Subsequently, the tunnel terminating device 3B notifies the router 2B in the IP network B of the IP prefix using, for example, DHCP (Dynamic Host Configuration Protocol), RA (Router Advertisement), etc., and the notified peer An address is set (step S24). At this point, an entry as shown in FIG. 4 is set in the route table of the router 2B.

  Next, the tunnel terminating device 3B notifies the IP prefix to the terminal 1B and the outing terminal 5 in the IP network B using, for example, DHCP, RA, etc. (step S25).

  Subsequently, the tunnel terminating device 3A advertises the IP prefix assigned to the IP network B to the router 2A, the terminal 1A, and the authentication server 4A in the IP network A as route information (step S26).

  Through the above processing, communication between the terminal 1A and the terminal 1B, and between the terminal 1A and the outing terminal 5 becomes possible via the IPsec tunnel 10 (see FIG. 3A). Note that the communication between the terminal 1B and the outing terminal 5 is performed via the router 2B and does not go through the tunnel termination device 3B or the IPsec tunnel 10. The same applies to communications in the IP network A.

<Outing terminal 5>
Next, with reference to FIG. 3B, processing of each device when the outing terminal goes out (leaves from the IP network B) will be described (refer to other figures as appropriate). FIG. 3A shows a state after step S605. At the time when the processing of FIG. 3B starts, the outing terminal 5 exists in the IP network B, and the IPsec tunnel 11 (Second IPsec tunnel) is not established.

  First, the outing terminal 5 goes out (outside the IP network B) (step S601). The outing terminal 5 that has gone out then connects to the access router 6C on the IP network (not shown in FIG. 3B).

  Next, the outing terminal 5 activates IKEv2 for the tunnel terminating device 3A (requests establishment of an IPsec tunnel via the access router 6C and the access router 6A) (step S602).

  During the IKEv2 sequence, the tunnel terminating device 3A cooperates with the authentication server 4A to finish the authentication of the outing terminal 5 and then, as an IP address to be assigned to the outing terminal 5, the IP prefix of the IP network B and a predetermined host address And the IP address is notified to the outing terminal 5 via the access router 6A and the access router 6C (step S603). Whether to assign an IP prefix or an IP address is based on the assumption that identification is possible based on a user ID (IDentification) or the like used for authentication, and notifies the peer address only when assigning an IP prefix, When assigning an IP address, the peer address is not notified. Here, since an IP address is assigned to the outing terminal 5, the peer address is not notified.

  Next, the tunnel terminating device 3A updates its own IPsec tunnel route determination table 331A so as to send a packet addressed to the outing terminal 5 to the IPsec tunnel 11 (described later) (step S604). The IPsec tunnel route determination table 331A is updated as shown in FIG. Here, [zz] is the host address of the outing terminal 5. That is, for the IP address of the outing terminal 5, the IP prefix is [bbb] and the host address is [zz].

  Thereafter, the outing terminal 5 and the tunnel terminating device 3A continue the IKEv2 sequence and establish the IPsec tunnel 11 (step S605). The tunnel terminating device 3A does not advertise the route to the IP network A because the IP address assigned to the outing terminal 5 includes the IP prefix assigned to the IP network B ([bbb] is common) ( No need to do).

  Next, the tunnel terminating device 3A refers to the IPsec tunnel route determination table 331A (see FIG. 5), and the IPsec tunnel 10 route and the IPsec tunnel 11 route are in an inclusive relationship (the IP prefix is common). After establishing the peer for the peer address (router 2B) that has already been notified to the IP network B, the IP address assigned to the outing terminal 5 via the IPsec tunnel 10 is route information. To the peer (router 2B) (step S606).

  Thereafter, the router 2B that has received the advertisement from the tunnel termination device 3A via the IPsec tunnel 10 receives its own route so as to transfer the packet addressed to the IP address assigned to the outing terminal 5 to the tunnel termination device 3B side. The table is updated (see FIG. 5) (step S607).

  Next, when the terminal 1B transmits to the router 2B a packet addressed to the outing terminal 5 (a packet whose destination IP address is a combination of the IP prefix [bbb] and the host address [zz]), the packet is stored in the table of each device. (See FIG. 5), the terminal arrives at the outing terminal 5 (step S608). In this case, the longest match search (longest match) algorithm is used for the route search. In the longest match search algorithm, when there are a plurality of destination IP address candidates, the longest match (longest) is selected that matches the destination IP address of the received packet. That is, in this case, when the destination IP address candidates are “bbb” and “bbb + zz”, “bbb + zz” is selected.

  Similarly, a packet from the terminal 1A to the out-going terminal 5 arrives at the out-going terminal 5 via the IPsec tunnel 11 by determining the route by the longest match search using the IPsec tunnel route determination table 331A of the tunnel terminating device 3A. (Step S609).

  Thus, when the outing terminal 5 connected to the VPN, the established IPsec tunnel 10 is reset, the reroute advertisement in the IP network A, the IP address is reset in the IP network B, etc. Even if it does not perform, the packet from the terminal 1A and the terminal 1B to the outing terminal 5 can reach the outing terminal 5.

<Return of outing terminal 5>
When the outing terminal 5 returns to the IP network B from the state in which the outing terminal 5 is out (see FIG. 3A), the outing terminal 5 uses the IKEv2 to establish the IPsec tunnel 11 with respect to the tunnel terminating device 3A. Request deletion.

  The tunnel terminating device 3A that has received the request for deleting the IPsec tunnel 11 deletes the IPsec tunnel 11 after performing a route deletion advertisement to the router 2B. As a result, the table of each device is updated (returned) to the state shown in FIG.

  Through these processes, the communication environment in the network system S returns to the state before the outing terminal 5 goes out, and the packets addressed to the outing terminal 5 transmitted from the terminals 1A, 1B, etc. reach the outing terminal 5 normally. Can do.

(Mode 2)
In mode 2, the tunnel termination device 3B in the IP network B operates in the proxy mode. That is, the tunnel termination device 3B performs route exchange with the tunnel termination device A, and sends a proxy ARP (Address Resolution Protocol) / NDP (Neighbor Discovery Protocol) response to the subordinate router (router 2B) with respect to the route information. carry out. Then, the route table on the subordinate router (router 2B) is updated.

  As shown in FIG. 6A, the configuration of the network system S is the same as that in the mode 1 (see FIG. 1A).

<Initial connection>
Next, processing of each device at the time of initial connection (IPsec tunnel establishment between IP networks A and B) will be described. The table of each device is as shown in FIG.

  Next, with reference to FIG. 6B, processing of each device at the time of initial connection will be described (see FIG. 7 and the like as appropriate).

  First, the tunnel termination device 3B activates IKEv2 for the tunnel termination device 3A (step S31).

  During the IKEv2 sequence, the tunnel termination device 3A determines the IP prefix to be assigned to the IP network B after completing the authentication for the tunnel termination device 3B in cooperation with the authentication server 4A. And a predetermined host address are combined to determine a peer address for route exchange, and notify them (IP prefix and peer address) to the tunnel termination device 3B (step S32). Further, when step S32 is completed, an entry as illustrated is set in each table (a table described as “entry generation timing: S32” in FIG. 8).

  Thereafter, the tunnel termination device 3A and the tunnel termination device 3B continue the IKEv2 sequence and establish the IPsec tunnel 10 (similar to the IPsec tunnel 10 in FIG. 3A) (step S33).

  Subsequently, the tunnel termination device 3B notifies the IP prefix to the router 2B, the terminal 1B, and the outing terminal 5 in the IP network B using, for example, DHCP, RA, or the like (step S34). At this time, an entry as shown in FIG. 8 is set in the route table of the router 2B.

  Further, tunnel terminating device 3B sets the peer address notified from tunnel terminating device 3A to itself (step S35).

  Thereafter, the tunnel terminating device 3A advertises the IP prefix assigned to the IP network B as route information to the router 2A, the terminal 1A, and the authentication server 4A in the IP network A (step S36).

  Through the above processing, communication between the terminal 1A and the terminal 1B, and between the terminal 1A and the outing terminal 5 becomes possible via the IPsec tunnel 10. Note that the communication between the terminal 1B and the outing terminal 5 is performed via the router 2B and does not go through the tunnel termination device 3B or the IPsec tunnel 10. The same applies to communications in the IP network A.

<Outing terminal 5>
Next, with reference to FIG. 7, the processing of each device when the outing terminal goes out (leaves from the IP network B) will be described (refer to other figures as appropriate).

  First, the outing terminal 5 goes out (outside the IP network B) (step S701). The outing terminal 5 that has gone out then connects to the access router 6C on the IP network (not shown in FIG. 7).

  Next, the outing terminal 5 activates IKEv2 for the tunnel terminating device 3A (requests establishment of an IPsec tunnel via the access router 6C and the access router 6A) (step S702).

  During the IKEv2 sequence, the tunnel terminating device 3A cooperates with the authentication server 4A to finish the authentication of the outing terminal 5 and then, as an IP address to be assigned to the outing terminal 5, the IP prefix of the IP network B and a predetermined host address Is determined, and the IP address is notified to the outing terminal 5 via the access router 6A and the access router 6C (step S703). Here, it is assumed that the outing terminal 5 is assigned an IP address belonging to the IP prefix assigned to the IP network B.

  The tunnel terminating device 3A updates its own IPsec tunnel route determination table 331A so as to send the packet addressed to the outing terminal 5 to the IPsec tunnel 11 (step S704). At this time, the IPsec tunnel route determination table 331A is updated as shown in FIG.

  Thereafter, the outing terminal 5 and the tunnel terminating device 3A continue the IKEv2 sequence and establish the IPsec tunnel 11 (similar to the IPsec tunnel 11 in FIG. 3A) (step S705). Note that the tunnel terminating device 3A does not advertise (does not need to) the route to the IP network A because the IP address assigned to the outing terminal 5 includes the IP prefix assigned to the IP network B.

  After step S705, the tunnel terminating device 3A refers to the IPsec tunnel route determination table 331A (see FIG. 9), and the IPsec tunnel 10 route and the IPsec tunnel 11 route are in an inclusive relationship (the IP prefix is And the IP address assigned to the outing terminal 5 through the IPsec tunnel 10 after establishing the peer with the peer address (tunnel terminating device 3B) already notified to the IP network B. The address is advertised as route information to the peer (tunnel terminating device 3B) (step S706).

  Next, the tunnel terminating device 3B that has received the route advertisement from the tunnel terminating device 3A via the IPsec tunnel 10 makes a proxy response to the ARP or NDP request relating to the IP packet addressed to the IP address assigned to the outing terminal 5 The operation is started (step S707).

  Thereafter, the router 2B receives a proxy response to the ARP or NDP request, and updates its route table so that the packet addressed to the outing terminal 5 is transferred to the tunnel termination device 3B (see FIG. 9) (step S708).

  Similarly, when the terminal 1B transmits to the router 2B a packet addressed to the outing terminal 5 (a packet whose destination IP address is a combination of the IP prefix [bbb] and the host address [zz]), the packet is transmitted to each device. Based on the entry in the table (see FIG. 9), it arrives at the outing terminal 5 (step S709). The route search uses a longest match search (longest match) algorithm.

  Similarly, a packet from the terminal 1A to the going-out terminal 5 is transferred to the going-out terminal 5 through the IPsec tunnel 11 by determining the route by the longest match search using the IPsec tunnel route determining table 331A of the tunnel terminating device 3A. (Step S710).

  Thus, when the outing terminal 5 connected to the VPN, the established IPsec tunnel 10 is reset, the reroute advertisement in the IP network A, the IP address is reset in the IP network B, etc. Even if it does not perform, the packet from the terminal 1A and the terminal 1B to the outing terminal 5 can reach the outing terminal 5.

<Return of outing terminal 5>
When the outing terminal 5 returns to the IP network B from the state in which the outing terminal 5 is out (the state immediately after step S708 in FIG. 7), the outing terminal 5 uses the IKEv2 to communicate with the tunnel terminating device 3A. Request deletion of the tunnel 11.

  The tunnel terminating device 3A that has received the request for deleting the IPsec tunnel 11 deletes the IPsec tunnel 11 after performing a route deletion advertisement to the router 2B. The tunnel terminating device 3B that has received the route deletion advertisement stops the proxy response to the ARP and NDP requests regarding the outing terminal 5. As a result, each table of each device is updated (returned) to the state shown in FIG.

  Through these processes, the communication environment in the network system S returns to the state before the outing terminal 5 goes out, and the packets addressed to the outing terminal 5 transmitted from the terminals 1A, 1B, etc. reach the outing terminal 5 normally. Can do.

(Mode 3)
In mode 3, the tunnel termination device 3B in the IP network B operates in the route exchange mode. That is, the tunnel terminating device 3B performs route exchange with the tunnel terminating device A and updates its route table.

  As shown in FIG. 10A, the configuration of the network system S is different from that in the mode 1 (see FIG. 1A) in that the router 2B does not exist. This does not mean that there is no router in the IP network B, but means that the presence of the router 2B is unnecessary for the description of mode 3.

<Initial connection>
Next, processing of each device at the time of initial connection (IPsec tunnel establishment between IP networks A and B) will be described. The table which each device has is as shown in FIG.

  Next, with reference to FIG. 10B, processing of each device at the time of initial connection will be described (see FIG. 12 and the like as appropriate).

  First, the tunnel termination device 3B activates IKEv2 for the tunnel termination device 3A (step S41).

  During the IKEv2 sequence, the tunnel termination device 3A determines the IP prefix to be assigned to the IP network B after completing the authentication for the tunnel termination device 3B in cooperation with the authentication server 4A. And a predetermined host address are combined to determine a peer address for route exchange and notify them (IP prefix and peer address) to the tunnel terminating device 3B (step S42). At this time, an entry as shown in FIG. 12 is set in each table of each device.

  Thereafter, the tunnel termination device 3A and the tunnel termination device 3B continue the IKEv2 sequence and establish the IPsec tunnel 10 (similar to the IPsec tunnel 10 in FIG. 3A) (step S43).

  Subsequently, the tunnel termination device 3B notifies the IP prefix to the terminal 1B and the outing terminal 5 in the IP network B using, for example, DHCP, RA, or the like (step S44).

  Further, tunnel terminating device 3B sets the peer address notified from tunnel terminating device 3A to itself (step S45).

  Thereafter, the tunnel terminating device 3A advertises the IP prefix assigned to the IP network B to the router 2A, the terminal 1A, and the authentication server 4A in the IP network A as route information (step S46).

  Through the above processing, communication between the terminal 1A and the terminal 1B, and between the terminal 1A and the outing terminal 5 becomes possible via the IPsec tunnel 10. Note that communication between the terminal 1B and the outing terminal 5 is performed by relaying the tunnel termination device 3B.

<Outing terminal 5>
Next, with reference to FIG. 11, the processing of each device when the outing terminal goes out (leaves from the IP network B) will be described (refer to other figures as appropriate).

  First, the outing terminal 5 goes out (outside the IP network B) (step S801). The outing terminal 5 that has gone out then connects to the access router 6C on the IP network (not shown in FIG. 11).

  Next, the outing terminal 5 activates IKEv2 for the tunnel terminating device 3A (requests establishment of an IPsec tunnel via the access router 6C and the access router 6A) (step S802).

  During the IKEv2 sequence, the tunnel terminating device 3A cooperates with the authentication server 4A to finish the authentication of the outing terminal 5 and then, as an IP address to be assigned to the outing terminal 5, the IP prefix of the IP network B and a predetermined host address And the IP address is notified to the outing terminal 5 via the access router 6A and the access router 6C (step S803). Here, it is assumed that the outing terminal 5 is assigned an IP address belonging to the IP prefix assigned to the IP network B.

  Next, the tunnel terminating device 3A updates its own IPsec tunnel route determination table 331A so as to send a packet addressed to the outing terminal 5 to the IPsec tunnel 11 (step S804). Note that the IPsec tunnel route determination table 331A is updated as shown in FIG.

  Thereafter, the outing terminal 5 and the tunnel terminating device 3A continue the IKEv2 sequence and establish the IPsec tunnel 11 (similar to the IPsec tunnel 11 in FIG. 3A) (step S805). Note that the tunnel terminating device 3A does not advertise (does not need to) the route to the IP network A because the IP address assigned to the outing terminal 5 includes the IP prefix assigned to the IP network B.

  Next, the tunnel terminating device 3A refers to the IPsec tunnel route determination table 331A (see FIG. 13), and the IPsec tunnel 10 route and the IPsec tunnel 11 route are in an inclusive relationship (the IP prefix is common). After establishing the peer for the peer address (tunnel terminating device 3B) that has already been notified to the IP network B, the IP address assigned to the outing terminal 5 is set via the IPsec tunnel 10 The route information is advertised to the peer (tunnel terminating device 3B) (step S806).

  Next, the tunnel termination device 3B that has received the route advertisement from the tunnel termination device 3A via the IPsec tunnel 10 uses its own route so as to process the packet addressed to the outing terminal 5 using the IPsec tunnel route determination table. The table 332B is updated (see FIG. 13) (step S807).

  Thereafter, when the terminal 1B transmits a packet addressed to the going-out terminal 5 (a packet whose destination IP address is a combination of the IP prefix [bbb] and the host address [zz]), the packet is stored in each table entry of each device. Based on this (see FIG. 13), it arrives at the outing terminal 5 (step S808). The route search uses a longest match search (longest match) algorithm.

  Similarly, a packet from the terminal 1A to the going-out terminal 5 is transferred to the going-out terminal 5 through the IPsec tunnel 11 by performing route determination by the longest match search using the IPsec tunnel route determination table 331A of the tunnel terminating device 3A. (Step S809).

  Thus, when the outing terminal 5 connected to the VPN, the established IPsec tunnel 10 is reset, the reroute advertisement in the IP network A, the IP address is reset in the IP network B, etc. Even if it does not perform, the packet from the terminal 1A and the terminal 1B to the outing terminal 5 can reach the outing terminal 5.

<Return of outing terminal 5>
When the outing terminal 5 returns to the IP network B from the state in which the outing terminal 5 is out (the state immediately after step S807 in FIG. 11), the outing terminal 5 uses the IKEv2 to communicate with the tunnel terminating device 3A. Request deletion of the tunnel 11.

  The tunnel terminating device 3A that has received the request for deleting the IPsec tunnel 11 performs a route deletion advertisement to the tunnel terminating device 3B, and then deletes the IPsec tunnel 11. Thereby, the table of each apparatus is updated (returned) to the state of FIG.

  By these processes, the communication environment in the network system S returns to the state before the outing terminal 5 goes out, and packets addressed to the outing terminal 5 transmitted from the terminals 1A, 1B, etc. normally reach the outing terminal 5. Can do.

Although description of this embodiment is finished above, the aspect of the present invention is not limited to these.
For example, the tunnel termination device 3A may have the function of the authentication server 4A.

Also, a plurality of IP prefixes may be given to the IP network A and the IP network B, respectively, and even in this case, the present invention can be similarly applied.
In addition, specific configurations and processes can be appropriately changed without departing from the gist of the present invention.

1A, 1B terminal 2A, 2B router 3, 3A, 3B Tunnel termination device 4A Authentication server 5 Outing terminal 6A, 6B, 6C Access router 31 Communication unit 32 I / O unit 33 Storage unit 34 Processing unit 100, A, B IP network 331, 331A, 331B IPsec tunnel route determination table 332, 332A, 332B route table

Claims (12)

A first IPsec (security that performs dynamic routing based on an IP prefix between a first tunnel termination device in a first IP (Internet Protocol) network and a second tunnel termination device in a second IP network architecture for IP) A network control method in a network system that configures a VPN (Virtual Private Network) by establishing a tunnel,
The first tunnel terminator is
In order to determine the IPsec tunnel to which the received packet is sent, for each IP prefix of the destination IP address of the received packet, information for determining the IPsec tunnel route that stores information indicating the IPsec tunnel to which the received packet is sent A first storage unit for storing, and a first processing unit,
The first processing unit of the first tunnel termination device includes:
When a terminal in the second IP network leaves the second IP network,
In response to a request for establishing an IPsec tunnel from the terminal that has left the network, the terminal that has left the network determines an IP address consisting of an IP prefix of the second IP network and a predetermined host address, and notifies it. Establish a second IPsec tunnel with the disconnected terminal,
To the IPsec tunnel route determination information stored in the first storage unit, information indicating that a packet addressed to the IP address of the detached terminal is sent to the second IPsec tunnel is added.
After that, when a packet addressed to the disconnected terminal is received, the information is sent to the second IPsec tunnel by referring to the information for determining the IPsec tunnel route to which the information has been added and performing a longest match search regarding the destination IP address. To decide
The router in the second IP network is:
Receiving an IP prefix and a peer address of the second IP network from the first tunnel termination device via the second tunnel termination device when the first IPsec tunnel is established; Set the peer address to itself,
When a terminal in the second IP network leaves the second IP network,
The IP address of the detached terminal is received from the first tunnel termination device via the second tunnel termination device, and the packet addressed to the IP address is stored in the first IPsec tunnel in its own storage unit. Memorize the information to send,
Thereafter, when a packet addressed to the detached terminal is received, it is determined that the packet is sent to the first IPsec tunnel by referring to the own storage unit and performing a longest match search regarding a destination IP address. Network control method. When the detached terminal returns to the second IP network,
The first processing unit of the first tunnel termination device deletes the added information from the IPsec tunnel route determination information,
The network control method according to claim 1, wherein a router in the second IP network deletes the stored information from the storage unit of the router. A first IPsec (security that performs dynamic routing based on an IP prefix between a first tunnel termination device in a first IP (Internet Protocol) network and a second tunnel termination device in a second IP network architecture for IP) A network control method in a network system that configures a VPN (Virtual Private Network) by establishing a tunnel,
The first tunnel terminator is
In order to determine the IPsec tunnel to which the received packet is sent, for each IP prefix of the destination IP address of the received packet, information for determining the IPsec tunnel route that stores information indicating the IPsec tunnel to which the received packet is sent A first storage unit for storing, and a first processing unit,
The first processing unit of the first tunnel termination device includes:
When a terminal in the second IP network leaves the second IP network,
In response to a request for establishing an IPsec tunnel from the terminal that has left the network, the terminal that has left the network determines an IP address consisting of an IP prefix of the second IP network and a predetermined host address, and notifies it. Establish a second IPsec tunnel with the disconnected terminal,
To the IPsec tunnel route determination information stored in the first storage unit, information indicating that a packet addressed to the IP address of the detached terminal is sent to the second IPsec tunnel is added.
After that, when a packet addressed to the disconnected terminal is received, the information is sent to the second IPsec tunnel by referring to the information for determining the IPsec tunnel route to which the information has been added and performing a longest match search regarding the destination IP address. To decide
The second tunnel termination device is:
Receiving an IP prefix of the second IP network and a peer address from the first tunnel terminating device when establishing the first IPsec tunnel, and setting the peer address to itself;
When a terminal in the second IP network leaves the second IP network,
The IP address of the detached terminal is received from the first tunnel termination device, and the router addressed to the router in the second IP network stores the packet addressed to the IP address in the first IPsec tunnel. Memorize the information to send,
The router in the second IP network is:
Thereafter, when a packet addressed to the detached terminal is received via a proxy response by the second tunnel terminating device, the first IPsec tunnel is referred to by referring to the storage unit and performing a longest match search for a destination IP address. And determining that the packet is to be sent to the network control method. When the detached terminal returns to the second IP network,
The first processing unit of the first tunnel termination device deletes the added information from the IPsec tunnel route determination information,
The network control method according to claim 3, wherein the router in the second IP network deletes the stored information from the storage unit via a proxy response by the second tunnel termination device. . A first IPsec (security that performs dynamic routing based on an IP prefix between a first tunnel termination device in a first IP (Internet Protocol) network and a second tunnel termination device in a second IP network architecture for IP) A network control method in a network system that configures a VPN (Virtual Private Network) by establishing a tunnel,
The first tunnel terminator is
In order to determine the IPsec tunnel to which the received packet is sent, for each IP prefix of the destination IP address of the received packet, information for determining the IPsec tunnel route that stores information indicating the IPsec tunnel to which the received packet is sent A first storage unit for storing, and a first processing unit,
The first processing unit of the first tunnel termination device includes:
When a terminal in the second IP network leaves the second IP network,
In response to a request for establishing an IPsec tunnel from the terminal that has left the network, the terminal that has left the network determines an IP address consisting of an IP prefix of the second IP network and a predetermined host address, and notifies it. Establish a second IPsec tunnel with the disconnected terminal,
To the IPsec tunnel route determination information stored in the first storage unit, information indicating that a packet addressed to the IP address of the detached terminal is sent to the second IPsec tunnel is added.
After that, when a packet addressed to the disconnected terminal is received, the information is sent to the second IPsec tunnel by referring to the information for determining the IPsec tunnel route to which the information has been added and performing a longest match search regarding the destination IP address. To decide
The second tunnel termination device is:
Receiving an IP prefix of the second IP network and a peer address from the first tunnel terminating device when establishing the first IPsec tunnel, and setting the peer address to itself;
When a terminal in the second IP network leaves the second IP network,
Receiving the IP address of the detached terminal from the first tunnel termination device, and storing in its own storage unit information indicating that the packet addressed to the IP address is sent to the first IPsec tunnel;
Thereafter, when a packet addressed to the detached terminal is received, it is determined that the packet is sent to the first IPsec tunnel by referring to the own storage unit and performing a longest match search regarding a destination IP address. Network control method. When the detached terminal returns to the second IP network,
The first processing unit of the first tunnel termination device deletes the added information from the IPsec tunnel route determination information,
The network control method according to claim 5, wherein the second tunnel termination device deletes the stored information from the storage unit of the second tunnel termination device. A first IPsec (security that performs dynamic routing based on an IP prefix between a first tunnel termination device in a first IP (Internet Protocol) network and a second tunnel termination device in a second IP network architecture for IP) A network system that configures a VPN (Virtual Private Network) by establishing a tunnel,
The first tunnel terminator is
In order to determine the IPsec tunnel to which the received packet is sent, for each IP prefix of the destination IP address of the received packet, information for determining the IPsec tunnel route that stores information indicating the IPsec tunnel to which the received packet is sent A first storage unit for storing;
When a terminal in the second IP network leaves the second IP network,
In response to a request for establishing an IPsec tunnel from the terminal that has left the network, the terminal that has left the network determines an IP address consisting of an IP prefix of the second IP network and a predetermined host address, and notifies it. Establish a second IPsec tunnel with the disconnected terminal,
To the IPsec tunnel route determination information stored in the first storage unit, information indicating that a packet addressed to the IP address of the detached terminal is sent to the second IPsec tunnel is added.
After that, when a packet addressed to the disconnected terminal is received, the information is sent to the second IPsec tunnel by referring to the information for determining the IPsec tunnel route to which the information has been added and performing a longest match search regarding the destination IP address. A first processing unit for determining that,
The network system includes:
Receiving an IP prefix and a peer address of the second IP network from the first tunnel termination device via the second tunnel termination device when the first IPsec tunnel is established; Set the peer address to itself,
When a terminal in the second IP network leaves the second IP network,
The IP address of the detached terminal is received from the first tunnel termination device via the second tunnel termination device, and the packet addressed to the IP address is stored in the first IPsec tunnel in its own storage unit. Memorize the information to send,
After that, when a packet addressed to the detached terminal is received, a decision is made to refer to its own storage unit and to send the packet to the first IPsec tunnel by a longest match search for the destination IP address. A network system comprising a router in an IP network. When the detached terminal returns to the second IP network,
The first processing unit of the first tunnel termination device deletes the added information from the IPsec tunnel route determination information,
The network system according to claim 7, wherein a router in the second IP network deletes the stored information from the storage unit of the second IP network. A first IPsec (security that performs dynamic routing based on an IP prefix between a first tunnel termination device in a first IP (Internet Protocol) network and a second tunnel termination device in a second IP network architecture for IP) A network system that configures a VPN (Virtual Private Network) by establishing a tunnel,
The first tunnel terminator is
In order to determine the IPsec tunnel to which the received packet is sent, for each IP prefix of the destination IP address of the received packet, information for determining the IPsec tunnel route that stores information indicating the IPsec tunnel to which the received packet is sent A first storage unit for storing;
When a terminal in the second IP network leaves the second IP network,
In response to a request for establishing an IPsec tunnel from the terminal that has left the network, the terminal that has left the network determines an IP address consisting of an IP prefix of the second IP network and a predetermined host address, and notifies it. Establish a second IPsec tunnel with the disconnected terminal,
To the IPsec tunnel route determination information stored in the first storage unit, information indicating that a packet addressed to the IP address of the detached terminal is sent to the second IPsec tunnel is added.
After that, when a packet addressed to the disconnected terminal is received, the information is sent to the second IPsec tunnel by referring to the information for determining the IPsec tunnel route to which the information has been added and performing a longest match search regarding the destination IP address. A first processing unit for determining that,
The second tunnel termination device is:
Receiving an IP prefix of the second IP network and a peer address from the first tunnel terminating device when establishing the first IPsec tunnel, and setting the peer address to itself;
When a terminal in the second IP network leaves the second IP network,
The IP address of the detached terminal is received from the first tunnel termination device, and the router addressed to the router in the second IP network stores the packet addressed to the IP address in the first IPsec tunnel. A second processing unit for storing information to send in,
The network system includes:
When a packet addressed to the detached terminal is received via a proxy response by the second tunnel termination device, the storage unit is referred to and the first IPsec tunnel is associated with the longest match search for the destination IP address. A network system comprising a router in a second IP network that decides to send a packet. When the detached terminal returns to the second IP network,
The first processing unit of the first tunnel termination device deletes the added information from the IPsec tunnel route determination information,
The network system according to claim 9, wherein the router in the second IP network deletes the stored information from the storage unit through a proxy response by the second tunnel termination device. A first IPsec (security that performs dynamic routing based on an IP prefix between a first tunnel termination device in a first IP (Internet Protocol) network and a second tunnel termination device in a second IP network architecture for IP) A network system that configures a VPN (Virtual Private Network) by establishing a tunnel,
The first tunnel terminator is
In order to determine the IPsec tunnel to which the received packet is sent, for each IP prefix of the destination IP address of the received packet, information for determining the IPsec tunnel route that stores information indicating the IPsec tunnel to which the received packet is sent A first storage unit for storing;
When a terminal in the second IP network leaves the second IP network,
In response to a request for establishing an IPsec tunnel from the terminal that has left the network, the terminal that has left the network determines an IP address consisting of an IP prefix of the second IP network and a predetermined host address, and notifies it. Establish a second IPsec tunnel with the disconnected terminal,
To the IPsec tunnel route determination information stored in the first storage unit, information indicating that a packet addressed to the IP address of the detached terminal is sent to the second IPsec tunnel is added.
After that, when a packet addressed to the disconnected terminal is received, the information is sent to the second IPsec tunnel by referring to the information for determining the IPsec tunnel route to which the information has been added and performing a longest match search regarding the destination IP address. A first processing unit for determining that,
The second tunnel termination device is:
Receiving an IP prefix of the second IP network and a peer address from the first tunnel terminating device when establishing the first IPsec tunnel, and setting the peer address to itself;
When a terminal in the second IP network leaves the second IP network,
Receiving the IP address of the detached terminal from the first tunnel termination device, and storing in its own storage unit information indicating that the packet addressed to the IP address is sent to the first IPsec tunnel;
After that, when a packet addressed to the detached terminal is received, a decision is made to refer to its own storage unit and to send the packet to the first IPsec tunnel by a longest match search for the destination IP address. A network system comprising a processing unit. When the detached terminal returns to the second IP network,
The first processing unit of the first tunnel termination device deletes the added information from the IPsec tunnel route determination information,
The network system according to claim 11, wherein the second processing unit of the second tunnel termination device deletes the stored information from the storage unit of the second tunnel termination device.

Images