TW201136264A - Maintaining persistent connection with user level transmission control protocol - Google Patents


Info

Publication number
TW201136264A
Authority
TW
Taiwan
Prior art keywords
host
mobile host
module
address
tcp
Application number
TW099125170A
Other languages
Chinese (zh)
Inventor
de-kai Li
ming-quan Wu
Hang Liu
Saurabh Mathur
Original Assignee
Thomson Licensing
Application filed by Thomson Licensing
Publication of TW201136264A


Classifications

    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; in-band control procedures
    • H04W 76/25 Maintenance of established connections
    • H04W 8/26 Network addressing or numbering for mobility support
    • H04W 80/06 Transport layer protocols, e.g. TCP [Transport Control Protocol] over wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method is described including determining if a mobile host has moved, updating a domain name server with a current network address of the mobile host responsive to the determination, determining if a corresponding mobile host has moved and querying the domain name server responsive to the second determination. Also described is an apparatus including a key exchange module, a mobility module, a communications module and a controller module.

Description

Technical field

The present invention relates to mobile communications and, in particular, to maintaining a persistent connection while a host moves.

Prior art

In multicast and/or broadcast applications, data is transmitted from a server to multiple receivers over wired and/or wireless networks. A multicast system, as used herein, is a system in which a server transmits the same data simultaneously to multiple receivers, where those receivers form a subset of all receivers that may include all of them. A broadcast system is one in which a server transmits the same data simultaneously to all receivers. By definition, then, a multicast system can include a broadcast system.

There are many existing solutions to the mobility problem. Mobile Internet Protocol (Mobile IP) is the standard way of achieving seamless mobility without changing the transport or application layer. However, Mobile IP requires two addresses, one for the mobile device and one for a home agent, a computer that forwards packets between the mobile domain and the final destination. Its triangular routing is inefficient: instead of sending packets directly to the destination, packets are sent to the home agent, which then forwards them to the destination. Deployment is also a problem, because the home agent must forward packets and operate securely, which adds complexity. IPv6 has better support for mobility but is not widely deployed. Moreover, IPv6 only supports applications that use IPv6 exclusively; it does not support mobility from IPv6 to IPv4, i.e. it is not backward compatible.

TCP Migrate is a transport-layer solution to the mobility problem. However, it requires changes to the protocol stack, which makes it hard to deploy. There are also session-layer solutions that add another layer between the application layer and the transport layer; these increase the complexity of the whole system and therefore require more system resources.

Summary of the invention

The need to communicate anytime, anywhere has driven the development of various networks (for example Ethernet, 3G, WiFi, WiMAX, Bluetooth and GPRS) and of many types of portable/mobile devices. These developments let users roam freely without losing network access.

Modern mobile (portable) devices are usually equipped with multiple interfaces for multiple networks. For example, a user may use a smartphone to access 3G while on the road, and the same user may use WiFi in his or her office. When a wireless network is used, intermittent loss of connectivity is common: in a long tunnel, crossing a long bridge or entering a building, a user may lose the signal and regain connectivity shortly afterwards. If the disconnection lasts long enough, a new address may be assigned.

Whether the system stays connected or goes through suspend and resume, the development of virtualization technology makes it possible to migrate a running virtual machine from one physical location to another. Even though the virtual machine has only a virtual interface, after migration it may connect to the outside network through a different physical interface, so the virtual machine's physical address also changes.

In all of these cases, mobility means a change of network attachment point, or a short disconnection, and therefore the loss of previously established connections. Although a user can roam freely and has access to the Internet, once a connection is made the user is wirelessly tethered to the associated network until the connection terminates (or is terminated).

In addition, many users suspend a running system and later resume it, and as virtual machine technology becomes more common this practice will become more popular. But the connection-oriented transport protocols widely used today do not support this operation: after resume, all previously established connections are lost.

With all these technologies available, users expect a smooth network experience; however, there is no system support for such services. Current applications must find their own ad-hoc solutions.

A method is described that includes determining whether a mobile host has moved; updating a domain name server with the mobile host's current network address in response to that determination; determining whether a corresponding mobile host has moved; and querying the domain name server in response to the second determination. An apparatus is also described that includes a key exchange module, a mobility module, a communications module and a controller module.

Embodiments

Instead of changing standards and waiting for widespread deployment, the present invention uses a user-level, modified TCP to maintain persistent connections, supporting mobility across different networks and transparently handling system suspend and resume. An application can use it as an integrated module that handles timing, packet transmission and reception, and so on. It is also possible to run the user-level TCP as a dedicated process, similar to the micro-kernel approach. Compared with previous approaches, the present invention has the following advantages:

• It is independent of the network-layer protocol, so the method can migrate smoothly between different network protocols (for example from IPv4 to IPv6) or be used on top of an existing protocol (for example UDP).
• It is an end-to-end solution; no network support is needed.
• Only slight modifications are needed to apply it. Existing protocols are used unmodified and no new protocol needs to be deployed, so it is easier to deploy. In addition, a proxy application can use the method to support legacy applications, so that legacy applications can remain unchanged.
• It is based on the well-defined TCP standard, so existing implementations that are widely tested and mature can be reused. Application-layer protocols such as HTTP and SMTP can use the method directly to obtain the same reliability as TCP.
• Many problems are already solved by a standard implementation, for example reliable delivery, congestion control, flow control and round-trip time estimation.

Because the method is integrated into an application, it does not affect the security of other applications.

Using user-level TCP to maintain a persistent connection

Normally a TCP connection is identified by a tuple: <source IP address, source port, destination IP address, destination port>. When an address changes, the existing connection is broken.

In the present invention, a dynamic domain name is used as a level of indirection. Indirection here means that a domain name, rather than an IP address, is used to identify the corresponding mobile host, because the domain name stays the same while the IP address can change; this separates the lifetime of a connection from the period during which a particular network address is held. The location service is provided by a dynamic domain name server (DDNS). A corresponding mobile host is a mobile device remote from the mobile host. Both the mobile host and the corresponding mobile host have the same functions and capabilities, and both can move. At any point in time a mobile host and a corresponding mobile host may swap roles.

As used herein, a mobile host includes mobile devices, mobile terminal devices, peers, clients, client devices, nodes, stations, mobile stations, laptop computers, phones and smartphones in wireless network mode. Any of these mobile devices may be virtualized.

When a mobile host changes its network address, it securely updates the dynamic name server with its new address. The mobile host then starts using the new network address to send packets to the corresponding mobile host. The corresponding mobile host is any other mobile device communicating with the original mobile host. The mobile host or the corresponding mobile host can transmit and/or receive at any point in time; that is, each of them may be a transceiver. When the corresponding mobile host receives the transmitted packets, it notices that the source address in the received packets has changed, and it then uses the new address to transmit reply packets. From the application's point of view, therefore, the user-level TCP connection stays connected even though the mobile host's network address has changed. When the connection is restored (recovering from an interruption or a suspend), the network conditions may be different, so the user-level TCP should restart the congestion control procedure, for example from slow start, rather than reuse the previous congestion control state.

If the disconnection lasts long enough, the corresponding mobile host may have timed out before the mobile host obtains a new address and starts sending packets to it. In that case, after a configurable number of retries, the corresponding mobile host also queries the domain name server for the mobile host's current address. If there is an update, the new address is used; otherwise a timer is used to query for the new address periodically.

Another possibility is that, after the mobile host moves, the corresponding mobile host receives an Internet Control Message Protocol (ICMP) destination unreachable or protocol unreachable message. The corresponding mobile host then knows that the mobile host is in the process of obtaining a new address, and sets a timer to query the domain name server periodically for the mobile host's new address.

Yet another possibility is that the disconnected mobile host's old address is assigned to another mobile host before the disconnected host obtains a new address. In that case, depending on the implementation, the corresponding mobile host may or may not receive a notification message in response to the packets it has sent. For example, if UDP is used as the underlying protocol, an ICMP port unreachable message is returned (if no application is listening on that port); the corresponding mobile host may also receive a TCP reset. In all of these cases the corresponding mobile host can ignore such messages and periodically query the domain name server for the mobile host's new address.

If user-level TCP is used on top of UDP, the method binds only a local port and does not bind the remote address and port. In socket programming, "binding a port" means telling the system to receive the packets addressed to that port, and binding an address means receiving only packets destined for that address (so packets sent to a new address would not be received). Leaving the remote side unbound means that, after a move, a peer can still receive packets from the corresponding mobile host node that now has a new address. If both IPv4 and IPv6 are used, each communicating party (for example, a host) uses two UDP sockets to receive packets over the IPv4 network and the IPv6 network.

When a burst of packets is sent by any host, the sending host's local buffer may fill up so that some packets cannot be queued. In that case the TCP starts congestion control. For example, if UDP is used as the underlying protocol and a synchronous (blocking) socket is used, the send operation returns once the packet has been placed in the queue. If asynchronous socket operations are used (a non-blocking socket or the MSG_DONTWAIT flag) and no buffer is available, the return value is EAGAIN or EWOULDBLOCK.

To obtain timely address updates, the domain name server does not allow DNS caching of the mobile host's record (its IP address to domain name mapping).
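The retry-then-re-resolve behaviour just described (the corresponding host times out or gets an ICMP unreachable, ignores it, and asks the dynamic DNS for the peer's current address) is simulated below. This is an added example written for this page, not code from the patent or from Thomson Licensing; the host names, addresses, retry limit and connection identifier are constructed, and the in-memory DynamicDNS and Network classes stand in for a real DDNS server and the real network.

```python
from typing import Dict, List


class DynamicDNS:
    """Name -> current address. Served uncached (TTL 0), as the text requires."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def update(self, name: str, addr: str) -> None:
        self._records[name] = addr

    def resolve(self, name: str) -> str:
        return self._records[name]


class Network:
    """Tracks which host currently holds each address (constructed topology)."""

    def __init__(self) -> None:
        self.live: Dict[str, str] = {}  # addr -> name of the host holding it

    def deliver(self, addr: str, expected_owner: str) -> str:
        """'ok' if expected_owner still holds addr, 'timeout' if nobody does,
        'icmp_unreachable' if addr has been reassigned to a different host."""
        owner = self.live.get(addr)
        if owner == expected_owner:
            return "ok"
        return "timeout" if owner is None else "icmp_unreachable"


class MobileHost:
    def __init__(self, name: str, addr: str, dns: DynamicDNS, net: Network) -> None:
        self.name, self.addr, self.dns, self.net = name, addr, dns, net
        self.register()

    def register(self) -> None:
        self.net.live[self.addr] = self.name
        self.dns.update(self.name, self.addr)

    def move_to(self, new_addr: str) -> None:
        """Local mobility check (blocks 520/525): address changed -> update DDNS (530)."""
        if new_addr == self.addr:
            return
        self.net.live.pop(self.addr, None)
        self.addr = new_addr
        self.register()

    def disconnect(self) -> None:
        """Signal lost (tunnel, bridge): the old address is gone, no new one yet."""
        self.net.live.pop(self.addr, None)


class CorrespondingHost:
    def __init__(self, peer: MobileHost, max_retries: int = 3) -> None:
        self.dns, self.net = peer.dns, peer.net
        self.peer_name, self.peer_addr = peer.name, peer.addr
        self.max_retries = max_retries
        self.conn_id = 0x5A17C0DE  # constructed; identifies the connection across moves
        self.log: List[str] = []

    def send(self, payload: bytes) -> str:
        """Returns the address the payload was delivered to, or '' if still unreachable."""
        for attempt in range(self.max_retries + 1):
            result = self.net.deliver(self.peer_addr, self.peer_name)
            self.log.append(f"attempt {attempt} -> {self.peer_addr}: {result}")
            if result == "ok":
                return self.peer_addr
            if result == "icmp_unreachable":
                break  # old address reused by another host: ignore it, go to DNS now
        # Peer mobility check (535/540): re-resolve the peer's name (545).
        fresh = self.dns.resolve(self.peer_name)
        if fresh == self.peer_addr:
            self.log.append("no DDNS update yet; arm timer and poll again later")
            return ""
        self.log.append(f"peer moved to {fresh}; connection {self.conn_id:#x} continues")
        self.peer_addr = fresh
        return self.send(payload)


def scenario_roam() -> str:
    """3G -> WiFi move: peer times out, re-resolves, continues on the new address."""
    dns, net = DynamicDNS(), Network()
    mobile = MobileHost("mh.example.test", "10.0.3.7", dns, net)
    peer = CorrespondingHost(mobile)
    peer.send(b"hello")                 # delivered on the 3G address
    mobile.move_to("192.0.2.44")        # mobile host now on WiFi, updates DDNS
    return peer.send(b"hello again")


def scenario_address_reused() -> str:
    """Old address handed to another host: ICMP unreachable is ignored, DDNS consulted."""
    dns, net = DynamicDNS(), Network()
    mobile = MobileHost("mh.example.test", "10.0.3.7", dns, net)
    peer = CorrespondingHost(mobile)
    mobile.move_to("192.0.2.44")
    MobileHost("other.example.test", "10.0.3.7", dns, net)  # takes over the old address
    return peer.send(b"data")


def scenario_still_in_tunnel() -> str:
    """Signal lost, no new address yet: peer falls back to periodic DDNS polling."""
    dns, net = DynamicDNS(), Network()
    mobile = MobileHost("mh.example.test", "10.0.3.7", dns, net)
    peer = CorrespondingHost(mobile)
    mobile.disconnect()
    return peer.send(b"data")
```

The three scenarios cover the three cases in the text: plain timeout after a move, the old address reassigned to a different host (which the corresponding host treats as a cue to re-resolve immediately rather than as an error), and a peer that is still disconnected, where the only correct action is to keep the connection state and poll the DDNS again later.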
In Figure 1A, a dynamic name server is connected through a backbone network to both a 3G network and a WiFi network. The mobile host starts a connection to host A in the 3G network, and the mobile host then moves, migrating the connection to the WiFi network.

In Figure 1B, after obtaining a new address in the WiFi network, the mobile host updates the dynamic name server with its new address. Host A notices the address change and starts using the mobile host's new address to send packets to the mobile host over the same connection that was established in Figure 1A. Even though the physical address is different, it is the same connection, because host A still has an established session with the mobile host. Although host A is shown directly connected to the backbone network, host A may also be connected through an access network, and host A may itself move just like the mobile host.

In Figure 2A, a virtual machine running in host B establishes a connection with host A. The virtual machine then moves from host B to host C.

In Figure 2B, after moving from host B to host C, the virtual machine updates the dynamic domain name server with its new address. Host A notices the address change and starts using the new address to send packets to the virtual machine over the same connection that was established in Figure 2A. Even though the physical address is different, it is the same connection, because host A still has an established session with the virtual machine.

Figure 3 shows user-level TCP running directly on top of the kernel's network layer. For example, the kernel can pass raw IP packets to the user-level TCP, and the user-level TCP sends raw IP packets. In this case the protocol type field in the IP packet header may be a new type. If the protocol type field remains TCP, it must be possible to distinguish conventional TCP packets from user-level TCP packets unambiguously; one solution is to share the port number space with conventional TCP and pass user-level TCP packets directly to the user-level TCP.

Figure 4 shows user-level TCP on top of UDP. In this case user-level TCP packets are sent and received via a UDP socket. Because a UDP header is present in each packet, the UDP header length must be taken into account when computing the space available for a TCP packet: if the original maximum segment size is MSS, the new size is MSS − 8, since the UDP header is 8 bytes long.

Securely migrating a connection

By breaking the binding between a TCP connection's endpoints and network addresses, a connection can survive a change of network address. However, an attacker could "hijack" a connection by first eavesdropping on the traffic of an existing connection and then using a new address to take over the connection. To update the endpoints of an existing connection securely, the method of the present invention uses an approach based on a shared secret key to guard against such attacks.

The key is exchanged at the start of a connection, before any data is exchanged. It is assumed that the two communicating mobile hosts do not change network address during the key exchange phase. Three possible ways of exchanging the key securely are:

1. Using the start of the TCP connection, the key exchange can follow the steps of TLS (Transport Layer Security).
2. Using elliptic-curve Diffie-Hellman (ECDH) carried in TCP options at the user level.

息、ICMP槔不可達訊息等)之重新傳輸逾時或接收而執 行。當該行動主機嘗試將資料發送至不再使用(不再存在) 之一相應行動主機之一位址時, 右+使用§亥舊位址,則該 行動主機將逾時。甚番# 重新使用S亥舊位址(已藉由DNS而重 新指派至另一行動φ,日I丨·^ / 機)則该行動主機將接收一 ICMP訊 息。在540執行一測試判 J疋I』級者之相應及原始位址是 否已改變。若同級者之4腌 相應及原始行動主機位址已改變, 則在5 4 5查詢发夕ίίί· > u m '、, 用;隨後的通信。網域名稱伺服 I49606.doc -14- 201136264 咨具有一固定的位址且記錄主嬙夕 球王機之*刖ip位址。若該同級 者(相應及原始仃動主機)之位址未改變,則處理前進至 51若該行動ϋ件或虛擬機器尚未移動,則處理前進至 535 〇 可進#最佳化此方法。若不使用訊息鑑認碼或加密, 貝L而密鑰乂換步驟。當存在多重會期時,當該行動主機 移動時僅需更新網域名稱舰器—次。類似地,當相應主 機_存在與此主機之多重會期時,則僅需向該網域名 稱伺服斋查詢其新位址—次且將該新位址用於所有此等會 期。 總和檢查碼(Checksum)計算 為了阻止一主機接收由於路由錯誤或資料毁損所引起的 ’”、用封包,傳統的TCP總和檢查碣計算不僅僅包含TCP標 頭及有效負載’亦包含一偽標頭,偽標頭包含源IP位址、 目的地IP位址、封包長度及協定類型。一例示性偽標頭係 顯示於圖7中。 若°亥行動主機移動且其網路位址改變,則發送至相應主 機之封包包含一不同的源位址,且因此必須在以每一封包 為基礎之上建構該偽標頭以通過總和檢查碼測試(檢查、 判定)。然而,可能當一行動主機移動且獲得一新位址 時,發送至舊行動主機位址之封包(具有相同的位址)亦可 此通過總和檢查碼驗證。接著至使用者層級TCp以確認所 接收封包之有效性。 藉由區隔TCP連接與網路位址,在總和檢查碼計算中可 s 149606.doc -15- 201136264 能不包含ip位址,但使用連接ID作為端對端識別且用於總 和檢查碼計算。若MAC涵蓋整個封包,則無需執行習知總 和檢查碼驗證。類似地,若使用1/〇1>且UDp總和檢查碼功 能係可用的,則無需使用者層級TCP總和檢查碼。 應用崩潰偵測 可食b應用在一連接中間崩潰。在未通知相對端之情況 下,相應主機將繼續等待,假設另一方(行動主機)已移 動此導致等待方之本端資源消耗。在未適當處理的情況 下,無法釋放該資源直至一系統重新啟動為止。 使用回應一名稱查詢及最後更新時間之一延伸式DDNS 伺服器。即,該延伸式1)1)1^8伺服器不僅僅以網路位址作 出回應。探測方、未崩潰方(主機)保存另一(崩潰)方之(行 動主機)網路位址及最後的更新時間戳記的複本。若更新 忒網路位址且探測方未接收其所期望的訊息,則可假設另 方朋潰且可隨後重新啟動該行動主機。例如,當另一行 動主機重新啟動及用其新網路位址更新時,發送方 (未朋項仃動主機)可獲得一 UDP埠不可達訊息或ICMP協定 不可達訊息且因此釋放本端資源。 然而,存在各主機(相應行動主機或行動主機)崩潰且保 持無用山達很長一段時間之可能性。在此情況下,另一通信 方(未朋 >貝仃動主機)不知道何時釋放本端資源。為了解決 此問題,指定使孤立連接逾時之—最大持續時間。 實例應用程式:Telnet(遠端登錄) 為了說明本發明之該方法如何可用以支援行動性’一 149606.doc 201136264Heilman; ECDH) uses the TCP option at the user level. 3. Use a secure connection to exchange (several) keys. For example, SSL (secure communication end layer) or TLS (transport layer security) can be used to securely exchange shared secrets. Subsequent calls are protected after the two pass 4 mobile hosts agree to the shared key. Therefore, the authenticity and security of the communication can be protected. Figure 6 illustrates a packet format when UDP is used as the underlying protocol. 
At the most significant positions on the left, an Ip layer protocol header (ιρν4 or 6) is followed by a UDP header. If multiple connections use the same UDp 149606.doc 201136264 communication end, the connection ID is used to identify a particular connection. This connection ID is similar to the concept of a session ID. There are two main differences: 1. The connection ID is below the TCP layer and maintains the same TCP connection, but the session ID is above the TCP layer and maintains the same duration of possible multiple TCP connections. 2. The connection ID is transmitted with each packet, and the session ID is used for the local end and is not transmitted. A message authentication code (MAC) is then used to ensure the authenticity of the packet. The user level TCP header and payload are at the end of the packet. Even after the network address is changed, the connection ID still uniquely identifies one of the connections to randomly select the number. The connection ID is selected at the beginning of a connection and should not conflict with other connections used by both mobile hosts. The connection ID re-uses the UDP header or the user-level TCP header number, in which case the MAC immediately follows the UDP header. If you do not use the user-level TCP port number, you can also delete it to reduce the total header size. The MAC is the hash value of all or part of the packet. Although SHA1 is used herein as an exemplary embodiment, other hashing algorithms such as MD5, SHA1, etc. are also possible. If it is desired to only guard against routing errors or header corruption, the MAC may be calculated based on the information in the user-level TCP header: MAC = SHA 1 (key, tcp_header, length) To ensure the authenticity of the entire packet, It is possible to estimate (determine, calculate) the hash containing the payload: MAC = SHA1 (key, tcp_header, length, packet_payload) 149606.doc -12· 201136264 However, the content of confidentiality. 
The message is still transmitted using plain text. The packet payload may be first encrypted in order to ensure the content of the packet and the encrypted encrypted_pay_load=encrypt(key, packet_payl〇ad) MAC=SHA1(key, tcp_header, length, encrypted_pay_l〇ad) may be transmitted when the encrypted packet is received When the packet is encapsulated, the receiver (the mobile master or the corresponding mobile host) first confirms the integrity of the packet by calculating the miscellaneous_. If the hash is correct, the receiver decrypts the packet to obtain the original inner = (payload). Another - not necessarily but possible attack is waiting for the serial number to wrap around and execute - replay attack. In a replay attack, the attacking host listens for all traffic and replays (retransmits) the previous traffic to interfere with a new communication connection. In this case, the TCP TIMESTAMp option for each packet can be used, so that the possibility that the two packets share the same header is almost paralyzed. If you don't need security, you can delete the mac. Figure 5 is a flow diagram of one such method of the present invention for solving mobility problems using user level TCP. Figure 5 shows a flow chart of both parties (both host: the mobile host and the corresponding mobile host), as both parties are mobile. In processing block 505 "Key Exchange", the communication host exchanges the common key that is subsequently used for secure mobility. This procedure can be performed during connection establishment (for example) via the TCP option in the TCP SYN section. This program can also be executed after the three-way signal exchange has been completed but the data exchange has not started. In processing block 5 10 "Send/Receive Data", the communication host exchanges data. An exemplary embodiment of the packet format is illustrated in Figure 6 of the above description. 
At 515, a test is performed to determine whether the communication has ended (completed). If the communication has completed, control passes to the termination block "End" and processing terminates. If the communication has not completed, control passes to processing block 520 "Local Mobility Check". The local mobility check (test, decision) can be performed by comparing the current network address of the mobile host (e.g., the IP address) with the network address previously used by the mobile host. In the case of a suspended virtual machine, the same address may also be assigned to the resumed virtual machine so that the address remains unchanged. At 525, a test (check, decision) is performed to determine whether the mobile device or virtual machine has moved. If the mobile device or virtual machine has moved, the domain name server is updated with the current address at 530. In processing block 535 "Peer Mobility Check" it is checked (determined) whether the corresponding party (corresponding mobile host) has a changed address. The corresponding mobile host can also move and thereby change its address. If the corresponding mobile host (the remote mobile host, the remote peer) moves and obtains a new address, its old address may no longer be in use, or may have been taken over by another mobile host. The peer mobility check can be performed by a retransmission timeout or by reception of a specific message (for example, an ICMP host unreachable message, an ICMP unreachable message, etc.). When the mobile host attempts to send data to an old address of the corresponding mobile host that is no longer in use (no longer exists), the mobile host will time out. If the old address has been reassigned to another mobile host or virtual machine, the mobile host will instead receive an ICMP message.

At 540, a test is performed to determine whether the address of the corresponding mobile host has changed. If the address of the corresponding mobile host has changed, then at 545 the domain name server is queried for the current IP address of the corresponding mobile host; the domain name server has a fixed address and records the current IP address of the host. If the address of the peer (corresponding mobile host) has not changed, the process proceeds to 510. If the mobile device or virtual machine has not moved, the process proceeds to 535. If neither the message authentication code nor encryption is used, the key exchange can be omitted. When there are multiple sessions, the domain name server need only be updated once when the mobile host moves. Similarly, when the corresponding host has multiple sessions with this host, the domain name server need only be queried once for its new address, and the new address is then used for all such sessions.

Checksum calculation

In order to prevent a host from accepting a packet delivered to it by a routing error or corrupted in transit, the traditional TCP checksum calculation covers not only the TCP header and the payload but also a pseudo-header. The pseudo-header includes a source IP address, a destination IP address, a packet length, and a protocol type. An exemplary pseudo-header is shown in Figure 7. If the mobile host moves and its network address changes, the packets sent to the corresponding host carry a different source address, and therefore the pseudo-header must be constructed on a per-packet basis in order to pass the checksum test (check, determination). However, when a mobile host moves and obtains a new address, a packet sent to the old mobile host address (to whatever host now has that address) may also pass the checksum. User-level TCP is then relied on to confirm the validity of the received packet.

Because the TCP connection is decoupled from the network address, the checksum calculation need not include the IP address; instead, the connection ID is used as the end-to-end identifier and is included in the checksum calculation. If the MAC covers the entire packet, there is no need to perform the conventional checksum verification. Similarly, if UDP is used and the UDP checksum function is available, the user-level TCP checksum is not required.

Application crash detection

An application may crash in the middle of a connection. If the peer is not notified, the corresponding host will continue to wait, assuming that the other party (the mobile host) has moved, which consumes the waiting party's local resources. If this is not handled properly, those resources cannot be released until the system is restarted. To detect this, the DDNS server is extended with a name query that also returns the last update time; that is, the extended DDNS server responds not only with the network address. The probing, non-crashed party (host) saves the other (crashed) party's network address and a copy of its last update timestamp. If the network address has since been updated and the probe does not receive the message it expects, it can be assumed that the other party has crashed and restarted. For example, when the other mobile host restarts and registers a new network address, the sender (the non-crashed host) may receive a UDP unreachable message or an ICMP protocol unreachable message and can thereby release its local resources. However, a host (the corresponding mobile host or the mobile host) may crash and remain down for a long time. In this case the other party (the non-crashed host) does not know when to release its local resources. To solve this problem, a maximum duration is specified as an orphaned-connection timeout.
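The Figure 5 loop (local mobility check, peer mobility check, DNS update and query) together with the last-update-time crash detection and the orphaned-connection timeout, as an added simulation that is not the patent's code: `DynamicDns`, `MobileHost`, the event labels and the reading of a refreshed last-update time at an unchanged address as a restart are this example's assumptions.

```python
from typing import Optional


class DynamicDns:
    """Constructed stand-in for the extended DDNS server: name -> (address, last_update)."""

    def __init__(self):
        self.records = {}

    def update(self, name: str, addr: str, now: int) -> None:
        self.records[name] = (addr, now)

    def query(self, name: str) -> Optional[tuple]:
        # Returns the address together with the time it was last updated.
        return self.records.get(name)


class MobileHost:
    def __init__(self, name: str, addr: str, dns: DynamicDns, orphan_timeout: int):
        self.name, self.addr, self.dns = name, addr, dns
        self.orphan_timeout = orphan_timeout  # max time to wait on an unreachable peer
        self.sessions = {}  # peer name -> state shared by all sessions with that peer
        dns.update(name, addr, 0)             # initial registration at time 0

    def local_mobility_check(self, current_addr: str, now: int) -> bool:
        """Blocks 520/525/530: compare the current address with the one used
        before; on a change, update the DNS record once for all sessions."""
        if current_addr == self.addr:
            return False
        self.addr = current_addr
        self.dns.update(self.name, current_addr, now)
        return True

    def open_session(self, peer: str) -> str:
        addr, last_update = self.dns.query(peer)
        # Keep a copy of the peer's address and of its DNS last-update time.
        self.sessions[peer] = {"addr": addr, "last_update": last_update,
                               "unreachable_since": None}
        return addr

    def peer_mobility_check(self, peer: str, event: str, now: int) -> str:
        """Blocks 535/540/545. `event` is 'ok', 'timeout' or 'icmp_unreachable'
        (constructed labels for the two triggers the text names)."""
        s = self.sessions[peer]
        if event == "ok":
            s["unreachable_since"] = None
            return "reachable"
        rec = self.dns.query(peer)
        if rec and rec[0] != s["addr"]:
            # Peer moved: one DNS query, new address applied to every session with it.
            s.update(addr=rec[0], last_update=rec[1], unreachable_since=None)
            return "moved"
        if rec and rec[1] != s["last_update"]:
            # Same address but re-registered since we last saw it, and not
            # answering: treat as a crash/restart and release local resources.
            del self.sessions[peer]
            return "restarted"
        if s["unreachable_since"] is None:
            s["unreachable_since"] = now
        if now - s["unreachable_since"] >= self.orphan_timeout:
            del self.sessions[peer]   # orphaned connection: stop waiting
            return "released"
        return "waiting"
```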
Example application: Telnet (remote login)

To illustrate how this method of the invention can be used to support mobility, a Telnet application is used as an example. UDP is used as the underlying protocol and the TCP port number is used as the connection ID.
1. The server initializes a user-level TCP socket listening on port 23;
2. The server creates a UDP socket on port 2323 and receives packets;
3. The client initializes a user-level TCP socket and randomly selects a user TCP port, for example 3000;
4. The client opens a UDP socket and binds a local port, for example 5000;
5. The client sends user-level TCP packets, carried in UDP packets, to the server at port 2323;
6. The server receives the user-level TCP packet at local port 23 and finds the listening user-level TCP socket;
7. The server creates another user-level TCP socket with <local port 23, remote port 3000> and starts another thread for this connection;
8. The server sends packets to the client at port 5000 through its local UDP socket.
When the client moves, it obtains a new address and uses that new address to send the user-level TCP packets encapsulated in UDP packets to the server. The server notices the address change in the received packets and uses that address to send reply packets to the client. The IP address is not used to identify the TCP connection; instead, the connection ID (in this case the TCP port number) is used.
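The Figure 6 framing (connection ID, MAC, user-level TCP header, encrypted payload, with the MAC verified before decryption and the TIMESTAMP value used to reject replays) and the address-independent connection lookup of the Telnet example above, as an added example that is not the patent's code. Field sizes, the header layout, the `try_receive` helper and the HMAC-based keystream standing in for encrypt() are this example's assumptions; HMAC-SHA1 is used in place of the text's SHA1(key, ...) concatenation because a bare hash over key and data is open to length extension.

```python
import hashlib
import hmac
import struct

# Constructed layout (the patent text fixes no field sizes): after the UDP header,
#   conn_id (2 bytes) | MAC (20 bytes) | user-level TCP header | encrypted payload
# Header fields: source port, destination port, sequence number, flags, TCP
# TIMESTAMP option value. The connection ID reuses the TCP port number, as in
# the Telnet example.
HDR_FMT = "!HHIHI"
HDR_LEN = struct.calcsize(HDR_FMT)    # 14 bytes
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def _keystream(key: bytes, seq: int, ts: int, n: int) -> bytes:
    """Stand-in for the text's encrypt(key, payload): a CTR-style keystream from
    HMAC-SHA256 with (seq, timestamp) as the per-packet nonce. A real deployment
    would use an AEAD cipher; this keeps the example dependency-free."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", seq, ts, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(key: bytes, hdr: bytes, enc: bytes) -> bytes:
    # MAC over header, length and ciphertext, i.e. MAC(key, tcp_header, length,
    # encrypted_payload) from the text, computed as HMAC-SHA1.
    length = struct.pack("!H", len(hdr) + len(enc))
    return hmac.new(key, hdr + length + enc, hashlib.sha1).digest()


def build_packet(key: bytes, conn_id: int, src_port: int, dst_port: int,
                 seq: int, flags: int, ts: int, payload: bytes) -> bytes:
    """Encrypt the payload first, then MAC (encrypt-then-MAC), then frame."""
    hdr = struct.pack(HDR_FMT, src_port, dst_port, seq, flags, ts)
    enc = _xor(payload, _keystream(key, seq, ts, len(payload)))
    return struct.pack("!H", conn_id) + _mac(key, hdr, enc) + hdr + enc


class Receiver:
    """Verifies the MAC before decrypting, rejects replayed (seq, timestamp)
    pairs, and tracks the peer's current address per connection ID."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()     # (conn_id, seq, ts) already accepted
        self.peer_addr = {}   # conn_id -> (ip, port) the peer last sent from

    def receive(self, data: bytes, src_addr: tuple) -> dict:
        if len(data) < 2 + MAC_LEN + HDR_LEN:
            raise ValueError("truncated packet")
        conn_id = struct.unpack("!H", data[:2])[0]
        mac, hdr = data[2:2 + MAC_LEN], data[2 + MAC_LEN:2 + MAC_LEN + HDR_LEN]
        enc = data[2 + MAC_LEN + HDR_LEN:]
        if not hmac.compare_digest(mac, _mac(self.key, hdr, enc)):
            raise ValueError("bad MAC")          # integrity checked before decryption
        src_port, dst_port, seq, flags, ts = struct.unpack(HDR_FMT, hdr)
        if (conn_id, seq, ts) in self.seen:
            raise ValueError("replayed packet")  # same header already accepted
        self.seen.add((conn_id, seq, ts))
        # The connection is identified by conn_id, not by the sender's address:
        # a new src_addr after a move only changes where replies are sent.
        moved = self.peer_addr.get(conn_id) not in (None, src_addr)
        self.peer_addr[conn_id] = src_addr
        payload = _xor(enc, _keystream(self.key, seq, ts, len(enc)))
        return {"conn_id": conn_id, "seq": seq, "payload": payload,
                "peer_moved": moved}


def try_receive(receiver: Receiver, data: bytes, src_addr: tuple):
    """Status-string wrapper: ('ok', result) or (reason, None)."""
    try:
        return "ok", receiver.receive(data, src_addr)
    except ValueError as exc:
        return str(exc), None
```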

Figure 8A shows the structure of the user-level TCP on the client when a connection is established. The user-level TCP uses local port 3000 and remote port 23. The underlying UDP socket has local port 5000.

Figure 8B shows the structure of the user-level TCP on the server side. UDP port 2323 is used to receive user-level TCP packets. The user-level TCP socket with local port 23 is in the listening state. Another user-level TCP socket with local port 23 and remote port 3000 is in the established state.

Figure 9 is a block diagram of a mobile host. Because the mobile host and the corresponding mobile host have the same functions and either can be active at any point in time, the block diagram is the same for the (original) mobile host and the corresponding (remote) mobile host. The modules (components) of the mobile host may be implemented as hardware, software and/or firmware, or any combination of the above, including application-specific integrated circuits (ASIC), reduced instruction set computers (RISC), field programmable gate arrays (FPGA) and any other equivalent structure. The controller module controls the other modules. If security (a secure connection) is required, the key exchange module is used to exchange keys. The mobility check module checks whether the local address has changed (the mobile host or virtual machine has moved) and, if the mobile host or virtual machine has moved (address changed), updates the domain name server. This is referred to herein as the local mobility check. The mobility check module can also check the mobility of the corresponding mobile host. If the remote address (of the corresponding or remote mobile host) has changed, this module will use the new address for future communication. The data exchange module is used to exchange data between the two mobile hosts (original and corresponding (remote)). The communication module is used to transmit and receive data packets. Data packets include any data or messages such as ICMP messages. If the mobile host (or the corresponding mobile host) is a virtual machine, all of these modules are components of the virtualized machine.

It should be understood that the present invention may be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof. Preferably, the invention is implemented as a combination of hardware and software. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage device. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is a computer platform having hardware such as one or more central processing units (CPU), a random access memory (RAM), and input/output (I/O) interfaces. The computer platform also includes an operating system and microinstruction code. The various processes and functions described herein may be part of the microinstruction code executed via the operating system or part of the application program (or a combination thereof). In addition, various other peripheral devices, such as an additional data storage device and a printing device, may be connected to the computer platform.

It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures are preferably implemented in software, the actual connections between the system components (or the process steps) may differ depending on the manner in which the present invention is programmed. Given the teachings herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

Brief Description of the Drawings

Figure 1A is a schematic diagram showing the migration path of a mobile device from a 3G network to a WiFi network, where the mobile device is initially connected to host A through the 3G network;
Figure 1B is a schematic diagram showing the migration path of a mobile device from a 3G network to a WiFi network, where the mobile device is finally connected to host A through the WiFi network;
Figure 2A is a schematic diagram showing the migration path of a virtual machine having a connection to host A, where the virtual machine initially runs in host B and later migrates to host C;
Figure 2B is a schematic diagram showing the migration path of a virtual machine having a connection to host A, where the virtual machine finally runs in host C;
Figure 3 shows user-level TCP directly on top of the kernel network layer;
Figure 4 shows user-level TCP used on top of UDP;
Figure 5 is a flow chart of an exemplary embodiment of the method of the present invention;
Figure 6 illustrates an exemplary packet format when UDP is used as the underlying protocol;
Figure 7 illustrates an exemplary pseudo-header;
Figure 8A shows the structure of the user-level TCP on the client when a connection is established;
Figure 8B shows the structure of the user-level TCP on the server when a connection is established; and
Figure 9 is a block diagram of a mobile host.

Claims

1. A method, comprising: determining whether a mobile host has moved; in response to the determination, updating a domain name server with a current network address of the mobile host; determining whether a corresponding mobile host has moved; and in response to the second determination, querying the domain name server.
2. The method of claim 1, wherein the first determining act further comprises determining the movement based on the current network address of the mobile host and a previous network address of the mobile host.
3. The method of claim 1, wherein the second determining act further comprises determining the movement by one of a retransmission timeout and receipt of a message.
4. The method of claim 1, further comprising exchanging data, wherein exchanging data comprises one of transmitting data and receiving data.
5. The method of claim 1, wherein the mobile host is a virtual machine.
6. The method of claim 1, wherein the corresponding mobile host is a virtual machine.
7. The method of claim 1, further comprising exchanging keys.
8. The method of claim 1, wherein the acts of exchanging data, exchanging keys, the first determining, the second determining, updating and querying are performed using a user-level transmission control protocol (TCP).
9. An apparatus, comprising: a mobility module for determining whether one of the apparatus and a corresponding apparatus has moved; and a module for exchanging key information.
10. The apparatus of claim 9, wherein the mobility module further updates a domain name server.
11. The apparatus of claim 9, wherein the mobility module further queries the domain name server.
12. The apparatus of claim 9, further comprising a module for handling communication between the apparatus and a wireless network and any other device in the wireless network.
13. The apparatus of claim 9, further comprising a module for exchanging and processing data, and a module for controlling the actions of the mobility module, the key exchange module and the data exchange and processing module.
TW099125170A 2009-07-30 2010-07-29 Maintaining persistent connection with user level transmission control protocol TW201136264A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2009/004403 WO2011014145A1 (en) 2009-07-30 2009-07-30 Maintaining persistent connection with user level transmission control protocol

Publications (1)

Publication Number Publication Date
TW201136264A true TW201136264A (en) 2011-10-16

Also Published As

Publication number Publication date
WO2011014145A1 (en) 2011-02-03
