TW512263B - On-demand system and method for access repeater used in Virtual Private Network - Google Patents

On-demand system and method for access repeater used in Virtual Private Network

Info

Publication number
TW512263B
Authority
TW
Taiwan
Prior art keywords
user
virtual private
private network
dial
scope
Prior art date
Application number
TW88108149A
Other languages
Chinese (zh)
Inventor
Li-Guo Bau
Wei-Yuan Du
Yi-Yuan Li
Original Assignee
Inst Information Industry
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inst Information Industry
Priority to TW88108149A
Application granted
Publication of TW512263B

Abstract

The invention processes a user's connection request with a two-stage PPP link. The first-stage PPP link carries out negotiation between the user and the access repeater and verification of the user's identity. If the user is a legitimate user, the user is given a new network address. The user can then select a service item from the function menu provided by the on-demand repeater, which includes virtual private network (VPN) services and NON-VPN services. If the user selects a NON-VPN service, the access repeater transmits the packets to their destination address. If the user requests a VPN service, the access repeater creates a second-stage PPP link with the VPN. As such, the user can access NON-VPN services without having to connect directly to the VPN server.

Description

5-1 Field of the Invention and Background

A. Field of the Invention

The present invention relates to an access concentrator (the "access repeater" of the title and abstract) for virtual private networks (VPN), and in particular to an access concentrator that provides on-demand services, so that a user has other service options available before connecting to the VPN server.

B. Background of the Invention

A virtual private network (hereinafter VPN) is a data network that uses a public telecommunication infrastructure, as shown in Figure 1. A VPN is usually connected over dedicated lines and therefore offers more privacy. Through an authorized Internet service provider (ISP) 13, a company or enterprise 14 can treat the Internet 15 as one large local area network. When data is sent from one VPN to the VPN at the other end via the public telephone network 12 and the Internet 15, it normally passes through encryption and decryption procedures to keep it secure. To protect the privacy and security of the data, the Internet further uses tunneling 16 to provide a dedicated path over which a particular company can send messages or files across the Internet 15. The protocol that provides this communication is the Point-to-Point Tunneling Protocol (hereinafter PPTP). Through PPTP, a company can create a VPN over the Internet by means of a tunnel and transmit data securely. In this way, the company or enterprise 14 need not use its own leased wide-area network lines and can make safe use of the general network.

The ISP 13 uses an access concentrator 17 and a database 18 to handle VPN communication. The access concentrator 17 has two interfaces: a VPN interface 171, which provides point-to-point access over public switched telephone networks (PSTN) or the Integrated Services Digital Network (ISDN), and a general network communication interface 172, which provides the TCP/IP protocol suite to send packets to the Internet 15 or to non-VPN networks.

PPTP uses an enhanced GRE (Generic Routing Encapsulation) mechanism to provide an encapsulated datagram service with flow and congestion control for carrying PPP packets. When an enterprise user 11 uses the PPTP protocol and dials in to an ISP 13, the packets are encapsulated and then sent to the access concentrator 17. The encapsulated PPP packets are carried over IP. The format of an encapsulated PPP packet is therefore as shown in Figure 2: a media header 21, an IP header 22, a GRE header 23, and the PPP packet 24.

The conventional access concentrator 17 confirms the authenticity of the dial-up user's identity only from the Call ID field of the PPP packet, then assigns a legitimate network address to the dial-up user to replace its source address. In this way the dial-up user can access the virtual private network without the packet having to be decrypted. In other words, the ISP 13 lets the dial-up user 11 run the PPP protocol directly with the server 14. As a result, even if the dial-up user only wants to browse the Internet or use remote login (TELNET), file transfer (FTP), electronic bulletin boards (BBS) and the World Wide Web (WWW), he must still connect to the server 14 located in the VPN 19. This not only wastes connection time but also generates unnecessary traffic.

Moreover, with the current access concentrator architecture, adding on-demand service functions requires a Remote Authentication Dial-In User Service (RADIUS) authentication architecture. This means not only modifying the existing PPP protocol to support the EAP standard (PPP Extensible Authentication Protocol, RFC 2284) but also bearing the cost of the RADIUS authentication architecture, which makes practical deployment and programming more difficult and complex. In addition, under a single-PPP-link design, the access concentrator can only wrap the PPP payload packets sent by the remote user in a VPN header and forward them; it cannot inspect the data inside the packets, such as IP or IPX addresses, as a basis for selecting the link's quality of service, so it is less flexible in practice.

5-2 Objects and Summary of the Invention

In view of the above problems, one object of the present invention is to propose an on-demand service system and method for a VPN access concentrator that lets the user request non-VPN services from the access concentrator before connecting to the VPN server.

Another object of the present invention is to propose an access concentrator system and method providing on-demand services that keeps the existing PPP protocol mechanism while adding the concentrator's on-demand service function, so as to reduce the cost of program installation and modification.

A further object of the present invention is to propose a method of segmenting a PPTP link in a virtual private network that needs only minor changes to the VPN part of the code to let the concentrator add functions or upgrade its code, reducing the complexity of equipment and maintenance.

A further object of the present invention is to propose a method of segmenting a PPTP link that needs no additional RADIUS support, saving the cost of a RADIUS proxy server and server equipment.

To these ends, the present invention handles the user's connection request mainly with a two-stage PPP link. The first-stage PPP link performs negotiation between the user and the access concentrator. During the first-stage PPP link the user's identity is verified. If the user is a legitimate user, the user is assigned a new network address. The user can then select a service item from the function menu provided by the on-demand concentrator, covering VPN and non-VPN services such as remote login (TELNET), file transfer (FTP), electronic bulletin boards (BBS) and the World Wide Web (WWW). If the user selects a non-VPN service, the access concentrator forwards the packets to their destination address. If the user requests a VPN service, the access concentrator establishes a PPP connection to the virtual private network. In this way the user can access non-VPN services without connecting directly to the VPN server.

5-3 Brief Description of the Drawings

Figure 1 shows a schematic of a conventional virtual private network system.
Figure 2 shows the format of an encapsulated PPP packet.
Figure 3 shows the operation of the on-demand concentrator system of the invention.
Figure 4 shows a flowchart of the method of the invention.

Reference numerals:
11: user
12: public telephone network
13: Internet service provider
14: enterprise
15: Internet
16: tunnel
17: access concentrator
171: VPN interface
172: network communication interface
18: database
21: media header
22: IP header
23: GRE header
24: PPP packet
30: Internet service provider
31: access concentrator
32: public switched telephone line
33: physical layer interface device
34: user
35: VPN server
361: link layer control device
362: identity confirmation device
363: network layer communication control device
37: service providing device
381: link layer control device
382: network layer link control device

5-4 Detailed Description of the Invention

Assume that the dial-up service is Internet roaming and that the local area network connected to the VPN server uses the TCP/IP protocol suite. The method of the invention divides the PPP link into two stages, as shown in Figure 3. Figure 3 shows the access concentrator with on-demand service function of the invention. The access concentrator 31 runs on a platform that accepts dial-up access and controls dial-up telephone access from the public switched telephone network (PSTN) 32 or the Integrated Services Digital Network (ISDN), or originates an outgoing circuit-switched connection.

The access concentrator 31 also provides a physical layer interface device 33 to connect to the public switched telephone line 32. When a remote user has dialed in successfully and requests data link layer negotiation with the ISP 30, the link layer control device 361 performs PPP link layer negotiation for that dial-up user to connect with the dial-up user's host 34. During connection, the identity confirmation device 362 queries a VPN user database to verify identity, for example checking whether data such as the source address in the user's packets, the access rights, the user identifier and the password are genuine. If user 34 is determined to be a legitimate VPN user, the PPP protocol continues with network layer negotiation. Unlike the prior art, the network layer communication control device 363 decodes the packet and obtains data such as its network number and service request. After PPP negotiation is complete, the remote user 34 is assigned a new network address, such as an IP address. Because this network address differs from the address of the VPN to which the user belongs, the packets the user sends are not delivered into that VPN, and the user does not have to connect first to his own VPN server 35 and then go through the VPN server 35 to reach other network services or use their resources. The network link control device 363 can also decide how packets are routed.

Then, once the first PPP negotiation is complete, packets bearing the new network address are passed to the service providing device 37, which offers on-demand services for the dial-up user to choose from. Because the dial-up user now has a new IP address, he can freely select various non-VPN services, such as remote login (TELNET), file transfer (FTP), electronic bulletin boards (BBS) and the World Wide Web (WWW). If user 34 selects a non-VPN service, the service providing device 37 sends these packets directly to their destination address without connecting to the user's corporate VPN server 35. On the other hand, if user 34 selects the VPN service, the access concentrator 31 establishes a second PPP connection to the VPN server 35. In this PPP negotiation, the link layer control device 381 can use the user data obtained in the link layer negotiation of the first connection, so the user's identity need not be verified again, which speeds up the connection. The packets are then forwarded to the network layer link control device 382 to establish network layer communication with the VPN server 35. At this point user 11 can obtain a legitimate VPN address, such as an IP address or an IPX address, from the VPN server 35 and can therefore access the resources of the VPN server 35.

Figure 4 shows the on-demand method of the invention applied to a VPN access concentrator, which comprises the following steps:

401: On receiving a connection request, perform link layer negotiation with a dial-up user.
402: Query a VPN user database to determine the dial-up user's identity. If the dial-up user's identity is genuine, go to step 404; otherwise go to step 403.
403: Reject the dial-up user's connection request.
404: Perform network layer negotiation with the dial-up user, including decrypting the PPP packet to obtain the network address and service request data.
405: Assign a new network address to the dial-up user.
406: Provide an on-demand service menu for the dial-up user to choose from. If the user requests a non-VPN service, go to step 407; otherwise go to step 408.
407: If the dial-up user selects a non-VPN service, such as TELNET, FTP, BBS or WWW, forward the packets to their destination address.
408: Based on the data obtained in the first link layer negotiation, perform link layer negotiation with the VPN server.
409: Perform network layer negotiation with the VPN server and provide a legitimate VPN address, such as an IP address or an IPX address, to the dial-up user.
410: Connect to the VPN server.

The preferred embodiment of the invention has been described in detail above, but various changes to the above embodiment remain within the scope of the patent; for example, the invention can be applied to any similar protocol usable for future VPN connections. Moreover, the on-demand service items can be set according to actual circumstances and are not limited to the TELNET, FTP, BBS and WWW services described above. The foregoing is merely a preferred embodiment of the invention, which has achieved wide practical effect; all equivalent changes and modifications made within the scope of the patent claims of the invention remain covered by the patent.

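The ten-step flow of Figure 4, and the reuse of first-stage user data for the second-stage link that claim 9 relies on, worked through as an added simulation that is not part of the patent or the applicant's code; the user database, address pools, service names and the AccessConcentrator class are constructed assumptions for illustration.

```python
"""Simulation of the two-stage, on-demand PPP flow of TW512263B (steps 401-410).

Constructed example, not the patent's own code. The user database, address
pools, service names and the AccessConcentrator API are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Menu offered by the service providing device (37): the VPN connection
# service plus the non-VPN items the patent names.
NON_VPN_SERVICES = {"TELNET", "FTP", "BBS", "WWW"}
VPN_SERVICE = "VPN"


@dataclass
class UserRecord:
    """One row of the VPN user database consulted by device 362 (assumed shape)."""
    password: str
    vpn_server: str            # the VPN server (35) this user belongs to
    enabled: bool = True       # access rights


@dataclass
class Session:
    user_id: str
    stage: int = 0                        # 0: none, 1: first-stage PPP, 2: second-stage PPP
    isp_address: Optional[str] = None     # new address assigned at step 405
    vpn_address: Optional[str] = None     # legitimate VPN address from step 409
    log: list = field(default_factory=list)


class AccessConcentrator:
    def __init__(self, user_db, isp_pool, vpn_pools):
        self.user_db = user_db
        self.isp_pool = list(isp_pool)                               # handed out at step 405
        self.vpn_pools = {k: list(v) for k, v in vpn_pools.items()}  # per VPN server (35)

    def first_stage(self, user_id, password, source_addr):
        """Steps 401-405: PPP link between the dial-up user and the concentrator."""
        s = Session(user_id)
        s.log.append("401 link-layer negotiation")
        rec = self.user_db.get(user_id)        # 402: query the VPN user database
        if rec is None or rec.password != password or not rec.enabled:
            s.log.append("403 rejected")        # identity not genuine
            return s
        # 404: network-layer negotiation; the concentrator sees the user's own
        # source address and service request instead of blindly tunnelling them
        s.log.append("404 network-layer negotiation from %s" % source_addr)
        s.isp_address = self.isp_pool.pop(0)   # 405: assign a new (non-VPN) address
        s.stage = 1
        s.log.append("405 assigned %s" % s.isp_address)
        return s

    def select_service(self, s, service, destination=None):
        """Steps 406-410: act on the user's choice from the on-demand menu."""
        if s.stage < 1:
            raise ValueError("no first-stage PPP link for this session")
        if service in NON_VPN_SERVICES:
            # 407: forward straight to the destination; the VPN server is not involved
            return ("forward", s.isp_address, destination)
        if service == VPN_SERVICE:
            rec = self.user_db[s.user_id]      # data kept from the first stage
            # 408: second link-layer negotiation reusing that data (no re-authentication)
            s.log.append("408 second-stage PPP to %s" % rec.vpn_server)
            # 409: network-layer negotiation; the VPN server hands out a VPN address
            s.vpn_address = self.vpn_pools[rec.vpn_server].pop(0)
            s.stage = 2                         # 410: connected to the VPN server
            return ("tunnel", s.vpn_address, rec.vpn_server)
        return ("unknown-service", None, None)


def build_concentrator():
    """Constructed sample data using documentation address ranges."""
    user_db = {"alice": UserRecord("s3cret", "vpn-a"),
               "bob": UserRecord("hunter2", "vpn-b", enabled=False)}
    return AccessConcentrator(user_db,
                              isp_pool=["198.51.100.1", "198.51.100.2"],
                              vpn_pools={"vpn-a": ["192.168.10.50"],
                                         "vpn-b": ["192.168.20.50"]})


def demo():
    """Walk one user down both branches of the menu and show one rejection."""
    ac = build_concentrator()
    alice = ac.first_stage("alice", "s3cret", "10.0.0.5")
    web = ac.select_service(alice, "WWW", "203.0.113.10")   # non-VPN, step 407
    vpn = ac.select_service(alice, "VPN")                   # steps 408-410
    bob = ac.first_stage("bob", "hunter2", "10.0.0.6")      # rights revoked -> 403
    return alice, web, vpn, bob


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The non-VPN branch never touches the VPN pool, which is the traffic saving the patent describes; the VPN branch consumes a VPN address only after the first-stage identity check already passed.
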
Claims (1)

經濟部智慧財產局員工消費合作社印製 512263 A8 B8 C8 D8 六、申請專利範圍 1. 一種應用於虛擬私有網路之存取中繼器的隨選服務方 法,包含步驟: 當收到一撥號使用者之連結需求時,建立該撥號使 用者之第一階段的點對點通訊協定; 查詢一虛擬私有網路使用者資料庫以判定該撥號使 用者的身份真確性; 當該撥號使用者之身份判定為真時,賦于該撥號使 用者一網路位址; 提供一隨選服務選單給該撥號使用者選取,及該隨 選服務包含虛擬私有網路的連線服務及非虛擬私有網路的 服務; 當該撥號使用者選取一虛擬私有網路的連線服務 時,與該虛擬私有網路之伺服器建立一第二階段的點對點 通訊連結;及 賦于該撥號使用者一合法的虛擬私有網路位址以存 取該虛擬私有網路。 2. 如申請專利範圍第1項所述之方法,更包含步驟: 建立一虛擬私有網路使用者資料庫,以儲存虛擬私 有網路之使用者資料。 3. 如申請專利範圍第1項所述之方法,更包含步驟: 11 本紙張尺度適用书國國家標準( CNS ) A4規格(210X297公釐) (請先聞讀背面之注意事項再填寫本頁)Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 512263 A8 B8 C8 D8 VI. Application for Patent Scope 1. An on-demand service method for access repeaters applied to virtual private networks, including steps: When a dial-up is used When the connection needs of the dial-up user, establish the first-stage point-to-point communication protocol of the dial-up user; query a virtual private network user database to determine the authenticity of the dial-up user's identity; when the dial-up user's identity is determined as When true, the dial-up user is given a network address; an on-demand service menu is provided for the dial-up user to select, and the on-demand service includes a virtual private network connection service and a non-virtual private network service ; When the dial-up user selects a virtual private network connection service, establishing a second-stage point-to-point communication link with the server of the virtual private network; and assigning the dial-up user a legal virtual private network Address to access the virtual private network. 2. The method described in item 1 of the scope of patent application, further comprising the steps of: establishing a virtual private network user database to store user data of the virtual private network. 3. 
The method described in item 1 of the scope of patent application, further including the steps: 11 This paper size applies the national standard (CNS) A4 specification (210X297 mm) of the paper (please read the precautions on the back before filling out this page) ) 經濟部智慧財產局員工消费合作社印製 512263 A8 B8 C8 D8 六、申請專利範圍 當上述之撥號使用者的身份判定為不真確時’拒絕 上述之第一階段的點對點通訊連結要求。 4. 如申請專利範圍第1項所述之方法,其中上述之網路位 址為IP位址。 5. 如申請專利範圍第1項所述之方法,其中上述之非虛擬 私有網路服務包含: 遠程登錄,檔案傳輸,網際網路,及電子佈告攔。 6. 如申請專利範圍第1項所述之方法,其中上述之合法的 虛擬私有網路位址為一 IP位址。 7. 如申請專利範圍第1項所述之方法,其中上述之合法的 虛擬私有網路位址為一 IPX位址。 8. 如申請專利範圍第1項所述之方法,更包含步驟: 當上述之撥號使用者選取一非虛擬私有網路的服務 時;轉送上述之撥號使用者的封包至其目的位址。 9. 如申請專利範圍第1項所述之方法,其中上述之第二階 段的PPP通訊連結,係依據上述之第一階段的PPP通訊連 結中所取得的使用者資料來執行。 12 本紙張尺度逋用中國國家標準(CNS ) A4規格(210 X 297公釐) I---------1#_------^------ (請先閱讀背面之注意事項再填寫本頁) 512263 A8 B8 C8Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 512263 A8 B8 C8 D8 VI. Scope of Patent Application When the identity of the above dial-up user is determined to be inaccurate 'rejection of the above-mentioned first-phase peer-to-peer communication connection request. 4. The method described in item 1 of the scope of patent application, wherein the above-mentioned network address is an IP address. 5. The method described in item 1 of the scope of patent application, wherein the aforementioned non-virtual private network services include: remote login, file transfer, Internet, and electronic bulletin board. 6. The method described in item 1 of the scope of patent application, wherein the legal virtual private network address is an IP address. 7. The method described in item 1 of the scope of patent application, wherein the legal virtual private network address is an IPX address. 8. The method described in item 1 of the scope of patent application, further comprising the steps of: when the dial-up user selects a service of a non-virtual private network; and forwarding the packet of the dial-up user to its destination address. 9. 
The method described in item 1 of the scope of patent application, wherein the second-stage PPP communication link is performed based on the user data obtained in the first-stage PPP communication link. 12 This paper uses China National Standard (CNS) A4 size (210 X 297 mm) I --------- 1 # _------ ^ ------ (please first (Read the notes on the back and fill out this page) 512263 A8 B8 C8 六、申請專利範圍 1 〇. 一種可提供隨選服務功能的虛擬私有網路存取中繼器 系統’包含: (請先聞讀背面之注意事項再填寫本頁) 一介面裝置,用以接收來自公用電話網路的連結需 求; 一第一連結層控制裝置,用以執行與一撥號使用者 之主機的連結層之通訊協調; 一身份確認裝置,係耦合至一虛擬私有網路使用者 資料庫’用以判定該撥號使用者的身份真確性; 一第一網路層控制裝置,用以執行與該撥號使用者 之主機的網路層之通訊協調,並取得一網路位址; 一服務提供裝置,用以提供一隨選服務選單給該撥 號使用者選擇; 一第二連結層控制裝置,用以對一虛擬私有網路伺 服器建立一第二連結層之通訊協調;及 一第二網路層控制裝置,用以賦于該撥號使用者一 合法的虛擬私有網路位址,以存取該虛擬私有網路伺服 器。、 經濟部智慧財產局員工消費合作社印製 11. 如申請專利範圍第10項所述之系統,其中上述之網路 位址係為IP位址。 12. 如申請專利範圍第1〇項所述之系統,其中上述之隨選 服務包含··虛擬私有網路服務及非虛擬私有網路服務。 13 本紙張尺度適用肀國國家揉準(CNS ) A4規格(210X297公釐) 512263 A8 B8 C8 D8 六、申請專利範圍 1 3 .如申請專利範圍第1 2項所述之系統,其中上述之非虛 擬私有網路服務包含: 遠程登錄,檔案傳輸,網際網路,及電子佈告攔。 1 4.如申請專利範圍第1 〇項所述之系統,其中上述之合法 的虛擬私有網路位址為一 IP位址。 15/如申請專利範圍第10項所述之系統,其中上述之合法 的虛擬私有網路位址為一 IPX位址。 1 6.如申請專利範圍第1 0項所述之系統,其中上述之服務 提供裝置係在上述之撥號使用者要求一非虛擬私有網路服 務時,將上述之撥號使用者的封包轉送至其目的位址。 (請先閱讀背面之注意事項再填寫本頁) 經濟部智慧財產局員工消費合作社印製 14 本紙張尺度適用肀國國家標準(CNS ) A4規格(210X297公釐)6. Scope of Patent Application 1 〇 A virtual private network access repeater system capable of providing on-demand service functions' includes: (Please read the precautions on the back before filling this page) An interface device for receiving A connection request from a public telephone network; a first link layer control device to perform communication coordination with the link layer of a host of a dial-up user; an identity confirmation device coupled to a virtual private network user data The library is used to determine the authenticity of the dial-up user. A first network layer control device is used to perform communication coordination with the network layer of the host of the dial-up user and obtain a network address. 
A service providing device for providing an on-demand service menu for the dialing user to choose; a second link layer control device for establishing a second link layer communication coordination with a virtual private network server; and a first The second network layer control device is used to give the dial-up user a legal virtual private network address to access the virtual private network server. Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 11. The system described in item 10 of the scope of patent application, wherein the above-mentioned network address is an IP address. 12. The system described in item 10 of the scope of patent application, wherein the on-demand services mentioned above include a virtual private network service and a non-virtual private network service. 13 This paper size is applicable to Laos National Standard (CNS) A4 (210X297 mm) 512263 A8 B8 C8 D8 VI. Application scope of patents 1 3. The system described in item 12 of the scope of patent applications, where the above non- Virtual private network services include: remote login, file transfer, Internet, and electronic bulletin boards. 14. The system as described in item 10 of the scope of patent application, wherein the legal virtual private network address is an IP address. 15 / The system according to item 10 of the scope of patent application, wherein the legal virtual private network address is an IPX address. 16. The system as described in item 10 of the scope of patent application, wherein the above-mentioned service providing device transfers the above-mentioned dial-up user's packet to the dial-up user when the dial-up user requests a non-virtual private network service. Destination address. 
TW88108149A 1999-05-19 1999-05-19 On-demand system and method for access repeater used in Virtual Private Network TW512263B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW88108149A TW512263B (en) 1999-05-19 1999-05-19 On-demand system and method for access repeater used in Virtual Private Network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW88108149A TW512263B (en) 1999-05-19 1999-05-19 On-demand system and method for access repeater used in Virtual Private Network

Publications (1)

Publication Number Publication Date
TW512263B true TW512263B (en) 2002-12-01

Family

ID=27731163

Family Applications (1)

Application Number Title Priority Date Filing Date
TW88108149A TW512263B (en) 1999-05-19 1999-05-19 On-demand system and method for access repeater used in Virtual Private Network

Country Status (1)

Country Link
TW (1) TW512263B (en)

Similar Documents

Publication Publication Date Title
US6694437B1 (en) System and method for on-demand access concentrator for virtual private networks
US7768941B1 (en) Method and system for initiating a virtual private network over a shared network on behalf of a wireless terminal
US7586939B2 (en) Mobile IP communication scheme for supporting mobile computer move over different address spaces
Mamakos et al. A method for transmitting PPP over Ethernet (PPPoE)
JP5161262B2 (en) Method and system for resolving addressing conflicts based on tunnel information
US20180270660A1 (en) Method and system for peer-to-peer enforcement
US5918019A (en) Virtual dial-up protocol for network communication
JP3343064B2 (en) Pseudo network adapter for capturing, encapsulating and encrypting frames
EP1500223B1 (en) Transitive authentication authorization accounting in interworking between access networks
US9088547B2 (en) Connection method, communication system, device, and program
US20010034831A1 (en) Method and apparatus for providing internet access to client computers over a lan
WO1999038081A1 (en) Virtual private network system and method
JP2001160828A (en) Vpn communication method in security gateway device
US20040168049A1 (en) Method for encrypting data of an access virtual private network (VPN)
US20040243837A1 (en) Process and communication equipment for encrypting e-mail traffic between mail domains of the internet
CN112437355B (en) Method and system for realizing three-layer multicast
TW512263B (en) On-demand system and method for access repeater used in Virtual Private Network
JP3344421B2 (en) Virtual private network
JP3490358B2 (en) Inter-network communication method, server device, and inter-network communication system
Mamakos et al. RFC2516: A Method for Transmitting PPP Over Ethernet (PPPoE)
JP2006352710A (en) Packet repeating apparatus and program
JPH1132088A (en) Network system
JP3472098B2 (en) Mobile computer device, relay device, and data transfer method
JP4180458B2 (en) VPN communication system and VPN tunnel forming method
CN117938408A (en) Method and system for implementing dynamic access control in Android device

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MK4A Expiration of patent term of an invention patent