TWI254546B - Assignment method and system of home agent in mobile VPN - Google Patents


Info

Publication number
TWI254546B
Authority
TW
Taiwan
Prior art keywords
external
local
agent
network
mobile
Prior art date
Application number
TW93123260A
Other languages
Chinese (zh)
Other versions
TW200607292A (en)
Inventor
Jyh-Cheng Chen
Li-Wei Lin
Yi-Wen Liu
Original Assignee
Zyxel Communications Corp
Filing date
Publication date
Application filed by Zyxel Communications Corp
Priority to TW93123260A
Priority to JP2005110463A
Publication of TW200607292A
Application granted
Publication of TWI254546B


Abstract

The present invention provides a method and system for assigning the home agent in a mobile VPN, in which a virtual private network is established between at least one intranet and an external network so that at least one mobile node can roam securely in the external network. In the present invention, an external home agent close to the mobile node roaming in the external network can be dynamically assigned as the registration agent of the mobile node. While the mobile node roams within the same external network it therefore only needs to register with that external home agent, without having to register again with the internal home agent of the intranet (the IETF method remains available). The handoff delay between agents and the end-to-end delay during roaming are thereby reduced to a minimum, and the IPsec security control of the VPN can be fully integrated.

Description

[Technical Field of the Invention]

The present invention relates to a Home Agent assignment method and system for a mobile VPN (Mobile Virtual Private Network), and in particular to a method and system that, for a VPN built on the Internet Protocol Security (IPsec) architecture, can dynamically assign an external agent to handle the registration of a mobile node.

[Prior Art]

A Virtual Private Network (hereinafter VPN) uses a wide area network (such as the Internet) to establish a dedicated channel between a remote user's computer and a server on a local network, so that data transmission is as secure as it would be inside a closed private local area network. To guarantee that security, a VPN has the following basic requirements:

1. User authentication: the VPN must be able to verify the user's identity and strictly ensure that only registered and authorized users can log in.
2. Address management: the VPN must be able to assign users addresses on the private network and ensure address security.
3. Data encryption: data transmitted over the Internet must be encrypted, so that other unauthorized users on the Internet cannot read it.
4. Key management: the VPN must be able to generate and update the encryption keys of the client computer and the server.
5. Support for multiple protocols: the VPN must be able to support the basic protocols commonly used on the Internet, including IP, IPX, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), IPsec (Internet Protocol Security) and so on.

The Internet Protocol (IP) is the protocol used to transmit data over a computer network such as the Internet, but IP itself defines no security mechanism. The Internet Engineering Task Force (hereinafter IETF) therefore defined, in Request for Comments (RFC) 2401, the IPsec protocol, a method of encrypting IP traffic that protects network communications against data modification, inspection by third parties, impersonation, capture and replay.

With the rapid development of wireless network technology, how to build a mobile VPN for wireless networks has become an important research topic. For mobile VPNs using wireless technology the IETF has also defined the Mobile IPv4 (IETF RFC 3344) protocol standard, but some problems with Mobile IPv4 remain to be solved.

For example, when a mobile node (hereinafter MN), such as a laptop equipped with a wireless network device, roams within an intranet, a home agent (HA) assigns it a Mobile IP (hereinafter MIP). When the MN roams from the intranet to an external network (the Internet), for instance at home or at a remote branch office, the MN enters through a local foreign agent (FA) and registers with the home agent (HA) through an IPsec-based VPN gateway, so that the VPN gateway establishes an IPsec tunnel to the foreign agent (FA).

In the external network the MN obtains a new care-of address (hereinafter CoA) and requires the VPN gateway to update the IPsec tunnel every time the MN roams to a new subnet. However, every data packet entering the VPN gateway is encrypted under the IPsec security standard, and the foreign agent (FA) cannot decrypt those packets, so the foreign agent (FA) cannot deliver the IP message.

To solve this problem, the Mobile IPv4 Working Group (WG) of the IETF proposed a method that uses a fixed mechanism to support international seamless roaming (ISR) for VPN users.

In this method the home agent (HA) of the intranet is defined as an internal home agent (hereinafter i-HA) and an external home agent (hereinafter x-HA) is deployed in the external network. The i-HA handles mobility management of the MN within the intranet, while the x-HA manages the MN's roaming once it has moved to the external network. The additional x-HA can wrap the already established IPsec tunnel inside a further MIP tunnel without changing the established IPsec tunnel, so when the MN obtains a new CoA from the VPN gateway the IPsec tunnel built by the VPN gateway is not torn down, and the foreign agent (FA) can therefore decrypt the x-MIP message. This method thus requires no modification of the Mobile IPv4 standard or the IPsec standard; only the care-of address (CoA) that the mobile node needs is changed.

The first figure is a schematic of the mobile VPN standard architecture defined by the IETF. In the first figure an MN 1 roams within an intranet 10 through an i-HA 11. When the MN 1 moves from the intranet 10 to an external network 20, the MN 1 must register with an x-HA 21 to obtain a new CoA, and the x-HA 21 then asks a VPN gateway 22 to establish an IPsec tunnel to the x-HA 21. Finally the VPN gateway 22 registers the VPN-TIA (VPN Tunnel Inner Address) of the MN 1 with the i-HA 11, so that the established IPsec tunnel is connected to the i-HA 11, forming a virtual private network (VPN) in which roaming is possible in both the external network 20 and the intranet 10.

The second figure is a schematic of the message structure of the tunnel established by this mobile VPN, namely the tunnelled signalling data packet 30 of the MN 1 roaming from the intranet 10 to the external network 20. It contains an original packet 31; in front of the original packet 31 is an internal mobile IP (i-MIP) tunnel message 32 (from the i-HA 11 to the VPN gateway 22); outside the i-MIP tunnel message 32 is an IPsec tunnel message 33 (starting at the VPN gateway 22); and outside the IPsec tunnel message 33 is a further external mobile IP (x-MIP) tunnel message 34 (from the x-HA 21 to the MN 1).

In this known method, however, two problems arise: first, where should the x-HA 21 be placed, and second, can the x-HA be trusted to be secure? Because the known IETF method deploys a fixed (static) x-HA 21 in the external network 20, if the external network 20 contains several subnets, where the x-HA 21 is placed affects the handoff delay between the foreign agent (FA) and the x-HA 21 when roaming between subnets, as well as the end-to-end delay between roaming subnets. Moreover, since the x-HA 21 sits in the external network 20, which the VPN gateway 22 cannot control, can the x-HA 21 be trusted to really comply with the IPsec security standard?

Accordingly, to address these needs and problems of existing mobile VPNs, the inventors of this application, after careful study and application of theory, propose a method and system for dynamically assigning the agent (x-HA) of a mobile VPN, which can dynamically assign a home agent (HA) close to the MN as the x-HA, so that the handoff delay and the end-to-end delay between roaming networks are minimised while security control is fully integrated; it is a reasonable invention that effectively remedies the above shortcomings.

[Summary of the Invention]

The object of the present invention is to provide a method and system for dynamically assigning the agent of a mobile VPN, which can dynamically assign an external home agent close to the mobile node in the external network it is roaming in as the registration agent of the mobile node. While the mobile node roams within the same external network it then only needs to register with that external home agent, without registering again with the internal home agent of the intranet (the IETF method remains possible as well). In this way the handoff delay between agents and the end-to-end delay during roaming are reduced to a minimum, and security control can be fully integrated.
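The layering of the second figure, and the prior-art problem it solves, can be made concrete with a small model. The following is an added example, not code from the patent: node names, the toy HMAC-counter stream cipher standing in for IPsec ESP, and the text header format of each tunnel are all constructed here. `build_packet(False)` is the prior-art case (the IPsec tunnel is the outermost layer the foreign agent sees), `build_packet(True)` adds the x-MIP tunnel 34 on the outside.

```python
import hashlib
import hmac

# Constructed node names for the first/second figure (not the patent's values) and the
# IPsec key that only the tunnel endpoints hold.
I_HA, VPN_GW, X_HA, MN_COA, MN_HOA = "i-HA11", "VPNGW22", "x-HA21", "MN1-CoA", "MN1-HoA"
VPN_KEY = b"constructed-ipsec-key"


def _keystream(key, n):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for IPsec ESP; demo only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def tunnel(tag, src, dst, inner):
    # One encapsulation header "<TAG> <src>-><dst> " placed in front of the inner packet.
    return f"{tag} {src}->{dst} ".encode() + inner


def strip_tunnel(packet):
    # Remove the outermost header and return the inner packet.
    return packet.split(b" ", 2)[2]


def outer_header(packet):
    # What any router on the path can read: (tag, destination) of the outermost header.
    tag, route, _ = packet.split(b" ", 2)
    return tag.decode(), route.decode().split("->")[1]


def ipsec_wrap(key, src, dst, inner):
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, len(inner))))
    return tunnel("IPSEC", src, dst, ct)


def ipsec_unwrap(key, packet):
    tag, _ = outer_header(packet)
    if tag != "IPSEC":
        raise ValueError("not an IPsec packet")
    ct = strip_tunnel(packet)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def build_packet(with_x_mip):
    # Second-figure layering: original packet 31, i-MIP tunnel 32, IPsec tunnel 33,
    # and (only in the x-HA scheme) the x-MIP tunnel 34 on the outside.
    original = tunnel("IP", "CN", MN_HOA, b"payload")
    i_mip = tunnel("I-MIP", I_HA, VPN_GW, original)
    ipsec = ipsec_wrap(VPN_KEY, VPN_GW, X_HA, i_mip)
    return tunnel("X-MIP", X_HA, MN_COA, ipsec) if with_x_mip else ipsec


def foreign_agent_next_hop(packet):
    # The FA holds no IPsec key: it can forward only when the outermost header is readable.
    tag, dst = outer_header(packet)
    return None if tag == "IPSEC" else dst
```

Without the x-MIP layer the foreign agent sees only the IPsec header and ciphertext and cannot determine where to deliver; with it, the plaintext x-MIP header carries the MN's CoA and the IPsec tunnel inside is left untouched, which is exactly why the prior-art scheme needs no change to Mobile IPv4 or IPsec.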

To achieve the above object, the present invention mainly provides a method of dynamically assigning the agent of a mobile VPN, in which a VPN can be established between at least one external network and an intranet. In the method, when a mobile node roams in the external network for the first time, it first sends a registration request message to a local external foreign agent; the external foreign agent sends an authorization confirmation request message to a foreign AAA server, which fills the network access identifier of at least one external home agent into the authorization confirmation request message and forwards it to a home AAA server. After the home AAA server has successfully authenticated the MN, it establishes the security associations among the external home agent, the external foreign agent and the mobile node, and generates a home agent request message which it sends to the external home agent. The external home agent assigns an external home address to the mobile node, sets that external home address and its own address in a home agent answer message, and sends it to the home AAA server. The home AAA server then uses the external home address as the care-of address of the mobile node to register with the internal home agent; once registration is complete, the internal home agent authorizes the home AAA server to send an authorization confirmation answer message to the external foreign agent. Finally, the external foreign agent obtains from the authorization confirmation answer message a registration reply message containing the external home address and the home agent address and forwards it to the mobile node. Thereafter, while roaming in the external network, the mobile node can register with the home agent at that home agent address using the external home address.

The present invention further provides a dynamic external agent assignment system for a mobile VPN, which can establish a VPN between at least one external network and an intranet so that at least one mobile node can roam securely in the external network. The system comprises an internal home agent, at least one external home agent, a VPN gateway, an agent assignment device and at least one external foreign agent. The internal home agent (i-HA) manages the roaming registration of the mobile node within the intranet; the external home agent (x-HA) manages the roaming registration of the mobile node in the external network; the VPN gateway establishes an Internet Protocol Security (IPsec) tunnel between the intranet and the external home agent; the agent assignment device is used to assign an external home agent close to the mobile node for registration; and the external foreign agent lets the mobile node, when it roams into the external network for the first time, register through the external foreign agent with a home AAA server and the internal home agent, so that wherever the mobile node roams in the external network it only needs to register with the nearby external home agent.

[Embodiments]

In order that the examiners may further understand the techniques, means and effects adopted by the present invention to achieve its intended objects, reference is made to the following detailed description and the accompanying drawings, from which the objects, features and characteristics of the invention can be understood in depth and in detail; the drawings are provided for reference and illustration only and are not intended to limit the invention.

Reference is made to the third figure, a schematic of the system architecture of the mobile VPN of the invention. The invention mainly assigns, dynamically, the home agent (HA) in an external network that is closest to a mobile node (MN) 80 as an external home agent (x-HA) 54, so that the MN 80 registers with that x-HA 54 and completes the establishment of the mobile VPN IPsec tunnel.

The invention can use the DHCP server, AAA (Authentication, Authorization and Accounting) server, DNS server or similar already used in the external network domain to dynamically assign the x-HA, selecting the home agent (HA) in the external network that is closest to the MN 80 to be assigned as the x-HA 54. Because that x-HA 54 is closest to the MN 80, the delay between the x-HA 54 and the MN 80 can be kept to a minimum; end-to-end handoff between subnets (inter-subnet) in the external network also becomes faster; and another home agent (HA) in the external network can additionally be used for load balancing.

Nevertheless, the most important issue remains the security mechanism of the x-HA 54, so it is preferable to use the AAA server to assign the x-HA 54. For example, the Diameter Base Protocol (IETF RFC 3588) can be adopted for the AAA server: it can not only assign the x-HA but also establish security associations (hereinafter SA) among the several agents that change as the node roams, and act as a key distribution center (KDC).

The third figure shows an intranet 40 and at least one external network (Internet) 50. The intranet 40 is a protected private network connected to a DHCP server 41 and an interior router 42. The interior router 42 is connected to a demilitarized zone (DMZ) 60, the physical area located behind the Internet-facing firewall and in front of the second-layer firewall that protects the back-end systems and data. The DMZ 60 is in turn connected to a home AAA server (hereinafter AAAH) 61, a VPN gateway 62 and an exterior router 51, and the exterior router 51 connects to the external network (Internet) 50.

The intranet 40 may further contain several subnets 43, each connected to at least one wireless access point (WAP) 44 for wirelessly connecting at least one MN 80. The intranet 40 also contains an i-HA 45 and an internal foreign agent (hereinafter i-FA) 46; as shown in the third figure, the i-HA 45 is connected to the first subnet (Subnet 1), the i-FA 46 to the second subnet (Subnet 2), and the DHCP server 41 to the third subnet (Subnet 3).

The fourth and fifth figures show the registration flow chart and timing diagram for the MN 80 roaming within the intranet 40. When the MN 80 roams within the intranet 40, for example from the first subnet (Subnet 1) to the second subnet (Subnet 2), the i-FA 46 continuously broadcasts an Advertisement & Challenge 100 asking whether any MIP of an MN 80 is roaming in the network (S200). The MN 80 then sends a registration request (hereinafter Reg-Req) message 105 to the i-FA 46 (S205); since the i-FA 46 does not know the MN 80, the i-FA 46 forwards the Reg-Req message 105 to the i-HA 45 for registration (S210).

When registration is complete, the i-HA 45 returns a registration reply (hereinafter Reg-Reply) message 110 to the i-FA 46 (S215). The i-FA 46 now knows the MN 80 and sends a Reg-Reply message 115 to the MN 80 (S220), completing the intranet roaming registration procedure.

Referring again to the third figure, the external network (Internet) 50 is an unprotected public network that may consist of several external networks; the third figure shows a first external network and a second external network. Each external network may in turn contain several subnets and may be connected to a foreign AAA server (hereinafter AAAF) 53, an x-HA 54, an external foreign agent (hereinafter x-FA) 55, a DHCP server 56 and at least one wireless access point (WAP) 57.

The sixth figure and figures 7A and 7B show the registration flow chart and timing diagram for the MN 80 roaming in the external network 50. When the MN 80 roams from the intranet 40 to the external network, the local x-FA 55 continuously broadcasts an Advertisement & Challenge 300 asking whether any MN 80 is roaming in the network (S400), and the MN 80 sends a Reg-Req message 305 to the x-FA 55 (S405).

The Reg-Req message 305 should contain a home address (hereinafter HoA), an HA address, an element that must be authorized by the AAAH 61, the network access identifier (NAI) of the MN, and similar requests.

In the Reg-Req message 305 received by the x-FA 55, both the HoA and the HA address should be set to 0.0.0.0, indicating that the MN 80 wants to obtain an external home address (hereinafter x-HoA) in the external network and wants to learn the address of the local x-HA. The x-FA 55 therefore generates a MIP-Feature-Vector attribute value pair (hereinafter AVP) in whose flags the home address request of the MN 80 (hereinafter Home-Address-Requested) and the home agent request (hereinafter Home-Agent-Requested) are set.

The x-FA 55 then places this MIP-Feature-Vector AVP in an authorization confirmation request (AA-Mobile-Node-Request, hereinafter AMR) message 310, takes the necessary information from the Reg-Req message and adds it to the related AVPs, and sends the AMR message 310 to the local AAAF 53 (S410).

Since the local AAAF 53 trusts the local x-FA 55, it authorizes the AMR message 310, but the AAAF 53 first checks whether the Home-Agent-Requested flag bit in the MIP-Feature-Vector AVP is "1".

If it is "1", the AAAF 53 asks the AAAH 61 to allow an x-HA 54 in the visited external network to be assigned as the home agent (HA) of the MN 80: the AAAF 53 sets a foreign home agent available (hereinafter Foreign-Home-Agent-Available) flag in the MIP-Feature-Vector AVP of the received AMR message 310, fills the network access identifier (NAI) of at least one candidate x-HA 54 into a candidate home agent host (hereinafter MIP-Candidate-Home-Agent-Host) AVP, and then forwards the AMR message 310 to the AAAH 61 (S415).

When the AAAH 61 receives the AMR message 310 from the AAAF 53, it must authorize the Reg-Req message 305 of the MN 80; the AAAH 61 uses the MN-AAA-SPI (Security Parameters Index) carried in the AMR message 310 to determine which security policy the MN 80 uses, such as the encryption algorithm and the long-term shared key.

If the AAAH 61 authorizes successfully, it checks whether both the Home-Agent-Requested flag bit and the Foreign-Home-Agent-Available flag bit in the MIP-Feature-Vector AVP of the AMR message 310 are equal to "1". If so, the MN is requesting dynamic assignment of an x-HA 54 in the visited external network area, and the AAAH 61 establishes security associations (SA) among the x-HA, x-FA and MN in that area (S420): between the x-HA 54 and the x-FA 55, between the MN 80 and the x-HA 54, and between the MN 80 and the x-FA 55.

For this purpose the AAAH 61 generates random key material (Key Materials) of at least 128 bits, generally called Nonces, from which a session key can be computed to secure the security association (SA).

The MIP-Feature-Vector AVP in the AMR message 310 sent by the x-HA 54 and the AAAF 53 also contains several key requests (Key-Requested), including the key request between the MN 80 and the home agent (HA) (hereinafter MN-HA-Key-Requested), the key request between the MN 80 and the foreign agent (FA) (MN-FA-Key-Requested), and the key request between the foreign agent (FA) and the home agent (HA) (FA-HA-Key-Requested).

The session key can be transmitted securely to the x-FA 55 or the x-HA 54 through the AAA servers using the Diameter protocol, because the IPsec standard or the Transport Layer Security (TLS) standard (IETF RFC 2246) is mandated for protecting the communication data between Diameter nodes (servers, clients and agents). The session key is, however, not passed directly to the MN 80, since that would expose the session key on an unprotected network; the MN 80 is given only the key material (Nonces).

The AAAH 61 therefore generates a home agent request (Home-Agent-MIP-Request, hereinafter HAR) message 315, encapsulates the session keys and the Reg-Req message in the related AVPs of the HAR message 315, and transmits it through the AAAF 53 to the candidate x-HA 54 (S425); the AAAF 53 mainly plays the role of a proxy.

The session keys in the HAR message 315 thus comprise the session key between the x-HA 54 and the x-FA 55 (MIP-HA-to-FA-Key) AVP, the key material between the MN 80 and the x-FA 55 (MIP-MN-to-FA-Key) AVP, and the key material between the MN 80 and the x-HA 54 (MIP-MN-to-HA-Key) AVP, all of which are attached to the HAR message 315. The x-HA 54 can therefore obtain from the related AVPs of the HAR message 315 the session key between the x-HA 54 and the x-FA 55, the key material (Nonces) between the MN 80 and the x-FA 55, and the key material (Nonces) between the MN 80 and the x-HA 54.

If the received HAR message 315 does not contain an address of the MN 80 (hereinafter MIP-Mobile-Node-Address) AVP and the Home-Agent-Address-Requested flag bit in the MIP-Feature-Vector AVP is set to "1", the x-HA 54 automatically assigns an x-HoA to the MN 80, sets it in the MIP-Mobile-Node-Address AVP, and automatically sets its own address in the MIP-Home-Agent-Address AVP.

The x-HA 54 then stores the session key between the MN 80 and the x-HA 54, copies the key material (Nonces) into a registration reply (Reg-Reply), and generates a home agent answer (Home-Agent-MIP-Answer, hereinafter HAA) message 320, which is transmitted through the AAAF 53 to the AAAH 61 (S430). The HAA message 320 includes at least a registration reply (hereinafter MIP-Reg-Reply) AVP containing the key material (Nonces), a Result-Code AVP, a MIP-Mobile-Node-Address AVP containing the x-HoA of the MN 80, and a MIP-Home-Agent-Address AVP containing the address of the x-HA 54.

After the AAAH 61 receives the HAA message 320 sent by the x-HA 54 through the AAAF 53, the AAAH 61 obtains the x-HoA of the MN 80 from the MIP-Mobile-Node-Address AVP and the address of the x-HA 54 from the MIP-Home-Agent-Address AVP.

The AAAH 61 then builds a new HAR message 325, fills the x-HoA and the x-HA address into the MIP-Mobile-Node-Address and MIP-Home-Agent-Address AVPs respectively, and sends the HAR message 325 to the i-HA 45 for registration (S435).

When the i-HA 45 receives the HAR message 325, the i-HA 45 obtains the x-HoA from the AVP in the HAR message 325 and registers the obtained x-HoA as the public CoA of the MN 80; once the i-HA 45 has accepted the HAR message 325, it builds a new HAA message 330 and sends it to the AAAH 61 (S440).

Then, after the AAAH 61 receives the HAA message 330 issued by the i-HA 45, the Result-Code AVP in it shows that authorization has succeeded. The AAAH 61 therefore builds an AA-Mobile-Node-Answer (hereafter AMA) message 335 and sends it to the x-FA 55 through the AAAF 53 (S445). The AMA message 335 includes a DIAMETER success Result-Code, the MIP-Home-Agent-Address AVP, the MIP-Mobile-Node-Address AVP and the MIP-Reg-Reply AVP, which are copied from the received HAA message 330.

If the AMA message 335 contains the key material between the MN 80 and the x-FA 55 (MIP-MN-to-FA-Key AVP) and the session key between the x-HA 54 and the x-FA 55 (MIP-HA-to-FA-Key AVP), the x-FA 55 receives from them the nonces between the MN 80 and the x-FA 55 and the session key between the x-FA 55 and the x-HA 54.

When the x-FA 55 receives the AMA message 335 sent by the AAAH 61 and the Result-Code AVP shows that authorization has succeeded, the x-FA 55 obtains a Reg-Reply message 340 from the MIP-Reg-Reply AVP of the AMA message 335 and forwards the Reg-Reply message 340 to the MN 80 (S450). Otherwise the x-FA 55 silently discards the AMA message 335.

Once the MN 80 receives the Reg-Reply message 340, the MN 80 obtains the new x-HoA, the x-HA address and the nonces; the MN 80 then uses the received nonces, the same hash algorithm as the AAAH 61 and the long-term shared key to compute the correct session key. Therefore, once the MN 80 has been authorized by the AAAH 61 and has registered with the x-HA 54 and the i-HA 45 under the Mobile IPv4 security standard, it can use the x-HoA to connect to the VPN gateway and establish an IPsec tunnel 345 between the MN 80 and the VPN gateway (S455), restoring secure communication just as on the internal network.

After the assignment of the x-HA 54 is complete, the security associations (SAs) between the local home agents (HAs) within the external network being roamed are also established. Thereafter the MN 80 can use the MIPv4 standard directly to register with the local x-HA 54 through the x-FA 55 without going through the AAA server; that is, once the MN 80 obtains a new care-of address (CoA) within the external network, it only needs to register with the assigned x-HA 54, just as when roaming within the internal network, and no longer has to register with the i-HA 45.
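As an added example (not the patent's own code), the following Python models the x-HA's handling of the HAR message and the MN's recovery of the session key from the nonces, both described above. The HMAC-SHA256 derivation, the dictionary layout of the AVPs, the 192.0.2.x addresses and the NAI are assumptions; the page says only that the MN uses "the same hash algorithm and the long-term shared key" as the AAAH.

```python
import hashlib
import hmac
import os

DIAMETER_SUCCESS = 2001           # Diameter Result-Code: success
DIAMETER_UNABLE_TO_COMPLY = 5012  # Diameter Result-Code: permanent failure


def derive_session_key(long_term_key: bytes, nonce: bytes, peer: str) -> bytes:
    """Assumed KDF standing in for the unspecified hash algorithm: HMAC-SHA256
    keyed with the MN/AAAH long-term shared key over nonce || peer label."""
    return hmac.new(long_term_key, nonce + peer.encode(), hashlib.sha256).digest()


def aaah_build_har(long_term_key: bytes, reg_req: dict, ha_fa_key: bytes) -> dict:
    """AAAH: generate 128-bit nonces (claim 8), derive the MN-side session keys
    and encapsulate them with the Reg-Req in the HAR AVPs (message 315).
    The MN never receives these keys; it recomputes them from the nonces."""
    nonce_fa, nonce_ha = os.urandom(16), os.urandom(16)
    return {
        "MIP-Reg-Request": reg_req,
        "MIP-Feature-Vector": {"Home-Agent-Address-Requested": True},
        "MIP-HA-to-FA-Key": {"key": ha_fa_key},
        "MIP-MN-to-FA-Key": {"nonce": nonce_fa,
                             "key": derive_session_key(long_term_key, nonce_fa, "FA")},
        "MIP-MN-to-HA-Key": {"nonce": nonce_ha,
                             "key": derive_session_key(long_term_key, nonce_ha, "HA")},
    }


def xha_handle_har(har: dict, xha_address: str, hoa_pool: list, store: dict) -> dict:
    """x-HA: when the HAR carries no MIP-Mobile-Node-Address and the
    Home-Agent-Address-Requested flag is set, assign an x-HoA and put its own
    address in MIP-Home-Agent-Address; keep the MN<->x-HA session key locally,
    copy only the nonces into the Reg-Reply, and return the HAA (message 320)."""
    hoa = har.get("MIP-Mobile-Node-Address")
    flags = har.get("MIP-Feature-Vector", {})
    if hoa is None:
        if not flags.get("Home-Agent-Address-Requested") or not hoa_pool:
            return {"Result-Code": DIAMETER_UNABLE_TO_COMPLY}
        hoa = hoa_pool.pop(0)
    store[hoa] = {"mn_ha_key": har["MIP-MN-to-HA-Key"]["key"],
                  "ha_fa_key": har["MIP-HA-to-FA-Key"]["key"]}
    reg_reply = {
        "home-address": hoa,
        "home-agent": xha_address,
        "nonce-fa": har["MIP-MN-to-FA-Key"]["nonce"],
        "nonce-ha": har["MIP-MN-to-HA-Key"]["nonce"],
    }
    return {
        "Result-Code": DIAMETER_SUCCESS,
        "MIP-Reg-Reply": reg_reply,
        "MIP-Mobile-Node-Address": hoa,
        "MIP-Home-Agent-Address": xha_address,
    }


def xfa_handle_ama(ama: dict):
    """x-FA: forward the Reg-Reply to the MN only on a success Result-Code;
    otherwise silently discard the AMA, as the text describes."""
    if ama.get("Result-Code") != DIAMETER_SUCCESS:
        return None
    return ama["MIP-Reg-Reply"]


def mn_derive_keys(long_term_key: bytes, reg_reply: dict) -> dict:
    """MN: recompute the session keys from the nonces alone, using the shared
    long-term key and the same derivation the AAAH used."""
    return {
        "mn_fa_key": derive_session_key(long_term_key, reg_reply["nonce-fa"], "FA"),
        "mn_ha_key": derive_session_key(long_term_key, reg_reply["nonce-ha"], "HA"),
    }


def reg_reply_carries_key(reg_reply: dict, keys: dict) -> bool:
    """Property the design relies on: no session key travels to the MN."""
    return any(v in keys.values() for v in reg_reply.values() if isinstance(v, bytes))


def run_assignment(long_term_key: bytes) -> dict:
    """Drive the constructed exchange end to end and report what each side sees."""
    store = {}
    har = aaah_build_har(long_term_key, {"nai": "mn@example.test"}, os.urandom(16))
    haa = xha_handle_har(har, "192.0.2.54", ["192.0.2.80"], store)
    # The AAAH copies the reply AVPs from the HAA into the AMA after i-HA registration.
    ama = {k: haa[k] for k in ("Result-Code", "MIP-Reg-Reply",
                               "MIP-Mobile-Node-Address", "MIP-Home-Agent-Address")}
    reg_reply = xfa_handle_ama(ama)
    mn_keys = mn_derive_keys(long_term_key, reg_reply)
    return {
        "hoa": reg_reply["home-address"],
        "x_ha": reg_reply["home-agent"],
        "mn_matches_xha": mn_keys["mn_ha_key"] == store[reg_reply["home-address"]]["mn_ha_key"],
        "mn_matches_aaah_fa": mn_keys["mn_fa_key"] == har["MIP-MN-to-FA-Key"]["key"],
        "key_leaked_to_mn": reg_reply_carries_key(reg_reply, mn_keys),
        "fa_discards_failure": xfa_handle_ama({"Result-Code": DIAMETER_UNABLE_TO_COMPLY}) is None,
    }
```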

Moreover, the IPsec tunnel does not need to be rebuilt within the same external network. The session key, however, has a lifetime; when it expires, a new session key must still be generated through the Diameter-based AAA server. In addition, if the MN 80 moves to yet another external network, it must request registration from a new local x-HA, in which case the whole procedure described above is executed again so that the x-HA is assigned anew and the IPsec tunnel is rebuilt.

In summary, by the technique disclosed above the present invention provides a technique that replaces a static x-HA with a dynamically assigned x-HA, so that both the handoff delay between home agents (HAs) during roaming and the end-to-end delay are significantly reduced. Moreover, the present invention uses Mobile IPv4 to establish the security associations (SAs) between the home agents (HAs) involved in the handoff, so the x-HA can be trusted, and the registrations with the x-HA and the i-HA are completed at the same time. The present invention therefore realizes a mobile VPN system platform that differs markedly from known designs and raises their practical value; it has not appeared in any publication or public use before this application and satisfies the requirements for an invention patent, for which application is hereby made in accordance with the law.

However, the drawings and description disclosed above are merely embodiments of the present invention; those skilled in the art can make various other improvements according to the above description, and such changes still fall within the inventive spirit of the present invention and the scope of the patent claims defined below.

Page 21 1254546 Brief Description of the Drawings

Figure 1 is a schematic diagram of the mobile VPN standard architecture defined by the IETF;
Figure 2 is a schematic diagram of the message structure of the tunnel established by the mobile VPN;
Figure 3 is a schematic diagram of the system architecture of the mobile VPN of the present invention;
Figure 4 is a flowchart of the registration of the MN roaming in the internal network;
Figure 5 is a timing diagram of the MN roaming in the internal network;
Figure 6 is a flowchart of the registration of the MN roaming in the external network;
Figures 7A and 7B are timing diagrams of the MN roaming in the external network.

Description of the main reference numerals

1 mobile node (MN)
11 internal home agent (i-HA)
10 internal network
20 external network
21 external home agent (x-HA)
22 VPN gateway
30 tunnelled signalling data packet
31 original data packet
32 internal Mobile IP tunnel message
33 IPsec tunnel message
34 external Mobile IP tunnel message
80 mobile node (MN)
40 internal network
41 DHCP server
42 internal router
43 subnetwork
44 wireless base station
45 internal home agent (i-HA)
46 internal foreign agent (i-FA)
50 external network
51 external router
53 foreign AAA server (AAAF)
54 external home agent (x-HA)
55 external foreign agent (x-FA)
56 DHCP server
57 wireless base station
60 demilitarized zone (DMZ)
61 home AAA server (AAAH)
62 VPN gateway

Claims (1)

1254546 VI. Claims

1. A dynamic agent assignment method for a mobile VPN, which establishes a virtual private network (VPN) between at least one external network and an internal network so that at least one mobile node (MN) can roam securely in the external network, the method comprising:
when the mobile node roams in the external network for the first time, sending a registration request message to a local external foreign agent, the registration request message containing at least an external home address request and an external home agent address request;
the external foreign agent sending an authorization confirmation request message to a foreign AAA server, so that the foreign AAA server fills the network access identifier (NAI) of at least one candidate external home agent into the authorization confirmation request message and forwards it to a home AAA server;
the home AAA server establishing security associations among the external home agent, the external foreign agent and the mobile node, and generating a home agent request message that is sent to the external home agent;
the external home agent assigning an external home address to the mobile node, setting the external home address and its own address in a home agent answer message, and sending it to the home AAA server;
the home AAA server registering with the internal home agent using the external home address as the care-of address of the mobile node, and after registration is completed, the internal home agent authorizing the home AAA server to send an authorization confirmation answer message to the external foreign agent; and
the external foreign agent obtaining, from the authorization confirmation answer message, a registration reply message containing the external home address and the home agent address and forwarding it to the mobile node, after which, when the mobile node roams in the external network, it can register with the home agent at the external home agent address using the external home address.

2. The dynamic agent assignment method for a mobile VPN of claim 1, wherein the mobile node is a mobile computer equipped with a wireless network device.

3. The dynamic agent assignment method for a mobile VPN of claim 1, further comprising, before the step of the mobile node roaming in the external network for the first time: the external foreign agent sending an Advertisement & Challenge message into the external network to ask whether any mobile node is roaming within the network.

4. The dynamic agent assignment method for a mobile VPN of claim 1, wherein the registration request message further contains authentication information to be authorized by the home AAA server and a network access identifier (NAI) of the mobile node.

5. The dynamic agent assignment method for a mobile VPN of claim 1, wherein the external home address request and the external home agent address request of the registration request message contain an external home address and an external home agent address set to 0.0.0.0.

6. The dynamic agent assignment method for a mobile VPN of claim 1, further comprising, after the step of the mobile node roaming in the external network for the first time: after receiving the registration request message, the external foreign agent generating a MIP-Feature-Vector attribute value pair in which the home address request flag of the mobile node and the home agent request flag are set; and setting the feature vector attribute value pair in the authorization confirmation request message.

7. The dynamic agent assignment method for a mobile VPN of claim 1, further comprising, after the step of the external foreign agent sending the authorization confirmation request message: after receiving the authorization confirmation request transmitted by the foreign AAA server, the home AAA server confirming, through the MN-AAA-Security Parameters Index set in the authorization confirmation request, which security policy the mobile node uses for authentication.

8. The dynamic agent assignment method for a mobile VPN of claim 1, wherein the step of the home AAA server establishing the security associations further comprises: the home AAA server generating random key material of at least 128 bits, from which a session key can be computed to ensure the security of the security associations; and setting the session key in the home agent request message.

9. The dynamic agent assignment method for a mobile VPN of claim 1, wherein in the step of the home AAA server establishing the security associations, the home agent request message is transmitted to the external home agent through the foreign AAA server.

10. The dynamic agent assignment method for a mobile VPN of claim 1, wherein in the step of the home AAA server establishing the security associations, the home agent request message contains the session key between the external home agent and the external foreign agent, the key material between the mobile node and the external foreign agent, and the key material and session key between the mobile node and the external home agent.

11. The dynamic agent assignment method for a mobile VPN of claim 1, wherein in the step of the external home agent assigning an external home address to the mobile node, the home agent answer message is transmitted to the home AAA server through the foreign AAA server.

12. The dynamic agent assignment method for a mobile VPN of claim 1, wherein the step of the external foreign agent forwarding the registration reply message to the mobile node further comprises: the mobile node connecting to a VPN gateway using the external home address, so that an IPsec tunnel is established between the mobile node and the VPN gateway.

13. A dynamic external agent assignment system for a mobile VPN, which establishes a virtual private network (VPN) between at least one external network and an internal network so that at least one mobile node (MN) can roam securely in the external network, the system comprising:
an internal home agent (i-HA), located in the internal network, for managing the roaming registration of the mobile node in the internal network;
at least one external home agent (x-HA), located in the external network, for managing the roaming registration of the mobile node in the external network;
a VPN gateway, which can establish an Internet Protocol security (IPsec) tunnel between the internal network and the external home agent, so that the mobile node remains securely connected to the internal network while roaming in the external network;
at least one agent assignment device, for dynamically assigning any external home agent close to the mobile node to perform the roaming registration of the mobile node; and
an external foreign agent, located in the external network, so that when the mobile node roams in the external network it registers, through the external foreign agent, with the external home agent, the AAA server and the internal home agent to establish the IPsec tunnel with the VPN gateway, after which roaming within the external network only requires registration with the nearest external home agent.

14. The dynamic external agent assignment system for a mobile VPN of claim 13, wherein the external network comprises [illegible in source].

15. The dynamic external agent assignment system for a mobile VPN of claim 13, wherein the internal network comprises a plurality of subnetworks.

16. The dynamic external agent assignment system for a mobile VPN of claim 13, wherein the mobile node is a mobile computer equipped with a wireless network device.

17. The dynamic external agent assignment system for a mobile VPN of claim 13, wherein the VPN gateway and the agent assigner are disposed in a demilitarized zone (DMZ); the DMZ 60 is the physical zone behind the Internet-facing firewall and in front of the second-layer firewall that protects the back-end systems and data.

18. The dynamic external agent assignment system for a mobile VPN of claim 17, wherein the DMZ is connected to the internal network through an internal router and to the external network through an external router.

19. The dynamic external agent assignment system for a mobile VPN of claim 13, wherein the agent assigner can use an AAA server, a DHCP server or a DNS server.

20. The dynamic external agent assignment system for a mobile VPN of claim 19, wherein the agent assigner using the AAA server can not only assign the external home agent but also establish security associations (SAs) among the plurality of agents in the roaming area and act as a key distribution center (KDC).

21. The dynamic external agent assignment system for a mobile VPN of claim 20, wherein the agent assigner is an AAA server using the Diameter base protocol.

22. The dynamic external agent assignment system for a mobile VPN of claim 13, further comprising: at least one internal foreign agent (i-FA), located in at least one subnetwork connected to the internal network, so that when the mobile node roams in the subnetwork it performs roaming registration with the internal home agent through the internal foreign agent.

23. The dynamic external agent assignment system for a mobile VPN of claim 13, further comprising: a wireless access point, located in the external network, for wirelessly connecting the mobile node.
TW93123260A 2004-08-03 2004-08-03 Assignment method and system of home agent in mobile VPN TWI254546B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW93123260A TWI254546B (en) 2004-08-03 2004-08-03 Assignment method and system of home agent in mobile VPN
JP2005110463A JP2006352182A (en) 2004-08-03 2005-04-07 Method and apparatus for dynamically allocating agent of mobile vpn

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW93123260A TWI254546B (en) 2004-08-03 2004-08-03 Assignment method and system of home agent in mobile VPN

Publications (2)

Publication Number Publication Date
TW200607292A TW200607292A (en) 2006-02-16
TWI254546B true TWI254546B (en) 2006-05-01

Family

ID=37587357

Family Applications (1)

Application Number Title Priority Date Filing Date
TW93123260A TWI254546B (en) 2004-08-03 2004-08-03 Assignment method and system of home agent in mobile VPN

Country Status (2)

Country Link
JP (1) JP2006352182A (en)
TW (1) TWI254546B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI394415B (en) * 2007-05-31 2013-04-21 Qualcomm Inc Methods and apparatus for providing pmip key hierarchy in wireless communication networks
TWI448128B (en) * 2006-08-21 2014-08-01 Qualcomm Inc Method and apparatus for interworking authorization of dual stack operation

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100667502B1 (en) * 2005-03-28 2007-01-10 주식회사 케이티프리텔 Method of mobile node's connection to virtual private network using Mobile IP
JP6273903B2 (en) 2013-03-15 2018-02-07 株式会社リコー Information processing system, information processing method, and program


Also Published As

Publication number Publication date
JP2006352182A (en) 2006-12-28
TW200607292A (en) 2006-02-16

Similar Documents

Publication Publication Date Title
US7486951B2 (en) Apparatus of dynamically assigning external home agent for mobile virtual private networks and method for the same
US7805754B2 (en) Communication method and apparatus using IP address of VPN gateway for mobile node in a VPN
RU2440688C2 (en) User profile, policy and distribution of pmip keys in wireless communication network
US8516243B2 (en) Host identity protocol method and apparatus
EP2245799B1 (en) Route optimization in mobile ip networks
JP5238029B2 (en) Method and apparatus for roaming between communication networks
US20060078119A1 (en) Bootstrapping method and system in mobile network using diameter-based protocol
US8289929B2 (en) Method and apparatus for enabling mobility in mobile IP based wireless communication systems
US7477626B2 (en) Apparatus of dynamically assigning external home agent for mobile virtual private networks and method for the same
US20070204150A1 (en) Identification method and apparatus for establising host identity protocol (hip) connections between legacy and hip nodes
JP2009542159A (en) Method for creating a security association in a mobile IP network
WO2008009238A1 (en) A method and system for generating and distributing mobile ip key
JP2013502879A (en) Pre-registration security support in multi-technology interworking
JP5044690B2 (en) Dynamic Foreign Agent-Home Agent Security Association Assignment for IP Mobility System
WO2007004208A1 (en) Transfer of secure communication sessions between wireless networks access points
CN101606404A (en) Mobile management system, local agent and be used for wherein mobile terminal administration method and program thereof
JP4510682B2 (en) Method and apparatus for dynamically assigning mobile VPN agents
CN102638782B (en) Method and system for distributing home agent
Korhonen et al. Diameter proxy mobile IPv6: mobile access gateway and local mobility anchor interaction with diameter server
TWI254546B (en) Assignment method and system of home agent in mobile VPN
Laurent-Maknavicius et al. Inter-domain security for mobile Ipv6
EP2471247B1 (en) Method and network nodes for generating cryptographically generated addresses in mobile IP networks
KR100687721B1 (en) Method for extending of diameter AAA protocol supporting mobile IPv6
EP1638285B1 (en) Apparatus of dynamically assigning external home agent for mobile virtual private networks and method for the same
Chen et al. Fast handoff in mobile virtual private networks

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees