TWI277328B - SSL-based IPv6 tunnel service gateway system and connection method thereof - Google Patents

Info

Publication number
TWI277328B
Authority
TW
Taiwan
Prior art keywords
server
network
channel
channel service
ssl
Prior art date
Application number
TW94139594A
Other languages
Chinese (zh)
Other versions
TW200719650A (en)
Inventor
Shih-Chieh Lin
Original Assignee
Ind Tech Res Inst
Priority date
2005-11-11
Filing date
2005-11-11
Publication date
2007-03-21
Events
2005-11-11 Application filed by Ind Tech Res Inst
2005-11-11 Priority to TW94139594A
Application granted
2007-03-21 Publication of TWI277328B
2007-05-16 Publication of TW200719650A

Abstract

An IPv6 tunnel service gateway system comprises a client located in a first network that uses the IPv4 protocol, an IPv4 SSL-VPN gateway bridging the first network and a second IPv4 network, a tunnel server bridging the second network and a third network that uses the IPv6 protocol, and an IPv6-capable destination node located in the third network. The client connects to the SSL-VPN gateway by the Hypertext Transfer Protocol (HTTP) to establish an SSL-VPN tunnel, establishes an IPv6 tunnel to the tunnel server through the SSL-VPN tunnel, and accesses data on the destination node through the IPv6 tunnel.

Description

1277328 IX. Description of the Invention

[Technical Field]

The present invention relates to a network system, and in particular to an IPv6 tunnel service system protected by SSL encryption.

[Prior Art]

The communication protocol used by today's global Internet is TCP/IP. IP is the network-layer protocol of TCP/IP and its core protocol. The current version of IP is version 4 (IPv4), which has been in use for more than thirty years. An IPv4 address is 32 bits long, so at most 2^32 computers can be connected to the Internet. Over the last decade the rapid growth of the Internet has driven ever larger demand for IP addresses, allocation has become increasingly strict, and various sources indicated that the global IPv4 address pool could be fully allocated in the years following 2005.

IPv6 is the next version of the Internet protocol. It was proposed because the limited address space defined by IPv4 would be exhausted as the Internet grew, and a shortage of addresses would inevitably hinder its further development. To enlarge the address space, IPv6 redefines it: an IPv6 address is 128 bits long, which provides addresses almost without limit. Even by a conservative estimate of the addresses IPv6 can actually assign, more than 1,000 addresses remain available for every square metre of the Earth's surface. Besides solving the address shortage once and for all, the design of IPv6 also addressed problems that are hard to solve in IPv4, chiefly end-to-end IP connectivity, quality of service (QoS), security, multicast, mobility and plug-and-play.

Compared with IPv4, IPv6 has the following characteristics and advantages:
1. A larger address space. IPv4 specifies 32-bit addresses, giving 2^32 addresses; IPv6 specifies 128-bit addresses, giving 2^128.
2. Smaller routing tables. IPv6 address allocation follows the principle of aggregation from the outset, so a router can represent an entire subnet with a single routing-table entry. This greatly shortens routing tables and speeds up packet forwarding.
3. Enhanced support for multicast and flow control, which gives multimedia applications room to develop and provides a good platform for controlling quality of service (QoS).
4. Support for auto-configuration. This improves on and extends DHCP, making networks, especially local area networks, easier and faster to manage.
5. Higher security. On an IPv6 network users can encrypt network-layer data and verify IP messages, which greatly strengthens network security.

IPv6 will therefore become the standard Internet protocol in the near future. During the transition from IPv4 to IPv6, two solutions are commonly used to let IPv4 users reach IPv6 resources without native IPv6 connectivity: building an IPv6 over IPv4 tunnel, or building an IPv6/IPv4 protocol translator.

However, an ordinary IPv6 over IPv4 tunnel server has no authentication capability, and the tunnel endpoints offered on the Internet today have no way to implement charging or security controls. A newer technique, the tunnel broker (RFC 3053), was therefore developed to manage the right to use a tunnel, as shown in Fig. 1.

Management of a tunnel broker system is, however, quite complex, and different tunnel brokers use different client software. The user must first install the client software and configure it by hand before the broker will grant the right to connect to the tunnel server, after which the client connects directly to the tunnel server. The traffic between client, tunnel broker and tunnel server is not encrypted, which is an information-security risk. For the network administrator, user accounts are stored locally on the tunnel broker and cannot be integrated with the existing authentication system, nor can different security management mechanisms and quality-assured services be defined for different user groups. Furthermore, the tunnel broker must stay in constant communication with the tunnel server to exchange information, yet integrating the two is quite difficult; vendors offer appliances that combine broker and tunnel server, but users still face a learning barrier. In addition, once the tunnel between the tunnel server and the user has been established, the user's behaviour can no longer be controlled: as long as the user stays connected, the tunnel server cannot tear the connection down, so there is no defence against denial-of-service attacks. Because the service is inconvenient for the general public and a heavy burden on administrators, tunnel broker services have never reached the general public, the public has had no easy way to reach an IPv6 environment, and the promotion of IPv6 applications has not proceeded smoothly.

To shorten the learning curve for ordinary IPv4 users connecting to IPv6 networks, lighten the burden on administrators and reduce the operating costs of network service providers, a solution different from today's tunnel broker systems must be designed as early as possible before IPv6 applications can be promoted.

[Summary of the Invention]

In view of the above, the present invention provides a tunnel service system comprising: a client located in a first network, the first network using an IPv4 protocol; a first server bridging the first network and a second network that uses the IPv4 protocol; a second server bridging the second network and a third network that uses an IPv6 protocol; and a target node located in the third network and supporting the IPv6 protocol. An SSL-VPN tunnel is established between the client and the first server, an IPv6 tunnel is established between the client and the second server through the SSL-VPN tunnel, and the client accesses the data of the target node through the IPv6 tunnel.

The present invention also provides a tunnel service connection method for a client to access data at a target node through a first server and a second server, comprising: establishing an SSL-VPN tunnel between the client and the first server; establishing an IPv6 tunnel through the SSL-VPN tunnel to connect the client and the second server; and the client accessing the data of the target node through the IPv6 tunnel, wherein the client is located in a first network using an IPv4 protocol, the first server bridges the first network and a second network using the IPv4 protocol, and the second server bridges the second network and a third network using an IPv6 protocol.

[Detailed Description]

To make the above objects, features and advantages of the present invention clearer, a preferred embodiment is described in detail below with reference to the accompanying drawings.

Embodiment: Fig. 2 is an architecture diagram 200 of an IPv6 tunnel service system according to an embodiment of the present invention.

Before the IPv6 tunnel service system of this embodiment is used, the network administrator normally configures it as follows:
1. Create the account, password and group of the client 211 on the IPv4 RADIUS server 227 or the IPv4 AD server 228 coupled to the first server 221, or locally on the SSL-VPN gateway (first server) 221.
2. On the SSL-VPN gateway 221, set the IP subnet and address of the client 211; each group has its own subnet.
3. On the SSL-VPN gateway 221, set the DNS server 222 and routing policy of the client 211; each group has its own DNS server and routing table.

The administrator may further:
1. Edit group policies on the SSL-VPN gateway 221, for example requiring the client 211 to have anti-virus software installed before it may connect.
2. Edit the web pages and group-specific information on the SSL-VPN gateway 221.
3. Set the authentication mechanisms of the SSL-VPN gateway 221 and their order of precedence; in this case the IPv4 RADIUS server 227 takes precedence.
4. Enable the auto-launch function of the SSL-VPN gateway 221, which fully automates tunnel establishment, notifies the client 211 that it is connected to a secure tunnel, and can hide the connection status in the toolbar of the client 211 computer.
5. Set the policy of the firewall 225 coupled between the target node 242 and the client 211 so that only a specific IP subnet may communicate with its own DNS server and its own tunnel server (second server) 241, and only the required ports and protocol types are opened.
6. Configure the IPv6 and IPv4 connections of the tunnel server 241.
7. Enable the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on the tunnel server 241.
8. On each group's DNS server, enter the group's ISATAP A record, which points at the ISATAP-enabled IPv4 interface of that group's tunnel server 241.

The following steps strengthen network management and statistics:
1. Each tunnel server 241 is assigned to the NetFlow collector 229 coupled to the SSL-VPN gateway 221, which collects and analyses IPv6 and IPv4 network behaviour on the tunnel server 241 and stores the results in a database server.
2. SNMP is enabled on the SSL-VPN gateway 221, the firewall 225 and the tunnel server 241 so that the SNMP collector 230 can collect their traffic and system information.
3. Syslog is enabled on the SSL-VPN gateway 221, the firewall 225 and the tunnel server 241 so that their messages are sent to the IPv4 SYSLOG server 226, which stores them in the database server.
4. A web-based network information portal is built to integrate the information collected above.
5. Once configuration is complete, a test account is created to verify that the system operates normally.

It should be noted that the configuration steps above belong to one particular embodiment, are not necessary to practise the invention, and do not limit its scope.

The client 211, located in the first network 212 which uses the IPv4 protocol, then connects by the Hypertext Transfer Protocol (HTTP) to the SSL-VPN gateway (first server) 221 that bridges the first network 212 and the second network 224, which also uses IPv4, and establishes an SSL-VPN tunnel. At the same time the SSL-VPN gateway 221 assigns the client 211 a virtual address in the second network 224, the address of the DNS server 222 and a domain name suffix. The client 211 then uses the DNS server 222 to look up the address of the tunnel server (second server) 241 that bridges the second network 224 and the third network 243, which uses the IPv6 protocol. Through the SSL-VPN tunnel, the client establishes an IPv6 tunnel to the tunnel server 241, which assigns the client 211 a virtual address in the third network 243 and a third-network default gateway address; the client then accesses the data of the IPv6-capable target node 242 in the third network 243 through the IPv6 tunnel. When the client 211 wishes to disconnect from the target node 242, it only needs to stop the application that runs the Hypertext Transfer Protocol.

The present invention uses SSL-VPN technology, replacing the tunnel broker with the combination of an SSL-VPN gateway, a firewall and a DNS server and remedying the shortcomings of the tunnel broker system, so that a user need not change any existing network habits: after opening a web browser and entering an account name and password on a web site, the user obtains an IPv6 address and is connected to the global IPv6 network.

The greatest advantage of the present invention is that the user side can reach an IPv6 network environment without installing any program, and network address translator (NAT) and firewall traversal are supported. Compared with the IPv6 tunnel broker technology in use today, the process of connecting a user to IPv6 is greatly simplified. Because the content of the IPv4 connection is also encrypted by the SSL mechanism, data transmission is more secure, and the system is compatible with the network management systems of today's Internet service providers. It can be integrated into an existing service architecture without buying or developing a new management system for IPv6 tunnel brokers. Access control reuses the control technology of the existing SSL-VPN, so no new access-control system has to be learned. Because the system has an open architecture, any equipment that meets its required specifications can be used, and its operation and maintenance are not tied to a particular vendor. The system has already been integrated into the ITRI (Industrial Technology Research Institute) SSL-VPN service, which has confirmed its feasibility.

Although the present invention has been disclosed above by way of a preferred embodiment, this is not intended to limit its scope. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of protection is defined by the appended claims.

[Brief Description of the Drawings]

Fig. 1 shows the management of tunnel usage rights by a tunnel broker.
Fig. 2 is an architecture diagram of an IPv6 tunnel service system according to an embodiment of the present invention, comprising a client, an SSL-VPN gateway (first server), a tunnel server (second server), a target node, a DNS server, a firewall, an IPv4 SYSLOG server, an IPv4 RADIUS server, an IPv4 AD server, a NetFlow collector and an SNMP collector.

[Reference Numerals]

100, 211: client
101: tunnel broker
102, 241: tunnel server
110: IPv4 network
111: IPv6 network
120: request to establish an IPv6 tunnel
121: response to the tunnel request
122: tunnel broker configures the tunnel server
123: client and tunnel server establish the tunnel
200: architecture of the IPv6 tunnel service system
210, 220: IPv4 protocol
212: IPv4 Internet
221: SSL-VPN gateway (first server)
222: DNS server for the IPv4 intranet
223: DNS server for the IPv6 Internet
224: IPv4 intranet
225: firewall
226: IPv4 SYSLOG server
227: IPv4 RADIUS server
228: IPv4 AD server
229: NetFlow collector
230: SNMP collector
240: IPv6 protocol
242: target node
243: IPv6 Internet
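The per-group address plan, ISATAP DNS record and firewall policy that the embodiment above describes, modelled as an added example; this is not code from the patent or from ITRI. It derives the client's ISATAP address the way RFC 5214 specifies (interface identifier 0000:5efe or 0200:5efe followed by the embedded IPv4 address), resolves the group's ISATAP A record, and checks each step against a least-privilege firewall policy that lets a group's virtual IPv4 pool reach only its own DNS server (UDP/53) and its own tunnel server (IP protocol 41, IPv6-in-IPv4). The group names, address ranges, IPv6 prefixes and DNS suffixes are constructed for illustration; the patent gives none, and the "isatap" label comes from RFC 5214, not from the patent.

```python
"""Added example, not part of patent TWI277328B: a model of the per-group
address plan, ISATAP DNS record and firewall policy of the embodiment.
Every address, prefix, group name and DNS suffix below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

PROTO_IPV6_IN_IPV4 = "41"   # IPv6-in-IPv4 encapsulation (IP protocol number 41)
NO_PORT = 0                 # placeholder for protocols that carry no port


@dataclass(frozen=True)
class Group:
    name: str
    ipv4_pool: str       # virtual IPv4 range the SSL-VPN gateway hands this group
    dns_server: str      # group-specific IPv4 DNS server (holds the ISATAP A record)
    tunnel_server: str   # ISATAP-enabled IPv4 interface of the group's tunnel server
    ipv6_prefix: str     # /64 the tunnel server advertises to this group
    dns_suffix: str      # domain name suffix pushed by the gateway


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    proto: str           # "udp", "tcp" or PROTO_IPV6_IN_IPV4
    port: int            # NO_PORT for port-less protocols


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """RFC 5214 ISATAP address: <prefix>:[0200|0000]:5efe:<ipv4>.
    The u/l word is 0200 only when the embedded IPv4 address is globally unique."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    u_word = 0x0200 if v4.is_global else 0x0000
    iid = (u_word << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def firewall_rules(groups: List[Group]) -> List[Rule]:
    """Least-privilege policy: a group's pool may reach only its own DNS server
    (UDP/53) and its own tunnel server (protocol 41). Everything else is denied."""
    rules = []
    for g in groups:
        pool = ipaddress.IPv4Network(g.ipv4_pool)
        rules.append(Rule(pool, ipaddress.IPv4Address(g.dns_server), "udp", 53))
        rules.append(Rule(pool, ipaddress.IPv4Address(g.tunnel_server),
                          PROTO_IPV6_IN_IPV4, NO_PORT))
    return rules


def permitted(rules: List[Rule], src: str, dst: str, proto: str,
              port: int = NO_PORT) -> bool:
    """Default deny: a packet passes only if some rule matches it exactly."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in r.src and d == r.dst and r.proto == proto and r.port == port
               for r in rules)


def group_dns_zone(g: Group) -> Dict[str, str]:
    """The admin step 'enter the group's ISATAP A record on its DNS server';
    RFC 5214 clients look up the label 'isatap' under their DNS suffix."""
    return {f"isatap.{g.dns_suffix}": g.tunnel_server}


def connect(g: Group, assigned_ipv4: str, rules: List[Rule]) -> ipaddress.IPv6Address:
    """Client side after the SSL-VPN tunnel is up: validate the gateway's
    address assignment, resolve the ISATAP router, form the IPv6 tunnel address."""
    if ipaddress.IPv4Address(assigned_ipv4) not in ipaddress.IPv4Network(g.ipv4_pool):
        raise ValueError(f"{assigned_ipv4} is outside the {g.name} pool")
    if not permitted(rules, assigned_ipv4, g.dns_server, "udp", 53):
        raise PermissionError("firewall blocks DNS to the group's resolver")
    router_v4 = group_dns_zone(g)[f"isatap.{g.dns_suffix}"]
    if not permitted(rules, assigned_ipv4, router_v4, PROTO_IPV6_IN_IPV4):
        raise PermissionError("firewall blocks protocol 41 to the tunnel server")
    return isatap_address(g.ipv6_prefix, assigned_ipv4)


# Constructed sample groups (documentation ranges, not a real deployment).
ENG = Group("eng", "10.1.0.0/24", "10.1.255.53", "10.1.255.41",
            "2001:db8:1::/64", "eng.example")
GUEST = Group("guest", "10.2.0.0/24", "10.2.255.53", "10.2.255.41",
              "2001:db8:2::/64", "guest.example")
RULES = firewall_rules([ENG, GUEST])

if __name__ == "__main__":
    print("eng client :", connect(ENG, "10.1.0.23", RULES))
    print("cross-group:", permitted(RULES, "10.1.0.23", GUEST.tunnel_server,
                                    PROTO_IPV6_IN_IPV4))
```

The point to check in a real deployment is the same one the model checks: the firewall between the SSL-VPN pools and the tunnel servers must pin each pool to its own resolver and tunnel endpoint by protocol (UDP/53 and protocol 41 only), because the SSL tunnel authenticates the user to the gateway but says nothing about which IPv6 prefix that user may then tunnel into.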

Claims (23)

1277328 X. Claims

1. A tunnel service system, comprising:
a client, located in a first network, the first network using an IPv4 protocol;
a first server, bridging the first network and a second network that uses the IPv4 protocol;
a second server, bridging the second network and a third network that uses an IPv6 protocol; and
a target node, located in the third network and supporting the IPv6 protocol,
wherein an SSL-VPN tunnel is established between the client and the first server, an IPv6 tunnel is established between the client and the second server through the SSL-VPN tunnel, and the data of the target node is accessed through the IPv6 tunnel.

2. The tunnel service system of claim 1, wherein the first server is an SSL-VPN gateway using the IPv4 protocol.

3. The tunnel service system of claim 1, wherein the client connects to the first server by a hypertext transfer protocol.

4. The tunnel service system of claim 1, wherein the SSL-VPN tunnel is established after the client has connected to the first server and passed identity authentication.

5. The tunnel service system of claim 1, wherein, after the client has connected to the first server and passed identity authentication, the connection path is set according to the identity of the client.

6. The tunnel service system of claim 1, further comprising a DNS server for the client to query the address of the second server.

7. The tunnel service system of claim 6, wherein the first server, when establishing the SSL-VPN tunnel, assigns a virtual address of the second network, the address of the DNS server and a domain name suffix to the client.

8. The tunnel service system of claim 1, wherein the second server, when establishing the IPv6 tunnel, assigns a virtual address of the third network and a third-network default gateway address to the client.

9. The tunnel service system of claim 7, further comprising a firewall coupled between the target node and the client, for setting the security rules of the client according to the virtual address of the second network.

10. The tunnel service system of claim 1, further comprising an IPv4 SYSLOG server coupled to the first server, providing a central storage and management mechanism for the log files of the basic components, so that the usage of each component can be analysed and tallied.

11. The tunnel service system of claim 1, further comprising an IPv4 RADIUS server coupled to the first server, for performing identity authentication of the client.

12. The tunnel service system of claim 1, further comprising an IPv4 AD server coupled to the first server, for performing identity authentication of the client.

13. The tunnel service system of claim 1, further comprising a NETFLOW collector coupled to the first server, providing an information collection mechanism for network behaviour and traffic statistics analysis of the tunnel service system.

14. The tunnel service system of claim 1, further comprising an SNMP collector coupled to the first server, providing a display mechanism for the load status and traffic graphs of the devices of the tunnel service system.

15. A tunnel service connection method, for a client to access data at a target node through a first server and a second server, comprising:
establishing an SSL-VPN tunnel between the client and the first server;
establishing an IPv6 tunnel through the SSL-VPN tunnel, connecting the client and the second server; and
the client accessing the data of the target node through the IPv6 tunnel,
wherein the client is located in a first network using an IPv4 protocol, the first server bridges the first network and a second network using the IPv4 protocol, and the second server bridges the second network and a third network using an IPv6 protocol.

16. The tunnel service connection method of claim 15, wherein the target node is located in the third network and supports the IPv6 protocol.

17. The tunnel service connection method of claim 15, wherein the first server is an SSL-VPN gateway using the IPv4 protocol.

18. The tunnel service connection method of claim 15, wherein the client connects to the first server by a hypertext transfer protocol.

19. The tunnel service connection method of claim 15, wherein the SSL-VPN tunnel is established after the client has connected to the first server and passed identity authentication.

20. The tunnel service connection method of claim 15, wherein, after the client has connected to the first server and passed identity authentication, the connection path is set according to the identity of the client.

21. The tunnel service connection method of claim 15, further comprising a DNS server for the client to query the address of the second server.

22. The tunnel service connection method of claim 21, wherein the first server, when establishing the SSL-VPN tunnel, assigns a virtual address of the second network, the address of the DNS server and a domain name suffix to the client.

23. The tunnel service connection method of claim 15, wherein the second server, when establishing the IPv6 tunnel, assigns a virtual address of the third network and a third-network default gateway address to the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW94139594A TWI277328B (en) 2005-11-11 2005-11-11 SSL-based IPv6 tunnel service gateway system and connection method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW94139594A TWI277328B (en) 2005-11-11 2005-11-11 SSL-based IPv6 tunnel service gateway system and connection method thereof

Publications (2)

Publication Number Publication Date
TWI277328B true TWI277328B (en) 2007-03-21
TW200719650A TW200719650A (en) 2007-05-16

Family

ID=38646485

Family Applications (1)

Application Number Title Priority Date Filing Date
TW94139594A TWI277328B (en) 2005-11-11 2005-11-11 SSL-based IPv6 tunnel service gateway system and connection method thereof

Country Status (1)

Country Link
TW (1) TWI277328B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI469605B (en) * 2012-09-18 2015-01-11 Hon Hai Prec Ind Co Ltd Network address translation system and method
CN107819757A (en) * 2017-10-31 2018-03-20 下代互联网重大应用技术(北京)工程研究中心有限公司 CERID-based virtual machine domain name and certificate system and generation method
CN107819757B (en) * 2017-10-31 2020-08-18 下一代互联网重大应用技术(北京)工程研究中心有限公司 CERID-based virtual machine domain name and certificate system and generation method

Also Published As

Publication number Publication date
TW200719650A (en) 2007-05-16

Similar Documents

Publication Publication Date Title
DK2241058T3 (en) A method for configuring the ACLS on a network device on the basis of the flow information
US7894359B2 (en) System and method for distributing information in a network environment
Phaal et al. InMon corporation's sFlow: A method for monitoring traffic in switched and routed networks
US7062566B2 (en) System and method for using virtual local area network tags with a virtual private network
TWI334714B (en) Discovery method for network devices
EP1054529A2 (en) Method and apparatus for associating network usage with particular users
US20060059551A1 (en) Dynamic firewall capabilities for wireless access gateways
WO2012100531A1 (en) Method, apparatus and system for forwarding packet
US20060252410A1 (en) System and Method for Monitoring Information in a Network Environment
EP3021537B1 (en) Method, device and system for determining content acquisition path and processing request
WO2014075312A1 (en) Method, device and system for providing network traversing service
CN101902482B (en) Method and system for realizing terminal security admission control based on IPv6 (Internet Protocol Version 6) automatic configuration
US11012418B2 (en) Multi-access interface for internet protocol security
WO2012089039A1 (en) Method and device for providing user information to carried grade network address translation cgn apparatus
WO2004040842A1 (en) Method of data gathering of a user network
Thaler IP Tunnel MIB
TWI277328B (en) SSL-based IPv6 tunnel service gateway system and connection method thereof
Cooper et al. IPv6: business applications and implementation concerns
Jain et al. Performance Comparison Between Different Tunneling Techniques Using Different Routing Protocols
CN106452896A (en) Method and system for realizing virtual special network platform
Gâdescu Benefits of IPv6 in Cloud Computing
Muniyappa Performance Analysis of IPv4 Versus IPv6 in a simple campus network
Barasa Network performance metrics for transition from IPv4 TO IPv6 Networks
TW414879B (en) Address translation system among virtual address networks
Fan et al. Advances in Internet technology IPv6