WO2005125103A1 - A virtual private network system of hybrid site and hybrid backbone network and its realizing method - Google Patents

A virtual private network system of hybrid site and hybrid backbone network and its realizing method

Publication number
WO2005125103A1
Authority
WO
WIPO (PCT)
Prior art keywords
ipv4
ipv6
route
routes
user site
Prior art date
Application number
PCT/CN2005/000869
Other languages
French (fr)
Chinese (zh)
Inventor
Defeng Li
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2005125103A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • The present invention relates to virtual private network technology, and in particular to a virtual private network system of hybrid sites and a hybrid backbone network with Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), and to its implementation method.
  • Background of the invention
  • A virtual private network (Virtual Private Networking, VPN) is a private network established virtually on a public network. It has the same excellent security, reliability, and manageability as a private network.
  • VPN replaces traditional dial-up access, using the public Internet or operator network resources as an extension of the enterprise's private network, saving expensive leased-line fees.
  • VPNs can use tunneling protocols, identity verification and data encryption technologies to ensure the security of communication, and are welcomed by enterprise users.
  • Building VPNs can bring many benefits. For example, by using VPNs, enterprises can save a lot of the expense of daily enterprise communication; they can conduct remote teaching and remote monitoring to achieve unified corporate management; and they can also improve the security of the circulation of internal business information. It is foreseeable that VPN is the inevitable trend of enterprise internal network design, information management, and circulation.
  • the MPLS (Layer 3, L3) VPN model is shown in Figure 1.
  • The model includes three components: a user edge router (Customer Edge Router, CE) located at the edge of the customer premises network, a PE router located at the edge of the backbone network, and a P router inside the backbone network.
  • The CE router is an integral part of the customer premises network and has interfaces directly connected to the operator's backbone network.
  • The CE router does not sense the existence of the VPN and does not need to maintain the entire routing information of the VPN.
  • The PE router is the edge device of the operator network and is directly connected to the user's CE router.
  • In the MPLS network, all processing of the VPN is done on the PE router.
  • The P router is in the operator network and is not directly connected to the CE router.
  • The P router has basic MPLS signaling and forwarding capabilities. Those skilled in the art can understand that CE and PE are divided mainly according to the management scope of operators and users, and CE and PE are the boundaries of the management scope of both.
  • CE routers and PE routers can exchange routing information using routing protocols such as External Border Gateway Protocol (External BGP, EBGP) or an Interior Gateway Protocol (IGP), or can use static routes.
  • The CE does not need to support MPLS and does not need to sense the entire network route of the VPN.
  • The entire network routing of the VPN is outsourced to the operator.
  • PEs exchange the entire network routing information of the VPN through the Multi-Protocol Border Gateway Protocol (MP-BGP).
  • a VPN is composed of multiple user sites (Sites).
  • each site corresponds to a VPN Routing / Forwarding instance (VRF).
  • The interface and management information include a route distinguisher (Route Distinguisher, RD), a route filtering policy, and a list of member interfaces.
  • The site's VRF in a VPN actually integrates the site's VPN membership and routing rules.
  • The system maintains a separate set of routing tables and label forwarding tables for each VRF, and stores message forwarding information in the routing table and label forwarding table of each VRF. This prevents data from leaking out of the VPN and prevents data from outside the VPN from entering it.
  • routing information is transmitted between the CE and the PE through the Interior Gateway Protocol (IGP) or EBGP.
  • the PE obtains the VPN routing table and stores it in a separate VRF.
  • PEs use IGP to ensure normal IP connectivity, and use IBGP to propagate VPN composition information and routes, and update their VRFs. Route exchange between CEs.
  • A new address family, the VPN-IPv4 address, is used.
  • A VPN-IPv4 address has 12 bytes, starting with an 8-byte RD, followed by a 4-byte IPv4 address.
  • The PE uses the RD to identify routing information from different VPNs. Operators can assign RDs independently, but need to use their dedicated AS number as part of the RD to ensure the global uniqueness of each RD.
  • A VPN-IPv4 address with an RD of zero is synonymous with a globally unique IPv4 address.
  • the route received by the PE from the CE is an IPv4 route and needs to be imported into the VRF routing table. At this time, an RD needs to be attached. In a common implementation, set the same RD for all routes from the same user site.
  • the Route Target attribute is used to identify the set of sites that can use a route, that is, which sites can receive the route, and which sites can receive the routes transmitted by the PE router. All PE routers connected to the site specified in the Route Target will receive routes with this attribute. After the PE router receives the route containing this attribute, it adds it to the corresponding routing table.
  • A PE router has two sets of Route Target attributes: one set is attached to routes received from a site, and is called Export Route Targets; the other set is used to determine which routes can be imported into the routing table of this site, and is called Import Route Targets. Membership of the VPN can be obtained by matching the Route Target attribute carried in the route. Matching the Route Target attribute can be used to filter the routing information received by the PE router.
  • Figure 2 is a schematic diagram of filtering received routes by matching the Route Target attribute.
  • VPN packet forwarding uses two layers of labels.
  • The first layer, that is, the outer label, is exchanged inside the backbone network and represents a Label Switched Path (LSP) from the PE to the peer (PEER) PE.
  • VPN packets can use this label to reach the peer PE along the LSP.
  • The second layer, that is, the inner label, indicates which site the packet is destined for, or more specifically, which CE. In this way, the interface that forwards the packet can be found based on the inner label.
  • In order to continue to provide various services in the IPv4 environment during the evolution from IPv4 to IPv6, VPN solutions on IPv6 networks must be studied at the same time. Because IPv6 itself is still in the experimental stage, there is no formal large-scale commercial use, and there is no formal VPN service application under IPv6 networks.
  • Each IPv6 site is connected to at least one PE router on the IPv4 backbone network that is dual-stack and supports MP-BGP, that is, the 6PE router shown in FIG. 3.
  • The 6PE router is called a Double Stack BGP (DS-BGP) router.
  • The DS-BGP router has at least one IPv4 address on the IPv4 side and at least one IPv6 address on the IPv6 side, and the IPv4 address must be routable in the IPv4 network.
  • The ingress DS-BGP router transparently transmits the IPv6 data packet through the MPLS tunnel, that is, the LSP, to the egress DS-BGP router.
  • When advertising its own address as the next hop of the BGP route, the DS-BGP router can use its IPv4 address together with MPLS tunnels or other IPv4 address-based tunnels, such as Generic Route Encapsulation (GRE) protocol tunnels or IP Security Protocol (IPsec) tunnels; it can also use IPv6 addresses and the corresponding tunnels, such as 6to4 tunnels or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels, using the address form these tunnels require.
  • Both user networks and backbone networks may be IPv4 networks or IPv6 networks, or IPv4 / IPv6 mixed networks. This requires that the VPN services under the new generation network can adapt to complex network environments and can be applied to IPv4 networks, IPv6 networks, or mixed IPv4 / IPv6 networks.
  • A main object of the present invention is to provide a virtual private network system with a mixed-site hybrid backbone network, in which sites based on different IP versions can access each other and carry out VPN services through backbone networks of different IP versions.
  • Another main objective of the present invention is to provide a method for implementing a virtual private network of a mixed-site hybrid backbone network, which can enable sites based on different IP versions to access each other and develop VPN services through backbone networks based on different IP versions .
  • the present invention provides a virtual private network system of a hybrid site and hybrid backbone.
  • the system includes a virtual private network user site, a user network edge router CE, a backbone network edge router PE, and a backbone network.
  • the user site accesses the backbone network to transmit data to each other through the CE and the PE, and the virtual private network system includes a user site based on the internetworking protocol version 4 IPv4 and version 6 IPv6;
  • the backbone network includes IPv4 single domain and IPv6 single domain;
  • IPv4 single domain and the IPv6 single domain are connected to each other through an ASBR that supports IPv4 and IPv6 dual protocol stacks.
  • the CE supports an IPv4 protocol stack or an IPv6 protocol stack or an IPv4 and IPv6 dual protocol stack, which stores IPv4 routes and / or IPv6 routes;
  • the PE supports an IPv4 protocol stack or an IPv6 protocol stack or an IPv4 and IPv6 dual protocol stack, which stores IPv4 routes and IPv6 routes;
  • Data is transmitted between the user sites according to the routes stored by the CE and the PE.
  • the CE and the PE connecting the user site and the single domain support the IPv4 and IPv6 dual protocol stacks.
  • The CEs of IPv4 user sites that need to access IPv6 user sites store IPv4 routes and IPv6 routes; the CEs of IPv6 user sites that need to access IPv4 user sites store only IPv6 routes; the CEs of IPv4 user sites that only access IPv4 user sites store only IPv4 routes.
  • IPv4 and IPv6 user sites to form a unified format of IPv4 and IPv6 address information
  • the user site and the backbone network learn and advertise routes, and publish IPv4 routes and IPv6 routes to the PE in the system and the CE connected to the PE;
  • the backbone network distributes inner labels and outer labels
  • the data packet of the user site is encapsulated and forwarded through the backbone network by encapsulating the inner label and the outer label.
  • Between IPv4 user sites, the form "route distinguisher + IPv4 address" is adopted to form an IPv4 address with an address family identifier of 1; between an IPv4 user site and an IPv6 user site, and between IPv6 user sites, the form "route distinguisher + IPv6 address" is adopted to form an IPv6 address with an address family identifier of 2.
  • An IPv4 user site that communicates with an IPv6 user site can map the IPv4 address A.B.C.D to an IPv6 address of the form 0::A:B:C:D, and then combine it with a route distinguisher to form an IPv6 address with an address family identifier of 2.
  • CE advertises the aggregated IPv4 user site or IPv6 user site route to the connected PE;
  • the PE advertises IPv4 routes and IPv6 routes learned from the CE to other PEs and ASBRs in the single domain.
  • The ASBR in another single domain advertises the IPv4 routes and IPv6 routes learned from the source ASBR to the PEs in its own single domain;
  • the PE advertises IPv4 routes and IPv6 routes learned from other PEs and IPv4 routes and IPv6 routes learned from ASBR to the CEs connected to it.
  • the step B2 may further include:
  • The PE router adds the route distinguisher RD, address family identifier AFI, and subsequent address family identifier SAFI to the IPv4 routes and IPv6 routes learned from the CE router, according to the VPN to which each route belongs and the IP version of the route, forming routing information in a unified form that includes the RD, AFI, SAFI, the Route Target community attribute, and the IPv4 address / IPv6 address.
  • the internal border gateway protocol based on the single domain IP version may be used to publish the route of the user site of the CE connected to the PE;
  • step B3 the ASBR publishes a route to another different version of the single-domain ASBR through the IPv6-based multi-protocol external border gateway protocol;
  • step B4 the ASBR publishes the learned route to the peer PE in the domain through the internal border gateway protocol based on the IP version of the single domain.
  • the step B5 may include the following sub-steps:
  • The CE connected to the IPv4 user site and the PE connected to that CE run an IPv6-based routing protocol to learn routes; the PE converts the saved IPv4 user site route from the form A.B.C.D/n to an IPv6 route of the form 0::A:B:C:D/(96+n) and publishes it to the CE through the IPv6 routing protocol;
  • The CE restores the IPv4 route to the form A.B.C.D/n, and saves the route of the IPv6 user site as an IPv6 route.
  • The step B5 may include the following sub-steps:
  • The CE connected to the IPv6 user site and the PE connected to that CE run an IPv6-based routing protocol to learn routes;
  • The CE directly stores the route of the IPv4 user site as an IPv6 route of the form 0::A:B:C:D/(96+n), and saves the route of the IPv6 user site in its original form.
  • For an IPv4 user site that only accesses IPv4 user sites, in step B only an IPv4 routing protocol may be run between the CE connected to the IPv4 user site and the PE connected to that CE; only the IPv4 routes of other IPv4 user sites are learned and saved, and IPv6 routes are discarded.
  • the PE may decide whether to learn and publish to the user site according to the extended target community attribute of the multi-protocol border gateway protocol.
  • In step C, the inner label is allocated by the ingress PE, is used to distinguish different user sites connected by the same ingress PE, and is distributed to the corresponding egress PE along with the route when the route is advertised;
  • The outer label is allocated within a single domain by running a label distribution protocol, resource reservation protocol-traffic engineering, or a constraint-based routing label distribution protocol. Between different single domains, it is allocated by an external border gateway protocol.
  • the step D may include the following sub-steps:
  • the egress PE forwards the data of the Internet Protocol between the egress PE and the destination user site according to the inner label and the routing table stored by the egress PE.
  • the step D2 may include the following sub-steps:
  • the ASBR forwards the data packet to the next adjacent single-domain ASBR according to the outer label allocated between the ASBRs;
  • the ASBR forwards the data packet to the egress PE.
  • the topology relationship between the user sites can be achieved by matching the routing target community attributes.
  • The virtual private network system of the mixed-site hybrid backbone network of the present invention and the implementation method thereof differ from the prior art in that the present invention runs IPv4/IPv6 dual routing tables on CE routers and PE routers, configures IPv4 and IPv6 protocol stacks according to the network connection between CE routers and PE routers, performs VPN addressing and the necessary translation between IPv4 addresses and IPv6 addresses for VPN user sites, then advertises and distributes routes, and uses multi-layer labels to realize data forwarding, so as to realize a VPN in the case of mixed sites and a mixed backbone network.
  • A VPN can be formed while the user network and the backbone network transition from IPv4 to IPv6, so that the VPN solution in the network transition period has greater flexibility, reduces the complexity of network equipment upgrades, makes the transition from IPv4 to IPv6 smoother, and greatly improves the economics and feasibility of network upgrades.
  • FIG. 1 is a schematic diagram of the system composition of MPLS L3 VPN defined by RFC2547bis
  • FIG. 2 is a schematic diagram of filtering received routes by matching Route Target attributes
  • FIG. 3 is a schematic diagram of a system composition for implementing a BGP / MPLS VPN with a 6PE solution
  • FIG. 4 is a schematic diagram of a hybrid site hybrid backbone network VPN system composition according to a preferred embodiment of the present invention .
  • The virtual private network system of the mixed-site hybrid backbone network of the present invention and its implementation method run IPv4/IPv6 dual routing tables on the CE router and the PE router, configure IPv4 and IPv6 protocol stacks based on the network connection between the CE router and the PE router, perform VPN addressing and the necessary IPv4 and IPv6 address translation for VPN user sites, then publish and distribute routes, and implement data forwarding through the use of multi-layer labels. A VPN is thereby achieved in the case of mixed sites and a mixed backbone network.
  • the virtual private network system of the hybrid site hybrid backbone network of the present invention includes a backbone network and a user network.
  • the backbone network is used to advertise VPN routes, establish switching paths, and complete data exchange.
  • the backbone network includes autonomous systems using different address families.
  • the autonomous systems are connected through an autonomous system border router (ASBR) at the edge of the autonomous system.
  • A single domain can be considered as an autonomous system, that is, the backbone network can include one or more IPv4 single domains and one or more IPv6 single domains.
  • The IPv4 single domain and the IPv6 single domain are connected through ASBRs that support the IPv4 and IPv6 dual protocol stacks.
  • each single domain also contains the original P router and PE router.
  • the PE router configures the IPv4 protocol stack or IPv6 protocol stack or the IPv4 and IPv6 dual protocol stacks according to the network connection.
  • the routes published by the backbone network include VPN-IPv4 routes and VPN-IPv6 routes.
  • the routes of user sites connected to PE routers in the autonomous system are first advertised between PEs and ASBRs in the autonomous system, and then ASBRs publish the learned routes to each other through EBGP.
  • the route is then advertised by the ASBR to the peer inside the autonomous system to which it belongs through the IBGP, that is, the PE router, and finally the PE router advertises the route to the CE router.
  • the route advertisement method will be described in detail below.
  • the user network includes a CE router connected to the backbone network and user stations connected to it.
  • the user site includes both an IPv4 site and an IPv6 site, and each user site includes multiple hosts with different addresses.
  • the CE router supports a corresponding protocol stack according to the IP version of the user network and the IP version of the autonomous system connected to the CE router.
  • the PE router supports the corresponding protocol stack according to the IP version of the autonomous system to which it belongs and the IP version of the user site to which it is connected.
  • A CE router connected to an IPv4 site of an IPv4 backbone network, and the corresponding PE router, need only support the IPv4 protocol stack, and a CE connected to an IPv6 site of the IPv6 backbone network, and the corresponding PE, only need to support the IPv6 protocol stack.
  • The CEs of IPv6 sites connected to the IPv4 backbone network, the CEs of IPv4 sites connected to the IPv6 backbone network, and the PE equipment accessing these CEs need to support the IPv4/IPv6 dual protocol stack.
  • IPv4 sites and IPv6 sites in the same VPN may have a mutual access relationship
  • routers in IPv4 sites that need to access IPv6 sites need to save IPv6 routes, that is, these IPv4 sites need to support IPv4-IPv6 mixed address schemes.
  • FIG. 4 is a schematic diagram of a composition of a VPN system for a hybrid site hybrid backbone network according to a preferred embodiment of the present invention.
  • The backbone network in the VPN system shown in FIG. 4 is a dual domain. The system includes: a backbone network including an IPv4 single domain and an IPv6 single domain; PE routers at the edge of the backbone network: PE1 to PE4; P routers inside the backbone network (not shown in Figure 1); CE routers at the edge of the user network: CE1 to CE8; and user sites connected to the PE through the CE. Each user site contains one or more hosts with different addresses.
  • the IPv4 domain and the IPv6 domain are connected to each other through ASBR1 and ASBR2.
  • VPNA includes IPv4 and IPv6 sites: an IPv6 site connected by CE1, an IPv4 site connected by CE4, an IPv6 site connected by CE5, and an IPv4 site connected by CE8.
  • VPNB contains only IPv4 sites: IPv4 sites connected by CE2, IPv4 sites connected by CE3, IPv4 sites connected by CE6, and IPv4 sites connected by CE7.
  • only VPNA and VPNB are taken as examples, and the backbone network includes only one IPv4 domain and one IPv6 domain as an example.
  • the system may include many VPNs, and the backbone network may also include multiple domains.
  • The Address Family Identifier (AFI) field in MP-BGP uses the value 1 assigned to the IPv4 address family by RFC 1700; communication between an IPv4 site and an IPv6 site, and communication between two IPv6 sites, use IPv6 addresses.
  • The AFI field in MP-BGP can then use the value 2 assigned to the IPv6 address family by RFC 1700. It should be noted that when an IPv4 site and an IPv6 site communicate with each other, the IPv4 address A.B.C.D in the IPv4 site is mapped to the corresponding IPv6 address of the form 0::A:B:C:D.
  • IPv4 sites in the VPN are allowed to continue to use private IPv4 addresses, and sites of different VPNs are allowed to use the same private IPv4 address.
  • The IPv4 address A.B.C.D in an IPv4 site communicating with an IPv6 site is mapped into an IPv6 address of the form 0::A:B:C:D, and then combined with the RD to form a VPN-IPv6 address.
  • each CE router aggregates the address of each user site to form a corresponding routing entry. Then, the routing learning and distribution processing of VPN sites, the processing of label distribution, and the processing of VPN data forwarding can be performed. These processes are explained in detail below.
  • the processing of VPN site routing learning and publishing includes the following processes:
  • CE routers distribute the aggregated routes to PE routers connected to them.
  • the CEs of the IPv6 sites connected to the IPv4 backbone network, the CEs of the IPv4 sites connected to the IPv6 backbone network, and the PE devices accessing these CEs all support the IPv4 / IPv6 dual protocol stack. Therefore, the PE here can learn the IPv4 or / and IPv6 routes published by the CE.
  • Step 2 The PE router distributes the IPv4 routes and IPv6 routes learned from the CE router to other PE routers and ASBRs in the autonomous system.
  • According to the VPN and the IP version of the route, RD, AFI, SAFI and other information are added, forming routing information in a unified form that includes the RD, AFI, SAFI, Route Target and the IPv4/IPv6 route.
  • The PE router still uses VRFs to save the routes of different VPNs.
  • In the VRF, IPv4 routes and IPv6 routes are saved separately, by AFI, for each VPN.
  • In the IPv4 network, the PE routers and the ASBR advertise the routes of the VPN user sites connected to the PEs of the IPv4 network through a fully meshed IPv4-based multi-protocol internal border gateway protocol (Multi-Protocol Internal BGP, MP-IBGP) or through a route reflector.
  • The PE routers in the IPv6 network and its ASBR advertise the routes of the VPN sites connected to the PE routers of the IPv6 network through a fully meshed IPv6-based MP-IBGP or through a route reflector.
  • IPv4 routes and IPv6 routes are only carried as transmitted data.
  • Whether IPv4-based MP-IBGP or IPv6-based MP-IBGP is used depends only on the version of the network and has nothing to do with the specific data carried, so either MP-IBGP can transmit the data regardless of whether it is an IPv4 route or an IPv6 route.
  • the ASBR advertises the learned route to the ASBR of another autonomous system.
  • ASBRs between the IPv4 and IPv6 networks publish the corresponding routes to their peers through an IPv6-based Multi-Protocol External Border Gateway Protocol (Multi-Protocol External BGP, MP-EBGP). Since the ASBRs in this embodiment all support the IPv4 and IPv6 dual protocol stacks, no matter whether the two autonomous systems are IPv4 or IPv6, they can advertise routes to each other by running IPv6-based MP-EBGP.
  • the ASBR of another autonomous system advertises the learned route to the PE of the autonomous system.
  • The ASBR runs the MP-IBGP protocol of the autonomous system's IP version, and distributes the learned IPv4 and IPv6 routes to the PEs of the autonomous system.
  • The PE router advertises the routes learned from the ASBR and other PE routers to the CE routers connected to it. After receiving the IPv4 routes and/or IPv6 routes, the CE router saves them.
  • The corresponding IPv4 routes and IPv6 routes are stored in the CE router of an IPv4 site of the VPN, and the CE router is used as a proxy (Proxy) when the VPN site accesses other sites.
  • When route matching is performed, an IPv4 route or an IPv6 route is matched according to whether the destination user site being accessed, as indicated in the Route Target, is an IPv4 user site or an IPv6 user site, respectively.
  • the CE router of the IPv6 user site in the VPN only saves IPv6 routes.
  • Before the PE router connected to an IPv6 site advertises the routes of other IPv4 sites to that site, it needs to convert the IPv4 route A.B.C.D/n to the IPv6 route 0::A:B:C:D/(96+n).
  • For an IPv4 user site that needs to access IPv6 VPN user sites, the CE router and the PE router run an IPv6-based routing protocol to learn both IPv6 routes and IPv4 routes at the same time.
  • The IPv4 route A.B.C.D/n is converted into the IPv6 route 0::A:B:C:D/(96+n), advertised to the CE router through the IPv6 routing protocol, and restored to the IPv4 route A.B.C.D/n in the CE router.
  • The IPv6 routes of other IPv6 user sites are still saved as IPv6 routes in the CE router. The IPv4 route is matched when the IPv4 user site accesses an IPv4 site, and the IPv6 route is matched when it accesses an IPv6 site.
  • For an IPv6 user site that needs to access IPv4 VPN user sites, the CE router and the PE router also run an IPv6-based routing protocol to learn the routes of other sites. The routes of other IPv4 user sites are stored directly as IPv6 routes of the form 0::A:B:C:D/(96+n); the routes of other IPv6 user sites are saved in their original form. It should be noted that in A.B.C.D/n described above, A.B.C.D is the network segment address and n is the mask.
  • The CE also advertises the route to the router at the user site, and the router at the user site stores it.
  • If the user site to which the CE connects does not include a router, then in step 5 the CE stores the routing table of the user site.
  • If IPv4 user sites do not need to access other IPv6 user sites in the topology relationship determined by the Route Target attribute, their CE routers and PE routers need only run IPv4-based routing protocols, learn and save only the IPv4 routes of other IPv4 user sites, and discard IPv6 routes.
  • the PE router decides whether to learn and publish it to the corresponding user site according to the MP-BGP Route Target extended community attribute.
  • When an egress PE router advertises a VPN route to its BGP peer, it carries the corresponding Export Route Target and the inner label assigned by the egress PE to the VPN site.
  • If the BGP peer is not an ASBR, the received VPN route is matched against the Import Route Target configured on the BGP peer. If the match is successful, the route is accepted and published to the user site corresponding to the matching VRF.
  • If the BGP peer is an ASBR between two autonomous systems, the route is sent to the peer ASBR through EBGP.
  • The peer ASBR advertises the route to the IBGP peers in its local domain, and Route Target matching is performed on the IBGP peer to determine whether to accept the route and publish it to the corresponding user site.
  • the process of label distribution may be performed in a manner described below.
  • Different VPN sites connected to the same egress PE are distinguished by the egress PE assigning different inner labels.
  • the inner labels are advertised to the corresponding PE along with the routes when the routes are advertised through MP-BGP.
  • both the IPv4 backbone network and the IPv6 backbone network run a Label Distribution Protocol (LDP) or a Resource Reservation Protocol (RSVP)-Traffic Engineering (TE) / Constrained Routing.
  • This outer label is only used for forwarding between the two ASBRs.
  • how the outer label of the LSP is assigned to the ASBR bidirectional connection through MP-EBGP is described in RFC3107.
  • the data forwarding process includes the following types of forwarding: IP data forwarding between the source user site and the ingress (Ingress) PE router; label data forwarding between the Ingress PE router and the Egress PE router; and Egress PE to IP data forwarding between destination user sites. They are described separately below.
  • the forwarding of IP data packets from the source user site to the ingress PE router follows a normal IP forwarding process.
  • the CE router at the user site stores two types of IPv4 / IPv6 routing tables.
  • when a source user site that needs to access IPv4 / IPv6 destination user sites forwards IP data, it queries the corresponding routing table according to whether the destination user site is an IPv4 site or an IPv6 site, and forwards the data packet to the Ingress PE according to that routing table.
  • the label data forwarding between the Ingress PE router and the Egress PE router requires adding to the packet, on the Ingress PE, the inner label assigned by the Egress PE for the destination site, and then adding the outer label assigned by the label distribution protocol (LDP, RSVP-TE / CR-LDP) in the autonomous domain where the Ingress PE is located.
  • the outer label assigned by MP-EBGP between the ASBR of the system and the local ASBR is forwarded to the ASBR of the next neighboring autonomous system, and then the data packet is forwarded to the egress PE along the LSP in the next neighboring autonomous system.
  • the IP data forwarding from the egress PE to the destination user site requires that the egress PE, after receiving a data packet containing an inner label, determine the destination user site from the inner label and forward the packet to the destination host according to the routing table that corresponds to the types of the source user site and the destination user site. In this step, the IPv4 routing table is queried only when the source user site and the destination user site are both IPv4 sites; in all other cases, the IPv6 routing table is queried.
  • the method in RFC 2547bis can still be used, that is, it is achieved by matching Route Targets.
  • this is exactly the same as the mechanism for advertising and learning routes between PEs, that is, determining whether to learn the routing table based on the topology of the VPN, and implementing the topology of the VPN according to the routing table.

Abstract

A virtual private network system with hybrid sites and a hybrid backbone network, and a method for realizing it, relate to virtual private network technology and enable sites based on different IP versions to access each other and carry VPN services over a backbone network based on different IP versions. The system and method run dual routing tables on the CE routers and PE routers, configure the IPv4 and IPv6 protocol stacks according to how the CE routers and PE routers are connected, advertise and distribute routes after VPN addressing of the VPN user sites and the necessary IPv4/IPv6 address conversion, and transmit data using multiple labels, thereby realizing a VPN with hybrid sites and a hybrid backbone network.

Description

Virtual private network system with hybrid sites and a hybrid backbone network, and method for implementing it
Technical field
The present invention relates to virtual private network technology, and in particular to a virtual private network system with hybrid Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) sites and a hybrid backbone network, and to a method for implementing it.
Background of the invention
A virtual private network (Virtual Private Networking, VPN) is a virtual private network established over a public network, with the same security, reliability and manageability as a private network. VPNs replace traditional dial-up access and use the public Internet or operator network resources as an extension of the enterprise private network, saving the cost of expensive leased lines. VPNs can also use tunneling protocols, authentication and data encryption to secure communication, which has made them popular with enterprise users.
Building a VPN brings an enterprise many benefits. For example, by using a VPN an enterprise can save a large part of its daily communication costs, can carry out remote teaching and remote monitoring to unify enterprise management, and can improve the security of its internal business information flows. It is foreseeable that VPNs are the inevitable trend for enterprise internal network design and for information management and circulation.
At present, deployed VPNs are based on IPv4 networks; that is, the backbone network and the sites that make up the VPN are all in IPv4 networks. As a typical example, Request for Comments (RFC) 2547bis describes in detail how to implement a VPN; refer to RFC 2547bis for details. The basic principle of this scheme is briefly introduced below. The MPLS Layer 3 (L3) VPN model is shown in Figure 1. The model includes three components: the user network edge router (Custom Edge Router, CE) located at the edge of the customer premises network, the backbone network edge router (Provider Edge Router, PE) located at the edge layer of the backbone network, and the backbone network router (Provider Router, P) located at the core layer of the backbone network.
The CE router is part of the customer premises network and has an interface connected directly to the operator's backbone network. The CE router is not aware of the VPN and does not need to maintain the VPN's full routing information. The PE router is the edge device of the operator network and is directly connected to the user's CE router; in an MPLS network, all VPN processing is done on the PE router. The P router sits inside the operator network, is not directly connected to CE routers, and has basic MPLS signaling and forwarding capabilities. Those skilled in the art will understand that the division between CE and PE follows the management scopes of the operator and the user: CE and PE mark the boundary between the two.
CE routers and PE routers can exchange routing information using a routing protocol such as the External Border Gateway Protocol (External BGP, EBGP) or an Interior Gateway Protocol (IGP), or can use static routes. The CE does not need to support MPLS or to be aware of the VPN's network-wide routing, which is outsourced to the operator. PEs exchange the VPN's network-wide routing information with each other through the Multi-Protocol Border Gateway Protocol (MP-BGP).
As shown in Figure 1, a VPN is composed of multiple user sites (Site). On the PE, each site corresponds to a VPN Routing/Forwarding instance (VRF), which mainly includes an Internet Protocol (IP) routing table, a label forwarding table, the set of interfaces that use the label forwarding table, and management information. The interfaces and management information include the route distinguisher (Route Distinguisher, RD), route filtering policies, the member interface list, and so on. As Figure 1 shows, user sites and VPNs are not in a one-to-one relationship: a site can belong to several VPNs at the same time. In a concrete implementation, each site is associated with a separate VRF. A site's VRF in the VPN in effect combines the site's VPN membership and routing rules. The system maintains an independent routing table and label forwarding table for each VRF and stores packet forwarding information in them. This prevents data from leaking out of the VPN and prevents data from outside the VPN from entering.
Routers use the Border Gateway Protocol (BGP) to advertise VPN routes. BGP communication takes place at two levels: Internal BGP (IBGP) is used inside an autonomous system (AS), and EBGP is used between ASs. For example, a PE-PE session is an IBGP session, while a PE-CE session is an EBGP session. The propagation of VPN membership information and routes between PE routers is implemented through Multiprotocol extensions BGP (MBGP). MBGP is backward compatible: it supports the traditional IPv4 address family as well as other address families, such as the VPN-IPv4 address family. The Route Target carried by MBGP ensures that the routes of a particular VPN can be known only to the other members of that VPN, which makes communication between BGP/MPLS VPN members possible. For a detailed description of MBGP, see RFC2283.
In the RFC2547bis standard, routing information is propagated between CE and PE through an Interior Gateway Protocol (IGP) or EBGP; the PE obtains the VPN's routing table and stores it in a separate VRF. PEs use an IGP to ensure ordinary IP connectivity between them, and use IBGP to propagate VPN membership information and routes and to update their respective VRFs. Route exchange between CEs.
When BGP is used to advertise VPN routes, a new address family is used: the VPN-IPv4 address. A VPN-IPv4 address is 12 bytes long, starting with an 8-byte RD followed by a 4-byte IPv4 address. The PE uses the RD to identify routing information from different VPNs. Operators can assign RDs independently, but must use their own dedicated AS number as part of the RD to guarantee that each RD is globally unique. A VPN-IPv4 address whose RD is zero is synonymous with a globally unique IPv4 address. With this scheme, a VPN-IPv4 address remains globally unique even when the 4-byte IPv4 addresses contained in different VPN-IPv4 addresses overlap. The routes a PE receives from a CE are IPv4 routes; they need to be imported into the VRF routing table, and an RD is attached at that point. In a typical implementation, the same RD is set for all routes from the same user site.
In the RFC2547bis standard, the Route Target attribute identifies the set of sites that can use a given route, that is, which sites may receive the route and from which sites the PE router may accept routes. Every PE router connected to a site indicated in the Route Target receives routes carrying this attribute. When a PE router receives a route containing this attribute, it adds the route to the corresponding routing table. A PE router holds two sets of Route Target attributes: one set is attached to routes received from a site and is called the Export Route Targets; the other set determines which routes can be imported into this site's routing table and is called the Import Route Targets. VPN membership is obtained by matching the Route Target attribute carried by a route. Route Target matching can be used to filter the routing information received by a PE router.
Figure 2 is a schematic diagram of filtering received routes by matching the Route Target attribute. When MPLS VPN routing information arrives at a PE router, the route is accepted if the Export Route Targets set and the Import Route Targets set have an item in common, and rejected if they have none.
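The Route Target filtering described above, together with the 12-byte VPN-IPv4 address from the preceding paragraph, as an added Python example (not code from the patent or from any router implementation). The `Vrf` class, AS number 64512, the Route Target strings and the prefixes are constructed for illustration, and the RD is assumed to use the type 0 layout (2-byte type, 2-byte AS number, 4-byte assigned number).

```python
import ipaddress
import struct


def make_rd(asn, assigned):
    """8-byte RD, type 0 layout: 2-byte type, 2-byte AS number, 4-byte value."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4(rd, ipv4):
    """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 address."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    return rd + ipaddress.IPv4Address(ipv4).packed


class Vrf:
    """Hypothetical per-site VRF on a PE: RD, Route Target sets, routing table."""

    def __init__(self, name, rd, export_rts, import_rts):
        self.name = name
        self.rd = rd
        self.export_rts = frozenset(export_rts)
        self.import_rts = frozenset(import_rts)
        self.table = {}  # (VPN-IPv4 address, prefix length) -> next hop

    def export_route(self, prefix, next_hop):
        """Turn an IPv4 route learned from the CE into a VPN-IPv4 advertisement."""
        net = ipaddress.IPv4Network(prefix)
        return {
            "nlri": (vpn_ipv4(self.rd, str(net.network_address)), net.prefixlen),
            "route_targets": self.export_rts,
            "next_hop": next_hop,
        }

    def import_route(self, route):
        """Accept only if the route's Export RTs share an item with our Import RTs."""
        if self.import_rts.isdisjoint(route["route_targets"]):
            return False  # no common Route Target: the route is rejected
        self.table[route["nlri"]] = route["next_hop"]
        return True


def demo():
    # Constructed scenario: customers A and B both number a site 10.1.0.0/16.
    a1 = Vrf("A-site1", make_rd(64512, 1), {"64512:100"}, {"64512:100"})
    b1 = Vrf("B-site1", make_rd(64512, 2), {"64512:200"}, {"64512:200"})
    a2 = Vrf("A-site2", make_rd(64512, 3), {"64512:100"}, {"64512:100"})
    b2 = Vrf("B-site2", make_rd(64512, 4), {"64512:200"}, {"64512:200"})
    adverts = [
        a1.export_route("10.1.0.0/16", "192.0.2.1"),
        b1.export_route("10.1.0.0/16", "192.0.2.1"),
    ]
    # The remote PE offers every advertisement to every local VRF.
    decisions = {
        vrf.name: [vrf.import_route(r) for r in adverts] for vrf in (a2, b2)
    }
    return adverts, decisions, a2, b2


if __name__ == "__main__":
    adverts, decisions, a2, b2 = demo()
    for advert in adverts:
        print(advert["nlri"][0].hex(), "/", advert["nlri"][1])
    print(decisions)
```

The two advertisements carry the same IPv4 bytes but different RDs, so they stay distinct on the backbone, and each VRF ends up holding only the route of its own VPN.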
In the RFC2547bis standard, VPN packet forwarding uses two layers of labels. The first layer, the outer label, is switched inside the backbone network and represents a Label Switched Path (LSP) from a PE to the peer PE; using this label, a VPN packet can travel along the LSP to the peer PE. The second layer, the inner label, is used from the peer PE to the CE: it indicates which site, or more specifically which CE, the packet is destined for. The interface on which to forward the packet can thus be found from the inner label. In the special case where two sites of the same VPN are connected to the same PE, the question of how to reach the peer PE does not arise, and only the question of how to reach the peer CE has to be solved.
With the development of communication network technology, the traditional IPv4 network has revealed a series of shortcomings, including insufficient address space, poor mobility, poor security and complex configuration. The Internet Engineering Task Force (IETF) therefore proposed IPv6 to solve these problems. After several years of development, IPv6 technology has matured, has solved the problems of IPv4 fairly successfully, and has become the standard for the next-generation Internet.
To keep providing the services available in the IPv4 environment during the evolution from IPv4 to IPv6, VPN solutions for IPv6 networks must be studied in parallel. Because IPv6 itself is still at the experimental stage and has not yet seen formal large-scale commercial use, there is no formal VPN service deployed on IPv6 networks.
For implementing a VPN when the backbone network is an IPv4 network and all VPN sites are IPv6 networks, the 6PE technical solution can be used; its network composition is shown in Figure 3. The basic idea of 6PE is that each IPv6 site connects to at least one dual-stack, MP-BGP-capable PE router of the IPv4 backbone network, that is, a 6PE router as shown in Figure 3. The 6PE router is referred to as a Double Stack BGP (DS-BGP) router. A DS-BGP router has at least one IPv4 address on its IPv4 side and at least one IPv6 address on its IPv6 side, and the IPv4 address must be routable in the IPv4 network.
Routing inside an IPv6 site follows a standard IPv6 routing protocol, such as Open Shortest Path First Version 3 (OSPFv3), Information Society Initiatives in Standardization version 6 (ISISv6) or Routing Information Protocol next generation (RIPng). These routes do not need to be advertised into the IPv4 backbone network; they only need to be terminated at the DS-BGP router through BGP4+, but IPv6 Network Layer Reachability Information (NLRI) must be exchanged between DS-BGP routers through MP-BGP4. When the egress DS-BGP router advertises routes to the ingress DS-BGP router, it sets its own address as the next hop of those routes. When forwarding data packets, the ingress DS-BGP router passes IPv6 packets transparently through an MPLS tunnel, that is, an LSP, to the egress DS-BGP router. When a DS-BGP router advertises its own address as the BGP next hop, it can use an IPv4 address together with an MPLS tunnel or another IPv4-based tunnel, such as a Generic Route Encapsulation (GRE) tunnel or an IP Security Protocol (IPsec) tunnel; it can also use an IPv6 address together with a corresponding tunnel, such as a 6to4 tunnel or an Intra-Site Automatic Tunnel Access Protocol (ISATAP) tunnel, using the address format those tunnels require.
However, the transition from IPv4 to IPv6 is gradual. During the transition, IPv4 and IPv6 networks will coexist, and both user networks and backbone networks may be IPv4 networks, IPv6 networks, or mixed IPv4/IPv6 networks. VPN services for the new generation of networks must therefore adapt to complex network environments and work normally on IPv4 networks, IPv6 networks and mixed IPv4/IPv6 networks.
The above solution targets the case where the backbone network is an IPv4 network and all VPN sites are IPv6 sites. The DS-BGP it uses cannot support IPv4 sites, and simply switching to ordinary BGP routers would lose functions such as NLRI exchange. Moreover, in the existing technical solutions VPN route learning and advertisement take place in an IPv4 network and cannot support route learning and advertisement by routers in a hybrid backbone network. Route learning, route advertisement and data forwarding for a VPN over a hybrid backbone network are therefore not supported.
Summary of the invention
In view of this, one main object of the present invention is to provide a virtual private network system with hybrid sites and a hybrid backbone network, in which sites based on different IP versions can access each other and carry VPN services over backbone networks based on different IP versions.
Another main object of the present invention is to provide a method for implementing a virtual private network with hybrid sites and a hybrid backbone network, which enables sites based on different IP versions to access each other and carry VPN services over backbone networks based on different IP versions.
To achieve one aspect of the above object, the present invention provides a virtual private network system with hybrid sites and a hybrid backbone network. The system includes virtual private network user sites, user network edge routers (CE), backbone network edge routers (PE) and a backbone network, and the user sites access the backbone network through the CEs and the PEs to transmit data to each other. The virtual private network system includes user sites based on Internet Protocol version 4 (IPv4) and version 6 (IPv6); the backbone network includes an IPv4 single domain and an IPv6 single domain;
the IPv4 single domain and the IPv6 single domain are connected to each other through autonomous system border routers (ASBR) that support the IPv4 and IPv6 dual protocol stack;
the CE supports the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack, and stores IPv4 routes and/or IPv6 routes;
the PE supports the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack, and stores IPv4 routes and IPv6 routes;
data is transmitted between the user sites according to the routes stored by the CE and the PE.
When the Internet Protocol versions of a user site and a single domain differ, the CE and the PE that connect that user site and that single domain support the IPv4 and IPv6 dual protocol stack.
The CE of an IPv4 user site that needs to access IPv6 user sites stores IPv4 routes and IPv6 routes; the CE of an IPv6 user site that needs to access IPv4 user sites stores only IPv6 routes; the CE of an IPv4 user site that accesses only IPv4 user sites stores only IPv4 routes.
To achieve one aspect of the above object, the present invention provides a method for implementing a virtual private network with hybrid sites and a hybrid backbone network. The method uses the virtual private network system described above, and its process for implementing the virtual private network service includes the following steps:
A. addressing the IPv4 and IPv6 user sites to form IPv4 and IPv6 address information in a unified format;
B. the user sites and the backbone network learn and advertise routes, advertising IPv4 routes and IPv6 routes to the PEs in the system and to the CEs connected to those PEs;
C. the backbone network distributes inner labels and outer labels;
D. data packets of the user sites are encapsulated with the inner label and the outer label according to the routes learned by the CEs and PEs in step B, and forwarded through the backbone network.
Between IPv4 user sites, the form "route distinguisher + IPv4 address" is used, forming an IPv4 address whose address family identifier is 1; between IPv4 user sites and IPv6 user sites, and between IPv6 user sites, the form "route distinguisher + IPv6 address" is used, forming an IPv6 address whose address family identifier is 2.
For an IPv4 user site that communicates with IPv6 user sites, the IPv4 address A.B.C.D can be mapped to an IPv6 address of the form 0::A:B:C:D and then combined with the route distinguisher to form an IPv6 address whose address family identifier is 2.
The method by which the user sites and the backbone network learn and advertise routes in step B may include:
B1. the CE advertises the aggregated routes of the IPv4 user site or IPv6 user site to the PE connected to it;
B2. the PE advertises the IPv4 routes and IPv6 routes learned from the CE to the other PEs and the ASBR in its own single domain;
B3. the ASBR advertises the IPv4 routes and IPv6 routes learned from the PE to the ASBR in the other single domain;
B4. the ASBR in the other single domain advertises the IPv4 routes and IPv6 routes learned from the ASBR of the source single domain to the PEs of its own single domain;
B5. the PE advertises the IPv4 routes and IPv6 routes learned from other PEs and those learned from the ASBR to the CEs connected to it.
Step B2 may further include:
the PE router adds a route distinguisher (RD), an address family identifier (AFI) and a subsequent address family identifier (SAFI) to the IPv4 routes and IPv6 routes learned from the CE router, according to the VPN they belong to and the IP version of the route, forming routing information in a unified form that contains the RD, AFI, SAFI, the Route Target community attribute, and the IPv4 address / IPv6 address.
In step B2, between PE and PE and between PE and ASBR, the routes of the user sites of the CEs connected to the PE may be advertised through an internal border gateway protocol based on the IP version of the single domain;
in step B3, the ASBR advertises routes to the ASBR of the other single domain, which is of a different version, through an IPv6-based multi-protocol external border gateway protocol;
in step B4, the ASBR advertises the learned routes to the peer PEs inside its domain through an internal border gateway protocol based on the IP version of that single domain.
For an IPv4 user site that needs to access IPv6 user sites, step B5 may include the following sub-steps:
B51. an IPv6-based routing protocol is run between the CE connected to the IPv4 user site and the PE connected to that CE to learn routes; the PE converts the stored routes of IPv4 user sites from the form A.B.C.D/n into IPv6 routes of the form 0::A:B:C:D/(96+n) and advertises them to the CE through the IPv6 routing protocol;
B52. after receiving an IPv6 route of the form 0::A:B:C:D/(96+n), the CE restores it to an IPv4 route of the form A.B.C.D/n, and stores the routes of IPv6 user sites as IPv6 routes.
For an IPv6 user site that needs to access IPv4 user sites, step B5 may include the following sub-steps:
B53. an IPv6-based routing protocol is run between the CE connected to the IPv6 user site and the PE connected to that CE to learn routes;
B54. the CE stores the routes of IPv4 user sites directly as IPv6 routes of the form 0::A:B:C:D/(96+n), and stores the routes of IPv6 user sites in their original form.
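The route conversion in sub-steps B51/B52 and the storage rule in B53/B54, as an added Python example (not code from the patent). It assumes that 0::A:B:C:D means the 32 IPv4 bits placed in the low 32 bits of an otherwise all-zero IPv6 address, which is what the /(96+n) prefix length implies; the function names and the sample routes are constructed for illustration.

```python
import ipaddress

V4_EMBED_BITS = 96  # an IPv4 /n becomes an IPv6 /(96+n)


def pe_ipv4_to_ipv6(route):
    """B51, PE side: A.B.C.D/n -> IPv6 route with the IPv4 bits in the low 32 bits."""
    v4 = ipaddress.IPv4Network(route)  # raises ValueError if host bits are set
    return ipaddress.IPv6Network(
        (int(v4.network_address), V4_EMBED_BITS + v4.prefixlen)
    )


def is_converted_ipv4(route):
    """True if the IPv6 route lies inside ::/96, the range B51 maps IPv4 into."""
    return (
        route.prefixlen >= V4_EMBED_BITS
        and int(route.network_address) >> 32 == 0
    )


def ce_restore_ipv4(route):
    """B52, CE side: 0::A:B:C:D/(96+n) -> A.B.C.D/n."""
    if not is_converted_ipv4(route):
        raise ValueError(f"{route} is not a converted IPv4 route")
    return ipaddress.IPv4Network(
        (int(route.network_address) & 0xFFFFFFFF, route.prefixlen - V4_EMBED_BITS)
    )


def ce_store(site_family, advertised):
    """Sort routes received from the PE over the IPv6 routing protocol.

    site_family 4: CE of an IPv4 site that accesses IPv6 sites (B52).
    site_family 6: CE of an IPv6 site that accesses IPv4 sites (B54).
    """
    tables = {"ipv4": [], "ipv6": []}
    for text in advertised:
        route = ipaddress.IPv6Network(text)
        if site_family == 4 and is_converted_ipv4(route):
            tables["ipv4"].append(str(ce_restore_ipv4(route)))
        else:
            # B54 keeps converted IPv4 routes in IPv6 form; real IPv6 routes
            # are stored unchanged in both cases.
            tables["ipv6"].append(str(route))
    return tables


def pe_advertise(ipv4_routes, ipv6_routes):
    """What the PE sends to the CE: converted IPv4 routes plus IPv6 routes."""
    return [str(pe_ipv4_to_ipv6(r)) for r in ipv4_routes] + list(ipv6_routes)


if __name__ == "__main__":
    # Constructed sample routes held by the PE.
    adverts = pe_advertise(["10.1.0.0/16", "192.168.5.0/24"], ["2001:db8:1::/48"])
    print(adverts)
    print(ce_store(4, adverts))
    print(ce_store(6, adverts))
```

Because every prefix inside ::/96 matches the restore rule, `::1/128` would be restored as `0.0.0.1/32`; a CE applying B52 needs an explicit filter for IPv6 prefixes in that range that are not converted IPv4 routes.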
For an IPv4 user site that accesses only IPv4 user sites, in step B the CE connected to that IPv4 user site and the PE connected to that CE may run only an IPv4 routing protocol, learning and storing only the IPv4 routes of other IPv4 user sites and discarding IPv6 routes.
In step B5, after receiving an IPv4 route or an IPv6 route, the PE may decide whether to learn it and advertise it to the user site according to the Route Target extended community attribute of the multi-protocol border gateway protocol.
In step C, the inner label is allocated by the ingress PE and is used to distinguish the different user sites connected to the same ingress PE; when routes are advertised, the inner label is distributed along with the route to the corresponding egress PE;
The outer label is allocated, within a single domain, by running the Label Distribution Protocol, Resource Reservation Protocol-Traffic Engineering, or the Constraint-Routing Label Distribution Protocol; between different single domains, it is allocated by the multi-protocol external border gateway protocol for the connection between the ASBRs. It is used to forward data packets in the backbone network.
Step D may include the following sub-steps:
D1. Forward Internet Protocol data from the source user site to the ingress PE, following the ordinary Internet Protocol forwarding process;
D2. Forward label data from the ingress PE to the egress PE;
D3. The egress PE forwards Internet Protocol data from the egress PE to the destination user site according to the inner label and its stored routing table.
Step D2 may include the following sub-steps:
D21. On the ingress PE, add the inner label of the destination site to the data packet, then add the outer label allocated in the single domain where the ingress PE is located;
D22. Forward the data packet, according to the outer label, to the ASBR of the single domain adjacent to the current single domain;
D23. The ASBR forwards the data packet to the ASBR of the next adjacent single domain according to the outer label allocated between the ASBRs;
D24. The ASBR forwards the data packet to the egress PE.
The topology relationship between the user sites can be implemented by matching the Route Target community attribute.
As can be seen from the above technical solution, the virtual private network system of a hybrid-site, hybrid-backbone network of the present invention and its implementation method differ from the prior art in that the invention runs dual IPv4/IPv6 routing tables on the CE routers and PE routers, configures IPv4 and IPv6 protocol stacks according to the network connections of the CE routers and PE routers, performs VPN addressing and the necessary IPv4/IPv6 address conversion for the VPN user sites before advertising and distributing routes, and forwards data using multi-layer labels, thereby implementing a VPN over hybrid sites and a hybrid backbone network.
Therefore, with the hybrid-site, hybrid-backbone VPN scheme of the present invention, a VPN can be formed while user networks and the backbone network are in transition from IPv4 to IPv6. This gives VPN solutions during the network transition period greater flexibility, reduces the complexity of upgrading network equipment, makes the transition from IPv4 to IPv6 smoother, and greatly improves the economy and feasibility of network upgrades.

Brief description of the drawings

Figure 1 is a schematic diagram of the system composition of the MPLS L3 VPN defined by RFC2547bis;
Figure 2 is a schematic diagram of filtering received routes by matching the Route Target attribute;
Figure 3 is a schematic diagram of the system composition of a BGP/MPLS VPN implemented with the 6PE scheme;
Figure 4 is a schematic diagram of the composition of a hybrid-site, hybrid-backbone VPN system according to a preferred embodiment of the present invention.

Mode of carrying out the invention
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The virtual private network system of a hybrid-site, hybrid-backbone network of the present invention and its implementation method run dual IPv4/IPv6 routing tables on the CE routers and PE routers, configure IPv4 and IPv6 protocol stacks according to the network connections of the CE routers and PE routers, perform VPN addressing and the necessary IPv4/IPv6 address conversion for the VPN user sites before advertising and distributing routes, and forward data using multi-layer labels, thereby implementing a VPN over hybrid sites and a hybrid backbone network.
The virtual private network system of a hybrid-site, hybrid-backbone network of the present invention comprises a backbone network and user networks. The backbone network is used to advertise VPN routes, establish switching paths, and carry out data exchange. The backbone network contains autonomous systems that use different address families; the autonomous systems are connected through Autonomous System Border Routers (ASBRs) located at their edges. A single domain can be regarded as one autonomous system. In other words, the backbone network may contain one or more IPv4 single domains and one or more IPv6 single domains, and an IPv4 single domain and an IPv6 single domain are connected through ASBRs that support the IPv4 and IPv6 dual protocol stack. Besides the ASBRs, each single domain also contains the usual P routers and PE routers, where each PE router is configured with the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack according to its network connections.
In the present invention, the routes advertised by the backbone network include VPN-IPv4 routes and VPN-IPv6 routes. When the backbone network performs route learning to establish VPN switching paths, the routes of the user sites connected to the PE routers of an autonomous system are first advertised between the PEs and ASBRs within that autonomous system. The ASBRs then advertise the learned routes to each other through EBGP. Each ASBR then advertises the learned routes through IBGP to its peers inside the autonomous system to which it belongs, that is, to the PE routers. Finally, the PE routers advertise the routes to the CE routers. The route advertisement method is described in detail below.
A user network contains the CE routers connected to the backbone network and the user sites connected to them. In the present invention there are both IPv4 and IPv6 user sites, and each user site contains multiple hosts with different addresses. A CE router supports the protocol stack that corresponds to the IP version of its user network and the IP version of the autonomous system it connects to. A PE router supports the protocol stack that corresponds to the IP version of the autonomous system it belongs to and the IP version of the user sites it connects to. For example, the CE router of an IPv4 site connected to an IPv4 backbone network and the corresponding PE router only need to support the IPv4 protocol stack; the CE of an IPv6 site connected to an IPv6 backbone network and the corresponding PE only need to support the IPv6 protocol stack; the CE of an IPv6 site connected to an IPv4 backbone network, the CE of an IPv4 site connected to an IPv6 backbone network, and the PE devices that these CEs attach to all need to support the IPv4/IPv6 dual protocol stack. In addition, because IPv4 sites and IPv6 sites in the same VPN may need to access each other, the routers in an IPv4 site that needs to access IPv6 sites must store IPv6 routes; that is, these IPv4 sites need to support a mixed IPv4-IPv6 addressing scheme.
Refer to Figure 4, which is a schematic diagram of the composition of a hybrid-site, hybrid-backbone VPN system according to a preferred embodiment of the present invention. The backbone network of the VPN system shown in Figure 4 is dual-domain. The system comprises: a backbone network containing one IPv4 single domain and one IPv6 single domain; the PE routers at the edge of the backbone network, PE1 to PE4; the P routers inside the backbone network (not shown in Figure 1); the CE routers at the edge of the user networks, CE1 to CE8; and the user sites connected to the PEs through the CEs. Each user site contains one or more hosts with different addresses. In the backbone network, the IPv4 domain and the IPv6 domain are connected to each other through ASBR1 and ASBR2.
The system shown in Figure 4 contains two VPNs, VPNA and VPNB. VPNA contains IPv4 and IPv6 sites: the IPv6 site connected to CE1, the IPv4 site connected to CE4, the IPv6 site connected to CE5, and the IPv4 site connected to CE8. VPNB contains only IPv4 sites: the IPv4 site connected to CE2, the IPv4 site connected to CE3, the IPv4 site connected to CE6, and the IPv4 site connected to CE7. This embodiment uses only VPNA and VPNB as examples, and a backbone network containing only one IPv4 domain and one IPv6 domain; in practice the system may contain many VPNs, and the backbone network may contain multiple domains.
With reference to the VPN system of the embodiment shown in Figure 4, the method of the present invention for implementing a hybrid-site, hybrid-backbone VPN is described in detail below.
First, the user site addressing method of the VPN system of the embodiment shown in Figure 4 is described. The present invention considers only the case in which VPN users communicate by unicast, and requires the hosts within each VPN site to use unicast addresses, that is, only one IPv4 address or one IPv6 address.
Within a VPN, communication between two IPv4 sites still uses IPv4 addresses, and the Address Family Identifier (AFI) field in MP-BGP uses the value 1 that RFC 1700 assigns to the IPv4 address family. Communication between an IPv4 site and an IPv6 site, and between two IPv6 sites, uses IPv6 addresses, and the AFI field in MP-BGP can use the value 2 that RFC 1700 assigns to the IPv6 address family. Note that when an IPv4 site and an IPv6 site communicate with each other, an IPv4 address A.B.C.D in the IPv4 site is mapped to the corresponding IPv6 address of the form 0::A:B:C:D. During MP-BGP route advertisement, to distinguish these routes from the routes of the backbone network, the Subsequent Address Family Identifier (SAFI) field of the VPN address uses 128, which indicates a VPN-IPv4 address or a VPN-IPv6 address.
Because IPv4 sites still exist in the VPN, and considering the shortage of public IPv4 addresses, a preferred embodiment of the present invention allows the IPv4 sites in a VPN to continue using private IPv4 addresses, and allows sites of different VPNs to use the same private IPv4 addresses.
Specifically, because private IPv4 addresses are used in the embodiment shown in Figure 4, the RD concept of RFC 2547bis is retained to guarantee that VPN routes and addresses are unique in the backbone network. Between two IPv4 sites, a VPN-IPv4 address with AFI 1 is formed as RD + (IPv4 address); between an IPv4 site and an IPv6 site, or between two IPv6 sites, a VPN-IPv6 address with AFI 2 is formed as RD + (IPv6 address). Note that an IPv4 address A.B.C.D in an IPv4 site that communicates with an IPv6 site is first mapped to an IPv6 address of the form 0::A:B:C:D and only then combined with the RD to form the VPN-IPv6 address.
Once the addresses of the user sites are determined, each CE router aggregates the addresses of its user sites into the corresponding route entries. The route learning and advertisement for the VPN sites, the label distribution, and the VPN data forwarding can then be carried out. These processes are described in detail below.
Route learning and advertisement for the VPN sites comprises the following processes:
Process 1. The CE router advertises the aggregated routes to the PE router connected to it. In the present invention, the CE of an IPv6 site connected to an IPv4 backbone network, the CE of an IPv4 site connected to an IPv6 backbone network, and the PE devices that these CEs attach to all support the IPv4/IPv6 dual protocol stack. The PE can therefore learn the IPv4 and/or IPv6 routes advertised by the CE.
Process 2. The PE router advertises the IPv4 routes and IPv6 routes learned from the CE router to the other PE routers and the ASBR within the autonomous system.
VPN and route IP version, plus information such as the RD, AFI and SAFI, forms routing information in a unified format that contains the RD, AFI, SAFI, Route Target and the IPv4/IPv6 route.
In this embodiment, the PE router still uses VRFs to store the routes of different VPNs. Within a VRF, IPv4 routes and IPv6 routes are stored separately according to the AFI for each VPN.
For a PE router advertising routes to another PE router: the other PE routers also support the dual protocol stack, so they can receive both IPv4 routes and IPv6 routes.
For a PE router advertising routes to an ASBR: when the autonomous system is an IPv4 network, the routes of the VPN user sites connected to the PEs of that IPv4 network are advertised between the PE routers and the ASBR of the IPv4 network through full-mesh IPv4-based Multi-Protocol Internal BGP (MP-IBGP) or by using a route reflector; when the autonomous system is an IPv6 network, the routes of the VPN sites connected to the PE routers of that IPv6 network are advertised between the PE routers and the ASBR of the IPv6 network through full-mesh IPv6-based MP-IBGP or by using a route reflector.
Although the advertised routes include both IPv4 routes and IPv6 routes, when routes are advertised with MP-IBGP the IPv4 and IPv6 routes are sent only as payload data. Whether IPv4-based or IPv6-based MP-IBGP is used depends only on the version of the network, not on the specific data carried. Therefore either kind of MP-IBGP can carry the data, whether it consists of IPv4 routes or IPv6 routes.
Process 3. The ASBR advertises the learned routes to the ASBR of the other autonomous system. The ASBRs between the IPv4 and IPv6 networks advertise the corresponding routes to their peers through the IPv6-based Multi-Protocol External Border Gateway Protocol (Multi-Protocol External BGP, MP-IBGP). Because the ASBRs of this embodiment all support the IPv4 and IPv6 dual protocol stack, they can advertise routes to each other by running IPv6-based MP-IBGP regardless of whether the two autonomous systems are IPv4 or IPv6.
Process 4. The ASBR of the other autonomous system advertises the learned routes to the PEs of its own autonomous system. The ASBR runs the MP-IBGP protocol of the version used by its autonomous system and advertises the learned IPv4 and IPv6 routes to the PEs of that autonomous system.
Process 5. The PE router advertises the routes learned from the ASBR and from other PE routers to the CE routers connected to it. The CE router stores the IPv4 and/or IPv6 routes it receives.
In the present invention, the CE router of an IPv4 site in the VPN stores the corresponding IPv4 routes and IPv6 routes and acts as the proxy when that VPN site accesses other sites. When matching routes, it matches IPv4 routes or IPv6 routes according to whether the destination user site contained in the Route Target is an IPv4 user site or an IPv6 user site. The CE router of an IPv6 user site in the VPN stores only IPv6 routes; before the PE router that this IPv6 site attaches to advertises the routes of other IPv4 sites to the site, it must first convert each IPv4 route A.B.C.D/n into an IPv6 route 0::A:B:C:D/(96+n).
Specifically, in this embodiment, the CE router and PE router of an IPv4 user site that needs to access IPv6 VPN user sites run an IPv6-based routing protocol to learn IPv6 routes and IPv4 routes at the same time. The IPv4 routes A.B.C.D/n in the VRF of the PE router are converted into IPv6 routes 0::A:B:C:D/(96+n) and advertised to the CE router through the IPv6 routing protocol, and the CE router restores them to IPv4 routes A.B.C.D/n. The IPv6 routes of other IPv6 user sites are still stored in the CE router as IPv6 routes. When this IPv4 user site accesses an IPv4 site, IPv4 routes are matched; when it accesses an IPv6 site, IPv6 routes are matched.
In this embodiment, for an IPv6 user site that needs to access IPv4 VPN user sites, an IPv6-based routing protocol also runs between its CE router and PE router to learn the routes of other sites. The routes of other IPv4 user sites are stored directly as IPv6 routes of the form 0::A:B:C:D/(96+n), and the routes of other IPv6 user sites are stored in their original form. Note that in A.B.C.D/n as used above, A.B.C.D is the network segment address and n is the mask.
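The route conversion of sub-steps B51 to B54 and of the embodiment above, as an added example that is not part of the patent text. It assumes that 0::A:B:C:D means the 32 IPv4 bits placed in the low-order 32 bits of an IPv6 address whose upper 96 bits are zero; the function names, the site labels and the sample VRF routes are constructed for illustration. Leaving `::/128` and `::1/128` as native IPv6 routes is a choice made in this example, because those two routes would otherwise restore to 0.0.0.0/32 and 0.0.0.1/32.

```python
import ipaddress

MAPPED_BITS = 96  # the page's 0::A:B:C:D form: upper 96 bits zero, IPv4 bits last


def v4_route_to_v6(route):
    """PE side (B51): A.B.C.D/n -> 0::A:B:C:D/(96+n)."""
    v4 = ipaddress.IPv4Network(route)  # strict parsing: host bits set -> ValueError
    return ipaddress.IPv6Network((int(v4.network_address), MAPPED_BITS + v4.prefixlen))


def v6_route_to_v4(route):
    """CE side (B52): return the IPv4 route behind a mapped route, else None."""
    v6 = route if isinstance(route, ipaddress.IPv6Network) else ipaddress.IPv6Network(route)
    value = int(v6.network_address)
    if v6.prefixlen < MAPPED_BITS or value >> 32:
        return None  # shorter than /96 or non-zero upper bits: a native IPv6 route
    if v6.prefixlen == 128 and value in (0, 1):
        return None  # ::/128 and ::1/128 stay IPv6 (choice made in this example)
    return ipaddress.IPv4Network((value, v6.prefixlen - MAPPED_BITS))


def pe_advertise_over_ipv6(vrf_routes):
    """What the PE sends to a CE over the IPv6-based routing protocol."""
    advertised = []
    for text in vrf_routes:
        net = ipaddress.ip_network(text)
        advertised.append(v4_route_to_v6(text) if net.version == 4 else net)
    return advertised


def ce_store(received, site_kind):
    """Build the CE routing tables.

    site_kind "ipv4": IPv4 site that also reaches IPv6 sites (B52); mapped
    routes are restored to IPv4, other routes are kept as IPv6.
    site_kind "ipv6": IPv6 site (B54); every route is kept as received.
    """
    table = {"ipv4": [], "ipv6": []}
    for net in received:
        v4 = v6_route_to_v4(net) if site_kind == "ipv4" else None
        if v4 is not None:
            table["ipv4"].append(v4)
        else:
            table["ipv6"].append(net)
    return table


# Constructed sample VRF content: two IPv4 site routes and one IPv6 site route.
VRF_ROUTES = ["10.1.0.0/16", "192.168.4.0/24", "2001:db8:5::/48"]

if __name__ == "__main__":
    adv = pe_advertise_over_ipv6(VRF_ROUTES)
    print("PE advertises:", [str(n) for n in adv])
    print("IPv4 site CE :", ce_store(adv, "ipv4"))
    print("IPv6 site CE :", ce_store(adv, "ipv6"))
```

A CE that restores routes this way treats every route of length /96 or longer inside `::/96` as IPv4, so an operator would want to check that no native IPv6 site route is ever allocated from that range.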
In addition, if the user site connected to the CE contains routers as well as hosts, then in Process 5 the CE also advertises the routes to the routers of the user site, and the routers of the user site store the routing table of that site. If the user site connected to the CE contains no router, then in Process 5 the CE stores the routing table of that user site.
In practice, if some IPv4 user sites do not need to access other IPv6 user sites under the topology relationship determined by the Route Target attribute, only an IPv4-based routing protocol needs to run between their CE routers and PE routers; only the IPv4 routes of other IPv4 user sites are learned and stored, and IPv6 routes are discarded.
During route learning and advertisement, after receiving a VPN route, the PE router decides whether to learn it and advertise it to the corresponding user site according to the Route Target extended community attribute of MP-BGP. In a preferred embodiment of the present invention, when an egress PE router advertises a VPN route to its BGP peer, the route carries the corresponding Export Route Target and the inner label that the egress PE assigned to that VPN site. If the BGP peer is not an ASBR, the received VPN route is matched against the Import Route Target configured on that BGP peer; if the match succeeds, the route is accepted and advertised to the user site of the corresponding VRF. If the BGP peer is an ASBR between two autonomous systems, the route is sent to the peer ASBR through EBGP; the peer ASBR advertises the route to the IBGP peers in its own domain, and Route Target matching is performed on the IBGP peers to decide whether to accept the route and advertise it to the corresponding user site.
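The Route Target matching described above, together with the RD-qualified addresses and the per-AFI VRF tables from the addressing section, as an added example that is not part of the patent text. The class and function names, RD and Route Target strings, labels and prefixes are all constructed, and the sketch models only the accept-or-drop decision on a receiving PE, not the MP-BGP wire format.

```python
import ipaddress
from dataclasses import dataclass, field

AFI_IPV4, AFI_IPV6, SAFI_VPN = 1, 2, 128  # values named on the page


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher (constructed value)
    prefix: str             # site route as advertised
    export_rts: frozenset   # Export Route Targets carried with the route
    inner_label: int        # label the egress PE assigned to the site

    @property
    def afi(self):
        version = ipaddress.ip_network(self.prefix).version
        return AFI_IPV4 if version == 4 else AFI_IPV6

    @property
    def key(self):
        # RD + address keeps overlapping private prefixes of different VPNs apart.
        return (self.rd, self.afi, SAFI_VPN, self.prefix)


@dataclass
class Vrf:
    name: str
    import_rts: frozenset
    # IPv4 and IPv6 routes are kept in separate tables per AFI.
    tables: dict = field(default_factory=lambda: {AFI_IPV4: {}, AFI_IPV6: {}})

    def offer(self, route):
        """Install the route only if an Export RT matches an Import RT."""
        if not (route.export_rts & self.import_rts):
            return False
        self.tables[route.afi][route.prefix] = route
        return True


def pe_receive(route, vrfs):
    """Return the names of the VRFs on this PE that accept the route."""
    return [vrf.name for vrf in vrfs if vrf.offer(route)]


# Constructed sample data: VPNA and VPNB reuse the same private IPv4 prefix.
RT_A, RT_B = "65001:100", "65001:200"
ROUTES = [
    VpnRoute("65001:1", "10.1.0.0/16", frozenset({RT_A}), 1001),
    VpnRoute("65001:2", "10.1.0.0/16", frozenset({RT_B}), 2001),
    VpnRoute("65001:1", "2001:db8:5::/48", frozenset({RT_A}), 1002),
    VpnRoute("65001:9", "10.9.0.0/16", frozenset({"65001:900"}), 9001),
]


def demo():
    vrfs = [Vrf("VPNA", frozenset({RT_A})), Vrf("VPNB", frozenset({RT_B}))]
    accepted = {route.key: pe_receive(route, vrfs) for route in ROUTES}
    return vrfs, accepted


if __name__ == "__main__":
    vrfs, accepted = demo()
    for key, names in accepted.items():
        print(key, "->", names or "dropped")
```

The route whose Export Route Target matches no Import Route Target is installed nowhere, which is the property to audit when reviewing Route Target configuration for unintended sharing between VPNs.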
In this embodiment, label distribution may be carried out as follows.
Different VPN sites connected to the same egress PE are distinguished by the different inner labels that the egress PE assigns; the inner label is distributed to the corresponding PE along with the route when the route is advertised through MP-BGP. For the outer label, both the IPv4 backbone network and the IPv6 backbone network allocate labels by running the Label Distribution Protocol (LDP), or Resource Reservation Protocol (RSVP)-Traffic Engineering (TE) / the Constraint-Routing Label Distribution Protocol (CR-LDP). Between the ASBRs of the two autonomous domains, however, MP-EBGP runs and allocates the outer label of this segment of the LSP for the bidirectional connection between the ASBRs; this outer label is used only for forwarding between these two ASBRs. For how MP-EBGP allocates the outer label of the LSP for the bidirectional ASBR connection, refer to RFC 3107.
In this embodiment, data forwarding comprises the following kinds of forwarding: IP data forwarding from the source user site to the ingress PE router; label data forwarding from the ingress PE router to the egress PE router; and IP data forwarding from the egress PE to the destination user site. Each is described below.
IP packet forwarding from the source user site to the ingress PE router follows the ordinary IP forwarding process. As described above, the CE router of a user site stores both IPv4 and IPv6 routing tables. When a source user site that needs to access IPv4/IPv6 destination user sites forwards IP data, it can look up the routing table that corresponds to whether the destination user site is an IPv4 site or an IPv6 site, and forward the packet to the ingress PE according to that routing table.
For label data forwarding from the ingress PE router to the egress PE router, the ingress PE first adds to the packet the inner label that the egress PE assigned to the site where the destination is located, and then adds the outer label allocated by the label distribution protocol (LDP/RSVP-TE/CR-LDP) of the autonomous domain in which the ingress PE is located. The packet is then forwarded along the LSRs of the LSP, according to the outer label, to the ASBR through which the local autonomous system reaches the next adjacent autonomous system. It is then forwarded to the ASBR of the next adjacent autonomous system according to the outer label allocated by MP-EBGP between that ASBR and the local ASBR, and continues along the LSP in the next adjacent autonomous system to the egress PE.
For IP data forwarding from the egress PE to the destination user site, after receiving a packet containing an inner label, the egress PE determines the destination user site from the inner label and forwards the packet to the destination host according to the routing table that corresponds to the types of the source and destination user sites. In this step, the IPv4 routing table is queried only when both the source user site and the destination user site are IPv4 sites; in all other cases the IPv6 routing table is queried.
It should also be noted that control of the topology relationship between the sites of a VPN, such as full-mesh or partial-mesh topologies, can still use the method of RFC 2547bis, that is, matching the Route Target. This is exactly the same mechanism as the route advertisement and learning between PEs described above: whether a route is learned into the routing table is decided according to the topology relationship of the VPN, and the topology relationship of the VPN is realized through the routing table.
Those skilled in the art will understand that, when the VPN backbone network contains multiple IPv4/IPv6 autonomous systems, the principles described above can be used for address allocation, route learning, packet forwarding and the VPN topology relationship: VPN routes are advertised between a newly added autonomous system and the existing network through MP-BGP running between their ASBRs, and outer labels are allocated to continue the label forwarding in the VPN backbone network.
Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art should understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims

1. A virtual private network system with hybrid sites and a hybrid backbone network, comprising virtual private network user sites, customer edge routers (CE), backbone network provider edge routers (PE), and a backbone network, the user sites accessing the backbone network through the CEs and the PEs to transmit data to each other, characterized in that: the virtual private network system comprises user sites based on Internet Protocol version 4 (IPv4) and version 6 (IPv6); the backbone network comprises an IPv4 single domain and an IPv6 single domain;
the IPv4 single domain and the IPv6 single domain are connected to each other through autonomous system boundary routers (ASBR) that support the IPv4 and IPv6 dual protocol stack;
the CE supports the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack, and stores IPv4 routes and/or IPv6 routes;
the PE supports the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack, and stores IPv4 routes and IPv6 routes;
data is transmitted between the user sites according to the routes stored by the CE and the PE.
2. The virtual private network system according to claim 1, characterized in that: when the Internet Protocol version of the user site differs from that of the single domain, the CE and the PE that connect the user site and the single domain support the IPv4 and IPv6 dual protocol stack.
3. The virtual private network system according to claim 1, characterized in that: the CE of an IPv4 user site that needs to access IPv6 user sites stores IPv4 routes and IPv6 routes;
the CE of an IPv6 user site that needs to access IPv4 user sites stores only IPv6 routes;
the CE of an IPv4 user site that accesses only IPv4 user sites stores only IPv4 routes.
4. A method for implementing a virtual private network with hybrid sites and a hybrid backbone network, characterized in that the virtual private network system of claim 1 is used, and the process of implementing the virtual private network service comprises the following steps:
A. addressing the IPv4 and IPv6 user sites to form IPv4 and IPv6 address information in a unified format;
B. the user sites and the backbone network learn and advertise routes, advertising the IPv4 routes and IPv6 routes to the PEs in the system and to the CEs connected to those PEs;
C. the backbone network distributes inner labels and outer labels;
D. data packets of the user sites are encapsulated with the inner label and the outer label according to the routes learned by the CE and the PE in step B, and are forwarded through the backbone network.
5. The implementation method according to claim 4, characterized in that: between IPv4 user sites, the form "route distinguisher + IPv4 address" is used, forming an IPv4 address whose address family identifier is 1; between IPv4 user sites and IPv6 user sites, and between IPv6 user sites, the form "route distinguisher + IPv6 address" is used, forming an IPv6 address whose address family identifier is 2.
6. The implementation method according to claim 5, characterized in that: an IPv4 user site that communicates with IPv6 user sites maps its IPv4 address A.B.C.D to an IPv6 address of the form 0::A:B:C:D, which is then combined with the route distinguisher to form an IPv6 address whose address family identifier is 2.
7. The implementation method according to claim 4, characterized in that the method by which the user sites and the backbone network learn and advertise routes in step B comprises:
B1. the CE advertises the aggregated IPv4 user site or IPv6 user site routes to the PE connected to it;
B2. the PE advertises the IPv4 routes and IPv6 routes learned from the CE to the other PEs and the ASBR in its own single domain;
B3. the ASBR advertises the IPv4 routes and IPv6 routes learned from the PE to the ASBR in the other single domain;
B4. the ASBR in the other single domain advertises the IPv4 routes and IPv6 routes learned from the ASBR of the source single domain to the PEs in its own single domain;
B5. the PE advertises the IPv4 routes and IPv6 routes learned from other PEs, and the IPv4 routes and IPv6 routes learned from the ASBR, to the CEs connected to it.
8. The implementation method according to claim 7, characterized in that step B2 further comprises:
the PE router adds a route distinguisher (RD), an address family identifier (AFI), and a subsequent address family identifier (SAFI) to the IPv4 routes and IPv6 routes learned from the CE router, according to the VPN they belong to and the IP version of the route, forming routing information in a unified form that comprises the RD, AFI, SAFI, Route Target community attribute, and IPv4 address/IPv6 address.
9. The implementation method according to claim 7, characterized in that:
in step B2, between PEs and between a PE and the ASBR, the routes of the user sites of the CEs connected to the PE are advertised through the internal border gateway protocol based on the IP version of the single domain;
in step B3, the ASBR advertises routes to the ASBR of the other single domain, which is of a different version, through the IPv6-based multiprotocol external border gateway protocol;
in step B4, the ASBR advertises the learned routes to the peer PEs inside its domain through the internal border gateway protocol based on the IP version of that single domain.
10. The implementation method according to claim 7, characterized in that, for an IPv4 user site that needs to access IPv6 user sites, step B5 comprises the following sub-steps:
B51. an IPv6-based routing protocol is run between the CE connected to the IPv4 user site and the PE connected to that CE to learn routes; the PE converts the stored routes of IPv4 user sites from the form A.B.C.D/n into IPv6 routes of the form 0::A:B:C:D/(96+n) and advertises them to the CE through the IPv6 routing protocol;
B52. after receiving an IPv6 route of the form 0::A:B:C:D/(96+n), the CE restores it to an IPv4 route of the form A.B.C.D/n, and stores the routes of IPv6 user sites as IPv6 routes.
11. The implementation method according to claim 7, characterized in that, for an IPv6 user site that needs to access IPv4 user sites, step B5 comprises the following sub-steps:
B53. an IPv6-based routing protocol is run between the CE connected to the IPv6 user site and the PE connected to that CE to learn routes;
B54. the CE stores the routes of IPv4 user sites directly as IPv6 routes of the form 0::A:B:C:D/(96+n), and stores the routes of IPv6 user sites in their original form.
12. The implementation method according to claim 7, characterized in that: for an IPv4 user site that accesses only IPv4 user sites, in step B, only an IPv4 routing protocol is run between the CE connected to the IPv4 user site and the PE connected to that CE, and only the IPv4 routes of other IPv4 user sites are learned and stored, while IPv6 routes are discarded.
13. The implementation method according to claim 7, characterized in that:
in step B5, after receiving an IPv4 route or an IPv6 route, the PE decides, according to the Route Target extended community attribute of the multiprotocol border gateway protocol, whether to learn the route and advertise it to the user site.
14. The implementation method according to claim 4, characterized in that: in step C, the inner label is allocated by the ingress PE and is used to distinguish the different user sites connected to the same ingress PE; when a route is advertised, the inner label is advertised along with the route to the corresponding egress PE;
the outer label is allocated within a single domain by running the Label Distribution Protocol, Resource Reservation Protocol - Traffic Engineering, or Constraint-based Routing Label Distribution Protocol, and is allocated directly between different single domains; it is used to forward data packets in the backbone network.
15. The implementation method according to claim 4, characterized in that step D comprises the following sub-steps:
D1. Internet Protocol data is forwarded from the source user site to the ingress PE following the ordinary Internet Protocol forwarding process;
D2. labelled data is forwarded from the ingress PE to the egress PE;
D3. the egress PE forwards Internet Protocol data from the egress PE to the destination user site according to the inner label and the routing table it stores.
16. The implementation method according to claim 15, characterized in that step D2 comprises the following sub-steps:
D21. on the ingress PE, the inner label of the destination site is added to the data packet, and then the outer label allocated in the single domain where the ingress PE is located is added;
D22. the data packet is forwarded, according to the outer label, to the ASBR of the single domain adjacent to the current single domain;
D23. the ASBR forwards the data packet to the ASBR of the next adjacent single domain according to the outer label allocated between the ASBRs;
D24. the ASBR forwards the data packet to the egress PE.
17. The implementation method according to claim 4, characterized in that: the topology between the user sites is realized by matching the Route Target community attribute.
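
An added example (not part of the patent text): a Python sketch of the route handling in claims 5, 6 and 10 to 13, covering the A.B.C.D/n to 0::A:B:C:D/(96+n) mapping, its inverse on the CE, and Route Target filtering on the PE. It assumes 0::A:B:C:D places the 32 IPv4 bits in the low-order bits of the IPv6 address, as the 96+n prefix length implies; all function and class names, the RD and Route Target values, and the prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

AFI_IPV4, AFI_IPV6 = 1, 2  # address family identifiers from claim 5


def v4_route_to_v6(route):
    """A.B.C.D/n -> 0::A:B:C:D/(96+n); IPv4 bits in the low 32 bits (assumption)."""
    net = ipaddress.IPv4Network(route)  # rejects prefixes with host bits set
    return ipaddress.IPv6Network((int(net.network_address), 96 + net.prefixlen))


def v6_route_to_v4(net):
    """Step B52 inverse; refuses anything outside the mapped ::/96 range."""
    if net.version != 6 or net.prefixlen < 96 or int(net.network_address) >> 32:
        raise ValueError(f"{net} is not a 0::A:B:C:D/(96+n) route")
    return ipaddress.IPv4Network((int(net.network_address), net.prefixlen - 96))


@dataclass(frozen=True)
class VpnRoute:
    rd: str                   # route distinguisher, e.g. "100:1" (constructed)
    afi: int
    prefix: object            # IPv4Network or IPv6Network
    route_targets: frozenset  # Route Target extended communities


def pe_build_route(rd, site_route, vpn_has_ipv6, export_rts):
    """Claims 5 and 6: AFI 1 only for IPv4-to-IPv4; otherwise map and use AFI 2."""
    net = ipaddress.ip_network(site_route)
    if net.version == 4 and vpn_has_ipv6:
        net = v4_route_to_v6(site_route)
    afi = AFI_IPV4 if net.version == 4 else AFI_IPV6
    return VpnRoute(rd, afi, net, frozenset(export_rts))


def pe_import(route, import_rts):
    """Claim 13: learn a route only if it carries one of this VPN's import targets."""
    return bool(route.route_targets & frozenset(import_rts))


def ce_store(route, ce_kind):
    """Prefix a CE keeps, or None if discarded.

    ce_kind: 'v4-only' (claim 12), 'v4-dual' (claim 10), 'v6' (claim 11).
    """
    if ce_kind == "v4-only":
        return route.prefix if route.afi == AFI_IPV4 else None
    if ce_kind == "v4-dual":
        try:
            return v6_route_to_v4(route.prefix)  # restore A.B.C.D/n
        except ValueError:
            return route.prefix                  # native IPv6 (or already IPv4)
    if route.afi == AFI_IPV4:                    # IPv6 CE stores only IPv6 routes
        return v4_route_to_v6(str(route.prefix))
    return route.prefix


# Constructed sample: an IPv4 site and an IPv6 site in one VPN (target 100:10),
# plus a route from an unrelated VPN that must not be learned.
ROUTES = [
    pe_build_route("100:1", "192.0.2.0/24", True, {"100:10"}),
    pe_build_route("100:1", "2001:db8:1::/48", True, {"100:10"}),
    pe_build_route("200:1", "198.51.100.0/24", True, {"200:20"}),
]


def routes_for_ce(ce_kind, import_rts=("100:10",)):
    kept = (ce_store(r, ce_kind) for r in ROUTES if pe_import(r, import_rts))
    return [str(p) for p in kept if p is not None]
```

The third constructed route carries a different Route Target and is never learned, which is the site-to-site separation that claims 13 and 17 depend on.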
PCT/CN2005/000869 2004-06-16 2005-06-16 A virtual private network system of hybrid site and hybrid backbone network and its realizing method WO2005125103A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2004100494741A CN100440844C (en) 2004-06-16 2004-06-16 System and method for realizing virtual special network of hybrid backbond network of hybrid station
CN200410049474.1 2004-06-16

Publications (1)

Publication Number Publication Date
WO2005125103A1 true WO2005125103A1 (en) 2005-12-29

Family

ID=35510100

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/000869 WO2005125103A1 (en) 2004-06-16 2005-06-16 A virtual private network system of hybrid site and hybrid backbone network and its realizing method

Country Status (2)

Country Link
CN (1) CN100440844C (en)
WO (1) WO2005125103A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10623374B2 (en) 2017-06-09 2020-04-14 Microsoft Technology Licensing, Llc Automatic network identification for enhanced communications administration

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043411B (en) * 2006-03-24 2012-05-23 华为技术有限公司 Method and system for realizing mobile VPN service in hybrid network
CN101114971A (en) * 2006-07-27 2008-01-30 华为技术有限公司 Method for implementing virtual private network based on IPv6 address structure
CN101102228B (en) * 2007-08-08 2010-06-02 华为技术有限公司 A method and device for flow statistics
CN101753417B (en) * 2008-12-03 2012-05-23 华为技术有限公司 Method for calculating and determining routing, path calculating unit and system for determining routing
CN101931584A (en) * 2009-06-22 2010-12-29 中兴通讯股份有限公司 Method and system supporting data forwarding among multiple protocol stacks in same system
CN101841481B (en) * 2010-04-30 2015-08-12 中兴通讯股份有限公司 The implementation method of routing transmitting example of virtual private network and device
CN102571523A (en) * 2012-01-19 2012-07-11 福建星网锐捷网络有限公司 Method, device and system for determining configuration information

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010016914A1 (en) * 2000-02-21 2001-08-23 Nec Corporation IP virtual private network constructing method and IP virtual private network
CN1414749A (en) * 2002-08-23 2003-04-30 华为技术有限公司 Three layer virtual private network and its construction method
KR20030089922A (en) * 2002-05-20 2003-11-28 전민희 Online accounting transmit-receive apparatus and method in communication processing system using a virtual private network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1199405C (en) * 2002-07-23 2005-04-27 华为技术有限公司 Enterprise external virtual special network system and method using virtual router structure

Also Published As

Publication number Publication date
CN1710877A (en) 2005-12-21
CN100440844C (en) 2008-12-03

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase