WO2006002598A1 - A VPN system of a hybrid-site hybrid backbone network and an implementing method thereof


Info

Publication number
WO2006002598A1
Authority
WO
WIPO (PCT)
Prior art keywords
ipv4
ipv6
route
domain
site
Application number
PCT/CN2005/000959
Other languages
French (fr)
Chinese (zh)
Inventor
Defeng Li
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/167 Adaptation for transition between two IP versions, e.g. between IPv4 and IPv6

Definitions

  • The present invention relates to virtual private network technology, and in particular to a virtual private network system for a hybrid network of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) sites and backbones, and to its implementing method. Background of the invention
  • A Virtual Private Network (VPN) uses Internet public network or carrier network resources as an extension of the enterprise's private network, saving expensive leased-line charges, while the security of communication over the VPN is guaranteed by tunneling protocols, authentication and data encryption; for this reason it is welcomed by business users.
  • A VPN brings many benefits to enterprises. For example, it can save much of an enterprise's daily communication cost, and distance education and remote monitoring over the VPN allow unified management of the enterprise, with security. It can be foreseen that VPN is an inevitable trend in enterprise internal network design, information management and circulation.
  • The VPNs applied at present are based on IPv4 networks; that is, the backbone networks and sites that make up the VPN are all IPv4 networks.
  • In the solution of RFC 2547bis (RFC: Request for Comments), the VPN device is located on the network side and the carrier provides the VPN service for users; the user equipment does not need to be aware of the VPN and only needs to be connected to the PE provided by the operator.
  • The following is a brief introduction to the basic principles of implementing this solution.
  • the model of Multi-Protocol Label Switching (MPLS) Layer 3 (L3) VPN defined by RFC2547bis is shown in Figure 1.
  • The model consists of three components: a Customer Edge router (CE) at the edge of the customer premises network, a Provider Edge router (PE) at the edge layer of the backbone network, and a Provider router (P) at the core layer of the backbone network.
  • The CE router is an integral part of the customer premises network; its interface is directly connected to the carrier's backbone network. The CE router does not know of the existence of the VPN and does not need to maintain the entire routing information of the VPN.
  • The PE router is the edge device of the carrier network and is directly connected to the user's CE router. In the MPLS network all VPN processing is performed on the PE router.
  • The P router is inside the carrier network, is not directly connected to the CE router, and has basic MPLS signaling and forwarding capabilities.
  • Those skilled in the art will understand that the division between CE and PE mainly follows the management scopes of the operator and the user: CE and PE are the boundary between the two management scopes.
  • External Border Gateway Protocol (EBGP), an Interior Gateway Protocol (IGP) or static routes can be used between the CE router and the PE router.
  • The CE does not need to support MPLS and does not need to perceive the entire network route of the VPN; the network-wide routing of the VPN is outsourced to the operator.
  • The PEs exchange the network-wide routing information of the VPN through the Multi-Protocol Border Gateway Protocol (MP-BGP).
  • The VPN is composed of multiple user sites (Sites). Each site corresponds to a VPN routing/forwarding instance (VRF), which mainly includes an Internet Protocol (IP) routing table, a label forwarding table, a set of interfaces that use the label forwarding table, and management information.
  • The management information includes a route distinguisher (RD), a route filtering policy, a member interface list, and so on.
  • Each site is associated with a separate VRF. The VRF of a site in the VPN actually integrates the VPN membership and routing rules of that site.
  • The system maintains a separate routing table and label forwarding table for each VRF, and stores the packet forwarding information in each VRF's routing table and label forwarding table. This prevents data from leaking out of the VPN and prevents data from outside entering the VPN.
  • The routers use the Border Gateway Protocol (BGP) to advertise VPN routes. BGP communication is performed at two levels: the Internal Border Gateway Protocol (IBGP) is used within an autonomous system (AS), and EBGP is used between ASs.
  • A PE-PE session is an IBGP session, and an IGP or BGP can be used between the PE and the CE.
  • The VPN composition information and route propagation between BGP routers are implemented by the Multiprotocol Extensions for BGP (MP-BGP). MP-BGP is backward compatible: it can support both the traditional IPv4 address family and other address families, such as the VPN-IPv4 address family.
  • The route target carried by MP-BGP ensures that the routes of a specific VPN can only be learned by other members of that VPN, making communication between BGP/MPLS VPN members possible. For details about MP-BGP, see RFC 2283.
  • The CE and the PE exchange routing information through an Interior Gateway Protocol (IGP) or EBGP. The PE obtains the routing table of the VPN and stores it in a separate VRF.
  • Each PE uses an IGP to ensure normal IP connectivity, and IBGP is used to propagate VPN composition information and routes and to complete the VRF updates.
  • The PE then updates the routing table of the CE through the routing exchange with its directly connected CE, thereby completing the routing exchange between the CEs.
  • A VPN-IPv4 address has 12 bytes, starting with an 8-byte RD, followed by a 4-byte IPv4 address.
  • The PE uses the RD to distinguish routing information from different VPNs. Operators can allocate RDs independently, but they need to use their dedicated AS number as part of the RD to guarantee the global uniqueness of each RD.
  • A VPN-IPv4 address with a zero RD is synonymous with a globally unique IPv4 address.
  • The VPN-IPv4 address can remain globally unique even if the 4-byte IPv4 addresses contained in VPN-IPv4 addresses overlap.
  • The route that the PE receives from the CE is an IPv4 route and needs to be imported into the VRF routing table; for this an RD is required. In a typical implementation, the same RD is set for all routes from the same user site.
  • The Route Target attribute is used to identify the set of sites that can use a route: that is, which sites can receive the routes advertised by a site, and which PE routers can receive the routes transmitted by that site.
  • A PE router connected to a site specified in the Route Target will receive a route carrying this attribute. After receiving the route containing this attribute, the PE router adds it to the corresponding routing table.
  • A PE router has two sets of Route Target attributes: one set is attached to the routes received from a certain site, called the Export Route Targets; the other set, the Import Route Targets, is used to determine which routes can be imported into the routing table of the site. The VPN membership can be obtained from the Route Target attribute carried in the route.
  • Matching the Route Target attribute can be used to filter the routing information received by the PE router. Figure 2 is a schematic diagram of filtering received routes by matching the Route Target attribute.
  • When MPLS VPN routing information enters the PE router, if the route's Export Route Targets set has an item in common with the VRF's Import Route Targets set, the route is accepted. If the Export Route Targets set has no item in common with the Import Route Targets set, the route is rejected.
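As an added illustration (not code from the patent), the following Python builds the 12-byte VPN-IPv4 address described above and applies the Export/Import Route Target match to decide which VRFs accept a route received over MP-BGP. The RD layout (type 0: 2-byte AS number followed by a 4-byte assigned number), the sample AS number 65000, the prefixes and the RT values are constructed here; the second scenario goes one step beyond the text by showing that the same matching rule yields a hub-and-spoke topology when Import and Export sets are chosen asymmetrically.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class RouteDistinguisher:
    """Constructed type-0 RD: 2-byte type, 2-byte AS number, 4-byte assigned number (8 bytes)."""
    asn: int
    number: int

    def to_bytes(self) -> bytes:
        return struct.pack("!HHI", 0, self.asn, self.number)


def vpn_ipv4_address(rd: RouteDistinguisher, ipv4: str) -> bytes:
    """12-byte VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 address."""
    return rd.to_bytes() + ipaddress.IPv4Address(ipv4).packed


@dataclass(frozen=True)
class VpnRoute:
    prefix: str                    # IPv4 prefix originally learned from a CE
    rd: RouteDistinguisher         # RD of the originating site
    export_rts: FrozenSet[str]     # Export Route Targets attached by the originating PE


@dataclass
class Vrf:
    name: str
    import_rts: FrozenSet[str]     # Import Route Targets configured for this site
    routes: List[VpnRoute] = field(default_factory=list)

    def accept(self, route: VpnRoute) -> bool:
        """Accept only if the route's Export RTs share at least one member with our Import RTs."""
        if self.import_rts & route.export_rts:
            self.routes.append(route)
            return True
        return False


def distribute(vrfs: List[Vrf], routes: List[VpnRoute]) -> Dict[str, List[Tuple[int, str]]]:
    """Offer every received route to every VRF; report (RD number, prefix) pairs each VRF installed."""
    for vrf in vrfs:
        for route in routes:
            vrf.accept(route)
    return {vrf.name: [(r.rd.number, r.prefix) for r in vrf.routes] for vrf in vrfs}


def two_vpns_overlapping_prefixes() -> Dict[str, List[Tuple[int, str]]]:
    """Constructed scenario: VPN A and VPN B both use 10.0.0.0/24. Different RDs keep the
    VPN-IPv4 addresses distinct, and the RT match keeps each route inside its own VPN."""
    routes = [
        VpnRoute("10.0.0.0/24", RouteDistinguisher(65000, 1), frozenset({"65000:100"})),  # VPN A site
        VpnRoute("10.0.0.0/24", RouteDistinguisher(65000, 2), frozenset({"65000:200"})),  # VPN B site
    ]
    vrfs = [Vrf("VPNA", frozenset({"65000:100"})), Vrf("VPNB", frozenset({"65000:200"}))]
    return distribute(vrfs, routes)


RT_SPOKE = "65000:1"   # constructed RT exported by spoke sites
RT_HUB = "65000:2"     # constructed RT exported by the hub site


def hub_and_spoke() -> Dict[str, List[Tuple[int, str]]]:
    """Constructed scenario: spokes export RT_SPOKE and import only RT_HUB; the hub does the
    reverse. Each spoke therefore learns the hub's routes but never another spoke's."""
    routes = [
        VpnRoute("192.168.1.0/24", RouteDistinguisher(65000, 11), frozenset({RT_SPOKE})),  # spoke 1
        VpnRoute("192.168.2.0/24", RouteDistinguisher(65000, 12), frozenset({RT_SPOKE})),  # spoke 2
        VpnRoute("172.16.0.0/16", RouteDistinguisher(65000, 20), frozenset({RT_HUB})),     # hub
    ]
    vrfs = [
        Vrf("hub", frozenset({RT_SPOKE})),
        Vrf("spoke1", frozenset({RT_HUB})),
        Vrf("spoke2", frozenset({RT_HUB})),
    ]
    return distribute(vrfs, routes)
```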
  • VPN packet forwarding uses a two-layer label method.
  • The first layer, that is, the outer label, is exchanged inside the backbone network and represents a Label Switched Path (LSP) from the PE to the peer (PEER) PE. Using this label, the VPN packet reaches the peer PE along the LSP.
  • The second layer, that is, the inner label, is used when the packet goes from the peer PE to the CE. The inner label indicates which site the packet is destined for, or more specifically which CE is reached; in this way, the interface for forwarding the packet can be found from the inner label.
  • At the peer PE the problem of how to reach the peer PE no longer exists; it only remains to be solved how to reach the peer CE.
  • In order to continue to provide the various services of the IPv4 environment during the evolution from IPv4 to IPv6, the VPN solution on IPv6 networks must be studied at the same time. Since IPv6 itself is still in the experimental stage, there is no formal large-scale commercial use and no formal VPN service application on IPv6 networks yet.
  • In the 6PE solution of the Internet Engineering Task Force (IETF), each IPv6 site is connected to at least one dual-stack PE router of the IPv4 backbone network that supports MP-BGP, namely the 6PE router shown in FIG. 3.
  • The 6PE router is called a dual stack BGP (DS-BGP) router. The DS-BGP router has at least one IPv4 address on the IPv4 side and at least one IPv6 address on the IPv6 side, and the IPv4 address must be routable in the IPv4 network.
  • Routes within IPv6 sites follow standard IPv6 routing protocols, such as Open Shortest Path First version 3 (OSPFv3), Intermediate System to Intermediate System version 6 (IS-ISv6) or Routing Information Protocol next generation (RIPng); they do not need to be advertised into the IPv4 backbone network and only need to be terminated by BGP4+ on the DS-BGP router, but IPv6 network layer reachability information needs to be exchanged between the DS-BGP routers through MP-BGP4.
  • When advertising routes to the ingress DS-BGP router, the egress DS-BGP router uses its own address as the next hop for these routes; when packets are forwarded, IPv6 data packets from the ingress DS-BGP router are transparently transmitted to the egress DS-BGP router through an MPLS tunnel, that is, an LSP.
  • When the DS-BGP router advertises its own address as the next hop of the BGP route, it can use its IPv4 address, and the MPLS tunnel or other IPv4-address-based tunnels can be used, such as a Generic Routing Encapsulation (GRE) tunnel, an IP Security (IPsec) tunnel, or an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
  • In the next generation network, both user networks and backbone networks may be IPv4 networks, IPv6 networks, or IPv4/IPv6 hybrid networks. This requires VPN services of the next generation network to adapt to complex network environments and to be applicable to IPv4 networks, IPv6 networks, or IPv4/IPv6 hybrid networks.
  • The DS-BGP used in this solution cannot support IPv4 sites, and if an ordinary BGP router is used instead, the exchange of network layer reachability information (NLRI) cannot be implemented.
  • Moreover, the VPN route learning and advertising functions of the existing technical solution are performed in the IPv4 network; route learning and advertising in a hybrid backbone network cannot be supported, so VPN route learning, route advertising and data forwarding based on a hybrid backbone network are not supported. Summary of the invention
  • A main object of the present invention is to provide a virtual private network system of a hybrid site hybrid backbone network, in which sites based on different IP versions can access each other and perform VPN services through backbone networks based on different IP versions.
  • Another main object of the present invention is to provide a method for implementing a virtual private network of a hybrid site hybrid backbone network, which enables sites based on different IP versions to access each other and perform VPN services through backbone networks based on different IP versions.
  • The present invention provides a virtual private network system of a hybrid site hybrid backbone network, including virtual private network user sites, user network edge routers CE, backbone network edge routers PE, and a backbone network. The user sites transmit data to each other through the CEs and the PEs accessing the backbone network.
  • The virtual private network system includes user sites based on Internet Protocol version 4 (IPv4) and on version 6 (IPv6); the backbone network includes multiple IPv4 autonomous domains and IPv6 autonomous domains.
  • One autonomous domain in the backbone network is the primary autonomous domain (PAS), and the non-PAS autonomous domains in the backbone network are secondary autonomous domains (DAS); the PAS and the DAS are connected to each other through autonomous system border routers (ASBR) supporting IPv4 and IPv6 dual protocol stacks.
  • The ASBR of the PAS stores the inter-domain routes established with the PEs of the DAS.
  • The CE supports an IPv4 protocol stack, an IPv6 protocol stack, or an IPv4 and IPv6 dual protocol stack, and stores IPv4 routes or/and IPv6 routes.
  • The PE supports an IPv4 protocol stack, an IPv6 protocol stack, or an IPv4 and IPv6 dual protocol stack; the PE of the PAS stores IPv4 routes and IPv6 routes, and the PE of the DAS stores IPv4 routes, IPv6 routes, and the inter-domain routes established with the ASBR of the PAS.
  • The user sites transmit data according to the routes stored by the CE and the PE.
  • The primary autonomous domain may be the IPv6 autonomous domain that includes the most PEs connecting the sites in the backbone network.
  • The DAS directly connected to the PAS in the backbone network may be the first layer of DAS; the system may further include one or more further layers of DAS, each next layer of DAS being connected to the upper layer of DAS through an ASBR. The ASBR of the upper-layer DAS stores the inter-domain routes established with the PEs of the next-layer DAS, and the PEs of the next-layer DAS store the IPv4 routes, the IPv6 routes, and the inter-domain routes established with the ASBRs of the upper-layer DAS.
  • The CE and the PE that connect a user site to the autonomous domain may support the IPv4 and IPv6 dual protocol stack.
  • For an IPv4 user site that needs to access IPv6 user sites, the CE stores IPv4 routes and IPv6 routes.
  • The CE of an IPv6 user site that needs to access IPv4 user sites stores only IPv6 routes.
  • For an IPv4 user site that only accesses IPv4 user sites, the CE stores only IPv4 routes.
  • The present invention also provides a method for implementing a virtual private network of a hybrid site hybrid backbone network. The method uses the above-mentioned virtual private network system, and the process of the virtual private network service includes the following steps:
  • addressing the IPv4 and IPv6 user sites to form IPv4 and IPv6 address information in a uniform format;
  • the user sites and the backbone network learn and advertise routes, advertising the IPv4 routes, the IPv6 routes, and the inter-domain routes established between the ASBR of the PAS and the PEs of the DAS to the PEs in the system and to the CEs connected to the PEs;
  • the data packets of the user sites are forwarded according to the routes learned by the CE and the PE in step B.
  • The method for addressing the IPv4 and IPv6 user sites in step A may be as follows.
  • For IPv4 user sites, the form "route distinguisher + IPv4 address" is used to form an IPv4 address with an address family identifier of 1; between an IPv4 user site and an IPv6 user site, and between IPv6 user sites, the form "route distinguisher + IPv6 address" is used, which constitutes an IPv6 address with an address family identifier of 2.
  • An IPv4 user site that communicates with an IPv6 user site first maps its IPv4 address A.B.C.D to the IPv6 address in the form 0::A:B:C:D, then combines it with the route distinguisher to form an IPv6 address with an address family identifier of 2.
  • The method may further include layering the backbone network when the backbone network also includes a DAS not directly connected to the PAS: the DAS directly connected to the PAS is set as the first-layer DAS, the DAS connected to the first-layer DAS as the second layer, and so on.
  • Step B may include the following substeps:
  • the CE advertises the aggregated routes of its IPv4 user site or IPv6 user site to the PE connected to it;
  • the PE of the upper layer advertises the routes learned from the CE to the PEs and/or ASBRs of the local domain; the PE of the next layer advertises the routes learned from the CE or from other PEs to the PEs in the local domain and to the ASBR of the upper-layer autonomous domain that is connected to the local domain;
  • the ASBR in the upper-layer autonomous domain advertises the routes learned from the local domain to the PEs of the lower-layer autonomous domain, and advertises the routes learned from the lower-layer autonomous domain to the PEs of the local domain;
  • the PE routers in each autonomous domain advertise the routes learned from other PE routers or/and ASBRs to the CE routers connected to them; the CE routers save the IPv4 routes or/and IPv6 routes after receiving them.
  • Step B2 may further include storing the inter-domain route between the next-layer PE and the ASBR in the upper-layer autonomous domain that is connected to the local domain.
  • Step B2 may further include: the PE router forms, from the IPv4 routes and IPv6 routes learned from the CE router, route information consisting of the route distinguisher RD, the address family identifier AFI, the subsequent address family identifier SAFI (set according to the VPN to which the route belongs and the IP version of the route), the route target group, the route type, and the IPv4 address or IPv6 address.
  • In step B2, routes between PEs within the autonomous domain, and between the PE and the ASBR, are advertised through the internal border gateway protocol based on the IP version of the local autonomous domain, together with the routes of the user sites of the CEs connected to the PEs;
  • the next-layer PE advertises the routes to the ASBR connected to the local domain in the upper-layer autonomous domain by using the multi-protocol external border gateway protocol based on the IP version of the local autonomous domain;
  • the ASBR in the upper-layer autonomous domain advertises the routes to the PEs of the lower-layer autonomous domain through the multi-protocol external border gateway protocol based on the IP version of the next-layer autonomous domain, and advertises the learned routes to the PEs of the local domain through the internal border gateway protocol based on the IP version of the local autonomous domain;
  • the PE advertises the learned routes to the peer PEs in the domain through the internal border gateway protocol based on the IP version of the local autonomous domain.
  • Step B4 may include the following substeps:
  • the CE connected to the IPv4 user site and the PE connected to that CE run an IPv6-based routing protocol to learn routes; the PE converts the saved routes of IPv4 user sites from the A.B.C.D/n form into IPv6 routes of the form 0::A:B:C:D/(96+n) and advertises them to the CE through the IPv6 routing protocol;
  • the CE restores such IPv6 routes to IPv4 routes in the A.B.C.D/n form, and saves the routes of IPv6 user sites as IPv6 routes.
  • Alternatively, step B4 may include the following substeps:
  • the CE connected to the IPv6 user site and the PE connected to that CE run an IPv6-based routing protocol to learn routes;
  • the CE directly stores the routes of IPv4 user sites as IPv6 routes in the form 0::A:B:C:D/(96+n), and saves the routes of IPv6 user sites in their original form.
  • For an IPv4 user site that only accesses IPv4 user sites, in step B only the IPv4 routing protocol is run between the CE connected to the IPv4 user site and the PE connected to that CE; only the IPv4 routes of other IPv4 user sites are learned and saved, and IPv6 routes are dropped.
  • The PE determines whether to learn a route and advertise it to the user site according to the route target extended community attribute of the multi-protocol border gateway protocol.
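As an added worked example (not the patent's own code), the following Python implements the step B4 route conversion on both ends: the PE-side mapping of an IPv4 site route A.B.C.D/n to an IPv6 route of length 96+n, the CE-side restoration, and the three CE behaviours the text lists (IPv4 site that reaches IPv6 sites, IPv6 site, IPv4-only site). The prefix length 96+n only works out if the page's 0::A:B:C:D notation means the 32-bit IPv4 address occupies the low 32 bits of an otherwise zero IPv6 address, so that is the interpretation assumed here; the sample routes are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumption: the page's "0::A:B:C:D" places the 32-bit IPv4 address in the low 32 bits
# of an all-zero IPv6 address, which is what makes the /(96+n) prefix length work.
IPV4_BITS = 32
MAPPED_PREFIX_BITS = 128 - IPV4_BITS   # 96


def pe_ipv4_to_ipv6(route: str) -> ipaddress.IPv6Network:
    """PE side: convert an IPv4 user-site route A.B.C.D/n into 0::A:B:C:D/(96+n)."""
    v4 = ipaddress.IPv4Network(route, strict=True)
    return ipaddress.IPv6Network((int(v4.network_address), MAPPED_PREFIX_BITS + v4.prefixlen))


def ce_ipv6_to_ipv4(route: str) -> Optional[ipaddress.IPv4Network]:
    """CE side: restore A.B.C.D/n from a mapped route; None if the route is native IPv6.

    Only routes whose prefix length is at least 96 and whose high 96 bits are all zero
    are treated as mapped IPv4 routes. A native IPv6 route inside ::/96 (the deprecated
    IPv4-compatible block) would be indistinguishable from a mapped one, so the scheme
    relies on IPv6 sites not using that block.
    """
    v6 = ipaddress.IPv6Network(route, strict=True)
    addr = int(v6.network_address)
    if v6.prefixlen < MAPPED_PREFIX_BITS or addr >> IPV4_BITS != 0:
        return None
    return ipaddress.IPv4Network((addr & 0xFFFFFFFF, v6.prefixlen - MAPPED_PREFIX_BITS))


def ce_install(site_kind: str, ipv4_site_routes: List[str],
               ipv6_site_routes: List[str]) -> Tuple[List[str], List[str]]:
    """Return (ipv4_table, ipv6_table) as the CE stores them, for one of three site kinds:
    'v4_to_v6': IPv4 site that also reaches IPv6 sites (routes arrive over the IPv6 protocol,
                mapped ones are restored to IPv4, IPv6 site routes are kept as IPv6);
    'v6':       IPv6 site (IPv4 site routes are stored directly in mapped IPv6 form);
    'v4_only':  IPv4 site that only reaches IPv4 sites (IPv6 routes are dropped)."""
    # What the PE advertises over the IPv6 routing protocol in the first two cases.
    advertised = [str(pe_ipv4_to_ipv6(r)) for r in ipv4_site_routes] + list(ipv6_site_routes)
    if site_kind == "v4_to_v6":
        v4_table: List[str] = []
        v6_table: List[str] = []
        for r in advertised:
            restored = ce_ipv6_to_ipv4(r)
            if restored is not None:
                v4_table.append(str(restored))
            else:
                v6_table.append(r)
        return v4_table, v6_table
    if site_kind == "v6":
        return [], advertised
    if site_kind == "v4_only":
        return list(ipv4_site_routes), []
    raise ValueError(f"unknown site kind: {site_kind}")
```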
  • In step C, the inner label is allocated by the ingress PE and is used to distinguish the different user sites connected to the same ingress PE; the inner label is advertised to the corresponding egress PE along with the route when the route is advertised.
  • The outer label is allocated within an autonomous domain by a label distribution protocol (the Label Distribution Protocol, Resource Reservation Protocol-Traffic Engineering, or constraint-based routing), and between different autonomous domains it is allocated by the multi-protocol external border gateway protocol running between the ASBRs for the bidirectional connection of the ASBRs; it is used for forwarding data packets in the backbone network.
  • Step D may include the following substeps:
  • the egress PE performs Internet Protocol data forwarding between the egress PE and the destination user site according to the inner label and the stored routing table.
  • Step D2 may include the following substeps: D21, after the inner label of the destination site is added to the data packet on the ingress PE, an outer label allocated in the autonomous domain where the ingress PE is located is added; the ASBR forwards the data packet to the ASBR of the next adjacent autonomous domain according to the outer label allocated between the ASBRs; and the ASBR forwards the data packet to the egress PE.
  • The topology relationship between the user sites can be implemented by matching route target community attributes.
  • The virtual private network system of the hybrid site hybrid backbone network of the present invention and its implementing method differ from the prior art in that the present invention establishes a master-slave relationship among the autonomous domains of the multi-domain backbone network: within each autonomous domain routes are advertised by the corresponding MP-IBGP according to the IP version of the local autonomous domain, multi-hop MP-EBGP is used to advertise routes between neighbouring autonomous domains, IPv4/IPv6 dual routes are run on the CE and the PE, and VPN data is forwarded according to labels distributed on the basis of IP addresses within the autonomous domain, so as to implement the VPN of a multi-domain backbone network with hybrid sites.
  • The VPN can thus be formed while the user networks and the backbone network transition from IPv4 to IPv6, so that the VPN solution for the transition period has greater flexibility.
  • FIG. 1 is a schematic diagram of the system composition of an MPLS L3 VPN defined by RFC 2547bis;
  • FIG. 2 is a schematic diagram of filtering received routes by matching a Route Target attribute;
  • FIG. 3 is a schematic diagram of the system configuration of the 6PE solution implementing BGP/MPLS VPN;
  • FIG. 4 is a schematic diagram of the VPN system configuration of a hybrid site hybrid backbone network according to a first preferred embodiment of the present invention;
  • FIG. 5 is a schematic diagram of the VPN system composition of a hybrid site hybrid backbone network according to a second preferred embodiment of the present invention;
  • FIG. 6 is a schematic diagram of the VPN system composition of a hybrid site hybrid backbone network according to a third preferred embodiment of the present invention;
  • FIG. 7 is a schematic diagram of the VPN system composition of a hybrid site hybrid backbone network according to a fourth preferred embodiment of the present invention. Mode for carrying out the invention
  • In the backbone network one autonomous domain is the primary autonomous system (PAS), and the other autonomous domains are dependent autonomous systems (DAS, Dependent ASs). The hierarchical relationship of each DAS can be determined according to the connection relationship between the DAS and the PAS: the DAS directly connected to the PAS is the first-layer DAS, the DAS connected to the first-layer DAS and not directly connected to the PAS is the second-layer DAS, and so on, determining the hierarchical relationship of each autonomous domain in the backbone network.
  • Multi-hop Multi-Protocol External BGP (multi-hop MP-EBGP) is established between the Autonomous System Border Router (ASBR) in the PAS or the upper-layer DAS and the PE in the next-layer DAS, together with an inter-domain tunnel, for VPN route advertisement and data forwarding between the domains; VPN route advertisement and data forwarding between the PEs within each autonomous domain use the Multi-Protocol Internal BGP (MP-IBGP) based on the IP protocol version (IPv4 or IPv6) of the local autonomous domain and intra-domain tunneling.
  • In addition, a certain amount of address and route conversion processing is performed.
  • The virtual private network system of the hybrid site hybrid backbone network of the present invention comprises a backbone network and a user network.
  • The backbone network is used to advertise VPN routes, establish switching paths, and complete data exchange. It consists of autonomous domains with different address families, connected by ASBRs at the edges of the autonomous domains. That is, the backbone network may include one or more IPv4 autonomous domains and one or more IPv6 autonomous domains, and an IPv4 autonomous domain and an IPv6 autonomous domain are connected by an ASBR that supports the IPv4 and IPv6 dual protocol stacks.
  • Each autonomous domain also includes the original P routers and PE routers. The PE router is configured with the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stacks according to its network connections.
  • The routes advertised by the backbone network include VPN-IPv4 routes and VPN-IPv6 routes. Route learning is performed on the backbone network to establish the VPN switching path.
  • The routes of the user sites connected to the PE routers are advertised. The PE and the ASBR of the upper-layer autonomous system also advertise the routes of the user sites connected to the PE routers by MP-IBGP based on the IP protocol version of the local autonomous domain. The ASBR of the upper-layer autonomous system advertises the received routes to the PEs of the local autonomous domain and to the ASBR of the next upper-layer autonomous system (if any), which advertises them in turn, until the PEs and the ASBR in the PAS are reached.
  • The user network contains the CE routers connected to the backbone network and the user sites connected to them. The user sites include both IPv4 sites and IPv6 sites, and each user site contains multiple hosts with different addresses.
  • The CE router supports the corresponding protocol stack according to the IP version of the user network and the IP version of the autonomous system to which it is connected; the PE router supports the corresponding protocol stack according to the IP version of the autonomous system to which it belongs and the IP version of the user site to which it is connected. For example, the CE router and the corresponding PE router of an IPv4 site connected to an IPv4 backbone network only need to support the IPv4 protocol stack, and the CE and the corresponding PE of an IPv6 site connected to an IPv6 backbone network only need to support the IPv6 protocol stack, whereas the CE of an IPv6 site connected to an IPv4 backbone network, the CE of an IPv4 site connected to an IPv6 backbone network, and the PE devices accessing these CEs all need to support the IPv4/IPv6 dual protocol stack.
  • Routers in IPv4 sites that need to access IPv6 sites need to save IPv6 routes; that is, these IPv4 sites need to support the IPv4-IPv6 hybrid address scheme.
  • the backbone network includes two autonomous domains: an IPv4 autonomous domain and an IPv6 autonomous domain.
  • the IPv6 autonomous domain is the PAS.
  • the IPv4 autonomous domain is the DAS.
  • the multi-hop MP-EBGP and the inter-domain tunnel are established between the ASBR in the PAS and the PE in the DAS.
  • route advertisement and VPN data forwarding of the inter-AS VPN are performed over them respectively, while VPN route advertisement and data forwarding between the PEs within each autonomous domain use the IP protocol version (IPv4 or IPv6) of the local autonomous domain.
  • FIG. 4 is a hybrid site hybrid backbone network according to a first preferred embodiment of the present invention.
  • the solid double arrow in Figure 4 indicates multi-hop MP-EBGP between the upper layer ASBR and the adjacent DAS domain PE; the dashed double arrow indicates MP-IBGP in the PAS or DAS domain, as shown in Figure 5 to Figure 7.
  • the backbone network is dual-domain. It includes: a backbone network that includes an IPv4 autonomous domain and an IPv6 autonomous domain, PE routers at the edge of the backbone network (PE1 to PE4), and P routers inside the backbone network (not shown in Figure 1); CE routers at the edge of the customer network (CE1 to CE8); and user sites connected to the PEs through the CEs, where each user site contains one or more hosts with different addresses.
  • the IPv4 domain and the IPv6 domain are connected to each other through ASBR1 and ASBR2.
  • the system shown in Figure 4 contains two VPNs, VPNA and VPNB.
  • the VPNA includes IPv4 and IPv6 sites: IPv6 sites connected to CE1, IPv4 sites connected to CE4, IPv6 sites connected to CE5, and IPv4 sites connected to CE8.
  • the IPv4 site is included in the VPNB.
  • only the VPNA and the VPNB are used as an example.
  • the physical network may include only one IPv4 domain and one IPv6 domain.
  • the system may include more than four VPNs, and the backbone network may also include multiple domains.
  • the CE router and the corresponding PE router of the IPv4 site connected to the IPv4 backbone network support only the IPv4 protocol stack.
  • the CE and the corresponding PE of an IPv6 site connected to the IPv6 backbone network only support the IPv6 protocol stack.
  • the CE of an IPv6 site connected to the IPv4 backbone network, the CE of an IPv4 site connected to the IPv6 backbone network, and the PE devices accessing these CEs all need to support the IPv4/IPv6 dual protocol stack.
  • the CE router that connects to the IPv4 site and connects to the IPv6 site also stores the IPv4 and IPv6 routes of other user sites in the VPN learned from the PE router, and performs routing matching when accessing other sites.
  • the method by which the following embodiment implements the VPN of the hybrid-site hybrid backbone network is described in detail.
  • the user site addressing method of the VPN system of the embodiment shown in FIG. 4 will be described.
  • only the VPN user is considered to perform unicast communication, and the hosts in each site of the VPN are required to use a unicast address, that is, only one IPv4 address or one IPv6 address is used.
  • the Address Family Identifier (AFI) field in MP-BGP uses the value 1 that RFC 1700 assigns to the IPv4 address family.
  • communication between IPv4 sites and IPv6 sites, and between two IPv6 sites, uses IPv6 addresses.
  • in that case the AFI field in MP-BGP uses the value 2 that RFC 1700 assigns to the IPv6 address family. It should be noted that when an IPv4 site and an IPv6 site communicate with each other, the IPv4 address A.B.C.D in the IPv4 site is mapped to the corresponding IPv6 address in the form 0::A:B:C:D.
  • the Subsequent Address Family Identifier (SAFI) field of the VPN address uses the value 128, which indicates a VPN-IPv4 address or a VPN-IPv6 address.
  • IPv4 sites in the VPN are allowed to continue to use private IPv4 addresses, and sites of different VPNs are allowed to use the same private IPv4 address.
  • a VPN-IPv4 address with AFI 1 is formed as RD + (IPv4 address); between IPv4 sites and IPv6 sites, or between two IPv6 sites, a VPN-IPv6 address with AFI 2 is formed as RD + (IPv6 address).
  • the IPv4 address A.B.C.D of an IPv4 site that communicates with an IPv6 site is mapped to the IPv6 address in the form 0::A:B:C:D and then combined with the RD to form the VPN-IPv6 address.
  • each MP-BGP speaker can parse the corresponding IPv4/IPv6 routing entries according to the AFI and supports storing IPv4 and IPv6 routing tables simultaneously; IPv4 routes and IPv6 routes can be stored in separate routing tables.
  • each CE router aggregates the addresses of the user sites to form corresponding routing entries. Then, routing learning and distribution processing of the VPN site, processing of label distribution, and processing of VPN data forwarding can be performed. These processes are described in detail below.
  • the method includes the following process:
  • the CE router advertises the aggregated route to the PE router connected to it.
  • the CE of an IPv6 site connected to the IPv4 backbone network, the CE of an IPv4 site connected to the IPv6 backbone network, and the PE devices accessing these CEs all support the IPv4/IPv6 dual protocol stack; therefore the PE can learn the IPv4 and/or IPv6 routes advertised by the CE.
  • CE1 and CE2 advertise routes to PE1, and CE3 and CE4 advertise routes to PE2.
  • CE5 and CE6 advertise routes to PE3, and CE7 and CE8 advertise routes to PE4.
  • the egress PE adds a corresponding inner label to the route received from the CE.
  • the inner label is allocated by the PE to the site connected to the CE and is used to distinguish between different sites; the routes carrying the labels are advertised to the ingress PE or ASBR in the local domain through MP-IBGP, or to the ASBR in the upper-layer autonomous domain connected to the local domain through Multi-hop MP-EBGP.
  • the PE routers in the DAS send IPv4 routes and IPv6 routes learned from the CE routers to other PE routers in the AS and ASBRs of the upper-layer autonomous system.
  • the PAS is the upper layer and the DAS is the next layer. The PE routers in the PAS send the IPv4 routes and IPv6 routes learned from the CE routers to the other PE routers and ASBRs within the autonomous system.
  • PE1 of the DAS advertises routes to PE2 of its own autonomous system and to ASBR2 of the PAS, its upper-layer autonomous system; PE2 of the DAS advertises routes to PE1 of its own autonomous system and to ASBR2 of the PAS.
  • PE3 in the PAS advertises routes to PE4 and ASBR2.
  • PE4 advertises routes to PE3 and ASBR2.
  • the PE router takes the IPv4 routes and IPv6 routes learned from the CE routers and, according to the VPN and the IP version of the route, adds RD, AFI and SAFI to form routing information in the unified form RD, AFI, SAFI, Route Target and IPv4/IPv6 route.
  • the PE router still uses the VRF to save routes of different VPNs.
  • in the VRF, IPv4 routes and IPv6 routes are saved separately for the different AFIs of each VPN.
  • for a PE router advertising routes to other PE routers: since the other PE routers also support dual protocol stacks, they can receive both IPv4 routes and IPv6 routes.
  • for a PE router advertising routes to the ASBR in the local AS: when the autonomous system where the PE is located is an IPv4 network, the PE routers and the ASBR of the local AS advertise the routes of the VPN user sites connected to the PEs of the IPv4 network through IPv4-based fully-meshed Multi-Protocol Internal BGP (MP-IBGP) or route reflectors; when the autonomous system where the PE is located is an IPv6 network, the PE routers and the ASBRs within the IPv6 autonomous domain advertise the routes of the VPN sites connected to the PE routers of the IPv6 network through IPv6-based fully-meshed MP-IBGP or route reflectors.
  • IPv4 routes and IPv6 routes are only carried as payload data when MP-IBGP is used to advertise routes. Whether IPv4-based or IPv6-based MP-IBGP is used depends only on the IP version of the network and is independent of the data carried, whether that data is IPv4 routes or IPv6 routes.
  • for a PE router advertising routes to the ASBR of the upper-layer autonomous domain: when the autonomous system of the PE is an IPv4 network, the PE router of the IPv4 network and the upper-layer ASBR advertise the routes of the VPN user sites connected to the PE of the IPv4 network through IPv4-based Multi-hop MP-EBGP; when the autonomous system of the PE is an IPv6 network, the routes of the VPN user sites connected to the PE router of the IPv6 network are advertised between that PE router and the upper-layer ASBR through IPv6-based Multi-hop MP-EBGP.
  • in Figure 4, ASBR2 of the PAS stores the inter-domain VPN routes established with PE1 and PE2 of the DAS, with which its MP-EBGP peers are established; the inter-domain routes established with ASBR2 of the PAS are likewise stored in PE1 and PE2.
  • Procedure 3 The ASBR in the upper-layer autonomous domain advertises the route learned from the local domain to the PE in the next-level autonomous domain, and advertises the route learned from the next-layer autonomous domain to the PE in the local domain.
  • the ASBR in the upper-layer autonomous domain advertises routes to the PEs of the next-layer autonomous domain through Multi-hop MP-EBGP based on the IP version of the next-layer autonomous domain, and advertises routes to the PEs in the local domain through MP-IBGP based on the local IP version.
  • the ASBR2 of the PAS in Figure 4 advertises the routes learned from PE4 and PE3 to PE1 and PE2 in the DAS.
  • the routes learned from PE1 and PE2 are advertised to PE3 and PE4.
  • Procedure 4 The PE routers in each autonomous domain advertise routes learned from other PE routers and/or ASBRs to the CE routers connected to them. The CE router stores the IPv4 and/or IPv6 routes it receives.
  • PE1 in the DAS advertises the routes received from PE2 and from ASBR2 of the PAS to CE1 and CE2.
  • PE2 in the DAS advertises the routes received from PE1 and from ASBR2 of the PAS to CE3 and CE4.
  • the PE3 in the PAS advertises the routes received from PE4 and ASBR2 to CE5 and CE6.
  • PE4 in the PAS advertises the routes received from PE3 and ASBR2 to CE7 and CE8.
  • in the CE router of an IPv4 site of the VPN, the corresponding IPv4 routes and IPv6 routes are saved, and the CE router acts as a proxy when the site accesses other sites: it matches an IPv4 route or an IPv6 route according to whether the destination user site is an IPv4 user site or an IPv6 user site.
  • the CE router of an IPv6 user site in the VPN saves only IPv6 routes. Before the PE router accessing the IPv6 site advertises the routes of other IPv4 sites to that site, the IPv4 route A.B.C.D/n needs to be converted to the IPv6 route 0::A:B:C:D/(96+n).
  • between the CE router and the PE router of an IPv4 user site that needs to access the IPv6 user sites of the VPN, an IPv6-based routing protocol is run so that IPv6 routes and IPv4 routes are learned simultaneously; in the VRF of the PE router, the IPv4 route A.B.C.D/n is converted to the IPv6 route 0::A:B:C:D/(96+n), advertised to the CE router through the IPv6 routing protocol, and restored to the IPv4 route A.B.C.D/n in the CE router.
  • the IPv6 routes of other IPv6 user sites are still saved as IPv6 routes in the CE router.
  • the IPv4 route is matched when the IPv4 user site accesses the IPv4 site, and the IPv6 route is matched when the IPv6 site is accessed.
  • between the CE router and the PE router of an IPv6 user site that needs to access the IPv4 user sites of the VPN, an IPv6-based routing protocol is likewise run to learn the routes of other sites; the routes of other IPv4 user sites are directly stored in the IPv6 route form 0::A:B:C:D/(96+n), and the routes of the original IPv6 user sites are saved as IPv6 routes.
  • in A.B.C.D/n above, A.B.C.D is the network segment address and n is the mask length.
  • the CE also advertises the routes to the routers in the user site, which store them as the routing table of the user site; if the user site connected to the CE contains no router, then in procedure five the CE itself stores the routing table of the user site.
  • where only an IPv4-based routing protocol runs between the CE router and the PE router, only the IPv4 routes of other IPv4 user sites are learned and saved, and IPv6 routes are discarded.
  • after receiving a VPN route, the PE router determines, according to the MP-BGP Route Target extended community attribute, whether to learn it and publish it to the corresponding user site.
  • the egress PE allocates the inner label and advertises the VPN route to its BGP peer (BGP PEER). After receiving the route, the BGP peer matches it against its configured Import Route Target; if the match succeeds, the route is accepted and advertised to the corresponding VRF site. If the BGP peer is an ASBR between the two ASs, the route also needs to be advertised to the MP-EBGP peers in the DAS domain and the MP-IBGP peers in the PAS domain, and these peers perform Route Target matching to determine whether to accept these cross-domain VPN routes and publish them to their connected sites. This process is the same as in the prior art and is not described here.
  • processing of label distribution can be performed in the manner described below.
  • packets are forwarded in the backbone network based on the outer label.
  • the distribution of the outer label is the same as in the prior art, and includes label distribution in the autonomous domain and label distribution between the autonomous domains.
  • the outer labels in the PAS domain and the DAS domain can be distributed by the Label Distribution Protocol (LDP), the Resource Reservation Protocol with Traffic Engineering (RSVP-TE), or the Constraint-Routing Label Distribution Protocol (CR-LDP).
  • Each next-hop router in the autonomous domain distributes outer labels for its previous hop router, including label distribution between P routers, label distribution between P routers and PEs, and label distribution between PE routers and ASBRs.
  • the outer labels between the two ASBRs of adjacent autonomous domains are allocated through the BGP protocol running between the autonomous domains.
  • the present invention adopts label forwarding. Therefore, a tunnel is determined between the PE routers in each domain or between the PE routers and the ASBRs and between the ASBRs in the adjacent domains through the exchange relationship of the outer labels.
  • the data forwarding between the VPN sites connected to the PE routers in the domain is performed through the intra-domain tunnels.
  • data forwarding between VPN sites connected to PE routers of different autonomous domains passes through the intra-domain tunnels of the ingress PE and the egress PE, and between the ASBRs of the two autonomous domains it is completed through the inter-domain tunnel determined by the labels allocated by MP-BGP.
  • the specific data forwarding process is also basically the same as in the prior art and includes the following types of forwarding: IP data forwarding from the source user site to the ingress PE router; label data forwarding from the ingress PE router to the egress PE router; and IP data forwarding from the egress PE to the destination user site. These are described separately below.
  • IP packet forwarding from the user site to the PE router follows the normal IP forwarding process: the user site stores the IPv4/IPv6 routing table and, since the destination user site may be IPv4 or IPv6, queries the corresponding routing table and forwards the packet to the ingress PE accordingly.
  • the access between the VPN sites in a single autonomous domain can be forwarded by using the intra-domain data forwarding mode in the prior art.
  • the ingress PE adds the outer label allocated by the label distribution protocol (LDP/RSVP-TE/CR-LDP) of its autonomous domain, and the data packet is forwarded along the LSRs of the LSP to the egress PE according to the outer label.
  • for access between VPN sites in different autonomous domains, the ingress PE first adds the inner label that the egress PE allocated to the site where the destination is located, then adds the outer label allocated by the label distribution protocol (LDP/RSVP-TE/CR-LDP) in the autonomous domain where the ingress PE resides; the packet is forwarded along the LSP according to the outer label to the local ASBR facing the neighboring autonomous domain, then forwarded to the ASBR of the next neighboring autonomous domain according to the outer label allocated by MP-EBGP between the ASBRs, and then forwarded along the LSP in that neighboring autonomous domain to the egress PE.
  • after receiving the data packet carrying the inner label, the egress PE determines the destination user site from the inner label and, according to the types of the source user site and the destination user site, looks up the corresponding routing table and forwards the packet to the destination host. In this step the IPv4 routing table is queried only when the source user site and the destination user site are both IPv4 sites; in all other cases the IPv6 routing table is queried.
  • the method in RFC 2547bis can still be used here, that is, implementation by matching the Route Target. This is the same as the mechanism for route learning between PEs described above: whether to learn a route is determined according to the topology relationship of the VPN, and the topology relationship of the VPN is thereby enforced through the routing table.
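As an added illustration (not code from the patent or from Huawei), the following Python ties together the addressing and route-import rules above: the A.B.C.D/n to 0::A:B:C:D/(96+n) mapping and its restoration at the CE, forming RD + prefix into an AFI 1 or AFI 2, SAFI 128 NLRI, Import Route Target filtering into per-AFI VRF tables, and the egress lookup rule. It assumes the four IPv4 octets occupy the low 32 bits of the IPv6 address (what the 96+n prefix length implies), a type-0 RD, and constructed route-target strings and prefixes.

```python
import ipaddress
import math
import struct

AFI_IPV4 = 1           # RFC 1700 address family number for IPv4
AFI_IPV6 = 2           # RFC 1700 address family number for IPv6
SAFI_MPLS_VPN = 128    # SAFI for VPN-IPv4 / VPN-IPv6 addresses


def v4_route_to_v6(prefix):
    """PE side: convert an IPv4 site route A.B.C.D/n into the IPv6 route
    0::A:B:C:D/(96+n) before advertising it towards an IPv6 site.
    Assumption: the four octets sit in the low 32 bits (the 96+n length implies this)."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return ipaddress.IPv6Network((int(net.network_address), 96 + net.prefixlen))


def v6_route_to_v4(prefix):
    """CE side of an IPv4 site: restore A.B.C.D/n from 0::A:B:C:D/(96+n).
    Anything outside ::/96 or shorter than /96 is not a mapped IPv4 route."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = int(net.network_address)
    if net.prefixlen < 96 or (addr >> 32) != 0:
        raise ValueError(f"{prefix} is not a mapped IPv4 route")
    return ipaddress.IPv4Network((addr & 0xFFFFFFFF, net.prefixlen - 96))


def route_distinguisher(asn, assigned):
    """8-octet type-0 RD: 2-byte type, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_nlri(rd, prefix):
    """Form RD + (IPv4 or IPv6 prefix) and return (AFI, SAFI, NLRI bytes).
    The first octet is the bit length of RD+prefix; the prefix is truncated
    to its significant octets, as MP-BGP NLRI encoding does."""
    net = ipaddress.ip_network(prefix, strict=False)
    afi = AFI_IPV4 if net.version == 4 else AFI_IPV6
    octets = math.ceil(net.prefixlen / 8)
    nlri = bytes([64 + net.prefixlen]) + rd + net.network_address.packed[:octets]
    return afi, SAFI_MPLS_VPN, nlri


def parse_vpn_nlri(afi, nlri):
    """Decode NLRI bytes into (rd, network). The AFI fixes the address width,
    which is why a speaker must parse the entry according to AFI."""
    if len(nlri) < 9:
        raise ValueError("NLRI too short for length octet and RD")
    plen = nlri[0] - 64
    rd, rest = nlri[1:9], nlri[9:]
    width = 4 if afi == AFI_IPV4 else 16
    if not 0 <= plen <= width * 8 or len(rest) != math.ceil(plen / 8):
        raise ValueError("malformed VPN NLRI")
    addr = int.from_bytes(rest + bytes(width - len(rest)), "big")
    cls = ipaddress.IPv4Network if afi == AFI_IPV4 else ipaddress.IPv6Network
    return rd, cls((addr, plen))


class VRF:
    """A PE's per-VPN routing context: separate IPv4 and IPv6 tables keyed by AFI."""

    def __init__(self, import_rts):
        self.import_rts = frozenset(import_rts)
        self.tables = {AFI_IPV4: {}, AFI_IPV6: {}}

    def receive(self, afi, nlri, route_targets):
        """Import Route Target matching: install the route only if one of its
        RTs is in this VRF's import set. Returns True when installed."""
        if self.import_rts.isdisjoint(route_targets):
            return False
        rd, net = parse_vpn_nlri(afi, nlri)
        self.tables[afi][net] = rd
        return True

    def routes(self, afi):
        return sorted(str(net) for net in self.tables[afi])


def lookup_afi(src_is_ipv4, dst_is_ipv4):
    """Egress-PE rule: query the IPv4 table only when both source and
    destination sites are IPv4; otherwise query the IPv6 table."""
    return AFI_IPV4 if (src_is_ipv4 and dst_is_ipv4) else AFI_IPV6


def demo():
    """Constructed scenario: an IPv4 site's 10.1.0.0/16 in VPNA is advertised
    to a PE serving an IPv6 site of VPNA, and a VPNB route is filtered out.
    The RT strings and RD values are hypothetical."""
    rd_a, rd_b = route_distinguisher(65000, 1), route_distinguisher(65000, 2)
    pe_v6_site = VRF(import_rts=["target:65000:1"])
    mapped = v4_route_to_v6("10.1.0.0/16")            # 0::A:B:C:D/(96+n) form
    afi, _safi, nlri = vpn_nlri(rd_a, str(mapped))
    accepted = pe_v6_site.receive(afi, nlri, ["target:65000:1"])
    afi, _safi, nlri = vpn_nlri(rd_b, "172.16.0.0/12")
    rejected = pe_v6_site.receive(afi, nlri, ["target:65000:2"])
    return accepted, rejected, pe_v6_site.routes(AFI_IPV6)
```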
  • an IPv4 autonomous domain and an IPv6 autonomous domain connected to each other are called a Basic Hybrid Network (BHN). The IPv6 domain containing a large number of PE devices is the PAS, and the other autonomous domains are DAS.
  • the DAS in the BHN is the first-layer DAS, and a DAS connected to it but not directly connected to the PAS is a second-layer DAS.
  • there are two cases for a VPN system of a hybrid site with three autonomous domains. In the first, a DAS is connected to the DAS in the BHN and is not directly connected to the PAS in the BHN. In the second, a DAS is connected to the PAS in the BHN and is not directly connected to the DAS in the BHN. The two are described in turn below.
  • FIG. 5 is a schematic structural diagram of a VPN system of a hybrid site hybrid backbone network according to a second preferred embodiment of the present invention. This embodiment is the first case described above.
  • the backbone network includes three autonomous domains: two IPv4 autonomous domains and one IPv6 autonomous domain.
  • the IPv6 autonomous domain that has many PEs connected to the VPN site is set to PAS, and the other two IPv4 autonomous domains are set to DAS1 and DAS2.
  • PAS and DAS2 are included in the BHN, and DAS1 is only connected to DAS2 and not connected to PAS. That is to say, this embodiment is divided into three layers: the highest layer is PAS, the first layer is DAS2, and the second layer is DAS1.
  • the user site addressing method of the VPN system of this embodiment is exactly the same as that of the embodiment shown in FIG. 4 and is not repeated here.
  • each CE router aggregates the addresses of the user sites to form corresponding routing entries. Then, it is possible to perform routing learning and processing of the VPN site, processing of label distribution, and processing of VPN data forwarding.
  • routing learning and publishing processing methods of the VPN site are described in detail.
  • the principle of routing learning and publishing of the VPN site is the same as that of the embodiment shown in FIG. 4, and the method includes the following processes:
  • Procedure 1 The CE router advertises the aggregated route to the PE router connected to it. For example, in Figure 5, CE1 and CE2 advertise routes to PE1, and CE3 and CE4 advertise routes to PE2.
  • CE5 advertises routes to PE3, and CE6 and CE7 advertise routes to PE4.
  • CE8 and CE9 advertise routes to PE5.
  • the egress PE adds a corresponding inner label to the route received from the CE, where the inner label is allocated by the PE to the site connected to the CE and is used to distinguish different sites, and the routes carrying the labels are advertised to the ingress PE or ASBR in the local domain through MP-IBGP or to the ASBR in the upper-layer autonomous domain through Multi-hop MP-EBGP.
  • PE1 in DAS1 advertises the routes received from CE1 and CE2 to PE2 and to ASBR2 of DAS2.
  • PE2 advertises the routes received from CE3 and CE4 to PE1 and to ASBR2 of DAS2.
  • PE3 advertises the routes learned from CE5 to ASBR2 and to ASBR4 in the PAS.
  • ASBR2 advertises the routes learned from PE1 and PE2 to ASBR4 in PAS.
  • PE4 advertises the routes learned from CE6 and CE7 to PE5 and ASBR4.
  • PE5 advertises the routes learned from CE8 and CE9 to PE4 and ASBR4.
  • ASBR2 of DAS2 stores the inter-domain VPN routes established with PE1 and PE2 in DAS1, and the inter-domain routes established with ASBR2 are also stored in PE1 and PE2.
  • ASBR4 in the PAS stores the inter-domain routes established between it and PE3 and ASBR2, and PE3 and ASBR2 store the inter-AS routes established with ASBR4.
  • the ASBR in the upper-layer autonomous domain advertises the route learned from the local domain to the PE in the lower-layer autonomous domain, and advertises the route learned from the lower-layer autonomous domain to the PE in the local domain.
  • in Figure 5, DAS2 is the upper-layer domain of DAS1: ASBR2 advertises the routes learned from PE3 and ASBR4 to PE1 and PE2, and advertises the routes learned from PE1 and PE2 to PE3.
  • ASBR4 of the PAS advertises the routes learned from PE4 and PE5 to PE3 and ASBR2, and advertises the routes learned from PE3 and ASBR2 to PE4 and PE5.
  • the PE routers in each autonomous domain advertise the routes learned from other PE routers and/or ASBRs to the CE routers connected to them; the CE routers store the IPv4 and/or IPv6 routes they receive.
  • PE1 advertises the routes learned from PE2 and ASBR2 to CE1 and CE2.
  • PE2 advertises the routes learned from PE1 and ASBR2 to CE3 and CE4.
  • PE3 advertises the routes learned from ASBR2 and ASBR4 to CE5.
  • PE4 advertises the routes learned from PE5 and ASBR4 to CE6 and CE7.
  • PE5 advertises the routes learned from PE4 and ASBR4 to CE8 and CE9.
  • the processing of the label distribution and the processing of the VPN data forwarding in this embodiment are basically the same as those in the embodiment shown in FIG. 4, and those skilled in the art can refer to the process for processing, and the description is not repeated here.
  • Figure 6 is a schematic diagram showing the composition of a VPN system of a hybrid site hybrid backbone network according to a preferred embodiment of the present invention. This embodiment is the first case described above.
  • the backbone network includes three autonomous domains: two IPv4 autonomous domains and one IPv6 autonomous domain.
  • the IPv6 autonomous domain that has many PEs connected to the VPN site is set to PAS, and the other two IPv4 autonomous domains are set to DAS1 and DAS2.
  • PAS and DAS2 are included in the BHN, and DAS1 is connected to the PAS. That is to say, this embodiment is divided into two layers: the highest layer is the PAS, and DAS1 and DAS2 are both first-layer DAS.
  • the user site addressing method of the VPN system of this embodiment is exactly the same as that of the embodiment shown in FIG. 4 and is not repeated here.
  • each CE router aggregates the addresses of the user sites to form corresponding routing entries. Then, routing learning and distribution processing of the VPN site, processing of label distribution, and processing of VPN data forwarding can be performed.
  • Procedure 1 The CE router advertises the aggregated route to the PE router connected to it. This process is the same as the previous two embodiments and will not be repeated here.
  • the egress PE adds a corresponding inner label to the route received from the CE; the inner label is allocated by the PE to the site connected to the CE and is used to distinguish different sites, and the routes carrying the labels are advertised to the ingress PE or the ASBR in the local domain through MP-IBGP, or to the ASBR in the upper-layer autonomous domain through Multi-hop MP-EBGP.
  • PE1 in DAS1 advertises the routes received from CE1 and CE2 to PE2 and to ASBR2.
  • PE2 advertises the routes received from CE3 and CE4 to PE1 and to ASBR2.
  • PE4 in the PAS advertises the routes learned from CE7 to PE3, ASBR2 and ASBR3.
  • PE5 advertises the routes learned from CE8 and CE9 to ASBR3.
  • the ASBR in the upper-layer autonomous domain advertises the route learned from the local domain to the PE in the lower-layer autonomous domain, and advertises the route learned from the lower-layer autonomous domain to the PE in the local domain.
  • ASBR2 advertises the routes learned from PE3, PE4, and ASBR3 to PE1 and PE2 in DAS1.
  • ASBR3 advertises the routes learned from PE3, PE4, and ASBR2 to PE5 in DAS2.
  • ASBR3 advertises the routes learned from PE5 to PE3, PE4, and ASBR2.
  • ASBR2 advertises routes learned from PE1 and PE2 to PE3, PE4, and ASBR3.
  • Process 4 The PE routers in each autonomous domain advertise routes learned from other PE routers or/and ASBRs to the CE routers connected to them.
  • the CE router saves after receiving IPv4 routes or / and IPv6 routes.
  • This process is basically the same as in the embodiment shown in Figure 5 and is not repeated here.
  • the processing of label distribution and of VPN data forwarding in this embodiment is also basically the same as in the illustrated embodiments; those skilled in the art can refer to those processes, and the description is not repeated here.
  • FIG. 7 is a schematic diagram showing the composition of a VPN system of a hybrid site hybrid backbone network according to a fourth preferred embodiment of the present invention.
  • This embodiment also includes two dependent domains, DAS1 and DAS2, and the hierarchical relationship between the DAS and the PAS is the same as in the embodiment shown in FIG. 6.
  • the difference between this embodiment and the embodiment shown in FIG. 6 is that in the PAS, the two ports of the ASBR2 are connected to the ASBR1 of the DAS1 and the ASBR4 of the DAS2, respectively.
  • PE2 in DAS1 and ASBR2 in the PAS establish an MP-EBGP connection through one port of ASBR2, pass VPN routes to each other, and pass data to each other through that port;
  • PE5 in DAS2 and ASBR2 in the PAS establish an MP-EBGP connection through the other port of ASBR2, pass VPN routes to each other, and pass data to each other through that port.
  • the virtual private network system of the hybrid site hybrid backbone network of the present invention and its implementation method can form a VPN while the user network and the backbone network transition from IPv4 to IPv6, so that the VPN solution during the network transition period has greater flexibility, reduces the complexity of network equipment upgrades, smoothes the transition from IPv4 to IPv6, and greatly improves the economics and feasibility of network upgrades.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A VPN system of a hybrid-site hybrid backbone network and an implementing method thereof relate to VPN technology, and enable sites based on different IP versions to access each other and to deploy VPN service via a backbone network based on different IP versions. This solves the problem of deploying VPN service over a hybrid network during the transition period. The VPN system of a hybrid-site hybrid backbone network and the implementing method thereof divide the autonomous domains of the multi-domain backbone network into primary and dependent domains, advertise routes within each autonomous domain using the MP-IBGP corresponding to that domain's own IP version, and advertise routes between adjacent autonomous domains using Multi-hop MP-EBGP. At the same time, they maintain IPv4/IPv6 dual routing tables on the CE and PE, and perform tunnel forwarding of the VPN data according to labels distributed in the autonomous domains based on their IP version. Thus a VPN over a hybrid-site multi-domain backbone network can be implemented.

Description

Virtual private network system of a hybrid-site hybrid backbone network and implementation method thereof
Technical field
The present invention relates to virtual private network technology, and in particular to a virtual private network system of a hybrid-site hybrid backbone network of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), and an implementation method thereof.
Background of the invention
A Virtual Private Network (VPN) is a virtual private network established over a public network; it has the same excellent security, reliability and manageability as a dedicated private network. A VPN replaces traditional dial-up access, using the public Internet or carrier network resources as an extension of the enterprise's private network and saving expensive leased-line charges, while technologies such as tunneling protocols, authentication and data encryption guarantee the security of communication; it is therefore welcomed by enterprise users.
Building a VPN brings an enterprise many benefits: for example, by using a VPN an enterprise can save a large part of its daily communication costs; it can carry out distance teaching and remote monitoring to achieve unified enterprise management; and it can improve the security of the circulation of internal business information. It can be foreseen that VPNs are an inevitable trend in enterprise internal network design and in information management and circulation.
At present, the VPNs already deployed are based on IPv4 networks, that is, both the backbone network and the sites making up the VPN are in IPv4 networks. As a typical representative, Request for Comments (RFC) standard 2547bis describes concretely how to implement a VPN; for details refer to RFC 2547bis. It is a provider-provisioned VPN (PP VPN): the VPN equipment is located on the network side, the operator provides the VPN service to users, and user equipment need not be aware of the VPN, needing only to connect to the PE equipment provided by the operator. The basic principles of implementing this scheme are briefly introduced below.
RFC2547bis定义的多协议标记交换( Multiprotocol Label Switching, MPLS )三层(Layer 3 , L3 ) VPN的模型如图 1所示, 该模型包括三个. 组成部份: 位于用户驻地网络边缘的用户网边缘路由器(Custom Edge Router, CE )、 位于骨干网边缘层的骨干网边缘路由器 ( Provider Edge Router, PE )和位于骨干网核心层的骨干网路由器(Provider Router, P )。  The model of Multi-Protocol Label Switching (MPLS) Layer 3 (L3) VPN defined by RFC2547bis is shown in Figure 1. The model consists of three components: The edge of the user network at the edge of the customer premises network A Custom Edge Router (CE), a Provider Edge Router (PE) at the edge layer of the backbone network, and a Provider Router (P) at the core layer of the backbone network.
其中, CE路由器是用户驻地网络的一个组成部分,有接口直接与运. 营商的骨干网络相连, CE路由器感知不到 VPN的存在, 也不需要维护 VPN的整个路由信息; PE路由器是运营商网絡的边缘设备, 与用户的 CE路由器直接相连, 在 MPLS网络中, 对 VPN的所有处理都在 PE路 由器上完成; P路由器处于运营商网络中, 不和 CE路由器直接相连, P. 路由器有 MPLS基本信令能力和转发能力。 熟悉本领域的技术人员可以 理解, CE和 PE的划分主要是从运营商与用户的管理范围来划分的, CE 和 PE是两者管理范围的边界。  The CE router is an integral part of the customer premises network. The interface is directly connected to the carrier's backbone network. The CE router does not know the existence of the VPN and does not need to maintain the entire routing information of the VPN. The PE router is the carrier. The edge device of the network is directly connected to the CE router of the user. In the MPLS network, all processing of the VPN is performed on the PE router; the P router is in the carrier network and is not directly connected to the CE router, and the P. router has MPLS. Basic signaling capabilities and forwarding capabilities. Those skilled in the art can understand that the division of CE and PE is mainly divided by the management scope of operators and users, and CE and PE are the boundaries of the management scope of both.
CE路由器与 PE路由器之间可以使用外部边界网关协议 ( External An external border gateway protocol can be used between the CE router and the PE router (External
BGP , EBGP )或是内部网关协议 ( Interior Gateway Protocol, IGP )等 路由协议交换路由信息, 也可以使用静态路由。 CE不必支持 MPLS, 不 需要感知 VPN的整网路由, VPN的整网路由外包给运营商来完成。 PE 之间通过多协议边界网关协议 ( Multi-Protocol Border Gateway Protocol, MP-BGP ) 交换 VPN的整网路由信息。 BGP, EBGP) or the Interior Gateway Protocol (IGP) routing protocol exchanges routing information. Static routes can also be used. The CE does not need to support MPLS. It does not need to perceive the entire network route of the VPN. The entire network route of the VPN is outsourced to the operator. The PE exchanges the entire network routing information of the VPN through the Multi-Protocol Border Gateway Protocol (MP-BGP).
As shown in Figure 1, a VPN is made up of multiple customer sites. On the PE, each site corresponds to a VPN Routing/Forwarding instance (VRF), which mainly contains an Internet Protocol (IP) routing table, a label forwarding table, the set of interfaces that use that label forwarding table, and management information. The management information includes the Route Distinguisher (RD), route filtering policies, the list of member interfaces, and so on. Figure 1 also shows that there is no one-to-one relationship between customer sites and VPNs: a site may belong to several VPNs at once. In a concrete implementation, each site is associated with its own VRF. A site's VRF effectively combines the site's VPN membership and its routing rules. The system maintains an independent routing table and label forwarding table for each VRF and stores the packet forwarding information there. This prevents data from leaking out of the VPN and prevents data from outside the VPN from entering it.

Routers use the Border Gateway Protocol (BGP) to distribute VPN routes. BGP communication takes place at two levels: Internal BGP (IBGP) inside an Autonomous System (AS) and EBGP between ASes. For example, PE-PE sessions are IBGP sessions, while PE-CE may use an IGP or BGP. The propagation of VPN membership information and routes between PE routers is implemented with the multiprotocol extensions to BGP (MP-BGP). MP-BGP is backward compatible: it supports the traditional IPv4 address family as well as other address families, such as the VPN-IPv4 address family. The Route Target carried by MP-BGP ensures that the routes of a particular VPN are known only to the other members of that VPN, which makes communication between the members of a BGP/MPLS VPN possible. MP-BGP is described in detail in RFC 2283.

In RFC 2547bis, routing information is propagated between CE and PE with an Interior Gateway Protocol (IGP) or with EBGP, and the PE stores the resulting VPN routing table in a separate VRF. The PEs use an IGP among themselves to ensure ordinary IP connectivity, use IBGP to propagate VPN membership information and routes, and update their respective VRFs. Each PE then updates the routing table of its directly attached CE through route exchange with it, which completes the route exchange between the CEs.

When BGP distributes VPN routes it uses a new address family, the VPN-IPv4 address. A VPN-IPv4 address is 12 bytes long: an 8-byte RD followed by a 4-byte IPv4 address. The PE uses the RD to distinguish routing information from different VPNs. Operators can assign RDs independently, but must include their own AS number in the RD to guarantee that every RD is globally unique. A VPN-IPv4 address with an RD of zero is synonymous with a globally unique IPv4 address. As a result, VPN-IPv4 addresses remain globally unique even when the 4-byte IPv4 addresses they contain overlap. The routes a PE receives from a CE are IPv4 routes; when they are imported into the VRF routing table an RD must be attached. In the usual implementation all routes from the same customer site are given the same RD.

In RFC 2547bis, the Route Target attribute identifies the set of sites that may use a route, that is, which sites may receive the route and from which sites a PE router may accept routes. Every PE router attached to a site named in the Route Target receives routes carrying that attribute and, after receiving such a route, adds it to the corresponding routing table. A PE router holds two sets of Route Target attributes: one set is attached to the routes received from a given site, the Export Route Targets; the other set determines which routes may be imported into that site's routing table, the Import Route Targets. VPN membership is obtained by matching the Route Target attributes carried by routes, and the same matching can be used to filter the routing information a PE router accepts.

Figure 2 illustrates filtering of received routes by matching Route Target attributes. When MPLS VPN routing information arrives at a PE router, the route is accepted if the Export Route Targets set and the Import Route Targets set have an element in common; if they have no element in common, the route is rejected.
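As an added illustration, not part of the patent text, the following Python model shows the RFC 2547bis mechanics just described: a Type 0 route distinguisher packed into 8 bytes, the 12-byte VPN-IPv4 address, and the Import/Export Route Target matching of Figure 2. The VRF names, RD values, Route Target values and the overlapping 10.1.0.0/24 prefix are constructed for the example.

```python
"""Model of RFC 2547bis VPN-IPv4 routes and Route Target filtering (added example)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class RouteDistinguisher:
    """Type 0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    asn: int
    number: int

    def to_bytes(self) -> bytes:
        return struct.pack("!HHI", 0, self.asn, self.number)

    def __str__(self) -> str:
        return f"{self.asn}:{self.number}"


@dataclass(frozen=True)
class VpnIpv4Route:
    rd: RouteDistinguisher
    prefix: IPv4Network
    route_targets: frozenset  # Export Route Targets attached by the originating PE

    def vpn_ipv4_address(self) -> bytes:
        """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 address."""
        return self.rd.to_bytes() + self.prefix.network_address.packed


@dataclass
class Vrf:
    name: str
    rd: RouteDistinguisher
    import_rts: frozenset
    export_rts: frozenset
    routes: dict = field(default_factory=dict)  # VPN-IPv4 address bytes -> VpnIpv4Route

    def export_from_ce(self, prefix: str) -> VpnIpv4Route:
        """IPv4 route received from the attached CE: attach this VRF's RD and Export RTs."""
        route = VpnIpv4Route(self.rd, IPv4Network(prefix), self.export_rts)
        self.routes[route.vpn_ipv4_address()] = route
        return route

    def accept(self, route: VpnIpv4Route) -> bool:
        """Import filter of Figure 2: accept iff the route's RTs intersect our Import RTs."""
        if not (self.import_rts & route.route_targets):
            return False
        self.routes[route.vpn_ipv4_address()] = route
        return True


def demo() -> dict:
    """Constructed scenario: two VPNs whose sites both use 10.1.0.0/24, plus a shared VRF."""
    rt_a, rt_b = "65000:100", "65000:200"  # constructed Route Target values
    pe1_a = Vrf("PE1-vpnA", RouteDistinguisher(65000, 1), frozenset({rt_a}), frozenset({rt_a}))
    pe1_b = Vrf("PE1-vpnB", RouteDistinguisher(65000, 2), frozenset({rt_b}), frozenset({rt_b}))
    pe2_a = Vrf("PE2-vpnA", RouteDistinguisher(65000, 3), frozenset({rt_a}), frozenset({rt_a}))
    pe2_ab = Vrf("PE2-shared", RouteDistinguisher(65000, 4), frozenset({rt_a, rt_b}),
                 frozenset({rt_a, rt_b}))
    # Both CE sites announce the same private prefix; the RD keeps the two NLRIs distinct.
    advertised = [pe1_a.export_from_ce("10.1.0.0/24"), pe1_b.export_from_ce("10.1.0.0/24")]

    result = {"nlri_hex": [r.vpn_ipv4_address().hex() for r in advertised]}
    for vrf in (pe2_a, pe2_ab):
        result[vrf.name] = sorted(f"{r.rd}:{r.prefix}" for r in advertised if vrf.accept(r))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

What each VRF on PE2 imports is decided purely by Route Target intersection; the RD only keeps the two announcements distinct on the BGP level. The shared VRF that imports both therefore ends up holding two entries for the same IPv4 prefix, which its IP routing table cannot resolve: sites that are meant to reach each other must not use overlapping addresses even though the VPN-IPv4 encoding itself tolerates the overlap.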
In RFC 2547bis, VPN packets are forwarded with two levels of labels. The first level, the outer label, is swapped inside the backbone network and represents a Label Switched Path (LSP) from the PE to the peer PE; with this label a VPN packet travels along the LSP to the remote PE. The second level, the inner label, is used when the packet goes from the remote PE to the CE: it indicates which site, or more specifically which CE, the packet is destined for, so the inner label identifies the interface on which to forward the packet. In the special case where two sites of the same VPN are attached to the same PE, the question of how to reach the remote PE does not arise and only the question of how to reach the remote CE has to be solved.
With the development of communication network technology, the traditional IPv4 network has shown a series of shortcomings, in particular insufficient address space, poor mobility, weak security and complex configuration. The Internet Engineering Task Force (IETF) therefore proposed IPv6 to address these problems. After several years of development IPv6 has matured, has largely solved the problems of IPv4, and has become the standard for the next-generation Internet.

To keep providing the services of the IPv4 environment while evolving from IPv4 to IPv6, VPN solutions for IPv6 networks must be studied at the same time. IPv6 itself is still in a trial phase and not yet in formal large-scale commercial use, and there are as yet no formal VPN service deployments on IPv6 networks.
Where the backbone is an IPv4 network and all VPN sites are IPv6 networks, a VPN can be built with the 6PE scheme, whose network composition is shown in Figure 3. The basic idea of 6PE is that every IPv6 site is connected to at least one dual-stack, MP-BGP-capable PE router of the IPv4 backbone, the 6PE router of Figure 3. A 6PE router is called a dual-stack BGP (DS-BGP) router. A DS-BGP router has at least one IPv4 address on its IPv4 side and at least one IPv6 address on its IPv6 side, and the IPv4 address must be routable in the IPv4 network. Routing inside an IPv6 site follows the standard IPv6 routing protocols, such as Open Shortest Path First version 3 (OSPFv3), IS-IS for IPv6 (ISISv6) or Routing Information Protocol next generation (RIPng). These routes are not advertised into the IPv4 backbone; they are terminated on the DS-BGP router by BGP4+, while the DS-BGP routers exchange IPv6 Network Layer Reachability Information (NLRI) among themselves with MP-BGP4. When the egress DS-BGP router advertises routes to the ingress DS-BGP router it sets its own address as the next hop of those routes; during packet forwarding, the ingress DS-BGP router passes the IPv6 packets transparently through an MPLS tunnel, that is, an LSP, to the egress DS-BGP router. When a DS-BGP router advertises its own address as the BGP next hop it can use an IPv4 address, in which case the tunnel is an MPLS tunnel or another tunnel based on IPv4 addresses, such as a Generic Routing Encapsulation (GRE) tunnel or an IP Security (IPsec) tunnel; or it can use an IPv6 address together with the corresponding tunnel type, such as a 6to4 tunnel or an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, using the address form that those tunnels require.
However, the transition from IPv4 to IPv6 is a gradual process, and during the transition period IPv4 and IPv6 networks will coexist: both the customer networks and the backbone networks may be IPv4 networks, IPv6 networks, or mixed IPv4/IPv6 networks. VPN services of the next-generation network must therefore cope with this complex environment and work normally over IPv4 networks, IPv6 networks and mixed IPv4/IPv6 networks.

Because the above scheme targets the case of an IPv4 backbone with all VPN sites being IPv6 sites, the DS-BGP used in it cannot support IPv4 sites, and simply substituting ordinary BGP routers would lose functions such as NLRI exchange. Moreover, in the existing scheme the learning and advertisement of VPN routes take place in an IPv4 network, so routers in a mixed backbone cannot learn and advertise routes; VPN route learning, route advertisement and data forwarding over a mixed backbone are therefore not supported.

Summary of the invention
In view of this, one main object of the present invention is to provide a VPN system for a hybrid-site, hybrid-backbone network, in which sites based on different IP versions can access each other and run VPN services through backbone networks based on different IP versions.

Another main object of the present invention is to provide a method for implementing a VPN over a hybrid-site, hybrid-backbone network, which enables sites based on different IP versions to access each other and run VPN services through backbone networks based on different IP versions.

To achieve the above object, in one aspect the present invention provides a VPN system for a hybrid-site, hybrid-backbone network, comprising VPN customer sites, customer edge routers CE, provider edge routers PE and a backbone network, where the customer sites access the backbone network through the CEs and the PEs to exchange data with each other, characterised in that: the VPN system contains customer sites based on Internet Protocol version 4 (IPv4) and version 6 (IPv6); the backbone network contains multiple IPv4 autonomous systems and IPv6 autonomous systems;

one autonomous system of the backbone network is the primary autonomous system PAS, and the autonomous systems of the backbone other than the PAS are subordinate autonomous systems DAS; the PAS and the DASs are interconnected through autonomous system border routers ASBR that support the IPv4 and IPv6 dual protocol stack;

the ASBR of the PAS stores the inter-domain routes it has established with the PEs of the DASs; each CE supports the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack, and stores IPv4 routes and/or IPv6 routes;

each PE supports the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4 and IPv6 dual protocol stack; a PE of the PAS stores IPv4 routes and IPv6 routes; a PE of a DAS stores IPv4 routes, IPv6 routes and the inter-domain routes it has established with the ASBR of the PAS;

the customer sites exchange data according to the routes stored on the CEs and PEs.

The primary autonomous system may be the IPv6 autonomous system of the backbone that contains the largest number of PEs attached to sites. A DAS directly connected to the PAS may be a first-layer DAS; the system may further contain one or more further layers of DASs, each lower-layer DAS being connected to the DAS of the layer above through an ASBR;

the ASBR of the upper-layer DAS stores the inter-domain routes it has established with the PEs of the lower-layer DAS; a PE of the lower-layer DAS stores IPv4 routes, IPv6 routes and the inter-domain routes it has established with the ASBR of the upper-layer DAS.

Where the IP version of a customer site differs from that of its autonomous system, the CE and the PE that connect that site to the autonomous system support the IPv4 and IPv6 dual protocol stack.

The CE of an IPv4 customer site that needs to access IPv6 customer sites stores IPv4 routes and IPv6 routes;

the CE of an IPv6 customer site that needs to access IPv4 customer sites stores only IPv6 routes;

the CE of an IPv4 customer site that accesses only IPv4 customer sites stores only IPv4 routes.

To achieve the above object, in another aspect the present invention provides a method for implementing a VPN over a hybrid-site, hybrid-backbone network. The method uses the VPN system described above, and its process for providing the VPN service includes the following steps:
A. Address the IPv4 and IPv6 customer sites so as to form IPv4 and IPv6 address information in a uniform format;

B. Let the customer sites and the backbone network learn and advertise routes, so that the IPv4 routes, the IPv6 routes and the inter-domain routes established between the ASBR of the PAS and the PEs of the DASs are advertised to the PEs in the system and to the CEs attached to those PEs;

C. Let the backbone network distribute the inner labels and the outer labels;

D. Forward the data packets of the customer sites according to the routes learned by the CEs and PEs in step B.

The method of addressing the IPv4 and IPv6 customer sites in step A may be as follows: between IPv4 customer sites, addresses take the form "route distinguisher + IPv4 address", forming IPv4 addresses with address family identifier 1; between IPv4 and IPv6 customer sites, and between IPv6 customer sites, addresses take the form "route distinguisher + IPv6 address", forming IPv6 addresses with address family identifier 2.

An IPv4 customer site that communicates with IPv6 customer sites maps its IPv4 address A.B.C.D to an IPv6 address of the form 0::A:B:C:D and then combines it with the route distinguisher to form an IPv6 address with address family identifier 2.

The method may further include: when the backbone network also contains DASs that are not directly connected to the PAS, the backbone network is layered; the DASs directly connected to the PAS form the first layer, the DASs connected to first-layer DASs form the second layer, and so on;
Step B may include:

B1. Each CE advertises the aggregated routes of its IPv4 or IPv6 customer site to the PE it is attached to;

B2. A PE of the upper layer advertises the routes learned from its CE to the PEs and/or ASBRs of its own domain; a PE of the lower layer advertises the routes learned from its CE to the PEs of its own domain and to the ASBR of the upper-layer autonomous system that connects to its domain;

B3. The ASBR of the upper-layer autonomous system advertises the routes learned in its own domain to the PEs of the lower-layer autonomous system, and advertises the routes learned from the lower-layer autonomous system to the PEs of its own domain;

B4. The PE routers of each autonomous system advertise the routes learned from other PE routers and/or ASBRs to the CE routers attached to them; a CE router saves the IPv4 routes and/or IPv6 routes it receives.

Step B2 may further include:

storing, on the lower-layer PE and on the ASBR of the upper-layer autonomous system that connects to its domain respectively, the inter-domain route between that lower-layer PE and that ASBR.

Step B2 may further include: the PE router, according to the VPN the route belongs to and the IP version of the route, adds to the IPv4 and IPv6 routes learned from the CE router a route distinguisher RD, an address family identifier AFI and a subsequent address family identifier SAFI, forming routing information in the uniform form consisting of RD, AFI, SAFI, the Route Target extended community attribute, and the IPv4 address or IPv6 address.

In step B2, within an autonomous system the routes of the customer sites of the CEs attached to a PE are advertised between PEs, and between PEs and ASBRs, through the internal BGP (IBGP) based on the IP version of that autonomous system;

a lower-layer PE advertises routes to the ASBR of the upper-layer autonomous system that connects to its domain through multi-hop multiprotocol external BGP (multi-hop MP-EBGP) based on the IP version of its own autonomous system;

in step B3, the ASBR of the upper-layer autonomous system advertises routes to the PEs of the lower-layer autonomous system through multi-hop MP-EBGP based on the IP version of the lower-layer autonomous system, and advertises the routes it has learned to the PEs of its own domain through IBGP based on the IP version of its own autonomous system;

in step B4, within each autonomous system, a PE advertises the routes it has learned to the peer PEs inside the domain through IBGP based on the IP version of that autonomous system.
For an IPv4 customer site that needs to access IPv6 customer sites, step B4 may include the following sub-steps:

B41. The CE attached to that IPv4 customer site and the PE attached to that CE run an IPv6-based routing protocol to learn routes; the PE converts the stored routes of IPv4 customer sites from the form A.B.C.D/n into IPv6 routes of the form 0::A:B:C:D/(96+n) and advertises them to the CE through the IPv6 routing protocol;

B42. On receiving an IPv6 route of the form 0::A:B:C:D/(96+n), the CE restores it to an IPv4 route of the form A.B.C.D/n, and saves the routes of IPv6 customer sites as IPv6 routes.

For an IPv6 customer site that needs to access IPv4 customer sites, step B4 may include the following sub-steps:

B43. The CE attached to that IPv6 customer site and the PE attached to that CE run an IPv6-based routing protocol to learn routes;

B44. The CE stores the routes of IPv4 customer sites directly as IPv6 routes of the form 0::A:B:C:D/(96+n), and saves the routes of IPv6 customer sites in their original form.
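As an added example, not from the patent, the following Python code carries out the address and route conversions of steps A, B2, B41/B42 and B44: mapping an IPv4 route A.B.C.D/n to the IPv6 form written 0::A:B:C:D/(96+n) and back, tagging a route with RD, AFI and SAFI to form the uniform routing information of step B2, and the CE-side handling for the three kinds of site. Two assumptions are labelled in the code: the notation 0::A:B:C:D is read as 96 zero bits followed by the 32-bit IPv4 address, which is the reading consistent with the /(96+n) prefix length, and the SAFI value 128 is the conventional MPLS-labelled VPN SAFI, since the text gives no value. The RD, Route Target and prefix values are constructed.

```python
"""IPv4/IPv6 route representation of steps A and B4 (added example, not patent text)."""
from ipaddress import IPv4Network, IPv6Network, ip_network

AFI_IPV4, AFI_IPV6 = 1, 2               # address family identifiers named in the text
SAFI_MPLS_VPN = 128                     # assumed: labelled-VPN SAFI; the text gives no value
V4_IN_V6 = IPv6Network("::/96")         # assumed reading of 0::A:B:C:D: 96 zero bits + IPv4


def v4_route_to_v6(route: str) -> str:
    """A.B.C.D/n -> 0::A:B:C:D/(96+n): the IPv4 address occupies the low 32 bits."""
    net = IPv4Network(route)
    return str(IPv6Network((int(net.network_address), 96 + net.prefixlen)))


def is_mapped_v4(net: IPv6Network) -> bool:
    """True for routes inside ::/96 with prefix length >= 96, i.e. the 0::A:B:C:D/(96+n) form."""
    return net.prefixlen >= 96 and net.subnet_of(V4_IN_V6)


def v6_route_to_v4(route: str) -> str:
    """0::A:B:C:D/(96+n) -> A.B.C.D/n (step B42); rejects routes not in the mapped form."""
    net = IPv6Network(route)
    if not is_mapped_v4(net):
        raise ValueError(f"{route} is not a mapped IPv4 route")
    return str(IPv4Network((int(net.network_address) & 0xFFFFFFFF, net.prefixlen - 96)))


def vpn_nlri(rd: str, route_target: str, route: str, peer_is_ipv4: bool) -> tuple:
    """Uniform routing information of step B2: (RD, AFI, SAFI, Route Target, prefix).
    Routes exchanged only between IPv4 sites keep AFI 1; anything involving an IPv6
    site is carried as AFI 2, with IPv4 prefixes mapped first (step A)."""
    net = ip_network(route)
    if net.version == 4 and peer_is_ipv4:
        return (rd, AFI_IPV4, SAFI_MPLS_VPN, route_target, str(net))
    prefix = v4_route_to_v6(route) if net.version == 4 else str(net)
    return (rd, AFI_IPV6, SAFI_MPLS_VPN, route_target, prefix)


def ce_install(site_kind: str, received: list) -> dict:
    """What a CE keeps after step B4. `received` holds the routes exactly as the PE
    advertises them to this CE (IPv6 form whenever IPv6 routing runs on the link)."""
    kept = {"ipv4": [], "ipv6": []}
    for route in received:
        net = ip_network(route)
        if site_kind == "v4_only":           # IPv4 protocol only: IPv6 routes are dropped
            if net.version == 4:
                kept["ipv4"].append(str(net))
        elif site_kind == "v4_needs_v6":     # B41/B42: restore mapped routes, keep native IPv6
            if net.version == 6 and is_mapped_v4(net):
                kept["ipv4"].append(v6_route_to_v4(route))
            elif net.version == 6:
                kept["ipv6"].append(str(net))
        elif site_kind == "v6_needs_v4":     # B43/B44: everything stays in IPv6 form
            if net.version == 6:
                kept["ipv6"].append(str(net))
        else:
            raise ValueError(f"unknown site kind {site_kind}")
    return kept


if __name__ == "__main__":
    print(v4_route_to_v6("10.2.0.0/16"), v6_route_to_v4("::c0a8:100/120"))
    print(vpn_nlri("65000:1", "65000:100", "10.2.0.0/16", peer_is_ipv4=False))
    print(ce_install("v4_needs_v6", ["::a02:0/112", "2001:db8:1::/48"]))
```

The mapped form lives inside ::/96, the deprecated IPv4-compatible IPv6 range, so a CE that restores routes from it should only trust prefixes of length 96 or more; `is_mapped_v4` enforces that before any route is turned back into IPv4, which keeps an ordinary short IPv6 prefix from being mistaken for a site route.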
For an IPv4 customer site that accesses only IPv4 customer sites, in step B only the IPv4 routing protocol runs between the CE attached to that site and the PE attached to that CE; they learn and save only the IPv4 routes of the other IPv4 customer sites and discard IPv6 routes.

In step B4, after receiving an IPv4 route, an IPv6 route or an inter-domain route, the PE decides according to the Route Target extended community attribute of the multiprotocol BGP route whether to learn it and advertise it to the customer site.

In step C, the inner label is allocated by the ingress PE, meaning here the PE that originates the route, and distinguishes the different customer sites attached to that PE; the inner label is advertised together with the route to the corresponding egress PE.

The outer label is allocated within an autonomous system by running the Label Distribution Protocol (LDP), Resource Reservation Protocol with Traffic Engineering (RSVP-TE) or Constraint-based Routed LDP (CR-LDP); between autonomous systems it is allocated by the ASBRs of the two autonomous systems through multiprotocol external BGP for the bidirectional connection between the ASBRs. The outer label is used to forward packets inside the backbone network.
Step D may include the following sub-steps:

D1. Forward IP data from the source customer site to the ingress PE following the ordinary IP forwarding process;

D2. Perform label forwarding between the ingress PE and the egress PE;

D3. The egress PE forwards the IP data to the destination customer site according to the inner label and its stored routing table.

Step D2 may include the following sub-steps:

D21. On the ingress PE, push onto the packet the inner label of the destination site, then push the outer label allocated in the autonomous system to which the ingress PE belongs;

D22. Forward the packet according to the outer label to the ASBR facing the neighbouring autonomous system;

D23. The ASBR forwards the packet to the ASBR of the next adjacent autonomous system according to the outer label allocated between the ASBRs;

D24. The ASBR forwards the packet to the egress PE.
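The following Python model, added here and not part of the patent, walks a packet through the two-level label forwarding of RFC 2547bis described earlier and through sub-steps D21 to D24: the ingress PE pushes the inner label it learned with the route and the outer label of its own domain, P routers and the two ASBRs swap only the outer label, the penultimate hop pops it, and the egress PE uses the inner label to pick the attached site. The topology (one DAS and one PAS joined by a pair of ASBRs), the label values, the node names and the site prefixes are constructed for the example.

```python
"""Two-level label forwarding across two autonomous systems (added example, not patent text)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Node:
    name: str
    lfib: dict = field(default_factory=dict)        # outer label -> (action, out_label, next_hop)
    vpn_labels: dict = field(default_factory=dict)  # egress PE: inner label -> attached site
    vrf_fib: dict = field(default_factory=dict)     # ingress PE: prefix -> (inner, outer, next_hop)


def longest_match(vrf_fib: dict, dst: str) -> tuple:
    """Ordinary longest-prefix lookup in the ingress VRF (where step D1 ends)."""
    addr = ip_address(dst)
    matches = [(ip_network(p).prefixlen, entry) for p, entry in vrf_fib.items()
               if ip_network(p).version == addr.version and addr in ip_network(p)]
    if not matches:
        raise LookupError(f"no VPN route for {dst}")
    return max(matches, key=lambda m: m[0])[1]


def forward(nodes: dict, ingress: str, dst: str) -> tuple:
    """Carry a packet for dst from the ingress PE to the egress site.
    Returns (path, delivered_site, label stack as seen by the egress PE)."""
    inner, outer, nxt = longest_match(nodes[ingress].vrf_fib, dst)
    stack = [outer, inner]            # D21: inner (VPN) label first, outer (LSP) label on top
    path, cur = [ingress], nxt
    while True:
        node = nodes[cur]
        path.append(cur)
        if node.vpn_labels:           # D3: egress PE, recognised by its VPN label table
            seen = list(stack)
            if len(stack) == 2:       # outer label still present: no penultimate-hop pop
                stack.pop(0)
            return path, node.vpn_labels[stack[0]], seen
        action, out_label, nxt = node.lfib[stack[0]]  # D22-D24: transit hops act on the outer label only
        if action == "swap":
            stack[0] = out_label
        else:                         # "pop": penultimate-hop pop before the egress PE
            stack.pop(0)
        cur = nxt


def build_demo() -> dict:
    """Constructed topology: site A - PE1 (DAS) - P1 - ASBR_D | ASBR_P - P2 - PE2 (PAS) - sites B, C."""
    pe1 = Node("PE1", vrf_fib={"2001:db8:b::/48": (300, 100, "P1"),   # inner labels learned
                               "2001:db8:c::/48": (301, 100, "P1")})  # together with PE2's routes
    p1 = Node("P1", lfib={100: ("swap", 101, "ASBR_D")})          # LDP label inside the DAS
    asbr_d = Node("ASBR_D", lfib={101: ("swap", 500, "ASBR_P")})  # label allocated between the ASBRs
    asbr_p = Node("ASBR_P", lfib={500: ("swap", 200, "P2")})      # LSP label inside the PAS
    p2 = Node("P2", lfib={200: ("pop", None, "PE2")})             # penultimate-hop pop
    pe2 = Node("PE2", vpn_labels={300: "site-B", 301: "site-C"})  # labels PE2 allocated per site
    return {n.name: n for n in (pe1, p1, asbr_d, asbr_p, p2, pe2)}


if __name__ == "__main__":
    print(forward(build_demo(), "PE1", "2001:db8:b::10"))
```

Nothing between PE1 and PE2 ever looks at the IPv6 destination: the DAS (an IPv4 domain in this constructed topology) forwards purely on the outer label, which is what lets an IPv6 site route traverse an IPv4 backbone. It is also why the inner label must be trusted only from the PE that advertised it: a wrong or spoofed inner label delivers the packet to a different site of the same egress PE.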
The topology relationships between the customer sites can be realised by matching Route Target community attributes.

As can be seen from the above technical solution, the VPN system for a hybrid-site, hybrid-backbone network of the present invention and its implementation differ from the prior art in the following respects: the invention divides the autonomous systems of a multi-domain backbone into a primary one and subordinate ones; within each autonomous system routes are advertised with the MP-IBGP matching that autonomous system's IP version; between adjacent autonomous systems routes are advertised with multi-hop MP-EBGP; dual IPv4/IPv6 routing tables are run on the CEs and PEs; and within each autonomous system labels are allocated according to its IP version for the tunnelled forwarding of VPN data, thereby realising a VPN for hybrid sites over a multi-domain backbone.

Therefore, by adopting the hybrid-site, hybrid-backbone VPN of the present invention and its implementation, a VPN can be formed while the customer networks and the backbone network are transitioning from IPv4 to IPv6. The VPN solution for the transition period becomes more flexible, the complexity of upgrading network equipment is reduced, the transition from IPv4 to IPv6 becomes smoother, and the economy and feasibility of network upgrades are greatly improved.

Brief description of the drawings
Fig. 1 is a schematic diagram of the system composition of an MPLS L3 VPN as defined by RFC 2547bis;
Fig. 2 is a schematic diagram of filtering received routes by matching the Route Target attribute;
Fig. 3 is a schematic diagram of the system composition of a BGP/MPLS VPN implemented with the 6PE scheme;
Fig. 4 is a schematic diagram of the VPN system composition of a hybrid-site hybrid backbone network according to the first preferred embodiment of the present invention;
Fig. 5 is a schematic diagram of the VPN system composition of a hybrid-site hybrid backbone network according to the second preferred embodiment of the present invention;
Fig. 6 is a schematic diagram of the VPN system composition of a hybrid-site hybrid backbone network according to the third preferred embodiment of the present invention;
Fig. 7 is a schematic diagram of the VPN system composition of a hybrid-site hybrid backbone network according to the fourth preferred embodiment of the present invention.
MODE FOR CARRYING OUT THE INVENTION
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and to embodiments.
In the VPN system of a hybrid-site hybrid backbone network of the present invention and its implementing method, the multiple autonomous domains of the backbone network are divided into a master-slave relationship: one IPv6 autonomous domain among them is determined to be the Primary AS (PAS), and the other autonomous domains are Dependent ASs (DAS). In addition, if the backbone network contains a DAS that is not directly connected to the PAS, the hierarchical relationship of the DASs can also be determined from how each DAS connects to the PAS. For example, a DAS directly connected to the PAS is a first-layer DAS; a DAS connected to a first-layer DAS but not directly connected to the PAS is a second-layer DAS; and so on, which determines the hierarchical relationship of every autonomous domain in the backbone network.
Between the Autonomous System Border Router (ASBR) of the PAS or of an upper-layer DAS and the PE of the next-layer DAS, a Multi-hop Multi-Protocol External BGP (Multi-hop MP-EBGP) connection and an inter-domain tunnel are established; they carry, respectively, inter-domain VPN route advertisement and inter-domain VPN data forwarding. VPN route advertisement and data forwarding between PEs inside one autonomous domain are completed inside that domain by Multi-Protocol Internal BGP (MP-IBGP) based on the IP protocol version (IPv4 or IPv6) of that domain and by intra-domain tunnels. At the same time, in order to achieve interworking between addresses of different versions, certain address and route conversion processing is also performed.
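The layering rule and the session types just described, as an added worked example (this is illustration code, not part of the patent or of any Huawei implementation): given a constructed AS topology, it assigns the PAS/DAS layers by breadth-first search from the PAS and lists which session each adjacency needs. The AS numbers, IP versions and links are assumptions; the rule that the Multi-hop MP-EBGP session between an upper-layer ASBR and a next-layer PE runs on the IP version of the lower domain follows the text's description of process three below.

```python
"""Added example (not from the patent): derive the PAS/DAS layering of a
multi-domain backbone and the BGP session each adjacency needs.
The AS numbers, IP versions and links below are constructed."""
from collections import deque

# Constructed backbone: autonomous domain -> IP version run inside it.
AS_VERSION = {65000: 6, 65001: 4, 65002: 6, 65003: 4}
# Constructed ASBR-to-ASBR adjacencies between domains.
AS_LINKS = [(65000, 65001), (65000, 65002), (65001, 65003)]


def assign_layers(pas, as_version, links):
    """Map each domain to its layer: the PAS is layer 0, a DAS directly
    attached to the PAS is layer 1, a DAS reachable only through a layer-1
    DAS is layer 2, and so on (breadth-first search from the PAS)."""
    if as_version[pas] != 6:
        raise ValueError("the PAS must be an IPv6 autonomous domain")
    adj = {asn: set() for asn in as_version}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    layer = {pas: 0}
    queue = deque([pas])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):
            if nxt not in layer:
                layer[nxt] = layer[cur] + 1
                queue.append(nxt)
    unreachable = set(as_version) - set(layer)
    if unreachable:
        raise ValueError(f"domains not connected to the PAS: {sorted(unreachable)}")
    return layer


def session_plan(pas, as_version, links):
    """Return (layers, sessions). Sessions are
    ("MP-IBGP", asn, asn, version) inside every domain on that domain's own
    IP version (PE<->PE and PE<->ASBR), and
    ("Multi-hop MP-EBGP", upper_asn, lower_asn, version) between the
    upper-layer ASBR and the next-layer PEs, on the IP version of the lower
    (next-layer) domain."""
    layer = assign_layers(pas, as_version, links)
    plan = [("MP-IBGP", asn, asn, as_version[asn]) for asn in sorted(as_version)]
    for a, b in links:
        if layer[a] == layer[b]:
            # Two domains at the same layer: the patent defines no
            # parent/child session for such a link, so it is left out.
            continue
        upper, lower = (a, b) if layer[a] < layer[b] else (b, a)
        plan.append(("Multi-hop MP-EBGP", upper, lower, as_version[lower]))
    return layer, plan


if __name__ == "__main__":
    layers, sessions = session_plan(65000, AS_VERSION, AS_LINKS)
    print(layers)
    for s in sessions:
        print(s)
```

With the constructed topology AS 65001 and 65002 are first-layer DASs and AS 65003, reachable only through 65001, is a second-layer DAS; the PE in 65003 therefore peers over IPv4 Multi-hop MP-EBGP with the ASBR of 65001, not with the PAS.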
The VPN system of a hybrid-site hybrid backbone network of the present invention comprises a backbone network and user networks. The backbone network is used to advertise VPN routes, to establish switching paths and to complete the exchange of data. The backbone network comprises autonomous domains that use different address families, connected to each other through ASBRs located at the edges of the autonomous domains. That is, the backbone network may comprise one or more IPv4 autonomous domains and one or more IPv6 autonomous domains, an IPv4 autonomous domain and an IPv6 autonomous domain being connected through ASBRs that support the IPv4/IPv6 dual protocol stack. Besides the ASBRs, each autonomous domain also contains the usual P routers and PE routers, where a PE router is configured with the IPv4 protocol stack, the IPv6 protocol stack, or the IPv4/IPv6 dual stack according to its network connections.
In the present invention, the routes advertised by the backbone network include VPN-IPv4 routes and VPN-IPv6 routes. Route learning is performed in the backbone network to establish the VPN switching paths.
Between PEs within the PAS and within a DAS, the routes of the user sites connected to each PE router are advertised through MP-IBGP based on the IP protocol version of the local autonomous domain; between a DAS and the ASBR of the upper-layer autonomous system, the routes of the user sites connected to the PE routers are advertised through Multi-hop MP-EBGP. Between the PEs and the ASBR of the upper-layer autonomous system, the routes of the user sites connected to the PE routers are likewise advertised through MP-IBGP based on the IP protocol version of that domain.
The ASBR of the upper-layer autonomous system advertises the received routes to the PEs of its own domain and to the ASBR of the next upper-layer autonomous system (if any); that ASBR in turn advertises the received routes to the PEs of its own domain and to the ASBR of the next upper-layer autonomous system (if any), and so on, until the PEs and the ASBR of the PAS are reached.
The PEs in the PAS and the PEs in each DAS that have received routes advertise the received routes to the CEs connected to them.
The method of route advertisement is described in detail below.
A user network comprises a CE router connected to the backbone network and the user site connected to that CE. In the present invention the user sites include both IPv4 sites and IPv6 sites, and each user site contains multiple hosts with different addresses. The CE router supports the protocol stack required by the IP version of its user network and of the autonomous system it connects to. The PE router supports the protocol stack required by the IP version of the autonomous system it belongs to and of the user sites it connects to. For example, the CE router of an IPv4 site connected to an IPv4 backbone and its corresponding PE router need only support the IPv4 stack; the CE and corresponding PE of an IPv6 site connected to an IPv6 backbone need only support the IPv6 stack; whereas the CE of an IPv6 site connected to an IPv4 backbone, the CE of an IPv4 site connected to an IPv6 backbone, and the PE devices through which these CEs are accessed all need to support the IPv4/IPv6 dual stack. In addition, since the IPv4 sites and IPv6 sites of the same VPN may need to access each other, the routers of an IPv4 site that needs to access IPv6 sites must store IPv6 routes, i.e. such IPv4 sites need to support an IPv4-IPv6 hybrid addressing scheme.
The present invention is first described in detail below using, as an embodiment, a system whose backbone network contains two autonomous domains: one IPv4 autonomous domain and one IPv6 autonomous domain.
In this embodiment, for the case of one IPv6 domain and one IPv4 domain, the IPv6 autonomous domain is taken as the PAS and the IPv4 autonomous domain as the DAS. Multi-hop MP-EBGP and an inter-domain tunnel are established between the ASBR in the PAS and the PEs in the DAS, carrying respectively inter-domain VPN route advertisement and inter-domain VPN data forwarding, while VPN route advertisement and data forwarding between PEs inside each autonomous domain are completed inside that domain by MP-IBGP based on the domain's IP protocol version (IPv4 or IPv6) and by intra-domain tunnels.
Refer to Fig. 4, a schematic diagram of the VPN system composition of a hybrid-site hybrid backbone network according to the first preferred embodiment of the present invention. In Fig. 4 a solid double-headed arrow denotes Multi-hop MP-EBGP between an upper-layer ASBR and a PE in the adjacent DAS; a dashed double-headed arrow denotes MP-IBGP within the PAS or a DAS. The same applies to Figs. 5 to 7.
In the VPN system shown in Fig. 4 the backbone network is dual-domain. The system comprises: a backbone network containing one IPv4 autonomous domain and one IPv6 autonomous domain; PE routers at the edge of the backbone network, PE1 to PE4; P routers inside the backbone network (not shown in the figure); CE routers at the edge of the user networks, CE1 to CE8; and user sites connected to the PEs through the CEs, each user site containing one or more hosts with different addresses.
In the backbone network, the IPv4 domain and the IPv6 domain are connected to each other through ASBR1 and ASBR2.
The system shown in Fig. 4 contains two VPNs, VPNA and VPNB. VPNA contains both IPv4 and IPv6 sites: the IPv6 site connected to CE1, the IPv4 site connected to CE4, the IPv6 site connected to CE5 and the IPv4 site connected to CE8. VPNB contains only IPv4 sites: those connected to CE2, CE3, CE6 and CE7. This embodiment takes only VPNA and VPNB as an example, and a backbone containing only one IPv4 domain and one IPv6 domain; in practice the system may contain many VPNs and the backbone may contain multiple domains.
In this embodiment, the CE router of an IPv4 site connected to the IPv4 backbone and its corresponding PE router support only the IPv4 protocol stack, and the CE and corresponding PE of an IPv6 site connected to the IPv6 backbone support only the IPv6 protocol stack, whereas the CE of an IPv6 site connected to the IPv4 backbone, the CE of an IPv4 site connected to the IPv6 backbone, and the PE devices through which these CEs are accessed all need to support the IPv4/IPv6 dual protocol stack.
A CE router that connects both IPv4 sites and IPv6 sites stores the IPv4 and IPv6 routes of the other user sites of the VPN learned from its PE router, and performs route matching when those sites are accessed.
With reference to the VPN system of the embodiment shown in Fig. 4, the method of the present invention for implementing a VPN over a hybrid-site hybrid backbone network is described in detail below.
First, the user-site addressing method of the VPN system of the embodiment of Fig. 4 is described. The present invention considers only the case in which VPN users perform unicast communication; the hosts in each VPN site are required to use unicast addresses, i.e. each host uses only one IPv4 address or one IPv6 address.
In the VPN, communication between an IPv4 site and another IPv4 site still uses IPv4 addresses, and the Address Family Identifier (AFI) field of MP-BGP uses the value 1 assigned by RFC 1700 to the IPv4 address family; communication between an IPv4 site and an IPv6 site, and between two IPv6 sites, uses IPv6 addresses, and the AFI field of MP-BGP uses the value 2 assigned by RFC 1700 to the IPv6 address family. It should be noted that when an IPv4 site and an IPv6 site communicate with each other, the IPv4 address A.B.C.D of the IPv4 site is mapped to the corresponding IPv6 address of the form 0::A:B:C:D. In the MP-BGP route advertisement process, in order to distinguish VPN routes from the routes of the backbone network itself, the Subsequent Address Family Identifier (SAFI) field of a VPN address uses the value 128, indicating a VPN-IPv4 address or a VPN-IPv6 address.
Since IPv4 sites still exist in the VPN, and in view of the scarcity of public IPv4 addresses, a preferred embodiment of the present invention allows the IPv4 sites of a VPN to keep using private IPv4 addresses, and allows sites of different VPNs to use the same private IPv4 addresses.
Specifically, in the embodiment shown in Fig. 4, since private IPv4 addresses are used, the concept of the RD from RFC 2547bis is retained to guarantee the uniqueness of VPN routes and addresses in the backbone network: between IPv4 sites, a VPN-IPv4 address with AFI 1 is formed as RD + (IPv4 address); between an IPv4 site and an IPv6 site, or between two IPv6 sites, a VPN-IPv6 address with AFI 2 is formed as RD + (IPv6 address). Note that the IPv4 address A.B.C.D of an IPv4 site that communicates with an IPv6 site is first mapped to the IPv6 address of the form 0::A:B:C:D and then combined with the RD to form the VPN-IPv6 address. In this embodiment, each MP-BGP speaker can parse the corresponding IPv4/IPv6 route entries according to the AFI and supports storing IPv4 and IPv6 routing tables at the same time; IPv4 routes and IPv6 routes may be stored in separate routing tables.
After the addresses of the user sites are determined, each CE router aggregates the addresses of its user site into the corresponding route entries. Then the route learning and advertisement for VPN sites, the label distribution, and the VPN data forwarding can be processed. These processes are described in detail below.
Next, the processing of route learning and advertisement for VPN sites is described in detail. In this embodiment, the method comprises the following processes:
Process one: the CE router advertises its aggregated routes to the PE router connected to it. In the present invention, the CE of an IPv6 site connected to the IPv4 backbone, the CE of an IPv4 site connected to the IPv6 backbone, and the PE devices through which these CEs are accessed all support the IPv4/IPv6 dual protocol stack. Therefore the PE can learn the IPv4 and/or IPv6 routes advertised by the CE.
For example, in Fig. 4, CE1 and CE2 advertise routes to PE1; CE3 and CE4 advertise routes to PE2; CE5 and CE6 advertise routes to PE3; CE7 and CE8 advertise routes to PE4.
Process two: the egress PE adds a corresponding inner label to each route received from a CE. The inner label is allocated by the PE for the site connected to that CE and serves to distinguish different sites. The PE advertises these labelled routes through MP-IBGP to the ingress PEs or the ASBR of its own domain, or through Multi-hop MP-EBGP to the ASBR of the upper-layer autonomous domain that connects to its domain.
Specifically:
A PE router in the DAS advertises the IPv4 routes and IPv6 routes learned from its CE routers to the other PE routers within its autonomous system and to the ASBR of the upper-layer autonomous system. In this embodiment there are only two layers: the PAS is the upper layer and the DAS is the next layer.
A PE router in the PAS advertises the IPv4 routes and IPv6 routes learned from its CE routers to the other PE routers and to the ASBR within its autonomous system.
For example, in Fig. 4, PE1 in the DAS advertises routes to PE2 in its own autonomous system and to ASBR2 in its upper-layer autonomous system, the PAS; PE2 in the DAS advertises routes to PE1 in its own autonomous system and to ASBR2 in the PAS. PE3 in the PAS advertises routes to PE4 and ASBR2; PE4 advertises routes to PE3 and ASBR2.
In this process, the PE router takes the IPv4 and IPv6 routes learned from the CE router and, according to the VPN they belong to and the IP version of the route, adds the RD, AFI, SAFI and other information, forming route information in a unified format that contains the RD, AFI, SAFI, Route Target and the IPv4/IPv6 route.
In this embodiment the PE router still uses VRFs to store the routes of different VPNs. Within the VRF of each VPN, IPv4 routes and IPv6 routes are stored separately according to their AFI.
For a PE router advertising routes to other PE routers: since the other PE routers also support the dual protocol stack, they can receive both IPv4 routes and IPv6 routes.
For a PE router advertising routes to the ASBR inside its own autonomous domain: when the autonomous system where the PE is located is an IPv4 network, the routes of the VPN user sites connected to the PEs of that IPv4 network are advertised between the PE routers and the ASBR of the domain through fully meshed IPv4-based Multi-Protocol Internal BGP (MP-IBGP) or through route reflectors; when the autonomous system where the PE is located is an IPv6 network, the routes of the VPN sites connected to the PE routers of that IPv6 network are advertised between the PE routers and the ASBR of the domain through fully meshed IPv6-based MP-IBGP or through route reflectors.
Although the advertised routes include both IPv4 routes and IPv6 routes, when MP-IBGP is used to advertise them the IPv4 and IPv6 routes are carried only as transported data. Whether IPv4-based or IPv6-based MP-IBGP is used depends only on the version of the network and not on the data carried; therefore, regardless of whether the transported data are IPv4 routes or IPv6 routes, both kinds of MP-IBGP can carry them.
For a PE router advertising routes to the ASBR of the upper-layer autonomous domain: when the autonomous system where the PE is located is an IPv4 network, the routes of the VPN user sites connected to the PEs of that IPv4 network are advertised between the PE router and the upper-layer ASBR through IPv4-based Multi-hop MP-EBGP; when the autonomous system where the PE is located is an IPv6 network, the routes of the VPN sites connected to the PE routers of that IPv6 network are advertised between the PE router and the upper-layer ASBR through IPv6-based Multi-hop MP-EBGP.
Since the ASBRs of this embodiment all support the IPv4 and IPv6 dual protocol stack, they can advertise routes to each other by running Multi-hop MP-EBGP based on the IP version of their own domain.
In this embodiment, ASBR2 retains the inter-domain routes of the VPNs to which PE1 and PE2 in the DAS, with which it establishes MP-EBGP peerings, belong; likewise, PE1 and PE2 store the inter-domain routes learned over their peerings with ASBR2 of the PAS.
Process three: the ASBR in the upper-layer autonomous domain advertises the routes learned from its own domain to the PEs of the next-layer autonomous domain, and advertises the routes learned from the next-layer autonomous domain to the PEs of its own domain.
The ASBR in the upper-layer autonomous domain can advertise routes to the PEs of the next-layer autonomous domain through Multi-hop MP-EBGP based on the IP version of the next-layer autonomous domain, and advertise routes to the PEs of its own domain through MP-IBGP based on the IP version of its own domain.
For example, in Fig. 4, ASBR2 of the PAS advertises the routes learned from PE3 and PE4 to PE1 and PE2 in the DAS, and advertises the routes learned from PE1 and PE2 to PE3 and PE4.
Process four: the PE routers in each autonomous domain advertise the routes learned from other PE routers and/or the ASBR to the CE routers connected to them. The CE router stores the IPv4 and/or IPv6 routes it receives.
For example, in Fig. 4, PE1 in the DAS advertises the routes received from PE2 and from ASBR2 of the PAS to CE1 and CE2; PE2 in the DAS advertises the routes received from PE1 and from ASBR2 of the PAS to CE3 and CE4.
PE3 in the PAS advertises the routes received from PE4 and ASBR2 to CE5 and CE6; PE4 in the PAS advertises the routes received from PE3 and ASBR2 to CE7 and CE8.
In the present invention, the CE router of an IPv4 site of the VPN stores the corresponding IPv4 routes and IPv6 routes and acts as the proxy for that VPN site when it accesses other sites; during route matching, an IPv4 route or an IPv6 route is matched according to whether the destination user site being accessed, as identified by the Route Target, is an IPv4 user site or an IPv6 user site. The CE router of an IPv6 user site of the VPN stores only IPv6 routes; before the PE router that serves that IPv6 site advertises the routes of other IPv4 sites to it, it must first convert each IPv4 route A.B.C.D/n into the IPv6 route 0::A:B:C:D/(96+n).
Specifically, in this embodiment, the CE router of an IPv4 user site that needs to access IPv6 VPN user sites runs an IPv6-based routing protocol with its PE router and learns both IPv6 routes and IPv4 routes: the IPv4 route A.B.C.D/n in the VRF of the PE router is converted into the IPv6 route 0::A:B:C:D/(96+n) and advertised to the CE router through the IPv6 routing protocol, and the CE router restores it to the IPv4 route A.B.C.D/n, while the IPv6 routes of other IPv6 user sites remain stored in the CE router as IPv6 routes. When this IPv4 user site accesses an IPv4 site, IPv4 routes are matched; when it accesses an IPv6 site, IPv6 routes are matched.
In this embodiment, for an IPv6 user site that needs to access IPv4 VPN user sites, an IPv6-based routing protocol is likewise run between its CE router and PE router to learn the routes of the other sites; the routes of other IPv4 user sites are stored directly as IPv6 routes of the form 0::A:B:C:D/(96+n), while the routes of other IPv6 user sites are stored in their original form. Note that in A.B.C.D/n above, A.B.C.D is the network address and n is the prefix (mask) length.
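The address mapping, RD-qualified VPN addresses and AFI/SAFI values described in the addressing section above, together with the A.B.C.D/n to 0::A:B:C:D/(96+n) route conversion and the dual-table lookup on the CE described in the last three paragraphs, as one added worked example (illustration code, not part of the patent or of any vendor implementation). Two caveats a practitioner will want: the /(96+n) length pins the IPv4 address to the low 32 bits, i.e. the IPv4-compatible form ::A.B.C.D, which RFC 4291 has since deprecated in favour of ::ffff:A.B.C.D, so the block keeps the patent's zero-prefix form but a deployment today would choose the mapped form; and the patent only says "RD + address", so the NLRI layout used here (3-byte label, 8-byte RD, prefix bytes) is the RFC 4364 encoding, an assumption. All prefixes, RDs and labels are constructed.

```python
"""Added example (not from the patent): the address and route conversions
the text describes and the VPN-IPv4 / VPN-IPv6 NLRI that results.
All prefixes, RDs and labels are constructed for illustration."""
import ipaddress
import struct

AFI_IPV4, AFI_IPV6 = 1, 2          # RFC 1700 address family numbers
SAFI_MPLS_LABELED_VPN = 128        # MPLS-labelled VPN address (RFC 4364)


def v4_to_v6_prefix(net4):
    """A.B.C.D/n -> the IPv6 route the text writes 0::A:B:C:D/(96+n):
    the IPv4 address sits in the low 32 bits, the upper 96 bits are zero."""
    net4 = ipaddress.IPv4Network(net4)
    return ipaddress.IPv6Network((int(net4.network_address), net4.prefixlen + 96))


def v6_to_v4_prefix(net6):
    """Inverse conversion done by the dual-stack CE; returns None for a
    native IPv6 route (upper 96 bits non-zero or prefix shorter than 96)."""
    net6 = ipaddress.IPv6Network(net6)
    base = int(net6.network_address)
    if net6.prefixlen < 96 or (base >> 32) != 0:
        return None
    return ipaddress.IPv4Network((base & 0xFFFFFFFF, net6.prefixlen - 96))


def route_distinguisher(asn, assigned):
    """Type 0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_nlri(rd, prefix, inner_label, to_v6_site):
    """Return (AFI, SAFI, length_in_bits, body) for one labelled VPN route.
    Layout assumed from RFC 4364: 3-byte label with the bottom-of-stack bit
    set, 8-byte RD, then only the significant prefix bytes. An IPv4 prefix
    destined for an IPv6 site is first mapped, so it travels as VPN-IPv6."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4 and to_v6_site:
        net = v4_to_v6_prefix(net)
    afi = AFI_IPV4 if net.version == 4 else AFI_IPV6
    label = ((inner_label << 4) | 1).to_bytes(3, "big")
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length = 24 + 64 + net.prefixlen
    return afi, SAFI_MPLS_LABELED_VPN, length, label + rd + prefix_bytes


def ce_lookup(routes4, routes6, dst):
    """Dual-table lookup on a CE that proxies an IPv4 site: choose the table
    by the destination's address version, then longest-prefix match.
    Routes are (prefix, next_hop) pairs; returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in (routes4 if dst.version == 4 else routes6):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


if __name__ == "__main__":
    rd_a, rd_b = route_distinguisher(65000, 1), route_distinguisher(65000, 2)
    # The same private prefix in two VPNs gives distinct NLRI because of the RD.
    print(vpn_nlri(rd_a, "10.1.0.0/16", 1004, False))
    print(vpn_nlri(rd_b, "10.1.0.0/16", 1004, False))
    print(vpn_nlri(rd_a, "10.1.0.0/16", 1004, True))   # mapped: AFI 2, /112
    print(v4_to_v6_prefix("10.1.0.0/16"), v6_to_v4_prefix("::a01:0/112"))
```

Running the block shows 10.1.0.0/16 leaving as AFI 1 with a 16-bit prefix when both sites are IPv4, and as AFI 2 with a 112-bit prefix (::a01:0/112) when the destination site is IPv6; the dual-stack CE's `v6_to_v4_prefix` turns the latter back into 10.1.0.0/16 and leaves a native prefix such as 2001:db8::/32 alone.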
In addition, if the user site connected to a CE contains routers as well as hosts, then in process five the CE further advertises the routes to the routers of the user site, and the routers of the user site store that site's routing table; if the user site connected to the CE contains no router, then in process five the CE itself stores the routing table of that user site.
In practice, if certain IPv4 user sites do not need to access other IPv6 user sites according to the topology relationship determined by the Route Target attribute, then only an IPv4-based routing protocol needs to run between their CE routers and PE routers; only the IPv4 routes of other IPv4 user sites are learned and stored, and IPv6 routes are discarded.
In the route learning and advertisement processing, after receiving a VPN route the PE router decides, according to the Route Target extended community attribute of MP-BGP, whether to learn it and advertise it to the corresponding user site. When the egress PE advertises a VPN route to its BGP peer (BGP PEER), it carries the corresponding Export Route Target and the inner label allocated by the egress PE for that VPN site; on receiving the route, the BGP peer matches it against the Import Route Target configured on that peer. If the match succeeds, the route is accepted and advertised to the site corresponding to the VRF. If the BGP peer is an ASBR between two autonomous domains, it must further advertise the route to its Multi-hop MP-EBGP peers in the DAS domain and to its MP-IBGP peers in the PAS domain, and those peers perform the Route Target matching to decide whether to accept these inter-domain VPN routes and advertise them to the connected sites. This process is the same as in the prior art and is not described further here.
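The Import Route Target check just described, together with the per-AFI VRF storage from process two and the practical case from the preceding paragraph where an IPv4-only site keeps IPv4 routes and drops IPv6 routes, as an added worked example (illustration code, not the patent's or any vendor's). The VPN names, RDs, Route Targets, labels and prefixes are constructed; the RD is what keeps the identical private prefix of VPNA and VPNB apart once both have landed on the same PE.

```python
"""Added example (not from the patent): Route Target matching on a PE with
per-AFI VRF tables, including an IPv4-only site's VRF that discards IPv6
routes. VPN names, RDs, RTs, labels and prefixes are constructed."""
from dataclasses import dataclass, field

AFI_IPV4, AFI_IPV6 = 1, 2


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher written as ASN:number
    afi: int                # 1 = VPN-IPv4, 2 = VPN-IPv6
    prefix: str
    inner_label: int        # allocated by the egress PE for the site
    next_hop: str           # egress PE, or the ASBR that re-advertised it
    export_rts: frozenset   # Export Route Target extended communities


@dataclass
class Vrf:
    name: str
    import_rts: frozenset
    afis: frozenset                         # address families the site keeps
    tables: dict = field(default_factory=lambda: {AFI_IPV4: {}, AFI_IPV6: {}})


def import_route(vrfs, route):
    """Apply each VRF's Import Route Target check to one received VPN route,
    install it in the matching VRFs' table for its AFI, and return the
    names of the VRFs that accepted it (in VRF order)."""
    accepted = []
    for vrf in vrfs:
        if not (vrf.import_rts & route.export_rts):
            continue                  # no common RT: not a member of this VPN
        if route.afi not in vrf.afis:
            continue                  # e.g. IPv4-only site: IPv6 routes discarded
        vrf.tables[route.afi][route.prefix] = (route.rd, route.inner_label, route.next_hop)
        accepted.append(vrf.name)
    return accepted


def build_vrfs():
    """Three constructed VRFs on one PE: a dual-stack VPNA site, an
    IPv4-only VPNA site, and a VPNB site."""
    return [
        Vrf("VPNA-dual", frozenset({"65000:100"}), frozenset({AFI_IPV4, AFI_IPV6})),
        Vrf("VPNA-v4only", frozenset({"65000:100"}), frozenset({AFI_IPV4})),
        Vrf("VPNB", frozenset({"65000:200"}), frozenset({AFI_IPV4})),
    ]


if __name__ == "__main__":
    vrfs = build_vrfs()
    routes = [
        VpnRoute("65000:1", AFI_IPV4, "10.1.0.0/16", 1004, "PE2", frozenset({"65000:100"})),
        VpnRoute("65000:1", AFI_IPV6, "2001:db8:5::/48", 3005, "ASBR2", frozenset({"65000:100"})),
        VpnRoute("65000:2", AFI_IPV4, "10.1.0.0/16", 2006, "ASBR2", frozenset({"65000:200"})),
    ]
    for r in routes:
        print(r.rd, r.prefix, "->", import_route(vrfs, r))
    for v in vrfs:
        print(v.name, v.tables)
```

The IPv6 route for CE5's site is accepted only by the dual-stack VRF; the IPv4-only VRF silently drops it even though its Route Target matches, which is exactly the behaviour the text allows for sites that never need to reach IPv6 sites.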
In this embodiment, label distribution may be processed in the manner described below.
During forwarding, the different VPN sites connected to the same egress PE are distinguished by the different inner labels allocated by that egress PE. The inner label is advertised together with the route to the corresponding PE when the route is advertised through MP-BGP, and it is not changed while the packet is forwarded across the backbone network (PAS and DAS).
In RFC 2547, packets are forwarded through the backbone network according to the outer label. In the present invention, distribution of the outer label is the same as in the prior art and comprises label distribution within an autonomous domain and label distribution between autonomous domains. Within the PAS and within a DAS, the outer label can be allocated with a label distribution protocol such as the Label Distribution Protocol (LDP), Resource Reservation Protocol with Traffic Engineering (RSVP-TE) or the Constraint-Routing Label Distribution Protocol (CR-LDP). Within an autonomous domain, each next-hop router distributes an outer label to its previous-hop router; this includes label distribution between P routers, between P routers and PEs, and between PE routers and the ASBR. Allocation of the outer labels between the two ASBRs of adjacent autonomous domains is performed through the BGP protocol between the domains.
The present invention uses label forwarding; therefore, through the exchange relationship of the outer labels, a tunnel is determined between the PE routers within each domain, between the PE routers and the ASBR, and between the ASBRs of adjacent domains. Data forwarding between VPN sites connected to PE routers of the same domain is completed through an intra-domain tunnel; data forwarding between VPN sites connected to PE routers of different autonomous domains is completed through the intra-domain tunnels of the domains where the ingress PE and the egress PE are located, together with the inter-domain tunnel between the ASBRs of the two domains, which is determined by the labels allocated through MP-BGP.
本实施例中, 具体的数据转发处理也与现有技术基本相同, 包含以' 下几种转发: 源用户站点到入口 ( Ingress ) PE路由器之间的 IP数据转 发; Ingress PE路由器到 Egress PE路由器之间的标签数据转发; Egress PE 到目的用户站点之间的 IP数据转发。 下面分别叙述。  In this embodiment, the specific data forwarding process is also basically the same as the prior art, including the following types of forwarding: IP data forwarding between the source user site to the ingress PE router; the Ingress PE router to the Egress PE router. Label data forwarding between; Egress PE to IP data forwarding between destination user sites. The following are described separately.
源用户站点到入口 (Ingress ) PE路由器之间的 IP数据包转发遵循' 普通的 IP转发过程。 如上文所述, 用户站点中保存了 IPv4/IPv6两种类 型的路由表, 对于需要访问 IPv4/IPv6 目的用户站点的源用户站点在进 行 IP数据转发时,可以根据目的用户站点是 IPv4站点还是 IPv6站点查 询相应的路由表, 遵循相应的路由表将数据包转发到 Ingress PE。  Source User Site to Ingress The IP packet forwarding between PE routers follows the 'normal IP forwarding process. As described above, the IPv4/IPv6 routing table is saved in the user site. For the source user site that needs to access the IPv4/IPv6 destination user site, the destination user site can be IPv4 or IPv6. The site queries the corresponding routing table and forwards the packet to the Ingress PE according to the corresponding routing table.
Ingress PE路由器到 Egress PE路由器之间的标签数据转发有两种情 况: 单个自治域内的 VPN站点之间的访问, 可以沿用现有技术中的域 内数据转发方式进行转发,在 Ingress PE上为数据包增加 Egress PE为目 的地所在站点的内层标签后, 再增加该 Ingress PE所在的自治域中的标 签分配协议 ( LDP/RSVP-TE/CR-LDP )分配的外层标签, 将数据包沿着 LSP的 LSR根据外层标签转发到 Egress PE。 There are two kinds of conditions for label data forwarding between the ingress PE router and the egress PE router. The access between the VPN sites in a single autonomous domain can be forwarded by using the intra-domain data forwarding mode in the prior art. After the Egress PE is added to the inner label of the site where the destination is located on the ingress PE, The outer label of the label distribution protocol (LDP/RSVP-TE/CR-LDP) in the autonomous domain of the ingress PE forwards the data packet to the Egress PE along the outer label of the LSR of the LSP.
不同自治域内的 VPN站点之间的访问,则在 Ingress PE上为数据包 增加 Egress PE为目的地所在站点的内层标签后,再增加该 Ingress PE所 在的自治域中的标签分配协议 ( LDP RSVP-TE/CR-LDP )分配的外层标 签, 将数据包沿着 LSP的 LSR根据外层标签转发到本自治域到达上层' 相邻自治域的 ASBR, 然后根据该相邻自治域的 ASBR与本 ASBR之间 的 MP-EBGP分配的外层标签转发到下一个相邻自治域的 ASBR, 然后 继续沿着下一个相邻自治域中 LSP将数据包转发到 Egress PE。  After the access between the VPN sites in the different autonomous domains, the ingress PE adds the egress PE to the inner label of the site where the destination is located, and then adds the label distribution protocol (LDP RSVP) in the autonomous domain where the ingress PE resides. -TE/CR-LDP ) The outer label is allocated, and the data packet is forwarded along the outer label of the LSP according to the outer label to the local ASBR of the neighboring autonomous domain, and then according to the ASBR of the neighboring autonomous domain. The outer label assigned by the MP-EBGP between the ASBRs is forwarded to the ASBR of the next neighboring autonomous domain, and then the LSP is forwarded to the egress PE along the LSP in the next neighboring autonomous domain.
Egress PE到目的用户站点之间的 IP数据转发需要 Egress PE在接收 到包含内层标签的数据包后, 通过区分内层标签确定目的用户站点, 并 根据源用户站点和目的用户站点类型遵循相应的路由表转发到目的主 机。 其中, 在该步骤中, 仅当源用户站点和目的用户站点均为 IPv4站点 时才查询 IPv4路由表, 其他情况均查询 IPv6路由表。  After the IP data forwarding between the egress PE and the destination user site is received, the egress PE determines the destination user site by distinguishing the inner layer label after receiving the data packet containing the inner layer label, and follows the corresponding source user site and destination user site type. The routing table is forwarded to the destination host. In this step, the IPv4 routing table is queried only when the source user site and the destination user site are both IPv4 sites. In other cases, the IPv6 routing table is queried.
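The two-label forwarding described above, as an added example that is not part of the patent's text: a Python simulation in which ingress PE1 in DAS1 pushes the inner label allocated by egress PE4 in the PAS and then the outer label of its LSP, the LSRs and the two ASBRs swap or pop only the outer label, and PE4 selects the destination site from the inner label and then the IPv4 or IPv6 table by the rule just stated. All router names, label values, prefixes, the LSP and the MP-EBGP label between ASBR1 and ASBR2 are constructed for the example. The mapped prefix ::a07:0/112 stands for 10.7.0.0/16 in the 0::A:B:C:D/(96+n) form of claim 14.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ingress PE1 (DAS1, IPv4 backbone) holds VPN routes learned over MP-BGP; each carries
# the inner label that egress PE4 (PAS, IPv6 backbone) allocated for the destination site.
PE1_VPN_ROUTES = {
    "ipv4": {"10.7.0.0/16": ("PE4", 2002)},
    "ipv6": {"2001:db8:6::/48": ("PE4", 2001), "::a07:0/112": ("PE4", 2002)},
}
PE1_LSP = {"PE4": (101, "P1")}  # first outer label and next hop of the LSP towards PE4

# Outer-label tables: incoming label -> (action, outgoing label, next hop). Labels 101, 102
# and 401 come from LDP inside each AS; 301 is the label ASBR2 allocated to ASBR1 over MP-EBGP.
OUTER_LFIB = {
    "P1":    {101: ("swap", 102, "ASBR1")},
    "ASBR1": {102: ("swap", 301, "ASBR2")},
    "ASBR2": {301: ("swap", 401, "P2")},
    "P2":    {401: ("pop", None, "PE4")},  # penultimate-hop pop exposes the inner label
}

# Egress PE4: inner label -> (site, address family of the site), and the per-site VRF tables.
PE4_INNER = {2001: ("site6", "ipv6"), 2002: ("site7", "ipv4")}
PE4_VRF = {
    "site6": {"ipv6": {"2001:db8:6::/48": "CE6"}},
    "site7": {"ipv4": {"10.7.0.0/16": "CE7"}, "ipv6": {"::a07:0/112": "CE7"}},
}


@dataclass
class Packet:
    family: str                                  # "ipv4" or "ipv6": the inner IP header
    dst: str
    labels: list = field(default_factory=list)   # label stack, top of stack last


def longest_match(table, dst):
    """Longest-prefix lookup of dst in a {prefix: value} table."""
    addr = ip_address(dst)
    hits = [ip_network(p) for p in table if addr in ip_network(p)]
    if not hits:
        raise LookupError(f"no route for {dst}")
    return str(max(hits, key=lambda n: n.prefixlen))


def ingress_pe(pkt):
    """PE1 pushes the egress PE's inner label, then the outer label of the LSP to that PE."""
    routes = PE1_VPN_ROUTES[pkt.family]
    egress, inner = routes[longest_match(routes, pkt.dst)]
    outer, next_hop = PE1_LSP[egress]
    pkt.labels += [inner, outer]
    return next_hop


def forward_backbone(pkt, node):
    """LSRs and ASBRs act on the top label only; the inner label crosses both ASs untouched."""
    path = [node]
    while node in OUTER_LFIB:
        action, out_label, next_hop = OUTER_LFIB[node][pkt.labels[-1]]
        if action == "swap":
            pkt.labels[-1] = out_label
        else:
            pkt.labels.pop()
        node = next_hop
        path.append(node)
    return path


def egress_pe(pkt):
    """PE4 picks the site from the inner label; the IPv4 table is used only when the packet
    (i.e. the source site) and the destination site are both IPv4, otherwise the IPv6 table."""
    site, site_family = PE4_INNER[pkt.labels.pop()]
    table_family = "ipv4" if pkt.family == "ipv4" and site_family == "ipv4" else "ipv6"
    table = PE4_VRF[site][table_family]
    return site, table_family, table[longest_match(table, pkt.dst)]


def send(family, dst):
    """End to end: returns (backbone path, destination site, table consulted, CE)."""
    pkt = Packet(family, dst)
    path = forward_backbone(pkt, ingress_pe(pkt))
    if path[-1] != "PE4" or len(pkt.labels) != 1:
        raise RuntimeError(f"unexpected label stack {pkt.labels} at {path[-1]}")
    return (path,) + egress_pe(pkt)


if __name__ == "__main__":
    for family, dst in [("ipv4", "10.7.1.1"), ("ipv6", "::a07:101"), ("ipv6", "2001:db8:6::1")]:
        print(family, dst, "->", send(family, dst))
```

The second case is the one worth noting: an IPv6 packet addressed to the mapped form of an IPv4 site still lands in site7's VRF through the same inner label 2002, but PE4 resolves it in the IPv6 table, exactly as the rule above requires.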
It should also be noted that, where control of the topology between the sites of a VPN is required (full mesh, partial mesh and similar topologies), the method of RFC 2547bis can still be used, namely matching on the Route Target. This is exactly the mechanism for route advertisement and learning between PEs described above: whether a route is learned is decided according to the VPN's topology, and the VPN topology is realised through the routing tables.
The technical solution for a VPN spanning more than two ASs can be described by building on the two-AS (IPv4/IPv6) solution above, which is referred to as the Basic Hybrid Network (BHN). In that case the IPv6 domain containing the larger number of PE devices is the PAS and the other ASs are DASs. The DAS in the BHN is the first-layer DAS; a DAS connected to it but not directly to the PAS is a second-layer DAS.
A VPN system over a hybrid-site hybrid backbone with three ASs is taken as an example below. There are two cases. First: a DAS is connected to the DAS of the BHN and not directly to the PAS of the BHN. Second: a DAS is connected to the PAS of the BHN and not directly to the DAS of the BHN. Each is described in turn.
Referring to FIG. 5, FIG. 5 is a schematic diagram of the composition of the VPN system of a hybrid-site hybrid backbone according to the second preferred embodiment of the present invention. This embodiment corresponds to the first case above.
The backbone comprises three ASs: two IPv4 ASs and one IPv6 AS. In this embodiment the IPv6 AS, which has more PE devices connected to VPN sites, is set as the PAS, and the other two IPv4 ASs are set as DAS1 and DAS2. The PAS and DAS2 form the BHN; DAS1 is connected only to DAS2 and not to the PAS. The embodiment therefore has three layers: the PAS at the top, DAS2 as the first layer and DAS1 as the second layer.
The user site addressing method of this VPN system is identical to that of the embodiment shown in FIG. 4 and is not repeated here.
Once the addresses of the user sites are determined, each CE router aggregates the addresses of its user site into routing entries. Route learning and advertisement for the VPN sites, label distribution and VPN data forwarding can then proceed.
First, route learning and advertisement for the VPN sites is described in detail. In this embodiment the principle is the same as in the embodiment shown in FIG. 4, and the method comprises the following steps:
Step 1: each CE router advertises its aggregated routes to the PE router it is attached to. In FIG. 5, for example, CE1 and CE2 advertise routes to PE1, CE3 and CE4 advertise routes to PE2, CE5 advertises routes to PE3, CE6 and CE7 advertise routes to PE4, and CE8 and CE9 advertise routes to PE5.
Step 2: the egress PE attaches to each route received from a CE the corresponding inner label, which the PE allocates for the site connected to that CE and which distinguishes the different sites. It then advertises these labelled routes over MP-IBGP to the ingress PEs or the ASBR in its own domain, or over Multi-hop MP-EBGP to the ASBR in the upper-layer AS that connects to its domain.
For example, in FIG. 5, PE1 in DAS1 advertises the routes received from CE1 and CE2 to PE2 and to ASBR2 in DAS2; PE2 advertises the routes received from CE3 and CE4 to PE1 and to ASBR2 in DAS2.
PE3 advertises the routes learned from CE5 to ASBR2 and to ASBR4 in the PAS; ASBR2 advertises the routes learned from PE1 and PE2 to ASBR4 in the PAS.
PE4 advertises the routes learned from CE6 and CE7 to PE5 and ASBR4; PE5 advertises the routes learned from CE8 and CE9 to PE4 and ASBR4.
In this embodiment ASBR2 in DAS2 stores the inter-domain VPN routes it establishes with PE1 and PE2 in DAS1; likewise PE1 and PE2 store the inter-domain routes they establish with ASBR2 in DAS2. ASBR4 in the PAS stores the inter-domain routes it establishes with PE3 and ASBR2, and PE3 and ASBR2 each store the inter-domain routes they establish with ASBR4.
Step 3: the ASBR in the upper-layer AS advertises the routes learned in its own domain to the PEs of the lower-layer AS, and advertises the routes learned from the lower-layer AS to the PEs of its own domain.
For example, in FIG. 5, DAS2, as the upper-layer domain of DAS1, advertises the routes learned from PE3 and ASBR4 to PE1 and PE2, and advertises the routes learned from PE1 and PE2 to PE3.
The PAS, as the upper-layer domain of DAS2, advertises the routes learned from PE4 and PE5 to PE3 and ASBR2, and advertises the routes learned from PE3 and ASBR2 to PE4 and PE5.
Step 4: the PE routers in each AS advertise the routes learned from other PE routers and/or ASBRs to the CE routers attached to them. A CE router stores the IPv4 and/or IPv6 routes it receives.
For example, in FIG. 5, PE1 advertises the routes learned from PE2 and ASBR2 to CE1 and CE2; PE2 advertises the routes learned from PE1 and ASBR2 to CE3 and CE4.
PE3 advertises the routes learned from ASBR2 and ASBR4 to CE5.
PE4 advertises the routes learned from PE5 and ASBR4 to CE6 and CE7; PE5 advertises the routes learned from PE4 and ASBR4 to CE8 and CE9.
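The Route Target matching described earlier in this section and the four-step distribution just given, as one added example that is not part of the patent's text: a Python simulation of the FIG. 5 backbone in which each egress PE labels its sites' routes with a per-site inner label, PEs advertise only their own routes to their MP-BGP peers, ASBRs re-advertise everything they learn to all other peers, and each PE imports a route for a site only when an export Route Target matches the site's import Route Targets, after which the CE keeps only the address families it runs. RT 100:1 builds a full mesh and the 200:hub/200:spoke pair builds a hub-and-spoke topology, in the manner of RFC 2547bis. All router names, sessions, Route Targets, labels and prefixes are constructed; CE3, CE4 and CE7 of FIG. 5 are left out to keep the data short. The mapped prefix ::a08:0/112 stands for 10.8.0.0/16 in the form of claim 8.

```python
from collections import deque
from dataclasses import dataclass

ROUTERS = {"PE1": "DAS1", "PE2": "DAS1", "PE3": "DAS2", "ASBR2": "DAS2",
           "PE4": "PAS", "PE5": "PAS", "ASBR4": "PAS"}
# MP-BGP sessions of FIG. 5 (undirected): IBGP inside an AS, multi-hop MP-EBGP from a
# lower-layer PE to the upper-layer ASBR, and MP-EBGP between ASBR2 and ASBR4.
SESSIONS = [("PE1", "PE2"), ("PE1", "ASBR2"), ("PE2", "ASBR2"),
            ("PE3", "ASBR2"), ("PE3", "ASBR4"), ("ASBR2", "ASBR4"),
            ("PE4", "PE5"), ("PE4", "ASBR4"), ("PE5", "ASBR4")]
# Sites: PE, import RTs, export RTs, protocol stacks run on the CE, routes as (AFI, prefix).
SITES = {
    "CE1": ("PE1", {"100:1"}, {"100:1"}, {"ipv4"}, [(1, "10.1.0.0/16")]),
    "CE2": ("PE1", {"200:hub"}, {"200:spoke"}, {"ipv6"}, [(2, "2001:db8:2::/48")]),
    "CE5": ("PE3", {"100:1"}, {"100:1"}, {"ipv6"}, [(2, "2001:db8:5::/48")]),
    "CE6": ("PE4", {"200:spoke"}, {"200:hub"}, {"ipv6"}, [(2, "2001:db8:6::/48")]),
    "CE8": ("PE5", {"100:1"}, {"100:1"}, {"ipv4", "ipv6"},
            [(1, "10.8.0.0/16"), (2, "::a08:0/112")]),   # IPv4 site also carried mapped
    "CE9": ("PE5", {"200:hub"}, {"200:spoke"}, {"ipv6"}, [(2, "2001:db8:9::/48")]),
}
AFI_STACK = {1: "ipv4", 2: "ipv6"}


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    afi: int
    prefix: str
    rts: frozenset     # export Route Targets attached by the egress PE
    origin_pe: str
    site: str
    inner_label: int   # allocated by the egress PE for the site; unchanged in transit


def peers_of(router):
    return [b if a == router else a for a, b in SESSIONS if router in (a, b)]


def originate():
    """Steps 1-2: each egress PE labels the routes of every attached site with a per-site label."""
    routes, label = [], 1000
    for site, (pe, _imp, exp, _stacks, prefixes) in SITES.items():
        label += 1
        for afi, prefix in prefixes:
            routes.append(VpnRoute(f"{pe}:{site}", afi, prefix, frozenset(exp), pe, site, label))
    return routes


def distribute(routes):
    """Steps 2-3: a PE advertises its own routes to all its peers; an ASBR re-advertises every
    route it learns to every peer except the one it came from. Returns each router's VPN RIB."""
    rib = {router: set() for router in ROUTERS}
    queue = deque()
    for route in routes:
        rib[route.origin_pe].add(route)
        queue.extend((route, route.origin_pe, peer) for peer in peers_of(route.origin_pe))
    while queue:
        route, sender, router = queue.popleft()
        if route in rib[router]:
            continue                      # already known, e.g. learned via another path
        rib[router].add(route)
        if router.startswith("ASBR"):
            queue.extend((route, router, p) for p in peers_of(router) if p != sender)
    return rib


def ce_tables(rib):
    """Step 4: a PE imports a route into a site's VRF only when an export RT matches one of
    the site's import RTs; the CE then keeps only the address families it actually runs."""
    tables = {}
    for site, (pe, imp, _exp, stacks, _prefixes) in SITES.items():
        tables[site] = sorted(r.prefix for r in rib[pe]
                              if r.site != site and r.rts & imp and AFI_STACK[r.afi] in stacks)
    return tables


def learned_routes():
    return ce_tables(distribute(originate()))


if __name__ == "__main__":
    for site, prefixes in learned_routes().items():
        print(site, prefixes)
```

Every route reaches every PE (the ASBRs relay across all three layers), but the CE tables differ: the IPv4-only CE1 sees only CE8's IPv4 prefix, the IPv6-only CE5 sees only CE8's mapped prefix, and the spokes CE2 and CE9 see the hub CE6 but not each other.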
Label distribution and VPN data forwarding in this embodiment follow essentially the same principles as the embodiment shown in FIG. 4; a person skilled in the art can refer to that process, and it is not repeated here.
FIG. 6 is a schematic diagram of the composition of the VPN system of a hybrid-site hybrid backbone according to the third preferred embodiment of the present invention. This embodiment corresponds to the second case above.
The backbone comprises three ASs: two IPv4 ASs and one IPv6 AS. In this embodiment the IPv6 AS, which has more PE devices connected to VPN sites, is set as the PAS, and the other two IPv4 ASs are set as DAS1 and DAS2. The PAS and DAS2 form the BHN, and DAS1 is connected to the PAS. The embodiment therefore has two layers: the PAS at the top, with DAS1 and DAS2 both first-layer DASs.
The user site addressing method of this VPN system is identical to that of the embodiment shown in FIG. 4 and is not repeated here.
Once the addresses of the user sites are determined, each CE router aggregates the addresses of its user site into routing entries. Route learning and advertisement for the VPN sites, label distribution and VPN data forwarding can then proceed.
First, route learning and advertisement for the VPN sites is described in detail. In this embodiment the principle is the same as in the embodiment shown in FIG. 4, and the method comprises the following steps. Step 1: each CE router advertises its aggregated routes to the PE router it is attached to. This step is the same as in the two previous embodiments and is not repeated here.
Step 2: the egress PE attaches to each route received from a CE the corresponding inner label, which the PE allocates for the site connected to that CE and which distinguishes the different sites. It then advertises these labelled routes over MP-IBGP to the ingress PEs or the ASBR in its own domain, or over Multi-hop MP-EBGP to the ASBR in the upper-layer AS that connects to its domain.
For example, in FIG. 6, PE1 in DAS1 advertises the routes received from CE1 and CE2 to PE2 and to ASBR2 in the PAS; PE2 advertises the routes received from CE3 and CE4 to PE1 and to ASBR2 in the PAS.
PE4 in the PAS advertises the routes learned from CE7 to PE3, ASBR2 and ASBR3.
In DAS2, PE5 advertises the routes learned from CE8 and CE9 to ASBR3.
Step 3: the ASBR in the upper-layer AS advertises the routes learned in its own domain to the PEs of the lower-layer AS, and advertises the routes learned from the lower-layer AS to the PEs of its own domain.
In FIG. 6 only the PAS is an upper-layer domain. In this step ASBR2 advertises the routes learned from PE3, PE4 and ASBR3 to PE1 and PE2 in DAS1, and ASBR3 advertises the routes learned from PE3, PE4 and ASBR2 to PE5 in DAS2. ASBR3 also advertises the routes learned from PE5 to PE3, PE4 and ASBR2, and ASBR2 advertises the routes learned from PE1 and PE2 to PE3, PE4 and ASBR3.
Step 4: the PE routers in each AS advertise the routes learned from other PE routers and/or ASBRs to the CE routers attached to them. A CE router stores the IPv4 and/or IPv6 routes it receives. This step is essentially the same as for FIG. 5 and is not repeated here. Label distribution and VPN data forwarding in this embodiment likewise follow essentially the same principles as the embodiment shown in FIG. 4; a person skilled in the art can refer to that process, and it is not repeated here.
In practice, an AS may be connected to several adjacent ASs through several ports of a single ASBR, and the invention can be realised in this arrangement as well. Referring to FIG. 7, FIG. 7 is a schematic diagram of the composition of the VPN system of a hybrid-site hybrid backbone according to the fourth preferred embodiment of the present invention.
This embodiment also has two slave domains, DAS1 and DAS2, and the layering of DAS and PAS is the same as in the embodiment shown in FIG. 6. It differs from FIG. 6 in that, in the PAS, two ports of ASBR2 connect respectively to ASBR1 of DAS1 and ASBR4 of DAS2. In this case, PE2 in DAS1 and ASBR2 in the PAS establish an MP-EBGP session through one port of ASBR2, exchange VPN routes over it and exchange data through that port; PE5 in DAS2 and ASBR2 in the PAS establish an MP-EBGP session through the other port of ASBR2, exchange VPN routes over it and exchange data through that port.
As the embodiments show, the hybrid-site hybrid-backbone VPN system of the present invention and its implementation method allow a VPN to be built while both the user networks and the backbone are in transition from IPv4 to IPv6. This gives VPN solutions for the transition period greater flexibility, reduces the complexity of upgrading network devices, makes the IPv4-to-IPv6 transition smoother, and greatly improves the economy and feasibility of network upgrades.
Although the invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims

1. A virtual private network system of a hybrid-site hybrid backbone network, comprising virtual private network user sites, customer edge routers CE, provider edge routers PE and a backbone network, the user sites transmitting data to one another by accessing the backbone network through the CE and the PE, characterised in that: the virtual private network system comprises user sites based on Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6); the backbone network comprises a plurality of IPv4 autonomous systems and IPv6 autonomous systems; one autonomous system in the backbone network is the primary autonomous system PAS, and the non-PAS autonomous systems in the backbone network are secondary autonomous systems DAS; and the PAS and the DASs are interconnected through autonomous system border routers ASBR supporting both the IPv4 and the IPv6 protocol stack;
the ASBR of the PAS stores the inter-domain routes it establishes with the PEs of the DAS; the CE supports the IPv4 protocol stack, the IPv6 protocol stack or both, and stores IPv4 routes and/or IPv6 routes;
the PE supports the IPv4 protocol stack, the IPv6 protocol stack or both; a PE of the PAS stores IPv4 routes and IPv6 routes; a PE of a DAS stores IPv4 routes, IPv6 routes and the inter-domain routes it establishes with the ASBR of the PAS;
and the user sites transmit data to one another according to the routes stored by the CE and the PE.
2. The virtual private network system according to claim 1, characterised in that the primary autonomous system is the IPv6 autonomous system of the backbone network having the most PEs connected to sites.
3. The virtual private network system according to claim 1, characterised in that a DAS directly connected to the PAS in the backbone network is a first-layer DAS; the system further comprises one or more further layers of DAS, each lower-layer DAS being connected to the DAS of the layer above through an ASBR;
the ASBR of the upper-layer DAS stores the inter-domain routes it establishes with the PEs of the lower-layer DAS; a PE of the lower-layer DAS stores IPv4 routes, IPv6 routes and the inter-domain routes it establishes with the ASBR of the upper-layer DAS.
4. The virtual private network system according to claim 1, characterised in that, when the Internet Protocol version of a user site differs from that of the autonomous system, the CE and the PE connecting that user site to that autonomous system support both the IPv4 and the IPv6 protocol stack.
5. The virtual private network system according to claim 1, characterised in that the CE of an IPv4 user site that needs to access IPv6 user sites stores IPv4 routes and IPv6 routes; the CE of an IPv6 user site that needs to access IPv4 user sites stores only IPv6 routes;
and the CE of an IPv4 user site that accesses only IPv4 user sites stores only IPv4 routes.
6. A method for implementing a virtual private network of a hybrid-site hybrid backbone network, characterised in that it uses the virtual private network system of claim 1, and the process of providing the virtual private network service comprises the following steps:
A. addressing the IPv4 and IPv6 user sites to form IPv4 and IPv6 address information in a unified format;
B. route learning and advertisement by the user sites and the backbone network, whereby the IPv4 routes, the IPv6 routes and the inter-domain routes established between the ASBR of the PAS and the PEs of the DAS are advertised to the PEs in the system and to the CEs connected to those PEs;
C. distribution of the inner labels and the outer labels by the backbone network;
D. forwarding the data packets of the user sites through the backbone network, encapsulated with the inner label and the outer label, according to the routes learned by the CE and the PE in step B.
7. The implementation method according to claim 6, characterised in that the method of addressing the IPv4 and IPv6 user sites in step A is:
between IPv4 user sites, the form "Route Distinguisher + IPv4 address" is used, forming an IPv4 address with address family identifier 1; between IPv4 user sites and IPv6 user sites, and between IPv6 user sites, the form "Route Distinguisher + IPv6 address" is used, forming an IPv6 address with address family identifier 2.
8. The implementation method according to claim 7, characterised in that an IPv4 user site that communicates with IPv6 user sites maps its IPv4 address A.B.C.D to an IPv6 address of the form 0::A:B:C:D and combines it with the Route Distinguisher to form an IPv6 address with address family identifier 2.
9. The implementation method according to claim 6, characterised in that the method further comprises: when the backbone network also contains DASs not directly connected to the PAS, layering the backbone network, a DAS directly connected to the PAS being set as a first-layer DAS, a DAS connected to a first-layer DAS being a second-layer DAS, and so on;
10、 根据权利要求 9所述的实现方法, 其特征在于, 所述步骤 B包. 括 ··  10. The implementation method according to claim 9, wherein the step B includes:
Bl、 CE将聚合的 IPv4用户站点或 IPv6用户站点路由发布给与之相 连的 PE;  Bl and CE advertise the aggregated IPv4 user site or IPv6 user site route to the PE connected to it;
B2、 上一层 PE将从 CE学习的路由发布给本域的 PE和 /或 ASBR; . 下一层 PE将从 CE或学习的路由发布给本域的 PE和上一层自治域中与 本域连接的 ASBR;  B2. The PE of the upper layer advertises the route learned from the CE to the PE and/or the ASBR of the local domain. The next-layer PE advertises the route from the CE or the learned route to the PE in the local domain and the upper-layer autonomous domain. Domain-connected ASBR;
B3、上层自治域中的 ASBR将从本域学习的路由发布给下层自治域 的 PE, 并将从下层自治域学习的路由发布给本域的 PE;  B3. The ASBR in the upper-layer autonomous domain advertises the route learned from the local domain to the PE of the lower-layer autonomous domain, and advertises the route learned from the lower-layer autonomous domain to the PE of the local domain.
B4、 各自治域中的 PE路由器将从其他 PE路由器或 /和 ASB 学习 到的路由发布给与其相连的 CE路由器; CE路由器接收到 IPv4路由或 /和 IPv6路由后保存。  B4. The PE routers in each autonomous domain advertise routes learned from other PE routers or / and ASBs to the CE routers connected to them; the CE routers save them after receiving IPv4 routes or / and IPv6 routes.
11、 根据权利要求 10所述的实现方法, 其特征在于, 所述步驟 Β2· 进一步包括:  The implementation method according to claim 10, wherein the step Β2· further comprises:
分别在所述下一层 ΡΕ和上一层自治域中域本域连接的 ASBR中 , 存储下一层 PE和上一层自治域中域本域连接的 ASBR之间的跨域路由。  The inter-AS routes between the next-layer ΡΕ and the ASBRs connected to the local domain in the upper-layer autonomous domain are stored in the ASBR of the next-layer autonomous domain.
12、 根据权利要求 10或 11所述的实现方法, 其特征在于: 所述步 骤 B2进一步包括: 12. The implementation method according to claim 10 or 11, wherein: the step Step B2 further includes:
PE路由器将从 CE路由器学习的 IPv4路由和 IPv6路由根据所属的 VPN和路由 IP版本加上路由区分符 RD、 地址族标识符 AFI、 后续地址 族标识符 SAFI; 形成包含 RD、 AFI、 SAFI、 路由目标团体属性 Route Target, IPv4地址 /IPv6地址的统一形式的路由信息。  The PE router learns the IPv4 route and the IPv6 route learned from the CE router according to the VPN and route IP version to which the route identifier RD, the address family identifier AFI, and the subsequent address family identifier SAFI are formed. The RD, AFI, SAFI, and route are formed. Route information of the target group attribute Route Target, IPv4 address/IPv6 address.
13. The implementing method according to claim 10, wherein:
in step B2, within an autonomous domain, the routes of the user sites of the CEs connected to a PE are advertised between PEs, and between a PE and an ASBR, via an internal border gateway protocol based on the IP version of that autonomous domain;
the lower-layer PE advertises the routes to the ASBR of the upper-layer autonomous domain that connects to the lower-layer domain via a multi-hop multiprotocol external border gateway protocol based on the IP version of the lower-layer domain;
in step B3, the ASBR in the upper-layer autonomous domain advertises the routes to the PEs of the lower-layer autonomous domain via a multi-hop multiprotocol external border gateway protocol based on the IP version of the lower-layer autonomous domain, and advertises the learned routes to the PEs of its own domain via an internal border gateway protocol based on the IP version of its own domain;
in step B4, within each autonomous domain, the PE advertises the learned routes to the peer PEs inside that domain via an internal border gateway protocol based on the IP version of that domain.
14. The implementing method according to claim 10, wherein, for an IPv4 user site that needs to access IPv6 user sites, step B4 comprises the following sub-steps:
B41. An IPv6-based routing protocol is run between the CE connected to that IPv4 user site and the PE connected to that CE in order to learn routes; the PE converts the stored routes of the IPv4 user sites from the form A.B.C.D/n into IPv6 routes of the form 0::A:B:C:D/(96+n) and advertises them to the CE via the IPv6 routing protocol;
B42. After receiving an IPv6 route of the form 0::A:B:C:D/(96+n), the CE restores it to an IPv4 route of the form A.B.C.D/n, and stores the routes of the IPv6 user sites as IPv6 routes.
15. The implementing method according to claim 10, wherein, for an IPv6 user site that needs to access IPv4 user sites, step B4 comprises the following sub-steps:
B43. An IPv6-based routing protocol is run between the CE connected to that IPv6 user site and the PE connected to that CE in order to learn routes;
B44. The CE stores the routes of the IPv4 user sites directly as IPv6 routes of the form 0::A:B:C:D/(96+n), and stores the routes of the IPv6 user sites in their original form.
16. The implementing method according to claim 10, wherein, for an IPv4 user site that accesses only IPv4 user sites, in step B, only an IPv4 routing protocol is run between the CE connected to that IPv4 user site and the PE connected to that CE, only the IPv4 routes of other IPv4 user sites are learned and stored, and IPv6 routes are discarded.
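The address mapping of claims 14 to 16, as an added example that is not part of the patent: the PE-side conversion A.B.C.D/n to 0::A:B:C:D/(96+n), the CE-side restoration, and the three CE behaviours (restore to IPv4, keep as IPv6, discard IPv6). The patent's notation is read here as placing the four IPv4 octets in the low 32 bits of the IPv6 address (::A.B.C.D), the only reading consistent with the 96+n prefix length; Python prints that address as ::c0a8:100 rather than in dotted form. Caveat: ::/96 is the deprecated IPv4-compatible range of RFC 4291, so a CE following this scheme must treat every route inside ::/96 with a length of 96 or more as an embedded IPv4 route, and must not accept such routes from any peer other than its PE. The sample routes are constructed.

```python
"""Added example for claims 14-16: A.B.C.D/n <-> ::A.B.C.D/(96+n) at PE and CE.

Not part of the patent. Interpretation: the IPv4 octets sit in the low 32 bits
of the IPv6 address, so an n-bit IPv4 prefix becomes a (96+n)-bit IPv6 prefix.
"""
import ipaddress

EMBEDDED_IPV4_SPACE = ipaddress.IPv6Network("::/96")   # reserved here for mapped IPv4 routes


def ipv4_to_embedded_ipv6(route: str) -> str:
    """PE side (B41): A.B.C.D/n -> ::A.B.C.D/(96+n)."""
    net = ipaddress.IPv4Network(route)
    v6 = ipaddress.IPv6Address(int(net.network_address))   # low 32 bits = IPv4 octets
    return f"{v6}/{96 + net.prefixlen}"


def embedded_ipv6_to_ipv4(route: str):
    """CE side (B42): ::A.B.C.D/(96+n) -> A.B.C.D/n; None if the route is native IPv6."""
    net = ipaddress.IPv6Network(route)
    if net.prefixlen < 96 or not net.subnet_of(EMBEDDED_IPV4_SPACE):
        return None
    v4 = ipaddress.IPv4Address(int(net.network_address) & 0xFFFF_FFFF)
    return f"{v4}/{net.prefixlen - 96}"


def ce_install(site_kind: str, received: list) -> dict:
    """Build the CE table for the three site kinds of claims 14, 15 and 16.

    site_kind: 'v4-to-v6' (claim 14), 'v6' (claim 15) or 'v4-only' (claim 16).
    received:  routes as the PE advertised them: IPv4 strings for a v4-only site,
               IPv6 strings (embedded or native) for the other two kinds.
    """
    table = {"ipv4": [], "ipv6": []}
    for r in received:
        if site_kind == "v4-only":
            if ipaddress.ip_network(r).version == 4:
                table["ipv4"].append(r)          # claim 16: IPv6 routes are discarded
            continue
        restored = embedded_ipv6_to_ipv4(r)
        if site_kind == "v4-to-v6" and restored is not None:
            table["ipv4"].append(restored)       # B42: restore the embedded IPv4 route
        else:
            table["ipv6"].append(r)              # B44, or a native IPv6 route: keep as IPv6
    return table
```

A native IPv6 route such as 2001:db8::/32 fails the ::/96 containment test and is stored unchanged by both site kinds; only routes inside ::/96 with length 96 or more are ever turned back into IPv4.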
17. The implementing method according to claim 10, wherein:
in step B4, after receiving an IPv4 route, an IPv6 route or an inter-AS route, the PE decides, according to the Route Target extended community attribute of the multiprotocol border gateway protocol, whether to learn the route and advertise it to the user site.
18. The implementing method according to claim 6, wherein, in step C, the inner label is allocated by the ingress PE and is used to distinguish the different user sites connected to the same ingress PE; the inner label is advertised together with the route to the corresponding egress PE when the route is advertised; the outer label is allocated, within an autonomous domain, by running the Label Distribution Protocol, Resource Reservation Protocol with Traffic Engineering or the Constraint-based Routing Label Distribution Protocol, and, between different autonomous domains, by the ASBRs of the autonomous domains via the multiprotocol external border gateway protocol for the bidirectional connection between the ASBRs; the outer label is used to forward data packets in the backbone network.
19. The implementing method according to claim 6, wherein step D comprises the following sub-steps:
D1. Internetworking protocol data forwarding from the source user site to the ingress PE, following the ordinary IP forwarding procedure;
D2. Label-based data forwarding from the ingress PE to the egress PE;
D3. Internetworking protocol data forwarding from the egress PE to the destination user site, performed by the egress PE according to the inner label and its stored routing table.
20. The implementing method according to claim 19, wherein step D2 comprises the following sub-steps:
D21. On the ingress PE, the inner label of the destination site is added to the data packet, and then the outer label allocated in the autonomous domain where the ingress PE is located is added;
D22. The data packet is forwarded, according to the outer label, to the ASBR of the autonomous domain adjacent to the current autonomous domain;
D23. The ASBR forwards the data packet, according to the outer label allocated between the ASBRs, to the ASBR of the next adjacent autonomous domain;
D24. The ASBR forwards the data packet to the egress PE.
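The label stack of claims 18 to 20, as an added example that is not part of the patent: the PE that advertises a site's route allocates the site's inner label and carries it with the route (claim 18); the sending PE pushes that inner label and then its own domain's outer label (D21); P routers and ASBRs swap only the outer label (D22 to D24); the receiving PE maps the inner label back to a site (D3). Node names, label values and the per-node label tables are constructed, and the MPLS header encoding is omitted. The check a practitioner wants is at the egress PE: transit nodes never inspect the inner label, so the egress must drop any inner label it did not itself allocate, otherwise anyone able to inject labeled packets into the backbone can reach any site behind that PE.

```python
"""Added example for claims 18-20: two-level label stack across three domains.

Not part of the patent. Nodes, labels and tables are constructed: PE_A in AS1
sends to a site behind PE_B in AS2 via P1 -> ASBR1 -> ASBR2 -> P2.
"""

# Inner labels: allocated by the PE that owns the site and advertised with its route.
INNER_LABELS = {"PE_B": {"site_v4": 1000, "site_v6": 1001}}

# Outer-label tables as each transit node would program them. An entry is
# ("swap", new_label, next_hop) or ("pop", None, next_hop). Constructed values:
# 200-series = LDP/RSVP-TE LSP in AS1, 300 = inter-ASBR label (MP-eBGP), 400-series = AS2 LSP.
LFIB = {
    "P1":    {201: ("swap", 202, "ASBR1")},
    "ASBR1": {202: ("swap", 300, "ASBR2")},
    "ASBR2": {300: ("swap", 401, "P2")},
    "P2":    {401: ("pop", None, "PE_B")},     # penultimate hop pop before PE_B
}

# Ingress VRF on PE_A: prefix -> (egress PE, inner label, first outer label, next hop)
VRF_PE_A = {"192.168.1.0/24": ("PE_B", 1000, 201, "P1")}


def ingress_push(vrf: dict, prefix: str) -> tuple:
    """D21: push the destination site's inner label, then the local domain's outer label."""
    _egress, inner, outer, nh = vrf[prefix]
    return [outer, inner], nh                 # top of stack first


def transit(node: str, stack: list) -> tuple:
    """D22-D24: outer-label lookup only; the inner label is never inspected here."""
    op, new_label, nh = LFIB[node][stack[0]]
    if op == "swap":
        return [new_label] + stack[1:], nh
    return stack[1:], nh                      # pop exposes the inner label for the egress PE


def egress_dispatch(pe: str, stack: list) -> str:
    """D3: map the inner label to a site; reject any label this PE never allocated."""
    if len(stack) != 1:
        raise ValueError("unexpected label stack depth at egress PE")
    sites = {label: site for site, label in INNER_LABELS[pe].items()}
    if stack[0] not in sites:
        raise ValueError(f"inner label {stack[0]} not allocated by {pe}: dropped")
    return sites[stack[0]]


def forward(prefix: str) -> list:
    """Walk one packet from PE_A to the site behind PE_B; returns the per-hop label stacks."""
    trace = []
    stack, node = ingress_push(VRF_PE_A, prefix)
    trace.append(("PE_A", list(stack)))
    while node != "PE_B":
        stack, nh = transit(node, stack)
        trace.append((node, list(stack)))
        node = nh
    trace.append(("PE_B", egress_dispatch("PE_B", stack)))
    return trace
```

The inter-ASBR label (300 here) is the only label shared between the two domains; each domain keeps its own LSP labels private, which is what lets the outer label be re-allocated per domain while the inner label travels untouched end to end.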
21. The implementing method according to claim 6, wherein the topology relationship between the user sites is realized by matching Route Target community attributes.
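Route Target handling for claims 17 and 21, as one added example that is not part of the patent: a PE learns a received IPv4, IPv6 or inter-AS route into a VRF only when the route carries an RT that the VRF imports (claim 17), and the resulting site topology, full mesh or hub-and-spoke, follows from the RT pairs alone (claim 21). VRF names, RT values and prefixes are constructed. The caveat: RT matching is the only thing separating one VPN's routes from another's on a shared PE, so an import RT added to the wrong VRF leaks routes across customers without any error being raised.

```python
"""Added example for claims 17 and 21: RT-based import and RT-defined topology.

Not part of the patent. VRFs, RT values and prefixes are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    export_rt: set
    import_rt: set
    table: dict = field(default_factory=dict)    # prefix -> originating VRF


@dataclass(frozen=True)
class Advertised:
    prefix: str               # IPv4 or IPv6 prefix (an inter-AS route is handled the same way)
    origin: str
    route_targets: frozenset


def advertise(vrf: Vrf, prefixes: list) -> list:
    """The PE attaches the VRF's export RTs to every route learned from its CE."""
    return [Advertised(p, vrf.name, frozenset(vrf.export_rt)) for p in prefixes]


def import_route(vrf: Vrf, adv: Advertised) -> bool:
    """Claim 17: learn (and later hand to the CE) only if at least one RT matches."""
    if vrf.import_rt.isdisjoint(adv.route_targets):
        return False
    vrf.table[adv.prefix] = adv.origin
    return True


def distribute(vrfs: list, routes: list) -> None:
    """Offer every advertised route to every other VRF; import_route applies the RT filter."""
    for vrf in vrfs:
        for adv in routes:
            if adv.origin != vrf.name:
                import_route(vrf, adv)


def hub_and_spoke_demo() -> dict:
    """Claim 21: spokes see only the hub because of the RT pairs, not the RD or address family."""
    hub = Vrf("hub", export_rt={"65000:100"}, import_rt={"65000:200"})
    spoke1 = Vrf("spoke1", export_rt={"65000:200"}, import_rt={"65000:100"})
    spoke2 = Vrf("spoke2", export_rt={"65000:200"}, import_rt={"65000:100"})
    routes = (advertise(hub, ["10.0.0.0/8"])
              + advertise(spoke1, ["192.168.1.0/24"])
              + advertise(spoke2, ["2001:db8:2::/48"]))     # an IPv6 spoke in the same VPN
    distribute([hub, spoke1, spoke2], routes)
    return {v.name: sorted(v.table) for v in (hub, spoke1, spoke2)}


def full_mesh_demo() -> dict:
    """Same machinery, one shared RT: every site imports every other site."""
    sites = [Vrf(n, {"65000:1"}, {"65000:1"}) for n in ("a", "b", "c")]
    routes = sum((advertise(v, [f"10.{i}.0.0/16"]) for i, v in enumerate(sites)), [])
    distribute(sites, routes)
    return {v.name: sorted(v.table) for v in sites}
```

Changing a topology is a change to the RT sets only; the routes, RDs and labels stay as they are, which is why the patent can describe the topology purely as "matching Route Target community attributes".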

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200410069535.0 2004-06-30
CNB2004100695350A CN100364292C (en) 2004-06-30 2004-06-30 Virtual special network system of mixed station mixed skeleton network and its realizing method

Publications (1)

Publication Number Publication Date
WO2006002598A1 true WO2006002598A1 (en) 2006-01-12

Family

ID=35782472

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/000959 WO2006002598A1 (en) 2004-06-30 2005-06-30 A vpn system of a hybrid-site hybrid backbone network and an implementing method thereof

Country Status (2)

Country Link
CN (1) CN100364292C (en)
WO (1) WO2006002598A1 (en)


Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100596107C (en) * 2007-02-09 2010-03-24 华为技术有限公司 Packet forwarding method and border router of autonomous system
CN101360037B (en) * 2007-08-03 2010-12-08 中国移动通信集团公司 Data service network system and access method of data service
CN101159741B (en) * 2007-11-05 2012-07-04 中兴通讯股份有限公司 PE device and access method for VRRP device to access into VPN
CN101442468B (en) * 2007-11-20 2011-06-01 华为技术有限公司 Method and apparatus for processing local crossover of VPN route
CN101499951B (en) * 2008-02-01 2012-05-23 华为技术有限公司 Tunnel configuration method, virtual access node, virtual edge node and system
CN102696202B (en) * 2009-10-30 2016-09-28 法国电信公司 The method and apparatus of route data packet between internet protocol version four and IPv 6 network
CN102457425A (en) * 2010-10-25 2012-05-16 北京系统工程研究所 Large-scale virtual network topology generation method
CN108111417B (en) * 2013-08-15 2022-12-27 华为技术有限公司 Method and device for forwarding MPLS data packet
CN106713130B (en) * 2015-11-13 2019-11-22 华为技术有限公司 A kind of routing table update method, EVPN control equipment and EVPN system
CN111865786B (en) * 2020-06-30 2022-07-12 北京华三通信技术有限公司 Method and apparatus for propagating link markers
CN113098750A (en) * 2021-03-11 2021-07-09 网宿科技股份有限公司 Site interconnection method, system and transfer equipment
CN115941383B (en) * 2022-11-28 2023-12-22 北京神经元网络技术有限公司 Network domain distribution method, device and equipment for broadband field bus multi-domain switching system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020181464A1 (en) * 2000-07-21 2002-12-05 Hitachi, Ltd. Multicast routing method and apparatus for routing multicast packet
JP2003198639A (en) * 2001-12-27 2003-07-11 Kddi Corp Substitution name server, protocol converting device and interface device
CN1476206A (en) * 2003-07-14 2004-02-18 中国科学院计算技术研究所 Method of breakthrough NAT using dual tunnel mechanism


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018010519A1 (en) * 2016-07-12 2018-01-18 华为技术有限公司 Method and apparatus for establishing multicast tunnel
CN111865698A (en) * 2020-07-30 2020-10-30 中国电子信息产业集团有限公司第六研究所 Geographic information-based autonomous domain-level internet topology visualization method
CN111865698B (en) * 2020-07-30 2023-10-17 中国电子信息产业集团有限公司第六研究所 Geographic information-based self-control domain-level Internet topology visualization method
CN114285778A (en) * 2021-11-23 2022-04-05 南瑞集团有限公司 Power dispatching data network networking safety test system and test method

Also Published As

Publication number Publication date
CN100364292C (en) 2008-01-23
CN1716901A (en) 2006-01-04

Similar Documents

Publication Publication Date Title
WO2006002598A1 (en) A vpn system of a hybrid-site hybrid backbone network and an implementing method thereof
ES2830182T3 (en) Route Calculation Element Central Controllers (PCECC) for network services
CN111865898B (en) Communication method, device and system based on flow rule protocol
JP5237391B2 (en) VPN implementation over a link state protocol controlled Ethernet network
US6789121B2 (en) Method of providing a virtual private network service through a shared network, and provider edge device for such network
Gleeson et al. A framework for IP based virtual private networks
US9843507B2 (en) Enhanced hierarchical virtual private local area network service (VPLS) system and method for ethernet-tree (E-tree) services
CN100372336C (en) MPLS VPN and its control and forwarding method
US20070115913A1 (en) Method for implementing the virtual leased line
WO2005122490A1 (en) A method for implementing virtual private network
EP1811728B2 (en) Method, system and device of traffic management in a multi-protocol label switching network
WO2014194749A1 (en) Vpn implementation processing method and apparatus for edge device
WO2005101730A1 (en) A system and method of ensuring quality of service in virtual private network
WO2006105718A1 (en) A method for realizing the mpls-vpn across the hybrid network
WO2005112350A1 (en) A METHOD FOR MANAGING THE ROUTE IN THE VIRTUAL PRIVATE NETWORK BASED ON IPv6
WO2008011818A1 (en) Method of realizing hierarchy-virtual private lan service and network system
WO2007112691A1 (en) System, method and network device for vpn customer to access public network
WO2005125103A1 (en) A virtual private network system of hybrid site and hybrid backbone network and its realizing method
WO2013139270A1 (en) Method, device, and system for implementing layer3 virtual private network
WO2005114944A1 (en) A method for implementing ipv4 and ipv6 mixing sites virtual private network
Wu et al. YANG data model for L3VPN service delivery
US9054896B2 (en) SVC-L2 VPNs: flexible on demand switched MPLS/IP layer-2 VPNs for ethernet SVC, ATM and frame relay
Gleeson et al. RFC2764: A framework for IP based virtual private networks
CN101136832A (en) Multi-protocol label switching virtual dedicated network and its control and forwarding method
WO2006056131A1 (en) A method for realizing intercommunication between the l3 vpn

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase