WO2010068018A2 - Method for configuring a closed user network using an IP tunneling mechanism, and closed user network system - Google Patents


Info

Publication number
WO2010068018A2
Authority
WO
WIPO (PCT)
Prior art keywords
teed
tunnel
closed
control server
control
Prior art date
Application number
PCT/KR2009/007315
Other languages
English (en)
Other versions
WO2010068018A3 (fr)
Inventor
Sun-Cheul Kim
Ho-Yong Ryu
Sung-Back Hong
Kyeong-Ho Lee
Original Assignee
Electronics And Telecommunications Research Institute
Priority date
Filing date
Publication date
Priority claimed from KR1020090064814A (KR101210388B1)
Application filed by Electronics and Telecommunications Research Institute
Priority to US13/133,540 (US8621087B2)
Publication of WO2010068018A2
Publication of WO2010068018A3

Classifications

    • H: Electricity
      • H04: Electric communication technique
        • H04L: Transmission of digital information, e.g. telegraphic communication
          • H04L12/00: Data switching networks
            • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
              • H04L12/46: Interconnection of networks
                • H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
          • H04L61/00: Network arrangements, protocols or services for addressing or naming
            • H04L61/09: Mapping addresses
              • H04L61/25: Mapping addresses of the same type
                • H04L61/2503: Translation of Internet protocol [IP] addresses
                  • H04L61/2514: Translation of Internet protocol [IP] addresses between local and global IP addresses
                  • H04L61/2592: Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
                  • H04L61/256: NAT traversal
          • H04L63/00: Network architectures or network communication protocols for network security
            • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0272: Virtual private networks
            • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/104: Grouping of entities

Definitions

  • the present invention relates to a method for configuring a Closed User Network (CUN) using an IP tunneling mechanism and a CUN system and, more particularly, to a technique of establishing a tunnel between a tunnel end edge device (TEED) and a control server by using an IP tunneling mechanism to allow terminals connected to the TEED to perform communications by using a closed IP, enabling the TEED to provide a network address translation (NAT) function so that the TEED can perform data forwarding like a general NAT, without performing tunneling on a destination IP outside the closed IP section, to perform communications, and allowing a terminal located in an area where the TEED is not provided to directly establish a tunnel with the control server by using client software to thereby perform communications with a terminal or a server connected to the TEED by using the closed IP.
  • CUN Closed User Network
  • FIG. 1 illustrates related art type Internet access by user terminals, in which the type of Internet access by user terminals may be classified into a wired type and a wireless type, and the wireless type may be classified into WiFi, WiBro, and HSDPA.
  • in each access type, either a private IP requiring network address translation (NAT) is used, or a public IP without the necessity of NAT is used.
  • NAT network address translation
  • the current IPv4-based network is short of IP addresses, so many users access the Internet by using a private IP requiring NAT.
  • NAT Network Address Translators
  • TURN Traversal Using Relay NAT
  • Firewalls employing packet filtering are high-priced, so it may be highly burdensome for a small organization, having built an Intranet, to then install a firewall.
  • the IPv6 technique is being deployed to solve the shortage of IP addresses; however, it has not become the main course of action. Namely, a substantial network-based IPv6 function is very rarely installed and operated in the field, so there are few IPv6 application programs.
  • An aspect of the present invention provides a method for configuring a Closed User Network (CUN) using an IP tunneling mechanism and a CUN system capable of establishing a tunnel between a tunnel end edge device (TEED) and a control server by using an IP tunneling mechanism to allow terminals connected to the TEED to perform communications by using a closed IP, enabling the TEED to provide a network address translation (NAT) function so that the TEED can perform data forwarding like a general NAT, without performing tunneling on a destination IP outside the closed IP section, to perform communication, and allowing a terminal located in an area where the TEED is not provided to directly establish a tunnel with the control server by using a client software to thereby perform communications with a terminal or a server connected to the TEED by using the closed IP.
  • a method for configuring a Closed User Network including: establishing a control tunnel between a TEED and a control server; allocating, by the TEED, a closed IP to a terminal that is connected to the TEED within a closed IP section allocated from the control server; and determining, by the TEED, whether to forward a packet which has been received from the terminal to the CUN or to a general network.
  • the method for configuring a CUN may further include: transmitting, by the TEED, a registration request message to the control server; and receiving, by the TEED, the closed IP section as allocated from the control server, before the control tunnel is established.
  • the method for configuring a CUN may further include: receiving, by the TEED, closed IP section information of all the CUNs managed by the control server from the control server. In this case, the determining of whether to forward the packet which has been received from the terminal, by the TEED, to the CUN or to the general network may be made based on the closed IP section information of all the CUNs.
  • the establishing of the control tunnel may include: establishing, by the control server, the control tunnel according to a tunnel request message received from the TEED and connecting the closed IP section information, which has been allocated to the TEED, to the established control tunnel; and establishing, by the TEED, the control tunnel according to a tunnel response message which has been received from the control server, and connecting the closed IP section information of all the CUNs to the established control tunnel.
  • the establishing of the control tunnel may include: establishing, by the control server, the control tunnel, by reflecting changed source IP address and UDP port information of a tunnel request message received from the TEED and connecting the closed IP section information, which has been allocated to the TEED, to the established control tunnel; and establishing, by the TEED, the control tunnel according to the tunnel response message received from the control server, and connecting the closed IP section information of all the CUNs to the established control tunnel.
  • the method for configuring a CUN may further include: establishing a direct tunnel between the TEED and a second TEED previously registered to the control server, wherein the establishing of the direct tunnel may include: determining whether or not direct communications between the TEED and the second TEED are available by checking a network access type of the TEED and that of the second TEED according to a STUN (Simple Traversal of User Datagram Protocol [UDP] Through Network Address Translators [NATs]) method; if direct communications are available, acquiring, by the TEED, an IP address and a port number to be used for communications with the second TEED; exchanging a tunnel request message and a tunnel response message between the TEED and the second TEED; and setting tunnel information and route information in the TEED and the second TEED.
  • STUN Simple Traversal of User Datagram Protocol [UDP] Through Network Address Translators [NATs]
  • the method for configuring a CUN may further include: establishing a direct tunnel between the TEED and a user terminal which has not been connected to the TEED, wherein the establishing of the direct tunnel may include: determining whether or not direct communications between the TEED and the user terminal are available by checking a TEED network access type and that of the user terminal according to a STUN method; if direct communications are available, acquiring, by the user terminal, an IP address and a port number to be used for communications with the TEED; exchanging a tunnel request message and a tunnel response message between the TEED and the user terminal; and setting tunnel information and route information in the TEED and the user terminal.
  • a CUN system including: a control server configured to establish a control tunnel with a tunnel endpoint edge device (TEED) and forward a packet transmitted and received to and from the TEED by using closed IP section information which has been allocated to the TEED; and the TEED configured to establish the control tunnel with the control server and allocate a closed IP to a terminal connected to the TEED, within a closed IP section allocated from the control server.
  • TEED tunnel endpoint edge device
  • the TEED may have a network address translation (NAT) function, and perform tunneling on a packet within the allocated closed IP section, and may not perform tunneling on a packet outside the allocated closed IP section but forward the packet through the NAT function.
  • the CUN system may further include: a user terminal equipped with client software for performing tunneling with the control server and not being connected with the TEED, wherein the user terminal may establish a control tunnel with the control server by executing the client software, and may be allocated a closed IP from the control server to communicate with terminals connected with the TEED.
  • the user terminal may establish a direct tunnel with the TEED and perform communications with the terminals connected with the TEED through the direct tunnel.
  • network access is only open between closed users, and those accessing the closed network from an external network can be fundamentally interrupted, so a network for a particular purpose can be effectively configured for only limited users.
  • since the TEED provides the NAT function, the respective terminals are recognized as if they were connected to a public network in spite of using the closed IP; accordingly, direct communications are available between terminals or servers using a private IP, and P2P communications are available between terminals using a closed IP without having to consider an issue such as a NAT or firewall.
  • since IPv6 as well as IPv4 can be used as the closed IP in the exemplary embodiment of the present invention, construction of a CUN based on IPv6 would lead to the creation of a greater range of IPv6 application programs.
  • an organization intending to establish a closed network having a particular purpose such as serving an army or police force, an institution or agency intending to establish a closed Intranet, an organization intending to perform inter-group closed direct communications by associating small groups such as small office/home office (SOHO) which are separately located, or a home intending to construct a home network available for closed direct communications can effectively configure a network by using the present invention.
  • SOHO small office/home office
  • FIG. 1 illustrates the related art Internet access type of user terminals
  • FIG. 2 illustrates the configuration of a Closed User Network (CUN) according to an exemplary embodiment of the present invention
  • FIG. 3 illustrates a tunnel structure for communications between a terminal connected with a tunnel end edge device (TEED) of a CUN and a terminal located outside the CUN;
  • TEED tunnel end edge device
  • FIG. 4 illustrates the process of performing registration by the TEED of the CUN to a control server
  • FIG. 5 illustrates the process of establishing a control tunnel between a TEED connected to a public network and the control server
  • FIG. 6 illustrates the process of establishing a control tunnel between a TEED connected to a private network and the control server
  • FIG. 7 illustrates a direct tunnel establishment structure between TEEDs
  • FIG. 8 illustrates the process of establishing a direct tunnel between the TEEDs
  • FIG. 9 illustrates a tunnel structure for a terminal located outside a CUNG to communicate with a terminal located within the CUNG;
  • FIG. 10 illustrates the process of establishing a control tunnel for the terminal located outside the CUNG to communicate with the terminal located within the CUNG;
  • FIG. 11 illustrates the process of establishing a direct tunnel for the terminal located outside the CUNG to communicate with the terminal located within the CUNG;
  • FIG. 12 illustrates a tunnel structure for interworking between CUNs.
  • IPv6 as well as IPv4 can be used as a closed IP.
  • when IPv4 is used as the closed IP, an IPv4 over UDP over IPv4 tunneling method is employed, and when IPv6 is used as the closed IP, an IPv6 over UDP over IPv4 tunneling method is employed.
  • hereinafter, the IPv4 over UDP over IPv4 tunneling method will be described for the sake of brevity, but the present invention is not meant to be limited thereto.
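An added example, not from the patent, showing what an IPv4 over UDP over IPv4 tunnel packet looks like on the wire and how a receiver unwraps and validates it: the closed-IP packet rides as the UDP payload of an outer IPv4 packet addressed between the tunnel endpoints. The outer addresses and UDP port 48702 are the ones this page gives for FIG. 5; the inner closed IPs and payload are constructed sample values, and the function names are this example's own.

```python
import struct

TUNNEL_PORT = 48702          # UDP port the description uses for tunneling


def _checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      _ip_bytes(src), _ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, outer_src: str, outer_dst: str,
                sport: int = TUNNEL_PORT, dport: int = TUNNEL_PORT) -> bytes:
    """Wrap a closed-IP packet: inner IPv4 -> UDP payload -> outer IPv4 (protocol 17).
    The UDP checksum is left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner
    return ipv4_header(outer_src, outer_dst, 17, len(udp)) + udp


def decapsulate(packet: bytes, expect_port: int = TUNNEL_PORT) -> bytes:
    """Validate the outer headers and return the inner closed-IP packet.
    Raises ValueError for anything that is not a well-formed tunnel packet."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if _checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad outer IPv4 header checksum")
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != expect_port:
        raise ValueError("UDP port %d is not the tunnel port" % dport)
    inner = packet[ihl + 8:ihl + ulen]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not an IPv4 packet")
    return inner


def is_tunnel_packet(packet: bytes) -> bool:
    """True only if the packet passes every check in decapsulate()."""
    try:
        decapsulate(packet)
        return True
    except ValueError:
        return False


def outer_endpoints(packet: bytes):
    """(outer src, outer dst): the tunnel endpoints, e.g. TEED WAN address and control server."""
    return ip_str(packet[12:16]), ip_str(packet[16:20])


def inner_addresses(packet: bytes):
    """(closed src, closed dst) carried inside the tunnel packet."""
    inner = decapsulate(packet)
    return ip_str(inner[12:16]), ip_str(inner[16:20])


# Constructed sample: a terminal in CUNG #1 (192.101.1.x) sends 12 bytes of UDP
# payload to a terminal in CUNG #2 (192.102.1.x); TEED #1 tunnels it to the server.
SAMPLE_INNER = ipv4_header("192.101.1.5", "192.102.1.7", 17, 12) + b"\x00" * 12
SAMPLE_PACKET = encapsulate(SAMPLE_INNER, "129.254.191.31", "129.254.197.158")
```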
  • FIG. 2 illustrates the configuration of a Closed User Network (CUN) according to an exemplary embodiment of the present invention, in which the CUN includes a control server 10, tunnel endpoint edge devices (TEEDs) 21 to 27, and terminals 31 to 36.
  • TEEDs tunnel endpoint edge devices
  • tunnels are established at least between the control server 10 and the TEEDs 21 to 27, between the control server 10 and the terminals 31 to 36, between the TEEDs 21 to 27, and between the TEEDs 21 to 27 and the terminals 31 to 36, to establish a network environment in which the terminal can directly perform communications by using a closed IP.
  • since a closed IP, namely a private IP, is used, access by a general Internet terminal located outside the CUN without tunneling is not possible.
  • the control server 10 located in the network establishes a tunnel with the terminals 31 to 36 or the TEEDs 21 to 27 and serves to forward a packet transmitted or received to or from the terminals 31 to 36 or the TEEDs 21 to 27.
  • control server 10 establishes a tunnel with the TEEDs 21 to 27 according to a request from the corresponding TEEDs 21 to 27. According to circumstances, the control server 10 may directly establish a tunnel with the terminals 31 to 36. In addition, the control server 10 may allocate a closed IP section to each of the TEEDs 21 to 27, and forward a packet transmitted or received between the TEEDs 21 to 27 by reflecting the allocated closed IP section information on a route table.
  • the TEEDs 21 to 27, which are located in the same manner as an existing wired NAT device or wireless NAT device, are edge devices having a NAT function that allows the terminals 31 to 36 to perform communications by using a private IP, and are available for tunneling with the control server 10. Also, the TEEDs 21 to 27 may allocate a closed IP to each of the terminals 31 to 36 within the closed IP section allocated from the control server 10.
  • the TEEDs 21 to 27 forward a packet, which has been received from the terminals 31 to 36, in the form of a tunneled packet to the control server 10, and forward the tunneled packet received from the control server 10, in the form of a pure closed IP packet to the terminals 31 to 36.
  • since a NAT or firewall may exist between the TEEDs 21 to 27 and the control server 10, the TEEDs 21 to 27 and the control server 10 have a NAT traversal function for use in the process of establishing the tunnels.
  • the TEEDs 21 to 27 generate sub-networks called CUN groups (CUNGs) 51 to 57, respectively.
  • CUNGs CUN groups
  • the number of CUNGs is consistent with the number of the TEEDs.
  • a network configured by the CUNGs 51 to 57 generated by the plurality of TEEDs 21 to 27 in association with the control server 10 is called the CUN, and in this case, the terminal which has established a direct tunnel with the control server 10 may be an element of the CUN.
  • Each of the terminals 31 to 36 is a terminal device that can be allocated a closed IP from the TEEDs 21 to 27 to communicate with another terminal located in a closed IP area without using any client software.
  • the terminal includes a desktop computer, a notebook computer, a personal digital assistant (PDA), and the like.
  • the terminals 31 to 36 may also use the existing Internet. This is because the TEEDs 21 to 27 operate in the same manner as an existing NAT, without performing tunneling on packets outside the closed IP section allocated from the control server 10.
  • a server farm can be configured as a closed network by using the TEED #7 27, without using high-priced equipment such as a firewall.
  • an external Internet user is fundamentally prevented from accessing the respective servers 41 to 43 of the server farm.
  • WiBro allocates a public IP to the terminals but uses a firewall, and HSDPA allocates a private IP to the terminals, making it difficult to perform direct communications with an Internet user located outside of the CUN.
  • configuration of the CUN by using the TEED allows for direct communications between users each having a different access form (e.g., Ethernet, Wi-Fi, HSDPA, etc.).
  • FIG. 3 illustrates a tunnel structure for communications between a terminal connected with the TEED of the CUN and a terminal located outside the CUN.
  • when the terminal #1 31, which has performed communications in the CUN, moves to a different location and is connected to the general Internet without a TEED, it cannot access the closed user network, because the CUN has a structure that fundamentally prevents network access from outside the CUN based on the closed IP.
  • in this case, the terminal #1 31, equipped with a client that performs tunneling with the control server 10, can execute the client in order to establish a direct tunnel with the control server 10 and be allocated a closed IP to access the CUN, whereby the terminal #1 31 can perform communications with a particular server or terminal located in the CUN.
  • FIG. 4 illustrates the process of performing registration by the TEED of the CUN to the control server.
  • the control server 10 includes a CUNG route database 11 to be allocated to each TEED.
  • the CUNG route database may be allocated to each TEED according to a subscription procedure, may be provisioned, or may be allocated according to an automatically calculated algorithm.
  • a table shown in Table 2 below is stored in the CUNG route database 11.
  • the control server 10 allocates the closed IP section information of 192.101.1.1/24, a corresponding closed IP section, to the TEED #1 21 with reference to the CUNG route database 11 provided therein (S42).
  • the control server 10 allocates the closed IP section information of 192.102.1.1/24, a corresponding closed IP section, to the TEED #2 22 with reference to the CUNG route database 11 provided therein (S44).
  • control server 10 reflects the closed IP section information allocated to each TEED on a tunnel and forwarding table to be established afterward, so as to use it as information in determining to which TEED an input packet should be forwarded.
  • the TEED #1 21 and TEED #2 22 use the closed IP section information allocated from the control server 10 as an IP pool to be allocated to each terminal connected to each of them later.
  • control server 10 provides the closed IP section information, i.e., 192.1.1.1/8 information, of every CUN managed by the control server 10 to the TEED #1 21 and TEED #2 22. Based on this information, the TEED #1 21 and TEED #2 22 can determine whether a packet received from a terminal should be forwarded to the CUN or to the existing Internet. In other words, if a destination IP address corresponds to a route of the CUN, the control server 10 forwards the received packet to the CUN through tunneling, or otherwise, the control server 10 forwards the received packet to the existing Internet according to its destination, rather than tunneling it.
  • FIG. 5 illustrates the process of establishing a control tunnel between the TEED connected to a public network and the control server.
  • the TEED #1 21 must be allocated closed IP section information from the control server 10 and receive all the closed IP section information of the CUN.
  • the TEED #1 21 and the control server 10 must have the NAT traversal function.
  • it is assumed that an IP address of the control server 10 is 129.254.197.158 and a UDP port to be used for tunneling is 48702, and that an IP address in a WAN direction of the TEED #1 21 is 129.254.191.31 and a UDP port to be used for tunneling is 48702.
  • a tunneling process is performed between the TEED #1 21 and the control server 10 according to the following procedure.
  • the TEED #1 21 finishes a procedure for registration with the control server 10 and then transmits a tunnel request message to the control server 10.
  • upon receiving the tunnel request message, the control server 10 establishes a tunnel, connects the route information allocated to the TEED #1 21 to the established tunnel, and then transmits a tunnel response message to the TEED #1 21 (S52).
  • the route information is used to determine whether to forward a packet, which has been received from a different TEED, to the TEED #1 21.
  • upon receiving the tunnel response message, the TEED #1 21 establishes a tunnel with the control server 10 (S53) and then connects the closed IP section information (192.1.1.1/8) of every CUN, which has been received from the control server 10, to the established tunnel.
  • the closed IP section information of every CUN is used to determine whether the TEED #1 21 should forward a packet, which has been received from the terminal, to the CUN through tunneling or to the existing Internet.
  • the TEED #1 21 may allocate an IP address to the terminal connected to the TEED #1 21 within the address range 192.101.1.xxx/24.
  • Table 3 and Table 4 below show the tunnel establishment results, each showing the structure of tunnel table of the control server and that of the TEED #1.
  • FIG. 6 illustrates the process of establishing a control tunnel between a TEED connected to a private network and the control server.
  • an IP address of the control server 10 is 129.254.197.158 and a UDP port to be used for tunneling is 48702. Also, it is assumed that an IP address in a WAN direction of the TEED #2 22 is 192.168.1.2 and a UDP port to be used for tunneling is 48702. Also, it is assumed that an IP address in the WAN direction of the NAT 62 is 129.254.191.42 and an IP address in a private LAN direction of the NAT 62 is 192.168.1.1/24. In this network environment, a tunneling procedure between the TEED #2 22 and the control server 10 is performed according to the following procedure.
  • the TEED #2 22 finishes the registration procedure with the control server 10 and transmits a tunnel request message to the control server 10 via the NAT 62 (S61, S62).
  • while passing through the NAT 62, the source IP address (Src IP) and the UDP port of the tunnel request message are changed to 129.254.191.42 and 1024.
  • the control server 10 checks the changed source IP address and UDP port of the received tunnel request message and reflects them in the tunnel information to be set.
  • in the tunnel information to be set for the TEED #2 22, the destination IP and UDP port are therefore 129.254.191.42 and 1024, i.e., the IP address and port as changed when the message passed through the NAT 62.
  • upon receiving the tunnel request message, the control server 10 establishes a tunnel, connects the route information, which has been allocated to the TEED #2 22, to the established tunnel, and transmits a tunnel response message to the TEED #2 22 (S63, S64). Also, in this case, the control server uses the changed IP address and port, and the tunnel response message is restored to the original IP address and port while passing through the NAT 62 so as to be transferred to the TEED #2 22.
  • a control tunnel is established between the TEED #2 22 and the control server 10 (S65), and the TEED #2 22 connects the closed IP section information (192.1.1.1/8) of every CUN provided from the control server 10 to the established tunnel.
  • the TEED #2 22 may allocate an IP address to the terminals connected to the TEED #2 22 within an address 192.102.1.xxx/24.
  • Table 5 and Table 6 below show the tunnel establishment results, each showing the structure of tunnel table of the control server and that of the TEED #2.
  • Table 7 below shows the possibility (or availability) of direct communications between terminals according to each connection type in the CUN, including the control server, the TEED and the terminal, according to an exemplary embodiment of the present invention.
  • from Table 7, it is noted that the use of the tunneling function between the TEED having the NAT traversal function and the control server, as shown in FIG. 5, allows for direct communications between terminals in any event, in spite of the use of a closed IP, namely a private IP.
  • FIG. 7 illustrates a direct tunnel establishment structure between TEEDs, in which a direct tunnel may be established between TEEDs to route data traffic around the control server to thus reduce the control server's data forwarding burden.
  • when a direct tunnel is established between the TEEDs, data traffic for the communications between the terminals connected to the CUNG #1 51 of the TEED #1 21 and the CUNG #2 52 of the TEED #2 22 can be forwarded through the established direct tunnel, so the burden of data forwarding on the control server 10 can be minimized.
  • FIG. 8 illustrates the process of establishing a direct tunnel between the TEEDs, in which the terminal #1 31 and the terminal #2 32 located respectively in the CUNG #1 and the CUNG #2 generated by the TEED #1 21 and the TEED #2 22 can communicate through a control channel.
  • in order to perform the tunneling process, the IP address and port number of the TEED #1 21 and the TEED #2 22 may be set by the user, or the information of the counterpart TEED may be obtained through the control server 10.
  • the respective TEEDs must exchange a message with the counterpart TEED by using the allocated IP address and port number, learn the changed IP address and port number of the counterpart TEED through the message exchange, and use the learned IP address and port number as tunnel establishment information.
  • for the method of checking how the IP address and port number change in a NAT environment and checking whether or not there is a firewall, reference may be made to the STUN document.
  • FIG. 8 shows the process of establishing the direct tunnel between the TEED #1 21 and the TEED #2 22 when the TEED #1 21 and the TEED #2 22 are both connected to a public network.
  • the TEED #1 21 and the TEED #2 22 determine a network access type according to the STUN method to check a direct communications availability. If direct communications are possible, the TEED #1 21 acquires information about an IP address and port number to be used for communications with the TEED #2 22 (S81). Meanwhile, if direct communications between the TEED #1 21 and the TEED #2 22 are not possible (for example, if the TEED #1 21 and the TEED #2 22 are both connected to a symmetric NAT), they perform communications by using an established control tunnel, rather than by performing direct tunneling.
  • the TEED #1 21 and the TEED #2 22 perform a tunneling process by using the acquired IP address and port number.
  • the TEED #1 21 and the TEED #2 22 must have information about an established tunnel to the control server 10.
  • tunnel information and route information (192.101.1.1/24) to the TEED #1 21 are set in the TEED #2 22, and tunnel information and route information (192.102.1.1/24) to the TEED #2 22 are set in the TEED #1 21.
  • the route information is subnet information used in the CUNG generated by each TEED, which can be directly acquired from the control server 10 or from the counterpart TEED during a tunneling process.
  • the terminal #1 31 and the terminal #2 32 can directly communicate through the established direct tunnel.
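An added example, not part of the patent, modelling the behaviour described in FIGS. 4 to 8 in one place: section allocation from the CUNG route database, the control server recording the NAT-translated source of a tunnel request as the tunnel endpoint, the TEED's tunnel-or-NAT forwarding decision, and preference for a direct tunnel once one exists. Addresses, ports and closed IP sections are those stated on the page; the class and function names, the STUN-learned direct-tunnel endpoint and the port the NAT hands out are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]      # (IPv4 address, UDP port) of a tunnel end
TUNNEL_PORT = 48702             # UDP port the description uses for tunneling
# closed IP section information of every CUN handed to each TEED (written 192.1.1.1/8 on the page)
CUN_ALL = ipaddress.ip_network("192.1.1.1/8", strict=False)


@dataclass
class Tunnel:
    name: str
    remote: Endpoint                 # where encapsulated packets for this tunnel are sent
    route: ipaddress.IPv4Network     # closed IP section reachable through the tunnel


class ControlServer:
    """Owns the CUNG route database and the tunnel table (Tables 2, 3 and 5 on the page)."""

    def __init__(self, addr: str):
        self.endpoint: Endpoint = (addr, TUNNEL_PORT)
        # CUNG route database: the section provisioned for each TEED (assumed contents, per FIG. 4)
        self.cung_db = {
            "TEED#1": ipaddress.ip_network("192.101.1.1/24", strict=False),
            "TEED#2": ipaddress.ip_network("192.102.1.1/24", strict=False),
        }
        self.tunnels: Dict[str, Tunnel] = {}

    def register(self, teed_id: str):
        """S41-S44: give the TEED its own section plus the aggregate of all CUNs."""
        return self.cung_db[teed_id], CUN_ALL

    def tunnel_request(self, teed_id: str, observed_src: Endpoint) -> Endpoint:
        """S51/S62: the tunnel endpoint is the source the request arrived with.
        For a TEED behind a NAT that is the translated address and port, so the
        response and later tunneled packets traverse the same NAT binding."""
        self.tunnels[teed_id] = Tunnel(teed_id, observed_src, self.cung_db[teed_id])
        return self.endpoint

    def forward(self, dst_ip: str) -> Optional[str]:
        """Name of the TEED whose section holds dst_ip; None if dst is outside every CUN."""
        ip = ipaddress.ip_address(dst_ip)
        for tunnel in self.tunnels.values():
            if ip in tunnel.route:
                return tunnel.name
        return None


class Nat:
    """Models NAT 62 in FIG. 6: rewrites the source of traffic leaving the private LAN."""

    def __init__(self, wan_ip: str, first_port: int = 1024):   # 1024 is the port shown on the page
        self.wan_ip, self.next_port = wan_ip, first_port
        self.table: Dict[Endpoint, Endpoint] = {}

    def translate(self, inside: Endpoint) -> Endpoint:
        if inside not in self.table:
            self.table[inside] = (self.wan_ip, self.next_port)
            self.next_port += 1
        return self.table[inside]


class Teed:
    """Edge device: allocates closed IPs and decides tunnel vs. ordinary NAT forwarding."""

    def __init__(self, name: str, wan_ip: str, server: ControlServer, nat: Optional[Nat] = None):
        self.name, self.wan = name, (wan_ip, TUNNEL_PORT)
        self.section, self.cun_all = server.register(name)
        self.pool = list(self.section.hosts())          # IP pool for attached terminals
        observed = nat.translate(self.wan) if nat else self.wan
        self.control = Tunnel("control", server.tunnel_request(name, observed), self.cun_all)
        self.direct: List[Tunnel] = []

    def allocate(self) -> str:
        """Next closed IP for a terminal, taken from the section the server allocated."""
        return str(self.pool.pop(0))

    def add_direct_tunnel(self, peer_name: str, learned: Endpoint, route: ipaddress.IPv4Network):
        """S81-S83: once STUN shows the peer reachable, send its section straight to it."""
        self.direct.append(Tunnel(peer_name, learned, route))

    def classify(self, dst_ip: str) -> Tuple[str, Endpoint]:
        """('local', own WAN) inside this CUNG, ('tunnel', remote) for other closed IPs,
        ('nat', own WAN) for anything outside the CUN, which is forwarded like a plain NAT."""
        ip = ipaddress.ip_address(dst_ip)
        if ip in self.section:
            return "local", self.wan
        for tunnel in self.direct:                 # a direct tunnel bypasses the server (FIG. 7)
            if ip in tunnel.route:
                return "tunnel", tunnel.remote
        if ip in self.cun_all:
            return "tunnel", self.control.remote   # via the control tunnel
        return "nat", self.wan


def build_example_cun():
    """The FIG. 5 / FIG. 6 setup: TEED #1 on a public address, TEED #2 behind NAT 62."""
    server = ControlServer("129.254.197.158")
    teed1 = Teed("TEED#1", "129.254.191.31", server)
    teed2 = Teed("TEED#2", "192.168.1.2", server, Nat("129.254.191.42"))
    return server, teed1, teed2
```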
  • FIG. 9 illustrates a tunnel structure for a terminal located outside CUNG to communicate with a terminal located within CUNG.
  • the CUN basically blocks packets from general Internet terminals at the IP layer.
  • when the terminal #1 31 is not located within the CUN and connects to a general network, it includes and runs client software that allows tunneling, in order to communicate with a terminal located within the CUN.
  • two methods are available: in the first, the terminal #1 31 establishes a control tunnel to the control server 10 in order to connect to the CUNG #2 52 by way of the control server 10; in the second, the terminal #1 31 establishes a control tunnel to the TEED #2 22, which has generated the CUNG #2 52 with which the terminal #1 31 wants to communicate, and connects to the CUNG #2 52 without going through the control server 10.
  • FIG. 10 illustrates the process of establishing a control tunnel for the terminal located outside the CUNG to communicate with the terminal located within the CUNG.
  • the TEED #2 22 has already generated the CUNG #2 through registration and tunneling to the control server 10, and information regarding tunnel and route to the CUNG #2 has been set in the control server 10.
  • the terminal #1 31 performs tunneling with the control server 10 by using an IP address (CoA) which has been allocated from the connected general network and an IP address (HoA) which has been allocated from the control server 10.
  • the CoA is used as the tunneling and tunnel information, and the HoA is used as the information about the route connected to the tunnel.
  • the control server 10 configures information about a tunnel and route to the terminal #1 31 and transmits a tunnel response message to the terminal #1 31 (S102).
  • the terminal #1 31 establishes a control tunnel to the control server 10 and connects the CUN route information, which has been allocated from the control server 10, to the tunnel to thereby connect to the CUN (S103).
  • the terminal #1 31 can communicate with every terminal connected to the CUNG #2, as well as with the CUNG #2 (S104).
  • FIG. 11 illustrates the process of establishing a direct tunnel for the terminal located outside the CUNG to communicate with the terminal located within the CUNG.
  • the terminal #1 31 located outside the CUNG #2 establishes a direct tunnel with the TEED #2 22 in order to communicate with the terminal #2 32 within the CUNG #2.
  • the terminal #1 31 and the terminal #2 32 located within the CUNG #2, which has been generated by the TEED #2 22, are then in a state in which they can communicate.
  • in order for the terminal #1 31 to establish a direct tunnel with the TEED #2 22, it should be considered whether or not the TEED #2 22 is located behind a NAT or firewall.
  • the user may set an IP address and port number of the TEED #2 22 or information can be obtained through the control server 10 to perform the tunneling process.
  • the terminal #1 31, the control server 10, and the TEED #2 22 determine whether direct communications are possible by checking the network access type of the terminal #1 31 and the TEED #2 22 according to the STUN method. If direct communications are possible, the terminal #1 31 acquires information regarding the IP address and port number to be used for communications with the TEED #2 22 (S112). Meanwhile, if direct communications between the terminal #1 31 and the TEED #2 22 are not possible (for example, if the terminal #1 31 and the TEED #2 22 are both connected to a symmetric NAT), the terminal #1 31 and the TEED #2 22 do not perform direct tunneling but communicate through the previously established control tunnel.
  • the terminal #1 31 and the TEED #2 22 perform a tunneling process by using the acquired IP address and port number.
  • the terminal #1 31 and the TEED #2 22 must have information regarding an established tunnel to the control server 10.
  • the terminal #1 31 exchanges tunnel request and tunnel response messages with the TEED #2 22, whereby information regarding the tunnel and route to the terminal #1 31 is set in the TEED #2 22 and information regarding the tunnel and route to the TEED #2 22 is set in the terminal #1 31 (S113, S114).
  • the information regarding the route for connecting the terminal #1 31 to the tunnel to the TEED #2 22 is route information of the CUNG #2 which has been generated by the TEED #2 22, which can be directly acquired from the control server 10 or from the TEED #2 22 during the tunneling process.
  • the terminal #1 31 can directly communicate with every terminal located within the CUNG #2 through the direct tunnel.
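The tunnel-establishment decision of FIG. 8 (TEED to TEED) and FIG. 11 (client terminal to TEED), that is, the STUN-based access-type check, a direct tunnel when one is possible, fallback to the existing control tunnel when both peers sit behind a symmetric NAT, and the exchange of the counterpart's route information, as an added Python example that is not part of the patent. The NatType names, the Endpoint fields and the rule that only the symmetric/symmetric case rules out a direct tunnel are assumptions; the subnets used are the page's 192.101.1.1/24 and 192.102.1.1/24.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import IPv4Address, IPv4Network


class NatType(Enum):
    """Network access type as determined by the STUN check (assumed names)."""
    PUBLIC = "public"        # directly on the public network
    CONE = "cone"            # cone-type NAT: mapped address/port is reusable
    SYMMETRIC = "symmetric"  # mapping changes per destination


@dataclass
class Endpoint:
    """A TEED, or a terminal running the client software."""
    name: str
    nat_type: NatType
    mapped_addr: tuple                          # (ip, port) learned via STUN
    cung_routes: list = field(default_factory=list)  # CUNG subnets it generates
    has_control_tunnel: bool = False            # tunnel to the control server up?
    tunnels: dict = field(default_factory=dict)      # peer name -> tunnel entry


def direct_possible(a: NatType, b: NatType) -> bool:
    # Assumption: only "both behind symmetric NAT" rules out a direct tunnel;
    # any other combination can use the STUN-learned address and port.
    return not (a is NatType.SYMMETRIC and b is NatType.SYMMETRIC)


def establish_tunnel(a: Endpoint, b: Endpoint) -> str:
    """Set up the peer tunnel on both sides; returns the mode chosen."""
    # Both peers must already hold an established tunnel to the control server.
    if not (a.has_control_tunnel and b.has_control_tunnel):
        raise RuntimeError("control tunnel to the control server required first")
    mode = "direct" if direct_possible(a.nat_type, b.nat_type) else "control"
    for me, peer in ((a, b), (b, a)):
        entry = {"mode": mode,
                 # route information = the counterpart's CUNG subnet(s)
                 "routes": [IPv4Network(r, strict=False) for r in peer.cung_routes],
                 # direct: tunnel request/response carried the STUN-learned
                 # endpoint; otherwise keep relaying through the control tunnel
                 "remote": peer.mapped_addr if mode == "direct" else "control_server"}
        me.tunnels[peer.name] = entry
    return mode


def next_hop(me: Endpoint, dst: str):
    """(peer, mode) of the tunnel carrying traffic to dst, or None."""
    addr = IPv4Address(dst)
    for peer, entry in me.tunnels.items():
        if any(addr in net for net in entry["routes"]):
            return peer, entry["mode"]
    return None
```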
  • FIG. 12 illustrates a tunnel structure for interworking between CUNs.
  • a single control server forms a single CUN, and several CUNs may exist.
  • the head office and the branch offices may form a CUN, respectively, and a control server of each branch office may establish a control tunnel with a control server of the head office between CUNs.
  • a closed IP section (192.1.0.0/16, 192.2.0.0/16) to be used in each CUN is allocated to each CUN, and a closed IP section (192.0.0.0/8) including the closed IP section to be used in every CUN is allocated to a terminal located outside the TEED and the CUN, whereby a terminal connected to a group #1 of the CUN #1 can communicate with a terminal located in a group #2 of the CUN #2 through the control tunnel between the CUNs.
  • since each control server is always located in the public network, the control tunnel between the CUNs may be established manually or by exchanging tunnel request/response messages.
  • a representative CUN may be designated and a plurality of CUNs may establish a tunnel to the representative CUN or each tunnel may be established in a mesh form between CUNs.
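The address plan of FIG. 12 (a closed IP section per CUN inside one enclosing closed section, traffic between CUNs carried over the control tunnel between control servers, and plain NAT forwarding for destinations outside the closed section, as the abstract describes), as an added Python example of the forwarding lookup a TEED or client terminal would perform; it is not the patent's code. The route entries, action names and tunnel names in teed_in_cun1 are constructed assumptions; the prefixes 192.1.0.0/16, 192.2.0.0/16 and 192.0.0.0/8 are the page's.

```python
from ipaddress import IPv4Address, IPv4Network

# Forwarding actions (assumed names): ("local", None) deliver on the own CUNG,
# ("direct", peer) via a direct tunnel, ("control", server) via the control
# tunnel, ("inter-cun", server) via the control server's tunnel to the other
# CUN, ("nat", None) plain NAT forwarding outside the closed IP section.


class ClosedUserRoutes:
    def __init__(self, entries):
        # entries: list of (prefix, action); strict=False accepts host-style
        # prefixes such as the page's "192.101.1.1/24".
        self.routes = [(IPv4Network(p, strict=False), a) for p, a in entries]

    def lookup(self, dst):
        addr = IPv4Address(dst)
        matches = [(n, a) for n, a in self.routes if addr in n]
        if not matches:
            # Not inside any closed IP section: the TEED forwards like a
            # general NAT, without tunneling.
            return ("nat", None)
        # Longest prefix wins: own CUNG before CUN section before enclosing /8.
        _, action = max(matches, key=lambda m: m[0].prefixlen)
        return action


def teed_in_cun1():
    """Constructed table for the TEED generating group #1 of CUN #1 (assumption)."""
    return ClosedUserRoutes([
        ("192.1.1.0/24", ("local", None)),        # its own CUNG
        ("192.1.2.0/24", ("direct", "TEED#2")),   # direct tunnel to a peer TEED
        ("192.1.0.0/16", ("control", "CS#1")),    # rest of CUN #1 via control server
        ("192.0.0.0/8", ("inter-cun", "CS#1")),   # other CUNs via CS#1's inter-CUN tunnel
    ])
```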


Abstract

The invention relates to a method for configuring a closed user network (CUN) using an IP tunneling mechanism, and to a CUN system. In particular, the invention relates to a technique for establishing a tunnel between a tunnel end-point edge device (TEED) and a control server by using an IP tunneling mechanism, so as to allow terminals connected to the TEED to communicate using a closed IP; for giving the TEED a network address translation (NAT) function so that the TEED can forward data like a general NAT, without tunneling, to a destination IP outside the closed IP section; and for allowing a terminal located in an area where no TEED is deployed to establish a tunnel directly with the control server by using client software, thereby communicating with a terminal or server connected to the TEED by using the closed IP.
PCT/KR2009/007315 2008-12-08 2009-12-08 Method for configuring a closed user network using an IP tunneling mechanism and closed user network system WO2010068018A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/133,540 US8621087B2 (en) 2008-12-08 2009-12-08 Method for configuring closed user network using IP tunneling mechanism and closed user network system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2008-0124010 2008-12-08
KR20080124010 2008-12-08
KR1020090064814A KR101210388B1 (ko) 2008-12-08 2009-07-16 Method for configuring a closed user network using IP tunneling technology and closed user network system
KR10-2009-0064814 2009-07-16

Publications (2)

Publication Number Publication Date
WO2010068018A2 true WO2010068018A2 (fr) 2010-06-17
WO2010068018A3 WO2010068018A3 (fr) 2010-08-05

Family

ID=42243202

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2009/007315 WO2010068018A2 (fr) 2008-12-08 2009-12-08 Method for configuring a closed user network using an IP tunneling mechanism and closed user network system

Country Status (1)

Country Link
WO (1) WO2010068018A2 (fr)
