WO2011032472A1 - Method and system for implementing a virtual private network - Google Patents
Method and system for implementing a virtual private network
- Publication number
- WO2011032472A1 (PCT/CN2010/076777)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vpn
- mapping
- host
- attribute
- destination host
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/54—Store-and-forward switching systems
- H04L12/56—Packet switching systems
- H04L12/5601—Transfer mode dependent, e.g. ATM
- H04L2012/5603—Access techniques
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/69—Types of network addresses using geographic information, e.g. room number
Definitions
- the present invention relates to a location identity separation technique, and more particularly to a method and system for implementing a virtual private network.
- 4G is the abbreviation of the 4th generation mobile communication system.
- the goal of 4G is to provide an IP bearer network-based solution for voice, data and streaming services, giving users an "anytime, anywhere, any service" high-speed communication environment.
- NGN Next Generation Network
- 3G and 4G are the core of next-generation network research in the field of wireless communications, aiming to improve the quality of wireless mobile communication on an all-IP packet core network; NGN and NGI (Next-Generation Internet) are research on the convergence of the telecommunications network and the Internet into a next-generation network.
- CNGI China's Next Generation Internet
- Northern Jiaotong University's "Integrated Trusted Network and Pervasive Service System Basic Research" hopes to build a unified new packet network.
- the widely accepted view of various studies is that the future network is a unified bearer network based on packets. Therefore, research on the next generation network architecture will use the Internet as the main reference.
- the Internet has maintained rapid growth since its birth and has become the most successful and most vital communication network in the world. Its flexibility and extensibility, efficient packet switching, and powerful terminal functions are in line with the design requirements of the new generation network.
- the Internet will be the main reference blueprint for the new generation network design.
- the structure of the Internet is far from optimal, and there are many major design issues.
- when the Internet was invented in the 1970s it was difficult to predict that the world today would have a large number of mobile terminals and multi-homed terminals, so the Internet protocol stack of the time was designed primarily for terminals connected in a "fixed" manner.
- the sending address and the receiving address are the same and the path is reversible, so an IP address with the dual attributes of identity and location works very well.
- an IP address representing both identity and location exactly met the network needs of the time. From the perspective of the network environment at the time, this design is effective and simplifies the hierarchy of the protocol stack. But there is no doubt that there is an internal contradiction between the identity attribute and the location attribute of the IP address.
- the identity attribute of an IP address requires that any two IP addresses be of equal status.
- IP addresses can be assigned according to organization; there is no necessary relationship between consecutively encoded IP addresses, or at least no necessary relationship in topological position.
- the location attribute of the IP address requires that the IP address be assigned based on the network topology (rather than the organization).
- the IP addresses in the same subnet should be in a contiguous block of IP addresses so that IP address prefixes can be aggregated in the network topology, which reduces the routing table entries of router devices and ensures the scalability of the routing system.
- DHCP Dynamic Host Configuration Protocol
- 1. Routing scalability problem. There is a basic assumption about the scalability of the Internet routing system: "addresses are allocated according to the topology, or the topology is deployed according to the addresses; one of the two must be chosen."
- the identity attribute of the IP address requires that the IP address be allocated based on the organization to which the terminal belongs (rather than the network topology), and this allocation must be stable and cannot change frequently; the location attribute of the IP address requires that the IP address be assigned based on the network topology to ensure the scalability of the routing system.
- in this way the two attributes of the IP address conflict, which eventually leads to the scalability problem of the Internet routing system. 2. Mobility problem.
- the identity attribute of the IP address requires that the IP address not change as the location of the terminal changes, so that communication bound to the identity is not interrupted and the terminal can still establish communication links using its identity after moving; the location attribute of the IP address requires that the IP address change as the terminal's location changes, so that it can be aggregated in the new network topology, otherwise the network must keep separate routing information for the mobile terminal, which causes a sharp increase in routing table entries.
- 3. Multi-homing problem. Multi-homing usually refers to terminals or networks that access the Internet through the networks of multiple ISPs (Internet Service Providers).
- ISPs Internet Service Providers
- the advantages of multi-homing include increased network reliability, support for traffic load balancing across multiple ISPs, and increased overall available bandwidth.
- the identity attribute of an IP address requires that a multi-homed terminal always present the same identity to other terminals, regardless of how many ISPs it accesses the Internet through; the location attribute of the IP address requires that a multi-homed terminal communicate using a different IP address in each ISP's network, to ensure that the terminal's IP address can be aggregated in the topology of that ISP's network.
- because the IP address contains both the identity information and the location information of the terminal, both the communication peer and a malicious eavesdropper can obtain the identity information and the topological location information of a terminal at the same time from its IP address.
- the technical environment and user groups of the Internet have undergone earth-shaking changes, and the Internet needs to be innovated.
- the dual attribute problem of IP addresses is one of the root causes that plague the Internet. Separating the identity attribute and the location attribute of IP addresses is a good way to solve the problems faced by the Internet.
- the new network is designed on this idea, proposing a network structure in which identity information and location information are separated and mapped, to solve some serious drawbacks of the existing Internet.
- in order to solve the problem of identity and location separation, the industry has carried out a lot of research and exploration.
- the basic idea of all identity and location separation schemes is to separate the identity and location dual attributes originally bound to the IP address.
- URL Uniform Resource Locator
- FQDN Fully Qualified Domain Name
- some schemes use an application-layer URL (Uniform Resource Locator, an identification method that completely describes the address of web pages and other resources on the Internet) or FQDN (Fully Qualified Domain Name) as the terminal identity; some schemes introduce a new namespace as the identity, such as HIP (Host Identity Protocol), which adds a host identity layer above the network layer identified by the IP address; some schemes classify IP addresses, using part of the IP address space as the identity and part as the location identifier.
- LISP (Locator/ID Separation Protocol) uses an EID (endpoint ID) as the identity identifier and an RLOC (Routing Locator) as the location identifier, etc.
- EID endpoint ID
- RLOC Routing Locator
- the LISP working group was established in the IETF.
- the charter of the LISP working group is devoted to the LISP base protocol (draft-farinacci-lisp-12.txt), LISP+ALT (LISP Alternative Topology, the optional LISP topology mapping system, draft-fuller-lisp-alt-05.txt), LISP interworking (draft-lewis-lisp-interworking-02.txt), the LISP mapping server (draft-fuller-lisp-ms-00.txt) and LISP multicast (draft-farinacci-lisp-multicast-01.txt).
- the working group will encourage and support the work of defining requirements for interoperable LISP implementations and boundary mapping systems, and the working group is also working on the security configuration of ALT or other mapping systems.
- a VPN (virtual private network) can interconnect components and resources of different networks.
- a VPN uses the Internet or other public internetwork infrastructure to create tunnels for users and provides the same security and functional guarantees as a private network.
- VPNs can be implemented in a variety of ways, which can be divided into user-managed VPN solutions (CPE-VPN) and carrier-implemented VPN solutions (PP-VPN).
- the user-managed VPN solution (CPE-VPN solution) is characterized by the user setting up, managing and maintaining the VPN gateway devices and establishing standard tunnel-based VPN connections between each branch office and the corporate headquarters over the public IP network.
- the tunnel protocol usually adopted is Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), IPsec (Secure IP), IP in IP (IP encapsulated in IP) or Generic Routing Encapsulation (GRE), and various encryption technologies and network address translation (NAT) are used to ensure the security of data transmission.
- L2TP Layer 2 Tunneling Protocol
- PPTP Point-to-Point Tunneling Protocol
- IPsec Secure IP
- IP in IP IP encapsulated in IP
- GRE Generic Routing Encapsulation
- the establishment and management of the VPN tunnel connection is entirely the responsibility of the user. The provider does not need to adjust or change the structure and performance of the network. This method is also known as the "self-built VPN" method.
- VPN allows enterprises to establish connections with branch offices or other companies through a public internetwork such as the Internet for secure communication. A VPN connection established across the Internet is logically equivalent to a connection established between the two sites over a WAN.
- because VPN communication runs over a public internetwork while users feel as if they are communicating over a private network, it is called a virtual private network.
- the use of VPN technology can solve the problem that employees need to access central resources and communicate with each other in a timely and effective manner when the amount of remote communication is increasing and the global operation of the enterprise is widely distributed.
- Remote user access through VPN.
- VPN supports remote access to enterprise resources through the public Internet.
- VPN users first dial in to the network access server (BRAS) of the local access service provider (ISP); then, using the VPN software and the connection established with the local ISP, a VPN is created across the Internet or other public internetwork between the remote user and the corporate VPN server.
- BRAS broadband remote access server
- ISP local access service provider
- branch offices and enterprise routers can use local dedicated lines to connect to the Internet through a local ISP, or dial in to the ISP's broadband access server to connect to the Internet.
- the VPN software then uses the connections with the local ISPs and the Internet to create a VPN between the branch office routers and the enterprise routers.
- the VPN technology uses the Layer 2 Tunneling Protocol (L2TP), which allows IP, IPX (Internetwork Packet Exchange) or NetBEUI (NetBIOS Extended User Interface) data streams to be encrypted and then sent over any network that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay or ATM (Asynchronous Transfer Mode); and the Secure IP (IPSec) tunnel mode.
- the IPSec tunnel mode allows IP payload data to be encrypted and then encapsulated in an IP header to be sent over an enterprise IP network or a public IP internetwork such as the Internet.
- the operator-implemented VPN solution refers to setting up VPN gateway devices on the operator's public data communication network for dedicated-line access users or remote dial-up access users.
- VPNs can be established through tunnel encapsulation, virtual routers, or MPLS (multi-protocol label switching) technologies according to specific VPN network requirements, and encryption technologies can be used to ensure data transmission security.
- MPLS multi-protocol label switching
- the establishment of the VPN connection is entirely the responsibility of the operator and is transparent to the user. This method is also known as the "outsourced VPN" method.
- due to the extensive use of Ethernet technology at the access network level, the current technology for partitioning networks over Ethernet is mainly Virtual Local Area Network (VLAN) technology.
- VLAN Virtual Local Area Network
- VLAN is an emerging technology that implements virtual workgroups by logically, rather than physically, dividing devices within a local area network into individual network segments.
- the Institute of Electrical and Electronics Engineers (IEEE) promulgated the draft 802.1Q protocol standard for standardizing VLAN implementations in 1999.
- the traditional Ethernet frame format defines 4096 VLANs.
- VLAN was proposed to solve the broadcast and security problems of Ethernet. It adds a VLAN header to the Ethernet frame, divides users into smaller workgroups by VLAN ID, and restricts Layer 2 access between users in different workgroups; each workgroup is a virtual local area network.
- the advantage of virtual local area network is that it can limit the broadcast range, and can form a virtual work group and dynamically manage the network.
- the VLAN isolates broadcast storms and also isolates communication between different VLANs, so communication between different VLANs requires a router to complete.
- there are several ways to divide VLANs. The first is to divide VLANs according to port, which is still the most commonly used; the second is to divide VLANs according to the MAC (Media Access Control) address. The biggest advantage of the MAC-based method is that when the user's physical location moves, that is, when switching from one switch to another, the VLAN does not need to be reconfigured; the disadvantage is that all users must be configured during initialization, resulting in reduced switch efficiency.
- another way is to divide VLANs according to the network-layer address or protocol type (if multiple protocols are supported) of each host rather than by routing, so even if the user's physical location changes there is no need to reconfigure the VLAN to which it belongs; the disadvantage is that re-parsing the frame header reduces efficiency.
- VLANs can also be divided according to IP multicast, where a multicast group is in effect a VLAN definition, that is, a multicast group is a VLAN; this method extends the VLAN to the WAN, so it is more flexible and easy to extend across routers.
- VLANs are widely used in broadband access.
- in the core network or wide area network, MPLS (Multi-Protocol Label Switching) VPN is more widely used.
- MPLS Multi-Protocol Label Switching
- the network model of the MPLS VPN includes:
- the Customer Edge (CE) device can be a router or a Layer 2 switch, which is located at the client and provides access to the network provider.
- the provider edge (PE, Provider Edge) router mainly maintains the forwarding table associated with the node, exchanges VPN routing information with other PE routers, and forwards VPN traffic using Label Switched Paths (LSP) in the MPLS network.
- LSP Label Switched Path
- the provider router (PR, Provider Router) uses the established LSP to transparently forward the VPN data, and does not maintain the routing information related to the VPN. This is the Label Switching Router (LSR) in the MPLS network.
- LSR Label Switching Router
- MPLS VPN provides protection against attacks and label spoofing by means of route isolation, address isolation and information hiding, so MPLS VPN can provide security similar to that of ATM/FR VPNs.
- MPLS VPN is highly scalable. On the one hand, the number of VPNs that an MPLS network can accommodate is large; on the other hand, because user nodes are allocated and managed by means of BGP (Border Gateway Protocol), their number is not restricted, expansion is easy, and direct communication between any node and any other node is possible.
- BGP Border Gateway Protocol
- MPLS VPN services naturally have large bandwidth, multi-node, multi-route, abundant network and transmission resources to ensure network reliability.
- IGP Interior Gateway Protocol
- the above-mentioned virtual private network (VPN) technologies are integrated into the existing data communication network.
- in this network, the IP address has the dual meaning of identity and location.
- after location and identity separation, the IP address has only the location attribute and serves as the identifier of the end host's Layer 3 network location; an end host identity is added as the end identifier for communication transmission, while the location identifier of the end host is determined by its geographical location and network topology.
- a change of location changes the location identifier of the end host, whereas the end host identity is an identifier used solely for the terminal's identity and does not change while the terminal host moves.
- a mapping between the end host identity and the location identifier must therefore be added, and a functional entity is required to maintain the mapping relationship.
- this affects the implementation of VPN technology. The impact on the operator-implemented VPN solution (PP-VPN) is relatively small: location and identity separation mainly involves the identity of VPN users, and access management needs to authenticate using the end host identity, so the management system needs to be upgraded.
- CPE-VPN solution the user-managed VPN solution
- for the user-managed VPN solution (CPE-VPN solution), after location and identity separation the end host no longer uses the IP address for communication and must use its identity EID instead, so the impact is relatively large and the VPN software needs to be upgraded to support the host identity.
- the technical problem to be solved by the present invention is to provide a method and system for implementing a virtual private network to implement a virtual private network in a location identity separation network.
- the present invention provides a method for implementing a virtual private network, implemented on a Location Identity Separation Protocol (LISP) network, where the VPN network includes an ingress tunnel router (ITR), a mapping server and an egress tunnel router (ETR); the method includes:
- A. after receiving a data packet sent by the source host, the ITR sends a mapping request message to the end host VPN attribute storage network element, carrying the VPN attribute of the source host and the identity identifier of the destination host;
- B. the end host VPN attribute storage network element receives the mapping request message and determines the VPN attribute of the destination host according to the identity identifier of the destination host;
- C. the end host VPN attribute storage network element compares the VPN attributes of the source host and the destination host; if they are the same, it performs the mapping query and returns a mapping response message carrying the location identifier of the destination host, otherwise it returns unreachable information;
- D. the ITR receives the mapping response message and forwards the LISP data packet to the ETR according to the location identifier of the destination host, and the ETR forwards the LISP data packet to the destination host;
- the end host VPN attribute storage network element is the mapping server or the ETR.
- before step A, the ITR first queries its local mapping relationship after receiving the data packet sent by the source host; if the identity identifier of the destination host is found and the VPN attribute of the source host is the same as that of the destination host, the location identifier of the destination host is obtained and the data packet is forwarded to the ETR according to it; otherwise step A is performed.
- in step D, the ETR forwards the LISP data packet to the destination host only when the source host and the destination host have the same VPN attributes.
- the mapping request message and the mapping response message are sent through the LISP control message path; in step D, the data message is sent through the LISP data message path, and the data message contains the VPN attribute.
- the VPN attribute includes a VPN identifier, and different VPN identifiers represent different VPN networks.
- the VPN attribute includes information about whether the source host is a VPN end host.
- the present invention also provides an implementation system of a virtual private network, where the system includes an ingress tunnel router (ITR), a mapping server and an egress tunnel router (ETR), where:
- the ITR includes a first data packet transceiver module, a packet processing module, a first control packet receiving module, a first local mapping table, and a mapping query module, where:
- the first data packet transceiver module is configured to receive the data packet sent by the source host and to forward the LISP data packet to the ETR; the packet processing module is connected to the first data packet transceiver module and is configured to parse the received data packet and notify the mapping query module, to generate a mapping request message according to the query result of the mapping query module, carrying the VPN attribute of the source host and the identity identifier of the destination host, and to generate from the mapping response message received by the first control packet transceiver module the LISP data packet forwarded to the ETR; the first control packet transceiver module is connected to the packet processing module and is configured to send the mapping request message to the end host VPN attribute storage network element and to receive the mapping response message sent by the end host VPN attribute storage network element;
- the end host VPN attribute storage network element is the mapping server or ETR;
- the first local mapping table is configured to save the mapping relationship between the VPN attribute, the identity identifier and the location identifier;
- the mapping query module is connected to the packet processing module and the first local mapping table, and is configured to query the VPN attribute of the source host according to the identity of the source host;
- the mapping server includes a second control packet transceiver module, a second local mapping table and a first mapping processing module, where: the second control packet transceiver module is configured to receive the mapping request message sent by the ITR and to send a mapping response message to the ITR; the second local mapping table is configured to save the mapping relationship between the VPN attribute, the identity identifier and the location identifier; the first mapping processing module is connected to the second control packet transceiver module and the second local mapping table, and is configured to query the second local mapping table according to the destination host identity identifier to obtain the VPN attribute of the destination host, and to compare whether the VPN attribute of the source host and the VPN attribute of the destination host are the same.
- the ETR includes a second data packet transceiver module, a third control packet transceiver module, a third local mapping table, and a second mapping processing module;
- the second data packet transceiver module is configured to: receive a LISP data packet sent by the ITR;
- the third control packet transceiver module is configured to: receive a mapping request message sent by the ITR, and send a mapping response message to the ITR;
- the third local mapping table is configured to save the mapping relationship between the VPN attribute, the identity identifier and the location identifier;
- the second mapping processing module is connected to the third control packet transceiver module and the third local mapping table, and is configured to query the third local mapping table according to the destination host identity identifier to obtain the VPN attribute of the destination host, to compare whether the VPN attribute of the source host is the same as that of the destination host, to query the third local mapping table for the location identifier of the destination host when they are the same, and to set the mapping response message according to the query result.
- the mapping query module of the ITR is configured to query the first local mapping table according to the identity identifier of the destination host, to compare whether the VPN attribute of the source host is the same as that of the destination host, and when they are the same to query the first local mapping table for the location identifier of the destination host; it is further configured to notify the packet processing module to generate the LISP data packet forwarded to the ETR, and to notify the packet processing module to generate the mapping request message if the mapping relationship of the destination host is not found.
- the first control packet transceiver module of the ITR is further configured to send a mapping maintenance request to the mapping server, carrying the maintenance operation type and the mapping relationship to be maintained; the third control packet transceiver module of the ETR is further configured to send a mapping maintenance request to the mapping server, carrying the maintenance operation type and the mapping relationship to be maintained;
- the second control packet transceiver module of the mapping server is further configured to receive the mapping maintenance request sent by the ITR or the ETR;
- the first mapping processing module of the mapping server is further configured to maintain the second local mapping table according to the mapping maintenance request, where the maintenance operation type includes registration, cancellation and modification.
- the mapping request message and the mapping response message are sent by using a LISP control message path; the data message is sent through a LISP data message path, and the data message includes a VPN attribute.
- the VPN attribute includes a VPN identifier, and different VPN identifiers represent different virtual private networks.
- the VPN attribute includes information about whether the source host is a VPN end host.
- the present invention also provides another method for implementing a virtual private network, implemented by a virtual private network (VPN) implementation system based on the Location Identity Separation Protocol (LISP) network framework.
- VPN virtual private network
- LISP Location Identity Separation Protocol
- the VPN network implementation system saves the mapping relationship between the VPN attribute, the identity identifier and the location identifier, and the method includes: a packet receiving step, in which the VPN network implementation system receives the packet sent by the source host; a mapping processing step, in which the VPN network implementation system compares whether the VPN attribute of the source host and the VPN attribute of the destination host are the same, and if so queries the saved mapping relationship to obtain the location identifier of the destination host, otherwise generates unreachable information; and a packet processing step, in which the VPN network implementation system forwards the packet according to the location identifier of the destination host or ends the process according to the unreachable information.
- in the packet processing step, the VPN network implementation system further compares whether the VPN attributes of the source host and the destination host are the same; if they are the same, packet forwarding is performed, otherwise the process ends.
- the mapping processing step is implemented by an input tunnel router (ITR), a mapping server or an output tunneling router (ETR) in the LISP network architecture.
- the VPN attribute includes a VPN identifier, and different VPN identifiers represent different VPN networks.
- the VPN attribute includes information about whether the source host is a VPN end host.
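The following Python simulation is an added example, not code from the patent or from any LISP implementation. It models steps A to D of the first method (ITR local lookup, mapping request carrying the source VPN attribute and destination identity, VPN attribute comparison at the mapping server, and the ETR's own check before delivery) and the generalized packet receiving, mapping processing and packet processing steps just described. The class names `VpnAttr`, `MappingServer`, `ITR`, `ETR` and `LispPacket`, the use of plain strings as EIDs and RLOCs, and the small topology built in `build_demo()` are all the example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class VpnAttr:
    """VPN attribute carried in mapping requests and in LISP data packets."""
    is_vpn_host: bool   # whether the host is a VPN end host at all
    vpn_id: int         # different VPN identifiers represent different VPNs


@dataclass
class MappingEntry:
    """One row of a local mapping table: VPN attribute plus location identifier (RLOC)."""
    vpn: VpnAttr
    rloc: str


@dataclass(frozen=True)
class LispPacket:
    """Constructed stand-in for a LISP data packet; it carries the VPN attribute."""
    src_eid: str
    dst_eid: str
    dst_rloc: str
    vpn: VpnAttr


class MappingServer:
    """End host VPN attribute storage network element (steps B and C)."""

    def __init__(self) -> None:
        self.table: Dict[str, MappingEntry] = {}   # the "second local mapping table"

    # Maintenance operations named on the page: registration, cancellation, modification.
    def register(self, eid: str, vpn: VpnAttr, rloc: str) -> None:
        self.table[eid] = MappingEntry(vpn, rloc)

    def cancel(self, eid: str) -> None:
        self.table.pop(eid, None)

    def modify(self, eid: str, rloc: str) -> None:
        self.table[eid].rloc = rloc

    def map_request(self, src_vpn: VpnAttr, dst_eid: str) -> Optional[MappingEntry]:
        """Step B: look up the destination's VPN attribute by its EID.
        Step C: answer with the mapping only when both VPN attributes are equal;
        None stands for the 'unreachable' response."""
        entry = self.table.get(dst_eid)
        if entry is None or entry.vpn != src_vpn:
            return None
        return entry


class ITR:
    """Ingress tunnel router: local cache first, mapping request on a miss (step A / D)."""

    def __init__(self, server: MappingServer, attached: Dict[str, VpnAttr]) -> None:
        self.server = server
        self.attached = attached                   # EID -> VPN attribute of local hosts
        self.cache: Dict[str, MappingEntry] = {}   # the "first local mapping table"

    def handle(self, src_eid: str, dst_eid: str) -> Optional[LispPacket]:
        src_vpn = self.attached[src_eid]
        entry = self.cache.get(dst_eid)
        if entry is None:
            # Cache miss: step A, request carries source VPN attribute and destination EID.
            entry = self.server.map_request(src_vpn, dst_eid)
            if entry is None:
                return None            # unreachable, packet is dropped
            self.cache[dst_eid] = entry
        elif entry.vpn != src_vpn:
            return None                # cache hit, but VPN attributes differ
        return LispPacket(src_eid, dst_eid, entry.rloc, src_vpn)


class ETR:
    """Egress tunnel router: re-checks the VPN attribute before delivering (step D)."""

    def __init__(self, rloc: str, attached: Dict[str, VpnAttr]) -> None:
        self.rloc = rloc
        self.attached = attached    # the "third local mapping table" for its own hosts

    def deliver(self, pkt: LispPacket) -> bool:
        if pkt.dst_rloc != self.rloc:
            return False
        dst_vpn = self.attached.get(pkt.dst_eid)
        return dst_vpn is not None and dst_vpn == pkt.vpn


def build_demo():
    """Constructed topology: site 1 (ITR) hosts A (VPN 10) and N (not a VPN host);
    site 2 (ETR at RLOC 203.0.113.2) hosts B (VPN 10), C (VPN 20) and M (not a VPN host)."""
    vpn10, vpn20, plain = VpnAttr(True, 10), VpnAttr(True, 20), VpnAttr(False, 0)
    ms = MappingServer()
    site2 = {"B": vpn10, "C": vpn20, "M": plain}
    for eid, attr in site2.items():
        ms.register(eid, attr, "203.0.113.2")
    return ITR(ms, {"A": vpn10, "N": plain}), ETR("203.0.113.2", site2)


def send(itr: ITR, etr: ETR, src: str, dst: str) -> str:
    """Run one packet through ITR and ETR and report the outcome."""
    pkt = itr.handle(src, dst)
    if pkt is None:
        return "unreachable"
    return "delivered" if etr.deliver(pkt) else "dropped-at-etr"


if __name__ == "__main__":
    itr, etr = build_demo()
    for s, d in [("A", "B"), ("A", "C"), ("N", "M"), ("N", "B"), ("A", "X")]:
        print(f"{s} -> {d}: {send(itr, etr, s, d)}")
```

Note that the ITR caches the destination entry after a successful query, so a later packet from a host in a different VPN to the same destination is rejected from the cache without a new mapping request; this is the "first query the local mapping relationship" path described for step A.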
- the present invention further provides an implementation system of a virtual private network, implemented on a network with a location identity separation architecture, which includes: a message receiving device configured to receive a packet sent by a source host and to notify the mapping processing device to perform mapping processing; the mapping processing device, connected to the message receiving device and configured to save the mapping relationship between the virtual private network (VPN) attribute, the identity identifier and the location identifier and to perform mapping processing, which includes comparing whether the VPN attributes of the source host and the destination host are the same, obtaining the location identifier of the destination host from the saved mapping relationship when they are the same, generating unreachable information when they differ, and sending the mapping processing result to the message processing device; and the message processing device, connected to the mapping processing device and configured to receive the mapping processing result and perform message processing according to it, namely forwarding the packet according to the location identifier of the destination host.
- the message processing device is further configured to compare whether the VPN attributes of the source host and the destination host are the same, and if the same, the packet is forwarded, otherwise the process ends.
- The mapping processing device is implemented by an ITR, a mapping server or an ETR; the packet receiving device and the packet processing device are implemented by the ITR.
- The VPN attribute includes a VPN identifier; different VPN identifiers denote different VPNs.
- The VPN attribute includes information on whether the host is a VPN end host.
- The implementation method and system of the present invention build the VPN on a locator/identity separation network by adding a VPN attribute to the mapping between identity identifier and location identifier. During mapping processing, the location identifier of the destination host is looked up only when the VPN attribute of the source host equals that of the destination host, and data is then forwarded according to that location identifier; when the attributes differ, unreachable information is returned. This implements the virtual private network effectively, ensures convenient and secure communication between VPN end hosts, and meets users' demand for virtual private networks.
- Figure 1 is a schematic diagram of the LISP locator/identity separation network architecture.
- Figure 2 is a schematic diagram of the LISP+ALT network architecture.
- Figure 3 is a schematic diagram of an implementation system of a virtual private network according to an embodiment of the present invention.
- Figure 4 is a schematic diagram of a method for implementing a virtual private network according to an embodiment of the present invention.
- The LISP (Locator/ID Separation Protocol) network architecture is a network-based locator/identity separation scheme (for details see the latest version of the technical document of the LISP working group of the Internet Engineering Task Force (IETF), draft-farinacci-lisp-11.txt). It splits the IP address of the existing Internet into an identity identifier, the EID (Endpoint Identifier), and a location identifier, the RLOC (Routing Locator).
- As shown in Figure 1, the LISP network architecture comprises end hosts identified by EIDs (the first end host 100 and the second end host 110), an ingress tunnel router (ITR) 200 and an egress tunnel router (ETR) 210, the ITR and the ETR being connected by a LISP control message path 300 and a LISP data message path 400.
- Messages that handle the identity-to-location mapping are carried over the LISP control message path 300, and LISP-encapsulated data messages are forwarded over the LISP data message path 400.
- A mapping server (not shown) is also provided for mapping processing.
- The LISP scheme manages the mapping between the identity identifier EID (Endpoint Identifier) and the location identifier RLOC (Routing Locator) by establishing a logical topology.
- Several LISP variants differ in how this mapping is resolved. In the LISP3 variant, which is the path under development, EIDs are not routable in the core and a mapping lookup is required; one mapping system for it is LISP+ALT (LISP Alternative Topology).
- LISP+ALT uses GRE tunnels and the BGP routing protocol to build an overlay network on the existing network infrastructure; this overlay constitutes the LISP control message path. The tunnel routers use the overlay to query and answer mappings between identity identifiers and location identifiers. Mappings are held in a local cache and in a distributed database (the Distributed Endpoint Identifier-to-Routing Locator Mapping Database); the two tunnel routers, ITR and ETR, together with the mapping server complete the mapping process.
- "ALT rtr" in Figure 2 denotes a router of the ALT overlay network.
- The main idea of the implementation method and system of the present invention is to implement a VPN in a locator/identity separation network by adding a VPN attribute to the mapping relationship between identity identifier and location identifier. During mapping processing it is determined whether the VPN attribute of the source host equals that of the destination host; if so, the location identifier of the destination host is queried and the data packet is forwarded according to it, and if not, unreachable information is returned and communication fails. This ensures the security of communication between VPN end hosts and meets users' demand for virtual private networks.
- The method for implementing a virtual private network is carried out on a LISP network in which the virtual private network comprises an ingress tunnel router (ITR), a mapping server and an egress tunnel router (ETR). The ITR, the mapping server and the ETR each store the mapping relationship between VPN attribute, identity identifier and location identifier. The method includes the following steps:
- After receiving a data packet from the source host, the ITR determines the VPN attribute of the source host from its local mapping relationship and sends a mapping request message, carrying the VPN attribute of the source host and the identity identifier of the destination host, to the mapping server or to the ETR. Concretely, the ITR receives a plain packet from the source host (one that carries no LISP header), sends the mapping request message, and holds the packet pending LISP encapsulation until the response arrives.
- The mapping server or the ETR may be referred to as the end host VPN attribute storage network element.
- The ITR normally sends the mapping request message to the mapping server; if it has already determined which ETR the data packet will be forwarded to, it may send the mapping request message to that ETR directly.
- The mapping server or the ETR receives the mapping request message and determines the VPN attribute of the destination host from the identity identifier of the destination host.
- The mapping server or the ETR compares the VPN attributes of the source host and the destination host. If they are the same, it returns a mapping response message to the ITR carrying the location identifier (RLOC) of the destination host; otherwise it returns unreachable information and the process ends.
- The ITR receives the mapping response message and forwards the LISP data packet to the ETR according to the location identifier of the destination host; the ETR then forwards the data packet to the destination host.
- The ITR may update its local mapping relationship with the mapping relationship of the destination host carried in the mapping response, so that subsequent data packets from the source host can be mapped and forwarded directly from the local mapping relationship.
- The mapping processing on the ITR is the same as on the mapping server and the ETR: the local mapping relationship is queried and, if the identity identifier of the destination host is found and the VPN attribute of the source host equals that of the destination host, the location identifier of the destination host is obtained. The three network elements differ in what they do when the identity identifier of the destination host is not found locally: the ITR sends the mapping request message to the mapping server; the mapping server forwards the mapping request message to the ETR; and the ETR returns unreachable information to the ITR through the mapping server.
- In forwarding, the ITR first LISP-encapsulates the data packet. In the LISP protocol the source and destination addresses of the outer header of the encapsulated packet are the IP addresses of the ITR and the ETR respectively, that is, their RLOCs. The ITR forwards the LISP-encapsulated data packet to the ETR over the data packet path; the ETR decapsulates it and delivers the inner packet to the end host whose EID is the destination.
- The EID of one end host can map to one or several RLOCs.
- The mapping request and mapping response messages mentioned above are sent over the LISP control message path; data messages are sent over the LISP data message path.
- The VPN attribute has different meanings in different deployments. The following cases exist:
- 1. The locator/identity separation network contains end hosts of multiple VPNs. Different VPNs are assigned different VPN IDs, and the VPN attribute is the VPN ID of the host.
- 2. The network contains end hosts of one VPN and end hosts outside the VPN. The VPN attribute indicates whether the host is a VPN host.
- 3. The network contains end hosts of multiple VPNs and end hosts outside any VPN. The VPN attribute consists of whether the host is a VPN host and, for VPN hosts, the VPN ID to which the host belongs. Two VPN end hosts can communicate only if their VPN IDs are the same; otherwise communication cannot be established. This ensures that a VPN end host cannot communicate with end hosts outside the VPN and that end hosts outside the VPN cannot access the VPN network, which guarantees VPN security.
- The ITR and the ETR send mapping maintenance requests to the mapping server over the LISP control packet path; a request carries the maintenance operation type and the mapping relationship to be maintained, and the mapping server maintains its local mapping table accordingly. The maintenance operation types are registration, deregistration and modification. In addition, the ITR and the mapping server may update their local mapping relationships with the mapping relationship carried in a mapping response message.
- An ITR and an ETR are tunnel routers acting in opposite roles, and the same router may be both. For convenience of description, the present invention designates a router as ingress or egress according to the direction in which the data message is transmitted.
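The resolution chain described in the steps above, together with the three VPN-attribute cases and the registration, deregistration and modification maintenance operations, as an added worked example in Python. It is not part of the patent or of any LISP implementation: it models an ITR, a mapping server and an ETR as in-process objects with one mapping table each. The hostnames, RLOC values, the (is_vpn, vpn_id) encoding of the attribute and the table contents are assumptions of the example.

```python
"""Constructed example (not from the patent): EID-to-RLOC resolution gated by a VPN attribute.

An ITR, a mapping server and an ETR each hold a table of (EID -> RLOC, VPN attribute).
A lookup on behalf of a source host succeeds only when the destination host carries the
same VPN attribute; otherwise "unreachable" is returned and the ITR drops the packet.
Hostnames, RLOC values, the (is_vpn, vpn_id) encoding and the table contents are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# VPN attribute = (is VPN end host, VPN-ID). One encoding covers the three cases in the text:
# ID only -> (True, id); flag only -> (True, None) / (False, None);
# flag and ID -> (True, id) for VPN hosts and (False, None) for everyone else.
VpnAttr = Tuple[bool, Optional[int]]
NON_VPN: VpnAttr = (False, None)      # default attribute of an end host
UNREACHABLE = "unreachable"


def same_vpn(a: VpnAttr, b: VpnAttr) -> bool:
    """Hosts may talk only if both are in the same VPN, or both are outside any VPN."""
    return a == b


@dataclass
class Mapping:
    rloc: str
    vpn: VpnAttr = NON_VPN


class MappingTable:
    """Local mapping database with the registration, deregistration and modification
    maintenance operations the text lists."""

    def __init__(self) -> None:
        self._db: Dict[str, Mapping] = {}

    def register(self, eid: str, rloc: str, vpn: VpnAttr = NON_VPN) -> None:
        self._db[eid] = Mapping(rloc, vpn)

    def deregister(self, eid: str) -> None:
        self._db.pop(eid, None)

    def modify(self, eid: str, rloc: str, vpn: VpnAttr) -> None:
        if eid not in self._db:
            raise KeyError(eid)
        self._db[eid] = Mapping(rloc, vpn)

    def lookup(self, eid: str) -> Optional[Mapping]:
        return self._db.get(eid)


def mapping_process(table: MappingTable, src_vpn: VpnAttr, dst_eid: str) -> Optional[str]:
    """Mapping step shared by ITR, mapping server and ETR: the RLOC when the attributes
    match, UNREACHABLE when they differ, None when dst_eid is not in this table."""
    m = table.lookup(dst_eid)
    if m is None:
        return None
    return m.rloc if same_vpn(src_vpn, m.vpn) else UNREACHABLE


class ETR:
    def __init__(self, table: MappingTable) -> None:
        self.table = table

    def map_request(self, src_vpn: VpnAttr, dst_eid: str) -> str:
        # Last element in the lookup chain: a miss here is reported as unreachable.
        return mapping_process(self.table, src_vpn, dst_eid) or UNREACHABLE


class MappingServer:
    def __init__(self, table: MappingTable, etr: ETR) -> None:
        self.table, self.etr = table, etr

    def map_request(self, src_vpn: VpnAttr, dst_eid: str) -> str:
        r = mapping_process(self.table, src_vpn, dst_eid)
        return r if r is not None else self.etr.map_request(src_vpn, dst_eid)  # miss: ask ETR


class ITR:
    def __init__(self, table: MappingTable, ms: MappingServer) -> None:
        self.table, self.ms = table, ms

    def forward(self, src_eid: str, dst_eid: str) -> str:
        """'encap->RLOC' when the packet is LISP-encapsulated towards the ETR,
        'drop' when the mapping system answered unreachable."""
        src = self.table.lookup(src_eid)
        src_vpn = src.vpn if src else NON_VPN
        r = mapping_process(self.table, src_vpn, dst_eid)
        if r is None:                              # local miss: send a mapping request
            r = self.ms.map_request(src_vpn, dst_eid)
            if r != UNREACHABLE:                   # cache positive answers only
                self.table.register(dst_eid, r, src_vpn)
        return "drop" if r == UNREACHABLE else f"encap->{r}"


def build_demo() -> ITR:
    """Constructed topology: VPN 1 = {a1 behind the ITR, k1 behind the ETR},
    VPN 2 = {a2 behind the ETR}, non-VPN hosts n2 (ITR side) and n1 (ETR side)."""
    itr_rloc, etr_rloc = "192.0.2.1", "203.0.113.1"
    itr_tbl, ms_tbl, etr_tbl = MappingTable(), MappingTable(), MappingTable()
    etr_tbl.register("k1", etr_rloc, (True, 1))
    etr_tbl.register("a2", etr_rloc, (True, 2))
    etr_tbl.register("n1", etr_rloc)                # known to the ETR only
    ms_tbl.register("k1", etr_rloc, (True, 1))      # registered by the ETR with the server
    ms_tbl.register("a2", etr_rloc, (True, 2))
    itr_tbl.register("a1", itr_rloc, (True, 1))     # the ITR's own end hosts
    itr_tbl.register("n2", itr_rloc)
    return ITR(itr_tbl, MappingServer(ms_tbl, ETR(etr_tbl)))


if __name__ == "__main__":
    itr = build_demo()
    for src, dst in [("a1", "k1"), ("a1", "k1"), ("a1", "a2"), ("a1", "n1"), ("n2", "n1"), ("a1", "zz")]:
        print(f"{src} -> {dst}: {itr.forward(src, dst)}")
```

Running the block shows the outcomes the text distinguishes: a1 to k1 is answered by the mapping server and cached at the ITR, so the repeated request resolves locally; a1 to a2 is refused by the mapping server (different VPN-ID); a1 to n1 misses at the mapping server, is refused by the ETR (VPN host versus non-VPN host); n2 to n1 succeeds only because both are non-VPN hosts; and an unknown EID is unreachable at the end of the chain. Negative answers are deliberately not cached, so a later modification of a host's attribute takes effect at the next request; a real mapping cache would also give positive entries a lifetime.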
- Embodiment: a virtual private network (VPN) embodying the present invention under the LISP (Locator/ID Separation Protocol) network architecture.
- The mappings of VPN hosts and of non-VPN hosts can be stored in different mapping tables or in the same mapping table; either way the table reflects the mapping relationship between VPN attribute, identity identifier and location identifier.
- The following example stores them in separate tables. First, a VPN ID is set for each end host of the VPN whose identity identifier is an EID, and a mapping table dedicated to that VPN is constructed, containing the VPN identifier and, for every client host belonging to the VPN, the mapping between its identity identifier EID and its location identifier RLOC.
- In this arrangement the VPN attribute is embodied by the VPN identifier alone.
- When VPN hosts and non-VPN hosts coexist, there are two kinds of mapping table in the LISP network architecture: the LISP mapping table, which carries no VPN identifier, and the VPN mapping table, which does.
- The default VPN attribute of an end host is "non-VPN end host".
- The LISP mapping table and the VPN mapping table are collectively referred to as the mapping table.
- Each VPN has a VPN identifier (VPN-ID) for identification.
- Mapping entries for client hosts in a VPN mapping table can be added or deleted dynamically.
- After the ITR receives a packet from a host, if the source EID belongs to a VPN, the ITR may only query the VPN mapping table of the VPN to which that user belongs; that is, the VPN identifiers must be the same for communication between VPN users to be established, and communication with users outside the VPN mapping table cannot be established. Users outside the VPN mapping table cannot query it and cannot access the VPN network, which ensures VPN security. Likewise, when the ETR and the mapping server perform mapping processing they must compare whether the VPN IDs of the two parties are the same, so that communication can only be established inside the VPN.
- Example of VPN mapping table construction: the first virtual private network has users with EIDs (a1, ..., k1) and is assigned the VPN identifier VPN_ID_(1); its VPN mapping table contains VPN_ID_(1) together with the EID-to-RLOC mapping of each of these users.
- The second virtual private network has users with EIDs (a2, ..., k2) and is assigned the VPN identifier VPN_ID_(2); its VPN mapping table is constructed in the same way.
- The VPN mapping tables are distributed among the devices of the LISP network architecture as follows:
- The ingress tunnel router (ITR) is the entry point through which the source EID end host accesses the VPN network; it sets the VPN identifier for source EIDs that belong to the VPN.
- The egress tunnel router (ETR) stores the mapping database of the destination EIDs and sets the VPN identifier for destination EIDs that belong to the VPN.
- LISP packet formats. The formats of the LISP data packet, the LISP control packet and the LISP messages are described below.
- LISP data packet header format: in the present invention the LISP data packet header carries the VPN identifier, placed immediately after the Nonce field of the LISP header.
- [Figure: LISP VPN data packet header, consisting of the outer header (OH), the LISP header with the Nonce field followed by the VPN-ID field, and the inner header (IH). VPN-ID denotes the VPN identifier.]
- LISP control packet header format: the LISP control packet header likewise carries the VPN identifier within the LISP message.
- A mapping request message is sent when the ITR needs an EID-to-RLOC mapping. In response, the ETR returns the RLOC(s) matching the EID in the mapping request.
- A mapping registration message registers an EID-to-RLOC mapping with the mapping server; for example, the ETR publishes the EID mappings of its site to the mapping server. This message can additionally carry whether the end host is a VPN end host. When the packet is
- The VPN under the LISP network architecture realized by the invention has the following characteristics:
- (1) The VPN attribute is set for the end hosts of the VPN whose identity identifiers are EIDs; specifically, it is set for those EIDs in the local mapping databases of the ITR and the ETR and in the mapping server (Map-Server).
- (2) When the ITR sends a mapping request message it uses the LISP VPN control packet header format, in which the VPN attribute is that of the source EID.
- (3) When the ETR sends a control message such as a mapping registration or mapping response, it uses the LISP VPN control packet header format, in which the VPN attribute is that of the EID managed by the ETR.
- (4) When the ITR encapsulates a LISP data packet it uses the LISP VPN data packet header format of the present invention, which includes the VPN attribute.
- (5) The mapping processing devices under the LISP network architecture, namely the ITR, the mapping server and the ETR, compare the VPN attribute of the source EID with that of the destination EID when performing mapping processing; the mapping is processed only when they are the same, otherwise unreachable information is returned.
- When the ETR processes a mapping request message it compares the VPN attribute of the source EID with that of the destination EID; when they are the same it performs the LISP mapping processing and returns a mapping response message, otherwise it returns an unreachable message.
- When the mapping server performs mapping processing, it processes the mapping message only when the VPN attribute of the source EID equals that of the destination EID. The processing of the other LISP VPN mapping messages likewise requires comparing the VPN identifiers to ensure the security of VPN communication. There are 12 kinds of mapping messages.
- (6) When the ETR decapsulates a LISP data packet it checks whether the VPN attribute in the LISP VPN data packet header is the same as the VPN attribute of the destination EID, and forwards the data only if it is. For VPN hosts, communication can be established only when the VPN IDs are the same; otherwise it cannot, VPN end hosts cannot communicate with end hosts outside the VPN, and hosts outside the VPN cannot access the VPN network, which ensures VPN security.
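An added example, written for this page and not taken from the patent or from any LISP implementation, of the data-plane side of characteristics (4) and (6): the ITR prepends a LISP header whose VPN-ID follows the Nonce, and the ETR checks that field against the VPN attribute stored for the destination EID before delivering the inner packet. The patent gives no field width for the VPN-ID and no value for non-VPN hosts, so the 32-bit field, the value 0 for non-VPN sources, the flag bit values and the sample addresses are assumptions here; the outer IP/UDP headers are omitted.

```python
"""Constructed example (not from the patent): a LISP data header that carries a
VPN-ID after the Nonce, and the ETR-side check made on decapsulation.

Layout assumed here, since the text says only that the VPN-ID follows the Nonce:
  byte 0      flags (N L E V I + 3 reserved bits, as in the LISP draft header)
  bytes 1-3   24-bit Nonce
  bytes 4-7   32-bit VPN-ID (this example's field; the width is an assumption)
  bytes 8..   inner IPv4 packet
Field widths, the VPN-ID value 0 for non-VPN hosts and all addresses are assumptions.
"""
import socket
import struct
from typing import Dict, Tuple

HDR = struct.Struct("!B3sI")   # flags, nonce (3 bytes), vpn_id
N_BIT = 0x80                   # "nonce present" flag bit
NO_VPN = 0                     # VPN-ID placed in the header for a non-VPN source


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a 20-byte IPv4 header (0 when the header is valid)."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_inner_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal inner IPv4 packet (no options, TTL 64) carrying the EID-to-EID traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def encap(nonce: int, vpn_id: int, inner: bytes, flags: int = N_BIT) -> bytes:
    """ITR side: prepend the LISP VPN header (outer IP/UDP headers omitted here)."""
    if not 0 <= nonce < 1 << 24:
        raise ValueError("nonce must fit in 24 bits")
    return HDR.pack(flags, nonce.to_bytes(3, "big"), vpn_id) + inner


def decap(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """ETR side: split off the LISP VPN header; returns (flags, nonce, vpn_id, inner)."""
    if len(pkt) < HDR.size + 20:
        raise ValueError("shorter than LISP VPN header plus inner IPv4 header")
    flags, nonce, vpn_id = HDR.unpack_from(pkt)
    inner = pkt[HDR.size:]
    if inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return flags, int.from_bytes(nonce, "big"), vpn_id, inner


def inner_dst(inner: bytes) -> str:
    """Destination EID of the inner IPv4 packet (bytes 16-19 of its header)."""
    return socket.inet_ntoa(inner[16:20])


def etr_receive(pkt: bytes, eid_vpn: Dict[str, int]) -> Tuple[str, str]:
    """Decapsulate and apply the check from the text: forward the inner packet only if
    the VPN-ID in the header equals the VPN attribute stored for the destination EID.
    eid_vpn maps the ETR's local EIDs to their VPN-ID (NO_VPN for non-VPN hosts)."""
    try:
        _flags, _nonce, vpn_id, inner = decap(pkt)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    dst = inner_dst(inner)
    if dst not in eid_vpn:
        return "drop", f"{dst} is not an EID of this ETR"
    if eid_vpn[dst] != vpn_id:
        return "drop", f"{dst}: header VPN-ID {vpn_id} != host VPN-ID {eid_vpn[dst]}"
    return "forward", dst


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic against an ETR serving one host each of VPN 1, VPN 2 and no VPN."""
    eid_vpn = {"10.1.0.20": 1, "10.2.0.20": 2, "10.9.0.20": NO_VPN}
    hi = b"hello"
    cases = {
        "vpn1_to_vpn1":   encap(0xABCDEF, 1, build_inner_ipv4("10.1.0.10", "10.1.0.20", hi)),
        "vpn1_to_vpn2":   encap(0x000001, 1, build_inner_ipv4("10.1.0.10", "10.2.0.20", hi)),
        "vpn1_to_nonvpn": encap(0x000002, 1, build_inner_ipv4("10.1.0.10", "10.9.0.20", hi)),
        "nonvpn_to_vpn1": encap(0x000003, NO_VPN, build_inner_ipv4("10.9.0.10", "10.1.0.20", hi)),
        "truncated":      b"\x80\x00\x00",
    }
    return {name: etr_receive(pkt, eid_vpn) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:15s} {verdict:8s} {why}")
```

The ETR check is what stops a packet that was encapsulated towards the right RLOC from being delivered to a host in another VPN, and it does not depend on the mapping system having answered correctly. Nothing in this header authenticates the VPN-ID, so the check is only as strong as the core network's ability to keep spoofed LISP-encapsulated packets away from the ETR's RLOC. Standardized LISP (RFC 6830) later placed a 24-bit Instance ID in the second 32-bit word of the header, right after the Nonce, when the I bit is set; it is used for the same kind of segmentation as the VPN-ID here.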
- The present invention also provides an implementation system of a virtual private network comprising an ingress tunnel router (ITR), a mapping server and an egress tunnel router (ETR), where the ITR includes a first data packet transceiver module, a packet processing module, a first control packet transceiver module, a first local mapping table and a mapping query module.
- The first data packet transceiver module is configured to receive data packets sent by the source host and to forward LISP data packets to the ETR.
- The packet processing module is connected to the first data packet transceiver module and configured to parse the received data packet and notify the mapping query module; to generate, according to the query result of the mapping query module, a mapping request message carrying the VPN attribute of the source host and the identity identifier of the destination host; and to generate, according to the mapping response message received by the first control packet transceiver module, the LISP data packet forwarded to the ETR.
- The first control packet transceiver module is connected to the packet processing module and configured to send the mapping request message to, and receive the mapping response message from, the end host VPN attribute storage network element; it is further configured to send mapping maintenance requests to the mapping server, carrying the maintenance operation type and the mapping relationship to be maintained.
- The first local mapping table is configured to store the mapping relationship between VPN attribute, identity identifier and location identifier.
- The mapping query module is connected to the packet processing module and the first local mapping table and configured to query the VPN attribute of the source host from the identity identifier of the source host, to query the first local mapping table with the identity identifier of the destination host, and to compare whether the VPN attribute of the source host equals that of the destination host; when they are the same it obtains the location identifier of the destination host from the first local mapping table and notifies the packet processing module to generate the LISP data packet forwarded to the ETR. When the mapping relationship of the destination host is not found, it notifies the packet processing module to generate the mapping request message.
- The mapping server includes a second control packet transceiver module, a second local mapping table and a first mapping processing module. The second control packet transceiver module is configured to receive the mapping request message sent by the ITR and to send the mapping response message to the ITR; the second local mapping table stores the mapping relationship between VPN attribute, identity identifier and location identifier.
- The first mapping processing module is connected to the second control packet transceiver module and the second local mapping table, and configured to query the second local mapping table with the identity identifier of the destination host to obtain its VPN attribute, to compare whether the VPN attribute of the source host equals that of the destination host, to obtain the location identifier of the destination host from the second local mapping table when they are the same, and to set the mapping response message according to the query result.
- The ETR includes a second data packet transceiver module, a third control packet transceiver module, a third local mapping table and a second mapping processing module.
- The second data packet transceiver module is configured to receive the LISP data packets sent by the ITR.
- The third control packet transceiver module is configured to receive the mapping request message sent by the ITR and to send the mapping response message to the ITR; the third local mapping table stores the mapping relationship between VPN attribute, identity identifier and location identifier; the second mapping processing module is connected to the third control packet transceiver module and the third local mapping table, and configured to query the third local mapping table with the identity identifier of the destination host to obtain its VPN attribute, to compare whether the VPN attribute of the source host equals that of the destination host, to obtain the location identifier of the destination host from the third local mapping table when they are the same, and to generate the mapping response message according to the query result.
- The mapping request and mapping response messages are sent over the LISP control message path; data messages are sent over the LISP data message path.
- The third control packet transceiver module of the ETR is further configured to send mapping maintenance requests to the mapping server, carrying the maintenance operation type and the mapping relationship to be maintained; the second control packet transceiver module of the mapping server is further configured to receive mapping maintenance requests sent by the ITR or the ETR; and the first mapping processing module of the mapping server is further configured to maintain the second local mapping table according to the mapping maintenance request, the maintenance operation types being registration, deregistration and modification.
- As shown in Figure 3, the implementation system of the virtual private network according to an embodiment of the present invention is built on a network of locator/identity separation architecture and includes a packet receiving device 31, a mapping processing device 32 and a packet processing device 33.
- The packet receiving device 31 is configured to receive the packet sent by the source host and notify the mapping processing device 32 to perform mapping processing. The mapping processing device 32 is connected to the packet receiving device 31, stores the mapping relationship between VPN attribute, identity identifier and location identifier, and is configured to perform mapping processing: it compares whether the VPN attributes of the source host and the destination host are the same, obtains the location identifier of the destination host from the stored mapping relationship when they are, generates unreachable information when they are not, and sends the mapping processing result to the packet processing device 33.
- The packet processing device 33 is connected to the mapping processing device 32 and configured to receive the mapping processing result and process the packet accordingly: the packet is forwarded according to the location identifier of the destination host, or the communication process is ended according to the unreachable information. Specifically, the packet processing device 33 can be configured to compare whether the VPN attributes of the source host and the destination host are the same, forwarding the packet if they are and otherwise ending the process.
- The mapping processing device 32 can be implemented by an ITR, a mapping server or an ETR; the packet receiving device 31 and the packet processing device 33 are implemented by the ITR.
- As shown in Figure 4, the implementation method of the virtual private network in the embodiment of the present invention is carried out by a VPN implementation system under the locator/identity separation (LISP) framework, the system storing the mapping relationship between VPN attribute, identity identifier and location identifier. The method includes:
- Step 401, packet receiving step: the VPN implementation system receives a packet sent by the source host.
- Step 402, mapping processing step: the VPN implementation system compares whether the VPN attribute of the source host and the VPN attribute of the destination host are the same; if they are, the location identifier of the destination host is obtained from the stored mapping relationship, otherwise unreachable information is generated.
- Step 403, packet processing step: the VPN implementation system forwards the packet according to the location identifier of the destination host or ends the process according to the unreachable information. Specifically, the packet processing device compares the VPN attributes of the source host and the destination host; if they are the same the packet is forwarded, otherwise the process ends.
- The VPN attribute of the present invention includes at least one of the VPN identifier and the information on whether a host is a VPN end host; different VPN identifiers denote different virtual private networks, and the VPN attribute is added to the LISP data packets and control messages.
- The implementation method and system of the present invention are based on the LISP locator/identity separation network architecture: the VPN attribute is added to the mapping relationship between identity identifier and location identifier, and during mapping processing it is determined whether the VPN attribute of the source host equals that of the destination host. When they are the same, the location identifier of the destination host is queried and data forwarding is performed according to it; when they differ, unreachable information is returned. This implements the virtual private network effectively, ensures convenient and secure communication between VPN end hosts, and meets users' demand for virtual private networks.
- The method and system of the present invention avoid disturbing existing VPN implementations when moving to a locator/identity separation network architecture and reduce the modifications to existing equipment and software needed to implement a VPN, in particular for provider-provisioned VPN solutions (PP-VPN); the present invention can serve as one of the VPN solutions implemented by an operator.
- The present invention provides a method and system for implementing a virtual private network on a locator/identity separation network by adding a VPN attribute to the mapping relationship between identity identifier and location identifier. During mapping processing it is determined whether the VPN attribute of the source host equals that of the destination host; when they are the same, the location identifier of the destination host is queried and the data packet is forwarded according to it, and when they differ, unreachable information is returned. The virtual private network is thus effectively realized, the convenience and security of communication between VPN end hosts are ensured, and users' demand for virtual private networks is met.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012529108A JP2013504959A (ja) | 2009-09-18 | 2010-09-09 | バーチャルプライベートネットワークの実現方法及びシステム |
EP10816676.0A EP2466817A4 (en) | 2009-09-18 | 2010-09-09 | Virtual private network implementation method and system |
KR1020127006643A KR101399002B1 (ko) | 2009-09-18 | 2010-09-09 | 가상 사설 네트워크의 실현 방법 및 시스템 |
US13/395,966 US20120173694A1 (en) | 2009-09-18 | 2010-09-09 | Virtual private network implementation method and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009101767857A CN102025591B (zh) | 2009-09-18 | 2009-09-18 | 虚拟专用网络的实现方法及系统 |
CN200910176785.7 | 2009-09-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011032472A1 true WO2011032472A1 (zh) | 2011-03-24 |
Family
ID=43758097
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/076777 WO2011032472A1 (zh) | 2009-09-18 | 2010-09-09 | 虚拟专用网络的实现方法及系统 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20120173694A1 (zh) |
EP (1) | EP2466817A4 (zh) |
JP (1) | JP2013504959A (zh) |
KR (1) | KR101399002B1 (zh) |
CN (1) | CN102025591B (zh) |
WO (1) | WO2011032472A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012231225A (ja) * | 2011-04-25 | 2012-11-22 | Kddi Corp | マッピングサーバの制御方法及びマッピングサーバ |
Families Citing this family (74)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102868618A (zh) * | 2011-07-08 | 2013-01-09 | 中兴通讯股份有限公司 | 一种去附着方法、装置和映射服务器 |
WO2012106930A1 (zh) * | 2011-07-26 | 2012-08-16 | 华为技术有限公司 | 一种生成虚拟专用网转发表项的方法和装置 |
US10432587B2 (en) * | 2012-02-21 | 2019-10-01 | Aventail Llc | VPN deep packet inspection |
CN103457850B (zh) * | 2012-05-29 | 2018-03-20 | 中兴通讯股份有限公司 | 站点的通信方法、rtr及隧道路由器 |
US10560343B1 (en) | 2012-07-06 | 2020-02-11 | Cradlepoint, Inc. | People centric management of cloud networks via GUI |
US10135677B1 (en) | 2012-07-06 | 2018-11-20 | Cradlepoint, Inc. | Deployment of network-related features over cloud network |
US10177957B1 (en) | 2012-07-06 | 2019-01-08 | Cradlepoint, Inc. | Connecting a cloud network to the internet |
US10110417B1 (en) * | 2012-07-06 | 2018-10-23 | Cradlepoint, Inc. | Private networks overlaid on cloud infrastructure |
US9647923B2 (en) * | 2013-04-09 | 2017-05-09 | Cisco Technology, Inc. | Network device mobility |
US9641462B2 (en) * | 2013-04-23 | 2017-05-02 | Cisco Technology, Inc. | Accelerating network convergence for layer 3 roams in a next generation network closet campus |
US10749711B2 (en) | 2013-07-10 | 2020-08-18 | Nicira, Inc. | Network-link method useful for a last-mile connectivity in an edge-gateway multipath system |
US10454714B2 (en) | 2013-07-10 | 2019-10-22 | Nicira, Inc. | Method and system of overlay flow control |
JPWO2015025845A1 (ja) * | 2013-08-20 | 2017-03-02 | NEC Corporation | Communication system, switch, controller, ancillary data management device, data transfer method and program |
KR20150040113A (ko) * | 2013-10-04 | 2015-04-14 | Electronics and Telecommunications Research Institute | Routing control method for an identifier/locator mapping service |
KR20150145327A (ko) * | 2014-06-18 | 2015-12-30 | Electronics and Telecommunications Research Institute | Identifier/locator mapping system and method using a Bloom filter |
US9894031B2 (en) | 2014-08-27 | 2018-02-13 | Cisco Technology, Inc. | Source-aware technique for facilitating LISP host mobility |
CN105471827B (zh) * | 2014-09-04 | 2019-02-26 | Huawei Technologies Co., Ltd. | Packet transmission method and apparatus |
US9641417B2 (en) * | 2014-12-15 | 2017-05-02 | Cisco Technology, Inc. | Proactive detection of host status in a communications network |
US10171306B2 (en) * | 2015-02-26 | 2019-01-01 | Cisco Technology, Inc. | Automatic discovery and provisioning of multi-chassis etherchannel peers |
US10425382B2 (en) | 2015-04-13 | 2019-09-24 | Nicira, Inc. | Method and system of a cloud-based multipath routing protocol |
US10135789B2 (en) | 2015-04-13 | 2018-11-20 | Nicira, Inc. | Method and system of establishing a virtual private network in a cloud service for branch networking |
US10498652B2 (en) | 2015-04-13 | 2019-12-03 | Nicira, Inc. | Method and system of application-aware routing with crowdsourcing |
CN104954260A (zh) * | 2015-05-22 | 2015-09-30 | Shanghai Feixun Data Communication Technology Co., Ltd. | Point-to-point VPN routing method and system based on the data link layer |
CA2931906C (en) * | 2015-06-03 | 2023-09-05 | Evertz Microsystems Ltd. | Systems and methods for determining a destination location in a network system |
CN105099941B (zh) * | 2015-06-19 | 2018-09-04 | New H3C Technologies Co., Ltd. | Packet processing method and apparatus |
US10637889B2 (en) * | 2015-07-23 | 2020-04-28 | Cisco Technology, Inc. | Systems, methods, and devices for smart mapping and VPN policy enforcement |
US10439993B2 (en) * | 2015-08-19 | 2019-10-08 | Cisco Technology, Inc. | Mapping system assisted key refreshing |
US10530735B2 (en) | 2015-09-10 | 2020-01-07 | Cisco Technology, Inc. | Pro-active mechanism to detect LISP movable silent host |
US10044562B2 (en) * | 2015-11-04 | 2018-08-07 | Cisco Technology, Inc. | Automatic provisioning of LISP mobility networks when interconnecting DC fabrics |
CN106130907B (zh) * | 2016-05-11 | 2019-08-06 | New H3C Technologies Co., Ltd. | Method and apparatus for implementing dual homing in LISP networking |
CN107798359B (zh) * | 2016-09-05 | 2021-04-06 | Kan Likun | Wireless device management control method |
CN110431827B (zh) * | 2017-01-24 | 2022-07-05 | Telefonaktiebolaget LM Ericsson (publ) | Using the Locator/Identifier Separation Protocol to implement a distributed gateway architecture for 3GPP mobility |
US11121962B2 (en) | 2017-01-31 | 2021-09-14 | Vmware, Inc. | High performance software-defined core network |
US11252079B2 (en) | 2017-01-31 | 2022-02-15 | Vmware, Inc. | High performance software-defined core network |
US10992568B2 (en) | 2017-01-31 | 2021-04-27 | Vmware, Inc. | High performance software-defined core network |
US11706127B2 (en) | 2017-01-31 | 2023-07-18 | Vmware, Inc. | High performance software-defined core network |
US20180219765A1 (en) | 2017-01-31 | 2018-08-02 | Waltz Networks | Method and Apparatus for Network Traffic Control Optimization |
US10992558B1 (en) | 2017-11-06 | 2021-04-27 | Vmware, Inc. | Method and apparatus for distributed data network traffic optimization |
US20200036624A1 (en) | 2017-01-31 | 2020-01-30 | The Mode Group | High performance software-defined core network |
US10778528B2 (en) | 2017-02-11 | 2020-09-15 | Nicira, Inc. | Method and system of connecting to a multipath hub in a cluster |
US10917927B2 (en) | 2017-05-12 | 2021-02-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Local identifier locator network protocol (ILNP) breakout |
US10523539B2 (en) | 2017-06-22 | 2019-12-31 | Nicira, Inc. | Method and system of resiliency in cloud-delivered SD-WAN |
US10666460B2 (en) | 2017-10-02 | 2020-05-26 | Vmware, Inc. | Measurement based routing through multiple public clouds |
US11089111B2 (en) | 2017-10-02 | 2021-08-10 | Vmware, Inc. | Layer four optimization for a virtual network defined over public cloud |
US11115480B2 (en) | 2017-10-02 | 2021-09-07 | Vmware, Inc. | Layer four optimization for a virtual network defined over public cloud |
US10999100B2 (en) | 2017-10-02 | 2021-05-04 | Vmware, Inc. | Identifying multiple nodes in a virtual network defined over a set of public clouds to connect to an external SAAS provider |
US10999165B2 (en) | 2017-10-02 | 2021-05-04 | Vmware, Inc. | Three tiers of SaaS providers for deploying compute and network infrastructure in the public cloud |
US10959098B2 (en) * | 2017-10-02 | 2021-03-23 | Vmware, Inc. | Dynamically specifying multiple public cloud edge nodes to connect to an external multi-computer node |
US11223514B2 (en) | 2017-11-09 | 2022-01-11 | Nicira, Inc. | Method and system of a dynamic high-availability mode based on current wide area network connectivity |
CN108282462B (zh) * | 2017-12-25 | 2021-08-31 | 中科曙光信息产业成都有限公司 | Device for isolating the service network from the management network |
CN110650076B (zh) * | 2018-06-26 | 2021-12-24 | Huawei Technologies Co., Ltd. | VXLAN implementation method, network device and communication system |
CN108551496B (zh) * | 2018-07-26 | 2021-03-02 | 杭州云缔盟科技有限公司 | Method for preventing conflicts between VPN client addresses and local addresses |
US11129061B1 (en) | 2018-11-07 | 2021-09-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Local identifier locator network protocol (ILNP) breakout |
US10855584B2 (en) * | 2018-12-28 | 2020-12-01 | Alibaba Group Holding Limited | Client-equipment-peering virtual route controller |
US11252105B2 (en) | 2019-08-27 | 2022-02-15 | Vmware, Inc. | Identifying different SaaS optimal egress nodes for virtual networks of different entities |
US11044190B2 (en) | 2019-10-28 | 2021-06-22 | Vmware, Inc. | Managing forwarding elements at edge nodes connected to a virtual network |
US11489783B2 (en) | 2019-12-12 | 2022-11-01 | Vmware, Inc. | Performing deep packet inspection in a software defined wide area network |
US11394640B2 (en) | 2019-12-12 | 2022-07-19 | Vmware, Inc. | Collecting and analyzing data regarding flows associated with DPI parameters |
US11722925B2 (en) | 2020-01-24 | 2023-08-08 | Vmware, Inc. | Performing service class aware load balancing to distribute packets of a flow among multiple network links |
US11165702B1 (en) | 2020-05-01 | 2021-11-02 | Cisco Technology, Inc. | Communication of policy changes in LISP-based software defined networks |
US11245641B2 (en) | 2020-07-02 | 2022-02-08 | Vmware, Inc. | Methods and apparatus for application aware hub clustering techniques for a hyper scale SD-WAN |
US11709710B2 (en) | 2020-07-30 | 2023-07-25 | Vmware, Inc. | Memory allocator for I/O operations |
US11575591B2 (en) | 2020-11-17 | 2023-02-07 | Vmware, Inc. | Autonomous distributed forwarding plane traceability based anomaly detection in application traffic for hyper-scale SD-WAN |
US11575600B2 (en) | 2020-11-24 | 2023-02-07 | Vmware, Inc. | Tunnel-less SD-WAN |
US11929903B2 (en) | 2020-12-29 | 2024-03-12 | VMware LLC | Emulating packet flows to assess network links for SD-WAN |
CN116783874A (zh) | 2021-01-18 | 2023-09-19 | VMware, Inc. | Network-aware load balancing |
US11979325B2 (en) | 2021-01-28 | 2024-05-07 | VMware LLC | Dynamic SD-WAN hub cluster scaling with machine learning |
US11388086B1 (en) | 2021-05-03 | 2022-07-12 | Vmware, Inc. | On demand routing mesh for dynamically adjusting SD-WAN edge forwarding node roles to facilitate routing through an SD-WAN |
US11729065B2 (en) | 2021-05-06 | 2023-08-15 | Vmware, Inc. | Methods for application defined virtual network service among multiple transport in SD-WAN |
US11489720B1 (en) | 2021-06-18 | 2022-11-01 | Vmware, Inc. | Method and apparatus to evaluate resource elements and public clouds for deploying tenant deployable elements based on harvested performance metrics |
US11785493B2 (en) | 2021-07-23 | 2023-10-10 | Cisco Technology, Inc. | Prioritizing wireless access technologies in an enterprise fabric |
US11375005B1 (en) | 2021-07-24 | 2022-06-28 | Vmware, Inc. | High availability solutions for a secure access service edge application |
US11943146B2 (en) | 2021-10-01 | 2024-03-26 | VMware LLC | Traffic prioritization in SD-WAN |
US11909815B2 (en) | 2022-06-06 | 2024-02-20 | VMware LLC | Routing based on geolocation costs |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1801764A (zh) * | 2006-01-23 | 2006-07-12 | Beijing Jiaotong University | Internet access method based on identity and location separation |
US20070115990A1 (en) * | 2005-11-22 | 2007-05-24 | Rajiv Asati | Method of providing an encrypted multipoint VPN service |
CN101123536A (zh) * | 2007-09-19 | 2008-02-13 | Beijing Jiaotong University | Method for implementing location management in an integrated network |
CN101355516A (zh) * | 2008-09-09 | 2009-01-28 | ZTE Corporation | Method and system for providing quality of service policies for different virtual private networks |
CN101459698A (zh) * | 2007-12-14 | 2009-06-17 | PLA Information Engineering University | Intra-domain and inter-domain network interconnection method and system |
CN101534240A (zh) * | 2008-03-14 | 2009-09-16 | Huawei Technologies Co., Ltd. | Method, system and apparatus for sending mapping information |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5964837A (en) * | 1995-06-28 | 1999-10-12 | International Business Machines Corporation | Computer network management using dynamic switching between event-driven and polling type of monitoring from manager station |
US6006258A (en) * | 1997-09-12 | 1999-12-21 | Sun Microsystems, Inc. | Source address directed message delivery |
JP2000183968A (ja) | 1998-12-17 | 2000-06-30 | Nippon Telegraph and Telephone Corp (NTT) | Packet communication system and the nodes and edge devices constituting it |
US20030088699A1 (en) * | 1999-11-04 | 2003-05-08 | James V. Luciani | System, device, and method for supporting virtual private networks in a label switched communication network |
JP2001237876A (ja) * | 2000-02-21 | 2001-08-31 | NEC Corp | Method for constructing an IP virtual private network, and IP virtual private network |
US7136374B1 (en) * | 2001-03-19 | 2006-11-14 | Juniper Networks, Inc. | Transport networks supporting virtual private networks, and configuring such networks |
US7139818B1 (en) * | 2001-10-04 | 2006-11-21 | Cisco Technology, Inc. | Techniques for dynamic host configuration without direct communications between client and server |
US7389534B1 (en) * | 2003-06-27 | 2008-06-17 | Nortel Networks Ltd | Method and apparatus for establishing virtual private network tunnels in a wireless network |
US7373660B1 (en) * | 2003-08-26 | 2008-05-13 | Cisco Technology, Inc. | Methods and apparatus to distribute policy information |
JP4207078B2 (ja) * | 2006-10-11 | 2009-01-14 | Murata Machinery, Ltd. | Relay server |
EP2178265B1 (en) * | 2008-10-17 | 2013-09-04 | Alcatel Lucent | System and method for mobile IP |
KR101084769B1 (ko) * | 2008-12-23 | 2011-11-21 | KT Corporation | Network mobility support system and method based on locator/identifier separation |
2009
- 2009-09-18 CN CN2009101767857A patent/CN102025591B/zh active Active
2010
- 2010-09-09 WO PCT/CN2010/076777 patent/WO2011032472A1/zh active Application Filing
- 2010-09-09 US US13/395,966 patent/US20120173694A1/en not_active Abandoned
- 2010-09-09 JP JP2012529108A patent/JP2013504959A/ja active Pending
- 2010-09-09 KR KR1020127006643A patent/KR101399002B1/ko active IP Right Grant
- 2010-09-09 EP EP10816676.0A patent/EP2466817A4/en not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See also references of EP2466817A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN102025591A (zh) | 2011-04-20 |
JP2013504959A (ja) | 2013-02-07 |
US20120173694A1 (en) | 2012-07-05 |
CN102025591B (zh) | 2013-12-18 |
EP2466817A4 (en) | 2017-11-22 |
KR20120055687A (ko) | 2012-05-31 |
KR101399002B1 (ko) | 2014-05-27 |
EP2466817A1 (en) | 2012-06-20 |
Similar Documents
Publication | Title |
---|---|
KR101399002B1 (ko) | Virtual private network implementation method and system |
US8661525B2 (en) | Implementation method and system of virtual private network |
EP2489172B1 (en) | Virtual layer 2 and mechanism to make it scalable |
US9448821B2 (en) | Method and system for realizing virtual machine mobility |
JP5410614B2 (ja) | Enterprise layer 2 seamless site extension in cloud computing |
WO2015131560A1 (zh) | Method for allocating segment routing labels, and segment routing node |
Komilov et al. | Improving the use of virtual lan (vlan) technology |
WO2011069399A1 (zh) | Address mapping method and access service node |
WO2011124132A1 (zh) | Data communication system and method |
WO2012106919A1 (zh) | Layer 3 virtual private network routing control method, device and system |
WO2011103781A2 (zh) | Method and device for implementing identity and location separation, and data encapsulation method |
WO2012106935A1 (zh) | Data communication network configuration method, gateway network element and data communication system |
EP2584742B1 (en) | Method and switch for sending packet |
WO2007112645A1 (fr) | Method and system for implementing a mobile virtual private network |
WO2008014723A1 (fr) | Method and device for implementing a virtual private network (VPN) based on an IPv6 address structure |
WO2014186978A1 (zh) | Method and device for Ethernet virtual private network |
WO2011131084A1 (zh) | Data communication system and method |
US8437357B2 (en) | Method of connecting VLAN systems to other networks via a router |
US20060182120A1 (en) | IP to VPLS interworking |
EP3477897B1 (en) | Method for routing data packets in a network topology |
JP2013162466A (ja) | Communication method and communication relay device for a LISP network |
WO2011124121A1 (zh) | Inter-network data communication system and method |
EP3190752A1 (en) | Method, system and medium for avoiding traffic flooding due to asymmetric mac learning and achieving predictable convergence for pbb-evpn active-active redundancy |
Singh | BGP MPLS based EVPN And its implementation and use cases |
CN115604056A (zh) | Efficient storage implementation of downstream VXLAN identifiers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 10816676; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 20127006643; Country of ref document: KR; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 13395966; Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2012529108; Country of ref document: JP; Ref document number: 2010816676; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |