WO2011032473A1 - Method and system for implementing a virtual private network - Google Patents
Method and system for implementing a virtual private network
- Publication number
- WO2011032473A1 (PCT/CN2010/076788)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vpn
- host
- mapping
- identity
- attribute
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/69—Types of network addresses using geographic information, e.g. room number
Definitions
- the present invention relates to an identity location separation technique, and more particularly to a method and system for implementing a virtual private network in an identity location separation network.
- 4G is the abbreviation of the 4th generation mobile communication system.
- the goal of 4G is to provide an IP bearer network-based solution for voice, data and streaming services, enabling users to get a more "anytime, anywhere, any business" high-speed communication environment.
- NGN Next Generation Network
- IP packet bearer network is a next-generation network based on telecommunication networks, aiming to establish a unified IP-based packet switching-based transport layer.
- IPv4 IP-based packet switching-based transport layer.
- Developing countries with large populations have been allocated fewer IP addresses, so they have fewer IP addresses available.
- the development of IP packet bearer networks and various communication networks in developing countries is constrained by the lack of IP addresses. For example, the number of Internet users in China has exceeded the number of IPv4 addresses owned by China, and the number of Internet users in China is still increasing at a high speed.
- IPv6 down-to-earth network architecture technology
- 3G and 4G are the core of the research on next-generation networks in the field of wireless communications, aiming to improve the quality of wireless mobile communications based on the all-IP packet core network; NGN and NGI (Next-Generation Internet) are the research on next-generation network convergence in the telecommunications network and Internet fields, respectively.
- CNGI (China's Next Generation Internet) aims to build a next-generation Internet based on IPv6; Northern Jiaotong University's "Integrated Trusted Network and Pervasive Service System Basic Research" hopes to build a unified new packet network.
- the future network is a unified bearer network for packets. Therefore, research on the next generation network architecture will use the Internet as the main reference.
- the Internet has maintained rapid development since its birth and has become the most successful and most vital communication network. Its flexibility and scalability, efficient packet switching, and powerful terminal functions are in line with the design needs of the new generation network, so it will be the main reference blueprint for next-generation network design. However, the structure of the Internet is far from optimal, and there are many major design issues. Besides the IP address space being unable to meet application needs, as described above, the main problems are as follows: when the Internet was invented in the 1970s, it was difficult to predict that there would be a large number of mobile terminals and multihomed terminals in the world today, so the Internet protocol stack at the time was designed primarily for terminals connected in a "fixed" manner.
- the transmitted address is the received address, and the path is reversible, so the IP address with dual attributes of identity and location can work very well.
- the IP address also represents the identity and location that exactly met the network needs of the time. From the perspective of the network environment at the time, this design scheme is simple and effective, simplifying the hierarchy of the protocol stack. But there is no doubt that there is an internal contradiction between the identity attribute of the IP address and the location attribute.
- the identity attribute of an IP address requires that any two IP addresses be equal.
- the location attribute of an IP address requires that IP addresses be assigned based on the network topology (not the organization).
- the IP addresses in the same subnet should be in a contiguous IP address block, so that the IP address prefixes in the network topology can be aggregated, thus reducing the number of routing table entries in routers and ensuring the scalability of the routing system.
- DHCP Dynamic Host Configuration Protocol
- Routing scalability issues: there is a basic assumption about the scalability of the Internet routing system: "The address is allocated according to the topology, or the topology is deployed according to the address; one of the two must be chosen."
- the identity attribute of the IP address requires the IP address to be allocated based on the organization to which the terminal belongs (rather than the network topology), and this allocation must be stable and cannot be changed frequently; the location attribute of the IP address requires the IP address to be assigned based on the network topology to ensure the scalability of the routing system. In this way, the two attributes of the IP address conflict, which eventually leads to the scalability problem of the Internet routing system.
- the identity attribute of the IP address requires that the IP address should not change as the location of the terminal changes. This ensures that communication bound to the identity is not interrupted, and that a communication link can still be established using the terminal's identity after the terminal moves; the location attribute of the IP address requires the IP address to change as the terminal location changes, so that the IP address can be aggregated in the new network topology. Otherwise the network must reserve separate routing information for the mobile terminal, causing the number of routing table entries to grow dramatically.
- Multihoming issues: multihoming usually refers to terminals or networks that access the Internet through the networks of multiple ISPs (Internet Service Providers).
- ISPs Internet Service Providers
- the advantages of multihoming technologies include increased network reliability, support for traffic load balancing across multiple ISPs, and increased overall available bandwidth.
- the identity attribute of an IP address requires that a multihomed terminal always present the same identity to other terminals, regardless of how many ISPs it uses to access the Internet; the location attribute of the IP address requires that a multihomed terminal communicate using different IP addresses in different ISP networks, to ensure that the IP address of the terminal can be aggregated in the topology of each ISP network.
- IP address contains both the identity information and the location information of the terminal
- both the communication peer and the malicious eavesdropper can obtain the identity information and the topology location information of the terminal according to the IP address of the terminal.
- the dual attribute problem of IP address is one of the root causes that plague the Internet. It is a good idea to solve the problem faced by the Internet by separating the identity attribute and location attribute of the IP address.
- the new network will be designed based on this idea, and propose a network structure of separate mapping of identity information and location information to solve some serious drawbacks of the existing Internet.
- the HIP Host Identity Protocol
- Some schemes classify IP addresses, some IPs are used as identity identifiers, and some IPs are used as location identifiers.
- LISP Locator/ID Separation Protocol
- Chinese patent application CN1801764 which was published on July 12, 2006, was applied by Zhang Hongke and others of Northern Jiaotong University. Internet access method", the method uses the IP address as the location identifier of the host, and introduces the host host identifier as the identity identifier to solve the problem of identity and location separation.
- host-based solutions require modifications to the host protocol stack, such as HIP; network-based solutions require improvements to routers at specific locations.
- routers that perform identity and location mapping functions are located in different locations on the network.
- Some schemes clearly define that the router that performs the mapping function is located at the boundary of the user network, that is, the mapping function router belongs to the user network; some (LISP, TIDR (Tunneled Inter-domain Routing) and Ivip (Internet Vastly Improved Plumbing)) place no limit on the location in the network of the router that performs the mapping function; some, in order to solve the routing scalability problem and ensure that only the network administrator can know the mapping between identity and location information, strictly require that the router performing the mapping function be the core network access router, that is, the mapping function router belongs to the core network.
- IPNL is designed to give IPv4 networks a longer life and avoid the challenge of replacing the IPv4 protocol.
- TRIAD is designed to address the various issues that NAT brings to the Internet, while providing some support for mobility and policy routing.
- HIP was originally proposed to solve security problems; a lot of work was then done on mobility support, and research on multihoming support was also conducted.
- SHIM6 Level 3 Shim for IPv6
- LIN6 (Location Independent Networking for IPv6), a location-independent network for IPv6, is designed to provide an alternative mobility and multihoming solution for the IPv6 protocol.
- the ILNP Identity Locator Network Protocol
- GSE Global, Site and End-System Designator
- TIDR is designed to enhance the routing and forwarding capabilities of the existing Internet, and to address global routing table bloat, inter-domain routing security, and multihoming issues.
- LISP is primarily designed for routing scalability issues.
- a VPN virtual private network
- VPNs can interconnect components and resources of different networks.
- VPNs can leverage the infrastructure of the Internet or another public internetwork to create tunnels for users and provide the same security and functional protection as private networks.
- VPNs can be implemented in a variety of ways, which can be divided into user-managed VPN solutions (CPE-VPN) and carrier-implemented VPN solutions (PP-VPN).
- The user-managed VPN solution (CPE-VPN solution) is characterized in that the user sets up, manages, and maintains the VPN gateway device, and establishes a standard VPN tunnel-based connection between each branch office and the corporate headquarters through the public IP network.
- The tunnel protocol is usually Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), IPsec (secure IP), IP in IP, or GRE (Generic Routing Encapsulation), with various encryption technologies and NAT technology used to ensure the security of data transmission.
- L2TP Layer 2 Tunneling Protocol
- PPTP Point-to-Point Tunneling Protocol
- IPsec secure IP
- IP in IP IP in IP
- GRE Generic Routing Encapsulation
- the establishment and management of the VPN tunnel connection is entirely the responsibility of the user.
- the provider does not need to adjust or change the structure and performance of the network.
- This method is also known as the "self-built VPN" method.
- VPN supports enterprises in establishing connections with branches or other companies through a public internetwork such as the Internet for secure communication. A VPN connection established across the Internet is logically equivalent to a connection established between the two places using a WAN.
- VPN communication is built on the public internetwork, but the user feels as if a private network is being used for communication, hence the name virtual private network.
- Using VPN technology can solve the problem that, as the amount of remote communication increases and enterprises' global operations become widely distributed, employees need to access central resources and enterprises must communicate with each other in a timely and effective manner.
- Basic use of VPN: remote user access through VPN.
- VPN supports remote access to enterprise resources through the public Internet. For example, VPN users first dial the network access server (BRAS) of the local access service provider (ISP).
- BRAS network access server
- ISP local access service provider
- The VPN software then creates a VPN across the Internet or another public internetwork between the remote user and the corporate VPN server, using the connection established with the local ISP.
- When using a VPN to connect to a remote local area network, you do not need to use expensive long-distance dedicated circuits.
- Branch offices and enterprise routers can use their local dedicated lines to connect to the Internet through a local ISP, or use dial-up access to the ISP's broadband access server to connect to the Internet.
- Use the VPN software to create a VPN between the branch office and the enterprise router using the connection to the local ISP and the Internet network.
- the VPN solution implemented by the operator refers to setting up a VPN gateway device on the public data communication network of the operator for dedicated line access users or remote dial-up access users.
- VPNs can be established through tunnel encapsulation, virtual routers, or MPLS (multi-protocol label switching) technologies according to specific VPN network requirements, and encryption technologies can be used to ensure data transmission security.
- MPLS multi-protocol label switching
- the establishment of the VPN connection is entirely the responsibility of the operator and is transparent to the user. This method is also known as the "outsourcing VPN" method.
- VLAN Virtual Local Area Network
- In 1999, the IEEE (Institute of Electrical and Electronics Engineers) promulgated a draft of the 802.1Q protocol standard to standardize VLAN implementation.
- the traditional Ethernet frame format defines 4096 VLANs.
- the VLAN was proposed to solve the broadcast and security problems of Ethernet. It adds a VLAN header to the Ethernet frame and uses VLAN IDs to divide users into smaller working groups, restricting mutual access between users in different working groups.
- Each working group is a virtual local area network.
- the benefits of virtual local area networks are that they can limit the range of broadcasts and form virtual workgroups and dynamic governance networks.
- the VLAN isolates the broadcast storm and also isolates the communication between different VLANs. Therefore, communication between different VLANs needs to be completed by a router.
- the advantage is that when the user's physical location moves, that is, when switching from one switch to another, the VLAN does not need to be reconfigured.
- IP multicast is actually a VLAN definition, that is, a multicast group is a VLAN. This division method extends the VLAN to the WAN, so it is more flexible and is easy to extend through routers.
- VLAN as a VPN technology in a specific Ethernet communication environment has been widely applied in broadband access.
- In the core network or wide area network, VPNs based on multi-protocol label switching (MPLS) are more widely used.
- MPLS Multi-Protocol Label Switching
- the emergence of Multi-Protocol Label Switching (MPLS) technology has changed the architecture of the entire Internet.
- the technical solution of implementing VPN using MPLS technology greatly improves on the defects of the traditional IP network, and provides the same security guarantee as a Frame Relay or ATM (Asynchronous Transfer Mode) network, so it is well adapted to VPN service demand.
- the network model of the MPLS VPN includes: a Customer Edge (CE) device, which can be a router or a Layer 2 switch, which is located at the client and provides access to the network provider;
- the Provider Edge (PE) router maintains the forwarding table related to the node, exchanges VPN routing information with other PE routers, and forwards the VPN service using the Label Switched Path (LSP) in the MPLS network.
- LSP Label Switched Path
- MPLS Label Edge Router
- PR Provider Router
- LSR Label Switching Router
- MPLS VPN provides resistance to attacks and to label spoofing by means of route isolation, address isolation and information hiding. Therefore, MPLS VPN can provide similar functions to ATM/FR VPN.
- Scalability: MPLS VPN is highly scalable. On the one hand, the number of VPNs that can be accommodated in an MPLS network is large. On the other hand, user nodes are allocated and managed by means of BGP (Border Gateway Protocol), the number of user nodes in the same VPN is not restricted and is easy to expand, and direct communication between any node and any other node is possible.
- BGP Border Gateway Protocol
- MPLS VPN services naturally have large bandwidth, multi-node, multi-route, abundant network and transmission resources to ensure network reliability.
- IGP Interior Gateway Protocol
- The technical solution of identity and location separation has an impact on the implementation of the VPN technologies mentioned above. The impact on the VPN solution implemented by the operator (PP-VPN) is relatively large, especially for solutions involving layer-3 IP addresses.
- The separation of location and identity mainly involves the identity of the VPN user and the communication protocol.
- VPN access management needs to use the identity of the end host for authentication management, and the system is upgraded accordingly.
- For the user-managed VPN solution (CPE-VPN scheme), after location and identity are separated, the host no longer uses the IP address for communication; it communicates using the identity identifier (EID) of the host.
- the VPN software needs to be upgraded to support the host identity identifier.
- the technical problem to be solved by the present invention is to provide a method and system for implementing a virtual private network, so as to conveniently implement a virtual private network in an identity location separation network.
- the present invention provides a method for implementing a virtual private network, where the virtual private network is implemented based on an identity location separation network, and the method includes:
- A. The mapping plane of the identity location separation network sets up a virtual private network (VPN) dedicated mapping table and a common mapping table; the VPN dedicated mapping table includes the mapping relationship between the identity identifier and the location identifier of the VPN end hosts of the same VPN network;
- the common mapping table includes the mapping relationship between the identity identifier and the location identifier of common end hosts;
- B. The mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table or the common mapping table that is consistent with the source host attribute. If the mapping relationship of the destination host is found, the identity location separation network implements communication between the source host and the destination host; otherwise the communication fails.
- The attribute refers to whether the end host is a VPN end host. If the source host is a VPN end host, the mapping plane queries the VPN-specific mapping table; otherwise, it queries the common mapping table.
- Alternatively, the mapping plane includes a plurality of VPN-specific mapping tables, and different VPN-specific mapping tables correspond to different VPN networks and have different VPN identifiers; the attribute refers to whether the end host is a VPN end host and, if so, the VPN identifier of the VPN to which it belongs. If the source host is a VPN end host, the mapping plane queries the VPN-specific mapping table corresponding to the VPN identifier; otherwise the common mapping table is queried.
- Step B includes: B1. The access service node (ASN) receives the packet sent by the source host, which carries the source host identity identifier and the destination host identity identifier;
- B2. The ASN queries the configured attribute table according to the source host identity identifier to obtain the source host attribute, and forwards the packet to the mapping plane or sends a query request, which carries the source host attribute and the destination host identity identifier;
- B3. The mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table or the common mapping table that is consistent with the source host attribute;
- B4. If the query result includes the location identifier of the destination host, the ASN or the mapping plane forwards the packet to the destination access service node corresponding to the destination location identifier to implement communication; otherwise the communication fails.
- Preferably, after step B4, the destination access service node receives the packet and forwards it to the destination host, and records in its local mapping table the mapping relationship between the source host identity identifier and location identifier together with the VPN attribute of the source host.
- When the destination access service node later receives a packet sent back by the destination host, it queries the local mapping table and, on determining that the source host and the destination host have the same attribute, forwards the packet directly.
- the present invention further provides another method for implementing a virtual private network, where the virtual private network is implemented based on an identity location separation network, and the method includes: A. The mapping plane of the identity location separation network sets up a virtual private network (VPN) dedicated mapping table, where the VPN dedicated mapping table includes the mapping relationship between the identity identifier and the location identifier of the VPN end hosts of the same VPN network;
- VPN virtual private network
- the mapping plane queries the VPN-specific mapping table. If the mapping relationship of the destination host is found, the identity location separation network implements communication between the source host and the destination host; otherwise the communication fails. Preferably, the mapping plane sets up a plurality of VPN-specific mapping tables at the same time, and different VPN-specific mapping tables correspond to different VPNs and have different VPN identifiers.
- the mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table consistent with the source host's VPN identifier. If the mapping relationship of the destination host is found, communication between the source host and the destination host is implemented; if it is not found, the communication fails.
- Step B includes: The access service node (ASN) receives the packet sent by the source host, where the source and destination host identifiers are carried;
- ASN access service node
- the ASN queries the configured attribute table according to the source host identity identifier to obtain the attribute of the source host, and forwards the packet to the mapping plane or sends a query request, which carries the source host attribute and the destination host identity identifier;
- the mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table consistent with the source host attribute.
- If the location identifier of the destination host is found, the ASN or the mapping plane forwards the packet to the destination access service node corresponding to the destination location identifier; otherwise the communication fails.
- the destination access service node receives the packet and forwards it to the destination host, and records in its local mapping table the mapping relationship between the source host identity identifier and location identifier together with the VPN attribute of the source host.
- When the destination access service node later receives a packet sent back by the destination host, it queries the local mapping table and forwards the packet directly when the source and destination host attributes are the same.
- the present invention further provides a system for implementing a virtual private network, where the system is implemented based on an identity location separation architecture network and includes an access service node (ASN) and a mapping plane connected through a network. The ASN includes a first transceiver module, an attribute table and an attribute table query module, wherein:
- the first transceiver module is configured to: receive a packet sent by the source host, which carries the source and destination host identity identifiers, and notify the attribute table query module; forward the packet to the mapping plane or send a query request to the mapping plane, carrying the source host attribute and the destination host identity identifier; and receive the query result sent by the mapping plane and, if the mapping relationship of the destination host is found, forward the packet according to the query result.
- the attribute table is configured to: store the correspondence between end hosts and their attributes;
- the attribute table query module is connected to the first transceiver module and the attribute table, and is configured to query the attribute table according to the source host identity identifier, obtain the source host attribute, and notify the first transceiver module;
- the mapping plane includes a second transceiver module, a mapping database, and a database query module, where: the second transceiver module is configured to: receive the packet forwarded by the ASN or the query request it sends, and notify the database query module; when a query request is received, send the query result to the ASN; when a forwarded packet is received, forward the packet according to the query result if the mapping relationship of the destination host is found, otherwise the communication fails; the mapping database is configured to store a virtual private network (VPN) dedicated mapping table and a common mapping table, where the VPN dedicated mapping table includes a mapping relationship between a VPN end host identity and a location identifier of the
- the database query module is connected to the second transceiver module and the mapping database, and configured to query a VPN-specific mapping table or a common mapping table that is consistent with the source host attribute according to the destination host identity identifier. And notifying the second transceiver module of the query result.
- the attribute refers to whether the end host is a VPN end host. If the attribute of the source host indicates that the source host is a VPN end host, the database query module of the mapping plane queries the VPN-specific mapping table; otherwise it queries the common mapping table.
- Alternatively, the mapping database of the mapping plane includes a plurality of VPN-specific mapping tables, and different VPN-specific mapping tables correspond to different VPN networks and have different VPN identifiers; the attribute refers to whether the end host is a VPN end host and, if so, the VPN identifier of the VPN to which it belongs. If the source host is a VPN end host, the database query module of the mapping plane queries the VPN-specific mapping table corresponding to the VPN identifier; otherwise it queries the common mapping table.
- the present invention further provides a method for implementing a virtual private network, where the virtual private network is implemented based on an identity location separation network, and the method includes:
- the mapping plane of the identity location separation network sets a virtual private network (VPN) dedicated mapping table, where the VPN dedicated mapping table includes a mapping relationship between the VPN end host identity and the location identifier of the same VPN network;
- VPN virtual private network
- the identity location separation network implements communication between the VPN end hosts in the VPN according to the VPN dedicated mapping table.
- the mapping plane simultaneously sets up a plurality of VPN-specific mapping tables, and different VPN-specific mapping tables correspond to different VPN networks and have different VPN identifiers; in step B, the identity location separation network implements communication between the VPN end hosts in the corresponding VPN according to the VPN-specific mapping table consistent with the source host's VPN identifier.
- the invention saves the VPN dedicated mapping table of the VPN in the mapping plane of the identity location separation network, and determines according to the VPN dedicated mapping table whether to implement communication between the VPN end host users in the VPN, thereby effectively realizing the virtual private network in the identity location separation network. This satisfies the user's demand for the virtual private network, and eliminates the influence of the technical solution of identity and location separation on the traditional virtual private network (VPN) service.
- FIG. 1 is a schematic diagram of a method for implementing a virtual private network according to an embodiment of the present invention.
- FIG. 2 is a schematic diagram of an identity location separation architecture for implementing a virtual private network according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of implementing a virtual private network in the identity location separation network described in FIG. 2.
- Figure 4 is a flow chart showing an application example for implementing packet processing in the network architecture of Figure 3.
- FIG. 5 is a schematic structural diagram of a module of a virtual private network implementation system according to an embodiment of the present invention.
- A data communication network with separated identity and location necessarily separates the identity attribute and the location attribute of the traditional IP address.
- The IP address keeps only the location attribute and is used as the identifier of the end host's geographical location, and an identity identifier of the end host is newly added.
- The location identifier of the end host is determined by the geographical location and network topology of the end host.
- A change of location causes the location identifier of the end host to change.
- The identity identifier is the unique identifier of the end host's identity and does not change while the end host moves.
- A mapping between the end host identity identifier and the location identifier must therefore be added, and a functional entity is required to complete this mapping relationship.
- The present invention refers to this functional entity as the mapping plane.
- In other schemes the mapping plane goes by different names.
- Patent ZL200610001825.0 of Zhang Hongke of Beijing Jiaotong University explains this: an identity resolver is introduced, which is responsible for resolution between the host identifier EID and the IP address, and which dynamically maintains and updates the mapping relationship between the EID and the IP address.
- The LISP3 scheme uses a mapping database to provide the mapping between the identity identifier EID and the location identifier RLOC; the mapping database is under study.
- Some other schemes call it a mapping server; all of these are collectively referred to as the mapping plane in the present invention.
- The main idea of the implementation method and implementation system of the virtual private network of the present invention is to store a VPN-specific mapping table of a virtual private network (VPN) in the mapping plane of the identity location separation network. When the source host is a VPN end host, the identity location separation network implements communication between the VPN end hosts in the VPN according to the VPN-specific mapping table, thereby effectively implementing the virtual private network in the identity location separation network, satisfying the user's demand for virtual private networks, and eliminating the impact of the identity and location separation technical solution on the traditional VPN service.
- As shown in the figure, the implementation method of the virtual private network in the embodiment of the present invention is implemented on an identity location separation network, and the method includes:
- Step 101: The mapping plane of the identity location separation network sets a VPN-specific mapping table of the virtual private network (VPN) and a common mapping table, where the VPN-specific mapping table includes the mapping relationships between the identity identifiers and the location identifiers of the VPN end hosts of the same VPN, and the common mapping table includes the mapping relationships between the identity identifiers and the location identifiers of the common end hosts;
- Step 102: The mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table or the common mapping table that is consistent with the source host attribute. If the mapping relationship of the destination host is found, the identity location separation network implements communication between the source and destination hosts; otherwise communication fails.
- The above embodiment implements both ordinary communication and the communication of one VPN, kept separate from each other, in the same identity location separation network. For the case where the mapping plane has only one VPN-specific mapping table, the attribute refers to whether the end host is a VPN end host. In step 102, if the attribute of the source host indicates that the source host is a VPN end host, the mapping plane queries the VPN-specific mapping table, and otherwise queries the common mapping table.
- When multiple VPN-specific mapping tables are set in the mapping plane, different VPN-specific mapping tables correspond to different VPNs and have different VPN identifiers; the attribute then refers to whether the end host is a VPN end host and, if it is, the VPN identifier of the VPN to which it belongs. If the attribute of the source host indicates that the source host is a VPN end host, the mapping plane queries the VPN-specific mapping table corresponding to that VPN identifier, and otherwise queries the common mapping table.
- The present invention also applies when a plurality of VPN-specific mapping tables, and no common mapping table, are set in the mapping plane, so as to implement multiple different VPNs in the identity location separation network.
- In that case the virtual private network implementation method can be summarized as:
- The mapping plane of the identity location separation network sets a plurality of virtual private network (VPN) dedicated mapping tables, and each VPN dedicated mapping table includes the mapping relationships between the identity identifiers and the location identifiers of the VPN end hosts of the same VPN; different VPN dedicated mapping tables correspond to different VPNs and have different VPN identifiers;
- The mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table whose VPN identifier is consistent with that of the source host. If the mapping relationship of the destination host is found, the identity location separation network implements communication between the source and destination hosts; otherwise communication fails.
- The identity location separation network includes the access service node and the mapping plane.
- The packet is forwarded either through the mapping plane or through the forwarding plane, and the procedure includes:
- a. The access service node (ASN) receives the packet sent by the source host, which carries the source and destination host identity identifiers.
- b. The ASN queries the attribute table set on it according to the source host identity identifier to obtain the source host attribute, and forwards the packet or sends a query request to the mapping plane, carrying the source host attribute and the destination host identity identifier;
- c. The mapping plane queries, according to the destination host identity identifier, the VPN-specific mapping table that is consistent with the source host attribute.
- d. If the mapping relationship of the destination host is found, the ASN or the mapping plane forwards the packet to the destination access service node corresponding to the destination location identifier to implement communication; otherwise the communication fails.
- A method for implementing a virtual private network, where the virtual private network is implemented on an identity location separation network, and the method includes: A. The mapping plane of the identity location separation network sets a virtual private network (VPN) dedicated mapping table, where the VPN dedicated mapping table includes the mapping relationships between the identity identifiers and the location identifiers of the VPN end hosts of the same VPN;
- B. The identity location separation network implements communication between the VPN end hosts in the VPN according to the VPN-specific mapping table.
- The mapping plane can set a plurality of VPN-specific mapping tables at the same time; different VPN-specific mapping tables correspond to different VPNs and have different VPN identifiers. In step B, the identity location separation network implements communication between the VPN end hosts in the VPN according to the VPN-specific mapping table whose VPN identifier is consistent with that of the source host.
- The implementation method of the present invention is described in further detail below, taking the mapping plane as an example.
- The architecture of the identity location separation network is shown in Figure 2.
- The user's end hosts, that is, the terminals (the first end host 100 and the second end host 110 shown in Figure 2), communicate using the identity identifier EID, and each end host has a unique identity identifier;
- The network access service nodes ASN (Access Service Node) (the first ASN 200 and the second ASN 210 shown in the figure) are configured to encapsulate, map, and forward the packets sent or received by the terminals, and to query the mapping plane 300 for the mapping between the identity identifier and the location identifier of a host.
- The forwarding plane 400 is responsible for forwarding the packets that the access service nodes ASN have processed by mapping; the mapping plane 300 maintains the mapping relationships between the identity identifiers and the location identifiers of the hosts, keeps these mapping relationships up to date, and provides mapping queries to the ASN, in which a location identifier is looked up through an identity identifier.
- the mapping plane 300 stores the correspondence between the identity EID and the location identifier LID of all terminals of the network, as shown in the following table:
- The access service node ASN processes packets as follows: the first ASN 200 receives a packet sent by the first end host 100 to the second end host 110; the packet carries the source identity identifier EID(1), and the ASN looks up its local mapping table according to the destination EID(2). If an entry is found, the packet is encapsulated with the LID(2) that was found and with LID(1), and is forwarded to the forwarding plane. If no entry is found, the mapping plane is queried for LID(2), and the packet is then sent to the forwarding plane.
- The second ASN 210 at the communication peer receives the packet encapsulated with the LID(2) address, decapsulates it, forwards the decapsulated packet addressed to EID(2) to the second end host 110, and at the same time learns from the packet the mapping relationship between the source LID(1) and EID(1).
- When the second ASN 210 then receives a packet sent by the second end host 110 to the first end host 100, it has already learned the mapping relationship between EID(1) and LID(1) in the above process, so the mapping is found in the local mapping table of the second ASN 210 without querying the mapping plane 300. The second ASN 210 then encapsulates the packet with LID(1) directly and forwards it.
- A mapping table dedicated to the virtual private network VPN is set in the mapping plane 300, including the mapping relationships between the identity identifiers and the location identifiers of all client hosts of the VPN.
- The mapping plane then has two mapping tables: one is the common mapping table, and the other is the VPN-specific mapping table.
- An attribute table recording the VPN attributes of accessing VPN users is set on the access service node ASN. When the ASN processes a packet from an end host, it can query only the VPN-specific mapping table of the VPN to which the user belongs, so communication is established only between users of that VPN. VPN users cannot establish communication with users outside the VPN-specific mapping table, and users outside the VPN-specific mapping table cannot query the VPN-specific mapping table and cannot access the VPN, which ensures the security of the VPN.
- Each VPN-specific mapping table has a VPN identifier: VPN_ID.
- The mapping relationships of the client hosts in the VPN-specific mapping table can be dynamically added or deleted.
- The VPN_ID of the VPN to which the user belongs should be included, so that the mapping table with that VPN_ID can be looked up in the mapping plane.
- The user's VPN access attribute on the ASN can be statically configured or obtained from the mapping plane 300.
- A VPN technology already provided by carriers, for example MPLS VPN, can be used in the forwarding plane to provide secure forwarding of data flows and QoS guarantees.
- the identity of the peer user can be authenticated.
- FIG. 1 A schematic diagram of an application example for implementing an identity location separation network architecture of a VPN network is shown in FIG.
- VPN-specific mapping table example: the first virtual private network is assigned the VPN identifier VPN_ID_(1), and its VPN-specific mapping table is as follows:

Identity identifier | Location identifier |
---|---|
EID(a1) | LID(a1) |
- the VPN attribute of the host at one end (which may include only the VPN ID) and the destination identity;
- Step 403: The mapping plane queries, according to the destination identity identifier, the VPN-specific mapping table whose VPN identifier is VPN_ID_(1), and returns the query result to the first ASN;
- Step 404: The first ASN processes the packet according to the query result. If the destination identity identifier is EID(2), the query result returned from the mapping plane is that no such peer exists: it is an invalid peer and communication is not possible, because the user can communicate only with users inside the VPN. If the destination identity identifier is EID(b1), the query result returned from the mapping plane is the location identifier LID(b1); the first ASN performs the normal forwarding process and sends the packet to the forwarding plane. If the forwarding plane supports the existing VPN technology, the VPN ID of the forwarding plane can be established.
- Step 405: The second ASN at the communication peer receives the packet encapsulated with the LID(b1) address, decapsulates it, forwards the decapsulated packet addressed to EID(b1) to the second end host, and learns the report.
- Step 406: The second ASN receives the packet sent by the second end host to the first end host;
- Step 407: Because the second ASN at the opposite end has learned EID(b1) and
- the present invention also provides a virtual private network implementation system.
- the virtual private network (VPN) implementation system includes a service access node (ASN) 500 and a mapping plane connected through a network.
- The first transceiver module 501 is configured to: receive a packet sent by the source host, which carries the source and destination host identity identifiers, and notify the attribute table query module 503; and forward the packet or send a query request to the mapping plane 510, carrying the source host attribute and the destination host identity identifier. When a query request is sent to the mapping plane 510, it is further configured to receive the query result sent by the mapping plane 510 and, if the mapping relationship of the destination host was found, forward the packet according to the query result; otherwise the communication fails. It is also set to the mapping plane when the mapping relationship changes.
- The attribute table 502 is configured to store the correspondence between end hosts and their attributes;
- The attribute table query module 503 is connected to the first transceiver module 501 and the attribute table 502, and is configured to query the attribute table 502 according to the source host identity identifier, obtain the source host attribute, and notify the first transceiver module 501;
- The mapping plane 510 includes the second transceiver module 511, the mapping database 512, the database query module 513 and the maintenance module 514.
- The second transceiver module 511 is configured to: receive the packet forwarded or the query request sent by the ASN 500, and notify the database query module 513; and, when a query request has been received, send the query result to the ASN 500.
- The mapping database 512 is configured to save a VPN-specific mapping table and a common mapping table. The VPN-specific mapping table includes the mapping relationships between the identity identifiers and the location identifiers of the VPN end hosts of the same VPN; the common mapping table includes the mapping relationships between the identity identifiers and the location identifiers of the common end hosts;
- The database query module 513 is connected to the second transceiver module 511 and the mapping database 512, and is configured to query, according to the destination host identity identifier, the VPN-specific mapping table or the common mapping table that is consistent with the source host attribute, and to notify the second transceiver module 511 of the query result.
- If there is only one VPN-specific mapping table, the attribute refers to whether the host is a VPN end host. If the attribute of the source host indicates that the source host is a VPN end host, the database query module of the mapping plane queries the VPN-specific mapping table, and otherwise queries the common mapping table.
- If there are multiple VPN-specific mapping tables, different VPN-specific mapping tables correspond to different VPNs and have different VPN identifiers; the attribute refers to whether the host is a VPN end host and, if it is, the VPN identifier of the VPN to which it belongs. If the attribute of the source host indicates that the source host is a VPN end host, the database query module 513 of the mapping plane queries the VPN-specific mapping table corresponding to the VPN identifier, and otherwise queries the common mapping table.
- The maintenance module 514 is connected to the second transceiver module 511 and to the common mapping table and the VPN-specific mapping table of the mapping plane (that is, the mapping database 512), and is configured to add or delete mapping relationships in the common mapping table or the VPN-specific mapping table according to registration or deregistration requests from the ASN 500.
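The lookup rule and module split described above (attribute table on the ASN; common and VPN-specific tables with query and maintenance functions in the mapping plane), as an added Python sketch that is not part of the patent text. All class names, EIDs, LIDs and the VPN identifier are constructed; as assumptions of the sketch, each ASN uses a single LID for all its hosts and keys its learned mappings by source attribute as well as by EID, so a cached VPN entry cannot answer a lookup for an ordinary host on the same ASN.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

COMMON = None  # attribute value of an ordinary (non-VPN) end host


@dataclass
class MappingPlane:
    """One common EID->LID table plus one VPN-specific table per VPN identifier."""
    common: Dict[str, str] = field(default_factory=dict)
    vpn_tables: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def register(self, eid: str, lid: str, vpn_id: Optional[str] = COMMON) -> None:
        """Maintenance role: add a mapping when an ASN registers a host."""
        table = self.common if vpn_id is COMMON else self.vpn_tables.setdefault(vpn_id, {})
        table[eid] = lid

    def deregister(self, eid: str, vpn_id: Optional[str] = COMMON) -> None:
        """Maintenance role: delete a mapping when an ASN deregisters a host."""
        table = self.common if vpn_id is COMMON else self.vpn_tables.get(vpn_id, {})
        table.pop(eid, None)

    def query(self, src_attr: Optional[str], dst_eid: str) -> Optional[str]:
        """Search only the table that matches the source host attribute."""
        if src_attr is COMMON:
            return self.common.get(dst_eid)
        # An unknown VPN identifier resolves nothing; it never falls back
        # to the common table.
        return self.vpn_tables.get(src_attr, {}).get(dst_eid)


@dataclass
class AccessServiceNode:
    lid: str
    plane: MappingPlane
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)  # attribute table
    # Assumption of this sketch: learned mappings are keyed by (attribute, EID).
    learned: Dict[Tuple[Optional[str], str], str] = field(default_factory=dict)
    plane_queries: int = 0

    def attach(self, eid: str, vpn_id: Optional[str] = COMMON) -> None:
        """Record the host attribute locally and register its mapping."""
        self.attributes[eid] = vpn_id
        self.plane.register(eid, self.lid, vpn_id)

    def send(self, src_eid: str, dst_eid: str, payload: str) -> Optional[dict]:
        """Return the encapsulated packet, or None when communication fails."""
        if src_eid not in self.attributes:
            return None  # source is not attached to this ASN
        attr = self.attributes[src_eid]
        dst_lid = self.learned.get((attr, dst_eid))
        if dst_lid is None:
            self.plane_queries += 1
            dst_lid = self.plane.query(attr, dst_eid)
            if dst_lid is None:
                return None  # no such peer in the table for this attribute
            self.learned[(attr, dst_eid)] = dst_lid
        return {"outer_src": self.lid, "outer_dst": dst_lid,
                "src": src_eid, "dst": dst_eid, "payload": payload}

    def receive(self, packet: dict) -> Optional[dict]:
        """Decapsulate, learn the source mapping, return the inner packet."""
        if packet["outer_dst"] != self.lid or packet["dst"] not in self.attributes:
            return None
        attr = self.attributes[packet["dst"]]
        # Learned from the packet itself, as the page describes; this trusts
        # the table check already made on the sending side.
        self.learned[(attr, packet["src"])] = packet["outer_src"]
        return {"src": packet["src"], "dst": packet["dst"], "payload": packet["payload"]}


def build_demo():
    """Constructed topology: two VPN hosts and two ordinary hosts on two ASNs."""
    plane = MappingPlane()
    asn1 = AccessServiceNode("LID-ASN1", plane)
    asn2 = AccessServiceNode("LID-ASN2", plane)
    asn1.attach("EID-a1", "VPN_ID_1")
    asn1.attach("EID-1")
    asn2.attach("EID-b1", "VPN_ID_1")
    asn2.attach("EID-2")
    return plane, asn1, asn2


if __name__ == "__main__":
    plane, asn1, asn2 = build_demo()
    print(asn1.send("EID-a1", "EID-b1", "hello"))  # resolved in the VPN table
    print(asn1.send("EID-a1", "EID-2", "hello"))   # fails: peer is outside the VPN
    print(asn1.send("EID-1", "EID-b1", "hello"))   # fails: VPN host not in common table
```
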
- The invention saves the VPN-specific mapping table of the VPN in the mapping plane of the identity location separation network and determines, according to the VPN-specific mapping table, whether to implement communication between the VPN end host users in the VPN. It thereby effectively implements the virtual private network in the identity location separation network, satisfies the user's demand for virtual private networks, eliminates the influence of the identity and location separation technical solution on the traditional VPN service, and reduces the modifications to existing equipment and software needed to implement the VPN, in particular for the VPN solution (PP-VPN) implemented by the operator.
- The method of the present invention is implemented by the mapping plane and belongs to the VPN solutions implemented by an operator.
- The present invention provides a method and system for implementing a virtual private network, which store a VPN-specific mapping table of a VPN in the mapping plane of an identity location separation network and determine, according to the VPN-specific mapping table, whether to implement communication between the VPN end host users in the VPN. This effectively implements the virtual private network in the identity location separation network, satisfies the user's demand for virtual private networks, eliminates the influence of the identity and location separation technical solution on the traditional VPN service, and reduces the changes to existing devices and software needed to implement the VPN.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012529109A JP5579853B2 (ja) | 2009-09-18 | 2010-09-10 | Method and system for implementing a virtual private network |
KR1020127009926A KR101340495B1 (ko) | 2009-09-18 | 2010-09-10 | Method and system for implementing a virtual private network |
EP10816677.8A EP2466818A4 (en) | 2009-09-18 | 2010-09-10 | METHOD AND SYSTEM FOR ESTABLISHING A VIRTUAL PRIVATE NETWORK |
US13/496,284 US8661525B2 (en) | 2009-09-18 | 2010-09-10 | Implementation method and system of virtual private network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910176529.8A CN102025589B (zh) | 2009-09-18 | 2009-09-18 | Method and system for implementing a virtual private network |
CN200910176529.8 | 2009-09-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011032473A1 (zh) | 2011-03-24 |
Family
ID=43758098
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/076788 WO2011032473A1 (zh) | 2009-09-18 | 2010-09-10 | Method and system for implementing a virtual private network |
Country Status (6)
Country | Link |
---|---|
US (1) | US8661525B2 (zh) |
EP (1) | EP2466818A4 (zh) |
JP (1) | JP5579853B2 (zh) |
KR (1) | KR101340495B1 (zh) |
CN (1) | CN102025589B (zh) |
WO (1) | WO2011032473A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012231225A (ja) * | 2011-04-25 | 2012-11-22 | Kddi Corp | Mapping server control method and mapping server |
Families Citing this family (55)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7162035B1 (en) | 2000-05-24 | 2007-01-09 | Tracer Detection Technology Corp. | Authentication method and system |
US8171567B1 (en) | 2002-09-04 | 2012-05-01 | Tracer Detection Technology Corp. | Authentication method and system |
US10469556B2 (en) | 2007-05-31 | 2019-11-05 | Ooma, Inc. | System and method for providing audio cues in operation of a VoIP service |
US8560634B2 (en) * | 2007-10-17 | 2013-10-15 | Dispersive Networks, Inc. | Apparatus, systems and methods utilizing dispersive networking |
US7995196B1 (en) | 2008-04-23 | 2011-08-09 | Tracer Detection Technology Corp. | Authentication method and system |
CN102131197B (zh) * | 2010-01-20 | 2015-09-16 | 中兴通讯股份有限公司 | Method and system for accessing a network on a public device |
CN102130887B (zh) * | 2010-01-20 | 2019-03-12 | 中兴通讯股份有限公司 | Method and system for accessing a network on a public device |
CN102868618A (zh) * | 2011-07-08 | 2013-01-09 | 中兴通讯股份有限公司 | Detachment method, apparatus and mapping server |
CN103051541B (zh) * | 2011-10-14 | 2017-04-05 | 中兴通讯股份有限公司 | Packet forwarding method in an identifier network, ASR and ISR |
US9069761B2 (en) * | 2012-05-25 | 2015-06-30 | Cisco Technology, Inc. | Service-aware distributed hash table routing |
US8879394B2 (en) * | 2012-10-22 | 2014-11-04 | Telefonaktiebolaget L M Ericsson (Publ) | Method and system of packet based identifier locator network protocol (ILNP) load balancing and routing |
US9185071B2 (en) * | 2012-12-31 | 2015-11-10 | Telefonaktiebolaget L M Ericsson (Publ) | Methods and systems for seamless network communications between devices running internet protocol version 6 and internet protocol version 4 |
US9882713B1 (en) | 2013-01-30 | 2018-01-30 | vIPtela Inc. | Method and system for key generation, distribution and management |
US20140229945A1 (en) * | 2013-02-12 | 2014-08-14 | Contextream Ltd. | Network control using software defined flow mapping and virtualized network functions |
US9294393B1 (en) * | 2013-04-30 | 2016-03-22 | Cisco Technology, Inc. | Interconnecting virtual private networks |
US9479433B1 (en) | 2013-04-30 | 2016-10-25 | Cisco Technology, Inc. | Interconnecting virtual private networks |
US9508114B2 (en) * | 2013-06-13 | 2016-11-29 | Autodesk, Inc. | File format and system for distributed scene graphs |
US9386148B2 (en) | 2013-09-23 | 2016-07-05 | Ooma, Inc. | Identifying and filtering incoming telephone calls to enhance privacy |
US9749290B2 (en) * | 2013-11-14 | 2017-08-29 | Verizon Patent And Licensing Inc. | Distributing and virtualizing a network address translation (NAT) |
US9467478B1 (en) | 2013-12-18 | 2016-10-11 | vIPtela Inc. | Overlay management protocol for secure routing based on an overlay network |
US10542004B1 (en) | 2014-02-24 | 2020-01-21 | C/Hca, Inc. | Providing notifications to authorized users |
US10769931B2 (en) | 2014-05-20 | 2020-09-08 | Ooma, Inc. | Network jamming detection and remediation |
US9633547B2 (en) | 2014-05-20 | 2017-04-25 | Ooma, Inc. | Security monitoring and control |
US10553098B2 (en) | 2014-05-20 | 2020-02-04 | Ooma, Inc. | Appliance device integration with alarm systems |
US11330100B2 (en) | 2014-07-09 | 2022-05-10 | Ooma, Inc. | Server based intelligent personal assistant services |
US9894031B2 (en) | 2014-08-27 | 2018-02-13 | Cisco Technology, Inc. | Source-aware technique for facilitating LISP host mobility |
CN105471827B (zh) * | 2014-09-04 | 2019-02-26 | 华为技术有限公司 | Packet transmission method and apparatus |
US9935850B1 (en) | 2014-11-18 | 2018-04-03 | Berryville Holdings, LLC | Systems and methods for implementing an on-demand computing network environment |
CN105721270B (zh) * | 2014-12-04 | 2020-05-08 | 成都鼎桥通信技术有限公司 | Control method for a cluster communication virtual network |
US9819513B2 (en) * | 2015-01-27 | 2017-11-14 | Anchorfree Inc. | System and method for suppressing DNS requests |
US10021065B2 (en) | 2015-01-27 | 2018-07-10 | Anchorfree Inc. | System and method for suppressing DNS requests |
CN104767686B (zh) * | 2015-04-08 | 2018-03-20 | 新华三技术有限公司 | Method and apparatus for querying routing information in an ALT network |
CN106209485B (zh) * | 2015-04-30 | 2019-05-24 | 中国南方电网有限责任公司 | VPN private network link detection method and apparatus |
US10911368B2 (en) | 2015-05-08 | 2021-02-02 | Ooma, Inc. | Gateway address spoofing for alternate network utilization |
US11171875B2 (en) | 2015-05-08 | 2021-11-09 | Ooma, Inc. | Systems and methods of communications network failure detection and remediation utilizing link probes |
US10771396B2 (en) * | 2015-05-08 | 2020-09-08 | Ooma, Inc. | Communications network failure detection and remediation |
US10009286B2 (en) | 2015-05-08 | 2018-06-26 | Ooma, Inc. | Communications hub |
CA2931906C (en) * | 2015-06-03 | 2023-09-05 | Evertz Microsystems Ltd. | Systems and methods for determining a destination location in a network system |
US20160373297A1 (en) * | 2015-06-18 | 2016-12-22 | At & T Intellectual Property I, L.P. | Device, system, and method for managing virtual and physical components of a network via use of a registry |
KR101977726B1 (ko) | 2015-11-17 | 2019-05-14 | 한국전자통신연구원 | Virtual desktop service method and apparatus |
US9980303B2 (en) | 2015-12-18 | 2018-05-22 | Cisco Technology, Inc. | Establishing a private network using multi-uplink capable network devices |
WO2018138544A1 (en) * | 2017-01-24 | 2018-08-02 | Telefonaktiebolaget Lm Ericsson (Publ) | Using location identifier separation protocol to implement a distributed gateway architecture for 3gpp mobility |
WO2018138545A1 (en) | 2017-01-24 | 2018-08-02 | Telefonaktiebolaget Lm Ericsson (Publ) | Lossless handover for mobility with location identifier separation protocol in 3rd generation partnership project networks |
CN108259379B (zh) * | 2017-05-08 | 2021-11-02 | 新华三技术有限公司 | Traffic forwarding method and apparatus |
EP3622777B1 (en) | 2017-05-12 | 2021-07-07 | Telefonaktiebolaget LM Ericsson (Publ) | Local identifier locator network protocol (ilnp) breakout |
US10523563B2 (en) | 2018-04-10 | 2019-12-31 | Cisco Technology, Inc. | Mechanism and procedures for multi-domain enterprise fabric domain federations |
US11539817B1 (en) | 2018-09-27 | 2022-12-27 | C/Hca, Inc. | Adaptive authentication and notification system |
WO2020096594A1 (en) | 2018-11-07 | 2020-05-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Local identifier locator network protocol (ilnp) breakout |
US11652791B2 (en) | 2019-08-07 | 2023-05-16 | Cisco Technology, Inc. | Consolidated routing table for extranet virtual networks |
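CN111711556B (zh) * | 2020-06-17 | 2021-11-23 | 北京字节跳动网络技术有限公司 | Routing method, apparatus, system, device and storage medium for a virtual private network |
CN111857979B (zh) * | 2020-06-28 | 2023-08-15 | 厦门极致互动网络技术股份有限公司 | Information management method, system, storage medium and device for a distributed system |
CN112187644B (zh) * | 2020-10-28 | 2022-02-22 | 郑州芯兰德网络科技有限公司 | Multicast system and multicast method based on identifier resolution routing |
CN113596059B (zh) * | 2021-08-19 | 2023-06-20 | 中国电子科技集团公司电子科学研究院 | Method and system for implementing real-time layer-3 network isolation in an identifier network |
CN114697300A (zh) * | 2022-04-15 | 2022-07-01 | 武汉中元通信股份有限公司 | Data multicast implementation method for a high-timeliness communication system |
CN114885443B (zh) * | 2022-07-01 | 2022-11-08 | 之江实验室 | Multi-modal network control system and method supporting mobile terminal access |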
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
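CN1485759A (zh) * | 2002-09-23 | 2004-03-31 | Huawei Technologies Co., Ltd. | Method for implementing multiple applications on a point-of-sale terminal |
CN1501720A (zh) * | 2002-11-12 | 2004-06-02 | Huawei Technologies Co., Ltd. | End-to-end routing method for a wireless voice-over-IP core network |
CN1801764A (zh) | 2006-01-23 | 2006-07-12 | Beijing Jiaotong University | Internet access method based on identity and location separation |
CN101222414A (zh) * | 2007-01-11 | 2008-07-16 | Huawei Technologies Co., Ltd. | Apparatus, system and method for implementing multicast communication |
CN101753424A (zh) * | 2008-11-28 | 2010-06-23 | Huawei Technologies Co., Ltd. | Data communication system, router, and data sending and mobility management method |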
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6442169B1 (en) * | 1998-11-20 | 2002-08-27 | Level 3 Communications, Inc. | System and method for bypassing data from egress facilities |
JP2000183968A (ja) | 1998-12-17 | 2000-06-30 | Nippon Telegr & Teleph Corp <Ntt> | Packet communication system, and node and edge device constituting the same |
US6693878B1 (en) * | 1999-10-15 | 2004-02-17 | Cisco Technology, Inc. | Technique and apparatus for using node ID as virtual private network (VPN) identifiers |
JP3620719B2 (ja) * | 2001-06-22 | 2005-02-16 | NEC Corporation | Routing processing system in a data switching apparatus |
US7283529B2 (en) * | 2003-03-07 | 2007-10-16 | International Business Machines Corporation | Method and system for supporting a dedicated label switched path for a virtual private network over a label switched communication network |
JP4207078B2 (ja) * | 2006-10-11 | 2009-01-14 | Murata Machinery, Ltd. | Relay server |
US7894450B2 (en) * | 2007-12-31 | 2011-02-22 | Nortel Network, Ltd. | Implementation of VPNs over a link state protocol controlled ethernet network |
KR101084769B1 (ko) * | 2008-12-23 | 2011-11-21 | KT Corporation | Network mobility support system based on locator/identifier separation and method thereof |
US9049653B2 (en) * | 2009-07-02 | 2015-06-02 | Futurewei Technologies, Inc. | Handover in core-edge separation technology in wireless communications |
EP2589208A1 (en) * | 2010-06-29 | 2013-05-08 | Huawei Technologies Co., Ltd. | Delegate gateways and proxy for target hosts in large layer 2 and address resolution with duplicated internet protocol addresses |
-
2009
- 2009-09-18 CN CN200910176529.8A patent/CN102025589B/zh active Active
-
2010
- 2010-09-10 WO PCT/CN2010/076788 patent/WO2011032473A1/zh active Application Filing
- 2010-09-10 EP EP10816677.8A patent/EP2466818A4/en not_active Withdrawn
- 2010-09-10 US US13/496,284 patent/US8661525B2/en active Active
- 2010-09-10 KR KR1020127009926A patent/KR101340495B1/ko active IP Right Grant
- 2010-09-10 JP JP2012529109A patent/JP5579853B2/ja active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP2466818A4 |
Also Published As
Publication number | Publication date |
---|---|
JP5579853B2 (ja) | 2014-08-27 |
US20120180122A1 (en) | 2012-07-12 |
JP2013504960A (ja) | 2013-02-07 |
KR101340495B1 (ko) | 2013-12-12 |
EP2466818A4 (en) | 2015-03-04 |
CN102025589B (zh) | 2015-04-01 |
CN102025589A (zh) | 2011-04-20 |
US8661525B2 (en) | 2014-02-25 |
KR20120100927A (ko) | 2012-09-12 |
EP2466818A1 (en) | 2012-06-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10816677 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13496284 Country of ref document: US Ref document number: 2012529109 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010816677 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 20127009926 Country of ref document: KR Kind code of ref document: A |