KR100431207B1 - Exteranet ip-vpn service provinding methode in mpls based network - Google Patents

Abstract

The present invention relates to a method of providing an extranet IP-VPN service in a multi-protocol label switching network (MPLS) network. When a firewall for access authentication is located at one or more sites of a specific subscriber site, all hosts that want to access the extranet are provided. This is a method for providing an extranet IP-VPN service in an MPLS-based network that allows a user to access a destination through a site where a firewall is located. The route delimiter (RD) is used to distinguish between an intranet and an extranet. In this paper, we propose a procedure for delivering VPN routing and forwarding information in the edge device so that the extranet route information can operate in the form of hub and spoke. It is possible to provide VPN service to both intranet / extranet at the same time. Even if the configuration information of the site is changed, it is not automatically reconfigured to all sites, but is automatically reconfigured by notifying only the site where the firewall system is located, thereby simplifying the service configuration and operation procedure.

Description

How to provide extranet IPVP service in MPLS based network {EXTERANET IP-VPN SERVICE PROVINDING METHODE IN MPLS BASED NETWORK}

The present invention relates to a method for providing an extranet IP-VPN service in a multi-protocol label switching network (MPLS) -based network. In particular, when a firewall system is located at a specific subscriber site, all hosts that want to access the extranet are located in a firewall. The present invention relates to a method for providing an extranet IP-VPN service in an MPLS-based network that can access a destination via a site.

The existing MPLS VPN service provisioning method uses the function of configuring routing and forwarding information so that closed user group can be configured for each VPN group in a provider edge (PE) system, and using routing and forwarding information. It consists of a function of forwarding VPN packets to a destination, and typically provides an intranet service that supports an unlimited connection between sites belonging to the same VPN group, but does not provide an extranet service.

In general, MPLS-based IP-VPN service provides private network service by tunneling between labels belonging to the same VPN group through Label Switched Path, and its structure and method are defined in IETF RFC 2547. have.

According to the RFC 2547 standard, in order to provide an intranet service, VPN route information is directly distributed through iBGP peering, and a set route route filter (E-RT) and a route reflection filter (Import Route Target) are set. Since the root information is updated only in a specific VPN group by the value of I_RT), a VPN Routing Forwarding table (also referred to as a VRF) for a closed user group is configured.

However, in order to simultaneously provide an extranet service, hosts allowed to simultaneously access the intranet and the extranet must provide two different route information to remote sites. That is, BMP4 extension path information for general MPLS-VPN is distributed directly to remote PEs for the sites belonging to the intranet, and indirect distribution to the remote PEs indirectly through the firewall system for the sites belonging to the extranet. Should be.

In order to do this, each PE system must know the configuration information of intranet and extranet sites. Therefore, if the VPN route information is changed, it must determine whether the intranet and extranet paths are appropriate and notify remote PEs individually. There is a problem in that scalability is limited and function implementation is complicated.

The present invention has been proposed to solve the above-mentioned conventional problems, and its object is to affect the existing intranet service provision mechanism when a firewall system is located at a specific subscriber site in intranet / extranet VPN path distribution process. It is to provide an extranet IP-VPN service providing method in an MPLS-based network that can provide an extranet service simultaneously.

1 is a configuration diagram of an extranet service system when a firewall is located at a specific subscriber site in an MPLS-based network.

2 is a logical diagram of an extranet IP-VPN service providing system according to the present invention.

3 is a flowchart illustrating a process of distributing and filtering path information between extranet sites according to the present invention.

4 is a signal processing diagram showing a user packet transfer procedure between extranet sites according to the present invention.

5 is a procedure for processing intranet and extranet path information according to the present invention in a PE system.

In order to achieve the above object, the present invention provides an extranet IP-VPN service in an MPLS-based network that connects a plurality of subscriber sites in which a firewall system, an extranet server, and an extranet client system are distributed to a virtual private network. In the method,

A first to create a VPN routing / forwarding table for the extranet on the first network edge device connected to the firewall system, the second network edge device connected to the extranet server side, and the third network edge device connected to the extranet client system side, respectively; step;

The VPN routing / forwarding table of the first network edge device has route information (RT) of other second and third network edge devices at the same time, and the VPN routing / forwarding table of the second and third network edge devices is itself and the first network. A second step of allocating so as to have only route information (RT) of the edge device; And,

Each network edge device has a third step of assigning a VPN label to distinguish access to an extranet host.

The extranet server side and the extranet client side exchange route information through a subscriber site equipped with a firewall, but the route information is not directly distributed.

In addition, the method may further include assigning a route descriptor (RD) of the VPN routing / forwarding table for extranets of the first to third network edge devices to a value different from that of the intranet VPN routing / forwarding table. Including two more steps, it is characterized in that it supports the intranet and extranet services at the same time.

In addition, the service providing method according to the present invention, if the path information for the extranet server is added, transmitting the information to the second network edge equipment connected to the extranet server;

Determining, by the second network edge device, whether an intranet and an extranet are connected by searching for a path separator assigned to a subscriber site side access interface;

Transmitting path update information for the extranet to the first network edge device;

Receiving the route update message at a first network edge device and reflecting the route update message to an extra VPN routing / forwarding table table;

Retransmitting the first network edge device to other network edge devices by modifying the reachability information and the route information (RT) of the received route information while simultaneously transmitting the received route information to the subscriber site; And

Reflecting the information received by the third network edge device receiving the route information relayed by the first network edge equipment, and transmitting to the subscriber site, characterized in that for reconfiguring the bypass route.

In addition, when the packet destined for the extranet server side from the extranet client side is input to the third network edge device, the third network edge device looks up the VPN routing / forwarding table table for the extranet to the first network edge device. Forwarding packets to the connected firewall system;

Transmitting, by the first network edge device, an input packet to a firewall system by referring to a VPN label value;

If there is no problem after access authentication in the firewall system, transferring the information back to the first network edge device;

The first network edge device looks up the VPN routing / forwarding table table for the extranet and forwards the received packet to the second network edge device on the extranet server side as a final destination. And

Receiving the packet at the second network edge device, and forwarding the packet to the extranet server side of the final destination by referring to the VPN label value,

The user packet is forwarded to the final destination through the firewall system of the subscriber site.

The invention also includes a recording medium on which a program for executing each of the above-described steps is recorded.

EMBODIMENT OF THE INVENTION Hereinafter, the structure and effect | action of this invention are demonstrated.

The IP-VPN service provision according to the present invention is generally composed as follows.

In order to provide extranet service, a firewall system, an extranet server, and an extranet client system are distributed in one or more subscriber sites within the subscriber site.

In order to improve service scalability and reliability, and to reduce the complexity of functions, a firewall system is located at the side of one or more subscriber sites in the network, and the network edge device (hereinafter referred to as PE) to which the firewall system is connected is referred to as extranet path information and user. Configured to act as a hub in the packet forwarding process (hereinafter referred to as PE-hub). The PE-hub system serves as a relay for distributing routing information for the extranet group and for filtering the extranet packet.

The PE system to which the extranet sharing server is connected (hereinafter referred to as PE-spoke) sends the route information about the extranet sharing server to the PE-hub system primarily, and the PE-hub system sends the route information to the corresponding extranet group. Refer to the configuration information and relay to remote PE-spoke systems. In order to indirectly distribute the extranet route information, the root information (RT) value should be set to operate in a hub-and-spoke form. Extranet VPN packets are routed through the extranet firewall system to the final destination PE. That is, when a packet destined for the extranet server side from the extranet client side is input to the PE-spoke side, the PE-spoke looks up the extranet VPN routing / forwarding table table and forwards the packet to the firewall system connected to the PE-hub. . When the packet is input from PE-spoke, the PE-hub forwards the packet to the firewall system by referring to the VPN label value, and the firewall system authenticates the connection and passes it back to the original destination extranet server if there is no problem. Send the packet to PE-hub again.

The PE-hub then looks up the extranet VPN routing / forwarding table table and forwards the packet to the final destination extranet server side PE-spoke, and the PE-spoke refers to the VPN label value and forwards the packet to the final destination extranet server side. Will be delivered.

Hereinafter, with reference to the accompanying drawings an embodiment of the present invention will be described in detail.

1 is a diagram illustrating an example of a configuration of an intranet / extranet MPLS service system to which the present invention is applied. In FIG. 1, four subscriber sites 121 to 124 are connected to the provider MPLS network 101 to configure a VPN, where a first virtual private network (hereinafter referred to as vpn_intra1) 102 that is an intranet is a subscriber site. CE1 121, CE2 122, and CE3 123. Among the subscriber sites, the CE4 124 has access rights to some of the extranet servers located in the CE1 121 as a partner of the intranet 102, and for this purpose, the second virtual private network (hereinafter referred to as vpn_extra2). 103) is configured. Firewall system 153 for access rights authentication is located within CE3 123.

According to the RFC 2547 standard, the MPLS network 101 is composed of a plurality of PE systems 111, 112, 113, and 114 and P systems 115 and 116.

The PE system (111, 112, 113, 114) has a VPN routing / forwarding table configuration for VPN service and forwarding function of the VPN packet, P system (115, 116) has a packet switching function by the general label swapping.

Each subscriber site is connected to the MPLS network 101 by a LSP in a logical private network. Therefore, the CE1 to CE4 are also referred to as VPN sites. The CE1 to CE4 (121, 122, 123, 124) is composed of a single host, router or switch system, the subscriber side edge device does not have a separate function for the VPN service. Subscriber edge equipment of each site is connected to the PE of the MPLS network 101 through a specific interface (132, 142, 152, 162) in order to receive a VPN service, PE (111, 112, 113, 114) network edge equipment of the operator network 101 And route information about the site through the general routing protocol or manual configuration.

A configuration and procedure for providing an extranet service in the system configuration as shown in FIG. 1 are as follows.

The intranet / extranet sharing server 134 in the CE1 121 is connected to the PE1 111, and the firewall system 153 is located at the CE3 123. Therefore, PE1 111 and PE4 114 become PE-spoke, and PE3 113 becomes PE-hub.

Each PE node has a VPN routing / forwarding table for vpn_intra1 (102) and a VPN routing / forwarding table for vpn_extra2 (103), and the VPN routing / forwarding table for vpn_intra1 (102) is configured and operated. The procedure is in accordance with RFC 2547. For the extranet, VPN routing / forwarding tables (162, 163, 164) for the extranet are created in PE1 (111), PE3 (113) and PE4 (114), respectively, and the routing descriptor (RD) and the route information (RT) values are The path separator assigned to this VPN routing / forwarding table is assigned a value different from that of the intranet. Route information (RT) values are assigned to enable PEs to operate in a hub-and-spoke structure. That is, a unique route information (RT) value is allocated to each of the PE-spoke and the PE-hub, and the PE-hub has the root information (RT) values of all other PE-spokes at the same time. It is configured to have only the root information (RT) value of PE-hub. In this configuration, the PE-hub 113 and the PE-spokes 111 and 114 exchange path information with each other, but the path information between the PE-spokes is not distributed.

The process of distributing the path information of the extranet sharing server in the vpn_extra1 sites in the system configuration as described above will be described with reference to FIGS.

2 illustrates a logical system configuration for vpn_extra2 103 in the system configuration of FIG. vpn_extra2 consists of three subscriber sites CE1 (121), CE3 (123), and CE4 (124). Logically, CE3 (123) having the firewall system acts as a hub and connects to the PE of the MPLS network (101). Site CE1 (121) and CE4 (124) is composed of a hub and spoke structure that serves as a spoke.

In addition, an arbitrary path separator is allocated to simultaneously support an intranet service and an extranet service through the same interface. In FIG. 2, a path separator is assigned as 100: 2. Subsequently, a root information (RT) value is allocated to each PE for path information filtering on vpn_extra2. The root information (RT) value is assigned a 100: 1 value for the PE3 113 which is the hub node, and 100: 2 and 100: 3 for the PE1 111 and the PE4 114 which are the spoke nodes, respectively.

As a result, the VPN routing / forwarding table of the PE3 113, which is the hub node, has route information (RT) values of 100: 1, 100: 2, and 100: 3, and vpn_extra2 (with PE1 111 or PE4 114). The route information for 103 is shared. On the other hand, the route information (RT) of the VPN routing / forwarding table of the spoke nodes PE1 111 and PE4 114 has only the route information (RT) of itself and the hub, and thus direct route information with other spoke nodes. The exchange is blocked.

Each PE then assigns a vpn_label to identify the egress connection to the vpn_extra2 host.

FIG. 3 is a diagram illustrating a procedure of transferring path information of a shared server 134 to a hub node PE3 and another spoke node PE4 in a system configured as shown in FIG. 2.

That is, when the route information for the shared server 121 is added (231), this information is transmitted to the PE1 111 connected to the CE1 121 by a routing protocol or a static setting (232). ). The PE1 111 searches for a path separator assigned to the CE1 access interface and determines that vpn_intra1 102 and vpn_extra2 103 are connected (233).

Next, the route update information is distributed to BGP peers by setting the root information (RT) value (E_root information (RT)) for the extranet to 100: 2 (234). The distributed information is extended attributes such as "VPN_IPv4 address information of shared server, BGP Next Hop = PE1, VPN_Label = 2000, E_RT = 100: 2", and the like.

The route update message is delivered to each peered PE, and the update message is reflected in the vpn_extra2 table of PE3 113 having a 100: 2 value in the intranet route information (RT) (I_RT) among a plurality of PEs ( 235).

The PE3 113 transmits the route information to the subscriber side 123 (236), and also modifies the reachability information and the route information (RT) of the received route information (237) to serve as a hub. Then relay to other PEs. At this time, it modifies "VPN_IPv4 address information of shared server, BGP Next Hop = PE3, VPN_Label = 1000, E_RT = 100: 1" and delivers it to other peered PEs (238).

The received information is reflected in the vpn_extra2 table of the PE4 124 having a value of 100: 1 in the intranet RT (I_RT) value among the PEs receiving the route information relayed by the PE3 113 (239). The PE4 124 forwards the route information to the subscriber side 124 (240).

As shown in FIG. 4, the data transmission process for the extranet client to access the extranet sharing server in the state in which the route information is distributed as described above.

Referring to FIG. 4, when an extranet client side located at CE4 124 arrives at the PE4 114 of the MPLS network 101 through a preset interface, a user packet destined for the shared server side of CE1 121 arrives ( 301), the PE4 114 looks up the VPN routing / forwarding table table of vpn_extra2 103 so that the BGP Next Hop is PE3 113, the VPN label is 1000 and the PE4 114 is directed to PE3 113. The label is found and the packet is encoded into an MPLS frame (302, 303).

The data packet encoded with the MPLS frame is then forwarded to PE3 113 (304).

The PE3 113 determines the output interface with reference to the VPN label value carried in the received packet (305), decodes the MPLS frame, and forwards it to the CE3 123 (306).

The firewall system 153 provided in the CE3 123 checks the service use and access authority with respect to the packet received from the PE3 113 (307), and there is no problem in the use authority, that is, when the connection is authenticated. The packet is sent back to the PE3 113 through the previously set interface (308).

The PE3 113 looks up the VPN routing / forwarding table table of vpn_extra2 103 so that the BGP Next hop is PE1 111 and the VPN label is 2000 and the top label from PE3 113 to PE1 111. And encode the packet into an MPLS frame (309, 310). Then, the encoded packet is transmitted to the PE1 111 (311).

The PE1 111 determines the output interface with reference to the VPN label value carried in the received packet (312), decodes the received MPLS frame and delivers it to the shared server 134 on the CE1 121 side (313). .

FIG. 5 is a flowchart illustrating a procedure for processing intranet and extranet path information in the PE system.

When the PE system (PE1, PE2, PE3, PE4, etc.) receives the route information update message (401), it checks whether the received route information is a local address or received from a remote peer (402).

As a result of the check, if the received route information is a local route, the route separator is examined from the connected interface information to find the corresponding VPN routing / forwarding tables, and then the received route information is inserted into the VPN routing / forwarding table. After (403), the VPN route information is generated (404), and the VPN route information generated is "VPN_IPv4 address, BGP Next Hop = Local PE address, VPN Label = Local assigned interface label, E_RT = The VPN E_RT "of the routing / forwarding table.

The VPN route update message made as above is distributed to all iBGP peers (405).

However, when the received route information is a remote route, the VPN routing / forwarding tables matching the E_RT value of the received route and the I_RT values of the VPN routing / forwarding tables of the PE are searched for (412).

If there is no matching VPN routing / forwarding table, the received route information is discarded and the procedure is terminated. If there is a matching VPN routing / forwarding table, the received route information is stored in the corresponding VPN routing / forwarding table table (414). In step 415, route information is selectively transmitted to the subscriber site.

Then, it searches (416) whether the VPN routing / forwarding table table being processed is Hub type, to determine if it is a route for an extranet service.

As a result of the determination, the route information processing procedure is terminated in the case of the general VPN route, but in the case of the extranet route, the received route message is reprocessed to transmit the bypass route information passing through the firewall to the peers (418 and 419).

In other words, the received route message is labeled "Dest = VPN_IPv4 address of the original host, BGP Next Hop = Firewall connection PE, VPN label = Label assigned to the firewall access interface, E_RT = PE_hub (that is, the RT of the current VPN routing / forwarding table Reprocessing and forwarding to iBGP peers terminates the route information processing).

As described above, when the firewall system is located at a specific subscriber site side in the MPLS network, the present invention can simply and easily support the extranet service without affecting the existing intranet service providing mechanism. By assigning one or more path separators for a network, you can support both intranet and extranet services simultaneously.

Claims (5)

How to provide extranet IP-VPN service in MPLS-based network that connects multiple subscriber sites with distributed firewall system, extranet server and extranet client system to virtual private network To A first to create a VPN routing / forwarding table for the extranet on the first network edge device connected to the firewall system, the second network edge device connected to the extranet server side, and the third network edge device connected to the extranet client system side, respectively; step; The VPN routing / forwarding table of the first network edge device simultaneously has the route information (RT) values of other second and third network edge devices, and the VPN routing / forwarding table of the second and third network edge devices is itself and the first network. A second step of allocating so as to have only route information (RT) of the edge device; And, Each network edge device consists of a third step of assigning a vpn_label to distinguish egress connections to the extranet host. Extranet server in MPLS-based network, wherein the extranet server side and the extranet client side exchange route information through a subscriber site equipped with a firewall, but route information is not directly distributed. How to Provide IP-VPN Services. The method of claim 1 wherein the method is And further comprising allocating a path separator of an extranet VPN routing / forwarding table of the first to third network edge devices to a value different from that of the intranet VPN routing / forwarding table. A method for providing an extranet IP-VPN service in an MPLS-based network, which simultaneously supports intranet and extranet services. The method of claim 1 wherein the method If the route information for the extranet server is added, transferring the information to a second network edge device to which the extranet server is connected; Determining, by the second network edge device, whether an intranet and an extranet are connected by searching for a path separator assigned to a subscriber site side access interface; Transmitting path update information for the extranet to the first network edge device; Receiving the route update message at a first network edge device and reflecting the route update message to an extra VPN routing / forwarding table table; Retransmitting the first network edge device to other network edge devices by modifying the reachability information and the route information (RT) of the received route information while simultaneously transmitting the received route information to the subscriber site; And MPLS, characterized in that the bypass path is reconfigured by reflecting the information received by the third network edge device receiving the route information relayed by the first network edge device and transmitting the information to the subscriber site. ) How to provide extranet IP-VPN service in infrastructure network. The method of claim 1 wherein the method is When a packet destined for the extranet server side from the extranet client side is input to the third network edge device, the third network edge device looks up the VPN routing / forwarding table table for the extranet to the firewall system connected to the first network edge device. Forwarding the packet; Transmitting, by the first network edge device, an input packet to a firewall system by referring to a VPN label value; If there is no problem after access authentication in the firewall system, transferring the information back to the first network edge device; The first network edge device looks up the VPN routing / forwarding table table for the extranet and forwards the received packet to the second network edge device on the extranet server side as a final destination. And Receiving the packet at the second network edge device, and forwarding the packet to the extranet server side of the final destination by referring to the VPN label value, A method of providing an extranet IP-VPN service in an MPLS-based network, wherein the user packet is forwarded to a final destination through a firewall system of a subscriber site. Extranet IP-VPN (IP-VPN) service providing system in MPLS-based network that connects multiple subscriber sites in which firewall system, extranet server and extranet client system are distributed. To A first to create a VPN routing / forwarding table for the extranet on the first network edge device connected to the firewall system, the second network edge device connected to the extranet server side, and the third network edge device connected to the extranet client system side, respectively; step; The VPN routing / forwarding table of the first network edge device simultaneously has the route information (RT) values of other second and third network edge devices, and the VPN routing / forwarding table of the second and third network edge devices is itself and the first network. A second step of allocating so as to have only route information (RT) of the edge device; And, A computer-readable recording medium having recorded thereon a program that executes the third step of allocating a VPN label to distinguish an exit connection to an Ettanet host.