
TWI300662B - - Google Patents


Info

Publication number
TWI300662B
Authority
TW
Taiwan
Prior art keywords
local
external
agent
mobile
network
Prior art date
Application number
TW93123263A
Other languages
Chinese (zh)
Other versions
TW200607293A (en)
Inventor
Jyh Cheng Chen
Li Wei Lin
Yi Wen Liu
Original Assignee
Zyxel Communications Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zyxel Communications Corp
Priority to TW093123263A (TW200607293A)
Priority to JP2005110465A (JP4510682B2)
Publication of TW200607293A
Application granted
Publication of TWI300662B

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Description

1300662

[Technical Field]

The present invention is a dynamic home agent assignment method and system for a mobile VPN (Mobile Virtual Private Network), and in particular a method and system that, in a VPN built on the Internet Protocol Security (IPsec) architecture, can dynamically assign an external agent to provide registration for a mobile node.

[Prior Art]

A Virtual Private Network (hereinafter VPN) uses a wide area network (such as the Internet) to establish a dedicated network channel between a remote user's computer and a server on a local network, carrying data with the same security as inside a closed private local area network.

To ensure security, a VPN has the following basic requirements:

1. User authentication: the VPN must be able to verify the identity of users and strictly control access so that only registered, authorized users can log in.
2. Address management: the VPN must be able to assign addresses on the private network to users and ensure address security.
3. Data encryption: data transmitted over the Internet must be encrypted so that other unauthorized users on the Internet cannot read it.
4. Key management: the VPN must be able to generate and update the encryption keys of the client computer and the server.
5. Support for multiple protocols: the VPN must be able to support the basic protocols commonly used on the Internet, including IP, IPX, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), IPsec (Internet Protocol Security) and so on.

The Internet Protocol (IP) is the communication protocol used to transmit data over a computer network such as the Internet, but IP itself defines no security mechanism. Therefore, the Internet Engineering Task Force (hereinafter IETF) defined in its "Request for Comments (RFC)" 2401 standard the IPsec protocol, a method of encrypting IP traffic that protects network communications against data modification, third-party inspection, spoofing, capture and replay.

With the rapid development of wireless network technology, how to build a mobile VPN over wireless transmission networks has become an important research topic, and for mobile (Mobile) VPNs using wireless technology the IETF has defined the Mobile IPv4 (IETF RFC 3344) protocol standard; however, some problems in the Mobile IPv4 standard still need to be solved.

For example, when a mobile node (Mobile Node, hereinafter MN), such as a portable computer fitted with wireless network equipment, roams within an internal network (Intranet), a home agent (Home Agent, HA) assigns it a mobile IP (Mobile IP, hereinafter MIP). When the MN roams from the internal network to an external network (Internet), for example at home or at a branch office, the MN goes through a local foreign agent (Foreign Agent, FA) into an IPsec-secured VPN gateway (VPN Gateway) to register with the home agent (HA), so that the VPN gateway establishes an IPsec tunnel to the foreign agent (FA).

The MN obtains a new care-of address (Care of Address, hereinafter CoA) in the external network it roams into, and requires the VPN gateway to update the IPsec tunnel each time the MN roams to a new subnet. However, all data packets entering the VPN gateway are encrypted under the IPsec security standard, and the foreign agent (FA) cannot decrypt those encrypted packets, so the foreign agent (FA) cannot forward the IP messages.

To solve this problem, the IETF Mobile IPv4 Working Group (WG) proposed a method that uses a fixed mechanism (Mechanism) to support VPN users with International Seamless Roaming (ISR). In this method the home agent (HA) in the internal network is defined as an internal home agent (Internal Home Agent, hereinafter i-HA), and an external home agent (External Home Agent, hereinafter x-HA) is built in the external network (External Network); the i-HA manages (Mobility Management) the roaming status of the MN within the internal network, while the x-HA manages the roaming status of the MN when it roams to the external network.

The additional x-HA can wrap the established IPsec tunnel inside an x-MIP tunnel without any change to the established IPsec tunnel. Therefore, when the MN obtains a new CoA from the VPN gateway, the IPsec tunnel established by the VPN gateway is not torn down, and the external agent (FA) can decrypt the x-MIP messages, so this method requires no modification of the Mobile IPv4 standard or the IPsec standard and changes only the care-of address (CoA) that a mobile node must have.

The first figure is a schematic of the mobile VPN standard architecture defined by the IETF. In the first figure, an MN 1 roams within an internal network 10 through an i-HA 11; when the MN 1 moves from the internal network 10 to an external network 20, the MN 1 must register with an x-HA 21 to obtain a new CoA, and the x-HA 21 then requests a VPN gateway 22 to establish an IPsec tunnel to the x-HA 21. Finally, the VPN gateway 22 registers the VPN-TIA (VPN Tunnel Inner Address) of the MN 1 with the i-HA 11, so that the established IPsec tunnel is connected to the i-HA 11, forming a virtual private network (VPN) over which the MN can roam in both the external network 20 and the internal network 10.

The second figure is a schematic of the message structure of the tunnel established for this mobile VPN: a tunnel signal data packet 30 for the MN 1 roaming from the internal network 10 to the external network 20. It contains an original data packet (Original Packet) 31; the original packet 31 is wrapped in an internal mobile IP (i-MIP) tunnel message 32 (from the i-HA 11 to the VPN gateway 22); the i-MIP tunnel message 32 is further wrapped in an IPsec tunnel message 33 (from the VPN gateway 22 to the x-HA 21); and the IPsec tunnel message 33 is wrapped in a further external mobile IP (x-MIP) tunnel message 3…

However, in the known IETF method, is the x-HA 21 secure? Since the known IETF method builds a fixed (Static) x-HA 21 in the external network 20, if the external network 20 contains several subnets (Subnet), then where the x-HA 21 is placed will affect the handoff (Handoff) delay between the foreign agent (FA) and the x-HA 21 when roaming between subnets, as well as the end-to-end (End-to-End) delay between roaming subnets. Moreover, since the x-HA 21 sits in an external network 20 that the VPN gateway 22 cannot control, can one trust that the x-HA 21 really meets the IPsec security standard?

Accordingly, to meet the needs of present-day mobile VPNs and to solve the above problems, the inventors of this case, after careful research combined with the application of theory, propose a dynamic agent (x-HA) assignment method and system for a mobile VPN, which can dynamically assign a home agent (HA) close to the MN as the x-HA, so that the handoff (Handoff) delay and end-to-end (End-to-End) delay between roaming networks are minimized while security control is fully integrated; it is a reasonable invention that effectively improves on the above deficiencies.

[Summary of the Invention]

The object of the present invention is to provide a dynamic agent assignment method and system for a mobile VPN that can dynamically assign an external home agent close to the mobile node in the roaming external network as the registration agent of the mobile node, so that when the mobile node roams within the same external network it need only register with that external home agent and need not register again with the home agent in the internal network (the IETF method may also be used). This minimizes the handoff (Handoff) delay and end-to-end (End to End) delay between registrations while roaming, and fully integrates the IPsec security control of the VPN.

To achieve the above object, the present invention mainly provides a dynamic agent assignment method for a mobile VPN which can establish a VPN between at least one external network and an internal network. In this method, when a mobile node first roams in the external network, a DHCP server assigns it an IP address, which the mobile node uses as its care-of address to send a registration request to the external home agent; the external home agent sends an authorization confirmation request message to a foreign AAA server, which fills the network access identifier of at least one external home agent into the authorization confirmation request message and forwards it to a home AAA server. Next, after the home AAA server successfully authenticates the MN, it establishes a security association between the external home agent and the mobile node and generates a home agent request message, which is sent to the external home agent; the external home agent assigns an external home address to the mobile node, sets the external home address and its own address in a home agent answer message, and sends it to the home AAA server. The home AAA server then uses the external home address as the care-of address of the mobile node to register with the internal home agent; once registration is complete, the internal home agent authorizes the home AAA server to send an authorization confirmation answer message to the external home agent. Finally, the external home agent obtains from the authorization confirmation answer message a registration reply message containing the external home address and the home agent address and forwards it to the mobile node. Thereafter, when the mobile node roams in the external network, it can register with the home agent at that home agent address using the external home address.

The present invention further provides a dynamic external agent assignment system for a mobile VPN which can establish a VPN between at least one external network and an internal network. The system comprises, across the internal network and the external network, a VPN gateway, at least one external home agent, an internal home agent, an agent assigner and at least one DHCP server. The internal home agent (i-HA) manages the roaming registration of the mobile node in the internal network; the external home agent (x-HA) manages the roaming registration of the mobile node in the external network; the VPN gateway can establish an Internet Protocol Security (IPsec) tunnel between the internal network and the external home agent; the agent assigner dynamically assigns an external home agent close to the mobile node to handle the mobile node's roaming registration; and the DHCP server lets the mobile node, when it first roams in the external network, use an automatically assigned IP address to perform roaming registration with the external home agent, the AAA server and the internal home agent. Once the IPsec tunnel between the mobile node and the VPN gateway is established, the mobile node need only register with the closest external home agent anywhere within the external network.

[Embodiments]

So that the examiners may further understand the techniques, means and effects adopted by the present invention to achieve its stated objects, please refer to the following detailed description and the accompanying drawings; it is believed that the objects, features and characteristics of the present invention can thereby be understood deeply and concretely. The accompanying drawings, however, are provided for reference and explanation only and are not intended to limit the invention.

Refer to the third figure, which is a schematic of the system architecture of the mobile VPN of the present invention. The present invention mainly dynamically assigns the home agent (HA) closest to a mobile node (MN) 80 in an external network as an external home agent (x-HA) 54, so that the MN 80 registers with that x-HA 54 to complete establishment of the mobile virtual private network (Mobile VPN) IPsec tunnel.

The present invention can use the DHCP server, the AAA (Authentication, Authorization and Accounting) server, the DNS server or similar servers already deployed in the external network domain to dynamically assign the x-HA, selecting the home agent (HA) in the external network closest to the MN 80 to be assigned as the x-HA 54; because the x-HA 54 is closest to the MN 80, the delay between the x-HA 54 and the MN 80 can be minimized. End-to-end handoff (Handoff) between subnets (inter-subnet) in the external network also becomes faster, and another home agent (HA) in the external network can be used for load balancing.

Even so, the most important issue remains the security mechanism of the x-HA 54, so it is preferable to use the AAA server to assign the x-HA 54. For example, the Diameter Base Protocol (IETF RFC 3588) can be adopted as the AAA server, which can not only assign the x-HA but also establish security associations (Security Association, hereinafter SA) between the changing agents (Agents) encountered while roaming, and act as a key distribution center (Key Distribution Center, KDC).

The third figure shows an internal network (Intranet) 40 and at least one external network (Internet) 50. The internal network 40 is a protected private network (Protected Private Network) to which a DHCP server 41 and an interior router (Interior Router) 42 are connected; the interior router 42 connects to a demilitarized zone (DMZ) 60, which is the physical area behind the Internet-facing firewall and in front of the second-layer firewall that protects the back-end systems and data. The DMZ 60 in turn connects a home AAA server (hereinafter AAAH) 61, a VPN gateway 62 and an exterior router (Exterior Router) 51, and the exterior router 51 connects to the external network 50 (Internet).

The internal network 40 may further contain a plurality of subnets (Subnet) 43, each of which connects at least one wireless access point (Wireless Access Point, WAP) 44 to wirelessly connect at least one MN 80. The internal network 40 is further provided with an i-HA 45 and an internal foreign agent (Internal Foreign Agent, hereinafter i-FA) 46; as shown in the third figure, the i-HA 45 is connected on the first subnet (Subnet 1), the i-FA 46 on the second subnet (Subnet 2), and the DHCP server 41 on the third subnet (Subnet 3).

Refer to the fourth and fifth figures together, which are the registration flow chart and timing diagram for the MN 80 roaming within the internal network 40. Since the DHCP server 41 mainly serves to dynamically assign an IP address to each computer in the network, the DHCP server 41 continuously sends out a broadcast query message 100 to detect whether a new computer has connected to the network (S200).

Therefore, when the MN 80 roams to another subnet of the internal network 40, for example from the second subnet (Subnet 2) to the third subnet (Subnet 3), the DHCP server 41 discovers the MN 80, the MN 80 sends an IP address request message 105 to the DHCP server 41, and the DHCP server 41 assigns a new dynamic IP address 110 to the MN 80 (S205).

The MN 80 can then use the new IP address as a care-of address (CoA) to send a registration request (Registration Request, hereinafter Reg-Req) message 115 to the internal home agent (i-HA) 45 (S210). Since the i-HA 45 already knows the MN 80, it performs the registration and replies to the MN 80 with a registration reply (Registration Reply, hereinafter Reg-Reply) message 120 (S215), completing the roaming registration procedure in the internal network.

Refer again to the third figure. The external network (Internet) 50 is an unprotected public network (Unprotected Public Network) which may consist of a plurality of external networks; the third figure shows a first external network and a second external network, each of which may contain a plurality of subnets, and each of which may be connected to a foreign AAA server (Foreign AAA Server, hereinafter AAAF) 53, an x-HA 54, an external foreign agent (External Foreign Agent, hereinafter x-FA) 55, a DHCP server 56 and at least one wireless access point (WAP) 57.

Refer to the sixth figure and the seventh figures A and B together, which are the registration flow chart and timing diagram for the MN 80 roaming in the external network 50. When the MN 80 roams from the internal network 40 to the external network 50, the local DHCP server 56 likewise automatically assigns a dynamic IP address to the MN 80 (S400); the MN 80 uses this IP address as a care-of address (CoA) 300 and sends a Reg-Req message 305 to the x-HA 54 (S405).

The Reg-Req message 305 should contain a home address (Home Address, hereinafter HoA), an HA address, authentication information to be authorized by the AAAH 61, the MN's network access identifier (Network Access Identifier, NAI), and other requests.

In the Reg-Req message 305 received by the x-HA 54, both the HoA and the HA address should be set to 0.0.0.0, indicating that the MN 80 wants to obtain an external home address (External Home Address, hereinafter x-HoA) in the external network. The x-HA 54 therefore generates a feature vector (MIP-Feature-Vector) attribute value pair (Attribute Value Pair, hereinafter AVP) in which the MN 80's home address request (hereinafter Home-Address-Requested), home agent request (hereinafter Home-Agent-Requested) and co-located address request (hereinafter Co-Located-Mobile-Node-Requested) flags (Flag) are set to "1".

The x-HA 54 then places the MIP-Feature-Vector AVP in an authorization confirmation request (AA-Mobile-Node-Request, hereinafter AMR) message 310, takes the necessary information from the Reg-Req message and adds it to the related AVPs, and sends the AMR message 310 to the local AAAF 53 (S410).

The AAAF 53 first checks whether the Home-Agent-Requested flag bit (Flag bit) in the MIP-Feature-Vector AVP is "1". If it is "1", the AAAF 53 asks the AAAH 61 to allow an x-HA 54 in the roaming external network to be assigned as the home agent (HA) of the MN 80; to do so, the AAAF 53 sets a foreign home agent available (hereinafter Foreign-Home-Agent-Available) flag in the MIP-Feature-Vector AVP of the received AMR message 310 and fills the network access identifier (NAI) of at least one candidate x-HA 54 into a candidate home agent host (hereinafter MIP-Candidate-Home-Agent-Host) AVP; the AAAF 53 then forwards the AMR message 310 to the AAAH 61 (S415).

When the AAAH 61 receives the AMR message 310 forwarded by the AAAF 53, it must authorize the Reg-Req message 305 of the MN 80; the AAAH 61 can therefore use a security parameters index (MN-AAA-SPI, Security Parameters Index) set in the AMR message 310 to determine which security policy the MN 80 uses, such as the encryption algorithm and the long-term shared key.

If the AAAH 61 authorizes successfully, it checks whether both the Home-Agent-Requested flag bit and the Foreign-Home-Agent-Available flag bit in the MIP-Feature-Vector AVP of the AMR message 310 are equal to "1". If so, the MN is requesting that an x-HA 54 be dynamically assigned in the external network region it roams in, and the AAAH 61 also establishes a security association (SA) between the x-HA 54 and the MN in the roaming external network region (S420).

For this purpose the AAAH 61 generates key material (Key Materials) of at least 128 random bits, generally called Nonces, from which a session key (Session Key) can be computed to secure the security association (SA).

The MIP-Feature-Vector AVP in the AMR message 310 sent by the x-HA 54 and the AAAF 53 also contains a key request (Key-Requested) between the MN 80 and the home agent (HA). The session key (Session Key) can be securely transmitted to the x-HA 54 through the AAA servers using the Diameter protocol (Diameter Protocol), because the IPsec standard or the Transport Layer Security (TLS) standard (IETF RFC 2246) is mandatorily applied to protect communication data between Diameter nodes (including servers, clients and agents). The session key (Session Key), however, is not passed directly to the MN 80, since that would expose the session key to an unprotected network protocol; the MN 80 is given only the key material (Nonces).

The AAAH 61 therefore generates a home agent request (Home-Agent-MIP-Request, hereinafter HAR) message 315, encapsulates the session key (Session Key) and the Reg-Req message in the related AVPs of the HAR message 315, and sends it through the AAAF 53 to the candidate x-HA 54 (S425); the AAAF 53 here mainly plays the role of a proxy server (Proxy). The x-HA 54 can thus obtain the key material (Nonces) for the x-HA 54 and the MN 80 from the related AVPs in the HAR message 315.

If the HAR message 315 received by the x-HA 54 does not contain the address of the MN 80 (hereinafter MIP-Mobile-Node-Address) AVP, and the Home-Agent-Address-Requested flag bit in the MIP-Feature-Vector AVP is set to "1", the x-HA 54 automatically assigns an x-HoA to the MN 80 and sets it in the MIP-Mobile-Node-Address AVP, and the x-HA 54 automatically sets its own address in the MIP-Home-Agent-Address AVP.

Page 17 1300662 V. Description of the Invention (14)

Next, the x-HA 54 stores the session key shared between the MN 80 and the x-HA 54, copies the nonces into a registration reply (Reg-Reply), and then generates a Home-Agent-MIP-Answer (hereinafter HAA) message 320, which is sent through the AAAF 53 back to the AAAH 61 (S430). The HAA message 320 includes at least a registration-reply AVP (hereinafter MIP-Reg-Reply) carrying the nonces, a Result-Code AVP, a MIP-Mobile-Node-Address AVP carrying the x-HoA of the MN 80, and a MIP-Home-Agent-Address AVP carrying the address of the x-HA 54.

After the AAAH 61 receives the HAA message 320 sent by the x-HA 54 through the AAAF 53, the AAAH 61 obtains the x-HoA of the MN 80 from the MIP-Mobile-Node-Address AVP and the address of the x-HA 54 from the MIP-Home-Agent-Address AVP. The AAAH 61 then builds a new HAR message 325, fills the x-HoA and the x-HA address into the MIP-Mobile-Node-Address and MIP-Home-Agent-Address AVPs respectively, and sends the HAR message 325 to the i-HA 45 for registration (S435).

When the i-HA 45 receives the HAR message 325 and obtains the x-HoA from its AVP, it registers the obtained x-HoA address as the public CoA of the MN 80; having acknowledged the HAR message 325, the i-HA 45 builds a new HAA message 330 and sends it to the AAAH 61 (S440).

Then, after the AAAH 61 receives the HAA message 330 sent by the i-HA 45, its Result-Code AVP shows that authorization succeeded. The AAAH 61 therefore builds an AA-Mobile-Node-Answer (hereinafter AMA) message 335 and sends it through the AAAF 53 to the x-HA 54 (S445). The AMA message 335 includes a DIAMETER success Result-Code, the MIP-Home-Agent-Address AVP, the MIP-Mobile-Node-Address AVP and the MIP-Reg-Reply AVP, these AVPs being copied from the received HAA message 330.

When the x-HA 54 receives the AMA message 335 from the AAAH 61 and its Result-Code AVP shows that authorization succeeded, the x-HA 54 obtains a Reg-Reply message 340 from the MIP-Reg-Reply AVP of the AMA message 335 and forwards the Reg-Reply message 340 to the MN 80 (S450). Otherwise the x-HA 54 silently discards the AMA message 335.

Once the MN 80 receives the Reg-Reply message 340, the MN 80 obtains the new x-HoA, the x-HA address and the nonces; the MN 80 then computes the correct session key from the received nonces using the same hash algorithm and long-term shared key as the AAAH 61.

Therefore, once the MN 80 has been authorized by the AAAH 61 and registered with the x-HA 54 and the i-HA 45 under the Mobile IPv4 security standard, it can use the x-HoA to connect to the VPN gateway and establish an IPsec tunnel 345 between the MN 80 and the VPN gateway (S455), restoring communication as secure as within the internal network.

After the assignment of the x-HA 54 is completed, the security associations (SAs) between the local home agents (HAs) in the visited external network will also have been established. From then on the MN 80 can register directly with the local x-HA 54 using the MIPv4 standard without going through the AAA server again; that is, when the MN 80 obtains a new care-of address (CoA) within the external network, it only needs to register with the assigned x-HA 54, just as when roaming within the internal network, and no longer has to register with the i-HA 45. Nor does the IPsec tunnel need to be rebuilt within the same external network. The session key does have a lifetime, however; when it expires, a new session key must still be generated through the Diameter-based AAA server. Also, if the MN 80 moves on to another external network and must request registration from a new local x-HA there, the whole process above is executed again, the x-HA is assigned again, and the IPsec tunnel is rebuilt.

Accordingly, through the technique disclosed above, the present invention provides a way to replace a static x-HA with a dynamically assigned x-HA, so that both the home-agent (HA) handoff delay and the end-to-end delay during roaming are significantly reduced. Moreover, since the invention uses Diameter MIPv4 to establish the security association (SA) between the home agents (HAs) involved in the handoff, the x-HA can be trusted, and registration with the x-HA and with the i-HA is completed at the same time. The present invention thus realizes a mobile VPN system platform that differs markedly from conventional designs and raises the overall value in use; not having appeared in any publication or public use before this application, it meets the requirements for an invention patent, and an application for an invention patent is hereby filed according to law.

The drawings and descriptions disclosed above are, however, only embodiments of the present invention; those skilled in the art may make various other improvements based on the above description, and such changes still fall within the inventive spirit of the present invention and the scope of the claims defined below.
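The x-HA assignment exchange of steps S425 to S450 above (and the method of the claims), as an added example that is not part of the patent: a small Python model in which Diameter messages are plain dicts keyed by AVP name, the AAAF proxy is a pass-through, the session key is derived as HMAC-SHA256 over the nonce with the long-term shared key (the text names only "the same hash algorithm and long-term shared key", so the derivation is an assumption), and all addresses and the NAI are constructed sample values.

```python
import hashlib
import hmac
import os

# Diameter Result-Code for success (RFC 3588); anything else is treated as a failure here.
DIAMETER_SUCCESS = 2001


def derive_session_key(longterm_shared_key: bytes, nonce: bytes) -> bytes:
    """Assumed derivation: HMAC-SHA256 keyed with the long-term key over the nonce.
    The AAAH and the MN both run it; the x-HA gets the finished key and never the long-term key."""
    return hmac.new(longterm_shared_key, nonce, hashlib.sha256).digest()


def aaah_build_har(nonce: bytes, session_key: bytes, reg_req: dict) -> dict:
    """HAR 315: session key plus Reg-Req for the candidate x-HA. The MN address is left
    out and Home-Agent-Address-Requested is set, so the x-HA must allocate an x-HoA."""
    return {"MIP-Feature-Vector": {"Home-Agent-Address-Requested": 1},
            "MIP-Reg-Request": reg_req,
            "MIP-Session-Key": session_key,  # protected hop by hop by TLS, never sent to the MN
            "Nonce": nonce}                  # the only key material the MN will ever see


class ExternalHomeAgent:
    """x-HA 54: allocates x-HoAs, stores per-MN session keys, forwards Reg-Reply."""

    def __init__(self, address: str, hoa_pool: list):
        self.address = address
        self.hoa_pool = list(hoa_pool)  # constructed sample addresses
        self.session_keys = {}          # x-HoA -> session key shared with that MN

    def handle_har(self, har: dict) -> dict:
        """Builds HAA 320 (S430)."""
        hoa = har.get("MIP-Mobile-Node-Address")
        if hoa is None and har["MIP-Feature-Vector"].get("Home-Agent-Address-Requested") == 1:
            hoa = self.hoa_pool.pop(0)
        self.session_keys[hoa] = har["MIP-Session-Key"]
        reg_reply = dict(har["MIP-Reg-Request"], nonce=har["Nonce"],
                         home_address=hoa, home_agent=self.address)
        return {"Result-Code": DIAMETER_SUCCESS, "MIP-Reg-Reply": reg_reply,
                "MIP-Mobile-Node-Address": hoa, "MIP-Home-Agent-Address": self.address}

    def handle_ama(self, ama: dict):
        """Returns Reg-Reply 340 for the MN, or None: a non-success AMA is silently dropped."""
        if ama.get("Result-Code") != DIAMETER_SUCCESS:
            return None
        return ama["MIP-Reg-Reply"]


class InternalHomeAgent:
    """i-HA 45: records the assigned x-HoA as the MN's public CoA."""

    def __init__(self):
        self.bindings = {}  # MN NAI -> public CoA

    def handle_har(self, har: dict) -> dict:
        """Builds HAA 330 (S440) after registering the binding."""
        self.bindings[har["User-Name"]] = har["MIP-Mobile-Node-Address"]
        return {"Result-Code": DIAMETER_SUCCESS, "MIP-Reg-Reply": har["MIP-Reg-Reply"],
                "MIP-Mobile-Node-Address": har["MIP-Mobile-Node-Address"],
                "MIP-Home-Agent-Address": har["MIP-Home-Agent-Address"]}


def run_exchange(longterm_shared_key: bytes, mn_nai: str,
                 xha: ExternalHomeAgent, iha: InternalHomeAgent) -> dict:
    """Drives S425-S450 (the AAAF proxy is a pass-through here) and reports the outcome."""
    nonce = os.urandom(16)                                          # 128-bit key material
    session_key = derive_session_key(longterm_shared_key, nonce)   # AAAH side
    haa320 = xha.handle_har(aaah_build_har(nonce, session_key, {"User-Name": mn_nai}))
    har325 = {"User-Name": mn_nai, "MIP-Reg-Reply": haa320["MIP-Reg-Reply"],
              "MIP-Mobile-Node-Address": haa320["MIP-Mobile-Node-Address"],
              "MIP-Home-Agent-Address": haa320["MIP-Home-Agent-Address"]}
    haa330 = iha.handle_har(har325)
    ama335 = dict(haa330)            # AAAH copies Result-Code and the MIP AVPs into the AMA
    reg_reply340 = xha.handle_ama(ama335)
    if reg_reply340 is None:
        return {"registered": False}
    # MN side: recompute the session key from the nonce and the long-term shared key.
    mn_key = derive_session_key(longterm_shared_key, reg_reply340["nonce"])
    return {"registered": True, "x_hoa": reg_reply340["home_address"],
            "xha_address": reg_reply340["home_agent"],
            "keys_match": mn_key == xha.session_keys[reg_reply340["home_address"]],
            "iha_coa": iha.bindings[mn_nai]}
```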

Page 21 1300662 Brief Description of the Drawings

[Brief Description of the Drawings]
Fig. 1 is a schematic diagram of the mobile VPN standard architecture defined by the IETF;
Fig. 2 is a schematic diagram of the message structure of the tunnels established by the mobile VPN;
Fig. 3 is a schematic diagram of the system architecture of the mobile VPN of the present invention;
Fig. 4 is a flowchart of the registration of the MN roaming in the internal network;
Fig. 5 is a timing diagram of the MN roaming in the internal network;
Fig. 6 is a flowchart of the registration of the MN roaming in the external network; and
Figs. 7A and 7B are timing diagrams of the MN roaming in the external network.

[Description of the Main Component Symbols]
1 Mobile node (MN)
11 Internal home agent (i-HA)
10 Internal network
20 External network
21 External home agent (x-HA)
22 VPN gateway
30 Tunnel signalling data packet
31 Original data packet
32 Internal Mobile IP tunnel message
33 IPsec tunnel message
34 External Mobile IP tunnel message
80 Mobile node (MN)
54 External home agent (x-HA)
40 Internal network
41 DHCP server
42 Internal router
43 Subnet
44 Wireless base station
45 Internal home agent (i-HA)
46 Internal foreign agent (i-FA)
50 External network
51 External router
53 Foreign AAA server (AAAF)
55 External foreign agent (x-FA)
56 DHCP server
57 Wireless base station
60 Unregulated zone (DMZ)
61 Home AAA server (AAAH)
62 VPN gateway

Claims (1)

1300662 VI. Claims

1. A dynamic agent assignment method for a mobile VPN, which establishes a virtual private network (VPN) between at least one external network and an internal network so that at least one mobile node (MN) can roam securely in the external network, the method comprising:
when the mobile node roams in the external network for the first time, assigning a care-of address to the mobile node so that the mobile node can send a registration request message to a local external home agent, the registration request including an external home address request and a home agent address request;
the external home agent sending an authorization confirmation request message to a foreign AAA server, so that the foreign AAA server fills the network access identifier (NAI) of at least one candidate external home agent into the authorization confirmation request message and forwards it to a home AAA server;
the home AAA server establishing security associations among the external home agent, the external foreign agent and the mobile node, and generating a home agent request message that is sent to the external home agent;
the external home agent assigning an external home address to the mobile node, setting the external home address and its own address in a home agent answer message, and sending it to the home AAA server;
the home AAA server using the external home address as the care-of address of the mobile node to register with the internal home agent, after which the internal home agent authorizes the home AAA server to send an authorization confirmation answer message to the external foreign agent; and
the external foreign agent obtaining, from the authorization confirmation answer message, a registration reply message containing the external home address and the home agent address and forwarding it to the mobile node, after which the mobile node need only register with that home agent while in the external network.

2. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein the mobile node may be a mobile computer equipped with a wireless network device.

3. The dynamic agent assignment method for a mobile VPN according to claim 1, further comprising, before the step in which the mobile node roams in the external network for the first time:
the DHCP server continuously sending an advertisement message into the external network to query whether any mobile node is roaming in the network, and if so automatically assigning a dynamic IP address to the mobile node; and
the mobile node using that IP address as the care-of address (CoA) in order to send the registration request to the external home agent.

4. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein the registration request message further includes authentication information to be authorized by the home AAA server and a network access identifier (NAI) of the mobile node.

5. The dynamic agent assignment method for a mobile VPN according to claim 1, further comprising, after the step in which the mobile node roams in the external network for the first time:
the external foreign agent, after receiving the registration request message, generating a MIP-Feature-Vector attribute value pair in which the home address request flag of the mobile node and the home agent request flag are set; and
setting the feature vector attribute value pair in the authorization confirmation request message.

6. The dynamic agent assignment method for a mobile VPN according to claim 1, further comprising, after the step in which the external home agent sends the authorization confirmation request message:
the home AAA server, after receiving the authorization confirmation request forwarded by the foreign AAA server, determining from an MN-AAA Security Parameters Index set in the authorization confirmation request which security policy the mobile node uses for authorization and authentication.

7. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein the step in which the home AAA server establishes the security associations further comprises:
the home AAA server generating random key material of at least 128 bits, from which a session key can be computed to ensure the security of the security association; and
setting the session key in the home agent request message.

8. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein, in the step in which the home AAA server establishes the security associations, the home agent request message is sent to the external home agent through the foreign AAA server.

9. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein, in the step in which the home AAA server establishes the security associations, the home agent request message contains the key material and the session key shared between the mobile node and the external home agent.

10. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein, in the step in which the external home agent assigns an external home address to the mobile node, the home agent answer message is sent to the home AAA server through the foreign AAA server.

11. The dynamic agent assignment method for a mobile VPN according to claim 1, wherein the step in which the external home agent forwards the registration reply message to the mobile node further comprises:
the mobile node using the external home address to connect to a VPN gateway, so that an IPsec tunnel is established between the mobile node and the VPN gateway.

12. A dynamic external agent assignment system for a mobile VPN, which establishes a virtual private network (VPN) between at least one external network and an internal network so that at least one mobile node (MN) can roam securely in the external network, the system comprising:
an internal home agent (i-HA), located in the internal network, for managing the roaming registration of the mobile node in the internal network;
at least one external home agent (x-HA), located in the external network, for managing the roaming registration of the mobile node in the external network;
TW093123263A 2004-08-03 2004-08-03 Method and system for dynamically assigning agent of mobile VPN TW200607293A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW093123263A TW200607293A (en) 2004-08-03 2004-08-03 Method and system for dynamically assigning agent of mobile VPN
JP2005110465A JP4510682B2 (en) 2004-08-03 2005-04-07 Method and apparatus for dynamically assigning mobile VPN agents

Publications (2)

Publication Number Publication Date
TW200607293A TW200607293A (en) 2006-02-16
TWI300662B true TWI300662B (en) 2008-09-01

Family

ID=36539071

Country Status (2)

Country Link
JP (1) JP4510682B2 (en)
TW (1) TW200607293A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI395446B (en) * 2009-09-09 2013-05-01 Univ Nat Chiao Tung Cross-layer address mapping method for proxy mobile internet protocal

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100667502B1 (en) * 2005-03-28 2007-01-10 주식회사 케이티프리텔 Virtual private network connection method of mobile node using mobile IP
KR100763522B1 (en) 2006-11-15 2007-10-04 한국전자통신연구원 Internet Protocol Handoff Processing Method in Network System
KR100862192B1 (en) 2006-12-11 2008-10-09 한국전자통신연구원 Mobile network system and method for processing IP handoff thereof
US8559321B2 (en) 2007-06-08 2013-10-15 Qualcomm Incorporated Mobile IP home agent discovery
CN101779482B (en) 2007-08-13 2014-01-22 苹果公司 New diameter signaling for mobile ipv4
CN101527740B (en) * 2009-05-05 2011-08-03 杭州华三通信技术有限公司 Dynamic address allocation method, device and system thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4201466B2 (en) * 2000-07-26 2008-12-24 富士通株式会社 VPN system and VPN setting method in mobile IP network
JP4270888B2 (en) * 2003-01-14 2009-06-03 パナソニック株式会社 Service and address management method in WLAN interconnection

Also Published As

Publication number Publication date
TW200607293A (en) 2006-02-16
JP4510682B2 (en) 2010-07-28
JP2006121647A (en) 2006-05-11

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees