
WO2007109963A1 - A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method - Google Patents


Info

Publication number: WO2007109963A1
Authority: WO (WIPO (PCT))
Prior art keywords: ipv6, address, vpn, ipv4, network
Legal status: Ceased
Application number: PCT/CN2007/000446
Other languages: French (fr), Chinese (zh)
Inventors: Hongke Zhang, Gang Cheng, Bin Zheng, Hui Zhang
Current assignee: Huawei Technologies Co Ltd; Beijing Jiaotong University
Original assignee: Huawei Technologies Co Ltd; Beijing Jiaotong University
Application filed by Huawei Technologies Co Ltd and Beijing Jiaotong University


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H04W 80/045 Network layer protocols, e.g. mobile IP [Internet Protocol] involving different protocol versions, e.g. MIPv4 and MIPv6

Definitions

  • the present invention relates to the field of network communication technologies, and in particular to a technology for implementing a mobile VPN.

Background of the invention
  • Mobile VPN: mobile Virtual Private Network
  • the mobile node (MN) supporting the VPN maintains communication with the VPN internal node by establishing a tunnel with the VPN gateway on the external network.
  • IPsec VPN: IP security protocol (IPsec) VPN
  • IPsec: IP security protocol
  • if the mobile node obtains a configured care-of address on the external network, it can complete registration with the home agent in the VPN by establishing an IPsec tunnel with the VPN gateway, but the mobile node must renegotiate with the VPN gateway every time the configured care-of address changes.
  • renegotiating the IPsec tunnel in this case increases the delay of network switching and reduces the mobility of the node when the node moves frequently.
  • x-HA indicates the home agent set up in the external network.
  • External Internet: the external network
  • Mobile IPv4 is supported in the Internet (the external network).
  • Home Net: home network
  • Foreign Net: foreign network supporting Mobile IPv4.
  • after the mobile node moves to the external network and obtains a care-of address, it first registers with the external home agent and obtains an x-HoA (external home address); it then uses the external home address to perform IKE (Internet Key Exchange) negotiation with the VPN gateway to set up the IPsec tunnel, and registers with the home agent inside the VPN through the IPsec tunnel, so that the mobile node can communicate with the VPN internal network node.
  • IKE: Internet Key Exchange
  • the following takes the case where the external network of the mobile node is configured with an x-FA (foreign agent of the external network) as an example to describe the registration process of the mobile node and the way the data packet is encapsulated.
  • after the mobile node enters an external network configured with an external home agent, it obtains the foreign agent care-of address; at the same time, the mobile node also needs to send a standard mobile IPv4 registration request to the external home agent and to the internal home agent;
  • since the mobile node is located in the external network, it can only receive the registration response from the external home agent; according to the response message, the mobile node obtains the x-HoA assigned by the external home agent and uses it as its care-of address on the external network.
  • the mobile node uses the obtained x-HoA as the endpoint address of the IKE negotiation and IPsec tunnel to establish a tunnel with the VPN gateway; during the negotiation with the VPN gateway, the VPN gateway assigns a VPN-TIA (VPN tunnel internal address) to the mobile node;
  • the node uses the VPN-TIA as the care-of address to be registered with the internal home agent, and sends the registration to the internal home agent encapsulated in the IPsec tunnel; after the registration is completed, the mobile node and the communication node inside the VPN can communicate.
  • the communication packet is encapsulated three times. The specific encapsulation result is shown in Figure 2.
  • the outermost x-MIP layer is the mobile IPv4 encapsulation from the mobile node to the external home agent; the middle layer is the IPsec encapsulation from the x-HA to the VPN gateway (VPN GW); the innermost i-MIP layer is the VPN internal mobile IPv4 encapsulation.
  • with the introduction of the external home agent in the above scheme, the VPN network structure becomes more complicated and the maintenance cost increases.
  • the introduction of the external home agent also brings some new problems, such as the location selection problem of the external home agent, and the fact that the external home agent is subject to trust issues.
  • IPsec supporting the MOBIKE (IKEv2 Mobile and Multi-Interface Protocol) protocol is used as the tunneling technology between the mobile node and the VPN gateway to solve the above two problems.
  • MOBIKE: IKEv2 Mobile and Multi-Interface Protocol
  • the MOBIKE is an extension protocol based on IKEv2, which effectively supports the mobility of both ends of the IPsec tunnel communication.
  • IKEv2: IP Security
  • the MOBIKE protocol allows the nodes at both ends of the tunnel to update their IP addresses while maintaining IKE SA and IPsec SAs. That is, the original IPsec tunnel can still be maintained after the node addresses on both ends of the tunnel are changed, without renegotiation.
  • the network structure based on MOBIKE is shown in Figure 3.
  • when the mobile node is located in a foreign network inside the VPN, it uses standard mobile IPv4 to communicate with the home agent and communication node inside the VPN. When the mobile node leaves the VPN internal network and enters the external network, it performs IKE negotiation with the VPN gateway to establish an IPsec tunnel that supports MOBIKE. At the same time, within the VPN, the mobile node and the home agent still maintain a valid mobile IPv4 binding cache, and the mobile node uses the VPN-TIA designated by the VPN gateway as its configured care-of address in the VPN internal network to register with the internal home agent.
  • after the mobile node enters another external network from one external network due to a change of location, it obtains a new mobile IPv4 care-of address. At this point, the mobile node uses the MOBIKE protocol to update the IP addresses of its endpoint in the IKE SA and IPsec SAs, and notifies the VPN gateway to update the IP address of the corresponding SAs. After the address update of the SAs is completed, communication continues over the original IPsec tunnel.
  • embodiments of the present invention provide a VPN gateway, an IPv6 network system, and a system and method for implementing a mobile VPN in a hybrid network, to solve the application problem of the mobile VPN in an IPv4 and IPv6 hybrid network, so that VPN services based on IPv6 networks can be conducted in the existing network scenario.
  • the embodiment of the present invention provides a VPN gateway, which includes an IPv4 packet processing unit, an IPv4 interface, an IPv6 packet processing unit, and an IPv6 interface, where the IPv4 interface is used to perform IPv4 packet exchange with the IPv4 network;
  • the IPv4 packet processing unit is used to perform the IPv4 encapsulation or decapsulation of packets entering it;
  • the IPv6 interface is used to perform IPv6 packet exchange with the IPv6 network;
  • the IPv6 packet processing unit is configured to encapsulate or decapsulate the IPv6 packet.
  • the embodiment of the present invention provides an IPv6 network system, where the system can traverse the IPv4 network and communicate with the IPv6 network inside the VPN through the VPN gateway.
  • the internal interface provided by the VPN gateway is an IPv6 interface and the external interface is an IPv4 interface.
  • the system further includes a tunnel establishment module, configured to establish, between the VPN gateway and the external network, a tunnel that can transmit the VPN packets exchanged between the two networks, where the addresses of the two ends of the tunnel are respectively an IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway;
  • and a packet encapsulation and delivery module, configured to send the VPN packet to be sent to the peer end through the tunnel.
  • the embodiment of the present invention provides a system for implementing a mobile VPN in a hybrid network, including an external network, an IPv4 network, a VPN, and a VPN gateway.
  • the VPN internal network is an IPv6 network; the internal interface provided by the VPN gateway is an IPv6 interface and the external interface is an IPv4 interface.
  • the external network includes an IPv4 external network and an IPv6 external network.
  • the system further includes:
  • a tunnel establishment module, configured to establish a tunnel between the VPN gateway and the external network which can transmit the VPN packets exchanged between the two networks, where the addresses of the two ends of the tunnel are respectively the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway;
  • a packet encapsulation and delivery module, configured to send the VPN packet to be sent to the peer end by using the tunnel.
  • embodiments of the present invention provide a method for implementing a mobile VPN in a hybrid network, where the method is applied to a hybrid network including an IPv4 network and an IPv6 network inside a mobile virtual private network (VPN), and a VPN gateway is set in the hybrid network.
  • the VPN gateway provides an internal interface with an IPv6 address and an external interface with an IPv4 address, and the method includes:
  • establishing a tunnel used to transmit the VPN packets exchanged between the external network and the IPv6 network inside the VPN, where the addresses at both ends of the tunnel are respectively the IPv4 address of the external network and an IPv4 address of the external interface provided by the VPN gateway, and the external network is an IPv4 external network or an IPv6 external network;
  • encapsulating the VPN packet to be transmitted with an IPv4 header and transmitting it through the tunnel, to implement the VPN service in the hybrid network.
  • the embodiment of the present invention implements the mobile VPN service in the IPv4 and IPv6 hybrid network by using the IPv6 in IPv4 tunneling technology, so that the mobile VPN service can still be implemented during the transition from IPv4 networks to IPv6.
  • Figure 1 shows the structure of a mobile VPN configured with an external home agent in an IPv4 environment;
  • FIG. 2 is a schematic diagram of a data packet encapsulation structure;
  • Figure 3 shows the structure of a mobile VPN configured with MOBIKE in an IPv4 environment;
  • FIG. 4 is a schematic structural diagram of a network of a mobile VPN of a hybrid network according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram of the DNS request forwarding process in FIG. 3;
  • FIG. 6 is a schematic diagram of the DNS response forwarding process in FIG. 3.

Mode for carrying out the invention
  • the embodiment of the present invention provides a mobile network structure for the hybrid network, the corresponding device functions in the IPv4-v6 hybrid network, and a method for the mobile node to access the VPN from different types of networks, thereby resolving the issue of updating the mobile node's SA (Security Association) address when the mobile node switches between different types of networks.
  • SA: Security Association
  • the specific embodiment of the present invention uses the "IPv6 island" and "IPv4 ocean" v4-v6 network model as the basic network framework, solves the problem of updating the SA address of the mobile node by introducing the MOBIKE extension protocol, and adopts the IPv6 in IPv4 tunnel technology combined with the method of domain name resolution to enable the mobile node to communicate with the VPN gateway from both the IPv6 network and the IPv4 network, so that the mobile node can communicate with the internal node of the VPN across multiple types of networks.
  • the embodiment of the present invention mainly adopts the idea of IPv6 in IPv4 tunneling technology, and configures a device such as a DNS-ALG (Domain Name Server-Application Layer Gateway) so that a mobile node located in an IPv6 external network can query the IPv6 address of the VPN gateway through the IPv4 network and communicate accordingly. Therefore, when the mobile node is located in the IPv6 external network, it can still communicate with the VPN gateway in the IPv4 network, thereby implementing the mobile VPN service in the hybrid network of IPv4 and IPv6.
  • DNS-ALG: Domain Name Server-Application Layer Gateway
  • the mobile node may be located in the IPv6 internal network (that is, inside the VPN), in the IPv4 external network, or in the IPv6 external network; each situation requires a different communication method, so that the mobile VPN service can be implemented in the hybrid network.
  • when the mobile node switches networks, communication with other nodes is first stopped, and the type of the current network is determined according to the IP address type;
  • querying the VPN gateway address then determines whether the mobile node is located in the internal network or the external network, and an IPsec tunnel is established or the address of the original IPsec SA is updated according to the situation; after completing the corresponding processing, the previous communication is resumed.
  • x-AR: external access router
  • IPv4 and IPv6 dual protocol stacks are set in the DNS-ALG and the DNS server, and the dual protocol stack is set in the VPN gateway. Meanwhile, the x-AR and the VPN gateway need to have the IPv6 in IPv4 tunnel encapsulation and decapsulation processing functions.
  • the corresponding procedure mainly includes the following steps:
  • the IPv6 DNS request sent by the mobile node for the VPN gateway is converted into an IPv4 DNS request by the DNS-ALG, and then forwarded to the IPv4 network;
  • after the IPv4 network returns the IPv4 address of the VPN gateway, the response is first sent to the DNS-ALG;
  • the DNS-ALG adds a specific prefix to the IPv4 address to form an IPv6 address, and finally returns that address to the mobile node;
  • the mobile node constructs data packets according to the returned IPv6 address of the VPN gateway and communicates with the VPN gateway, where the data packets exchanged between the mobile node and the VPN gateway are encapsulated and decapsulated by the IPv6 in IPv4 tunnel to implement communication between nodes of different protocol types.
  • in this way, the interworking of the mobile VPN service can be implemented in the hybrid network.
  • the embodiment of the present invention provides a system for implementing a mobile VPN in a hybrid network, which includes an external network, an IPv4 network, a VPN, and a VPN gateway.
  • the VPN internal network is an IPv6 network; the internal interface provided by the VPN gateway is an IPv6 interface and the external interface is an IPv4 interface.
  • the external network includes an IPv4 external network and an IPv6 external network.
  • the system further includes a tunnel establishment module and a packet encapsulation and transfer module, where:
  • the tunnel establishment module is configured to establish, between the VPN gateway and the external network, a tunnel that can transmit the VPN packets exchanged between the two networks, where the addresses of the two ends of the tunnel are respectively an IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway; that is, IPv4 packets are transmitted through the tunnel;
  • the packet encapsulation and transfer module is configured at the two ends of the tunnel, and is configured to encapsulate the VPN packet to be sent with an IPv4 packet header and send it to the peer end through the tunnel, so that the peer end, whether in the IPv4 network or the IPv6 network, can identify the IPv4 packet and the communication can proceed normally.
  • the IPv6 external network may be implemented by using either of the following two solutions:
  • in the first solution, the IPv6 external network further includes the following functional entities:
  • a DNS-ALG, configured with an IPv4 and IPv6 dual protocol stack, and configured to provide the IPv6 address corresponding to the VPN gateway in the process of performing the VPN service through the IPv6 external network;
  • the DNS in the IPv6 network, whose upper-level DNS is configured to be the DNS-ALG described above;
  • an external access router, configured with an IPv4 and IPv6 dual protocol stack, which is used to encapsulate IPv6 packets in IPv4 packets and to decapsulate the corresponding packets.
  • in the second solution, the IPv6 external network further includes the following functional entities:
  • a DNS-ALG, configured to provide the IPv6 address corresponding to the VPN gateway in the process of performing the VPN service through the IPv6 external network;
  • the DNS in the IPv6 network, whose upper-level DNS is configured to be the DNS-ALG;
  • a NAT-PT entity, used for communication with the external access router, which performs the conversion between the corresponding IPv6 address and IPv4 address of packets passing through it;
  • the external access router, configured to send the packets converted by the NAT-PT entity to the VPN gateway and to receive the packets sent by the VPN gateway.
  • the main difference from the first solution is that the NAT-PT entity is added, thereby simplifying the processing of the external access router.
  • FIG. 4 shows a networking structure of a technical solution for implementing a mobile VPN in an IPv4-v6 hybrid network according to an embodiment of the present invention.
  • the VPN is internally an IPv6 network environment.
  • the external network is the IPv4-based Internet, which also supports Mobile IPv4.
  • External Net IPv4: IPv4 external network supporting Mobile IPv4.
  • External Net IPv6: IPv6 external network supporting Mobile IPv6.
  • the DNS-ALG device is set on the edge of the IPv6 external network, so that the mobile node can obtain the VPN gateway address in the IPv4 network through the domain name query on the IPv6 external network.
  • the IPv6 network further includes a tunnel establishment module and a packet encapsulation transmission module.
  • in the network system shown in Figure 4, the functions of each component device are as follows:
  • the mobile node is configured with an IPv4-v6 dual protocol stack, supports standard MIPv4 (mobile IPv4) / MIPv6 (mobile IPv6), and is configured to support the MOBIKE IPsec protocol;
  • the VPN gateway is set on the path between the internal network and the external network, and provides one interface for communicating with the internal network and one for the external network; the address of the external interface facing the external network is an IPv4 address, and the address of the internal interface facing the internal network is an IPv6 address;
  • an IPv4-v6 dual protocol stack is configured on the VPN gateway, and the VPN gateway supports the IPv6 in IPv4 tunnel (the technology of transmitting IPv6 packets through an IPv4 tunnel); it has an IPv4 packet processing unit, used to encapsulate or decapsulate IPv4 packets, and an IPv6 packet processing unit, used to encapsulate or decapsulate IPv6 packets;
  • the VPN gateway also supports standard MIPv6 (Mobile IPv6 protocol) and supports MOBIKE (the IKEv2 mobile and multi-interface protocol for IPsec);
  • the VPN gateway further includes an IPv4 address allocation unit, configured to allocate a VPN tunnel internal address to a mobile node that has moved to the IPv4 external network, where the address is the care-of address of the mobile node in the home network.
  • DNS-ALG: Domain Name Server - Application Layer Gateway
  • DNS: Domain Name Server
  • the DNS-ALG is configured with an IPv4-v6 dual protocol stack, that is, it supports both the IPv6 and IPv4 protocols; it provides the IPv4 address information of the VPN gateway, converts it to the corresponding IPv6 address by adding a specific prefix to the IPv4 address, and acts as the upper-level DNS of the DNS in the IPv6 network;
  • the DNS in the IPv6 network can be configured with only the IPv6 protocol stack;
  • the external access router (x-AR) is configured with the IPv4-v6 dual protocol stack and performs the IPv6 in IPv4 tunnel encapsulation and decapsulation.
  • the corresponding IP address configuration in the VPN is as follows:
  • the VPN of a traditional IPv4 network is internally configured with a private network address and can only be used inside the VPN.
  • the site local unicast address is very suitable for the application of the VPN. Therefore, in the embodiment of the present invention, the VPN internal network is configured with an IPv6 site local unicast address.
  • the site local unicast address can only be used to transmit data inside the VPN network.
  • the routers in the site can only forward data packets of this address type within the site, and cannot forward them outside the site.
  • the structure of the site local unicast address may be: 1111111011 + 38 bits of "0" + 16-bit subnet identifier + 64-bit interface identifier.
  • the mobile node inside the VPN communicates with the internal home agent and the communication node by using standard mobile IPv6;
  • the corresponding application examples of the VPN service are:
  • the whole internal network is regarded as a common IPv6 network, and the mobility of the mobile node is implemented by mobile IPv6; that is, in the internal home network, the mobile node communicates through the IPv6 routing mechanism; when the mobile node moves out of the home network and enters a mobile IPv6-enabled network, it obtains a mobile IPv6 care-of address through the access router, registers with the home agent and the communication node, and completes the binding update, thereby implementing mobile communication on the internal network.
  • the mobile node outside the VPN supports mobile IPv4, obtains the IPv4 care-of address, performs IKE negotiation with the VPN gateway through the obtained care-of address, and establishes an IPsec tunnel, thereby implementing internal communication with the VPN through the tunnel.
  • the corresponding embodiments of the VPN service processing process specifically include:
  • a mobile node entering an IPv4 external network is assigned an IPv4 foreign agent care-of address or an IPv4 proxy care-of address.
  • after identity authentication with the VPN gateway is completed, the mobile node starts IKE negotiation with the VPN gateway to establish an IPsec tunnel;
  • the addresses at both ends of the tunnel are the care-of address of the mobile node and the IPv4 address of the external interface of the VPN gateway;
  • the VPN gateway assigns a VPN-TIA (VPN tunnel internal address) and advertises the address to the mobile node; after moving out of the internal network, the mobile node still maintains a mobile IPv6 binding cache with the VPN internal home agent or communication node, and the VPN-TIA is the mobile IPv6 care-of address used by the mobile node to register with the internal home agent or communication node.
  • VPN-TIA: VPN tunnel internal address
  • the mobile node does not use the care-of address obtained in the external network as the care-of address registered with the home agent of the internal network, but uses the VPN-TIA as its internal network care-of address; the purpose is to keep the VPN internal home agent and communication node unaffected by changes of the mobile node's care-of address in the external network, reducing the frequent transmission of control information such as registration updates, and avoiding the problem that would be caused by a mobile node that has obtained an IPv4 care-of address registering it with the mobile IPv6 internal home agent.
  • after the IPsec tunnel is established, the mobile node first performs mobile IPv6 encapsulation of the upper layer protocol data packet, with the source address VPN-TIA and the destination address the address of the internal home agent or the communication node; the data packet is then further encapsulated by IPsec, with the source address the external network IPv4 care-of address of the mobile node and the destination address the IPv4 address of the external interface of the VPN gateway.
  • the structure of the packet after the two encapsulations is shown in Table 1, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node on the external network, and the v4/v6 mark in front of each address indicates the address type.
  • the mobile node outside the VPN supports mobile IPv6 and obtains an IPv6 care-of address.
  • the x-AR of the IPv6 external network and the VPN gateway in the IPv4 network use the IPv6 in IPv4 tunnel encapsulation technology to enable the mobile node in the IPv6 external network to communicate with the VPN gateway in the IPv4 network;
  • when the mobile node is located in the IPv6 external network, that is, outside the VPN, the process of communicating with the VPN internal node is as follows: (1) When the mobile node enters an external network supporting mobile IPv6, the access router in that network (that is, the x-AR) provides the wireless interface to the external network, and the mobile node obtains the corresponding IPv6 care-of address so that it can communicate using that IPv6 care-of address;
  • after the mobile node obtains the corresponding IPv6 care-of address, the IPv6 in IPv4 tunneling technology is used to encapsulate and decapsulate IPv6 packets at the x-AR of the IPv6 external network and at the VPN gateway in the IPv4 network respectively, to implement interworking between the IPv4 host and the IPv6 host;
  • IPv6 in IPv4 tunneling technology
  • after the mobile node obtains the IPv6 care-of address, if it communicates with the VPN gateway located in the IPv4 network, the gateway is still unable to process the mobile node's IP packets because of the different address structures at the two ends; IP packets of different versions cannot communicate directly. To this end, the IPv6 packets need to be encapsulated in IPv4 so that the peer VPN gateway can identify the received packets.
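As an added illustration (not code from the patent), the IPv6 in IPv4 encapsulation that the x-AR and the VPN gateway perform on the wire, in Python: the outer IPv4 header carries protocol number 41 with the two tunnel endpoints as source and destination, and the receiving end validates the outer header before handing the inner IPv6 packet inward. The care-of address 2001:db8:ace::1, the x-AR tunnel address 198.51.100.7 and the payload are constructed sample values; 200.0.0.1 and 5ef0:3248::200.0.0.1 are the addresses used on this page.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet (RFC 4213)
IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, zero traffic class and flow label, hop limit 64) plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(ipv6_packet: bytes, tunnel_src: str, tunnel_dst: str, ttl: int = 64) -> bytes:
    """Tunnel entry (the x-AR): prepend an IPv4 header whose addresses are the two tunnel endpoints."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HDR_LEN + len(ipv6_packet),  # version 4, IHL 5, DSCP/ECN 0, total length
        0, 0x4000,                                 # identification 0, DF set, fragment offset 0
        ttl, IPPROTO_IPV6, 0,                      # TTL, protocol 41, checksum placeholder
        ipaddress.IPv4Address(tunnel_src).packed,
        ipaddress.IPv4Address(tunnel_dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + ipv6_packet


def decapsulate(ipv4_packet: bytes, local_endpoint: str):
    """Tunnel exit (the VPN gateway): validate the outer header, return (inner packet, src6, dst6).

    Anything that is not a well-formed IPv6 in IPv4 packet addressed to this endpoint raises
    ValueError, so malformed or mis-addressed tunnel traffic is dropped rather than forwarded inward."""
    if len(ipv4_packet) < IPV4_HDR_LEN or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ihl < IPV4_HDR_LEN or len(ipv4_packet) < ihl:
        raise ValueError("bad IPv4 header length")
    outer = ipv4_packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", outer[2:4])[0]
    if total_len > len(ipv4_packet) or total_len < ihl + IPV6_HDR_LEN:
        raise ValueError("bad IPv4 total length")
    if outer[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol %d is not IPv6 in IPv4" % outer[9])
    if ipaddress.IPv4Address(outer[16:20]) != ipaddress.IPv4Address(local_endpoint):
        raise ValueError("tunnel packet is not addressed to this endpoint")
    inner = ipv4_packet[ihl:total_len]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len = struct.unpack("!H", inner[4:6])[0]
    if len(inner) != IPV6_HDR_LEN + payload_len:
        raise ValueError("inner IPv6 payload length mismatch")
    return inner, ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])


def is_rejected(ipv4_packet: bytes, local_endpoint: str) -> bool:
    """True when the tunnel exit drops the packet (shows that tampered or stray packets are caught)."""
    try:
        decapsulate(ipv4_packet, local_endpoint)
    except ValueError:
        return True
    return False


# Constructed sample values: the mobile node's IPv6 care-of address, the x-AR's IPv4 tunnel
# address and a stand-in payload. 200.0.0.1 and 5ef0:3248::200.0.0.1 are the page's addresses.
MN_COA6 = "2001:db8:ace::1"
VPN_GW6 = "5ef0:3248::200.0.0.1"
XAR_V4 = "198.51.100.7"
VPN_GW_V4 = "200.0.0.1"
IPPROTO_UDP = 17


def tunnel_round_trip():
    """Build the inner IPv6 packet, wrap it at the x-AR, unwrap and check it at the VPN gateway."""
    inner = build_ipv6_packet(MN_COA6, VPN_GW6, IPPROTO_UDP, b"ike-init-placeholder")
    on_wire = encapsulate(inner, XAR_V4, VPN_GW_V4)
    return inner, on_wire, decapsulate(on_wire, VPN_GW_V4)


if __name__ == "__main__":
    inner, wire, (got, src6, dst6) = tunnel_round_trip()
    print("outer protocol", wire[9], "inner intact", got == inner, src6, "->", dst6)
```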
  • the basis for establishing communication between the IPv4 host and the IPv6 host is association by domain name. That is, the mobile node does not need to know whether the VPN gateway it needs to communicate with has an IPv4 address or an IPv6 address, but only needs to know the FQDN (Fully Qualified Domain Name) of the VPN gateway. In this way, after the domain name is resolved, the communication address of the VPN gateway can be obtained, and the corresponding data packets can be constructed to implement communication with each other.
  • FQDN: Fully Qualified Domain Name
  • the specific processing procedure of the VPN gateway domain name resolution through the DNS includes two processing stages: the domain name resolution request and the domain name resolution response.
  • the main processing of the request stage includes:
  • the mobile node sends a DNS request to the DNS server in the IPv6 site, that is, sends a DNS request ("AAAA") to the corresponding IPv6 DNS server to request resolution of the FQDN of the destination host, in order to obtain the address information of the VPN gateway;
  • for the IPv6 host that initiates the communication (that is, the mobile node MN), it does not know whether the communication partner is an IPv4 host or an IPv6 host; the mobile node only has the FQDN of the destination host (the VPN gateway), for example ww.vpngw.com, and therefore it needs to obtain the address of the VPN gateway through the domain name resolution request.
  • VPN gateway FQDN, for example: ww.vpngw.com
  • the DNS server of the IPv6 site receives the DNS request of the mobile node; since the requested name is actually the FQDN of the VPN gateway in the IPv4 network, the DNS server cannot resolve the domain name and forwards the request to the upper-level DNS server.
  • the address of the upper-level DNS server configured in the DNS server is the address of the intra-site DNS-ALG, and therefore the DNS request sent by the mobile node MN is forwarded by the DNS server to the DNS-ALG;
  • the DNS-ALG holds the DNS server address of the IPv4 network.
  • the DNS-ALG determines, according to its stored DNS server list, the address of the DNS server for the VPN gateway; because the external interface of the VPN gateway of the internal network is an IPv4 interface, the corresponding address is an IPv4 address and the corresponding DNS server is a DNS server in the IPv4 network. Therefore, this IPv6 DNS request needs to be converted into an IPv4 DNS request ("A") and sent to the DNS server of the IPv4 network;
  • since the DNS-ALG is connected to the x-AR, the DNS-ALG sends the IPv4 DNS request to the x-AR first, and then the x-AR sends it on to the IPv4 network.
  • the corresponding domain name resolution response process, that is, the DNS response forwarding process, is shown in FIG. 6.
  • after receiving the request, the DNS server in the IPv4 network returns a DNS response, and the response message includes the IPv4 address of the VPN gateway; the response message is then returned to the mobile node in the IPv6 network.
  • the specific DNS response process includes the following processing:
  • the DNS-ALG in the IPv6 network receives the DNS response from the DNS server of the IPv4 network, the result of which is the IPv4 address of the VPN gateway; the DNS-ALG needs to add a specific address prefix to the VPN gateway address, and packets carrying this prefix are routed to the x-AR;
  • the route for this prefix can be configured and distributed in advance in the routing devices of the IPv6 network.
  • for example, the prefix is 5ef0:3248::/64 and the IPv4 address of the VPN gateway is 200.0.0.1;
  • the DNS-ALG adds this prefix to the IPv4 address of the VPN gateway and returns it, in the form 5ef0:3248::200.0.0.1, to the DNS server in the IPv6 network;
  • the DNS server in the IPv6 network matches the response to the DNS request of the mobile node and writes the returned address to its cache as the address of the VPN gateway, that is, the correspondence between the IPv6 format address of the VPN gateway and its domain name is saved on the DNS in the IPv6 network;
  • this process then need not be repeated, and any host that communicates with the VPN gateway through its domain name can directly obtain the converted address of the VPN gateway, which is an IPv6 address, from the DNS server of the IPv6 network;
  • after the resolution result (that is, the IPv6 address with the specific prefix) is written into the cache, the DNS server also returns the IPv6 address formed from the specific address prefix and the IPv4 address of the VPN gateway to the mobile node, so that the mobile node obtains the address information of the VPN gateway required to carry out the mobile VPN service.
The mobile node can then communicate with nodes in the VPN intranet through data packet conversion and forwarding processing; the corresponding specific communication process includes the following.

The mobile node receives the IPv6 address returned by the DNS server; this address is the VPN gateway's IPv4 address with the specific address prefix added. The mobile node constructs an IPv6 packet with this address as the destination address. IPv6 packets carrying the address prefix are all directed to the X-AR, so the IPv6 packets sent by the mobile node are routed to the X-AR. In the example, the specific address prefix is 5ef0:3248::/64 and the IPv4 address of the VPN gateway is 200.0.0.1.

The X-AR receives an IPv6 packet whose destination prefix is 5ef0:3248::/64, recognizes the prefix as the specific prefix of the DNS-ALG, and then performs IPv6 in IPv4 tunnel encapsulation of the IPv6 packet. The specific encapsulation method is as follows: the X-AR extracts the IPv4 address of the VPN gateway from the destination address field of the IPv6 packet and uses it as the destination address of the IPv4 tunnel header, uses the IPv4 address of the X-AR as the source address of the IPv4 tunnel header, and constructs a new IPv4 packet. The corresponding packet structure after IPv4 tunnel encapsulation is shown in Table 2. The X-AR sends the encapsulated IPv4 data packet to the IPv4 network.

The IPv4 data packet received by the VPN gateway may be a data packet from a mobile node in an IPv4 external network, or an IPv4-encapsulated data packet from a mobile node in the IPv6 external network. To identify the source of the data packet, the VPN gateway examines the next header of the IPv4 packet: if the next header is IPv6, the packet is determined to come from the IPv6 external network and is decapsulated. The decapsulated IPv6 packet is forwarded to other modules for further processing; that processing is the same as for ordinary IPv6 packets and is not described in detail.

When a node inside the VPN needs to send information to a mobile node in an IPv6 external network, the VPN gateway encapsulates the IPv6 packet to be sent to the mobile node in an IPv4 header and sends it to the mobile node through the tunnel between the X-AR and the VPN gateway. The destination address of the IPv4 header encapsulated by the VPN gateway's IPv4 tunnel is the IPv4 address of the X-AR, and the source address is the IPv4 address of the VPN gateway. When the X-AR receives the IPv4 packet, it reads the IPv4 header, finds that the next header is IPv6, decapsulates the IPv4 packet and forwards the decapsulated IPv6 packet to the mobile node. This process can be regarded as the inverse of the process by which the mobile node sends a packet to the VPN gateway.
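The two steps just described, the DNS-ALG's address synthesis (prefix 5ef0:3248::/64 plus 200.0.0.1, both from the description) and the X-AR's IPv6 in IPv4 encapsulation with the gateway's next-header check on receipt, as an added Python example that is not part of the patent or of any product implementing it. The X-AR address 198.51.100.7, the mobile node care-of address 2001:db8:6::1 and the payload are constructed for the example; the header builders are minimal, and protocol number 41 is the standard IPv4 protocol value for an IPv6 payload.

```python
import ipaddress
import struct

# Values taken from the description: the specific prefix that the DNS-ALG
# prepends, and the IPv4 address of the VPN gateway. The X-AR address and the
# mobile node's care-of address are constructed for this example.
DNS_ALG_PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")
VPN_GW_V4 = ipaddress.IPv4Address("200.0.0.1")
X_AR_V4 = ipaddress.IPv4Address("198.51.100.7")        # assumed X-AR address
MN_COA_V6 = ipaddress.IPv6Address("2001:db8:6::1")      # assumed IPv6 care-of address
IPPROTO_IPV6 = 41   # IPv4 protocol number: payload is an IPv6 packet (IPv6 in IPv4)


def synthesize_v6(v4, prefix=DNS_ALG_PREFIX):
    """DNS-ALG: put the IPv4 address in the low 32 bits of the specific prefix."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_v4(v6, prefix=DNS_ALG_PREFIX):
    """X-AR: recover the IPv4 tunnel endpoint; only prefix-routed addresses qualify."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not under {prefix}: not a DNS-ALG synthesized address")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def build_ipv6(src, dst, payload, next_header=59):
    """Fixed 40-byte IPv6 header; 59 (No Next Header) is enough for a demo payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       src.packed, dst.packed) + payload


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a computed checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, proto, 0, src.packed, dst.packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def x_ar_encapsulate(ipv6_packet):
    """X-AR: the IPv6 destination carries the gateway's IPv4 address, so wrap the
    whole IPv6 packet in an IPv4 header (protocol 41) from the X-AR to the gateway."""
    dst_v6 = ipaddress.IPv6Address(ipv6_packet[24:40])
    return build_ipv4(X_AR_V4, extract_v4(dst_v6), IPPROTO_IPV6, ipv6_packet)


def vpn_gw_classify(ipv4_packet):
    """VPN gateway: validate the outer header, then use the protocol field to tell a
    plain IPv4 packet (IPv4 external network) from an IPv6-in-IPv4 tunnel packet
    (IPv6 external network), which is decapsulated and handed on as IPv6."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    header, payload = ipv4_packet[:ihl], ipv4_packet[ihl:]
    if ipv4_packet[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(header) != 0:
        raise ValueError("malformed IPv4 header")
    if header[9] == IPPROTO_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return "ipv6-tunnel", payload
    return "ipv4", payload


def demo():
    """Run the forward path end to end and return the observable results."""
    gw_v6 = synthesize_v6(VPN_GW_V4)                      # what the DNS-ALG returns
    inner = build_ipv6(MN_COA_V6, gw_v6, b"ESP payload")  # what the mobile node sends
    outer = x_ar_encapsulate(inner)                       # what the X-AR forwards
    kind, decapsulated = vpn_gw_classify(outer)           # what the gateway sees
    # A packet from a mobile node in an IPv4 external network (ESP = protocol 50).
    plain = build_ipv4(ipaddress.IPv4Address("203.0.113.5"), VPN_GW_V4, 50, b"esp")
    return {
        "gw_v6": str(gw_v6),
        "outer_proto": outer[9],
        "outer_src": str(ipaddress.IPv4Address(outer[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "kind": kind,
        "inner_intact": decapsulated == inner,
        "plain_kind": vpn_gw_classify(plain)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the synthesized gateway address, the outer header fields the X-AR produced and the gateway's classification. Two checks are the practical caveats to the description: the gateway decides by the IPv4 protocol field and verifies the outer checksum before looking inside, and extract_v4 refuses to build a tunnel toward any destination outside the DNS-ALG prefix, so a stray IPv6 packet cannot make the X-AR relay arbitrary traffic into the IPv4 network.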
When the mobile node is in the IPv6 external network and communicates with a VPN internal node, it needs to establish a tunnel with the VPN gateway; how to establish a tunnel that ensures communication between the IPv6 external network and the VPN interior is the key to implementing VPN communication in a hybrid network. The following is a detailed description of the establishment of the corresponding IPsec tunnel and the forwarding process of the data packets when the mobile node is in the IPv6 external network.

The communication between the mobile node and the VPN gateway uses IKEv2 negotiation supporting MOBIKE to establish an IPsec tunnel, after which the data packets are transmitted with IPsec ESP (IPsec Encapsulating Security Payload) tunnel mode encapsulation. Therefore, for a mobile node in an IPv6 external network to communicate with a VPN internal node, it is necessary to establish an IPsec tunnel whose two ends have IPv4 addresses, that is, a tunnel supporting IPv6 in IPv4 encapsulation and decapsulation, and the IPv6 in IPv4 packet is encapsulated and delivered through this tunnel.

The SPI (Security Parameter Index) destination address entry of the mobile node's SA is the IPv6 address of the VPN gateway, and the SPI destination address entry of the VPN gateway's SA is the IPv6 address of the mobile node. The VPN gateway also obtains its own IPv6 address, that is, the corresponding specific prefix plus its own IPv4 address.
After the IPsec tunnel is established, the data packets are transmitted through the tunnel; the forwarding process of the corresponding data packets is as follows.

The mobile node first performs mobile IPv6 encapsulation of the upper-layer protocol data packet: the source address is the VPN-TIA (VPN Tunnel Inner Address) and the destination address is the address of the node inside the VPN (including the internal home agent or the correspondent node). Then IPsec encapsulation is performed: the source address is the external network IPv6 care-of address of the mobile node and the destination address is the IPv6 address of the external interface of the VPN gateway, which is generated from the VPN gateway's IPv4 address plus the specific prefix. The IPv6 packet after the two encapsulations is shown in Table 3, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node on the external network, and VPN-GW is the IPv6 address with the specific prefix. The v4/v6 flag in front of each address indicates the address type.

The X-AR identifies the IPv6 packet as requiring IPv6 in IPv4 tunnel encapsulation and extracts the IPv4 address of the VPN gateway from the destination address field of the IPv6 packet. The IPv4 packet format after IPv4 tunnel encapsulation is shown in Table 4: the outermost header is the IPv4 header, and the original IPv6 packet is carried in its entirety as the IPv4 payload. In the outermost header, x-AR is the IPv4 address of the access router and VPN-GW is the IPv4 address of the VPN gateway. The tunnel-encapsulated IPv4 packet is forwarded by the X-AR to the IPv4 network.

After receiving the data packet, the VPN gateway first removes the IPv4 tunnel encapsulation, then forwards the packet to the IPsec function module, which removes the IPsec encapsulation and forwards it to the internal home agent or correspondent node, thereby implementing communication between the mobile node and the VPN internal node. The forwarding and conversion of data packets sent by the VPN internal nodes to the mobile node is the reverse of the above steps and is not described here.
The communication between the mobile node and the internal node of the VPN can also be implemented by the following scheme. To implement communication between a host (the mobile node) located in the IPv6 network and a host (the VPN gateway) located in the IPv4 network of an IPv4-v6 hybrid network, refer to the second implementation scheme of the IPv6 external network described above: in addition to the IPv6 in IPv4 tunneling technology, NAT-PT (Network Address Translation - Protocol Translation) technology can also be used. The embodiment of the present invention can also be applied to the IPv4-v6 hybrid network to implement the mobile VPN according to the basic technology and idea of NAT-PT, and a communication scheme between the mobile node located in the IPv6 network and the VPN gateway located in the IPv4 network under this structure is proposed accordingly.

The corresponding NAT-PT entity, that is, the NAT-PT device, needs to be configured at the edge of the IPv6 external network; the NAT-PT and the previously described DNS-ALG can be combined into the same device.

The mobile node still obtains the IPv6 address of the VPN gateway by the domain name query method; the specific query process has been described above and is not repeated here. The IPv6 address is the VPN gateway's IPv4 address plus the specific address prefix. The mobile node constructs a packet with this address as the destination address, and IPv6 packets with the specific address prefix are routed to the NAT-PT by default. The NAT-PT determines from the specific address prefix that the packet is destined for a host in the IPv4 network and therefore performs protocol conversion on the IPv6 packet: the NAT-PT maps the source address of the received IPv6 packet (the care-of address of the mobile node) to an IPv4 address, which becomes the source address of the translated IPv4 packet, and uses the low 32 bits of the destination address as the destination address of the translated IPv4 packet. Each field is converted syntactically and semantically (that is, NAT-PT), and the destination address of the converted IPv4 packet is the IPv4 address of the VPN gateway. The NAT-PT sends the converted IPv4 packets to the X-AR, which then sends them to the IPv4 network.

The process of converting an IPv4 packet into an IPv6 packet is the reverse of the above steps. When the X-AR receives the IPv4 data packet, it first routes it to the NAT-PT; the NAT-PT extracts the destination address of the IPv4 packet, searches the address mapping table, and finds the IPv6 address corresponding to the IPv4 destination address, which becomes the destination address of the IPv6 data packet. The source address of the IPv4 packet, with the prefix added, becomes the source address of the IPv6 packet; the fields of the IPv4 packet are converted syntactically and semantically, and the IPv6 data packet is constructed and finally forwarded to the mobile node.
The process of establishing the tunnel and the process of forwarding data packets when the mobile node in the IPv6 external network communicates with the VPN interior are described in detail below. The tunnel establishment process is as follows.

The initial communication between the mobile node and the VPN gateway is IKEv2 negotiation supporting MOBIKE, which establishes an IPsec tunnel; data packets are then transmitted after IPsec ESP tunnel mode encapsulation. The signaling information of the IKE negotiation and the subsequent IPsec-encapsulated data packets are converted from IPv4 to IPv6 or from IPv6 to IPv4 by the NAT-PT. The SPI destination address entry of the mobile node's SA is the IPv6 address of the VPN gateway, while the SPI destination address entry of the VPN gateway's SA is the IPv4 address of the mobile node; neither party knows that the communication peer is a host of a different network type from its own. This does not affect the establishment of the tunnel and the data transmission between the two parties, and it also brings convenience when mobile nodes switch between different types of external networks: regardless of whether the mobile node is in an IPv4 external network or an IPv6 external network, the VPN gateway always considers the mobile node to be in an IPv4 network.

After the IPsec tunnel is established, the mobile node first performs mobile IPv6 encapsulation of the upper-layer protocol data packet, with the source address VPN-TIA and the destination address the address of the internal home agent or the correspondent node; then IPsec encapsulation is performed, with the source address the external network IPv6 care-of address of the mobile node and the destination address the IPv6 address of the VPN gateway external interface, which is generated from the VPN gateway's IPv4 address plus the specific prefix. The IPv6 packet structure after the two encapsulations for a mobile node located in the IPv6 external network is shown in Table 5, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node on the external network, and VPN-GW is the VPN gateway. The v4/v6 tag in front of each address indicates the address type.

The NAT-PT maps the source address of the received IPv6 packet (the care-of address of the mobile node) to an IPv4 address, which is used as the source address of the translated IPv4 packet, uses the low 32 bits of the destination address as the destination address of the translated IPv4 packet, converts the fields of the IPv6 packet syntactically and semantically, and constructs an IPv4 packet whose destination address is the IPv4 address of the VPN gateway. Table 6 shows the NAT-PT-converted IPv4 packet format; at this point the addresses of the outermost IPsec header have been converted to IPv4 addresses, where x-CoA is the IPv4 care-of address obtained from the mapping of the mobile node's IPv6 care-of address and VPN-GW is the IPv4 address of the VPN gateway. The IPv4 packets are forwarded to the X-AR, which then forwards them to the IPv4 network.

The VPN gateway removes the IPsec encapsulation and forwards the packet to the internal home agent or correspondent node, thereby implementing communication between the mobile node and the VPN internal node. The forwarding and conversion of data packets sent by the VPN internal node to the mobile node is exactly the reverse of the above steps and is not described here.
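The NAT-PT binding and translation logic of this second scheme, as an added Python example that is not code from the patent or from any NAT-PT product. Packets are reduced to the fields NAT-PT rewrites; the IPv4 pool 203.0.113.10 and 203.0.113.11 and the care-of address 2001:db8:6::1 are constructed, while the prefix 5ef0:3248::/64 and the gateway address 5ef0:3248::200.0.0.1 (200.0.0.1 on the IPv4 side) come from the description.

```python
import ipaddress
from dataclasses import dataclass

PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")   # specific prefix from the description
VPN_GW_V4 = "200.0.0.1"                            # VPN gateway IPv4 address from the description
VPN_GW_V6 = "5ef0:3248::200.0.0.1"                 # the address the DNS-ALG hands to the mobile node
MN_COA_V6 = "2001:db8:6::1"                        # constructed IPv6 care-of address


@dataclass(frozen=True)
class Packet:
    """Only the fields NAT-PT rewrites; a constructed stand-in for a real header."""
    version: int
    src: str
    dst: str
    payload: bytes


class NatPt:
    """Stateful NAT-PT at the edge of the IPv6 external network (assumed design).
    v6 -> v4: bind the mobile node's care-of address to an address from an IPv4
    pool and take the low 32 bits of the prefixed destination.
    v4 -> v6: accept only destinations with an existing binding, and prepend the
    prefix to the IPv4 source so the reply carries the address the mobile node
    learned from DNS."""

    def __init__(self, pool, prefix=PREFIX):
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.prefix = prefix
        self.v6_to_v4 = {}
        self.v4_to_v6 = {}

    def _bind(self, coa6):
        """Reuse an existing binding; allocate from the pool only for a new care-of address."""
        if coa6 not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("IPv4 pool exhausted")
            v4 = self.free.pop(0)
            self.v6_to_v4[coa6] = v4
            self.v4_to_v6[v4] = coa6
        return self.v6_to_v4[coa6]

    def translate_v6_to_v4(self, pkt):
        src6, dst6 = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
        if pkt.version != 6 or dst6 not in self.prefix:
            raise ValueError("not an IPv6 packet destined for the IPv4 network")
        dst4 = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)
        return Packet(4, str(self._bind(src6)), str(dst4), pkt.payload)

    def translate_v4_to_v6(self, pkt):
        dst4 = ipaddress.IPv4Address(pkt.dst)
        if pkt.version != 4 or dst4 not in self.v4_to_v6:
            # No binding: the IPv4 side never learned this address from us, so drop
            # the packet rather than guess an IPv6 destination.
            raise ValueError("no binding for destination; dropped")
        src6 = ipaddress.IPv6Address(int(self.prefix.network_address)
                                     | int(ipaddress.IPv4Address(pkt.src)))
        return Packet(6, str(src6), str(self.v4_to_v6[dst4]), pkt.payload)


def demo():
    """Outbound IKE message, a second outbound packet, the gateway's reply, and an
    unsolicited inbound packet; returns what each translation produced."""
    nat = NatPt(pool=["203.0.113.10", "203.0.113.11"])   # constructed pool
    out1 = nat.translate_v6_to_v4(Packet(6, MN_COA_V6, VPN_GW_V6, b"IKE_SA_INIT"))
    out2 = nat.translate_v6_to_v4(Packet(6, MN_COA_V6, VPN_GW_V6, b"ESP"))
    back = nat.translate_v4_to_v6(Packet(4, VPN_GW_V4, out1.src, b"IKE_SA_INIT reply"))
    try:
        nat.translate_v4_to_v6(Packet(4, "198.51.100.99", "203.0.113.11", b"unsolicited"))
        unsolicited_dropped = False
    except ValueError:
        unsolicited_dropped = True
    return {
        "out_src": out1.src, "out_dst": out1.dst,
        "binding_stable": out1.src == out2.src,
        "back_src_matches_dns": ipaddress.IPv6Address(back.src) == ipaddress.IPv6Address(VPN_GW_V6),
        "back_dst": back.dst,
        "unsolicited_dropped": unsolicited_dropped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The translated packet leaves with an IPv4 source taken from the pool, which is exactly why the gateway in this scheme always sees the mobile node as an IPv4 peer. Inbound IPv4 packets are translated only when the destination has a binding; anything else is dropped rather than mapped to a guessed IPv6 address.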
Because the mobile node moves, the process of handover of the mobile node between different types of networks and the update of the SA addresses in the specific implementation of the embodiment of the present invention are described in detail below.

The IPv4-v6 hybrid network has an IPv4 external network supporting mobile IPv4 and an IPv6 external network supporting mobile IPv6. Heterogeneous networks refers to an IPv4 network and an IPv6 network respectively, and homogeneous networks refers to two IPv4 networks or two IPv6 networks. After the mobile node accesses the VPN using the IPsec tunnel, it may move between different networks. When the mobile node moves within the internal network, standard mobile IPv6 communication may be used; when the mobile node roams from the internal network to an external network, an IPsec tunnel needs to be established to communicate with the VPN internal node; after the mobile node enters a new heterogeneous or homogeneous external network from the current external network, it can update the SA address with the newly obtained care-of address through the MOBIKE protocol, maintain the original IPsec tunnel, and continue to communicate with the VPN internal node.

The MOBIKE protocol allows the IPsec protocol to support node mobility: after the care-of address of the mobile node changes, communication continues over the original IPsec tunnel through an SA address update. MOBIKE, an extension protocol based on IKEv2, allows the nodes at both ends of the tunnel to update their IP addresses while maintaining the IKE SA and the IPsec SA; that is, the original IPsec tunnel can be maintained after the IP addresses of the nodes at both ends of the tunnel change. A key application scenario of the MOBIKE protocol is that an IPsec VPN mobile node still maintains the original IPsec tunnel with the VPN gateway after its care-of address changes in the external network. MOBIKE supports multiple addresses on both sides of the communication; the initiator of the IKE-SA (Internet Key Exchange-Security Association) determines the address pair used for the tunnel ends, and the update address request is also issued by the initiator of the IKE-SA. This design of MOBIKE is very suitable for the mobile VPN scenario: in a mobile VPN, it is usually the mobile node in the external network that initiates the IKE negotiation to the VPN gateway and establishes the IPsec tunnel, and after the care-of address of the mobile node changes, the mobile node initiates the update address request and updates its address in the IKE SA and the IPsec SAs.

MOBIKE is an extension protocol of IKEv2, and its implementation is completed within the negotiation exchanges of IKEv2. MOBIKE defines some new notification payloads, which are used to implement MOBIKE support in IKEv2's three exchange types (the IKE-SA exchange, the IPsec SA exchange, and the informational exchange). The MOBIKE protocol supports both communicating entities having multiple addresses at the same time: the initiator and the responder can add ADDITIONAL_IPv4_ADDRESS (additional IPv4 address) or ADDITIONAL_IPv6_ADDRESS (additional IPv6 address) notification payloads in the IKE_AUTH exchange (that is, the last two messages exchanged by IKEv2).

The initiator of the IKE_SA determines the addresses used in the IPsec SAs; that is, the responder updates the IP addresses of the IPsec SAs only after receiving the UPDATE_SA_ADDRESSES request from the initiator. After the initiator determines that the address is to be updated, it updates the IP addresses in the IKE-SA and the IPsec SAs and sets the "pending_update" flag in the IKE-SA; if it has sent an IKEv2 request to the responder but has not yet received the response, it retransmits the request with the updated IP address; when the window size allows, it sends an informational exchange request containing the UPDATE_SA_ADDRESSES notification payload and clears the "pending_update" flag; if the address changes again while waiting for the response to this exchange, it starts again from the first step and ignores the returned response message. When the initiator receives the response, it performs the corresponding processing: the initiator can choose another address and exchange again, continue to use the current address, or disconnect.

The Return Routability Check function is also included: either the initiator or the responder can optionally confirm whether the other party can receive data packets at the current address. The return routability check can be performed before or after updating the IPsec SAs, or during a normal connection; by default, a return routability check is required after the IPsec SAs update is completed. One party initiates an IKE informational exchange request containing a COOKIE2 notification payload; after receiving the request, the other party sends an informational exchange response in which the received COOKIE2 notification payload is copied; after receiving the response, the first party checks whether the received COOKIE2 payload is exactly the same as the one it sent, thus completing the return routability check.
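The MOBIKE address update and the COOKIE2 return routability check described above, as an added Python model that is not from the patent or from any IKE implementation: messages are dictionaries, the exchange is synchronous, and the addresses 200.0.0.1, 203.0.113.9 and 2001:db8:6::1 are constructed. It keeps the two rules that matter here: only the initiator's UPDATE_SA_ADDRESSES request moves the SA endpoints (taken from the outer address of that request), and the responder copies COOKIE2 back unchanged so the initiator can detect a path that does not deliver to the new address intact.

```python
import hmac
import secrets


class MobikeResponder:
    """VPN gateway side of an IKE SA (simplified, assumed model).
    MOBIKE lets only the initiator choose the tunnel endpoints, so the peer
    address changes only on an UPDATE_SA_ADDRESSES request and is taken from
    the outer header of that request. COOKIE2 is copied back unchanged."""

    def __init__(self, local, peer):
        self.local, self.peer = local, peer

    def handle(self, request, src_addr):
        if request["exchange"] != "INFORMATIONAL":
            raise ValueError("unexpected exchange type")
        if "UPDATE_SA_ADDRESSES" in request["notify"]:
            self.peer = src_addr          # the mobile node's new IPv4 or IPv6 care-of address
        response = {"exchange": "INFORMATIONAL", "notify": []}
        if "COOKIE2" in request:
            response["COOKIE2"] = request["COOKIE2"]
        return response


class MobikeInitiator:
    """Mobile node side. channel(request, src_addr) delivers a request and returns
    the response; in demo() it is the responder's handle(), optionally wrapped to
    simulate a path that corrupts COOKIE2."""

    def __init__(self, local, peer, channel):
        self.local, self.peer, self.channel = local, peer, channel
        self.pending_update = False

    def _informational(self, notifies):
        cookie2 = secrets.token_bytes(16)     # fresh random value per exchange
        request = {"exchange": "INFORMATIONAL", "notify": list(notifies), "COOKIE2": cookie2}
        response = self.channel(request, self.local)
        # Return routability: the peer must echo exactly the COOKIE2 that was sent.
        return hmac.compare_digest(cookie2, response.get("COOKIE2", b""))

    def return_routability_check(self):
        return self._informational([])

    def update_address(self, new_local):
        """Care-of address changed: move the local endpoint, keep pending_update set
        until the UPDATE_SA_ADDRESSES request has gone out, then confirm the new
        path before data traffic is resumed (the default check after an update)."""
        self.local = new_local
        self.pending_update = True
        updated = self._informational(["UPDATE_SA_ADDRESSES"])
        self.pending_update = False
        return updated and self.return_routability_check()


def demo():
    """Handover from an IPv4 to an IPv6 external network, then two negative cases."""
    gw = MobikeResponder(local="200.0.0.1", peer="203.0.113.9")
    mn = MobikeInitiator(local="203.0.113.9", peer="200.0.0.1", channel=gw.handle)
    update_ok = mn.update_address("2001:db8:6::1")
    # A plain informational exchange from some other address must not move the SA.
    gw.handle({"exchange": "INFORMATIONAL", "notify": []}, src_addr="198.51.100.99")
    peer_after_plain = gw.peer

    def tampering(request, src_addr):
        # A path that alters COOKIE2: the reachability confirmation must fail.
        response = gw.handle(request, src_addr)
        response["COOKIE2"] = bytes(16)
        return response

    mn.channel = tampering
    tampered_ok = mn.return_routability_check()
    return {
        "update_ok": update_ok,
        "gateway_peer": gw.peer,
        "peer_after_plain_check": peer_after_plain,
        "tampered_ok": tampered_ok,
        "pending": mn.pending_update,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The responder deliberately ignores the address on anything other than an UPDATE_SA_ADDRESSES request, and the cookie comparison uses a constant-time compare; both are cheap and match the rule that the initiator, not the network, decides where the SA lives.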
The handover of the mobile node in the external network can be divided into two situations. Handover between homogeneous networks refers to the mobile node roaming from one IPv4 external network to another IPv4 external network, or from one IPv6 external network to another IPv6 external network; heterogeneous network handover refers to the mobile node roaming from an IPv4 external network to an IPv6 external network, or from an IPv6 external network to an IPv4 external network. The roaming of the mobile node from the IPv6 internal network to an external network can likewise be divided into two cases: moving to an IPv4 external network and moving to an IPv6 external network.

The mobile node is located in the internal network.

When the mobile node is located in the internal network and is not in its home network, it communicates with the VPN internal home agent and correspondent node through standard mobile IPv6. When the mobile node located in the internal network moves and its IP address changes, it immediately stops communication with the other nodes in the VPN, and proceeds as follows.

If an IPv4 care-of address is obtained, it is determined that the mobile node is located in an IPv4 external network; the IPv4 care-of address is used to perform IKE negotiation supporting MOBIKE with the VPN gateway and an IPsec tunnel is established. The mobile node uses the VPN-TIA generated by the VPN gateway as the internal MIPv6 care-of address, sends a registration request to the i-HA (internal home agent) through the IPsec tunnel, and after receiving the registration response communicates with the internal network nodes through the established IPsec tunnel.

If an IPv6 care-of address is obtained, the domain name is used to query the IPv6 address of the VPN gateway indirectly (the specific query process has been described above and is not repeated here), and the mobile node also needs to send a standard mobile IPv6 registration request to the VPN internal home agent. The mobile node then performs the corresponding communication processing according to whether the corresponding mobile IPv6 registration response is received. If the mobile node receives the mobile IPv6 registration response corresponding to the mobile IPv6 registration request, it is determined that the network where the mobile node is located is still the VPN internal network, so that after completing the registration update the mobile node can communicate with the VPN internal node using the new IPv6 care-of address. Otherwise, the mobile node is located in an IPv6 external network, and it uses the new IPv6 address to perform IKE negotiation supporting MOBIKE with the VPN gateway and establishes an IPsec tunnel. The specific process of establishing the IPsec tunnel is as follows: the mobile node uses the VPN-TIA generated by the VPN gateway as the internal mobile IPv6 care-of address and sends a registration request to the internal home agent through the IPsec tunnel; after receiving the registration response, it communicates with the internal network nodes through the established IPsec tunnel.
The mobile node is located in the external network.

When the mobile node is in an external network, an IPsec tunnel is established and the mobile node communicates with the internal nodes of the VPN through it. The configuration of the mobile node differs between the IPv4 external network and the IPv6 external network: in the IPv6 external network the packets of the mobile node additionally need IPv6 in IPv4 tunnel encapsulation, which is more complicated. The following describes roaming of the mobile node in the IPv4 external network and in the IPv6 external network respectively.

1. The mobile node is located in the IPv4 external network.

The IPv4 care-of address is used as the local address of the tunnel; IKE negotiation supporting MOBIKE is performed with the VPN gateway to establish an IPsec tunnel, and the mobile node communicates with the VPN internal node through the IPsec tunnel. When the mobile node moves and its IP address changes, communication with the internal node of the VPN is immediately stopped, and the following is performed.

If the mobile node enters another IPv4 external network, it starts MOBIKE and performs an SA address update; the updated endpoint addresses of the SA are the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway.

If an IPv6 care-of address is obtained, the domain name resolution method is used to query the IPv6 address of the VPN gateway indirectly; at the same time, the mobile node also needs to send a standard mobile IPv6 registration request to the VPN internal home agent, and performs the corresponding communication processing according to whether the corresponding registration response is returned. If the mobile node receives the mobile IPv6 registration response corresponding to the mobile IPv6 registration request, it is determined that the mobile node has now entered the VPN internal network, and after completing the registration update the mobile node can communicate with the VPN internal node using the new IPv6 care-of address. If the MIPv6 (Mobile IPv6) registration response is not received and the IPv6 address of the VPN gateway is successfully queried, the mobile node is located in an IPv6 external network; it starts MOBIKE and performs the SA address update, the updated SA endpoint addresses being the newly obtained IPv6 care-of address of the mobile node and the IPv6 address of the VPN gateway. After completing the IKE SA and IPsec SAs address update, the mobile node continues to communicate with the VPN internal node through the IPsec tunnel.

The SA address update needs some explanation. Because the mobile node moves from the IPv4 external network to the IPv6 external network, the destination address and the source address of the mobile node (that is, the endpoint addresses of the SA) change, and the mobile node updates them to IPv6 addresses; the VPN gateway, after receiving the UPDATE_SA_ADDRESSES (Update Security Association Addresses) notification payload, updates according to the addresses of the IP packet that carried it. The VPN gateway therefore considers that the endpoint addresses of the SA have changed and updates them to the IPv6 addresses of the mobile node and the VPN gateway.
2. The mobile node is located in the IPv6 external network.

When the mobile node is located in the IPv6 external network, it obtains an IPv6 care-of address and queries the IPv6 address of the VPN gateway through domain name resolution, then initiates IKE negotiation supporting MOBIKE, establishes an IPsec tunnel, and communicates with the internal nodes of the VPN through the IPsec tunnel. When the mobile node moves in the IPv6 external network and its IP address changes, it immediately stops communication with the internal node of the VPN, and proceeds as follows.

If the mobile node enters another IPv4 external network, it starts MOBIKE and performs an SA address update; the updated endpoint addresses of the SA are the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway.

If an IPv6 care-of address is obtained, the domain name resolution method is used to query the IPv6 address of the VPN gateway indirectly; at the same time, a standard mobile IPv6 registration request is sent to the VPN internal home agent, and the mobile node performs the corresponding communication processing according to whether the registration response is returned. If the mobile node receives the mobile IPv6 registration response corresponding to the mobile IPv6 registration request, it is determined that the mobile node has now entered the VPN internal network, and after completing the registration update the mobile node can communicate with the VPN internal node using the new IPv6 care-of address. If the MIPv6 registration response corresponding to the mobile IPv6 registration request is not received and the IPv6 address of the VPN gateway is successfully queried, the mobile node is located in an IPv6 external network; it starts MOBIKE and performs the SA address update, the updated SA endpoint addresses being the newly obtained IPv6 care-of address of the mobile node and the IPv6 address of the VPN gateway. After completing the IKE SA and IPsec SAs address update, the mobile node continues to communicate with the VPN internal node through the IPsec tunnel.

MOBIKE also provides two security-related mechanisms. The return routability check can be used to check the reachability of the addresses provided by both communicating nodes, which prevents large volumes of traffic from being directed at third parties. NAT prohibition ensures that the IP addresses are not modified by any NAT, IPv4/v6 translation, or other similar device; this feature is mainly used when the administrator already knows that there are no NAT devices between the two nodes, so that any modification of the packet is considered an attack. In the embodiment, a return routability check is added before each SA address update, before communication of the data stream is resumed, ensuring that the updated address is securely routable. When the mobile node enters the IPv4 external network or the IPv6 external network, it is considered that there is no NAT device between the mobile node and the VPN gateway, so NAT prohibition can be used to protect the data packets from being modified.

The embodiment provided by the present invention solves the two problems mentioned in the prior art by using the MOBIKE protocol to update the address entries of the SA and by the method in which the VPN gateway assigns the VPN-TIA to the mobile node. It proposes that, in the IPv4 to IPv6 transition period, with IPv4 as the backbone network in the IPv4-v6 hybrid environment, the mobile node implements access to the VPN service and maintains normal communication while switching between networks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A VPN gateway, an IPv6 network system, and a system and method for realizing a mobile VPN in a hybrid network. The present invention is used in a hybrid network including an IPv4 network and an IPv6 network, in which a VPN gateway is set up that provides an internal interface with an IPv6 address and an external interface with an IPv4 address. The method includes: first, a tunnel is set up between the VPN gateway and the external network to transmit the packets exchanged between the external network and the IPv6 network inside the VPN, the two end addresses of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway; then, the VPN packets that need to be transmitted are sent through the said tunnel, so as to realize the VPN service. By realizing the present invention, the mobile VPN service can also be realized in the hybrid network during the evolution from the IPv4 network to IPv6.

Description

A VPN gateway, an IPv6 network system, and a system and method for realizing a mobile VPN in a hybrid network

Technical Field

The present invention relates to the field of network communication technology, and in particular to a technique for realizing a mobile VPN.

Background of the Invention

Mobile VPN (virtual private network) is a new type of VPN solution that combines traditional VPN with mobility technology. An MN (mobile node) that belongs to the VPN interior keeps communicating with VPN-internal nodes while on an external network by establishing a tunnel to the VPN gateway. IPsec VPN (IP security protocol VPN) uses IPsec as the security guarantee of the tunnelling technique, so it can provide good security for the communicating nodes at both ends of a tunnel in an IP network and thereby secure the VPN service. IPsec VPN combined with the standard Mobile IPv4 protocol provides the basic framework of mobile VPN.

In a pure IPv4 network environment, when a typical IPsec VPN is combined with MIPv4 (Mobile IPv4), the following two main problems arise:

(1) When the mobile node moves outside the VPN, if it obtains its care-of address through the FA (foreign agent) of the external network, then, because the foreign agent is configured by the administrator of another network and usually does not support IPsec, the mobile node cannot register with the i-HA (internal home agent) located inside the VPN;

(2) If the mobile node obtains a co-located care-of address on the external network, it can complete registration with the home agent inside the VPN by establishing an IPsec tunnel with the VPN gateway, but every time the co-located care-of address changes the mobile node must renegotiate the IPsec tunnel with the VPN gateway. When the node moves frequently, this increases handover delay and reduces the node's mobility.

At present, one solution to the above problems is: in the IPv4 environment, an x-HA (external home agent) is deployed outside the VPN gateway. The mobile node first registers with the external home agent and then establishes an IPsec tunnel with the VPN gateway through the external home agent, completing registration with the home agent inside the VPN, which solves the two problems above.

The corresponding network structure is shown in Figure 1, where x-HA denotes the home agent deployed in the external network. In the Internet there is an External Net (external network) that supports Mobile IPv4; at the same time, inside the VPN there are a Home Net (home network) and a Foreign Net (foreign network) that also support Mobile IPv4.

After moving to the external network and obtaining a care-of address, the mobile node first registers with the external home agent and obtains an x-HoA (external home address); it then uses the external home address to perform IKE (Internet Key Exchange) negotiation with the VPN gateway to establish an IPsec tunnel, and registers with the home agent inside the VPN through the IPsec tunnel. In this way the mobile node can communicate with the nodes of the VPN internal network.

The following takes a mobile node located in an external network configured with an x-FA (foreign agent of the external network) as an example to describe the mobile node's registration procedure and the packet encapsulation.

After the mobile node enters an external network configured with an external home agent, it obtains a foreign-agent care-of address; at the same time, the mobile node also needs to send standard Mobile IPv4 registration requests to the external home agent and to the internal home agent;

Since the mobile node is located in the external network, it can only receive the registration reply from the external home agent. From that reply the mobile node obtains the x-HoA assigned by the external home agent, which serves as the mobile node's care-of address in the external network;

The mobile node uses the obtained x-HoA as the endpoint address for IKE negotiation and for the IPsec tunnel, and establishes the tunnel with the VPN gateway. During the negotiation, the VPN gateway assigns the mobile node a VPN-TIA (VPN tunnel inner address). The mobile node uses the VPN-TIA as the care-of address for registration with the internal home agent, and the registration is carried inside the IPsec tunnel. Once registration is complete, the mobile node and the correspondent nodes inside the VPN can communicate. The data packets are encapsulated three times; the resulting structure is shown in Figure 2, where the outermost x-MIP is the Mobile IPv4 encapsulation from the mobile node to the external home agent, the middle layer is the IPsec encapsulation from the x-HA to the VPN gateway (VPN GW), and the innermost i-MIP is the Mobile IPv4 encapsulation inside the VPN. As Figure 2 shows, the mobile node can complete registration with the home agent inside the VPN from an external network configured with a foreign agent, and a change of the mobile node's care-of address does not affect the maintenance of the IPsec tunnel. This implementation therefore effectively solves the two problems above.

However, introducing the external home agent makes the VPN network structure more complex and raises maintenance cost; it also brings new problems, such as where to place the external home agent and whether the external home agent can be trusted.

Another solution proposed for the same two problems is: in the IPv4 environment, use IPsec with the MOBIKE (IKEv2 Mobility and Multihoming) protocol as the tunnelling technique between the mobile node and the VPN gateway.

MOBIKE is an extension protocol based on IKEv2 that effectively supports mobility of both ends of an IPsec tunnel. When the mobile node starts to negotiate an IPsec tunnel with the VPN gateway, an IKE SA and then IPsec SAs are generated. MOBIKE allows the nodes at both ends of the tunnel to update their IP addresses while keeping the IKE SA and IPsec SAs; that is, after the address of either tunnel endpoint changes, the original IPsec tunnel can still be used for communication without renegotiation.

The MOBIKE-based network structure is shown in Figure 3: the Internet contains an External Net that supports Mobile IPv4, and the VPN internal network likewise contains a Home Net and a Foreign Net that support Mobile IPv4.

When the mobile node is located in a foreign network inside the VPN, it uses standard Mobile IPv4 to communicate with the home agent and correspondent nodes inside the VPN. When the mobile node leaves the VPN internal network and enters an external network, it performs IKE negotiation with the VPN gateway to establish an IPsec tunnel that supports MOBIKE. Meanwhile, inside the VPN, the mobile node and the home agent still keep a valid Mobile IPv4 binding, and the mobile node registers with the internal home agent using the VPN-TIA assigned by the VPN gateway as its co-located care-of address in the VPN internal network.

When the mobile node moves from one external network into another, it obtains a new Mobile IPv4 care-of address. The mobile node then uses the MOBIKE protocol to update the IP address of its own end of the IKE SA and IPsec SAs, and notifies the VPN gateway to update the IP address of the corresponding SAs. After the SA address update is complete, communication continues over the original IPsec tunnel.
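The address update described above, as an added example that is not code from the patent: a stand-alone Python simulation of the MOBIKE exchange between the mobile node and the VPN gateway. The IKE SA is modelled as a record holding the SPIs, the integrity keys and the peer address; the mobile node sends an integrity-protected INFORMATIONAL request carrying the UPDATE_SA_ADDRESSES notification, the gateway authenticates it, rejects replays by message ID, re-homes the IKE SA and all of its child SAs to the address the request arrived from, and challenges the new address with a COOKIE2 return-routability check. The message is reduced to the fields the checks need (real IKEv2 encrypts and MACs the whole message); the SPIs, keys and addresses are constructed values.

```python
"""Simulated MOBIKE address update between a mobile node and a VPN gateway.

Added example, no network I/O: the IP source address a real gateway reads
from the datagram is passed explicitly as src_ip. SPIs, keys and addresses
are constructed values; the message carries only the fields the checks need.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

UPDATE_SA_ADDRESSES = 16400     # IKEv2 notify types defined by RFC 4555
COOKIE2 = 16401


@dataclass
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    sk_ai: bytes                # integrity key, initiator (mobile node) -> responder
    sk_ar: bytes                # integrity key, responder (gateway) -> initiator
    local_addr: str
    peer_addr: str
    child_spis: tuple           # ESP SPIs of the IPsec SAs that ride on this IKE SA
    last_msg_id: int = -1       # highest request message ID accepted from the peer
    pending_cookie2: Optional[bytes] = None


def icv(key: bytes, msg_id: int, spi_i: bytes, spi_r: bytes, payload: bytes) -> bytes:
    """Integrity check value over the SPIs, the message ID and the payload."""
    data = struct.pack("!I", msg_id) + spi_i + spi_r + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def make_msg(key: bytes, sa: IkeSa, msg_id: int, payload: bytes) -> dict:
    return {"spi_i": sa.spi_i, "spi_r": sa.spi_r, "msg_id": msg_id, "payload": payload,
            "icv": icv(key, msg_id, sa.spi_i, sa.spi_r, payload)}


def authentic(key: bytes, sa: IkeSa, msg: dict) -> bool:
    if (msg["spi_i"], msg["spi_r"]) != (sa.spi_i, sa.spi_r):
        return False                                  # not our SA
    expected = icv(key, msg["msg_id"], sa.spi_i, sa.spi_r, msg["payload"])
    return hmac.compare_digest(expected, msg["icv"])


def mn_update(mn: IkeSa, new_addr: str, msg_id: int):
    """Mobile node: adopt the new care-of address and send UPDATE_SA_ADDRESSES."""
    mn.local_addr = new_addr
    return make_msg(mn.sk_ai, mn, msg_id, struct.pack("!H", UPDATE_SA_ADDRESSES)), new_addr


def gw_handle_update(gw: IkeSa, req: dict, src_ip: str) -> Optional[dict]:
    """Gateway: authenticate, refuse replays, re-home the IKE SA and every child
    SA to src_ip, then challenge that address with COOKIE2. None = rejected."""
    if not authentic(gw.sk_ai, gw, req) or req["msg_id"] <= gw.last_msg_id:
        return None
    if struct.unpack("!H", req["payload"][:2])[0] != UPDATE_SA_ADDRESSES:
        return None
    gw.last_msg_id = req["msg_id"]
    gw.peer_addr = src_ip         # SPIs and keys untouched: nothing is renegotiated
    gw.pending_cookie2 = os.urandom(16)
    return make_msg(gw.sk_ar, gw, req["msg_id"] + 1,
                    struct.pack("!H", COOKIE2) + gw.pending_cookie2)


def mn_answer_rrc(mn: IkeSa, rrc_req: dict) -> Optional[dict]:
    """Mobile node: echo COOKIE2 so the gateway learns the new address is routable."""
    if not authentic(mn.sk_ar, mn, rrc_req):
        return None
    return make_msg(mn.sk_ai, mn, rrc_req["msg_id"], rrc_req["payload"])


def gw_verify_rrc(gw: IkeSa, rrc_reply: Optional[dict]) -> bool:
    ok = (rrc_reply is not None and gw.pending_cookie2 is not None
          and authentic(gw.sk_ai, gw, rrc_reply)
          and rrc_reply["payload"] == struct.pack("!H", COOKIE2) + gw.pending_cookie2)
    gw.pending_cookie2 = None
    return ok


def handover(mn: IkeSa, gw: IkeSa, new_addr: str, msg_id: int) -> bool:
    """Run the whole exchange; True when the existing tunnel now follows the node."""
    req, src_ip = mn_update(mn, new_addr, msg_id)
    rrc_req = gw_handle_update(gw, req, src_ip)
    return rrc_req is not None and gw_verify_rrc(gw, mn_answer_rrc(mn, rrc_req))


def demo_sas():
    """Constructed IKE SA state as both ends hold it after the initial IKE exchange."""
    common = dict(spi_i=bytes.fromhex("0011223344556677"), spi_r=bytes.fromhex("8899aabbccddeeff"),
                  sk_ai=b"\x11" * 32, sk_ar=b"\x22" * 32, child_spis=(0x1001, 0x1002))
    mn = IkeSa(local_addr="198.51.100.10", peer_addr="203.0.113.1", **common)
    gw = IkeSa(local_addr="203.0.113.1", peer_addr="198.51.100.10", **common)
    return mn, gw
```

The point to notice is that `spi_i`, `spi_r` and `child_spis` never change; only `peer_addr` moves, which is exactly why no renegotiation is needed. The message-ID check and the COOKIE2 round trip are what stop an observer of the tunnel from replaying an old update or redirecting the gateway's traffic to an address of their choosing.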

It can be seen that this scheme uses MOBIKE to solve the two problems in a pure IPv4 environment. However, the Internet is moving towards IPv6, and while IPv6 replaces IPv4 the hybrid network of "IPv6 islands" in an "IPv4 ocean" will inevitably exist for a long time; the corresponding problems in the hybrid network therefore also need to be solved. The existing technical solutions cannot yet solve the application of mobile VPN in a hybrid network comprising IPv4 and IPv6.

Summary of the Invention

Embodiments of the present invention provide a VPN gateway, an IPv6 network system, and a system and method for realizing a mobile VPN in a hybrid network, in order to solve the application of mobile VPN in an IPv4/IPv6 hybrid network, so that VPN services based on IPv6 networks become possible in existing network scenarios.

An embodiment of the present invention provides a VPN gateway comprising an IPv4 packet processing unit, an IPv4 interface, an IPv6 packet processing unit and an IPv6 interface, where the IPv4 interface is used to exchange IPv4 packets with the IPv4 network and the IPv4 packet processing unit encapsulates or decapsulates IPv4 packets, and the IPv6 interface is used to exchange IPv6 packets with the IPv6 network and the IPv6 packet processing unit encapsulates or decapsulates IPv6 packets.

An embodiment of the present invention provides an IPv6 network system that can traverse an IPv4 network and communicate with the IPv6 network inside the VPN through a VPN gateway; the internal interface provided by the VPN gateway is an IPv6 interface and the external interface is an IPv4 interface. The system further comprises:

A tunnel establishment module, used to establish between the VPN gateway and the external network a tunnel capable of carrying the VPN packets exchanged between the two networks, the two endpoint addresses of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway;

A packet encapsulation and transmission module, deployed at both ends of the tunnel, used to encapsulate the VPN packet to be sent with an IPv4 header and send it to the peer through the tunnel.

An embodiment of the present invention provides a system for realizing a mobile VPN in a hybrid network, comprising an external network, an IPv4 network, a VPN and a VPN gateway; the VPN internal network is an IPv6 network, the internal interface provided by the VPN gateway is an IPv6 interface and the external interface is an IPv4 interface, and the external network comprises an IPv4 external network and an IPv6 external network. The system further comprises:

A tunnel establishment module, used to establish between the VPN gateway and the external network a tunnel capable of carrying the VPN packets exchanged between the two networks, the two endpoint addresses of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway;

A packet encapsulation and transmission module, deployed at both ends of the tunnel, used to encapsulate the VPN packet to be sent with an IPv4 header and send it to the peer through the tunnel.

An embodiment of the present invention provides a method for realizing a mobile VPN in a hybrid network. The method applies to a hybrid network comprising an IPv4 network and an IPv6 network inside a mobile virtual private network (VPN), in which a VPN gateway of the VPN is deployed; the VPN gateway provides an internal interface with an IPv6 address and an external interface with an IPv4 address. The method comprises:

Establishing a tunnel between the VPN gateway and the external network, the tunnel being used to carry the VPN packets exchanged between the external network and the IPv6 network inside the VPN, and the two endpoint addresses of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway, where the external network is an IPv4 external network or an IPv6 external network;

Encapsulating the VPN packets to be transmitted with an IPv4 header and transmitting them through the tunnel, so as to realize the VPN service in the hybrid network.

It can be seen that the embodiments of the present invention use IPv6-in-IPv4 tunnelling to carry out the mobile VPN service in an IPv4/IPv6 hybrid network, so that the mobile VPN service can still be realized during the evolution from IPv4 to IPv6.

Brief Description of the Drawings

Figure 1 shows the structure of a mobile VPN configured with an external home agent in an IPv4 environment;

Figure 2 is a schematic diagram of the packet encapsulation structure;

Figure 3 shows the structure of a mobile VPN configured with MOBIKE in an IPv4 environment;

Figure 4 is a schematic diagram of the network structure of a mobile VPN in a hybrid network according to an embodiment of the present invention;

Figure 5 is a schematic diagram of the DNS request forwarding process in Figure 3;

Figure 6 is a schematic diagram of the DNS reply forwarding process in Figure 3.

Mode for Carrying Out the Invention

With the development of network communication technology, as IPv6 networks gradually replace IPv4 networks, the wide deployment of existing IPv4 networks means that an IPv4/IPv6 hybrid network of "IPv6 islands" in an "IPv4 ocean" will exist for a long period. Embodiments of the present invention address this hybrid network by providing a network structure for mobile VPN in an IPv4/IPv6 hybrid network, the corresponding functional requirements for the devices, and the way the mobile node accesses the VPN from different types of network, thereby solving the problem of updating the address of the mobile node's SA (security association) when the mobile node switches between networks of different types.

The specific embodiment of the present invention takes the IPv4/IPv6 hybrid network of "IPv6 islands" in an "IPv4 ocean" as its basic framework, introduces the MOBIKE extension to solve the SA address update problem of the mobile node, and uses IPv6-in-IPv4 tunnelling combined with domain name resolution so that the mobile node can communicate with the VPN gateway from both IPv6 and IPv4 networks; as a result, communication between the mobile node and VPN-internal nodes is achieved whichever type of network the mobile node is located in.

That is, the embodiments of the present invention mainly adopt the idea of IPv6-in-IPv4 tunnelling, and deploy devices such as a DNS-ALG (domain name server application layer gateway) so that a mobile node located in the IPv6 external network can query the IPv6 address of the VPN gateway through the IPv4 network and communicate accordingly. Thus, when the mobile node is in the IPv6 external network it can still communicate with the VPN gateway across the IPv4 network, and the mobile VPN service in an IPv4/IPv6 hybrid network is realized.

More specifically, in the hybrid network the handling depends on where the mobile node is: it may be in the IPv6 internal network (i.e. inside the VPN), in the IPv4 external network, or in the IPv6 external network. Each case requires a different communication method, so that the mobile VPN service can be realized in the hybrid network.

To distinguish the communication method to use in each case, when the IP address of the mobile node changes it first stops communicating with other nodes and determines the type of network it is now in from the type of the IP address; it then determines, by Mobile IP registration and a VPN address query, whether it is in the internal or the external network, and accordingly either establishes an IPsec tunnel or updates the addresses of the existing IPsec SA; after this processing is complete, the previous communication resumes.

To implement the specific embodiment of the present invention, an IPv4/IPv6 dual stack is required on the x-AR (external access router) at the edge of the IPv6 external network, on the DNS-ALG and on the DNS server, and a dual stack is configured on the VPN gateway; in addition, the x-AR and the VPN gateway must be able to encapsulate and decapsulate IPv6-in-IPv4 tunnel packets.

With this configuration, different communication handling can be applied to the different cases to realize the mobile VPN service in the hybrid network. Taking a mobile node entering the IPv6 external network as an example, the processing mainly includes the following steps:

(1) After entering the IPv6 external network, the mobile node indirectly queries the IPv6 address of the VPN gateway by domain name resolution;

(2) The IPv6 DNS request for the VPN gateway sent by the mobile node is converted by the DNS-ALG into an IPv4 DNS request and forwarded into the IPv4 network;

(3) After the IPv4 network returns the IPv4 address of the VPN gateway, the reply is first sent to the DNS-ALG, which prepends a specific prefix to the IPv4 address to form an IPv6 address, and this address is finally returned to the mobile node;

(4) The mobile node constructs packets using the returned IPv6 address of the VPN gateway and communicates with the VPN gateway; all packets exchanged between the mobile node and the VPN gateway undergo IPv6-in-IPv4 tunnel encapsulation and decapsulation, enabling communication between nodes of different protocol types.

Through the above processing, interworking of the mobile VPN service is realized in the hybrid network.
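Steps (1) to (4) above, as an added example that is not the patent's code: a stand-alone Python DNS-ALG that rewrites the mobile node's AAAA query into an A query for the IPv4-side DNS, and turns the A reply into an AAAA reply by prepending a 96-bit prefix to each IPv4 address (the same idea was later standardized as DNS64, RFC 6147). The query, the IPv4-side reply and the prefix 2001:db8:feed::/96 are constructed for the example; the patent only says "a specific prefix".

```python
"""DNS-ALG for the VPN gateway lookup from the IPv6 external network.

Added example built on the standard library only. The query, the reply of
the IPv4-side DNS and the synthesis prefix are constructed; the patent only
says "a specific prefix", so 2001:db8:feed::/96 is an assumption.
"""
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(buf: bytes, off: int) -> int:
    """Offset just past a domain name, following RFC 1035 compression pointers."""
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            return off + 2          # a pointer is two bytes and terminates the name
        if n == 0:
            return off + 1
        off += 1 + n


def build_query(txid: int, name: str, qtype: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def alg_to_ipv4_side(query: bytes) -> tuple:
    """Step (2): an AAAA question becomes an A question for the IPv4 DNS.
    Returns (rewritten query, was_aaaa) so the reply can be mapped back."""
    qend = skip_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    if qtype != QTYPE_AAAA:
        return query, False
    return query[:qend] + struct.pack("!HH", QTYPE_A, qclass) + query[qend + 4:], True


def ipv4_dns_reply(query: bytes, addrs: list, ttl: int = 300) -> bytes:
    """Constructed stand-in for the IPv4 network's DNS answering an A query."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, QTYPE_A, CLASS_IN, ttl, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + query[12:qend] + rrs


def synthesize(prefix: str, v4: str) -> str:
    """Step (3): IPv6 address = 96-bit prefix with the IPv4 address in the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("the ALG prefix must leave exactly 32 bits for the IPv4 address")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4))))


def alg_to_ipv6_side(reply: bytes, prefix: str) -> bytes:
    """Step (3): rewrite the A reply into the AAAA reply handed to the mobile node."""
    header = reply[:12]
    off = skip_name(reply, 12)
    question = reply[12:off] + struct.pack("!HH", QTYPE_AAAA, CLASS_IN)
    off += 4
    ancount = struct.unpack("!H", reply[6:8])[0]
    out = []
    for _ in range(ancount):
        name_end = skip_name(reply, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[name_end:name_end + 10])
        rdata = reply[name_end + 10:name_end + 10 + rdlen]
        if rtype == QTYPE_A and rdlen == 4:
            v6 = ipaddress.IPv6Address(synthesize(prefix, str(ipaddress.IPv4Address(rdata))))
            out.append(reply[off:name_end] + struct.pack("!HHIH", QTYPE_AAAA, rclass, ttl, 16) + v6.packed)
        else:
            out.append(reply[off:name_end + 10 + rdlen])      # other record types pass through
        off = name_end + 10 + rdlen
    return header + question + b"".join(out)


def answers(reply: bytes) -> list:
    """Addresses in an A or AAAA reply, as the mobile node's resolver would read them."""
    ancount = struct.unpack("!H", reply[6:8])[0]
    off = skip_name(reply, 12) + 4
    found = []
    for _ in range(ancount):
        name_end = skip_name(reply, off)
        rdlen = struct.unpack("!H", reply[name_end + 8:name_end + 10])[0]
        rdata = reply[name_end + 10:name_end + 10 + rdlen]
        found.append(str(ipaddress.IPv4Address(rdata) if rdlen == 4 else ipaddress.IPv6Address(rdata)))
        off = name_end + 10 + rdlen
    return found


def resolve_via_alg(name: str, v4_answers: list, prefix: str = "2001:db8:feed::/96") -> list:
    """Steps (1) to (3) end to end: AAAA query -> A query -> A reply -> synthesized AAAA."""
    q6 = build_query(0x1234, name, QTYPE_AAAA)
    q4, was_aaaa = alg_to_ipv4_side(q6)
    r4 = ipv4_dns_reply(q4, v4_answers)
    return answers(alg_to_ipv6_side(r4, prefix) if was_aaaa else r4)
```

Two practical consequences follow from the code: the synthesized address carries no DNSSEC signature (the ALG is a man-in-the-middle by design), so the mobile node must authenticate the gateway through IKE rather than through DNS; and the prefix must be routed to the x-AR, otherwise packets for the synthesized address never reach the tunnel endpoint.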

An embodiment of the present invention provides a system for realizing a mobile VPN in a hybrid network, comprising an external network, an IPv4 network, a VPN and a VPN gateway. The VPN internal network is an IPv6 network; the internal interface provided by the VPN gateway is an IPv6 interface and its external interface is an IPv4 interface; the external network comprises an IPv4 external network and an IPv6 external network. The system further comprises a tunnel establishment module and a packet encapsulation and transmission module, where:

The tunnel establishment module is used to establish between the VPN gateway and the external network a tunnel capable of carrying the VPN packets exchanged between the two networks; the two endpoint addresses of the tunnel are the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway, i.e. IPv4 packets are carried through the tunnel;

The packet encapsulation and transmission module is deployed at both ends of the tunnel and is used to encapsulate the VPN packet to be sent with an IPv4 header and send it to the peer through the tunnel, so that whether the peer is an IPv4 network or an IPv6 network it can recognize the IPv4 packet and communication proceeds normally.
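The packet encapsulation and transmission module, as an added example that is not the patent's code: a Python implementation of IPv6-in-IPv4 encapsulation (IPv4 protocol number 41, RFC 4213) with the checks a decapsulating endpoint should perform before handing the inner packet to the VPN: a valid header checksum, protocol 41, the configured tunnel peer as outer source, and an inner IPv6 header whose length agrees with the outer datagram. The inner packet and the tunnel endpoints (198.51.100.10 and 203.0.113.1) are constructed values.

```python
"""IPv6-in-IPv4 tunnel encapsulation and decapsulation (added example).

Stand-alone code, not the patent's implementation: it builds the IPv4 header
the packet encapsulation module prepends (protocol 41, RFC 4213) and validates
it again on the way out. Inner packet and tunnel endpoints are constructed.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41          # IPv6 encapsulated in IPv4
IPV6_HDR_LEN = 40


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones' complement sum; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Minimal IPv6 packet: version 6, zero traffic class and flow label."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(inner_v6: bytes, tunnel_src: str, tunnel_dst: str, ttl: int = 64, ident: int = 0) -> bytes:
    """Prepend the IPv4 tunnel header. DF is set so path MTU problems surface as
    ICMP errors at the tunnel endpoint instead of silent outer fragmentation."""
    total_len = 20 + len(inner_v6)
    if total_len > 0xFFFF:
        raise ValueError("inner packet too large for an IPv4 datagram")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel_src).packed, ipaddress.IPv4Address(tunnel_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner_v6


def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Strip the IPv4 header after checking this really is a tunnel packet from the
    configured peer. Raises ValueError otherwise; such packets must be dropped,
    never forwarded into the VPN."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (outer[0] & 0x0F) * 4
    if ihl < 20 or len(outer) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", outer[2:4])[0]
    if total_len > len(outer):
        raise ValueError("truncated datagram")
    if outer[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if str(ipaddress.IPv4Address(outer[12:16])) != expected_peer:
        raise ValueError("tunnel packet from unexpected source")
    inner = outer[ihl:total_len]
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len = struct.unpack("!H", inner[4:6])[0]
    if IPV6_HDR_LEN + payload_len != len(inner):
        raise ValueError("inner IPv6 length mismatch")
    return inner
```

The outer-source check is the minimum a tunnel endpoint needs: without it, anyone on the IPv4 ocean can inject an IPv6 packet into the VPN by sending a protocol-41 datagram to the gateway. In the patent's design the inner IPv6 packet is additionally protected by the IPsec SA negotiated with MOBIKE, which is what actually authenticates it.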

In embodiments of the system, to further implement the mobile VPN technical solution, the IPv6 external network may be implemented by either of the following two schemes:

(1) In the first scheme, the IPv6 external network further comprises the following functional entities:

DNS-ALG: configured with an IPv4/IPv6 dual stack, used to provide the IPv6 address corresponding to the VPN gateway when the VPN service is carried out through the IPv6 external network;

DNS in the IPv6 network: its upstream DNS is configured to be the DNS-ALG;

External access router: configured with an IPv4/IPv6 dual stack, used to encapsulate IPv6 packets with an IPv4 header and to decapsulate the corresponding packets.

(2) In the second scheme, the IPv6 external network may further comprise the following functional entities:

DNS-ALG: configured with an IPv4/IPv6 dual stack, used to provide the IPv6 address corresponding to the VPN gateway when the VPN service is carried out through the IPv6 external network;

DNS in the IPv6 network: its upstream DNS is configured in the DNS to be the DNS-ALG;

NAT-PT entity: used to communicate with the external access router and to translate between IPv6 and IPv4 addresses for the packets passing through it;

External access router: used to send the packets translated by the NAT-PT entity to the VPN gateway and to receive the packets sent by the VPN gateway.

The main difference between the second scheme and the first is the addition of the NAT-PT entity, which simplifies the processing at the external access router.

To facilitate understanding of the present invention, a specific embodiment of the system is described in detail below with reference to the drawings, taking the first scheme for implementing the IPv6 external network as an example.

The networking structure of the technical solution for realizing a mobile VPN in an IPv4/IPv6 hybrid network according to a specific embodiment of the present invention is shown in Figure 4. In Figure 4, the VPN interior is an IPv6 network environment, and inside the VPN there are a Home Net and a Foreign Net that support Mobile IPv6; the external network is an Internet based mainly on IPv4, in which there are also an External Net IPv4 (IPv4 external network) supporting Mobile IPv4 and an External Net IPv6 (IPv6 external network) supporting Mobile IPv6. A DNS-ALG device is placed at the edge of the IPv6 external network so that a mobile node in the IPv6 external network can obtain the address of the VPN gateway in the IPv4 network by domain name query. The IPv6 network also comprises the tunnel establishment module and the packet encapsulation and transmission module.

In the network system shown in Figure 4, the functions of the component devices are as follows:

(1) MN (mobile node)

Configured with an IPv4/IPv6 dual stack, supports standard MIPv4 (Mobile IPv4) and MIPv6 (Mobile IPv6), and is configured with IPsec supporting MOBIKE;

(2) VPN gateway

It is placed on the path between the internal network and the external network and provides interfaces for communicating with the internal network and the external network respectively; the external interface address facing the external network is an IPv4 address and the internal interface address facing the internal network is an IPv6 address. An IPv4/IPv6 dual stack is configured on the VPN gateway, and the VPN gateway has the encapsulation and decapsulation functions of the IPv6-in-IPv4 tunnel (the technique of carrying IPv6 packets through an IPv4 tunnel): it has an IPv4 packet processing unit for encapsulating or decapsulating IPv4 packets, and an IPv6 packet processing unit for encapsulating or decapsulating IPv6 packets. The VPN gateway also supports standard MIPv6 (the Mobile IPv6 protocol) and is configured with IPsec supporting MOBIKE (IKEv2 Mobility and Multihoming Protocol);

The VPN gateway further comprises an IPv4 address allocation unit for allocating a VPN tunnel inner address to a mobile node that has moved into the IPv4 external network; this address serves as the mobile node's care-of address in its home network.

(3) DNS-ALG (domain name server application layer gateway) and DNS (domain name server)

Located in the IPv6 external network. The DNS-ALG is configured with an IPv4/IPv6 dual stack, i.e. it supports both IPv6 and IPv4, and is used to provide the IPv4 address information of the VPN gateway and to convert that IPv4 address into the corresponding IPv6 address by prepending a specific prefix; it acts as the upstream DNS of the DNS in the IPv6 network (when the DNS in the IPv6 network cannot resolve a name, it forwards the resolution request to the DNS-ALG, which handles it). The DNS in the IPv6 network only needs an IPv6 stack;

(4) x-AR (external access router)

It is set at the edge of the IPv6 external network, is configured with an IPv4/IPv6 dual protocol stack, and has the encapsulation and decapsulation functions of IPv6 in IPv4 tunnelling.

In the system shown in Figure 4, the IP addresses inside the VPN are configured as follows:

In a traditional IPv4 network, the VPN is configured internally with private network addresses that can only be used inside the VPN. Among the IPv6 address classes, the site-local unicast address is well suited to VPN use; therefore, in the embodiment of the present invention the VPN internal network is configured with IPv6 site-local unicast addresses. A site-local unicast address can only be used to transmit data inside the VPN network: routers within the site forward packets of this address type only inside the site and never forward them outside the site. The structure of the site-local unicast address may be: 1111111011 + 38 bits of "0" + 16-bit subnet identifier + 64-bit interface identifier.

Based on the system shown in Figure 4, the specific implementation of the access modes of the mobile node provided by specific embodiments of the present invention is described below.

In the mobile VPN of the IPv4/IPv6 hybrid network, there are three ways for a mobile node to access the VPN. The three ways, and the corresponding handling of VPN services, are described in turn:

(1) In a network environment where the VPN internal network is pure IPv6, a mobile node inside the VPN communicates with the internal home agent and correspondent node using standard Mobile IPv6;

When the mobile node is in the VPN internal network, an application example of carrying out VPN services is as follows:

The whole internal network is treated as an ordinary IPv6 network, and the mobility of the mobile node is provided by Mobile IPv6. That is, while in the internal home network, the mobile node communicates through the IPv6 routing mechanism; when it leaves the home network and enters a foreign network that supports Mobile IPv6, it obtains a Mobile IPv6 care-of address through the access router, registers with the home agent and correspondent node, and completes the binding update, thereby achieving mobile communication within the internal network.

(2) In an IPv4 external network, a mobile node outside the VPN supports Mobile IPv4 and obtains an IPv4 care-of address; using the obtained care-of address it performs IKE negotiation with the VPN gateway and establishes an IPsec tunnel, through which it communicates with correspondent nodes inside the VPN;

When the mobile node leaves the VPN internal network and enters an IPv4 external network that supports Mobile IPv4, an embodiment of the corresponding VPN service process specifically includes:

A mobile node entering the IPv4 external network is assigned an IPv4 foreign-agent care-of address or an IPv4 co-located care-of address. After completing identity authentication with the VPN gateway, the mobile node begins IKE negotiation with the VPN gateway to establish an IPsec tunnel. The two endpoint addresses of the tunnel are the mobile node's care-of address and the IPv4 address of the VPN gateway's external interface.

During IKE negotiation, the VPN gateway provides a VPN-TIA (VPN Tunnel Inner Address) and advertises it to the mobile node. After leaving the internal network, the mobile node still maintains a Mobile IPv6 binding cache entry with the internal home agent or correspondent node inside the VPN, and the VPN-TIA is used as the Mobile IPv6 care-of address that the mobile node registers with the internal home agent or correspondent node.

That is, the mobile node does not use the care-of address it obtained in the external network as the care-of address registered with the home agent of the internal network; instead it uses the VPN-TIA as its internal-network care-of address. The purpose is that the home agent and correspondent nodes inside the VPN are not affected by changes of the mobile node's care-of address in the external network, which reduces the frequent sending of control messages such as registration updates, and also avoids the problem of a mobile node that has obtained an IPv4 care-of address having to register with a Mobile IPv6 internal home agent.

After the IPsec tunnel is established, the mobile node first applies Mobile IPv6 encapsulation to the upper-layer protocol packet, with the VPN-TIA as source address and the address of the internal home agent or correspondent node as destination address; it then applies IPsec encapsulation to that packet, with the mobile node's IPv4 care-of address in the external network as source address and the IPv4 address of the VPN gateway's external interface as destination address.

The structure of the packet after the two encapsulations is shown in Table 1, where i-HoA is the mobile node's home address in the internal network, x-CoA is the care-of address the mobile node obtained in the external network, and the v4/v6 mark before an address indicates the address type.

Table 1
(table image not reproduced)

(3) In an IPv6 external network, a mobile node outside the VPN supports Mobile IPv6 and obtains an IPv6 care-of address. The x-AR of the IPv6 external network and the VPN gateway in the IPv4 network use IPv6 in IPv4 tunnel encapsulation so that the mobile node in the IPv6 external network can communicate with the VPN gateway located in the IPv4 network;

When the mobile node is in the IPv6 external network, i.e. outside the VPN, the process of communicating with a VPN internal node is as follows:

(1) When the mobile node enters an external network that supports Mobile IPv6, the access router in that network (i.e. the x-AR) provides it with a wireless interface to the external network, so that the mobile node obtains a corresponding IPv6 care-of address and can use that IPv6 care-of address for network communication;

(2) After obtaining the IPv6 care-of address, the mobile node uses IPv6 in IPv4 tunnelling: the IPv6 packets are encapsulated in IPv4 and decapsulated at the x-AR of the IPv6 external network and at the VPN gateway of the IPv4 network respectively, achieving interworking between the IPv4 host and the IPv6 host;

The reason IPv6 in IPv4 tunnelling is needed is this: after the mobile node has obtained an IPv6 care-of address, if it communicates with the VPN gateway located in the IPv4 network, the differing address structures at the two ends still mean that neither side can process IP packets of a different IP version from its own, so they cannot communicate directly. Therefore the IPv6 packets need to be encapsulated in IPv4 so that the peer VPN gateway can recognise the packets it receives.

An embodiment of the process by which the mobile node, when located outside the VPN (i.e. in the IPv6 external network), communicates with a VPN internal node is described below.

In the embodiment provided by the present invention, the basis for establishing communication between an IPv4 host and an IPv6 host is association by domain name. That is, the mobile node does not need to know whether the VPN gateway it needs to communicate with has an IPv4 address or an IPv6 address; it only needs to know the FQDN (Fully Qualified Domain Name) of the VPN gateway. After domain name resolution it obtains the VPN gateway's communication address and can construct the corresponding packets to communicate with it.

First, the specific process of resolving the VPN gateway's domain name through DNS (Domain Name Server) is described. The process comprises two stages: the domain name resolution request and the domain name resolution response.

Figure 5 is a schematic diagram of the DNS request forwarding process. In the domain name resolution request stage, the main processing includes:

(1) The mobile node MN sends a DNS request to the DNS server in its IPv6 site, i.e. it sends an ("AAAA") DNS request to the corresponding IPv6 DNS server, requesting resolution of the destination host's FQDN in order to obtain the address information of the VPN gateway;

The IPv6 host initiating the communication (i.e. the mobile node MN) does not know whether the peer is an IPv4 host or an IPv6 host; the mobile node only has the FQDN of the destination host (the VPN gateway), for example www.vpngw.com, and therefore needs to obtain the VPN gateway's address through a domain name resolution request.

(2) After the DNS request from the mobile node MN reaches the DNS server of the IPv6 external network, it is forwarded to the DNS-ALG;

This is because the DNS request that the IPv6 site's DNS server receives from the mobile node is actually for the FQDN of the VPN gateway in the IPv4 network, so that DNS server cannot resolve the name and forwards the request to its upper-level DNS server. In the IPv6 external network, the upper-level DNS server address configured in the DNS server is the address of the site's DNS-ALG; therefore the DNS request sent by the mobile node MN is forwarded by the DNS server to the DNS-ALG;

(3) The DNS-ALG holds the addresses of the DNS servers of the IPv4 network. When it receives the mobile node MN's ("AAAA") IPv6 DNS request forwarded by the DNS server, the DNS-ALG determines the address of the VPN gateway's DNS server from its stored DNS server list. Because the external interface of the internal network's VPN gateway is an IPv4 interface with an IPv4 address, the corresponding DNS server is a DNS server in the IPv4 network; the DNS-ALG therefore needs to convert this IPv6 DNS request into an IPv4 DNS request ("A") and send it to the DNS server of the IPv4 network;

(4) Since the DNS-ALG is connected to the x-AR, the DNS-ALG sends the IPv4 DNS request first to the x-AR, which then sends it into the IPv4 network.

The corresponding domain name resolution response stage, i.e. the DNS reply forwarding process, is shown in Figure 6. After the DNS server in the IPv4 network receives the request, it returns a DNS reply containing the IPv4 address of the VPN gateway, and this reply is returned to the mobile node in the IPv6 network. The DNS reply process includes the following steps:

(1) The DNS-ALG in the IPv6 network receives the DNS reply from the DNS server of the IPv4 network; the result is the IPv4 address of the VPN gateway. The DNS-ALG needs to prepend a specific address prefix to this VPN gateway address; all packets carrying this prefix are routed to the x-AR;

The route for this prefix can be configured and advertised in advance in the routing devices of the IPv6 network. For example, if the prefix is 5ef0:3248::/64 and the IPv4 address of the VPN gateway is 200.0.0.1, the DNS-ALG combines this prefix with the VPN gateway's IPv4 address to construct an IPv6 address of the form 5ef0:3248::200.0.0.1 and returns it to the DNS server in the IPv6 network;

(2) After the DNS server in the IPv6 network receives the IPv6 address with the specific prefix returned by the DNS-ALG, it matches this address to the mobile node's DNS request and writes it into its cache as the address of the VPN gateway; that is, the DNS in the IPv6 network stores the mapping between the VPN gateway's domain name and its IPv6-format address;

It should be noted that after the VPN gateway's name has been resolved once by DNS, this process is not repeated; thereafter, a host that communicates with the VPN gateway by domain name can obtain the converted address of the VPN gateway, which is an IPv6 address, directly from the DNS server of the IPv6 network;

(3) After writing the resolution result (i.e. the IPv6 address with the specific prefix) into the cache, the DNS server also returns the IPv6 address formed from the specific address prefix and the VPN gateway's IPv4 address to the mobile node MN; the mobile node thereby obtains the address information of the VPN gateway needed to carry out mobile VPN services.

After the mobile node MN and the DNS server have obtained the address information of the VPN gateway, the mobile node can communicate with nodes in the VPN intranet through packet conversion and forwarding; the specific communication process includes:

(1) The mobile node receives the IPv6 address returned by the DNS server, which is an IPv6 address constructed by adding the specific address prefix to the VPN gateway's IPv4 address, and constructs an IPv6 packet with this address as the destination address.

(2) Because the route for this destination prefix has already been configured and advertised in the IPv6 network, every IPv6 packet carrying this address prefix is directed to the x-AR, so the IPv6 packet sent by the mobile node is routed to the x-AR. Here it is assumed that the specific address prefix is 5ef0:3248::/64 and the IPv4 address of the VPN gateway is 200.0.0.1;

(3) When the x-AR receives an IPv6 packet whose destination prefix is 5ef0:3248::/64, it recognises that the prefix is the specific prefix advertised for the DNS-ALG and applies IPv6 in IPv4 tunnel encapsulation to the IPv6 packet. The encapsulation is as follows:

The x-AR extracts the VPN gateway's IPv4 address from the destination address field of the IPv6 packet and uses it as the destination address of the IPv4 tunnel header, and uses the x-AR's own IPv4 address as the source address of the IPv4 tunnel header. The structure of the newly constructed IPv4 packet, i.e. the packet after IPv4 tunnel encapsulation, is shown in Table 2:

Table 2

IPv4 header | IPv6 header | IPv6 payload

(4) The x-AR sends the encapsulated IPv4 packet into the IPv4 network;

(5) An IPv4 packet received by the VPN gateway may come from a mobile node in the IPv4 external network, or it may be an IPv4-tunnel-encapsulated packet from a mobile node in the IPv6 external network. To identify the packet's origin, the VPN gateway needs to read the IPv4 header: if it finds that the next header is IPv6, it determines that the packet came from the IPv6 external network and decapsulates it, handing the decapsulated IPv6 packet to other modules for further processing. Subsequent processing is the same as for an ordinary IPv6 packet and is not described further.

When a node inside the VPN needs to send information to a mobile node in the IPv6 external network, the VPN gateway must encapsulate the IPv6 packet destined for the mobile node with an IPv4 header and send it to the mobile node through the tunnel between the x-AR and the VPN gateway; in the IPv4 header added by the VPN gateway's IPv4 tunnel encapsulation, the destination address is the x-AR's IPv4 address and the source address is the VPN gateway's IPv4 address. When the x-AR receives the IPv4 packet, reads the IPv4 header and finds that the next header is IPv6, it decapsulates the packet and forwards the resulting IPv6 packet to the mobile node. This process can be regarded as the reverse of the process by which the mobile node sends packets to the VPN gateway.
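The DNS-ALG address synthesis, the x-AR encapsulation of Table 2 and the VPN gateway's next-header check of step (5), modelled end to end as an added example that is not part of the patent. It uses the patent's prefix 5ef0:3248::/64 and gateway address 200.0.0.1; the x-AR address 198.51.100.7, the care-of address 2001:db8:1::10, the ESP stand-in payload and the "trusted x-AR" and length checks in the gateway are constructed additions.

```python
import ipaddress
import struct

# Values from the patent text: the DNS-ALG prefix and the VPN gateway's IPv4 address.
ALG_PREFIX = ipaddress.IPv6Network("5ef0:3248::/64")
VPN_GW_IPV4 = "200.0.0.1"
# Constructed sample values (not from the patent).
XAR_IPV4 = "198.51.100.7"        # x-AR external IPv4 address
MN_COA_IPV6 = "2001:db8:1::10"   # mobile node's IPv6 care-of address
IPPROTO_IPV6 = 41                # IPv6-in-IPv4 encapsulation
IPPROTO_ESP = 50                 # inner IPsec ESP payload


def dns_alg_synthesise(ipv4: str) -> str:
    """DNS-ALG step: specific prefix + gateway IPv4 address -> IPv6 address for the MN."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(ALG_PREFIX.network_address) | v4))


def embedded_ipv4(ipv6: str):
    """x-AR step: recover the IPv4 address from the low 32 bits, or None if not our prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ALG_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement header checksum; yields 0 when verifying a correct header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 packet: fixed 40-byte header followed by the payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (20-byte header, DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def xar_encapsulate(ipv6_packet: bytes):
    """x-AR: if the IPv6 destination carries the ALG prefix, tunnel the whole packet to the
    embedded gateway IPv4 address (Table 2: IPv4 header | IPv6 header | IPv6 payload).
    Returns None when the packet is not for the prefix and must be routed as plain IPv6."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    gw = embedded_ipv4(str(ipaddress.IPv6Address(ipv6_packet[24:40])))
    if gw is None:
        return None
    return build_ipv4(XAR_IPV4, gw, IPPROTO_IPV6, ipv6_packet)


def gateway_receive(ipv4_packet: bytes, trusted_xars):
    """VPN gateway step (5): classify an incoming IPv4 packet.
    Returns ("ipv6-tunnel", inner_ipv6) when the protocol field says IPv6 (41), otherwise
    ("ipv4", packet) for the IPv4 external-network mobile node path. The trusted_xars and
    length checks are added hardening (a decapsulator should not accept protocol-41 packets
    from arbitrary sources), not steps from the patent."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    if ihl < 20 or total_len != len(ipv4_packet) or ipv4_checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    proto = ipv4_packet[9]
    src = str(ipaddress.IPv4Address(ipv4_packet[12:16]))
    if proto != IPPROTO_IPV6:
        return ("ipv4", ipv4_packet)
    if src not in trusted_xars:
        raise ValueError("protocol-41 packet from unknown tunnel endpoint %s" % src)
    inner = ipv4_packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 but payload is not IPv6")
    if 40 + struct.unpack("!H", inner[4:6])[0] != len(inner):
        raise ValueError("inner IPv6 payload length mismatch")
    return ("ipv6-tunnel", inner)


def demo():
    """Run the MN -> x-AR -> VPN gateway path once and report what each hop produced."""
    gw_v6 = dns_alg_synthesise(VPN_GW_IPV4)                   # what DNS returns to the MN
    esp = b"\x00\x00\x12\x34" + b"\x00" * 28                    # constructed stand-in for ESP
    inner = build_ipv6(MN_COA_IPV6, gw_v6, IPPROTO_ESP, esp)    # MN's IPsec-encapsulated packet
    outer = xar_encapsulate(inner)                              # Table 2 packet on the IPv4 side
    kind, delivered = gateway_receive(outer, {XAR_IPV4})
    return {"gw_v6": gw_v6, "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
            "outer_proto": outer[9], "kind": kind, "inner_intact": delivered == inner}


if __name__ == "__main__":
    print(demo())
```

Note that Python prints the synthesised address in compressed hex form (5ef0:3248::c800:1), which is the same address as the patent's 5ef0:3248::200.0.0.1.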

In the above process, when the mobile node is in the IPv6 external network and wants to communicate with a VPN internal node, it needs to establish a tunnel to the VPN gateway; how to establish a tunnel that guarantees communication between the IPv6 external network and the VPN interior is the key to realising VPN communication in the hybrid network. Therefore the establishment of the corresponding IPsec tunnel and the packet forwarding process when the mobile node is in the IPv6 external network are described in detail below.

Normally the communication between the mobile node and the VPN gateway uses IKEv2 negotiation with MOBIKE support to establish an IPsec tunnel, and packets are then transmitted after encapsulation in IPsec ESP (Encapsulating Security Payload) tunnel mode. However, in the application scenario described in the embodiment of the present invention, because the mobile node and the VPN gateway are located in different types of network, the IKE negotiation signalling and the subsequent IPsec-encapsulated packets all pass through IPv6 in IPv4 tunnel encapsulation and decapsulation. Therefore, for a mobile node in the IPv6 external network to communicate with a VPN internal node, an IPsec tunnel whose two endpoint addresses are both IPv4 addresses must be established, i.e. a tunnel supporting IPv6 in IPv4 encapsulation and decapsulation, through which the IPv6 in IPv4 packets are encapsulated and delivered.

In the application example of the present invention, for the established tunnel, the SPI (Security Parameter Index) destination address entry of the mobile node's SA is the VPN gateway's IPv6 address, while the SPI destination address entry of the VPN gateway's SA is the mobile node's IPv6 address. During the IKE negotiation between the two parties, the VPN gateway also obtains its own IPv6 address, namely the specific prefix plus its own IPv4 address.

After the IPsec tunnel is established, packets must be exchanged through the tunnel; the forwarding process for the packets is described below.

The mobile node first applies Mobile IPv6 encapsulation to the upper-layer protocol packet, with the VPN-TIA (VPN Tunnel Inner Address) as source address and the address of a node inside the VPN (the internal home agent or a correspondent node) as destination address.

It then applies IPsec encapsulation, with the mobile node's IPv6 care-of address in the external network as source address and the IPv6 address of the VPN gateway's external interface as destination address; that address is generated from the VPN gateway's IPv4 address plus the specific prefix.

The structure of the IPv6 packet after the two encapsulations is shown in Table 3, where i-HoA is the mobile node's home address in the internal network, x-CoA is the care-of address the mobile node obtained in the external network, and VPN-GW is the IPv6 address with the specific prefix added. The v4/v6 mark before an address indicates the address type.

Table 3
(table image not reproduced)

Because the route for the prefix of this packet's destination address has already been configured and advertised in the IPv6 network, every IPv6 packet carrying this address prefix is directed to the x-AR, so the IPv6 packet sent by the mobile node is routed to the x-AR.

The x-AR recognises that the prefix is the specific prefix advertised for the DNS-ALG and therefore applies IPv6 in IPv4 tunnel encapsulation to the IPv6 packet. Specifically, the x-AR extracts the VPN gateway's IPv4 address from the destination address field of the IPv6 packet and uses it as the destination address of the IPv4 tunnel header, and uses the x-AR's IPv4 address as the source address of the IPv4 tunnel header. The format of the IPv4 packet after IPv4 tunnel encapsulation is shown in Table 4: the outermost header is the IPv4 header, and the entire original IPv6 packet is encapsulated in the IPv4 packet as the IPv4 payload. In the outermost header, x-AR is the access router's IPv4 address and VPN-GW is the VPN gateway's IPv4 address.

Table 4
(table image not reproduced)

The tunnel-encapsulated IPv4 packet is forwarded by the x-AR into the IPv4 network. After receiving the packet, the VPN gateway first removes the IPv4 tunnel encapsulation, then hands the packet to the IPsec function module, which removes the IPsec encapsulation and forwards it to the internal home agent or correspondent node, achieving communication between the mobile node and the VPN internal node.

The forwarding and conversion of packets sent from VPN internal nodes to the mobile node can be regarded as the reverse of the above steps and is not described again here.

In a specific implementation of the embodiments of the present invention, when the mobile node moves into the IPv6 external network, communication between it and VPN internal nodes can also be achieved with the following scheme.

In the IPv4/IPv6 hybrid network, to achieve communication between a host in the IPv6 network (the mobile node) and a host in the IPv4 network (the VPN gateway), referring to the second implementation scheme for the IPv6 external network described above, NAT-PT (Network Address Translation - Protocol Translation) can be used in addition to IPv6 in IPv4 tunnelling.

That is, embodiments of the present invention can also apply the basic technique and idea of NAT-PT to the IPv4/IPv6 hybrid network to realise the mobile VPN, and thus propose a communication scheme under this structure between a mobile node in the IPv6 network and the VPN gateway in the IPv4 network.

In this embodiment, a corresponding NAT-PT entity, i.e. a NAT-PT device, needs to be added at the edge of the IPv6 external network; specifically, the NAT-PT and the DNS-ALG described earlier can be combined into a single device.

The specific implementation of communication between a mobile node in the IPv6 external network and the VPN gateway in the IPv4 network is described in detail below.

The mobile node still obtains the VPN gateway's IPv6 address by domain name query; the query process has been described above and is not repeated here. This IPv6 address is the VPN gateway's IPv4 address plus the specific address prefix. The mobile node constructs packets with this address as the destination address.

IPv6 packets carrying the specific address prefix are routed by default to the NAT-PT. From the specific address prefix, the NAT-PT determines that the packet is addressed to a host in the IPv4 network and therefore performs protocol translation on the IPv6 packet. The NAT-PT maps the source address of the received IPv6 packet (the mobile node's care-of address) to an IPv4 address, which becomes the source address of the translated IPv4 packet; the last 32 bits of the destination address become the destination address of the translated IPv4 packet; and the fields of the IPv6 packet are converted syntactically and semantically (i.e. NAT-PT). The destination address of the translated IPv4 packet is the VPN gateway's IPv4 address;

Both the NAT-PT and the x-AR are dual-stack devices. The NAT-PT sends the translated IPv4 packet to the x-AR, which then sends it into the IPv4 network.

Converting an IPv4 packet into an IPv6 packet is the reverse of the above steps. When the x-AR receives an IPv4 packet, it first routes it to the NAT-PT. The NAT-PT extracts the destination address of the IPv4 packet, looks up the address mapping table, and finds the IPv6 address corresponding to this IPv4 destination address to use as the destination address of the IPv6 packet; it adds the specific prefix to the source address of the IPv4 packet to form the source address of the IPv6 packet; it converts the fields of the IPv4 packet syntactically and semantically, constructs the IPv6 packet and finally forwards it to the mobile node.
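The NAT-PT address mapping of the two preceding paragraphs (outbound: care-of address to pool address, destination to its low 32 bits; inbound: reverse lookup in the mapping table, prefix added to the source), written as an added example that is not part of the patent. It works at address level only (no header or ICMP rewriting) and uses the patent's prefix 5ef0:3248::/64 and gateway 200.0.0.1; the IPv4 pool 198.51.100.10-11 and care-of addresses under 2001:db8:1::/64 are constructed sample values.

```python
import ipaddress


class NatPT:
    """Address-level NAT-PT between the IPv6 external network and the IPv4 network.

    Outbound IPv6 source addresses (the MN's care-of address) are mapped to an IPv4
    address from a pool; the IPv4 destination is the low 32 bits of the prefixed IPv6
    destination. Inbound packets are translated back through the mapping table, and
    an inbound packet for which no mapping exists is dropped (returned as None)."""

    def __init__(self, prefix: str, ipv4_pool):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.free = list(ipv4_pool)   # unused pool addresses, handed out in order
        self.v6_to_v4 = {}            # MN care-of address -> pool address
        self.v4_to_v6 = {}            # pool address -> MN care-of address

    def _embedded_ipv4(self, v6: ipaddress.IPv6Address) -> str:
        """Last 32 bits of a prefixed IPv6 address, i.e. the IPv4 host it stands for."""
        return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))

    def _prefixed(self, v4: str) -> str:
        """Specific prefix + IPv4 address, the same synthesis the DNS-ALG performs."""
        base = int(self.prefix.network_address)
        return str(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4))))

    def outbound(self, src6: str, dst6: str):
        """IPv6 -> IPv4 (MN toward the VPN gateway). Returns (src4, dst4) or None to drop."""
        src, dst = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst not in self.prefix:
            return None               # not addressed to an IPv4 host: not translated
        mapped = self.v6_to_v4.get(src)
        if mapped is None:
            if not self.free:
                return None           # pool exhausted: drop rather than reuse an address
            mapped = self.free.pop(0)
            self.v6_to_v4[src] = mapped
            self.v4_to_v6[mapped] = src
        return (mapped, self._embedded_ipv4(dst))

    def inbound(self, src4: str, dst4: str):
        """IPv4 -> IPv6 (VPN gateway toward the MN). Returns (src6, dst6) or None to drop."""
        target = self.v4_to_v6.get(dst4)
        if target is None:
            return None               # no existing mapping: unsolicited inbound, drop
        return (self._prefixed(src4), str(target))

    def release(self, src6: str) -> bool:
        """Tear down a mapping (e.g. when the MN's binding expires) and return its
        IPv4 address to the pool. Returns False if there was no mapping."""
        mapped = self.v6_to_v4.pop(ipaddress.IPv6Address(src6), None)
        if mapped is None:
            return False
        del self.v4_to_v6[mapped]
        self.free.append(mapped)
        return True


if __name__ == "__main__":
    nat = NatPT("5ef0:3248::/64", ["198.51.100.10", "198.51.100.11"])
    print(nat.outbound("2001:db8:1::10", "5ef0:3248::200.0.0.1"))  # MN -> VPN gateway
    print(nat.inbound("200.0.0.1", "198.51.100.10"))                 # VPN gateway -> MN
```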

The following describes in detail, for the case where a NAT-PT entity is deployed, how a mobile node located in an IPv6 external network establishes a tunnel and how packets are forwarded so that the node can communicate with the interior of the VPN.

First, the tunnel is established as follows:

As before, the initial communication between the mobile node and the VPN gateway is a MOBIKE-capable IKEv2 negotiation that establishes an IPsec tunnel; packets are then transmitted in IPsec ESP tunnel-mode encapsulation. Because the NAT-PT is in the path, the IKE negotiation signalling and the subsequent IPsec-encapsulated packets all undergo IPv4-to-IPv6 or IPv6-to-IPv4 translation. The SPI destination address entry of the mobile node's SA is the IPv6 address of the VPN gateway, whereas the SPI destination address entry of the VPN gateway's SA is the IPv4 address of the mobile node; neither side knows that its peer is a host of a different network type. This does not affect tunnel establishment or data transmission between the two parties, and it also simplifies the mobile node's handover between external networks of different types: whether the mobile node is in an IPv4 external network or an IPv6 external network, the VPN gateway always regards the mobile node as being in an IPv4 network.

Next, packets are forwarded through the tunnel as follows:

After the IPsec tunnel is established, the mobile node first applies Mobile IPv6 encapsulation to the upper-layer protocol packet, with the VPN-TIA as source address and the address of the internal home agent or correspondent node as destination address; it then applies IPsec encapsulation, with the mobile node's IPv6 care-of address in the external network as source address and the IPv6 address of the VPN gateway's external interface as destination address, the latter being formed by prepending the specific prefix to the VPN gateway's IPv4 address. The structure of the IPv6 packet after both encapsulations, for a mobile node located in an IPv6 external network, is shown in Table 5, where i-HoA is the mobile node's home address in the internal network, x-CoA is the care-of address the mobile node obtained in the external network, and VPN-GW (VPN gateway) is the IPv6 address formed with the specific prefix. The v4/v6 mark before each address indicates the address type.

Table 5 (figure imgf000014_0001)

After this packet is routed to the NAT-PT, the NAT-PT maps the source address of the received IPv6 packet (the mobile node's care-of address) to an IPv4 address, which becomes the source address of the translated IPv4 packet; the low-order 32 bits of the destination address become the destination address of the translated IPv4 packet; the remaining fields of the IPv6 packet are translated syntactically and semantically; and an IPv4 packet whose destination address is the IPv4 address of the VPN gateway is constructed. Table 6 shows the IPv4 packet format after NAT-PT translation; at this point the outermost IPsec header has been translated to IPv4 addresses. Here x-CoA is the IPv4 care-of address obtained by mapping the mobile node's IPv6 care-of address, and VPN-GW is the IPv4 address of the VPN gateway.

The structure of the IPv4 packet after NAT-PT translation is shown in Table 6:

Table 6 (figure imgf000014_0002)

The IPv4 packet translated by the NAT-PT is forwarded to the x-AR, which forwards it into the IPv4 network. On receiving the packet, the VPN gateway removes the IPsec encapsulation and forwards the packet to the internal home agent or correspondent node, so that the mobile node communicates with nodes inside the VPN.
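The address handling of the two NAT-PT translation steps described above (IPv6-to-IPv4 for the packet of Table 5 leaving the IPv6 external network, and the reverse mapping for the reply) is written out below as an added Python example. It is not code from the patent; the prefix and the IPv4 pool are constructed documentation ranges, and only the outermost (IPsec) header is modelled because that is the only header NAT-PT rewrites.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values (documentation ranges), not addresses from the patent:
# the "specific prefix" prepended to IPv4 addresses, and the IPv4 pool the
# NAT-PT draws from when it maps an IPv6 care-of address.
NAT_PT_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")
V4_POOL = ["198.51.100.10", "198.51.100.11"]


@dataclass
class Header:
    """One IP header; only the fields NAT-PT rewrites are modelled."""
    version: int
    src: str
    dst: str


@dataclass
class NatPt:
    """Address side of NAT-PT: a mapping table from IPv6 care-of addresses to
    pool IPv4 addresses, plus the prefix embedding used in the other direction."""
    v6_to_v4: dict = field(default_factory=dict)
    v4_to_v6: dict = field(default_factory=dict)
    free: list = field(default_factory=lambda: list(V4_POOL))

    @staticmethod
    def embed(v4):
        """prefix::a.b.c.d, i.e. the IPv4 address in the low-order 32 bits."""
        return ipaddress.IPv6Address(
            int(NAT_PT_PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))

    @staticmethod
    def extract(v6):
        """Low-order 32 bits of a prefixed IPv6 address as an IPv4 address."""
        return ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF)

    def to_ipv4(self, outer):
        """IPv6 -> IPv4 for a packet leaving the IPv6 external network."""
        if ipaddress.IPv6Address(outer.dst) not in NAT_PT_PREFIX:
            raise ValueError("destination lacks the NAT-PT prefix: not for an IPv4 host")
        src6 = ipaddress.IPv6Address(outer.src)
        if src6 not in self.v6_to_v4:
            if not self.free:                     # pool exhaustion is the failure mode
                raise RuntimeError("NAT-PT IPv4 pool exhausted")
            v4 = self.free.pop(0)
            self.v6_to_v4[src6] = v4
            self.v4_to_v6[v4] = src6
        return Header(4, self.v6_to_v4[src6], str(self.extract(outer.dst)))

    def to_ipv6(self, outer):
        """IPv4 -> IPv6 for the reply from the IPv4 network (reverse mapping)."""
        if outer.dst not in self.v4_to_v6:
            raise KeyError("no mapping for destination %s" % outer.dst)
        return Header(6, str(self.embed(outer.src)), str(self.v4_to_v6[outer.dst]))


def translate_outer(natpt, packet):
    """packet = [outer IPsec header, inner MIPv6 header, payload] as in Table 5/6.
    Only the outermost header is rewritten; the ESP-protected inner header and
    payload pass through untouched."""
    outer, *rest = packet
    new_outer = natpt.to_ipv4(outer) if outer.version == 6 else natpt.to_ipv6(outer)
    return [new_outer, *rest]
```

Because the mapping is stateful, a reply from the IPv4 side for which no mapping exists is dropped rather than guessed, and a flood of distinct IPv6 care-of addresses exhausts the pool; both are conditions a deployment should monitor.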

Forwarding and translation of packets sent from a node inside the VPN to the mobile node is exactly the reverse of the above steps and is not repeated here.

In the embodiment of the present invention, because the mobile node is mobile, the implementation also includes the mobile node's handover between networks of different types and the updating of SA addresses. This process is described in detail below.

The IPv4-v6 hybrid network contains IPv4 external networks supporting Mobile IPv4 and IPv6 external networks supporting Mobile IPv6. Heterogeneous networks are an IPv4 network and an IPv6 network respectively; homogeneous networks are both IPv4 networks or both IPv6 networks.

After the mobile node has accessed the VPN through the IPsec tunnel, it may move between different networks. In the specific embodiment of the present invention, when the mobile node is in the internal network it can use standard Mobile IPv6 communication; when the mobile node roams from the internal network to an external network it must establish an IPsec tunnel to communicate with nodes inside the VPN; and after the mobile node leaves its current external network and enters a new external network of a different or the same type, it can use the MOBIKE protocol to update the SA addresses with the newly obtained care-of address, keep the existing IPsec tunnel, and continue to communicate with nodes inside the VPN.

After the mobile node's care-of address changes, in order to avoid a new negotiation and continue communicating over the existing IPsec tunnel, the embodiment provided by the present invention uses the MOBIKE protocol to give the IPsec protocol support for node mobility, so that after the care-of address changes the existing IPsec tunnel can be kept for communication by means of an SA address update.

To explain this technical point of the embodiment clearly, the existing MOBIKE protocol is first introduced.

MOBIKE is an extension protocol based on IKEv2 that effectively supports mobility at both ends of IPsec tunnel communication. MOBIKE allows the nodes at both ends of the tunnel to update their IP addresses while keeping the IKE SA and the IPsec SAs; in other words, after the IP address of a node at either end of the tunnel changes, the existing IPsec tunnel can be kept without renegotiation. An important application scenario of MOBIKE is an IPsec VPN in which a mobile node keeps its existing IPsec tunnel with the VPN gateway after its care-of address in the external network changes.

MOBIKE supports both communicating parties having multiple addresses, and the initiator of the IKE_SA (Internet Key Exchange security association) decides which pair of endpoint addresses the tunnel uses. When the IPsec SA addresses are updated, it is also the initiator of the IKE_SA that issues the address update request. This arrangement in MOBIKE suits the mobile VPN scenario very well: in a mobile VPN it is usually the mobile node that, while in an external network, initiates the IKE negotiation with the VPN gateway and establishes the IPsec tunnel. After the mobile node's care-of address changes, the mobile node issues the address update request and begins updating the mobile node's address in the IKE SA and the IPsec SAs (IPsec security associations).

Because MOBIKE is an extension of IKEv2, it is realised entirely within IKEv2 negotiation exchanges. MOBIKE defines a number of new notify payloads, which are used during the three IKEv2 exchange types (the IKE_SA exchange, the IPsec SA exchange and the informational exchange) to realise the functions MOBIKE supports.

To support the MOBIKE protocol in an established IPsec tunnel, a MOBIKE_SUPPORTED notify payload must first be included in the IKE_AUTH exchange (the authentication exchange of IKE initialisation) when the IKE_SA is initialised, indicating that both nodes support the MOBIKE protocol.

The MOBIKE protocol supports entities at both ends of the communication having multiple addresses at the same time: the initiator and the responder can include ADDITIONAL_IPv4_ADDRESS or ADDITIONAL_IPv6_ADDRESS notify payloads in the IKE_AUTH exchange (the last two messages of the IKEv2 initial exchanges).

When the MOBIKE protocol is implemented, the addresses of the corresponding IPsec SAs are updated as follows:

In MOBIKE, the initiator of the IKE_SA decides the addresses used in the IPsec SAs. That is, the responder updates the IP addresses of the IPsec SAs only after receiving an explicit UPDATE_SA_ADDRESSES request from the initiator. Once the initiator has decided to update the address, it updates the IP addresses in the IKE_SA and the IPsec SAs and sets the "pending_update" flag in the IKE_SA; if there are IKEv2 requests that were sent to the responder but not yet answered, it retransmits them using the updated IP address; when the window size allows, it sends an exchange request containing the UPDATE_SA_ADDRESSES notify payload and clears the "pending_update" flag; if the address changes again while it is waiting for the response to that exchange, it starts again from the first step and ignores the response that comes back.

When processing an exchange request containing UPDATE_SA_ADDRESSES, the responder proceeds as follows:

1. Because the responder may use a window size greater than 1, requests may be received out of order; it therefore checks whether it has already received an UPDATE_SA_ADDRESSES request newer than this one and, if so, only sends a response and takes no other action;

2. It checks according to local policy whether the source and destination addresses of the IP header are acceptable; if not, it returns a response containing an UNACCEPTABLE_ADDRESSES notify payload indicating that they are not acceptable;

3. It updates the IP addresses in the IKE_SA with the IP addresses from the IP header sent by the initiator;

4. It returns an informational exchange response indicating that the update is complete;

When the initiator receives the response, it proceeds as follows:

1. If the IP address has changed again before the response arrives, it does nothing with the response and sends a new UPDATE_SA_ADDRESSES request;

2. If the response contains an UNACCEPTABLE_ADDRESSES notify payload, the initiator may choose other addresses and exchange again, continue using the current addresses, or disconnect.

The MOBIKE protocol also includes a return routability check, as follows: either the initiator or the responder may optionally verify whether the peer can receive packets at the address currently in use. The return routability check may be performed before or after the IPsec SAs are updated, or during a normal connection. By default, a return routability check is required after the IPsec SAs have been updated. One party sends an IKE informational exchange request containing a COOKIE2 notify payload; on receiving it, the other party sends an informational exchange response in which it copies the received COOKIE2 notify payload; on receiving the response, the initiator checks whether the returned COOKIE2 notify payload is identical to the one it sent, which completes the return routability check.
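The address update procedure above (initiator steps, the four responder steps, and the initiator's handling of the response) together with the COOKIE2 return routability check is modelled below as an added Python example. It is not code from the patent or from any IKE implementation: messages are plain objects passed directly between the two sides, the "window size" is represented only by message ids, and the local policy is a constructed predicate.

```python
import os
from dataclasses import dataclass, field
from typing import Callable

# Notify payload names as the description above uses them.
UPDATE_SA_ADDRESSES = "UPDATE_SA_ADDRESSES"
UNACCEPTABLE_ADDRESSES = "UNACCEPTABLE_ADDRESSES"
COOKIE2 = "COOKIE2"


@dataclass
class Msg:
    """An IKEv2 informational message plus the IP header it arrived in."""
    msg_id: int
    src: str          # IP header source: the address the responder trusts
    dst: str
    notify: dict = field(default_factory=dict)

    def reply(self, notify=None):
        return Msg(self.msg_id, self.dst, self.src, notify or {})


@dataclass
class Responder:
    """VPN-gateway side: it never chooses addresses, it only accepts or
    rejects the initiator's update, following the four steps above."""
    sa_addrs: tuple                      # (peer, local) in IKE_SA and IPsec SAs
    policy: Callable[[str, str], bool]   # local policy on (src, dst) of the IP header
    newest_update: int = -1              # highest UPDATE_SA_ADDRESSES msg id seen

    def handle(self, req):
        if UPDATE_SA_ADDRESSES in req.notify:
            if req.msg_id < self.newest_update:      # step 1: stale (window > 1)
                return req.reply()
            self.newest_update = req.msg_id
            if not self.policy(req.src, req.dst):    # step 2: local policy
                return req.reply({UNACCEPTABLE_ADDRESSES: True})
            self.sa_addrs = (req.src, req.dst)       # step 3: taken from the IP header
            return req.reply()                       # step 4: update done
        if COOKIE2 in req.notify:                    # return routability check
            return req.reply({COOKIE2: req.notify[COOKIE2]})
        return req.reply()


@dataclass
class Initiator:
    """Mobile-node side: the IKE_SA initiator owns the address decision."""
    local: str
    peer: str
    sa_addrs: tuple
    next_id: int = 0
    pending_update: bool = False

    def address_changed(self, new_local):
        self.local = new_local
        self.sa_addrs = (new_local, self.peer)   # own IKE_SA / IPsec SAs updated at once
        self.pending_update = True              # cleared once the request is sent

    def send(self, notify):
        m = Msg(self.next_id, self.local, self.peer, notify)
        self.next_id += 1
        return m

    def build_update(self):
        self.pending_update = False             # window size allows sending now
        return self.send({UPDATE_SA_ADDRESSES: True})

    def on_update_response(self, sent, resp):
        if self.local != sent.src:              # moved again while waiting:
            return "restart"                    # ignore the reply, start over
        if UNACCEPTABLE_ADDRESSES in resp.notify:
            return "unacceptable"
        return "updated"

    def return_routability(self, responder):
        cookie = os.urandom(16)
        resp = responder.handle(self.send({COOKIE2: cookie}))
        return resp.notify.get(COOKIE2) == cookie   # must come back unchanged


def handover(initiator, responder, new_local):
    """One SA address update followed by the default post-update routability check."""
    initiator.address_changed(new_local)
    req = initiator.build_update()
    result = initiator.on_update_response(req, responder.handle(req))
    rr_ok = result == "updated" and initiator.return_routability(responder)
    return {"result": result, "rr_ok": rr_ok}
```

Two points the model makes visible: the responder takes the new addresses from the IP header rather than from anything inside the payload, and a late-arriving older request is acknowledged but does not roll the SA addresses back.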

Having introduced the MOBIKE protocol, the following describes the mobile node's network handover and SA address update process.

A mobile node's handover in the external network falls into two cases:

Handover between homogeneous networks, meaning that the mobile node roams from one IPv4 external network to another IPv4 external network, or from one IPv6 external network to another IPv6 external network;

Handover between heterogeneous networks, meaning that the mobile node roams from an IPv4 external network to an IPv6 external network, or from an IPv6 external network to an IPv4 external network.

In addition, the mobile node roaming from the IPv6 internal network to an external network falls into two cases: moving to an IPv4 external network and moving to an IPv6 external network.

The configuration of the mobile node and the SA address update are described below for each case.

(I) The mobile node is in the internal network

When the mobile node is in the internal network and not in its home network, it communicates with the VPN's internal home agent and correspondent nodes using standard Mobile IPv6. When a mobile node in the internal network moves and its IP address changes, it must immediately stop communicating with the other nodes in the VPN, and the following applies:

(1) If an IPv4 care-of address is obtained, the mobile node determines that it is now in an IPv4 external network, and uses the IPv4 care-of address to carry out a MOBIKE-capable IKE negotiation with the VPN gateway and establish an IPsec tunnel; the mobile node uses the VPN-TIA generated by the VPN gateway as its internal MIPv6 care-of address, sends a registration request to the i-HA (internal home agent) through the IPsec tunnel, and after receiving the registration reply communicates with internal network nodes through the established IPsec tunnel;

(2) If the mobile node obtains an IPv6 care-of address, it queries the IPv6 address of the VPN gateway indirectly by means of domain name resolution (the query process was described earlier and is not repeated here); at the same time, the mobile node also sends a standard Mobile IPv6 registration request to the VPN's internal home agent, and proceeds according to whether the corresponding Mobile IPv6 registration reply is received, specifically:

If the mobile node receives the Mobile IPv6 registration reply corresponding to the Mobile IPv6 registration request, it determines that the network it is currently in is still the VPN internal network; after the registration update completes, the mobile node can communicate with nodes inside the VPN using the new IPv6 care-of address;

If no Mobile IPv6 registration reply corresponding to the Mobile IPv6 registration request is received, and the query for the VPN gateway's IPv6 address succeeds, the mobile node must be in an IPv6 external network; it uses the new IPv6 address to carry out a MOBIKE-capable IKE negotiation with the VPN gateway and establish an IPsec tunnel. In this case the IPsec tunnel is established as follows: the mobile node uses the VPN-TIA generated by the VPN gateway as its internal Mobile IPv6 care-of address, sends a registration request to the internal home agent through the IPsec tunnel, and after receiving the registration reply communicates with internal network nodes through the established IPsec tunnel.

(II) The mobile node is in an external network

When the mobile node is in an external network it has established an IPsec tunnel and communicates with nodes inside the VPN through it. The configuration adopted by the mobile node differs between an IPv4 external network and an IPv6 external network; by comparison, a mobile node in an IPv6 external network requires IPv6-in-IPv4 tunnel encapsulation and is more complex.

Roaming of the mobile node in an IPv4 external network and in an IPv6 external network is described separately below.

1. The mobile node is in an IPv4 external network

When the mobile node is in an IPv4 external network, it uses the IPv4 care-of address it obtained as the local tunnel endpoint address, carries out a MOBIKE-capable IKE negotiation with the VPN gateway, establishes an IPsec tunnel, and communicates with nodes inside the VPN through it. When the mobile node moves within the IPv4 external network and its IP address changes, it immediately stops communicating with nodes inside the VPN, and the following applies:

(1) If an IPv4 care-of address is obtained, the mobile node has entered another IPv4 external network; it initiates MOBIKE and performs an SA address update, after which the SA endpoint addresses are the mobile node's new IPv4 care-of address and the VPN gateway's IPv4 address;

(2) If the mobile node obtains an IPv6 care-of address, it queries the IPv6 address of the VPN gateway indirectly by means of domain name resolution; at the same time, it also sends a standard Mobile IPv6 registration request to the VPN's internal home agent, and proceeds according to whether the corresponding registration reply is returned, specifically:

If the mobile node receives the Mobile IPv6 registration reply corresponding to the Mobile IPv6 registration request, it determines that it has now entered the VPN internal network; after the registration update completes, the mobile node can communicate with nodes inside the VPN using the new IPv6 care-of address;

If no MIPv6 (Mobile IPv6) registration reply corresponding to the Mobile IPv6 registration request is received, and the query for the VPN gateway's IPv6 address succeeds, the mobile node is in an IPv6 external network; it initiates MOBIKE and performs an SA address update, after which the SA endpoint addresses are the mobile node's newly obtained IPv6 care-of address and the VPN gateway's IPv6 address; after the IKE SA and IPsec SAs address update completes, the mobile node continues to communicate with nodes inside the VPN through the IPsec tunnel.

Regarding the SA addresses it should be noted that, because the mobile node moves from an IPv4 external network to an IPv6 external network, both the destination address and the source address of the mobile node (that is, the SA endpoint addresses) change, and the mobile node updates them to IPv6 addresses; the VPN gateway, for its part, updates according to the addresses of the IP packet after receiving the UPDATE_SA_ADDRESSES (update security association addresses) notify payload, so the VPN gateway considers that the SA endpoint addresses have changed and updates them to the IPv6 addresses of the mobile node and the VPN gateway.

2. The mobile node is in an IPv6 external network

When the mobile node is in an IPv6 external network, it obtains an IPv6 care-of address and learns the VPN gateway's IPv6 address by domain name resolution. It then initiates a MOBIKE-capable IKE negotiation, establishes an IPsec tunnel, and communicates with nodes inside the VPN through it. When the mobile node moves within the IPv6 external network and its IP address changes, it immediately stops communicating with nodes inside the VPN, and the following applies:

(1) If an IPv4 care-of address is obtained, the mobile node has entered an IPv4 external network; it initiates MOBIKE and performs an SA address update, after which the SA endpoint addresses are the mobile node's new IPv4 care-of address and the VPN gateway's IPv4 address;

(2) If the mobile node obtains an IPv6 care-of address, it queries the IPv6 address of the VPN gateway indirectly by means of domain name resolution, and at the same time sends a standard Mobile IPv6 registration request to the VPN's internal home agent; it proceeds according to whether a registration reply is returned, specifically:

If the mobile node receives the Mobile IPv6 registration reply corresponding to the Mobile IPv6 registration request, it determines that it has now entered the VPN internal network; after the registration update completes, the mobile node can communicate with nodes inside the VPN using the new IPv6 care-of address;

If no MIPv6 registration reply corresponding to the Mobile IPv6 registration request is received, and the query for the VPN gateway's IPv6 address succeeds, the mobile node is in an IPv6 external network; it initiates MOBIKE and performs an SA address update, after which the SA endpoint addresses are the mobile node's newly obtained IPv6 care-of address and the VPN gateway's IPv6 address; after the IKE SA and IPsec SAs address update completes, the mobile node continues to communicate with nodes inside the VPN through the IPsec tunnel.
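The handover cases of sections (I) and (II) above reduce to one decision table keyed on the node's current location, the family of the new care-of address, whether the Mobile IPv6 registration reply arrived, and whether the DNS-ALG lookup of the gateway's IPv6 address succeeded. The Python below is an added example, not code from the patent; the outcome for an IPv6 care-of address that yields neither a registration reply nor a resolved gateway address is not specified by the text and is treated here, as an assumption, as "stay put".

```python
from dataclasses import dataclass
from enum import Enum


class Where(Enum):
    INTERNAL = "VPN internal network"
    EXT_V4 = "IPv4 external network"
    EXT_V6 = "IPv6 external network"


class Action(Enum):
    MIPV6_ONLY = "standard Mobile IPv6 registration, no IPsec tunnel needed"
    IKE_NEGOTIATE = "MOBIKE-capable IKEv2 negotiation, new IPsec tunnel"
    MOBIKE_UPDATE = "UPDATE_SA_ADDRESSES on the existing IPsec tunnel"
    UNDETERMINED = "neither registration reply nor gateway address yet"


@dataclass
class Observation:
    """What the mobile node has learned right after its address changed."""
    new_coa: str
    mipv6_reply_received: bool = False   # reply to the standard MIPv6 registration request
    gateway_v6_resolved: bool = False    # DNS-ALG lookup of the gateway's IPv6 address succeeded


def decide(current: Where, obs: Observation):
    """Returns (new location, action) for one handover, following the cases above.
    Assumption (not stated in the patent): with an IPv6 CoA and neither a
    registration reply nor a resolved gateway address, the node stays where it was."""
    has_tunnel = current is not Where.INTERNAL
    follow_up = Action.MOBIKE_UPDATE if has_tunnel else Action.IKE_NEGOTIATE
    if ":" not in obs.new_coa:                     # an IPv4 CoA: IPv4 external network
        return Where.EXT_V4, follow_up
    if obs.mipv6_reply_received:                   # the home agent answered: still inside
        return Where.INTERNAL, Action.MIPV6_ONLY
    if obs.gateway_v6_resolved:                    # no reply, but the gateway is reachable
        return Where.EXT_V6, follow_up
    return current, Action.UNDETERMINED


def sa_endpoints(location: Where, coa: str, gw_v4: str, prefix: str):
    """SA endpoint pair after the update: the node's new CoA and the gateway
    address of the matching family (the IPv6 form is the prefix plus the IPv4
    address, as the DNS-ALG produces it). None when no tunnel is in use."""
    if location is Where.EXT_V4:
        return (coa, gw_v4)
    if location is Where.EXT_V6:
        return (coa, prefix + gw_v4)
    return None
```

Note that the registration reply is the only signal that distinguishes "moved within the VPN" from "moved to an IPv6 external network"; a node that treats a spoofed or replayed reply as genuine would skip tunnel establishment, which is why the reply is protected by the Mobile IPv6 binding security the patent assumes.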

Security must be considered during the SA address update, specifically: when SA addresses are updated, there may be security threats from third parties in the network. Taking security into account, the MOBIKE protocol provides two protection mechanisms:

First, the return routability check can be used to verify the reachability of the addresses provided by both nodes, which prevents large volumes of traffic from being directed at a third party;

Second, NAT prohibition ensures that the IP addresses cannot be modified by any NAT, IPv4/v6 translator, or similar device.

This feature is mainly used when the administrator already knows that there is no NAT device between the two nodes, so that any modification of a packet is regarded as an attack.

In this embodiment, after each SA address update and before data-flow communication is resumed, a return routability check is added to ensure that the updated address is safely routable. When the mobile node enters an IPv4 external network or an IPv6 external network, it is assumed that no NAT device is needed between the mobile node and the VPN gateway, so NAT prohibition can be used to protect packets from modification.

In summary, the embodiment provided by the present invention uses the MOBIKE protocol to update the SA address entries, combined with the method of the VPN gateway assigning a VPN-TIA address to the mobile node, and thereby solves the two problems mentioned in the prior art. It also proposes that, during the transition from IPv4 to IPv6, in an IPv4-v6 hybrid environment with IPv4 as the backbone network, a mobile node can access the VPN service and hand over between networks while maintaining normal communication.

Moreover, applying the specific embodiment of the present invention on an existing communication network introduces no new devices and requires no hardware upgrade; only the software of the corresponding devices needs to be improved, so the whole configuration process is simple and easy to carry out.

The above is merely a preferred specific embodiment of the present invention, and the scope of protection of the present invention is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the specific embodiments of the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.

Claims

1. A VPN gateway, characterized in that it comprises an IPv4 packet processing unit, an IPv4 interface, an IPv6 packet processing unit and an IPv6 interface, wherein the IPv4 interface is used to exchange IPv4 packets with an IPv4 network and the IPv4 packet processing unit is used to encapsulate or decapsulate IPv4 packets; and the IPv6 interface is used to exchange IPv6 packets with an IPv6 network and the IPv6 packet processing unit is used to encapsulate or decapsulate IPv6 packets.

2. The VPN gateway according to claim 1, characterized in that it further comprises an IPv4 address allocation unit, used to allocate a VPN tunnel internal address to a mobile node that has moved into an IPv4 external network, the address being the mobile node's care-of address in its home network.

3. An IPv6 network system, characterized in that the system can traverse an IPv4 network and communicate, through a VPN gateway, with the IPv6 network inside the VPN, the internal interface provided by the VPN gateway being an IPv6 interface and its external interface being an IPv4 interface, the system further comprising:
a tunnel establishment module, used to establish between the VPN gateway and an external network a tunnel that can carry the VPN packets exchanged between the two networks, the addresses at the two ends of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway, respectively;
a packet encapsulation and transmission module, arranged at both ends of the tunnel, used to encapsulate a VPN packet to be sent with an IPv4 header and send it through the tunnel to the peer end.

4. The system according to claim 3, characterized in that the system further comprises:
a domain name server application layer gateway (DNS-ALG), configured with an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway while VPN service is carried out through an IPv6 external network;
a domain name server (DNS) in the IPv6 network, whose upper-level DNS is configured to be the DNS-ALG;
an external access router, configured with an IPv4 and IPv6 dual protocol stack, used to encapsulate IPv6 packets with an IPv4 header and, conversely, to decapsulate the corresponding packets.

5. The system according to claim 3, characterized in that the system further comprises:
a DNS-ALG, configured with an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway;
a DNS in the IPv6 network, in which the upper-level DNS is configured to be the DNS-ALG;
a NAT-PT entity, used to communicate with the external access router and to perform the corresponding translation between IPv6 addresses and IPv4 addresses for packets that pass through the entity;
an external access router, used to send the packets translated by the NAT-PT entity to the VPN gateway and to receive the packets sent by the VPN gateway.

6. A system for implementing a mobile VPN in a hybrid network, characterized in that it comprises an external network, an IPv4 network, a VPN and a VPN gateway, the internal network of the VPN being an IPv6 network, the internal interface provided by the VPN gateway being an IPv6 interface and its external interface being an IPv4 interface, and the external network comprising an IPv4 external network and an IPv6 external network, the system further comprising:
a tunnel establishment module, used to establish between the VPN gateway and the external network a tunnel that can carry the VPN packets exchanged between the two networks, the addresses at the two ends of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway, respectively;
a packet encapsulation and transmission module, arranged at both ends of the tunnel, used to encapsulate a VPN packet to be sent with an IPv4 header and send it through the tunnel to the peer end.

7. The system for implementing a mobile VPN in a hybrid network according to claim 6, characterized in that, in the IPv6 external network, the system further comprises:
a DNS-ALG, configured with an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway while VPN service is carried out through the IPv6 external network;
a DNS in the IPv6 network, whose upper-level DNS is configured to be the DNS-ALG;
an external access router, configured with an IPv4 and IPv6 dual protocol stack, used to encapsulate IPv6 packets with an IPv4 header and, conversely, to decapsulate the corresponding packets.

8. The system for implementing a mobile VPN in a hybrid network according to claim 6, characterized in that, in the IPv6 external network, the system further comprises:
a DNS-ALG, configured with an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway;
a DNS in the IPv6 network, in which the upper-level DNS is configured to be the DNS-ALG;
a NAT-PT entity, used to communicate with the external access router and to perform the corresponding translation between IPv6 addresses and IPv4 addresses for packets that pass through the entity;
an external access router, used to send the packets translated by the NAT-PT entity to the VPN gateway and to receive the packets sent by the VPN gateway.

9. A method for implementing a mobile VPN in a hybrid network, characterized in that the method is applied in a hybrid network comprising an IPv4 network and an IPv6 network inside a mobile virtual private network (VPN), a VPN gateway of the VPN is provided in the hybrid network, and the VPN gateway provides an internal interface with an IPv6 address and an external interface with an IPv4 address, the method comprising:
establishing a tunnel between the VPN gateway and an external network, the tunnel being used to carry the VPN packets exchanged between the external network and the IPv6 network inside the VPN, the addresses at the two ends of the tunnel being the IPv4 address of the external network and the IPv4 address of the external interface provided by the VPN gateway, respectively, and the external network being an IPv4 external network or an IPv6 external network;
after encapsulating the VPN packet to be transmitted with an IPv4 header, transmitting the VPN packet through the tunnel, so as to provide VPN service in the hybrid network.

10. The method for implementing a mobile VPN in a hybrid network according to claim 9, characterized in that, if the mobile node is located in an IPv6 external network, the method further comprises obtaining the address of the VPN gateway, which specifically comprises:
the mobile node initiates a DNS request for the VPN gateway to the DNS of the IPv6 network it is in; after the request reaches the DNS in the IPv6 network, it is forwarded to the domain name server application layer gateway (DNS-ALG) provided in the IPv6 network;
the DNS-ALG determines, from the DNS server information it holds, the DNS that resolves the IPv4 address of the VPN gateway, converts the DNS request into a DNS request in IPv4 format and sends it to the DNS so determined;
after the DNS-ALG receives the DNS reply returned by the DNS that resolves the IPv4 address of the VPN gateway, it stores the IPv4 address information of the VPN gateway, prepends a prefix to that IPv4 address to convert it into an IPv6 address in IPv6 format, and sends the IPv6 address to the mobile node, which uses it as the address information of the VPN gateway.

11. The method for implementing a mobile VPN in a hybrid network according to claim 9 or 10, characterized in that the tunnel is an IPsec tunnel supporting the IKEv2 Mobility and Multihoming Protocol (MOBIKE), and the process of establishing the tunnel specifically comprises:
after the mobile node has moved into an IPv6 external network and an IPsec tunnel has been established between the VPN gateway and the mobile node that has obtained a care-of address in the IPv6 external network, the VPN gateway establishes with the access router of the IPv6 external network an IPv6 in IPv4 tunnel for carrying IPv6 packets, the tunnel encapsulating IPv6 packets in IPv4 packets, and the addresses at the two ends of the tunnel being the IPv4 address of the access router of the IPv6 external network and the IPv4 address of the external interface of the VPN gateway, respectively;
or,
after the mobile node has moved into an IPv4 external network and obtained a care-of address of the IPv4 network, the mobile node and the VPN gateway negotiate to establish the IPsec tunnel, the addresses at the two ends of the tunnel being the care-of address and the IPv4 address of the VPN gateway, respectively.

12. The method for implementing a mobile VPN in a hybrid network according to claim 11, characterized in that the process of transmitting the VPN packet comprises:
the mobile node located in the IPv6 external network constructs a packet addressed to the IPv6 address corresponding to the VPN gateway and sends it to the external access router of the IPv6 network;
the external access router receives the IPv6 packet from the mobile node, adds an IPv4 header to the packet, the header carrying the IPv4 address of the VPN gateway, and sends it through the tunnel to the VPN gateway;
the VPN gateway parses the received packet, decapsulates the IPv4 packet to restore the IPv6 packet, and continues to forward the IPv6 packet.

13. The method for implementing a mobile VPN in a hybrid network according to claim 11, characterized in that the process of transmitting the VPN packet comprises:
the mobile node located in the IPv6 external network constructs a packet addressed to the IPv6 address corresponding to the VPN gateway and sends it to a network address translation - protocol translation (NAT-PT) entity;
the NAT-PT entity translates the IPv6 address in the IPv6 packet into an IPv4 address and sends the packet to the external access router, and the external access router sends the packet through the tunnel to the VPN gateway;
the VPN gateway parses the received packet and continues to forward the packet.

14. The method for implementing a mobile VPN in a hybrid network according to claim 11, characterized in that, if the mobile node is located in an IPv4 external network, the VPN gateway further determines a VPN tunnel internal address for the mobile node, which serves as the Mobile IPv6 care-of address that the mobile node registers with the inside of the VPN.

15. The method for implementing a mobile VPN in a hybrid network according to claim 14, characterized in that, if the mobile node is located in an IPv4 external network, the process of transmitting the VPN packet comprises:
the mobile node in the IPv4 network performs Mobile IPv6 encapsulation of the data packet, the corresponding source address being the VPN tunnel internal address and the destination address being the address of a node inside the VPN;
the Mobile-IPv6-encapsulated data packet is IPsec-encapsulated according to the established tunnel, and the VPN service packet encapsulated with an IPv4 header is sent through the established tunnel to the VPN gateway.

16. The method for implementing a mobile VPN in a hybrid network according to claim 15, characterized in that, in the process of the mobile node performing Mobile IPv6 encapsulation of the data packet.

17. The method for implementing a mobile VPN in a hybrid network according to claim 9, 10 or 11, characterized in that, when the IP address of a mobile node located in the VPN internal network changes while it moves, communication with the other nodes inside the VPN is stopped, and the method further comprises:
if the mobile node obtains an IPv4 care-of address, it uses the IPv4 care-of address to carry out MOBIKE-capable IKE negotiation with the VPN gateway and establish an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway to initiate registration with the internal home agent through the tunnel, and after receiving the registration reply communicates with VPN network nodes through the tunnel;
or,
if the mobile node obtains an IPv6 care-of address, it indirectly queries the IPv6 address of the VPN gateway by means of domain name resolution, after which the mobile node sends a standard Mobile IPv6 registration request to the home agent inside the VPN; when an IPv6 registration reply is received, the mobile node is determined to be inside the VPN, and the mobile node uses the new IPv6 care-of address to communicate with nodes inside the VPN.

18. The method for implementing a mobile VPN in a hybrid network according to claim 17, characterized in that, if the mobile node obtains an IPv6 care-of address, the method further comprises: if the mobile node does not receive the Mobile IPv6 registration reply but the query for the IPv6 address of the VPN gateway succeeds, the mobile node is determined to be in an IPv6 network outside the VPN, and it uses the new IPv6 address to carry out MOBIKE-capable IKE negotiation with the VPN gateway and establish an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway to send a registration request to the internal home agent through the IPsec tunnel, and after receiving the registration reply communicates with internal network nodes through the established IPsec tunnel.

19. The method for implementing a mobile VPN in a hybrid network according to claim 9, 10 or 11, characterized in that, when the IP address of a mobile node originally in an IPv4 external network changes while it moves, communication with nodes inside the VPN is stopped, and the method further comprises:
if the mobile node obtains an IPv4 care-of address, it is determined that the mobile node has moved into another IPv4 external network, MOBIKE is initiated and the SA addresses are updated, the updated SA endpoint addresses being the mobile node's new IPv4 care-of address and the IPv4 address of the VPN gateway, and the mobile node continues to communicate with nodes inside the VPN through the tunnel;
or,
if the mobile node obtains an IPv6 care-of address, it indirectly queries the IPv6 address of the VPN gateway by means of domain name resolution; after that, the mobile node sends a standard Mobile IPv6 registration request to the home agent inside the VPN, and after receiving the Mobile IPv6 registration reply it is determined that the mobile node has moved into the VPN internal network, and the mobile node uses the new IPv6 care-of address to communicate with nodes inside the VPN.

20. The method for implementing a mobile VPN in a hybrid network according to claim 19, characterized in that, if the mobile node obtains an IPv6 care-of address, the method further comprises:
if the mobile node does not receive the Mobile IPv6 registration reply but the query for the IPv6 address of the VPN gateway succeeds, it is determined that the mobile node has moved into an IPv6 external network, MOBIKE is initiated and the SA addresses are updated, the updated SA endpoint addresses being the mobile node's newly obtained IPv6 care-of address and the IPv6 address of the VPN gateway, and the mobile node continues to communicate with nodes inside the VPN through the tunnel.

21. The method for implementing a mobile VPN in a hybrid network according to claim 9, 10 or 11, characterized in that, when the IP address of a mobile node originally in an IPv6 external network changes while it moves, communication with nodes inside the VPN is stopped, and the method further comprises:
if the mobile node obtains an IPv4 care-of address, it is determined that the mobile node has moved into an IPv4 external network, MOBIKE is initiated and the SA addresses are updated, the updated SA endpoint addresses being the mobile node's new IPv4 care-of address and the IPv4 address of the VPN gateway, and the mobile node continues to communicate with nodes inside the VPN through the tunnel;
or,
if the mobile node obtains an IPv6 care-of address, it indirectly queries the IPv6 address of the VPN gateway by means of domain name resolution; after that, the mobile node sends a standard Mobile IPv6 registration request to the home agent inside the VPN, and after receiving the corresponding Mobile IPv6 registration reply it is determined that the mobile node has moved into the VPN internal network, and the mobile node uses the new IPv6 care-of address to communicate with nodes inside the VPN.

22. The method for implementing a mobile VPN in a hybrid network according to claim 21, characterized in that, if the mobile node obtains an IPv6 care-of address, the method further comprises:
if the mobile node does not receive the corresponding Mobile IPv6 registration reply but the query for the IPv6 address of the VPN gateway succeeds, it is determined that the mobile node has moved into another IPv6 external network, MOBIKE is initiated and the SA addresses are updated, the updated SA endpoint addresses being the mobile node's newly obtained IPv6 care-of address and the IPv6 address of the VPN gateway, and the mobile node continues to communicate with nodes inside the VPN through the tunnel.
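As an added example that is not part of the patent or of the applicants' implementation, the following Python model covers the DNS-ALG address synthesis of claim 10 (an IPv4 address embedded under a prefix to form an IPv6 address) and the IPv6 in IPv4 tunnel of claims 11 and 12 between the access router of the IPv6 external network and the VPN gateway, together with the outer- and inner-header checks a gateway would apply before decapsulating. The /96 prefix, all addresses, and the rule that the access router derives the tunnel's far end from the IPv4 address embedded in the inner destination are assumptions made for the example.

```python
import ipaddress
import struct

# Constructed sample values (assumptions, not taken from the patent).
ALG_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")    # prefix the DNS-ALG prepends
GATEWAY_IPV4 = ipaddress.IPv4Address("192.0.2.1")            # VPN gateway external interface
ACCESS_ROUTER_IPV4 = ipaddress.IPv4Address("198.51.100.7")   # IPv6 external network access router
MOBILE_NODE_IPV6 = ipaddress.IPv6Address("2001:db8:1::10")   # mobile node's IPv6 care-of address
IPPROTO_IPV6 = 41                                            # outer protocol number for IPv6-in-IPv4


class TunnelError(ValueError):
    """Raised when an outer or inner header fails a gateway check."""


def synthesize_ipv6(ipv4, prefix=ALG_PREFIX):
    """DNS-ALG step (claim 10): embed the resolved IPv4 address under the /96 prefix."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipv4))


def extract_ipv4(ipv6, prefix=ALG_PREFIX):
    """Inverse of synthesize_ipv6; None if the address does not carry the prefix."""
    if ipv6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(ipv6) & 0xFFFFFFFF)


def build_ipv6(src, dst, payload, next_header=59):
    """Minimal IPv6 header (next header 59 = no next header) in front of payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       src.packed, dst.packed) + payload


def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 for a header whose checksum field is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_in_ipv4(src4, dst4, inner):
    """Access router step (claim 12): IPv4 header with protocol 41 in front of the IPv6 packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                         IPPROTO_IPV6, 0, src4.packed, dst4.packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + inner


def access_router_forward(inner6):
    """Assumption: the router takes the tunnel far end from the IPv4 address embedded in the
    inner destination, i.e. the address the DNS-ALG synthesized for the gateway."""
    far_end = extract_ipv4(ipaddress.IPv6Address(inner6[24:40]))
    if far_end is None:
        raise TunnelError("inner destination is not a DNS-ALG synthesized address")
    return encapsulate_in_ipv4(ACCESS_ROUTER_IPV4, far_end, inner6)


def gateway_decapsulate(packet, peer4=ACCESS_ROUTER_IPV4, own4=GATEWAY_IPV4):
    """Gateway step (claim 12): validate the outer IPv4 header, then return the IPv6 packet.
    A plain protocol-41 tunnel authenticates nothing, so the gateway pins the outer source to
    the configured access router and the inner destination to its own synthesized address."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise TunnelError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise TunnelError("bad outer header checksum")
    total_len, proto = struct.unpack("!H", outer[2:4])[0], outer[9]
    src4, dst4 = ipaddress.IPv4Address(outer[12:16]), ipaddress.IPv4Address(outer[16:20])
    if proto != IPPROTO_IPV6:
        raise TunnelError("outer protocol is not 41 (IPv6-in-IPv4)")
    if dst4 != own4 or src4 != peer4:
        raise TunnelError("outer addresses do not match the configured tunnel endpoints")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise TunnelError("inner packet is not IPv6")
    if len(inner) != 40 + struct.unpack("!H", inner[4:6])[0]:
        raise TunnelError("inner payload length disagrees with outer total length")
    src6, dst6 = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    if dst6 != synthesize_ipv6(own4):
        raise TunnelError("inner destination is not this gateway")
    return src6, dst6, inner[40:]


def demo():
    """Mobile node -> access router -> gateway; returns what the gateway recovers."""
    gateway6 = synthesize_ipv6(GATEWAY_IPV4)        # what the DNS-ALG handed the mobile node
    inner = build_ipv6(MOBILE_NODE_IPV6, gateway6, b"vpn-payload")
    return gateway_decapsulate(access_router_forward(inner))


def rejects_spoofed_peer():
    """True if a packet whose outer source is not the access router is dropped."""
    inner = build_ipv6(MOBILE_NODE_IPV6, synthesize_ipv6(GATEWAY_IPV4), b"x")
    spoofed = encapsulate_in_ipv4(ipaddress.IPv4Address("203.0.113.9"), GATEWAY_IPV4, inner)
    try:
        gateway_decapsulate(spoofed)
    except TunnelError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the mobile node's address, the gateway's synthesized address `2001:db8:ffff::c000:201` and the payload. The endpoint pinning in `gateway_decapsulate` is the minimum a deployment needs because neither the prefix synthesis nor the protocol-41 encapsulation carries any integrity protection; in the claimed design the confidentiality and authentication of what the mobile node sends come from the IPsec tunnel of claim 11, which is what the inner IPv6 packet here would carry.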
PCT/CN2007/000446 2006-03-24 2007-02-08 A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method Ceased WO2007109963A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2006100584520A CN101043411B (en) 2006-03-24 2006-03-24 Method and system for implementing mobile VPN in hybrid network
CN200610058452.0 2006-03-24

Publications (1)

Publication Number Publication Date
WO2007109963A1 true WO2007109963A1 (en) 2007-10-04

Family

ID=38540796

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000446 Ceased WO2007109963A1 (en) 2006-03-24 2007-02-08 A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method

Country Status (2)

Country Link
CN (1) CN101043411B (en)
WO (1) WO2007109963A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469063A (en) * 2010-11-03 2012-05-23 中兴通讯股份有限公司 Routing protocol security alliance management method, device and system
CN103475646A (en) * 2013-08-23 2013-12-25 天津汉柏汉安信息技术有限公司 Method for preventing hostile ESP (electronic stability program) message attack
CN112437467A (en) * 2020-10-23 2021-03-02 中国人民解放军61062部队 Ad hoc network tunnel communication method without home agent
CN113438108A (en) * 2021-06-22 2021-09-24 京信网络系统股份有限公司 Communication acceleration method, device, base station and computer readable storage medium
CN115309503A (en) * 2022-07-27 2022-11-08 北京金山云网络技术有限公司 Virtual machine live migration method and device, electronic equipment and storage medium
CN116107229A (en) * 2023-03-02 2023-05-12 常熟理工学院 IoT smart home monitoring method, system and remote terminal based on ZigBee

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4623177B2 (en) 2008-09-17 2011-02-02 富士ゼロックス株式会社 Information processing system
CN101399838B (en) * 2008-10-29 2012-01-25 成都市华为赛门铁克科技有限公司 Method, apparatus and system for processing packet
CN102104634B (en) * 2009-12-17 2013-08-07 华为技术有限公司 Method for communicating between LISP site and non-LISP site and apparatus and system thereof
US10079917B2 (en) 2010-04-26 2018-09-18 Nokia Technologies Oy Method and apparatus for synthesized address detection
CN102347993B (en) * 2010-07-28 2014-03-26 中国移动通信集团公司 Network communication method and equipment
CN102469449B (en) * 2010-11-15 2016-03-30 上海贝尔股份有限公司 Routing optimization method in an IPv6 low-consumption wireless territory net
US20130282901A1 (en) * 2010-12-11 2013-10-24 Sergei MOURAVYOV Computer network node discovery
WO2013034100A2 (en) * 2011-09-08 2013-03-14 北京智慧风云科技有限公司 Communications system and method for terminals based on different network protocols
CN103001844A (en) * 2011-09-09 2013-03-27 华耀(中国)科技有限公司 IPv6 network system and its data transmission method
CN102904814B (en) * 2012-10-19 2015-09-16 福建星网锐捷网络有限公司 Data transmission method, source PE, object PE and data transmission system
CN104348821B (en) * 2013-08-08 2018-04-27 联想(北京)有限公司 Manage the method, apparatus and system of IPv4/IPv6 business
CN105681249B (en) * 2014-11-17 2019-09-13 中国移动通信集团公司 A network access method and network conversion device
CN104601577A (en) * 2015-01-16 2015-05-06 网神信息技术(北京)股份有限公司 VPN switching protocol based method and device
CN105025004B (en) * 2015-07-16 2018-01-02 东南大学 A kind of double stack IPSec VPN devices
CN105530159B (en) * 2016-01-19 2018-12-18 武汉烽火网络有限责任公司 A kind of method and system realizing the VPN across IPv6 and IPv4 and exchanging visits
CN109067933B (en) * 2018-07-25 2021-12-24 赛尔网络有限公司 Tunnel-based IPv4 and IPv6 network communication system and method
CN108986440B (en) * 2018-09-27 2020-07-17 深圳友讯达科技股份有限公司 Multi-network fusion meter reading system and address allocation method of meter reading system
CN110086702B (en) * 2019-04-04 2021-09-21 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and machine-readable storage medium
CN115567484B (en) * 2021-06-30 2024-11-26 中国电信股份有限公司 Data forwarding method, network side edge router and network system
CN115296988B (en) * 2022-10-09 2023-03-21 中国电子科技集团公司第三十研究所 Method for realizing IPSec gateway dynamic networking

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1376351A (en) * 1999-09-24 2002-10-23 英国电讯有限公司 Packet network interfacing
WO2004082192A2 (en) * 2003-03-10 2004-09-23 Cisco Technology, Inc ARRANGEMENT FOR TRAVERSING AN IPv4 NETWORK BY IPv6 MOBILE ROUTERS
JP2005086256A (en) * 2003-09-04 2005-03-31 Kddi Corp Tunnel gateway device
CN1711739A (en) * 2002-11-13 2005-12-21 汤姆森许可贸易公司 Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism
CN1710877A (en) * 2004-06-16 2005-12-21 华为技术有限公司 System and method for realizing virtual special network of hybrid backbond network of hybrid station
CN1848802A (en) * 2005-11-25 2006-10-18 清华大学 Method for realizing IPv6 high performance interconnection based on P2P on IPv4

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1376351A (en) * 1999-09-24 2002-10-23 英国电讯有限公司 Packet network interfacing
CN1711739A (en) * 2002-11-13 2005-12-21 汤姆森许可贸易公司 Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism
WO2004082192A2 (en) * 2003-03-10 2004-09-23 Cisco Technology, Inc ARRANGEMENT FOR TRAVERSING AN IPv4 NETWORK BY IPv6 MOBILE ROUTERS
JP2005086256A (en) * 2003-09-04 2005-03-31 Kddi Corp Tunnel gateway device
CN1710877A (en) * 2004-06-16 2005-12-21 华为技术有限公司 System and method for realizing virtual special network of hybrid backbond network of hybrid station
CN1848802A (en) * 2005-11-25 2006-10-18 清华大学 Method for realizing IPv6 high performance interconnection based on P2P on IPv4

Also Published As

Publication number Publication date
CN101043411A (en) 2007-09-26
CN101043411B (en) 2012-05-23

Similar Documents

Publication Publication Date Title
WO2007109963A1 (en) A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method
CN1778077B (en) Method for inter-subnet mobility on campus network
EP2466985B1 (en) Network based on identity identifier and location separation
US8873578B2 (en) Method and apparatus for use in a communications network
US7639686B2 (en) Access network clusterhead for providing local mobility management of a roaming IPv4 node
US20070053334A1 (en) Packet forwarding apparatus for connecting mobile terminal to ISP network
CN101019381B (en) Maintains the confidentiality of unique local addresses assigned to IPv6 nodes in a given site during access to the WAN
WO2003085847A2 (en) Methods and apparatus for supporting session registration messaging
JP2011515945A (en) Method and apparatus for communicating data packets between local networks
CN1741523B (en) A Key Exchange Protocol Method for Realizing Host Mobility and Multi-Home Function
JP5147995B2 (en) Host identity protocol server address configuration
WO2007112645A1 (en) A method and system for implementing a mobile virtual private network
US20120271965A1 (en) Provisioning mobility services to legacy terminals
KR101901341B1 (en) Method and apparatus for supporting mobility of user equipment
WO2011032462A1 (en) Method for data transmission and receiving, system and router thereof
WO2011032447A1 (en) Method, system and communication terminal for implementing inter-communication between new network and internet
WO2007022683A1 (en) A method for realizing the communication between mobile ipv6 node and ipv4 communication partner
KR100737140B1 (en) Internet protocol virtual private network service processing apparatus and method in mobile communication
CN1870633B (en) Method for supporting mobile IPv4 through dual-stack mobile IPv6 nodes
WO2007143955A1 (en) An apparatus and method for implementing a dual stack mobile node to roam into an ipv4 network
CN100512172C (en) Method for, realizing self adaption extension domain management entity mechanism Flexible IP network technology system
CN103385011B (en) Method and device for mobility management in wireless communication system
Nguyen et al. State of the art of mobility protocols

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07702316; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07702316; Country of ref document: EP; Kind code of ref document: A1)