
WO2007112645A1 - A method and system for implementing a mobile virtual private network - Google Patents

A method and system for implementing a mobile virtual private network

Info

Publication number
WO2007112645A1
Authority
WO
WIPO (PCT)
Prior art keywords
edge device
provider edge
mobile
user equipment
mobile user
Prior art date
Application number
PCT/CN2007/000525
Other languages
French (fr)
Chinese (zh)
Inventor
Hongke Zhang
Gang Cheng
Hong Zhu
Hui Zhang
Original Assignee
Huawei Technologies Co., Ltd.
Beijing Jiaotong University
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. and Beijing Jiaotong University
Publication of WO2007112645A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor

Definitions

  • The present invention relates to the field of network and communication technologies, in particular to virtual private network technology, and more specifically to a method and system for implementing a mobile virtual private network.
  • VPN: Virtual Private Network
  • VPNs enable business users to enjoy the same security, priority, manageability and reliability as the user's own private network while reducing business overhead. As a result, VPNs have become a trend in enterprise networks.
  • Multi-Protocol Label Switching (MPLS) VPN technology is one of the most noteworthy VPN solutions, and includes Layer 3 MPLS VPN and Layer 2 MPLS VPN.
  • The Layer 3 MPLS VPN in turn has two implementations: BGP (Border Gateway Protocol)/MPLS VPN and VR (Virtual Router) VPN.
  • MPLS provides a label for each IP packet and encapsulates the label and the IP packet into a new MPLS packet, thereby determining the transmission path and priority of the IP packet; an MPLS-compatible router reads only the header label of the MPLS packet before forwarding the packet along the corresponding path, without reading the IP address and other information in each IP packet, so packet switching and forwarding is greatly accelerated.
  • Multiprotocol Border Gateway Protocol (MBGP) is used to distribute routes in the service provider backbone network.
  • MPLS is used to forward data packets in the backbone network.
  • PE: Provider Edge, provider edge device
  • VRF: Virtual Route Forwarding, virtual routing forwarding table
  • The multiprotocol extension bearer capability of the BGP protocol is used to forward VPN membership and reachability information, implement route isolation and advertisement between VPN users, forward service flows, and allow service providers to use the public network to provide users with a new type of VPN service. While providing all the functions of the original VPN network, it also provides strong Quality of Service (QoS) capabilities, featuring high reliability, high security, strong scalability, flexible control strategy and strong management capabilities.
  • QoS: Quality of Service
  • IPv6: Internet Protocol Version 6
  • BGP: Border Gateway Protocol
  • The PE maintains the reachability information and forwarding information of each IPv6 VPN separately by establishing a VRF.
  • In IPv6, each IPv6 VPN is allowed to have its own private IPv6 address space, which means that a given address may represent different systems in different VPNs. This is achieved through a new address family, the VPN-IPv6 address family.
  • A VPN-IPv6 address has 24 bytes and consists of an 8-byte route distinguisher (RD, Route Distinguisher) and a 16-byte IPv6 address. If two VPNs use the same IPv6 address prefix (representing different physical systems), the PE translates the prefix into a unique VPN-IPv6 address prefix for each VPN by means of different RDs, thereby ensuring that when two different VPNs use the same address, the address is installed as two completely different routes, one for each VPN.
  • A VPN-IPv6 address is always considered unique by BGP, and the BGP extended attributes allow BGP to carry routing information and MPLS label information from the extended address family.
  • Besides encapsulation over MPLS label switched paths, the BGP/MPLS VPN solution has been extended to allow encapsulation through other tunneling technologies, including GRE tunnels, IP-in-IP tunnels and IPsec tunnels.
  • Because the existing IPv4 network is widely deployed, IPv4 networks will continue to exist for a long time. The IPv4 network environment is basically the same as the IPv6 network environment, except that the composition of the IPv4 VPN identification message differs from that of the IPv6 VPN identification message.
  • The existing BGP/MPLS VPN technology cannot solve the problem of mobility support for its user networks.
  • The embodiments of the present invention provide a method and a system for implementing a mobile virtual private network, so as to solve the defect that the prior art cannot provide user network mobility support.
  • An embodiment of the invention provides a method for implementing a mobile virtual private network, which includes the following steps:
  • The first mobile user equipment advertises routing information to the second provider edge device through the first provider edge device;
  • The second mobile user equipment obtains the routing information through the second provider edge device; the second provider edge device queries whether the second mobile user equipment has a new label, and if so, the mobile subnet to which the second mobile user equipment belongs performs data transmission with the first mobile user equipment through a third provider edge device;
  • Otherwise, the second mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device.
  • An embodiment of the present invention provides a system for implementing a mobile virtual private network, including a first provider edge device and a second provider edge device, where the first user edge device and the mobile user device belong to the same virtual private network;
  • The first mobile user equipment sends routing information to the second provider edge device through the first provider edge device;
  • The second mobile user equipment obtains the routing information through the second provider edge device in order to communicate with the first user edge device;
  • The mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device and the first provider edge device.
  • An embodiment of the present invention provides a mobile virtual private network system, including a first provider edge device, a second provider edge device and a third provider edge device, where the first, second and third provider edge devices belong to the same virtual private network. The system further includes a mobile subnet which moves into an area controlled by the third provider edge device, configures a care-of address according to the address prefix information sent by the third provider edge device, and binds the multi-protocol packet label allocated by the third provider edge device to the care-of address to form a new label.
  • The first provider edge device is configured to send a data packet from the first mobile user equipment to the second provider edge device, and to forward to the first mobile user equipment those data packets from the mobile subnet whose destination address matches the first mobile user equipment.
  • The second provider edge device is configured to send a data packet to the third provider edge device according to the new label, and to query whether its virtual routing forwarding table has an entry matching the destination address of the first mobile user equipment, forwarding the matched data packet together with the new label to the first provider edge device;
  • The third provider edge device forwards the data packet to the mobile subnet by querying its virtual routing forwarding table, determines whether a data packet sent by the mobile subnet matches the destination address of the first mobile user equipment, forwards the matched data packet to the first provider edge device while notifying it of the new label, and forwards the unmatched data packet to the second provider edge device.
  • In the network structure composed of the MPLS backbone network platform and the user network, the related virtual private network devices and the corresponding data packet transmission process are improved, and a BGP/MPLS VPN mobility support solution that organically combines the MPLS backbone network and the mobile subnet is proposed, which addresses the shortcoming of the prior art that cannot support virtual private network mobility.
  • The solution provided by the embodiments of the present invention can apply the subnet mobility function to, for example, a conference in a mobile environment.
  • All user equipments in the entire mobile environment constitute a mobile site, that is, a mobile subnet formed inside the company, in which there will be multiple user devices that need to remain in constant contact with other sites of the company for a long time.
  • The solution provided by the embodiments of the present invention does not need a hardware upgrade and only requires improving the software of the PE devices; the configuration mode is simple and easy.
  • The structure of the invention conforms to the currently popular mobile subnet systems and has good scalability and potential for market promotion.
  • FIG. 2 is a system structural diagram of a mobile virtual private network in an embodiment of the present invention.
  • FIG. 3 is a flow chart of publishing VPN routing information in an embodiment of the present invention.
  • FIG. 4 is a flow chart of data transfer in a specific embodiment of the system of FIG. 2.
  • FIG. 5 is a system structural diagram of a mobile virtual private network in another embodiment of the present invention.
  • FIG. 6 is a flow chart of forming a care-of address and a new label in the system shown in FIG. 5.
  • FIG. 7 is a flow chart of transmitting data from a fixed user equipment to a mobile subnet in the system shown in FIG. 5.
  • FIG. 8 is a flow chart of transmitting data from a mobile subnet to a fixed user equipment in the system shown in FIG. 5.
  • The flow of the implementation method of the mobile virtual private network in the embodiment of the present invention is as shown in FIG. 1 and includes the following steps:
  • Step S101: The first mobile user equipment sends routing information to the second provider edge device through the first provider edge device.
  • Step S102: The second mobile user equipment obtains the routing information through the second provider edge device.
  • Step S103: The second provider edge device queries whether the second mobile user equipment has a new label. If yes, the second mobile user equipment is a mobile subnet and the flow goes to step S105; otherwise the second mobile user equipment is a mobile user equipment and the flow goes to step S104.
  • The new label is formed as follows: the mobile subnet moves from the control area of the second provider edge device to the control area of the third provider edge device and receives the agent advertisement information sent by the third provider edge device;
  • The care-of address is configured according to the address prefix information in the agent advertisement; the third provider edge device allocates a multi-protocol packet label to the mobile subnet and binds it to the care-of address to form the new label.
  • Step S104: The mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device.
  • Step S105: The mobile subnet performs data transmission with the first mobile user equipment through the third provider edge device.
  • The present invention is also applicable to an IPv4 network environment, except that the IPv4 VPN identification message differs from the IPv6 VPN identification message.
  • In Mobile IPv4, the mobile node informs its home agent of its care-of address through the registration information carried in UDP/IP packets.
  • In Mobile IPv6, the agent and the mobile node use the IPv6 destination options header to notify other nodes of the care-of address; thus the protocol by which the mobile node obtains the agent advertisement from the third provider edge device differs, but the process is similar. Therefore, the following description covers only the IPv6 network environment.
  • BGP/MPLS VPNs generally do not have mobile devices in their MPLS backbone networks, so their mobility support is mainly concentrated in the following two situations. First, mobility support implemented inside a BGP/MPLS VPN site in the IPv6 network environment, that is, the user edge device CE is fixed and the user equipment is mobile. Second, the user equipment of a site together with the CE to which the site belongs have mobility support in the IPv6 network environment, so that the entire site (the subnet) connected to the CE is mobile. Thus, embodiments of the present invention are described in terms of both user device mobility and subnet mobility.
  • The mobility implementation system inside each BGP/MPLS VPN site in the IPv6 network environment is shown in FIG. 2 and includes: the MPLS backbone network, site 1, site 2, site 3, site 4, and the user edge devices CE1, CE2, CE3 and CE4, where the mobile user equipment 1 is the first user equipment and the mobile user equipment 2 is the second user equipment;
  • The backbone network includes the provider edge devices PE1 and PE2 and the provider devices P1, P2 and P3.
  • Site 1 and site 2 belong to virtual private network A; site 3 and site 4 belong to virtual private network B.
  • CE2 has cell a and cell b. All P, PE and CE routers are fixed, and the user equipment 2 in the site can move between cell a and cell b.
  • The above network is an IPv6 domain, and all devices support IPv6.
  • Publishing the VPN routing information:
  • Step S101 and step S102 in FIG. 1 further include: CE1 obtains the address information of user equipment 1 by manual configuration or automatic discovery and then advertises its own IPv6 route prefix to PE1; PE1 obtains the routing information of CE1 through the route learning mechanism, writes the address prefix in the routing information of user equipment 1 into its virtual routing forwarding table, and, before advertising the route, allocates the bottom label of the multi-protocol packet label to the routing information.
  • PE2 obtains the routing information of user equipment 1 from PE1 through the multiprotocol border gateway protocol.
  • The advertisement includes: the VPN-IPv6 address prefix of the route, the loopback address of PE1 as the BGP next hop, the MPLS label assigned to the route, and the route target attribute of the VRF configuration, that is, the route export policy.
  • PE2 compares the routing information with the import policy of its virtual routing forwarding table. If it matches, PE2 writes the routing information into the virtual private network IPv6 routing information base VPN-IPv6.RIB, and user equipment 2 obtains the routing information from PE2; otherwise the routing information is discarded.
  • Step S104, as shown in FIG. 4, further includes:
  • The data packet is sent to CE2; CE2 performs a longest-match route lookup and then forwards the data packet to the directly connected PE2.
  • PE2 queries the corresponding VRF based on the sub-interface. If the destination address has a matching entry, the route gives the next hop and the outgoing sub-interface; PE2 pushes the top label and the packet reaches PE1 through the MPLS backbone network; at PE1, the bottom label is used to find the corresponding CE1, the packet is forwarded through the IP layer to CE1, and CE1 queries its routing table to forward it to user equipment 1.
  • The mobility implementation system of the BGP/MPLS VPN in the IPv6 network environment is shown in FIG. 5 and includes: the MPLS backbone network, site 1, site 2, CE1 and CE2, where CE1 is the first user edge device and CE2 is the second user edge device.
  • The backbone network includes PE1, PE2, PE3, PE4, P1, P2 and P3.
  • PE1, PE2, PE3 and PE4 each have the virtual routing forwarding table VRFA.
  • Site 1 and site 2 belong to virtual private network A.
  • The entire network is an IPv6 domain in which all devices support IPv6; all P and PE routers are fixed, while all user equipments in site 2 together with their CE2 move, so that the entire site connected to the CE moves.
  • The process of publishing the VPN routing information is the same as in the mobile user equipment case.
  • Each mobile user equipment in site 2 does not need to separately find the access router AR and register with the home agent HA when leaving the home link or during handover; it still works as a fixed user equipment.
  • The embodiment selects CE2 as the unified proxy router of mobile site 2, equivalent to a mobile router (MR, Mobile Router), to complete a series of tasks similar to those of a single mobile node.
  • PE2 is selected as the home agent (HA).
  • PE3 is selected as the access router (AR, Access Router).
  • After site 2 moves from the first zone to the second zone, CE2 receives the agent advertisement information periodically sent by PE3.
  • CE2 completes the router discovery function through the ICMPv6 router solicitation and router advertisement messages of the neighbor discovery mechanism, and thereby obtains the agent advertisement information.
  • Both PE3 and PE2 periodically send router advertisement messages carrying prefix information on their local links. CE2 can also send router solicitation messages, and each router that receives such a message replies with a router advertisement message.
  • After receiving the agent advertisement message, CE2 knows that its site has moved to a foreign link and automatically configures a care-of address based on the new address prefix information. There are two ways to obtain the care-of address: passive address autoconfiguration and active address autoconfiguration. At this time, PE3 assigns a new MPLS label to CE2 and binds it to its care-of address.
  • CE2 sends a registration request message to its home agent PE2 through PE3.
  • In the binding update sent to PE2, CE2 needs to carry an <R> flag to indicate that it is a mobile router rather than an ordinary mobile node.
  • The same binding update also includes the mobile network prefix, which can be carried in a new mobility header option proposed in NEMO.
  • The details are as follows: after assigning the new label to CE2, PE3 finds the address of the PE2 to which CE2 belongs by querying the corresponding VRFA. PE3 then sends the binding update message and an MP-BGP route update message (including the <R> flag, the care-of address of CE2 and the new label, etc.) to PE2.
  • PE2 sends a binding response message to CE2 through PE3. After PE2 receives the binding update message of CE2, it confirms the binding update, obtains the care-of address and new label of CE2, writes them into the part of VRFA corresponding to CE2, and then uses MP-BGP to send the binding response message to CE2 through the MPLS backbone network. When PE3 receives this response message, it binds the route to CE2 in its VRFA to the new label.
  • Because it is in the IPv6 network environment, CE2 uses the announcement method to simultaneously inform PE2 and the other sites of VPNA of its care-of address and new label (in the IPv4 network environment, CE2 would use the notification mode to simultaneously notify PE2 and the other sites of VPNA of its care-of address and new label).
  • The announcement includes three types of message: binding update, binding response and binding request, which are placed in an IPv6 extension header, the destination options header.
  • The binding request is sent when the time-to-live field in the binding update message previously received by another site of VPNA is about to expire, to request CE2 to send it a new binding update so that it obtains the currently valid care-of address and new label.
  • The user equipment 1 in site 1 sends VPN traffic to a user equipment in the mobile subnet to which CE2 belongs; the specific process is shown in FIG. 7.
  • The data packet of the mobile user equipment 1 is forwarded to PE2 through the MPLS backbone network.
  • PE2 queries the corresponding VRFA and finds that CE2 has moved to a foreign link, so it looks up the new label of CE2 in the table.
  • PE3 is reached in the same way, by means of the two-level label.
  • PE3 sends the packet to CE2 by looking up the corresponding VRFA, and CE2 queries its routing table to send it to the destination mobile user equipment.
  • The process of transmitting data from the mobile subnet to the fixed user equipment is shown in FIG. 8.
  • The mobile user equipment sends the data packet to CE2 by querying its routing table, and CE2 queries its routing table to send the data packet to PE3; PE3 queries the corresponding VRFA and, if the destination address has a matching entry, the route gives its next hop and outbound sub-interface, and the packet is then forwarded to the destination through the MPLS backbone.
  • CE2 advertises the new label to PE1 through MP-BGP.
  • When PE1 receives this message, it updates the corresponding VRFA. Communication with the mobile user equipment in site 2 is then sent over the link represented by this label, which also avoids the triangular routing problem that exists in NEMO.
  • When site 2 moves back to its home zone, CE2 receives the agent advertisement message sent by PE2, thereby judging that it has returned to the home link, and CE2 cancels the current care-of address and the new label with PE2, so that it works like a fixed node again.
  • When site 2 moves from the second zone to a third zone while user equipment 1 is sending data packets to PE3, a mechanism called "timeout retransmission" in the TCP layer is used: as long as the elapsed time is within the range a ≤ time ≤ b (a and b can be set manually), it is regarded as packet loss rather than as a network failure for which transmission of the packet would be abandoned. During this process, the information on all nodes in the second zone with which CE2 has established communication is recorded in CE2's forwarding table.
  • CE2 sends a message to these nodes to update its care-of address and label, so PE1 updates the corresponding content in VRFA after receiving this message and then sends the packets of user equipment 1 to PE4, so that the mobile user equipment receives the data packets and the problem of packet loss or manual retransmission due to handover is avoided.
  • CE2 should immediately send a binding update message to user equipment 1 and to all correspondent nodes (CNs) with which it was in contact in the second zone.
  • CE2 sends a binding update to PE2. Priority is given to ensuring existing services, and new services are then handled according to the established service strategy.
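The decision in steps S103 to S105 and the VRF state that the home PE records during the care-of address binding of FIG. 6, as an added Python model (not the patent's or Huawei's code). It also builds the 24-byte VPN-IPv6 address (8-byte RD plus 16-byte IPv6 address) to show how two VPNs reusing one prefix stay distinct. PE names, label values, prefixes and the per-PE tunnel label table are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional


def route_distinguisher(asn: int, assigned: int) -> bytes:
    """8-byte Type 0 route distinguisher: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv6_address(rd: bytes, address: str) -> bytes:
    """24-byte VPN-IPv6 address: the 8-byte RD followed by the 16-byte IPv6 address."""
    if len(rd) != 8:
        raise ValueError("route distinguisher must be 8 bytes")
    return rd + ipaddress.IPv6Address(address).packed


@dataclass
class VrfEntry:
    prefix: ipaddress.IPv6Network
    next_hop_pe: Optional[str]      # BGP next hop (advertising PE); None = site attached to this PE
    bottom_label: Optional[int]     # VPN label allocated by the advertising PE
    attached_ce: Optional[str] = None
    # Mobility state recorded by the home PE once the binding update of FIG. 6 arrives.
    care_of: Optional[ipaddress.IPv6Address] = None
    new_label: Optional[int] = None
    foreign_pe: Optional[str] = None


@dataclass
class ProviderEdge:
    name: str
    tunnel_labels: dict             # assumed: one top (LSP) label per remote PE, keyed by name
    vrf: dict = field(default_factory=dict)   # RD -> list of VrfEntry, i.e. one VRF per VPN

    def install_route(self, rd: bytes, entry: VrfEntry) -> None:
        self.vrf.setdefault(rd, []).append(entry)

    def lookup(self, rd: bytes, dst: str) -> Optional[VrfEntry]:
        """Longest-prefix match inside the VRF selected by the route distinguisher."""
        addr = ipaddress.IPv6Address(dst)
        matches = [e for e in self.vrf.get(rd, []) if addr in e.prefix]
        return max(matches, key=lambda e: e.prefix.prefixlen, default=None)

    def bind_new_label(self, rd: bytes, prefix: str, care_of: str,
                       new_label: int, foreign_pe: str) -> bool:
        """Home PE (PE2 on the page) records the care-of address and the label that the
        foreign PE (PE3) allocated for the moved site, as carried in the binding update."""
        net = ipaddress.IPv6Network(prefix)
        for entry in self.vrf.get(rd, []):
            if entry.prefix == net:
                entry.care_of = ipaddress.IPv6Address(care_of)
                entry.new_label, entry.foreign_pe = new_label, foreign_pe
                return True
        return False

    def unbind(self, rd: bytes, prefix: str) -> bool:
        """Site returned to its home link: cancel the care-of address and the new label."""
        net = ipaddress.IPv6Network(prefix)
        for entry in self.vrf.get(rd, []):
            if entry.prefix == net:
                entry.care_of = entry.new_label = entry.foreign_pe = None
                return True
        return False

    def forward(self, rd: bytes, dst: str) -> dict:
        """Steps S103-S105: choose egress and label stack for a packet in the VPN given by rd."""
        entry = self.lookup(rd, dst)
        if entry is None:
            return {"action": "drop", "reason": "no VRF match"}
        if entry.new_label is not None:        # S103: new label present -> site moved -> S105
            return {"action": "tunnel", "egress_pe": entry.foreign_pe,
                    "labels": [self.tunnel_labels[entry.foreign_pe], entry.new_label]}
        if entry.next_hop_pe is None:          # S104: site still at home, deliver to local CE
            return {"action": "deliver", "ce": entry.attached_ce, "labels": []}
        return {"action": "tunnel", "egress_pe": entry.next_hop_pe,   # ordinary remote site
                "labels": [self.tunnel_labels[entry.next_hop_pe], entry.bottom_label]}


def demo() -> dict:
    """Constructed scenario from PE2's viewpoint: site 1 (VPN A) is reachable via PE1 with
    bottom label 16, site 2 (CE2) is attached locally, and VPN B reuses site 1's prefix."""
    rd_a, rd_b = route_distinguisher(65000, 1), route_distinguisher(65000, 2)
    pe2 = ProviderEdge("PE2", tunnel_labels={"PE1": 1001, "PE3": 1003})
    pe2.install_route(rd_a, VrfEntry(ipaddress.IPv6Network("2001:db8:1::/64"), "PE1", 16))
    pe2.install_route(rd_a, VrfEntry(ipaddress.IPv6Network("2001:db8:2::/64"), None, None, "CE2"))
    pe2.install_route(rd_b, VrfEntry(ipaddress.IPv6Network("2001:db8:1::/64"), "PE1", 17))
    at_home = pe2.forward(rd_a, "2001:db8:2::10")
    # FIG. 6: site 2 moves under PE3, which allocates label 300 bound to CE2's care-of address.
    pe2.bind_new_label(rd_a, "2001:db8:2::/64", "2001:db8:3::2", 300, "PE3")
    moved = pe2.forward(rd_a, "2001:db8:2::10")
    pe2.unbind(rd_a, "2001:db8:2::/64")        # site 2 returns home and works as a fixed node
    back_home = pe2.forward(rd_a, "2001:db8:2::10")
    distinct = vpn_ipv6_address(rd_a, "2001:db8:1::1") != vpn_ipv6_address(rd_b, "2001:db8:1::1")
    return {"at_home": at_home, "moved": moved, "back_home": back_home,
            "site1_vpn_a": pe2.forward(rd_a, "2001:db8:1::1"),
            "site1_vpn_b": pe2.forward(rd_b, "2001:db8:1::1"),
            "same_prefix_distinct": distinct}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```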

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for implementing a mobile virtual private network includes: a first mobile user device sends routing information to a second provider edge device through a first provider edge device (S101); a second mobile user device obtains the routing information through the second provider edge device (S102); depending on whether the second mobile user device has a new label (S103), either the mobile sub-network to which the second mobile user device belongs communicates data with the first mobile user device through a third provider edge device (S105), or, when no new label exists, the second mobile user device communicates data with the first mobile user device through the second provider edge device (S104). A mobile virtual private network system can thus be implemented. The solution supports mobility in BGP/MPLS VPN by organically combining the MPLS backbone network and the mobile sub-network, and solves the shortcoming of the prior art, which cannot support mobility of a virtual private network.

Description

一种可移动虛拟专用网的实现方法及系统 本申请要求于 2006 年 4 月 5 日提交中国专利局、 申请号为 200610067144.4、发明名称为 "一种可移动虚拟专用网的实现方法及系统" 的中国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域  The present invention claims to be submitted to the Chinese Patent Office on April 5, 2006, the application number is 200610067144.4, and the invention name is "a method and system for implementing a mobile virtual private network". Priority of Chinese Patent Application, the entire contents of which is incorporated herein by reference. Technical field
本发明涉及网络及通信技术领域, 尤其涉及虚拟专用网技术,具体 地说, 涉及一种可移动虛拟专用网的实现方法及系统。 背景技术  The present invention relates to the field of network and communication technologies, and in particular, to a virtual private network technology, and in particular, to a method and system for implementing a mobile virtual private network. Background technique
虚拟专用网(VPN, Virtual Private Network)技术是指在公用网络服务 提供商所提供的网络中建立专用网络, 用户数据通过一个安全的通道在 公共网络中传播。 VPN可以让商业用户享受到与该用户的专用网络一样 的安全性、 优先权、 易管理性和可靠性, 同时还降低了商业开销, 因此, VPN成为企业网络的发展趋势。  Virtual Private Network (VPN) technology refers to the establishment of a private network in a network provided by a public network service provider. User data is transmitted through the public network through a secure channel. VPNs enable business users to enjoy the same security, priority, manageability, and reliability as the user's private network, while reducing business overhead. As a result, VPNs have become a trend in enterprise networks.
其中, 多协议标签交换(MPLS, Multiprotocol Label Switching) VPN 技术是 VPN各种解决方案中最值得关注的一种,包括三层 MPLS VPN和 二层 MPLS VPN, 所述三层 MPLS VPN又包含了 BGP ( Border Gateway Protocol, 边界网关协议) /MPLS VP 和 VR(Virtual Router, 虚拟路由 器) VPN两种实现方式。 MPLS提供给每个 IP数据包一个标签,将该标签 与 IP数据包封装于新的 MPLS数据包,由此决定 IP数据包的传输路径以 及优先顺序; 而与 MPLS兼容的路由器, 会在将 IP数据包按相应路径转 发之前仅读取该 MPLS数据包的包头标签, 无须再去读取每个 IP数据包 中的 IP地址等信息, 因此数据包的交换转发速度大大加快。  Among them, Multi-Protocol Label Switching (MPLS) VPN technology is one of the most interesting VPN solutions, including Layer 3 MPLS VPN and Layer 2 MPLS VPN. The Layer 3 MPLS VPN also includes BGP. (Border Gateway Protocol) / MPLS VP and VR (Virtual Router) VPN implementation. MPLS provides a label for each IP packet, and encapsulates the label and IP packet into a new MPLS packet, thereby determining the transmission path and priority of the IP packet; and the MPLS-compatible router will be IP. Before the data packet is forwarded according to the corresponding path, only the header tag of the MPLS data packet is read, and the information such as the IP address in each IP data packet is not required to be read, so the exchange and forwarding speed of the data packet is greatly accelerated.
在 BGP/MPLS VPN中, 多协议扩展边界网关协议(MBGP , Multiprotocol Border Gateway Protocol)用于在服务提供商骨干网中分发 路由, MPLS用于在骨干网中转发数据包, 在 PE(Provider Edge, 提供商边 缘设备)路由器上为不同的 VPN用户建立不同的虚拟路由转发表(VRF, Virtual Route Forwarding) , 进而形成 MPLS转发表, 通过 BGP协议的多协 议扩展的承载能力来转发 VPN的成员关系和可达性信息, 在 VPN用户间 实现路由隔离和通告、 转发业务流、 允许服务提供商使用公网为用户提 供全新类型的 VPN服务。 在提供原有 VPN网絡所有功能的同时, 还可以 提供强有力的服务质量(QoS, Quality Of Service )能力, 具有可靠性高、 安全性高、 扩展能力强、 控制策略灵活以及管理能力强大等特点。 In BGP/MPLS VPN, Multiprotocol Border Gateway Protocol (MBGP) is used to distribute routes in the service provider backbone network. MPLS is used to forward data packets in the backbone network. In PE (Provider Edge, Provider edge device) establishes different virtual route forwarding (VRF) for different VPN users on the router, and then forms an MPLS forwarding table. The BGP protocol multi-protocol extended bearer capability is used to forward VPN membership and Reachability information, between VPN users Implement route isolation and advertisement, forward service flows, and allow service providers to use the public network to provide users with a new type of VPN service. While providing all the functions of the original VPN network, it can also provide powerful Quality of Service (QoS) capabilities, featuring high reliability, high security, strong scalability, flexible control strategy, and strong management capabilities. .
随着下一代互联网络标准 Internet协议版本 6 ( IPv6 , nternet Protocol With the next generation Internet standards, Internet Protocol version 6 (IPv6, nternet Protocol)
Version 6) matures, more and more vendors have added support for IPv6 networks. When every site in a VPN supports IPv6 and connects to the service provider backbone through an IPv6 interface or sub-interface of a PE, the VPN is referred to as an IPv6 VPN. BGP and its extended attributes are used to describe the routes by which an IPv6 VPN site connects, through PE routers, to other IPv6 VPN sites. The PE maintains the reachability and forwarding information of each IPv6 VPN separately by establishing a VRF for it.
In IPv6, each IPv6 VPN is allowed to have its own private IPv6 address space, which means that a given address may denote different systems in different VPNs. This is achieved through a new address family, the VPN-IPv6 address family. A VPN-IPv6 address is 24 bytes long and consists of an 8-byte Route Distinguisher (RD) and a 16-byte IPv6 address. If two VPNs use the same IPv6 address prefix (representing different physical systems), the PE translates it into unique VPN-IPv6 address prefixes by using different RDs, thereby ensuring that when two different VPNs use the same address, that address is installed as two completely different routes, one for each VPN. A VPN-IPv6 address is always regarded as unique by BGP, and the BGP extended attributes allow BGP to carry routing information from the extended address family together with MPLS label information.
Besides encapsulation over MPLS label switched paths, the BGP/MPLS VPN solution has been extended to allow encapsulation through other tunneling technologies, including GRE tunnels, IP-in-IP tunnels and IPsec tunnels. Likewise, IPv6 VPN services may be supported over MPLS LSPs and over other tunneling technologies including GRE, IP-in-IP or IPsec tunnels.
In addition, in the course of IPv6 replacing Internet Protocol Version 4 (IPv4), IPv4 networks will continue to exist for a long time because of their wide deployment. The IPv4 network environment is essentially the same as the IPv6 network environment, except that the composition of the VPN identification messages differs between IPv4 and IPv6. As Internet technology evolves and next-generation Internet protocols provide better support for network mobility, the demand for mobility of protocols and devices in the network will keep growing, and support for such mobility has high practical value; however, existing BGP/MPLS VPN technology cannot solve the problem of supporting mobility of its user networks.
Summary of the invention
Embodiments of the present invention provide a method and a system for implementing a mobile virtual private network, so as to overcome the defect that the prior art cannot provide mobility support for user networks.
An embodiment of the present invention provides a method for implementing a mobile virtual private network, including the following steps:
a first mobile user equipment advertises routing information to a second provider edge device through a first provider edge device;
a second mobile user equipment obtains the routing information through the second provider edge device; the second provider edge device queries whether the second mobile user equipment has a new label, and if so, the mobile subnet to which the second mobile user equipment belongs performs data transmission with the first mobile user equipment through a third provider edge device;
otherwise, the second mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device.
An embodiment of the present invention provides a system for implementing a mobile virtual private network, including a first provider edge device and a second provider edge device, where the first user edge device and the mobile user equipment belong to the same virtual private network;
the first mobile user equipment advertises routing information to the second provider edge device through the first provider edge device;
a second mobile user equipment obtains the routing information through the second provider edge device in order to communicate with the first user edge device;
the mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device and the first provider edge device.
An embodiment of the present invention provides a mobile virtual private network system, including a first provider edge device, a second provider edge device and a third provider edge device, where the first, second and third provider edge devices belong to the same virtual private network; the system further includes a mobile subnet, which moves to the area controlled by the third provider edge device, configures a care-of address according to the address prefix information received from the third provider edge device, and binds the multi-protocol packet label allocated by the third provider edge device to the care-of address to form a new label;
the first provider edge device is configured to send data packets from the first mobile user equipment to the second provider edge device, and to forward those data packets from the mobile subnet whose destination address matches the first mobile user equipment to the first mobile user equipment;
the second provider edge device is configured to send data packets to the third provider edge device according to the new label, to query whether its virtual routing and forwarding table contains an entry matching the destination address of the first mobile user equipment, and to forward the matching data packets together with the new label to the first provider edge device;
the third provider edge device forwards the data packets to the mobile subnet by querying its virtual routing and forwarding table, judges whether a data packet sent by the mobile subnet matches the destination address of the first mobile user equipment, forwards matching data packets to the first provider edge device while notifying it of the new label, and forwards non-matching data packets to the second provider edge device.
In the solution provided by the embodiments of the present invention, for a network structure composed of an MPLS backbone platform and user networks, the relevant virtual private network devices and the corresponding packet transmission procedures are improved, and a BGP/MPLS VPN mobility support solution that organically combines the MPLS backbone with mobile subnets is proposed, which overcomes the defect that the prior art cannot support virtual private network mobility.
The solution provided by the embodiments of the present invention can apply the subnet mobility function to holding a meeting in a mobile environment; in that case all user equipment in the mobile environment constitutes one mobile site, that is, a mobile subnet within a company, in which several user equipments need to stay in contact with the company's other sites at any time over a longer period.
The solution provided by the embodiments of the present invention requires no hardware upgrade; only the software of the PE devices needs to be improved, and the configuration is simple and easy. In addition, the structure of the present invention conforms to the currently popular mobile subnet architecture and has good scalability and market potential.
Description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the invention and do not limit it. In the drawings:
Figure 2 is a structural diagram of the mobile virtual private network system in an embodiment of the present invention;
Figure 3 is a flow chart of VPN routing information advertisement in an embodiment of the present invention;
Figure 4 is a flow chart of data transfer in a specific embodiment of the system of Figure 2;
Figure 5 is a structural diagram of the mobile virtual private network system in another embodiment of the present invention; Figure 6 is a flow chart of care-of address and new label formation in the system shown in Figure 5;
Figure 7 is a flow chart of a fixed user equipment sending data to the mobile subnet in the system shown in Figure 5; Figure 8 is a flow chart of the mobile subnet sending data to a fixed user equipment in the system shown in Figure 5.
Detailed description
Embodiments of the present invention are described in detail below with reference to the drawings.
The flow of the method for implementing a mobile virtual private network in an embodiment of the present invention is shown in Figure 1 and includes the following steps:
Step S101: the first mobile user equipment advertises routing information to the second provider edge device through the first provider edge device.
Step S102: the second mobile user equipment obtains the routing information through the second provider edge device.
Step S103: the second provider edge device queries whether the second mobile user equipment has a new label. If so, the second mobile user equipment is a mobile subnet and the flow proceeds to step S105; otherwise, the second mobile user equipment is a mobile user equipment and the flow proceeds to step S104. The new label is formed as follows: the mobile subnet moves from the control area of the second provider edge device to the control area of the third provider edge device and receives the agent advertisement sent by the third provider edge device; the mobile subnet configures a care-of address according to the address prefix information in the agent advertisement; the third provider edge device allocates a multi-protocol packet label to the mobile subnet and binds it to the care-of address, forming the new label.
Step S104: the mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device.
Step S105: the mobile subnet performs data transmission with the first mobile user equipment through the third provider edge device.
The present invention is equally applicable to an IPv4 network environment; the only difference is the composition of the VPN identification messages in IPv4 versus IPv6. In Mobile IPv4, a mobile node informs its home agent of its care-of address through registration information carried in a UDP/IP packet, whereas in Mobile IPv6 a mobile node uses the Destination Options header to notify other nodes of its care-of address, so the protocol by which the mobile node obtains the agent advertisement from the third provider edge device differs, while the flow is similar. Therefore, only the IPv6 network environment is described below.
Since in a BGP/MPLS VPN there are generally no mobile devices within the MPLS backbone itself, its mobility support concentrates on two cases: first, mobility support in an IPv6 network environment within each BGP/MPLS VPN site, that is, the customer edge device CE is fixed and the user equipment moves; second, the user equipment of each site and each CE all support mobility in the IPv6 network environment, so that the whole site connected to the CE, i.e. the subnet, can move. The specific embodiments of the present invention are therefore described from these two aspects: user equipment mobility and subnet mobility.
The system for implementing mobility in an IPv6 network environment within each BGP/MPLS VPN site is shown in Figure 2 and includes: an MPLS backbone network, site 1, site 2, site 3, site 4, and customer edge devices CE1, CE2, CE3 and CE4, where mobile user equipment 1 is the first user equipment and mobile user equipment 2 is the second user equipment; the backbone includes provider edge devices PE1 and PE2 and provider devices P1, P2 and P3; PE1 and PE2 each hold two virtual routing and forwarding tables, VRFA and VRFB; site 1 and site 2 belong to virtual private network A, and site 3 and site 4 belong to virtual private network B; CE2 has cell a and cell b; all P, PE and CE routers are fixed, and user equipment 2 in the site can move between cell a and cell b. The whole network above is an IPv6 domain in which all devices support IPv6.
First, the VPN routing information is advertised.
Steps S101 and S102 of Figure 1 are shown in Figure 3 and further include: CE1 obtains the address information of user equipment 1 by manual configuration or automatic discovery, and then advertises its own IPv6 route prefix to PE1; PE1 obtains the routing information of CE1 through its route learning mechanism; PE1 writes the address prefix in the routing information of user equipment 1 into its virtual routing and forwarding table; before advertising the route, PE1 allocates the bottom multi-protocol packet label for this routing information. PE2 obtains the routing information of user equipment 1 from PE1 through a multi-protocol border gateway protocol advertisement, which includes: the VPN-IPv6 address prefix of the route, the loopback address of PE1 as the BGP next hop, the MPLS label allocated to the route, and the route target attribute configured for the route's VRF (i.e. the route export policy); PE2 compares this routing information with the import policy of its virtual routing and forwarding table, and if it matches, PE2 writes the routing information into the virtual private network IPv6 routing information base VPN-IPv6.RIB and user equipment 2 obtains the routing information from PE2; otherwise the routing information is discarded.
Step S104 is shown in Figure 4 and further includes:
If user equipment 2 wants to send VPN service traffic to user equipment 1, the data packet is first sent to CE2; CE2 performs a longest-match route lookup and forwards the packet to the directly connected PE2; PE2 looks up the corresponding VRF based on the sub-interface, and if the destination address has a matching entry, the route lookup yields its next hop and outbound sub-interface; PE2 pushes the top label and the packet traverses the MPLS backbone to PE1; at PE1 the bottom label identifies the corresponding CE1, the packet is then forwarded to CE1 at the IP layer, and CE1 looks up its routing table and forwards the packet to user equipment 1.
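The advertisement and import steps of Figure 3, and the VRF lookup that starts the Figure 4 forwarding, as an added Python model that is not the patent's own code or any vendor implementation. PE1 installs a CE prefix, allocates the bottom label and builds an advertisement carrying the VPN-IPv6 prefix (RD plus prefix), its loopback as BGP next hop, the label and the export route targets; PE2 accepts the route only into VRFs whose import policy shares a route target with it and discards the rest, after which a longest-prefix lookup in the VRF returns the next hop and bottom label. The PE loopbacks, RDs, route targets (65000:100 and so on), prefixes and label range are constructed sample values; the route-target sets are modelled as plain strings.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRouteAdvert:
    """One MP-BGP VPN route advertisement: VPN-IPv6 prefix (RD + prefix),
    the advertising PE's loopback as BGP next hop, the bottom MPLS label,
    and the export route targets of the source VRF."""
    rd: str
    prefix: str
    next_hop: str
    label: int
    route_targets: frozenset


@dataclass
class Vrf:
    name: str
    import_targets: frozenset
    export_targets: frozenset
    rib: dict = field(default_factory=dict)  # (rd, prefix) -> (next_hop, label)


class Pe:
    """A PE holding one VRF per VPN; PE1 plays the exporter, PE2 the importer."""

    def __init__(self, name: str, loopback: str):
        self.name = name
        self.loopback = loopback
        self.vrfs = {}
        self._next_label = 100   # constructed label range

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def export_route(self, vrf_name: str, rd: str, prefix: str) -> VpnRouteAdvert:
        """Step S101 on PE1: install the CE prefix in the VRF, allocate the
        bottom label and build the advertisement sent to the other PEs."""
        vrf = self.vrfs[vrf_name]
        label = self._next_label
        self._next_label += 1
        vrf.rib[(rd, prefix)] = ("local", label)
        return VpnRouteAdvert(rd, prefix, self.loopback, label, vrf.export_targets)

    def import_route(self, advert: VpnRouteAdvert) -> list:
        """Step S102 on PE2: accept the route into every VRF whose import
        policy shares a route target with the advertisement; a route that
        matches no VRF is discarded. Returns the names of accepting VRFs."""
        accepted = []
        for vrf in self.vrfs.values():
            if vrf.import_targets & advert.route_targets:
                vrf.rib[(advert.rd, advert.prefix)] = (advert.next_hop, advert.label)
                accepted.append(vrf.name)
        return accepted

    def lookup(self, vrf_name: str, dst: str):
        """Step S104 lookup on PE2: longest-prefix match inside one VRF.
        Returns (bgp_next_hop, bottom_label) or None when nothing matches."""
        addr = ipaddress.IPv6Address(dst)
        best = None
        for (_, prefix), (next_hop, label) in self.vrfs[vrf_name].rib.items():
            net = ipaddress.IPv6Network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, next_hop, label)
        return None if best is None else (best[1], best[2])


def run_example() -> dict:
    """Constructed topology: PE1 and PE2 each hold VRFA (VPN A) and VRFB
    (VPN B). VPN A and VPN B announce the same IPv6 prefix under different
    RDs and route targets; a third advertisement carries a route target
    that no VRF on PE2 imports and must be discarded."""
    pe1 = Pe("PE1", "2001:db8:ffff::1")
    pe2 = Pe("PE2", "2001:db8:ffff::2")
    for pe in (pe1, pe2):
        pe.add_vrf(Vrf("VRFA", frozenset({"65000:100"}), frozenset({"65000:100"})))
        pe.add_vrf(Vrf("VRFB", frozenset({"65000:200"}), frozenset({"65000:200"})))
    adv_a = pe1.export_route("VRFA", "65000:1", "2001:db8:1::/64")  # site 1, UE1
    adv_b = pe1.export_route("VRFB", "65000:2", "2001:db8:1::/64")  # same prefix, VPN B
    stray = VpnRouteAdvert("65000:9", "2001:db8:9::/64", "2001:db8:ffff::9",
                           999, frozenset({"65000:300"}))
    return {
        "adv_a_accepted_by": pe2.import_route(adv_a),
        "adv_b_accepted_by": pe2.import_route(adv_b),
        "stray_accepted_by": pe2.import_route(stray),
        "ue1_route_in_vrfa": pe2.lookup("VRFA", "2001:db8:1::10"),
        "ue1_route_in_vrfb": pe2.lookup("VRFB", "2001:db8:1::10"),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The two lookups for the same destination return different bottom labels (100 in VRFA, 101 in VRFB): the label, not the address, is what lets PE1 hand the packet to the right CE, and the import-policy check is what keeps a route with a foreign route target out of both VRFs.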
The system in which a whole site implements mobility in an IPv6 network environment in a BGP/MPLS VPN is shown in Figure 5 and includes: an MPLS backbone, site 1, site 2, CE1 and CE2, where CE1 is the first customer edge device and CE2 is the second customer edge device; the backbone includes PE1, PE2, PE3, PE4, P1, P2 and P3, and PE1, PE2, PE3 and PE4 hold the virtual routing and forwarding table VRFA; site 1 and site 2 belong to virtual private network A; the whole network is an IPv6 domain in which all devices support IPv6; all P and PE routers are fixed, while all user equipment in site 2 and its corresponding CE2 move, so that the whole site connected to the CE implements the mobility function.
In this case the procedure for advertising VPN routing information is the same as for mobile user equipment and is not repeated here.
Assume that the whole of site 2 is in motion. The individual mobile user equipments in site 2 then need not each find an access router AR and register with a home agent HA when leaving the home network or handing over between areas; they can continue to work as fixed user equipment. This embodiment selects CE2 as the unified proxy router of mobile site 2, equivalent to a mobile router (MR, Mobile Router), to perform the series of tasks that a single MIP node would otherwise perform.
When site 2 moves from the home area (area 1) to a foreign area (area 2), a fixed router in the home area must act as the home agent (HA, Home Agent). This embodiment selects PE2 as the HA and PE3 as the access router (AR, Access Router). The specific communication procedure after the mobile subnet arrives in the foreign area is shown in Figure 6:
After site 2 moves from area 1 to area 2, CE2 receives the agent advertisement that PE3 sends periodically; in an IPv6 network environment, CE2 performs router discovery through the ICMPv6 Router Solicitation and Router Advertisement messages of the neighbor discovery mechanism, and thereby obtains the agent advertisement. Both PE3 and PE2 periodically send router advertisement messages carrying the prefix of the local link; CE2 may also send a router solicitation message, which every router that receives it should answer with a router advertisement. After receiving the agent advertisement, CE2 learns that its site has moved onto a foreign link and obtains a care-of address by address autoconfiguration from the new address prefix information. There are two ways to obtain the care-of address: passive address autoconfiguration and active address autoconfiguration. At this point PE3 allocates a new MPLS label to CE2 and binds it to CE2's care-of address.
CE2 sends a registration request message to its home agent PE2 through PE3. CE2 needs to carry a flag <R> in the binding update sent to PE2 to indicate that it is a mobile router rather than an ordinary mobile node. The binding update must also include the mobile network prefix, for which a new mobility header option proposed in NEMO can be borrowed to carry this prefix. Specifically: after allocating the new label to CE2, PE3 looks up the address of PE2, to which CE2 originally belonged, by querying the corresponding VRFA. PE3 then sends the binding update message and the MP-BGP route update message (including the <R> flag, CE2's care-of address and the new label, among other things) to PE2.
PE2 sends a binding acknowledgement message to CE2 through PE3. After PE2 receives CE2's binding update message, it confirms the binding update, obtains CE2's care-of address and new label and writes them into the part of VRFA corresponding to CE2, and then sends the binding acknowledgement message to CE2 over the MPLS backbone using MP-BGP. When PE3 receives this acknowledgement, it binds the route to CE2 in its VRFA to the new label.
Since this is an IPv6 network environment, CE2 uses the announcement mechanism to notify PE2 and the other sites of VPN A of its care-of address and new label at the same time (in an IPv4 network environment, CE2 would use the advertisement mechanism to notify PE2 and the other sites of VPN A of its care-of address and new label). The announcements comprise three message types, binding update, binding acknowledgement and binding request, all of which are placed in an IPv6 extension header, the Destination Options header.
of PE2. Among these, the binding request is sent when the lifetime field of a binding update previously received by another site of VPN A is about to expire; it asks CE2 to send that site a new binding update so that the currently valid care-of address and new label can be obtained.
Suppose user equipment 1 in site 1 wants to send VPN service traffic to user equipment in the mobile subnet to which CE2 belongs. The specific flow is shown in Figure 7: mobile user equipment 1 forwards the data packet through the MPLS backbone to PE2; PE2 queries its corresponding VRFA, finds that CE2 has moved to a foreign area, and therefore also finds CE2's new label in the table; it then reaches PE3 in the same two-level-label manner; PE3 sends the packet to CE2 by looking up the corresponding VRFA, and CE2 looks up its routing table and sends the packet to the destination mobile user equipment.
When a mobile user equipment behind CE2 wants to send data to user equipment 1 in site 1, the specific flow is shown in Figure 8: the mobile user equipment looks up its routing table and sends the packet to CE2; CE2 looks up its routing table and sends the packet to PE3; PE3 queries the corresponding VRFA, and if the destination address has a matching entry, the route lookup yields its next hop and outbound sub-interface, and the packet is forwarded across the MPLS backbone to its destination. In this process CE2 advertises the new label to PE1 via MP-BGP; when PE1 receives this message it updates the corresponding VRFA. Subsequent communication with the mobile user equipment in site 2 is then sent to the link represented by this label, so this solution also avoids the triangular routing problem present in NEMO.
When site 2 moves back to area 1, CE2 receives the agent advertisement sent by PE2 and thereby determines that it has returned to its home link; CE2 then deregisters its current care-of address and new label with PE2, after which it can again work like a fixed node.
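The care-of address and new-label procedure of Figure 6, the home-agent forwarding decision of step S103 and Figure 7, and the return-home deregistration just described, as an added Python model that is not the patent's own code. PE3 (access router) advertises its link prefix and binds a fresh MPLS label to the care-of address CE2 derives from it; the binding update carries the <R> flag, the mobile network prefix, the care-of address and the label; PE2 (home agent) accepts it only if it actually holds a VRFA entry for that prefix (the check of claim 5) and otherwise discards it; PE2's forwarding then sends packets for the mobile subnet to PE3 with the new label while the binding exists and back to the home path after deregistration. The prefixes, the interface identifier, the label range and the device names beyond those in the text are constructed; the care-of address is formed by appending a fixed interface identifier to the advertised /64, a simplification of the two autoconfiguration modes the text names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class VrfEntry:
    """VRFA entry on the home-agent PE for one CE's mobile network prefix."""
    ce: str
    prefix: str
    home_next_hop: str                 # path used while the CE is at home
    care_of: Optional[str] = None      # CE's care-of address on the foreign link
    new_label: Optional[int] = None    # MPLS label bound to that care-of address
    foreign_pe: Optional[str] = None   # PE that allocated the new label


@dataclass(frozen=True)
class BindingUpdate:
    """Fields the text places in the binding update relayed by PE3."""
    mobile_router_flag: bool     # the <R> flag: sender is a mobile router
    mobile_network_prefix: str   # NEMO-style mobile network prefix option
    care_of: str
    new_label: int
    via_pe: str


class HomeAgentPe:
    """PE2 in the text: home agent for site 2, holding VRFA."""

    def __init__(self, name: str, entries: list):
        self.name = name
        self.vrfa = {e.prefix: e for e in entries}

    def handle_binding_update(self, bu: BindingUpdate) -> bool:
        """Accept only if this PE is home agent for the prefix (an entry exists
        in VRFA) and the <R> flag is set; record care-of address and label.
        Anything else is discarded, as claim 5 requires."""
        entry = self.vrfa.get(bu.mobile_network_prefix)
        if entry is None or not bu.mobile_router_flag:
            return False
        entry.care_of, entry.new_label, entry.foreign_pe = bu.care_of, bu.new_label, bu.via_pe
        return True

    def deregister(self, prefix: str) -> None:
        """CE is back on its home link and withdraws care-of address and label."""
        entry = self.vrfa[prefix]
        entry.care_of = entry.new_label = entry.foreign_pe = None

    def forward(self, dst: str):
        """Step S103 decision: if the matching entry carries a new label, send
        toward the foreign PE with that label; otherwise use the home path.
        Returns (next_hop, label) or None when no VRFA entry matches."""
        addr = ipaddress.IPv6Address(dst)
        for entry in self.vrfa.values():
            if addr in ipaddress.IPv6Network(entry.prefix):
                if entry.new_label is not None:
                    return entry.foreign_pe, entry.new_label
                return entry.home_next_hop, None
        return None


class AccessRouterPe:
    """PE3 in the text: advertises the foreign link prefix and binds a fresh
    MPLS label to each arriving CE's care-of address."""

    def __init__(self, name: str, link_prefix: str):
        self.name = name
        self.link_prefix = link_prefix   # carried in its router advertisements
        self._next_label = 200           # constructed label range
        self.label_bindings = {}         # care_of -> label

    def bind_label(self, care_of: str) -> int:
        label = self._next_label
        self._next_label += 1
        self.label_bindings[care_of] = label
        return label


class MobileRouterCe:
    """CE2 acting as mobile router for the whole of site 2."""

    def __init__(self, name: str, mobile_network_prefix: str, interface_id: int):
        self.name = name
        self.mobile_network_prefix = mobile_network_prefix
        self.interface_id = interface_id   # constructed 64-bit interface identifier
        self.care_of = None

    def configure_care_of(self, advertised_prefix: str) -> str:
        """Care-of address = advertised /64 prefix bits | interface identifier."""
        net = ipaddress.IPv6Network(advertised_prefix)
        self.care_of = str(ipaddress.IPv6Address(int(net.network_address) | self.interface_id))
        return self.care_of


def run_handover() -> dict:
    """Constructed scenario after Figures 6 to 8: site 2 (2001:db8:2::/64)
    leaves PE2's area for PE3's link 2001:db8:3::/64, then returns home."""
    pe2 = HomeAgentPe("PE2", [VrfEntry("CE2", "2001:db8:2::/64", "CE2")])
    pe3 = AccessRouterPe("PE3", "2001:db8:3::/64")
    ce2 = MobileRouterCe("CE2", "2001:db8:2::/64", 0x02005EFFFE000001)
    trace = {"at_home": pe2.forward("2001:db8:2::10")}
    care_of = ce2.configure_care_of(pe3.link_prefix)              # Figure 6
    label = pe3.bind_label(care_of)
    bu = BindingUpdate(True, ce2.mobile_network_prefix, care_of, label, pe3.name)
    trace["bu_accepted"] = pe2.handle_binding_update(bu)
    trace["care_of"] = care_of
    trace["while_away"] = pe2.forward("2001:db8:2::10")           # Figure 7 path via PE3
    stray = BindingUpdate(True, "2001:db8:7::/64", care_of, 999, pe3.name)
    trace["stray_accepted"] = pe2.handle_binding_update(stray)    # PE2 is not its home agent
    pe2.deregister(ce2.mobile_network_prefix)                      # site 2 back in area 1
    trace["back_home"] = pe2.forward("2001:db8:2::10")
    return trace


if __name__ == "__main__":
    for name, value in run_handover().items():
        print(f"{name}: {value}")
```

The binding update that names a prefix PE2 does not serve is dropped before anything is written into VRFA; that rejection is the one place in the flow where an unverified registration could otherwise redirect a whole site's traffic, so a real home agent would pair it with authentication of the binding update, which the patent text leaves to the underlying Mobile IPv6 mechanisms.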
If, during communication between user equipment 1 and a mobile node located in site 2, site 2 moves again from area 2 to another foreign area, area 3, while user equipment 1 is just sending a data packet to PE3, a TCP-layer mechanism called "timeout retransmission" can be used: as long as the time lies in the range a<time<b (a and b may be set manually), the event is treated as packet loss rather than as the network being unreachable, so transmission of the packet is not abandoned. Meanwhile, information about all nodes with which CE2 communicated while in area 2 has been recorded in its forwarding table; CE2 sends these nodes a message updating its care-of address and label, so that PE1, after receiving this message, updates the corresponding content of VRFA and then sends user equipment 1's packets to PE4, so that the mobile user equipment receives the packets and the packet loss or manual retransmission that a handover might otherwise cause is avoided. After confirming the handover, CE2 should immediately send binding update messages to user equipment 1 and to all correspondent nodes CN it was in contact with in area 2, and only after the services between those CNs and CE2 have been restored send the binding update to PE2; this reflects a service policy of first guaranteeing existing services and then considering the establishment of new ones.
The above embodiments serve to illustrate and explain the principles of the present invention. It should be understood that the specific embodiments of the present invention are not limited thereto. Various changes and modifications made by those skilled in the art without departing from the spirit and scope of the present invention fall within the protection scope of the present invention. Accordingly, the protection scope of the present invention is defined by the claims.

Claims

1. A method for implementing a mobile virtual private network, characterized by including the following steps: a first mobile user equipment advertises routing information to a second provider edge device through a first provider edge device;
a second mobile user equipment obtains the routing information through the second provider edge device; the second provider edge device queries whether the second mobile user equipment has a new label, and if so, the mobile subnet to which the second mobile user equipment belongs performs data transmission with the first mobile user equipment through a third provider edge device;
otherwise, the second mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device.
2. The method according to claim 1, characterized in that the formation of the new label includes:
the mobile subnet moves from the control area of the second provider edge device to the control area of the third provider edge device and receives the agent advertisement sent by the third provider edge device;
the mobile subnet configures a care-of address according to the address prefix information in the agent advertisement;
the third provider edge device allocates a multi-protocol packet label to the mobile subnet and binds it to the care-of address to form the new label.
3. The method for implementing a mobile virtual private network according to claim 2, characterized in that, after the new label is formed, the method further includes:
the mobile subnet sends registration request information to the second provider edge device through the third provider edge device;
the second provider edge device sends binding acknowledgement information to the mobile subnet through the third provider edge device.
4. The method according to claim 3, characterized in that the registration request information includes binding update information and multi-protocol border gateway protocol MP-BGP route update information.
5. The method according to claim 3, characterized by further including: before sending the binding acknowledgement information to the mobile subnet, the second provider edge device judges from the binding update information whether it is itself the home agent of the mobile subnet; if so, it writes the care-of address of the second mobile user equipment and the new label into its routing and forwarding table; otherwise, it discards the binding update information.
6. The method according to claim 3, characterized by further including:
the third provider edge device periodically sends router advertisement information to the second provider edge device, carrying prefix address information of the local link, and the second mobile user equipment determines its location according to that prefix address information.
7. The method according to claim 3, characterized by further including:
the second mobile user equipment broadcasts router solicitation information, and the provider edge device that receives the solicitation responds, so that the second mobile user equipment learns its own location.
8. The method for implementing a mobile virtual private network according to claim 1, characterized in that the second mobile user equipment performing data transmission with the first mobile user equipment through the second provider edge device specifically includes:
the second mobile user equipment sends a data packet to the second mobile user edge device;
the second user edge device forwards the data packet to the second provider edge device;
the second provider edge device judges, by querying its virtual routing and forwarding table, whether the destination address in the data packet matches; if it matches,
the second provider edge device looks up the next hop and outbound interface, pushes a top label and sends the packet to the first provider edge device; otherwise, it discards the data packet;
the first provider edge device receives the data packet through the backbone network;
the first mobile user equipment obtains the data packet from the first provider edge device.
9. The method according to claim 1, wherein the mobile subnet performing data transmission with the first mobile user equipment through the third provider edge device specifically comprises:
the first mobile user equipment sends a data packet to the second provider edge device;
the second provider edge device receives the data packet sent by the first mobile user equipment and sends it to the third provider edge device using the new label;
the third provider edge device looks up its virtual routing and forwarding table and forwards the data packet to the mobile subnet.
10. The method according to claim 1, wherein the mobile subnet performing data transmission with the first mobile user equipment through the third provider edge device specifically comprises:
the mobile subnet sends a data packet to the third provider edge device;
the third provider edge device looks up its virtual routing and forwarding table to determine whether the data packet matches the destination address of the first mobile user equipment; if it matches,
the third provider edge device forwards the data packet to the first provider edge device and informs it of the new label;
the first provider edge device forwards the data packet to the first mobile user equipment and updates the information in its virtual routing and forwarding table (VRF);
otherwise, the third provider edge device forwards the data packet to the second provider edge device;
the second provider edge device checks whether its VRF has an entry matching the destination address of the first mobile user equipment; if it has, it forwards the data packet to the first provider edge device and informs it of the new label; otherwise, it discards the data packet.
11. The method according to claim 1, wherein the step of the second mobile user equipment obtaining the routing information further comprises:
the second provider edge device obtains the routing information of the first mobile user equipment from the first provider edge device through the Multiprotocol Border Gateway Protocol;
the second provider edge device compares the routing information with the import policy of its virtual routing and forwarding table; if it matches,
the second provider edge device writes the routing information into the virtual private network routing information base;
the second mobile user equipment obtains the routing information from the second provider edge device;
otherwise, the routing information is discarded.
12. The method according to claim 11, wherein the Multiprotocol Border Gateway Protocol is used between the provider edge devices, and the MP-BGP information comprises: the network address prefix, the loopback address of the first provider edge device as the BGP next hop, the multiprotocol (MPLS) label assigned to the routing information, and the route target attribute of the routing information.
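The VRF import check of claims 11 and 12 and the VRF-driven forwarding of claims 8 and 10, as an added Python model; this is not code from the patent or from any vendor. PE names, loopback addresses, labels and route targets are made up, and the transport label table stands in for the IGP/LDP label towards each PE loopback, which the claims do not detail. The claims also do not say how the third PE and the home-agent PE come to hold different import policies; here PE3 is deliberately given a policy that does not import the first UE's route target, purely to exercise the miss-then-home-agent path of claim 10. The route-target comparison is the check a practitioner should look at: it is what keeps one VPN's routes out of another VPN's VRF, and a PE that hands a packet to the home-agent PE on a VRF miss is relying on that PE applying the same policy before forwarding.

```python
"""Added example, not part of the patent or of any vendor's code: a minimal
model of VRF route import (claims 11 and 12) and VRF-driven label forwarding
(claims 8 and 10).  All names, prefixes, labels and route targets are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MpBgpRoute:
    """The MP-BGP VPN route contents listed in claim 12."""
    prefix: str        # network address prefix, e.g. "10.1.0.0/16"
    next_hop: str      # loopback address of the advertising PE (BGP next hop)
    label: int         # MPLS label allocated to this route by the advertising PE
    route_target: str  # route-target extended community


@dataclass
class ProviderEdge:
    name: str
    loopback: str
    import_rts: frozenset                    # VRF import policy (claim 11)
    vrf: dict = field(default_factory=dict)  # prefix -> (next_hop, vpn_label)

    def import_route(self, route: MpBgpRoute) -> bool:
        """Claim 11: a route enters the VPN RIB/VRF only when its route target
        matches the VRF import policy; otherwise it is discarded.  This is the
        check that keeps one customer's routes out of another customer's VRF."""
        if route.route_target not in self.import_rts:
            return False
        self.vrf[route.prefix] = (route.next_hop, route.label)
        return True

    def lookup(self, dst: str):
        """Longest-prefix match of dst in the VRF; None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, entry in self.vrf.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return None if best is None else best[1]


def forward(pe: ProviderEdge, dst: str, transport_labels: dict):
    """Claim 8: VRF lookup; on a match push the VPN label and the top
    (transport) label towards the next-hop PE, otherwise drop (return None)."""
    entry = pe.lookup(dst)
    if entry is None:
        return None
    next_hop, vpn_label = entry
    return {"via": pe.name, "to": next_hop,
            "labels": [transport_labels[next_hop], vpn_label]}


def forward_from_mobile_subnet(pe3: ProviderEdge, pe2: ProviderEdge, dst: str, transport_labels: dict):
    """Claim 10: the visited PE (PE3) tries its own VRF first; on a miss the
    packet goes to the home-agent PE (PE2), which tries its VRF or drops."""
    return forward(pe3, dst, transport_labels) or forward(pe2, dst, transport_labels)


def demo() -> dict:
    """Constructed walk-through (not from the patent); returns the observable results."""
    transport = {"192.0.2.1": 100, "192.0.2.2": 200, "192.0.2.3": 300}  # assumed IGP/LDP labels
    pe2 = ProviderEdge("PE2", "192.0.2.2", frozenset({"65000:100"}))  # home-agent PE
    pe3 = ProviderEdge("PE3", "192.0.2.3", frozenset({"65000:200"}))  # visited PE, other policy
    ue1 = MpBgpRoute("10.1.0.0/16", "192.0.2.1", 3001, "65000:100")   # advertised by PE1
    foreign = MpBgpRoute("10.1.0.0/16", "192.0.2.1", 3002, "65000:999")  # another VPN's RT
    out = {"pe2_imports_ue1": pe2.import_route(ue1),          # True: RT in PE2's policy
           "pe2_imports_foreign": pe2.import_route(foreign),  # False: RT not imported
           "pe3_imports_ue1": pe3.import_route(ue1)}          # False: PE3 imports another RT
    # PE3 misses, hands the packet to PE2, which matches and labels it towards PE1
    out["to_ue1"] = forward_from_mobile_subnet(pe3, pe2, "10.1.5.7", transport)
    # neither VRF matches: dropped at PE2, as the last step of claim 10 requires
    out["no_route"] = forward_from_mobile_subnet(pe3, pe2, "10.9.0.1", transport)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The label stack returned by `forward` is the two-level stack of an MPLS/BGP VPN: the top label gets the packet across the backbone to the next-hop PE's loopback, the inner label tells that PE which VRF and route the packet belongs to. Note that `foreign` carries the same prefix as `ue1`; without the route-target check it would silently overwrite the legitimate entry.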
13. The method according to claim 1, further comprising:
when the mobile subnet moves back to its original home agent, the mobile subnet receives an agent advertisement message sent by the second provider edge device, determines from it that it has returned to its home link, and deregisters its current care-of address and the new label with the second provider edge device.
14. The method for implementing a mobile virtual private network according to claim 1, further comprising: during the communication between the first mobile user equipment and the mobile subnet, when the mobile subnet moves from the control area of the third provider edge device to the control area of a fourth provider edge device, the first mobile user equipment still sends data packets to the third provider edge device, and data transmission relies on timeout retransmission at the Transmission Control Protocol layer.
15. The method for implementing a mobile virtual private network according to claim 14, further comprising:
the mobile subnet sends, to every provider edge device with which it has established communication, a message updating its care-of address and label;
the first provider edge device, on receiving this message, updates the contents of its virtual routing and forwarding table;
the first provider edge device sends the data packets of the first mobile user equipment to the fourth provider edge device;
the fourth provider edge device sends the data packets to the mobile subnet.
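The binding registration of claims 4 to 7, the return home of claim 13 and the handover of claims 14 and 15, as an added Python model; it is not code from the patent or from any vendor, and the prefixes, labels and pre-shared key in it are made up. One thing in it goes beyond the claims and should be read as an assumption: claim 5 only has the second PE check that it is the home agent for the subnet, which says nothing about who sent the binding update. Mobile IPv6 (RFC 6275) requires binding updates to the home agent to be authenticated, and an unauthenticated update is exactly what lets a third party redirect a subnet's traffic to a care-of address of its choosing. The example therefore verifies an HMAC under a pre-shared key and a monotonically increasing sequence number before touching the VRF, as a stand-in for that protection; the same check is applied to the correspondent PEs that claim 15 has the subnet update on handover.

```python
"""Added example, not part of the patent or of any vendor's code: a model of
the mobile subnet's registration with its home-agent PE (claims 4 to 7), the
return to the home link (claim 13) and the handover to a fourth PE (claims
14 and 15).  Prefixes, labels and the shared key are made up.  The HMAC and
sequence-number checks are additions of this example, not part of the claims."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BindingUpdate:
    home_prefix: str  # the mobile subnet's home prefix (identifies the subnet)
    care_of: str      # care-of address built from the visited PE's prefix
    label: int        # label allocated by the visited PE; (care_of, label) is the "new label"
    seq: int          # sequence number, so a stale or replayed update is rejected
    mac: bytes        # HMAC-SHA256 over the fields above under an assumed pre-shared key


def _mac(key: bytes, home_prefix: str, care_of: str, label: int, seq: int) -> bytes:
    return hmac.new(key, f"{home_prefix}|{care_of}|{label}|{seq}".encode(), hashlib.sha256).digest()


def care_of_address(advertised_prefix: str, interface_id: int) -> str:
    """Claims 6 and 7: the CoA is formed from the prefix the visited PE advertises."""
    return str(ipaddress.ip_network(advertised_prefix).network_address + interface_id)


@dataclass
class ProviderEdge:
    name: str
    advertised_prefix: str                        # prefix carried in its router advertisements
    home_agent_for: frozenset = frozenset()       # home prefixes this PE serves as home agent
    keys: dict = field(default_factory=dict)      # home_prefix -> shared key (assumption)
    bindings: dict = field(default_factory=dict)  # home_prefix -> (care_of, label), the VRF entry
    last_seq: dict = field(default_factory=dict)

    def accept(self, bu: BindingUpdate, as_home_agent: bool):
        """Claim 5 (as_home_agent=True): discard unless this PE is the home agent.
        Claim 15 (as_home_agent=False): a PE already in communication with the
        subnet refreshes its (care_of, label) entry.  Both paths verify the MAC
        and the sequence number first; a binding ack is returned only on success."""
        if as_home_agent and bu.home_prefix not in self.home_agent_for:
            return None
        if not as_home_agent and bu.home_prefix not in self.bindings:
            return None
        key = self.keys.get(bu.home_prefix)
        if key is None:
            return None
        expected = _mac(key, bu.home_prefix, bu.care_of, bu.label, bu.seq)
        if not hmac.compare_digest(bu.mac, expected):
            return None
        if bu.seq <= self.last_seq.get(bu.home_prefix, 0):
            return None
        self.bindings[bu.home_prefix] = (bu.care_of, bu.label)
        self.last_seq[bu.home_prefix] = bu.seq
        return {"ack": self.name, "seq": bu.seq}

    def learn(self, home_prefix: str, care_of: str, label: int) -> None:
        # Claim 10: a PE is told the new label when traffic flows; models PE1 learning it.
        self.bindings[home_prefix] = (care_of, label)

    def deregister(self, home_prefix: str):
        """Claim 13: the subnet is back on its home link; remove the binding."""
        return self.bindings.pop(home_prefix, None)


@dataclass
class MobileSubnet:
    home_prefix: str
    key: bytes
    seq: int = 0

    def attach(self, visited: ProviderEdge, label: int) -> BindingUpdate:
        """Form the CoA from the visited PE's prefix, bind the PE's label to it, sign."""
        self.seq += 1
        coa = care_of_address(visited.advertised_prefix, 0x1)
        return BindingUpdate(self.home_prefix, coa, label, self.seq,
                             _mac(self.key, self.home_prefix, coa, label, self.seq))


def scenario() -> dict:
    """Constructed walk-through (not from the patent); returns the observable results."""
    key, home = b"example-psk-not-for-production", "2001:db8:100::/64"
    pe1 = ProviderEdge("PE1", "2001:db8:1::/64", keys={home: key})
    pe2 = ProviderEdge("PE2", "2001:db8:2::/64", frozenset({home}), {home: key})
    pe3 = ProviderEdge("PE3", "2001:db8:3::/64", keys={home: key})
    pe4 = ProviderEdge("PE4", "2001:db8:4::/64", keys={home: key})
    sub = MobileSubnet(home, key)
    bu = sub.attach(pe3, label=3301)                             # subnet arrives under PE3
    out = {"ack_pe2": pe2.accept(bu, as_home_agent=True),        # claim 5: PE2 is the home agent
           "refused_pe3": pe3.accept(bu, as_home_agent=True)}    # PE3 is not: discarded
    forged = BindingUpdate(home, "2001:db8:3::bad", 3301, bu.seq + 1, bytes(32))
    out["forged"] = pe2.accept(forged, as_home_agent=True)       # no valid MAC: discarded
    pe1.learn(home, bu.care_of, bu.label)                        # claim 10: PE1 told the new label
    bu2 = sub.attach(pe4, label=3401)                            # claims 14 and 15: handover to PE4
    out["handover_acks"] = [pe.accept(bu2, as_home_agent=(pe is pe2)) for pe in (pe2, pe1)]
    out["pe1_binding"] = pe1.bindings[home]
    out["replay"] = pe2.accept(bu, as_home_agent=True)           # old update replayed: rejected
    out["removed"] = pe2.deregister(home)                        # claim 13: return home
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The home-agent test of claim 5 and the MAC test answer different questions: the first says "am I the right PE to hold this binding", the second says "did the subnet really send it". Only the pair gives the VRF entry any trust, and the sequence number is what stops the earlier update from PE3 being replayed after the move to PE4.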
16. A system for implementing a mobile virtual private network, comprising a first provider edge device and a second provider edge device, wherein a first user edge device and a mobile user equipment belong to the same virtual private network, wherein:
the first mobile user equipment publishes routing information to the second provider edge device through the first provider edge device;
the second mobile user equipment obtains the routing information through the second provider edge device in order to communicate with the first user edge device;
the mobile user equipment performs data transmission with the first mobile user equipment through the second provider edge device and the first provider edge device.
17. A mobile virtual private network system, comprising a first provider edge device, a second provider edge device and a third provider edge device, the first, second and third provider edge devices belonging to the same virtual private network, wherein the system further comprises a mobile subnet which, on moving into the area controlled by the third provider edge device, configures a care-of address according to the address prefix information received from the third provider edge device and binds the multiprotocol (MPLS) label assigned by the third provider edge device to the care-of address to form a new label;
the first provider edge device is configured to send data packets from the first mobile user equipment to the second provider edge device, and to forward data packets from the mobile subnet whose destination address matches the first mobile user equipment to the first mobile user equipment;
the second provider edge device is configured to send data packets to the third provider edge device according to the new label, to check whether its virtual routing and forwarding table has an entry matching the destination address of the first mobile user equipment, and to forward matching data packets together with the new label to the first provider edge device;
the third provider edge device forwards data packets to the mobile subnet by looking up its virtual routing and forwarding table, determines whether the data packets sent by the mobile subnet match the destination address of the first mobile user equipment, forwards matching data packets to the first provider edge device while informing it of the new label, and forwards non-matching data packets to the second provider edge device.
18. The system according to claim 17, further comprising:
a fourth provider edge device, configured to receive, when the mobile subnet moves into the control area of the fourth provider edge device, the data packets from the first mobile user equipment forwarded by the first provider edge device, and to send those data packets to the mobile subnet.
PCT/CN2007/000525 2006-04-05 2007-02-14 A method and system for implementing a mobile virtual private network WO2007112645A1 (en)

Applications Claiming Priority (2)

CN2006100671444A (granted as CN101052207B), priority date 2006-04-05, filing date 2006-04-05: Realizing method and system for movable virtual special net
CN200610067144.4, priority date 2006-04-05

Publications (1)

WO2007112645A1, published 2007-10-11

Family

Family ID: 38563088

Family Applications (1)

PCT/CN2007/000525 (WO2007112645A1), priority date 2006-04-05, filing date 2007-02-14: A method and system for implementing a mobile virtual private network

Country Status (2)

Country Link
CN (1) CN101052207B (en)
WO (1) WO2007112645A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017114158A1 (en) * 2015-12-28 2017-07-06 华为技术有限公司 Method and device for publishing tenant routing in nvo3 network
CN113542093A (en) * 2013-05-24 2021-10-22 华为技术有限公司 Method and apparatus for ethernet virtual private network

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340372B (en) 2008-08-21 2012-09-19 中国移动通信集团公司 Number automatic routing method, updating method, revocation method, router and equipment
US10839384B2 (en) * 2008-12-02 2020-11-17 Paypal, Inc. Mobile barcode generation and payment
CN101562807B (en) 2009-05-27 2011-04-20 华为技术有限公司 Mobile virtual private network (VPN) communication method and device and system thereof
CN102821028B (en) * 2011-06-08 2016-03-30 上海贝尔股份有限公司 Support the method that virtual machine moves in multiprotocol label network and corresponding equipment
CN102970229A (en) * 2012-12-18 2013-03-13 网神信息技术(北京)股份有限公司 Method and device for transmitting data
CN103634217B (en) * 2013-11-13 2017-02-08 华为技术有限公司 Method for issuing route information, method and device for transmitting massage
CN105553678A (en) * 2014-11-04 2016-05-04 阿尔卡特朗讯 Method, equipment and system for conference routing
CN105530159B (en) * 2016-01-19 2018-12-18 武汉烽火网络有限责任公司 A kind of method and system realizing the VPN across IPv6 and IPv4 and exchanging visits
CN110326355B (en) * 2017-02-27 2021-12-21 华为技术有限公司 Management method, management unit and system
CN111385204B (en) * 2018-12-27 2022-03-29 中国移动通信集团贵州有限公司 Service transmission method, device, equipment and medium
CN110401716B (en) * 2019-07-26 2021-09-03 宙安科技河北有限公司 Communication method and system between edge nodes
CN112910667B (en) * 2019-11-19 2023-03-24 苏州至赛信息科技有限公司 Method and device for generating network topology model, computer equipment and storage medium
CN113395206B (en) 2020-03-13 2023-06-02 华为技术有限公司 Route determining method, device and network equipment
CN115118661B (en) * 2021-03-19 2023-07-14 中国电信股份有限公司 VPN route control method and router

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050097203A1 (en) * 2003-10-30 2005-05-05 Nortel Networks Limited Autodiscovery for virtual networks
CN1633120A (en) * 2003-12-22 2005-06-29 华为技术有限公司 A Method for Realizing Service Quality Control of Mobile IP Network
CN1697445A (en) * 2004-05-12 2005-11-16 华为技术有限公司 A method for realizing data transmission in a virtual private network

Also Published As

Publication number Publication date
CN101052207A (en) 2007-10-10
CN101052207B (en) 2011-04-20

Similar Documents

Publication Publication Date Title
WO2007112645A1 (en) A method and system for implementing a mobile virtual private network
CN104202784B (en) Use the network grand movement in the cellular network of the Routing Protocol of extension
CN1778077B (en) Method for inter-subnet mobility on campus network
JP3501994B2 (en) How to establish a routing path that distributes packets to destination nodes
KR101399002B1 (en) Virtual private network implemaentation method and system
US8411691B2 (en) Transfer of mobile subscriber context in cellular networks using extended routing protocol
JP3573266B2 (en) How to establish a routing path for delivering packets to a destination node
JP3568852B2 (en) Method and apparatus for assigning a packet routing address for a wireless device accessing a wired subnet
JP3501993B2 (en) Wireless access method
CN102422600B (en) Method provided in mixed nodes, network thereof and network units thereof
US8081611B2 (en) Mobility label-based networks
US20100157963A1 (en) Method for providing mobility to mobile node in packet transport network, packet transport network system and gateway switch
WO2011103781A2 (en) Method, device for implementing identifier and locator split, and method for data encapsulating
WO2007109963A1 (en) A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method
CN112583690A (en) Tunnel configuration method, device, system, equipment and storage medium
CN115118545B (en) Group Management Protocol Host Mobility in Ethernet Virtual Private Network Multicast Networks
CN106209616B (en) Flooding inhibition method and device
CN116248587B (en) A software-defined high-throughput satellite network multicast routing system and method
US20100303072A1 (en) Multicast Source Mobility
WO2011044807A1 (en) Method for registration and communication of anonymous communication and transceiver system for data message
WO2009039788A1 (en) A method and apparatus of realizing multicast transmission
US20090147759A1 (en) Method and apparatus for supporting mobility of node using layer 2/layer 3 addresses
WO2023284675A1 (en) Forwarding table lookup method and apparatus, and storage medium and electronic apparatus
CN103931218B (en) Method and local network entity for data transfer
WO2007143955A1 (en) An apparatus and method for implementing a dual stack mobile node to roam into an ipv4 network

Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref. document 07710947, country EP, kind code A1)

NENP Non-entry into the national phase (ref. country code DE)

122 EP: PCT application non-entry in European phase (ref. document 07710947, country EP, kind code A1)