VPN system in mobile IP network, and method of setting VPN
Abstract
Linked with the position registration procedure of Mobile IP, the invention provides a VPN setting service using an IPsec tunnel between arbitrary terminals without requiring those terminals to have a specific VPN function. The service is provided by a mobile terminal, authentication servers, a VPN database, and network apparatuses. When the mobile terminal makes a position registration request, the home authentication server extracts from the VPN database the VPN information of the user who requested authentication. The home authentication server then posts the VPN information to each network apparatus using a predetermined position registration message and an authentication response message. Based on the posted VPN information, the network apparatuses set an IPsec VPN path between the home network apparatus and the external network apparatus, between the home network apparatus and a predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, respectively.
25 Claims
1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the server apparatus comprising:
- memory means that stores information for constructing a safe communication path within an IP network in relation to the terminal; and
- distribution means that distributes the information to construct a safe communication path between the terminal within an external network of a move destination and the other terminal with which the terminal communicates.
Dependent claims: 2, 3, 4, 5
6. A VPN system in a mobile IP network, the VPN system comprising:
- a mobile terminal;
- a home authentication server provided in a home network of a user and an external authentication server provided in another external network;
- a VPN database provided in the home network; and
- network apparatuses that have gateway functions of a home network, an external network, a predetermined communication host and/or an agent server therefor, wherein the home authentication server extracts from the VPN database the VPN information of a user who has requested authentication at the time of a position registration request from the mobile terminal, and posts this VPN information to each network apparatus by using a predetermined position registration message and an authentication response message, and the respective network apparatuses set an IPsec VPN path, based on the posted VPN information, between the home network apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, respectively.
Dependent claims: 7, 8, 9
10. An external authentication server existing with a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when the terminal has moved between networks on the IP network, the external authentication server comprising:
- means that extracts safety path information corresponding to a user included in a response message from a home authentication server when the mobile terminal has made a position registration request; and
- safety path construction instruction means that instructs a network apparatus accommodating the mobile terminal to construct a safe communication path between this network apparatus and a network apparatus accommodating the other terminal as a communication destination, based on the extracted safety path information.
Dependent claims: 11, 12, 14, 15, 17, 18, 20, 21, 22, 23, 24, 25
13. A network apparatus for accommodating a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the network apparatus comprising:
- means that receives a safety path construction instruction based on safety path information corresponding to a user included in a response message from a home authentication server when the mobile terminal has made a position registration request; and
- safety path construction means that constructs a safe communication path between this network apparatus and a network apparatus accommodating the other terminal as a communication destination, based on the received safety path construction instruction.
16. A VPN setting method in a mobile IP network comprising the steps:
- that a user network apparatus sets a VPN path by a stationary IPsec tunnel directed from the user network apparatus to its home agent;
- that a user mobile terminal transmits a position registration request message to a foreign agent;
- that the foreign agent transmits an authentication request message including the received position registration request information to the user's home authentication server via a local authentication server of the foreign agent;
- that, based on the received authentication request message, the home authentication server refers to its own database and extracts, per user, a communication destination host, a type of the network apparatus, and security service information, caches the VPN information between the foreign agent and the home agent and between the user network apparatus and the home agent, and transmits the position registration request message including this information to the home agent;
- that the home agent caches the received position registration request message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the home agent to the user network apparatus as a communication destination host and to the foreign agent respectively, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
- that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message, with the cached VPN information between the foreign agent and the home agent added, to the local authentication server of the foreign agent;
- that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information between the home agent and the foreign agent; and
- that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
19. A VPN setting method in a mobile IP network comprising the steps:
- that a user mobile terminal transmits a position registration request message to a foreign agent;
- that the foreign agent transmits an authentication request message including the received position registration request information to the user's home authentication server via a local authentication server of the foreign agent;
- that, based on the received authentication request message, the home authentication server refers to its own database and extracts, per user, a communication destination host, a type of the network apparatus, and security service information, sets a VPN between the foreign agent and the communication destination network apparatus in a VPN cache when the type of the network apparatus is one to which a VPN can be set dynamically, and transmits the position registration request message including this information to the home agent;
- that the home agent caches the received position registration request message and, when the type of the network apparatus is one to which a VPN can be set dynamically, transmits a binding update message with this VPN information added to the communication destination host after finishing the position registration processing;
- that the network apparatus receives the binding update message on behalf of the communication destination host, caches the VPN information added to this message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the network apparatus to the foreign agent, and thereafter transmits a binding authorization message to the home agent;
- that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the home authentication server;
- that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message, with the cached VPN information between the foreign agent and the network apparatus added, to the local authentication server of the foreign agent;
- that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information added to this message; and
- that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.
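The message flows of claims 16 and 19 (and the abstract) can be followed more easily as a small simulation. The Python below is an added example written for this page; it is not code from the patent or from any vendor implementation. Each network element is a plain object, an IPsec tunnel is recorded as a (source, destination, security service) tuple rather than a real security association, and the user entries, gateway names and service name "ESP-AES-GCM" are constructed sample data. The simulation covers both the stationary-tunnel case of claim 16 and the binding-update case of claim 19, and also shows that a user absent from the home VPN database is rejected without any tunnel being set, which is the point of tying VPN setup to the authentication step.

```python
# Added example (not part of the patent): simulation of the VPN-setting
# procedures of claims 16 and 19.  Tunnels are (src, dst, service) tuples,
# not real IPsec SAs; all names, users and services are constructed.
from dataclasses import dataclass, field

STATIC = "static"    # claim 16: user apparatus keeps a stationary tunnel to the HA
DYNAMIC = "dynamic"  # claim 19: a VPN can be set dynamically via a binding update


@dataclass
class VpnEntry:
    """One row of the home authentication server's VPN database (constructed)."""
    dest_host: str       # communication destination host
    apparatus: str       # network apparatus (gateway) accommodating dest_host
    apparatus_type: str  # STATIC or DYNAMIC
    service: str         # assigned security service, e.g. "ESP-AES-GCM"


@dataclass
class Node:
    name: str
    tunnels: set = field(default_factory=set)  # {(src, dst, service)}
    cache: dict = field(default_factory=dict)  # cached VPN information per user

    def set_tunnel(self, peer: str, service: str) -> None:
        self.tunnels.add((self.name, peer, service))


@dataclass
class HomeAAA(Node):
    vpn_db: dict = field(default_factory=dict)  # user -> VpnEntry


def register(user, fa, local_aaa, home_aaa, ha, apparatus, trace):
    """Run one position registration; returns the reply handed to the terminal."""
    trace.append(("MT->FA", "RegistrationRequest", user))
    trace.append(("FA->LocalAAA->HomeAAA", "AuthRequest", user))
    entry = home_aaa.vpn_db.get(user)
    if entry is None:  # unknown user: authentication fails, nothing is set up
        trace.append(("HomeAAA->LocalAAA->FA", "AuthResponse(reject)", user))
        trace.append(("FA->MT", "RegistrationReply(reject)", user))
        return {"user": user, "status": "rejected"}
    # Home AAA extracts the user's VPN information and caches it before
    # forwarding the registration request to the home agent.
    if entry.apparatus_type == STATIC:
        fa_peer = ha.name
        home_aaa.cache[user] = [(fa.name, ha.name, entry.service),
                                (entry.apparatus, ha.name, entry.service)]
    else:
        fa_peer = entry.apparatus
        home_aaa.cache[user] = [(fa.name, entry.apparatus, entry.service)]
    trace.append(("HomeAAA->HA", "RegistrationRequest+VPN", user))
    ha.cache[user] = entry
    if entry.apparatus_type == STATIC:
        # Claim 16: the HA terminates tunnels to the user apparatus and the FA.
        ha.set_tunnel(entry.apparatus, entry.service)
        ha.set_tunnel(fa.name, entry.service)
    else:
        # Claim 19: the HA hands the VPN info to the apparatus in a binding update.
        trace.append(("HA->Apparatus", "BindingUpdate+VPN", user))
        apparatus.cache[user] = (fa.name, entry.service)
        apparatus.set_tunnel(fa.name, entry.service)
        trace.append(("Apparatus->HA", "BindingAck", user))
    trace.append(("HA->HomeAAA", "RegistrationReply", user))
    # Only the FA's own VPN information travels back in the auth response.
    fa_info = [t for t in home_aaa.cache[user] if t[0] == fa.name]
    local_aaa.cache[user] = fa_info
    trace.append(("HomeAAA->LocalAAA->FA", "AuthResponse+VPN", user))
    fa.cache[user] = fa_info
    fa.set_tunnel(fa_peer, entry.service)
    trace.append(("FA->MT", "RegistrationReply", user))
    return {"user": user, "status": "accepted", "fa_peer": fa_peer}


def simulate(user):
    """Build a constructed topology, register `user`, report tunnels and trace."""
    db = {"alice": VpnEntry("host-a", "GW-A", STATIC, "ESP-AES-GCM"),
          "bob": VpnEntry("host-b", "GW-B", DYNAMIC, "ESP-AES-GCM")}
    fa, local_aaa, ha = Node("FA"), Node("LocalAAA"), Node("HA")
    home_aaa = HomeAAA("HomeAAA", vpn_db=db)
    gws = {"GW-A": Node("GW-A"), "GW-B": Node("GW-B")}
    gws["GW-A"].set_tunnel("HA", "ESP-AES-GCM")  # claim 16, first step: stationary tunnel
    entry = db.get(user)
    apparatus = gws[entry.apparatus] if entry else None
    trace = []
    reply = register(user, fa, local_aaa, home_aaa, ha, apparatus, trace)
    tunnels = {n.name: sorted(n.tunnels) for n in [fa, ha, *gws.values()]}
    return reply, tunnels, trace


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory"):
        reply, tunnels, trace = simulate(who)
        print(reply, tunnels, sep="\n")
        for step in trace:
            print("  ", *step)
```

Running the script prints, for each user, the registration reply, the tunnels held by the FA, HA and gateways, and the message trace. Note that the mobile terminal itself never receives any IPsec parameters: the VPN information stays inside the AAA and Mobile IP control messages and the tunnels exist only between the agents and gateways.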
Specification