VPN system in mobile IP network, and method of setting VPN

US 20020018456A1
Filed: 03/08/2001
Published: 02/14/2002
Est. Priority Date: 07/26/2000
Status: Active Grant

First Claim

Patent Images

1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the server apparatus comprising:

memory means that stores information for constructing a safe communication path within an IP network in relation to the terminal; and

distribution means that distributes the information to construct a safe communication path between the terminal within an external network of a move destination and the other terminal with whom the terminal communicates.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Linked with a position registration procedure in a mobile IP, the invention provides a VPN setting service using an IP Sec. tunnel between optional terminals without requiring these terminals to have a specific VPN function. This service is provided by a mobile terminal, authentication servers, a VPN database, and network apparatuses. A home authentication server extracts from the VPN database the VPN information of a user who has requested the authentication at the time of making a position registration request from the mobile terminal. The home authentication server then posts the VPN information to each network apparatus using a predetermined position registration message and an authentication response message. Based on the posted VPN information, the network apparatuses set a VPN path by the IP Sec. to between a home network apparatus and an external network apparatus, between the home network apparatus and a predetermined network apparatus, and/or the external network apparatus and the predetermined network apparatus, respectively.

Citations

25 Claims

1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the server apparatus comprising:
- memory means that stores information for constructing a safe communication path within an IP network in relation to the terminal; and
  
  distribution means that distributes the information to construct a safe communication path between the terminal within an external network of a move destination and the other terminal with whom the terminal communicates.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The server apparatus according to claim 1, wherein the distribution means transfers the information to a router of an external network in which the other terminal exists.
  - 3. The server apparatus according to claim 1, wherein the safe communication path is a communication path realized by a virtual private network, and the information includes set path information and security information of the virtual private network.
  - 4. The server apparatus according to claim 1, wherein the distribution means distributes the information at the time of transmitting an authentication response message to a position registration request message from the terminal.
  - 5. The server apparatus according to claim 1, wherein the distribution means distributes the information after receiving a communication packet from the other terminal that becomes the communication destination.

6. A VPN system in a mobile IP network, the VPN system comprising:
- a mobile terminal;
  
  a home authentication server provided in a home network of a user and an external authentication server provided in other external network;
  
  a VPN database provided in the home network; and
  
  network apparatuses that have gateway functions of a home network, an external network, a predetermined communication host and/or an agent server therefor, wherein the home authentication server extracts from a VPN database VPN information of a user who has requested an authentication at the time of a position registration request from a mobile terminal, and posts this VPN information to each network apparatus by using a predetermined position registration message and an authentication response message, and the respective network apparatuses set a VPN path by the IP Sec. based on posted VPN information, to between the home network apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus respectively.
- View Dependent Claims (7, 8, 9)
- - 7. The VPN system according to claim 6, wherein the authentication server and the network apparatus update VPN information cached in the authentication server and the network apparatus to new path information or rewrite the VPN information with position information linked with a position registration request based on a move of a mobile terminal, thereby to automatically update each VPN path between the home network apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, to a new VPN path based on the IP Sec. respectively.
  - 8. The VPN system according to claim 6, wherein the home authentication server includes:
    - an AAAVPN control section that specifies a VPN set path from the information of the external network apparatus connected by the mobile terminal set in a predetermined authentication request message and the information of the home network apparatus of the mobile terminal, by using a correspondence table showing a correspondence between the VPN information of the VPN database and a predetermined network apparatus accommodating a communication host held by itself; and
      
      an AAA protocol processing apparatus that sets a service quality between the network apparatuses and security information to a predetermined authentication response message to an access network and to a position registration message to the home network, as service profiles.
  - 9. The VPN system according to claim 6, wherein each network apparatus includes:
    - an MA protocol processing section that controls protocols relating to a service profile in which the VPN information has been set by caching; and
      
      an MAVPN control section that sets a QoS control for guaranteeing the service quality and a tunnel for guaranteeing the security between the security gateways according to the service profile.

10. An external authentication server existing with a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when the terminal has moved between networks on the IP network, the external authentication server comprising:
- means that extracts safety path information corresponding to a user included in a response message from a home authentication server when the mobile terminal has made a position registration request; and
  
  safety path construction instruction means that instructs a network apparatus accommodating the mobile terminal to construct a safe communication path between this network apparatus and a network apparatus accommodating the other terminal as a communication destination, based on the extracted safety path information.
- View Dependent Claims (11, 12, 14, 15, 17, 18, 20, 21, 22, 23, 24, 25)
- - 11. The external authentication server according to claim 10, wherein the safe communication path is a communication path realized by a virtual private network, and the safety path information includes set path information and security information of the virtual private network.
  - 12. The external authentication server according to claim 11, wherein the safe communication path is a VPN path according to the IP Sec.
  - 14. The network apparatus according to claim 13, wherein the safe communication path is a communication path realized by a virtual private network, and the safety path information includes set path information and security information of the virtual private network.
  - 15. The network apparatus according to claim 14, wherein the safe communication path is a VPN path according to the IP Sec.
  - 17. The VPN setting method according to claim 16, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within the same network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the local authentication server;
      
      that the local authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits an authentication response message including this information to the new foreign agent;
      
      that the new foreign agent transfers the received position registration request message to the home agent;
      
      that, based on the received position registration request information, the home agent rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, deletes the VPN path directed from the home agent to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the home agent set with the assigned security service to the new foreign agent, and transmits a position registration response message to the new foreign agent after finishing the position registration processing; and
      
      that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
  - 18. The VPN setting method according to claim 16, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within a different network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the home authentication server of the user via a local authentication server of the new foreign agent;
      
      that the home authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits the position registration request message including this information to the home agent;
      
      that, based on the received position registration request information, the home agent updates the cached VPN information, deletes the VPN path directed from the home agent to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the home agent set with the assigned security service to the new foreign agent, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
      
      that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the home agent, to a local authentication server of the new foreign agent;
      
      that the local authentication server transmits the received authentication response message to the new foreign agent after updating the cached VPN information; and
      
      that the new foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
  - 20. The VPN setting method according to claim 19, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within the same network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the local authentication server;
      
      that the local authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the network apparatus to the information of the new foreign agent, and transmits an authentication response message including this information to the new foreign agent;
      
      that the new foreign agent transfers the received position registration request message to the home agent;
      
      that, based on the received position registration request information, the home agent rewrites the foreign agent information of the cached VPN information between the foreign agent and the network apparatus to the information of the new foreign agent, and transmits a binding update message added with this VPN information to the communication destination host, when the type of the network apparatus is a one to which a VPN can be set dynamically;
      
      that, based on the received binding update message, the network apparatus updates the cached VPN information, deletes the VPN path directed from the network apparatus to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the network apparatus set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the home agent;
      
      that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the new foreign agent; and
      
      that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.
  - 21. The VPN setting method according to claim 19, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within a different network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the home authentication server of the user via a local authentication server of the new foreign agent;
      
      that the home authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits the position registration request message including this information to the home agent;
      
      that, based on the received position registration request information, the home agent updates the cached VPN information, and transmits a binding update message added with this VPN information to the communication destination host when the type of the network apparatus is a one to which a VPN can be set dynamically;
      
      that, based on the received binding update message, the network apparatus updates the cached VPN information, deletes the VPN path directed from the network apparatus to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the network apparatus set with the assigned security service to the new foreign agent, and thereafter transmits a binding authorization message to the home agent;
      
      that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the new foreign agent;
      
      that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the network apparatus, to a local authentication server of the new foreign agent;
      
      that the local authentication server transmits the received authentication response message to the new foreign agent after caching the VPN information added to this message; and
      
      that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.
  - 22. The VPN setting method according to claim 17 or 20, further comprising the steps:
    - that the new foreign agent copies the cached VPN information, and transmits a binding update message added with the VPN information with the transmission origin rewritten to the old foreign agent and with the transmission destination rewritten to the new foreign agent, to the old foreign agent; and
      
      that, the old foreign agent caches the VPN information of the received binding update message, deletes the VPN path directed from the old foreign agent to the home agent, sets a VPN path by an IP Sec. tunnel directed from the old foreign agent set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the new foreign agent.
  - 23. The VPN setting method according to claim 18 or 21, further comprising the steps:
    - that the new foreign agent copies the cached VPN information when the authentication response message includes the information of the old foreign agent, and transmits a binding update message added with the VPN information with the transmission origin rewritten to the old foreign agent and with the transmission destination rewritten to the new foreign agent, to the old foreign agent; and
      
      that, the old foreign agent caches the VPN information of the received coupling update message, deletes the VPN path directed from the old foreign agent to the home agent, sets a VPN path by an IP Sec. tunnel directed from the old foreign agent set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the new foreign agent.
  - 24. The VPN setting method according to claim 19, further comprising the steps:
    - that the user customizes the user VPN information by making access to a database of the home authentication server by predetermined communication means, and thereby changes the communication destination to a network apparatus of the type of the network apparatus to which a VPN can be set dynamically; and
      
      the user mobile terminal transmits a position registration request message added with a service update request, to a foreign agent.
  - 25. The VPN setting method according to claim 24, further comprising the steps:
    - that the network apparatus measures a lifetime of a communication host under its management, transmits a binding request message to the home agent that has posted the VPN information when the remaining lifetime has become less than a predetermined threshold value, and deletes the VPN information when the binding update message has not been received; and
      
      the home agent retrieves the cached VPN information from the user mobile terminal information included in the received binding request message, transmits a binding update message when the information of the network apparatus exists, and leaves it as it is when the information of the network apparatus does not exist.

13. A network apparatus for accommodating a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the network apparatus comprising:
- means that receives a safety path construction instruction based on safety path information corresponding to a user included in a response message from a home authentication server when the mobile terminal has made a position registration request; and
  
  safety path construction means that constructs a safe communication path between this network apparatus and a network apparatus accommodating the other terminal as a communication destination, based on the received safety path construction information.

16. A VPN setting method in a mobile IP network comprising the steps:
- that a user network apparatus sets VPN path by a stationary IP Sec. tunnel directed from the user network apparatus to its home agent;
  
  that a user mobile terminal transmits a position registration request message to a foreign agent;
  
  that the foreign agent transmits an authentication request message including the received position registration request information to a user home authentication server via a local authentication server of the foreign agent;
  
  that, based on the received authentication request message, the home authentication server refers to its own database and extracts a communication destination host, a type of the network apparatus, and security service information by users, caches the VPN information between the foreign agent and the home agent and between the user network apparatus and the home agent, and transmits the position registration request message including this information to the home agent;
  
  that the home agent caches the received position registration request message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the home agent to the user network apparatus as a communication destination host and to the foreign agent respectively, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
  
  that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the home agent, to a local authentication server of the foreign agent;
  
  that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information between the home agent and the foreign agent; and
  
  that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.

19. A VPN setting method in a mobile IP network comprising the steps:
- that a user mobile terminal transmits a position registration request message from the user mobile terminal to a foreign agent;
  
  that the foreign agent transmits an authentication request message including the received position registration request information to a user home authentication server via a local authentication server of the foreign agent;
  
  that, based on the received authentication request message, the home authentication server refers to its own database and extracts a communication destination host, a type of the network apparatus, and security service information by users, sets a VPN between the foreign agent and the communication destination network apparatus to a VPN cache when the type of the network apparatus is a one to which a VPN can be set dynamically, and transmits the position registration request message including this information to the home agent;
  
  that the home agent caches the received position registration request message, and transmits a binding update message added with this VPN information to the communication destination host after finishing the position registration processing, when the type of the network apparatus is a one to which a VPN can be set dynamically;
  
  that the network apparatus receives the binding update message on behalf of the communication destination host, caches the VPN information added to this message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the network apparatus to the foreign agent, and thereafter transmits a binding authorization message to the home agent;
  
  that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the home authentication server;
  
  that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the network apparatus, to a local authentication server of the foreign agent;
  
  that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information added to this message; and
  
  that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Yamamura, Shinya, Igarashi, Yoichiro, Murata, Kazunori, Kakemizu, Mitsuaki, Wakamoto, Masaaki

Granted Patent

US 7,068,640 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

VPN system in mobile IP network, and method of setting VPN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

VPN system in mobile IP network, and method of setting VPN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links