VPN system in mobile IP network, and method of setting VPN
Abstract
Linked with the position registration procedure of Mobile IP, the invention provides a VPN setting service using an IPsec tunnel between arbitrary terminals without requiring those terminals to have any specific VPN function. The service is provided by a mobile terminal, authentication servers, a VPN database, and network apparatuses. When the mobile terminal makes a position registration request, the home authentication server extracts from the VPN database the VPN information of the user who requested authentication. The home authentication server then posts the VPN information to each network apparatus using a predetermined position registration message and an authentication response message. Based on the posted VPN information, the network apparatuses set a VPN path by IPsec between a home network apparatus and an external network apparatus, between the home network apparatus and a predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, respectively.
22 Claims
1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a mobile terminal has moved between different IP networks, the server apparatus comprising:
memory means that stores VPN information for constructing a safe communication path within an IP network in relation to the terminal, the VPN information containing VPN path distribution means that distributes the VPN information to a first network apparatus, a second network apparatus, and a third network apparatus at the time of transmitting an authentication response message to a position registration request message from the terminal, the first network apparatus having a security gateway function of the home network, the second network apparatus having a security gateway function of the external network of a move destination, the third network apparatus having a security gateway function of a predetermined network in which a correspondent node CN with whom the terminal communicates exists, wherein the respective network apparatuses set a VPN path by IPsec based on the distributed VPN information, between the first network apparatus and the second network apparatus, between the first network apparatus and the third network apparatus, and/or between the second network apparatus and the third network apparatus, respectively. (Dependent claims: 2)
3. A VPN system in a mobile IP network, the VPN system comprising:
a mobile terminal; a home authentication server provided in a home network of a user and an external authentication server provided in another external network; a VPN database provided in the home network, the VPN database containing VPN information having VPN path setting information and security information of a virtual private network; a first network apparatus having a security gateway function of the home network; a second network apparatus having a security gateway function of the other external network; a third network apparatus having a security gateway function of a predetermined network in which a correspondent node CN with whom the terminal communicates exists, wherein the home authentication server extracts from the VPN database the VPN information of a user who has requested an authentication at the time of a position registration request from a mobile terminal, and posts this VPN information to each network apparatus by using a predetermined position registration message and an authentication response message, and the respective network apparatuses set a VPN path by IPsec based on the posted VPN information, between the first network apparatus and the second network apparatus, between the first network apparatus and the third network apparatus, and/or between the second network apparatus and the third network apparatus, respectively. (Dependent claims: 4, 5)
6. A VPN system in a mobile IP network, the VPN system comprising:
a mobile terminal; a home authentication server provided in a home network of a user and an external authentication server provided in another external network; a VPN database provided in the home network; and network apparatuses that have gateway functions of a home network, an external network, a predetermined communication host and/or an agent server therefor;
wherein the home authentication server includes: an AAAVPN control section that specifies a VPN set path from the information of the external network apparatus connected by the mobile terminal, set in a predetermined authentication request message, and the information of the home network apparatus of the mobile terminal, by using a correspondence table showing a correspondence between the VPN information of the VPN database and a predetermined network apparatus accommodating a communication host held by itself; and an AAA protocol processing apparatus that sets a service quality between the network apparatuses and security information, as service profiles, in a predetermined authentication response message to an access network and in a position registration message to the home network, wherein the home authentication server extracts from the VPN database the VPN information of a user who has requested an authentication at the time of a position registration request from a mobile terminal, and posts this VPN information to each network apparatus by using a predetermined position registration message and an authentication response message, and wherein the respective network apparatuses set a VPN path by IPsec based on the posted VPN information, between the home network apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, respectively.
7. An external authentication server existing with a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when the terminal has moved between different IP networks, the external authentication server comprising:
means that extracts VPN path information corresponding to a user included in an authentication response message from a home authentication server when the mobile terminal has made a position registration request; and VPN path construction instruction means that instructs a network apparatus accommodating the mobile terminal to construct a VPN path between this apparatus and a network apparatus having a security gateway function of a home network, and a VPN path between this network apparatus and a network apparatus accommodating a correspondent node CN as a communication destination, based on the extracted VPN path information. (Dependent claims: 8, 9)
10. A network apparatus for accommodating a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between different IP networks, the network apparatus comprising:
means that receives a VPN path construction instruction based on VPN path information corresponding to a user included in an authentication response message from a home authentication server when the mobile terminal has made a position registration request; and VPN path construction means that constructs a VPN path between this apparatus and a network apparatus having a security gateway function of a home network, and a VPN path between this network apparatus and a network apparatus accommodating a correspondent node CN as a communication destination, based on the received VPN path construction information. (Dependent claims: 11, 12)
13. A VPN setting method in a mobile IP network, comprising the steps:
that a user network apparatus sets a VPN path by a stationary IPsec tunnel directed from the user network apparatus to its home agent; that a user mobile terminal transmits a position registration request message to a foreign agent; that the foreign agent transmits an authentication request message including the received position registration request information to the user's home authentication server via a local authentication server of the foreign agent; that, based on the received authentication request message, the home authentication server refers to its own database and extracts, for each user, a communication destination host, a type of the network apparatus, and security service information, caches the extracted information as VPN information between the foreign agent and the home agent and between the user network apparatus and the home agent, and transmits the position registration request message including this information to the home agent; that the home agent caches the received position registration request message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the home agent to the user network apparatus as a communication destination host and to the foreign agent respectively, and transmits a position registration response message to the home authentication server after finishing the position registration processing; that, on receiving the position registration response message, the home authentication server transmits the authentication response message, with the cached VPN information between the foreign agent and the home agent added, to the local authentication server of the foreign agent; that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information between the home agent and the foreign agent; and that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal. (Dependent claims: 14, 15, 21, 22)
16. A VPN setting method in a mobile IP network, comprising the steps:
that a user mobile terminal transmits a position registration request message to a foreign agent; that the foreign agent transmits an authentication request message including the received position registration request information to the user's home authentication server via a local authentication server of the foreign agent; that, based on the received authentication request message, the home authentication server refers to its own database and extracts, for each user, a communication destination host, a type of the network apparatus, and security service information, sets a VPN between the foreign agent and the communication destination network apparatus in a VPN cache when the type of the network apparatus is one to which a VPN can be set dynamically, and transmits the position registration request message including this information to the home agent; that the home agent caches the received position registration request message and, when the type of the network apparatus is one to which a VPN can be set dynamically, transmits a binding update message with this VPN information added to the communication destination host after finishing the position registration processing; that the network apparatus receives the binding update message on behalf of the communication destination host, caches the VPN information added to this message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the network apparatus to the foreign agent, and thereafter transmits a binding authorization message to the home agent; that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the home authentication server; that, on receiving the position registration response message, the home authentication server transmits the authentication response message, with the cached VPN information between the foreign agent and the network apparatus added, to the local authentication server of the foreign agent; that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information added to this message; and that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IPsec tunnel directed from the foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal. (Dependent claims: 17, 18, 19, 20)
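As an added illustration, not code from the patent or any implementation of it, the Python model below walks through the signaling of claims 13 and 16: the home authentication server chooses the far end of the foreign agent's tunnel from the gateway type recorded in the VPN database, the home agent either relies on the stationary tunnel to the correspondent's gateway (claim 13) or pushes the VPN information to that gateway in a binding update (claim 16), and a path counts as usable only when both ends have set it. Entity names, message tuples, the database layout and the "service" label are assumptions, as is the premise that the AAA messages carrying security information travel over an already protected AAA channel, which the claims themselves do not address.

```python
# Added model of the claim-13 (static) and claim-16 (dynamic) signaling flows;
# not the patent's code. Names, messages and the VPN-DB layout are assumptions.
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """HA, FA, or the security gateway in front of a correspondent host."""
    name: str
    tunnels: dict = field(default_factory=dict)  # peer name -> security service

    def set_tunnel(self, peer: str, service: str) -> None:
        self.tunnels[peer] = service             # stand-in for IPsec SA setup

# Constructed VPN database: per user, the correspondent's gateway and whether
# that gateway accepts a dynamically set VPN (claim 16) or only holds a
# stationary tunnel to the HA (claim 13). "service" is a label, not a real SA.
VPN_DB = {"alice@home": {"cn_gw": "corp-gw", "dynamic": False, "service": "esp-aes"},
          "bob@home":   {"cn_gw": "corp-gw", "dynamic": True,  "service": "esp-aes"}}

def register(user, fa, ha, cn_gw, log, db=VPN_DB):
    """Run one position registration; returns the reply seen by the terminal."""
    entry = db[user]
    # FA -> local AAA -> home AAA: authentication request carrying the reg request
    log.append(("auth_req", user, fa.name))
    # Home AAA derives the far end of the FA's tunnel from the gateway type and
    # caches the VPN information it will later add to the authentication response
    far_end = cn_gw if entry["dynamic"] else ha
    cached = {"fa_peer": far_end.name, "service": entry["service"]}
    log.append(("reg_req_to_ha", user, cached))
    if entry["dynamic"]:
        # HA forwards the VPN info in a binding update; the CN's gateway answers
        # on behalf of the host, sets its tunnel toward the FA and acknowledges
        log.append(("binding_update", cn_gw.name))
        cn_gw.set_tunnel(fa.name, cached["service"])
        log.append(("binding_ack", ha.name))
    else:
        # Static case: the CN's gateway already holds a stationary tunnel to the
        # HA; the HA sets its own ends toward that gateway and toward the FA
        cn_gw.set_tunnel(ha.name, cached["service"])
        ha.set_tunnel(cn_gw.name, cached["service"])
        ha.set_tunnel(fa.name, cached["service"])
    # HA -> home AAA reg reply; home AAA -> local AAA -> FA authentication response
    log.append(("auth_resp", user, cached))
    fa.set_tunnel(cached["fa_peer"], cached["service"])
    return {"user": user, "result": "ok"}

def tunnel_is_bidirectional(a: Gateway, b: Gateway) -> bool:
    """True only when both ends have set the tunnel toward each other."""
    return b.name in a.tunnels and a.name in b.tunnels
```

The check at the end is the one a reviewer of such a design wants: a tunnel that only one side has configured, e.g. the FA's end before the HA has processed the registration, is not yet a usable path.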