VPN system in mobile IP network, and method of setting VPN

US 7,068,640 B2
Filed: 03/08/2001
Issued: 06/27/2006
Est. Priority Date: 07/26/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a mobile terminal has moved between different IP network, the server apparatus comprising:

memory means that stores VPN information for constructing a safe communication path within an IP network in relation to the terminal, the VPN information containing VPN pathdistribution means that distributes the VPN information to a first network apparatus, a second network apparatus, and a third network apparatus at the time of transmitting an authentication response message to a position registration request message from the terminal, the first network apparatus having a security gateway function of the home network, the second network apparatus a security gateway function of the external network of a move destination, the third network apparatus having a security gateway function of a predetermined network in which a correspondent node CN with whom the terminal communicates exists, whereinthe respective network apparatuses set a VPN path by the IP Sec. based on the distributed VPN information, to between the first network apparatus and the second network apparatus, between the first network apparatus and the third network apparatus, and/or between the second network apparatus and the third network apparatus respectively.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Linked with a position registration procedure in a mobile IP, the invention provides a VPN setting service using an IP Sec. tunnel between optional terminals without requiring these terminals to have a specific VPN function. This service is provided by a mobile terminal, authentication servers, a VPN database, and network apparatuses. A home authentication server extracts from the VPN database the VPN information of a user who has requested the authentication at the time of making a position registration request from the mobile terminal. The home authentication server then posts the VPN information to each network apparatus using a predetermined position registration message and an authentication response message. Based on the posted VPN information, the network apparatuses set a VPN path by the IP Sec. to between a home network apparatus and an external network apparatus, between the home network apparatus and a predetermined network apparatus, and/or the external network apparatus and the predetermined network apparatus, respectively.

Citations

22 Claims

1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a mobile terminal has moved between different IP network, the server apparatus comprising:
- memory means that stores VPN information for constructing a safe communication path within an IP network in relation to the terminal, the VPN information containing VPN pathdistribution means that distributes the VPN information to a first network apparatus, a second network apparatus, and a third network apparatus at the time of transmitting an authentication response message to a position registration request message from the terminal, the first network apparatus having a security gateway function of the home network, the second network apparatus a security gateway function of the external network of a move destination, the third network apparatus having a security gateway function of a predetermined network in which a correspondent node CN with whom the terminal communicates exists, whereinthe respective network apparatuses set a VPN path by the IP Sec. based on the distributed VPN information, to between the first network apparatus and the second network apparatus, between the first network apparatus and the third network apparatus, and/or between the second network apparatus and the third network apparatus respectively.
- View Dependent Claims (2)
- - 2. The server apparatus according to claim 1, whereinthe distribution means distributes the VPN information after receiving a communication packet from the correspondent node (CN) that becomes the communication destination.

3. A VPN system in a mobile IP network, the VPN system comprising:
- a mobile terminal;
  
  a home authentication server provided in a home network of a user and an external authentication server provided in other external network;
  
  a VPN database provided in the home network, the VPN database containing VPN information having VPN path setting information and security information of a virtual private network;
  
  a first network apparatus having a security gateway function of the home network;
  
  a second network apparatus having a security gateway function of the other external network;
  
  a third network apparatus having a security gateway function of a predetermined network in which a correspondent node CN with whom the terminal communicates exists, whereinthe home authentication server extracts from the VPN database the VPN information of a user who has requested an authentication at the time of a position registration request from a mobile terminal, and posts this VPN information to each network apparatus by using a predetermined position registration message and an authentication response message, andthe respective network apparatuses set a VPN path by the IP Sec. based on posted VPN information, to between the first network apparatus and the second network apparatus, between the first network apparatus and the third network apparatus, and/or between the second network apparatus and the third network apparatus respectively.
- View Dependent Claims (4, 5)
- - 4. The VPN system according to claim 3, whereinthe authentication sever and the network apparatus update VPN information cached in the authentication server and the network apparatus to new path information or rewrite the VPN information with position information linked with a position registration request based on a move of a mobile terminal, thereby to automatically update each VPN path between the home network apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, to a new VPN path based on the IP Sec. respectively.
  - 5. The VPN system according to claim 3, whereineach network apparatus includes:
    - an MA protocol processing section that controls protocols relating to a service profile in which the VPN information has been set by caching; and
      
      an MAVPN control section that sets a QoS control for guaranteeing the service quality and a tunnel for guaranteeing the security between the security gateways according to the service profile.

6. A VPN system in a mobile IP network, the VPN system comprising:
- a mobile terminal;
  
  a home authentication server provided in a home network of a user and an external authentication server provided in other external network;
  
  a VPN database provided in the home network; and
  
  network apparatuses that have gateway functions of a home network, an external network, a predetermined communication host and/or an agent server therefor;
  
  whereinthe home authentication server includes;
  
  an AAAVPN control section hat specifies a VPN set path from the information of the external network apparatus connected by the mobile terminal set in a predetermined authentication request message and the information of the home network apparatus of the mobile terminal, by using a correspondence table showing a correspondence between the VPN information of the VPN database and a predetermined network apparatus accommodating a communication host held by itself; and
  
  an AAA protocol processing apparatus that sets a service quality between the network apparatuses and security information to a predetermined authentication response message to an access network and to a position registration message to the home network, as service profiles, whereinthe home authentication server extracts form a VPN database VPN information of a user who has requested an authentication at the time of a position registration request from a mobile terminal, and posts this VPN information to each network apparatus by using a predetermined position registration message and an authentication response message, and whereinthe respective network apparatuses set a VPN path by the IP Sec. based on posted VPN information, to between the home network apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus respectively.

7. An external authentication server existing with a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when the terminal has moved between different IP networks, the external authentication server comprising:
- means that extracts VPN path information corresponding to a user included in an authentication response message from a home authentication server when the mobile terminal has made a position registration request; and
  
  VPN path construction instruction means that instructs a network apparatus accommodating the mobile terminal to construct a VPN path between this apparatus and a network apparatus having a security gateway function of a home network, and a VPN path between this network apparatus and a network apparatus accommodating a correspondent node CN as a communication destination, based on the extracted VPN path information.
- View Dependent Claims (8, 9)
- - 8. The external authentication server according to claim 7, whereinthe safe communication path is a communication path realized by a virtual private network, and the safety path information includes set path information and security information of the virtual private network.
  - 9. The external authentication server according to claim 8, whereinthe safe communication path is a VPN path according to the IP Sec.

10. A network apparatus for accommodating a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between different IP networks, the network apparatus comprising:
- means that receives a VPN path construction instruction based on VPN path information corresponding to a user included in an authentication response message from a home authentication server when the mobile terminal has made a position registration request; and
  
  VPN path construction means that constructs a VPN path between this apparatus and a network apparatus having a security gateway function of a home network, and a VPN path between this network apparatus and a network apparatus accommodating a correspondent node CN as a communication destination, based on the received VPN path construction information.
- View Dependent Claims (11, 12)
- - 11. The network apparatus according to claim 10, whereinthe safe communication path is a communication path realized by a virtual private network, and the safety path information includes set path information and security information of the virtual private network.
  - 12. The network apparatus according to claim 11, whereinthe safe communication path is a VPN path according to the IP Sec.

13. A VPN setting method in a mobile IP network comprising the steps:
- that a user network apparatus sets VPN path by a stationary IP Sec. tunnel directed from the user network apparatus to its home agent;
  
  that a user mobile terminal transmits a position registration request message to a foreign agent;
  
  that the foreign agent transmits an authentication request message including the received position registration request information to a user home authentication server via a local authentication server of the foreign agent;
  
  that, based on the received authentication request message, the home authentication server refers to its own database and extracts a communication destination host, a type of the network apparatus, and security service information by users, caches the extracted information as VPN information between the foreign agent and the home agent and between the user network apparatus and the home agent, and transmits the position registration request message including this information to the home agent;
  
  that the home agent caches the received position registration request message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the home agent to the user network apparatus as a communication destination host and to the foreign agent respectively, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
  
  that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the home agent, to a local authentication server of the foreign agent;
  
  that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information between the home agent and the foreign agent; and
  
  that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
- View Dependent Claims (14, 15, 21, 22)
- - 14. The VPN setting method according to claim 13, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within the same network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the local authentication server;
      
      that the local authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits an authentication response message including this information to the new foreign agent;
      
      that the new foreign agent transfers the received position registration request message to the home agent;
      
      that, based on the received position registration request information, the home agent rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, deletes the VPN path directed from the home agent to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the home agent set with the assigned security service to the new foreign agent, and transmits a position registration response message to the new foreign agent after finishing the position registration processing; and
      
      that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
  - 15. The VPN setting method according to claim 13, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within a different network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the home authentication server of the user via a local authentication server of the new foreign agent;
      
      that the home authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits the position registration request message including this information to the home agent;
      
      that, based on the received position registration request information, the home agent updates the cached VPN information, deletes the VPN path directed from the home agent to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the home agent set with the assigned security service to the new foreign agent, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
      
      that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the home agent, to a local authentication server of the new foreign agent;
      
      that the local authentication server transmits the received authentication response message to the new foreign agent after updating the cached VPN information; and
      
      that the new foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
  - 21. The VPN setting method according to claim 14 or 17, further comprising the steps:
    - that the new foreign agent copies the cached VPN information, and transmits a binding update message added with the VPN information with the transmission origin rewritten to the old foreign agent and with the transmission destination rewritten to the new foreign agent, to the old foreign agent; and
      
      that, the old foreign agent caches the VPN information of the received binding update message, deletes the VPN path directed from the old foreign agent to the home agent, sets a VPN path by an IP Sec. tunnel directed from the old foreign agent set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the new foreign agent.
  - 22. The VPN setting method according to claim 15 or 18, further comprising the steps:
    - that the new foreign agent copies the cached VPN information when the authentication response message includes the information of the old foreign agent, and transmits a binding update message added with the VPN information with the transmission origin rewritten to the old foreign agent and with the transmission destination rewritten to the new foreign agent, to the old foreign agent; and
      
      that, the old foreign agent caches the VPN information of the received coupling update message, deletes the VPN path directed from the old foreign agent to the home agent, sets a VPN path by an IP Sec. tunnel directed from the old foreign agent set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the new foreign agent.

16. A VPN setting method in a mobile IP network comprising the steps:
- that a user mobile terminal transmits a position registration request message from the user mobile terminal to a foreign agent;
  
  that the foreign agent transmits an authentication request message including the received position registration request information to a user home authentication server via a local authentication server of the foreign agent;
  
  that, based on the received authentication request message, the home authentication server refers to its own database and extracts a communication destination host, a type of the network apparatus, and security service information by users, sets a VPN between the foreign agent and the communication destination network apparatus to a VPN cache when the type of the network apparatus is a one to which a VPN can be set dynamically, and transmits the position registration request message including this information to the home agent;
  
  that the home agent caches the received position registration request message, and transmits a binding update message added with this VPN information to the communication destination host after finishing the position registration processing, when the type of the network apparatus is a one to which a VPN can be set dynamically;
  
  that the network apparatus receives the binding update message on behalf of the communication destination host, caches the VPN information added to this message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the network apparatus to the foreign agent, and thereafter transmits a binding authorization message to the home agent;
  
  that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the home authentication server;
  
  that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the network apparatus, to a local authentication server of the foreign agent;
  
  that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information added to this message; and
  
  that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The VPN setting method according to claim 16, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within the same network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the local authentication server;
      
      that the local authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the network apparatus to the information of the new foreign agent, and transmits an authentication response message including this information to the new foreign agent;
      
      that the new foreign agent transfers the received position registration request message to the home agent;
      
      that, based on the received position registration request information, the home agent rewrites the foreign agent information of the cached VPN information between the foreign agent and the network apparatus to the information of the new foreign agent, and transmits a binding update message added with this VPN information to the communication destination host, when the type of the network apparatus is a one to which a VPN can be set dynamically;
      
      that, based on the received binding update message, the network apparatus updates the cached VPN information, deletes the VPN path directed from the network apparatus to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the network apparatus set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the home agent;
      
      that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the new foreign agent; and
      
      that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.
  - 18. The VPN setting method according to claim 16, further comprising the steps:
    - that the user mobile terminal moves to an area of a new foreign agent within a different network, and transmits from there a position registration request message including position information of the old foreign agent;
      
      that the new foreign agent transmits an authentication request message including the received position registration request information to the home authentication server of the user via a local authentication server of the new foreign agent;
      
      that the home authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits the position registration request message including this information to the home agent;
      
      that, based on the received position registration request information, the home agent updates the cached VPN information, and transmits a binding update message added with this VPN information to the communication destination host when the type of the network apparatus is a one to which a VPN can be set dynamically;
      
      that, based on the received binding update message, the network apparatus updates the cached VPN information, deletes the VPN path directed from the network apparatus to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the network apparatus set with the assigned security service to the new foreign agent, and thereafter transmits a binding authorization message to the home agent;
      
      that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the new foreign agent;
      
      that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the network apparatus, to a local authentication server of the new foreign agent;
      
      that the local authentication server transmits the received authentication response message to the new foreign agent after caching the VPN information added to this message; and
      
      that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.
  - 19. The VPN setting method according to claim 16, further comprising the steps:
    - that the user customizes the user VPN information by making access to a database of the home authentication server by predetermined communication means, and thereby changes the communication destination to a network apparatus of the type of the network apparatus to which a VPN can be set dynamically; and
      
      the user mobile terminal transmits a position registration request message added with a service update request, to a foreign agent.
  - 20. The VPN setting method according to claim 19, further comprising the steps:
    - that the network apparatus measures a lifetime of a communication host under its management, transmits a binding request message to the home agent that has posted the VPN information when the remaining lifetime has become less than a predetermined threshold value, and deletes the VPN information when the binding update message has not been received; and
      
      the home agent retrieves the cached VPN information from the user mobile terminal information included in the received binding request message, transmits a binding update message when the information of the network apparatus exists, and leaves it as it is when the information of the network apparatus does not exist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Yamamura, Shinya, Igarashi, Yoichiro, Murata, Kazunori, Kakemizu, Mitsuaki, Wakamoto, Masaaki
Primary Examiner(s)
FERRIS, DERRICK W

Application Number

US09/801,557
Publication Number

US 20020018456A1
Time in Patent Office

1,937 Days
Field of Search

370/310, 370/328, 370/329, 370/331, 370/437, 370/349, 370/401, 709/227, 709/228, 455/422.1, 455/432.1, 455/433, 455/435.1
US Class Current

370/349
CPC Class Codes

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

VPN system in mobile IP network, and method of setting VPN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

VPN system in mobile IP network, and method of setting VPN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links