CN101510889A - Method and equipment for obtaining dynamic route - Google Patents
- Publication number: CN101510889A (also listed as CN200910130050A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention provides a method and a device for obtaining dynamic routes. The method is applied to a local device and a peer device connected by an IPSec (IP Security, a layer-3 tunnel encryption protocol) tunnel, and comprises the following steps: after the IPSec tunnel is successfully established, the local device generates a routing message according to its own routing information; the local device sends the routing message, which carries the local device's routing information, to the peer device through the IPSec tunnel; and the local device receives, through the IPSec tunnel, a routing message sent by the peer device that carries the peer device's routing information, and obtains that routing information. In the invention, routing messages carry the routing information of the two ends of the IPSec tunnel, so that the two ends of the tunnel exchange dynamic routes.
Description
Technical field
The present invention relates to the communications field, and in particular to a method and a device for obtaining dynamic routes.
Background
A VPN (Virtual Private Network) is a technology that has developed rapidly in recent years with the widespread use of the Internet; it builds a private, dedicated network on top of a public network. A VPN is implemented with tunneling: the tunnel encapsulates the original data packet inside a new packet. The new packet can carry new addressing and routing information, which allows it to be transmitted over the network. When the tunnel is combined with confidentiality, someone eavesdropping on the network cannot obtain the original packet data, which protects the data as it crosses the public network.
In practical VPN deployments, the IPSec (IP Security, a layer-3 tunnel encryption protocol) tunnel is the most widely used kind of tunnel.
An IPSec tunnel achieves this goal through two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). IKE (Internet Key Exchange) provides IPSec with automatic key negotiation and exchange and with the establishment of SAs (Security Associations), which simplifies the configuration and maintenance of IPSec. IKE uses ISAKMP (Internet Security Association and Key Management Protocol) in two phases to establish the SA of an IPSec tunnel. In the first phase, IKE uses ISAKMP to establish an SA, that is, the two communicating parties establish a channel between them that is authenticated and protected. In the second phase, IKE uses this authenticated and protected SA to negotiate specific security services for another protocol, for example IPSec, and establishes the IPSec SA. An SA is an agreement between communicating peers on certain elements, for example which protocol to use (AH alone, ESP alone, or both in combination), the protocol operating mode (transport mode or tunnel mode), the encryption algorithm (DES (Data Encryption Standard) or 3DES), the shared key that protects the data in a specific flow, and the lifetime of the SA.
Although the IPSec tunnel is the most widely used kind of tunnel in VPN implementations, if the two ends of the tunnel are not on the same network segment, a dynamic routing protocol adjacency cannot be established between them, and routing information cannot be passed dynamically. Communication between the private networks at the two ends of the tunnel then has to be arranged by configuring ACLs (Access Control Lists) at both ends of the tunnel. For example, when private network A and private network B are to communicate through an IPSec tunnel, the IPSec tunnel is first established between gateway device C of private network A and gateway device D of private network B, and the corresponding ACLs are configured on device C and device D:
Device C: source address 10.1.1.0/24, destination address 10.2.1.0/24
Device D: source address 10.2.1.0/24, destination address 10.1.1.0/24
Once these ACLs are configured and the IPSec tunnel between device C and device D is established, whenever a user in private network A with an address in the 10.1.1.0/24 range accesses the 10.2.1.0/24 network segment, device C encrypts the packets and sends them to device D through the IPSec tunnel. If device D's route to the 10.2.1.0/24 segment disappears, device C still encrypts and encapsulates packets and sends them to device D unless a network administrator manually deletes the ACL, which may waste network resources.
To allow the two ends of an IPSec tunnel to obtain dynamic routing information, the prior art supports dynamic routing protocols between the two ends of the tunnel by using static VTIs (Virtual Tunnel Interfaces).
A static VTI uses a Tunnel interface. The addresses of the Tunnel interfaces are IP addresses in the same network segment, so a dynamic routing protocol adjacency can be established and dynamic routing information can be exchanged.
The encapsulation type of the interface in a static VTI is IPSec encapsulation, and the device uses the peer address configured on the Tunnel interface as the address of the IKE peer (IPSec peer) to initiate the IPSec tunnel connection.
For example, an IPSec tunnel between device A and device B can be established as follows: device A first initiates the IPSec tunnel connection to the address 1.2.1.1 configured on device B's Tunnel interface. After the IPSec SA is established, every packet sent out of device A's Tunnel interface is encrypted and encapsulated with the IPSec SA and sent to peer device B. Packets on device B's Tunnel interface are likewise encrypted and encapsulated by IPSec and sent to peer device A. In this way packets on both Tunnel interfaces, including multicast and broadcast packets, can reach the other side's Tunnel interface, and both sides can enable a dynamic routing protocol.
However, the Tunnel-interface method used in the prior art changes the way an IPSec tunnel sends and receives data considerably, and it requires the public IP addresses of the local and peer ends of the tunnel to be specified. When the public IP address of one end of the tunnel is obtained dynamically, or when NAT (Network Address Translation) is present in the carrier network, the peer's public IP address cannot be determined accurately and the method cannot be used.
Summary of the invention
The invention provides a method and a device for obtaining dynamic routes, in which routing messages carry the routing information of the two ends of an IPSec tunnel so that the two ends of the tunnel exchange dynamic routes.
The invention provides a method for obtaining dynamic routes, applied to a local device and a peer device connected by an IPSec (layer-3 tunnel encryption protocol) tunnel. The method comprises:
After the IPSec tunnel is successfully established, the local device generates a routing message according to the routing information of the local device;
The local device sends the routing message to the peer device through the IPSec tunnel; the routing message carries the routing information of the local device;
The local device receives, through the IPSec tunnel, a routing message sent by the peer device that carries the routing information of the peer device, and obtains the routing information of the peer device.
The local device sending the routing message to the peer device through the IPSec tunnel comprises:
The local device encrypts the routing message according to the security association (SA) of the IPSec tunnel;
The local device sends the encrypted routing message to the peer device.
The local device receiving, through the IPSec tunnel, the routing message sent by the peer device that carries the routing information of the peer device, and obtaining the routing information of the peer device, comprises:
The local device receives the encrypted routing message sent by the peer device;
The local device decrypts the routing message according to the SA of the IPSec tunnel and obtains the routing information of the peer device;
The local device generates a routing table and stores the obtained routing information of the peer device.
The method provided by the invention further comprises:
When the routing information of the local device changes, the local device generates a second routing message according to the change in the routing information;
The local device sends the second routing message to the peer device through the IPSec tunnel, so that the peer device obtains the change in the local device's routing information from the routing message and modifies the peer device's routing table.
The routing information comprises the local device's routes to private networks, and a change in the routing information comprises adding a route from the local device to a private network or withdrawing an existing route from the local device to a private network.
When the routing information of the local device changes, the local device generating the second routing message according to the change comprises:
When the change is the addition of a route from the local device to a private network, the local device generates a route advertisement (publish) message according to the change; the route advertisement message carries the address information of the private network;
When the change is the withdrawal of an existing route from the local device to a private network, the local device generates a route withdrawal message according to the change; the route withdrawal message carries the address information of the private network.
The local device sending the second routing message to the peer device through the IPSec tunnel, so that the peer device obtains the change in the local device's routing information from the routing message and modifies the routing table, comprises:
When the peer device receives a route withdrawal message sent by the local device, it deletes from the routing table, according to the address information of the private network carried in the route withdrawal message, the route table entry whose destination address is the address information of that private network;
When the peer device receives a route advertisement message sent by the local device, it adds to the routing table, according to the address information of the private network carried in the route advertisement message, a route table entry whose destination address is the address information of that private network.
A route table entry comprises the address information of the private network, the address information of the local device corresponding to the address information of that private network, and the security association (SA) of the IPSec tunnel connecting the peer device and the local device.
Before the local device sends the second routing message to the peer device through the IPSec tunnel, the method further comprises:
The local device sets a timer with a preset delay time;
The local device caches the second routing message, starts the timer, and judges whether the routing information of the local device changes within the delay time;
If the result is that it changed, the local device generates a new routing message according to the change in the routing information and resets the timer;
If the result is no, the operation continues.
After the local device sends the routing message to the peer device through the IPSec tunnel, the method further comprises:
The local device detects whether confirmation information sent by the peer device is received within a preset time;
If the detection result is no, the local device retransmits the routing message to the peer device.
The routing message and the second routing message are IKE protocol message bodies.
The invention provides a device for obtaining dynamic routes, which serves as a local device with an IPSec tunnel established between it and a peer device. The device comprises:
A message generation unit, used to generate a routing message according to the routing information of the local device after the IPSec tunnel is successfully established;
A message sending unit, connected to the message generation unit and used to send the routing message generated by the message generation unit to the peer device through the IPSec tunnel; the routing message carries the routing information of the local device;
A route obtaining unit, used to receive, through the IPSec tunnel, a routing message sent by the peer device that carries the routing information of the peer device, and to obtain the routing information of the peer device.
The message sending unit comprises:
An encryption subunit, used to encrypt the routing message according to the security association (SA) of the IPSec tunnel;
A sending subunit, connected to the encryption subunit and used to send the routing message encrypted by the encryption subunit to the peer device.
The route obtaining unit comprises:
An encrypted-message receiving subunit, used to receive the encrypted routing message sent by the peer device;
A decryption subunit, connected to the encrypted-message receiving subunit and used to decrypt, according to the SA of the IPSec tunnel, the routing message received by the encrypted-message receiving subunit and obtain the routing information of the peer device;
A table generation subunit, connected to the decryption subunit and used to generate a routing table and store the routing information of the peer device obtained by the decryption subunit.
The device provided by the invention further comprises:
A second message generation unit, used to generate a second routing message according to the change in the routing information when the routing information of the local device changes;
A second message sending unit, connected to the second message generation unit and used to send the second routing message generated by the second message generation unit to the peer device through the IPSec tunnel.
The device provided by the invention further comprises:
A timer, used to preset the delay time;
A judging unit, used to judge whether the routing information of the local device changes within the delay time set by the timer;
When the judging unit's result is that it changed, the second message generation unit is further used to generate a new routing message according to the change in the routing information and reset the timer;
When the judging unit's result is no, the operation continues.
The device provided by the invention further comprises:
A confirmation detection unit, used to detect whether confirmation information sent by the peer device is received within a preset time;
The message sending unit is also connected to the confirmation detection unit and is used to retransmit the routing message to the peer device when the confirmation detection unit does not receive the confirmation information sent by the peer device within the preset time.
Compared with the prior art, the present invention has at least the following advantages:
After the IPSec tunnel is successfully established, the local device can send routing messages carrying routing information to the peer device through the IPSec tunnel and exchange routing information with it. Dynamic routes can therefore be passed through the IPSec tunnel without changing the existing IPSec tunnel mode, no requirement is placed on the IP addresses of the tunnel endpoints, and the efficiency of passing routes dynamically through the IPSec tunnel is improved.
Description of the drawings
To explain the technical solutions of the present invention and of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for obtaining dynamic routes provided by the invention;
Fig. 2 is another flow diagram of the method for obtaining dynamic routes provided by the invention;
Fig. 3 is a further, detailed flow diagram of the method for obtaining dynamic routes provided by the invention;
Fig. 4 is a flow diagram of the method for obtaining dynamic routes provided by the invention in an application scenario;
Fig. 5 is a structural diagram of the device for obtaining dynamic routes provided by the invention;
Fig. 6 is another structural diagram of the device for obtaining dynamic routes provided by the invention;
Fig. 7 is a further structural diagram of the device for obtaining dynamic routes provided by the invention.
Embodiments
The technical solutions of the present invention are described clearly and completely below with reference to the drawings. The embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The invention provides a method for obtaining dynamic routes. The main idea is as follows: an IPSec tunnel is established between IPSec peers, and the two ends of the tunnel are the local device and the peer device with respect to each other. After the IPSec tunnel is successfully established, the local device and the peer device send routing messages through the tunnel to exchange dynamic routing information. When the routing information of the local device changes, the local device sends a routing message carrying the change to the peer device through the IPSec tunnel. After receiving the routing message, the peer device obtains the change in the local device's routing information, modifies the routing information corresponding to the change in its stored route table entries, and sends data to the local device according to the modified entries. Dynamic routes are thereby obtained between the IPSec peers.
The invention provides a method for obtaining dynamic routes, applied to a local device and a peer device connected by an IPSec tunnel. As shown in Fig. 1, it comprises the following steps:
Step s101: after the IPSec tunnel is successfully established, the local device generates a routing message according to the routing information of the local device;
Step s102: the local device sends the routing message to the peer device through the IPSec tunnel; the routing message carries the routing information of the local device;
Step s103: the local device receives, through the IPSec tunnel, a routing message sent by the peer device that carries the routing information of the peer device, and obtains the routing information of the peer device.
The method provided by the invention is described in detail below, taking the dynamic exchange of routing information between device A and device B as an example. Device A and device B are the interface devices at the two ends of the IPSec tunnel and exchange routing information through the tunnel. As shown in Fig. 2, the method comprises the following steps:
Step s201: device A and device B establish an IPSec tunnel connection and exchange routing information.
After device A and device B establish the IPSec tunnel connection, device A sends its routing information to device B through the IPSec tunnel in the form of a routing message. After receiving the routing message, device B replies to device A with confirmation information and sends device A a routing message carrying device B's routing information. The routing information carried in the routing message that device A sends to device B comprises device A's routes to private networks, and the routing information carried in the routing message that device B sends to device A comprises device B's routes to private networks.
After device A and device B each receive the routing message sent by the other end, they store the peer's routing information. Specifically, device A and device B can each generate a corresponding route table entry in the routing table according to the routing information in the received routing message, storing the address information of the private network, the address information of the peer device corresponding to that private network, the SA corresponding to the address information of that private network, and so on.
After device A and device B have stored each other's routing information, they can communicate using the IPSec tunnel between them. For example, suppose the routing information of device A includes the network segment of private network 1 and the routing information of device B includes the network segment of private network 2. If a device in private network 1 initiates communication with a device in private network 2, the device in private network 1 sends the data to device A. Device A receives the data, looks up its routing table, obtains the corresponding route table entry according to the address information of private network 2, finds the SA corresponding to the network segment of private network 2, and encrypts the data. Then, according to the destination IP address in the route table entry, that is, the address information of device B, it sends the encrypted data to device B, which decrypts the data and forwards it to the device in private network 2.
Step s202: when the routing information of device A changes, device A generates a routing message to notify device B of the change.
When the routing information of device A changes, for example when device A's route to private network 1 is withdrawn or added, device A obtains the change, generates a routing message according to it, and sends the generated routing message to device B. The routing information includes information such as the network segment and subnet mask of private network 1.
After receiving the routing message, device B obtains the change in device A's routing information, modifies its routing table by adding or deleting the route table entry corresponding to private network 1, and sends data according to the modified routing table. Device A generates the routing message according to the change in routing information as follows:
When device A adds a route to private network 1, device A generates the corresponding route advertisement message according to the network segment, subnet mask and so on of private network 1 and sends it to device B, notifying device B that the local end has added a route to private network 1. When device A withdraws its route to private network 1, device A generates a route withdrawal message according to information such as the network segment of private network 1 and sends it to device B, notifying device B that the local end has withdrawn the route to private network 1.
After receiving the routing message sent by device A, device B modifies its stored routing table. If device A has added a route to private network 1, device B adds a route table entry for private network 1 to the routing table; if device A has withdrawn its route to private network 1, device B deletes the route table entry for private network 1 from the routing table. When private network 2 forwards data to private network 1 through device B, device B looks up the modified routing table. If the routing table contains an entry corresponding to the network segment of private network 1, device B forwards the data to device A through the IPSec tunnel, and device A forwards the data on to private network 1. If the entry corresponding to the network segment of private network 1 has been deleted from the routing table, device B does not forward the data.
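The receiver-side handling described above, sketched as an added Python example (not part of the patent): a route table whose entries hold the private network, the peer address and the SA, updated by advertisement and withdrawal messages and consulted before forwarding. The message layout, the class names, the constructed addresses and the rule that only the tunnel owning an entry may change it are assumptions of this example; the ownership rule reflects the multi-peer case, where a message arriving on one tunnel should not alter a route learned over another.

```python
# Added illustration, not code from the patent. The message layout, class
# names and the SA-ownership rule are assumptions made for this example.
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


class MsgType(Enum):
    PUBLISH = 1   # sender added a route to a private network
    WITHDRAW = 2  # sender withdrew a route to a private network


@dataclass(frozen=True)
class RouteMessage:
    """A routing message after decryption under the tunnel's SA."""
    msg_type: MsgType
    private_net: IPv4Network


@dataclass(frozen=True)
class RouteEntry:
    """The three fields the description lists for a route table entry."""
    private_net: IPv4Network
    peer_addr: IPv4Address
    sa_id: int  # stand-in for the IPSec SA of the tunnel to that peer


class TunnelRouteTable:
    def __init__(self) -> None:
        self._entries: Dict[IPv4Network, RouteEntry] = {}

    def apply(self, msg: RouteMessage, peer_addr: IPv4Address, sa_id: int) -> bool:
        """Apply a message received under sa_id; True if the table changed."""
        current = self._entries.get(msg.private_net)
        # Assumed hardening rule: only the tunnel that owns an entry may
        # replace or delete it, so one peer cannot remove another's route.
        if current is not None and current.sa_id != sa_id:
            return False
        if msg.msg_type is MsgType.PUBLISH:
            entry = RouteEntry(msg.private_net, peer_addr, sa_id)
            self._entries[msg.private_net] = entry
            return current != entry
        if current is None:
            return False  # withdrawal for a route that was never learned
        del self._entries[msg.private_net]
        return True

    def lookup(self, dst: str) -> Optional[RouteEntry]:
        """Longest-prefix match; None means the packet is not tunnelled."""
        addr = ip_address(dst)
        hits = [e for net, e in self._entries.items() if addr in net]
        return max(hits, key=lambda e: e.private_net.prefixlen, default=None)


def demo() -> List[bool]:
    """Constructed scenario: device B's table with tunnels to A and one other peer."""
    table = TunnelRouteTable()
    dev_a, other = ip_address("192.0.2.1"), ip_address("198.51.100.7")
    net1 = ip_network("10.1.1.0/24")  # private network 1 behind device A
    return [
        table.apply(RouteMessage(MsgType.PUBLISH, net1), dev_a, sa_id=0x1001),
        table.apply(RouteMessage(MsgType.WITHDRAW, net1), other, sa_id=0x2002),
        table.lookup("10.1.1.25") is not None,   # still forwarded via A
        table.apply(RouteMessage(MsgType.WITHDRAW, net1), dev_a, sa_id=0x1001),
        table.lookup("10.1.1.25") is None,       # no entry, so not forwarded
    ]


if __name__ == "__main__":
    print(demo())
```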
Because device A's routing information may change very frequently, routing messages could be sent frequently, invalidating routing messages sent earlier and wasting resources. In this embodiment, a timer can be set in device A with a pre-configured delay time. After a routing message is generated, it is first cached. If device A's routing information does not change within the pre-configured delay time, the routing message is sent to device B; otherwise the timer is reset, a new routing message is generated according to the change in routing information, and the delay time is counted again.
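The sender-side behaviour, combining the delay timer of this paragraph with the confirmation check and retransmission described in the summary, as an added Python example (not part of the patent). The sequence numbers, the retry limit, the `send` callback and the explicit `now` clock are assumptions of this example; the patent does not say how confirmations are matched to messages or how many retransmissions are allowed.

```python
# Added illustration, not code from the patent. Sequence numbers, the retry
# limit and the explicit clock are assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Payload = Tuple[Tuple[str, str], ...]  # ((prefix, "publish" | "withdraw"), ...)


@dataclass
class Outstanding:
    seq: int
    payload: Payload
    deadline: float  # time by which the peer's confirmation must arrive
    retries: int = 0


class RouteAnnouncer:
    def __init__(self, send: Callable[[int, Payload], None],
                 delay: float, ack_timeout: float, max_retries: int = 3) -> None:
        self.send = send
        self.delay = delay
        self.ack_timeout = ack_timeout
        self.max_retries = max_retries
        self.cached: Dict[str, str] = {}            # latest change per prefix
        self.timer_deadline: Optional[float] = None
        self.outstanding: Dict[int, Outstanding] = {}
        self.next_seq = 1

    def route_changed(self, kind: str, prefix: str, now: float) -> None:
        """Cache the new message and restart the delay timer."""
        if kind not in ("publish", "withdraw"):
            raise ValueError(f"unknown change kind: {kind!r}")
        self.cached[prefix] = kind          # replaces any cached, unsent change
        self.timer_deadline = now + self.delay

    def ack_received(self, seq: int) -> bool:
        """Record the peer's confirmation; False if seq is not outstanding."""
        return self.outstanding.pop(seq, None) is not None

    def tick(self, now: float) -> List[int]:
        """Drive both timers; returns sequence numbers that were given up on."""
        abandoned: List[int] = []
        if self.timer_deadline is not None and now >= self.timer_deadline:
            payload: Payload = tuple(sorted(self.cached.items()))
            self.cached.clear()
            self.timer_deadline = None
            seq, self.next_seq = self.next_seq, self.next_seq + 1
            self.outstanding[seq] = Outstanding(seq, payload, now + self.ack_timeout)
            self.send(seq, payload)
        for msg in list(self.outstanding.values()):
            if now < msg.deadline:
                continue
            if msg.retries >= self.max_retries:     # assumed bound on retries
                abandoned.append(msg.seq)
                del self.outstanding[msg.seq]
                continue
            msg.retries += 1
            msg.deadline = now + self.ack_timeout
            self.send(msg.seq, msg.payload)         # retransmit the same message
        return abandoned


def demo() -> List[Tuple[int, Payload]]:
    """Constructed timeline: a route flaps inside the delay, then one ack is late."""
    sent: List[Tuple[int, Payload]] = []
    a = RouteAnnouncer(lambda seq, p: sent.append((seq, p)),
                       delay=5.0, ack_timeout=3.0, max_retries=2)
    a.route_changed("publish", "10.1.1.0/24", now=0.0)
    a.tick(now=3.0)                                   # still inside the delay
    a.route_changed("withdraw", "10.1.1.0/24", now=4.0)  # timer restarts
    a.tick(now=5.0)                                   # old deadline no longer applies
    a.tick(now=9.0)                                   # delay elapsed: one message sent
    a.tick(now=12.0)                                  # no confirmation: retransmit
    a.ack_received(1)
    a.tick(now=15.0)                                  # confirmed: nothing more sent
    return sent


if __name__ == "__main__":
    print(demo())
```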
In this embodiment, the routing messages exchanged between device A and device B are IKE protocol message bodies.
Step s202 of this embodiment is described using a change in the route between device A and private network 1 as the example. When the route between device B and private network 2 changes, the routing information can be exchanged with device A by the same or a similar process.
In this embodiment, routing information is passed dynamically between device A and device B. Those skilled in the art will understand that the routing table in device B can contain multiple route table entries, each of which can identify one piece of routing information. For the dynamic passing of routing information among multiple devices, device B only needs to modify the corresponding route table entries according to the routing changes of each of those devices. The method provided by the invention applies equally and is not described again here.
Be described in further detail method provided by the invention below, as shown in Figure 3, initiate to set up ipsec tunnel to B equipment with A equipment, both mutual dynamic routing informations are example, and this method specifically can may further comprise the steps:
Step s301: device A and device B send messages to each other to match the data that protects the IPSec tunnel establishment process.
Specifically, device A sends a first message to device B. The first message carries the data that protects the tunnel establishment process, for example the encryption mechanism DES (Data Encryption Standard). After receiving the first message from device A, device B returns a second message to device A. The data carried in the second message is likewise data that protects the tunnel establishment process, and it is compared with the data carried in the first message. If the comparison result is not a match, the next group of data is compared; if in the end no match can be found, establishment of the IPSec tunnel stops. If the comparison result is a match, the process continues.
Step s302: device A sends its DH (Diffie-Hellman) public value to device B.
Step s303: device B sends its DH public value to device A.
Device A and device B need to negotiate the same KEY (key) value in order to go on to establish the IPSec tunnel between them. The KEY value is generated from the DH public values of device A and device B: once device A has received the DH public value sent by device B, and device B has received the DH public value of device A, both devices can generate the same KEY value using a preset KEY value calculation formula.
Step s304: device A sends authentication information to device B. This information carries the identity information of the peer device with which device A wishes to establish the IPSec tunnel connection; the identity information may be a digital signature or the like.
Step s305: device B sends a response message to device A. When device B matches the authentication information sent by device A, it sends confirmation information to device A, and this confirmation information is included in the response message. Device B can also send device A the authentication information of the peer device with which device B wishes to establish the IPSec tunnel connection; this authentication information can be included in the response message or sent to device A in another message.
Step s306: device A sends an IPSec SA message to device B; the message carries the transform attributes of the IPSec SA.
The transform attributes of the IPSec SA may include:
Encapsulation: ESP (Encapsulating Security Payload) and/or AH (Authentication Header); mode: tunnel; and so on.
Step s307: device B sends a message to device A agreeing to the transform attributes of the IPSec SA in the above IPSec SA message, and the IPSec SA between device A and device B is established.
Step s308: device A sends a route message to device B; the route message carries the routing information of device A. This routing information mainly comprises device A's route to the private network. After receiving the route message, device B obtains the routing information in it, generates the corresponding routing table entry, and records the routing information in that entry. Device B can also return confirmation information and its own routing information to device A. After obtaining device B's routing information, device A adds the corresponding routing table entry to its routing table.
Step s309: when the routing information of device A changes, device A generates a corresponding route message according to the change and caches the route message.
Step s310: device A judges whether the routing information changes within the preset delay time. If it changes, step s309 is executed; otherwise, step s311 is executed.
In this embodiment, a timer can be set in device A and a delay time pre-configured. If the routing information of device A does not change within the pre-configured delay time, step s311 is executed and the route message is sent to device B. Otherwise the timer is cleared, a new route message is generated according to the change in the routing information, the delay time is counted again, and step s309 is executed.
Step s311: device A sends the route message to device B to notify device B of the change in the local routing information.
For example, when device A's route to private network 1 changes, device A needs to notify device B of the change. Specifically, device A generates a route message according to the change in the routing information. The route message carries information such as the network segment and subnet address of private network 1 and indicates how the route has changed, for example that a route from device A to private network 1 has been added or that the route from device A to private network 1 has been withdrawn. Device A sends the generated route message to device B; device B receives it, learns of the change in device A's routing information, and modifies the corresponding routing table entry in its routing table. When the change is the addition of a route to private network 1, device B adds a corresponding routing table entry to its routing table and records in it information such as the address of the added private network 1, the SA, and the next-hop IP address, where the next-hop IP address identifies the IP address of device A. When the change is the withdrawal of the route to private network 1, device B deletes the corresponding routing table entry.
Device B returns a response message to device A; the message contains device B's confirmation of the route message sent by device A. If device A does not receive the confirmation information from device B within a predetermined time, device A sends the route message to device B again. This embodiment has been described using the example in which device A's route to private network 1 changes and device A sends dynamic routing information to device B. When device B's routing information for private network 2 changes, device B can likewise send dynamic routing information to device A; the process is similar to steps s308 to s309 above and is not described again here.
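The delay timer of steps s309 to s311 and the retransmission on a missing confirmation can be followed on a replayed timeline. The sketch below is an added example, not code from the patent; the class and method names are hypothetical, and it assumes that changes cached during the delay are merged per prefix (latest state wins) and that a confirmation is matched to a message by its content.

```python
class RouteNotifier:
    """Device A's side of steps s309 to s311 plus the retransmission rule.

    Time is passed in explicitly so the behaviour can be replayed without
    sleeping. ASSUMPTIONS (not stated on the page): changes cached during the
    delay are merged per prefix, latest state wins; a confirmation is matched
    to a message by its content.
    """

    def __init__(self, send, delay, ack_timeout):
        self.send = send                # callable taking a list of (prefix, type)
        self.delay = delay              # pre-configured delay time
        self.ack_timeout = ack_timeout  # how long to wait for a confirmation
        self.pending = {}               # prefix -> 1 (publish) or 0 (withdraw)
        self.deadline = None            # expiry of the delay timer, if running
        self.unacked = []               # [message, retransmit_at] pairs

    def route_changed(self, now, prefix, route_type):
        # s309: cache the change. s310: any change restarts the delay timer.
        self.pending[prefix] = route_type
        self.deadline = now + self.delay

    def confirmation_received(self, message):
        # Stop retransmitting the message the peer has confirmed.
        self.unacked = [item for item in self.unacked if item[0] != message]

    def tick(self, now):
        # Retransmit anything that was not confirmed within the timeout.
        for item in self.unacked:
            if now >= item[1]:
                self.send(item[0])
                item[1] = now + self.ack_timeout
        # s311: the delay passed with no further change, so send the message.
        if self.deadline is not None and now >= self.deadline:
            message = sorted(self.pending.items())
            self.pending.clear()
            self.deadline = None
            self.send(message)
            self.unacked.append([message, now + self.ack_timeout])


def simulate():
    """Constructed timeline: the route to 10.1.1.0/24 flaps, then settles."""
    log = []
    clock = {"now": 0}
    notifier = RouteNotifier(lambda m: log.append((clock["now"], m)),
                             delay=5, ack_timeout=3)
    changes = {0: 1, 2: 0, 4: 1}   # second -> Type value (1 publish, 0 withdraw)
    for now in range(20):
        clock["now"] = now
        if now in changes:
            notifier.route_changed(now, "10.1.1.0/24", changes[now])
        if now == 13:              # device B's confirmation arrives late
            notifier.confirmation_received([("10.1.1.0/24", 1)])
        notifier.tick(now)
    return log


if __name__ == "__main__":
    for when, message in simulate():
        print(when, message)
```

Three changes inside the delay window produce one route message at second 9, and the missing confirmation produces exactly one retransmission at second 12.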
The method for obtaining dynamic routes provided by the invention is further described below with reference to a specific application scenario. In this application scenario, the route message carries a Route payload, and the routing information in the Route payload is the local dynamic route. After the peer device receives the Route payload, it adds the routing information to its routing table with the next hop pointing to the IP address of the local device, which accomplishes the issuing of dynamic routing information. The IPSec peers are again device A and device B, with device A in private network 1 and device B in private network 2.
The invention provides a method for obtaining dynamic routes which, as shown in Figure 4, includes the following steps:
Step s401: the route of the local device changes; the local device constructs a route issue message and sends it to the peer device.
The process of establishing the IPSec tunnel between the local device, device A, and the peer device, device B, was introduced in the previous embodiment and is not repeated here. After the IPSec tunnel has been established successfully, when device A adds a route to private network 1, device A constructs a route issue message to notify device B.
In this embodiment, the format of the route issue message follows the IKE protocol format, as shown in Table 1:
Table 1 Format of the route issue message
Here, Next payload (1 octet) is the payload type identifier of the next payload in the message. If the current payload is the last one in the message, this field is 0.
RESERVED (1 octet) is reserved; when not used it is set to 0.
Payload Length (2 octets) gives the length of the current payload in octets, including the generic payload header.
Route Payload is the routing information data; its format is shown in Table 2:
Table 2 Format of the Route Payload
In Table 2, Command identifies the type of message: a value of 0 indicates route issue information and a value of 1 indicates route confirmation information.
Type indicates the routing information type: a value of 1 indicates issuing valid routing information and a value of 0 indicates withdrawing routing information that is no longer useful.
IP address is the destination IP address of the route. It can be a natural network segment address, a subnet address or a host address, and identifies the address information of the private network or the address information of the local device.
Subnet mask is the mask of the destination address.
As shown in Table 3, when device A adds a route to private network 1, device A sends a route issue message to device B. The route payload of this message can contain multiple pieces of routing information, including the network segment 10.1.1.0/24 of private network 1. Device A then waits for the peer's confirmation information.
Table 3 Route issue message
Step s402: device B receives the route issue message sent by device A and sends confirmation information to device A.
After receiving the route issue message sent by device A, device B replies with confirmation information and, according to the routing information of device A carried in the message, adds or deletes routing table entries in its routing table. Because the message comes from device A, when device B adds a routing table entry it records the SA for this private network as the SA of the IPSec tunnel between itself and device A.
After receiving this message, device B can send a route message back to device A. This message first confirms the routing information sent by device A; if there is still room in the message, device B can also use it to issue changes in its own routing information to the peer, for example the addition of a route to a private network, and then wait for the peer's confirmation information, as shown in Table 4.
Table 4 Route message returned by device B
Step s403: device A receives the route message sent by device B and sends confirmation information to device B.
Device A can send the confirmation information to device B in a response route message, as shown in Table 5:
Table 5 Route message returned by device A
The IPSec tunnel peers, device A and device B, have now completed the exchange of routes. A new routing table entry is added on device A:
Destination/Mask | Protocol | Nexthop | Interface |
---|---|---|---|
10.2.1.0/24 | IPSec | 1.2.1.1 | The SA on which this routing information was received |
A new routing table entry is added on device B:
Destination/Mask | Protocol | Nexthop | Interface |
---|---|---|---|
10.1.1.0/24 | IPSec | 1.1.1.1 | The SA on which this routing information was received |
Taking the routing table entry added on device A as an example, 10.2.1.0 is the address information and 24 is the mask information, i.e. 255.255.255.0; 1.2.1.1 is the address information of device B; and the SA on which this routing information was received is the SA of the IPSec tunnel connecting device A and device B.
Step s404: when device A sends a message outward, it first looks up the routing table, finds the SA corresponding to the destination address and uses it to encrypt and encapsulate the message, then looks up the routing table again and sends the message to the peer device corresponding to that destination address, which decrypts and forwards it.
In this embodiment, taking device A sending data to private network 2 as an example, device A first looks up the IP address in the routing table, finds the network segment address of private network 2, and encrypts and encapsulates the data using the corresponding SA; the destination address after encapsulation is the IP address of device B. Device A then finds the IP address of device B in the routing table and sends the data to device B, which decrypts the data and forwards it to private network 2.
In this embodiment, if device A's route 10.1.1.0/24 to private network 1 becomes invalid, device A sends a route withdrawal message to device B, as shown in Table 6:
Table 6 Route withdrawal message
After receiving this message, device B deletes the routing table entry corresponding to this route from its routing table and sends confirmation information to device A, as shown in Table 7:
Table 7 Confirmation message
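The Route payload and device B's table handling in steps s401 to s404, including the withdrawal, can be exercised end to end. The following is an added example, not code from the patent: the generic header and the Command and Type values come from the text above, while the field widths of the Route Payload (the tables did not survive on this page), the content of the confirmation, the SA label and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Values stated on the page.
CMD_ISSUE, CMD_CONFIRM = 0, 1
TYPE_WITHDRAW, TYPE_PUBLISH = 0, 1

# Generic payload header from the page: Next payload (1 octet), RESERVED (1),
# Payload Length (2, counts the header itself).
HEADER = struct.Struct("!BBH")
# ASSUMPTION: Table 2 is missing from the page, so these widths are chosen for
# illustration: Command (1), Type (1), IPv4 address (4), subnet mask (4).
ENTRY = struct.Struct("!BB4s4s")


def build_route_payload(entries, next_payload=0):
    """entries: iterable of (command, route_type, 'a.b.c.d/len')."""
    body = b""
    for command, route_type, prefix in entries:
        net = ipaddress.IPv4Network(prefix)
        body += ENTRY.pack(command, route_type,
                           net.network_address.packed, net.netmask.packed)
    return HEADER.pack(next_payload, 0, HEADER.size + len(body)) + body


def parse_route_payload(data):
    """Return (next_payload, [(command, route_type, IPv4Network), ...])."""
    if len(data) < HEADER.size:
        raise ValueError("truncated payload header")
    next_payload, _reserved, length = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("Payload Length disagrees with the data received")
    body = data[HEADER.size:length]
    if len(body) % ENTRY.size:
        raise ValueError("route data is not a whole number of entries")
    entries = []
    for offset in range(0, len(body), ENTRY.size):
        command, route_type, addr, mask = ENTRY.unpack_from(body, offset)
        if command not in (CMD_ISSUE, CMD_CONFIRM):
            raise ValueError("unknown Command value")
        if route_type not in (TYPE_WITHDRAW, TYPE_PUBLISH):
            raise ValueError("unknown Type value")
        # A valid mask is a run of 1 bits followed by a run of 0 bits.
        inverted = int.from_bytes(mask, "big") ^ 0xFFFFFFFF
        if inverted & (inverted + 1):
            raise ValueError("non-contiguous subnet mask")
        # The default strict mode also rejects an address with host bits set.
        net = ipaddress.IPv4Network(
            (ipaddress.IPv4Address(addr), 32 - inverted.bit_length()))
        entries.append((command, route_type, net))
    return next_payload, entries


def apply_route_message(table, entries, peer_ip, sa_id):
    """Device B's handling in step s402; returns the confirmation payload.

    table maps IPv4Network -> entry dict. ASSUMPTION: the confirmation echoes
    each entry with Command set to 1 (Tables 4 to 7 are missing from the page).
    """
    confirmations = []
    for command, route_type, net in entries:
        if command != CMD_ISSUE:
            continue  # a confirmation carries nothing to install
        if route_type == TYPE_PUBLISH:
            # Next hop is the sender; the SA is the tunnel the message used.
            table[net] = {"protocol": "IPSec", "nexthop": peer_ip, "sa": sa_id}
        elif table.get(net, {}).get("sa") == sa_id:
            # Added check (not from the page): only the SA that supplied a
            # route may withdraw it.
            del table[net]
        confirmations.append((CMD_CONFIRM, route_type, str(net)))
    return build_route_payload(confirmations)


def lookup(table, destination):
    """Longest-prefix match used in step s404 to pick the SA and next hop."""
    addr = ipaddress.IPv4Address(destination)
    matches = [net for net in table if addr in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def demo():
    """Device A issues, then withdraws, 10.1.1.0/24; returns device B's view."""
    table_b = {}
    sa = "sa-A-B"  # constructed label standing in for the tunnel's SA
    issue = build_route_payload([(CMD_ISSUE, TYPE_PUBLISH, "10.1.1.0/24")])
    confirm = apply_route_message(
        table_b, parse_route_payload(issue)[1], "1.1.1.1", sa)
    hit = lookup(table_b, "10.1.1.7")
    withdraw = build_route_payload([(CMD_ISSUE, TYPE_WITHDRAW, "10.1.1.0/24")])
    apply_route_message(table_b, parse_route_payload(withdraw)[1], "1.1.1.1", sa)
    return issue, parse_route_payload(confirm)[1], hit, dict(table_b)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The parser refuses a Payload Length that disagrees with the bytes received and a mask that is not contiguous, so a malformed route message never reaches the routing table.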
The method in this application scenario has been described using a route message in the IKE protocol format as an example. Those of ordinary skill in the art will understand that the format of the route message can be, but is not limited to, the IKE protocol format; any message format that serves the purpose of carrying routing information in the invention is applicable.
With the method provided by the invention, after the IPSec tunnel has been established successfully, the local device can send a route message carrying routing information to the peer device through the IPSec tunnel and exchange routing information with the peer device. Routes can therefore be transferred dynamically through the IPSec tunnel without changing the existing IPSec tunnel mode and without any requirement on the IP addresses of the devices at the ends of the IPSec tunnel, which improves the efficiency of dynamic route transfer over the IPSec tunnel.
The invention provides a device for obtaining dynamic routes. An IPSec tunnel is established between the device, acting as the local device, and a peer device. As shown in Figure 5, the device comprises:
Optionally, as shown in Figure 6, the packet sending unit 52 comprises:
An encryption subunit 521, used to encrypt the route message according to the security association (SA) of the IPSec tunnel;
A sending subunit 522, connected to the encryption subunit 521 and used to send the route message encrypted by the encryption subunit 521 to the peer device.
The route acquisition unit 53 comprises:
An encrypted receiving subunit 531, used to receive the encrypted route message sent by the peer device;
A decryption obtaining subunit 532, connected to the encrypted receiving subunit 531 and used to decrypt, according to the SA of the IPSec tunnel, the route message received by the encrypted receiving subunit 531 and obtain the routing information of the peer device;
A table generation subunit 533, connected to the decryption obtaining subunit 532 and used to generate a routing table that stores the routing information of the peer device obtained by the decryption obtaining subunit 532.
Optionally, as shown in Figure 7, the device provided by the invention can also comprise:
A second message generation unit 54, used to generate a second route message according to the change in the routing information when the routing information of the local device changes;
A second packet sending unit 55, connected to the second message generation unit 54 and used to send the second route message generated by the second message generation unit 54 to the peer device through the IPSec tunnel.
The device provided by the invention can also comprise:
A judging unit 57, used to judge whether the routing information of the local device changes within the delay time set by the timer 56;
When the judgment result of the judging unit 57 is that a change has occurred, the second message generation unit 54 is also used to generate a new route message according to the change in the routing information and clear the timer;
When the judgment result of the judging unit 57 is no, the second packet sending unit 55 sends the route message.
The device provided by the invention can also comprise:
A confirmation detecting unit 58, used to detect whether the confirmation information sent by the peer device is received within a preset time;
The packet sending unit 52 is also connected to the confirmation detecting unit 58 and is used to retransmit the route message to the peer device when the confirmation detecting unit 58 does not receive the confirmation information sent by the peer device within the preset time.
The second packet sending unit 55 can also be connected to the confirmation detecting unit 58 and is used to retransmit the second route message to the peer device when the confirmation detecting unit 58 does not receive the confirmation information sent by the peer device within the preset time.
With the device provided by the invention, after the IPSec tunnel has been established successfully, the local device can send a route message carrying routing information to the peer device through the IPSec tunnel and exchange routing information with the peer device. Routes can therefore be transferred dynamically through the IPSec tunnel without changing the existing IPSec tunnel mode and without any requirement on the IP addresses of the devices at the ends of the IPSec tunnel, which improves the efficiency of dynamic route transfer over the IPSec tunnel.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented in hardware, or in software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (a CD-ROM, USB flash drive, portable hard disk, etc.) and includes instructions that cause a computer device (a personal computer, a server, a network device, etc.) to carry out the methods described in the embodiments of the invention.
In short, the above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
Claims (15)
1. A method for obtaining dynamic routes, characterized in that it is applied to a local device and a peer device connected by an IPSec (Layer 3 tunnel encryption protocol) tunnel, the method comprising:
After the IPSec tunnel has been established successfully, the local device generates a route message according to the routing information of the local device;
The local device sends the route message to the peer device through the IPSec tunnel; the route message carries the routing information of the local device;
The local device receives a route message, carrying the routing information of the peer device, that the peer device sends through the IPSec tunnel, and obtains the routing information of the peer device.
2. The method of claim 1, characterized in that the local device sending the route message to the peer device through the IPSec tunnel comprises:
The local device encrypts the route message according to the security association (SA) of the IPSec tunnel;
The local device sends the encrypted route message to the peer device;
The local device receiving the route message, carrying the routing information of the peer device, that the peer device sends through the IPSec tunnel, and obtaining the routing information of the peer device, comprises:
The local device receives the encrypted route message sent by the peer device;
The local device decrypts the route message according to the SA of the IPSec tunnel and obtains the routing information of the peer device;
The local device generates a routing table and stores the obtained routing information of the peer device.
3. The method of claim 1, characterized in that it further comprises:
When the routing information of the local device changes, the local device generates a second route message according to the change in the routing information;
The local device sends the second route message to the peer device through the IPSec tunnel, so that the peer device learns of the change in the routing information of the local device from the route message and modifies the routing table of the peer device.
4. The method of claim 3, characterized in that the routing information comprises the routing information of the local device to a private network, and the change in the routing information comprises adding a route from the local device to a private network or withdrawing an existing route from the local device to a private network.
5. The method of claim 4, characterized in that, when the routing information of the local device changes, the local device generating the second route message according to the change in the routing information comprises:
When the change in the routing information is the addition of a route from the local device to a private network, the local device generates a route issue message according to the change in the routing information; the route issue message carries the address information of the private network;
When the change in the routing information is the withdrawal of an existing route from the local device to a private network, the local device generates a route withdrawal message according to the change in the routing information; the route withdrawal message carries the address information of the private network.
6. The method of claim 5, characterized in that the local device sending the second route message to the peer device through the IPSec tunnel, so that the peer device learns of the change in the routing information of the local device from the route message and modifies the routing table, comprises:
When the peer device receives the route withdrawal message sent by the local device, it deletes from the routing table, according to the address information of the private network carried in the route withdrawal message, the routing table entry whose destination address is the address information of the private network;
When the peer device receives the route issue message sent by the local device, it adds to the routing table, according to the address information of the private network carried in the route issue message, a routing table entry whose destination address is the address information of the private network.
7. The method of claim 6, characterized in that the routing table entry comprises the address information of the private network, the address information of the local device corresponding to the address information of the private network, and the security association (SA) of the IPSec tunnel connecting the peer device and the local device.
8. The method of claim 3, characterized in that, before the local device sends the second route message to the peer device through the IPSec tunnel, the method further comprises:
The local device sets a timer and presets a delay time;
The local device caches the second route message, starts the timer, and judges whether the routing information of the local device changes within the delay time;
When the judgment result is that a change has occurred, the local device generates a new route message according to the change in the routing information and clears the timer;
When the judgment result is no, execution continues.
9. The method of claim 1, characterized in that, after the local device sends the route message to the peer device through the IPSec tunnel, the method further comprises:
The local device detects whether the confirmation information sent by the peer device is received within a preset time;
If the detection result is no, the local device retransmits the route message to the peer device.
10. The method of claim 3, characterized in that the route message and the second route message are IKE protocol message bodies.
11. A device for obtaining dynamic routes, characterized in that an IPSec tunnel is established between the device, acting as a local device, and a peer device, the device comprising:
A message generation unit, used to generate a route message according to the routing information of the local device after the IPSec tunnel has been established successfully;
A packet sending unit, connected to the message generation unit and used to send the route message generated by the message generation unit to the peer device through the IPSec tunnel; the route message carries the routing information of the local device;
A route acquisition unit, used to receive a route message, carrying the routing information of the peer device, that the peer device sends through the IPSec tunnel, and to obtain the routing information of the peer device.
12. The device of claim 11, characterized in that the packet sending unit comprises:
An encryption subunit, used to encrypt the route message according to the security association (SA) of the IPSec tunnel;
A sending subunit, connected to the encryption subunit and used to send the route message encrypted by the encryption subunit to the peer device;
The route acquisition unit comprises:
An encrypted receiving subunit, used to receive the encrypted route message sent by the peer device;
A decryption obtaining subunit, connected to the encrypted receiving subunit and used to decrypt, according to the SA of the IPSec tunnel, the route message received by the encrypted receiving subunit and obtain the routing information of the peer device;
A table generation subunit, connected to the decryption obtaining subunit and used to generate a routing table that stores the routing information of the peer device obtained by the decryption obtaining subunit.
13. The device of claim 11, characterized in that it further comprises:
A second message generation unit, used to generate a second route message according to the change in the routing information when the routing information of the local device changes;
A second packet sending unit, connected to the second message generation unit and used to send the second route message generated by the second message generation unit to the peer device through the IPSec tunnel.
14. The device of claim 13, characterized in that it further comprises:
A timer, used to preset a delay time;
A judging unit, used to judge whether the routing information of the local device changes within the delay time set by the timer;
When the judgment result of the judging unit is that a change has occurred, the second message generation unit is also used to generate a new route message according to the change in the routing information and clear the timer;
When the judgment result of the judging unit is no, execution continues.
15. The device of claim 11, characterized in that it further comprises:
A confirmation detecting unit, used to detect whether the confirmation information sent by the peer device is received within a preset time;
The packet sending unit is also connected to the confirmation detecting unit and is used to retransmit the route message to the peer device when the confirmation detecting unit does not receive the confirmation information sent by the peer device within the preset time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2009101300500A CN101510889A (en) | 2009-04-03 | 2009-04-03 | Method and equipment for obtaining dynamic route |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101510889A true CN101510889A (en) | 2009-08-19 |
Family
ID=41003152
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2009101300500A Pending CN101510889A (en) | 2009-04-03 | 2009-04-03 | Method and equipment for obtaining dynamic route |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101510889A (en) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101510889A (en) | | Method and equipment for obtaining dynamic route |
JP4707992B2 (en) | | Encrypted communication system |
JP4823359B2 (en) | | Sending management traffic over multihop mesh networks |
CN101499972B (en) | | IP security packet forwarding method and apparatus |
EP1495621B1 (en) | | Security transmission protocol for a mobility ip network |
US8179890B2 (en) | | Mobile IP over VPN communication protocol |
US8838972B2 (en) | | Exchange of key material |
KR100739781B1 (en) | | Method and apparatus for transmitting message to each of wireless device groups |
CN101305541B (en) | | Technique for maintaining secure network connections |
CN109981820B (en) | | Message forwarding method and device |
CN101572644B (en) | | Data encapsulation method and equipment thereof |
JP2004056762A (en) | | Wireless communication method and equipment, communication control program and controller, key management program, wireless lan system, and recording medium |
CN113852552A (en) | | Network communication method, system and storage medium |
JP2013506388A (en) | | Efficient NEMO security with IBE |
JP2011176395A (en) | | IPsec COMMUNICATION METHOD AND IPsec COMMUNICATION SYSTEM |
JP2007036641A (en) | | Home agent device, and communication system |
JP4305087B2 (en) | | Communication network system and security automatic setting method thereof |
CN110650476B (en) | | Management frame encryption and decryption |
JP2005244379A (en) | | Vpn system, vpn apparatus, and encryption key distribution method used for them |
US20100303233A1 (en) | | Packet transmitting and receiving apparatus and packet transmitting and receiving method |
JP3979390B2 (en) | | Mobile router device and home agent device |
KR101329968B1 (en) | | Method and system for determining security policy among ipsec vpn devices |
WO2019165235A1 (en) | | Secure encrypted network tunnels using osi layer 2 protocol |
CN109361684B (en) | | Dynamic encryption method and system for VXLAN tunnel |
JP2005184322A (en) | | Multi-hop communication method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C12 | Rejection of a patent application after its publication | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20090819 |