United States Patent: (75) Inventors: Mitsuaki Kakemizu, Kawasaki (JP)

USOO7068640B2
(12) United States Patent (10) Patent No.: US 7,068,640 B2

Kakemizu et al. (45) Date of Patent: Jun. 27, 2006
(54) VPN SYSTEM IN MOBILE IP NETWORK, FOREIGN PATENT DOCUMENTS
AND METHOD OF SETTING VPN
EP 1 124 396 8, 2001
(75) Inventors: Mitsuaki Kakemizu, Kawasaki (JP); OTHER PUBLICATIONS
Shinya Yamamura, Fukuoka (JP); Perkins, Charlie. “Mobile IP and Security Issue: An Over
Yoichiro Igarashi, Kawasaki (JP);
Kazunori Murata, Fukuoka (JP); view”. IEEE. 1999. pp. 131-148.*
Masaaki Wakamoto, Kawasaki (JP) Glass et al. “Mobile IP Authentication, Authorization, and
Accounting Requirements' draft-ietf-mobileip-aa-reqS-00.
(73) Assignee: Fujitsu Limited, Kawasaki (JP) txt. Oct. 5, 1999. pp. 1-21.*
European Search Report dated Aug. 5, 2004.
(*) Notice: Subject to any disclaimer, the term of this (Continued)
patent is extended or adjusted under 35
U.S.C. 154(b) by 803 days. Primary Examiner Derrick Ferris
(74) Attorney, Agent, or Firm Katten Muchin Rosenman
(21) Appl. No.: 09/801,557 LLP
(22) Filed: Mar. 8, 2001 (57) ABSTRACT

(65) Prior Publication Data Linked with a position registration procedure in a mobile IP,
the invention provides a VPN setting service using an IP
US 2002fOO1845.6 A1 Feb. 14, 2002 Sec. tunnel between optional terminals without requiring
these terminals to have a specific VPN function. This service
(30) Foreign Application Priority Data is provided by a mobile terminal, authentication servers, a
VPN database, and network apparatuses. A home authenti
Jul. 26, 2000 (JP) ............................. 2000-225857 cation server extracts from the VPN database the VPN
information of a user who has requested the authentication
(51) Int. Cl. at the time of making a position registration request from the
HD4L 29/06 (2006.01) mobile terminal. The home authentication server then posts
H04L 2/46 (2006.01) the VPN information to each network apparatus using a
(52) U.S. Cl. ....................................... 370/349; 370/401 predetermined position registration message and an authen
(58) Field of Classification Search ................ 370/310, tication response message. Based on the posted VPN infor
370/328,329, 331, 437, 349,401; 709/227, mation, the network apparatuses set a VPN path by the IP
709/228; 455/422.1,432.1, 433,435.1 Sec. to between a home network apparatus and an external
See application file for complete search history. network apparatus, between the home network apparatus
and a predetermined network apparatus, and/or the external
(56) References Cited network apparatus and the predetermined network appara
tus, respectively.
U.S. PATENT DOCUMENTS
6,728,536 B1 * 4/2004 Basilier et al. .......... 455,432.1 22 Claims, 27 Drawing Sheets
WPN INFORMATION
ACCESS INFORMATION
NETWORK RIBUTION
INFORMATION
DISTRIBUTION
IP NETWORK
(SEE IP SE)
CORRESPONDENCE
-e-s AAA PROTOCOL.
-s----s- MIP PROTOCOL
----> WPNSLA
mo DYNAMIC WPN TUNNEL
as STATIONARY WPTUNNE
Ol SECURITY GUARANTEED
Of NETWORK
SECURITY
O NONGARANTEED
NETORK
US 7,068,640 B2
Page 2
OTHER PUBLICATIONS Mitsuaki Kakemizu et al. Unified IP Service Control Archi

Atsushi Inoue, et al. IP Layer Security and Mobility Support tecture Based on Mobile Communication Scheme. Fujitsu
Design Policy and an Implementation. XVI World Telecom Scientific and Technical Journal Jun. 2001 pp. 81-86.
Congress Proceedings Sep. 21, 1997 pp. 571-577. Mooi Choo Chuah et al. Mobile Virtual Private Dial-up
Mitsuaki Kakemizu et al. Unified IP Service Control Archi Services. Bell Labs Technical Journal. Jul.-Sep. 1999 pp.
51-72.
tecture Based on Mobile Communication Scheme. The
U.S. Appl. No. 09/672,866, Fujitsu Ltd.
Institute of Electronics, Information and Communication
Engineers Nov. 1999 pp. 19-24. * cited by examiner
U.S. Patent Jun. 27, 2006 Sheet 3 of 27 US 7,068,640 B2
WPN
AAAF AAAH DATABASE
AAA PROTOCOL. AAA PROTOCOL . . 34
CONTROL SECTION CONTROL SECTION | DATABASE
SEARCH
AAAWPN AAAWPN PROTOCOL.
CONTROL SECTION CONTROL SECTION
FOREIGN HOME AGENT

AGENT (FA) (HA)
MA PROTOCOL
CONTROL SECTION
MAVPN CONTROL
SECTION
PROXY CN (PCN)
MA PROTOCOL.
CONTROL SECTION
<-e AAA PROTOCOL MAWPN CONTROL
-e---> MIP PROTOCOL SECTION
COMMUNICATION
TERMINAL (CN)
U.S. Patent Jun. 27, 2006 Sheet 7 Of 27 US 7,068,640 B2
Fig. 7
SESSION WPN INFORMATION CACHE INSTANCE 1
ID WPN INFORMATION CACHE INSTANCE 2
--
WPN INFORMATION CACHE INSTANCE in
WPN INFORMATION PROFILE n

Fig.8
ADDRESS INSTANCE 1
CN ADDRESS/ ADDRESS INSTANCE 2
NET MASK
ADDRESS INSTANCE in
CN ADDRESS/NET MASK
GW ADDRESS
GW TYPE
Fig.9
AAA PROTOCOL CONTROL S1 OO

SECTION
Fig.10
S101
OTHERS
AAAWPN CONTROL
SECTION
S103 SET WPN INFORMATION

CACHE
S104. EDIT CORRESPONDING

MESSAGE
Fig.11
MESSAGE AAA MESSAGE
AAAH HAR
READ VPN INFORMATION CORRESPONDINGS105

TO NAI FROM WPNDB
VPN PATH DETERMINATION S1 O6

CONTROL SECTION
S107
DEFAULT
INDIVIDUAL
KEY GENERATOR -S108
END
Fig.13
EXTRACT WPNGW ADDRESS AT MNSIDE

S109 FROM AMR REQUEST ORIGINATING
HOST ADDRESS
S11 O
EXTRACT WPNGW ADDRESS AT CNSIDE
FROM CN-GW CORRESPONDENCE TABLE
DYNAMIC VPN SETTING S111
NOT POSSIBLE
DYNAMIC VPN SETTING

POSSIBLE
SET PATH AT GW AS S112
FA-HA-CN. SIDE SET PATH AS FA-PCN
U.S. Patent Jun. 27, 2006 Sheet 13 Of 27 US 7,068,640 B2
Fig.15
TRANSMISSION
RISETING IPSec, INFORMATION INSTANCE 1
DESTINATION IPSec, INFORMATION
INFORMATION INSTANCE 22
ABRESS --
IPSec. INFORMATION INSTANCE in
TRANSMISSION ORIGINATING ADDRESS/NET MASK

DESTINATION ADDRESS/NET MASK
ACTUAL DESTINATION ADDRESS
TUNNEL IDENTIFIER
ESP IDENTIFIER
ESP INFORMATION INSTANCE
ESP IDENTIFIER ESP INFORMATION INSTANCE 2
ESP INFORMATION INSTANCE in
ESP IDENTIFIER
ENCAPSULATION METHOD
DIRECTION
AH AUTHENTICATION KEY LENGTH
ESP AUTHENTICATION KEY LENGTH
ESP ENCRYPTION KEY LENGTH
AH AUTHENTICATION KEY
ESP AUTHENTICATION KEY
ESP ENCRYPTION KEY
TUNNEL INFORMATION INSTANCE 1
TUNNEL TUNNEL INFORMATION INSTANCE 2
IDENTIFIER
TUNNEL INFORMATION INSTANCE in
TUNNEL IDENTIFIER
ENCAPSULATION METHOD
DIRECTION
TRANSMISSION ORIGINATING ADDRESS
DESTINATION ADDRESS
ROUTE INFORMATION 1
DESTINATION ROUTE INFORMATION 2
ADDRESS
FF
ROUTE INFORMATION n
U.S. Patent US 7,068,640 B2
fil
Al -X-HTOIMNHEA
Fig.18
START
MOBILE IP S2O 5
PROTOCOL. PROTOCOL
AAA PROTOCOL.
AAA PROTOCOL PROCESSING S2O6
SECTION
MOBILE IP PROTOCOL PROCESSING

SECTION
Fig.19
SET WPN INFORMATION S208

CACHE
EXTRACT MOBILE IP S209

PROTOCOL.
OTHERS
SEND HAA MESSAGE S211

Fig.21
RECEPTION TRANSMISSION
MESSAGE PROCESSING MA MESSAGE
REGISTRATION FA REGISTRATION
REQUEST RESPONSE
REGISTRATION
HA
FA
eu
REGISTRATION
RESPONSE RESPONSE
REGISTRATION
Fig.23
DELETE Diff-Serve INFORMATION

FROM NETWORK KERNEL
ABSENT
PRESENT
SET Diff-Serve INFORMATION
TO NETWORK KERNEL
S225
Fig.24
DELETE IPSec. INFORMATION S226

FROM ROUTE TABLE
SET OUTPUT DESTINATION OF S227

ROUTE TABLE AT DESTINATION
ADDRESS TO WIRTUAL DEVICE
SET TUNNEL INFORMATION TO S228

IPSec, INFORMATION TABLE
S229
ABSENT
PRESENT
S230
USER INDIVIDUAL
SET SPI INFORMATION TO ESP S231
INFORMATION TABLE OF IPSec.
INFORMATION TABLE
SET ESP INFORMATION TO

IPSec. EXPANSION TABLE OF -S232
IPSec. INFORMATION TABLE
END
H(dj.IN0GS-LIWOH
4
Z
?IGIT SHOW ™IN} {0MJ
S 50 V JXOHEOGIMN
U.S. Patent US 7,068,640 B2
61–
?NIWOH
US 7,068,640 B2
1. 2
VPN SYSTEM IN MOBILE IP NETWORK, normal network. Therefore, various systems for reinforcing
AND METHOD OF SETTING VPN the security are employed including the IPSec.
In the example shown in FIG. 1, an IP Sec. tunnel 6
BACKGROUND OF THE INVENTION substitutes for an IP-IP tunnel set between a mobile agent 21
(a foreign agent, FA) in a network 2 to which a user 1 (MN:
Field of the Invention Mobile Node) prescribed by the mobile IP has accessed and
a mobile agent 31 (a home agent, HA) in a user's home
In recent years, along the wide distribution of the Internet, network 3. In this case, it is necessary that VPN information
there has been an increase trend that enterprises attempt to to be used in the IP Sec. is set in advance to the mobile
decrease their communication costs by replacing their exclu 10 agents 21 and 31 respectively.
sive communication lines with a virtual path (VPN: virtual A dynamic provision of an IP Sec. tunnel 7 is also
private network) on the Internet. Reinforcing the security on included in the above proposals. However, this is a system
the Internet is essential in realizing electronic commercial that depends on an automatic key exchange (IKE) between
transactions. As a method of realizing this requirement, the mobile terminal 1 and the mobile agents 21 and 31. This
attention has been focused on the IP Security Protocol 15 system also requires a separate provision of the IPSec. using
(hereinafter to be abbreviated as the IP Sec.). an automatic key exchange (IKE) in a communication
In the mean time, with the full-scale introduction of destination host 52 (CN: Correspondent Node). In this case,
IMT-2000 near at hand, the Internet environment has already it is further necessary to change the mobile IP
started to shift toward the mobile environment. The intro In general, a VPN refers to a virtual path of a user
duction of the mobile environment into the Internet provided in the Internet using the IP Sec., the MPLS, or
increases the convenience of the users of the Internet. others. A VPN has no linkage with another Internet tech
However, this also involves an increasing risk of weakening nique, for example, a differentiated service by a user unit. As
the security of the Internet. Therefore, there has been a high a result, the service quality guarantee of the VPN is carried
demand for a provision of a framework that protects security 25
out based on a Sufficient allocation of network resources and
in the mobile environment. a uniform priority control. Such as, for example, a simple
In the IMT-2000, there have also been made many pro priority control using a protocol number of the IP Sec.
posals on the system that combines the IPSec. with the IP protocol as a filtering condition.
Mobility Support (hereinafter to be referred to as the Mobile According to the above-describe system, all the terminals
IP) prescribed in RFC202 that is a basis of the core net 30
participating in the communications need to be provided
architecture. The mobile IP (Mobile Internet Protocol) is a with the IP Sec. Therefore, there is little meaning in pro
technique for automatically carrying out the IP address viding the IPSec. service as the network. Further, there has
management and automatically transferring the communi been a problem that a network service with improved user
cation packet to a move destination of a terminal when the convenience by freely combining the security service with
terminal has moved from one IP network to another IP
35
the service quality guarantee cannot be provided to the
network. An agent function for executing the transfer of an terminals including existing terminals not equipped with the
address is provided in a router so that the router can manage IP Sec.
both the home address of a terminal as its “registered
original address' and a “care-of-address' as a current SUMMARY OF THE INVENTION
address of the terminal. When the terminal has moved from
40
one network to another network, the terminal registers a new It is, therefore, an object of the present invention to
care-of-address in the router of the network in which the provide a VPN setting service that enables the communica
home address exists. Based on a tunneling technique of this tions in the mobile IP to be carried out by using a safe
arrangement, it becomes possible for this terminal to receive communication path. Linked with a position registration
a message sent to the terminal home address from a person 45 procedure in the mobile IP, it is another object of the present
who does not know the movements of the terminal. invention to provide a VPN setting service to the commu
However, the above proposals are based on the assump nication between optional terminals without requiring the
tion that the end user terminal has the IP Sec. function, as mobile terminals and the communication terminals to have
these techniques do not guarantee the complete security on a specific VPN function. This is achieved by dynamically
the communication path, that is, between the home agent 50 setting a VPN of the IPSec. to a security gateway, for the
and the communication terminal. According to the above terminals participating in communications, connecting to a
proposals, all the terminals participating in the communica public IP network. With this arrangement, the VPN service
tions need to be equipped with the IPSec. This requirement with improved user convenience is provided. As a result, it
is not sufficient as a framework to protect the security in the becomes possible to differentiate service providers that
mobile environment. Therefore, there is little meaning in 55 provide the VPN service.
linking the mobile IP with the IP Sec. More specifically, the present invention has the following
objects.
DESCRIPTION OF THE RELATED ART 1) To provide the VPN setting service to between optional
terminals without requiring the MN 1 and the CNs 42 and 52
FIG. 1 shows one example of a structure of a network to 60 to have a specific VPN function. This service is provided by
which the linkage of the mobile IP with the IP Sec. dynamically setting a VPN of the IP Sec. to the security
according to the existing proposals, has been applied. gateways 21 and 31 of the terminals participating in com
This structure employs both the mobile IP that has been munications, connecting to the public IP network, linked
proposed by RFC2002 as the IP architecture for supporting with a position registration procedure in the mobile IP
the mobile environment, and the IPSec. as the architecture 65 2) To make it possible to set a VPN with the service
for realizing the security on the Internet. From the nature of quality, the security level, and the route, assigned by users
the mobile IP, it has weak security as compared with the based on a free combination.
US 7,068,640 B2
3 4
3) To make it possible to automatically update a VPN path destination posted by the Binding update message. The PCN
along with a move of the MN 1. of the present invention has both the security gateway
FIG. 2 shows an example of a structure of a network based function of the IP Sec. and the edge router function of a
on the present invention in comparison with the structure differentiated service. The PCN analyzes the VPN informa
shown in FIG. 1. Linked with a position registration proce tion posted by the MIP protocol, and sets a differentiated
dure in the mobile IP, this provides a VPN setting service to service to the network kernel and sets a tunnel at the
an optional terminal 1 and hosts 32 to 52 having commu assigned security level based on the analyzed VPN infor
nications. This is achieved by dynamically setting a VPN of mation.
the IP Sec. to security gateways 21 to 51 connecting to According to the present invention, the user authentica
public IP networks 2 to 5. 10 tion server and network apparatuses constitute the IP net
FIG. 3 shows an example of a functional block structure work that supports the mobile environment. When there has
of the present invention. been an initial position registration request (an authentica
Terms that are used hereinafter will be briefly explained tion request) from the terminal 1, the authentication server
below. MIP (Mobile IP) is the mobile IP protocol prescribed (AAAH) extracts the VPN information of the user who has
by the RFC2002 in all the future expansions. AAA protocol 15 requested the authentication, from the VPN database. The
is a protocol used by the AAA System. In an embodiment of authentication server then posts this VPN information to the
the present invention, the use of DIAMETER protocol network apparatuses (HA, FA) using the position registra
currently under examination by the IETF is assumed. The tion message and the authentication response message. The
AAA protocol can be implemented in all the protocols network apparatuses (HA, FA) set a VPN between the HA
capable of transmitting information on authentication, and the FA based on the posted VPN information. When the
authorization, accounting, and policy. In the transmission of communication destination terminal CN exists in other
new information that is necessary in the present invention, network 4, the network apparatus (HA) further sets a VPN
an expandable attribute parameter called AVP (Attribute to the security gateway (PCN) accommodating the commu
Value Pair) defined by the DIAMETER protocol is used. The nication destination terminal assigned by the VPN informa
expanded attribute is the information on the VPN setting. 25 tion from the HA.
MN (Mobile Node) indicates a mobile terminal that has Further, the authentication server and the network appa
the mobile IP protocol function. AAA is a name used by the ratuses update the VPN information cached to the authen
IETF for servers that carry out the above-described authen tication server and the network apparatuses linked to the
tication, authorization, and accounting. AAAH is the AAA position registration request based on the move of the
of a network that has subscriber data of an authentication 30 mobile terminal 1, into new path information. The authen
requesting user, and AAAF is the AAA of a network that tication server and the network apparatuses further rewrite
does not have subscriber data of the user. In addition to the the VPN information based on the position information
above-described functions, the AAA of the present invention posted by the mobile IP. As a result, a new IPSec. tunnel is
has the following functions. The AAA extracts VPN infor set dynamically between the new FA and the HA and
mation of an authentication-requesting user from the VPN 35 between the PCN and the new FA, and the VPN path is
database. The AAA posts the VPN information to the HA by automatically updated. Further, in order to make complete
the HA registration request message. The AAA posts the the security protection in the data packet transfer to the FA,
VPN information to the FA by an authentication response the IPSec. tunnel is also set in the binding tunnel to the FA
message via the AAAF. The AAA extracts the VPN infor at the time of a smooth-hand-off.
mation by a user unit. Further, the AAA determines a VPN 40 The authentication server (AAAH) of the present inven
path. tion has a VPN database for storing the service quality
FA (Foreign Agent) is a functional entity defined by the desired by the user, the security information between the
RFC2002, and is an agent not owning a home address security gateways, and a correspondence table between the
allocated to a mobile terminal. The FA decapsulates an VPN information by a user unit consisting of the IP
encapsulated packet transmitted to a care-of-address that is 45 addresses of the communication destination hosts (CN) for
an address of the own node, and transfers the decapsulated setting a VPN and the security gateway (VPNGW) for
packet to a link layer address corresponding to the home accommodating the communication destination host, an
address. A table called a visitor list manages this address AAAVPN control section for specifying a VPN setting path
correspondence. The FA of the present invention has both based on a security gateway (FA) address of the access
the security gateway function of the IP Sec. and the edge 50 network 2 to which the mobile terminal set in the authen
router function of a differentiated service. tication request message has been connected, a security
HA (Home Agent) is a functional entity defined by the gateway address (HA) of the home network 3 of the mobile
RFC2002, and is an agent owning a home address allocated terminal, and a security gateway (PCN: Proxy CN) address
to a mobile terminal. A packet transferred to the HA with a for accommodating the communication destination host
home address of a mobile terminal as a transmission desti 55 (CN) set in the user correspondence VPN information and
nation is encapsulated and transmitted to a care-of-address the communication destination host extracted from the cor
of the FA corresponding to the home address. A table called respondence table, and an AAA protocol processing section
a mobility binding manages this address correspondence. for setting the service quality and the security information
The HA of the present invention has both the security between the security gateways as a service profile, to the
gateway function of the IPSec. and the edge router function 60 authentication response message to the access network and
of a differentiated service. the position-registration message to the home network.
PCN (Proxy Correspondent Node) is a functional entity Further, the network apparatuses (HA, FA, PCN) consist
prescribed in Japanese Patent No. 2000-32372. On behalf of ing of the security gateways of the present invention have an
a communication node (CN: Correspondent Node) that does MA (Mobility Agent) protocol processing section for under
not support the mobile IP under the management, the PCN 65 standing the service profile file set with the VPN informa
receives a Binding update message transmitted to this CN tion, the RFC2002 and other relevant expansion protocols,
from the HA. The PCN then sets a binding tunnel to a and an MAVPN control section for setting the QoS control
US 7,068,640 B2
5 6
for guaranteeing the service quality according to the posted FIG. 13 is a diagram showing an example of a processing
service profile and a tunnel for guaranteeing the security flow of a VPN path determination control section.
between the security gateways. FIG. 14 is a diagram showing an example of a detailed
The MA protocol processing section in PCN also carries functional block structure of the MA (FA, HA, PCN).
out a protocol processing of receiving, on behalf of the CN FIG. 15 is a diagram showing an example of a structure
not supporting the mobile IP under the management, a of an IPSec. information table.
Binding update message sent from the HA to this CN, and FIG. 16 is a diagram showing an example of a structure
setting, on behalf of the CN, the binding tunnel to the FA by of a route table.
using the IPSec. tunnel, based on the service profile set with FIG. 17 is a diagram showing an example of a total
the VPN information posted by the Binding update message. 10 processing flow of the MA.
When the security protection has been requested by the FIG. 18 is a diagram showing an example of a processing
service profile at the time of setting the tunnel, the MAVPN flow of an MA protocol processing section.
control section of the network apparatus (HA) in the home FIG. 19 is a diagram showing an example of a processing
network 3 of the mobile terminal (MN) 1 sets the IP Sec. flow of an AAA protocol processing section.
tunnel in place of the normal IP-IP tunnel as the tunnel 15 FIG. 20 is a diagram showing an example of a processing
directed from the HA prescribed by the RFC2002 to the flow of a mobile IP protocol processing section.
network apparatus (FA) in the external network 2 that is the FIG. 21 is a diagram showing a message correspondence
current connection point of the mobile terminal. In the mean table in FIG. 20.
time, when the security protection has been requested by the FIG. 22 is a diagram showing an example of a processing
service profile, the MAVPN control section at the FA side flow of an MAVPN control Section.
sets the IPSec tunnel in place of the IP-IP tunnel as the FIG. 23 is a diagram showing an example of a processing
tunnel (usually called a reverse tunnel) from the FA to the flow of a QoS control section.
HA. FIG. 24 is a diagram showing an example of a processing
As described above, according to the present invention, flow of a tunnel control section.
linked with the position registration procedure in the mobile 25 FIG. 25 is a diagram showing a second embodiment.
IP, a VPN using the IP Sec. can be set dynamically to the FIG. 26 is a diagram showing a third embodiment.
security gateways of the terminals participating in commu FIG. 27 is a diagram showing a fourth embodiment.
nications, connecting to the public IP network. Therefore, it FIG. 28 is a diagram showing a fifth embodiment.
is possible to provide the VPN setting service between FIG. 29 is a diagram showing a sixth embodiment.
optional mobile terminals (MN) and communication desti 30 FIG. 30 is a diagram showing a seventh embodiment.
nation hosts (CN) without requiring the terminals and the DETAILED DESCRIPTION OF THE
hosts to have a specific VPN function. Further, as the VPN PREFERRED EMBODIMENTS
setting service can be provided at the network side, the users
can assign service quality, a security level, and a path based
on a free combination of these items by the users. 35 FIG. 4 shows a first embodiment of the present invention.
This shows an example of a setting of a VPN (when a
BRIEF DESCRIPTION OF THE DRAWINGS VPN exists between a stationary HA and a CN) at the time
of an initial position registration. This assumes a case where
The present invention will be more clearly understood a certain user has made a contract with an ISP (Internet
from the description as set forth below with reference to the 40 Service Provider) providing a VPN service that the user can
accompanying drawings. receive an automatic VPN setting service when the user
FIG. 1 is a diagram showing an example of an application makes access to the user's company through a public
of the mobile IP plus the IP Sec. according to existing network. To facilitate the understanding of the present
proposals. invention, a further detailed structure and operation of each
FIG. 2 is a diagram showing an example of a structure of 45 functional block of the present invention shown in FIG. 3
a network according to the present invention. will be explained below where necessary in the explanation
FIG. 3 is a diagram showing an example of a functional of the present embodiment.
block structure relating to the present invention. In FIG. 4, a user 1 who wants the above service first
FIG. 4 is a diagram showing a first embodiment of the makes a VPN contract (SLA: Service Level Agreement)
present invention. 50 with an enterprise 5 and a home ISP3 (CD). The contract
FIG. 5 is a diagram showing an example of a structure of covers an SPI (Security Parameter Index) and keys to be
a VPN database. used, the service quality, and a list of users that can utilize
FIG. 6 is a diagram showing an example of a detailed this VPN. Based on this SLA, the enterprise sets VPN
functional block structure of the AAA. information of a HA31 of the ISP3 to a VPNGW apparatus
FIG. 7 is a diagram showing an example of a structure of 55 51 of the own enterprise. The ISP sets a domain address of
a VPN information cache. this enterprise, SPI and the keys to a VPN database of the
user indicated to the enterprise. Further, the ISP registers the
FIG. 8 is a diagram showing a CN-GW address corre domain address of the enterprise and the address of the
spondence table. VPNGW apparatus 51 in a CN-GW correspondence table as
FIG. 9 is a diagram showing an example of a total 60 VPN information 35, and also sets the inability of dynamic
processing flow of the AAA. setting of a VPN to a GW type.
FIG. 10 is a diagram showing an example of a processing FIG. 5 shows an example of a structure of the VPN
flow of an AAA protocol processing section. database used in the present invention.
FIG. 11 is a diagram showing a message correspondence A VPN database 34 is a set of VPN data instances 1 to n
table in FIG. 10. 65 that have been set by users. Each instance corresponds to
FIG. 12 is a diagram showing an example of a processing one VPN. Each VPN data instance consists of a Profile
flow of an AAAVPN control section. Number that is an identifier for uniquely expressing this
US 7,068,640 B2
7 8
VPN information, a Network Access Identifier of the user Each of the VPN information profiles 1 to n consists of a
(NAI), a VPN share indicator (vpnshare) that expresses profile number as an identifier for uniquely identifying a
whether a security relationship shared between the security VPN, an IP address of a transmitter and an IP address of a
gateways is to be used or a user own security relationship is destination for specifying a packet to which a VPN is
to be used, an IP address of a communication destination applied, a transmitter net mask and a destination net mask,
terminal (destaddr), a QoS class in an upward direction a TOS value to be set to the packet, a security type for
(upclass), a QoS in a downward direction (downclass), an showing whether the IP Sec. is to be set by the AH, the ESP
upward SPI to be used by the IP Sec. (upSPI), and a or by only encapsulation, a transmitter gateway address and
downward SPI to be used by the IP Sec. (downSPI). a destination gateway address that are an entrance and an
When Zero (0) has been set to the VPN share indicator, it 10 exist of the IP Sec. tunnel referred to by the IP Sec. tunnel
is possible to omit the upclass, the downclass, the upSPI, and mode, a destination gateway address type for showing
the downSPI. This database is searched using the user NAI, whether a VPN can be set dynamically to the destination
and all the searched instances are recorded and added with gateway or not, an upward SPI (Security Parameter Index)
the address information into a VPN information cache to be and a downward SPI as identifiers of the security, an upward
described later. The database search protocol used for 15 ESP encryption key and a downward ESP encryption key,
searching data depends on the product of the database that and an upward authentication key and a downward authen
packages the VPN database. Usually, the LDAP (Light tication key.
Directory Access Protocol) and the SQL are used. FIG. 8 to The VPN path determination control section 313 has a
be described later shows the CN-GW correspondence table CN-GW address correspondence table 314. FIG. 8 shows an
of the VPN information 35. example of the CN-GW address correspondence table. The
Next, the user 1 connects to an optional access point of an CN-GW address correspondence table consists of address
ISP2 that has a roaming contract with the home ISP3 with instances 1 to n, each including a CN address/net mask, a
whom the enterprise has contracted, and the user 1 transmits GWaddress, and a GW type. This table is searched using the
a position registration request (Reg Req) of the mobile IP CN address/net mask (an enterprise domain address) as a
(C2)). As a result, the user 1 can utilize the network. FA21, 25 key.
that becomes a connection point of the ISP 2 having the The application server consists of a VPN database 34, and
roaming contract, includes this registration request in an a WEB application 36. The network kernel 303 is an
authentication request message (AMR) (G)), and transmits operating system for controlling a transfer to the IP packet
this authentication request message to AAA (AAAH) 33 of and a physical interface as a connection point to the network.
the home ISP 3 of the user via an AAA sever (AAAF) 23 30 The physical network device interface 304 is an interface (a
within the own ISP. hardware control driver) to a physical network device, and
The AAAH searches the VPN database 34 by the NAI is usually a NIC card of a LAN.
included in the authentication request message (AMR), and FIG. 9 to FIG. 13 show examples of a processing flow of
extracts the VPN information 35 own to this user. From the the AAA.
CN-GW address correspondence table, it can be known that 35 FIG. 9 shows an example of a total processing of the
it is not possible to dynamically set a VPN to the domain AAA. When the network kernel 303 has received a packet
address of the enterprise assigned as the communication from the physical network interface 304, the network kernel
destination in the VPN database. Therefore, the AAAH sets 303 selects an AAA signaling packet based on a port
two VPNs including a VPN between the FA and the HA and number, and delivers the information of the received packet
a VPN between the HA and the enterprise GW to a VPN 40 to the AAA protocol control section 301 (S100). FIG. 10
information cache to be described later. Next, the AAAH shows an example of a processing flow of the AAA protocol
transmits a position registration request message (HAR) processing section 311. First, the AAA protocol processing
added with the profiles of the two VPNs, to the HA (G)). section 311 makes a decision on the received message based
FIG. 6 shows an example of detailed functional blocks of on a command code AVP (an attribute parameter) of the
the AAA, and FIG. 7 to FIG. 12 show examples of their 45 received AAA protocol (S101). When the message is the
operation. authentication request message (AMR), the process pro
In FIG. 6, AAA 33 (and AAA 23) consists of an appli ceeds to step S102. When the message is an authentication
cation server 305, a network kernel 303, and physical response message (AMA) to be described later, the process
network device interface 304, in addition to the AAA proceeds to step S103. When the message is other message,
protocol control section 301, and the AAAVPN control 50 the process proceeds to step S104.
section 302, both shown in FIG. 3. The AAA protocol In the present example, the AAAVPN control section 302
control section 302 consists of an AAA protocol processing is started (S102). Next, the AAA protocol processing section
section 311 for controlling the AAA protocol. 311 sets the VPN information extracted from the VPN
The AAAVPN control Section 302 consists of a VPN database 34 to the VPN information cache (S103). Then, the
information cache 312 for caching the VPN information 55 AAA protocol processing section 311 edits the correspond
extracted from the VPN database (shown in FIG. 5), a VPN ing message according to the CN-GW correspondence table,
path determination control section 313, and a key generator for example, sets a differentiated service, and transmits a
315. FIG. 7 shows an example of the VPN information cache result (S104). A profile cache AVP to the effect that the VPN
312. The VPN information cache 312 is a set of VPN information cache has been set is set to the authentication
information cache instances 1 to n. The VPN information 60 response message (AMA) and the position registration
cache 312 is searched by using a session ID that includes request message (HAR) that are transmitted by the AAAH
unique user own information in a network effective while a 33. FIG. 11 shows a message correspondence table (a
user is making access to the network. Each of the VPN relationship among a transmission message, a reception
information cache instances 1 to n consists of a session ID message, and a processing unit of these messages) at Step
as a unique identifier, a profile number that shows a number 65 S104 shown in FIG. 10.
of VPNs set by the user, and VPN information profiles 1 to FIG. 12 shows an example of a processing flow of the
in that include set information of each VPN. AAAVPN control section 302. First, the AAAVPN control
US 7,068,640 B2
9 10
section 302 searches the VPN database 34 by the NAI of the When the AAAH33 has received the position registration
mobile terminal, and reads the corresponding VPN infor response message (HAA), the AAAH 33 extracts a VPN
mation (S105). Next, the AAAVPN control section 302 between the FA and the HA from the VPN information cache
starts the VPN path determination control section 313 312 (see S113 in FIG. 13). The AAAH33 then transmits to
(S106). When the SPI (Security Parameter Index) read from the AAAF 23 an authentication response message (AMA)
the VPN database 34 is a default SPI, the AAAVPN control added with the VPN profile to be set to the FA 21 (G6)). The
section 302 finishes the processing. When the SPI read from AAAF 23 caches the VPN information to within the AAAF
the VPN database 34 is not a default SPI, the AAAVPN 23 to follow the move within the local domain of the MN 1,
control section 302 generates a separate key with the key and transfers this VPN information to the FA 21 (reference
generator 315 (S108). 10 S101, S103 and S104 in FIG. 10).
FIG. 13 shows an example of a processing flow of the The FA 21 caches the VPN information added to the
VPN path determination control section 313. The VPN path authentication response message (AMA), and further maps
determination control section 313 extracts the address of the an assigned differentiated service. Thereafter, the FA 21 sets
VPNGW (FA) 21 at the MN 1 side from the request an IPSec. tunnel (4) from the FA 21 to the HA31. Further,
originating host address of the authentication request mes 15 the FA 21 sets the information for decoding a packet of an
sage (AMR) (S109). Further, the VPN path determination opposite-direction tunnel to the IP Sec. information table.
control section 313 searches the CN-GW address correspon Last, the FA 21 returns the registration response message
dence table 314 by the CN address read from the VPN (Reg Rep) to the MN 1 (C7)). As a result, the VPNs from the
database 34, and reads the address of the VPNGW 51 at the access point of the MN 1 to the GW 51 of the enterprise have
CN 52 side and the VPNGW type (S110). been set. Further, as a packet of a user who has not been
Next, when the VPNGW type is the one to which a VPN assigned by the enterprise is not transferred via the IPSec.
can be set dynamically, the process proceeds to step S112. tunnel, it is possible to prevent an unauthorized user from
When the VPNGW type is the one to which a VPN cannot making an illegal access to the enterprise. It is also possible
be set dynamically, the process proceeds to step S113. In the to avoid making a troublesome contract with a plurality of
present example, the processing at Step S113 is carried out. 25 ISPs and SLAS.
The VPN path determination control section 313 sets the FIG. 14 shows detailed functional blocks of the MA (FA,
address of the HA 31 to the transmission originating GW HA, PCN), and FIG. 15 to FIG. 24 show examples of
address of the VPN information posted to the HA 31, and operations.
sets the address of the GW 51 read from the CN-GW address In FIG. 14, each network apparatus of the FA, the HA and
correspondence table 314 to the destination GW address. 30 the PCN consists of an MA protocol control section 321, an
Further, the VPN path determination control section 313 sets MAVPN control section 322, a network kernel 323, and a
the address of the FA 21 to the transmission originating GW physical network device interface 324. The MA protocol
address of the VPN information to be posted to the FA 21, control section 321 consists of an AAA protocol processing
and sets the address of the HA 31 to the destination GW section 331 for controlling the AAA protocol, and a mobile
address HA 31. Then, the VPN path determination control 35 IP protocol processing section 332 for controlling the mobile
section 313 finishes the processing (sets a path to the FA, the IP. The MAVPN control Section 322 consists of a VPN
HA and the CN). information cache 333 for caching the VPN information
In the mean time, when the VPNGW type is the one to posted by the AAA or the MIP protocol, a QoS control
which a VPN can be set dynamically, the VPN path deter section 334, and a tunnel control section 335.
mination control section 313 sets the address of the FA 21 to 40 The VPN information cache 333 has a similar structure to
the destination GW address of the VPN information posted that explained with reference to FIG. 7. The QoS control
to the HA 31, and sets the address of the GW 51 read from section 334 sets to the network kernel 323 filter, information
the CN-GW address correspondence table 314 to the desti consisting of a TOS value set to the VPN information cache
nation GW address. Further, the VPN path determination 333, a transmission originating address and a destination
control section 313 sets the address of the FA 21 to the 45 address for identifying a packet that marks the TOS value,
transmission originating GW address of the VPN informa and their net masks. The tunnel control section 335 rewrites
tion to be posted to the FA 21, and sets the address of the GW an output device of a route table 337 to a virtual device in
51 read from the CN-GW address correspondence table to a destination IP address that has been set in the VPN
the destination GW address. Then, the VPN path determi information cache 333. Further, the tunnel control section
nation control section 313 finishes the processing (sets a 50 335 sets to an IPSec. information table 336, a transmission
path to between the FA and the CN (or the PCN)). originating IP address and a destination IP address, their net
Referring back to FIG. 4, the HA 31 caches the VPN masks, a security type, a transmission originating gateway
information added to the position registration request mes address and a destination gateway address, an upward SPI
sage (HAR) that has been received from the AAAH33, and and a downward SPI as identifiers of the security, an upward
further maps an assigned differentiated service. Thereafter, 55 ESP encryption key and a downward ESP encryption key,
the HA31 sets an IP Sec. tunnel (2) from the HA31 to the and an ESP authentication key. The tunnel control section
enterprise GW 51, and sets an IPSec. tunnel (3) from the HA 335 encrypts and encapsulates a packet output from the
31 to the FA 21, based on the path information received. network kernel 323 to the virtual device, by referring to the
Further, the HA 31 sets the information for decoding a IP Sec. information table 336.
packet of an opposite-direction tunnel to an IP Sec. infor 60 FIG. 15 shows an example of the IPSec. information table
mation table to be described later. As the IP Sec. tunnel (1) 333. The IP Sec. information table consists of IP Sec.
from the GW 51 at the enterprise side to the HA31 has information, ESP information, and tunnel information. The
already been fixed based on the initial contract setting IP Sec. information is a collection of IP Sec. information
(SLA), it is not necessary to set this IP Sec. tunnel (1) from instances, and is specified by a set of a transmission origi
the HA31 to the enterprise GW 51. The HA31 transmits the 65 nating address and a destination address. Each IP Sec.
position registration response message (HAA) to the AAAH information instance consists of a transmission originating
33 after finishing the position registration processing (G5)). address/net mask, a destination address/net mask, an actual
US 7,068,640 B2
11 12
destination address as an actual transfer destination of a to the routing table 337. The network kernel 323 edits the
packet, a tunnel information identifier to be applied to this packet according to a filtering condition of a differentiated
packet, and an ESP information identifier to be applied to service set in advance in the kernel. When the output
this packet. The ESP information is a collection of ESP destination is a virtual device, the process branches to step
information instances. This ESP information consists of an S204. When the output destination is a physical device, the
ESP identifier for uniquely identifying ESP information, an packet is transferred to this device.
encryption method, a direction, an AH authentication key At step S204, the network kernel 323 delivers the infor
length, an ESP authentication key length, an ESP encryption mation of the transferred packet to the MAVPN control
key length, an AH authentication key, an ESP authentication section 322, and the MAVPN control section 322 carries out
key, and an ESP encryption key. The tunnel information is 10 a tunneling and encryption of the packet based on the
a collection of tunnel information instances. The tunnel information set in advance. In the case of encapsulating the
information consists of a tunnel identifier for uniquely IP packet by the tunneling processing, the MAVPN control
identifying tunnel information, an encapsulation method, a section 322 carries over the TOS information of the original
direction, and a transmission originating address and a packet. The IP packet that has been edited is returned to the
destination address that become an entrance and an exit of 15 network kernel 323 again. Then, the network kernel 323
a tunnel. transfers the packet to a corresponding physical device by
The network kernel 323 is an operating system for con referring to the routing table 337 based on a given new
trolling a transfer of an IP packet and a physical interface as destination of the IP packet.
a connection point to the network, and has a routing table FIG. 18 shows an example of a processing flow of the MA
337 for determining a transfer route of the IP packet. The protocol control section 321. First, the MA protocol control
network kernel 323 carries out the encapsulation of the IP section 321 checks a port number of a received packet.
packet, the packet editing, and the control of packet trans When this port number is a port number of the AAA
mission queue. These functions depend on the operating protocol, the process proceeds to step S206. When this port
system, and therefore, they will not be explained in the number is a port number of the mobile IP protocol, the
present invention. 25 process proceeds to step S207 (S205). At step S206, the MA
FIG. 16 shows an example of the routing table 337. The protocol control section 321 starts the AAA protocol pro
general routing table consists of a destination address, a cessing section 331 to process the AAA protocol (reference
gateway address, a net mask, a metric, an exit interface, and FIG. 19). Thereafter, the MA protocol control section 321
other control auxiliary information. A route is determined extracts the mobile IP protocol added to the AAA protocol
based on the destination address and the metric. In the 30 as a part of the information, and delivers the processing to
present invention, a network kernel that does not depend on step S207. At step S207, the MA protocol control section
a structure of the route table but can set a virtual device to 321 starts the mobile IP protocol processing section 332, and
an output destination will be explained in detail below. The then finishes the processing.
network kernel has a function of decapsulating an encapsu FIG. 19 shows an example of a processing flow of the
lated packet upon receiving this packet. When a packet after 35 AAA protocol processing section 331. First, the AAA pro
the decapsulation includes the ESP header, the network tocol processing section 331 extracts the VPN information
kernel has a function of decoding the encrypted packet by from a received AAA protocol, and then delivers this VPN
referring to the ESP information held in the tunnel control information to the VPN information cache 333. Next, the
section 335. The physical network device interface 324 is an AAA protocol processing section 331 sets a flag on a shared
interface (a hard control driver) to a physical network 40 memory to indicate that the cache has been set and updated,
device. The physical network device is a package or an NIC for the mobile IP protocol processing section 332 to refer to
card of, for example, a LAN, an ISDN, an ATM, etc. this fact (S208). After finishing the AAA protocol process
FIG. 17 to FIG. 24 show examples of a processing flow ing, the AAA protocol processing section 331 extracts the
of the MA. The MA processing according to the present mobile IP protocol added to the AAA protocol as a part of
invention will be explained below with reference to these 45 the information (S209). When the received message is a
examples of the processing flow. position registration request message (HAR), the AAA pro
FIG. 17 shows a total processing flow of the MA. Upon tocol processing section 331 transmits a position registration
receiving a packet from the physical network interface 324. response message (HAA) (S210 and S211).
the network kernel 323 decapsulates and decodes the FIG. 20 shows an example of a processing flow of the
encrypted packet as briefly explained above, and then dis 50
mobile IP protocol processing section 332. At step S212, the
criminates the received packet between a signaling packet mobile IP protocol processing section 332 makes a decision
and a data packet (S200). The selection of a signaling packet on the type of a received mobile IP protocol message. When
is determined based on whether the packet has been received the type of the received mobile IP protocol message is a
by a port number assigned by the MA protocol control registration request, the process proceeds to step S213.
section 321 or not. When the received packet is a signaling 55
When the type of the received mobile IP protocol message
packet, the process proceeds to step S201, and when the is a registration response, the process proceeds to step S220.
received packet is not a signaling packet, the process pro When the type of the received mobile IP protocol message
ceeds to step S203. is a BU (Binding Update) or a BA (Binding Acknowledge),
When the received packet is a signaling packet, the the process proceeds to step S218.
network interface 324 delivers the information of the 60
received packet to the MA protocol control section 321, and A. In the Case of the Registration Request
then the MA protocol control section 321 carries out the When the MA that has received the registration request is
AAA protocol processing 331 and the mobile IP protocol the HA, the mobile IP protocol processing section 332
processing 332 (S201). Next, the MAVPN control section compares the care-of-address of the registration request
322 is started to carry out the VPN information (S202). At 65 message with the old care-of-address within the mobility
step S203, the network kernel 323 determines the interface binding. When these care-of-addresses do not coincide with
to the output destination of the received packet by referring each other as a result of the comparison, the process pro
US 7,068,640 B2
13 14
ceeds to step S214. When these care-of-addresses coincide deletes the information in the route table 337 that has been
with each other as a result of the comparison or when the set to the network kernel 323 and the corresponding infor
MA that has received the registration request is the FA, the mation in the information table 336 based on the information
process branches to step S217 (S213). At step S214, the of the VPN information instance (S226). Next, the tunnel
mobile IP protocol processing section 332 specifies the VPN control section sets the output destination of the route table
information cache instance of the MN that has transmitted at the destination address set in the VPN information profile
the position registration message, and rewrites the destina of the VPN information instance to a virtual device (S227).
tion GW address of the VPN information cache 333 to the Further, the tunnel control section sets the tunnel informa
address posted by the care-of-address. tion instance of the IP Sec. information table 336 by refer
This specification method can be achieved by providing 10 ring to the VPN information profile of the VPN information
an IP address of the MN to the session ID, or by providing instance (S228).
a link between the mobility binding and the VPN informa At step S229, the tunnel control section refers to the
tion cache instance. The HA searches all the VPN informa security type within the VPN information profile of the VPN
tion profiles set in the specified VPN information cache information instance. When the ESP or the AH has been
instance. When the destination GW type is one to which a 15 assigned, the process branches to step S230. When the ESP
dynamic VPN can be set, the HA edits the BU message that or the AH has not been assigned, the tunnel control section
has set the VPN information to the transmission originating finishes the processing. At step S230, the tunnel control
address of this profile, and transmits this edited BU message section refers to the SPI within the VPN information profile
(S215). At step S216, the mobile IP protocol processing of the VPN information instance. When the SPI is a user
section 332 starts the MAVPN control section 322, and edits individual SPI, the process proceeds to step S231. When the
the reception message and the message specified by the SPI is a default SPI, the process proceeds to step S232. It is
processing MA as shown in a message correspondence table assumed that this default SPI has been set to MA in advance
in FIG. 21, and transmits the edited result (S217). at the time of the initial structuring or from a local mainte
B. In the Case of the Registration Response nance console of the MA. At step S231, the tunnel control
At step S220, the mobile IP protocol processing section 25 section sets the key information relevant to the SPI of the
332 refers to the cache update information set in advance in VPN information profile of the VPN information instance to
the shared memory by the AAA protocol processing section the ESP information instance. At step S232, the tunnel
control section sets the ESP identifier to the IP Sec. infor
331. When there has been an updating in the cache, the mation instance.
process branches to step S216. When there has been no 30 Various other embodiments of the present invention sepa
updating in the cache, the process branches to step S217. rate from the above-described first embodiment will be
C. In the Case of the BU or BA explained below in order to further enhance the understand
At step S218, when the received message is the BU, the ing of the operation of the present invention, based on the
process branches to step S219, and when the received items described above.
message is the BA, the process branches to step S217. When 35 FIG. 25 shows a second embodiment of the present
the processing MA is the PCN, the mobile IP protocol invention.
processing section 332 receives all the BU messages This shows an example of a setting of a VPN (when a
addressed to the CN under the management of the PCN, on VPN exists between a stationary HA and a CN) at the time
behalf of the CN. This system can be achieved by, for of a move within the same domain. This schematically
example, the method disclosed in Japanese Patent No. 40 shows how a VPN is reconstructed when the MN 1 of a user
2000-32372. When the processing MA is the PCN, the has moved from the FA 21 of the roaming-contracted ISP 2
mobile IP protocol processing section 332 sets the VPN of the first embodiment to other FA21' of the same roaming
information set in the BU message to the VPN information contracted ISP 2 after a VPN has been set to the GW 51 of
cache 333, or substitutes the message with this VPN infor the enterprise domain.
mation. When the processing MA is the FA, the mobile IP 45 In FIG. 25, when the MN 1 of the user has moved from
protocol processing section 332 updates the destination GW the FA 21 to a new FA 21' within the same domain, a
address of the VPN information cache 333 to a new FA registration request message (Reg Req) that includes the
address (S219). address of the old FA 21 is transmitted as prescribed in the
FIG. 22 shows an example of a processing flow of the mobile IP path optimization draft (draft-ietf-mobileip-op
MAVPN control section 322. The MAVPN control Section 50 tim-09) (CD). The new FA 21' includes this registration
322 starts the QoS control section 334 at step S221, and request into an authentication request message (AMR) (C2)),
starts the tunnel control section 335 at the next step S222. and transmits this authentication request message (AMR) to
FIG. 23 shows an example of a processing flow of the the local AAA server (AAAF) 23 within its own ISP2. When
QoS control section 334. First, at step S223, the QoS control the authentication request message (AMR) includes the old
section 334 deletes the information of the differentiated 55 FA 21, the AAAF 23 extracts the VPN between the FA and
service that has been set to the network kernel 323 based on the HA from the VPN information cache, and substitutes the
the information of the VPN information instance. Next, address of the FA 21 with the address of the new FA 21'.
when the TOS value of the VPN information instance is Then, the AAAF 23 returns to the new FA 21' an authenti
other than Zero (0), the QoS control section 334 branches the cation response message (AMA) that is added with a profile
process to step S225. When the TOS value of the VPN 60 of the VPN to be set to the FA (G)).
information instance is not other than Zero (0), the QoS The FA 21' transfers the registration request message (Reg
control section 334 finishes the processing (S224). At step Req) received from the MN 1 to the HA31 (G)). The HA
S225, the QoS control section 334 sets the information of the 31 specifies a VPN profile from the HA to the FA from the
differentiated service to the network kernel based on the VPN information cache, and rewrites the address of the FA
information of the VPN information instance (S225). 65 to the address of the new FA 21'. Next, the HA31 deletes the
FIG. 24 shows an example of a processing flow of the IPSec. tunnel to the old FA21, and sets a new IPSec. tunnel
tunnel control section. First, the tunnel control section (1) to the new FA 21'. The HA 31 finishes a position
US 7,068,640 B2
15 16
registration processing, and then returns the registration added with the VPN profile to be set to the FA (G5)). The
response message (Reg Rep) to the FA 21' (G5)). AAAF 23 caches the VPN information to within the AAAF
The FA 21" maps an assigned differentiated service by in order to correspond to the move within the local domain
referring to the VPN information cache, and then sets an IP of the MN1, and transfers this information to the FA21'. The
Sec. tunnel (2) from the FA 21' to the HA31. The FA 21' then FA 21' caches the VPN information added to the authenti
sets the information for decoding a packet of an opposite cation response message (AMA), maps an assigned differ
direction tunnel to the IPSec. information table. Further, the entiated service, and then sets an IPSec. tunnel (2) from the
FA 21' copies the VPN information cache, and rewrites the FA 21' to the HA31. Further, the FA 21' sets the information
transmission originating GW address to the address of the for decoding a packet of an opposite-direction tunnel to the
old FA 21 and rewrites the destination GW address to the 10 IP Sec. information.
address of the new FA 21'. Thereafter, the FA 21' adds this Further, when the authentication response message
VPN information to the BU message, and transmits this (AMA) includes the old FA address, the FA 21' copies the
message to the old FA 21 (6)). VPN information cache, and rewrites the transmission origi
The old FA 21 caches the VPN information added to the nating GW address to the address of the old FA 21 and
BU message, deletes the IPSec. tunnel directed from the FA 15 rewrites the destination GW address to the address of the
21 to the HA31, and maps an assigned differentiated service. new FA 21'. Thereafter, the FA 21' adds this VPN informa
Thereafter, the FA 21 sets an IP Sec. tunnel (3) at the tion to the BU message, and transmits this message to the old
smooth-hand-off time from the old FA 21 to the new FA 21'. FA 21 (G6)). The old FA 21 caches the VPN information
As a result, all the packets addressed to the MN 1 and added to the BU message, deletes the IPSec. tunnel directed
received by the old FA 21 before the changeover of the IP from the FA 21 to the HA 31, and maps an assigned
Sec. to the new IP Sec. tunnel (1) tunnel by the HA31 are differentiated service. Thereafter, the FA 21 sets an IPSec.
transferred to the new FA 21' via this IPSec. tunnel (3). The tunnel (3) at the hand-off time from this FA21 to the new FA
old FA 21 returns the BA message to the MN after com 21'.
pleting the setting of the IP Sec. tunnel (3) (C7)). Based on As a result, all the packets addressed to the MN 1 and
this, the new FA 21' returns the registration response mes 25 received by the old FA 21 before the changeover of the IP
sage (Reg Rep) to the MN 1 (C8)). Sec. tunnel to the new IPSec. tunnel (1) by the HA31 are
FIG. 26 shows a third embodiment of the present inven transferred to the new FA 21' via this IPSec. tunnel (3). The
tion. FA 21 returns the BA message to the new FA 21' after
This shows an example of a setting of a VPN (when a completing the setting of the IPSec. tunnel (3) (C7)). Based
VPN exists between a stationary HA and a CN) at the time 30 on this, the new FA 21' returns the registration response
of a move between different domains. This schematically message (Reg Rep) to the MN 1 ((8)).
shows how a VPN is reconstructed when the MN 1 of a user According to the above-described second and third
has moved from the FA 21 of the roaming-contracted ISP 2 embodiments, a user who communicates with the enterprise
of the first embodiment to other FA 21' of a different via the ISP can receive the service of a VPN corresponding
roaming-contracted ISP2 after a VPN has been set from the 35 to a mobile terminal provided by the ISP, without requiring
FA 21 to the GW 51 of the enterprise domain. the GW apparatus of the enterprise to have a specific
In FIG. 26, when the MN 1 of the user has moved between function.
different domains 2 and 2', the user transmits a registration FIG. 27 shows a fourth embodiment of the present inven
request (Reg Req) in a procedure similar to that of a normal tion.
initial position registration as prescribed in the DIAMETER 40 This shows an example of a setting of a VPN (when a
mobile expansion draft (draft-ietf-calhoun-diameter-mo PCN exists) at the time of an initial position registration.
bileip-o8) (CD). The FA 21' of the move destination includes This schematically shows an example of a setting of a VPN
this registration request into the authentication request mes when a roaming-contracted ISP of a communication desti
sage (AMR) (C2)), and transmits this authentication request nation has a VPN and a GW (PCN) to which a VPN can be
message (AMR) to the AAA (AAAH) 33 of the user home 45 set dynamically. The ISP that has a VPNGW to which a VPN
ISP via a local AAA server (AAAF) 22 within the own FA can be set dynamically registers a domain address of the ISP
21". and a GW apparatus address in the CN-GW correspondence
As the two VPNs including the VPN between the FA and table of each provider at the time of making the roaming
the HA and the VPN between the HA and the enterprise GW contract between ISPs, thereby making it possible to
have already been set to the VPN information cache, the 50 dynamically set a VPN by type of GW.
AAAH 33 rewrites the address of the FA of the VPN In FIG. 27, a user joining any one ISP among the
between the FA and the HA to the address of the new FA 21'. roam-contracted ISPs connects to a near access point, and
Next, the AAAH 33 transmits to this HA 31 a position transmits a position registration request (Reg Req) of the
registration request message (HAR) added with the profiles mobile IP from this MN 1 (CD). The FA21 includes this
of the two VPNs (G)). The HA31 updates the cache based 55 registration request in an authentication request message
on the VPN information added to the position registration (AMR), and transmits this authentication request message to
request message (HAR), deletes the IPSec. tunnel directed the AAA (AAAH)33 of the home ISP3 of the user via the
from the HA 31 to the old FA 21, and sets a new IP Sec. local AAA sever (AAAF) 23 within the own ISP (G2)).
tunnel (1) to the new FA 21'. Then, after finishing the The AAAH searches the VPN database 34 by the NAI
position registration processing, the HA 31 returns the 60 included in the authentication request message (AMR), and
position registration response message (HAA) to the AAAH extracts the VPN information own to this user. When an
((4)). In this case, the HA31 returns the address information address assigned as a user communication destination in the
of the old FA 21 as additional information. VPN database 34 is within the roaming-contracted ISP 4, it
Upon receiving the position registration response mes can be known from the CN-GW address correspondence
sage (HAA), the AAAH33 extracts the VPN between the FA 65 table that it is possible to dynamically set a VPN. Therefore,
and the HA from the VPN information cache, and transmits the AAAH sets a VPN of the GW (PCN) between the FA and
to an AAAF 23' an authentication response message (AMA) the communication ISP 4 to the VPN information cache.
US 7,068,640 B2
17 18
Next, the AAAH transmits a position registration request The HA 31 specifies a VPN profile of the VPN utilized by
message (HAR) added with the profile of this VPN, to the this MN 1 from the VPN information cache, and rewrites the
HA31 (G)). The HA31 caches the VPN information added address of the FA to the address of the new FA 21'. In the
to the position registration request message (HAR). After present embodiment, the VPN has already been directly set
finishing the position registration processing, the HA31 can 5 to between the FA21 and the PCN 41. Therefore, the HA31
dynamically set a VPN by referring to a type of the GW of posts this effect to the PCN 41 by the BU message (G5)).
the communication destination GW 41 set to the VPN Whether the BU message is to be transmitted or not is
information. Therefore, the HA31 transmits an MIP Binding determined based on whether the type of the communication
update message BU added with this VPN information destination GW of the VPN information cache is the one to
addressed to a communication terminal CN 42 (G)). 10 which a VPN can be set dynamically or not.
A PCN 41 receives the BU transmitted to the CN 42 on Next, the PCN 41 deletes the IPSec. tunnel to the old FA
behalf of the CN 42, and caches the VPN information added 21 based on the reception of the BU, and sets a new IPSec.
to the BU. Th PCN 41 maps a differentiated service accord tunnel (1) to the new FA 21'. Thereafter, the PCN 41
ing to the posted VPN information, and sets an IPSec. tunnel transmits the BA message to the HA31 (G6)). Based on the
(1) from the PCN 41 to the FA 21. Thereafter, the PCN 41 15 reception of the BA message, the HA 31 transmits the
transmits an MIP Binding Acknowledge message BA to the registration response message (Reg Rep) to the new FA 21
HA31 (G5)). When the HA31 has received the BA, the HA (C7)). The new FA 21" maps an assigned differentiated
31 returns the position registration response message (HAA) service by referring to the VPN information cache, and then
to the AAAH 33 (G6)). Upon receiving the position regis sets an IP Sec. tunnel (2) from the new FA 21' to the PCN
tration response message (HAA), the AAAH 33 extracts a 41. The FA 21' then sets the information for decoding a
VPN of the GW (PCN) between the FA and the communi packet of an opposite-direction tunnel to the IPSec. infor
cation destination ISP 4 from the VPN information cache. mation table. Further, the FA 21' copies the VPN information
The AAAH 33 then transmits to the AAAF 23 an authenti cache, and rewrites the transmission originating GW address
cation response message (AMA) added with the VPN profile to the address of the old FA 21 and rewrites the destination
to be set to the FA 21 (C7)). The AAAF 23 caches the VPN 25 GW address to the address of the new FA21'. Thereafter, the
information within the AAAF 23 to follow the move within FA 21' adds this VPN information to the BU message, and
the local domain of the MN 1, and transfers this VPN transmits this message to the old FA 21 ((8)).
information to the FA 21. The old FA 21 caches the VPN information added to the
The FA 21 caches the VPN information added to the
authentication response message (AMA), and further maps 30
BU message, deletes the IPSec. tunnel directed from the old
FA 21 to the PCN 41, and maps an assigned differentiated
an assigned differentiated service. Thereafter, the FA 21 sets service. Thereafter, the FA 21 sets an IPSec. tunnel (3) at the
an IPSec. tunnel (2) from the FA 21 to the PCN41. Further, smooth-hand-off time from the old FA 21 to the new FA 21'.
the FA 21 sets the information for decoding a packet of an As a result, all the packets addressed to the MN 1 from the
opposite-direction tunnel to the IP Sec. information table. PCN 41 and received by the FA 21 before the changeover of
Thereafter, the FA 21 returns the registration response mes 35
the IP Sec. tunnel to the new IP Sec. tunnel (1) are trans
sage (Reg Rep) to the MN (C8)). As a result, the user can ferred to the new FA 21' via this IP Sec. tunnel (3). The old
carry out a VPN communication with an optional commu FA 21 returns the BA message to the MN after completing
nication destination within the roaming-contracted ISP the setting of the IPSec. tunnel (3) ((9)). Based on this, the
group. new FA 21' returns the registration response message (Reg
FIG. 28 shows a fifth embodiment of the present inven 40
Rep) to the MN 1 ((9)).
tion.
This shows an example of a setting of a VPN (when a FIG. 29 shows a sixth embodiment of the present inven
tion.
PCN exists) at the time of a move within the same domain.
This schematically shows how a VPN is reconstructed when This shows an example of a setting of a VPN (when a
the MN 1 of a user has moved from the FA 21 of the 45 PCN exists) at the time of a move between different man
roaming-contracted ISP2 of the fourth embodiment to other agement domains. This schematically shows how a VPN is
FA 21' of the same roaming-contracted ISP2 after a VPN has reconstructed when the MN 1 of a user has moved from the
been set from this FA 21 to a PCN 41 of other optional FA 21 of the roaming-contracted ISP2 of the fourth embodi
roaming-contracted ISP 4. ment to other FA 21' of a different roaming-contracted ISP
In FIG. 28, when the MN 1 of the user has moved from 50 2" after a VPN has been set from this FA 21 to a PCN 41 of
the FA 21 to the FA 21' within the same domain, a regis other optional roaming-contracted ISP 4.
tration request message (Reg Req) that includes the address In FIG. 29, when the MN 1 of the user has moved between
of the old FA 21 is transmitted as prescribed in the mobile different domains 2 and 2', the user transmits a registration
IP path optimization draft (draft-ietf-mobileip-optim-09) request message (Reg Req) in a procedure similar to that of
(CD). The new FA 21' includes this registration request into 55 a normal initial position registration as prescribed in the
an authentication request message (AMR), and transmits DIAMETER mobile expansion draft (draft-ietf-calhoun-di
this authentication request message (AMR) to the local AAA ameter-mobileip-o8) (OD). The FA 21' of the move destina
server (AAAF) 23 within its own ISP 2 (O)). When the tion includes this registration request message into the
authentication request message (AMR) includes the old FA authentication request message (AMR), and transmits this
21, the AAAF 23 extracts the VPN between the FA and the 60 authentication request message (AMR) to the AAA (AAAH)
PCN from the VPN information cache, and substitutes the 33 of the user home ISP via a local AAA server (AAAF) 23'
address of the FA 21 with the address of the new FA 21'. within the own ISP(O)). As the VPN between the FA21 and
Then, the AAAF 23 returns to the new FA 21' an authenti the PCN 41 has already been set to the VPN information
cation response message (AMA) that is added with a profile cache, the AAAH33 rewrites the address of this FA21 to the
of the VPN to be set to the FA (G)). 65 address of the new FA 21'. Next, the AAAH 33 transmits to
The FA21' transfers the registration request message (Reg this HA 31 a position registration request message (HAR)
Req) previously received from the MN 1 to the HA31 ((4)). added with the profiles of this VPN (G)).
US 7,068,640 B2
19 20
The HA 31 updates the cache based on the VPN infor changes the VPN information of the user in a VPN database
mation added to the position registration request message 34 to the information assigned by the user (CD). When the
(HAR), and transmits the BU message to the PCN 41 ((4)). customizing has been finished, the MN 1 of the user trans
Upon receiving the BU message, the PCN 41 deletes the IP mits a position registration request message (Reg Req)
Sec. tunnel to the old FA 21, and sets a new IPSec. tunnel added with a service update request to an FA21 to which the
(1) to the new FA 21'. Thereafter, the PCN 41 transmits the user is currently connected (C2)). Upon receiving the regis
BA message to the HA 31 (G5)). Upon receiving the BA tration request added with the service update request, the FA
message, the HA 31 returns the position registration 21 includes this registration request into an authentication
response message (HAA) to the AAAH 33 (C6)). In this request message (AMR), and transmits this authentication
case, the HA31 returns the address information of the old FA 10
request message (AMR) to an AAA (AAAH) 33 of the user
21 as additional information.
Upon receiving the position registration response mes home ISP via a local AAA server (AAAF) 23 within the own
sage (HAA), the AAAH33 extracts the VPN between the FA ISP (G)).
and the HA from the VPN information cache, and transmits The AAAH 33 receives the message added with the
to an AAAF 23' an authentication response message (AMA) 15 service update request regardless of whether the VPN infor
added with the VPN profile to be set to the FA (C7)). The mation cache already exists or not, and searches a VPN
AAAF 23 caches the VPN information within the AAAF in database 34 with an NAI included in the authentication
order to correspond to the move within the local domain of request message (AMR), and extracts the VPN information
the MN 1, and transfers this information to the new FA 21'. to this user. When the address assigned as the user commu
The new FA 21" caches the VPN information added to the nication destination in the VPN database 34 is within the
authentication response message (AMA), maps an assigned roaming-contracted ISP, it can be known from a CN-GW
differentiated service, and then sets an IP Sec. tunnel (2) address correspondence table that a VPN can be dynami
from the FA 21' to the PCN 41. Further, the FA 21' sets the cally set to this communication destination. Therefore,
information for decoding a packet of an opposite-direction according to the present embodiment, the AAAH 33 sets a
tunnel to the IP Sec. information. 25
When the authentication response message (AMA) VPN for a GW (PCN) 41' between the FA 21 and the
communication destination ISP in the VPN information
includes the address of the old FA 21 like this case, the FA cache. Then, the AAAH33 transmits to the HA31 a position
21' copies the VPN information cache, and rewrites the registration request message (HAR) added with the profile
transmission originating GW address to the address of the of this VPN (G)).
old FA 21 and rewrites the destination GW address to the 30
address of the new FA 21'. Thereafter, the FA 21' adds this The HA 31 caches the VPN information added to the
VPN information to the BU message, and transmits this position registration request message (HAR). After finishing
message to the old FA 21 (C8)). The old FA 21 caches the the position registration processing, the HA31 can dynami
VPN information added to the BU message, deletes the IP cally set a VPN by referring to a type of the GW of the
Sec. tunnel directed from the old FA 21 to the PCN 41, and 35 communication destination GW. 41' set to the VPN infor
maps an assigned differentiated service. Thereafter, the FA mation. Therefore, the HA 31 transmits an MIP Binding
21 sets an IP Sec. tunnel (3) at the smooth-hand-off time update message BU added with this VPN information
from this FA 21 to the new FA 21'. addressed to a communication terminal CN 42 (G5)).
As a result, all the packets addressed to the MN 1 from the The PCN 41' receives the BU transmitted to the CN 42 on
PCN41 and received by the old FA21 before the changeover 40
behalf of the CN 42", and caches the VPN information added
of the IPSec. tunnel are transferred to the new FA 21' via this
IP Sec. tunnel (3). The old FA 21 returns the BA message to to the BU message. Th PCN 41' maps a differentiated service
the MN after completing the setting of the IPSec. tunnel (3) according to the posted VPN information, and sets an IPSec.
((9)). Based on this, the new FA 21' returns the registration tunnel (1) from the PCN 41' to the FA 21. Thereafter, the
response message (Reg Rep) to the MN 1 (9)). As shown 45 PCN 41' transmits an MIP Binding Acknowledge message
in the fifth and sixth embodiments, according to the present BA to the HA31 (G6)).
invention, a user who is a member of the roaming-contract When the HA31 has received the BA message, the HA31
ISP group can set a VPN with any optional communication returns the position registration response message (HAA) to
destination within this group. Further, this user can move the AAAH33 (C7)). Upon receiving the position registration
freely within this group with the VPN unchanged. 50 response message (HAA), the AAAH 33 extracts a VPN of
FIG. 30 shows a seventh embodiment of the present the GW (PCN)41' between the FA 21 and the communica
invention. tion destination ISP from the VPN information cache. The
This shows an example of a setting of a VPN between AAAH 33 then transmits to the AAAF 23 an authentication
optional terminals assigned by the user. While the above response message (AMA) added with the VPN profile to be
explained examples are for setting a VPN to a specific 55
set to the FA 21 (C8)). The AAAF 23 caches the VPN
communication destination assigned by the user, it is also information to within the AAAF 23 to follow the move
possible for the user to dynamically set a VPN to a com within the local domain of the MN1, and transfers this VPN
munication destination. The present embodiment shows an information to the FA 21.
example of case where the user sets a VPN to a communi The FA 21 caches the VPN information added to the
cation destination other than the communication destination 60
that has been assigned by the user when the contract was authentication response message (AMA), and further maps
made. an assigned differentiated service. Thereafter, the FA 21 sets
A user who wants a change of a VPN setting destination an IPSec. tunnel (2) from the FA 21 to the PCN 41'. Further,
makes access to a home page of a VPN service customize the FA 21 sets the information for decoding a packet of an
provided by a home ISP 3 of the user. The user sets an 65 opposite-direction tunnel to the IP Sec. information table.
address of a communication destination through this home Thereafter, the FA 21 returns the registration response mes
page. A WEB application 36 linked with this home page sage (Reg Rep) to the MN (G9)). When a VPN that has been
US 7,068,640 B2
21 22
set before the change of the VPN exists, the PCN 41 network apparatus, between the first network apparatus
transmits a Binding request message BR to the HA31 that and the third network apparatus, and/or between the
has posted this VPN information and asks whether the VPN second network apparatus and the third network appa
can be deleted or not, when the remaining lifetime has ratus respectively.
become less than a threshold value (9)). 5 2. The server apparatus according to claim 1, wherein
Upon receiving this BR message, the HA 31 searches a the distribution means distributes the VPN information
VPN information cache from the information of the MN 1 after receiving a communication packet from the cor
that has been set to this message, and checks whether the respondent node (CN) that becomes the communica
VPN relating to this PCN 41 still exists in the cache. When tion destination.
this VPN has still been cached, the HA 31 transmits a BU 10
3. AVPN system in a mobile IP network, the VPN system
message to the PCN41. When the VPN has not been cached, compr1S1ng:
the HA 31 transmits no BU message to the PCN 41. In the a mobile terminal;
present example, the PCN 41 deletes an existing VPN as no
BU can be received until the completion of the lifetime. As a home authentication server provided in a home network
explained above, the user can also dynamically assign a 15 of a user and an external authentication server provided
VPN setting destination. In the present embodiment, an in other external network;
example of assigning a VPN setting destination only through a VPN database provided in the home network, the VPN
the WEB has been shown. However, the gist of the present database containing VPN information having VPN path
invention is the distribution of the VPN information to an setting information and security information of a virtual
assigned setting destination and the setting/releasing means private network;
of this VPN information under a mobile environment. There a first network apparatus having a security gateway func
are various methods of assigning a communication destina tion of the home network;
tion and means for reflecting them to the VPN database 34. a second network apparatus having a security gateway
For example, there are various applications such as a dialing function of the other external network;
of a VPN code with a communication destination using a 25
a third network apparatus having a security gateway
portable telephone, and a one-click setting of a VPN from a function of a predetermined network in which a corre
communication server, etc. spondent node CN with whom the terminal communi
As explained above, the present invention has the follow cates exists, wherein
ing effects. the home authentication server extracts from the VPN
1) It is possible to provide a VPN setting service to 30
database the VPN information of a user who has
between optional terminals without requiring an MN and a requested an authentication at the time of a position
CN to have a specific VPN function. This is achieved by registration request from a mobile terminal, and posts
dynamically setting a VPN of the IP Sec. to a security
gateway of terminals participating in communications, to a this VPN information to each network apparatus by
public IP network, linked with a position registration pro 35
using a predetermined position registration message
cedure in the mobile IP. and an authentication response message, and
2) It is possible to set a VPN with the service quality, the the respective network apparatuses set a VPN path by the
security level, and the route, assigned by users based on a IP Sec. based on posted VPN information, to between
free combination. the first network apparatus and the second network
3) It is possible to automatically update a VPN path along 40 apparatus, between the first network apparatus and the
with a move of an MN. third network apparatus, and/or between the second
What is claimed is: network apparatus and the third network apparatus
1. A server apparatus provided in a home network of an respectively.
IP network using a protocol that automates the management 4. The VPN system according to claim 3, wherein
of an IP address and the transfer of a communication packet 45 the authentication sever and the network apparatus update
to a move destination when a mobile terminal has moved VPN information cached in the authentication server
between different IP network, the server apparatus compris and the network apparatus to new path information or
1ng: rewrite the VPN information with position information
memory means that stores VPN information for construct linked with a position registration request based on a
ing a safe communication path within an IP network in 50 move of a mobile terminal, thereby to automatically
relation to the terminal, the VPN information contain update each VPN path between the home network
ing VPN path apparatus and the external network apparatus, between
distribution means that distributes the VPN information to the home network apparatus and the predetermined
a first network apparatus, a second network apparatus, network apparatus, and/or between the external net
and a third network apparatus at the time of transmit 55 work apparatus and the predetermined network appa
ting an authentication response message to a position ratus, to a new VPN path based on the IPSec. respec
registration request message from the terminal, the first tively.
network apparatus having a security gateway function 5. The VPN system according to claim 3, wherein
of the home network, the second network apparatus a each network apparatus includes:
security gateway function of the external network of a 60
move destination, the third network apparatus having a an MA protocol processing section that controls protocols
security gateway function of a predetermined network relating to a service profile in which the VPN infor
in which a correspondent node CN with whom the mation has been set by caching; and
terminal communicates exists, wherein an MAVPN control section that sets a QoS control for
the respective network apparatuses set a VPN path by the 65 guaranteeing the service quality and a tunnel for guar
IP Sec. based on the distributed VPN information, to anteeing the security between the security gateways
between the first network apparatus and the second according to the service profile.
US 7,068,640 B2
23 24
6. A VPN system in a mobile IP network, the VPN system path information includes set path information and
comprising: security information of the virtual private network.
a mobile terminal; 9. The external authentication server according to claim 8.
a home authentication server provided in a home network wherein
of a user and an external authentication server provided 5 the safe communication path is a VPN path according to
in other external network; the IP Sec.
a VPN database provided in the home network; and 10. A network apparatus for accommodating a mobile
network apparatuses that have gateway functions of a terminal in an IP network using a protocol that automates the
home network, an external network, a predetermined management of an IP address and the transfer of a commu
communication host and/or an agent server therefor; 10 nication packet to a move destination when a terminal has
wherein moved between different IP networks, the network apparatus
the home authentication server includes: comprising:
an AAAVPN control section hat specifies a VPN set path means that receives a VPN path construction instruction
from the information of the external network apparatus based on VPN path information corresponding to a user
connected by the mobile terminal set in a predeter 15 included in an authentication response message from a
mined authentication request message and the informa home authentication server when the mobile terminal
tion of the home network apparatus of the mobile has made a position registration request; and
terminal, by using a correspondence table showing a VPN path construction means that constructs a VPN path
correspondence between the VPN information of the between this apparatus and a network apparatus having
VPN database and a predetermined network apparatus a security gateway function of a home network, and a
accommodating a communication host held by itself. VPN path between this network apparatus and a net
and work apparatus accommodating a correspondent node
an AAA protocol processing apparatus that sets a service CN as a communication destination, based on the
quality between the network apparatuses and security 25
received VPN path construction information.
information to a predetermined authentication response 11. The network apparatus according to claim 10, wherein
message to an access network and to a position regis the safe communication path is a communication path
tration message to the home network, as service pro realized by a virtual private network, and the safety
files, wherein path information includes set path information and
the home authentication server extracts form a VPN
30
security information of the virtual private network.
database VPN information of a user who has requested 12. The network apparatus according to claim 11, wherein
an authentication at the time of a position registration the safe communication path is a VPN path according to
request from a mobile terminal, and posts this VPN the IP Sec.
information to each network apparatus by using a 13. A VPN setting method in a mobile IP network
predetermined position registration message and an 35
comprising the steps:
authentication response message, and wherein that a user network apparatus sets VPN path by a station
the respective network apparatuses set a VPN path by the ary IP Sec. tunnel directed from the user network
IP Sec. based on posted VPN information, to between apparatus to its home agent;
the home network apparatus and the external network that a user mobile terminal transmits a position registra
apparatus, between the home network apparatus and 40 tion request message to a foreign agent;
the predetermined network apparatus, and/or between that the foreign agent transmits an authentication request
the external network apparatus and the predetermined message including the received position registration
network apparatus respectively. request information to a user home authentication
7. An external authentication server existing with a server via a local authentication server of the foreign
mobile terminal in an IP network using a protocol that 45 agent,
automates the management of an IP address and the transfer that, based on the received authentication request mes
of a communication packet to a move destination when the Sage, the home authentication server refers to its own
terminal has moved between different IP networks, the database and extracts a communication destination
external authentication server comprising: host, a type of the network apparatus, and security
means that extracts VPN path information corresponding 50 service information by users, caches the extracted
to a user included in an authentication response mes information as VPN information between the foreign
Sage from a home authentication server when the agent and the home agent and between the user network
mobile terminal has made a position registration apparatus and the home agent, and transmits the posi
request; and tion registration request message including this infor
VPN path construction instruction means that instructs a 55 mation to the home agent;
network apparatus accommodating the mobile terminal that the home agent caches the received position regis
to construct a VPN path between this apparatus and a tration request message, sets the assigned security
network apparatus having a security gateway function service, sets a VPN path by an IPSec. tunnel directed
of a home network, and a VPN path between this from the home agent to the user network apparatus as
network apparatus and a network apparatus accommo 60 a communication destination host and to the foreign
dating a correspondent node CN as a communication agent respectively, and transmits a position registration
destination, based on the extracted VPN path informa response message to the home authentication server
tion. after finishing the position registration processing:
8. The external authentication server according to claim 7. that, based on the reception of the position registration
wherein 65 response message, the home authentication server
the safe communication path is a communication path transmits the authentication response message added
realized by a virtual private network, and the safety with the cached VPN information between the foreign
US 7,068,640 B2
25 26
agent and the home agent, to a local authentication information, deletes the VPN path directed from the
server of the foreign agent; home agent to the old foreign agent, sets a VPN path by
that the local authentication server transmits the received an IPSec. tunnel directed from the home agent set with
authentication response message to the foreign agent the assigned security service to the new foreign agent,
after caching the VPN information between the home and transmits a position registration response message
agent and the foreign agent; and to the home authentication server after finishing the
that the foreign agent caches the VPN information position registration processing:
included in the received authentication response mes that, based on the reception of the position registration
Sage, sets the assigned security service, sets a VPN path response message, the home authentication server
by an IPSec. tunnel directed from the foreign agent to 10 transmits the authentication response message added
the home agent, and then returns the position registra with the cached VPN information between the foreign
tion response message to the user mobile terminal. agent and the home agent, to a local authentication
14. The VPN setting method according to claim 13, server of the new foreign agent;
further comprising the steps: that the local authentication server transmits the received
that the user mobile terminal moves to an area of a new 15 authentication response message to the new foreign
foreign agent within the same network, and transmits agent after updating the cached VPN information; and
from there a position registration request message that the new foreign agent caches the VPN information
including position information of the old foreign agent; included in the received authentication response mes
that the new foreign agent transmits an authentication Sage, sets the assigned security service, sets a VPN path
request message including the received position regis by an IP Sec. tunnel directed from the new foreign
tration request information to the local authentication agent to the home agent, and then returns the position
server; registration response message to the user mobile ter
that the local authentication server rewrites the foreign minal.
agent information of the cached VPN information 16. A VPN setting method in a mobile IP network
between the foreign agent and the home agent to the 25 comprising the steps:
information of the new foreign agent, and transmits an that a user mobile terminal transmits a position registra
authentication response message including this infor tion request message from the user mobile terminal to
mation to the new foreign agent; a foreign agent,
that the new foreign agent transfers the received position that the foreign agent transmits an authentication request
registration request message to the home agent; 30 message including the received position registration
that, based on the received position registration request request information to a user home authentication
information, the home agent rewrites the foreign agent server via a local authentication server of the foreign
information of the cached VPN information between agent,
the foreign agent and the home agent to the information that, based on the received authentication request mes
of the new foreign agent, deletes the VPN path directed 35 Sage, the home authentication server refers to its own
from the home agent to the old foreign agent, sets a database and extracts a communication destination
VPN path by an IPSec. tunnel directed from the home host, a type of the network apparatus, and security
agent set with the assigned security service to the new service information by users, sets a VPN between the
foreign agent, and transmits a position registration foreign agent and the communication destination net
response message to the new foreign agent after fin 40 work apparatus to a VPN cache when the type of the
ishing the position registration processing; and network apparatus is a one to which a VPN can be set
that the new foreign agent caches the VPN information dynamically, and transmits the position registration
included in the received position registration response request message including this information to the home
message, sets the assigned security service, sets a VPN agent,
path by an IPSec. tunnel directed from the new foreign 45 that the home agent caches the received position regis
agent to the home agent, and then returns the position tration request message, and transmits a binding update
registration response message to the user mobile ter message added with this VPN information to the com
minal. munication destination host after finishing the position
15. The VPN setting method according to claim 13, registration processing, when the type of the network
further comprising the steps: 50 apparatus is a one to which a VPN can be set dynami
that the user mobile terminal moves to an area of a new cally;
foreign agent within a different network, and transmits that the network apparatus receives the binding update
from there a position registration request message message on behalf of the communication destination
including position information of the old foreign agent; host, caches the VPN information added to this mes
that the new foreign agent transmits an authentication 55 Sage, sets the assigned security service, sets a VPN path
request message including the received position regis by an IPSec. tunnel directed from the network appa
tration request information to the home authentication ratus to the foreign agent, and thereafter transmits a
server of the user via a local authentication server of the binding authorization message to the home agent;
new foreign agent; that, upon receiving the binding authorization message,
that the home authentication server rewrites the foreign 60 the home agent transmits a position registration
agent information of the cached VPN information response message to the home authentication server;
between the foreign agent and the home agent to the that, based on the reception of the position registration
information of the new foreign agent, and transmits the response message, the home authentication server
position registration request message including this transmits the authentication response message added
information to the home agent; 65 with the cached VPN information between the foreign
that, based on the received position registration request agent and the network apparatus, to a local authenti
information, the home agent updates the cached VPN cation server of the foreign agent;
US 7,068,640 B2
27 28
that the local authentication server transmits the received that the home authentication server rewrites the foreign
authentication response message to the foreign agent agent information of the cached VPN information
after caching the VPN information added to this mes between the foreign agent and the home agent to the
Sage; and information of the new foreign agent, and transmits the
that the foreign agent caches the VPN information 5 position registration request message including this
included in the received authentication response mes information to the home agent;
Sage, sets the assigned security service, sets a VPN path that, based on the received position registration request
by an IPSec. tunnel directed from the foreign agent to information, the home agent updates the cached VPN
the network apparatus, and then returns the position information, and transmits a binding update message
registration response message to the user mobile ter 10 added with this VPN information to the communication
minal. destination host when the type of the network apparatus
17. The VPN setting method according to claim 16, is a one to which a VPN can be set dynamically:
further comprising the steps: that, based on the received binding update message, the
that the user mobile terminal moves to an area of a new network apparatus updates the cached VPN informa
foreign agent within the same network, and transmits 15 tion, deletes the VPN path directed from the network
from there a position registration request message apparatus to the old foreign agent, sets a VPN path by
including position information of the old foreign agent; an IPSec. tunnel directed from the network apparatus
that the new foreign agent transmits an authentication set with the assigned security service to the new foreign
request message including the received position regis agent, and thereafter transmits a binding authorization
tration request information to the local authentication message to the home agent;
server; that, upon receiving the binding authorization message,
that the local authentication server rewrites the foreign the home agent transmits a position registration
agent information of the cached VPN information response message to the new foreign agent;
between the foreign agent and the network apparatus to that, based on the reception of the position registration
the information of the new foreign agent, and transmits 25 response message, the home authentication server
an authentication response message including this transmits the authentication response message added
information to the new foreign agent; with the cached VPN information between the foreign
that the new foreign agent transfers the received position agent and the network apparatus, to a local authenti
registration request message to the home agent; cation server of the new foreign agent;
that, based on the received position registration request 30 that the local authentication server transmits the received
information, the home agent rewrites the foreign agent authentication response message to the new foreign
information of the cached VPN information between agent after caching the VPN information added to this
the foreign agent and the network apparatus to the message; and
information of the new foreign agent, and transmits a that the new foreign agent caches the VPN information
binding update message added with this VPN informa 35
included in the received position registration response
tion to the communication destination host, when the message, sets the assigned security service, sets a VPN
type of the network apparatus is a one to which a VPN path by an IPSec. tunnel directed from the new foreign
can be set dynamically: agent to the network apparatus, and then returns the
that, based on the received binding update message, the position registration response message to the user
network apparatus updates the cached VPN informa 40
mobile terminal.
tion, deletes the VPN path directed from the network 19. The VPN setting method according to claim 16,
apparatus to the old foreign agent, sets a VPN path by further comprising the steps:
an IPSec. tunnel directed from the network apparatus
set with the assigned security service to the new foreign that the user customizes the user VPN information by
agent, and thereafter transmits a coupling authorization 45 making access to a database of the home authentication
message to the home agent; server by predetermined communication means, and
that, upon receiving the binding authorization message, thereby changes the communication destination to a
the home agent transmits a position registration network apparatus of the type of the network apparatus
response message to the new foreign agent; and to which a VPN can be set dynamically; and
that the new foreign agent caches the VPN information 50 the user mobile terminal transmits a position registration
included in the received position registration response request message added with a service update request, to
message, sets the assigned security service, sets a VPN a foreign agent.
path by an IPSec. tunnel directed from the new foreign 20. The VPN setting method according to claim 19,
agent to the network apparatus, and then returns the further comprising the steps:
position registration response message to the user 55 that the network apparatus measures a lifetime of a
mobile terminal. communication host under its management, transmits a
18. The VPN setting method according to claim 16, binding request message to the home agent that has
further comprising the steps: posted the VPN information when the remaining life
that the user mobile terminal moves to an area of a new time has become less than a predetermined threshold
foreign agent within a different network, and transmits 60 value, and deletes the VPN information when the
from there a position registration request message binding update message has not been received; and
including position information of the old foreign agent; the home agent retrieves the cached VPN information
that the new foreign agent transmits an authentication from the user mobile terminal information included in
request message including the received position regis the received binding request message, transmits a bind
tration request information to the home authentication 65 ing update message when the information of the net
server of the user via a local authentication server of the work apparatus exists, and leaves it as it is when the
new foreign agent; information of the network apparatus does not exist.
US 7,068,640 B2
29 30
21. The VPN setting method according to claim 14 or 17, that the new foreign agent copies the cached VPN infor
further comprising the steps: mation when the authentication response message
that the new foreign agent copies the cached VPN infor includes the information of the old foreign agent, and
mation, and transmits a binding update message added transmits a binding update message added with the
with the VPN information with the transmission origin VPN information with the transmission origin rewritten
rewritten to the old foreign agent and with the trans to the old foreign agent and with the transmission
mission destination rewritten to the new foreign agent, destination rewritten to the new foreign agent, to the
to the old foreign agent; and old foreign agent; and
that, the old foreign agent caches the VPN information of that, the old foreign agent caches the VPN information of
the received binding update message, deletes the VPN 10 the received coupling update message, deletes the VPN
path directed from the old foreign agent to the home path directed from the old foreign agent to the home
agent, sets a VPN path by an IPSec. tunnel directed agent, sets a VPN path by an IP Sec. tunnel directed
from the old foreign agent set with the assigned secu- from the old foreign agent set with the assigned secu
rity service to the new foreign agent, and thereafter rity service to the new foreign agent, and thereafter
transmits a coupling authorization message to the new 15 transmits a coupling authorization message to the new
foreign agent. foreign agent.
22. The VPN setting method according to claim 15 or 18,
further comprising the steps:

United States Patent: (75) Inventors: Mitsuaki Kakemizu, Kawasaki (JP)

Uploaded by

Copyright:

Available Formats

You might also like

United States Patent: (75) Inventors: Mitsuaki Kakemizu, Kawasaki (JP)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

United States Patent: (75) Inventors: Mitsuaki Kakemizu, Kawasaki (JP)

Uploaded by

Copyright:

Available Formats

USOO7068640B2

(12) United States Patent (10) Patent No.: US 7,068,640 B2

(22) Filed: Mar. 8, 2001 (57) ABSTRACT

OTHER PUBLICATIONS Mitsuaki Kakemizu et al. Unified IP Service Control Archi

FOREIGN HOME AGENT

WPN INFORMATION PROFILE n

AAA PROTOCOL CONTROL S1 OO

S103 SET WPN INFORMATION

S104. EDIT CORRESPONDING

READ VPN INFORMATION CORRESPONDINGS105

VPN PATH DETERMINATION S1 O6

EXTRACT WPNGW ADDRESS AT MNSIDE

DYNAMIC VPN SETTING

TRANSMISSION ORIGINATING ADDRESS/NET MASK

ESP INFORMATION INSTANCE in

MOBILE IP PROTOCOL PROCESSING

SET WPN INFORMATION S208

EXTRACT MOBILE IP S209

SEND HAA MESSAGE S211

DELETE Diff-Serve INFORMATION

DELETE IPSec. INFORMATION S226

SET OUTPUT DESTINATION OF S227

SET TUNNEL INFORMATION TO S228

SET ESP INFORMATION TO

You might also like