Multiplex communications – Pathfinding or routing – Switching a message which includes an address header
Reexamination Certificate
1999-09-09
2003-10-14
Kizou, Hassan (Department: 2662)
Multiplex communications
Pathfinding or routing
Switching a message which includes an address header
C709S249000
Reexamination Certificate
active
06633571
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to a method of composing a VPN (Virtual Private Network) on the Internet and an interwork router used to connect Internet service providers to each other.
Various applications such as E-mail and WWW (World Wide Web) programs can be used on any Internet Protocol (IP) networks. In addition, such IP networks can be composed at lower costs than the conventional switching networks that use are associated with telephones. This is why the Internet has rapidly come into wide use in recent years. Under such circumstances, intracompany networks (intranets) composed on the IP level are now indispensable for facilitating the activities of those companies.
Companies are often distributed unevenly in local areas. In such a situation, therefore, there will appear a demand that the intranets in those local areas should be connected into one network as a logical consequence. In such a case, there are the following two methods possible for connecting those intranets to each other in local areas.
Firstly, private lines are used for connecting those intranets in local areas. In this case, each of those intranets can be isolated from external networks for ensuring security.
Secondly, the IPsec (IP security protocol) technique is used to provide each terminal with a function for identifying packets of its own company's network, so that those packets are transferred on the Internet as IP packets using global addresses. This identifying function, when combined with an encoding technique, can make up a Virtual Private Network (VPN) so as to be protected from the attacks of malicious users.
If such private lines are used; however, some problems arise; for example, the network cost is increased, and furthermore, the VPN realized by the IPsec method cannot be protected from the attacks and invasions of malicious users who can crack the codes. In addition, the encoding processing becomes a bottleneck of increasing the speeds for fast networks and terminal costs are increased.
Along with the rapid spread of the Internet, as well as the cost reduction of using the Internet, there have appeared strong demands for forming virtual private networks on the Internet using the functions of lower layers than the IP layer provided by networks, while suppressing the cost and isolating each of those virtual private networks from external networks so as to assure the security and quality thereof.
In order to meet such demands, the following VPN is proposed. A packet is encapsulated at the inlet of the object network of an Internet Service Provider (ISP) that provides the VPN. On the ISP network, each packet is transferred according to the capsule header, then the capsule header is removed at the outlet of the network. According to this VPN composing method, since a packet is encapsulated peculiarly to the VPN, the VPN is isolated from external networks, thereby assuring the security of the VPN. More concretely, for such an encapsulation protocol various methods are available, such as IP encapsulation, MPOA (Multi Protocol over ATM), MPLS (Multi Protocol Layer Switching), etc. Since February of 1999, those methods have been under examination in such standardization groups as ITU-T SG13 (International Telecommunications Union-Telecommunications Standardization Section, Study Group 13), IETF (Internet Engineering Task Force), etc. In addition, ITU-T SG13 is also examining the Core Protocol of the Global Multi-media Network Connection Less (GMN-CL) for transferring packets encapsulated according to E.164 addresses in the object network.
“Access Network Systems and Edge Nodes Systems for the Next-Generation Computer Network”, pp.425-434, NTT R&D vol.47 No.4, 1998 (issued on Apr. 10, 1998) has also proposed a method for composing an edge node in an accessing system used to interwork between each of a plurality of user networks and the core network in the GMN-CL.
SUMMARY OF THE INVENTION
In recent years, the areas of activities in companies have expanded more and more widely. For example, many Japanese companies have offices at overseas, including the United States of America and European countries. Under such circumstances, it would be natural for those companies to consider it important to connect the intranets composed in their offices to each other via a VPN.
On the other hand, since each ISP generally provides the services only in a specific area, the VPN must be composed over a plurality of ISPs in order to connect the networks (intranets) in those areas through the VPN.
And, if a plurality of ISPs are connected to each other in such a way, an interwork gateway (interwork router) needs to be formed for such connection. In this interwork router, the interwork is realized so as to transfer each of the packets from one of the ISP networks to the other according to the IP header. In addition, a system referred to as an IX (Internet Exchange) is used for connecting both networks to each other so as to realize the interwork among a plurality of networks as described in “Commercial IX”, pp.146-155, Nikkei Communications 1997.12.15. And, this IX may also be used to transfer IP packets among those networks. Such an IX includes some methods that use a “layer 3 forwarding” function for identifying and transferring each of the IP packets, as well as a “layer 2 forwarding” function for transferring each of the IP packets by identifying the header in the lower layer in the ATM (Asynchronous Transfer Mode) communication system, etc.
The present inventors have examined the problems which arise when a VPN is composed over a plurality of ISP networks. At first, packets are encapsulated in order to compose a VPN for the network of each Internet Service Provider. Generally, the encapsulation protocol of each network differs from other networks. In this case, the IP header information of each IP packet is retrieved by the interwork router, thereby determining the route to the destination. In this case, the retrieving must also include a check to determine whether or not the packet is to be transferred to another network. The IP header information is common for both of the networks.
However, the interwork router terminates the protocol of each layer lower than the IP layer at the interface. Therefore, the capsule header given in the previous network so as to compose the VPN is removed in the process of retrieving the IP address, so that information as to the next leg of the route can be determined. After that, a new capsule header must be generated and added to the packet so as to compose the VPN in the next network. Consequently, packets in the VPN are mixed with packets in other networks in the interwork router. And, this might cause a problem that malicious users are able to change the headers to those packets and invade the VPN through the interwork router.
Some companies do not use global addresses, but use private addresses for composing their VPNs. In such a case, once the interwork router removes the capsule header of a packet, the receiving ISP cannot distinguish the packet from others if the packet has the same address as those of other packets. This is because each of a plurality of VPNs use internal addresses uniquely. Consequently, the receiving ISP receiving cannot determine the destination of the packet. If a VPN is composed over a plurality of ISPs on the Internet, therefore, the problem as described above be solved by all means.
In addition, the types of services are not the same among ISPs. As for the communication quality, for example, assume that one ISP uses an ATM VC (Virtual Channel) for forming a communication path, thereby assuring the quality of each VPN and the other ISP uses Diffserv (Differentiated Services) to assure the quality of the communication. If the VPNs composed for both networks are to be connected to each other in such a case, it will be difficult to provide the communication quality on an end-to-end level.
As described above, it is difficult to compose a VPN over a plurality of ISPs on the Internet for practical use.
Under such circumsta
Endo Noboru
Hoshino Kazuyoshi
Sakamoto Ken'ichi
Tanabe Shiro
Wakayama Koji
Antonelli Terry Stout & Kraus LLP
Hitachi , Ltd.
Kizou Hassan
Levitan Dmitry
LandOfFree
VPN composing method, interwork router, packet communication... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with VPN composing method, interwork router, packet communication..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and VPN composing method, interwork router, packet communication... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3166120