CA2468480C - System for converting data based upon ipv4 into data based upon ipv6 to be transmitted over an ip switched network - Google Patents
System for converting data based upon ipv4 into data based upon ipv6 to be transmitted over an ip switched network Download PDFInfo
- Publication number
- CA2468480C CA2468480C CA002468480A CA2468480A CA2468480C CA 2468480 C CA2468480 C CA 2468480C CA 002468480 A CA002468480 A CA 002468480A CA 2468480 A CA2468480 A CA 2468480A CA 2468480 C CA2468480 C CA 2468480C
- Authority
- CA
- Canada
- Prior art keywords
- packet
- protocol
- network
- ipv6
- workstation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/50—Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/251—Translation of Internet protocol [IP] addresses between different IP versions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2557—Translation policies or rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/167—Adaptation for transition between two IP versions, e.g. between IPv4 and IPv6
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/604—Address structures or formats
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
System for converting data packets based upon the IPv4 protocol into data packets based upon the IPv6 protocol to be transmitted over a Virtual Private Network (VPN) in a data transmission system comprising an IP switched network (25) to which are connected a first workstation (20) via a first Provider Edge (PE) device (24) and a second workstation (26) via a second PE device (30), the workstations operating with the IPv4 protocol whereas the IP switched network operates with the IPv6 protocol. this system comprises a first packet builder (22) between the first workstation and the IP switched network for converting any data packet based upon the IPv4 protocol received from the first workstation and transmitted to the IP switched network into the IPv6 protocol and reciprocally, and a second packet builder (28) between the IP switched network and the second workstation for converting any data packet based upon the IPv6 protocol received from the network and transmitted to the second workstation into the IPv4 protocol and reciprocally.
Description
1 SYSTEM FOR CONVERTING DATA BASED UPON IPv4 INTO
2 DATA BASED UPON IPv6 TO BE TRANSMITTED OVER AN IP
3 SWITCHED NETWORK
4 Technical field 7 The present invention generally relates to the 8 transmission of data packets within an IP switched 9 network such as a Multi-Protocol Label Switching (MPLS) network and relates in particular to a 11 system for converting data based upon IPv4 into 12 data based upon IPv6 to be transmitted over such a 13 network.
Background 17 There are more and more Virtual Private Networks 18 (VPNs) being implemented to enable private 19 communications among devices, even if some or all these communications are transmitted over a public 21 network. Most VPNs are built to support as layer 3 22 the IP protocol rules and mainly the IPv4 flavor of 23 the IP protocol.
There is today a problem with the IPv4 protocol, 26 which is raised by the well-known limitation of the 27 address space within IPV4, but also a problem 28 raised by the forwarding rules of IPv4 wherein the 29 routing actions are based on the destination address without any influence due to the source 31 address. Since any IPv4 network can be located 32 anywhere in the world, the routers must maintain a 1 record for every active network. This is not only 2 true for the Internet network, but also for VPNs, 3 intranets and extranets.
The real, long term solution to these problems is a 6 much larger address space, allowing for more 7 addressing structure, less stringent allocation 8 policies and more efficient routing. This is what 9 IPv6 offers, which makes it attractive for backbone usage. The IP scalability and ease of management 11 are some of the objectives of IPv6. But as all the 12 devices are not v6, there is a need to find 13 mechanisms to take advantage of v6 today. In 14 addition, current proposed uses of IPv6 headers are not really associated with the label switching and 16 VPN support capability of protocols like Multi-17 Protocol Label Switching (MPLS).
19 Native use of IPv6 based only on IPv6 address fields is even more complex than IPv4, if route 21 filtering is used to provide connectivity and build 22 VPNs due to the length of the address field on 23 which a lookup should be performed. Such a "route 24 filtering" can be implemented to control route propagation such that certain networks receive 26 routes for other networks within their own 27 community of interest (i.e., VPN).
29 Route filtering is based on the proposition that some network subset of an underlying IP network 31 supporting the VPN (such as the Internet) actually 32 forms the VPN. Routes associated with this network 1 subset are filtered such that they are not 2 announced to any other networks) connected to the 3 network subset forming the VPN. Conversely, no 4 other non-VPN route is announced to the network subset. Route filtering on IPv4 implies that VPNs 6 use different address spaces. IPv6 simplifies this 7 filtering since VPNs are identified in the IP
8 address field but opens a security hole.
For privacy of services on a network-layer, route-11 filtering VPN is implemented by restricting any of 12 the VPN hosts from responding to packets that 13 contain source addresses from outside the VPN. Such 14 restrictions are based on access control lists ("ACLs"), which are tables that tell a device which 16 access rights each user has. That is, an ACL is a 17 list of entries that grant or deny specific access 18 rights to individuals or groups.
Route filtering VPNs, however, have various 21 difficulties associated therewith. For example, 22 such an arrangement can be wrongly configured such 23 that it erroneously accepts packets, which it 24 should not, and/or rejects packets that should be accepted. Another problem with route filtering is 26 that, when implemented behind a gateway or firewall 27 device, subscriber networks can define a router 28 external to the gateway/firewall as the default 29 router, so that users of the VPN behind the gateway/firewall can reach external networks as 31 long as they know the default router address (even 32 if it is not advertised). Additional shortcomings 1 of this technique include administrative mistakes, 2 a static nature of the design and limitations on 3 the security provided. In addition, the complexity 4 for defining and maintaining all the rules is very high, so that the technique does not scale very 6 well or very easily.
8 Various solutions have been put forward to achieve 9 different levels of network privacy when building VPNs across a shared IP backbone. Many of these 11 solutions require separate, per vPN forwarding 12 capabilities, and make use of IP or MPLS-based 13 tunnels across the backbone. Such tunnels add 14 overhead and management complexity especially in tunnel peer devices. Also, within a VPN domain, an 16 instance of routing is used to distribute VPN
17 reachability information among routers. Any routing 18 protocol can be used, and no VPN-related 19 modifications or extensions are needed to the routing protocol for achieving VPN reachability.
22 Regardless of which of the above techniques (or 23 other known techniques) is used to form a vPN, it 24 should be understood that network security is a concern. In fact, network security is a concern in 26 many contexts aside from VPNs, and, in general, 27 increasing use of remote access over public 28 networks and Internet access for inter-business 29 communication are major driving forces behind the evolution of security technology.
1 Many techniques for network security revolve around 2 the use of a firewall, which is generally known as 3 a combination of hardware and software used to 4 implement a security policy governing network
Background 17 There are more and more Virtual Private Networks 18 (VPNs) being implemented to enable private 19 communications among devices, even if some or all these communications are transmitted over a public 21 network. Most VPNs are built to support as layer 3 22 the IP protocol rules and mainly the IPv4 flavor of 23 the IP protocol.
There is today a problem with the IPv4 protocol, 26 which is raised by the well-known limitation of the 27 address space within IPV4, but also a problem 28 raised by the forwarding rules of IPv4 wherein the 29 routing actions are based on the destination address without any influence due to the source 31 address. Since any IPv4 network can be located 32 anywhere in the world, the routers must maintain a 1 record for every active network. This is not only 2 true for the Internet network, but also for VPNs, 3 intranets and extranets.
The real, long term solution to these problems is a 6 much larger address space, allowing for more 7 addressing structure, less stringent allocation 8 policies and more efficient routing. This is what 9 IPv6 offers, which makes it attractive for backbone usage. The IP scalability and ease of management 11 are some of the objectives of IPv6. But as all the 12 devices are not v6, there is a need to find 13 mechanisms to take advantage of v6 today. In 14 addition, current proposed uses of IPv6 headers are not really associated with the label switching and 16 VPN support capability of protocols like Multi-17 Protocol Label Switching (MPLS).
19 Native use of IPv6 based only on IPv6 address fields is even more complex than IPv4, if route 21 filtering is used to provide connectivity and build 22 VPNs due to the length of the address field on 23 which a lookup should be performed. Such a "route 24 filtering" can be implemented to control route propagation such that certain networks receive 26 routes for other networks within their own 27 community of interest (i.e., VPN).
29 Route filtering is based on the proposition that some network subset of an underlying IP network 31 supporting the VPN (such as the Internet) actually 32 forms the VPN. Routes associated with this network 1 subset are filtered such that they are not 2 announced to any other networks) connected to the 3 network subset forming the VPN. Conversely, no 4 other non-VPN route is announced to the network subset. Route filtering on IPv4 implies that VPNs 6 use different address spaces. IPv6 simplifies this 7 filtering since VPNs are identified in the IP
8 address field but opens a security hole.
For privacy of services on a network-layer, route-11 filtering VPN is implemented by restricting any of 12 the VPN hosts from responding to packets that 13 contain source addresses from outside the VPN. Such 14 restrictions are based on access control lists ("ACLs"), which are tables that tell a device which 16 access rights each user has. That is, an ACL is a 17 list of entries that grant or deny specific access 18 rights to individuals or groups.
Route filtering VPNs, however, have various 21 difficulties associated therewith. For example, 22 such an arrangement can be wrongly configured such 23 that it erroneously accepts packets, which it 24 should not, and/or rejects packets that should be accepted. Another problem with route filtering is 26 that, when implemented behind a gateway or firewall 27 device, subscriber networks can define a router 28 external to the gateway/firewall as the default 29 router, so that users of the VPN behind the gateway/firewall can reach external networks as 31 long as they know the default router address (even 32 if it is not advertised). Additional shortcomings 1 of this technique include administrative mistakes, 2 a static nature of the design and limitations on 3 the security provided. In addition, the complexity 4 for defining and maintaining all the rules is very high, so that the technique does not scale very 6 well or very easily.
8 Various solutions have been put forward to achieve 9 different levels of network privacy when building VPNs across a shared IP backbone. Many of these 11 solutions require separate, per vPN forwarding 12 capabilities, and make use of IP or MPLS-based 13 tunnels across the backbone. Such tunnels add 14 overhead and management complexity especially in tunnel peer devices. Also, within a VPN domain, an 16 instance of routing is used to distribute VPN
17 reachability information among routers. Any routing 18 protocol can be used, and no VPN-related 19 modifications or extensions are needed to the routing protocol for achieving VPN reachability.
22 Regardless of which of the above techniques (or 23 other known techniques) is used to form a vPN, it 24 should be understood that network security is a concern. In fact, network security is a concern in 26 many contexts aside from VPNs, and, in general, 27 increasing use of remote access over public 28 networks and Internet access for inter-business 29 communication are major driving forces behind the evolution of security technology.
1 Many techniques for network security revolve around 2 the use of a firewall, which is generally known as 3 a combination of hardware and software used to 4 implement a security policy governing network
5 traffic between two or more networks, some of which
6 being under administrative control (e. g.,
7 organizational networks) and some of which being
8 not under administrative control (e.g., the
9 Internet).
11 Regardless of the routing technique used, the 12 routing mechanism is usually not used to implement 13 security policy. That is, a routing mechanism is 14 often considered too dynamic and unreliable to perform security functions. Routing functions and 16 supporting structures are primarily designed to 17 route packets efficiently and reliably, not 18 securely. Therefore, filtering techniques that can 19 be implemented in connection with operation of a firewall (and/or router) for security purposes 21 exist, and examples of these (as referred to above) 22 are packet filtering, application proxies, and 23 dynamic filtering (stateful inspection). The fields 24 on which filtering is applied should be trusted fields, which cannot be easily the case with IPv4 26 header types. One of such necessary fields is the 27 VPN ID type.
29 Although there are many techniques for implementing and securing individual VPNs, as discussed above, 31 there is an additional need for VPNs which can 32 cross-communicate without sacrificing service to 1 their users, e.g., without reducing the security of 2 transmissions between the two (or more) VPNs or 3 within a particular VPN.
Summary of the invention 7 Accordingly, the main object of the invention is to 8 provide a system for converting the data based upon 9 IPv4 into data based upon IPv6 and transmitting the converted data over an IP switched network, such a 11 system avoiding the above-mentioned problems such 12 as route filtering and improving the network 13 security when building VPNs across a shared IP
14 backbone.
16 The invention relates therefore to a system for 17 converting data packets based upon the IPv4 18 protocol into data packets based upon the IPv6 19 protocol to be transmitted over a multiple Virtual Private Network (VPN) infrastructure in a data 21 transmission system comprising an IP switched 22 network to which are connected a first workstation 23 via a first Provider Edge (PE) device and a second 24 workstation via a second PE device, the workstations operating with the IPv4 protocol 26 whereas the IP switched network operates with the 27 IPv6 protocol. Such a system comprises a first 28 packet builder between the first workstation and 29 the IP switched network for converting any data packet based upon the IPv4 protocol received from 31 the first workstation and transmitted to the IP
32 switched network into the IPv6 protocol and 1 reciprocally, and a second packet builder between 2 the IP switched network and the second workstation 3 for converting any data packet based upon the IPv6 4 protocol received from the network and transmitted to the second workstation into the IPv4 protocol 6 and reciprocally.
8 Brief description of the drawings The above and other objects, features and 11 advantages of the invention will be better 12 understood by reading the following more particular 13 description of the invention in conjunction with 14 the accompanying drawings wherein:
~Fig. 1 represents a first embodiment of a data 16 transmission system implementing the invention;
17 ~Fig. 2A and 2B represent respectively the IPv6 18 aggregatable global unicast address and its 19 modifications for implementing the invention;
~Fig. 3 shows the packet builders according to 21 the invention connected to the information 22 servers by the intermediary of a virtual 23 network;
24 ~Fig. 4 represents a second embodiment of the invention wherein the function of the packet 26 builder is integrated in the PE device; and 27 ~Fig. 5A and 5B represent respectively the 28 change of the data packet structure as it flows 29 from the source to the destination in the first and second embodiments of the invention.
a 1 Detailed description of the invention 3 A system according to the invention is illustrated 4 in Fig. 1. In such a system, two workstations 20 and 26 exchange data through an IP switching 6 network 25. Such a network is, in a preferred 7 embodiment, based upon MPLS (Mufti Protocol Label 8 Switching) protocol which is an IP technology 9 defining PE (Provider Edge) devices which define a physical path across the network for each customer 11 flow, such a path being defined as a set of labels 12 that are swapped along the path from an ingress PE
13 such as PE1 24 to an egress PE such as PE2 30.
In IP switched network 25, which is preferably a 16 MPLS network as already mentioned, several VPNs are 17 implemented between the edge devices 24 and 30. The 18 environment of the invention is related to how a 19 specific VPN can be established and securely identified using layer 3 mechanisms like the one 21 proposed in IPv6 protocol.
23 It is assumed that the data packets sent by each 24 workstation 20 and 26 are based upon IPv4.
Therefore, the workstations are each connected to 26 an IPv4 network respectively network 21 for 27 workstation 20 and network 27 for workstation 26.
28 The IPv4 data flow sent from workstation 20 is then 29 converted, as described hereunder, by a packet builder PB1 22 into an IPv6 data flow. The packets 31 are forwarded to ingress PE1 24 through an IPv6 32 network 23, and then transmitted through network 25 1 using the label switching if this network is a MPLS
2 network.
4 At the output of network 25, the data packets in IPv6 are received by PE2 30 and transferred to a 6 packet builder PB2 28 through an IPv6 network 29.
7 The packets which have been converted, as described 8 hereunder, from IPv6 to IPv4 are forwarded to 9 workstation ST2 28 through an IPv4 network 27. This data flow is of course reversed for the packets 11 forwarded from workstation 26 to workstation 20.
13 The principle of the invention is to use an IP
14 header which is derived from the IP header proposed by the IETF (Engineering Task Force) in RFCs 2373 16 and 2374 which is illustrated in Fig. 2A. The 17 format of this global aggregatable unicast address 18 is designed to support both the current provider 19 based aggregation and a new type of aggregation used for the exchanges. The combination allows 21 efficient routing aggregation for both sites, which 22 connect directly to the providers. Sites have the 23 choice to connect to either type of aggregation 24 point.
26 Globally, in the address format illustrated in Fig.
27 2A, the first 48 bits are related to the public 28 technology, the next 16 bits are related to the 29 site topology and the remaining 64 bits are related to the interface identifier. The fields are the 31 following:
32 FP Format Prefix (3 bit) for aggregatable 1 global unicast addresses 2 TLA ID Top-Level Aggregation Identifier 3 RES Reserved for future use 4 NLA ID Next-Level Aggregation Identifier 5 SLA ID Site-Level Aggregation Identifier 6 INTERFACE ID Interface Identifier 8 This basic structure is re-used to provide a 9 transparent use of IPv6 mechanisms such as the
11 Regardless of the routing technique used, the 12 routing mechanism is usually not used to implement 13 security policy. That is, a routing mechanism is 14 often considered too dynamic and unreliable to perform security functions. Routing functions and 16 supporting structures are primarily designed to 17 route packets efficiently and reliably, not 18 securely. Therefore, filtering techniques that can 19 be implemented in connection with operation of a firewall (and/or router) for security purposes 21 exist, and examples of these (as referred to above) 22 are packet filtering, application proxies, and 23 dynamic filtering (stateful inspection). The fields 24 on which filtering is applied should be trusted fields, which cannot be easily the case with IPv4 26 header types. One of such necessary fields is the 27 VPN ID type.
29 Although there are many techniques for implementing and securing individual VPNs, as discussed above, 31 there is an additional need for VPNs which can 32 cross-communicate without sacrificing service to 1 their users, e.g., without reducing the security of 2 transmissions between the two (or more) VPNs or 3 within a particular VPN.
Summary of the invention 7 Accordingly, the main object of the invention is to 8 provide a system for converting the data based upon 9 IPv4 into data based upon IPv6 and transmitting the converted data over an IP switched network, such a 11 system avoiding the above-mentioned problems such 12 as route filtering and improving the network 13 security when building VPNs across a shared IP
14 backbone.
16 The invention relates therefore to a system for 17 converting data packets based upon the IPv4 18 protocol into data packets based upon the IPv6 19 protocol to be transmitted over a multiple Virtual Private Network (VPN) infrastructure in a data 21 transmission system comprising an IP switched 22 network to which are connected a first workstation 23 via a first Provider Edge (PE) device and a second 24 workstation via a second PE device, the workstations operating with the IPv4 protocol 26 whereas the IP switched network operates with the 27 IPv6 protocol. Such a system comprises a first 28 packet builder between the first workstation and 29 the IP switched network for converting any data packet based upon the IPv4 protocol received from 31 the first workstation and transmitted to the IP
32 switched network into the IPv6 protocol and 1 reciprocally, and a second packet builder between 2 the IP switched network and the second workstation 3 for converting any data packet based upon the IPv6 4 protocol received from the network and transmitted to the second workstation into the IPv4 protocol 6 and reciprocally.
8 Brief description of the drawings The above and other objects, features and 11 advantages of the invention will be better 12 understood by reading the following more particular 13 description of the invention in conjunction with 14 the accompanying drawings wherein:
~Fig. 1 represents a first embodiment of a data 16 transmission system implementing the invention;
17 ~Fig. 2A and 2B represent respectively the IPv6 18 aggregatable global unicast address and its 19 modifications for implementing the invention;
~Fig. 3 shows the packet builders according to 21 the invention connected to the information 22 servers by the intermediary of a virtual 23 network;
24 ~Fig. 4 represents a second embodiment of the invention wherein the function of the packet 26 builder is integrated in the PE device; and 27 ~Fig. 5A and 5B represent respectively the 28 change of the data packet structure as it flows 29 from the source to the destination in the first and second embodiments of the invention.
a 1 Detailed description of the invention 3 A system according to the invention is illustrated 4 in Fig. 1. In such a system, two workstations 20 and 26 exchange data through an IP switching 6 network 25. Such a network is, in a preferred 7 embodiment, based upon MPLS (Mufti Protocol Label 8 Switching) protocol which is an IP technology 9 defining PE (Provider Edge) devices which define a physical path across the network for each customer 11 flow, such a path being defined as a set of labels 12 that are swapped along the path from an ingress PE
13 such as PE1 24 to an egress PE such as PE2 30.
In IP switched network 25, which is preferably a 16 MPLS network as already mentioned, several VPNs are 17 implemented between the edge devices 24 and 30. The 18 environment of the invention is related to how a 19 specific VPN can be established and securely identified using layer 3 mechanisms like the one 21 proposed in IPv6 protocol.
23 It is assumed that the data packets sent by each 24 workstation 20 and 26 are based upon IPv4.
Therefore, the workstations are each connected to 26 an IPv4 network respectively network 21 for 27 workstation 20 and network 27 for workstation 26.
28 The IPv4 data flow sent from workstation 20 is then 29 converted, as described hereunder, by a packet builder PB1 22 into an IPv6 data flow. The packets 31 are forwarded to ingress PE1 24 through an IPv6 32 network 23, and then transmitted through network 25 1 using the label switching if this network is a MPLS
2 network.
4 At the output of network 25, the data packets in IPv6 are received by PE2 30 and transferred to a 6 packet builder PB2 28 through an IPv6 network 29.
7 The packets which have been converted, as described 8 hereunder, from IPv6 to IPv4 are forwarded to 9 workstation ST2 28 through an IPv4 network 27. This data flow is of course reversed for the packets 11 forwarded from workstation 26 to workstation 20.
13 The principle of the invention is to use an IP
14 header which is derived from the IP header proposed by the IETF (Engineering Task Force) in RFCs 2373 16 and 2374 which is illustrated in Fig. 2A. The 17 format of this global aggregatable unicast address 18 is designed to support both the current provider 19 based aggregation and a new type of aggregation used for the exchanges. The combination allows 21 efficient routing aggregation for both sites, which 22 connect directly to the providers. Sites have the 23 choice to connect to either type of aggregation 24 point.
26 Globally, in the address format illustrated in Fig.
27 2A, the first 48 bits are related to the public 28 technology, the next 16 bits are related to the 29 site topology and the remaining 64 bits are related to the interface identifier. The fields are the 31 following:
32 FP Format Prefix (3 bit) for aggregatable 1 global unicast addresses 2 TLA ID Top-Level Aggregation Identifier 3 RES Reserved for future use 4 NLA ID Next-Level Aggregation Identifier 5 SLA ID Site-Level Aggregation Identifier 6 INTERFACE ID Interface Identifier 8 This basic structure is re-used to provide a 9 transparent use of IPv6 mechanisms such as the
10 address lookup (longest prefix match).
11 Unfortunately, the mechanism used to build the IPv6
12 format from the IPv4 format is static and manually
13 set in the edge devices.
14 It is why the invention relates to a new Ipv6 16 format, illustrated in Fig. 2B, wherein the fields 17 are the following:
18 ~ The provider ID (e. g., AT&T), 19 ~ The PE field including the number on the PE
device attached to the IP switched network 21 (e.g., 24 or 30). The way the PE field is 22 defined is also part of the proposal and 23 includes several methods: known active 24 topology provided by network management tools, discovery at IP level: Traceroute +
26 PE database with dynamic or regular update 27 techniques, given by MPLS tools, forced or 28 predefined, 29 ~ The VPN ID which may be subdivided into areas to provide a hierarchical VPN
31 structure, 1 ~ Location ID which is the geographic 2 location of the site, 3 ~ Host ID which refers to the device that 4 uses the corresponding IPv4 address. The host may be a server, a client, a router, a 6 firewall. Different rules may then be 7 applied. In the preferred embodiment, it is 8 the MAC address if this MAC address can be 9 discovered and checked. It provides a unique identification which gives a 11 supplementary privacy information. Host ID
12 on the IPv6 address field may either 13 contain the MAC address corresponding to 14 the IPv4 address or just an equivalent ID
and the correspondence between them is just 16 maintained locally.
17 ~ IPv4 address (source or destination) which 18 is present in the incoming packet.
The major advantage of the invention is to simplify 21 the label distribution and management for VPN (MPLS
22 VPN) since the destination PE is included in the 23 destination address field of the new IPv6 header. A
24 VPN Label per flow may be used instead of flow aggregation into labels insofar as there is no 26 longer a need for a dual label implementation like 27 what is done in a MPLS VPN. Using this method, a 28 packet entering the MPLS network 25, for example on 29 PE1, directly provides in its IPv6 header the destination PE such as PE2. No need for special 1 path identification is required if PE1 knows how to 2 reach PE2.
4 Finally, for routing in the IP switched network, only the MSB bytes of the address field are used 6 while on the access only the LSB bytes are used.
7 This simplifies the address lookup mechanism even 8 at PE level, which was one of the drawbacks of IPv6 9 since, normally, a 128 bit address lookup is required. Current PEs supporting IPv6 as input 11 protocol may be used but may also be improved in 12 identifying the sub-fields in the MSB part of the 13 IPv6 address field in order to directly use the PE
14 address for routing packets.
16 The MPLS network does not need to implement any 17 additional VPN feature such as MPLS VPN as the 18 privacy is insured by the IPv6 header which 19 contains the VPN ID. As this field is not set by the user but by the Packet Builder device PB1 or 21 PB2, there is no risk to have spoofing from user 22 defined IPv6 flows. This is a security improvement 23 that is worth using even for native IPv6 incoming 24 flows. All secure fields should be validated, added or replaced at the ingress node of the network.
26 Such fields include Provider field, PE field, VPN
27 ID field, LOCATION ID field and HOST ID field if it 28 is used also for filtering. When an IPv6 packet is 29 received, it may be analyzed to verify that its header structure matches the local rules, which 31 prevents such an IPv6 spoofing. If it doesn't 32 match, depending on fields and rules, it may be 1 either modified or discarded. If modified, a swap 2 table is built to rebuild the original address 3 field for incoming packets from the network such as 4 a stateful mechanism. It works, in that case, like an IPv6 NAT to convert IPv6 flows that do not match 6 the proposed rules transparently. Such a conversion 7 is performed in PB devices.
9 The invention improves the routing scalability. The network management of such an implementation is 11 simpler since the IP header contains all the 12 necessary fields to manage a flow, which is not the 13 case today with IPv4 on one side and MPLS on the 14 other side. It also provides an increased security.
16 As far as MPLS is concerned, current vendor and 17 standard bodies are working on IPv6 through MPLS
18 called 6PE, which reuses v4 MPLS VPN mechanisms.
19 The invention consists in replacing v4 based MPLS
and BGP mechanisms by native v6 mechanisms but it 21 is still compatible with 6PE solution as an 22 intermediate implementation. The advantage of 23 introducing MPLS VPN knowledge in the IPv6 header 24 is to converge into a single transmission element that has all the necessary information at any point 26 in the network. MPLS to MPLS inter-working will 27 also become easier to implement and manage in a 28 more secure way insofar as the IPv6 header will 29 contain the necessary crossover information and no need to bridge at the label level is required.
1 For implementing the invention, it is necessary to 2 use servers that will give the value of each field 3 for the source and destination addresses in a 4 secure way. These servers include DNS, Whois, Route reflectors and also Certificate Authority since the 6 IPv6 address has to be securely given. Fig. 3 7 represents the logical connections of packet 8 builders 22 or 28 to such server devices 31 to 37 9 by means of a virtual network 39 which can be IPv4 network 21 or 27, IPv6 network 23 or 29, the MPLS
11 network 25, or any other network connected to one 12 of these networks or directly connected to the 13 packet builder.
The IPv6 source or destination address 16 reconstitution is a method for building IPv6 17 packets using IPv4 packets.
18 ~ Inverse DNS lookup on DNS server 31 and Whois 19 lookup on server 32 are used to identify the location of the destination device and the 21 owner (ISP / customer). Both are used to set 22 the LOC ID field and the VPN ID field.
23 ~ Certificate request on Certificate Authority 24 (CA) server 33 is used to validate source and / or destination IP addresses IPv4 and HOST ID
26 for security purposes. It may be used in 27 addition or as a replacement of DNS and Whois 28 servers.
29 A Directory server 34 contains the allowed subnets and authorized HOST IDs but not using 31 certificates as an alternate method for 1 Certificate use. This server or the CA may 2 also provide the VPN ID if more than one VPN
3 is supported on an interface. Otherwise, the 4 VPN ID may be defined just by the interface 5 using a one to one mapping static table as it 6 is done today with one physical or logical 7 (generally a virtual circuit) corresponding to 8 a single VPN.
9 ~ A Route Reflector RR 35 provides the PE field 10 value for the destination address. The source 11 address is filled with the locally attached PE
12 identification field. RR solves the routing 13 over the IP switching infrastructure using any 14 kind of routing techniques which allows to
18 ~ The provider ID (e. g., AT&T), 19 ~ The PE field including the number on the PE
device attached to the IP switched network 21 (e.g., 24 or 30). The way the PE field is 22 defined is also part of the proposal and 23 includes several methods: known active 24 topology provided by network management tools, discovery at IP level: Traceroute +
26 PE database with dynamic or regular update 27 techniques, given by MPLS tools, forced or 28 predefined, 29 ~ The VPN ID which may be subdivided into areas to provide a hierarchical VPN
31 structure, 1 ~ Location ID which is the geographic 2 location of the site, 3 ~ Host ID which refers to the device that 4 uses the corresponding IPv4 address. The host may be a server, a client, a router, a 6 firewall. Different rules may then be 7 applied. In the preferred embodiment, it is 8 the MAC address if this MAC address can be 9 discovered and checked. It provides a unique identification which gives a 11 supplementary privacy information. Host ID
12 on the IPv6 address field may either 13 contain the MAC address corresponding to 14 the IPv4 address or just an equivalent ID
and the correspondence between them is just 16 maintained locally.
17 ~ IPv4 address (source or destination) which 18 is present in the incoming packet.
The major advantage of the invention is to simplify 21 the label distribution and management for VPN (MPLS
22 VPN) since the destination PE is included in the 23 destination address field of the new IPv6 header. A
24 VPN Label per flow may be used instead of flow aggregation into labels insofar as there is no 26 longer a need for a dual label implementation like 27 what is done in a MPLS VPN. Using this method, a 28 packet entering the MPLS network 25, for example on 29 PE1, directly provides in its IPv6 header the destination PE such as PE2. No need for special 1 path identification is required if PE1 knows how to 2 reach PE2.
4 Finally, for routing in the IP switched network, only the MSB bytes of the address field are used 6 while on the access only the LSB bytes are used.
7 This simplifies the address lookup mechanism even 8 at PE level, which was one of the drawbacks of IPv6 9 since, normally, a 128 bit address lookup is required. Current PEs supporting IPv6 as input 11 protocol may be used but may also be improved in 12 identifying the sub-fields in the MSB part of the 13 IPv6 address field in order to directly use the PE
14 address for routing packets.
16 The MPLS network does not need to implement any 17 additional VPN feature such as MPLS VPN as the 18 privacy is insured by the IPv6 header which 19 contains the VPN ID. As this field is not set by the user but by the Packet Builder device PB1 or 21 PB2, there is no risk to have spoofing from user 22 defined IPv6 flows. This is a security improvement 23 that is worth using even for native IPv6 incoming 24 flows. All secure fields should be validated, added or replaced at the ingress node of the network.
26 Such fields include Provider field, PE field, VPN
27 ID field, LOCATION ID field and HOST ID field if it 28 is used also for filtering. When an IPv6 packet is 29 received, it may be analyzed to verify that its header structure matches the local rules, which 31 prevents such an IPv6 spoofing. If it doesn't 32 match, depending on fields and rules, it may be 1 either modified or discarded. If modified, a swap 2 table is built to rebuild the original address 3 field for incoming packets from the network such as 4 a stateful mechanism. It works, in that case, like an IPv6 NAT to convert IPv6 flows that do not match 6 the proposed rules transparently. Such a conversion 7 is performed in PB devices.
9 The invention improves the routing scalability. The network management of such an implementation is 11 simpler since the IP header contains all the 12 necessary fields to manage a flow, which is not the 13 case today with IPv4 on one side and MPLS on the 14 other side. It also provides an increased security.
16 As far as MPLS is concerned, current vendor and 17 standard bodies are working on IPv6 through MPLS
18 called 6PE, which reuses v4 MPLS VPN mechanisms.
19 The invention consists in replacing v4 based MPLS
and BGP mechanisms by native v6 mechanisms but it 21 is still compatible with 6PE solution as an 22 intermediate implementation. The advantage of 23 introducing MPLS VPN knowledge in the IPv6 header 24 is to converge into a single transmission element that has all the necessary information at any point 26 in the network. MPLS to MPLS inter-working will 27 also become easier to implement and manage in a 28 more secure way insofar as the IPv6 header will 29 contain the necessary crossover information and no need to bridge at the label level is required.
1 For implementing the invention, it is necessary to 2 use servers that will give the value of each field 3 for the source and destination addresses in a 4 secure way. These servers include DNS, Whois, Route reflectors and also Certificate Authority since the 6 IPv6 address has to be securely given. Fig. 3 7 represents the logical connections of packet 8 builders 22 or 28 to such server devices 31 to 37 9 by means of a virtual network 39 which can be IPv4 network 21 or 27, IPv6 network 23 or 29, the MPLS
11 network 25, or any other network connected to one 12 of these networks or directly connected to the 13 packet builder.
The IPv6 source or destination address 16 reconstitution is a method for building IPv6 17 packets using IPv4 packets.
18 ~ Inverse DNS lookup on DNS server 31 and Whois 19 lookup on server 32 are used to identify the location of the destination device and the 21 owner (ISP / customer). Both are used to set 22 the LOC ID field and the VPN ID field.
23 ~ Certificate request on Certificate Authority 24 (CA) server 33 is used to validate source and / or destination IP addresses IPv4 and HOST ID
26 for security purposes. It may be used in 27 addition or as a replacement of DNS and Whois 28 servers.
29 A Directory server 34 contains the allowed subnets and authorized HOST IDs but not using 31 certificates as an alternate method for 1 Certificate use. This server or the CA may 2 also provide the VPN ID if more than one VPN
3 is supported on an interface. Otherwise, the 4 VPN ID may be defined just by the interface 5 using a one to one mapping static table as it 6 is done today with one physical or logical 7 (generally a virtual circuit) corresponding to 8 a single VPN.
9 ~ A Route Reflector RR 35 provides the PE field 10 value for the destination address. The source 11 address is filled with the locally attached PE
12 identification field. RR solves the routing 13 over the IP switching infrastructure using any 14 kind of routing techniques which allows to
15 provide routing for VPN groups or type of
16 flows.
17 ~ A network management tool NM 36 provides
18 filtering rules that can be dynamically
19 applied if necessary. PB is the right place to put filtering rules at the network ingress 21 point in order to avoid spoofing, for example.
22 NM can easily identify attacks on the 23 destination network and find from which 24 ingress point these packets are sent and take appropriate measures.
26 ~ An ARP proxy AP 37 provides the MAC address of 27 the sending device if this function is used 28 for improved security and device 29 identification. In some cases, the proxy can just be the default access router when no 31 other routers are in between. In that case, 1 such a router should have been enabled to 2 answer t o ARP requests. The MAC address may 3 also be pre-stored in DNS or Directory Server 4 or in a Certificate. The advantage of ARP
proxy or ARP request to default router is that 6 the MAC address is dynamically validated 7 against the source IP address of the flow.
So, 8 for example, a known MAC address may be 9 granted even if it is not connected on the regular LAN network. An unknown MAC address 11 from all servers may be forbidden to connect 12 to some networks as another example of rule.
14 The IPv6 fields to be filled this way include the source address and the destination address. The 16 figure shows an implementation where both PB
17 devices have access to all servers in order to get 18 information for both source and destination address 19 fields. An alternate implementation is for the local Route Reflector to provide the IP address of 21 the destination Packet builder (like PB2) when PE2 22 is given as the destination in order for PB1 to get 23 destination information directly from PB2 and not 24 from the servers. The advantage of such an implementation is the performance since each Packet 26 builder device maintains a list of all locally 27 accessible devices with associated parameters.
28 Thus, in one call to the remote PB, all information 29 may be provided. If the remote PB doesn't have this device in its cache, it will join the servers to 31 get it. This analysis is only done once per flow 32 (on the first packet) and the level of analysis 1 performed may depend on the network on which the 2 packet should be sent to. In fact, it is less than 3 once per flow insofar as only the source part (or 4 the destination part if new) is processed and information is kept in a cache, which minimizes 6 performance impact of such an implementation.
8 According to another embodiment, the packet builder 9 is integrated in the PE device as illustrated in Fig. 4. In such a case, there is of course no IPv6 11 network as in the general embodiment illustrated in 12 Fig. 1. Instead, the packet builder and the PE
13 device constitute a single block, that is the block 14 V6 PE1 41 replacing PB1 22 and PEl 24 and the block V6 PE2 replacing PB2 28 and PE2 30.
17 This proposed implementation is also used to 18 perform the function on the PE itself, which is 19 more efficient since the PE field of the address can directly be used by the PE for forwarding on 21 the MPLS core without additional path discovery and 22 additional level of Label like on MPLS VPN. In 23 fact, a label may be used as a compressed header 24 instead of transmitting the full IPv6 header, which means one label by transmission flow. The 26 transmission of both (label followed by a full IPv6 27 header) would be redundant but possible. Several 28 compatible implementations may be used in the core 29 for packet transmission using IP switching labels.
The need is to recover at the egress PE or PB the 31 original IPv6 header on each packet.
1 The change of the data packet as it flows from the 2 sending workstation to the receiving workstation is 3 illustrated in Fig. 5A. In workstation 20, the data 4 packet is a standard IPv4 packet format with an IPv4 header and a data payload. The packet is sent 6 to PB1 device at step 61. The packet builder 7 validates the IPv4 header fields and finds, thanks 8 to the servers defined in Fig. 3, the value for the 9 fields used to build the corresponding IPv6 header.
It mainly includes the IPv6 destination address and 11 the IPv6 source address. PB1 can perform additional 12 filtering if defined.
14 The new packet is forwarded to PEl at step 62. PE1 identifies the destination PE and forwards the 16 packet to PE2 at step 63. PE1 can add a label such 17 as a MPLS label for improving the packet switching 18 in the core. PE2 receives the packet and removes 19 the switching label if present. It then forwards the packet to PB2 at step 64 which first can again 21 perform filtering and then remove the IPv6 header 22 and easily rebuild the IPv4 packet insofar as the 23 IPv6 packet header contains all the necessary 24 fields. This IPv4 packet is then forwarded to the destination workstation 26 on step 65.
27 It should be noted that this process seems complex 28 but in fact needs to be fully performed only once 29 especially on PBl and PB2. Further packets of the same flow may just need header fields swapping 31 using the same field values. Therefore a swap table 1 can be implemented on Packet Builders to speed up 2 the processing of swapping headers.
4 Rebuilding or adding packets checksums and rebuilding other IPv4 header fields are not 6 detailed here insofar as these functions may be 7 done using standard rules and translation 8 mechanisms such as RFC2766 or other IETF RFCs or 9 drafts.
11 If the second embodiment wherein the function of 12 the packet builder is integrated in the PE device 13 is used, the flow of the data packet (and the 14 structure change) as illustrated in Fig. 5B is simplified but very similar to the data flow of the 16 general embodiment.
22 NM can easily identify attacks on the 23 destination network and find from which 24 ingress point these packets are sent and take appropriate measures.
26 ~ An ARP proxy AP 37 provides the MAC address of 27 the sending device if this function is used 28 for improved security and device 29 identification. In some cases, the proxy can just be the default access router when no 31 other routers are in between. In that case, 1 such a router should have been enabled to 2 answer t o ARP requests. The MAC address may 3 also be pre-stored in DNS or Directory Server 4 or in a Certificate. The advantage of ARP
proxy or ARP request to default router is that 6 the MAC address is dynamically validated 7 against the source IP address of the flow.
So, 8 for example, a known MAC address may be 9 granted even if it is not connected on the regular LAN network. An unknown MAC address 11 from all servers may be forbidden to connect 12 to some networks as another example of rule.
14 The IPv6 fields to be filled this way include the source address and the destination address. The 16 figure shows an implementation where both PB
17 devices have access to all servers in order to get 18 information for both source and destination address 19 fields. An alternate implementation is for the local Route Reflector to provide the IP address of 21 the destination Packet builder (like PB2) when PE2 22 is given as the destination in order for PB1 to get 23 destination information directly from PB2 and not 24 from the servers. The advantage of such an implementation is the performance since each Packet 26 builder device maintains a list of all locally 27 accessible devices with associated parameters.
28 Thus, in one call to the remote PB, all information 29 may be provided. If the remote PB doesn't have this device in its cache, it will join the servers to 31 get it. This analysis is only done once per flow 32 (on the first packet) and the level of analysis 1 performed may depend on the network on which the 2 packet should be sent to. In fact, it is less than 3 once per flow insofar as only the source part (or 4 the destination part if new) is processed and information is kept in a cache, which minimizes 6 performance impact of such an implementation.
8 According to another embodiment, the packet builder 9 is integrated in the PE device as illustrated in Fig. 4. In such a case, there is of course no IPv6 11 network as in the general embodiment illustrated in 12 Fig. 1. Instead, the packet builder and the PE
13 device constitute a single block, that is the block 14 V6 PE1 41 replacing PB1 22 and PEl 24 and the block V6 PE2 replacing PB2 28 and PE2 30.
17 This proposed implementation is also used to 18 perform the function on the PE itself, which is 19 more efficient since the PE field of the address can directly be used by the PE for forwarding on 21 the MPLS core without additional path discovery and 22 additional level of Label like on MPLS VPN. In 23 fact, a label may be used as a compressed header 24 instead of transmitting the full IPv6 header, which means one label by transmission flow. The 26 transmission of both (label followed by a full IPv6 27 header) would be redundant but possible. Several 28 compatible implementations may be used in the core 29 for packet transmission using IP switching labels.
The need is to recover at the egress PE or PB the 31 original IPv6 header on each packet.
1 The change of the data packet as it flows from the 2 sending workstation to the receiving workstation is 3 illustrated in Fig. 5A. In workstation 20, the data 4 packet is a standard IPv4 packet format with an IPv4 header and a data payload. The packet is sent 6 to PB1 device at step 61. The packet builder 7 validates the IPv4 header fields and finds, thanks 8 to the servers defined in Fig. 3, the value for the 9 fields used to build the corresponding IPv6 header.
It mainly includes the IPv6 destination address and 11 the IPv6 source address. PB1 can perform additional 12 filtering if defined.
14 The new packet is forwarded to PEl at step 62. PE1 identifies the destination PE and forwards the 16 packet to PE2 at step 63. PE1 can add a label such 17 as a MPLS label for improving the packet switching 18 in the core. PE2 receives the packet and removes 19 the switching label if present. It then forwards the packet to PB2 at step 64 which first can again 21 perform filtering and then remove the IPv6 header 22 and easily rebuild the IPv4 packet insofar as the 23 IPv6 packet header contains all the necessary 24 fields. This IPv4 packet is then forwarded to the destination workstation 26 on step 65.
27 It should be noted that this process seems complex 28 but in fact needs to be fully performed only once 29 especially on PBl and PB2. Further packets of the same flow may just need header fields swapping 31 using the same field values. Therefore a swap table 1 can be implemented on Packet Builders to speed up 2 the processing of swapping headers.
4 Rebuilding or adding packets checksums and rebuilding other IPv4 header fields are not 6 detailed here insofar as these functions may be 7 done using standard rules and translation 8 mechanisms such as RFC2766 or other IETF RFCs or 9 drafts.
11 If the second embodiment wherein the function of 12 the packet builder is integrated in the PE device 13 is used, the flow of the data packet (and the 14 structure change) as illustrated in Fig. 5B is simplified but very similar to the data flow of the 16 general embodiment.
Claims
2 1. System for converting data packets based upon 3 the IPv4 protocol into data packets based upon the 4 IPv6 protocol to be transmitted over a multiple Virtual Private Network (VPN) infrastructure in a 6 data transmission system comprising an IP switched 7 network (25) to which are connected a first 8 workstation (20) via a first Provider Edge (PE) 9 device (24) and a second workstation (26) via a second PE device (30), said workstations operating 11 with the IPv4 protocol whereas said IP switched 12 network operates with the IPv6 protocol;
13 said system being characterized in that it 14 comprises a first packet builder (22) between said first workstation and said IP switched network for 16 converting any data packet based upon the IPv4 17 protocol received from said first workstation and 18 transmitted to said IP switched network into the 19 IPv6 protocol and reciprocally, and a second packet builder (28) between said IP switched network and 21 said second workstation for converting any data 22 packet based upon the IPv6 protocol received from 23 said network and transmitted to said second 24 workstation into the IPv4 protocol and reciprocally; and 26 said system further comprising at least a 27 server (31 to 37) accessed by each of said first 28 packet builder (22) or said second packet builder 29 (28) for providing thereto the information used to convert a data packet based upon the IPv4 protocol 31 into a data packet based upon the IPv6 protocol, 32 wherein any data packet which has been converted 33 into the IPvG protocol by one of said first packet 34 builder (22) or said second packet builder (28) 1 includes a packet header containing a PE field 2 corresponding to the first PE device (24) or the 3 second PE device (30) to be used either as source 4 PE or destination PE and a VPN identification field further to an IPv4 address which was in said 6 packet header before the conversion.
7 2. System according to claim 1, wherein any data 8 packet which has been converted into the IPv6 9 protocol by one of said packet builders (22, 28) further includes a location (LOC) identification 11 field referring to a geographic location of a site 12 and a HOST identification field referring to the 13 first workstation (20) or the second workstation 14 (26) that has transmitted said data packet.
3. System according to claim 1, wherein the 16 server (31 to 37) providing the information used 17 to convert the data packet based upon the IPv4 18 protocol into the data packet based upon the IPv6 19 protocol can be accessed by each of said first and second packet builders through a virtual network 21 (39).
22 4. System according to claim 3, wherein said 23 server can be one of several servers among a Domain 24 Name Server (31), a Whois server (32), a Certificate Authority server (33), a Directory 26 server (34), a Route Reflector (35), a Network 27 Management tool (36) and a Proxy (37).
28 5. System according to claim 1, wherein said 29 first packet builder (22) or said second packet builder (28) is connected to said first PE device 31 (24) or said second PE device (30) by a network 32 based upon the IPv6 protocol (23 or 29).
1 6. System according to claim 1, wherein said 2 first packet builder (22) or said second packet 3 builder (28) is integrated into said first PE device 4 (24) or said second PE device (30).
7. Method for converting data packets based upon 6 the IPv4 protocol into data packets based upon the 7 IPv6 protocol to be transmitted over a Virtual 8 Private Network (VPN) in a data transmission 9 system comprising an IP switched network (25) to which are connected a first workstation (20) via a 11 first Provider Edge (PE) device (24) and a second 12 workstation (26) via a second PE device (30), said 13 workstations operating with the IPv4 protocol 14 whereas said IP switched network operates with the IPv6 protocol, 16 said method being characterized by the steps 17 comprising:
18 - converting any data packet based upon 19 the IPv4 protocol into a data packet based upon the IPv6 protocol before transmitting it 21 to said IP switched network using information 22 provided by an external server, and 23 - converting any data packet based upon 24 the IPv6 protocol provided by said IP
switched network into a data packet based 26 upon the IPv4 protocol before transmitting it 27 to said first or second workstation, wherein 28 any data packet which has been converted into 29 the IPv6 protocol by one of said first packet builder (22) or said second packet builder 31 (28) includes a packet header containing a PE
32 field corresponding to the first PE device 33 (24) or the second PE device (30) to be used either as source PE or destination PE and a VPN identification field further to an IPv4 address which was in said packet header before the conversion.
8. Method according to claim 7, wherein any data packet which has been converted into the IPv6 protocol by one of said packet builders (22, 28) further includes a location (LOC) identification field referring to a geographic location of a site and a HOST identification field referring to the first workstation (20) or the second workstation (26) that has transmitted said data packet.
9. Method according to claim 8, wherein a server providing information for said conversion is one of several servers comprising a Domain Name Server (31), a Whois server (32), a Certificate Authority server (33), a Directory server (34), a Route Reflector (35), a Network Management tool (36) and a Proxy (37).
13 said system being characterized in that it 14 comprises a first packet builder (22) between said first workstation and said IP switched network for 16 converting any data packet based upon the IPv4 17 protocol received from said first workstation and 18 transmitted to said IP switched network into the 19 IPv6 protocol and reciprocally, and a second packet builder (28) between said IP switched network and 21 said second workstation for converting any data 22 packet based upon the IPv6 protocol received from 23 said network and transmitted to said second 24 workstation into the IPv4 protocol and reciprocally; and 26 said system further comprising at least a 27 server (31 to 37) accessed by each of said first 28 packet builder (22) or said second packet builder 29 (28) for providing thereto the information used to convert a data packet based upon the IPv4 protocol 31 into a data packet based upon the IPv6 protocol, 32 wherein any data packet which has been converted 33 into the IPvG protocol by one of said first packet 34 builder (22) or said second packet builder (28) 1 includes a packet header containing a PE field 2 corresponding to the first PE device (24) or the 3 second PE device (30) to be used either as source 4 PE or destination PE and a VPN identification field further to an IPv4 address which was in said 6 packet header before the conversion.
7 2. System according to claim 1, wherein any data 8 packet which has been converted into the IPv6 9 protocol by one of said packet builders (22, 28) further includes a location (LOC) identification 11 field referring to a geographic location of a site 12 and a HOST identification field referring to the 13 first workstation (20) or the second workstation 14 (26) that has transmitted said data packet.
3. System according to claim 1, wherein the 16 server (31 to 37) providing the information used 17 to convert the data packet based upon the IPv4 18 protocol into the data packet based upon the IPv6 19 protocol can be accessed by each of said first and second packet builders through a virtual network 21 (39).
22 4. System according to claim 3, wherein said 23 server can be one of several servers among a Domain 24 Name Server (31), a Whois server (32), a Certificate Authority server (33), a Directory 26 server (34), a Route Reflector (35), a Network 27 Management tool (36) and a Proxy (37).
28 5. System according to claim 1, wherein said 29 first packet builder (22) or said second packet builder (28) is connected to said first PE device 31 (24) or said second PE device (30) by a network 32 based upon the IPv6 protocol (23 or 29).
1 6. System according to claim 1, wherein said 2 first packet builder (22) or said second packet 3 builder (28) is integrated into said first PE device 4 (24) or said second PE device (30).
7. Method for converting data packets based upon 6 the IPv4 protocol into data packets based upon the 7 IPv6 protocol to be transmitted over a Virtual 8 Private Network (VPN) in a data transmission 9 system comprising an IP switched network (25) to which are connected a first workstation (20) via a 11 first Provider Edge (PE) device (24) and a second 12 workstation (26) via a second PE device (30), said 13 workstations operating with the IPv4 protocol 14 whereas said IP switched network operates with the IPv6 protocol, 16 said method being characterized by the steps 17 comprising:
18 - converting any data packet based upon 19 the IPv4 protocol into a data packet based upon the IPv6 protocol before transmitting it 21 to said IP switched network using information 22 provided by an external server, and 23 - converting any data packet based upon 24 the IPv6 protocol provided by said IP
switched network into a data packet based 26 upon the IPv4 protocol before transmitting it 27 to said first or second workstation, wherein 28 any data packet which has been converted into 29 the IPv6 protocol by one of said first packet builder (22) or said second packet builder 31 (28) includes a packet header containing a PE
32 field corresponding to the first PE device 33 (24) or the second PE device (30) to be used either as source PE or destination PE and a VPN identification field further to an IPv4 address which was in said packet header before the conversion.
8. Method according to claim 7, wherein any data packet which has been converted into the IPv6 protocol by one of said packet builders (22, 28) further includes a location (LOC) identification field referring to a geographic location of a site and a HOST identification field referring to the first workstation (20) or the second workstation (26) that has transmitted said data packet.
9. Method according to claim 8, wherein a server providing information for said conversion is one of several servers comprising a Domain Name Server (31), a Whois server (32), a Certificate Authority server (33), a Directory server (34), a Route Reflector (35), a Network Management tool (36) and a Proxy (37).
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR0306308A FR2855697B1 (en) | 2003-05-26 | 2003-05-26 | IPv4-BASED DATA CONVERSION SYSTEM IN IPv6-BASED DATA TO BE TRANSMITTED THROUGH IP-SWITCHED NETWORK |
| FR0306308 | 2003-05-26 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2468480A1 CA2468480A1 (en) | 2004-11-26 |
| CA2468480C true CA2468480C (en) | 2010-01-19 |
Family
ID=33104469
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002468480A Expired - Fee Related CA2468480C (en) | 2003-05-26 | 2004-05-26 | System for converting data based upon ipv4 into data based upon ipv6 to be transmitted over an ip switched network |
Country Status (7)
| Country | Link |
|---|---|
| US (2) | US7369560B2 (en) |
| EP (1) | EP1482678B1 (en) |
| JP (1) | JP2004357292A (en) |
| KR (1) | KR20040101933A (en) |
| CA (1) | CA2468480C (en) |
| DE (1) | DE602004029419D1 (en) |
| FR (1) | FR2855697B1 (en) |
Families Citing this family (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7006526B1 (en) * | 2001-07-31 | 2006-02-28 | Cisco Technology, Inc. | Mechanisms for avoiding problems associated with network address protocol translation |
| CN100407683C (en) * | 2004-12-01 | 2008-07-30 | 华为技术有限公司 | Method for realizing IPv6 network intercommunication based on heteromedium |
| CN100387019C (en) * | 2005-04-04 | 2008-05-07 | 华为技术有限公司 | Method for realizing cross-mixed network multi-protocol tag exchange virtual special network |
| US20060277267A1 (en) * | 2005-05-16 | 2006-12-07 | Simon Lok | Unified memory IP packet processing platform |
| CN100433691C (en) * | 2005-11-02 | 2008-11-12 | 华为技术有限公司 | Routing method of virtual special network |
| CN100414919C (en) * | 2005-11-14 | 2008-08-27 | 华为技术有限公司 | Method for realizing virtual special network of over-muti-autonomous system mixed network |
| JP4706542B2 (en) * | 2006-04-10 | 2011-06-22 | 株式会社日立製作所 | Communication device |
| US8301753B1 (en) | 2006-06-27 | 2012-10-30 | Nosadia Pass Nv, Limited Liability Company | Endpoint activity logging |
| US7668954B1 (en) * | 2006-06-27 | 2010-02-23 | Stephen Waller Melvin | Unique identifier validation |
| US8181227B2 (en) * | 2006-08-29 | 2012-05-15 | Akamai Technologies, Inc. | System and method for client-side authenticaton for secure internet communications |
| US8112803B1 (en) * | 2006-12-22 | 2012-02-07 | Symantec Corporation | IPv6 malicious code blocking system and method |
| US8373698B2 (en) | 2007-05-10 | 2013-02-12 | International Business Machines Corporation | Holographic enterprise network |
| US20080288220A1 (en) * | 2007-05-17 | 2008-11-20 | Dillenberger Donna N | Use of a three-dimensional (3d) data center to share service operations |
| KR101366254B1 (en) * | 2007-08-03 | 2014-02-20 | 삼성전자주식회사 | Method for compressing and restoring IP packets transmitted through broadcast network |
| JP4827868B2 (en) * | 2008-03-11 | 2011-11-30 | 日本電信電話株式会社 | Network connection control system, network connection control program, and network connection control method |
| WO2009151729A1 (en) * | 2008-03-31 | 2009-12-17 | Amazon Technologies, Inc. | Configuring communications between computing nodes |
| US8046480B2 (en) * | 2008-03-31 | 2011-10-25 | Amazon Technologies, Inc. | Embedding overlay virtual network addresses in underlying substrate network addresses |
| US8429739B2 (en) | 2008-03-31 | 2013-04-23 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
| US7995504B2 (en) * | 2008-05-12 | 2011-08-09 | Microsoft Corporation | Locality-based routing table generation |
| KR100948693B1 (en) * | 2008-10-08 | 2010-03-18 | 한국전자통신연구원 | Ip conversion apparatus and method for supporting interoperability between different networks using virtualization platform |
| US8004968B2 (en) * | 2008-12-24 | 2011-08-23 | Cisco Technology, Inc. | Provider edge-controlled redundancy using pseudo link aggregation control protocol |
| JP5328472B2 (en) * | 2009-05-13 | 2013-10-30 | キヤノン株式会社 | Network communication apparatus and method and program |
| US8234377B2 (en) * | 2009-07-22 | 2012-07-31 | Amazon Technologies, Inc. | Dynamically migrating computer networks |
| JP5241665B2 (en) * | 2009-09-28 | 2013-07-17 | 三菱電機株式会社 | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, AND COMMUNICATION METHOD |
| CN102859972A (en) * | 2010-04-26 | 2013-01-02 | 诺基亚公司 | Method and apparatus for synthesized address detection |
| US8683023B1 (en) | 2010-06-30 | 2014-03-25 | Amazon Technologies, Inc. | Managing communications involving external nodes of provided computer networks |
| US8923133B2 (en) * | 2010-12-27 | 2014-12-30 | Symbol Technologies, Inc. | Detection of unauthorized changes to an address resolution protocol cache in a communication network |
| CN102904814B (en) * | 2012-10-19 | 2015-09-16 | 福建星网锐捷网络有限公司 | Data transmission method, source PE, object PE and data transmission system |
| US8937955B2 (en) * | 2012-12-05 | 2015-01-20 | Cisco Technology, Inc. | System and method for scaling IPv6 addresses in a network environment |
| WO2015059690A1 (en) | 2013-10-24 | 2015-04-30 | Yeda Research And Development Co. Ltd. | Polynucleotides encoding brex system polypeptides and methods of using s ame |
| US10326710B1 (en) | 2015-09-02 | 2019-06-18 | Amazon Technologies, Inc. | Propagating access rules on virtual networks in provider network environments |
| US10666536B1 (en) | 2015-12-11 | 2020-05-26 | Expanse, Inc. | Network asset discovery |
| US10257280B2 (en) | 2015-12-28 | 2019-04-09 | Carbonite, Inc. | Systems and methods for remote management of appliances |
| US20180375762A1 (en) * | 2017-06-21 | 2018-12-27 | Microsoft Technology Licensing, Llc | System and method for limiting access to cloud-based resources including transmission between l3 and l7 layers using ipv6 packet with embedded ipv4 addresses and metadata |
| CN112261054B (en) * | 2020-10-23 | 2022-07-15 | 重庆邮电大学 | Ethernet/IP and IPv6 protocol conversion system and method based on application service quality of service |
Family Cites Families (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6580717B1 (en) * | 1996-07-04 | 2003-06-17 | Hitachi, Ltd. | Packet communication method and apparatus and a recording medium storing a packet communication program |
| US6690669B1 (en) * | 1996-11-01 | 2004-02-10 | Hitachi, Ltd. | Communicating method between IPv4 terminal and IPv6 terminal and IPv4-IPv6 converting apparatus |
| US6339595B1 (en) * | 1997-12-23 | 2002-01-15 | Cisco Technology, Inc. | Peer-model support for virtual private networks with potentially overlapping addresses |
| US7369556B1 (en) * | 1997-12-23 | 2008-05-06 | Cisco Technology, Inc. | Router for virtual private network employing tag switching |
| JP3859591B2 (en) * | 2000-06-16 | 2006-12-20 | 富士通株式会社 | Communication device including VPN accommodation function |
| WO2001099457A1 (en) * | 2000-06-20 | 2001-12-27 | Nokia Networks Oy | A method for performing a mobile user terminal route update in a telecommunication network operated based on the internet protocol |
| US6907470B2 (en) * | 2000-06-29 | 2005-06-14 | Hitachi, Ltd. | Communication apparatus for routing or discarding a packet sent from a user terminal |
| JP2002033764A (en) * | 2000-07-14 | 2002-01-31 | Fujitsu Ltd | Communication service providing system, mobile terminal equipment to be used for the same, address server device and router system |
| JP4183379B2 (en) * | 2000-11-27 | 2008-11-19 | 富士通株式会社 | Network and edge router |
| US7136374B1 (en) * | 2001-03-19 | 2006-11-14 | Juniper Networks, Inc. | Transport networks supporting virtual private networks, and configuring such networks |
| JP4236398B2 (en) * | 2001-08-15 | 2009-03-11 | 富士通株式会社 | Communication method, communication system, and communication connection program |
| US20030172177A1 (en) * | 2001-12-06 | 2003-09-11 | Kersley Ian P. | System and method for verifying a device |
| JP4349789B2 (en) * | 2002-11-06 | 2009-10-21 | 富士通株式会社 | Safety judgment device and safety judgment method |
| WO2005045642A2 (en) * | 2003-11-04 | 2005-05-19 | Nexthop Technologies, Inc. | Secure, standards-based communications across a wide-area network |
-
2003
- 2003-05-26 FR FR0306308A patent/FR2855697B1/en not_active Expired - Fee Related
-
2004
- 2004-05-24 JP JP2004153034A patent/JP2004357292A/en active Pending
- 2004-05-24 EP EP04012230A patent/EP1482678B1/en not_active Expired - Fee Related
- 2004-05-24 DE DE602004029419T patent/DE602004029419D1/en active Active
- 2004-05-25 KR KR1020040037368A patent/KR20040101933A/en not_active Application Discontinuation
- 2004-05-25 US US10/852,945 patent/US7369560B2/en active Active
- 2004-05-26 CA CA002468480A patent/CA2468480C/en not_active Expired - Fee Related
-
2008
- 2008-04-11 US US12/101,313 patent/US7920589B2/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| US7369560B2 (en) | 2008-05-06 |
| JP2004357292A (en) | 2004-12-16 |
| EP1482678A1 (en) | 2004-12-01 |
| FR2855697A1 (en) | 2004-12-03 |
| EP1482678B1 (en) | 2010-10-06 |
| CA2468480A1 (en) | 2004-11-26 |
| US7920589B2 (en) | 2011-04-05 |
| FR2855697B1 (en) | 2005-09-23 |
| US20080192771A1 (en) | 2008-08-14 |
| US20050025157A1 (en) | 2005-02-03 |
| DE602004029419D1 (en) | 2010-11-18 |
| KR20040101933A (en) | 2004-12-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2468480C (en) | System for converting data based upon ipv4 into data based upon ipv6 to be transmitted over an ip switched network | |
| Carpenter et al. | Connection of IPv6 domains via IPv4 clouds | |
| Farinacci et al. | The locator/ID separation protocol (LISP) | |
| US8661525B2 (en) | Implementation method and system of virtual private network | |
| US7379465B2 (en) | Tunneling scheme optimized for use in virtual private networks | |
| US7624195B1 (en) | Method and apparatus for distributed network address translation processing | |
| EP2466817A1 (en) | Virtual private network implementation method and system | |
| Atkinson et al. | ILNP: mobility, multi-homing, localised addressing and security through naming | |
| US20040249975A1 (en) | Computer networks | |
| US20020165972A1 (en) | Methods and apparatus for use in reducing traffic over a communication link used by a computer network | |
| US20080046597A1 (en) | Method for Switching Ip Packets Between Client Networks and Ip Provider Networks by Means of an Access Network | |
| Smith et al. | Network security using NAT and NAPT | |
| Farinacci et al. | Rfc 6830: The locator/id separation protocol (lisp) | |
| Steffann et al. | A Comparison of IPv6-over-IPv4 tunnel mechanisms | |
| Atkinson et al. | A proposal for unifying mobility with multi-homing, NAT, & security | |
| Carpenter et al. | RFC3056: Connection of IPv6 Domains via IPv4 Clouds | |
| Cui et al. | State management in IPv4 to IPv6 transition | |
| Albuquerque et al. | Global information grid (GIG) edge network interface architecture | |
| Cisco | IP Addressing Commands | |
| US20230388397A1 (en) | Resolving Overlapping IP Addresses in Multiple Locations | |
| Davies | TCP/IP Fundamentals for Microsoft Windows | |
| Atkinson et al. | Harmonised resilience, security and mobility capability for IP | |
| Gagliano | IPv6 Deployment in Internet Exchange Points (IXPs) | |
| Tian et al. | Network Addressing Architecture | |
| Ford | The Current State and Future Developments of IPv6 Multihoming |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20160526 |