
WO2003007561A1 - Procede d'obtention d'un reseau securise - Google Patents

Procede d'obtention d'un reseau securise (Method for obtaining a secured network)

Info

Publication number: WO2003007561A1
Authority: WO, WIPO (PCT)
Prior art keywords: gateway node, vpn, hub, node, network
Application number: PCT/FI2002/000634
Other languages: English (en)
Inventor: Tatu YLÖNEN
Original Assignee: Ssh Communications Security Corp
Priority date: 2001-07-13 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2002-07-15
Publication date: 2003-01-23
Application filed by Ssh Communications Security Corp
Publication of WO2003007561A1

Classifications

    • H: ELECTRICITY
      • H04: ELECTRIC COMMUNICATION TECHNIQUE
        • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00: Network architectures or network communication protocols for network security
            • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0272: Virtual private networks
            • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • The invention concerns security systems in packet data networks, especially virtual private networks (VPN).
  • VPN: virtual private network.
  • Virtual private networking technology uses encrypted connections over a public data network such as the Internet to form a closed internal network of an organization.
  • VPN technology is typically used to connect regional offices of an organization with each other.
  • VPN technology allows the use of the public Internet for connectivity, avoiding the expensive, dedicated leased lines that were the norm before the development of VPN technology.
  • VPN gateways are used to connect the internal local area networks of a site to a public network.
  • The VPN gateways of the different sites of the organization are configured to form encrypted tunnels between each other.
  • The VPN gateways are arranged to encrypt any data packets from the internal local area network directed to any of the other VPN sites, and to direct the encrypted packets to the VPN gateway of the desired site, which in turn decrypts the packets and delivers them into the local area network at the destination site.
  • When the VPN network is properly configured, it is transparent to the users, all local area networks of the organization appearing as a single network.
  • The VPN gateways typically also act as firewall devices, blocking unauthorized access to the internal network.
  • IPSEC: the IPSec protocol suite.
  • ISP: Internet service provider.
  • DHCP: Dynamic Host Configuration Protocol.
  • RARP: Reverse Address Resolution Protocol.
  • Dial-up lines are very cost effective, but they usually provide dynamic connections with dynamic addresses (using the PPP protocol [PPP], [IPCP]).
  • Wireless technology is also gaining popularity, but many low-cost wireless solutions, such as WLAN technology based on the IEEE 802.11 group of standards, also provide dynamic addresses only.
  • NAT: network address translation.
  • IPv6: IPv6 technology is strongly oriented towards autoconfiguration (see e.g. [RFC2462]) and dynamic address allocation, which makes the ability to operate without a static address even more important. Automatic configuration with dynamic address allocation is becoming even more important as the increasing deployment of wireless local area networking technology increases the use of secure networks within corporations.
  • An object of the invention is to avoid the problems of the prior art solutions.
  • A further object of the invention is to allow any type of Internet connection to be used for connecting VPN gateways to the Internet, bringing considerable cost benefits.
  • A still further object of the invention is to allow automatic configuration of VPN gateways in corporate networks.
  • A first VPN gateway node with a dynamic address is arranged to establish a tunnel to a hub gateway node having a static address.
  • Other network nodes that wish to connect to said first VPN gateway node connect to the hub gateway node, which forwards the traffic to said first VPN gateway node.
  • This allows the actual address of said first VPN gateway node to be unknown to other nodes, since the gateway node is accessible via the static address of the hub gateway node. Therefore, the actual address of said first VPN gateway node can also change without hindering communication with other nodes.
  • The inventive principle allows complicated and large VPN networks to be built easily, allows the use of cheap dial-up links for connecting VPN gateways to the Internet, and allows automatic configuration of VPN gateways.
  • A company can set up one or more hub gateway nodes at the headquarters, and have all smaller regional offices use any mode of connecting to the Internet for their VPN gateways. Further, the inventive functionality allows a site to change its Internet connection provider easily, without the need to change the VPN configuration.
  • The VPN gateway node is not connected to the public Internet.
  • The first VPN gateway node connects to the Internet using the services of an Internet Service Provider (ISP).
  • ISP: Internet Service Provider.
  • The computer system of the ISP assigns an IP address to the first gateway node.
  • The first gateway node opens an IPSec tunnel to the hub gateway node assigned to it.
  • The identification of the hub gateway node, i.e.
  • The hub gateway node is able to receive any communications intended for the first VPN gateway node, and forward the communications through the tunnel to the first VPN gateway node.
  • A third node performs an IKE negotiation with the hub node to set up an IPSec tunnel to the hub node.
  • The hub node consequently receives any traffic arriving via the negotiated tunnel from said third node and directed to the first VPN gateway node, decapsulates and decrypts the received data, then encapsulates and encrypts the data for transmission to the first VPN gateway node, and finally sends the data to the first VPN gateway node.
  • The return traffic from the first VPN gateway can advantageously be arranged in the reverse way, i.e. by having the first VPN gateway send the data to the hub gateway, which decrypts and decapsulates the data, encrypts and encapsulates it again for sending to the third node, and then sends the data to the third node.
  • The third node can be, for example, a VPN gateway with a static address, or a hub node serving another VPN gateway behind a dynamic IP address.
  • The first VPN gateway negotiates a tunnel directly to the other corresponding node, such as the third node in the previous example, for any return traffic to the other node.
  • The VPN gateway node needs preconfigured identity information, for example in the form of a certificate or a shared secret key, in order to be able to negotiate a tunnel with the hub gateway node, since the hub gateway node needs to recognize the VPN gateway node as part of the particular VPN network.
  • NAT: network address translation.
  • The third node does not need to negotiate a tunnel to the hub node if a tunnel between the third node and the hub node already exists. This may be the case if the third node is itself another VPN gateway or a hub node for another VPN gateway.
  • The first VPN gateway can also negotiate an IPSec tunnel directly with the third node, bypassing the hub node for the return path.
  • The third node in the previous example may be a second hub node acting for a second VPN gateway node.
  • A VPN gateway needs to know the hub gateway addresses corresponding to the other VPN gateways. This information can be included in the same piece of configuration information of the VPN gateway that includes the address of its own hub gateway.
  • A VPN gateway node is arranged to query information about the rest of the VPN network from its hub gateway node.
  • The hub gateway node address needs to be configured in the VPN gateway node in advance, and other aspects of the network can be automatically requested from the hub gateway node.
  • The configuration information can also be supplied by a node other than the hub gateway node, such as a node of the VPN network management system.
  • One hub node may serve more than one VPN gateway node.
  • The hub node functions as a kind of router, directing traffic between the tunnels between the hub node and the VPN gateway nodes.
  • One hub node can serve all VPN gateway nodes of a VPN network.
  • The inventive functionality can be used not only in configurations in which the IP address of a VPN gateway may change, but also to facilitate automatic configuration of a VPN gateway even in cases in which the IP address of a VPN gateway, once assigned, is not expected to change.
  • A VPN gateway associated with a wireless LAN (WLAN) access point.
  • WLAN: wireless LAN.
  • A WLAN access point can be arranged with VPN gateway functionality.
  • The inventive functionality can be used, whereby the access point needs only a hub gateway address and identity information as configuration information.
  • Figure 2 illustrates a method according to an advantageous embodiment of the invention.
  • Figure 1 illustrates an example of a network structure in which the invention can be employed.
  • Figure 1 illustrates a first local area network 110, a second local area network 111, and a third local area network 120.
  • The first and second local area networks are LANs of smaller offices of a company.
  • The third local area network 120 is the LAN of the corporate headquarters.
  • The first and second LANs are connected to a public network such as the Internet 150 via VPN gateways 130, 132. These gateways 130, 132 have connections with dynamic IP addresses of the public network 150.
  • The LAN 120 of the corporate headquarters is connected to the Internet via a gateway 140, which has a static address of the public network 150.
  • The corporate VPN is formed by having the VPN gateways 130, 132 of the side offices contact the headquarters gateway 140 at its static address, and having the headquarters gateway 140 forward to the second LAN any traffic from the first LAN (and any other eventual LANs) destined to the second LAN, and forward to the first LAN any traffic destined to the first LAN.
  • The gateway 140 acts as a hub gateway. Since the gateway 140 has a static address, the side office gateways 130, 132 are always able to contact the gateway 140 when setting up the connections.
  • Figure 2 illustrates a method for setting up a network according to an advantageous embodiment of the invention between a first network having a first VPN gateway node with a dynamic IP address of a public network and a second network having a second VPN gateway node with a dynamic IP address of the public network.
  • The method comprises at least the steps of
  • said hub gateway node to decrypt and examine packets received from said first and second VPN gateway nodes, and to send any packets destined to said first network to said first encrypted communication channel and any packets destined to said second network to said second encrypted communication channel.
  • The method further comprises the step of negotiating at least one third encrypted communication channel between said first VPN gateway node and the hub gateway node.
  • This at least one third encrypted communication channel can carry traffic destined to a different subnetwork or subnetworks than the first encrypted communication channel.
  • The method further comprises the step of negotiating at least one fourth encrypted communication channel between said second VPN gateway node and the hub gateway node.
  • This at least one fourth encrypted communication channel can carry traffic destined to a different subnetwork or subnetworks than the second encrypted communication channel.
  • A VPN gateway node needs to be preconfigured with at least the IP address of a hub gateway and the information required to set up a secured tunnel to that address, such as identity information of the VPN gateway node and keys for encryption and decryption.
  • An inventive VPN gateway node is arranged to renegotiate a tunnel to the hub gateway node if an old tunnel has been lost.
  • An inventive VPN gateway node has a keepalive mechanism to detect whether the hub gateway node has been rebooted and the tunnel needs to be re-established.
  • An inventive VPN gateway node can also include the NAT traversal functionality discussed previously.
  • A separate security association (i.e. a tunnel) may be created for each subnet.
  • SA: security association.
  • Different subnets correspond to different local area networks, or parts of local area networks, at different geographical sites.
  • Negotiating a very large prefix (for example, 0/0) for a single SA between a dynamic gateway node and the hub node would allow carrying traffic from a remote LAN via the hub gateway to any of the subnetworks of the combined VPN, but such a large prefix could also cause internal traffic of the remote LAN to be passed via the connection to the hub gateway, which is undesirable. Therefore, depending on the structure of the address spaces and subnets used, it may be advantageous to negotiate a plurality of SAs for communication between a dynamic gateway and the hub gateway, one SA for each distinct subnet.
  • A modified IKE negotiation is used in order to allow the negotiation of multiple subnets for the same tunnel.
  • A VPN gateway can use more than one hub gateway node, in which case the VPN gateway is accessible through any one of these hub gateway nodes. Such a configuration provides better fault tolerance than the use of a single hub gateway node.
  • A hub gateway node is arranged to report to a network monitoring system whether a dynamic gateway assigned to the hub gateway node is connected or not.
  • A hub gateway node is arranged to obtain information about the VPN gateways assigned to it from a centralized management system.
  • The inventive solution can be employed in both IPv4 and IPv6 networks.
  • The inventive solution can employ any method for obtaining the IP address of a VPN gateway, such as the DHCP, PPP, IPCP, or RARP protocols.
  • IKE: used as an example of a protocol for negotiating security parameters. The invention is not limited to IKE, since other key management protocols can also be used.
  • IPCP: RFC 1661, The Point-to-Point Protocol (PPP). W. Simpson, Editor. July 1994.
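The following is an added illustration for this page, not code from the patent or from SSH Communications Security: a toy Python model of the hub arrangement described in the definitions above. It walks the Figure 1 scenario (two side-office gateways on dynamic addresses, one static-address hub) and shows the hub forwarding between tunnels by destination subnet, a side office changing its address without its peer having to learn the new one, the hub admitting only preconfigured identities, keepalive-driven renegotiation after a hub reboot, and the selector caveat for a 0/0 prefix (LAN-internal traffic being pulled to the hub) against per-subnet selectors. All addresses, identities, subnets and the envelope structure are constructed; encryption is stood in for by a plain envelope dict so the routing and selector logic stays visible.

```python
# Toy model of the hub-gateway VPN arrangement described above. Constructed
# illustration for this page, not code from the patent or from SSH Communications
# Security; encryption is stood in for by a plain envelope dict.
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    gateway_id: str   # identity the hub was preconfigured to trust
    peer_addr: str    # gateway's current, possibly dynamic, public address
    behind: list      # subnets behind the gateway; the hub routes on these
    remote: list      # destination selectors the gateway sends through the SA


def _covers(nets, ip):
    return any(ipaddress.ip_address(ip) in n for n in nets)


class HubGateway:
    """Static-address hub: admits preconfigured identities, routes between their tunnels."""
    def __init__(self, static_addr, trusted_ids):
        self.static_addr = static_addr
        self.trusted_ids = set(trusted_ids)
        self.tunnels = {}                 # gateway_id -> current SA
    def negotiate(self, gateway_id, peer_addr, behind, remote):
        """Stands in for IKE; renegotiating from a new address replaces the old SA."""
        if gateway_id not in self.trusted_ids:
            raise PermissionError(f"unknown gateway identity {gateway_id!r}")
        sa = Tunnel(gateway_id, peer_addr,
                    [ipaddress.ip_network(p) for p in behind],
                    [ipaddress.ip_network(p) for p in remote])
        self.tunnels[gateway_id] = sa
        return sa
    def alive(self, gateway_id, sa):      # keepalive reply: False once a reboot wiped the SA
        return self.tunnels.get(gateway_id) is sa
    def forward(self, envelope):
        """Decapsulate from the arriving tunnel, re-encapsulate for the tunnel
        whose 'behind' subnets hold the inner destination; None means drop."""
        src_sa = self.tunnels.get(envelope["sa"])
        if src_sa is None or envelope["outer_dst"] != self.static_addr:
            return None                   # unknown tunnel, or not addressed to the hub
        inner = envelope["inner"]
        if not _covers(src_sa.behind, inner["src"]):
            return None                   # inner source is not behind that tunnel
        dst_ip = ipaddress.ip_address(inner["dst"])
        matches = [(n.prefixlen, sa) for sa in self.tunnels.values()
                   for n in sa.behind if dst_ip in n]
        if not matches:
            return None                   # destination is in no VPN subnet
        dst_sa = max(matches, key=lambda m: m[0])[1]   # longest-prefix match
        if dst_sa is src_sa:
            return None                   # would hairpin back to the sender
        return {"outer_dst": dst_sa.peer_addr, "sa": dst_sa.gateway_id, "inner": inner}


class DynamicGateway:
    """Side-office gateway: knows only the hub address, its identity and target subnets."""
    def __init__(self, gateway_id, local_lan, remote, hub):
        self.gateway_id, self.local_lan, self.remote, self.hub = gateway_id, local_lan, remote, hub
        self.addr = self.sa = None
    def connect(self, dynamic_addr):
        """Run whenever the ISP assigns a (new) address, e.g. a new PPP session."""
        self.addr = dynamic_addr
        self.sa = self.hub.negotiate(self.gateway_id, dynamic_addr, [self.local_lan], self.remote)
    def keepalive(self):
        """Re-establish the tunnel if the hub no longer knows it; True if it did."""
        if self.hub.alive(self.gateway_id, self.sa):
            return False
        self.connect(self.addr)
        return True
    def route(self, dst):
        """IPsec policy lookup: 'hub' if an SA selector matches dst, else 'local'."""
        return "hub" if _covers(self.sa.remote, dst) else "local"
    def encapsulate(self, packet):
        return {"outer_dst": self.hub.static_addr, "sa": self.gateway_id, "inner": packet}


def demo():
    """The Figure 1 scenario: two side offices on dynamic addresses, one static hub."""
    hub = HubGateway("198.51.100.1", {"office-a", "office-b"})      # constructed addresses
    a = DynamicGateway("office-a", "10.1.0.0/16", ["10.2.0.0/16"], hub)
    b = DynamicGateway("office-b", "10.2.0.0/16", ["10.1.0.0/16"], hub)
    a.connect("203.0.113.10")
    b.connect("203.0.113.20")
    r = {}
    out = hub.forward(a.encapsulate({"src": "10.1.0.5", "dst": "10.2.0.9"}))
    r["a_to_b_outer_dst"] = out["outer_dst"]          # hub chose B's current address
    a.connect("203.0.113.77")                         # A's ISP hands out a new address
    out = hub.forward(b.encapsulate({"src": "10.2.0.9", "dst": "10.1.0.5"}))
    r["b_to_a_outer_dst"] = out["outer_dst"]          # B never had to learn A's address
    r["spoof_dropped"] = hub.forward(a.encapsulate({"src": "10.2.0.1", "dst": "10.2.0.9"})) is None
    hub.tunnels.clear()                               # hub reboot: all SAs lost
    r["renegotiated"] = a.keepalive()                 # tunnel detected as lost, re-established
    r["intra_lan_per_subnet"] = a.route("10.1.0.8")   # LAN-internal traffic stays local
    wide = DynamicGateway("office-a", "10.1.0.0/16", ["0.0.0.0/0"], hub)   # the 0/0 prefix case
    wide.connect("203.0.113.77")
    r["intra_lan_with_0_0"] = wide.route("10.1.0.8")  # LAN-internal traffic pulled to the hub
    try:
        hub.negotiate("rogue", "192.0.2.9", ["10.9.0.0/16"], ["10.1.0.0/16"])
        r["unknown_identity_rejected"] = False
    except PermissionError:
        r["unknown_identity_rejected"] = True
    return r
```

Calling `demo()` returns a dict of the observed outcomes; the two `route` results side by side are the point of the 0/0 discussion above, and the `forward` checks (identity known, outer address is the hub, inner source behind the sending tunnel, no hairpin) are the minimum a hub in this role should enforce before re-encrypting traffic towards another site.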

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

According to the invention, a first VPN gateway with a dynamic address is arranged to establish a tunnel to a hub gateway node having a static address. Other network nodes wishing to connect to the first VPN gateway connect to the hub node, which forwards the traffic to the first VPN gateway. This allows the actual address of the first VPN gateway to be unknown to other nodes, since the gateway is accessible via the static address of the hub node. Consequently, the actual address of the first VPN gateway can also change without hindering communication with other nodes.

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
FI20011547A (FI20011547A0, fi) | 2001-07-13 | 2001-07-13 | Turvallisuusjärjestelmä ja -menetelmä (Security system and method)
FI20011547 | 2001-07-13

Publications (1)

Publication Number | Publication Date
WO2003007561A1 (fr) | 2003-01-23

Family

ID=8561662

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/FI2002/000634 (WO2003007561A1, fr) | Procede d'obtention d'un reseau securise (Method for obtaining a secured network) | 2001-07-13 | 2002-07-15

Country Status (2)

Country | Link
FI (1) | FI20011547A0 (fr)
WO (1) | WO2003007561A1 (fr)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US6061346A (en) * | 1997-01-17 | 2000-05-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure access method, and associated apparatus, for accessing a private IP network
WO2000078008A1 (fr) * | 1999-06-15 | 2000-12-21 | Ssh Communications Security Ltd | Recours a la tunnelisation et aux corrections pour la securisation par traductions d'adresses reseau, et dispositif a cet effet
EP1071252A2 (fr) * | 1999-07-21 | 2001-01-24 | International Computers Ltd. | Migration de fonctionnement chiffré à non-chiffré sur un lien de communication
WO2002017558A2 (fr) * | 2000-08-18 | 2002-02-28 | Etunnels Inc. | Procede et appareil de communication de donnees entre plusieurs parties

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN100421379C (zh) * | 2003-09-10 | 2008-09-24 | 华为技术有限公司 | 一种多点可达隧道通信的方法
WO2005117392A1 (fr) * | 2004-05-17 | 2005-12-08 | Thomson Licensing | Procedes et appareils permettant de gerer l'acces a un reseau prive virtuel pour des dispositifs portatifs sans client vpn
WO2008099062A1 (fr) * | 2007-02-16 | 2008-08-21 | Nokia Corporation | Procédé de routage et de commande d'un trafic de données en paquets dans un système de communication
US7809003B2 (en) | 2007-02-16 | 2010-10-05 | Nokia Corporation | Method for the routing and control of packet data traffic in a communication system

Also Published As

Publication number | Publication date
FI20011547A0 (fi) | 2001-07-13

Similar Documents

Publication Publication Date Title
EP1709547B1 (fr) Selection de reseau de desserte et rattachement multiple par reseau d'acces ip
US7941548B2 (en) Wireless network security mechanism including reverse network address translation
US6970459B1 (en) Mobile virtual network system and method
JP4527721B2 (ja) トンネリングを用いたリモートlanのコネクティビティを改善するための装置及び方法
CA2521505C (fr) Ethernet mobile
US7444415B1 (en) Method and apparatus providing virtual private network access
JP5281644B2 (ja) ノマディック型端末に、レイヤ2レベル上でホーム・ネットワークにアクセスすることを可能にする方法および装置
US20050114490A1 (en) Distributed virtual network access system and method
US20070086382A1 (en) Methods of network access configuration in an IP network
JP2004357292A (ja) IP交換網上で伝達されるデータをIPv4ベースからIPv6ベースに変換するシステム
JP2007518349A (ja) モバイル仮想プライベートネットワークの中規模/大規模企業ネットワークへの展開を容易にする装置
US20090106831A1 (en) IPsec GRE TUNNEL IN SPLIT ASN-CSN SCENARIO
Smith et al. Network security using NAT and NAPT
US8400990B1 (en) Global service set identifiers
WO2003007561A1 (fr) Procede d'obtention d'un reseau securise
Durand et al. RFC 6333: Dual-stack lite broadband deployments following IPv4 exhaustion
Kara Private-to-private communications over the internet
Anderson et al. Stateless IP/ICMP Translation for IPv6 Internet Data Center Environments (SIIT-DC): Dual Translation Mode
Jarvinen Comparing IPv4 and IPv6 mobility and autoconfiguration for residential networks
Brustoloni et al. Application-independent end-to-end security in shared-link access networks
Vijay et al. A Secure Gateway Solution for Wireless Ad-Hoc Networks.
Vinayakray-Jani et al. An applicability of transition mechanisms for IPv6/IPv4 within the scope of GPRS with an Internet communication
Mun et al. Interconnection between IPv4 and IPv6
Buvaneswari et al. A Comprehensive Study on Next Generation Internet Protocol (Ipv6) and Security Vulnerabilities
Kaur et al. Security Enhancements in IPv6

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP
