[go: up one dir, main page]

WO2008014723A1 - Method and device for implementing vpn based on ipv6 address structure - Google Patents

Method and device for implementing vpn based on ipv6 address structure Download PDF

Info

Publication number
WO2008014723A1
WO2008014723A1 PCT/CN2007/070376 CN2007070376W WO2008014723A1 WO 2008014723 A1 WO2008014723 A1 WO 2008014723A1 CN 2007070376 W CN2007070376 W CN 2007070376W WO 2008014723 A1 WO2008014723 A1 WO 2008014723A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
site
address
packet
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2007/070376
Other languages
French (fr)
Chinese (zh)
Inventor
Bin Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of WO2008014723A1 publication Critical patent/WO2008014723A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the present invention relates to the field of communications, and in particular, to a technology for implementing a virtual private network based on an IPv6 address structure.
  • IPv6 address is more clearly layered, for example:
  • the IPv6 address is divided into multiple global routing levels.
  • the Internet address authority assigns address blocks to the top-level aggregation (TLA), which can be assigned to permanent Internet service providers and telecom operators.
  • TLA top-level aggregation
  • NLA next level of aggregation
  • the NLA provider
  • the NLA can divide its address down to its subscribers. Since the NLA addresses under the same TLA have the same TLA prefix, the routing efficiency is better. Moreover, subscribers with the same provider have the same NLA address prefix.
  • the aggregation-based allocation scheme is based on a number of high-level switching nodes through which permanent Internet service providers and telecom operators are interconnected. Because information exchange is global, these switching nodes with IPv6 address classes have a certain geographical distribution. Typically, these nodes are provided to large operators.
  • the first three addresses are address types such as unicast or multicast.
  • the next 13 bits are assigned to different TLAs in the world.
  • the next 32 bits are assigned to the next level of providers and orderers.
  • next level of aggregation can be divided into NLA address fields to create their own level, such as mapping NLA addresses to existing larger ISPs, subdividing them to smaller ISPs, and so on.
  • IPv6 class routing is the only way for the backbone router to control the routing table.
  • the subscriber's internal network segment can be accessed through the advanced aggregation point, which allows the backbone router to summarize the routing table through the TLA address prefix.
  • a higher level (hierarchical) router can only look at the TLA address prefix to quickly calculate the route.
  • the large hierarchical address space of IPv6 allows for more distributed address allocation.
  • the aggregate-based address is only part of the IPv6 address space, and other address ranges are assigned to the site-local address and the link-local address when multicasting, or when there is only one unique address within a limited range.
  • Link-local address Used internally by the enterprise, not used by public registries. Link-local addresses are used for a link-wide application, or as a temporary, "over” before some sites get global unicast addresses. """"bootstrapping") site address.
  • Site-local address The address used in the site, similar to the IPv4 private network address.
  • Multicast address Define a set of interfaces. Packets sent to a multicast address will be sent to all interfaces of the multicast group, and there is no broadcast address in IPV6. The broadcast address is replaced by a multicast address.
  • Ffxl The local scope of the node, which will not be forwarded out.
  • Ffx2 Link local range, not forwarded by the router. (for link range)
  • Ffx5 Site-local address, will not be forwarded out of the site.
  • Ffx8 Organization local address, will not be forwarded out of the organization. This type of address is controlled by a routing protocol. Ffxe : Worldwide.
  • Anycast address Used for a set of interfaces. However, packets forwarded to anycast address will be routed to the nearest interface in the set of interfaces that have the address. The anycast address and the global address are in the same range.
  • IPv6 address embedded in IPv4 address The IPv6 transition mechanism provides a technology for transmitting IPv6 packets in a tunnel manner through the IPv4 routing structure.
  • An IPv6 node using this technique is assigned to a special IPv6 unicast address, the lower 32 bits of which are IPv4 addresses. This address is called "IPv4-compatible IPv6 address" and has the following format:
  • IPv4-compatible IPv6 address must be a unique global unicast IPv4 address.
  • IPv6 address embedded in an IPv4 address is defined. This address uses an IPv6 address to represent an IPv4 node. This address is called “map IPv4 IPv6 address" and has the following format:
  • the prior art related to the present invention is the IPv6 over BGP/MPLS VPN technology.
  • the backbone network must be required to support MPLS.
  • Some label distribution protocol, such as the LDP protocol, must be run to bring additional overhead.
  • the embodiment of the invention provides a method and a device for implementing a virtual private network based on an IPv6 address structure, so as to carry the VPN traffic on the pure IPv6 network, and the prior art backbone network must support MPLS, and the MPLS encapsulated IPv6 packet band is adopted. To add overhead issues.
  • An embodiment of the present invention provides a method for implementing a virtual private network based on an IPv6 address structure, including:
  • the embodiment of the present invention provides a method for implementing a virtual private network, including:
  • An embodiment of the present invention provides a device for implementing a virtual private network, including:
  • the routing information establishing unit is configured to establish routing information of each site in the VPN according to a VPN local address and a VPN global address of each site in the VPN, where the VPN local address and the VPN global address of each site in the VPN are based on
  • the VPN packet transmission processing unit is configured to transmit, according to the routing information established by the routing information, a VPN packet exchanged between sites in the VPN.
  • the embodiment of the present invention sets a VPN local address and a VPN global address of each site in the virtual private network VPN based on the IPv6 address structure; and then according to the set local address and global address. Establishing routing information of each site in the VPN, and transmitting VPN packets through each site in the VPN according to the routing information.
  • the IPv6 address is used to accommodate the VPN information, and the forwarding process of the VPN packet and the common IP packet is unified, and the VPN traffic can be carried on the pure IPv6 network, thereby solving the problem that the prior art backbone network must support.
  • MPLS and the additional overhead caused by MPLS encapsulating IPv6 packets;
  • Figure 1 is a schematic diagram of a VPN structure
  • the embodiments of the present invention provide a technical solution for implementing a virtual private network based on an IPv6 address structure, which mainly includes: first setting a VPN local address and a VPN global address of each site in a virtual private network VPN based on an IPv6 address structure; The set local address and the global address establish routing information of each site in the VPN, and transmit VPN packets through each site in the VPN according to the routing information.
  • the mapping relationship between the VPN local address and the VPN global address is also established, so as to perform VPN according to the mapping relationship. Forwarding of packets.
  • the process of establishing the routing information of each site in the VPN according to the local address and the global address, and transmitting the VPN packet between the sites in the VPN according to the routing information may include:
  • the step (1) may specifically include any of the following implementation manners:
  • the PE device When a unicast packet exists in the VPN, the PE device generates an IPv6 aggregation route of each site in the VPN according to the VPN site ID.
  • the PE device advertises the IPv6 aggregation route to the P device and/or the destination PE of the VPN through a routing protocol; the P device and/or the destination PE are configured according to the VPN ID information included in the VPN site ID, and the local configuration.
  • the VPN IDs in the VPN site ID are compared. If they are the same, the route is saved. Otherwise, the route is discarded.
  • the VPN site is configured with the VPN group ID and the VPN group ID information is assigned to it.
  • the assigned VPN group ID information is added to the multicast through the multicast routing protocol.
  • Implementation mode three
  • the PEs of the VPN configure each site in the VPN, and allocate VPN site ID information, ingress route target RT information, and egress RT information for each site.
  • the PE device When a unicast packet exists in the VPN, the PE device generates IPv6 aggregate routing information according to the VPN site ID information, the ingress RT information, and the egress RT information, and adds the RT extension included in the egress RT information to the IPv6 aggregate routing information.
  • the community attribute is then advertised to the P device and/or destination PE of the VPN through a routing protocol;
  • the P device and/or the destination PE compares with the RT extended community attribute information in the locally configured ingress RT information according to the RT extended community attribute information in the VPN route, and if at least one RT extended community attribute information is the same, Then save this route; otherwise discard the route.
  • the step ( 2 ) may be configured to statically configure routing information between the VPN site and the associated site at each VPN site; or, by using a routing protocol between the PE device and the PE device at each VPN site, The routing information of the site associated with the site. If the latter implementation is adopted, the corresponding processing may specifically include:
  • the VPN routing information is sent to the target PE device by using the site set on the local PE device, where the VPN routing information carries the VPN site ID information of the site;
  • the target PE When receiving the VPN routing information, the target PE checks whether there is a site belonging to the same VPN as the site set on the local PE according to the VPN site ID information, and if there is a site belonging to the same VPN, The information of the site is added to the routing information of the site set on the local PE.
  • the corresponding processing when the packets are forwarded between the sites in the VPN, the corresponding processing may include:
  • the source address and the destination address of the VPN packet are configured according to the VPN local address of each site in the set VPN. According to the routing information configured on the site, the standard single/multicast forwarding mechanism is used to forward the VPN packet. Forward to the site corresponding to the destination address.
  • the corresponding processing may specifically include any one of the following two methods:
  • the ingress PE analyzes the received packet to obtain a site corresponding to the source address of the packet;
  • the ingress PE analyzes the received packet to obtain a site corresponding to the source address of the packet;
  • the destination address of the packet is converted to the destination VPN global multicast address by adding the VPN site ID information of the corresponding site to the source VPN global address.
  • the multicast group information stored on the PE device is searched according to the VPN group ID information, and the destination VPN site ID information is obtained, and the packet is multicasted to the corresponding site according to the destination VPN site ID information.
  • the corresponding processing may include: when the P device receives the unicast packet, adopts the standard IPv6 route according to the obtained aggregated route of the destination site.
  • the method forwards the packet to the egress PE; or, when the P device receives the multicast packet, searches for the multicast route according to the VPN group ID information in the VPN global multicast address carried in the packet.
  • the information is obtained, and the site ID information of each site in the corresponding multicast group is obtained.
  • the multicast packet is multicasted to each site in the corresponding multicast group according to the obtained site ID information.
  • the corresponding processing may specifically include any of the following implementation manners:
  • the source and destination global addresses of the packet are translated into a unicast local address in the VPN.
  • the source global address of the packet is translated into a local address in the VPN.
  • the packet is forwarded according to the group ID information in the multicast local address of the VPN.
  • the corresponding processing may include: converting, by the VPN site, the source local address of the site in the VPN to the source global address according to the VPN site ID information, and The local address is translated to the Internet global address, and the Internet is accessed based on the converted Internet global address.
  • the method before performing the step (3), further includes: configuring, by the ingress PE device, an interface that is connected to the VPN site to receive only the packet whose destination address is a VPN local address and an Internet global address, And refusing to receive the packet whose destination address is the VPN global address; and configuring the P device to reject the packet whose source IP address is the VPN local address.
  • the method may further include:
  • the egress PE After receiving the packet, the egress PE extracts the VPN site ID information in the source address of the packet, and checks whether the interface that the packet enters the egress PE is obtained by using the VPN site ID information. Site The interface that aggregates routes. If yes, the packet is forwarded through the egress PE. Otherwise, the packet is discarded.
  • the corresponding step (2) may further include: allocating an IPv4 VPN site ID to the IPv4 site on the PE device, and according to the allocated IPv4 site ID.
  • the IPv4 routing information of each IPv4 site is configured on the PE device; or the IPv4 VPN group ID is assigned to the IPv4 site on the PE device, and the allocated IPv4 is configured on the PE device by using a multicast routing protocol.
  • the VPN group ID information is added to each VPN site in the multicast group.
  • the corresponding step (2) may further include: allocating IPv4 VPN site ID information to the IPv4 site on each IPv4 site, and configuring the association with each IPv4 site according to the allocated IPv4 site ID information.
  • IPv4 inter-office IPv4 routing information assigning an IPv4 VPN group ID to the IPv4 site at each IPv4 site, and transmitting the assigned IPv4 VPN group ID information at each IPv4 site through a multicast routing protocol. Join the VPN sites in the multicast group.
  • the step (3) may include any one of the following processing modes:
  • the source IPv4 address of the packet is first analyzed, and the configured IPv4 routing information is searched according to the source address information to obtain the corresponding destination IPv4 address information, and then the The source and destination IPv4 addresses are translated into an IPv6 unicast address of the embedded IPv4, and the IPv4 packet is forwarded according to the destination address;
  • the egress device determines, according to the IPv4 VPN site ID information carried in the packet, that the site corresponding to the destination address of the packet is an IPv4 site, and then searches for the IPv4 routing information, and converts the destination IPv6 address into an IPv4 destination address. And forwarding the packet to the corresponding destination site according to the IPv4 destination address;
  • the ingress PE When receiving the IPv4 multicast packet, the ingress PE first analyzes the source IPv4 address of the packet, and searches for the configured IPv4 routing information according to the source address information to obtain the corresponding destination IPv4 address information, and then The source and destination IPv4 addresses are translated into an IPv6 unicast address with an embedded IPv4, and the IPv4 packet is forwarded in the IPv6 network according to the destination address;
  • the egress PE device When the packet arrives at the egress PE device, the egress PE device is based on the IPv4 VPN group carried in the packet.
  • the ID information determines that the site corresponding to the destination address of the packet is an IPv4 site, it searches for IPv4 routing information, translates the destination IPv6 address into an IPv4 destination address, and forwards the packet to the IPv4 destination address. Corresponding destination site.
  • the embodiment of the present invention sets a VPN local address and a VPN global address of each site in the virtual private network VPN based on the IPv6 address structure; and then establishes routing information of each site in the VPN according to the set local address and the global address, and According to the routing information, VPN packets are transmitted through each site in the VPN.
  • the IPv6 address is used to accommodate the VPN information, and the forwarding process of the VPN packet and the common IP packet is unified, and the VPN traffic can be carried on the pure IPv6 network, which solves the problem that the prior art backbone network must support MPLS and adopts MPLS encapsulation. Additional overhead caused by IPv6 packets;
  • each site can simultaneously access the Internet and
  • VPN which is easy to implement; when crossing the autonomous system, only the routes of the VPN site and the VPN group are advertised to the adjacent autonomous system, and the autonomous system border router does not need to store/forward VPN routes, and does not need a multi-layer label stack.
  • the VPN composition relationship is clear, and the VPN route only needs to carry a fixed-length site ID, which is convenient for processing; and the VPN site prefix is added by the operator PE, and the legality check is performed at the ingress PE.
  • the egress PE is used for RPF check to ensure the security of the VPN.
  • the IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.
  • the first embodiment provided by the embodiment of the present invention is based on a VPN structure provided by a conventional operator as shown in FIG. 1 , and includes a CE device, an ingress PE device, a P device, and an egress PE device in the VPN.
  • the PE device and the P device form a VPN public network
  • the CE device and the PE device form a VPN intranet.
  • Each site has an ID. There is one internal/global one. They are called the VPN local site ID and the global site ID.
  • the global site is called the global site.
  • the ID can be the same as the site ID of the VPN public network address, but with a different prefix.
  • Step 100 Set a virtual private network VPN local address and a VPN global address of each site based on the IPv6 address structure, and use the site ID to identify each site in the VPN global address.
  • the VPN local address is set.
  • the VPN local address is valid only in the VPN intranet, and the devices in the VPN intranet access each other.
  • the unicast VPN local address structure is set to the structure shown below:
  • the VPN local address structure is set to the following structure:
  • V bit (bit 10) in the figs field to 1, indicating that it is a VPN multicast address; to be compatible with RFC3306, set the 11th bit to 0; T bit (bit 12) is set to 1 , identifying that the multicast address is non-permanent.
  • the scop segment (13-16 bits) is 1000, indicating a valid multicast address in the VPN intranet. After this setting, the following format is formed: 80 32
  • the VPN global address is used to address the destination address in the VPN on the carrier network, that is, the VPN public network.
  • the operator only cares about how the router arrives at a VPN site and which VPN site it arrives, regardless of how it reaches the VPN internal destination site.
  • the VPN global address is different from the global public address.
  • the router must prevent VPN global addresses of different VPNs from reaching each other.
  • the unicast VPN global address is set to the following structure:
  • the vpn global routing prefix is set to include a prefix 002, and a VPN Site ID structure; the Subnet ID and the interface ID are only used to save the VPN internal unicast address. It is ignored when addressing on the VPN public network.
  • the multicast VPN global address is set to the following structure:
  • the VPN group ID indicates the multicast group that propagates multicast packets between sites in the VPN.
  • the scop field is set to 1110, it indicates that the address is a globally valid multicast address.
  • the group ID is only used to save the multicast address inside the VPN and is ignored when addressing on the public network.
  • the unicast VPN local address and the VPN global address can be mapped to each other.
  • mapping the Interface ID and subnet ID fields remain unchanged during mapping.
  • processing other fields add different prefixes according to the structural characteristics of the global/local address, and add or clear the VPN site ID information.
  • the multicast VPN global address is mapped by the VPN local address.
  • mapping set the scop field according to the characteristics of the global/local address, and add or clear the VPN group ID.
  • Step 200 Establish a connection relationship between the sites, that is, a topology relationship of the VPN.
  • the establishment of a VPN topology relationship includes the following three methods:
  • the first type uses a part of the VPN Site ID field in the unicast VPN global address to identify the VPN, that is, the VPN ID. If some Sites belong to the same VPN network, they have the same VPN ID.
  • the format of the VPN site ID is as follows:
  • the second method is to add a route attribute to the VPN site ID field in the unicast VPN global address to express the VPN topology.
  • This routing attribute can be in the format of the Route Target (RT) in the BGP extended community attribute.
  • a VPN relationship between a site and other associated sites is statically configured on the PE device in the VPN to form a VPN topology relationship.
  • Step 300 Configure routing attribute information of each site device in the VPN.
  • step 300 The specific implementation process of step 300 is as follows:
  • Step 310 Configure routing information between the sites in the VPN on the PE.
  • the PE device configures the VPN during initialization.
  • Each site in the network is assigned a corresponding VPN site ID information, and the PE device generates an IPv6 aggregation route, which is called a VPN site route, for example, 002: VPN site ID: : /48, and routes through the VPN site ID information.
  • the protocol is issued to the P device of the VPN and other PE devices.
  • the destination PE device matches the VPN ID in the locally configured VPN site ID according to the VPN ID information included in the VPN site ID information. If the information is the same, the route is saved. Otherwise, the route is discarded.
  • the specific real-time process includes the following steps:
  • Step 311 Set a VPN site in the PE device, and assign a VPN site ID to the PE device.
  • Step 312 The PE device generates an IPv6 aggregation route, that is, a VPN site route, according to the VPN site ID.
  • Step 313 The PE device advertises the IPv6 aggregation route to the P device and/or the destination PE of the VPN through a routing protocol.
  • Step 314 The P device and/or the destination PE compares the VPN ID information included in the VPN site ID with the VPN ID in the locally configured VPN site ID. If the information is the same, the route is saved; otherwise, the route is saved. Said routing.
  • the sites belonging to the same VPN are reachable, and the sites that do not belong to the same VPN are unreachable.
  • the VPN site ID information is assigned to the VPN site (that is, the VPN site configured for the PE device) and is added to the VPN site through the multicast routing protocol. In the VPN site in the multicast group.
  • the sites in the VPN are configured on the PEs of the VPN, and the VPNs are respectively allocated to the sites.
  • the PE device Based on the information, the PE device generates an IPv6 aggregation routing information, for example, 002: VPN site ID: : /48, and adds the RT extended community attribute contained in the egress RT list to the P device and other PE devices through the routing protocol.
  • the PE device matches the RT list in the VPN route with the local ingress RT list. If at least one RT extension attribute is the same, the route is saved. Otherwise, the route is discarded.
  • VPN topologies such as full mesh and hub-spoke can be constructed, and intranet (intranet) and extranet can be constructed. External network) and so on.
  • the specific implementation process includes the following steps:
  • Step 315 During initialization, configure a site in the VPN through the PE device of the VPN, and allocate VPN site ID information, ingress route target RT information, and exit RT information for each site.
  • Step 316 The PE device generates IPv6 aggregate routing information according to the VPN site ID information, the ingress RT information, and the egress RT information.
  • Step 317 Add, in the IPv6 aggregate routing information, the RT extended community attribute included in the egress RT information, and advertise the same to the P device and/or the destination PE of the VPN through the routing protocol.
  • Step 318 The P device and/or the destination PE compares with the RT extended community attribute information in the locally configured ingress RT information according to the RT extended community attribute information in the VPN route, if at least one RT extended community attribute exists. If the information is the same, the route is saved; otherwise the route is discarded.
  • the VPN group ID information is allocated to each site when the PEs are configured with the sites in the VPN. Then, the PE device adds the VPN group ID information to the group through the multicast routing protocol. Each site of the group.
  • a routing list is formed for each site on the PE, and the site ID information of each site having a VPN relationship with the site is included in the list.
  • Step 320 Configure routing information of the site on each site.
  • the specific implementation process includes the following steps: Step 321: Statically configure routing information between sites;
  • Step 322 Run a routing protocol between the PE device and the PE device to obtain routing information of other sites that belong to the same VPN as the site.
  • step 322 specifically includes:
  • the local PE device advertises the VPN routing information to the target PE device, where the VPN routing information carries the VPN site ID information of the site set on the local PE device.
  • the target PE When the target PE receives the VPN routing information, it checks whether there is a site belonging to the same VPN as the site set on the local PE according to the VPN site ID information, and if there is a site belonging to the same VPN, The information of the site is added to the routing information of the site set on the local PE.
  • the routing information of the Site includes routing information of the site and all sites having a VPN relationship with the site.
  • Step 400 Implement VPN message transmission based on the site routing information set by the foregoing.
  • the specific implementation process is as follows: When forwarding packets between sites within the VPN:
  • a standard single/multicast forwarding mechanism can be adopted.
  • the site forwards the VPN packet to other Site devices in the VPN through the standard unicast/multicast forwarding mechanism.
  • the source/destination addresses carried in the packet are constructed in the VPN internal address format.
  • the global VPN address can only be generated by the PE to prevent forged VPN packets.
  • other interfaces are not allowed to receive packets whose source/destination address is a VPN local address.
  • the P device does not receive packets whose source/destination address is a VPN local address.
  • the ingress PE device forwards the VPN packet, first, to identify which site the VPN packet belongs to, it is generally identified by the interface/sub-interface method, or according to the IPv6 triplet/IPv4 quintuple/VLAN/ DSCP and other methods are used for identification.
  • the VPN site ID information is added to the source address structure carried in the packet, and the source address is converted into the source VPN global address.
  • the s saved on the PE device is searched.
  • the ite routing information after the site ID information of the destination site is found, the destination address carried in the packet is converted into the destination VPN global address according to the destination site ID information, and then the VPN is globally based on the translated destination.
  • the ingress PE device When the unicast packet is forwarded by the ingress PE device, it includes:
  • Step 411 The ingress PE analyzes the received packet, and obtains a site corresponding to the source address of the packet.
  • Step 412 Add the VPN site ID information of the site corresponding to the source address to the packet, and convert the source address into a source VPN global address.
  • Step 413 Search for routing information of the destination site according to the destination address carried in the packet, and obtain the destination VPN site ID information.
  • Step 414 Convert the destination address carried by the packet to the destination VPN global address according to the obtained destination VPN site ID, and forward the packet to the corresponding site according to the destination VPN site ID information. .
  • the ingress PE device forwards multicast packets, it includes:
  • Step 421 The ingress PE analyzes the received packet, and obtains a site corresponding to the source address of the packet.
  • Step 422 Convert the source address to the source VPN global address by adding the corresponding VPN site ID information of the s i te;
  • Step 423 Convert the destination address carried by the packet to the destination VPN by adding the VPN group ID information.
  • Global multicast address
  • Step 424 Search for the multicast routing information saved on the PE device according to the VPN group ID information, obtain the corresponding destination VPN site ID information, and multicast the packet to the corresponding destination according to the destination VPN site ID information. Site.
  • the P device For unicast packets, the P device has obtained the aggregated route to the destination site. Therefore, the standard IPv6 route forwarding can be used to reach the egress PE. For multicast packets, you need to search for multicast routing information based on the VPN group ID information in the global multicast address of the VPN. Different from the standard multicast forwarding process, it is forwarded according to the multicast aggregation route according to the longest matching method, also known as multicast aggregation route forwarding.
  • the specific implementation process is as follows:
  • Step 431 When receiving the unicast packet, the P device forwards the packet to the egress PE by using a standard IPv6 routing manner according to the obtained aggregated route of the destination site.
  • Step 432 When receiving the multicast packet, the P device searches for multicast routing information according to the VPN group ID information in the VPN global multicast address carried in the packet, and obtains each of the corresponding multicast groups. Site ID information of the site;
  • Step 433 Multicast the multicast packet to each site in the corresponding multicast group according to the obtained site ID information.
  • the method is: after the egress PE receives the packet, first extracts the VPN site ID information in the source address in the packet; and then, according to the VPN site ID information, checks that the packet enters the egress PE. If the interface is the interface that obtains the VPN site aggregation route, the packet is forwarded by the egress PE. Otherwise, the packet is discarded.
  • the unicast packet When forwarding a VPN packet on the egress PE, the unicast packet is first converted into a unicast local address in the VPN, and then the local site is searched according to the site ID information in the translated destination address. Routing information, and forwarding the VPN packet according to the information.
  • the source address is translated into the multicast local address of the VPN
  • the destination global address is translated into the multicast local address of the VPN according to the VPN group ID information in the destination address.
  • the group ID information in the address forwards the message.
  • Step 451 When the egress PE device receives the unicast packet, the source and destination global addresses of the packet are translated into a unicast local address in the VPN.
  • Step 452 Search and obtain local route information of the corresponding site according to the VPN site ID information in the destination global address.
  • Step 453 Forward the packet according to the obtained local routing information.
  • the egress packet When the egress packet is forwarded by the egress PE device, it includes:
  • Step 454 When the egress PE device receives the multicast packet, the source global address of the packet is translated into a local address in the VPN.
  • Step 455 Search and obtain the local routing information of the corresponding site according to the VPN group ID information in the destination address of the packet, and convert the destination global address address into a multicast local address in the VPN according to the obtained local routing information.
  • Step 456 Forward the packet according to the group ID information in the multicast local address of the converted VPN.
  • the above process describes the process of accessing each site in the VPN. In addition to accessing other sites in the VPN, the VPN site can also access the Internet.
  • the VPN site When the VPN site accesses the Internet, the VPN site converts the local address of the site in the VPN into an Internet global address according to the VPN site ID information, and accesses the Internet according to the converted Internet global address.
  • the above format is RFC3587 standard format, where the global routing prefix can be automatically generated by the VPN site ID.
  • the standard IPv6 routing and forwarding mode is adopted when forwarding VPN packets. Therefore, when spanning the autonomous system, only the sites in the VPN or the multicast groups in the VPN are required. The routing information is advertised to the neighboring autonomous system, and the routes of the sites in the VPN are distributed between the PE devices belonging to the same VPN network.
  • the embodiment of the present invention can also implement interconnection of IPV4 sites, that is, multiple IPv4s through an IPv6 backbone network. The network is connected to each other or to a VPN user with an IPv4 address. For a unicast packet, the PE device in the VPN still assigns an IPv6 VPN site ID to each IPv4 site.
  • the IPv4 site For multicast packets, for each multicast packet, the IPv4 site still assigns a VPN group ID and maintains the IPv4 routing information and saves it to the IPv4 routing information. However, the IPv4 routing information carries a routing attribute, including the VPN site ID to which the IPv4 belongs.
  • the PE device After the VPN topology is discovered, after the PE device obtains the IPv4 route from the site, the PE site ID attribute is added to other PEs. The destination PE device checks whether the site belongs to the same VPN as the local site. Then save this route, otherwise discard.
  • the unicast packet from the CE device to the PE device determines which site it originates from based on the inbound interface, and then searches the IPv4 routing table, determines the destination site, and then translates the source/destination IPv4 address into an IPv6 VPN with embedded IPv4.
  • Unicast address the format is as follows:
  • the VPN site ID finds the next hop for forwarding according to the destination site.
  • the P device searches for the aggregated route of the VPN site according to the address and forwards the packet.
  • the IPv4 routing table is forwarded to the IPv4 address and the IPv4 routing table is forwarded to the CE.
  • the multicast packet that enters the PE from the CE is first determined according to the inbound interface and other information, determines the VPN site, determines the VPN group, and then translates the source address into an IPv6 VPN unicast address embedded with IPv4, and translates the destination address into the embedded address.
  • IPv4 IPv6 VPN multicast address in the following format:
  • IPv4 address 11111111
  • IPv4 address IPv4 address Then forwarded in the backbone network according to the VPN group.
  • the egress PE When the egress PE is reached, it knows that its destination is an IPv4 site, translates it to an IPv4 multicast address, and forwards it to the CE based on the VPN group ID.
  • the embodiment of the present invention utilizes an IPv6 address structure, and can form a VPN address without adding a VPN prefix.
  • the addressing of the local address and the encapsulation of VPN packets in the VPN network are all based on IPv6.
  • the address structure, the route of the site in the VPN network does not need to adopt a special method, and can be implemented by using ordinary IPv6 routes, and does not need to use a special tunnel to encapsulate VPN packets. And there is no need to save inside the VPN backbone. There is also no need to publish routing information for each site within the VPN. Therefore, it has the following significant effects:
  • IPv6 address is used to accommodate VPN information, and no additional overhead is required for VPN packets.
  • the forwarding process of the VPN packets and the common IP packets is unified, and the VPN traffic can be carried on the pure IPv6 network.
  • the P device maintains only the VPN site aggregation route, and the overhead is small.
  • the VPN has a clear relationship.
  • the VPN route only needs to carry a fixed-length site ID for easy processing.
  • the site can access the Internet and the VPN at the same time, which is easy to implement;
  • the VPN site prefix is added by the operator PE, and the legitimacy check is performed on the ingress PE, and the RPF check is performed on the egress PE to ensure the security of the VPN.
  • IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.
  • the method of crossing the autonomous system is simple to implement. There is no need for the autonomous system border router to store/forward VPN routes, and there is no need for a multi-layer label stack.
  • each site can access the Internet and the VPN at the same time, thereby facilitating the implementation; when crossing the autonomous system, only the routes of the VPN site and the VPN group are advertised to the adjacent autonomous system.
  • the autonomous system border router does not need to store/forward the VPN route, and the multi-layer label stack is not required, so that the implementation is relatively simple.
  • the VPN has a clear relationship, and the VPN route only needs to carry a fixed-length site ID, which is convenient for processing.
  • the VPN site prefix is added by the operator PE, and the entry PE performs the legality check, and the egress PE performs the RPF check to ensure the security of the VPN.
  • the IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and a device for implementing Virtual Private Networking based on IPv6 address structure, mostly including: firstly, the VPN local address and the VPN global address of the respective site in Virtual Private Networking VPN are set based on the IPv6 address structure; then, the route information of the respective site in VPN is established based on the set local address and the set global address, and depending on the route information, the VPN message is transferred through the respective site in VPN. Not only the VPN information can be contained in the IPv6 address, but also according to the difference of the target address prefix, the respective site can access Internet and VPN; when the autonomous system is crossed, only the route of the VPN site and the VPN group is distributed to the adjacent autonomous system.

Description

基于 IPv6地址结构实现虚拟专用网的方法及设备 技术领域 本发明涉及通信领域, 尤其涉及一种基于 IPv6地址结构实现虚拟专用网的技术。 发明背景  The present invention relates to the field of communications, and in particular, to a technology for implementing a virtual private network based on an IPv6 address structure. Background of the invention

IPv6的地址长度的增加, 使 IPv6的地址可被更清晰的层次化, 例如: The increase in the length of the IPv6 address allows the IPv6 address to be more clearly layered, for example:

IPv6地址被划分为多个全球路由等级, 在等级的最上层, 由 Internet地址授权机构 分配地址块给顶级集聚(TLA) , 这些 TLA地址可以分配给永久的 Internet服务提供者和 电信运营商。 TLA再分配地址块给下一级集聚 (NLA) , NLA分配给大的 Internet服务提 供者和一些全球性的互联网络机构。 NLA (提供者)可以将其地址再往下分给它的定购 者。 由于在相同 TLA下的 NLA地址有相同的 TLA前缀, 所以, 路由效率较佳。 而且, 具有 相同提供者的定购者有着同样的 NLA地址前缀。  The IPv6 address is divided into multiple global routing levels. At the top level of the hierarchy, the Internet address authority assigns address blocks to the top-level aggregation (TLA), which can be assigned to permanent Internet service providers and telecom operators. The TLA redistributes the address block to the next level of aggregation (NLA), which is assigned to large Internet service providers and some global Internet organizations. The NLA (provider) can divide its address down to its subscribers. Since the NLA addresses under the same TLA have the same TLA prefix, the routing efficiency is better. Moreover, subscribers with the same provider have the same NLA address prefix.

基于集聚的分配方案是基于一定数量的高层次的交换节点,永久的 Internet服务提 供者和电信运营商通过这些节点互联。 因为信息交换是全球性的, 所以这些具有 IPv6地 址等级的交换节点有一定的地理分布。 通常, 这些节点被提供给大的运营商。  The aggregation-based allocation scheme is based on a number of high-level switching nodes through which permanent Internet service providers and telecom operators are interconnected. Because information exchange is global, these switching nodes with IPv6 address classes have a certain geographical distribution. Typically, these nodes are provided to large operators.

基于 IPV6的地址聚合结构中, 头 3个地址为单播或多播等的地址类型。 接下来的 13 位分配给世界上不同的 TLA。 接下来的 32位分配给下一层的提供者和定购者。  In the IPV6-based address aggregation structure, the first three addresses are address types such as unicast or multicast. The next 13 bits are assigned to different TLAs in the world. The next 32 bits are assigned to the next level of providers and orderers.

下一层的集聚可以再划分 NLA地址域来创建她们自己的等级, 比如可以将 NLA地址 映射到现有的较大的 ISP, 下面再划分给较小的 ISP, 等等。  The next level of aggregation can be divided into NLA address fields to create their own level, such as mapping NLA addresses to existing larger ISPs, subdividing them to smaller ISPs, and so on.

随着 Internet继续扩张, IPv6的等级路由的应用是使得骨干路由器控制路由表的 唯一办法。 通过基于集聚的地址等级, 定购者的内部网段可以通过高级集聚点来访问, 这使得骨干路由器通过 TLA地址前缀来汇总路由表。  As the Internet continues to expand, the application of IPv6 class routing is the only way for the backbone router to control the routing table. By based on the aggregated address level, the subscriber's internal network segment can be accessed through the advanced aggregation point, which allows the backbone router to summarize the routing table through the TLA address prefix.

高一等级(层次)的路由器可以只查看 TLA地址前缀来快速计算路由。 IPv6的巨大 等级地址空间允许进行更为分散的地址分配。  A higher level (hierarchical) router can only look at the TLA address prefix to quickly calculate the route. The large hierarchical address space of IPv6 allows for more distributed address allocation.

基于集聚的地址只是 IPv6地址空间的一部分, 其它的地址范围在多播时, 或只需 要在一个有限范围内具有一个唯一的地址时分配给站点本地地址和链路本地地址。下面 将对在 IPV6的地址空间中可以使用的地址概念进行说明:  The aggregate-based address is only part of the IPv6 address space, and other address ranges are assigned to the site-local address and the link-local address when multicasting, or when there is only one unique address within a limited range. The following describes the concept of addresses that can be used in the address space of IPV6:

1、 链路本地地址: 供企业内部使用, 不被公共的注册机构使用。 链路本地地址用 于一个链路范围内的应用, 也可以作为在一些站点得到全球单播地址前的临时的、 "过 渡的" ( "bootstrapping") 站点地址。 1. Link-local address: Used internally by the enterprise, not used by public registries. Link-local addresses are used for a link-wide application, or as a temporary, "over" before some sites get global unicast addresses. """"bootstrapping") site address.

2、 站点本地地址: 在站点内使用的地址, 类似于 IPv4的私网地址。  2. Site-local address: The address used in the site, similar to the IPv4 private network address.

3、 多播地址: 定义一组接口。 发给一个多播地址的数据包将被发往多播组的所有 接口, 在 IPV6中没有广播地址。 广播地址由多播地址所取代。  3. Multicast address: Define a set of interfaces. Packets sent to a multicast address will be sent to all interfaces of the multicast group, and there is no broadcast address in IPV6. The broadcast address is replaced by a multicast address.

4、 多播地址描述: 4. Multicast address description:

ffxl : 节点本地范围, 不会转发出该节点。  Ffxl : The local scope of the node, which will not be forwarded out.

ffx2 : 链路本地范围, 不会由路由器转发。 (用于链路范围)  Ffx2 : Link local range, not forwarded by the router. (for link range)

ffx5 : 站点本地地址, 不会转发出该站点。  Ffx5 : Site-local address, will not be forwarded out of the site.

ffx8 : 组织本地地址, 不会转发出该组织。 该类地址由路由协议控制。 ffxe : 全球范围。  Ffx8 : Organization local address, will not be forwarded out of the organization. This type of address is controlled by a routing protocol. Ffxe : Worldwide.

5、 任播地址: 用于一组接口。 但是转发到任播地址的数据包将被路由到具备该地 址的一组接口中最近的接口。 任播地址和全球地址在同一个范围。  5. Anycast address: Used for a set of interfaces. However, packets forwarded to anycast address will be routed to the nearest interface in the set of interfaces that have the address. The anycast address and the global address are in the same range.

6、嵌入 IPv4地址的 IPv6地址: IPv6过渡机制提供一种技术, 可以通过 IPv4的路 由结构将 IPv6的包以隧道的方式传输。使用这种技术的 IPv6节点被分配给特殊的 IPv6 单播地址, 这种地址的低 32位是 IPv4的地址。 称这种地址为 "与 IPv4兼容的 IPv6地 址" , 格式如下: 6. IPv6 address embedded in IPv4 address: The IPv6 transition mechanism provides a technology for transmitting IPv6 packets in a tunnel manner through the IPv4 routing structure. An IPv6 node using this technique is assigned to a special IPv6 unicast address, the lower 32 bits of which are IPv4 addresses. This address is called "IPv4-compatible IPv6 address" and has the following format:

16 bits 16 bits

32 bits  32 bits

80 bits  80 bits

0000000 0000000 0000 IPV4 address 0000000 0000000 0000 IPV4 address

用于 " IPv4兼容的 IPv6地址"必须是一个唯一的全球单播 IPv4地址。 另外, 定义 了一种嵌入 IPv4地址的 IPv6地址。 这种地址用 IPv6的地址来表示 IPv4节点。 该地址 被称为 "映射 IPv4的 IPv6地址" , 格式如下: The "IPv4-compatible IPv6 address" must be a unique global unicast IPv4 address. In addition, an IPv6 address embedded in an IPv4 address is defined. This address uses an IPv6 address to represent an IPv4 node. This address is called "map IPv4 IPv6 address" and has the following format:

16 bits 16 bits

32 bits  32 bits

80 bits

Figure imgf000004_0001
与本发明有关的现有技术是 IPv6 over BGP/MPLS VPN技术。 80 bits
Figure imgf000004_0001
The prior art related to the present invention is the IPv6 over BGP/MPLS VPN technology.

在实现本发明的过程中, 发明人发现上述现有技术至少存在如下缺陷:  In the process of implementing the present invention, the inventors have found that the above prior art has at least the following drawbacks:

1、 采用 MPLS封装 IPv6报文, 带来附加开销;  1. MPLS encapsulates IPv6 packets, which brings additional overhead.

2、 要求骨干网必须支持 MPLS, 必须运行某种标签分发协议, 如 LDP协议, 带来附加 开销;  2. The backbone network must be required to support MPLS. Some label distribution protocol, such as the LDP protocol, must be run to bring additional overhead.

3、 跨越自治系统的方法复杂, 开销大;  3. The method of crossing the autonomous system is complicated and expensive;

4、 访问 Internet的方法复杂;  4. The method of accessing the Internet is complicated;

5、 不能用于 IPv4 site, 通过 IPv6网络的互连, 形成 VPN。 发明内容  5, can not be used for IPv4 site, through the interconnection of IPv6 networks, form a VPN. Summary of the invention

本发明实施例提供了一种基于 IPv6地址结构实现虚拟专用网的方法及设备, 以在纯 IPv6网络上承载 VPN流量,解决了现有技术骨干网必须支持 MPLS,以及采用 MPLS封装 IPv6 报文带来附加开销问题。  The embodiment of the invention provides a method and a device for implementing a virtual private network based on an IPv6 address structure, so as to carry the VPN traffic on the pure IPv6 network, and the prior art backbone network must support MPLS, and the MPLS encapsulated IPv6 packet band is adopted. To add overhead issues.

本发明实施例提供一种基于 IPv6地址结构实现虚拟专用网的方法, 其包括: 本发明实施例提供了一种实现虚拟专用网的方法, 包括:  An embodiment of the present invention provides a method for implementing a virtual private network based on an IPv6 address structure, including: The embodiment of the present invention provides a method for implementing a virtual private network, including:

基于 IPv6地址结构设置虚拟专用网 VPN内各个站点的 VPN本地地址和 VPN全局地址; 根据所述设置的 VPN本地地址和 VPN全局地址建立所述 VPN中各站点的路由信息, 并 根据所述路由信息, VPN内各站点间传输 VPN报文。  Setting a VPN local address and a VPN global address of each site in the virtual private network VPN based on the IPv6 address structure; establishing routing information of each site in the VPN according to the set VPN local address and the VPN global address, and according to the routing information VPN packets are transmitted between sites in the VPN.

本发明实施例提供了一种实现虚拟专用网的设备, 包括:  An embodiment of the present invention provides a device for implementing a virtual private network, including:

路由信息建立单元, 用于根据 VPN内各个站点的 VPN本地地址和 VPN全局地址建立所 述 VPN中各站点的路由信息,所述的 VPN内各个站点的 VPN本地地址和 VPN全局地址为基于 The routing information establishing unit is configured to establish routing information of each site in the VPN according to a VPN local address and a VPN global address of each site in the VPN, where the VPN local address and the VPN global address of each site in the VPN are based on

IPv6地址结构设置; IPv6 address structure setting;

VPN报文传输处理单元, 用于根据所述路由信息建立单元建立的路由信息, 传输 VPN 内各站点间交互的 VPN报文。  The VPN packet transmission processing unit is configured to transmit, according to the routing information established by the routing information, a VPN packet exchanged between sites in the VPN.

由上述本发明实施例提供的技术方案可以看出,本发明实施例基于 IPv6地址结构设 置虚拟专用网 VPN内各个站点的 VPN本地地址和 VPN全局地址; 然后根据所述设置的本地 地址和全局地址建立所述 VPN中各站点的路由信息, 并根据所述路由信息, 通过 VPN内各 站点传输 VPN报文。 本发明实施例利用 IPv6地址容纳 VPN信息, 而且统一 VPN报文与普通 IP报文的转发流程, 可在纯 IPv6网络上承载 VPN流量, 解决了现有技术骨干网必须支持 MPLS, 以及采用 MPLS封装 IPv6报文带来的附加开销问题; 附图简要说明 图 1为 VPN结构示意图; As can be seen from the technical solution provided by the foregoing embodiments of the present invention, the embodiment of the present invention sets a VPN local address and a VPN global address of each site in the virtual private network VPN based on the IPv6 address structure; and then according to the set local address and global address. Establishing routing information of each site in the VPN, and transmitting VPN packets through each site in the VPN according to the routing information. In the embodiment of the present invention, the IPv6 address is used to accommodate the VPN information, and the forwarding process of the VPN packet and the common IP packet is unified, and the VPN traffic can be carried on the pure IPv6 network, thereby solving the problem that the prior art backbone network must support. MPLS, and the additional overhead caused by MPLS encapsulating IPv6 packets; BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a schematic diagram of a VPN structure;

图 2为本发明实施例的流程图。 实施本发明的方式 本发明实施例提供一种基于 IPv6地址结构实现虚拟专用网的技术方案主要包括:首 先基于 IPv6地址结构设置虚拟专用网 VPN内各个站点的 VPN本地地址和 VPN全局地址; 然 后根据所述设置的本地地址和全局地址建立所述 VPN中各站点的路由信息, 并根据所述 路由信息, 通过 VPN内各站点传输 VPN报文。  2 is a flow chart of an embodiment of the present invention. The embodiments of the present invention provide a technical solution for implementing a virtual private network based on an IPv6 address structure, which mainly includes: first setting a VPN local address and a VPN global address of each site in a virtual private network VPN based on an IPv6 address structure; The set local address and the global address establish routing information of each site in the VPN, and transmit VPN packets through each site in the VPN according to the routing information.

本发明实施例中, 在基于 IPv6地址结构设置 VPN内各个站点的 VPN本地地址和 VPN全 局地址后, 还建立所述 VPN本地地址和 VPN全局地址间的映射关系, 以便于根据该映射关 系进行 VPN报文的转发处理。  In the embodiment of the present invention, after the VPN local address and the VPN global address of each site in the VPN are set based on the IPv6 address structure, the mapping relationship between the VPN local address and the VPN global address is also established, so as to perform VPN according to the mapping relationship. Forwarding of packets.

本发明实施例中,根据所述本地地址和全局地址建立所述 VPN中各站点的路由信息, 并根据所述路由信息在 VPN内各站点间传输 VPN报文的处理过程可以包括:  In the embodiment of the present invention, the process of establishing the routing information of each site in the VPN according to the local address and the global address, and transmitting the VPN packet between the sites in the VPN according to the routing information may include:

( 1 ) 根据所述设置的本地地址和全局地址, 在 VPN内的 PE设备上配置所述 VPN中各 站点的路由信息;  (1) configuring routing information of each site in the VPN on the PE device in the VPN according to the set local address and the global address;

该步骤 (1 ) 具体可以包括以下任一实现方式:  The step (1) may specifically include any of the following implementation manners:

实现方式一  Implementation one

在初始化时, 在 PE设备中配置 VPN site, 并为其赋予 VPN site ID;  During initialization, configure the VPN site on the PE device and assign it a VPN site ID.

当 VPN内有单播报文时, PE设备根据所述 VPN site ID生成 VPN内各个站点的 IPv6聚 合路由;  When a unicast packet exists in the VPN, the PE device generates an IPv6 aggregation route of each site in the VPN according to the VPN site ID.

所述 PE设备通过路由协议将所述 IPv6聚合路由发布给 VPN的 P设备和 /或目的 PE; 所述 P设备和 /或目的 PE根据所述 VPN site ID中包含的 VPN ID信息, 与本地配置的 The PE device advertises the IPv6 aggregation route to the P device and/or the destination PE of the VPN through a routing protocol; the P device and/or the destination PE are configured according to the VPN ID information included in the VPN site ID, and the local configuration. of

VPN site ID中的 VPN ID进行比较, 若相同, 则保存此路由; 否则丢弃所述路由。 The VPN IDs in the VPN site ID are compared. If they are the same, the route is saved. Otherwise, the route is discarded.

实现方式二  Implementation 2

在初始化时, 在 PE设备中配置 VPN site, 并为其分配 VPN group ID信息; 当 VPN内有组播报文时, 通过组播路由协议, 将所述分配的 VPN group ID信息加入 到组播组中的各个 VPN site中。 实现方式三 During the initialization, the VPN site is configured with the VPN group ID and the VPN group ID information is assigned to it. When there is a multicast packet in the VPN, the assigned VPN group ID information is added to the multicast through the multicast routing protocol. In each VPN site in the group. Implementation mode three

在初始化时,通过 VPN的 PE设备配置 VPN内各个 site,并为所述各个 site分别分配 VPN site ID信息、 入口路由目标 RT信息和出口 RT信息;  During initialization, the PEs of the VPN configure each site in the VPN, and allocate VPN site ID information, ingress route target RT information, and egress RT information for each site.

当 VPN内有单播报文时, PE设备根据所述 VPN site ID信息、 入口 RT信息和出口 RT 信息生成 IPv6聚合路由信息,并在所述 IPv6聚合路由信息中添加出口 RT信息中包含的 RT 扩展团体属性, 然后通过路由协议将其发布给 VPN的 P设备和 /或目的 PE;  When a unicast packet exists in the VPN, the PE device generates IPv6 aggregate routing information according to the VPN site ID information, the ingress RT information, and the egress RT information, and adds the RT extension included in the egress RT information to the IPv6 aggregate routing information. The community attribute is then advertised to the P device and/or destination PE of the VPN through a routing protocol;

所述 P设备和 /或目的 PE根据所述 VPN路由中的 RT扩展团体属性信息, 与本地配置的 入口 RT信息中的 RT扩展团体属性信息进行比较, 若至少有一个 RT扩展团体属性信息相 同, 则保存此路由; 否则丢弃所述路由。  The P device and/or the destination PE compares with the RT extended community attribute information in the locally configured ingress RT information according to the RT extended community attribute information in the VPN route, and if at least one RT extended community attribute information is the same, Then save this route; otherwise discard the route.

(2) 在每个站点上配置所述站点与与其相关联的站点间的路由信息;  (2) Configuring routing information between the site and its associated site at each site;

该步骤(2)具体可以采用在各个 VPN站点上静态配置其与与其相关联的站点间的路 由信息; 或者, 采用在各个 VPN站点上通过在 PE设备与 PE设备间运行路由协议, 获得与 所述 site相关联的站点的路由信息。 若采用其中的后一种实现方式, 则相应的处理过程 具体可以包括: The step ( 2 ) may be configured to statically configure routing information between the VPN site and the associated site at each VPN site; or, by using a routing protocol between the PE device and the PE device at each VPN site, The routing information of the site associated with the site. If the latter implementation is adopted, the corresponding processing may specifically include:

通过在本地 PE设备上设置的站点发布 VPN路由信息给目标 PE设备,所述 VPN路由信息 携带所述站点的 VPN site ID信息;  The VPN routing information is sent to the target PE device by using the site set on the local PE device, where the VPN routing information carries the VPN site ID information of the site;

所述目标 PE接收到所述 VPN路由信息时, 根据所述 VPN site ID信息检查其内是否存 在与本地 PE上设置的站点属于同一 VPN的站点, 若存在属于同一个 VPN的站点, 则将所述 站点的信息加入到本地 PE上设置的站点的路由信息中。  When receiving the VPN routing information, the target PE checks whether there is a site belonging to the same VPN as the site set on the local PE according to the VPN site ID information, and if there is a site belonging to the same VPN, The information of the site is added to the routing information of the site set on the local PE.

( 3) 根据所述路由信息, 通过 VPN内各站点传输 VPN报文;  (3) transmitting, according to the routing information, VPN packets by each station in the VPN;

在该步骤(3) 中, 当在 VPN内部的各个站点之间转发报文时, 则相应的处理过程具 体可以包括:  In the step (3), when the packets are forwarded between the sites in the VPN, the corresponding processing may include:

根据所述设置的 VPN内各个站点的 VPN本地地址构造 VPN报文的源地址和目的地址; 根据所述站点上配置的路由信息, 采用标准的单 /组播转发机制, 将所述 VPN报文转 发给所述目的地址对应的站点。  The source address and the destination address of the VPN packet are configured according to the VPN local address of each site in the set VPN. According to the routing information configured on the site, the standard single/multicast forwarding mechanism is used to forward the VPN packet. Forward to the site corresponding to the destination address.

在该步骤 (3) 中, 当在入口 PE设备转发报文时, 则相应的处理过程具体可以包括 以下两种方式中的任一种:  In the step (3), when the inbound PE device forwards the packet, the corresponding processing may specifically include any one of the following two methods:

方式一  method one

所述入口 PE对接收到的报文进行分析, 得到所述报文的源地址对应的 site;  The ingress PE analyzes the received packet to obtain a site corresponding to the source address of the packet;

为所述报文添加所述源地址对应的 site的 VPN site ID信息, 并将源地址转换为源 VPN全局地址; Adding VPN site ID information of the site corresponding to the source address to the packet, and converting the source address into a source VPN global address;

根据所述报文携带的目的地址查找相应的目的 site的路由信息, 获得目的 VPN site ID信息;  Finding the routing information of the corresponding destination site according to the destination address carried in the packet, and obtaining the destination VPN site ID information;

根据所述获得的目的 VPN site ID将所述报文携带的目的地址转换为目的 VPN全局地 址, 并根据所述目的 VPN site ID信息将所述报文转发给对应的 site。  Transmitting the destination address of the packet to the destination VPN global address according to the obtained destination VPN site ID, and forwarding the packet to the corresponding site according to the destination VPN site ID information.

方式二  Way two

所述入口 PE对接收到的报文进行分析, 得到所述报文的源地址对应的 site;  The ingress PE analyzes the received packet to obtain a site corresponding to the source address of the packet;

通过添加对应的 site的 VPN site ID信息, 将源地址转换为源 VPN全局地址; 通过添加 VPN group ID信息, 将所述报文携带的目的地址转换为目的 VPN全局组播 地址;  The destination address of the packet is converted to the destination VPN global multicast address by adding the VPN site ID information of the corresponding site to the source VPN global address.

根据所述 VPN group ID信息查找在 PE设备上保存的组播路由信息, 获得相应的目的 VPN site ID信息, 并根据所述目的 VPN site ID信息将所述报文组播给对应的 site。  The multicast group information stored on the PE device is searched according to the VPN group ID information, and the destination VPN site ID information is obtained, and the packet is multicasted to the corresponding site according to the destination VPN site ID information.

在该步骤(3) 中, 当通过 P设备转发报文时, 相应的处理过程具体可以包括: 所述 P设备接收到单播报文时, 根据获得的目的 site的聚合路由, 采用标准的 IPv6路由方式 将所述报文转发给出口 PE; 或者, 在所述 P设备接收到组播报文时, 根据所述报文中携 带的 VPN全局组播地址中的 VPN group ID信息, 查找组播路由信息, 得到相应的多播组 中的各个 site的 site ID信息, 之后, 根据所述得到的各个 site ID信息将所述组播报文 组播给相应的多播组中的各个 site。  In the step (3), when the packet is forwarded by the P device, the corresponding processing may include: when the P device receives the unicast packet, adopts the standard IPv6 route according to the obtained aggregated route of the destination site. The method forwards the packet to the egress PE; or, when the P device receives the multicast packet, searches for the multicast route according to the VPN group ID information in the VPN global multicast address carried in the packet. The information is obtained, and the site ID information of each site in the corresponding multicast group is obtained. Then, the multicast packet is multicasted to each site in the corresponding multicast group according to the obtained site ID information.

在该步骤 (3) 中, 当在出口 PE设备转发报文时, 相应的处理过程具体可以包括以 下任一实现方式:  In the step (3), when the egress PE device forwards the packet, the corresponding processing may specifically include any of the following implementation manners:

实现方式一  Implementation one

当出口 PE设备接收到单播报文时, 将所述报文的源、 目的全局地址转换为 VPN内部 的单播本地地址;  When the egress PE device receives the unicast packet, the source and destination global addresses of the packet are translated into a unicast local address in the VPN.

根据目的全局地址中的 VPN site ID信息查找并获得对应的 site的本地路由信息, 根据所述获得的本地路由信息转发所述报文;  Querying and obtaining the local routing information of the corresponding site according to the VPN site ID information in the destination global address, and forwarding the packet according to the obtained local routing information;

实现方式二  Implementation 2

当出口 PE设备接收到组播报文时, 将所述报文的源全局地址转换为 VPN内部的本地 地址;  When the egress PE device receives the multicast packet, the source global address of the packet is translated into a local address in the VPN.

根据报文携带的目的地址中的 VPN group ID信息查找并获得对应的 site的本地路由 信息并根据所述获得的本地路由信息将目的全局地址地址转换为 VPN内部的组播本地地 址; Searching for and obtaining the local routing information of the corresponding site according to the VPN group ID information in the destination address carried in the packet, and converting the destination global address address into the multicast local locality of the VPN according to the obtained local routing information. Address

根据转换后的 VPN内部的组播本地地址中的 group ID信息转发所述报文。  The packet is forwarded according to the group ID information in the multicast local address of the VPN.

在该步骤 (3) 中, 当所述 VPN site访问因特网时, 相应的处理过程可以包括: 所 述 VPN site根据 VPN site ID信息将 VPN内 site的源本地地址转换为源全局地址, 并将目 的本地地址转换为因特网全局地址, 根据转换后的因特网全局地址访问因特网。  In the step (3), when the VPN site accesses the Internet, the corresponding processing may include: converting, by the VPN site, the source local address of the site in the VPN to the source global address according to the VPN site ID information, and The local address is translated to the Internet global address, and the Internet is accessed based on the converted Internet global address.

本发明实施例中, 在执行所述步骤 (3) 之前还可以包括: 在所述入口 PE设备中配 置其与 VPN site连接的接口仅接收目的地址为 VPN本地地址以及 Internet全局地址的报 文, 并拒绝接收目的地址为 VPN全局地址的报文; 以及, 在所述 P设备中配置拒绝接收源 I目的地址为 VPN本地地址的报文。  In the embodiment of the present invention, before performing the step (3), the method further includes: configuring, by the ingress PE device, an interface that is connected to the VPN site to receive only the packet whose destination address is a VPN local address and an Internet global address, And refusing to receive the packet whose destination address is the VPN global address; and configuring the P device to reject the packet whose source IP address is the VPN local address.

本发明实施例中, 在执行所述步骤 (3) 之前还可以包括:  In the embodiment of the present invention, before performing the step (3), the method may further include:

当所述出口 PE接收到报文后, 提取所述报文中的源地址中的 VPN site ID信息; 根据所述 VPN site ID信息, 检查所述报文进入本出口 PE的接口是否为获得 VPN site 聚合路由的接口, 若是, 则通过出口 PE转发所述报文, 否则, 丢弃所述报文。  After receiving the packet, the egress PE extracts the VPN site ID information in the source address of the packet, and checks whether the interface that the packet enters the egress PE is obtained by using the VPN site ID information. Site The interface that aggregates routes. If yes, the packet is forwarded through the egress PE. Otherwise, the packet is discarded.

本发明实施例中, 当 VPN内存在 IPv4站点时, 则相应的步骤(2)还可以包括: 在 PE 设备上为所述 IPv4站点分配 IPv4的 VPN site ID, 并根据所述分配的 IPv4 site ID信息 , 在 PE设备上配置各个 IPv4站点的 IPv4路由信息; 或者, 在 PE设备上为所述 IPv4站点分配 IPv4的 VPN group ID, 并通过组播路由协议, 在 PE设备上将所述分配的 IPv4的 VPN group ID信息加入到组播组中的各个 VPN site中。 相应的步骤 (2) 还可以包括: 在各个 IPv4 站点上为所述 IPv4站点分配 IPv4的 VPN site ID信息, 并根据所述分配的 IPv4 site ID 信息 , 在各个 IPv4站点上分别配置其与相关联的 IPv4站点间 IPv4路由信息; 或者, 在 各个 IPv4站点上为所述 IPv4站点分配 IPv4的 VPN group ID, 并通过组播路由协议, 在各 个 IPv4站点上将所述分配的 IPv4的 VPN group ID信息加入到组播组中的各个 VPN site中。  In the embodiment of the present invention, when the VPN exists in the IPv4 site, the corresponding step (2) may further include: allocating an IPv4 VPN site ID to the IPv4 site on the PE device, and according to the allocated IPv4 site ID. The IPv4 routing information of each IPv4 site is configured on the PE device; or the IPv4 VPN group ID is assigned to the IPv4 site on the PE device, and the allocated IPv4 is configured on the PE device by using a multicast routing protocol. The VPN group ID information is added to each VPN site in the multicast group. The corresponding step (2) may further include: allocating IPv4 VPN site ID information to the IPv4 site on each IPv4 site, and configuring the association with each IPv4 site according to the allocated IPv4 site ID information. IPv4 inter-office IPv4 routing information; or, assigning an IPv4 VPN group ID to the IPv4 site at each IPv4 site, and transmitting the assigned IPv4 VPN group ID information at each IPv4 site through a multicast routing protocol. Join the VPN sites in the multicast group.

本发明实施例中, 当通过 VPN内 IPv6骨干网转发 IPv4报文时, 所述的步骤(3)具体 可以包括以下任一处理方式:  In the embodiment of the present invention, when the IPv4 packet is forwarded through the IPv6 backbone network in the VPN, the step (3) may include any one of the following processing modes:

处理方式一  Processing method one

当入口 PE接收到 IPv4单播报文时, 首先分析所述报文的源 IPv4地址, 并根据所述源 地址信息查找所述配置的 IPv4路由信息, 得到相应的目的 IPv4地址信息, 然后将所述源 和目的 IPv4地址转换为内嵌 IPv4的 IPv6单播地址,并根据所述目的地址转发所述 IPv4报 文;  When the ingress PE receives the IPv4 unicast packet, the source IPv4 address of the packet is first analyzed, and the configured IPv4 routing information is searched according to the source address information to obtain the corresponding destination IPv4 address information, and then the The source and destination IPv4 addresses are translated into an IPv6 unicast address of the embedded IPv4, and the IPv4 packet is forwarded according to the destination address;

当所述 P设备接收到所述报文时, 根据所述 IPv6聚合路由信息转发所述报文给出口 PE设备; And when the P device receives the packet, forwarding the packet to the egress according to the IPv6 aggregate routing information. PE equipment;

出口 PE设备根据所述报文中携带的 IPv4的 VPN site ID信息确定所述报文的目的地 址对应的站点为 IPv4站点时, 则查找 IPv4路由信息, 将所述目的 IPv6地址转换为 IPv4目 的地址, 并根据所述 IPv4目的地址将所述报文转发给对应的目的站点;  The egress device determines, according to the IPv4 VPN site ID information carried in the packet, that the site corresponding to the destination address of the packet is an IPv4 site, and then searches for the IPv4 routing information, and converts the destination IPv6 address into an IPv4 destination address. And forwarding the packet to the corresponding destination site according to the IPv4 destination address;

处理方式二  Processing method 2

当入口 PE接收到 IPv4组播报文时, 首先分析所述报文的源 IPv4地址, 并根据所述源 地址信息查找所述配置的 IPv4路由信息, 得到相应的目的 IPv4地址信息, 然后将所述源 和目的 IPv4地址转换为内嵌 IPv4的 IPv6单播地址,并根据所述目的地址在 IPv6网中转发 所述 IPv4报文;  When receiving the IPv4 multicast packet, the ingress PE first analyzes the source IPv4 address of the packet, and searches for the configured IPv4 routing information according to the source address information to obtain the corresponding destination IPv4 address information, and then The source and destination IPv4 addresses are translated into an IPv6 unicast address with an embedded IPv4, and the IPv4 packet is forwarded in the IPv6 network according to the destination address;

当所述报文到达出口 PE设备时,出口 PE设备根据所述报文中携带的 IPv4的 VPN group When the packet arrives at the egress PE device, the egress PE device is based on the IPv4 VPN group carried in the packet.

ID信息确定所述报文的目的地址对应的站点为 IPv4站点时, 则查找 IPv4路由信息, 将所 述目的 IPv6地址转换为 IPv4目的地址,并根据所述 IPv4目的地址将所述报文转发给对应 的目的站点。 When the ID information determines that the site corresponding to the destination address of the packet is an IPv4 site, it searches for IPv4 routing information, translates the destination IPv6 address into an IPv4 destination address, and forwards the packet to the IPv4 destination address. Corresponding destination site.

总之,本发明实施例基于 IPv6地址结构设置虚拟专用网 VPN内各个站点的 VPN本地地 址和 VPN全局地址;然后根据所述设置的本地地址和全局地址建立所述 VPN中各站点的路 由信息, 并根据所述路由信息, 通过 VPN内各站点传输 VPN报文。 本发明实施例利用 IPv6 地址容纳 VPN信息, 而且统一 VPN报文与普通 IP报文的转发流程, 可在纯 IPv6网络上承载 VPN流量, 解决了现有技术骨干网必须支持 MPLS, 以及采用 MPLS封装 IPv6报文带来的附 加开销问题;  In summary, the embodiment of the present invention sets a VPN local address and a VPN global address of each site in the virtual private network VPN based on the IPv6 address structure; and then establishes routing information of each site in the VPN according to the set local address and the global address, and According to the routing information, VPN packets are transmitted through each site in the VPN. In the embodiment of the present invention, the IPv6 address is used to accommodate the VPN information, and the forwarding process of the VPN packet and the common IP packet is unified, and the VPN traffic can be carried on the pure IPv6 network, which solves the problem that the prior art backbone network must support MPLS and adopts MPLS encapsulation. Additional overhead caused by IPv6 packets;

另外, 本发明实施例根据目的地址前缀的区别, 各个 site可以同时访问 Internet和 In addition, according to the difference of the destination address prefix, each site can simultaneously access the Internet and

VPN, 从而实现简便; 在跨越自治系统时, 只需将 VPN site、 VPN group的路由发布到相 邻的自治系统, 无需自治系统边界路由器存储 /转发 VPN路由, 也无需多层标签栈, 从而 实现比较简单; 另外, 通过本发明实施例, VPN组成关系清晰, VPN路由只需要携带固定 长度的 site ID, 便于处理; 而且 VPN site前缀由运营商 PE添加, 并且在入口 PE作合法 性检查, 在出口 PE作 RPF检查, 保证了 VPN的安全性。 再者, IPv4 site无需升级到 IPv6, 即可通过 IPv6骨干网互连, 形成 VPN。 VPN, which is easy to implement; when crossing the autonomous system, only the routes of the VPN site and the VPN group are advertised to the adjacent autonomous system, and the autonomous system border router does not need to store/forward VPN routes, and does not need a multi-layer label stack. In addition, in the embodiment of the present invention, the VPN composition relationship is clear, and the VPN route only needs to carry a fixed-length site ID, which is convenient for processing; and the VPN site prefix is added by the operator PE, and the legality check is performed at the ingress PE. The egress PE is used for RPF check to ensure the security of the VPN. In addition, the IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.

本发明实施例提供的第一实施例, 基于如图 1所示的传统的运营商提供的 VPN结构, 在所述 VPN中, 包括 CE设备、 入口 PE设备、 P设备和出口 PE设备。 其中 PE设备和 P设备构 成 VPN公网, CE设备和 PE设备构成 VPN内网。 在上述设备中设置站点 (Site) , 每个 Site 均有 ID, 内部 /全局各有一个, 分别称为 VPN本地 Site ID和全局 Site ID, 其中, 全局 Site ID可以与 VPN公网地址的 Site ID相同, 但有不同的前缀。 The first embodiment provided by the embodiment of the present invention is based on a VPN structure provided by a conventional operator as shown in FIG. 1 , and includes a CE device, an ingress PE device, a P device, and an egress PE device in the VPN. The PE device and the P device form a VPN public network, and the CE device and the PE device form a VPN intranet. Set the site in the above device. Each site has an ID. There is one internal/global one. They are called the VPN local site ID and the global site ID. The global site is called the global site. The ID can be the same as the site ID of the VPN public network address, but with a different prefix.

其具体实现过程如图 2所示, 包括:  The specific implementation process is shown in Figure 2, including:

步骤 100、 基于 IPv6地址结构设置各个站点的虚拟专用网 VPN本地地址和 VPN全局地 址, 并在所述 VPN全局地址中使用 site ID标识各站点。  Step 100: Set a virtual private network VPN local address and a VPN global address of each site based on the IPv6 address structure, and use the site ID to identify each site in the VPN global address.

设置 VPN本地地址的过程如下:  The process of setting up a VPN local address is as follows:

类似链路本地地址和站点本地地址设置方法设置 VPN本地地址, VPN本地地址仅在 VPN内网有效, VPN内网中各设备间互访, 均采用这种地址。  Similar to the link-local address and the site-local address setting method, the VPN local address is set. The VPN local address is valid only in the VPN intranet, and the devices in the VPN intranet access each other.

单播 VPN本地地址结构设置为如下所示的结构:  The unicast VPN local address structure is set to the structure shown below:

10 bits I 54— n bits I n bits I 64 bits prefix | reserved | subnet ID interface ID 为了允许目前的主机、 路由器不加修改即可使用 VPN本地地址, 采用与站点本地地 址相同的前缀类型, 如 1111111011设置 VPN本地单播地址, 如下:  10 bits I 54- n bits I n bits I 64 bits prefix | reserved | subnet ID interface ID In order to allow the current host and router to use the VPN local address without modification, use the same prefix type as the site-local address, such as 1111111011 Set the VPN local unicast address as follows:

10 bits I 38 bits I 16 bits I 64 bits  10 bits I 38 bits I 16 bits I 64 bits

1111111011 reserved subnet ID interface ID 组播 VPN本地地址结构设置为如下所示的结构: 1111111011 reserved subnet ID interface ID Multicast The VPN local address structure is set to the following structure:

4 4 112— n l l ll l l l l | flgs | scop reserved | group ID 其中, figs字段包含 4个比特, 如下: 4 4 112— n l l ll l l l l | flgs | scop reserved | group ID where the figs field contains 4 bits, as follows:

0 V 0 T 将 figs字段中的 V比特(第 10位)设置为 1,标识其是 VPN组播地址;为了兼容 RFC3306, 将第 11比特设置为 0; T比特(第 12位) 设置为 1, 标识所述组播地址是非永久的。 scop 段(13-16位)为 1000,表示 VPN内网中有效的组播地址。如此设置后, 形成如下的格式: 80 32 0 V 0 T Set the V bit (bit 10) in the figs field to 1, indicating that it is a VPN multicast address; to be compatible with RFC3306, set the 11th bit to 0; T bit (bit 12) is set to 1 , identifying that the multicast address is non-permanent. The scop segment (13-16 bits) is 1000, indicating a valid multicast address in the VPN intranet. After this setting, the following format is formed: 80 32

11111111 | 0101 | 1000 reserved | group ID 11111111 | 0101 | 1000 reserved | group ID

VPN全局地址用于在运营商网络, 即 VPN公网上对 VPN内的目的地址进行寻址。 运营 商只关心路由器如何到达一个 VPN站点, 以及到达哪个 VPN站点, 而不关心如何到达 VPN 内部目的站点。 The VPN global address is used to address the destination address in the VPN on the carrier network, that is, the VPN public network. The operator only cares about how the router arrives at a VPN site and which VPN site it arrives, regardless of how it reaches the VPN internal destination site.

VPN全局地址不同于全局公网地址, 路由器必须防止不同 VPN的 VPN全局地址相互可 达。  The VPN global address is different from the global public address. The router must prevent VPN global addresses of different VPNs from reaching each other.

设置 VPN全局地址的过程如下:  The process of setting the VPN global address is as follows:

单播 VPN全局地址设置为如下结构:  The unicast VPN global address is set to the following structure:

48— n bits n bits 64 bits vpn global routing prefix subnet ID | interface ID 48- n bits n bits 64 bits vpn global routing prefix subnet ID | interface ID

为了在 VPN公网中寻址到一个 VPN Site, 将所述 vpn global routing prefix设置为 包含一个前缀 002, 以及一个 VPN Site ID的结构; Subnet ID和 interface ID仅用于保 存 VPN内部单播地址, 在 VPN公网上寻址时被忽略。 如此设置后, 形成如下结构: In order to address a VPN site in the VPN public network, the vpn global routing prefix is set to include a prefix 002, and a VPN Site ID structure; the Subnet ID and the interface ID are only used to save the VPN internal unicast address. It is ignored when addressing on the VPN public network. After this setting, the following structure is formed:

45 bits 16 bits 64 bits 45 bits 16 bits 64 bits

002 VPN site ID subnet ID interface ID 002 VPN site ID subnet ID interface ID

组播 VPN全局地址设置为如下结构: The multicast VPN global address is set to the following structure:

112-n-m 112-n-m

111111111 figs I scop reserved | VPN group ID | group ID 其中, VPN group ID表示 VPN的各个 Site之间传播组播报文的组播组。 当 scop字段 设置为 1110时, 表示所述地址为在全局有效的组播地址。 group ID仅用于保存 VPN内部 的组播地址, 在公网上寻址时被忽略。 如此设置后, 形成如下的结构: 111111111 figs I scop reserved | VPN group ID | group ID The VPN group ID indicates the multicast group that propagates multicast packets between sites in the VPN. When the scop field is set to 1110, it indicates that the address is a globally valid multicast address. The group ID is only used to save the multicast address inside the VPN and is ignored when addressing on the public network. After this setting, the following structure is formed:

8 48 32 32 8 48 32 32

11111111 | 0101 | 1110 reserved | VPN group ID | group ID 上述设置的单播 VPN本地地址和 VPN全局地址之间可互相映射, 在映射时, 所述 Interface ID、 subnet ID字段在映射时保持不变, 处理其它字段时, 根据全局 /本地地 址的结构特征, 添加不同的前缀, 并添加或清除 VPN site ID信息。 11111111 | 0101 | 1110 reserved | VPN group ID | group ID The unicast VPN local address and the VPN global address can be mapped to each other. When mapping, the Interface ID and subnet ID fields remain unchanged during mapping. When processing other fields, add different prefixes according to the structural characteristics of the global/local address, and add or clear the VPN site ID information.

组播 VPN全局地址由 VPN本地地址映射而成, 在映射时, 按照全局 /本地地址的特征 设置 scop字段, 并添加或清除 VPN group ID。 步骤 200、 建立各个 site间的连接关系, 即 VPN的拓扑关系。  The multicast VPN global address is mapped by the VPN local address. When mapping, set the scop field according to the characteristics of the global/local address, and add or clear the VPN group ID. Step 200: Establish a connection relationship between the sites, that is, a topology relationship of the VPN.

VPN拓扑关系的建立方法包括如下三种:  The establishment of a VPN topology relationship includes the following three methods:

第一种, 使用单播 VPN全局地址中的 VPN Site ID字段中的部分字段标识 VPN, 即 VPN ID, 如果一些 Site属于同一个 VPN网络, 则它们具备同样的 VPN ID。 VPN site ID格式如 下:  The first type uses a part of the VPN Site ID field in the unicast VPN global address to identify the VPN, that is, the VPN ID. If some Sites belong to the same VPN network, they have the same VPN ID. The format of the VPN site ID is as follows:

I 45- m bits | m bits  I 45- m bits | m bits

VPN ID I Site ID 第二种方式, 为单播 VPN全局地址中的 VPN site ID字段附加路由属性来表达 VPN拓 扑关系。 这种路由属性可采用 BGP扩展团体属性中的目标路由 (Route Target ; RT) 的 格式。  VPN ID I Site ID The second method is to add a route attribute to the VPN site ID field in the unicast VPN global address to express the VPN topology. This routing attribute can be in the format of the Route Target (RT) in the BGP extended community attribute.

第三种方式,在 VPN内的 PE设备上静态配置一个 site与其它相关联的 site间的 VPN关 系, 形成 VPN拓扑关系。  In the third mode, a VPN relationship between a site and other associated sites is statically configured on the PE device in the VPN to form a VPN topology relationship.

步骤 300、 配置所述 VPN内各个 site设备的路由属性信息。  Step 300: Configure routing attribute information of each site device in the VPN.

步骤 300的具体实施过程如下:  The specific implementation process of step 300 is as follows:

步骤 310、 在 PE设备上配置 VPN内的各个 site间的路由信息。  Step 310: Configure routing information between the sites in the VPN on the PE.

针对步骤 200中的通过第一种方式形成的 VPN拓扑关系,在初始化时, PE设备配置 VPN 内的各个 site, 并为其分配相应的 VPN site ID信息, PE设备根据所述 VPN site ID信息 生成 IPv6聚合路由, 称为 VPN site路由, 例如 002 : VPN site ID : : /48, 并通过路由协议 发布给 VPN的 P设备以及其它 PE设备。 目的 PE设备根据所述 VPN site ID信息中包含的 VPN ID信息, 与本地配置的 VPN site ID中的 VPN ID进行匹配, 如果相同, 则保存这条路由, 否则丢弃。 具体实时过程包括如下步骤: For the VPN topology relationship formed by the first method in step 200, the PE device configures the VPN during initialization. Each site in the network is assigned a corresponding VPN site ID information, and the PE device generates an IPv6 aggregation route, which is called a VPN site route, for example, 002: VPN site ID: : /48, and routes through the VPN site ID information. The protocol is issued to the P device of the VPN and other PE devices. The destination PE device matches the VPN ID in the locally configured VPN site ID according to the VPN ID information included in the VPN site ID information. If the information is the same, the route is saved. Otherwise, the route is discarded. The specific real-time process includes the following steps:

步骤 311、 在 PE设备中设置 VPN site, 并为其赋予 VPN site ID;  Step 311: Set a VPN site in the PE device, and assign a VPN site ID to the PE device.

步骤 312、 PE设备根据所述 VPN site ID生成 IPv6聚合路由, 即 VPN site路由; 步骤 313、所述 PE设备通过路由协议将所述 IPv6聚合路由发布给 VPN的 P设备和 /或目 的 PE;  Step 312: The PE device generates an IPv6 aggregation route, that is, a VPN site route, according to the VPN site ID. Step 313: The PE device advertises the IPv6 aggregation route to the P device and/or the destination PE of the VPN through a routing protocol.

步骤 314、 所述 P设备和 /或目的 PE根据所述 VPN site ID中包含的 VPN ID信息, 与本 地配置的 VPN site ID中的 VPN ID进行比较, 若相同, 则保存此路由; 否则丢弃所述路 由。  Step 314: The P device and/or the destination PE compares the VPN ID information included in the VPN site ID with the VPN ID in the locally configured VPN site ID. If the information is the same, the route is saved; otherwise, the route is saved. Said routing.

经过上述过程后, 属于同一个 VPN的各个 Site之间可达, 不属于同一个 VPN的各个 Site之间不可达。  After the above process, the sites belonging to the same VPN are reachable, and the sites that do not belong to the same VPN are unreachable.

如果 VPN内有组播报文, 则当 PE设备配置 VPN site时, 需要为所述 VPN site (即 PE 设备配置的 VPN site) 分配 VPN group ID信息, 并通过组播路由协议, 将其加入到组播 组 (group) 中的 VPN site中。  If there is a multicast packet in the VPN, the VPN site ID information is assigned to the VPN site (that is, the VPN site configured for the PE device) and is added to the VPN site through the multicast routing protocol. In the VPN site in the multicast group.

针对步骤 200中通过第二种方式形成的 VPN拓扑关系,当 VPN内仅仅转发单播报文时, 通过初始化, 在 VPN的 PE设备上配置 VPN内的各个 site, 并为所述各个 site分别分配 VPN site ID, 入口 RT列表和出口 RT列表。 PE设备根据这些信息生成一个 IPv6聚合路由信息, 例如 002 : VPN site ID: : /48, 并添加出口 RT列表中包含的 RT扩展团体属性, 通过路由协 议发布给 P设备以及其它 PE设备。 目的 PE设备将 VPN路由中的 RT列表与本地入口 RT列表进 行匹配, 如果至少有一个 RT扩展属性相同, 则保存这条路由, 否则丢弃。 这样, 根据 RT 扩展属性的匹配关系, 可构造 full mesh (全互连网络) , hub-spoke (—种网络拓扑结 构) 等多种 VPN拓扑形式, 并可以构造 Intranet (企业内部互联网) , Extranet (外部 网络) 等。 具体实施过程包括如下步骤:  For the VPN topology relationship formed by the second method in step 200, when only the unicast packets are forwarded in the VPN, the sites in the VPN are configured on the PEs of the VPN, and the VPNs are respectively allocated to the sites. Site ID, entry RT list and exit RT list. Based on the information, the PE device generates an IPv6 aggregation routing information, for example, 002: VPN site ID: : /48, and adds the RT extended community attribute contained in the egress RT list to the P device and other PE devices through the routing protocol. The PE device matches the RT list in the VPN route with the local ingress RT list. If at least one RT extension attribute is the same, the route is saved. Otherwise, the route is discarded. In this way, according to the matching relationship of RT extended attributes, multiple VPN topologies such as full mesh and hub-spoke can be constructed, and intranet (intranet) and extranet can be constructed. External network) and so on. The specific implementation process includes the following steps:

步骤 315、 在初始化时, 通过 VPN的 PE设备配置 VPN内各个 site, 并为所述各个 site 分别分配 VPN site ID信息、 入口路由目标 RT信息和出口 RT信息;  Step 315: During initialization, configure a site in the VPN through the PE device of the VPN, and allocate VPN site ID information, ingress route target RT information, and exit RT information for each site.

步骤 316、 PE设备根据所述 VPN site ID信息、 入口 RT信息和出口 RT信息生成 IPv6 聚合路由信息; 步骤 317、 在所述 IPv6聚合路由信息中添加出口 RT信息中包含的 RT扩展团体属性, 并通过路由协议将其发布给 VPN的 P设备和 /或目的 PE; Step 316: The PE device generates IPv6 aggregate routing information according to the VPN site ID information, the ingress RT information, and the egress RT information. Step 317: Add, in the IPv6 aggregate routing information, the RT extended community attribute included in the egress RT information, and advertise the same to the P device and/or the destination PE of the VPN through the routing protocol.

步骤 318、所述 P设备和 /或目的 PE根据所述 VPN路由中的 RT扩展团体属性信息, 与本 地配置的入口 RT信息中的 RT扩展团体属性信息进行比较,若至少有一个 RT扩展团体属性 信息相同, 则保存此路由; 否则丢弃所述路由。  Step 318: The P device and/or the destination PE compares with the RT extended community attribute information in the locally configured ingress RT information according to the RT extended community attribute information in the VPN route, if at least one RT extended community attribute exists. If the information is the same, the route is saved; otherwise the route is discarded.

如果 VPN内有组播报文, 则通过 PE配置 VPN内各个 site时, 为所述各个 site分配 VPN group ID信息, 然后, PE设备通过组播路由协议, 将所述 VPN group ID信息加入到组播 组 (group) 的各个 site。  If there are multicast packets in the VPN, the VPN group ID information is allocated to each site when the PEs are configured with the sites in the VPN. Then, the PE device adds the VPN group ID information to the group through the multicast routing protocol. Each site of the group.

经过上述步骤后, 无论哪种方式, 最终在 PE上为每个 site形成一个路由列表, 在所 述列表中包含了与所述 site存在 VPN关系的各个 site 的 site ID信息。  After the above steps, in any way, a routing list is formed for each site on the PE, and the site ID information of each site having a VPN relationship with the site is included in the list.

步骤 320、 在各个 site上配置所述 site的路由信息。 具体实施过程包括如下步骤: 步骤 321、 静态配置各个 site间的路由信息;  Step 320: Configure routing information of the site on each site. The specific implementation process includes the following steps: Step 321: Statically configure routing information between sites;

或,  Or,

步骤 322、 通过在 PE设备与 PE设备间运行路由协议, 获得与所述 site属于同一 VPN 的其它 Site的路由信息。  Step 322: Run a routing protocol between the PE device and the PE device to obtain routing information of other sites that belong to the same VPN as the site.

步骤 322的实施过程具体包括:  The implementation process of step 322 specifically includes:

首先, 本地 PE设备发布 VPN路由信息给目标 PE设备, 所述 VPN路由信息携带本地 PE 设备上设置的 site的 VPN site ID信息。  First, the local PE device advertises the VPN routing information to the target PE device, where the VPN routing information carries the VPN site ID information of the site set on the local PE device.

接着, 所述目标 PE接收到所述 VPN路由信息时, 根据所述 VPN site ID信息检查其内 是否存在与本地 PE上设置的 Site属于同一 VPN的 Site, 若存在属于同一个 VPN的 Site, 则 将所述 Site的信息加入到本地 PE上设置的 Site的路由信息中。  When the target PE receives the VPN routing information, it checks whether there is a site belonging to the same VPN as the site set on the local PE according to the VPN site ID information, and if there is a site belonging to the same VPN, The information of the site is added to the routing information of the site set on the local PE.

所述 Site的路由信息包含了所述 site以及与所述 site有 VPN关系的全部 site的路由 信息。  The routing information of the Site includes routing information of the site and all sites having a VPN relationship with the site.

步骤 400、 基于上述设置的 site路由信息实现 VPN报文的传输。 具体实施过程如下: 当在 VPN内部的各个 site之间转发报文时:  Step 400: Implement VPN message transmission based on the site routing information set by the foregoing. The specific implementation process is as follows: When forwarding packets between sites within the VPN:

由于通过上述配置过程, 在每个 Site均已经获得到达其它 site的路由, 故能够采用 标准的单 /组播转发机制。所述 Site通过标准的单播 /组播转发机制转发 VPN报文给 VPN内 部的其它 Site设备, 所述报文携带的源 /目的地址均采用 VPN内部地址格式构造。  Since the route to other sites has been obtained at each Site through the above configuration process, a standard single/multicast forwarding mechanism can be adopted. The site forwards the VPN packet to other Site devices in the VPN through the standard unicast/multicast forwarding mechanism. The source/destination addresses carried in the packet are constructed in the VPN internal address format.

当需要通过入口 PE设备中的 s i t e转发 VPN报文时:  When you need to forward VPN packets through s i t e in the ingress PE device:

由于通常全局 VPN地址, 包括源 /目的地址只能由 PE生成, 为防止伪造的 VPN报文进 入骨干网, 在 PE设备上需要进行入口检查, 即在 PE设备连接各个 s ite的接口上, 配置其 仅接收目的地址为 VPN本地地址以及 Internet全局地址的报文,拒绝接收目的地址为 VPN 全局地址的报文。 同时配置其它接口不接收源 /目的地址为 VPN本地地址的报文。 以及配 置 P设备不接收源 /目的地址为 VPN本地地址的报文。 Generally, the global VPN address, including the source/destination address, can only be generated by the PE to prevent forged VPN packets. On the inbound backbone network, you need to perform the ingress check on the PE device. That is, the interface that connects the PEs to the local device is configured to receive only the packets with the destination address being the VPN local address and the Internet global address. Address message. At the same time, other interfaces are not allowed to receive packets whose source/destination address is a VPN local address. And the P device does not receive packets whose source/destination address is a VPN local address.

当在入口 PE设备转发 VPN报文时, 首先, 要识别所述 VPN报文属于哪个 Site , —般采 用接口 /子接口方式来识别,也可以根据 IPv6三元组 /IPv4五元组 /VLAN/DSCP等多种方式 来进行识别。 一旦识别之后, 对于单播报文, 在所述报文携带的源地址结构中增加 VPN s ite ID信息, 将源地址转换为源 VPN全局地址, 然后, 根据目的地址, 查找 PE设备上保 存的 s ite路由信息, 当找到对应的目的 s ite的 s ite ID信息后, 则根据所述目的 s ite ID 信息将报文中携带的目的地址转换为目的 VPN全局地址,然后根据转换后的目的 VPN全局 地址, 将所述 VPN报文转发到下一跳。 对于组播报文, 首先添加源 VPN s ite ID, 将源地 址转换为源 VPN全局地址; 然后添加 VPN group ID信息, 将目的地址转换为目的 VPN全局 组播地址; 然后根据所述 VPN group ID信息在 PE设备上保存的组播路由信息中查找对应 的目的 s ite ID信息, 最后根据所述查找到的目的 s ite ID信息将所述 VPN报文进行转发。 具体实施过程如下:  When the ingress PE device forwards the VPN packet, first, to identify which site the VPN packet belongs to, it is generally identified by the interface/sub-interface method, or according to the IPv6 triplet/IPv4 quintuple/VLAN/ DSCP and other methods are used for identification. After the unicast packet is added, the VPN site ID information is added to the source address structure carried in the packet, and the source address is converted into the source VPN global address. Then, according to the destination address, the s saved on the PE device is searched. The ite routing information, after the site ID information of the destination site is found, the destination address carried in the packet is converted into the destination VPN global address according to the destination site ID information, and then the VPN is globally based on the translated destination. Address, forward the VPN packet to the next hop. For the multicast packet, first add the source VPN site ID, and convert the source address to the source VPN global address. Then add the VPN group ID information to convert the destination address to the destination VPN global multicast address. Then, according to the VPN group ID. The information is searched for the corresponding destination site ID information in the multicast routing information saved on the PE device, and finally the VPN packet is forwarded according to the found destination site ID information. The specific implementation process is as follows:

当在入口 PE设备转发单播报文时, 包括:  When the unicast packet is forwarded by the ingress PE device, it includes:

步骤 411、 所述入口 PE对接收到的报文进行分析, 得到所述报文的源地址对应的 s ite ;  Step 411: The ingress PE analyzes the received packet, and obtains a site corresponding to the source address of the packet.

步骤 412、 为所述报文添加所述源地址对应的 s ite的 VPN s ite ID信息, 并将源地址 转换为源 VPN全局地址;  Step 412: Add the VPN site ID information of the site corresponding to the source address to the packet, and convert the source address into a source VPN global address.

步骤 413、 根据所述报文携带的目的地址查找相应的目的 s ite的路由信息, 获得目 的 VPN s ite ID信息;  Step 413: Search for routing information of the destination site according to the destination address carried in the packet, and obtain the destination VPN site ID information.

步骤 414、 根据所述获得的目的 VPN s ite ID将所述报文携带的目的地址转换为目的 VPN全局地址, 并根据所述目的 VPN s ite ID信息将所述报文转发给对应的 s ite。  Step 414: Convert the destination address carried by the packet to the destination VPN global address according to the obtained destination VPN site ID, and forward the packet to the corresponding site according to the destination VPN site ID information. .

当在入口 PE设备转发组播报文时, 包括:  When the ingress PE device forwards multicast packets, it includes:

步骤 421、 所述入口 PE对接收到的报文进行分析, 得到所述报文的源地址对应的 s ite ;  Step 421: The ingress PE analyzes the received packet, and obtains a site corresponding to the source address of the packet.

步骤 422、 通过添加对应的 s i te的 VPN s ite ID信息, 将源地址转换为源 VPN全局地 址;  Step 422: Convert the source address to the source VPN global address by adding the corresponding VPN site ID information of the s i te;

步骤 423、 通过添加 VPN group ID信息, 将所述报文携带的目的地址转换为目的 VPN 全局组播地址; Step 423: Convert the destination address carried by the packet to the destination VPN by adding the VPN group ID information. Global multicast address;

步骤 424、 根据所述 VPN group ID信息查找在 PE设备上保存的组播路由信息, 获得 相应的目的 VPN site ID信息, 并根据所述目的 VPN site ID信息将所述报文组播给对应 的 site。  Step 424: Search for the multicast routing information saved on the PE device according to the VPN group ID information, obtain the corresponding destination VPN site ID information, and multicast the packet to the corresponding destination according to the destination VPN site ID information. Site.

当需要在 P设备转发 VPN报文时:  When you need to forward VPN packets on the P device:

对于单播报文, 由于 P设备已经获得了到达目的 site的聚合路由, 因此, 采用标准 的 IPv6路由转发即可到达出口 PE。 对于组播报文, 需要根据 VPN全局组播地址中的 VPN group ID信息, 查找组播路由信息, 进行转发。 其不同于标准的组播转发流程, 而是按 照最长匹配的方式根据组播聚合路由进行转发, 也称为组播聚合路由转发。具体实施过 程如下:  For unicast packets, the P device has obtained the aggregated route to the destination site. Therefore, the standard IPv6 route forwarding can be used to reach the egress PE. For multicast packets, you need to search for multicast routing information based on the VPN group ID information in the global multicast address of the VPN. Different from the standard multicast forwarding process, it is forwarded according to the multicast aggregation route according to the longest matching method, also known as multicast aggregation route forwarding. The specific implementation process is as follows:

当通过 P设备转发单播 VPN报文时, 包括:  When a unicast VPN packet is forwarded through the P device, the following information is included:

步骤 431、所述 P设备接收到单播报文时, 根据获得的目的 site的聚合路由, 采用标 准的 IPv6路由方式将所述报文转发给出口 PE;  Step 431: When receiving the unicast packet, the P device forwards the packet to the egress PE by using a standard IPv6 routing manner according to the obtained aggregated route of the destination site.

当通过 P设备转发组播 VPN报文时, 包括:  When a multicast VPN packet is forwarded through the P device, the following information is included:

步骤 432、 所述 P设备接收到组播报文时, 根据所述报文中携带的 VPN全局组播地址 中的 VPN group ID信息, 查找组播路由信息, 得到相应的多播组中的各个 site的 site ID 信息;  Step 432: When receiving the multicast packet, the P device searches for multicast routing information according to the VPN group ID information in the VPN global multicast address carried in the packet, and obtains each of the corresponding multicast groups. Site ID information of the site;

步骤 433、 根据所述得到的各个 site ID信息将所述组播报文组播给相应的多播组中 的各个 site。  Step 433: Multicast the multicast packet to each site in the corresponding multicast group according to the obtained site ID information.

当需要通过出口 PE设备转发 VPN报文时:  When you need to forward VPN packets through the egress PE device:

当需要通过出口 PE设备转发报文时, 为防止入口 PE上的误配置或安全检查失效, 在 出口 PE上, 应该防止进入的报文设置了非法源 site ID。 方法是: 当所述出口 PE接收到 报文后, 首先提取所述报文中的源地址中的 VPN site ID信息; 然后, 根据所述 VPN site ID信息,检查所述报文进入本出口 PE的接口是否为获得 VPN site聚合路由的接口,若是, 则通过所述出口 PE转发所述报文, 否则, 丢弃所述报文。  To prevent the misconfiguration or security check on the ingress PE from being invalidated on the egress PE, you should prevent the illegal source site ID from being set on the egress PE. The method is: after the egress PE receives the packet, first extracts the VPN site ID information in the source address in the packet; and then, according to the VPN site ID information, checks that the packet enters the egress PE. If the interface is the interface that obtains the VPN site aggregation route, the packet is forwarded by the egress PE. Otherwise, the packet is discarded.

在出口 PE上转发 VPN报文时, 对于单播报文, 首先将源、 目的全局地址转换成 VPN 内部的单播本地地址, 然后根据转换后的目的地址中的 site ID信息, 查找对应的本地 site路由信息, 并根据所述信息转发所述 VPN报文。对于组播报文, 将源地址转换为 VPN 内部的组播本地地址, 并根据目的地址中的 VPN group ID信息, 定位到本地 site, 将目 的全局地址地址转换为 VPN内部的组播本地地址,然后根据转换后的 VPN内部的组播本地 地址中的 group ID信息转发所述报文。 具体实施过程如下: When forwarding a VPN packet on the egress PE, the unicast packet is first converted into a unicast local address in the VPN, and then the local site is searched according to the site ID information in the translated destination address. Routing information, and forwarding the VPN packet according to the information. For the multicast packet, the source address is translated into the multicast local address of the VPN, and the destination global address is translated into the multicast local address of the VPN according to the VPN group ID information in the destination address. Then according to the multicast locality inside the converted VPN The group ID information in the address forwards the message. The specific implementation process is as follows:

当在出口 PE设备转发单播报文时, 包括:  When forwarding an unicast packet on the egress PE device, it includes:

步骤 451、 当出口 PE设备接收到单播报文时, 将所述报文的源、 目的全局地址转换 为 VPN内部的单播本地地址;  Step 451: When the egress PE device receives the unicast packet, the source and destination global addresses of the packet are translated into a unicast local address in the VPN.

步骤 452、 根据目的全局地址中的 VPN site ID信息查找并获得对应的 site的本地路 由信息;  Step 452: Search and obtain local route information of the corresponding site according to the VPN site ID information in the destination global address.

步骤 453、 根据所述获得的本地路由信息转发所述报文;  Step 453: Forward the packet according to the obtained local routing information.

当在出口 PE设备转发组播报文时, 包括:  When the egress packet is forwarded by the egress PE device, it includes:

步骤 454、 当出口 PE设备接收到组播报文时, 将所述报文的源全局地址转换为 VPN 内部的本地地址;  Step 454: When the egress PE device receives the multicast packet, the source global address of the packet is translated into a local address in the VPN.

步骤 455、 根据报文携带的目的地址中的 VPN group ID信息查找并获得对应的 site 的本地路由信息并根据所述获得的本地路由信息将目的全局地址地址转换为 VPN内部的 组播本地地址;  Step 455: Search and obtain the local routing information of the corresponding site according to the VPN group ID information in the destination address of the packet, and convert the destination global address address into a multicast local address in the VPN according to the obtained local routing information.

步骤 456、 根据转换后的 VPN内部的组播本地地址中的 group ID信息转发所述报文。 上述过程描述了 VPN内各个 site之间互相访问的过程, VPN site除了访问 VPN内其它 site夕卜, 还可以同时访问 Internets  Step 456: Forward the packet according to the group ID information in the multicast local address of the converted VPN. The above process describes the process of accessing each site in the VPN. In addition to accessing other sites in the VPN, the VPN site can also access the Internet.

当所述 VPN site访问因特网时, 所述 VPN site根据 VPN site ID信息将 VPN内 site 的本地地址转换为因特网全局地址, 并根据转换后的因特网全局地址访问因特网。  When the VPN site accesses the Internet, the VPN site converts the local address of the site in the VPN into an Internet global address according to the VPN site ID information, and accesses the Internet according to the converted Internet global address.

VPN内部的本地地址转换为 Internet全局地址的格式如下所示:  The format of the internal address translation of the VPN to the Internet global address is as follows:

I 3 I 45 bits | 16 bits | 64 bits |  I 3 I 45 bits | 16 bits | 64 bits |

I 0011 global routing prefix | subnet ID | interface ID | 上述格式为 RFC3587标准格式, 其中, global routing prefix可以通过 VPN site ID 自动生成。 I 0011 global routing prefix | subnet ID | interface ID | The above format is RFC3587 standard format, where the global routing prefix can be automatically generated by the VPN site ID.

通过本发明实施例, 可以看出, 在转发 VPN报文时, 采用了标准的 IPv6路由转发方 式, 因此在跨越自治系统时, 只需要将 VPN内各个 site, 或 VPN内的组播组 (group) 的 路由信息发布到相邻的自治系统, 以及属于同一个 VPN网络的 PE设备之间分发 VPN内各个 site的路由即可。 通过本发明实施例, 还能够实现 IPV4站点的互联, 即通过 IPv6骨干网络将多个 IPv4 网络互相连接起来, 或者接入采用 IPv4地址的 VPN用户, 此时对于单播报文, VPN内的 PE 设备对每个 IPv4 site, 仍然分配一个 IPv6的 VPN site ID; 对于组播报文, 对每个 IPv4 site仍然分配一个 VPN group ID, 同时维护 IPv4路由信息, 并保存到 IPv4路由信息中, 但这种 IPv4路由信息携带一个路由属性, 包含 IPv4所属的 VPN site ID。 With the embodiment of the present invention, it can be seen that the standard IPv6 routing and forwarding mode is adopted when forwarding VPN packets. Therefore, when spanning the autonomous system, only the sites in the VPN or the multicast groups in the VPN are required. The routing information is advertised to the neighboring autonomous system, and the routes of the sites in the VPN are distributed between the PE devices belonging to the same VPN network. The embodiment of the present invention can also implement interconnection of IPV4 sites, that is, multiple IPv4s through an IPv6 backbone network. The network is connected to each other or to a VPN user with an IPv4 address. For a unicast packet, the PE device in the VPN still assigns an IPv6 VPN site ID to each IPv4 site. For multicast packets, for each multicast packet, The IPv4 site still assigns a VPN group ID and maintains the IPv4 routing information and saves it to the IPv4 routing information. However, the IPv4 routing information carries a routing attribute, including the VPN site ID to which the IPv4 belongs.

通过 VPN拓扑发现过程, PE设备获得 site内部的 IPv4路由后, 要增加 VPN site ID属 性, 发布给其它 PE设备, 目的 PE设备检查这个 site是否与本地的某个 site属于同一个 VPN, 如果相同, 则保存这条路由, 否则丢弃。  After the VPN topology is discovered, after the PE device obtains the IPv4 route from the site, the PE site ID attribute is added to other PEs. The destination PE device checks whether the site belongs to the same VPN as the local site. Then save this route, otherwise discard.

从 CE设备进入 PE设备的单播报文, 根据入接口等信息确定它源自哪个 site, 然后 查找 IPv4路由表,确定相应的目的 site,然后将源 /目的 IPv4地址转换为内嵌 IPv4的 IPv6 VPN单播地址, 格式如下:  The unicast packet from the CE device to the PE device determines which site it originates from based on the inbound interface, and then searches the IPv4 routing table, determines the destination site, and then translates the source/destination IPv4 address into an IPv6 VPN with embedded IPv4. Unicast address, the format is as follows:

45 bits 32 16 32 bits 45 bits 32 16 32 bits

VPN site ID 然后根据目的 Site, 找到下一跳进行转发。 进入 P设备的单播报文, P设备根据上 述地址, 查找 VPN site的聚合路由, 进行转发。 到达出口 PE时, 根据 VPN site ID, 获 知其目的地址是一个 IPv4 site, 转换为 IPv4地址, 查找 IPv4路由表转发给 CE。  The VPN site ID then finds the next hop for forwarding according to the destination site. After the unicast packet is sent to the P device, the P device searches for the aggregated route of the VPN site according to the address and forwards the packet. When the egress PE is reached, the IPv4 routing table is forwarded to the IPv4 address and the IPv4 routing table is forwarded to the CE.

从 CE进入 PE的组播报文, 首先根据入接口等信息确定它源自哪个 site, 确定 VPN group,然后将源地址转换为内嵌 IPv4的 IPv6 VPN单播地址,将目的地址转换为内嵌 IPv4 的 IPv6 VPN组播地址, 格式如下:  The multicast packet that enters the PE from the CE is first determined according to the inbound interface and other information, determines the VPN site, determines the VPN group, and then translates the source address into an IPv6 VPN unicast address embedded with IPv4, and translates the destination address into the embedded address. IPv4 IPv6 VPN multicast address, in the following format:

8 4 4 48 32 32 8 4 4 48 32 32

11111111 | 0101 | 1110 reserved | VPN group ID | IPv4 address 然后根据 VPN group, 在骨干网内进行转发。 到达出口 PE时, 根据 VPN group ID, 知道其目的地是一个 IPv4 site, 转换为 IPv4组播地址, 然后转发给 CE。 11111111 | 0101 | 1110 reserved | VPN group ID | IPv4 address Then forwarded in the backbone network according to the VPN group. When the egress PE is reached, it knows that its destination is an IPv4 site, translates it to an IPv4 multicast address, and forwards it to the CE based on the VPN group ID.

由上述本发明实施例的具体实施方案可以看出, 本发明实施例利用 IPv6地址结构, 无需附加 VPN前缀即可组成 VPN地址, VPN网络内部本地地址的寻址和 VPN报文的封装都基 于 IPv6地址结构, VPN网络中站点的路由不需要采用特殊方法, 采用普通的 IPv6路由即 可实现, 也不需要采用特殊的隧道来封装 VPN报文。 而且在 VPN骨干网内部不需要保存、 也不需要发布 VPN内部各个站点的路由信息。 因此, 其存在如下显著效果:As can be seen from the foregoing specific embodiments of the present invention, the embodiment of the present invention utilizes an IPv6 address structure, and can form a VPN address without adding a VPN prefix. The addressing of the local address and the encapsulation of VPN packets in the VPN network are all based on IPv6. The address structure, the route of the site in the VPN network does not need to adopt a special method, and can be implemented by using ordinary IPv6 routes, and does not need to use a special tunnel to encapsulate VPN packets. And there is no need to save inside the VPN backbone. There is also no need to publish routing information for each site within the VPN. Therefore, it has the following significant effects:

1、 利用 IPv6地址容纳 VPN信息, VPN报文无需附加的开销; 1. The IPv6 address is used to accommodate VPN information, and no additional overhead is required for VPN packets.

2、 VPN报文与普通 IP报文的转发流程统一, 可在纯 IPv6网络上承载 VPN流量; 2. The forwarding process of the VPN packets and the common IP packets is unified, and the VPN traffic can be carried on the pure IPv6 network.

3、 P设备仅维护 VPN site聚合路由, 开销小; 3. The P device maintains only the VPN site aggregation route, and the overhead is small.

4、 VPN组成关系清晰, VPN路由只需要携带固定长度的 site ID, 便于处理; 4. The VPN has a clear relationship. The VPN route only needs to carry a fixed-length site ID for easy processing.

5、 根据目的地址前缀的区别, site可以同时访问 Internet和 VPN, 实现简便;5. According to the difference of the destination address prefix, the site can access the Internet and the VPN at the same time, which is easy to implement;

6、 VPN site前缀由运营商 PE添加, 并且在入口 PE作合法性检查, 在出口 PE作 RPF检 查, 保证了 VPN的安全性; 6. The VPN site prefix is added by the operator PE, and the legitimacy check is performed on the ingress PE, and the RPF check is performed on the egress PE to ensure the security of the VPN.

7、 IPv4 site无需升级到 IPv6, 即可通过 IPv6骨干网互连, 形成 VPN;  7. The IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.

8、 跨越自治系统的方法实现简单, 无需自治系统边界路由器存储 /转发 VPN路由, 也无需多层标签栈。  8. The method of crossing the autonomous system is simple to implement. There is no need for the autonomous system border router to store/forward VPN routes, and there is no need for a multi-layer label stack.

总之, 本发明实施例根据目的地址前缀的区别, 各个 site可以同时访问 Internet和 VPN, 从而实现简便; 在跨越自治系统时, 只需将 VPN site、 VPN group的路由发布到相 邻的自治系统, 无需自治系统边界路由器存储 /转发 VPN路由, 也无需多层标签栈, 从而 实现比较简单; 而且, 通过本发明实施例, VPN组成关系清晰, VPN路由只需要携带固定 长度的 site ID, 便于处理; 而且 VPN site前缀由运营商 PE添加, 并且在入口 PE作合法 性检查, 在出口 PE作 RPF检查, 保证了 VPN的安全性。 再者, IPv4 site无需升级到 IPv6, 即可通过 IPv6骨干网互连, 形成 VPN。  In summary, in the embodiment of the present invention, according to the difference of the destination address prefix, each site can access the Internet and the VPN at the same time, thereby facilitating the implementation; when crossing the autonomous system, only the routes of the VPN site and the VPN group are advertised to the adjacent autonomous system. The autonomous system border router does not need to store/forward the VPN route, and the multi-layer label stack is not required, so that the implementation is relatively simple. Moreover, the VPN has a clear relationship, and the VPN route only needs to carry a fixed-length site ID, which is convenient for processing. Moreover, the VPN site prefix is added by the operator PE, and the entry PE performs the legality check, and the egress PE performs the RPF check to ensure the security of the VPN. In addition, the IPv4 site does not need to be upgraded to IPv6, and can be interconnected through the IPv6 backbone network to form a VPN.

以上所述, 仅为本发明较佳的具体实施方式, 但本发明的保护范围并不局限于此, 任何熟悉本技术领域的技术人员在本发明揭露的技术范围内, 可轻易想到的变化或替 换, 例如 IPv4站点间的互联的情况, 都应涵盖在本发明的保护范围之内。 因此, 本发 明的保护范围应该以权利要求的保护范围为准。  The above is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or within the technical scope disclosed by the present invention. Alternatives, such as the interconnection between IPv4 sites, are intended to be covered by the scope of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

权利要求 Rights request 1、 一种实现虚拟专用网的方法, 其特征在于, 包括:  A method for implementing a virtual private network, comprising: 基于 IPv6地址结构设置虚拟专用网 VPN内各个站点的 VPN本地地址和 VPN全局地址; 根据所述设置的 VPN本地地址和 VPN全局地址建立所述 VPN中各站点的路由信息, 并 根据所述路由信息, VPN内各站点间传输 VPN报文。  Setting a VPN local address and a VPN global address of each site in the virtual private network VPN based on the IPv6 address structure; establishing routing information of each site in the VPN according to the set VPN local address and the VPN global address, and according to the routing information VPN packets are transmitted between sites in the VPN. 2、 根据权利要求 1所述的方法, 其特征在于, 所述建立所述 VPN中各站点的路由信 息的步骤具体包括:  The method according to claim 1, wherein the step of establishing routing information of each site in the VPN specifically includes: 根据所述设置的 VPN本地地址和 VPN全局地址, 在 VPN内的提供商边缘 PE设备上配置 所述 VPN中各站点的路由信息, 在每个站点上配置与其相关联的站点间的路由信息。  According to the set VPN local address and the VPN global address, the routing information of each site in the VPN is configured on the provider edge PE device in the VPN, and the routing information between the associated sites is configured on each site. 3、 根据权利要求 2所述的方法, 其特征在于, 所述在 VPN内的 PE设备上配置所述 VPN 中各站点的路由信息的步骤具体包括:  The method according to claim 2, wherein the step of configuring the routing information of each site in the VPN on the PE device in the VPN specifically includes: 在初始化时, 在 PE设备中配置 VPN站点, 及 VPN站点标识;  During initialization, configure the VPN site and the VPN site identifier in the PE device. 当 VPN内有单播报文时, PE设备根据所述 VPN站点标识生成 VPN内各个站点的 IPv6聚 合路由, 并通过路由协议将所述 IPv6聚合路由发布给 VPN的提供商 P设备和 /或目的 PE; 所述 P设备和 /或目的 PE根据所述 IPv6聚合路由包含的 VPN站点标识中的 VPN标识信 息, 与本地配置的 VPN站点标识中的 VPN标识进行比较, 若相同, 则保存该路由; 否则, 丢弃该路由;  When a unicast packet exists in the VPN, the PE device generates an IPv6 aggregation route of each site in the VPN according to the VPN site identifier, and advertises the IPv6 aggregation route to the VPN provider P device and/or the destination PE through a routing protocol. The P device and/or the destination PE compares the VPN identification information in the VPN site identifier included in the IPv6 aggregation route with the VPN identifier in the locally configured VPN site identifier, and if the same, saves the route; , discard the route; 或,  Or, 在初始化时, 在 PE设备中配置 VPN站点, 并为其分配 VPN组标识信息;  During initialization, configure a VPN site in the PE device and assign VPN group identification information to it. 当 VPN内有组播报文时, 通过组播路由协议, 将所述分配的 VPN组标识信息加入到组 播组中的各个 VPN站点中;  When the VPN has a multicast packet, the assigned VPN group identification information is added to each VPN site in the multicast group through the multicast routing protocol. 或,  Or, 在初始化时,通过 VPN的 PE设备配置 VPN内各个站点,并为所述各个站点分别分配 VPN 站点标识信息、 入口路由目标 RT信息和出口 RT信息;  During initialization, the PE device of the VPN configures each site in the VPN, and assigns VPN site identification information, ingress route target RT information, and exit RT information to each site. 当 VPN内有单播报文时, PE设备根据所述 VPN标识信息、 入口 RT信息和出口 RT信息生 成 IPv6聚合路由信息,并在所述 IPv6聚合路由信息中添加出口 RT信息中包含的 RT扩展团 体属性, 然后通过路由协议将其发布给 VPN的 P设备和 /或目的 PE;  When a unicast packet exists in the VPN, the PE device generates IPv6 aggregation routing information according to the VPN identification information, the ingress RT information, and the egress RT information, and adds the RT extension group included in the egress RT information to the IPv6 aggregation routing information. Attribute, and then advertised to the P device and/or destination PE of the VPN through a routing protocol; 所述 P设备和 /或目的 PE根据所述 VPN路由中的 RT扩展团体属性信息, 与本地配置的 入口 RT信息中的 RT扩展团体属性信息进行比较, 若至少有一个 RT扩展团体属性信息相 同, 则保存该路由; 否则, 丢弃该路由。 The P device and/or the destination PE compares with the RT extended community attribute information in the locally configured ingress RT information according to the RT extended community attribute information in the VPN route, and if at least one RT extended community attribute information is the same, The route is saved; otherwise, the route is discarded. 4、 根据权利要求 2所述的方法, 其特征在于, 所述在每个站点上配置与其相关联的 站点间的路由信息的步骤具体包括: The method according to claim 2, wherein the step of configuring routing information between the sites associated with each site on the site comprises: 在各个 VPN站点上静态配置与其相关联的站点间的路由信息;  Statically configuring routing information between its associated sites on each VPN site; 或,  Or, 在各个 VPN站点上, 通过在 PE设备与 PE设备间运行路由协议获得与所述站点相关联 的站点的路由信息。  At each VPN site, routing information of a site associated with the site is obtained by running a routing protocol between the PE device and the PE device. 5、 根据权利要求 4所述的方法, 其特征在于, 所述通过在 PE设备与 PE设备间运行路 由协议获得与所述站点相关联的站点的路由信息的步骤具体包括:  The method according to claim 4, wherein the step of obtaining the routing information of the site associated with the site by running a routing protocol between the PE device and the PE device comprises: 通过在本地 PE设备上设置的站点发布 VPN路由信息给目标 PE设备,所述 VPN路由信息 携带所述站点的 VPN站点标识信息;  Distributing the VPN routing information to the target PE device by using the site set on the local PE device, where the VPN routing information carries the VPN site identification information of the site; 所述目标 PE接收到所述 VPN路由信息时,根据所述 VPN站点信息检查其内是否存在与 本地 PE上设置的站点属于同一 VPN的站点, 若存在属于同一个 VPN的站点, 则将所述站点 的信息加入到本地 PE上设置的站点的路由信息中。  When receiving the VPN routing information, the target PE checks whether there is a site belonging to the same VPN as the site set on the local PE according to the VPN site information, and if there is a site belonging to the same VPN, the The information of the site is added to the routing information of the site set on the local PE. 6、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 在所述 VPN内各站点间传输 VPN报文的步骤中, 在 VPN内部的处理包括:  The method according to any one of claims 1 to 5, wherein in the step of transmitting a VPN message between the sites in the VPN, the processing inside the VPN includes: 根据所述设置的 VPN内各个站点的 VPN本地地址构造 VPN报文的源地址和目的地址; 根据所述站点上配置的路由信息, 采用标准的单 /组播转发机制, 将所述 VPN报文转发给 所述目的地址对应的站点。  The source address and the destination address of the VPN packet are configured according to the VPN local address of each site in the set VPN. According to the routing information configured on the site, the standard single/multicast forwarding mechanism is used to forward the VPN packet. Forward to the site corresponding to the destination address. 7、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 在所述 VPN内各站点间传输 VPN报文的步骤中, 在入口 PE设备上的处理包括:  The method according to any one of claims 1 to 5, wherein in the step of transmitting a VPN packet between the sites in the VPN, the processing on the ingress PE device includes: 所述入口 PE确定收到的报文的源地址对应的站点, 为所述报文添加该站点的 VPN站 点标识信息, 将源地址转换为源 VPN全局地址;  The ingress PE determines the site corresponding to the source address of the received packet, adds the VPN site identifier information of the site to the packet, and converts the source address into the source VPN global address. 根据所述报文携带的目的地址查找相应的目的站点的路由信息, 获得目的 VPN站点 标识信息, 并根据所述获得的目的 VPN站点标识将所述报文携带的目的地址转换为目的 VPN全局地址, 转发该报文;  And searching for the routing information of the destination site according to the destination address carried in the packet, obtaining the destination VPN site identifier information, and converting the destination address carried by the packet to the destination VPN global address according to the obtained destination VPN site identifier. Forward the message; 或,  Or, 所述入口 PE确定收到的报文的源地址对应的站点, 并通过添加该站点的 VPN站点标 识信息, 将源地址转换为源 VPN全局地址;  The ingress PE determines the site corresponding to the source address of the received packet, and adds the source address of the received site to the source VPN global address by adding the VPN site identification information of the site; 通过添加 VPN组标识信息, 将所述报文携带的目的地址转换为目的 VPN全局组播地 址,并根据所述 VPN组标识信息查找在 PE设备上保存的组播路由信息获得相应的目的 VPN 站点标识信息, 根据所述目的 VPN站点标识信息组播发送所述报文。 The destination address of the packet is translated into the destination VPN global multicast address by adding the VPN group identification information, and the multicast routing information saved on the PE device is obtained according to the VPN group identification information to obtain the corresponding destination VPN. The station identifier information is multicast, and the packet is multicast according to the destination VPN site identifier information. 8、 根据权利要求 7所述的方法, 其特征在于, 该方法还包括:  8. The method according to claim 7, wherein the method further comprises: 在所述入口 PE设备中配置其与 VPN站点连接的接口仅接收目的地址为 VPN本地地址 以及互联网全局地址的报文, 并拒绝接收目的地址为 VPN全局地址的报文; 以及, 在所 述 P设备中配置拒绝接收源 /目的地址为 VPN本地地址的报文。  Configuring the interface that is connected to the VPN site in the ingress PE device to receive only the packet whose destination address is the VPN local address and the Internet global address, and rejects the packet whose destination address is the VPN global address; and, in the P The device is configured to reject packets whose source/destination address is a VPN local address. 9、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 在所述 VPN内各站点间传输 VPN报文的步骤中, 在 P设备上的处理包括:  The method according to any one of claims 1 to 5, wherein in the step of transmitting a VPN packet between the sites in the VPN, the processing on the P device includes: 所述 P设备接收到单播报文时, 根据获得的目的站点的聚合路由, 采用标准的 IPv6 路由方式将所述报文转发给出口 PE;  When receiving the unicast packet, the P device forwards the packet to the egress PE according to the obtained aggregation route of the destination site in a standard IPv6 routing manner; 或,  Or, 所述 P设备接收到组播报文时, 根据所述报文中携带的 VPN全局组播地址中的 VPN组 标识信息在组播路由信息中确定多播组中的各个站点的站点标识信息; 并根据所述各个 站点标识信息组播发送所述组播报文。  When receiving the multicast packet, the P device determines the site identification information of each site in the multicast group in the multicast routing information according to the VPN group identifier information in the VPN global multicast address carried in the packet; And multicasting the multicast packet according to the foregoing site identifier information. 10、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 在所述 VPN内各站点间传 输 VPN报文的步骤中, 在出口 PE设备上的处理包括:  The method according to any one of claims 1 to 5, wherein in the step of transmitting a VPN packet between the sites in the VPN, the processing on the egress PE device includes: 当出口 PE设备接收到单播报文时, 将所述报文的源、 目的全局地址转换为 VPN内部 的单播本地地址;  When the egress PE device receives the unicast packet, the source and destination global addresses of the packet are translated into a unicast local address in the VPN. 根据目的全局地址中的 VPN站点标识信息查找并获得对应的站点的本地路由信息, 并根据所述获得的本地路由信息转发所述报文;  Finding and obtaining the local routing information of the corresponding site according to the VPN site identification information in the destination global address, and forwarding the packet according to the obtained local routing information; 或,  Or, 当出口 PE设备接收到组播报文时, 将所述报文的源全局地址转换为 VPN内部的本地 地址;  When the egress PE device receives the multicast packet, the source global address of the packet is translated into a local address in the VPN. 根据报文携带的目的地址中的 VPN组标识信息查找并获得对应的站点的本地路由信 息, 并根据所述获得的本地路由信息将目的全局地址地址转换为 VPN内部的组播本地地 址;  Searching for and obtaining the local routing information of the corresponding site according to the VPN group identification information in the destination address carried in the packet, and converting the destination global address address into a multicast local address in the VPN according to the obtained local routing information; 根据转换后的 VPN内部的组播本地地址中的 VPN组标识信息转发所述报文。  The packet is forwarded according to the VPN group identifier information in the multicast local address of the VPN. 11、 根据权利要求 10所述的方法, 其特征在于, 在所述出口 PE接收到报文后, 该方 法还包括:  The method according to claim 10, wherein after the egress PE receives the message, the method further includes: 提取所述报文中的源地址中的 VPN站点标识信息;  Extracting VPN station identification information in the source address in the packet; 根据所述 VPN站点标识信息,检查所述报文进入本出口 PE的接口是否为获得 VPN站点 聚合路由的接口, 若是, 则通过出口 PE转发所述报文, 否则, 丢弃所述报文。 Determining, according to the VPN site identifier information, whether the interface that the packet enters the egress PE is a VPN site. The interface that aggregates the route. If yes, the packet is forwarded through the egress PE. Otherwise, the packet is discarded. 12、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 在所述 VPN内各站点间传 输 VPN报文的步骤中, 所述 VPN站点访问因特网的处理包括:  The method according to any one of claims 1 to 5, wherein in the step of transmitting a VPN message between the sites in the VPN, the processing of the VPN site accessing the Internet includes: VPN站点根据 VPN站点标识信息将 VPN内站点的源本地地址转换为源全局地址, 将目 的本地地址转换为因特网全局地址, 并根据该因特网全局地址访问因特网。  The VPN site translates the source local address of the site within the VPN into a source global address according to the VPN site identification information, converts the destination local address into an Internet global address, and accesses the Internet according to the Internet global address. 13、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 在所述 VPN内各站点间传 输 VPN报文的步骤中, 通过 VPN内 IPv6骨干网转发 IPv4报文的处理包括:  The method according to any one of claims 1 to 5, wherein, in the step of transmitting a VPN packet between the sites in the VPN, the process of forwarding the IPv4 packet through the IPv6 backbone network in the VPN includes: 入口 PE收到 IPv4单播报文后,根据所述报文的源 IPv4地址信息查找所述配置的 IPv4 路由信息, 得到目的 IPv4地址信息, 并将所述源和目的 IPv4地址转换为内嵌 IPv4的 IPv6 单播地址, 之后根据所述目的地址转发所述 IPv4报文;  After receiving the IPv4 unicast packet, the ingress PE searches for the configured IPv4 routing information according to the source IPv4 address information of the packet, obtains the destination IPv4 address information, and converts the source and destination IPv4 addresses into the embedded IPv4 address. An IPv6 unicast address, and then forwarding the IPv4 packet according to the destination address; 在 P设备收到所述报文后,根据所述 IPv6聚合路由信息转发所述报文给出口 PE设备; 出口 PE设备根据所述报文中携带的 IPv4的 VPN站点标识信息确定所述报文的目的地 址对应的站点为 IPv4站点时, 则查找 IPv4路由信息, 将所述目的 IPv6地址转换为 IPv4目 的地址, 并根据所述 IPv4目的地址将所述报文转发给对应的目的站点;  After receiving the packet, the P device forwards the packet to the egress PE device according to the IPv6 aggregate routing information. The egress PE device determines the packet according to the IPv4 VPN site identifier information carried in the packet. When the site corresponding to the destination address is an IPv4 site, the IPv4 routing information is searched, the destination IPv6 address is translated into an IPv4 destination address, and the packet is forwarded to the corresponding destination site according to the IPv4 destination address. 或,  Or, 入口 PE收到 IPv4组播报文后,根据所述报文的源 IPv4地址信息查找所述配置的 IPv4 路由信息, 得到相应的目的 IPv4地址信息, 之后将所述源和目的 IPv4地址转换为内嵌 IPv4的 IPv6单播地址, 并根据所述目的地址在 IPv6网中转发所述 IPv4报文;  After receiving the IPv4 multicast packet, the ingress PE searches the configured IPv4 routing information according to the source IPv4 address information of the packet, obtains the corresponding destination IPv4 address information, and then converts the source and destination IPv4 addresses into the internal Embedding an IPv4 unicast address of the IPv4 network, and forwarding the IPv4 packet in the IPv6 network according to the destination address; 在所述报文到达出口 PE设备后, 出口 PE设备根据所述报文中携带的 IPv4的 VPN group ID信息确定所述报文的目的地址对应的站点为 IPv4站点时,则查找 IPv4路由信 息, 将所述目的 IPv6地址转换为 IPv4目的地址, 并根据所述 IPv4目的地址将所述报 文转发给对应的目的站点。  After the packet reaches the egress PE device, the egress PE device determines, according to the IPv4 VPN group ID information carried in the packet, that the site corresponding to the destination address of the packet is an IPv4 site, and then searches for IPv4 routing information. And converting the destination IPv6 address to an IPv4 destination address, and forwarding the packet to the corresponding destination station according to the IPv4 destination address. 14、 根据权利要求 1至 5任一项所述的方法, 其特征在于, 当 VPN内存在 IPv4站点时, 该方法还包括:  The method according to any one of claims 1 to 5, wherein when the VPN is in the IPv4 site, the method further includes: 在 PE设备上为所述 IPv4站点分配 IPv4的 VPN站点标识, 并根据所述 IPv4站点标识在 Allocating an IPv4 VPN site identifier to the IPv4 site on the PE device, and according to the IPv4 site identifier PE设备上配置各个 IPv4站点的 IPv4路由信息; 在各个 IPv4站点上为所述 IPv4站点分配 IPv4的 VPN站点标识信息, 并根据所述 IPv4站点标识信息, 在各个 IPv4站点上分别配置 与其相关联的 IPv4站点间 IPv4路由信息; The IPv4 routing information of each IPv4 site is configured on the PE device. The IPv4 site is assigned IPv4 VPN site identification information on the IPv4 site, and the IPv4 site identification information is respectively configured and associated with each IPv4 site. IPv4 routing information between IPv4 stations; 或,  Or, 在 PE设备上为所述 IPv4站点分配 IPv4的 VPN group ID, 并通过组播路由协议, 在 PE 设备上将所述 VPN group ID信息加入到组播组中的各个 VPN站点中; 在各个 IPv4站点上 为所述 IPv4站点分配 IPv4的 VPN group ID, 并通过组播路由协议在各个 IPv4站点上将所 述 VPN group ID信息加入到组播组中的各个 VPN站点中。 Assigning an IPv4 VPN group ID to the IPv4 site on the PE device, and using a multicast routing protocol in the PE Adding the VPN group ID information to each VPN site in the multicast group on the device; assigning the IPv4 VPN group ID to the IPv4 site on each IPv4 site, and using the multicast routing protocol on each IPv4 site. The VPN group ID information is added to each VPN site in the multicast group. 15、 一种实现虚拟专用网的设备, 其特征在于, 包括:  15. A device for implementing a virtual private network, comprising: 路由信息建立单元, 用于根据 VPN内各个站点的 VPN本地地址和 VPN全局地址建立所 述 VPN中各站点的路由信息,所述的 VPN内各个站点的 VPN本地地址和 VPN全局地址为基于 IPv6地址结构设置;  a routing information establishing unit, configured to establish routing information of each site in the VPN according to a VPN local address and a VPN global address of each site in the VPN, where the VPN local address and the VPN global address of each site in the VPN are IPv6-based addresses Structure setting VPN报文传输处理单元, 用于根据所述路由信息建立单元建立的路由信息, 传输 VPN 内各站点间交互的 VPN报文。  The VPN packet transmission processing unit is configured to transmit, according to the routing information established by the routing information, a VPN packet exchanged between sites in the VPN. 16、 根据权利要求 15所述的设备, 其特征在于, 所述的路由信息建立单元包括: 各站点路由信息建立单元,用于根据所述设置的 VPN本地地址和 VPN全局地址,在 VPN 内的提供商边缘 PE设备上配置所述 VPN中各站点的路由信息;  The device according to claim 15, wherein the routing information establishing unit comprises: each site routing information establishing unit, configured to be within the VPN according to the set VPN local address and the VPN global address. Configuring routing information of each site in the VPN on the provider edge PE device; 关联站点路由信息建立单元, 用于根据所述设置的 VPN本地地址和 VPN全局地址, 在 每个站点上配置与其相关联的站点间的路由信息。  The associated site routing information establishing unit is configured to configure routing information between the associated sites at each site according to the set VPN local address and the VPN global address. 17、 根据权利要求 15或 16所述的设备, 其特征在于, 所述的 VPN报文传输处理单元 具体包括以下至少一项:  The device according to claim 15 or 16, wherein the VPN packet transmission processing unit specifically includes at least one of the following: 第一 VPN内部传输处理单元, 设置于 VPN内部的站点上, 用于根据所述设置的 VPN内 各个站点的 VPN本地地址构造 VPN报文的源地址和目的地址,并根据所述路由信息建立单 元建立的路由信息将所述 VPN报文转发给所述目的地址对应的站点;  The first VPN internal transmission processing unit is disposed at a site inside the VPN, and configured to construct a source address and a destination address of the VPN packet according to the VPN local address of each site in the set VPN, and establish a unit according to the routing information. The established routing information forwards the VPN packet to the site corresponding to the destination address; 第二 VPN报文传输处理单元, 设置于入口 PE设备上, 用于将接收到的报文的源地址 转换为源 VPN全局地址, 目的地址转换为目的 VPN全局地址, 并转发该报文;  The second VPN packet transmission processing unit is configured to be configured on the ingress PE device, configured to convert the source address of the received packet into a source VPN global address, convert the destination address to the destination VPN global address, and forward the packet; 第三 VPN报文传输处理单元, 设置于 P设备上, 用于根据获得单播报文的目的站点的 聚合路由, 或者, 根据组播报文中的 VPN组标识信息, 转发该报文;  The third VPN packet transmission processing unit is configured on the P device, and is configured to forward the packet according to the aggregated route of the destination station that obtains the unicast packet, or according to the VPN group identifier information in the multicast packet; 第四 VPN报文传输处理单元, 设置于出口 PE设备上, 用于将所述报文的源、 目的全 局地址转换为 VPN内部的 VPN本地地址, 并根据本地路由信息转发所述报文。  The fourth VPN packet transmission processing unit is configured to be configured on the egress PE device, configured to translate the source and destination global addresses of the packet into a VPN local address in the VPN, and forward the packet according to the local routing information.
PCT/CN2007/070376 2006-07-27 2007-07-27 Method and device for implementing vpn based on ipv6 address structure Ceased WO2008014723A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2006101038177A CN101114971A (en) 2006-07-27 2006-07-27 Method of Realizing Virtual Private Network Based on IPv6 Address Structure
CN200610103817.7 2006-07-27

Publications (1)

Publication Number Publication Date
WO2008014723A1 true WO2008014723A1 (en) 2008-02-07

Family

ID=38996896

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070376 Ceased WO2008014723A1 (en) 2006-07-27 2007-07-27 Method and device for implementing vpn based on ipv6 address structure

Country Status (2)

Country Link
CN (1) CN101114971A (en)
WO (1) WO2008014723A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572993A (en) * 2012-01-31 2012-07-11 北京航空航天大学 An Anycast Routing Method for Opportunistic Networks Based on Comprehensive Capability Selection
CN113300949A (en) * 2020-02-24 2021-08-24 华为技术有限公司 Method for forwarding message, method, device and system for issuing routing information

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808038B (en) * 2010-03-29 2012-02-08 杭州华三通信技术有限公司 VPN instance division method and device
CN102404716A (en) * 2010-09-07 2012-04-04 上海贝尔股份有限公司 Method and device for transmitting data for wireless sensor network based on IP
CN103684959B (en) 2012-09-20 2017-10-24 华为技术有限公司 VPN Implementation Method and PE Equipment
CN102904814B (en) * 2012-10-19 2015-09-16 福建星网锐捷网络有限公司 Data transmission method, source PE, object PE and data transmission system
CN102932231B (en) * 2012-11-28 2015-05-20 杭州华三通信技术有限公司 Method for reducing update messages and service provider network edge device
CN103166874B (en) * 2013-03-25 2016-03-02 杭州华三通信技术有限公司 A kind of message forwarding method and equipment
CN104158737B (en) * 2013-05-15 2017-07-28 华为技术有限公司 A kind of methods, devices and systems for controlling routing iinformation to issue
CN105491558A (en) * 2014-09-18 2016-04-13 北京信威通信技术股份有限公司 Method for generating IPv6 multicast address of cluster group
CN109412952B (en) * 2018-12-13 2019-09-06 北京华三通信技术有限公司 Route information publishing method and device
CN110266592B (en) * 2019-06-21 2021-07-30 Ut斯达康通讯有限公司 Communication method and device for SRV6 network and IP MPLS network
CN111131049B (en) * 2019-12-31 2021-08-27 苏州盛科通信股份有限公司 Method and device for processing routing table entry
CN113098770B (en) * 2020-01-08 2024-04-16 华为技术有限公司 Message sending method, routing table item generation method, device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697408A (en) * 2004-05-14 2005-11-16 华为技术有限公司 Method for managing routes in virtual private network based on IPv6
CN1710877A (en) * 2004-06-16 2005-12-21 华为技术有限公司 System and method for realizing virtual special network of hybrid backbond network of hybrid station

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697408A (en) * 2004-05-14 2005-11-16 华为技术有限公司 Method for managing routes in virtual private network based on IPv6
CN1710877A (en) * 2004-06-16 2005-12-21 华为技术有限公司 System and method for realizing virtual special network of hybrid backbond network of hybrid station

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572993A (en) * 2012-01-31 2012-07-11 北京航空航天大学 An Anycast Routing Method for Opportunistic Networks Based on Comprehensive Capability Selection
CN113300949A (en) * 2020-02-24 2021-08-24 华为技术有限公司 Method for forwarding message, method, device and system for issuing routing information
CN113300949B (en) * 2020-02-24 2022-12-06 华为技术有限公司 Method for forwarding message, method, device and system for releasing routing information

Also Published As

Publication number Publication date
CN101114971A (en) 2008-01-30

Similar Documents

Publication Publication Date Title
WO2008014723A1 (en) Method and device for implementing vpn based on ipv6 address structure
CN1266913C (en) Tunneling through access network
CN107222449B (en) Communication method, device and system based on flow rule protocol
US7698455B2 (en) Method for providing scalable multicast service in a virtual private LAN service
JP5579853B2 (en) Method and system for realizing virtual private network
US9756682B2 (en) Method and system for partitioning wireless local area network
CN107026791B (en) Virtual private network VPN service optimization method and device
JP2013504959A (en) Method and system for realizing virtual private network
WO2019105462A1 (en) Method and apparatus for sending packet, method and apparatus for processing packet, pe node, and node
JP2004357292A (en) System for converting data transferred on ip switched network from ipv4 base into ipv6 base
JP2000286853A (en) Method and apparatus for routing packets
WO2011103781A2 (en) Method, device for implementing identifier and locator split, and method for data encapsulating
CN1787485A (en) Packet forwarding apparatus and communication network
WO2007112691A1 (en) System, method and network device for vpn customer to access public network
WO2008011818A1 (en) Method of realizing hierarchy-virtual private lan service and network system
WO2023082779A1 (en) Packet forwarding method, electronic device, and storage medium
WO2005112350A1 (en) A METHOD FOR MANAGING THE ROUTE IN THE VIRTUAL PRIVATE NETWORK BASED ON IPv6
EP1811728A1 (en) Method, system and device of traffic management in a multi-protocol label switching network
CN101001264B (en) Method, device, network edge equipment and addressing server for L1VPN address distribution
CN1863129A (en) System based on two layer VPN foreign medium communication and method thereof
CN100563182C (en) A method for realizing virtual private network service in multi-layer label switching network
CN101304338A (en) Method and device for discovering equipment in multi-protocol label switching three-layer virtual private network
CN101841548B (en) Method for mapping host identity to network addresses
CN117879998A (en) Management system based on internet export
WO2010066144A1 (en) Method, device and multi-address space mobile network for sending and forwarding data

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07764296

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07764296

Country of ref document: EP

Kind code of ref document: A1