1. Field of the Invention
The present invention relates to a virtual network construction method, a virtual network construction system, and a relaying apparatus, and in particular to a virtual network construction method, a virtual network construction system, and a relaying apparatus within a public data communication network.
2. Description of the Related Art
Companies, enterprises, and the like whose sites (hereinafter referred to as user sites) are dispersed over a plurality of locations have adopted various inter-LAN connecting technologies for connecting the local area networks (LAN's) of those sites into intra-company networks or the like.
One such method is a leased line service connecting the user sites with leased lines. However, since the leased line service is very expensive and its billing is proportional to the distance, the user company typically constructs the inter-LAN connection by chaining the sites in line, in order to keep the total line distance as short as possible.
In this case, there has been a problem that when communication is disabled at an intermediate user site due to a fault, the end-to-end communication through that site is also disabled.
Thereafter, virtual leased line services such as an ATM (Asynchronous Transfer Mode) service and an FR (Frame Relay) service, which are less expensive than the leased line service, appeared; their billing is performed in accordance with the number of virtual connections instead of being proportional to the distance.
As a result, star-shaped network configurations connecting the LAN's of branch offices to a headquarters have increased, and the influence of a fault at an intermediate site on the other sites has decreased.
Moreover, the spread of the Internet has enabled user companies to connect the dispersed user sites by using the Internet, which is a public data communication network, without using the virtual leased line service such as the ATM service and the FR service. Such a service is called an Internet VPN service, and the billing is performed by the number of physical sites connected. It is to be noted that VPN stands for Virtual Private Network.
Since the LAN of each user site (hereinafter referred to as a user network) generally uses private addresses, packets of an Internet VPN service cannot be sent unchanged into the Internet, which uses global addresses.
Therefore, for the communications through the Internet (hereinafter, referred to as global Internet) between a plurality of user network sites, a so-called tunneling technique is required.
Namely, when transmitting a packet from the user network to the global Internet, a router connecting to the global Internet in the user network of the transmitting source encapsulates the packet to be transmitted from the user network with an IP packet having a global address and transmits it to a destination user network through the global Internet.
A router connecting to the global network in the destination user network decapsulates the packet after receiving it and then forwards it to a destination host computer within the destination user network.
In this case, each user network is required to be provided with a router connecting to the global Internet that is capable of initiating and terminating a tunnel, i.e. of encapsulating and decapsulating packets. However, as this processing becomes more complex the performance of that router declines, so that purchasing an expensive apparatus or upgrading is required in order to maintain the performance.
Moreover, if there are numerous sites, the various settings necessary for the connection to the global Internet, such as routing information settings and logical interface settings, become more complicated. In this case, the user company is required to train managers for maintaining and managing the VPN, so that additional staff and costs are required.
Consequently, a new VPN service has been devised in which the maintenance and management of the VPN are outsourced to a provider (Internet Service Provider; hereinafter abbreviated as ISP) or a carrier of the public data communication network so that the existing routers can be used in the user network without changes. Hereinafter, such a VPN service will be referred to as an IP-VPN (Internet Protocol-Virtual Private Network) service.
In the IP-VPN service, the tunnel initiating/terminating function is provided by a relaying apparatus within the public data communication network. Hereinafter, the relaying apparatus within the public data communication network having the tunnel initiating/terminating function will be occasionally referred to as an edge router. Moreover, in case there are a plurality of user sites and the user networks of the sites are connected to different routers, a routing control between the user networks is required wherein the edge router determines, for a packet transmitted from a user network, to which tunnel an encapsulated packet should be transmitted according to the destination user network. Such a routing control function is also provided by the edge router.
Namely, the edge router transfers the packet based on routing information of a private address of the user network, aside from the routing information of the global Internet.
In order to describe a general IP-VPN service, FIG. 21 shows how virtual networks (hereinafter referred to as private networks), constructed by tunnels connecting user networks that are operated with private addresses, are overlaid on the global Internet, which is operated with global addresses.
In FIG. 21, an ISP network NW1 providing a global address space has its backbone composed of edge routers PR1, PR4, and PR5, and core routers PR2 and PR3 which do not accommodate the user networks nor provide the tunnel initiating/terminating function within the public data communication network.
Now, a case will be considered where a user company desires to mutually connect user networks UN1-UN6 by using the IP-VPN service.
In this case, the user networks UN1-UN6 have existing routers (user routers) UR1-UR6 respectively, wherein the user routers UR1 and UR2 are connected to the edge router PR1, the user routers UR3-UR5 are connected to the edge router PR4, and the UR6 is connected to the edge router PR5, respectively.
In the edge routers PR1, PR4, and PR5, there are virtual routers VPN1-VR1 to VPN1-VR3. Therefore, the user networks UN1-UN6 are connected, through the virtual routers VPN1-VR1 to VPN1-VR3, to a virtual private network VPN1 which is a private address space, as shown extracted above the network NW1 in FIG. 21.
Conventionally proposed methods of such an IP-VPN service will be specifically described below.
(1) IETF RFC2547
Firstly, a method proposed as an IETF RFC2547 will be described referring to FIG. 22.
FIG. 22 shows the same physical connection form as that of FIG. 21. However, in FIG. 22, different from FIG. 21, it is assumed that a user company (company A) having sites of the user networks UN1, UN3, and UN4 is different from a user company (company B) having sites of the user networks UN2, UN5, and UN6.
Therefore, in FIG. 22, a virtual private network VPN2 for the company A and a virtual private network VPN1 for the company B are separately constructed.
Also in FIG. 22, ports are shown as physical interfaces of the edge routers PR1, PR4, and PR5, e.g. ports PR1-PP1, PR1-PP2, and PR1-PP6 are shown in the edge router PR1.
Also, ports as virtual interfaces of virtual routers VPN1-VR1, VPN1-VR2, VPN1-VR3, VPN2-VR1, and VPN2-VR2 are shown, e.g. ports V2-VR1-VP1 and V2-VR1-VP6 are shown in the virtual router VPN2-VR1.
Hereinafter, the process of the IETF RFC2547 method will be described.
When the companies A and B respectively perform communications between their user networks, it is required that the packets are transferred through the ISP network NW1 in the virtual private networks VPN2 and VPN1 respectively.
The RFC2547 method realizes the VPN using a technique called Multi Protocol Label Switching (MPLS) and a routing protocol called the Border Gateway Protocol.
MPLS is a technique which enables a router on an IP route to replace the IP packet relaying process performed on the network layer with a label switching process performed on the datalink layer, using a label added to the packet, thereby reducing the cost of route retrieval and relaying packets at high speed.
An MPLS label has a value agreed in advance for the link between the two routers sharing that link, i.e. it has only local significance. Upon receiving a labeled packet, a router looks up the label to determine where the packet should be relayed to, swaps in the label agreed for the output link, and retransmits the packet.
A path in which the packet is transferred by the label is called a Label Switching Path (LSP). The LSP can be regarded as a tunnel in which the IP packet is encapsulated to be transferred by the label. Hereinafter, the LSP will be occasionally referred to as an MPLS tunnel.
Also, in the RFC2547 method, the routing protocol called the Border Gateway Protocol (hereinafter abbreviated as BGP) is used. In the edge routers, a routing control process realizing this protocol is activated, and the routing control processes on the edge routers are connected in a full mesh. Alternatively, the edge routers can be connected in a star, so that they are connected through a route reflector which provides an exchange function for routing control packets equivalent to that of the full mesh connection.
In order to exchange the routing control packets by the MPLS tunnels between the edge routers connected in the full mesh, the LSP's are required to be pre-established so that the edge routers are connected in the full mesh. The LSP's established herein are realized by setting, in the routers, labels corresponding to inter-router links on routes for global IP prefixes of destination network. Such LSP's will be hereinafter referred to as level-1 tunnels. In the arrangement of FIG. 22, the level-1 tunnels are established between physical routers PR1-PR4, PR1-PR5, and PR4-PR5.
An administrator of ISP makes a port (I/F) number of the edge router correspond to a Route Distinguisher (hereinafter abbreviated as RD) as a user site identifier. In this case, the RD can be an arbitrary number which is unique for each user network managed by the provider network.
Also, there is another mapping between the VPN's and groups of RD's, which sets which user networks, as distinguished by their RD's, belong to the same VPN. By this mapping, e.g. the VPN2 and VPN1 are respectively made to correspond to the ports PR1-PP1 and PR1-PP2 of the edge router PR1. In the edge router, the VPN's are distinguished by VPN numbers, and the VPN numbers are used for managing the routing table independently per VPN and for making the user network accommodating ports correspond to the VPN.
Also, the administrator of ISP makes one-to-one correspondences between the port numbers and the virtual interfaces of the virtual routers for each port of the edge routers connected to the user networks.
By making such correspondences, e.g. the virtual interfaces V2-VR1-VP1 and V1-VR1-VP2 are respectively made to correspond to the ports PR1-PP1 and PR1-PP2 of the edge router PR1.
It is to be noted that the edge routers PR1, PR4, and PR5 have independent routing tables per VPN. These routing tables are generated by the routing control process (BGP), which is common to all VPN's, and are populated independently per virtual private network based on the routing information of all the virtual private networks (VPN1 and VPN2 in the case of FIG. 22) received from the local sites or remote sites.
At this time, the routing control process on the edge router assigns an RD to an address prefix of the received routing information from the user networks, so that the routing information can be distinguished per virtual private network.
Also, the edge routers have a function of searching through the routing table corresponding to the VPN by the port number of the port having received the data packet and of forwarding the packet received. This forwarding function has a virtual interface for transmitting the packet to the tunnel established between the edge routers.
The edge routers have different MPLS tunnels (level-2 tunnels) per destination prefix within the same VPN, so that different tunnels per destination can be identified.
The edge routers multiplex the tunnels for each prefix (level-2 tunnels), nested within the level-1 tunnel, between the edge routers. Actually, the edge routers doubly add the MPLS labels corresponding to the level-1 tunnel and the level-2 tunnel to the IP packet.
This can be seen in FIG. 22, where three level-2 tunnels are established in the level-1 tunnel between the edge routers PR1 and PR4. Namely, the three level-2 tunnels are the two tunnels between the virtual port V2-VR1-VP6 of the virtual router VPN2-VR1 and the virtual port V2-VR2-VP1 of the virtual router VPN2-VR2, established per address prefix, and a single tunnel established between the virtual port V1-VR1-VP6 of the virtual router VPN1-VR1 and the virtual port V1-VR2-VP1 of the virtual router VPN1-VR2.
In the routing tables per VPN on the edge routers, a representing address of a next hop edge router and a virtual interface for transmission thereto for each destination prefix are written. The virtual interface is an entrance to the level-2 tunnel connected to the destination edge router.
In FIG. 22, the virtual interface V2-VR1-VP6 of the virtual router VPN2-VR1 within the edge router PR1 is the entrance to the level-2 tunnel connected to the destination edge router PR4.
The edge router assigns a different label for a level-2 tunnel per prefix, and adds a label for a level-1 tunnel determined by the representing address of the next hop edge router to transmit the packet to the physical port (PP) connected to the global Internet.
As to routing control process, the routing control process on each edge router generates independent routing tables per VPN by exchanging routing information both of the global Internet and of the VPN's through the level-1 tunnel established between the routers.
In the forwarding process, when the packet arrives at the physical port of the edge router from the user site, the edge router refers to the routing table corresponding to the VPN by the VPN number corresponding to the physical port which has received the packet and transmits the packet to the virtual interface connected to the next hop edge router.
When the virtual router transmits the packet to the virtual interface, practically, after the edge router adds a label (hereinafter, referred to as level-2 label) corresponding to the level-2 tunnel per prefix, the edge router adds a label (hereinafter, referred to as level-1 label) corresponding to the level-1 tunnel to the edge router on which the destination virtual router exists, and transmits the packet to the physical interface.
Also, when the edge router receives a labeled packet from the ISP network NW1, the next hop router and the output physical port are determined by the label, using a label table in which the relaying operation is described. For example, in the MPLS implementation of Cisco Systems, Inc., in the United States, the level-1 label is removed at the LSR (label switching router) one hop before the edge router (penultimate hop popping), so that the edge router receives the packet carrying only the level-2 label. The edge router checks the level-2 label, searches through the label table, and forwards the packet to the physical port connected to the user site. At this time, the level-2 label is removed from the packet to be forwarded.
(2) IETF draft draft-muthukrishnan-corevpn-arch-00.txt
Next, a method proposed as an IETF draft draft-muthukrishnan-corevpn-arch-00.txt will be described referring to FIG. 23.
The arrangement of FIG. 23 is almost the same as that of FIG. 22. It differs in that FIG. 22 shows two tunnels in the virtual private network VPN2 between the virtual interface V2-VR1-VP6 of the virtual router VPN2-VR1 and the virtual interface V2-VR2-VP1 of the virtual router VPN2-VR2, whereas only one tunnel is shown in FIG. 23.
This is because in this method, management per destination prefix is not performed.
Also, since the routing protocol between the virtual routers is not limited to BGP in this method, tunnels are not always required to be established in a full mesh between the edge routers. However, establishing the tunnels in a full mesh is preferable, considering that end-to-end communication will be disturbed if a fault occurs in an intermediate edge router, and that the number of router hops of a relayed packet increases when it is relayed through a number of edge routers.
In this case, the MPLS is used as the tunneling technique, and the administrator of ISP establishes the MPLS tunnel (level-1 tunnel) between every pair of edge routers in the same way as in the case of FIG. 22.
Also, different from FIG. 22, the edge router activates an independent virtual router per VPN, so that the same VPN-ID is set in the virtual routers belonging to the same VPN. The virtual routing function has the routing function for receiving the routing information within the user network and generating the routing table based on the received information, and the forwarding function for forwarding the received packet by searching through the routing table corresponding to the VPN-ID by the received port number. This forwarding function has the virtual interface for transmitting the packet to the tunnel established between the edge routers.
Also, the virtual routers on the edge routers having the same VPN-ID are connected with a virtual link over the global network. However, in order to distinguish their traffic from the traffic of user sites having other VPN-ID's, a different virtual link (level-2 tunnel) is used per VPN.
The edge router multiplexes the inter-virtual router links (level-2 tunnels) of the VPN's being nested within the level-1 tunnel between the edge routers. Practically, the edge router doubly adds the MPLS labels corresponding to the level-1 tunnel and the level-2 tunnel to the IP packet to be transmitted.
In order to determine which virtual router of the edge router is connected to the end of which level-2 tunnel, the virtual router on the edge router associates the label value of the level-2 tunnel with the address of the destination virtual router at the far end of the tunnel: the virtual I/F address of that virtual router when an IP address is allocated to the virtual I/F, or the representative address of that virtual router in the case of a point-to-point link where no IP address is allocated to the virtual I/F.
Also, the administrator of ISP makes one-to-one correspondences between the virtual interfaces of the virtual routers and the port numbers of the ports connected to the user site.
The virtual routers having the same VPN-ID exchange the routing information of each other through the level-2 tunnel established between the edge routers, and then generate routing tables for that VPN-ID.
When the packet arrives at the physical port of the edge router from the user site, the edge router refers to the routing table corresponding to the VPN-ID by the VPN-ID corresponding to the physical port having received the packet and transmits the packet to the virtual interface connected to the next hop virtual router.
When the virtual router transmits the packet to the virtual interface, practically, after the edge router adds a label corresponding to the level-2 tunnel, the edge router adds the label corresponding to the level-1 tunnel to another edge router on which the destination virtual router exists, and transmits the packet to the physical interface.
When the edge router receives the packet with the label from the level-1 tunnel, the edge router checks the level-1 label of the encapsulated packet, determines whether the packet is addressed to itself to remove the label, or the packet should be forwarded by changing the label. If it is addressed to itself, the edge router checks the label corresponding to the level-2 tunnel and determines which virtual interface of the virtual router within the edge router should receive the packet. At this time, the edge router removes the level-2 label to pass the packet to the virtual interface.
The virtual router having received the packet at the virtual interface checks the destination address in an IP header of the IP packet, that is the destination address within the user network, forwards the packet to one of the virtual interfaces corresponding to the virtual ports connected to the user site by searching through the VPN routing table held by the virtual router.
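As an added illustration of methods (1) and (2) above (example code written for this page, not taken from RFC2547, the draft, or any router implementation), the following models two of the edge routers of FIG. 22 with a per-VPN routing table, the RD-to-VPN mapping set by the ISP administrator, the two-level label stack of FIG. 24, and the egress demultiplexing on the level-2 label. The label values, port names such as PR1-PP1, RD strings, and the 4-byte stand-in for a user IP packet are all assumptions made for the example. With per_prefix=True the level-2 label is allocated per destination prefix as in method (1); with per_prefix=False one label per VPN link is used and the virtual router's table selects the user port, as in method (2). Core label swapping along the level-1 LSP is omitted, so a level-1 label keeps one value end to end.

```python
import ipaddress

# MPLS shim header of FIG. 24: 20-bit label | 3-bit EXP | 1-bit S (bottom of stack) | 8-bit TTL
def shim_encode(label, bottom, ttl=64, exp=0):
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return ((label << 12) | (exp << 9) | (int(bottom) << 8) | ttl).to_bytes(4, "big")

def shim_decode(buf):
    w = int.from_bytes(buf[:4], "big")
    return {"label": w >> 12, "exp": (w >> 9) & 7, "bottom": bool((w >> 8) & 1), "ttl": w & 0xFF}

class EdgeRouter:
    """Edge router (PE) with one routing table per VPN and a two-level (level-1 / level-2) label stack."""
    def __init__(self, name, level1, per_prefix):
        self.name, self.level1, self.per_prefix = name, level1, per_prefix   # level1: PE name -> level-1 label
        self.port_vpn, self.port_rd, self.rd_vpn = {}, {}, {}                # ISP administrator settings
        self.vrf = {}          # VPN number -> {IPv4Network: (next hop, level-2 label to push)}
        self.l2_in = {}        # level-2 label we advertised -> (VPN number, user port or None)
        self.label_for = {}    # (vpn, prefix) or vpn -> allocated level-2 label
        self._next = 200 + 10 * int(name[-1])   # hypothetical label range, distinct per PE

    def attach(self, port, vpn, rd):
        """ISP administrator: user port -> VPN number, and port -> Route Distinguisher (site identifier)."""
        self.port_vpn[port], self.port_rd[port], self.rd_vpn[rd] = vpn, rd, vpn
        self.vrf.setdefault(vpn, {})

    def add_site_route(self, port, prefix):
        """Prefix learned from the user router behind a local port."""
        self.vrf[self.port_vpn[port]][ipaddress.ip_network(prefix)] = (("port", port), None)

    def _alloc_label2(self, vpn, net, port):
        key = (vpn, net) if self.per_prefix else vpn   # RFC2547: label per prefix; draft: label per VPN link
        if key not in self.label_for:
            self._next += 1
            self.label_for[key] = self._next
            self.l2_in[self._next] = (vpn, port if self.per_prefix else None)
        return self.label_for[key]

    def advertise_to(self, peer):
        """Routing control over the level-1 tunnel: (RD, prefix, level-2 label, next-hop PE)."""
        for vpn, table in self.vrf.items():
            for net, (nh, _) in table.items():
                if nh[0] == "port":
                    peer.learn(self.port_rd[nh[1]], net, self._alloc_label2(vpn, net, nh[1]), self)

    def learn(self, rd, net, label2, from_pe):
        vpn = self.rd_vpn.get(rd)                  # the RD, not the (possibly duplicated) prefix, picks the table
        if vpn is not None:
            self.vrf[vpn][net] = (("pe", from_pe), label2)

    def _lookup(self, vpn, dst):
        for net in sorted(self.vrf[vpn], key=lambda n: -n.prefixlen):   # longest prefix match
            if dst in net:
                return self.vrf[vpn][net]
        raise LookupError(f"{self.name}: no route to {dst} in VPN{vpn}")

    def from_user(self, port, pkt):
        """Ingress: the table is chosen by the receiving port's VPN number, never by the packet contents."""
        nh, label2 = self._lookup(self.port_vpn[port], ipaddress.IPv4Address(pkt[:4]))
        if nh[0] == "port":
            return ("user", nh[1], pkt)
        stack = shim_encode(self.level1[nh[1].name], False) + shim_encode(label2, True)
        return ("provider", nh[1].name, stack + pkt)

    def from_provider(self, frame):
        """Egress: pop our own level-1 label if still present, then demultiplex on the level-2 label."""
        top = shim_decode(frame)
        if not top["bottom"]:                      # no penultimate hop popping: level-1 label still on top
            if top["label"] != self.level1[self.name]:
                raise ValueError("level-1 label not addressed to this PE")
            frame, top = frame[4:], shim_decode(frame[4:])
        vpn, port = self.l2_in[top["label"]]
        pkt = frame[4:]
        if port is None:                           # per-VPN tunnel: the virtual router's table picks the port
            port = self._lookup(vpn, ipaddress.IPv4Address(pkt[:4]))[0][1]
        return ("user", port, pkt)

def demo(per_prefix, php):
    """PR1 and PR4 of FIG. 22: company A (VPN2) and company B (VPN1) both use 10.0.0.0/8 internally."""
    level1 = {"PR1": 1001, "PR4": 1004}                     # hypothetical level-1 labels reaching each PE
    pr1, pr4 = EdgeRouter("PR1", level1, per_prefix), EdgeRouter("PR4", level1, per_prefix)
    pr1.attach("PR1-PP1", 2, "A:1"); pr1.attach("PR1-PP2", 1, "B:2")
    pr4.attach("PR4-PP3", 2, "A:3"); pr4.attach("PR4-PP5", 1, "B:5")
    pr1.rd_vpn.update({"A:3": 2, "B:5": 1})                  # RD group -> VPN mapping for the remote sites
    for port, prefix in (("PR4-PP3", "10.0.0.0/8"), ("PR4-PP3", "172.16.0.0/12"), ("PR4-PP5", "10.0.0.0/8")):
        pr4.add_site_route(port, prefix)
    pr4.advertise_to(pr1)
    ports = {}
    for port in ("PR1-PP1", "PR1-PP2"):                      # constructed packet: 4-byte private dst + data
        _, _, frame = pr1.from_user(port, ipaddress.IPv4Address("10.1.2.3").packed + b"hello")
        ports[port] = pr4.from_provider(frame[4:] if php else frame)[1]   # frame[4:] = penultimate hop popping
    try:                                                     # a VPN1 site must not reach a prefix known only in VPN2
        pr1.from_user("PR1-PP2", ipaddress.IPv4Address("172.16.0.1").packed)
        blocked = False
    except LookupError:
        blocked = True
    return {"ports": ports, "labels": sorted(pr4.l2_in), "cross_vpn_blocked": blocked}
```

Calling demo(True, True) shows the RFC2547 case with penultimate hop popping: the same private destination 10.1.2.3 leaves PR4 on PR4-PP3 when it entered PR1 on company A's port and on PR4-PP5 when it entered on company B's port, PR4 has allocated three level-2 labels (one per advertised prefix), and the VPN1 port cannot reach the 172.16.0.0/12 prefix of VPN2 because that route was never installed in VPN1's table. demo(False, False) shows the draft's single label per VPN and the egress router popping its own level-1 label itself.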
It is to be noted that in the above-mentioned methods (1) and (2), MPLS tunneling is used as the tunneling technique. In this case, the packet relayed by the MPLS tunnel has the format shown in FIG. 24, in which two SHIM headers are stacked.
However, tunneling techniques other than the MPLS tunnel are also in general use as IP tunnels, namely an L2TP (layer two tunneling protocol) tunnel and an IPsec (IP security protocol) tunnel.
A packet of the general L2TP tunnel has a format shown in FIG. 25. When the packet consisting of the IP header, a TCP/UDP header, and application data is transmitted through an L2TP tunnel, an L2TP header and a PPP header are added thereto associated with an encapsulation. Moreover, when the edge router transmits the encapsulated packet to the provider network, a lower layer media PPP/Ether header, and the like as well as the IP header and the UDP header are also added.
Also, in the general IPsec tunnel, there are cases where an AH (authentication header), which provides only authentication, is used, and cases where an ESP (encapsulating security payload) header, which provides both authentication and encryption, is used. The formats of the respective packets relayed in the IPsec tunnel are shown in FIGS. 26 and 27.
As shown in FIG. 26, in the packet using the AH header, the outer IPv4 header, the AH header, the inner IPv4 header, and the IP upper layer data are the objects of the authentication (fields of the outer IPv4 header that change in transit, such as the TTL and the header checksum, are treated as zero when the authentication value is computed).
Also, as shown in FIG. 27, the packet using the ESP header is composed of the outer IPv4 header, the ESP header, the inner IPv4 header, the IP upper layer data, an ESP trailer, and an ESP authentication header (the integrity check value). The range excluding the outer IPv4 header and the ESP authentication header therefrom is the object of the authentication; the range further excluding the ESP header therefrom is the object of the encryption. The outer IPv4 header is therefore neither authenticated nor encrypted by ESP.
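As an added illustration of the coverage boundaries of FIGS. 26 and 27 (example code written for this page, not taken from any IPsec implementation), the following builds a tunnel-mode ESP packet and a tunnel-mode AH packet around a constructed inner UDP datagram and then flips single bits in the outer header, the inner packet, and the ciphertext to show which changes each mode detects. The key, addresses, SPI values and IV derivation are assumptions made for the example; the keystream is HMAC-SHA256 in counter mode so that the example runs on the standard library alone, standing in for the block cipher a real ESP implementation uses, and the IPv4 header checksum is left zero.

```python
import hashlib, hmac, ipaddress, struct

ESP, AH, IPIP = 50, 51, 4   # IP protocol numbers: ESP, AH, and IP-in-IP for the tunnelled inner header

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Constructed minimal IPv4 header (header checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, iv, n):
    """HMAC-SHA256 in counter mode: a stand-in PRF for the example only; real ESP uses a block cipher such as AES."""
    out = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return out[:n]

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:12]   # 96-bit truncated integrity check value

# ---- ESP tunnel mode (FIG. 27) ----
def esp_encap(keys, spi, seq, inner, outer_src, outer_dst):
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP])   # padding | pad length | next header
    esp_hdr = struct.pack("!II", spi, seq)
    iv = hashlib.sha256(esp_hdr).digest()[:8]     # example IV derived from SPI/seq; a real sender uses a fresh IV
    ct = xor(inner + trailer, keystream(keys["enc"], iv, len(inner) + len(trailer)))  # encrypted: inner + trailer
    tag = icv(keys["auth"], esp_hdr + iv + ct)    # authenticated: ESP header + IV + ciphertext, NOT the outer header
    return ipv4_header(outer_src, outer_dst, ESP, 8 + 8 + len(ct) + 12) + esp_hdr + iv + ct + tag

def esp_decap(keys, frame):
    body = frame[20:]                             # the outer header is skipped: ESP neither checks nor decrypts it
    esp_hdr, iv, ct, tag = body[:8], body[8:16], body[16:-12], body[-12:]
    if not hmac.compare_digest(tag, icv(keys["auth"], esp_hdr + iv + ct)):
        raise ValueError("ESP ICV mismatch")       # verify before decrypting
    pt = xor(ct, keystream(keys["enc"], iv, len(ct)))
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPIP:
        raise ValueError("unexpected next header")
    return pt[:len(pt) - pad_len - 2]

# ---- AH tunnel mode (FIG. 26) ----
def _ah_scope(outer, ah_no_icv, inner):
    """Everything is authenticated, with the mutable outer fields (TOS, flags/fragment, TTL, checksum) zeroed."""
    immutable = outer[:1] + b"\0" + outer[2:6] + b"\0\0" + b"\0" + outer[9:10] + b"\0\0" + outer[12:]
    return immutable + ah_no_icv + b"\0" * 12 + inner

def ah_encap(keys, spi, seq, inner, outer_src, outer_dst):
    outer = ipv4_header(outer_src, outer_dst, AH, 24 + len(inner))
    ah_no_icv = struct.pack("!BBHII", IPIP, 4, 0, spi, seq)   # next hdr | payload len (24/4 - 2) | reserved | SPI | seq
    return outer + ah_no_icv + icv(keys["auth"], _ah_scope(outer, ah_no_icv, inner)) + inner

def ah_decap(keys, frame):
    outer, ah_no_icv, tag, inner = frame[:20], frame[20:32], frame[32:44], frame[44:]
    if not hmac.compare_digest(tag, icv(keys["auth"], _ah_scope(outer, ah_no_icv, inner))):
        raise ValueError("AH ICV mismatch")
    return inner

def demo():
    """Which single-bit changes each mode detects. Keys and packets are constructed for the example."""
    keys = {"enc": hashlib.sha256(b"example-enc").digest(), "auth": hashlib.sha256(b"example-auth").digest()}
    inner = ipv4_header("10.1.0.5", "10.3.0.9", 17, 8) + struct.pack("!HHHH", 1234, 1235, 8, 0)  # inner UDP datagram
    esp = esp_encap(keys, 0x1000, 1, inner, "203.0.113.1", "198.51.100.4")
    ah = ah_encap(keys, 0x2000, 1, inner, "203.0.113.1", "198.51.100.4")

    def flip(frame, i):                           # flip the top bit of byte i
        return frame[:i] + bytes([frame[i] ^ 0x80]) + frame[i + 1:]

    def accepted(decap, frame):
        try:
            decap(keys, frame)
            return True
        except ValueError:
            return False

    return {
        "esp_roundtrip": esp_decap(keys, esp) == inner,
        "esp_outer_ttl_changed": accepted(esp_decap, flip(esp, 8)),    # outer header lies outside the ICV
        "esp_outer_dst_changed": accepted(esp_decap, flip(esp, 16)),   # likewise: bind to the SA by SPI, not by outer header
        "esp_ciphertext_changed": accepted(esp_decap, flip(esp, 40)),  # inner packet is covered
        "ah_roundtrip": ah_decap(keys, ah) == inner,
        "ah_outer_ttl_changed": accepted(ah_decap, flip(ah, 8)),       # TTL is mutable, zeroed before computing the ICV
        "ah_outer_dst_changed": accepted(ah_decap, flip(ah, 16)),      # outer destination address is covered by AH
        "ah_inner_changed": accepted(ah_decap, flip(ah, 60)),          # inner packet is covered
    }

if __name__ == "__main__":
    print(demo())
```

The result shows the practical consequence of FIG. 27: an ESP receiver accepts a packet whose outer header was rewritten in transit (which is why ESP survives TTL decrement and address translation), so the receiver must identify the security association by the SPI and not trust the outer addresses, whereas under FIG. 26 an AH receiver rejects any change to the outer destination address but tolerates the zeroed mutable fields.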
In order to provide the IP-VPN service, the administrator of ISP allocates the VPN numbers or the VPN-ID's to the ports of the edge routers connected to the user networks. In order to enable the communication between the sites belonging to the same VPN, it is required that the sites are mutually connected by the tunnels through the global network and that the communication should be distinguished from the communication between the sites having other VPN numbers or VPN-ID's.
In the IETF RFC2547 method, the edge routers are required to hold the relationship between the ports and the virtual private networks to which the ports belong, and to mutually connect the ports within the same virtual private network with the virtual links (level-2 tunnels).
In the RFC2547 method, the BGP session connecting the BGP routing control processes on the edge routers is established over the level-1 tunnel connecting the edge routers. The edge router multiplexes the routing information of all of the VPN's onto this BGP session to be exchanged. Based on the received routing information, the edge router determines which ports accommodating user sites should be connected with a level-2 tunnel.
The edge router distributing the routing information by the BGP protocol is configured with which routing information, of which site belonging to which VPN, should be distributed to which virtual router. Also, for the edge router receiving the routing information by the BGP protocol, the administrator of the ISP manually sets in which virtual router a route received by BGP should be stored. Therefore, as the configuration of the VPN becomes more complicated and the number of VPN's increases, the setting becomes extremely complicated.
Generally, BGP is a routing protocol used mainly by providers operating transit networks. Quite a few providers realize their routing control with an OSPF (open shortest path first) instead. Therefore, operating BGP on all of the edge routers of such providers in order to realize the VPN has been a big hurdle.
On the other hand, in the method of draft-muthukrishnan-corevpn-arch-00.txt, the virtual routers belonging to the same VPN (having the same VPN-ID) are connected with the level-2 tunnels, so that the routing information received from a site belonging to a certain VPN is exchanged between the virtual routers using the level-2 tunnels which connect the virtual routers belonging to that VPN.
This method has been proposed based on MPLS, and uses the Label Distribution Protocol (LDP) for establishing the Label Switching Path (LSP) which is the MPLS tunnel within the MPLS network, so that it cannot be applied to methods using an IP tunnel (L2TP, IPsec).