Research on the architecture of next-generation information networks is one of the most active topics today. Its basic direction is to seamlessly integrate the services of the telecommunication network (represented by voice), the TV network (represented by video) and the Internet (represented by data), with an IP-based bearer network as the common feature. Typical examples are VoIP (Voice over Internet Protocol, IP telephony) for voice, IPTV networks for TV, 3G mobile communication networks carried over an IP core network, and many super-3G and 4G research projects.
4G is short for the 4th generation mobile communication system. It aims to provide voice, data and streaming media services over an IP bearer network, so that users obtain a higher-speed communication environment at “any time, any place, any service”.
The NGN (Next Generation Network) is the next-generation network built on the basis of the telecommunication network; it is intended to establish a unified transmission layer based on IP packet switching. On this unified transmission layer, applications can be developed independently of any specific transmission technology, which widens the range of applications.
The current IP-based packet bearer network evolved from IPv4. Because IP technology originated in the United States, the United States and other developed countries hold a large number of IPv4 addresses, while very few have been allocated to the populous developing countries. As a result, the development of the IP packet bearer network and of a variety of communication networks in developing countries is constrained by the shortage of IP addresses. For example, the number of Internet users in China already exceeds the number of IPv4 addresses China holds, the number of network users in China is still growing rapidly, and other technologies and equipment have to be used to increase the reuse of IP addresses; the shortage of IP address space is therefore a serious problem haunting the future development of China's IP bearer network and communication networks. The best way to solve this problem is to use IPv6, but such an outright change of network architecture requires enormous construction costs to build the IPv6 bearer network and the replacement of hundreds of millions of ends, which is expensive, so it is not a suitable scheme so far.
From the above review it can be seen that the research emphasis and the chosen direction of next-generation network architectures differ greatly because of differences in technical basis, interest background and so on, but the problems and difficulties they face are the same.
3G and 4G are the core of next-generation network research in wireless communications and are intended to improve the quality of wireless mobile communication on the basis of an all-IP packet core network; the NGN and the NGI (Next-Generation Internet) are next-generation network convergence studies in the fields of the telecommunication network and the Internet respectively; the CNGI (China's Next Generation Internet) is intended to build the next-generation Internet on IPv6; and the “Fundamental Research on the integrated trusted network and pervasive service system” of Beijing Jiaotong University expects to build a new unified packet network. Although these studies differ greatly, the viewpoint they all accept is that the future network is a unified packet-based bearer network. The study of next-generation network architecture therefore takes the Internet as its main reference. Since its birth the Internet has developed rapidly and has become the most successful and most viable communication network; its flexible scalability, efficient packet switching and powerful ends, among other characteristics, match the design needs of the new-generation network well, and the Internet will be the main blueprint for the new-generation network design. However, the structure of the Internet is far from optimal and has many important design problems. Besides the IP address space being unable to meet application requirements, the problems mainly appear in the following aspects:
The Internet was invented in the 1970s, when it was hard to predict the large numbers of mobile ends and multi-homed ends that exist in today's world, so the Internet protocol stack of that time was designed mainly for “fixedly” connected ends. In the network environment of that time an end basically did not move from one location to another, the sending address was the receiving address and the path was reversible, so an IP address with the dual attributes of identity and location could work well and there was no conflict between its identity attribute and its location attribute. An IP address representing both identity and location exactly met the network requirements of that time; seen from that environment, the design is simple and effective, and it simplifies the hierarchy of the protocol stack. There is no doubt, however, that the location attribute and the identity attribute of the IP address contradict each other internally. The identity attribute requires that any two IP addresses be equal: although IP addresses can be allocated according to organizations, consecutively encoded IP addresses have no necessary relationship, or at least none in topological location. The location attribute requires that IP addresses be allocated according to the network topology (rather than the organization), with the IP addresses of one subnet forming a contiguous address block, so that IP address prefixes can be aggregated along the network topology, which reduces the routing table entries in routers and ensures the scalability of the routing system.
With the growth of network size and technology, techniques for allocating IP addresses dynamically, such as the Dynamic Host Configuration Protocol (DHCP), gradually emerged and began to break the assumption that an IP address uniquely represents an end. The use of private IP address space and the birth of Network Address Translator (NAT) technology made the situation even worse. In this situation an IP address carrying both the identity attribute and the location attribute can hardly play its role, and the dual-attribute problem of the IP address has become prominent. Besides the significant change in technical requirements, the Internet's users have also changed tremendously. In the first few years after its birth, the Internet was basically shared by mutually trusting people in the same group, and the traditional Internet protocol stack was designed on that assumption; today's Internet users are a mixed bag who find it hard to trust each other. In this situation the Internet, which has no built-in security mechanism, also needs to change.
In general, the internal contradiction between the dual attributes of the IP address leads to the following main problems.
1. The Problem of Routing Scalability
The scalability of the Internet routing system rests on a basic assumption: “either the addresses are allocated according to the topology, or the topology is deployed according to the addresses”. The identity attribute of the IP address requires that IP addresses be allocated according to the organization (not the network topology) to which the end belongs, and this allocation needs to remain stable and cannot change frequently; the location attribute requires that IP addresses be allocated according to the network topology so as to ensure the scalability of the routing system. The two attributes of the IP address therefore conflict, which ultimately leads to the scalability problem of the Internet routing system.
2. The Problem of Mobility
The identity attribute of the IP address requires that the IP address not change with the end's location, so that communication bound to the identity is not interrupted and so that, after the end moves, other ends can still use its identity to establish communication with it; the location attribute requires that the IP address change with the end's location, so that IP addresses can be aggregated in the new network topology. Otherwise the network must keep a separate routing entry for the moved end, and the routing table entries grow rapidly.
3. The Problem of Multiple Homes
Multi-homing usually means that an end or a network accesses the Internet simultaneously through the networks of several ISPs (Internet Service Providers). Its advantages include higher network reliability, traffic load balancing between several ISPs and greater overall available bandwidth. However, the internal contradiction between the dual attributes of the IP address makes multi-homing difficult to achieve. The identity attribute requires that a multi-homed end always present the same identity to other ends, no matter through how many ISPs it accesses the Internet; the location attribute requires that a multi-homed end use different IP addresses in different ISP networks, so that its IP address can be aggregated in each ISP's network topology.
4. The Problem of Security and Location Privacy
Since the IP address carries both the identity information and the location information of the end, the communication peer and malicious eavesdroppers can obtain the end's identity and its topological location at the same time from its IP address.
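The conflict described in problems 1 to 3 can be made concrete by counting the entries a core router must hold. The following Python example is added here and is not part of the patent text; the ISP names, the four sites and the addresses (taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, next hop); the next hop is an ISP name


def core_table(routes: List[Route]) -> List[Route]:
    """Aggregate a route list the way a core router can: prefixes that share
    a next hop collapse into covering supernets (nested or adjacent blocks
    merge); prefixes with different next hops never merge, because the
    aggregate would lose the forwarding information."""
    by_hop = {}
    for prefix, hop in routes:
        by_hop.setdefault(hop, []).append(ipaddress.ip_network(prefix))
    table = []
    for hop, nets in by_hop.items():
        table += [(str(n), hop) for n in ipaddress.collapse_addresses(nets)]
    return sorted(table)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as a router forwards."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


# Constructed topology: ISP-A holds 192.0.2.0/24 and numbers four customer
# sites out of it; ISP-B holds 198.51.100.0/24 (both documentation ranges).
ISP_A_SITES = [(f"192.0.2.{i * 64}/26", "ISP-A") for i in range(4)]
ISP_B_BLOCK = [("198.51.100.0/24", "ISP-B")]


def topology_allocation() -> List[Route]:
    """Location attribute honoured: addresses follow the topology, so the core
    holds one entry per ISP however many sites each ISP serves."""
    return core_table(ISP_A_SITES + ISP_B_BLOCK)


def mobile_host() -> List[Route]:
    """Identity attribute honoured: host 192.0.2.10 moves to ISP-B but keeps
    its address, so the core needs a host route that no aggregate can cover."""
    return core_table(ISP_A_SITES + ISP_B_BLOCK + [("192.0.2.10/32", "ISP-B")])


def multi_homed_site() -> List[Route]:
    """Site 192.0.2.0/26 adds a second uplink through ISP-B and keeps its
    ISP-A-assigned prefix; ISP-B must announce a /26 that does not aggregate
    with its own block, so the core grows by one more entry."""
    return core_table(ISP_A_SITES + ISP_B_BLOCK + [("192.0.2.0/26", "ISP-B")])


if __name__ == "__main__":
    for name, fn in [("topology", topology_allocation), ("mobility", mobile_host),
                     ("multi-home", multi_homed_site)]:
        table = fn()
        print(f"{name}: {len(table)} core entries {table}")
    print("192.0.2.10 after the move ->", lookup(mobile_host(), "192.0.2.10"))
```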
Overall, since the architecture of the traditional Internet was established, its technology environment and user groups have undergone enormous changes, and the Internet needs to be innovated. The dual-attribute problem of the IP address is one of the basic reasons hindering the Internet's continued development, and separating the identity attribute from the location attribute of the IP address is a good idea for solving the problems the Internet faces. The new network is designed on this idea, and a network architecture in which identity information is separated from location information is proposed to solve some serious drawbacks of the existing Internet.
To solve the identity and location problem, the industry has carried out much research and exploration, and the basic idea of all identity/location separation schemes is to separate the two attributes, identity and location, that were originally bound to the IP address. Among these schemes, some, such as IPNL (IP Next Layer, which belongs to the NAT-based scalable architecture mode) and TRIAD (A Scalable Deployable NAT-based Internet Architecture), use the URL (Uniform Resource Locator, an identification method that completely describes the address of a Web page or other resource on the Internet) in the application layer or the FQDN (Fully Qualified Domain Name) as the identity identifier of the end; some introduce a new name space as the identity identifier, for example HIP (Host Identity Protocol) adds a host identifier to the network layer while the IP address serves as the location identifier; some, such as LISP (Locator/ID Separation Protocol), classify IP addresses so that some IP addresses act as identity identifiers and others as location identifiers; and the Chinese patent application CN1801764, published on Jul. 12, 2006 by Zhang Hongke et al. of Beijing Jiaotong University and entitled “an internet access method based on the identity and location separation”, uses the IP address as the location identifier of the end host and introduces the end host identity as the identity identifier to solve the identity and location separation problem. Among these schemes, the end-host-based solutions, such as HIP, need to modify the end host protocol stack, while the network-based solutions need to upgrade the routers at specific locations. Moreover, the network-based solutions differ in where they place the routers that fulfil the identity/location mapping function.
Some schemes definitely specify that the routers fulfilling the mapping function are located at the boundary of the user network, that is, the mapping function routers belong to the user network; some schemes (LISP, TIDR (Tunneled Inter-domain Routing) and Ivip (Internet Vastly Improved Plumbing)) do not constrain the location of the mapping function router in the network; and some schemes, which are clearly aimed at the routing scalability problem and at ensuring that only the network administrator can obtain the identity/location mapping information, strictly constrain the mapping function router to be the access router of the core network, that is, the mapping function router belongs to the core network. Among solutions in which both the identity identifier and the location identifier are in the network layer, such as LISP, there is a design difference on whether identity and location are completely separated strictly according to the division of the network topology. The current version of the LISP protocol requires that the network route the first packet to the peer end using the EID (Endpoint Identifier) before the mapping resolution service is provided, so that the tunnel routers on both sides of the communication learn the mapping between the RLOC (Routing Locator) and the EID; this means that at least some routing nodes in the network hold both RLOC-based and EID-based routing entries at the same time, which weakens the ability of LISP to solve the routing scalability problem.
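The following Python example, added here and not part of the patent text or of the LISP specification, models the separation the schemes above share: ends keep an identity identifier (EID), tunnel routers map EIDs to location identifiers (RLOCs), and the core forwards on RLOCs only. The EID prefixes, the RLOC addresses and the mapping service are constructed; a host move and the failure of one locator of a multi-homed site change only the mapping, never the core table.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Locator:
    rloc: str
    priority: int = 1          # lower is preferred; several locators = multi-homing

@dataclass
class MappingSystem:
    """EID prefix -> locators; stands in for the mapping service. Registered
    prefixes are assumed not to nest, so the first covering prefix wins."""
    entries: Dict[ipaddress.IPv4Network, List[Locator]] = field(default_factory=dict)

    def register(self, eid_prefix: str, locators: List[Locator]) -> None:
        self.entries[ipaddress.ip_network(eid_prefix)] = list(locators)

    def fail_locator(self, eid_prefix: str, rloc: str) -> None:
        """Withdraw one locator; the remaining ones keep the EID reachable."""
        net = ipaddress.ip_network(eid_prefix)
        self.entries[net] = [loc for loc in self.entries[net] if loc.rloc != rloc]

    def resolve(self, eid: str) -> Optional[str]:
        addr = ipaddress.ip_address(eid)
        for prefix, locs in self.entries.items():
            if addr in prefix and locs:
                return min(locs, key=lambda loc: loc.priority).rloc
        return None                # no mapping: the ITR cannot encapsulate

@dataclass
class Packet:
    src_eid: str
    dst_eid: str
    payload: str
    outer_dst_rloc: Optional[str] = None   # outer header, added by the ITR

def itr_encapsulate(ms: MappingSystem, pkt: Packet) -> Optional[Packet]:
    """Ingress tunnel router: resolve the destination EID and wrap the packet in
    an outer header addressed to the destination site's RLOC. The core sees
    only this outer RLOC, never the end's identifier."""
    rloc = ms.resolve(pkt.dst_eid)
    if rloc is None:
        return None
    return Packet(pkt.src_eid, pkt.dst_eid, pkt.payload, outer_dst_rloc=rloc)

def core_forward(core_rlocs: frozenset, pkt: Packet) -> str:
    """Core routers hold RLOC routes only; an EID is never a key in this table."""
    if pkt.outer_dst_rloc not in core_rlocs:
        raise LookupError(f"no core route to RLOC {pkt.outer_dst_rloc}")
    return pkt.outer_dst_rloc

# Constructed: three tunnel-router locators known to the core, two sites and a
# mobile node with its own EID. Site B is multi-homed through two locators.
CORE_RLOCS = frozenset({"198.51.100.1", "203.0.113.1", "192.0.2.1"})

def build_mappings() -> MappingSystem:
    ms = MappingSystem()
    ms.register("10.1.0.0/16", [Locator("198.51.100.1")])                 # site A
    ms.register("10.2.0.0/16", [Locator("203.0.113.1", 1), Locator("192.0.2.1", 2)])
    ms.register("10.3.7.7/32", [Locator("198.51.100.1")])                 # mobile node, at site A
    return ms

def move_host(ms: MappingSystem, eid: str, new_rloc: str) -> None:
    """Mobility: the end keeps its EID; only its mapping entry changes, and the
    core routing table (CORE_RLOCS) is untouched."""
    ms.register(f"{eid}/32", [Locator(new_rloc)])

def deliver(ms: MappingSystem, pkt: Packet) -> Optional[str]:
    """ITR -> core -> ETR. Returns the RLOC the core forwarded to, or None."""
    enc = itr_encapsulate(ms, pkt)
    if enc is None:
        return None
    rloc = core_forward(CORE_RLOCS, enc)
    assert enc.dst_eid == pkt.dst_eid      # the ETR strips the outer header; identity survived
    return rloc
```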
The original intentions of the various identity and location separation schemes differ, so the functions they ultimately achieve also vary. IPNL is designed to give the IPv4 network a longer life and avoid the full replacement caused by replacing the IPv4 protocol with the IPv6 protocol. TRIAD is designed to solve the various problems that NAT causes for the Internet, and at the same time provides some support for mobility, policy routing and so on. HIP was originally proposed to solve the security problem, afterwards did much work on supporting mobility, and studies multi-homing support. SHIM6 (Level 3 Shim for IPv6) is proposed mainly to solve the problem of multi-homing support in IPv6 networks. LIN6 (Location Independent Networking for IPv6) is designed to give the IPv6 protocol a mobility option and a multi-homing solution. ILNP (Identifier Locator Network Protocol) is designed as an IPv6 extension mechanism that solves the mobility and multi-homing problems. GSE (Global, Site and End-System Designator) attempts to change the IPv6 address structure so as to control the growth of global routing table entries and support multi-homing more flexibly. TIDR is designed to enhance the routing and forwarding functions of the existing Internet to solve the global routing table expansion, inter-domain routing security and multi-homing problems. LISP is mainly designed to solve the routing scalability problem.
All the above proposals and schemes give solutions to part of the problem in order to achieve identity and location separation within the existing network architecture. Identity and location separation is a key technology of the future data communication network, especially the mobile data communication network.
A VPN (Virtual Private Network) can interconnect different network components and resources. It uses the infrastructure of the Internet or another public interconnection network to create a tunnel for the user, and provides the same security and functionality guarantees as a private network.
The VPN has many implementation solutions, which are divided into the customer premises equipment VPN solution (CPE-VPN) and the Provider Provisioned VPN solution (PP-VPN).
The CPE-VPN solution is characterized by the user setting up, managing and maintaining the VPN gateway device, and standard VPN tunnel connections are established between the various branches and the corporate headquarters through the public IP network. The tunneling protocol is usually the Layer 2 Tunneling Protocol (L2TP), the Point-to-Point Tunneling Protocol (PPTP), IPsec (secure IP), IP in IP (IP encapsulated in IP) or GRE (Generic Routing Encapsulation), and various encryption technologies and NAT technologies are used to guarantee the security of data transmission.
The establishment and management of the VPN tunnel connections are entirely the responsibility of the users themselves, and the providers do not need to adjust or change their network structure or performance. This approach is commonly referred to as the “self-built VPN” mode.
An enterprise supported by a VPN uses a public network such as the Internet to establish connections with its branches or other companies and to communicate securely. A VPN connection established across the Internet is logically equivalent to a connection established between two sites over a wide area network. Although VPN communication runs over the public interconnected network, the users feel that they are communicating over a private network, hence the name virtual private network. VPN technology solves the problem that employees need access to central resources and that companies must communicate with each other promptly and effectively, at a time when remote communication grows day by day and enterprise operations are distributed globally.
The basic usages of the VPN are:
Remote user access via the VPN: the VPN supports secure remote access to enterprise resources through the public interconnection network. For example, a VPN user first dials the broadband remote access server (BRAS) of the local Internet service provider (ISP), then uses the VPN software to establish, over the connection to the local ISP, a VPN between the remote user and the enterprise VPN server across the Internet or another public interconnection network.
Connecting a remote local area network via the VPN: no expensive long-distance dedicated circuit is needed; the routers at the branches and at the enterprise end connect to the Internet through the local ISP using their own local private lines, or dial into the ISP's broadband access server to connect to the Internet. The VPN software then establishes a VPN between the router of each branch and the router at the enterprise end over the established connection to the local ISP and the Internet.
The operator-implemented PP-VPN solution places a VPN gateway device in the operator's public data communication network for dedicated-access users or remote dial-up users. With this gateway device the VPN may be established across the whole network by technologies such as tunnel encapsulation, virtual routers or MPLS (Multiprotocol Label Switching), according to the specific needs of the VPN, and encryption technology can be used to protect the security of data transmission. The establishment of the VPN connection is entirely the operator's responsibility and is transparent to the user. This method is commonly referred to as the “outsourced VPN” mode.
As broadband access networks develop rapidly, operators who want to expand their business with high quality must solve the following problem: how to perform rational hierarchical planning of the network structure so as to achieve user positioning and service management. Since Ethernet technology is widely used at the access network level, the technology currently used to divide the network on an Ethernet basis is mainly the virtual local area network (VLAN). The VLAN is an emerging technology that creates virtual working groups by dividing the devices in a LAN into several network segments logically rather than physically. The IEEE (Institute of Electrical and Electronics Engineers) issued the 802.1Q draft standard in 1999 to standardize the VLAN implementation scheme. The traditional Ethernet frame format defines 4096 VLANs, which were proposed to solve the broadcast problem and the security of Ethernet. The VLAN adds a VLAN header to the Ethernet frame and uses the VLAN ID to divide the users into smaller working groups, and users in different working groups are prevented from visiting each other at Layer 2. Each working group is a virtual LAN, which has the benefit of limiting the broadcast range, forming a virtual working group and managing the network dynamically. The VLAN isolates broadcast storms, but it also isolates communication between different VLANs, so routers are needed to complete the communication between different VLANs.
There are several main methods of dividing VLANs. The first divides the VLAN by port, and is the most common method. The second divides the VLAN by MAC (Media Access Control) address; its biggest advantage is that the VLAN does not need to be reconfigured when the user physically moves, that is, from one switch to another, and its disadvantage is that all users must be configured at initialization, which lowers the execution efficiency of the switch. The third divides the VLAN at the network layer, that is, according to the network layer address or the protocol type (if several protocols are supported) of each end host rather than according to routing, so even when the user's physical location changes the user's VLAN does not need to be reconfigured; its disadvantage is that re-analyzing the frame header reduces efficiency. The fourth divides the VLAN by IP multicast: an IP multicast group is in fact also a definition of a VLAN, that is, a multicast group is considered to be one VLAN. This method extends the VLAN to the wide area network, so it has greater flexibility, and it can easily be extended through routers.
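The following Python example, added here and not part of the patent text, parses the 802.1Q tag (12-bit VLAN ID, hence 4096 values) and models a switch that assigns untagged frames to a VLAN by port or by source MAC (the first two division methods above) and floods only within the VLAN, so two VLANs on one switch cannot reach each other at Layer 2. The MAC addresses, ports and frames are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None when the frame carries no tag
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame with or without an 802.1Q tag. The tag sits
    between the source MAC and the EtherType: 16-bit TPID, then 16-bit TCI
    = 3-bit PCP | 1-bit DEI | 12-bit VID (4096 values, 0 and 4095 reserved)."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, ethertype, raw[18:])

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame; a VID inserts the 4-byte tag in front of the EtherType."""
    head = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        head += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return head + struct.pack("!H", ethertype) + payload

@dataclass
class VlanSwitch:
    """Access-port switch: port-based VLANs, optionally overridden per source
    MAC (the first two division methods); a per-VLAN forwarding database."""
    port_vlan: Dict[int, int]                                 # port -> VID
    mac_vlan: Dict[bytes, int] = field(default_factory=dict)  # src MAC -> VID
    fdb: Dict[tuple, int] = field(default_factory=dict)       # (VID, MAC) -> port

    def classify(self, port: int, frame: Frame) -> int:
        if frame.vid is not None:
            return frame.vid                    # tagged: the tag decides
        return self.mac_vlan.get(frame.src, self.port_vlan[port])

    def forward(self, in_port: int, raw: bytes) -> List[int]:
        """Return the egress ports. Unknown or broadcast destinations are
        flooded only to ports of the same VLAN; other VLANs never see them,
        which is the Layer 2 isolation that makes a router necessary."""
        frame = parse_frame(raw)
        vid = self.classify(in_port, frame)
        self.fdb[(vid, frame.src)] = in_port    # learn where this MAC lives
        out = self.fdb.get((vid, frame.dst))
        if out is not None and out != in_port:
            return [out]
        return [p for p, v in self.port_vlan.items() if v == vid and p != in_port]

# Constructed MACs and a switch with VLAN 10 on ports 1-2 and VLAN 20 on
# ports 3-4; host M is assigned to VLAN 20 by MAC, wherever it plugs in.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
MAC_C, MAC_M = bytes.fromhex("020000000003"), bytes.fromhex("02000000000d")
BROADCAST = b"\xff" * 6

def demo_switch() -> VlanSwitch:
    return VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20}, mac_vlan={MAC_M: 20})
```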
As a VPN technology for the Ethernet communication environment, the VLAN has been applied on a large scale in broadband access. The VPN frequently applied in the core network or the wide area network is the VPN based on Multi-Protocol Label Switching (MPLS).
The emergence of Multi-Protocol Label Switching (MPLS) technology has changed the whole Internet system structure. Using MPLS to implement the VPN significantly reduces the deficiencies of the traditional IP network and provides the same security guarantee as a Frame Relay or ATM (Asynchronous Transfer Mode) network, so it is well suited to VPN service needs.
The network model of the MPLS VPN comprises: the customer edge (CE) device, a router or Layer 2 switch located at the customer side that provides access to the provider network; the provider edge (PE) router, which mainly maintains the forwarding tables related to its nodes, exchanges VPN routing information with other PE routers and forwards VPN traffic over Label Switched Paths (LSPs) in the MPLS network, and which is the Label Edge Router (LER) of the MPLS network; and the provider router (PR), which transparently forwards the VPN data over the established LSPs, maintains no VPN-related routing information, and is the Label Switching Router (LSR) of the MPLS network.
The advantages of the MPLS VPN:
Security: since the MPLS VPN uses routing isolation, address isolation, information hiding and other means, and provides anti-attack and anti-label-spoofing methods, it is fully able to provide security guarantees similar to those of an ATM/FR VPN.
Scalability: the MPLS VPN is highly scalable. On the one hand, the MPLS network can accommodate a large number of VPNs; on the other hand, since BGP (Border Gateway Protocol) is used to allocate and manage the members, the number of user nodes in one VPN is not restricted, it is easy to expand, and any node can communicate directly with any other node. In particular, the circuits between user nodes need not be configured one by one to implement full-mesh communication between them; the user side needs only one port and one line to access the network, which avoids the N-squared scalability problem.
Reliability: the MPLS VPN service naturally has large bandwidth, multiple nodes, multiple routes and sufficient network and transmission resources to ensure network reliability. When a trunk line within the Internet is interrupted, the MPLS VPN traffic detours to other circuits together with the general Internet traffic according to the IGP (Interior Gateway Protocol); the process is fulfilled automatically, relying entirely on IGP convergence, it is completely transparent to the users, and no single point of failure exists during transmission across the wide area network.
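The following Python example, added here and not the text's own or any vendor's implementation, traces one packet through the CE-PE-P-PE model above: the ingress PE resolves the destination in the customer's VRF and pushes a VPN label and a transport label, the P router swaps the transport label without knowing any customer route, and the egress PE uses the VPN label to choose the VRF and CE, so two customers may reuse the same 10.1.0.0/16 addresses. The router names, labels and prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)   # label stack, top first


@dataclass
class PE:
    """Provider edge (the LER). Each customer gets its own VRF; prefixes inside
    one VRF are assumed not to nest, so first match stands in for longest match."""
    name: str
    vrfs: Dict[str, List[Tuple[str, int, str]]]   # VRF -> [(prefix, VPN label, egress PE)]
    lsp: Dict[str, int]                           # egress PE -> transport label
    local: Dict[int, Tuple[str, str]]             # VPN label -> (VRF, attached CE)

    def ingress(self, vrf: str, pkt: Packet) -> Optional[str]:
        """Look the destination up in this customer's VRF only, then push the
        VPN label (inner) and the transport label (outer)."""
        addr = ipaddress.ip_address(pkt.dst)
        for prefix, vpn_label, egress in self.vrfs[vrf]:
            if addr in ipaddress.ip_network(prefix):
                pkt.labels = [self.lsp[egress], vpn_label]
                return egress
        return None      # another VRF's routes are invisible: address isolation

    def egress(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        """Pop the VPN label; it selects the VRF and CE. A label this PE never
        advertised maps to nothing and the packet is dropped (label spoofing)."""
        vpn_label = pkt.labels.pop(0)
        return self.local.get(vpn_label)


@dataclass
class P:
    """Provider router (the LSR): swaps transport labels, holds no VPN routes."""
    name: str
    swap: Dict[int, Tuple[Optional[int], str]]  # in label -> (out label, next hop)

    def forward(self, pkt: Packet) -> str:
        out, next_hop = self.swap[pkt.labels[0]]
        if out is None:
            pkt.labels.pop(0)        # penultimate hop pop before the egress PE
        else:
            pkt.labels[0] = out
        return next_hop


# Constructed network: CE-R1/CE-B1 -> PE1 -> P1 -> PE2 -> CE-R2/CE-B2.
# Customers Red and Blue both use 10.1.0.0/16 at their remote sites.
PE1 = PE("PE1",
         vrfs={"Red": [("10.1.0.0/16", 100, "PE2")],
               "Blue": [("10.1.0.0/16", 200, "PE2"), ("10.9.0.0/16", 201, "PE2")]},
         lsp={"PE2": 1001},
         local={})
P1 = P("P1", swap={1001: (None, "PE2")})
PE2 = PE("PE2", vrfs={}, lsp={},
         local={100: ("Red", "CE-R2"), 200: ("Blue", "CE-B2"), 201: ("Blue", "CE-B2")})


def deliver(vrf: str, dst: str) -> Optional[Tuple[str, str]]:
    """Carry one packet from a CE attached to PE1 in the given VRF to the
    (VRF, CE) that receives it at PE2; None if the VRF has no route."""
    pkt = Packet(dst)
    if PE1.ingress(vrf, pkt) is None:
        return None
    if P1.forward(pkt) != "PE2":
        raise RuntimeError("unexpected LSP next hop")
    return PE2.egress(pkt)


if __name__ == "__main__":
    print("Red  10.1.0.5 ->", deliver("Red", "10.1.0.5"))
    print("Blue 10.1.0.5 ->", deliver("Blue", "10.1.0.5"))
    print("Red  10.9.0.5 ->", deliver("Red", "10.9.0.5"))
```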