A Virtual Private Network (VPN) is an extension of a network that is remotely administrated. This network is carried over the local network via tunneling, in protocols that may be IP based or not IP based (for example ATM). When extending these networks into mobile packet data networks, a single node must handle a large number of VPNs. This implies that the management and configuration of all these extensions to the VPNs has to be handled by the operator managing the mobile packet network. In for example GPRS (General Packet Radio Service), the GGSN (Gateway GPRS Switching Node) connects the mobile network to the remotely administrated network. FIG. 1 depicts a schematic overview of such a GPRS network with the GGSN.
FIG. 2 depicts an example with traffic between two mobile stations. This example shows that the administrator of the GGSN has to manage the packet filtering rules that protect the mobile stations from each other. The traffic between mobile stations cannot be monitored from a remotely administrated network.
One known solution is based on an implementation of packet filtering doing packet forwarding. By defining a packet filter that forwards all traffic from one interface or tunnel to another interface or tunnel, the routing information in the forwarding table will not be considered and the traffic can be forced to a remote network.
Another known WPP solution to the problem is to directly map traffic from one interface/tunnel into another interface or tunnel, without making a forwarding decision based on the destination IP address. This known solution is called APN (Access Point Name) Routing.
The disadvantage with the above solutions is poor redundancy, since the packet filters (or mapping table) are not dynamically updated and the interface or tunnel that the packets are forwarded to might be unavailable due to link or network problems.
FIG. 3 shows two nodes A and B and a router RT being physically connected to an Ethernet segment ETH_S. Two virtual private networks VPN_1 and VPN_2 are implemented over the common Ethernet segment ETH_S. Node A comprises a first and a second IP interface IP_IF1 and IP_IF2. The IP interfaces IP_IF1 and IP_IF2 at the IP layer 3 are mapped to the given unique layer 2 MAC (Media Access Control) Ethernet address ETH_IF1 by means of the ARP (automatic Request Protocol) protocol.
Likewise, interfaces IP_IF3 and IP_IF4 are mapped to Ethernet interface ETH_IF2 of node B. IP interfaces IP_IF5 and IP_IF6 are mapped to ETH_IF2 on router RT.
IP_IF1 of node A forms a first virtual private network VPN_1 with IP_IF3 of node B. IP_IF4 of node B forms a second virtual private network VPN_2 with IP_IF6 of router RT. IP packets may be communicated between the respective IP interfaces over the respective VPNs. To the IP interfaces of each respective VPN it appears that the Ethernet segment is exclusive to that VPN.
FIG. 4 shows an exemplary IP packet delivered from IP interface IP_IF3 to IP_IF1 on VPN_1 for the network shown in FIG. 3. The IP packet is encapsulated in an Ethernet packet with source address SRC=ETH_IF2 and destination address DST=ETH_IF1. It has an Ethernet type identification of type "VLAN" (Virtual Local Area Network) and carries a corresponding network identifier VPN_1 and a second Ethernet type identifier IPv4 pertaining to the version of the IP protocol being used. In the Ethernet payload ETH_PL there is provided the IP source (IP SRC) and destination addresses (IP DST) mentioned above and the IP payload. The packet is ended by an Ethernet cyclical redundancy check value ETH CRC.
FIG. 5 shows an exemplary prior art network comprising a router RT providing a first virtual private network VPN_1 via forwarding table VRF_1, which provides interconnectivity for IP interfaces IP_IF1, IP_IF2 and IP_IF3. The router moreover provides a second virtual private network VPN_2 via forwarding table VRF_2, which provides interconnectivity for IP interfaces IP_IF5 and IP_IF6.
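The following Python program is an added example, not code from the original text, that ties together the VLAN-tagged frame of FIG. 4, the per-VPN forwarding tables VRF_1 and VRF_2 of FIG. 5, and the static interface-to-interface mapping of the packet-filter and APN-routing solutions described earlier. It builds and parses an 802.1Q-tagged Ethernet frame carrying IPv4, selects the forwarding table from the VLAN identifier so a VPN_1 frame can never be matched against VPN_2 routes, and contrasts a longest-prefix VRF lookup with a static mapping that ignores the destination address. The MAC addresses, VLAN IDs, prefixes, interface names, tunnel name and link states are all constructed for the example; the IPv4 checksum and Ethernet FCS are omitted, and the link-state fallback in the VRF lookup is this example's own illustration of why a per-destination decision can survive a failed link while a fixed mapping cannot.

```python
import struct
import ipaddress

# All MAC addresses, VLAN IDs, prefixes, interface and tunnel names below are
# constructed for this example; they are not values from the original text.
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETH_IF1 = bytes.fromhex("020000000001")   # node A (assumed MAC)
ETH_IF2 = bytes.fromhex("020000000002")   # node B (assumed MAC)
VPN_1, VPN_2 = 10, 20                      # assumed VLAN IDs for the two VPNs


def build_frame(src_mac, dst_mac, vlan_id, ip_src, ip_dst, payload=b""):
    """Build an 802.1Q-tagged Ethernet frame carrying a minimal IPv4 header.
    The IPv4 checksum is left at zero and the FCS is omitted."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(ip_src).packed,
                         ipaddress.IPv4Address(ip_dst).packed)
    tci = vlan_id & 0x0FFF                 # PCP=0, DEI=0, 12-bit VLAN ID
    # On the wire the destination MAC precedes the source MAC.
    return (dst_mac + src_mac
            + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4)
            + ip_hdr + payload)


def parse_frame(frame):
    """Return the fields a node needs to pick the right VPN and forward."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        raise ValueError("untagged frame carries no VPN identifier")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4
    return {
        "dst_mac": dst_mac, "src_mac": src_mac,
        "vlan_id": tci & 0x0FFF,
        "ip_src": str(ipaddress.IPv4Address(ip[12:16])),
        "ip_dst": str(ipaddress.IPv4Address(ip[16:20])),
        "payload": ip[ihl:],
    }


# One forwarding table per VPN (VRF_1 for VPN_1, VRF_2 for VPN_2), as in FIG. 5.
VLAN_TO_VRF = {VPN_1: "VRF_1", VPN_2: "VRF_2"}
VRF = {
    "VRF_1": [(ipaddress.ip_network("10.1.0.0/16"), "IP_IF2"),
              (ipaddress.ip_network("10.1.1.0/24"), "IP_IF1"),
              (ipaddress.ip_network("10.1.3.0/24"), "IP_IF3")],
    "VRF_2": [(ipaddress.ip_network("10.2.0.0/16"), "IP_IF5"),
              (ipaddress.ip_network("10.2.6.0/24"), "IP_IF6")],
}
# Assumed link state; IP_IF6 is down to show the redundancy difference.
LINK_UP = {"IP_IF1": True, "IP_IF2": True, "IP_IF3": True,
           "IP_IF5": True, "IP_IF6": False}


def vrf_forward(frame):
    """Longest-prefix match inside the VRF selected by the VLAN tag.
    A frame is never matched against the other VPN's table, and routes whose
    interface is down are skipped so a covering prefix can take over."""
    pkt = parse_frame(frame)
    vrf_name = VLAN_TO_VRF.get(pkt["vlan_id"])
    if vrf_name is None:
        return ("drop", "unknown VPN identifier")
    dst = ipaddress.IPv4Address(pkt["ip_dst"])
    candidates = [(net, iface) for net, iface in VRF[vrf_name]
                  if dst in net and LINK_UP.get(iface, False)]
    if not candidates:
        return ("drop", f"no usable route in {vrf_name}")
    net, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return ("forward", iface)


# Static tunnel-to-interface mapping in the style of the packet-filter
# forwarding / APN routing solutions: the destination is never consulted.
STATIC_MAP = {"TUN_A": "IP_IF6"}   # assumed tunnel name


def static_forward(in_tunnel, frame):
    parse_frame(frame)                     # validates the frame; result unused
    out = STATIC_MAP.get(in_tunnel)
    if out is None:
        return ("drop", "no static mapping")
    if not LINK_UP.get(out, False):
        return ("drop", f"{out} unavailable and the mapping offers no alternative")
    return ("forward", out)


if __name__ == "__main__":
    f = build_frame(ETH_IF2, ETH_IF1, VPN_1, "10.1.3.1", "10.1.1.1")
    print(vrf_forward(f))                                    # ('forward', 'IP_IF1')
    print(vrf_forward(build_frame(ETH_IF2, ETH_IF1, VPN_1, "10.1.3.1", "10.2.6.1")))
    print(vrf_forward(build_frame(ETH_IF2, ETH_IF1, VPN_2, "10.2.5.1", "10.2.6.1")))
    print(static_forward("TUN_A", build_frame(ETH_IF2, ETH_IF1, VPN_2, "10.2.5.1", "10.2.6.1")))
```

The second lookup shows the isolation property: a VPN_1 frame addressed to a VPN_2 host is dropped because only VRF_1 is consulted. The third and fourth show the redundancy point made above: with IP_IF6 down, the VRF lookup falls back to the covering 10.2.0.0/16 route, whereas the static mapping has nowhere else to send the packet.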