In the mobile IPv6 data transfer technology, every Mobile Node (MN) has a fixed Home Address (HoA), which is independent of the current location by which the MN accesses the Internet and is directly used in a home link of the MN. When the MN moves outside the home link, the current location information of the MN is provided over a Care of Address (CoA) acquired from a Foreign Agent (FA).
A Communication Node (CN) is a communication opposite end of the MN. A bidirectional tunnel mode and a route optimization mode may be used for transferring data packets between the MN and the CN.
In the route optimization mode, data packets are directly transferred between the MN and the CN supporting mobile IPv6, and the CN must know the new CoA of the MN after moving.
In the bidirectional tunnel mode, data packets are transferred between the MN and the CN over a Home Agent (HA), and the CN need not know the new CoA of the MN after moving. For example, when the MN receives a data packet from the CN, the data packet will be sent to the HoA of the MN because the HoA of the MN is unchanged. The data packet is firstly sent from the CN to a Home Agent (HA), and then is forwarded to the MN by the HA.
The bidirectional tunnel mode will result in a severe transfer delay because the data packet is forwarded over the HA while the route optimization mode eliminates such a disadvantage of the bidirectional tunnel mode.
In order to implement the route optimization transfer of data packets between the MN and the CN supporting mobile IPv6, the MN needs to notify the new CoA of the MN to the HA and the CN once the location of the MN is changed.
After the MN moves to a link apart from the home link, the procedure for the MN notifying the new CoA of the MN to the HA and the CN includes a Return Routable Procedure (RRP) and an exchange Binding Update/Binding Acknowledgement (BU/BA) procedure, which are implemented as follows.
(1) Return Routable Procedure
Firstly, the MN sends to the CN a CoA test initiation packet and sends to the CN a HoA test initiation packet over the HA.
Secondly, the CN sends to the MN a CoA test response packet and sends to the MN a HoA test response packet over the HA.
(2) Exchange Binding Update/Binding Acknowledgement Procedure
After finishing the return routable procedure, the MN initiates the exchange binding update procedure and notifies the CN and the HA of the new CoA of the MN after moving. After receiving the new CoA, the CN adds an item for the MN in the binding buffer of the CN to store the new CoA. In other words, communication registration is finished. After receiving the new CoA, the HA adds an item for the MN in the binding agent of the HA to store the new CoA and home registration is finished.
Hereafter, both the CN and the HA send to the MN an exchange binding update packet acknowledgement. In this way, the binding acknowledgement procedure is accomplished.
After the communication registration and the home registration are accomplished, the new CoA of the MN is registered to the CN and the HA. Therefore, the route optimization mode may be used to transfer data packets between the MN and the CN.
Before data packets are transferred between the MN and the CN, it is necessary to establish a Transport Control Protocol (TCP) connection between the MN and the CN. There are three procedures for establishing the TCP connection.
In a network protected by a firewall, Node A protected by the firewall initiates, through the firewall, a TCP connection synchronization (SYN) request to Node B outside of the network protected by the firewall, and the SYN request contains the address of Node B, i.e. a destination address, the Port of Node B, i.e. a destination port, and the protocol number between Node A and Node B. Node B returns, through the firewall, to Node A an SYN request acknowledgement (SYN-ACK), and the SYN request acknowledgement contains the address of Node A, i.e. a source address, and the port of Node A, i.e. a source port. Up to now, a TCP connection is established between Node A and Node B. As can be seen easily, it is possible to establish a TCP connection successfully after a communication registration is finished between Node A and Node B.
Additionally, in order to transfer data packets in security between the MN and the CN, a firewall (FW) is set between the MN and the CN for intercepting a malicious node. There are many varieties of firewalls. The state firewall (state FW) adopts a state packet filtering technology, and is widely applied due to the good security and the high speed. The following firewall is referred to as the state firewall.
While establishing a TCP connection, a firewall will create an entry item according to five elements interacting in the TCP connection, including a source address, a destination address, a source port, a destination port and a protocol number, and the entry item includes the above-mentioned five elements. Therefore, when a data packet outside the network protected by the firewall traverses the firewall and enters the network protected by the firewall, if the destination address and the source address included in the header of the data packet are the same as the destination address and the source address in the entry item of the firewall respectively as well as the source port, the destination port and the protocol number of the data packet are also the same as the source port, the destination port and the protocol number in the entry item of the firewall, the firewall allows the data packet to traverse it; otherwise, the firewall intercepts the data packet and drops the intercepted data packet, which is also called filtering.
At present, because the address of the MN will change with the change of the location of the MN, there are the following problems when a data packet traverses a firewall. Suppose the communication registration between the MN and the CN is successfully completed after the location of the MN changes, i.e., the CN has acquired a new CoA of the MN.
For one example, the CN is in the network protected by the firewall and the MN is outside the network protected by the firewall.
FIG. 1(a) is a schematic diagram for exchanging a data packet between a mobile node and a communication node through a firewall when the communication node is in the network protected by the firewall and the mobile node is outside the network protected by the firewall. The mobile node sends a data packet to the communication node from a new CoA of the mobile node. When traversing the firewall, the data packet is unable to pass the filtering of the firewall because there is no item matching the new CoA of the mobile node in the entry item of the firewall. Therefore, the data packet is dropped. In this way, the data packet sent to the communication node in the network protected by the firewall is lost when the mobile node outside the network protected by the firewall moves to a new link.
In this case, if the communication node in the network protected by the firewall firstly sends a data packet to the mobile node outside the network protected by the firewall, the firewall will newly add an item in the entry item after the data packet traverses the firewall. The item includes such five elements as an address of the communication node, a new CoA of the mobile node, a port of the communication node, a new port of the mobile node, and a protocol number between the communication node and the mobile node. Therefore, when the mobile node resends a data packet to the communication node and the data packet traverses the firewall, the data packet may match the newly-added entry item of the firewall and pass the filtering of the firewall, thereby traversing the firewall successfully.
For another example, the MN is in the network protected by the firewall and the CN is outside the network protected by the firewall.
FIG. 1(b) is a schematic diagram for exchanging a data packet between a mobile node and a communication node through a firewall when the mobile node is in the network protected by the firewall and the communication node is outside the network protected by the firewall. If the communication node sends a data packet to the mobile node moving to a new link, the destination address of the data packet can not match the destination address in the entry item because the entry item of the firewall does not include the new CoA of the mobile node after moving, but only the address of the mobile node before moving when the data packet traverses the firewall, thereby the data packet fails to pass the filtering of the firewall, and the data packet is dropped.
In this case, if the mobile node in the network protected by the firewall firstly sends a data packet to the communication node outside the network protected by the firewall, the firewall will newly add an item in the entry item after the data packet traverses the firewall. The item includes such five elements as an address of the communication node, a new CoA of the mobile node, a port of the communication node, a new port of the mobile node, and a protocol number between the communication node and the mobile node. Therefore, when the communication node resends a data packet to the mobile node and the data packet traverses the firewall, the data packet may match the newly-added entry item of the firewall and pass the filtering of the firewall, thereby traversing the firewall successfully.
As can be seen from the above two cases, no matter whether the CN is in the network protected by the firewall and the MN is outside the network protected by the firewall or the MN is in the network protected by the firewall and the CN is outside the network protected by the firewall, there occurs the same problem that a data packet fails to traverse the firewall and is dropped due to the change of the address of the MN caused by the change of the location of the MN. However, the problem will not occur when the data packet in the network protected by the firewall traverses the firewall. Therefore, the following problem that a data packet traverses a firewall is the existing problem which occurs when the data packet outside the network protected by the firewall traverses the firewall.
At present, in order to solve the problem, some solutions adopt a filtering method based on the home address of the MN. Because the HoA keeps unchanged when the MN moves, and the HoA is contained in a Home Address Destination Option of the data packet sent from the MN to the CN and is contained in a Type 2 Routing Header of the data packet sent from the CN to the MN, the entry item of the firewall always includes such five fixed elements as a source address, a destination address, a source port, a destination port and a protocol number for the MN and the CN.
If the CN is in the network protected by the firewall and the MN is outside the network protected by the firewall, when the MN sends a data packet to the CN, five elements in the entry item of the firewall for matching includes: (1) a source address: the HoA of the MN, (2) a destination address: the address of the CN, (3) a source port: the port of the MN, (4) a destination port: the port of the CN, (5) a protocol number between the CN and the MN. Because the data packet sent from the MN to the CN contains the Home Address Destination Option, the firewall is able to extract the HoA of the MN from the Home Address Destination Option to replace the new CoA of the MN as a source address. Therefore, the changed source address of the MN is able to match the source address in the entry item. In this way, the data packet is able to pass the filtering of the firewall by the filtering method based on the HoA of the MN.
If the MN is in the network protected by the firewall and the CN is outside the network protected by the firewall, when the CN sends a data packet to the MN, five elements in the entry item of the firewall for matching includes: (1) a source address: the address of the CN, (2) a destination address: the HoA of the MN, (3) a source port: the port of the CN, (4) a destination port: the port of the MN, (5) a protocol number between the CN and the MN. Because the packet sent from the CN to the MN contains the Type 2 Routing Header, the firewall is able to extract the HoA of the MN from the Type 2 Routing Header to replace the new CoA of the MN as a destination address. Therefore, the changed destination address of the MN is able to match the destination address in the entry item. In this way, the data packet is able to pass the filtering of the firewall by using the filtering method based on the HoA of the MN.
FIG. 2 is a flowchart for the mobile IPv6 data outside a network protected by a firewall traversing the firewall in the prior art. Suppose the communication registration has been completed between an MN and a CN after the MN moves to a link apart from the home link, the port and protocol number of the MN match the port and protocol number of the CN, the address of the MN in the home link is the home address, the address of the MN in the link apart from the home link is the CoA, and the address of the CN is Home address 1. The method for mobile IPv6 data outside a network protected by the firewall traversing the firewall in the prior art includes the following steps.
Steps 200˜201: The firewall intercepts a data packet outside a network protected by the firewall and determines whether the source address, the destination address, the source port, the destination port and the protocol number of the data packet match five elements in the entry item of the firewall; if the matching is successful, Step 208 is performed; otherwise, Step 202 is performed.
This step is described by two examples.
For one example, if the MN is outside the network protected by the firewall and the CN is in the network protected by the firewall, the entry item includes: a source home address, a destination home address 1, a source port, a destination port and a protocol number. If the MN is in the home link, the source address of the data packet sent from the MN to the CN is still the home address of the MN, i.e. the source home address, and the destination address is the address of the CN, i.e. the destination home address 1, which are able to match the source home address and the destination home address 1 in the entry item. Therefore, the data packet is able to pass the filtering of the firewall, and Step 208 is performed. If the MN moves to a link apart from the home link, the source address of the data packet sent from the MN to the CN is not the home address of the MN but a new CoA which is unable to match the source home address in the entry item. Therefore, the data packet is unable to pass the filtering of the firewall, and Step 202 is performed.
For another example, if the CN is outside the network protected by the firewall and the MN is in the network protected by the firewall, the entry item includes: a source home address 1, a destination home address, a source port, a destination port and a protocol number. If the MN is in the home link, the source address of the data packet sent from the CN to the MN is still the address of the CN, i.e. the source home address 1, and the destination address is the home address of the MN, i.e. the destination home address, which are able to match the source home address 1 and the destination home address in the entry item. Therefore, the data packet is able to pass the filtering of the firewall, and Step 208 performed. If the MN moves to a link apart from the home link, the address of the MN is a new CoA, but the destination address of the data packet sent from the CN to the MN is still the home address of the MN. The destination address of the data packet is able to match the destination home address in the entry item. Therefore, the data packet is able to pass the filtering of the firewall. However, the data packet is unable to be sent to the MN because the address of the MN is changed to the CoA. In this case, even though passing the address matching and Step 208 is performed, the data packet will be dropped.
Steps 202˜203: Query whether the data packet contains a Home Address Destination Option; if the data packet contains a Home Address Destination Option, extract the home address from the Home Address Destination Option to replace the source CoA of the data packet, and Step 204 is performed; otherwise, Step 205 is performed.
In this step, if the data packet includes the Home Address Destination Option, it indicates that the data packet is sent from the MN to the CN, i.e., the MN is outside the network protected by the firewall and the CN is in the network protected by the firewall. Therefore, the five elements in the entry item includes a source home address, a destination home address 1, a source port, a destination port and a protocol number.
Step 204: Match the replaced source address of the data packet, i.e. the home address of the MN with the source home address in the entry item; if the home address of the MN matches the source home address in the entry item, Step 208 is performed; otherwise, Step 209 is performed.
In this step, the replaced source address of the data packet, i.e. the home address of the MN matches the source address in the entry item; if the home address of the MN matches the source address in the entry item, the matching is successful; otherwise, the matching is unsuccessful.
Steps 205˜206: Query whether the data packet contains a Type 2 Routing Header; if the data packet contains a Type 2 Routing Header, extract the home address from the Type 2 Routing Header to replace the destination CoA of the data packet, and Step 207 is performed; otherwise, Step 209 is performed.
In this step, if the data packet includes the Type 2 Routing Header, it indicates that the data packet is sent from the CN to the MN, i.e. the CN is outside the network protected by the firewall and the MN is in the network protected by the firewall. Therefore, the five elements in the entry item includes a source home address 1, a destination home address, a source port, a destination port and a protocol number.
Step 207: Match the replaced destination address of the data packet, i.e. the home address of the MN with the destination home address in the entry item; if the home address of the MN matches the destination home address in the entry item, Step 208 is performed; otherwise, Step 209 is performed.
In this step, the replaced destination address of the data packet, i.e. the home address of the MN matches the destination home address in the entry item; if the home address of the MN matches the destination address in the entry item, the matching is successful; otherwise, the matching is unsuccessful.
Step 208: The data packet traverses the firewall successfully.
Step 209: The data packet is dropped.
The method mentioned above is for mobile IPv6 data outside a network protected by a firewall traversing the firewall. There are still disadvantages using the conventional filtering method based on the home address of the MN when a data packet is sent from the outside of the network protected by the firewall to the inside of the network protected by the firewall. For one thing, as can be seen from the procedure of FIG. 2, the conventional method needs to perform the matching for a data packet of which the current address is unable to match the corresponding address in the entry item by the filtering method based on the home address of the MN, i.e., the conventional method needs to query the option or header of the data packet, which needs a large amount of time and result a low efficiency of traversing the firewall; for another, as can be seen from the above method, when the MN is in the network protected by the firewall and the CN is outside the network protected by the firewall, even though the matching using the conventional filtering method based on the home address of the MN is successful, the data packet passing the filtering of the firewall will be dropped because the destination address changes, which makes the data packet unable to traverse the firewall normally. The detailed procedure has been described through the second example of Steps 200˜201.
It should be noted that the above method is on how the current mobile IPv6 data outside a network protected by a firewall traverses the firewall and when the data packet is sent from the inside of the network protected by the firewall to the outside of the network protected by the firewall, the above filtering method based on the home address of the MN is able to filter the data packet normally; the problem that the data packet traverses the firewall does not occur.