TW200901679A - Network redundancy system and processing method therefor - Google Patents


Info

Publication number
TW200901679A
Authority
TW
Taiwan
Prior art keywords
network
packet
backup system
docket
router
Prior art date
Application number
TW96122702A
Other languages
Chinese (zh)
Inventor
Yuan-Hung Chen
Yung-Chiang Chien
Original Assignee
Digital United Inc
Priority date
Filing date
Publication date
Application filed by Digital United Inc
Priority to TW96122702A
Publication of TW200901679A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network redundancy system is disclosed. A router at the transmitting end detects that the primary line is off-line and transmits the access point name of a subscriber identity module card to a 3G network. The 3G network authenticates the name and connects the transmitter's IP route through to the MPLS network, creating an IPSec tunnel into which the transmitter's traffic is directed. A first network device of the MPLS network looks up the routing table and IP routing information corresponding to the tunnel, attaches a VPN label and an MPLS label to a packet from the transmitter, and forwards the packet into the MPLS network. A second network device of the MPLS network looks up the network to which the packet belongs, removes the labels from the packet, and forwards the packet to the receiver's IP network.

Description

IX. Description of the Invention

[Technical Field]

The present invention relates to a network communication system, and in particular to a network backup (redundancy) system for a Virtual Private Network (VPN) and a processing method therefor.

[Prior Art]

The "Virtual Private Network (VPN)" has been the most prominent operating model in network applications in recent years, because it uses a public network instead of leased lines to connect an enterprise's local area networks, which not only greatly reduces deployment cost but also makes future expansion more convenient. VPNs can generally be divided into Customer Premises Equipment (CPE)-based VPNs and network-based VPNs. In the former, the enterprise customer uses its own equipment and technologies such as the Layer Two Tunneling Protocol (L2TP) or Internet Protocol Security (IPSec) to build a virtual private tunnel across the public network to a remote CPE-based VPN device; this is the most common VPN solution today. In the latter, the network Service Provider (SP) directly provides the VPN service; this is a VPN approach that is gradually gaining ground.

The technologies currently used in CPE-based VPNs can be divided into Layer 2 tunneling technologies (PPTP or L2TP) and the Layer 3 IPsec technology. Because all of these VPN technologies transmit data encapsulated in IP, they are also collectively referred to as IP-VPN technologies.

Client's Docket No.: N/A  TT's Docket No: 0695-A41231-TW / Draft-Final / Alex Chen

In addition, owing to the rapid growth of the Internet, more and more applications are being developed on Internet Protocol (IP) networks, and enterprises' demand for building their intranets on IP networks grows daily. An IP network forwards packets on the basis of IP addresses. In traditional IP packet forwarding, however, every node along the way must repeatedly examine the packet header to resolve the next hop until the packet reaches its destination, so the larger the network, the worse the forwarding performance, which will not meet the future Internet's need for high-speed, high-volume transmission. Multi-Protocol Label Switching (MPLS) is the technology that satisfies this future demand while remaining compatible with IP, and is therefore the best choice.

Fig. 1 is a schematic diagram of the architecture of a VPN backup system that provides a backup service over a dial-up connection. Figs. 2A to 2C are flow diagrams of the operation of the VPN backup system that provides the backup service over the dial-up connection. Note that the computer equipment at the transmitting end and at the receiving end of the network backup system is substantially the same; the implementation is described mainly in terms of the transmitting end's computer equipment and the network media it uses, and the operation of the receiving end's equipment is not described separately.

Dial-up connections include the Integrated Services Digital Network (ISDN) and the Public Switched Telephone Network (PSTN).

ISDN combines "integrated", "services", "digital" and "network": it brings all kinds of information and communication channels into one common network, so that a user can enjoy diverse digital communication services such as voice, data and video at the same time over a single pair of telephone wires, and is spared the inconvenience of constantly converting data between analog and digital forms; it is therefore a technology that greatly increases the digital transmission speed of telephone lines.

The principle of the PSTN (that is, ordinary fixed-line and mobile telephony) is that a modem converts the computer's 0/1 digital data into analog sound in roughly the range of human hearing, which is carried over the ordinary telephone network to the modem of another computer, which converts the sound back into digital data in the reverse manner.

Referring to Fig. 1, the connection path from the host 110 of transmitting end A (Tran_A) through the Asymmetric Digital Subscriber Line (ADSL) modem 130 to the remote receiving end B (Rec_B) is the primary line, and the connection path from the host 110 of transmitting end A through the dial-up modem 140 to the remote receiving end B is the backup line.

Referring to Figs. 1 and 2A, first, at transmitting end A, when the router 120 connected to the host 110 detects that the Ethernet Wide Area Network (WAN) interface connected to the ADSL modem 130 is up (that is, the connection is normal), it pings, via the PSTN 150 and the Asynchronous Transfer Mode (ATM) network 160, the IP address of the Provider Edge device (PE) 171 that is implemented with a Broadband Remote Access Server (BRAS) in the MPLS network (VPN) 170. Note that the ADSL modem 130 must be used in bridge mode in order to detect the state of the entire line. ATM is an advanced packet-switching technology that can be used in both local and wide area networks; its transmission speed can theoretically reach 1.2 Gbps, but in practice only 155 Mbps is achieved. The ATM network 160 and the MPLS network 170 may be connected by Asynchronous Transfer Mode level 1 (STM-1).

The router 120 instructs its IP stack to send an Internet Control Message Protocol (ICMP) Echo request to the BRAS PE 171 and then waits for the ICMP Echo reply. When the IP stack of the router 120 receives the ICMP Echo reply, this indicates that the BRAS PE 171 is operating normally and is reachable. Once the router 120 has determined that the line of the primary ADSL modem 130 is normal, it directs the network traffic of the back-end Local Area Network (LAN) to the ADSL modem 130.

The BRAS PE 171 looks up the Virtual Routing and Forwarding table (VRF) to which the Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of transmitting end A's ADSL modem 130 belong, together with its IP routing information, then attaches a VPN label and an MPLS label to the packet and forwards it into the MPLS network 170. In an MPLS VPN, the VRF is where each distinct VPN customer's own enterprise IP routing information is kept.

MPLS belongs to the third generation of network architectures and is the new-generation switching standard for high-speed IP backbone networks, led by the Internet Engineering Task Force (IETF) and major network equipment vendors such as 3Com. MPLS works by giving each IP packet a label that determines the packet's path and priority. An MPLS-capable router forwarding a packet along its path reads only the packet's label, without having to read each packet's IP address and header, so the network becomes much faster; at the same time, a Quality of Service (QoS) mechanism classifies the forwarded packets, which greatly improves the quality of network service and enables a wider variety of services. MPLS VPN is the technique of using VPN labels to distinguish the packets of different enterprise networks within an MPLS network.

Next, the packet is forwarded through the MPLS network 170; the PE 175 of the MPLS network 170 looks up the VPN to which the packet belongs, removes the VPN label from the packet, and forwards the packet into receiving end B's network. The PE 175 then looks up the VRF to which transmitting end A's leased line belongs, and its IP routing information, attaches a VPN label and an MPLS label to the packet coming from receiving end B, and forwards that packet into the MPLS network 170. The BRAS PE 171 looks up the VPN to which the packet belongs, removes the VPN label from the packet, and forwards the packet into transmitting end A's IP network, thereby completing packet transmission between transmitting end A and receiving end B.

Referring to Figs. 1, 2B and 2C, when the router 120 detects that the Ethernet Wide Area Network (WAN) connection to the ADSL modem 130 is down, it drives the modem 140 to dial the PSTN 150; at this point the modem 140 and the PSTN 150 handshake to negotiate the dial-up speed. Once the modem 140 has finished dialing, the account name and password of transmitting end A (that is, the client) are sent via the PSTN 150 to the PE 173 of the MPLS network 170, which is implemented with a Remote Access Server (RAS), for authentication. The PSTN 150 and the MPLS network 170 are connected by a Primary Rate Interface (PRI) T1 line (PRI-T1). After successful authentication, the RAS PE 173 forwards the account name and password to its Remote Authentication Dial-In User Service (RADIUS) server (not shown) for authentication, and a Dynamic Host Configuration Protocol (DHCP) server (not shown) then assigns an IP address to the router 120 of transmitting end A.

Once the IP address has been assigned, the router 120 directs the network traffic of the back-end local area network into the Point-to-Point Protocol (PPP) channel of the dialer (not shown) of the modem 140, while the RAS PE 173 transfers transmitting end A's routing information into receiving end B's VRF. The RAS PE 173 then looks up transmitting end A's VRF and routing table according to the PPP channel of the dialer (not shown), attaches a VPN label and an MPLS label to the packet from the dialer (not shown), and forwards the packet into the MPLS network 170. The packet is forwarded through the MPLS network 170; the PE 175 looks up the VPN to which the packet belongs, removes the VPN label from the packet, and forwards the packet into receiving end B's IP network.

The PE 175 then looks up the VRF and routing table to which the network leased line that carried the packet belongs, attaches a VPN label and an MPLS label to the packet from receiving end B, and forwards the packet into the MPLS network 170. The RAS PE (IPsec PE) 173 looks up, according to IPSec, the VPN to which the packet belongs, removes the VPN label from the packet, and forwards the packet into the PPP channel of the dialer (not shown) of transmitting end A.
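The label handling described above for the BRAS PE 171, the RAS/IPsec PE 173 and the PE 175, in both directions and on both the primary and the backup path, is one mechanism: an attachment circuit (an ADSL VPI/VCI, a PPP dialer channel or an IPsec tunnel) is bound to a VRF, the ingress PE pushes a VPN label and a transport MPLS label, and the egress PE pops them and hands the packet to the VRF that owns the VPN label. The Python below is an added example, not part of the patent, that implements that push and pop with the RFC 3032 label-stack encoding; the circuit names, VRF names, prefixes, PE names and label values are constructed. It goes slightly beyond the text by adding a second customer whose VRF carries the same prefix, to show that separation rests on the egress PE forwarding solely by VPN label and dropping any label it did not allocate.

```python
"""Ingress label push and egress label pop of an MPLS VPN, as described in the text.

Added example; the attachment circuits, VRF names, prefixes, PE names and
label values below are constructed for illustration.
"""
import ipaddress
import struct
from typing import Tuple

# One label stack entry (RFC 3032): 20-bit label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL.
def encode_label(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_label(entry: bytes) -> Tuple[int, int, bool, int]:
    (word,) = struct.unpack("!I", entry[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


# Ingress PE: each attachment circuit is bound to exactly one VRF. The primary ADSL
# circuit and the 3G backup IPsec tunnel of the same customer land in the same VRF,
# which is what makes the backup path carry the same VPN label as the primary.
CIRCUIT_TO_VRF = {
    "atm vpi/vci 8/35": "vrf-customer-a",     # primary line (constructed)
    "ipsec tunnel tran-a": "vrf-customer-a",  # backup tunnel, same customer (constructed)
    "atm vpi/vci 8/36": "vrf-customer-z",     # a different customer (constructed)
}

# Per-VRF routes: prefix -> (egress PE, VPN label that PE advertised for the prefix).
VRF_ROUTES = {
    "vrf-customer-a": {ipaddress.ip_network("10.2.0.0/16"): ("pe-475", 100001)},
    "vrf-customer-z": {ipaddress.ip_network("10.2.0.0/16"): ("pe-475", 100002)},
}

# Transport label that reaches each egress PE across the MPLS core.
TRANSPORT_LABEL = {"pe-475": 16001}

# Egress PE: VPN labels it allocated, and the VRF each one belongs to.
EGRESS_LABEL_TO_VRF = {100001: "vrf-customer-a", 100002: "vrf-customer-z"}


def ingress_push(circuit: str, dst_ip: str, ip_packet: bytes) -> bytes:
    """Look up the circuit's VRF and route, then push VPN label (bottom) and transport label (top)."""
    vrf = CIRCUIT_TO_VRF[circuit]  # unknown circuit -> KeyError, packet is not forwarded
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(net, nh) for net, nh in VRF_ROUTES[vrf].items() if dst in net]
    if not candidates:
        raise LookupError(f"no route to {dst_ip} in {vrf}")
    _, (egress_pe, vpn_label) = max(candidates, key=lambda c: c[0].prefixlen)  # longest match
    vpn_entry = encode_label(vpn_label, tc=0, bottom=True, ttl=255)
    transport_entry = encode_label(TRANSPORT_LABEL[egress_pe], tc=0, bottom=False, ttl=255)
    return transport_entry + vpn_entry + ip_packet


def egress_pop(frame: bytes, my_pe: str = "pe-475") -> Tuple[str, bytes]:
    """Pop the transport label, then map the VPN label to the VRF it belongs to."""
    label, _, bottom, _ = decode_label(frame)
    if bottom or label != TRANSPORT_LABEL[my_pe]:
        raise LookupError("top label is not this PE's transport label")
    vpn_label, _, bottom, _ = decode_label(frame[4:])
    if not bottom:
        raise ValueError("VPN label must be the bottom of the stack")
    vrf = EGRESS_LABEL_TO_VRF.get(vpn_label)
    if vrf is None:
        # A label this PE never allocated is dropped, never guessed into some VRF.
        raise LookupError(f"unallocated VPN label {vpn_label}")
    return vrf, frame[8:]


def forward(circuit: str, dst_ip: str, ip_packet: bytes) -> Tuple[str, bytes]:
    """One packet from a customer circuit through the core to the customer VRF at egress."""
    return egress_pop(ingress_push(circuit, dst_ip, ip_packet))


if __name__ == "__main__":
    pkt = b"constructed IP packet"
    print(forward("atm vpi/vci 8/35", "10.2.1.7", pkt))     # primary: ('vrf-customer-a', ...)
    print(forward("ipsec tunnel tran-a", "10.2.1.7", pkt))  # backup: same VRF, same VPN label
    print(forward("atm vpi/vci 8/36", "10.2.1.7", pkt))     # other customer: ('vrf-customer-z', ...)
```

The two circuits of customer A produce byte-identical label stacks, which is exactly what lets the RAS/IPsec PE stitch the backup tunnel into the VRF the BRAS PE was already using; customer Z reaches the same 10.2.0.0/16 prefix but is kept apart by its own VPN label, and the egress PE never derives a VRF from anything but a label it allocated.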

As described above, traditional VPN backup leased lines use the PSTN or ISDN specification, and detect a primary-line failure as follows. The monitored primary line must be connected directly to the CPE device by a physical circuit (for example, a leased line), and the CPE can only determine whether the physical signal has been lost, so the connected ADSL must be an ADSL modem module built into the CPE device. With an external ADSL modem, one RJ-11 port is normally connected to the telecommunications company's telephone line and the other port is an Ethernet interface, and the Ethernet line is connected to the CPE; if the line connected to the CPE fails but the Ethernet WAN interface does not go down, the CPE device cannot detect whether the external ADSL modem has lost its connection. In addition, detecting a primary-line failure and switching to the backup takes 90 seconds or more.

In summary, the shortcomings of current VPN backup systems are as follows. Because ISDN or dial-up (PSTN) backup is used, the bandwidth of the primary line at the central office cannot be expanded flexibly: each bandwidth expansion can only use a T1 or E1 line. The number of customers that can dial in is limited: a T1 allows at most 23 channels to dial in simultaneously, and one channel is used by one client. Heterogeneous network backup cannot be achieved, that is, the primary line and the backup line must use physical telephone lines of the same telecommunications company. The client's backup bandwidth is at most 128k, which will become a bottleneck in future use. The billing model of ISDN or dial-up backup is unfavorable.

The present invention therefore provides a VPN network backup system and a processing method therefor.

[Summary of the Invention]

Based on the above objectives, an embodiment of the present invention discloses a processing method for a network backup system. A router at a transmitting end detects that a primary line is in a disconnected state. A wireless router and a wireless network card dial a wireless base station and transmit the access point name of the subscriber identity module card in the wireless network card to the wireless network. After the access point name has been authenticated, the transmitting end's IP route is connected through to an intermediary network. The transmitting end establishes a secure tunnel with the intermediary network, the secure tunnel serving as a backup leased line. The router directs the transmitting end's network traffic into the secure tunnel. A first network device (IPsec PE) of the intermediary network looks up a routing table (VRF) and IP routing information corresponding to the secure tunnel, attaches a first network (VPN) label and a first intermediary (MPLS) label to a first packet transmitted through the secure tunnel, and forwards the first packet into the intermediary network. A second network device of the intermediary network looks up the network to which the first packet belongs, removes the network label from the first packet, and forwards the first packet into the IP network of a receiving end.

An embodiment of the present invention further discloses a network backup system comprising a receiving end, a wireless network, an intermediary network and a transmitting end. The intermediary network further comprises a first network device and a second network device. The transmitting end further comprises a router, a wireless router and a wireless network card. The router detects that a primary line is in a disconnected state. When the primary line is in the disconnected state, the wireless router and the wireless network card dial a wireless base station and transmit the access point name of the subscriber identity module card in the wireless network card to the wireless network. After authenticating the access point name, the wireless network connects the transmitting end's IP route through to an intermediary network so as to establish a secure tunnel between the transmitting end and the intermediary network, the secure tunnel serving as a backup leased line. The router directs the transmitting end's network traffic into the secure tunnel. The first network device looks up a routing table and IP routing information corresponding to the secure tunnel, attaches a first network label and a first intermediary label to a first packet transmitted through the secure tunnel, and forwards the first packet into the intermediary network. The second network device looks up the network to which the first packet belongs, removes the network label from the first packet, and forwards the first packet into the IP network of a receiving end.

[Detailed Description]

To make the objects, features and advantages of the present invention more readily understood, preferred embodiments are described in detail below with reference to the accompanying Figs. 3 to 6. This specification provides different embodiments to illustrate the technical features of different implementations of the invention. The arrangement of the elements in the embodiments is for purposes of illustration and is not intended to limit the invention, and the partial reuse of reference numerals across the figures is to simplify the description and does not imply any relationship between different embodiments.

Embodiments of the present invention disclose a network backup system and a processing method therefor.

The VPN network backup system of the embodiments uses the 3rd Generation mobile communication system (3G) to provide enterprise customers with a backup application, and also a primary-line application, for fixed lines (for example, ADSL).

3G is a new-generation communication technology that combines multimedia communication with the Internet and wireless networks. 3G technology can support the processing of multimedia such as images and music, provides many kinds of information services such as web browsing, e-Commerce and multi-party voice conferencing, and offers data rates of 2 Mbps, 384 kbps and 144 kbps.

Fig. 3 is a schematic diagram of the architecture of a 3G network (Wideband Code Division Multiple Access (WCDMA) / Universal Mobile Telecommunications System (UMTS)).

A 3G network mainly comprises the following components.

Gateway General Packet Radio Service (GPRS) Support Node (GGSN): the gateway between the 3G network and external IP networks.

Serving GPRS Support Node (SGSN): responsible for recording which users are within the service area. If the data a user sends is packet data, the BSC, on determining this, passes the packet data to the SGSN, which switches and forwards the packets.

Mobile Switching Center (MSC): responsible for controlling voice hand-off and roaming.

Home Location Register (HLR): the device that stores subscriber data. Every subscriber belongs to a dedicated HLR; when a handset's IP address is statically configured, the IP address used is stored in the HLR.

Visitor Location Register (VLR): holds the data of all handsets currently within the MSC's management area; one VLR may also be used by several MSCs at the same time. Whenever a subscriber enters a new Location Area (LA), a registration is made with the VLR owned by the MSC of the new area, and the current-location information in the original HLR is updated, so that when a call arrives for the subscriber, the HLR can be used to find the MSC where the subscriber currently is and the call can be routed to that MSC for further handling.

Authentication Center (AUC): its main task is to authenticate the identity of users in the mobile communication network.

Radio Network Controller (RNC): what used to be called the Base Station Controller (BSC). One RNC connects to many Base Transceiver Stations (BTSs) at the same time; the area covered by the RNC and its BTSs forms one service area of the Global System for Mobile Communications (GSM) network, for the management of radio bandwidth resources.

Node B: what is called the BTS in the GSM architecture. It accepts connections from the customer's User Equipment (UE, that is, the mobile telephone), which is the so-called Mobile Station (MS).

The operation of the 3G network is known art; the network backup system of the embodiments merely uses the 3G network to achieve heterogeneous backup, so the operation of the 3G network is not described separately below.

Fig. 4 is a schematic diagram of the architecture of a network backup system according to an embodiment of the invention that uses 3G to provide the backup service. Figs. 5A to 5D are flow diagrams of the operation of the network backup system that uses 3G to provide the backup service. Note that the computer equipment at the transmitting end and at the receiving end of the network backup system of the embodiment is substantially the same; the implementation is described mainly in terms of the transmitting end's computer equipment and the network media it uses, and the operation of the receiving end's equipment is not described separately.

Referring to Fig. 4, the connection path from the host 410 of transmitting end A (Tran_A) through the ADSL modem 430 to the remote receiving end B (Rec_B) is the primary line, and the connection path from the host 410 of transmitting end A through the 3G router 441 and the 3G network 450 to the remote receiving end B is the backup line.

Referring to Fig. 4 and Fig. 5A, first, at transmitting end A, the router 420 connected to the host 410 pings the IP address of the BRAS PE 471 in the MPLS network (VPN) 470 through the ATM network 460 to detect whether the line of the main-line ADSL modem 430 is normal (Up or Down). It pings once every 3 seconds, and the line is judged normal if a reply is received within 1 second. Note that the ADSL modem 130 must run in Bridge Mode for the state of the whole line to be detected. The ATM network 460 and the MPLS network 470 can be connected by STM-1.

When the router 420 pings the IP address of the BRAS PE 471 and judges the line of the ADSL modem 430 to be normal, it instructs its IP stack to send an ICMP Echo request to the BRAS PE 471 and then waits for the ICMP Echo reply. When the IP stack of the router 120 receives the ICMP Echo reply, the BRAS PE 471 is operating normally and is reachable. After the router 420 has confirmed that the main-line ADSL modem 430 is up, it directs the network traffic of the back-end LAN to the ADSL modem 430.

The BRAS PE 471 looks up the VRF to which the VPI and VCI of the ADSL modem 430 of transmitting end A belong and its IP routing information, attaches a VPN label and an MPLS label to the packet, and sends it into the MPLS network 470. The packet travels through the MPLS network 470; the PE 475 of the MPLS network 470 looks up the VPN the packet belongs to, removes the VPN label from the packet, and forwards the packet to the IP network of receiving end B. Next, the PE 475 looks up the VRF to which the leased line of transmitting end A belongs and its IP routing information, attaches a VPN label and an MPLS label to the packet coming from receiving end B, and sends the packet into the MPLS network 470. The BRAS PE 471 looks up the VPN the packet belongs to, removes the VPN label from the packet, and forwards the packet to the IP network of transmitting end A. This completes packet transfer between transmitting end A and receiving end B.

Referring to Fig. 4 and Figs. 5B to 5D, when the router 420 pings the IP address of the BRAS PE 471 and judges the line of the ADSL modem 430 to be down, it deletes the routing information of the main line and selects the routing information of the backup line. The 3G router 441 then performs PPP dialing through the 3G network card 443, which contains a Subscriber Identity Module (SIM) card, to connect to the 3G base station 445. The 3G router 441 sends the Access Point Name (APN) of the SIM card to the 3G network 450.

After the 3G network 450 has authenticated it through the AUC, the HLR assigns an IP address to transmitting end A (i.e. the client), and the GGSN opens the IP route to the MPLS network, so the router 420 starts preparing to establish an IPsec tunnel with the IPsec PE 473, that is, to set up the backup leased line. The 3G network 450 and the MPLS network 470 can be connected by Fiber To The Building (FTTB) or by a leased line. First, Phase 1 of IPsec is established, that is, the secure channel of an Internet Key Exchange (IKE) Security Association (SA) is built, and that channel is then used to exchange the parameters of Phase 2.

Note that the IKE protocol is the mechanism IPsec SAs follow when negotiating a protection suite and exchanging signatures or encryption keys. IKE defines how the two parties exchange policy information and how authentication messages are built and exchanged. IKE is a hybrid of three other protocols: ISAKMP (Internet Security Association and Key Management Protocol), Oakley and SKEME. IKE uses the two phases of ISAKMP. Phase 1 negotiates and authenticates a communication channel (the IKE SA), which provides confidentiality, message integrity and message source authentication for the parties' further IKE communication. In Phase 2, the established IKE SA is used to establish the IPsec SA. The details of the IKE SA and IPsec are known in the art and are not repeated here; the network redundancy system of the embodiment uses the IKE SA and IPsec to reach its goal.

Next, the router 420 sends the host name of transmitting end A (i.e. the client) and the preshared key through the 3G router 441 to the IPsec PE 473 for authentication. Because the IPsec Encapsulating Security Payload (ESP) mode is used, this is not affected by the Network Address Translation (NAT) function of the 3G router 441. The IPsec PE 473 then sends the Phase 1 SA key to the router 420, and the router 420 exchanges the IPsec SA parameters through the Phase 1 IKE SA secure channel to establish IPsec Phase 2. The router 420 then uses the Phase 1 SA key to encrypt the Phase 2 SA key and the related parameters (for example ESP, Data Encryption Standard (DES), Message-Digest algorithm 5 (MD5), Diffie-Hellman (DH) Group 2 (1024-bit), and so on), and sends the Phase 2 SA key and related parameters to the IPsec PE 473. The IPsec PE 473 verifies the parameters, replies with a confirmation message to the router 420 once they are verified correct, and switches the forwarding path into the VRF dedicated to the corresponding client according to the IPsec tunnel it belongs to.

Next, once the IPsec tunnel has been established, the router 420 directs the network traffic of the back-end LAN into the IPsec tunnel. The IPsec PE 473 then looks up the dedicated VRF and its IP routing information according to the IPsec tunnel of transmitting end A, attaches a VPN label and an MPLS label to the packet from the IPsec tunnel, and sends it into the MPLS network 470. The packet travels through the MPLS network 470; the PE 475 of the MPLS network 470 looks up the VPN the packet belongs to, removes the VPN label, and forwards the packet to the IP network of receiving end B. Next, the PE 475 looks up the VRF to which the leased line of transmitting end A belongs and its IP routing information, attaches a VPN label and an MPLS label to the packet from receiving end B, and sends the packet into the MPLS network 470. The IPsec PE 473 looks up the VPN the packet belongs to, removes the VPN label, and forwards the packet into the IPsec tunnel of transmitting end A and thus to the IP network of transmitting end A. This completes packet transfer between transmitting end A and receiving end B over the backup line while the main line is down.

The backup path of the network redundancy system of the embodiment uses IPsec for the following reasons. With IPsec tunnel mode, the client's multi-segment routing information passes straight through the 3G network architecture into the MPLS VPN network, so the 3G network partner does not have to manage client routing information; in addition, the security of the 3G wireless network is strengthened. The IPsec connection technology is outlined below.

An IPsec connection is divided into two logical phases, Phase 1 and Phase 2.

In Phase 1, an IPsec node initiates a connection to a remote node. The remote node checks the trustworthiness of that node, and the two sides then decide the authentication method for this connection. The Exchange Mode is either Aggressive Mode or Main Mode, which can reduce the load when IPsec connections to many hosts are set up at the same time. The identification method used when authenticating with a node (my_identifier) is defined by host name or by IP address; managing by host name is simpler, because no IP segment has to be planned for the client network. The Authentication Method between nodes in the initial connection is a preshared key or an RSA public key; the preshared-key method is secure and fast and requires no complex authentication set-up. The Encryption Algorithm used during authentication is DES or 3DES; DES encrypts and decrypts faster. The Hash Algorithm used between nodes is MD5 or SHA1; MD5 is faster. The Diffie-Hellman key length used when establishing the dynamic key is DH Group 2 (1024-bit).

In Phase 2, when the SA is established between the nodes, an SA database is built from configuration information (for example the encryption method, the parameters of the secret key exchange, and so on). This phase manages the actual IPsec connection to the remote node and network. The hash algorithms supported in the authentication process are HMAC-MD5 or HMAC-SHA1; MD5 is faster. The encryption method is DES or 3DES; DES encrypts and decrypts faster. The Diffie-Hellman key length used when establishing the dynamic key is DH Group 2 (1024-bit). The security protocol is ESP Mode or AH Mode; ESP Mode can traverse the client's NAT device and scales better. The packet format is Tunnel Mode or Transport Mode. With IPsec tunnel mode, the client's multi-segment routing information passes straight through the 3G network architecture into our MPLS VPN network, so the 3G network partner does not have to manage client routing information.

Fig. 6 shows the steps of the processing method of the network redundancy system according to an embodiment of the invention.
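The two-phase negotiation outlined above, as an added example that is not part of the patent: the client router offers the Phase 1 and Phase 2 parameter choices the description lists, the IPsec PE picks the first mutually acceptable proposal, and a policy audit of the agreed suite shows which of the listed values (DES, 3DES, MD5, DH Group 2, Aggressive Mode) a reviewer would flag today. The proposal encoding, the selection rule and the audit table are assumptions made for this example.

```python
"""Added example (not part of the patent): simulated IKE Phase 1 / Phase 2
proposal selection using the parameter sets the description lists, followed
by a policy audit of the agreed suite.  The attribute names, the selection
rule (first initiator proposal the responder also accepts) and the audit
table are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One proposal as a sorted, hashable tuple of (attribute, value)."""
    attrs: Tuple[Tuple[str, str], ...]

    @classmethod
    def of(cls, **kw: str) -> "Proposal":
        return cls(tuple(sorted(kw.items())))

    def as_dict(self) -> Dict[str, str]:
        return dict(self.attrs)


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Pick the first initiator proposal (highest preference) that the
    responder also lists; None means the exchange fails."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


# Values the description names that a current policy would flag
# (assumption: these are the reasons a reviewer would give today).
LEGACY: Dict[str, Dict[str, str]] = {
    "encryption": {"DES": "56-bit key, deprecated",
                   "3DES": "64-bit block, deprecated"},
    "hash": {"MD5": "collision-broken", "HMAC_MD5": "MD5-based PRF"},
    "dh_group": {"DH_GROUP2": "1024-bit MODP, below current minimum"},
    "exchange_mode": {"aggressive": "identity and PSK-derived hash sent unencrypted"},
}


def audit(proposal: Proposal) -> List[str]:
    """Return one finding per legacy attribute value in the agreed suite."""
    findings = []
    for attr, value in proposal.as_dict().items():
        reason = LEGACY.get(attr, {}).get(value)
        if reason:
            findings.append(f"{attr}={value}: {reason}")
    return findings


def run_backup_link_negotiation() -> Tuple[Optional[Proposal], Optional[Proposal], List[str]]:
    """Phase 1 (IKE SA) then Phase 2 (IPsec SA) between the client router
    (initiator) and the IPsec PE (responder), using the choices the
    description offers for each attribute.  The router prefers the faster
    legacy options; the PE here is configured to accept only the stronger of
    each pair, so those preferences are skipped."""
    router_phase1 = [
        Proposal.of(exchange_mode="main", auth_method="psk", identifier="hostname",
                    encryption="DES", hash="MD5", dh_group="DH_GROUP2"),
        Proposal.of(exchange_mode="main", auth_method="psk", identifier="hostname",
                    encryption="3DES", hash="SHA1", dh_group="DH_GROUP2"),
    ]
    pe_phase1 = [
        Proposal.of(exchange_mode="main", auth_method="psk", identifier="hostname",
                    encryption="3DES", hash="SHA1", dh_group="DH_GROUP2"),
    ]
    ike_sa = negotiate(router_phase1, pe_phase1)
    if ike_sa is None:
        return None, None, ["phase 1 failed: no common proposal"]

    # Phase 2 runs inside the Phase 1 channel; ESP tunnel mode is what lets
    # the tunnel cross the 3G router's NAT.
    router_phase2 = [
        Proposal.of(protocol="ESP", mode="tunnel", encryption="DES",
                    hash="HMAC_MD5", dh_group="DH_GROUP2"),
        Proposal.of(protocol="ESP", mode="tunnel", encryption="3DES",
                    hash="HMAC_SHA1", dh_group="DH_GROUP2"),
    ]
    pe_phase2 = [
        Proposal.of(protocol="ESP", mode="tunnel", encryption="3DES",
                    hash="HMAC_SHA1", dh_group="DH_GROUP2"),
    ]
    ipsec_sa = negotiate(router_phase2, pe_phase2)
    findings = audit(ike_sa) + (audit(ipsec_sa) if ipsec_sa else ["phase 2 failed"])
    return ike_sa, ipsec_sa, findings


if __name__ == "__main__":
    ike, ipsec, notes = run_backup_link_negotiation()
    print("IKE SA   :", ike.as_dict() if ike else None)
    print("IPsec SA :", ipsec.as_dict() if ipsec else None)
    for note in notes:
        print("finding  :", note)
```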

First, a transmitting end detects that a main line is down (step S601); it then dials a 3G base station through a 3G router and a 3G network card (step S602) and sends the Access Point Name (APN) of the SIM card in the 3G network card to the 3G network (step S603). After authenticating the APN of the SIM card, the 3G network opens the IP route of the transmitting end to an MPLS network (step S604). The transmitting end then establishes an IPsec tunnel with the MPLS network (step S606) and directs the network traffic into the IPsec tunnel (step S607). The IPsec tunnel represents a backup leased line.

Next, the IPsec PE of the MPLS network looks up the VRF and IP routing information dedicated to the IPsec tunnel (step S608), attaches a VPN label and an MPLS label to the packet sent through the IPsec tunnel, and sends the packet into the MPLS network (step S609). The packet travels through the MPLS network; the PE of the MPLS network looks up the VPN the packet belongs to (step S610), removes the VPN label from the packet (step S611), and forwards the packet to the IP network of a receiving end (step S612). Next, the PE of the MPLS network looks up the VRF to which the transmitting end's leased line belongs and its IP routing information (step S613), attaches a VPN label and an MPLS label to the packet from the receiving end, and sends the packet into the MPLS network (step S614). The IPsec PE of the MPLS network looks up the VPN the packet belongs to (step S615), removes the VPN label from the packet (step S616), and forwards the packet into the IPsec tunnel of transmitting end A and thus to the IP network of transmitting end A (step S617). This completes packet transfer between transmitting end A and receiving end B over the backup line while the main line is down.

In the embodiment, the main-line types acceptable to the CPE for VPN 3G backup are ADSL (with an external ADSL modem) or FTTB. The backup line is 3G or 3.5G. The CPE detects a main-line outage as follows.

The main-line physical circuit need not connect directly to the CPE. The telephone company's line can be plugged into the RJ-11 port of the external ADSL modem, and the modem's RJ-45 port is connected by an Ethernet cable to the Ethernet interface of the CPE. A WAN IP address must be configured on that Ethernet WAN interface, a WAN IP address must also be configured on the BRAS at the ADSL central office, and the two must be in the same IP segment. An ordinary ADSL (Bridge Mode) connection does not configure a WAN IP address on the BRAS but only provides a default gateway IP address; it is connected as follows:

PC -> ADSL modem (Bridge Mode) -> DSLAM -> BRAS.

In this case WAN IP addresses are configured on both the CPE and the BRAS, connected as follows:

PC -> CPE -> ADSL modem (Bridge Mode) -> DSLAM -> BRAS.

Detection of a main-line outage or of poor network quality is based on pinging the BRAS WAN IP address, and detecting a main-line outage and switching to the backup takes 30 seconds.
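The label handling of steps S608 to S617 (and the same handling described earlier for the BRAS PE 471, IPsec PE 473 and PE 475), as an added example that is not part of the patent: the ingress PE maps the attachment circuit to a VRF, resolves the destination inside that VRF only, pushes a VPN label and an MPLS label, and the egress PE pops both and uses the VPN label to find the customer site. Two customers with overlapping address plans show why the VRF lookup is what keeps the VPNs apart. Addresses, label values, attachment ids and VRF names are constructed.

```python
"""Added example (not part of the patent): a minimal model of the label
handling the description assigns to the provider edge devices.  The ingress
PE maps the attachment circuit to a VRF, resolves the destination inside that
VRF only, and pushes a VPN label then an MPLS transport label; the egress PE
pops both, identifies the customer VPN from the VPN label and hands the packet
to that customer's IP network.  Addresses, label values, attachment ids and
VRF names are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network


@dataclass
class Packet:
    src: str
    dst: str
    labels: List[int] = field(default_factory=list)  # top of stack is labels[-1]


@dataclass
class VrfRoute:
    vpn_label: int   # label the egress PE uses to find the customer site
    egress_pe: str


class ProviderEdge:
    def __init__(self, name: str) -> None:
        self.name = name
        self.attachment_vrf: Dict[str, str] = {}        # attachment id -> VRF name
        self.vrf_routes: Dict[str, Dict[Network, VrfRoute]] = {}
        self.transport_label: Dict[str, int] = {}       # egress PE name -> LSP label
        self.vpn_label_site: Dict[int, str] = {}        # local VPN label -> customer site

    def bind(self, attachment: str, vrf: str) -> None:
        self.attachment_vrf[attachment] = vrf

    def add_route(self, vrf: str, prefix: str, vpn_label: int, egress_pe: str) -> None:
        self.vrf_routes.setdefault(vrf, {})[Network(prefix)] = VrfRoute(vpn_label, egress_pe)

    def lookup(self, vrf: str, dst: str) -> Optional[VrfRoute]:
        """Longest-prefix match restricted to one VRF: other customers'
        routes are never consulted, which is what keeps the VPNs apart."""
        addr = ipaddress.IPv4Address(dst)
        best: Optional[Tuple[Network, VrfRoute]] = None
        for prefix, route in self.vrf_routes.get(vrf, {}).items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, route)
        return best[1] if best else None

    def ingress(self, attachment: str, pkt: Packet) -> Optional[Packet]:
        """Steps S608/S609: VRF lookup, then push VPN label and MPLS label."""
        vrf = self.attachment_vrf.get(attachment)
        if vrf is None:
            return None  # unknown attachment circuit: drop
        route = self.lookup(vrf, pkt.dst)
        if route is None or route.egress_pe not in self.transport_label:
            return None  # no route in this VRF, or no LSP to the egress PE: drop
        pkt.labels.append(route.vpn_label)
        pkt.labels.append(self.transport_label[route.egress_pe])
        return pkt

    def egress(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """Steps S610-S612: pop the transport label (no penultimate-hop popping
        is assumed), pop the VPN label and map it to the customer site."""
        if len(pkt.labels) < 2:
            return None
        pkt.labels.pop()                          # transport label ends here
        site = self.vpn_label_site.get(pkt.labels.pop())
        return (site, pkt) if site else None


def build_backup_path() -> Tuple[ProviderEdge, ProviderEdge]:
    """IPsec PE 473 as ingress and PE 475 as egress, with two customers whose
    address plans overlap (both use 192.168.20.0/24 at the far site).  The ADSL
    attachment is placed on the same PE for brevity; in the patent it enters
    at BRAS PE 471 but lands in the same VRF."""
    ipsec_pe = ProviderEdge("IPsec PE 473")
    pe475 = ProviderEdge("PE 475")
    ipsec_pe.transport_label["PE 475"] = 16
    ipsec_pe.bind("ipsec:tran_a", "VRF_A")          # backup tunnel of site A
    ipsec_pe.bind("adsl:vpi8-vci35", "VRF_A")       # main line of site A
    ipsec_pe.add_route("VRF_A", "192.168.20.0/24", 1001, "PE 475")
    pe475.vpn_label_site[1001] = "customer A site B"
    ipsec_pe.bind("ipsec:cust_c", "VRF_C")           # another customer
    ipsec_pe.add_route("VRF_C", "192.168.20.0/24", 1002, "PE 475")
    pe475.vpn_label_site[1002] = "customer C site"
    return ipsec_pe, pe475


def forward(ingress_pe: ProviderEdge, attachment: str,
            egress_pe: ProviderEdge, pkt: Packet) -> Optional[str]:
    """Carry one packet across the core; return the receiving site or None."""
    labelled = ingress_pe.ingress(attachment, pkt)
    if labelled is None:
        return None
    delivered = egress_pe.egress(labelled)
    return delivered[0] if delivered else None
```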

Compared with conventional VPN backup systems, the backup system of the invention uses 3G wireless network backup. Line bandwidth can be expanded flexibly; more subscribers can be accommodated (the number of IPsec tunnels matches the subscribers, one tunnel per subscriber); heterogeneous network backup is achieved (different fixed networks and different access media); the backup bandwidth at the client has room to grow (3G bandwidth is 384/64k or 384/128k, 3.5G bandwidth is 3.6M/128k); 3G billing is flexible, by connection time or by usage; and the time needed to switch to the 3G backup route is short.

In addition, the VPN 3G backup application includes a main-line outage detection and route switching function, a 3G connection function, multi-segment routing through the 3G network, and a network security design.

For outage detection and route switching, ping is used to monitor the state of the main-line network: when the main line is found to be unreachable, the route is switched to the backup, and when the main line is found to have recovered, the route is switched back to the main line.

For the 3G connection function, the equipment dials out, a specific APN can be planned for the VPN provider, and the 3G network can be asked to issue a fixed IP address to the customer. Furthermore, if the 3G network drops momentarily, the equipment redials automatically (Auto-Reconnection).

For multi-segment routing through the 3G network, the 3G network operator does not have to manage the client's routing data.

For the network security design, the 3G network is completely isolated from the Internet, an IPsec tunnel protects data while it crosses the 3G network, and when an inter-mobile delay occurs, VPN customers are prevented from interfering with one another on the 3G network.
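The outage detection and route switching just described (ping the BRAS WAN address every 3 seconds, a reply within 1 second counts as up, 30 seconds to detect the outage and switch, switch back when the main line recovers), as an added example that is not part of the patent. The probe is injected so the logic runs offline; treating 10 consecutive missed probes (30 s / 3 s) as the failover trigger, treating a late reply like a missed one, and switching back on the first good reply are assumptions about how the patent's timing is implemented.

```python
"""Added example (not part of the patent): a CPE line monitor with the
timings the description gives (ping every 3 s, reply within 1 s counts as up,
30 s to detect an outage and switch) and the route change and change-back it
describes.  The probe is injected so the logic runs offline; the failover
trigger of 10 consecutive missed probes and the switch-back on the first good
reply are assumptions about how the patent's timing is implemented."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PROBE_INTERVAL_S = 3      # ping period from the description
REPLY_TIMEOUT_S = 1.0     # a reply later than this counts as a miss
FAILOVER_AFTER_S = 30     # time to declare the main line down and switch

MAIN_LINE = "adsl"
BACKUP_LINE = "3g"


@dataclass
class LineMonitor:
    # probe() returns the ping reply latency in seconds, or None for no reply
    probe: Callable[[], Optional[float]]
    active_line: str = MAIN_LINE
    missed: int = 0
    clock_s: float = 0.0
    events: List[str] = field(default_factory=list)

    def tick(self) -> str:
        """Run one probe cycle and return the line the default route uses."""
        self.clock_s += PROBE_INTERVAL_S
        latency = self.probe()
        # A late reply is treated like no reply, so poor line quality counts too.
        up = latency is not None and latency <= REPLY_TIMEOUT_S
        if up:
            if self.active_line == BACKUP_LINE:
                self.active_line = MAIN_LINE
                self.events.append(
                    f"t={self.clock_s:.0f}s main line restored: routing back to ADSL")
            self.missed = 0
        else:
            self.missed += 1
            down_for = self.missed * PROBE_INTERVAL_S
            if self.active_line == MAIN_LINE and down_for >= FAILOVER_AFTER_S:
                self.active_line = BACKUP_LINE
                self.events.append(
                    f"t={self.clock_s:.0f}s main line down for {down_for}s: "
                    "deleting main route, dialing 3G backup")
        return self.active_line


def simulate(replies: List[Optional[float]]) -> LineMonitor:
    """Drive the monitor with a constructed sequence of ping results."""
    queue = iter(replies)
    monitor = LineMonitor(probe=lambda: next(queue))
    for _ in replies:
        monitor.tick()
    return monitor


if __name__ == "__main__":
    # Constructed trace: 5 good replies, 12 missed probes, 3 good replies.
    trace = [0.2] * 5 + [None] * 12 + [0.3] * 3
    for event in simulate(trace).events:
        print(event)
```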

The invention further provides a recording medium (for example an optical disc, a floppy disk or a removable hard disk) that records a computer-readable permission sign-off program for executing the processing method of the network redundancy system described above. The permission sign-off program stored on the recording medium is essentially made up of a plurality of code segments (for example an organization-chart building code segment, a sign-off form code segment, a configuration code segment and a deployment code segment), and the functions of these code segments correspond to the steps of the method and to the functional blocks of the system described above.

Although the invention has been disclosed above by way of preferred embodiments, they are not intended to limit it; anyone skilled in the art may make various changes and modifications without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.

[Brief Description of the Drawings]

Fig. 1 shows the architecture of a VPN backup system that provides the backup service through a dial-up connection.

Figs. 2A to 2C show the workflow of the VPN backup system that provides the backup service through a dial-up connection.

Fig. 3 shows the architecture of a 3G network (WCDMA/UMTS).

Fig. 4 shows the architecture of a network redundancy system according to an embodiment of the invention that uses 3G to provide the backup service.

Figs. 5A to 5D show the workflow of the network redundancy system that uses 3G to provide the backup service.

Fig. 6 shows the steps of the processing method of the network redundancy system according to an embodiment of the invention.

[Description of the Main Reference Numerals]

110: host
120: router
130: ADSL modem
140: modem
150: public switched telephone network
160: asynchronous transfer mode network
170: multiprotocol label switching network
171: provider edge device of the broadband remote access server
173: provider edge device of the remote access server
175: provider edge device
410: host
420: router
430: ADSL modem
441: 3G router
443: 3G network card
450: 3G network
460: asynchronous transfer mode network
470: multiprotocol label switching network
471: provider edge device of the broadband remote access server
473: provider edge device for Internet Protocol Security
475: provider edge device
AUC: authentication centre

BTS: base station
EIR: equipment identity register
GGSN: gateway GPRS support node
GMSC: gateway mobile switching centre
GSM BSS: base station subsystem of the Global System for Mobile Communication
HLR: home location register
MSC: mobile switching centre

Node B: Node B
PDN: public data network
PSTN: public switched telephone network
RNC: radio network controller
SGSN: serving GPRS support node
TRAU: transcoder and rate adapter unit
VLR: visitor location register


Claims (1)

Claims:

1. A processing method for a network redundancy system, comprising the following steps:
a router of a transmitting end detecting that a main line is in a disconnected state;
dialing a wireless base station through a wireless router and a wireless network card;
sending the access point name of a subscriber identity card in the wireless network card to the wireless network;
after the access point name has been authenticated, the wireless network opening an IP route of the transmitting end to an intermediary network;
establishing a secure channel between the transmitting end and the intermediary network, the secure channel representing a backup leased line;
the router directing the network traffic of the transmitting end into the secure channel;
a first network device of the intermediary network looking up a routing table (VRF) and IP routing information corresponding to the secure channel, attaching a first network (VPN) label and a first intermediary (MPLS) label to a first packet sent through the secure channel, and sending the first packet into the intermediary network;
a second network device of the intermediary network looking up the network to which the first packet belongs;
removing the network label from the first packet; and
sending the first packet to an IP network of a receiving end.

2. The processing method for a network redundancy system of claim 1, further comprising the following steps:
the second network device of the intermediary network looking up the routing table and IP routing information to which the backup leased line of the transmitting end belongs;
attaching a second network label and a second intermediary label to a second packet from the receiving end, and sending the second packet into the intermediary network;
the first network device of the intermediary network looking up the network to which the second packet belongs;
removing the second network label from the second packet; and
sending the second packet into the secure channel of the transmitting end and thus to the IP network of the transmitting end.

3. The processing method for a network redundancy system of claim 1, wherein the authentication further comprises the following steps:
the wireless network authenticating the access point name through an authentication centre (AUC);
after authentication is complete, a home location register (HLR) assigning an IP address to the transmitting end; and
a gateway GPRS support node (GGSN) opening the IP route of the transmitting end to the intermediary network.

4. The processing method for a network redundancy system of claim 1, wherein establishing the secure channel further comprises the following steps:
establishing Phase 1 of Internet Protocol Security (IPsec) and building a secure channel of an Internet Key Exchange (IKE) security association (SA);
sending the host name and the preshared key of the transmitting end through the wireless router to the first network device for authentication;
the first network device sending a first key corresponding to the Phase 1 security association (Phase 1 SA) to the router;
the router exchanging IPsec SA parameters through the IKE SA secure channel to establish a Phase 2;
encrypting a second key and a plurality of encryption parameters of the Phase 2 security association (Phase 2 SA) with the first key of the Phase 1 SA;
sending the second key and the encryption parameters to the first network device;
the first network device verifying the parameters and, once they are verified correct, replying with a confirmation message to the router; and
switching the packet forwarding path into the routing table dedicated to the transmitting end according to the secure channel the transmitting end belongs to.

5. The processing method for a network redundancy system of claim 1, wherein the router pings the IP address of a provider edge device of a broadband remote access server (BRAS PE) in the intermediary network to judge whether the main line is in the disconnected state.

6. The processing method for a network redundancy system of claim 1, wherein the secure channel is an IPsec tunnel.

7. The processing method for a network redundancy system of claim 1, wherein the intermediary network is a multiprotocol label switching (MPLS) network.

8. The processing method for a network redundancy system of claim 1, wherein the first network device is an IPsec provider edge device (PE).

9. The processing method for a network redundancy system of claim 1, wherein the network label is a virtual private network (VPN) label.

10. The processing method for a network redundancy system of claim 1, wherein the intermediary label is an MPLS label.

11. The processing method for a network redundancy system of claim 1, wherein the second network device is a provider edge device (PE).

12. The processing method for a network redundancy system of claim 1, wherein the wireless network is a 3G network.

13. A network redundancy system, comprising:
a receiving end;
a wireless network;
an intermediary network, further comprising a first network device and a second network device; and
a transmitting end, further comprising:
a router for detecting that a main line is in a disconnected state; and
a wireless router and a wireless network card coupled to the router, for dialing a wireless base station when the main line is in the disconnected state and sending the access point name of a subscriber identity card in the wireless network card to the wireless network;
wherein, after authenticating the access point name, the wireless network opens the IP route of the transmitting end to the intermediary network so that a secure channel, representing a backup leased line, is established between the transmitting end and the intermediary network, and the router directs the network traffic of the transmitting end into the secure channel;
the first network device looks up a routing table and IP routing information corresponding to the secure channel, attaches a first network label and a first intermediary label to a first packet sent through the secure channel, and sends the first packet into the intermediary network; and
the second network device looks up the network to which the first packet belongs, removes the network label from the first packet, and sends the first packet to an IP network of the receiving end.

14. The network redundancy system of claim 13, wherein:
the second network device looks up the routing table and IP routing information to which the backup leased line of the transmitting end belongs, attaches a second network label and a second intermediary label to a second packet from the receiving end, and sends the second packet into the intermediary network; and
the first network device looks up the network to which the second packet belongs, removes the second network label from the second packet, and sends the second packet into the secure channel of the transmitting end and thus to the IP network of the transmitting end.

15. The network redundancy system of claim 13, wherein the wireless network authenticates the access point name through an authentication centre, a home location register assigns an IP address to the transmitting end after authentication is complete, and a gateway GPRS support node (GGSN) opens the IP route of the transmitting end to the intermediary network.

16. The network redundancy system of claim 13, wherein:
the router establishes Phase 1 of Internet Protocol Security (IPsec), builds a secure channel of an Internet Key Exchange (IKE) security association (SA), and sends the host name and the preshared key of the transmitting end through the wireless router to the first network device for authentication;
the first network device sends a first key corresponding to the Phase 1 security association (Phase 1 SA) to the router;
the router exchanges IPsec SA parameters through the IKE SA secure channel to establish a Phase 2, encrypts a second key and a plurality of encryption parameters of the Phase 2 security association (Phase 2 SA) with the first key of the Phase 1 SA, and sends the second key and the encryption parameters to the first network device; and
the first network device verifies the parameters, replies with a confirmation message to the router once they are verified correct, and switches the packet forwarding path into the routing table dedicated to the transmitting end according to the secure channel the transmitting end belongs to.

17. The network redundancy system of claim 13, wherein the router pings the IP address of a provider edge device of a broadband remote access server (BRAS PE) in the intermediary network to judge whether the main line is in the disconnected state.

18. The network redundancy system of claim 13, wherein the secure channel is an IPsec tunnel.

19. The network redundancy system of claim 13, wherein the intermediary network is a multiprotocol label switching (MPLS) network.

20. The network redundancy system of claim 13, wherein the first network device is an IPsec provider edge device (PE).

21. The network redundancy system of claim 13, wherein the network label is a virtual private network (VPN) label.

22. The network redundancy system of claim 13, wherein the intermediary label is an MPLS label.

23. The network redundancy system of claim 13, wherein the second network device is a provider edge device (PE).

24. The network redundancy system of claim 13, wherein the wireless network is a 3G network.
The processing method of the network backup system described in claim 1 of the patent scope, wherein the Guzhanyi, the Qidiyi-罔road device is a supplier edge device (ρε). The processing method of the network backup system according to claim 1, wherein the wireless network is a 3G network. 13. A network backup system, comprising: a receiving end; a wireless network; an intermediate network, further comprising: - a first network device; and - a second network device; and a transmitting end, It also includes: The six main lines are the main line is broken - ϋ ^ ήΚ 1%., mouth - ... line router and - wireless network card, lightly connected to the two to Dial the line to the -I 2 base station: and transmit the subscriber identity card in the wireless network card: pick up the point name for the wireless network; , where 'the wireless network is at the access point Conducted to an intermediary network to establish a good mountain to the transit road - An (four) road, its material table tr-mt network Wei from the transmitter to the network traffic into the security ^ special line Client's Docket No. : N/A TT's Docket No : OePS^^Sl-TW/Draft-Fmal/AlexChen 32 200901679 The first routing information 1 device check should be in the full channel - road shirt and IP, and will The first packet is transmitted into the network, and the first packet is transmitted through the first channel.轼 and a first intermediary label is inserted into the intermediary network; and 0 hai, the first - 'network device query the first packet of the first packet of the first packet of the package to remove the network And transmitting the first-: packet to the network backup system as described in claim 13 of the patent application scope, which is prepared for the routing information of the backup line to which the transmission end belongs. 
In the network tag from the receiving end and _筮__ by the younger brother _, ^ brother one; f private wear, and then the second packet is transmitted to S Hai; 丨 network; and ~ The first network device queries the network to which the second packet belongs, removes the 4th network label 'in the packet of the younger brother' and transmits the second packet to the heart of the beta transmission. The network backup system according to claim 13, wherein the wireless network authenticates the access point name by a certification center, after the authentication is completed, An original location register specifies an address to the transmitting end' and is integrated by the gateway. The packet radio service support node ((5) calls the ip route of the transmitting end to the intermediate network. 16. The network backup system described in claim 13 of the patent scope, /:, Client's Docket No. : N /A TT's Docket No : 〇695-A41231-TW / Draft-Final/Alex Cher 33 200901679 The router establishes the first phase (Phase 1) Internet Protocol Security (IPsec) and constructs an Internet Gold Key exchange (IKE) security association (SA) security channel, the host name of the transmitting end and the pre-shared key are transmitted to the first network device for authentication via the wireless router; J!: the first network The road device transmits a first key corresponding to the first phase of the security association (Phasel SA) to the router; the router performs parameter exchange of the IPsec SA via the IKE SA secure channel to establish a second phase (Phase2) Encrypting the second key and the complex encryption parameter of the second phase of the security association (Phase2 SA) by using the first key of the first phase security association (Phasel SA), and two Keys and the encryption parameters are transmitted to the first network device; and the first network device verifies the parameters and, after the verification is correct, responds to an acknowledgement message to the 
router, and according to the secure channel to which the transmitter belongs The packet routing path is transferred to the routing table dedicated to the transmitting end. 17. The network backup system according to claim 13, wherein the router pings the intermediary network. One of the roads is remotely connected to the IP address of the vendor's edge device (BRAS PE) of the server to determine whether the primary line is disconnected. 18. The network backup system of claim 13, wherein the secure channel is an IPSec channel. 19. In the network backup system described in claim 13, the client's Docket No.: N/A TT's Docket No: 0695-A41231-TW / Draft-Final/Alex Chen 34 200901679 The road is a multiple protocol label switching (MPLS) network. 20. The network backup system of claim 13, wherein the first network device is an IPsec provider edge device (PE). 21. The network backup system of claim 13, wherein the network tag is a virtual private network (VPN) tag. T 22. The network backup system described in claim 13 of the patent scope, wherein the intermediary label is an MPLS label. 23. The network backup system of claim 13, wherein the second network device is a 'provider edge device (PE). 24. The network backup system of claim 13, wherein the wireless network is a 3G network. Client’s Docket No. : N/A TT's Docket No : 0695-A41231-TW / Draft-Final/Alex Chen 35
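The two-label forwarding the claims describe (a routing table selected by the secure channel, a network label and an intermediary label pushed by the first network device, the network label used by the second device to pick the destination network), as an added toy model that is not code from the patent; tunnel ids, label values, prefixes and addresses are constructed, and an unknown network label is dropped rather than forwarded.

```python
# Added example, not code from the patent: a toy model of the two-label
# forwarding the claims describe. Names, labels and addresses are constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    labels: list = field(default_factory=list)  # label stack, top is labels[-1]

# Routing table selected by the secure channel (tunnel id) on the first network
# device: destination prefix -> (network/VPN label, intermediary/MPLS label).
VRF_BY_TUNNEL = {
    "ipsec-tunnel-7": {"10.20.0.0/16": {"vpn_label": 300, "mpls_label": 17}},
}
# Reverse direction (claims 2 and 14): the second network device keys its table
# on the transmitter's backup line and labels traffic coming from the receiver.
VRF_BY_BACKUP_LINE = {
    "backup-line-7": {"192.168.1.0/24": {"vpn_label": 301, "mpls_label": 23}},
}
# VPN label -> network it belongs to; a label not in the table is never forwarded.
NETWORK_BY_VPN_LABEL = {300: "receiver-ip-network", 301: "ipsec-tunnel-7"}

def push_labels(routing_table, pkt):
    """Ingress device: longest-prefix lookup, then push the VPN and MPLS labels."""
    best = None
    for prefix, entry in routing_table.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(pkt.dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"no route for {pkt.dst}")
    pkt.labels.append(best[1]["vpn_label"])   # inner label identifies the VPN
    pkt.labels.append(best[1]["mpls_label"])  # outer label carries it across the core
    return pkt

def pop_labels(pkt, network_by_vpn_label):
    """Egress device: strip the transport label, map the VPN label to a network, strip it."""
    if len(pkt.labels) < 2:
        raise ValueError("packet is missing its label stack")
    pkt.labels.pop()  # MPLS transport label (popped here at the egress device in this model)
    vpn_label = pkt.labels.pop()
    if vpn_label not in network_by_vpn_label:
        raise ValueError(f"unknown VPN label {vpn_label}: dropped, not forwarded")
    return network_by_vpn_label[vpn_label], pkt

def forward_over_backup(pkt, tunnel_id="ipsec-tunnel-7"):
    """Transmitter -> first device -> core -> second device -> receiver network."""
    labelled = push_labels(VRF_BY_TUNNEL[tunnel_id], pkt)
    seen = list(labelled.labels)
    network, plain = pop_labels(labelled, NETWORK_BY_VPN_LABEL)
    return network, seen, plain.labels
```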
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW96122702A TW200901679A (en) 2007-06-23 2007-06-23 Network redundancy system and processing method therefor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW96122702A TW200901679A (en) 2007-06-23 2007-06-23 Network redundancy system and processing method therefor

Publications (1)

Publication Number Publication Date
TW200901679A true TW200901679A (en) 2009-01-01

Family

ID=44721704

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96122702A TW200901679A (en) 2007-06-23 2007-06-23 Network redundancy system and processing method therefor

Country Status (1)

Country Link
TW (1) TW200901679A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI462604B (en) * 2012-06-18 2014-11-21 Wistron Corp Wireless network client-authentication system and wireless network connection method thereof
CN106878133A (en) * 2016-12-15 2017-06-20 新华三技术有限公司 Message forwarding method and device
CN106878133B (en) * 2016-12-15 2019-11-08 新华三技术有限公司 Message forwarding method and device

Similar Documents

Publication Publication Date Title
US7483411B2 (en) Apparatus for public access mobility LAN and method of operation thereof
US7155526B2 (en) Method and system for transparently and securely interconnecting a WLAN radio access network into a GPRS/GSM core network
US7225259B2 (en) Service tunnel over a connectionless network
US7676838B2 (en) Secure communication methods and systems
CA2249830C (en) Inter-working function selection system in a network
CA2249862C (en) Registration scheme for network
JP4700068B2 (en) System and method for monitoring end nodes using Ethernet connection fault management (CFM) in an access network
EP1881660B1 (en) A method, apparatus and system for wireless access
US6839320B2 (en) Performing authentication over label distribution protocol (LDP) signaling channels
US20100217882A1 (en) Method, system and apparatus for accessing a Layer-3 session
JPH11275154A (en) Message distribution sequence
JPH11275156A (en) Communication using pier-to-pier protocol server
JPH11275155A (en) Message in network and communications system
JPH11289353A (en) Accounting system for network
JPH11252183A (en) Method for making point-to-point protocol in 'ethernet' (trademark) frame into capsule
JPH11284666A (en) Mobile management system
US20080056240A1 (en) Triple play subscriber and policy management system and method of providing same
TW201223206A (en) Multipath Transmission Control Protocol proxy
CN101345649A (en) Redundant network system and its processing method
WO2014029367A1 (en) Dynamic configuration method, device and system
Malkin Dial-in virtual private networks using layer 3 tunneling
WO2009094910A1 (en) Method, system and apparatus for fixed mobile convergence
CN101499993B (en) Authentication method, equipment and system
WO2011032478A1 (en) Method, device and terminal for obtaining terminal identifier
TW200901679A (en) Network redundancy system and processing method therefor