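Graduate student: | 劉義文 Liu Yi-Wen |
---|---|
Thesis title: | 行動虛擬私有網路上動態本地代理器之指派方法 Dynamic External Home Agent Assignment in Mobile VPN |
Advisor: | 陳志成 Chen Jyh-Cheng |
Oral defense committee: | |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Department of Computer Science |
Year of publication: | 2004 |
Academic year of graduation: | 92 |
Language: | English |
Number of pages: | 46 |
Keywords (translated from Chinese): | virtual private network, Mobile IPv4, dynamic home agent, IPsec, authentication, authorization and accounting (AAA) services |
Keywords: | VPN, Mobile IPv4, Dynamic HA, IPsec, AAA |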
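Network security has become one of the most important considerations in the development of today's Internet technology. Among the many security mechanisms that have been developed, the Virtual Private Network (VPN) is currently the most widely used. A VPN uses a wide area network (such as the Internet) to establish a dedicated network tunnel between a remote user's computer and a server on a home network for data transmission, and provides the same security as a closed private local network (such as a corporate intranet).
However, as wireless networks become more common and the number of mobile users grows, how to build a mobile VPN has also become an important research topic. In view of this, the IETF Mobile IPv4 working group proposed deploying an external Home Agent (x-HA) in the external network to provide seamless international roaming for IPsec-based VPN users. The IETF approach, however, raises two questions. First, where is the most appropriate place to put the x-HA? Second, can the x-HA be trusted to be secure?
To address these two questions, in this thesis we integrate AAA (Authentication, Authorization and Accounting) functions into the IETF Mobile VPN system to dynamically assign, as the x-HA, an HA in the external roaming network that is close to the mobile user. Afterwards, while roaming within the same external network, the user only needs to register with that x-HA and no longer needs to register with the i-HA of the internal private network. This minimizes both the handoff latency between agents and the end-to-end latency while the mobile user roams, and integrates fully with the VPN's IPsec security controls. In addition, to verify the correctness of the theory, we implemented both the IETF method and our proposed method on a testbed, and we analyze and compare their performance through actual tests and experiments.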
This thesis presents the dynamic external Home Agent (x-HA) assignment for mobile Virtual Private Networks (VPNs). The proposed architecture is based on the IPsec-based VPN proposed by the IETF for mobile users. The IETF solution, however, leads to two questions: where should we put the x-HA and how should we trust the x-HA? We propose to assign the x-HA dynamically so the handoff latency and end-to-end latency could be reduced significantly. Based on Diameter Mobile IPv4 application, we also propose a technique such that the x-HA can be associated with the VPN securely. In addition, the registrations with x-HA and internal HA (i-HA) are concurrently accomplished. The proposed technique is implemented in a mobile VPN testbed. Performance analysis based on empirical experiments is discussed.