JP4462554B2 - Route repair method and system - Google Patents

Description

  The present invention relates to a route repair method and system, and more particularly, to a route repair method and system that enables multi-hop communication with high anonymity and confidentiality on an ad hoc network.

  In addition to a method in which a mobile terminal communicates via a wireless base station, such as a mobile phone network or a wireless LAN, there is a method in which terminals directly exchange data. For example, this is supported by a communication mode called “ad hoc mode” in a wireless LAN. In ad hoc mode, terminals communicate with each other on a one-to-one basis, but by further expanding this and using ad hoc routing technology, not only the other party but also the other party Multi-hop communication has been proposed that enables communication by using a mobile terminal located at a relay terminal as a relay terminal, and is disclosed in Patent Document 1, for example.

  On the other hand, in a wireless network constructed ad hoc, there are not always only terminals that operate correctly. In some cases, a malicious third party may exist and perform various attacks. In ad hoc routing technology, data packets sent from a terminal go through multiple relay terminals. In conventional ad hoc routing technology, even if there is a person who acts fraudulently on the relay terminal, know that Is difficult.

  Further, in the conventional routing technique, it is necessary for end terminals (transmission terminal and destination terminal) that communicate with each other to register a unique address that can uniquely identify a partner terminal for a transmission packet. For this reason, the end terminal which is performing communication is known to the entire relay node, and communication anonymity is significantly lost.

For such a technical problem, Patent Document 1 discloses a technique for establishing a communication path while ensuring anonymity and confidentiality when a terminal performs ad hoc communication.
Japanese Patent Application No. 2003-420753

  According to the above-described conventional technology, the transmission terminal, the destination terminal, and the relay route are not specified by other terminals at the time of establishing the route, and the anonymous address for data communication is assigned to each of the transmission terminal and the destination terminal. (FWs, FWt) can be assigned, and if this anonymous address is used, multi-hop communication with high anonymity and confidentiality can be performed on the ad hoc network.

  However, if a unique address is used for each terminal in a control message such as a path disconnect message or a path repair message transmitted / received between terminals when the disconnected path is repaired, the end terminal And the anonymity and confidentiality of the route will be impaired.

  The object of the present invention is to solve the above-described problems of the prior art, when an anonymous address is assigned to each of the end terminals, and the end terminal communicates with each other by using the anonymous address. It is an object of the present invention to provide a route restoration method and system that can be reproduced by only partial restoration so that the anonymity and confidentiality of a terminal and the like are not impaired and the entire route is not recreated.

In order to achieve the above-described object, the present invention assigns an anonymous address to each of a pair of end terminals, and when this end terminal communicates using the anonymous address, the route is disconnected. The path repair method for repair is characterized in that the following measures are taken.
(1) A procedure in which at least one of a pair of terminals facing each other across a disconnect link uses the anonymous address to transmit a link disconnect message to an end terminal, and one end terminal that has received the link disconnect message A procedure of generating a route repair message, a procedure in which the one end terminal transmits the route repair message to the other end terminal using the anonymous address, and a terminal that receives the route repair message receives the message. A procedure for relaying to the other end terminal, a procedure for the other end terminal receiving the route repair message to generate a route repair response message, and the other end terminal using the anonymous address for the route repair. A procedure for transmitting a response message to one end terminal, and a terminal receiving the path repair response message Including a procedure of relaying the message to one end terminal, and a procedure of a terminal relaying the route repair message and the route repair response message storing the anonymous address as route information, the route repair message and the route repair response message Between the pair of terminals facing each other across the cut link, the source address is a dummy address and the destination address is flooded with a broadcast address, and except between the pair of terminals facing each other across the cut link The anonymous address is used.
(2) The end terminal that has received the link disconnection message further includes a procedure for writing a sequence number in a path repair message to be transmitted, and the pair of end terminals writes different sequence numbers in the path repair message, The terminal is characterized in that one of the route repair messages is ignored based on the sequence number.

According to the present invention, the following effects are achieved.
(1) The source address has a dummy address so that the source and destination are not identified between the pair of terminals facing each other across the disconnected link when relaying the route repair message and its response message at the time of route repair. The broadcast address is written and transmitted to the destination address, while the anonymous address is used on the existing route. Therefore, the disconnected route can be partially restored so that the anonymity and confidentiality of the end terminal are not impaired.
(2) Each end terminal receives a path disconnection message transmitted from each of a pair of terminals facing each other across the disconnection link, and each end terminal sends a path repair message in response to this. Since the terminal enables one and disables the other based on the sequence number written in each message, a plurality of route repair procedures are not executed for the same disconnected link.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a diagram showing a configuration example of an ad hoc network to which a route establishing method of the present invention is applied. A wireless access point AP, a route control server RM connected to the wireless access point AP via a network, and A plurality of mobile terminals (S, A, B,... T) are the main components.

In this embodiment, only the mobile terminals A and B are located within the communication area of the wireless access point AP, that is, within the infrastructure network, the mobile terminals S, C, and T are located outside the infrastructure network, and the mobile terminal S transmits A case where the mobile terminal T behaves as a terminal and the mobile terminal T behaves as a destination terminal will be described as an example. In the present embodiment, communication data is concealed using a public key / private key pair and a shared key, so that the routing server RM and each of the mobile terminals S, A, B, C, T are shown in FIG. Various encryption keys are managed as shown in the list.
(a) First public key KRMp:
Issued by the routing server RM and held in all mobile terminals.
(b) First secret key KRMs:
This key is paired with the first public key KRMp and is held only by the server RM.
(c) First shared key KRM_x:
The key is shared by the mobile terminal X and the server RM, and is registered in advance in the server RM by each mobile terminal X.
(d) Second public key Kxp:
This is a key unique to each mobile terminal X and is held by the routing server RM.
(e) Second secret key Kxs:
It is a key that is paired with each of the second public keys Kxp, and is held by each mobile terminal X.
(f) Second shared key KCx:
It is generated in each mobile terminal X when flooding the RREQ and is used to confirm the validity of the RREP received thereafter.
(g) Session key SK:
It is generated at the destination terminal T when a route is established, registered in the RREP, and notified to each relay terminal. Since the session key SK is shared by all the relay terminals, it can be used even after the route is established.

  3 and 4 are flowcharts showing a route establishment procedure executed by each mobile terminal at the time of route establishment, and FIG. 5 is a flowchart showing a route establishment procedure executed by the route control server RM at the time of route establishment. FIG. 6 is a sequence diagram when establishing a route.

  In the terminal S, a route table is searched in response to a route establishment instruction with the terminal T as a destination, and it is confirmed whether or not the route to the terminal T is already registered. Here, the description will be continued assuming that the route to terminal T is not registered in the route table and it is determined that a new route search is necessary. In the transmitting terminal S, a route request message (RREQ) having the final destination as the terminal T is generated.

  FIG. 7 is a diagram illustrating an example of a format of a signaling message transmitted / received between mobile terminals and between each mobile terminal and the routing server RM, and includes a basic header and a signaling unit. In the basic header, parameters such as a Type value indicating a message type (RREQ, RREP, FWREQ, FWREP, etc.), a length Len of a signaling unit, and a flag value are registered.

  FIG. 8 is a diagram illustrating a basic format of RREQ, which is stored in the signaling unit and transmitted. The RREQ includes an IP address “IPs” of the transmission terminal S, an IP address “IPt” of the destination terminal T, an “address ID” uniquely corresponding to an anonymous address FWs and FWt described later, and a unique correspondence with each session “ "Session ID" and its candidate value "Session ID candidate", Sequence number "seq", Hop limit number "hop limit", "Public key", Message identifier (hash code) "sig", Number of hops to date " Fields of “hop”, “previous hop order ID” to be described later, and hop information “hop info” are secured.

  The IP addresses “IPs” and “IPt” of the transmission terminal S and the destination terminal T are encrypted with the first public key KRMp at the transmission terminal S and registered in the RREQ. In the “session ID candidate”, a random value is registered in the transmission terminal S. In the “session ID”, the initial value “0” is registered in the transmission terminal S. In the “public key”, the first public key “KRMp” is registered when transmitted from the transmission terminal S. The message identifier “sig” is a unique signature for each terminal, with the IP address IPs, IPt encrypted data, address ID, session ID candidate, session ID, seq, hop limit, and public key (KRMp) as signature ranges. One shared key KRM_x (KRM_s in the case of the transmitting terminal S) is generated by calculation of a keyed hash function such as HMAC-MD5 using the encryption key.

  In the “hop info”, the IP address “IPx”, “previous hop order ID”, “own hop order ID”, “FW value”, “second shared key KCx” of each mobile terminal X, anonymous as will be described later The fields of address pair “FWs”, “FWt” and check value “check” are reserved. The anonymous addresses “FWs”, “FWt”, and “check” are parameters that are provided later from the routing server RM, and are all “0” when flooded from the transmission terminal S.

  The “previous hop order ID” is one of identifiers representing the pop order of messages, and is an ordinal number given to the RREQ by the previous mobile terminal that hopped the message to itself. The “own hop order ID” is an ordinal number assigned to the RREQ by itself, and is a value larger than the “previous hop order ID”. In the RREQ transmitted from the transmission terminal S, “0” is registered in both “previous hop order ID” and “own hop order ID”. The “hop info” is encrypted with the first public key KRMp and stored in the RREQ.

  In the RREQ, a dummy address (for example, [0.0.0.0]) is registered in the source address of the IP header, and a broadcast address (for example, [255.255.255.255]) is registered in the destination address and flooded on the network. The

  When the mobile terminal A receives the RREQ flooded from the transmission terminal S in step S1 of FIG. 3, in step S2, the “address ID” registered in the RREQ is referred to. The address ID of the RREQ received at the terminal A is still “0”, which means that the validity of the RREQ has not yet been verified by the server RM. This also means that the address information (IP address “IPs”, “IPt”) of the RREQ is still encrypted with the first public key KRMp and can be decrypted only by the routing server RM. Then, the process proceeds to step S5 without attempting to decipher it.

  If the address ID is other than “0”, the RREQ address information is re-encrypted by the server RM with the first shared key KRM_t that can be decrypted if the destination terminal T. Therefore, it progresses to step S3. In step S3, the address information of the RREQ is decrypted with the first shared key KRM_x unique to each terminal, and the decryption is tried. In step S4, it is determined whether or not the destination of the RREQ is itself based on whether or not the decoding is successful. If it cannot be decoded, it is determined that the destination of the received RREQ is other than itself, and the process proceeds to step S5.

  In step S5, it is determined whether or not it is within the infrastructure network. If it is terminal A, it is determined that it is within the range and the process proceeds to step S6. In step S6, a FW address request message (FWREQ) for requesting anonymous addresses FWs and FWt to the server RM is generated and transmitted to the server RM in step S7.

  FIG. 9 is a diagram showing an example of the basic format of the FWREQ, which has the same format as the RREQ, and includes parameters within the RREQ signature range, message identifiers “sig”, “Hop Info”, and the like. Is registered and sent as it is.

  Proceeding to FIG. 5, when the server RM receives the FWREQ in step S51, the server RM proceeds to step S52 and refers to the “address ID” stored in the FWREQ. In the case of FWREQ sent from terminal A, the “address ID” is “0”, which is the first FWREQ received for the same RREQ, and this means that anonymous addresses FWs, FWt and session IDs are not assigned. The process proceeds to step S53.

  In step S53, the address information encrypted with the first public key KRMp is decrypted with the first secret key KRMs, and the IP address “IPs” of the transmission terminal S and the IP address “IPt” of the destination terminal T are extracted. . In step S54, calculation of a keyed hash function such as HMAC-MD5 is performed on the signature range data using the first shared key KRM_s shared by the server RM with the transmission terminal S as an encryption key, and the calculation result and the FWREQ are calculated. The registered message identifier “sig” is compared. If the two match and the validity of the FWREQ is confirmed, the process proceeds to step S55, where each of the IP addresses “IPs” and “IPt” is the first shared key KRM_t that the server RM shares with the destination terminal T. It is encrypted again.

  In step S56, “Hop Info” encrypted with the first public key KRMp is decrypted with the first secret key KRMs, and further encrypted with the second public key Ktp unique to the destination terminal T. In step S57, it is determined whether or not the value of “session ID candidate” registered in FWREQ has already been assigned to another session. If not assigned, the process proceeds to step S58, and the value of the session ID candidate is registered as it is as a session ID. If the value of the session ID candidate is already assigned to another session, the process proceeds to step S59, and an unassigned ID is registered as a session ID.

  In step S60, an FW address response message (FWREP) is generated. FIG. 10 is a diagram showing an example of the basic format of FWREP. Compared to the received FWREQ (FIG. 9), the public key is changed from the first public key KRMp to the second public key Ktp unique to the destination terminal T. And the encryption key of the address information is changed from the first public key KRMp to the first shared key KRM_t of the destination terminal T, and the message identifier “sig” is a keyed hash with the first shared key KRM_t of the destination terminal T as the encryption key The calculation result of the function has been changed.

  In step S61, unassigned anonymous addresses FWs and FWt are assigned to the pairs of IP addresses “IPs” and “IPt” of the transmission terminal S and the destination terminal T, and are registered in the table together with check values (random numbers). . In step S62, the entry number of the table (or a value that can be converted to the value on a one-to-one basis) is registered as an “address ID”, and is registered in FWREP along with the FWs, FWt, and check values. In step S63, the FWREP is transmitted to terminal A.

  If the address ID of the received FWREQ is other than “0” in step S52, the process proceeds to step S64, and a pair of anonymous addresses FWs and FWt is extracted from the table based on the value. In step S65, the registered anonymous addresses FWs and FWt are compared with the extracted anonymous addresses FWs and FWt and Hop info of FWREQ. If the two match, the process proceeds to step S63 and FWREP is transmitted.

  On the other hand, if the two do not match, some fraud has been performed, so in step S66 FWREQ is discarded and FWREP is not transmitted. Even if the anonymous address FWs and FWt are already registered in FWREQ even though the address ID is determined to be “0” in step S52, some fraud has been performed, so the FWREQ is discarded and FWREP Is not sent.

  Returning to FIG. 3, after transmitting the FWREQ, the terminal A proceeds to step S10 upon receiving the FWREP in step S8, and tries to decrypt the address information with its own first shared key KRM_a. In step S11, it is determined again whether or not the RREQ is addressed to the own terminal based on whether or not the decoding is successful. The address information of FWREP cannot be decrypted by the terminal A because it is re-encrypted with the first shared key KRM_t unique to the destination terminal T by the routing control server RM in the step S55. Accordingly, here again, it is determined that the destination of the RREQ is other than itself and the process proceeds to step S12. Note that after the FWREQ is transmitted in the step S7, a predetermined time elapses before the FWREP is received in the step S8, and if a timeout is detected in the step S9, the process proceeds to the step S12.

  In step S12, a random value larger than the previous hop order ID registered in the received RREQ is generated as the own hop order ID. Then, anonymous addresses FWs, FWt, own hop order ID and previous hop order ID assigned by the routing server RM and additionally registered in FWREP, and the second shared key KCx (generated by terminal X as a random value) Etc. are written in Hop Info, and this is multiple-encrypted using the public key Ktp registered in the FWREP, and the RREQ is updated by rewriting the previous hop order ID to the own hop order ID.

  In this embodiment, after transmitting FWREQ in step S7, the process waits until FWREP is received in step S8. However, after transmitting FWREQ in step S7, the process is terminated for the time being, and the subsequent FWREQ is changed. You may make it transfer to said step S10 with a reception.

  FIG. 11 is a diagram schematically representing the multiple encryption structure of the Hop Info, which is generated by the terminal A into the Hop Info re-encrypted with the second public key Ktp in the path control server RM. Hop Info is added and collectively encrypted with the second public key Ktp.

  In step S13, the updated RREQ is flooded. In step S14, the session ID candidate, the session ID, the self-hop order ID, the seq, the check value, and the second shared key KCx registered in the FWREP are temporarily registered in their own transfer list in association with each other. The However, anonymous addresses FWs and FWt are not registered. The lifetime related to these temporary registrations is shorter than the lifetime when official registration is performed.

  FIG. 12 is a diagram showing an example of the RREQ flooded from the terminal A. Compared with the RREQ flooded from the transmission terminal S, the encryption key of the address information is unique to the destination terminal T from the KRMp. The key is changed to KRM_t, and the public key is also changed from KRMp to the second public key Ktp unique to the destination terminal T.

  Returning to FIG. 3, the terminal B that has received the RREQ from the terminal A determines that the address ID is other than “0” in step S2. If the address ID is other than “0”, the process proceeds to step S3, where the address information registered in the RREQ is decrypted with its own first shared key KRM_b to attempt decryption. In step S4, it is determined whether or not the destination of the RREQ is itself based on whether or not the decoding is successful.

  If the destination of the RREQ is the terminal B, the address information can be decrypted by the routing server RM because the server RM is re-encrypted with the first shared key KRM_b shared with the terminal B. However, since the address information of RREQ received by the terminal B is encrypted with the first shared key KRM_t of the destination terminal T, it cannot be decrypted. Accordingly, here, it is determined that a destination other than itself is the destination, and the process proceeds to step S5. Thereafter, as in the case of terminal A, transmission of FWREQ (S7), reception of FWREP (S8), update of RREQ (S12), flooding of RREQ (S13), update of transfer list (S14), etc. are executed. Is done.

  Further, since the terminal C that has received the RREQ from the terminal B is determined not to be a destination terminal in step S4, it is determined to be out of service in step S5, and therefore the process proceeds to step S12 without transmitting FWREQ to the server RM. RREQ update (S12), RREQ flooding (S13), transfer list update (S14), and the like are executed.

  Note that the out-of-service terminal immediately processes the received RREQ without communicating with the routing server RM. At that time, “0” is registered in FWs, FWt, and check of Hop Info, and only the number of hops is updated in others, and the public key registered in the RREQ (if any of the terminals in the previous stage is a range terminal) For example, the second public key Ktp of the destination terminal T and the first public key KRMp, if any of the preceding terminals are out-of-service terminals, are flooded.

  On the other hand, when the destination terminal T receives the RREQ in step S1, the destination terminal T proceeds from step S2 to step S3 and tries to decode it. If this RREQ relays a terminal in the range even once, the address information is re-encrypted with the first shared key KRM_t unique to itself in the server RM, and if it is the terminal T, it is correctly decrypted and decrypted. Therefore, the process proceeds from step S4 to step S21. In step S21, it is determined whether or not the destination IP address IPt obtained by the decryption matches its own IP address. If the two match, it is determined that the destination of the RREQ is itself, and the process proceeds to step S22.

  Even if the RREQ received at the destination terminal T has never relayed a terminal within the range, if the destination terminal T is a terminal within the range, the process proceeds to step S6 and subsequent steps, and FWREQ is sent to the server RM in the same manner as described above. (Step S7) and FWREP is received (step S8), the address information is re-encrypted with the first shared key KRM_t in the FWREP, and the address information can be decrypted and decrypted in step S11. Therefore, it can progress to step S22.

  In step S22, a keyed hash function of the signature range is calculated using the first shared key KRM_t as an encryption key, and the calculation result is compared with the message identifier “sig” registered in RREQ. When a plurality of RREQs are received through a plurality of routes, other than the RREQ currently being processed (validation is being confirmed) are temporarily stored as Pending RREQ in the queue. When the validity of the RREQ is confirmed, the process proceeds to step S23, and all the multiplexed Hop Info are decrypted one after another using the second secret key Kts. In step S24, Hop Info is verified.

  At this time, Hop Info generated in the terminal in the range includes FWs, FWt, and check values, but if those values are different among multiple Hop Info, some sort of fraud is being done. The RREQ is discarded because it is considered. If all FWs, FWt, and check values match, the continuity of the previous hop order ID and own hop order ID registered in each Hop Info, and whether each hop order ID increases in hop order The validity is determined based on the above. If there is no problem in determining the legitimacy of the route, the process proceeds to step S25 and the route information is registered. In step S26, a route establishment response (RREP) message is generated and flooded in step S27. Even in this RREP, a dummy address (for example, [0.0.0.0]) is registered as the source address of the IP header, and a broadcast address (for example, [255.255.255.255]) is registered as the destination address.

  FIG. 13 is a diagram showing an example of the format of the RREP. The seq, session ID, and session ID candidate are the same as the received RREQ. The Hop Info of each relay terminal stored in the Hop Info of the received RREQ after being multi-encrypted is separately encrypted and concatenated with the second shared key KCx registered in each Hop Info. Each Hop Info concatenation permutation is random. If a suitable number of dummy Hop Infos are inserted, it is difficult for a third party to know the number of Hops. In each Hop Info, the session key SK is common to all Hop Info in the RREP, and is randomly generated by the destination terminal T when the RREP is transmitted.

  In the Hop Info for the transmitting terminal S, as shown in an example in FIG. 14, together with an encryption key used at the time of data communication (for example, an AES encryption key if AES encryption is used), all relay terminals (the RREQ Own address IPx, own hop order ID, and second shared key KCx are added as relay address information. The destination terminal T generates an encryption key (AES) for data communication. The flag is for transmitting various types of information to the transmitting terminal S, and here includes information for transmitting whether each relay terminal is within or outside the service area.

  When terminal C receives the flooded RREP from the destination terminal T in step S15 in FIG. 3, the process proceeds to step S31 in FIG. 4, and the transfer list is searched using the session ID registered in this RREP as a search key. Is done. In step S32, the second shared key KCx associated with the session ID is extracted.

  If the session ID is “0” when the RREQ is received first, the session ID candidate is registered in the transfer list. Searches again with the session ID candidates registered in RREP. When the search by the session ID or the session ID candidate is successful, the value of the session ID of RREQ is written in the transfer list, and the value of the session ID candidate is updated to “0”. If both searches fail, the RREP is discarded.

  In step S33, all Hop Info registered in RREP is decrypted using the extracted second shared key KCx. In step S34, it is determined whether or not the decrypted valid data is included in all the decrypted data. If valid data cannot be obtained, there is a possibility that some kind of fraud including tampering has been performed, so the process proceeds to step S41, and the current RREP is discarded.

  If there is Hop Info from which valid data is obtained, the process proceeds to step S35, and it is determined whether or not the RREP destination is itself. If it is the terminal C, it is determined that the destination is other than itself, so the process proceeds to step S36, and the contents are written in the transfer list. However, the lifetime for this registration is shorter than that for official registration.

  In step S37, it is determined whether or not it is within the range, and if it is within the range, the process proceeds to step S38 and the range flag F1 is set. In step S39, all data other than the own hop order ID is deleted or rewritten to dummy data from its own Hop Info (FIG. 13) from which the valid data is obtained, and then re-used using the session key SK. Encrypted. In step S40, the RREP including the re-encrypted Hop Info is flooded. At this time, a dummy address is registered as the source address of the IP header, and a broadcast address is registered as the destination address.

  The above procedure is executed at each relay terminal, and if no fraud is detected at all the relay terminals, the RREP reaches the transmitting terminal S. When the transmitting terminal S receives the RREP, it is determined whether or not the destination of the RREP is itself.

  If it is determined in step S35 that it is the destination, the process proceeds to step S42, and the session key SK is extracted. In step S43, all Hop Info is decrypted using the session key SK. In step S44, the own hop order ID of each mobile terminal registered in each Hop Info is extracted. In step S45, all the relay address information (local hop order ID) registered in the RREP is extracted. In step S46, the local hop order ID of each mobile terminal is compared with all the relay address information. If the two match completely, the anonymous addresses FWs, FWt, session ID, etc. are registered in the transfer list in step S47. In step S48, it is registered in the route information table. In step S49, a route establishment completion notification (RCMP) is transmitted to the destination terminal T.

  In the RCMP, the FWt and FWs are set in the destination address and the source address, and transmitted to the destination terminal T using the data encryption key AES notified in the RREP. When the destination terminal T receives the RCMP, the pending RREQ is discarded and the route table is determined. Accordingly, the destination terminal T can transmit data from that point.

  In the above-described embodiment, it has been described that the FWREQ is transmitted to the routing control server RM when the mobile terminal that has received the RREQ is within range, but if the transmission terminal S is within range, the transmission terminal S also Similarly, FWREQ is transmitted.

  Next, a procedure for detecting and repairing when the route established as described above is disconnected will be described.

  FIG. 15 is a flowchart showing a procedure of a route repair request in which a mobile terminal that has detected link disconnection requests a route repair to the transmission terminal S or the destination terminal T. FIG. It is the flowchart which showed the procedure of the path | route repair performed in response to the said path | route repair request | requirement.

  FIG. 17 is a sequence diagram showing an operation from detection of link disconnection to route repair. Here, there is a route between mobile terminal A, B, and C between relay terminal S and destination terminal T as a relay terminal. The case where the link between the relay terminals B and C is disconnected in the established state will be described as an example. In the present embodiment, the same processing is executed by a pair of relay terminals B and C facing each other across the cut link. Here, the operation of the relay terminal B will be described.

  In relay terminal B, when disconnection of the adjacent link is detected in step S101 of FIG. 15, in step S102, the session whose link is disconnected is specified based on the pair of anonymous addresses FWs and FWt or the session ID. In step S103, a link disconnection (RERR) message for notifying an end terminal (transmission terminal S or destination terminal T) of link disconnection is generated. In this RERR, the IP address and the own pop order ID are registered as an identifier related to the relay terminal B that detects the link disconnection, and a third party sniffs the RERR and transmits the same packet later. A sequence number is registered to prevent a “retransmission attack”.

  In step S104, an error flag is set in an entry on the table relating to the identified session. In step S105, a session key SK associated with the identified session is extracted from the table. In step S106, the RERR message is encrypted with the session key SK, and in step S107, a header in which the anonymous address (FWs) of the transmission terminal S is recorded as a destination address is transmitted.

  The RERR transmitted from the transmission terminal S is transferred to the transmission terminal S via the relay terminal A. At this time, the relay terminal A relays it as it is without changing the RERR. However, for the route that relayed RERR, the relay terminal A sets a flag indicating that it is being repaired in the entry related to the session ID of the route on its table, and temporarily performs data communication using the route. May be interrupted.

  When the transmitting terminal S receives the RERR message transmitted from the relay terminal B in step S201 of FIG. 16, the transmitting terminal S proceeds to step S202, and the session key SK associated with the destination address (FWs) is extracted from the table. . In step S203, RERR is decrypted with the extracted session key SK. In step S204, it is determined whether or not the decrypted RERR message can be decrypted. If the decrypted RERR message can be decrypted, it is determined that the RERR is a regular message addressed to itself, and the process proceeds to step S205. If it cannot be decoded, it is discarded.

  In addition, since the identifier (IP address or own hop order ID) and sequence number of the terminal that detected the link disconnection is registered in the RERR, the RERR can be decoded, and in addition, the RERR It is also judged whether or not each of the above registered parameters is legitimate, and if the RERR is decipherable and the contents are confirmed to be legitimate, the RERR itself You may make it determine with it being a regular message addressed.

  In step S205, a route repair message (RRPR) is generated. This RRPR has the same configuration (see FIG. 8) as the RREQ (route establishment request) transmitted from the transmission terminal S at the time of establishing the route, but it indicates that the message is a message transmitted from the transmission terminal S. Flabs are set. In this RRPR, the anonymous address FWs of the transmission terminal S is written to the transmission source address, the anonymous address FWt of the destination terminal T is written to the destination address, and transmitted in step S206.

  As shown in FIG. 17, the terminal that has received the RRPR transmitted from the transmitting terminal S relays this to the destination terminal T in the same way as the RREQ, thereby establishing a forward path. At this time, on the route from one relay terminal B that has detected the link disconnection to the other relay terminal C (B → N1 → N2 → C), the RRPR has a dummy address (for example, [ 0.0.0.0]) is written, and a header with a broadcast address ([255.255.255.255]) written as the destination address is added and flooded. On the other hand, except for the route between the relay terminals B and C, the anonymous address FWs of the transmission terminal S is written as the transmission source address, and a header with the anonymous address FWt of the destination terminal T is written as the destination address. Sent.

  Each terminal that has received the RRPR transmits a FWREQ to the server RM to request verification of the RRPR if the terminal itself is within the infrastructure network, like each terminal that has received the RREQ at the time of establishing the route. Also good. At this time, if any fraud is detected in the server RM and FWREP is not returned from the server RM, the relay of the RRPR is stopped.

  Upon receiving the RRPR, the destination terminal T generates an RREP_R (path repair response message) in the same manner as the RREP generated and returned in response to the RREQ, and anonymity is transmitted to the source address. The anonymous address FWs of the transmission terminal S is written in the address FWt and the destination address and transmitted.

  Each terminal that has received RREP_R transmitted from the destination terminal T establishes a return path by relaying it to the transmitting terminal S. At this time, on the route from the other relay terminal C that has detected the link disconnection to one relay terminal B (C → N2 → N1 → B), as in the case of the RRPR, the source address is a dummy address. Is written, and the header with the broadcast address written in the destination address is added and flooded. On the other hand, except for the route between the relay terminals C and B, the header where the anonymous address FWt of the destination terminal T is written in the source address and the anonymous address FWs of the sender terminal S is written in the destination address. Sent.

  In this embodiment, when an RRPR is generated at an end terminal (transmission terminal S or destination terminal T) that has received RERR, a sequence number seq is written therein. The sequence number seq is set to a different initial value so that the values do not match between end terminals, and the increase / decrease value at the time of updating is also different. In this way, the sequence number of RRPR transmitted from one end terminal is always larger than the sequence number of RRPR transmitted from the other end terminal.

  In this embodiment, the terminals A and B that detect the link disconnection both transmit RERR, and the transmitting terminal S receives RRPR (2) transmitted from the destination terminal T after transmitting RRPR (1). At this time, if the sequence number of RRPR (1) is larger than the sequence number of RRPR (2), the RRPR (2) is ignored. If the sequence number of RRPR (1) is smaller than the sequence number of RRPR (2), RREP is transmitted again in response to the RRPR (2), and the processing related to RRPR (1) is performed in the middle.

  Similarly, in the relay terminal, if the sequence number of RRPR (1) received first is larger than the sequence number of RRPR (2) received later, the RRPR (2) is ignored. On the other hand, if the sequence number of RRPR (1) received first is smaller than the sequence number of RRPR (2) received later, the RRPR (2) is relayed and the RRPR (1) Information about is deleted.

  In the above-described embodiment, it has been described that both of the pair of relay terminals facing each other across the cut link transmit RERR, and only one of them is enabled based on the sequence number. However, the RERR may be transmitted only by a pair of terminals that detect a link disconnection.

It is a figure of the ad hoc network to which the route establishment method of the present invention is applied. It is the figure which showed the list | wrist of the encryption key managed by a route control server and each mobile terminal. It is the flowchart (the 1) which showed the route establishment procedure performed with each mobile terminal at the time of route establishment. It is the flowchart (the 2) which showed the route establishment procedure performed with each mobile terminal at the time of route establishment. 6 is a flowchart showing a route establishment procedure performed by the route control server RM when a route is established. It is a sequence diagram at the time of route establishment. It is the figure which showed an example of the format of a signaling message. It is the figure which showed the basic format of RREQ. It is the figure which showed an example of the basic format of FWREQ. It is the figure which showed an example of the basic format of FWREP. It is the figure which expressed the multiple encryption structure of Hop Info typically. FIG. 3 is a diagram showing an example of RREQ flooded from mobile terminal A in FIG. 1. It is the figure which showed an example of the format of RREP. FIG. 4 is a diagram illustrating a structure of Hop Info for a transmission terminal S. 10 is a flowchart showing a procedure of a route repair request in which a mobile terminal that has detected a link disconnection requests route repair to a transmission terminal S or a destination terminal T. 6 is a flowchart showing a route repair procedure executed by a transmission terminal S and a destination terminal T in response to a route repair request. It is the sequence diagram which showed the operation | movement from the detection of link cutting | disconnection to a path | route repair.

Explanation of symbols

S, A, B, C, T ... Mobile terminal
RM: Routing server
AP: Wireless access point

Claims (3)

An anonymous address is assigned to each of a pair of end terminals, the anonymous address pair is notified to a terminal that relays communication between the end terminals, and the end terminals communicate with each other using the anonymous address In the path repairing method of repairing when this is cut,
A procedure in which at least one of a pair of terminals facing each other across the cut link uses the anonymous address to transmit a link cut message to the end terminal;
A procedure in which one end terminal receiving the link disconnection message generates a route repair message;
The one end terminal transmits a route repair message to the other end terminal using the anonymous address;
A procedure in which the terminal that has received the path repair message relays the message to the other end terminal;
A procedure in which the other end terminal receiving the route repair message generates a route repair response message;
The other end terminal uses the anonymous address to send the route repair response message to one end terminal;
A procedure in which the terminal that has received the path repair response message relays the message to one end terminal;
A terminal that relays the route repair message and the route repair response message stores the anonymous address as route information,
The relay of the route repair message and the route repair response message is performed by flooding a source address as a dummy address and a destination address as a broadcast address between a pair of terminals facing each other across the disconnected link. The route repairing method is performed using the anonymous address except between a pair of terminals facing each other. The end terminal that has received the link disconnection message further includes a procedure of writing a sequence number in a route repair message to be transmitted,
The pair of end terminals writes different sequence numbers in each path repair message, and each terminal ignores one path repair message based on the sequence number. Path repair method. An anonymous address is assigned to each of a pair of end terminals, the anonymous address pair is notified to a terminal that relays communication between the end terminals, and the end terminals communicate with each other using the anonymous address In the path repair system that repairs this when it is disconnected
Each terminal is
Means for detecting disconnection of adjacent links;
When the disconnection of the adjacent link is detected, means for transmitting a link disconnection message to one end terminal using the anonymous address;
Means for generating a route repair message in response to receiving a link disconnect message addressed to itself;
Means for transmitting the route repair message to the other end terminal using the anonymous address;
Means for relaying a route repair message transmitted from one end terminal to the other end terminal;
Means for generating a route repair response message in response to receiving a route repair message addressed to itself;
Means for transmitting the route repair response message to one end terminal using the anonymous address;
Means for relaying a route repair response message transmitted from the other end terminal to one end terminal;
Means for generating route information based on the relayed route repair message and the route repair response message,
The relay of the route repair message and the route repair response message is performed by flooding the source address with a dummy address and the destination address with a broadcast address between a pair of terminals facing each other across the disconnected link. The route repairing system is performed using the anonymous address except between a pair of facing terminals.

Images