WO2009012676A1 - A method and equipment for generating care of address and a method and system for improving route optimization security - Google Patents

A method and equipment for generating care of address and a method and system for improving route optimization security

Info

Publication number
WO2009012676A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
binding
care
mobile node
module
Prior art date
Application number
PCT/CN2008/071269
Other languages
French (fr)
Chinese (zh)
Inventor
Chunqiang Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009012676A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/14 Backbone network devices

Definitions

  • the present invention relates to the field of mobile communications, and in particular, to a method and apparatus for generating a care-of address and a method and system for improving route optimization security.
  • Mobile IPv6 is a solution for mobility at the network layer.
  • MN Mobile Node
  • CN Correspondent Node, communication node or communication peer
  • HA Home Agent
  • a mobile node can be uniquely identified by HoA (Home Address), which is a global unicast routable address assigned to the mobile node.
  • HoA Home Address
  • the Mobile IPv6 specification requires that the mobile node move from one link to another without interrupting the ongoing communication using the home address, and the mobility of the node is transparent to the transport layer and other higher layer protocols.
  • when the mobile node roams to a foreign network, it generates a CoA (Care-of Address) in a certain way and notifies the home agent through a BU (Binding Update).
  • the home agent intercepts packets sent to the mobile node's home network and forwards them to the mobile node through a tunnel.
  • when the mobile node sends a packet to the communication node, the packet is encapsulated and sent to the home agent.
  • the home agent decapsulates the tunneled packet and forwards it to the communication node. After receiving the message, the communication node returns a BA (Binding Acknowledgement) message to confirm the BU message.
  • BA Binding Acknowledgement
  • Such a communication method in which a mobile node and a communication node transit through a home agent is called a triangular routing mode.
  • the triangular routing mode increases the communication delay, the packet header overhead of communication with the mobile node is large, the burden on the mobile node's home link is increased, and the route may not be sufficiently optimized.
  • Another communication mode between the mobile node and the communication node is the route optimization mode: the current location information of the mobile node (i.e., its CoA) is notified to the communication node by a BU, and the communication node and the mobile node then communicate directly rather than through the home agent.
  • in the route optimization mode, the communication between the mobile node and the communication node is vulnerable to attack. For example, if an attacker replaces the CoA in the BU message with a forged CoA, the mobile node cannot receive the packets sent by the communication node; an attacker can also replay a BU message previously sent by the mobile node, so that the communication node sends packets to the old address in that BU message instead of to the mobile node's current location; and if the CoA is not checked, a malicious node can forge a BU message that uses a victim node's address as the CoA, causing the communication node to send a large amount of data to the victim node.
  • the interface identifier may adopt a method of randomly selecting one data as an interface identifier, or may generate an interface identifier according to the MAC address of the mobile node.
  • the inventors have found that the prior-art methods of generating a care-of address have at least the following problems: when the interface identifier is a randomly selected value, the communication node cannot obtain any information with which to verify the care-of address; when the interface identifier and the care-of address are generated from the MAC address, and the communication node and the mobile node are not in the same subnet, the packet headers sent by the mobile node to the communication node do not carry the mobile node's MAC address, so the communication node again cannot verify the care-of address. Because the care-of address cannot be verified, communication between the mobile node and the communication node is insecure; for example, the communication node may send data to a wrong care-of address.
  • the MN sends a HoTI (Home Test Init) message to the CN.
  • the inner source IP address of the message is the HoA (the message is tunneled through the home agent to the CN); it requests a home secret generation token (Home Keygen Token) and may also carry a cookie (a random number generated by the MN).
  • a home secret generation token (Home Keygen Token)
  • the CN calculates the home secret generation token from Kcn and a Nonce, where Kcn is a secret known only to the CN and Nonce is a random number generated by the CN.
  • after generating the home keygen token, the CN sends it to the MN in a HoT (Home Test) message (i.e., the response to the HoTI message), and also places the cookie received in the HoTI message into the HoT message.
  • the MN also sends a CoTI (Care of Test Init) message to the CN, which carries the MN's CoA and requests a Care-of Keygen Token; it may also carry a cookie.
  • CoTI Care of Test Init
  • when the CN receives the CoTI message, it calculates the care-of keygen token as follows:
  • Care-of Keygen Token = First(64, HMAC-SHA1(Kcn, CoA | Nonce))
  • after generating the care-of keygen token, the CN sends it to the MN in a CoT (Care of Test) message (i.e., the response to the CoTI message), and also sends the cookie received in the CoTI message back in the CoT message.
  • CoT Care of Test
  • after receiving the HoT and CoT messages returned by the CN, the MN checks the cookie in each. After the checks pass, the home keygen token is taken from the HoT and the care-of keygen token from the CoT, and Kbm is calculated as follows:
  • Kbm = SHA1(Home Keygen Token | Care-of Keygen Token)
  • a MAC (Message Authentication Code) is then generated using Kbm as the binding authorization data, and the binding authorization data is placed in the BU message.
  • the CN generates Kbm by the same method:
  • Kbm = SHA1(Home Keygen Token | Care-of Keygen Token);
  • the CN then uses the generated Kbm to compute a MAC and checks it against the MAC in the BU message, thereby determining whether the received BU message is correct.
  • an attacker who illegally obtains the HoT and CoT messages can calculate Kbm by the same method and thereby forge a BU message.
  • for example, an attacker MNa obtains the CoT message sent by the CN to MNa and extracts the care-of keygen token, intercepts the HoT message sent by the CN to MNb and extracts the home keygen token, calculates Kbm, and sends the CN a BU message binding CoAa with HoAb.
  • the CN verifies and accepts this BU, so the traffic the CN sends to MNb through route optimization is redirected to MNa, reducing the security of data transmission.
  • an embodiment of the present invention provides a method and apparatus for generating a care-of address.
  • the technical solution is as follows:
  • a method of generating a care-of address comprising:
  • generating an interface identifier by using a one-way function operation with the home address of the mobile node as an input, and combining the interface identifier with a prefix of an external network accessed by the mobile node to generate a care-of address.
  • An apparatus for generating a care-of address comprising:
  • an interface identifier generating module configured to generate an interface identifier by using a one-way function operation with the home address of the mobile node as an input; and a care-of address generating module configured to combine the interface identifier generated by the interface identifier generating module with the prefix of the external network accessed by the mobile node to generate a care-of address.
  • by taking the home address HoA of the mobile node MN as input and using a one-way function operation to generate the interface identifier and the care-of address CoA, the CN can obtain the verification information of the care-of address, which limits the attacks caused by misuse of the mobility mechanism and improves the security of the Mobile IPv6 CoA.
  • an embodiment of the invention also provides a method and system for improving route optimization security.
  • the technical solution is as follows:
  • the embodiment of the present invention provides a method for improving route optimization security, where the method includes: the mobile node generates an interface identifier by using a one-way function operation with the home address as an input;
  • the mobile node combines the interface identifier with a prefix of an external network accessed by the mobile node to generate a care-of address
  • the mobile node and the communication node perform a return route reachability process by using the home address and the care-of address, and then generate the same binding management key respectively;
  • the mobile node and the communication node each generate binding authorization data by using their respective binding management keys, and the mobile node sends a binding update message including the home address, the care-of address, and the binding authorization data generated by itself to the communication node;
  • after receiving the binding update message, the communication node verifies the binding authorization data in the binding update message, and if it is consistent with the binding authorization data generated by the communication node itself, the mobile node is allowed to communicate with the communication node in the route optimization mode.
  • the embodiment of the present invention further provides a method for improving route optimization security, where the method includes: the mobile node generates an interface identifier by using a one-way function operation with the home address as an input, where the home address is generated by a cryptographic method;
  • the mobile node combines the interface identifier with a prefix of an external network accessed by the mobile node to generate a care-of address
  • the mobile node and the communication node perform a return route reachability process by using the home address and the care-of address; the mobile node signs the binding update message with its own private key, the signature serving as the binding authorization data of the binding update message; the mobile node sends the binding update message, which includes the home address, the care-of address, and the binding authorization data, to the communication node and carries its public key in the binding update message;
  • after receiving the binding update message, the communication node extracts the public key of the mobile node and uses it to verify the binding authorization data in the binding update message. If the verification passes, the mobile node is allowed to communicate with the communication node in the route optimization mode.
  • an embodiment of the present invention provides a system for improving route optimization security, where the system includes a mobile node and a communication node, and the mobile node includes:
  • a care-of address generating module configured to generate an interface identifier by using a one-way function operation with the home address of the mobile node as an input; and combining the interface identifier with a prefix of an external network accessed by the mobile node to generate a care-of address;
  • a key generation module configured to perform a return route reachability process by using the home address and the care-of address generated by the care-of address generation module together with the communication node, and then generate a binding management key
  • An authorization data generating module configured to generate binding authorization data by using a binding management key generated by the key generation module
  • a sending module configured to send a care-of address generated by the home address, the care-of address generating module, and a binding update message of the binding authorization data generated by the authorization data generating module to the communication node;
  • the communication node includes:
  • a key generation module configured to perform a return route reachability process, together with the mobile node, by using the home address and the care-of address generated by the care-of address generation module, and then generate a binding management key identical to the one generated by the key generation module of the mobile node;
  • An authorization data generating module configured to generate binding authorization data by using a binding management key generated by a key generation module of the communication node
  • a receiving module configured to receive a binding update message sent by the sending module
  • a comparison module configured to compare the binding authorization data in the binding update message received by the receiving module with the binding authorization data generated by the authorization data generating module of the communication node;
  • a control module configured to allow the mobile node to communicate with the communication node in the route optimization mode when the comparison result of the comparison module is consistent.
  • the embodiment of the present invention further provides a system for improving route optimization security, where the system includes a mobile node and a communication node, and the mobile node includes:
  • a care-of address generating module configured to generate an interface identifier by using a one-way function operation with the home address of the mobile node as an input, and to combine the interface identifier with a prefix of an external network accessed by the mobile node to generate a care-of address, where the home address is generated by a cryptographic method;
  • a route reachable execution module configured to perform a return route reachability process by using the home address and the care-of address generated by the care-of address generation module together with the communication node;
  • An authorization data generating module configured to sign, by using a private key of the mobile node, a binding update message as binding authorization data of the binding update message;
  • a sending module configured to send the binding update message that includes the home address, the care-of address generated by the care-of address generating module, and the binding authorization data generated by the authorization data generating module, to the communication node, and
  • the binding update message carries a public key of the mobile node
  • the communication node includes:
  • a route reachable execution module configured to perform a return route reachability process by using the home address and the care-of address generated by the care-of address generation module together with the mobile node;
  • a receiving module configured to receive a binding update message sent by the sending module
  • a verification module configured to extract the public key of the mobile node from the binding update message received by the receiving module, and to use that public key to verify the binding authorization data in the binding update message;
  • control module configured to allow the mobile node to perform communication in a route optimization mode with the communication node when the verification module passes the verification.
  • the return route reachability procedure RRP is performed using the CoA; then the binding management key Kbm is calculated, and the binding authorization data used to verify the BU message is generated from Kbm.
  • the HoA is generated by CGA (Cryptographically Generated Addresses)
  • the BU message is verified by using the MN's private key to sign the BU message as the binding authorization data.
  • after the verification passes, the MN and the CN can communicate in the route optimization mode, which limits the attacks caused by misuse of the mobility mechanism and improves the security of communication in the Mobile IPv6 route optimization mode.
  • FIG. 1 is a schematic diagram of a return route reachable process in the prior art
  • FIG. 2 is a flowchart of a method for generating a care-of address according to Embodiment 1 of the present invention
  • FIG. 3 is a structural diagram of an apparatus for generating a care-of address according to Embodiment 2 of the present invention.
  • FIG. 5 is a structural diagram of a system for improving route optimization security according to Embodiment 4 of the present invention.
  • FIG. 6 is a flowchart of another method for improving route optimization security according to Embodiment 5 of the present invention.
  • FIG. 7 is a structural diagram of another system for improving route optimization security according to Embodiment 6 of the present invention.
  • Detailed description
  • a care-of address CoA is generated on the basis of the home address HoA of the mobile node, and the return route reachable process RRP is performed by using the CoA, and then the binding management key Kbm is calculated, and the binding authorization data is generated by using Kbm.
  • alternatively, the BU message is verified by using the MN's private-key signature over the BU message as the binding authorization data; after the verification passes, the MN and the CN can communicate in the route optimization mode.
  • an embodiment of the present invention provides a method for generating a care-of address, which specifically includes:
  • Step 101 Generate an identifier OID by a one-way function operation with the HoA of the MN as an input.
  • the OID is computed by applying a one-way function PRF to an Expression, where the Expression can be the HoA of the MN, or the combination of the HoA and the network prefix (Subnet Prefix) of the external network accessed by the MN;
  • the PRF is a one-way cryptographic function, such as MD5, SHA-1, SHA-256 or AES-XCBC-PRF. Therefore the formula can take many forms, for example:
  • OID = SHA-1(HoA);
  • OID = MD5(HoA | Subnet Prefix); and so on.
  • Step 102: After generating the OID, the MN processes the OID to obtain an interface identifier (Interface ID) 64 bits in length. If the length of the OID exceeds 64 bits, there are several ways to process it. For example:
  • Interface ID = Abs(64, n, OID);
  • that is, the 64 bits starting from bit n of the OID are selected as the interface ID.
  • a different interface identifier, and a corresponding different CoA, can be regenerated by changing the value of n.
  • alternatively, the OID is divided into 64-bit blocks. If the last block is shorter than 64 bits, it is padded to 64 bits with content of the corresponding length taken from any of the other blocks. Assuming the OID is divided into N blocks Block1, Block2, ..., BlockN, the interface identifier is calculated as:
  • Interface ID = Block1 ⊕ Block2 ⊕ ... ⊕ BlockN;
  • Step 103 After generating the interface identifier of the CoA, the MN combines the prefix Subnet Prefix of the accessed external network with the interface identifier to generate a CoA of the MN.
  • for example, if the Subnet Prefix is 0x31223344 and the interface identifier is 0x55667788, then 0x31223344 and 0x55667788 are concatenated to give 0x3122334455667788, which is the CoA of the MN.
  • the foregoing step 101 may be specifically as follows:
  • the MN's HoA combined with the MN's public key, or the prefix of the external network accessed by the MN combined with the HoA and the public key, may be taken as the input, and the interface identifier generated by a one-way function operation; that is, the Expression may also include the MN's public key information.
  • the interface identifier and the CoA are generated by a one-way function operation, so that the CN can obtain the verification information of the care-of address, which limits the attacks caused by misuse of the mobility mechanism and improves the security of the Mobile IPv6 CoA.
  • an embodiment of the present invention provides an apparatus for generating a care-of address, which specifically includes:
  • an interface identifier generating module 201 configured to generate an interface identifier by using a one-way function operation with the home address of the mobile node as an input;
  • the care-of address generation module 202 is configured to combine the interface identifier generated by the interface identifier generation module 201 with the prefix of the external network accessed by the mobile node to generate a care-of address.
  • the interface identifier generation module 201 may specifically include:
  • a combination unit configured to combine a prefix of an external network accessed by the mobile node with a home address of the mobile node
  • a generating unit is configured to input the data obtained by combining the combined units as an input, and generate an interface identifier by a one-way function operation.
  • the interface identifier generating module 201 may specifically include:
  • a combination unit configured to combine the home address of the mobile node with the public key of the mobile node, or combine the prefix of the external network accessed by the mobile node with the home address and the public key;
  • a generating unit is configured to input the data obtained by combining the combined units as an input, and generate an interface identifier by a one-way function operation.
  • the above device may further include:
  • a length processing module configured to determine whether the length of the interface identifier generated by the interface identifier generating module 201 exceeds 64 bits and, if so, to set a start bit and take the 64 bits starting from the start bit as a new interface identifier, which is sent to the care-of address generation module 202.
  • the above device may also include:
  • a length processing module configured to determine whether the length of the interface identifier generated by the interface identifier generating module 201 exceeds 64 bits and, if so, to divide the interface identifier into 64-bit blocks, pad the last block to 64 bits with content of the corresponding length taken from any other block if it is shorter than 64 bits, perform a bitwise logic operation over the blocks, and send the result to the care-of address generation module 202 as the new interface identifier.
  • the above apparatus may further include:
  • an address checking module configured, when the care-of address generating module 202 generates a care-of address, to determine whether the care-of address is the same as an IP address already used in the network; if so, an increment is set and added to the start bit of the length processing module, the result is used as the new start bit, 64 bits are taken from there as the interface identifier, and a new care-of address is generated.
  • the interface identifier generation module 201 takes the HoA of the MN as input and generates an interface identifier by a one-way function operation, and the care-of address generation module 202 generates a CoA from the interface identifier, so that the CN can obtain the verification information of the care-of address, which limits the attacks caused by misuse of the mobility mechanism and improves the security of the Mobile IPv6 CoA.
  • the address check module performs an address check on the generated CoA to avoid address conflicts in the network and improve the security of generating the care-of address.
  • an embodiment of the present invention provides a method for improving route optimization security, which specifically includes the following steps: Step 301: The MN generates an interface identifier by using a one-way function operation with HoA as an input.
  • Step 302 The MN combines the interface identifier with the prefix of the external network accessed by the MN to generate a CoA.
  • duplicate address detection may be performed on the generated CoA, that is, checking whether the generated CoA is the same as an IP address already used in the network. If an address conflict occurs, the interface identifier is regenerated as in steps 301 to 302 (for example with a new start bit) and a new, available CoA is generated:
  • Step 303 The MN and the CN both use the HoA of the MN and the generated CoA to perform a return route reachability process.
  • when the MN registers with the CN for the first time, the CN generates both the home keygen token and the care-of keygen token in the return route reachability process and transmits them to the MN through the HoT and CoT messages.
  • when the MN is not registering with the CN for the first time, only the CoTI and CoT exchange needs to be performed in the return route reachability process, and the CN generates only the care-of keygen token and transmits it to the MN through the CoT.
  • when the MN deregisters its binding with the CN, only the HoTI and HoT exchange needs to be performed in the return route reachability process, and the CN generates only the home keygen token and transmits it to the MN through the HoT.
  • Step 304 The CN generates Kbm according to the token generated in the return route reachable process, and the MN generates Kbm according to the token extracted from the received test response message; the Kbm generated by the MN is the same as the Kbm generated by the CN.
  • Step 305 The MN and the CN respectively generate binding authorization data by using the respective generated Kbm.
  • Step 306 The MN sends a BU message including the HoA and the CoA of the MN to the CN, and carries the binding authorization data generated by the MN in the BU message.
  • the MN may further set a minimum time interval for performing RRP and sending a BU message. Accordingly, the CN may also limit the maximum number of BU messages received per unit time according to requirements, and the like.
  • Step 307: After receiving the BU message, the CN verifies the binding authorization data in the BU message by comparing it with the binding authorization data generated by the CN. If they are consistent, the MN and the CN are allowed to communicate in the route optimization mode. If they are inconsistent, the BU message received by the CN is incorrect, and the MN and the CN are not allowed to communicate in the route optimization mode.
  • a step of verifying the CoA in the BU message may be added before the CN verifies the binding authorization data in the BU message (step 307), as follows:
  • the CN extracts the HoA of the MN from the received BU message, generates a temporary CoA from that HoA by the same method as steps 301 to 302, and compares the generated CoA with the CoA in the BU message. If they are consistent, the binding authorization data is then verified. If they are inconsistent, the received BU message is incorrect and may be a forged BU message, and the MN and the CN are not allowed to communicate in the route optimization mode.
  • the care-of address CoA is generated on the basis of the home address HoA of the mobile node MN, the return route reachability procedure RRP is performed using the CoA, the binding management key Kbm is calculated, and the binding authorization data used to verify the BU message is generated from Kbm. After the verification passes, the MN and the CN can communicate in the route optimization mode, which limits the attacks caused by misuse of the mobility mechanism and thereby improves the security of communication in the Mobile IPv6 route optimization mode. Before verifying the binding authorization data, the CN can further verify the CoA in the BU message, which further improves the security of communication in the route optimization mode.
  • an embodiment of the present invention further provides a system for improving route optimization security, specifically including a mobile node 401 and a communication node 402.
  • the mobile node 401 includes:
  • the care-of address generation module 4011 is configured to generate an interface identifier by using a one-way function operation with the home address of the mobile node 401 as an input; and combining the interface identifier with a prefix of the external network accessed by the mobile node 401 to generate a care-of address;
  • a key generation module 4012 configured to perform a return route reachability process, together with the communication node 402, using the home address and the care-of address generated by the care-of address generation module 4011, and then generate a binding management key;
  • an authorization data generating module 4013 configured to generate binding authorization data by using the binding management key generated by the key generation module 4012;
  • a sending module 4014 configured to send a binding update message including a home address, a care-of address generated by the care-of address generating module 4011, and a binding authorization data generated by the authorization data generating module 4013 to the communication node 402;
  • Communication node 402 includes:
  • the key generation module 4021 is configured to perform a return route reachability process, together with the mobile node 401, using the home address and the care-of address generated by the care-of address generation module 4011, and then generate a binding management key identical to the one generated by the key generation module 4012 of the mobile node 401;
  • an authorization data generating module 4022 configured to generate binding authorization data by using a binding management key generated by the key generation module 4021 of the communication node 402;
  • the receiving module 4023 is configured to receive a binding update message sent by the sending module 4014.
  • the matching module 4024 is configured to compare the binding authorization data in the binding update message received by the receiving module 4023 with the binding authorization data generated by the authorization data generating module 4022 of the communication node 402.
  • the control module 4025 is configured to allow the mobile node 401 to communicate with the communication node 402 in the route optimization mode when the comparison result of the comparison module 4024 is consistent.
  • the foregoing communication node 402 may further include:
  • the care-of address matching module is configured to extract the home address of the mobile node 401 from the binding update message received by the receiving module 4023 before the comparison module 4024 is compared, and use the care-of address generation module 4011 according to the home address
  • the method of generating the same care-of address generates a temporary care-of address, and verifies whether the temporary care-of address is consistent with the care-of address in the binding update message. If they are consistent, the comparison module 4024 is triggered to work.
  • the care-of address ACA is generated by the care-of address generation module 4011 on the basis of the home address HoA of the mobile node 401MN, and the key generation module 4012 uses the CoA to perform the return route reachability process RRP, and then calculates the binding management key.
  • Kbm the authorization data generating module 4013 uses Kbm to generate binding authorization data, which is used to verify the BU message.
  • the MN and the CN can perform communication in the route optimization mode, which limits the misuse of the mobile mechanism. Attack, thereby improving the security of communication in the mobile IPv6 route optimization mode.
  • the CoA in the BU message is verified by the care-of address matching module, which can further improve the security of the communication in the route optimization mode.
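As an added illustration of the system above and of the RRP formulas quoted in the background section of the description (editor-supplied example code, not code from the patent or from Huawei), the following Python models the MN and the CN end to end: the CoA is derived from the HoA with SHA-1 as the assumed one-way function, the keygen tokens and Kbm follow the formulas given in the description, the binding authorization data is taken to be an HMAC-SHA1 over HoA, CoA and a sequence number (an assumed layout), and the HoTI/HoT and CoTI/CoT exchanges are modelled as direct token retrieval. The demo registers one node and then shows the CN rejecting the mixed-token binding described in the background section, because its CoA was not derived from the claimed HoA.

```python
"""Added example, not part of the patent: CoA derived from the HoA by a one-way function,
the RRP keygen tokens and Kbm as given in the background section, binding authorization
data as an HMAC, and the CN-side care-of address matching check run before the HMAC check."""
import hashlib
import hmac
import ipaddress
import os


def first(n_bits, data):
    """First(n, x): the leftmost n bits of x (n is a multiple of 8 here)."""
    return data[: n_bits // 8]


def _packed(addr):
    return ipaddress.IPv6Address(addr).packed


def interface_id_from_hoa(hoa):
    """Interface identifier = First(64, SHA1(HoA)); SHA-1 is the assumed one-way function."""
    return first(64, hashlib.sha1(_packed(hoa)).digest())


def generate_coa(hoa, foreign_prefix):
    """Care-of address generation module: /64 prefix of the visited network + interface ID."""
    prefix = ipaddress.IPv6Network(foreign_prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix + interface_id_from_hoa(hoa)))


def verify_coa(hoa, coa):
    """Care-of address matching module: regenerate the CoA from the HoA and the claimed
    CoA's own prefix, then compare in constant time."""
    claimed = _packed(coa)
    return hmac.compare_digest(claimed[:8] + interface_id_from_hoa(hoa), claimed)


def compute_kbm(home_token, careof_token):
    """Kbm = SHA1(Home Keygen Token | Care-of Keygen Token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def binding_auth_data(kbm, bu):
    """First(96, HMAC-SHA1(Kbm, HoA | CoA | sequence number)); the input layout is assumed."""
    msg = _packed(bu["hoa"]) + _packed(bu["coa"]) + bu["seq"].to_bytes(2, "big")
    return first(96, hmac.new(kbm, msg, hashlib.sha1).digest())


class CorrespondentNode:
    def __init__(self):
        self.kcn = os.urandom(20)   # "Ken" in the patent: a secret only the CN knows
        self.nonce = os.urandom(8)  # "Nonce": random value chosen by the CN
        self.binding_cache = {}

    def home_keygen_token(self, hoa):
        """Home Keygen Token = First(64, HMAC-SHA1(Ken, HoA | Nonce | 0)), carried in HoT."""
        return first(64, hmac.new(self.kcn, _packed(hoa) + self.nonce + b"\x00", hashlib.sha1).digest())

    def careof_keygen_token(self, coa):
        """Care-of Keygen Token = First(64, HMAC-SHA1(Ken, CoA | Nonce | 1)), carried in CoT."""
        return first(64, hmac.new(self.kcn, _packed(coa) + self.nonce + b"\x01", hashlib.sha1).digest())

    def process_bu(self, bu):
        # Step 1: care-of address matching module, before the authorization data is checked.
        if not verify_coa(bu["hoa"], bu["coa"]):
            return "reject: CoA not derived from HoA"
        # Step 2: recompute Kbm from the two tokens and check the binding authorization data.
        kbm = compute_kbm(self.home_keygen_token(bu["hoa"]), self.careof_keygen_token(bu["coa"]))
        if not hmac.compare_digest(binding_auth_data(kbm, bu), bu["auth"]):
            return "reject: binding authorization data mismatch"
        self.binding_cache[bu["hoa"]] = bu["coa"]
        return "accept"


class MobileNode:
    def __init__(self, hoa):
        self.hoa, self.seq = hoa, 0

    def register(self, cn, foreign_prefix):
        coa = generate_coa(self.hoa, foreign_prefix)
        # HoTI/HoT and CoTI/CoT exchanges, modelled here as direct token retrieval.
        kbm = compute_kbm(cn.home_keygen_token(self.hoa), cn.careof_keygen_token(coa))
        self.seq += 1
        bu = {"hoa": self.hoa, "coa": coa, "seq": self.seq}
        bu["auth"] = binding_auth_data(kbm, bu)
        return bu


def demo():
    cn = CorrespondentNode()
    mn_a, mn_b = MobileNode("2001:db8:1::a"), MobileNode("2001:db8:1::b")  # constructed HoAs
    bu_a = mn_a.register(cn, "2001:db8:2::/64")
    legit = cn.process_bu(bu_a)
    # Background-section scenario: a BU built from the token in the CoT sent to MN_a and the
    # token in the HoT sent to MN_b carries a valid MAC, but CoA_a is not derived from HoA_b,
    # so the matching module rejects it before the MAC is even consulted.
    kbm_mix = compute_kbm(cn.home_keygen_token(mn_b.hoa), cn.careof_keygen_token(bu_a["coa"]))
    mixed = {"hoa": mn_b.hoa, "coa": bu_a["coa"], "seq": 1}
    mixed["auth"] = binding_auth_data(kbm_mix, mixed)
    return legit, cn.process_bu(mixed), dict(cn.binding_cache)


if __name__ == "__main__":
    print(demo())
```

Running the file prints the two verdicts and the CN's binding cache. The CoA check is constant-time and runs before the HMAC check, so a binding whose address was not derived from the claimed HoA is refused without the keygen tokens being consulted at all.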
  • An embodiment of the present invention provides a method for improving route optimization security, which specifically includes the following steps. Step 501: the MN generates an interface identifier by a one-way function operation with the HoA as input, where the HoA is generated in the CGA (cryptographically generated address) manner.
  • The MN may also use the combination of the network prefix (Subnet Prefix) of the external network it accesses, the public key of the MN and the HoA as the input to the one-way function operation that generates the interface identifier.
  • Step 502: the MN combines the interface identifier with the prefix of the external network it accesses to generate a CoA.
  • Duplicate address detection may be performed on the generated CoA, that is, checking whether the generated CoA is the same as an IP address already in use in the network. If an address conflict occurs, the interface identifier is regenerated according to the following formula and an available CoA is then regenerated:
  • Interface ID Abs (64, n, OID).
  • Step 503: the MN and the CN both use the HoA of the MN and the generated CoA to perform a return routability procedure.
  • When the MN registers with the CN for the first time, the CN generates the home keygen token and the care-of keygen token in the return routability procedure and transmits them to the MN in the HoT and the CoT respectively.
  • When the MN is not registering with the peer CN for the first time, only the CoTI and the CoT need be executed in the return routability procedure, and the CN generates only the care-of keygen token and transmits it to the MN in the CoT.
  • When the MN deregisters its binding with the CN, only the HoTI and the HoT need be executed in the return routability procedure, and the CN generates only the home keygen token and transmits it to the MN in the HoT.
  • Step 504: after the return routability procedure, the MN signs the BU message with its private key and uses the signature as the binding authorization data in the BU message, then sends the BU message to the CN; the BU message carries the CGA parameter information, which includes the MN's public key.
  • Step 505: after receiving the BU message sent by the MN, the CN extracts the public key of the MN from the CGA parameter information in the BU message and uses the public key to verify the binding authorization data in the BU message. If the verification succeeds, a binding entry is generated and the CN and the MN are allowed to communicate in route optimization mode; if the verification fails, the CN sends an error code to the MN, and the CN and the MN are not allowed to communicate in route optimization mode.
  • The MN may further set a minimum time interval for performing RRP and sending a BU message; correspondingly, the CN may limit the maximum number of BU messages accepted per unit time according to its requirements, and so on.
  • The CN may further generate a random number Ks, encrypt Ks with the public key of the MN, and send the encrypted Ks to the MN in the BA message. The CN may also generate Kbm by the following method, combining Ks with the care-of keygen token in a one-way function operation, and use this Kbm to generate binding authorization data as the basis for verifying the BA message:
  • Kbm = PRF(Ks, Care-of Keygen Token);
  • After receiving the BA message, the MN extracts the encrypted random number Ks from the BA message, decrypts it with the MN's private key to obtain Ks, and generates a new Kbm by the same method the CN used to generate the above Kbm.
  • The MN can use the newly generated Kbm to generate new binding authorization data, which serves as the basis for verifying the BU message in subsequent peer registrations, and can also use the new binding authorization data to verify the BA message: if the binding authorization data in the BA message is consistent, the verification passes and the CN and the MN are allowed to communicate in route optimization mode; otherwise, the CN and the MN are not allowed to communicate in route optimization mode.
  • The MN may further carry identifier information in the BU message indicating that the CoA of the MN was generated by a one-way function operation; correspondingly, before the CN verifies the binding authorization data in the BU message, a step of verifying the CoA in the BU message is added, as follows:
  • The CN, according to the identifier information in the received BU message, initiates verification of the CoA in the BU message: it extracts the HoA from the BU message, generates a temporary CoA from that HoA by the same method as steps 501 to 502, and then checks whether the generated temporary CoA is consistent with the CoA in the BU message. If they are consistent, the CoA verification passes and the binding authorization data in the BU message can then be verified. If they are not consistent, the CoA verification fails, which indicates that the current BU message is incorrect and may be a forged BU message; the CN sends an error code to the MN, and the CN and the MN are not allowed to communicate in route optimization mode.
  • The MN may also carry in the BU message the parameters involved in generating the interface identifier in step 502.
  • The MN may carry in the BU message the parameters used by the CGA method to generate the HoA, for example the public key information of the MN, the collision count and the modifier (that is, the random number), and the like;
  • After receiving the BU message, the CN extracts the above parameters and calculates a temporary HoA by the same CGA method as in step 501, then compares the temporary HoA with the HoA in the BU message. If they are consistent, the HoA verification passes and the CN can continue to verify the CoA and the binding authorization data in the BU message; otherwise, the HoA verification fails, indicating that the BU message is incorrect, the CN sends an error code to the MN, and the MN and the CN are not allowed to communicate in route optimization mode.
  • The above method generates a care-of address CoA based on the home address HoA of the mobile node MN, uses the CoA to perform the return routability procedure RRP, and then signs the BU message with the MN's private key, the signature serving as the binding authorization data used to verify the BU message. After the verification passes, the MN and the CN can communicate in route optimization mode, which limits attacks caused by misuse of the mobility mechanism and improves the security of communication in the Mobile IPv6 route optimization mode. Adding the steps of verifying the HoA and the CoA in the BU message and verifying the BA message further improves the security of communication in route optimization mode.
  • Because the HoA is generated based on CGA, the HoTI/HoT messages need not be generated in subsequent peer registrations, which reduces route optimization signaling overhead, reduces the dependence of route optimization on the HA, improves the robustness of the system, and reduces the delay and complexity of updating the mobile node's binding at the communication node during link handover.
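As an added example for steps 501 to 505 and the HoA/CoA verification just described (editor-supplied, not code from the patent or from Huawei), the Python below covers the two hash-based parts of that procedure: the CN rebuilding a CGA-style HoA from the modifier, subnet prefix, collision count and public key carried in the BU, and the new Kbm = PRF(Ks, Care-of Keygen Token) that lets a later registration run only CoTI/CoT. Assumptions: RFC 3972 Hash1 with Sec = 0 for the CGA, HMAC-SHA1 as the PRF and for the binding authorization data, the public key as opaque bytes, and Ks treated as already delivered to the MN under its public key; the BU signature, the encryption of Ks and the CoA-from-HoA check are outside this block.

```python
"""Added example, not part of the patent: home address verification for a CGA-style HoA
and the Ks-based Kbm used for binding acknowledgements and later registrations."""
import hashlib
import hmac
import ipaddress
import os


def cga_interface_id(modifier, subnet_prefix, collision_count, public_key):
    """First(64, SHA1(modifier | subnet prefix | collision count | public key)), with the
    top three bits (Sec = 0) and the u/g bits cleared as RFC 3972 does. Simplified: the
    key is used as raw bytes rather than DER-encoded."""
    digest = hashlib.sha1(modifier + subnet_prefix + bytes([collision_count]) + public_key).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0x1C
    return bytes(iid)


def cga_home_address(home_prefix, modifier, collision_count, public_key):
    """HoA = home /64 prefix + CGA interface identifier."""
    prefix = ipaddress.IPv6Network(home_prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix + cga_interface_id(modifier, prefix, collision_count, public_key)))


def verify_hoa(hoa, modifier, collision_count, public_key):
    """Home address verification module: recompute the interface identifier from the CGA
    parameters carried in the BU and compare it with the claimed HoA in constant time."""
    packed = ipaddress.IPv6Address(hoa).packed
    return hmac.compare_digest(cga_interface_id(modifier, packed[:8], collision_count, public_key), packed[8:])


def careof_keygen_token(kcn, nonce, coa):
    """Care-of Keygen Token = First(64, HMAC-SHA1(Ken, CoA | Nonce | 1))."""
    return hmac.new(kcn, ipaddress.IPv6Address(coa).packed + nonce + b"\x01", hashlib.sha1).digest()[:8]


def kbm_from_ks(ks, careof_token):
    """Kbm = PRF(Ks, Care-of Keygen Token); HMAC-SHA1 is the assumed PRF."""
    return hmac.new(ks, careof_token, hashlib.sha1).digest()


def auth_data(kbm, *fields):
    """Binding authorization data: First(96, HMAC-SHA1(Kbm, fields)); the layout is assumed."""
    return hmac.new(kbm, "|".join(fields).encode(), hashlib.sha1).digest()[:12]


def demo():
    public_key = b"constructed-opaque-public-key-of-the-MN"  # stand-in for a real key
    modifier = bytes(range(16))                              # constructed 16-byte modifier
    hoa = cga_home_address("2001:db8:1::/64", modifier, 0, public_key)

    # The CN checks the HoA against the parameters in the BU. A BU that presents the same
    # HoA with a different public key fails here, so the key that must verify the BU
    # signature in step 505 is bound to the HoA it claims.
    hoa_ok = verify_hoa(hoa, modifier, 0, public_key)
    hoa_wrong_key = verify_hoa(hoa, modifier, 0, b"constructed-other-key")

    kcn, nonce = os.urandom(20), os.urandom(8)  # CN secret "Ken" and nonce
    ks = os.urandom(16)                         # CN's random number, sent encrypted in the BA
    coa1 = "2001:db8:2::1"                      # constructed CoA of the first registration

    # CN protects the BA with Kbm' = PRF(Ks, token); the MN derives the same Kbm' and checks.
    token1 = careof_keygen_token(kcn, nonce, coa1)
    ba_auth = auth_data(kbm_from_ks(ks, token1), hoa, coa1, "BA")
    ba_ok = hmac.compare_digest(auth_data(kbm_from_ks(ks, token1), hoa, coa1, "BA"), ba_auth)

    # Later handover to a new prefix: only CoTI/CoT run, no HoTI/HoT; Kbm' still matches.
    coa2 = "2001:db8:3::1"
    mn_kbm = kbm_from_ks(ks, careof_keygen_token(kcn, nonce, coa2))  # token learned from the CoT
    bu_auth = auth_data(mn_kbm, hoa, coa2, "BU")
    cn_kbm = kbm_from_ks(ks, careof_keygen_token(kcn, nonce, coa2))  # CN recomputes from Ken/Nonce
    bu_ok = hmac.compare_digest(auth_data(cn_kbm, hoa, coa2, "BU"), bu_auth)
    return {"hoa": hoa, "hoa_ok": hoa_ok, "hoa_wrong_key": hoa_wrong_key, "ba_ok": ba_ok, "bu_ok": bu_ok}


if __name__ == "__main__":
    print(demo())
```

The order of checks mirrors the text: the HoA parameters are verified first, then (outside this block) the CoA and the signature. Because Ks is delivered only to the holder of the private key matching the verified CGA public key, the Kbm derived from it inherits that binding, which is why the home keygen token is no longer needed for later registrations.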
  • An embodiment of the present invention further provides a system for improving route optimization security, specifically including a mobile node 601 and a communication node 602.
  • The mobile node 601 includes:
  • a care-of address generation module 6011, configured to generate an interface identifier by a one-way function operation with the home address of the mobile node 601 as input, and to combine the interface identifier with the prefix of the external network accessed by the mobile node 601 to generate a care-of address, where the home address is generated by a cryptographic method;
  • a return routability execution module 6012, configured to perform a return routability procedure together with the communication node 602 using the home address and the care-of address generated by the care-of address generation module 6011;
  • an authorization data generation module 6013, configured to sign the binding update message with the private key of the mobile node 601, the signature serving as the binding authorization data of the binding update message;
  • a sending module 6014, configured to send to the communication node 602 a binding update message containing the home address, the care-of address generated by the care-of address generation module 6011, and the binding authorization data generated by the authorization data generation module 6013, where the binding update message carries the public key of the mobile node 601.
  • The communication node 602 includes:
  • a return routability execution module 6021, configured to perform a return routability procedure together with the mobile node 601 using the home address and the care-of address generated by the care-of address generation module 6011;
  • a receiving module 6022, configured to receive the binding update message sent by the sending module 6014;
  • a verification module 6023, configured to extract the public key of the mobile node 601 from the binding update message received by the receiving module 6022, and to verify the binding authorization data in the binding update message using that public key;
  • a control module 6024, configured to allow the mobile node 601 to communicate with the communication node 602 in route optimization mode when the verification module 6023 passes the verification.
  • The communication node 602 may also include:
  • a care-of address verification module, configured to, before the verification module 6023 performs its verification, extract the home address of the mobile node 601 from the binding update message received by the receiving module 6022, generate a temporary care-of address from that home address by the same method the care-of address generation module 6011 uses, and check whether the temporary care-of address is consistent with the care-of address in the binding update message; if they are consistent, the verification module 6023 is triggered.
  • The sending module 6014 is further configured to carry in the binding update message the parameters used when generating the home address by the foregoing cryptographic method, for example the public key information, the collision count and the modifier (that is, the random number) of the mobile node 601, and so on; correspondingly, the communication node 602 may further include:
  • a home address verification module, configured to, before the verification module 6023 performs its verification, extract the above parameters from the binding update message received by the receiving module 6022, generate a temporary home address from the extracted parameters, and check whether the temporary home address is consistent with the home address in the binding update message; if they are consistent, the verification module 6023 is triggered.
  • The control module 6024 may specifically include:
  • a new authorization data generation unit, configured to generate a random number when the verification module 6023 passes the verification and encrypt it with the public key of the mobile node 601; to combine the random number with the care-of keygen token generated by the communication node 602 during the return routability procedure and apply a one-way function to generate a new binding management key; and to generate new binding authorization data with the new binding management key;
  • a binding confirmation message sending unit, configured to send a binding confirmation message to the mobile node 601, where the binding confirmation message carries the random number encrypted by the new authorization data generation unit and the new binding authorization data it generated.
  • The mobile node 601 further includes:
  • a binding confirmation message receiving module, configured to receive the binding confirmation message sent by the binding confirmation message sending unit;
  • a binding confirmation message verification module, configured to, after the binding confirmation message receiving module receives the binding confirmation message, extract the encrypted random number and decrypt it with the private key of the mobile node to obtain the random number; generate a temporary binding management key from the random number by the same method the new authorization data generation unit uses to generate the new binding management key; generate temporary binding authorization data from the temporary binding management key by the same method the new authorization data generation unit uses to generate the new binding authorization data; and then compare whether the temporary binding authorization data is consistent with the new binding authorization data in the binding confirmation message;
  • a control module, configured to allow the mobile node 601 to communicate with the communication node 602 in route optimization mode when the comparison result of the binding confirmation message verification module is consistent.
  • In this system the care-of address CoA is generated by the care-of address generation module 6011 on the basis of the home address HoA of the mobile node 601 (MN), the return routability execution module 6012 uses the CoA to perform the return routability procedure RRP, and the authorization data generation module 6013 signs the BU message with the MN's private key to generate the binding authorization data, which is used to verify the BU message. After the verification passes, the MN and the CN can communicate in route optimization mode, which limits attacks caused by misuse of the mobility mechanism and improves the security of communication in the Mobile IPv6 route optimization mode.
  • The care-of address verification module may further verify the CoA in the BU message, the home address verification module verifies the HoA in the BU message, and the binding confirmation message verification module verifies the BA message, which further improves the security of communication in route optimization mode.
  • Because the HoA is generated based on CGA, the HoTI/HoT messages need not be generated in subsequent peer registrations, which reduces route optimization signaling overhead, reduces the dependence of route optimization on the HA, and improves the robustness of the system.
  • The technical solution in the embodiments of the present invention can be implemented in software, and the corresponding program can be stored in a readable storage medium such as a computer's hard disk or a non-volatile memory such as flash memory.


Abstract

A method and apparatus for generating a care-of address and a method and system for improving route optimization security are provided; the present invention belongs to the field of mobile communications. The method for generating the care-of address includes: generating an interface identifier with a one-way function using the HoA as input; and generating the CoA by combining the interface identifier with the prefix of the external network visited by the MN. The method for improving route optimization security includes: generating the CoA by the above method; the MN and the CN performing RRP; the MN signing the BU message with its private key to obtain the binding authorization data; the MN transmitting the BU message, including the HoA, the CoA and the binding authorization data, to the CN; and the CN validating it using the public key, after which, if validation passes, the MN and the CN communicate in route optimization mode. The apparatus includes an identifier generation module and a care-of address generation module. The system includes the MN and the CN. The CoA generated by the present invention limits attacks that misuse the mobility mechanism, and communication security in the Mobile IPv6 route optimization mode is improved.

Description

Method and apparatus for generating a care-of address, and method and system for improving route optimization security
Technical Field
The present invention relates to the field of mobile communications, and in particular to a method and apparatus for generating a care-of address and a method and system for improving route optimization security.
Background Art
With the rapid development of computer network technology and mobile communication technology, there is a demand for networks to provide mobility, and Mobile IPv6 is a scheme that solves mobility at the network layer. Mobile IPv6 has three basic network entities: the MN (Mobile Node), the CN (Correspondent Node, also called the communication node or communication peer) and the HA (Home Agent). A mobile node is uniquely identified by its HoA (Home Address), a globally routable unicast address assigned to the mobile node. The Mobile IPv6 specification requires that when a mobile node moves from one link to another, ongoing communication using the home address is not interrupted, and that the node's mobility is transparent to the transport layer and other higher-layer protocols.
When a mobile node roams to a foreign network, it generates a CoA (Care-of Address) in some manner and notifies the home agent through a BU (Binding Update) message. The home agent intercepts packets sent to the mobile node's home network for communication with the mobile node and forwards them to the mobile node through a tunnel; when the mobile node sends a packet to a communication node, the packet is tunnel-encapsulated and sent to the home agent, which decapsulates it and forwards it to the communication node. After receiving it, the communication node returns a BA (Binding Acknowledgement) message to confirm the BU message. This way of communicating, in which the mobile node and the communication node relay through the home agent, is called triangular routing. Triangular routing increases communication delay, adds large header overhead to packets exchanged with the mobile node, increases the load on the mobile node's home link, and may yield routes that are not well optimized. Another way for the mobile node and the communication node to communicate is route optimization mode, in which the mobile node tells the communication node its current location (that is, its CoA) through a BU, and the two then communicate directly without relaying through the home agent. In route optimization mode, if the BU message is not protected, the communication between the mobile node and the communication node is easily attacked. For example, an attacker can replace the CoA in the BU message with a forged CoA, so that the mobile node cannot receive the packets sent by the communication node; an attacker can also replay a BU message previously sent by the mobile node, after which the communication node sends packets to the old address in that BU rather than to the node's current location; and if the CoA is not checked, a malicious node can forge a BU message that gives a victim node's address as the CoA, causing the communication node to send large amounts of data to the victim node.
In the prior art, when a Mobile IPv6 node generates a care-of address, the interface identifier may be an arbitrarily chosen value, or may be generated from the MAC address of the mobile node. In the course of implementing the present invention, the inventor found that the prior art for generating a care-of address has at least the following problems: when the interface identifier is chosen arbitrarily, the communication node has no information with which to verify the care-of address; when the interface identifier and the care-of address are generated from the MAC address, and the communication node and the mobile node are not on the same subnet, the headers of packets sent by the mobile node to the communication node do not carry the mobile node's MAC address either, so the communication node again cannot verify the care-of address. Because the care-of address cannot be verified, communication between the mobile node and the communication node is insecure; for instance, the communication node may send data to a wrong care-of address.
To improve the security of route optimization, there is an existing technique that generates Kbm (Binding Management Key) by means of the RRP (Return Routability Procedure) and uses Kbm to protect the BU and BA messages between the MN and the CN. When the MN communicates with the CN in route optimization mode, it first performs the return routability procedure and then generates Kbm; when it performs peer registration, it uses Kbm to generate binding authorization data that protects the integrity of the BU and the BA. Referring to Figure 1, the return routability procedure is as follows:
The MN sends a HoTI (Home Test Init) message to the CN. The inner source IP address of this message is the HoA (it is forwarded to the CN by the home agent through the tunnel), and it requests a home keygen token (Home Keygen Token); it may also carry a cookie (a random number generated by the MN). After receiving the HoTI message, the CN computes the home keygen token as follows:
Home Keygen Token = First (64, HMAC-SHA1 (Ken, HoA | Nonce | 0));
where Ken is a secret known only to the CN and Nonce is a random number generated by the CN. After generating the home keygen token, the CN places it in a HoT (Home Test) message (the response to the HoTI message) and sends it to the MN, also copying the cookie received in the HoTI message into the HoT message.
In addition, the MN sends a CoTI (Care-of Test Init) message to the CN, which carries the MN's CoA to the CN and requests a care-of keygen token (Care-of Keygen Token); it may also carry a cookie. After receiving the CoTI message, the CN computes the care-of keygen token as follows:
Care-of Keygen Token = First (64, HMAC-SHA1 (Ken, CoA | Nonce | 1));
where Ken and Nonce have the same values as above. After generating the care-of keygen token, the CN places it in a CoT (Care-of Test) message (the response to the CoTI message) and sends it to the MN, also copying the received cookie into the CoT message.
After receiving the HoT and CoT messages returned by the CN, the MN checks the cookie in each; once the checks pass, it takes the home keygen token from the HoT and the care-of keygen token from the CoT and computes Kbm as follows:
Kbm = SHA1 (Home Keygen Token | Care-of Keygen Token).
When the MN initiates peer registration with the CN, it uses this Kbm to generate a MAC (Message Authentication Code), which is placed in the BU message as the binding authorization data. After receiving the BU message, the CN generates Kbm by the same method and then generates a MAC with which it checks the MAC in the BU message, thereby determining whether the received BU message is correct.
When the MN deregisters its binding with the CN, only the HoTI and the HoT need be executed in the return routability procedure; the CN then generates only the home keygen token, and the MN and the CN compute Kbm as follows:
Kbm = SHA1 (Home Keygen Token);
The generated Kbm is then used to generate the MAC in the BU message, which serves as the verification of the BU message.
In the course of implementing the present invention, the inventor found that the above prior art has at least the following problem:
After the return routability procedure has ended but before the MN has sent a BU message binding the HoA to the CoA, an attacker who illicitly obtains the HoT and CoT messages can compute Kbm by the same method and thereby forge a BU message, causing the CN to send data to a wrong address. For example, the attacker eavesdrops on the CoT message the CN sends to MNa and extracts the care-of keygen token, eavesdrops on the HoT message the CN sends to MNb and extracts the home keygen token, then computes Kbm and sends the CN a BU message binding CoAa to HoAb. This BU passes the CN's verification and is accepted, so the traffic that the CN sends to MNb by route optimization is redirected to MNa, reducing the security of data transmission.
Summary of the Invention
To improve the security of generating a care-of address, embodiments of the present invention provide a method and an apparatus for generating a care-of address. The technical solution is as follows:
A method for generating a care-of address, the method comprising:
generating an interface identifier by a one-way function operation with the home address of a mobile node as input;
combining the interface identifier with the prefix of the foreign network visited by the mobile node to generate a care-of address.
An apparatus for generating a care-of address, the apparatus comprising:
an interface identifier generating module, configured to generate an interface identifier by a one-way function operation with the home address of a mobile node as input; and a care-of address generating module, configured to combine the interface identifier generated by the interface identifier generating module with the prefix of the foreign network visited by the mobile node to generate a care-of address.
The above technical solution has the following beneficial effects:
By taking the home address HoA of the mobile node MN as input and generating the interface identifier and the care-of address CoA by a one-way function operation, the CN is able to obtain verification information for the care-of address, which limits attacks caused by misuse of the mobility mechanism and improves the security of the Mobile IPv6 CoA.
To improve the security of route-optimized communication, embodiments of the present invention provide a method and a system for improving route optimization security. The technical solution is as follows:
In one aspect, an embodiment of the present invention provides a method for improving route optimization security, the method comprising: a mobile node generating an interface identifier by a one-way function operation with its home address as input;
the mobile node combining the interface identifier with the prefix of the foreign network it visits to generate a care-of address;
the mobile node and a correspondent node performing a return routability procedure using the home address and the care-of address, and then each generating the same binding management key;
the mobile node and the correspondent node each generating binding authorization data with the binding management key it generated; the mobile node sending the correspondent node a binding update message containing the home address, the care-of address and the binding authorization data it generated;
after receiving the binding update message, the correspondent node verifying the binding authorization data in the binding update message and, if it matches the binding authorization data the correspondent node generated, allowing the mobile node and the correspondent node to communicate in route optimization mode.
In another aspect, an embodiment of the present invention further provides a method for improving route optimization security, the method comprising: a mobile node generating an interface identifier by a one-way function operation with its home address as input, the home address being generated by a cryptographic method;
the mobile node combining the interface identifier with the prefix of the foreign network it visits to generate a care-of address;
the mobile node and a correspondent node performing a return routability procedure using the home address and the care-of address; the mobile node signing a binding update message with its own private key as the binding authorization data of the binding update message; the mobile node sending the correspondent node the binding update message containing the home address, the care-of address and the binding authorization data, and carrying the mobile node's public key in the binding update message;
after receiving the binding update message, the correspondent node extracting the mobile node's public key, verifying the binding authorization data in the binding update message with the mobile node's public key and, if the verification succeeds, allowing the mobile node and the correspondent node to communicate in route optimization mode.
In one aspect, an embodiment of the present invention provides a system for improving route optimization security, the system comprising a mobile node and a correspondent node, the mobile node comprising:
a care-of address generating module, configured to generate an interface identifier by a one-way function operation with the home address of the mobile node as input, and to combine the interface identifier with the prefix of the foreign network visited by the mobile node to generate a care-of address;
a key generating module, configured to perform a return routability procedure together with the correspondent node using the home address and the care-of address generated by the care-of address generating module, and then generate a binding management key; an authorization data generating module, configured to generate binding authorization data with the binding management key generated by the key generating module; and a sending module, configured to send the correspondent node a binding update message containing the home address, the care-of address generated by the care-of address generating module and the binding authorization data generated by the authorization data generating module;
the correspondent node comprising:
a key generating module, configured to perform a return routability procedure together with the mobile node using the home address and the care-of address generated by the care-of address generating module, and then generate a binding management key identical to the one generated by the mobile node's key generating module;
an authorization data generating module, configured to generate binding authorization data with the binding management key generated by the correspondent node's key generating module;
a receiving module, configured to receive the binding update message sent by the sending module;
a comparison module, configured to compare the binding authorization data in the binding update message received by the receiving module with the binding authorization data generated by the correspondent node's authorization data generating module; and
a control module, configured to allow the mobile node and the correspondent node to communicate in route optimization mode when the comparison performed by the comparison module yields a match.
In another aspect, an embodiment of the present invention further provides a system for improving route optimization security, the system comprising a mobile node and a correspondent node, the mobile node comprising:
a care-of address generating module, configured to generate an interface identifier by a one-way function operation with the home address of the mobile node as input, and to combine the interface identifier with the prefix of the foreign network visited by the mobile node to generate a care-of address, the home address being generated by a cryptographic method;
a return routability execution module, configured to perform a return routability procedure together with the correspondent node using the home address and the care-of address generated by the care-of address generating module;
an authorization data generating module, configured to sign a binding update message with the mobile node's private key as the binding authorization data of the binding update message;
a sending module, configured to send the correspondent node the binding update message containing the home address, the care-of address generated by the care-of address generating module and the binding authorization data generated by the authorization data generating module, and to carry the mobile node's public key in the binding update message;
the correspondent node comprising:
a return routability execution module, configured to perform a return routability procedure together with the mobile node using the home address and the care-of address generated by the care-of address generating module;
a receiving module, configured to receive the binding update message sent by the sending module;
a verification module, configured to extract the mobile node's public key from the binding update message received by the receiving module and to verify the binding authorization data in the binding update message with the mobile node's public key; and
a control module, configured to allow the mobile node and the correspondent node to communicate in route optimization mode when the verification module's verification succeeds.
The above technical solution has the following beneficial effects:
A care-of address CoA is generated on the basis of the home address HoA of the mobile node MN, and the return routability procedure RRP is performed with that CoA; the binding management key Kbm is then computed and used to generate binding authorization data with which the BU message is verified. When the HoA is generated as a CGA (Cryptographically Generated Address), the BU message is verified by signing it with the MN's private key as the binding authorization data. Once verification succeeds, the MN and the CN may communicate in route optimization mode. This limits attacks caused by misuse of the mobility mechanism and improves the security of communication in Mobile IPv6 route optimization mode.

Brief Description of the Drawings
FIG. 1 is a schematic diagram of the return routability procedure in the prior art;
FIG. 2 is a flowchart of the method for generating a care-of address provided by Embodiment 1 of the present invention;
FIG. 3 is a structural diagram of the apparatus for generating a care-of address provided by Embodiment 2 of the present invention;
FIG. 4 is a flowchart of the method for improving route optimization security provided by Embodiment 3 of the present invention;
FIG. 5 is a structural diagram of the system for improving route optimization security provided by Embodiment 4 of the present invention;
FIG. 6 is a flowchart of another method for improving route optimization security provided by Embodiment 5 of the present invention;
FIG. 7 is a structural diagram of another system for improving route optimization security provided by Embodiment 6 of the present invention.

Detailed Description of the Embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
In the embodiments of the present invention, a care-of address CoA is generated on the basis of the home address HoA of the mobile node MN, the return routability procedure RRP is performed with that CoA, and the binding management key Kbm is then computed and used to generate binding authorization data with which the BU message is verified. When the HoA is generated as a CGA, the BU message is verified by signing it with the MN's private key as the binding authorization data. Once verification succeeds, the MN and the CN may communicate in route optimization mode.
Embodiment 1
Referring to FIG. 2, an embodiment of the present invention provides a method for generating a care-of address, which specifically comprises:
Step 101: Generate an identifier OID by a one-way function operation with the HoA of the MN as input. The formula for the operation using a one-way function PRF (Pseudo Random Function) is as follows:
OID = PRF (Expression);
where Expression may be the HoA of the MN, or the combination of the network prefix (Subnet Prefix) of the foreign network visited by the MN with the HoA; PRF is a one-way cryptographic function and may be MD5, SHA-1, SHA256, AES-XCBC-PRF or another one-way function. The above formula can therefore take many forms, for example:
OID = SHA-1 (HoA);
or OID = MD5 (HoA | Subnet Prefix), and so on.
Step 102: After generating the OID, the MN processes it to obtain an interface identifier (Interface ID) 64 bits long. If the OID is longer than 64 bits, it can be processed in several ways. For example, it can be processed by the following formula and the result used as the interface identifier of the CoA:
Interface ID = Abs (64, n, OID);
that is, the 64 bits of the OID starting at bit n are taken as the interface identifier Interface ID. When the CoA is generated for the first time, n = 0 may be chosen; when an address conflict occurs, the interface identifier and the corresponding CoA can be regenerated by changing the value of n. Here n is a preset starting bit.
It can also be processed as follows: the OID is divided into 64-bit blocks; if the last block produced by the division is shorter than 64 bits, it is padded to 64 bits with content of the corresponding length taken arbitrarily from the other blocks. Assuming the OID is divided into N blocks, Block1, Block2, ..., BlockN, the interface identifier can be computed by the following formula:
Interface ID = Block1 ⊕ Block2 ⊕ ... ⊕ BlockN;
where the operator ⊕ may be a bitwise logical operator such as AND, OR or XOR. Step 103: After generating the interface identifier of the CoA, the MN combines the prefix Subnet Prefix of the foreign network it visits with the interface identifier to generate the CoA of the MN.
For example, if the prefix Subnet Prefix is 0x31223344 and the interface identifier is 0x55667788, concatenating 0x31223344 and 0x55667788 gives 0x3122334455667788, which is the CoA of the MN.
When the HoA of the MN is generated as a CGA, the above Step 101 may specifically be:
taking the combination of the HoA of the MN and the public key of the MN as input, or the combination of the prefix of the foreign network visited by the MN with the HoA and the public key as input, and generating the interface identifier by a one-way function operation; that is, Expression may also include the public key information of the MN.
Further, a step of performing duplicate address detection on the generated CoA may be added to the above method: determine whether the generated CoA is identical to an IP address already in use in the network; if it is, that is, if an address conflict is detected, regenerate the interface identifier Interface ID by the following step and thereby regenerate a usable CoA: modify the value of the starting bit n by adding an increment to its previous value, i.e. n = n + increment, where increment is a preset increment that may be a fixed value such as 1, 2, 3, 4, 5, 6, 7, 8, 16 or 32, and then compute with the formula: Interface ID = Abs (64, n, OID).
In this embodiment, taking the HoA of the MN as input and generating the interface identifier and the CoA by a one-way function operation lets the CN obtain verification information for the care-of address, which limits attacks caused by misuse of the mobility mechanism and improves the security of the Mobile IPv6 CoA; checking the generated CoA for conflicts avoids address conflicts in the network and improves the security of care-of address generation.

Embodiment 2
Referring to FIG. 3, an embodiment of the present invention provides an apparatus for generating a care-of address, which specifically comprises:
(1) an interface identifier generating module 201, configured to generate an interface identifier by a one-way function operation with the home address of the mobile node as input;
(2) a care-of address generating module 202, configured to combine the interface identifier generated by the interface identifier generating module 201 with the prefix of the foreign network visited by the mobile node to generate a care-of address.
Referring to the figure, the interface identifier generating module 201 may specifically comprise:
1) a combining unit, configured to combine the prefix of the foreign network visited by the mobile node with the home address of the mobile node;
2) a generating unit, configured to take the data obtained by the combining unit as input and generate an interface identifier by a one-way function operation.
When the home address of the mobile node is generated by a cryptographic method, the interface identifier generating module 201 may specifically comprise:
1) a combining unit, configured to combine the home address of the mobile node with the public key of the mobile node, or to combine the prefix of the foreign network visited by the mobile node with the home address and the public key;
2) a generating unit, configured to take the data obtained by the combining unit as input and generate an interface identifier by a one-way function operation.
The above apparatus may further comprise:
a length processing module, configured to determine whether the length of the interface identifier generated by the interface identifier generating module 201 exceeds 64 bits and, if so, set a starting bit, take 64 bits beginning at the starting bit, and send them to the care-of address generating module 202 as the new interface identifier.
Alternatively, the above apparatus may comprise:
a length processing module, configured to determine whether the length of the interface identifier generated by the interface identifier generating module 201 exceeds 64 bits and, if so, divide the interface identifier into 64-bit blocks, pad the last block to 64 bits with content of the corresponding length taken arbitrarily from the other blocks if it is shorter than 64 bits, then perform a bitwise logical operation over the blocks and send the result to the care-of address generating module 202 as the new interface identifier.
To avoid address conflicts, the above apparatus may further comprise:
an address checking module, configured to determine, after the care-of address generating module 202 has generated the care-of address, whether the care-of address is identical to an IP address already in use in the network and, if so, set an increment, add the increment to the starting bit set by the length processing module, take the result as the new starting bit, take 64 bits from it as the interface identifier, and generate a new care-of address.
In this embodiment, the interface identifier generating module 201 takes the HoA of the MN as input and generates the interface identifier by a one-way function operation, and the care-of address generating module 202 generates the CoA from that interface identifier, so the CN can obtain verification information for the care-of address, which limits attacks caused by misuse of the mobility mechanism and improves the security of the Mobile IPv6 CoA; the address checking module's check of the generated CoA avoids address conflicts in the network and improves the security of care-of address generation.

Embodiment 3
Referring to FIG. 4, an embodiment of the present invention provides a method for improving route optimization security, which specifically comprises the following steps: Step 301: The MN generates an interface identifier by a one-way function operation with the HoA as input.
Step 302: The MN combines the interface identifier with the prefix of the foreign network it visits to generate the CoA.
Further, duplicate address detection may be performed on the generated CoA, that is, it is determined whether the generated CoA is identical to an IP address already in use in the network; if it is, that is, if an address conflict is detected, the interface identifier Interface ID is regenerated by the following step and a usable CoA is thereby regenerated:
modify the value of the starting bit n used initially by adding an increment to its previous value, i.e. n = n + increment, where the increment may be a fixed value such as 1, 2, 3, 4, 5, 6, 7, 8, 16 or 32, and then compute with the formula: Interface ID = Abs (64, n, OID).
Step 303: The MN and the CN both perform the return routability procedure using the HoA of the MN and the generated CoA.
When the MN initiates correspondent registration with the CN for the first time, the CN generates a home keygen token and a care-of keygen token during the return routability procedure and delivers them to the MN in the HoT and CoT messages.
When the MN initiates correspondent registration with the CN other than for the first time, only CoTI and CoT may be performed during the return routability procedure, in which case the CN generates only the care-of keygen token and delivers it to the MN in the CoT.
When the MN deregisters its binding with the CN, only HoTI and HoT may be performed during the return routability procedure, in which case the CN generates only the home keygen token and delivers it to the MN in the HoT.
Step 304: The CN generates Kbm from the tokens generated during the return routability procedure, and the MN generates Kbm from the tokens extracted from the received test response messages; the Kbm generated by the MN is identical to the Kbm generated by the CN. Step 305: The MN and the CN each generate binding authorization data with the Kbm they generated.
Step 306: The MN sends the CN a BU message containing the MN's HoA and CoA, and carries the binding authorization data generated by the MN in the BU message.
To avoid consuming excessive computing resources, the MN may further set a minimum time interval between performing the RRP and sending BU messages; correspondingly, the CN may limit, as needed, the maximum number of BU messages it accepts per unit time, and so on.
Step 307: After receiving the BU message, the CN verifies the binding authorization data in the BU message, that is, it compares the binding authorization data it generated with the binding authorization data in the BU message. If they match, the CN and the MN are allowed to communicate in route optimization mode; if they do not match, the BU message received by the CN is incorrect, and the MN and the CN are not allowed to communicate in route optimization mode.
Further, a step of verifying the CoA in the BU message may be added before the CN verifies the binding authorization data in the BU message (Step 307), specifically as follows:
the CN extracts the MN's HoA from the received BU message, generates a temporary CoA from that HoA by the same method as Steps 301 to 302, and then compares the generated temporary CoA with the CoA in the BU message. If they match, verification of the binding authorization data continues; if they do not match, the current BU message is erroneous and may be a forged BU message, and the MN and the CN are not allowed to communicate in route optimization mode.
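The CoA derivation of Embodiment 1 (Steps 101 to 103 with the duplicate address detection retry) together with the CN-side CoA check that precedes Step 307, as an added Python example that is not part of the patent. SHA-256 as the PRF, an increment of 8, the bounded set of offsets n the CN tries (the patent does not say how the CN learns n), the dict used in place of a real BU message, and all sample addresses and keygen tokens are this example's assumptions; Kbm and the binding authorization data follow the RFC 3775 formulas, which the patent refers to but does not spell out.

```python
# Added example, not the patent's own code. Assumptions: PRF = SHA-256,
# increment = 8 for DAD retries, and the CN tries a bounded set of offsets n
# because the patent does not say how n reaches the CN. Kbm and the binding
# authorization data follow RFC 3775 (sections 5.2.5 and 6.2.7).
import hashlib
import hmac
import ipaddress

IID_BITS = 64
IID_MASK = (1 << IID_BITS) - 1


def oid_from_hoa(hoa, subnet_prefix=None, public_key=None, hash_name="sha256"):
    """Step 101: OID = PRF(Expression). Expression is the HoA, optionally
    followed by the visited subnet prefix and (CGA case) the MN's public key."""
    expr = ipaddress.IPv6Address(hoa).packed
    if subnet_prefix is not None:
        expr += ipaddress.IPv6Network(subnet_prefix).network_address.packed
    if public_key is not None:
        expr += public_key
    return hashlib.new(hash_name, expr).digest()


def iid_by_offset(oid, n):
    """Step 102, first variant: Abs(64, n, OID), the 64 bits starting at bit n."""
    total = len(oid) * 8
    if n < 0 or n + IID_BITS > total:
        raise ValueError("offset %d leaves fewer than 64 bits of OID" % n)
    return (int.from_bytes(oid, "big") >> (total - n - IID_BITS)) & IID_MASK


def iid_by_block_xor(oid):
    """Step 102, second variant: split the OID into 64-bit blocks and combine
    them. The patent allows AND, OR or XOR; XOR is used here because AND and OR
    bias the result towards all-zero or all-one bits. A short final block is
    padded with the leading bytes of the first block (this example's choice)."""
    blocks = [oid[i:i + 8] for i in range(0, len(oid), 8)]
    if len(blocks[-1]) < 8:
        blocks[-1] += blocks[0][:8 - len(blocks[-1])]
    result = 0
    for block in blocks:
        result ^= int.from_bytes(block, "big")
    return result


def make_coa(subnet_prefix, iid):
    """Step 103: concatenate the visited /64 prefix with the interface ID."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("a CoA needs a /64 subnet prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def generate_coa(hoa, subnet_prefix, in_use=frozenset(), increment=8, max_tries=8):
    """MN side: derive the CoA and run duplicate address detection. `in_use`
    stands in for the addresses DAD would find on the link (constructed input).
    On a conflict n is advanced by `increment` and the IID regenerated."""
    oid = oid_from_hoa(hoa)
    n = 0
    for _ in range(max_tries):
        coa = make_coa(subnet_prefix, iid_by_offset(oid, n))
        if coa not in in_use:
            return coa, n
        n += increment
    raise RuntimeError("no conflict-free CoA within %d tries" % max_tries)


def kbm_from_tokens(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)  (RFC 3775 5.2.5)."""
    return hashlib.sha1(home_token + careof_token).digest()


def binding_auth_data(kbm, coa, cn_addr, mh_data):
    """First(96, HMAC_SHA1(Kbm, CoA | CN address | MH data))  (RFC 3775 6.2.7)."""
    msg = (ipaddress.IPv6Address(coa).packed
           + ipaddress.IPv6Address(cn_addr).packed + mh_data)
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


def cn_verify_bu(bu, kbm_cn, cn_addr, increment=8, max_tries=8):
    """CN side: the CoA check added before Step 307, then Step 307 itself.
    A BU whose CoA cannot be derived from its HoA is rejected before any
    authorization data is compared, so a CoA that belongs to another node's
    HoA fails even when the authorization data would verify. `bu` is a dict
    with the fields hoa, coa, mh_data and auth_data (constructed stand-in)."""
    claimed = ipaddress.IPv6Address(bu["coa"])
    prefix = ipaddress.IPv6Network((int(claimed) & ~IID_MASK, 64))
    oid = oid_from_hoa(bu["hoa"])
    temporary = {make_coa(prefix, iid_by_offset(oid, k * increment))
                 for k in range(max_tries)}
    if claimed not in temporary:
        return False
    expected = binding_auth_data(kbm_cn, claimed, cn_addr, bu["mh_data"])
    return hmac.compare_digest(expected, bu["auth_data"])


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    hoa, visited, cn = "2001:db8:1::10", "2001:db8:2::/64", "2001:db8:3::1"
    coa, n = generate_coa(hoa, visited)
    kbm = kbm_from_tokens(b"\x11" * 8, b"\x22" * 8)
    bu = {"hoa": hoa, "coa": str(coa), "mh_data": b"BU seq=1",
          "auth_data": binding_auth_data(kbm, coa, cn, b"BU seq=1")}
    print("CoA", coa, "n", n, "BU accepted:", cn_verify_bu(bu, kbm, cn))
```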
本实施例通过在移动节点 MN的家乡地址 HoA的基础上生成转交地址 CoA,使用该 CoA 执行返回路 ώ可达过程 RRP, 然后计算出绑定管理密钥 Kbm, 使用 Kbm生成绑定授权数据, 用来对 BU消息进行验证, 验证通过后, MN与 CN可以进行路由优化模式下的通信, 限制了 因移动机制误用而导致的攻击, 从而提高了移动 IPv6的路由优化模式下通信的安全性。在验 证绑定授权数据之前, 还可以进一步对 BU消息中的 CoA进行验证, 可以进一步提高路由优 化模式下通信的安全性。 实施例 4  In this embodiment, the handover address CoA is generated on the basis of the home address HoA of the mobile node MN, and the return route reachability procedure RRP is performed by using the CoA, and then the binding management key Kbm is calculated, and the binding authorization data is generated by using Kbm. It is used to verify the BU message. After the verification is passed, the MN and the CN can communicate in the route optimization mode, which limits the attack caused by the misuse of the mobile mechanism, thereby improving the security of the communication in the route optimization mode of the mobile IPv6. . Before verifying the binding authorization data, the CoA in the BU message can be further verified, which can further improve the security of the communication in the route optimization mode. Example 4
参见图 5, 本发明实施例还提供了一种提高路由优化安全性的系统, 具体包括移动节点 401和通信节点 402;  Referring to FIG. 5, an embodiment of the present invention further provides a system for improving route optimization security, specifically including a mobile node 401 and a communication node 402.
移动节点 401包括:  The mobile node 401 includes:
( 1 ) 转交地址生成模块 4011, 用于以移动节点 401 的家乡地址为输入通过单向函数运 算生成接口标识; 将接口标识与移动节点 401访问的外部网络的前缀结合生成转交地址; (1) The care-of address generation module 4011 is configured to generate an interface identifier by using a one-way function operation with the home address of the mobile node 401 as an input; and combining the interface identifier with a prefix of the external network accessed by the mobile node 401 to generate a care-of address;
(2) 密钥生成模块 4012, 用于与通信节点 402—起使用家乡地址和转交地址生成模块 401生成的转交地址执行返回路由可达过程, 然后生成绑定管理密钥; (2) a key generation module 4012, configured to perform a return route reachability process with the care-of address generated by the home address and the care-of address generation module 401 together with the communication node 402, and then generate a binding management key;
(3 )授权数据生成模块 4013, 用于用密钥生成模块 4012生成的绑定管理密钥生成绑定 授权数据; (3) an authorization data generating module 4013, configured to generate a binding by using a binding management key generated by the key generation module 4012. Authorization data;
(4) 发送模块 4014, 用于发送包含家乡地址、 转交地址生成模块 4011生成的转交地址 和授权数据生成模块 4013生成的绑定授权数据的绑定更新消息给通信节点 402;  (4) a sending module 4014, configured to send a binding update message including a home address, a care-of address generated by the care-of address generating module 4011, and a binding authorization data generated by the authorization data generating module 4013 to the communication node 402;
The correspondent node 402 comprises:
(1) a key generation module 4021, configured to execute the return routability procedure together with the mobile node 401 using the home address and the care-of address generated by the care-of address generation module 4011, and then to generate a binding management key identical to the binding management key generated by the key generation module 4012 of the mobile node 401;
(2) an authorization data generation module 4022, configured to generate binding authorization data using the binding management key generated by the key generation module 4021 of the correspondent node 402;
(3) a receiving module 4023, configured to receive the binding update message sent by the sending module 4014;
(4) a comparison module 4024, configured to compare the binding authorization data in the binding update message received by the receiving module 4023 with the binding authorization data generated by the authorization data generation module 4022 of the correspondent node 402;
(5) a control module 4025, configured to allow the mobile node 401 and the correspondent node 402 to communicate in route optimization mode when the comparison performed by the comparison module 4024 finds the two consistent.
The correspondent node 402 described above may further comprise:
a care-of address comparison module, configured to, before the comparison module 4024 performs its comparison, extract the home address of the mobile node 401 from the binding update message received by the receiving module 4023, generate a temporary care-of address from that home address by the same method the care-of address generation module 4011 uses to generate a care-of address, and verify whether the temporary care-of address is consistent with the care-of address in the binding update message; if they are consistent, the comparison module 4024 is triggered.
In this embodiment, the care-of address generation module 4011 generates the care-of address CoA on the basis of the home address HoA of the mobile node 401 (the MN), the key generation module 4012 uses that CoA to execute the return routability procedure RRP and then computes the binding management key Kbm, and the authorization data generation module 4013 uses Kbm to generate the binding authorization data with which the BU message is verified. Once verification succeeds, the MN and the CN may communicate in route optimization mode, which limits attacks that result from misuse of the mobility mechanism and thereby improves the security of communication in the route optimization mode of Mobile IPv6. Additionally verifying the CoA in the BU message by means of the care-of address comparison module further improves the security of communication in route optimization mode.

Embodiment 5
Referring to FIG. 6, an embodiment of the present invention provides a method for improving route optimization security, which comprises the following steps:

Step 501: The MN generates an interface identifier by applying a one-way function to the HoA as input, where the HoA is generated in the CGA manner.
In addition, the MN may combine the network prefix (subnet prefix) of the foreign network it is visiting and the MN's public key with the HoA as the input, and generate the interface identifier by applying the one-way function to that combination.
Step 502: The MN combines the interface identifier with the prefix of the foreign network it is visiting to generate the CoA.
Further, duplicate address detection may be performed on the generated CoA, that is, checking whether the generated CoA is identical to an IP address already in use in the network. If it is, an address conflict has been found, and the interface identifier (Interface ID) is regenerated by the following steps, after which a usable CoA is regenerated:
Modify the value of the start bit n used initially by adding an increment to it, i.e. n = n + increment, where the increment may be a fixed value such as 1, 2, 3, 4, 5, 6, 7, 8, 16 or 32, and then compute with the following formula:
Interface ID = Abs (64, n, OID)。 Interface ID = Abs (64, n, OID).
Step 503: Both the MN and the CN execute the return routability procedure using the MN's HoA and the generated CoA.
When the MN initiates correspondent registration with the CN for the first time, during the return routability procedure the CN generates a home keygen token and a care-of keygen token respectively and delivers them to the MN in the HoT and CoT messages.
When the MN initiates correspondent registration with the CN other than for the first time, only the CoTI and CoT may be executed in the return routability procedure, in which case the CN generates only the care-of keygen token and delivers it to the MN in the CoT.
When the MN deregisters its binding with the CN, only the HoTI and HoT may be executed in the return routability procedure, in which case the CN generates only the home keygen token and delivers it to the MN in the HoT.
Step 504: After the return routability procedure finishes, the MN signs the BU message with the MN's private key, uses the signature as the binding authorization data in the BU message, and then sends the BU message to the CN, carrying CGA parameter information, including the MN's public key, in the BU message.
Step 505: After receiving the BU message sent by the MN, the CN extracts the MN's public key from the CGA parameter information in the BU message and uses that public key to verify the binding authorization data in the BU message. If verification succeeds, a binding entry is created and the CN and the MN are allowed to communicate in route optimization mode; if verification fails, the CN sends an error code to the MN, and the CN and the MN are not allowed to communicate in route optimization mode.
To avoid consuming excessive computing resources, the MN may further set a minimum time interval for executing the RRP and sending BU messages; correspondingly, the CN may also, as needed, limit the maximum number of BU messages it accepts per unit time, and so on.
Further, after verification succeeds, the CN may also generate a random number Ks, encrypt Ks with the MN's public key, and send the encrypted Ks to the MN in the BA message; moreover, the CN may generate Kbm by the following method, namely combining Ks with the care-of keygen token and applying a one-way function to obtain Kbm, and use that Kbm to generate binding authorization data that serves as the basis for verifying the BA message:
Kbm = PRF(Ks, Care-of Keygen Token);
After receiving the BA message, the MN extracts the encrypted random number Ks from the BA message, decrypts it with the MN's private key to obtain Ks, and generates a new Kbm by the same method the CN used to generate the Kbm above. The MN may use the newly generated Kbm to generate new binding authorization data, which serves as the basis for verifying BU messages in subsequent correspondent registrations; it may also use the new binding authorization data to verify the BA message. If it is consistent with the binding authorization data in the BA message, verification succeeds and the CN and the MN are allowed to communicate in route optimization mode; otherwise, the CN and the MN are not allowed to communicate in route optimization mode.
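The Ks-based Kbm derivation and the BA/BU verification described above, as an added example that is not the patent's own code: it assumes HMAC-SHA1 as the PRF (the page does not name one), a simple concatenation of message fields as the MAC input, and caller-supplied functions standing in for encrypting Ks under the MN's public key and decrypting it with the MN's private key.

```python
import hashlib
import hmac
import ipaddress
import os


def derive_kbm(ks, care_of_keygen_token):
    """Kbm = PRF(Ks, Care-of Keygen Token). The PRF is assumed to be HMAC-SHA1;
    the page only requires a one-way function over the combination."""
    return hmac.new(ks, care_of_keygen_token, hashlib.sha1).digest()


def binding_authorization_data(kbm, fields):
    """Binding authorization data: a MAC keyed with Kbm over the message fields.
    Which fields are covered is an assumption of this example."""
    return hmac.new(kbm, b"|".join(fields), hashlib.sha1).digest()


def cn_build_ba(care_of_keygen_token, encrypt_for_mn, hoa, coa, sequence):
    """CN side, after the BU signature verified: choose Ks, encrypt it for the MN,
    derive the new Kbm and attach Kbm-keyed authorization data to the BA.
    Returns (BA message, Kbm kept by the CN for later BUs)."""
    ks = os.urandom(16)
    kbm = derive_kbm(ks, care_of_keygen_token)
    fields = [b"BA", hoa, coa, sequence.to_bytes(2, "big")]
    ba = {
        "encrypted_ks": encrypt_for_mn(ks),
        "fields": fields,
        "auth": binding_authorization_data(kbm, fields),
    }
    return ba, kbm


def mn_process_ba(ba, care_of_keygen_token, decrypt_with_mn_key):
    """MN side: recover Ks, rebuild Kbm the same way the CN did, recompute the
    authorization data and compare in constant time. Returns (accepted, Kbm)."""
    ks = decrypt_with_mn_key(ba["encrypted_ks"])
    kbm = derive_kbm(ks, care_of_keygen_token)
    expected = binding_authorization_data(kbm, ba["fields"])
    if not hmac.compare_digest(expected, ba["auth"]):
        return False, None
    return True, kbm


def mn_build_bu(kbm, hoa, coa, sequence):
    """Subsequent correspondent registration: the MN protects the BU with the
    new Kbm instead of a fresh signature."""
    fields = [b"BU", hoa, coa, sequence.to_bytes(2, "big")]
    return {"fields": fields, "auth": binding_authorization_data(kbm, fields)}


def cn_verify_bu(kbm, bu):
    """CN checks a later BU against the Kbm it kept from the BA exchange."""
    expected = binding_authorization_data(kbm, bu["fields"])
    return hmac.compare_digest(expected, bu["auth"])


if __name__ == "__main__":
    # Constructed sample values; identity functions stand in for the public-key
    # encryption of Ks, which the standard library does not provide.
    token = b"constructed-care-of-keygen-token"
    hoa = ipaddress.IPv6Address("2001:db8:1::1").packed
    coa = ipaddress.IPv6Address("2001:db8:ffff::1234").packed
    ba, cn_kbm = cn_build_ba(token, lambda b: b, hoa, coa, 1)
    accepted, mn_kbm = mn_process_ba(ba, token, lambda b: b)
    print("BA accepted by MN:", accepted, "keys match:", mn_kbm == cn_kbm)
    bu = mn_build_bu(mn_kbm, hoa, coa, 2)
    print("next BU accepted by CN:", cn_verify_bu(cn_kbm, bu))
```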
Further, the MN may also carry identification information in the BU message indicating that the MN's CoA was generated by a one-way function; correspondingly, a step of verifying the CoA in the BU message may be added before the CN verifies the binding authorization data in the BU message, as follows:
Based on the identification information in the received BU message, the CN initiates verification of the CoA in the BU message: it extracts the MN's HoA from the BU message, generates a temporary CoA from that HoA by the same method as in steps 501 to 502, and then compares the generated temporary CoA with the CoA in the BU message. If they are consistent, CoA verification succeeds and verification of the binding authorization data in the BU message may proceed; if they are inconsistent, CoA verification fails, which indicates that the current BU message is erroneous and possibly forged, and the CN sends an error code to the MN and does not allow the CN and the MN to communicate in route optimization mode.
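The CoA derivation of steps 501 to 502, the start-bit retry after a duplicate address, and the CN-side temporary-CoA check just described, as an added example that is not the patent's own code: it assumes SHA-1 as the one-way function (claim 7 permits SHA1 or MD5), reads Abs(64, n, OID) as "take 64 bits of the digest starting at bit n", combines HoA, prefix and public key by byte concatenation, and uses a set of addresses as a stand-in for on-link duplicate address detection.

```python
import hashlib
import ipaddress

# Claim 7 allows SHA1 or MD5 as the one-way function; SHA-1 is used here.
ONE_WAY_FUNCTION = hashlib.sha1


def one_way_input(hoa, subnet_prefix=None, public_key=None):
    """Input of the one-way function: the HoA alone (step 501), optionally
    combined with the visited subnet prefix and/or the MN's public key.
    Byte concatenation is an assumption; the page does not fix the combining rule."""
    data = ipaddress.IPv6Address(hoa).packed
    if subnet_prefix is not None:
        data += ipaddress.IPv6Network(subnet_prefix).network_address.packed[:8]
    if public_key is not None:
        data += public_key
    return data


def interface_id(hoa, start_bit=0, subnet_prefix=None, public_key=None):
    """Interface ID = Abs(64, n, OID), read here as the 64 bits of the digest
    (OID) beginning at bit n, counted from the most significant bit."""
    digest = ONE_WAY_FUNCTION(one_way_input(hoa, subnet_prefix, public_key)).digest()
    digest_bits = len(digest) * 8
    if start_bit < 0 or start_bit + 64 > digest_bits:
        raise ValueError("start bit %d leaves fewer than 64 digest bits" % start_bit)
    value = int.from_bytes(digest, "big")
    return (value >> (digest_bits - start_bit - 64)) & ((1 << 64) - 1)


def care_of_address(hoa, foreign_prefix, start_bit=0, subnet_prefix=None, public_key=None):
    """Step 502: append the 64-bit interface identifier to the /64 prefix of the
    visited foreign network."""
    net = ipaddress.IPv6Network(foreign_prefix)
    if net.prefixlen != 64:
        raise ValueError("a /64 foreign prefix is required to append a 64-bit IID")
    iid = interface_id(hoa, start_bit, subnet_prefix, public_key)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def generate_coa_with_dad(hoa, foreign_prefix, addresses_in_use, increment=8, **inputs):
    """Duplicate address detection as described after step 502: on a collision,
    n = n + increment and the interface identifier is regenerated. The set
    addresses_in_use stands in for the on-link DAD exchange.
    Returns (CoA, start bit that produced it)."""
    n = 0
    while True:
        coa = care_of_address(hoa, foreign_prefix, n, **inputs)
        if coa not in addresses_in_use:
            return coa, n
        n += increment  # claim 6: new start bit = old start bit + increment


def cn_verify_coa(bu_hoa, bu_coa, foreign_prefix, start_bit, **inputs):
    """CN-side CoA check: rebuild a temporary CoA from the HoA carried in the BU
    (steps 501 to 502 again) and compare it with the CoA in the BU. The start
    bit and other inputs are the parameters the MN carries in the BU for this."""
    temporary_coa = care_of_address(bu_hoa, foreign_prefix, start_bit, **inputs)
    return temporary_coa == ipaddress.IPv6Address(bu_coa)


if __name__ == "__main__":
    # Constructed sample values (documentation prefixes), not taken from the page.
    hoa = "2001:db8:1::1"
    foreign = "2001:db8:ffff::/64"
    coa, n = generate_coa_with_dad(hoa, foreign, set())
    print("CoA", coa, "from start bit", n)
    print("CN accepts genuine BU:", cn_verify_coa(hoa, coa, foreign, n))
    print("CN rejects altered CoA:", cn_verify_coa(hoa, "2001:db8:ffff::1", foreign, n))
```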
When the CN is expected to verify the CoA in the BU message, the MN may also carry in the BU message the parameters involved in generating the interface identifier in step 502.
Further, when sending the BU message, the MN may carry in it the parameters used when generating the HoA with CGA, for example the MN's public key information, the collision count and the modifier (i.e. a random number); correspondingly, a step of verifying the HoA in the BU message may be added before the CoA in the BU message is verified, as follows:
After receiving the BU message, the CN extracts the above parameters, computes a temporary HoA by the same CGA method as in step 501, and then compares the temporary HoA with the HoA in the BU message. If they are consistent, HoA verification succeeds and the CN may continue to verify the CoA and the binding authorization data in the BU message; otherwise, HoA verification fails, which indicates that the BU message is incorrect, and the CN sends an error code to the MN and does not allow the MN and the CN to communicate in route optimization mode.
The above method generates the care-of address CoA on the basis of the home address HoA of the mobile node MN, executes the return routability procedure RRP using that CoA, and then signs the BU message with the MN's private key, using the signature as the binding authorization data with which the BU message is verified. Once verification succeeds, the MN and the CN may communicate in route optimization mode, which limits attacks that result from misuse of the mobility mechanism and improves the security of communication in the route optimization mode of Mobile IPv6. Adding the steps of verifying the HoA and CoA in the BU message and verifying the BA message further improves the security of communication in route optimization mode. Because the HoA is generated in the CGA manner, HoTI/HoT messages need not be initiated again in subsequent correspondent registrations, which reduces route optimization signaling overhead, reduces the dependence of route optimization on the HA and thus improves the robustness of the system, and reduces the delay and complexity of the binding update between the mobile node and the correspondent node at link handover.

Embodiment 6
Referring to FIG. 7, an embodiment of the present invention further provides a system for improving route optimization security, which comprises a mobile node 601 and a correspondent node 602.
The mobile node 601 comprises:
(1) a care-of address generation module 6011, configured to generate an interface identifier by applying a one-way function to the home address of the mobile node 601 as input, and to combine the interface identifier with the prefix of the foreign network visited by the mobile node 601 to generate a care-of address, the home address being generated by a cryptographic method;
(2) a return routability execution module 6012, configured to execute the return routability procedure together with the correspondent node 602 using the home address and the care-of address generated by the care-of address generation module 6011;
(3) an authorization data generation module 6013, configured to sign the binding update message with the private key of the mobile node 601 and use the signature as the binding authorization data of the binding update message;
(4) a sending module 6014, configured to send to the correspondent node 602 a binding update message containing the home address, the care-of address generated by the care-of address generation module 6011 and the binding authorization data generated by the authorization data generation module 6013, and to carry the public key of the mobile node 601 in the binding update message.
The correspondent node 602 comprises:
(1) a return routability execution module 6021, configured to execute the return routability procedure together with the mobile node 601 using the home address and the care-of address generated by the care-of address generation module 6011;
(2) a receiving module 6022, configured to receive the binding update message sent by the sending module 6014;
(3) a verification module 6023, configured to extract the public key of the mobile node 601 from the binding update message received by the receiving module 6022 and to verify the binding authorization data in the binding update message with that public key;
(4) a control module 6024, configured to allow the mobile node 601 and the correspondent node 602 to communicate in route optimization mode when the verification by the verification module 6023 succeeds.
To further improve security, the correspondent node 602 may also comprise:
a care-of address verification module, configured to, before the verification module 6023 performs its verification, extract the home address of the mobile node 601 from the binding update message received by the receiving module 6022, generate a temporary care-of address from that home address by the same method the care-of address generation module 6011 uses to generate a care-of address, and verify whether the temporary care-of address is consistent with the care-of address in the binding update message; if they are consistent, the verification module 6023 is triggered.
Further, the sending module 6014 may also be configured to carry in the binding update message the parameters used when generating the home address by the above cryptographic method, for example the public key information, the collision count and the modifier (i.e. a random number) of the mobile node 601; correspondingly, the correspondent node 602 may further comprise:
a home address verification module, configured to, before the verification module 6023 performs its verification, extract the above parameters from the binding update message received by the receiving module 6022, generate a temporary home address from the extracted parameters by the above cryptographic method, and verify whether the temporary home address is consistent with the home address in the binding update message; if they are consistent, the verification module 6023 is triggered.
Further, the control module 6024 may specifically comprise:
a new authorization data generation unit, configured to, when the verification by the verification module 6023 succeeds, generate a random number and encrypt it with the public key of the mobile node 601; combine the random number with the care-of keygen token generated by the correspondent node 602 during the return routability procedure and apply a one-way function to the combination to generate a new binding management key; and then generate new binding authorization data with the new binding management key;
a binding acknowledgement message sending unit, configured to send a binding acknowledgement message to the mobile node 601, the binding acknowledgement message carrying the random number encrypted by the new authorization data generation unit and the new binding authorization data it generated.
Correspondingly, the mobile node 601 further comprises:
a binding acknowledgement message receiving module, configured to receive the binding acknowledgement message sent by the binding acknowledgement message sending unit;

a binding acknowledgement message verification module, configured to, after the binding acknowledgement message receiving module receives the binding acknowledgement message, extract the encrypted random number and decrypt it with the mobile node's private key to obtain the random number; generate a temporary binding management key from the random number by the same method the new authorization data generation unit uses to generate the new binding management key, and generate temporary binding authorization data from that temporary binding management key by the same method the new authorization data generation unit uses to generate the new binding authorization data; and then compare the temporary binding authorization data with the new binding authorization data in the binding acknowledgement message;
a control module, configured to allow the mobile node 601 and the correspondent node 602 to communicate in route optimization mode when the comparison performed by the binding acknowledgement message verification module finds the two consistent.
In the above system, the care-of address generation module 6011 generates the care-of address CoA on the basis of the home address HoA of the mobile node 601 (the MN), the return routability execution module 6012 uses that CoA to execute the return routability procedure RRP, and the authorization data generation module 6013 signs the BU message with the MN's private key to generate the binding authorization data with which the BU message is verified. Once verification succeeds, the MN and the CN may communicate in route optimization mode, which limits attacks that result from misuse of the mobility mechanism and improves the security of communication in the route optimization mode of Mobile IPv6. On top of verifying the binding authorization data, the care-of address verification module may further verify the CoA in the BU message, the home address verification module may verify the HoA in the BU message, and the binding acknowledgement message verification module may verify the BA message, which further improves the security of communication in route optimization mode. Because the HoA is generated in the CGA manner, HoTI/HoT messages need not be initiated again in subsequent correspondent registrations, which reduces route optimization signaling overhead, reduces the dependence of route optimization on the HA and thus improves the robustness of the system, and reduces the delay and complexity of the binding update between the mobile node and the correspondent node at link handover.
The technical solutions in the embodiments of the present invention may be implemented in software, and the corresponding program may be stored in a readable storage medium, such as a computer's hard disk or non-volatile memory such as flash memory.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for generating a care-of address, characterized in that the method comprises:
generating an interface identifier by applying a one-way function to the home address of a mobile node as input; and
combining the interface identifier with the prefix of a foreign network visited by the mobile node to generate a care-of address.
2. The method for generating a care-of address according to claim 1, characterized in that the step of generating an interface identifier by applying a one-way function to the home address of the mobile node as input specifically comprises:
combining the prefix of the foreign network visited by the mobile node with the home address of the mobile node as the input, and generating the interface identifier by applying the one-way function to that combination.
3. The method for generating a care-of address according to claim 1, characterized in that, when the home address of the mobile node is generated by a cryptographic method, the step of generating an interface identifier by applying a one-way function to the home address of the mobile node as input specifically comprises:
combining the home address of the mobile node with the public key of the mobile node as the input, or combining the prefix of the foreign network visited by the mobile node with the home address and the public key as the input, and generating the interface identifier by applying the one-way function to that combination.
4. The method for generating a care-of address according to claim 1, characterized in that, after the step of generating an interface identifier by applying a one-way function to the home address of the mobile node as input, the method further comprises:
judging whether the length of the interface identifier exceeds 64 bits and, if so, setting a start bit and taking the 64 bits beginning at the start bit as the interface identifier.
5. The method for generating a care-of address according to claim 1, characterized in that, after the step of generating an interface identifier by applying a one-way function to the home address of the mobile node as input, the method further comprises:
judging whether the length of the interface identifier exceeds 64 bits and, if so, dividing the interface identifier into a plurality of 64-bit blocks, padding the last block to 64 bits with content of the corresponding length taken arbitrarily from the other blocks if it is shorter than 64 bits, then performing a bitwise logical operation over the plurality of blocks and taking the result of the operation as the interface identifier.
6. The method for generating a care-of address according to claim 4, characterized in that the method further comprises: after the care-of address is generated, judging whether the care-of address is identical to an IP address already in use in the network and, if so, setting an increment, summing the start bit and the increment, taking the result of that operation as the new start bit, taking 64 bits from it as the interface identifier, and generating a new care-of address.
7. The method for generating a care-of address according to any one of claims 1 to 6, characterized in that the one-way function is SHA1 or MD5.
8. A method for improving route optimization security, characterized in that the method comprises:
a mobile node generating an interface identifier by applying a one-way function to its home address as input; the mobile node combining the interface identifier with the prefix of a foreign network visited by the mobile node to generate a care-of address;
the mobile node and a correspondent node executing a return routability procedure using the home address and the care-of address, and then each generating the same binding management key;
the mobile node and the correspondent node each generating binding authorization data with the binding management key it generated; the mobile node sending to the correspondent node a binding update message containing the home address, the care-of address and the binding authorization data it generated; and
the correspondent node, after receiving the binding update message, verifying the binding authorization data in the binding update message and, if it is consistent with the binding authorization data the correspondent node generated, allowing the mobile node and the correspondent node to communicate in route optimization mode.
9. The method for improving route optimization security according to claim 8, characterized in that, before the step of verifying the binding authorization data in the binding update message, the method further comprises:
the correspondent node extracting the home address of the mobile node from the binding update message, generating a temporary care-of address from the home address by the same method the mobile node used to generate the care-of address, and verifying whether the temporary care-of address is consistent with the care-of address in the binding update message; if they are consistent, continuing with the step of verifying the binding authorization data in the binding update message.
10. A method for improving route optimization security, characterized in that the method comprises:
a mobile node generating an interface identifier by applying a one-way function to its home address as input, the home address being generated by a cryptographic method;
the mobile node combining the interface identifier with the prefix of a foreign network visited by the mobile node to generate a care-of address;
the mobile node and a correspondent node executing a return routability procedure using the home address and the care-of address; the mobile node signing a binding update message with its own private key and using the signature as the binding authorization data of the binding update message; the mobile node sending to the correspondent node the binding update message containing the home address, the care-of address and the binding authorization data, and carrying the public key of the mobile node in the binding update message; and
所述通信节点收到所述绑定更新消息后, 提取出所述移动节点的公钥, 用所述移动节点 的公钥验证所述绑定更新消息中的绑定授权数据, 如果验证通过, 则允许所述移动节点与通 信节点进行路由优化模式下的通信。  After receiving the binding update message, the communication node extracts the public key of the mobile node, and uses the public key of the mobile node to verify the binding authorization data in the binding update message. The mobile node is then allowed to communicate with the communication node in a route optimization mode.
11. The method for improving route optimization security according to claim 10, characterized in that, before the step of verifying the binding authorization data in the binding update message with the public key of the mobile node, the method further comprises:
the correspondent node extracting the home address of the mobile node from the binding update message, generating a temporary care-of address from that home address by the same method the mobile node used to generate its care-of address, and verifying whether the temporary care-of address matches the care-of address carried in the binding update message; if they match, proceeding with the step of verifying the binding authorization data in the binding update message.
12. The method for improving route optimization security according to claim 10, characterized in that the steps of the mobile node sending the binding update message and of the correspondent node verifying the binding authorization data after receiving it further comprise:
the mobile node carrying in the binding update message the parameters it used when generating the home address by the cryptographic method; and the correspondent node, before verifying the binding authorization data in the binding update message, extracting those parameters from the binding update message, generating a temporary home address by the cryptographic method from those parameters, and verifying whether the temporary home address matches the home address in the binding update message; if they match, proceeding with the step of verifying the binding authorization data in the binding update message.
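Claims 10 to 12 as one working exchange, added here as an illustration and not code from the patent (Go, standard library only). The claims leave the one-way function, the signature scheme and the home-address construction open; this example assumes SHA-256, RSA-PSS, and a CGA-like home address derived from the public key alone (far simpler than RFC 3972), so the public key is the only generation parameter the binding update needs to carry. The prefixes are constructed from the IPv6 documentation range, and mkAddr, BuildBU, VerifyBU and Demo are this example's own names.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"net/netip"
)

// Constructed prefixes from the IPv6 documentation range (RFC 3849): the 64-bit network part,
// to which a 64-bit interface identifier is appended.
var homePrefix = [8]byte{0x20, 0x01, 0x0d, 0xb8, 0x00, 0x01, 0, 0}
var foreignPrefix = [8]byte{0x20, 0x01, 0x0d, 0xb8, 0x00, 0x02, 0, 0}

// mkAddr joins a prefix with the first 64 bits of the claims' unspecified "one-way function"
// (SHA-256 assumed) applied to the concatenation of parts.
func mkAddr(prefix [8]byte, parts ...[]byte) netip.Addr {
	digest := sha256.Sum256(bytes.Join(parts, nil))
	var a [16]byte
	copy(a[:8], prefix[:])
	copy(a[8:], digest[:8])
	return netip.AddrFrom16(a)
}

// HomeAddress is derived from the public key (CGA-like, much simpler than RFC 3972), so the
// public key is the only generation "parameter" the binding update must carry (claim 12).
func HomeAddress(pub []byte) netip.Addr { return mkAddr(homePrefix, homePrefix[:], pub) }

// CareOfAddress is claim 10's rule: IID = one-way(home address), joined to the visited prefix.
func CareOfAddress(home netip.Addr) netip.Addr {
	h := home.As16()
	return mkAddr(foreignPrefix, h[:])
}

type BindingUpdate struct {
	Home, CoA netip.Addr
	Seq       uint16
	PubKey    []byte // PKCS#1 DER public key carried in the message (claims 10 and 12)
	AuthData  []byte // RSA-PSS signature over the other fields: the binding authorization data (claim 10)
}

func (bu *BindingUpdate) digest() []byte {
	h, c := bu.Home.As16(), bu.CoA.As16()
	seq := []byte{byte(bu.Seq >> 8), byte(bu.Seq)}
	d := sha256.Sum256(bytes.Join([][]byte{h[:], c[:], seq, bu.PubKey}, nil))
	return d[:]
}

// BuildBU is the mobile node's side: derive both addresses, sign, and attach the public key.
func BuildBU(priv *rsa.PrivateKey, seq uint16) (*BindingUpdate, error) {
	pub := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
	bu := &BindingUpdate{Home: HomeAddress(pub), Seq: seq, PubKey: pub}
	bu.CoA = CareOfAddress(bu.Home)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, bu.digest(), nil)
	bu.AuthData = sig
	return bu, err
}

// VerifyBU is the correspondent node's side. The cheap recomputations come first: the home
// address must match its parameter (claim 12) and the care-of address must derive from the home
// address (claim 11); only then is the signature checked under the carried public key (claim 10).
func VerifyBU(bu *BindingUpdate) error {
	pub, err := x509.ParsePKCS1PublicKey(bu.PubKey)
	if err != nil {
		return err
	}
	if HomeAddress(bu.PubKey) != bu.Home {
		return fmt.Errorf("home address %s does not match its generation parameter", bu.Home)
	}
	if CareOfAddress(bu.Home) != bu.CoA {
		return fmt.Errorf("care-of address %s was not derived from home address %s", bu.CoA, bu.Home)
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, bu.digest(), bu.AuthData, nil)
}

// Demo signs one binding update and verifies it, then replays the same message with the care-of
// address swapped for another address under the visited prefix, which is what an attacker trying
// to redirect the correspondent's traffic would send. It returns both verification results.
func Demo() (genuine, redirected error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	bu, err := BuildBU(priv, 1)
	if err != nil {
		return err, err
	}
	genuine = VerifyBU(bu)
	bu.CoA = netip.MustParseAddr("2001:db8:2::1") // constructed attacker address, same prefix
	return genuine, VerifyBU(bu)
}

func main() {
	genuine, redirected := Demo()
	fmt.Println("genuine binding update:", genuine)
	fmt.Println("redirected binding update:", redirected)
}
```

Running it prints nil for the genuine message and a rejection for the redirected one. The order of checks in VerifyBU matters: recomputing two hashes is cheap, so the correspondent node can discard redirected or malformed updates before paying for an RSA verification, which is the denial-of-service concern behind claims 11 and 12. Note also what the signature does not prove: the mobile node's reachability at the care-of address. That is what the return routability procedure in claim 10 still provides, which is why the claims keep it alongside the signature.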
13. The method for improving route optimization security according to claim 10, characterized in that, before the step of allowing the mobile node and the correspondent node to communicate in route optimization mode, the method further comprises:
the correspondent node generating a random number and encrypting it with the public key of the mobile node;
the correspondent node combining the random number with the care-of keygen token it generated during the return routability procedure, applying a one-way function to the combination to generate a new binding management key, and then generating new binding authorization data with the new binding management key;
the correspondent node sending a binding acknowledgement message to the mobile node, the binding acknowledgement carrying the encrypted random number and the new binding authorization data;
the mobile node, on receiving the binding acknowledgement, extracting the encrypted random number and decrypting it with its own private key to obtain the random number;
the mobile node generating from the random number a temporary binding management key by the same method the correspondent node used to generate the new binding management key, and generating from the temporary binding management key temporary binding authorization data by the same method the correspondent node used to generate the new binding authorization data;
the mobile node verifying whether the temporary binding authorization data matches the new binding authorization data in the binding acknowledgement; if they match, allowing the mobile node and the correspondent node to communicate in route optimization mode.
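The binding acknowledgement of claim 13, added as an illustration and not code from the patent (Go, standard library only). Assumptions: RSA-OAEP for encrypting the random number to the mobile node's public key, SHA-256 as the one-way function over random number || care-of keygen token, and HMAC-SHA256 for the authorization data (RFC 3775 specifies HMAC_SHA1 over a different input layout). The care-of keygen token and the acknowledgement body are constructed stand-ins for values the return routability procedure and the message itself would supply; BuildBA, VerifyBA and Demo are this example's own names.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// BindingAck carries what claim 13 adds to the acknowledgement: the random number encrypted to
// the mobile node's public key, and authorization data computed under the new binding management key.
type BindingAck struct {
	EncRandom []byte
	AuthData  []byte
}

// newKbm is the claim's one-way function over (random number || care-of keygen token); SHA-256 assumed.
func newKbm(random, careOfToken []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, random...), careOfToken...))
	return k[:]
}

// authData keys an HMAC with Kbm over the acknowledgement fields. RFC 3775 uses HMAC_SHA1 over
// care-of address || correspondent address || MH data; those fields are abstracted into ackBody here.
func authData(kbm, ackBody []byte) []byte {
	m := hmac.New(sha256.New, kbm)
	m.Write(ackBody)
	return m.Sum(nil)
}

// BuildBA is the correspondent node's side. It already holds the care-of keygen token from its
// own Care-of Test and the mobile node's public key from the verified binding update.
func BuildBA(mnPub *rsa.PublicKey, careOfToken, ackBody []byte) (*BindingAck, error) {
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, mnPub, random, nil)
	if err != nil {
		return nil, err
	}
	return &BindingAck{EncRandom: enc, AuthData: authData(newKbm(random, careOfToken), ackBody)}, nil
}

// VerifyBA is the mobile node's side: decrypt with the private key, rederive Kbm from the token
// it received in the Care-of Test, recompute the authorization data and compare in constant time.
// The new Kbm is returned so that subsequent binding messages can be keyed with it.
func VerifyBA(mnPriv *rsa.PrivateKey, careOfToken, ackBody []byte, ba *BindingAck) ([]byte, bool) {
	random, err := rsa.DecryptOAEP(sha256.New(), nil, mnPriv, ba.EncRandom, nil)
	if err != nil {
		return nil, false
	}
	kbm := newKbm(random, careOfToken)
	return kbm, hmac.Equal(authData(kbm, ackBody), ba.AuthData)
}

// Demo runs the exchange once on constructed inputs: a fresh RSA key for the mobile node and a
// care-of keygen token standing in for the one produced by return routability. The second check
// uses a token from a different (hypothetical) return routability run, which is what a replayed
// or forged acknowledgement would amount to; it must fail.
func Demo() (genuine, otherRun bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	careOfToken := []byte{0x5a, 0x9e, 0x11, 0x07, 0xc3, 0x44, 0xf0, 0x2b} // constructed; 64 bits as in RFC 3775
	ackBody := []byte("status=0 seq=1 coa=2001:db8:2::<iid>")            // constructed stand-in for the BA fields
	ba, err := BuildBA(&priv.PublicKey, careOfToken, ackBody)
	if err != nil {
		return false, false, err
	}
	_, genuine = VerifyBA(priv, careOfToken, ackBody, ba)
	_, otherRun = VerifyBA(priv, []byte{1, 2, 3, 4, 5, 6, 7, 8}, ackBody, ba)
	return genuine, otherRun, nil
}

func main() {
	fmt.Println(Demo())
}
```

Mixing the care-of keygen token into the new Kbm ties the acknowledgement to the return routability run the mobile node actually completed: anyone can encrypt a random number to the public key carried in the binding update, but without the token they cannot produce authorization data the mobile node will accept, and the mobile node ends up with a Kbm that depends on a value it received out of band rather than only on values visible in the binding update.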
14. An apparatus for generating a care-of address, characterized in that the apparatus comprises:
an interface identifier generation module (201) for generating an interface identifier by applying a one-way function to the home address of a mobile node; and
a care-of address generation module (202) for combining the interface identifier generated by the interface identifier generation module (201) with the prefix of the foreign network visited by the mobile node to generate a care-of address.
15. The apparatus for generating a care-of address according to claim 14, characterized in that the interface identifier generation module (201) specifically comprises:
a combining unit for combining the prefix of the foreign network visited by the mobile node with the home address of the mobile node; and
a generating unit for taking the data produced by the combining unit as input and generating the interface identifier by a one-way function.
16. The apparatus for generating a care-of address according to claim 14, characterized in that, when the home address of the mobile node is generated by a cryptographic method, the interface identifier generation module (201) specifically comprises:
a combining unit for combining the home address of the mobile node with the public key of the mobile node, or for combining the prefix of the foreign network visited by the mobile node with the home address and the public key; and
a generating unit for taking the data produced by the combining unit as input and generating the interface identifier by a one-way function.
17. The apparatus for generating a care-of address according to claim 14, characterized in that the apparatus further comprises: a length processing module for determining whether the length of the interface identifier generated by the interface identifier generation module (201) exceeds 64 bits and, if so, setting a start position, taking the 64 bits beginning at that start position as the new interface identifier, and passing it to the care-of address generation module (202).
18. The apparatus for generating a care-of address according to claim 14, characterized in that the apparatus further comprises: a length processing module for determining whether the length of the interface identifier generated by the interface identifier generation module (201) exceeds 64 bits and, if so, dividing the interface identifier into blocks of 64 bits (if the last block is shorter than 64 bits, padding it to 64 bits with content of the missing length taken arbitrarily from the other blocks), performing a bitwise logical operation across the blocks, and passing the result to the care-of address generation module (202) as the new interface identifier.
19. The apparatus for generating a care-of address according to claim 17, characterized in that the apparatus further comprises: an address checking module for determining, after the care-of address generation module (202) has generated the care-of address, whether that care-of address is identical to an IP address already in use on the network and, if so, setting an increment, adding the increment to the start position set by the length processing module, taking the 64 bits beginning at the resulting new start position as the interface identifier, and generating a new care-of address.
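The address pipeline of claims 14 to 19, together with the correspondent-side recomputation relied on in claims 9, 11, 21 and 23, as an added Go example (standard library only, not the patent's code). Assumptions: SHA-256 for the one-way function, XOR for claim 18's bitwise logical operation, a wrap-around window for claim 17's start position, and a map of addresses standing in for what duplicate address detection would report; the prefix and home address are constructed from the IPv6 documentation range, and Combine, OneWay, Truncate, Fold, GenerateCoA and CheckCoA are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Combine orders the inputs as claims 15 and 16 describe: prefix || home address, followed by the
// public key (pass nil to omit it) when the home address is itself cryptographically generated.
func Combine(prefix [8]byte, home netip.Addr, pub []byte) []byte {
	h := home.As16()
	return bytes.Join([][]byte{prefix[:], h[:], pub}, nil)
}

// OneWay is the claims' unspecified one-way function; SHA-256 is assumed. Its 256-bit output is
// exactly why the length handling of claims 17 and 18 is needed before it can serve as a 64-bit IID.
func OneWay(in []byte) []byte {
	d := sha256.Sum256(in)
	return d[:]
}

// Truncate implements claim 17: take the 64 bits beginning at bit offset start. The window wraps
// around the digest so that every offset yields a full identifier (a choice the claim leaves open).
func Truncate(digest []byte, start int) [8]byte {
	n := len(digest) * 8
	var iid uint64
	for i := 0; i < 64; i++ {
		b := (start + i) % n
		iid = iid<<1 | uint64(digest[b/8]>>(7-uint(b%8))&1)
	}
	var out [8]byte
	binary.BigEndian.PutUint64(out[:], iid)
	return out
}

// Fold implements claim 18: cut the digest into 64-bit blocks, pad a short final block from the
// start of the digest, and XOR all blocks together (XOR taken as the claim's "bit logic operation").
func Fold(digest []byte) [8]byte {
	var out [8]byte
	for i := 0; i < len(digest); i += 8 {
		block := make([]byte, 8)
		n := copy(block, digest[i:])
		copy(block[n:], digest[:8-n])
		for j := range out {
			out[j] ^= block[j]
		}
	}
	return out
}

func join(prefix, iid [8]byte) netip.Addr {
	var a [16]byte
	copy(a[:8], prefix[:])
	copy(a[8:], iid[:])
	return netip.AddrFrom16(a)
}

// GenerateCoA runs the full pipeline with claim 19's collision handling. inUse stands in for what
// duplicate address detection reports on the link; on a collision the start offset is advanced by
// step and a new 64-bit window is taken. The offset that finally worked is returned because the
// correspondent node must use the same one to reproduce the address (claims 9, 11, 21 and 23).
func GenerateCoA(prefix [8]byte, home netip.Addr, pub []byte, start, step int, inUse map[netip.Addr]bool) (netip.Addr, int, error) {
	digest := OneWay(Combine(prefix, home, pub))
	for tries := 0; tries < len(digest)*8; tries++ {
		coa := join(prefix, Truncate(digest, start))
		if !inUse[coa] {
			return coa, start, nil
		}
		start += step
	}
	return netip.Addr{}, start, errors.New("no free care-of address in any window of the digest")
}

// CheckCoA is the correspondent node's recomputation: rebuild the address from the home address
// (and public key, if used) and compare it with the one claimed in the binding update.
func CheckCoA(prefix [8]byte, home netip.Addr, pub []byte, start int, claimed netip.Addr) bool {
	return join(prefix, Truncate(OneWay(Combine(prefix, home, pub)), start)) == claimed
}

func main() {
	prefix := [8]byte{0x20, 0x01, 0x0d, 0xb8, 0x00, 0x02, 0, 0} // constructed visited prefix (RFC 3849 range)
	home := netip.MustParseAddr("2001:db8:1::1")              // constructed home address
	first, _, _ := GenerateCoA(prefix, home, nil, 0, 7, nil)
	taken := map[netip.Addr]bool{first: true} // pretend DAD found the first candidate in use
	second, start, err := GenerateCoA(prefix, home, nil, 0, 7, taken)
	fmt.Println(first, second, start, err, CheckCoA(prefix, home, nil, start, second))
	fmt.Println("folded:", join(prefix, Fold(OneWay(Combine(prefix, home, nil)))))
}
```

One thing the claims leave open is how the correspondent node learns the start position (and increment) the mobile node ended up using after a collision. Unless the offset is fixed by convention or carried in the binding update, CheckCoA cannot reproduce the address and the correspondent node would reject a legitimate mobile node that took claim 19's retry path. Real deployments would also clear the u and g bits of the identifier, as RFC 3972 does; that is omitted here.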
20. A system for improving route optimization security, characterized in that the system comprises a mobile node (401) and a correspondent node (402), the mobile node (401) comprising:
a care-of address generation module (4011) for generating an interface identifier by applying a one-way function to the home address of the mobile node (401), and combining the interface identifier with the prefix of the foreign network visited by the mobile node (401) to generate a care-of address;
a key generation module (4012) for performing the return routability procedure together with the correspondent node (402) using the home address and the care-of address generated by the care-of address generation module (4011), and then generating a binding management key;
an authorization data generation module (4013) for generating binding authorization data with the binding management key generated by the key generation module (4012); and
a sending module (4014) for sending to the correspondent node (402) a binding update message containing the home address, the care-of address generated by the care-of address generation module (4011) and the binding authorization data generated by the authorization data generation module (4013);
and the correspondent node (402) comprising:
a key generation module (4021) for performing the return routability procedure together with the mobile node (401) using the home address and the care-of address generated by the care-of address generation module (4011), and then generating a binding management key identical to the one generated by the key generation module (4012) of the mobile node (401);
an authorization data generation module (4022) for generating binding authorization data with the binding management key generated by the key generation module (4021) of the correspondent node (402);
a receiving module (4023) for receiving the binding update message sent by the sending module (4014);
a comparison module (4024) for comparing the binding authorization data in the binding update message received by the receiving module (4023) with the binding authorization data generated by the authorization data generation module (4022) of the correspondent node (402); and
a control module (4025) for allowing the mobile node (401) and the correspondent node (402) to communicate in route optimization mode when the comparison performed by the comparison module (4024) yields a match.
21. The system for improving route optimization security according to claim 20, characterized in that the correspondent node (402) further comprises:
a care-of address comparison module for, before the comparison module (4024) performs its comparison, extracting the home address of the mobile node (401) from the binding update message received by the receiving module (4023), generating a temporary care-of address from that home address by the same method the care-of address generation module (4011) used to generate the care-of address, and verifying whether the temporary care-of address matches the care-of address in the binding update message; if they match, triggering the comparison module (4024).
22. A system for improving route optimization security, characterized in that the system comprises a mobile node (601) and a correspondent node (602), the mobile node (601) comprising:
a care-of address generation module (6011) for generating an interface identifier by applying a one-way function to the home address of the mobile node (601), and combining the interface identifier with the prefix of the foreign network visited by the mobile node (601) to generate a care-of address, the home address having been generated by a cryptographic method;
a return routability execution module (6012) for performing the return routability procedure together with the correspondent node (602) using the home address and the care-of address generated by the care-of address generation module (6011);
an authorization data generation module (6013) for signing the binding update message with the private key of the mobile node (601), the signature serving as the binding authorization data of the binding update message; and
a sending module (6014) for sending to the correspondent node (602) the binding update message containing the home address, the care-of address generated by the care-of address generation module (6011) and the binding authorization data generated by the authorization data generation module (6013), and carrying the public key of the mobile node (601) in the binding update message;
and the correspondent node (602) comprising:
a return routability execution module (6021) for performing the return routability procedure together with the mobile node (601) using the home address and the care-of address generated by the care-of address generation module (6011);
a receiving module (6022) for receiving the binding update message sent by the sending module (6014);
a verification module (6023) for extracting the public key of the mobile node (601) from the binding update message received by the receiving module (6022) and verifying the binding authorization data in the binding update message with that public key; and
a control module (6024) for allowing the mobile node (601) and the correspondent node (602) to communicate in route optimization mode when the verification module (6023) reports success.
23. The system for improving route optimization security according to claim 22, characterized in that the correspondent node (602) further comprises:
a care-of address verification module for, before the verification module (6023) performs its verification, extracting the home address of the mobile node (601) from the binding update message received by the receiving module (6022), generating a temporary care-of address from that home address by the same method the care-of address generation module (6011) used to generate the care-of address, and verifying whether the temporary care-of address matches the care-of address in the binding update message; if they match, triggering the verification module (6023).
24. The system for improving route optimization security according to claim 22, characterized in that the sending module (6014) is further configured to carry in the binding update message the parameters used when the home address was generated by the cryptographic method;
and correspondingly the correspondent node (602) further comprises:
a home address verification module for, before the verification module (6023) performs its verification, extracting those parameters from the binding update message received by the receiving module (6022), generating a temporary home address by the cryptographic method from those parameters, and verifying whether the temporary home address matches the home address in the binding update message; if they match, triggering the verification module (6023).
25. The system for improving route optimization security according to claim 22, characterized in that the control module (6024) specifically comprises:
a new authorization data generation unit for, when the verification module (6023) reports success, generating a random number and encrypting it with the public key of the mobile node (601); combining the random number with the care-of keygen token generated by the correspondent node (602) during the return routability procedure and applying a one-way function to the combination to generate a new binding management key; and then generating new binding authorization data with the new binding management key; and
a binding acknowledgement sending unit for sending a binding acknowledgement message to the mobile node (601), the binding acknowledgement carrying the random number encrypted by the new authorization data generation unit and the new binding authorization data it generated;
and correspondingly the mobile node (601) further comprises:
a binding acknowledgement receiving module for receiving the binding acknowledgement message sent by the binding acknowledgement sending unit;
a binding acknowledgement verification module for, when the binding acknowledgement receiving module receives the binding acknowledgement, extracting the encrypted random number and decrypting it with the private key of the mobile node (601) to obtain the random number; generating from the random number a temporary binding management key by the same method the new authorization data generation unit used to generate the new binding management key; generating from that temporary binding management key temporary binding authorization data by the same method the new authorization data generation unit used to generate the new binding authorization data; and then comparing whether the temporary binding authorization data matches the new binding authorization data in the binding acknowledgement; and
a control module for allowing the mobile node (601) and the correspondent node (602) to communicate in route optimization mode when the comparison by the binding acknowledgement verification module yields a match.
PCT/CN2008/071269 2007-07-25 2008-06-11 A method and equipment for generating care of address and a method and system for improving route optimization security WO2009012676A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710119480.3 2007-07-25
CN2007101194803A CN101106568B (en) 2007-07-25 2007-07-25 Method, device and system for generating forwarding address and improving route optimization security

Publications (1)

Publication Number Publication Date
WO2009012676A1 true WO2009012676A1 (en) 2009-01-29

Family

ID=39000242

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071269 WO2009012676A1 (en) 2007-07-25 2008-06-11 A method and equipment for generating care of address and a method and system for improving route optimization security

Country Status (2)

Country Link
CN (1) CN101106568B (en)
WO (1) WO2009012676A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8499146B2 (en) 2008-10-31 2013-07-30 Chengdu Huawei Symantec Technologies Co., Ltd. Method and device for preventing network attacks
CN110622491A (en) * 2017-05-16 2019-12-27 Qualcomm Incorporated Ethernet over cellular
CN110622491B (en) * 2017-05-16 2023-01-03 Qualcomm Incorporated Method and apparatus for wireless communication

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101106568B (en) * 2007-07-25 2010-06-02 Huawei Technologies Co., Ltd. Method, device and system for generating forwarding address and improving route optimization security
CN101299668A (en) * 2008-06-30 2008-11-05 Huawei Technologies Co., Ltd. Method, system and apparatus for establishing communication
US8982815B2 (en) * 2012-04-24 2015-03-17 Mediatek Inc. Apparatuses and methods for IPV6 address acquisition
CN105989477A (en) * 2014-11-07 2016-10-05 Tendyron Corporation Data interaction method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1457170A (en) * 2002-05-09 2003-11-19 Canon Kabushiki Kaisha Device for issuing public pin certificates
CN1498484A (en) * 2001-03-13 2004-05-19 System for managing mobile node in mobile network
WO2006106712A1 (en) * 2005-03-31 2006-10-12 Matsushita Electric Industrial Co., Ltd. Communication control method, communication node, and mobile node
CN1972317A (en) * 2005-11-24 2007-05-30 Huawei Technologies Co., Ltd. Care-of address and its acquisition method and system for configuration information of care-of address
CN101106568A (en) * 2007-07-25 2008-01-16 Huawei Technologies Co., Ltd. Method, device and system for generating forwarding address and improving route optimization security

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101001261B (en) * 2006-01-09 2010-09-29 Huawei Technologies Co., Ltd. Communication method of MIPv6 moving node
CN100456742C (en) * 2006-04-30 2009-01-28 National Digital Switching System Engineering & Technological R&D Center Mobile Internet protocol route processing method and system and router

Also Published As

Publication number Publication date
CN101106568B (en) 2010-06-02
CN101106568A (en) 2008-01-16

Similar Documents

Publication Publication Date Title
CN101965722B (en) Re-establishment of a security association
EP1633107B1 (en) Authenticating address ownership using care-of-address (COA) binding protocol
US8726019B2 (en) Context limited shared secret
US20020120844A1 (en) Authentication and distribution of keys in mobile IP network
JP5007341B2 (en) Method and apparatus for binding update between mobile node and correspondent node
US20080291885A1 (en) METHOD FOR COMMUNICATION OF MIPv6 MOBILE NODES
WO2008034368A1 (en) A method, system, mobile node and correspondent node for generating the binding management key
JP2003324419A (en) Method of securing binding update by using address based key
JP5159878B2 (en) Method and apparatus for combining internet protocol authentication and mobility signaling
US20080028459A1 (en) Method for managing security in a mobile communication system using proxy mobile internet protocol and system thereof
US20050246769A1 (en) Method of generating an authentication
JP2008537429A (en) Providing anonymity to mobile nodes in session with supported nodes
WO2009012676A1 (en) A method and equipment for generating care of address and a method and system for improving route optimization security
Chuang et al. SF-PMIPv6: A secure fast handover mechanism for Proxy Mobile IPv6 networks
WO2009094939A1 (en) Method for protecting mobile ip route optimization signaling, the system, node, and home agent thereof
Qiu et al. A pmipv6-based secured mobility scheme for 6lowpan
Ameur et al. Secure Reactive Fast Proxy MIPv6-Based NEtwork MObility (SRFP-NEMO) for Vehicular Ad-hoc Networks (VANETs).
Modares et al. Securing binding update in mobile IPv6 using private key base binding update protocol
Susanto Functional Scheme for IPv6 Mobile Handoff
Leu et al. A handover security mechanism employing diffie-Hellman PKDS for IEEE802. 16e wireless networks
WO2014205846A1 (en) Data transmission method, machine type communication terminal and addressing server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 08757680; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 08757680; Country of ref document: EP; Kind code of ref document: A1