CN100446506C - Safety scheme solving method and system for mobile IP network - Google Patents


Info

Publication number
CN100446506C
Authority
CN
China
Prior art keywords
network
home agent
security strategy
mobile
security
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2005101062468A
Other languages
Chinese (zh)
Other versions
CN1866915A (en)
Inventor
潘灏涛
管红光
王建兵
侯超
王春桃
李建军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a method and system for implementing a security scheme in a mobile IP network. In the method, security policies are configured on the home agent of a mobile node in the mobile IP network, and the home agent performs security control processing on received packets according to those security policies. With the present invention, the mobile node's exposure to attack is reduced, the spread of viruses, spam and the like is reduced, the secure operation of the mobile IP network is guaranteed, and unnecessary waste of the mobile IP network's resources is avoided.

Description

Method and system for implementing a security scheme in a mobile IP network
Technical field
The present invention relates to the field of communications, and in particular to a method and system for implementing a security scheme in a mobile IP network.
Background art
Mobile IP is a solution that provides mobility to users on the Internet. It is not confined to a geographic area and offers scalability, reliability and security. Mobile IP extends the user's mobility and roaming capability, allowing a node to keep an ongoing communication session while it switches between networks.
In mobile IP, an MN (mobile node) can attach to any link while keeping its permanent IP address. Mobile IP provides the terminal with large-scale mobility while guaranteeing that the terminal's IP address remains assignable and reachable. A mobile IP system mainly comprises the MN, the FA (foreign agent), the HA (home agent) and the CN (correspondent node); a mobile IPv6 system has no FA.
In mobile IPv4, packets between the MN and the CN are transferred as described in RFC 3344; Figure 1 shows the process schematically. Specifically:
When the MN has moved to a foreign network, a packet the CN sends to the MN is first routed to the MN's HA, then delivered through a tunnel to the MN's FA, and finally passed by the FA to the MN. A packet the MN sends to the CN is first routed to the MN's FA, which delivers it directly to the CN.
A mobile IPv6 system has no FA entity: the MN establishes the tunnel directly with the HA, as shown in Figure 2. In this system a packet the CN sends to the MN on the foreign network is first routed to the MN's HA and then delivered directly to the MN through the tunnel.
The packet transfer processes of the mobile IPv4 and mobile IPv6 systems described above have the following shortcomings:
On the one hand, if a CN deliberately attacks the network by sending the MN a large number of legitimate or illegitimate packets, the existing transfer scheme applies no control to the packets the CN sends to the MN; it relies entirely on the application layer of the MN to identify and filter the illegitimate packets. Every such packet is therefore processed in turn by the HA, the FA (in a mobile IPv4 system), the tunnel, the wireless equipment and the MN, even though many of them are illegitimate. This reduces the security of the mobile IP network and wastes the resources of the HA, the FA, the MN and the wireless channel.
On the other hand, an MN that has inadvertently been infected with a virus, or that deliberately attacks the network or spreads a virus, will also do great harm to the network if it is not controlled.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a method and system for implementing a security scheme in a mobile IP network, so that the secure operation of the mobile IP network can be guaranteed.
The object of the invention is achieved through the following technical solutions:
A method for implementing a security scheme in a mobile IP network comprises:
A. configuring, on the home agent of a mobile node in the mobile IP network, the security policy of the mobile node;
B. according to the security policy, the home agent performing security control processing on the received packets that are addressed to the mobile node or sent by the mobile node.
Step A specifically comprises:
on the home agent of the mobile node in the mobile IP network, the security policy of the node being configured actively or issued automatically by the network.
Step A specifically comprises:
the mobile node customizing the security policy it needs by logging in to its self-service portal system on the network, the Security Policy Server configuring this security policy on the node's home agent, and the security policy taking effect.
Step A specifically comprises:
the mobile node customizing the security policy it needs through an SMS or MMS system, the Security Policy Server configuring this security policy on the node's home agent, and the security policy taking effect.
Step A specifically comprises:
the mobile node customizing the security policy it needs by following the voice prompts of a call-centre system or by interacting with customer-service staff, the Security Policy Server configuring this security policy on the node's home agent, and the security policy taking effect.
Step A specifically comprises:
starting deep packet inspection in the network where the home agent is located, the deep packet inspection comprising screening and filtering the packets the mobile node sends and receives, and, according to the inspection result, the security policy of the mobile node being issued automatically to its home agent and taking effect.
Step A specifically comprises:
the deep packet inspection screening and filtering the packets the mobile node sends and receives and checking for the activity of viruses and spam; after a predetermined number of abnormal packets has been found, a corresponding security policy being generated automatically and issued to the home agent by the Security Policy Server using a policy distribution protocol.
The policy distribution protocol comprises the Common Open Policy Service (COPS) protocol or the Diameter protocol.
Step A specifically comprises:
configuring an intrusion detection and prevention system (IDP) and/or a firewall on the home agent.
Step B specifically comprises:
the home agent filtering, according to the configured security policy, the received packets that are addressed to the mobile node or sent by the mobile node.
The mobile IP network comprises an Internet Protocol version 4 (IPv4) network and an Internet Protocol version 6 (IPv6) network.
A system for implementing a security scheme in a mobile IP network comprises:
a Security Policy Server, used to receive the security policy of the mobile node, whether configured actively by the mobile node or issued automatically by the network, including the user's security policy and the system's security policy, and to issue this security policy to the security policy management module;
a security policy management module, used to manage the security policy issued by the Security Policy Server and, according to this security policy, to inspect and filter the packets received and sent by the home agent that are addressed to the mobile node or sent by the mobile node; this module is located inside the home agent.
The system further comprises:
an intrusion detection and prevention system, used to start deep packet inspection in the network where the home agent is located, the deep packet inspection comprising screening and filtering the packets the mobile node sends and receives, and, in coordination with the Security Policy Server, to discover intrusions and attacks, including attacks and viruses, originating from the user or the network and to take defensive action automatically; this system is located inside or outside the home agent;
and/or
a firewall, used to inspect and filter the packets received and sent by the home agent; this firewall is located inside or outside the home agent.
As can be seen from the technical solution provided above, by manually configuring or automatically issuing the user's security policy at the HA, the present invention filters and blocks illegitimate packets addressed to the MN or sent by the MN. This both reduces the MN's exposure to attack and protects the FA, the HA, the MN and the wireless equipment, thereby guaranteeing the secure operation of the mobile IP network and avoiding unnecessary waste of the mobile IP network's resources.
Brief description of the drawings
Figure 1 is a schematic diagram of the packet transfer process between the MN and the CN in mobile IPv4;
Figure 2 is a schematic diagram of the packet transfer process between the MN and the CN in mobile IPv6;
Figure 3 is a schematic diagram of the method of the present invention;
Figure 4 is a flow chart of the specific processing of the method of the present invention;
Figure 5 is a structural diagram of one form of the system of the present invention;
Figure 6 is a structural diagram of another form of the system of the present invention.
Embodiments
The present invention provides a method and system for implementing a security scheme in a mobile IP network. Its core is that the user's security policy is configured actively or issued automatically at the HA, and illegitimate packets addressed to the MN or sent by the MN are filtered and blocked.
The present invention is described in detail below with reference to the drawings. Figure 3 is a schematic diagram of the method; its specific processing flow, shown in Figure 4, comprises the following steps:
Step 4-1: the user's security policy is configured actively or issued automatically at the HA.
The present invention first requires the user's security policy to be configured actively or issued automatically at the HA.
The process by which a user actively configures his own security policy is as follows:
When the user needs to, for example after having received a large number of abnormal packets, the mobile node customizes the security policy it needs by logging in to its self-service portal system on the network; or customizes it through an SMS or MMS system; or customizes it by following the voice prompts of a call-centre system or by interacting with customer-service staff. The Security Policy Server then configures this security policy on the node's home agent, and the security policy takes effect.
The process by which the network automatically issues a user's security policy is as follows:
First, deep packet inspection technology is introduced.
Deep packet inspection analyses the packet header or the content of the payload in order to direct, filter and record the traffic of IP-based applications and web services, and it is not restricted to particular protocol types or application types. Deep packet inspection can analyse in depth the content of IP, TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) traffic.
Accordingly, DPI (deep packet inspection) is started in the network where the HA is located to screen and filter the packets the mobile node sends and receives. The activity of viruses and spam is checked, and when a predetermined number of abnormal packets has been found, a corresponding security policy is generated automatically and issued to the HA by the Security Policy Server using a policy distribution protocol such as COPS (Common Open Policy Service) or Diameter.
In addition, an IDP (intrusion detection and prevention system) and/or a firewall can be configured at the HA to inspect and filter the packets entering and leaving the HA. The IDP not only detects that an intrusion is occurring but can also, through a response mechanism such as coordination with the Security Policy Server, stop the intrusion from proceeding and developing in real time, so that the system is protected from substantive attack. The firewall inspects and filters the packets the home agent receives and sends.
Step 4-2: using the actively configured or automatically issued security policy, security control processing is applied to the packets addressed to the MN and the packets sent by the MN.
After the MN has completed normal registration with the HA, the HA begins to receive packets addressed to the MN from the CN and others, and packets sent by the MN. It applies the corresponding security control processing to the received packets according to the user's security policy configured actively or issued automatically as described above.
Using the security policy, the HA can filter the packets addressed to the MN or sent by the MN, for example by filtering viruses from the mail a particular user sends, filtering spam addressed to a particular user, or filtering certain illegally operated applications (such as unauthorised VoIP applications).
According to the customized policy, the security server can also promptly notify the user of the security actions it has taken. For example, after discovering a virus hidden in the traffic the MN sends, it can use a forced portal to push a web page to the user, prompting the user to install a patch or upgrade the security software.
At the customized interval, the security server periodically notifies the user, by SMS, MMS, e-mail, phone call or similar means, of statistics such as the junk traffic and attack traffic addressed to the user that the HA has filtered out.
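To make steps 4-1 and 4-2 concrete, the following is an added Python sketch (not code from the patent) of a home agent with a policy-management module, a Security Policy Server and a DPI module: the DPI module counts abnormal packets per peer and, at a predetermined threshold, auto-generates a policy that the server issues to the HA, which then filters; the user-customized path is shown as a port block, and drop counts are kept for the periodic user report. The packet and policy shapes, the addresses and the spam marker are constructed assumptions, and the COPS/Diameter transport is replaced by a direct call.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str      # source address (constructed sample values are used below)
    dst: str      # destination address
    dport: int    # destination port
    payload: bytes

@dataclass
class Policy:   # per-mobile-node security policy held on the home agent (simplified shape, an assumption)
    blocked_sources: set = field(default_factory=set)
    blocked_ports: set = field(default_factory=set)   # e.g. the port of a disallowed VoIP service

    def merge(self, other):
        self.blocked_sources |= other.blocked_sources
        self.blocked_ports |= other.blocked_ports

class HomeAgent:
    """Keeps MN registrations and per-MN policies; filters every packet to or from a registered MN."""
    def __init__(self):
        self.registered = set()
        self.policies = {}
        self.stats = {}   # mn -> Counter of drop reasons: the figures reported to the user periodically
        self.dpi = None   # DeepPacketInspector attached by the operator, if any

    def register(self, mn):
        self.registered.add(mn)
        self.policies.setdefault(mn, Policy())
        self.stats.setdefault(mn, Counter())

    def install_policy(self, mn, policy):
        """Policy-management module entry point, called by the Security Policy Server."""
        self.policies.setdefault(mn, Policy()).merge(policy)

    def handle(self, pkt):
        """Return True if the packet is forwarded (tunnelled to the MN or routed on), False if filtered."""
        if pkt.dst in self.registered:
            mn, peer = pkt.dst, pkt.src
        elif pkt.src in self.registered:
            mn, peer = pkt.src, pkt.dst
        else:
            return False  # no binding for either address on this HA
        pol = self.policies[mn]
        if peer in pol.blocked_sources:
            self.stats[mn]["blocked_source"] += 1
            return False
        if pkt.dport in pol.blocked_ports:
            self.stats[mn]["blocked_port"] += 1
            return False
        if self.dpi is not None:
            self.dpi.inspect(mn, peer, pkt)   # forwarded traffic is still screened by DPI
        return True

    def report(self, mn):   # filtered-traffic statistics the security server sends the user periodically
        return dict(self.stats.get(mn, Counter()))

class PolicyServer:
    """Security Policy Server: receives a policy from the user (portal, SMS/MMS, call centre) or from
    DPI and issues it to the HA. The patent carries the DPI path over COPS or Diameter; here it is a call."""
    def __init__(self, ha):
        self.ha = ha

    def issue(self, mn, policy):
        self.ha.install_policy(mn, policy)

class DeepPacketInspector:
    """Screens MN traffic for spam/virus markers; after `threshold` abnormal packets from one peer
    it auto-generates a policy blocking that peer and hands it to the policy server."""
    def __init__(self, server, threshold, markers):
        self.server, self.threshold = server, threshold
        self.markers = markers      # constructed byte signatures, not real malware signatures
        self.abnormal = Counter()   # (mn, peer) -> abnormal packet count

    def inspect(self, mn, peer, pkt):
        if not any(m in pkt.payload for m in self.markers):
            return
        self.abnormal[(mn, peer)] += 1
        if self.abnormal[(mn, peer)] == self.threshold:
            self.server.issue(mn, Policy(blocked_sources={peer}))

def run_scenario():
    """Constructed scenario: one MN flooded with marked spam, plus a user-customized VoIP port block."""
    ha = HomeAgent()
    server = PolicyServer(ha)
    ha.dpi = DeepPacketInspector(server, threshold=3, markers={b"SPAM-MARKER"})
    mn, spammer, friend = "2001:db8::10", "2001:db8:bad::1", "2001:db8::22"
    ha.register(mn)
    server.issue(mn, Policy(blocked_ports={5060}))  # user customized: block SIP/VoIP to this MN
    forwarded = [ha.handle(Packet(spammer, mn, 25, b"hello SPAM-MARKER")) for _ in range(5)]
    forwarded.append(ha.handle(Packet(friend, mn, 5060, b"INVITE")))
    forwarded.append(ha.handle(Packet(friend, mn, 80, b"GET /")))
    return forwarded, ha.report(mn)
```

The first three marked packets still reach the MN because the policy is only generated once the threshold is hit; lowering the threshold or running DPI before the forwarding decision trades detection confidence for earlier blocking.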
One structure of the system of the present invention, shown in Figure 5, comprises the following modules:
Security Policy Server: used to receive the security policy configured actively by the mobile node or issued automatically by the network, including the user's security policy and the system's security policy, and to issue this security policy to the home agent.
Home agent: used to manage the security policy issued by the Security Policy Server and, according to this security policy and the other configured security measures, to inspect and filter the packets the home agent receives and sends. The home agent comprises a security policy management module, an intrusion detection and prevention system and a firewall.
The security policy management module is used to manage the security policy issued by the Security Policy Server and, according to this security policy, to inspect and filter the packets the home agent receives and sends.
The intrusion detection and prevention system is used to perform deep inspection of the packets the home agent receives and, in coordination with the Security Policy Server, to discover intrusions and attacks, including attacks and viruses, originating from the user or the network and to take defensive action automatically.
The firewall is used to inspect and filter the packets the home agent receives and sends.
Another structure of the system of the present invention, shown in Figure 6, comprises the following modules:
Security Policy Server: used to receive the security policy configured actively by the mobile node or issued automatically by the network, including the user's security policy and the system's security policy, and to issue this security policy to the home agent.
Home agent: comprises a security policy management module, which is used to manage the security policy issued by the Security Policy Server and, according to this security policy, to inspect and filter the packets the home agent receives and sends.
Intrusion detection and prevention system: used to perform deep inspection of the packets the home agent receives and, in coordination with the Security Policy Server, to discover intrusions and attacks, including attacks and viruses, originating from the user or the network and to take defensive action automatically.
Firewall: used to inspect and filter the packets the home agent receives and sends.
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention is therefore defined by the claims.

Claims (13)

1. A method for implementing a security scheme in a mobile IP network, characterized in that it comprises:
A. configuring, on the home agent of a mobile node in the mobile IP network, the security policy of the mobile node;
B. according to the security policy, the home agent performing security control processing on the received packets that are addressed to the mobile node or sent by the mobile node.
2. The method for implementing a security scheme in a mobile IP network according to claim 1, characterized in that step A specifically comprises:
on the home agent of the mobile node in the mobile IP network, the security policy of the node being configured actively or issued automatically by the network.
3. The method for implementing a security scheme in a mobile IP network according to claim 2, characterized in that step A specifically comprises:
the mobile node customizing the security policy it needs by logging in to its self-service portal system on the network, the Security Policy Server configuring this security policy on the node's home agent, and the security policy taking effect.
4. The method for implementing a security scheme in a mobile IP network according to claim 2, characterized in that step A specifically comprises:
the mobile node customizing the security policy it needs through an SMS or MMS system, the Security Policy Server configuring this security policy on the node's home agent, and the security policy taking effect.
5. The method for implementing a security scheme in a mobile IP network according to claim 2, characterized in that step A specifically comprises:
the mobile node customizing the security policy it needs by following the voice prompts of a call-centre system or by interacting with customer-service staff, the Security Policy Server configuring this security policy on the node's home agent, and the security policy taking effect.
6. The method for implementing a security scheme in a mobile IP network according to claim 2, characterized in that step A specifically comprises:
starting deep packet inspection in the network where the home agent is located, the deep packet inspection comprising screening and filtering the packets the mobile node sends and receives, and, according to the inspection result, the security policy of the mobile node being issued automatically to its home agent and taking effect.
7. The method for implementing a security scheme in a mobile IP network according to claim 6, characterized in that step A specifically comprises:
the deep packet inspection screening and filtering the packets the mobile node sends and receives and checking for the activity of viruses and spam; after a predetermined number of abnormal packets has been found, a corresponding security policy being generated automatically and issued to the home agent by the Security Policy Server using a policy distribution protocol.
8. The method for implementing a security scheme in a mobile IP network according to claim 7, characterized in that the policy distribution protocol comprises the Common Open Policy Service (COPS) protocol or the Diameter protocol.
9. The method for implementing a security scheme in a mobile IP network according to claim 2, characterized in that step A specifically comprises:
configuring an intrusion detection and prevention system (IDP) and/or a firewall on the home agent.
10. The method for implementing a security scheme in a mobile IP network according to claim 1, 2, 3, 4, 5, 6, 7, 8 or 9, characterized in that step B specifically comprises:
the home agent filtering, according to the configured security policy, the received packets that are addressed to the mobile node or sent by the mobile node.
11. The method for implementing a security scheme in a mobile IP network according to claim 1, characterized in that the mobile IP network comprises an Internet Protocol version 4 (IPv4) network and an Internet Protocol version 6 (IPv6) network.
12. A system for implementing a security scheme in a mobile IP network, characterized in that it comprises:
a Security Policy Server, used to receive the security policy of the mobile node, whether configured actively by the mobile node or issued automatically by the network, including the user's security policy and the system's security policy, and to issue this security policy to the security policy management module;
a security policy management module, used to manage the security policy issued by the Security Policy Server and, according to this security policy, to inspect and filter the packets received and sent by the home agent that are addressed to the mobile node or sent by the mobile node; this module is located inside the home agent.
13. The system for implementing a security scheme in a mobile IP network according to claim 12, characterized in that the system further comprises:
an intrusion detection and prevention system, used to start deep packet inspection in the network where the home agent is located, the deep packet inspection comprising screening and filtering the packets the mobile node sends and receives, and, in coordination with the Security Policy Server, to discover intrusions and attacks, including attacks and viruses, originating from the user or the network and to take defensive action automatically; this system is located inside or outside the home agent;
and/or
a firewall, used to inspect and filter the packets received and sent by the home agent; this firewall is located inside or outside the home agent.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101062468A CN100446506C (en) 2005-09-19 2005-09-19 Safety scheme solving method and system for mobile IP network


Publications (2)

Publication Number Publication Date
CN1866915A CN1866915A (en) 2006-11-22
CN100446506C true CN100446506C (en) 2008-12-24

Family

ID=37425804


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109246136B (en) * 2016-08-25 2020-12-04 杭州数梦工场科技有限公司 Message control method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020157024A1 (en) * 2001-04-06 2002-10-24 Aki Yokote Intelligent security association management server for mobile IP networks
CN1505320A (en) * 2002-11-28 2004-06-16 NTT DoCoMo Inc. Communication control apparatus, firewall apparatus, and data communication method
CN1643947A (en) * 2002-03-20 2005-07-20 Ut斯达康有限公司 Method to provide dynamic internet protocol security policy service
US20050175002A1 (en) * 2004-02-09 2005-08-11 Nokia Corporation Alternative method to the return routability test to send binding updates to correspondent nodes behind firewalls

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Application of the distributed firewall concept to mobile IP security. 李卓明, 刘乃安, 曾兴雯. 无线通信技术, no. 4, 2002 *
Security threats and countermeasures in mobile IP. 王勇, 王春霞. 中国数据通信, no. 1, 2004 *
An application-adaptive framework based on proxy filters in a mobile IP environment. 万俊伟, 卢锡城. 计算机研究与发展, vol. 37, no. 5, 2000 *

Also Published As

Publication number Publication date
CN1866915A (en) 2006-11-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081224