CN101183936B - IPv6 identification load switching method in internet cipher key switch - Google Patents
- Publication number: CN101183936B (application number CN2007101959129A)
- Authority: CN (China)
- Prior art keywords: ipv6, identification payload, message, count value, payload
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention provides a method for exchanging IPv6 identification payloads in Internet Key Exchange, comprising the following steps: when the originating end, negotiating an IPv6 policy, sends an Internet Key Exchange message carrying an identification payload of type ID_IPV6_ADDR_SUBNET, it fills the identification payload content of the message in the ipv6-address/prefix-length format; after receiving the message, the responder parses the identification payload and sends an Internet Key Exchange response message to the originating end. The advantages of the invention are that the identification payload is shortened, processing at the originating and receiving ends is simplified, and the method remains compatible with the original protocol.
Description
Technical field
The present invention relates to the field of data communication, and in particular to a method for exchanging IPv6 identification payloads in an IKE (Internet Key Exchange) exchange.
Background technology
Security has become an increasingly important requirement in the field of data communication.
IPsec provides a complete architecture for network data security at the IP layer, comprising the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP), a key management protocol, and the algorithms used for authentication and encryption. IPsec specifies how peers select security protocols, determine security algorithms and exchange keys, and it provides network security services such as access control, data-origin authentication and data encryption to the layers above.
The key management protocol is principally the Internet Key Exchange (IKE), which solves the problem of securely establishing or updating a shared key over an insecure network such as the Internet. The IKE exchange uses the Identification Payload defined in RFC 2407, "The Internet IP Security Domain of Interpretation for ISAKMP"; this payload lets the two parties exchange identity information, which is used to confirm the identity of the SA negotiation initiator. The responder uses the identity information to decide which security policy is applied to the security association (SA).
When IKE supports IPv6, the ID_IPV6_ADDR_SUBNET type can be used to negotiate policy between the peers; its payload content is two 16-byte values, the first 16 bytes representing the IPv6 address and the second 16 bytes representing the IPv6 netmask.
This approach has the following shortcomings:
According to RFC 2373, "IP Version 6 Addressing Architecture", an IPv6 prefix is written in the ipv6-address/prefix-length form, which is inconsistent with the format specified in RFC 2407.
Sending an ID_IPV6_ADDR_SUBNET identification payload with a 16-byte netmask, as RFC 2407 requires, occupies extra payload length, and because the subnet is expressed as a full netmask rather than a prefix length, the receiver must perform bitwise AND operations when parsing it, which is cumbersome.
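As an added illustration of the two layouts compared above (example code, not part of the patent): in the RFC 2407 layout the Identification Data field carries a 16-byte address followed by a 16-byte netmask, and in the ipv6-address/prefix-length layout it carries the address followed by a 4-byte word whose low 8 bits hold the prefix length. The code wraps both in the ISAKMP/RFC 2407 ID payload header (Next Payload, RESERVED, Payload Length, ID Type, Protocol ID, Port; ID_IPV6_ADDR_SUBNET has ID type value 6), so the 20- and 32-byte figures quoted on this page become 28 and 40 bytes on the wire once the 8-byte header is counted. The function and constant names are this example's own. The checks that reject out-of-range prefix lengths, non-zero reserved bits and non-contiguous netmasks are added here as things a practitioner would want; the page does not describe them.

```python
"""Encode and decode ID_IPV6_ADDR_SUBNET identification data in the two
layouts the page compares: RFC 2407 address+netmask (32 bytes) and
address/prefix-length (20 bytes).  Added example, not the patent's code;
helper names are this example's own."""
import ipaddress
import struct

ID_IPV6_ADDR_SUBNET = 6      # RFC 2407 ID type value
DATA_LEN_RFC2407 = 32        # 16-byte address + 16-byte netmask
DATA_LEN_PREFIX = 20         # 16-byte address + 4-byte prefix-length word


def prefix_to_mask(plen):
    """128-bit contiguous netmask for a prefix length 0..128."""
    if not 0 <= plen <= 128:
        raise ValueError("prefix length out of range: %d" % plen)
    return ((1 << 128) - (1 << (128 - plen))).to_bytes(16, "big")


def mask_to_prefix(mask):
    """Inverse of prefix_to_mask.  This is the bitwise work the page complains
    about, and it is lossy: a non-contiguous mask has no prefix-length form,
    so it is rejected (added check, not from the page)."""
    if len(mask) != 16:
        raise ValueError("IPv6 netmask must be 16 bytes")
    m = int.from_bytes(mask, "big")
    plen = bin(m).count("1")
    if m != (1 << 128) - (1 << (128 - plen)):
        raise ValueError("netmask is not a contiguous prefix: %s" % mask.hex())
    return plen


def encode_id_data(address, plen, use_prefix_format):
    """Identification Data for ID_IPV6_ADDR_SUBNET in either layout."""
    addr = ipaddress.IPv6Address(address).packed
    if not 0 <= plen <= 128:
        raise ValueError("prefix length out of range: %d" % plen)
    if use_prefix_format:
        return addr + struct.pack("!I", plen)   # low 8 bits = prefix, high 24 bits = 0
    return addr + prefix_to_mask(plen)


def decode_id_data(data):
    """Dispatch on length, as the patent's responder does.  Any other length
    is rejected rather than guessed at (added check)."""
    if len(data) == DATA_LEN_PREFIX:
        word, = struct.unpack("!I", data[16:20])
        if word >> 8:
            raise ValueError("reserved high 24 bits of the prefix word are non-zero")
        plen = word & 0xFF
        if plen > 128:
            raise ValueError("prefix length out of range: %d" % plen)
    elif len(data) == DATA_LEN_RFC2407:
        plen = mask_to_prefix(data[16:32])
    else:
        raise ValueError("unexpected ID_IPV6_ADDR_SUBNET data length %d" % len(data))
    return str(ipaddress.IPv6Address(data[:16])), plen


def build_id_payload(data, next_payload=0, proto=0, port=0):
    """Wrap identification data in the RFC 2407 ID payload: Next Payload,
    RESERVED, Payload Length (including this 8-byte header), ID Type,
    Protocol ID, Port, then the Identification Data."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data),
                       ID_IPV6_ADDR_SUBNET, proto, port) + data


def parse_id_payload(payload):
    """Parse a whole ID payload; the length field must match the bytes seen."""
    if len(payload) < 8:
        raise ValueError("truncated ID payload")
    _next, _res, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if id_type != ID_IPV6_ADDR_SUBNET:
        raise ValueError("not an ID_IPV6_ADDR_SUBNET payload: type %d" % id_type)
    if length != len(payload):
        raise ValueError("payload length field %d != actual %d" % (length, len(payload)))
    return decode_id_data(payload[8:])
```

The mask-to-prefix direction is where the bitwise work sits, and it is also the direction that can lose information: an implementation that converts RFC 2407 payloads into the shorter form must refuse a mask that is not one contiguous run of ones instead of silently approximating it.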
Summary of the invention
The technical problem solved by the present invention is to provide a method for exchanging IPv6 identification payloads in Internet Key Exchange that remedies the defects of the prior art when an ID_IPV6_ADDR_SUBNET identification payload is sent: in the original way of filling in the payload content, the netmask occupies extra payload length and is difficult to process.
To solve the above problem, the invention provides a method for IPv6 identification payload exchange in Internet Key Exchange, comprising:
When the originating end, negotiating an IPv6 policy, sends an Internet Key Exchange message carrying an identification payload of type ID_IPV6_ADDR_SUBNET, the content of the identification payload in the message is filled in the ipv6-address/prefix-length format;
After the responder receives the message, it parses the identification payload therein and sends an Internet Key Exchange response message to the originating end.
Further, after the originating end sends the Internet Key Exchange message, if it receives an error message from the responder, or does not receive the responder's Internet Key Exchange response message before a timeout, it resends the Internet Key Exchange message.
Further, each time the originating end sends the Internet Key Exchange message it first reads a count value. If the count value is 0, it fills in the identification payload in the ipv6-address/prefix-length format; if the count value is 1, it fills in the identification payload in the 32-byte format, the first 16 bytes being the IPv6 address and the second 16 bytes the IPv6 netmask. After filling in the content of the identification payload it changes the count value.
Further, after the responder receives the message, it first determines whether it can parse the identification payload therein; if so, it parses the identification payload, otherwise it sends an error message to the originating end.
Further, when the responder parses the identification payload: if the length of the identification payload is 20 bytes, it parses it in the ipv6-address/prefix-length format; if the length is 32 bytes, it parses it in the format where the first 16 bytes are the IPv6 address and the second 16 bytes are the IPv6 netmask.
Further, a switch is provided at the originating end to represent the count value: when the switch is open the count value is 0, and when the switch is closed the count value is 1.
Further, changing the count value after filling in the content of the identification payload means: if the switch was open when the count value was read, it is set to the closed state after the identification payload content is filled in; if the switch was closed when the count value was read, it is set to the open state after the identification payload content is filled in.
In summary, the invention provides a method for IPv6 identification payload exchange in Internet Key Exchange in which, when an ID_IPV6_ADDR_SUBNET identification payload is sent, the payload content is preferentially filled in the ipv6-address/prefix-length format. This shortens the identification payload, simplifies processing at the originating and receiving ends, and remains compatible with the original protocol.
Description of drawings
Fig. 1 is the application scenario diagram of the present invention;
Fig. 2 is the flowchart of the originating end in the Internet Key Exchange according to the present invention;
Fig. 3 is the flowchart of the responder in the Internet Key Exchange according to the present invention.
Embodiment
The invention provides the method for IPv6 identification load exchange in a kind of the Internet Key Exchange, Fig. 1 is application scenarios figure of the present invention, and the IPsec peers include both interconnects by IP network, by the ike negotiation key; IP network is the IPv6 network.When the originating end of IKE exchange sends the identification load of ID_IPV6_ADDR_SUBNET type, the preferential form of ipv6-address/prefix-length that adopts is filled in the identification load content, promptly use 20 byte lengths to fill in identification load, first 16 byte is the IPv6 address, the least-significant byte sign prefix length of next 4 bytes, high 24 are filled to 0.
Describe the inventive method below with reference to accompanying drawing in detail with the mode of embodiment:
The operation of originating end when being illustrated in figure 2 as local terminal as negotiation IPv6 strategy:
Step 201: the beginning consulting tactical is ready for sending the IKE message that carries ID load;
Step 202: judging whether the ID load type is ID_IPV6_ADDR_SUBNET, is execution in step 203 then;
Step 203: checking whether count value is 0, is execution in step 204 then, otherwise execution in step 205;
Can but be not limited to one switch to be set and identify count value at originating end, represent during switch open that the count value value is 0, the count value value was 1 when switch cut out.
Step 204: the ID payload content is extended this as the ipv6-address/prefix-length form, take 20 byte lengths altogether, first 16 byte is the IPv6 address, the least-significant byte sign prefix length of 4 bytes in back, and high 24 are filled to 0; And change the switch state of this moment, and switch is changed to closed condition, be about to count value and be made as 1.Execution in step 206;
Step 205: the count value that sends ID load is carried out clearly 0, promptly change the switch state of this moment, switch is changed to opening; And fill in the ID payload content by the form of the ID_IPV6_ADDR_SUBNET type of the former regulation of agreement, be about to the value that ID load extends this as 2 16 bytes, first 16 byte representation IPv6 address, second 16 byte representation IPv6 netmask; Execution in step 206;
Step 206: the IKE message that sends packaged ID load is to the opposite end, is about to packaged ID load and sends to responder together with the remainder of IKE message, herein the same prior art of remainder content of IKE message;
Do not receive the IKE back message using that responder is sent if receive error message or overtime back originating end that responder is sent after the step 206, then resend the IKE message that carries ID load.When resending the IKE message, send by the ipv6-address/prefix-length form, send if count value is 1 form by 32 bytes of the former regulation of agreement if count value is 0.The same prior art of overtime herein implication.
Fig. 3 shows the processing flow of the peer that receives the IKE message as the responder:
Step 301: Receive the IKE message from the originating end;
Step 302: If the received IKE message contains an ID payload, determine whether the ID payload type is ID_IPV6_ADDR_SUBNET; if so, go to step 303;
Step 303: Determine whether the ID payload in the received IKE message can be parsed, that is, whether ID payloads in the ipv6-address/prefix-length format are supported; if it can be parsed, go to step 304, otherwise go to step 309;
Step 304: Determine whether the ID payload length in the IKE message is 20 bytes; if so, go to step 305, otherwise go to step 306;
Step 305: Parse the ID payload in the ipv6-address/prefix-length format, occupying 20 bytes in total: the first 16 bytes are the IPv6 address, the low 8 bits of the last 4 bytes carry the prefix length, and the high 24 bits are 0. Go to step 308;
Step 306: Determine whether the ID payload length in the IKE message is 32 bytes; if so, go to step 307;
Step 307: Parse the ID payload content as defined by the original protocol, occupying 32 bytes in total: the first 16 bytes are the IPv6 address and the second 16 bytes are the IPv6 netmask. Go to step 308;
Step 308: Send the corresponding IKE response message to the originating end; this step is as in the prior art.
Step 309: Send an error message to the originating end.
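The two flowcharts together, as an added simulation (example code, not the patent's own implementation): the originating end keeps the count value (the patent's switch, open = 0, closed = 1), picks the layout from it, flips it after every send, and retransmits on an error or timeout; the responder dispatches on the Identification Data length, 20 bytes for the ipv6-address/prefix-length layout and 32 bytes for the RFC 2407 layout, and returns an error for anything it cannot parse. The class names, the reply constants, the retry budget of two attempts, the "silent" responder that models a lost reply, and the "legacy" responder that only knows the RFC 2407 layout are all this example's assumptions; the bounds check on the prefix length, the reserved-bits check and the contiguous-mask check are added here and are not described on the page. Note that, as steps 204 and 205 describe it, the count value is flipped after every send and is not reset after a successful negotiation, so successive negotiations from the same originating end alternate between layouts; the simulation mirrors that.

```python
"""Simulation of the originating-end flow (Fig. 2) and responder flow (Fig. 3)
for the ID_IPV6_ADDR_SUBNET identification payload.  Added example, not the
patent's code; class names, reply constants and the retry budget are this
example's assumptions."""
import ipaddress
import struct

ID_IPV6_ADDR_SUBNET = 6                          # RFC 2407 ID type value
OK, ERROR, TIMEOUT = "ok", "error", "timeout"    # constructed reply kinds


class Initiator:
    """Originating end: holds the count value (the patent's switch)."""

    def __init__(self, address, plen):
        if not 0 <= plen <= 128:
            raise ValueError("prefix length out of range: %d" % plen)
        self.addr = ipaddress.IPv6Address(address).packed
        self.plen = plen
        self.count = 0      # switch open = 0 -> prefix-length form; closed = 1 -> RFC 2407 form
        self.sent = []      # Identification Data lengths sent, for inspection

    def build_id_data(self):
        """Steps 203-205: choose the layout from the count value, then flip it."""
        if self.count == 0:
            data = self.addr + struct.pack("!I", self.plen)        # 20 bytes, high 24 bits zero
        else:
            mask = ((1 << 128) - (1 << (128 - self.plen))).to_bytes(16, "big")
            data = self.addr + mask                                  # 32 bytes per RFC 2407
        self.count ^= 1
        self.sent.append(len(data))
        return data

    def negotiate(self, responder, max_attempts=2):
        """Step 206 and the retransmit rule: resend on error or timeout."""
        for _ in range(max_attempts):
            if responder.receive(ID_IPV6_ADDR_SUBNET, self.build_id_data()) == OK:
                return True
        return False


class Responder:
    """Responding end.  supports_prefix_form=False models a peer that only
    implements RFC 2407; silent=True models a peer whose replies are lost."""

    def __init__(self, supports_prefix_form, silent=False):
        self.supports_prefix_form = supports_prefix_form
        self.silent = silent
        self.accepted = None    # (address, prefix length) from the last good payload

    def receive(self, id_type, data):
        """Steps 302-309: dispatch on the Identification Data length."""
        if self.silent:
            return TIMEOUT
        if id_type != ID_IPV6_ADDR_SUBNET:
            return ERROR
        if len(data) == 20:
            if not self.supports_prefix_form:
                return ERROR                # step 309: this layout cannot be parsed
            word, = struct.unpack("!I", data[16:])
            plen = word & 0xFF
            if word >> 8 or plen > 128:     # reserved bits set or impossible prefix (added check)
                return ERROR
        elif len(data) == 32:
            mask = int.from_bytes(data[16:], "big")
            plen = bin(mask).count("1")
            if mask != (1 << 128) - (1 << (128 - plen)):
                return ERROR                # added check: only masks the 20-byte form can express
        else:
            return ERROR                    # neither layout: reject rather than guess
        self.accepted = (str(ipaddress.IPv6Address(data[:16])), plen)
        return OK


def run(address, plen, responder):
    """One negotiation; returns (success, lengths sent, identity accepted)."""
    init = Initiator(address, plen)
    return init.negotiate(responder), init.sent, responder.accepted


if __name__ == "__main__":
    print(run("2001:db8::", 64, Responder(True)))    # (True, [20], ('2001:db8::', 64))
    print(run("2001:db8::", 64, Responder(False)))   # (True, [20, 32], ('2001:db8::', 64))
```

Against a responder that understands the new layout the negotiation completes with a single 20-byte message; against the legacy model the first message is rejected and the retransmission goes out in the 32-byte form, which is the compatibility path the page relies on. The responder's length check is strict on purpose: with two valid lengths and nothing else in the payload to tell the layouts apart, any other length is rejected rather than guessed at.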
Claims (7)
1. A method for IPv6 identification payload exchange in Internet Key Exchange, comprising:
when the originating end, negotiating an IPv6 policy, sends an Internet Key Exchange message carrying an identification payload of type ID_IPV6_ADDR_SUBNET, filling the content of the identification payload in said message in the ipv6-address/prefix-length format;
after the responder receives said message, parsing the identification payload therein and sending an Internet Key Exchange response message to the originating end.
2. The method of claim 1, characterized in that:
after said originating end sends said Internet Key Exchange message, if it receives an error message from said responder, or does not receive said responder's Internet Key Exchange response message before a timeout, it resends said Internet Key Exchange message.
3. The method of claim 2, characterized in that:
each time said originating end sends said Internet Key Exchange message, it first reads a count value; if said count value is 0 it fills in the identification payload therein in the ipv6-address/prefix-length format, and if said count value is 1 it fills in said identification payload in the 32-byte format, the first 16 bytes being the IPv6 address and the second 16 bytes being the IPv6 netmask; after filling in the content of said identification payload it changes said count value.
4. The method of claim 1, characterized in that:
after said responder receives said message, it first determines whether it can parse the identification payload therein; if so, it parses said identification payload, otherwise it sends an error message to the originating end.
5. The method of claim 3, characterized in that:
when said responder parses said identification payload, if the length of said identification payload is 20 bytes it parses said identification payload in the ipv6-address/prefix-length format, and if the length of said identification payload is 32 bytes it parses said identification payload in the format where the first 16 bytes are the IPv6 address and the second 16 bytes are the IPv6 netmask.
6. The method of claim 3, characterized in that:
a switch is provided at the originating end to represent said count value; when the switch is open the count value is 0, and when the switch is closed the count value is 1.
7. The method of claim 6, characterized in that:
changing said count value after filling in the content of said identification payload means: if the switch was open when the count value was read, said switch is set to the closed state after the content of said identification payload is filled in, and if the switch was closed when the count value was read, said switch is set to the open state after the content of said identification payload is filled in.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101959129A CN101183936B (en) | 2007-12-04 | 2007-12-04 | IPv6 identification load switching method in internet cipher key switch |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101183936A CN101183936A (en) | 2008-05-21 |
CN101183936B true CN101183936B (en) | 2011-04-20 |
Family
ID=39449034
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007101959129A Active CN101183936B (en) | 2007-12-04 | 2007-12-04 | IPv6 identification load switching method in internet cipher key switch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101183936B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102065423B (en) * | 2010-12-13 | 2013-07-10 | 中国联合网络通信集团有限公司 | Node access authentication method, access authenticated node, access node and communication system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1744596A (en) * | 2004-09-01 | 2006-03-08 | 华为技术有限公司 | Method for host obtaining network allocation parameterns in IPV6 network |
CN101019383A (en) * | 2004-07-30 | 2007-08-15 | 奥林奇股份有限公司 | Tunneling internet protocol packets between a gateway support node and a mobile terminal |
- 2007-12-04: CN2007101959129A filed; granted as CN101183936B, status Active
Non-Patent Citations (4)
Title |
---|
D. Piper. RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP. Network Working Group, The Internet Society, 1998. Entire document. * |
R. Hinden, S. Deering. RFC 2373: IP Version 6 Addressing Architecture. Network Working Group, The Internet Society, 1998. Entire document. * |
Yiu Keung Li, Derek Pao. Comparative Studies of Address Lookup Algorithms for IPv6. Advanced Communication Technology, 2006 (ICACT 2006), The 8th International Conference, 2006, vol. 1, pp. 285-290. * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
ES2362993T3 (en) | A METHOD AND PROVISION TO PROVIDE SECURITY THROUGH CONVERSION OF NETWORK ADDRESSES USING TUNNEL AND COMPENSATIONS. | |
US8843738B2 (en) | TLS abbreviated session identifier protocol | |
EP1916797B1 (en) | Authentication authorization accounting protocol message transmitting method | |
US20040184456A1 (en) | Packet-oriented data communications between mobile and fixed data networks | |
US20050259673A1 (en) | Method and system for end-to-end communication between a universal integrated circuit card and a remote entity over an IP-based wireless wide area network and the internet | |
CN113630773A (en) | Safety implementation method, equipment and system | |
FI116027B (en) | A method and system to ensure the secure transmission of messages | |
CN104618902A (en) | Un-ciphered network operation solution | |
KR102006873B1 (en) | A method and a system for dynamically changing upper bound on data packet size in wireless communication networks | |
JP5447522B2 (en) | Communication between client and server in mobile radio communication device | |
CN108011927A (en) | The method, apparatus and storage medium and electronic equipment of request data | |
US20140029493A1 (en) | Wireless Communication Interworking Function | |
CN111355698B (en) | Transmission method, device, message sending end and receiving end | |
CN107294913A (en) | Safety communicating method, service end and client based on HTTP | |
US9602476B2 (en) | Method of selectively applying data encryption function | |
CN1855924A (en) | Method for network layer safety text going through address changing device | |
US20060013192A1 (en) | Obtaining and notifying middle box information | |
JP5716712B2 (en) | Packet transfer apparatus and method | |
CN108064441B (en) | Method and system for accelerating network transmission optimization | |
CN101183936B (en) | IPv6 identification load switching method in internet cipher key switch | |
CN109587204B (en) | Method and device for accessing public network and electronic equipment | |
US20090073971A1 (en) | Per-packet quality of service support for encrypted ipsec tunnels | |
US20120201204A1 (en) | Method for establishing an application session, device and corresponding notification | |
EP4109828A1 (en) | Method for communicating with a remote dns server | |
CN115134806B (en) | IPSec security reinforcement transmission method, CPE and network transmission system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |