CN103188228A - Method for achieving safety protection from end to end, security gateway and system - Google Patents
- Publication number: CN103188228A (application CN201110452344A)
- Authority: CN (China)
- Prior art keywords: ipsec, access device, ike, gateway, access
- Legal status: Granted (the status listed by Google is an assumption, not a legal conclusion)
- Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a method for achieving end-to-end security protection, a security gateway and a system. A first access device and a first security gateway, and a second access device and a second security gateway, each establish an Internet Key Exchange security association (IKE SA). The first access device and the second access device then establish and maintain an IP Security security association (IPsec SA), and the establishment and maintenance of that IPsec SA are protected by the IKE SAs set up between the first access device and the first security gateway and between the second access device and the second security gateway. The method, security gateway and system avoid the identity-authentication step that is complex and hard to deploy when access devices set up IKE SAs directly with each other.
Description
Technical field
The present invention relates to the technical field of communication security, and in particular to a method, security gateway and system for achieving end-to-end security protection.
Background technology
At present, Internet and mobile-Internet devices such as computers and smartphones can reach the Internet and the mobile Internet through fixed broadband access, mobile 3G (3rd Generation mobile communication technology) access and wireless WLAN (Wireless Local Area Network) access. Telecom operators such as China Telecom, China Unicom and China Mobile provide a range of access services; China Mobile, for example, offers fixed broadband, mobile 3G and wireless WLAN access. A device such as a smartphone can connect through several modes, such as 3G and WLAN: it uses 3G when only a 3G signal is available, and WLAN when only WLAN, or both WLAN and 3G, are available. As the access mode switches, the IP address of the access device may change accordingly.
In practice, users want end-to-end communication security to prevent important data from being eavesdropped on or tampered with. For example, when a company employee exchanges confidential company information with a manager by mobile phone, when partners send private content between mobile phones, or when a user transfers important data between a smartphone connected via 3G or WLAN and a home computer connected via fixed broadband, it is very important that the communication is secured end to end.
IP Security (IPsec) can provide end-to-end communication security. IPsec provides confidentiality, data integrity, access control and data-origin authentication for IP datagrams. These services are realized through IPsec security associations (SAs). An IPsec SA defines how IP traffic is protected at the sending and receiving ends of an IP datagram, including the security protocol used, the key algorithm, the cryptographic algorithm and its keys, and the other information the protection service needs.
Because IPsec SAs set up manually scale poorly, a protocol is needed to establish them dynamically; this protocol is the Internet Key Exchange (IKE). Version 1 of IKE (IKE v1) is defined in the IETF's RFC 2407, RFC 2408 and RFC 2409. Version 2 (IKE v2) is defined in RFC 4702 and was clarified and amended in RFC 4812. RFC 5996 clarifies and updates RFC 4702 and RFC 4812 and replaces both. IKE v2 is a revision of IKE v1 and is not backward compatible with it.
Before the two communicating parties set up an IPsec SA, IKE first establishes an IKE security association (IKE SA) between them, and the IKE SA is then used to establish the IPsec SA. In RFC 5996 the IPsec SA is also called a Child SA of the IKE SA. In the IKEv2 scenario the security protocol of the IPsec SA is either the Encapsulating Security Payload (ESP) protocol defined in RFC 4302 or the Authentication Header (AH) protocol defined in RFC 4303.
IPsec is deployed in three ways: gateway-to-gateway (site-to-site), remote access, and host-to-host. The gateway-to-gateway and remote-access modes are used mainly in enterprise networks and cannot provide end-to-end protection. The host-to-host mode can provide end-to-end protection, but it requires the two communicating hosts to establish an IKE SA and an IPsec SA directly with each other and then protect the traffic between them with that IPsec SA.
The prior art has the following shortcoming. When IKE v2 is used to set up an IKE SA, the two communicating parties must authenticate each other, based on either a shared secret or certificates. With certificates, the user must hold a certificate, and for an ordinary user obtaining a certificate and using it for network authentication is a complex process to deploy. With shared secrets, a separate shared secret must be maintained between the user and each peer, and when the number of peers is large, generating and maintaining those secrets becomes very complex. Both authentication methods are therefore complex and inconvenient for ordinary network users, which is one reason the host-to-host mode of IPsec is not widely deployed on today's Internet.
Summary of the invention
The technical problem solved by the present invention is to provide a method, security gateway and system for end-to-end security protection that avoid the complex and hard-to-deploy authentication step required when access devices establish IKE SAs directly with each other.
To solve this problem, the invention provides a method for end-to-end security protection in which:
A first access device and a first security gateway, and a second access device and a second security gateway, each establish an Internet Key Exchange security association (IKE SA);
The first access device and the second access device establish and maintain an IP Security security association (IPsec SA), and the establishment and maintenance of the IPsec SA are protected by the IKE SAs established between the first access device and the first security gateway and between the second access device and the second security gateway.
Further, when the first access device and the second access device are in the same access network, the first security gateway and the second security gateway are the same IPsec gateway in that access network;
When the first access device and the second access device are in different access networks, the first security gateway and the second security gateway are different IPsec gateways in the two access networks, and an IKE SA is established between those two IPsec gateways.
Further, the first access device and the second access device each have an access identifier;
The access identifier comprises one of, or any combination of, an IP address, a telephone number, a uniform resource identifier or a domain name.
Further, the key of the IPsec SA established between the first access device and the second access device is derived through Diffie-Hellman key agreement.
Further, maintaining the IPsec SA comprises IPsec SA update, IPsec SA deletion and access-device IP-address-change notification.
Further, the IKE SAs between the first access device and the first security gateway, between the second access device and the second security gateway, and between the first security gateway and the second security gateway are established either before, or concurrently with, the establishment of the IPsec SA between the first access device and the second access device;
When the IKE SAs and the IPsec SA are established concurrently, the messages of the IKE SA establishment carry both the parameters for establishing the IKE SA and the parameters for establishing the IPsec SA.
The present invention also provides a system for end-to-end security protection. The system comprises access devices and a security gateway in an access network; each access device contains an IKE SA establishment unit and an IPsec SA establishment unit, and the security gateway contains an IKE SA establishment module, where:
The IKE SA establishment unit establishes an IKE SA with the security gateway of its own access network;
The IKE SA establishment module establishes IKE SAs with access devices in its own access network or with security gateways in other access networks;
The IPsec SA establishment unit establishes and maintains IPsec SAs with other access devices in the same access network or in other access networks, and the establishment and maintenance of each IPsec SA are protected by the IKE SAs so established.
Further, when the IPsec SA establishment unit initiates an IPsec SA with another access device, if an IKE SA with the security gateway of its own access network already exists, it establishes the IPsec SA on the basis of that IKE SA; if no such IKE SA exists yet, it establishes the IKE SA and the IPsec SA concurrently, and the messages of the IKE SA establishment carry both the parameters for establishing the IKE SA and the parameters for establishing the IPsec SA.
Further, the maintenance performed by the IPsec SA establishment unit comprises IPsec SA update, IPsec SA deletion and access-device IP-address-change notification.
Further, the key of the IPsec SA established by the IPsec SA establishment unit is derived through Diffie-Hellman key agreement.
In addition, the present invention provides a security gateway for end-to-end security protection. The security gateway comprises an IKE SA establishment module, where:
The IKE SA establishment module establishes IKE SAs with access devices in its own access network or with security gateways in other access networks.
Further, the IKE SA establishment module is used:
either to establish IKE SAs with a first access device and a second access device in its own access network, protecting the IPsec SA established and maintained between those two access devices;
or to establish IKE SAs with a first access device in its own access network and with a security gateway in another access network, protecting the IPsec SA established and maintained between that first access device and a second access device in the other access network.
Compared with existing end-to-end security protection methods, the present invention has at least the following beneficial effects:
1) The IPsec method of the invention provides end-to-end security protection, guaranteeing the confidentiality and integrity of communication between access devices and preventing attacks such as data eavesdropping and data tampering by a malicious man in the middle;
2) The IPsec method of the invention is easy to deploy: access devices do not need to establish IKE SAs directly with each other. Mutual authentication between access devices is achieved through the IPsec gateways, which form an authenticated channel between the access devices, and the IPsec SA between the access devices is established over that authenticated channel. This avoids the complex, hard-to-deploy authentication step that direct IKE SA establishment between access devices would require.
Description of drawings
The accompanying drawings provide a further understanding of the present invention and form part of this application; the illustrative embodiments and their explanation serve to explain the invention and do not limit it improperly. In the drawings:
Fig. 1 is a schematic diagram of the host-gateway-gateway-host mode of the embodiment of the invention;
Fig. 2 is a schematic diagram of the host-gateway-host mode of the embodiment of the invention;
Fig. 3 is a flow chart of IKE SA establishment with IKE v2 in the embodiment of the invention;
Fig. 4 is a flow chart of IPsec SA establishment in host-gateway-gateway-host mode (including the IKE SA establishment procedure) in the embodiment of the invention;
Fig. 5 is a flow chart of IPsec SA establishment in host-gateway-gateway-host mode (IKE SA establishment using a trigger) in the embodiment of the invention;
Fig. 6 is a flow chart of IPsec SA establishment, update, deletion and IP-address-change notification in host-gateway-gateway-host mode in the embodiment of the invention;
Fig. 7 is a flow chart of IPsec SA establishment, update, deletion and IP-address-change notification in host-gateway-host mode in the embodiment of the invention.
Embodiment
This embodiment provides a method for end-to-end security protection in which a security gateway (IPsec gateway) is added to the access network. The two communicating access devices do not establish an IKE SA directly with each other; instead each establishes an IKE SA with the IPsec gateway, the IPsec gateway is used to form an authenticated channel between the two access devices, and that authenticated channel carries the IKE v2 messages needed to establish, update and delete the IPsec SA and to handle IP address changes between the two access devices.
Specifically, the method of this embodiment adopts the following technical scheme.
When a user subscribes to an access service, the telecom operator assigns the access device a uniform, globally unique access identifier and binds it to the access device. The access identifier may be an IPv4 or IPv6 address, or it may take the form of a telephone number, an e-mail address or a domain name. When the access device attaches to the network it is authenticated (for example with the access identifier and a password); after access verification, if the access identifier is not in IP-address form, the access device obtains a temporary IP address from the access network.
When the access identifier of an access device is not in IP-address form, an access-identifier-to-IP-address mapping database maintains the mapping between access identifiers and IP addresses. Before access device A communicates with access device B, A sends an access-identifier-to-IP-address mapping request to the access network to obtain B's IP address. When an access device has several optional access modes, its IP address may keep changing as the access mode changes; for a device that can use both WLAN and 3G, for example, the IP address changes as the device switches between them. The access-identifier-to-IP-address mapping database must therefore update the mappings it maintains dynamically.
Communication between access devices is of two types: the two communicating access devices belong to the same access network, or they belong to different access networks. Correspondingly, there are two IPsec SA establishment modes: host-gateway-gateway-host mode and host-gateway-host mode. When the two access devices belong to different access networks, the IPsec SA between them is established, updated and deleted, and IP address changes are handled, in host-gateway-gateway-host mode; when the two access devices are in the same network, host-gateway-host mode is used.
In host-gateway-gateway-host mode, the initiator's access device establishes an IKE SA with the IPsec gateway of the initiator's access network (the initiator IPsec gateway below); the initiator IPsec gateway establishes an IKE SA with the IPsec gateway of the peer access network (the peer IPsec gateway below); and the peer access device establishes an IKE SA with the peer IPsec gateway. The initiator IPsec gateway and the peer IPsec gateway thus form an authenticated channel between the initiator's access device and the peer access device. When the initiator's access device wants to establish an IPsec SA with the peer access device, it passes IKE v2 messages to the peer access device through the initiator IPsec gateway and the peer IPsec gateway, and thereby establishes the IPsec SA with the peer access device.
In host-gateway-host mode, the initiator's access device and the peer access device are in the same access network, are connected to the same IPsec gateway, and have both established an IKE SA with that IPsec gateway. The IPsec gateway thus forms an authenticated channel between the initiator's access device and the peer access device. When the initiator's access device wants to establish an IPsec SA with the peer access device, it passes IKE v2 messages to the peer access device through the IPsec gateway, and thereby establishes the IPsec SA with the peer access device.
An IKE v2 message consists of a fixed message header and one or more payloads, and a payload consists of one or more fields. This embodiment mainly uses the following classes of payload:
ID-based end-to-end protection supported payload (ID-BASED END TO END PROTECTION SUPPORTED): indicates that the sender supports ID-based end-to-end security protection.
Identification payload (IDENTIFICATION): a payload type defined by the IKE v2 protocol, comprising an ID type and an identification field. IKE v2 defines several ID types, such as IPv4 address, IPv6 address, e-mail address and ID_KEY_ID. An access identifier expressed as an e-mail address can use the e-mail type, and an access identifier that is a numeric telephone number can use the ID_KEY_ID type. When the ID type is IPv4 or IPv6 address, the ID payload carries the address. To distinguish IP-address access identifiers from the other forms, this invention calls an ID payload that carries an address an address ID payload, and an ID payload that carries another form of access identifier a non-address ID payload. ID payloads are used in pairs: the first is the initiator's ID payload and the second the responder's. Each may be an address ID payload or a non-address ID payload, so a pair has four possible combinations: (address ID payload, address ID payload), (address ID payload, non-address ID payload), (non-address ID payload, address ID payload), (non-address ID payload, non-address ID payload).
Nonce payload (NONCE): a payload type defined by the IKE v2 protocol that carries random data to provide liveness and prevent replay attacks.
Security Association payload (SECURITY ASSOCIATION): a payload type defined by the IKE v2 protocol comprising one or more Proposal structures. Each proposal contains a protocol type (ESP, AH or IKE), an SPI (Security Parameter Index) length, an SPI value and one or more Transform substructures; each Transform substructure describes a supported encryption algorithm, integrity algorithm, pseudo-random function, Diffie-Hellman group or Extended Sequence Number (ESN) setting. In the IKE v2 protocol, proposals for the ESP and AH protocol types need not contain a Transform substructure for a pseudo-random function. This invention uses a pseudo-random function to derive keying material, so it requires that proposals for the ESP and AH protocol types include a Transform substructure representing the pseudo-random function; the two candidate pseudo-random functions are PRF_HMAC_MD5 and PRF_HMAC_SHA1 as specified in the IKE v2 protocol. The invention also requires that proposals for the ESP and AH protocol types include a Diffie-Hellman group Transform substructure, which specifies the Diffie-Hellman group to use.
Key Exchange payload (KEY EXCHANGE): a payload type defined by the IKE v2 protocol that carries the parameters needed for Diffie-Hellman agreement. In Diffie-Hellman agreement the initiator chooses a random number $i$ smaller than the prime $p$ and sends $g^{i} \bmod p$ to the peer; the peer chooses a random number $r$ smaller than $p$ and sends $g^{r} \bmod p$ back to the sender; both sides can then compute $g^{ir} \bmod p$. For a given Diffie-Hellman group, $g$ and $p$ are public. The parameters that Diffie-Hellman in IKE v2 needs to negotiate are the values $g^{i} \bmod p$ and $g^{r} \bmod p$ above and the Diffie-Hellman group number.
The IKE v2 protocol specifies that the keying material of an IPsec SA is derived as
$$\mathrm{KEYMAT} = \mathrm{prf}^{+}\bigl(\mathrm{SK\_d},\; g^{ir} \bmod p \;|\; \mathrm{Ni} \;|\; \mathrm{Nr}\bigr)$$
where $\mathrm{prf}^{+}$ is a function built on the pseudo-random function prf, $g^{ir} \bmod p$ is the secret value from the Diffie-Hellman agreement, $|$ denotes concatenation, Ni is the random data in the Nonce payload sent by the initiator, Nr is the random data in the Nonce payload sent by the peer, and SK_d is a key generated when the IKE SA was established.
In this embodiment no IKE SA exists between the initiator's access device and the peer access device, so the method specified by the IKE v2 protocol cannot be used to generate the keying material of the IPsec SA. The keying material of this embodiment is instead derived as
$$\mathrm{KEYMAT} = \mathrm{prf}^{+}\bigl(g^{ir} \bmod p \;|\; \mathrm{Ni} \;|\; \mathrm{Nr},\; \mathrm{IDi} \;|\; \mathrm{IDr}\bigr)$$
where prf is the pseudo-random function specified in the proposal for the ESP or AH protocol type, IDi is the access identifier of the initiator's access device and IDr is the access identifier of the peer access device. In this invention the IPsec SA keying material in both the IPsec SA establishment flow and the IPsec SA update flow is generated by this formula.
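The two derivations above, worked through in code as an added example; this is not code from the patent. It implements prf+ as IKE v2 defines it (T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)), uses PRF_HMAC_SHA1 as the prf, and runs the embodiment's formula KEYMAT = prf+(g^ir mod p | Ni | Nr, IDi | IDr) on both sides of a Diffie-Hellman exchange, beside the standard KEYMAT = prf+(SK_d, g^ir mod p | Ni | Nr) for contrast. Assumptions: the Diffie-Hellman group is a constructed toy group (not an IKE group), access identifiers are passed as raw bytes, and the function names are this example's own.

```python
"""Added example (not from the patent): IPsec SA keying material derived the way
this embodiment describes, KEYMAT = prf+(g^ir mod p | Ni | Nr, IDi | IDr), beside
the IKE v2 formula KEYMAT = prf+(SK_d, g^ir mod p | Ni | Nr) for contrast.
Assumptions: prf = PRF_HMAC_SHA1; the Diffie-Hellman group is a constructed toy
group, not an IKE MODP group; access identifiers are passed as raw bytes."""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group: 2^127 - 1 is prime, 3 is the public base.
# Far too small for real use and not one of the IKE v2 groups; illustration only.
TOY_P = (1 << 127) - 1
TOY_G = 3
GROUP_ELEMENT_LEN = (TOY_P.bit_length() + 7) // 8  # fixed-width encoding of g^x mod p


def prf_hmac_sha1(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, one of the two pseudo-random functions the text names."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(prf, key: bytes, seed: bytes, length: int) -> bytes:
    """IKE v2 key expansion: prf+(K, S) = T1 | T2 | ... with
    T1 = prf(K, S | 0x01) and Tn = prf(K, T(n-1) | S | n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ can expand to at most 255 blocks")
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def dh_public(private: int) -> int:
    """g^x mod p, the value carried in the Key Exchange payload."""
    return pow(TOY_G, private, TOY_P)


def dh_shared(private: int, peer_public: int) -> bytes:
    """g^ir mod p, computed by each side from its own exponent and the peer's public value."""
    return pow(peer_public, private, TOY_P).to_bytes(GROUP_ELEMENT_LEN, "big")


def keymat_ikev2(sk_d: bytes, shared: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """Standard IKE v2 child-SA derivation; needs SK_d from an IKE SA between the peers."""
    return prf_plus(prf_hmac_sha1, sk_d, shared + ni + nr, length)


def keymat_embodiment(shared: bytes, ni: bytes, nr: bytes, idi: bytes, idr: bytes, length: int) -> bytes:
    """The embodiment's derivation: no SK_d exists between the access devices, so the
    DH secret and the nonces become the prf key and the two access identifiers the seed."""
    return prf_plus(prf_hmac_sha1, shared + ni + nr, idi + idr, length)


def run_exchange(idi: bytes, idr: bytes, length: int = 48, i=None, r=None, ni=None, nr=None):
    """Simulate both access devices end to end; returns (initiator KEYMAT, peer KEYMAT).
    Exponents and nonces are random unless fixed for a reproducible run."""
    i = i if i is not None else secrets.randbelow(TOY_P - 2) + 1
    r = r if r is not None else secrets.randbelow(TOY_P - 2) + 1
    ni = ni if ni is not None else secrets.token_bytes(32)
    nr = nr if nr is not None else secrets.token_bytes(32)
    g_i, g_r = dh_public(i), dh_public(r)  # exchanged in the KEY EXCHANGE payloads
    k_init = keymat_embodiment(dh_shared(i, g_r), ni, nr, idi, idr, length)
    k_peer = keymat_embodiment(dh_shared(r, g_i), ni, nr, idi, idr, length)
    return k_init, k_peer


if __name__ == "__main__":
    # Constructed access identifiers: an e-mail address and a telephone number.
    a, b = run_exchange(b"alice@example.com", b"+8613800000000")
    print("both sides agree:", a == b, "KEYMAT =", a.hex())
```

Because the access identifiers are the prf+ seed, keying material derived for the pair (IDi, IDr) differs from that derived for any other pair even when the same DH secret and nonces are used; the gateways' IKE SAs, not SK_d, are what authenticates who those identifiers belong to.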
Notify payload (NOTIFY): a payload type defined by the IKE v2 protocol, comprising an SPI length, an SPI value, a notify message type and a notification data field.
Delete payload (DELETE): a payload type defined by the IKE v2 protocol, comprising an SPI length and an SPI value field.
Traffic Selector payload (TRAFFIC SELECTOR): a payload type defined by IKE v2 comprising one or more traffic selector entries. Each entry contains a traffic selector type, a protocol type, a start port, an end port, a start address and an end address. The traffic selector type is IPv4 or IPv6 address, and the protocol type is UDP, TCP, ICMP and so on. The start address and end address together define an address range, and the start port and end port together define a port range. The entries are of equal standing, and the scope of the whole traffic selector is the union of the ranges defined by its entries. Traffic Selector payloads are used in pairs: the first is the initiator traffic selector payload, which specifies the initiator's IP traffic range, and the second is the responder traffic selector payload, which specifies the responder's IP traffic range. In use, the initiator sends a pair of Traffic Selector payloads to the responder, and the responder may return a new pair, a subset of the initiator traffic selector payload and a subset of the responder traffic selector payload, to the initiator as the final traffic selectors.
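The traffic selector semantics described above (entries with the listed fields, union across entries, and the responder narrowing the initiator's pair to subsets of its own policy), as an added example that is not code from the patent. Assumptions: protocol types are IP protocol numbers with 0 meaning any protocol, addresses and policies are constructed, and the class and function names are this example's own.

```python
"""Added example (not from the patent): Traffic Selector entries, union semantics
across entries, and responder-side narrowing of an initiator's (TSi, TSr) pair.
Assumptions: protocol ids are IP protocol numbers, 0 = any; all data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ANY_PROTO = 0
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class TrafficSelector:
    """One traffic selector entry: type, protocol, port range and address range."""
    ts_type: str      # "IPv4" or "IPv6"
    proto: int        # 0 = any, 1 = ICMP, 6 = TCP, 17 = UDP
    start_port: int
    end_port: int
    start_addr: str
    end_addr: str

    def __post_init__(self):
        lo, hi = ip_address(self.start_addr), ip_address(self.end_addr)
        if lo.version != hi.version or lo > hi or self.start_port > self.end_port:
            raise ValueError("traffic selector entry describes an empty range")
        if self.ts_type != ("IPv4" if lo.version == 4 else "IPv6"):
            raise ValueError("address family does not match ts_type")


def _meet_proto(a: int, b: int) -> Optional[int]:
    """Protocol in common: 'any' yields to the specific one; two different specifics do not meet."""
    if a == ANY_PROTO:
        return b
    if b == ANY_PROTO:
        return a
    return a if a == b else None


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Largest entry inside both a and b, or None when they do not overlap."""
    if a.ts_type != b.ts_type:
        return None
    proto = _meet_proto(a.proto, b.proto)
    if proto is None:
        return None
    lo_addr = max(ip_address(a.start_addr), ip_address(b.start_addr))
    hi_addr = min(ip_address(a.end_addr), ip_address(b.end_addr))
    lo_port, hi_port = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if lo_addr > hi_addr or lo_port > hi_port:
        return None
    return TrafficSelector(a.ts_type, proto, lo_port, hi_port, str(lo_addr), str(hi_addr))


def narrow(proposed: List[TrafficSelector], policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """Subset of the proposed payload that local policy also allows: the union of pairwise overlaps."""
    out: List[TrafficSelector] = []
    for p in proposed:
        for q in policy:
            x = intersect(p, q)
            if x is not None and x not in out:
                out.append(x)
    return out


def respond(tsi, tsr, policy_i, policy_r) -> Optional[Tuple[List[TrafficSelector], List[TrafficSelector]]]:
    """Responder side: narrow both payloads of the pair. None means nothing acceptable,
    which a responder would report instead of returning a traffic selector pair."""
    new_i, new_r = narrow(tsi, policy_i), narrow(tsr, policy_r)
    if not new_i or not new_r:
        return None
    return new_i, new_r


def selects(entries: List[TrafficSelector], addr: str, port: int, proto: int) -> bool:
    """Union semantics: a packet matches the payload if any single entry covers it."""
    a = ip_address(addr)
    fam = "IPv4" if a.version == 4 else "IPv6"
    for e in entries:
        if (e.ts_type == fam and e.proto in (ANY_PROTO, proto)
                and ip_address(e.start_addr) <= a <= ip_address(e.end_addr)
                and e.start_port <= port <= e.end_port):
            return True
    return False


if __name__ == "__main__":
    # Constructed case: the initiator proposes whole /24 ranges for any protocol;
    # the responder's policy only permits TCP between two narrower host ranges.
    tsi = [TrafficSelector("IPv4", ANY_PROTO, *ALL_PORTS, "10.0.0.0", "10.0.0.255")]
    tsr = [TrafficSelector("IPv4", ANY_PROTO, *ALL_PORTS, "10.0.1.0", "10.0.1.255")]
    pol_i = [TrafficSelector("IPv4", 6, *ALL_PORTS, "10.0.0.10", "10.0.0.20")]
    pol_r = [TrafficSelector("IPv4", 6, 443, 443, "10.0.1.5", "10.0.1.5")]
    print(respond(tsi, tsr, pol_i, pol_r))
```

The narrowed pair is what the initiator must install; checking each outgoing packet with `selects` against the returned entries, rather than against what was proposed, is what keeps the IPsec SA from carrying traffic the responder never agreed to.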
Below will IPsec SA foundation between main frame, renewal, deletion and IP address change notice flow process be specifically described respectively at main frame-gateway-gateway-host mode and main frame-gateway-host mode.
One, the IPsec SA foundation of main frame-gateway-gateway-host mode, renewal, deletion and IP address change notice
In main frame-gateway-gateway-host mode, when setting up IPsec SA, may set up an authentication passage between initiator's access device and opposite end access device, namely all set up IKE SA between two network elements of three sections of initiator's access device and initiator IPsec gateway, initiator IPsec gateway and opposite end IPsec gateway and opposite end IPsec gateway and opposite end access device.At this moment, the process of IKE SA foundation mainly comprises following 4 steps: 1, the initiator sends the IKE_SA_INIT request message to the opposite end; 2, the IKE_SA_INIT response is returned in opposite end response IKE_SA_INIT request; 3, the initiator sends the IKE_SA_AUTH request message; 4, the IKE_SA_AUTH response message is returned in the opposite end.By above-mentioned steps, IKE SA has been set up in initiator and opposite end.
In addition, before setting up IPsec SA, may not set up an authentication passage between initiator's access device and opposite end access device yet.If when setting up IPsec SA, IKE SA between access device and IPsec gateway does not set up, be the speed of setting up and the minimizing interacting message of accelerating IPsec SA, preferably, can be in the mutual IKE_SA_AUTH request and response message of access device and IAD, carry the load of IPsec SA needs between the IKE SA that sets up between access device and IAD and access device.If when setting up IPsec SA, initiator IPsec gateway and opposite end IPsec gateway are not set up IKE SA, initiator IPsec gateway and opposite end IPsec gateway are set up IKE SA alternately by IKE_SA_INIT request, four steps of IKE_SA_AUTH request earlier, utilize the CREATE_CHILD_SA requests/response messages to carry then and set up the load that IPsec SA needs between access device.
Following IPsec SA sets up in the process prescription, has comprised the authentication passage and has set up and do not set up two kinds of situations.
If the initiator's access device has already established an IKE SA with its own IPsec gateway, it constructs a CREATE_CHILD_SA request message containing the identity-based end-to-end security protection support payload, a security association (SA) payload, a key exchange (KE) payload, a pair of identification (ID) payloads, a pair of traffic selector (TS) payloads and a nonce payload. The pair of ID payloads identifies the initiator's access device and the peer access device; each may be an address-type ID payload or a non-address-type ID payload, so the pair has four possible combinations: (address, address), (address, non-address), (non-address, address) and (non-address, non-address). The KE payload is used to negotiate the key. The CREATE_CHILD_SA request is then sent to the initiator's own IPsec gateway.
If the initiator's access device has not yet established an IKE SA with its own IPsec gateway, it sends an IKE_SA_INIT request to that gateway, and the initiator's IPsec gateway returns an IKE_SA_INIT response. The initiator's access device then sends an IKE_SA_AUTH request to the initiator's IPsec gateway. Besides the payloads needed to establish the IKE SA between the initiator's access device and the initiator's IPsec gateway, the IKE_SA_AUTH request also carries the payloads needed to generate the IPsec SA: the identity-based end-to-end security protection support payload, an SA payload, a KE payload, a pair of ID payloads, a pair of TS payloads and a nonce payload. The pair of ID payloads identifies the initiator's access device and the peer access device, and the KE payload is used to negotiate the key. The IKE_SA_AUTH request is then sent to the initiator's own IPsec gateway.
After the initiator's IPsec gateway receives the CREATE_CHILD_SA or IKE_SA_AUTH request, it determines the IPsec gateway serving the peer access device from the access identifier of the peer access device. If it has not yet established an IKE SA with the peer IPsec gateway, the initiator's IPsec gateway first establishes one. It then constructs a CREATE_CHILD_SA request that copies the identity-based end-to-end security protection support payload, SA payload, KE payload, pair of ID payloads, pair of TS payloads and nonce payload from the received CREATE_CHILD_SA or IKE_SA_AUTH request, and sends that CREATE_CHILD_SA request to the peer IPsec gateway.
When the peer IPsec gateway receives a CREATE_CHILD_SA request carrying the identity-based end-to-end security protection support payload, and the ID payload is a non-address-type ID payload, it first looks up its own access-identifier-to-address mapping database to obtain the IP address of the peer access device.
The peer IPsec gateway then checks whether it has already established an IKE SA with the peer access device, and proceeds in one of the following three ways:
Mode A: if an IKE SA with the peer access device already exists, the peer IPsec gateway constructs a CREATE_CHILD_SA request that copies the identity-based end-to-end security protection support payload, SA payload, KE payload, pair of ID payloads, pair of TS payloads and nonce payload from the received CREATE_CHILD_SA request, and sends it to the IP address of the peer access device.
If the peer IPsec gateway and the peer access device have not established an IKE SA, the peer IPsec gateway uses mode B or mode C:
Mode B: the peer IPsec gateway sends an IKE_SA_INIT request to the peer access device, and the peer access device returns an IKE_SA_INIT response to the peer IPsec gateway. The peer IPsec gateway then constructs an IKE_SA_AUTH request that copies the identity-based end-to-end security protection support payload, SA payload, KE payload, pair of ID payloads, pair of TS payloads and nonce payload from the received CREATE_CHILD_SA request, and sends the IKE_SA_AUTH request to the IP address of the peer access device.
In mode B the peer IPsec gateway itself initiates the IKE SA establishment towards the peer access device. Mode C differs in that the peer IPsec gateway instead sends the peer access device an INFORMATIONAL request with empty content, which serves only as a trigger asking the peer access device to initiate IKE SA establishment. The peer access device then sends an IKE_SA_INIT request, the peer IPsec gateway returns an IKE_SA_INIT response, the peer access device sends an IKE_SA_AUTH request and the peer IPsec gateway returns an IKE_SA_AUTH response. Once the IKE SA between the peer IPsec gateway and the peer access device has been established through these steps, the gateway constructs a CREATE_CHILD_SA request as in mode A and sends it to the peer access device.
After receiving the CREATE_CHILD_SA request of mode A or mode C, or the IKE_SA_AUTH request of mode B, the peer access device produces a CREATE_CHILD_SA or IKE_SA_AUTH response message. The CREATE_CHILD_SA response contains the identity-based end-to-end security protection support payload, an SA payload, a KE payload, a pair of ID payloads, a pair of TS payloads and a nonce payload. The IKE_SA_AUTH response contains, in addition to the payloads needed to establish the IKE SA with the peer IPsec gateway, the payloads needed to create the IPsec SA that are listed for the CREATE_CHILD_SA response. The peer access device then sends the CREATE_CHILD_SA or IKE_SA_AUTH response to the peer IPsec gateway. At the same time, the peer access device derives the keys of the IPsec SA according to the IPsec SA key material generation method specified above.
After the peer IPsec gateway receives the CREATE_CHILD_SA or IKE_SA_AUTH response, it constructs a CREATE_CHILD_SA response that copies the identity-based end-to-end security protection support payload, SA payload, KE payload, pair of ID payloads, pair of TS payloads and nonce payload from the received CREATE_CHILD_SA or IKE_SA_AUTH response, and sends that CREATE_CHILD_SA response to the IPsec gateway of the initiator's access device.
After the initiator's IPsec gateway receives the CREATE_CHILD_SA response, it constructs a CREATE_CHILD_SA response if the initiator's access device had already established an IKE SA with it, and otherwise an IKE_SA_AUTH response. The CREATE_CHILD_SA response copies the identity-based end-to-end security protection support payload, SA payload, KE payload, pair of ID payloads, pair of TS payloads and nonce payload from the received CREATE_CHILD_SA response. The IKE_SA_AUTH response contains, in addition to the payloads needed to establish the IKE SA, the payloads of the CREATE_CHILD_SA response listed above. The initiator's IPsec gateway then sends the CREATE_CHILD_SA or IKE_SA_AUTH response to the initiator's access device. Finally, the initiator's access device derives the keys of the IPsec SA according to the IPsec SA key material generation method specified above.
At this point an IPsec SA protecting the IP traffic from the initiator's access device to the peer access device has been established between the two access devices. For bidirectional secure communication, the same method is used to create an IPsec SA protecting the IP traffic from the peer access device to the initiator's access device; the pair of IPsec SAs then protects the IP packets exchanged between them.
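As an added illustration of the relay and mode-selection logic described above, the following Python model walks one IPsec SA establishment through the initiator's access device, its own gateway, the peer gateway and the peer access device. It is example code written for this page, not the patent's or any vendor's implementation. Gateway names, access identifiers, IP addresses, the E2E_SUPPORT payload name and the no_ike_mode policy field are constructed assumptions; the exchanges are recorded as a message trace rather than encoded as IKEv2 packets.

```python
from dataclasses import dataclass, field

# Payloads copied hop by hop; names follow IKEv2 usage, and E2E_SUPPORT stands in for
# the identity-based end-to-end security protection support payload (assumed name).
E2E_PAYLOADS = ("E2E_SUPPORT", "SA", "KE", "IDi", "IDr", "TSi", "TSr", "NONCE")


@dataclass
class Gateway:
    name: str
    mapping_db: dict = field(default_factory=dict)  # access identifier -> IP of local devices
    ike_peers: set = field(default_factory=set)     # names of parties sharing an IKE SA
    no_ike_mode: str = "B"   # assumed policy for a local device lacking an IKE SA: "B" or "C"


@dataclass
class AccessDevice:
    name: str        # access identifier (non-address ID), constructed
    address: str     # current IP address, constructed
    gateway: Gateway
    ike_peers: set = field(default_factory=set)

    def __post_init__(self):
        self.gateway.mapping_db[self.name] = self.address


def ike_exchange(trace, a, b):
    """IKE_SA_INIT and IKE_SA_AUTH request/response initiated by a towards b."""
    trace += [("IKE_SA_INIT req", a.name, b.name), ("IKE_SA_INIT resp", b.name, a.name),
              ("IKE_SA_AUTH req", a.name, b.name), ("IKE_SA_AUTH resp", b.name, a.name)]
    a.ike_peers.add(b.name)
    b.ike_peers.add(a.name)


def setup_ipsec_sa(src, idr, gateways, devices):
    """Relay one IPsec SA set-up from src through its gateway and the peer gateway to
    the peer device, and the responses back.  idr is the responder ID payload,
    ("addr", ip) or ("id", access identifier).  Returns (mode, trace): mode is the
    peer gateway's choice A, B or C; trace lists (message, sender, receiver) in order."""
    trace, own = [], src.gateway
    # Initiator: CREATE_CHILD_SA over an existing IKE SA with its gateway; otherwise an
    # IKE_SA_INIT exchange, then an IKE_SA_AUTH request that also carries E2E_PAYLOADS.
    if own.name in src.ike_peers:
        req = "CREATE_CHILD_SA"
    else:
        trace += [("IKE_SA_INIT req", src.name, own.name), ("IKE_SA_INIT resp", own.name, src.name)]
        src.ike_peers.add(own.name)
        own.ike_peers.add(src.name)
        req = "IKE_SA_AUTH"
    trace.append((f"{req} req", src.name, own.name))
    # Own gateway: locate the peer gateway from the ID payload, set up a gateway-to-gateway
    # IKE SA if none exists, then forward a CREATE_CHILD_SA copying the payloads.
    kind, ref = idr
    peer_gw = next(gw for gw in gateways
                   if ref in (gw.mapping_db if kind == "id" else gw.mapping_db.values()))
    if peer_gw.name not in own.ike_peers:
        ike_exchange(trace, own, peer_gw)
    trace.append(("CREATE_CHILD_SA req", own.name, peer_gw.name))
    # Peer gateway: a non-address ID is resolved through the local mapping database.
    dst_addr = peer_gw.mapping_db[ref] if kind == "id" else ref
    dst = next(d for d in devices if d.address == dst_addr)
    if dst.name in peer_gw.ike_peers:
        mode = "A"       # IKE SA exists: plain CREATE_CHILD_SA to the device
    elif peer_gw.no_ike_mode == "B":
        mode = "B"       # gateway starts IKE; the payloads ride in its IKE_SA_AUTH request
        trace += [("IKE_SA_INIT req", peer_gw.name, dst.name), ("IKE_SA_INIT resp", dst.name, peer_gw.name)]
    else:
        mode = "C"       # empty INFORMATIONAL triggers device-initiated IKE, then mode A
        trace.append(("INFORMATIONAL req (empty)", peer_gw.name, dst.name))
        ike_exchange(trace, dst, peer_gw)
    last = "IKE_SA_AUTH" if mode == "B" else "CREATE_CHILD_SA"
    trace += [(f"{last} req", peer_gw.name, dst.name), (f"{last} resp", dst.name, peer_gw.name)]
    if mode == "B":
        dst.ike_peers.add(peer_gw.name)
        peer_gw.ike_peers.add(dst.name)
    # Responses return hop by hop; the own gateway answers in the exchange the initiator used.
    trace += [("CREATE_CHILD_SA resp", peer_gw.name, own.name), (f"{req} resp", own.name, src.name)]
    return mode, trace


def demo(initiator_has_ike, peer_has_ike, peer_policy):
    """Two access networks with constructed names; run one set-up from dev-a to dev-b."""
    g1, g2 = Gateway("GW1"), Gateway("GW2", no_ike_mode=peer_policy)
    a = AccessDevice("dev-a@net1", "10.0.1.7", g1)
    b = AccessDevice("dev-b@net2", "10.0.2.9", g2)
    for dev, gw, present in ((a, g1, initiator_has_ike), (b, g2, peer_has_ike)):
        if present:
            dev.ike_peers.add(gw.name)
            gw.ike_peers.add(dev.name)
    return setup_ipsec_sa(a, ("id", b.name), [g1, g2], [a, b])


if __name__ == "__main__":
    for msg, s, r in demo(True, False, "C")[1]:
        print(f"{s:>12} -> {r:<12} {msg}")
```

Running the script prints the mode C trace: the initiator's CREATE_CHILD_SA, the gateway-to-gateway IKE establishment, the empty INFORMATIONAL trigger, the device-initiated IKE exchange and finally the CREATE_CHILD_SA request and responses along the reversed path. Changing the arguments to demo exercises mode A and mode B.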
The flow for rekeying (updating) an IPsec SA between access devices is similar to the IPsec SA establishment flow above; at this point an authenticated channel already exists between the access devices. The access device initiating the IPsec SA rekey request constructs a CREATE_CHILD_SA request containing the identity-based end-to-end security protection support payload, an IPsec SA rekey (REKEY_SA) notify payload, an SA payload, a KE payload, a pair of ID payloads, a pair of TS payloads and a nonce payload. The REKEY_SA notify payload is a notify payload type of the IKEv2 protocol and carries the Security Parameter Index (SPI) of the IPsec SA to be rekeyed. The CREATE_CHILD_SA request is then sent to the initiator's own IPsec gateway. That gateway constructs a CREATE_CHILD_SA request copying every payload of the received request and sends it to the peer IPsec gateway. The peer IPsec gateway in turn constructs a CREATE_CHILD_SA request copying every payload of the received request and sends it to the peer access device.
The peer access device constructs a CREATE_CHILD_SA response containing the identity-based end-to-end security protection support payload, an SA payload, a KE payload, a pair of ID payloads, a pair of TS payloads and a nonce payload, and sends it to the peer IPsec gateway. At the same time, the peer access device derives the keys of the rekeyed IPsec SA according to the IPsec SA key material generation method specified above.
The peer IPsec gateway constructs a CREATE_CHILD_SA response copying every payload of the received response and sends it to the IPsec gateway of the device that initiated the rekey request. That gateway constructs a CREATE_CHILD_SA response in the same manner and sends it to the initiating device. Finally, the initiator's access device derives the keys of the rekeyed IPsec SA according to the IPsec SA key material generation method specified above.
The IPsec SA deletion flow is as follows. At the time of deletion an authenticated channel already exists between the access devices. The access device initiating the deletion request constructs an IKEv2 INFORMATIONAL request containing the identity-based end-to-end security protection support payload, a delete payload and a pair of ID payloads, and sends it to its own IPsec gateway. That gateway constructs an INFORMATIONAL request copying every payload of the received request (the identity-based end-to-end security protection support payload, the delete payload and the pair of ID payloads) and sends it to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL request copying every payload of the received request and sends it to the peer access device.
The peer access device constructs an INFORMATIONAL response containing the identity-based end-to-end security protection support payload and a pair of ID payloads, and sends it to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL response copying every payload of the received response and sends it to the IPsec gateway of the device that initiated the deletion request. That gateway constructs an INFORMATIONAL response in the same manner and sends it to the initiating device.
The IP address change notification flow is as follows. At the time of the notification an authenticated channel already exists between the access devices. When an access device finds that its own IP address has changed, it constructs an IKEv2 INFORMATIONAL request containing the identity-based end-to-end security protection support payload, an IP address change (UPDATE_SA_ADDRESSES) notify payload and a pair of ID payloads. The UPDATE_SA_ADDRESSES notify payload is a notify payload type of the IKEv2 protocol and indicates that the IP address bound to the IPsec SA has changed; the first ID payload of the pair is an address-type ID payload carrying the updated IP address. The INFORMATIONAL request is then sent to the device's own IPsec gateway. That gateway constructs an INFORMATIONAL request copying every payload of the received request (the notify payload, the pair of ID payloads and the rest) and sends it to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL request copying every payload of the received request and sends it to the peer access device. The peer access device updates the IP address it holds for the access device that sent the notification, using the updated IP address carried in the ID payload of the INFORMATIONAL request.
The peer access device constructs an INFORMATIONAL response containing a pair of ID payloads and sends it to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL response copying every payload of the received response and sends it to the IPsec gateway of the access device that initiated the IP address change notification. That gateway constructs an INFORMATIONAL response in the same manner and sends it to the initiating device.
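The three maintenance exchanges above, IPsec SA rekey, IP address change notification and IPsec SA deletion, as an added example of the peer-side state handling and of the gateways' copy-and-forward behaviour. This is example code written for this page, not the patent's own implementation. It assumes a "from" field carrying the requesting device's access identifier so that the peer can find the IPsec SAs bound to that device; the SPIs, identifiers, addresses and the string placeholders standing in for SA, KE, TS and nonce contents are all constructed.

```python
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class IpsecSa:
    spi: int          # Security Parameter Index of this SA
    peer_id: str      # access identifier of the other access device
    peer_addr: str    # IP address currently bound to the SA


@dataclass
class AccessDevice:
    name: str
    address: str
    sas: dict = field(default_factory=dict)   # SPI -> IpsecSa
    next_spi: int = 0x1000                    # constructed SPI allocator

    def handle(self, req):
        """Apply one relayed maintenance request to the local SA state and return
        the response the device sends back towards its gateway."""
        exch, p, sender = req["exchange"], req["payloads"], req["from"]
        ids = {"E2E_SUPPORT": True, "IDi": p["IDi"], "IDr": p["IDr"]}
        if exch == "CREATE_CHILD_SA" and "REKEY_SA" in p:
            # REKEY_SA names the SPI being replaced; a fresh SA inherits its bindings.
            old = self.sas.pop(p["REKEY_SA"])
            new = IpsecSa(self.next_spi, old.peer_id, old.peer_addr)
            self.next_spi += 1
            self.sas[new.spi] = new
            return {"exchange": exch, "from": self.name, "payloads": {
                **ids, "SA": new.spi, "KE": "g^r", "TSi": p["TSi"], "TSr": p["TSr"], "NONCE": "Nr"}}
        if exch == "INFORMATIONAL" and "DELETE" in p:
            self.sas.pop(p["DELETE"], None)       # deleting an unknown SPI is a no-op
            return {"exchange": exch, "from": self.name, "payloads": ids}
        if exch == "INFORMATIONAL" and "UPDATE_SA_ADDRESSES" in p:
            kind, new_addr = p["IDi"]
            if kind != "addr":                    # first ID payload must carry the new address
                raise ValueError("UPDATE_SA_ADDRESSES needs an address-type IDi")
            for sa in self.sas.values():
                if sa.peer_id == sender:          # only SAs bound to the notifying device move
                    sa.peer_addr = new_addr
            return {"exchange": exch, "from": self.name,
                    "payloads": {"IDi": p["IDi"], "IDr": p["IDr"]}}
        raise ValueError(f"unsupported {exch} with payloads {sorted(p)}")


def relay(gateways, req, responder):
    """Each gateway builds a new message copying the payloads it received and forwards
    it; the response travels back along the reversed gateway path."""
    hops, msg = [], req
    for gw in gateways:
        msg = deepcopy(msg)
        hops.append((f"{msg['exchange']} req", gw))
    resp = responder.handle(msg)
    for gw in reversed(gateways):
        resp = deepcopy(resp)
        hops.append((f"{resp['exchange']} resp", gw))
    return hops, resp


def demo():
    """Rekey, then address change, then delete, against one constructed SA on dev-b."""
    a_id, b = "dev-a@net1", AccessDevice("dev-b@net2", "10.0.2.9")
    b.sas[0x100] = IpsecSa(0x100, a_id, "10.0.1.7")
    ids = {"IDi": ("id", a_id), "IDr": ("id", b.name)}
    gws, out = ["GW1", "GW2"], {}
    hops, resp = relay(gws, {"exchange": "CREATE_CHILD_SA", "from": a_id, "payloads": {
        **ids, "E2E_SUPPORT": True, "REKEY_SA": 0x100, "SA": "proposal", "KE": "g^i",
        "TSi": "10.0.1.7/32", "TSr": "10.0.2.9/32", "NONCE": "Ni"}}, b)
    out["rekey"] = (sorted(b.sas), resp["payloads"]["SA"], len(hops))
    relay(gws, {"exchange": "INFORMATIONAL", "from": a_id, "payloads": {
        "E2E_SUPPORT": True, "UPDATE_SA_ADDRESSES": True,
        "IDi": ("addr", "10.0.1.20"), "IDr": ("id", b.name)}}, b)
    out["addr"] = b.sas[0x1000].peer_addr
    relay(gws, {"exchange": "INFORMATIONAL", "from": a_id,
                "payloads": {**ids, "E2E_SUPPORT": True, "DELETE": 0x1000}}, b)
    out["delete"] = sorted(b.sas)
    return out


if __name__ == "__main__":
    print(demo())
```

The rekey replaces SPI 0x100 with a new SA that keeps the peer binding, the address change moves that SA to the address carried in the first ID payload, and the delete removes it; the relay records two request hops and two response hops for each exchange.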
2. Establishment, rekeying, deletion and IP address change notification of IPsec SAs in host-gateway-host mode
The IPsec SA establishment flow between access devices in host-gateway-host mode is similar to that of host-gateway-gateway-host mode.
First, if an IKE SA already exists between the initiator's access device and the gateway, the initiator's access device constructs a CREATE_CHILD_SA request; otherwise, after one round of IKE_SA_INIT request/response exchange with the gateway, it constructs an IKE_SA_AUTH request. The payloads of the CREATE_CHILD_SA or IKE_SA_AUTH request are built in the same way as in host-gateway-gateway-host mode. If the gateway has already established an IKE SA with the peer access device, the gateway constructs a CREATE_CHILD_SA request; otherwise it uses mode B or mode C of host-gateway-gateway-host mode to construct an IKE_SA_AUTH or CREATE_CHILD_SA request. The payloads of the CREATE_CHILD_SA or IKE_SA_AUTH request are built in the same way as in host-gateway-gateway-host mode.
Correspondingly, the peer access device constructs a CREATE_CHILD_SA or IKE_SA_AUTH response whose payloads are built in the same way as in host-gateway-gateway-host mode, and sends it to the gateway. The gateway constructs a CREATE_CHILD_SA or IKE_SA_AUTH response whose payloads are built in the same way as in host-gateway-gateway-host mode, and sends it to the initiator's access device.
The IPsec SA rekey flow of host-gateway-host mode is similar to that of host-gateway-gateway-host mode. The initiator's access device constructs a CREATE_CHILD_SA request whose payloads are built in the same way as in host-gateway-gateway-host mode and sends it to the initiator's IPsec gateway. The gateway constructs a CREATE_CHILD_SA request whose payloads are built in the same way as in host-gateway-gateway-host mode and sends it to the peer access device.
The peer access device constructs a CREATE_CHILD_SA response whose payloads are built in the same way as in host-gateway-gateway-host mode and sends it to the IPsec gateway. The IPsec gateway constructs a CREATE_CHILD_SA response whose payloads are built in the same way as in host-gateway-gateway-host mode and sends it to the initiator's access device.
The IPsec SA deletion flow of host-gateway-host mode is similar to that of host-gateway-gateway-host mode. The initiator's access device constructs an INFORMATIONAL request whose payloads are built in the same way as in host-gateway-gateway-host mode and sends it to the IPsec gateway. Similarly, the IPsec gateway constructs an INFORMATIONAL request and sends it to the peer access device. The peer access device sends an INFORMATIONAL response to the IPsec gateway, and the IPsec gateway sends a response message to the initiator's access device.
The IP address change notification flow of host-gateway-host mode is similar to that of host-gateway-gateway-host mode. The initiator's access device constructs an INFORMATIONAL request whose payloads are built in the same way as in host-gateway-gateway-host mode and sends it to the IPsec gateway. Similarly, the IPsec gateway constructs an INFORMATIONAL request and sends it to the peer access device. The peer access device sends an INFORMATIONAL response to the IPsec gateway, and the IPsec gateway sends a response message to the initiator's access device.
To make the purpose, technical solution and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided they do not conflict, the embodiments of this application and the features of the embodiments may be combined with one another in any way.
The invention provides two IPsec deployment modes: the host-gateway-gateway-host mode shown in Fig. 1 and the host-gateway-host mode shown in Fig. 2.
Fig. 3 shows the flow by which the IKEv2 protocol of an embodiment of the invention establishes an IKE SA. This flow mainly comprises the following steps:
Step 11, initiator 1001 sends an IKE_SA_INIT request to peer 1002.
Step 12, peer 1002 sends an IKE_SA_INIT response to initiator 1001.
Step 13, initiator 1001 sends an IKE_SA_AUTH request to peer 1002, containing the identity-based end-to-end security protection support payload and other payloads. The identity-based end-to-end security protection support payload indicates that the sender supports identity-based end-to-end security protection.
Here the initiator may be an access device or an IPsec gateway, and the peer may likewise be an access device or an IPsec gateway.
Fig. 4 shows the IPsec SA establishment flow in host-gateway-gateway-host mode of an embodiment of the invention. In this embodiment it is assumed that none of the IKE SAs between initiator's access device 101 and IPsec gateway 102, between IPsec gateway 102 and peer IPsec gateway 108, and between peer IPsec gateway 108 and peer access device 109 has been established yet. As shown in Fig. 4, the flow mainly comprises the following steps:
Step 301, initiator's access device 101 sends the IKE_SA_INIT request for establishing the IKE SA between access device 101 and access gateway 102.
Step 302, gateway 102 sends the IKE_SA_INIT response for establishing the IKE SA to access device 101.
Step 303, access device 101 sends to gateway 102 the IKE_SA_AUTH request for establishing the IKE SA between access device 101 and gateway 102 and the IPsec SA between access device 101 and access device 109.
Steps 304-307, gateway 102 establishes an IKE SA with gateway 108.
Step 308, gateway 107 sends the CREATE_CHILD_SA request for establishing the IPsec SA between access device 101 and access device 109.
Steps 309 and 310, gateway 108 and access device 109 exchange the IKE_SA_INIT request and response for establishing the IKE SA between gateway 108 and access device 109.
Step 311, gateway 108 sends to access device 109 the IKE_SA_AUTH request for establishing the IKE SA between access gateway 108 and access device 109 and the IPsec SA between access device 101 and access device 109.
Step 312, access device 109 returns the IKE_SA_AUTH response for establishing the IKE SA between access gateway 108 and access device 109 and the IPsec SA between access device 101 and access device 109.
Step 313, gateway 108 returns the CREATE_CHILD_SA response for establishing the IPsec SA between access device 101 and access device 109.
Step 314, gateway 102 returns the IKE_SA_AUTH response for establishing the IPsec SA between access device 101 and access device 109.
At this point a unidirectional IPsec SA has been established between initiator's access device 101 and peer access device 109.
Fig. 5 shows another IPsec SA establishment flow in host-gateway-gateway-host mode of an embodiment of the invention. In this embodiment it is assumed that initiator's access device 101 and IPsec gateway 102 have established an IKE SA, that IPsec gateway 102 and peer IPsec gateway 108 have established an IKE SA, and that peer IPsec gateway 108 and peer access device 109 have not established an IKE SA. As shown in Fig. 5, the flow mainly comprises the following steps:
Step 401, initiator's access device 101 sends the CREATE_CHILD_SA request for establishing the IPsec SA between access device 101 and access device 109.
Step 402, gateway 102 sends the CREATE_CHILD_SA request for establishing the IPsec SA to peer gateway 108.
Step 403, peer gateway 108 sends an IKE_SA_INIT request message to peer device 109; this message serves only as a trigger, notifying peer device 109 to initiate an IKE SA establishment request.
Steps 404-407, peer access device 109 establishes an IKE SA with peer gateway 108.
Step 408, peer gateway 108 sends the CREATE_CHILD_SA request for establishing the IPsec SA to peer device 109.
Step 409, peer access device 109 sends the CREATE_CHILD_SA response for establishing the IPsec SA to peer gateway 108.
Step 410, peer gateway 108 sends the CREATE_CHILD_SA response for establishing the IPsec SA to gateway 102.
Step 411, gateway 102 sends the CREATE_CHILD_SA response for establishing the IPsec SA to initiator's access device 101.
At this point a unidirectional IPsec SA has been established between initiator's access device 101 and peer access device 109.
Fig. 6 shows the IPsec SA establishment, rekey, deletion and IP address change notification flows in host-gateway-gateway-host mode of an embodiment of the invention. In this embodiment it is assumed that the IKE SAs between initiator's access device 101 and IPsec gateway 102, between IPsec gateway 102 and peer IPsec gateway 108, and between peer IPsec gateway 108 and peer access device 109 have all been established. As shown in Fig. 6, the flow mainly comprises the following steps:
Steps 501 to 506 below are the flow for establishing an IPsec SA between the access devices.
Step 501, initiator's access device 101 sends the CREATE_CHILD_SA request for establishing the IPsec SA.
Step 502, gateway 102 sends the CREATE_CHILD_SA request for establishing the IPsec SA to peer gateway 108.
Step 503, peer gateway 108 sends the CREATE_CHILD_SA request for establishing the IPsec SA to peer device 109.
Step 504, peer device 109 sends the CREATE_CHILD_SA response for establishing the IPsec SA to peer gateway 108.
Step 505, peer gateway 108 sends the CREATE_CHILD_SA response for establishing the IPsec SA to gateway 102.
Step 506, gateway 102 sends the CREATE_CHILD_SA response for establishing the IPsec SA to initiator's access device 101.
At this point a unidirectional IPsec SA has been established between initiator's access device 101 and peer access device 109.
Steps 507 to 512 below are the flow for rekeying the IPsec SA between the access devices.
Step 507, initiator's access device 101 sends the CREATE_CHILD_SA request for rekeying the IPsec SA.
Step 508, gateway 102 sends the CREATE_CHILD_SA request for rekeying the IPsec SA to peer gateway 108.
Step 509, peer gateway 108 sends the CREATE_CHILD_SA request for rekeying the IPsec SA to peer device 109.
Step 510, peer device 109 sends the CREATE_CHILD_SA response for rekeying the IPsec SA to peer gateway 108.
Step 511, peer gateway 108 sends the CREATE_CHILD_SA response for rekeying the IPsec SA to gateway 102.
Step 512, gateway 102 sends the CREATE_CHILD_SA response for rekeying the IPsec SA to initiator's access device 101.
At this point initiator's access device 101 and peer access device 109 have completed the IPsec SA rekey.
Steps 513 to 518 below are the flow for access device IP address change notification.
Step 513, initiator's access device 101 sends the INFORMATIONAL request for access device IP address change notification.
Step 514, gateway 102 sends the INFORMATIONAL request for access device IP address change notification to peer gateway 108.
Step 515, peer gateway 108 sends the INFORMATIONAL request for access device IP address change notification to peer device 109.
Step 516, peer device 109 sends the INFORMATIONAL response for access device IP address change notification to peer gateway 108.
Step 517, peer gateway 108 sends the INFORMATIONAL response for access device IP address change notification to gateway 102.
Step 518, gateway 102 sends the INFORMATIONAL response for access device IP address change notification to initiator's access device 101.
At this point the access device IP address change notification is complete.
Steps 519 to 524 below are the flow for deleting the IPsec SA between the access devices.
Step 519, initiator's access device 101 sends the INFORMATIONAL request for deleting the IPsec SA.
Step 520, gateway 102 sends the INFORMATIONAL request for deleting the IPsec SA to peer gateway 108.
Step 521, peer gateway 108 sends the INFORMATIONAL request for deleting the IPsec SA to peer device 109.
Step 522, peer device 109 sends the INFORMATIONAL response for deleting the IPsec SA to peer gateway 108.
Step 523, peer gateway 108 sends the INFORMATIONAL response for deleting the IPsec SA to gateway 102.
Step 524, gateway 102 sends the INFORMATIONAL response for deleting the IPsec SA to initiator's access device 101.
At this point initiator's access device 101 and peer access device 109 have completed the IPsec SA deletion.
Fig. 7 shows the IPsec SA establishment, rekey, deletion and IP address change notification flows in host-gateway-host mode of an embodiment of the invention. In this embodiment it is assumed that the IKE SAs between access device 131 and IPsec gateway 132, and between IPsec gateway 132 and access device 139, have both been established. As shown in Fig. 7, the flow mainly comprises the following steps:
Steps 601 to 604 below are the flow for establishing an IPsec SA between the access devices.
Step 601, initiator's access device 131 sends the CREATE_CHILD_SA request for establishing the IPsec SA.
Step 602, gateway 132 sends the CREATE_CHILD_SA request for establishing the IPsec SA.
Step 603, peer device 139 sends the CREATE_CHILD_SA response for establishing the IPsec SA to gateway 132.
Step 604, gateway 132 sends the CREATE_CHILD_SA response for establishing the IPsec SA to initiator device 131.
At this point a unidirectional IPsec SA has been established between initiator's access device 131 and peer access device 139.
Steps 605 to 608 below are the flow for rekeying the IPsec SA between the access devices.
Step 605, initiator's access device 131 sends the CREATE_CHILD_SA request for rekeying the IPsec SA.
Step 606, gateway 132 sends the CREATE_CHILD_SA request for rekeying the IPsec SA.
Step 607, peer device 139 sends the CREATE_CHILD_SA response for rekeying the IPsec SA to gateway 132.
Step 608, gateway 132 sends the CREATE_CHILD_SA response for rekeying the IPsec SA to initiator device 131.
At this point initiator's access device 131 and peer access device 139 have completed the IPsec SA rekey.
Steps 609 to 612 below are the flow for access device IP address change notification.
Step 609, initiator's access device 131 sends the INFORMATIONAL request for access device IP address change notification.
Step 610, gateway 132 sends the INFORMATIONAL request for access device IP address change notification.
Step 611, peer device 139 sends the INFORMATIONAL response for access device IP address change notification to gateway 132.
Step 612, gateway 132 sends the INFORMATIONAL response for access device IP address change notification to initiator device 131.
At this point the access device IP address change notification is complete.
Steps 613 to 616 below are the flow for deleting the IPsec SA.
Step 613, initiator's access device 131 sends the INFORMATIONAL request for deleting the IPsec SA.
Step 614, gateway 132 sends the INFORMATIONAL request for deleting the IPsec SA.
Step 615, peer device 139 sends the INFORMATIONAL response for deleting the IPsec SA to gateway 132.
Step 616, gateway 132 sends the INFORMATIONAL response for deleting the IPsec SA to initiator device 131.
At this point initiator's access device 131 and peer access device 139 have completed the IPsec SA deletion.
In addition, an embodiment of the invention provides a system for achieving end-to-end security protection. The system of this embodiment comprises the access devices and the security gateway in an access network; the access device comprises an IKE SA establishment unit and an IPsec SA establishment unit, and the security gateway comprises an IKE SA establishment module, wherein:
the IKE SA establishment unit is used to establish an IKE SA with the security gateway in this access network;
the IKE SA establishment module is used to establish an IKE SA with an access device in this access network or with a security gateway in another access network;
the IPsec SA establishment unit is used to establish and maintain an IPsec SA with another access device in this access network or in another access network, the establishment and maintenance of that IPsec SA being protected by the IKE SAs established above.
Further, when the IPsec SA establishment unit initiates establishment of the IPsec SA with the other access device, it establishes the IPsec SA over the existing IKE SA if an IKE SA with the security gateway in this access network has already been established; if no IKE SA with the security gateway in this access network exists yet, it establishes the IKE SA and the IPsec SA in the same process, and the messages of the IKE SA establishment process carry the parameters for establishing the IPsec SA in addition to the parameters for establishing the IKE SA.
Further, the maintenance of the IPsec SA performed by the IPsec SA establishment unit comprises IPsec SA rekey, IPsec SA deletion and access device IP address change notification.
Further, the keys of the IPsec SA established by the IPsec SA establishment unit are derived through negotiation by the Diffie-Hellman key agreement mechanism.
In addition, an embodiment of the invention provides a security gateway (IPsec gateway) for achieving end-to-end security protection. The security gateway mainly comprises an IKE SA establishment module,
which is used to establish an IKE SA with an access device in this access network or with a security gateway in another access network.
Further, the IKE SA establishment module is used to:
establish IKE SAs with a first access device and a second access device in this access network respectively, so as to protect the IPsec SA established and maintained between the first access device and the second access device;
or, establish IKE SAs with a first access device in this access network and with a security gateway in another access network respectively, so as to protect the IPsec SA established and maintained between the first access device and a second access device in the other access network.
The above are only preferred embodiments of the present invention and do not limit it. The present invention may have various other embodiments, and those of ordinary skill in the art may make corresponding changes and variations according to the present invention without departing from its spirit and essence; all such corresponding changes and variations fall within the scope of protection of the appended claims of the present invention.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
Claims (12)
1. A method for achieving end-to-end security protection, characterized in that:
a first access device and a first security gateway, and a second access device and a second security gateway, respectively establish Internet Key Exchange security associations (IKE SAs);
the first access device and the second access device establish and maintain an IP Security security association (IPsec SA), the establishment and maintenance of the IPsec SA being protected by the IKE SAs established between the first access device and the first security gateway and between the second access device and the second security gateway.
2. the method for claim 1 is characterized in that,
When the access network of described first access device and described second access device was identical, described first security gateway and described second security gateway were the same IPsec gateway in the described identical access network;
When the access network of described first access device and described second access device was inequality, described first security gateway and described second security gateway were respectively the different IP sec gateway in described two different access networks; And set up IKE SA between described two different IP sec gateways.
3. the method for claim 1 is characterized in that,
Described first access device and described second access device have the sign of access;
Described access sign comprises one of following or combination in any: IP address or telephone number or unified resource sign or domain name.
4. the method for claim 1 is characterized in that,
Key among the described IPsec SA that described first access device and described second access device are set up is consulted by the graceful key agreement mechanism in Di Fei-Hull (Diffie-Hellman) and is derived from.
5. the method for claim 1 is characterized in that,
The described process of safeguarding IPsec SA comprises: IPsec SA upgrades, IPsec SA deletes and access device IP address change notice.
6. The method of claim 1 or 2, characterized in that:
the process of establishing IKE SAs between the first access device and the first security gateway, between the second access device and the second security gateway, and between the first security gateway and the second security gateway is carried out before, or simultaneously with, the process in which the first access device and the second access device establish the IPsec SA;
when the IKE SA establishment process and the IPsec SA establishment process are carried out simultaneously, the messages of the IKE SA establishment process carry both the parameters for establishing the IKE SA and the parameters for establishing the IPsec SA.
7. A system for achieving end-to-end security protection, characterized in that the system comprises access devices and a security gateway in an access network, the access device comprising an IKE SA establishment unit and an IPsec SA establishment unit, and the security gateway comprising an IKE SA establishment module, wherein:
the IKE SA establishment unit is configured to establish an IKE SA with the security gateway in its own access network;
the IKE SA establishment module is configured to establish IKE SAs with the access devices in its own access network or with the security gateways in other access networks;
the IPsec SA establishment unit is configured to establish and maintain an IPsec SA with another access device in its own access network or in another access network, the establishment and maintenance of the IPsec SA being protected by the established IKE SAs.
8. The system of claim 7, characterized in that:
the IPsec SA establishment unit is configured so that, when initiating establishment of the IPsec SA with the other access device, if an IKE SA has already been established with the security gateway of its own access network, it establishes the IPsec SA on the basis of that IKE SA; if no IKE SA has yet been established with the security gateway of its own access network, it carries out the IKE SA establishment and the IPsec SA establishment simultaneously, the messages of the IKE SA establishment process carrying both the parameters for establishing the IKE SA and the parameters for establishing the IPsec SA.
9. The system of claim 7 or 8, characterized in that:
the IPsec SA maintenance performed by the IPsec SA establishment unit comprises IPsec SA update, IPsec SA deletion and access device IP address change notification.
10. The system of claim 7 or 8, characterized in that:
the key of the IPsec SA established by the IPsec SA establishment unit is negotiated and derived through the Diffie-Hellman key agreement mechanism.
11. A security gateway for achieving end-to-end security protection, characterized in that the security gateway comprises an IKE SA establishment module,
the IKE SA establishment module being configured to establish IKE SAs with the access devices in its own access network or with the security gateways in other access networks.
12. The security gateway of claim 11, characterized in that the IKE SA establishment module is configured to:
establish IKE SAs respectively with a first access device and a second access device in its own access network, so as to protect the IPsec SA established and maintained between the first access device and the second access device;
or establish IKE SAs respectively with a first access device in its own access network and with a security gateway in another access network, so as to protect the IPsec SA established and maintained between the first access device and a second access device in that other access network.
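As an added illustration of claims 1, 2, 4 and 7 (example code written for this page, not part of the patent): a Python model in which two access devices in different access networks derive an IPsec SA key by Diffie-Hellman while every negotiation message travels only over hop IKE SAs (device to its own gateway, gateway to gateway), so neither endpoint needs a direct IKE SA with, or authentication of, the other. The IkeSa, AccessDevice, relay and negotiate names, the HMAC-only modelling of IKE SA protection, the constructed key derivation and the sample access identifiers are assumptions.

```python
import hashlib, hmac, secrets

# Diffie-Hellman parameters: RFC 2409 group 2 (1024-bit MODP), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

class IkeSa:
    """Models one IKE SA (device-gateway or gateway-gateway) by the integrity key it provides."""
    def __init__(self, name):
        self.name, self.key = name, secrets.token_bytes(32)
    def protect(self, payload):
        return payload + hmac.new(self.key, payload, "sha256").digest()
    def verify(self, msg):
        payload, tag = msg[:-32], msg[-32:]  # HMAC-SHA256 tag is 32 bytes
        if not hmac.compare_digest(hmac.new(self.key, payload, "sha256").digest(), tag):
            raise ValueError(f"integrity check failed under IKE SA {self.name}")
        return payload

class AccessDevice:
    """Endpoint with an access identifier and an IKE SA with its own gateway only."""
    def __init__(self, ident, gw_sa):
        self.ident, self.gw_sa = ident.encode(), gw_sa
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
    def proposal(self):
        # IPsec SA negotiation payload: identifier + DH public value, protected under the gateway IKE SA.
        return self.gw_sa.protect(self.ident + b"|" + self.pub.to_bytes(128, "big"))
    def derive(self, msg):
        peer_ident, peer_pub = self.gw_sa.verify(msg).split(b"|", 1)
        shared = pow(int.from_bytes(peer_pub, "big"), self.priv, P)
        ids = b"|".join(sorted([self.ident, peer_ident]))  # bind the key to both access identifiers
        return hashlib.sha256(shared.to_bytes(128, "big") + ids).digest()  # constructed KDF

def relay(msg, in_sa, out_sa):
    """Gateway hop: verify under the inbound IKE SA, re-protect under the outbound one."""
    return out_sa.protect(in_sa.verify(msg))

def negotiate():
    """Different access networks: A-GW1, GW1-GW2 and B-GW2 IKE SAs protect the A<->B IPsec SA setup."""
    sa_a, sa_gw, sa_b = IkeSa("A-GW1"), IkeSa("GW1-GW2"), IkeSa("B-GW2")
    a = AccessDevice("sip:alice@example.net", sa_a)   # URI-style access identifier (constructed)
    b = AccessDevice("+8610000000000", sa_b)          # telephone-number access identifier (constructed)
    to_b = relay(relay(a.proposal(), sa_a, sa_gw), sa_gw, sa_b)   # A -> GW1 -> GW2 -> B
    to_a = relay(relay(b.proposal(), sa_b, sa_gw), sa_gw, sa_a)   # B -> GW2 -> GW1 -> A
    return a.derive(to_a), b.derive(to_b)

def rejects_unprotected(msg, in_sa, out_sa):
    """True when a gateway hop drops a message that carries no valid tag under the inbound IKE SA."""
    try:
        relay(msg, in_sa, out_sa)
        return False
    except ValueError:
        return True
```

The same-network case of claim 2 is the degenerate path with a single gateway, i.e. one relay() call between the two device SAs.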
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110452344.2A CN103188228B (en) | 2011-12-29 | 2011-12-29 | A kind of method, security gateway and system for realizing End-to-End Security protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103188228A true CN103188228A (en) | 2013-07-03 |
CN103188228B CN103188228B (en) | 2018-05-01 |
Family
ID=48679197
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110452344.2A Expired - Fee Related CN103188228B (en) | 2011-12-29 | 2011-12-29 | A kind of method, security gateway and system for realizing End-to-End Security protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103188228B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104125124A (en) * | 2014-07-11 | 2014-10-29 | 京信通信系统(中国)有限公司 | Smart home remote control method, device and system |
CN109257375A (en) * | 2018-11-01 | 2019-01-22 | 北京信息科技大学 | A kind of internet access authentication system and method based on trust anchor system |
CN110061965A (en) * | 2019-03-13 | 2019-07-26 | 北京华为数字技术有限公司 | Update method, apparatus, equipment and the readable storage medium storing program for executing of Security Association |
CN111147273A (en) * | 2018-11-06 | 2020-05-12 | 中兴通讯股份有限公司 | Data security realization method and related equipment |
CN114172739A (en) * | 2021-12-14 | 2022-03-11 | 杭州数梦工场科技有限公司 | Gateway communication method, device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1406005A (en) * | 2001-09-17 | 2003-03-26 | 华为技术有限公司 | Safety-alliance (SA) generation method for safety communication between nodes of network area |
CN1863048A (en) * | 2005-05-11 | 2006-11-15 | 中兴通讯股份有限公司 | Method of internet key exchange consultation between user and cut-in apparatus |
CN101106454A (en) * | 2007-08-17 | 2008-01-16 | 杭州华三通信技术有限公司 | Method and device for originating Internet secret key exchange and negotiation |
EP2096830A1 (en) * | 2008-02-29 | 2009-09-02 | Research In Motion Limited | Methods and apparatus for use in enabling a mobile communication device with a digital certificate |
CN102143489A (en) * | 2010-02-01 | 2011-08-03 | 华为技术有限公司 | Method, device and system for authenticating relay node |
- 2011-12-29: CN application CN201110452344.2A, granted as CN103188228B; status: not active (Expired - Fee Related)
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104125124A (en) * | 2014-07-11 | 2014-10-29 | 京信通信系统(中国)有限公司 | Smart home remote control method, device and system |
CN109257375A (en) * | 2018-11-01 | 2019-01-22 | 北京信息科技大学 | A kind of internet access authentication system and method based on trust anchor system |
CN109257375B (en) * | 2018-11-01 | 2021-12-28 | 北京信息科技大学 | Internet access authentication system and method based on trust anchor system |
CN111147273A (en) * | 2018-11-06 | 2020-05-12 | 中兴通讯股份有限公司 | Data security realization method and related equipment |
WO2020093834A1 (en) * | 2018-11-06 | 2020-05-14 | 中兴通讯股份有限公司 | Data security implementation method relevant apparatus |
CN110061965A (en) * | 2019-03-13 | 2019-07-26 | 北京华为数字技术有限公司 | Update method, apparatus, equipment and the readable storage medium storing program for executing of Security Association |
CN110061965B (en) * | 2019-03-13 | 2022-08-26 | 北京华为数字技术有限公司 | Method, device and equipment for updating security alliance and readable storage medium |
CN114172739A (en) * | 2021-12-14 | 2022-03-11 | 杭州数梦工场科技有限公司 | Gateway communication method, device, electronic equipment and storage medium |
CN114172739B (en) * | 2021-12-14 | 2024-01-26 | 杭州数梦工场科技有限公司 | Gateway communication method, device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103188228B (en) | 2018-05-01 |
Similar Documents
Publication | Title |
---|---|
Dragomir et al. | A survey on secure communication protocols for IoT systems |
US7181012B2 (en) | Secured map messages for telecommunications networks |
US6976177B2 (en) | Virtual private networks |
CN103155512B (en) | System and method for providing secure access to service |
CN101969638B (en) | Method for protecting international mobile subscriber identity (IMSI) in mobile communication |
US20100119069A1 (en) | Network relay device, communication terminal, and encrypted communication method |
US20100228980A1 (en) | Method and Arrangement for Providing a Wireless Mesh Network |
EP2506491B1 (en) | Encryption information transmission terminal |
Dantu et al. | EAP methods for wireless networks |
CN107005534A (en) | Secure connection is set up |
CN102823282A (en) | Key authentication method for binary CDMA |
CN108683510A (en) | A kind of user identity update method of encrypted transmission |
Moreira et al. | Security mechanisms to protect IEEE 1588 synchronization: State of the art and trends |
CN1863048B (en) | Method of internet key exchange consultation between user and cut-in apparatus |
CN103188228A (en) | Method for achieving safety protection from end to end, security gateway and system |
CN110730071A (en) | Power distribution communication equipment safety access authentication method, device and equipment |
US20100131762A1 (en) | Secured communication method for wireless mesh network |
TW202142011A (en) | A method for preventing encrypted user identity from replay attacks |
KR102219018B1 (en) | Blockchain based data transmission method in internet of things |
CN103916359A (en) | Method and device for preventing attacks from ARP middleman in network |
Rong et al. | Wireless network security |
CN100466599C (en) | Safety access method for special local area net and device used for said method |
Pandey et al. | A system and method for authentication in wireless local area networks (wlans) |
Baskaran et al. | Blind key distribution mechanism to secure wireless metropolitan area network |
CN114614984A (en) | Time-sensitive network secure communication method based on state cryptographic algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180501; Termination date: 20201229 |