CN103188228B - A kind of method, security gateway and system for realizing End-to-End Security protection - Google Patents

Info

Publication number: CN103188228B
Authority: CN (China)
Prior art keywords: ipsec, access device, ike, access, gateway
Legal status: Expired - Fee Related
Application number: CN201110452344.2A
Other languages: Chinese (zh)
Other versions: CN103188228A (en)
Inventors: 张瑞山, 谢振华, 张孟旺
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Abstract

The invention discloses a method, security gateway and system for realizing end-to-end security protection. A first access device and a first security gateway, and a second access device and a second security gateway, each establish an IKE SA. The first access device and the second access device establish and maintain an IPsec SA, and the establishment and maintenance of that IPsec SA are protected by the IKE SAs established between the first access device and the first security gateway and between the second access device and the second security gateway. With the invention, the complicated and hard-to-deploy authentication step that establishing an IKE SA directly between access devices would require is avoided.

Description

A kind of method, security gateway and system for realizing End-to-End Security protection
Technical field
The present invention relates to the technical field of communication security, and in particular to a method, security gateway and system for realizing end-to-end security protection.
Background technology
At present, Internet and mobile Internet devices such as computers and smartphones can connect to the Internet and the mobile Internet through fixed broadband access, mobile 3G (3rd Generation, the third-generation mobile communication technology) access and wireless WLAN (Wireless Local Area Network) access. Telecom operators such as China Telecom, China Unicom and China Mobile offer users a variety of access services; for example, China Mobile provides fixed broadband access, mobile 3G access and wireless WLAN access. A single device, such as a smartphone, can connect in several ways such as 3G and WLAN: when only a 3G signal is available it uses 3G, and when only WLAN is available, or WLAN and 3G coexist, it uses WLAN. As the access mode switches, the IP address of the access device may change accordingly.
In practice, users wish to protect end-to-end communication security so that important data cannot be eavesdropped on or tampered with. For example, when company staff and managers exchange confidential company information by mobile phone, when private content is sent between partners by mobile phone, or when a user transfers important data between a smartphone connected via 3G or WLAN and a home computer on fixed broadband, end-to-end communication security is very important.
IP Security (IPsec) can provide end-to-end communication security protection. IPsec provides confidentiality, data integrity, access control and data origin authentication services for IP datagrams. These services are realized through IPsec security associations (SAs). An IPsec SA defines the method by which the sending and receiving ends protect IP traffic, including the security protocol used, the key algorithms and cryptographic algorithm keys, and other information needed to provide the security services.
Because IPsec SAs established manually scale poorly, a protocol is needed to establish IPsec SAs dynamically; this protocol is the Internet Key Exchange (IKE). Version 1 of IKE (IKE v1) is defined in IETF RFC 2407, RFC 2408 and RFC 2409. Version 2 (IKE v2) is defined in RFC 4702 and clarified and amended in RFC 4812. RFC 5996 clarifies and updates RFC 4702 and RFC 4812 and replaces both. IKE v2 is a revision of IKE v1 and provides no backward compatibility.
Before two communicating parties establish an IPsec SA, IKE first establishes an IKE security association (IKE SA) between them, and the IPsec SA is then established between the parties under the protection of the IKE SA. In RFC 5996 an IPsec SA is also called a Child SA of the IKE SA. In the IKEv2 scenario, the security protocol of an IPsec SA is either the Encapsulating Security Payload (ESP) protocol defined in RFC 4302 or the Authentication Header (AH) protocol defined in RFC 4303.
IPsec deployments fall into three classes: gateway-to-gateway (site-to-site), remote access, and host-to-host. Gateway-to-gateway and remote access are mainly used in enterprise network environments and cannot provide end-to-end security protection. Host-to-host mode can provide end-to-end security protection, but it requires the two communicating hosts to establish an IKE SA and an IPsec SA directly with each other and then protect the IP traffic between them with that IPsec SA.
The prior art has the following defect: when an IKE SA is established with IKE v2, each party must authenticate the peer, and authentication is based on either a shared secret or certificates. With certificates, the user must hold a certificate; for an ordinary user, obtaining a certificate and configuring and performing network authentication with it is very complicated. With shared secrets, a shared secret must be maintained between the user and every peer; when there are many peers, generating and maintaining the shared secrets becomes extremely complex. In short, both authentication modes are complicated and inconvenient for the ordinary network user, which is one reason why host-to-host IPsec is not widely deployed on the Internet today.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, security gateway and system for realizing end-to-end security protection that avoid the complicated, hard-to-deploy authentication step required when an IKE SA is established directly between access devices.
To solve the above technical problem, the present invention provides a method for realizing end-to-end security protection in which:
a first access device and a first security gateway, and a second access device and a second security gateway, each establish an Internet Key Exchange security association (IKE SA);
the first access device and the second access device establish and maintain an IP security association (IPsec SA), and the establishment and maintenance of the IPsec SA are protected by the IKE SA established between the first access device and the first security gateway and the IKE SA established between the second access device and the second security gateway.
Further, when the first access device and the second access device are in the same access network, the first security gateway and the second security gateway are the same IPsec gateway in that access network;
when the first access device and the second access device are in different access networks, the first security gateway and the second security gateway are different IPsec gateways in the two different access networks, and an IKE SA is established between the two different IPsec gateways.
Further, the first access device and the second access device each have an access identifier;
the access identifier comprises one or any combination of: an IP address, a telephone number, a uniform resource identifier, or a domain name.
Further, the key in the IPsec SA established between the first access device and the second access device is negotiated and derived through the Diffie-Hellman key agreement mechanism.
Further, the process of maintaining the IPsec SA includes IPsec SA update, IPsec SA deletion, and access device IP address change notification.
Further, the processes of establishing the IKE SAs between the first access device and the first security gateway, between the second access device and the second security gateway, and between the first security gateway and the second security gateway take place either before the process in which the first access device and the second access device establish the IPsec SA, or at the same time as that process;
when the process of establishing an IKE SA and the process of establishing the IPsec SA are carried out at the same time, the messages of the IKE SA establishment process carry, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA.
The present invention also provides a system for realizing end-to-end security protection, comprising access devices and a security gateway in an access network. The access device includes an IKE SA establishment unit and an IPsec SA establishment unit, and the security gateway includes an IKE SA establishment module, wherein:
the IKE SA establishment unit is used to establish an IKE SA with the security gateway in its own access network;
the IKE SA establishment module is used to establish IKE SAs with the access devices in its own access network or with security gateways in other access networks;
the IPsec SA establishment unit is used to establish and maintain IPsec SAs with other access devices in its own access network or in other access networks, the establishment and maintenance of the IPsec SA being protected by the established IKE SAs.
Further, when the IPsec SA establishment unit initiates establishment of the IPsec SA with the other access device, if an IKE SA has already been established with the security gateway in its own access network, it establishes the IPsec SA on the basis of that IKE SA; if no IKE SA has yet been established with the security gateway in its own access network, it carries out the IKE SA establishment and the IPsec SA establishment at the same time, and the messages of the IKE SA establishment process carry, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA.
Further, the process by which the IPsec SA establishment unit maintains the IPsec SA includes IPsec SA update, IPsec SA deletion, and access device IP address change notification.
Further, the key in the IPsec SA established by the IPsec SA establishment unit is negotiated and derived through the Diffie-Hellman key agreement mechanism.
In addition, the present invention provides a security gateway for realizing end-to-end security protection, the security gateway comprising an IKE SA establishment module,
the IKE SA establishment module being used to establish IKE SAs with the access devices in its own access network or with security gateways in other access networks.
Further, the IKE SA establishment module is used to:
establish IKE SAs with a first access device and a second access device in its own access network, respectively, so as to protect the IPsec SA established and maintained between the first access device and the second access device;
or establish IKE SAs with a first access device in its own access network and with a security gateway in another access network, respectively, so as to protect the IPsec SA established and maintained between the first access device and a second access device in the other access network.
Compared with existing end-to-end security protection methods, the present invention has at least the following advantages:
1) The IPsec method of the invention provides end-to-end security protection, ensuring the confidentiality and integrity of communication between access devices and preventing attacks such as data eavesdropping and data tampering by a malicious intermediary;
2) The IPsec method of the invention is easy to deploy: no IKE SA needs to be established directly between access devices. The IPsec gateways provide mutual authentication between the access devices, an authenticated channel is established between the access devices, and the IPsec SA between the access devices is established over that authenticated channel, avoiding the complicated, hard-to-deploy authentication step that establishing an IKE SA directly between access devices would require.
Brief description of the drawings
The drawings described here are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the host-gateway-gateway-host mode of an embodiment of the invention;
Fig. 2 is a schematic diagram of the host-gateway-host mode of an embodiment of the invention;
Fig. 3 is a flow chart of IKE SA establishment with IKE v2 in an embodiment of the invention;
Fig. 4 is a diagram of the IPsec SA establishment flow (including IKE SA establishment) in host-gateway-gateway-host mode in an embodiment of the invention;
Fig. 5 is a diagram of the IPsec SA establishment flow in host-gateway-gateway-host mode (using a trigger to establish the IKE SAs) in an embodiment of the invention;
Fig. 6 is a flow chart of IPsec SA establishment, update, deletion and IP address change notification in host-gateway-gateway-host mode in an embodiment of the invention;
Fig. 7 is a flow chart of IPsec SA establishment, update, deletion and IP address change notification in host-gateway-host mode in an embodiment of the invention.
Embodiment
This embodiment provides a method for realizing end-to-end security protection in which a security gateway (IPsec gateway) is added in the access network. The two access devices that communicate with each other do not establish an IKE SA directly with each other; instead each establishes an IKE SA with an IPsec gateway, an authenticated channel is then set up between the two access devices through the IPsec gateways, and the IKE v2 messages needed to establish, update and delete the IPsec SA and to handle IP address changes are relayed between the two access devices over that authenticated channel.
Specifically, the method of this embodiment uses the following technical scheme:
When a user subscribes to an access service, the telecom operator allocates a single, globally unique access identifier to the access device and binds it to the device. The access identifier may be an IPv4 or IPv6 address, or it may be represented in the form of a telephone number, an e-mail address or a domain name. When an access device attaches to the network it must be authenticated (for example with the access identifier and a password); once access authentication succeeds, if the access identifier is not in IP address form, the access device obtains a temporary IP address from the access network.
Where the access identifier is not in IP address form, the mapping between access identifiers and IP addresses is maintained in an access identifier to IP address mapping database. Before access device A communicates with access device B, A must send an access identifier to IP address mapping request to the access network to obtain B's IP address. When an access device has several optional access modes, its IP address may change repeatedly as the access mode changes; for example, a device that can use both WLAN and 3G changes its IP address as it switches between them. The mapping database must therefore dynamically update and maintain the mapping between access identifiers and IP addresses.
There are two types of communication between access devices: the two communicating access devices belong to the same access network, or they belong to different access networks. Correspondingly, the IPsec SA can be established in two ways: host-gateway-gateway-host mode and host-gateway-host mode. When the two communicating access devices belong to different access networks, the IPsec SA is established, updated and deleted, and IP address changes are handled, between the two access devices in host-gateway-gateway-host mode; when the two access devices are in the same network, this is done in host-gateway-host mode.
In host-gateway-gateway-host mode, the initiator access device establishes an IKE SA with the IPsec gateway of the initiator's access network (hereinafter also called the initiator IPsec gateway), the initiator IPsec gateway establishes an IKE SA with the IPsec gateway of the peer's access network (hereinafter also called the peer IPsec gateway), and the peer access device establishes an IKE SA with the peer IPsec gateway. Through the initiator IPsec gateway and the peer IPsec gateway, an authenticated channel is thus established between the initiator access device and the peer access device. When the initiator access device wants to establish an IPsec SA with the peer access device, it passes IKE v2 messages to the peer access device via the initiator IPsec gateway and the peer IPsec gateway, and so establishes the IPsec SA with the peer access device.
In host-gateway-host mode, the initiator access device and the peer access device are in the same access network, both attach to the same IPsec gateway, and both establish an IKE SA with that IPsec gateway. Through the IPsec gateway, an authenticated channel is established between the initiator access device and the peer access device. When the initiator access device wants to establish an IPsec SA with the peer access device, it passes IKE v2 messages to the peer access device via the IPsec gateway and so establishes the IPsec SA with the peer access device.
An IKE v2 message consists of a fixed message header and one or more payloads, and a payload consists of one or more fields. This embodiment mainly uses the following kinds of payload:
Identity-based end-to-end protection supported payload (ID-BASED END TO END PROTECTION SUPPORTED): this payload indicates that the sender supports identity-based end-to-end security protection.
Identification payload (IDENTIFICATION): the identification payload is a payload type defined by the IKE v2 protocol and contains an identity type and an identification field. IKE v2 defines several identity types, including IPv4 address, IPv6 address, e-mail address and ID_KEY_ID; an access identifier expressed as an e-mail address can use the e-mail type, and an access identifier expressed as a numeric telephone number can be represented with the ID_KEY_ID type. When the identity type is an IPv4 or IPv6 address, the identification payload can carry the address. To distinguish access identifiers in IP address form from access identifiers in other forms, this invention calls an identification payload that carries an address an address identification payload, and one that carries an access identifier of another form a non-address identification payload. Identification payloads are used in pairs: the first is the initiator's identification payload and the second is the peer's. Each can be an address or a non-address identification payload, so a pair has four possible combinations: (address identification payload, address identification payload), (address identification payload, non-address identification payload), (non-address identification payload, address identification payload) and (non-address identification payload, non-address identification payload).
Nonce payload (NONCE): the nonce payload is a payload type defined by IKE v2 that carries random data to provide liveness and prevent replay attacks.
Security association payload (SECURITY ASSOCIATION): the security association payload is a payload type defined by IKE v2 and contains one or more proposal structures. Each proposal contains a protocol type (ESP, AH or IKE), the Security Parameter Index (SPI) length, the SPI value, and one or more transform substructures; each transform substructure specifies the supported encryption algorithm, integrity and pseudo-random function algorithm, Diffie-Hellman group, and Extended Sequence Number (ESN) setting. The IKE v2 protocol itself specifies which transform substructures, including the transform substructure for the pseudo-random function algorithm, a proposal structure of protocol type ESP or AH contains. This invention uses the pseudo-random function algorithm to derive keying material, and therefore requires that proposal structures of protocol type ESP or AH include a transform substructure for the pseudo-random function; the two optional pseudo-random function algorithms are PRF_HMAC_MD5 and PRF_HMAC_SHA1 as specified in IKE v2. In addition, this application requires that proposal structures of protocol type ESP or AH include a Diffie-Hellman group transform substructure specifying the Diffie-Hellman group to be used.
Key exchange payload (KEY EXCHANGE): the key exchange payload is a payload type defined by IKE v2 and carries the parameters needed for the Diffie-Hellman negotiation. In a Diffie-Hellman negotiation the initiator chooses a random number i smaller than the prime p and sends $g^i \bmod p$ to the peer; the peer chooses a random number r smaller than the prime p and sends $g^r \bmod p$ to the initiator; both sides can then compute $g^{ir} \bmod p$. For a given Diffie-Hellman group, g and p are public. The Diffie-Hellman parameters carried in IKE v2 are the values $g^i \bmod p$ and $g^r \bmod p$ and the Diffie-Hellman group number.
IKE v2 specifies the keying material derivation for an IPsec SA as KEYMAT = prf+(SK_d, $g^{ir} \bmod p$ | Ni | Nr), where prf+ is a function built on the pseudo-random function prf, $g^{ir} \bmod p$ is the secret value from the Diffie-Hellman negotiation, | denotes concatenation, Ni is the random data in the nonce payload sent by the initiator, Nr is the random data in the nonce payload sent by the peer, and SK_d is a key generated when the IKE SA was established.
In this embodiment, because no IKE SA is established between the initiator access device and the peer access device, the keying material of the IPsec SA cannot be generated with the method specified by IKE v2. The keying material derivation of this embodiment is KEYMAT = prf+($g^{ir} \bmod p$ | Ni | Nr, IDi | IDr), where prf is the pseudo-random function specified in the proposal structure of protocol type ESP or AH, IDi is the access identifier of the initiator access device and IDr is the access identifier of the peer access device. In the invention, the IPsec SA keying material in both the IPsec SA establishment flow and the IPsec SA update flow is generated according to this formula KEYMAT = prf+($g^{ir} \bmod p$ | Ni | Nr, IDi | IDr).
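As an added example (not code from the patent or from ZTE), the following Python implements the prf+ construction of RFC 5996 with PRF_HMAC_SHA1 and applies it to both formulas above: the standard IKEv2 derivation that needs SK_d, and the patent's derivation that uses the access identifiers in its place. The toy Diffie-Hellman prime, the sample identifiers and the key-splitting order (RFC 5996's SK_ei | SK_ai | SK_er | SK_ar for an ESP SA) are assumptions, not taken from the page.

```python
# Added example, not the patent's or ZTE's code: RFC 5996 prf+ (PRF_HMAC_SHA1)
# applied to the standard IKEv2 child SA key derivation and to the patent's
# derivation for two access devices that share no IKE SA (and hence no SK_d).
import hashlib
import hmac
import secrets


def prf_hmac_sha1(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, one of the two PRF algorithms the text names."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5996 section 2.13 prf+:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output T1 | T2 | ...
    """
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:  # the counter is a single byte
            raise ValueError("prf+ is limited to 255 blocks")
        prev = prf_hmac_sha1(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def keymat_ikev2(sk_d: bytes, gir: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """Standard IKEv2 child SA keying with a fresh DH exchange:
    KEYMAT = prf+(SK_d, g^ir mod p | Ni | Nr), SK_d coming from the IKE SA."""
    return prf_plus(sk_d, gir + ni + nr, length)


def keymat_patent(gir: bytes, ni: bytes, nr: bytes, idi: bytes, idr: bytes, length: int) -> bytes:
    """The patent's derivation when no IKE SA exists between the access devices:
    KEYMAT = prf+(g^ir mod p | Ni | Nr, IDi | IDr); the DH secret and nonces act
    as the PRF key and the two access identifiers as the seed."""
    return prf_plus(gir + ni + nr, idi + idr, length)


def split_keymat(keymat: bytes, enc_len: int, auth_len: int) -> dict:
    """Assumed RFC 5996 order for an ESP SA: SK_ei | SK_ai | SK_er | SK_ar."""
    cuts = [0, enc_len, enc_len + auth_len, 2 * enc_len + auth_len, 2 * (enc_len + auth_len)]
    if len(keymat) < cuts[-1]:
        raise ValueError("KEYMAT too short for the requested key sizes")
    names = ("SK_ei", "SK_ai", "SK_er", "SK_ar")
    return {n: keymat[cuts[j]:cuts[j + 1]] for j, n in enumerate(names)}


# Constructed toy DH parameters: p = 2^127 - 1 is prime, but this is NOT one of
# the MODP groups registered for IKEv2; it only exercises the arithmetic.
TOY_P = (1 << 127) - 1
TOY_G = 3


def dh_public(priv: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """g^i mod p (or g^r mod p), the value carried in the KEY EXCHANGE payload."""
    return pow(g, priv, p)


def dh_shared(priv: int, peer_pub: int, p: int = TOY_P) -> bytes:
    """g^ir mod p as a fixed-width big-endian byte string, as IKE encodes it."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def negotiate_child_sa(idi: bytes, idr: bytes, enc_len: int = 16, auth_len: int = 20) -> tuple:
    """Simulate both access devices: each picks i or r, exchanges g^i / g^r via
    KEY EXCHANGE and Ni / Nr via NONCE payloads, then derives KEYMAT with the
    patent's formula independently. Returns (initiator_keys, responder_keys)."""
    i = secrets.randbelow(TOY_P - 2) + 1           # random i in [1, p-2]
    r = secrets.randbelow(TOY_P - 2) + 1           # random r in [1, p-2]
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gi, gr = dh_public(i), dh_public(r)
    length = 2 * (enc_len + auth_len)
    init_keys = split_keymat(keymat_patent(dh_shared(i, gr), ni, nr, idi, idr, length),
                             enc_len, auth_len)
    resp_keys = split_keymat(keymat_patent(dh_shared(r, gi), ni, nr, idi, idr, length),
                             enc_len, auth_len)
    return init_keys, resp_keys


if __name__ == "__main__":
    # Sample access identifiers in e-mail form, constructed for the demo.
    a, b = negotiate_child_sa(b"alice@example.com", b"bob@example.com")
    print("keys agree:", a == b)
    print({k: v.hex() for k, v in a.items()})
```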
Notify payload (NOTIFY): the notify payload is a payload type defined by IKE v2 and contains the SPI length, SPI value, notify message type and notification data fields.
Delete payload (DELETE): the delete payload is a payload type defined by IKE v2 and contains the SPI length and SPI value fields.
Traffic selector payload (TRAFFIC SELECTOR): the traffic selector payload is a payload type defined by IKE v2 and contains one or more traffic selector entries. Each entry contains a traffic selector type, a protocol type, a start port, an end port, a start address and an end address. The traffic selector type is IPv4 or IPv6 address, and the protocol type is UDP, TCP, ICMP, etc. The start and end addresses together define an address range, and the start and end ports together define a port range. The entries are in an OR relationship: the coverage of the whole traffic selector is the union of the ranges specified by its entries. Traffic selector payloads are used in pairs: the first is the initiator's traffic selector, specifying the initiator's IP traffic range, and the second is the responder's traffic selector, specifying the responder's IP traffic range. In use, the initiator sends a pair of traffic selector payloads to the responder; the responder may generate a new pair from a subset of the initiator's traffic selector and a subset of the responder's traffic selector and return it to the initiator as the final traffic selectors.
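As an added example, not from the patent, here is the traffic selector narrowing step just described in Python: the responder intersects each of the initiator's entries with its own policy entries, so the returned pair covers a subset of what was proposed, while the union semantics between entries is kept. Only IPv4 address ranges are handled; the sample ranges, ports and the `respond` helper are constructed for illustration.

```python
# Added example, not code from the patent: IKEv2 traffic selector narrowing.
# Each entry is one traffic selector entry (protocol, port range, address
# range); a payload is a list of entries whose coverage is their union.
import ipaddress
from dataclasses import dataclass

PROTO_ANY, PROTO_ICMP, PROTO_TCP, PROTO_UDP = 0, 1, 6, 17


@dataclass(frozen=True)
class TrafficSelector:
    proto: int                        # 0 = any protocol, else IP protocol number
    start_port: int
    end_port: int
    start_addr: ipaddress.IPv4Address
    end_addr: ipaddress.IPv4Address

    def intersect(self, other: "TrafficSelector"):
        """Overlap of two entries, or None when they are disjoint."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        proto = self.proto or other.proto          # "any" narrows to the specific one
        sp, ep = max(self.start_port, other.start_port), min(self.end_port, other.end_port)
        sa, ea = max(self.start_addr, other.start_addr), min(self.end_addr, other.end_addr)
        if sp > ep or sa > ea:
            return None
        return TrafficSelector(proto, sp, ep, sa, ea)

    def covers(self, proto: int, port: int, addr: ipaddress.IPv4Address) -> bool:
        return ((self.proto == 0 or self.proto == proto)
                and self.start_port <= port <= self.end_port
                and self.start_addr <= addr <= self.end_addr)


def ts_from_cidr(cidr: str, proto: int = PROTO_ANY, ports=(0, 65535)) -> TrafficSelector:
    """Build one entry from a CIDR block (start = first address, end = last)."""
    net = ipaddress.ip_network(cidr)
    return TrafficSelector(proto, ports[0], ports[1], net[0], net[-1])


def narrow(proposed: list, policy: list) -> list:
    """Responder-side narrowing: every pairwise overlap between the initiator's
    entries and the responder's policy entries, de-duplicated. The result is a
    subset of the proposal and its coverage is still the union of its entries."""
    result = []
    for p in proposed:
        for q in policy:
            ts = p.intersect(q)
            if ts is not None and ts not in result:
                result.append(ts)
    return result


def selects(ts_list: list, proto: int, port: int, addr: str) -> bool:
    """Whole-payload membership test: OR across the entries."""
    ip = ipaddress.IPv4Address(addr)
    return any(ts.covers(proto, port, ip) for ts in ts_list)


def respond(tsi_proposed: list, tsr_proposed: list, policy_i: list, policy_r: list):
    """Handle the (TSi, TSr) pair of a CREATE_CHILD_SA request: narrow both
    sides against local policy; an empty side means no acceptable SA."""
    tsi, tsr = narrow(tsi_proposed, policy_i), narrow(tsr_proposed, policy_r)
    if not tsi or not tsr:
        return None
    return tsi, tsr
```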
Below, the IPsec SA establishment, update, deletion and IP address change notification flows are described in detail for host-gateway-gateway-host mode and host-gateway-host mode respectively.
1. IPsec SA establishment, update, deletion and IP address change notification in host-gateway-gateway-host mode
In host-gateway-gateway-host mode, when the IPsec SA is established an authenticated channel may already exist between the initiator access device and the peer access device, i.e. IKE SAs have already been established on all three segments: between the initiator access device and the initiator IPsec gateway, between the initiator IPsec gateway and the peer IPsec gateway, and between the peer IPsec gateway and the peer access device. Establishing each IKE SA mainly comprises four steps: 1. the initiator sends an IKE_SA_INIT request message to the peer; 2. the peer responds to the IKE_SA_INIT request with an IKE_SA_INIT response; 3. the initiator sends an IKE_SA_AUTH request message; 4. the peer returns an IKE_SA_AUTH response message. Through these steps the initiator and the peer establish an IKE SA.
Alternatively, before the IPsec SA is established, no authenticated channel may yet exist between the initiator access device and the peer access device. If, when the IPsec SA is to be established, the IKE SA between an access device and its IPsec gateway has not been set up, then in order to speed up IPsec SA establishment and reduce message exchanges it is preferable that the IKE_SA_AUTH request and response exchanged between the access device and the access gateway also carry the payloads needed to establish the IPsec SA between the access devices, alongside those for the IKE SA between the access device and the access gateway. If, when the IPsec SA is to be established, the initiator IPsec gateway has not set up an IKE SA with the peer IPsec gateway, the initiator IPsec gateway first establishes an IKE SA with the peer IPsec gateway through the four-step IKE_SA_INIT request/response and IKE_SA_AUTH request/response exchange, and then carries the payloads needed to establish the IPsec SA between the access devices in CREATE_CHILD_SA request/response messages.
The IPsec SA establishment process described below covers both cases: the authenticated channel already established and not yet established.
If the initiator access device has already established an IKE SA with its own IPsec gateway, the initiator access device constructs a CREATE_CHILD_SA request message containing the identity-based end-to-end protection supported payload, a security association payload, a key exchange payload (KEY EXCHANGE), a pair of identification payloads, a pair of traffic selector payloads and a nonce payload (NONCE). The pair of identification payloads identifies the initiator access device and the peer access device; each may be an address or a non-address identification payload, so the pair has four possible combinations: (address identification payload, address identification payload), (address identification payload, non-address identification payload), (non-address identification payload, address identification payload), (non-address identification payload, non-address identification payload). The key exchange payload is used to negotiate the key. The CREATE_CHILD_SA request message is then sent to the initiator's own IPsec gateway.
If the initiator access device and its own IPsec gateway have not yet established an IKE connection, the initiator access device sends an IKE_SA_INIT request message to its own IPsec gateway, and the initiator IPsec gateway returns an IKE_SA_INIT response message to the initiator access device. The initiator access device then sends an IKE_SA_AUTH request message to the initiator IPsec gateway; in addition to the payloads necessary for establishing the IKE SA between the initiator access device and the initiator IPsec gateway, the IKE_SA_AUTH request also carries the payloads needed to generate the IPsec SA: the identity-based end-to-end protection supported payload, a security association payload, a key exchange payload (KEY EXCHANGE), a pair of identification payloads, a pair of traffic selector payloads and a nonce payload (NONCE). The pair of identification payloads carries the identifiers of the initiator access device and the peer access device, and the key exchange payload is used to negotiate the key. The IKE_SA_AUTH request message is then sent to the initiator's own IPsec gateway.
After the initiator IPsec gateway receives the CREATE_CHILD_SA or IKE_SA_AUTH request message, it can determine the IPsec gateway corresponding to the peer access device from the peer access device's access identifier. If it has not yet established an IKE SA with the peer IPsec gateway, the initiator IPsec gateway first establishes an IKE SA with the peer IPsec gateway. The initiator IPsec gateway then constructs a CREATE_CHILD_SA request message containing copies of the identity-based end-to-end protection supported payload, security association payload, key exchange payload (KEY EXCHANGE), pair of identification payloads, pair of traffic selector payloads and nonce payload (NONCE) from the received CREATE_CHILD_SA or IKE_SA_AUTH request message, and sends the CREATE_CHILD_SA request message to the peer IPsec gateway.
After the peer IPsec gateway receives the CREATE_CHILD_SA request message carrying the identity-based end-to-end protection supported payload, if the identification payload is a non-address identification payload, the peer IPsec gateway first looks up its own access identifier to address mapping database to obtain the IP address of the peer access device.
The peer IPsec gateway then checks whether it has already established an IKE SA with the peer access device. There are three ways in which the peer IPsec gateway can proceed:
Mode A: if an IKE SA with the peer access device already exists, the peer IPsec gateway constructs a CREATE_CHILD_SA request message containing copies of the identity-based end-to-end protection supported payload, security association payload, key exchange payload (KEY EXCHANGE), pair of identification payloads, pair of traffic selector payloads and nonce payload (NONCE) from the received CREATE_CHILD_SA request message, and sends the CREATE_CHILD_SA request message to the IP address of the peer access device.
If the peer IPsec gateway has not established an IKE SA with the peer access device, it can proceed in mode B or mode C below:
Mode B: the peer IPsec gateway sends an IKE_SA_INIT request message to the peer access device, and the peer access device returns an IKE_SA_INIT response message to the peer IPsec gateway. The peer IPsec gateway then constructs an IKE_SA_AUTH request message containing copies of the identity-based end-to-end protection supported payload, security association payload, key exchange payload (KEY EXCHANGE), pair of identification payloads, pair of traffic selector payloads and nonce payload (NONCE) from the received CREATE_CHILD_SA request message, and sends the IKE_SA_AUTH request message to the IP address of the peer access device.
In aforesaid way B, opposite end IPsec gateways initiate IKE SA to opposite end access device and establish request, different from mode B , mode C is that opposite end IPsec gateways send a content as empty INFORMATIONAL types to opposite end access device Request message requires opposite end access device to initiate IKE SA and establishes request, this INFORMATIONAL request message is as trigger Use.Then, IKE_SA_INIT request messages are sent by opposite end access device, opposite end IPsec gateways send IKE_SA_INIT Response message, opposite end access device send IKE_SA_AUTH request messages, and opposite end IPsec gateways send IKE_SA_AUTH and ring Should.By above-mentioned steps, after establishing IKE SA between opposite end IPsec gateways and opposite end access device, constructed according to mode A CREATE_CHILD_SA request messages, and it is sent to opposite end access device.
After the IKE_SA_AUTH request messages of CREATE_CHILD_SA or mode B of mode A or C are received, to termination A CREATE_CHILD_SA or IKE_SA_AUTH response message can be produced by entering equipment.CREATE_CHILD_SA response messages, Including based on mark End-to-End Security protection sustained load, security association load, cipher key exchange payload (KEY EXCHANGE), A pair of mark load, a pair of of flow select sub- load, random number load (NONCE).IKE_SA_AUTH response messages except comprising Established with opposite end IPsec gateways outside the load of IKE SA needs, further include and created in above-mentioned CREATE_CHILD_SA response messages Build the load of IPsec SA needs.Then, opposite end access device is by CREATE_CHILD_SA or IKE_SA_AUTH response messages It is sent to opposite end IPsec gateways.Meanwhile opposite end access device can be according to the above-mentioned IPsec SA key materials generation side specified Method derives from the various keys of IPsec SA.
After opposite end IPsec gateways receive CREATE_CHILD_SA or IKE_SA_AUTH response messages, one can be constructed CREATE_CHILD_SA response messages, copy CREATE_CHILD_SA or IKE_SA_AUTH response messages in based on mark End-to-End Security protection sustained load, security association load, cipher key exchange payload (KEY EXCHANGE), a pair of of mark carry Lotus, a pair of of flow select sub- load, random number load (NONCE).Then CREATE_CHILD_SA response messages are sent to The IPsec gateways of the side's of sending access device.
After sender's IPsec gateways receive CREATE _ CHILD_SA response messages, if it is determined that initiator's access device IKE SA are established with sender's IPsec gateways, then sender IPsec gateways will construct a CREATE_CHILD_SA, otherwise Sender IPsec gateways will construct an IKE_SA_AUTH response message.Wherein, CREATE_CHILD_SA response messages, bag Include copy and receive the protection of the End-to-End Security based on the mark sustained load of CREATE_CHILD_SA response messages, safety pass Join load, cipher key exchange payload (KEY EXCHANGE), a pair of of mark load, a pair of of flow and select sub- load, random number load (NONCE).IKE_SA_AUTH response messages also wrap in addition to comprising the load of IKE SA needs is established with opposite end IPsec gateways Include the various load of above-mentioned CREATE_CHILD_SA response messages.Then, initiator IPsec gateways are by CREATE C_ HILD_SA or IKE_SA_AUTH response messages are sent to initiator's access device.Finally, initiator's access device can be according to The above-mentioned IPsec SA key materials generation method specified derives from the various keys of IPsec SA.
So far, protection initiator's access device is established between initiator's access device and opposite end access device to access to opposite end The IPsec SA of device IP digital data stream.In order to realize two-way secure communication, it is also necessary to created and protected using the above method Opposite end access device to initiator's access device IP traffic IPsec SA, using two-way IPsec SA to IP between the two Data packet is protected.
The flow for updating (rekeying) an IPsec SA between access devices is similar to the IPsec SA establishment flow above. At this point an authenticated channel already exists between the access devices. The access device initiating the IPsec SA update request constructs a CREATE_CHILD_SA request message containing the identity-based end-to-end security protection support payload, an IPsec SA update (REKEY_SA) notify payload, the security association payload, the key exchange payload (KEY EXCHANGE), a pair of identity payloads, a pair of traffic selector payloads and the nonce payload (NONCE). The IPsec SA update notify payload is a notify payload type of the IKEv2 protocol and carries the Security Parameter Index (SPI) of the IPsec SA being updated. The CREATE_CHILD_SA request message is then sent to the device's own IPsec gateway. That IPsec gateway constructs a CREATE_CHILD_SA request message, copying each payload of the received CREATE_CHILD_SA request message, and sends the constructed message to the peer IPsec gateway. The peer IPsec gateway likewise constructs a CREATE_CHILD_SA request message, copying each payload of the received CREATE_CHILD_SA request message, and sends it to the peer access device.
The peer access device constructs a CREATE_CHILD_SA response message containing the identity-based end-to-end security protection support payload, security association payload, key exchange payload (KEY EXCHANGE), a pair of identity payloads, a pair of traffic selector payloads and the nonce payload, and sends the constructed CREATE_CHILD_SA response message to the peer IPsec gateway. At the same time, the peer access device derives the various keys of the updated IPsec SA according to the IPsec SA keying material generation method specified above.
The peer IPsec gateway constructs a CREATE_CHILD_SA response message, copying each payload of the received CREATE_CHILD_SA response message, and sends it to the IPsec gateway of the access device that initiated the IPsec SA update request. That gateway constructs a CREATE_CHILD_SA response message in the same way and sends it to the initiating device. Finally, the initiator access device derives the various keys of the updated IPsec SA according to the IPsec SA keying material generation method specified above.
The IPsec SA deletion flow is as follows. When an IPsec SA is deleted, an authenticated channel already exists between the access devices. The access device initiating the IPsec SA deletion request constructs an IKEv2 INFORMATIONAL request message containing the identity-based end-to-end security protection support payload, a delete payload and a pair of identity payloads, and sends the INFORMATIONAL request message to its own IPsec gateway. That IPsec gateway constructs an INFORMATIONAL request message, copying the received identity-based end-to-end security protection support payload, delete payload, pair of identity payloads and any other payloads, and sends the constructed request message to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL request message, copying each payload of the received INFORMATIONAL request message, and sends it to the peer access device.
The peer access device constructs an INFORMATIONAL response message containing the identity-based end-to-end security protection support payload and a pair of identity payloads, and sends it to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL response message, copying each payload of the received INFORMATIONAL response message, and sends it to the IPsec gateway of the device that initiated the IPsec SA deletion request. That gateway constructs an INFORMATIONAL response message in the same way and sends it to the initiating device.
The IP address change notification flow is as follows. At the time of the notification, an authenticated channel already exists between the access devices. After an access device finds that its own IP address has changed, it constructs an IKEv2 INFORMATIONAL request message containing the identity-based end-to-end security protection support payload, an IP address change (UPDATE_SA_ADDRESSES) notify payload and a pair of identity payloads. The IP address change notify payload is a notify payload type of the IKEv2 protocol indicating that the IP address bound to the IPsec SA has changed; the first identity payload of the pair is an address identity payload carrying the updated IP address. The INFORMATIONAL request message is then sent to the device's own IPsec gateway. That IPsec gateway constructs an INFORMATIONAL request message, copying the notify payload, pair of identity payloads and other payloads of the received request message, and sends the constructed request message containing the notify payload, pair of identity payloads and other payloads to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL request message, copying each payload of the received INFORMATIONAL request message, and sends it to the peer access device. The peer access device changes the IP address it holds for the access device that initiated the notification to the updated IP address carried in the identity payload of the INFORMATIONAL request message.
The peer access device constructs an INFORMATIONAL response message containing a pair of identity payloads and sends the constructed INFORMATIONAL response message to the peer IPsec gateway. The peer IPsec gateway constructs an INFORMATIONAL response message, copying each payload of the received INFORMATIONAL response message, and sends it to the IPsec gateway of the access device that initiated the IP address change request. That gateway constructs an INFORMATIONAL response message in the same way and sends it to the initiating device.
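The gateway-relayed exchanges described above, covering the establishment flow (modes A, B and C) as well as the update, deletion and address-change flows, as an added Python model that is not part of the patent: node names, IP addresses, payload values and the identity-to-address database are constructed for the demo, key exchange values are placeholder strings, and the IKE-level AUTH payload is modelled as a per-hop payload that gateways never copy.

```python
from dataclasses import dataclass, field

# Payloads describing the end-to-end IPsec SA; every gateway hop copies them unchanged.
# The IKE-level AUTH payload is deliberately not listed: it is per hop and never relayed.
E2E = ("E2E_SUPPORT", "SA", "KE", "IDi", "IDr", "TSi", "TSr", "NONCE",
       "REKEY_SA", "DELETE", "UPDATE_SA_ADDRESSES")


@dataclass
class Msg:
    exch: str                    # IKE_SA_INIT, IKE_SA_AUTH, CREATE_CHILD_SA or INFORMATIONAL
    request: bool
    payloads: dict = field(default_factory=dict)

    def e2e(self):
        return {k: v for k, v in self.payloads.items() if k in E2E}


class Node:
    def __init__(self, name, ip):
        self.name, self.ip = name, ip
        self.ike_peers = set()   # names of nodes this node holds an IKE SA with
        self.bindings = {}       # peer identity -> peer IP bound to the end-to-end IPsec SA


class Relay:
    """Delivers messages, records the transcript and tracks IKE SA state."""
    def __init__(self, id_db):
        self.id_db = id_db       # gateway database: access identity -> IP address (constructed)
        self.lines = []          # (sender, receiver, exchange, "req"|"resp"), one per message

    def send(self, src, dst, msg):
        self.lines.append((src.name, dst.name, msg.exch, "req" if msg.request else "resp"))
        if msg.exch == "IKE_SA_AUTH" and not msg.request:   # IKE SA exists once AUTH completes
            src.ike_peers.add(dst.name); dst.ike_peers.add(src.name)
        return msg

    def ike_init(self, a, b):
        self.send(a, b, Msg("IKE_SA_INIT", True))
        self.send(b, a, Msg("IKE_SA_INIT", False))

    def ike_sa(self, a, b):
        """Plain two-exchange IKE SA set-up between a and b carrying no child-SA payloads."""
        self.ike_init(a, b)
        self.send(a, b, Msg("IKE_SA_AUTH", True, {"AUTH": a.name}))
        self.send(b, a, Msg("IKE_SA_AUTH", False, {"AUTH": b.name}))


def establish(r, a, gw_a, gw_b, b, mode="B"):
    """Host-gateway-gateway-host IPsec SA set-up; `mode` picks B or C when gw_b has no IKE SA to b."""
    child = {"E2E_SUPPORT": True, "SA": "ESP-AES-GCM", "KE": "g^x", "IDi": a.name,
             "IDr": b.name, "TSi": a.ip, "TSr": "any", "NONCE": "Ni"}
    # Leg 1: initiator -> own gateway. Without an IKE SA the child payloads ride on IKE_SA_AUTH.
    if a.name in gw_a.ike_peers:
        req1 = r.send(a, gw_a, Msg("CREATE_CHILD_SA", True, child))
    else:
        r.ike_init(a, gw_a)
        req1 = r.send(a, gw_a, Msg("IKE_SA_AUTH", True, {"AUTH": a.name, **child}))
    # Leg 2: gateway -> peer gateway, always a CREATE_CHILD_SA holding only the copied payloads.
    if gw_b.name not in gw_a.ike_peers:
        r.ike_sa(gw_a, gw_b)
    req2 = r.send(gw_a, gw_b, Msg("CREATE_CHILD_SA", True, req1.e2e()))
    # Leg 3: peer gateway resolves the non-address IDr to an IP, then applies mode A, B or C.
    if r.id_db.get(req2.payloads["IDr"]) != b.ip:
        raise LookupError("identity database does not resolve IDr to the responder")
    if b.name in gw_b.ike_peers:                                   # mode A
        req3 = r.send(gw_b, b, Msg("CREATE_CHILD_SA", True, req2.e2e()))
    elif mode == "B":                                              # mode B: gateway initiates IKE
        r.ike_init(gw_b, b)
        req3 = r.send(gw_b, b, Msg("IKE_SA_AUTH", True, {"AUTH": gw_b.name, **req2.e2e()}))
    else:                                                          # mode C: empty INFORMATIONAL trigger
        r.send(gw_b, b, Msg("INFORMATIONAL", True))
        r.ike_sa(b, gw_b)                                          # responder initiates the IKE SA
        req3 = r.send(gw_b, b, Msg("CREATE_CHILD_SA", True, req2.e2e()))
    # Responder binds the SA to the initiator's address and answers with its own KE and NONCE;
    # each gateway then copies the end-to-end payloads back towards the initiator.
    b.bindings[req3.payloads["IDi"]] = req3.payloads["TSi"]
    reply = {**req3.payloads, "KE": "g^y", "NONCE": "Nr"}
    if req3.exch == "IKE_SA_AUTH":
        reply["AUTH"] = b.name
    resp3 = r.send(b, gw_b, Msg(req3.exch, False, reply))
    resp2 = r.send(gw_b, gw_a, Msg("CREATE_CHILD_SA", False, resp3.e2e()))
    resp1 = r.send(gw_a, a, Msg(req1.exch, False, resp2.e2e()))
    return resp1.payloads


def maintain(r, a, gw_a, gw_b, b, exch, payloads):
    """Rekey (REKEY_SA), delete (DELETE) or address change (UPDATE_SA_ADDRESSES), relayed hop by hop."""
    hops = ((a, gw_a), (gw_a, gw_b), (gw_b, b))
    for x, y in hops:                                   # all three channels must be authenticated
        if y.name not in x.ike_peers:
            raise RuntimeError(f"no authenticated channel between {x.name} and {y.name}")
    m = Msg(exch, True, {"E2E_SUPPORT": True, "IDi": a.name, "IDr": b.name, **payloads})
    for x, y in hops:                                   # request relayed hop by hop
        m = r.send(x, y, Msg(exch, True, m.e2e()))
    if "UPDATE_SA_ADDRESSES" in m.payloads:             # responder rebinds the SA to the new address
        b.bindings[m.payloads["IDi"]] = m.payloads["UPDATE_SA_ADDRESSES"]
    if "REKEY_SA" in m.payloads:                        # rekey: responder adds fresh KE and NONCE
        reply = {**m.e2e(), "KE": "g^y2", "NONCE": "Nr2"}
    else:                                               # delete / address change: identities only
        reply = {k: m.payloads[k] for k in ("E2E_SUPPORT", "IDi", "IDr")}
    for x, y in reversed(hops):                         # response relayed back the same way
        m = r.send(y, x, Msg(exch, False, reply))
    return m.payloads
```

With no IKE SA on any leg and mode B, the recorded transcript is the 14-message sequence of steps 301 to 314 (Fig. 4); with only the last leg missing and mode C it is the 11-message sequence of steps 401 to 411 (Fig. 5).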
2. IPsec SA establishment, update, deletion and IP address change notification in host-gateway-host mode
The IPsec SA establishment flow between access devices in host-gateway-host mode is similar to that of host-gateway-gateway-host mode.
First, if an IKE SA has already been established between the initiator access device and the gateway, the initiator access device constructs a CREATE_CHILD_SA request message; otherwise, after one round of IKE_SA_INIT request/response message exchange with the gateway, it constructs an IKE_SA_AUTH request message. The payloads of the CREATE_CHILD_SA or IKE_SA_AUTH request message are constructed in the same way as in host-gateway-gateway-host mode. Then, if the gateway has already established an IKE SA with the peer access device, it constructs a CREATE_CHILD_SA request message; otherwise it constructs an IKE_SA_AUTH or CREATE_CHILD_SA request message using mode B or mode C of host-gateway-gateway-host mode. The payloads of the CREATE_CHILD_SA or IKE_SA_AUTH request message are constructed in the same way as in host-gateway-gateway-host mode.
Correspondingly, the peer access device constructs a CREATE_CHILD_SA or IKE_SA_AUTH response message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the gateway. The gateway constructs a CREATE_CHILD_SA or IKE_SA_AUTH response message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the initiator access device.
The IPsec SA update flow in host-gateway-host mode is similar to that of host-gateway-gateway-host mode. The initiator access device of the update flow constructs a CREATE_CHILD_SA request message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the initiator IPsec gateway. The gateway constructs a CREATE_CHILD_SA request message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the peer access device.
The peer access device constructs a CREATE_CHILD_SA response message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the IPsec gateway. The IPsec gateway constructs a CREATE_CHILD_SA response message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the initiator access device.
The IPsec SA deletion flow in host-gateway-host mode is similar to that of host-gateway-gateway-host mode. The initiator access device of the deletion flow constructs an INFORMATIONAL request message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the IPsec gateway. Similarly, the IPsec gateway constructs an INFORMATIONAL request message and sends it to the peer access device. The peer access device sends an INFORMATIONAL response message to the IPsec gateway, and the IPsec gateway sends a response message to the initiator access device.
The IP address change notification flow in host-gateway-host mode is similar to that of host-gateway-gateway-host mode. The initiator access device of the notification flow constructs an INFORMATIONAL request message whose payloads are constructed in the same way as in host-gateway-gateway-host mode, and sends it to the IPsec gateway. Similarly, the IPsec gateway constructs an INFORMATIONAL request message and sends it to the peer access device. The peer access device sends an INFORMATIONAL response message to the IPsec gateway, and the IPsec gateway sends a response message to the initiator access device.
In order to make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in those embodiments may be combined with each other.
The present invention provides two IPsec deployment modes: the host-gateway-gateway-host mode shown in Fig. 1, and the host-gateway-host mode shown in Fig. 2.
Fig. 3 shows the flow by which the IKEv2 protocol of the embodiment of the present invention establishes an IKE SA. The flow mainly comprises the following steps:
Step 11, the initiator 1001 sends an IKE_SA_INIT request to the peer 1002.
Step 12, the peer 1002 sends an IKE_SA_INIT response to the initiator 1001.
Step 13, the initiator 1001 sends an IKE_SA_AUTH request to the peer 1002, containing the identity-based end-to-end security protection support payload and other payloads. The identity-based end-to-end security protection support payload indicates that the sender supports identity-based end-to-end security protection.
Step 14, the peer 1002 adds the identity-based end-to-end security protection support payload and other payloads to the IKE_SA_AUTH response message.
The initiator may be an access device or an IPsec gateway; the peer may likewise be an access device or an IPsec gateway.
Fig. 4 shows the IPsec SA establishment flow in the host-gateway-gateway-host mode of the embodiment of the present invention. In this embodiment it is assumed that none of the IKE SAs between the initiator access device 101 and IPsec gateway 102, between IPsec gateway 102 and peer IPsec gateway 108, and between peer IPsec gateway 108 and peer access device 109 have been established. As shown in Fig. 4, the flow mainly comprises the following steps:
Step 301, the initiator access device 101 sends an IKE_SA_INIT request for establishing the IKE SA between access device 101 and access gateway 102.
Step 302, gateway 102 sends an IKE_SA_INIT response message for establishing the IKE SA to access device 101.
Step 303, access device 101 sends to gateway 102 an IKE_SA_AUTH request message for establishing the IKE SA between access device 101 and gateway 102 and the IPsec SA between access device 101 and access device 109.
Steps 304-307, gateway 102 establishes an IKE SA with gateway 108.
Step 308, gateway 107 sends a CREATE_CHILD_SA request message for establishing the IPsec SA between access device 101 and access device 109.
Steps 309 and 310, gateway 108 and access device 109 exchange the IKE_SA_INIT request and response messages for establishing the IKE SA between gateway 108 and access device 109.
Step 311, gateway 108 sends to access device 109 an IKE_SA_AUTH request message for establishing the IKE SA between access gateway 108 and access device 109 and the IPsec SA between access device 101 and access device 109.
Step 312, access device 109 returns an IKE_SA_AUTH response message for establishing the IKE SA between access gateway 108 and access device 109 and the IPsec SA between access device 101 and access device 109.
Step 313, gateway 108 returns a CREATE_CHILD_SA response message for establishing the IPsec SA between access device 101 and access device 109.
Step 314, gateway 102 returns an IKE_SA_AUTH response message for establishing the IPsec SA between access device 101 and access device 109.
At this point a unidirectional IPsec SA has been established between the initiator access device 101 and the peer access device 109.
Fig. 5 shows the IPsec SA establishment flow in the host-gateway-gateway-host mode of the embodiment of the present invention. In this embodiment it is assumed that the initiator access device 101 has already established an IKE SA with IPsec gateway 102, IPsec gateway 102 has already established an IKE SA with peer IPsec gateway 108, and the IKE SA between peer IPsec gateway 108 and peer access device 109 has not been established. As shown in Fig. 5, the flow mainly comprises the following steps:
Step 401, the initiator access device 101 sends a CREATE_CHILD_SA request message for establishing the IPsec SA between access device 101 and access device 109.
Step 402, gateway 102 sends a CREATE_CHILD_SA request message for establishing the IPsec SA to peer gateway 108.
Step 403, peer gateway 108 sends an IKE_SA_INIT request message to peer device 109; this message serves only as a trigger, notifying peer device 109 to initiate the IKE SA establishment request.
Steps 404-407, the peer access device 109 establishes an IKE SA with peer gateway 108.
Step 408, peer gateway 108 sends a CREATE_CHILD_SA request message for establishing the IPsec SA to peer device 109.
Step 409, the peer access device 109 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to peer gateway 108.
Step 410, peer gateway 108 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to gateway 102.
Step 411, gateway 102 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to the initiator access device 101.
At this point a unidirectional IPsec SA has been established between the initiator access device 101 and the peer access device 109.
Fig. 6 shows the IPsec SA establishment, update, deletion and IP address change notification flows in the host-gateway-gateway-host mode of the embodiment of the present invention. In this embodiment it is assumed that the IKE SAs between the initiator access device 101 and IPsec gateway 102, between IPsec gateway 102 and peer IPsec gateway 108, and between peer IPsec gateway 108 and peer access device 109 have all been established. As shown in Fig. 6, the flow mainly comprises the following steps:
Steps 501 to 506 below are the flow for establishing an IPsec SA between the access devices.
Step 501, the initiator access device 101 sends a CREATE_CHILD_SA request message for establishing the IPsec SA.
Step 502, gateway 102 sends a CREATE_CHILD_SA request message for establishing the IPsec SA to peer gateway 108.
Step 503, peer gateway 108 sends a CREATE_CHILD_SA request message for establishing the IPsec SA to peer device 109.
Step 504, peer device 109 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to peer gateway 108.
Step 505, peer gateway 108 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to gateway 102.
Step 506, gateway 102 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to the initiator access device 101.
At this point a unidirectional IPsec SA has been established between the initiator access device 101 and the peer access device 109.
Steps 507 to 512 below are the flow for updating the IPsec SA between the access devices.
Step 507, the initiator access device 101 sends a CREATE_CHILD_SA request message for updating the IPsec SA.
Step 508, gateway 102 sends a CREATE_CHILD_SA request message for updating the IPsec SA to peer gateway 108.
Step 509, peer gateway 108 sends a CREATE_CHILD_SA request message for updating the IPsec SA to peer device 109.
Step 510, peer device 109 sends a CREATE_CHILD_SA response message for updating the IPsec SA to peer gateway 108.
Step 511, peer gateway 108 sends a CREATE_CHILD_SA response message for updating the IPsec SA to gateway 102.
Step 512, gateway 102 sends a CREATE_CHILD_SA response message for updating the IPsec SA to the initiator access device 101.
At this point the IPsec SA update between the initiator access device 101 and the peer access device 109 is complete.
Steps 513 to 518 below are the flow for access device IP address change notification.
Step 513, the initiator access device 101 sends an INFORMATIONAL request message for access device IP address change notification.
Step 514, gateway 102 sends an INFORMATIONAL request message for access device IP address change notification to peer gateway 108.
Step 515, peer gateway 108 sends an INFORMATIONAL request message for access device IP address change notification to peer device 109.
Step 516, peer device 109 sends an INFORMATIONAL response message for access device IP address change notification to peer gateway 108.
Step 517, peer gateway 108 sends an INFORMATIONAL response message for access device IP address change notification to gateway 102.
Step 518, gateway 102 sends an INFORMATIONAL response message for access device IP address change notification to the initiator access device 101.
At this point the access device IP address change notification is complete.
Steps 519 to 524 below are the flow for deleting the IPsec SA between the access devices.
Step 519, the initiator access device 101 sends an INFORMATIONAL request message for deleting the IPsec SA.
Step 520, gateway 102 sends an INFORMATIONAL request message for deleting the IPsec SA to peer gateway 108.
Step 521, peer gateway 108 sends an INFORMATIONAL request message for deleting the IPsec SA to peer device 109.
Step 522, peer device 109 sends an INFORMATIONAL response message for deleting the IPsec SA to peer gateway 108.
Step 523, peer gateway 108 sends an INFORMATIONAL response message for deleting the IPsec SA to gateway 102.
Step 524, gateway 102 sends an INFORMATIONAL response message for deleting the IPsec SA to the initiator access device 101.
At this point the IPsec SA deletion between the initiator access device 101 and the peer access device 109 is complete.
Fig. 7 shows the IPsec SA establishment, update, deletion and IP address change notification flows in the host-gateway-host mode of the embodiment of the present invention. In this embodiment it is assumed that the IKE SAs between access device 131 and IPsec gateway 132, and between IPsec gateway 132 and access device 139, have already been established. As shown in Fig. 7, the flow mainly comprises the following steps:
Steps 601 to 604 below are the flow for establishing an IPsec SA between the access devices.
Step 601, the initiator access device 131 sends a CREATE_CHILD_SA request message for establishing the IPsec SA.
Step 602, gateway 132 sends a CREATE_CHILD_SA request message for establishing the IPsec SA.
Step 603, peer device 139 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to gateway 132.
Step 604, gateway 132 sends a CREATE_CHILD_SA response message for establishing the IPsec SA to the initiator device 131.
At this point a unidirectional IPsec SA has been established between the initiator access device 131 and the peer access device 139.
Steps 605 to 608 below are the flow for updating the IPsec SA between the access devices.
Step 605, the initiator access device 131 sends a CREATE_CHILD_SA request message for updating the IPsec SA.
Step 606, gateway 132 sends a CREATE_CHILD_SA request message for updating the IPsec SA.
Step 607, peer device 139 sends a CREATE_CHILD_SA response message for updating the IPsec SA to gateway 132.
Step 608, gateway 132 sends a CREATE_CHILD_SA response message for updating the IPsec SA to the initiator device 131.
At this point the IPsec SA update between the initiator access device 131 and the peer access device 139 is complete.
Steps 609 to 612 below are the flow for access device IP address change notification.
Step 609, the initiator access device 131 sends an INFORMATIONAL request message for access device IP address change notification.
Step 610, gateway 132 sends an INFORMATIONAL request message for access device IP address change notification.
Step 611, peer device 139 sends an INFORMATIONAL response message for access device IP address change notification to gateway 132.
Step 612, gateway 132 sends an INFORMATIONAL response message for access device IP address change notification to the initiator device 131.
At this point the access device IP address change notification is complete.
Steps 613 to 616 below are the flow for deleting the IPsec SA.
Step 613, the initiator access device 131 sends an INFORMATIONAL request message for deleting the IPsec SA.
Step 614, gateway 132 sends an INFORMATIONAL request message for deleting the IPsec SA.
Step 615, peer device 139 sends an INFORMATIONAL response message for deleting the IPsec SA to gateway 132.
Step 616, gateway 132 sends an INFORMATIONAL response message for deleting the IPsec SA to the initiator device 131.
At this point the IPsec SA deletion between the initiator access device 131 and the peer access device 139 is complete.
In addition, a kind of system for realizing End-to-End Security protection, the present embodiment system are additionally provided in the embodiment of the present invention Including the access device and security gateway in access network, the access device includes IKESA and establishes unit and IPsec SA Unit is established, the security gateway includes IKE SA and establishes module, wherein:
The IKE SA establish unit and are used for, and IKE SA are established with the security gateway in this access network;
The IKE SA establish module and are used for, and are accessed with the access device in this access network or with other in networks Security gateway establish IKE SA;
The IPsec SA establishing unit is configured to establish and maintain an IPsec SA with another access device in the same access network or in a different access network, the establishment and maintenance of that IPsec SA being protected by the IKE SA.
Further, the IPsec SA establishing unit is configured such that, when it initiates establishment of the IPsec SA with the other access device, if an IKE SA has already been established with the security gateway of its own access network, the IPsec SA is established on the basis of that IKE SA; if no IKE SA has yet been established with the security gateway of its own access network, the IKE SA and the IPsec SA are established concurrently, and the messages of the IKE SA establishment process carry, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA.
Further, maintenance of the IPsec SA by the IPsec SA establishing unit includes IPsec SA rekeying (renewal), IPsec SA deletion, and notification of a change of the access device's IP address.
Further, the keys of the IPsec SA established by the IPsec SA establishing unit are negotiated and derived through a Diffie-Hellman key agreement mechanism.
In addition, an embodiment of the present invention provides a security gateway (IPsec gateway) for realizing end-to-end security protection. The security gateway mainly comprises an IKE SA establishing module.
The IKE SA establishing module is configured to establish an IKE SA with an access device in its own access network, or with a security gateway in another access network.
Further, the IKE SA establishing module is configured:
to establish IKE SAs respectively with a first access device and a second access device in its own access network, so as to protect the IPsec SA established and maintained between the first access device and the second access device;
or, to establish IKE SAs respectively with a first access device in its own access network and with a security gateway in another access network, so as to protect the IPsec SA established and maintained between the first access device and a second access device in that other access network.
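As an added illustration of the access-device unit and the gateway module described above (example code written for this page, not part of the patent or of any ZTE implementation), the following Python model runs the whole exchange end to end: each access device's IKE SA with its home gateway is reduced to a shared HMAC key; an access device that has no IKE SA yet carries the IKE parameters in the same message as the IPsec SA parameters (the concurrent case); a gateway relays the IPsec SA negotiation either to a device in its own network or, over its gateway-to-gateway IKE SA, to the peer gateway; and the end-to-end IPsec SA key is derived from a Diffie-Hellman exchange carried across those hops. The `user@network` identifier form, the PSK-plus-nonce derivation of the IKE SA key, the message field names and the `demo()` scenario are assumptions of the model, not of the patent.

```python
# Added model (not the patent's code) of the gateway-mediated end-to-end IPsec SA setup described above.
# Model assumptions: an IKE SA is a shared HMAC key, a message is a dict plus HMAC tag, identifiers are
# "user@network", and the IKE SA key is derived from a device PSK and a nonce carried in the message.
import hashlib
import hmac
import json
import secrets

# RFC 2409 group 2 (1024-bit MODP), embedded only because it is short; use >=2048-bit MODP (RFC 3526) or ECP groups in deployments.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def _kdf(secret, label):
    return hmac.new(secret, label, hashlib.sha256).digest()

def _tag(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _check(key, body, tag, where):
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise ValueError("IKE SA protection check failed at " + where)

class SecurityGateway:
    def __init__(self, net):
        self.net, self.devices, self.ike_keys, self.peers = net, {}, {}, {}

    def ingress(self, body, tag, hop_key=None):
        # hop_key is None for a message from this gateway's own access device, else the gateway-gateway IKE key.
        src, dst = body["src"], body["dst"]
        if hop_key is None and src not in self.ike_keys:  # combined message: set up the IKE SA first
            self.ike_keys[src] = _kdf(self.devices[src].psk, body["ike_nonce"].encode())
        _check(hop_key or self.ike_keys[src], body, tag, self.net)
        body = {k: v for k, v in body.items() if k != "ike_nonce"}
        if dst not in self.devices:  # other access network: next hop runs over the gateway-gateway IKE SA
            gw, key = self.peers[dst.split("@")[1]]
            return gw.ingress(body, _tag(key, body), key)
        if dst not in self.ike_keys:  # responder has no IKE SA yet: establish it within this delivery
            body = {**body, "ike_nonce": secrets.token_hex(16)}
            self.ike_keys[dst] = _kdf(self.devices[dst].psk, body["ike_nonce"].encode())
        return self.devices[dst].receive(body, _tag(self.ike_keys[dst], body))

class AccessDevice:
    def __init__(self, ident, ip, gw, psk):
        self.ident, self.ip, self.gw, self.psk = ident, ip, gw, psk
        self.ike_key, self.ipsec_sa, self._dh_priv = None, {}, {}
        gw.devices[ident] = self

    def _send(self, peer, payload):
        body = {"src": self.ident, "dst": peer, **payload}
        if self.ike_key is None:  # no IKE SA with the home gateway yet: carry its parameters in this message
            body["ike_nonce"] = secrets.token_hex(16)
            self.ike_key = _kdf(self.psk, body["ike_nonce"].encode())
        return self.gw.ingress(body, _tag(self.ike_key, body))

    def initiate(self, peer):  # establish the IPsec SA with peer, or rekey it with a fresh DH exchange
        self._dh_priv[peer] = priv = secrets.randbelow(P - 2) + 1
        return self._send(peer, {"op": "INIT", "spi": secrets.token_hex(4), "ip": self.ip, "dh": pow(G, priv, P)})

    def move_to(self, new_ip):
        self.ip = new_ip
        for peer in list(self.ipsec_sa):  # IP address change notification to every IPsec SA peer
            self._send(peer, {"op": "ADDR", "ip": new_ip})

    def _install(self, peer, body, priv):
        shared = pow(body["dh"], priv, P).to_bytes(128, "big")
        # Only the two endpoints know priv; the gateways relayed the DH public values, not the key.
        self.ipsec_sa[peer] = {"key": _kdf(shared, b"ipsec-sa"), "peer_spi": body["spi"], "peer_ip": body["ip"]}

    def receive(self, body, tag):
        if self.ike_key is None:  # the gateway established our IKE SA inside this delivery
            self.ike_key = _kdf(self.psk, body["ike_nonce"].encode())
        _check(self.ike_key, body, tag, self.ident)
        peer, op = body["src"], body["op"]
        if op == "INIT":  # answer with our own DH value so both ends derive the same IPsec SA key
            priv = secrets.randbelow(P - 2) + 1
            self._install(peer, body, priv)
            return self._send(peer, {"op": "RESP", "spi": secrets.token_hex(4), "ip": self.ip, "dh": pow(G, priv, P)})
        if op == "RESP":
            self._install(peer, body, self._dh_priv.pop(peer))
        elif op == "ADDR":
            self.ipsec_sa[peer]["peer_ip"] = body["ip"]

def demo():  # constructed scenario: alice and carol share gateway A; bob sits behind gateway B
    gw_a, gw_b = SecurityGateway("netA"), SecurityGateway("netB")
    gw_key = secrets.token_bytes(32)  # IKE SA between the two gateways, needed only for the cross-network case
    gw_a.peers["netB"], gw_b.peers["netA"] = (gw_b, gw_key), (gw_a, gw_key)
    alice = AccessDevice("alice@netA", "10.0.0.5", gw_a, secrets.token_bytes(32))
    carol = AccessDevice("carol@netA", "10.0.0.9", gw_a, secrets.token_bytes(32))
    bob = AccessDevice("bob@netB", "10.1.0.7", gw_b, secrets.token_bytes(32))
    alice.initiate("bob@netB")    # cross-network: both IKE SAs are set up inside this same exchange
    alice.initiate("carol@netA")  # same network: one gateway protects both hops
    first_key = alice.ipsec_sa["bob@netB"]["key"]
    alice.move_to("10.0.0.6")     # maintenance: address change notification to both peers
    alice.initiate("bob@netB")    # maintenance: rekey
    return {"ab_keys_match": alice.ipsec_sa["bob@netB"]["key"] == bob.ipsec_sa["alice@netA"]["key"],
            "rekeyed": alice.ipsec_sa["bob@netB"]["key"] != first_key,
            "carol_has_new_ip": carol.ipsec_sa["alice@netA"]["peer_ip"] == "10.0.0.6"}
```

Calling `demo()` returns three checks that all hold: after the cross-network setup alice's key for bob equals bob's key for alice, a second `initiate()` replaces that key, and an address change reaches every IPsec SA peer. IPsec SA deletion follows the same relayed-notification path as the address change and is left out of the model. Two properties of the design become visible here: the IPsec SA key is computed only at the two endpoints, so the gateways relay the Diffie-Hellman public values but never hold the resulting key; and those values are authenticated only hop by hop under the IKE SAs, so the end-to-end guarantee rests on the gateways being trusted to relay them unchanged, which is exactly the trade the patent makes to avoid direct authentication between access devices.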
The foregoing are only preferred embodiments of the present invention and are not intended to limit it. The present invention may take various other embodiments; without departing from the spirit and essence of the invention, those skilled in the art may make various corresponding changes and variations, all of which fall within the scope of protection of the appended claims.
Obviously, those skilled in the art will understand that the modules or steps of the present invention described above may be implemented on general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.

Claims (8)

  1. A method for realizing end-to-end security protection, characterized in that:
    a first access device and a first security gateway, and a second access device and a second security gateway, respectively establish an Internet Key Exchange security association (IKE SA);
    when the first access device and the second access device are in the same access network, the first security gateway and the second security gateway are the same IPsec gateway in that access network;
    when the first access device and the second access device are in different access networks, the first security gateway and the second security gateway are respectively different IPsec gateways in the two different access networks, and an IKE SA is established between the two different IPsec gateways;
    the first access device and the second access device establish and maintain an Internet Protocol Security security association (IPsec SA), the establishment and maintenance of the IPsec SA being protected by the IKE SAs established between the first access device and the first security gateway and between the second access device and the second security gateway;
    the processes of establishing the IKE SAs between the first access device and the first security gateway, between the second access device and the second security gateway, and between the first security gateway and the second security gateway are performed before, or concurrently with, the process of establishing the IPsec SA between the first access device and the second access device;
    when the process of establishing the IKE SA is performed concurrently with the process of establishing the IPsec SA, the messages of the IKE SA establishment process carry, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA.
  2. The method according to claim 1, characterized in that:
    the first access device and the second access device have access identifiers;
    an access identifier comprises one or any combination of the following: an IP address, a telephone number, a Uniform Resource Identifier, or a domain name.
  3. The method according to claim 1, characterized in that:
    the keys of the IPsec SA established between the first access device and the second access device are negotiated and derived through a Diffie-Hellman key agreement mechanism.
  4. The method according to claim 1, characterized in that:
    maintaining the IPsec SA includes IPsec SA rekeying, IPsec SA deletion, and notification of a change of an access device's IP address.
  5. A system for realizing end-to-end security protection, characterized in that the system comprises an access device and a security gateway in an access network, the access device comprising an Internet Key Exchange security association (IKE SA) establishing unit and an Internet Protocol Security security association (IPsec SA) establishing unit, and the security gateway comprising an IKE SA establishing module, wherein:
    the IKE SA establishing unit is configured to establish an IKE SA with the security gateway of its own access network;
    the IKE SA establishing module is configured to establish an IKE SA with an access device in its own access network or with a security gateway in another access network;
    the IPsec SA establishing unit is configured to establish and maintain an IPsec SA with another access device in the same access network or in a different access network, the establishment and maintenance of the IPsec SA being protected by the IKE SA; and, when initiating establishment of the IPsec SA with the other access device, if an IKE SA has already been established with the security gateway of its own access network, to establish the IPsec SA on the basis of that IKE SA, and if no IKE SA has yet been established with the security gateway of its own access network, to establish the IKE SA and the IPsec SA concurrently, the messages of the IKE SA establishment process carrying, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA.
  6. The system according to claim 5, characterized in that:
    maintenance of the IPsec SA by the IPsec SA establishing unit includes IPsec SA rekeying, IPsec SA deletion, and notification of a change of the access device's IP address.
  7. The system according to claim 5, characterized in that:
    the keys of the IPsec SA established by the IPsec SA establishing unit are negotiated and derived through a Diffie-Hellman key agreement mechanism.
  8. A security gateway for realizing end-to-end security protection, characterized in that the security gateway comprises an IKE SA establishing module,
    the IKE SA establishing module being configured to establish an IKE SA with an access device in its own access network or with a security gateway in another access network;
    wherein the IKE SA establishing module is specifically configured:
    to establish IKE SAs respectively with a first access device and a second access device in its own access network, so as to protect the IPsec SA established and maintained between the first access device and the second access device; the process in which the security gateway establishes the IKE SAs with the first access device and the second access device in its own access network is performed before, or concurrently with, the process in which the first access device and the second access device establish the IPsec SA; and when the process of establishing the IKE SAs is performed concurrently with the process of establishing the IPsec SA, the messages of the IKE SA establishment process carry, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA;
    or, to establish IKE SAs respectively with a first access device in its own access network and with a security gateway in another access network, so as to protect the IPsec SA established and maintained between the first access device and a second access device in that other access network; the processes in which the security gateway establishes the IKE SAs with the first access device and with the security gateway in the other access network are performed before, or concurrently with, the process in which the first access device and the second access device establish the IPsec SA; and when the process of establishing the IKE SAs is performed concurrently with the process of establishing the IPsec SA, the messages of the IKE SA establishment process carry, in addition to the parameters for establishing the IKE SA, the parameters for establishing the IPsec SA.

Priority Applications (1)

Application number: CN201110452344.2A; priority date: 2011-12-29; filing date: 2011-12-29; title: A kind of method, security gateway and system for realizing End-to-End Security protection (CN103188228B, en)


Publications (2)

CN103188228A (en), published 2013-07-03
CN103188228B (en), published 2018-05-01

Family

Family ID: 48679197


Country Status (1)

CN (1): CN103188228B (en)

Families Citing this family (5)

(* cited by examiner, † cited by third party)
CN104125124A * (priority 2014-07-11, published 2014-10-29), 京信通信系统(中国)有限公司: Smart home remote control method, device and system
CN109257375B * (priority 2018-11-01, published 2021-12-28), 北京信息科技大学: Internet access authentication system and method based on trust anchor system
CN111147273B * (priority 2018-11-06, published 2023-03-24), 中兴通讯股份有限公司: Data security realization method and related equipment
CN110061965B * (priority 2019-03-13, published 2022-08-26), 北京华为数字技术有限公司: Method, device and equipment for updating security alliance and readable storage medium
CN114172739B * (priority 2021-12-14, published 2024-01-26), 杭州数梦工场科技有限公司: Gateway communication method, device, electronic equipment and storage medium

Citations (5)

(* cited by examiner, † cited by third party)
CN1406005A * (priority 2001-09-17, published 2003-03-26), 华为技术有限公司: Safety-alliance (SA) generation method for safety communication between nodes of network area
CN1863048A * (priority 2005-05-11, published 2006-11-15), 中兴通讯股份有限公司: Method of internet key exchange consultation between user and cut-in apparatus
CN101106454A * (priority 2007-08-17, published 2008-01-16), 杭州华三通信技术有限公司: Method and device for originating Internet secret key exchange and negotiation
EP2096830A1 * (priority 2008-02-29, published 2009-09-02), Research In Motion Limited: Methods and apparatus for use in enabling a mobile communication device with a digital certificate
CN102143489A * (priority 2010-02-01, published 2011-08-03), 华为技术有限公司: Method, device and system for authenticating relay node


Also Published As

CN103188228A (en), published 2013-07-03


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 2018-05-01
Termination date: 2020-12-29