CN104580186A - Communication system and method based on HIP - Google Patents
- Publication number: CN104580186A (application CN201410846546.9A)
- Authority: CN (China)
- Prior art keywords: client, hip, gateway node, module, digital certificate
- Legal status: Granted (the status is as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
      - H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
    - H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Abstract
The invention discloses a communication system and method based on HIP. The system comprises a plurality of client terminals and a server, the client terminals communicating with the server over the HIP protocol; the system further comprises a gateway node and an authentication center, the gateway node communicating with the client terminals and the server over the HIP protocol while also keeping permanent communication with the authentication center. With this system the gateway node is set up between the application server providing services and the client terminals using those services, serves as the sole channel between the internal network and the external network, and can perform security operations such as identity authentication and access control.
Description
Technical field
The invention belongs to the field of communications, and more particularly relates to a HIP-based communication system and communication method.
Background technology
With the rapid growth of e-government and smart mobile terminals, application servers must serve and optimize access requests from mobile terminals. Because a mobile terminal moves, its network environment changes: it switches frequently between different network types and between the service areas of different networks. A traditional network connection is bound to an IP address, so once the IP address changes after the connection has been established, the connection is dropped and the network application on the mobile terminal becomes unavailable.
The current Internet has two global name spaces, domain names and IP addresses, and the IP address serves simultaneously as the identity identifier and the location identifier of a host. This dual role is the main cause of problems such as routing scalability, mobility and multihoming. In particular, because the transport layer is bound to the IP address, a network connection is broken when the IP address changes. In recent years researchers have therefore proposed decoupling these two roles of the IP address, that is, redesigning the network architecture so that identity information is separated from location information, in order to address the problems facing the current Internet. Among these proposals the Host Identity Protocol (HIP) is the most representative.
HIP inserts a new protocol layer, the host identity layer, between the transport layer and the network layer. At the host identity layer a host identifier replaces the IP address to represent the identity of the host, while the network layer continues to route packets by IP address. The mapping between host identifiers and IP addresses is performed in the host identity layer. An address change at the network layer therefore does not affect the continuity of an upper-layer session, which makes it easy for HIP to support host mobility. The HIP architecture is shown in Fig. 1.
However, how a mobile terminal can access an application server safely and reliably over HIP remains a problem. If every application server is exposed directly to the external network it is easily attacked, and providing network security protection for each server individually is costly. HIP uses Internet Protocol Security (IPsec) to protect user data. In the conventional TCP/IP architecture IPsec binds the security association to an IP address, so the network-layer security association cannot change its position in the network, which limits host mobility; with HIP the security association is bound to the host identity, so IP address changes during communication can be supported.
It is therefore particularly important to enable low-cost, secure communication between mobile terminals and the application servers providing services on the basis of HIP.
Summary of the invention
The technical problem solved by the invention is to provide a HIP-based communication system in which a gateway node is set up between the application servers providing services and the client terminals using those services; the gateway node, as the sole channel between the internal and external networks, can perform security operations such as identity authentication and access control.
To solve this technical problem, the HIP-based communication system of the invention comprises several clients and servers that communicate over the HIP protocol, and further comprises a gateway node and an authentication center; the gateway node communicates over the HIP protocol with the clients and with the servers respectively, and at the same time keeps communicating with the authentication center.
A client comprises a unique digital certificate, a first HIP module, a first packet capture module and a client application, wherein:
the client application is an application supported by the client operating system;
the first packet capture module captures the network-layer packets of the client application and passes them to the first HIP module;
the unique digital certificate, which serves as the identity identifier of the client, is passed to the first HIP module;
the first HIP module implements the HIP protocol and the IPsec protocol: when a packet is sent it is encrypted and encapsulated with IPsec, the digital certificate is used as the identity identifier of the HIP protocol, and the packet encapsulated by the first HIP module is sent to the second HIP module; when a packet sent by the gateway node is received, it is decapsulated with IPsec.
The gateway node comprises a second packet capture module, a second HIP module, an authentication module and an access control module, wherein:
the second packet capture module captures the network-layer packets of the gateway node and passes them to the second HIP module;
the second HIP module performs IPsec decryption and HIP-protocol decryption on the data received from the first HIP module, yielding the decrypted data and the client digital certificate; when the gateway node sends a packet, the packet is encrypted and encapsulated with IPsec;
the authentication module receives and stores the root certificate, obtained from the authentication center, with which client digital certificates are issued; when a user request is received it sends the client digital certificate to the authentication center and verifies whether the client is a legitimate user;
the access control module verifies whether a legitimate user has the right to access the server.
The authentication center stores the root certificate and sends it to the gateway node; the gateway node uses the root certificate to issue client digital certificates to clients.
To further describe how HIP-based communication proceeds in the invention, a communication method is also proposed, comprising the following steps:
Step 1: the gateway node obtains from the authentication center the root certificate used to issue client digital certificates;
Step 2: a client sends a request for a digital certificate to the gateway node, and the gateway node uses the root certificate to issue a digital certificate to the client;
Step 3: the client sends a service request to a given server; when the service request passes through the gateway node, the gateway node verifies the service request and decides, according to the verification result, whether to allow the service request to be forwarded to the server;
Step 4: the server completes the corresponding business operation according to the service request.
In a further preferred version of the communication method, in step 3 the service request comprises the client IP address, the server IP address, the digital certificate and the port.
In a further preferred version of the communication method, in step 3 the verification of the service request specifically consists of first authenticating the client digital certificate and, if authentication succeeds, performing access control according to the client IP address, server IP address, port and digital certificate.
Compared with the prior art, the invention has the following beneficial effects: a gateway server is set up between the application servers providing services and the client terminals using those services; the gateway server, as the sole channel between the internal and external networks, can perform security operations such as identity authentication and access control; at the same time, while the security of the gateway server is ensured, the client terminal does not perceive the security gateway at all and accesses the application server transparently.
Brief description of the drawings
Fig. 1 shows the architecture of the HIP protocol.
Fig. 2 is a detailed block diagram of the invention.
Fig. 3 is a schematic block diagram of the invention.
Embodiments
As shown in Fig. 2, a HIP-based communication system according to the invention comprises several clients and servers that communicate over the HIP protocol, and further comprises a gateway node and an authentication center; the gateway node communicates over the HIP protocol with the clients and with the servers respectively, and at the same time keeps communicating with the authentication center.
A client comprises a unique digital certificate, a first HIP module, a first packet capture module and a client application, wherein:
the client application is an application supported by the client operating system, such as a browser or a mail client;
the first packet capture module captures the network-layer packets of the client application and passes them to the first HIP module;
the unique digital certificate, which serves as the identity identifier of the client, is passed to the first HIP module;
the first HIP module implements the HIP protocol and the IPsec protocol: when a packet is sent it is encrypted and encapsulated with IPsec, the digital certificate is used as the identity identifier of the HIP protocol, and the packet encapsulated by the first HIP module is sent to the second HIP module; when a packet sent by the gateway node is received, it is decapsulated with IPsec.
The gateway node comprises a second packet capture module, a second HIP module, an authentication module and an access control module, wherein:
the second HIP module performs IPsec decryption and HIP-protocol decryption on the data received from the first HIP module, yielding the decrypted data and the client digital certificate; when the gateway node sends a packet, the packet is encrypted and encapsulated with IPsec;
the authentication module receives and stores the root certificate, obtained from the authentication center, with which client digital certificates are issued; when a user request is received it sends the client digital certificate to the authentication center and verifies whether the client is a legitimate user;
the access control module verifies whether a legitimate user has the right to access the server;
the second packet capture module captures the network-layer packets of the gateway node and passes them to the second HIP module.
The authentication center stores the root certificate and sends it to the gateway node; the gateway node uses the root certificate to issue client digital certificates to clients.
In a specific implementation, multiple clients and multiple servers share one gateway node; this arrangement is shown in Fig. 3.
Each module is implemented as follows:
1. Client: using virtual network interface technology, two virtual interfaces, tun0 and hip0, are created. All packets of the client are sent to the virtual interface tun0, which captures the incoming packets and forwards them to the hip0 interface; the hip0 virtual interface implements the HIP protocol and supports initiating HIP connections using the host identity.
2. Implementation of the client HIP module: while implementing the HIP protocol, the hip0 virtual interface adds the transmission of the digital certificate to the HIP four-way handshake. Packets received from hip0 are encapsulated IP-in-IP, the data portion is encrypted and encapsulated with IPsec, and the result is assembled into a UDP packet.
3. Processing at the gateway node: on receiving the UDP packet, the gateway node first strips the UDP header, then performs IPsec decryption and hands the decrypted message to the second HIP module. The second HIP module authenticates the digital certificate in the decrypted message and replaces the source address of the packet with the address of hip0. The gateway node then performs an access control check on the packet; packets that pass the check are forwarded to the server, and packets that fail the access control check are discarded.
4. Server reply: when the gateway node receives the response packet from the back-end application server, it captures the packet from the gateway node's hip0 virtual interface and encapsulates it in the same way as the client does; the only difference is that the gateway node does not include the digital certificate in the packet.
5. Delivery of the packet to the client: the decapsulation process is the same as at the gateway node, except that there is no authentication and no access control step.
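The packet path of items 2 to 5 above as a runnable model. This is an added example, not the patent's code: an inner IP datagram is wrapped IP-in-IP, the data portion is sealed with an encrypt-then-MAC stand-in for the IPsec protection (the real SA negotiation is out of scope here), and the result is framed in UDP; the gateway strips the UDP header, drops anything that fails the integrity check, pulls out the certificate, unwraps the inner packet and rewrites its source address to the hip0 address. The reply direction carries no certificate and the client does no rewrite. All addresses, the UDP port, the session key and the certificate bytes are constructed values (assumptions).

```python
"""Toy model of the client/gateway packet path: IP-in-IP, sealed data portion,
UDP framing, unwrap and source-address rewrite. Constructed example."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (assumptions, not taken from the patent).
CLIENT_IP = "10.0.0.2"             # client address behind tun0
GATEWAY_HIP0_IP = "192.168.100.1"  # gateway's hip0 interface address
SERVER_IP = "192.168.100.10"       # back-end application server
HIP_UDP_PORT = 10500               # assumed UDP port for the wrapper
SESSION_KEY = b"constructed-demo-session-key"  # stands in for the IPsec SA key

IPV4 = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
UDP = struct.Struct("!HHHH")           # 8-byte UDP header
IPPROTO_IPIP = 4                       # IP-in-IP protocol number


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal IPv4 datagram (header checksum left zero for brevity)."""
    hdr = IPV4.pack(0x45, 0, IPV4.size + len(payload), 0, 0, 64, proto, 0,
                    ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) of an IPv4 datagram."""
    f = IPV4.unpack_from(buf)
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])),
            f[6], buf[IPV4.size:f[2]])


def _keystream(key, nonce, n):
    """Counter-mode keystream from SHA-256; a toy stand-in, not a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC stand-in for the IPsec protection of the data portion."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a tampered packet is rejected, never parsed."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encapsulate(inner, outer_src, outer_dst, nonce, cert=b""):
    """Items 2 and 4: IP-in-IP, seal the data portion, then UDP-frame it.
    The client includes its certificate; the gateway passes cert=b""."""
    outer = ipv4_packet(outer_src, outer_dst, IPPROTO_IPIP, inner)
    body = struct.pack("!H", len(cert)) + cert + outer   # length-prefixed certificate
    sealed = seal(SESSION_KEY, nonce, body)
    return UDP.pack(HIP_UDP_PORT, HIP_UDP_PORT, UDP.size + len(sealed), 0) + sealed


def decapsulate(datagram, rewrite_source=None):
    """Items 3 and 5: strip UDP, unseal, pull the certificate, unwrap IP-in-IP.
    The gateway passes rewrite_source=<hip0 address> so the server's reply
    comes back through it; the client passes nothing."""
    body = unseal(SESSION_KEY, datagram[UDP.size:])
    clen = struct.unpack_from("!H", body)[0]
    cert = body[2:2 + clen]
    _, _, proto, inner = parse_ipv4(body[2 + clen:])
    if proto != IPPROTO_IPIP:
        raise ValueError("expected IP-in-IP")
    src, dst, inner_proto, payload = parse_ipv4(inner)
    if rewrite_source is not None:
        inner = ipv4_packet(rewrite_source, dst, inner_proto, payload)
    return cert, src, inner
```

The integrity check comes before any parsing of the certificate or the inner header, which is the order a gateway wants: a forged or corrupted datagram is discarded without ever reaching the authentication or access control logic.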
The communication method proposed by the invention comprises the following steps:
Step 1: the gateway node obtains from the authentication center the root certificate used to issue client digital certificates;
Step 2: a client sends a request for a digital certificate to the gateway node, and the gateway node uses the root certificate to issue a digital certificate to the client;
Step 3: the client sends a service request to a given server; when the service request passes through the gateway node, the gateway node verifies the service request and decides, according to the verification result, whether to allow the service request to be forwarded to the server. The service request comprises the client IP address, the server IP address, the digital certificate and the port. The verification of the service request specifically consists of first authenticating the client digital certificate and, if authentication succeeds, performing access control according to the client IP address, server IP address, port and digital certificate;
Step 4: the server completes the corresponding business operation according to the service request.
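The four steps above as one runnable model. This is an added example, not the patent's code. It assumes that the authentication center hands the root key pair to the gateway (so the gateway can issue certificates with it, as step 2 requires), that a client certificate carries a subject name, a host identity string and an expiry, and that access control is a lookup of the (client IP, server IP, port, certificate subject) tuple in an allow list. The "root certificate" is textbook RSA with fixed small primes, a placeholder for a real CA signature; all names, addresses and times are constructed.

```python
"""Toy run of the four-step method: root from the authentication center (step 1),
certificate issuance by the gateway (step 2), certificate authentication followed
by access control on a service request (step 3). Constructed example."""
import hashlib
import json

P, Q, E = 1000000007, 998244353, 65537   # toy primes: illustration only, not secure


def make_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


class AuthenticationCenter:
    """Holds the root credentials and answers whether a client is a legitimate user."""

    def __init__(self):
        self.root_pub, self.root_priv = make_keypair()
        self.revoked = set()   # subjects no longer considered legitimate

    def root_credentials(self):          # handed to the gateway in step 1 (assumption)
        return self.root_pub, self.root_priv

    def is_legitimate(self, cert):       # queried by the gateway's authentication module
        return (verify(self.root_pub, cert["body"], cert["sig"])
                and json.loads(cert["body"])["subject"] not in self.revoked)


class GatewayNode:
    def __init__(self, ac, acl):
        self.ac = ac
        self.root_pub, self.root_priv = ac.root_credentials()   # step 1
        self.acl = acl   # allowed (client_ip, server_ip, port, subject) tuples

    def issue_certificate(self, subject, host_identity, not_after):   # step 2
        body = json.dumps({"subject": subject, "hi": host_identity,
                           "not_after": not_after}, sort_keys=True).encode()
        return {"body": body, "sig": sign(self.root_priv, body)}

    def check_service_request(self, req, now):   # step 3
        cert = req["cert"]
        # 3a: authenticate the client certificate against the root
        if not verify(self.root_pub, cert["body"], cert["sig"]):
            return False, "bad signature"
        fields = json.loads(cert["body"])
        if now > fields["not_after"]:
            return False, "certificate expired"
        if not self.ac.is_legitimate(cert):
            return False, "not a legitimate user"
        # 3b: access control on client IP, server IP, port and certificate subject
        key = (req["client_ip"], req["server_ip"], req["port"], fields["subject"])
        if key not in self.acl:
            return False, "access denied"
        return True, "forward to server"


def demo():
    """Constructed walk-through: one allowed client requesting port 443."""
    ac = AuthenticationCenter()
    gw = GatewayNode(ac, acl={("10.0.0.2", "192.168.100.10", 443, "alice")})
    cert = gw.issue_certificate("alice", "hi-constructed-0001", not_after=2_000_000)
    req = {"client_ip": "10.0.0.2", "server_ip": "192.168.100.10",
           "port": 443, "cert": cert}
    return gw.check_service_request(req, now=1_500_000)
```

The check order mirrors the claim: the certificate is authenticated first and access control runs only on an authenticated request, so a request with a forged or expired certificate is refused before its addresses and port are ever consulted.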
The above embodiment is given only to illustrate the invention clearly and does not limit the ways in which the invention may be implemented. Those of ordinary skill in the art can make other changes in different forms on the basis of the above description, and it is neither necessary nor possible to list every embodiment here. Any obvious change or variation derived from the spirit of the invention still falls within its scope of protection.
Claims (5)
1. A HIP-based communication system comprising several clients and servers, the clients and servers communicating over the HIP protocol, characterised in that the system further comprises a gateway node and an authentication center, the gateway node communicating over the HIP protocol with the clients and with the servers respectively while also keeping communication with the authentication center;
a client comprises a unique digital certificate, a first HIP module, a first packet capture module and a client application, wherein:
the client application is an application supported by the client operating system;
the first packet capture module captures the network-layer packets of the client application and passes them to the first HIP module;
the unique digital certificate, which serves as the identity identifier of the client, is passed to the first HIP module;
the first HIP module implements the HIP protocol and the IPsec protocol: when a packet is sent it is encrypted and encapsulated with IPsec, the digital certificate is used as the identity identifier of the HIP protocol, and the packet encapsulated by the first HIP module is sent to the second HIP module; when a packet sent by the gateway node is received, it is decapsulated with IPsec;
the gateway node comprises a second packet capture module, a second HIP module, an authentication module and an access control module, wherein:
the second packet capture module captures the network-layer packets of the gateway node and passes them to the second HIP module;
the second HIP module performs IPsec decryption and HIP-protocol decryption on the data received from the first HIP module, yielding the decrypted data and the client digital certificate; when the gateway node sends a packet, the packet is encrypted and encapsulated with IPsec;
the authentication module receives and stores the root certificate, obtained from the authentication center, with which client digital certificates are issued; when a user request is received it sends the client digital certificate to the authentication center and verifies whether the client is a legitimate user;
the access control module verifies whether a legitimate user has the right to access the server;
the authentication center stores the root certificate and sends it to the gateway node, and the gateway node uses the root certificate to issue client digital certificates to clients.
2. The HIP-based communication system according to claim 1, characterised in that the application supported by the client operating system is a browser or a mail client.
3. A communication method for the HIP-based communication system of claim 1, characterised in that it comprises the following steps:
Step 1: the gateway node obtains from the authentication center the root certificate used to issue client digital certificates;
Step 2: a client sends a request for a digital certificate to the gateway node, and the gateway node uses the root certificate to issue a digital certificate to the client;
Step 3: the client sends a service request to a given server; when the service request passes through the gateway node, the gateway node verifies the service request and decides, according to the verification result, whether to allow the service request to be forwarded to the server;
Step 4: the server completes the corresponding business operation according to the service request.
4. The communication method according to claim 3, characterised in that in step 3 the service request comprises the client IP address, the server IP address, the digital certificate and the port.
5. The communication method according to claim 4, characterised in that in step 3 the verification of the service request specifically consists of first authenticating the client digital certificate and, if authentication succeeds, performing access control according to the client IP address, server IP address, port and digital certificate.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410846546.9A (CN104580186B) | 2014-12-31 | | Communication system and communication means based on HIP |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410846546.9A (CN104580186B) | 2014-12-31 | | Communication system and communication means based on HIP |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN104580186A | 2015-04-29 |
| CN104580186B | 2018-02-09 |
Cited By (2)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108429722A * | 2017-02-15 | 2018-08-21 | 成都飞天联合网络技术有限公司 | Control method, control system and the wearable device of cabin |
| CN108429722B * | 2017-02-15 | 2021-01-05 | 飞天联合(北京)系统技术有限公司 | Control method and control system of cabin and wearable equipment |
Patent Citations (5)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1741523A * | 2004-08-25 | 2006-03-01 | 华为技术有限公司 | Key exchange protocol method for realizing main machine transferability and multi-home function |
| US20070124489A1 * | 2000-01-24 | 2007-05-31 | Microsoft Corporation | Nat access control with ipsec |
| CN101120572A * | 2005-02-18 | 2008-02-06 | 艾利森电话股份有限公司 | Host identity protocol method and apparatus |
| CN102377829A * | 2010-08-09 | 2012-03-14 | 中兴通讯股份有限公司 | Communication method, system and equipment based on host identity protocol (HIP) |
| CN103595823A * | 2012-08-17 | 2014-02-19 | 华为技术有限公司 | Data transmission method, terminal and system |
Non-Patent Citations (1)

| Title |
|---|
| MADHUSANKA LIYANAGE, ET AL.: "Securing the control channel of software-defined mobile networks", Proceedings of the IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks * |
Similar Documents

| Publication | Publication Date | Title |
|---|---|---|
| CN103580980B | | The method and device thereof that virtual network finds and automatically configures automatically |
| CN110800331A | | Network verification method, related equipment and system |
| CN105430059A | | Smart client routing |
| CN104993993B | | A kind of message processing method, equipment and system |
| CN101136929B | | Internet small computer system interface data transmission method and apparatus |
| CN107438074A | | The means of defence and device of a kind of ddos attack |
| WO2011032447A1 | | Method, system and communication terminal for implementing inter-communication between new network and internet |
| CN110474922B | | Communication method, PC system and access control router |
| CN105592038B | | Portal authentication method and device |
| CN102611712A | | Digital home network access and authentication method |
| CN104901796B | | A kind of authentication method and equipment |
| CN101447976B | | Method for accessing dynamic IP session, system and device thereof |
| CN105814918B | | Long-range socket for load shedding connects |
| CN110351721A | | Access method and device, the storage medium, electronic device of network slice |
| CN102202108A | | Method, device and system for realizing NAT (network address translation) traverse of IPSEC (Internet protocol security) in AH (authentication header) mode |
| CN117119463A | | CPE security authentication method and system for 5G private network |
| CN111586017A | | Method and device for authenticating communication user |
| CN104092687A | | BGP conversation establishing method and device |
| CN103227822A | | Method for establishing P2P communication connection and equipment |
| CN109587204B | | Method and device for accessing public network and electronic equipment |
| CN103200147B | | The requesting method and device of third party's business |
| CN103634221A | | Access control method of environmental protection and technology service network |
| CN104580186A | | Communication system and method based on HIP |
| CN103945379A | | Method of realizing access authentication and data communication in access network |
| CN102685667A | | Method, device and system for transmitting and acquiring position information of access user |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180209 |