CN1399441A - Technology of establishing safe multicasting tunnel with IP layer-based special virtual network - Google Patents

Technology of establishing safe multicasting tunnel with IP layer-based special virtual network

Info

Publication number: CN1399441A
Authority: CN (China)
Prior art keywords: multicast, tunnel, user, virtual private, mvpn2
Legal status: Granted
Application number: CN 02133382
Other languages: Chinese (zh)
Other versions: CN1291565C (en)
Inventors: 吴鸿钟, 罗慧, 谭兴烈, 张世雄
Current assignee: In Dianke (Beijing) Network Information Security Co. Ltd.
Original assignee: Chengdu Westone Information Industry Inc

Abstract

The present invention discloses a novel technique for establishing a secure multicast tunnel over an insecure Internet link, based on an IP-layer virtual private network. The IPSec VPN formed by the Internet Key Exchange protocol (IKE) is used to distribute the multicast key; the security policy database (SPDB) and the security association database (SADB) are then extended to form a multicast tunnel (MVPN), through which the data is transmitted. Different key-update methods are adopted for the cases of members joining and leaving the group. The invention is suited to operation on the Internet, identifies multicast members well, and provides high security for the transmitted multicast data.

Description

Technique for establishing a secure multicast tunnel using an IP-layer virtual private network
Technical field:
The present invention relates to network security technology. It uses a virtual private network (VPN) built with the Internet security protocol IPSec to establish a secure multicast tunnel that protects multicast communication, and is a novel implementation for protecting multicast communication.
Technical background:
IPSec is an important means of realizing network security: using encryption and authentication, it forms a secure channel (VPN) between hosts or between network segments. When processing a packet, IPSec takes two basic steps. First, it consults the security policy database (SPDB), which decides the security policy applied to the data (for example whether the data is accepted, forwarded or discarded); the SPDB is a coarse-grained step. Second, data accepted by the SPDB is passed to the security association database (SADB), which determines the concrete security measures to adopt, such as the encryption algorithm, the block length and the key length. Because the SPDB and the SADB lack security policies (SP) and security associations (SA) for multicast addresses, this patent needs to extend them for multicast addresses.
Data can be transmitted in three basic modes: unicast, for host-to-host communication; broadcast, for communication from a host to all hosts in the subnet; and multicast, which uses the multicast addresses defined by the Internet (224.0.0.0 to 239.255.255.255), so that only group members receive the multicast data. Group formation is controlled by the Internet Group Management Protocol (IGMP). Multicast saves a great deal of network bandwidth and makes applications such as video on demand possible; it is a focus of broadband operation and an emphasis of future development. The shortcoming of existing multicast is that it is insecure: anyone can join or leave the group, which is a serious security threat to applications such as e-government meetings that use multicast, so secure multicast is receiving more and more attention. But because multicast addresses a group address whose entity is many machines, a unicast security protocol such as the Internet Key Exchange (IKE) does not fit: the connection has only one initiator but many responders, so how is the negotiation to be carried out, and how are the group members' identities to be authenticated? Therefore the unicast security protocols IKE and IPSec cannot be used directly for multicast. This is the difficult point in the development of multicast.
Multicast development needs to support one-to-many or many-to-many applications in an extensible way. Commercial applications of multicast are receiving more and more attention, but security is one of the factors restricting its wide application. The key problem in realizing secure multicast is the revocation of user rights: the security-policy allocation problem (e.g. key distribution) when a new user joins the group, and the policy-update problem (e.g. key update) when a user leaves the group. The methods for solving this key problem are:
The first basic method is that each user shares a common key (a pre-shared key, Ks) with the multicast source, and the multicast source distributes the multicast data encryption key (Kd) under the protection of Ks. When a user joins, the multicast source uses Kd to redistribute Kd' to the old users and uses Ks to distribute Kd' to the new user; when a user leaves, the multicast source uses Ks to redistribute Kd''. The shortcoming of this method is that key distribution is inefficient when the number of users is large, and in addition the pre-shared key lacks adequate user identity authentication.
The second method builds on the first by dividing the multicast group into a number of hierarchical trees. Each branch has a control point that carries out the first method; the control points of the same level in turn have a higher-level control point, and so on. The shortcoming of this method is that the control nodes cannot be arbitrarily changed or revoked, and the control nodes become weak points of security.
The third method adopts public-key techniques, for example performing key update with Diffie-Hellman (abbreviated D-H). The security of the D-H exchange is relatively poor, and it is easily subjected to man-in-the-middle attack.
IPSec VPN is an IP-layer virtual private network built over an insecure Internet link; it is mainly used to protect communication between hosts and between individuals. Using the IPSec VPN that protects hosts or network segments for secure multicast is a novel implementation.
Summary of the invention:
The present invention proposes a new method of realizing secure multicast using IPSec VPN. In this method, the multicast source and the multicast users perform IKE negotiation and thereby form an IPSec VPN; on this basis the multicast key is distributed, then the security policy database (SPDB) and the security association database (SADB) are extended to form a group security association (GSA), on the basis of which the group data is sent.
A security scheme for secure computer communication comprises two aspects: the first is the secure processing of the data; the second is the key management scheme needed for that processing, including parameters such as key generation, distribution, management and lifetime. Two basic kinds of key management scheme exist at present. The first is based on the symmetric-key system, in which the most basic keys are distributed offline. The second is based on the asymmetric-key system; its basic idea is to use asymmetric algorithms, so that public information such as public keys can be propagated over the network while the user's private information is hard to infer from the public information. The D-H exchange is commonly used. The asymmetric key management scheme is accompanied by authentication of the identities of the two communicating parties, so it needs infrastructure such as a CA and a PKI and uses techniques such as digital signatures. For key management in the standard IPSec communication environment, the Internet Engineering Task Force (IETF) has formulated a standard generic security association framework, ISAKMP, on which keys can be exchanged and managed; IKE is a protocol built on the ISAKMP framework. IKE works in two main phases: the main mode phase and the quick mode phase. Main mode forms the basic secure channel used to protect quick mode, and the security association formed in this phase is the ISAKMP SA; quick mode forms the secure channel that protects data communication, and the security association formed in this phase is the IPSec SA.
The realization principle of the present invention is:
The multicast source establishes the multicast group using IGMP control information, and members join the group through IGMP, so the multicast source obtains the list of multicast members. On the basis of the collected member list, the multicast source and each member negotiate with IKE. The result of the negotiation is a secure tunnel between the multicast source and the member (abbreviated "individual tunnel" in this patent). The multicast source then uses a hardware card to generate the multicast data encryption key Kd and sends Kd securely to the group members through the individual tunnels. On the basis of Kd, each group member extends its security policy database SPDB and security association database SADB, thereby forming a secure multicast tunnel between the multicast source and the group members (abbreviated "multicast tunnel" in this patent and denoted MVPN).
Suppose the multicast tunnel between the multicast source and the existing members is denoted MVPN1. When a new user joins, the multicast source and the new user perform IKE negotiation and form an individual tunnel between them; the multicast source then distributes the multicast data encryption key Kd to the newcomer through the individual tunnel, and the newcomer extends its own SPDB and SADB, forming a new multicast tunnel MVPN2 between the multicast source and the newcomer. Between the multicast source and the existing members, Kd is distributed through the multicast tunnel MVPN1, and on the basis of Kd the multicast tunnel MVPN1 is updated to MVPN2. All members can then obtain information through the multicast tunnel MVPN2.
When a user leaves, the multicast source regenerates the multicast data encryption key (denoted Kd' to distinguish it from the former multicast data encryption key) and distributes Kd' through the individual tunnels between the multicast source and each remaining member. On the basis of Kd', the multicast tunnel is updated from MVPN1 to MVPN2. All remaining members can then obtain information through the multicast tunnel MVPN2.
The invention is characterized in that: the virtual private network IPSec VPN formed by the Internet key management protocol IKE is used to distribute the multicast key, a secure multicast channel MVPN is formed by extending the secure multicast policy database SPDB and the security association database SADB, and the multicast data is then transmitted through the MVPN.
The concrete steps of the present invention are:
A: the multicast source establishes the multicast group using IGMP control information;
B: the multicast source monitors changes in the group membership state;
When a user joins, different steps are taken depending on whether the user is newly joining or an old user, as follows:
For a newly joining user, the steps are C to F:
C: the multicast source and the member perform IKE negotiation and form an individual tunnel;
D: the multicast data encryption key Kd is distributed through the individual tunnel;
E: the member extends its own security policy database SPDB and security association database SADB, forming the multicast tunnel MVPN2;
F: data is transmitted through the multicast tunnel MVPN2.
For old users, the steps are G to I:
G: the multicast source transmits Kd to the old users through the former multicast tunnel MVPN1;
H: the members update the multicast tunnel, i.e. the multicast tunnel is updated from MVPN1 to MVPN2;
I: data is transmitted through the updated multicast tunnel MVPN2.
When a member leaves, the steps are J to M.
J: the multicast source generates a new multicast data encryption key Kd';
K: the multicast source transmits Kd' to the remaining members through the individual tunnels;
L: the members update the multicast tunnel MVPN1 to MVPN2;
M: data is transmitted through the updated MVPN2.
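The following is an added simulation of steps A to M (and of the embodiment described later), not the patent's own ANSI C implementation. It models the individual tunnel and the multicast tunnel MVPN as "envelopes" that a member can open only if it holds the protecting key, so it shows why a join rekeys old members through MVPN1 while a leave must rekey the remaining members through their individual tunnels; the group address, key sizes and SPI numbering are constructed assumptions.

```python
import os
from dataclasses import dataclass, field

GROUP = "239.1.2.3"  # constructed multicast group address (in 224.0.0.0-239.255.255.255)


@dataclass
class Member:
    """A group member: its IKE individual tunnel plus its (extended) SPDB and SADB."""
    name: str
    individual_key: bytes = b""                   # key of the per-member IKE tunnel (step C)
    spdb: dict = field(default_factory=dict)      # selector -> action (coarse policy lookup)
    sadb: dict = field(default_factory=dict)      # (destination, SPI) -> key (concrete SA)
    received: list = field(default_factory=list)  # multicast payloads this member could read

    def _can_open(self, envelope):
        # Simulated decryption: readable only if this member holds the protecting key
        key, _ = envelope
        return key != b"" and (key == self.individual_key or key in self.sadb.values())

    def receive_rekey(self, envelope, spi):
        """Steps E/H/L: on a readable rekey message, extend SPDB and SADB with the group SA."""
        if not self._can_open(envelope):
            return False
        self.spdb[GROUP] = "protect"            # policy: traffic to GROUP goes through IPSec
        self.sadb[(GROUP, spi)] = envelope[1]   # new key under a new SPI: MVPN1 -> MVPN2
        return True

    def receive_data(self, envelope):
        """Steps F/I/M: multicast data is readable only with the current group key Kd."""
        if self._can_open(envelope):
            self.received.append(envelope[1])
            return True
        return False


class MulticastSource:
    def __init__(self):
        self.members = {}             # steps A/B: membership list learned through IGMP
        self.kd = os.urandom(16)      # current multicast data encryption key Kd
        self.spi = 1                  # SPI of the current group SA

    def join(self, newcomer):
        """Steps C-F for the newcomer and G-I for the old members."""
        newcomer.individual_key = os.urandom(16)  # step C: stands in for the IKE negotiation
        old_kd = self.kd
        self.kd, self.spi = os.urandom(16), self.spi + 1  # fresh Kd: no access to past traffic
        for m in self.members.values():
            # steps G/H: old members are rekeyed through the existing group tunnel MVPN1
            m.receive_rekey((old_kd, self.kd), self.spi)
        # steps D/E: the newcomer has no group tunnel yet, so Kd goes over its individual tunnel
        newcomer.receive_rekey((newcomer.individual_key, self.kd), self.spi)
        self.members[newcomer.name] = newcomer

    def leave(self, name):
        """Steps J-M: the departed member still holds Kd, so Kd' must not travel over MVPN1."""
        del self.members[name]
        self.kd, self.spi = os.urandom(16), self.spi + 1  # step J: Kd'
        for m in self.members.values():
            # steps K/L: each remaining member gets Kd' over its own individual tunnel
            m.receive_rekey((m.individual_key, self.kd), self.spi)

    def multicast(self, payload):
        """Steps F/I/M: data protected with the current Kd; returns the names that could read it."""
        env = (self.kd, payload)
        return sorted(m.name for m in self.members.values() if m.receive_data(env))


def demo():
    """Join/leave sequence; returns what each member could read and who read the last message."""
    src = MulticastSource()
    alice, bob, carol = Member("alice"), Member("bob"), Member("carol")
    src.join(alice); src.join(bob)
    src.multicast(b"m1")                          # readable by alice and bob
    src.join(carol)
    src.multicast(b"m2")                          # readable by all three
    src.leave("alice")
    m3_readers = src.multicast(b"m3")             # bob and carol only
    alice_reads_m3 = alice.receive_data((src.kd, b"m3"))  # departed member handed the packet
    return {"alice": alice.received, "bob": bob.received, "carol": carol.received,
            "m3_readers": m3_readers, "alice_reads_m3": alice_reads_m3,
            "carol_spis": sorted(spi for _, spi in carol.sadb)}
```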
In the new-user joining step of the present invention, when a new user joins, IKE negotiates an individual tunnel, and the multicast tunnel is formed on the basis of the individual tunnel; the old users update the old multicast tunnel. When a user leaves, the old multicast tunnel is updated on the basis of the existing individual tunnels.
In the present invention, when a new user joins, the security policy database SPDB and the security association database SADB need to be updated so as to establish the multicast tunnel on the basis of the individual tunnel.
The present invention uses IKE for key distribution, which can authenticate the user or host, and on this basis uses the IPSec VPN to distribute the multicast key, which is secure. By extending the security policy database and the security association database, the IPSec VPN tunnel is generalized from the user to the group, forming the secure multicast VPN (MVPN), and multicast data is transmitted through the MVPN; because the IPSec VPN is host-to-host or user-to-user, the security is higher.
The present invention adopts the asymmetric-key system and does not rely directly on pre-shared keys, so it is suitable for use on the Internet. The distribution of the multicast key relies on IKE and IPSec VPN, making use of the advantages of both, and identifies multicast members well. Multicast data is transmitted through the group secure channel MVPN, formed between hosts or between network segments by means such as encryption and authentication, so the security is good.
Drawing and its description:
Fig. 1: flow chart of the present invention
In it, a daemon monitors the state of group membership, such as whether a member joins or leaves. If there is a join, the new entrant and the original members are handled differently. If there is a departure, it is handled according to the flow.
Embodiment:
The invention is characterized in that: the virtual private network IPSec VPN formed by the Internet key management protocol IKE is used to distribute the multicast key, the security policy database and the security association database are extended to form a secure multicast tunnel, and data is transmitted through the secure multicast tunnel.
The concrete steps of the present invention are: the multicast source establishes the multicast group using IGMP control information, and members join the group through IGMP. The multicast source continuously detects whether a member has joined.
When the multicast source detects that a user has joined, it immediately carries out the IKE information exchange with the newly joined member; this exchange not only completes the multicast source's authentication of the member but also generates the secure tunnel between the multicast source and the member, the individual tunnel. The multicast source then generates the key Kd that protects the multicast data communication and sends it to the newcomer and to the existing members by different methods. For the newcomer, which does not yet have a multicast tunnel, Kd is sent through the individual tunnel; the newcomer then extends its own security policy database SPDB and security association database SADB, forming the group tunnel MVPN. For existing members, which already have a multicast tunnel, Kd is distributed directly through the multicast tunnel.
When the multicast source detects that a user has left, it generates a new multicast data encryption key Kd'; the multicast source transmits Kd' to the remaining members through the individual tunnels, the multicast tunnel is updated on the basis of Kd', and multicast data is then transmitted through the updated multicast tunnel.
The above method of the present invention is implemented in ANSI C under Linux.

Claims (5)

1. A technique for establishing a secure multicast tunnel using an IP-layer virtual private network, characterized in that: the virtual private network IPSec VPN formed by the Internet key management protocol IKE is used to distribute the multicast key, the secure multicast policy database SPDB and the security association database SADB are extended to form the group secure tunnel MVPN, and the multicast data is transmitted through the MVPN.
2. The technique for establishing a secure multicast tunnel using an IP-layer virtual private network according to claim 1, characterized in that: said virtual private network IPSec VPN is a virtual private network of IP-layer security built over an insecure Internet link.
3. The technique for establishing a secure multicast tunnel using an IP-layer virtual private network according to claim 1, whose concrete steps are:
A: the multicast source establishes the multicast group using IGMP control information;
B: the multicast source monitors changes in the group membership state;
When a user joins, different steps are taken depending on whether the user is newly joining or an old user, as follows:
For a newly joining user, the steps are C to F:
C: the multicast source and the member perform IKE negotiation and form an individual tunnel;
D: the multicast data encryption key Kd is distributed through the individual tunnel;
E: the member extends its own security policy database SPDB and security association database SADB, forming the multicast tunnel MVPN2;
F: data is transmitted through the multicast tunnel MVPN2.
For old users, the steps are G to I:
G: the multicast source transmits Kd to the old users through the former multicast tunnel MVPN1;
H: the members update the multicast tunnel, i.e. the multicast tunnel is updated from MVPN1 to MVPN2;
I: data is transmitted through the updated multicast tunnel MVPN2.
When a member leaves, the steps are J to M.
J: the multicast source generates a new multicast data encryption key Kd';
K: the multicast source transmits Kd' to the remaining members through the individual tunnels;
L: the members update the multicast tunnel MVPN1 to MVPN2;
M: data is transmitted through the updated MVPN2.
4. The technique for establishing a secure multicast tunnel using an IP-layer virtual private network according to claim 1 or 3, characterized in that: in said new-user joining step, when a new user joins, IKE negotiates an individual tunnel and the multicast tunnel is formed on the basis of the individual tunnel; the old users update the old multicast tunnel; when a user leaves, the old multicast tunnel is updated on the basis of the existing individual tunnels.
5. The technique for establishing a secure multicast tunnel using an IP-layer virtual private network according to claim 1 or 3, characterized in that: when a new user joins, on the basis of the individual tunnel, the security policy database SPDB and the security association database SADB need to be updated so as to establish the multicast tunnel.
Application CN 02133382 (priority date 2002-06-28, filing date 2002-06-28): Technology of establishing safe multicasting tunnel with IP layer-based special virtual network; granted as CN1291565C (en); status Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN1399441A (en) 2003-02-26
CN1291565C (en) 2006-12-20

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100385885C (en) * 2004-07-09 2008-04-30 威达电股份有限公司 Safety gateway with SSL protection function and method
CN100459568C (en) * 2005-09-22 2009-02-04 武汉思为同飞网络技术有限公司 System and method for realizing VPN protocol at application layer
CN101499965B (en) * 2008-02-29 2011-11-02 沈建军 Method for network packet routing forwarding and address converting based on IPSec security association
CN101521614B (en) * 2008-02-26 2012-04-04 华为技术有限公司 Method, device and system for protecting operator backbone transmission service
CN101217458B (en) * 2007-12-28 2012-09-05 华为技术有限公司 A virtual private online resource allocation method
US9344434B2 (en) 2012-07-09 2016-05-17 Hangzhou H3C Technologies Co., Ltd. GET VPN group member registration

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20151209

Address after: 100000, Fengtai District, Beijing, South Fourth Ring Road, No. eighteen, No. 188, building 6, 1 to 9, 101

Patentee after: In Dianke (Beijing) Network Information Security Co. Ltd.

Address before: 610041, No. 6, pioneering Road, hi tech Zone, Sichuan, Chengdu

Patentee before: Weishi-ting Information Industry Co., Ltd., Chengdu City

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20061220

Termination date: 20170628