CN1832484A - Method for effectively protecting signalling messages between a mobile router and a home agent - Google Patents

Publication number: CN1832484A (granted version: CN100536471C)
Authority: CN (China)
Legal status: Granted
Application number: CN 200610076115 (priority application CNB2006100761154A)
Original language: Chinese (zh)
Prior art keywords: mobile, option, nemo, authentication, home agent
Inventors: 周华春, 曹宏亮, 张宏科, 秦雅娟, 任兰芳
Original assignee: Beijing Jiaotong University
Current assignee: China High Speed Railway Technology Co ltd

Abstract

This invention relates to a method for effectively protecting signalling messages exchanged with a home agent. It protects the signalling between the mobile router (MR) and the home agent (HA) by designing a new option carried in binding updates (BU) and binding acknowledgements (BA), which greatly reduces the processing load on the MR and HA and speeds up both the handling of signalling messages and the handover of a subnet between different networks. At the same time, in a nested NEMO topology, the subnet uses its directly attached parent MR to authenticate the signalling of a newly arriving child MR: if authentication passes the message is forwarded, otherwise service to that subnet is refused.

Description

A method for effectively protecting signalling messages between a mobile router and a home agent
Technical field
The present invention relates to a method for effectively protecting signalling messages between a mobile router and a home agent, and belongs to the field of mobile IP security.
Background technology
Research on and application of mobile IP (RFC 3775, Mobility Support in IPv6), network mobility and mobile interconnection techniques such as wireless routers are currently a focus of attention. People are no longer satisfied with connecting a fixed terminal or a single mobile terminal to the network; they wish to combine the terminals within a certain range into an organic whole that, as a relatively stable unit, connects to the Internet and obtains information while in motion. For example, multiple information devices carried on a moving object such as a train, car, spacecraft or ship can form a wired or wireless network whose connection to the Internet changes dynamically as the position of the moving object changes.
In January 2005 the NEMO working group published its first RFC, "Network Mobility (NEMO) Basic Support Protocol" (RFC 3963). The problem it solves is how to manage the mobility of an entire network so that the network remains reachable in the Internet topology when it changes its point of attachment. Without an explicit mechanism that guarantees network mobility, existing communications would be interrupted and connectivity with the global Internet lost. Although existing mobile IP technology cannot fully support network mobility, an ideal network mobility scheme should be based on mobile IP as far as possible, so as to maintain maximum interoperability with node mobility (RFC 4068, Fast Handovers for Mobile IPv6) while satisfying the new requirements of network mobility applications.
One of the most important problems in deploying NEMO is security. In a mobile environment, mobile terminals, including mobile routers, attach to the network over wireless links, which are more exposed to replay and other active attacks than wired links, and packets are also very easily intercepted by other nodes. In such an environment the MR is the party that initiates registration, and the BU it sends to the HA can easily be intercepted and modified by a third party, deceiving the HA into registering a forged node. This is a potential security problem.
Prior art related to the present invention:
There are currently two main solutions to the potential security problems in NEMO. The first uses IPsec (RFC 2401, Security Architecture for the Internet Protocol, and RFC 3776, Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents) to protect the signalling messages exchanged between the MR and the HA; the second protects the signalling messages with the Purpose-Built Keys (PBK) protocol. The two schemes and their shortcomings are introduced below.
The IPsec protocol in NEMO:
IPsec was designed to prevent IP address spoofing and any form of tampering with or replay of IP datagrams, and to provide confidentiality and other security services for IP datagrams. IPsec provides these services at the network layer, the layer of the TCP/IP protocol stack that contains the IP protocol. The security services IPsec provides are realised jointly by cryptographic protocols and security mechanisms. IPsec lets a system select the required security protocols and algorithms, and generates the keys needed to provide these services as well as the locations where the keys are stored.
The security services provided by IPsec include access control to network elements, data origin authentication, data integrity for connectionless protocols (such as UDP), detection and rejection of replayed datagrams, and confidentiality of the data flow through encryption. IPsec is implemented at the IP layer and can therefore serve various upper-layer protocols. In IPv6, IPsec provides high-quality, interoperable security services for datagrams. IPsec achieves these goals with two communication security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), while a key management protocol such as the Internet Key Exchange (IKE) generates and manages the shared keys.
The IPsec security architecture consists of three main parts:
Security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP) (RFC 2402, IP Authentication Header);
Security Associations and security policy;
Key management: manual management and automatic management (IKE) (RFC 2409, The Internet Key Exchange).
In NEMO, an MR can act both as a mobile node (MN) and as the default gateway of a subnet. Whatever functional entity the MR appears as in the network, as long as IPsec protection is enabled between the MR and the HA, the signalling messages exchanged between them (including BU and BA) can be considered secure. In such an environment it is difficult for a third party to intercept and decrypt their data. When IPsec is used to protect signalling messages in NEMO, NEMO itself needs no extension, and each entity in NEMO can use any of the cipher modes IPsec provides. How the MR and HA establish SAs, perform key exchange and encrypt and decrypt data are problems entirely within the IPsec architecture itself.
Using IPsec to protect the signalling messages exchanged between the MR and the HA has the following main shortcomings:
IPsec relies on a Public Key Infrastructure (PKI) to operate, but such an infrastructure is not yet well deployed;
The key management part of IPsec requires the devices supporting the protocol to have strong processing capability;
Mobile devices with strong computing power, such as notebook computers, can fully bear the computation and power consumption IPsec brings, but in a NEMO environment the mobile terminals are mostly devices such as mobile phones and PDAs, whose computing capability is low and whose tolerable power consumption is limited. Because the MR is also in motion, reducing power consumption is equally important, so a system like IPsec, with its higher demands on processor capability and its larger power consumption, is not well suited for use in a NEMO system.
The Purpose-Built Keys protocol in NEMO:
The PBK protocol is the Purpose-Built Keys protocol (draft-bradner-pbk-frame, A Framework for Purpose Built Keys). Compared with IPsec, PBK is a lightweight protocol and provides only limited security mechanisms. PBK assumes that, provided certain operations are guaranteed to be secure, the subsequent operations can be considered secure. Before each NEMO session the communicating parties generate a new public/private key pair. This key pair is temporary, is used only by the participating parties (MR and HA) and need not be registered with a third party. When the session ends the key pair becomes invalid. The key pair can only be used by the participating communication devices and cannot be obtained by a third party. Because the keys change frequently, the signalling messages between the MR and the HA are protected. Unlike IPsec, PBK is applied at the transport and application layers, whereas IPsec works at the network layer.
The steps for implementing PBK in NEMO are as follows:
The mobile router creates a public/private key pair Kpub, Kpri;
The mobile router generates PBID = hash(Kpub); the PBID serves as the identifier of the mobile node;
The MR adds the PBID to the first packet it sends to the correspondent node. For NEMO the PBID can be placed in an option header (if PBK is used in an application service such as HTTP, the PBID should be placed at the application layer). The public key Kpub can also be transmitted at this time (or at any time before authentication is needed);
The correspondent node receives the PBID sent by the mobile node, verifies hash(Kpub) and, if it matches, stores the PBID;
When roaming into a new area, the MR signs the binding update message with its private key Kpri and includes the PBID in it. If replay attacks are to be resisted, a nonce or timestamp can also be placed in the message;
The mobile router sends the signed message to the correspondent node;
The correspondent node verifies the received signature with the stored public key Kpub and sends a challenge packet to the IP address of the network segment where the MR is located; this packet contains a random test value generated by the HA;
After receiving the challenge packet, the MR encrypts the random test value with its private key Kpri and sends the result to the HA.
The HA decrypts with the received public key and PBID; if the result matches the original data, the HA can confirm that the MR is indeed the MR that registered with it. The key pair Kpub, Kpri is then discarded, and a new random key pair is generated at the next connection initialisation.
Major defects of the PBK scheme:
First, PBK is less secure than IPsec. The PBK protocol emphasises the continuity of a communication: it can guarantee that subsequent messages all come from the same connection source, but it cannot resist man-in-the-middle attacks. In essence, the man-in-the-middle problem stems from the lack of effective authentication of malicious nodes, so that the HA or correspondent node accepts binding update messages forged by a malicious MR. If it could be determined that a binding update message comes from a node with a false identity, the message could be ignored or an alarm raised, thereby defeating the man-in-the-middle attack. The scheme proposed in this invention finds a balance between IPsec and PBK: it avoids the large amount of computation and host power consumption introduced by IPsec while also solving the man-in-the-middle problem of PBK.
Summary of the invention
To overcome the deficiencies of the prior art, the invention provides a method for effectively protecting signalling messages between a mobile router and a home agent, which protects the BU by adding a new mobility option, the NEMO mobile message authentication option, to the BU.
The technical solution adopted by the invention is as follows. The NEMO base protocol stipulates that the signalling messages (BU and BA) between the MR and the HA are protected by IPsec. This method for effectively protecting signalling messages between a mobile router and a home agent instead uses an authentication option in the NEMO environment as an alternative security scheme to IPsec.
The scheme protects the BU and BA between the MR and the HA by adding a new authentication option, which can be used together with IPsec (although there is generally no need to use both at once) or on its own. Compared with IPsec this scheme is a lightweight mechanism based on a shared-key mobility security association between the MR and the HA; the shared-key mobility SA can be configured statically or established dynamically. The mobility security association (Mobility SA) can be understood as a NEMO authentication SA based on a shared key. Where security requirements are not very high and system resources are limited, the advantage of this scheme is especially evident.
The method for effectively protecting signalling messages between a mobile router and a home agent is divided into two parts:
1. A new mobility option format;
2. Processing by the MR and the HA of messages containing the new option.
New mobility option format:
NEMO, as an extension of the Mobile IPv6 protocol, first of all supports the Mobile IPv6 base protocol. To realise the most important functional entity in NEMO, the mobile router (MR), NEMO extends the Binding Update (BU) and Binding Acknowledgement (BA) messages that Mobile IPv6 sends to the home agent.
NEMO's extensions to the Binding Update and Binding Acknowledgement are shown in Table 1 and Table 2 respectively:
Table 1: Binding Update (BU) format in NEMO
    Sequence number
    A | H | L | K | M | R | Reserved | Lifetime
    Mobility options
Compared with the Binding Update of Mobile IPv6, this format adds the R flag bit: when R is set, the binding update sent to the HA comes from a mobile router; when R is cleared, it is a BU sent by a mobile node.
Compared with the BA format of Mobile IPv6, the R flag bit is likewise added to this format, as shown in Table 2: when R is set, the HA supports MR registration; when the R bit is cleared, the MR is notified that the home agent does not support MR registration.
Table 2: Binding Acknowledgement (BA) format in NEMO
    Type | K | R | Reserved
    Sequence number | Lifetime
    Mobility options
If these two messages are not protected in NEMO, serious security problems result: an attacker can easily deceive the HA into creating a binding for him and so steal data. The background section introduced the two existing schemes for protecting the signalling messages between the MR and the HA, but each has its own shortcomings.
In the present invention, to better solve the security problem in NEMO, a new mobility option is designed: the NEMO mobile message authentication option. This option extends the MIPv6 authentication option of RFC 4285 (Authentication Protocol for Mobile IPv6), which is based on a host mobility authentication infrastructure, so that it can support the authentication of a mobile network. The basic format of the new option is shown in Table 3:
Table 3: NEMO mobile message authentication option
    Type | Length
    Mobility Security Parameter Index
    Timestamp
    Authentication data
The meaning of each field of the NEMO authentication option is as follows:
Type: identifies the type of this mobility option and occupies 8 bits. Based on the option types and values already defined in Mobile IPv6 and NEMO, this value is tentatively defined as 10.
Length: an 8-bit unsigned integer giving the length of the whole mobility option, excluding the type and length fields themselves.
Mobility Security Parameter Index (SPI): identifies the security association between the mobile router (MR) and the home agent (HA).
Timestamp: 64 bits long, in the format specified by the Network Time Protocol (NTP, RFC 1305); used to resist replay attacks.
Authentication data: contains the information that authenticates the mobile entity concerned and is 64 bits long. It protects the message from the mobility header up to and including the timestamp field.
Structure of the NEMO mobile message authentication option:
The type and length of this option are fixed values. The shared-key SA consists of the mobility SPI, the key, the authentication algorithm and the replay protection mechanism used. In this option the SPI is a number in the range [0-4294967296], of which [0-255] is reserved. The key is an arbitrary 16-byte value. The authentication algorithm is HMAC_SHA1 (RFC 2104, HMAC: Keyed-Hashing for Message Authentication). If this is the only authentication option in the message, it must be the last option of the mobility header. The authentication data is computed over the mobility header up to the timestamp of this option, using the following algorithm:
Authentication data = First(96, HMAC_SHA1(MR-HA shared key, Mobility data))
Mobility data = Care-of Address | Home Address | Mobility Header data (where | denotes the bitwise exclusive-OR of the data)
The Mobility Header data is the content of the mobility header up to the timestamp field of this option. When computing the mobility data, the checksum field of the mobility header must be set to 0. The first 96 bits of the MAC result are used as the authentication data field.
The timestamp in this option is used to resist replay attacks. It allows the home agent to verify that a binding update is the latest binding update from the MR rather than an attacker's retransmission of an earlier binding update. This is particularly useful in the following situation: the home agent does not keep state information about the MR after it removes the binding entry. The home agent performs the replay protection check after the binding update has been authenticated. The MR in turn uses the timestamp in the NEMO mobile authentication option to match the binding acknowledgement to the binding update it sent. The timestamp can be treated as optional: the MR is not forced to fill in and process it when sending a BU. If the MR initialises the timestamp to 0 when constructing the BU, the HA need not process this field and likewise fills it with 0 in the BA answering that BU. But when the MR intends to use this field in the BU to resist replay attacks, the field becomes part of the shared-key mobility SA.
The basic principle of timestamp replay protection is that the node generating a message inserts the current time into it, and the receiving node checks whether the timestamp is close enough to its own current time. Unless the shared-key mobility SA defined between the nodes specifies otherwise, a default value of 7 seconds may be used to limit this time difference. The value should be greater than 3 seconds. The two nodes must have sufficiently synchronised time-of-day clocks.
Message processing flow:
Step 1: a shared-key SA is established between the MR and the HA;
Step 2: the NEMO mobile message authentication option is created, including the timestamp and the authentication data;
Step 3: when the mobile node or home agent receives a packet carrying this option, it must verify the option's authentication data. If authentication fails, the home agent must send a binding acknowledgement with status code NEMO-AUTH-FAIL (NEMO authentication failure). If the home agent has no shared-key SA, it must discard the binding update, and it may log these events. The BU the MR sends to the HA must contain this new mobility option, and if this option is the only authentication option in the BU it must be the last mobility option;
Step 4: the timestamp option is processed. If the timestamp is valid, the home agent copies the whole timestamp field into the binding acknowledgement returned to the MR. If it is invalid, the home agent copies only the low 32 bits into the binding acknowledgement and takes the high 32 bits from its own time of day. If the timestamp field is invalid but the binding update authenticates successfully, the home agent must return a binding acknowledgement with status code NEMO-ID-MISMATCH (NEMO timestamp option mismatch). If the timestamp check fails, the home agent does not create a binding cache entry. On receiving a binding acknowledgement that does not carry NEMO-ID-MISMATCH, the MR must compare the timestamp value in the binding acknowledgement with the timestamp value in the binding update it sent; if they match, the mobile node goes on to process the mobile node-home agent authentication data in the binding acknowledgement, and if they do not match the MR discards the BA.
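The option computation and the HA/MR processing steps above, as an added Python example that is not part of the patent: it encodes the option (type 10, SPI, 64-bit NTP timestamp, First(96, HMAC_SHA1(...)) authentication data), verifies it on the HA side with the 7-second replay window, and applies the step 4 timestamp rules to the BA. Assumptions: the `|` in the mobility data formula is treated as concatenation, as in the RFC 4285 option this one extends; the numeric values of NEMO-AUTH-FAIL and NEMO-ID-MISMATCH, the sample key, addresses and Mobility Header bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed constants for this example. The patent tentatively assigns the
# option type 10 and names two status codes without giving their numeric
# values, so the two code values below are placeholders.
OPT_TYPE_NEMO_AUTH = 10
OPT_LEN = 4 + 8 + 12             # SPI + timestamp + 96-bit auth data (type/length excluded)
STATUS_OK = 0
STATUS_NEMO_AUTH_FAIL = 0xE0     # placeholder value
STATUS_NEMO_ID_MISMATCH = 0xE1   # placeholder value
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
DEFAULT_WINDOW_SECONDS = 7       # page: default 7 s; must be greater than 3 s


def ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: high 32 bits = seconds since 1900, low 32 bits = fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return (((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32) | frac


def auth_data(key: bytes, coa: bytes, hoa: bytes, mh_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(key, CoA | HoA | MH data)), with '|' taken as concatenation."""
    return hmac.new(key, coa + hoa + mh_data, hashlib.sha1).digest()[:12]


def build_option(key: bytes, spi: int, ts: int, coa: bytes, hoa: bytes, mh_prefix: bytes) -> bytes:
    """Encode the option. mh_prefix is the Mobility Header content before this
    option with its checksum already zeroed; the MAC covers that prefix plus
    this option up to and including the timestamp field."""
    head = struct.pack("!BBIQ", OPT_TYPE_NEMO_AUTH, OPT_LEN, spi, ts)
    return head + auth_data(key, coa, hoa, mh_prefix + head)


def parse_option(option: bytes):
    """Return (type, length, spi, timestamp, auth_data), or None if truncated."""
    if len(option) < 14 + 12:
        return None
    typ, length, spi, ts = struct.unpack("!BBIQ", option[:14])
    return typ, length, spi, ts, option[14:26]


def ha_process_bu(sa_table: dict, mh_prefix: bytes, option: bytes, coa: bytes,
                  hoa: bytes, now_ntp: int, window: int = DEFAULT_WINDOW_SECONDS):
    """Home-agent side of steps 3 and 4. Returns (status, timestamp for the BA);
    a None status means the BU is discarded without sending a BA."""
    parsed = parse_option(option)
    if parsed is None or parsed[0] != OPT_TYPE_NEMO_AUTH or parsed[1] != OPT_LEN:
        return None, None
    _, _, spi, ts, received = parsed
    key = sa_table.get(spi)
    if key is None:
        return None, None                    # no shared-key SA: drop (and optionally log)
    expected = auth_data(key, coa, hoa, mh_prefix + option[:14])
    if not hmac.compare_digest(expected, received):
        return STATUS_NEMO_AUTH_FAIL, None   # authentication precedes the replay check
    if ts == 0:
        return STATUS_OK, 0                  # MR opted out of timestamp protection: echo 0
    skew = abs((ts >> 32) - (now_ntp >> 32))  # compare the seconds halves
    if skew <= window:
        return STATUS_OK, ts                 # fresh: copy the whole timestamp into the BA
    # Authenticated but outside the window: keep the MR's low 32 bits, put the
    # HA's own seconds in the high 32 bits, report NEMO-ID-MISMATCH, no binding.
    ba_ts = (now_ntp & 0xFFFFFFFF00000000) | (ts & 0xFFFFFFFF)
    return STATUS_NEMO_ID_MISMATCH, ba_ts


def mr_process_ba(status, ba_ts: int, sent_ts: int) -> str:
    """Mobile-router side of step 4 when the BA arrives."""
    if status == STATUS_NEMO_ID_MISMATCH:
        return "ID_MISMATCH"                 # HA rejected our timestamp
    if ba_ts != sent_ts:
        return "DROP"                        # does not match the BU we sent
    return "ACCEPT"                          # go on to verify the BA's authentication data


# Constructed sample data: 16-byte key, SPI outside the reserved 0-255 range,
# two IPv6 addresses and Mobility Header bytes with the checksum zeroed.
SAMPLE_KEY = bytes(range(16))
SAMPLE_SA_TABLE = {256: SAMPLE_KEY}
SAMPLE_COA = bytes.fromhex("20010db8000000010000000000000002")
SAMPLE_HOA = bytes.fromhex("20010db8000000990000000000000001")
SAMPLE_MH_PREFIX = bytes.fromhex("3b00050000000000" "0001e00000000258")


def demo():
    """MR builds the option; HA checks it 2 s later, then sees it replayed 30 s later."""
    sent_ts = ntp_timestamp(1_700_000_000)
    option = build_option(SAMPLE_KEY, 256, sent_ts, SAMPLE_COA, SAMPLE_HOA, SAMPLE_MH_PREFIX)
    fresh = ha_process_bu(SAMPLE_SA_TABLE, SAMPLE_MH_PREFIX, option, SAMPLE_COA,
                          SAMPLE_HOA, ntp_timestamp(1_700_000_002))
    replayed = ha_process_bu(SAMPLE_SA_TABLE, SAMPLE_MH_PREFIX, option, SAMPLE_COA,
                             SAMPLE_HOA, ntp_timestamp(1_700_000_030))
    return sent_ts, option, fresh, replayed
```

demo() returns (STATUS_OK, echoed timestamp) for the fresh BU and (STATUS_NEMO_ID_MISMATCH, timestamp with the HA's seconds in the high half) for the replay; a BU with a tampered address or an unknown SPI fails before any timestamp is looked at.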
The beneficial effects of the technical solution of the invention are as follows:
In the NEMO environment an authentication option is used as an alternative security scheme to IPsec. The amount of data this scheme must process is significantly smaller than with IPsec, so the processing load at each end is effectively reduced.
In the NEMO environment nested subnets are common. Data is then transmitted through established tunnels, which makes the MR's registration, authentication and binding procedure very complicated; the problem is more pronounced with deep nesting. In the invention, the parent MR of a newly nested MR authenticates the BU sent by that MR in place of the HA: if authentication succeeds the BU is forwarded, otherwise service to that MR is refused. In this way an illegal MR can be detected in a shorter time, and unnecessary data transmission in the network is reduced.
The new option is simply designed, easy to process, changes the existing NEMO protocol very little and is easy to implement.
Description of drawings
The invention is further described below with reference to the drawings and embodiments.
Fig. 1: basic topology of NEMO without nested subnets;
Fig. 2: MR registration and binding procedure in NEMO without nested subnets;
Fig. 3: basic topology of NEMO with nested subnets;
Fig. 4: MR binding and registration procedure in NEMO with nested subnets.
Embodiment
Embodiment 1:
As shown in Fig. 1, the case without nested subnets:
When no subnet is nested, the processing is similar to that for an MN; the difference is that the two must handle authentication options of different formats in the overall processing flow and in MIPv6. NEMO allows subnets to be nested, which makes NEMO more robust and lets it adapt to the constantly changing network topology of a wireless environment. RFC 3963 stipulates that packets in a nested NEMO are mainly handled by tunnelling. Although this mode can basically handle the nested-subnet scenario, it also brings numerous problems, especially with deep nesting, where problems such as route redundancy and time-consuming binding become particularly obvious. In such a topology, a heavyweight security system such as IPsec places a large load on these nested MRs. Therefore, in environments that do not require very high security, using the new NEMO authentication option of the invention to guarantee security will greatly lighten the burden on these MRs.
Step 1: after starting up in its home network, the MR obtains its home address through the HA and negotiates the SA between them;
Step 2: the MR, together with its subnet, moves to a new access router (AR);
Step 3: the MR receives a layer-2 link trigger and a Router Advertisement (RA) message from the AR, and generates its care-of address (CoA) from the AR prefix carried in the RA;
Step 4: the AR performs duplicate address detection on the CoA generated by the MR;
Step 5: the MR constructs a BU message, using the CoA as its source address and including its home address in the Home Address option; it generates the NEMO mobile message authentication option using the SA negotiated in step 1 and fills in the other fields of the BU, including the timestamp. When this is done the MR sends the BU message to the HA;
Step 6: on receiving the BU message, the HA extracts the NEMO mobile message authentication option and authenticates it using the SA negotiated with the MR at the start. If successful, the HA accepts the BU and creates a binding cache entry; otherwise go to step 8;
Step 7: the HA sends a binding acknowledgement (BA) to the MR, completing the handover;
Step 8: the HA refuses the binding update and sends a binding acknowledgement to the MR containing NEMO-AUTH-FAIL, indicating authentication failure.
Embodiment 2: the case with nested subnets:
To let the invention handle NEMO authentication in the best way, a new scheme for handling nested subnets is proposed on the basis of the non-nested scheme above. It is based entirely on the new NEMO authentication option invented above; the only difference is that when subnets are nested, the upper-level MR first authenticates, in place of the HA, the BU sent by the newly arriving MR. If it passes, the BU continues to be forwarded to the HA; if not, service to this MR is refused. Such an optimisation detects illegal MRs faster and also serves legitimate new MRs faster, without having to wait each time until the MR has registered (successfully or not) with the HA before accepting or refusing the new MR; the advantage is especially obvious in deeply nested NEMO topologies. The parent MR can provide such authentication mainly for two reasons: first, this MR has itself registered with the HA and knows much about the HA; second, because our scheme only adds an authentication header and, unlike IPsec, does not encrypt the data of this header, the upper-level MR, as the forwarding router (that is, the default gateway) for the newly joined MR's BU, can easily extract the authentication option from the BU and so authenticate this node in place of the HA. The specific flow is shown in Fig. 4:
Step 1: after starting up in its home network, the MR obtains its home address through the HA and negotiates the SA between them;
Step 2: the MR, together with its subnet, moves onto a new MR, forming a nested topology; the newly entering MR is the child MR and the MR it attaches to is its parent MR;
Step 3: the child MR receives a layer-2 link trigger and a Router Advertisement (RA) message from the parent MR, and generates its care-of address (CoA) from the parent MR prefix carried in the RA;
Step 4: the parent MR performs duplicate address detection on the CoA generated by the child MR;
Step 5: the child MR constructs a BU message, using the CoA as its source address and including its home address in the Home Address option; it generates the NEMO mobile message authentication option using the SA negotiated in step 1 and fills in the other fields of the BU, including the timestamp. When this is done the MR sends the BU message to the HA;
Step 6: the parent MR intercepts the BU message sent by the child MR and authenticates it; if it passes, the BU is forwarded to the HA, otherwise service to this MR is refused;
Step 7: the HA receives the BU forwarded by the parent MR and extracts the information in the BU;
Step 8: using the SA originally negotiated with the MR, the HA authenticates the NEMO mobile message authentication option in the BU message; if successful it creates a binding cache entry, otherwise it rejects the BU;
Step 9: the HA sends a BA, including a copy of the NEMO mobile authentication option from the BU;
Step 10: binding succeeds.
Glossary of abbreviations:
NEMO (Network Mobility): network mobility
HoA (Home Address): home address
CoA (Care-of Address): care-of address
MN (Mobile Node): mobile node
MR (Mobile Router): mobile router
HA (Home Agent): home agent
AR (Access Router): access router
CN (Correspondent Node): correspondent node
MNP (Mobile Network Prefix): mobile network prefix
BU (Binding Update): binding update
BA (Binding Acknowledgement): binding acknowledgement
SPI (Security Parameter Index): security parameter index
SA (Security Association): security association

Claims (5)

1. A method for effectively protecting signalling messages between a mobile router and a home agent, characterized in that, in the NEMO environment, an authentication option is used as an alternative security mechanism to IPsec.
2. The method for effectively protecting signalling messages between a mobile router and a home agent according to claim 1, characterized in that the authentication option format carries an R flag bit: when R is set, the sender of the Binding Update to the HA is a mobile router; when R is cleared, the BU was sent by a mobile node. The Binding Update and Binding Acknowledgement formats of Mobile IPv6 are extended with this R flag bit; in a Binding Acknowledgement, R set means the HA supports MR registration, and R cleared notifies the MR that the home agent does not support MR registration. A NEMO mobility message authentication option is defined, which extends the MIPv6 authentication option on the basis of the single-node mobility authentication infrastructure of RFC 4285 to support authentication of a mobile network.
3. The method for effectively protecting signalling messages between a mobile router and a home agent according to claim 2, characterized in that the NEMO mobility message authentication option contains: Type: identifies the type of this mobility option and occupies 8 bits; Length: an 8-bit unsigned integer giving the length of the whole mobility option excluding the Type and Length fields themselves; Mobility Security Parameter Index (SPI): identifies the security association between the mobile router and the home agent; Timestamp: 64 bits long, in the format specified by NTP (Network Time Protocol), used to resist replay attacks; Authentication data: contains the information that authenticates the mobile entity concerned and is 64 bits long.
4. The method for effectively protecting signalling messages between a mobile router and a home agent according to claim 2 or 3, characterized in that it contains the following steps:
Step 1: Establish a shared-key-based SA between the MR and the HA;
Step 2: Create the NEMO mobility message authentication option, including the timestamp and the authentication data;
Step 3: When the mobile node and the home agent receive a packet carrying this option, they verify the option's authentication data. If authentication fails, the home agent sends a Binding Acknowledgement with status code NEMO-AUTH-FAIL. If the home agent has no shared-key-based SA, it discards the Binding Update and may log the event. The BU that the MR sends to the HA carries this new mobility option; if it is the only authentication option in the BU, it must be the last mobility option;
Step 4: Timestamp processing. If the timestamp is valid, the home agent copies the whole timestamp field into the binding acknowledgement returned to the MR; if it is invalid, the home agent copies only the low 32 bits into the binding acknowledgement and takes the high 32 bits from its own time of day. If the timestamp field is invalid but the Binding Update authenticates successfully, the home agent returns a binding acknowledgement with status code NEMO-ID-MISMATCH; when timestamp verification fails, the home agent does not create a binding cache entry. When the MR receives a binding acknowledgement that does not carry NEMO-ID-MISMATCH, it compares the timestamp in the binding acknowledgement with the timestamp in the Binding Update it sent; if they match, it further processes the mobile node-home agent authentication data in the binding acknowledgement; if they do not match, the MR discards the BA.
5. The method for effectively protecting signalling messages between a mobile router and a home agent according to claim 4, characterized in that, in the NEMO environment, when subnets are nested, data are forwarded through an established tunnel; the parent MR of a nested MR authenticates, in place of the HA, the BU sent by that MR; on authentication success the BU is forwarded, otherwise service to that MR is refused.
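As an added illustration (not code from the patent), the option layout of claim 3 and the HA and MR processing of claim 4 and of steps 8 to 10 above, in Python; the MAC algorithm, the option type value, the clock-skew tolerance and the status strings are assumptions, since the page does not fix them.

```python
import hashlib, hmac, struct

# Assumed layout from claim 3: Type(8) Length(8) SPI(32) Timestamp(64, NTP) AuthData(64).
OPT_TYPE = 0x7F          # placeholder: the page assigns no type number
NTP_OFFSET = 2208988800  # seconds from the 1900 NTP epoch to the 1970 Unix epoch

def ntp_ts(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp: seconds in the high 32 bits, fraction in the low 32."""
    secs = int(unix_seconds) + NTP_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac

def auth_data(key, bu_payload, spi, ts):
    """Assumed MAC (the page names none): HMAC-SHA256 over BU payload, SPI and timestamp, cut to 64 bits."""
    return hmac.new(key, bu_payload + struct.pack("!IQ", spi, ts), hashlib.sha256).digest()[:8]

def build_option(spi, ts, key, bu_payload):
    """MR side (claim 4, step 2). Length counts SPI + Timestamp + AuthData = 20, not Type/Length."""
    body = struct.pack("!IQ", spi, ts) + auth_data(key, bu_payload, spi, ts)
    return struct.pack("!BB", OPT_TYPE, len(body)) + body

def parse_option(opt):
    t, ln = struct.unpack("!BB", opt[:2])
    if t != OPT_TYPE or ln != 20 or len(opt) != 22:
        raise ValueError("malformed NEMO authentication option")
    spi, ts = struct.unpack("!IQ", opt[2:14])
    return spi, ts, opt[14:22]

def ha_process_bu(opt, bu_payload, sa_by_spi, ha_now_ntp, skew=7):
    """HA side (claim 4, steps 3-4). Returns (status, timestamp for the BA, binding created?).
    skew is an assumed tolerance, in seconds, applied to the high 32 (seconds) bits."""
    spi, ts, tag = parse_option(opt)
    key = sa_by_spi.get(spi)
    if key is None:                       # no shared-key SA: discard the BU (and may log it)
        return ("DROP", None, False)
    if not hmac.compare_digest(tag, auth_data(key, bu_payload, spi, ts)):
        return ("NEMO-AUTH-FAIL", None, False)
    if abs((ts >> 32) - (ha_now_ntp >> 32)) <= skew:
        return ("OK", ts, True)           # valid: the whole timestamp is copied into the BA
    # invalid but authenticated: low 32 bits from the BU, high 32 bits from the HA clock; no binding
    ba_ts = ((ha_now_ntp >> 32) << 32) | (ts & 0xFFFFFFFF)
    return ("NEMO-ID-MISMATCH", ba_ts, False)

def mr_process_ba(status, ba_ts, sent_ts):
    """MR side: a BA without NEMO-ID-MISMATCH is processed further only if its timestamp matches the BU."""
    if status == "NEMO-ID-MISMATCH":
        return "ID-MISMATCH"
    return "ACCEPT" if ba_ts == sent_ts else "DISCARD"
```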

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100761154A CN100536471C (en) 2006-04-27 2006-04-27 Method for effective protecting signalling message between mobile route and hometown agent

Publications (2)

Publication Number Publication Date
CN1832484A true CN1832484A (en) 2006-09-13
CN100536471C CN100536471C (en) 2009-09-02

Family

ID=36994481

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006100761154A Active CN100536471C (en) 2006-04-27 2006-04-27 Method for effective protecting signalling message between mobile route and hometown agent

Country Status (1)

Country Link
CN (1) CN100536471C (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399752B (en) * 2007-09-28 2011-07-06 华为技术有限公司 Recognition method, system and device for mobile router
WO2011137819A1 (en) * 2010-07-26 2011-11-10 华为技术有限公司 Time message processing method, apparatus and system
CN102347831A (en) * 2010-07-26 2012-02-08 华为技术有限公司 Time message processing method, device and system
CN102347831B (en) * 2010-07-26 2014-12-03 华为技术有限公司 Time message processing method, device and system

Also Published As

Publication number Publication date
CN100536471C (en) 2009-09-02

Similar Documents

Publication Publication Date Title
JP5745626B2 (en) Method and apparatus for lightweight security solutions for host-based mobility and multihoming protocols
JP5597676B2 (en) Key material exchange
CN101965722B (en) Re-establishment of a security association
JP2009516435A (en) Secure route optimization for mobile networks using multi-key encryption generated addresses
US8611543B2 (en) Method and system for providing a mobile IP key
CN101150572B (en) Binding and update method and device for mobile node and communication end
Deng et al. Defending against redirect attacks in mobile IP
Qiu et al. Secure group mobility support for 6lowpan networks
CN1643947A (en) Method to provide dynamic internet protocol security policy service
EP1847063A2 (en) Context limited shared secret
CN112332901B (en) Heaven and earth integrated mobile access authentication method and device
Praptodiyono et al. Mobile IPv6 vertical handover specifications, threats, and mitigation methods: A survey
Kim et al. MoTH: mobile terminal handover security protocol for HUB switching based on 5G and beyond (5GB) P2MP backhaul environment
CN1980231B (en) Method for renewing fire-retardant wall in mobile IPv6
El Bouabidi et al. Design and analysis of secure host-based mobility protocol for wireless heterogeneous networks
CN1832484A (en) Method for effective protecting signalling message between mobile route and hometown agent
Shah et al. A TOTP-based enhanced route optimization procedure for mobile IPv6 to reduce handover delay and signalling overhead
Jara et al. Mobility modeling and security validation of a mobility management scheme based on ecc for ip-based wireless sensor networks (6lowpan)
Qiu et al. A pmipv6-based secured mobility scheme for 6lowpan
CN101056307A (en) A method for secure registration with the agent mobile IP
Al Hawi et al. Secure framework for the return routability procedure in MIPv6
Jara et al. Secure mobility management scheme for 6lowpan id/locator split architecture
Mufti et al. Design and implementation of a secure mobile IP protocol
Qiu et al. A secure pmipv6-based group mobility scheme for 6l0wpan networks
Xiaorong et al. The research on mobile Ipv6 security features

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160510

Address after: 100044 1606, 16th floor, building 1, yard 59, gaoliangqiaoxie street, Haidian District, Beijing

Patentee after: CHINA HIGH-SPEED RAILWAY TECHNOLOGY CO.,LTD.

Address before: 100044 Beijing Xizhimen Shangyuan Village No. 3

Patentee before: Beijing Jiaotong University

TR01 Transfer of patent right

Effective date of registration: 20211207

Address after: 100083 2-305-18-7, 3 / F, building 2, yard 59, gaoliangqiaoxie street, Haidian District, Beijing

Patentee after: BEIJING DPSHEEN ORBITAL TECHNOLOGY CO.,LTD.

Address before: 100044 1606, 16th floor, building 1, yard 59, gaoliangqiaoxie street, Haidian District, Beijing

Patentee before: CHINA HIGH-SPEED RAILWAY TECHNOLOGY CO.,LTD.

TR01 Transfer of patent right

Effective date of registration: 20240328

Address after: 100044 1606, 16 / F, Zhongkun building, No.59 courtyard, gaoliangqiaoxie street, Haidian District, Beijing

Patentee after: CHINA HIGH-SPEED RAILWAY TECHNOLOGY CO.,LTD.

Country or region after: China

Address before: 100083 2-305-18-7, 3 / F, building 2, yard 59, gaoliangqiaoxie street, Haidian District, Beijing

Patentee before: BEIJING DPSHEEN ORBITAL TECHNOLOGY CO.,LTD.

Country or region before: China

TR01 Transfer of patent right