CN1874343B - Method for creating IPSec safety alliance - Google Patents


Info

Publication number: CN1874343B
Authority: CN (China)
Prior art keywords: security, address, security association, destination address, alliance
Legal status: Expired - Fee Related
Application number: CN2005100749088A
Other languages: Chinese (zh)
Other versions: CN1874343A (en)
Inventors: 王辉, 唐正斌, 徐暕
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN2005100749088A; priority to PCT/CN2006/001186 (WO2006128384A1); publication of CN1874343A; application granted; publication of CN1874343B; current legal status Expired - Fee Related; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The method creates a security association (SA) whose destination address is an unassigned address and allows that address to be refreshed later, so that fewer SAs need to be created when the destination address is undetermined or when several destination addresses are possible.

Description

Method for creating an IPsec security association
Technical field
The present invention relates to a method for creating IPsec security associations in secure network communication, and in particular to a method for creating an IPsec security association when the destination address is undetermined or when there are several candidate destination addresses.
Background
IPsec is a security protocol in wide use in network communication. To apply it, security associations (SAs) must be established for the encryption and decryption of traffic, so that information is transferred securely. As defined by the IPsec protocol, an SA is uniquely identified by the triple of destination address, Security Parameter Index (SPI) and security protocol.
When IPsec is applied to Mobile IP, RFC 3776 specifies that after a mobile node moves to a foreign network, IPsec SAs can be established between the home agent (Home Agent) and the mobile node (Mobile Node): transport mode protects the control messages between the mobile node and the home agent, and tunnel mode protects the control or payload messages between the mobile node and the correspondent node (Correspondent Node). On the home-agent side, for the SA pair created to protect the control messages between the mobile node and the home agent, the destination address of the inbound SA is the home agent address (Home Agent Address) and the destination address of the outbound SA is the mobile node's home address (Home Address).
Under the Mobile IPv6 protocol, a home agent may offer several home agent addresses (Home Agent Address) for mobile nodes to use, and which of them a particular mobile node uses is decided by the mobile node itself.
The current implementation for this situation is to set up one SA pair between the home agent and the mobile node for every combination of home agent address and mobile node home address. For example, if the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3), the mobile node's home address is HomeAddr, IPsec uses the ESP security protocol and the encapsulation mode is transport mode, then three SA pairs must be set up on the home-agent side.
Setting up an SA pair for each combination of home agent address and mobile node home address produces a large number of SAs, which are hard to maintain, especially when they are configured manually.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a simple, flexible and easily maintained method for creating an IPsec SA when the destination address is undetermined or when there are several candidate destination addresses.
The object of the invention is achieved by the following technical solution:
A method for creating an IPsec security association, in which the SA is uniquely identified by the triple of destination address, Security Parameter Index and security protocol, comprising the following steps:
A. Create an SA whose destination address is an unassigned address; when creating the SA, allocate it a unique Security Parameter Index.
B. When the destination address the SA is to use becomes determined, update the unassigned address in the SA with the determined destination address.
In the triple collision detection for the SA created in step A, the unassigned address compares equal to any address.
In the collision detection for the SA created in step A, the unassigned address compares equal to any address within the limited range of values the address may take.
When the SA created in step A, whose destination address is the unassigned address, is used for decryption matching, the destination address is ignored.
The SA created in step A is the inbound SA, with the unassigned destination address, created by a Mobile IPv6 home agent for a secure connection with a mobile node.
The home agent determines the destination address of the inbound SA from the Binding Update (BU) message sent by the mobile node after it moves to a foreign network.
The home agent updates the destination address of the inbound SA with the address information in the received Binding Update (BU) message.
After the mobile node returns to the home network, the home agent sets the destination address of the corresponding inbound SA back to the unassigned address.
As can be seen from the technical solution above, the invention creates an SA whose destination address is an unassigned address and refreshes that address once it can be determined, so that a complete SA is provided at that point; this gives a simple, flexible and easily maintained method for creating an IPsec SA when the destination address is undetermined or when there are several candidate destinations.
By allocating a unique SPI to this SA, or by treating the unassigned address as equal to any address when comparing triples during collision detection (that is, ignoring the destination address and using only the remaining parts of the triple as the index for collision detection), and similar measures, the method also prevents the conflicts that might otherwise arise while the SA is created or refreshed.
The invention applies not only to creating IPsec SAs in Mobile IPv6, but also to creating IPsec SAs in routing protocols such as OSPFv3 (where the destination of a routing message may be any of several multicast or unicast addresses) and in other situations where the destination address is undetermined or multiple.
Brief description of the drawings
Fig. 1 is a flow chart of one way of applying the invention in IPv6.
Detailed description
The core idea of the invention is to create an SA whose destination address is an unassigned address and to refresh that address once it can be determined, so that a complete SA is provided at that point and SAs can be created in a flexible and convenient way.
The invention is further described below with reference to the drawing.
When IPsec is used in IPv6, the home agent may offer several home agent addresses (Home Agent Address) for the mobile node to use, and which of them the mobile node uses is the mobile node's own choice. The invention can be applied in IPv6 with the processing flow shown in Fig. 1.
To prevent SA conflicts, step 11 first allocates a unique Security Parameter Index: the SPI of an inbound SA, or of an SA shared by the inbound and outbound directions, is unique at the local end, meaning that it equals neither any SPI already in existence nor any SPI that will be allocated in future. Allocating a unique SPI is not the only option; other ways of avoiding conflicts may be used. For example, during triple collision detection the unassigned address of the SA created in step A may be treated as comparing equal to any address, i.e. the destination address is ignored and only the remaining parts of the triple are used as the index for collision detection. Alternatively, the unassigned address may be treated as comparing equal only to addresses within the limited range of values it may take, i.e. SAs whose destination lies in that range are treated as potentially conflicting, and collision detection against all other SAs uses the full triple as index.
Once a unique SPI has been obtained, step 12 uses that SPI together with the remaining configuration to create an SA whose destination address is the unassigned address. Table 1 shows the SA pair that the home agent creates for the mobile node. Here the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3) for the mobile node to choose from, the mobile node's home address is HomeAddr, IPsec uses the ESP security protocol and the encapsulation mode is transport mode. The destination address of the inbound SA is the unassigned address 0::0, its unique SPI is SPI-11, and its security protocol is ESP (Encapsulating Security Payload).
Table 1. SA pair created by the home agent for the mobile node in IPv6
An SA whose destination address is the unassigned address can be used as soon as it has been created, i.e. the process enters step 13. When a message is received (step 14), step 15 checks whether the destination address of the SA is determined: if it is, step 16 performs a full triple match when decrypting the message; if the destination address is the unassigned address, step 17 ignores the destination address in the decryption match. Step 18 then checks whether the decryption match succeeded; if not, the process returns to step 13 for error handling or to wait for the next message; if so, the message has been received correctly.
After the message has been received correctly, step 19 checks whether it announces a change of the SA's destination address. If not, the process returns to step 13 for other subsequent processing; if so, step 20 refreshes the destination address of the SA and then returns to step 13. Table 2 shows the state of the SA after the home agent has refreshed it. This refresh is performed by the home agent after the mobile node, having moved to a foreign network, sends a BU (Binding Update) message to the home agent announcing the home agent address it has chosen to use, here HAAddr1.
Table 2. State of the SA after the home agent has refreshed it
The address change detected in step 19 may be from the unassigned address to a determined address (the mobile node leaves the home network), from a determined address back to the unassigned address (the mobile node returns to the home network), or from one determined address to another (the mobile node moves from one foreign network to another). The refresh of the SA destination address in step 20 accordingly covers these different kinds of change.
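As an added example (not code from the patent or from Huawei), the following Python models steps 11 to 20 and claims 2, 3 and 8 on a toy SA database: the unique-SPI rule and the two alternative collision-detection rules for the 0::0 placeholder, the inbound match that ignores the destination while it is unassigned, and the refresh of the destination on a Binding Update, walking through the three kinds of address change just described. The class and function names, the three home agent addresses, the home address and the SPI values are this example's own assumptions.

```python
"""Toy IPsec SA database with an unassigned destination (added example, not Huawei's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv6 = ipaddress.IPv6Address
UNASSIGNED = IPv6("::")      # the patent's "0::0": destination not yet assigned


class CollisionError(Exception): pass   # new SA's (dst, SPI, proto) triple already exists


@dataclass
class SA:
    dst: IPv6          # destination address, UNASSIGNED until it is known
    spi: int           # Security Parameter Index
    proto: str         # "ESP" or "AH"
    direction: str     # "in" or "out"


class SAD:
    """Collision detection that knows about the placeholder destination.
    "unique_spi": step 11, an SPI never equals one allocated before;
    "any":        claim 2, UNASSIGNED compares equal to every address;
    "range":      claim 3, UNASSIGNED compares equal only to candidate_dsts."""

    def __init__(self, policy: str = "unique_spi", candidate_dsts=()):
        self.policy = policy
        self.candidates = frozenset(IPv6(a) for a in candidate_dsts)
        self.sas: list[SA] = []
        self.spis_ever_allocated: set[int] = set()

    def _dst_equal(self, a: IPv6, b: IPv6) -> bool:
        if a == b:
            return True
        if UNASSIGNED in (a, b):
            other = b if a == UNASSIGNED else a
            return self.policy == "any" or (self.policy == "range" and other in self.candidates)
        return False

    def collides(self, new: SA) -> bool:
        if self.policy == "unique_spi":
            return new.spi in self.spis_ever_allocated
        return any(sa.proto == new.proto and sa.spi == new.spi and self._dst_equal(sa.dst, new.dst)
                   for sa in self.sas)

    def add(self, sa: SA) -> None:
        """Step 12: create the SA, refusing any triple collision."""
        if self.collides(sa):
            raise CollisionError(f"SPI {sa.spi:#x}/{sa.proto} collides with an existing SA")
        self.sas.append(sa)
        self.spis_ever_allocated.add(sa.spi)

    def lookup_inbound(self, pkt_dst, spi: int, proto: str) -> Optional[SA]:
        """Steps 14-17: full triple match, or SPI+proto only while dst is unassigned."""
        pkt_dst = IPv6(pkt_dst)
        for sa in self.sas:
            if (sa.direction == "in" and sa.spi == spi and sa.proto == proto
                    and (sa.dst == UNASSIGNED or sa.dst == pkt_dst)):
                return sa
        return None          # step 18 failed: error handling / wait for the next message

    def refresh_dst(self, spi: int, proto: str, new_dst) -> SA:
        """Step 20: rewrite the inbound SA's destination in place."""
        sa = next(s for s in self.sas if s.direction == "in" and s.spi == spi and s.proto == proto)
        sa.dst = IPv6(new_dst)
        return sa


# Constructed scenario (sample addresses): home agent with three home agent addresses,
# one mobile node with home address HOME_ADDR, ESP in transport mode.
HA_ADDRS = {"HAAddr1": "2001:db8:1::1", "HAAddr2": "2001:db8:1::2", "HAAddr3": "2001:db8:1::3"}
HOME_ADDR = "2001:db8:1::100"
SPI_11, SPI_12 = 0x1011, 0x1012     # sample SPIs for the inbound / outbound SA


def home_agent_demo() -> dict:
    """Table 1, table 2 and the three kinds of address change of step 19."""
    sad = SAD(policy="unique_spi")
    sad.add(SA(UNASSIGNED, SPI_11, "ESP", "in"))         # table 1: inbound SA, dst 0::0
    sad.add(SA(IPv6(HOME_ADDR), SPI_12, "ESP", "out"))   # table 1: outbound SA, dst HomeAddr
    t = {}
    # Before any BU, traffic to any of the three HA addresses matches on SPI alone.
    t["matched_any_ha"] = all(sad.lookup_inbound(a, SPI_11, "ESP") is not None
                              for a in HA_ADDRS.values())
    # MN moves to a foreign network; its BU selects HAAddr1 (table 2).
    t["after_bu_ha1"] = str(sad.refresh_dst(SPI_11, "ESP", HA_ADDRS["HAAddr1"]).dst)
    # A packet addressed to HAAddr2 now fails the full triple match.
    t["ha2_matches"] = sad.lookup_inbound(HA_ADDRS["HAAddr2"], SPI_11, "ESP") is not None
    # MN moves to another foreign network and picks HAAddr3, then returns home (claim 8).
    t["after_bu_ha3"] = str(sad.refresh_dst(SPI_11, "ESP", HA_ADDRS["HAAddr3"]).dst)
    t["back_home"] = str(sad.refresh_dst(SPI_11, "ESP", UNASSIGNED).dst)
    # SPI-11 may never be handed out again, even with a concrete destination.
    t["spi_reuse_refused"] = sad.collides(SA(IPv6(HA_ADDRS["HAAddr2"]), SPI_11, "ESP", "in"))
    return t


def collision_policy_demo() -> dict:
    """Claims 2 and 3: what the placeholder collides with under each policy."""
    out = {}
    for policy in ("any", "range"):
        sad = SAD(policy=policy, candidate_dsts=HA_ADDRS.values())
        sad.add(SA(UNASSIGNED, SPI_11, "ESP", "in"))
        out[policy, "candidate"] = sad.collides(SA(IPv6(HA_ADDRS["HAAddr2"]), SPI_11, "ESP", "in"))
        out[policy, "outside_range"] = sad.collides(SA(IPv6("2001:db8:9::9"), SPI_11, "ESP", "in"))
    return out
```

With the placeholder in place, SPI and protocol are the only keys that select the inbound SA, so the SPI-uniqueness rule of step 11 is what keeps the match unambiguous, and the "range" policy of claim 3 only works when the set of addresses the placeholder may later take is known in advance. Note also that RFC 4301, which replaced RFC 2401 in December 2005, lets a unicast inbound SA be selected by SPI alone (optionally together with the protocol), which drops the destination from the lookup in the same way step 17 does.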
The above is only a preferred embodiment of the invention; the scope of protection is not limited to it, and any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention falls within its scope of protection. The scope of protection of the invention is therefore defined by the claims.

Claims (8)

1. A method for creating an IPsec security association, in which the security association is uniquely identified by the triple of destination address, Security Parameter Index and security protocol, characterized in that it comprises the following steps:
A. creating a security association whose destination address is an unassigned address, wherein a unique Security Parameter Index is allocated to the security association when it is created;
B. when the destination address to be used by the security association is determined, updating the unassigned address in the security association with the determined destination address.
2. The method for creating an IPsec security association according to claim 1, characterized in that, in the triple collision detection for the security association created in step A, the unassigned address compares equal to any address.
3. The method for creating an IPsec security association according to claim 1, characterized in that, in the collision detection for the security association created in step A, the unassigned address compares equal to any address within the limited range of values the address may take.
4. The method for creating an IPsec security association according to any one of claims 1 to 3, characterized in that, when the security association created in step A with the unassigned destination address is used for decryption matching, the destination address is ignored.
5. The method for creating an IPsec security association according to claim 4, characterized in that the security association created in step A is the inbound security association, with the unassigned destination address, created by a home agent in Mobile IPv6 for a secure connection with a mobile node.
6. The method for creating an IPsec security association according to claim 5, characterized in that the home agent determines the destination address of the inbound security association from the Binding Update (BU) message sent by the mobile node after it moves to a foreign network.
7. The method for creating an IPsec security association according to claim 5, characterized in that the home agent updates the destination address of the inbound security association with the address information in the received Binding Update (BU) message.
8. The method for creating an IPsec security association according to claim 6, characterized in that, after the mobile node returns to the home network, the home agent sets the destination address of the corresponding inbound security association to the unassigned address.
CN2005100749088A, filed 2005-06-03 (priority date 2005-06-03): Method for creating IPSec safety alliance; granted as CN1874343B (en); status Expired - Fee Related.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2005100749088A CN1874343B (en) 2005-06-03 2005-06-03 Method for creating IPSec safety alliance
PCT/CN2006/001186 WO2006128384A1 (en) 2005-06-03 2006-06-02 A method for creating a ipsec security association

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2005100749088A CN1874343B (en) 2005-06-03 2005-06-03 Method for creating IPSec safety alliance

Publications (2)

Publication Number Publication Date
CN1874343A CN1874343A (en) 2006-12-06
CN1874343B true CN1874343B (en) 2010-04-21

Family

ID=37481239

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2005100749088A Expired - Fee Related CN1874343B (en) 2005-06-03 2005-06-03 Method for creating IPSec safety alliance

Country Status (2)

Country Link
CN (1) CN1874343B (en)
WO (1) WO2006128384A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088438B (en) * 2009-12-03 2013-11-06 中兴通讯股份有限公司 Method for solving address conflict of Internet protocol security (IPSec) Client and IPSec Client
CN102271061B (en) * 2010-06-07 2013-12-25 杭州华三通信技术有限公司 Method and device for determining number of IP security virtual private network tunnels
CN112733175A (en) * 2021-01-22 2021-04-30 浪潮思科网络科技有限公司 Data encryption method and device based on ESP (electronic stability program) protocol
CN115529180B (en) * 2022-09-28 2024-05-31 芯云晟(杭州)电子科技有限公司 IPSec encryption and decryption unloading method

Citations (2)

Publication number Priority date Publication date Assignee Title
CN1406005A (en) * 2001-09-17 2003-03-26 华为技术有限公司 Safety-alliance (SA) generation method for safety communication between nodes of network area
EP1420559A1 (en) * 2002-11-13 2004-05-19 Thomson Licensing S.A. Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
DE60305869T2 (en) * 2003-03-27 2006-10-05 Motorola, Inc., Schaumburg Communication between a private network and a mobile device


Also Published As

Publication number Publication date
WO2006128384A1 (en) 2006-12-07
CN1874343A (en) 2006-12-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100421

Termination date: 20160603