CN1874343B - Method for creating IPSec safety alliance - Google Patents
- Publication number
- CN1874343B (application CN2005100749088A)
- Authority
- CN
- China
- Prior art keywords
- security
- address
- security association
- destination address
- alliance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The method creates a security association (SA) whose destination address is an unassigned address and which can later be refreshed with a concrete address, so as to reduce the number of SAs that must be created when the destination address is undetermined or when several destinations exist.
Description
Technical field
The present invention relates to a method for creating IPsec security associations for secure network communication, and in particular to a method for creating an IPsec security association when the destination address is undetermined or when there are several possible destination addresses.
Background technology
The IPsec protocol is a security protocol widely used in network communication. When it is applied, a security association must be established for the encryption and decryption of the information so that the information is transferred securely. As defined by the IPsec protocol, a security association is uniquely identified by the triple of destination address, Security Parameter Index (SPI) and security protocol.
When IPsec is applied to Mobile IP, RFC 3776 specifies that after a mobile node moves to a foreign network, IPsec can be used to establish security associations between the home agent (Home Agent) and the mobile node (Mobile Node): transport mode protects the control messages between the mobile node and the home agent, and tunnel mode protects the control or payload messages between the mobile node and the correspondent node (Correspondent Node). On the home agent side, for the pair of security associations created to apply IPsec protection to the control messages between the mobile node and the home agent, the destination address of the inbound security association is the home agent address (Home Agent Address) and the destination address of the outbound security association is the mobile node's home address (Home Address).
According to the Mobile IPv6 protocol, the home agent may offer several home agent addresses (Home Agent Address) for the mobile node to use, and which one the mobile node actually uses is decided by the mobile node's own selection.
For this situation the current implementation establishes, between the home agent and the mobile node, one pair of security associations for each distinct home agent address paired with the mobile node's home address. For example, if the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3), the mobile node's home address is HomeAddr, IPsec uses the ESP security protocol and the encapsulation mode is transport mode, then three pairs of security associations must be established on the home agent side.
Establishing a pair of security associations for every combination of a distinct home agent address and the home address, however, results in a large number of security associations, which are particularly hard to maintain when they are configured manually.
Summary of the invention
In view of the above problem in the prior art, the object of the present invention is to provide a method for creating an IPsec security association that is simple, flexible and easy to maintain when the destination address is undetermined or when there are several.
The object of the invention is achieved by the following technical solution:
A method for creating an IPsec security association, in which the security association is uniquely identified by the triple of destination address, Security Parameter Index and security protocol, comprising the steps:
A. creating a security association whose destination address is an unassigned address, wherein a unique Security Parameter Index is allocated to the security association when it is created;
B. when the destination address to be used by the security association becomes known, updating the unassigned address in said security association with the determined destination address information as its destination address.
In the comparison of the triple during collision detection, the security association created in step A treats its unassigned address as equal to any address.
During collision detection, the security association created in step A treats its unassigned address as equal to any address within the limited range of values the address may take.
When the security association created in step A with an unassigned destination address is in use, the destination address is ignored during decryption matching.
The security association created in step A is the inbound security association with an unassigned destination address that a home agent in Mobile IPv6 creates when establishing a secure connection for a mobile node.
Said home agent determines the destination address of the inbound security association from the Binding Update (BU) message that the mobile node sends after moving to a foreign network.
Said home agent updates the destination address of the inbound security association with the address information in the received Binding Update (BU) message.
After the mobile node returns to the home network, said home agent sets the destination address of the corresponding inbound security association back to the unassigned address.
As can be seen from the technical solution provided above, the present invention creates a security association whose destination address is an unassigned address and refreshes that address once it can be determined, so as to provide a more complete security association; it thereby provides a method for creating an IPsec security association that is simple, flexible and easy to maintain when the destination address is undetermined or when there are several.
By allocating a unique Security Parameter Index to this security association, or by treating the unassigned address as equal to any address in the comparison of the triple during collision detection (ignoring the destination address and using only the remaining parts of the triple as the index for collision detection), and by similar measures in the subsequent collision detection of the security association, conflicts that might otherwise arise while the security association is created or refreshed can be prevented.
The present invention is applicable not only to the creation of IPsec security associations in Mobile IPv6, but also to their creation in routing protocols such as OSPFv3 (where the destination address of a routing message may be any of several multicast or unicast addresses) and in other situations where the destination address is undetermined or there are several.
Description of drawings
Fig. 1 is a flowchart of one process used when the present invention is applied in IPv6.
Embodiment
The core idea of the present invention is to create a security association whose destination address is an unassigned address and to refresh that address once it can be determined, so as to provide a more complete security association and thereby a flexible and convenient method for creating security associations.
The present invention is further described below with reference to the accompanying drawing.
When IPsec is used in IPv6, the home agent may offer several home agent addresses (Home Agent Address) for the mobile node to use, and which one the mobile node actually uses is decided by the mobile node's own selection. The application of the present invention in IPv6 may follow the process shown in Fig. 1.
To prevent security association conflicts, step 11 is entered first, in which a unique Security Parameter Index is allocated; that is, the Security Parameter Index of this security association is unique among the local inbound security associations, or among the security associations shared by both directions: it must not be identical to any existing Security Parameter Index, and no Security Parameter Index allocated in the future may be identical to it. Of course, a unique index need not necessarily be allocated here; other methods of avoiding conflicts may be adopted instead. For example, the security association created in step A may treat its unassigned address as equal to any address in the comparison of the triple during collision detection, i.e. the destination address is ignored in the comparison and only the remaining parts of the triple are used as the index for collision detection. Alternatively, the security association created in step A may, during collision detection, treat its unassigned address as equal to any address within the limited range of values the address may take, i.e. apart from the security associations that potentially conflict within the range formed by the possible values of the unassigned address, all other security associations are collision-checked with the full triple as index.
After a unique Security Parameter Index has been obtained, step 12 is entered, in which that Security Parameter Index is used, together with the other configuration, to create a security association whose destination address is an unassigned address. Table 1 shows the pair of security associations that the home agent has created for the mobile node. In this case the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3) for the mobile node to choose from, the mobile node's home address is HomeAddr, IPsec uses the ESP security protocol, and the encapsulation mode is transport mode. The destination address of the inbound security association is the unassigned address 0::0, its unique Security Parameter Index is SPI-11, and its security protocol is ESP (Encapsulating Security Payload).
Table 1: the pair of security associations the home agent creates for the mobile node in IPv6
Once a security association whose destination address is the unassigned address has been created it can be used, i.e. step 13 is entered. When a message is received, i.e. step 14 is executed, step 15 judges whether the destination address is determined; if it is determined, step 16 performs a full triple match when the message is decrypted; if the destination address is the unassigned address, step 17 ignores the destination address during the decryption match. Step 18 then judges whether the decryption match succeeded; if not, step 13 is re-entered for the corresponding error handling or to wait for the next message; if so, the message has been received correctly.
After a message is received correctly, step 19 is entered to judge further whether the received message announces a change of the security association's destination address. If not, step 13 is entered for other subsequent processing; if so, step 20 refreshes the destination address of the security association and then step 13 is entered for other processing. Table 2 shows the state of the home agent's security associations after the refresh. This refresh is performed by the home agent after the mobile node has moved to a foreign network and sent a BU (Binding Update) message to the home agent announcing the home agent address it has selected, HAAddr1 in this case.
Table 2: the state of the home agent's security associations after the refresh
Of course, the address change in step 19 may be from the unassigned address to a determined address (leaving the home network), from a determined address to the unassigned address (returning to the home network), or from one determined address to another (moving from one foreign network to another). Accordingly, the refresh of the security association's destination address in step 20 has correspondingly different variants.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that defined by the claims.
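The Fig. 1 procedure (steps 11 to 20) together with the claim 2 collision rule, as an added Python model that is not the patent's own code: the SADB class, the address strings HAAddr1..3 and HomeAddr, and the SPI values are constructed for this illustration.

```python
from dataclasses import dataclass

UNASSIGNED = "0::0"  # the patent's "not assigned" destination address

@dataclass
class SecurityAssociation:
    dst: str    # destination address
    spi: int    # Security Parameter Index
    proto: str  # security protocol, e.g. "ESP"

class SADB:  # SA database keyed by the (destination, SPI, protocol) triple
    def __init__(self):
        self._sas = {}           # (dst, spi, proto) -> SecurityAssociation
        self._used_spis = set()  # every SPI ever issued; never shrinks

    def _collides(self, sa):
        # Claim 2: an unassigned destination equals any address, so only (SPI, proto) count.
        for other in self._sas.values():
            if other.proto != sa.proto or other.spi != sa.spi:
                continue
            if UNASSIGNED in (sa.dst, other.dst) or other.dst == sa.dst:
                return True
        return False

    def allocate_spi(self):
        # Step 11: an SPI unique against every SPI this database ever issued.
        spi = 256  # values below 256 are reserved by the IPsec RFCs
        while spi in self._used_spis:
            spi += 1
        return spi

    def create(self, dst, proto, spi=None):
        # Step 12: create the SA; dst may be UNASSIGNED. A caller-supplied SPI is still checked.
        spi = self.allocate_spi() if spi is None else spi
        sa = SecurityAssociation(dst, spi, proto)
        if self._collides(sa):
            raise ValueError("SA triple collision")
        self._used_spis.add(spi)
        self._sas[(dst, spi, proto)] = sa
        return sa

    def lookup_inbound(self, dst, spi, proto):
        # Steps 15-17: full triple match first; an SA still unassigned matches with dst ignored.
        return self._sas.get((dst, spi, proto)) or self._sas.get((UNASSIGNED, spi, proto))

    def refresh_destination(self, sa, new_dst):
        # Step 20: re-key under the address the BU announced (or UNASSIGNED on return home, claim 8).
        old_key = (sa.dst, sa.spi, sa.proto)
        del self._sas[old_key]
        sa.dst = new_dst
        if self._collides(sa):
            sa.dst = old_key[0]
            self._sas[old_key] = sa
            raise ValueError("SA triple collision after refresh")
        self._sas[(sa.dst, sa.spi, sa.proto)] = sa

def home_agent_scenario():
    # Walk-through with constructed names: home agent offers HAAddr1..3, home address HomeAddr.
    sadb = SADB()
    inbound = sadb.create(UNASSIGNED, "ESP")  # inbound SA, destination unassigned (table 1)
    sadb.create("HomeAddr", "ESP")            # outbound SA towards the mobile node
    trace = [sadb.lookup_inbound("HAAddr2", inbound.spi, "ESP") is inbound]
    sadb.refresh_destination(inbound, "HAAddr1")  # BU: node selected HAAddr1 (table 2)
    trace.append(sadb.lookup_inbound("HAAddr1", inbound.spi, "ESP") is inbound)
    trace.append(sadb.lookup_inbound("HAAddr3", inbound.spi, "ESP") is None)
    sadb.refresh_destination(inbound, UNASSIGNED)  # node returned home
    trace.append(sadb.lookup_inbound("HAAddr3", inbound.spi, "ESP") is inbound)
    return trace
```

Because `_used_spis` never shrinks, an SPI released by a refresh is never re-issued, which is the "no future SPI may be identical" requirement of step 11.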
Claims (8)
1. A method for creating an IPsec security association, in which the security association is uniquely identified by the triple of destination address, Security Parameter Index and security protocol, characterized in that it comprises the steps:
A. creating a security association whose destination address is an unassigned address, wherein a unique Security Parameter Index is allocated to the security association when it is created;
B. when the destination address to be used by the security association becomes known, updating the unassigned address in said security association with the determined destination address information as its destination address.
2. The method for creating an IPsec security association according to claim 1, characterized in that, in the comparison of the triple during collision detection, the security association created in step A treats its unassigned address as equal to any address.
3. The method for creating an IPsec security association according to claim 1, characterized in that, during collision detection, the security association created in step A treats its unassigned address as equal to any address within the limited range of values the address may take.
4. The method for creating an IPsec security association according to any one of claims 1 to 3, characterized in that, when the security association created in step A with an unassigned destination address is in use, the destination address is ignored during decryption matching.
5. The method for creating an IPsec security association according to claim 4, characterized in that the security association created in step A is the inbound security association with an unassigned destination address that a home agent in Mobile IPv6 creates when establishing a secure connection for a mobile node.
6. The method for creating an IPsec security association according to claim 5, characterized in that said home agent determines the destination address of the inbound security association from the Binding Update (BU) message that the mobile node sends after moving to a foreign network.
7. The method for creating an IPsec security association according to claim 5, characterized in that said home agent updates the destination address of the inbound security association with the address information in the received Binding Update (BU) message.
8. The method for creating an IPsec security association according to claim 6, characterized in that, after the mobile node returns to the home network, said home agent sets the destination address of the corresponding inbound security association to the unassigned address.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2005100749088A CN1874343B (en) | 2005-06-03 | 2005-06-03 | Method for creating IPSec safety alliance |
PCT/CN2006/001186 WO2006128384A1 (en) | 2005-06-03 | 2006-06-02 | A method for creating a ipsec security association |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2005100749088A CN1874343B (en) | 2005-06-03 | 2005-06-03 | Method for creating IPSec safety alliance |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1874343A CN1874343A (en) | 2006-12-06 |
CN1874343B true CN1874343B (en) | 2010-04-21 |
Family
ID=37481239
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2005100749088A Expired - Fee Related CN1874343B (en) | 2005-06-03 | 2005-06-03 | Method for creating IPSec safety alliance |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN1874343B (en) |
WO (1) | WO2006128384A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102088438B (en) * | 2009-12-03 | 2013-11-06 | 中兴通讯股份有限公司 | Method for solving address conflict of Internet protocol security (IPSec) Client and IPSec Client |
CN102271061B (en) * | 2010-06-07 | 2013-12-25 | 杭州华三通信技术有限公司 | Method and device for determining number of IP security virtual private network tunnels |
CN112733175A (en) * | 2021-01-22 | 2021-04-30 | 浪潮思科网络科技有限公司 | Data encryption method and device based on ESP (electronic stability program) protocol |
CN115529180B (en) * | 2022-09-28 | 2024-05-31 | 芯云晟(杭州)电子科技有限公司 | IPSec encryption and decryption unloading method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1406005A (en) * | 2001-09-17 | 2003-03-26 | 华为技术有限公司 | Safety-alliance (SA) generation method for safety communication between nodes of network area |
EP1420559A1 (en) * | 2002-11-13 | 2004-05-19 | Thomson Licensing S.A. | Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE60305869T2 (en) * | 2003-03-27 | 2006-10-05 | Motorola, Inc., Schaumburg | Communication between a private network and a mobile device |
2005
- 2005-06-03 CN CN2005100749088A patent/CN1874343B/en not_active Expired - Fee Related
2006
- 2006-06-02 WO PCT/CN2006/001186 patent/WO2006128384A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2006128384A1 (en) | 2006-12-07 |
CN1874343A (en) | 2006-12-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100421; Termination date: 20160603 |