JP2006050487A - Initial information setting method, initial information setting device, communication device, and initial information setting program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To automate a complicated setting operation required for using a Mobile IP by a user. <P>SOLUTION: A key exchange method used for an exchange of an encryption key is enabled to be used for a distribution of initial setting information of a Mobile IP protocol, and a setting operation by a user is automated. Namely, each Mobile IP communication device is provided with an initial information setting device, acquires the initial setting information from a communication management device managing information concerning Mobile IP communication, and the initial information setting device sets the information for the Mobile IP communication. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a setting method, a setting device, and a setting program for initial information of a communication device that requires setting of initial information before starting communication, and more particularly to a communication device using a key exchange method by ISAKMP.

  By using a protocol called Mobile IP, communication with other communication terminals (Correspondent Node: CN) can be continued even if the mobile terminal (Mobile Node: MN) freely moves in the Internet. However, in order to use the Mobile IP protocol, the mobile terminal (MN) needs, for example, the following setting information as initial information for communication.

・ Home address of mobile terminal (MN) ・ Address of home agent ・ Authenticator (SPI) with home agent, authentication method, and information for general users who use authentication key mobile terminals Is difficult to set and is often misconfigured.

  About Mobile IP, it is detailed in RFC3344 (IP Mobility Support for IPv4) and RFC3775 (Mobility Support in IPv6) of RFC (Request For Comment) issued by IETF (Internet Engineering Task Force).

VPN (Virtual Private Network) is an important technology for putting Mobile IP into practical use. VPN is a technology for establishing communication security and is generally used. ISAKMP (Internet Security Association Key Management Protocol, see Non-Patent Document 1) is specified as one of the protocols for realizing this. This is a protocol for securely exchanging key information necessary for ensuring security with a terminal of a communication partner (referred to as an opposite device). Currently, ISAKMP / IKE and ISAKMP / Oakley are known key exchange protocols that can be used with ISAKMP.
D. Maughan, three others, RFC2408, [online], November 1998, IETF, [searched August 3, 1998], Internet <URL: http://www.ietf.org/rfc/rfc2408 .txt>

  In order to use the Mobile IP protocol, it is necessary to set various details that are difficult for the user to understand.

  The key exchange method using ISAKAMP is a technology for exchanging key information to realize secure encrypted communication between communication terminals, so it is often used in conjunction with the Mobile IP protocol. , It could not be used to obtain the setting information required when using the Mobile IP protocol.

  An object of the present invention is to make it possible to use a key exchange method such as ISAKMP also for distributing setting information of Mobile IP protocol, and to automate complicated setting work required by a user when using Mobile IP.

According to the initial information setting method of the present invention,
A method of setting initial setting information for Mobile IP communication in a communication device that performs Mobile IP communication, and is to be distributed to the communication device in a communication management device that manages information related to Mobile IP communication of the communication device Storing the initial setting information and storing the communication management device using the key exchange procedure when exchanging an encryption key for encrypting communication with another communication device based on a predetermined key exchange procedure; Initial setting information corresponding to a communication apparatus is distributed, and the communication apparatus performs setting for Mobile IP communication based on the distributed initial setting information.

According to the initial information setting device of the present invention,
A device that sets initial setting information for Mobile IP communication for a communication device that performs Mobile IP communication, using a key exchange procedure for exchanging an encryption key that encrypts communication with other communication devices, Initial setting information acquisition means for acquiring the initial setting information to be set in the communication device, and an initial setting for setting information for the communication device to perform Mobile IP communication based on the acquired initial setting information in the communication device There is provided an initial information setting device comprising a setting means.

  In addition, a communication device having the function of the initial information setting device and an initial information setting program for realizing the communication device using a computer are provided.

  With this configuration, it is possible to automate the complicated setting work required by the user when using Mobile IP.

  In the present invention, the ISAKMP key exchange method is also used for distributing the setting information of the Mobile IP protocol, so that the complicated setting work required by the user when using Mobile IP can be automated.

  FIG. 1 illustrates a general module configuration when ISAKMP is applied.

FIG. 1 shows Socket Layer 101, ISAKMP 102, Key Exchange Definition 103, DOI Definition 104, Security Protocol 105, and Application 106.

  The Socket Layer 101 is a communication module provided in an OS (Operating System) on which these application programs run. An application running on this OS exchanges data via a socket provided by the socket layer 101 and communicates with other communication terminals.

  The ISAKMP 102 has a function of exchanging keys for encrypted communication in accordance with RFC2408 issued by the IETF. Prior to the encrypted communication, when the encrypted communication is started from the own apparatus, a negotiation packet is created and transmitted to the opposite device via the Socket Layer 101. Conversely, when a negotiation packet is received from the opposite device, it has a function of exchanging keys according to a key exchange protocol for encrypted communication such as IKE or Oakley. The key exchange protocol to be followed depends on the module indicated by the Key Exchange Definition 103.

  The Key Exchange Definition 103 has a function of exchanging keys with a counterpart device using a predetermined protocol via the ISAKMP 102. The predetermined protocol refers to IKE, Oakley, etc. described above. The information exchanged here is sent to the DOI Definition 104.

  The DOI Definition 104 has a function of translating the negotiation packet received by the Key Exchange Definition 103 for a predetermined encrypted communication. Normally, it is prepared for each encrypted communication to be implemented. Information such as an encryption algorithm and an encryption key obtained as a result of the translation is used for controlling the Security Protocol 105 via the ISAKMP 102.

  The Security Protocol 105 is a module incorporated in an IP layer located in a lower layer of the Socket Layer 101, and receives encrypted information such as an encryption key for encrypted communication from the ISAKMP 102 and realizes encrypted communication with the opposite device. . When a general-purpose application such as Application 106 communicates with the opposite device, the data received via the Socket Layer 101 is encrypted, and when an encrypted packet is received from the opposite device, it is decrypted and finally general-purpose Pass it to the application.

  Application 106 is a general-purpose application that runs on its own device. Since the security protocol 105 automatically encrypts / decrypts encrypted communication with the opposite device, the application 106, which is a general-purpose application, does not need to consider whether the communication with the opposite device is encrypted. .

  As described above, the ISAKMP 102 that has received the negotiation packet from the opposite device via the Socket Layer 101 executes key exchange with the opposite device according to the key exchange method defined by the Key Exchange Definition 103. The negotiation packet is translated for encrypted communication according to the DOI Definition 104, and the security protocol 105 is controlled based on the encryption key obtained as a result of the translation to encrypt the communication between the own device and the opposite device.

  In addition, the key exchange for encrypted communication by ISAKMP defined in RFC2408 does not stipulate a key exchange method using a negotiation packet and what kind of encrypted communication is to be implemented. That is, by appropriately implementing the Key Exchange Definition 103, the DOI Definition 104, and the Security Protocol 105 that control the exchange method and encryption, it can be applied to various encrypted communications.

  FIG. 2 explains a specific example of the module configuration defined in ISAKMP shown in FIG. Key Exchange Definition 103, DOI Definition 104, and Security Protocol 105 in FIG. 1 are IKE 201, IPSec DOI 202, and IPSec 203, respectively. In the specific example shown in FIG. 2, key exchange is performed using IKE (Internet Key Exchange) defined in RFC2409 issued by IETF. The encrypted communication after the key exchange is encrypted by the IPSec 203 using an encryption key or the like obtained as a result of translation based on the IPSec DOI defined in RFC2407 issued by IETF.

  FIG. 3 shows an example of a key exchange flow by ISAKMP / IKE. In the figure, an initiator 301 is a side that transmits a negotiation packet, and a responder 302 is a side that receives the negotiation packet. When the mobile terminal (MN) connects to the corporate network using VPN from the Internet, a combination of an initiator 301 for the mobile terminal (MN) and a VPN gateway connected to the corporate network for the Responder 302 can be considered. In this example, since the mobile terminal performs encrypted communication with the VPN gateway installed in the corporate network, it can communicate securely even when using the Internet that can be used by unspecified persons. .

  The key exchange process, such as the exchange of negotiation packets, is described in detail in RFC 2409, and will not be detailed here.

  FIG. 4 shows an example of a negotiation packet defined in RFC2407 for exchanging IPSec keys using ISAKMP / IKE. Each has formats called SA, Proposal #, and Transform #. A field called Domain of Interpretation (DOI) is defined in SA, and ISAKMP 102 passes the received negotiation packet from the modules implemented as DOI Definition 104 to the DOI Definition module assigned to this value. In the example of FIG. 4, since DOI = 1, it is passed to IPSec DOI 202, which is a DOI for IPSec. At present, the RFC issued by the IETF only specifies DOI = 1 (IPSec DOI).

  FIG. 5 shows a conventional module configuration when Mobile IP is mounted on its own device.

Conventionally, when implementing Mobile IP, MIP Controller 501 that manages setting information necessary for communication via a home agent based on the Mobile IP protocol and exchanges information such as authentication by communicating with the home agent is required. is there. In addition, a Mobile IP driver such as Mobile IP 502 that receives Mobile IP in the IP layer provided in the OS upon receiving an instruction from a control module such as MIP Controller 501 is required. However, RFC3344 and RFC3775, which define Mobile IP, do not mention a method for automatically setting information such as a home address necessary for Mobile IP communication. For example, MIP Controller 501 has an interface such as a GUI or a configuration file. The user needs to set it. In this case, the user is forced to input miscellaneous and difficult-to-understand information such as the home address, home agent address or authenticator, authentication method, and authentication key.

  Even in this case, once the information necessary for Mobile IP communication is set, Mobile IP 502 automatically performs operations such as transfer to the home agent, so Application 106 can communicate with the communication partner using Mobile IP communication. There is no need to consider whether or not there is.

(First embodiment)
FIG. 6 shows an example of a module configuration for initial information setting according to the first embodiment of the present invention. In FIG. 6, a module configuration as an example of ISAKMP / IKE shown in FIG. 2, a conventional Mobile IP module configuration shown in FIG. 5, and a new Mobile IP DOI 601 are added. Since the initial information setting module configuration in the present embodiment is the same as the function of each module shown in FIGS. 2 and 5, the configuration and operation different from those will be mainly described.

  The Mobile IP DOI 601 is a module configured in accordance with the DOI Definition regulations, similar to the IPSec DOI 202. However, while the IPSec DOI 202 is configured in accordance with the IPSec DOI defined in RFC2407, the Mobile IP DOI 601 has a function of translating a negotiation packet with a counterpart device for Mobile IP. Specifically, the negotiation packet is translated, and the mobile terminal (MN) home address, the home agent address, the authenticator (SPI) between the home agent and the authentication method, which are the information necessary for setting Mobile IP communication Then, information such as an authentication key is extracted, or a negotiation packet including such information is created. The above setting information is merely an example, and various information necessary for setting Mobile IP communication may be included.

  Regarding the implementation of Mobile IP DOI 601, there is no clear implementation method since the RFC by IETF has not been issued at present.

  The ISAKMP 102 determines whether to pass the received negotiation packet to the IPSec DOI 202 used for translation of the negotiation packet for encrypted communication or to the Mobile IP DOI 601 for Mobile IP. Judge according to the value of Interpretation (DOI).

  As described above, the MIP Controller 501 has conventionally had to have an interface such as a GUI or a setting file. In this embodiment, these values are received by receiving various setting information extracted by the Mobile IP DOI 601. Automate the settings. By configuring in this way, it is not necessary to set Mobile IP-related information by the user himself, and thus it is possible to automate complicated setting work by the user necessary when using Mobile IP.

  In the figure, IPSec DOI 202 and IPSec 203 are represented by broken lines. However, this is not an essential module in this embodiment, but is described because it is often mounted together. In this embodiment, an example using IPSec is shown, but when other encrypted communication is applied, the module portion may be replaced. In the present embodiment, a key exchange method other than IKE can be used. In this case, IKE 201 can be replaced as appropriate.

  FIG. 7 is an example of a block diagram of the initial information setting device in the present embodiment. FIG. 7 shows an initial information setting device 701, a negotiation packet processing unit 702, a Mobile IP initialization data negotiation unit 703, a Mobile IP translation unit 704, and a Mobile IP management unit 705.

  The initial information setting device 701 is installed in a mobile terminal (MN) that performs Mobile IP communication or an opposite device such as a VPN gateway, and automatically acquires or provides information necessary for Mobile IP communication. It has a function to automate various settings required for Needless to say, the initial information setting device 701 can be configured as a mobile terminal having this function or its opposite device without being separately configured.

  The negotiation packet processing unit 702 has a function of receiving a negotiation packet obtained from the Socket Layer 101 or generating a negotiation packet.

  The Mobile IP initialization data negotiation unit 703 has a function corresponding to the ISAKMP 102. In accordance with the operation defined in RFC2408, reception of the negotiation packet, delivery to the DOI Definition module based on the DOI field value of the received negotiation packet, and the like are performed.

  The Mobile IP translation unit 704 corresponds to the Mobile IP DOI 601. In cooperation with the Mobile IP initialization data negotiation unit 703, the mobile IP has a function of translating the received Mobile IP negotiation packet and extracting setting information. Alternatively, when the own device is a device opposite to the mobile terminal such as a VPN gateway, information including information to be set in the mobile terminal necessary for Mobile IP communication is acquired and an instruction to create a negotiation packet including the information is given. Since the information to be set in the mobile terminal is known from which mobile terminal when the negotiation packet is received, various setting information to be pre-assigned to the mobile terminal is searched from a database (not shown). It is possible to obtain. The method of acquiring information to be allocated to the mobile terminal is not limited to the above method, and any method may be used as long as each mobile terminal that has transmitted the negotiation packet is set to be identifiable during Mobile IP communication. Absent.

  The Mobile IP management unit 705 corresponds to the MIP Controller 501, manages setting information necessary for Mobile IP communication, and has a function of realizing communication based on the Mobile IP protocol defined in RFC3344 or RFC3775 in cooperation with Mobile IP502. . Specifically, based on various setting information obtained through the initialization data negotiation unit 703 for Mobile IP, settings necessary for Mobile IP communication in the own apparatus are performed. Alternatively, there may be a case where necessary processing such as authentication is performed by directly communicating with the opposing home agent or the like via the Socket Layer 101.

  FIG. 8 shows an example of a Mobile IP negotiation packet handled by the initial information setting apparatus according to this embodiment. Basically, it is the same as the ISAKMP / IKE negotiation packet shown in FIG. 4, but in FIG. 8, the DOI field value in the SA is set to a value other than 1. As a result, Proposal # and Transform # can also be used with different interpretations for Mobile IP. By changing the interpretation for Mobile IP in this way, it becomes possible to include various setting information necessary for Mobile IP communication, and thus it is possible to pass these values in the same way as using the conventional key exchange method. . Since the negotiation packet shown in FIG. 8 is DOI = 2, it is transferred to the Mobile IP translation unit 704 corresponding to Mobile IP DOI 601 by the Mobile IP initialization data negotiation unit 703 corresponding to ISAKMP 102 and negotiated for Mobile IP. Interpreted as a packet and translated.

  In this embodiment, DOI = 2 is adopted in the meaning of Mobile IP. However, since the standard value for Mobile IP has not been determined at present, an unassigned value is appropriately set. It may be used.

  By configuring in this way, it is possible to automate complicated setting work required by the user when using Mobile IP.

  In addition, it is possible to configure the module related to ISAKMP based on the above setting method and the operation of the initial information setting device as a program for executing on a computer. Even in this case, the same effect as in this embodiment can be obtained. be able to.

(Second Embodiment)
FIG. 9 shows an example of a system configuration diagram of the initial information setting method in the present embodiment.

FIG. 9 shows a Client 901 corresponding to a mobile terminal that performs Mobile IP communication, a Kerberos Authentication Server 902 that distributes an authentication for encrypted communication and an encryption key for encrypted communication,
In addition, Application Server 903 serving as a counterpart device during Mobile IP communication is shown.

  Kerberos authentication is used between the Client 901 and the Kerberos Authentication Server 902. Kerberos authentication here is a user authentication method based on the assumption that it will be used on the network developed by the Massachusetts Institute of Technology (MIT) Athena project. In this embodiment, an authentication key for key exchange and an encryption key for encrypted communication are replaced with Kerberos authentication.

  The client 901 first requests Kerberos authentication from the Kerberos Authentication Server 902. If the request is accepted, the Kerberos Authentication Server 902 provides setting information necessary for Mobile IP communication of the Client 901. The setting information here is initialization data required when starting Mobile IP communication such as an authentication algorithm and authentication key for Mobile IP, a home address to be assigned to Client 901, and an address of a home agent.

  Alternatively, when Kerberos authentication is used, since the key distribution server can be arranged separately, an encryption key is requested from Application Server 903, and setting information necessary for Mobile IP communication is received from Application Server 903 when the key is provided. It can also be done.

  By configuring in this way, it is possible to automate complicated setting work required by the user when using Mobile IP.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a figure which shows the general module structure at the time of applying ISAKMP. It is a figure which shows the general module structure of ISAKMP / IKE. It is a figure which shows an example of the general key exchange flow of ISAKMP / IKE. It is a figure which shows an example of the negotiation packet for IPSec. It is a figure which shows the general module structure at the time of applying Mobile IP. It is a figure which shows an example of the module structure for the initial information setting concerning 1st Embodiment. It is a figure which shows an example of the block diagram of the initial stage information setting apparatus concerning 1st Embodiment. It is a figure which shows an example of the negotiation packet for Mobile IP concerning 1st Embodiment. It is a figure which shows an example of the initial stage information setting system concerning 2nd Embodiment.

Explanation of symbols

101: Socket Layer
102: ISAKMP module 103; Key Exchange Definition module 104: DOI Definition module 105: Security Protocol module 106: Application
201: IKE module 202: IPSec DOI module 203: IPSec driver 501: MIP Controller module 502: Mobile IP driver 601: Mobile IP DOI module 701: Initial information setting device 702: Negotiation packet processing unit 703: Initialization negotiation for Mobile IP Unit 704: Mobile IP translation unit 705: Mobile IP management unit 901: Client
902: Kerberos Authentication Server
903: Application Server

Claims (20)

A method for setting initial setting information for Mobile IP communication in a communication device that performs Mobile IP communication,
In the communication management device that manages information related to Mobile IP communication of the communication device, the initial setting information to be distributed to the communication device is stored,
Initial setting information corresponding to the communication device stored in the communication management device using the key exchange procedure when an encryption key for encrypting communication with another communication device is exchanged based on a predetermined key exchange procedure Distribute
An initial information setting method, wherein the communication device performs settings for Mobile IP communication based on distributed initial setting information.   The initial information setting method according to claim 1, wherein the key exchange procedure is based on a procedure defined as ISAKMP.   In the key exchange procedure, when a negotiation packet defined in ISAKMP is received, it is determined based on a value of a DOI field of the packet that the negotiation packet is a packet including the initial setting information. The initial information setting method according to claim 2.   When setting for the Mobile IP communication, if it is determined in the determination that the packet is a negotiation packet including the initial setting information, initial setting information included in the packet is translated for Mobile IP setting. The initial information setting method according to claim 3, wherein the initial information setting method is characterized in that:   The initial information setting method according to claim 1, wherein the key exchange procedure is based on a procedure defined as Kerberos. A device that sets initial setting information for Mobile IP communication to a communication device that performs Mobile IP communication.
Initial setting information acquisition means for acquiring the initial setting information to be set in the communication device using a key exchange procedure for exchanging an encryption key for encrypting communication with another communication device;
An initial information setting device comprising: initial setting means for setting information for the communication device to perform Mobile IP communication in the communication device based on the acquired initial setting information.   7. The initial information setting apparatus according to claim 6, wherein the initial setting information acquisition unit acquires initial setting information based on a procedure defined in ISAKMP as the key exchange procedure.   The initial setting information acquisition means, when receiving a negotiation packet defined in ISAKMP, a determination means for determining that the negotiation packet is a packet including the initial setting information based on a value of a DOI field of the packet The initial information setting device according to claim 7, further comprising:   The said initial setting information acquisition means is further provided with the translation means which translates the initial setting information contained in the packet determined to contain initial setting information by the said determination means for Mobile IP setting. The initial information setting device described.   7. The initial information setting apparatus according to claim 6, wherein the initial setting information acquisition unit acquires initial setting information based on a procedure defined in Kerberos as the key exchange procedure. A communication device for performing Mobile IP communication,
Initial setting information acquisition means for acquiring the initial setting information to be set for performing Mobile IP communication using a key exchange procedure for exchanging an encryption key for encrypting communication with another communication device;
An initial setting means for setting the communication device based on the acquired initial setting information.   12. The communication apparatus according to claim 11, wherein the initial setting information acquisition unit acquires initial setting information based on a procedure defined in ISAKMP as the key exchange procedure.   The initial setting information acquisition means, when receiving a negotiation packet defined in ISAKMP, a determination means for determining that the negotiation packet is a packet including the initial setting information based on a value of a DOI field of the packet The communication apparatus according to claim 12, further comprising:   The said initial setting information acquisition means is further provided with the translation means which translates the initial setting information contained in the packet determined to contain initial setting information by the said determination means for Mobile IP setting. The communication device described.   12. The communication apparatus according to claim 11, wherein the initial setting information acquisition unit acquires initial setting information based on a procedure defined in Kerberos as the key exchange procedure. This is a computer-executable program that sets initial setting information for Mobile IP communication for communication devices that perform Mobile IP communication.
Using the key exchange procedure for exchanging an encryption key for encrypting communication with another communication device, obtaining the initial setting information to be set in the communication device;
An initial information setting program, comprising: a step of setting information for the communication device to perform Mobile IP communication in the communication device based on the acquired initial setting information.   The initial information setting program according to claim 16, wherein initial setting information is acquired based on a procedure defined in ISAKMP as the key exchange procedure.   The method further comprising: when receiving a negotiation packet defined in ISAKMP, determining based on a value of a DOI field of the packet that the negotiation packet is a packet including the initial setting information. Item 18. An initial information setting program according to Item 17.   19. The initial information setting program according to claim 18, further comprising a step of translating the initial setting information included in the packet determined to include the initial setting information for Mobile IP setting. The initial information setting program according to claim 16, wherein initial setting information is acquired based on a procedure defined in Kerberos as the key exchange procedure.

Images