JP2006203764A - Mobile communication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a mobile communication system where it is possible to access an HA (home agent) which an original contracted business company has even when an MN (mobile node) moves to a business company except for the contracted business company, by enabling the MN to obtain a closest MAP (mobile anchor point) address to set a pre-share key to a MAP safely. <P>SOLUTION: The system is provided with an SLP-DA (service location protocol-directory agent) for managing a pre-share key information for IKE (Internet key exchange) corresponding to the MN, and unitarily managing address information of the MAP under control of one or a plurality of HAs. When the MN moves from a network under control of one HA to a network under control of another HA; the SLP-DA registers a pre-share key for IKE corresponding to a key index to the closest MAP, and delivers the address information of the closest MAP and key index information to a UA (user agent) of the MN. When the SLP-DA registers the pre-share key for IKE in the closest MAP, IPsec is applied. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

The present invention is based on MAP (Mobile Anchor) layered with HA (Home Agent).
It is used for IPv6 networks with multiple (Point). The present invention relates to a communication system including a MN, an IPv6 network to which the MN is connected, and a communication partner that is connected to the IPv6 network and exchanges communication data with the MN. Protocol (IKE: Internet) that can automatically generate and exchange private keys for encryption and authentication
It relates to a security information management system using Key Exchange.

In an IPv6 network having a plurality of MAPs layered with the HA, when the MAP is constructed under the HA, the MN (Mobile Node) obtains the MAP address as a method of obtaining the IETF (The Internet Engineering Task
In the (Force) draft, a MAP address point is attached to an RA (Router Advertisement) from an AR (Access Router).

  When the pre-shared key method is adopted as the authentication method in the IKE Phase 1 between the MN and the MAP, the MN's pre-shared key is set in the MAP, and the MAP authenticates the MN using the pre-shared key.

If the MAP is located in various business companies, based on the roaming contract of each contractor, if the MN moves to a non-contracted business company, the business company passes through the MAP of the business company that has the roaming contract. Access to HA.
JP 2003-51841 A Japanese Patent Laid-Open No. 2003-179592 Japanese Patent Laid-Open No. 2003-318956

  When a MAP is established under the control of the HA, as a method for the MN to acquire the MAP address, the IETF draft is to attach the MAP address point to the RA from the AR. The MAP address acquisition procedure is not implemented and the MAP address cannot be acquired.

  When the pre-shared key method is adopted as the authentication method in IKE Phase 1 between the MN and the MAP, there is no method for setting the MN pre-shared key in the MAP safely. Although it is theoretically possible to distribute all MAP keys on the network to the MN at the time of contract, it is possible to have the MAP have all the keys of the MN that may move to the MAP. It is difficult and difficult to implement because it is forced to install excess equipment.

  When MAP is deployed in various business companies, there is no established method for restricting usage based on roaming contracts for each contractor. The HA of the original contracting business company cannot be accessed via the MAP of the business company with the roaming contract.

  The present invention has been made in such a background. The MN can acquire the latest MAP address, can securely set a pre-shared key in the MAP, An object of the present invention is to provide a mobile communication system that enables access to the HA of the original contract business company even when the mobile phone moves.

The present invention centrally manages MAP information installed by a single business company or a plurality of business companies including roaming as a MAP table as a DB (Data Base) under SLP / DA (Service Location Protocol / Directory Agent), MN UA (User
Agent) sends a MAP address acquisition request to the SLP / DA, and the SLP / DA checks the roaming contract information to determine whether the roaming contracted operating company is transferred to the roaming contracted operating company. If it is a movement, the nearest MAP address is assigned based on the MN's existing Prefix information in SLP / DA. When a plurality of MAPs are arranged in the immediate vicinity of the existing Prefix, the MAP assigned by round robin is changed.

  Also, a plurality of MN IKE pre-shared keys used between the MN and the MAP at the time of MN distribution are assigned, IDs are assigned to the respective keys, and key-index information is held between the MN and the SLP / DA. By exchanging the key-index information between the MN and the SLP / DA, the actual shared key is not understood even if seen by a third party, and the KDC is between the SLP / DA and the MAP. Using the signature function based on IPsec by (Key Distribute Control), the pre-shared key of the MN is registered in the MAP so that the pre-shared key of the MN cannot be seen by a third party.

  As a result, the acquisition of the MAP address, the secure distribution of the pre-shared key to the MAP, and the access to the HA of the original contracted business company via the destination MAP when moving to the network of the business company contracted for roaming Can be made possible.

  That is, the first aspect of the present invention is the MN, the IPv6 network to which the MN is connected, the HA connected to the IPv6 network and exchanging communication data with the MN, and the MN under the HA. It is a mobile communication system provided with MAP connected directly.

  Here, a feature of the present invention is that the MN is assigned a plurality of IKE pre-shared keys for the MAP to authenticate the MN, and each of the plurality of IKE pre-shared keys includes Means for managing pre-shared key information for IKE assigned to the MN corresponding to the MN, and managing address information of one or a plurality of MAPs under the HA, with a key index value assigned When the MN moves from a network managed by one HA to a network managed by another HA, the UA of the MN sends an address of a new MAP nearest to itself to the managing means. Means for requesting the key index information of the IKE pre-shared key necessary for the MAP to authenticate itself, and the managing means comprises: Based on the location information of the MN, the MAP address nearest to the MN and the key index indicating the IKE pre-shared key necessary for the MAP to authenticate the MN are determined based on the request of the MN And registering the IKE pre-shared key corresponding to the determined key index with the nearest MAP, and distributing the address information of the nearest MAP and the key index information to the UA of the MN. It is in place.

  When the managing means registers the pre-shared key for IKE in the nearest MAP, it is desirable to include means for applying IPsec.

  The second aspect of the present invention is SLP / DA. The feature of the present invention is that the MN, the IPv6 network to which the MN is connected, and the IPv6 network are connected to and communicate with the MN. A HA that exchanges data and a MAP that is directly connected to the MN under the HA, and a plurality of IKE pre-shared keys for the MAP to authenticate the MN are allocated to the MN. The IKE pre-shared key is applied to a mobile communication system to which a key index value is assigned, and manages IKE pre-shared key information assigned to the MN corresponding to the MN. Means for centrally managing the address information of MAPs under one or a plurality of HAs, and the UA of the MN is a network managed by the MN. When moving to a network under the control of another HA, the key of the IKE pre-shared key that is necessary for the MAP to authenticate itself to the managing means and the address of the new MAP nearest to the self. In response to the request, the managing means requests the index information, and based on the location information of the MN, the address of the MAP nearest to the MN and the MAP required for the MAP to authenticate the MN The key index indicating the pre-shared key for IKE is determined, the pre-shared key for IKE corresponding to the determined key index is registered in the nearest MAP, and the nearest MAP is registered in the UA of the MN Means for distributing the address information and the key index information.

  When the managing means registers the pre-shared key for IKE in the nearest MAP, it is desirable to include means for applying IPsec.

  A third aspect of the present invention is a program, and the feature of the present invention is that, when installed in the information processing apparatus, the information processing apparatus is connected to the MN and the IPv6 network to which the MN is connected. , Which is connected to the IPv6 network and exchanges communication data with the MN, and a MAP directly connected to the MN under the HA, the MN authenticating the MN to the MN A plurality of pre-shared keys for IKE are allocated, and the pre-shared key information for IKE allocated to the MN is applied to the mobile communication system to which each of the plurality of pre-shared keys for IKE is assigned a key index value. And a function for centrally managing address information of one or a plurality of MAPs under HA, When a MN moves from a network managed by one HA to a network managed by another HA, the UA authenticates itself to the function managed by the new MAP address closest to the MN. Requesting the key index information of the IKE pre-shared key that is necessary for the management, and the function to manage is based on the location information of the MN in response to the request, and the address of the MAP nearest to the MN And the key index indicating the IKE pre-shared key necessary for the MAP to authenticate the MN, and the IKE pre-shared key corresponding to the determined key index is determined as the latest IKE pre-shared key. A function of registering with the MAP and distributing the address information of the latest MAP and the key index information to the UA of the MN There is to for realizing functions corresponding to SLP · DA with.

  When the function to be managed registers the pre-shared key for IKE in the nearest MAP, it is desirable to realize a function to apply IPsec.

  By recording the program of the present invention on a recording medium, the information processing apparatus can install the program of the present invention using the recording medium. Alternatively, the program of the present invention can be directly installed in the information processing apparatus via a network from a server holding the program of the present invention.

  Thereby, using a general-purpose information processing device, the MN can acquire the latest MAP address, can safely set a pre-shared key in the MAP, and even when the MN moves to other than the contracting business company It is possible to realize SLP / DA applied to a mobile communication system that enables access to the HA of the original contracting company.

According to the present invention,
1. When the MAP is constructed under the HA, the MN can obtain the latest MAP address by making an inquiry to the SLP / DA.
2. When the pre-shared key method is adopted as the authentication method in IKE Phase 1 between the MN and the MAP, the SLP / DA securely sets the pre-shared key of the MN to the MAP by applying IPsec between the MN and the key distribution to each other. can do.
3. Even when MAP is deployed in various business companies, the usage restrictions based on roaming contracts for each contractor can be controlled by ACL (Access Control) information using SLP / DA. Even when the user moves, the HA of the original contract business company can be accessed via the MAP of the business company contracted for roaming.

  Embodiments of the present invention will be described with reference to FIGS. FIG. 1 is a block diagram of the SLP / DA of this embodiment. FIG. 2 is a block diagram of the MN's UA (denoted as MN / UA in the figure). FIG. 3 is a diagram showing IKE pre-shared keys and corresponding key indexes.

  In this embodiment, as shown in FIG. 6 or FIG. 7, the MN, the IPv6 network to which the MN is connected, the HA connected to the IPv6 network and exchanging communication data with the MN, and the subordinates of the HA And a MAP directly connected to the MN.

  Here, as a feature of this embodiment, as shown in FIG. 3, the MN is assigned a plurality of IKE pre-shared keys for the MAP to authenticate the MN. Each pre-shared key is assigned a key index value, manages pre-shared key information for IKE assigned to the MN, corresponding to the MN, and addresses of one or more MAPs under the HA As shown in FIG. 2, when the MN moves from a network under the jurisdiction of one HA to a network under the jurisdiction of another HA, as shown in FIG. For the SLP / DA, the new MAP address closest to itself and the key index of the pre-shared key for IKE that this MAP needs to authenticate itself As shown in FIG. 1, the SLP / DA receives the nearest MAP address and the address of the nearest MAP to the MN based on the location information of the MN in response to the request. The MAP address determination unit 1 and the key index determination unit 2 respectively determine the key index indicating the IKE pre-shared key necessary for the MAP to authenticate the MN. The IKE pre-shared key corresponding to the index is registered in the nearest MAP by the IKE pre-shared key information registration unit 3, and the MAP address and key / index information distribution unit 4 stores the nearest MAP in the MN's UA. The address information and the key index information are distributed.

  Note that the IKE pre-shared key information registration unit 3 of the SLP • DA applies IPsec when registering the IKE pre-shared key to the nearest MAP.

  FIG. 8 is a diagram showing tables that are accessed by the SLP / DA. As shown in FIG. 8, the SLP / DA accesses the MN table, the carrier table, and the MAP table. The MN table includes a contract ID, a HoA (Home Address), an ACL for roaming control, a MAP address registered last, and a key list. The ACL for HoA and roaming control indicates contract information, and the last registered MAP address indicates the status. The carrier table includes a carrier ID and a remote DB ID. The MAP table includes a prefix, a prefix length, and a MAP address.

  FIG. 9 is a diagram showing tables held by the UA of the MN. As shown in FIG. 2, the UA of the MN has a contract information table 6 and an address table 7. As shown in FIG. 9, the contract information table 6 includes a contract ID, HoA, carrier ID, last registered MAP address, and key list. HoA and carrier ID indicate contract information, and the last registered MAP address indicates a state. The address table 7 includes a prefix, a prefix length, an LCoA (Local Care of Address), and the obtained MAP address.

FIG. 10 shows an application programming API (Application Programming).
FIG. As shown in FIG. 10, the SLP / DA queries the carrier table for the contract ID KEY, obtains the carrier ID and the remote DB name, then queries the MN table for the contract ID KEY, and acquires ACL information and key information ( PSK, Key-Index).

  Also, the MAP table is inquired of KEY for LCoA, and the MAP address is acquired. The carrier table and the MAP table exist on the common network side, and the MN table exists on the carrier side network.

  Note that a carrier table, a MAP table, and an MN table exist in one network when operating on a single carrier.

  The present invention can be implemented as a program that, when installed in a general-purpose information processing apparatus, causes the information processing apparatus to realize functions corresponding to the SLP / DA of the present invention. This program is recorded on a recording medium and installed in the information processing apparatus, or installed in the information processing apparatus via a communication line, whereby the MAP address determination unit 1 and the key / index determination unit 2 are installed in the information processing apparatus. The IKE pre-shared key information registration unit 3, the MAP address and key / index information distribution unit 4 can realize corresponding functions.

  Hereinafter, this embodiment will be described in more detail.

  FIG. 6 is a schematic diagram of processing when a MAP is provided in network operation by a single business company. As shown in FIG. 6, when a MAP is provided by a single business company, an SLP / DA that can access the MN table and the MAP table as a DB is provided in the network provided by the business company, and is used by the SLP / DA. Data (MAP access, pre-shared key, key-index, etc.) is managed by Data Base technology. At this time, the SLP / DA node and the node having the DB are made different to make the SLP / DA redundant.

  FIG. 7 is a schematic diagram when MAP is provided in network operation by a plurality of business companies including routing. In the case of multiple business companies including routing, the MN table (contractor information) is maintained and updated by each registered business company, and the SLP / DA that connects information using DB technology is used as a single DB, and remote DB location management Prepare a carrier table for The SLP / DA is provided as a common center on the network of the representative managing company or a common network, and the MAP table and the carrier table are arranged in the common center. At this time, SLP / DA redundancy is performed by making the SLP / DA node different from the node having the DB.

  Next, a processing flow when the UA of the MN belonging to the business company A moves to the network of the business company B will be described with reference to FIG. FIG. 4 is a sequence diagram showing a procedure for inquiring about the location of the MAP.

  The UA of the MN that has moved from the network of the business company A to the network of the business company B receives the RA ((1) in FIG. 4), attaches the LCoA generated from the RA and the contract ID, and sends the MAP address to the SLP / DA. A shared key information (index value) request indicating the IKE pre-shared key at the time of MAP access is made ((2) in FIG. 4). In order to prevent different MAP assignments from being made to the MN's UA when a re-MAP address is requested from the MN's UA within the same MAP Domain, the MN's UA uses the currently used MAP address when making an inquiry to the SLP / DA. Is included in the request.

  Upon receiving the request, the SLP / DA searches the DB with the contract ID and LCoA using the DB technology ((3) in FIG. 4), and carries the carrier ID, remote DB name, ACL information, MAP address, shared key information (Pre- (Shared Key, Key-index) is obtained ((4) in FIG. 4).

  When operating in a single business company as shown in FIG. 6, the SLP DA that receives the request ((1) in FIG. 6) searches the MN table by contract ID using DB technology ((( 2)), shared key information (Pre-Shared Key, Key-index) and ALC information are acquired ((3) in FIG. 6). Further, the MAP table is searched with LCoA ((2) in FIG. 6), and the MAP address is acquired ((3) in FIG. 6).

  When the SLP / DA is placed in the representative manager / common center as shown in FIG. 7, the carrier table is searched with the contract ID and LCoA ((2) in FIG. 7), and the carrier ID and the remote DB name are acquired (FIG. 7). Similarly, the MAP table is searched with LCoA ((2) in FIG. 7), and the MAP address is acquired ((3) in FIG. 7). Further, using the acquired remote DB name and contract ID as a key, the MN table managed by the business company contracted by the MN UA is searched ((4) in FIG. 7), and the shared key information (Pre-Shared Key) is searched. , Key-index) and ACL information are acquired ((5) in FIG. 7).

  In either operation mode, the MN's UA determines from the MAP address and ACL acquired whether the MN can communicate at the destination ((5) in FIG. 4). If it is determined that communication is not possible, the process ends. Return nothing to UA. In the case of determining that communication is possible and registering the shared key with the key information and HoA as parameters for the MAP of the acquired MAP address ((6) in FIG. 4), the result is sent from the MAP as a key response message. Receive ((7) in FIG. 4).

  If the SLP • DA cannot receive the key response message within the specified time, it retransmits the specified number of times. If the key response message is not received even after the predetermined number of retransmissions, nothing is notified to the UA of the MN. When the key response message is received, nothing is notified to the UA of the MN when the processing result in the key reception message is an illegal end.

  If the processing result is normal termination, the MN UA is notified of the key information (Key-index value) used between the MN UA and MAP and the MAP address ((8) in FIG. 4).

  In addition, since the information on the shared key itself does not flow between the UA of the MN and the SLP / DA, and only the key-index value for specifying the key flows, it is safe even if it is stolen by a third party. The key information itself flows between the SLP • DA and the MAP and between the SLP • DA and the DB, which is not secure. In order to avoid this, security is ensured by applying IPsec between each other through a key distributor.

  The MN's UA searches its own key management table with the received key information (Key-index value), identifies the shared key that is actually used, and identifies its location registration for the MAP at the received MAP address The shared key is used for encryption ((9) in FIG. 4), and the location registration completion notification is received from the MAP.

  Thus, in the case of a single business company, the MN's UA that has moved can register its location with the HA via the nearest MAP. In the case of multiple business companies, it is possible to register the location with the business company A's HA via the business company B's MAP, and communication with the CN (Corresponding Node) via the business company A's HA. It becomes possible.

(Other examples)
FIG. 5 is a sequence diagram showing a procedure in a case where the present invention is applied to a network in which a MAP address can be obtained by the RA MAP option at the destination of the MN. The difference from the time when the present invention is applied to the network where the MAP address cannot be obtained at the movement destination in FIG. 4 is as follows ((1) in FIG. 5), and the MAP address is obtained by RA in (2) in FIG. The new MAP address obtained together with the contract ID and LCoA is also sent to the SLP / DA as a server request. If the new MAP address is included in the request, the SLP / DA does not search the MAP table by DB access. Then, processing is performed using the received MAP address.

  According to the present invention, the MN can acquire the latest MAP address, can securely set a pre-shared key in the MAP, and even if the MN moves to other than the contracting business company, the original contracting business company Since it is possible to access the HA that it has, the safety and flexibility of the mobile communication service can be improved. Thereby, the convenience of a mobile communication service can be improved and it can contribute to user acquisition.

The block configuration diagram of SLP / DA of the present embodiment. The block block diagram of UA of MN. The figure which shows the pre-shared key for IKE and the key index corresponding to this. It is a sequence diagram which shows the procedure which inquires the location of MAP. The sequence diagram which shows the procedure at the time of applying this invention to the network which can obtain a MAP address with the MAP option of RA in the movement destination of MN. Schematic of processing when MAP is provided in network operation by a single business company. Schematic at the time of MAP provision in network operation by multiple business companies including routing. The figure which shows the tables which SLP * DA accesses. The figure which shows the tables which UA of MN holds. The figure which shows API of DB operation.

Explanation of symbols

1 MAP address determination unit 2 key / index determination unit 3 IKE pre-shared key information registration unit 4 MAP address and key / index information distribution unit 5 latest MAP address acquisition unit 6 contract information table 7 address table

Claims (6)

A mobile terminal (hereinafter referred to as MN), an IPv6 network to which the MN is connected, a home agent (hereinafter referred to as HA) connected to the IPv6 network and exchanging communication data with the MN, In a mobile communication system comprising a mobile anchor point (hereinafter referred to as MAP) that is directly connected to the MN under the HA,
The MN includes an IKE (Internet Key) for the MAP to authenticate the MN.
Exchange) multiple pre-shared keys are assigned,
Each of the plurality of pre-shared keys for IKE is assigned a key index value,
IKE pre-shared key information assigned to the MN is managed corresponding to the MN, and means for centrally managing address information of one or more MAPs under the HA,
When the MN moves from a network managed by one HA to a network managed by another HA, the MN's UA (User Agent) sends the address of the new MAP closest to itself to the managing means. And means for requesting the key index information of the pre-shared key for IKE that is necessary for the MAP to authenticate itself,
In response to the request, the managing means indicates the address of the MAP nearest to the MN and the IKE pre-shared key necessary for the MAP to authenticate the MN based on the location information of the MN. A key index is determined, and a pre-shared key for IKE corresponding to the determined key index is registered in the nearest MAP, and the address information of the nearest MAP and the key index are registered in the UA of the MN. A mobile communication system comprising means for distributing information.   The mobile communication system according to claim 1, further comprising means for applying IPsec when the managing means registers the pre-shared key for IKE in the nearest MAP. An MN, an IPv6 network to which the MN is connected, an HA that is connected to the IPv6 network and exchanges communication data with the MN, and a MAP that is directly connected to the MN under the HA. Is applied to a mobile communication system in which a plurality of IKE pre-shared keys for the MAP to authenticate the MN are assigned, and a key index value is assigned to each of the plurality of IKE pre-shared keys. ,
IKE pre-shared key information assigned to the MN is managed corresponding to the MN, and means for centrally managing address information of one or more MAPs under the HA,
When the MN moves from a network managed by one HA to a network managed by another HA, the MN's UA sends a new MAP address closest to itself and the MAP to the managing means. Requesting the key index information of the pre-shared key for IKE, which is necessary for authenticating itself,
In response to the request, the managing means indicates the address of the MAP nearest to the MN and the IKE pre-shared key necessary for the MAP to authenticate the MN based on the location information of the MN. A key index is determined, a pre-shared key for IKE corresponding to the determined key index is registered in the nearest MAP, and the address information of the nearest MAP and the key index are registered in the UA of the MN. SLP / DA (Service Location Protocol / Directory) characterized in that it has a means to distribute information.
Agent).   4. The SLP / DA according to claim 3, further comprising means for applying IPsec when the managing means registers the pre-shared key for IKE in the nearest MAP. By installing on an information processing device,
An MN, an IPv6 network to which the MN is connected, an HA that is connected to the IPv6 network and exchanges communication data with the MN, and a MAP that is directly connected to the MN under the HA. Is applied to a mobile communication system in which a plurality of IKE pre-shared keys for the MAP to authenticate the MN are assigned, and a key index value is assigned to each of the plurality of IKE pre-shared keys. ,
The IKE pre-shared key information allocated to the MN is managed corresponding to the MN, and the address information of one or more MAPs under the HA is centrally managed.
When the MN moves from a network managed by one HA to a network managed by another HA, the MN has a new MAP address that is closest to itself and the MAP Requesting the key index information of the pre-shared key for IKE, which is necessary for authenticating itself,
The function to be managed is based on the location information of the MN in response to the request, and indicates the address of the MAP nearest to the MN and the pre-shared key for IKE necessary for the MAP to authenticate the MN. A key index is determined, a pre-shared key for IKE corresponding to the determined key index is registered in the nearest MAP, and the address information of the nearest MAP and the key index are registered in the UA of the MN. A program characterized by realizing a function corresponding to SLP / DA with a function of distributing information.   6. The program according to claim 5, wherein when the function to be managed registers the pre-shared key for IKE in the nearest MAP, a function for applying IPsec is realized.

Images