WO2006128384A1 - A method for creating a ipsec security association - Google Patents


Info

Publication number
WO2006128384A1
Authority
WO
WIPO (PCT)
Prior art keywords
security association
address
destination address
security
creating
Prior art date
Application number
PCT/CN2006/001186
Other languages
French (fr)
Chinese (zh)
Inventor
Hui Wang
Zhengbin Tang
Jian Xu
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
2005-06-03
Filing date
2006-06-02
Publication date
2006-12-07

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer


Abstract

A method for creating an IPSec security association provides a more robust security association by creating a security association whose destination address is the unspecified address and updating that address once the destination is determined. The method thereby reduces the number of security associations that must be created when the destination address is uncertain and improves their maintainability, giving a flexible and convenient way to create security associations.

Description

Method for creating an IPSec security association

Technical field

The present invention relates to the field of network communication security and, in particular, to a method for creating an IPSec security association.

Background art

The IP Security Protocol (IPSec) is a security protocol widely used in network communication. When the protocol is applied, a security association (SA) must be established for the encryption and decryption of information so that the information is transferred securely. As defined by the IPSec protocol, a security association is uniquely determined by a triplet consisting of a destination address, a Security Parameter Index (SPI) and a security protocol.

Generally, in mobile communication the home agent is deployed, maintained and managed by the operator, and the mobile node is likewise a controllable user of the operator (its identity can be verified and controlled by means such as a mobile subscriber identity or a CA certificate). Therefore, in the mechanism that protects mobile IP signaling, a security association can be configured and established in advance between the mobile node and the home agent to secure the traffic between them. Only after the correspondent node has confirmed that the home address and care-of address claimed by the mobile node are reachable does the correspondent node accept the binding update message from the mobile node, establish the corresponding binding, and forward subsequent traffic to the mobile node's new care-of address, which secures the path between the mobile node and the correspondent node. When IPSec is applied to mobile IP, RFC 3776 specifies that after the mobile node has moved to a foreign network, IPSec can be used to establish security associations between the home agent and the mobile node: transport mode protects the control messages between the mobile node and the home agent, and tunnel mode protects the control or payload messages between the mobile node and the correspondent node. On the home agent side, in the pair of security associations created to apply IPSec protection to the control messages between the mobile node and the home agent, the destination address of the inbound security association is the home agent address (Home Agent Address) and the destination address of the outbound security association is the mobile node's home address (Home Address).

According to the Mobile IPv6 implementation principles, the home agent may offer the mobile node several home agent addresses (Home Agent Address), and which one the mobile node uses depends on the mobile node's choice. The current way of handling this is to establish, between the home agent and the mobile node, one pair of security associations for each distinct combination of home agent address and mobile node home address. For example, if the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3), the mobile node's home address is HomeAddr, IPSec uses the ESP security protocol and the encapsulation mode is transport mode, then three pairs of security associations are established on the home agent side.

Establishing a pair of security associations for each distinct combination of home agent address and mobile node home address, however, results in a large number of security associations that are hard to maintain, particularly when they are configured manually.

Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a method for creating an IPSec security association that handles an indefinite or multiple destination address simply and flexibly and is easy to maintain and manage.

The method for creating an IPSec security association provided by the present invention, in which the security association created is uniquely determined by a triplet consisting of a destination address, a security parameter index and a security protocol, includes the following steps:

creating a security association whose destination address is the unspecified address;

when the security association is able to determine the destination address it uses, updating the unspecified address serving as the destination address of the security association with the determined destination address information.

A unique security parameter index is assigned to the created security association.

In the triplet comparison performed for conflict detection of the created security association, the unspecified address compares as equal to any address.

In conflict detection of the created security association, the unspecified address compares as equal to any address within the limited range of values it may take.

When the created security association has the unspecified address as its destination address, the destination address is ignored when matching for decryption.

The created security association is an inbound security association, with the unspecified address as its destination address, that the home agent in Mobile IPv6 creates in order to establish a secure connection with the mobile node.

The home agent determines the destination address of the inbound security association from the Binding Update (BU) message sent by the mobile node after it has moved to a foreign network.

The home agent updates the destination address of the inbound security association with the address information in the received BU message. After the mobile node returns to the home network, the home agent sets the destination address of the corresponding inbound security association back to the unspecified address.

As the technical solution above shows, the present invention creates a security association whose destination address is the unspecified address and refreshes that address once it can be determined, providing a more robust security association and thereby a simple, flexible and easily maintained method for creating IPSec security associations when the destination address is indefinite or there are multiple destination addresses.

Measures such as assigning a unique security parameter index to the security association, or treating the unspecified address as equal to any address in the triplet comparison during security association conflict detection (that is, ignoring the destination address and using only the remaining parts of the triplet as the index for conflict detection of this security association and of those created after it), prevent conflicts that could otherwise arise while the security association is created or refreshed.

The present invention applies not only to the creation of IPSec security associations in Mobile IPv6, but also to routing protocols such as OSPFv3 (where the destination address of routing messages may be any of several multicast or unicast addresses) and to other cases where IPSec security associations are created with an indefinite or multiple destination address.

Brief description of the drawings
FIG. 1 is a flowchart of one process for applying the present invention in IPv6.

Detailed description

The core idea of the present invention is to create a security association whose destination address is the unspecified address and to refresh the address once it can be determined, providing a more robust security association and thus a flexible and simple method for creating security associations.

To make the principles, features and advantages of the present invention clearer, the invention is further described below with reference to the accompanying drawing.

When IPSec is applied in IPv6, the home agent may offer the mobile node several home agent addresses, and which one the mobile node uses depends on the mobile node's choice; the present invention can be applied in IPv6 using the process shown in FIG. 1.

Step 11: a unique security parameter index is assigned to the security association to be created, that is, the index is unique among the local inbound security associations or among the local outbound security associations: it must not equal the security parameter index of any existing security association, and no security parameter index assigned in future may equal it. Assigning a unique security parameter index is not the only option; other methods that prevent conflicts can be used to avoid security association conflicts. For example, the created security association can be made to compare its unspecified address as equal to any address in the triplet comparison for conflict detection; that is, the destination address is ignored and only the remaining parts of the triplet are used as the index, so that only the SPI and the security protocol are considered, and as long as either the SPI or the security protocol differs (for example, the same SPI but a different security protocol) there is no conflict, rather than declaring a conflict as soon as the SPI is the same. Alternatively, during conflict detection the created security association can compare its unspecified address as equal to any address within the limited range of values the unspecified address may take; that is, apart from the security associations that could conflict because they lie within the range of values the unspecified address may take, the other security associations are checked for conflicts using the full triplet as the index.

Step 12: having obtained a unique security parameter index, the home agent uses it together with the other configuration to create a security association whose destination address is the unspecified address. Table 1 shows the pair of security associations the home agent creates for the mobile node. Here the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3) from which the mobile node can choose, the mobile node's home address is HomeAddr, and IPSec uses the Encapsulating Security Payload (ESP) security protocol. ESP is one of the main protocols of the IPsec architecture and is designed to provide a mix of security services in IPv4 and IPv6; it provides confidentiality and integrity by encrypting the data to be protected and placing the encrypted data in the data portion of the ESP packet. The encapsulation mode of the ESP security protocol is transport mode. The destination address of the inbound security association is the unspecified address 0::0, its unique security parameter index is SPI-11, and its security protocol is ESP.
Table 1. The pair of security associations created by the home agent for the mobile node in IPv6 [table image not reproduced]
Step 13: wait, or carry out other corresponding processing; the security association whose destination address is the unspecified address can be used as soon as it has been created.

Step 14: receive a packet.

Step 15: judge whether the destination address of the created security association is determined. If the destination address is not determined, go to step 16; if it is determined, go to step 17.

Step 16: ignore the destination address when decrypting the packet.

Step 17: perform full triplet matching when decrypting the packet.

Step 18: judge from the check value or parameters whether the packet was decrypted successfully. If not, return to step 13 for the corresponding error handling or to wait for another packet; if so, a correct packet has been received.

Step 19: having received a correct packet, further judge whether it announces a change of the security association's destination address. If so, go to step 20; otherwise return to step 13 to continue with other processing.

Step 20: refresh the destination address of the security association, then return to step 13 for other processing. Table 2 shows the state of the home agent's security associations after the refresh. The refresh takes place after the mobile node has moved to a foreign network and sent a Binding Update (BU) message to the home agent announcing that the home agent address it has chosen to use is HAAddr1.
Table 2. State of the home agent's security associations after the refresh [table image not reproduced]
Of course, in step 19 the address change may be from the unspecified address to a determined address (leaving the home network), from a determined address to the unspecified address (returning to the home network), or from one determined address to another (moving from one foreign network to another). In each case the destination address of the security association is refreshed in the same way as in step 20. As the specific embodiment above shows, the present invention prevents conflicts that could arise while a security association is created or refreshed by assigning a unique security parameter index to the security association, or by treating the unspecified address as equal to any address in the triplet comparison during conflict detection (that is, ignoring the destination address and using only the remaining parts of the triplet as the index for conflict detection). It can be applied to the creation of IPSec security associations in Mobile IPv6, in routing protocols such as OSPFv3, and in other cases where the destination address is indefinite or multiple.
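The following Python is an added illustration of steps 11 to 20 and is not code from the patent or from any vendor's IPsec stack: a small home-agent SA database in which an inbound SA is created with the unspecified address as destination, conflict detection and inbound lookup ignore the destination while it is unspecified, and the destination is refreshed from a Binding Update and reset when the mobile node returns home. The addresses standing in for HAAddr1..3 and HomeAddr, and the SPI values, are constructed sample values.

```python
"""Added example, not code from the patent or any vendor: a minimal SA database
for a home agent following steps 11 to 20 above.  The inbound SA is created with
the unspecified address (::) as destination; conflict detection and inbound lookup
then ignore the destination and compare only (SPI, protocol); the destination is
refreshed from a Binding Update and reset to :: when the mobile node returns home.
Addresses (HAAddr1..3, HomeAddr) and SPIs are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional

UNSPECIFIED = IPv6Address("::")  # the patent's "unspecified address" 0::0


@dataclass
class SecurityAssociation:
    direction: str    # "in" or "out" from the home agent's point of view
    dst: IPv6Address  # destination address of the (dst, SPI, protocol) triplet
    spi: int          # security parameter index
    proto: str        # "ESP" or "AH"; transport mode is assumed throughout


class SADatabase:
    """Security associations keyed by the (destination, SPI, protocol) triplet."""

    def __init__(self) -> None:
        self.sas: list = []

    @staticmethod
    def _conflicts(a: SecurityAssociation, b: SecurityAssociation) -> bool:
        # Same SPI with a different direction or protocol is no conflict (step 11).
        if a.direction != b.direction or a.proto != b.proto or a.spi != b.spi:
            return False
        # The unspecified address compares equal to any address (claim 3).
        return UNSPECIFIED in (a.dst, b.dst) or a.dst == b.dst

    def allocate_spi(self, direction: str, proto: str, first: int = 0x100) -> int:
        """Step 11: choose an SPI unused by any SA of this direction and protocol."""
        used = {sa.spi for sa in self.sas if sa.direction == direction and sa.proto == proto}
        spi = first
        while spi in used:
            spi += 1
        return spi

    def create(self, sa: SecurityAssociation) -> SecurityAssociation:
        """Step 12: install the SA, rejecting it if its triplet conflicts."""
        for existing in self.sas:
            if self._conflicts(existing, sa):
                raise ValueError(f"SA conflict: SPI {sa.spi:#x}/{sa.proto} in use")
        self.sas.append(sa)
        return sa

    def lookup_inbound(self, dst: IPv6Address, spi: int, proto: str) -> Optional[SecurityAssociation]:
        """Steps 15-17: while the SA's destination is unspecified the packet's destination
        is ignored (step 16); once determined, the full triplet must match (step 17)."""
        for sa in self.sas:
            if sa.direction != "in" or sa.spi != spi or sa.proto != proto:
                continue
            if sa.dst == UNSPECIFIED or sa.dst == dst:
                return sa
        return None

    @staticmethod
    def refresh_destination(sa: SecurityAssociation, new_dst: IPv6Address) -> None:
        """Step 20: refresh the destination; passing :: models the return-home reset."""
        sa.dst = new_dst


def home_agent_scenario() -> dict:
    """Walk through Table 1 -> Table 2 of the patent with constructed addresses."""
    ha_addrs = [IPv6Address(f"2001:db8:1::{i}") for i in (1, 2, 3)]  # HAAddr1..HAAddr3
    home_addr = IPv6Address("2001:db8:1::100")                          # HomeAddr
    sad = SADatabase()
    # Table 1: inbound SA with dst ::, outbound SA with dst HomeAddr, both ESP.
    spi_in = sad.allocate_spi("in", "ESP")
    inbound = sad.create(SecurityAssociation("in", UNSPECIFIED, spi_in, "ESP"))
    sad.create(SecurityAssociation("out", home_addr, sad.allocate_spi("out", "ESP"), "ESP"))
    # Before the BU, a packet to any of the three HA addresses selects the inbound SA.
    before = [sad.lookup_inbound(a, spi_in, "ESP") is inbound for a in ha_addrs]
    # Same SPI and protocol in the same direction conflicts, even with a concrete dst.
    try:
        sad.create(SecurityAssociation("in", ha_addrs[1], spi_in, "ESP"))
        conflict = False
    except ValueError:
        conflict = True
    # Same SPI but a different protocol is allowed (step 11).
    sad.create(SecurityAssociation("in", UNSPECIFIED, spi_in, "AH"))
    # BU from the foreign network announces HAAddr1: Table 2 state.
    sad.refresh_destination(inbound, ha_addrs[0])
    after = [sad.lookup_inbound(a, spi_in, "ESP") is inbound for a in ha_addrs]
    # Mobile node returns home: destination goes back to the unspecified address.
    sad.refresh_destination(inbound, UNSPECIFIED)
    return {"spi_in": spi_in, "before": before, "conflict": conflict, "after": after,
            "sa_count": len(sad.sas), "final_dst": str(inbound.dst)}
```

Note that the wildcard only buys safety because the SPI is unique per direction and protocol: without step 11, two inbound ESP SAs with the same SPI could not be told apart once one of them has an unspecified destination.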
The above is only a preferred embodiment of the present invention; the scope of protection of the present invention is not limited to it, and any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention. The scope of protection of the present invention is therefore defined by the claims.

Claims

1. A method for creating an IPSec security association, wherein the security association created by the method is uniquely determined by a triplet consisting of a destination address, a security parameter index and a security protocol, characterized in that it comprises the following steps:

creating a security association whose destination address is the unspecified address;

when the security association is able to determine the destination address it uses, updating the unspecified address serving as the destination address of the security association with the determined destination address information.

2. The method for creating an IPSec security association according to claim 1, characterized in that it further comprises assigning a unique security parameter index to the created security association.

3. The method for creating an IPSec security association according to claim 1, characterized in that, in the triplet comparison performed for conflict detection of the created security association, the unspecified address compares as equal to any address.

4. The method for creating an IPSec security association according to claim 1, characterized in that, in conflict detection of the created security association, the unspecified address compares as equal to any address within the limited range of values it may take.

5. The method for creating an IPSec security association according to any one of claims 2 to 4, characterized in that, when the created security association has the unspecified address as its destination address, the destination address is ignored when matching for decryption.

6. The method for creating an IPSec security association according to claim 5, characterized in that the created security association is an inbound security association, with the unspecified address as its destination address, that the home agent in Mobile IPv6 creates in order to establish a secure connection with the mobile node.

7. The method for creating an IPSec security association according to claim 6, characterized in that it further comprises the home agent determining the destination address of the inbound security association from the Binding Update (BU) message sent by the mobile node after it has moved to a foreign network.

8. The method for creating an IPSec security association according to claim 6, characterized in that it further comprises the home agent updating the destination address of the inbound security association with the address information in the received BU message.

9. The method for creating an IPSec security association according to claim 7, characterized in that it further comprises the home agent setting the destination address of the corresponding inbound security association back to the unspecified address after the mobile node returns to the home network.
PCT/CN2006/001186 2005-06-03 2006-06-02 A method for creating a ipsec security association WO2006128384A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510074908.8 2005-06-03
CN2005100749088A CN1874343B (en) 2005-06-03 2005-06-03 Method for creating IPSec safety alliance

Publications (1)

Publication Number Publication Date
WO2006128384A1 true WO2006128384A1 (en) 2006-12-07

Family

ID=37481239

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/001186 WO2006128384A1 (en) 2005-06-03 2006-06-02 A method for creating a ipsec security association

Country Status (2)

Country Link
CN (1) CN1874343B (en)
WO (1) WO2006128384A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112733175A (en) * 2021-01-22 2021-04-30 浪潮思科网络科技有限公司 Data encryption method and device based on ESP (electronic stability program) protocol
CN115529180A (en) * 2022-09-28 2022-12-27 芯启源(南京)半导体科技有限公司 IPSec encryption and decryption unloading method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088438B (en) * 2009-12-03 2013-11-06 中兴通讯股份有限公司 Method for solving address conflict of Internet protocol security (IPSec) Client and IPSec Client
CN102271061B (en) * 2010-06-07 2013-12-25 杭州华三通信技术有限公司 Method and device for determining number of IP security virtual private network tunnels

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1420559A1 (en) * 2002-11-13 2004-05-19 Thomson Licensing S.A. Method and device for supporting a 6to4 tunneling protocol across a network address translation mechanism
WO2004086718A1 (en) * 2003-03-27 2004-10-07 Motorola Inc Communication between a private network and a roaming mobile terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1138367C (en) * 2001-09-17 2004-02-11 华为技术有限公司 Safety-alliance (SA) generation method for safety communication between nodes of network area

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Arkko, J. et al., "Using IPsec to protect mobile IPv6 signaling between mobile nodes and home agents", RFC 3776, June 2004 (2004-06-01), XP015009556 *

Also Published As

Publication number Publication date
CN1874343B (en) 2010-04-21
CN1874343A (en) 2006-12-06

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
WWW Wipo information: withdrawn in national office (Country of ref document: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 06742073; Country of ref document: EP; Kind code of ref document: A1)