WO2006128384A1 - Method for creating an IP security protocol security association - Google Patents

Info

Publication number
WO2006128384A1
Authority
WO
WIPO (PCT)
Prior art keywords
security association
address
destination address
security
creating
Prior art date
Application number
PCT/CN2006/001186
Other languages
English (en)
Chinese (zh)
Inventor
Hui Wang
Zhengbin Tang
Jian Xu
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2005-06-03
Filing date
2006-06-02
Publication date
2006-12-07
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2006128384A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • The present invention relates to the field of network communication security technologies, and in particular to a method for creating an IPSec security association.
  • Background technique
  • IP Security Protocol (IPSec) is a security protocol widely used in network communication.
  • SA: security association
  • SPI: Security Parameter Index
  • A home agent is deployed and maintained by an operator, and a mobile node is also a controllable user of the operator (its identity can be verified and controlled by means of a mobile subscriber identity code or a CA certificate). Therefore, in the security mechanism for mobile IP signaling, a security association may be established in advance between the mobile node and the home agent to ensure security between them.
  • The correspondent node accepts the binding update message from the mobile node and establishes a corresponding binding relationship, after which traffic is forwarded to the new care-of address of the mobile node; security between the mobile node and the correspondent node must therefore also be ensured.
  • IPSec can be used to establish a security association between the home agent and the mobile node, protecting the control messages between the mobile node and the home agent in transport mode and protecting the control or payload messages between the mobile node and the correspondent node in tunnel mode.
  • The destination address of the inbound security association is the home agent address (Home Agent Address); the destination address of the outbound security association is the home address of the mobile node.
  • The current implementation establishes a pair of security associations between the home agent and the mobile node for each combination of home agent address and mobile node home address.
  • For example, if the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3), the mobile node's home address is HomeAddr, IPSec uses the ESP security protocol, and the encapsulation mode is transport mode, then the home agent will establish three pairs of security associations.
  • An object of the present invention is to provide a method for creating an IPSec security association that allows simple and flexible processing and facilitates maintenance and management when the destination address is indefinite or there are multiple destination addresses.
  • The method for creating an IPSec security association provided by the present invention is as follows.
  • The security association created by the method is uniquely determined by a triplet composed of a destination address, a security parameter index, and a security protocol, and the method includes the following steps:
  • When the security association is able to determine the destination address it uses, the unspecified address serving as its destination address is updated with the determined destination address information.
  • During conflict detection, the created security association treats the unspecified address as equal to any address in the triplet comparison.
  • Alternatively, the unspecified address is treated as equal to any address within a limited range of possible values.
  • For an SA whose destination address is the unspecified address, the destination address is ignored when matching for decryption.
  • The created security association is an inbound security association created by the home agent in Mobile IPv6 to establish a secure connection with the mobile node, and its destination address is the unspecified address.
  • The home agent determines the destination address of the inbound security association according to the binding update (BU) message sent by the mobile node after it has moved to a foreign network.
  • The home agent updates the destination address of the inbound security association according to the address information in the received BU message. After the mobile node returns to the home network, the home agent sets the destination address of the corresponding inbound security association back to the unspecified address.
  • By creating a security association whose destination address is the unspecified address and refreshing the address once it can be determined, the present invention provides a more complete security association.
  • This gives a method for creating an IPSec SA that is simple, flexible, and easy to maintain when the destination address is indefinite or there are multiple destination addresses.
  • Assigning a unique security parameter index to the security association, or treating the unspecified address as equal to any address in the triplet comparison during security association conflict detection (that is, between the security association and those created after it), ignoring the destination address and using only the other parts of the triplet as the index for conflict detection, prevents some conflicts that may occur during the creation or refresh of the security association.
  • The present invention can be applied not only to the creation of IPSec SAs in Mobile IPv6, but also to routing protocols such as OSPFv3 (where the destination address of a routing message may be one of several multicast addresses or a unicast address), and to the creation of IPSec SAs in other cases where the destination address is indefinite or multiple.
  • FIG. 1 is a flowchart of the process when the present invention is applied in IPv6.
  • Detailed description
  • The core idea of the present invention is to provide a flexible and simple method for creating a security association: the security association is created with the unspecified address as its destination address, and the address is refreshed once it can be determined, so that a more robust security association results.
  • In IPv6, when IPSec is used, the home agent may provide several home agent addresses to the mobile node, and which home agent address is used depends on the mobile node's selection. The application of the present invention in IPv6 may follow the process flow shown in Figure 1.
  • Step 11: Assign a unique security parameter index to the created SA. That is, the SPI is unique among the inbound SAs or among the outbound SAs: it may not be the same as any existing SPI, and no SPI assigned later may be the same as it. Assigning a unique SPI is not the only option; other measures that prevent security association conflicts may be adopted instead. For example, during conflict detection the created security association may treat the unspecified address as equal to any address in the triplet comparison, that is, the destination address is ignored and only the other parts of the triplet are used as the index.
  • Conflict detection then disregards the destination address and considers only the SPI and the security protocol: as long as either of them differs (for example, the same SPI but a different security protocol), there is no conflict; only when both are the same is there a conflict. Alternatively, during conflict detection the created security association may treat the unspecified address as equal to any address within a limited range of possible values: the security associations whose addresses fall within that range are the ones that may conflict with it, while all other security associations use the full triplet as the index for conflict detection.
  • Step 12: Having obtained the unique SPI, use it together with the other configuration conditions to create an SA whose destination address is the unspecified address.
  • For example, the home agent creates a pair of security associations for the mobile node. Here the home agent has three home agent addresses (HAAddr1, HAAddr2, HAAddr3) for the mobile node to select from, and the mobile node's home address is HomeAddr.
  • IPSec uses the Encapsulating Security Payload (ESP) security protocol.
  • ESP is a major protocol in the IPsec architecture, designed to provide security services in both IPv4 and IPv6 environments.
  • The encapsulation mode of the ESP security protocol is transport mode.
  • The destination address of the inbound SA is the unspecified address 0::0.
  • The unique security parameter index is SPI-11 and the security protocol is ESP (Encapsulating Security Payload).
  • Table 1: the pair of security associations created by the home agent in IPv6 for the mobile node.
  • Step 13: Wait, or perform other corresponding processing; once the security association whose destination address is the unspecified address has been created, it can be used.
  • Step 14: Receive a message.
  • Step 15: Determine whether the destination address of the created security association has been determined. If the destination address is still undetermined, go to step 16; if it has been determined, go to step 17.
  • Step 16: Ignore the destination address when decrypting the message.
  • Step 17: Perform a complete triplet match when decrypting the message.
  • Step 18: Determine whether the message was decrypted successfully, using the check value or the parameters, that is, whether the decryption of the message was completed correctly. If not, return to step 13 for the corresponding error processing or to wait for the next message; if yes, a correct message has been received.
  • Step 19: After a correct packet has been received, further determine whether it announces a change of the destination address of the security association. If yes, go to step 20; otherwise return to step 13 and continue with other subsequent processing.
  • Step 20: Refresh the destination address of the security association, then proceed to step 13 for other processing.
  • Table 2: the state of the home agent's security association after the refresh. This refresh is performed by the home agent after the mobile node has moved to a foreign network and sent a Binding Update (BU) message to the home agent announcing that the home agent address it selected is HAAddr1.
  • BU: Binding Update
  • The address change may be from the unspecified address to a determined address (leaving the home network), from a determined address to the unspecified address (returning to the home network), or from one determined address to another (moving from one foreign network to another).
  • In each case the destination address of the security association must be refreshed. It can be seen from the foregoing embodiments that the present invention, by assigning a unique security parameter index to the security association, by ignoring the destination address and using only the remainder of the triplet as the index in conflict detection, or by other such measures, can prevent some conflicts that may occur during the creation or refresh of the security association. It can be applied to the creation of IPSec SAs in Mobile IPv6, in OSPFv3 and other routing protocols, or in other situations where the destination address is indefinite or multiple.
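The following is an added worked example, written for this page and not code from the patent or from Huawei: a toy SA database that models the triplet (destination address, SPI, protocol) lookup with the unspecified-address rule of Steps 15 to 17, the destination refresh of Step 20 on a Binding Update and on return to the home network, and the three conflict-detection policies discussed under Step 11 (unique SPI per direction; ignore the destination and compare only SPI and protocol; full triplet with the unspecified address matching any address). The home agent and home addresses are constructed from the 2001:db8::/32 documentation prefix, the inbound SPI 11 follows the text, and the outbound SPI 12 and the policy names are assumptions of this example.

```python
"""Toy IPsec SA database for the unspecified-destination technique (added example)."""
from dataclasses import dataclass
import ipaddress

UNSPECIFIED = ipaddress.IPv6Address("::")          # the 0::0 of the text
# Constructed sample addresses (documentation prefix), not values from the patent.
HA_ADDR1 = ipaddress.IPv6Address("2001:db8:1::1")
HA_ADDR2 = ipaddress.IPv6Address("2001:db8:1::2")
HA_ADDR3 = ipaddress.IPv6Address("2001:db8:1::3")
HOME_ADDR = ipaddress.IPv6Address("2001:db8:2::10")


@dataclass
class SA:
    dst: ipaddress.IPv6Address
    spi: int
    proto: str        # "ESP" or "AH"
    direction: str    # "in" or "out"

    def matches(self, dst, spi, proto):
        """Lookup used when a packet arrives (Steps 15-17)."""
        if self.spi != spi or self.proto != proto:
            return False
        if self.dst == UNSPECIFIED:   # Step 16: destination is ignored
            return True
        return self.dst == dst        # Step 17: full triplet match


class SADB:
    """Minimal SA database with the three conflict-detection policies in the text."""

    def __init__(self, policy="unique_spi"):
        if policy not in ("unique_spi", "ignore_dst", "unspecified_matches_any"):
            raise ValueError(policy)
        self.policy = policy
        self.sas = []

    def conflicts(self, new):
        for sa in self.sas:
            if sa.direction != new.direction:
                continue   # SPI uniqueness is per inbound/outbound set
            if self.policy == "unique_spi":
                if sa.spi == new.spi:
                    return True
            elif self.policy == "ignore_dst":
                if sa.spi == new.spi and sa.proto == new.proto:
                    return True
            else:  # full triplet, but :: is treated as equal to any address
                dst_same = sa.dst == new.dst or UNSPECIFIED in (sa.dst, new.dst)
                if dst_same and sa.spi == new.spi and sa.proto == new.proto:
                    return True
        return False

    def add(self, sa):
        if self.conflicts(sa):
            raise ValueError(f"SA conflict: {sa}")
        self.sas.append(sa)
        return sa

    def lookup(self, dst, spi, proto, direction="in"):
        for sa in self.sas:
            if sa.direction == direction and sa.matches(dst, spi, proto):
                return sa
        return None

    def refresh_dst(self, spi, proto, new_dst, direction="in"):
        """Step 20: rewrite the destination address after a BU (or on return home)."""
        for sa in self.sas:
            if sa.direction == direction and sa.spi == spi and sa.proto == proto:
                sa.dst = new_dst
                return sa
        raise KeyError((spi, proto, direction))


def build_home_agent_sadb():
    """Steps 11-12: one SA pair, inbound destination left unspecified."""
    db = SADB("unique_spi")
    db.add(SA(UNSPECIFIED, 11, "ESP", "in"))    # SPI-11 as in the text
    db.add(SA(HOME_ADDR, 12, "ESP", "out"))     # outbound SPI 12 is an assumption
    return db


def mobility_scenario():
    """Which inbound ESP/SPI-11 lookups succeed at each stage of the node's movement."""
    db = build_home_agent_sadb()
    stages = {}
    # Mobile node at home: a packet to any HA address matches the single inbound SA
    stages["home_any_addr"] = db.lookup(HA_ADDR2, 11, "ESP") is not None
    # BU from the foreign network selects HAAddr1 -> refresh the destination
    db.refresh_dst(11, "ESP", HA_ADDR1)
    stages["foreign_addr1"] = db.lookup(HA_ADDR1, 11, "ESP") is not None
    stages["foreign_addr2"] = db.lookup(HA_ADDR2, 11, "ESP") is not None
    # Return to the home network -> destination goes back to unspecified
    db.refresh_dst(11, "ESP", UNSPECIFIED)
    stages["home_again_addr3"] = db.lookup(HA_ADDR3, 11, "ESP") is not None
    stages["sa_count"] = len(db.sas)   # still one pair, not one pair per HA address
    return stages


def conflict_checks():
    """How each policy judges a second inbound SA against the unspecified-address SA."""
    results = {}
    for policy in ("unique_spi", "ignore_dst", "unspecified_matches_any"):
        db = SADB(policy)
        db.add(SA(UNSPECIFIED, 11, "ESP", "in"))
        results[policy + "/same_spi_same_proto"] = db.conflicts(SA(HA_ADDR2, 11, "ESP", "in"))
        results[policy + "/same_spi_other_proto"] = db.conflicts(SA(HA_ADDR2, 11, "AH", "in"))
    return results


if __name__ == "__main__":
    print(mobility_scenario())
    print(conflict_checks())
```

The scenario shows the point of the method: one inbound SA serves all three home agent addresses while the node is at home, and after the refresh only the announced address matches, so a stale or wrong-address packet no longer selects the SA. The conflict table shows why the text offers alternatives to unique SPIs: under "ignore_dst" a second SA with the same SPI but a different protocol is allowed, whereas "unique_spi" rejects it.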

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method for creating an IP security protocol security association, which provides a more robust security association by creating a security association whose destination address is an unspecified address and updating the address once the address is determined. The method thus reduces the number of security associations created when the destination address is uncertain and improves the maintainability of the security association, so that it constitutes a flexible and practical method for creating the security association.
PCT/CN2006/001186 2005-06-03 2006-06-02 Method for creating an IP security protocol security association WO2006128384A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2005100749088A CN1874343B (zh) 2005-06-03 2005-06-03 Method for creating an IPSec security association
CN200510074908.8 2005-06-03

Publications (1)

Publication Number Publication Date
WO2006128384A1 true WO2006128384A1 (fr) 2006-12-07

Family

ID=37481239

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/001186 WO2006128384A1 (fr) 2005-06-03 2006-06-02 Method for creating an IP security protocol security association

Country Status (2)

Country Link
CN (1) CN1874343B (fr)
WO (1) WO2006128384A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112733175A (zh) * 2021-01-22 2021-04-30 浪潮思科网络科技有限公司 Data encryption method and device based on the ESP protocol
CN115529180A (zh) * 2022-09-28 2022-12-27 芯启源(南京)半导体科技有限公司 IPSec encryption/decryption offload method
CN115529180B (zh) * 2022-09-28 2024-05-31 芯云晟(杭州)电子科技有限公司 IPSec encryption/decryption offload method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088438B (zh) * 2009-12-03 2013-11-06 中兴通讯股份有限公司 Method and client for resolving Internet Protocol Security client address conflicts
CN102271061B (zh) * 2010-06-07 2013-12-25 杭州华三通信技术有限公司 Method and apparatus for determining the number of IP security virtual private network tunnels

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1420559A1 (fr) * 2002-11-13 2004-05-19 Thomson Licensing S.A. Method and device supporting a 6to4 tunnel protocol using a network address translation mechanism
WO2004086718A1 (fr) * 2003-03-27 2004-10-07 Motorola Inc Communication between a private network and a roaming mobile terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1138367C (zh) * 2001-09-17 2004-02-11 Huawei Technologies Co., Ltd. Security association generation method for secure communication between network area nodes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ARKKO J. ET AL.: "Using IPsec to protect mobile IPv6 signaling between mobile nodes and home agents", RFC3776, June 2004 (2004-06-01), XP015009556 *

Also Published As

Publication number Publication date
CN1874343B (zh) 2010-04-21
CN1874343A (zh) 2006-12-06

Similar Documents

Publication Publication Date Title
US11038846B2 (en) Internet protocol security tunnel maintenance method, apparatus, and system
US6976177B2 (en) Virtual private networks
JP5470113B2 (ja) Dynamic host configuration and network access authentication
EP1495621B1 (fr) Security transmission protocol for a mobile IP network
US8437345B2 (en) Terminal and communication system
US20020066036A1 (en) System and method for secure network mobility
US20050063352A1 (en) Method to provide dynamic Internet Protocol security policy service
US20120204253A1 (en) Method and apparatus for exchanging data between a user equipment and a core network via a security gateway
JP2009516435A (ja) Secure route optimization for mobile networks using multi-key cryptographically generated addresses
US20080219224A1 (en) System and Method for Providing Secure Mobility and Internet Protocol Security Related Services to a Mobile Node Roaming in a Foreign Network
EP1466458B1 (fr) Method and system for ensuring secure message forwarding
JP3515551B2 (ja) Electronic device having a relay function for wireless data communication
EP2201742B1 (fr) Provisioning of mobility services to legacy terminals
US10313877B2 (en) Method and system for facilitating participation of an intermediary network device in a security gateway communication between at least one base station and a core network portion in a cellular communication network
US7969933B2 (en) System and method for facilitating a persistent application session with anonymity between a mobile host and a network host
WO2006128384A1 (fr) Method for creating an IP security protocol security association
WO2011064858A1 (fr) Wireless authentication terminal
JP2006191205A (ja) Communication device, communication method, and communication system
JP2006345302A (ja) Gateway device and program
Arkko et al. RFC 3776: Using IPsec to protect mobile IPv6 signaling between mobile nodes and home agents
KR20030050550A (ko) Simple IP virtual private network service method in a packet data service network
FI113597B (fi) Method for sending messages through multiple connections

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
WWW Wipo information: withdrawn in national office (Country of ref document: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 06742073; Country of ref document: EP; Kind code of ref document: A1)