WO2008003208A1 - A method, system for ensuring the security communication of mobile node and a mobile node - Google Patents


Info

Publication number
WO2008003208A1
Authority
WO
WIPO (PCT)
Prior art keywords
ler
security association
level
association request
lfa
Application number
PCT/CN2007/001127
Other languages
French (fr)
Chinese (zh)
Inventor
Gang Cheng
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Definitions

  • The invention relates to network security technology, in particular to a method for guaranteeing the secure communication of a mobile node.
  • Background of the invention
  • A Next Generation Network (NGN) is a converged network that carries a variety of telecommunication services, such as voice, image and data, over IP connections between communicating entities.
  • Mobility control and transmission of NGN services over a Multi-Protocol Label Switching (MPLS) network is a topic of active research.
  • MPLS provides signaling and transport mechanisms that support quality of service (QoS), traffic engineering and virtual private network (VPN) capabilities.
  • QoS quality of service
  • VPN virtual private network
  • The inventor found that in a mobile network environment a mobile node (MN) is often connected to the network through a wireless link, and the Label Switched Path (LSP) connected to such an access link is easily attacked.
  • LSP Label Switched Path
  • The security mechanism of the MPLS network does not provide a specific implementation method or processing procedure for protecting the MN. Therefore, the prior art cannot guarantee the secure communication of the MN in an MPLS-based network.
  • Summary of the invention
  • The main object of the present invention is to provide a method for ensuring the secure communication of a mobile node; the method can ensure secure communication of the MN in an MPLS-based network.
  • Another main object of the present invention is to provide a system for ensuring the secure communication of a mobile node; the system can guarantee secure communication of the MN in an MPLS-based network.
  • Another main object of the present invention is to provide a mobile node capable of ensuring its own secure communication in an MPLS-based network.
  • The present invention provides a method for ensuring the secure communication of a mobile node, which performs the following step:
  • The mobile node (MN) establishes a security association with the label edge router/foreign agent (LER/FA) and the label edge router/home agent (LER/HA) for the MN's secure communication.
  • The present invention further provides a system for ensuring the secure communication of a mobile node, the system comprising an MN, an LER/FA and an LER/HA;
  • the MN establishes a security association with the LER/FA and the LER/HA to secure its communication. Furthermore, the present invention provides a mobile node, the MN including at least a request unit and a negotiation unit;
  • the request unit is configured to send a security association request to the LER/FA;
  • the negotiation unit establishes a security association with the LER/FA and the LER/HA to secure communication.
  • The invention provides a method for guaranteeing the secure communication of a mobile node: the MN establishes a security association with the LER/FA and the LER/HA step by step, so that after moving to a new area the MN can register directly with the adjacent LER/FA without registering with the LER/HA. This reduces the number of messages sent to the LER/HA and reduces the communication delay.
  • The present invention also provides a system for ensuring the secure communication of a mobile node, and a mobile node.
  • FIG. 1 is a structural diagram of an MPLS network; FIG. 2 is a flow chart of a method of a first preferred embodiment of the present invention;
  • FIG. 3 is a flowchart of updating a security association according to the first preferred embodiment of the present invention;
  • FIG. 4 is a structural diagram of a system according to the first preferred embodiment of the present invention;
  • FIG. 5 is a flow chart of a method of a second preferred embodiment of the present invention;
  • FIG. 6 is a flowchart of updating a security association according to the second preferred embodiment of the present invention;
  • FIG. 7 is another flowchart of updating a security association according to the second preferred embodiment of the present invention;
  • FIG. 8 is a structural diagram of a system according to the second preferred embodiment of the present invention;
  • FIG. 9 is a flow chart of a method of a third preferred embodiment of the present invention;
  • FIG. 10 is a flowchart of updating a security association according to the third preferred embodiment of the present invention;
  • FIG. 11 is another flowchart of updating a security association according to the third preferred embodiment of the present invention;
  • FIG. 12 is another flowchart of updating a security association according to the third preferred embodiment of the present invention;
  • FIG. 13 is a structural diagram of a system according to the third preferred embodiment of the present invention;
  • FIG. 14 is a structural diagram of a mobile node of the present invention.
  • Mode for carrying out the invention
  • SA Security Association
  • IPsec IP Security
  • The Label Edge Router/Foreign Agent (LER/FA) and the Label Edge Router/Home Agent (LER/HA) establish security associations with the MN to ensure that the MN can communicate securely.
  • Figure 1 is a structural diagram based on an MPLS network.
  • LER/LFA, Label Edge Router/Local Foreign Agent
  • LER/RFA, Label Edge Router/Regional Foreign Agent, is a third-level foreign agent
  • LER/GFA, Label Edge Router/Gateway Foreign Agent
  • LER/HA is an MPLS router with home agent function;
  • LER/LFA is an MPLS router with local foreign agent function;
  • LER/RFA is an MPLS router with regional foreign agent function;
  • LER/GFA is an MPLS router with gateway foreign agent function and is responsible for one autonomous domain.
  • The LER/FA may include only a first-level foreign agent; in that case it may be the LER/LFA, the LER/RFA or the LER/GFA.
  • The LER/FA may also include a second-level foreign agent, in which case: the first-level LER/FA is the LER/LFA and the second-level LER/FA is the LER/RFA; or the first-level LER/FA is the LER/LFA and the second-level LER/FA is the LER/GFA; or the first-level LER/FA is the LER/RFA and the second-level LER/FA is the LER/GFA.
  • FIG. 1 also shows the four models in which the MN moves in the MPLS network when the LER/FA includes three levels of foreign agent and the MN communicates with a correspondent node (CN, Correspondent Node): intra-subnet access refers to movement of the MN within the jurisdiction of the same LER/LFA; inter-subnet access refers to movement of the MN between different LER/LFA jurisdictions but within the same LER/RFA jurisdiction; inter-network access refers to movement of the MN between different LER/LFA jurisdictions but within the same LER/GFA jurisdiction; inter-autonomous network access refers to movement of the MN between different autonomous domains under LER/GFA jurisdiction.
  • In the MPLS network, hierarchical mobility management is implemented for both mobile IPv4 and mobile IPv6 services.
  • LER/LFA, LER/RFA and LER/GFA support local registration.
  • The local registration function allows the MN to register directly with the adjacent LER/LFA, LER/RFA or LER/GFA after moving to a new area, without having to register with the HA.
  • The MN establishes a security association with the LER/HA step by step.
  • The MN can directly establish a security association with the foreign agent corresponding to the new area after moving there, without having to re-negotiate a security association with the LER/HA; this reduces the number of interactions with the LER/HA and reduces the handover delay.
  • The security association may be established while the MN requests registration from the LER/HA.
  • The purpose of the MN registering with the LER/HA is to inform the LER/HA of its current Care-of Address (COA), so that the LER/HA knows the MN's current area.
  • COA Care-of Address
  • the COA is used to provide the current location information of the MN.
  • FIG. 2 is a flow chart of a method according to the first preferred embodiment of the present invention. Since it describes the process of establishing a security association with the LER/HA when the MN first accesses the MPLS network, the LER/FA described here is the home LER/FA, that is, the LER/FA corresponding to the MN's home address. In this embodiment the LER/FA includes only a first-level foreign agent, and may be the LER/LFA, the LER/RFA or the LER/GFA.
  • The specific process is as follows:
  • Step 201: The MN sends a registration request message to the LER/HA through the LER/FA of its current area; the registration request message carries mobile node information such as the COA of the MN and the home address of the MN.
  • The home address is a permanent address assigned to the MN by the network side and belongs to the mobile node's home link. Using the MN's home address, the routing mechanism delivers packets addressed to the MN to its home link. The home address is used to identify the security association established by the MN, and the COA provides the MN's current location information for establishing the security association.
  • The LER/FA saves the security association between itself and the MN so that it can be used by the MN in later communication, ensuring the security of the MN during communication.
  • The LER/FA negotiates with the MN to establish the security association, based on the home address and COA carried in the registration request message.
  • Step 203: The LER/FA sends the MN's registration request message to the LER/HA.
  • Step 204: After receiving the registration request message for the MN sent by the LER/FA, the LER/HA registers the MN, saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table, and establishes a security association with the MN. After the LER/HA and the MN successfully establish the security association, the LER/HA creates a security association entry for the MN in its mobile node information table, which is used to save the security association established with the MN.
  • The LER/HA negotiates with the MN to establish the security association, based on the home address and COA carried in the registration request message.
  • Steps 205 - 206: The LER/HA returns a registration response message to the MN through the LER/FA.
  • One method for establishing the security association between the MN and the LER/FA and the LER/HA may be:
  • the MN additionally carries, in the registration request message it sends, the information needed to establish a security association, for example the types of security protocol the MN can support and the types of authentication method the MN can use;
  • if the LER/FA and the LER/HA need to establish a security association with the MN, they establish it based on the security association information in the MN's registration request message and return an acknowledgment message to the MN, establishing the security association between themselves and the MN.
  • Another method for establishing the security association between the MN and the LER/FA and the LER/HA may be: after the LER/FA and the LER/HA receive the registration request message sent by the MN, they trigger an exchange with the MN to establish the security association between themselves and the MN.
  • The described LER/FA is the LER/LFA, the LER/RFA or the LER/GFA.
  • The method of establishing a security association described here applies equally to the preferred embodiments described later in the present invention.
  • Since the MN's security association is established step by step, when the MN moves from one LER/FA to another LER/FA it does not need to establish a new security association with the LER/HA; it only needs to establish a security association with the LER/FA it is moving to, and update its security association with the LER/HA.
  • FIG. 3 is a flow chart of the MN updating its security association when it moves from one LER/FA to another LER/FA. The specific steps are as follows:
  • Step 301: The MN sends a registration request message to the new LER/FA corresponding to the new area where the MN is now located; the registration request message carries mobile node information such as the COA of the MN and the home address of the MN.
  • Step 302: After receiving the registration request message sent by the MN, the new LER/FA registers the MN currently requesting registration, saves the MN's mobile node information, including the home address and the COA, in its mobile node information table, and establishes a security association with the MN. After the new LER/FA and the MN successfully establish the security association, the new LER/FA creates a security association entry for the MN in its mobile node information table, which is used to save the security association established between itself and the MN.
  • The LER/FA saves the security association between itself and the MN so that it can be used by the MN in later communication, ensuring the security of the MN during communication.
  • Step 303: The new LER/FA sends the MN's registration request message to the original LER/FA where the MN was located before moving.
  • The original LER/FA searches its mobile node information table, obtains the security association entry of the MN, and updates the COA information corresponding to the MN's current security association in that entry.
  • FIG. 4 is a system structure diagram corresponding to this preferred embodiment.
  • The system for secure communication of a mobile node comprises: MN 41, LER/FA 42 and LER/HA 43.
  • The MN 41 is mainly used to send a registration request message to the LER/FA 42.
  • The LER/FA 42 is mainly used to receive the registration request message, establish a security association with the MN 41, and send the registration request message for the MN 41 to the LER/HA 43; the LER/HA 43 is used to receive the registration request message and establish a security association with the MN 41.
  • Depending on the actual networking conditions, the described LER/FA 42 may be the LER/LFA, the LER/RFA or the LER/GFA.
  • For the process of establishing and updating the security association between the MN 401 and the LER/FA 402 and the LER/HA 403, refer to the related description of the preferred embodiment.
  • FIG. 5 is a flow chart of a method according to the second preferred embodiment of the present invention.
  • FIG. 5 depicts the case where the LER/FA includes two levels of foreign agent: the first-level LER/FA and the second-level LER/FA.
  • The process described here establishes the security association with the LER/HA when the MN first accesses the MPLS network;
  • the first-level LER/FA and the second-level LER/FA described here are both foreign agents corresponding to the MN's home location.
  • The specific process of this preferred embodiment is as follows:
  • Step 501: The MN sends a registration request message to the LER/HA through the first-level LER/FA of its current area; the registration request message carries mobile node information such as the MN's COA and the MN's home address.
  • Step 502: After receiving the registration request message sent by the MN, the first-level LER/FA registers the MN currently requesting registration and saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table.
  • The first-level LER/FA creates a security association entry for the MN in its mobile node information table, which is used to save the established security association.
  • Step 503: The first-level LER/FA sends the MN's registration request message to the second-level LER/FA.
  • Step 504: The second-level LER/FA performs the same operation as the first-level LER/FA in step 502, which is not repeated here.
  • Step 505: The second-level LER/FA sends the registration request for the MN to the LER/HA.
  • Steps 507 - 509: The LER/HA returns a registration reply message to the MN through the second-level LER/FA and the first-level LER/FA.
  • The first-level LER/FA and the second-level LER/FA can respectively be: the LER/LFA and the LER/RFA; or the LER/LFA and the LER/GFA; or the LER/RFA and the LER/GFA.
  • The flow of the MN updating the security association when the new first-level LER/FA belongs to the same second-level LER/FA is shown in FIG. 6.
  • The flow of the MN updating the security association when the MN moves to a new second-level LER/FA is shown in FIG. 7.
  • Step 601: The MN sends a registration request message to the new first-level LER/FA corresponding to its new area; the registration request message carries mobile node information such as the MN's COA and the MN's home address.
  • Step 602: After receiving the registration request message sent by the MN, the new first-level LER/FA performs the operation performed by the new LER/FA in step 302.
  • Step 603: The new first-level LER/FA sends the MN's registration request message to the second-level LER/FA where the MN is currently located.
  • The second-level LER/FA where the MN is currently located is also the second-level LER/FA to which the original first-level LER/FA belongs.
  • Step 604: The second-level LER/FA performs a registration update for the MN currently requesting registration according to the mobile node information in the registration request message, that is, it updates the MN's mobile node information recorded in its mobile node information table, including the COA.
  • Since the second-level LER/FA has already established a security association with the MN at this point, it does not need to re-establish one with the MN, but only needs to update the related information of the security association.
  • Specifically, the LER/RFA updates the COA information corresponding to the MN's current security association in the security association entry.
  • Steps 605 - 606: The second-level LER/FA returns a registration response message to the MN through the new first-level LER/FA.
  • Steps 701 - 702: The same operations as steps 601 - 602 are performed and are not repeated here.
  • Step 703: The new first-level LER/FA sends the MN's registration request message to the new second-level LER/FA where the MN is currently located.
  • Step 704: After receiving the registration request message sent by the MN, the new second-level LER/FA performs the operation performed by the new LER/FA in step 302.
  • Step 705: The new second-level LER/FA sends the MN's registration request message to the original second-level LER/FA.
  • Step 706: The original second-level LER/FA performs a registration update for the MN currently requesting registration according to the mobile node information in the registration request message, that is, it updates the MN's mobile node information recorded in its mobile node information table, including the COA; it also searches its mobile node information table, obtains the security association entry of the MN, and updates the COA information of the MN's current security association in that entry.
  • Steps 707 - 709: The original second-level LER/FA returns a registration response message to the MN through the new second-level LER/FA and the new first-level LER/FA.
  • FIG. 8 is a structural diagram of a system corresponding to the second preferred embodiment of the present invention.
  • The system includes: MN 81, LER/FA 82 and LER/HA 83.
  • LER/FA 82 includes: first-level LER/FA 821 and second-level LER/FA 822.
  • The first-level LER/FA 821 is connected to the MN 81 and the second-level LER/FA 822; the second-level LER/FA 822 is connected to the first-level LER/FA 821 and the LER/HA 83.
  • The MN 81 is mainly used to send a registration request message to the first-level LER/FA; the first-level LER/FA 821 is configured to receive the registration request message, establish a security association with the MN 81, and send the registration request message for the MN 81 to the second-level LER/FA 822; the second-level LER/FA 822 is configured to receive the registration request message, establish a security association with the MN 81, and send the registration request message for the MN 81 to the LER/HA 83; the LER/HA 83 is used to receive the registration request message and establish a security association with the MN 81.
  • For the process of establishing and updating the security association between the MN 81 and the first-level LER/FA 821, the second-level LER/FA 822 and the LER/HA 83, refer to the related description of the preferred embodiment.
  • FIG. 9 is a flow chart of a method according to the third preferred embodiment of the present invention.
  • FIG. 9 depicts the case where the LER/FA includes three levels of foreign agent.
  • The LER/FA can be the LER/LFA, the LER/RFA or the LER/GFA. The specific process is as follows:
  • Step 901: The MN sends a registration request message to the LER/HA through the LER/LFA of its current area; the registration request message carries mobile node information such as the COA of the MN and the home address of the MN.
  • Step 902: After receiving the registration request message sent by the MN, the LER/LFA registers the MN currently requesting registration, saves the MN's mobile node information, including the home address and the COA, in its mobile node information table, and establishes a security association with the MN. After the LER/LFA and the MN successfully establish the security association, the LER/LFA creates a security association entry for the MN in its mobile node information table, which is used to save the established security association.
  • The LER/LFA saves the security association between itself and the MN so that it can be used by the MN in later communication, ensuring the security of the MN during communication.
  • The LER/LFA negotiates with the MN to establish the security association, based on the home address and COA carried in the registration request message.
  • Step 903: The LER/LFA sends the MN's registration request message to the LER/RFA.
  • Step 904: After receiving the MN's registration request message sent by the LER/LFA, the LER/RFA registers the MN currently requesting registration, saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table, and establishes a security association with the MN. After the LER/RFA and the MN successfully establish the security association, the LER/RFA creates a security association entry for the MN in its mobile node information table, which is used to save the security association established between itself and the MN.
  • The LER/RFA negotiates with the MN to establish the security association, based on the home address and COA carried in the registration request message.
  • Step 905: The LER/RFA sends the MN's registration request message to the LER/GFA.
  • The LER/GFA negotiates with the MN to establish the security association, based on the home address and COA carried in the registration request message.
  • Step 907: The LER/GFA sends the MN's registration request message to the LER/HA.
  • Step 908: After receiving the MN's registration request message sent by the LER/GFA, the LER/HA registers the MN, saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table, and establishes a security association with the MN. After the LER/GFA and the MN successfully establish the security association, the LER/HA creates a security association entry for the MN in its own mobile node information table, which is used to save the security association established between itself and the MN.
  • The LER/HA negotiates with the MN to establish the security association, based on the home address and COA carried in the registration request message.
  • Steps 909 - 912: The LER/HA returns a registration response message to the MN through the LER/GFA, the LER/RFA and the LER/LFA.
  • The LER/GFA is the home LER/GFA, the LER/RFA is the home LER/RFA and the LER/LFA is the home LER/LFA; that is, the LER/GFA, LER/RFA and LER/LFA correspond to the MN's home address.
  • The four models of MN movement in the MPLS network include: intra-subnet access, which refers to the MN moving within the jurisdiction of the same LER/LFA; inter-subnet access, which refers to the MN moving between different LER/LFA jurisdictions but within the same LER/RFA jurisdiction; inter-network access, which refers to the MN moving between different LER/LFA jurisdictions but within the same LER/GFA jurisdiction; and inter-autonomous network access, which refers to the MN moving between different autonomous domains under LER/GFA jurisdiction.
  • FIG. 10 shows the process by which the MN updates its own security association when it moves from the jurisdiction of one LER/LFA to that of another LER/LFA within the same LER/RFA jurisdiction. Since the MN does not leave the jurisdiction of the same LER/RFA, when updating the security association it only needs to re-establish its security association with the new LER/LFA and update its security association with the original LER/RFA.
  • The process shown in FIG. 10 can be performed at the same time as the MN registers with the LER/HA. Since the MPLS network implements hierarchical management, the MN's registration at this point only needs to be handled by the new LER/LFA, which then registers on its behalf with the original LER/RFA.
  • The specific process is as follows:
  • Step 1001: The MN sends a registration request message to the new LER/LFA corresponding to the new area in which the MN is located.
  • The registration request message carries mobile node information such as the COA of the MN and the home address of the MN.
  • Step 1002: After receiving the registration request message sent by the MN, the new LER/LFA registers the MN currently requesting registration, saves the MN's mobile node information, including the home address and the COA, in its mobile node information table, and establishes a security association with the MN. After the new LER/LFA and the MN successfully establish the security association, the new LER/LFA creates a security association entry for the MN in its mobile node information table, which is used to save the security association established between itself and the MN.
  • The LER/LFA saves the security association between itself and the MN so that it can be used by the MN in later communication, ensuring the security of the MN during communication.
  • Step 1003: The new LER/LFA sends the MN's registration request message to the LER/RFA of the MN's current area.
  • Step 1004: The LER/RFA performs a registration update for the MN currently requesting registration according to the mobile node information in the registration request message, that is, it updates the MN's mobile node information recorded in its mobile node information table, including the COA.
  • The LER/RFA having jurisdiction over the MN does not change before and after the move. Since the LER/RFA has already established a security association with the MN, it does not need to re-establish one, but only needs to update the relevant information of the security association.
  • Specifically, the LER/RFA updates the COA information of the MN's current security association in the security association entry.
  • Steps 1005 - 1006: The LER/RFA returns a registration response message to the MN through the new LER/LFA.
  • FIG. 11 shows a process in which the MN updates the security association when the MN moves from one LER/RFA jurisdiction to another within the LER/RJFA jurisdiction within the same LER/GFA jurisdiction.
  • the MN since the MN does not exceed the jurisdiction of the same LER/GFA, when the MN updates the security association, it only needs to regenerate its own security association with the new LER/LFA and LER/RFA, and update itself and the original.
  • the security association between LER/GFA is sufficient.
  • the process of updating the security association by the MN can also be performed simultaneously in the process of registering the MN with the LER/HA.
  • Step 1101 The MN sends a registration request message to the new LER/LFA corresponding to the new area in which the MN is located.
  • The registration request message carries mobile node information such as the COA of the MN and the home address of the MN.
  • Step 1102 After receiving the registration request message sent by the MN, the new LER/LFA registers the MN currently requesting registration, saves the mobile node information of the MN, including the home address and the COA, in its mobile node information table, and establishes a security association with the MN. After the new LER/LFA and the MN successfully establish the security association, the new LER/LFA creates a security association entry for the MN in its own mobile node information table to save the security association established between itself and the MN.
  • The new LER/LFA saves its security association with the MN so that the MN can use it in later communication, ensuring the security of the MN during communication.
  • Step 1103 The new LER/LFA sends a registration request message of the MN to the new LER/RFA corresponding to the current area of the MN.
  • Step 1104 After receiving the registration request message of the MN sent by the new LER/LFA, the new LER/RFA registers the MN currently requesting registration, saves the mobile node information of the MN, including the home address and the COA, in its own mobile node information table, and negotiates a security association with the MN; after the new LER/RFA and the MN successfully establish the security association, the new LER/RFA creates a security association entry for the MN in its own mobile node information table to save the security association established between itself and the MN.
  • Step 1105 The new LER/RFA sends a registration request message of the MN to the LER/GFA of the current area of the MN.
  • Step 1106 The LER/GFA performs a registration update on the MN currently requesting registration according to the mobile node information in the registration request message, that is, it updates the mobile node information of the MN recorded in its mobile node information table, including the COA.
  • Here the MN moves from one LER/RFA jurisdiction to another within the same LER/GFA jurisdiction, so the LER/GFA serving the MN does not change before and after the move. Since this LER/GFA has already established a security association with the MN, it does not need to re-establish one; it only needs to update the related information of the security association.
  • Specifically, the LER/GFA searches its own mobile node information table, obtains the security association entry of the MN, and updates the COA information of the MN's security association in that entry.
  • Steps 1107 to 1109 The LER/GFA returns a registration response message to the MN through the new LER/RFA and the new LER/LFA.
  • FIG. 12 shows the case in which the MN moves from one LER/GFA jurisdiction to a different LER/GFA jurisdiction, i.e., across inter-AS networks.
  • In this case the MN re-establishes a security association with the new LER/GFA, and the new LER/GFA updates the security association information at the home LER/GFA.
  • The MN's security association update can be carried out at the same time as the MN's registration with the LER/HA. Since the MPLS network implements hierarchical management, the MN only needs to register with the new LER/GFA first, and the new LER/GFA then registers on the MN's behalf with the home LER/GFA. The specific process is as follows:
  • Step 1201 The MN sends a registration request message to the new LER/LFA corresponding to the new area in which the MN is currently located.
  • The registration request message carries mobile node information such as the COA of the MN and the home address of the MN.
  • Step 1202 After receiving the registration request message sent by the MN, the new LER/LFA registers the MN currently requesting registration, saves the mobile node information of the MN, including the home address and the COA, in its mobile node information table, and establishes a security association with the MN. After the LER/LFA and the MN successfully establish the security association, the LER/LFA creates a security association entry for the MN in its mobile node information table to save the security association established between itself and the MN. The LER/LFA saves this security association so that the MN can use it in later communication, ensuring the security of the MN during communication.
  • Step 1203 The new LER/LFA sends a registration request message of the MN to the new LER/RFA corresponding to the current area of the MN.
  • Step 1204 After receiving the registration request message of the MN sent by the new LER/LFA, the new LER/RFA registers the MN currently requesting registration, saves the mobile node information of the MN, including the home address and the COA, in its own mobile node information table, and establishes a security association with the MN; after the new LER/RFA and the MN successfully establish the security association, the new LER/RFA creates a security association entry for the MN in its own mobile node information table to save the security association established with the MN.
  • Step 1205 The new LER/RFA sends a registration request message of the MN to the new LER/GFA.
  • Step 1206 After receiving the registration request message of the MN sent by the new LER/RFA, the new LER/GFA registers the MN currently requesting registration, saves the mobile node information of the MN, including the home address and the COA, in its own mobile node information table, and establishes a security association with the MN; after the new LER/GFA and the MN successfully establish the security association, the new LER/GFA creates a security association entry for the MN in its mobile node information table to save the security association established between itself and the MN.
  • Step 1207 The new LER/GFA sends a registration request message of the MN to the home LER/GFA.
  • The LER/GFA currently serving the MN must forward the request to the MN's home LER/GFA so that the home LER/GFA can update the security association and the MN's registration information.
  • Step 1208 The home LER/GFA performs a registration update on the MN currently requesting registration according to the mobile node information in the registration request message, that is, it updates the mobile node information of the MN recorded in its mobile node information table, including the COA; it also searches its own mobile node information table, obtains the security association entry of the MN, and updates the COA information of the MN's security association in that entry.
  • Steps 1209 to 1212 The home LER/GFA returns a registration response message to the MN via the new LER/GFA, the new LER/RFA and the new LER/LFA.
  • FIG. 13 is a structural diagram of a system corresponding to the third preferred embodiment of the present invention.
  • The system includes: MN 1301, LER/FA 1302 and LER/HA 1303.
  • The LER/FA 1302 includes: LER/LFA 13021, LER/RFA 13022 and LER/GFA 13023.
  • LER/LFA 13021 is connected to MN 1301 and LER/RFA 13022;
  • LER/RFA 13022 is connected to LER/LFA 13021 and LER/GFA 13023;
  • LER/GFA 13023 is connected to LER/RFA 13022 and LER/HA 1303.
  • The MN 1301 is configured to send a registration request message to the LER/LFA 13021. The LER/LFA 13021 is configured to receive the registration request message of the MN 1301, establish a security association with the MN 1301, and send a registration request message for the MN 1301 to the LER/RFA 13022. The LER/RFA 13022 is configured to receive the registration request message, establish a security association with the MN 1301, and send a registration request message for the MN 1301 to the LER/GFA 13023. The LER/GFA 13023 is configured to receive the registration request message, establish a security association with the MN 1301, and send the registration request message for the MN 1301 to the LER/HA 1303. The LER/HA 1303 is configured to receive the registration request message and establish a security association with the MN 1301.
  • The present invention also provides an MN, which includes at least a requesting unit and a negotiating unit.
  • The requesting unit 1401 is configured to send a registration request message to the LER/FA.
  • The negotiating unit 1402 establishes security associations with the LER/FA and the LER/HA to secure communication.
  • The specific process by which the negotiating unit 1402 establishes a security association can be found in the three preferred embodiments of the present invention and is not described again here.
  • The process of establishing and updating the security association may be performed together with the registration of the MN; alternatively, the MN may establish the security association with the LER/FA and the LER/HA whenever it needs to.
  • In that case a security association request is sent to the LER/FA. The security association request carries at least the home address and the COA, and the LER/FA then establishes a security association with the MN. The MN's security association request is then sent on to the LER/HA, which establishes a security association with the MN in the same way.
  • When the MN establishes a security association with the LER/FA or the LER/HA, the security association request sent by the MN may further carry the authentication mode and/or security protocol that the MN can support; the LER/FA or LER/HA determines the authentication mode and/or security protocol to be used by the MN according to the security association request, and returns an acknowledgement message to the MN to establish the security association between itself and the MN.
  • The registration request described in the flowcharts of the method of the present invention is in fact a specific implementation of the security association request.

Abstract

A method for ensuring secure communication of a mobile node is disclosed, which includes the following step: the MN establishes security associations with the LER/FA and the LER/HA to ensure secure communication of the MN. A system for ensuring secure communication of an MN, and an MN, are also disclosed. The present invention establishes security associations with the LER/FA and the LER/HA level by level, so that after the MN has moved into a new area it registers directly with the nearby LER/FA without registering with the LER/HA again; the number of messages sent to the LER/HA is therefore reduced and the communication delay is lowered.

Description

Method, system and mobile node for guaranteeing secure communication of a mobile node

Technical Field
The present invention relates to network security technology, and in particular to a method for guaranteeing secure communication of a mobile node.

Background of the Invention
A Next Generation Network (NGN) is a converged network that carries voice, image, data and other telecommunication services over IP connections between communicating entities. Mobility control and transport for NGN services over Multiprotocol Label Switching (MPLS) networks is currently an active research topic. MPLS provides signaling and transport mechanisms that support quality of service (QoS), traffic engineering and virtual private network (VPN) functions. At present most mobile networks have moved to IP-based transport, and most IP routers support MPLS.
In the course of implementing the present invention, the inventor found that in a mobile network environment the mobile node (MN) is usually connected to the network over a wireless link, and the label switched paths (LSPs) attached to these access links are easily attacked. In the technology currently in use, the security mechanisms of MPLS-based networks provide no specific implementation method or processing flow to guarantee the security of the MN, so the prior art cannot guarantee secure communication of the MN in an MPLS-based network.

Summary of the Invention
In view of this, the main object of the present invention is to provide a method for guaranteeing secure communication of a mobile node; applying the method provided by the present invention can guarantee secure communication of the MN in an MPLS-based network.
A further main object of the present invention is to provide a system for guaranteeing secure communication of a mobile node, which can guarantee secure communication of the MN in an MPLS-based network.
Another main object of the present invention is to provide a mobile node that can guarantee its own secure communication in an MPLS-based network.
To achieve the above objects, the technical solution of the present invention is realized as follows:
The present invention provides a method for guaranteeing secure communication of a mobile node, in which the following step is performed: the mobile node MN establishes security associations, guaranteeing secure communication of the MN, with the label edge router/foreign agent LER/FA and with the label edge router/home agent LER/HA.
In addition, the present invention provides a system for guaranteeing secure communication of a mobile node, the system comprising an MN, an LER/FA and an LER/HA;
the MN establishes security associations guaranteeing secure communication with the LER/FA and the LER/HA. Furthermore, the present invention provides a mobile node, the MN comprising at least a requesting unit and a negotiating unit;
the requesting unit is configured to send a security association request to the LER/FA;
the negotiating unit establishes security associations guaranteeing secure communication with the LER/FA and the LER/HA.
In the method for guaranteeing secure communication of a mobile node provided by the present invention, the MN, by establishing
the security of the MN during communication. In the technical solution of the embodiments of the present invention, the MN establishes security associations with the LER/FA and the LER/HA level by level, so that after moving to a new area the MN can register directly with the nearby LER/FA without registering with the LER/HA again, which reduces the number of messages sent to the LER/HA and lowers the communication delay. In addition, the present invention provides a system for guaranteeing secure communication of a mobile node, and a mobile node.

Brief Description of the Drawings
FIG. 1 is a structural diagram of an MPLS-based network;
FIG. 2 is a flowchart of the method of the first preferred embodiment of the present invention;
FIG. 3 is a flowchart of updating a security association in the first preferred embodiment of the present invention;
FIG. 4 is a structural diagram of the system of the first preferred embodiment of the present invention;
FIG. 5 is a flowchart of the method of the second preferred embodiment of the present invention;
FIG. 6 is a flowchart of one security association update in the second preferred embodiment of the present invention;
FIG. 7 is a flowchart of another security association update in the second preferred embodiment of the present invention;
FIG. 8 is a structural diagram of the system of the second preferred embodiment of the present invention;
FIG. 9 is a flowchart of the method of the third preferred embodiment of the present invention;
FIG. 10 is a flowchart of one security association update in the third preferred embodiment of the present invention;
FIG. 11 is a flowchart of another security association update in the third preferred embodiment of the present invention;
FIG. 12 is a flowchart of a further security association update in the third preferred embodiment of the present invention;
FIG. 13 is a structural diagram of the system of the third preferred embodiment of the present invention;
FIG. 14 is a structural diagram of the mobile node of the present invention.

Mode for Carrying Out the Invention
A security association (SA) is a logical connection established between two entities that use IP security (IPsec), such as hosts or routers. A security association defines what the two communicating parties agree on for certain elements of the communication, for example the security protocol used, the protocol's operating mode, the cryptographic algorithm, the shared key that protects the data of a particular flow, and the lifetime of the key. Two IPsec entities can therefore communicate securely using an established security association.
Label Edge Router/Foreign Agent) and the label edge router/home agent (LER/HA, Label Edge Router/Home Agent), thereby guaranteeing that the MN can communicate securely.
Referring to FIG. 1, FIG. 1 is a structural diagram of an MPLS-based network. Here the LER/FA comprises three levels of foreign agent: the label edge router/local foreign agent (LER/LFA, Label Edge Router/Local Foreign Agent) is the first-level foreign agent, the label edge router/regional foreign agent (LER/RFA, Label Edge Router/Regional Foreign Agent) is the second-level foreign agent, and the label edge router/gateway foreign agent (LER/GFA, Label Edge Router/Gateway Foreign Agent) is the third-level foreign agent.
Here the LER/HA, LER/LFA, LER/RFA and LER/GFA are all MPLS-capable devices. The LER/HA is an MPLS router with home agent functionality; the LER/LFA is an MPLS router with foreign agent functionality; the LER/RFA is an MPLS router with regional foreign agent functionality; and the LER/GFA is an MPLS router with gateway foreign agent functionality, whose jurisdiction is one autonomous system.
Depending on the specific application of the MPLS network, the LER/FA may comprise only one level of foreign agent, in which case it may be an LER/LFA, an LER/RFA or an LER/GFA. The LER/FA may also comprise two levels of foreign agent, specifically: the first-level LER/FA is an LER/LFA and the second-level LER/FA is an LER/RFA; or the first-level LER/FA is an LER/LFA and the second-level LER/FA is an LER/GFA; or the first-level LER/FA is an LER/RFA and the second-level LER/FA is an LER/GFA.
FIG. 1 also shows, for the case where the LER/FA comprises three levels of foreign agent and the MN communicates with a correspondent node (CN), four models of MN movement in the MPLS network: intra-subnet access, where the MN moves within the jurisdiction of one LER/LFA; inter-subnet access, where the MN moves between different LER/LFA jurisdictions but within the same LER/RFA jurisdiction; inter-network access, where the MN moves between different LER/LFA jurisdictions but within the same LER/GFA jurisdiction; and inter-AS access, where the MN moves between autonomous systems governed by different LER/GFAs.
Preferred embodiments are now given for each of the three cases the LER/FA may take. In an MPLS network, hierarchical mobility management is applied to both Mobile IPv4 and Mobile IPv6 services. In hierarchical mobility management, the LER/LFA, LER/RFA and LER/GFA all support local registration. Local registration allows the MN, after moving to a new area, to register directly with the nearby LER/LFA, LER/RFA or LER/GFA rather than registering with the HA again.
Therefore, in this embodiment the MN establishes its security associations with the LER/HA level by level. In this way, after moving to a new area the MN can establish a security association directly with the foreign agent of the new area, without renegotiating a security association with the LER/HA, which reduces the number of exchanges needed to establish a security association with the LER/HA and reduces the handover delay.
In the embodiments of the present invention, the security association may be established while the MN requests registration with the LER/HA. The purpose of the MN registering with the LER/HA is to notify the LER/HA of its current care-of address (COA), so that the LER/HA knows which area the MN is currently in; the COA provides the MN's current location information.
Referring to FIG. 2, FIG. 2 is a flowchart of the method of the first preferred embodiment of the present invention. Since it describes the process of establishing a security association with the LER/HA when the MN first accesses the MPLS network, the LER/FA described here is the home LER/FA, i.e., the LER/FA corresponding to the MN's home address. In this embodiment the LER/FA comprises only one level of foreign agent, which may be an LER/LFA, an LER/RFA or an LER/GFA. The specific process is as follows:
Step 201: The MN sends a registration request message to the LER/HA through the LER/FA of the area it is currently in; the registration request message carries mobile node information such as the MN's COA and home address.
The home address is a permanent address assigned to the MN by the network side and belongs to the mobile node's home link; through the MN's home address, the routing mechanism delivers packets addressed to the MN to its home link. The home address identifies the security associations established by the MN. The COA provides the MN's current location information for establishing the security association.
Step 202: After receiving the registration request message sent by the MN, the LER/FA registers the MN requesting registration, saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table, and negotiates a security association with the MN; after the LER/FA and the MN have successfully established the security association, the LER/FA creates a security association entry for the MN in its own mobile node information table to save the established security association.
Here, the LER/FA saves the security association between itself and the MN so that the MN can use it in later communication, guaranteeing the security of the MN during communication.
Here, the LER/FA negotiates the security association with the MN on the basis of the home address and COA carried in the registration request message.
Step 203: The LER/FA sends the MN's registration request message to the LER/HA.
Step 204: After receiving the registration request message for the MN sent by the LER/FA, the LER/HA registers the MN, saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table, and negotiates a security association with the MN; after the LER/HA and the MN have successfully established the security association, the LER/HA creates a security association entry for the MN in its own mobile node information table to save the security association established between itself and the MN.
Here, the LER/HA negotiates the security association with the MN on the basis of the home address and COA carried in the registration request message.
Steps 205 to 206: The LER/HA returns a registration response message to the MN through the LER/FA.
In the process shown in FIG. 2, the MN may establish security associations with the LER/FA and the LER/HA as follows: the MN further carries, in the registration request message it sends, the information it uses to establish a security association, such as the kinds of security protocol the MN can support and the kinds of authentication method the MN can use. When the LER/LFA and the LER/HA need to establish a security association with the MN, the LER/FA and the LER/HA, according to the security association information in the MN's registration request message, return an acknowledgement message to the MN so as to establish a security association between themselves and the MN. Alternatively, after the LER/FA and the LER/HA receive the registration request message sent by the MN, they trigger an exchange with the MN to establish a security association with it. In the preferred embodiments of the present invention, the LER/FA described is an LER/LFA, an LER/RFA or an LER/GFA. The method of establishing a security association described here applies equally to the preferred embodiments described later.
In the technical solution provided by this preferred embodiment, because the security associations are established level by level, when the MN moves from one LER/FA to another it does not need to establish a security association with the LER/HA again; it only needs to establish a security association with the LER/FA it has moved to and is currently under, and merely update its security association with the LER/HA.
Referring to FIG. 3, FIG. 3 is a flowchart of updating the MN's security association when the MN moves from one LER/FA to another. The specific steps are as follows:
Step 301: The MN sends a registration request message to the new LER/FA corresponding to the new area it has moved to; the registration request message carries mobile node information such as the MN's COA and home address.
Step 302: After receiving the registration request message sent by the MN, the new LER/FA registers the MN requesting registration, saves the MN's mobile node information, including the home address and the COA, in its own mobile node information table, and negotiates a security association with the MN; after the LER/FA and the MN have successfully established the security association, the new LER/FA creates a security association entry for the MN in its own mobile node information table to save the security association established between itself and the MN.
Here, the LER/FA saves the security association between itself and the MN so that the MN can use it in later communication, guaranteeing the security of the MN during communication.
Step 303: The new LER/FA sends the MN's registration request message to the original LER/FA under which the MN was located before moving.
Step 304: According to the mobile node information carried in the registration request message, the original LER/FA updates the registration of the MN requesting registration, i.e., it updates the MN's mobile node information recorded in its mobile node information table, including the COA; it also searches its own mobile node information table, obtains the MN's security association entry, and updates the COA information of the MN's security association in that entry.
步骤 305 ~ 306: 原 LER/FA通过新 LER/FA向 MN返回注册应答消 另外, 参见图 4, 图 4本较佳实施例对应的系统结构图。 该保障移 动节点安全通信的系统,该系统包括: MN41、 LER/FA42以及 LER/HA43。 MN41主要用于向 LER/FA42发送注册请求消息; LER/FA42主要用于接 收注册请求消息, 与 MN41 建立安全关联, 并向 LER/HA43发送针对 MN41 的注册请求消息; LER/HA43, 用于接收所述注册请求消息, 与 MN41建立安全关联。 这里, 所描述的 LER/FA42可以实际的組网情况 可以是: LER/LFA、 或 LER/RFA、 或 LER/GFA。 另外, MN401 与 LER/FA402, 以及 LER/HA403 之间建立更新安全关联的流程可参见本 较佳实施例中的相关描述。  Steps 305 ~ 306: The original LER/FA returns a registration response to the MN through the new LER/FA. Further, referring to FIG. 4, FIG. 4 is a system structure diagram corresponding to the preferred embodiment. The system for secure communication of a mobile node, the system comprising: MN41, LER/FA42 and LER/HA43. The MN 41 is mainly used to send a registration request message to the LER/FA 42. The LER/FA 42 is mainly used to receive the registration request message, establish a security association with the MN 41, and send a registration request message for the MN 41 to the LER/HA 43; LER/HA43, for receiving The registration request message establishes a security association with the MN 41. Here, the actual networking conditions of the described LER/FA 42 may be: LER/LFA, or LER/RFA, or LER/GFA. In addition, the process of establishing an updated security association between the MN 401 and the LER/FA 402, and the LER/HA 403 can be referred to the related description in the preferred embodiment.
Referring to FIG. 5, which is a flow chart of the method of the second preferred embodiment of the present invention. FIG. 5 describes the case in which the LER/FA comprises two levels of foreign agent, a first-level LER/FA and a second-level LER/FA. As in the first preferred embodiment, the procedure described here is the one by which the MN establishes a security association with the LER/HA when it first accesses the MPLS network, so both the first-level LER/FA and the second-level LER/FA described here are the foreign agents corresponding to the MN's home location. The specific procedure of this preferred embodiment is as follows:

Step 501: The MN sends a registration request message to the LER/HA through the first-level LER/FA of the area in which it is currently located. The registration request message carries mobile node information such as the MN's COA and the MN's home address.

Step 502: After receiving the registration request message from the MN, the first-level LER/FA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the first-level LER/FA and the MN has been established, the first-level LER/FA creates a security association entry for the MN in its mobile node information table, in which it stores the established security association.

Step 503: The first-level LER/FA forwards the MN's registration request message to the second-level LER/FA.

Step 504: The second-level LER/FA performs the same operations as the first-level LER/FA in step 502; the details are not repeated here.

Step 505: The second-level LER/FA sends a registration request message for the MN to the LER/HA.

Step 506: After receiving the registration request message from the second-level LER/FA, the LER/HA performs the operations performed by the LER/HA in step 204; the details are not repeated here.

Steps 507 to 509: The LER/HA returns a registration reply message to the MN through the second-level LER/FA and the first-level LER/FA.

In this preferred embodiment, the first-level LER/FA and the second-level LER/FA may be any of the following combinations: the first-level LER/FA is a LER/LFA and the second-level LER/FA is a LER/RFA; or the first-level LER/FA is a LER/LFA and the second-level LER/FA is a LER/GFA; or the first-level LER/FA is a LER/RFA and the second-level LER/FA is a LER/GFA.

Further, in this preferred embodiment, when the MN moves from one first-level LER/FA to another first-level LER/FA, the procedure by which the MN updates its security associations is shown in FIG. 6; when the MN moves from one second-level LER/FA to another second-level LER/FA, the procedure is shown in FIG. 7. The two procedures are described in turn below.
Referring to FIG. 6, the specific procedure is as follows:

Step 601: The MN sends a registration request message to the new first-level LER/FA corresponding to the new area into which it has moved. The registration request message carries mobile node information such as the MN's COA and the MN's home address.

Step 602: After receiving the registration request message from the MN, the new first-level LER/FA performs the operations performed by the new LER/FA in step 302.

Step 603: The new first-level LER/FA forwards the MN's registration request message to the second-level LER/FA serving the MN's current location.

Because the MN has moved from one first-level LER/FA to another first-level LER/FA within the jurisdiction of the same second-level LER/FA, the second-level LER/FA serving the MN's current location is the same second-level LER/FA to which the original first-level LER/FA belongs.

Step 604: Using the mobile node information carried in the registration request message, the second-level LER/FA performs a registration update for the MN, i.e. it updates the MN's mobile node information recorded in its mobile node information table, including the COA. Since the second-level LER/FA has already established a security association with the MN, it does not need to re-establish one; it only needs to update the information associated with the existing security association. Specifically, the second-level LER/FA (for example a LER/RFA) updates the COA information of the MN's security association in the security association entry.

Steps 605 to 606: The second-level LER/FA returns a registration reply message to the MN through the new first-level LER/FA.
Referring to FIG. 7, the specific procedure is as follows:

Steps 701 to 702: The same operations as in steps 601 to 602 are performed; they are not repeated here.

Step 703: The new first-level LER/FA forwards the MN's registration request message to the new second-level LER/FA serving the MN's current location.

Step 704: After receiving the MN's registration request message, the new second-level LER/FA performs the operations performed by the new LER/FA in step 302.

Step 705: The new second-level LER/FA forwards the MN's registration request message to the original second-level LER/FA.

Step 706: Using the mobile node information carried in the registration request message, the original second-level LER/FA performs a registration update for the MN: it updates the MN's mobile node information recorded in its mobile node information table, including the COA, looks up the MN's security association entry in that table, and updates the COA information of the MN's security association in that entry.

Steps 707 to 709: The original second-level LER/FA returns a registration reply message to the MN through the new second-level LER/FA and the new first-level LER/FA.

Referring to FIG. 8, which is the system structure diagram corresponding to the second preferred embodiment of the present invention. The system comprises: MN81, LER/FA82 and LER/HA83, where LER/FA82 comprises a first-level LER/FA821 and a second-level LER/FA822. The first-level LER/FA821 is connected to MN81 and to the second-level LER/FA822; the second-level LER/FA822 is connected to the first-level LER/FA821 and to LER/HA83.

Specifically, MN81 is mainly used to send a registration request message to the first-level LER/FA821; the first-level LER/FA821 is used to receive the registration request message, establish a security association with MN81, and send a registration request message for MN81 to the second-level LER/FA822; the second-level LER/FA822 is used to receive the registration request message, establish a security association with MN81, and send a registration request message for MN81 to LER/HA83; LER/HA83 is used to receive the registration request message and establish a security association with MN81. The procedures by which MN81 establishes and updates security associations with the first-level LER/FA821, the second-level LER/FA822 and LER/HA83 are as described above for this preferred embodiment.

Here, the first-level LER/FA is a LER/LFA and the second-level LER/FA is a LER/RFA; or the first-level LER/FA is a LER/LFA and the second-level LER/FA is a LER/GFA; or the first-level LER/FA is a LER/RFA and the second-level LER/FA is a LER/GFA.

Referring to FIG. 9, which is a flow chart of the method of the third preferred embodiment of the present invention. FIG. 9 describes the case in which the LER/FA comprises three levels of foreign agent, so that a LER/FA may be a LER/LFA, a LER/RFA or a LER/GFA. The specific procedure is as follows:
Step 901: The MN sends a registration request message to the LER/HA through the LER/LFA of the area in which it is currently located. The registration request message carries mobile node information such as the MN's COA and the MN's home address.

Step 902: After receiving the registration request message from the MN, the LER/LFA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the LER/LFA and the MN has been established, the LER/LFA creates a security association entry for the MN in its mobile node information table, in which it stores the established security association.

The LER/LFA stores the security association between itself and the MN so that it can be used in the MN's subsequent communication, protecting that communication.

The security association that the LER/LFA negotiates with the MN is based on the home address and the COA carried in the registration request message.

Step 903: The LER/LFA forwards the MN's registration request message to the LER/RFA.

Step 904: After receiving the MN's registration request message from the LER/LFA, the LER/RFA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the LER/RFA and the MN has been established, the LER/RFA creates a security association entry for the MN in its mobile node information table, in which it stores the security association established with the MN.

The security association that the LER/RFA negotiates with the MN is based on the home address and the COA carried in the registration request message.

Step 905: The LER/RFA forwards the MN's registration request message to the LER/GFA.

Step 906: After receiving the MN's registration request message from the LER/RFA, the LER/GFA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the LER/GFA and the MN has been established, the LER/GFA creates a security association entry for the MN in its mobile node information table, in which it stores the security association established with the MN.

The security association that the LER/GFA negotiates with the MN is based on the home address and the COA carried in the registration request message.

Step 907: The LER/GFA forwards the MN's registration request message to the LER/HA.

Step 908: After receiving the MN's registration request message from the LER/GFA, the LER/HA registers the MN on the LER/HA, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the LER/HA and the MN has been established, the LER/HA creates a security association entry for the MN in its mobile node information table, in which it stores the security association established with the MN.

The security association that the LER/HA negotiates with the MN is based on the home address and the COA carried in the registration request message.

Steps 909 to 912: The LER/HA returns a registration reply message to the MN through the LER/GFA, the LER/RFA and the LER/LFA.

In the above procedure, the LER/GFA is the home LER/GFA, the LER/RFA is the home LER/RFA and the LER/LFA is the home LER/LFA, i.e. the LER/GFA, LER/RFA and LER/LFA corresponding to the MN's home address.
As shown in FIG. 1, there are four models of MN movement in the MPLS network: intra-subnet access, where the MN moves within the jurisdiction of a single LER/LFA; inter-subnet access, where the MN moves between different LER/LFA jurisdictions but within the jurisdiction of the same LER/RFA; inter-network access, where the MN moves between different LER/LFA jurisdictions but within the jurisdiction of the same LER/GFA; and inter-autonomous-domain access, where the MN moves between autonomous domains under the jurisdiction of different LER/GFAs.

The methods by which the MN updates its security associations are described below for each of these four network-level mobility models.

When the MN's movement is limited to intra-subnet access, the MN moves within the jurisdiction of a single LER/LFA, so no new LSP needs to be established after the move. Consequently the security association already established between the MN and the LER/HA does not need to be updated, and the MN and the CN can continue to communicate securely.

Referring to FIG. 10, which shows the procedure by which the MN updates its security associations when it moves from one LER/LFA jurisdiction to another within the jurisdiction of the same LER/RFA. Because the MN has not left the jurisdiction of that LER/RFA, it only needs to establish a new security association with the new LER/LFA and update the security association it already has with the original LER/RFA. The procedure in FIG. 10 can be carried out at the same time as the MN registers with the LER/HA. Because the MPLS network is managed hierarchically, the MN's registration at this point only has to go through the new LER/LFA, which in turn registers with the original LER/RFA. The specific procedure is as follows:

Step 1001: The MN sends a registration request message to the new LER/LFA corresponding to the new area in which it is currently located. The registration request message carries mobile node information such as the MN's COA and the MN's home address.

Step 1002: After receiving the registration request message from the MN, the new LER/LFA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the LER/LFA and the MN has been established, the new LER/LFA creates a security association entry for the MN in its mobile node information table, in which it stores the security association established with the MN.

The LER/LFA stores the security association between itself and the MN so that it can be used in the MN's subsequent communication, protecting that communication.

Step 1003: The new LER/LFA forwards the MN's registration request message to the LER/RFA of the area in which the MN is currently located.

Step 1004: Using the mobile node information carried in the registration request message, the LER/RFA performs a registration update for the MN, i.e. it updates the MN's mobile node information recorded in its mobile node information table, including the COA.

At the same time, because the MN has moved from one LER/LFA jurisdiction to another within the same LER/RFA jurisdiction, the LER/RFA serving the MN is the same before and after the move. Since that LER/RFA has already established a security association with the MN, it does not need to re-establish one and only needs to update the information associated with the existing security association. Specifically, the LER/RFA updates the COA information of the MN's security association in the security association entry.

Steps 1005 to 1006: The LER/RFA returns a registration reply message to the MN through the new LER/LFA.
Referring to FIG. 11, which shows the procedure by which the MN updates its security associations when it moves from one LER/RFA jurisdiction to another within the jurisdiction of the same LER/GFA. Because the MN has not left the jurisdiction of that LER/GFA, it only needs to establish new security associations with the new LER/LFA and the new LER/RFA and update the security association it already has with the original LER/GFA. Here too, the MN's update of its security associations can be carried out at the same time as it registers with the LER/HA. Because the MPLS network is managed hierarchically, the MN only has to register through the new LER/LFA and the new LER/RFA, and the new LER/RFA in turn registers with the original LER/GFA. The specific procedure is as follows:

Step 1101: The MN sends a registration request message to the new LER/LFA corresponding to the new area in which it is currently located. The registration request message carries mobile node information such as the MN's COA and the MN's home address.

Step 1102: After receiving the registration request message from the MN, the new LER/LFA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the new LER/LFA and the MN has been established, the new LER/LFA creates a security association entry for the MN in its mobile node information table, in which it stores the security association established with the MN.

The new LER/LFA stores the security association between itself and the MN so that it can be used in the MN's subsequent communication, protecting that communication.

Step 1103: The new LER/LFA forwards the MN's registration request message to the new LER/RFA corresponding to the area in which the MN is currently located.

Step 1104: After receiving the MN's registration request message from the new LER/LFA, the new LER/RFA registers the MN, saves the MN's mobile node information, including its home address and COA, in its own mobile node information table, and negotiates a security association with the MN. Once the security association between the new LER/RFA and the MN has been established, the new LER/RFA creates a security association entry for the MN in its mobile node information table, in which it stores the security association established with the MN.

Step 1105: The new LER/RFA forwards the MN's registration request message to the LER/GFA of the area in which the MN is currently located.

Step 1106: Using the mobile node information carried in the registration request message, the LER/GFA performs a registration update for the MN, i.e. it updates the MN's mobile node information recorded in its mobile node information table, including the COA.

At the same time, because the MN has moved from one LER/RFA jurisdiction to another within the same LER/GFA jurisdiction, the LER/GFA serving the MN is the same before and after the move. Since that LER/GFA has already established a security association with the MN, it does not need to re-establish one and only needs to update the information associated with the existing security association. The LER/GFA looks up the MN's security association entry in its own mobile node information table and updates the COA information of the MN's security association in that entry.

Steps 1107 to 1109: The LER/GFA returns a registration reply message to the MN through the new LER/RFA and the new LER/LFA.
参见图 12, 图 12为当 MN在两个不同 LER/GFA管辖区域内,从一 个 LER/GFA管辖区域移动到另一个 LER/GFA管辖区域内的情况, 即跨 自治域网络间访问。 在这种情况下, 在 MN移动到新 LER/GFA管辖区 域内, 则向新 LER/GFA 重新建立安全关联, 由新 LER/GFA 向家乡 LER/GFA进行安全关联信息更新。 这里, MN更新安全关联的过程, 可 以伴随着 MN向 LER/HA注册的过程同时进行。由于 MPLS网络实行层 次化管理, 因此 MN只需先向新 LER/GFA进行注册, 再由新 LER/GFA 向家乡 LER/GFA进行注册即可。 具体过程如下所示:  Referring to Figure 12, Figure 12 shows the case when the MN moves from one LER/GFA jurisdiction to another within the LER/GFA jurisdiction in two different LER/GFA jurisdictions, i.e., across inter-AS networks. In this case, after the MN moves into the new LER/GFA jurisdiction, the security association is re-established to the new LER/GFA, and the new LER/GFA updates the security association information to the home LER/GFA. Here, the process of updating the security association by the MN can be performed simultaneously with the process of registering the MN with the LER/HA. Since the MPLS network implements hierarchical management, the MN only needs to register with the new LER/GFA first, and then register with the new LER/GFA to the home LER/GFA. The specific process is as follows:
步骤 1201 : MN向自身当前所在新区域对应的新 LER/LFA发送注 册请求消息, 注册请求消息中携带 MN的 COA和 MN的家乡地址等移 动节点信息。  Step 1201: The MN sends a registration request message to the new LER/LFA corresponding to the new area in which the MN is currently located. The registration request message carries the mobile node information such as the COA of the MN and the home address of the MN.
步骤 1202: 新 LER/LFA收到 MN发送来的注册请求消息后, 对当 前请求注册的 MN进行注册, 将 MN的移动节点信息, 包括家乡地址以 及 COA地址保存在自身的移动节点信息表中, 并与 MN协商建立安全 关联; 待 LER/LFA与 MN成功建立安全关联后, LER/LFA为 MN在自 身的移动节点信息表中建立安全关联条目, 用于保存自身与 MN建立的 安全关联。 这里, LER/LFA保存自身与 MN之间安全关联的目的在于, 供 MN 在以后的通信过程中使用, 保障 MN在通信过程中的安全性。 Step 1202: After receiving the registration request message sent by the MN, the new LER/LFA registers the MN currently requesting registration, and saves the mobile node information of the MN, including the home address and the COA address, in its mobile node information table. And establishing a security association with the MN. After the LER/LFA and the MN successfully establish a security association, the LER/LFA establishes a security association entry for the MN in its mobile node information table, and is used to save the security association established between itself and the MN. Here, the LER/LFA saves the security association between itself and the MN in order to be used by the MN in future communication processes to ensure the security of the MN in the communication process.
步骤 1203:新 LER/LFA向 MN当前所在区域对应的新 LER/RFA发 送 MN的注册请求消息。  Step 1203: The new LER/LFA sends a registration request message of the MN to the new LER/RFA corresponding to the current area of the MN.
步骤 1204:新 LER7RFA收到新 LER/LFA发送的 MN的注册请求消 息后, 对当前请求注册的 MN进行注册, 将 MN的移动节点信息, 包括 家乡地址以及 COA地址保存在自身的移动节点信息表中, 并与 MN协 商建立安全关联; 待新 LER/RFA 与 MN 成功建立安全关联后, 新 LER/RFA为 MN在自身的移动节点信息表中建立安全关联条目,用于保 存自身与 MN建立的安全关联。  Step 1204: After receiving the registration request message of the MN sent by the new LER/LFA, the new LER7RFA registers the MN currently requesting registration, and saves the mobile node information of the MN, including the home address and the COA address, in its own mobile node information table. And establishing a security association with the MN; after the new LER/RFA and the MN successfully establish a security association, the new LER/RFA establishes a security association entry for the MN in its own mobile node information table, and is used to save the established relationship with the MN. Security association.
Step 1205: The new LER/RFA forwards the MN's registration request message to the new LER/GFA.
Step 1206: On receiving the MN's registration request message from the new LER/RFA, the new LER/GFA registers the MN, stores the MN's mobile node information, including its home address and CoA, in its own mobile node information table, and negotiates a security association with the MN. Once the new LER/GFA and the MN have established the security association, the new LER/GFA creates a security association entry for the MN in its mobile node information table and stores in it the security association it has established with the MN.
Step 1207: The new LER/GFA forwards the MN's registration request message to the home LER/GFA. Whenever the MN moves between regions administered by two different LER/GFAs, whether or not the region it left was administered by the home LER/GFA, the LER/GFA now serving the MN must update the MN's security association and location information at the MN's home LER/GFA after the move.
Step 1208: Using the mobile node information carried in the registration request message, the home LER/GFA updates the MN's registration, that is, it updates the MN's mobile node information recorded in its mobile node information table, including the CoA. It then looks up the MN's security association entry in that table and updates the CoA recorded in the MN's current security association.
Steps 1209 to 1212: The home LER/GFA returns a registration reply message to the MN via the new LER/GFA, the new LER/RFA and the new LER/LFA.
FIG. 13 is a structural diagram of the system corresponding to the third preferred embodiment of the invention. The system comprises MN 1301, LER/FA 1302 and LER/HA 1303. LER/FA 1302 comprises LER/LFA 13021, LER/RFA 13022 and LER/GFA 13023. LER/LFA 13021 is connected to MN 1301 and LER/RFA 13022; LER/RFA 13022 is connected to LER/LFA 13021 and LER/GFA 13023; LER/GFA 13023 is connected to LER/RFA 13022 and LER/HA 1303.
MN 1301 sends a registration request message to LER/LFA 13021. LER/LFA 13021 receives the registration request message from MN 1301, establishes a security association with MN 1301, and sends a registration request message for MN 1301 to LER/RFA 13022. LER/RFA 13022 receives that registration request message, establishes a security association with MN 1301, and sends a registration request message for MN 1301 to LER/GFA 13023. LER/GFA 13023 receives the registration request message, establishes a security association with MN 1301, and sends a registration request message for MN 1301 to LER/HA 1303. LER/HA 1303 receives the registration request message and establishes a security association with MN 1301. The procedure by which MN 1301 establishes and updates security associations with LER/LFA 13021, LER/RFA 13022, LER/GFA 13023 and LER/HA 1303 is as described in this preferred embodiment.
The invention also provides an MN that comprises at least a request unit and a negotiation unit. The request unit 1401 sends registration request messages to the LER/FA. The negotiation unit 1402 establishes, with the LER/FA and the LER/HA, the security associations that secure communication; the procedure it follows is as described in the three preferred embodiments and is not repeated here. In the embodiments of the invention, security associations may be established and updated as part of the MN's registration; alternatively, when the MN needs to, the MN may itself initiate level-by-level establishment of security associations with the LER/FA and the LER/HA. Because establishing a security association during registration relies mainly on the home address and CoA carried in the registration request message, establishing a security association without a registration request only requires that the MN send a security association request to the LER/FA carrying at least the home address and CoA; after the LER/FA has established its security association with the MN, the LER/FA forwards the MN's security association request to the LER/HA, which establishes its own security association with the MN in the same way.
When the MN establishes a security association by sending a security association request, the MN may establish it with the LER/FA or the LER/HA as follows: the security association request additionally carries the authentication methods and/or security protocols the MN supports; the LER/FA or LER/HA selects from that request the authentication method and/or security protocol it will use with the MN, returns an acknowledgement message to the MN, and thereby establishes the security association between itself and the MN. The registration request described in the method flowcharts of the invention is therefore one specific implementation of a security association request.
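The following is an added example and is not part of the patent text or of any Huawei implementation: a small Python simulation of the level-by-level security association setup described in steps 1202 to 1212 and in the remarks above on security association requests. The node names, the layout of the mobile node information table, the candidate authentication methods (`aka`, `psk`) and security protocols (`esp`, `ah`), the addresses, and the `LERNode`/`MobileNode` classes are all assumptions made for illustration. Each node picks the first method in the MN's preference list that it also supports, stores the resulting SA in the MN's table entry, and forwards the request to the next level; the example generalises step 1208 slightly, in that any node already holding an SA for the MN (the home node after a move) only refreshes the care-of address instead of renegotiating.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class SARequest:
    """Security association request; a registration request carries the same fields."""
    home_address: str
    coa: str                        # care-of address
    auth_methods: List[str]         # what the MN supports, preferred first
    security_protocols: List[str]

@dataclass
class SecurityAssociation:
    node: str                       # the LER this SA was negotiated with
    coa: str
    auth_method: str
    security_protocol: str

@dataclass
class MNEntry:
    """One row of a node's mobile node information table."""
    home_address: str
    coa: str
    sa: Optional[SecurityAssociation] = None

@dataclass
class LERNode:
    """An LER acting as LFA, RFA, GFA or HA; `parent` is the next level up (assumed model)."""
    name: str
    auth_methods: List[str]
    security_protocols: List[str]
    parent: Optional["LERNode"] = None
    table: Dict[str, MNEntry] = field(default_factory=dict)

    def negotiate(self, req: SARequest) -> SecurityAssociation:
        """Pick the first method/protocol the MN offers that this node also supports."""
        auth = next((a for a in req.auth_methods if a in self.auth_methods), None)
        proto = next((p for p in req.security_protocols if p in self.security_protocols), None)
        if auth is None or proto is None:
            raise ValueError(f"{self.name}: no common method/protocol with {req.home_address}")
        return SecurityAssociation(self.name, req.coa, auth, proto)

    def handle(self, req: SARequest, reply: List[SecurityAssociation]) -> None:
        entry = self.table.get(req.home_address)
        if entry is not None and entry.sa is not None:
            # Already holds an SA for this MN (the home node after a move, step 1208):
            # refresh the CoA in the table entry and in the SA, keep the SA itself.
            entry.coa = entry.sa.coa = req.coa
            reply.append(entry.sa)
        else:
            # New node for this MN (steps 1202/1204/1206): register it, negotiate,
            # and store the SA in the new table entry.
            sa = self.negotiate(req)
            self.table[req.home_address] = MNEntry(req.home_address, req.coa, sa)
            reply.append(sa)
        if self.parent is not None:
            self.parent.handle(req, reply)  # steps 1203/1205/1207: forward one level up

@dataclass
class MobileNode:
    home_address: str
    auth_methods: List[str]
    security_protocols: List[str]
    sas: Dict[str, SecurityAssociation] = field(default_factory=dict)  # keyed by node name

    def register(self, lfa: LERNode, coa: str) -> List[SecurityAssociation]:
        """Send the request to the local LER/LFA; the reply path (steps 1209-1212)
        brings back one SA per level, which the MN keeps for its later traffic."""
        req = SARequest(self.home_address, coa, self.auth_methods, self.security_protocols)
        reply: List[SecurityAssociation] = []
        lfa.handle(req, reply)
        for sa in reply:
            self.sas[sa.node] = sa
        return reply

def build_chain(home: LERNode) -> LERNode:
    """New LFA -> RFA -> GFA chain hanging off the MN's home node (assumed names/policies)."""
    gfa = LERNode("new-LER/GFA", ["aka", "psk"], ["esp", "ah"], parent=home)
    rfa = LERNode("new-LER/RFA", ["aka", "psk"], ["esp"], parent=gfa)
    return LERNode("new-LER/LFA", ["psk"], ["esp", "ah"], parent=rfa)

def demo() -> Dict[str, object]:
    """Constructed scenario: the MN registered earlier at CoA 10.0.1.7, then moves
    into a region served by a new LFA/RFA/GFA and re-registers from 10.0.9.42."""
    home = LERNode("home-LER/HA", ["aka", "psk"], ["esp", "ah"])
    mn = MobileNode("2001:db8::1", ["aka", "psk"], ["esp", "ah"])
    home.handle(SARequest(mn.home_address, "10.0.1.7", mn.auth_methods, mn.security_protocols), [])
    reply = mn.register(build_chain(home), "10.0.9.42")
    return {
        "reply_nodes": [sa.node for sa in reply],
        "home_coa": home.table[mn.home_address].coa,
        "home_auth": home.table[mn.home_address].sa.auth_method,
        "lfa_auth": mn.sas["new-LER/LFA"].auth_method,
        "sa_count": len(mn.sas),
    }
```

Calling `demo()` returns the reply path in upward order, the home entry refreshed to the new CoA with its original authentication method kept, and four SAs held by the MN. One caveat a deployment has to settle that the text above leaves open: as described, nothing protects the list of supported authentication methods and security protocols inside the request, so each node should enforce its own minimum policy rather than accept whatever intersection the request yields; otherwise an on-path party able to alter the request could remove the stronger options.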
The foregoing describes only preferred embodiments of the invention and does not limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims

1. A method for securing the communication of a mobile node, characterized in that:
the mobile node (MN) establishes, with a label edge router/foreign agent (LER/FA) and with a label edge router/home agent (LER/HA), security associations that secure the MN's communication.
2. The method according to claim 1, characterized in that the LER/FA is a label edge router/local foreign agent (LER/LFA), a label edge router/regional foreign agent (LER/RFA), or a label edge router/gateway foreign agent (LER/GFA).
3. The method according to claim 2, characterized in that the MN establishing security associations with the LER/FA and the LER/HA comprises the following steps:
A1. the MN sends a security association request to the LER/FA;
B1. on receiving the MN's security association request, the LER/FA establishes a security association with the MN and sends a security association request for the MN to the LER/HA;
C1. on receiving that security association request, the LER/HA establishes a security association with the MN.
4. The method according to claim 1, characterized in that the LER/FA comprises a first-level LER/FA and a second-level LER/FA.
5. The method according to claim 4, characterized in that the MN establishing security associations with the LER/FA and the LER/HA comprises the following steps:
A2. the MN sends a security association request to the first-level LER/FA;
B2. on receiving the MN's security association request, the first-level LER/FA establishes a security association with the MN and sends a security association request for the MN to the second-level LER/FA;
C2. on receiving that security association request, the second-level LER/FA establishes a security association with the MN and sends a security association request for the MN to the LER/HA;
D2. on receiving that security association request, the LER/HA establishes a security association with the MN.
6. The method according to claim 4 or 5, characterized in that:
the first-level LER/FA is the LER/LFA and the second-level LER/FA is the LER/RFA;
or the first-level LER/FA is the LER/LFA and the second-level LER/FA is the LER/GFA;
or the first-level LER/FA is the LER/RFA and the second-level LER/FA is the LER/GFA.
7. The method according to claim 1, characterized in that the LER/FA comprises an LER/LFA, an LER/RFA and an LER/GFA.
8. The method according to claim 7, characterized in that the MN establishing security associations with the LER/FA and the LER/HA comprises the following steps:
A3. the MN sends a security association request to the LER/LFA;
B3. on receiving the MN's security association request, the LER/LFA establishes a security association with the MN and sends a security association request for the MN to the LER/RFA;
C3. on receiving that security association request, the LER/RFA establishes a security association with the MN and sends a security association request for the MN to the LER/GFA;
D3. on receiving that security association request, the LER/GFA establishes a security association with the MN and sends a security association request for the MN to the LER/HA;
E3. on receiving that security association request, the LER/HA establishes a security association with the MN.
9. The method according to claim 1, 2, 3, 4, 5, 7 or 8, characterized in that the security association request includes at least the MN's home address, its care-of address, and the security protocols and/or authentication methods the MN can use;
and establishing the security association comprises establishing it with the MN according to the care-of address, the MN's home address, and the security protocols and/or authentication methods carried in the security association request.
10. The method according to claim 9, characterized in that updating the security association comprises updating the care-of address in the MN's security association according to the MN's current care-of address carried in the security association request.
11. The method according to claim 1, 2, 3, 4, 5, 7 or 8, characterized in that the security association request is a registration request sent by the MN.
12. A system for securing the communication of a mobile node, characterized in that the system comprises an MN, an LER/FA and an LER/HA;
the MN is connected to the LER/FA and the LER/HA and establishes, with the LER/FA and the LER/HA, security associations that secure communication.
13. The system according to claim 12, characterized in that the LER/FA is an LER/LFA, an LER/RFA or an LER/GFA.
14. The system according to claim 13, characterized in that:
the MN sends a security association request;
the LER/FA receives the security association request sent by the MN, establishes a security association with the MN, and sends a security association request for the MN;
the LER/HA receives the security association request sent by the LER/FA and establishes a security association with the MN.
15. The system according to claim 12, characterized in that the LER/FA comprises a first-level LER/FA and a second-level LER/FA;
the first-level LER/FA is connected to the MN and to the second-level LER/FA;
the second-level LER/FA is connected to the first-level LER/FA and to the LER/HA.
16. The system according to claim 15, characterized in that:
the MN sends a security association request;
the first-level LER/FA receives the security association request sent by the MN, establishes a security association with the MN, and sends a security association request for the MN;
the second-level LER/FA receives the security association request sent by the first-level LER/FA, establishes a security association with the MN, and sends a security association request for the MN;
the LER/HA receives the security association request sent by the second-level LER/FA and establishes a security association with the MN.
17. The system according to claim 15 or 16, characterized in that:
the first-level LER/FA is the LER/LFA and the second-level LER/FA is the LER/RFA;
or the first-level LER/FA is the LER/LFA and the second-level LER/FA is the LER/GFA;
or the first-level LER/FA is the LER/RFA and the second-level LER/FA is the LER/GFA.
18. The system according to claim 12, characterized in that the LER/FA comprises an LER/LFA, an LER/RFA and an LER/GFA;
the LER/LFA is connected to the MN and to the LER/RFA;
the LER/RFA is connected to the LER/LFA and to the LER/GFA;
the LER/GFA is connected to the LER/RFA and to the LER/HA.
19. The system according to claim 18, characterized in that:
the MN sends a security association request;
the LER/LFA receives the security association request sent by the MN, establishes a security association with the MN, and sends a security association request for the MN;
the LER/RFA receives the security association request sent by the LER/LFA, establishes a security association with the MN, and sends a security association request for the MN;
the LER/GFA receives the security association request sent by the LER/RFA, establishes a security association with the MN, and sends a security association request for the MN;
the LER/HA receives the security association request sent by the LER/GFA and establishes a security association with the MN.
20. An MN, characterized in that the MN comprises at least a request unit and a negotiation unit;
the request unit sends security association requests to the LER/FA;
the negotiation unit establishes, with the LER/FA and the LER/HA, security associations that secure communication.
PCT/CN2007/001127 2006-06-30 2007-04-09 A method, system for ensuring the security communication of mobile node and a mobile node WO2008003208A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610091147.1 2006-06-30
CNA2006100911471A CN101098228A (en) 2006-06-30 2006-06-30 Method for guaranteeing safety communication of mobile node

Publications (1)

Publication Number Publication Date
WO2008003208A1 true WO2008003208A1 (en) 2008-01-10

Family

ID=38894181

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/001127 WO2008003208A1 (en) 2006-06-30 2007-04-09 A method, system for ensuring the security communication of mobile node and a mobile node

Country Status (2)

Country Link
CN (1) CN101098228A (en)
WO (1) WO2008003208A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7848329B2 (en) * 2008-09-30 2010-12-07 Verizon Patent And Licensing Inc. Handoffs in hierarchical mobility label-based network
CN104661279B (en) * 2011-04-13 2018-04-20 Deutsche Telekom AG Method for transmitting an MPLS header, method for establishing an MPLS path, and method for performing an MPLS path switchover

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1386339A (en) * 2000-08-05 2002-12-18 Samsung Electronics Co., Ltd. Packet transmission method for mobile internet
CN1706152A (en) * 2002-11-20 2005-12-07 Nokia Corporation Routing optimization proxy in IP networks
US7035640B2 (en) * 2003-05-15 2006-04-25 Motorola, Inc. Method for improving the reliability of low latency handoffs

Also Published As

Publication number Publication date
CN101098228A (en) 2008-01-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07720700; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
NENP Non-entry into the national phase (Ref country code: RU)
122 Ep: pct application non-entry in european phase (Ref document number: 07720700; Country of ref document: EP; Kind code of ref document: A1)