WO2011120276A1 - Method and system for a terminal to establish a connection - Google Patents
Method and system for a terminal to establish a connection
- Publication number
- WO2011120276A1 (PCT/CN2010/076142)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- initiator
- location
- mapping
- responder
- connection
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/12—Setup of transport tunnels
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Definitions
- the present invention relates to IPSPLIT (ID/locator separation in NGN) technology, and more particularly to a method and system for establishing a connection in an IPSPLIT network.
- IPSPLIT ID/locator separation in NGN
- each layer's protocol entity has its own name space, namely: the media access control (MAC, Media Access Control) address of the link layer, the IP address of the network layer, the IP address and port number of the transport layer, and the domain name of the application layer.
- MAC media access control
- IP IP address
- port number: the transport-layer port number, unique within the host
- the MAC address is only required to be unique within the subnet and the port number only within the host, so the Internet has two important global name spaces: the IP address and the domain name.
- the domain name and IP address are resolved by a domain name server (DNS, Domain Name Server).
- DNS Domain Name Server
- the IP address has a dual function as both the location identifier of the communication terminal host network interface of the network layer in the network topology and the identity of the transport layer host network interface.
- Transmission Control Protocol/Internet Protocol (TCP/IP) was not designed with host mobility in mind, but with the development of Next Generation Networks (NGN), the problems of user mobility and host multi-homing are becoming more and more common, and the semantic overload defect of the IP address is becoming more and more obvious.
- NGN Next Generation Networks
- when the IP address of the host changes, not only does the route change but the identity of the communication terminal host also changes. A change of route is acceptable, but a change of the host identity causes applications and connections to be interrupted.
- IPSPLIT identity and location separation in next-generation networks
- NGN next-generation networks
- the host identifier (Node ID) is used as the identity of the host, and the host identifier is used to uniquely identify each host connected to the Internet in the world. The purpose is to separate the transport layer from the network layer.
- in an IPSPLIT network, the IP address only indicates the routing location of the communication terminal host in the network topology. IPSPLIT technology solves the semantic overload problem of IP addresses by separating the dual functions of the IP address, supporting mobility, multi-homing, dynamic reassignment of IP addresses, and inter-access between different network regions.
- FIG. 1 is a schematic diagram of the architecture of the existing IPSPLIT network system.
- a bold one-dot chain line indicates a control signal
- a bold two-dot chain line indicates a management signal
- a bold dotted line indicates a media stream.
- the IPSPLIT network architecture includes a network access control part, an identity and location separation control part, an identity and location separation mapping part, a resource control part, a transport part, a service control function part, and a user terminal/user network part.
- the network access control part provides functions such as registration, authentication authorization, address allocation, parameter configuration, and location management for the user terminal/user network accessing the NGN network, such as the network attachment control function (NACF, shown in FIG. 1).
- NACF network attachment control function
- the identity and location separation control functions store and dynamically update identity and location separation ID/LOC mappings.
- the resource control part performs functions such as admission control and resource reservation when the user terminal/user network accesses the network, based on policy and network resource status, such as the Resource and Admission Control Functions (RACF) in the ITU-T NGN network and the Access Management Functions in NGN.
- the transmission part completes the transmission of information, such as the Transport Functions in the ITU-T NGN network.
- the Service Control Functions part is part of the service stratum and performs registration, authentication and authorization, and resource control functions at the service level, such as the service terminal authentication and authorization procedure in the ITU-T NGN network.
- the user terminal/user network part provides network access functions to the user, such as User Equipment (UE, User Equipment) in the ITU-T NGN network.
- UE User Equipment
- FIG. 2 is a schematic diagram of the functional framework of the existing IPSPLIT system, as shown in Figure 2, where NACF contains the following functional entities:
- Transport User Profile Functional Entity (TUP-FE), responsible for saving user information related to the transport level
- the Transport Authentication and Authorization Functional Entity (TAA-FE) provides the transport-layer authentication and authorization function and performs authentication and authorization checks on the user's network access based on the user information;
- the Access Management Functional Entity (AM-FE) translates and converts a network access request initiated by a user, and sends a request for assigning an IP address and other network configuration parameters to the NAC-FE;
- the Transport Location Management Functional Entity (TLM-FE) registers the IP address assigned to the user and other network location information provided by the NAC-FE;
- the Network Access Configuration Functional Entity (NAC-FE) assigns an IP address to the user terminal and may assign other network configuration parameters to the user terminal, such as the address of the DNS server and the address of the signalling proxy;
- the identity and location separation mapping storage function entity (ILMS-FE, Id-loc-split mapping storage function entity) serves as the user identity and location separation mapping storage entity in the NGN and stores the mapping between the user identity Node ID and one or more locations LOC;
- the identity and location separation mapping update function entity (ILMU-FE, Id-loc-split mapping update function entity) serves as the user identity and location separation mapping update entity in the NGN and updates the mapping between the user identity Node ID and one or more locations LOC.
- the functional entities included in the transfer function are as follows:
- the identity and location separation mapping function entity (ILM-FE, Id-loc-split mapping function entity) serves as the mapping database entity of the user identity and location separation system in the NGN and implements the mapping between the user identity Node ID and one or more locations LOC;
- the policy enforcement functional entity (PE-FE) is the functional entity for transport-layer policy enforcement.
- the service entity includes a function entity (SUP-FE, Service User Profile Functional Entity), which is used to configure user information of the service layer.
- SUP-FE Service User Profile Functional Entity
- the functions included in the UE are identity and location separation mapping functions (ILMF, Id-loc-Mapping functions).
- the host-based IPSPLIT uses the HIP (Node Identity Protocol) protocol.
- the HIP protocol is an end-to-end protocol.
- Figure 3 is a schematic diagram of the host connection establishment procedure using the HIP protocol. As shown in Figure 3, the procedure includes: when the initiator wants to initiate a HIP connection to the responder, the initiator host first registers its own IP address and identity identifier Node ID_I with the Rendezvous Server (RVS server), and the initiator obtains the address of the RVS server where the responder is located by querying the directory server DNS.
- RVS server Rendezvous Server
- the initiator sends the authentication packet I1 to the RVS server where the responder is located, carrying at least the initiator's identity identifier Node ID_I and the responder's identity identifier Node ID_R; the RVS server looks up the current IP address of the responder host,
- the RVS server forwards the corresponding authentication packet I1 to the responder, and the responder replies with the R1 message, that is, the response message.
- from the third packet onward, the I2 message and the R2 message in the figure can carry data in the basic exchange.
- the main purpose of the present invention is to provide a method and system for a terminal to establish a connection, which implements the procedure by which terminals establish a connection in an IPSPLIT network where transport and control are separated.
- a method for a terminal to establish a connection, applied in an IPSPLIT network in which identity and location are separated in a next-generation network.
- after the initiator has completed registration and authentication, the method further includes: the initiator obtains the address of the mapping server where the responder is located through a domain name server (DNS) query; the initiator sends an ID/LOC mapping query message to the mapping server and obtains the location information of the responder; the mapping server stores the identity and location mapping of terminals;
- the initiator establishes a connection with the responder according to the obtained location information.
- the establishment of the connection between the initiator and the responder includes:
- the initiator sends a message carrying the location information of its own location to the responder; after verifying the received message, the responder updates the mapping between its local association and its own address and returns a response message to the location of the initiator; the initiator replies to the responder with a response confirmation message;
- after receiving the response confirmation message, the responder confirms that verification of the initiator's location has succeeded and establishes a connection with the initiator.
- the response message returned by the responder to the initiator's location carries a response parameter for verifying the location information of the initiator's location, and a security parameter index.
- the message sent by the initiator to the responder also carries the lifetime of the location information of the initiator's location.
- if no response is received from the responder within a preset period after the message is sent, the method further includes:
- the initiator resends the message carrying the location information of its own location.
- the mapping server where the responder is located is the identity and location separation mapping storage function entity ILMS-FE or the identity and location separation mapping update function entity ILMU-FE.
- a system for a terminal to establish a connection, the system including at least an initiator, a DNS, a mapping server, and a responder, where
- the initiator is configured to obtain the address of the mapping server where the responder is located through a domain name server (DNS) query, send an ID/LOC mapping query message to the mapping server to obtain the location information of the responder, and establish a connection with the responder according to the obtained location information;
- the DNS is used to receive the query of the initiator, and provide the address of the mapping server where the responder is located.
- the mapping server is configured to receive the query of the initiator, obtain the location information of the responder by using the identity identifier and the location mapping query, and return the location information to the initiator. Save the identity and location mapping of the terminal, ie ID/LOC mapping;
- Responder used to establish a connection with the initiator.
- the initiator is further configured to perform data encapsulation for sending, or decapsulation, with the responder using a secure encapsulation protocol (ESP) channel.
- the mapping server is an identity and location separation mapping storage function entity ILMS-FE, or an identity and location separation mapping update function entity ILMU-FE.
- the initiator obtains the address of the mapping server where the responder is located through a domain name server (DNS) query; the initiator finds the address of the responder through an ID/LOC mapping query at the mapping server where the responder is located;
- DNS domain name server
- the initiator and responder establish a connection through a basic exchange.
- service access uses the identity identifier Node ID; the terminal connection procedure finds the location of the peer user through the identity identifier and establishes a connection directly between the initiator and the responder, which not only implements the procedure by which terminals establish a connection when transport and control are separated, but also ensures the reliability of the connection.
- FIG. 1 is a schematic structural diagram of an existing IPSPLIT network system
- FIG. 2 is a schematic diagram of a functional framework of an existing IPSPLIT system
- FIG. 3 is a schematic diagram of a process of establishing a host connection using the existing HIP protocol
- FIG. 4 is a schematic flowchart of a method for establishing a connection by a terminal according to the present invention
- FIG. 5 is a flowchart of an embodiment of a method for a terminal to implement connection establishment according to the present invention.
- FIG. 4 is a schematic flowchart of a method for establishing a connection by a terminal according to the present invention. As shown in FIG. 4, in an IPSPLIT network, when an initiator initiates a connection to a responder, after the initiator completes the registration authentication, the method includes:
- the initiator obtains the address of the mapping server where the responder is located through a DNS query. Then, through that mapping server, the initiator performs an ID/LOC mapping query using the responder's identity identifier and finds the responder's location information (LOC); the mapping server stores the identity and location mapping of terminals, i.e. the ID/LOC mapping.
- the initiator establishes a connection with the responder based on the obtained location information.
- sender and the responder perform data encapsulation transmission or decapsulation operations through an IPSec Encapsulating Security Protocol (ESP) channel.
- ESP IPSec Encapsulating Security Protocol
- the application and the service layer are mapped with the identity identifier, and the identity identifier is unchanged when the terminal changes due to the location, so that the service and the application are not interrupted.
- service access uses the identity identifier Node ID
- the terminal connection process finds the peer user through the identity identifier, which not only realizes the process of establishing connection between the terminal in the case of separation of transmission and control, but also ensures the reliability of the connection.
- the system includes at least an initiator, a DNS, a mapping server, and a responder, where
- the initiator is configured to obtain the address of the mapping server where the responder is located through a domain name server (DNS) query, send an ID/LOC mapping query message to the mapping server to obtain the location information of the responder, and establish a connection with the responder according to the obtained location information;
- the DNS is used to receive the query of the initiator, and provide the address of the mapping server where the responder is located.
- the mapping server is configured to receive the query of the initiator, find the location information of the responder through an identity and location mapping query using the responder's identity identifier and return it to the initiator, and store the identity and location mapping of terminals, i.e. the ID/LOC mapping;
- Responder used to establish a connection with the initiator.
- the initiator is also used to perform operations such as data encapsulation transmission or decapsulation with the responder using the Secure Encapsulation Protocol (ESP) channel.
- ESP Secure Encapsulation Protocol
- FIG. 5 is a flowchart of an embodiment of a method for establishing a connection by a terminal according to the present invention.
- FIG. 5 assumes that the initiator is UE1 and the responder is UE2. After UE1 has completed registration and authentication, UE1 starts the connection establishment procedure, which, as shown in FIG. 5, includes the following steps:
- Step 500 UE1 queries the DNS server to obtain the IP address of the mapping server where UE2 is located.
- the mapping server refers to ILMS-FE or ILMU-FE.
- Step 501 The UE1 sends an ID/LOC mapping query (ID/LOC mapping query) to the mapping server where the UE2 is located, where the identity identifier of the UE2 is carried.
- ID/LOC mapping query: a query to the mapping server carrying the identity identifier of the responder
- Step 502 The mapping server of the UE2 obtains the LOC information of the UE2 by using the identity identifier of the UE2, and carries the obtained LOC information of the UE2 in the ID/LOC mapping response to the UE1.
- the mapping server where UE2 is located stores the identity and location mapping of the terminal, that is, the ID/LOC mapping.
- Step 503 The UE1 is connected to the UE2, and specifically includes:
- UE1 sends a message carrying the LOC information of its own location to UE2.
- the message also carries the identity identifier Node ID1 of UE1, the identity identifier Node ID2 of UE2 and a security parameter index, and the parameters include the lifetime of the LOC information of UE1's location.
- after sending the message, UE1 waits for an acknowledgement from UE2. Further, if no response is received from UE2 within the preset period, the message may be retransmitted.
- after receiving and verifying the message sent by UE1, UE2 updates the mapping between its local association and the UE2 address and returns a response message to the location of UE1 (indicated by the LOC information of UE1's location). At the same time, in order to verify the LOC information of UE1's location, UE2 carries a response parameter in the response message; the response message also carries the security parameter index.
- UE1 processes the response message from UE2 and replies to UE2 with a response confirmation message. After receiving the response confirmation message, UE2 considers the verification of the LOC information of UE1's location to have completed successfully and establishes the connection between UE1 and UE2.
- the specific implementation of the verification between the initiator and the responder can be implemented in various ways, and is not intended to limit the scope of the present invention.
- the present invention emphasizes that access to the service uses an identity identifier, and the terminal connection process finds the location of the peer user through the identity identifier and establishes a connection directly between the initiator and the responder.
- after the connection between UE1 and UE2 has been established, UE1 and UE2 use the ESP channel to perform data encapsulation for sending, decapsulation and similar operations.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Method and system for a terminal to establish a connection
Technical Field
The present invention relates to identity and location separation in next-generation networks (IPSPLIT, ID/locator separation in NGN) technology, and in particular to a method and system for a terminal to establish a connection in an IPSPLIT network.
Background Art
At present, in the layered structure of the Internet, every layer's protocol entity apart from the physical layer has its own name space, namely: the media access control (MAC, Media Access Control) address of the link layer, the IP address of the network layer, the IP address and port number of the transport layer, and the domain name of the application layer. Among these name spaces, the MAC address only needs to be unique within a subnet and the port number only needs to be unique within a host, so the Internet has two important global name spaces, the IP address and the domain name. Resolution between domain names and IP addresses is performed by the domain name server (DNS, Domain Name Server). In such a name-space structure the IP address has a dual role: at the network layer it is the location identifier of the communication terminal host's network interface in the network topology, and at the transport layer it is the identity identifier of the host's network interface.
The Transmission Control Protocol/Internet Protocol (TCP/IP) was not designed with host mobility in mind. With the development of Next Generation Networks (NGN, Next Generation Networks), however, the problems of user mobility and host multi-homing are becoming more and more common, and this semantic overload defect of the IP address is becoming increasingly obvious. When the IP address of a host changes, not only does the route change, but the identity identifier of the communication terminal host also changes. A change of route is acceptable, but a change of the host identity identifier causes applications and connections to be interrupted.
To support user mobility and host multi-homing, and to better support call continuity, the industry proposed the identity and location separation in next-generation networks (IPSPLIT, ID/locator separation in NGN) technology. In IPSPLIT technology a host identifier (Node ID) is used as the identity identifier of a host; the host identifier globally and uniquely identifies every host connected to the Internet. Its purpose is to separate the transport layer from the network layer, giving the Internet a secure method for host mobility and multi-homing, and further to provide a cryptographic host identifier name space so that the two communicating parties can be authenticated more easily, thereby achieving a secure and trustworthy network system. In an IPSPLIT network, the IP address only indicates the routing location of the communication terminal host in the network topology. IPSPLIT technology solves the semantic overload problem of IP addresses by separating the dual functions of the IP address, thereby supporting mobility, multi-homing, dynamic reassignment of IP addresses, and inter-access between different network regions.
FIG. 1 is a schematic diagram of the architecture of the existing IPSPLIT network system. In FIG. 1 a bold single-dot chain line indicates a control signal, a bold double-dot chain line indicates a management signal, and a bold dashed line indicates a media stream. As shown in FIG. 1, the IPSPLIT network architecture includes a network access control part, an identity and location separation control part, an identity and location separation mapping part, a resource control part, a transport part, a service control function part, and a user terminal/user network part. The network access control part provides functions such as registration, authentication and authorization, address allocation, parameter configuration and location management for user terminals/user networks accessing the NGN network, for example the Network Attachment Control Functions (NACF) shown in FIG. 1. The identity and location separation control functions (ILCF, Id-loc-control functions) store and dynamically update the identity and location separation ID/LOC mapping. The resource control part, based on policy and network resource status, performs admission control, resource reservation and similar functions when the user terminal/user network accesses the network, for example the Resource and Admission Control Functions (RACF) in the ITU-T NGN network and the Access Management Functions in NGN. The transport part performs the transmission of information, for example the Transport Functions in the ITU-T NGN network. The Service Control Functions part belongs to the service stratum and performs registration, authentication and authorization, resource control and similar functions at the service level, for example the service terminal authentication and authorization procedure in the ITU-T NGN network. The user terminal/user network part provides network access functions to users, for example the User Equipment (UE, User Equipment) in the ITU-T NGN network.
FIG. 2 is a schematic diagram of the functional framework of the existing IPSPLIT system. As shown in FIG. 2, NACF contains the following functional entities:
Transport User Profile Functional Entity (TUP-FE), responsible for saving user information related to the transport level;
Transport Authentication and Authorization Functional Entity (TAA-FE), which provides the transport-layer authentication and authorization function and performs authentication and authorization checks on a user's network access based on the user information;
Access Management Functional Entity (AM-FE), which translates and converts network access requests initiated by the user and sends requests for allocation of an IP address and other network configuration parameters to the NAC-FE;
Transport Location Management Functional Entity (TLM-FE), which registers the IP address allocated to the user and other network location information provided by the NAC-FE;
Network Access Configuration Functional Entity (NAC-FE), which allocates an IP address to the user terminal and may also allocate other network configuration parameters to the user terminal, such as the address of the DNS server and the address of the signalling proxy;
Identity and location separation mapping storage function entity (ILMS-FE, Id-loc-split mapping storage function entity), which serves as the user identity and location separation mapping storage entity in the NGN and stores the mapping between the user identity Node ID and one or more locations LOC;
Identity and location separation mapping update function entity (ILMU-FE, Id-loc-split mapping update function entity), which serves as the user identity and location separation mapping update entity in the NGN and updates the mapping between the user identity Node ID and one or more locations LOC.
The transport functions contain the following functional entities:
Identity and location separation mapping function entity (ILM-FE, Id-loc-split mapping function entity), which serves as the mapping database entity of the user identity and location separation system in the NGN and implements the mapping between the user identity Node ID and one or more locations LOC;
Policy enforcement functional entity (PE-FE), the functional entity for transport-layer policy enforcement.
The functional entity contained in the service control functions is the Service User Profile Functional Entity (SUP-FE), which is responsible for configuring service-layer user information.
The functions contained in the UE are the identity and location separation mapping functions (ILMF, Id-loc-Mapping functions).
Host-based IPSPLIT uses the endpoint identity protocol (HIP, Node Identity Protocol). The HIP protocol is an end-to-end protocol. FIG. 3 is a schematic diagram of the host connection establishment procedure using the HIP protocol. As shown in FIG. 3, the host connection establishment procedure using the HIP protocol includes: when the initiator wants to initiate a HIP connection to the responder, the initiator host first registers its own IP address and identity identifier Node ID_I with the Rendezvous Server (RVS server), and the initiator obtains the address of the RVS server where the responder is located by querying the directory server DNS.
The initiator sends the authentication packet I1 to the RVS server where the responder is located, carrying at least the initiator's identity identifier Node ID_I and the responder's identity identifier Node ID_R. The RVS server looks up the current IP address of the responder host and forwards the corresponding authentication packet I1 to the responder, and the responder replies with the R1 message, i.e. the response message. From the third packet onward, i.e. the I2 message and the R2 message in the figure, data can be carried in the basic exchange.
However, the prior art contains no implementation method for host-based IPSPLIT HIP connection establishment.
Summary of the Invention
In view of this, the main purpose of the present invention is to provide a method and system for a terminal to establish a connection, which can implement the procedure by which terminals establish a connection in an IPSPLIT network where transport and control are separated.
To achieve the above purpose, the technical solution of the present invention is implemented as follows:
A method for a terminal to establish a connection, applied in an IPSPLIT network with identity and location separation in a next-generation network; after the initiator has completed registration and authentication, the method further includes: the initiator obtains the address of the mapping server where the responder is located through a domain name server (DNS) query; the initiator sends an ID/LOC mapping query message to the mapping server and obtains the location information of the responder, the mapping server storing the identity and location mapping of terminals;
the initiator establishes a connection with the responder according to the obtained location information.
The initiator and responder establishing a connection includes:
the initiator sends a message carrying the location information of its own location to the responder; after verifying the received message, the responder updates the mapping between its local association and its own address and returns a response message to the location of the initiator; the initiator replies to the responder with a response confirmation message;
after receiving the response confirmation message, the responder confirms that verification of the initiator's location has succeeded and establishes the connection with the initiator.
The message sent by the initiator to the responder also carries the initiator's identity identifier, the responder's identity identifier and a security parameter index;
the response message returned by the responder to the initiator's location carries a response parameter used to verify the location information of the initiator's location, and a security parameter index.
The message sent by the initiator to the responder also carries the lifetime of the location information of the initiator's location.
If, after the sender has sent the message to the responder, no response is received from the responder within a preset period of time, the method further includes:
the initiator resends the message carrying the location information of its own location.
The mapping server where the responder is located is the identity and location separation mapping storage function entity ILMS-FE or the identity and location separation mapping update function entity ILMU-FE.
A system for a terminal to establish a connection, the system including at least an initiator, a DNS, a mapping server and a responder, where
the initiator is configured to obtain the address of the mapping server where the responder is located through a domain name server (DNS) query, send an ID/LOC mapping query message to the mapping server to obtain the location information of the responder, and establish a connection with the responder according to the obtained location information;
the DNS is configured to receive the initiator's query and provide the address of the mapping server where the responder is located;
the mapping server is configured to receive the initiator's query, obtain the location information of the responder through an identity and location mapping query and return it to the initiator, and store the identity and location mapping of terminals, i.e. the ID/LOC mapping;
the responder is configured to establish a connection with the initiator.
The initiator is further configured to perform data encapsulation for sending, or decapsulation, with the responder using a secure encapsulation protocol ESP channel.
The mapping server is the identity and location separation mapping storage function entity ILMS-FE or the identity and location separation mapping update function entity ILMU-FE.
As can be seen from the technical solution of the present invention described above, it includes: the initiator obtains the address of the mapping server where the responder is located through a domain name server (DNS) query; the initiator finds the address of the responder through an ID/LOC mapping query at the mapping server where the responder is located; and the initiator and responder establish a connection through a basic exchange. In the method of the present invention, service access uses the identity identifier Node ID, the terminal connection procedure finds the location of the peer user through the identity identifier, and a connection is established directly between the initiator and the responder, which not only implements the procedure by which terminals establish a connection when transport and control are separated, but also ensures the reliability of the connection.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the architecture of the existing IPSPLIT network system;
FIG. 2 is a schematic diagram of the functional framework of the existing IPSPLIT system;
FIG. 3 is a schematic diagram of the existing host connection establishment procedure using the HIP protocol;
FIG. 4 is a schematic flowchart of the method of the present invention for a terminal to establish a connection;
FIG. 5 is a flowchart of an embodiment of the method of the present invention for a terminal to establish a connection.
Detailed Description
FIG. 4 is a schematic flowchart of the method of the present invention for a terminal to establish a connection. As shown in FIG. 4, in an IPSPLIT network, when an initiator wants to initiate a connection to a responder, after the initiator has completed registration and authentication the method includes:
First, the initiator obtains the address of the mapping server where the responder is located through a DNS query. Then, through the mapping server where the responder is located, the initiator performs an ID/LOC mapping query and uses the responder's identity identifier Node ID to find the responder's location information (LOC); the mapping server stores the identity and location mapping of terminals, i.e. the ID/LOC mapping.
Finally, the initiator establishes a connection with the responder according to the obtained location information.
Further, the sender and responder perform data encapsulation for sending, or decapsulation, through an IPSec encapsulating security protocol (ESP) channel. The specific implementation belongs to the prior art and is not described further here.
In an IPSPLIT network, applications and the service layer are mapped to the identity identifier, and the identity identifier does not change when a terminal's location changes, so services and applications are not interrupted. In the method of the present invention, service access uses the identity identifier Node ID and the terminal connection procedure finds the peer user through the identity identifier, which not only implements the procedure by which terminals establish a connection when transport and control are separated, but also ensures the reliability of the connection.
For the method of the present invention, a system for a terminal to establish a connection is also provided. As shown in FIG. 4, it includes at least an initiator, a DNS, a mapping server and a responder, where
the initiator is configured to obtain the address of the mapping server where the responder is located through a domain name server (DNS) query, send an ID/LOC mapping query message to the mapping server to obtain the location information of the responder, and establish a connection with the responder according to the obtained location information;
the DNS is configured to receive the initiator's query and provide the address of the mapping server where the responder is located;
the mapping server is configured to receive the initiator's query, use the responder's identity identifier Node ID in an identity and location mapping query to find the location information of the responder and return it to the initiator, and store the identity and location mapping of terminals, i.e. the ID/LOC mapping;
the responder is configured to establish a connection with the initiator.
The initiator is further configured to perform data encapsulation for sending, decapsulation and similar operations with the responder using a secure encapsulation protocol (ESP) channel.
FIG. 5 is a flowchart of an embodiment of the method of the present invention for a terminal to establish a connection. In FIG. 5 it is assumed that the initiator is UE1 and the responder is UE2. After UE1 has completed registration and authentication, UE1 starts the connection establishment procedure, which, as shown in FIG. 5, includes the following steps:
Step 500: UE1 queries the DNS server to obtain the IP address of the mapping server where UE2 is located. In this step the mapping server refers to the ILMS-FE or the ILMU-FE.
Step 501: UE1 sends an ID/LOC mapping query to the mapping server where UE2 is located, carrying the identity identifier of UE2.
Step 502: The mapping server where UE2 is located uses the identity identifier of UE2 to look up and obtain the LOC information of UE2, and returns the obtained LOC information of UE2 to UE1 carried in an ID/LOC mapping response. The mapping server where UE2 is located stores the identity and location mapping of terminals, i.e. the ID/LOC mapping.
Step 503: Connection establishment between UE1 and UE2, which specifically includes:
UE1 sends a message carrying the LOC information of its own location to UE2. This message also carries the identity identifier Node ID1 of UE1, the identity identifier Node ID2 of UE2 and a security parameter index, and the parameters include the lifetime of the LOC information of UE1's location. After sending this message, UE1 waits for an acknowledgement from UE2. Further, if no response is received from UE2 within a preset period of time, the message may be resent.
After receiving and verifying the message sent by UE1, UE2 updates the mapping between its local association and the UE2 address and returns a response message to the location of UE1 (indicated by the LOC information of UE1's location). At the same time, in order to verify the LOC information of UE1's location, UE2 carries a response parameter in the response message; the response message should also carry the security parameter index.
UE1 processes the response message from UE2 and replies to UE2 with a response confirmation message. After receiving the response confirmation message, UE2 considers the verification of the LOC information of UE1's location to have completed successfully and establishes the connection between UE1 and UE2.
It should be noted that the verification between the initiator and the responder may be implemented in a number of existing ways, which are not used here to limit the scope of protection of the present invention. What the present invention emphasises is that service access uses the identity identifier, that the terminal connection procedure finds the location of the peer user through the identity identifier, and that a connection is established directly between the initiator and the responder.
After the connection between UE1 and UE2 has been established, UE1 and UE2 use the ESP channel to perform data encapsulation for sending, decapsulation and similar operations.
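The following is an added illustration, not code from the patent or from any implementation by the applicant: a Python simulation of steps 500 to 503 of the embodiment (and of the same method as summarised in the Definitions list), with a DNS record, an ID/LOC mapping server, an initiator UE1 and a responder UE2. The Node IDs, LOCs, message field names and the nonce-based return-routability check used as the "response parameter" are all assumptions made for this example; the patent deliberately leaves the verification mechanism open. The simulation also exercises the two failure modes the text touches on only briefly: a request lost in transit, which the initiator retransmits after a timeout, and an initiator that claims a LOC at which it is not actually reachable, which the responder refuses to connect.

```python
"""Added simulation (not the patent's own code) of the Fig. 5 procedure: DNS query,
ID/LOC mapping query, then a basic exchange in which the responder verifies the
initiator's claimed LOC before accepting the connection.  Every name, address and
message field here is constructed for the example."""
import secrets


class Network:
    """Constructed transport stand-in: delivers to the host attached at a LOC; the
    first `drop` sends are lost so the initiator's retransmission path is exercised."""
    def __init__(self, drop=0):
        self.drop, self.hosts = drop, {}

    def attach(self, loc, host):
        self.hosts[loc] = host

    def send(self, to_loc, msg):
        if self.drop > 0:
            self.drop -= 1
            return None                       # lost in transit: the sender sees a timeout
        host = self.hosts.get(to_loc)
        return host.receive(msg) if host else None


class Responder:
    """UE2: keeps a local association per peer and accepts the connection only after
    the initiator proves it is reachable at the LOC it claimed (step 503)."""
    def __init__(self, node_id, loc, net):
        self.node_id, self.loc, self.net = node_id, loc, net
        self.assoc = {}          # peer Node ID -> (peer LOC, SPI, lifetime)
        self.pending = {}        # peer Node ID -> response parameter awaiting confirmation
        self.connected = set()

    def receive(self, msg):
        if msg["type"] == "REQUEST":
            if msg["dst_id"] != self.node_id or msg["lifetime"] <= 0:
                return None                   # message fails verification
            self.assoc[msg["src_id"]] = (msg["src_loc"], msg["spi"], msg["lifetime"])
            # response parameter: a fresh nonce sent to the *claimed* LOC; only a host
            # really at that LOC can echo it back (return-routability check, an assumption)
            param = secrets.token_hex(8)
            self.pending[msg["src_id"]] = param
            return self.net.send(msg["src_loc"],
                                 {"type": "RESPONSE", "param": param, "spi": msg["spi"]})
        if msg["type"] == "CONFIRM":
            expected = self.pending.pop(msg["src_id"], None)
            if expected is None or msg["param"] != expected:
                return False                  # LOC verification failed: no connection
            self.connected.add(msg["src_id"])
            return True                       # connection established
        return None


class Initiator:
    """UE1: runs steps 500-503 and retransmits the request when no response arrives."""
    def __init__(self, node_id, loc, claimed_loc=None):
        self.node_id, self.loc = node_id, loc
        self.claimed_loc = claimed_loc or loc   # a dishonest host could claim another LOC
        self.inbox, self.attempts = [], 0

    def receive(self, msg):
        self.inbox.append(msg)

    def connect(self, peer_id, dns, net, retries=3, lifetime=300):
        # step 500: DNS names the responder's mapping server (ILMS-FE/ILMU-FE stand-in);
        # steps 501-502: the ID/LOC mapping query there returns the responder's LOC
        peer_loc = dns.get(peer_id, {}).get(peer_id)
        if peer_loc is None:
            return False
        spi = secrets.randbelow(2 ** 32)
        request = {"type": "REQUEST", "src_id": self.node_id, "dst_id": peer_id,
                   "src_loc": self.claimed_loc, "spi": spi, "lifetime": lifetime}
        for _ in range(retries):                # step 503, with retransmission on timeout
            self.attempts += 1
            self.inbox.clear()
            net.send(peer_loc, request)
            response = next((m for m in self.inbox
                             if m["type"] == "RESPONSE" and m["spi"] == spi), None)
            if response is not None:
                break
        else:
            return False                      # no response within the retry budget
        confirm = {"type": "CONFIRM", "src_id": self.node_id, "param": response["param"]}
        return net.send(peer_loc, confirm) is True


def establish(drop=0, claimed_loc=None):
    """Wire UE1/UE2 up with constructed LOCs and run the exchange; returns
    (initiator reports success, request attempts, responder holds the connection)."""
    net = Network(drop=drop)
    ue1 = Initiator("NodeID1", "10.0.1.5", claimed_loc)
    ue2 = Responder("NodeID2", "10.0.2.7", net)
    net.attach(ue1.loc, ue1)
    net.attach(ue2.loc, ue2)
    mapping_server = {ue2.node_id: ue2.loc}     # UE2's ID/LOC mapping (ILMS-FE stand-in)
    dns = {ue2.node_id: mapping_server}         # DNS record: Node ID -> its mapping server
    ok = ue1.connect(ue2.node_id, dns, net)
    return ok, ue1.attempts, ue1.node_id in ue2.connected
```

`establish()` runs the normal case; `establish(drop=1)` loses the first request and shows the retransmission; `establish(claimed_loc="10.0.9.9")` shows the responder refusing a connection whose response message never comes back from the claimed LOC. Sending the response parameter to the claimed LOC rather than to whatever address the request arrived from is what makes the LOC claim checkable: a design that accepted the confirmation from any address would let a host register a LOC it does not hold.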
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention; any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims
1. A method for a terminal to establish a connection, applied in an IPSPLIT network with identity and location separation in a next-generation network, characterised in that, after the initiator has completed registration and authentication, the method further includes:
the initiator obtains the address of the mapping server where the responder is located through a domain name server (DNS) query; the initiator sends an ID/LOC mapping query message to the mapping server and obtains the location information of the responder, wherein the mapping server stores the identity and location mapping of terminals;
the initiator establishes a connection with the responder.
2. The method according to claim 1, characterised in that the initiator and responder establishing a connection includes:
the initiator sends a message carrying the location information of its own location to the responder; after verifying the received message, the responder updates the mapping between its local association and its own address and returns a response message to the location of the initiator; the initiator replies to the responder with a response confirmation message;
after receiving the response confirmation message, the responder confirms that verification of the initiator's location has succeeded and establishes the connection with the initiator.
3. The method according to claim 2, characterised in that the message sent by the initiator to the responder also carries the initiator's identity identifier, the responder's identity identifier and a security parameter index;
the response message returned by the responder to the initiator's location carries a response parameter used to verify the location information of the initiator's location, and a security parameter index.
4. The method according to claim 3, characterised in that the message sent by the initiator to the responder also carries the lifetime of the location information of the initiator's location.
5. The method according to claim 4, characterised in that if, after the sender has sent the message to the responder, no response is received from the responder within a preset period of time, the method further includes: the initiator resends the message carrying the location information of its own location.
6. The method according to claim 1, characterised in that the mapping server where the responder is located is the identity and location separation mapping storage function entity ILMS-FE or the identity and location separation mapping update function entity ILMU-FE.
7. A system for a terminal to establish a connection, characterised in that the system includes at least an initiator, a DNS, a mapping server and a responder, where
the initiator is configured to obtain the address of the mapping server where the responder is located through a domain name server (DNS) query, send an ID/LOC mapping query message to the mapping server to obtain the location information of the responder, and establish a connection with the responder according to the obtained location information;
the DNS is configured to receive the initiator's query and provide the address of the mapping server where the responder is located;
the mapping server is configured to receive the initiator's query, obtain the location information of the responder through an identity and location mapping query and return it to the initiator, and store the identity and location mapping of terminals, i.e. the ID/LOC mapping;
the responder is configured to establish a connection with the initiator.
8. The system according to claim 7, characterised in that the initiator is further configured to perform data encapsulation for sending, or decapsulation, with the responder using a secure encapsulation protocol ESP channel.
9. The system according to claim 7 or 8, characterised in that the mapping server is the identity and location separation mapping storage function entity ILMS-FE or the identity and location separation mapping update function entity ILMU-FE.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010101405793A CN102209012A (zh) | 2010-03-29 | 2010-03-29 | Method and system for a terminal to establish a connection |
CN201010140579.3 | 2010-03-29 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011120276A1 true WO2011120276A1 (zh) | 2011-10-06 |
Family
ID=44697683
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/076142 WO2011120276A1 (zh) | 2010-03-29 | 2010-08-19 | Method and system for a terminal to establish a connection |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102209012A (zh) |
WO (1) | WO2011120276A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104378335A (zh) * | 2013-08-15 | 2015-02-25 | 中兴通讯股份有限公司 | Node registration method and system, node resolution method and system, and gateway |
WO2019017835A1 (zh) * | 2017-07-20 | 2019-01-24 | 华为国际有限公司 | Network authentication method, related device and system |
CN108924954B (zh) * | 2018-07-29 | 2023-11-14 | 江苏博克斯科技股份有限公司 | Wireless-network-based water pollution monitoring method and system |
CN114067447B (zh) * | 2020-07-31 | 2024-10-18 | 阿里巴巴集团控股有限公司 | Electronic ticket information processing method and apparatus, and electronic device |
WO2024168882A1 (zh) * | 2023-02-17 | 2024-08-22 | 京东方科技集团股份有限公司 | Information interaction method and apparatus, computing device, and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1801764A (zh) * | 2006-01-23 | 2006-07-12 | 北京交通大学 | Internet access method based on identity and location separation |
US20080005275A1 (en) * | 2000-06-02 | 2008-01-03 | Econnectix, Llc | Method and apparatus for managing location information in a network separate from the data to which the location information pertains |
CN101656765A (zh) * | 2009-09-14 | 2010-02-24 | 中兴通讯股份有限公司 | Name-address mapping system and data transmission method for an identity-location separation network |
2010
- 2010-03-29 CN CN2010101405793A patent/CN102209012A/zh active Pending
- 2010-08-19 WO PCT/CN2010/076142 patent/WO2011120276A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN102209012A (zh) | 2011-10-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10848735 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase |
Ref country code: DE |
122 | Ep: pct application non-entry in european phase |
Ref document number: 10848735 Country of ref document: EP Kind code of ref document: A1 |