CN103051611A - Security mobility management method in identity and location separation system - Google Patents


Info

Publication number
CN103051611A
Authority
CN
China
Prior art keywords
eid
atr
message
packet header
mobile node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201210530551XA
Other languages
Chinese (zh)
Other versions
CN103051611B (en)
Inventor
刘颖
唐建强
周华春
张宏科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jiaotong University
Priority to CN201210530551.XA
Publication of CN103051611A
Application granted
Publication of CN103051611B
Legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a secure mobility management method in an identity and location separation system. An access network serves as a mobility management domain; each access network consists of several subnets, and each subnet is controlled by an access tunnel router. The tunnel router acts as the mobility anchor of the mobile nodes in the domain and stores their location information; the data of a mobile node's secure intra-domain handover is carried by tunnels and forwarded by routing on the local locator. Within the access network the AAA (Authentication, Authorization and Accounting) server establishes security associations in advance with the tunnel router and the access tunnel routers, and the access tunnel routers share a group key with the AAA server; the mobile node and the HAAA (Home Authentication, Authorization and Accounting) server negotiate a shared key in advance. Before the mobile node roams into a different network it first completes its initial secure access in its home domain, and when the mobile node moves, the connection between the mobile node and its correspondent node is not interrupted.

Description

Secure mobility management method in an identity and location separation system
Technical field
The present invention relates to a secure mobility management method in an identity and location separation system and belongs to the technical field of computer networks.
Background technology
The current Internet faces a serious routing scalability problem. The IPv4 BGP routing table has kept growing rapidly in recent years and now exceeds 400,000 entries, which is a great challenge to the processing and storage capacity of core routers. As IPv6 is gradually deployed, its huge address space will lead to an even larger BGP routing table. To solve routing scalability and related problems, researchers in various countries have proposed schemes such as ILNP, LISP, GLI-Split, Ivip and the Integrated Identifier Network. In general, all of these schemes are based on a Locator/Identifier Separation architecture.
An identity and location separation system splits the traditional IP address into an Endpoint Identifier (EID) and a Locator (LOC). The endpoint identifier represents the identity of the terminal, is used by the transport and application layers to identify the terminal, is unique, and does not change with the terminal's location; the locator represents the topological position at which the terminal attaches to the network and changes as the terminal moves. At the same time, the system separates the core network from the access networks (AN, Access Network), reducing the impact of access-network routing changes on the core routing table. In the core network, packets are routed and forwarded by locator. Within an access network, terminals communicate as in today's network; between access networks, the tunnel routers at the source and destination ends perform tunnel encapsulation and decapsulation of the packets according to the mapping information (EID-to-LOC). A tunnel router queries the mapping system for the mapping information it needs and keeps the most recently used mappings in a map cache. The mapping information of terminals is stored and maintained by the mapping system; several mapping system schemes already exist, for example LISP-ALT, DHT-MAP, FIRM and LISP-TREE.
With the spread of mobile devices and the rapid growth in mobile subscribers, the demand for mobile communication keeps increasing. To support mobility in an identity and location separation system, a secure and efficient mobility management protocol has to be defined. Current research concentrates on the design of basic mobility management schemes for such systems, focusing on reducing handover delay and packet loss, and does not consider security.
Prior art 1: the LISP-MN scheme.
LISP-MN is a host-based mobility management scheme in which the mobile node performs the functions of a tunnel router, i.e. packet encapsulation and decapsulation. The mobile node uses the Map Server (MS) as its mobility anchor. When the mobile node moves, its endpoint identifier (EID) stays constant, the network assigns it a new locator (LOC), and the mobile node registers its new mapping directly with the map server. At the same time, the mobile node actively notifies the tunnel router of its correspondent so that it updates the mapping. As the number of mobile nodes grows, the number of map-update messages received by the map server grows with it, increasing the load on the mapping system.
Shortcomings of prior art 1 (LISP-MN):
1. The protocol stack of the mobile node must be modified to give it tunnel-router functionality, contrary to LISP's original intention of not modifying the host protocol;
2. Handover delay, packet loss and signalling overhead remain problems;
3. As the number of mobile nodes grows, the load on the map server increases, affecting the scalability of the mapping system;
4. The security of mobile node handover is not considered.
Prior art 2: the IM scheme.
IM is a network-based mobility solution. According to the size of the movement range, IM divides mobile node movement into inter-domain and intra-domain movement. Inter-domain movement is movement of the mobile node between mobility management domains; intra-domain movement is movement within one mobility management domain. In IM, the tunnel router that acts as the Rendezvous Point of a domain is the mobility anchor. When the mobile node moves within a domain, the tunnel router sends a Proxy Binding Update message to the rendezvous point announcing the mobile node's location and sets up a tunnel to carry the mobile node's data. When the mobile node moves between domains, the inter-domain rendezvous point tunnel routers carry the mobile node's data through a tunnel, and the rendezvous point tunnel router updates the mapping information at the correspondent's tunnel router to complete route optimisation.
Shortcomings of prior art 2 (IM):
1. When the mobile node moves, data sent to it by nodes in the same mobility management domain suffers high packet loss;
2. The security of mobile node handover is not considered.
The present invention is proposed to address the shortcomings of the prior art described above.
Summary of the invention
The invention provides a secure mobility management method in an identity and location separation system. It provides mobility management for the identity and location separation system, ensures that the mobile node's handovers are secure, has low authentication delay and handover delay, and can prevent man-in-the-middle attacks, replay attacks and message tampering attacks.
The present invention proposes a network-based secure mobility management protocol for an identity and location separation system. The protocol does not require modifying the protocol stack of the mobile node, and the mobile node can roam in the network without its session connections being interrupted. The protocol specifies the secure access procedure of the mobile node, its secure intra-domain handover procedure and its secure inter-domain handover procedure. It supports local authentication and mutual authentication, can prevent man-in-the-middle attacks, replay attacks, message tampering attacks and the like, and has low authentication delay and handover delay.
The technical solution adopted by the present invention to solve the technical problem is a secure mobility management method in an identity and location separation system in which an Access Tunnel Router (ATR) is introduced as the Mobile Access Gateway (MAG) of the mobile node, its address being the Local Locator (LLOC);
an Access Network (AN) serves as a Mobile Domain (MD); one access tunnel router controls one subnet, and each access network consists of several subnets;
the Tunnel Router (TR) acts as the mobility anchor of the mobile node (MN) within the domain and stores the location information (EID-LLOC) of the mobile nodes in the domain; the data of a mobile node's secure intra-domain handover is carried by tunnels and forwarded by routing on the local locator;
each access network has at least one AAA server;
within the access network, the AAA server has established a Security Association in advance with the tunnel router and the access tunnel routers; the Security Association specifies the protocol type, encryption algorithm, authentication mode, shared key, key lifetime and similar parameters that protect the communication between the AAA server, the tunnel router and the access tunnel routers;
within the access network, the access tunnel routers and the AAA server share a Group Key in advance;
the mobile node and the Home AAA server (HAAA) have negotiated a shared key in advance; before the mobile node roams into a different network, it must first complete its initial secure access in its home domain;
the HAAA and the Visited AAA server (VAAA) have shared a key and the identification information of the mobile node in advance; otherwise the mobile node cannot roam in that visited domain;
when the mobile node moves, the connection between the mobile node and the Correspondent Node (CN) is not interrupted.
Beneficial effects of the present invention: the invention lets an identity and location separation system support mobility without modifying the protocol stack of the mobile node; when the mobile node roams in the network, its session connections need not be interrupted; the invention secures the initial access of the mobile node as well as its intra-domain and inter-domain handovers; it supports local authentication of the mobile node in different mobility management domains, reducing authentication delay and handover delay, supports mutual authentication between the mobile node and the network, and can prevent man-in-the-middle attacks, replay attacks, message tampering attacks and the like.
Description of drawings
The present invention is further described below with reference to the drawings and embodiments.
Fig. 1 is a schematic diagram of the initial secure access procedure of the mobile node according to the present invention;
Fig. 2 shows the secure intra-domain handover procedure of the mobile node;
Fig. 3 shows the secure inter-domain handover procedure of the mobile node;
Fig. 4 is a schematic diagram of the example.
Embodiments
Embodiment 1:
The initial secure access procedure of the mobile node in its home domain is shown in Fig. 1; the steps are as follows:
Step 1: MN attaches to ATR1.
Step 2: ATR1 sends an identity request and a Challenge Value (CV) to MN.
Step 3: MN generates a random number R1, encrypts CV and R1 with the key P it shares in advance with HAAA to obtain E_P(CV||R1), computes the message hash H(EID2||CV||E_P(CV||R1)), and then sends an access authentication request to ATR1. The message contains: MN's endpoint identifier EID2, the challenge value CV, the encrypted information E_P(CV||R1) and the hash H(EID2||CV||E_P(CV||R1)). Here E_k(m) denotes the ciphertext of message m encrypted under key k, H() is a hash function, and "||" is the string concatenation operator.
Step 4: ATR1 forwards the access authentication request message to HAAA.
Step 5: HAAA first checks the hash H(EID2||CV||E_P(CV||R1)) to confirm the integrity of the message. It then decrypts with the key P shared in advance with MN to obtain CV and compares it with the unencrypted CV in the message. If the hash or the CV does not match, MN's access is refused and the initial access procedure stops. If both values match, MN's identity is confirmed. HAAA then uses the hash function to compute the inter-domain handover key GK = H(S||EID2) and the intra-domain handover key LK = H(G||EID2), where S is the key pre-shared between HAAA and the other VAAAs and G is the group key HAAA shares with the ATRs in its domain. HAAA then encrypts GK, LK and R1 with the pre-shared key P, obtaining E_P(GK||LK||R1), and computes the hash H(Au||EID2||E_P(GK||LK||R1)), where Au is the authentication success flag of MN.
Step 6: HAAA sends an access confirmation message to ATR1 containing the authentication success flag Au, MN's endpoint identifier EID2, the encrypted information E_P(GK||LK||R1) and the hash H(Au||EID2||E_P(GK||LK||R1)).
Step 7: ATR1 confirms from the authentication success flag Au that MN has authenticated successfully and allows MN to access the network.
Step 8: ATR1 sends a Location-Register message to TR2, registering MN's location information EID2-LLOC1.
Step 9: TR2 sends a Map-Register message to the map server MS, registering MN's mapping information EID2-to-LOC2.
Step 10: MS returns a Map-Notify message confirming that the registration of MN's mapping information is complete.
Step 11: TR2 returns a Location-Acknowledgement message to ATR1 confirming that the registration of MN's location information is complete.
Step 12: ATR1 sends the access confirmation message to MN, containing the authentication success flag Au, MN's endpoint identifier EID2, the encrypted information E_P(GK||LK||R1) and the hash H(Au||EID2||E_P(GK||LK||R1)).
Step 13: MN checks the hash H(Au||EID2||E_P(GK||LK||R1)), checks that the R1 obtained by decryption is identical to the R1 it sent earlier, checks Au to confirm the authenticity of the network, decrypts and stores GK and LK, and thereby completes mutual authentication.
Step 14: CN sends an ordinary data packet to TR1; the packet's source and destination addresses are EID1 and EID2 respectively.
Step 15: TR1 sends a Map-Request message to MS to query MN's mapping information.
Step 16: MS returns a Map-Reply message to TR1 containing MN's mapping information EID2-to-LOC2.
Step 17: TR1 encapsulates the data packet according to MN's mapping information, adding a new outer header to the original packet whose source and destination addresses are LOC1 and LOC2 respectively; the core network routes and forwards the tunnelled packet by its locator.
Step 18: TR2 decapsulates the tunnelled packet, removing the outer header added by TR1; then, according to MN's location information EID2-LLOC1, TR2 sends the packet to ATR1 through a tunnel, i.e. TR2 adds a new outer header to the original packet whose destination address is LLOC1.
Step 19: After receiving the tunnelled packet, ATR1 removes the outer header and forwards the original packet to MN.
Embodiment 2:
When the mobile node hands over within a domain, no AAA server needs to be involved, as shown in Fig. 2. The secure intra-domain handover steps of the mobile node are as follows:
Step 1: MN disconnects from ATR1 and attaches to ATR2.
Step 2: ATR2 sends an identity request and a Challenge Value (CV) to MN.
Step 3: MN generates a random number R1, encrypts CV and R1 with the intra-domain handover key LK obtained at access time to obtain E_LK(CV||R1), computes the hash H(EID2||CV||E_LK(CV||R1)), and then sends a handover access request message to ATR2 containing: MN's endpoint identifier EID2, the challenge value CV, the encrypted information E_LK(CV||R1) and the hash H(EID2||CV||E_LK(CV||R1)).
Step 4: ATR2 checks H(EID2||CV||E_LK(CV||R1)) and computes MN's intra-domain handover key LK = H(G||EID2) using the group key G it shares in advance with HAAA. It decrypts E_LK(CV||R1) to obtain CV and compares it with the unencrypted CV in the message; if they match, ATR2 allows MN to access the network and computes H(Au||EID2||R1).
Step 5: ATR2 sends a tunnel establishment request (AR-Tunnel-REQ) message to ATR1, updating MN's location information in ATR1 to EID2-LLOC2.
Step 6: ATR1 returns a tunnel establishment reply (AR-Tunnel-Reply) message to ATR2, completing the tunnel to ATR2; from then on, ATR1 forwards data destined for EID2 to ATR2 through the tunnel.
Step 7: ATR2 sends a handover confirmation message to MN containing: the authentication success flag Au, MN's endpoint identifier EID2 and the hash H(Au||EID2||R1).
Step 8: MN checks the hash H(Au||EID2||R1), checks that the random number R1 it covers is identical to the R1 it generated earlier, and confirms that the handover procedure is complete.
Step 9: CN sends an ordinary data packet to TR1; the packet's source and destination addresses are EID1 and EID2 respectively.
Step 10: TR1 encapsulates the packet with an outer header according to the mapping information EID2-to-LOC2; the outer header's source and destination addresses are LOC1 and LOC2 respectively, and the core network routes and forwards the tunnelled packet by its locator.
Step 11: TR2 decapsulates the tunnelled packet, removing the outer header added by TR1; then, according to MN's location information EID2-LLOC1, TR2 sends the packet to ATR1 through a tunnel, i.e. TR2 adds a new outer header to the original packet whose destination address is LLOC1.
Step 12: After receiving the tunnelled packet, ATR1 removes its outer header and forwards the original packet destined for MN to ATR2 through the tunnel, i.e. ATR1 adds a new outer header to the original packet whose destination address is LLOC2.
Step 13: After receiving the tunnelled packet, ATR2 removes the outer header and forwards the original packet to MN.
Step 14: ATR2 sends a Location Update message, updating MN's location information in TR2 to EID2-LLOC2.
Step 15: TR2 returns a Location Acknowledgement message confirming that MN's location update is complete.
Step 16: CN sends an ordinary data packet to TR1; the packet's source and destination addresses are EID1 and EID2 respectively.
Step 17: TR1 encapsulates the packet with an outer header according to the mapping information EID2-to-LOC2; the outer header's source and destination addresses are LOC1 and LOC2 respectively, and the core network routes and forwards the tunnelled packet by its locator.
Step 18: TR2 decapsulates the tunnelled packet, removing the outer header added by TR1; then, according to MN's location information EID2-LLOC2, TR2 sends the packet to ATR2 through a tunnel, i.e. TR2 adds a new outer header to the original packet whose destination address is LLOC2.
Step 19: Data sent to MN no longer passes through ATR1 but arrives directly at ATR2; after receiving the tunnelled packet, ATR2 removes its outer header and forwards the original packet to MN.
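The data path of Embodiments 1 and 2 (TR encapsulation by LOC, re-encapsulation by LLOC, and the ATR1-to-ATR2 detour that lasts until the Location Update), as an added Python model that is not the patent's own code; the locator names, the four tables and the hop trace format are constructed for the example.

```python
"""Constructed data-plane model of Fig. 1 / Fig. 2. Every TR and ATR is keyed by its locator,
and each tunnel hop is recorded as the outer (source, destination) header it adds."""

class Topology:
    def __init__(self):
        self.map_system = {}   # MS: EID -> LOC            (EID-to-LOC; Map-Register / Map-Request)
        self.location = {}     # TR LOC -> {EID: LLOC}     (EID-LLOC; Location-Register / Location Update)
        self.attached = {}     # ATR LLOC -> set of EIDs currently attached to that ATR
        self.ar_tunnel = {}    # ATR LLOC -> {EID: LLOC}   (AR tunnel set up in Embodiment 2, steps 5-6)

    def initial_access(self, eid, atr_lloc, tr_loc):
        """Embodiment 1, steps 8-10: ATR registers EID-LLOC at its TR, TR registers EID-to-LOC at MS."""
        self.attached.setdefault(atr_lloc, set()).add(eid)
        self.location.setdefault(tr_loc, {})[eid] = atr_lloc
        self.map_system[eid] = tr_loc

    def intra_handover(self, eid, old_lloc, new_lloc):
        """Embodiment 2, steps 1 and 5-6: MN re-attaches; the old ATR learns EID2-LLOC2 and tunnels on."""
        self.attached[old_lloc].discard(eid)
        self.attached.setdefault(new_lloc, set()).add(eid)
        self.ar_tunnel.setdefault(old_lloc, {})[eid] = new_lloc

    def location_update(self, eid, tr_loc, new_lloc):
        """Embodiment 2, steps 14-15: the TR now maps EID2 to LLOC2, so the detour via the old ATR ends."""
        self.location[tr_loc][eid] = new_lloc
        for table in self.ar_tunnel.values():
            table.pop(eid, None)

def deliver(topo, src_loc, dst_eid):
    """Forward one CN->MN packet from the CN's tunnel router (at src_loc) to MN. Returns the hop list
    as (node, outer header) pairs; an outer header of None means the ATR decapsulated and delivered."""
    hops = []
    tr_loc = topo.map_system[dst_eid]                      # TR1: Map-Request / Map-Reply gives MN's LOC
    hops.append((f"TR@{src_loc}", (src_loc, tr_loc)))      # outer header LOC1 -> LOC2, routed by locator
    lloc = topo.location[tr_loc][dst_eid]                  # TR2: strip outer header, look up EID-LLOC
    hops.append((f"TR@{tr_loc}", (tr_loc, lloc)))          # new outer header towards the ATR's LLOC
    while dst_eid not in topo.attached.get(lloc, ()):      # ATR no longer serves MN: follow the AR tunnel
        nxt = topo.ar_tunnel.get(lloc, {}).get(dst_eid)
        if nxt is None:                                    # stale location and no tunnel: packet is lost
            raise LookupError(f"{dst_eid} not reachable from ATR {lloc}")
        hops.append((f"ATR@{lloc}", (lloc, nxt)))
        lloc = nxt
    hops.append((f"ATR@{lloc}", None))                     # strip outer header, deliver to MN
    return hops

def demo():
    """Fig. 2 timeline: the path before and after the Location Update; returns both hop lists."""
    t = Topology()
    t.initial_access("EID2", "LLOC1", "LOC2")              # MN at ATR1 under TR2 (Embodiment 1)
    t.intra_handover("EID2", "LLOC1", "LLOC2")             # MN moves to ATR2 (Embodiment 2, steps 1-8)
    before = deliver(t, "LOC1", "EID2")                    # steps 9-13: TR2 -> ATR1 -> ATR2 detour
    t.location_update("EID2", "LOC2", "LLOC2")             # steps 14-15
    after = deliver(t, "LOC1", "EID2")                     # steps 16-19: TR2 -> ATR2 directly
    return before, after
```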
Embodiment 3:
In the secure inter-domain handover procedure of the mobile node, authenticating the mobile node does not require any interaction between VAAA and HAAA, as shown in Fig. 3. The secure inter-domain handover steps of the mobile node are as follows:
Step 1: MN disconnects from ATR2 and attaches to ATR3.
Step 2: ATR3 sends an identity request and a Challenge Value (CV) to MN.
Step 3: MN generates a random number R1, encrypts CV and R1 with the inter-domain handover key GK obtained at access time to obtain E_GK(CV||R1), computes the message hash H(EID2||CV||E_GK(CV||R1)), and then sends a mobile handover access request message to ATR3 containing: MN's endpoint identifier EID2, the challenge value CV, the encrypted information E_GK(CV||R1) and the hash H(EID2||CV||E_GK(CV||R1)).
Step 4: ATR3 forwards the mobile handover access request message to VAAA.
Step 5: VAAA checks the hash H(EID2||CV||E_GK(CV||R1)) to confirm the integrity of the message. It computes GK = H(S||EID2) using the key S pre-shared between VAAA and HAAA, and checks the CV obtained by decryption against the unencrypted CV in the message; if the check succeeds, MN's identity is confirmed, otherwise MN is refused access to the network. VAAA then computes MN's intra-domain handover key LK = H(G||EID2) using the group key G it shares in advance with the ATRs in its domain, encrypts LK and R1 with GK to obtain E_GK(LK||R1), and computes the hash H(Au||EID2||E_GK(LK||R1)).
Step 6: VAAA sends a handover confirmation message to ATR3 containing: the authentication success flag Au, MN's endpoint identifier EID2, the encrypted information E_GK(LK||R1) and the hash H(Au||EID2||E_GK(LK||R1)).
Step 7: ATR3 confirms from Au that MN has authenticated successfully and allows MN to access the network.
Step 8: ATR3 sends a Location Register message to TR3, registering MN's location information EID2-LLOC3.
Step 9: TR3 sends a tunnel establishment request (TR-Tunnel-REQ) message to TR2 containing MN's new location information TR3 (LOC3) and the like, informing TR2 that MN's new mapping information is EID2-to-LOC3.
Step 10: TR2 returns a tunnel establishment reply (TR-Tunnel-Reply) message to TR3, completing the tunnel to TR3, and forwards data destined for MN to TR3.
Step 11: TR3 returns a Location Acknowledgement message to ATR3 confirming that MN's location registration is complete.
Step 12: TR3 sends the handover confirmation message to MN, containing: the authentication success flag Au, MN's endpoint identifier EID2, the encrypted information E_GK(LK||R1) and the hash H(Au||EID2||E_GK(LK||R1)).
Step 13: MN checks the hash H(Au||EID2||E_GK(LK||R1)), checks that the R1 obtained by decryption is identical to the R1 it generated earlier, confirms that the handover procedure is complete, and stores the intra-domain handover key LK.
Step 14: CN sends an ordinary data packet to TR1; the packet's source and destination addresses are EID1 and EID2 respectively.
Step 15: TR1 encapsulates the data packet according to MN's mapping information, adding a new outer header to the original packet whose source and destination addresses are LOC1 and LOC2 respectively.
Step 16: After receiving the tunnelled packet, TR2 removes its outer header to obtain the original packet. Because TR2 learned in step 9 that MN has moved to a new domain, TR2 sends the original packet to TR3 through the tunnel, i.e. TR2 adds a new outer header to the original packet whose source and destination addresses are LOC2 and LOC3 respectively.
Step 17: TR3 removes the outer header of the tunnelled packet to obtain the original packet. According to MN's location information, TR3 sends the packet to ATR3, i.e. TR3 adds a new outer header to the original packet whose destination address is LLOC3.
Step 18: ATR3 removes the outer header of the tunnelled packet and forwards the original packet to MN.
Step 19: TR3 sends a Map-Update message for MN to MS, updating MN's mapping information to EID2-to-LOC3.
Step 20: MS returns a Map-Notify message to TR3 confirming that the mapping update is complete.
Step 21: TR3 sends a mapping update (MN-Map-Update) message for MN to the correspondent's tunnel router TR1, announcing to TR1 that MN's mapping information is updated to EID2-to-LOC3.
Step 22: TR1 returns a mapping update reply (MN-Map-Reply) message to TR3, confirming that the update of MN's mapping information is complete; this completes the route optimisation of data sent to MN.
Step 23: CN sends an ordinary data packet to TR1; the packet's source and destination addresses are EID1 and EID2 respectively.
Step 24: TR1 encapsulates the packet with an outer header according to the mapping information EID2-to-LOC3; the outer header's source and destination addresses are LOC1 and LOC3 respectively, and the core network routes and forwards the tunnelled packet by its locator.
Step 25: TR3 decapsulates the tunnelled packet, removing the outer header added by TR1; then, according to MN's location information EID2-LLOC3, TR3 sends the packet to ATR3 through a tunnel, i.e. TR3 adds a new outer header to the original packet whose destination address is LLOC3.
Step 26: After receiving the tunnelled packet, ATR3 removes its outer header and forwards the original packet to MN.
Embodiment 4:
Generation of the intra-domain and inter-domain handover keys of the mobile node. The present invention derives them from the identity information of the mobile node and the key shared by the AAA server; when the AAA server generates the handover keys of the mobile node, it can also include additional information, such as an access network code or the AAA server identifier.
As shown in Fig. 4, each access network has at least one AAA server, CN is in access network AN1, and MN moves from access network AN2 to AN3. MN completes its initial access at ATR1, then moves and attaches to ATR2, and then moves to AN3 and attaches to ATR3. MN's initial access procedure at ATR1, its handover to ATR2 within AN2, and its handover from AN2 to AN3 attaching to ATR3 correspond respectively to the initial secure access procedure, the secure intra-domain handover procedure and the secure inter-domain handover procedure of the present invention.
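The three authentication exchanges of Embodiments 1 to 3 and the key derivation of Embodiment 4, run end to end over the Fig. 4 scenario, as an added Python model that is not the patent's own code: SHA-256 stands in for H(), a toy XOR stream cipher stands in for E_k (the patent names neither), and EID2, P, S, the group keys and the challenges are constructed values.

```python
import hashlib
import hmac
import os

KEYLEN, NONCE, AU = 32, 16, b"AUTH-OK"   # key size, size of CV and R1, the Au success flag (constructed)

def H(*parts):
    """H(): SHA-256 over a||b||c; SHA-256 and the '|' separator are stand-ins, the patent fixes neither."""
    return hashlib.sha256(b"|".join(parts)).digest()

def E(key, msg):
    """E_k(m): toy XOR stream cipher (keystream SHA-256(k||ctr)), a stand-in for the unspecified cipher."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(msg) // 32 + 1))
    return bytes(a ^ b for a, b in zip(msg, stream))   # XOR, so E also decrypts

def derive_gk(s, eid, extra=b""):   # GK = H(S||EID2); 'extra' models Embodiment 4's optional AN code / AAA id
    return H(s, eid, extra)
def derive_lk(g, eid, extra=b""):   # LK = H(G||EID2)
    return H(g, eid, extra)

# ---- MN side: step 3 of each embodiment, and the final check ----
def mn_request(eid, key, cv):
    """MN draws R1 and sends EID2, CV, E_k(CV||R1), H(EID2||CV||E_k(CV||R1)); k is P, LK or GK."""
    r1 = os.urandom(NONCE)
    enc = E(key, cv + r1)
    return r1, {"eid": eid, "cv": cv, "enc": enc, "hash": H(eid, cv, enc)}

def mn_accept(conf, key, r1_sent):
    """Embodiment 1 / 3, step 13: check hash and Au, decrypt, compare R1; return [GK, LK] or [LK], else None."""
    if conf is None or conf["au"] != AU or conf["hash"] != H(AU, conf["eid"], conf["enc"]):
        return None
    plain = E(key, conf["enc"])
    keys, r1 = plain[:-NONCE], plain[-NONCE:]
    if not hmac.compare_digest(r1, r1_sent):
        return None
    return [keys[i:i + KEYLEN] for i in range(0, len(keys), KEYLEN)]

# ---- network side: HAAA (Embodiment 1), new ATR (Embodiment 2), VAAA (Embodiment 3) ----
def check_request(req, key, issued_cv):
    """Verify H(EID2||CV||E_k(CV||R1)), decrypt, compare CV; return R1 or None. The patent compares the decrypted
    CV with the plaintext CV in the message; binding it to the CV this node just issued is what defeats replay."""
    if req["hash"] != H(req["eid"], req["cv"], req["enc"]):
        return None                                   # message altered in transit
    plain = E(key, req["enc"])
    cv, r1 = plain[:NONCE], plain[NONCE:]
    if not (hmac.compare_digest(cv, req["cv"]) and hmac.compare_digest(cv, issued_cv)):
        return None                                   # wrong key, or stale challenge
    return r1

def confirm(key, eid, payload, r1):
    """Confirmation message: Au, EID2, E_k(payload||R1), H(Au||EID2||E_k(payload||R1))."""
    enc = E(key, payload + r1)
    return {"au": AU, "eid": eid, "enc": enc, "hash": H(AU, eid, enc)}

def haaa_initial_access(req, cv, p, s, g_home):
    """Embodiment 1 step 5: check under P, derive GK and LK, return E_P(GK||LK||R1)."""
    r1 = check_request(req, p, cv)
    if r1 is None:
        return None
    return confirm(p, req["eid"], derive_gk(s, req["eid"]) + derive_lk(g_home, req["eid"]), r1)

def atr_intra_handover(req, cv, g):
    """Embodiment 2 step 4: the new ATR recomputes LK from the group key G itself; no AAA round trip."""
    r1 = check_request(req, derive_lk(g, req["eid"]), cv)
    if r1 is None:
        return None
    return {"au": AU, "eid": req["eid"], "hash": H(AU, req["eid"], r1)}

def mn_accept_intra(conf, r1_sent):
    """Embodiment 2 step 8: MN checks H(Au||EID2||R1) against its own R1."""
    return conf is not None and conf["au"] == AU and hmac.compare_digest(conf["hash"], H(AU, conf["eid"], r1_sent))

def vaaa_inter_handover(req, cv, s, g_visited):
    """Embodiment 3 step 5: VAAA recomputes GK from S (no HAAA round trip) and hands out the visited LK."""
    gk = derive_gk(s, req["eid"])
    r1 = check_request(req, gk, cv)
    if r1 is None:
        return None
    return confirm(gk, req["eid"], derive_lk(g_visited, req["eid"]), r1)

# ---- constructed key material for the Fig. 4 scenario: home domain AN2, MN roams to AN3 ----
EID2 = b"EID2"
P, S = H(b"constructed P: MN-HAAA"), H(b"constructed S: HAAA-VAAA")
G_AN2, G_AN3 = H(b"constructed group key AN2"), H(b"constructed group key AN3")

def demo():
    """Initial access at ATR1, intra-domain handover to ATR2, inter-domain handover to ATR3."""
    cv1, cv2, cv3 = (os.urandom(NONCE) for _ in range(3))     # challenges issued by ATR1, ATR2, ATR3
    r1, req = mn_request(EID2, P, cv1)                         # Embodiment 1, step 3
    gk, lk = mn_accept(haaa_initial_access(req, cv1, P, S, G_AN2), P, r1)
    r1b, req2 = mn_request(EID2, lk, cv2)                      # Embodiment 2, step 3
    intra_ok = mn_accept_intra(atr_intra_handover(req2, cv2, G_AN2), r1b)
    replay_rejected = atr_intra_handover(req2, os.urandom(NONCE), G_AN2) is None
    r1c, req3 = mn_request(EID2, gk, cv3)                      # Embodiment 3, step 3
    (lk3,) = mn_accept(vaaa_inter_handover(req3, cv3, S, G_AN3), gk, r1c)
    tampered = dict(req3, enc=bytes([req3["enc"][0] ^ 1]) + req3["enc"][1:])
    tamper_rejected = vaaa_inter_handover(tampered, cv3, S, G_AN3) is None
    return {"gk": gk, "lk_home": lk, "lk_visited": lk3, "intra_ok": intra_ok,
            "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected}
```

The model checks the decrypted CV against the challenge the verifying node itself issued, a step the patent text leaves implicit; without it a captured request would pass the plaintext-CV comparison unchanged.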
Abbreviations and key term definitions
Internet Engineering Task Force (IETF)
Locator/Identifier Separation: separation of identity and location
Proxy Mobile IPv6 (PMIPv6)
Endpoint Identifier (EID): terminal identifier
Locator (LOC): location identifier
Local Locator (LLOC): local location identifier
Mobile Access Gateway (MAG)
Local Mobility Anchor (LMA)
Mobile Node (MN)
Map Server (MS)
Tunnel Router (TR)
Access Tunnel Router (ATR)
Authentication, Authorization and Accounting (AAA): AAA server
Home AAA (HAAA): home-domain AAA server
Visited AAA (VAAA): visited-domain AAA server
Security Association (SA)
Access Network (AN)
Mobile Domain (MD): mobility management domain.

Claims (5)

1. the secure mobility management method under an identity and the position separation system, it is characterized in that: separate in the map architecture option with the position in identity, introduce incoming tunnel router (ATR, Access Tunnel Router) as the Mobile Access Gateway (MAG of mobile node, Mobile Access Gateway), its address is local routing sign (LLOC, Local Locator); An Access Network (AN, Access Network) is as a mobile management zone (MD, Mobile Domain), and an incoming tunnel router is controlled a subnet, and each Access Network is comprised of several subnets;
The mobile anchor point of mobile node (MN) in tunnel router (TR) the conduct zone, the positional information (EID-LLOC) of mobile node in the storage area; The data communication device that the safety moving of mobile node switches in the zone is crossed tunnel transmission, adopts the pathfinding of local routing sign to transmit;
Has an aaa server in each Access Network at least;
Aaa server and tunnel router and incoming tunnel router have been set up Security Association (Security Association) in advance in the Access Network, this Security Association has been stipulated the protocol type of protecting aaa server and tunnel router to communicate by letter with the incoming tunnel Router Security, cryptographic algorithm, authentication mode, shared key, the parameters such as cryptographic key existence cycle;
Incoming tunnel router and aaa server have been shared group key (Group Key) in advance in the Access Network;
Mobile node and hometown AAA server (HAAA, Home AAA) have been consulted shared key in advance; Before mobile node is roamed, must at first finish the initial safe access of mobile node in the territory, local in heterogeneous networks;
Shared in advance the identification information of key and mobile node etc. between HAAA and the visited aaa server (VAAA, Visited AAA), otherwise mobile node can not be in this access domain roaming;
When mobile node moved, the connection of mobile node and Correspondent Node (CN, Corresponding Node) can not interrupted.
2. The secure mobility management method in an identity and location separation system according to claim 1, characterized in that the initial secure access of the mobile node in the home domain proceeds as follows:
Step 1: MN attaches to ATR1;
Step 2: ATR1 sends an identity request and a Challenge Value (CV) to MN;
Step 3: MN generates a random number R1, encrypts CV and R1 with the key P pre-shared between MN and HAAA to compute E_P(CV||R1), computes the message hash H(EID2||CV||E_P(CV||R1)), and then sends an access authentication request to ATR1; the message contains the terminal identifier EID2 of MN, the challenge value CV, the ciphertext E_P(CV||R1) and the hash H(EID2||CV||E_P(CV||R1)), where E_k(m) denotes the encryption of message m with key k, H() is a hash function and "||" is the string concatenation operator;
Step 4: ATR1 forwards the access authentication request message to HAAA;
Step 5: HAAA first checks the hash H(EID2||CV||E_P(CV||R1)) to confirm the integrity of the message; it then decrypts with the key P pre-shared between MN and HAAA to obtain CV and compares it with the unencrypted CV in the message; if either the hash or the CV does not match, MN is refused access and the initial access process is terminated; if both values match, the identity of MN is confirmed; HAAA then uses the hash function to compute the inter-domain handover key GK = H(S||EID2) and the intra-domain handover key LK = H(G||EID2), where S is the pre-shared key between HAAA and the other VAAAs and G is the group key shared between HAAA and the ATRs in the domain; HAAA then encrypts GK, LK and R1 with the pre-shared key P, computing E_P(GK||LK||R1) and the hash H(Au||EID2||E_P(GK||LK||R1)), where Au is the authentication success flag of MN;
Step 6: HAAA sends an access confirmation message to ATR1, containing the authentication success flag Au, the terminal identifier EID2 of MN, the ciphertext E_P(GK||LK||R1) and the hash H(Au||EID2||E_P(GK||LK||R1));
Step 7: ATR1 confirms from the authentication success flag Au that MN has been authenticated successfully and allows MN to access;
Step 8: ATR1 sends a Location-Register message to TR2, registering the location information EID2-LLOC1 of MN;
Step 9: TR2 sends a Map-Register message to the mapping server MS, registering the mapping information EID2-to-LOC2 of MN;
Step 10: MS returns a Map-Notify message, confirming that the registration of the mapping information of MN is complete;
Step 11: TR2 returns a Location-Acknowledgement message to ATR1, confirming that the location registration of MN is complete;
Step 12: ATR1 sends the access confirmation message to MN, containing the authentication success flag Au, the terminal identifier EID2 of MN, the ciphertext E_P(GK||LK||R1) and the hash H(Au||EID2||E_P(GK||LK||R1));
Step 13: MN checks the hash H(Au||EID2||E_P(GK||LK||R1)), checks whether the R1 obtained by decryption is identical to the R1 it sent earlier, thereby confirming the authenticity of the network, decrypts to obtain GK and LK and stores them; mutual authentication is complete;
Step 14: CN sends an ordinary data packet to TR1; the source and destination addresses of the packet are EID1 and EID2 respectively;
Step 15: TR1 sends a Map-Request message to MS to query the mapping information of MN;
Step 16: MS returns a Map-Reply message to TR1 containing the mapping information EID2-to-LOC2 of MN;
Step 17: TR1 encapsulates the data packet according to the mapping information of MN, adding a new outer header to the original packet whose source and destination addresses are LOC1 and LOC2 respectively; the core network forwards the tunneled packet by routing on its routing identifier;
Step 18: TR2 decapsulates the tunneled packet, removing the outer header added by TR1; TR2 then sends the packet through a tunnel to ATR1 according to the location information EID2-LLOC1 of MN; specifically, it adds a new outer header to the original packet whose destination address is LLOC1;
Step 19: after receiving the tunneled packet, ATR1 removes the outer header and forwards the original packet to MN.
3. The secure mobility management method in an identity and location separation system according to claim 1, characterized in that the secure intra-domain handover of the mobile node proceeds as follows:
Step 1: MN disconnects from ATR1 and attaches to ATR2;
Step 2: ATR2 sends an identity request and a Challenge Value (CV) to MN;
Step 3: MN generates a random number R1, encrypts CV and R1 with the intra-domain handover key LK obtained at access to compute E_LK(CV||R1), computes the hash H(EID2||CV||E_LK(CV||R1)), and then sends a handover access request message to ATR2; the message contains the terminal identifier EID2 of MN, the challenge value CV, the ciphertext E_LK(CV||R1) and the hash H(EID2||CV||E_LK(CV||R1));
Step 4: ATR2 checks H(EID2||CV||E_LK(CV||R1)), computes the intra-domain handover key LK = H(G||EID2) of MN using the group key G pre-shared with HAAA, decrypts E_LK(CV||R1) to obtain CV and compares it with the unencrypted CV in the message; if they match, ATR2 allows MN to access the network and then computes H(Au||EID2||R1);
Step 5: ATR2 sends an AR-Tunnel-REQ message to ATR1, updating the location information of MN in ATR1 to EID2-LLOC2;
Step 6: ATR1 returns an AR-Tunnel-Reply message to ATR2, completing the tunnel setup with ATR2; from then on, ATR1 forwards the data destined for EID2 to ATR2;
Step 7: ATR2 sends a handover confirmation message to MN containing the authentication success flag Au, the terminal identifier EID2 of MN, the hash H(Au||EID2||R1), etc.;
Step 8: MN checks the hash H(Au||EID2||R1), checks whether the random number R1 obtained by decryption is identical to the random number R1 it generated earlier, and confirms that the handover is complete;
Step 9: CN sends an ordinary data packet to TR1; the source and destination addresses of the packet are EID1 and EID2 respectively;
Step 10: TR1 encapsulates the packet with an outer header according to the mapping information EID2-to-LOC2; the source and destination addresses of the outer header are LOC1 and LOC2 respectively; the core network forwards the tunneled packet by routing on its routing identifier;
Step 11: TR2 decapsulates the tunneled packet, removing the outer header added by TR1; TR2 then sends the packet through a tunnel to ATR1 according to the location information EID2-LLOC1 of MN; specifically, TR2 adds a new outer header to the original packet whose destination address is LLOC1;
Step 12: after receiving the tunneled packet, ATR1 removes its outer header and forwards the original packet destined for MN through a tunnel to ATR2; specifically, ATR1 adds a new outer header to the original packet whose destination address is LLOC2;
Step 13: after receiving the tunneled packet, ATR2 removes the outer header and forwards the original packet to MN;
Step 14: ATR2 sends a Location Update message, updating the location information of MN in TR2 to EID2-LLOC2;
Step 15: TR2 returns a Location Acknowledgement message, confirming that the location update of MN is complete;
Step 16: CN sends an ordinary data packet to TR1; the source and destination addresses of the packet are EID1 and EID2 respectively;
Step 17: TR1 encapsulates the packet with an outer header according to the mapping information EID2-to-LOC2; the source and destination addresses of the outer header are LOC1 and LOC2 respectively; the core network forwards the tunneled packet by routing on its routing identifier;
Step 18: TR2 decapsulates the tunneled packet, removing the outer header added by TR1; TR2 then sends the packet through a tunnel to ATR2 according to the location information EID2-LLOC2 of MN; specifically, TR2 adds a new outer header to the original packet whose destination address is LLOC2;
Step 19: the data destined for MN no longer passes through ATR1 but arrives directly at ATR2; after receiving the tunneled packet, ATR2 removes its outer header and forwards the original packet to MN.
4. The secure mobility management method in an identity and location separation system according to claim 1, characterized in that the secure handover of the mobile node into a new domain proceeds as follows:
Step 1: MN disconnects from ATR2 and attaches to ATR3;
Step 2: ATR3 sends an identity request and a Challenge Value (CV) to MN;
Step 3: MN generates a random number R1, encrypts CV and R1 with the inter-domain handover key GK obtained at access to compute E_GK(CV||R1), computes the message hash H(EID2||CV||E_GK(CV||R1)), and then sends a mobility handover access request message to ATR3; the message contains the terminal identifier EID2 of MN, the challenge value CV, the ciphertext E_GK(CV||R1), the hash H(EID2||CV||E_GK(CV||R1)) and other content;
Step 4: ATR3 forwards the mobility handover access request message to VAAA;
Step 5: VAAA checks the hash H(EID2||CV||E_GK(CV||R1)) to confirm the integrity of the message, computes GK = H(S||EID2) using the key S pre-shared between VAAA and HAAA, decrypts to obtain CV and checks it against the unencrypted CV in the message; if the check succeeds, the identity of MN is confirmed, otherwise MN is refused network access; VAAA then computes the intra-domain handover key LK = H(G||EID2) of MN using the group key G pre-shared with the ATRs in the domain, encrypts LK and R1 with GK to compute E_GK(LK||R1), and computes the hash H(Au||EID2||E_GK(LK||R1));
Step 6: VAAA sends a handover confirmation message to ATR3, containing the authentication success flag Au, the terminal identifier EID2 of MN, the ciphertext E_GK(LK||R1) and the hash H(Au||EID2||E_GK(LK||R1));
Step 7: ATR3 confirms from Au that MN has been authenticated successfully and allows MN to access the network;
Step 8: ATR3 sends a Location Register message to TR3, registering the location information EID2-LLOC3 of MN;
Step 9: TR3 sends a TR-Tunnel-REQ message to TR2; the message contains the new location information of MN, TR3 (LOC3), etc., informing TR2 that the new mapping information of MN is EID2-to-LOC3;
Step 10: TR2 returns a TR-Tunnel-Reply message to TR3, completing the tunnel setup with TR3, and forwards the data destined for MN to TR3;
Step 11: TR3 returns a Location Acknowledgement message to ATR3, confirming that the location registration of MN is complete;
Step 12: TR3 sends a handover confirmation message to MN, containing the authentication success flag Au, the terminal identifier EID2 of MN, the ciphertext E_GK(LK||R1) and the hash H(Au||EID2||E_GK(LK||R1));
Step 13: MN checks the hash H(Au||EID2||E_GK(LK||R1)), checks whether the R1 obtained by decryption is identical to the random number R1 it generated earlier, confirms that the handover is complete, and stores the intra-domain handover key LK;
Step 14: CN sends an ordinary data packet to MN; the source and destination addresses of the packet are EID1 and EID2 respectively;
Step 15: TR1 encapsulates the data packet according to the mapping information of MN, adding a new outer header to the original packet whose source and destination addresses are LOC1 and LOC2 respectively;
Step 16: after receiving the tunneled packet, TR2 removes its outer header to obtain the original packet; since TR2 learned in step 9 that MN has moved to a new domain, TR2 forwards the original packet through a tunnel to TR3; specifically, TR2 adds a new outer header to the original packet whose source and destination addresses are LOC2 and LOC3 respectively;
Step 17: TR3 removes the outer header of the tunneled packet to obtain the original packet and sends the packet to ATR3 according to the location information of MN; specifically, TR3 adds a new outer header to the original packet whose destination address is LLOC3;
Step 18: ATR3 removes the outer header of the tunneled packet and forwards the original packet to MN;
Step 19: TR3 sends a Map-Update message for MN to MS, updating the mapping information of MN to EID2-to-LOC3;
Step 20: MS returns a Map-Notify message to TR3, confirming that the mapping information update is complete;
Step 21: TR3 sends an MN-Map-Update message for MN to the correspondent node's TR1, notifying TR1 that the mapping information of MN has been updated to EID2-to-RLOC3;
Step 22: TR1 returns an MN-Map-Reply message to TR3, confirming that the update of the mapping information of MN is complete; the path of the data destined for MN is thereby optimized;
Step 23: CN sends an ordinary data packet to TR1; the source and destination addresses of the packet are EID1 and EID2 respectively;
Step 24: TR1 encapsulates the packet with an outer header according to the mapping information EID2-to-LOC3; the source and destination addresses of the outer header are LOC1 and LOC3 respectively; the core network forwards the tunneled packet by routing on its routing identifier;
Step 25: TR3 decapsulates the tunneled packet, removing the outer header added by TR1; TR3 then sends the packet through a tunnel to ATR3 according to the location information EID2-LLOC3 of MN; specifically, TR3 adds a new outer header to the original packet whose destination address is LLOC3;
Step 26: after receiving the tunneled packet, ATR3 removes its outer header and forwards the original packet to MN.
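The challenge-response exchanges of claims 2, 3 and 4 (initial access under P, intra-domain handover under LK, inter-domain handover under GK) as an added Python model; this is not code from the patent. The cipher behind E_k(m), SHA-256 for H(), the 16-byte CV and R1 sizes, the EID value and the message field names are assumptions, since the claims leave them open; the model also shows that a request altered in transit is rejected.

```python
import hashlib
import hmac
import secrets

AU = b"\x01"           # authentication-success flag Au
EID2 = b"eid:mn-2"     # constructed terminal identifier of MN


def H(*parts):
    """H(a||b||...) of the claims: a plain, unkeyed hash over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def E(key, label, cv, m):
    """E_k(m). The claims leave the cipher open; stand-in: HMAC-SHA256 as a PRF in counter
    mode, keyed by k and nonced by CV plus a direction label. XOR keystream, so the same
    call decrypts. (key, label, CV) must never repeat or the keystream is reused."""
    blocks = (hmac.new(key, label + cv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(m) // 32 + 1))
    return bytes(a ^ b for a, b in zip(m, b"".join(blocks)))


def mn_request(key, eid, cv):
    """Step 3 of claims 2-4: MN picks R1 and sends EID, CV, E_key(CV||R1), H(EID||CV||E)."""
    r1 = secrets.token_bytes(16)
    enc = E(key, b"req", cv, cv + r1)
    return {"eid": eid, "cv": cv, "enc": enc, "hash": H(eid, cv, enc)}, r1


def verify_request(key, msg):
    """Verifier (HAAA, ATR2 or VAAA): recheck the hash, decrypt, compare CV; return R1 or None.
    The hash covers only public fields, so it catches corruption; proof of key possession
    comes from the decrypted CV matching the one sent in clear."""
    if not hmac.compare_digest(msg["hash"], H(msg["eid"], msg["cv"], msg["enc"])):
        return None
    plain = E(key, b"req", msg["cv"], msg["enc"])
    cv, r1 = plain[:len(msg["cv"])], plain[len(msg["cv"]):]
    return r1 if hmac.compare_digest(cv, msg["cv"]) else None


def confirmation(key, msg, r1, *keys):
    """Confirmation carrying E_key(keys...||R1) and H(Au||EID||E) (claim 2 step 5, claim 4 step 5)."""
    enc = E(key, b"conf", msg["cv"], b"".join(keys) + r1)
    return {"au": AU, "eid": msg["eid"], "enc": enc, "hash": H(AU, msg["eid"], enc)}


def haaa_initial_access(p, s, g, msg):
    """Claim 2 step 5: HAAA verifies under P, derives GK=H(S||EID2) and LK=H(G||EID2)."""
    r1 = verify_request(p, msg)
    return None if r1 is None else confirmation(p, msg, r1, H(s, msg["eid"]), H(g, msg["eid"]))


def atr_intra_handover(g, msg):
    """Claim 3 step 4: ATR2 recomputes LK from group key G; confirmation hash is H(Au||EID||R1)."""
    r1 = verify_request(H(g, msg["eid"]), msg)
    return None if r1 is None else {"au": AU, "eid": msg["eid"], "hash": H(AU, msg["eid"], r1)}


def vaaa_inter_handover(s, g, msg):
    """Claim 4 step 5: VAAA recomputes GK from S shared with HAAA and issues the visited LK."""
    gk = H(s, msg["eid"])
    r1 = verify_request(gk, msg)
    return None if r1 is None else confirmation(gk, msg, r1, H(g, msg["eid"]))


def mn_check_confirmation(key, cv, r1_sent, conf, n_keys):
    """Claim 2 step 13 / claim 4 step 13: check hash, decrypt, match R1, keep the keys."""
    if conf is None or not hmac.compare_digest(conf["hash"], H(conf["au"], conf["eid"], conf["enc"])):
        return None
    plain = E(key, b"conf", cv, conf["enc"])
    keys, r1 = [plain[i * 32:(i + 1) * 32] for i in range(n_keys)], plain[n_keys * 32:]
    return keys if hmac.compare_digest(r1, r1_sent) else None


def run_scenario():
    # Constructed keys: P (MN-HAAA), S (HAAA-VAAA), group keys of the home and visited domains.
    p, s, g_home, g_visited = (secrets.token_bytes(32) for _ in range(4))
    cv1, cv2, cv3 = (secrets.token_bytes(16) for _ in range(3))
    req1, r1 = mn_request(p, EID2, cv1)                          # claim 2, steps 3-5, 13
    gk, lk = mn_check_confirmation(p, cv1, r1, haaa_initial_access(p, s, g_home, req1), 2)
    req2, r2 = mn_request(lk, EID2, cv2)                         # claim 3, steps 3-4, 8
    conf2 = atr_intra_handover(g_home, req2)
    intra_ok = conf2 is not None and conf2["hash"] == H(AU, EID2, r2)
    req3, r3 = mn_request(gk, EID2, cv3)                         # claim 4, steps 3-5, 13
    (new_lk,) = mn_check_confirmation(gk, cv3, r3, vaaa_inter_handover(s, g_visited, req3), 1)
    forged = dict(req3, eid=b"eid:other")                        # EID altered in transit
    return (intra_ok and new_lk == H(g_visited, EID2)
            and vaaa_inter_handover(s, g_visited, forged) is None)
```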
5. The secure mobility management method in an identity and location separation system according to any one of claims 1 to 4, characterized in that the intra-domain handover key and the inter-domain handover key of the mobile node are generated from the identity information of the mobile node and a key shared by the AAA server; when the AAA server generates the handover keys of the mobile node, additional information may be included, such as an access network code or an AAA server identifier.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210530551.XA CN103051611B (en) 2012-12-11 2012-12-11 Secure mobility management method under a kind of identity and position separation system

Publications (2)

Publication Number Publication Date
CN103051611A true CN103051611A (en) 2013-04-17
CN103051611B CN103051611B (en) 2015-10-28

Family

ID=48064110

Country Status (1)

Country Link
CN (1) CN103051611B (en)

Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
    Application publication date: 20130417
    Assignee: China High Speed Rail Technology Limited by Share Ltd
    Assignor: Beijing Jiaotong University
    Contract record no.: 2016990000184
    Denomination of invention: Security mobility management method in identity and location separation system
    Granted publication date: 20151028
    License type: Common License
    Record date: 20160505
LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20151028
    Termination date: 20201211