A Mobile Solution Based on an IPv6 Secure Communication Mechanism
Abstract
In an IPv6 environment, end-to-end secure communication is extremely important, because obtaining an IP address in an IPv6 network has become unprecedentedly simple. IPsec can provide various types of security protection for end-to-end communication at the IP layer, so it can be used to build the secure communication channels we need. IPsec is, however, very difficult to use: establishing a secure channel with it requires too many security parameters to be set, and configuring those parameters is quite complex. The Japanese researchers Y. K. Hei and Yamazaki have designed a solution that automatically completes IPsec secure channel negotiation and parameter configuration. It moves away from the traditional IPsec design, which takes the security of the individual as its basis, and instead starts from the security of the group as a whole while still accounting for the individual, realizing a design philosophy that emphasizes the whole and refines the individual. The most prominent feature of the scheme is that members can conveniently obtain IPsec/IKE policies from other members at any time, thereby configuring end-to-end secure communication channels automatically. This makes the scheme highly suitable for use in Mobile IPv6 communication. At the same time, Mobile IPv6 communication faces severe security threats: for lack of appropriate secure communication protection, there is a high likelihood in a Mobile IPv6 network of nodes being impersonated and communications being eavesdropped. Extending this scheme to the Mobile IPv6 domain can substantially mitigate these threats.
Building on the basic design ideas of the above scheme, this thesis proposes a dynamic two-layer management mechanism that selects a management node according to the predicted dwell time of mobile nodes. The fundamental purpose of the two-layer management mechanism is to achieve distributed management of secure communication nodes by dynamically selecting one management node in each mobile subnet. The mechanism retains the automatic allocation of IPsec tunnel security policies proposed in the closed-members secure communication mechanism, but discards the original scheme's mutual-advertisement management model, in which members exchange notifications by unicast, and introduces the concept of dynamic management of mobile member nodes. Using this mechanism effectively remedies the shortcomings of the original scheme and, more importantly, provides a reasonable solution for extending the secure communication group to a Mobile IPv6 network environment. Finally, the thesis simulates, analyses and compares the scheme, demonstrating the feasibility of the mechanism.
In an IPv6 environment, end-to-end secure communication is extremely important, because it is unprecedentedly simple for a computer to obtain an IP address. IPsec can provide various types of security protection for end-to-end communication at the IP layer. However, IPsec is difficult to use, because many complicated parameters must be set to establish a secure channel. Y. K. Hei and Yamazaki propose an automatic configuration method for setting up end-to-end secure channels between closed members using IPsec. It departs from the traditional design style centred on individual security and instead combines individual and overall security, giving prominence to the security of the group while refining the treatment of the individual. The most prominent features of the closed-members scheme are that members can conveniently obtain IPsec/IKE policies from other members at any time and that the end-to-end secure communication channel is configured automatically. The scheme is therefore suitable for the Mobile IPv6 communication field because of its flexibility and mobility. Owing to the lack of suitable secure communication protection in Mobile IPv6 networks, mobile communications face severe security threats: there is a high likelihood that nodes are impersonated and communication is intercepted. Expanded use of the scheme in Mobile IPv6 environments can largely mitigate these threats.
Integrating the design thinking of the closed-members scheme into the mobile environment, this thesis presents a new two-layer management mechanism for the secure communication scheme. By constructing a management node dynamically in Mobile IPv6 networks, the new management mechanism properly solves the problems mentioned above. It inherits the auto-configuration of the secure communication channel but discards the working mode in which members exchange mutual advertisements. Through the dynamically constructed management node in the mobile network, the expansion issue of the original solution in the Mobile IPv6 network environment is properly solved, and a reasonable solution for Mobile IPv6 secure communication is obtained. Finally, to demonstrate the feasibility of the new solution, we simulate and analyse the scheme.
