Implementation of the Mobile IP Home Agent and IPsec Protection of Its Communication with the Mobile Node
  • English title: The Implementation of Home Agent and the Communication to Mobile Node Protection by IP Sec
  • Author: 宋国东
  • Degree: Master's
  • Discipline: Computer Application Technology
  • Year of degree: 2004
  • Supervisor: 赵冬范
  • Discipline code: 081203
  • Degree-granting institution: 吉林大学 (Jilin University)
  • Thesis submitted: 2004-04-01
Abstract
1. Services provided by Mobile IP
    In daily life and in business, people increasingly want to attach their computers to the communication network, and to the enterprise LAN, while on the move, so that mobile business can obtain enterprise data in time. This latent, huge and irresistible commercial demand brings the Internet new opportunities, new services and new technical problems; the answer to it is Mobile IP.
    The main problem Mobile IP has to solve is how to attach a mobile node to the Internet seamlessly, which has two aspects:
    a node keeps its IP address when it switches links and still receives packets on the new link;
    a node that changes its IP address while moving does not interrupt or restart the communication already in progress.
    Mobile IP provides the following services to meet these functional requirements:
    1) Agent discovery: through agent discovery a mobile node determines whether it is currently on its home link or on a foreign link; if it is on a foreign link, it obtains a care-of address from a foreign agent or through some configuration procedure.
    2) Registration: through registration the mobile node informs its home agent of its care-of address. If a foreign agent is present, the mobile node must also register with it to obtain its routing service.
    3) Packet delivery: while the mobile node is attached to a foreign link, the home agent uses tunnelling to forward the packets that other nodes send to the mobile node.
    2. Security of the registration process
    Because the Mobile IP registration process is what tells the home agent where to tunnel packets, it is an exposed point of attack: an attacker need only send a forged Registration Request to the mobile node's home agent to have every packet delivered to the attacker instead of to the mobile node's legitimate care-of address. Even if the attacker is prevented from seeing any packet addressed to the mobile node, the mobile node still receives none and can no longer communicate.
    To counter this attack (a denial-of-service attack), Mobile IP requires that the registration messages between the mobile node and the home agent be authenticated. Authentication is the process by which a sending node proves its identity to the receiving node. Mobile IP requires strong authentication between the mobile node and the home agent, of a kind that an attacker cannot defeat by inspecting packets on the network.
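The registration attack and the authentication requirement described above can be seen concretely in the following Python example. It is added here and is not code from the thesis: it builds an RFC 2002 Registration Request carrying the Mobile-Home Authentication Extension (the keyed-MD5 prefix+suffix authenticator that RFC 2002 specifies as the default; RFC 3344 later replaced it with HMAC-MD5), and a home agent that rejects a forged request, a captured request whose care-of address was rewritten in flight, and a replayed request, using the Identification field for replay protection. The SPI, the shared key, the addresses, the replay window and the clock values are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed mobility security association between the mobile node (MN) and
# its home agent (HA): SPI and shared key are assumptions for this example.
MN_HA_SPI = 0x100
MN_HA_KEY = b"constructed-mn-ha-shared-secret"

REG_REQUEST = 1                 # Registration Request message type (RFC 2002 3.3)
MH_AUTH_EXT = 32                # Mobile-Home Authentication Extension type (RFC 2002 3.5.2)
REPLAY_WINDOW = 7               # seconds of clock skew the HA tolerates (local policy, an assumption)
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01

def ip_bytes(addr): return bytes(int(x) for x in addr.split("."))
def ip_str(raw): return ".".join(str(b) for b in raw)

def identification(now):
    """64-bit Identification in NTP format: seconds since 1900 in the high 32 bits."""
    return (int(now) + NTP_EPOCH_OFFSET) << 32

def keyed_md5(key, data):
    """RFC 2002 default authenticator: keyed MD5 in prefix+suffix mode, MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()

def build_registration_request(home, ha, coa, lifetime, ident, key=MN_HA_KEY, spi=MN_HA_SPI):
    """Registration Request (24 bytes) followed by the Mobile-Home Authentication Extension."""
    body = struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime,
                       ip_bytes(home), ip_bytes(ha), ip_bytes(coa), ident)
    # The authenticator covers the request, any preceding extensions, and this
    # extension's own type, length and SPI; it does not cover itself.
    ext_head = struct.pack("!BBI", MH_AUTH_EXT, 4 + 16, spi)
    return body + ext_head + keyed_md5(key, body + ext_head)

class HomeAgent:
    def __init__(self, spi=MN_HA_SPI, key=MN_HA_KEY):
        self.keys = {spi: key}   # mobility security associations, indexed by SPI
        self.last_ident = {}     # home address -> last accepted Identification
        self.bindings = {}       # home address -> care-of address (the mobility binding)

    def process(self, msg, now):
        """Validate a Registration Request; return (accepted, reason), installing the binding on success."""
        if len(msg) < 24 + 6 + 16:
            return False, "truncated"
        body, ext_head, authenticator = msg[:24], msg[24:30], msg[30:46]
        rtype, _, _lifetime, home, _ha, coa, ident = struct.unpack("!BBH4s4s4sQ", body)
        ext_type, ext_len, spi = struct.unpack("!BBI", ext_head)
        if rtype != REG_REQUEST or ext_type != MH_AUTH_EXT or ext_len != 20:
            return False, "malformed"
        key = self.keys.get(spi)
        if key is None:
            return False, "unknown SPI"
        # A forged request, or a captured one whose care-of address was altered,
        # fails here because the attacker does not hold the MN-HA key.
        if not hmac.compare_digest(keyed_md5(key, body + ext_head), authenticator):
            return False, "mobile node failed authentication (code 131)"
        # Replay protection (RFC 2002 5.6): the timestamp must be within the window
        # and strictly newer than the last Identification accepted for this node.
        home_s = ip_str(home)
        if abs((ident >> 32) - (int(now) + NTP_EPOCH_OFFSET)) > REPLAY_WINDOW:
            return False, "identification mismatch (code 133)"
        if ident <= self.last_ident.get(home_s, 0):
            return False, "replayed identification (code 133)"
        self.last_ident[home_s] = ident
        self.bindings[home_s] = ip_str(coa)
        return True, "registration accepted (code 0)"

def demo(now=1_700_000_000):
    """Legitimate, forged, tampered and replayed requests against one home agent (constructed data)."""
    ha = HomeAgent()
    home, ha_addr = "10.0.0.50", "10.0.0.1"
    legit = build_registration_request(home, ha_addr, "192.0.2.7", 300, identification(now))
    accepted = ha.process(legit, now)
    # Attacker without the key forges a request pointing the binding at 198.51.100.9.
    forged = build_registration_request(home, ha_addr, "198.51.100.9", 300,
                                        identification(now + 1), key=b"guessed-key")
    forged_result = ha.process(forged, now + 1)
    # Attacker rewrites the care-of address (bytes 12..15) inside the captured legitimate request.
    tampered = legit[:12] + ip_bytes("198.51.100.9") + legit[16:]
    tampered_result = ha.process(tampered, now + 1)
    # Attacker replays the captured request unchanged a moment later.
    replayed_result = ha.process(legit, now + 2)
    return accepted, forged_result, tampered_result, replayed_result, ha.bindings[home]
```

The binding is only ever updated after both the authenticator and the Identification check pass, so the attacker's two options (forge with a wrong key, or replay a genuine message) both leave the legitimate care-of address in place.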
     3. Using IPsec to authenticate Mobile IP registration
    3.1 Services provided by IPsec
    IPsec (IP Security) is a family of security standards from the IETF that provides encryption, decryption and authentication of packets at the network layer. Its services are:
    (1) Data origin authentication: ensures that the sender of the data is the party one actually intends to communicate with;
    (2) Data integrity: ensures that the data has not been tampered with in transit;
    (3) Confidentiality: ensures that the data cannot be read in transit;
    (4) Non-repudiation: ensures that neither sender nor receiver can deny having communicated (note that RFC 2401 does not list non-repudiation among IPsec's services: AH and ESP authenticate with a shared symmetric key, so a verifier can establish only that some holder of that key sent the packet);
    (5) Anti-replay: prevents a packet from being captured and resent;
    (6) Traffic-flow confidentiality: prevents an attacker from learning the type and volume of the communication.
    IPsec consists of four main parts: the security protocols (AH and ESP), security associations, the encryption and authentication algorithms, and key management (IKE).
    3.2 Advantages of protecting home agent to mobile node communication with IPsec
     IPsec provides authentication and encryption effectively. Using it to protect the communication between the home agent and the mobile node gives strong authentication and encryption, scales well, and lets the home agent rely on IPsec's own key management (IKE) instead of a separate key distribution mechanism.
    Moreover, it protects not only the registration exchange but all other communication between the home agent and the mobile node.
    IPsec is an integral part of IPv6, the next-generation Internet protocol, and the integration of Mobile IP with IPv6 is an inevitable trend. Adopting IPsec already in the Mobile IPv4 stage to protect communication between the home agent and the mobile node, and implementing the registration process on top of IPsec, therefore helps keep Mobile IP compatible with IPv6.
    3.3 Scope of protection
     IPsec is used mainly to protect the control traffic between the home agent and the mobile node, namely:
    the Registration Request and Registration Reply messages exchanged between the home agent and the mobile node;
    the ICMP messages exchanged between the home agent and the mobile node.
     IPsec can also be used to protect the data traffic between the home agent and the mobile node.
     3.4 Basic work required for IPsec protection
    (1) Protect the mobile node's registration and deregistration with IPsec encapsulation.
    (2) After a successful registration, optionally encapsulate the packets between the home agent and the mobile node in an IPsec tunnel.
    (3) Protect the ICMP packets between the home agent and the mobile node with IPsec.
    Encapsulating registration messages with IPsec
    Authentication is provided by IPsec, that is, at the network layer.
     After IPsec encapsulation the Registration Request message has the format:

    IP header (outer) | IP header (inner) | ESP header | UDP header | Registration Request data

     After IPsec encapsulation the Registration Reply message has the format:

    IP header (outer) | IP header (inner) | ESP header | UDP header | Registration Reply data

     IP-in-IP encapsulation is used here. For a Registration Request, the outer IP header's source address is the mobile node's care-of address and its destination address is the home agent's address; the inner IP header's source address is the mobile node's home address on the home link and its destination address is the home agent's address. For a Registration Reply, the outer header's source is the home agent's address and its destination is the mobile node's care-of address; the inner header's source is the home agent's address and its destination is the mobile node's home address. As the layouts above show, ESP sits between the inner IP header and the UDP header: it is applied in transport mode to the inner (home address, home agent) packet, and that protected packet is then carried in the IP-in-IP tunnel.

     IP-in-IP encapsulation is chosen because, when a packet is sent, IPsec locates the security association from the packet's source address, destination address and security protocol. Without IP-in-IP encapsulation, the care-of address and the home agent address in the IP header would have to be used to locate the SA; since the care-of address changes often, SA lookup would frequently fail and IKE would frequently be started to negotiate a new SA, degrading performance.
     With IP-in-IP encapsulation, the home agent address and the mobile node's home address in the inner IP header serve as the SA selectors, which avoids repeatedly running IKE to create new security associations.
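The encapsulation described in 3.4 and the SA-selection argument above, as an added Python example that is not part of the thesis. It builds the packet as laid out above (outer IP header with the care-of address, inner IP header with the home address, ESP in transport mode on the inner packet, UDP port 434, registration data), has the home agent select the inbound SA from the inner header and the SPI, and then walks the mobile node through three care-of addresses: the SA keyed on the inner addresses never misses, while an SA keyed on the care-of address would miss on every handover, each miss being the point at which IKE would have to run. The ESP algorithms (NULL encryption with HMAC-SHA1-96 integrity, RFC 2410 and RFC 2404), the SPI, the key, the addresses and the opaque registration payload bytes are assumptions made for the example.

```python
import hashlib
import hmac
import struct

PROTO_IPIP, PROTO_UDP, PROTO_ESP = 4, 17, 50
MIP_PORT = 434    # Mobile IP registration port (RFC 2002)
ICV_LEN = 12      # HMAC-SHA1-96 truncated ICV (assumed integrity algorithm)

def ip_bytes(addr): return bytes(int(x) for x in addr.split("."))
def ip_str(raw): return ".".join(str(b) for b in raw)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero because nothing here reaches a wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))

class Sa:
    """An ESP security association: NULL encryption, HMAC-SHA1-96 integrity (assumed)."""
    def __init__(self, spi, src, dst, key):
        self.spi, self.src, self.dst, self.key = spi, src, dst, key
        self.seq = 0            # outbound sequence number
        self.highest_seen = 0   # inbound anti-replay state (window of one, for brevity)

    def icv(self, data):
        return hmac.new(self.key, data, hashlib.sha1).digest()[:ICV_LEN]

class IpsecNode:
    def __init__(self):
        self.spd = {}       # outbound selector (src, dst) -> Sa
        self.sad = {}       # inbound (dst, PROTO_ESP, spi) -> Sa
        self.ike_runs = 0   # how often an outbound miss would have started IKE

    def install(self, sa):
        self.spd[(sa.src, sa.dst)] = sa
        self.sad[(sa.dst, PROTO_ESP, sa.spi)] = sa

    def outbound_lookup(self, src, dst):
        sa = self.spd.get((src, dst))
        if sa is None:
            self.ike_runs += 1
        return sa

def mn_send_registration(mn, home, ha, coa, reg_data):
    """Outer IP (coa->ha) | inner IP (home->ha) | ESP | UDP/434 | registration data."""
    sa = mn.outbound_lookup(home, ha)   # selected by the inner addresses, never by the care-of address
    if sa is None:
        return None
    udp = struct.pack("!HHHH", MIP_PORT, MIP_PORT, 8 + len(reg_data), 0) + reg_data
    pad_len = (-(len(udp) + 2)) % 4     # ESP trailer pads the payload to a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, PROTO_UDP)
    sa.seq += 1
    esp = struct.pack("!II", sa.spi, sa.seq) + udp + trailer
    esp += sa.icv(esp)                  # ICV over SPI, sequence number, payload and trailer
    inner = ipv4_header(home, ha, PROTO_ESP, len(esp)) + esp
    return ipv4_header(coa, ha, PROTO_IPIP, len(inner)) + inner

def ha_receive(ha_node, pkt):
    """Strip IP-in-IP, select the SA by inner header + SPI, verify ESP; return (coa, home, data) or None."""
    outer = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if outer[6] != PROTO_IPIP:
        return None
    coa, inner = ip_str(outer[8]), pkt[20:]
    ih = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ih[6] != PROTO_ESP:
        return None
    home, ha_addr, esp = ip_str(ih[8]), ip_str(ih[9]), inner[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = ha_node.sad.get((ha_addr, PROTO_ESP, spi))
    if sa is None or sa.src != home:
        return None                     # no SA for this (home address, HA, SPI)
    protected, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(sa.icv(protected), icv):
        return None                     # integrity failure: forged or altered
    if seq <= sa.highest_seen:
        return None                     # replay of an earlier ESP packet
    sa.highest_seen = seq
    pad_len, next_hdr = struct.unpack("!BB", protected[-2:])
    if next_hdr != PROTO_UDP:
        return None
    udp = protected[8:-(2 + pad_len)]
    return coa, home, udp[8:]

def handover_demo(coas):
    """Register from each care-of address in turn; count SA misses under both selection policies."""
    home, ha_addr, key = "10.0.0.50", "10.0.0.1", b"constructed-esp-integrity-key"
    mn, ha = IpsecNode(), IpsecNode()
    mn.install(Sa(0x1001, home, ha_addr, key))        # SA keyed on the inner (home, HA) pair
    ha.install(Sa(0x1001, home, ha_addr, key))
    naive = IpsecNode()
    naive.install(Sa(0x1001, coas[0], ha_addr, key))  # an SA keyed on the care-of address instead
    reg_data = b"\x01" + b"\x00" * 23                  # constructed opaque Registration Request bytes
    results, pkt = [], None
    for coa in coas:
        pkt = mn_send_registration(mn, home, ha_addr, coa, reg_data)
        results.append(ha_receive(ha, pkt))
        naive.outbound_lookup(coa, ha_addr)
    replayed = ha_receive(ha, pkt)                     # the last packet delivered a second time
    return results, mn.ike_runs, naive.ike_runs, replayed
```

Because the outer header is stripped before the SA lookup, a change of care-of address is invisible to IPsec on both ends; the home agent still learns the new care-of address, since it is read from the outer header before that header is discarded.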
English abstract (as given on the page; the text breaks off mid-sentence)
1. The services provided by Mobile IP
     Nowadays people want to connect to the Internet while mobile, in the business environment, to obtain business data more efficiently. These requirements bring great opportunities, new business and technical difficulties; the answer to them is Mobile IP.
     How to connect mobile nodes to the Internet seamlessly is the primary problem that Mobile IP must solve; it has two aspects:
    A mobile node should be able to receive packets sent to it on the new link after moving there from the old link, with its IP address unchanged.
    The communication of a mobile node should not be cut off or restarted when its IP address changes.
    Mobile IP provides the following services to fulfil these functional requirements:
    Agent discovery: the mobile node determines whether it is on its home link or on a foreign link. If it is on a foreign link it obtains a care-of address from the foreign agent or from some other configuration procedure.
    Registration: by registering, the mobile node informs its home agent of its care-of address. If there is a foreign agent, the mobile node must also register with it to obtain its routing service.
    Packet delivery: when the mobile node is on a foreign link, its home agent delivers the packets that other nodes send to it through a tunnel.
    2. The security problem of registration
     Registration is the vulnerable step, because it is the procedure that tells the home agent where to deliver the packets. An attacker can have all the packets delivered to himself instead of to the mobile node simply by sending a bogus registration message to the home agent. Even if the attacker is not allowed to receive any packet sent to the mobile node, the mobile node does not receive them either and can no longer communicate.
     To deal with this attack (a denial-of-service attack), Mobile IP requires authentication between the home agent and the mobile node. Authentication is the procedure by which a message sender proves its identity to the receiver. Mobile IP requires authentication strong enough to resist hijacking.
    3. Using IPSec to Protect Signaling between Mobile Nodes and Home Agents
    3.1 The services provided by IPsec
     IPsec (IP Security) is a series of security standards defined by the IETF. It functions at the network layer to provide confidentiality and authentication services, including the following:
    Data origin authentication: to ensure that the sender of the data is the party the receiver wants to communicate with.
    Data integrity: to ensure the data has not been modified in transit.
    Data confidentiality: to keep the data confidential in transit.
    Non-repudiation: to ensure that neither side of the communication can deny having taken part in it.
    Anti-replay: to prevent copied packets from being resent.
    Traffic-flow confidentiality: to ensure the attacker cannot learn the type of communication or the amount of data exchanged.
    IPsec has four components: the security protocols (AH, ESP), security associations (SA), key management (e.g. IKE) and the algorithms for authentication and encryption.
    3.2 The benefits of protecting the communication between home agent and mobile node with IPsec
     IPsec provides authentication and confidentiality services efficiently. By using IPsec to protect signalling between mobile nodes and home agents we obtain strong authentication and confidentiality as well as scalability, and we can reuse its key-management mechanism.
     In addition to protecting registration, IPsec can also secure the data communication between the mobile node and the home agent.
     IPsec is a component of the next-generation Internet protocol, IPv6, and the integration of Mobile IP with IPv6 is inevitable. So using IPsec to protect signalling between mobile nodes and home agents, implement the r
References
1. James D. Solomon, "Mobile IP: The Internet Unplugged", ISBN 0138562466, Prentice Hall PTR, 1998
2. James D. Solomon, 移动IP (Mobile IP, Chinese translation by 裘小峰), 机械工业出版社, 2000
3. C. Perkins, "Mobile IP", IEEE Communications Magazine, May 1997
4. C. Perkins, "Mobile Networking through Mobile IP", IEEE Internet Computing, January-February 1998
5. C. Perkins, "Mobile IP: Design Principles and Practices", ISBN 0-201-63469-4, Prentice Hall PTR, 1998
6. W. Richard Stevens, "TCP/IP Illustrated, Volume 1: The Protocols", ISBN 7-111-09505-7, Prentice Hall PTR, 1993
7. [RFC-2002] C. Perkins, "IP Mobility Support", October 1996
8. [RFC-2401] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", November 1998
9. [RFC-2402] S. Kent and R. Atkinson, "IP Authentication Header", November 1998
10. [RFC-2406] S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", November 1998
11. [RFC-2003] C. Perkins, "IP Encapsulation within IP", October 1996
12. [RFC-2004] C. Perkins, "Minimal Encapsulation within IP", October 1996
13. [RFC-2005] J. Solomon, "Applicability Statement for IP Mobility Support", October 1996
14. [RFC-2344] G. Montenegro, "Reverse Tunneling for Mobile IP", May 1998
15. [RFC-826] D. C. Plummer, "An Ethernet Address Resolution Protocol", November 1982
16. [RFC-1701] S. Hanks, D. Farinacci, P. Traina and T. Li, "Generic Routing Encapsulation", October 1994
17. [IETF-DRAFT] C. Perkins and P. R. Calhoun, "Mobile IPv4 Challenge/Response Extensions", June 2000
18. [IETF-DRAFT] E. Gustafsson, A. Jonsson and C. E. Perkins, "Mobile IP Regional Registration", July 2000
19. [IETF-DRAFT] C. Perkins and D. B. Johnson, "Route Optimization in Mobile IP", February 2000
20. [IETF-DRAFT] G. Montenegro, "Reverse Tunneling for Mobile IP", March 1997
21. [IETF-DRAFT] C. Perkins, D. B. Johnson and N. Asokan, "Registration Keys for Route Optimization", July 2000
22. [IETF-DRAFT] D. B. Johnson and C. Perkins, "Mobility Support in IPv6", April 2000
23. [IETF-DRAFT] J. Arkko, V. Devarapalli and F. Dupont, "Using IPsec to Protect Mobile IPv6 Signaling between Mobile Nodes and Home Agents", February 18, 2003
