User Management for the Wireless Self-organized Internet: Design and Implementation of RADIUS Server Functions
Abstract
The rapid development and gradual convergence of modern personal wireless communication and IP communication technologies, together with the emergence of large numbers of high-tech intelligent digital products, have led people to expect timely and reliable communication services anywhere and anytime, with high-quality voice, image, video and data.
    Combining the advantages of today's wireless mobile communication networks, IP networks and Ad Hoc networks, we propose and design the wireless mobile self-organized Internet. It is a new type of wireless self-organized multi-hop network: free of the cabling constraints of wired networks, it can build a network environment flexibly and quickly, gives users convenient access to the Internet, and above all supports mobility, laying the foundation for personal communication anywhere and anytime. Because it differs from traditional networks, it raises new challenges for user access management and network security. How to ensure that only subscribed users can access the network and use its resources, and how to keep a legitimate user's communication continuous while moving, is a key technology of this project and the core task of this thesis.
    Since the system uses a hierarchically routed network structure, in which mobile users' hosts attach through wireless access nodes and the access nodes form a backbone IP network with dynamic routing between them, we propose a centralized user management scheme within one management domain: using a Radius server, on the basis of AAA management, user location registration and tracking are brought into the scope of user management, and access management and user location tracking are realized uniformly through a three-tier "user - NAS - Radius server" access model. This enables authentication, authorization, accounting and location management of users, and in particular keeps communication from being interrupted during movement, fundamentally protecting subscribers' interests.
    From the perspective of the Radius server, this thesis analyzes and explains the design ideas and implementation scheme for this kind of user management. By analyzing the RADIUS protocol it proposes concrete measures for the implementation scheme, and then, taking FreeRADIUS as the basis under Linux, designs extensions to the Radius server's functions by adding post-authentication and location management modules. Both extensions were finally implemented in software, paving the way for solving users' "transparent" re-authentication and location tracking management.
    Finally, the thesis briefly analyzes the security issues of the user authentication system in the wireless self-organized Internet. It analyzes the security vulnerabilities that may exist in the WR and the Radius server, and, for the one-way authentication problem in the network, proposes a front-end authentication scheme that borrows the 802.1x authentication framework and uses EAP; this remains to be further verified and implemented.
With the rapid development and gradual convergence of personal wireless communication and IP technology, and with more and more high-tech digital electronic products available, people are eager to obtain trustworthy communication anywhere and anytime. They also want to enjoy multiple services such as audio, video and data.
    Nowadays there are three main popular kinds of network: the mobile wireless communication network, the IP network and the Ad Hoc network. Combining the advantages of these networks, we design a new type of multi-hop network named the Wireless Mobile Self-organized Network (WMSN). WMSN is independent of wired infrastructure and can be deployed easily and flexibly. It can provide Internet access for its subscribers, and its mobility support in particular lays a foundation for personal communication. Its differences from traditional networks make user management and network security great challenges in WMSN. Thus it is very important to ensure the subscribers' benefits and permit them to use the network resources, to prohibit unlicensed users from accessing the network, and to maintain subscribers' communication during handoff. All of these are crucial technologies in our project and also the central task of this thesis.
    For the two-level network architecture, we put forward a centralized subscriber management solution within a management realm. The solution is based on the AAA function provided by the RADIUS server and extends it with new functions for location registration and location tracking of the wireless hosts. We make full use of the user-NAS-RADIUS server three-part model to realize authentication, authorization, accounting and location management, so that even while the user is in motion he can always be online.
    The thesis analyzes the centralized user management solution and expatiates on how to design and implement it on the RADIUS server side. Based on FreeRADIUS, I programmed extensions to the server's functions for user authentication, user registration and user location query for our WMSN.
    At the end of the thesis, I focus on the security of the user authentication system and bring forward an alternative front-end authentication solution based on the 802.1x-EAP protocol. The WR and the RADIUS server are not secure enough, so all these solutions need to be researched and developed in the next step.
