
WO2008052470A1 - Method for establishing mobile ip security mechanism, security system and the relevant device - Google Patents


Info

Publication number: WO2008052470A1
Authority: WO (WIPO (PCT))
Prior art keywords: pmn, key, mobile, aaa, proxy
Legal status: Ceased
Application number: PCT/CN2007/070964
Other languages: French (fr), Chinese (zh)
Inventors: Jie Zhao, Jie Wang, Xia Yang, Jixing Liu
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/04 Registration at HLR or HSS [Home Subscriber Server]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • The present invention relates to the field of wireless communications, and more particularly to mobile IP technologies.
  • CDMA2000: Code Division Multiple Access 2000
  • ITU: International Telecommunication Union
  • WCDMA: Wideband Code Division Multiple Access
  • TD-SCDMA: Time Division Synchronous Code Division Multiple Access
  • CDMA2000 networks, including CDMA2000 1x and High Rate Packet Data (HRPD) systems, require their packet domains to support mobile IP technologies, specifically mobile IPv4 and mobile IPv6.
  • HRPD: High Rate Packet Data
  • MN: Mobile Node
  • HoA: Home Address
  • CoA: Care-of Address
  • The HoA remains unchanged, so when the MN moves to a foreign network this address is still used to maintain communication continuity and reachability.
  • The CoA is different: it is assigned to the MN by the foreign network. When the MN obtains a new CoA, it needs to bind this address to the HoA at the Home Agent (HA), so that the HA can relay traffic between the MN and other entities.
  • Messages sent to the MN are forwarded to it through a tunnel between the MN and the HA, and messages sent by the MN to other entities are forwarded the same way.
  • The messages used (in mobile IPv4) are the Registration Request (RRQ) sent by the MN to the HA and the Registration Reply (RRP) sent by the HA.
  • MIP6: Mobile IPv6
  • In MIP6 the message used by this binding process is the Binding Update (BU), sent by the MN to the HA.
  • The mobile terminal (MS) can perform the address binding process after obtaining the HA address and the HoA.
  • IPsec SA: IPsec Security Association
  • Step 101: the MS performs the link layer establishment process.
  • The MS obtains bootstrap information for MIP from the RADIUS server by way of the Packet Data Serving Node (PDSN);
  • Step 102: if a new HoA was allocated to the MS in step 101, the MS uses this HoA;
  • PDSN: Packet Data Serving Node
  • Otherwise, the MS automatically generates a global unicast address as its HoA according to the home link prefix obtained in step 101;
  • Step 103: the MS sends a Binding Update (BU) to the HA. The BU includes the MN-AAA mobility authentication option, a message digest calculated with the key shared between the MS and the Authentication, Authorization and Accounting (AAA) server, so that the HA can check the integrity of the message; the NAI (identity) of the MS is also included in the BU.
  • AAA: Authentication, Authorization, Accounting
  • Step 104: the HA obtains parameters such as the NAI of the MS and the MN-AAA authentication option from the BU message and sends them to the RADIUS server of the home network in a RADIUS Access-Request message. Step 105: the RADIUS server of the home network uses the key shared between the MS and the server to verify the MN-AAA mobility authentication option. If it is correct, the message has not been tampered with and the MS is a legitimate user.
  • The binding operation is then performed, and the RADIUS server calculates the key IK for protecting the subsequent binding process between the MS and the HA; at the same time, the MS can perform the same calculation to obtain IK. Step 106: the RADIUS server sends an Access-Accept message to the HA, whose MIP6-Session Key extension contains the key IK calculated in step 105. Step 107: the HA saves the received key IK and performs a replay attack check based on the Mesg-ID mobility option in the BU. Step 108: the HA sends a BA message to the MS, containing the MN-HA mobility message authentication option calculated with IK, the MN-NAI mobility option, and the Mesg-ID mobility option. Step 109: when the MS receives the BA, it checks the integrity of the message with IK.
  • X.P0044 Mobile IPv4 Enhancements is an enhancement of the MIP4 of X.S0011.
  • The specification primarily defines how to dynamically assign an HA to the MS on the visited network, how to perform MIP registration, and the security mechanism for registration.
  • Step 201: a Point-to-Point Protocol (PPP) connection is established between the MS and the PDSN.
  • Step 202: the PDSN sends an Agent Advertisement message to the MS, including the MN-FA Challenge extension (the challenge extension between the MN and the foreign agent, FA);
  • Step 203: the MS sends an RRQ to the PDSN, including the MN-NAI extension (the NAI of the MN), the MN-FA Challenge extension, and the MN-AAA Authentication extension (the authentication extension between the MN and the AAA).
  • The MN-AAA authentication extension is calculated with a pre-shared key between the MS and the HAAA (Home AAA).
  • The HA and HoA addresses in the RRQ are set to 0.0.0.0, indicating that the MS requests a dynamically assigned HA and HoA. Step 204: the PDSN sends a RADIUS Access-Request message to the VAAA (visited AAA), which forwards it to the HAAA.
  • Its purpose is to authenticate the MN-AAA authentication extension sent by the MS.
  • In the request, the PDSN also indicates support for local assignment, that is, the ability to allocate the HA on the visited network;
  • Step 205: the HAAA verifies the MN-AAA extension successfully and therefore sends a RADIUS Access-Accept message to the PDSN.
  • The message also includes an indication that the PDSN is authorized to allocate the HA locally. Step 206: the PDSN allocates an HA to the MS according to the policy of the visited network. Step 207: the PDSN sends the RRQ on to the allocated HA; the MN-AAA authentication extension is still included in the message. Step 208: the HA allocates a HoA to the MS. Step 209: the HA sends a RADIUS Access-Request message to the HAAA to check the MN-AAA authenticator sent by the MS.
  • The message also contains the MN-HA SPI (Security Parameter Index) VSA, which is used to request the MN-HA key.
  • SPI: Security Parameter Index
  • The parameters for calculating the key also include the HoA and the Identification field of the RRQ, i.e. the timestamp, which is placed in the MIP4-Mesg-ID VSA. Step 210: the HAAA verifies the MN-AAA authenticator again. If successful, the HAAA calculates the MN-HA key, that is, IK, for the MS and the HA to protect subsequent registration messages. Step 211: the HAAA sends the MN-HA key to the HA in a RADIUS Access-Accept message. Step 212: the HA binds the HoA of the MS to the CoA and generates an RRP in which the MN-HA authentication extension is calculated with the MN-HA key; the HA sends the RRP to the MS. Step 213: the MS calculates the MN-HA key in the same way as the HAAA and verifies the MN-HA authentication extension in the received RRP. If successful, the binding process ends.
  • MN-HA key: the key IK shared between the MS and the HA
  • 3GPP2 is currently developing a fast handover process for HRPD.
  • The session state of the source PDSN is transferred to the target PDSN of the handover, so that the network access point of the MS becomes the target PDSN.
  • FIG. 3 shows the HRPD fast handover reference architecture.
  • HA is the home agent of mobile IP.
  • S-PDSN is the source PDSN, and T-PDSN is the target PDSN.
  • S-AN is the source access network device, and T-AN is the target access network device.
  • Fast handoff consists of three parts: P-P tunnel establishment, MS context transfer and execution of proxy mobile IP, and switching of the data access point. Of these, the MS context transfer and the execution of proxy mobile IP are optional procedures.
  • The P-P interface in FIG. 3 is used to encapsulate user data tunnels passed between AGWs (access gateways) during fast handover.
  • AGW: access gateway
  • After the context transfer process, the MS is transferred from the source access gateway to the target access network, and the target access gateway becomes the endpoint of the data link.
  • The point-to-point protocol is used as the data link layer, that is, the target access gateway is the endpoint of the point-to-point protocol.
  • Signaling between the access gateway and the MS is then handled by the target access gateway of the handover.
  • The MS session state includes the point-to-point protocol state, QoS (Quality of Service) parameters, mobility state, and so on.
  • Execution of proxy mobile IP is a process in which the PDSN performs the mobile IP signaling in place of the terminal to register and bind with the HA; it is used to update the route from the HA to the PDSN.
  • FIG. 4 shows the HRPD fast handover procedure being developed by 3GPP2.
  • Step 401: the MS establishes a point-to-point protocol connection with the source PDSN. If the MS supports mobile IP, it also needs to obtain the information required for mobile IP registration, such as the HA address and HoA.
  • The source PDSN performs proxy mobile IP, binding the address of the MS with its own address (proxy mobile IP is not performed for a mobile IPv4 MS).
  • The PDSN allocates an IP address to the MS. Step 402: the MS is in the active state and the source AN finds that a handover needs to be performed, so it sends the parameters required for the handover to the target AN. Step 403: the target AN establishes an A10 connection with the target PDSN. Step 404: the target PDSN sends the source PDSN a request to establish a point-to-point connection; the source PDSN accepts the request and transfers the context of the MS to the target PDSN, where the context includes the point-to-point protocol state, mobile IP state, mobile IP security parameters, QoS parameters and so on. Data now passes along HA - source PDSN - target PDSN - T-AN. Step 405: the target PDSN performs the proxy mobile IP binding, binding the address of the MS with its own address and changing the routing of the data.
  • Service data is then transmitted along HA - target PDSN - T-AN.
  • The PDSN performs the proxy mobile IP binding in place of the terminal, so that in the simple IP case the address remains unchanged when the terminal moves between PDSNs.
  • Service data is switched from the source PDSN to the target PDSN, maintaining session continuity. For an MS that supports mobile IP, this also ensures that after the handover the MS does not initiate a mobile IP binding, which reduces delay.
  • The mechanism for securing proxy mobile IP has not yet been determined.
  • Proxy mobile IP is also used in fields other than wireless cellular communication, for example local mobility through proxy mobile IP, but the final specifications for these applications have not yet been determined. It is foreseeable that security mechanisms will be an important part of them.
  • FIG. 5 shows a proxy mobile IP security mechanism that has been proposed.
  • The MS in this process supports only Simple IPv6 (SIPv6). As shown in the figure:
  • Step 501: the PDSN establishes a link layer connection with the MS and initiates authentication of the MS, and the MS returns its authentication information.
  • Step 502: the PDSN sends a RADIUS Access-Request message to the AAA to check the authentication response returned by the MS, and indicates that it supports proxy mobile IP;
  • Step 503: the AAA returns an Access-Accept message that includes the address of the allocated HA and the root key PMN-HA-RK for deriving the PMN-HA key.
  • The PMN-HA key protects messages between the proxy mobile IP client (here the PDSN) and the HA; it is calculated from PMN-HA-RK, the HA address and the PDSN address.
  • Step 504: the PDSN sends an Initial Proxy Binding Update message to the HA, using the PMN-HA key to generate the PMN-HA Mobility Message Authentication Option.
  • Step 505: there is no binding for the MS on the HA yet, so the HA sends a RADIUS Access-Request message to the HAAA requesting the key PMN-HA-RK;
  • Step 506: the AAA responds, returning PMN-HA-RK so that the HA can calculate the PMN-HA key from it;
  • Step 507: after receiving the response, the HA calculates the PMN-HA key and verifies the integrity of the BU; if successful, it sends a BA message to the PDSN.
  • The BA message includes the new SPI value generated by the HA (the PMIP SPI), the MN-HA Mobility Message Authentication option calculated with the PMN-HA key, and the assigned Home Address option;
  • Step 508: after receiving the BA, the PDSN verifies the integrity of the BA message with the PMN-HA key and saves the SPI value sent by the HA for use in subsequent bindings; the PDSN also sends a Router Advertisement (RA) to the MS according to the content of the Home Address option, and the MS configures its address automatically from the prefix in the RA;
  • RA: router advertisement
  • Step 509: the service data of the MS is delivered via the PDSN and the HA;
  • For an MS that also supports MIP6, the process is similar to that of simple IPv6: the PDSN authenticates the MS, and the AAA returns the authentication result together with two sets of information required for mobile IP registration, one for client mobile IP registration and the other for proxy mobile IP registration.
  • Each set of mobile IP information includes the HA address, HoA and HL (home location); the addresses of the two HAs are different.
  • When the PDSN performs proxy mobile IP registration, it uses the proxy mobile IP information.
  • The MS itself initiates the BU/BA exchange with the HA after obtaining the client HoA and HA address.
  • When an SIPv6 or MIP6 terminal is handed over, the target PDSN obtains PMN-HA-RK from the source PDSN, calculates a new PMN-HA key from its own IP address and the IP address of the HA, and sends a BU message to the HA.
  • The SPI used is again the aforementioned PMN-SPI.
  • When the HA receives the BU, it recalculates the new PMN-HA key.
  • The newly generated SPI value is also carried when the BA is sent.
  • Likewise, the PDSN also performs proxy MIP in place of the MS.
  • The required key PMN-HA-RK is likewise obtained from the HAAA during the access authentication process.
  • The PMN-HA key is calculated from PMN-HA-RK.
  • The target PDSN likewise obtains PMN-HA-RK from the source PDSN, calculates a new PMN-HA key and performs the binding.
  • The source PDSN and the target PDSN use a fixed SPI value, PMN-SPI, to initiate the initial mobile IP binding to the HA; the value lies in the range 0-255.
  • PMN-SPI: the fixed SPI value used for the initial binding
  • After receiving such a binding request, the HA triggers an update of the PMN-HA key.
  • In another variant, when the MS first accesses the network, the source PDSN also obtains the required key PMN-HA-RK from the HAAA during access authentication, and also obtains an SPI generated by the AAA. The source PDSN uses this SPI value when performing proxy mobile IP. When a handover occurs, the source PDSN passes both PMN-HA-RK and the SPI to the target PDSN, and the target PDSN continues to use the SPI received from the source PDSN when it sends a BU/RRQ.
  • The problem with this method is that by the time the target PDSN sends the BU/RRQ, the key in use is already the newly generated PMN-HA key. If the original SPI is used, the HA will verify with the old key and the check will not pass. At this point the HA must update the PMN-HA key; or, after the HA notices the change of PDSN address, it actively updates the PMN-HA key.
  • The main technical problem to be solved by embodiments of the present invention is to provide a method for establishing a security mechanism for proxy mobile IP, a security system, and related devices.
  • An embodiment of the present invention provides a method for establishing a proxy mobile IP security mechanism, including:
  • the mobile IP proxy obtains the PMN-AAA key shared between the corresponding home authentication, authorization and accounting server (HAAA) and the proxy, protects the binding request for mobile IP registration with the PMN-AAA key, and sends it to the home agent (HA);
  • the mobile IP proxy receives the binding response sent by the HA, calculates the PMN-HA key shared with the HA from the PMN-AAA key it obtained, and verifies the binding response with the PMN-HA key;
  • here the binding response is a message the HA has protected with the PMN-HA key, and the PMN-HA key is the key between the proxy and the HA generated from the PMN-AAA key or the PMN-AAA root key after the HAAA has verified the binding request with the PMN-AAA key; the binding response further carries a security parameter index (SPI) for indexing the PMN-HA key;
  • after the verification, the mobile IP proxy uses the PMN-HA key and the SPI to protect the integrity of subsequent mobile IP messages.
  • An embodiment of the present invention further provides a method for establishing a proxy mobile IP security mechanism, including: the home agent (HA) receives a mobile IP binding request sent by a mobile IP proxy, where the binding request is a message the proxy has protected with the PMN-AAA key between the home authentication, authorization and accounting server (HAAA) and the proxy;
  • the HA verifies the binding request, through interaction with the HAAA, with the PMN-AAA key held by the HAAA;
  • the HA protects the binding response message sent to the mobile IP proxy with the PMN-HA key, the shared key between the proxy and the HA generated from the PMN-AAA key or the PMN-AAA root key, where the binding response message carries a security parameter index (SPI) for indexing the PMN-HA key; the PMN-HA key and the SPI are the key and index that the mobile IP proxy, after calculating the PMN-HA key from the PMN-AAA key it obtained and verifying the binding response with it, uses to protect the integrity of subsequent mobile IP messages.
  • An embodiment of the invention further provides a mobile IP proxy, comprising:
  • a PMN-AAA key acquisition module configured to obtain the PMN-AAA key between the home authentication, authorization and accounting server (HAAA) and the proxy;
  • a binding request sending module configured to protect the binding request for mobile IP registration with the acquired PMN-AAA key and send it to the home agent (HA);
  • a verification module configured to calculate the PMN-HA key from the acquired PMN-AAA key after the proxy receives the binding response sent by the HA, and to verify the binding response with the PMN-HA key; here the binding response is a message the HA has protected with the PMN-HA key, the PMN-HA key is the key between the proxy and the HA generated from the PMN-AAA key or the PMN-AAA root key after the HAAA has verified the binding request with the PMN-AAA key, and the binding response further carries a security parameter index (SPI) for indexing the PMN-HA key;
  • a protection module configured to protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI.
  • An embodiment of the invention also provides a home agent, comprising:
  • a binding request receiving module configured to receive a binding request for mobile IP registration sent by a mobile IP proxy, where the binding request is a message the proxy has protected with the PMN-AAA key it acquired between the home authentication, authorization and accounting server (HAAA) and the proxy; a binding response sending module configured to protect the binding response with the PMN-HA key between the proxy and the HA, generated from the PMN-AAA key or the PMN-AAA root key, after the home agent, through interaction with the HAAA, has had the binding request verified with the PMN-AAA key held by the HAAA.
  • The binding response carries the SPI for indexing the PMN-HA key, which the proxy, after calculating the PMN-HA key from the PMN-AAA key it obtained and verifying the binding response with it, uses together with the key to protect the integrity of subsequent mobile IP messages.
  • An embodiment of the present invention further provides a proxy mobile IP security system, comprising a mobile IP proxy, a home agent (HA), and a home authentication, authorization and accounting server (HAAA), where: the mobile IP proxy is used to obtain the PMN-AAA key between the corresponding HAAA and the proxy, protect the binding request for mobile IP registration with the PMN-AAA key, and send the request to the HA;
  • the HA is used to:
  • the HAAA is used to provide the PMN-AAA key.
  • The mobile IP proxy is, for example, the PDSN, an access gateway, or a control access node.
  • When the proxy performs the proxy mobile IP binding for the first time (such as on establishment), the PMN-AAA key between the HAAA and the proxy is used to protect the binding request for mobile IP registration sent to the HA, and the proxy generates the PMN-HA key shared with the HA from the PMN-AAA key.
  • The HA authenticates the binding request and obtains the PMN-HA key through interaction with the HAAA, returns a binding response to the proxy after the verification passes, and carries in the binding response the SPI for indexing the PMN-HA key.
  • The proxy and the HA then protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI. This enables the HA to correctly process all legitimate binding requests without modifying the existing protocol, and to update the key and generate the corresponding SPI according to the situation, ensuring correct message verification between the proxy and the HA and satisfying mobile IP security.
  • Since the proxy uses the PMN-AAA key to integrity-protect the binding request, the HA can authenticate the binding request through the HAAA, and the HAAA can verify the binding request by using the identity of the MS to find the corresponding PMN-AAA key, so that proxy mobile IP registration requires no major changes to existing devices (especially the HA), which gives the invention wider applicability.
  • When the MS establishes a connection with the proxy for the first time, the proxy sends the authentication information of the MS to the HAAA; after the authentication information has been verified, the HAAA sends the proxy the PMN-AAA key (or the root key of the PMN-AAA key, from which the proxy derives the PMN-AAA key) together with the information required for proxy mobile IP registration and client mobile IP registration.
  • The proxy may request the information required for client mobile IP registration and complete client mobile IP registration from that information, so that the invention is further compatible with the prior art.
  • Figure 1 is a schematic diagram of the binding process for IPv6 in the MIP6 scenario defined in the X.S0011 cdma2000 Wireless IP Network Standard;
  • Figure 2 is a schematic diagram of the security mechanism involved in X.P0044 Mobile IPv4 Enhancements, namely dynamic HA allocation, MIP registration and registration security for the MS in the visited network;
  • Figure 3 shows the reference architecture of the HRPD fast handover procedure being developed by 3GPP2;
  • Figure 4 is a schematic diagram of the HRPD fast handover procedure being developed by 3GPP2;
  • FIG. 5 is a schematic diagram of a proxy mobile IP security mechanism that has been proposed so far;
  • FIG. 6 is a schematic diagram of the relationship between key derivation and delivery according to the present invention;
  • FIG. 7 is a flow chart of a method for establishing a proxy mobile IP security mechanism according to a first embodiment of the present invention;
  • FIG. 8 is a flow chart of a method for establishing a proxy mobile IP security mechanism according to a fifth embodiment of the present invention.
  • The mobile IP proxy, such as the PDSN, obtains from the HAAA the PMN-AAA key (or obtains the PMN-AAA root key and derives the PMN-AAA key from it) instead of the PMN-HA key, and uses the PMN-AAA key to protect the binding request (a BU or RRQ message for mobile IP registration) it sends to the HA:
  • the PMN-AAA key is used to calculate the MN-AAA authentication extension (in MIP4) or the authentication option (in MIP6) in the BU or RRQ message, and the BU or RRQ message carries the fixed SPI value already assigned to these extensions or options.
  • After receiving the BU or RRQ message, the HA authenticates the MN-AAA authentication extension or authentication option through the HAAA. If the authentication succeeds, the HAAA generates the PMN-HA key for the HA and the PDSN to use in subsequent bindings, and sends the PMN-HA key to the HA.
  • The PDSN can calculate the PMN-HA key from the PMN-AAA key and other parameters (such as the PDSN address and the HA address).
  • When the HA sends the binding response (a BA or RRP message) to the PDSN, it uses the PMN-HA key to calculate the MN-HA authentication extension or authentication option, and also includes an SPI value in the BA or RRP message.
  • The SPI can be a random value guaranteed to be unique, generated by the HAAA or the HA, or a fixed value agreed with the PDSN, or a calculated value.
  • After receiving the BA or RRP message, the PDSN verifies it with the PMN-HA key it calculated. If the verification succeeds, the SPI value sent by the HA is saved. In subsequent bindings the PDSN and the HA use the PMN-HA key and the SPI carried in the binding response to protect the integrity of subsequent mobile IP messages.
  • On handover, the source PDSN sends the PMN-AAA key (or the PMN-AAA root key) to the target PDSN, and the target PDSN again uses the PMN-AAA key (if it obtained the PMN-AAA root key from the source PDSN, it derives the PMN-AAA key from the root key) to compute the MN-AAA authentication extension or authentication option and sends a BU or RRQ message to the HA.
  • The SPI used for indexing is again the fixed value defined in the protocol.
  • After receiving the new PMN-HA key, the HA calculates the MN-HA authentication extension or authentication option with it and returns a BA or RRP message containing the new SPI value.
  • The SPI can be a random value guaranteed to be unique, generated by the HA, or a fixed value agreed with the PDSN.
  • The target PDSN and the HA can then use the PMN-HA key and the SPI value to protect the integrity of subsequent mobile IP messages.
  • The HAAA uses the key shared between the MS and the HAAA to derive the key from which the PMN-HA key between the proxy MIP client (PMIP Client, such as the PDSN) and the HA is derived, or statically stores a PMN-AAA key. The HAAA passes the PMN-AAA key to the first proxy MIP client (PMIP Client1). When PMIP Client1 initially performs the mobile IP binding, the PMN-AAA key is used, and the HA then obtains the PMN-HA1 key from the HAAA.
  • PMIP Client1 can also calculate and use the PMN-HA1 key by itself.
  • PMIP Client1 passes the PMN-AAA key to PMIP Client2 (as when the source PDSN passes the PMN-AAA key to the target PDSN).
  • The initial registration of PMIP Client2 also uses the PMN-AAA key; the HAAA generates PMN-HA2 and passes it to the HA, and subsequently the HA and PMIP Client2 use PMN-HA2.
  • Alternatively, the HAAA transmits the PMN-AAA root key PMN-AAA-RK to the PMIP Client.
  • PMN-AAA-RK: the PMN-AAA root key
  • The HAAA can also pass the PMN-AAA key directly to the HA, so that the HA can calculate the required PMN-HA key by itself instead of obtaining it through the HAAA every time.
  • The mobile IP proxy can also be an access gateway or another network entity such as an access point.
  • the present embodiment relates to a method for establishing a proxy mobile IP security mechanism.
  • In the present embodiment the MS supports both simple IPv6 and mobile IPv6, the mobile IP proxy is a PDSN, and the PDSN uses MIP6; the specific process is shown in Figure 7.
  • Step 701: the MS establishes a connection with the PDSN for the first time, the PDSN initiates authentication to the MS, and the MS returns an authentication response.
  • The PDSN sends the authentication response of the MS to the HAAA, and indicates that it supports the function of proxy mobile IP.
  • If the HAAA authenticates the MS successfully and allows the PDSN to perform the proxy mobile IP function, it returns an indication that the PDSN is authorized to perform proxy mobile IP.
  • The HAAA also sends the PDSN the PMN-AAA key between the PDSN and the HAAA that is required to register proxy mobile IP.
  • Because the MS supports both mobile IP and simple IP, the HAAA also sends the PDSN the information required for the proxy mobile IP registration and for the client mobile IP registration, such as the HA address, HoA and HL.
  • Instead of the PMN-AAA key itself, the HAAA may send the root key of the PMN-AAA key to the PDSN, and the PDSN calculates the PMN-AAA key from the root key, which further improves the security of proxy mobile IP.
  • After the authentication of the MS authentication information passes, the HAAA sends the PDSN a PMN-AAA key (or the root key of the PMN-AAA key, from which the PDSN obtains the PMN-AAA key), together with the information required for proxy mobile IP registration and for client mobile IP registration. After the proxy mobile IP registration is completed, the MS can therefore request from the PDSN the information required for client mobile IP registration and complete the client mobile IP registration based on that information, so that the present invention remains compatible with the prior art.
  • The HA address information differs between the information required for proxy mobile IP registration and that required for client mobile IP registration; whether a mobile IP registration is a proxy mobile IP registration or a client mobile IP registration is distinguished by the different HA addresses.
  • The PDSN performs the binding registration process of proxy mobile IP. Specifically, the PDSN integrity-protects the binding request BU message for registering mobile IP using the PMN-AAA key obtained in step 703, that is, the message includes the MN-AAA authentication option, and the SPI value carried in it is a fixed value defined in the protocol.
  • The HA needs to verify the correctness of the MN-AAA authentication option with the help of the HAAA, and therefore forwards the request to the HAAA, requesting the HAAA to authenticate the BU message.
  • The HAAA uses the identity identifier of the MS to index the corresponding PMN-AAA key and verifies the message with it. If successful, it calculates the PMN-HA key, denoted PMN-HA1, and returns a message stating that verification succeeded, which contains the key PMN-HA1. This eliminates the need for major changes to existing equipment (especially the HA), which makes the invention more valuable.
  • The HA sends a binding response BA message to the PDSN. The message is integrity-protected with PMN-HA1 and further includes a new SPI value; the SPI may be a random and guaranteed-unique value generated by the HA, or a fixed value agreed with the PDSN.
  • The PDSN verifies the PMN-HA authentication option with the PMN-HA key it calculates itself from the PMN-AAA key obtained in step 703 and other parameters (such as the PDSN address and HA address). If the PMN-HA authentication option verifies correctly, the binding registration process ends and the PDSN saves the received SPI value.
  • In subsequent bindings the PDSN uses PMN-HA1 and the SPI value assigned by the HA to integrity-protect the subsequent mobile IP messages.
  • The PDSN assigns an address to the MS according to the proxy mobile IP information obtained from the HAAA.
  • DHCP: Dynamic Host Configuration Protocol.
  • The MS completes the MIP binding registration process with the HA according to the obtained information required for client mobile IP registration.
  • Step 711: the MS moves and a handover between PDSNs needs to be performed, that is, from the current PDSN (source PDSN) to the target PDSN.
  • The source PDSN establishes a P-P interface with the target PDSN and forwards all context information of the MS to the target PDSN; the MIP security related parameter is mainly the PMN-AAA key, that is, the target PDSN obtains the PMN-AAA key from the source PDSN.
  • Instead of sending the PMN-AAA key directly, the source PDSN may send the root key of the PMN-AAA key to the target PDSN, and the target PDSN obtains the PMN-AAA key from the root key, which further improves the security of proxy mobile IP.
  • The target PDSN completes the installation of the context.
  • The target PDSN performs the binding registration process of proxy mobile IP, still using the PMN-AAA key to calculate the MN-AAA authentication option and integrity-protect the binding request BU message for registering mobile IP; that is, the MN-AAA authentication option calculated with the PMN-AAA key is included in the BU message, and the carried SPI value is a fixed value defined in the protocol.
  • Because the BU does not include the MN-HA authentication option but the MN-AAA authentication option, the HA forwards the request to the HAAA, requesting the HAAA to verify the BU message.
  • On receiving the request from the HA, the HAAA verifies the correctness of the BU request message. If it is correct, it calculates a new PMN-HA key for the HA, namely PMN-HA2, and the HAAA transmits PMN-HA2 to the target PDSN.
  • The HA sends a binding response BA message to the target PDSN. The message is integrity-protected with the new PMN-HA2 key and further includes a new SPI value; the SPI may be a random and guaranteed-unique value generated by the HA, or a fixed value agreed with the PDSN.
  • The target PDSN verifies the response message with the PMN-HA key it calculates itself from the PMN-AAA key obtained in step 712 and some other parameters (such as the PDSN address and HA address). If successful, the target PDSN saves the received SPI value.
  • In subsequent bindings the target PDSN uses PMN-HA2 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.
  • Step 718: the data path is switched from the source PDSN to the target PDSN, and the P-P interface is deleted.
  • Integrity protection of the BU message with the PMN-AAA key allows the HA to correctly process all legitimate binding requests without modifying the existing protocol; the key is updated according to the different situations and the corresponding SPI is generated, which ensures the accuracy of message verification between the proxy and the HA and satisfies the security requirements of mobile IP.
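The key hierarchy and message exchange of steps 701 to 718 above, modelled as runnable Python. This is an added example, not code from the patent or from Huawei. The page does not fix the cryptographic primitives, so the model assumes HMAC-SHA256 for the MN-AAA and MN-HA authentication options and for deriving PMN-HA from PMN-AAA together with the proxy and HA addresses; the fixed MN-AAA SPI, the NAI, the addresses and the MS-HAAA key are constructed placeholders. The `verify_locally` switch models the second embodiment, in which the HA obtains PMN-AAA from the HAAA and checks the BU itself; the MIP4 flow of the fifth embodiment (RRQ/RRP instead of BU/BA) has the same structure. The flow also shows that a proxy which never received PMN-AAA cannot bind, and that the handover to a second PDSN yields a fresh PMN-HA2 and SPI.

```python
# Added example, not code from the patent or its assignee: a model of the
# proxy MIP key hierarchy in the first and second embodiments. Assumptions
# (not stated on the page): HMAC-SHA256 for the authentication options and
# for deriving PMN-HA from PMN-AAA plus the proxy and HA addresses; the fixed
# MN-AAA SPI, NAI, addresses and MS-HAAA key are constructed placeholders.
import hashlib, hmac, os

MN_AAA_SPI = 5  # placeholder for the protocol-defined fixed SPI value


def kdf(key, *labels):
    """Subkey derivation (assumed construction): HMAC-SHA256 over the labels."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()


def auth_option(key, spi, payload):
    """MN-AAA / MN-HA style authentication option over SPI and message body."""
    return hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def option_ok(key, spi, payload, option):
    # Constant-time check; a missing key never verifies.
    return key is not None and hmac.compare_digest(auth_option(key, spi, payload), option)


def derive_pmn_ha(pmn_aaa, proxy_addr, ha_addr):
    """PMN-HA key, computed independently by HAAA (or HA) and by the proxy."""
    return kdf(pmn_aaa, b"PMN-HA", proxy_addr.encode(), ha_addr.encode())


class HAAA:
    def __init__(self, ms_keys):
        self.ms_keys = ms_keys  # NAI -> key shared between MS and HAAA
        self.pmn_aaa = {}       # NAI -> PMN-AAA key issued to the proxy

    def authenticate_ms(self, nai, ms_key):
        """Steps 702-703: authenticate the MS, then issue the PMN-AAA key."""
        if not hmac.compare_digest(self.ms_keys.get(nai, b""), ms_key):
            return None
        self.pmn_aaa[nai] = kdf(ms_key, b"PMN-AAA")
        return self.pmn_aaa[nai]

    def verify_bu(self, bu, ha_addr):
        """Steps 706/715: index PMN-AAA by NAI, check MN-AAA option, derive PMN-HA."""
        key = self.pmn_aaa.get(bu["nai"])
        if not option_ok(key, MN_AAA_SPI, bu["payload"], bu["option"]):
            return None
        return derive_pmn_ha(key, bu["proxy_addr"], ha_addr)


class HA:
    def __init__(self, addr, haaa, verify_locally=False):
        self.addr, self.haaa, self.bindings = addr, haaa, {}
        self.verify_locally = verify_locally  # True models the second embodiment

    def handle_bu(self, bu):
        """Steps 705-707: BU carries only an MN-AAA option, so forward to HAAA or verify locally."""
        if bu["spi"] != MN_AAA_SPI:
            return None
        if self.verify_locally:
            key = self.haaa.pmn_aaa.get(bu["nai"])  # PMN-AAA delivered by HAAA
            pmn_ha = (derive_pmn_ha(key, bu["proxy_addr"], self.addr)
                      if option_ok(key, MN_AAA_SPI, bu["payload"], bu["option"]) else None)
        else:
            pmn_ha = self.haaa.verify_bu(bu, self.addr)
        if pmn_ha is None:
            return None
        spi = int.from_bytes(os.urandom(4), "big") | 0x100  # fresh, non-reserved SPI
        self.bindings[bu["nai"]] = (pmn_ha, spi)
        payload = b"BA:" + bu["nai"].encode()
        return {"spi": spi, "payload": payload, "option": auth_option(pmn_ha, spi, payload)}


class Proxy:
    """PMIP client (PDSN): holds PMN-AAA per MS and the PMN-HA SA after binding."""
    def __init__(self, addr):
        self.addr, self.pmn_aaa, self.sa = addr, {}, {}

    def register(self, ha, nai):
        """Steps 704-708: BU protected with PMN-AAA; BA checked with own PMN-HA."""
        key = self.pmn_aaa.get(nai)
        if key is None:
            return False
        payload = b"BU:" + nai.encode() + b"@" + self.addr.encode()
        ba = ha.handle_bu({"nai": nai, "proxy_addr": self.addr, "spi": MN_AAA_SPI,
                           "payload": payload, "option": auth_option(key, MN_AAA_SPI, payload)})
        pmn_ha = derive_pmn_ha(key, self.addr, ha.addr)
        if ba is None or not option_ok(pmn_ha, ba["spi"], ba["payload"], ba["option"]):
            return False
        self.sa[nai] = (pmn_ha, ba["spi"])  # protects later bindings (step 709)
        return True

    def hand_over(self, target, nai):
        """Step 712: the source proxy passes PMN-AAA within the MS context."""
        target.pmn_aaa[nai] = self.pmn_aaa[nai]


def run_flow(verify_locally=False):
    """Initial binding via PDSN1, handover to PDSN2 (new PMN-HA2/SPI), rogue proxy rejected."""
    nai, ms_key = "ms@example.invalid", b"constructed-ms-haaa-key"
    haaa = HAAA({nai: ms_key})
    ha = HA("2001:db8::1", haaa, verify_locally)
    pdsn1, pdsn2, rogue = Proxy("2001:db8::a"), Proxy("2001:db8::b"), Proxy("2001:db8::c")
    pdsn1.pmn_aaa[nai] = haaa.authenticate_ms(nai, ms_key)  # steps 701-703
    ok = pdsn1.register(ha, nai)
    pdsn1.hand_over(pdsn2, nai)
    ok = ok and pdsn2.register(ha, nai)
    return {"ok": ok, "rekeyed": pdsn1.sa[nai] != pdsn2.sa[nai],
            "ha_agrees": ha.bindings[nai] == pdsn2.sa[nai],
            "rogue_rejected": not rogue.register(ha, nai)}
```

`run_flow()` exercises the first embodiment and `run_flow(verify_locally=True)` the second; in both cases the proxy never learns the MS-HAAA key, only the PMN-AAA key handed to it, and the HA only ever accepts a BU whose MN-AAA option verifies under a PMN-AAA key the HAAA actually issued.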
  • A second embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism.
  • The present embodiment is substantially the same as the first embodiment, except that in the first embodiment the BU message from the PDSN is verified by the HAAA and a PMN-HA key is sent to the HA, whereas in this embodiment the HA uses the identity of the MS to request the HAAA to deliver the PMN-AAA key, verifies the BU message with the PMN-AAA key itself, and derives the PMN-HA key from the PMN-AAA key. Therefore, when the PDSN is switched, the HA can perform the message verification and key update independently in the subsequent processing, and the interaction with the HAAA is no longer needed, which simplifies the process.
  • The PMN-HA key may also be generated from the PMN-AAA key by either the HA or the HAAA, which does not affect the implementation of the embodiment of the present invention.
  • The PMN-HA key or the PMN-AAA key may also be calculated using the IP address of the proxy, the IP address of the HA and/or a timestamp as input.
  • The third embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism.
  • The present embodiment is substantially the same as the first embodiment, except that in the first embodiment the HA address information differs between the information required for proxy mobile IP registration and that required for client mobile IP registration, which the HAAA sends to the PDSN after authenticating the MS authentication information, and the different HA addresses distinguish a proxy mobile IP registration from a client mobile IP registration.
  • In this embodiment the same HA address information can still be used, that is, the HAAA is not required to send two HA addresses to the PDSN; a single HA address is used.
  • The fourth embodiment of the present invention relates to a method for establishing a security mechanism for proxy mobile IP.
  • The present embodiment is substantially the same as the first embodiment, except that the MS supports only simple IPv6 in this embodiment. Therefore, after the HAAA has authenticated the MS successfully there is no need to send two sets of mobile IP information; only the information required for proxy mobile IP registration is sent to the PDSN, and the MS does not need to perform the client mobile IP registration binding process.
  • A fifth embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism.
  • In this embodiment the MS supports simple IPv4, the mobile IP proxy is a PDSN, and the PDSN uses MIP4; the specific process is shown in Figure 8.
  • Step 801: the MS establishes a connection with the PDSN for the first time, the PDSN initiates authentication to the MS, and the MS returns an authentication response.
  • The PDSN sends the authentication response of the MS to the HAAA, and indicates that it supports the function of proxy mobile IP.
  • If the HAAA authenticates the MS successfully and allows the PDSN to perform the proxy mobile IP function, it returns an indication authorizing the PDSN to perform proxy mobile IP.
  • The HAAA also sends the PDSN the PMN-AAA key between the PDSN and the HAAA, and other information (such as the HA address), required to register proxy mobile IP.
  • Instead of the PMN-AAA key itself, the HAAA may send the root key of the PMN-AAA key to the PDSN, and the PDSN calculates the PMN-AAA key from the root key, which further improves the security of proxy mobile IP.
  • The PDSN performs the binding registration process of proxy mobile IP. Specifically, the PDSN integrity-protects the binding request RRQ message for registering mobile IP using the PMN-AAA key obtained in step 803, that is, the message includes the MN-AAA authentication extension, where the SPI is a fixed value defined in the protocol and the HoA is all zeros.
  • Step 805: after receiving the binding request message RRQ, the HA needs to verify the correctness of the MN-AAA authentication extension with the help of the HAAA, and therefore forwards the request to the HAAA, requesting the HAAA to verify the RRQ message.
  • The HAAA uses the identity identifier of the MS to index the corresponding PMN-AAA key and verifies the message with it; if successful, it calculates the PMN-HA key, which may be denoted PMN-HA1.
  • The HAAA returns a message stating that verification succeeded, which contains the key PMN-HA1. In this way, the proxy mobile IP registration does not require major changes to existing devices (especially the HA), which gives the invention greater application value.
  • The HA allocates the HoA and sends a binding response RRP message to the PDSN. The message is integrity-protected with PMN-HA1 and further includes a new SPI value; the SPI may be a random and guaranteed-unique value generated by the HA.
  • The PDSN verifies the PMN-HA authentication extension with the PMN-HA key it calculates itself. If correct, the binding ends and the PDSN saves the received HoA and SPI values.
  • In subsequent bindings the PDSN uses PMN-HA1 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.
  • The PDSN allocates an address for the MS, and the address is the HoA obtained by the PDSN from the HAAA.
  • Step 809: the MS moves and a handover between PDSNs needs to be performed, that is, from the current PDSN (source PDSN) to the target PDSN.
  • The source PDSN establishes a P-P interface with the target PDSN and forwards all context information of the MS to the target PDSN; the parameters related to MIP security are mainly the PMN-AAA key, that is, the target PDSN obtains the PMN-AAA key from the source PDSN.
  • Instead of sending the PMN-AAA key directly, the source PDSN may send the root key of the PMN-AAA key to the target PDSN, and the target PDSN obtains the PMN-AAA key from the root key, which further improves the security of proxy mobile IP.
  • The target PDSN completes the installation of the context.
  • The target PDSN performs the binding registration process of proxy mobile IP, still using the PMN-AAA key to calculate the MN-AAA authentication extension and integrity-protect the binding request RRQ message; that is, the MN-AAA authentication extension calculated with the PMN-AAA key is included in the RRQ message, and the carried SPI value is a fixed value defined in the protocol.
  • Because the RRQ does not include the MN-HA authentication extension but the MN-AAA authentication extension, the HA forwards the request to the HAAA, requesting the HAAA to verify the RRQ message.
  • The HAAA verifies the correctness of the RRQ message. If correct, a new PMN-HA key, namely PMN-HA2, is calculated for the HA, and the HAAA transmits PMN-HA2 to the target PDSN.
  • The HA sends a binding acknowledgement RRP message to the target PDSN. The message is integrity-protected with the new PMN-HA2 key and further includes a new SPI value; the SPI may be a random and guaranteed-unique value generated by the HA. After receiving the response, the target PDSN verifies it with the PMN-HA key it calculates itself; if successful, the target PDSN saves the received SPI value.
  • In subsequent bindings the target PDSN uses PMN-HA2 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.
  • Step 816: the data path is switched from the source PDSN to the target PDSN, and the P-P interface is deleted.
  • Integrity protection of the RRQ message with the PMN-AAA key allows the HA to correctly process all legitimate binding requests without modifying the existing protocol; the key is updated according to the different situations and the corresponding SPI is generated, which ensures the accuracy of message verification between the proxy and the HA and satisfies the security requirements of mobile IP.
  • A sixth embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism.
  • The present embodiment is substantially the same as the fifth embodiment, except that in the fifth embodiment the RRQ message from the PDSN is verified by the HAAA and a PMN-HA key is sent to the HA, whereas in this embodiment the HA uses the identity of the MS to request the HAAA to deliver the PMN-AAA key, verifies the RRQ message with the PMN-AAA key itself, and derives the PMN-HA key from the PMN-AAA key. Therefore, when the PDSN is switched, the HA can perform the message verification and key update independently in the subsequent processing, and the interaction with the HAAA is no longer needed, which simplifies the process.
  • A seventh embodiment of the present invention relates to a proxy mobile IP security system, including a mobile IP proxy, an HAAA and an HA.
  • The mobile IP proxy includes: a binding request module, configured to use the PMN-AAA key between the HAAA and the proxy to protect the binding request sent to the HA for registering mobile IP when the proxy mobile IP binding is performed for the first time, such as when establishing a connection with the MS or when the MS switches to the proxy; and a key generation module, configured to generate the PMN-HA key between the proxy and the HA according to the PMN-AAA key.
  • The HA includes: an authentication request module, configured to verify a binding request from the proxy by interacting with the HAAA; a key obtaining module, configured to acquire the PMN-HA key through interaction with the HAAA; and a binding response module, configured to return a binding response to the proxy after the verification passes, where the binding response carries the security parameter index SPI used to index the PMN-HA key.
  • The HAAA includes: an interaction module, configured to perform with the HA the authentication of the binding request and the related interaction by which the HA acquires the PMN-HA key.
  • The mobile IP proxy and the HA protect the integrity of subsequent mobile IP messages based on the PMN-HA key and the SPI.
  • The HA can correctly process all legitimate binding requests without modifying the existing protocol, update the key according to the different situations and generate the corresponding SPI, which ensures the accuracy of message verification between the proxy and the HA and satisfies the security requirements of mobile IP.
  • The mobile IP proxy can obtain the PMN-AAA key as follows: if the binding request module needs to send a binding request when establishing a connection with the mobile terminal, the proxy forwards the authentication information of the MS to the HAAA; after the HAAA has authenticated the authentication information successfully, it either sends the PMN-AAA key to the proxy, or sends the root key of the PMN-AAA key to the proxy, and the proxy obtains the PMN-AAA key based on the root key.
  • If the binding request module needs to send a binding request when the MS switches to the proxy, the proxy obtains the PMN-AAA key from the source proxy, or obtains the root key of the PMN-AAA key from the source proxy and derives the PMN-AAA key from that root key.
  • The authentication request module of the HA can interact with the interaction module of the HAAA to verify the binding request in one of the following ways:
  • The authentication request module of the HA requests the interaction module of the HAAA to verify the binding request; the interaction module uses the identity identifier of the MS to index the corresponding PMN-AAA key and performs integrity verification of the binding request with the PMN-AAA key.
  • The authentication request module uses the identifier of the MS to request the interaction module to deliver the corresponding PMN-AAA key, and after obtaining the PMN-AAA key performs integrity verification of the binding request with it.
  • The key obtaining module of the HA interacts with the interaction module of the HAAA to obtain the PMN-HA key in one of the following ways:
  • The key obtaining module directly requests the interaction module to deliver the PMN-HA key.
  • The key obtaining module requests the interaction module to deliver the PMN-AAA key, and derives the PMN-HA key from the PMN-AAA key.
  • An eighth embodiment of the present invention relates to a mobile IP proxy, the proxy comprising:
  • a PMN-AAA key acquisition module configured to: obtain a PMN-AAA key between the home authentication, authorization, and accounting server HAAA and the proxy corresponding to the proxy;
  • a binding request sending module configured to: protect the binding request of the registered mobile IP by using the acquired PMN-AAA key, and send the binding request to the home agent HA;
  • a verification module configured to: after the mobile IP proxy receives the binding response sent by the HA, calculate the PMN-HA key from the acquired PMN-AAA key and use the PMN-HA key to verify the binding response; where the binding response is a message protected by the HA with the PMN-HA key, the PMN-HA key is the key between the proxy and the HA that is generated, according to the PMN-AAA key or the PMN-AAA root key, after the HAAA has verified the binding request with the PMN-AAA key, and the binding response further carries the security parameter index SPI for indexing the PMN-HA key;
  • a protection module configured to: protect the integrity of the subsequent mobile IP message by using the PMN-HA key and the SPI.
  • a ninth embodiment of the present invention relates to a home agent, including:
  • a binding request receiving module configured to: receive a binding request for registering mobile IP sent by the mobile IP proxy, where the binding request is a message protected by the mobile IP proxy with the PMN-AAA key, acquired by the proxy, between the home authentication, authorization and accounting server HAAA and the proxy; and a binding response sending module configured to: after the home agent, through interaction with the HAAA, has had the binding request verified with the PMN-AAA key held by the HAAA, use the PMN-HA key between the proxy and the HA that is generated for the mobile IP proxy according to the PMN-AAA key or the PMN-AAA root key.
  • the agent uses the PMN-AAA obtained by the proxy to calculate the PMN-HA, and after using the PMN-HA to verify the binding response, the key used to protect the integrity of the subsequent mobile IP message is index
  • a tenth embodiment of the present invention relates to a proxy mobile IP security system, the system comprising: a mobile IP proxy, a home agent HA, and a home authentication, authorization, and accounting server HAAA, wherein:
  • the mobile IP agent is used to:
  • the HA is used to:
  • the HAAA is used to: provide the PMN-AAA key.

Abstract

A method for establishing a mobile IP security mechanism, a security system and a relevant device are disclosed, which belong to the wireless communication field and enable the HA to process all valid binding requests properly. In the invention, when a mobile IP agent performs IP binding, a binding request for registering mobile IP is sent to the HA protected by means of a PMN-AAA key between the HAAA and the agent, and a PMN-HA key between the agent and the HA is generated based on the PMN-AAA key. By interacting with the HAAA, the HA authenticates the binding request, obtains the PMN-HA key, returns a binding response to the agent after the authentication passes, and carries the SPI for indexing the PMN-HA key in the binding response. The agent and the HA then protect the integrity of the following mobile IP messages by means of the PMN-HA key and the SPI.

Description

Method for establishing a security mechanism for proxy mobile IP, security system and related device. This application claims priority to Chinese Patent Application No. 200610143418.3, filed with the Chinese Patent Office on October 27, 2006 and entitled "Method for establishing a security mechanism for proxy mobile IP, security system and related device", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of wireless communications, and in particular to mobile IP technology.

Background art

Code Division Multiple Access 2000 ("CDMA2000") is one of the three mainstream wireless interface standards for 3G communication determined by the International Telecommunications Union ("ITU"); the other two standards are Wideband Code Division Multiple Access ("WCDMA") and Time Division Synchronous Code Division Multiple Access ("TD-SCDMA").

Existing CDMA2000 networks, including CDMA2000 1x and High Rate Packet Data ("HRPD") systems, require their packet domains to support mobile IP technology, specifically both mobile IPv4 and mobile IPv6.

Mobile IP technology is briefly described below.

In mobile IP technology, a mobile node (Mobile Node, "MN") has two kinds of address: the home address (Home Address, "HoA") and the care-of address (Care-of Address, "CoA").

The HoA always remains unchanged, so when the MN moves to a foreign network this address is still used to keep communication continuous and the MN reachable. The CoA is different: it is assigned to the MN by the foreign network. When the MN obtains a new CoA, it needs to bind this address to the HoA at the home agent (Home Agent, "HA"), so that the HA forwards packets sent to the MN by other entities through the tunnel between the MN and the HA, and forwards packets sent by the MN to other entities.

For mobile IPv4 (MIP4), the messages used are the "RRQ-Registration Request" message sent by the MN to the HA and the "RRP-Registration Reply" message returned by the HA.

For mobile IPv6 (MIP6), the messages used in this binding process are the "BU-Binding Update" message sent by the MN to the HA and the "BA-Binding Acknowledgement" message returned by the HA. In the MIP6 scenario defined by X.S0011 (the CDMA2000 Wireless IP Network Standard), the mobile terminal MS can carry out the address binding process once it has obtained the HA address and the HoA.

It should be noted that the main MIP6 standard, RFC3775, requires that an IPsec SA (IPsec security association) first be established between the MS and the HA, and that BU and BA messages be protected with that SA.

However, the binding process shown in Figure 1 does not follow this requirement; instead it uses the authentication protocol defined in RFC4285. The specific process is shown in Figure 1.

如图所示, 步骤 101 , MS执行链路层建立过程。 MS借助分组数据服务 节点 ( Packet Data Serving Node, 简称" PDSN" )从 RADIUS服务器中获得有 关 MIP的自举(bootstrap )信息; 步骤 102, 如果在步骤 101中给 MS分配了 一个新的 HoA, MS将使用这个 HoA。 否则, MS将根据步骤 101中获得的家 乡链路前缀自动生成一个全局的单播地址作为 HoA; 步骤 103, MS发送绑定 更新到 HA, 该 BU消息中, 包含了用 MS 与认证、 授权、 计费协议服务器 ( Authentication、 Authorization、 Account , 简称" AAA" )共享的密钥计算的消 息摘要 - MN-AAA移动认证选项 ,用于让 HA检查消息的完整性; MS的 NAI (网^矣入标识 )也包含在 BU中。 步骤 104, HA从 BU消息中获得了 MS 的 NAI, MN-AAA认证选项等参数, HA将这些参数利用 RADIUS的" Access Request (接入请求) "消息发给归属网络的 RADIUS服务器; 步骤 105, 归属 网络的 RADIUS服务器将使用 MS和服务器间共享的密钥验证 MN-AAA移动 认证选项的正确性, 如果正确, 说明消息没有篡改, MS是合法用户。 因此执 行绑定操作,接着 RADIUS服务器会计算用于保护后续 MS和 HA间绑定流程 的密钥 IK;与此同时, MS也可以执行相同的计算得到 IK;步骤 106, RADIUS 服务器发送" Access Accept (接受接入 ) "消息给 HA, 该消息的" MIP6-Session Key"扩展中包含了步骤 105中计算的密钥 IK; 步骤 107, HA保存所收到的密 钥 IK。 HA根据 BU中的 Mesg-ID移动选项执行重放攻击检查; 步骤 108, HA 发送 BA消息给 MS。这个消息中包含了用 IK计算的 MN-HA移动消息认证选 项、 MN-NAI移动选项以及 Mesg-ID移动选项。 步骤 109, MS在收到 BA时, 会用 IK检查消息的完整性。 As shown in the figure, in step 101, the MS performs a link layer establishment process. The MS obtains bootstrap information about the MIP from the RADIUS server by means of a Packet Data Serving Node (PDSN); Step 102, if a new HoA is allocated to the MS in step 101, the MS This HoA will be used. Otherwise, the MS automatically generates a global unicast address as the HoA according to the home link prefix obtained in step 101; Step 103, the MS sends a binding update to the HA, where the BU message includes the MS and the authentication, authorization, Message Summary Server (Authentication, Authorization, Account, referred to as "AAA") shared key calculation message digest - MN-AAA mobile authentication option for HA to check the integrity of the message; MS's NAI The logo) is also included in the BU. 
Step 104: The HA obtains parameters such as the NAI of the MS and the MN-AAA authentication option from the BU message, and the HA sends the parameters to the RADIUS server of the home network by using the RADIUS "Access Request"message; Step 105; The RADIUS server of the home network will use the key shared between the MS and the server to verify the correctness of the MN-AAA mobile authentication option. If it is correct, the message is not tampering and the MS is a legitimate user. Therefore, the binding operation is performed, and then the RADIUS server calculates the key IK for protecting the subsequent MS and HA binding process; at the same time, the MS can perform the same calculation to obtain the IK; in step 106, the RADIUS server sends "Access Accept". (Accept Access) "Message to HA, the "MIP6-Session Key" extension of the message contains the key IK calculated in step 105; Step 107, HA saves the received key IK. The HA performs a replay attack check according to the Mesg-ID mobility option in the BU; in step 108, the HA sends a BA message to the MS. This message contains the MN-HA mobile message authentication option calculated with IK, the MN-NAI move option, and the Mesg-ID move option. Step 109, when the MS receives the BA, The integrity of the message is checked with IK.

需要补充的是, 在此后的通信流程中, 如果 MN的 CoA发生改变, 需要 再次执行绑定流程, 它将使用与 HA共享的密钥 IK对消息进行保护。  It should be added that in the subsequent communication process, if the MN's CoA changes, the binding process needs to be performed again, and it will protect the message using the key IK shared with the HA.

目前, 正在制订的规范 《X.P0044 Mobile IPv4 Enhancement^ (暂译为 《X.P0044移动 IPv4增强版》)是对 X.S0011中 MIP4提出的增强。 该规范主 要定义了如何在拜访网络为 MS动态分配 HA, 如何进行 MIP注册, 以及注册 的安全机制。  Currently, the specification being developed "X.P0044 Mobile IPv4 Enhancement^ (provisionally translated as "X.P0044 Mobile IPv4 Enhanced Edition") is an enhancement to MIP4 in X.S0011. The specification primarily defines how to dynamically assign HA to the MS on the visited network, how to perform MIP registration, and the security mechanism for registration.

Referring to Figure 2:

Step 201: a Point-to-Point Protocol ("PPP") connection is established between the MS and the PDSN.

Step 202: the PDSN sends an "Agent Advertisements" message to the MS, which includes the MN-FA Challenge extension (the challenge extension between the MN and the foreign agent FA).

Step 203: the MS sends an RRQ to the PDSN containing the MN-NAI Extension, the MN-FA Challenge Extension and the MN-AAA Authentication Extension. The MN-AAA authentication extension is computed with the key pre-shared between the MS and the HAAA (home AAA). The HA and HoA addresses in the RRQ are set to 0.0.0.0, indicating that the MS requests a dynamic HA and HoA.

Step 204: the PDSN sends a "RADIUS Access-Request" message to the VAAA (visited AAA), which forwards it to the HAAA, so that the MN-AAA authentication extension sent by the MS can be authenticated. The PDSN also indicates in the request that it supports local HA assignment, that is, the ability to assign an HA in the visited network.

Step 205: the HAAA verifies the MN-AAA extension successfully and therefore sends a "RADIUS Access-Accept" message to the PDSN; the message also carries an indication authorizing the PDSN to assign an HA locally.

Step 206: based on the visited network's policy, the PDSN assigns an HA to the MS.

Step 207: the PDSN forwards the RRQ to the assigned HA, still including the MN-AAA authentication extension.

Step 208: the HA assigns a HoA to the MS.

Step 209: the HA sends a "RADIUS Access-Request" message to the HAAA so that the MN-AAA authenticator sent by the MS is verified again. The message also contains the MN-HA SPI (security parameter index) VSA, used to request the MN-HA key. The parameters for computing the key also include the HoA and the Identification field of the RRQ (the timestamp), which is carried in the MIP4-Mesg-ID VSA.

Step 210: the HAAA verifies the MN-AAA authenticator again. If successful, the HAAA computes the MN-HA key, that is, the IK, which the MS and the HA use to protect subsequent registration messages.

Step 211: the HAAA sends the MN-HA key to the HA in a "RADIUS Access-Accept" message.

Step 212: the HA binds the MS's HoA to its CoA and generates an RRP in which the MN-HA authentication extension is computed with the MN-HA key; the HA sends the RRP to the MS.

Step 213: the MS computes the MN-HA key in the same way as the HAAA and verifies the MN-HA authentication extension in the received RRP. If verification succeeds, the binding procedure ends.

The above, with reference to Figure 2, described the procedure by which, according to the specification X.P0044 Mobile IPv4 Enhancements, the visited network dynamically assigns an HA to the MS and MIP registration is performed, together with the security mechanism of that registration.

In inter-PDSN handoff in earlier 1x systems, when the MS moved to a target PDSN, a P-P (point-to-point) connection was established between the target PDSN and the serving PDSN so that traffic is relayed between the source PDSN and the target PDSN. The PPP endpoint therefore remains at the source PDSN and the MS's address is not updated, which maintains service continuity.

However, this creates a further problem. Specifically, if the PPP endpoint is kept at the source PDSN and not moved, then for the duration of the active packet session the A10 connection and the inter-PDSN P-P connection exist at the same time, which increases the load on the source PDSN and consumes both its processing resources and the link resources between the PDSNs.

In view of this, 3GPP2 is currently developing a fast handoff procedure for HRPD.

During inter-PDSN handoff in an HRPD network, the session state held at the source PDSN is transferred to the target PDSN, so that the MS's network access point becomes the target PDSN.

Figure 3 shows the HRPD fast handoff reference architecture.

As shown in the figure, HA is the home agent of mobile IP; S-PDSN is the source PDSN and T-PDSN the target PDSN; S-AN is the source access network device and T-AN the target access network device.

Fast handoff consists of three parts: P-P tunnel establishment; MS context transfer and execution of proxy mobile IP; and switching of the data access point. The MS context transfer and the execution of proxy mobile IP are optional.

Specifically, the P-P interface in Figure 3 is used to tunnel user data between AGWs (access gateways) during fast handoff. After the context transfer procedure, the MS's session state at the source access gateway is transferred to the target access network, and the target access gateway becomes the endpoint of the data session; when PPP is used as the data link layer, this is the PPP endpoint. After the transfer, signaling between the access gateway and the MS is handled by the target access gateway. The MS session state includes the PPP state, QoS (quality of service) parameters, mobility state and so on.

Execution of proxy mobile IP is the procedure in which the PDSN, in place of the terminal, registers a binding with the HA using mobile IP signaling. It is used to update the route from the HA to the PDSN.

Figure 4 shows the HRPD fast handoff procedure being developed by 3GPP2. As shown in the figure:

Step 401: the MS establishes a PPP connection with the source PDSN. If the MS supports mobile IP, it also obtains the information needed to register mobile IP, such as the HA address and the HoA. The source PDSN performs proxy mobile IP, binding the MS's address to its own address (proxy mobile IP is not performed for a mobile IPv4 MS). The PDSN assigns an IP address to the MS.

Step 402: the MS is in the active state and the source AN determines that a handoff is required, so it sends the parameters needed for the handoff to the target AN.

Step 403: the target AN establishes an A10 connection with the target PDSN.

Step 404: the target PDSN requests the source PDSN to establish a P-P connection; the source PDSN accepts and passes the MS's context to the target PDSN. The context includes the PPP state, mobile IP state, mobile IP security parameters, QoS parameters and so on. At this point traffic flows HA - source PDSN - target PDSN - T-AN.

Step 405: the target PDSN performs the proxy mobile IP binding, binding the MS's address to its own address and changing the data route.

Traffic now flows HA - target PDSN - T-AN.

When the PDSN performs proxy mobile IP it carries out the binding in place of the terminal, which ensures that, in the simple IP case, the terminal's address stays unchanged across an inter-PDSN handoff. As the proxy mobile IP binding changes, traffic is switched from the source PDSN to the target PDSN, maintaining session continuity. For an MS that supports mobile IP, this also ensures that the MS does not initiate its own mobile IP binding after the handoff, reducing delay.

Two issues nonetheless deserve attention. First, a mechanism guaranteeing the security of proxy mobile IP has not yet been settled. Second, proxy mobile IP is also being taken up in fields other than wireless cellular communication, for example to provide local mobility, but the final specifications for these applications are not yet settled, and it is foreseeable that a security mechanism will be an important part of them.

Figure 5 shows a proxy mobile IP security mechanism that has already been proposed. The MS in this procedure supports only simple IPv6 (SIPv6). As shown in the figure:

Step 501: the PDSN and the MS establish a link-layer connection; the PDSN initiates authentication of the MS and the MS returns its authentication information.

Step 502: the PDSN sends a "RADIUS Access-Request" message to the AAA to check the authentication response returned by the MS, and indicates that it can support proxy mobile IP.

Step 503: the AAA returns an "Access-Accept" message containing the address of the assigned HA and the root key PMN-HA-RK from which the PMN-HA key is derived. PMN-HA protects messages between the proxy mobile IP client (here the PDSN) and the HA; it is computed from PMN-HA-RK, the HA address and the PDSN address.

Step 504: the PDSN sends an "Initial Proxy Binding Update" message to the HA and uses the PMN-HA key to generate the PMN-HA Mobility Message Authentication Option. The SPI in this option is PMN-SPI, a fixed value.

Step 505: the HA has no binding for this MS, so it sends a "RADIUS Access-Request" message to the HAAA requesting the key PMN-HA-RK.

Step 506: the AAA responds with PMN-HA-RK, from which the HA can compute the PMN-HA key.

Step 507: on receiving the response, the HA computes the PMN-HA key and verifies the integrity of the BU; if verification succeeds, it sends a BA message to the PDSN. The BA includes a new SPI value generated by the HA (PMIP SPI), an MN-HA Mobility Message Authentication option computed with the PMN-HA key, and the assigned Home Address option.

Step 508: on receiving the BA, the PDSN verifies its integrity with the PMN-HA key and stores the SPI sent by the HA for use in subsequent bindings. Based on the Home Address option, the PDSN also sends an RA (router advertisement) to the MS, and the MS auto-configures its address from the prefix in the RA.

Step 509: the MS's traffic is carried via the PDSN and the HA.

For a terminal that supports MIP6, the procedure is similar to that for simple IPv6, except that when the AAA returns the authentication result during the PDSN's authentication of the MS, it also carries two sets of information needed to register mobile IP: one for client mobile IP registration and one for proxy mobile IP registration. Each set includes an HA address, a HoA and an HL (home location); the two HA addresses are different. When performing proxy mobile IP registration, the PDSN uses the proxy mobile IP information. In addition to the procedure above, once the MS has obtained the client HoA and HA address it initiates its own BU/BA with the HA.

When a SIPv6 or MIP6 terminal is handed off, the target PDSN obtains PMN-HA-RK from the source PDSN, computes a new PMN-HA key from its own IP address and the HA's IP address, and sends a BU message to the HA, again using the PMN-SPI mentioned above. On receiving the BU, the HA recomputes the new PMN-HA and carries a newly generated SPI value in the BA it sends.

For a simple IPv4 terminal, similarly, the PDSN performs proxy MIP in place of the MS; the required key PMN-HA-RK is likewise obtained from the HAAA during access authentication and is used to compute the PMN-HA key.

For a terminal that supports MIP4, proxy mobile IP is currently not supported, in order to simplify processing. When a SIPv4 terminal is handed off, the procedure is similar to the IPv6 case: the target PDSN obtains PMN-HA-RK from the source PDSN, computes a new PMN-HA and performs the binding.

In the scheme above, the source PDSN and the target PDSN use a fixed SPI, PMN-SPI, when initiating the initial mobile IP binding towards the HA; this value is one of the reserved values 0 - 255. On receiving such a binding request, the HA triggers an update of the PMN-HA key.

The problem, however, is that no suitable value is available in current technology; in other words, no fixed SPI value has been assigned to the MN-HA authentication option/extension. Moreover, applying for a new value is a considerable change to the existing technology and would delay implementation of the scheme.

In another scheme, when the MS first accesses the network the source PDSN likewise obtains the required key PMN-HA-RK from the HAAA during access authentication, and additionally obtains an SPI generated by the AAA. The source PDSN uses this SPI when performing proxy mobile IP. On handoff, the source PDSN passes both PMN-HA-RK and the SPI to the target PDSN, which continues to use the SPI received from the source PDSN when it sends its BU/RRQ.

The problem with this approach is that by the time the target PDSN sends its BU/RRQ, the newly generated PMN-HA key is already in use; if the original SPI is kept, the HA side verifies with the old key and the verification fails. Only then does the HA update the PMN-HA key. Alternatively, the HA could proactively update the PMN-HA key on noticing that the PDSN address has changed. Both approaches differ from current HA processing and require the HA to be modified.

Summary of the invention

The main technical problem to be solved by the embodiments of the present invention is to provide a method for establishing a security mechanism for proxy mobile IP, a security system and related devices.

To solve the above technical problem, an embodiment of the present invention provides a method for establishing a proxy mobile IP security mechanism, including:

a mobile IP proxy obtains the PMN-AAA key shared between the proxy and the corresponding home authentication, authorization and accounting server (HAAA), protects a binding request for registering mobile IP with the PMN-AAA key, and sends it to the home agent (HA);

the mobile IP proxy receives the binding response sent by the HA, computes from the obtained PMN-AAA key the PMN-HA key shared with the HA, and verifies the binding response with the PMN-HA key; wherein the binding response is a message the HA has protected with the PMN-HA key, the PMN-HA key being the key between the proxy and the HA generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key after the binding request has been verified with the PMN-AAA key held by the HAAA, and the binding response further carries a security parameter index (SPI) for indexing the PMN-HA key; after the verification passes, the mobile IP proxy protects the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI.

An embodiment of the present invention further provides a method for establishing a proxy mobile IP security mechanism, including: the home agent (HA) receives a binding request for registering mobile IP sent by a mobile IP proxy, the binding request being a message the proxy has protected with the PMN-AAA key between the proxy and the home authentication, authorization and accounting server (HAAA) that the proxy has obtained;

the HA, through interaction with the HAAA, verifies the binding request using the PMN-AAA key held by the HAAA;

after the verification passes, the HA protects the binding response message sent to the mobile IP proxy with the shared key between the proxy and the HA, the PMN-HA key, generated for the proxy from the PMN-AAA key or the PMN-AAA root key; wherein the binding response message carries a security parameter index (SPI) for indexing the PMN-HA key, and the PMN-HA key and the SPI are the key and index that the mobile IP proxy, having computed PMN-HA from the PMN-AAA it obtained and verified the binding response with that PMN-HA, uses to protect the integrity of subsequent mobile IP messages.

An embodiment of the present invention further provides a mobile IP proxy, including:

a PMN-AAA key acquisition module, for obtaining the PMN-AAA key between the proxy and its corresponding home authentication, authorization and accounting server (HAAA);

a binding request sending module, for protecting the binding request for registering mobile IP with the obtained PMN-AAA key and sending it to the home agent (HA);

a verification module, for computing PMN-HA from the obtained PMN-AAA after the mobile IP proxy receives the binding response sent by the HA, and verifying the binding response with that PMN-HA; wherein the binding response is a message the HA has protected with the PMN-HA key, the PMN-HA key being the key between the proxy and the HA generated for the mobile IP proxy from the PMN-AAA or the PMN-AAA root key after the binding request has been verified with the PMN-AAA held by the HAAA, and the binding response further carries a security parameter index (SPI) for indexing the PMN-HA key;

a protection module, for protecting the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI.

An embodiment of the present invention further provides a home agent, including:

a binding request receiving module, for receiving a binding request for registering mobile IP sent by a mobile IP proxy, the binding request being a message the proxy has protected with the PMN-AAA key between the proxy and the home authentication, authorization and accounting server (HAAA) that the proxy has obtained;

a binding response sending module, for protecting, after the home agent has verified the binding request through interaction with the HAAA using the PMN-AAA held by the HAAA, the binding response message sent to the mobile IP proxy with the PMN-HA key between the proxy and the HA generated for the proxy from the PMN-AAA or PMN-AAA key, the binding response carrying a security parameter index (SPI) for indexing the PMN-HA key; wherein the PMN-HA key and the SPI are the key and index that the mobile IP proxy, having computed PMN-HA from the PMN-AAA it obtained and verified the binding response with that PMN-HA, uses to protect the integrity of subsequent mobile IP messages.

An embodiment of the present invention further provides a proxy mobile IP security system, including a mobile IP proxy, a home agent (HA) and a home authentication, authorization and accounting server (HAAA), wherein the mobile IP proxy is for: obtaining the PMN-AAA key between its corresponding HAAA and the mobile IP proxy, protecting the binding request for registering mobile IP with the PMN-AAA key, and sending it to the home agent (HA); and,

on receiving the binding response sent by the HA, computing PMN-HA from the obtained PMN-AAA, verifying the binding response with that PMN-HA, and, after the verification passes, protecting the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI carried in the binding response;

the HA is for:

after verifying the binding request through interaction with the HAAA using the PMN-AAA held by the HAAA, protecting the binding response message sent to the mobile IP proxy, which carries a security parameter index (SPI) for indexing the PMN-HA key, with the PMN-HA key between the proxy and the HA generated for the mobile IP proxy from the PMN-AAA or the PMN-AAA root key;

the HAAA is for: providing the PMN-AAA key.

By comparison, the main difference between the technical solution of the present invention and the prior art is that a mobile IP proxy such as a PDSN, an access gateway or a controlling access node, when it first performs a proxy mobile IP binding (for example on establishing a connection with the MS, or when the MS is handed off to this proxy), uses the PMN-AAA key shared between the HAAA and the proxy to protect the binding request for registering mobile IP that it sends to the HA, and generates the PMN-HA key between the proxy and the HA from the PMN-AAA key. Through interaction with the HAAA, the HA verifies the binding request and obtains the PMN-HA key; after the verification passes it returns a binding response to the proxy carrying the SPI used to index the PMN-HA key. The proxy and the HA then protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI. This lets the HA correctly process every legitimate binding request without modification of the existing protocols, updating the key and generating the corresponding SPI as each situation requires, which ensures accurate verification of messages between the proxy and the HA and satisfies the security requirements of mobile IP.

Moreover, because the proxy integrity-protects the binding request with the PMN-AAA key, the HA can have the binding request verified via the HAAA, and the HAAA can index the corresponding PMN-AAA key by the MS's identity to verify the request. Proxy mobile IP registration therefore requires no major changes to existing equipment (the HA in particular), which gives the invention considerable practical value.

When the MS first establishes a connection with the proxy, the proxy sends the MS's authentication information to the HAAA. Once the HAAA has authenticated it, the HAAA sends the proxy the PMN-AAA key (or the root key of the PMN-AAA key, from which the proxy derives the PMN-AAA key) together with the information needed for proxy mobile IP registration and for client mobile IP registration. After proxy mobile IP registration is complete, if the MS supports mobile IP it can request from the proxy the information needed for client mobile IP registration and complete client mobile IP registration accordingly, so that the invention remains compatible with the prior art.

Brief description of the drawings

Figure 1 is a schematic diagram of the IPv6 binding procedure in the MIP6 scenario defined in X.S0011 cdma2000 Wireless IP Network Standard;

Figure 2 is a schematic diagram of dynamic HA assignment to the MS in the visited network, MIP registration and the registration security mechanism involved in X.P0044 Mobile IPv4 Enhancements, which is currently being developed;

Figure 3 shows the reference architecture of the HRPD fast handoff procedure being developed by 3GPP2;

Figure 4 is a schematic diagram of the HRPD fast handoff procedure being developed by 3GPP2;

Figure 5 is a schematic flow diagram of a proxy mobile IP security mechanism that has already been proposed;

Figure 6 is a schematic diagram of key derivation and delivery according to the present invention;

Figure 7 is a flowchart of the method for establishing a proxy mobile IP security mechanism according to the first embodiment of the present invention;

Figure 8 is a flowchart of the method for establishing a proxy mobile IP security mechanism according to the fifth embodiment of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.

In the present invention, when the MS first accesses the network, a mobile IP proxy such as the PDSN obtains from the HAAA a PMN-AAA key (or a PMN-AAA root key from which the PMN-AAA key is derived), rather than a PMN-HA key. The PDSN uses the PMN-AAA key when sending the binding request (a BU or RRQ message) for registering mobile IP to the HA: the PMN-AAA key is used to compute the MN-AAA authentication extension (used in MIP4) or authentication option (used in MIP6) in the BU or RRQ message, and the BU or RRQ carries the fixed SPI value that has already been assigned to these extensions or options. On receiving the BU or RRQ, the HA has the HAAA verify the MN-AAA authentication extension or option. If verification succeeds, the HAAA generates a PMN-HA key for the HA and the PDSN, to be used for subsequent bindings, and sends it to the HA; the PDSN computes the PMN-HA key from the PMN-AAA key and other parameters (such as the PDSN address and the HA address).

When the HA sends the binding response (BA or RRP message) to the PDSN, it uses the PMN-HA key to compute the MN-HA authentication extension/option. The HA also includes an SPI value in the BA or RRP message; this SPI may be a random value generated by the HAAA or the HA and guaranteed to be unique, a fixed value agreed with the PDSN, or a computed value. After receiving the BA or RRP message, the PDSN verifies it with the PMN-HA key it computed itself. If verification succeeds, it saves the SPI value sent by the HA. In subsequent bindings, the PDSN and the HA use the PMN-HA key and the SPI carried in the binding response to protect the integrity of subsequent mobile IP messages.

After a PDSN handover, the source PDSN sends the PMN-AAA key (or the PMN-AAA root key) to the target PDSN. The target PDSN still uses the PMN-AAA key (if what it obtained from the source PDSN is the root key, it derives the PMN-AAA key from that root key) to compute the MN-AAA authentication extension/option and sends a BU or RRQ message to the HA. The SPI used for indexing is again the fixed value defined in the protocol. When the HA receives the BU or RRQ message, it still uses the HAAA to verify the message and generate a new PMN-HA key. After receiving the new PMN-HA key, the HA computes the MN-HA authentication extension/option with it and returns a BA or RRP message containing a new SPI value; this SPI may be a random value generated by the HA and guaranteed to be unique, or a fixed value agreed with the PDSN. In subsequent bindings, the target PDSN and the HA use the PMN-HA key and the SPI value to protect the integrity of subsequent mobile IP messages.

The generation and transfer of the keys is shown in FIG. 6. From the shared key between the MS and the HAAA, the HAAA derives the PMN-HA key for the proxy MIP client (PMIP Client, such as the PDSN) and the HA, or it keeps a static PMN-AAA key. The HAAA passes the PMN-AAA key to the first proxy MIP client (PMIP Client1). When PMIP Client1 performs the initial mobile IP binding it uses the PMN-AAA key; afterwards the HA can obtain the PMN-HA1 key from the HAAA, while PMIP Client1 can compute and use PMN-HA1 itself. When a handover occurs, PMIP Client1 passes the PMN-AAA key to PMIP Client2 (for example, the source PDSN passes the PMN-AAA key to the target PDSN). The initial registration of PMIP Client2 also uses the PMN-AAA key; the HAAA generates PMN-HA2 and passes it to the HA, and afterwards the HA and PMIP Client2 use PMN-HA2.

The above is one example of key derivation, but other possibilities exist. For example, what the HAAA passes to the PMIP Client may be the PMN-AAA root key PMN-AAA-RK; when the PMIP Client performs the initial binding, it must then derive PMN-AAA from PMN-AAA-RK itself. Alternatively, the HAAA may pass PMN-AAA directly to the HA, so that the HA can compute the required PMN-HA itself instead of going through the HAAA each time.

Of course, the mobile IP agent may also be another network entity, such as an access gateway or a control access point.

The first embodiment of the present invention is described in detail below. This embodiment relates to a method for establishing a proxy mobile IP security mechanism. In this embodiment the MS supports both simple IPv6 and mobile IPv6, the mobile IP agent is the PDSN, and the PDSN uses MIP6; the specific flow is shown in FIG. 7.

In step 701, the MS establishes a connection with the PDSN for the first time; the PDSN initiates authentication of the MS, and the MS returns an authentication response.

In step 702, the PDSN forwards the MS's authentication response to the HAAA and at the same time indicates that it supports the proxy mobile IP function.

In step 703, the HAAA authenticates the MS. If authentication succeeds and the PDSN is allowed to perform the proxy mobile IP function, the HAAA returns an indication authorizing the PDSN to perform proxy mobile IP. The HAAA also sends the PDSN the PMN-AAA key between the PDSN and the HAAA that is needed to register proxy mobile IP. In this embodiment the MS supports both mobile IP and simple IP, so the HAAA also sends the PDSN the information needed for proxy mobile IP registration and for client mobile IP registration, such as the HA address, the HoA and the HL. Note that in this step the HAAA may, instead of sending the PMN-AAA key to the PDSN, send the root key of the PMN-AAA key, from which the PDSN computes the PMN-AAA key, to further improve the security of proxy mobile IP.

After the MS's authentication information passes, the HAAA sends the PDSN not only the PMN-AAA key (or the root key of the PMN-AAA key, from which the PDSN obtains the PMN-AAA key) but also the information needed for proxy mobile IP registration and client mobile IP registration, so that once proxy mobile IP registration is complete the MS can request from the PDSN the information needed for client mobile IP registration and complete client mobile IP registration with it; this keeps the present invention compatible with the prior art. The HA address differs between the information for proxy mobile IP registration and the information for client mobile IP registration, and the different HA addresses distinguish whether a mobile IP registration is a proxy mobile IP registration or a client mobile IP registration.

In step 704, the PDSN performs the proxy mobile IP binding registration procedure. Specifically, the PDSN uses the PMN-AAA key obtained in step 703 to integrity-protect the binding request (BU message) used to register mobile IP; that is, the message includes an MN-AAA authentication option, and the SPI value it carries is the fixed value defined in the protocol.

In step 705, after receiving the BU binding request, the HA needs to verify the correctness of the MN-AAA authentication option through the HAAA, so it forwards a request to the HAAA asking it to verify the BU message.

In step 706, after receiving the HA's request, the HAAA uses the MS's identity to index the corresponding PMN-AAA key and verifies the message. If verification succeeds, it computes the PMN-HA key, which may be denoted PMN-HA1. The HAAA returns a verification-success message containing the key PMN-HA1. In this way no major changes to existing equipment (especially the HA) are required, which gives the invention greater practical value.

In step 707, the HA sends the PDSN a binding response (BA message) that is integrity-protected with PMN-HA1; the message also contains a new SPI value, which may be a random value generated by the HA and guaranteed to be unique, or a fixed value agreed with the PDSN. After receiving the response, the PDSN verifies the PMN-HA authentication option with the PMN-HA key it computed itself from the PMN-AAA key obtained in step 703 and some other parameters (such as the PDSN address and the HA address). If the PMN-HA authentication option verifies correctly, the binding registration procedure ends and the PDSN saves the received SPI value. In subsequent bindings, the PDSN uses PMN-HA1 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.

In step 708, the PDSN carries out the procedure for assigning an address to the MS according to the proxy mobile IP information obtained from the HAAA.

In step 709, the MS and the PDSN run the Dynamic Host Configuration Protocol (DHCP), completing the procedure by which the MS requests the information needed for client mobile IP registration, so that the MS can complete client mobile IP registration with that information; this keeps the present invention compatible with the prior art.

In step 710, the MS completes the MIP binding registration procedure with the HA using the obtained client mobile IP registration information.

In step 711, the MS moves and an inter-PDSN handover is required, that is, a handover from this PDSN (the source PDSN) to a target PDSN.

In step 712, the source PDSN establishes a P-P interface with the target PDSN and forwards all of the MS's context information to the target PDSN; the MIP-security-related parameter is mainly the PMN-AAA key, that is, the target PDSN obtains the PMN-AAA key from the source PDSN. Of course, the source PDSN may also, instead of sending the PMN-AAA key directly to the target PDSN, send the root key of the PMN-AAA key, from which the target PDSN derives the PMN-AAA key, to further improve the security of proxy mobile IP.

In step 713, the target PDSN completes installation of the context.

In step 714, the target PDSN performs the proxy mobile IP binding registration procedure, still using the PMN-AAA key to compute the MN-AAA authentication option and to integrity-protect the BU binding request used to register mobile IP; that is, the BU message includes an MN-AAA authentication option computed with the PMN-AAA key, and the SPI value it carries is the fixed value defined in the protocol.

In step 715, after receiving the target PDSN's BU binding request, the HA finds that the message contains no MN-HA authentication option but an MN-AAA authentication option, so it forwards a request to the HAAA asking it to verify the BU message.

In step 716, after receiving the HA's request, the HAAA verifies the correctness of the BU request message. If it is correct, the HAAA computes a new PMN-HA key for the HA, namely PMN-HA2, and passes PMN-HA2 to the target PDSN.

In step 717, the HA sends the target PDSN a binding acknowledgement (BA message) that is integrity-protected with the new PMN-HA2 key; the BA message also contains a new SPI value, which may be a random value generated by the HA and guaranteed to be unique, or a fixed value agreed with the PDSN. After receiving the response, the target PDSN verifies it with the PMN-HA key it computed itself from the PMN-AAA key obtained in step 712 and some other parameters (such as the PDSN address and the HA address). If verification succeeds, the target PDSN saves the received SPI value. In subsequent bindings, the target PDSN uses PMN-HA2 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.

In step 718, since data has now been switched from the source PDSN to the target PDSN, the P-P interface is deleted.

It can thus be seen that in this embodiment, by integrity-protecting the BU message with the PMN-AAA key, the HA can correctly process all legitimate binding requests without modifying the existing protocol, updating the key and generating the corresponding SPI as each situation requires; this guarantees accurate message verification between the agent and the HA and satisfies the security requirements of mobile IP.

The second embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism. It is largely the same as the first embodiment; the only difference is that in the first embodiment the HAAA verifies the BU message from the PDSN and sends the PMN-HA key to the HA, whereas in this embodiment the HA uses the MS's identity to request the corresponding PMN-AAA key from the HAAA, verifies the BU message with that PMN-AAA key, and derives the PMN-HA key from the PMN-AAA key itself. Therefore, when a PDSN handover occurs, the HA can complete message verification and key update independently in the subsequent processing without interacting with the HAAA again, which simplifies the procedure.

In addition, in preferred embodiments of the present invention the HA or the HAAA may also generate the PMN-HA key from the root key of PMN-AAA without affecting the implementation of the embodiments. In a specific application, the IP address of the agent, the IP address of the HA and/or a timestamp may also be used as inputs when computing the PMN-HA key or the PMN-AAA key.

The third embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism. It is largely the same as the first embodiment; the only difference is that in the first embodiment, after the MS's authentication information passes, the HA address differs between the proxy mobile IP registration information and the client mobile IP registration information that the HAAA sends to the PDSN, and the different HA addresses distinguish whether a mobile IP registration is a proxy mobile IP registration or a client mobile IP registration. In this embodiment the same HA address information may still be used; that is, the HAAA need not send two HA addresses to the PDSN but uses a single HA address, and instead the BU messages sent by the PDSN and by the MS, and the BA messages returned by the HA, use different identifiers to distinguish whether the mobile IP registration is a proxy mobile IP registration or a client mobile IP registration.

The fourth embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism. It is largely the same as the first embodiment; the only difference is that in this embodiment the MS supports only simple IPv6, so after the MS's authentication information passes the HAAA need not send two sets of mobile IP information but only the information needed for proxy mobile IP registration, and the MS need not perform the client mobile IP registration binding procedure.

The fifth embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism. In this embodiment the MS supports simple IPv4, the mobile IP agent is the PDSN, and the PDSN uses MIP4; the specific flow is shown in FIG. 8.

In step 801, the MS establishes a connection with the PDSN for the first time; the PDSN initiates authentication of the MS, and the MS returns an authentication response.

In step 802, the PDSN forwards the MS's authentication response to the HAAA and at the same time indicates that it supports the proxy mobile IP function.

In step 803, the HAAA authenticates the MS. If authentication succeeds and the PDSN is allowed to perform the proxy mobile IP function, the HAAA returns an indication authorizing the PDSN to perform proxy mobile IP. The HAAA also sends the PDSN the PMN-AAA key between the PDSN and the HAAA that is needed to register proxy mobile IP, together with other information (such as the HA address). Note that in this step the HAAA may, instead of sending the PMN-AAA key to the PDSN, send the root key of the PMN-AAA key, from which the PDSN computes the PMN-AAA key, to further improve the security of proxy mobile IP.

In step 804, the PDSN performs the proxy mobile IP binding registration procedure. Specifically, the PDSN uses the PMN-AAA key obtained in step 803 to integrity-protect the binding request (RRQ message) used to register mobile IP; that is, the message includes an MN-AAA authentication extension whose SPI is the fixed value defined in the protocol, and the HoA is all zeros.

In step 805, after receiving the RRQ binding request, the HA needs to verify the correctness of the MN-AAA authentication extension through the HAAA, so it forwards a request to the HAAA asking it to verify the RRQ message.

In step 806, after receiving the HA's request, the HAAA uses the MS's identity to index the corresponding PMN-AAA key and verifies the message. If verification succeeds, it computes the PMN-HA key, which may be denoted PMN-HA1. The HAAA returns a verification-success message containing the key PMN-HA1. In this way, proxy mobile IP registration requires no major changes to existing equipment (especially the HA), which gives the invention greater practical value.

In step 807, the HA allocates a HoA and sends the PDSN a binding response (RRP message) that is integrity-protected with PMN-HA1; the message also contains a new SPI value, which may be a random value generated by the HA and guaranteed to be unique. After receiving the response, the PDSN verifies the PMN-HA authentication extension with the PMN-HA key it computed itself. If it is correct, the binding ends and the PDSN saves the received HoA and SPI values. In subsequent bindings, the PDSN uses PMN-HA1 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.

In step 808, the PDSN assigns the MS an address, namely the HoA that the PDSN obtained from the HAAA.

In step 809, the MS moves and an inter-PDSN handover is required, that is, a handover from this PDSN (the source PDSN) to a target PDSN.

In step 810, the source PDSN establishes a P-P interface with the target PDSN and forwards all of the MS's context information to the target PDSN; the MIP-security-related parameter is mainly the PMN-AAA key, that is, the target PDSN obtains the PMN-AAA key from the source PDSN. Of course, the source PDSN may also, instead of sending the PMN-AAA key directly to the target PDSN, send the root key of the PMN-AAA key, from which the target PDSN derives the PMN-AAA key, to further improve the security of proxy mobile IP.

In step 811, the target PDSN completes installation of the context.

In step 812, the target PDSN performs the proxy mobile IP binding registration procedure, still using the PMN-AAA key to compute the MN-AAA authentication extension and to integrity-protect the RRQ binding request; that is, the RRQ message includes an MN-AAA authentication extension computed with the PMN-AAA key, and the SPI value it carries is the fixed value defined in the protocol.

In step 813, after receiving the target PDSN's RRQ binding request, the HA finds that the message contains no MN-HA authentication extension but an MN-AAA authentication extension, so it forwards a request to the HAAA asking it to verify the RRQ message.

In step 814, after receiving the HA's request, the HAAA verifies the correctness of the RRQ message. If it is correct, the HAAA computes a new PMN-HA key for the HA, namely PMN-HA2, and passes PMN-HA2 to the target PDSN.

In step 815, the HA sends the target PDSN a binding acknowledgement (RRP message) that is integrity-protected with the new PMN-HA2 key; the RRP message also contains a new SPI value, which may be a random value generated by the HA and guaranteed to be unique. After receiving the response, the target PDSN verifies it with the PMN-HA key it computed itself. If verification succeeds, the target PDSN saves the received SPI value. In subsequent bindings, the target PDSN uses PMN-HA2 and the SPI value assigned by the HA to integrity-protect subsequent mobile IP messages.

In step 816, since data has now been switched from the source PDSN to the target PDSN, the P-P interface is deleted.

It can thus be seen that in this embodiment, by integrity-protecting the RRQ message with the PMN-AAA key, the HA can correctly process all legitimate binding requests without modifying the existing protocol, updating the key and generating the corresponding SPI as each situation requires; this guarantees accurate message verification between the agent and the HA and satisfies the security requirements of mobile IP.
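The key flow described in the overview above and in the first embodiment (steps 701 to 718), which the fifth embodiment (steps 801 to 816) repeats with RRQ/RRP messages and an authentication extension in place of BU/BA messages and an option, as an added Python simulation that is not part of the patent or of any Huawei implementation. The KDF (HMAC-SHA256), the authentication tag construction, the fixed SPI value, and all identities and addresses are constructed assumptions; the HAAA, HA and PDSN classes are hypothetical models of the three entities.

```python
import hashlib
import hmac
import secrets

# Assumptions (the patent fixes none): HMAC-SHA256 serves as both the key derivation
# function and the authentication option; the SPI and shared secret are constructed.
FIXED_MN_AAA_SPI = 2
MS_HAAA_SHARED = {"ms-001": b"constructed MS/HAAA shared secret"}

def kdf(key: bytes, label: str, *params: str) -> bytes:
    # Derive a sub-key from key, a label and parameters such as PDSN and HA addresses.
    return hmac.new(key, "|".join((label, *params)).encode(), hashlib.sha256).digest()

def tag(key: bytes, msg: dict) -> bytes:
    # Stand-in for the MN-AAA / MN-HA authentication option (MIP6) or extension (MIP4).
    body = "|".join(f"{k}={v}" for k, v in sorted(msg.items()) if k != "tag")
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

class HAAA:
    def __init__(self):
        self.pmn_aaa = {}   # MS identity -> PMN-AAA key

    def authenticate_ms(self, ms_id: str, ha_addr: str) -> dict:
        # Steps 702/703: MS authentication assumed to succeed; PMN-AAA is derived from
        # the MS/HAAA shared key (the patent also allows a static PMN-AAA key).
        key = self.pmn_aaa.setdefault(ms_id, kdf(MS_HAAA_SHARED[ms_id], "PMN-AAA"))
        return {"pmn_aaa": key, "ha_addr": ha_addr}

    def verify_bu(self, bu: dict):
        # Steps 706/716: index PMN-AAA by MS identity, check the MN-AAA option and its
        # fixed SPI, and on success derive PMN-HA for this (PDSN, HA) pair.
        key = self.pmn_aaa.get(bu["ms_id"])
        if key is None or bu["spi"] != FIXED_MN_AAA_SPI \
                or not hmac.compare_digest(tag(key, bu), bu["tag"]):
            return None
        return kdf(key, "PMN-HA", bu["pdsn_addr"], bu["ha_addr"])

class HA:
    def __init__(self, addr: str, haaa: HAAA):
        self.addr, self.haaa, self.by_spi = addr, haaa, {}   # SPI -> PMN-HA key

    def handle_bu(self, bu: dict):
        # Steps 705/715 and 707/717: the MN-AAA BU goes to the HAAA; reply with a BA
        # protected by the new PMN-HA and carrying a fresh SPI.
        if bu["auth"] != "MN-AAA" or (pmn_ha := self.haaa.verify_bu(bu)) is None:
            return None
        while (spi := secrets.randbelow(2**32 - 256) + 256) in self.by_spi:
            pass                                        # random SPI, unique at this HA
        self.by_spi[spi] = pmn_ha
        ba = {"ms_id": bu["ms_id"], "ha_addr": self.addr, "auth": "MN-HA", "spi": spi}
        ba["tag"] = tag(pmn_ha, ba)
        return ba

    def verify_later(self, msg: dict) -> bool:
        # Later mobile IP messages: the SPI indexes the PMN-HA key that protects them.
        key = self.by_spi.get(msg["spi"])
        return key is not None and hmac.compare_digest(tag(key, msg), msg["tag"])

class PDSN:
    def __init__(self, addr: str):
        self.addr, self.ctx = addr, {}   # MS identity -> security context

    def build_bu(self, ms_id: str) -> dict:
        c = self.ctx[ms_id]                             # steps 704/714
        bu = {"ms_id": ms_id, "pdsn_addr": self.addr, "ha_addr": c["ha_addr"],
              "auth": "MN-AAA", "spi": FIXED_MN_AAA_SPI}
        bu["tag"] = tag(c["pmn_aaa"], bu)
        return bu

    def handle_ba(self, ms_id: str, ba: dict) -> bool:
        # Steps 707/717: compute PMN-HA locally from PMN-AAA and the PDSN/HA addresses,
        # verify the BA with it, then keep the HA-assigned SPI for later messages.
        c = self.ctx[ms_id]
        pmn_ha = kdf(c["pmn_aaa"], "PMN-HA", self.addr, c["ha_addr"])
        if not hmac.compare_digest(tag(pmn_ha, ba), ba["tag"]):
            return False
        c["pmn_ha"], c["spi"] = pmn_ha, ba["spi"]
        return True

    def protect(self, ms_id: str, payload: str) -> dict:
        c = self.ctx[ms_id]
        msg = {"ms_id": ms_id, "payload": payload, "spi": c["spi"]}
        msg["tag"] = tag(c["pmn_ha"], msg)
        return msg

def run_scenario() -> dict:
    ha = HA("ha.example", HAAA())
    src, dst = PDSN("pdsn-a.example"), PDSN("pdsn-b.example")
    src.ctx["ms-001"] = ha.haaa.authenticate_ms("ms-001", ha.addr)       # steps 701-703
    ok1 = src.handle_ba("ms-001", ha.handle_bu(src.build_bu("ms-001")))   # steps 704-707
    # Step 712: only PMN-AAA and the HA address travel to the target PDSN, never PMN-HA.
    dst.ctx["ms-001"] = {k: src.ctx["ms-001"][k] for k in ("pmn_aaa", "ha_addr")}
    ok2 = dst.handle_ba("ms-001", ha.handle_bu(dst.build_bu("ms-001")))   # steps 714-717
    a, b = src.ctx["ms-001"], dst.ctx["ms-001"]
    forged = dst.build_bu("ms-001")
    forged["tag"] = b"\x00" * 32                                          # bad MN-AAA option
    return {"initial_ok": ok1, "handover_ok": ok2,
            "pmn_ha_rotated": a["pmn_ha"] != b["pmn_ha"], "spi_rotated": a["spi"] != b["spi"],
            "later_msg_ok": ha.verify_later(dst.protect("ms-001", "binding refresh")),
            "forged_rejected": ha.handle_bu(forged) is None}
```

Running `run_scenario()` shows the two properties the patent relies on: PMN-HA and the SPI both change across the handover although only PMN-AAA was transferred, and the HAAA rejects a binding request whose MN-AAA option does not verify.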

The sixth embodiment of the present invention relates to a method for establishing a proxy mobile IP security mechanism. It is largely the same as the fifth embodiment; the only difference is that in the fifth embodiment the HAAA verifies the RRQ message from the PDSN and sends the PMN-HA key to the HA, whereas in this embodiment the HA uses the MS's identity to request the corresponding PMN-AAA key from the HAAA, verifies the RRQ message with that PMN-AAA key, and derives the PMN-HA key from the PMN-AAA key itself. Therefore, when a PDSN handover occurs, the HA can complete message verification and key update independently in the subsequent processing without interacting with the HAAA again, which simplifies the procedure.

The seventh embodiment of the present invention relates to a proxy mobile IP security system comprising a mobile IP agent, an HAAA and an HA.

The mobile IP agent includes: a binding request module, configured to protect, with the PMN-AAA key between the HAAA and the agent, the binding request sent to the HA for registering mobile IP when proxy mobile IP binding is performed for the first time, for instance when a connection with the MS is established or when the MS hands over to this agent; and a key generation module, configured to generate the PMN-HA key between this agent and the HA from the PMN-AAA key.

The HA includes: a verification request module, configured to verify the binding request from the agent by interacting with the HAAA; a key acquisition module, configured to obtain the PMN-HA key by interacting with the HAAA; and a binding response module, configured to return a binding response to the agent after verification passes, the binding response carrying the security parameter index (SPI) used to index the PMN-HA key.

The HAAA includes: an interaction module, configured to carry out with the HA the interactions related to verifying the binding request and to the HA's acquisition of the PMN-HA key.

The mobile IP agent and the HA protect the integrity of subsequent mobile IP messages using the PMN-HA key and the SPI.

It can thus be seen that the HA can correctly process all legitimate binding requests without modifying the existing protocol, updating the key and generating the corresponding SPI as each situation requires; this guarantees accurate message verification between the agent and the HA and satisfies the security requirements of mobile IP.

Specifically, the mobile IP agent may obtain the PMN-AAA key as follows. If the binding request module must send a binding request when establishing a connection with the mobile terminal, the agent forwards the MS's authentication information to the HAAA; after the HAAA's authentication of that information passes, the HAAA sends the PMN-AAA key to the agent, which thereby obtains it; or, after the authentication passes, the HAAA sends the agent the root key of the PMN-AAA key, and the agent obtains the PMN-AAA key from that root key.

If the binding request module needs to send a binding request when the MS is handed over to this proxy, the proxy obtains the PMN-AAA key from the source proxy, or obtains the root key of the PMN-AAA key from the source proxy and derives the PMN-AAA key from that root key.

The HA's authentication request module may interact with the HAAA's interaction module to verify the binding request in either of the following ways:

The HA's authentication request module asks the HAAA's interaction module to verify the binding request; the interaction module uses the identity of the MS to index the corresponding PMN-AAA key and performs integrity verification on the binding request with that PMN-AAA key, thereby verifying the binding request.

Alternatively, the authentication request module uses the identity of the MS to request that the interaction module deliver the corresponding PMN-AAA key, and after obtaining the PMN-AAA key it performs integrity verification on the binding request with that key, thereby verifying the binding request.

The HA's key acquisition module interacts with the HAAA's interaction module to obtain the PMN-HA key in either of the following ways:

The key acquisition module directly requests that the interaction module deliver the PMN-HA key; or, the key acquisition module requests that the interaction module deliver the PMN-AAA key, and derives the PMN-HA key from that PMN-AAA key.

An eighth embodiment of the present invention relates to a mobile IP proxy, the proxy comprising:

a PMN-AAA key acquisition module, used to obtain the PMN-AAA key shared between the proxy and its corresponding home authentication, authorization and accounting server (HAAA);

a binding request sending module, used to protect a binding request for registering mobile IP with the obtained PMN-AAA key and then send it to the home agent (HA);

a verification module, used to: after the mobile IP proxy receives the binding response sent by the HA, compute the PMN-HA key from the obtained PMN-AAA key and verify the binding response with that PMN-HA key; where the binding response is a message protected by the HA with the PMN-HA key, the PMN-HA key is the key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key after the binding request has been verified with the PMN-AAA key held by the HAAA, and the binding response further carries the security parameter index (SPI) used to index the PMN-HA key;

a protection module, used to protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI.

A ninth embodiment of the present invention relates to a home agent, comprising:

a binding request receiving module, used to receive a binding request for registering mobile IP sent by the mobile IP proxy, where the binding request is a message that the mobile IP proxy has protected with the PMN-AAA key it obtained, shared between the proxy and its home authentication, authorization and accounting server (HAAA);

a binding response sending module, used to: after the home agent, through interaction with the HAAA, has verified the binding request with the PMN-AAA key held by the HAAA, protect the binding response message sent to the mobile IP proxy, which carries the security parameter index (SPI) used to index the PMN-HA key, with the PMN-HA key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key; where the PMN-HA key and the SPI are the key and index that the mobile IP proxy, after computing the PMN-HA key from the PMN-AAA key it obtained and verifying the binding response with it, uses to protect the integrity of subsequent mobile IP messages.

A tenth embodiment of the present invention relates to a proxy mobile IP security system, the system comprising: a mobile IP proxy, a home agent (HA), and a home authentication, authorization and accounting server (HAAA), where: the mobile IP proxy is used to:

obtain the PMN-AAA key shared between the mobile IP proxy and its corresponding HAAA, protect the binding request for registering mobile IP with that PMN-AAA key, and send it to the home agent HA; and,

on receiving the binding response sent by the HA, compute the PMN-HA key from the obtained PMN-AAA key, verify the binding response with that PMN-HA key, and after the verification passes, protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI carried in the binding response;

the HA is used to:

through interaction with the HAAA, after the binding request has been verified with the PMN-AAA key held by the HAAA, protect the binding response message sent to the mobile IP proxy, which carries the security parameter index (SPI) used to index the PMN-HA key, with the PMN-HA key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key;

the HAAA is used to provide the PMN-AAA key.
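The following Python model is an added illustration of the exchange described in this section and in the earlier passages on how the proxy obtains PMN-AAA and how the HA verifies the binding request through the HAAA; it is not code from the patent or from Huawei. Everything concrete in it is an assumption of the example: the identifiers and addresses are constructed, PMN-AAA and PMN-HA are derived with HMAC-SHA256 (the patent does not fix a derivation function), the message layouts are invented, and the SPI is a random value above the reserved 0-255 range. The derivation inputs (proxy IP, HA IP, timestamp) follow claim 9 and the random-unique SPI follows claim 8. The model also shows the two failure modes a practitioner cares about: a binding request whose PMN-AAA tag does not verify produces no binding and no response, and a later message with a bad tag or unknown SPI is rejected.

```python
import hashlib
import hmac
import os
import time

# Constructed sample identifiers for the three parties (not taken from the patent).
MS_ID = "ms-0001@example.net"
PROXY_IP = "192.0.2.10"
HA_IP = "198.51.100.5"


def kdf(key: bytes, label: str, *inputs: str) -> bytes:
    """Assumed key derivation: HMAC-SHA256 over a label and the derivation inputs."""
    return hmac.new(key, "|".join((label,) + inputs).encode(), hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """Assumed integrity tag over a mobile IP message (HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class HAAA:
    """Home AAA server: holds the root key per MS and serves the HA's verification request."""

    def __init__(self):
        self.root_keys = {}  # MS identity -> PMN-AAA root key

    def authenticate_ms(self, ms_id: str) -> bytes:
        # After authenticating the MS, the HAAA hands the proxy the PMN-AAA root key
        # (the root-key option of claim 2); the proxy derives PMN-AAA from it.
        self.root_keys[ms_id] = os.urandom(32)
        return self.root_keys[ms_id]

    def verify_binding_request(self, ms_id, proxy_ip, ha_ip, msg, tag, ts):
        # Interaction module: index the PMN-AAA key by MS identity and check integrity.
        root = self.root_keys.get(ms_id)
        if root is None:
            return None
        k_aaa = kdf(root, "PMN-AAA", proxy_ip)
        if not hmac.compare_digest(mac(k_aaa, msg), tag):
            return None
        # PMN-HA derived from PMN-AAA using proxy IP, HA IP and timestamp (claim 9).
        k_ha = kdf(k_aaa, "PMN-HA", proxy_ip, ha_ip, ts)
        spi = int.from_bytes(os.urandom(4), "big") | 0x100  # random SPI; 0-255 are reserved
        return k_ha, spi


class Proxy:
    """Mobile IP proxy: protects the binding request with PMN-AAA, later uses PMN-HA."""

    def __init__(self, ip: str, ms_id: str, root_key: bytes):
        self.ip, self.ms_id = ip, ms_id
        self.k_aaa = kdf(root_key, "PMN-AAA", ip)  # PMN-AAA computed from the root key
        self.k_ha, self.spi = None, None

    def binding_request(self, ha_ip: str):
        msg = f"BU|{self.ms_id}|{self.ip}|{ha_ip}|{int(time.time())}".encode()
        return msg, mac(self.k_aaa, msg)

    def handle_binding_response(self, ha_ip: str, resp: bytes, tag: bytes) -> bool:
        _, ms_id, spi, ts = resp.decode().split("|")
        k_ha = kdf(self.k_aaa, "PMN-HA", self.ip, ha_ip, ts)  # same derivation as the HAAA
        if ms_id != self.ms_id or not hmac.compare_digest(mac(k_ha, resp), tag):
            return False
        self.k_ha, self.spi = k_ha, int(spi)
        return True

    def protect(self, payload: bytes):
        # Subsequent mobile IP messages carry the SPI so the HA can look up PMN-HA.
        return self.spi, payload, mac(self.k_ha, payload)


class HomeAgent:
    """HA: verifies through the HAAA, stores PMN-HA under the SPI, protects the response."""

    def __init__(self, ip: str, haaa: HAAA):
        self.ip, self.haaa, self.bindings = ip, haaa, {}  # bindings: SPI -> (MS id, PMN-HA)

    def handle_binding_request(self, msg: bytes, tag: bytes):
        _, ms_id, proxy_ip, ha_ip, ts = msg.decode().split("|")
        result = self.haaa.verify_binding_request(ms_id, proxy_ip, self.ip, msg, tag, ts)
        if ha_ip != self.ip or result is None:
            return None  # verification failed: no binding is created and nothing is sent
        k_ha, spi = result
        self.bindings[spi] = (ms_id, k_ha)
        resp = f"BA|{ms_id}|{spi}|{ts}".encode()
        return resp, mac(k_ha, resp)

    def verify(self, spi: int, payload: bytes, tag: bytes) -> bool:
        entry = self.bindings.get(spi)
        return entry is not None and hmac.compare_digest(mac(entry[1], payload), tag)


def run_exchange():
    """Full exchange plus failure cases; returns (tampered_rejected, accepted, later_ok, forged_rejected)."""
    haaa = HAAA()
    ha = HomeAgent(HA_IP, haaa)
    proxy = Proxy(PROXY_IP, MS_ID, haaa.authenticate_ms(MS_ID))
    msg, tag = proxy.binding_request(HA_IP)
    tampered_rejected = ha.handle_binding_request(msg + b"x", tag) is None
    resp, rtag = ha.handle_binding_request(msg, tag)
    accepted = proxy.handle_binding_response(HA_IP, resp, rtag)
    spi, payload, ptag = proxy.protect(b"BU-refresh|" + MS_ID.encode())
    later_ok = ha.verify(spi, payload, ptag)
    forged_rejected = not ha.verify(spi, payload + b"!", ptag) and not ha.verify(spi + 1, payload, ptag)
    return tampered_rejected, accepted, later_ok, forged_rejected
```

Two design points are worth noting. The proxy never receives PMN-HA over the wire: both sides derive it independently from PMN-AAA and public inputs, so the binding response is verifiable only if the HAAA accepted the request. And the HA keys its binding table by SPI, which is what lets it locate the right PMN-HA for later messages from the same proxy without re-contacting the HAAA.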

Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes may be made in form and detail without departing from the spirit and scope of the invention.

Claims

1. A method for establishing a security mechanism for proxy mobile IP, characterized in that it comprises:
the mobile IP proxy obtaining the PMN-AAA key shared between the proxy and its corresponding home authentication, authorization and accounting server (HAAA), protecting a binding request for registering mobile IP with that PMN-AAA key, and sending it to the home agent (HA);
the mobile IP proxy receiving the binding response sent by the HA, computing from the obtained PMN-AAA key the PMN-HA key shared with the HA, and verifying the binding response with that PMN-HA key; where the binding response is a message protected by the HA with the PMN-HA key, the PMN-HA key is the key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key after the binding request has been verified with the PMN-AAA key held by the HAAA, and the binding response further carries the security parameter index (SPI) used to index the PMN-HA key;
the mobile IP proxy, after the verification passes, protecting the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI.

2. The method according to claim 1, characterized in that, when the mobile IP proxy establishes a connection with the mobile terminal, the mobile IP proxy obtains the PMN-AAA key as follows:
the mobile IP proxy forwards the authentication information of the mobile terminal to the HAAA;
after the HAAA has authenticated that information, the mobile IP proxy receives the PMN-AAA key sent by the HAAA; or, after the HAAA has authenticated that information, the mobile IP proxy receives the root key of the PMN-AAA key sent by the HAAA, and the mobile IP proxy computes the PMN-AAA key from that root key.

3. The method according to claim 2, characterized in that, after the HAAA has authenticated the authentication information of the mobile terminal, the mobile IP proxy receives from the HAAA the information required for proxy mobile IP registration, which includes the address of the HA, the home address (HoA) and the home link prefix.

4. The method according to claim 3, characterized in that, after the proxy mobile IP registration is completed, the mobile IP proxy sends to the mobile terminal the information the mobile terminal requires to perform mobile IP registration.

5. The method according to claim 1, characterized in that, when the mobile terminal is handed over from a source mobile IP proxy to the mobile IP proxy acting as the target mobile IP proxy, the target mobile IP proxy obtains the PMN-AAA key as follows:
the target mobile IP proxy obtains the PMN-AAA key from the source mobile IP proxy; or, the target mobile IP proxy obtains the root key of the PMN-AAA key from the source mobile IP proxy and computes the PMN-AAA key from that root key.

6. The method according to any one of claims 1 to 5, characterized in that verifying the binding request with the PMN-AAA key held by the HAAA is implemented as follows:
the HAAA verifies the binding request by using the identity of the mobile terminal to index the corresponding PMN-AAA key and performing integrity verification on the binding request with that PMN-AAA key;
and generating the key between the proxy and the HA for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key is implemented as follows:
the HAAA generates the PMN-HA key from the PMN-AAA key or the PMN-AAA root key and sends the PMN-HA key to the HA.

7. The method according to any one of claims 1 to 5, characterized in that verifying the binding request with the PMN-AAA key held by the HAAA is implemented as follows:
the HA verifies the binding request by using the identity of the mobile terminal to request the PMN-AAA key from the HAAA, or by computing the PMN-AAA key from the root key it obtains, and performing integrity verification on the binding request with that PMN-AAA key;
and generating the key between the proxy and the HA for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key is implemented as follows:
the HA computes the PMN-HA key from the PMN-AAA key or the PMN-AAA root key obtained by the request.

8. The method according to any one of claims 1 to 5, characterized in that the SPI is a random and unique value generated by the HAAA or the HA, or a fixed value agreed with the mobile IP proxy, or a value obtained by computation.

9. The method according to any one of claims 1 to 5, characterized in that the PMN-HA key is computed using the IP address of the proxy, the IP address of the HA and/or a timestamp as input.

10. A method for establishing a security mechanism for proxy mobile IP, characterized in that it comprises:
the home agent (HA) receiving a binding request for registering mobile IP sent by the mobile IP proxy, where the binding request is a message that the mobile IP proxy has protected with the PMN-AAA key it obtained, shared between the proxy and its home authentication, authorization and accounting server (HAAA);
the HA, through interaction with the HAAA, verifying the binding request with the PMN-AAA key held by the HAAA;
after the verification passes, the HA protecting the binding response message sent to the mobile IP proxy with the shared PMN-HA key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key; where the binding response message carries the security parameter index (SPI) used to index the PMN-HA key, and the PMN-HA key and the SPI are the key and index that the mobile IP proxy, after computing the PMN-HA key from the PMN-AAA key it obtained and verifying the binding response with it, uses to protect the integrity of subsequent mobile IP messages.

11. The method according to claim 10, characterized in that the HA verifying the binding request through interaction with the HAAA is implemented as follows:
the HA sends the binding request to the HAAA;
the HAAA uses the identity of the mobile terminal to index the corresponding PMN-AAA key and performs integrity verification on the binding request with that PMN-AAA key; or the HAAA indexes the corresponding root key, computes the PMN-AAA key from that root key, and performs integrity verification on the binding request with that PMN-AAA key;
and generating the PMN-HA key for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key is implemented as follows:
the HAAA generates the PMN-HA key from the PMN-AAA key or the PMN-AAA root key and sends the PMN-HA key to the HA.

12. The method according to claim 10, characterized in that the HA verifying the binding request through interaction with the HAAA is implemented as follows:
after receiving the binding request, the HA uses the identity of the mobile terminal to request the PMN-AAA key from the HAAA and performs integrity verification on the binding request with that PMN-AAA key; or the HA requests the PMN-AAA root key from the HAAA, computes the PMN-AAA key from that root key, and performs integrity verification on the request;
and generating the PMN-HA key for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key is implemented as follows:
the HA computes the PMN-HA key from the PMN-AAA key or the PMN-AAA root key obtained by the request.

13. The method according to any one of claims 10 to 12, characterized in that, when the mobile IP proxy establishes a connection with the mobile terminal, the mobile IP proxy obtains the PMN-AAA key as follows:
the mobile IP proxy forwards the authentication information of the mobile terminal to the HAAA;
after the HAAA has authenticated that information, it sends the PMN-AAA key to the mobile IP proxy; or, after the HAAA has authenticated that information, it sends the root key of the PMN-AAA key to the mobile IP proxy, and the mobile IP proxy computes the PMN-AAA key from that root key.

14. The method according to any one of claims 10 to 12, characterized in that, when the mobile terminal is handed over from a source mobile IP proxy to the mobile IP proxy acting as the target mobile IP proxy, the mobile IP proxy obtains the PMN-AAA key as follows:
the mobile IP proxy obtains the PMN-AAA key from the source mobile IP proxy; or, the mobile IP proxy obtains the root key of the PMN-AAA key from the source mobile IP proxy and computes the PMN-AAA key from that root key.

15. A mobile IP proxy, characterized in that the proxy comprises:
a PMN-AAA key acquisition module, used to obtain the PMN-AAA key shared between the proxy and its corresponding home authentication, authorization and accounting server (HAAA);
a binding request sending module, used to protect a binding request for registering mobile IP with the obtained PMN-AAA key and then send it to the home agent (HA);
a verification module, used to: after the mobile IP proxy receives the binding response sent by the HA, compute the PMN-HA key from the obtained PMN-AAA key and verify the binding response with that PMN-HA key; where the binding response is a message protected by the HA with the PMN-HA key, the PMN-HA key is the key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key after the binding request has been verified with the PMN-AAA key held by the HAAA, and the binding response further carries the security parameter index (SPI) used to index the PMN-HA key;
a protection module, used to protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI.

16. A home agent, characterized in that it comprises:
a binding request receiving module, used to receive a binding request for registering mobile IP sent by the mobile IP proxy, where the binding request is a message that the mobile IP proxy has protected with the PMN-AAA key it obtained, shared between the proxy and its home authentication, authorization and accounting server (HAAA);
a binding response sending module, used to: after the home agent, through interaction with the HAAA, has verified the binding request with the PMN-AAA key held by the HAAA, protect the binding response message sent to the mobile IP proxy, which carries the security parameter index (SPI) used to index the PMN-HA key, with the PMN-HA key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key; where the PMN-HA key and the SPI are the key and index that the mobile IP proxy, after computing the PMN-HA key from the PMN-AAA key it obtained and verifying the binding response with it, uses to protect the integrity of subsequent mobile IP messages.

17. A proxy mobile IP security system, characterized in that the system comprises: a mobile IP proxy, a home agent (HA), and a home authentication, authorization and accounting server (HAAA), where:
the mobile IP proxy is used to:
obtain the PMN-AAA key shared between the mobile IP proxy and its corresponding HAAA, protect the binding request for registering mobile IP with that PMN-AAA key, and send it to the home agent HA; and,
on receiving the binding response sent by the HA, compute the PMN-HA key from the obtained PMN-AAA key, verify the binding response with that PMN-HA key, and after the verification passes, protect the integrity of subsequent mobile IP messages with the PMN-HA key and the SPI carried in the binding response;
the HA is used to:
through interaction with the HAAA, after the binding request has been verified with the PMN-AAA key held by the HAAA, protect the binding response message sent to the mobile IP proxy, which carries the security parameter index (SPI) used to index the PMN-HA key, with the PMN-HA key between the proxy and the HA that is generated for the mobile IP proxy from the PMN-AAA key or the PMN-AAA root key;
the HAAA is used to provide the PMN-AAA key.

18. The system according to claim 17, where the mobile IP proxy is a packet data serving node, an access gateway or a control access point.
PCT/CN2007/070964 2006-10-27 2007-10-26 Method for establishing mobile ip security mechanism, security system and the relevant device Ceased WO2008052470A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610143418.3 2006-10-27
CN2006101434183A CN101170806B (en) 2006-10-27 2006-10-27 Establishment method, secure system and related device for secure mechanism in agent mobile IP

Publications (1)

Publication Number Publication Date
WO2008052470A1 true WO2008052470A1 (en) 2008-05-08

Family

ID=39343833

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070964 Ceased WO2008052470A1 (en) 2006-10-27 2007-10-26 Method for establishing mobile ip security mechanism, security system and the relevant device

Country Status (2)

Country Link
CN (1) CN101170806B (en)
WO (1) WO2008052470A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431756A (en) * 2007-11-08 2009-05-13 华为技术有限公司 Method, system and apparatus for preventing hostile attack
CN101754200B (en) * 2008-12-08 2014-09-03 华为技术有限公司 Registration method, registration system and registration device
DE102009029828B4 (en) * 2009-06-18 2011-09-01 Gigaset Communications Gmbh DEFAULT encryption
WO2012152128A1 (en) * 2011-05-10 2012-11-15 中兴通讯股份有限公司 Handover method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030147537A1 (en) * 2002-02-07 2003-08-07 Dongfeng Jing Secure key distribution protocol in AAA for mobile IP
WO2005101793A1 (en) * 2004-04-14 2005-10-27 Nortel Networks Limited Securing home agent to mobile node communication with ha-mn key
CN1714560A (en) * 2002-11-22 2005-12-28 思科技术公司 Method and device for dynamic session key generation and key reset in mobile IP

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030147537A1 (en) * 2002-02-07 2003-08-07 Dongfeng Jing Secure key distribution protocol in AAA for mobile IP
CN1714560A (en) * 2002-11-22 2005-12-28 思科技术公司 Method and device for dynamic session key generation and key reset in mobile IP
WO2005101793A1 (en) * 2004-04-14 2005-10-27 Nortel Networks Limited Securing home agent to mobile node communication with ha-mn key

Also Published As

Publication number Publication date
CN101170806A (en) 2008-04-30
CN101170806B (en) 2012-05-23

Similar Documents

Publication Publication Date Title
JP5004037B2 (en) Method for creating a security association in a mobile IP network
CN101185311B (en) Utilizing generic authentication architecture for mobile internet protocol key distribution
RU2437238C2 (en) Methods and device for provision of pmip keys hierarchy in wireless communication network
KR101401605B1 (en) Method and system for providing an access-specific key
JP5166525B2 (en) Access network-core network trust relationship detection for mobile nodes
JP5378603B2 (en) Pre-registration security support in multi-technology interworking
US8011001B2 (en) Method for managing security in a mobile communication system using proxy mobile internet protocol and system thereof
CN101006682B (en) Fast network attachment
EP2633718A1 (en) Secure route optimization in mobile internet protocol using trusted domain name servers
EP2633717A1 (en) Enhanced cryptographically generated addresses for secure route optimization in mobile internet protocol
EP1547400A2 (en) System and method for resource authorizations during handovers
WO2008052470A1 (en) Method for establishing mobile ip security mechanism, security system and the relevant device
CN101079705B (en) Method and system for generating and distributing mobile IP keys after re-authentication
KR100687721B1 (en) Method for extending the Diameter AAA protocol to support Mobile IPv6
CN101227458B (en) Mobile IP system and method for updating local agent root key
KR101588646B1 (en) Authentication method and system of wireless communication system
Chen et al. Fast handoff in mobile virtual private networks
Kim et al. Secure and low latency handoff scheme for proxy mobile ipv6
KR20090041155A (en) Method and device for fast IP address setting in proxy mobile IP based portable internet network
Tschofenig RADIUS Mobile IPv6 Support draft-ietf-mip6-radius-00.txt
Marques et al. An 802.1X-based Security Architecture for MIP
WO2009067905A1 (en) A method, system and apparatus for preventing hostile attack

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07817155

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07817155

Country of ref document: EP

Kind code of ref document: A1