WO2009056024A1 - A method, system and device for registration of MN in IPv6 network


Info

Publication number
WO2009056024A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
mobile node
home
home address
binding
Application number
PCT/CN2008/072524
Inventor
Sachin Dutta
Shanxiang Mao
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009056024A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0019 Control or signalling for completing the hand-off for data sessions of end-to-end connection adapted for mobile IP [MIP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/06 Registration at serving network Location Register, VLR or user mobility server
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • The present invention relates to a technology for implementing mobility of a mobile node (MN, Mobile Node) in Internet Protocol Version 6 (IPv6), and more particularly to an MN registration method, system and apparatus for an IPv6 network.
  • MN Mobile node
  • IPv6 Internet Protocol Version 6
  • Mobile IPv6 is a protocol for implementing MN mobility in an IPv6 network. When an MN moves within an IPv6 network, it can maintain its reachability without changing its home address.
  • HA Home Agents
  • CN Correspondent Nodes
  • The MN can move and access the network side of the IPv6 network through different links, but it always maintains its reachability through its home address.
  • The HA is a router in the MN's home network. When the MN moves to another network, it registers its current care-of address with the HA; the HA binds the MN's home address to the care-of address and establishes a tunnel between the HA and the MN.
  • The HA intercepts messages sent to the MN's home address in the MN's home network and, after encapsulation, forwards them through the tunnel between the HA and the MN to the care-of address that the MN registered with the HA.
  • The CN is the node communicating with the MN. When sending a message to the MN, the CN sends it to the MN's home network, that is, to the MN's home address. The CN may be another MN or a fixed node.
  • FIG. 1 is a schematic structural diagram of a prior-art system for implementing MN mobility in an IPv6 network. As shown in the figure, it includes an MN, an HA and a CN, where the network in which the MN is currently located is not its home network, and the MN interacts with the HA through the IPv6 network.
  • The HA interacts with the CN through the IPv6 network.
  • When the CN sends a packet to the MN, the packet carries the home address of the CN and the Media Access Control (MAC) address of the HA. After passing through the IPv6 network, the packet is intercepted by the HA that has the MAC address carried in the packet.
  • MAC Media Access Control
  • According to the current care-of address corresponding to the home address of the MN, the HA re-encapsulates the packet so that it carries the MN's current care-of address, and sends it to the MN through the IPv6 network.
  • The first step is a dynamic HA discovery mechanism: whenever the MN moves to a network outside its home network, the MN tries to discover the HA in the home network.
  • The second step is registration: the MN registers with the HA, registering its current care-of address; the HA binds the MN's home address to the current care-of address, establishes the tunnel between the HA and the MN, and sets the MN's home address in the home address list.
  • The third step is message transmission: the MN communicates and transmits messages through the tunnel established with the HA, and receives the messages that the HA sends to the current care-of address registered by the MN.
  • By querying the home address list, the HA finds that the home address of the MN is already stored, that is, the MN has already registered, so no further registration is performed and message exchange proceeds directly.
  • FIG. 2 is a flow chart of the prior-art method for registering the MN with the HA. The specific steps are as follows:
  • Step 201: The MN sends a binding update request message to the HA.
  • Step 202: After receiving the binding update request message, the HA verifies the MN.
  • DAD Duplicate Address Detection
  • The HA needs to obtain the home address of the MN, for example as carried in the binding update request message.
  • This duplicate address detection process ensures that, after the MN leaves the home network for another network, no other node in the same home network is configured with the same home address as the MN. If another node is configured with the same home address as the MN, the registration process will not succeed, and the HA sends a binding confirmation message to the MN to notify it that DAD failed, that is, that while the MN was not in the home network another node was configured with the home address used by the MN.
  • Performing DAD as in step 203 guarantees the uniqueness of the subsequent binding between the MN's home address and its current care-of address, which ensures the uniqueness of the tunnel between the MN and the HA and ensures that the home address of the MN is reachable when messages are transmitted.
  • Step 204: The time for which the HA runs the DAD process reaches the timer setting (the minimum setting is 1 second), and no other MN is using the home address of the MN.
  • Step 205: The HA sends a binding acknowledgement message carrying the binding success information to the MN, generates on the HA a binding cache of the MN's home address and current care-of address, establishes a tunnel between the HA and the MN, and sets the home address of the MN in the home address list.
  • Before the MN's current care-of address is bound to the MN's home address, the current care-of address needs to be obtained; the MN may send it in the binding update request message.
  • The HA acts as a proxy for the MN's home address: the HA directly saves the home address of the MN, receives the messages sent to that home address, and sends them through the tunnel established with the MN to the MN's current care-of address.
  • The process shown in FIG. 2 is the first registration of the MN with the HA from outside the home network. In subsequent registrations, if the MN moves again, DAD need not be performed: once the home address of the MN is determined to be in the established home address list, the home address and the current care-of address are directly re-bound to complete the tunnel establishment between the HA and the MN.
  • The first problem is the possibility of a DOS (Denial of Service) attack during the registration process. There is a time interval while the MN leaves the home network and moves to another network. During this interval the MN's home address can be used by other MNs, and it is highly likely that another MN will configure the same home address as the MN's home address. In that case, the DAD process performed by the HA fails, and the MN cannot register with the HA and cannot receive the mobile service.
  • DOS Denial of Service
  • During the time interval that necessarily exists while the MN is moving, the HA still allows other MNs on the home network to have the same home address as the MN.
  • The registration time is a very important parameter of the registration process, because delay during registration results in the messages transmitted by the MN being discarded and the MN's existing connections being interrupted.
  • The delay when the MN moves is the set time (at least 1 second) introduced by the DAD process, so registration takes at least 1 second, and the delay is the MN.
  • The DAD process should normally time out, which indicates that the MN's home address on the HA is not used by another MN. Only when the DAD process fails, that is, after the HA sends the binding update request message and quickly receives the binding confirmation message, is the registration failure process faster.
  • The embodiments of the invention provide an MN registration method, system and device for an IPv6 network that reduce the time for MN registration with the HA.
  • An embodiment of the present invention provides a method for registering a mobile node of an IPv6 network, including: after receiving a binding update request sent by a mobile node, determining whether the home address of the mobile node is in a set security association list, where requests by other nodes for a mobile node home address protected in the security association list are not accepted;
  • if so, returning to the mobile node a binding confirmation message carrying the binding success information, and caching the binding of the mobile node's home address and the current care-of address.
  • An embodiment of the present invention further provides a mobile node registration system for an IPv6 network, including: a mobile node, configured to send a binding update request to a home agent and to receive a binding confirmation message, sent by the home agent, carrying the binding success information;
  • a home agent, configured to receive the binding update request sent by the mobile node and, on detecting that the home address of the mobile node is in the set security association list, return to the mobile node a binding confirmation message carrying the binding success information and generate a binding cache that maps the mobile node's home address to the current care-of address.
  • An embodiment of the invention also provides a home agent, including:
  • a receiving module configured to receive a binding update request sent by the mobile node, obtain the home address of the mobile node, and send the home address of the mobile node to the detection module;
  • a sending module configured to send to the mobile node the binding confirmation message, carrying the binding success information, received from the detection module;
  • a detection module configured to detect that the home address of the mobile node is in the set security association list, and send a binding confirmation message carrying the binding success information to the sending module and the processing module;
  • a processing module configured to receive, from the detection module, the binding confirmation message carrying the binding success information, and generate a binding cache of the mobile node's home address and the current care-of address.
  • A security association list is established in the HA and exists as an extended home address list. The home address of a mobile MN is saved in the security association list for protection, so that other MNs in the home network are not configured with that home address. As a result, when the MN registers with the HA and the registered home address is not in the home address list, duplicate detection of the MN's home address does not need to use the DAD process.
  • FIG. 1 is a schematic structural diagram of a system for implementing MN mobility in an IPv6 network according to the prior art
  • FIG. 2 is a flow chart of a method for registering a MN to HA in the prior art
  • FIG. 3 is a flowchart of a method for registering a MN to an HA according to an embodiment of the present invention
  • FIG. 4 is a flow chart of a method for transmitting a message by a HA as a proxy of a MN according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of a system for registering a MN to an HA according to an embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of an HA according to an embodiment of the present invention
  • A security association list is pre-established on the HA. The list is generated dynamically or manually and exists as an extended home address list; the home addresses of mobile MNs are saved in it.
  • the security association list established in the HA may be based on the interconnection.
  • SAs security associations
  • IPsec IP Security
  • IP Security network protocol security
  • Each home address in the security association list can also be marked, by an identifier, as a home address that does not need to be assigned to other MNs for use.
  • The specific implementation of the present invention includes several parts. The first part is the setting process of the security association list, which protects the home addresses in the list so that other nodes do not use them. The second part is the registration process when an MN whose home address is in the security association list moves to a non-home network; the home address involved in this registration is not in the established home address list. In the third part, after the registration of the second part is completed, the HA associates the home address of the MN with the MAC address of the HA, multicasts the association in a neighbor announcement message, and so notifies other nodes that the HA acts as a proxy of the MN. After receiving the announcement message, another node that sends a message to the MN can carry the home address of the MN and the associated MAC address; the HA intercepts the packet according to its own MAC address and sends it to the corresponding care-of address according to the MN home address it carries, so that the MN receives the packet.
  • The security association list is set on the HA.
  • the home address in the SA list is manually IPSEC.
  • IPSEC IP Security
  • After the HA obtains the MN's home address from another network entity in the home network, it sets the address in the security association list.
  • a home address is requested.
  • N node neighbor announcement
  • NA Neighbor Advertisement
  • The NA may carry information indicating that the MN home address and associated MAC address cached by other nodes are not to be updated, that is, the override bit is set to 0, and other nodes that receive the NA do not update their caches. If the NA is to indicate that the MN home address and associated MAC address cached by other nodes are to be updated, it carries that information, that is, the override bit is set to 1.
  • FIG. 3 is a flowchart of a method for registering an MN with an HA according to an embodiment of the present invention. The specific steps are as follows:
  • Step 301: When registering, the MN that has moved to another network sends a binding update request message to the HA of its home network.
  • Step 302: After receiving the binding update request message initiated by the MN, the HA verifies the MN. If the verification succeeds, step 303 is performed; if the verification fails, step 305 is performed.
  • This step is optional.
  • The HA may also not verify the received binding update request message, that is, no authentication function is set in the HA, which reduces the complexity of HA processing. In this case, the HA treats every received binding update request message as having passed verification.
  • Step 303: The HA detects whether the home address of the MN is in the security association list. If yes, step 304 is performed; if no, step 305 is performed.
  • The HA needs to obtain the home address of the MN, for example as carried in the binding update request message.
  • The home addresses of MNs in the set security association list are protected, that is, the HA does not accept a request from another node for a home address in the security association list.
  • Step 304: The HA does not perform DAD on the home address of the MN. It returns to the MN a binding acknowledgement message carrying the binding success information, generates on the HA the binding cache of the MN's home address and current care-of address, establishes a tunnel between the HA and the MN, and sets the home address of the MN in the home address list.
  • Because a home address in the security association list is guaranteed to be used uniquely by the MN, the HA does not need to perform DAD on the MN's home address and does not spend the time the DAD process requires, which saves registration time.
  • The current care-of address of the MN needs to be obtained before it is bound to the home address of the MN.
  • The current care-of address of the MN may be sent by the MN in the binding update request message.
  • Step 305: After the MN passes verification, the HA starts DAD and performs duplicate address detection on the home address of the MN.
  • Step 306: The time for which the HA runs the DAD process reaches the timer setting (the minimum setting is 1 second), and no other MN is using the home address of the MN.
  • Step 307: The HA sends a binding acknowledgement message carrying the binding success information to the MN, generates on the HA a binding cache of the MN's home address and current care-of address, establishes a tunnel between the HA and the MN, and sets the home address of the MN in the home address list.
  • The method further includes: the HA determines whether the home address of the MN is in the established home address list; if so, step 304 is executed directly; if not, step 303 is performed.
  • After a home address in the security association list is registered, that is, after step 304, the HA announces itself as the proxy of the MN's home address: the HA associates the home address of the MN with the MAC address of the HA and multicasts the association in a neighbor announcement message, so that other nodes that receive the multicast message know that the HA acts as the proxy of the MN's home address.
  • The other node associates the home address of the MN with the MAC address of the HA and caches the association, for example in its neighbor cache.
  • An identifier may also be carried, indicating whether other MNs need to update their neighbor caches, such as setting override to 1.
  • The MN's home address and the associated MAC address can be carried.
  • The HA intercepts the packet according to its own MAC address and sends it to the corresponding care-of address according to the home address of the MN, so that the MN can receive it.
  • The nodes each have a neighbor cache, in which the home address of the MN and the associated MAC address are cached.
  • A set link-layer address compatibility identifier (L) may be carried in the binding update message sent by the MN. The identifier indicates that the HA needs to act as the home agent for both the link-local address and the global address of the MN. When registration is completed, the neighbor announcement message multicast by the HA carries the association of the MN's link-local address and global address, as home addresses, with the MAC address of the HA, and the nodes that receive the message update their own caches.
  • If the binding update message sent by the MN does not carry L, or L is not set, the HA acts as a proxy for the global address of the MN.
  • The neighbor announcement message multicast by the HA carries the MN's global address as the home address.
  • FIG. 4 is a flow chart of a method for transmitting a message with the HA acting as a proxy of the MN according to an embodiment of the present invention. The specific steps are as follows:
  • Step 401: After registering the MN that has left the home network, the HA associates the home address of the MN with the MAC address of the HA and multicasts the association in a neighbor announcement message.
  • The neighbor announcement message further carries an identifier indicating whether other nodes should update their caches. If override is set to 1, the cache needs to be updated.
  • Step 402: Another node that receives the neighbor announcement message learns that the HA acts as the proxy of the MN's home address, updates its own cache, and caches the associated MAC address of the HA and home address of the MN.
  • Step 403: The other node sends a message to the MN, carrying the home address of the MN and the associated MAC address.
  • Step 404: The HA intercepts the packet according to its own MAC address and sends it to the corresponding care-of address according to the MN home address it carries, so that the MN receives the packet. In this way, the MN that has moved outside the home network receives the message, and the nodes that send the message do not perceive that the MN has moved outside the home network.
  • FIG. 5 is a schematic diagram of a system for registering an MN with an HA according to an embodiment of the present invention, including:
  • The MN 501 is configured to send a binding update request to the HA 502, and to receive a binding acknowledgement message, sent by the HA 502, carrying the binding success information.
  • The HA 502 is configured to receive the binding update request sent by the MN 501 and, on detecting that the home address of the MN 501 is in the set security association list, return to the MN 501 a binding confirmation message carrying the binding success information and generate on the HA 502 the binding cache of the MN 501's home address and current care-of address. At the same time, a tunnel between the HA 502 and the MN 501 is established.
  • The HA 502, which detects that the home address of the MN 501 is in the set security association list, is also used to determine that the home address of the MN 501 is not set in the home address list.
  • The HA 502 is further used to set the home address of the MN 501 in the home address list.
  • The HA 502 is further configured to, on detecting that the home address of the MN 501 is not set in the security association list, register the MN 501 according to the prior art and send a binding confirmation message carrying the binding success information.
  • The system further includes other nodes, configured to send an NS to the HA 502 requesting to use the home address of the MN 501.
  • The HA 502 is further configured to receive the NS and, after finding that the home address of the MN 501 is not set in the home address list and determining that it is set in the security association list, return to the other node an NA indicating that the requested home address cannot be used.
  • The HA 502 is further configured to: after the MN 501 registers, multicast to other nodes an announcement message carrying the associated home address of the MN 501 and MAC address of the HA 502, intercept according to its MAC address the packets sent to the MN 501, and send them to the corresponding care-of address according to the home address of the MN 501 carried in the packet.
  • After receiving the announcement message, the other node updates its own cache with the associated home address of the MN 501 and MAC address of the HA 502.
  • the message carries the associated message.
  • FIG. 6 is a schematic structural diagram of an HA according to an embodiment of the present invention, including a receiving module 610, a sending module 620, a detecting module 630 and a processing module 640, where:
  • The receiving module 610 is configured to receive a binding update request sent by the MN, obtain the home address of the MN, and send the home address of the MN to the detecting module 630.
  • The sending module 620 is configured to send to the MN the binding confirmation message, carrying the binding success information, received from the detecting module 630.
  • The detecting module 630 is configured to detect that the MN's home address is in the set security association list, and send a binding confirmation message carrying the binding success information to the sending module 620 and the processing module 640.
  • The detecting module 630, which detects that the MN's home address is in the set security association list, is also used to determine that the MN's home address is not set in the home address list.
  • The processing module 640 is configured to receive, from the detecting module 630, the binding confirmation message carrying the binding success information, generate a binding cache of the home address of the MN and the current care-of address, and establish a tunnel between the HA and the MN.
  • The processing module 640 is further configured to set the home address of the MN in the home address list.
  • The detecting module 630 further includes a first detecting submodule, configured to, on detecting that the home address of the MN is not set in the security association list, register the MN according to the prior art and send a binding confirmation message carrying the binding success information to the sending module 620 and the processing module 640.
  • The receiving module 610 further includes a second receiving submodule, configured to: after receiving an NS, determine that the home address of the MN is set in the security association list or/and the home address list, and then return to the other node an NA indicating that the requested home address cannot be used.
  • The sending module 620 further includes a third sending submodule, configured to, after the MN registers, multicast to other nodes a message carrying the associated home address of the MN and MAC address of the HA; packets sent to the MN are intercepted according to the MAC address and sent to the corresponding care-of address according to the home address of the MN carried in the packet.
  • The example includes: an HA with address 3ffe::1/64, which stores the home address of the MN (3ff::2/64) in the security association list; an MN that has moved to another network, with care-of address 8ff::2/64; and a CN with address 9ffe::2/64.
  • When the MN moves from the home network to another network, it needs to register with the HA.
  • The MN's care-of address 8ff::2/64 and home address 3ff::2/64 are bound in the binding cache, and a tunnel between the HA and the MN is established.
  • After the registration is completed, an announcement message carrying the associated MAC address of the HA and home address of the MN is multicast, and the CN that receives the message updates its own cache.
  • When the CN sends a message carrying the MN's home address 3ff::2/64 and the MAC address of the HA, the message is intercepted by the HA having that MAC address, and the HA, according to the home address of the MN, sends the message through the tunnel to the MN's care-of address 8ff::2/64.
  • Registration time is saved because the DAD process is not performed during registration of the MN with the HA. Because registration time is saved, the possibility of a DOS attack caused by the long registration of the MN with the HA, and the discarding of messages or interruption of existing connections caused by registration delay, can be avoided.
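
The registration decision of FIG. 3 (steps 303 to 307) and the NS handling described above, modeled next to the prior-art flow of FIG. 2. This is an added example, not code from the patent or its applicant: class and function names are assumptions, DAD and NS/NA are simulated rather than sent on a network, step 302 verification is assumed passed, and the two addresses are the ones in the page's worked example.

```python
"""Home agent (HA) registration decision: prior art (FIG. 2) vs. FIG. 3.
Added example, constructed for illustration: class, field and function names
are assumptions, and DAD / NS / NA are simulated, no packets are sent."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Optional

DAD_TIMER_S = 1.0       # the page gives 1 second as the minimum DAD timer setting
MN_HOME = "3ff::2"      # MN home address from the page's worked example
MN_CARE_OF = "8ff::2"   # MN care-of address from the page's worked example


@dataclass
class BindingAck:
    success: bool
    reason: str
    delay_s: float      # simulated time the HA waits before answering


@dataclass
class HomeAgent:
    use_sa_list: bool = True                             # False models the prior art
    sa_list: set = field(default_factory=set)            # protected home addresses
    home_address_list: set = field(default_factory=set)  # registered home addresses
    binding_cache: dict = field(default_factory=dict)    # home address -> care-of address
    in_use_on_link: set = field(default_factory=set)     # addresses other nodes configured

    def handle_ns(self, target: str) -> bool:
        """Another node on the home link asks to use `target`.
        Returns True when the HA answers with an NA refusing the address."""
        addr = IPv6Address(target)
        if addr in self.home_address_list:
            return True
        if self.use_sa_list and addr in self.sa_list:
            return True
        self.in_use_on_link.add(addr)   # nobody objected: the node configures it
        return False

    def handle_binding_update(self, home: str, care_of: str) -> BindingAck:
        """Steps 303 to 307; step 302 (optional verification) is assumed passed."""
        h, c = IPv6Address(home), IPv6Address(care_of)
        if h in self.home_address_list:              # already registered: re-bind
            return self._bind(h, c, "home address list hit", 0.0)
        if self.use_sa_list and h in self.sa_list:   # steps 303-304: DAD skipped
            return self._bind(h, c, "security association list hit", 0.0)
        if h in self.in_use_on_link:                 # step 305: DAD finds a duplicate
            # The page notes that a DAD failure is reported quickly; modeled as 0 s.
            return BindingAck(False, "DAD failed, address in use", 0.0)
        return self._bind(h, c, "DAD timer expired", DAD_TIMER_S)  # steps 306-307

    def _bind(self, h, c, reason, delay_s) -> BindingAck:
        self.binding_cache[h] = c       # tunnel endpoint is the cached care-of address
        self.home_address_list.add(h)
        return BindingAck(True, reason, delay_s)


def scenario(use_sa_list: bool, other_node_claims_address: bool):
    """The MN leaves home; optionally another node requests the MN's home
    address in the interval before the binding update reaches the HA."""
    ha = HomeAgent(use_sa_list=use_sa_list, sa_list={IPv6Address(MN_HOME)})
    refused: Optional[bool] = None
    if other_node_claims_address:
        refused = ha.handle_ns(MN_HOME)
    ack = ha.handle_binding_update(MN_HOME, MN_CARE_OF)
    return ha, refused, ack


if __name__ == "__main__":
    for sa, claim in [(False, False), (False, True), (True, True)]:
        _, refused, ack = scenario(sa, claim)
        print(f"sa_list={sa!s:5} claim={claim!s:5} refused={refused} "
              f"success={ack.success} delay={ack.delay_s}s ({ack.reason})")
```

The security association list branch skips DAD entirely, so when step 302 verification is disabled the HA has no remaining check on who sent the binding update for a protected home address.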

Abstract

A method, system and device for registration of MN in IPv6 network is disclosed. The method includes: receiving a BU message from a MN, and judging whether the home address of the MN is involved in a safety union list in which the home address of the MN involved cannot be used by other MNs. If the home address of the MN is involved in the safety union list, sending a BA message that involves a binding complete information to the MN, and buffering the binding of the home address and the current CoA of the MN. Advantages of the invention: decreasing the time of registration to the HA, preventing the registration to the HA from suffering DOS attacking and packet discarding and connection interrupting, which is caused by time delay of the registration.

Description

因特网协议版本 6网络的移动节点注册方法、 系统及装置 技术领域  Mobile node registration method, system and device for Internet Protocol version 6 network
本发明涉及因特网协议版本 6 ( Internet Protocol Version 6, 以下 简称: IPv6 ) 中实现移动节点 ( MN , Mobile Node )移动性的技术, 特别涉及一种 IPv6网络的 MN注册方法、 系统及装置。 背景技术  The present invention relates to a technology for implementing mobility of a mobile node (MN, Mobile Node) in Internet Protocol Version 6 (IPv6), and more particularly to a MN registration method, system and apparatus for an IPv6 network. Background technique
移动 IPv6是在 IPv6网络中实现 MN移动性的协议,当 MN在 IPv6 网络中移动时, 可以不用更改其家乡地址, 仍旧可以保持其可达性。 在 IPv6网络中实现 MN移动性涉及三种实体: MN、 家乡代理( HA, Home Agents ) 以及通信对端 ( CN, Correspondent Nodes ), 其中, MN, 可以移动并通过不同的链路接入 IPv6网络的网络侧,但始终通 过其家乡地址保持其可达性; HA, 为 MN家乡网络中的路由器, 当 MN移动到其他网络中时, 向 HA注册当前的转交地址, HA将 MN 的家乡地址和转交地址相绑定, 建立 HA和 MN之间的隧道, HA在 MN的家乡网络中截获发向 MN家乡地址的 4艮文, 封装后, 通过 HA 和 MN间的隧道将报文转发给 MN在 HA注册的转交地址中; CN, 和 MN通信的节点, 给 MN发送报文时, 将报文发送到 MN的家乡 网络中, 即将报文发送给 MN的家乡地址, CN可以是其他 MN, 也 可以是固定节点。  Mobile IPv6 is a protocol for implementing MN mobility in an IPv6 network. When a MN moves over an IPv6 network, it can maintain its reachability without changing its home address. Implementing MN mobility in an IPv6 network involves three types of entities: MN, Home Agents (HA), and Correspondence Nodes (CNs), where MNs can move and access IPv6 networks through different links. The network side, but always maintains its reachability through its home address; HA, is the router in the MN home network, when the MN moves to other networks, registers the current care-of address with the HA, HA will MN's home address and The care-of address is bound to establish a tunnel between the HA and the MN. The HA intercepts the message sent to the home address of the MN in the home network of the MN. After encapsulation, the packet is forwarded to the MN through the tunnel between the HA and the MN. In the care-of address of the HA registration; CN, the node communicating with the MN, when sending the message to the MN, the message is sent to the home network of the MN, and the message is sent to the home address of the MN, and the CN may be another MN. Can be a fixed node.
FIG. 1 is a schematic structural diagram of a prior-art system for implementing MN mobility in an IPv6 network. As shown, it includes an MN, an HA and a CN. The network in which the MN is currently located is not its home network; the MN interacts with the HA through the IPv6 network, and the HA interacts with the CN through the IPv6 network. When the CN sends a packet to the MN, the packet carries the home address of the CN and the Media Access Control (MAC) address of the HA. After passing through the IPv6 network, the packet is intercepted by the HA that has the MAC address carried in the packet. The HA looks up the current care-of address corresponding to the MN's home address, re-encapsulates the packet so that it carries the MN's current care-of address, and sends it to the MN through the IPv6 network.
To implement MN mobility in an IPv6 network, that is, for the MN to send and receive packets after moving to a network other than its home network, three steps are usually required. The first step is the dynamic HA discovery mechanism: whenever the MN moves to a network outside its home network, it tries to discover the HA in the home network. The second step is registration: the MN registers its current care-of address with the HA, and the HA binds the MN's home address to the current care-of address, establishes a tunnel between the HA and the MN, and places the MN's home address in the home address list. The third step is packet transmission: the MN communicates and transfers packets through the tunnel established with the HA, and receives the packets the HA sends to the current care-of address the MN registered.
When the MN subsequently exchanges packets through the HA again, the HA queries the home address list and finds that a binding for the MN's home address is already stored, that is, the MN has already been registered. No further registration is needed and the packet exchange proceeds directly.
To transmit packets, the MN must register its current care-of address with the HA, that is, perform the second step. FIG. 2 is a flowchart of the prior-art method by which an MN registers with an HA. The specific steps are:
Step 201: The MN sends a binding update request message to the HA.
Step 202: After receiving the binding update request message, the HA verifies the MN.
Step 203: After the MN passes verification, the HA starts duplicate address detection (DAD, Duplicate Address Detection) on the MN's home address.
In this step, the HA needs to obtain the MN's home address, for example as carried in the binding update request message.
This duplicate address detection process ensures that, while the MN is leaving its home network for another network, no other node in the same home network has configured the same home address as the MN. If another node has configured the same home address, the registration does not succeed: the HA sends the MN a binding acknowledgement message notifying it that DAD failed, that is, that another node configured the home address used by the MN while the MN was away from its home network.
Performing DAD as in step 203 guarantees that the subsequent binding between the MN's home address and its current care-of address is unique. This in turn guarantees the uniqueness of the tunnel between the MN and the HA, and that the MN's home address is reachable when packets are transmitted.
Step 204: The HA's DAD process runs until the time set on the timer expires (the minimum set time is 1 second) without detecting any other MN using this MN's home address.
Step 205: The HA sends the MN a binding acknowledgement message carrying successful-binding information, creates on the HA a binding cache entry for the MN's home address and current care-of address, establishes the tunnel between the HA and the MN, and places the MN's home address in the home address list.
Before binding the MN's current care-of address to its home address, the HA needs to obtain the MN's current care-of address, which the MN may send in the binding update request message.
Once the tunnel between the HA and the MN is established, the HA acts as the proxy for the MN's home address. The HA keeps the MN's home address, receives packets addressed to that home address for the MN, and sends them through the tunnel established with the MN to the MN's current care-of address.
The process shown in FIG. 2 is the first registration with the HA of an MN that has moved outside its home network. In subsequent registrations, for example when the MN moves again, DAD need not be performed: once the HA determines that the MN's home address is in the established home address list, it simply rebinds the home address to the current care-of address to complete the tunnel establishment between the HA and the MN.
The first registration of an MN with an HA has two problems, described in turn below.
The first problem is that the registration process may be subject to a DoS (Denial of Service) attack. There is a time interval while the MN leaves its home network and moves to another network, and during this interval the MN's home address can be used by other MNs, so it is quite possible that another MN configures the same home address as this MN during the interval. The DAD process performed by the HA then fails, and the MN can neither register successfully with the HA nor receive mobility service. So even if the HA has the MN's home address stored (for example, the HA has the MN's home address manually configured), the HA still allows other MNs on the home network to configure the same home address as the MN during the interval that necessarily exists while the MN is moving.
The second problem is that registration time is a very important parameter, because delay during registration causes packets transmitted by the MN to be dropped and the MN's existing connections to be interrupted. In the method shown in FIG. 2, the delay when the MN moves is the set time introduced by the DAD process (at least 1 second), so registration takes more than 1 second at the least. This delay is the minimum timeout between the MN sending the binding update request message and receiving the binding acknowledgement message. During the MN's registration, the DAD process should normally exit on timeout, which indicates that the MN's home address on the HA is not used by another MN. Only when the DAD process fails, that is, when the HA quickly receives the binding acknowledgement message after sending the binding update request message, does the (failed) registration finish sooner.
In summary, in the course of implementing the present invention the applicant found that the root cause of both problems is that the MN's first registration with the HA takes too long. How to reduce the MN-to-HA registration time has become a problem that urgently needs solving.
Summary of the invention
Embodiments of the present invention provide an MN registration method, system and apparatus for an IPv6 network that can reduce the time an MN takes to register with an HA.
An embodiment of the present invention provides a mobile node registration method for an IPv6 network, including:
after receiving a binding update request sent by a mobile node, determining whether the mobile node's home address is in a configured security association list, wherein a request by another node to use a home address of a mobile node protected in the security association list is not accepted;
if the mobile node's home address is in the security association list, returning to the mobile node a binding acknowledgement message carrying successful-binding information, and caching the binding between the mobile node's home address and its current care-of address.
An embodiment of the present invention further provides a mobile node registration system for an IPv6 network, including:
a mobile node, configured to send a binding update request to a home agent and to receive a binding acknowledgement message, carrying binding-success information, sent by the home agent;
a home agent, configured to receive the binding update request sent by the mobile node, detect that the mobile node's home address is in the configured security association list, return to the mobile node a binding acknowledgement message carrying binding-success information, and create a binding cache entry for the mobile node's home address and current care-of address.
An embodiment of the present invention further provides a home agent, including:
a receiving module, configured to receive a binding update request sent by a mobile node and, after obtaining the mobile node's home address, send that home address to the detection module;
a sending module, configured to send to the mobile node the binding acknowledgement message, carrying binding-success information, received from the detection module;
a detection module, configured to detect that the mobile node's home address is in the configured security association list and to send the binding acknowledgement message carrying the binding-success information to the sending module and the processing module;
a processing module, configured to receive from the detection module the binding acknowledgement message carrying the binding-success information and to create a binding cache entry for the mobile node's home address and current care-of address.
In embodiments of the present invention, a security association list is established on the HA as an extended home address list. The home addresses of MNs that have mobility are stored in this list in advance and protected, so that other MNs in the home network do not configure the home addresses that have been multicast. Thus, when an MN registers with the HA and the home address being registered is not in the home address list, the MN can be registered directly, without using the DAD process to check the MN's home address for duplicates, while it remains guaranteed that the home address of the MN that moved to another network is not configured by other MNs in its home network as their own home address. This saves the time taken by the DAD process, reduces the MN-to-HA registration time, and avoids the possibility of a DoS attack, as well as packet drops or interruption of existing connections, caused by an overly long registration.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a prior-art system for implementing MN mobility in an IPv6 network;
FIG. 2 is a flowchart of the prior-art method by which an MN registers with an HA;
FIG. 3 is a flowchart of the method by which an MN registers with an HA according to an embodiment of the present invention;
FIG. 4 is a flowchart of the method by which the HA, acting as proxy for the MN, transmits packets according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a system in which an MN registers with an HA according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an HA according to an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in further detail below with reference to the accompanying drawings.
In the prior art, the MN's registration with the HA takes too long because of the DAD process performed by the HA. Therefore, to save registration time, reduce the registration delay while the MN is moving, and avoid the possibility of a DoS attack as well as packet drops or interruption of existing connections caused by an overly long registration, embodiments of the present invention do not perform the DAD process when the MN registers with the HA, while still guaranteeing that the MN's home address is not configured by other MNs in the same home network. To that end, a security association list is established on the HA in advance. The list is generated dynamically or by manual configuration and exists as an extended home address list. The home addresses of MNs that have mobility are stored in it and protected, so that other MNs in the home network do not configure the home addresses in the security association list. Thus, when an MN registers with the HA and the home address involved is not in the established home address list, the HA can check the security association list. If the MN's home address is configured there, the HA can, without using the DAD process to check the home address for duplicates, guarantee that the home address of the MN that moved to another network is not configured by other MNs in its home network as their own home address, and register the MN.
In embodiments of the present invention, the security association list established on the HA may be an Internet Protocol Security (IPsec, IP Security) based security association (SA, Security alliance) list, existing as the extended home address list in the HA. The list protects the link-local addresses and global addresses of MNs that serve as home addresses in the list. Each home address in the security association list may additionally carry a flag marking it as a home address that needs protection and must not be reassigned to another MN.
A concrete implementation of the invention has several parts. Part 1 is configuring the security association list and protecting the home addresses in it so that other nodes do not use them. Part 2 is the registration process when an MN whose home address is in the security association list moves to a non-home network, where the home address involved is not in the established home address list. Part 3 follows the registration of Part 2: the HA associates the MN's home address with the HA's MAC address and multicasts the association in a neighbor advertisement message, informing other nodes that the HA acts as the MN's proxy. After receiving the advertisement, other nodes sending packets to the MN can carry the MN's home address and the associated MAC address; the HA intercepts the packets by its own MAC address and sends them to the corresponding care-of address according to the MN home address they carry, for the MN to receive.
The three parts are described in detail below.
Part 1: a security association list is configured on the HA. The home addresses in the security association list are configured by manual IPsec configuration. They may of course also be obtained dynamically; for example, the HA obtains the MN's home address from another network entity in the home network and then places it in the security association list.
When another node sends the HA a request message, such as a Neighbor Solicitation (NS), asking for a home address, the HA first finds that the home address is not in the home address list and then finds it in the security association list. The HA then replies to the other node with a response, such as a Neighbor Advertisement (NA), carrying information that the home address cannot be used. In this way the home addresses in the security association list configured on the HA are protected.
While the MN is in its home network, according to the prior art, other nodes receive from the MN and from the home network's HA an NA message stating that the MN's home address is already in use, so the MN's home address is protected.
In embodiments of the present invention, the NA may carry information indicating that other nodes should not update the MN home address and associated MAC address held in their caches, that is, the override bit is set to 0; other nodes receiving the NA then do not update their caches. If the NA is to indicate that other nodes should update the MN home address and associated MAC address held in their caches, the override bit is set to 1.
Part 2
FIG. 3 is a flowchart of the method by which an MN registers with an HA according to an embodiment of the present invention. The specific steps are:
Step 301: An MN that has moved to another network sends a binding update request message to the HA of its home network in order to register.
Step 302: After receiving the binding update request message sent by the MN for registration, the HA verifies the MN. If verification passes, step 303 is performed; if verification fails, step 305 is performed.
This step is optional. The HA may also not verify the received binding update request message, that is, no verification function is configured on the HA, which reduces the complexity of HA processing. In that case the HA treats every received binding update request message as having passed verification.
Step 303: The HA checks whether the MN's home address is in the security association list. If so, step 304 is performed; if not, step 305 is performed.
In this step, the HA needs to obtain the MN's home address, for example as carried in the binding update request message.
In this step, the MN home addresses in the configured security association list are protected: when the HA receives a request from another node to use a home address in the security association list, it does not accept the request.
Step 304: The HA does not perform DAD on the MN's home address. It returns to the MN a binding acknowledgement message carrying successful-binding information, creates on the HA a binding cache entry for the MN's home address and current care-of address, establishes the tunnel between the HA and the MN, and places the MN's home address in the home address list.
In this step, because the MN's home address is in the security association list, and that list protects the stored home addresses from being used by other nodes, a home address in the security association list is guaranteed to be used by this MN alone. The HA therefore does not need to perform DAD on the MN's home address, the time required by the DAD process is not spent, and registration time is saved.
Before binding the MN's current care-of address to its home address, the HA needs to obtain the MN's current care-of address, which the MN may send in the binding update request message.
Step 305: After the MN passes the HA's verification, the HA starts DAD and performs duplicate address detection on the MN's home address.
Step 306: The HA's DAD process runs until the time set on the timer expires (the minimum set time is 1 second) without detecting any other MN using this MN's home address.
Step 307: The HA sends the MN a binding acknowledgement message carrying successful-binding information, creates on the HA a binding cache entry for the MN's home address and current care-of address, establishes the tunnel between the HA and the MN, and places the MN's home address in the home address list.
Before step 302 shown in FIG. 3, the method further includes: the HA determines whether the MN's home address is in the established home address list; if so, step 304 is performed directly; if not, step 303 is performed.
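The registration decision of FIG. 3, together with the neighbor solicitation defence of Part 1, as an added Python model that is not code from the patent. The class and function names, the 2001:db8:: sample addresses and the simulated DAD wait are assumptions made for illustration, and the optional verification of step 302 is treated as passed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address as Addr

DAD_TIMER_S = 1.0  # minimum DAD timer given in the text (steps 204 and 306)


@dataclass
class Ack:
    """Binding acknowledgement as modelled here (hypothetical structure)."""
    success: bool
    path: str          # branch of FIG. 3 that produced the answer
    dad_wait_s: float  # simulated time spent in DAD before answering


@dataclass
class HomeAgent:
    sa_list: set                                  # protected home addresses (Part 1)
    home_list: set = field(default_factory=set)   # home addresses already registered
    bindings: dict = field(default_factory=dict)  # home address -> care-of address
    on_link: set = field(default_factory=set)     # addresses held by other home-link nodes

    def solicit(self, target):
        """Another node sends an NS asking to use `target`.

        Returns False when the HA answers with an NA saying the address
        cannot be used, True when the node may configure it.
        Assumption: addresses already in the home address list are refused
        as well, since the HA is acting as their proxy.
        """
        if target in self.home_list or target in self.sa_list:
            return False
        self.on_link.add(target)
        return True

    def _bind(self, home, coa, path, wait):
        # Binding cache entry plus home address list entry (steps 304 / 307).
        self.bindings[home] = coa
        self.home_list.add(home)
        return Ack(True, path, wait)

    def register(self, home, coa):
        """Handle a binding update request (steps 301 to 307)."""
        if home in self.home_list:   # check made before step 302: rebind only
            return self._bind(home, coa, "home-list", 0.0)
        if home in self.sa_list:     # step 303 -> step 304: DAD is skipped
            return self._bind(home, coa, "sa-list", 0.0)
        if home in self.on_link:     # step 305: DAD finds a duplicate
            # The duplicate answers before the timer expires (modelled as 0 s).
            return Ack(False, "dad-duplicate", 0.0)
        return self._bind(home, coa, "dad", DAD_TIMER_S)  # steps 306 and 307


def scenario():
    """Constructed sample run: one protected and two unprotected home addresses."""
    protected = Addr("2001:db8:1::10")
    unprotected = Addr("2001:db8:1::20")
    quiet = Addr("2001:db8:1::30")
    ha = HomeAgent(sa_list={protected})

    # While the MNs are moving, another home-link node asks for their addresses.
    squat_protected = ha.solicit(protected)
    squat_unprotected = ha.solicit(unprotected)

    return {
        "squat_protected": squat_protected,
        "squat_unprotected": squat_unprotected,
        "protected": ha.register(protected, Addr("2001:db8:aa::10")),
        "unprotected": ha.register(unprotected, Addr("2001:db8:bb::20")),
        "quiet": ha.register(quiet, Addr("2001:db8:cc::30")),
        "moved_again": ha.register(protected, Addr("2001:db8:dd::10")),
        "late_squat": ha.solicit(quiet),
        "binding": str(ha.bindings[protected]),
        "unprotected_bound": unprotected in ha.bindings,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The unprotected address shows the denial-of-service window described in the background: the address is taken while its owner is moving, and the owner's registration then fails in DAD.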
Part 3
After a home address in the security association list has been registered, that is, after step 304 has been performed, the HA announces that it acts as the proxy for the MN's home address: the HA associates the MN's home address with the HA's MAC address, carries the association in a neighbor advertisement message and multicasts it, so that other nodes receiving the multicast learn that the HA is the proxy for the MN's home address. On receiving the neighbor advertisement, the other nodes cache the association between the MN's home address and the HA's MAC address, for example in their neighbor caches. The neighbor advertisement may also carry a flag indicating whether other MNs need to update their neighbor caches, for example over-ride set to 1. When a packet is sent to the MN, it can carry the MN's home address and the associated MAC address; the HA intercepts the packet by its own MAC address and sends it to the corresponding care-of address according to the MN home address it carries, for the MN to receive.
In embodiments of the present invention, each node has a neighbor cache holding the MN's home address and the associated MAC address.
In embodiments of the present invention, in FIG. 3, the binding update message sent by the MN may also carry a set link-layer address compatibility flag (L), which indicates that the HA needs to act as home agent for both the MN's link-local address and its global address. When registration completes, the neighbor advertisement multicast by the HA carries the association of the MN's link-local address and global address, as home addresses, with the HA's MAC address, and nodes receiving the message update their caches. When the binding update message sent by the MN does not carry L, or L is not set, the HA acts as proxy for the MN's global address: when registration completes, the neighbor advertisement multicast by the HA carries the association between the MN's global address, as home address, and the HA's MAC address, and nodes receiving the message update their caches. In this case the MN's link-local address can be used by other nodes.
FIG. 4 is a flowchart of the method by which the HA, acting as proxy for the MN, transmits packets according to an embodiment of the present invention. The specific steps are:
Step 401: After the HA has registered an MN that left the home network, it associates the MN's home address with the HA's MAC address and multicasts the association in a neighbor advertisement message.
In this step, the neighbor advertisement message also carries a flag indicating whether other nodes should update their caches; for example, over-ride set to 1 indicates that an update is needed.
Step 402: Other nodes receiving the neighbor advertisement message learn that the HA acts as the proxy for the MN's home address, update their caches, and cache the associated HA MAC address together with the MN's home address.
Step 403: Another node sends a packet to the MN, carrying the MN's home address and the associated MAC address.
Step 404: The HA intercepts the packet by its own MAC address and sends it to the corresponding care-of address according to the MN home address it carries, so that the MN receives it.
In this way the MN that has moved outside its home network receives the packet, and the other nodes sending packets do not perceive that the MN has moved outside the home network.
FIG. 5 is a schematic diagram of a system in which an MN registers with an HA according to an embodiment of the present invention. The system includes MN 501 and HA 502, where:
MN 501 is configured to send a binding update request to HA 502 and to receive the binding acknowledgement message, carrying binding-success information, sent by HA 502.
HA 502 , 用于接收 MN 501发送的绑定更新请求 , 检测到该 MN The HA 502 is configured to receive a binding update request sent by the MN 501, and detect the MN.
501的家乡地址在所设置的安全联盟列表中, 向该 MN 501返回携带 绑定成功信息的绑定确认消息, 在 HA 502上生成将该 MN 501的家 乡地址和当前的转交地址的绑定緩存,同时建立 HA 502与该 MN 501 之间的隧道。 The home address of the 501 is returned to the MN 501 in the set security association list, and the binding confirmation message carrying the binding success information is returned to the MN 501, and the binding cache of the home address of the MN 501 and the current care-of address is generated on the HA 502. At the same time, a tunnel between the HA 502 and the MN 501 is established.
HA 502检测该 MN 501的家乡地址在所设置的安全联盟列表中 之前,还用于判断该 MN 501的家乡地址没有设置在家乡地址列表中。  The HA 502 detects that the home address of the MN 501 is in the set of the security association list, and is also used to determine that the home address of the MN 501 is not set in the home address list.
HA 502还进一步用于将 MN 501的家乡地址设置在家乡地址列 表中。  The HA 502 is further used to set the home address of the MN 501 in the home address list.
在本发明实施例中, HA 502还进一步用于检测该 MN 501的家 乡地址没有设置在安全联盟列表中, 则按照现有技术进行对 MN 501 的注册, 发送携带绑定成功信息的绑定确认消息。  In the embodiment of the present invention, the HA 502 is further configured to detect that the home address of the MN 501 is not set in the security association list, and then register the MN 501 according to the prior art, and send a binding confirmation that carries the binding success information. Message.
在本发明实施例中, 该系统还包括其他节点, 用于向 HA 502发 送 NS , 请求使用 MN 501的家乡地址。  In the embodiment of the present invention, the system further includes other nodes, configured to send the NS to the HA 502, requesting to use the home address of the MN 501.
HA 502, 进一步用于接收到 NS, 查找到 MN 501的家乡地址没 有设置在家乡地址列表中后,确定该 MN 501的家乡地址设置在安全 联盟列表中, 则向其他节点返回携带不能使用所请求的家乡地址的 NA。  The HA 502 is further configured to receive the NS, and after finding that the home address of the MN 501 is not set in the home address list, determining that the home address of the MN 501 is set in the security association list, returning to the other node to carry the request that cannot be used. Hometown address of NA.
在本发明实施例中, HA 502还进一步用于在 MN 501进行注册 后, 向其他节点组播携带相关联的该 MN 501的家乡地址和 HA 502 的 MAC地址的宣告消息, 根据自身 MAC地址截获发送给 MN 501 的报文,根据该报文携带的 MN 501的家乡地址将报文发送到对应的 转交地址上。 其他节点, 用于接收到该宣告消息后, 釆用相关联的该 MN 501 的家乡地址和 HA 502的 MAC地址更新自身緩存, 在给 MN 501发 送报文时, 该报文携带相关联的该 MN 501的家乡地址和 HA 502的 MAC地址。 In the embodiment of the present invention, the HA 502 is further configured to: after the MN 501 registers, multicast the announcement message carrying the associated home address of the MN 501 and the MAC address of the HA 502 to other nodes, and intercept according to the MAC address of the MAC address. The packet sent to the MN 501 is sent to the corresponding care-of address according to the home address of the MN 501 carried in the packet. The other node, after receiving the announcement message, updates its own cache with the associated home address of the MN 501 and the MAC address of the HA 502. When the message is sent to the MN 501, the message carries the associated message. The home address of the MN 501 and the MAC address of the HA 502.
FIG. 6 is a schematic structural diagram of an HA according to an embodiment of the present invention, including a receiving module 610, a sending module 620, a detection module 630 and a processing module 640, where:
The receiving module 610 is configured to receive the binding update request sent by the MN and, after obtaining the MN's home address, to send that home address to the detection module 630.
The sending module 620 is configured to send to the MN the binding acknowledgement message, carrying binding success information, that it receives from the detection module 630.
The detection module 630 is configured, on detecting that the MN's home address is in the configured security association list, to send a binding acknowledgement message carrying binding success information to the sending module 620 and the processing module 640.
Before detecting that the MN's home address is in the configured security association list, the detection module 630 is also configured to determine that the MN's home address is not set in the home address list.
The processing module 640 is configured to receive from the detection module 630 the binding acknowledgement message carrying binding success information, to generate a binding cache entry for the MN's home address and current care-of address, and at the same time to establish a tunnel between the HA and the MN.
The processing module 640 is also configured to set the MN's home address in the home address list.
In this embodiment, the detection module 630 also includes a first detection submodule, configured, on detecting that the MN's home address is not set in the security association list, to register the MN according to the prior art and to send a binding acknowledgement message carrying binding success information to the sending module 620 and the processing module 640.
In this embodiment, the receiving module 610 also includes a second receiving submodule, configured, after receiving an NS, to determine that the MN's home address is set in the security association list and/or the home address list, and then to return to the other node an NA indicating that the requested home address cannot be used.
In this embodiment, the sending module 620 also includes a third sending submodule, configured, after the MN has registered, to multicast to the other nodes an advertisement message carrying the associated MN home address and HA MAC address, to intercept packets sent to the MN on the basis of its own MAC address, and to send each packet to the corresponding care-of address according to the MN home address carried in the packet.
The schematic diagram includes: an HA with address 3ffe::1/64, which stores the MN's home address (3ff::2/64) in its security association list; an MN that has moved to another network, with care-of address 8ff::2/64; and a CN with address 9ffe::2/64. When the MN moves from the home network to another network, it must register with the HA. Once the HA determines that the MN's home address is in the stored security association list, it creates a binding cache entry for the MN's care-of address 8ff::2/64 and home address 3ff::2/64 and establishes a tunnel between the HA and the MN. After registration completes, the HA multicasts an advertisement message carrying the associated HA MAC address and MN home address, and a CN that receives the message updates its own cache. When transmitting a packet, the CN sends a packet carrying the MN's home address 3ff::2/64 and the HA's MAC address; the packet is intercepted by the HA that owns that MAC address, and the HA, according to the MN's home address, sends the packet through its tunnel with the MN to the MN's care-of address 8ff::2/64.
As can be seen from the method, system and apparatus provided by the embodiments of the present invention, registration time is saved because the DAD process is not performed while the MN registers with the HA. Because registration time is saved, the possibility of a DoS attack arising from an overly long MN-to-HA registration, as well as the packet loss and interruption of existing connections caused by registration delay, can all be avoided.
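The HA behaviour described above (skip DAD for a home address in the security association list, refuse other nodes' requests for that address, then proxy and forward after registration), as an added Python example that is not code from the patent. The class and method names, both MAC values, the `dad` callback, the "rejected" status and the address `3ff::9` used in the test are assumptions; the IPv6 addresses in `demo` are those of the scenario above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

HA_MAC = "02:00:00:00:00:01"   # constructed value
MN_MAC = "02:00:00:00:00:02"   # constructed value: the MN's MAC while it was at home


@dataclass
class NeighborAdvertisement:
    target: str     # IPv6 address the NA speaks for
    mac: str        # link-layer address associated with it
    override: int   # 1: receivers update their cache, 0: they do not


@dataclass
class HomeAgent:
    mac: str
    sa_list: Set[str]            # home addresses protected by the security association list
    dad: Callable[[str], bool]   # hypothetical DAD probe, True when the address is unique
    home_list: Set[str] = field(default_factory=set)        # home address list
    bindings: Dict[str, str] = field(default_factory=dict)  # home address -> care-of address
    dad_runs: int = 0

    def on_binding_update(self, home: str, coa: str) -> Tuple[str, Optional[NeighborAdvertisement]]:
        """Register an MN; return the status and the NA to multicast on the home link."""
        if home not in self.home_list and home not in self.sa_list:
            # Unprotected address: duplicate address detection is still required.
            self.dad_runs += 1
            if not self.dad(home):
                return "rejected", None   # assumption: the failure path is not described
        # Protected address (or, as an assumption, one already proxied): no DAD.
        self.bindings[home] = coa         # binding cache entry; the tunnel is keyed on it
        self.home_list.add(home)
        return "binding-success", NeighborAdvertisement(home, self.mac, 1)

    def on_neighbor_solicitation(self, target: str) -> Optional[NeighborAdvertisement]:
        """Another node asks to use `target`; refuse if the address is listed."""
        if target in self.home_list or target in self.sa_list:
            # override=0: the refusal must not rewrite the requester's cache.
            # Assumption: the refusal NA names the HA's own MAC.
            return NeighborAdvertisement(target, self.mac, 0)
        return None

    def intercept(self, dst_ip: str, dst_mac: str, payload: bytes) -> Optional[Tuple[str, bytes]]:
        """Forward a frame addressed to the HA's MAC to the bound care-of address."""
        if dst_mac != self.mac or dst_ip not in self.bindings:
            return None
        return self.bindings[dst_ip], payload


def apply_na(cache: Dict[str, str], na: NeighborAdvertisement) -> None:
    """Receiver-side rule used here: only an NA with override=1 rewrites the cache."""
    if na.override == 1:
        cache[na.target] = na.mac


def demo():
    ha = HomeAgent(mac=HA_MAC, sa_list={"3ff::2"}, dad=lambda addr: True)
    cn_cache = {"3ff::2": MN_MAC}                    # the CN still maps the MN to its old MAC
    refusal = ha.on_neighbor_solicitation("3ff::2")  # request arrives before the MN registers
    apply_na(cn_cache, refusal)                      # override=0 leaves the cache untouched
    status, na = ha.on_binding_update("3ff::2", "8ff::2")
    apply_na(cn_cache, na)                           # override=1 points the CN at the HA
    forwarded = ha.intercept("3ff::2", cn_cache["3ff::2"], b"payload")
    return refusal, status, ha.dad_runs, cn_cache, forwarded


if __name__ == "__main__":
    print(demo())
```

The security association list is the only thing that lets a binding update bypass DAD here, so who may add entries to it (the claims allow static or dynamic population) determines who can claim a home address unchallenged.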
The above is a description of specific embodiments of the present invention. In a specific implementation, the method of the invention may be suitably improved to meet the particular needs of the situation. It is therefore to be understood that the specific embodiments of the invention are illustrative only and are not intended to limit the scope of protection of the invention.

Claims

1. A mobile node registration method for an Internet Protocol version 6 (IPv6) network, characterized by comprising:
after receiving a binding update request sent by a mobile node, determining whether the home address of the mobile node is in a configured security association list, wherein a mobile node home address protected in the security association list is not accepted for use when another node requests to use it;
if the home address of the mobile node is in the security association list, returning to the mobile node a binding acknowledgement message carrying successful binding information, and caching the binding of the mobile node's home address and current care-of address.
2. The method of claim 1, characterized in that, before the determining whether the home address of the mobile node is in the configured security association list, the method further comprises:
determining that the home address of the mobile node is not in the configured home address list.
3. The method of claim 1, characterized in that, if the home address of the mobile node is in the security association list, the method further comprises:
establishing a tunnel between the home agent and the mobile node.
4. The method of claim 2 or 3, characterized in that, if the home address of the mobile node is in the security association list, the method further comprises:
setting the home address of the mobile node in the home address list.
5. The method of claim 4, characterized in that:
if the home address of the mobile node is not in the security association list, duplicate address detection is performed for the mobile node;
if the mobile node passes the duplicate address detection, the binding acknowledgement message carrying successful binding information is returned to the mobile node, the binding of the mobile node's home address and the current care-of address is cached, the tunnel between the home agent and the mobile node is established, and the home address of the mobile node is set in the home address list.
6. The method of claim 1, characterized in that the security association list is dynamically obtained or statically configured.
7. The method of claim 2, characterized in that the process of not accepting a request by another node to use the address is:
receiving a request, sent by another node, to use a home address; after finding that the home address is not set in the home address list, determining that the home address is set in the security association list, and then sending the other node a response indicating that the home address cannot be used.
8. The method of claim 7, characterized in that the response carries information indicating that the other node's cache is not to be updated.
9. The method of claim 4, characterized in that, after the setting of the home address of the mobile node in the home address list, the method further comprises:
associating the home address of the mobile node with a medium access control address and multicasting the association in a neighbor advertisement message, notifying other nodes of the presence of a proxy for the mobile node, so that the other nodes, on receiving the neighbor advertisement message, cache the associated home address of the mobile node and medium access control address and, when sending a packet to the mobile node, have the packet carry the home address of the mobile node and the associated medium access control address;
intercepting the packet on the basis of the medium access control address and, according to the home address of the mobile node carried in the packet, sending the packet to the corresponding care-of address.
10. The method of claim 9, characterized in that the neighbor advertisement message carries a flag indicating that other nodes' caches are to be updated, and the caching of the associated mobile node home address and medium access control address is performed according to the flag.
11. The method of claim 9 or 10, characterized in that the binding update message carries a flag indicating that the home agent needs to act as home agent for the mobile node's link-local address and global address;
the associated home address and home agent medium access control address carried in the neighbor advertisement message are association information between the link-local address and global address, as home addresses, and the medium access control address of the home agent;
or, the binding update message carries a flag indicating that the home agent needs to act as home agent for the mobile node's global address;
the associated mobile node home address and home agent medium access control address carried in the neighbor advertisement message are association information between the global address, as home address, and the medium access control address of the home agent.
12. A mobile node registration system for an IPv6 network, characterized by comprising:
a mobile node, configured to send a binding update request to a home agent and to receive a binding acknowledgement message, carrying binding success information, sent by the home agent;
a home agent, configured to receive the binding update request sent by the mobile node and, on detecting that the home address of the mobile node is in the configured security association list, to return to the mobile node a binding acknowledgement message carrying binding success information and to generate a binding cache entry for the mobile node's home address and current care-of address.
13. The system of claim 12, characterized in that, before detecting that the home address of the mobile node is in the configured security association list, the home agent is also configured to determine that the home address of the mobile node is not set in the home address list.
14. The system of claim 13, characterized in that the home agent is further configured to set the home address of the mobile node in the home address list.
15. The system of claim 13, characterized in that the home agent is further configured, on detecting that the home address of the mobile node is not in the configured security association list, to perform duplicate address detection for the mobile node and, after it passes, to return to the mobile node a binding acknowledgement message carrying successful binding information, to cache the binding of the mobile node's home address and current care-of address, and to set the home address of the mobile node in the home address list.
16. The system of claim 12 or 13, characterized by further comprising:
other nodes, configured to send a neighbor solicitation to the home agent requesting use of the home address of the mobile node;
the home agent being further configured, on receiving the neighbor solicitation and finding that the home address of the mobile node is not set in the home address list, to determine that the home address of the mobile node is set in the security association list and then to return to the other node a neighbor advertisement indicating that the requested home address cannot be used.
17. The system of claim 16, characterized in that the home agent is further configured, after the mobile node has registered, to multicast to the other nodes an advertisement message carrying the associated home address of the mobile node and medium access control address of the home agent, to intercept packets sent to the mobile node on the basis of its own medium access control address, and to send each packet to the corresponding care-of address according to the home address of the mobile node carried in the advertisement message;
the other nodes being further configured, after receiving the advertisement message, to update their own caches with the associated home address of the mobile node and medium access control address of the home agent and, when sending a packet to the mobile node, to have it carry the associated home address of the mobile node and medium access control address of the home agent.
18. A home agent, characterized by comprising:
a receiving module, configured to receive a binding update request sent by a mobile node and, after obtaining the home address of the mobile node, to send the home address of the mobile node to a detection module;
a sending module, configured to send to the mobile node the binding acknowledgement message, carrying binding success information, received from the detection module;
the detection module, configured, on detecting that the home address of the mobile node is in the configured security association list, to send a binding acknowledgement message carrying the binding success information to the sending module and a processing module;
the processing module, configured to receive from the detection module the binding acknowledgement message carrying the binding success information and to generate a binding cache entry for the mobile node's home address and current care-of address.
19. The home agent of claim 18, characterized in that, before detecting that the home address of the mobile node is in the configured security association list, the detection module is also configured to determine that the home address of the mobile node is not set in the home address list;
the processing module is also configured to set the home address of the mobile node in the home address list.
20. The home agent of claim 18, characterized in that the detection module further comprises:
a first detection submodule, configured, on detecting that the home address of the home agent is not in the configured security association list, to perform duplicate address detection for the mobile node and, after it passes, to send a binding acknowledgement message carrying the binding success information to the sending module and the processing module.
21. The home agent of claim 18, characterized in that the receiving module further comprises:
a second receiving submodule, configured, after receiving a neighbor solicitation, to determine that the home address of the mobile node is set in the security association list and then to return to the other node a neighbor advertisement indicating that the requested home address cannot be used.
22. The home agent of claim 18, characterized in that the sending module further comprises:
a third sending submodule, configured, after the mobile node has registered, to multicast to other nodes an advertisement message carrying the associated home address of the mobile node and medium access control address of the home address, to intercept packets sent to the mobile node on the basis of its own medium access control address and, according to the home address of the mobile node carried in the packet, to send the packet to the corresponding care-of address.
PCT/CN2008/072524 2007-10-29 2008-09-25 A method, system and device for registration of mn in ipv6 network WO2009056024A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710165107.1 2007-10-29
CN2007101651071A CN101426002B (en) 2007-10-29 2007-10-29 Mobile node registration method, system and apparatus in IPv6 network

Publications (1)

Publication Number Publication Date
WO2009056024A1 true WO2009056024A1 (en) 2009-05-07

Family

ID=40590537

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072524 WO2009056024A1 (en) 2007-10-29 2008-09-25 A method, system and device for registration of mn in ipv6 network

Country Status (2)

Country Link
CN (1) CN101426002B (en)
WO (1) WO2009056024A1 (en)

Also Published As

Publication number Publication date
CN101426002A (en) 2009-05-06
CN101426002B (en) 2012-05-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800995

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800995

Country of ref document: EP

Kind code of ref document: A1