

An Extended Secure Communication Scheme for Mobile IPv6

【Author】 刘小甜

【Advisor】 宋健

【Author information】 Lanzhou University of Technology, Computer Software and Theory, 2008, Master's degree

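【Summary】 In an IPv6 environment, end-to-end secure communication is extremely important, because obtaining an IP address has become unprecedentedly easy for computers in IPv6 networks. IPsec can provide various types of security protection for end-to-end communication at the IP layer, so it can be used to establish the secure communication channels we need. However, IPsec is very difficult to use, because establishing a secure channel with IPsec requires setting too many security parameters, and configuring them is quite complex. Japanese researchers Y. K. Hei and Yamazaki have designed a solution that automatically completes IPsec secure channel negotiation and parameter configuration. It departs from the traditional IPsec design, which takes individual security as its basis, and instead combines individual security with an overall security perspective, realizing a design philosophy that emphasizes the whole while refining the individual. The scheme's most prominent feature is that members can conveniently obtain IPsec/IKE policies from other members at any time, achieving automatic configuration of end-to-end secure communication channels. This scheme is therefore well suited to Mobile IPv6 communication. At the same time, Mobile IPv6 communication faces severe security threats. Because relevant secure-communication protection is lacking, nodes in Mobile IPv6 networks are very likely to be impersonated and communications eavesdropped. Wider use of the scheme in Mobile IPv6 can largely mitigate these threats. Building on the basic design ideas of the above scheme, this thesis proposes a dynamic two-layer management mechanism that selects management nodes according to the predicted dwelling time of mobile nodes. The fundamental purpose of the two-layer mechanism is to achieve distributed management of secure communication nodes by dynamically selecting a management node in each mobile subnet. The mechanism retains the automatic IPsec tunnel security policy distribution proposed in the closed-members secure communication scheme, but it discards the original scheme's mutual advertisement management mode, which is based on unicast exchanges between communicating members, and introduces the concept of dynamic management of mobile member nodes. Using this mechanism effectively addresses the shortcomings of the original scheme; more importantly, it provides a reasonably sound solution for extending secure communication groups to Mobile IPv6 network environments. Finally, the thesis simulates, analyzes and compares the scheme, demonstrating the feasibility of the mechanism.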

【Abstract】 In an IPv6 environment, end-to-end secure communication is extremely important, because it is unprecedentedly simple for a computer to obtain an IP address. IPsec can provide various types of end-to-end security protection at the IP layer. However, IPsec is difficult to use, because many complicated parameters must be set to establish a secure channel. Y. K. Hei and Yamazaki propose an automatic configuration method for setting up end-to-end secure channels between closed members using IPsec. It departs from the traditional design style, which centers on individual security, and instead combines individual and overall security. It gives prominence to the security of the group while refining the treatment of individual security. The most prominent features of the closed-members scheme are that IPsec/IKE policy can be obtained conveniently from other members at any time and that the end-to-end secure communication channel is configured automatically. The scheme's flexibility and mobility therefore make it suitable for Mobile IPv6 communication. Owing to the lack of relevant secure-communication protection in Mobile IPv6 networks, mobile communications face severe security threats: it is highly possible that nodes are impersonated and communication is intercepted. Expanded use of the scheme in the Mobile IPv6 environment can largely mitigate these security threats. Integrating the design thinking of the closed-members scheme with the considerations of the mobile environment, this paper presents a new two-layer management mechanism for the secure communication scheme. By dynamically constructing a management node in Mobile IPv6 networks, the new management mechanism properly solves the problems mentioned above. It inherits the design of auto-configuring the secure communication channel, but it discards the working scheme that uses a mutual advertisement mode between members. By constructing a dynamic management node in the mobile network, the issue of extending the original solution to the Mobile IPv6 network environment is properly solved, and a reasonable solution for Mobile IPv6 secure communication is given. Finally, to prove the feasibility of the new solution, we simulate and analyze the scheme.

【Key words】 IPv6; IPsec; management; two-layer; dwelling time
  • 【Classification code】 TP393.08
  • 【Downloads】 120

