

Secure Mobility Management for Mobile IPv6Networks

【作者】 赵蕾

【导师】 李小平;

【作者基本信息】 西安电子科技大学 , 测试计量技术及仪器, 2014, 博士

【摘要】 近年来,Internet网络互联技术和移动通信技术的高速发展带动了以IP技术为核心的移动互联网的发展。移动IPv6技术以其出色的移动性支持成为移动互联网首选组网协议。然而,移动网络环境的开放性、拓扑的动态性使得移动IPv6网络面临诸如中间人攻击、DoS攻击等各种安全威胁,而且在移动切换、数据传输等通信过程中移动IPv6协议并未提供任何安全保护措施,移动IPv6网络安全问题十分突出。此外与移动性相关的移动IPv6切换及注册绑定更新等过程引发的延时问题严重影响了网络的整体性能,进而影响了用户获取的服务质量。因此,研究移动IPv6网络环境下的安全移动性管理技术具有重要的理论意义和应用价值。本文对此展开了深入研究。本文首先深入分析了移动IPv6网络安全管理机制、移动IPv6切换管理与性能优化、移动IPv6子网安全与切换性能以及多宿移动子网的流量控制问题;然后设计了一套面向MIPv6网络的IP层安全架构,并基于该安全架构对MIPv6网络、移动子网以及多宿移动子网中的安全移动性管理技术进行了深入研究,提出了解决方案。本文的主要研究内容和成果如下:1.针对MIPv6网络移动性管理中的安全问题,基于对IPv6内嵌的IPSec协议的扩展,提出了一套MIPv6网络的IP层安全架构——MIPSec协议。该协议主要从业务流协议安全增强、安全策略优化、移动性的上下文支持、认证协议增强与扩展等几个方面做了设计和改进,使改进的协议不仅能够满足MIPv6网络移动性产生的安全需求,而且也为MIPv6通信提供了端到端的安全保护,有效抵抗各类网络攻击。2.针对MIPv6切换过程引入安全机制导致的延时过大的问题,提出了一种融合认证机制的安全快速的MIPv6切换方法。该方法在MIPSec安全架构下,利用FMIPv6切换信令,融合认证信息,实现切换与认证并发执行,消减了安全切换过程的复杂性,大大降低了接入认证给移动切换过程带来的延时开销。3.针对移动子网(NEMO)切换过程中的安全和性能问题,提出了安全异步切换方法。移动网络基本协议中采用网络嵌套结构和隧道机制来处理移动切换问题,除了移动路由器本身的切换延时,网络嵌套结构带来的迂回路由过程以及额外的认证过程使切换延时进一步增大,服务质量下降。本文充分考虑了移动网络特点,提出了移动子网移动路由器与移动网络节点分离的安全异步切换方法。该方法利用融合认证机制的快速切换方法实现移动路由器切换,使用授权前缀机制实现路由优化以及移动网络内节点切换。与基本NEMO协议相比,该方法不但实现了路由优化,而且能够保障安全性,并降低切换延时。4.多宿移动子网是为了提高移动子网可靠性而提出的一种移动网络结构,该网络可以拥有多个移动路由器,本文针对此类网络中路由器选择存在单点失效而导致的安全及流量不均衡导致网络拥堵问题,提出了一种基于信任的多宿移动子网安全路由选择方法。该方法基于多属性决策理论建立节点主观信任模型,并对每个移动路由器节点进行信任值评估,移动网络节点在进行接入路由器选择时,依据信任值最高者择优选择,从而避免了单点失效问题,增强安全性,均衡了网络流量,提高了网络整体性能。

【Abstract】 In recent years, the rapid development of Internet technology and mobilecommunication technology promote the development of IP based mobile Internettechnology. Mobile IPv6technology becomes the preferred networking protocols ofmobile Internet for its excellent mobility support. However, the openness for mobileenvironment and dynamic topology makes MIPv6network suffer from serious securitythreats, such as man-in-middle attack, DoS attack and so on. On the other hand, MIPv6protocol does not provide any security protection for mobile handover and datatransmission process. As a result, security problem in MIPv6network is veryconspicuous. Moreover, the mobility management such as handover and binding updateprocess of MIPv6caused by its dynamic topological structure degrade the overallnetwork performance, which affects the QoS of the network further. Hence, it is of greatsignificant to research secure mobility management technology of MIPv6networktheoretically and practically.In this thesis, security mechanisms in MIPv6network, MIPv6handovermanagement and performance optimization, the security and handover performance ofmobile network, traffic control of multi-homed mobile network are analyzed firstly.Then a security framework in IP layer is designed for MIPv6network, and securemobility management issues such as handover for node and mobile network, routingselection in multi-homed mobile network are studied in-depth based on this securityarchitecture. Main content and contributions in this paper are summarized as follows:1. A novel mobile IPsec protocol (MIPSec) for MIPv6network environment isproposed to solve the security issues for MIPv6network mobility management. MIPSecis a new IP layer security architecture extended from IPSec protocol which is embeddedin IPv6. In the proposed protocol, several aspects are designed to improve MIPv6network security, including traffic protocols security enhancement, security policyoptimization, contextual support for mobility, authentication protocol enhancement andextension. Security analysis indicates that the proposed MIPSec can not only meet theneeds of MIPv6mobility, but also provide end to end security protection to resistagainst almost all kinds of attacks effectively.2. A secure fast MIPv6handover scheme is proposed to solve the handover delayissues caused by the introduction of security mechanisms in MIPv6. Based on MIPSecarchitecture, the scheme combines FMIPv6signaling and authentication information to achieve handover and authentication simultaneously, which diminishes the handovercomplexity and thus reduces its handover delay greatly.3. A secure asynchronous handover scheme is proposed to solve the secure andperformance issues caused by handover process of network mobility (NEMO). Nestednetwork architecture and tunneling mechanism are used to deal with handover problemsin NEMO basic protocol. As a result, triangle routing process caused by nestedarchitecture and extra authentication process may increase the handover delay anddegrade the quality of service further. To solve the problems, an asynchronous handoverscheme is proposed, in which handover of mobile router and inner nodes are carried outasynchronously, and routing optimization is considered as well. Compared with thebasic NEMO protocol, the proposed scheme can not only achieves route optimizationand guaranteed handover safety, but also reduces handover delay.4. Multi-homed mobile network is appeared in order to improve the reliability ofthe mobile network with more than one mobile router. A trusted based routing selectionalgorithm in IPv6multi-homed mobile networks is proposed to avoid overloadingproblem caused by the concentration of a large quantity of data in a few mobile routers.The proposed algorithm establishes a multi-attribute decision model by introducingmultiple decision attribute information, and uses the combination weighting method tocalculate the trust value of each router. A mobile node can access to an optimal mobilerouter to avoid single point of failure problem and balance network traffic, thus improveoverall network performance and security.
