Access authentication
1) Home registration
First, the MN sends the IKE/SA initialization message for registration with the HA.
    MN→HA: {CERTMN,Ni,SAi1,KEi}SigMN
Then the HA's access gateway MAC-GateHA makes a mandatory access decision on the intercepted IKE request and encodes the permitted direction of communication in a two-bit value "W".
MAC-GateHA determines the permitted direction of data transfer:
① When communication is permitted only from the MN to the HA:
    MAC-GateHA→HA: kMAC-GateHA{{CERTMN,Ni,SAi1,KEi}SigMN,W}
    MAC-GateHA→MN: {CERTHA,Ni,NMAC-GateHA,W}SigMAC-GateHA  (CERTHA to be removed?)
    HA→MAC-GateHA: kMAC-GateHA{{CERTHA,Nr,SAr1,KEr}SigHA}
    MAC-GateHA→MN: {CERTHA,Nr,SAr1,KEr}SigHA  (handling of the nonce Ni)
    MN→HA: SK{UIDMN,AUTH,SAi2,SAis}
    HA→MAC-GateHA: kMAC-GateHA{SK{UIDHA,AUTH,SAr2,SArs}}
    MAC-GateHA→MN: SK{UIDHA,AUTH,SAr2,SArs}
② When communication is permitted only from the HA to the MN:
    MAC-GateHA→HA: kMAC-GateHA{{CERTMN,Ni,SAi1,KEi}SigMN,W}
    MAC-GateHA→MN: {Ni,NMAC-GateHA,W}SigMAC-GateHA
    HA→MN: {CERTHA,Nr,SAr1,KEr}SigHA
    MN→MAC-GateHA: SK{UIDMN,AUTH,SAi2,SAis}
    MAC-GateHA→HA: kMAC-GateHA{SK{UIDMN,AUTH,SAi2,SAis}}
    HA→MN: SK{UIDHA,AUTH,SAr2,SArs}
2) Local registration
First, the MN sends the IKE/SA initialization information to the local agent LA.
    MN→LA: {CERTMN,CoAMN,Ni,SAi1,KEi}SigMN
Then the LA's access gateway MAC-GateLA makes a mandatory access decision on the intercepted IKE request and encodes the permitted direction of communication in a two-bit value "W".
    MAC-GateLA→LA: kMAC-GateLA{{CERTMN,CoAMN,Ni,SAi1,KEi}SigMN,W}
    MAC-GateLA→MN: {Ni,NMAC-GateLA,W}SigMAC-GateLA
MAC-GateLA determines the permitted direction of data transfer:
① When communication is permitted only from the MN to the LA:
    LA→MAC-GateLA: kMAC-GateLA{{CERTLA,Nr,SAr1,KEr}SigLA}
    MAC-GateLA→MN: {CERTLA,Nr,SAr1,KEr}SigLA
    MN→LA: SK{UIDMN,AUTH,SAi2,SAis}
    LA→MAC-GateLA: kMAC-GateLA{SK{UIDLA,AUTH,SAr2,SArs}}
    MAC-GateLA→MN: SK{UIDLA,AUTH,SAr2,SArs}
② When communication is permitted only from the LA to the MN:
    LA→MN: {CERTLA,Nr,SAr1,KEr}SigLA
    MN→MAC-GateLA: SK{UIDMN,AUTH,SAi2,SAis}
    MAC-GateLA→LA: kMAC-GateLA{SK{UIDMN,AUTH,SAi2,SAis}}
    LA→MN: SK{UIDLA,AUTH,SAr2,SArs}
Finally, the home address is bound to the local care-of address and a confirmation is returned.
    MN→HA: FBU(HoAMN,CoAMN)
    HA→MN: BACK