Design and Implementation of Wireless LAN Authentication and Fast Handover
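Abstract
The scale and processing capacity of the Internet have been growing rapidly for more than twenty years. At the end of the twentieth century the IEEE published the 802.11 wireless LAN protocol, which brought the Internet into a brand-new application space and gave rise to a steady stream of new services. New problems have emerged, however: there is an urgent need to design, without disrupting the existing network structure, an access network architecture that is distributed, supports high data throughput and meets strict latency requirements. How to further broaden the range of applications running on the network and improve its quality of service is also a current concern.
     This thesis takes the IETF "split MAC" wireless LAN as its design prototype and, based on the 802.11i standard, designs and implements a solution for user authentication and key negotiation, under which users obtain a high level of security assurance. In addition, to provide roaming for wireless users within the system on top of the secured network, it designs and implements layer 2 (data link layer) handover and a fast layer 3 (IP layer) mobility procedure. Although a user is assigned a network address in a different subnet after handover, upper-layer application protocols are completely unaware of the change in the underlying network, so the user's data connections are not interrupted while roaming between access points.
     All functional modules described in this thesis were implemented in the CNGI "Unified Wired and Wireless Broadband Access Controller" and passed acceptance testing.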
The scale and processing ability of the Internet have been developing for more than twenty years. At the end of the twentieth century the IEEE published the first 802.11 wireless network standard. From then on the Internet entered a brand new era. Although wireless brings many new applications and businesses, it causes some other problems. How to design a network structure that remains compatible with older networks and easily handles distributed, bulk-data-transfer and low-delay applications has become an urgent question for network engineers. Additionally, network designers remain concerned with how to improve the quality of service in wireless LANs.
     This thesis is based on the IETF split-MAC structure and the 802.11i protocol. Based on this prototype, a new user authentication and key negotiation method was designed and implemented. Once this method has been executed, the data communicated between the user and the access point is highly protected. Moreover, for the mobility of the wireless system, layer 2 and layer 3 fast handover was also proposed and implemented; the user is completely unaware of the low-level network switching, and the applications' data carried over upper-layer protocols is not interrupted.
