Tu Rui,Su Jinshu,Chen Feng

DOI: https://doi.org/10.1109/nas.2009.34

2009-01-01

International Journal of Communications Network and System Sciences

Abstract:Legacy IP address-based access control has met many challenges, because the network nodes cannot be identified accurately based on their variable IP addresses. “Locator/Identifier Split” has made it possible to build a network access control mechanism based on the permanent identifier. With the support of “Locator/Identifier Split” routing and addressing concept, the Identifier-based Access Control (IBAC) makes network access control more accurate and efficient, and fits for mobile nodes’ access control quite well. Moreover, Self-verifying Identifier makes it possible for the receiver to verify the packet sender’s identity without the third part authentication, which greatly reduces the probability of “Identifier Spoofing”.

卢宁宁,周华春,张宏科

DOI: https://doi.org/10.3969/j.issn.1673-0291.2009.02.010

2009-01-01

Abstract:Making significant adjustment to the network architecture and including the security requirement at the beginning of the new architecture design is becoming a common view of the computer networking domain.Based on the 973 project Universal network architecture,we use self-certifying address structure as the endpoint identifier and design a new access authorization mechanism. The corresponding protocol flow and protocol format were presented in this paper.Finally,the authors study the seourity of these new idea using SVO logic and find that this new architecture successfully guarantees authenticity of IP packet's sonrce addtess.

Ming Wan,Jianqiang Tang,Ying Liu,Hongke Zhang

2010-01-01

Abstract:In the study of future Internet architecture, the scheme of ID/locator separation is the focus of future development, however the relevant access authentication scheme has not been proposed under this architecture. This paper proposes a new authentication scheme under ID/locator separation architecture, and it introduces the identity label to implement the sustainable authentication for the terminal. This scheme uses the challenge-response approach and achieves the double-way authentication between the terminal and access network, besides successfully guarantees the authenticity of the source under ID/locator separation architecture.

Yangyang Gao,Kai Wang,Yajuan Qin

DOI: https://doi.org/10.1049/cp.2011.1418

2011-01-01

Abstract:The traditional network design puts little emphasis on security and management of the transport layer mechanisms. However, new applications requiring security such as on-line bank and on-line shopping emerge sharply. Besides, various new applications induce the problem of management for pricing, reliability and resource distribution. Hence, a secure and manageable transport layer mechanism is significant and urgent under these occasions. In this paper, we propose an identified transport layer mechanism (ITM) in the locator/identifier separation protocol (LISP) context. ITM employs mapping cache to manage the packet transmitting process and separates host identifiers from the port numbers in the transport layer. Based on this mechanism, we can achieve enhanced security and management of the network transport layer.

Wentao Shang,Congxiao Bao,Xing Li

DOI: https://doi.org/10.1109/CECNet.2012.6202059

2012-01-01

Abstract:Current Internet architecture is facing challenges from the IP layer such as host mobility, multi-homing and routing scalability. ID/locator separation is a new Internet architecture that eliminates the duality of the IP address semantics and thus solves the problems of the traditional IP network. In this paper we analyze the concept of ID/locator separation, as well as its benefits and challenges. We also discuss the design of the key components in the ID/locator separation architecture and study several Internet architecture designs that implement the ID/locator separation philosophy.

LIU Jian-qiang,CHENG Dong-nian,WU Jiang-xing,ZHANG Jian-wei,LAN Ju-long

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.09.071

2010-01-01

Abstract:Universal network is a new architecture based on identity/locator separating. A challenge from the separating is how to find a locator for a identity. This paper designed a three tiers system for mapping entries storing and resolving. Stored mapping entries in different tier with the difference frequency odds of the remote communication terminal called,and flowed from one tier to another. In order to reduce the cost of large scale mobility,policy of report to the top tier was different. It shows that the resolving system satisfies the require of universal network identity mapping resolving.

唐建强,刘颖,周华春,张宏科

DOI: https://doi.org/10.3724/sp.j.1146.2012.00782

2013-01-01

Abstract:For the mobility issue in Locator/Identifier Separation Protocol (LISP) networks, a network-based Secure Mobility Control Protocol (LISP-SMCP) is proposed. Taking access networks as different mobile domains, LISP SMCP supports mobile nodes intra-domain handoff and inter-domain handoff efficiently, and achieves local authentication and mutual authentication. The security and performance analysis results show that, LISP-SMCP can resist man-in-the-middle attacks, replay attacks and modified attacks. And it outperforms existing schemes in terms of authentication latency, handoff latency and handoff blocking probability.

Peng Wenwen,Dong Ping,Luo Hongbin

2012-01-01

Abstract:Recently,the problem of internet routing scalability has become a big pitfall for the rapid development of Internet.There is a common consideration in the trade that the locator/identifier separation protocol(LISP) is an effective way to solve this issue.The paper proposes a method of simulating the separation map mechanism based on NS2,by implementing the LISP on NS2 and creating simulation topology,the approach conducts the simulative analysis on LISP,it makes up the deficiency of the actual system that it cannot simulate the large-scale network due to the size restriction.

Hengkui Wu,Dong Yang,Deyun Gao,Hongke Zhang

2011-01-01

China Communications

Abstract:The locator/ID separation paradigm has been widely discussed to resolve the serious scalability issue that today's Internet is facing. Many researches have been carried on with this issue to alleviate the routing burden of the Default Free Zone (DFZ), improve the traffic engineering capabilities and support efficient mobility and multihoming. However, in the locator/ID split networks, a third party is needed to store the identifier-to-locator pairs. How to map identifiers onto locators in a scalable and secure way is a really critical challenge. In this paper, we propose SS-MAP, a scalable and secure locator/ID mapping scheme for future Internet. First, SS-MAP uses a near-optimal DHT to map identifiers onto locators, which is able to achieve the maximal performance of the system with reasonable maintenance overhead relatively. Second, SS-MAP uses a decentralized admission control system to protect the DHT-based identifier-to-locator mapping from Sybil attacks, where a malicious mapping server creates numerous fake identities (called Sybil identifiers) to control a large fraction of the mapping system. This is the first work to discuss the Sybil attack problem in identifier-to-locator mapping mechanisms with the best knowledge of the authors. We evaluate the performance of the proposed approach in terms of scalability and security. The analysis and simulation results show that the scheme is scalable for large size networks and can resistant to Sybil attacks.

Zhao-Hui Sun,Shui-Gen Yang,Feng Qiu,Hong-Ke Zhang,Ya-Juan Qin

2008-01-01

Abstract:In the traditional TCP/IP stack, the IP address represents both the identifier and locator roles of a node. This dual nature makes it difficult to support mobility, security, routing scalability and other functions well. The new idea of separating the identifier and locator roles of the IP address becomes a hot research top in next generation Internet. In order to achieve the separation of identifier and locator, the universal network introduces access identifier, switch route identifier, and access switch router to divide the network into the access layer using access identifier and the backbone layer using switch route identifier. This paper mainly designs and implements the separation and mapping scheme of identifier and locator in the universal network based on Linux platform, including the packet forwarding process and the data structure of mapping relationship tables.

Jiahui Sun,Ningchun Liu,Shuai Gao,Wei Su

DOI: https://doi.org/10.1109/nana53684.2021.00029

2021-01-01

Abstract:In recent years, the rapid development of Programmable Data Plane(PDP) technology provides the possibility for the large-scale deployment of Smart Identifier Network(SINET). As a revolutionary network architecture, SINET supports terminal mobility and network extensibility natively by adopting the separation of identifier and locator. At the beginning of the SINET design, the security of the mapping information in the mapping publish/query protocol was not considered. At the same time, because of the PDP-based SINET using a separate control and forwarding architecture, the mapping information between the control plane and the data plane is more vulnerable to eavesdropping attacks and man-in-the-middle attacks.In this paper, we proposed a secure Identifier-to-Locator mapping mechanism in the PDP-based SINET. We designed a bCPA(bit-wise CPA) algorithm to protect the mapping information in the mapping publish/query protocol. We implemented the mechanism and evaluated its performance in the prototype system. The experimental results show that the method we designed guarantees the security of the mapping information without affecting the mapping publish/query performance and has less time increment compared to existing methods.

LI Xue-xia,GAO Shuai,WANG Li-li,ZHANG Hong-ke

DOI: https://doi.org/10.3979/j.issn.1673-825x.2012.01.017

2012-01-01

Abstract:The Locator/ID Separating Network successfully separated the identifier and locator of IP,which supports the single host mobility,but had no consideration on the network mobility management.In order to solve this problem,this paper proposes a graded multi-layer mapping mechanism,by enabling a subnet to enjoy the same Routing Identifier,which not only supports the network mobility,but also decreases the network signaling overhead and handoff delay.The theoretical and numerical analyses show that,compared to the single registration mode,the block registration mode based on the graded multi-layer mapping mechanism can significantly decrease the overall network signaling overhead and handoff delay,especially that in the core network.It improves the network performance and simultaneously saves the resources of the core network.

Ping Dong,Hongke Zhang

DOI: https://doi.org/10.1109/CMC.2010.261

2010-01-01

Abstract:With the boom of network technologies, the Internet architecture is being challenged by new problems such as routing scalability and mobility in these days. Although some related proposals were proposed, an interesting and open issue is that how to support mobility in the locator/ID separation based routing scalability networks. In this paper, we propose MobileID, which is an efficient approach to solve this issue. MobileID is a network-based proposal, in which the network is responsible for the mobility management of mobile nodes. Thus, it can satisfy the requirements of faster handover, route optimism, transport connection survivability, and so on. MobileID also inherit the characters of locator/ID separation protocol which can solve routing scalability problems. At the end of this paper, we describe MobileID analytic model, and compares MobileID handover performance with mobile IP and proxy mobile IP. The result shows the efficiency of MobileID.

Jessie Hui Wang,Yang Wang,Mingwei Xu,Jiahai Yang

DOI: https://doi.org/10.1109/icc.2012.6363725

2012-01-01

Abstract:Although most researchers have agreed that the locator/identifier separation is beneficial for the Internet, there is no consensus on how to define the “identifier”. In this paper, we propose a scheme in which identifiers are distributed by authorities to endpoints, and the authorities are responsible for maintaining real-time locators of endpoints with identifiers they distributed. This scheme can be helpful to accounting, security and other network management tasks. We also present in details how to implement this scheme with extended DNS and a new infrastructure, i.e., ID Mapping System (IDMS).

Hongchao Wang,Hongke Zhang,Chi-Yuan Chang,Han-Chieh Chao

DOI: https://doi.org/10.1016/j.camwa.2009.12.031

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:There have been many security events in the Internet. Many of them are due to arbitrary access permissions to the network resources of the malicious users, especially their free sending packets to anywhere in the network. However, current existing solutions such as ingress filtering and network firewalls cannot solve the problem of malicious access to the network flexibly and effectively. In this paper, we present an efficient access control method based on host identifiers, in which a safe and bidirectional authentication process is introduced whenever the host begins to access the network. Meanwhile, all the succeeding information exchanges between the host and the network can be controlled through the encrypt scheme negotiated during the access authentication process. Through analysis and experiments, we find that the proposed method has the following merits. First, our method has the capability to support various end-nodes to access the Internet in a uniform way. Second, with our method, end-nodes and the core network can establish a mutual trustworthy relationship to avoid any spoof from the other side. Third, our method can support host mobility very well.

Xu Dongxiao,Jiang Lingge

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.02.075

2010-01-01

Abstract:A novel identity separation protocol——Shinap is presented.Shinap keeps upper layer unchanged while separates the location identity at IP layer and the function of identification at host side.Moreover,it supports host's mobility and multihoming,and is compatible to legacy IPv6 hosts,so that it is easy to deploy the Shinap protocol step-by-step.Simulation result shows that Shinap has a higher throughput and lower handover latency than HIP protocol.

WAN Ming,ZHOU Hua-chun,LIU Ying,ZHANG Hong-ke

DOI: https://doi.org/10.3969/j.issn.1001-8360.2012.08.012

2012-01-01

Abstract:Aiming at assuring the authenticity and creditability of the terminals in the universal network,this paper proposes a new access authentication scheme based on the for the universal network.By combining the characteristics of the universal network architecture with the advantages of the existing digital certificate,the scheme uses the challenge-response approach to achieve the double-way authentication between the terminals and access network.In addition,the scheme introduces the identity label to bind the user's digital certificate and Access Identifier(AID) of the terminal,and accomplishes the real relation between the user's and the terminal.At the same time,by implementing the sustainable authentication for the terminals,the scheme successfully guarantees the authenticity of the sources in the universal network and effectively promotes the control-ability and manageability of the universal network.Finally,this paper presents a qualitative analysis for the security and the performance of this scheme,and gives a timing analysis for the sustainable authentication of the label.

Xiujuan Du,Zhigang Jin

DOI: https://doi.org/10.1109/ICCASM.2010.5619401

2010-01-01

Abstract:The paper analyzes the security of conventional network access authentication technology and provides a novel IP address pair based short signature technology which strengthens the security of authentication and control. Conforming to TNC architecture, the paper extends the endpoint access domination to MPLS backbone by IP address pair based short signature technology and depicts a new trustworthy network access scheme and realizes it on Network Processor. The scheme enriches the integrity measure of security client and administrator's security policy with ARP virus, fraud DHCP server, address spoofing of IP and MAC, thus enhances the safety and initiative defense ability of enterprise and public networks, and reduces the cost of enterprise for security deployments greatly while achieving the SP's excellent Return-on-Investment.

MA Yuan,LUO Hong-bin,LI Xiao-qian,ZHANG Si-dong

DOI: https://doi.org/10.3969/j.issn.1004-373x.2011.23.010

2011-01-01

Abstract:The need of variable-length identifier in the universal network is described.Based on studying the universal network architecture and mapping mechanisms,a uniform access scheme for the variable-length identifier access in the universal network is designed,the process to deal with 32 bits identifier accessing the universal network is analyzed,the module and the structure of the main function are designed.At last,the main functions of the universal network are simulated and tested according to the design program,and the results are in accordance with the expected analyzing and processing results.

TANG Jianqiang,LIU Ying,WAN Ming,ZHANG Hongke

DOI: https://doi.org/10.3969/j.issn.1673-0291.2012.02.009

2012-01-01

Abstract:Universal identifier-based network is proposed to solve the traditional network IP address ambiguity problems, which has location/identifier separation architecture. In this paper, we propose a user identity authentication protocol (UIAP) and design an access identifier with the digital certificate. This access identifier uniquely identifies a terminal in the universal identifier-based network, and implements the binding of the user identity with the terminal. The UIAP protocol uses Diffie-Hellman key exchange approach to achieve user identity bidirectional authentication, and it applies the puzzle mechanism and the stateless authentication to protect a receiver from DoS attack. The analysis of the security of the protocol proves that the method satisfies the session key security requirements defined in the C-K model.