
WO2013127281A1 - Method and system for processing ipv6 stateless address - Google Patents


Info

Publication number: WO2013127281A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2013/070850
Other languages: French (fr), Chinese (zh)
Inventors: 周苏静, 张瑞山
Assignee (original and current): ZTE Corp
Legal status: Ceased
Prior art keywords: hash function, address, identifier, output, parameter

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation > H04L61/5007 Internet protocol [IP] addresses
    • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation > H04L61/5092 Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
    • H04L2101/00 Indexing scheme associated with group H04L61/00 > H04L2101/60 Types of network addresses > H04L2101/604 Address structures or formats
    • H04L2101/00 Indexing scheme associated with group H04L61/00 > H04L2101/60 Types of network addresses > H04L2101/618 Details of network addresses > H04L2101/659 Internet protocol version 6 [IPv6] addresses
    • H04L2101/00 Indexing scheme associated with group H04L61/00 > H04L2101/60 Types of network addresses > H04L2101/695 Types of network addresses using masks or ranges of addresses

Definitions

  • the present invention relates to the field of communications, and in particular to a method and system for processing an IPv6 (Internet Protocol version 6) stateless address.
  • IPv6 uses a 128-bit network address, providing ample address space and multiple address generation methods.
  • according to the latest version of the "IPv6 Address Structure" published by the IETF (Internet Engineering Task Force) in RFC (Request for Comments) 4291, all 128 bits of an IPv6 address may be unstructured; an address may also consist of a subnet prefix and an interface identifier, or, in a more complicated case, of a global routing prefix, a subnet prefix and an interface identifier.
  • the interface identifier usually follows the Modified EUI-64 (modified 64-bit Extended Unique Identifier) format, in which bits 6 and 7 (counted from the left, starting at 0) are the "u" and "g" flag bits respectively.
  • the interface identifier can be generated by a simple conversion of the interface's IEEE (Institute of Electrical and Electronics Engineers) EUI-64 address or IEEE MAC address, or it can be a random 64 bits (apart from the "u" and "g" flag bits); for example, RFC 4941 proposes periodically generating the interface identifier at random in order to protect host privacy.
  • the first hash function output is determined from the modifier value, the public key and so on, which in turn determines the value of the final CGA address and the associated CGA parameters (often called address parameters).
  • Step 1A: concatenate the modifier value, 9 bytes of all zeros, the public key and the extension field;
  • Step 1B: compute the output of the second hash function, HASH2 function 101, over the concatenation of step 1A, where HASH2 is the SHA-1 function truncated to its first 112 output bits;
  • Step 1C: check whether the hash output 102 satisfies the stop condition, that is, whether the first 16*sec bits of the output are 0; if the stop condition is satisfied, set the collision count to 0 and proceed to step 1D; otherwise increase the modifier value by 1 and continue with step 1A;
  • Step 1D: concatenate the modifier value, the subnet prefix, the collision count, the public key and the extension field;
  • Step 1E: compute the output of the first hash function, HASH1 function 107, over the concatenation of step 1D, where HASH1 is the SHA-1 function truncated to its first 64 output bits;
  • Step 1F: replace the first 3 bits of the HASH1 output with the value of sec and set bits 6 and 7 of the HASH1 output to 0, giving the interface identifier; combine the subnet prefix and the interface identifier into an IPv6 address and check whether there is an address conflict. If there is an address conflict and the collision count is less than 3, increase the collision count by 1 and continue with step 1D. If there is no address conflict and the collision count is less than 3, the final CGA 114 is determined, comprising the subnet prefix 113, the security parameter 111, the fixed flag bits 112 and the partial output of HASH1; the subnet prefix, public key, extension field, finally selected modifier value and collision count are written to the data structure of the CGA parameters accompanying the CGA address.
  • CGA address verification process:
  • given a CGA address and its accompanying CGA parameters, the corresponding data is read from the CGA parameters: the modifier value, subnet prefix, collision count, public key and extension field. If the collision count in the CGA parameters is not 0, 1 or 2, verification fails; if the subnet prefix in the CGA parameters is not equal to the first 64 bits of the CGA address, verification fails; otherwise verification continues as follows:
  • the second hash function output is computed from the data read from the CGA parameters and the security parameter in the interface identifier, to check whether the stop condition is satisfied.
  • Step 2A: concatenate the modifier value, subnet prefix, collision count, public key and extension field read from the CGA parameters;
  • Step 2B: compute the output of the first hash function, HASH1 function 107, over the concatenation of step 2A, where HASH1 is the SHA-1 function truncated to its first 64 output bits;
  • Step 2C: compare whether the HASH1 output and the interface identifier are the same (ignoring the first 3 bits and bits 6 and 7); if they differ, verification fails; otherwise continue with step 2D;
  • Step 2D: concatenate the modifier value, 9 bytes of all zeros, the public key and the extension field;
  • Step 2E: compute the output of the second hash function, HASH2 function 101, over the concatenation of step 2D, where HASH2 is the SHA-1 function truncated to its first 112 output bits;
  • Step 2F: check whether the hash output 102 satisfies the stop condition, that is, whether the first 16*sec bits of the output are 0; if the stop condition is satisfied, verification succeeds, otherwise verification fails.
  • when CGA is used to enhance protocol security, in addition to replacing the IPv6 address with a CGA, the CGA parameters are sent alongside it; the CGA parameters include a subnet prefix field, a public key field, an extension field, a modifier value field and a collision count field.
  • the resulting CGA is the concatenation of a 64-bit subnet prefix and a 64-bit interface identifier, where the interface identifier is formed from the first 64 bits of the output of the hash function applied to the modifier value field, subnet prefix field, collision count field, public key field and extension field in that order, with bits 0-2 assigned the value of sec and bits 6-7 (the "u" and "g" bits) assigned the value 0.
  • one prior-art approach adds an indication of the hash function used to the extension field of the CGA parameters, but doing so opens a downgrade attack: the CGA address and CGA parameters can be replaced with ones computed using a hash function of lower security strength.
  • the main object of the present invention is to provide a method and system for processing an IPv6 stateless address which ensures that the generated address can represent multiple hash functions without reducing security strength; this gives the generated address hash function agility, so that even if the hash function in use is broken it can easily be replaced with a more secure one.
  • a method for processing an IPv6 stateless address, comprising:
  • pre-selecting the security parameter and the hash function, selecting an initial value of the modifier value, and determining the final value of the modifier value according to the stop condition;
  • determining the finally generated address according to the parameters selected above.
  • the modifier value changes from its initial value until the stop condition is satisfied; the stop condition depends on the second hash function output and on the number of bits occupied in the address by the security parameter identifier and the hash function identifier.
  • the finally generated address includes an independent security parameter identifier, a hash function identifier and a first hash function output.
  • the input used when computing the output of the first hash function includes the final value of the modifier value.
  • alternatively, the security parameter identifier and/or the hash function identifier is included in the address parameters accompanying the finally generated address rather than in the finally generated address itself.
  • the method further includes: extracting the security parameter identifier and the hash function identifier from the generated address and/or the address parameters accompanying it, and extracting the first hash function output from the generated address.
  • the method further includes: before verification of the address, or after verification succeeds, determining according to the local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.
  • a method for processing an IPv6 stateless address (verification) comprising the extraction above, the method further including checking that the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.
  • an IPv6 stateless address processing system comprising a parameter selection unit and an address generation unit;
  • the parameter selection unit is configured to pre-select a security parameter and a hash function, select an initial value of the modifier value, and determine the final value of the modifier value according to the stop condition;
  • the address generation unit is configured to determine the finally generated address according to the parameters selected by the parameter selection unit.
  • the modifier value changes from its initial value until the stop condition is satisfied; the stop condition depends on the second hash function output and on the number of bits occupied in the address by the security parameter identifier and the hash function identifier.
  • the finally generated address includes an independent security parameter identifier, a hash function identifier and a first hash function output; the input used when computing the output of the first hash function includes the final value of the modifier value.
  • the security parameter identifier and/or the hash function identifier, or a combined identifier of the security parameter and the hash function, is included in the address parameters accompanying the finally generated address rather than in the finally generated address itself.
  • the system further includes a security policy verification unit for determining, according to a local security policy and before or after verification of the address, whether the security parameter identifier and/or the hash function identifier meets the acceptance condition.
  • an IPv6 stateless address processing system comprising a parameter obtaining unit and an address verification unit;
  • the parameter obtaining unit is configured to extract the security parameter identifier and the hash function identifier from the address to be verified and/or the address parameters accompanying it, and to extract the first hash function output from the address to be verified;
  • the address verification unit is configured to compute a first hash function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and to verify whether it is consistent with the extracted first hash function output; and to compute a second hash function output from the data in the address parameters together with the extracted security parameter identifier and hash function identifier, and to verify whether the second hash function output satisfies the stop condition.
  • the address verification unit includes a first verification unit and a second verification unit:
  • the first verification unit is configured to compute a first hash function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and to verify whether it is consistent with the extracted first hash function output;
  • the second verification unit is configured to compute a second hash function output from the data in the address parameters together with the extracted security parameter identifier and hash function identifier, and to verify whether the second hash function output satisfies the stop condition.
  • the first verification unit and the second verification unit may be combined or separate.
  • the system further includes a security policy verification unit, configured to determine, according to a local security policy and before or after verification of the address, whether the security parameter identifier and/or the hash function identifier meets the acceptance condition.
  • FIG. 1 is a schematic diagram of the generation principle of a prior-art CGA;
  • FIG. 2 is a schematic diagram of the verification principle of a prior-art CGA;
  • FIG. 3 is a schematic diagram showing a hash function identifier and a security parameter in a prior-art CGA;
  • FIG. 4 is a schematic diagram of the overall address structure according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram of the detailed address structure according to an embodiment of the present invention;
  • FIG. 6 is a schematic diagram of the principle of generating an address according to an embodiment of the present invention;
  • FIG. 7 is a schematic diagram of the principle of verifying an address according to an embodiment of the present invention;
  • FIG. 8 is a schematic flow chart of generating an address according to an embodiment of the present invention;
  • FIG. 9 is a schematic flow chart of verifying an address according to an embodiment of the present invention.
  • the selected parameters are hashed with the selected hash function and the second hash function output is checked against the stop condition; if it is not satisfied, the modifier value is changed until it is. The stop condition is determined jointly by the number of bits occupied in the address by the security parameter identifier and the hash function identifier; the modifier value that satisfies the stop condition is its final value;
  • the first hash function output is determined from the modifier value, the public key, the extension field and so on, thereby determining the value of the finally generated CGA address and the associated CGA parameters.
  • the resulting address contains an independent security parameter identifier, a hash function identifier and a first hash function output.
  • the security parameter identifier, the hash function identifier and the first hash function output can be extracted from the address to be verified;
  • the IPv6 address finally generated by the present invention includes a subnet prefix and an interface identifier, where the interface identifier includes a security parameter identifier (sec), a hash function identifier (Hid), a first hash function output and other contents.
  • the order of sec, Hid and the first hash function output within the interface identifier is not limited by the figure.
  • the first hash function output is determined from the modifier value, the public key and so on, thereby determining the value of the final CGA address and the associated CGA parameters.
  • Step 6A: same as step 1A in Figure 1, that is, concatenate the modifier value, 9 bytes of all zeros, the public key and the extension field;
  • Step 6B: compute the output of the second hash function HASH2 over the concatenation of step 6A, where HASH2 is determined by the pre-selected hash function identifier Hid; the number of output bits of HASH2 depends not only on Hid but also on the pre-selected security parameter sec, and the output length of output 601 must not be less than f(sec, n);
  • Step 6C: check whether output 601 satisfies the stop condition; if the stop condition is met, set the collision count to 0 and go to step 6D; otherwise increase the modifier value by 1 and continue with step 6A;
  • Step 6D: same as step 1D in Figure 1, that is, concatenate the modifier value, the subnet prefix, the collision count, the public key and the extension field;
  • Step 6E: compute the output of the first hash function HASH1 over the concatenation of step 6D, where HASH1 is determined by the pre-selected hash function identifier Hid; the number of output bits of HASH1 is not less than the number of bits remaining in the interface identifier after the security parameter identifier, the hash function identifier and the "u" and "g" bits, and in this embodiment the first hash function output is the first 56 bits of the hash function identified by Hid;
  • Step 6F: concatenate sec (3 bits), the hash function identifier Hid (3 bits), the "u" and "g" bits set to 0, and the first 56 bits of the first hash function output 604, and use the result as the interface identifier; combine the subnet prefix and the interface identifier into an IPv6 address and check whether there is an address conflict. If there is an address conflict and the collision count is less than 3, increase the collision count by 1 and continue with step 6D; if there is no address conflict and the collision count is less than 3, the final CGA 608 is determined, comprising the subnet prefix 113, the security parameter 111, the fixed flag bits 112, the hash function identifier 606 and the partial output 607 of HASH1. Write the subnet prefix, public key, extension field, finally selected modifier value and collision count to the data structure of the CGA parameters accompanying the CGA address;
  • the number of output bits of the second hash function may also be added to the CGA parameters, to indicate how many output bits of the second hash function must be taken during verification.
  • given a CGA address and its accompanying CGA parameters, the corresponding data is read from the CGA parameters. If the collision count in the CGA parameters is not 0, 1 or 2, verification fails; if the subnet prefix in the CGA parameters is not equal to the first 64 bits of the CGA address, verification fails; otherwise verification continues as follows:
  • Step 7A: same as step 2A in Figure 2, that is, concatenate the modifier value, subnet prefix, collision count, public key and extension field;
  • Step 7B: compute the output of the first hash function HASH1 over the concatenation of step 7A, where HASH1 is determined by the pre-selected hash function identifier Hid; the number of output bits of HASH1 is not less than the number of bits remaining in the interface identifier after the security parameter identifier, the hash function identifier and the "u" and "g" bits, and in this embodiment the first hash function output is the first 56 bits of the hash function identified by Hid;
  • Step 7C: compare whether the HASH1 output 604 and the last 56 bits of the interface identifier are the same; if they differ, verification fails; otherwise proceed to step 7D and continue verification;
  • Step 7D: same as step 2D in Figure 2, that is, concatenate the modifier value, 9 bytes of all zeros, the public key and the extension field;
  • Step 7E: compute the output of the second hash function HASH2 over the concatenation of step 7D, where HASH2 is determined by the pre-selected hash function identifier Hid; the number of output bits of HASH2 depends not only on Hid but also on the pre-selected security parameter sec. Further, if the CGA parameters include the number of output bits of the second hash function, the number of output bits may be determined by that parameter;
  • Step 7F: determine whether the second hash function output 601 satisfies the stop condition, that is, whether its first f(sec, n) bits are 0, where f(sec, n) = 16*sec + n and n is the number of bits occupied in the address by the hash function identifier; the output length of output 601 must not be less than f(sec, n). If the check in step 7F passes, verification succeeds; otherwise verification fails.
  • the operation of the present invention for processing an IPv6 stateless address can be represented by the flows shown in FIG. 8 and FIG. 9 respectively.
  • Step 810: pre-select the security parameter and the hash function, select the initial value of the modifier value, and determine the final value of the modifier value according to the stop condition.
  • Step 820: determine the finally generated address according to the selected parameters.
  • the finally generated address contains an independent security parameter identifier, a hash function identifier and a first hash function output.
  • the preparation for generating the address in step 810, such as selecting the security parameter in advance, may be performed by the parameter selection unit, and the address generation operation in step 820 may be performed by the address generation unit.
  • the specific functions that these two units can implement are detailed in the foregoing technical description.
  • Figure 9 includes the following steps:
  • Step 910: extract the security parameter identifier, the hash function identifier and the first hash function output from the address to be verified.
  • Step 920: compute a first hash function output from the data in the CGA parameters accompanying the address and the extracted hash function identifier, and verify whether it is consistent with the extracted first hash function output; compute a second hash function output from the data in the CGA parameters together with the extracted security parameter identifier and hash function identifier, and verify whether the second hash function output satisfies the stop condition.
  • the extraction operation in step 910 may be performed by the parameter obtaining unit, the verification of the first hash function output in step 920 may be performed by the first verification unit, and the verification of the second hash function output may be performed by the second verification unit.
  • the specific functions that the three units can implement are described in detail in the foregoing technical description and are not repeated here.
  • the first verification unit and the second verification unit may be configured separately or combined; when combined, they may be collectively referred to as the address verification unit.
  • the stop condition in the address generation process combines the number of bits occupied in the address by the security parameter identifier and the hash function identifier, so that the finally generated address contains, in addition to the security parameter identifier and the first hash function output, an independent hash function identifier; it can therefore represent multiple hash functions without reducing security strength.
  • since the security parameter identifier, the hash function identifier and the first hash function output can be extracted from the address to be verified, address verification can be performed on the basis of the hash function.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a method and system for processing IPv6 stateless address. The method comprises: pre-selecting security parameters and HASH functions; selecting initial values of the masks and determining, according to stop conditions, final selected values of the masks; and determining final generated address according to the selected parameters. In the invention, the stop conditions in the process of address generation combine the occupied bits of the security parameters and the HASH function identifiers in the address, the final generated address is enabled to include independent HASH function identifiers besides the security parameter identifiers and the first HASH function output, and thus multiple HASH functions can be denoted while the security strength is not lowered; moreover, as the security parameter identifiers, the HASH function identifiers and the first HASH function output can be extracted from the address to be verified, the address verification can be executed based on the HASH functions.

Description

一种 IPv6无状态地址的处理方法和系统 技术领域  Method and system for processing IPv6 stateless address

本发明涉及通信领域, 具体涉及一种 IPv6 (网络互联协议第六版, Internet Protocol version 6 )无^夫态地址的处理方法和系统。 背景技术  The present invention relates to the field of communications, and in particular, to a method and system for processing IPv6 (Internet Protocol version 6). Background technique

IPv6采用 128比特的网络地址, 提供了充足的地址空间和多种地址生 成方法。  IPv6 uses a 128-bit network address, providing ample address space and multiple address generation methods.

IETF (互联网工程任务组, Internet Engineering Task Force )在 RFC (请 求意见文档, Request For Comments ) 4291中公布的最新版的 "IPv6地址结 构" 中规范 IPv6地址的所有 128比特可以是无结构的; 也可以由子网前缀 和接口标识组成, 或者在更复杂的情况下由全局路由前缀、 子网前缀、 接 口标识组成。接口标识通常遵循 Modified EUI-64 (修改的 64比特长的扩展 的唯一标识符)格式, 该格式的第 6-7比特(从左到右且从 0开始计数)分 别为 "u"、 "g" 标志位。  The 128-bit standard IPv6 address in the latest version of the "IPv6 Address Structure" published by the IETF (Internet Engineering Task Force) in the RFC (Request for Comments) 4291 may be unstructured; It can consist of a subnet prefix and an interface identifier, or in a more complicated case, a global route prefix, a subnet prefix, and an interface identifier. The interface identifier usually follows the format of Modified EUI-64 (modified 64-bit extended extended unique identifier), and the 6-7 bits of the format (from left to right and counted from 0) are "u", "g" respectively. "Sign bit.

接口标识可以从接口的 IEEE (美国电气和电子工程师协会, Institute of Interface identification can be obtained from the interface of the IEEE (American Institute of Electrical and Electronics Engineers, Institute of

Electrical and Electronics Engineers ) EUI-64 地址或 IEEE MAC地址简单转 换生成, 也可以是随机的 64比特(除了 "u"、 "g"标志位), 例如 RFC4941 提出接口标识定期随机生成, 其目的是保护主机的隐私。 Electrical and Electronics Engineers ) EUI-64 address or IEEE MAC address simple conversion generation, or random 64 bits (except "u", "g" flag), for example, RFC4941 proposes that the interface identifier is periodically generated randomly, the purpose is to protect Host privacy.

为了增强协议的安全性, 尤其是防止地址欺骗, 还有现有技术提出将 公钥和整个 IPv6地址绑定在一起, 如主机标识协议 ( RFC5201 )。 更进一步 地, "Cryptographically Generated Addresses (密码生成地址, CGA ),, (RFC 3972 )提出一种安全性更强地将公钥和 IPv6地址绑定的方法, 目前已经应 用于 IPv6的安全邻居发现协议 ( Secure Neighbor Discovery, SEND;), 移动 IP协议 ( Mobility in IPv6, MIPv6 )、 多穴协议 ( Site Multihoming by IPv6 Intermediation, Shim6 )等。 In order to enhance the security of the protocol, especially to prevent address spoofing, the prior art proposes to bind the public key to the entire IPv6 address, such as the Host Identity Protocol (RFC5201). Furthermore, "Cryptographically Generated Addresses (CGA)," (RFC 3972) proposes a method for more securely binding public keys to IPv6 addresses, which has been applied to IPv6 Secure Neighbor Discovery Protocol. (Secure Neighbor Discovery, SEND;), Mobile IP protocol (Mobility in IPv6, MIPv6), Site Multihoming by IPv6 Intermediation (Shim6), etc.

CGA地址的配置过程:  CGA address configuration process:

To generate a CGA address, first choose a random initial value of a given length for the modifier and pre-select the security parameter sec (3 bits). The subsequent operation consists of two processes:

determining the value of the modifier from the output of the second hash function and a stopping condition that is determined by the security parameter alone;

determining the output of the first hash function from the modifier, the public key and the other inputs, and from it the final CGA address and the associated CGA parameters (usually called the address parameters).

The specific address generation steps are shown in Figure 1:

Step 1A: concatenate the modifier, 9 zero bytes, the public key and the extension fields;

Step 1B: compute the output of the second hash function HASH2 (101) over the concatenation from step 1A, where HASH2 is SHA-1 truncated to the first 112 bits of its output;

Step 1C: check whether the hash output 102 satisfies the stopping condition, i.e. whether the first 16*sec bits of the output are all 0. If so, set the collision count to 0 and go to step 1D; otherwise increment the modifier by 1 and return to step 1A;

Step 1D: concatenate the modifier, the subnet prefix, the collision count, the public key and the extension fields;

Step 1E: compute the output of the first hash function HASH1 (107) over the concatenation from step 1D, where HASH1 is SHA-1 truncated to the first 64 bits of its output;

Step 1F: replace the first 3 bits of the HASH1 output with the value of sec and set bits 6 and 7 of the HASH1 output to 0; the result is the interface identifier. Combine the subnet prefix and the interface identifier into an IPv6 address and check for an address collision. If there is a collision and the collision count is less than 3, increment the collision count by 1 and return to step 1D (a count that reaches 3 aborts generation, since verification accepts only the values 0, 1 and 2). If there is no collision, the final CGA 114 is determined; it consists of the subnet prefix 113, the security parameter 111, the fixed flag bits 112 and part of the HASH1 output. The subnet prefix, public key, extension fields, the finally selected modifier and the collision count are written into the CGA parameters data structure that accompanies the CGA address.

CGA address verification process:

Given a CGA address and its accompanying CGA parameters, read the corresponding data from the CGA parameters: the modifier, subnet prefix, collision count, public key and extension fields. If the collision count in the CGA parameters is not 0, 1 or 2, verification fails; if the subnet prefix in the CGA parameters is not equal to the first 64 bits of the CGA address, verification fails; otherwise continue as follows:

from the data read from the CGA parameters, compute the output of the first hash function and check that it matches the first-hash-function output carried in the interface identifier of the CGA address;

from the data read from the CGA parameters and the security parameter in the interface identifier, compute the output of the second hash function and check that it satisfies the stopping condition.

The specific verification steps are shown in Figure 2:

Step 2A: concatenate the modifier, subnet prefix, collision count, public key and extension fields read from the CGA parameters;

Step 2B: compute the output of the first hash function HASH1 (107) over the concatenation from step 2A, where HASH1 is SHA-1 truncated to the first 64 bits of its output;

Step 2C: compare the HASH1 output with the interface identifier, ignoring bits 0-2 and bits 6-7; if they differ, verification fails; otherwise go to step 2D;

Step 2D: concatenate the modifier, 9 zero bytes, the public key and the extension fields;

Step 2E: compute the output of the second hash function HASH2 (101) over the concatenation from step 2D, where HASH2 is SHA-1 truncated to the first 112 bits of its output;

Step 2F: check whether the hash output 102 satisfies the stopping condition, i.e. whether the first 16*sec bits of the output are all 0; if so, verification succeeds, otherwise it fails.
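The generation steps 1A-1F and the verification steps 2A-2F above, implemented together as an added example (this is not code from the patent or from any CGA implementation). The subnet prefix, public key and modifier values are constructed for the example; a real CGA hashes the DER encoding of an RSA public key, and duplicate address detection on the link is stood in for by an `in_use` set.

```python
# Added example (not the patent's code): RFC 3972-style CGA generation and verification
# following steps 1A-1F and 2A-2F. The public key is a constructed byte string that stands
# in for a DER-encoded key; `in_use` stands in for duplicate address detection on the link.
import hashlib
import ipaddress
import os
from typing import Optional, Set, Tuple

HASH2_BYTES = 14          # HASH2 keeps the first 112 bits of SHA-1
HASH1_BYTES = 8           # HASH1 keeps the first 64 bits of SHA-1
MAX_COLLISIONS = 3        # the collision count may only be 0, 1 or 2


def _hash2(modifier: bytes, pubkey: bytes, ext: bytes) -> bytes:
    # steps 1A/1B: SHA-1(modifier || 9 zero bytes || public key || extension fields), first 112 bits
    return hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()[:HASH2_BYTES]


def _hash1(modifier: bytes, prefix: bytes, cc: int, pubkey: bytes, ext: bytes) -> bytes:
    # steps 1D/1E: SHA-1(modifier || subnet prefix || collision count || public key || ext), first 64 bits
    return hashlib.sha1(modifier + prefix + bytes([cc]) + pubkey + ext).digest()[:HASH1_BYTES]


def leading_bits_zero(data: bytes, nbits: int) -> bool:
    # True when the first nbits of data are all zero (nbits == 0 is always satisfied)
    value = int.from_bytes(data, "big")
    return nbits == 0 or (value >> (len(data) * 8 - nbits)) == 0


def _interface_id(hash1: bytes, sec: int) -> bytes:
    # step 1F: bits 0-2 carry sec, bits 6 and 7 ("u"/"g") are cleared, the rest is HASH1
    iid = bytearray(hash1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def cga_generate(prefix: bytes, pubkey: bytes, sec: int, ext: bytes = b"",
                 modifier: Optional[bytes] = None,
                 in_use: Optional[Set[ipaddress.IPv6Address]] = None
                 ) -> Tuple[ipaddress.IPv6Address, dict]:
    """Return (address, CGA parameters); `modifier` fixes the starting point for reproducibility."""
    assert len(prefix) == 8 and 0 <= sec <= 7
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while True:                                   # steps 1A-1C: search for a modifier
        m = mod.to_bytes(16, "big")
        if leading_bits_zero(_hash2(m, pubkey, ext), 16 * sec):
            break
        mod = (mod + 1) % (1 << 128)
    in_use = in_use or set()
    for cc in range(MAX_COLLISIONS):              # steps 1D-1F: at most three collision retries
        iid = _interface_id(_hash1(m, prefix, cc, pubkey, ext), sec)
        addr = ipaddress.IPv6Address(prefix + iid)
        if addr not in in_use:
            return addr, {"modifier": m, "prefix": prefix, "collision_count": cc,
                          "public_key": pubkey, "ext": ext}
    raise RuntimeError("three address collisions: CGA generation failed")


def cga_verify(addr: ipaddress.IPv6Address, params: dict) -> bool:
    """Steps 2A-2F: check that the address is bound to the public key in `params`."""
    cc = params["collision_count"]
    if cc not in (0, 1, 2):
        return False
    packed = addr.packed
    if params["prefix"] != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    h1 = _hash1(params["modifier"], params["prefix"], cc, params["public_key"], params["ext"])
    # step 2C: compare ignoring bits 0-2 (sec) and bits 6-7 (u/g) of the first byte
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    # steps 2D-2F: the modifier must still satisfy the 16*sec zero-bit stopping condition
    return leading_bits_zero(_hash2(params["modifier"], params["public_key"], params["ext"]), 16 * sec)


if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000001")    # 2001:db8::/64, a documentation prefix
    pubkey = b"constructed public key bytes for the example"
    addr, params = cga_generate(prefix, pubkey, sec=1)
    print(addr, params["collision_count"], cga_verify(addr, params))
```

With sec=1 the modifier search needs about 2^16 SHA-1 evaluations; every further step of sec multiplies that by 2^16, which is the cost that makes brute-forcing a second key for an existing address expensive. Swapping the public key in the parameters, or altering the modifier, makes `cga_verify` fail, which is the binding the CGA provides.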

In summary, to use CGA addresses to strengthen a protocol, the IPv6 address is replaced by the CGA address and, in addition, a set of CGA parameters is sent along with it; the CGA parameters comprise a subnet prefix field, a public key field, an extension field, a modifier field and a collision count field. The resulting CGA is the concatenation of a 64-bit subnet prefix and a 64-bit interface identifier, where the interface identifier is the first 64 bits of the hash-function output over the modifier field, subnet prefix field, collision count field, public key field and extension field, input in that order, with bits 0-2 set to sec and bits 6-7 (the "u" and "g" bits) set to 0.

However, existing CGA generation specifies only one hash function, SHA-1. As research on hash functions progresses, the hash function currently in use is under threat of being broken, so it has been proposed to add an identifier of the hash function to the CGA address.

One prior-art approach adds an identifier of the hash function used to the extension field of the CGA parameters. This, however, invites a downgrade attack: the CGA address and CGA parameters can be replaced with ones computed under a hash function of lower security strength.

Another prior-art approach places the identifier of the hash function in the CGA address itself, occupying several more of the 59 bits of the interface identifier that remain after the security parameter sec and the "u" and "g" bits. This reduces the number of hash-output bits in the CGA address, and since the security of a hash function is positively correlated with its number of output bits, this approach sacrifices the security of the CGA.

A further prior-art approach uses bits 0-2 of the interface identifier of the CGA address to represent the hash function. Since these 3 bits are already occupied by the security parameter sec, they take on a double meaning and have to be redefined; the specification gives the definitions for sec=0,1,2 (see Figure 3):

sec=0 means SHA-1 with security parameter 0; sec=1 means SHA-1 with security parameter 1; sec=2 means SHA-1 with security parameter 2.

This technique can represent only 8 combinations of security parameter and hash function, which is very limited. It can be seen that at present multiple hash functions cannot be represented without reducing the security strength, so IPv6 addresses lack hash-function agility.

Summary of the invention

In view of this, the main object of the present invention is to provide a method and system for processing an IPv6 stateless address, which ensures that the generated address can represent multiple hash functions without reducing security strength, so that the generated address has hash-function agility; even if the hash function in use is broken, it can be conveniently replaced with a more secure one.

To achieve the above object, the technical solution of the present invention is realized as follows:

A method for processing an IPv6 stateless address, the method comprising:

pre-selecting a security parameter and a hash function, choosing an initial value for the modifier and determining the final value of the modifier according to a stopping condition;

determining the finally generated address from the parameters selected above.

The value of the modifier is varied from its initial value until the stopping condition is satisfied; the stopping condition depends on the output of the second hash function and on the numbers of bits that the security parameter identifier and the hash function identifier occupy in the address.

The finally generated address contains an independent security parameter identifier, a hash function identifier and a first-hash-function output; the input used to compute the first-hash-function output includes the final value of the modifier.

The security parameter identifier and/or the hash function identifier, or a combined identifier of security parameter and hash function, is contained in the address parameters accompanying the finally generated address rather than in the finally generated address itself.

The method further comprises:

when the generated address is to be verified, extracting the security parameter identifier and the hash function identifier from the generated address and/or from the address parameters accompanying it, and extracting the first-hash-function output from the generated address;

computing a first-hash-function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and verifying whether it matches the extracted first-hash-function output; and computing a second-hash-function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier, and verifying whether it satisfies the stopping condition.

The method further comprises: before the address is verified, or after verification succeeds, determining according to a local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.

A method for processing an IPv6 stateless address, the method comprising:

extracting a security parameter identifier and a hash function identifier from the address to be verified and/or from the address parameters accompanying it, and extracting a first-hash-function output from the address to be verified;

computing a first-hash-function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and verifying whether it matches the extracted first-hash-function output; and computing a second-hash-function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier, and verifying whether it satisfies the stopping condition.

The method further comprises:

before the address is verified, or after verification succeeds, determining according to a local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.

A system for processing an IPv6 stateless address, the system comprising a parameter selection unit and an address generation unit, wherein

the parameter selection unit is configured to pre-select a security parameter and a hash function, choose an initial value for the modifier and determine the final value of the modifier according to a stopping condition;

the address generation unit is configured to determine the finally generated address from the parameters selected by the parameter selection unit.

The value of the modifier is varied from its initial value until the stopping condition is satisfied; the stopping condition depends on the output of the second hash function and on the numbers of bits that the security parameter identifier and the hash function identifier occupy in the address.

The finally generated address contains an independent security parameter identifier, a hash function identifier and a first-hash-function output; the input used to compute the first-hash-function output includes the final value of the modifier.

The security parameter identifier and/or the hash function identifier, or a combined identifier of security parameter and hash function, is contained in the address parameters accompanying the finally generated address rather than in the finally generated address itself.

The system further comprises a security policy verification unit, configured to determine, before the address is verified or after verification succeeds, whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition according to a local security policy.

A system for processing an IPv6 stateless address, the system comprising a parameter acquisition unit and an address verification unit, wherein

the parameter acquisition unit is configured to extract a security parameter identifier and a hash function identifier from the address to be verified and/or from the address parameters accompanying it, and to extract a first-hash-function output from the address to be verified;

the address verification unit is configured to compute a first-hash-function output from the data in the address parameters accompanying the address and the extracted hash function identifier and verify whether it matches the extracted first-hash-function output, and to compute a second-hash-function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier and verify whether it satisfies the stopping condition.

The verification unit comprises a first verification unit and a second verification unit, wherein

the first verification unit is configured to compute a first-hash-function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and verify whether it matches the extracted first-hash-function output;

the second verification unit is configured to compute a second-hash-function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier, and verify whether it satisfies the stopping condition.

The first verification unit and the second verification unit may be implemented together or separately.

The system further comprises a security policy verification unit, configured to determine, before the address is verified or after verification succeeds, whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition according to a local security policy.

The present invention ensures that the generated address can represent multiple hash functions without reducing security strength, and supports address verification based on the selected hash function.

Brief description of the drawings

Figure 1 is a schematic diagram of the generation principle of a prior-art CGA;

Figure 2 is a schematic diagram of the verification principle of a prior-art CGA;

Figure 3 is a schematic diagram of a prior-art CGA that represents the hash function identifier and the security parameter at the same time;

Figure 4 is a schematic diagram of the overall address structure according to an embodiment of the present invention;

Figure 5 is a schematic diagram of the detailed address structure according to an embodiment of the present invention;

Figure 6 is a schematic diagram of the principle of generating an address according to an embodiment of the present invention;

Figure 7 is a schematic diagram of the principle of verifying an address according to an embodiment of the present invention;

Figure 8 is a simplified flow chart of generating an address according to an embodiment of the present invention;

Figure 9 is a simplified flow chart of verifying an address according to an embodiment of the present invention.

Detailed description

When generating an address, first select the security parameter and the hash function, and choose a random value of a given length as the initial value of the modifier; select the other parameters, including the public key, the extension fields and so on;

compute the output of the second hash function over the selected parameters with the selected hash function and check whether the stopping condition is satisfied; if not, vary the modifier until it is. The stopping condition is determined jointly by the numbers of bits that the security parameter identifier and the hash function identifier occupy in the address; the modifier that satisfies the stopping condition is the final value of the modifier;

then determine the output of the first hash function from the modifier, the public key, the extension fields and so on, and from it the values of the finally generated CGA address and the associated CGA parameters.

The finally generated address contains an independent security parameter identifier, a hash function identifier and a first-hash-function output.

When verifying an address, the security parameter identifier, the hash function identifier and the first-hash-function output can be extracted from the address to be verified;

then the first-hash-function output is computed from the data read from the CGA parameters and the hash function identifier in the interface identifier, and checked against the first-hash-function output in the interface identifier;

and the second-hash-function output is computed from the data read from the CGA parameters and the security parameter identifier and hash function identifier in the interface identifier, and checked against the stopping condition.

The embodiments of the present invention are further described below with reference to the drawings.

Referring to Figure 4, the IPv6 address finally generated by the present invention consists of a subnet prefix and an interface identifier, where the interface identifier includes a security parameter identifier, a hash function identifier, a first-hash-function output and other content. The order of the items within the interface identifier is not limited by the figure.

Referring to Figure 5, in CGA 500 the first 3 bits of the interface identifier are the security parameter, the following bits 3-5 are the hash function identifier (so the identifier has n=3 bits), bits 6-7 are the "u" and "g" flags, and the remainder is the first-hash-function output;

in CGA 501 the first 3 bits of the interface identifier are the security parameter, the following bits 3-4 are the hash function identifier (n=2), bits 6-7 are the "u" and "g" flags, and the remainder is the first-hash-function output;

in CGA 502 the first 2 bits of the interface identifier are the security parameter, the following bits 2-4 are the hash function identifier (n=3), bits 6-7 are the "u" and "g" flags, and the remainder is the first-hash-function output;

in CGA 503 the first 2 bits of the interface identifier are the security parameter, the following bits 2-3 are the hash function identifier (n=2), bits 6-7 are the "u" and "g" flags, and the remainder is the first-hash-function output;

in CGA 504 the first 3 bits of the interface identifier are the security parameter, the following bit 3 is the hash function identifier (n=1), bits 6-7 are the "u" and "g" flags, and the remainder is the first-hash-function output.

The order of sec, Hid and the first-hash-function output within the interface identifier is not limited by the figure.

Referring to Figure 6, which takes a hash function identifier of n=3 bits as an example, the security parameter sec and the hash function identifier Hid are pre-selected.

The following operations can be performed according to Figure 6:

determine the value of the modifier from the output of the second hash function and a stopping condition determined jointly by the security parameter identifier and the hash function identifier;

and determine the output of the first hash function from the modifier, the public key and the other inputs, and from it the values of the final CGA address and the associated CGA parameters.

The above operations can be refined into the following steps:

Step 6A: as step 1A of Figure 1, concatenate the modifier, 9 zero bytes, the public key and the extension fields;

Step 6B: compute the output of the second hash function HASH2 over the concatenation from step 6A, where the HASH2 function is determined by the pre-selected hash function identifier Hid; the number of HASH2 output bits depends not only on Hid but also on the pre-selected security parameter sec;

Step 6C: determine whether the second-hash-function output 601 satisfies the stopping condition, for example whether its first f(sec,n) bits are all 0; this embodiment takes f(sec,n)=16*sec+n, and the length of the second-hash-function output 601 must be no less than f(sec,n). If the stopping condition is satisfied, set the collision count to 0 and go to step 6D; otherwise increment the modifier by 1 and return to step 6A;

Step 6D: as step 1D of Figure 1, concatenate the modifier, the subnet prefix, the collision count, the public key and the extension fields;

Step 6E: compute the output of the first hash function HASH1 over the concatenation from step 6D, where the HASH1 function is determined by the pre-selected hash function identifier Hid; the number of HASH1 output bits is no less than the number of bits that remain in the interface identifier after the security parameter identifier, the hash function identifier and the "u" and "g" flags are removed. This embodiment takes the first 56 bits of the hash function denoted by Hid as the first-hash-function output;

Step 6F: concatenate sec (3 bits), the hash function identifier Hid (3 bits) and the "u" and "g" flags set to 0, and prepend these 8 bits to the first-hash-function output 604 to form the interface identifier; then combine the subnet prefix and the interface identifier into an IPv6 address and check for an address collision. If there is a collision and the collision count is less than 3, increment the collision count by 1 and return to step 6D; if there is no collision, the final CGA 608 is determined and contains the subnet prefix 113, the security parameter 111, the fixed flag bits 112, the hash function identifier 606 and the partial HASH1 output 607. Write the subnet prefix, public key, extension fields, the finally selected modifier and the collision count into the CGA parameters data structure accompanying the CGA address.

It should be noted that the number of second-hash-function output bits can also be added to the CGA parameters, to indicate how many bits of the second-hash-function output have to be taken during verification.

Referring to Figure 7, given a CGA and its accompanying CGA parameters, read the corresponding data from the CGA parameters. If the collision count in the CGA parameters is not 0, 1 or 2, verification fails; if the subnet prefix in the CGA parameters is not equal to the first 64 bits of the CGA, verification fails; otherwise continue as follows:

from the data read from the CGA parameters and the hash function identifier in the interface identifier, compute the output of the first hash function and check that it matches the first-hash-function output in the interface identifier;

and from the data read from the CGA parameters and the security parameter identifier and hash function identifier in the interface identifier, compute the output of the second hash function and check that it satisfies the stopping condition.

The above process can be refined into the following steps:

Step 7A: as step 2A of Figure 2, concatenate the modifier, the subnet prefix, the collision count, the public key and the extension fields;

Step 7B: compute the output of the first hash function HASH1 over the concatenation from step 7A, where the HASH1 function is determined by the hash function identifier Hid; the number of HASH1 output bits is no less than the number of bits that remain in the interface identifier after the security parameter identifier, the hash function identifier and the "u" and "g" flags are removed. This embodiment takes the first 56 bits of the hash function denoted by Hid as the first-hash-function output;

Step 7C: compare whether the HASH1 output 604 equals the last 56 bits of the interface identifier; if not, verification fails; otherwise go to step 7D and continue;

Step 7D: as step 2D of Figure 2, concatenate the modifier, 9 zero bytes, the public key and the extension fields;

Step 7E: compute the output of the second hash function HASH2 over the concatenation from step 7D, where the HASH2 function is determined by the hash function identifier Hid; the number of HASH2 output bits depends not only on Hid but also on the security parameter sec. If the CGA parameters include the number of second-hash-function output bits, the number of output bits is taken from that parameter;

Step 7F: determine whether the second-hash-function output 601 satisfies the stopping condition, for example whether its first f(sec,n) bits are all 0; this embodiment takes f(sec,n)=16*sec+n, and the length of the second-hash-function output 601 must be no less than f(sec,n). If the result of step 7F is "yes", verification succeeds; otherwise verification fails.
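The hash-agile address of the embodiment (the CGA 500 layout of Figure 5, the generation steps 6A-6F, the verification steps 7A-7F and the local acceptance policy on sec and Hid claimed above), implemented as an added example; it is not code from the patent. The mapping from Hid values to hash functions is an assumption, since the patent does not assign numbers to hash functions, and the public key and modifier are constructed values. The other layouts of Figure 5 differ only in the bit positions of sec and Hid and are not parameterized here.

```python
# Added example (not the patent's code): hash-agile CGA with sec in bits 0-2, Hid in bits 3-5
# (n = 3), "u"/"g" in bits 6-7 and the first 56 bits of HASH1 in the remaining bits.
# HASH_BY_HID is an assumed registry; the patent leaves the numbering of hash functions open.
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

SEC_BITS, HID_BITS = 3, 3
HASH1_BYTES = (64 - SEC_BITS - HID_BITS - 2) // 8      # 56 bits, i.e. 7 bytes
HASH_BY_HID = {0: "sha1", 1: "sha256", 2: "sha512"}    # assumed Hid registry


def stop_bits(sec: int, n: int = HID_BITS) -> int:
    # f(sec, n) = 16*sec + n leading zero bits of HASH2 (steps 6C and 7F)
    return 16 * sec + n


def _digest(hid: int, data: bytes) -> bytes:
    return hashlib.new(HASH_BY_HID[hid], data).digest()


def _hash2(hid: int, modifier: bytes, pubkey: bytes, ext: bytes) -> bytes:
    # steps 6A/6B: hash(modifier || 9 zero bytes || public key || ext) with the function named by Hid
    return _digest(hid, modifier + bytes(9) + pubkey + ext)


def _hash1(hid: int, modifier: bytes, prefix: bytes, cc: int, pubkey: bytes, ext: bytes) -> bytes:
    # steps 6D/6E: first 56 bits of hash(modifier || prefix || collision count || public key || ext)
    return _digest(hid, modifier + prefix + bytes([cc]) + pubkey + ext)[:HASH1_BYTES]


def leading_bits_zero(data: bytes, nbits: int) -> bool:
    # the HASH2 output must be at least f(sec, n) bits long for the stopping condition to be meaningful
    if nbits > len(data) * 8:
        raise ValueError("HASH2 output shorter than f(sec, n)")
    value = int.from_bytes(data, "big")
    return nbits == 0 or (value >> (len(data) * 8 - nbits)) == 0


def split_interface_id(iid: bytes) -> Tuple[int, int, bytes]:
    """Return (sec, Hid, HASH1 part) from the 64-bit interface identifier of CGA 500."""
    return iid[0] >> 5, (iid[0] >> 2) & 0x07, iid[1:]


def agile_cga_generate(prefix: bytes, pubkey: bytes, sec: int, hid: int, ext: bytes = b"",
                       modifier: Optional[bytes] = None, in_use=None):
    assert len(prefix) == 8 and 0 <= sec < (1 << SEC_BITS) and hid in HASH_BY_HID
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while True:                                   # steps 6A-6C: modifier search
        m = mod.to_bytes(16, "big")
        if leading_bits_zero(_hash2(hid, m, pubkey, ext), stop_bits(sec)):
            break
        mod = (mod + 1) % (1 << 128)
    in_use = in_use or set()
    for cc in range(3):                           # steps 6D-6F: at most three collision retries
        # sec (3 bits) || Hid (3 bits) || u,g = 00 || first 56 bits of HASH1
        iid = bytes([(sec << 5) | (hid << 2)]) + _hash1(hid, m, prefix, cc, pubkey, ext)
        addr = ipaddress.IPv6Address(prefix + iid)
        if addr not in in_use:
            return addr, {"modifier": m, "prefix": prefix, "collision_count": cc,
                          "public_key": pubkey, "ext": ext}
    raise RuntimeError("three address collisions: generation failed")


def agile_cga_verify(addr: ipaddress.IPv6Address, params: dict) -> bool:
    cc = params["collision_count"]
    if cc not in (0, 1, 2) or params["prefix"] != addr.packed[:8]:
        return False
    sec, hid, h1_in_addr = split_interface_id(addr.packed[8:])
    if hid not in HASH_BY_HID:                    # unknown hash identifier: cannot verify
        return False
    # steps 7A-7C: HASH1 under the function named by Hid must equal the last 56 bits
    if _hash1(hid, params["modifier"], params["prefix"], cc, params["public_key"], params["ext"]) != h1_in_addr:
        return False
    # steps 7D-7F: the modifier must satisfy the stopping condition for this sec and n
    return leading_bits_zero(_hash2(hid, params["modifier"], params["public_key"], params["ext"]), stop_bits(sec))


def policy_accepts(addr: ipaddress.IPv6Address, min_sec: int, allowed_hids) -> bool:
    """Local acceptance policy on sec and Hid, applied before or after verification."""
    sec, hid, _ = split_interface_id(addr.packed[8:])
    return sec >= min_sec and hid in allowed_hids
```

Because Hid is read from the address itself, a verifier recomputes HASH1 with the function the address names; flipping the Hid bits produces a different address whose HASH1 part no longer matches, so the identifier cannot be swapped without redoing the work. Retiring a broken function is then a matter of removing its Hid from the local policy rather than changing the address format.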

Taking the above description together, the approach of the present invention to processing IPv6 stateless addresses can be represented by the flows shown in Figures 8 and 9 respectively.

The flow shown in Figure 8 includes the following steps:

Step 810: Pre-select the security parameter and the hash function, choose the initial value of the modifier, and determine the final value of the modifier according to the stop condition.

Step 820: Determine the finally generated address according to the parameters selected above.

Typically, the finally generated address contains an independent security parameter identifier, a hash function identifier and the first hash function output.

It should be noted that the preparatory work in step 810, such as pre-selecting the security parameter, may be performed by a parameter selection unit, and the actual address generation in step 820 may be performed by an address generation unit. The specific functions that these two units implement have been described in detail in the foregoing technical description.

The flow shown in Figure 9 includes the following steps:

Step 910: Extract the security parameter identifier, the hash function identifier and the first hash function output from the address to be verified.

Step 920: Compute the first hash function output from the data in the CGA parameters accompanying the address and the extracted hash function identifier, and verify whether it matches the extracted first hash function output; also compute the second hash function output from the data in the CGA parameters and the extracted security parameter identifier and hash function identifier, and verify whether it satisfies the stop condition.

It should be noted that the extraction in step 910 may be performed by a parameter acquisition unit; in step 920, the verification of the first hash function output may be performed by a first verification unit, and the verification of the second hash function output by a second verification unit. The specific functions that these three units implement have been described in detail in the foregoing technical description and are not repeated here. In addition, the first verification unit and the second verification unit may be separate or combined; when combined, the first and second verification units may be referred to collectively as the address verification unit.

In summary, for both the method and the system, because the stop condition used during address generation takes into account the number of bits occupied in the address by the security parameter identifier and the hash function identifier, the finally generated address can carry an independent hash function identifier in addition to the security parameter identifier and the first hash function output, and can therefore indicate several different hash functions without lowering the security strength. Moreover, because the security parameter identifier, the hash function identifier and the first hash function output can be extracted from the address to be verified, address verification can be performed using the indicated hash function.
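The generation flow of Figure 8 and the verification flow of Figure 9 (steps 7B to 7F), as an added worked example in Python; this is not code from the patent or from ZTE. It assumes an RFC 3972-style HASH1 input (modifier | subnet prefix | collision count | public key | extension), a 3-bit Hid field (n = 3) placed directly after the 3-bit sec field in the interface identifier (sec | Hid | u | g | HASH1, with u = g = 0), and an assumed Hid-to-algorithm table {0: SHA-1, 1: SHA-256, 2: SHA-512}. The public key and prefix in the usage section are constructed test values.

```python
import hashlib
import os

# Assumed Hid -> hash algorithm table; the patent leaves the concrete mapping open.
HASH_BY_HID = {0: "sha1", 1: "sha256", 2: "sha512"}
SEC_BITS = 3      # security parameter identifier width (as in RFC 3972)
HID_BITS = 3      # n: width of the hash function identifier field (assumed)
HASH1_BITS = 64 - SEC_BITS - HID_BITS - 2   # 56 bits left after sec, Hid, u, g


def hash1(hid, modifier, prefix, collision, pubkey, ext=b""):
    """Steps 7A/7B (assumed RFC 3972-style input layout):
    HASH1 = H_Hid(modifier | prefix | collision count | public key | ext), first 56 bits."""
    data = modifier + prefix + bytes([collision]) + pubkey + ext
    return hashlib.new(HASH_BY_HID[hid], data).digest()[: HASH1_BITS // 8]


def hash2(hid, modifier, pubkey, ext=b""):
    """Steps 7D/7E: HASH2 = H_Hid(modifier | 9 zero bytes | public key | ext)."""
    return hashlib.new(HASH_BY_HID[hid], modifier + b"\x00" * 9 + pubkey + ext).digest()


def f_stop(sec, n=HID_BITS):
    """Number of leading zero bits HASH2 must have: f(sec, n) = 16*sec + n."""
    return 16 * sec + n


def stop_condition_met(h2, sec, n=HID_BITS):
    """Step 7F: the first f(sec, n) bits of the HASH2 output are all zero.
    The output must be at least f(sec, n) bits long, otherwise the check is undefined."""
    zero_bits = f_stop(sec, n)
    total_bits = len(h2) * 8
    if total_bits < zero_bits:
        raise ValueError("HASH2 output shorter than f(sec, n) bits")
    return int.from_bytes(h2, "big") >> (total_bits - zero_bits) == 0


def build_iid(sec, hid, h1):
    """Interface identifier layout (assumed): sec(3) | Hid(3) | u | g | HASH1(56), u = g = 0."""
    return bytes([(sec << 5) | (hid << 2)]) + h1


def parse_iid(iid):
    """Step 910: recover sec, Hid and the stored HASH1 bits from the interface identifier."""
    sec = iid[0] >> 5
    hid = (iid[0] >> 2) & 0x7
    return sec, hid, iid[1:]


def generate(sec, hid, prefix, pubkey, ext=b"", modifier=None, collision=0):
    """Figure 8: vary the modifier until the stop condition holds (step 810), then
    build the address (step 820). Returns (address, cga_params)."""
    if len(prefix) != 8:
        raise ValueError("subnet prefix must be 64 bits")
    modifier = os.urandom(16) if modifier is None else modifier
    while not stop_condition_met(hash2(hid, modifier, pubkey, ext), sec):
        # Increment the 128-bit modifier and try again.
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    iid = build_iid(sec, hid, hash1(hid, modifier, prefix, collision, pubkey, ext))
    params = {"modifier": modifier, "prefix": prefix, "collision": collision,
              "pubkey": pubkey, "ext": ext}
    return prefix + iid, params


def verify(address, params):
    """Figure 9 / steps 7B-7F: recompute HASH1 with the Hid taken from the address and
    compare it with the stored bits (7C); then recompute HASH2 and test the stop
    condition with the sec taken from the address (7F)."""
    prefix, iid = address[:8], address[8:]
    sec, hid, h1_stored = parse_iid(iid)
    if hid not in HASH_BY_HID or prefix != params["prefix"]:
        return False
    h1 = hash1(hid, params["modifier"], prefix, params["collision"], params["pubkey"], params["ext"])
    if h1 != h1_stored:
        return False
    return stop_condition_met(hash2(hid, params["modifier"], params["pubkey"], params["ext"]), sec)


def policy_accepts(address, min_sec, allowed_hids):
    """Claims 6 and 8: local policy check on sec and Hid, separate from the hash checks
    (for example, refuse a deprecated hash function or a sec below a local floor)."""
    sec, hid, _ = parse_iid(address[8:])
    return sec >= min_sec and hid in allowed_hids


if __name__ == "__main__":
    # Constructed test values, not real keys or prefixes from the patent.
    prefix = bytes.fromhex("20010db800000001")
    pubkey = b"constructed-test-public-key-bytes"
    addr, params = generate(sec=0, hid=1, prefix=prefix, pubkey=pubkey)
    print("address:", addr.hex(), "verify:", verify(addr, params))
    print("policy (min sec 0, SHA-256/512 only):", policy_accepts(addr, 0, {1, 2}))
```

With sec = 0 the search only needs n = 3 leading zero bits, so the modifier loop finishes after a handful of attempts; each increment of sec raises the expected work by a factor of 2^16, which is the brute-force resistance the stop condition f(sec, n) = 16*sec + n buys. The extra n bits in the HASH2 condition compensate for the 56-bit (rather than 59-bit) HASH1 field that the Hid bits displace, which is what the summary above means by representing several hash functions without lowering the security strength. A verifier that wants to reject SHA-1 can do so in policy_accepts without touching the hash checks.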

The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims

1. A method for processing an Internet Protocol version 6 (IPv6) stateless address, characterized in that the method comprises: pre-selecting a security parameter and a hash function, choosing an initial value of a modifier and determining the final value of the modifier according to a stop condition; and determining the finally generated address according to the selected parameters.

2. The method according to claim 1, characterized in that the value of the modifier changes from the initial value until the stop condition is satisfied; the stop condition is related to the second hash function output and to the number of bits occupied in the address by the security parameter identifier and the hash function identifier.

3. The method according to claim 1, characterized in that the finally generated address contains an independent security parameter identifier, a hash function identifier and a first hash function output; the input used when computing the first hash function output includes the final value of the modifier.

4. The method according to claim 1, characterized in that the security parameter identifier and/or the hash function identifier, or a combined identifier of the security parameter and the hash function, is contained in the address parameters accompanying the finally generated address rather than in the finally generated address itself.

5. The method according to any one of claims 1 to 4, characterized in that the method further comprises: when the generated address is to be verified, extracting the security parameter identifier and the hash function identifier from the generated address and/or from the address parameters accompanying the address, and extracting the first hash function output from the generated address; computing the first hash function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and verifying whether it matches the extracted first hash function output; and computing the second hash function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier, and verifying whether it satisfies the stop condition.

6. The method according to any one of claims 1 to 4, characterized in that the method further comprises: before the address is verified, or after verification succeeds, determining according to a local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.

7. A method for processing an IPv6 stateless address, characterized in that the method comprises: extracting the security parameter identifier and the hash function identifier from the address to be verified and/or from the address parameters accompanying the address, and extracting the first hash function output from the address to be verified; computing the first hash function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and verifying whether it matches the extracted first hash function output; and computing the second hash function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier, and verifying whether it satisfies the stop condition.

8. The method according to claim 7, characterized in that the method further comprises: before the address is verified, or after verification succeeds, determining according to a local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.

9. A system for processing an IPv6 stateless address, characterized in that the system comprises a parameter selection unit and an address generation unit, wherein: the parameter selection unit is configured to pre-select a security parameter and a hash function, choose an initial value of a modifier and determine the final value of the modifier according to a stop condition; and the address generation unit is configured to determine the finally generated address according to the parameters selected by the parameter selection unit.

10. The system according to claim 9, characterized in that the value of the modifier changes from the initial value until the stop condition is satisfied; the stop condition is related to the second hash function output and to the number of bits occupied in the address by the security parameter identifier and the hash function identifier.

11. The system according to claim 9, characterized in that the finally generated address contains an independent security parameter identifier, a hash function identifier and a first hash function output; the input used when computing the first hash function output includes the final value of the modifier.

12. The system according to claim 9, characterized in that the security parameter identifier and/or the hash function identifier, or a combined identifier of the security parameter and the hash function, is contained in the address parameters accompanying the finally generated address rather than in the finally generated address itself.

13. The system according to any one of claims 9 to 12, characterized in that the system further comprises a security policy verification unit configured to determine, before the address is verified or after verification succeeds, according to a local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.

14. A system for processing an IPv6 stateless address, characterized in that the system comprises a parameter acquisition unit and an address verification unit, wherein: the parameter acquisition unit is configured to extract the security parameter identifier and the hash function identifier from the address to be verified and/or from the address parameters accompanying the address, and to extract the first hash function output from the address to be verified; and the address verification unit is configured to compute the first hash function output from the data in the address parameters accompanying the address and the extracted hash function identifier and verify whether it matches the extracted first hash function output, and to compute the second hash function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier and verify whether it satisfies the stop condition.

15. The system according to claim 14, characterized in that the address verification unit comprises a first verification unit and a second verification unit, wherein: the first verification unit is configured to compute the first hash function output from the data in the address parameters accompanying the address and the extracted hash function identifier, and to verify whether it matches the extracted first hash function output; and the second verification unit is configured to compute the second hash function output from the data in the address parameters and the extracted security parameter identifier and hash function identifier, and to verify whether it satisfies the stop condition.

16. The system according to claim 15, characterized in that the first verification unit and the second verification unit are combined or separate.

17. The system according to claim 14, characterized in that the system further comprises a security policy verification unit configured to determine, before the address is verified or after verification succeeds, according to a local security policy whether the security parameter identifier and/or the hash function identifier satisfies the acceptance condition.
PCT/CN2013/070850 2012-02-28 2013-01-22 Method and system for processing ipv6 stateless address Ceased WO2013127281A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210047474.2A CN103297550B (en) 2012-02-28 2012-02-28 A kind of processing method and system of IPv6 stateless address
CN201210047474.2 2012-02-28

Publications (1)

Publication Number Publication Date
WO2013127281A1 true WO2013127281A1 (en) 2013-09-06

Family

ID=49081610

Country Status (2)

Country Link
CN (1) CN103297550B (en)
WO (1) WO2013127281A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104917852B (en) * 2015-05-29 2019-01-18 中国科学院信息工程研究所 A kind of data quick-processing method for the address IPv6
CN117354063B (en) * 2023-12-04 2024-04-02 明阳产业技术研究院(沈阳)有限公司 IPv 6-based intelligent internet terminal management method, system, medium and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060020807A1 (en) * 2003-03-27 2006-01-26 Microsoft Corporation Non-cryptographic addressing
CN101536395A (en) * 2005-06-28 2009-09-16 微软公司 Human input security code
CN101960814A (en) * 2008-03-04 2011-01-26 爱立信电话股份有限公司 IP address delegation

Also Published As

Publication number Publication date
CN103297550B (en) 2018-05-04
CN103297550A (en) 2013-09-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 13755883; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 13755883; Country of ref document: EP; Kind code of ref document: A1