
Computer Engineering ›› 2012, Vol. 38 ›› Issue (15): 114-118. doi: 10.3969/j.issn.1000-3428.2012.15.033

• Security Technology •

Design of Security Association Management Scheme Between Mobile Nodes

SUN Ling 1, TIAN Yuan 1, XING Hong-zhi 2

  1. Department of Computer Application, Henan Business College, Zhengzhou 450044, China
  2. Institute of Electronic Technology, PLA Information Engineering University, Zhengzhou 450004, China
  • Received: 2011-09-14 Online: 2012-08-05 Published: 2012-08-05
  • About the authors: SUN Ling (born 1976), female, associate professor, M.S., CCF member, main research interest: wireless network security; TIAN Yuan and XING Hong-zhi, M.S.
  • Funding:
    Supported by the Fund of the National Key Laboratory of Modern Communications (9140C110702090) and the Henan Province Funding Program for Young Backbone Teachers in Higher Education Institutions

Abstract: In the IETF Internet Key Exchange version 2 (IKEv2) scheme, communication may fail during Security Association (SA) update after a node changes its IP address while offline. Mobile IKE (MOBIKE) updates SAs inefficiently and cannot resist malicious reflection attacks during SA update. This paper therefore proposes a new security management scheme that improves the SA establishment process, reduces the number of SA renegotiations on mobile nodes, and associates the security association with the mobile node's home address. Analysis results show that, compared with MOBIKE, the new scheme guarantees SA update when mobile nodes change address offline and offers higher handover efficiency and better security.

Key words: Security Association (SA), Internet Key Exchange version 2 (IKEv2) scheme, Security Association Database (SAD), home address, handover, Binding Update (BU)
