Research On The Technologies Of Attack Defense And Secure Mobility Management In Identifier Networks

Posted on: 2015-06-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Q Tang
GTID: 1488304310996439
Subject: Communication and Information System
Abstract/Summary:
To address the shortcomings of the traditional network, such as routing scalability, security, mobility, and meeting the changing requirements of users, researchers are studying new Internet architectures. In recent years, bringing the ideas of locator/identifier separation and resource/location separation into the design of the future Internet architecture has been one of the research hotspots. Identifier networks separate the identity and location attributes of the IP address by using an independent access identifier and routing identifier, and separate resource from location by using location-independent content names. This dissertation focuses on the security technologies of identifier networks, and mainly studies attack defense and secure mobility management approaches. The main contributions and innovations are summarized as follows:

1. A mapping-based DDoS defense approach is proposed for the locator/identifier separation environment. It includes a network-based lightweight capability mechanism and a mapping filter-based active DDoS defense mechanism. The approach uses the mapping relationships between access identifiers and routing identifiers to distribute capabilities, and enables victims to actively request that the network block DDoS attack traffic. We demonstrate the feasibility and effectiveness of the mapping-based DDoS defense approach by means of comparison, experiment and numerical analysis.

2. A network-based secure mobility control protocol (SMCP) is proposed to support node mobility in the locator/identifier separation environment. SMCP, which is based on the AAA model, designs the mobile node's secure initial access processes, the intra-domain mobile handover processes and the inter-domain mobile handover processes. This dissertation gives a handover delay analysis model and compares SMCP with other mobility management methods. The results show that SMCP can prevent man-in-the-middle, replay and tampering attacks. In addition, SMCP has lower authentication delay, handover delay, and handover blocking probability.

3. A prefix identification-based collaborative defense approach is proposed to prevent the Interest flooding attack in the resource and location separation environment. This approach detects the Interest flooding attack by periodically examining the pending Interest table utilization rate and the Interest satisfied rate. After identifying the abnormal name prefixes from the pending Interest table, the content routers send feedback information to neighbor nodes and then limit the forwarding rate of abnormal Interests. The simulation and comparison results show that the proposed approach can identify the abnormal name prefixes, quickly suppress malicious Interests based on prefixes, and reduce the impact of attacks on legitimate users.

4. To support content source mobility in the resource and location separation environment, an identity-based secure source mobility management approach is proposed. This approach adopts the ideas of locator/identifier separation, control and data plane separation, and identity-based cryptography to support content source mobility. The mobile content source's secure handover processes and the method for choosing the rendezvous points for content sources are presented in detail. Comparison and numerical analysis results show that the proposed approach has lower handover delay and cost. In addition, the proposed approach can complete the key agreement, prevent fake location updates, and support mutual authentication and fast re-authentication.
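The detection and feedback steps of the third contribution (Interest flooding defense) can be sketched as follows. This is an added example, not code from the dissertation: the thresholds, the fair-share rule for picking abnormal prefixes, the feedback message fields and the sample counters are all assumptions, since the abstract names only the two metrics.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed values; the abstract gives no thresholds.
PIT_UTIL_THRESHOLD = 0.7    # fraction of pending Interest table (PIT) in use
SATISFIED_THRESHOLD = 0.5   # Data packets returned / Interests forwarded
LIMITED_RATE = 10           # Interests per second allowed for a flagged prefix

@dataclass
class PrefixStats:
    pending: int     # PIT entries currently held for this name prefix
    forwarded: int   # Interests forwarded during the monitoring interval
    satisfied: int   # of those, how many were answered by Data

    @property
    def satisfied_rate(self) -> float:
        return self.satisfied / self.forwarded if self.forwarded else 1.0

def detect(pit_capacity: int, stats: dict[str, PrefixStats]) -> dict[str, int]:
    """Return {abnormal_prefix: rate_limit} for one monitoring interval."""
    pending = sum(s.pending for s in stats.values())
    forwarded = sum(s.forwarded for s in stats.values())
    satisfied = sum(s.satisfied for s in stats.values())
    overall = satisfied / forwarded if forwarded else 1.0
    # Require both signals: a full PIT with a healthy satisfied rate is
    # legitimate load, not flooding.
    if pending / pit_capacity < PIT_UTIL_THRESHOLD or overall >= SATISFIED_THRESHOLD:
        return {}
    fair_share = pending / len(stats)  # assumed rule: above-average PIT usage
    return {p: LIMITED_RATE for p, s in stats.items()
            if s.satisfied_rate < SATISFIED_THRESHOLD and s.pending > fair_share}

def feedback(router_id: str, limits: dict[str, int]) -> list[dict]:
    """Build the per-prefix messages a router would send to its neighbors."""
    return [{"from": router_id, "prefix": p, "limit": r}
            for p, r in sorted(limits.items())]

# Constructed sample intervals for a router with a 1000-entry PIT.
ATTACK_INTERVAL = {
    "/video/news": PrefixStats(pending=40, forwarded=400, satisfied=380),
    "/docs/papers": PrefixStats(pending=25, forwarded=200, satisfied=190),
    "/fake/content": PrefixStats(pending=820, forwarded=900, satisfied=0),
}
BUSY_INTERVAL = {
    "/video/news": PrefixStats(pending=400, forwarded=4000, satisfied=3800),
    "/docs/papers": PrefixStats(pending=350, forwarded=3000, satisfied=2900),
}

if __name__ == "__main__":
    print(feedback("router-1", detect(1000, ATTACK_INTERVAL)))
    print(detect(1000, BUSY_INTERVAL))
```
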
Keywords/Search Tags: identifier networks, locator/identifier separation, resource and location separation, DDoS defense, secure mobility, Interest flooding attack, content source mobility