Research on IP Security Mechanisms and Related Problems
Abstract
IPSec is the security standard of the Internet. It consists mainly of three protocols, ESP, AH and IKE, and it is also a required component of IPv6, the next-generation IP protocol. IPSec gives higher-layer applications a general, standardized security infrastructure. Studying the security mechanisms of IPSec is of real help in designing secure network communication systems and the applications built on them.
    In this thesis the author first introduces the basic architecture of IPSec, with emphasis on how the ESP, AH and IKE protocols work, the security analyses that have been made of them and some recent developments. The thesis then studies the coexistence problem between IPSec and network address translation and improves several firewall systems that use IPSec so that they provide IPSec protection and address translation at the same time. The author also studies key distribution for IPSec and IP multicast security and proposes a key distribution scheme for secure multicast. The scheme combines the multicast security architecture document with the group security key management protocol document and gives a block diagram of a secure multicast implementation on a host. It supports several multicast groups at the same time and uses multiple multicast groups to reduce network traffic and the processing load on group member hosts.
IPSec is the security standard for the Internet; it is primarily composed of three protocols, ESP, AH and IKE. It is also an indispensable part of IPv6, the next generation of the Internet protocol suite. IPSec provides a general-purpose, standard security infrastructure at the network layer for applications on higher layers. Studying the mechanisms of IPSec is helpful when we design a secure communication system and the applications based on it.
    In this paper, we primarily introduce the basic architecture of IPSec, especially the principles of ESP, AH and IKE, the security analyses of them and their recent progress. We study the coexistence of IPSec and network address translation. We also study IPSec and IP multicast security key management, and finally we put forward a multicast key management scheme. In the scheme we propose the functional building blocks of a secure multicast implementation on a host. The scheme builds several multicast groups at the same time, and with multiple groups we can reduce the network traffic and the work of each group member.
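The NAT coexistence problem the abstract mentions comes down to what each protocol's integrity check covers. The following script is an added example written for this page, not code from the thesis: it builds a packet, rewrites the source address the way a traditional NAT (RFC 3022) would, and checks what still verifies at the receiver for AH, transport-mode ESP and tunnel-mode ESP. The addresses, key, TCP segment and SPI are constructed; the AH ICV is simplified to leave out the AH header itself, and ESP uses the NULL cipher of RFC 2410 so the bytes stay readable (the NAT argument depends on what the ICV covers, not on the cipher).

```python
"""Added example (not from the thesis): what a traditional NAT breaks in AH,
transport-mode ESP and tunnel-mode ESP. All addresses, the key, the TCP
segment and the SPI are constructed for illustration."""
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(16))  # constructed SA authentication key (HMAC-SHA1-96, RFC 2404)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                    ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """Traditional NAT (RFC 3022): rewrite the source address and fix the header checksum."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", inet_checksum(bytes(h)))
    return bytes(h)


def tcp_pseudo(src: str, dst: str, seg_len: int) -> bytes:
    """TCP pseudo-header: the reason the TCP checksum depends on the IP addresses."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)


def set_tcp_checksum(src: str, dst: str, seg: bytes) -> bytes:
    seg = seg[:16] + b"\x00\x00" + seg[18:]
    csum = inet_checksum(tcp_pseudo(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_segment(src: str, dst: str, payload: bytes) -> bytes:
    """A SYN segment 40000 -> 443 carrying `payload`, checksummed for src/dst."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return set_tcp_checksum(src, dst, hdr + payload)


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return inet_checksum(tcp_pseudo(src, dst, len(seg)) + seg) == 0


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """RFC 2402 ICV: the IP header with its mutable fields zeroed (TOS, flags/
    fragment offset, TTL, header checksum) plus the payload. The addresses are
    immutable fields and so are covered. (The AH header itself, also covered
    by the real ICV, is omitted here for brevity.)"""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]


def esp_encapsulate(payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """ESP (RFC 2406) with the NULL cipher of RFC 2410; padding/trailer omitted.
    With a real cipher the payload is opaque to any middlebox."""
    return struct.pack("!II", spi, seq) + payload


def esp_icv(esp_packet: bytes) -> bytes:
    """RFC 2406 ICV: covers SPI, sequence number and payload, never the outer IP header."""
    return hmac.new(KEY, esp_packet, hashlib.sha1).digest()[:12]


def demo() -> dict:
    src, dst, nat_src = "10.0.0.2", "203.0.113.9", "198.51.100.1"  # constructed
    tcp = tcp_segment(src, dst, b"GET / HTTP/1.0\r\n")

    # AH transport mode: the ICV covers the source address the NAT rewrites.
    ah_hdr = ipv4_header(src, dst, 51, 24 + len(tcp))
    ah_tag = ah_icv(ah_hdr, tcp)
    ah_hdr_nat = nat_rewrite_src(ah_hdr, nat_src)

    # ESP transport mode: the ICV survives, but the TCP checksum inside ESP was computed
    # with the original source; the NAT cannot fix it without breaking the ICV.
    esp_t = esp_encapsulate(tcp)
    esp_t_tag = esp_icv(esp_t)
    tcp_fixed_by_nat = set_tcp_checksum(nat_src, dst, tcp)

    # ESP tunnel mode: the inner packet keeps its own addresses; only the outer header changes.
    inner = ipv4_header(src, dst, 6, len(tcp)) + tcp
    esp_u = esp_encapsulate(inner)
    esp_u_tag = esp_icv(esp_u)
    outer_nat = nat_rewrite_src(ipv4_header(src, dst, 50, 12 + len(esp_u)), nat_src)

    return {
        "ah_before_nat": hmac.compare_digest(ah_icv(ah_hdr, tcp), ah_tag),
        "ah_after_nat": hmac.compare_digest(ah_icv(ah_hdr_nat, tcp), ah_tag),
        "esp_transport_icv_after_nat": hmac.compare_digest(esp_icv(esp_t), esp_t_tag),
        "esp_transport_tcp_csum_after_nat": tcp_checksum_ok(nat_src, dst, tcp),
        "esp_transport_icv_if_nat_fixes_csum": hmac.compare_digest(
            esp_icv(esp_encapsulate(tcp_fixed_by_nat)), esp_t_tag),
        "esp_tunnel_icv_after_nat": hmac.compare_digest(esp_icv(esp_u), esp_u_tag),
        "esp_tunnel_inner_tcp_csum": tcp_checksum_ok(src, dst, tcp),
        "outer_src_after_nat": socket.inet_ntoa(outer_nat[12:16]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:40} {value}")
```

Run it and the table shows the three cases the thesis has to reconcile with address translation: AH fails as soon as the source address is rewritten, transport-mode ESP passes the ICV check but delivers a TCP segment whose checksum no longer matches the outer addresses (and any NAT that "helpfully" recomputed that checksum would invalidate the ICV instead), while tunnel-mode ESP passes both checks because the rewritten outer header is outside everything the receiver verifies. This is why the firewall designs the abstract describes put the NAT function outside the IPSec tunnel endpoint rather than between the endpoints.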
References
1. [ANDR01] A. Krywaniuk, "Security Properties of the IPsec Protocol Suite", Internet Draft, July 9, 2001.
2. [ATKI98] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
3. [BORE01] M. Borella et al., "Realm Specific IP: Framework", RFC 3102, October 2001.
4. [CANET] R. Canetti et al., "An Architecture for Secure Internet Multicast", Internet Draft.
5. [CHRI00] C. B. McCubbin et al., "Initialization Vector Attacks on the IPSec Protocols", IEEE, 2000, pp. 171-175.
6. [GLEN98] R. Glenn and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec", RFC 2410, November 1998.
7. [HARK01] D. Harkins, C. Kaufman and R. Perlman, "Internet Key Exchange (IKE) Protocol", Internet Draft, November 2001.
8. [HARK98] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
9. [HARN01] H. Harney, A. Colegrove et al., "Group Secure Association Key Management Protocol", Internet Draft, March 2001.
10. [KENT98] S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.
11. [KENTS98] S. Kent and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.
12. [KIVI01] T. Kivinen, "Fixing IKE Phase 1 & 2 Authentication HASH", Internet Draft, November 2001.
13. [KRAW97] H. Krawczyk, M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
14. [KRYW01] A. Krywaniuk, "Security Properties of the IPsec Protocol Suite", Internet Draft, July 9, 2001.
15. [LAKS99] L. R. Dondeti and S. Mukherjee, "A Dual Encryption Protocol for Scalable Secure Multicasting", IEEE, 1999.
16. [MARK01] M. Baugher (Cisco), R. Canetti (IBM) and L. Dondeti (Nortel), "Group Key Management Architecture", Internet Draft, June 23, 2001.
17. [MATT99] M. J. Moyer et al., "A Survey of Security Issues in Multicast Communications", IEEE Network, Nov./Dec. 1999.
18. [MAUG98] D. Maughan, M. Schertler, M. Schneider and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.
19. [MICH00] M. S. Borella, "Methods and Protocols for Secure Key Negotiation Using IKE", IEEE Network, July/August 2000.
20. [MONT01] G. Montenegro and M. Borella, "RSIP Support for End-to-end IPsec", RFC 3104, October 2001.
21. [MURR] S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite", AT&T Bell Laboratories, Murray Hill, 1989.
22. [NAGA99] N. Doraswamy and D. Harkins, "IPSec: The Next-Generation Internet Security Standard" (Chinese edition), China Machine Press (机械工业出版社), 1999.
23. [ORMA98] H. Orman, "The OAKLEY Key Determination Protocol", RFC 2412, November 1998.
24. [PIPE98] D. Piper, "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.
25. [RADH01] R. Poovendran and J. S. Baras, "An Information-Theoretic Approach for Design and Analysis of Rooted-Tree-Based Multicast Key Management Schemes", IEEE Transactions on Information Theory, Vol. 47, No. 7, November 2001.
26. [RICH00] W. Richard Stevens, "TCP/IP Illustrated, Volume 1: The Protocols" (Chinese edition), pp. 50-330, April 2000.
27. [SRIS01] P. Srisuresh et al., "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001.
28. [SRIS99] P. Srisuresh and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.
29. [WALL99] D. Wallner, E. Harder and R. Agee, "Key Management for Multicast: Issues and Architectures", RFC 2627, June 1999.
30. [WANG01] Wang Changjie, Qin Hao and Wang Yumin (王常杰, 秦浩, 王育民), "Design of an IPv6-Based Firewall", Chinese Journal of Computers (计算机学报), Vol. 24, No. 2, pp. 219-223, February 2001.
31. [WANG98] Wang Yumin and Liu Jianwei (王育民, 刘建伟), "Security of Communication Networks: Theory and Technology", pp. 430-509, Xidian University Press (西安电子科技大学出版社), 1999.
32. [ZHOU99] J. Zhou, "Fixing of Security Flaw in IKE Protocol", IEE Electronics Letters, Vol. 35, No. 13, June 1999.