基于IPSEC的网络安全技术研究与应用
|
摘要
Internet的普及给网络安全技术提出了更高的要求。
IPSEC被誉为新一代的Internet安全标准,是解决目前Internet
严峻的安全危机的最佳选择。本文介绍了网络安全技术的种类及
它们在解决网络安全问题中所发挥的作用和地位,并强调了数据
包在传输途中的安全的重要性,比较了针对这类安全问题的各种
解决方案,突出了IPSEC解决这类安全问题中的特点和优势;本
文详细描述了IPSEC中的关键技术:密码算法、密钥管理,并阐
述了这些技术与IPSEC的联系以及它们对实现IPSEC所起的作
用;随后着重分析了IPSEC的体系结构,包的结构和处理过程。
鉴于密钥交换协议在IPSEC中的基础地位,还特别地详细介绍了
其密钥交换协议IKE的原理和包结构。文章的后面介绍了两个应
用IPSEC的例子,一个是利用PGPNET在局域网范围内实现安全
传输,并详细分析包结构;另外一个是模拟Internet的环境在
校园网内搭建基于IPSEC的VPN。
The Research and Application of Security Technology
of Network based on IPSEC
[ABSTRACT] IPSEC is a new choice to deal with the increasing requirement of security of Internet. It is honored as the new generation of standard of Network Security. Having described varieties of security technologies of network and their use and position in dealing with network security, the paper emphasizes on security importance of packet when it is traveling. Comparing with very kind of scheme to solve the problem, the paper gives prominence to IPSEC and describes its characteristic and prominence in solving the problem. The paper describes the key technology applied to IPSEC桝lgorithm, Key Management, and how they connect with and work on IPSEC in detail. Subsequently, the paper emphasizes on analyzing the framework, the structure of packets and the process to deal with IPSEC packets. Because of the base position of Key桬xchanging Protocol in IPSEC, the paper describes the theory and packet structure of its Key-Exchanging Protocol桰KE in detail. In the last of the paper, two examples are described how to apply with IPSEC, one of which applies PGPNET to transfer packet in secure way in Local Area Network, the other of which builds VPN based on IPSEC in Campus Network, which can simulate the situation of Internet.
IPSEC被誉为新一代的Internet安全标准,是解决目前Internet
严峻的安全危机的最佳选择。本文介绍了网络安全技术的种类及
它们在解决网络安全问题中所发挥的作用和地位,并强调了数据
包在传输途中的安全的重要性,比较了针对这类安全问题的各种
解决方案,突出了IPSEC解决这类安全问题中的特点和优势;本
文详细描述了IPSEC中的关键技术:密码算法、密钥管理,并阐
述了这些技术与IPSEC的联系以及它们对实现IPSEC所起的作
用;随后着重分析了IPSEC的体系结构,包的结构和处理过程。
鉴于密钥交换协议在IPSEC中的基础地位,还特别地详细介绍了
其密钥交换协议IKE的原理和包结构。文章的后面介绍了两个应
用IPSEC的例子,一个是利用PGPNET在局域网范围内实现安全
传输,并详细分析包结构;另外一个是模拟Internet的环境在
校园网内搭建基于IPSEC的VPN。
The Research and Application of Security Technology
of Network based on IPSEC
[ABSTRACT] IPSEC is a new choice to deal with the increasing requirement of security of Internet. It is honored as the new generation of standard of Network Security. Having described varieties of security technologies of network and their use and position in dealing with network security, the paper emphasizes on security importance of packet when it is traveling. Comparing with very kind of scheme to solve the problem, the paper gives prominence to IPSEC and describes its characteristic and prominence in solving the problem. The paper describes the key technology applied to IPSEC桝lgorithm, Key Management, and how they connect with and work on IPSEC in detail. Subsequently, the paper emphasizes on analyzing the framework, the structure of packets and the process to deal with IPSEC packets. Because of the base position of Key桬xchanging Protocol in IPSEC, the paper describes the theory and packet structure of its Key-Exchanging Protocol桰KE in detail. In the last of the paper, two examples are described how to apply with IPSEC, one of which applies PGPNET to transfer packet in secure way in Local Area Network, the other of which builds VPN based on IPSEC in Campus Network, which can simulate the situation of Internet.
引文
[1] (美)Bruce Schneier著,吴世忠、祝世雄、张文政等译;应用密码学——协议、算法与C源程序;机械工业出版社,2000.1
[2] (美)Naganand Doraswamy,Dan Harkins著,京京工作室译;IPSec——新一代因特网安全标准;机械工业出版社,2000.1
[3] RFC 1510; "The Kerberos Network AuthenticationService (V5)"
[4] RFC 2401; "Security Architecture for the Internet Protocol"
[5] RFC 2403; "The Use of HMAC-MD5-96 within ESP and AH"
[6] RFC 2404; "The Use of HMAC-SHA-1-96 within ESP and AH"
[7] RFC 2405; "The ESP DES-CBC Cipher Algorithm With Explicit IV"
[8] RFC 2406; "IP Encapsulating Security Payload (ESP)"
[9] RFC 2407; "The Internet IP Security Domain of Interpretation for ISAKMP"
[10] RFC 2408; "Internet Security Association and Key Management Protocol (ISAKMP)"
[11] RFC 2409; "The Internet Key Exchange (IKE)"
[12] ANSI X3.92; "American National Standard for Data Encryption Algorithm (DEA)"
[13] ANSI X3. 105; "American National Standard for Information Systems-Data Link Encryption"
[14] ANSI X3. 106; "American National Standard for Information Systems-Data Encryption Algorithm-Modes of Operation"
[15] William R. Cheswick, Steven M. Bellovin; Firewalls and Internet Security;
[16] (美)匿名著,前导工作室译;网络安全技术内幕;机械工业出版社,1999.4
[17] (美)Casey Wilson,Peter Doak著,钟鸣、魏允韬等译:虚拟专用网的创建与实现;机械工业出版社,2000.8
[18] 《微型机与应用》;网络安全技术研究与发展概况;2000.11
[19] www. freeswan. org
[20] athena-dis. mit. edu
[21] ftp. ifi. uio. no
[22] ftp. logisense. com
[23] ftp. xs4all. nl
[24] ftp. zcu. cz
[25] www. nexor. com
[26] pgpkeys. mit. edu
[27] infosec. cs. pku. edu. cn
[28] www. nsfocus. com
[29] 东南大学BBS; PGPi问答集、PGPi 2.6.3i 的安装和用法、PGP的安全性等
[2] (美)Naganand Doraswamy,Dan Harkins著,京京工作室译;IPSec——新一代因特网安全标准;机械工业出版社,2000.1
[3] RFC 1510; "The Kerberos Network AuthenticationService (V5)"
[4] RFC 2401; "Security Architecture for the Internet Protocol"
[5] RFC 2403; "The Use of HMAC-MD5-96 within ESP and AH"
[6] RFC 2404; "The Use of HMAC-SHA-1-96 within ESP and AH"
[7] RFC 2405; "The ESP DES-CBC Cipher Algorithm With Explicit IV"
[8] RFC 2406; "IP Encapsulating Security Payload (ESP)"
[9] RFC 2407; "The Internet IP Security Domain of Interpretation for ISAKMP"
[10] RFC 2408; "Internet Security Association and Key Management Protocol (ISAKMP)"
[11] RFC 2409; "The Internet Key Exchange (IKE)"
[12] ANSI X3.92; "American National Standard for Data Encryption Algorithm (DEA)"
[13] ANSI X3. 105; "American National Standard for Information Systems-Data Link Encryption"
[14] ANSI X3. 106; "American National Standard for Information Systems-Data Encryption Algorithm-Modes of Operation"
[15] William R. Cheswick, Steven M. Bellovin; Firewalls and Internet Security;
[16] (美)匿名著,前导工作室译;网络安全技术内幕;机械工业出版社,1999.4
[17] (美)Casey Wilson,Peter Doak著,钟鸣、魏允韬等译:虚拟专用网的创建与实现;机械工业出版社,2000.8
[18] 《微型机与应用》;网络安全技术研究与发展概况;2000.11
[19] www. freeswan. org
[20] athena-dis. mit. edu
[21] ftp. ifi. uio. no
[22] ftp. logisense. com
[23] ftp. xs4all. nl
[24] ftp. zcu. cz
[25] www. nexor. com
[26] pgpkeys. mit. edu
[27] infosec. cs. pku. edu. cn
[28] www. nsfocus. com
[29] 东南大学BBS; PGPi问答集、PGPi 2.6.3i 的安装和用法、PGP的安全性等