VPN网络构架及基于客户的IPSec安全网关实现
摘要
本论文分成两大部份。第一部分在简要介绍了安全网络系统构成及
VPN的发展背景之后,比较分析了四种VPN网络构架类型(VLL、VPDN、
VPLS、VPRN)和关键技术,并着重讲述了用VR构建VPRN的技术和
应用优势。第二部分系统地介绍了在VPN实现上主要采用的协议规范—
—IP层安全协议、认证头协议、安全封装协议等,设计了利用IPSec安
全网关组成基于客户的完整VPN网络方案,并且实现了IPSec网关主要
的功能模块:出隧道模块、入隧道模块、IPSec管理模块。之后,本论文
给出了IPSec性能测试结果并进行了分析,其结果可用于将来进一步深入
的研究。最后论文根据IPSec中存在的问题提出了一种便捷灵活的安全机
制改进思路。
Subject: Communication and Information Engineering
Title:
VPN Network Architecture and
the Implementation of Client-Based Safety Gateway
Postgraduate Student: Chen Liii
Supervisor: Mao Yuming Yan Mei
This thesis is divided into two main parts.
The first part introduces the main network security technology and the VPN development trend, and gives four examples of the VPN architecture:VLL, VPLS, VPDN,VPRN.Then the thesis describes in detail about the method of using Virtual Router to construct the VPRN.
The second part systematically analyzes the protocols?functions, such as IPSec, AR, ESP, and designs the whole model of the Client-based VPN architecture. More importantly, it implements the main moduals of IPSec Security Gateway: In tunnel modular, out tunnel modular, IPSec management modular. Additionally, it shows the performance test results and draws some conclusion for further research.
In the end, the thesis summarizes the shortcomings of IPSec protocol and gives a modified simple picture of convinent, flexible IPSec operation.
VPN的发展背景之后,比较分析了四种VPN网络构架类型(VLL、VPDN、
VPLS、VPRN)和关键技术,并着重讲述了用VR构建VPRN的技术和
应用优势。第二部分系统地介绍了在VPN实现上主要采用的协议规范—
—IP层安全协议、认证头协议、安全封装协议等,设计了利用IPSec安
全网关组成基于客户的完整VPN网络方案,并且实现了IPSec网关主要
的功能模块:出隧道模块、入隧道模块、IPSec管理模块。之后,本论文
给出了IPSec性能测试结果并进行了分析,其结果可用于将来进一步深入
的研究。最后论文根据IPSec中存在的问题提出了一种便捷灵活的安全机
制改进思路。
Subject: Communication and Information Engineering
Title:
VPN Network Architecture and
the Implementation of Client-Based Safety Gateway
Postgraduate Student: Chen Liii
Supervisor: Mao Yuming Yan Mei
This thesis is divided into two main parts.
The first part introduces the main network security technology and the VPN development trend, and gives four examples of the VPN architecture:VLL, VPLS, VPDN,VPRN.Then the thesis describes in detail about the method of using Virtual Router to construct the VPRN.
The second part systematically analyzes the protocols?functions, such as IPSec, AR, ESP, and designs the whole model of the Client-based VPN architecture. More importantly, it implements the main moduals of IPSec Security Gateway: In tunnel modular, out tunnel modular, IPSec management modular. Additionally, it shows the performance test results and draws some conclusion for further research.
In the end, the thesis summarizes the shortcomings of IPSec protocol and gives a modified simple picture of convinent, flexible IPSec operation.
引文
[1] Steven M. Bellovin. "Security Problems in the TCP/IP protocol suite". Computer Communications Review, April 1989
[2] Rolf OppIiger,“Internet安全,防火墙及其它”.Communications of ACM,May 97 Vol.40.
[3] Kent, S., and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, Nov. 1998.
[4] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, Nov. 1998
[5] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload", RFC 2406, Nov. 1998
[6] Timon Sloane, Rick Bubenik, Abraham Young, "Network based IP VPN Architecture-using Virtual Routers", RFC2026, July 2000
[7] Nortel Network, Lucent Technologies, "A Framework for IP Based Virtual Private Networks", RFC2764, Feb.2000
[8] Bruce Schneier,应用密码学。机械工业出版社,2000
[9] 冯登国,裴定一, 密码学引导,科学出版社,1999
[10] 王育民,刘建伟,通信网的安全--理论与技术,西安电子科技大学 出版社,1999
[11] D.E.Comer,用TCP/IP进行网际互连(第二版),电子工业出版社, 1998
[2] Rolf OppIiger,“Internet安全,防火墙及其它”.Communications of ACM,May 97 Vol.40.
[3] Kent, S., and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, Nov. 1998.
[4] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, Nov. 1998
[5] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload", RFC 2406, Nov. 1998
[6] Timon Sloane, Rick Bubenik, Abraham Young, "Network based IP VPN Architecture-using Virtual Routers", RFC2026, July 2000
[7] Nortel Network, Lucent Technologies, "A Framework for IP Based Virtual Private Networks", RFC2764, Feb.2000
[8] Bruce Schneier,应用密码学。机械工业出版社,2000
[9] 冯登国,裴定一, 密码学引导,科学出版社,1999
[10] 王育民,刘建伟,通信网的安全--理论与技术,西安电子科技大学 出版社,1999
[11] D.E.Comer,用TCP/IP进行网际互连(第二版),电子工业出版社, 1998