基于I386EX和IPSec的安全的实时嵌入式网络系统的设计
|
摘要
21世纪初,世界主流计算机技术已进入了后PC时代。后PC时代,即非PC信息设备大显神通的时代。嵌入式系统正是非PC信息设备的主体,并伴随着互联网技术在世界范围的扩展和中国通信事业的高速发展,嵌入式产品尤其是嵌入式网络产品必将具有更为广泛的应用、研发和市场前景。嵌入式网络产品要求非PC接入Internet,即嵌入式微型互联网。利用嵌入式微型互联网技术可实现基于Internet的远程数据采集、远程监控、远程维护、自动发送e-mail、上传/下载文件、工业自动化等,因而Internet也延伸到了嵌入式设备中。嵌入式设备在Internet上的信息交互必将使其在开放的Internet中存在着一些安全隐患。所以开发具有安全服务的嵌入式网络产品是大势所趋,反过来,安全服务也促使嵌入式网络产品具有更为广泛的应用。
在这样的背景下,本文结合了实时嵌入式网络系统的关键技术和网络安全协议IPSec,设计并实现了在IP层提供安全服务的嵌入式网络产品,并对如何提供系统性能以及系统的实时性和安全协议IPSec的完全实施进行了研究和探讨。其目的是掌握快速设计并实现具有高性价比且扩展性极强的较为通用的实时嵌入式网络系统。在此基础上通过对嵌入式设备接入Internet时所带来的安全威胁的分析,针对嵌入式系统的特点,选择并实施了网络安全协议IPSec,使本文所设计的提供安全服务的嵌入式网络产品将具有更为广泛的应用。
本文首先探讨了嵌入式网络的原理和设计要求,接着介绍了本文所开发的嵌入式系统的硬件平台的设计(包括处理器的选择与配置、存储器的选择和IO设备的选用等),系统的启动(包括BIOS和DOS的启动以及嵌入式操作系统VRTX的配置和引导),网络及其安全服务的实现(包括嵌入式协议栈USNET的选取、底层驱动程序的设计和安全协议IPSec的分析与实施)。最后作者论述了自己对系统为实施安全协议所做的调整与优化;同时笔者也对进一步提高系统的可靠性和实时性提出了自己的建议,并在操作系统与协议栈的无缝连接方面进行了初步探讨。
本文所研制的实时嵌入式网络产品已被一些公司、高校和科研院所采用。从目前的使用情况来看,该产品基本达到了预期的效果。
At the beginning of the 21st century, as the mainstream of current computer technologies, post-PC is becoming more and more important. Therefore, significant research activities have been seen in the embedded system development, especially embedded networks development, which is the main part of post-PC. Embedded networks require access to the Internet to form embedded micro-internet, so that many services such as remote data collection, remote monitoring, remote maintenance, e-mailing, file transfer and industrial automation can be available on embedded micro-internet. Because of convenient information exchanges and Internet's extending into embedded systems, information security thus also becomes one of the most important concerns in the embedded systems development.
To meet this requirement, a secure embedded networks system has been implemented based on IPSec protocol and current key technologies of real-time embedded networks. And some researches on improvements of embedded system's performance and reliability have been carried out. Finally some probably useful suggestions have also been proposed. The article is composed of 4 parts.
Part 1 ( chapter 2 ) introduces the principle of real-time embedded system and embedded-networking system, including their characteristics and requirements. The status in quo and the development trend of real-time embedded-networking system is also introduced.
Part 2 ( chapter 3 and 4 ) analyzes and designs the embedded-networking system based on Intel 386EX, VRTX RTOS and USNET. It includes chip selection, schematic circuit design, CPU selection and configuration, startup of the system, selection and configuration of embedded operation system, selection and configuration of TCP/IP software. It also describes some driver programming techniques of network controller.
Part 3 ( chapter 5 and 6 ) briefly introduces encryption technology and the IPSec protocol system, including architecture, mode, security association, security policy, implementation mode, processing of in/out packet, ESP(encapsulation security payload), AH(authentication header), IKE(internet key exchange) etc. The security requirements of embedded-networking is also analyzed.
Part 4 ( chapter 7 ) is about the study of highly efficient implementation of IPSec. Firstly, it narrates processing of in/out packet, constructing SPD(security policy database) and SADB(security association database), studying IKE, realizing the module of encryption algorithm by modifying USNET. Secondly, it introduces some ways to improve the capability of the whole system that has implemented IPSec. Finally, it brings forward a new plan on the capability improvement of the whole system.
在这样的背景下,本文结合了实时嵌入式网络系统的关键技术和网络安全协议IPSec,设计并实现了在IP层提供安全服务的嵌入式网络产品,并对如何提供系统性能以及系统的实时性和安全协议IPSec的完全实施进行了研究和探讨。其目的是掌握快速设计并实现具有高性价比且扩展性极强的较为通用的实时嵌入式网络系统。在此基础上通过对嵌入式设备接入Internet时所带来的安全威胁的分析,针对嵌入式系统的特点,选择并实施了网络安全协议IPSec,使本文所设计的提供安全服务的嵌入式网络产品将具有更为广泛的应用。
本文首先探讨了嵌入式网络的原理和设计要求,接着介绍了本文所开发的嵌入式系统的硬件平台的设计(包括处理器的选择与配置、存储器的选择和IO设备的选用等),系统的启动(包括BIOS和DOS的启动以及嵌入式操作系统VRTX的配置和引导),网络及其安全服务的实现(包括嵌入式协议栈USNET的选取、底层驱动程序的设计和安全协议IPSec的分析与实施)。最后作者论述了自己对系统为实施安全协议所做的调整与优化;同时笔者也对进一步提高系统的可靠性和实时性提出了自己的建议,并在操作系统与协议栈的无缝连接方面进行了初步探讨。
本文所研制的实时嵌入式网络产品已被一些公司、高校和科研院所采用。从目前的使用情况来看,该产品基本达到了预期的效果。
At the beginning of the 21st century, as the mainstream of current computer technologies, post-PC is becoming more and more important. Therefore, significant research activities have been seen in the embedded system development, especially embedded networks development, which is the main part of post-PC. Embedded networks require access to the Internet to form embedded micro-internet, so that many services such as remote data collection, remote monitoring, remote maintenance, e-mailing, file transfer and industrial automation can be available on embedded micro-internet. Because of convenient information exchanges and Internet's extending into embedded systems, information security thus also becomes one of the most important concerns in the embedded systems development.
To meet this requirement, a secure embedded networks system has been implemented based on IPSec protocol and current key technologies of real-time embedded networks. And some researches on improvements of embedded system's performance and reliability have been carried out. Finally some probably useful suggestions have also been proposed. The article is composed of 4 parts.
Part 1 ( chapter 2 ) introduces the principle of real-time embedded system and embedded-networking system, including their characteristics and requirements. The status in quo and the development trend of real-time embedded-networking system is also introduced.
Part 2 ( chapter 3 and 4 ) analyzes and designs the embedded-networking system based on Intel 386EX, VRTX RTOS and USNET. It includes chip selection, schematic circuit design, CPU selection and configuration, startup of the system, selection and configuration of embedded operation system, selection and configuration of TCP/IP software. It also describes some driver programming techniques of network controller.
Part 3 ( chapter 5 and 6 ) briefly introduces encryption technology and the IPSec protocol system, including architecture, mode, security association, security policy, implementation mode, processing of in/out packet, ESP(encapsulation security payload), AH(authentication header), IKE(internet key exchange) etc. The security requirements of embedded-networking is also analyzed.
Part 4 ( chapter 7 ) is about the study of highly efficient implementation of IPSec. Firstly, it narrates processing of in/out packet, constructing SPD(security policy database) and SADB(security association database), studying IKE, realizing the module of encryption algorithm by modifying USNET. Secondly, it introduces some ways to improve the capability of the whole system that has implemented IPSec. Finally, it brings forward a new plan on the capability improvement of the whole system.
引文
[1]王育民、何大可.保密学—基础与应用.西安电子科技出版社,1990
[2]王育民、刘建伟.通信网的安全—理论与技术.西安电子科技出版社,1999
[3]卢开澄.计算机密码学—计算机网络中的数据安全与保密.第二版.清华大学出版社,1998
[4]Andrew s.Tanenbaum著.熊桂喜、王小虎译.计算机网络.第三版.清华大学出版社,1998
[5]Bruce Schneieier著.吴世忠等译.应用密码学—协议、算法和C源程序.机械工业出版社,2000
[6]Carlisle Adams Steve Lloyd著.冯登国等译.公开密钥基础设施—概念、标准和实施.人民邮电出版社,2001
[7]关振胜编著,公钥基础设施PKI认证机构CA.电子工业出版社,2002
[8]William stallings著.杨明译.密码编码与网络安全.电子工业出版社,2001
[9]Steve Burnett著.冯登国译.密码工程实践指南.清华大学出版社,2001
[10]Carlten R.Davis著.周永彬译.IPSec:VPN的安全实施.清华大学出版社,2001
[11]Anonymous著.朱鲁华译.最高安全机密.机械工业出版社,2003
[12]宁磊著,Linux网络安全与管理.人民邮电出版社,2001
[13]RFC 2202: Cheng,P. and R.Glenn,"Test Cases for HMAC-MD5 and HMAC-SHA-1", September 1997.
[14]RFC 2401: Security Architecture for the Internet Protocol, November 1998.
[15]RFC 2402: IP Authentication Header, November 1998.
[16]RFC 2411: IP Security Document Roadmap, November 1998.
[17]RFC 1828: IP Authentication using Keyed MD5, August 1995.
[18]RFC 1829: The ESP DES-CBC Transform, August 1995.
[19]RFC 1827: IP Encapsulating Security Payload (ESP), August 1995.
[20]RFC 1241: S. Bradner, Benchmarking Terminology for Network Interconnection Devices, July 1991
[21]RFC 2544: S. Bradner, Benchmarking Terminology for Network Interconnection Devices, July 1991
[22]Naganand Doraswamy著.京京工作室译.IPSec新一代因特网安全标准.机械工业出版社,2001
[23]Intel386~(TM)Ex Embedded Microprocessor User's Manual, Intel Inc, 1996.
[24]陈文钦著.BIOS研发技术剖析.清华大学出版社,2001
[25]System BIOS for IBM PCs,Compatibles,and EISA Computers, Phoenix Technologes Ltd, 1994.
[26]VRTX x86/rm User Guide, Microtec Inc.
[27]US NET User Guide, US Ssofiware Inc.
[28]GM71C18163C CMOS DYNAMIC RAM, Hynix Co.,Ltd.
[29]DS12887 Real Time Clock, DALLAS Semiconductor Co.,Ltd.
[30]SST28SF020A SuperFlash EEPROM, Silicon Storage Technology, Inc.
[31]In-System Programmable High Density PLD 1032EA, Lattice Semiconductor Co.,Ltd.
[32]RTLS019AS Realtek Full-Duplex Ethernet Controller, REALTEK SEMI-CONDUCTOR Co.,Ltd.
[33]AT93C46 3-wire Serial EEPROMs, ATMEL SEMI-CONDUCTOR Co.,Ltd.
[34]VHDL and Verilog Simulation User Manual, Lattice Semiconductor Co.,Ltd.
[35]孔祥营著.嵌入式实时操作系统.中国电力出版社,2001
[36]王田苗著.嵌入式系统设计与实例开发.清华大学出版社,2002
[37]USNET Real-Time TCP/IP Embedded-Networking, US Software, 1999.
[38]Douglas E.Comer著.林瑶等译.用TCP/IP进行网际互联.第一卷.电子工业出版社,2001
[39]Douglas E.Comer著.林瑶等译.用TCP/IP进行网际互联.第二卷.电子工业出版社,2001
[40]Douglas E.Comer著.林瑶等译.用TCP/IP进行网际互联.第三卷.电子工业出版社,2001
[41]宋万杰著.CPLD技术及其应用.西安电子科技大学出版社,1999
[42]贾新章著.电子电路CAD技术.西安电子科技大学出版社,2002
[43]刘笃仁著.用ISP器件设计现代电路.西安电子科技大学出版社,2002
[44]王金明著.数字系统设计与Verilog HDL.电子工业出版社,2002
[45]孙青著.电子元器件可靠性工程.电子工业出版社,2002
[46]邬宽明著.现代总线技术应用选编.北京航空航天大学出版社,2002
[47]葛本修.计算机组织与结构.北京航空航天大学出版社,1992
[48]Steven Brown著.董晓宇等译.构建虚拟专用网.人民邮电出版社,2000
[49]张昆藏编著.计算机系统结构教程.国防工业出版社,2001
[50]夏云.现代计算机网络技术与应用.科学出版社,1999
[51]李鹏.计算机通信程序设计.西安电子科技大学出版社,1992
[52]John W.Satzinger著.朱群雄译.系统分析与设计.机械工业出版社,2002
[2]王育民、刘建伟.通信网的安全—理论与技术.西安电子科技出版社,1999
[3]卢开澄.计算机密码学—计算机网络中的数据安全与保密.第二版.清华大学出版社,1998
[4]Andrew s.Tanenbaum著.熊桂喜、王小虎译.计算机网络.第三版.清华大学出版社,1998
[5]Bruce Schneieier著.吴世忠等译.应用密码学—协议、算法和C源程序.机械工业出版社,2000
[6]Carlisle Adams Steve Lloyd著.冯登国等译.公开密钥基础设施—概念、标准和实施.人民邮电出版社,2001
[7]关振胜编著,公钥基础设施PKI认证机构CA.电子工业出版社,2002
[8]William stallings著.杨明译.密码编码与网络安全.电子工业出版社,2001
[9]Steve Burnett著.冯登国译.密码工程实践指南.清华大学出版社,2001
[10]Carlten R.Davis著.周永彬译.IPSec:VPN的安全实施.清华大学出版社,2001
[11]Anonymous著.朱鲁华译.最高安全机密.机械工业出版社,2003
[12]宁磊著,Linux网络安全与管理.人民邮电出版社,2001
[13]RFC 2202: Cheng,P. and R.Glenn,"Test Cases for HMAC-MD5 and HMAC-SHA-1", September 1997.
[14]RFC 2401: Security Architecture for the Internet Protocol, November 1998.
[15]RFC 2402: IP Authentication Header, November 1998.
[16]RFC 2411: IP Security Document Roadmap, November 1998.
[17]RFC 1828: IP Authentication using Keyed MD5, August 1995.
[18]RFC 1829: The ESP DES-CBC Transform, August 1995.
[19]RFC 1827: IP Encapsulating Security Payload (ESP), August 1995.
[20]RFC 1241: S. Bradner, Benchmarking Terminology for Network Interconnection Devices, July 1991
[21]RFC 2544: S. Bradner, Benchmarking Terminology for Network Interconnection Devices, July 1991
[22]Naganand Doraswamy著.京京工作室译.IPSec新一代因特网安全标准.机械工业出版社,2001
[23]Intel386~(TM)Ex Embedded Microprocessor User's Manual, Intel Inc, 1996.
[24]陈文钦著.BIOS研发技术剖析.清华大学出版社,2001
[25]System BIOS for IBM PCs,Compatibles,and EISA Computers, Phoenix Technologes Ltd, 1994.
[26]VRTX x86/rm User Guide, Microtec Inc.
[27]US NET User Guide, US Ssofiware Inc.
[28]GM71C18163C CMOS DYNAMIC RAM, Hynix Co.,Ltd.
[29]DS12887 Real Time Clock, DALLAS Semiconductor Co.,Ltd.
[30]SST28SF020A SuperFlash EEPROM, Silicon Storage Technology, Inc.
[31]In-System Programmable High Density PLD 1032EA, Lattice Semiconductor Co.,Ltd.
[32]RTLS019AS Realtek Full-Duplex Ethernet Controller, REALTEK SEMI-CONDUCTOR Co.,Ltd.
[33]AT93C46 3-wire Serial EEPROMs, ATMEL SEMI-CONDUCTOR Co.,Ltd.
[34]VHDL and Verilog Simulation User Manual, Lattice Semiconductor Co.,Ltd.
[35]孔祥营著.嵌入式实时操作系统.中国电力出版社,2001
[36]王田苗著.嵌入式系统设计与实例开发.清华大学出版社,2002
[37]USNET Real-Time TCP/IP Embedded-Networking, US Software, 1999.
[38]Douglas E.Comer著.林瑶等译.用TCP/IP进行网际互联.第一卷.电子工业出版社,2001
[39]Douglas E.Comer著.林瑶等译.用TCP/IP进行网际互联.第二卷.电子工业出版社,2001
[40]Douglas E.Comer著.林瑶等译.用TCP/IP进行网际互联.第三卷.电子工业出版社,2001
[41]宋万杰著.CPLD技术及其应用.西安电子科技大学出版社,1999
[42]贾新章著.电子电路CAD技术.西安电子科技大学出版社,2002
[43]刘笃仁著.用ISP器件设计现代电路.西安电子科技大学出版社,2002
[44]王金明著.数字系统设计与Verilog HDL.电子工业出版社,2002
[45]孙青著.电子元器件可靠性工程.电子工业出版社,2002
[46]邬宽明著.现代总线技术应用选编.北京航空航天大学出版社,2002
[47]葛本修.计算机组织与结构.北京航空航天大学出版社,1992
[48]Steven Brown著.董晓宇等译.构建虚拟专用网.人民邮电出版社,2000
[49]张昆藏编著.计算机系统结构教程.国防工业出版社,2001
[50]夏云.现代计算机网络技术与应用.科学出版社,1999
[51]李鹏.计算机通信程序设计.西安电子科技大学出版社,1992
[52]John W.Satzinger著.朱群雄译.系统分析与设计.机械工业出版社,2002
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |