Research and Implementation of an IPSec-Based Virtual Private Network
Abstract
With the steady advance of e-government, e-commerce and electronic finance, network applications have become ever more widespread and enterprises and organizations keep growing. The old way of building networks, with large investment, high cost and low utilization, no longer meets their needs. Against this backdrop, Virtual Private Network (VPN) technology emerged. It combines the performance advantages of traditional data networks with the structural advantages of the Internet, fundamentally changes the way networks are built, meets the needs of growing enterprises and organizations, and represents the latest trend in network development. It must be noted, however, that data transmitted over a VPN without security measures can easily be eavesdropped on, tampered with and forged, causing immeasurable loss to enterprises and organizations.
To address the Internet's security needs, the Internet Engineering Task Force (IETF) published the IP-layer security standard IPSec (IP Security) in November 1998. Its goal is to provide strongly interoperable, high-quality, cryptography-based security for IPv4 and IPv6. IPSec operates at the network layer, protecting and authenticating the IP packets in transit, and thereby provides the assurance needed to carry sensitive information across an unprotected network such as the Internet. IPSec implements several security services: access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality (encryption) and limited traffic flow confidentiality.
This thesis takes as its background Beijing's first "digital sports" project: research on an IPSec-based VPN for the network security of the all-in-one card system of the Beijing Dongcheng District Sports Bureau. It first analyzes the network security situation and the VPN and IPSec technical background relevant to the project, compares them with traditional ways of implementing security, carries out a detailed analysis and design according to user requirements, and proposes an implementation scheme for the system based on an IPSec VPN. The scheme improves on both the traditional all-in-one card security mechanism and the IPSec implementation approach; the successful implementation of the project is broadly significant both for the 2008 Digital Olympics and for other Golden Card projects.
The IPSec architecture comprises several protocols, including AH, ESP and IKE. This thesis does not cover every protocol and service in the IPSec protocol suite; it concentrates on the key aspects of IPSec inbound and outbound packet processing, IPSec implementation modes and the IPSec protocol stack. Drawing on ideas from machine learning, the thesis presents an SPD (Security Policy Database) policy analysis model based on an ID3 decision tree, together with its implementation algorithm.
Although some IPSec components still need refinement, it can be expected that, as IPv6 is rolled out and IP networks are built, IPSec will become the industry standard for network security.
With the development of e-government, e-business and e-finance, we have entered an information era based on the Internet. As enterprises and organizations grow, building networks through high investment and high consumption that return low value in use no longer suits them. VPN technologies emerged in this context; they make full use of the benefits of conventional networks and of the structure of the Internet. VPNs, which completely change this situation and fit the needs of enterprises and organizations, are the trend of network development. But we must pay attention to the security of VPNs: if attackers sniff, alter or fake unprotected data in transit across public networks, the loss may be incalculable.
Out of concern for network security, the Internet Engineering Task Force (IETF) provided, in November 1998, the IP security guarantee for transferring sensitive information over an unprotected network. IPSec provides these security services at the IP layer. It protects and authenticates IP packets in transit between IPSec devices, so that data crossing the Internet need not be exposed to sniffing, alteration or forgery. IPSec is a framework of open standards that provides data confidentiality, data integrity and data authentication between participating peers, and it makes Virtual Private Networks (VPNs) practical.
This paper is based on the project Research and Implementation of IPSec in a VPN Environment, supported by the Digital Sports program of the Beijing Dongcheng Sports Bureau. It first introduces the related technical background; then, through careful analysis and design, an IPSec security solution is presented according to user requirements. IPSec was implemented on a sports IC-card system in a VPN environment for the first time, which is of great benefit to the 2008 Digital Olympiad and to other IC-card projects.
The IPSec architecture contains the AH, ESP and IKE protocols, among others. On this basis, research was carried out on methods of implementing IPSec in a VPN environment. The paper does not cover all IPSec services and implementations; it gives a detailed introduction to IPSec packet processing, IPSec implementation modes, the IPSec protocol stack and so on. Based on my own understanding and practice, an SPD model and an ID3 algorithm are provided, drawing on knowledge of machine learning.
Although some IPSec components need improvement, it can be predicted that, as IPv6 technology and IP networks develop, IPSec will become the network security standard in the near future.
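The abstract names two mechanisms without showing them: the ordered SPD lookup that drives IPSec outbound and inbound packet processing, and the ID3 information-gain criterion the thesis applies to SPD policy analysis. The Python sketch below is an added illustration, not code from the thesis, whose own model and algorithm are not on this page. The policy table, the packets, the selector fields and all function names are constructed for the example; the lookup semantics follow RFC 2401 (first matching entry wins, no match means discard, and a cleartext packet arriving where the policy requires protection is discarded).

```python
"""SPD lookup and ID3 information gain over SPD entries (constructed example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from math import log2
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic selectors plus the action to apply."""
    src: str            # source prefix
    dst: str            # destination prefix
    proto: str          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str         # "PROTECT", "BYPASS" or "DISCARD"


# Constructed SPD, ordered most-specific first; the last entry is default deny.
SPD = [
    Policy("10.1.0.0/16", "10.2.0.0/16", "tcp", 3306, "PROTECT"),  # card DB traffic
    Policy("10.1.0.0/16", "10.2.0.0/16", "tcp", 80, "PROTECT"),    # card web front end
    Policy("10.1.0.0/16", "10.2.0.0/16", "icmp", None, "BYPASS"),  # diagnostics in clear
    Policy("10.1.0.0/16", "0.0.0.0/0", "udp", 53, "BYPASS"),       # DNS in clear
    Policy("0.0.0.0/0", "10.1.0.0/16", "tcp", 23, "DISCARD"),      # telnet from anywhere
    Policy("0.0.0.0/0", "0.0.0.0/0", "any", None, "DISCARD"),      # default deny
]


def matches(p: Policy, pkt: dict) -> bool:
    """True if every selector of the policy covers the packet's fields."""
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(p.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(p.dst):
        return False
    if p.proto != "any" and p.proto != pkt["proto"]:
        return False
    if p.dport is not None and p.dport != pkt.get("dport"):
        return False
    return True


def outbound_process(spd, pkt: dict) -> str:
    """Outbound processing: first matching SPD entry decides; no match is a discard."""
    for p in spd:
        if matches(p, pkt):
            return p.action
    return "DISCARD"


def inbound_cleartext(spd, pkt: dict) -> str:
    """Inbound check for a packet that arrived WITHOUT IPSec protection.

    If the SPD says the traffic must be protected, accepting it in clear would
    let an attacker bypass the tunnel, so the packet is discarded.
    """
    action = outbound_process(spd, pkt)
    return "DISCARD" if action == "PROTECT" else action


# ---- ID3 over the policy table: which selector field best separates actions? ----
FIELDS = ("src", "dst", "proto", "dport")


def entropy(labels) -> float:
    """Shannon entropy (bits) of the action distribution."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(spd, field: str) -> float:
    """Entropy reduction obtained by splitting the entries on one selector field."""
    base = entropy([p.action for p in spd])
    groups = {}
    for p in spd:
        groups.setdefault(getattr(p, field), []).append(p.action)
    remainder = sum(len(g) / len(spd) * entropy(g) for g in groups.values())
    return base - remainder


def best_split(spd, fields=FIELDS) -> str:
    """ID3 attribute choice: the field with the highest information gain."""
    return max(fields, key=lambda f: information_gain(spd, f))


def build_tree(spd, fields=FIELDS):
    """Recursive ID3: leaf = action string, node = {"field", "branches"}."""
    actions = [p.action for p in spd]
    if len(set(actions)) == 1 or not fields:
        return Counter(actions).most_common(1)[0][0]
    f = best_split(spd, fields)
    rest = tuple(x for x in fields if x != f)
    branches = {}
    for p in spd:
        branches.setdefault(getattr(p, f), []).append(p)
    return {"field": f, "branches": {v: build_tree(sub, rest) for v, sub in branches.items()}}


if __name__ == "__main__":
    db = {"src": "10.1.5.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 3306}
    print("outbound DB query:", outbound_process(SPD, db))
    print("cleartext DB query arriving inbound:", inbound_cleartext(SPD, db))
    print("root split field:", best_split(SPD))
```

The split chosen here is the destination port, which also shows a known weakness of plain ID3: information gain favours attributes with many distinct values, which is why later decision-tree algorithms (C4.5) use gain ratio instead; any SPD model built on ID3 should be checked for this bias.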