Research on the Architecture and Security of Active Networks
Abstract
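Active networking is one of the newest technologies to emerge in the development of networks and is an ideal solution for the next-generation network architecture. A packet transmitted in an active network is called an active packet; besides data and packet header information, it can also carry a piece of program code. Intermediate active network nodes with computing capability (active routers, active switches) provide an execution environment that interprets and executes the program carried in an active packet, or uses the parameters carried in the packet to execute a program already present on the node. This changes the traditional network processing model from "store-forward" to "store-compute-forward". Users can insert their own customized programs into network nodes to modify or extend the basic configuration of the network, so that new protocols can be deployed and new services provided quickly and dynamically, making the network more flexible and extensible.
     Through in-depth study of active network theory, this paper analyzes how active network architectures are implemented and the security threats active networks face, examines the operating mechanisms of active network systems, and summarizes the main current research results on active networks. Building on the ANTS architecture, it proposes a new intelligent active network transmission system (IANTS), implemented by combining the integrated approach and the discrete approach. It designs the active packet format, the active code distribution mechanism and the active code loading strategy, and places an active code server and a certification authority in the architecture. For packets using the integrated approach, the program carried in the packet can be invoked and executed directly; for packets using the discrete approach, the code can be downloaded from the code server according to the loading strategy and executed locally. IANTS also provides a feasible secure transmission scheme that uses encryption, identification and authentication techniques to ensure secure communication among the network entities. The system modules were implemented in the Java programming language, and the system was tested with ANTS as the execution environment and JANOS as the node operating system.
     The IANTS architecture reflects the flexibility and security of active networks and delivers relatively high performance.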
Active networking is one of the newest technologies to arise in the course of network development and is the ideal solution for the next generation's network architecture. A packet transmitted in an active network is called an active packet; it carries not only data and header information but also a section of code. An active node (active router, active switch) with computing ability provides an execution environment and interprets and executes the code carried in the active packet, or executes code that already exists on the node with the parameters carried in the active packet. This changes the network processing mode from "store-forward" to "store-compute-forward". A user can insert his own program into a node in order to modify or expand the basic network configuration, and to deploy new protocols and provide new services dynamically and rapidly, giving the network more flexibility and extensibility.
     Through in-depth research on active networks, this article analyzes the implementation methods of active network architecture and the security threats, examines the operating mechanisms, and sums up the current main research results on active networks. Based on the ANTS architecture, we propose a new Intelligent Network Transmission System (IANTS), which combines the integrated method and the discrete method. IANTS designs the format of the active packet and the deployment and loading strategy of active code, and has a code server (CS) and a CA. For the integrated method, a node can call the code directly from the packet; for the discrete method, the node downloads the code from the CS when needed, based on the loading strategy. IANTS also presents a secure transfer method that uses encryption, identification and authentication technologies to secure communications between different entities. The modules of the IANTS system are implemented in the Java programming language. The system is tested on the ANTS execution environment and the JANOS node operating system.
     The IANTS architecture reflects the active network's flexibility and security, and a higher degree of performance.
