Design and Implementation of an IPSec-Based Security Router
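Abstract
As more and more individuals and organizations connect to the Internet, network security has become a focus of research around the world. To address this problem and provide security properties such as confidentiality, integrity and identity authentication for information transmitted over the network, we set out to study the IPSec security protocol suite and Virtual Private Network (VPN) technology.
Starting from the current state of network security, this thesis describes in detail the principles of the IPSec security protocol and VPN technology, focuses on the design and implementation of R101, an IPSec-based security router, and tests R101's functionality and performance.
The thesis has five chapters. Chapter 1 briefly introduces the meaning of network security and its key technologies. Chapter 2 describes in detail the principles of the IPSec and VPN network security technologies, including the meaning of VPN and the IPSec protocol family. Chapter 3, the core of the thesis, presents the overall design approach and architecture of the security router, mainly covering the implementation of IPsec under the Linux operating system, the design and implementation of hardware encryption, and support for the security functions specified by national security standards. Chapter 4 tests the functionality and performance of R101 and draws conclusions from the tests. Chapter 5 summarizes the thesis and proposes improvements to R101 and directions for future development.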
With more and more people and organizations connected to the Internet, network security has become a major concern and the focus of extensive research throughout the world. To solve this problem, and to provide confidentiality, integrity and authentication for information transmitted over the network, we undertook research on the IPSec protocol suite and Virtual Private Network (VPN) technology.
This paper starts with background information on the status of network security, followed by a brief introduction to the theory of IPSec and VPN. The design and implementation of the IPSec-based security router R101 are described in detail. The tests of the functionality and performance of R101 and their results are also discussed.
This thesis consists of five chapters. The first chapter introduces background information on network security and its key technologies. The second chapter surveys the theory of IPSec and VPN, including the meaning of VPN and the protocols of the IPSec family. The third chapter, which is the main body of the thesis, describes the overall design strategy and the router architecture. The Linux-based implementation of IPsec, the design of hardware-based encryption, and the support for security functions specified by national standards on IT security are discussed with emphasis. In chapter 4, we present the tests of the functionality and performance of R101 and their results. The last chapter draws the conclusions of our study, gives recommendations for improving R101, and indicates future research directions for the system.
