基于IPSec协议的VPN网络安全技术的研究与实现
|
摘要
随着Internet商业应用的日益广泛,Internet的安全性愈来愈重要。企业租用专线进行数据传输,固然可以保证安全性,但费用昂贵。虚拟专用网VPN(Virtual Private
Network)技术是解决安全与费用矛盾,实现安全传输的重要手段。本文首先介绍了VPN所涉及的各项安全技术,包括隧道协议、加密技术、认证技术等,然后分析了基于IPSec协议的VPN网络安全体系结构以及各组件的功能、工作方式,并在此基础上给出了一种IPSec VPN的具体实现,提出了使用协议开关表和Linux的NetFilter机制将IPSec处理嵌入IP处理中;使用哈希表实现安全关联库;使用Radix结构实现安全策略库的设计思想,并着重讨论了框架结构、关键技术。最后,文章对现有的IPSec VPN系统中存在的问题进行了探讨,提出了自己的解决思路,构造了扩展的VPN模型,并对模型的可行性及设计实现做了分析。
With expanding of Internet applications in commerce, security of Internet becomes more and more important. For enterprises, physical private network is secure, but it is expensive. The technology of Virtual Private Network (VPN) is the major way to solve the contradiction of security and expenditure. In this paper, we introduce security technologies used in VPN, such as tunneling protocol, encryption, authentication and so on, and explain the architecture of VPN based on the protocol of IP Security (IPSec). After these, we propose the realization of IPSec VPN. In the realization, we discuss the design of implementing the transaction of IPSec with the protocol switching table and the NetFilter mechanism in Linux, implementing Security Association Database (SAD) with Hash table
and implementing Security Policy Database (SPD) with the structure of Radix tree. We also discuss the architecture and key technologies in detail. Finally, we analyze many problems in existing IPSec VPN and bring up a model of Expanding Virtual Private Network (EVPN).
Network)技术是解决安全与费用矛盾,实现安全传输的重要手段。本文首先介绍了VPN所涉及的各项安全技术,包括隧道协议、加密技术、认证技术等,然后分析了基于IPSec协议的VPN网络安全体系结构以及各组件的功能、工作方式,并在此基础上给出了一种IPSec VPN的具体实现,提出了使用协议开关表和Linux的NetFilter机制将IPSec处理嵌入IP处理中;使用哈希表实现安全关联库;使用Radix结构实现安全策略库的设计思想,并着重讨论了框架结构、关键技术。最后,文章对现有的IPSec VPN系统中存在的问题进行了探讨,提出了自己的解决思路,构造了扩展的VPN模型,并对模型的可行性及设计实现做了分析。
With expanding of Internet applications in commerce, security of Internet becomes more and more important. For enterprises, physical private network is secure, but it is expensive. The technology of Virtual Private Network (VPN) is the major way to solve the contradiction of security and expenditure. In this paper, we introduce security technologies used in VPN, such as tunneling protocol, encryption, authentication and so on, and explain the architecture of VPN based on the protocol of IP Security (IPSec). After these, we propose the realization of IPSec VPN. In the realization, we discuss the design of implementing the transaction of IPSec with the protocol switching table and the NetFilter mechanism in Linux, implementing Security Association Database (SAD) with Hash table
and implementing Security Policy Database (SPD) with the structure of Radix tree. We also discuss the architecture and key technologies in detail. Finally, we analyze many problems in existing IPSec VPN and bring up a model of Expanding Virtual Private Network (EVPN).
引文
[1] S. Kent、R. Atkinson, Security Architecture for the Internet Protocol, RFC2401, 1998.11
[2] S. Kent、R. Atkinson, IP Authentication Header(AH), RFC2402, 1998.11
[3] S. Kent、R. Atkinson, IP Encapsulating Security Payload (ESP), RFC2406, 1998.11
[4] D. Harkins、D. Carrel, The Internet Key Exchange, RFC2409, 1998.11
[5] R. Thayer、N. Doraswamy、R. Glenn, IP Security Document Roadmap, RFC2411,1998.11
[6] B. Gleeson、A. Lin、J. Heinanen、G. Armitage、A. Malis, A Framework for IP Based Virtual Private Networks, 2000.2
[7] R. Housley、W. Ford、W. Polk、D. Solo, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, 1999.1
[8] Steven Brown, Implementing Virtual Private Networks, McGraw-Hill, 2000.9
[9] Steven M. Bellovin, Distributed Firewalls, USENIX: login magazine, special issue on security, 1999.11, P37-39
[10] Sotiris Ioannidis、Angelos D. Keromytis、Steve M. Bellovin、Jonathan M. Smith, Implementing a Distributed Firewall, In 7th ACM Conference on Computer and Communications Security, 2000.11
[11] Charles Payne, Tom Markham, Architecture and Applications for a Distributed Embedded Firewall, In 17th Annual Computer Security Applications Conference, 2001.11
[12] FreeS/WAN Project: Home Page, http://www.freeswan.org
[13] FreeS/WAN redesign thoughts (KLIPS, IPSEC), http://www. wcug.wwu.edu
[14] NIST Cerberus: An IPSec Reference Implementation for Linux, http://dns.antd.nist.gov/cerberus/
[15] Prof. Dr. P. Heinzmann, VPN Concepts and Protocols (PPTP, L2TP, IPSec), http://www.ita.hsr.ch/vorlesungen/nws/unterlagen/6b-vpn.pdf
[16] Linux netfilter Hacking HOWTO, http://www. netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html
[17] Harald Welte, The netfilter framework in Linux 2.4, http://www. gnumonks.org/papers/netfilter-lk2000/presentation.html
[18] Doug Montgomery, "Testing" for Advanced Networking Technologies, https://w3.antd.nist.gov/antd-itl-ws.PDF/antd-itl-ws. PDF
[19] Makoto Kayashima、Minoru Koizumi、Tatsuya Fujiyama、Masato Terada、Kazunari Hirayama, Seamless VPN, http://www.isoc.org
[20] (美)Naganand Doraswamy、Dan Harkins著,京京工作室译,IPSec新一代因特网安全标准,机械工业出版社,2000.1
[21] (美)Martin W.Murhammer,et al.著,孔雷、刘云新译,虚拟私用网络,清华大学出版社,2000.4
[22] (美)Casey Wilson,Peter Doak著,钟鸣、魏允韬译,虚拟专用网的创建与实现,机械工业出版社,2000.8
[23] David Leon Clark著,于秀莲、徐惠民等译,虚拟专用网,人民邮电出版社,2000.7
[24] (美)Carlton R.Davis著,周永彬、冯登国等译,IPSec:VPN的安全实施,清华大学出版社,2002.1
[25] Gray R.Wright、W.Richard Stevens著,陆雪莹、蒋慧等译,谢希仁校,TCP/IP详解 卷2:实现,机械工业出版社,2000.2
[26] 毛德操、胡希明著,Linux内核源代码情景分析 上册,浙江大学出版社,2001.9
[27] 李善平、刘文峰、李程远等著,Linux内核2.4版源代码分析大全,机械工业出版社,2002.1
[28] 纪纯杰、贺晓能著,Linux内核分析及常见问题解答,人民邮电出版社,2000.7
[29] (美)Christopher Negus著,刘玉芬、梁津译,Red Hat Linux 7 宝典,电子工业出版社,2001.6
[30] 唐靖飚、周良源等著,UNIX平台下C语言高级编程指南,北京希望电子出版社 2000.2
[31] 赖溪松、韩亮、张真诚著,计算机密码学及其应用,国防工业出版社,2001.7
[32] 陆建德,基于IPSec协议的Linux VPN安全网关的研究与设计,小型微型计算机系统,2001.7,P878-880
[33] 许进、马殿富、怀进鹏、李巍,IPSec设计及实现,北京航空航天大学学报,2001.8,P386-390
[34] 汤隽、赵荣彩、李超,Linux下IPSec协议的实现,计算机应用,2002.6,P69-71
[35] 周立峰、周昕、金志权,基于IPSec的VPN在Linux下的实现,计算机应用研究,2002.5,P61-63
[36] 呙亚南、何涛、刘颖、杨寿保,基于IPSec的虚拟专用网技术及其在Linux上的实现,计算机科学,2001.5,P54-56
[37] 孟挂娥、熊云凤、杨宇航,基于PKI的IPSec-VPN网关的设计与实现,计算机工程,2001.2,P102-104
[38] 李新洪、李军、张永乐,Linux内核中IP包过滤的实现方法分析,指挥技术学院学报,2001.1,P26-29
[39] 王宏健、邵佩英、张籍,基于Linux内核防火墙Netfilter的安全应用的设计方
法,小型微型计算机系统,2001.12,P1516-1518
[40] 王作芬、王芙蓉、黄本熊,虚拟专用网中ipsec隧道技术的研究与实现,计算及工程,2001.6,P118-119、P152
[41] 赵阿群、吉逸、顾冠群,支持VPN的隧道技术研究,通信学报,2000.6,第21卷第6期,P85-91
[42] 周师熊、谢德龙,安全VPN和安全协议IPSec,中国数据通信,2001.1,P24-27
[43] 彭湘凯,VPN及其核心技术,成都大学学报(自然科学版),2001.3,P12-15
[44] 王海军、王中心等,VPN技术与解决方案,计算机系统应用,1999.11,P28-30
[45] 翁亮、陈依群、诸鸿文,虚拟专用网(VPN)信息加密技术研究,电讯技术,1999.3,P57-61
[46] 翟海生,IP VPN技术特点与安全机制,通信世界,2001年第33期
[47] 翟海生,IP VPN隧道协议及其应用,通信世界,2001年第34期
[48] 王延年,隧道及其应用技术的研究,郑州大学学报(自然科学版),2001.3,第33卷第1期,P26-31
[49] 宋伟、刘卫宁,虚拟专用网(VPN)——安全灵活的电子商务网络平台,计算机应用,1999.9,P43-45
[50] 谢怀军,VPN技术透视分析,中国金融电脑2000.10,P14-17
[51] 詹浩,VPN的技术分析,中国金融电脑,2000.12,P26-28
[52] 郭彬,IPSec协议(IP安全协议)介绍,沿海邮电之窗,2000.4,P17-20
[53] 基于Linux和IPSec的VPN网关, http://linuxipsecvpn.cosoft.org.cn
[54] 共创联盟: Project Info—Linux和IPSec的VPN网关, https://cosoft.org.cn/projects/linuxipsecvpn/
[55] 为什么VPN网关需要集成防火墙功能, http://neteye.neusoft.com/Docs/News/html/20020531110441331/htmlfile/20020531110441331.html
[56] 程朝辉,Swan技术手册,https://www.ruanxun.com
[57] IPSec-新一代开放性网络安全框架结构,http://www.sensecho.com/VPN2.htm
[58] 虚拟专用网络(VPN)的安全基础,http://www.cns911.com/docs/vpn/0001.php
[59] VPN潮起为哪般,http://sinbad.zhoubin.com/read.html?board=Network&num=65
[60] 李宝文,隧道技术及其应用,
[61] VPN的基本概念及在PIX Firewall上的实现,http://www.fixdown.com/article/article/151.htm
[62] yawl,Linux网络代码导读vO.2,http://www.nsfocus.net/
[63] yawl,linux防火墙实现技术比较,http://www.ionwing.org/firewall1.htm
[2] S. Kent、R. Atkinson, IP Authentication Header(AH), RFC2402, 1998.11
[3] S. Kent、R. Atkinson, IP Encapsulating Security Payload (ESP), RFC2406, 1998.11
[4] D. Harkins、D. Carrel, The Internet Key Exchange, RFC2409, 1998.11
[5] R. Thayer、N. Doraswamy、R. Glenn, IP Security Document Roadmap, RFC2411,1998.11
[6] B. Gleeson、A. Lin、J. Heinanen、G. Armitage、A. Malis, A Framework for IP Based Virtual Private Networks, 2000.2
[7] R. Housley、W. Ford、W. Polk、D. Solo, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, 1999.1
[8] Steven Brown, Implementing Virtual Private Networks, McGraw-Hill, 2000.9
[9] Steven M. Bellovin, Distributed Firewalls, USENIX: login magazine, special issue on security, 1999.11, P37-39
[10] Sotiris Ioannidis、Angelos D. Keromytis、Steve M. Bellovin、Jonathan M. Smith, Implementing a Distributed Firewall, In 7th ACM Conference on Computer and Communications Security, 2000.11
[11] Charles Payne, Tom Markham, Architecture and Applications for a Distributed Embedded Firewall, In 17th Annual Computer Security Applications Conference, 2001.11
[12] FreeS/WAN Project: Home Page, http://www.freeswan.org
[13] FreeS/WAN redesign thoughts (KLIPS, IPSEC), http://www. wcug.wwu.edu
[14] NIST Cerberus: An IPSec Reference Implementation for Linux, http://dns.antd.nist.gov/cerberus/
[15] Prof. Dr. P. Heinzmann, VPN Concepts and Protocols (PPTP, L2TP, IPSec), http://www.ita.hsr.ch/vorlesungen/nws/unterlagen/6b-vpn.pdf
[16] Linux netfilter Hacking HOWTO, http://www. netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html
[17] Harald Welte, The netfilter framework in Linux 2.4, http://www. gnumonks.org/papers/netfilter-lk2000/presentation.html
[18] Doug Montgomery, "Testing" for Advanced Networking Technologies, https://w3.antd.nist.gov/antd-itl-ws.PDF/antd-itl-ws. PDF
[19] Makoto Kayashima、Minoru Koizumi、Tatsuya Fujiyama、Masato Terada、Kazunari Hirayama, Seamless VPN, http://www.isoc.org
[20] (美)Naganand Doraswamy、Dan Harkins著,京京工作室译,IPSec新一代因特网安全标准,机械工业出版社,2000.1
[21] (美)Martin W.Murhammer,et al.著,孔雷、刘云新译,虚拟私用网络,清华大学出版社,2000.4
[22] (美)Casey Wilson,Peter Doak著,钟鸣、魏允韬译,虚拟专用网的创建与实现,机械工业出版社,2000.8
[23] David Leon Clark著,于秀莲、徐惠民等译,虚拟专用网,人民邮电出版社,2000.7
[24] (美)Carlton R.Davis著,周永彬、冯登国等译,IPSec:VPN的安全实施,清华大学出版社,2002.1
[25] Gray R.Wright、W.Richard Stevens著,陆雪莹、蒋慧等译,谢希仁校,TCP/IP详解 卷2:实现,机械工业出版社,2000.2
[26] 毛德操、胡希明著,Linux内核源代码情景分析 上册,浙江大学出版社,2001.9
[27] 李善平、刘文峰、李程远等著,Linux内核2.4版源代码分析大全,机械工业出版社,2002.1
[28] 纪纯杰、贺晓能著,Linux内核分析及常见问题解答,人民邮电出版社,2000.7
[29] (美)Christopher Negus著,刘玉芬、梁津译,Red Hat Linux 7 宝典,电子工业出版社,2001.6
[30] 唐靖飚、周良源等著,UNIX平台下C语言高级编程指南,北京希望电子出版社 2000.2
[31] 赖溪松、韩亮、张真诚著,计算机密码学及其应用,国防工业出版社,2001.7
[32] 陆建德,基于IPSec协议的Linux VPN安全网关的研究与设计,小型微型计算机系统,2001.7,P878-880
[33] 许进、马殿富、怀进鹏、李巍,IPSec设计及实现,北京航空航天大学学报,2001.8,P386-390
[34] 汤隽、赵荣彩、李超,Linux下IPSec协议的实现,计算机应用,2002.6,P69-71
[35] 周立峰、周昕、金志权,基于IPSec的VPN在Linux下的实现,计算机应用研究,2002.5,P61-63
[36] 呙亚南、何涛、刘颖、杨寿保,基于IPSec的虚拟专用网技术及其在Linux上的实现,计算机科学,2001.5,P54-56
[37] 孟挂娥、熊云凤、杨宇航,基于PKI的IPSec-VPN网关的设计与实现,计算机工程,2001.2,P102-104
[38] 李新洪、李军、张永乐,Linux内核中IP包过滤的实现方法分析,指挥技术学院学报,2001.1,P26-29
[39] 王宏健、邵佩英、张籍,基于Linux内核防火墙Netfilter的安全应用的设计方
法,小型微型计算机系统,2001.12,P1516-1518
[40] 王作芬、王芙蓉、黄本熊,虚拟专用网中ipsec隧道技术的研究与实现,计算及工程,2001.6,P118-119、P152
[41] 赵阿群、吉逸、顾冠群,支持VPN的隧道技术研究,通信学报,2000.6,第21卷第6期,P85-91
[42] 周师熊、谢德龙,安全VPN和安全协议IPSec,中国数据通信,2001.1,P24-27
[43] 彭湘凯,VPN及其核心技术,成都大学学报(自然科学版),2001.3,P12-15
[44] 王海军、王中心等,VPN技术与解决方案,计算机系统应用,1999.11,P28-30
[45] 翁亮、陈依群、诸鸿文,虚拟专用网(VPN)信息加密技术研究,电讯技术,1999.3,P57-61
[46] 翟海生,IP VPN技术特点与安全机制,通信世界,2001年第33期
[47] 翟海生,IP VPN隧道协议及其应用,通信世界,2001年第34期
[48] 王延年,隧道及其应用技术的研究,郑州大学学报(自然科学版),2001.3,第33卷第1期,P26-31
[49] 宋伟、刘卫宁,虚拟专用网(VPN)——安全灵活的电子商务网络平台,计算机应用,1999.9,P43-45
[50] 谢怀军,VPN技术透视分析,中国金融电脑2000.10,P14-17
[51] 詹浩,VPN的技术分析,中国金融电脑,2000.12,P26-28
[52] 郭彬,IPSec协议(IP安全协议)介绍,沿海邮电之窗,2000.4,P17-20
[53] 基于Linux和IPSec的VPN网关, http://linuxipsecvpn.cosoft.org.cn
[54] 共创联盟: Project Info—Linux和IPSec的VPN网关, https://cosoft.org.cn/projects/linuxipsecvpn/
[55] 为什么VPN网关需要集成防火墙功能, http://neteye.neusoft.com/Docs/News/html/20020531110441331/htmlfile/20020531110441331.html
[56] 程朝辉,Swan技术手册,https://www.ruanxun.com
[57] IPSec-新一代开放性网络安全框架结构,http://www.sensecho.com/VPN2.htm
[58] 虚拟专用网络(VPN)的安全基础,http://www.cns911.com/docs/vpn/0001.php
[59] VPN潮起为哪般,http://sinbad.zhoubin.com/read.html?board=Network&num=65
[60] 李宝文,隧道技术及其应用,
[61] VPN的基本概念及在PIX Firewall上的实现,http://www.fixdown.com/article/article/151.htm
[62] yawl,Linux网络代码导读vO.2,http://www.nsfocus.net/
[63] yawl,linux防火墙实现技术比较,http://www.ionwing.org/firewall1.htm