Research and Development of AAA Management for IPSec-Based VPNs
Abstract
VPN technology is now widely used on the Internet and in e-commerce, and the IPSec protocol, with its rich functionality, has become the most extensible and most complete network security solution currently available. Compared with the development of VPN technology itself, VPN management products have developed relatively slowly and cannot meet current application requirements. This thesis presents a fairly in-depth analysis of the components of VPN technology and the architecture of the IPSec protocol. It introduces VPN classification, encryption, tunneling and related technologies; the composition, operating modes and concrete implementation of the IPSec protocol; and the concept of AAA, the function of each of its parts, and several AAA protocols in common use today. In the system design and implementation part, the thesis applies the idea of decentralized management and policy-based network connections and presents a system framework for comprehensive user management of an IPSec-based VPN. It formulates a complete AAA management communication protocol and explains in detail the format, function and transmission of each message and the meaning of every field. In view of the characteristics of the IPSec protocol, it defines a basic user database and the main variable structures used while the system runs. The thesis explains in detail the key technologies used during system design and development. For system security, MD5, 3DES and OTP are used to ensure that messages are secure and legitimate. To optimize server performance, hash tables, multithreading and shared memory are used to speed up server processing. The thesis concludes with a worked example of the configuration process for the VPN system and its management system.
VPN technology is now widely applied on the Internet and in electronic business. The IPSec protocol has become the most easily extended and most complete solution because of its strong functionality. Compared with VPN technology itself, VPN management products have developed too slowly to satisfy the expanding range of applications. Through in-depth study and analysis of VPN and IPSec, the thesis introduces VPN technologies such as the kinds of VPN, encryption and tunneling. It also introduces the composition, working modes and application of IPSec. It presents the concept of AAA, the function of each of its parts, and several frequently used AAA protocols. Using the idea of decentralized management and policy-based configuration of tunnel connections, the thesis presents an AAA management system architecture based on IPSec VPN. It designs a set of communication protocols; every type of packet is described in detail in terms of format, function, transmission and the meaning of every field. Based on the characteristics of IPSec, it defines the user database and the principal variable structures used by the system. It explains the important technologies used in the system. Several methods are used to improve system security, such as the MD5 algorithm, the 3DES algorithm and an OTP system. To optimize server capacity, the system uses hash tables, multithreading and shared memory to improve the server's running speed. At the end of the thesis, an example illustrates how to install and configure the VPN system and its management system.
References
