Research on an Improved IPSec Protocol and Its Implementation
Abstract
The IP protocol has no security features of its own and is vulnerable to attacks such as address spoofing, eavesdropping on content, data tampering and replay. IPSec is a suite of open network security protocols that introduces security features into IP "seamlessly", providing a series of security services including access control, connectionless integrity, data-origin authentication, anti-replay and automatic key management. ICMP is an integral part of the IP layer; it is the protocol in the TCP/IP family used for network management and debugging, and provides a way for routers or other hosts to send control information to a host.
     Both IPSec and ICMP are widely used in practice, but when IPSec works in tunnel mode it cannot forward ICMP error messages correctly. This is a problem that urgently needs to be solved and is the focus of this research. Although some existing VPN devices are able to solve it, they are all still at an exploratory stage and there is no unified specification.
     Analysis of the two protocols shows that the root cause of IPSec being unable to forward ICMP messages correctly in tunnel mode is that the returned ICMP message does not contain enough forwarding information. The SA-based improved IPSec protocol is proposed on the basis of this analysis of the cause of the conflict and a focused study of the IPSec security protocols. Its method is to add the host information needed to forward ICMP, namely the final source address, the destination address and the source port number, to the gateway's SAD as SA selectors. An ICMP error message carries the IP header of the IP datagram that triggered it plus that datagram's first eight bytes; for a packet in tunnel mode this means that, whether the AH or the ESP security protocol is in use, the ICMP message contains the triple that identifies the SA: the SPI, the destination address and the protocol type. Using the triple carried in the ICMP message, the gateway looks up its outbound SAD, obtains the host information needed for forwarding, modifies the ICMP message according to that information and forwards it. The improved protocol solves the conflict between IPSec and ICMP while retaining the original IPSec properties, and is compatible with existing IPSec implementations.
     On the basis of the improved IPSec protocol, a standalone VPN module is built on the Windows operating system, divided into an IPSec security-protocol processing module, a policy management module and an IKE negotiation module. It not only implements the original IPSec functionality but also solves the problem of forwarding ICMP messages. It is simple to implement and extends well, and has good application prospects.
IP Security (IPSec) is a technical security standard for all Internet communications, designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data-origin authentication, protection against replays, confidentiality and limited traffic-flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper-layer protocols.
     The Internet Control Message Protocol (ICMP) is an integral part of IP and must be implemented by every IP module. The purpose of ICMP is to provide feedback about problems in the communication environment.
     IPSec and ICMP are both important protocols, but there is a conflict between them: when IPSec is used in tunnel mode, ICMP packets cannot be forwarded correctly to the source host. This conflict has been overcome in some router products, but the method is protected as a trade secret. Analysis of the protocols shows the reason for the conflict: the ICMP packet does not carry enough information for forwarding. Based on the SA of the original IPSec protocol, an improved IPSec protocol is put forward to avoid the problem. In this method, the Host Identity Information (HII) needed for forwarding, such as the source and destination host IP addresses and the source host's port number, is added to the SA as selectors. When the gateway receives an ICMP packet, the HII contained in the SA is found in the SAD by the triple composed of the SPI, the destination IP address and the IPSec security protocol, all of which are contained in the ICMP packet.
     The IPSec VPN is designed according to the improved IPSec protocol. It runs on the Windows operating system as a separate module that captures each IP datagram, processes it, builds an IP datagram in the new format and then forwards it. The improved protocol provides a satisfactory solution and is fully compatible with the original IPSec protocol without reducing any of its properties.
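The gateway-side lookup described in both abstracts, simulated in Python as an added illustration that is not code from the thesis: the ICMP error carries the outer IP header plus the first eight bytes of the ESP or AH header, so the triple (tunnel destination, security protocol, SPI) selects the outbound SA whose selectors hold the host information used to re-address the error. The addresses, SPIs, SAD contents and the inner transport protocol stored alongside the HII are assumptions of this example.

```python
import socket
import struct

ESP, AH = 50, 51  # IP protocol numbers of the two IPSec security protocols

# Constructed outbound SAD of the gateway: SA triple (tunnel dst, protocol, SPI)
# -> host identification info (HII) kept as SA selectors; "proto" is assumed.
SAD_OUT = {
    ("203.0.113.2", ESP, 0x1000ABCD): {"src": "10.0.0.5", "dst": "10.1.0.9", "sport": 40001, "proto": 6},
    ("203.0.113.2", AH, 0x2000BEEF): {"src": "10.0.0.7", "dst": "10.1.0.9", "sport": 5060, "proto": 17},
}

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options, header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):  # -> (src, dst, proto)
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6]

def checksum(data):
    """RFC 1071 one's-complement checksum as used by ICMP (0 == valid)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def make_icmp_error(itype, icode, offending):
    """Router side (RFC 792): 8-byte ICMP header + offending IP header + its first 8 bytes."""
    body = struct.pack("!BBHI", itype, icode, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def spi_of(proto, first8):
    # ESP begins with the SPI; AH has next-hdr, len, reserved, then the SPI.
    return struct.unpack("!I", first8[:4] if proto == ESP else first8[4:8])[0]

def rewrite_icmp_error(icmp):
    """Gateway side: select the SA the error refers to and re-address the error to the inner host; returns (host, new ICMP) or None."""
    if len(icmp) < 36 or checksum(icmp) != 0:
        return None
    _, dst, proto = parse_ipv4(icmp[8:28])
    hii = SAD_OUT.get((dst, proto, spi_of(proto, icmp[28:36])))
    if hii is None:
        return None  # non-IPSec packet or unknown SA: nothing to attribute
    inner = ipv4_header(hii["src"], hii["dst"], hii["proto"], 28)
    ports = struct.pack("!HHI", hii["sport"], 0, 0)  # the SA records only the src port
    return hii["src"], make_icmp_error(icmp[0], icmp[1], inner + ports)
```

Fields the SA does not record (destination port, sequence number) are zero-filled in the rebuilt transport bytes; a real gateway would also have to recompute the outer IP header before sending the message on to the inner host.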