Research and Implementation of the IPSec Protocol Based on Linux
Abstract
With the rapid development of network technology, networks have spread into every part of society, but while providing open and shared resources they inevitably carry security risks. How to effectively guarantee the secure transmission of confidential information across the network has become a growing concern.
     IPSec was proposed precisely to address network security problems effectively. IPSec provides IP and upper-layer protocols with security services including connectionless integrity, data origin authentication, anti-replay protection, confidentiality of data content and limited traffic-flow confidentiality. Because of its strong functionality and many advantages, IPSec has broad application prospects, and only by developing IPSec products with independent intellectual property rights can our country's network security truly be protected; research on and implementation of IPSec is therefore of great significance.
     This thesis first gives a summary introduction to the IPSec protocol suite, including basic concepts such as security policies, security associations and selectors, and the components of the IPSec architecture such as the SPD, SAD, AH, ESP and IKE; it explains the IPSec processing flow in detail and summarizes the advantages of the IPSec protocol.
     On the basis of an in-depth analysis of the IPSec protocol suite and the Linux TCP/IP protocol stack, the thesis focuses on implementing IPSec on the Linux platform. Following common approaches to implementing IPSec, it adopts a method that inserts an IPSec processing module into the Linux network protocol stack, and implements the ESP protocol in tunnel mode. The implementation can be used in a security gateway. The advantage of this approach is that the IPSec processing module is independent of the Linux kernel: the kernel is left almost unmodified and is instead extended functionally.
     Finally, an experimental VPN model is constructed to test and apply the implemented IPSec. Testing consists of a functional test and a performance test. In the functional test, the Ethereal packet sniffer is used to capture and analyze the communication packets; the results show that the packets are encrypted and their contents appear as meaningless garbled data, which verifies the security function. The performance test mainly measures the impact of adding IPSec processing on system performance.
With the rapid development of network technology, networks have been popularized throughout society, but they inevitably bring potential security problems while providing open and shared resources. How to effectively protect the transmission of confidential information over the network has increasingly become a focus of concern.
    IPSec was proposed to solve network security problems effectively. IPSec offers security services including connectionless integrity, data origin authentication, protection against replays, confidentiality and limited traffic-flow confidentiality for IP and upper-layer protocols. Owing to its great functionality and various advantages, IPSec has extensive application prospects. The network security of our country can only truly be protected by developing IPSec products with independent intellectual property rights. Therefore, it is significant to study and implement IPSec.
    Firstly, the IPSec architecture is briefly introduced, including basic concepts such as security policy, security association and selector, and each component of the IPSec architecture, such as the SPD, SAD, AH, ESP and IKE. The processing of IPSec is explained in detail, and its merits are summarized.
    Secondly, based on a deep analysis of IPSec and the Linux TCP/IP stack, an implementation of IPSec under Linux is completed. Referring to commonly used implementation methods, this thesis adopts the approach of inserting an IPSec processing module into the Linux protocol stack. ESP in tunnel mode is implemented, and this implementation can be applied to a security gateway. With this method the IPSec processing module is independent of the Linux kernel, and the functionality of the Linux kernel is enhanced.
    Finally, the IPSec implementation is tested and applied by constructing a tentative VPN model. In the functional test, communication packets are monitored and analysed with the Ethereal software; the result indicates that the content of the packets is encrypted, which verifies the security function of IPSec. In the performance test, the impact of IPSec on system performance is mainly measured.
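The tunnel-mode ESP encapsulation the thesis describes, as an added example that is not the thesis's kernel module: it builds the outer IP/ESP packet in the RFC 2406 layout (SPI, sequence number, padded payload, pad length, next header 4 for the tunnelled IPv4 datagram) and then performs the peer gateway's verify-then-decrypt with a replay check, so a capture of the outer packet shows none of the inner addresses or data, which is what the Ethereal test observed. The keystream PRF, the 8-byte block size, the 96-bit ICV and all addresses and keys are assumptions made so the example runs on the standard library alone.

```python
import hmac, hashlib, struct

IPPROTO_ESP = 50    # outer IP protocol number carrying ESP
IPPROTO_IPIP = 4    # ESP "next header" value for a tunnelled IPv4 datagram
BLOCK = 8           # cipher block size the trailer is padded to (assumed)
ICV_LEN = 12        # 96-bit truncated integrity check value (assumed)

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in PRF, not an ESP transform.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header with a zero checksum (constructed sample data).
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def esp_encapsulate(inner, spi, seq, iv, enc_key, auth_key, gw_src, gw_dst):
    # Tunnel mode: the whole inner datagram becomes the ESP payload between the gateways.
    pad_len = (-(len(inner) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    pt = inner + trailer
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, iv, len(pt))))
    esp = struct.pack(">II", spi, seq) + iv + ct          # SPI, sequence number, IV, payload
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp) + ICV_LEN) + esp + icv

def esp_decapsulate(pkt, enc_key, auth_key, seen):
    # Peer gateway: verify the ICV first, reject replayed sequence numbers, then decrypt.
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack(">II", esp[:8])
    if (spi, seq) in seen:
        raise ValueError("replayed ESP packet")
    seen.add((spi, seq))
    iv, ct = esp[8:16], esp[16:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, iv, len(ct))))
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected next header %d" % next_hdr)
    return pt[:len(pt) - 2 - pad_len]

# Constructed sample: 10.0.0.2 sends a 13-byte datagram to 10.0.1.2 via gateways 1.1.1.1 -> 2.2.2.2.
INNER = ipv4_header(b"\x0a\x00\x00\x02", b"\x0a\x00\x01\x02", 17, 20 + 13) + b"hello, ipsec!"
ENC_KEY, AUTH_KEY = b"constructed-enc-key-sample-only!", b"constructed-auth-key-sample-only"
GW_A, GW_B, IV = b"\x01\x01\x01\x01", b"\x02\x02\x02\x02", b"\x00\x11\x22\x33\x44\x55\x66\x77"
```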