Design and Implementation of a Dynamic Multipoint VPN
Abstract
At present, virtual private networks (VPNs) built with the IPSec protocol have become the most common enterprise VPN solution, used to provide security and integrity for communication between subsidiaries or departments in different geographic locations. However, the traditional IPSec VPN relies too heavily on manually configured static tunnels and does not support tunnel endpoints that obtain their IP addresses dynamically. As an enterprise grows, especially one with many departments, these problems become more severe. To address them, I propose a dynamic multipoint VPN model built on the traditional VPN model.
     This thesis mainly describes the implementation of the IPSec and SSH protocols on a router. Based on research and analysis of VPN-related technologies, it proposes a dynamic multipoint VPN model for routers, implementing the dynamic establishment of IPSec tunnels and SSH tunnels that protect application-layer data. The thesis emphasizes the understanding, implementation and improvement of IPSec and SSH technology.
     On the VLRT router I implemented a VPN model composed of the improved IPSec, which carries a Next Hop Server (NHS) submodule, and SSH, achieving the dynamic establishment of LAN-to-LAN and site-to-LAN tunnels. It provides integrity and security for the data in the tunnel and authenticates connecting users. On this basis, the product was tested and analyzed in detail, and ideas for improving the dynamic establishment of IPSec tunnels and the SSH negotiation process are proposed.
Nowadays, corporations build Virtual Private Networks (VPNs) to provide security and integrity for communication between their departments, and the most popular way to do so is with IPSec. However, the traditional IPSec VPN depends too heavily on static tunnels that are configured manually, and it does not provide a service for configuring tunnel IP addresses dynamically. As corporations grow, especially those with many departments, the traditional VPN faces more and more problems. To resolve them, I have put forward a Dynamic Multipoint VPN that builds IPSec tunnels dynamically.
     In this thesis I describe the process of implementing the IPSec and SSH protocols in routers. After studying and analyzing VPN technology, I put forward the dynamic multipoint VPN module and implemented the establishment of IPSec tunnels and SSH tunnels. I focus on the process of understanding, implementing and improving IPSec and SSH technology.
     I developed the dynamic multipoint VPN function module on routers, which consists of an IPSec module with a new NHS module and an SSH module. With it I establish LAN-to-LAN and site-to-LAN tunnels dynamically, which makes data transferred through the tunnel safer and its integrity better protected. I also developed the authentication function for access clients. I then tested and analyzed the software in detail. Finally, I put forward ideas for improving both the dynamic establishment of IPSec tunnels and the SSH negotiation process to make the software more efficient.