Research on a Campus Network Integrated Management System and User Self-Service System
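Abstract
As campus networks grow ever larger and new types of network applications keep emerging, network management becomes increasingly difficult. The steadily rising level of informatization places ever higher demands on the security, availability, stability and scalability of the campus network. New models of integrated network management and of user service have become topics we must study.
     This thesis combines an improved 802.1x protocol and the PPPoE protocol with the CISCO SCE 2000 to design and implement a complete system for user access control, quality-of-service management, network application management, real-time network monitoring and billing, namely the campus network integrated management system. A campus network user self-service system is designed and implemented, which offers users the greatest possible convenience and simplifies management. An online payment platform is designed and implemented; it is compatible with multiple online banks and the campus card, and serves the user self-service system and other units of the university. In addition, the system's improvements to IEEE 802.1x do not change its standard communication mechanism or packet format, so it can be used with switches from all vendors, avoiding the problem of being tied to a vendor's equipment when using that vendor's proprietary client.
     By implementing this design, the thesis resolves the key technologies involved, completes the improvement of the 802.1x protocol, and develops Tianjin University's own authentication client. The whole integrated network management system has been tested, and the payment platform has been put into use. The study shows that the system can, to a large extent, enhance the security, availability and stability of the campus network and improve its scalability. The key technologies described in the thesis have all been tested successfully and can be promoted further.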
As campus networks grow larger and new network applications emerge faster than ever, network management has become more difficult than it was a few years ago. At the same time, the growing degree of informatization demands that the network offer more security, availability, stability and scalability. The study of new general-purpose network management patterns and user service models has become something we must do.
     This paper proposes the implementation of a general-purpose campus network management system, which includes user access control, quality of service management, network application management, real-time network monitoring and a network billing system, together with a user self-service system. IEEE 802.1x is deployed for the system, and PPPoE and the CISCO SCE 2000 are introduced into it. An online payment system, compatible with many online banks and the campus card, is implemented; it can be used by the self-service system and other systems in the campus network. The normal communication mechanism and PDU format are not changed by our deployment, so the system can work with any vendor's Ethernet switches. The restriction of having to work with specific switches when using a vendor's private 802.1x client is not introduced into the system.
     In this paper, the design proposal of the system is implemented, the key technology problems are resolved, and the adapted 802.1x protocol and the authentication client are developed. The general-purpose campus network management system and user self-service system have been tested, and the online payment system is now in use. The study indicates that the systems in this paper can enhance the security, availability, stability and scalability of the campus network.
