Research and Application of IPSec in Pure IPv6 Networks
Abstract
Starting from the current state of network security, this thesis examines the main threats to network security and the corresponding attack methods, and summarizes the security measures and technical means adopted to counter those threats and attacks and so improve network security. It analyzes in detail the security protocol of IPv6, IPSec: its security capabilities, the composition of the IPSec security architecture, how IPSec operates, and how IPSec is implemented in IPv4 and IPv6. It discusses IPSec's capabilities for IP packet integrity, confidentiality, data origin authentication and anti-replay protection, and how the basic IPSec protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), cooperate with the other components of the IPSec security architecture, such as security policy, encryption and authentication algorithms and key management, to jointly protect IP packets.
    The thesis presents experimental research on the application of IPSec in a pure IPv6 network. In these experiments, different IPSec policies were applied to different traffic flows; the use of selectors produced fairly fine-grained protection policies; and, as a novel step, IPSec policies were applied in a mobile IPv6 network. Network performance before and after applying the IPSec policies was analyzed quantitatively, leading to a preliminary conclusion that applying IPSec policies affects network transmission performance, together with an estimate of the extent of that effect. After the tests were carried out, the experimental results were summarized on the basis of the test data, the shortcomings of the current experiments were analyzed, and suggestions and reflections on further research into the technology were put forward.
At the beginning of the dissertation, we discussed the state of security on the Internet, analyzed the factors that cause the fragility of the Internet, and introduced some means used to provide security services for the Internet. After that, this dissertation focuses on deep research on secure network access as follows. The IPv6 security component IPSec is analyzed in detail in terms of the structure, function, work mode and implementation of IPSec in IPv4 and IPv6. The ability to keep the IP packet's integrity, secrecy, authentication, data origin and anti-replay protection is discussed. The relationship of the IPSec components Authentication Header (AH), Encapsulating Security Payload (ESP) and IKE (Internet Key Exchange) is also talked about. This discussion of IPSec gives the impression that IPSec makes the IP layer secure enough.
    Then, I designed a group of experiments based on the foregoing theory, proceeding further with research on IPSec applied in native IPv6. In these experiments, different IPSec policies were applied to different communication streams; through the use of selectors, a meticulous protection policy was formed; and the IPSec policy was creatively applied inside a mobile IPv6 network. In the dissertation I have compared the network transmission performance before and after applying the IPSec policy in order to carry out a quantitative analysis, and obtained a preliminary conclusion that applying the IPSec policy would influence network transmission performance, and to what degree. After implementing the experiments, according to these test data, I analyzed the deficiencies of the current experiments, and put forward our suggestions and considerations for further technical research in the future.