

Research on Key Technologies of Virtual Private Network

【Author】 Zhou Chunyue

【Supervisor】 Zhang Hongke

【Author information】 Beijing Jiaotong University, Communication and Information Systems, 2011, Doctoral dissertation

【Abstract (translated from the Chinese)】 With the rapid development of network interconnection technology and of the demand for secure communication between enterprises, Virtual Private Network (VPN) technology has become a focus of broadband Internet research and development, and an emerging Internet service that has grown rapidly and gained widespread adoption in recent years. A VPN is a private data network that uses the public information network infrastructure, tunneling protocols and security technologies to offer confidentiality, flexibility and low cost. The goals of next-generation networks, namely service interworking, complex network connectivity and a multi-level service architecture, place higher demands on the future development of VPN technology. To adapt to the evolution of next-generation networks, future VPN technology must be more diverse and flexible, with technical services closely matched to demand; on the premise of guaranteed security it must support data, voice and video services simultaneously; support multicast, quality of service and mobility; and offer diverse access technologies, adaptability to complex environments and interoperability. This thesis addresses the key VPN technologies of multicast, mobility and quality of service. The main research work and contributions are as follows:

1. Customer-site multicast and three backbone multicast schemes are proposed for VPNs based on Virtual Routers (VR VPN). First, for multicast within customer sites, a Multicast Proxy Source/RP mechanism is proposed: the VR attached to a customer site acts as that site's multicast proxy source/RP and as the ingress/egress interface for the site's multicast streams. The configuration is simple and fixed, provides a consistent view of the whole network, effectively reduces routing detours and loops inside the site, and gives complete control over multicast state within the VPN site. Second, three backbone multicast schemes are proposed for different VR topologies: shared-tree multicast, source-tree multicast and aggregated shared-tree multicast, analysed and evaluated in terms of scalability, security, resource utilisation and quality of service. The results show that the proposed multicast mechanisms outperform existing VPN multicast schemes in scalability, security and quality of service.

2. A mobile VPN scheme based on asymmetric forward and reverse tunnels is proposed. The IPSec security protocol provides data-origin authentication, data integrity and confidentiality; on that security basis, asymmetric tunnels exploit the asymmetric distribution of upstream and downstream Internet traffic to optimise transmission efficiency at a reasonable overhead, and a pre-negotiation mechanism gives mobile nodes seamless handover. The scheme solves the registration and data-transmission problems that arise while mobile VPN nodes roam, requires few changes to existing VPN infrastructure, and is therefore easy to deploy. Its applicability in MIPv6 and mobile-network environments is analysed theoretically, and an improved scheme for mobile-network environments is proposed.

3. A bandwidth allocation model for the VPN hose model that satisfies max-min fairness is proposed. Without prior knowledge of the VPN topology or of a detailed traffic distribution matrix, it allocates hose reservation resources in real time from estimates of the arriving flow rates, yielding predictable QoS guarantees and a bandwidth multiplexing gain. The model maximises VPN throughput and scales well. To manage bandwidth in dynamically changing networks more effectively, a network traffic prediction model based on an error-compensation mechanism is also proposed; applied to bandwidth management in real VPN networks, it adjusts link resources dynamically so that the load on shared VPN links is balanced effectively.

【Abstract】 With the rapid development of inter-networking technology and the increasing need for secure communication between corporations, Virtual Private Network (VPN) technology has attracted a lot of attention from researchers and developers of broadband Internet technology, and has recently emerged as a new Internet service with rapid growth and extensive adoption. A VPN is a private data network that provides confidentiality, flexibility and lower cost through the use of public network infrastructure, tunneling protocols and security technologies. Characteristics of next-generation networks (NGN), such as service interworking, complex connectivity and a multi-level service architecture, impose higher requirements on the future development of the VPN. In order to adapt to the development of the NGN, the VPN should be more diversified and flexible so that the technology and its services match the demands. Besides providing security assurance, the emerging requirements for the VPN include supporting data, voice and video traffic simultaneously; multicast, quality of service (QoS) and mobility; and service interworking scenarios, complex connectivity scenarios and customer-on-demand capabilities. The thesis studies the VPN technologies of multicast, mobility and QoS. The main research results and innovations are as follows:

1. Three innovative VPN multicast mechanisms on the service provider backbone network and one scheme for the customer sites are proposed for IP VPNs built on Virtual Routers (VRs). First, a Multicast Proxy Source/RP mechanism for customer-site multicast is put forward: the VR connecting to a customer site is deployed as the Multicast Proxy Source/RP of that VPN site, and the VR then serves as the interface through which multicast streams enter and leave the customer site. It provides a consistent view of the whole network and simple configuration for customers and providers, effectively reduces circuitous routes and loops within the site, and gives complete control of multicast state within the VPN site. Second, according to the different VR topologies, three VPN multicast schemes on the backbone network are proposed, based respectively on a shared tree, a Shortest Path Tree and an aggregated shared tree; a detailed analysis and evaluation of their scalability, security, resource utilization and quality of service is presented. The results show that the proposed multicast mechanisms are superior to existing VPN multicast schemes in scalability, security and quality of service.

2. A mobile VPN scheme based on asymmetric tunnels is put forward. It provides source authentication, data integrity and confidentiality through the IPSec security protocol. The asymmetric tunnels are established by taking advantage of the asymmetric distribution of total upstream and downstream traffic on the Internet. The scheme optimizes transmission efficiency at the cost of a reasonable overhead while ensuring security, adopts a pre-negotiation mechanism to achieve seamless handover, and effectively addresses the registration and data transmission problems that arise while mobile nodes roam. It requires only a few modifications to the existing VPN infrastructure, which makes it easy to deploy. A theoretical analysis of the scheme in the MIPv6 and NEMO environments is presented, and an improved solution for the NEMO environment is proposed.

3. A novel bandwidth allocation model satisfying Max-Min fairness is proposed for the hose-modeled VPN. It performs real-time allocation of hose bandwidth resources based on the estimated arrival rate of each hose flow, without requiring a detailed VPN network topology or traffic distribution matrix, and thus achieves predictable QoS performance guarantees and a bandwidth multiplexing gain. It is proved analytically that the proposed model, with its weighted Max-Min fair allocation algorithm, achieves the maximum overall VPN throughput and good scalability. Moreover, the stability and adaptability of this fair allocation algorithm are strictly proved by theoretical analysis and confirmed by simulation results. To better adapt to bandwidth management in dynamically changing networks, a network traffic prediction model with error compensation is proposed. Applied to a real VPN network, it can dynamically adjust link resources and effectively balance the load on the shared links of the VPN.
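To make the third contribution concrete, the following is an added illustration of weighted Max-Min fair allocation by progressive filling over one shared VPN link; it is not the thesis's own algorithm. The demands stand for the estimated arrival rates of the hose flows and the weights for their configured hose reservations; both inputs and the link capacity are constructed sample values.

```python
"""Weighted Max-Min fair allocation of a shared VPN link among hose flows.

Added example (not from the thesis): progressive filling, where flows are
raised in proportion to their weights until the smallest remaining demand
is met, that flow drops out, and its unused share is recycled to the rest.
"""
from typing import Dict

EPS = 1e-9  # tolerance for floating-point comparisons


def weighted_max_min(capacity: float, demands: Dict[str, float],
                     weights: Dict[str, float]) -> Dict[str, float]:
    """Return per-flow allocations that are weighted Max-Min fair.

    demands: estimated arrival rate of each hose flow (same unit as capacity)
    weights: relative hose reservation of each flow (positive)
    """
    alloc = {f: 0.0 for f in demands}
    active = {f for f in demands if demands[f] > EPS}
    remaining = capacity
    while active and remaining > EPS:
        total_w = sum(weights[f] for f in active)
        # Largest uniform (weight-normalised) increment that neither exceeds
        # the nearest unsatisfied demand nor the capacity still available.
        step = min((demands[f] - alloc[f]) / weights[f] for f in active)
        step = min(step, remaining / total_w)
        for f in active:
            alloc[f] += step * weights[f]
        remaining -= step * total_w
        # Flows whose estimated demand is now met leave the filling process.
        active = {f for f in active if demands[f] - alloc[f] > EPS}
    return alloc


def is_feasible(capacity: float, demands: Dict[str, float],
                alloc: Dict[str, float]) -> bool:
    """Check that no flow exceeds its demand and the link is not oversubscribed."""
    return (sum(alloc.values()) <= capacity + EPS
            and all(alloc[f] <= demands[f] + EPS for f in demands))


if __name__ == "__main__":
    # Constructed sample: a 100 Mbit/s link, three hose flows, equal weights.
    demands = {"siteA": 10.0, "siteB": 50.0, "siteC": 80.0}
    weights = {"siteA": 1.0, "siteB": 1.0, "siteC": 1.0}
    print(weighted_max_min(100.0, demands, weights))
```

With equal weights the small flow keeps its full 10 and the two larger flows split the rest evenly at 45 each; giving one flow a weight of 3 shifts the unsaturated share toward it in a 3:1 ratio.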


