VPN产品中IPSec协议分析及产品的测试方法研究

【作者】 熊正光；

【导师】 谢冬青；

【作者基本信息】 湖南大学 ， 计算机应用技术， 2002， 硕士

【摘要】 随着信息时代的到来，信息安全受到国内外各界人士的高度重视，因为它是信息系统健康发展的基础。IPSec协议，即IP协议层的安全体系结构，是对网络层的IP协议进行安全扩展，加入安全关联协商、数据报的加密、认证和面向主机的访问控制等安全措施，为上层的协议和应用程序提供Internet上一致的安全保护。 对根据IPSec协议开发的VPN(虚拟专用网)产品的安全性测试、评估和认可是使其广泛应用的基础。其中测试又是为评估和认可提供最可信的依据，因此对测试进入深入研究显得迫切而需要。 本文详细介绍了IPSec协议的工作原理及安全机制，并根据信息技术安全评估通用准则(CC)和实际对VPN产品的测试经验，导出了VPN产品的保护轮廓，提出了VPN产品的安全功能和安全保证要求。在此基础上，推导出了VPN产品的测试要求，根据自己所写的测试要求，撰写测试要求和大纲。 所有送检产品的测试都必须依据相应的测试准则，测试VPN产品的基本参考资料就是VPN产品保护轮廓。在此基础上，本文作者提出了VPN产品的导出测试要求(以下称为DTR)，根据自己所写的导出性测试，撰写测试要求和大纲，并且，以上述两准则为依据，联系测试实际，将测试的几大方面即性能测试、功能测试、协议一致性测试和安全性测试的每个方面均以分类、定量的方法细分成多个测试项，且每个测试项都有对应的测试指标和测试结果。 本文还设计开发了一套基于FreeBSD操作系统的测试工具。该测试工具可以测试出VPN产品对IPSec协议的实现是否遵守有关的RFC以及相关的密码算法是否正确，并用它测试了一些VPN产品。在测试原理上，摒弃了已往“记录通信双方会话数据做离线分析”的测试原理，采用了“测试机与被测机直接对话”的测试原理，具有易如实现、测试结果精确等优点。对IPSec协议一致性的测试在国内、国外目前还没有人做过，属于开创性的工作，具有重要的理论意义和实用价值。更多还原

【Abstract】 As the Information time coming, information security is grasping more and more attention from the home and abroad because it is the foundation of information system. IPSec protocol, security architecture of IP protocol, is the security extension of IP protocol of network layer. Joined by security association negotiation encryption of datagram authentication and access control basing host-oriented and otherwise security measure, it can provide security protection for the upper protocol and application.Security test evaluation and certification of VPN production basing on IPSec protocol provide the foundation for its popular application. Because test can provide the most believable thereunder for evaluation and certification, it is urgent and needful for us to research the test deeply.This paper detailedly introduces the principle and security mechanism of IPSec protocol. Based on the common criteria for information technology security evaluation (CC) and the experience of test VPN production practically, we have derived the protection profile of VPN production and put forward the security functions and assurance requirements of VPN production. Upon this achievement, the test requirements of VPN production is derived and brought forward and the test requirements and outline is scribed.All alpha stage products should be tested under the prescribed test standard, the main testing reference is protect outline of VPN product. Based on above, the author proposed the Derived Test Requirement (DTR), write the test requirement and brief follow the self-written DTR, and according to above standards, considering the test practice, the author divide every aspects of performance tes functional tes protocol conformance test and security test into many test items with the methods of classification and quantification, and every test item has its related test index and test result.. There is a very important one in the tests to the VPN production-EPSec protocol conformance test. This paper designed and developed a test tool basing FreeBSD. The bottom modules of the test tool are realized by C language and the top ones are developed by Perl language. This test tool can detect if the VPN production abides by the related RFCs and the related cipher arithmetics are correct. Some VPN productions have been tested by this tool. On the aspect of test principle, the author abandoned the principle of ’off-line analysis of communication record data’ , adapted the principle of ’direct dialog of tester and testee’ . With this approach, the system has the advantages of easy to realize and having accurate testing result. The conformance test towards the IPSec protocol is the first instance in the world, It belongs to the initiate work, and has important theoretic meanings and pratical value.更多还原