Research and Implementation of IPSec in VPN Environment

【Author】 Yang Ming (杨明)

【Advisor】 Zhang Zaihong (张载鸿)

【Author information】 Beijing University of Technology, Computer Applications, 2003, Master's

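【Summary】 As e-government, e-commerce and electronic finance continue to advance, network applications are becoming ever more widespread and enterprises and organizations keep growing. The old way of building networks, with large investment, high cost and low utilization, can no longer meet their development needs. Virtual Private Network (VPN) technology emerged in response. It combines the performance advantages of traditional data networks with the advantages of the Internet's network structure, fundamentally changes how networks are built, fits the development needs of enterprises and organizations, and represents the latest trend in networking. It must be pointed out, however, that data transmitted over a VPN without security measures is easily eavesdropped on, tampered with and forged, which can cause incalculable losses to enterprises and organizations. To address the security needs of the Internet, the Internet Engineering Task Force (IETF) issued the IP-layer security standard IPSec (IP Security) in November 1998. Its goal is to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. IPSec operates at the network layer, protecting and authenticating the IP packets in transit, and provides security assurance for sending sensitive information across an unprotected network such as the Internet. IPSec implements several security services, including access control, connectionless integrity, data origin authentication, anti-replay, confidentiality (encryption) and limited traffic flow confidentiality. This thesis takes as its background Beijing's first "digital sports" project: research on an IPSec-based VPN for the network security of the one-card system of the Beijing Dongcheng District Sports Bureau. It first analyzes the state of network security and the VPN and IPSec technical background relevant to the project, compares them with traditional ways of implementing security, carries out a detailed analysis and design according to user requirements, and proposes an implementation scheme for the system based on an IPSec VPN. The scheme improves on the traditional one-card security mechanism and on the way IPSec is implemented, and the successful delivery of the project is of broad significance both for the 2008 Digital Olympics and for other Golden Card projects. The IPSec architecture comprises several protocols, including AH, ESP and IKE. This thesis does not cover every protocol and service in the IPSec protocol suite. It concentrates on a detailed description of IPSec inbound and outbound packet processing, the IPSec implementation modes and the IPSec protocol stack. The research borrows ideas from machine learning, and the thesis presents an SPD policy analysis model based on the ID3 decision tree together with its implementation algorithm. Although some components of IPSec still need refinement, it can be expected that, with the spread of IPv6 and the build-out of IP networks, IPSec will become the industry standard for network security.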

【Abstract】 With the development of e-government, e-business and e-finance, we have entered an information era based on the Internet. As enterprises and organizations grow, building networks with high investment and high consumption in return for low utilization no longer suits them. VPN technologies were developed at this time; they make full use of the benefits of conventional networks and of the structure of the Internet. VPNs, which completely change this situation and fit the needs of enterprises and organizations, are the trend of network development. But attention must be paid to the security of VPNs. If hackers sniff, alter or fake unprotected data while it is transferred through public networks, it may cause incalculable loss. Out of concern for network security, the Internet Engineering Task Force (IETF) provided the IP security guarantee for transferring sensitive information over an unprotected network in Nov. 1998. IPSec provides these security services at the IP layer. It protects and authenticates IP packets transferred between IPSec devices. With IPSec, data is protected against being sniffed, altered or faked while crossing the Internet. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec makes Virtual Private Networks (VPNs) available. This paper is based on the project (Research and Implementation of IPSec in VPN Environment), which was supported by the digital sports project of the Beijing Dongcheng sports bureau. The paper first introduces the related technology background; then, after careful analysis and design, an IPSec security solution is presented according to user requirements. IPSec was implemented on a Sports IC system in a VPN environment for the first time, which is of great benefit to the 2008 digital Olympiad and other IC projects. The architecture of IPSec contains the AH, ESP and IKE protocols, among others. Based on these, research was carried out on methods of implementing IPSec in a VPN environment. The paper does not cover all the services and implementations of IPSec, but gives a detailed introduction to how IPSec processes data packets, the implementation modes of IPSec, the IPSec protocol stack, etc. Drawing on my understanding and practice, an SPD model and an ID3 algorithm are provided, based on knowledge of machine learning. Although some components of IPSec need improvement, it can be predicted that, as IPv6 technology and IP networks develop, IPSec will become the standard for network security in the near future.

【Keywords】 Network security; IPSec; virtual private network; ID3 algorithm
【Key words】 Networks Security; IPSec; VPN; ID3 Algorithm
  • 【Classification number】 TN915.85
  • 【Citation count】 6
  • 【Download count】 259