
Analysis and Study of IPSec Protocol Architecture Theory, and the Implementation and Construction of an IPSec-Based VPN

【Author】 高明虎

【Advisor】 钟叔玉

【Author information】 Kunming University of Science and Technology, Management Science and Engineering, 2004, Master's

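【Abstract (from the Chinese)】 In recent years computer networks have developed by leaps and bounds, and the network has become basic communication infrastructure for human society. In the first few decades after its appearance it was used mainly to carry e-mail between researchers at universities and to let collaborating staff share printers. Under those conditions security did not receive enough attention. But as computer networks play an ever larger role in society, the importance of network security has become more and more prominent. Network security has always been a hot research topic. Information can be stolen, tampered with and forged, so protecting information means providing it with confidentiality and integrity, together with authentication. A virtual private network (VPN) is a powerful device for providing this protection. VPN technology is a network security technology that is gradually being adopted; it uses a public network such as the Internet to provide reliable connections between mobile users and the enterprise network, between a company's subsidiaries and the parent company, and between business partners and the company. It provides security protections such as data encryption, data-origin authentication and data-integrity checking, can resist many kinds of network attack, and saves investment when building an enterprise network. The VPN device sits between the protected subnet and the router; two VPN devices work together to protect the communication between two subnets. Once the VPN security policy has been configured, the two VPNs negotiate and establish security parameters shared by both sides, that is, an IPSEC secure tunnel is established. When hosts in the two protected subnets communicate, data is in plaintext inside the subnet area; when it enters the secure tunnel it is encrypted and authenticated, which guarantees the confidentiality and integrity of the data and provides source authentication. VPN technology can be supported by security protocols at several network layers, such as PPTP at the data link layer, IPSEC at the network layer and SOCKS at the session layer. Because every TCP/IP-based application must pass through the network layer, which encapsulates its data in an IP packet before transmission, and because working at the network layer can provide security services transparently to upper-layer applications, this thesis chose to implement VPN technology on the basis of IPSEC. The IPSEC security protocols comprise the AH protocol, the ESP protocol and the IKE protocol for automatic key exchange. This thesis analyses and discusses the VPN protocol architecture, implementation mechanisms and security mechanisms in some detail.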

【Abstract】 Having developed rapidly in recent years, the computer network has become the communication infrastructure of human society. Its security went unnoticed in the first few years after it came into being, when it was used to transmit e-mail among university researchers and to share printers among collaborating employees, but its importance has become more and more prominent as its value in social life has grown. Network security has been a hot research topic. Protecting information, which is easily eavesdropped on, modified and counterfeited, means offering secrecy, integrity and source verification. A virtual private network (VPN) is an effective device for providing such protection. VPN technology is becoming widespread. It links consumers, subsidiary companies and commercial partners to the corporation through the Internet and provides secrecy, integrity and identity verification. A VPN can resist attacks from the Internet and saves money. A VPN device, which sits between the protected subnet and the router, can keep network communication safe from attack if more than two devices are used together. Once security policies have been configured, two VPN devices negotiate shared parameters in order to establish a secure tunnel. Data inside the protected subnet is not encrypted, but it is encrypted in the tunnel in order to preserve its secrecy and integrity. VPN technology can be used at every layer of the network model, for example the Data Link Layer, the Network Layer and the Session Layer. This thesis is about implementing a VPN based on IPSEC, because data is encapsulated in an IP packet before it is transmitted and, moreover, processing data at the network layer can offer a secure and transparent service to the upper layers. The thesis treats IPSEC VPN in great detail.

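【Keywords (from the Chinese)】 network security protocol; network key exchange; authentication header; encapsulating security payload; security association database; security policy database; security policy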
【Key words】 IPSEC; IKE; AH; ESP; SA; SP; SADB; SPDB
  • 【Classification number】TP393.08
  • 【Downloads】182