

Study on an Improved IPSec Protocol Scheme and Implementation

【Author】 姜正强

【Supervisor】 陈传波

【Author Information】 华中科技大学 (Huazhong University of Science and Technology), Computer Application Technology, 2006, Master's degree

【Abstract (translated from the Chinese)】 The IP protocol has no security features of its own and is vulnerable to attacks such as address spoofing, eavesdropping, data tampering and replay. IPSec is a suite of open network security protocols that introduces security into IP "seamlessly", providing services including access control, connectionless integrity, data-origin authentication, anti-replay and automatic key management. ICMP is an integral part of the IP layer; it is the protocol in the TCP/IP family used for network management and debugging, and it provides a way for routers or other hosts to deliver control information to a host. Both IPSec and ICMP are widely used in practice, but when IPSec works in tunnel mode it cannot forward ICMP error messages correctly. This is a problem in urgent need of a solution and the focus of this research. Although some existing VPN devices can solve the problem, they are still at an exploratory stage and there is no unified specification. Analysis of the two protocols shows that the root cause of IPSec failing to forward ICMP messages correctly in tunnel mode is that the returned ICMP message does not carry enough forwarding information. The SA-based improved IPSec protocol is proposed after analysing the cause of the conflict and studying the IPSec security protocol in depth. Its method is to add the host information needed for ICMP forwarding, such as the final source and destination addresses and the source port number, to the gateway's SAD as SA selectors. An ICMP error message carries the IP header and the first eight bytes of the IP datagram that triggered it; for a tunnel-mode packet, the ICMP message therefore contains, whether the security protocol is AH or ESP, the triple that identifies the SA: the SPI, the destination address and the protocol type. Using the triple carried in the ICMP message, the security gateway looks up its outbound SAD, obtains the host information used for forwarding, modifies the ICMP message according to that information and forwards the packet. The improved protocol solves the conflict between IPSec and ICMP while retaining the original characteristics of IPSec, and it is compatible with existing IPSec implementations. Based on the improved IPSec protocol, a standalone VPN module is built on the Windows operating system, divided into an IPSec security protocol processing module, a policy management module and an IKE negotiation module. It not only implements the original IPSec functions but also solves the ICMP message forwarding problem. It is simple to implement and easy to extend, and has good prospects for application.

【Abstract】 IP Security (IPSec) is a technical standard for securing all Internet communications, designed to provide interoperable, high-quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data-origin authentication, protection against replays, confidentiality and limited traffic-flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper-layer protocols. The Internet Control Message Protocol (ICMP) is an integral part of IP and must be implemented by every IP module. The purpose of ICMP is to provide feedback about problems in the communication environment. IPSec and ICMP are both important protocols, but there is a conflict between them: ICMP packets cannot be forwarded correctly to the source host when IPSec is used in tunnel mode. This conflict has been overcome in some router products, but the method is protected as a business secret. By analysing the protocols, the reason for the conflict is that the ICMP packet does not contain enough information for forwarding. Based on the SA of the original IPSec protocol, an improved IPSec protocol is put forward to avoid the problem. In this method, the Host Identity Information (HII) needed for forwarding, such as the source and destination host IP addresses and the source host's port number, is added into the SA as selectors. When the gateway receives an ICMP packet, the HII contained in the SA is found in the SAD by the triple-set, which is composed of the SPI, the destination IP address and the IPSec security protocol contained in the ICMP packet. The IPSec VPN is designed according to the improved IPSec protocol. It works in the Windows operating system as a separate module, capturing the IP datagram, processing it to build a new IP datagram format, and then forwarding the datagram.
The improved protocol provides a satisfactory solution and has good compatibility with the original IPSec protocol without reducing its features.
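The lookup-and-rewrite step described in both abstracts, as an added example (not code from the thesis or its VPN module): it parses the IP header and first eight bytes quoted in an ICMP error, extracts the (destination address, protocol, SPI) triple for ESP or AH, looks it up in a constructed outbound SAD, and rebuilds the quoted header for the inner host. The SAD contents, host addresses and the upper-layer protocol selector are my assumptions; the thesis's selectors name only the host addresses and the source port.

```python
import struct
import ipaddress

IPPROTO_ESP, IPPROTO_AH = 50, 51
ICMP_ERROR_TYPES = {3, 4, 11, 12}   # these ICMP errors quote the offending IP header + 8 bytes
# Constructed outbound SAD: (tunnel dst, IPSec protocol, SPI) -> HII (final src host, final dst host,
# source port, as in the thesis) plus the upper-layer protocol, my own extra selector (an assumption).
SAD = {("198.51.100.2", IPPROTO_ESP, 0x1234): ("10.0.0.5", "10.1.0.7", 40000, 6)}

def checksum16(data):  # RFC 1071 ones'-complement sum, used for the IP header and the ICMP message
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def make_icmp_error(icmp_type, tunnel_src, tunnel_dst, proto, spi, seq=1):
    """Constructed ICMP error quoting a tunnel-mode ESP/AH packet (sample input, not real traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                     ipaddress.IPv4Address(tunnel_src).packed, ipaddress.IPv4Address(tunnel_dst).packed)
    first8 = struct.pack("!II", spi, seq) if proto == IPPROTO_ESP else struct.pack("!BBHI", 0, 4, 0, spi)
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + ip + first8

def sa_triple_from_icmp_error(icmp):
    """Extract (tunnel dst, IPSec protocol, SPI) from the quoted header, or None if not usable."""
    if len(icmp) < 36 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]
    ihl, proto, dst = (inner[0] & 0x0F) * 4, inner[9], str(ipaddress.IPv4Address(inner[16:20]))
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", inner[ihl:ihl + 4])[0]          # ESP header starts with the SPI
    elif proto == IPPROTO_AH:
        spi = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0]      # AH: next hdr, len, reserved, SPI
    else:
        return None
    return dst, proto, spi

def rewrite_icmp_error(icmp, sad):
    """Look up the HII by the SA triple; return (host to forward to, rewritten ICMP) or None."""
    hii = sad.get(sa_triple_from_icmp_error(icmp))
    if hii is None:
        return None                                   # no matching SA: drop, as an unmodified gateway does
    src_host, dst_host, src_port, upper_proto = hii
    hdr = bytearray(icmp[8:28])                       # quoted IP header, rewritten as the host sent it
    hdr[9], hdr[10:12] = upper_proto, b"\x00\x00"
    hdr[12:16], hdr[16:20] = ipaddress.IPv4Address(src_host).packed, ipaddress.IPv4Address(dst_host).packed
    hdr[10:12] = struct.pack("!H", checksum16(bytes(hdr)))
    body = bytearray(icmp[:2] + b"\x00\x00" + icmp[4:8]) + hdr + struct.pack("!HHI", src_port, 0, 0)
    body[2:4] = struct.pack("!H", checksum16(bytes(body)))   # only the source port of the quoted 8 bytes is known
    return src_host, bytes(body)
```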

  • 【CLC Number】TP393.04
  • 【Citations】3
  • 【Downloads】234

