Title: | Research on the Design and Implementation of Network-Layer Security |
Author: | 谢海永
|
Issued Date: | 2000
|
Major: | Computer Application Technology
|
Degree Grantor: | Institute of Software, Chinese Academy of Sciences
|
Place of Degree Grantor: | Institute of Software, Chinese Academy of Sciences
|
Degree Level: | Doctoral
|
Keyword: | network-layer security
; embedded systems
; internetworking devices
|
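Abstract: | At present, the Internet is undergoing rapid development, profoundly affecting people's way of life and the way society operates. However, the existing information infrastructure contains enormous security risks. From the moment the Internet first appeared, security has been a major problem troubling all Internet users. This thesis mainly discusses adding network-layer security mechanisms to the IPv4 protocol. The thesis analyzes the cost of implementing security mechanisms at each layer of the network and focuses on the feasibility of implementing the corresponding security mechanisms at the network layer; it then proposes a design approach with good portability, openness, and device independence, and describes the process of modifying the kernel network layer and implementing network-layer security on a specific operating system. The thesis is divided into five chapters that discuss the research and implementation of network-layer security. Chapter 1 analyzes the place of security problems in the development of networks and points out the feasibility and necessity of implementing security mechanisms at each layer of the network. Chapter 2 mainly analyzes solutions for implementing security mechanisms at the network layer and the network-layer security standards defined by the IETF. Chapter 3 presents the design and implementation of network-layer security on Linux, which consists of an IPSec virtual network device module, an IPSec kernel control interface module, an IPSec kernel security policy module, an encryption algorithm module, an authentication algorithm module, an IPSec debugging module, and an external IPSec management program module. Finally, it presents an analysis of the structure and performance of this implementation. Chapter 4 mainly describes a concrete application example of network-layer security, namely implementing network-layer security on an ISDN-Internet internetworking device as an example of realizing VPN technology, and then gives a performance analysis of this implementation. Chapter 5 focuses on summarizing the implementation of security mechanisms at the network layer and points out improvements and future directions. Chapter 6 is the concluding remarks. |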
English Abstract: | The Internet is now experiencing rapid growth, and international corporations, large companies, small companies, and personal users are all getting access to it; to make matters worse, most of them are making money from the Internet. Hence the problem: SECURITY. Security has been the most important problem since the Internet began to expand, and it has had a tremendous influence on all Internet users. This thesis mainly deals with how to solve most of the security problems neatly and simply in the network layer. As we know, security properties can be provided at different levels: security can be implemented from the highest level, which is the application and user level, down to the physical layer, e.g. Ethernet. The thesis is divided into several chapters as follows. The first chapter gives the background of network security problems and points out that there are next to no security mechanisms in the current, popular IPv4 implementations. It then explores the possibility and necessity of implementing security mechanisms at each level of the network. The second chapter deals with the implementation of security properties at the IP level, or network level. First, I introduce some simple ideas and realizations in this area. Then I describe the IP security standards in detail. Then comes the third chapter, which is the main body of the thesis. In this chapter, I make every effort to describe in detail how to implement IP security in a real operating system, i.e. Linux. To make it neat and easy to understand, I separate the system into several modules: the IPSec virtual device module, the IPSec kernel support/control interface module, the IPSec kernel security policy module, the IPSec cryptographic algorithms module, the IPSec authentication algorithms module, and the user-level IPSec management module. Only the last module resides and runs in the user space of the OS. The other modules are all kernel-space modules. After the details, I describe the performance analysis of the implementation and give some optimizations. In chapter 4, I apply the IP security system to an existing network environment, which consists of our test bed for network applications. It is an important application, since only in a simulated real-world network can I test the system's performance, bugs, and other properties. Chapter 5 draws the conclusion. It assesses the implementation in general, points out the defects of the current implementation described above, and indicates the future directions of the system. |
Language: | Chinese
|
Content Type: | Dissertation
|
URI: | http://ir.iscas.ac.cn/handle/311060/6938
|
Appears in Collections: | Institute of Software, Chinese Academy of Sciences
|
File Name/ File Size | Content Type | Version | Access | License |
LW002131.pdf(1519KB) | -- | -- | Restricted access | -- |
|
Recommended Citation: |
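谢海永. Research on the Design and Implementation of Network-Layer Security [D]. Institute of Software, Chinese Academy of Sciences. Institute of Software, Chinese Academy of Sciences. 2000-01-01.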
|