發(fā)布時間：2018-01-29 19:09

  本文關(guān)鍵詞： IPsec IKEv2 安全聯(lián)盟 ESP AH　出處：《西安電子科技大學(xué)》2015年碩士論文　論文類型：學(xué)位論文

【摘要】：隨著互聯(lián)網(wǎng)的發(fā)展,頻繁的網(wǎng)絡(luò)攻擊(如DOS攻擊等)給企業(yè)和用戶造成了不可估量的危害,因此網(wǎng)絡(luò)安全愈來愈引起大家的關(guān)注。為了從IP層來解決網(wǎng)絡(luò)安全的問題,在1998年IETF(Internet Engineering Task Force)公布了IPsec安全標(biāo)準(zhǔn),IPsec協(xié)議新標(biāo)準(zhǔn)為IP層及其上層的協(xié)議提供安全保障,包括:身份驗證、機(jī)密性以及密鑰管理等。安全聯(lián)盟是IPsec的關(guān)鍵,是成功建立IPsec安全隧道的前提條件。安全聯(lián)盟可以通過手工配置密鑰的方式進(jìn)行建立,但是對于大型的組網(wǎng)來說,因為節(jié)點比較多,使用手工配置密鑰的方式容易導(dǎo)致工作量大、出錯率高。IKE協(xié)議能夠為IPsec提供自動交換密鑰、建立安全聯(lián)盟的服務(wù),為IPsec的使用和管理提供方便,RFC2409中規(guī)定了早期IKE協(xié)議標(biāo)準(zhǔn),但由于該標(biāo)準(zhǔn)比較復(fù)雜,而且部分協(xié)議作用有限。因此,IETF于2005年發(fā)布了IKE的第二版本,該版本簡化了協(xié)商的過程、增強(qiáng)了安全性。本文提出基于IKEv2方式建立IPsec安全隧道的機(jī)制,在IKEv1設(shè)計框架的基礎(chǔ)之上,對協(xié)商消息的構(gòu)造、載荷的構(gòu)造以及報文重傳機(jī)制進(jìn)行更改,同時增加了SA重協(xié)商機(jī)制、Cookie-challenge機(jī)制。通過對以上的更改,使IKEv2具有更強(qiáng)的抗攻擊能力,密鑰交換能力更強(qiáng),報文交互數(shù)量較少等特點。本文設(shè)計并實現(xiàn)了利用IKEv2方式建立IPsec安全隧道的機(jī)制,參考開源程序openikev2,采用C編程語言,基于Linux平臺開發(fā)設(shè)計,并應(yīng)用在防火墻安全設(shè)備上,然后對IKEv2方式建立IPsec安全隧道進(jìn)行測試,測試結(jié)果表明IKEv2能夠完成IPsec安全隧道的建立,同等條件下相對于IKEv1具有更高的協(xié)商速率。
[Abstract]:With the development of Internet, frequent network attacks (such as DOS attacks) have caused immeasurable harm to enterprises and users. Therefore, network security has attracted more and more attention. In order to solve the problem of network security from IP layer. In 1998, IETF(Internet Engineering Task Force released the IPsec security standards. The new standard of IPsec protocol provides security for IP layer and its upper layer, including authentication, confidentiality and key management. Security alliance is the key of IPsec. Security alliance can be established by manually configuring the key, but for large network, because there are more nodes. It is easy to use manual configuration of key to lead to heavy workload. Ike protocol with high error rate can provide automatic key exchange for IPsec and set up security alliance service. In order to provide convenience for the use and management of IPsec, RFC2409 provides for the early IKE protocol standard, but because of the complexity of the standard, and part of the protocol function is limited. In 2005, IETF released the second version of IKE, which simplifies the negotiation process and enhances security. This paper proposes a mechanism to build IPsec secure tunnel based on IKEv2. Based on the design framework of IKEv1, the structure of negotiation message, the construction of load and the mechanism of message retransmission are changed, and the SA renegotiation mechanism is added. Cookie-challenge mechanism. Through the above changes, IKEv2 has a stronger ability to resist attacks, and the ability of key exchange is stronger. This paper designs and implements the mechanism of establishing IPsec secure tunnel by IKEv2, referring to open source program openikev2 and using C programming language. Based on Linux platform development and design, and applied to firewall security equipment, and then IKEv2 way to build IPsec security tunnel for testing. The test results show that IKEv2 can complete the construction of IPsec secure tunnel, and the negotiation rate is higher than that of IKEv1 under the same conditions.
【學(xué)位授予單位】：西安電子科技大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2015
【分類號】：TP393.08

【相似文獻(xiàn)】

相關(guān)期刊論文 前1條

1 葉潤國;范科峰;徐克超;蔡磊;;云安全聯(lián)盟安全信任和保證注冊項目研究[J];信息技術(shù)與標(biāo)準(zhǔn)化;2014年06期

相關(guān)碩士學(xué)位論文 前3條

1 張旭成;美國“亞太再平衡”戰(zhàn)略背景下的美澳安全聯(lián)盟研究[D];上海社會科學(xué)院;2015年

2 謝建豪;IPsec下IKEv2協(xié)議的研究與實現(xiàn)[D];西安電子科技大學(xué);2015年

3 肖波;基于IPSec協(xié)議的安全聯(lián)盟設(shè)計及其應(yīng)用[D];重慶大學(xué);2013年

，

本文編號：1474141