
Research and Implementation of a High-Performance Virtual Private Network Based on a Network Processor

Research and Implementation of High Performance Virtual Private Network Based on Network Processor

[Author] Zhang Feng

[Advisor] Ye Chengqing

[Author information] Zhejiang University, Computer Science and Technology, 2003, PhD

[Abstract] As network applications grow ever richer, society depends on networks more heavily; the network has become the main medium for transmitting information, and the security of transmission, the confidentiality of information, and the authentication of information sources receive increasing attention. In an era of rapid network growth, next-generation network devices must offer both high-speed processing and easy programmability, so that a large number of new functions can be provided under a consistent software architecture. The network processor emerged to meet this need, and it will therefore become the core hardware of next-generation network devices. The research problem of this dissertation is the security of network information transmission based on a network processor. Part 1: The dissertation first analyzes the security of TCP/IP networks. On the basis of a comparison of the characteristics of security schemes at the network, transport and application layers, it describes the development trend of TCP/IP network security and argues that a security protocol implemented at the IP layer can meet the needs of many kinds of secure transmission and is also the main method for implementing virtual private network security. Part 2: The dissertation analyzes the IXP1200 network processor, a highly integrated general-purpose data processor. It provides high-performance parallel processing and is suited to a wide range of network communication settings. Application areas of the IXP1200 include multi-service switches, routers, and integrated platforms for service providers/carriers and the enterprise edge; core systems comprising multiple gigabit routers; VPNs, firewalls and intrusion detection systems; and VoIP gateways and web switching equipment. The application area of the IXP1200 studied in this dissertation is the VPN. Part 3: On the basis of an analysis of the data flow through the TCP/IP protocol stack, the dissertation proposes a software architecture for a virtual private network based on the IXP1200 network processor. This architecture can flexibly add new network service functions without affecting the original logical framework, thereby improving extensibility. All packets, whether forwarded or sent, pass through it. It can add security headers in either transport mode or tunnel mode, and the security services implemented within the architecture guarantee the security of datagram transmission. Part 4: The dissertation analyzes the IP security protocol, an open standards framework developed by the Internet Engineering Task Force (IETF). It guarantees the secure transmission of sensitive information over an open network such as the Internet. It operates at the network layer, protecting and authenticating the IP packets transmitted between devices that participate in the protocol (i.e., peers). The AH protocol authenticates IP packets, and the ESP protocol both authenticates and encrypts them. Through AH and ESP the following security services are provided: access control, connectionless integrity, data-origin authentication, replay-attack protection, confidentiality, and limited traffic-flow confidentiality. Part 5: Internet key authentication is an important measure for authenticating user identity. The dissertation adopts an extensible, public-key-based mechanism to build a hierarchical public-key distribution architecture. Part 6: Internet key management is a prerequisite for secure communication between users. The dissertation adopts the Internet Key Exchange protocol (IKE) and uses a finite state machine to describe the key negotiation process; a finite state machine gives an intuitive and concise model of a network protocol. The dissertation proposes an algorithm for dynamically detecting the liveness of the peer. Part 7: Security policy, an important component of the IP security protocol, defines security associations for two entities and protects the communication between them. The dissertation sets out the architecture of the security policy system and the definition and representation of security policies and security associations; it proposes a method for guaranteeing real-time updates of security policy in an active network, using the executability and computing power of mobile program code to update security policy quickly, securely and dynamically, ensuring consistency of security policy across VPN nodes with good scalability, and it gives a security analysis and a reliability argument for the protocol. This both avoids conflicts between the security policies of individual nodes and guarantees their consistency and timeliness. Finally, based on the above, the dissertation gives an overall survey of the virtual private network on the network processor and its overall framework, describes the processing model of the data plane in pseudocode, and divides the work among the microengines so that they cooperate effectively, with the aim of improving the performance of the whole system and extending it with new service functions.

[Abstract] The growth of Internet applications increases the demand for connectivity; the Internet has become the main medium of information propagation, and more and more attention is paid to the security and integrity of information transmission and to the authentication of information sources. As the Internet develops, next-generation network devices must be both high-performance and easy to program, so that many new network functions can be provided within the same software architecture. The network processor has emerged to meet this need and will become the core hardware of next-generation network devices. The research in this dissertation is the security of network information transmission based on a network processor. The dissertation analyzes the security of the TCP/IP protocol suite by comparing the characteristics of security schemes at the network, transport and application layers. We give the trend of this area and make the point that a network-layer security protocol fits the need for many kinds of secure transmission and is also the main method for constructing a virtual private network. The IXP1200 network processor is analyzed. The IXP1200 is an integrated data processor that provides high-performance processing and suits all kinds of network communication settings. Its applications include multi-service switches, routers, integrated platforms for service providers/carriers and the enterprise edge; core systems of multi-gigabit routers; virtual private networks, firewalls and intrusion detection systems; and VoIP gateways and web switching devices. The network-processor application studied in this dissertation is the virtual private network. An active computing element is adopted, which allows new network service functions to be added flexibly. The dissertation analyzes the data flow of the TCP/IP protocol stack and proposes a software architecture based on the IXP1200 network processor. New services are added as extensions of the architecture without impacting the original one. All data transmitted or received is processed by the architecture, and the security services in its security module protect packets in transit.
The IP security protocol is analyzed. It is an open standard framework established by the Internet Engineering Task Force that provides transmission security on the Internet. It is applied at the IP layer, where security protection and authentication are applied to IP packets: the AH protocol provides authentication for IP packets, and the ESP protocol provides authentication and privacy. The security services it provides include access control, integrity, authentication, replay-attack protection, privacy, and limited traffic-flow privacy. Authentication of Internet keys is an important measure for authenticating the identity of a user. The dissertation introduces an extensible public-key mechanism to construct a hierarchical public-key distribution architecture. Management of Internet keys is a necessary condition for secure communication; the dissertation introduces the Internet Key Exchange protocol to provide key management and uses a finite state machine to model the key exchange procedure, which gives a compact model of the network protocol. We provide a dynamic detection method to verify the liveness of the opposite peer, which can avoid network congestion. Security policy, which defines the security association that protects communication between two entities, is an important part of IPSec. This dissertation proposes an architecture for a security policy system and describes approaches for defining and representing security policies and security associations. A novel method is proposed to overcome the difficulty of refreshing security policy in real time in a traditional network framework, using the computing power of programs. It has high scalability when a VPN node joins the virtual private network.
When the security policy on the security policy server is modified, the modified policy is deployed to the VPN nodes securely and in real time, and it can

  • [Online publication submitter] Zhejiang University
  • [Online publication year and issue] 2004, No. 02