Research and Improvement of NAT-T Based on the IPSec Protocol under a VPN Architecture
Published: 2018-02-24 09:45
Keywords: VPN, IPSec, NAT, NAT-T, IKE, UDP encapsulation. Source: Huaibei Normal University (淮北师范大学), 2014 master's thesis. Thesis type: degree thesis.
[Abstract]: In recent years, as IPSec and NAT have both come into ever wider use, the conflict between them has become increasingly prominent. Using IPSec together with NAT both improves the security of data communication between an intranet and the external network and addresses the scarcity and high cost of IPv4 addresses. However, the two technologies have inherent compatibility deficiencies in their respective architectures, transmission principles and protocol mechanisms. This thesis collects domestic and foreign theoretical and practical literature on IPSec/NAT compatibility, studies the IPSec and NAT technologies in depth, examines schemes for making IPSec and NAT work together along with the NAT-T mechanism, and proposes improvements to the NAT-T process.
1. The technologies relevant to this topic are studied: VPN applications, the IPSec security architecture and the NAT working mechanism. The aspects in which NAT and IPSec/IKE are incompatible, and the existing solutions, are analysed by way of the complex workflows involved, and the respective strengths and weaknesses of these methods are pointed out.
2. The first and second phases of the IKE negotiation mechanism are analysed in detail. On this basis, a secondary hash computation over the NAT-D payload is proposed to guarantee the integrity of IKE protocol data, which contributes to preventing eavesdropping and the interception and tampering of network data.
3. NAT-T traversal is improved using a trusted third party. The existing UDP-encapsulation scheme for IPSec/NAT compatibility must not only use the ESP encapsulation format but must also restrict which host initiates the IKE negotiation: the host that initiates IKE negotiation first must be located in the private network behind the NAT device. The root cause is that this mechanism is, in practice, one-way NAT-T traversal, i.e. the "IPSec-NAT-public network-IPSec" model. This thesis proposes a trusted-third-party improvement to NAT-T traversal that realises network communication in the "node-IPSec-NAT-public network-NAT-IPSec-node" model, while using a PKE certificate mechanism to improve the security of the communicating entities.
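As an added illustration of the baseline NAT-D mechanism that the thesis's second contribution builds on (this is example code, not code from the thesis): the RFC 3947 NAT-D payload value, HASH(CKY-I | CKY-R | IP | Port), and the receiver-side comparison that reveals which side of an IKE phase 1 exchange sits behind a NAT. The cookies and addresses are constructed for the example, and SHA-1 is assumed as the negotiated phase 1 hash; in a real exchange the hash is whichever algorithm phase 1 agreed on.

```python
import hashlib
import ipaddress
import struct
from typing import Dict, List, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed 4- or 16-byte address, Port is 2 bytes big-endian.
    The hash algorithm is the one negotiated in IKE phase 1; SHA-1 is an
    assumption made for this example.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    packed_ip = ipaddress.ip_address(ip).packed
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + packed_ip + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, remote: Addr, local_addrs: List[Addr]) -> List[bytes]:
    """Sender side: the first NAT-D payload hashes the peer's address as the
    sender sees it; the remaining ones hash each local address the sender
    might be sending from (all of them, since it cannot know which the NAT uses)."""
    payloads = [nat_d_hash(cky_i, cky_r, remote[0], remote[1])]
    for ip, port in local_addrs:
        payloads.append(nat_d_hash(cky_i, cky_r, ip, port))
    return payloads


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               observed_dst: Addr, observed_src: Addr) -> Tuple[bool, bool]:
    """Receiver side: recompute the hashes from the addresses actually seen on
    the wire and compare. Returns (sender_behind_nat, receiver_behind_nat).

    observed_dst: the receiver's own address/port the packet arrived at.
    observed_src: the source address/port the packet appeared to come from.
    A mismatch on the first payload means the receiver's address was rewritten
    on the way (receiver behind NAT); no match among the remaining payloads
    means the sender's address was rewritten (sender behind NAT).
    """
    if len(payloads) < 2:
        raise ValueError("need at least two NAT-D payloads")
    receiver_behind_nat = nat_d_hash(cky_i, cky_r, *observed_dst) != payloads[0]
    src_hash = nat_d_hash(cky_i, cky_r, *observed_src)
    sender_behind_nat = src_hash not in payloads[1:]
    return sender_behind_nat, receiver_behind_nat


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Two constructed scenarios: an initiator behind a NAT (the one-way case
    the thesis describes) and a direct connection with no NAT in the path."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    responder = ("203.0.113.10", 500)          # responder's real, public address
    initiator_private = ("192.168.1.20", 500)  # initiator's own address behind the NAT
    initiator_as_seen = ("198.51.100.5", 61000)  # source as rewritten by the NAT

    payloads = build_nat_d_payloads(cky_i, cky_r, responder, [initiator_private])
    return {
        # responder receives at its own address; the source was translated
        "initiator_behind_nat": detect_nat(cky_i, cky_r, payloads,
                                           observed_dst=responder,
                                           observed_src=initiator_as_seen),
        # no NAT: the source seen on the wire is the initiator's own address
        "no_nat": detect_nat(cky_i, cky_r, payloads,
                             observed_dst=responder,
                             observed_src=initiator_private),
    }


if __name__ == "__main__":
    for name, (sender_nat, receiver_nat) in demo().items():
        print(f"{name}: sender behind NAT={sender_nat}, receiver behind NAT={receiver_nat}")
```

Because the IKE cookies are part of the hashed input, a NAT-D payload is bound to one IKE session and cannot be replayed into another; what it does not provide is integrity protection of the payload itself within the exchange, which is the gap the thesis's secondary hash over the NAT-D payload aims to close.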
[Degree-awarding institution]: Huaibei Normal University (淮北师范大学)
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.04
Article ID: 1529790
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1529790.html