高性能IPSec客户端软件设计与实现

发布时间：2018-03-11 23:00

本文选题：IPSec　切入点：IKEv2　出处：《西安电子科技大学》2014年硕士论文　论文类型：学位论文

【摘要】：VPN（Virtual Private Network，虚拟专用网）是一种在不安全的网络上建立安全、虚拟网络通道的技术，IPSec（Internet Protocol Security，互联网协议安全）是VPN技术的一种实现方式，其主要通过对IP数据包的加密与认证来确保IP数据包在传输过程中的安全性。随着网络技术的不断发展，接入企业用户的网络带宽已经从传统的十兆、百兆发展到千兆、万兆级别，而现有的Windows平台IPSec客户端软件由于自身设计等因素，在千兆网络环境下安全过滤带宽较低，造成了网络带宽的浪费。此外，由于Windows操作系统的不断升级，现有的IPSec客户端软件在新版本操作系统上普遍存在一定的兼容性问题。本文针对现有Windows平台IPSec客户端软件的不足，基于Windows内核网络过滤驱动与AES-NI（Advanced Encryption Standard-New Instruction，高级加密标准-新指令集）技术设计并实现了一款Windows平台高性能IPSec客户端软件。该软件主要分为用户层应用程序与内核层网络过滤驱动程序两个部分，其中用户层应用程序使用IKEv2（Internet Key Exchange，互联网密钥交换）协议与IPSec网关协商建立VPN通道；内核层针对不同的Windows操作系统版本分别使用NDIS IM（Network Driver Interface Specification Intermediate，网络驱动接口标准中间层）与WFP（Windows Filtering Platform，Windows过滤平台）两种内核网络过滤驱动框架实现了IPSec过滤驱动程序，其解决了IPSec实现过程中常见的MTU（Maximum Transmission Unit，最大传输单元）与大数据包分片等问题，并使用AES-NI技术对IPSec的处理进行加速。千兆以太网环境中测试结果表明，本文所实现的客户端软件能够满足实际的功能需求，借助于AES-NI技术将IPSec处理性能提升至500Mbps左右，，且具有良好的操作系统版本兼容性与稳定性。该软件目前已经成功部署于某部门使用，在近半年的使用过程中运行稳定、性能良好。
[Abstract]:VPN(Virtual Private Network (Virtual Private Network) is a kind of implementation method of VPN technology, which is to establish security on an insecure network, and the technology of virtual network channel is IPSec Protocol Security (Internet Protocol Security). With the continuous development of network technology, the network bandwidth of access enterprise users has developed from the traditional 10 megabytes, 100 megabytes to gigabytes. The existing IPSec client software of Windows platform, because of its own design and other factors, has low security filtering bandwidth in gigabit network environment, resulting in a waste of network bandwidth. In addition, because of the continuous upgrading of Windows operating system, The existing IPSec client software generally has some compatibility problems in the new version of the operating system. This paper aims at the deficiency of IPSec client software in existing Windows platform. Based on Windows kernel network filter driver and AES-NI(Advanced Encryption Standard-New structuring, advanced encryption standard-new instruction set), a high performance IPSec client software based on Windows platform is designed and implemented. The software is mainly divided into user layer application and kernel layer network. Two parts of the network filter driver, The user layer application program uses IKEv2(Internet Key Exchange (Internet key Exchange) protocol to negotiate with the IPSec gateway to establish the VPN channel. For different versions of Windows operating system, two kernel network filter driver frameworks, NDIS IM(Network Driver Interface Specification Intermediate (Network driver Interface Standard Intermediate) and WFP(Windows Filtering platform, are used to implement IPSec filter driver. It solves the problems of MTU(Maximum Transmission unit (maximum transmission unit) and large packet slicing in the process of IPSec implementation, and uses AES-NI technology to accelerate the processing of IPSec. The test results in gigabit Ethernet environment show that the client software realized in this paper can meet the actual functional requirements, and the processing performance of IPSec can be improved to about 500Mbps with the help of AES-NI technology. The software has been successfully deployed in some departments and has been running stably in the past half a year.
【学位授予单位】：西安电子科技大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.1

【参考文献】