IPsec-IKE的实现与测试方案设计

发布时间：2018-05-30 01:39

本文选题：IPsec + IKE　；参考：《西安电子科技大学》2014年硕士论文

【摘要】：随着网络的快速发展和普及,现如今人们越来越重视网络安全问题。为了更好的解决网络安全问题,人们提出了各种解决方案来满足网络安全需求。而IPsec协议作为一种网络安全协议,能够保障网络数据传输的安全,主动保护网络端到端之间的传输数据,防止VPN专用网络[1]的各种攻击(窃听、篡改、重放等攻击),简化了IP上层的安全处理,并且通用性强。本文主要对IPsec-IKE协议族进行了系统的研究与分析,并介绍了一阶段主模式,二阶段快速模式的IPsec-IKE的实现方法,以及IPsec-IKE测试方案的设计。IPsec不是一个单一的协议,而是由多个协议构成,它提供的一套完整且系统的安全体系结构,能够有效地保障数据在网络上安全传输。而参与提供这一体系结构的成员包括AH、ESP和IKE(其中AH和ESP提供安全保护,IKE用于交换密钥),同时还包括一系列认证加密算法。IPsec为IP层的数据报文提供四种安全服务,包括数据加密安全服务、数据完整性校验服务、数据的来源认证以及防止数据的重放攻击服务。在IPsec使用数据保护协议(AH或ESP)对一个IP数据报文进行封装保护前,必须先生成IPsec保护通道,即IPsec SA(IPsec安全关联)。IPsec SA的生成方式分为两种,一种是使用手工配置生成,另一种是使用IKE协议协商生成。IKE不仅可以自动生成IPsec SA,而且能够提供更高的安全性,它在协商过程中不仅会对协商报文进行加密、完整性验证、身份认证和防止拒绝服务攻击,更重要的是,它使用的DH算法,使报文在交互过程中只交换使用的密钥材料,而不会交换密钥本身,因此即使有人在中间截获了报文,也无法获取到加密的密钥,进而无法破解交互的报文。根据IKE自动方式建立IPsec通道,进行数据保护的实现方法,对其整个处理流程进行详细的分析论述。整个流程包括两个阶段,一阶段协商建立IKE SA,该阶段主要完成以下工作:对双方所使用SA策略的确认,密钥信息的交换,以及ID信息和验证信息的交换。一阶段的协商模式有两种,主模式和野蛮模式。二阶段的交换称之为快速模式交换,该交换用来完成IPsec SA的生成。当一阶段IKE SA协商建立后,后续的交互报文都要由IKE SA进行加密和认证。若后续收到的协商交互报文没有受到IKE SA的保护,那么这些报文将被直接丢弃,不予处理。本文介绍的IPsec-IKE实现方法是针对一阶段使用主模式交换方式,二阶段使用快速模式交换方式的,详细分析了该实现方法中通信双方身份的协商确认过程,协商报文的构造方法以及对协商报文的处理过程,并结合其功能特性以及支持的测试组网进行了测试方案的设计,能够有效的帮助测试执行人员对IPsec-IKE有一个深入的了解。
[Abstract]:With the rapid development and popularization of network, people pay more and more attention to network security nowadays. In order to solve the problem of network security better, people put forward various solutions to meet the needs of network security. As a kind of network security protocol, IPsec protocol can guarantee the security of network data transmission, protect network end-to-end transmission data actively, and prevent all kinds of attacks (eavesdropping, tampering) of VPN private network. Replay and other attacks, simplify the IP upper layer of security processing, and strong versatility. This paper mainly studies and analyzes the IPsec-IKE protocol family, and introduces the IPsec-IKE implementation method of one stage main mode, two stage fast mode, and the design of IPsec-IKE test scheme. IPsec is not a single protocol. It provides a complete and systematic security architecture, which can effectively guarantee the secure transmission of data over the network. The members involved in providing this architecture include AH ESP and Ike (where AH and ESP provide security protection and Ike for key exchange, and a series of authentication encryption algorithms. IPsec provides four kinds of security services for IP layer data packets. Data encryption security services, data integrity verification services, data source authentication and protection against data playback attack services. Before IPsec uses data protection protocol (AH or ESP) to encapsulate an IP data packet, it is necessary to generate a IPsec protection channel, that is, IPsec SA(IPsec security association. IPsec SA can be generated in two ways, one is to use manual configuration to generate it. The other is that using IKE protocol negotiation generation. Ike can not only automatically generate IPsec SAs, but also provide higher security. In the negotiation process, it not only encrypts negotiation packets, integrity authentication, authentication and prevent denial of service attacks, More importantly, the DH algorithm it uses makes the message exchange only the key material used in the process of interaction, not the key itself, so that even if someone intercepts the message in the middle, they cannot obtain the encrypted key. Then the interactive message can not be deciphered. According to the IKE automatic way to establish the IPsec channel, to carry on the data protection realization method, to its entire processing flow carries on the detailed analysis and discussion. The whole process consists of two stages, one stage is to negotiate the establishment of IKE, and the main tasks are as follows: the confirmation of SA strategy used by both parties, the exchange of key information, and the exchange of ID information and verification information. There are two modes of negotiation in one stage, the main model and the barbaric model. Two-stage switching is called fast mode switching, which is used to complete the generation of IPsec SA. After one stage of IKE SA negotiation is established, the subsequent interactive packets must be encrypted and authenticated by IKE SA. If the subsequent negotiation interaction messages are not protected by IKE SA, these packets will be discarded directly and not processed. The IPsec-IKE implementation method introduced in this paper is aimed at the main mode switching mode in one stage and the fast mode exchange mode in the second stage. The negotiation and confirmation process of the identity of the communication parties in this implementation method is analyzed in detail. The construction method of negotiation packets and the process of processing negotiation packets, and the design of test scheme combined with its functional characteristics and supported test networking, can effectively help test executors to have a deep understanding of IPsec-IKE.
【学位授予单位】：西安电子科技大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【共引文献】