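Improvement and Application of IPsec in Satellite IP Networks
Published: 2018-04-04 09:54
Topic: satellite IP network; Focus: IPsec; Source: University of Electronic Science and Technology of China, master's thesis, 2014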
【Abstract】: As an extension of terrestrial IP networks, satellite IP networks have become an important part of current information infrastructure. Because a satellite IP network carries the TCP/IP protocol stack over a satellite channel, it inherits the inherent characteristics of that channel: a high error rate, long transmission delay, channel asymmetry, and broadcast. The first three characteristics have a substantial effect on TCP communication between terminal devices and cause TCP performance problems, while the broadcast characteristic and global coverage create security problems for satellite IP networks. IPsec is the Internet security framework proposed by the IETF. It provides standard, reliable, extensible, encryption-based security at the IP layer, including access control, data origin authentication, anti-replay protection, data integrity, and data confidentiality. It is currently the only security solution that can provide protection for any form of network communication, and the most complete and most easily extensible one. For the performance problems of TCP in satellite IP networks, the industry has mainly proposed two classes of performance enhancement techniques: end-to-end solutions and middleware-based solutions. The former can improve TCP performance in satellite IP networks to some extent, but cannot completely eliminate the effect of the satellite channel on TCP performance. The latter uses a performance-enhancing gateway and, by segmenting the TCP connection, can greatly improve TCP performance in satellite IP networks. For the security problems of satellite IP networks, the industry has mainly proposed multi-layer security protection schemes based on IPsec and schemes that replace IPsec with transport-layer security mechanisms. However, TCP performance enhancement based on a performance-enhancing gateway conflicts with the end-to-end nature of IPsec, and transport-layer security mechanisms have limitations in applicability and shortcomings in performance. Neither scheme can be applied effectively in satellite IP networks. This thesis therefore studies in detail current satellite IP network technology, IPsec technology, and the security solutions the industry has proposed for satellite IP networks, and proposes a new security solution for satellite IP networks based on an improved IPsec. First, to address the long delay and high bit error rate of satellite IP networks, a new key agreement protocol based on public-key cryptography is designed. Then, to accommodate TCP performance enhancement techniques while reducing the transmission efficiency of the satellite IP network as little as possible, the encapsulation mode and scope of IPsec are redesigned. Finally, to further improve the transmission efficiency of the satellite IP network, PMTU discovery and IPComp are introduced and adapted to the improved IPsec encapsulation mode. Based on this research and design, the thesis designs and implements a prototype IPsec gateway suitable for satellite IP networks, and tests and verifies its main functions and performance.
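【Degree-granting institution】: University of Electronic Science and Technology of China
【Degree level】: Master's
【Year degree granted】: 2014
【Classification number】: TN927.2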
Article ID: 1709443
Article link: https://www.wllwen.com/kejilunwen/wltx/1709443.html