Similar literature
20 similar documents found
1.
吴松洋, 谭成翔. Journal of Computer Applications (《计算机应用》), 2007, 27(9): 2197-2199
To solve the problem of secure cross-domain VPN access between mobile networks and fixed IP networks, a new mobile security system based on IPSec VPN is proposed and implemented. Building on IPSec-based virtual private network technology and remote access services, the system establishes a complete identity authentication mechanism based on smart cards and X.509 certificates, and provides a unified security information service platform. Experimental results show that the system seamlessly extends fixed-network information security to mobile users.

2.
A Mobile IP Secure Network Model Based on VPN/IPSec   Cited 2 times (self-citations: 0, by others: 2)
李昀, 李伟华. Computer Engineering (《计算机工程》), 2002, 28(12): 12-13, 92
Taking into account the various characteristics and special security requirements of mobile networks, a VPN/IPSec-based mobile IP secure network model is proposed. The model offers strong mobility, flexibility and extensibility; by combining VPN, IPSec and firewall technologies and using authentication and encrypted tunnels, it achieves a high degree of security and reliability.

3.
To allow mobile users to maintain network communication while changing access networks, and to provide security protection for mobile nodes, IPSec-based Mobile IPv6 functionality is designed and implemented on top of an existing IPv6 router. The paper describes the design and implementation of secure Mobile IPv6 and discusses in detail the main design difficulties: interception and forwarding of data by the Mobile IPv6 router, and protection of Mobile IPv6 with IPSec.

4.
Encapsulating data in mobile networks with IPSec is an effective way to secure wireless transmission. This paper proposes a fast-handover model for mobile IPSec, which reduces the complexity of handover between IPSec and Mobile IP by cutting the overhead of rebuilding IPSec tunnels when a mobile node switches links. The model is formalized with Petri nets, and its feasibility is verified with a Petri net analyzer. Two attacks to which a mobile node is vulnerable during link handover, denial-of-service and replay attacks, are also analyzed; each attack process is modeled, and the fast-handover model is verified to defend against both.

5.
To implement access control for mobile nodes in Mobile IPv6, the use of the Diameter AAA protocol on the Linux platform for authorization, authentication and accounting is proposed. To ensure the confidentiality, consistency and integrity of messages exchanged between mobile nodes, FreeS/WAN is used on the mobile nodes to establish security associations (SAs). This integrated solution combines the AAA protocol with the network-layer security protocol IPSec, effectively providing access control and information security for mobile nodes moving between administrative domains.

6.
洪帆, 洪亮, 付才. Computer Science (《计算机科学》), 2005, 32(11): 20-24
A mobile ad hoc network is a new type of wireless mobile network characterized by the absence of a central node, self-organization, frequent topology changes and open communication channels, so the security problems faced by its routing protocols are more severe than in wired networks. The OLSR (Optimized Link State Routing) protocol was published as RFC 3626 in 2003. It assumes that all nodes in the network are friendly and non-malicious, and that security can be handled by IPSec. However, OLSR communication usually takes the form of one-to-many broadcasts, whereas IPSec is a security solution for end-to-end communication, so IPSec alone cannot fully solve OLSR's security problems. OLSR also has weaknesses in its own mechanisms; a malicious node that exploits them can prevent the routing protocol from working and thereby disrupt the whole network. Based on a security analysis of OLSR, this paper improves the protocol by strengthening its definition of the neighbor relationship, introducing wormhole detection and identity authentication mechanisms, and adding security fields to protocol messages. The result is a secure link-state routing protocol, SOLSR, that ensures the normal operation of routing in mobile ad hoc networks.

7.
张鑫, 杨晓元, 朱率率, 杨海滨. Journal of Computer Applications (《计算机应用》), 2016, 36(11): 3108-3112
Mobile nodes in wireless sensor networks (WSNs) lack trustworthiness verification, so a trusted access authentication protocol for mobile nodes in an Internet of Things (IoT) environment is proposed. When a mobile sink node authenticates with a sensor node, the sensor node and the mobile node complete mutual identity authentication and key agreement, and the sensor node also verifies the platform trustworthiness of the mobile node. The authentication mechanism is based on trusted computing technology; the concrete steps of access authentication are given, and the whole process requires no participation of the base station. Anonymity of the mobile node is achieved using pseudonyms pre-stored on the node and the corresponding public/private key pairs, and a security proof is given in the CK (Canetti-Krawczyk) model. In terms of computational cost, compared with similar mobile-node access authentication schemes, the protocol's fast authentication makes it better suited to IoT environments.

8.
IPSec is an open standards framework developed by the Internet Engineering Task Force (IETF). It provides security guarantees for transmitting sensitive information over unprotected networks such as the Internet. It operates at the network layer, protecting and authenticating IP packets transmitted between IPSec-participating devices (peers). This paper studies the IPSec architecture and, on that basis, the way IPSec is implemented in routers.

9.
Mobile VPN systems based on the IPSec protocol provide a feasible solution for remote access by mobile terminals, but ordinary IPSec identity authentication does not consider the integrity and trustworthiness of the mobile terminal system, leaving security holes on the terminal and putting the accessed system and information at risk. To address this problem, a mobile IPSec VPN system supporting trusted authentication is proposed, together with its architecture and key technologies. Beyond the security functions of an ordinary IPSec VPN, the system adds composite authentication combining multi-factor authentication with trust attestation, and trust-based dynamic access control. A prototype implementation, performance test and analysis show that, while keeping the time cost under reasonable control, the system effectively ensures trusted access of terminals, secure and reliable data transmission over the communication channel, security of resources in the accessed network, and the availability and manageability of application services.

10.
Analysis and Application of the IPSec Network Security Standard   Cited 1 time (self-citations: 0, by others: 1)
IP security is an important part of securing the Internet, and IPSec provides the security standard for networks. Starting from the IPSec security architecture, this paper analyzes in detail the standards defined for IPSec processing of IP packets, including the security protocols, authentication and encryption algorithms, security associations and key exchange mechanisms; compares the two IPSec operating modes; and presents a typical application of building a virtual private network (VPN) on IPSec.

11.
ABSTRACT

Recent advances in mobile computing and wireless communication technologies are enabling high mobility and flexibility of anytime, anywhere service access for mobile users. As a result, network connections of such users often span heterogeneous networking environments consisting of wired and wireless networking technologies. Both network heterogeneity and user mobility make securing data transmission over heterogeneous networks challenging and complex. In this paper, we focus on the challenge of providing secure end-to-end network transmissions to wireless mobile users. To minimize service interruption during ongoing secure sessions of mobile users, we present the design and implementation of an approach based on the well-known Internet Protocol Security (IPSec) standard. We conducted a performance evaluation of our implementation using a Voice over IP (VoIP) application over an actual network testbed. Our empirical performance results demonstrate a packet loss improvement of 17% to 34% (for various VoIP packet sizes) and a handoff delay improvement of almost 24%, validating the high efficiency of our proposed approach.

12.
ABSTRACT

Link local communication is one of the predominant components and intrinsic features of Internet Protocol Version 6 (IPv6) networks. IPv6 nodes utilize link local communication for ascertaining the presence of other nodes on the link, for resolving their link local addresses, and for determining the reachability information of the other nodes. To achieve link local communication, IPv6 nodes employ the services of the Neighbor Discovery Protocol (NDP). The protocol also forms the fundamental core of IPv6 mobile communication, enabling multihop communication. NDP presumes that the network consists of trusted nodes; however, with the advent of public unsecured wireless networks, any random node with minimal authentication can attach itself to the link and launch various attacks. In the case of NDP Stateless Address Auto Configuration (SLAAC), there is no central address configuration server, which makes the process vulnerable to denial-of-service (DoS) attacks on duplicate address detection (DAD). Also, in the case of the NDP address resolution process, man-in-the-middle (MITM) attacks can be launched, whereby the attacker impersonates a legitimate node's address. Thus, access to the link can be obstructed and network traffic can be redirected without the knowledge of users. To address these problems, the Internet Engineering Task Force (IETF) proposed the use of cryptographically generated addresses (CGAs), which are an intrinsic element of the Secure Neighbor Discovery (SEND) protocol. The use of CGAs ensures message integrity, authentication, and address impersonation mitigation, but at the cost of higher computation and resource utilization. This article proposes some novel approaches for securing IPv6 link layer communication operations. These techniques are implemented programmatically to protect IPv6 DAD against DoS and to mitigate MITM attacks, and are used as an alternative to CGAs and the SEND protocol.

13.
A Burst Detection Algorithm for DoS/DDoS Attack Traffic in IPv6   Cited 1 time (self-citations: 0, by others: 1)
IPSec, the security architecture under IPv6, plays a role in securing IPv6 networks, but it is powerless against certain attacks such as flooding DoS/DDoS attacks. By analyzing the traffic characteristics of flooding DoS/DDoS attacks in IPv6, this paper studies the application in IPv6 of a DoS/DDoS detection algorithm based on sudden changes in network traffic, and verifies the algorithm's effectiveness and feasibility with Matlab and NS-2 respectively. The results show that the burst-traffic detection algorithm works well in the IPv6 environment.

14.
Implementation and Security Analysis of an IPSec-Based Virtual Private Network   Cited 1 time (self-citations: 0, by others: 1)
As the network-layer security protocol suite, IPSec is an important means of implementing VPNs. Under Linux, IPSec can be implemented conveniently by modifying part of the networking code. This paper describes the structure and implementation of an IPSec-based VPN system and analyzes its security.

15.
Because of the high node mobility, dynamically changing topology and constrained movement trajectories of vehicular ad hoc networks (VANETs), multi-hop broadcast has become one of the effective means of inter-vehicle communication in VANETs. Moreover, since evaluating VANET performance directly in real environments is very difficult, simulation has become an effective research tool. This paper first analyzes the network structure of VANETs, then discusses the state of development of broadcast protocols and analyzes typical broadcast protocols. It then reviews the state of VANET mobility model simulation, focusing on analyzing and comparing the characteristics of current traffic simulators and network simulators. Finally, future directions for VANET simulators are discussed.

16.
The ability of VPNs to connect globalized enterprises has attracted growing attention. As the network-layer security protocol family, IPSec is an important means of implementing VPNs. Addressing problems in existing IPSec VPN systems, this paper proposes and implements a Linux-based IPSec VPN gateway system supporting multi-path load balancing. The system uses the hook mechanism of the Netfilter framework to integrate IP-layer processing, IPSec processing and multi-path load balancing, so that traffic between VPN gateways is distributed sensibly across multiple links, improving the performance and reliability of the VPN system.

17.
In traditional networks, special effort is put into securing the perimeter with firewalls: particular routers that analyze and filter the traffic to separate zones with different levels of trust. In wireless multi-hop networks the perimeter is a concept that is extremely hard to identify; thus, it is much more effective to enforce control on the nodes that will route more traffic. But traffic filtering and traffic analysis are costly activities for the limited resources of mesh nodes, so a trade-off must be reached by limiting the number of nodes that enforce them. This work shows how, using the OLSR protocol, the centrality of groups of nodes with respect to traffic can be estimated with high accuracy independently of the network topology or size. We also show how this approach greatly limits the impact of an attack on the network using a number of firewalls that is only a fraction of the available nodes.

18.
黄俊, 韩玲莉. Computer Engineering (《计算机工程》), 2007, 33(12): 185-187
Configuring IPSec security policies is a complex and error-prone task. To address this, a general framework model is proposed that uses ordered binary decision diagrams (OBDDs) to provide comprehensive identification and classification of IPSec security policy conflicts; based on this framework, a set of techniques is developed for discovering intra-policy conflicts during general IPSec policy configuration. Experimental tests demonstrate the effectiveness of the framework and techniques in discovering and resolving policy conflicts.

19.
This paper proposes a hybrid method combining fingerprint identification with machine learning to identify IPSec VPN encrypted traffic. The method first filters IPSec VPN traffic out of network traffic based on payload features; then, using time-related flow features, it builds an IPSec VPN traffic classification model with the random forest algorithm. Through parameter tuning and feature selection, the overall traffic identification accuracy reaches 93%. Experimental results verify the feasibility of identifying IPSec VPN traffic with machine learning on extracted flow features, and show that the method effectively balances identification accuracy and speed, achieving efficient identification of IPSec VPN encrypted traffic.

20.
Computer Networks, 2008, 52(6): 1291-1307
The possibility of adding multiprotocol label switching (MPLS) support to transport networks is considered an important opportunity by telecom carriers that want to add packet services and applications to their networks. However, the question arises whether it is suitable to have MPLS nodes just at the edge of the network to collect packet traffic from users, or to also introduce MPLS facilities on a subset of the core nodes in order to exploit packet switching flexibility and multiplexing, thus inducing a better bandwidth allocation. In this paper, we propose a mathematical programming model for the design of two-layer networks where MPLS is considered on top of transport networks (SDH or WDM depending on required link speed). Our models take into account the tradeoff between the cost of adding MPLS support in the core nodes and the savings in the link bandwidth allocation due to the statistical multiplexing and the traffic grooming effects induced by MPLS nodes. The traffic matrix specifies for each point-to-point request a pair of values: a mean traffic value and an additional one. Using this traffic model, the effect of statistical multiplexing on a link allows allocating a capacity equal to the sum of all the mean values of the traffic demands routed on the link plus only the highest additional one. We propose a path-based Mixed Integer Programming (MIP) model for the problem of optimizing the number and location of MPLS nodes in the network and the link capacities. We apply Lagrangian relaxation to this model and use the subgradient method to obtain a lower bound on the network cost. As the number of path variables used to model the routing grows exponentially with the graph size, we start with a limited number of variables and use a column generation approach. We also introduce a heuristic approach to obtain a good feasible solution. Computational results are reported for small-size and real-world instances.
