网络处理器平台下VPN系统的一体化设计

本文介绍了Intel IXP425的软件体系结构，分析了Linux下防火墙的netfilter框架，给出了防火墙策略和vpn策略在linux下的一体化表示方法，最后，对集防火墙、VPN、NAT功能为一体的vpn系统在IXP425下进行了一体化的设计。     

头部压缩技术在无线虚拟专用网中的应用研究

无线虚拟专用网技术解决了移动办公员工希望通过移动终端随时随地访问公司局域网的问题。但是用来实现VPN技术的IPsec安全机制引起了数据包的增大,这是在无线网络中所不希望看到的。针对该问题,研究传统的头部压缩机制只压缩外部IP头的不足,并提出应用头部压缩技术对IPsec数据包内外部IP头进行压缩的机制。该机制在IP数据包未进行ESP封装之前先运用IPHC算法进行IP头部压缩处理,然后再进行ESP封装,最后再对ESP封装的数据包的外部IP头和ESP头运用ROHC算法进行压缩处理。分析结果表明：该机制有效地减小数据包大小,从而降低无线虚拟专用网中的丢包率和传输代价。     

安全策略系统在虚拟组网环境下的应用研究

在网络信息安全领域中,对于端到端通信的安全性研究是非常必要的。文章提出端到端虚拟组网的思想,研究了IPsec、安全策略系统和虚拟组网技术,并将三者有机结合,设计出虚拟组网原型系统总体框架,介绍了系统的实现过程和关键技术。     

IPsec策略管理的研究

基于策略的管理是当前安全研究的热点问题之一。该文首先介绍IPsec策略的定义及冲突的原因,随后分析了对策略管理提出的要求,在此基础上提出了IPsec策略管理的一个通用框架,并对其中的关键部件给出了具体的解决方案,包括采用SPP协议进行网关和策略发现,使用Keynote信任管理系统进行策略的一致性检查。最后,讨论了当前研究存在的问题及今后的研究方向。     

IPv6安全问题的探讨与研究

本文分析了IPv6的国内外发展现状,对IPv6的特点和安全机制进行了详细叙述,最后提出了IPv6可能面临的安全问题。     

IP网上实现用户专用网接入

文章介绍了以本单位的IP over SDH为架构的在IP黉带网中利用流行VPN技术，采用Tunnel(隧道）实现安全，高速的集团用户虚拟专用网的接入。     

IPSec VPN与SSL VPN的比较分析

主要介绍了目前两种主流VPN技术：SSL VPN与IPSec VPN,从安全性、使用的复杂性以及可扩展性等几个方面对其进行了比较和分析,并归纳出这两种VPN技术各自适合的应用领域及发展趋势。     

基于负载均衡的高吞吐量IPsec VPN系统

为了解决连接网络型IPsec VPN随着用户接入增多、网络流量增大,而引起的响应时间延长、吞吐量降低的问题,提出一种高吞吐量IPsec VPN解决方案。在网关处组建服务器集群,利用特定的负载均衡策略,实现了对IPsec数据流的均匀分配。模拟实验结果表明,随着网络流量的增加,负载均衡技术可以一定程度减少IPsec VPN系统响应时间,提高系统的吞吐量。     

Mobile multi-layered IPsec

To achieve high throughput in wireless networks, smart forwarding and processing of packets in access routers is critical for overcoming the effects of the wireless links. However, these services cannot be provided if data sessions are protected using end-to-end encryption as with IPsec, because the information needed by these algorithms resides inside the portion of the packet that is encrypted, and can therefore not be used by the access routers. A previously proposed protocol, called Multi-layered IPsec (ML-IPsec) modifies IPsec in a way so that certain portions of the datagram may be exposed to intermediate network elements, enabling these elements to provide performance enhancements. In this paper we extend ML-IPsec to deal with mobility and make it suitable for wireless networks. We define and implement an efficient key distribution protocol to enable fast ML-IPsec session initialization, and two mobility protocols that are compatible with Mobile IP and maintain ML-IPsec sessions. Our measurements show that, depending on the mobility protocol chosen, integrated Mobile IP/ML-IPsec handoffs result in a pause of 53–100 milliseconds, of which only 28–75 milliseconds may be attributed to ML-IPsec. Further, we provide detailed discussion and performance measurements of our MML-IPsec implementation. We find the resulting protocol, when coupled with SNOOP, greatly increases throughput over scenarios using standard TCP over IPsec (165% on average). By profiling the MML-IPsec implementation, we determine the bottleneck to be sending packets over the wireless link. In addition, we propose and implement an extension to MML-IPsec, called dynamic MML-IPsec, in which a flow may switch between plaintext, IPsec and MML-IPsec. Using dynamic MML-IPsec, we can balance the tradeoff between performance and security. Heesook Choi is a Ph.D. candidate in the Department of Computer Science and Engineering at the Pennsylvania State University. She received her B.S. degree in Computer Science and Statistics and M.S. degree in Computer Science from the Chungnam National University, Korea, in 1990 and 1992 respectively. She was a senior research staff in Electronics and Telecommunications Research Institute (ETRI) in Korea before she enrolled in the Ph.D. program at the Pennsylvania State University in August 2002. Her research interests lie in security and privacy in distributed systems and wireless mobile networks, focusing on designing algorithms and conducting system research. Hui Song is a Ph.D. candidate in the Department of Computer Science and Engineering at the Pennsylvania State University, University Park. He received the M.E. degree in Computer Science from Tsinghua University, China in 2000. His research interests are in the areas of network and system security, wireless ad-hoc and sensor networks, and mobile computing. He was a recipient of the research assistant award of the Department of Computer Science and Engineering at the Pennsylvania State University in 2005. Guohong Cao received his BS degree from Xian Jiaotong University, Xian, China. He received the MS degree and Ph.D. degree in computer science from the Ohio State University in 1997 and 1999 respectively. Since then, he has been with the Department of Computer Science and Engineering at the Pennsylvania State University, where he is currently an Associate Professor. His research interests are wireless networks and mobile computing. He has published over one hundred papers in the areas of sensor networks, wireless network security, data dissemination, resource management, and distributed fault-tolerant computing. He is an editor of the IEEE Transactions on Mobile Computing and IEEE Transactions on Wireless Communications, a guest editor of special issue on heterogeneous wireless networks in ACM/Kluwer Mobile Networking and Applications, and has served on the program committee of many conferences. He was a recipient of the NSF CAREER award in 2001. Thomas F. La Porta received his B.S.E.E. and M.S.E.E. degrees from The Cooper Union, New York, NY, and his Ph.D. degree in Electrical Engineering from Columbia University, New York, NY. He joined the Computer Science and Engineering Department at Penn State in 2002 as a Full Professor. He is the Director of the Networking and Security Research Center at Penn State. Prior to joining Penn State, Dr. La Porta was with Bell Laboratories since 1986. He was the Director of the Mobile Networking Research Department in Bell Laboratories, Lucent Technologies where he led various projects in wireless and mobile networking. He is a Bell Labs Fellow. Dr. La Porta was the founding Editor-in-Chief of the IEEE Transactions on Mobile Computing and served as Editor-in-Chief of IEEE Personal Communications Magazine. He is currently the Director of Magazines for the IEEE Communications Society and is a member of the Communications Society Board of Governors. He has published over 50 technical papers and holds 28 patents. His research interests include mobility management, signaling and control for wireless networks, mobile data systems, and protocol design.     

面向IPsec安全策略的VPN性能评估模型

IPsec安全策略复杂的语义增加了IPsec VPN性能分析的难度,为了解决IPsec VPN性能分析过程中缺乏框架结构而无法保证评估有效性的问题,提出了基于IPsec安全策略的VPN性能评估模型。模型构建了可扩展的虚拟VPN环境,通过维护IPsec安全策略提高VPN性能的可控性,利用多线程并发控制实现数据的并行统计。最后通过实验验证了模型在VPN性能评估中的可靠性和可用性。