
Secure Multicast Access Control And Implementation

Posted on: 2011-08-10
Degree: Master
Type: Thesis
Country: China
Candidate: J Shang
Full Text: PDF
GTID: 2208360308466965
Subject: Computer software and theory

Abstract/Summary:
With the development of communication technologies, and especially the rapid spread of the Internet, many new applications have appeared, such as video conferencing, distributed systems and computer-supported cooperative work. Multicast (IP-layer multicast) is a new, highly efficient network transmission scheme proposed for these applications. In recent years, as multicast has continued to improve, multicast applications have also shown a sustained trend of expansion. However, because of the characteristics of multicast architectures, multicast traffic is more vulnerable to attack than unicast traffic. Existing multicast routing has difficulty guaranteeing security, so secure multicast remains an active research topic.

Securing IP multicast was not addressed while the IP multicast model was being specified. The underlying goal of the Internet Engineering Task Force (IETF) was to provide an open IP multicast model. This model provides public multicast addresses while keeping the receivers anonymous to their sources as well as to the multicast routers. In fact, the subnet multicast router does not maintain a host's identity after processing its membership request and does not transmit such an identity upstream in the delivery tree. Furthermore, any host can request traffic from, or send traffic to, any multicast group. Such options simplify the management of multicast groups and enable IP multicast to scale to large groups. However, this is achieved at the expense of introducing an important security hole in the multicast infrastructure: the lack of receiver and sender access control mechanisms for the delivery tree.

Against this background, this thesis is based on the national 863 project "end to end virtual circuit-based network security architecture", which adopts a new kind of network security computing model that uses an end-to-end virtual circuit mechanism for data transmission. An end-to-end virtual circuit runs from a port on the source node to ports on the target node; it is a channel for sending packets that is established by software. The end-to-end virtual circuit differs from the traditional virtual circuit in being port-related: it supports not only subnet resources but also the socket mechanism, and the access control module can further ensure security. The end-to-end virtual circuit network topology consists of the public network and a large number of unit area networks, each consisting of all the hosts within its region. The public network is composed of routers, which are divided by function into transmission routers and access control routers. Access control routers carry an end-system authentication and assessment subsystem to control end-system and user authentication/authorization. Only after passing user authentication and end-system security assessment can a terminal access a dynamic network.

Finally, based on the structure of the end-to-end virtual circuit, we design and implement SGMP (Security Group Management Protocol), in which the access control routers authenticate group memberships. Only the access control routers can accept host requests; transmission routers are responsible only for multicast data transmission. This ensures that malicious hosts cannot enter the multicast groups. ...
Keywords/Search Tags:end-to-end virtual circuit, SGMP, multicast, Security