
Research Of Security Architecture Of IP Layer And Its Practice

Posted on: 2004-04-22
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X L Tan
Full Text: PDF
GTID: 1118360122965418
Subject: Applied Mathematics
Abstract/Summary:
The TCP/IP protocol suite is widely used in the IP-based information society, but its openness gives rise to many security problems. This dissertation presents a security architecture model for the IP layer and describes practice under that model.

First, the author analyzes typical attacks on TCP/IP and summarizes the vulnerabilities and threats of the IP layer, which form the basis of the following chapters.

After reviewing the history of IP-layer security architecture (IPSO, swIPe and IPv6), the author introduces and analyzes IPSec, the current de facto standard for IP security, in depth and lists the problems and flaws that exist in IPSec. The author points out that, after adding a compression step and changing the contents covered by authentication, ESP in tunnel mode can be used alone, without the other three modes.

IPSec does not work smoothly with NAT or multicast, and it does not solve the QoS problem. Addressing these issues, in combination with the national 863 high-tech project, the author puts forward the following in the research on the IP-layer security architecture model: for IPSec with NAT, a scheme of UDP encapsulation, configuring the IPSec tunnel by DHCP, and substituting ESP NULL encapsulation for AH; for IPSec with multicast, that IPSec security processing using ESPv3 and AHv2, combined with key management based on a complete binary tree, can cooperate smoothly with multicast in multicast environments; for QoS, a scheme of two-level classification and two-level scheduling with an encryption scheduler and a forwarding scheduler. The author also points out that combining IPSec with PKI makes IPSec more flexible and more practical.

Based on the preceding research, the author analyzes the security risks of the IP layer. Referring to the OSI security architecture, the author gives the security architecture of TCP/IP and proposes which security services and security mechanisms should be employed in the IP layer. The author then puts forward the security architecture model of the IP layer. Using this model, the author answers the question of what security processing should be applied in the IP layer, which is of great importance to IP-layer security practice.

In combination with research projects sponsored by the national tenth five-year plan cryptography development fund, the author applies this IP security architecture model to the design of a high-speed (1000M) IP-VPN device. In the design of this device the author proposes a multi-system streamline parallel processing structure (MSSPPS), which is shown to be effective and correct both in theory and in practice. The dissertation also introduces the concept of a no-overlap-rule table, puts forward a sparse-based ACL searching method for configuring security rules in the IP-VPN device, and finally discusses ACL searching algorithms.
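The multicast key-management idea mentioned above (a complete binary key tree) can be illustrated with the standard logical key hierarchy construction. The Python below is an added example written for this page, not code from the dissertation; it assumes the usual tree rules (each member holds the keys on its leaf-to-root path, and on a leave every key on that path is replaced and multicast encrypted only under keys the leaver never held) and a member count that is a power of two.

```python
import math

# Heap indexing: root = 1, children of i are 2i and 2i+1, leaves are n_leaves..2*n_leaves-1.
# A key is (node, version); bumping the version models replacing that key.

def build_tree(n_members):
    """Complete binary key tree big enough for n_members; every key starts at version 0."""
    depth = max(1, math.ceil(math.log2(n_members)))
    n_leaves = 2 ** depth
    return n_leaves, {i: 0 for i in range(1, 2 * n_leaves)}

def path_keys(n_leaves, keys, member):
    """Keys a member holds: one per node on the path from its leaf up to the root."""
    node, held = n_leaves + member, set()
    while node >= 1:
        held.add((node, keys[node]))
        node //= 2
    return held

def rekey_on_leave(n_leaves, keys, leaver):
    """Replace every key on the leaver's path (bottom-up). Returns the rekey
    messages as (new_key, encrypting_key) pairs; the leaver's leaf key is dropped."""
    messages = []
    leaf = n_leaves + leaver
    child, node = leaf, leaf // 2
    while node >= 1:
        keys[node] += 1
        new_key = (node, keys[node])
        sibling = child ^ 1
        # The sibling subtree never shared keys with the leaver: its key is unchanged
        # and unknown to the leaver, so it can carry the new key to that subtree.
        messages.append((new_key, (sibling, keys[sibling])))
        if child != leaf:
            # Members under `child` got child's new key in the previous message;
            # the leaver never receives it, so it is safe to encrypt under it.
            messages.append((new_key, (child, keys[child])))
        child, node = node, node // 2
    return messages

def recover_keys(held, messages):
    """Simulate a receiver: decrypt each message whose encrypting key it holds.
    Messages are processed in the order sent (bottom-up), so a freshly learned
    child key can unlock the parent key in a later message."""
    held = set(held)
    for new_key, enc_key in messages:
        if enc_key in held:
            held.add(new_key)
    return held
```

With eight members (a three-level tree), removing one member costs five multicast rekey messages rather than one unicast to each of the seven remaining members, and the leaver can decrypt none of them.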
Keywords/Search Tags: Vulnerability, Threat, Multicast, IP Security, Virtual Private Network, Intrusion Detection, Internet Key Exchange, Network Address Translation, Virus, Firewall, Quality of Service, Multi-System Streamline Parallel Process Structure