
Research And Design Of Hierarchically Switched VPN Architecture

Posted on: 2005-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: N Chen
Full Text: PDF
GTID: 2168360152469151
Subject: Computer system architecture
Abstract/Summary:
VPN technology based on the IPSec protocol provides secure network transport services such as identity authentication, data confidentiality, and integrity protection of data flows, and it plays an important role in the network security area. However, deploying a large number of VPN devices produces a mesh (reticular) structure, which ultimately makes VPN management complex.

To address the limitations of the mesh structure, the architecture of Hierarchically Switched VPN (HS_VPN) is proposed. It adopts new technologies such as tunnel switching and LVS, and it remains compatible with existing mesh deployments. An HS_VPN reference model is suggested that organizes all kinds of VPN devices into a hierarchy with the following characteristics: high availability, high performance and easy extensibility. A Diff-Serv mechanism is opened in the kernel of the system so that VPN QoS can be provided, i.e. a QoS-enabled VPN.

Based on the VPN application environment, a prototype of HS_VPN is proposed, with an NMS as the policy center, high-end VPN as the switching core, middle-end VPN as equipment nodes, and end-level VPN and desktop VPN as the boundaries; it offers users three-layer interconnection. The application of the prototype to the VPN system of a government network is worked through to demonstrate the prototype's feasibility.

Widely deployed NAT devices conflict with IPSec-based VPN devices. RSIP or UDP encapsulation can solve this problem. An ordinary end-to-end tunnel cannot support the case where NAT is present on both sides, which restricts the development of VPN applications. After analyzing the IPSec and NAT protocols, we solve these problems by offering two working modes of the switch VPN: encrypt/decrypt and IP encapsulation.

After comparing how typical QoS modes support VPN, we choose the Diff-Serv mechanism according to the characteristics of the hierarchy. By experimenting with and analyzing the latency of a QoS-enabled Hierarchically Switched VPN gateway, in comparison with traditional VPN gateways, it is found that the performance overhead of this new kind of VPN system is reasonable. To research QoS on VPN, we designed a Diff-Serv prototype on Linux IPSec and wrote several programs to test its QoS performance. The results show that implementing Diff-Serv on the VPN system to differentiate multimedia data from other traffic significantly improves the performance of multimedia applications in the VPN.
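The Diff-Serv-on-IPsec idea in the last paragraph depends on one mechanism: the gateway classifies the cleartext packet, marks its DS field, and copies that mark into the outer header of the tunnel-mode packet, so routers between gateways can prioritize ciphertext they cannot inspect. The following Python sketch, added here as an illustration and not code from the thesis or its prototype, simulates that path; the multimedia port range, the gateway addresses and the mock ESP header (no encryption, zero IP checksum) are constructed assumptions.

```python
import struct
import socket

# Constructed policy for this example: UDP flows to an assumed RTP port range
# are treated as multimedia and get Expedited Forwarding; all else is best effort.
MULTIMEDIA_UDP_PORTS = range(16384, 32768)
DSCP_EF, DSCP_BE = 46, 0
IPPROTO_ESP, IPPROTO_UDP = 50, 17

def ipv4_header(src, dst, proto, payload_len, dscp):
    """Minimal 20-byte IPv4 header; DSCP is the top six bits of the TOS byte.
    Header checksum is left zero: this illustrates marking, it does not send."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, (dscp & 0x3F) << 2, 20 + payload_len,
                       0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dscp_of(packet):
    """Read the DSCP field from the first byte pair of an IPv4 packet."""
    return packet[1] >> 2

def classify(inner):
    """Assign a DSCP to a cleartext inner packet from its transport header."""
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] == IPPROTO_UDP:
        dst_port = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
        if dst_port in MULTIMEDIA_UDP_PORTS:
            return DSCP_EF
    return DSCP_BE

def tunnel_encapsulate(inner, gw_src, gw_dst, spi=0x1000, seq=1):
    """Simulated IPsec tunnel-mode encapsulation with DS-field propagation:
    mark the inner packet per policy, prepend a mock ESP header (SPI, seq;
    no encryption here), then wrap it in an outer IPv4 header whose DSCP is
    copied from the inner header so Diff-Serv still applies to the ciphertext."""
    dscp = classify(inner)
    marked = bytes([inner[0], (dscp << 2) | (inner[1] & 0x03)]) + inner[2:]
    esp = struct.pack("!II", spi, seq) + marked
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp), dscp_of(marked))
    return outer + esp

def make_inner(src, dst, proto, dst_port, payload=b"x" * 20):
    """Constructed sample inner packet: IPv4 plus an 8-byte UDP or 20-byte TCP header."""
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return ipv4_header(src, dst, proto, len(l4) + len(payload), 0) + l4 + payload
```

Feeding `make_inner(..., IPPROTO_UDP, 20000)` and a TCP port-80 packet through `tunnel_encapsulate` yields outer DSCP 46 and 0 respectively, which is the separation the thesis measures between multimedia and other traffic.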
Keywords/Search Tags: IPSec, VPN, QoS, Diff_serv, tunnel switch