
Design And Implementation Of The Interconnection Model Of LANs In Different Area Based On IPSec Protocol

Posted on: 2006-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: X He
GTID: 2168360152497878
Subject: Applied Mathematics

Abstract/Summary:
With the development of computer network technology and changing requirements, it is now common for one organization to have multiple LANs in different areas, and the problem of interconnecting those LANs is drawing more and more attention from researchers.

Current network interconnection technologies fall into two categories. First, private lines can be rented to interconnect the LANs within one organization. Although this guarantees information security and resource sharing, its high cost makes it difficult for small organizations to adopt. Second, LANs can be connected over the Internet. This reduces cost, but the organization's information resources are exposed to hidden risks because the Internet itself is not safe enough. Given the advantages and disadvantages of these two approaches, how to construct an interconnection model of LANs with low cost and high security is a problem to be solved.

To solve this problem, this thesis analyzes Virtual Private Network technologies and the IPSec protocols and constructs an interconnection model for LANs in different areas based on the IPSec protocols. The model consists of two parts. The first part, comprising the global policy database, the IKE modules and the user interface, is implemented at the application layer and is responsible for maintaining and negotiating policies. The global policy database stores and manages the security policies for data packets. The user interface allows policies to be modified manually. The IKE modules handle communication authentication, policy negotiation and the creation of security associations.

The other part is the core of the model and sits between the network layer and the network card driver. It is responsible for the IPSec processing of data packets and is composed of the encryption and authentication algorithm library, the IPSec management modules, the SPD and the SAD. The IPSec module processes data packets according to the fixed security policy. The algorithm library contains the encryption and authentication algorithms required by the system. The SPD and SAD are the concrete mappings of the global policy database. The SPD, which is built as a radix tree, locates the corresponding security associations according to selectors. The SAD is built as a hash table and stores the specific security associations. The SPD and SAD are linked by the Security Association Identifier (SAID). Based on this model, the thesis also describes the policy execution flow for processing inbound and outbound data packets.

The thesis analyzes the main techniques used during the development of the model and provides an example implementation of a security tunnel for the interconnection of LANs for the case where the security policy is already known. The example is implemented with the Windows 2000 DDK and analyzed with Sniffer Pro. It presents the construction process of a security tunnel based on an analysis of the packet capture results. The interconnection model proposed by this thesis enables LANs in different areas to communicate safely at relatively low cost, and the tunnel example provides a technical reference for implementing the model.
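The SPD radix tree and SAD hash table linked by the SAID, as described in the abstract, can be sketched as follows. This is an added example, not code from the thesis: all names are hypothetical, the only selector is the destination IPv4 prefix, and the NEED_IKE result marks the assumed point where the IKE modules would be asked to create the missing security association.

```c
#include <stdint.h>
#include <stdlib.h>
/* Added illustration; every name here is hypothetical, not from the thesis. */
typedef struct SpdNode { struct SpdNode *child[2]; uint32_t said; } SpdNode; /* said 0: no policy */
typedef struct Sa { uint32_t said, spi; struct Sa *next; } Sa;
enum { SAD_BUCKETS = 64 };
enum Verdict { NO_POLICY, NEED_IKE, PROTECT };
static SpdNode spd_root;      /* SPD: binary radix tree on destination bits */
static Sa *sad[SAD_BUCKETS];  /* SAD: chained hash table keyed by SAID */

/* Map a destination prefix (host byte order) of len bits to a SAID. */
int spd_add(uint32_t prefix, int len, uint32_t said) {
    SpdNode *n = &spd_root;
    if (len < 0 || len > 32) return -1;
    for (int i = 0; i < len; i++) {
        int bit = (prefix >> (31 - i)) & 1;
        if (!n->child[bit] && !(n->child[bit] = calloc(1, sizeof *n))) return -1;
        n = n->child[bit];
    }
    n->said = said;
    return 0;
}

/* Longest-prefix match: keep the SAID of the deepest matching node. */
uint32_t spd_lookup(uint32_t dst) {
    SpdNode *n = &spd_root;
    uint32_t best = n->said;
    for (int i = 0; i < 32; i++) {
        n = n->child[(dst >> (31 - i)) & 1];
        if (!n) break;
        if (n->said) best = n->said;
    }
    return best;
}
/* Store a security association under its SAID. */
int sad_add(uint32_t said, uint32_t spi) {
    Sa *sa = calloc(1, sizeof *sa);
    if (!sa) return -1;
    sa->said = said; sa->spi = spi; sa->next = sad[said % SAD_BUCKETS];
    sad[said % SAD_BUCKETS] = sa;
    return 0;
}
/* Outbound decision: SPD selector match, then SAD lookup through the SAID. */
enum Verdict outbound(uint32_t dst, Sa **out) {
    uint32_t said = spd_lookup(dst);
    *out = NULL;
    if (!said) return NO_POLICY;
    for (*out = sad[said % SAD_BUCKETS]; *out; *out = (*out)->next)
        if ((*out)->said == said) return PROTECT;
    return NEED_IKE;          /* policy exists, but no SA has been created yet */
}
```

A policy that matches while the SAD holds no entry for its SAID is the case worth handling explicitly, because silently forwarding such a packet would send it outside the tunnel.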
Keywords/Search Tags: LANs in different area, Virtual Private Network, IPSec protocol, a connection model of the LANs in different area, Network Driver Interface Specification