Improvement Of IPSec's Applications In Computer Network Communication

Posted on: 2006-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: X F Guo
GTID: 2168360155466349
Subject: Computer software and theory

Abstract/Summary:
As the information age approaches, information is becoming more important day by day, and the security of information is becoming an increasingly serious concern. As a mature technology, IPSec has been used in many kinds of information security products. FreeS/WAN is one such mature product on Linux. Other systems, such as UNIX and Microsoft operating systems, have similar IPSec products that users can configure to protect information in transit. (The development described in this article was done on Linux FreeS/WAN.)

This article researches IPSec on the following topics:

1. The cooperation between IPSec and NAT. IPSec is used to do encryption and authorization. These operations hide or transform IP addresses and (TCP, UDP) ports. At the same time, NAT has to translate IP addresses and (TCP, UDP) ports to perform its function. So where IPSec and NAT coexist, cooperation between them is an important issue. This article researches this topic and gives a design, and the design has been put into practice in network security products.

2. The use of IPSec in Mobile IP (MIP) network systems. A mobile IP host can move while exchanging information and is usually on a wireless link, so something must be done to fit these features. The mobile PC changes its delivery address from time to time. In the original IPSec application, a negotiation of an SA is necessary for each new IP address. In this situation, frequent negotiation causes long delays, and on wireless links the delay is especially serious. This article adopts a method of locating the SA in the SADB. In this way we sharply reduce negotiation while the communicating host is moving.

This article is organized as follows. The first chapter introduces IPSec's working theory, with emphasis on the parts related to NAT and IKE, including the IPSec process and the content of IKE. The second chapter introduces the problem that arises when IPSec and NAT are used together; the reason and a design are given in this chapter. The third chapter analyzes present mobile IP security products based on IPSec/VPN, describes their disadvantages in the MIP context, and then presents a design to improve them. This design simplifies the way IPSec locates the SA in the OS kernel. In this way the number of IKE negotiations is sharply reduced, communication delay is reduced, and communication efficiency is improved.

The paper contributes to the development of IPSec in the following ways:

1. By adopting two HASH calculations, this paper enhances the security of the IETF draft on IPSec NAT Traversal; the design has been implemented on a UNIX system.

2. By modifying the method of locating the SA in the operating system kernel, this article sharply reduces the number of IKE negotiations and improves the communication efficiency of IPSec/VPN-based Mobile IP system-...
Keywords/Search Tags:VPN (virtual private network), mobile IP, IKE (internet key exchange), NAT, HASH