The Research And Implementation Of Group Security Association Management Protocol Of Multiple-Source Multicast Based On IPSec

Posted on: 2007-10-24
Degree: Master
Type: Thesis
Country: China
Candidate: L Li
GTID: 2178360182986491
Subject: Computer application technology

Abstract/Summary:
With the development of the Internet, a growing number of multimedia applications that need high bandwidth have caused heavy consumption of network bandwidth and network congestion. Multicasting is a method of data transmission that sits between unicasting and broadcasting. It provides a mechanism for 1-to-n or n-to-m communication, which efficiently saves bandwidth and decreases network load. Multicasting is therefore widely used in net-meeting, Internet audio/video broadcasting, AOD/VOD, stock market information publishing, multimedia distance education, CSCW cooperative computation, distance consultation, and so on.

IPSec provides a good solution to the security problem of unicasting, but because of its structure a multicast communication system is more vulnerable to attacks such as denial of service (DoS). A multicast communication system therefore has more security requirements, which include secrecy, group member identification, source identification, anonymity and integrity.

In this thesis, we first introduce the structure and security requirements of multicasting and several important components of IPSec, such as the security association, security policy, AH, ESP and IKE. Then we discuss GDOI, a group security association management protocol based on IPSec. We also analyze the security defects and management complexity of GDOI in a multiple-source multicast environment. On the basis of the GDOI protocol, we propose a new group security association management protocol, MGDOI, which can solve the source authentication, replay protection and DoS resistance issues in a multiple-source multicast environment. The mechanism of this new protocol is the allocation and management of SAs and the transmission of SPI through the double loop. Furthermore, we implement this protocol by modifying isakmpd in Linux, a daemon program for unicast key management.

Finally, using the network simulation program NS-2, we validate that the transmission delay of SPI data in our protocol meets practical requirements.
Keywords/Search Tags:multiple-source multicast, IPSec, MGDOI, double loop