Management Of IPSec Policy Based On The CIM/KeyNote

Posted on: 2007-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: S L Guo
Full Text: PDF
GTID: 2178360185466321
Subject: Computer application technology
Abstract/Summary:
Policy-based IPSec key negotiation in the Internet environment must address three problems: how to describe security policy, how to resolve security policy conflicts between different entities, and how to handle user identification and authorization. However, the existing IPSec policy management mechanisms only provide a way to generate packet filtering rules at the network layer, without considering whether a given rule is permitted by the IPSec policy. They also cannot efficiently deal with the vital question of which policy should be considered during Internet Key Exchange (IKE) processing. These problems hinder the further promotion and deployment of IPSec.

Building on an analysis of the existing IPSec policy security mechanisms, the thesis introduces the concept of "trust management" into the management of IPSec security policy. Trust management adopts a unified security policy description language (assertions), which not only resolves the question of how to describe IPSec security policy but also unifies user identification and authorization. Trust management takes place during the IKE negotiation process. It receives credentials from an IPSec entity and, through policy compliance checking, verifies whether these credentials can be trusted, and so determines whether the requested actions are authorized and under what conditions they are permitted. This function is very useful for resolving conflicts between the policies of different IPSec entities. Based on this theory, the thesis develops an IPSec policy system based on KeyNote, which is an implementation of trust management.

In addition, in a distributed operating environment an IPSec policy management system must also address the following issues: how to store IPSec security policy, how each entity acquires its own IPSec security policy, how to communicate with a centralized policy server, and so on. To resolve these questions, the thesis also presents an IPSec policy management model based on CIM/WBEM and gives a preliminary implementation of it. This is a useful attempt at realizing a new, feasible IPSec policy management mechanism.
Keywords/Search Tags:Security policy, Trust management, Compliance checking, Action, Security association, Encapsulated Security Payload, Common Information Model