
Research And Implementation Of Crypto IP Encapsulation Of IPv4 And IPv6 Network Based On Linux

Posted on: 2008-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: S Yan
Full Text: PDF
GTID: 2178360215453407
Subject: Computer application technology
Abstract/Summary:
As IPv6 adoption continues, the transition produces increasingly mixed network structures: some networks support only IPv4, some only IPv6, and others both. This complicates communication between hosts on different networks, and it particularly affects the companies, organisations and individuals who rely on VPN technology for security. A VPN uses encryption and authentication to build a secure, private tunnel over a public network; it extends an enterprise's internal network and lets remote users, branch offices, and the internal networks of business partners and suppliers establish trusted, secure connections with assured data transmission. How, then, can VPN technology be used to transmit data securely across such mixed networks? That is the problem this thesis studies and solves. The solution proposed here is to place a VPN router in the IPv4/IPv6 network that maintains an IPv4 connection to the IPv4 VPN router and an IPv6 connection to the IPv6 VPN router. Whatever the IPv4/IPv6 VPN router receives on one connection, whether a normal data packet or a key-exchange packet, it passes to the other connection; its function is to convert between the two VPN connections. The thesis implements secure communication between hosts in such mixed networks on top of CIPE, a VPN implementation for Linux.
Normally CIPE encrypts packets with a symmetric cipher, encapsulates them in UDP and sends them through the ordinary UDP path. For key management CIPE has its own key-exchange protocol, in which the keys being negotiated (the ones later used to encrypt data) are themselves encrypted with either a symmetric or an asymmetric algorithm. Unfortunately CIPE supports neither IPv6 nor any authorization mechanism. How does CIPE work? Its kernel module implements a pseudo network interface together with the interface's "send" operation and a number of ioctl commands. The interface's "send" encrypts the original IP packet, encapsulates it in UDP according to the CIPE protocol and sends it out. The CIPE daemon creates a UDP socket and attaches it to the network interface with a custom ioctl command. When the socket is attached, the kernel module replaces the socket's original "read" and "write" operations with custom ones. The new "write" encrypts key-exchange datagrams and then sends them by calling the socket's original "write". The new "read" decrypts each received datagram: if the plaintext is an original IP packet, it is handed to the IP layer of the protocol stack; if it is a key-exchange datagram, it is passed up to the daemon through the socket's original "read". After attaching the socket, the daemon reads from it repeatedly in blocking mode until a fatal error occurs, and whenever it receives a key-exchange datagram it may in turn send a key-exchange packet as the CIPE key-exchange protocol dictates.
In summary, key-exchange datagrams are sent through the custom "write" of the attached socket, original IP packets are sent through the interface's "send", and both kinds are received through the "read" of the attached socket. Because encryption and decryption both take place inside the Linux kernel, security is improved. The reworked CIPE supports both IPv4 and IPv6 as the encapsulated protocol, and its carrier network can also be IPv6. For any one interface the encapsulated packets may be IPv4 or IPv6, but the carrier is fixed (either IPv4 or IPv6). The remaining problem is how to implement conversion between VPN connections. First, the VPN routers at the two ends keep their function unchanged: they use IPv4 or IPv6 to carry encrypted IPv4 or IPv6. Next, the VPN router that converts between connections is modified so that it associates an IPv4 connection with an IPv6 connection. Finally, on that router the interface's "send" and the socket's "write" are made no-ops, and its "read" is modified so that a packet received on one connection is sent out on the other, still undecrypted, by calling the original "write" of the associated socket. Key exchange is therefore handled entirely by the two ends; the router in the middle never decrypts packets, which improves both efficiency and security. One remaining shortcoming is that authentication is not implemented; that requires further research.
Keywords/Search Tags: Implementation