| Based on the characteristic of the security policy database supporting on security policies in IPSec of IPv6 and its enforcement, an "unified management, distributed control"of multi-hierachy and multi-domain security policy system is given in this paper to solve policy-driven of the IPv6 networks'security and the multi-hierachy and multi-domain of the military and commercial security applications. In the multi-hierachy and multi-domain security policy system, central policies are unified configured, the security domains download security policies according to their requriments and some local policies are configured by consultation. The paper focuses on how to effectively manage a multi-hierachy and multi-domain system in IPv6 networks including policy description, configuration and storage solution, as well as implementation. The realization of the multi-hierachy and multi-domain system has been proved also. Although IPSec can provide powerful security supports, in the policy-driven distributed network environment, from configuration, distributing to implementation, policies must be consistent. Otherwise, the expected safety target might not be reached. Causes of the conflicts are in-depth studied and solutions to each situation are given. Finally, the multi-hierachy and multi-domain system is combined with CERNET2 network and the IPSec policies of SPD are given. On the basis of the selector, expansion on SP is discussed and some examples are used to illustrate this.The system is flexible, suitable for the security domain management in the IPv6 environment. Security policies can protect the IPv6 network in maximum with correctly configured. The article also has practical significance to the CERNET2 network. |
PDF Full Text Request