
The Study Of Distributed Tunnel Module Based SSL VPN

Posted on: 2008-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: N Li
Full Text: PDF
GTID: 2178360242998991
Subject: Computer Science and Technology
Abstract/Summary:
VPN (Virtual Private Network) technology provides secure point-to-point communication by encrypting and encapsulating private traffic. Existing VPN systems all adopt a server-centric client/server (C/S) architecture, in which every encrypted packet must be relayed by the VPN server. As traffic grows, the server becomes the bottleneck of the VPN and performance declines. Since transmission performance has become the biggest obstacle to the widespread use of VPNs, several solutions have been proposed that try to improve performance on the encryption side; because they are constrained by the encryption algorithm itself, the gains these approaches can achieve are limited. In this paper, addressing this deficiency of present solutions, we propose a new topology and working pattern for SSL VPN and attempt to improve VPN performance by separating the control stream from the data stream. To reduce the server's computing load, we introduce a P2P model into the VPN network, let the edge nodes share the computing load of the data transmission task, and make resource access no longer depend on the VPN server. The paper studies three key technologies of the new structure in depth: an SSL-based C2C quick handshake mechanism, a connection strategy for the distributed architecture, and an access control strategy for multiple statically created secure domains. We also design a new SSL VPN system based on a distributed tunnel module, DT-SSL VPN (Distributed Tunnel SSL VPN). In this system, with the server acting as negotiator, member nodes can establish a direct SSL tunnel to transfer confidential data without relaying through the server. This improves point-to-point transmission performance, takes full advantage of the computing power of member nodes, and increases resource utilization throughout the system.

Moreover, freed entirely from the duty of packet forwarding, the VPN server can devote more time and resources to managing the virtual network, which can potentially further improve the security of the VPN system. To validate the new model, we implemented a prototype of the DT-SSL VPN system on the Kylin platform. Experiments were performed on both functionality and performance. The results show that all modules operate normally and that, under high load, both point-to-point transmission performance and overall throughput improve markedly, which confirms the correctness and effectiveness of our model.
Keywords/Search Tags: Virtual Private Network, Secure Sockets Layer Protocol, One-time Password, Peer to Peer (P2P), Network Address Translation Protocol, TUN/TAP