
Research Of The IPSec VPN Key Technology

Posted on: 2009-12-02
Degree: Master
Type: Thesis
Country: China
Candidate: L Li
GTID: 2178360245495299
Subject: Systems analysis and integration

Abstract/Summary:
With the development of the Internet, the security and confidentiality of information have become more and more important, and people increasingly attach importance to network security products. A VPN system uses tunneling technology to offer its customers secure transport of private data over the public network, and it occupies an important position among network security products. Since the IETF designed IPSec as an open network-layer security protocol, IPSec has been used to construct VPN systems, and IPSec VPN has become a key topic of security research.

The traditional IPSec VPN system is simple and efficient. Although it can satisfy the most basic requirements of network security, it has inherent limitations. Based on practical analysis and research on IPSec VPN, the dissertation discusses three questions related to the use of IPSec VPN in real environments.

1) The first is how to make IPSec support multicast. IP traffic destined to a multicast or broadcast IP address cannot be handled by IPSec, which means that IP multicast traffic cannot traverse the IPSec tunnel. Given the strengths of IPSec, we would like to use it in the multicast case as well. We explore how to use GRE in combination with IPSec to work around this implicit limitation of native IPSec. We identify the problem that is likely to arise in a hub-and-spoke architecture and then propose a solution.

2) The second is how to improve the organizational structure of the Security Policy Database (SPD). Security policy is an important component of the IPSec architecture, and its core questions are expression and implementation. Expression covers the definition, storage, and retrieval of security policy. Implementation is its application in actual communication. The security policies applied to inbound and outbound IP packets are stored in a database called the Security Policy Database (SPD). Because the SPD must be queried for every IP packet, its organizational structure has an obvious effect on the efficiency of the IPSec VPN system. Practical applications place very high demands on SPD search speed, especially in complex network environments. Because the source and destination addresses in the SPD may be either a host address or a subnet address, search complexity is high. We improve the organizational structure of the SPD and adopt data structures suited to the characteristics of the database to increase search efficiency. We use a multibit trie and a radix tree for the SPD and examine the differences between the two data structures.

3) The last is how to deal with interrelated policies. The different security policies used by a large number of internal nodes may overlap with one another, so the relativity (interrelation) of policies must be handled properly. After analyzing the confusion caused by the relativity of policies, we analyze the solution to this problem, in order to understand thoroughly how the policy system deals with interrelated policies in a complex network environment.

Moreover, this paper proposes a security policy server model for VPN systems. Because configuring a VPN system is a specialist task, VPNs frequently fail to connect in practice. Security policies concentrated on the security policy server can be deployed and managed by the network administrator, which avoids the problem of inconsistent security policies.

The aim is to give network security enterprises a more comprehensive understanding of IPSec VPN and to improve its efficiency.

During graduate study, the author took part in many IPSec VPN related projects in the R&D VPN Department of Dean Computer Technology Co., Ltd, which provided the practical foundation for the paper.

Keywords/Search Tags:VPN, IPSec, GRE, relativity of policies, SPD