一种利用UDP封装实现IPSec_NAT穿越的改进方案2007

卖菜的大叔
1 ℃
2020-05-04

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

243Vol124,No.320073ComputerApplicationsandSoftwareMar.2007UDPIPSec2NAT(461000):2006-01-30:(0524220054);(200510480003),,:(NAT)(IPSec),,,UDPESPIPSec2NAT,NATIPSecUDPONEKINDIMPROVEMENTOFIPSec2NATTRAVERSALSOLUTIONUSINGTHEUDPENCAPSULATIONDuGenyuanTanShuimu(DepartmentofComputerScienceandTechnology,XuchangUniversity,XuchangHenan461000,China)AbstractInordertosolvethecompatiblequestionofNATwithIPSec,hasexhaustivelyanalyzedthetwoincompatibleperformanceandthereason,andhasanalyzedthecorrespondingsolution,producedonekindofESPpackageusingUDPencapsulationthustorealizetheim2provementofIPSec2NATtraversalsolution.Andhasproducedthesecureanalysis,hasthecertainpracticalsignificance.KeywordsNATtraversalIPSecprotocolUDPencapsulation1IPSecNATIPv4IPIPSec[1]InternetIETF,IPv6,,Internet,NAT[2]:(BasicNAT)(NAPT);(,)(,),IPSecNAT,Internet,,,InternetIPSecNAT,UDPESPIPSec2NAT2IPSec,IPSecNAT,IPSecNATIPSecNAT[36]:(1)NATTCP,UDPICMP,AH[7](AuthenticationHeader)ESP[8](EncapsulationSecurityPay2load)NAT(2)AHIPIPIPNATIP,AHESPIP,IP,,ESP(3)TCPUDPIPIP,NATIP,TCPUDPIPAHESP(4)SA(SecurityAssociation)NAT,SASPI(SecurityParameterIndex)AHESP,NAT,/SA(5)SPD(SecurityPolicyDatabase)NAT,IPSec,NAT,(6)NAPT(NetworkAddressPortTranslation),,AHESP(7)IKE(InternetKeyExchange)NAPTIKE500,NAPT1902007IKE,NAPT,NATIPSec,NATTCP/UDP,IPSecTCP/UDP;NATUDP,3IPSecNAT[3,5]IPSecNATIPSecNATIPSec,,IPSec,,NAT;,IPSec,NAT/,IETF3.1IPSecNAT:(1)IPSecNAT,(2)NATIPSecIPSecNAT,IP,,3.2RSIPRSIPIP,NATIPSec,IPSecRSIPRSIP,IPSecSPISPDNAT,IP,IKEIPSec,RSIPIKEIPSec,IKE,IPSecRSIP(AH/ESP)()RSIPIPSecNAT,RSIPRSIP,IPSecSA3.3UDP[9]RSIP,IPSecSPIIKECookie,NAT,IPSec;,NATRSIP,RSIPUDPNAT,,IPSec,NATNAT,;,,NAT,NATRSIPVPN,VPN,,UDP4UDP4.1UDPESPNAT,ESPUDP1,21UDPESP2UDPESP,UDPIKE,UDP0NATESPNATNAPT,UDPIPUDPUDPESP4.2IKEUDPESPIKE,IKEISAKMP[RFC2407]4BESP(Non2ESPMarker),Non2ESPMarkerUDPESPSPI,0IKEUDPESP,IPSec0SPI4.3NAT2Keepalive,IPSecNAT,NAT2KeepaliveUDPUDPIKE,0NAT2KeepaliveNATNATNAT2Keepalive,NAT2Keepalive3:SourceAddressDestinationAddressLengthChecksumTypeReserved3NAT2Keepalive4.4ESPIP,IPESP,IPESPUDP,IP3:UDPIPSec2NAT191UDPIKEUDP,IKEIKENAT2Keepalive4IP,UDP,IP,UDP,ESP(TCPUDP)NATIP,NAT,IP,ESPIPESP,IPIP/,,IKE:,;AHNAT5IPSecNATIPSecIP,(1)IPSecAHNAT,NAT,ESPAHESPAH,AHIP,ESP(2)ESP,IPAC()NAT,IPSecBAC;A,CWebCAIP,CA,,C,IPSec2NAT6IPSecNAT,IPSecNAT,IPSecNAT;NATRSIP,IP2SecNAT,,IPSecNAT,UDPESPNAT,IKE,NAT;,IPSec,,,NATIPSec[1]S.Kent,R.Atkinson.SecurityArchitecturefortheInternetProtocol[EB/OL].[2]P.Srisuresh,K.Egevang.TraditionalIPNetworkAddressTranslator(TraditionalNAT)[EB/OL].[3],IP[M],:,2002.[4]DoraswamyN,HarkinsD.IPSec:[M],:,2000.[5]B.Aboba,W.Dixon.IPsec-NetworkAddressTranslation(NAT)CompatibilityRequirements[EB/OL].[6]HuttunenA,SwanderB.UDPencapsulationofIPSecpackets(draft2ietf2IPSec2udp2encaps206.txt)[EB/OL].[7]S.Kent,R.Atkinson.IPauthenticationheader[EB/OL].[8]S.Kent,R.Atkinson.IPencapsulatingsecuritypayload(ESP)[EB/OL].[9]A.Huttunen,B.Swander,V.Volpe.UDPEncapsulationofIPSecPackets[EB/OL].(173)P2P,,,[1]ToloneWJ.Introspect:AMeta2levelSpecificationFrameworkforDy2namic,EvolvableCollaborationSupport.ThesisiforPh.D.1996.[2]GregoryAlanBolcer,MichaelGorlick,Peer2to2PeerArchitecturesandtheMagiOpen2SourceInfrasturcture,EndeavorsTechnology,Inc.,De2cember6,2000.[3]OlsonGM,etal.Disigningsoftwareforagrouppsneeds:Afunctionala2nalysisofsynchronousgroupware.In:BassL,DewanP,Eds.UserIn2fterfaceSoftware,1993.[4]TouI,etal.Prototypingsynchronousgroupapplications.IEEEComput2er,1994,27(5).[5],JXTA2JAVAP2P,,2003.6.[6]PattersonJF,etal.Rendezvous:Anarchitectureforsynchronousmulti2userapplications.In:ProceedingsoftheconferenceonCSCW,October1990.[7],CSCW,,1997.Vol.20,No.8,718724.