本文關鍵詞： VPN IPSec NAT NAT-T IKE UDP封裝　出處：《淮北師范大學》2014年碩士論文　論文類型：學位論文

【摘要】：近幾年，隨著IPSec技術與NAT技術應用越來越廣泛，同時兩者之間的矛盾越來越突出，IPSec技術與NAT技術結合使用即可以提高內(nèi)網(wǎng)與外網(wǎng)數(shù)據(jù)通信安全性，又可以解決IPv4資源耗費和代價較高的問題。但是這兩種技術在各自的架構上，傳輸原理上，協(xié)議運行機制上等方面在兼容性上有著先天的不足。 本文充分收集國內(nèi)、國外對IPSec和NAT兼容性研究的理論及實踐文獻，深入了解IPSec技術與NAT技術，研究了IPSec技術與NAT技術共同工作的方案和NAT-T機制，并針對NAT-T過程提出了改進。 1、研究了本課題的相關技術，VPN技術應用、IPSec安全體系、NAT工作機制。結合復雜工作流程分析了NAT和IPSec/IKE產(chǎn)生不兼容的方面及已有的解決方法。同時指出了這幾種方法各自的優(yōu)勢和劣勢。 2、重點分析了IKE協(xié)商機制的第一階段和第二階段。在此基礎之上提出了針對NAT-D載荷二次散列計算，保證IKE協(xié)議數(shù)據(jù)的完整性，對防止旁路監(jiān)聽、網(wǎng)絡數(shù)據(jù)截取篡改起到了一定的作用。 3、采用基于信任第三方改進NAT-T穿越�，F(xiàn)有UDP封裝實現(xiàn)IPSec和NAT兼容方案的不僅必須使用ESP封裝格式，，還必須限定首先發(fā)起IKE協(xié)商的主機，首先發(fā)起IKE協(xié)商的主機必須位于NAT設備后面的內(nèi)網(wǎng)（私有網(wǎng)絡）中。根本原因在于該機制是實際應用在的單向NAT-T穿越，即“IPSec—NAT—公網(wǎng)—IPSec”模式。本論文提出基于信任第三方改進NAT-T穿越，實現(xiàn)了“結點—IPSec—NAT—公網(wǎng)—NAT—IPSec—結點”模式的網(wǎng)絡通信，同時通過采用PKE證書機制提高通信實體的安全性。
[Abstract]:In recent years, with the application of IPSec technology and NAT technology more and more widely, the contradiction between them is more and more prominent. The combination of IPSec technology and NAT technology can improve the security of data communication between intranet and extranet. It can also solve the problem of high cost and cost of IPv4 resources, but these two technologies have inherent inadequacies in compatibility in their respective architecture, transmission principle and protocol running mechanism. In this paper, the domestic and foreign theoretical and practical literatures on the compatibility of IPSec and NAT are collected, the IPSec and NAT technologies are deeply understood, the scheme and NAT-T mechanism of IPSec and NAT are studied, and the improvement of NAT-T process is put forward. 1. This paper studies the related technology of this subject, the application of NAT security system and the working mechanism of Nat. The incompatibility between NAT and IPSec/IKE and the existing solutions are analyzed with the help of complex workflow. At the same time, the methods are pointed out. Self-advantage and weakness. 2. The first and second stages of IKE negotiation mechanism are analyzed. Based on this, the secondary hash calculation of NAT-D load is proposed to ensure the integrity of IKE protocol data and prevent bypass monitoring. Network data interception and tampering played a certain role. 3. To improve NAT-T traversal based on trust, the existing UDP encapsulation scheme for IPSec and NAT compatibility must not only use ESP encapsulation format, but also limit the host that initiated IKE negotiation first. The host that initiated the IKE negotiation at first must be in the inner network (private network) behind the NAT device. The root reason is that the mechanism is a one-way NAT-T traversal used in practice. In this paper, we propose to improve NAT-T traversal based on trust third party, realize the network communication of "Node-IPSec-NAT-NAT-NAT-IPSec-Node" mode, and improve the security of communication entity by using PKE certificate mechanism.
【學位授予單位】：淮北師范大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP393.04

【參考文獻】

相關期刊論文 前10條

1 彭近兵;龍翔;高小鵬;陳賢欽;;一種新的IPSEC穿越NAT方法[J];北京航空航天大學學報;2007年01期

2 袁琦,田輝;IPSec穿越NAT技術要求[J];電信網(wǎng)技術;2004年06期

3 孟博;王丹華;王雪;張磊;陳雷;;基于PPTP-SSH隧道網(wǎng)關的VPN系統(tǒng)研究與實現(xiàn)[J];廣西大學學報(自然科學版);2011年S1期

4 朱婧;常會友;;一種基于UDP穿越NAT方案的設計與實現(xiàn)[J];計算機工程與應用;2006年35期

5 楊璐;沈悅;蔣蕾;;一種TCP協(xié)議穿透Symmetric NAT方案[J];計算機工程與應用;2007年06期

6 張建偉;蔡增玉;郭云飛;賀蕾;;基于UDP交換路由的NAT互聯(lián)技術研究[J];計算機科學;2008年09期

7 陳熊貴;曹珍富;郭圣;;IPSec穿越NAT多用戶的一種實現(xiàn)方案[J];計算機工程;2006年20期

8 張國印;葉在偉;曲麗君;;一種UDP穿越NAT的新方案[J];計算機工程;2008年12期

9 劉春燕;陳名松;冼莉莉;;基于端口探測的SIP穿透NAT的設計與實現(xiàn)[J];計算機工程;2008年17期

10 陸敏鋒;平玲娣;李卓;;基于IPSec網(wǎng)絡協(xié)議的VPN測試系統(tǒng)[J];計算機工程;2010年03期

本文編號：1529790