Design and Implementation of High-Performance IPSec Client Software
Published: 2018-03-11 23:00
Topic: IPSec. Focus: IKEv2. Source: Xidian University, 2014 master's thesis. Paper type: degree thesis.
[Abstract]: A VPN (Virtual Private Network) is a technology for establishing a secure, virtual network channel over an insecure network. IPSec (Internet Protocol Security) is one way of implementing VPN technology; it ensures the security of IP packets in transit mainly by encrypting and authenticating them. As network technology has developed, the bandwidth available to enterprise users has grown from the traditional ten-megabit and hundred-megabit levels to gigabit and ten-gigabit levels. Because of their design and other factors, existing IPSec client software for the Windows platform achieves low secure-filtering bandwidth in a gigabit network environment, which wastes network bandwidth. In addition, as the Windows operating system has been continually upgraded, existing IPSec client software commonly has compatibility problems on new operating system versions. To address these shortcomings of existing Windows IPSec client software, this thesis designs and implements a high-performance IPSec client for the Windows platform based on Windows kernel network filter drivers and AES-NI (Advanced Encryption Standard-New Instruction) technology. The software consists of two main parts: a user-mode application and a kernel-mode network filter driver. The user-mode application uses the IKEv2 (Internet Key Exchange) protocol to negotiate with the IPSec gateway and establish the VPN channel. In kernel mode, the IPSec filter driver is implemented with two kernel network filter driver frameworks, NDIS IM (Network Driver Interface Specification Intermediate) and WFP (Windows Filtering Platform), chosen according to the Windows operating system version. The driver solves problems common in IPSec implementations, such as MTU (Maximum Transmission Unit) handling and fragmentation of large packets, and uses AES-NI to accelerate IPSec processing. Test results in a gigabit Ethernet environment show that the client software implemented in this thesis meets the practical functional requirements, that AES-NI raises IPSec processing performance to about 500Mbps, and that the software has good operating system version compatibility and stability. The software has been successfully deployed in a certain department, where it has run stably and performed well over nearly half a year of use.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.1
Article number: 1600274
Article link: http://sikaile.net/guanlilunwen/ydhl/1600274.html