
Computer Engineering (计算机工程) ›› 2006, Vol. 32 ›› Issue (21): 170-172. doi: 10.3969/j.issn.1000-3428.2006.21.059

• Security Technology •

Design of an Enhanced IPsec-VPN Supporting Cross-certification and Status Detection

DU Chunyan, YANG Xuanyuan, LU Jiande

  1. Jiangsu Provincial Key Laboratory of Computer Information Processing Technology, School of Computer Science, Soochow University, Suzhou 215006
  • Online: 2006-11-05 Published: 2006-11-05

Abstract: IPsec is the set of IP-layer security protocols on which VPNs are built, but as deployments have grown in scale and scope, new problems have surfaced, notably in authenticating peers and in detecting whether a peer is still alive. This paper introduces a public key infrastructure (PKI) into the IPsec VPN, uses elliptic curve cryptography (ECC) for the public-key operations, and adds a cross-certification interface so that gateways certified by different CAs can authenticate each other, yielding a prototype of an enhanced IPsec VPN security gateway built on the improved PKI. It also studies the Dead Peer Detection (DPD) protocol and designs and implements DPD support, so that a gateway can recognise an unreachable peer and release its stale security associations instead of keeping them indefinitely. Together these measures address the authentication and state-detection weaknesses of existing IPsec VPNs and improve the security, extensibility and robustness of the VPN system. Finally, an implementation scheme based on the Linux 2.6 kernel is given.

Key words: VPN, IKE, PKI, ECC, cross-certification, Dead Peer Detection (DPD)
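The abstract names cross-certification as the mechanism that lets an IPsec gateway accept a peer whose certificate was issued by a CA it does not trust directly. The following Go program is an added example, not code from this paper or from the authors' Linux 2.6 prototype: it uses the Go standard library to build two ECC (P-256) CAs, an end-entity certificate for a gateway under CA-B, and a cross-certificate in which CA-A vouches for CA-B's key, then shows that a verifier trusting only CA-A rejects the peer until the cross-certificate is supplied as an intermediate. CA names, the gateway name and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// skid derives a Subject Key Identifier from the public key. CA-B's self-signed
// certificate and the cross-certificate CA-A issues for CA-B carry the same key,
// so both get the same SKI and both match the leaf's Authority Key Identifier
// when the verifier builds the chain.
func skid(pub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	must(err)
	sum := sha1.Sum(der)
	return sum[:]
}

func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	return n.Add(n, big.NewInt(1)) // never zero
}

func caTemplate(cn string, pub *ecdsa.PublicKey) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          skid(pub),
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA creates a P-256 key pair and a self-signed CA certificate (constructed CA).
func newCA(cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := caTemplate(cn, &key.PublicKey)
	return key, sign(tmpl, tmpl, &key.PublicKey, key)
}

// crossCertify has issuer vouch for another CA: same subject name and key as that
// CA's own self-signed certificate, but issued and signed by issuer.
func crossCertify(issuerKey *ecdsa.PrivateKey, issuer, subject *x509.Certificate) *x509.Certificate {
	pub := subject.PublicKey.(*ecdsa.PublicKey)
	return sign(caTemplate(subject.Subject.CommonName, pub), issuer, pub, issuerKey)
}

// issueGateway issues an end-entity certificate for a VPN gateway from its home CA.
func issueGateway(caKey *ecdsa.PrivateKey, ca *x509.Certificate, cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // IKE authenticates the peer by signature
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// chainLen validates leaf against the local trust anchors plus any intermediates
// (cross-certificates included); returns the length of the first valid chain, 0 if none.
func chainLen(leaf *x509.Certificate, roots, inters *x509.CertPool) int {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // IKE peers carry no TLS EKU
	})
	if err != nil {
		return 0
	}
	return len(chains[0])
}

// Scenario: our gateway trusts only CA-A; the remote gateway's certificate comes
// from CA-B. Without a cross-certificate the peer is rejected; with the CA-A -> CA-B
// cross-certificate the chain leaf -> cross-cert -> CA-A validates (length 3).
func Scenario() (withoutCross, withCross int) {
	keyA, caA := newCA("CA-A")
	keyB, caB := newCA("CA-B")
	peer := issueGateway(keyB, caB, "vpn-gw.domain-b.example") // constructed peer name
	withoutCross = chainLen(peer, pool(caA), pool())
	xAB := crossCertify(keyA, caA, caB)
	withCross = chainLen(peer, pool(caA), pool(xAB))
	return
}

func main() {
	without, with := Scenario()
	fmt.Printf("CA-A trust anchor only: chain length %d (0 = peer rejected)\n", without)
	fmt.Printf("with CA-A -> CA-B cross-certificate: chain length %d\n", with)
}
```

The practical point for a gateway is that the cross-certificate is an intermediate, not a trust anchor: the local anchor set stays just CA-A, and the peer (or a repository) supplies the CA-A -> CA-B certificate that bridges the two domains. Revoking that one cross-certificate severs trust in the whole foreign domain without touching the anchors.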
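The abstract also says DPD support was designed and implemented. As an added example, not the authors' code, the Go program below models the Dead Peer Detection exchange of RFC 3706: the ISAKMP notify types R-U-THERE (36136) and R-U-THERE-ACK (36137) carrying a 32-bit sequence number, probing only when the gateway has traffic to send but has heard nothing from the peer for an idle interval, replay protection on the receiver side (a sequence number not greater than the last one accepted is ignored), matching of acknowledgements against the outstanding probe, and tearing the peer down after a bounded number of unanswered retransmissions. The timer values, the 31-bit random starting sequence number, and the choice to give each retransmission a fresh sequence number are this example's own policies; real IKE would also protect the notify with the Phase 1 SA's hash and include the ISAKMP cookies.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// ISAKMP notify message types assigned by RFC 3706 (private-use range).
const (
	NotifyRUThere    uint16 = 36136
	NotifyRUThereAck uint16 = 36137
)

// Notify is the DPD payload: type plus the 32-bit sequence number. The ISAKMP
// cookies and the protecting hash payload are omitted in this model.
type Notify struct {
	Type uint16
	Seq  uint32
}

// Peer holds one gateway's DPD state for a single IKE SA.
type Peer struct {
	name          string
	idleInterval  time.Duration // silence from the peer before we start probing
	retryInterval time.Duration // wait between R-U-THERE retransmissions
	maxRetries    int

	lastInbound time.Time // last authenticated packet seen from the peer
	nextSeq     uint32    // next R-U-THERE sequence number we will send
	probing     bool      // a probe cycle is outstanding
	probeStart  uint32    // first sequence number of the outstanding cycle
	sentAt      time.Time
	retries     int
	peerSeq     uint32 // highest R-U-THERE sequence number accepted from the peer
	peerSeqSeen bool
	Dead        bool // set once the peer is declared dead (SAs would be torn down)
}

func NewPeer(name string, idle, retry time.Duration, maxRetries int, now time.Time) *Peer {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	// Random start so a spoofer cannot guess it; kept below 2^31 and non-zero
	// (example policy) so this toy never has to handle wrap-around.
	seq := binary.BigEndian.Uint32(b[:])&0x7fffffff | 1
	return &Peer{name: name, idleInterval: idle, retryInterval: retry,
		maxRetries: maxRetries, lastInbound: now, nextSeq: seq}
}

// OnInbound records proof of liveness: any authenticated IKE or IPsec traffic
// from the peer counts, not just a DPD acknowledgement.
func (p *Peer) OnInbound(now time.Time) {
	p.lastInbound, p.probing, p.retries = now, false, 0
}

func (p *Peer) sendProbe(now time.Time) *Notify {
	n := &Notify{Type: NotifyRUThere, Seq: p.nextSeq}
	p.nextSeq++
	p.sentAt = now
	return n
}

// Tick runs the DPD timers; it returns an R-U-THERE to transmit, or nil.
func (p *Peer) Tick(now time.Time, hasOutbound bool) *Notify {
	if p.Dead {
		return nil
	}
	if p.probing {
		if now.Sub(p.sentAt) < p.retryInterval {
			return nil
		}
		if p.retries >= p.maxRetries {
			p.Dead = true // delete the IKE SA and its IPsec SAs here
			return nil
		}
		p.retries++
		return p.sendProbe(now) // retransmission gets a fresh sequence number
	}
	if hasOutbound && now.Sub(p.lastInbound) >= p.idleInterval {
		p.probing, p.probeStart = true, p.nextSeq
		return p.sendProbe(now)
	}
	return nil
}

// OnNotify handles a received DPD payload; returns an ACK to send, or nil.
func (p *Peer) OnNotify(n Notify, now time.Time) *Notify {
	switch n.Type {
	case NotifyRUThere:
		if p.peerSeqSeen && n.Seq <= p.peerSeq {
			return nil // replayed or reordered probe: stay silent
		}
		p.peerSeq, p.peerSeqSeen = n.Seq, true
		p.OnInbound(now)
		return &Notify{Type: NotifyRUThereAck, Seq: n.Seq}
	case NotifyRUThereAck:
		if !p.probing || n.Seq < p.probeStart || n.Seq >= p.nextSeq {
			return nil // no probe outstanding, or ACK for a sequence number we never sent
		}
		p.OnInbound(now)
	}
	return nil
}

type Result struct {
	Dead, ReplayDropped, StaleAckDropped bool
	ProbesSent                           int
}

// Simulate drives gateway A against gateway B for 60 seconds (constructed
// scenario): A always has outbound traffic, B either answers or is silent.
func Simulate(responsive bool) Result {
	t := time.Unix(1700000000, 0)
	a := NewPeer("gw-a", 10*time.Second, 5*time.Second, 3, t)
	b := NewPeer("gw-b", 10*time.Second, 5*time.Second, 3, t)
	var res Result
	for i := 0; i < 60 && !a.Dead; i++ {
		t = t.Add(time.Second)
		probe := a.Tick(t, true)
		if probe == nil {
			continue
		}
		res.ProbesSent++
		if !responsive {
			continue
		}
		a.OnNotify(Notify{NotifyRUThereAck, probe.Seq - 1}, t) // forged ACK, wrong sequence
		res.StaleAckDropped = a.probing                         // probe must still be outstanding
		if ack := b.OnNotify(*probe, t); ack != nil {
			a.OnNotify(*ack, t)
		}
		res.ReplayDropped = b.OnNotify(*probe, t) == nil // replayed R-U-THERE gets no answer
	}
	res.Dead = a.Dead
	return res
}

func main() {
	fmt.Printf("responsive peer: %+v\n", Simulate(true))
	fmt.Printf("silent peer:     %+v\n", Simulate(false))
}
```

With the 10 s idle interval, 5 s retry interval and three retries used here, a silent peer is declared dead 20 s after the first probe, after four unanswered R-U-THERE messages; a live peer is probed once per idle interval and never torn down, while the replayed probe and the forged acknowledgement are both ignored.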
