Computer Science and Technology Graduation Project (Thesis) Foreign Literature Translation.doc

Uploaded by: 来看看  Document ID: 3970357  Upload date: 2019-10-11  Format: DOC  Pages: 34  Size: 213.50 KB

Security Analysis of the IP and IPSec Protocols

Zhengzhou Institute of Light Industry, undergraduate graduation project: literature translation

Title: Security Analysis of the IP and IPSec Protocols
Student name:
Major and class: Computer Science and Technology, Class 2003-1
Student ID: 56
School (department): School of Computer and Communication Engineering
Advisor:
Completion date: June 6, 2007

English original

The Analysis Of IP and IPSec Protocols Security Problem

1. Overview of the OSI model and the TCP/IP protocol

1.1 Introduction to the OSI model and the TCP/IP protocol

The OSI model (Open Systems Interconnection reference model) was developed from a proposal by the International Organization for Standardization, and it is divided into seven layers. The OSI reference model drawn up by ISO has attracted a great deal of criticism for being overly bulky and complex. As shown in the following chart:

OSI model              TCP/IP model
Application layer      Application layer
Presentation layer
Session layer
Transport layer        Transport layer
Network layer          Network layer
Data link layer        Network interface layer
Physical layer

Figure 1.1 OSI model and TCP/IP model

Any discussion of networks has to mention the OSI reference model. Although its practical significance is not very large, it is indeed very helpful for understanding how network protocols work internally. In the real network world, the TCP/IP protocol suite has gained far wider application. In the OSI seven-layer model, every layer provides services to the layer above it, together with an access point or interface. The same layers on different hosts are called peer layers. For example, the presentation layer of host A and the presentation layer of host B are peer layers of each other, and the session layer of host A and the session layer of host B are peer layers of each other. The TCP/IP reference model removes the session layer and the presentation layer of the OSI reference model (the functions of these two layers are merged into the application layer).

1.2 Vulnerabilities of TCP/IP

The major defect of the IP layer is the lack of effective security authentication and encryption mechanisms, and the most important factor is the IP address problem. The TCP/IP protocol uses the IP address as the sole identifier of a network node, and many TCP/IP services, including the Berkeley R commands, NFS and X Window, all authenticate and authorize users on the basis of the IP address. The current security mechanisms of TCP/IP networks are mainly packet filtering based on IP addresses and authentication technology; their effectiveness lies in judging the authenticity and security of data from the source IP address in the IP packet. The IP address, however, has many problems. The greatest shortcoming of the protocol is the lack of protection for the IP address, and the lack of an authentication mechanism and security measures for the authenticity of the source IP address in an IP packet.

Because UDP is built on top of the IP protocol, and TCP segments and UDP datagrams are encapsulated in IP packets for transmission over the network, they face the same security threats that the IP layer encounters. People have been looking for solutions all along, yet what still cannot be avoided is the attack based on the three-way handshake mechanism used when a TCP connection is established. These attacks can be summarized as follows:

1. source address spoofing, or IP spoofing;
2. source routing spoofing;
3. RIP attacks;
4. authentication attacks;
5. TCP sequence number spoofing;
6. TCP/IP protocol data streams are transmitted in plaintext;
7. TCP SYN flooding attack, SYN attack for short;
8. ease of spoofing.

1.3 Network Security

Network security has always been an indispensable and important factor in data networks. In early networks, only the computers themselves and the applications were resources that needed protection. In mainframe computer systems, confidential data was stored in a glass house; authentication was done through password protection, access was allowed only within the enterprise network and only to some end users, and the enterprise network itself was also closed to the outside. For many government departments and academic institutions, the Internet was merely a tool for forwarding e-mail and transferring files.

The revolution in the Internet and in computer technology has completely changed all of this. Computers are now very fast and inexpensive, and are commonly used to store private and confidential information. The Internet lets people communicate smoothly on a global scale, and its unreliability is also easy to imagine. This means that the network elements end users rely on to transmit data may be outside their control. If the data itself is confidential, it may be exposed to theft, or be viewed or altered by unauthorized users. Meanwhile, private enterprise networks also need to use the Internet and interconnect with it. The Internet holds huge business opportunities in advertising and e-commerce, and for users the Internet is a must. But doing so leaves the resources of the enterprise network completely exposed to attack by hackers, fraudsters and other malicious parties, possibly including sabotage carried out by unscrupulous people for even uglier motives. Whatever the cause, the requirements for network security are now stricter than in the past, and also more necessary.

In fact, we have many means available for protecting a network. A firewall can be erected at the edge of a private network to filter out unwelcome data flows. Applications and transport protocols have their own security mechanisms. Another kind of technology provides security assurance on the basis of the IP layer or, more precisely, on each IP packet in the data flow. This approach is meaningful for the following reasons:

1. Both the Internet and enterprise intranets are based on IP. Most private data traffic must pass through the IP layer, and most private data is carried in IP packets;
2. It can protect and isolate higher-level applications from security attacks;
3. It can take the part of existing higher-level security mechanisms;
4. It can be used to build an extensible, secure VPN on top of the Internet.

To meet the need for security at the IP layer, the IETF established the IP Security (IPSec) working group. Through its efforts, the working group has devoted itself to providing network-layer security protocols, mechanisms and services for IPv4 and IPv6.

The services provided by the IPSec framework include the following:

1. access control;
2. data origin authentication (authenticating every IP packet);
3. replay protection (preventing an attacker from eavesdropping on certain packets and replaying them some time later);
4. data integrity (verifying that IP packets have not been tampered with in transit);
5. data confidentiality & encryption (hiding part of the packet through encryption);
6. limited traffic flow management (concealing the IP address of the original sender);
7. key management.

The protocols initially defined by the IPSec framework include the Authentication Header (AH), the Encapsulating Security Payload (ESP) and key management.

2 IPSec: IP-layer protocol security

2.1 The necessity of the IPSec protocol

IPSec provides security services at the IP layer. It enables a system to select the security protocols it requires, determine the algorithms used by the services, and put in place the keys needed to provide the requested services. IPSec is used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The set of security services that IPSec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality, and limited traffic flow confidentiality. Because these services are all provided at the IP layer, they can be used by any higher-layer protocol, for instance TCP, UDP, ICMP, BGP and so on.

These objectives are met through two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), and through the use of key management procedures and protocols. The set of IPSec protocols required, and the way they are used, is determined by the security and system requirements of the users, applications, and/or sites and organizations.

When these mechanisms are correctly implemented and used, they should not have a negative impact on users, hosts and other Internet components that do not use these security mechanisms to protect their traffic. These mechanisms are also designed to be algorithm-independent. This modularity permits different sets of algorithms to be selected without affecting the other parts of the implementation. For example, different user communities can select different sets of algorithms if needed.

The IPv6 packet itself provides no security protection, so a hacker can attack by means such as packet sniffing, IP spoofing, connection hijacking and replay attacks (a method of attack that crashes a system by continually sending packets with the same sequence number). The data packets we receive are therefore exposed to the following risks: they may not come from a legitimate sender; the data may have been modified by someone in transit; the data content may have been stolen by someone (for example, conversations carrying important information such as military secrets). The purpose of IPSec is to achieve integrity of data transmission (source address verification and a guarantee that the data has not been modified) and confidentiality (the data has not been read by anyone), and to provide a certain degree of protection against replay attacks. IPSec can be used to provide security protection for IP and upper-layer protocols (TCP, UDP and so on).

Network security is a synthesis of many security measures, and the IPSec mechanism of IPv6 is an important component of it. It provides a consistent solution at the protocol level, which is also an important advantage of IPv6.

with logs, routing protocol events, error records and so on, so that network administrators can carry out analysis, location and statistics of faults and security attacks; through binding MAC addresses to IP addresses, limiting the number of MAC addresses used per port, setting a broadcast packet traffic threshold per port, using port-based and VLAN-based ACLs, establishing secure user tunnels and so on, to guard against layer-2 attacks; through route filtering, encryption and authentication of routing information, directed multicast control, improving route convergence speed to reduce the impact of route flapping, and similar measures, to strengthen layer-3 network security.

The potential security hazards include layer-2 attacks such as 802.1q encapsulation attacks, broadcast packet attacks, MAC flooding and spanning tree attacks, as well as attacks aimed at layer-3 protocols such as forged ICMP messages, ICMP flooding, source address spoofing and route flapping.

Usually, threats at the physical layer come from the unreliability of equipment, such as damaged boards and deterioration of the electrical characteristics of physical interfaces and of the EMC environment. Such hazards can be guarded against by configuring redundant devices, redundant lines and secure power supplies, ensuring the EMC environment and strengthening supervision. At the layers above the physical layer, the hazards come mainly from security threats aimed at the various protocols, and from attempts to illegally occupy or exhaust network resources.

At the application layer, there are mainly attacks aimed directly at HTTP, FTP/TFTP and telnet, and virus attacks spread through e-mail. The protective measures at the application layer against these attacks include: controlling users' network access rights through secure access control protocols such as AAA, TACACS+ and RADIUS.
