National Digital Library of Theses and Dissertations in Taiwan

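Graduate student: 張棋嵐 (Chi-Lan Chang)
Thesis title: Automatic Generation of Conflict-Free IPsec Policies
Advisor: 雷欽隆 (Chin-Laung Lei)
Degree: Master's
Institution: National Taiwan University
Department: Graduate Institute of Electrical Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2005
Academic year of graduation: 93
Language: English
Number of pages: 42
Keywords: IPsec, Network Security, Policy, Conflict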
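In the use of IPsec, the purpose of security policies is to satisfy all the security requirements set by the network administrator. To achieve this, we need an efficient mechanism that can automatically generate correct and appropriate policies for enforcement. Among the many policies that are specified, there may be latent conflicts between them; such conflicts can cause abnormal blocking of traffic across the network or open major holes in network security. In this thesis, we therefore analyze all the situations that can cause policies to conflict with one another, summarize the root causes of these problems, and provide an efficient solution for each situation that can lead to a conflict. We then propose an algorithm that automatically generates correct, conflict-free policies from all the security requirements given by the network administrator, so that all network security goals are met. Finally, we analyze and simulate our algorithm and compare it with the related algorithms in the current literature; the comparison shows that the proposed mechanism outperforms all previously proposed automatic policy-generation algorithms.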
IPsec will function correctly only if its security policies satisfy all the requirements. If the security policies cannot satisfy the requirements, we say there may be policy conflicts. In this paper, we analyze all situations that could lead to a policy conflict and try to resolve all of them. We reduce them to only two situations that can cause conflicts, and propose a method to automatically generate conflict-free policies that satisfy all requirements. We also implement our algorithm, compare the simulation results with other approaches, and show that it outperforms existing approaches in the literature.
ABSTRACT (CHINESE)
ABSTRACT
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
1. INTRODUCTION
2. RELATED WORK
2.1. CATEGORIES OF SECURITY REQUIREMENTS
2.2. SPECIFICATION OF SECURITY REQUIREMENTS
2.3. SPECIFICATION OF SECURITY POLICIES
2.4. THE BUNDLE APPROACH
2.5. THE DIRECT APPROACH
2.6. THE ORDERED-SPLIT ALGORITHM
3. POLICY CONFLICT PROBLEM
4. POLICY-GENERATION ALGORITHM
5. SIMULATION
6. CONCLUSION AND FUTURE WORK
REFERENCES