HUANG Hao-you,LU Jian-gang

2006-01-01

Abstract:The GAP principles is briefly introduced.A novel implementation method based on FPGA technology is presented.The SCSI protocol controller,SDRAM controller and core controller are integrated in the FPGA chip.It has been proved that the reliability and compatibility of this novel method are superior to those of MCU+SCSI protocol controller.

Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

张旭光,平玲娣,潘雪增

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.14.037

2004-01-01

Abstract:With the development of the Internet technologies and computer communication technologies, the traditionary circuit-switch based network must evolves to the new generation network which is based on the packet-switch technology. Facing the progress and status of the convergence of the three-networks, This document presents a distributed and SIP protocal based VoIP system prototype. Due to combinating of merits of SIP and IP, this model not only provides the interoperation with the existed network, but also provides an extendable plat for the NGN. This model uses private VoIP network to achieve the QoS.

Lu Yin,Shi Jin,Huang Hao,Xie Li

DOI: https://doi.org/10.3969/j.issn.1000-386x.2007.09.003

2005-01-01

Abstract:To ensure the network security in the period of IPv4/IPv6 transition and co-existence is the key for NGI evolution.This paper proposes a novel secure gateway system model based on NAT/PT-NAPTSG,which is aimed at providing the function of high-performance access control and interconnections on the IPv4/IPv6 network border.The considerations about its design is discussed in detail.In the last part of the(paper),the working progress of prototype and testing is described.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

张赫男,冯冬芹

DOI: https://doi.org/10.3969/j.issn.1005-2852.2008.z1.015

2008-01-01

Abstract:Aiming at the network access problem when there are Wireless Nodes in industrial control and measurement systems,we designed an EPA standard oriented Gateway interface and corresponding protocol stack.Relying on this protocol stack,each wireless node is represented by a wired EPA device in plant owning to the Gateway.Every device within the system(including wireless one)is indiscriminatingly operated with the same communication specification from system monitor's point of view.

陆敏锋,平玲娣,李卓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.051

2010-01-01

Abstract:Aiming at the problem that the IPSec-based VPN product, this paper designs and achieves a IPSec-based VPN test system running on the Linux platform. This paper introduces the IPSec protocol and its architecture, and presents the design and achievement of the test system through analyzing the principle of the IPSec protocol. Experiment result shows that this test system is feasible and effective.

Lu WANG,Yin-dong JI,Xin-ya SUN,Xu-feng XIA

DOI: https://doi.org/10.3969/j.issn.1674-3415.2007.24.013

2007-01-01

Abstract:Communication network of large automatic control system is composed by many subnets,and the protocols of the subnets are generally different from each other.So it makes poor expansibility and cost too much in maintenance and modification.This paper presents a modularized software design of communication gateway,which converts each communication protocol to an internal protocol to achieve intercommunication,so that the core module is irrelative from protocol.While new protocol is brought in,it just needs to add the new interface and the protocol transferring function.The application in control system demonstrates this gateway is extendable and flexible.

沈燕然,张青山,王新,薛向阳

2008-01-01

Abstract:Development of IPv6 networks brought the need of secure communication between private networks and different kind of personal devices.Secure and scalable communication protection scheme is required.While IPSec-VPN is a popular solution,it has several drawbacks such as forced requirement of accessor's knowledge about VPN gateways.In this paper,we proposed a new IPSec-VPN packaging mode-hybrid mode,and gave the implementation of it using Linux kernel netfiltering scheme.Applications show that the hybrid-mode IPSec-VPN works well for different VPN topologies and makes VPN gateways transparent to users.

Zonghua Gu,Zhu Wang,Shijian Li,Haibin Cai

DOI: https://doi.org/10.1109/isorcw.2012.20

2012-01-01

Abstract:The automotive telematics gateway is an important part of modern high-end cars providing various safety and convenience services for the vehicle owner. We have developed a software platform for automotive gateway based on virtualization technology. It runs two guest OSes concurrently on the same processor: one connected to in-vehicle embedded networks for running hard real-time applications, and the other connected to the outside internet for running soft or non-real-time applications. Several representative applications have been implemented on this platform, including car taillight switch, virtual instrumentation panel, task migration in the pervasive computing environment, multimedia migration based on NFC, etc.

钱治强,孙新亚

DOI: https://doi.org/10.3969/j.issn.1006-6047.2003.07.013

2003-01-01

Abstract:CPGW(Communication Protocol Gateway)plays an important ro le in substation automation system,which not only converts data frame from one communication protocol into another but also greatly increases communication e fficiency.Now it is the foundational device in power communica-tion network.A CPGW is designed,which takes the tailored Linux as its operating system platfo rm and runs on industrial control computer.The system reliability is improved e ffectively and the cost is reduced greatly.

Yan Jiang,Jing Huang,Yunsong Fan,Xiaobin Zhu

DOI: https://doi.org/10.13052/jcsm2245-1439.1345

2024-06-14

Journal of Cyber Security and Mobility

Abstract:With the development of Internet of Things technology, the security threats faced by the industrial control field are increasing, and strengthening the security protection capabilities of intelligent systems on IoT highways is becoming increasingly important. IPSec VPN tunneling technology can achieve identity authentication and encrypted data transmission, and is an important means to achieve secure data transmission in intelligent systems on Expressway intelligent tunnel system. The commonly used IPSec VPN gateway uses a traditional Linux protocol stack-based approach for data capture, which requires multiple data copies and context switching, resulting in low efficiency of IPSec services. In addition, the commonly used IPSec VPN security gateway is implemented on the basis of the open-source IPSec framework, using internationally recognized algorithms for encryption and decryption, which poses security risks. This article is based on the IPSec protocol, and studies the high-speed network packet capture framework PFRING technology, the fusion technology of national secret algorithm and IPSec protocol. It designs and implements an IPSec VPN IoT security gateway based on national secret algorithm. After experimental verification, the IPSec VPN gateway system constructed in this article has complete functions and better performance than the common open-source IPSec frameworks OpenSwan and strongSwan, and can meet the application requirements of IoT data encryption transmission.

Zhao Da-yuan,Jiang Yi-xin,Lin Chuang,Li Yan-xi

DOI: https://doi.org/10.1007/bf02828626

2005-01-01

Wuhan University Journal of Natural Sciences

Abstract:We mainly explore two problems when combining IPSec module into TCP/IP stack by porting the famous IPSec software (FreeS/WAN) into a security gateway. One is how to implement the IPSec module based on Netfilter in Linux 2.4. x kernel. The other problem is the performance evaluation. We test the throughput of our security gateway before and after applying IPSec with different encryption/decryption algorithms, including the software-based and hardware-based method. With these testing data, we analyze further system performance bottleneck. In the end, we also infer the quantitative relation between the system throughput and the speed of encryption/decryption algorithm and propose some valuable conclusions for improving performance.

Fei Yu,Qiang Wei,Yangyang Geng,Yunchao Wang

DOI: https://doi.org/10.1109/imcec51613.2021.9482240

2021-06-18

Abstract:Industrial network boundary protection equipment faces threats from attackers when protecting the industrial control system network. The similarity and static characteristics caused by large-scale and long-term deployment determine that it could only defend against known attacks but could not deal with unknown APT threats, which leads to the breakthrough of one defense line is equivalent to the breakthrough of all defense lines and may bring challenges to industrial production safety. This paper proposes a mimic defense model of industrial isolation gateway based on endogenous security. With the dynamic scheduling mechanism to transform the attack surface, the gateway selects multiple heterogeneous filter executors to process the same packet simultaneously. By comparing the processing results of each executor, anomaly detection is carried out to realize the dynamic defense of the industrial isolation gateway. The experimental results show that the industrial isolation gateway based on mimic architecture can significantly increase the difficulty of backdoor utilization, such as paralysis, rule tampering, and information theft, and effectively defend the industrial control system from the threats caused by the backdoors and vulnerabilities of the isolation gateway while exerting the normal boundary protection function.

Yaxuan Qi,Fei He,Xiang Wang,Xinming Chen,Yibo Xue,Jun Li

DOI: https://doi.org/10.1016/j.comcom.2010.03.035

IF: 5.047

2011-01-01

Computer Communications

Abstract:In this paper, we propose an extensible open network services gateway (OpenGate) for high-performance network processing at the edge of high-speed networks. The OpenGate system embraces recent advances of open network technologies: the performance is guaranteed by using open-standard ATCA platforms; and the extensibility is achieved by employing parallelized open source software. As an application example of OpenGate, a high-performance security gateway, OpenGate-SG, was developed using existing ATCA platforms and open source software. This system provides multiple security services, including stateful firewall, intrusion prevention and anti-virus. Experimental results show that, OpenGate-SG can achieve up to 200Gbps stateful firewall throughput with 8Gbps intrusion prevention and anti-virus, which is competitive to the performance of today’s high-end security products. OpenGate-SG has also been tested as a security gateway for a university campus network with more than 1000 students.

Yinghua Wu,Jianping Wu,Ke Xu,Mingwei Xu

DOI: https://doi.org/10.1109/TENCON.2002.1181240

2002-01-01

Abstract:IPSec protocols offer a standard security mechanism, used for security service to upper' protocols (such as UDP and TCP). This paper introduces the design and implementation of Router Security Subsystem based on IPSec, the important part of High Performance Security Router made by Tsinghua University. We complete consummate and reliable security functions, use various optimal methods to enhance the performance furthest.

y e runguo,y u shuyao,HongWei Yang,Chuck Song

DOI: https://doi.org/10.1117/12.575599

2005-01-01

Abstract:Similar to conventional NAT gateways, NAT-PT gateways break traditional TCP/IP's end-to-end argument property; hence, any IP-based applications protected by IPSec protocol cannot traverse NAT-PT gateways properly. The interworking issues between IPSec and NAT-PT gateways under IPv4/IPv6 co-existent environments were studied: This paper first pointed out the deficiency of current NAT-Traversal scheme when interworking with NAT-PT gateways and proposed an enhanced scheme, which enabled interworking between IPSec and NAT-PT gateways and served the following three scenarios: 1) secure communication between IPv6 hosts and IPv4 hosts; 2) secure communication between IPv6 subnets and IPv4 subnets; 3) secure communication between remote IPv6 hosts and legacy IPv4 subnets.

Hua Jiang,Qingrui Wang,Gang Zhang,Jinpo Fan

DOI: https://doi.org/10.1088/1742-6596/1176/4/042007

2019-03-01

Journal of Physics: Conference Series

Abstract:IPSec VPN is a virtual private network technology implemented using the IPSec protocol. Aiming at the problem that the national secret algorithm is relatively less applied to network security products, a gateway based on Openwrt system equipment is designed. The OpenWRT system includes the complete strongswan software, making it easy to set up a VPN. The design replaces the aes algorithm, the sha256 algorithm and the ECDSA algorithm used in the IPSec VPN in the StrongSwan source code with the SM4, SM3 and SM2 algorithms respectively, and replaces the ECDSA-SHA256 certificate with the SM2-SM3 certificate according to the X509 certificate standard to achieve the national secret standard. The SM4, SM3 and SM2 algorithms are provided by the SSX0912 encryption chip, and the certificate is placed in the SSX0912 encryption chip for dense storage. It is proved that the scheme is completely feasible, and the IPSec VPN that can be realized can run stably for a long time and has high practical value. By setting up the development environment test, the gateway runs stably, has small delay, and has higher security, and the device has high communication speed, small occupation volume, high flexibility, and strong specificity.

张玉芳,熊忠阳,赖苏,张科,刘君,王银辉

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.04.028

2009-01-01

Computer Science

Abstract:The existing packet filtering firewall is helpless for the spread of network virus,making a study on the designed of anti-virus firewall is very necessary.This paper designed and realized an experimental anti-virus firewall in IPv6.The firewall was realized in the form of kernel loadable module,and can be used to filter virus above link layer.The special TCP/IP used for firewall is rebuilt because transparent mode firewall cannot be run in the original TCP/IP of Linux.The firewall can get and resolve IPv6 packets and the IPv6 in IPv4 tunnel packet.It can also traverse every extension header until higher protocol layers.The firewall uses open source software to filter the virus in the network and ensures network security.For working in the kernel mode,the detecting speed was improved.The experimental results show that the performance and function of the firewall achieve the desired objectives.

张要伟,杨志义,沈沉,张保华

DOI: https://doi.org/10.3969/j.issn.1007-130x.2008.06.030

2008-01-01

Abstract:Wireless sensor networks are widely used in the modernization of agriculture. This paper analyzes the importance of a gateway in greenhouse intelligent measuring and controlling systems, proposes the design principle of a gateway, and makes the choice of devices. Based on the low-power PXA270 embedded processor, the hardware platform of a gateway is implemented with the Ethernet, the USB host, and the CF card interface. Finally, we analyze elaborately the booting process of the boot loader, and implement the porting of Blob in the gateway designed by ourselves.