Song Wang,Hongbing Lv

DOI: https://doi.org/10.1109/iccps.2011.6089933

2011-01-01

Abstract:In the existing IPSec architecture, in which tunnel is built in kernel, the number of concurrent tunnels is restricted by IP address configured on the machine and user can not control the process of establishing tunnel. This brings inconvenience when we use personal computer to measure the performance parameters of VPN Gateway (e.g. the maximum number of concurrent tunnels and the maximum rate of the new tunnels built). In order to solve this problem, this paper presents a novel IPSec multi-tunnels concurrent architecture which uses distributed objects to build tunnels in user space. The architecture privodes one Console which are used to control all AgentNodes and multiple AgentNodes which are used to build tunnels. In AgentNode, the negotiation processing of tunnels, the IPSec processing of packets and the protocol processing of TCP/IP are all completed in user space by objects. Meanwhile, AgentNode uses virtual IP address instead of local IP address to negotiate tunnel and the number of concurrent tunnels will be unlimited (only limited by memory). Moreover, based on distributed architecture, the number of AgentNode can be arbitrarily extended. Therefore, the system has a great deal of flexibility on the number of concurrent tunnels and the rate of tunnel establishment, which helps to accurately measure the performance parameters of VPN Gateway.

杜全文,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.09.039

2002-01-01

Abstract:It is necessary to implement IKE protocol when using IPSec protocol to ensure IP security.This paper describes how to implement a typical IKE message exchange by multithread in detail.

ZHANG Guo-qiang,XU Yong-qing,YANG Xiao-hu

2006-01-01

Journal of Computer Applications

Abstract:TCP(Transmission Control Protocol) is a widely used reliable transmission protocol,and it is designed on such assumption that most packet losses are caused by congestion.But in wireless networks,packets are lost usually because of bit-errors,which causes dramatic performance declining.Many current methods to improve TCP performance over wireless networks are TCP-aware.This paper proposed an alternative "TCP-unaware" scheme that is suitable for encrypted TCP traffic.It makes TCP source be capable of differentiating a loss due to congestion in the wired network from a loss due to bit-errors in wireless networks.Simulation results show that the scheme can improve TCP performance significantly in both LAN(Local Area Network) and WAN(Wide Area Network).

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

王彬,吴铁军

DOI: https://doi.org/10.3969/j.issn.1007-0249.2003.05.010

2003-01-01

Abstract:A new UDP congestion control scheme based on explicit rate is proposed. According to this scheme, the end-systems, supported by the network routers, get the fair bandwidth of the bottleneck link in the connection. The sender regulates their send-rate to its alloted fair bandwidth smoothly. The proposed UDP congestion control scheme is TCP-friendly and easy to be implemented. Result of simulations shows the new UDP congestion control scheme has better performance than the other UDP congestion control schemes such as TCP-Friendly Rate Control (TFRC) protocol, especial in the throughput and TCP-friendliness. And the result also reveals the scheme is robust to the algorithms of queue management, such as Droptail and RED.

Yanfei Fan,Bin Lin,Yixin Jiang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2008.ecp.891

2008-01-01

Abstract:In this paper, we propose an efficient privacy-preserving scheme for secure packet transmission at wireless link layer. The proposed scheme is constructed by using hash values in reverse hash chains as interface identifiers. It can successfully and efficiently resist the Media Access Control (MAC) address based attacks, such as flow tracking and traffic analysis, which are launched by either outside or even inside attackers. In addition, some optimization techniques are also introduced to further improve the efficiency of the proposed scheme. The extensive analysis and simulations demonstrate the enhanced security and efficiency of the proposed scheme.

符松,金志权,陈佩佩

DOI: https://doi.org/10.3969/j.issn.1000-3428.2001.10.045

2001-01-01

Abstract:IPSec is a security architecture for the Internet protocol ,which provides transparent protection services for upper protocols. It consists of the protocols of automatic key management, authentication and encryption. In this paper, some modifications and a new protocol for the runtime detection are presented to enhance the efficiency and security of the original architecture.

沈燕然,张青山,王新,薛向阳

2008-01-01

Abstract:Development of IPv6 networks brought the need of secure communication between private networks and different kind of personal devices.Secure and scalable communication protection scheme is required.While IPSec-VPN is a popular solution,it has several drawbacks such as forced requirement of accessor's knowledge about VPN gateways.In this paper,we proposed a new IPSec-VPN packaging mode-hybrid mode,and gave the implementation of it using Linux kernel netfiltering scheme.Applications show that the hybrid-mode IPSec-VPN works well for different VPN topologies and makes VPN gateways transparent to users.

Liu Xiang-jiang

2009-01-01

Abstract:Since the Point-to-Point protocol (PPP) provides no protection for the negotiations of algorithms, the Internet key exchange (IKE) protocol is introduced into PPP for the negotiations of shared keys and authentication, compression and encryption algorithms. Through the integrity protection of the control messages, this method effectively solves the security problem of negotiations in PPP. The analysis of the method shows that it is much more secure and more effective than the original PPP.

Yinghua Wu,Jianping Wu,Ke Xu,Mingwei Xu

DOI: https://doi.org/10.1109/TENCON.2002.1181240

2002-01-01

Abstract:IPSec protocols offer a standard security mechanism, used for security service to upper' protocols (such as UDP and TCP). This paper introduces the design and implementation of Router Security Subsystem based on IPSec, the important part of High Performance Security Router made by Tsinghua University. We complete consummate and reliable security functions, use various optimal methods to enhance the performance furthest.

Li Qi,Xu Mingwei,Xu Ke

DOI: https://doi.org/10.1109/ICOIN.2008.4472762

2008-01-01

Abstract:IP Security (IPSec) is an important protection mechanism for securing the Internet communication. However, IPSec is a complex security protocol family, and the management issue is still a challenge for mass deployment. Many researchers have investigated the IPSec management issue with various approaches, the policy configuration and distribution issue remain to be efficiently resolved. A certificate-based scheme to manage IPSec endpoints is proposed in this paper. A Role-based Access Control (RBAC) model is introduced to simplify the process of policy configuration, and policy control mechanism is proposed to check whether new security association conforms to local security policies. The analysis of the scheme shows the flexibility and efficiency of our approach. Based on our proposed scheme, we implement a prototype system with the proof-of-concept and conduct experimental studies to demonstrate the feasibility and performance of our approach.

Ya Hang Zhang,BoWen Cheng,Sihan Qing,Guang N. Zou,Weiping Wen

DOI: https://doi.org/10.1117/12.855391

2010-01-01

Abstract:To solve the conflict between TCP accelerating technology based on PEP middle node and IPSec protocol used in the Satellite Network, NASA and the Hughes Research Laboratory (HRL) each independently proposed a solution named Multilayer IPsec protocol which can integrate IPSec with TCP PEPs. The problem is: Traditional IKE protocol can't work with Multilayer IPSec protocol. In this study, the traditional IKE main mode and quick mode are enhanced for layered IPSec protocol, and an improved layered key distribution protocol: ML-IKE is proposed. This key distribution protocol is used for key exchange between peers and middle node, so that different nodes have different security associations (SA), and different security associations correspond to different IP packet fields, so different SA nodes have different authorization to different IP packet fields. ML-IKE protocol is suitable for layered IPSec, thus layered IPSec can be used for automatic key distribution and update.

周立峰,欧阳毅,张绍莲,金志权

DOI: https://doi.org/10.3969/j.issn.1007-130x.2003.02.014

2003-01-01

Abstract:This paper first analyzes the complexity and security of IPSec protocols, then some reformative features are discussed, which not only simplify some complex concepts, but also make effective progress in security performance.

Li Xiaozhan,Pan Jin-gui

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.02.057

2007-01-01

Abstract:The new version of IP protocol—IPv6 appears with the development of network,but IPSec of IPv6 conflicts with NAT of present network.In order to solve this problem,and promotes that IPv4 shifts toward IPv6 favorably.This paper introduces the basic theory of IPSec and Network Address Transform(NAT) protocol at first,then introduces the conflicts between IPSec and NAT protocol,at last,it anatomies two ways to solve these conflicts.

y e runguo,y u shuyao,HongWei Yang,Chuck Song

DOI: https://doi.org/10.1117/12.575599

2005-01-01

Abstract:Similar to conventional NAT gateways, NAT-PT gateways break traditional TCP/IP's end-to-end argument property; hence, any IP-based applications protected by IPSec protocol cannot traverse NAT-PT gateways properly. The interworking issues between IPSec and NAT-PT gateways under IPv4/IPv6 co-existent environments were studied: This paper first pointed out the deficiency of current NAT-Traversal scheme when interworking with NAT-PT gateways and proposed an enhanced scheme, which enabled interworking between IPSec and NAT-PT gateways and served the following three scenarios: 1) secure communication between IPv6 hosts and IPv4 hosts; 2) secure communication between IPv6 subnets and IPv4 subnets; 3) secure communication between remote IPv6 hosts and legacy IPv4 subnets.

Xuewei Feng,Qi Li,Kun Sun,Ke Xu,Jianping Wu

2024-11-19

Abstract:After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.

Cryptography and Security

Huang Songhua,Ding Feng,Huang Hao

DOI: https://doi.org/10.3969/j.issn.1001-0505.2010.01.007

2010-01-01

Abstract:After analyzing the problems of the existing schemes in terms of flow balance and route optimization within the multihomed and nested mobile networks,an improved protocol is proposed with comprehensive flow balance and global and local route optimization support,which is based on a new and effective path evaluation metrics and a corresponding best path recognition algorithm.The improved protocol provides the comprehensive flow balances among multi-MNP(mobile network prefix),multi-MR(mobile router),multi-HA(home agent) and also route optimization inside and outside the multihomed and nested mobile networks,addressing suboptimal multi-angular routing and tunnel in tunnel problems.In addition,less modifications to previous protocols are required.Performance evaluation indicates that,compared with the existing solutions,this protocol cuts down the delay almost by half while available connections increase 30% and high throughput and stable performance are achieved.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

Hung-Min Sun,Shih-Ying Chang,Yao-Hsin Chen,Bing-Zhe He,Cheng-Kai Chen

DOI: https://doi.org/10.1109/tencon.2007.4429003

2007-01-01

Abstract:IPSec has been popularly used in protecting data over IP network; however, how to detect and avoid policy conflicts is a big challenge. Under current architecture, user- space process can directly manipulate security associations database (SADB) or security policies database (SPDB) causing inter-application conflict, lack of access control, lack of conflict avoiding and recovering, and conflict diffusion. Previous proposed algorithms can only detect conflicts afterward instead of preventing them in advance. Therefore we propose a new architecture to avoid conflicts and provide recovery mechanism. Finally, we implement these functionalities and the evaluation of performance shows that this architecture is realistic and practical.

黄永峰,李星

2002-01-01

Abstract:QoS of IP telephony is worse than that of circuit telephony because the available bandwidth of Internet varies then results in the loss of voice packets. This paper suggests an adaptive voice codec which can be applied in the IP telephony gateway, it can output various bit rate when Internet's bandwidth varies, the most advantage of the codec is that it can decrease the ratio of packet-losing and improve the QoS of voice. In the implementation of the voice coder, this paper brings forward four algorithms, which include an algorithm for computing the ratio of packet-losing based on real-times transport protocol, an algorithm for implementing a coder that outputs various bit rate, an algorithm for voice packeting, and an adaptive algorithm for encoding and packeting.