Abstract:
IPSec and IP Filter are among the most important security modules of IPv6 routers. Like IP Filter, the security-association query engine of IPSec must also filter and match IP packets, so an IP packet flowing through the router may be filtered by IP Filter and IPSec more than once. The way the two modules are deployed relative to each other therefore has a direct influence on IP packet processing performance. In this work, the inter-relationship between the two security modules is described from the perspective of the router's global security, and a novel deployment approach is proposed. Compared with the open-source IPv6 protocol stack KAME, the approach improves the processing performance of IPSec and reduces the negative influence of IP Filter on IPSec. It also reduces duplicated IP packet filtering within the router, which improves IP packet processing performance.