CN1394042A - Method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network - Google Patents
Method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network
- Publication number
- CN1394042A
- Authority
- CN
- China
- Prior art keywords
- ipsec
- tunnel
- virtual interface
- private network
- vpn
- Prior art date
- Legal status
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network (VPN) takes the IPsec security policy that is conventionally applied on a physical interface and applies it instead on the VPN tunnel virtual interface, so that every packet accessing the private network, whatever its protocol, receives IPsec protection and communication is secured. The method comprises the following steps: 1. configure at least one access control list (ACL); 2. define an IPsec security policy that specifies how the ACL of step 1 is applied; 3. configure a tunnel virtual interface; 4. apply the IPsec security policy generated in step 2 on the tunnel virtual interface.
Description
The present invention relates to a method for securing the transmission of Internet Protocol (IP) packets, and more specifically to a method for applying IPsec on the tunnel virtual interface of a virtual private network. It belongs to the technical field of securing communications in the transmission of digital information.
IP Security (IPsec) is the IETF standard for secure transmission of packets at the IP layer. For IP packet encapsulation, IPsec provides a tunnel mode, and this property can be used to implement a virtual private network (VPN). When an IPsec security policy is configured in combination with access control lists (ACLs), different data flows can be given different security protections. In the conventional technique, the configured security policy is applied on a physical interface, where it performs encryption (decryption), authentication, anti-replay protection and the other security functions on the IP packets that enter and leave that physical interface. If the IPsec security methods can only be applied on a physical interface, they can only protect the IP packets that enter and leave that physical interface; at present they cannot be applied on the tunnel virtual interface of a VPN. If they could be applied on the VPN tunnel virtual interface as well, the IP packets entering and leaving that interface would also be protected, which the many users of VPNs would certainly welcome.
For example, referring to Fig. 1, user A in private network B, which uses private IP addresses, accesses server D in another private network C; the two private networks B and C are connected through the Internet (a typical VPN application). Private network B connects to the Internet through router R1. An IPsec security policy is normally applied on the physical interface of R1 that connects directly to the Internet. That policy requires every IP packet entering or leaving the physical interface whose protocol is TCP (Transmission Control Protocol) to use IPsec tunnel encryption, but it is not meant to give IPsec encryption to packets of other protocols (for example UDP and GRE). However, so that IP packets of every protocol can use the VPN, a VPN tunnel virtual interface is created on R1 and encapsulated with GRE (Generic Routing Encapsulation); its tunnel destination is the public Internet address of router R2, which connects private network C to the Internet, and the routing module sends every IP packet destined for private network C through this tunnel virtual interface first. User A assumes that every TCP packet crossing the Internet is encrypted by IPsec, but in fact, in this arrangement, every TCP packet to private network C travels across the Internet unprotected by IPsec: after GRE encapsulation the packet that reaches the physical interface carries protocol GRE in its outer IP header, not TCP, so the TCP-matching ACL of the policy on that interface never selects it.
The object of the present invention is to provide a method for applying IPsec on the tunnel virtual interface of a VPN, that is, to make the IPsec security policy that is already widely applied on physical interfaces available on the VPN tunnel virtual interface, so that every packet accessing the private network, whatever its protocol, receives IPsec protection and communication is secured.
The object is achieved as follows: a method for applying IPsec on the tunnel virtual interface of a VPN, characterised in that the IPsec security policy applied on a physical interface is transferred to, and applied on, the VPN tunnel virtual interface.
Transferring the IPsec security policy applied on a physical interface to the VPN tunnel virtual interface comprises the following steps: 1. configure at least one access control list (ACL); 2. define an IPsec security policy that specifies how the ACL of step 1 is applied; 3. configure a tunnel virtual interface; 4. apply the IPsec security policy generated in step 2 on the tunnel virtual interface.
The feature of the invention is that the IPsec security policy applied on a physical interface is transferred to the VPN tunnel virtual interface, so that every benefit obtained by applying an IPsec policy on a physical interface, for example data encryption, packet authentication and anti-replay protection, is obtained equally on the VPN tunnel virtual interface. With the invention, the TCP packets that user A in Fig. 1 sends across the Internet are therefore also protected by IPsec.
The steps, features and effects of the method are described in detail below with reference to the drawings:
Fig. 1 is a schematic diagram of the system of a first embodiment of the method: user A accessing server D through a VPN.
Fig. 2 is a schematic diagram of the system of a second embodiment of the method: mobile subscribers in GPRS/WCDMA accessing an enterprise network through the Internet in non-transparent mode.
Refer to the typical VPN application shown in Fig. 1: user A in private network B, which uses private IP addresses, accesses server D in another private network C, the two private networks being connected through the Internet. Private network B connects to the Internet through router R1, and an IPsec security policy is normally applied on the physical interface of R1 that connects directly to the Internet. The present invention transfers the IPsec security policy applied on that physical interface to the VPN tunnel virtual interface, in the following steps: 1. configure at least one ACL; 2. define an IPsec security policy that specifies how the ACL of step 1 is applied; 3. configure a tunnel virtual interface; 4. apply the IPsec security policy generated in step 2 on the tunnel virtual interface.
The IPsec security policy originally applied on the Internet-facing physical interface of R1 was not meant to give IPsec encryption to GRE packets, and in any case a VPN built as GRE+IPsec is clearly less efficient than one built directly in IPsec tunnel mode. With the method of the invention, however, the IPsec security policy is applied directly on the GRE-encapsulated VPN tunnel virtual interface of R1. Then, whenever the condition is met, that is, a packet matches the ACL referenced by the IPsec security policy, the policy is applied directly.
The method has been trialled in a GPRS (General Packet Radio Service)/WCDMA (Wideband Code Division Multiple Access) system, in an environment where different mobile subscribers on different APNs (Access Point Names) are assigned the same private IP address. By applying the IPsec security policy on the VPN tunnel virtual interface, each mobile subscriber can reach its own APN through an IPsec tunnel. The trial was successful and achieved the expected result.
So that different mobile subscribers holding the same private IP address can reach different APNs, the GGSN must send packets carrying the same IP address into different VPN tunnel virtual interfaces according to the APN they belong to, so that they are encapsulated into different VPN tunnels. Fig. 2 shows two mobile terminals (MT), belonging to APN1 and APN2, that have the same private IP address. If the IPsec security policy could only be applied on a physical interface, the only way to carry these IP packets securely with IPsec would be the inefficient combination of some VPN protocol (for example GRE) plus IPsec (inefficient because IPsec itself already supports VPN directly), and different flows could not be given different security policies: after VPN encapsulation the IP packets have the same source and destination IP addresses and the same protocol (the VPN protocol), so at the IP layer they are indistinguishable. With the method of the invention, the IPsec security policy is applied directly on the VPN tunnel virtual interface, and all of the above drawbacks are overcome. In Fig. 2, the two mobile terminals belonging to APN1 and APN2 with the same private IP address are sent, according to their APN, into different VPN tunnel virtual interfaces on which the IPsec security policy is applied directly, and they reach different APNs (for example the two enterprise networks APN3 and APN4 shown in Fig. 2) through different IPsec tunnels.
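The following Python model is an added illustration, not code from the patent or from any router vendor, of the two situations described above: the Fig. 1 case, where a TCP-only policy on the physical interface of R1 never sees A's TCP packets because they reach that interface already GRE-encapsulated (outer protocol GRE), and the Fig. 2 case, where two subscribers with the same private IP address produce identical outer headers and can only be told apart by the tunnel virtual interface they were steered into. The egress pipeline (route, then tunnel virtual interface policy, then GRE encapsulation, then physical interface policy), the interface and SA names, and the RFC 5737 documentation addresses are all assumptions made for the example.

```python
"""Where an IPsec policy is evaluated decides which traffic it can see.
Model of the egress path of router R1 (Fig. 1) and of the GGSN (Fig. 2):
route -> [tunnel virtual interface: policy, then GRE encapsulation] ->
physical interface: policy. Constructed illustration, not the patent's own
code; addresses, interface names and SA names are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address
from typing import Dict, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None  # payload packet once GRE-encapsulated
    ipsec_sa: Optional[str] = None    # SA protecting the packet, if any

@dataclass(frozen=True)
class AclRule:
    proto: Optional[int] = None            # None = any protocol
    dst_net: Optional[IPv4Network] = None  # None = any destination

    def matches(self, p: Packet) -> bool:
        proto_ok = self.proto is None or p.proto == self.proto
        dst_ok = self.dst_net is None or ip_address(p.dst) in self.dst_net
        return proto_ok and dst_ok

@dataclass(frozen=True)
class IpsecPolicy:
    acl: Tuple[AclRule, ...]  # step 1: the ACL that selects flows
    sa: str                   # step 2: how the selected flows are protected

@dataclass(frozen=True)
class Interface:
    name: str
    policy: Optional[IpsecPolicy] = None
    tunnel_src: Optional[str] = None  # set only on a tunnel virtual interface (step 3)
    tunnel_dst: Optional[str] = None

def apply_policy(iface: Interface, pkt: Packet) -> Packet:
    """Evaluate the interface's policy on the packet exactly as that interface sees it."""
    if iface.policy is None or pkt.ipsec_sa is not None:
        return pkt
    if any(rule.matches(pkt) for rule in iface.policy.acl):
        return replace(pkt, ipsec_sa=iface.policy.sa)
    return pkt

def gre_encapsulate(tun: Interface, pkt: Packet) -> Packet:
    """Outer header = tunnel endpoints + protocol GRE; the inner header is hidden from ACLs."""
    return Packet(tun.tunnel_src, tun.tunnel_dst, GRE, inner=pkt, ipsec_sa=pkt.ipsec_sa)

def forward(pkt: Packet, physical: Interface, tunnel: Optional[Interface]) -> Packet:
    """Egress pipeline: tunnel vif first (if the route points there), then the physical interface."""
    if tunnel is not None:
        pkt = apply_policy(tunnel, pkt)  # step 4: the policy runs before encapsulation
        pkt = gre_encapsulate(tunnel, pkt)
    return apply_policy(physical, pkt)   # conventional placement: sees only the outer header

def fig1(policy_on_tunnel: bool) -> Dict[str, Optional[str]]:
    """R1 of Fig. 1: which SA, if any, protects A's packets to D (10.2.0.0/16 via tun0)."""
    physical = Interface("eth0", IpsecPolicy((AclRule(proto=TCP),), "sa-physical"))
    tun_policy = IpsecPolicy((AclRule(dst_net=IPv4Network("10.2.0.0/16")),), "sa-tun0")
    tun0 = Interface("tun0", tun_policy if policy_on_tunnel else None,
                     tunnel_src="198.51.100.1", tunnel_dst="203.0.113.1")
    out = {name: forward(Packet("10.1.0.5", "10.2.0.10", proto), physical, tun0).ipsec_sa
           for name, proto in (("tcp_via_tunnel", TCP), ("udp_via_tunnel", UDP))}
    # A TCP packet that is not tunnelled is still caught by the physical interface's policy.
    out["tcp_direct"] = forward(Packet("10.1.0.5", "192.0.2.7", TCP), physical, None).ipsec_sa
    return out

def fig2() -> Dict[str, Tuple[Tuple[str, str, int], Optional[str]]]:
    """GGSN of Fig. 2: two MTs with the same private IP, steered into different tunnel vifs by APN."""
    physical = Interface("gi0")  # a policy here would see two identical outer headers
    peers = dict(tunnel_src="198.51.100.9", tunnel_dst="203.0.113.20")  # two tunnels, same endpoints
    tunnels = {"APN1": Interface("tun-apn1", IpsecPolicy((AclRule(),), "sa-apn1"), **peers),
               "APN2": Interface("tun-apn2", IpsecPolicy((AclRule(),), "sa-apn2"), **peers)}
    result = {}
    for apn, tun in tunnels.items():
        out = forward(Packet("10.0.0.1", "172.16.0.50", TCP), physical, tun)  # same packet for both MTs
        result[apn] = ((out.src, out.dst, out.proto), out.ipsec_sa)
    return result

if __name__ == "__main__":
    print("Fig. 1, policy on physical interface only:", fig1(False))
    print("Fig. 1, policy on tunnel vif:", fig1(True))
    print("Fig. 2, per-APN tunnel vifs:", fig2())
```

With the policy only on the physical interface, `fig1(False)` reports no SA for either the TCP or the UDP packet to D, while a TCP packet sent straight to the Internet is protected; the GRE outer header simply does not match `permit tcp`. With the policy on tun0, `fig1(True)` protects both packets, because the ACL is evaluated on the inner packet before it is wrapped. In `fig2()` the outer (src, dst, proto) triple is identical for both subscribers, so a physical-interface policy could not choose different SAs for them, whereas the per-tunnel policies do. When auditing a real deployment, the practical check is the same: confirm on which interface the crypto policy is bound and whether the selector it uses describes the packet before or after encapsulation.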
Claims (2)
1. A method for applying IPsec on the tunnel virtual interface of a virtual private network, characterised in that the IPsec security policy applied on a physical interface is transferred to, and applied on, the VPN tunnel virtual interface.
2. The method for applying IPsec on the tunnel virtual interface of a virtual private network according to claim 1, characterised in that transferring the IPsec security policy applied on a physical interface to the VPN tunnel virtual interface comprises the following steps: 1. configure at least one access control list (ACL); 2. define an IPsec security policy that specifies how the ACL of step 1 is applied; 3. configure a tunnel virtual interface; 4. apply the IPsec security policy generated in step 2 on the tunnel virtual interface.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB011198303A (granted as CN1150718C) | 2001-06-29 | 2001-06-29 | Method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB011198303A (granted as CN1150718C) | 2001-06-29 | 2001-06-29 | Method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1394042A (zh) | 2003-01-29 |
CN1150718C (zh) | 2004-05-19 |
Family
ID=4663745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB011198303A (granted as CN1150718C; expired, fee related) | Method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network | 2001-06-29 | 2001-06-29 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1150718C (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4426375B2 (ja) * | 2004-05-19 | 2010-03-03 | Nihon Dempa Kogyo Co., Ltd. | Highly stable crystal oscillator using a thermostatic oven |
- 2001-06-29: CN application CNB011198303A filed; granted as CN1150718C; not active (expired, fee related)
Cited By (39)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100456739C (zh) * | 2003-07-04 | 2009-01-28 | Nippon Telegraph and Telephone Corporation | Remote-access VPN mediation method and mediation apparatus |
US8559449B2 (en) | 2003-11-11 | 2013-10-15 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
CN101288272B (zh) * | 2003-11-19 | 2011-08-31 | Cisco Technology, Inc. | Tunneled security groups |
US7978716B2 (en) | 2003-11-24 | 2011-07-12 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
US8261057B2 (en) | 2004-06-30 | 2012-09-04 | Citrix Systems, Inc. | System and method for establishing a virtual private network |
US8739274B2 (en) | 2004-06-30 | 2014-05-27 | Citrix Systems, Inc. | Method and device for performing integrated caching in a data communication network |
US8495305B2 (en) | 2004-06-30 | 2013-07-23 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US8726006B2 (en) | 2004-06-30 | 2014-05-13 | Citrix Systems, Inc. | System and method for establishing a virtual private network |
US7757074B2 (en) | 2004-06-30 | 2010-07-13 | Citrix Application Networking, Llc | System and method for establishing a virtual private network |
CN100385885C (zh) * | 2004-07-09 | 2008-04-30 | 威达电股份有限公司 | Security gateway with SSL protection and method |
US8892778B2 (en) | 2004-07-23 | 2014-11-18 | Citrix Systems, Inc. | Method and systems for securing remote access to private networks |
US8897299B2 (en) | 2004-07-23 | 2014-11-25 | Citrix Systems, Inc. | Method and systems for routing packets from a gateway to an endpoint |
US8634420B2 (en) | 2004-07-23 | 2014-01-21 | Citrix Systems, Inc. | Systems and methods for communicating a lossy protocol via a lossless protocol |
US8014421B2 (en) | 2004-07-23 | 2011-09-06 | Citrix Systems, Inc. | Systems and methods for adjusting the maximum transmission unit by an intermediary device |
US8019868B2 (en) | 2004-07-23 | 2011-09-13 | Citrix Systems, Inc. | Method and systems for routing packets from an endpoint to a gateway |
US8046830B2 (en) | 2004-07-23 | 2011-10-25 | Citrix Systems, Inc. | Systems and methods for network disruption shielding techniques |
US7724657B2 (en) | 2004-07-23 | 2010-05-25 | Citrix Systems, Inc. | Systems and methods for communicating a lossy protocol via a lossless protocol |
US7978714B2 (en) | 2004-07-23 | 2011-07-12 | Citrix Systems, Inc. | Methods and systems for securing access to private networks using encryption and authentication technology built in to peripheral devices |
US9219579B2 (en) | 2004-07-23 | 2015-12-22 | Citrix Systems, Inc. | Systems and methods for client-side application-aware prioritization of network communications |
US8291119B2 (en) | 2004-07-23 | 2012-10-16 | Citrix Systems, Inc. | Method and systems for securing remote access to private networks |
US8914522B2 (en) | 2004-07-23 | 2014-12-16 | Citrix Systems, Inc. | Systems and methods for facilitating a peer to peer route via a gateway |
US8351333B2 (en) | 2004-07-23 | 2013-01-08 | Citrix Systems, Inc. | Systems and methods for communicating a lossy protocol via a lossless protocol using false acknowledgements |
US7808906B2 (en) | 2004-07-23 | 2010-10-05 | Citrix Systems, Inc. | Systems and methods for communicating a lossy protocol via a lossless protocol using false acknowledgements |
US7657657B2 (en) | 2004-08-13 | 2010-02-02 | Citrix Systems, Inc. | Method for maintaining transaction integrity across multiple remote access servers |
US8700695B2 (en) | 2004-12-30 | 2014-04-15 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP pooling |
US8549149B2 (en) | 2004-12-30 | 2013-10-01 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8954595B2 (en) | 2004-12-30 | 2015-02-10 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US8856777B2 (en) | 2004-12-30 | 2014-10-07 | Citrix Systems, Inc. | Systems and methods for automatic installation and execution of a client-side acceleration program |
US8706877B2 (en) | 2004-12-30 | 2014-04-22 | Citrix Systems, Inc. | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US8788581B2 (en) | 2005-01-24 | 2014-07-22 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US8848710B2 (en) | 2005-01-24 | 2014-09-30 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US7849269B2 (en) | 2005-01-24 | 2010-12-07 | Citrix Systems, Inc. | System and method for performing entity tag and cache control of a dynamically generated object not identified as cacheable in a network |
US7849270B2 (en) | 2005-01-24 | 2010-12-07 | Citrix Systems, Inc. | System and method for performing entity tag and cache control of a dynamically generated object not identified as cacheable in a network |
US8255456B2 (en) | 2005-12-30 | 2012-08-28 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US8301839B2 (en) | 2005-12-30 | 2012-10-30 | Citrix Systems, Inc. | System and method for performing granular invalidation of cached dynamically generated objects in a data communication network |
US7921184B2 (en) | 2005-12-30 | 2011-04-05 | Citrix Systems, Inc. | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
US8499057B2 (en) | 2005-12-30 | 2013-07-30 | Citrix Systems, Inc. | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
WO2008092351A1 (fr) * | 2007-01-26 | 2008-08-07 | Maipu Communication Technology Co., Ltd. | Method for dynamically linking a virtual private network |
CN101499972B (zh) * | 2009-03-16 | 2012-01-11 | Hangzhou H3C Technologies Co., Ltd. | IPsec packet forwarding method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN1150718C (zh) | 2004-05-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1394042A (zh) | Method for applying IP Security (IPsec) on the tunnel virtual interface of a virtual private network | |
US8693502B2 (en) | Method, system and terminal for accessing packet data serving node | |
CN102244895B (zh) | Traffic offloading method and apparatus with enhanced mobility | |
KR100956823B1 (ko) | Method for processing a security configuration message in a mobile communication system | |
US8161543B2 (en) | VLAN tunneling | |
KR100886551B1 (ko) | Apparatus and method for traffic flow template packet filtering according to Internet Protocol version in a mobile communication system | |
EP1529375B2 (de) | Method and system for GSM billing during WLAN roaming | |
CN1099205C (zh) | Method and apparatus for communicating over the mobile Internet in a mobile communication network | |
EP1850531B1 (en) | Method and architecture for interworking of standardised networks | |
US20070135048A1 (en) | Method for 3GPP-WIMAX interworking | |
EP1463239A3 (en) | Protection of network infrastructure and secure communication of control information thereto | |
WO2009115132A1 (en) | Method and apparatus for use in a communications network | |
CN1910861A (zh) | Public access point | |
CN1438809A (zh) | Context relocation method | |
JP4476996B2 (ja) | WLAN tight-coupling solution | |
CN101904190A (zh) | Wireless communication network base station extension | |
KR20040075380A (ko) | Data encryption method for an access virtual private network | |
CN101075865A (zh) | Method for starting user-plane encryption | |
WO2006094088B1 (en) | Wireless communication systems and apparatus and methods and protocols for use therein | |
WO2005076726A3 (en) | Mobile network security system | |
CN104125599B (zh) | Method for acquiring, correlating and statistically analysing access point and user terminal information in a wireless LAN | |
CN100411335C (zh) | Method for a packet data gateway in a wireless LAN to obtain a user identity | |
CN104954339A (zh) | Remote communication method and system for electric power emergency repair | |
US7680102B2 (en) | Method and system for connecting manipulation equipment between operator's premises and the internet | |
CN1192565C (zh) | Internet access method based on a wireless packet network gateway | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C06 | Publication | |
| PB01 | Publication | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2004-05-19; Termination date: 2017-06-29 |