Abstract
IPSec is a suite of standard protocols that provides security services for Internet communications. It encapsulates some important transport-layer information, whereas a firewall needs access to that information in the packet in order to make its control decisions. To let IPSec and firewalls work together, a Double-Layer IPSec approach is proposed: the IP datagram is divided into two parts, the protocol header and the data, and a Composite Security Association (Composite SA) is used to apply security processing to them, so that IPSec and the firewall can each get what they need, which gives a solution to the problem above. The advantages of the scheme are that the negotiation of Composite SAs between secure hosts and firewalls is flexible, the protocol format changes little compared with traditional IPSec, and transmission efficiency is high.
Source
Application Research of Computers (《计算机应用研究》)
CSCD
Peking University Core Journals (北大核心)
2006, Issue 10, pp. 107-109 (3 pages)
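Funding
Project supported by the National Natural Science Foundation of China (60273089)
Project supported by the Shaanxi Province Natural Science Research Program (2003F37)
Project supported by the Natural Science Research Program of the Shaanxi Provincial Department of Education (03JK165)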