Abstract
When an IPsec VPN gateway uses digital certificates to authenticate IPsec peer entities (e.g. remote users, remote VPN gateways) while establishing security associations (SAs) in the IKE exchange, it faces problems such as poor timeliness of the valid CRL, excessive overhead on the IPsec VPN security gateway, and long IKE authentication delay. To solve these problems, the paper proposes two design schemes: one fetches CRLs from the LDAP server at a statically fixed polling period, and the other fetches them at a polling period that an adaptive algorithm adjusts dynamically. Both schemes effectively balance the gateway's overhead, speed up the authentication process, and considerably improve the timeliness of the valid CRL.
Source
Computer Applications and Software (《计算机应用与软件》)
CSCD
PKU Core Journal (北大核心)
2008, Issue 5, pp. 59-61 (3 pages)
Funding
Supported by the Natural Science Foundation of Jiangsu Province (BK2004039).