IPSec(Internet security,互联网协议安全性)通信方之间通过IPSec SA(security association,安全关联)来维护安全信道,而现有的SA参数管理机制过于复杂,导致用户主机与目标服务器建立SA所需的时间、CPU 负载、报文尺寸较大,降低了用户体验。通过分析CPN(customer premises network,用户驻地网)的结构特点,发现其中的DHCP(dynamic host configuration protocol,动态主机配置协议)服务器与其他基础网络服务器之间存在带外信任关系。利用这一信任关系以及DHCP扩展选项机制,设计并实现了一种针对CPN环境的轻量级的SA参数管理机制。实验结果表明,与传统机制相比,该机制在IPSec SA协商所需的时间、CPU负载、报文尺寸等方面均有显著改进。%Secure connection between IPSec participants is achieved via IPSec SAs.However,there are no simple and elegant approaches to the management of SA parameters currently.As a result,the cost of user devices and target servers to negotiate a SA is expensive in aspects of time,CPU load and network usage.By analyzing the topology and deployment features of CPN, this paper found that there existed outbound trust relationship between the DHCP server and other service providers.Based on such a trust relationship,it developed a lightweight SA management mechanism aiming at CPN environment.Simulation ex-periments show that compared with the traditional ones,this new mechanism costs significantly less time,CPU load and smal-ler IP packet size.
展开▼
