Graduation Thesis: Three-Level Table of Contents, Abstract, and References

Abstract

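Wireless networks are developing rapidly, and while people enjoy the convenience of all kinds of wireless access networks, a variety of security problems have gradually been exposed. Because IPsec provides good security protection and can effectively address these problems, its range of application keeps growing. Traditional TCP assumes that all packet loss is caused by network congestion, which does not hold on wireless links, where loss due to errors is more likely than loss due to congestion. Invoking the congestion control mechanism in that case degrades TCP's end-to-end performance. Moreover, many existing improvement schemes cannot be used with encrypted communication, because IPsec conflicts with the schemes for improving TCP in wireless networks. To guarantee both communication security and TCP performance in a wireless network, the conflict between them must be resolved. In large-scale deployments of VPN systems, the complex deployment environment also brings conflicts between different software in the NDIS kernel framework, as well as difficulty in developing, porting and maintaining kernel modules.

Based on an in-depth analysis of the architecture and implementation techniques of currently popular Windows-based VPN systems, and targeting the characteristics of embedded terminals, this thesis proposes a new technique based on a virtual network card and describes its principle and advantages in detail. It then presents an architecture that implements the technique in a WinCE VPN system, which can fundamentally solve the problems above.

To address the performance problems seen in deployment, the compatibility of existing TCP performance-improvement mechanisms for wireless networks with IPsec VPN is analysed in detail, and the advantages and disadvantages of the candidate schemes are compared. Building on the analysis of existing improvement algorithms, an IPsec-compatible end-to-end optimisation mechanism for mixed wired/wireless networks is proposed. The receiver judges the condition of the wireless link from the accumulated change in packet inter-arrival times and notifies the sender by marking ELN in the ACK, avoiding the performance loss caused by unnecessary congestion control. The mechanism was simulated in NS2 and its performance compared with TCP Reno. The results show that it effectively improves TCP transmission performance in wireless mobile scenarios while remaining compatible with existing security mechanisms.

Keywords: TCP; VPN architecture; virtual network card; mixed wired/wireless networks; performance evaluation; congestion control; end-to-end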

English Abstract

While wireless access technology has grown rapidly in recent years and people fully enjoy the convenience of wireless access, a number of security concerns have been raised for wireless networks in general. TCP was originally designed only for wired networks and assumes that any loss is due to congestion. In wireless settings, however, errors on the link are more likely to occur than congestion. When such non-congestion packet loss is handled by invoking a congestion control algorithm, end-to-end performance degrades. At the same time, many existing approaches cannot work when the communication is encrypted, so compatibility between the security mechanism and the TCP improvement mechanism is also taken into consideration in this work. In large-scale deployments of VPN systems, the complex deployment environment frequently leads to conflicts between different software in the NDIS kernel framework, and kernel modules are difficult to develop, port and maintain.

This paper analyses in depth the architecture and implementation techniques of popular Windows-based VPN systems and, targeting the characteristics of embedded terminals, proposes a new technique based on a virtual network card, describing its principle and merits in detail. The resulting system implements this architecture in a WinCE VPN and could fundamentally solve the problems above.

To address the performance problems of VPN deployments, this paper proposes a new end-to-end TCP performance-improvement mechanism that estimates the condition of the wireless link from the accumulated variation in packet arrival intervals at the receiver. The receiver then marks the ELN (explicit loss notification) bit to notify the sender, and TCP can be modified so that it refrains from entering congestion avoidance. Simulations in NS2 comparing TCP Reno with the modified TCP show that it achieves a great improvement over mobile wireless networks and can work together with current security mechanisms.

Keywords: TCP; virtual network card; wired-cum-wireless networks; performance evaluation; congestion control; end-to-end; IPsec; VPN architecture
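The receiver-side loss classification described in the abstract can be sketched as a reduced model. This is an added example, not code from the thesis. It uses only arrival times and sequence numbers seen at the endpoints, which is what keeps such a scheme usable when IPsec hides TCP headers from intermediate nodes. The threshold, the window size, the summing rule, the window-update policy and both traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Receiver:
    threshold: float = 0.005  # assumed: accumulated interval growth (s) that indicates queueing
    window: int = 4           # assumed: number of recent interval changes accumulated
    expected: int = 0
    last: tuple = None        # (seq, arrival time) of the previous packet
    interval: float = None
    changes: list = field(default_factory=list)

    def on_packet(self, seq, t):
        """Return (lost, eln): was a gap seen, and does the ACK carry ELN."""
        if self.last is not None and seq > self.last[0]:
            # Per-packet spacing, so the hole itself does not look like a delay.
            cur = (t - self.last[1]) / (seq - self.last[0])
            if self.interval is not None:
                self.changes = (self.changes + [cur - self.interval])[-self.window:]
            self.interval = cur
        self.last = (seq, t)
        lost = seq > self.expected
        self.expected = seq + 1
        # Flat spacing before the gap: attribute the loss to the radio link.
        eln = lost and sum(self.changes) < self.threshold
        return lost, eln

class Sender:
    def __init__(self, cwnd=8):
        self.cwnd = cwnd

    def on_ack(self, lost, eln):
        if not lost:
            self.cwnd += 1                      # simplified window growth
        elif not eln:
            self.cwnd = max(1, self.cwnd // 2)  # congestion loss: back off
        # loss with ELN set: retransmit only, window unchanged

def run(trace):
    rx, tx, verdicts = Receiver(), Sender(), []
    for seq, t in trace:
        lost, eln = rx.on_packet(seq, t)
        if lost:
            verdicts.append("wireless-error" if eln else "congestion")
        tx.on_ack(lost, eln)
    return verdicts, tx.cwnd

# Constructed traces (seq, arrival time in s); packet 5 is missing in both.
WIRELESS = [(0, 0.00), (1, 0.01), (2, 0.02), (3, 0.03), (4, 0.04), (6, 0.06), (7, 0.07)]
CONGESTED = [(0, 0.000), (1, 0.010), (2, 0.022), (3, 0.037), (4, 0.056), (6, 0.116), (7, 0.146)]
```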

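Table of Contents

School code 10487; security classification

Abstract

English Abstract

Table of Contents

1 Introduction

1.1 Research background

1.2 State of research in China and abroad

1.3 Main research content

2 VPN solutions for wireless networks

2.1 TCP and VPN protocols in wireless networks

2.2 Models for improving wireless TCP performance

2.3 Performance analysis of TCP improvement schemes and an IPsec-compatible solution

2.4 Chapter summary

3 A VPN architecture based on a virtual network card

3.1 Design of Windows-based VPN systems

3.2 Diagram of the new VPN architecture

3.3 Virtual network card start-up flow

3.4 Analysis of the packet processing path

3.5 Chapter summary

4 A new scheme for improving wireless TCP performance

4.1 Introduction to the NS2 simulation tool

4.2 Definition of modified-TCP

4.3 Design rationale of modified-TCP

4.4 Computing the accumulated time variation

4.5 Implementation of the modified-TCP improvements

4.6 Chapter summary

5 VPN system architecture analysis and performance evaluation

5.1 Comparison with the traditional VPN architecture

5.2 Evaluation criteria for the performance of the TCP improvement model

5.3 Analysis of modified-TCP parameters

5.4 Performance analysis of modified-TCP

5.5 Chapter summary

6 Conclusions and outlook

6.1 Conclusions

6.2 Outlook

Acknowledgements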

Appendix 1: List of papers published during the degree programme