
Graduation Thesis: Three-Level Table of Contents, Abstract and References

Published: 2014-11-27   Source: 人大经济论坛 (Renmin University of China Economics Forum)
Abstract

Wireless networks are developing rapidly, and while people enjoy the convenience of the various wireless access networks, a range of security problems is gradually being exposed. Because IPsec provides good security protection and can effectively address these problems, its scope of application keeps growing. Traditional TCP assumes that every packet loss is caused by network congestion; this assumption does not hold on wireless links, where loss from transmission errors is more likely than loss from congestion. Invoking the congestion control mechanism in that case lowers TCP's end-to-end performance. Moreover, many of the existing improvement schemes cannot be used on encrypted connections, because IPsec conflicts with the TCP improvements designed for wireless networks: schemes that inspect or modify TCP segments inside the network cannot read, let alone rewrite, headers that ESP encrypts and AH/ESP integrity-protect. To guarantee both the security of the communication and the performance of TCP in a wireless network, that conflict must be resolved. In large-scale VPN deployments, the complexity of the deployment environment also brings conflicts between different software in the NDIS kernel framework, and kernel modules are difficult to develop, port and maintain.

Building on an in-depth analysis of the architecture and implementation techniques of the currently popular Windows-based VPN systems, and targeting the characteristics of embedded terminals, this thesis proposes a new technique based on a virtual network card and explains its principle and advantages in detail. It then presents the architecture that implements this technique in a WinCE VPN system, which resolves the above problems at their root.

Starting from the performance problems found in deployment, the compatibility of the existing wireless TCP performance improvement mechanisms with IPsec VPNs is analysed in detail and the advantages and disadvantages of the candidate schemes are compared. On the basis of that analysis, an IPsec-compatible, end-to-end optimisation mechanism for wired/wireless hybrid networks is proposed. The receiver judges the state of the wireless link from the accumulated variation of packet inter-arrival times and marks ACKs with an ELN (Explicit Loss Notification) flag to inform the sender, so that unnecessary congestion control, and the performance drop it causes, is avoided. The mechanism was evaluated in NS2 simulations against TCP Reno. The results show that it effectively improves TCP transmission performance in mobile wireless scenarios while remaining compatible with the existing security mechanism.

Keywords (Chinese abstract): TCP; VPN architecture; virtual network card; wired/wireless hybrid network; performance evaluation; congestion control; end-to-end

Abstract (original English version)

Wireless access technology has grown rapidly in recent years. While people enjoy the convenience of the various wireless access networks, a number of security concerns have been raised for wireless networks in general. TCP was originally designed for wired networks and assumes that any loss is due to congestion. The wireless case is different in that link errors are more likely to occur than congestion. When such non-congestion packet loss is handled by invoking the congestion control algorithm, end-to-end performance degrades.
At the same time, many existing approaches cannot work when encryption is used on the connection, so the compatibility of the security mechanism with the TCP improvement mechanism is also taken into consideration in this work. In large-scale VPN deployments the deployment environment is complex, so conflicts between different software in the NDIS kernel framework are frequent, and kernel-module development, porting and maintenance are difficult. This thesis analyses in depth the architecture and implementation techniques of popular Windows-based VPN systems and, targeting the characteristics of embedded terminals, proposes a new technique based on a virtual network card, elaborating its principle and advantages in detail. The resulting system realises this architecture in a WinCE VPN and can fundamentally solve the above problems. Addressing the performance problem of VPN applications, the thesis proposes a new end-to-end TCP performance improvement mechanism: the receiver uses the accumulated variation of packet inter-arrival times to estimate the condition of the wireless link, then marks the ELN (Explicit Loss Notification) bit to notify the sender, so that the modified TCP can refrain from entering congestion avoidance. Comparing TCP Reno with the modified TCP in NS2 simulations, the results show a large improvement over mobile wireless networks, and the mechanism works together with the current security mechanism.
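The ELN mechanism is only sketched in the abstract. The Python model below was written for this page and is not the thesis's own code or its NS2 implementation; it shows the two halves working together. The receiver classifies each sequence hole with a stand-in statistic (the net growth of the per-segment inter-arrival time over the last eight arrivals, compared with their mean; the thesis's actual accumulated-variation formula and threshold are in its chapter 4.4 and are not reproduced here, so the `window` and `growth_thresh` values are assumptions) and sets an ELN flag on the duplicate ACK. A Reno-style sender that receives three duplicate ACKs all carrying ELN retransmits without halving its window; otherwise it backs off as Reno does. Both arrival traces are constructed: in each, segment 5 is lost, and only the inter-arrival pattern differs.

```python
"""Receiver-side loss classification signalled as an ELN flag on duplicate
ACKs, next to a Reno-style sender that honours the flag (illustrative model)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Ack:
    num: int    # cumulative ACK: next sequence number expected
    eln: bool   # Explicit Loss Notification: the hole looks like a link error


class Receiver:
    """Classify each sequence hole from recent inter-arrival history.
    Assumed stand-in for the thesis's accumulated time-variation statistic:
    net growth of the per-segment inter-arrival time over the last `window`
    arrivals, relative to their mean. Steady growth means a queue is building."""

    def __init__(self, window=8, growth_thresh=0.3):
        self.iats = deque(maxlen=window)     # per-segment inter-arrival times
        self.growth_thresh = growth_thresh   # assumed: 30 % growth => congestion
        self.next_seq = 0                    # lowest sequence not yet received
        self.high_seq, self.last_t = -1, 0.0
        self.ooo = set()                     # out-of-order segments held back

    def link_congested(self):
        if len(self.iats) < 2:
            return False
        iats = list(self.iats)
        drift = sum(b - a for a, b in zip(iats, iats[1:]))   # == iats[-1] - iats[0]
        return drift > self.growth_thresh * (sum(iats) / len(iats))

    def on_segment(self, seq, t):
        """Deliver one data segment; return the ACK that goes back."""
        if seq > self.high_seq:
            if self.high_seq >= 0:
                # divide by the sequence gap so a lost segment is not itself read as a doubled gap
                self.iats.append((t - self.last_t) / (seq - self.high_seq))
            self.high_seq, self.last_t = seq, t
        if seq == self.next_seq:
            self.next_seq += 1
            while self.next_seq in self.ooo:   # hole filled: ACK cumulatively
                self.ooo.discard(self.next_seq)
                self.next_seq += 1
            return Ack(self.next_seq, False)
        if seq > self.next_seq:                # hole: duplicate ACK, classified
            self.ooo.add(seq)
            return Ack(self.next_seq, eln=not self.link_congested())
        return Ack(self.next_seq, False)       # stale duplicate


class Sender:
    """Reno-style sender (window in segments) that, on the third duplicate
    ACK, retransmits without halving cwnd when every duplicate carried ELN."""

    def __init__(self, cwnd=16, ssthresh=16):
        self.cwnd, self.ssthresh = cwnd, ssthresh
        self.last_ack, self.dupacks, self.ca_acks = 0, 0, 0
        self.all_eln = True
        self.retransmits = []                # (seq, "eln" | "reno")

    def on_ack(self, ack):
        if ack.num > self.last_ack:          # new data acknowledged
            self.last_ack, self.dupacks, self.all_eln = ack.num, 0, True
            if self.cwnd < self.ssthresh:
                self.cwnd += 1               # slow start
            else:
                self.ca_acks += 1            # congestion avoidance: +1 per window
                if self.ca_acks >= self.cwnd:
                    self.cwnd, self.ca_acks = self.cwnd + 1, 0
            return
        self.dupacks += 1
        # fail safe: a single duplicate without ELN makes this a congestion loss
        self.all_eln = self.all_eln and ack.eln
        if self.dupacks == 3:                # fast retransmit trigger
            if self.all_eln:
                self.retransmits.append((ack.num, "eln"))      # keep cwnd
            else:
                self.ssthresh = max(self.cwnd // 2, 2)
                self.cwnd = self.ssthresh                      # simplified fast recovery
                self.retransmits.append((ack.num, "reno"))


# Constructed arrival traces as seen by the receiver: (sequence, time in ms).
# Segment 5 is lost in both; only the inter-arrival pattern differs.
RANDOM_ERROR_TRACE = [(s, 10.0 * s) for s in range(16) if s != 5] + [(5, 170.0)]
CONGESTION_TRACE = [(0, 0.0), (1, 10.0), (2, 22.0), (3, 36.0), (4, 52.0),   # gaps growing
                    (6, 90.0), (7, 112.0), (8, 136.0), (9, 162.0), (5, 190.0)]


def simulate(trace):
    """Run one trace through a receiver/sender pair; return the sender."""
    rx, tx = Receiver(), Sender()
    for seq, t in trace:
        tx.on_ack(rx.on_segment(seq, t))
    return tx
```

`simulate(RANDOM_ERROR_TRACE)` ends with cwnd still 16 and one retransmission tagged "eln"; `simulate(CONGESTION_TRACE)` ends with cwnd halved to 8 and the retransmission tagged "reno". Because the classification runs on the receiving host and the notification rides in the ACK's own TCP header, everything the mechanism touches stays inside the ESP-protected payload: no router or proxy has to read TCP headers, which is what makes it compatible with IPsec where snoop- or PEP-style schemes are not. The flip side of any receiver-driven notification is that the sender trusts its peer about why a loss happened; the model therefore drops back to Reno as soon as one of the three duplicate ACKs lacks ELN, so a misjudgement can only make the sender more conservative, although a receiver that deliberately sets ELN on every duplicate ACK could still suppress the sender's back-off. That is a general caveat for this class of scheme, not a finding of the thesis.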
Keywords (English abstract): TCP; Virtual Network Card; Wired-cum-Wireless Networks; Performance Evaluation; Congestion Control; End-to-End; IPSec; VPN Architecture

Table of Contents

School code: 10487 (Huazhong University of Science and Technology)
Abstract (Chinese)
Abstract (English)
Table of Contents
1 Introduction
1.1 Research background
1.2 State of research in China and abroad
1.3 Main research content
2 VPN solutions for wireless networks
2.1 TCP and VPN protocols in wireless networks
2.2 Wireless TCP performance improvement models
2.3 Performance analysis of TCP improvement schemes and the IPsec compatibility solution
2.4 Chapter summary
3 A VPN architecture based on a virtual network card
3.1 Windows-based VPN system design
3.2 Diagram of the new VPN architecture
3.3 Virtual network card start-up flow
3.4 Analysis of the packet processing procedure
3.5 Chapter summary
4 The new wireless TCP performance improvement scheme
4.1 Introduction to the NS2 simulation tool
4.2 Definition of MODIFIED-TCP
4.3 Design idea of MODIFIED-TCP
4.4 Computing the accumulated time variation
4.5 Implementation of the MODIFIED-TCP improvement
4.6 Chapter summary
5 VPN system architecture analysis and performance evaluation
5.1 Comparison with the traditional VPN architecture
5.2 Evaluation criteria for the TCP improvement model
5.3 MODIFIED-TCP parameter analysis
5.4 MODIFIED-TCP performance analysis
5.5 Chapter summary
6 Conclusion and outlook
6.1 Conclusion
6.2 Outlook
Acknowledgements
Appendix 1 Papers published during the degree programme

References

[1] Majstor, F. WLAN security threats & solutions. In: IEEE LCN '03, 2003.
[2] Park, J.S., Dicoi, D. WLAN security: current and future. IEEE Internet Computing, 2003, 7(5): 60-65.
[3] Liang, C.Z.H.F.H. A new authentication and key exchange protocol in WLAN. In: ITCC 2005, 2005.
[4] RFC 2401, Security Architecture for the Internet Protocol. IETF, 1998.
[5] Jingjing Studio (京京工作室). IPSec: The New-Generation Internet Security Standard. Beijing: China Machine Press, 1999.
[6] Alshamsi, A., Saito, T. A technical comparison of IPSec and SSL. In: AINA 2005, 2005.
[7] Lin Chuang (林闯), Shan Zhiguang (单志广), Ren Fengyuan (任丰原). Quality of Service (QoS) in Computer Networks. Beijing: Tsinghua University Press, 2004: 4-9.
[8] Balakrishnan, H., Seshan, S., Katz, R.H. Improving reliable transport and handoff performance in cellular wireless networks. Wireless Networks, 1995, 1(4): 469-481.
[9] Hui-min, L.Y.Y.M.Z. Improve TCP performance over wireless link. In: PIMRC 2003, 2003.
[10] RFC 1631, The IP Network Address Translator (NAT). IETF, 1994.
[11] RFC 2709, Security Model with Tunnel-mode IPsec for NAT Domains. IETF, 1999.
[12] RFC 2341, Cisco Layer Two Forwarding (Protocol) "L2F". IETF, 1998.
[13] RFC 2661, Layer Two Tunneling Protocol "L2TP". IETF, 1999.
[14] RFC 1661, The Point-to-Point Protocol (PPP). IETF, 1994.
[15] RFC 2865, Remote Authentication Dial In User Service (RADIUS). IETF, 2000.
[16] RFC 1701, Generic Routing Encapsulation (GRE). IETF, 1994.
[17] Bakre, A., Badrinath, B.R. I-TCP: indirect TCP for mobile hosts. In: Proceedings of the 15th International Conference on Distributed Computing Systems, 1995.
[18] Bakre, A.V., Badrinath, B.R. Implementation and performance evaluation of Indirect TCP. IEEE Transactions on Computers, 1997, 46(3): 260-278.
[19] Rhee, I., Balaguru, N., Rouskas, G.N. MTCP: scalable TCP-like congestion control for reliable multicast. In: IEEE INFOCOM 1999.
[20] Goff, T., Moronski, J., Phatak, D.S., Gupta, V. Freeze-TCP: a true end-to-end TCP enhancement mechanism for mobile environments. In: IEEE INFOCOM 2000.
[21] Lin Huasheng (林华生), Cheng Shiduan (程时端). Research on TCP performance optimisation in mobile ad hoc networks. Computer Engineering and Applications, 2004, 12(12).
[22] Fu Gang (符刚). Mobile VPN solutions. In: Proceedings of the Annual Academic Conference of the Wireless and Mobile Communications Committee, 2004.
[23] Ciccarese, G., De Blasi, M., Patrono, L., Marra, P., Tomasicchio, G. An IPSec-aware TCP PEP for integrated mobile satellite networks. In: IEEE PIMRC 2004, Italy, 2004.
[24] You Jinyuan (尤晋元), Shi Meilin (史美林), Chen Xiangqun (陈向群). Principles of the Windows Operating System. Beijing: China Machine Press, 2001.
[25] Chen Xiangqun (陈向群), Wang Lei (王雷), Ma Hongbing (马洪兵), et al. (eds.). Windows CE.NET System Analysis and Lab Tutorial. Beijing: China Machine Press, 2003.
[26] Ding, W., Jamalipour, A. A new explicit loss notification and acknowledgement for wireless TCP. In: PIMRC 2001, San Diego, CA, 2001.
[27] Stevens, W.R. TCP/IP Illustrated, Volume 1 (Chinese edition). Beijing: China Machine Press, 2004.
[28] RFC 2409, The Internet Key Exchange (IKE). IETF, 1998.
[29] RFC 2402, IP Authentication Header. IETF, 1998.
[30] RFC 2406, IP Encapsulating Security Payload (ESP). IETF, 1998.
[31] Kurose, J.F., Ross, K.W. Computer Networking: A Top-Down Approach Featuring the Internet (Chinese edition). Beijing: China Machine Press, 2005: 335-338, 341-355.
[32] RFC 2883, An Extension to the Selective Acknowledgement (SACK) Option for TCP. IETF, 2000.
[33] Ohzahata, S., Kimura, S., Ebihara, Y., Kawashima, K. A queue management method for improving TCP performance in wireless environments. In: IEEE WCNC 2004, 2004.
[34] Omotayo, A., Williamson, C. Multi-layer analysis of Web browsing performance for wireless PDAs. In: IEEE LCN 2004: 660-667.
[35] Min, X.W.Z.L.J.S.Y. Bit-error identification for TCP performance improvement. In: Emerging Technologies: Frontiers of Mobile and Wireless Communication, 2004, 2: 561-566.
[36] Shagdar, O., Shirazi, M.N.B.Z. Improving ECN-based TCP performance over wireless networks using a homogeneous implementation of EWLN. In: ICT 2003, Kyoto, Japan, 2003.
[37] Deng Xiaoheng (邓晓衡), Chen Zhigang (陈志刚), Zhang Lianming (张连明). TCP Yuelu: an end-to-end congestion control mechanism for wired/wireless hybrid networks. Chinese Journal of Computers, 2005(8): 1342-1350.
[38] Gerla, M., Sanadidi, M.Y., Wang, R., et al. TCP Westwood: bandwidth estimation for enhanced transport over wireless links. UCLA Computer Science, 2001.
[39] Jiang Xiaodan (江小丹), Li Hong (李宏), Li Huang (李晃), et al. Implementation and performance analysis of the explicit loss notification algorithm. Computer Engineering, 2003, 29(18).
[40] Chinta, M., Helal, A., Lee, C. ILC-TCP: an interlayer collaboration protocol for TCP performance improvement in mobile and wireless environments. In: IEEE WCNC 2003, 2003.
[41] Zorzi, M. On the analytical computation of the interference statistics with applications to the performance evaluation of mobile radio systems. IEEE Transactions on Communications, 1997.
[42] Vacirca, F., De Vendictis, A., Baiocchi, A. Optimal design of hybrid FEC/ARQ schemes for TCP over wireless links with Rayleigh fading. IEEE Transactions on Mobile Computing, 2006, 5(4): 289-302.
[43] Vacirca, F., De Vendictis, A., Todini, A., Baiocchi, A. On the effects of ARQ mechanisms on TCP performance in wireless environments. In: IEEE GLOBECOM '03, 2003.
[44] Haas, Z.J., Agrawal, P. Mobile-TCP: an asymmetric transport protocol design for mobile systems. In: IEEE ICC '97, 1997.
[45] Chan, M.C., Ramjee, R. Improving TCP/IP performance over third generation wireless networks. In: IEEE INFOCOM 2004, 2004.
[46] Ratnam, K., Matta, I. WTCP: an efficient mechanism for improving TCP performance over wireless links. In: ISCC '98, 1998.
[47] Li, Y., Jacob, L. Proactive-WTCP: an end-to-end mechanism to improve TCP performance over wireless links. In: IEEE LCN '03, 2003.
[48] RFC 2246, The TLS Protocol Version 1.0. IETF, 1999.
[49] Bellovin, S.M. Transport-friendly ESP (or layer violations for fun and profit). In: Network and Distributed System Security Symposium (NDSS '99), San Diego, CA, 1999.
[50] Nash, A., et al. PKI: Implementing and Managing E-Security (Chinese edition). Beijing: Tsinghua University Press, 2002.
[51] Wu Anhe (武安河). Windows 2000/XP WDM Device Driver Development, 2nd ed. Beijing: Publishing House of Electronics Industry, 2005: 3-9.
[52] Richter, J. Programming Applications for Microsoft Windows (Chinese edition, Windows核心编程). Beijing: China Machine Press, 2000: 190-226, 397-410.
[53] Xu Leiming (徐雷鸣), Pang Bo (庞博), Zhao Yao (赵耀). NS and Network Simulation. Beijing: Posts & Telecom Press, 2003: 3-9.
[54] Li Zhitang (李之棠), Liu Gang (刘刚), Xiao Ling (肖凌). An IPSec-compatible TCP performance optimisation mechanism for wired/wireless hybrid networks. Journal of Chinese Computer Systems, 2007.
[55] RFC 3561, Ad hoc On-Demand Distance Vector (AODV) Routing. IETF, 2003.
[56] Wennstrom, A., Brunstrom, A., Rendon, J. Impact of GPRS buffering on TCP performance. Electronics Letters, 2004, 40(20): 1279-1281.
[57] Padhye, J., Firoiu, V., Towsley, D., Kurose, J. Modeling TCP throughput: a simple model and its empirical validation. In: ACM SIGCOMM '98, 1998.