A Proposal of Packet Filtering Methods Based on Port Numbers at RSIP Servers and the Performance Evaluation

Abstract

In IPsec the IP data portion is encrypted, so address translation based on TCP or UDP port numbers (NAPT, network port address translation) cannot be applied. To solve this problem, RSIP (Realm Specific IP) has the source host register the IP address and port number of the destination host with the gateway in advance and then perform port-based address translation itself. Even with RSIP, however, the port numbers cannot be referenced anywhere on the path between the source host and the destination host, so a firewall cannot enforce a security policy. This paper targets the case in which an RSIP client accesses an external host and realizes port-number-based filtering of encrypted datagrams through cooperation between the RSIP server and the external host. To this end, the proposed method appends to each encrypted datagram a hash of information such as the port numbers together with an encrypted copy of that same information. These values give the RSIP server a means of verifying the port numbers, and because the external host overwrites the port numbers of the decrypted datagram with the verified ones, the RSIP client is prevented from using any port number other than those registered with the RSIP server. The RSIP client, RSIP server and external host of the proposed method are then implemented on FreeBSD, and functional validation and performance evaluation of that implementation show that the proposed method enforces the security policy while maintaining sufficient throughput.


Journal

  • Transactions of Information Processing Society of Japan

    Transactions of Information Processing Society of Japan 45(2), 586-596, 2004-02-15

    Information Processing Society of Japan (IPSJ)

References:  15

Codes

  • NII Article ID (NAID)
    110002712109
  • NII NACSIS-CAT ID (NCID)
    AN00116647
  • Text Lang
    JPN
  • Article Type
    Journal Article
  • ISSN
    1882-7764
  • NDL Article ID
    6852520
  • NDL Source Classification
    ZM13 (Science and technology -- Science and technology in general -- Data processing and computers)
  • NDL Call No.
    Z14-741
  • Data Source
    CJP, NDL, NII-ELS, IR, IPSJ