{"title":"关于建立最小数量的隧道:一种管理IPSec/VPN策略的有序分割方法","authors":"Yanyan Yang, C. Martel, S. F. Wu","doi":"10.1109/NOMS.2004.1317665","DOIUrl":null,"url":null,"abstract":"Most of the current work in policy management for IPSec/VPN focuses on how to configure a single IPSec box or a pair of IPSec boxes. However, it has been shown (Fu et al. (2001)) that the local correctness of IPSec policies in every box individually does not necessarily guarantee global correctness. Therefore, it is critical to have a systematic way to analyze the security requirements globally and to generate, automatically and correctly, a set of IPSec policies to ensure the security for all the end-to-end connections. Previously (Fu et al. (2001)), two different algorithms (i.e. bundle and direct) were introduced to solve the policy generation problem in an \"offline\" fashion. While these two algorithms are efficient in producing globally correct policy rules, the number of output policy rules (i.e., the results themselves) is much greater than necessary. In other words, while the existing approaches can produce a solution quickly, the quality of the solution is far from optimal. In practice, this is undesirable for several reasons. For instance, \"more IPSec policy rules\" implies \"more complicated virtual network topology\". Therefore, in this paper, we focus on \"how to produce a minimum set of IPSec/VPN tunnels\". We formulate this problem as a special type of task-scheduling problem and develop a new method, the ordered-split approach, to produce a provably minimum set of globally correct policy rules. We have also compared the new approach with existing methods in simulation, and our results clearly demonstrate that the ordered-split approach performs significantly better.","PeriodicalId":260367,"journal":{"name":"2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507)","volume":"42 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"21","resultStr":"{\"title\":\"On building the minimum number of tunnels: an ordered-split approach to manage IPSec/VPN policies\",\"authors\":\"Yanyan Yang, C. Martel, S. F. Wu\",\"doi\":\"10.1109/NOMS.2004.1317665\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Most of the current work in policy management for IPSec/VPN focuses on how to configure a single IPSec box or a pair of IPSec boxes. However, it has been shown (Fu et al. (2001)) that the local correctness of IPSec policies in every box individually does not necessarily guarantee global correctness. Therefore, it is critical to have a systematic way to analyze the security requirements globally and to generate, automatically and correctly, a set of IPSec policies to ensure the security for all the end-to-end connections. Previously (Fu et al. (2001)), two different algorithms (i.e. bundle and direct) were introduced to solve the policy generation problem in an \\\"offline\\\" fashion. While these two algorithms are efficient in producing globally correct policy rules, the number of output policy rules (i.e., the results themselves) is much greater than necessary. In other words, while the existing approaches can produce a solution quickly, the quality of the solution is far from optimal. In practice, this is undesirable for several reasons. For instance, \\\"more IPSec policy rules\\\" implies \\\"more complicated virtual network topology\\\". Therefore, in this paper, we focus on \\\"how to produce a minimum set of IPSec/VPN tunnels\\\". We formulate this problem as a special type of task-scheduling problem and develop a new method, the ordered-split approach, to produce a provably minimum set of globally correct policy rules. We have also compared the new approach with existing methods in simulation, and our results clearly demonstrate that the ordered-split approach performs significantly better.\",\"PeriodicalId\":260367,\"journal\":{\"name\":\"2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507)\",\"volume\":\"42 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2004-04-23\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"21\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/NOMS.2004.1317665\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NOMS.2004.1317665","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 21
摘要
目前,IPSec/VPN的策略管理工作主要集中在如何配置单个或一对IPSec盒子上。然而,研究表明(Fu et al.(2001)),每个盒子中IPSec策略的本地正确性并不一定保证全局正确性。因此,有一种系统的方法来全局分析安全需求,并自动正确地生成一套IPSec策略,以确保所有端到端连接的安全性是至关重要的。以前(Fu et al.(2001)),引入了两种不同的算法(即bundle和direct)以“离线”方式解决策略生成问题。虽然这两种算法在生成全局正确的策略规则方面是有效的,但输出策略规则的数量(即结果本身)远远大于所需的数量。换句话说,虽然现有的方法可以快速生成解决方案,但解决方案的质量远非最佳。在实践中,出于几个原因,这是不可取的。例如,“IPSec策略规则越多”意味着“虚拟网络拓扑结构越复杂”。因此,本文的重点是“如何生成一个最小的IPSec/VPN隧道集”。本文将此问题表述为一类特殊的任务调度问题,并提出了一种新的方法——有序分割法,来生成全局正确策略规则的可证明最小集。我们还将新方法与现有方法进行了仿真比较,结果清楚地表明,有序分割方法的性能明显更好。
On building the minimum number of tunnels: an ordered-split approach to manage IPSec/VPN policies
Most of the current work in policy management for IPSec/VPN focuses on how to configure a single IPSec box or a pair of IPSec boxes. However, it has been shown (Fu et al. (2001)) that the local correctness of IPSec policies in every box individually does not necessarily guarantee global correctness. Therefore, it is critical to have a systematic way to analyze the security requirements globally and to generate, automatically and correctly, a set of IPSec policies to ensure the security for all the end-to-end connections. Previously (Fu et al. (2001)), two different algorithms (i.e. bundle and direct) were introduced to solve the policy generation problem in an "offline" fashion. While these two algorithms are efficient in producing globally correct policy rules, the number of output policy rules (i.e., the results themselves) is much greater than necessary. In other words, while the existing approaches can produce a solution quickly, the quality of the solution is far from optimal. In practice, this is undesirable for several reasons. For instance, "more IPSec policy rules" implies "more complicated virtual network topology". Therefore, in this paper, we focus on "how to produce a minimum set of IPSec/VPN tunnels". We formulate this problem as a special type of task-scheduling problem and develop a new method, the ordered-split approach, to produce a provably minimum set of globally correct policy rules. We have also compared the new approach with existing methods in simulation, and our results clearly demonstrate that the ordered-split approach performs significantly better.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
