Title: | Tunnel Minimization and Relay for Managing Virtual Private Networks |
Authors: | I-Wei Chen; Ying-Dar Lin; Institute of Computer Science and Engineering |
Keywords: | tunnel reduction; IPSec; authority; tunnel minimization; tunnel path length (TPL); tunnel relay degree (TRD); tunnel relay gateway |
Issue Date: | 2002 |
Abstract: | A virtual private network (VPN) is a technique for carrying private data over a shared network. One of its largest applications is the "intranet VPN", which, as the name suggests, lets the internal private networks of a company's branch offices communicate with one another. To achieve this, the technique of tunneling must be used: the IP packets originating inside a branch network are encapsulated, the encapsulated packets are carried over the shared network to the private network at the other end, and the encapsulation is removed before a packet enters that private network. Among the many tunneling techniques, IP Security (IPSec) is currently the most popular in industry, because it provides not only encapsulation and decapsulation but also encryption, decryption and hashing. However, before each IPSec tunnel can be established the two communicating parties must agree on many parameters, and tunnels frequently fail to come up because those parameters are configured incorrectly. This thesis therefore proposes the new concept of "authority", which lowers the complexity of tunnel management by reducing the number of tunnels. First, we formulate the tunnel minimization problem under three different conditions: no constraint, a tunnel path length (TPL) constraint, and a tunnel relay degree (TRD) constraint, and we define these problems and the corresponding algorithms using graph models. Next, we examine the effect of tunnel minimization and find that a considerable number of tunnels can be saved in typical enterprise tunnel topologies; in the 20-node topology studied in this thesis, up to 90% of the tunnels can be eliminated. Finally, we implement a tunnel relay gateway on a real system (NetBSD/IPSec); we believe this approach to reducing the number of tunnels is easy to deploy in real systems. A virtual private network (VPN) is a private data network that uses a shared data network to carry traffic between remote sites. One of the most popular VPN applications is the "Intranet/Extranet VPN", which establishes network layer connections between remote Intranet sites using various tunneling protocols to create an IP overlay network. IP Security (IPSec), which is very prevalent in industry, is one of these tunneling protocols that provides not only encapsulation/de-capsulation but also encryption/decryption and hashing. However, an IPSec tunnel often fails to be established due to the management overhead. In this work, a new concept of authority is proposed to reduce the management overhead by tunnel reduction. We first formalize the problem of tunnel minimization under three conditions: no constraint, a constraint on Tunnel Path Length (TPL), and a constraint on Tunnel Relay Degree (TRD), and then solve the problems using graph models and a Zero-One Integer Programming (0-1 IP) algorithm. Second, we analyze the effect of tunnel minimization, and find that at most 90% of the tunnels can be reduced in a general enterprise topology. Finally, we implement the VPN tunnel relay gateway on the NetBSD operating system with IPSec support, and show that it is viable to deploy this idea in a real-world system. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#NT910394049 http://hdl.handle.net/11536/70220 |
Appears in Collections: | Thesis |