[Main text]
Security Analysis of the IP Protocol and the IPSec Protocol (major and class: Computer Science and Technology)

re will conceivable to it means end user transmitting data station utilized work element likely to met absence their dam within sight back. But do so should gotten enterprise work Tnumber now that, figure full high speed, cheapness bine possesses resolvability, general design to depot private and confidential information up. Whatever the cause, network security requirements are now stricter than before, and this still needs to be understood clearly. Whether security is provided at the IP layer or, more precisely, on every IP packet in the data stream, there are in fact many means available for protecting a network. A firewall can be set up at the network edge to filter unwanted data streams out of a private network. Application and transport protocols also have their own security mechanisms. Among the other kinds of technology, this approach is meaningful for the following reasons:
1. Intranets are mostly based on IP […]
2. It can protect and isolate higher-level applications from security attacks.
4. It can serve as the basis for building an extensible, secure VPN over the Internet.

To meet the need for security at the IP layer, the IETF established the IP Security (IPSec) working group. Through its efforts, the working group has already reached agreement on network-layer security protocols, mechanisms and services for IPv4 and IPv6 […]
2. data origin authentication (authenticating every IP packet);
3. replay protection (preventing an attacker from eavesdropping on certain packets and replaying them some time later);
4. data integrity (verifying that an IP packet has not been tampered with in transit);
5. encryption (hiding part of the packet by encrypting it);
6.
limited traffic flow confidentiality (concealing the IP address of the original sender);
7. key management.

The protocols initially defined by the IPSec framework include the Authentication Header (AH), the Encapsulating Security Payload (ESP) and key management.

2 IPSec: IP layer protocol security

The need for the IPSec protocol

IPSec provides security services at the IP layer. It enables a system to select the security protocols it requires, determine the algorithms to use for the services, and put in place the keys required to provide the requested services. IPSec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The security services IPSec can provide include access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality, and limited traffic flow confidentiality. Because these services are all provided at the IP layer, any higher-level protocol can use them, for instance TCP, UDP, ICMP, BGP and so on. It does this through two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), and through key management […] WRAPT lead system crash […] data at transport process suffer by human amend. Protection against replay attacks is provided as well. IPSec can provide security protection for IP and its upper-layer protocols (TCP, UDP and so on).
It was throng accident prevention […] graveness superiority at rest with that the log, routing protocol event and error logging, and so on, for network administration personnel to use in fault analysis, fault location and statistics […] attack; through MAC address and IP address binding, confine per port […] electrical characteristics and EMC environmental deterioration, and so on. Usually, physical layer the shield instrument include […]

Usually, physical-layer threats come from unreliable equipment, such as heat damage to boards, physical interface […] potential safety hazards, such as encapsulation attacks, broadcast packet attacks, MAC flooding, spanning tree attacks and other layer 2 attacks, as well as forged ICMP messages, ICMP flooding, source address spoofing, route flapping and other attacks aimed at layer 3 protocols.

At the application layer, there are mainly direct , FTP/TFTP and telnet attacks, as well as virus attacks spread through e-mail.

Against these attacks, be available to […] attack; MAC address and IP address binding, confine per port […] ACLs, establishing secure user tunnels and similar measures guard against layer 2 attacks; route filtering, encryption and authentication of routing information, directed multicast control, faster route convergence to lessen the impact of route flapping, and similar measures strengthen layer 3 network security.
To build a secure network, other safety precautions should also be adopted. (1) Combine AAA authentication, NAT-PT, layer 2/layer 3 MPLS VPN, ACL-based standard access lists and static extended access lists, protection against forged fragment attacks and so on to implement security protection. (2) Use route filtering, static routes, policy routing and route load sharing to implement secure routing. (3) Use SSHv2 (Secure Shell version 2), SNMPv3 (Simple Network Management Protocol version 3) and so on to provide content access security and line access security. (fo