基于重叠网的IPv6网络拓扑保护模型

计算机科学 ›› 2013, Vol. 40 ›› Issue (6): 71-75.

基于重叠网的IPv6网络拓扑保护模型

刘慧生,王振兴,张连成,侯毅

解放军信息工程大学郑州450002;解放军信息工程大学郑州450002;解放军信息工程大学郑州450002;解放军信息工程大学郑州450002

出版日期:2018-11-16 发布日期:2018-11-16
基金资助:
本文受国家重点基础研究发展计划(2007CB307102)资助

Overlay Network Based IPv6Network Architecture Protection Model

LIU Hui-sheng,WANG Zhen-xing,ZHANG Lian-cheng and HOU Yi

Online:2018-11-16 Published:2018-11-16

摘要/Abstract

摘要： 与IPv4不同,IPv6具有端到端通信、层次化地址结构等新特性,基于NAT掩蔽等手段的网络拓扑传统保护技术不再适用于IPv6环境。然而,现有的IPv6网络拓扑结构保护机制存在破坏端到端特性、难以适用网络层加密等问题。借鉴“隐真”和“示假”的军事思想,提出基于重叠网的IPv6网络结构保护模型。首先提出“重叠隐蔽网”的设计,即通过构建一个具有真实网络前缀的逻辑子网实现对网络真实结构的隐藏,然后给出重叠隐蔽网拓扑动态生成算法,以实现重叠隐蔽网的拓扑结构的动态变化。理论分析与实验测试结果表明,所提模型可有效隐蔽网络真实拓扑结构,并可通过虚假的拓扑结构欺骗攻击者,消耗其攻击资源。

关键词: IPv6,结构保护,重叠网,拓扑动态生成

Abstract: Different from IPv4,IPv6has some new properties,such as end-to-end communication,hierarchical address structure．Traditional network architecture protection schemes based on network address translation (NAT) are not in point as before．However,the proposed schemes for IPv6network architecture protection have some shortages,such as destroying the end-to-end property of the Internet,which leads to prevent the use of IPSec．Motivated by “showing falsity” and “hiding truth” in military tactics,an overlay network based network architecture protection model in IPv6(ON-NTPM6) was proposed．Firstly,an “Overlay Masking Network” design was presented,which is used to hide the true network architecture by deploying a virtual subnet with true allocated network prefix in the site．Then a topology dynamically generating algorithm was proposed,which is used to dynamically and randomly generate the topology of overlay masking network．Theoretical and empirical analysis results demonstrate that ON-NTPM6can effectively conceal the true architecture of protected network,and further deceive adversaries and consume their attack resources with virtual overlay network topology.

Key words: IPv6,Architecture protection,Overlay network,Topology dynamically generating

刘慧生,王振兴,张连成,侯毅. 基于重叠网的IPv6网络拓扑保护模型[J]. 计算机科学, 2013, 40(6): 71-75. https://doi.org/

LIU Hui-sheng,WANG Zhen-xing,ZHANG Lian-cheng and HOU Yi. Overlay Network Based IPv6Network Architecture Protection Model[J]. Computer Science, 2013, 40(6): 71-75. https://doi.org/

参考文献

[1] Srisuresh P,Egevand K．Traditional IP network address translator (traditional NAT)[M]．IETF RFC 3022,Network Working Group,Jan．2001
[2] Groat S,Dunlop M,Marchany R,et al．IPv6:nowhere to run,nowhere to hide[C]∥Proceeding of the 44th International Conference on System Sciences．Hawaii,2011:1-10
[3] Narten T,Draves R,Krishnan S．Privacy extensions for stateless address autoconfiguration in IPv6[M]．IETF,RFC 4941,Network Working Group,Sep．2007
[4] Wasserman M,Baker F.IPv6-to-IPv6network prefix translation[M]．IETF,RFC 6296,Network Working Group,June 2011
[5] De Velde G V,Hain T,Droms R,et al．Local network protection for IPv6[M]．IETF,RFC 4864,Network Working Group,May 2007
[6] Beitollahi H,Geert Deconinck G.An Overlay Protection Layer against Denial-of-Service Attacks[C]∥Proceeding of IEEE International Symposium on Parallel and Distributed Processing．2008:1-8
[7] Keromytis A D,Misra V,Rubenstein D.SOS:An Architecture for Mitigating DDoS Attacks[J]．IEEE Journal on selected areas in communications,2004,2(1):176-188
[8] Keromytis A D,Misra V,Rubenstein D．SOS:Secure OverlayServices[C]∥Proceeding of ACM SIGCOMM．2002:61-72
[9] Stavrou A,Keromytis A D,Nieh J,et al．MOVE:An End-to-End Solution to Network Denial of Service[C]∥Proceeding of the ISOC Symposium on Network and Distributed System Security．2005
[10] 杨柳,李振宇,张大方,等．冗余最小化的IPv6拓扑发现方法[J]．计算机研究与发展,2007,44(6):939-946
[11] Lyon G F．Nmap Network Scanning．The Official Nmap Project Guide to Network Discovery and Security Scanning[M]．USA,2009

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed