Abstract: Unlike IPv4, IPv6 introduces new characteristics such as end-to-end communication and a hierarchical address structure, so traditional network-topology protection techniques based on NAT masking and similar means no longer apply in IPv6 environments. However, existing IPv6 network topology protection mechanisms have problems such as breaking the end-to-end property and being difficult to combine with network-layer encryption. Drawing on the military ideas of "concealing the real" and "displaying the false", this paper proposes an overlay-network-based IPv6 network structure protection model. It first presents the design of an "overlay concealment network", which hides the real network structure by constructing a logical subnet that carries a real network prefix, and then gives a dynamic topology generation algorithm for the overlay concealment network so that its topology changes dynamically. Theoretical analysis and experimental results show that the proposed model can effectively conceal the real network topology and can deceive attackers with a false topology, consuming their attack resources.