Abstract
To test how well an IPv6 firewall protects against potential IPv6 network threats, this paper studies methods for evaluating the protection capability of IPv6 firewalls. Based on a study of the IPv6 protocol, five classes of test packets carrying security risks are constructed, targeting ICMPv6, single extension headers, multiple extension headers, fragmentation and address scopes, and a firewall test framework with a client/server (C/S) architecture is built. On top of the framework and the test packets, independent test modules for each class of test are built, a test environment suitable for testing stateful firewalls is set up, and corresponding test methods are provided. Using the proposed method, a Cisco ASA5505 firewall was tested and some of its strengths and weaknesses were found.
In order to test the defensive capability of an IPv6 firewall against potential IPv6 network threats, this paper studied IPv6 firewall defensive capability testing technology. Through research on the IPv6 protocol, this paper constructed five kinds of test packets with security risks, covering ICMPv6, single extension headers, multiple extension headers, fragmentation and address scopes, and proposed a firewall testing framework with a C/S architecture. It built independent test modules for every kind of test based on the framework and the test packets, set up test environments that could be used to test stateful firewalls, and provided appropriate test methods. Using this method, the paper tested a Cisco ASA5505 firewall and found its advantages and disadvantages.
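As an added example (not the paper's test framework or code), the following pure-Python snippet constructs one sample packet for each of the five test categories named in the abstract and walks the IPv6 Next Header chain to tag what a firewall policy should see, which gives a tester a reference to compare against the firewall's observed pass/drop behaviour. The header builders, tag names, scope table and sample addresses (2001:db8::/32 documentation prefix, constructed link-local source) are my own assumptions.

```python
import struct
import ipaddress
# Next Header values (RFC 8200) the walker treats as extension headers; 58 = ICMPv6, 17 = UDP.
EXT = {0: "HopByHop", 43: "Routing", 44: "Fragment", 60: "DestOpts"}
ICMPV6, UDP = 58, 17
SCOPES = [("link-local", "fe80::/10"), ("unique-local", "fc00::/7"), ("multicast", "ff00::/8")]

def ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)  # version 6, zero TC/flow label, hop limit 64
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def opts_header(next_hdr, units=1):
    """Hop-by-Hop/Destination Options header filled with PadN options; length is 8 * units octets."""
    body = b"\x01\x04" + bytes(4) + (b"\x01\x06" + bytes(6)) * (units - 1)
    return struct.pack("!BB", next_hdr, units - 1) + body

def walk_chain(pkt):
    """Follow the Next Header chain; upper-layer protocol is None when a non-first fragment hides it."""
    src, next_hdr, off, chain = ipaddress.IPv6Address(pkt[8:24]), pkt[6], 40, []
    while next_hdr in EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        chain.append(EXT[next_hdr])
        if next_hdr == 44 and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
            return src, chain, None  # fragment offset != 0: upper-layer header is in the first fragment
        next_hdr, off = pkt[off], off + (8 if next_hdr == 44 else (pkt[off + 1] + 1) * 8)
    return src, chain, next_hdr

def classify(pkt):
    """Tag a packet with the paper's five test categories, as a policy checker would see it."""
    src, chain, upper = walk_chain(pkt)
    tags = ["src-scope:" + next((n for n, net in SCOPES if src in ipaddress.IPv6Network(net)), "global")]
    if upper == ICMPV6:
        tags.append("icmpv6")
    if chain:
        tags.append(("single" if len(chain) == 1 else "multi") + "-ext-header:" + "+".join(chain))
    if "Fragment" in chain:
        tags.append("non-first-fragment" if upper is None else "first-fragment")
    return tags

# Constructed sample packets, one per category (ICMPv6 checksum left zero: irrelevant to chain tests).
ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
FRAG = struct.pack("!BBHI", UDP, 0, 100 << 3, 7)  # Fragment header: offset 100 (8-octet units), M = 0
SAMPLES = {
    "icmpv6":   ipv6("2001:db8::1", "2001:db8::2", ICMPV6, ECHO),
    "single":   ipv6("2001:db8::1", "2001:db8::2", 60, opts_header(ICMPV6) + ECHO),
    "multi":    ipv6("2001:db8::1", "2001:db8::2", 0, opts_header(60, 2) + opts_header(UDP) + bytes(8)),
    "fragment": ipv6("2001:db8::1", "2001:db8::2", 44, FRAG + bytes(16)),
    "scope":    ipv6("fe80::1", "2001:db8::2", ICMPV6, ECHO),
}
```

A non-first fragment deliberately leaves the upper-layer protocol unknown, which is exactly the case a stateful firewall must resolve from the first fragment rather than from the packet in hand.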