Research on Reflective Denial of Service Based on IKEv2
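  • English title: Reflective Denial-of-Service based on IKEv2 Protocol
  • Authors: 赵尔凡; 熊刚
  • Authors (English): ZHAO Er-fan; XIONG Gang; No.30 Institute of CETC
  • Keywords: IKEv2; reflective amplification; denial of service; vulnerability
  • English keywords: IKEv2; reflective amplification; denial-of-service; vulnerability
  • Chinese journal title: TXJS
  • English journal title: Communications Technology
  • Institution: The 30th Research Institute of China Electronics Technology Group Corporation (中国电子科技集团公司第三十研究所)
  • Publication date: 2019-02-10
  • Publisher: Communications Technology (通信技术)
  • Year: 2019
  • Issue: v.52; No.326
  • Language: Chinese
  • Pages: TXJS201902031
  • Page count: 5
  • CN: 02
  • ISSN: 51-1167/TN
  • Classification number: 192-196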
Abstract
The IKEv2 protocol is widely used for IPSec key exchange, for virtual private network authentication and authorization, and in network security devices. As the successor to IKEv1, IKEv2 has good properties in terms of security, mobility, and endpoint support. By analyzing how the IKEv2 protocol is implemented on different security devices, the paper studies a processing behaviour that is not clearly defined and finds that implementations of the protocol may carry a risk of reflective denial of service. Finally, experiments in a real Internet environment verify the effectiveness of the reflective denial of service that policy reasons may currently cause.
