Design and Implementation of an Automatic Registration and Authentication System Based on IPv6 Domain Names
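Abstract
As the core protocol of the next-generation Internet, IPv6 has broad application prospects. Compared with IPv4, IPv6 has many new features: a huge address space, plug and play, built-in security mechanisms, and so on. Plug and play makes it easy for IPv6 network nodes to obtain IP addresses automatically without any manual intervention. When a node's address changes, users can continue to use the network normally.
     However, both the increased length of IP addresses and their dynamic changes make it more complicated for users to communicate directly by IP address, and it is also difficult to set up servers on hosts with dynamic IP addresses. If every network node can be assigned an authorized domain name, then after successful registration and authentication the node's domain name and dynamic address are mapped in DNS, so users can communicate using a fixed, easy-to-remember domain name, enjoy reasonable resources, and conveniently set up servers on nodes whose addresses change dynamically.
     Based on a study of DNS dynamic update and authentication, this thesis proposes a client/server solution that also supports a Web mode: the IPv6 domain name automatic registration and authentication system. An automatic registration and authentication server and a Web server are installed on nodes of the IPv6 network; users can install the client or use the web. Depending on the authentication result, the automatic registration and authentication server decides whether to send a dynamic update message to the DNS server or access control information to the NAS. This thesis describes the design and implementation of the automatic registration and authentication system and explains in detail the implementation of key techniques such as address checking, record polling and monitoring, and access control. Functional testing of the system demonstrated the feasibility of the proposed scheme.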
IPv6 is the most important protocol of the next-generation network and has broad application prospects. Compared with IPv4, IPv6 has many new characteristics: a large IP address space, plug and play, an internal security architecture, etc. The plug and play function makes it very convenient for IPv6 network nodes to obtain IP addresses automatically without any manual help. When a node's address varies, users can keep their connection to the network without any influence.
     However, the long length and dynamic change of IP addresses make it very complicated for network nodes to communicate with each other by IP address, and it is almost impossible to install servers on these kinds of nodes. If we can give every node an authorized domain name, then after successful authentication the domain name of the node and its dynamic address will be mapped in the DNS server; users can communicate with each other by their fixed domain names, enjoy rational resources, and easily install servers on nodes whose IP addresses change dynamically.
     This thesis presents a method to solve this problem: an automatic registration authentication system that supports a web mode. The registration authentication server is installed on one node and the web server on another. Users can register by client or web. The server sends a dynamic update message to DNS or an access control message to the NAS according to the authentication result. This thesis introduces the design and implementation of the automatic registration authentication system and explains in particular the key techniques such as address checking, validity polling, and access control. The functional test proves the feasibility of this proposal.
