The NATFW Signaling Application in NSIS and Its Study in Mobile Environments
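Abstract
With the development of network technology and the spread of laptop computers, mobile working has become a necessity of daily life and work, and Mobile IP technology has emerged in response. Firewall technology, widely deployed for network security, has run into many problems when integrated with Mobile IPv6, and many points need to be reconciled. This has made the wide adoption of Mobile IPv6 difficult.
     This thesis analyzes in detail the problems that arise when firewall technology is applied in a Mobile IPv6 network environment and gives a detailed introduction to the NSIS (Next Steps in Signaling) protocol, focusing on the NATFW NSLP signaling application within NSIS. The NATFW NSLP signaling application proposes that signaling can change the rules of the firewalls on the path the signaling traverses, so the NATFW NSLP protocol can be applied to solve the firewall traversal problem.
     At present, most firewalls deployed in networks do not support Mobile IPv6. Using the NAT/FW NSLP of the NSIS protocol to configure firewall policy is a scheme that lets Mobile IP messages traverse firewalls by means of signaling. This thesis aims to solve the firewall discovery problem that arises when NSIS is used to traverse firewalls in a Mobile IPv6 environment, and to reduce signaling complexity so as to save overhead and lower network latency. Firewall discovery and firewall traversal are both implemented on NSIS signaling, which reduces signaling complexity.
     When the mobile node detects that it has moved and left its home link, a firewall discovery mechanism is introduced: the mobile node first probes whether a firewall is present. If one is present, the NATFW NSLP protocol is applied according to the network topology and the routing mode to be used: the communicating nodes send signaling to create an NSIS session, and once the NSIS session has been established through security authentication, the traversal problems caused by mobility can be solved by changing the firewall rules.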
With the development of network technology and the popularization of notebook computers, mobile work is becoming more and more important to people's life and work. Mobile IPv6 can help people meet this demand. Although firewalls are now widely deployed, many problems in the integration of Mobile IPv6 and firewalls remain to be solved. These problems will encumber the application of Mobile IPv6 and need to be solved in time.
     In this paper, we introduce a new protocol, the NSIS NATFW NSLP (NSIS Signaling Layer Protocol). The NSIS Signaling Layer Protocol proposes that the rules of the firewalls on the data path can be changed through signaling, so we propose using the NSIS NATFW NSLP to solve these problems. When the mobile node finds that it has left the home link, we introduce the firewall finding mechanism and the mobile node carries out the firewall detection procedure. If a firewall exists, the NSIS Signaling Layer Protocol is needed, which can communicate with these firewalls and instruct them to pass these Mobile IPv6 messages. To solve these problems, it can instruct the firewalls to change their rules after authentication. Finally, we analyze the feasibility of this scheme.