Research and Design of an ARM-Based Embedded IPv6 Firewall
Abstract
With the rapid development of computer networks, the inherent defects of the existing IPv4 network, such as insufficient address space and weak security, have become increasingly apparent. IPv6, as the next-generation Internet protocol, has been unanimously recognized by the industry for its vast address space and stronger security features, and is being popularized and promoted worldwide. However, the IPv6 protocol is not perfect: the introduction of many new protocol mechanisms brings new security risks.
As an important means of network security, firewalls have been widely deployed in IPv4 networks. However, most firewalls that currently support IPv6 are deployed on IPv6 backbone networks, and there are few IPv6 firewall products suitable for small local area networks or enterprise networks. This thesis therefore carries out in-depth research on, and the design of, an ARM-based embedded IPv6 firewall.
On the basis of a thorough analysis of the characteristics of packets in an IPv6 network environment and of the security problems present in IPv6 networks, and combined with current research results on IPv6 firewalls, this thesis proposes an overall filtering scheme for firewalls in an IPv6 environment. The basic idea of the scheme is: an IPsec module is added to authenticate or decrypt AH or ESP packets; the ip6tables tool of the Linux 2.6 kernel then filters the plaintext packets (those that were never encrypted, or that have been decrypted); and users can add filtering rules according to their actual needs.
On the basis of the above scheme, an ARM-based embedded IPv6 firewall system is designed. The hardware platform of the firewall uses the S3C2240 (ARM9) as its core processor, extended with SDRAM and NAND flash memory; two DM9000 network controller chips connect to the external untrusted network and the internal trusted network respectively. The software platform of the system is built by porting a bootloader, embedded Linux, the YAFFS file system, the DM9000 dual network card driver and the ip6tables toolset onto the hardware platform.
After an in-depth analysis of the core filtering mechanism of ip6tables, the IPv6 packet filtering module is designed and a set of filtering rules is added to the firewall, on the basis of which users can further extend the rules. Finally, the filtering rules added to the firewall are tested experimentally; the test results show that the designed embedded IPv6 firewall correctly filters packets according to the filtering rules specified by the user.
With the rapid development of computer networks, the defects of the existing IPv4 network, such as the lack of address space and poor security, have already been exposed. IPv6, as the next-generation Internet Protocol, provides many improvements in address space and in the quality of its security, and it has been recognized by the communication industry. IPv6 networks are being deployed around the world. But the IPv6 protocol is not perfect: the introduction of many new protocol mechanisms has brought new security risks.
Firewalls, as an important means of network security, have been widely used in IPv4 networks. However, firewalls that support the IPv6 protocol are mostly applied in the IPv6 network backbone; they cannot be deployed in small local area networks and corporate networks. Therefore, in this paper we research and design an ARM-based embedded IPv6 firewall.
In this paper, a thorough analysis of IPv6 packets and of the security issues of existing IPv6 networks has been carried out. Combined with current IPv6 firewall research results, an overall filtering scheme for a firewall in an IPv6 environment is proposed. The scheme adds an IPsec AH and ESP module for the authentication and decryption of IPv6 packets, and filters the unencrypted or decrypted plaintext IPv6 packets with the ip6tables tools of the Linux 2.6 kernel. Users can add filter rules according to their actual needs.
Based on the above scheme, an ARM-based embedded IPv6 firewall system is designed. The firewall hardware platform takes the S3C2240 (ARM9) as the core processor, with SDRAM and NAND-Flash as expansion memory; two DM9000 network control chips are connected to the external non-trusted network and the internal trusted network. The firewall software platform is built by porting a bootloader, embedded Linux, the YAFFS file system, the DM9000 dual network interface card drivers and the ip6tables tool set.
After a deep analysis of the ip6tables core filtering mechanism, we design the IPv6 packet filtering module and add a set of firewall filter rules. Based on these rules, users can add further filter rules according to their actual needs. Finally, we test the filter rules that have been added to the firewall. The test results show that the designed ARM-based embedded IPv6 firewall correctly filters IPv6 packets according to the rules set by the user.
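The following is an added example, not code from the thesis or its firewall: a POSIX shell function that emits an ip6tables-restore ruleset realizing the scheme described above for a dual-homed box, where AH/ESP packets addressed to the firewall are accepted so the kernel IPsec layer can verify or decrypt them and the resulting plaintext is then filtered like any other packet. The interface names eth0/eth1 for the two DM9000 controllers and the SSH management port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thesis). Emits an ip6tables-restore ruleset for a
# firewall with two NICs: $1 = external (untrusted) side, $2 = internal (trusted).
gen_ip6tables_rules() {
    ext="$1"; int="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows already tracked by nf_conntrack_ipv6
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Neighbour Discovery (RS/RA/NS/NA, ICMPv6 types 133-136) must pass on both
# links or the firewall loses on-link IPv6 reachability entirely
-A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Packet Too Big (type 2) is required for path MTU discovery
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 2 -j ACCEPT
# AH/ESP arriving from the untrusted side are handed to the kernel IPsec layer;
# the inner plaintext packet is seen again by these chains and filtered there
-A INPUT -i $ext -p ah -j ACCEPT
-A INPUT -i $ext -p esp -j ACCEPT
# trusted side may open connections outward; new flows from the untrusted
# side are logged (rate-limited) and then fall to the DROP policy
-A FORWARD -i $int -o $ext -j ACCEPT
-A FORWARD -i $ext -o $int -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "ipv6-fw-drop: "
# management (SSH, assumed port 22) only from the trusted side
-A INPUT -i $int -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# usage: ./gen_rules.sh eth0 eth1 | ip6tables-restore
if [ "$#" -eq 2 ]; then
    gen_ip6tables_rules "$1" "$2"
fi
```

Review the emitted text before loading it; with the DROP policies in place, a missing Neighbour Discovery rule locks the box off the link rather than merely blocking a service.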