Research and Implementation of Firewall Technology for the IPv4/IPv6 Transition Period
Abstract
As network technology has come into wide use, the importance of network security has grown steadily; it has become a major issue bearing on national security and social stability, and countries are investing substantial human and material resources in network security research. The firewall, as the first line of defence for a network, sits on the boundary between the protected internal network and the external public network, so that all traffic between the two must pass its inspection; this guarantees the legitimacy of network traffic, improves network performance, and makes the firewall an important component of network security technology.
     At the same time, IPv6, as the core protocol of the next-generation network, remedies the defects of IPv4 and meets the quantitative and qualitative demands of future network infrastructure. However, it is hard to upgrade every system on the Internet and in enterprise networks from IPv4 to IPv6 in a short time, so the IPv4-to-IPv6 transition is a key issue for the practical deployment of IPv6, and the analysis and study of network security technology for this transition period has become a current research focus.
     Against this background, the thesis first describes the various IPv4/IPv6 transition mechanisms in detail, analyses the security threats they can themselves introduce, and summarises the security problems that may exist in a transition-period network environment, thereby showing why firewall technology for the IPv4/IPv6 transition period needs to be studied and implemented. It then studies firewall technology, analyses the security requirements of the transition period further, and proposes a solution. Next, building on a description of the Netfilter firewall architecture for the IPv4/IPv6 transition period, it focuses on the implementation of the packet-filtering module. In addition, a user management interface for this firewall is implemented to make it easier to operate. Finally, a test plan for the firewall system is given, and the test results validate the effectiveness of the solution.
     The thesis's contribution is the concept of transition rules, which link IPv4 and IPv6 inside the Netfilter kernel and guarantee the legitimacy of network packets during the transition period through cross-protocol operations.
Abstract (English)
With the penetration of network technology into people's daily life, network security is becoming more and more important, and it is a major issue bearing on national security and social welfare. Many countries have invested heavily in the research and development of network security technology. As the first line of network defence, a firewall checks all the traffic between the inner protected network and the outer Internet, which verifies the legitimacy of traffic and improves the capability of the network. Therefore, the firewall is an important network security technology.
     Meanwhile, as the key protocol of the Next Generation Network, the IPv6 protocol solves the problems faced by the current IPv4 protocol and is designed to meet the quantity and quality requirements of future network infrastructure. However, it is difficult to upgrade all the infrastructure from IPv4 to IPv6 in a short time, so IPv6 transition and coexistence is a very important problem when IPv6 is put into practice. Therefore, analysing and researching network security technology for this period has become a focus.
     Under this research background, the thesis is organized as follows. First, the principles of the IPv4/IPv6 transition mechanisms are introduced and their security considerations are presented in detail. The thesis then summarizes the security problems that may occur in an IPv4/IPv6 network environment, which shows the significance of researching and implementing a firewall for the IPv4/IPv6 transition period. Subsequently, firewall technology is introduced and its security requirements are further analysed, and the thesis proposes a solution. The thesis also describes the system structure of Netfilter and pays particular attention to the implementation of the packet filter module for the IPv4/IPv6 transition period. Additionally, a graphical interface for the firewall is implemented, which provides a convenient way of adding and modifying rules. Finally, the thesis presents the testing process of the firewall to prove the validity of the solution.
     The innovation of the thesis is to introduce the concept of transitional rules and to associate IPv4 and IPv6 in Netfilter. Consequently, the firewall can still play an important role during the IPv4/IPv6 transition period.
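To make the cross-protocol idea concrete, the following Python sketch is an added illustration, not the thesis's own code: it takes one hypothetical transition rule and expands it into Netfilter rules for both address families, plus IPv4 rules for the carriers of IPv6-in-IPv4 tunnels (IP protocol 41) and Teredo (UDP/3544), which ip6tables on a forwarding firewall never sees. The rule structure, field names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed example of a cross-protocol "transition rule": the policy is
# written once and expanded to IPv4, IPv6, and the tunnel carriers that hide
# IPv6 inside IPv4 packets. This interpretation is the example's assumption,
# not the thesis's implementation.
@dataclass
class TransitionRule:
    name: str
    v4_src: str     # IPv4 source prefix, e.g. "192.0.2.0/24" (constructed)
    v6_src: str     # IPv6 source prefix, e.g. "2001:db8::/32" (constructed)
    dport: int      # TCP destination port the policy applies to
    action: str     # "ACCEPT" or "DROP"

def expand(rule: TransitionRule) -> List[str]:
    """Return the iptables/ip6tables commands equivalent to one transition rule."""
    if rule.action not in ("ACCEPT", "DROP"):
        raise ValueError(f"unsupported action: {rule.action}")
    cmds = [
        # native IPv4 traffic
        f"iptables -A FORWARD -s {rule.v4_src} -p tcp --dport {rule.dport} -j {rule.action}",
        # native IPv6 traffic
        f"ip6tables -A FORWARD -s {rule.v6_src} -p tcp --dport {rule.dport} -j {rule.action}",
    ]
    if rule.action == "DROP":
        # Cross-protocol part: IPv6 carried inside IPv4 (IP protocol 41, used by
        # 6to4/ISATAP/6in4) or inside UDP to Teredo servers (port 3544) is
        # forwarded by the IPv4 stack and never reaches ip6tables. A DROP policy
        # must therefore also block the encapsulating IPv4 flows from that source.
        # Caveat: the inner TCP port is invisible without decapsulation, so the
        # whole tunnel from the source prefix is dropped, not just one port.
        cmds.append(f"iptables -A FORWARD -s {rule.v4_src} -p 41 -j DROP")
        cmds.append(f"iptables -A FORWARD -s {rule.v4_src} -p udp --dport 3544 -j DROP")
    return cmds

if __name__ == "__main__":
    demo = TransitionRule("block-lab-ssh", "192.0.2.0/24", "2001:db8::/32", 22, "DROP")
    print("\n".join(expand(demo)))
```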