
Performance And Security Improvement On IPv6 Tunneling Mechanisms And Security Devices

Posted on: 2016-08-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Cui
GTID: 1108330479478720
Subject: Computer Science and Technology
Abstract/Summary:
The Internet is in the period of transition from IPv4 to IPv6; in recent years both ISPs and ICPs have deployed IPv6 networks and provide IPv6 content step by step. To effectively protect the steady and normal running of the Internet in this transition period, the security of network devices, servers and security devices has become a key point in IPv6 research. This dissertation studies the performance and security problems of tunneling techniques and security devices. By analyzing a summary of current research, some inadequately covered aspects are studied in depth and some missing aspects are complemented.

Firstly, the security problems of tunneling techniques are studied, and methods of DoS attacks on tunnels are summarized. For tunnel devices, security issues in the mechanism of “Peer Status Management” and related security problems such as “DoS in Peer List”, together with their influence, are analyzed in depth. Based on Teredo, this dissertation points out two actual effective attacking methods. To improve security and resist these kinds of attacks, the methods Two-Level-Trie, Status-Timelist-Expand and Optimize-Timelist-Update are presented, which improve the capability and performance of “Peer Status Management” under DoS attacks and do not affect the other parts of tunnels.

Secondly, tunnel devices such as the “Relay” are responsible for encapsulating IPv6 packets, de-encapsulating IPv4 packets and forwarding IPv4/IPv6 packets. Because of the complexity of tunnel implementations, tunnels cannot be deployed on routers; as a result, software routing algorithms are needed to forward packets effectively. Focusing on the imbalance between the lookup and update processes in routing algorithms, the influence on general and IPv6-specific routing algorithms is analyzed, and a new method called BSRPS (binary search on range of prefix sets) is presented. By Range-Partition and Sets-Partition of the routing table, and Self-Recovery after updating, this method enhances lookup speed and reduces the impact of imbalance during updating.

Thirdly, security devices such as firewalls and IDSs are deployed to inspect incoming and outgoing traffic and filter anomalous flows. If security devices perform DPI (Deep Packet Inspection), they must be capable of flow reconstruction. This dissertation analyzes tunneled traffic, points out the diversity in layer count and type of tunnels, and introduces the concept of “Wide-Tunnel”. By studying the flow reconstruction processes of existing research and open source software, the problem of tunnel interference is pointed out, which could be exploited to evade the inspection of security devices and attack internal hosts. As solutions, two methods, Record All and Hash for Each Header, are presented. By recording and comparing all external headers, both of them theoretically solve these problems to a great extent with little influence on the original systems.

Fourthly, under IPv6 and tunneling networks, this dissertation points out two kinds of DoS attacks on the security devices themselves: “Multi-Layer Fragment Reassembly Amplification Attacks” and “Amplification DoS Attacks on Streams”. In multi-layer fragment attacks, the attacker can amplify a single reassembly process into multiple ones and increase the load on the system; as a countermeasure, this dissertation presents the method of “Delay Reassembly”, which replaces multiple reassemblies with a single one and effectively decreases the influence on the system. In attacks on streams, by analyzing the multiple addresses of a host, this dissertation points out that attackers can configure large numbers of IPv6 addresses on one host and perform malicious connections to the target. As these connections are legal and controlled by one host, traditional detection and defense mechanisms based on a single IP address are no longer effective, and because DoS attacks have not been thoroughly solved in IPv4, these attacks aggravate the influence on IPv6 security devices. To defend against this attack, the method “Defense Framework based on Addresses Classification” (DFAC) is presented. By classifying addresses with different properties and constructing property sets, DFAC can perform detection and defense against this kind of amplification attack.
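As an added illustration (not code from the dissertation, whose DFAC design is not detailed in this abstract) of why per-address counting misses the stream amplification attack and how classifying addresses into property sets catches it: the property used here, the shared /64 prefix, the thresholds and the sample events are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of new-connection events seen by a security device in one
# detection window, one source address per event. The (assumed) attacking host
# owns the 2001:db8:ffff:1::/64 prefix and spreads its connections over 200
# addresses in it; the remaining addresses are ordinary clients.
SAMPLE_EVENTS = (
    [f"2001:db8:ffff:1::{i:x}" for i in range(1, 201)]  # 200 addresses, 1 conn each
    + ["2001:db8:1::10"] * 8                             # busy but legitimate client
    + ["2001:db8:2::20", "2001:db8:2::21", "2001:db8:3::5"]
)

PER_ADDRESS_THRESHOLD = 20    # assumed limit of a traditional per-/128 detector
PER_PROPERTY_THRESHOLD = 20   # assumed limit applied to each property set


def per_address_offenders(events, threshold=PER_ADDRESS_THRESHOLD):
    """Traditional detection: count connections per single IPv6 address."""
    counts = Counter(events)
    return {addr for addr, n in counts.items() if n > threshold}


def classify_by_prefix(addr, prefix_len=64):
    """Classification property (assumption): the /64 the address lives in.
    Every address one host configures on its link shares this prefix."""
    net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
    return str(net)


def property_set_offenders(events, threshold=PER_PROPERTY_THRESHOLD):
    """Classification-based detection: aggregate per property set, so the many
    addresses of one host are counted together instead of individually."""
    counts = Counter(classify_by_prefix(a) for a in events)
    return {prefix for prefix, n in counts.items() if n > threshold}


def addresses_in_offending_sets(events, threshold=PER_PROPERTY_THRESHOLD):
    """Defense step: expand each flagged property set back to the concrete
    addresses seen in it, so a response policy can act on the whole set."""
    flagged = property_set_offenders(events, threshold)
    return sorted({a for a in events if classify_by_prefix(a) in flagged})
```

With these inputs the per-address detector flags nothing, because no single address exceeds the limit, while the per-prefix classification flags the attacker's /64 and leaves the busy legitimate client alone.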
Keywords/Search Tags: IPv6, Tunnel, Security, Firewall, Routing