| The research and building of next genaration internet now become a hotspot of the information technology field.The network secruity based on IPv6 is a very important field in the research of the next generation internet.Now the CERNET2 which is the first next genaration internet in CHina has been founded.It means that the research of next genaration has made great progress.Eastern China (North) Regional Network Center of CERNET provides CERNET connection and internet service for high schools and other education and research institutions in Jiangsu, Shandong and Anhui Province.Because It is one of the important node of CERNET2,its maintenance and management are very important,the network security is one of the very important subsystem of it. Now the intrusion detection system MONSTER3.0 we use in the center has been developed ealier,it can not support the requirement of detect CERNET2.In this case,it is very meaningful to develop the intrusion detection system under IPv6 environment now.The thesis From presenting main difference between IPv6 and IPv4 to start with at first, then it tells IPv6 addressingarchitecture and security architecture in detail. And then it also discusses the tactics that IPv4 carries out the transition to IPv6 as well as the state of development of IPv6 and it's developing direction.Then it introduce the structure and fuction of each module of MONSTER3.0. And then this thesis summarizes the technology of IDS from the respect of the concept, development course, architecture and technical classification of IDS.Based on the above technical background, this thesis launches the discussionabout the demand analysis and the detailed design of the modules in the system..Those intrutions which characters are stored in the information base will be detect well by the abuse intrusion detection system,its minsinformation are very little.It needs the strongly support of intrution detection rules.The thesis do some research of the impletetion of intrution detection rules under IPv6 network.At the begining discusses the similarity and difference of the network security between IPv4 and IPv6.Then we analyze the adaptability of the intrution detection rules based on IPv4 under IPv6,keep the ones we can use,modify the ones can not adapt and then discard the ones we can not use any more. After that we discussed the how to change the rules under IPv4 to IPv6 automatically.At last discusses the great capacity of address under IPv6 will do what to the DDoS.Packet classification algorithms is the technique to implete network packet classify.It means classfy the packets base on the rules gives by the user,use different filter action to different packets.The thesis gives the intergrate description of packet classification algorithms.Then analyze the similarity and difference of the packet header between IPv4 and IPv6.After that it provide the implete of parse the IPv6 packet and how to defragment the ip fragments,this solve the biggest problem in the impletetion of two protocol parse.At last analyze the time complexity and the space complexity of the new algorithms.The whole framework and the design and implementation of each model are presented, as well as test in real network environment. In the end the thesis summarizes and expects future work. |
