
Study And Implementation Of Stateful Inspection Technology In IPv6 Firewall

Posted on: 2008-07-11
Degree: Master
Type: Thesis
Country: China
Candidate: K Zhang
GTID: 2178360215990919
Subject: Computer system architecture
Abstract/Summary:
The rapid development of network technology, with the Internet as its main symbol, has brought great convenience to people's lives and to the development of social production. As networks permeate every aspect of social life, network information security has become a focus of attention. Firewall technology, one of the main technologies for safeguarding network information security, has become a common means of building safe and reliable networks. With the emergence and coming large-scale deployment of IPng (IPv6), research on and design of IPv6 firewalls is both necessary and urgent.

Compared with traditional packet-filter and application-gateway firewalls, stateful inspection technology is fast and offers higher security, and it is the mainstream firewall technology at present. Linux, as an open-source operating system, is widely used. Its 2.4 and 2.6 kernels not only support the IPv6 protocol stack; the Netfilter/iptables framework they adopt also introduces a modular construction method, which makes it convenient to implement IPv6 firewalls.

The main purpose of this dissertation is to research and design an IPv6 firewall based on stateful inspection technology under the Linux operating system. Toward this goal, it has done the following work in three areas:

① Based on an analysis of IPv4 stateful inspection technology and the Linux Netfilter/iptables firewall framework, a user-defined stateful inspection function is loaded at Netfilter's NF_IP6_FORWARD hook point, as a loadable kernel module, to implement the stateful inspection module of the IPv6 firewall.

② Building on the approach in which a half-open connection list constructed from Patricia tries handles TCP connection establishment, a port queue is used to track each half-open connection, and traffic statistics and stateful inspection are performed on each half-open connection according to the FIFO principle. Simulation experiments suggest that an IPv6 firewall stateful inspection module using this method can resist SYN flood attacks more effectively.

③ To improve the efficiency of rule-table matching, a new hash function is adopted to solve the problem caused by the 128-bit addresses in IPv6. Moreover, based on the idea of IP flows, a pointer is added at the head node of the hash table that points to the node in the collision list that matched successfully last time, to speed up the next match.

On the basis of theoretical analysis and technical implementation, this thesis has researched and designed an IPv6 firewall based on stateful inspection technology, optimized its performance, and made an effective exploration of network security in IPv6.
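The lookup optimization in item ③, sketched as an added example that is not code from the thesis: each hash bucket keeps a pointer to the entry that matched last time, so consecutive packets of one flow skip the collision-list walk. The struct layout, function names, table size and the XOR-fold hash are all assumptions (the abstract does not give the thesis's hash function); the removal path shows the care the cached pointer needs.

```c
#include <stdint.h>
#include <string.h>

#define BUCKETS 256                     /* assumed table size */
struct conn {                           /* hypothetical table entry */
    uint8_t src[16], dst[16];           /* 128-bit IPv6 addresses */
    uint16_t sport, dport;
    struct conn *next;                  /* collision list */
};
struct bucket {
    struct conn *chain;                 /* head of the collision list */
    struct conn *last_hit;              /* node matched by the previous lookup */
};
static struct bucket table[BUCKETS];
static unsigned long chain_steps;       /* nodes walked, to show the saving */
/* Assumed hash (not the thesis's): XOR-fold addresses and ports to one byte. */
static uint32_t hash6(const struct conn *k) {
    uint32_t h = ((uint32_t)k->sport << 16) | k->dport;
    for (int i = 0; i < 16; i++)
        h ^= (uint32_t)(k->src[i] ^ k->dst[i]) << (8 * (i % 4));
    return (h ^ (h >> 8) ^ (h >> 16) ^ (h >> 24)) % BUCKETS;
}
static int same_flow(const struct conn *a, const struct conn *b) {
    return a->sport == b->sport && a->dport == b->dport &&
           !memcmp(a->src, b->src, 16) && !memcmp(a->dst, b->dst, 16);
}
void conn_insert(struct conn *c) {
    struct bucket *b = &table[hash6(c)];
    c->next = b->chain;
    b->chain = c;
}
struct conn *conn_lookup(const struct conn *key) {
    struct bucket *b = &table[hash6(key)];
    if (b->last_hit && same_flow(b->last_hit, key))
        return b->last_hit;             /* fast path: same flow as last packet */
    for (struct conn *c = b->chain; c; c = c->next) {
        chain_steps++;
        if (same_flow(c, key))
            return b->last_hit = c;     /* remember for the next packet */
    }
    return NULL;
}
void conn_remove(struct conn *c) {
    struct bucket *b = &table[hash6(c)];
    for (struct conn **p = &b->chain; *p; p = &(*p)->next)
        if (*p == c) { *p = c->next; break; }
    if (b->last_hit == c)
        b->last_hit = NULL;             /* never leave the cache dangling */
}
```

Without the reset in `conn_remove`, the bucket would keep pointing at an entry that has left the table, and the fast path would return it for the next packet of that flow.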
Keywords/Search Tags:IPv6, Stateful Inspection, Firewall, Netfilter