The Research And Design Of Next Generation Software Firewall

Posted on: 2008-11-10
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Gao
GTID: 2178360272969286
Subject: Software engineering
Abstract/Summary:
With the rapid development of computer hardware and network technology, these technologies have gradually become a key factor in promoting economic and social development. As people share information with others, they must also increasingly accept the severity of the security problems involved. Firewalls, and packet filters in particular, have become an essential part of the Internet. They protect individual hosts and networks from the nasty elements of the Internet: attackers, viruses and worms.

The creation of a new version of the Internet Protocol, IPv6, has been hailed as the solution to many of the ills of the current protocol. It has built-in security via IPsec. Even so, the packet filter is still expected to be a part of the IPv6 Internet, at least until the problems associated with the automatic exchange of keys for IPsec are resolved. This thesis discusses the challenges posed in filtering IPv6 packets by both stateless and dynamic means.

Stateless packet filtering is so called because the processing of each packet does not depend on the previous packets sent and received in the connection. In general, packet filtering firewalls inspect only the IP header information and, in some instances, the TCP header information. Dynamic filtering, so-called "stateful" filtering, creates state on the firewall for each connection that leaves the local network through the firewall and remembers the source and destination ports and addresses of the packet. This state creates a dynamic rule in the packet filter ruleset that allows the return packets of the outgoing connection back in through the packet filter. It is therefore not necessary to specify reverse rules in the ruleset for each service that is allowed through the filter in order to let the relevant return packets back in.

An IPv6 filter is similar to an IPv4 filter, but because of IPv6's own features, the design must change. This thesis discusses how to design a stateless filter and a stateful filter. The abilities of the stateless filter are as follows: dealing with multiple addresses per interface, checking the extension headers, accounting for end-to-end encryption, watching for IPv4-to-IPv6 transition mechanisms, and using TARP addresses to simplify the firewall structure. On the other hand, using the address, port, TCP sequence and window size fields together with a new field, the flow label, I designed an IPv6 stateful filter. To verify the feasibility of the flow label, I ran tests against IPv6 web sites on the Internet. The results show that using the flow label in constructing a stateful firewall is feasible. It will enhance the robustness of the firewall against spoofing attacks and injection attacks.
Keywords/Search Tags: Firewall, Stateless Filter, Dynamic Filter, Flow Label, IPv6
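The dynamic filtering described in the abstract, reduced to a state table keyed on addresses and ports with the flow label as an extra check on return packets. This is an added example, not code from the thesis. It assumes a hypothetical policy that pins the return-direction flow label on the first reply; the class and function names and the sample traffic are constructed, and the TCP sequence and window checks are left out.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

ACCEPT = "accept"
DROP_NO_STATE = "drop: no matching state"
DROP_LABEL = "drop: flow label changed"

@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int
    flow_label: int  # 20-bit IPv6 Flow Label header field

class StatefulFilter:
    """Hypothetical state table; names and policy are assumptions of this example."""

    def __init__(self):
        # (local addr, local port, remote addr, remote port) -> pinned return label
        self.state = {}

    def outbound(self, p: Packet) -> str:
        # A connection leaving the local network creates state (a dynamic rule).
        self.state.setdefault((p.src, p.sport, p.dst, p.dport), None)
        return ACCEPT

    def inbound(self, p: Packet) -> str:
        key = (p.dst, p.dport, p.src, p.sport)  # reverse of the outbound tuple
        if key not in self.state:
            return DROP_NO_STATE
        if self.state[key] is None:
            # Assumption: pin the label seen on the first return packet.
            self.state[key] = p.flow_label
            return ACCEPT
        return ACCEPT if self.state[key] == p.flow_label else DROP_LABEL

def demo():
    # Constructed sample traffic using the 2001:db8::/32 documentation prefix.
    host, web = IPv6Address("2001:db8:1::10"), IPv6Address("2001:db8:2::80")
    fw = StatefulFilter()
    return [
        fw.inbound(Packet(web, 443, host, 50000, 0x1A2B3)),   # unsolicited
        fw.outbound(Packet(host, 50000, web, 443, 0x0F00D)),  # creates state
        fw.inbound(Packet(web, 443, host, 50000, 0x1A2B3)),   # first reply, pinned
        fw.inbound(Packet(web, 443, host, 50000, 0x1A2B3)),   # same label
        fw.inbound(Packet(web, 443, host, 50000, 0x7FFFF)),   # label differs
    ]

if __name__ == "__main__":
    print(demo())
```

Pinning on the first reply is trust on first use: a packet with the correct addresses and ports that arrives before the genuine reply would set the label, so the check complements the other state fields and does not replace them.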