
Analysis And Design Of IPv6 Source Address Validation Architecture

Posted on: 2010-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: S Wan
GTID: 2178360278965636
Subject: Cryptography
Abstract/Summary:
With the development of Internet technology and the increasing popularity of the Internet, the influence of network technology on people's daily lives is increasing. People depend more and more on the Internet, while its security issues are becoming serious. Source address spoofing is one of the network threats at present.

IP address spoofing is a kind of attack based on forging the source address of packets. Attackers modify the source address of packets for the following three purposes:
1. Covering up the real address of the attacker while launching DoS/DDoS attacks, in order to prevent the victims from distinguishing normal and abnormal packets.
2. Gaining access to an unauthorized host through Man-In-The-Middle attacks.
3. Hiding the address of the attacker to prevent the victims from tracing back.

Many technologies are used for source address verification. They can be divided roughly into three categories: cryptographic verification, filtering, and tracing back. However, none of these technologies is widely deployed, because of some obvious drawbacks, for example, high error detection rate and deployment cost. Some proposals sacrifice the performance of core network equipment, and some need thorough knowledge of the whole network topology. All of the defects mentioned above are related to poor scalability and flexibility.

This paper introduces a new kind of source address verification architecture, which would protect the IPv6 network from source address spoofing attacks. The architecture is based on a new kind of IPv6 extension header, the CGA extension header, which is introduced in this paper. The CGA extension header comprises four kinds of options, which are used to bind the content of the packet, source address, public key, private key and signature. The source address is verified by checking the binding relationship above. The architecture is composed of two parts, access network filtering and terminal verification. Access network filtering would prevent the hosts in a subnet from forging not only addresses that belong to other subnets but also valid addresses in the same subnet. Terminal verification would be used when a peer needs to verify the address of the other side.

The following are the main tasks accomplished in this paper:
1. Carrying out a general investigation of the current technologies of source address verification.
2. Studying the background technologies in depth and grasping the related protocols and algorithms.
3. Accomplishing the design of the IPv6 source address verification architecture.
4. Designing, developing and testing the prototype system of the verification architecture.
5. Analyzing the security and performance of the verification architecture based on the prototype system.
Keywords/Search Tags:Internet Protocol version 6, IPv6 extension header, Cryptographically Generated Address, Source Address Verification
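
The abstract's verification rests on binding the source address to a public key. The following added example (not code from the thesis) shows that address-to-key check as RFC 3972 defines it for Cryptographically Generated Addresses. The thesis's CGA extension header layout and its signature check are not given on this page and are not modeled; the function names, the modifier, the documentation prefix and the key bytes are constructed for illustration.

```python
import hashlib
import ipaddress

# Interface-identifier bits compared with Hash1: everything except the three
# Sec bits (bits 0-2) and the u/g bits (bits 6-7), per RFC 3972.
IID_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed sample values (not from the thesis).
MODIFIER = bytes(range(16))
PREFIX = bytes.fromhex("20010db800000001")       # 2001:db8:0:1::/64
PUBLIC_KEY = b"constructed-public-key-bytes"     # placeholder, not real DER

def hash1(modifier, prefix, collision_count, public_key):
    """First 64 bits of SHA-1 over the CGA Parameters, as an integer."""
    params = modifier + prefix + bytes([collision_count]) + public_key
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def cga_generate(modifier, prefix, public_key, collision_count=0):
    """Derive a Sec=0 address; Sec > 0 needs a modifier search, not shown."""
    iid = hash1(modifier, prefix, collision_count, public_key) & IID_MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def cga_verify(address, modifier, prefix, collision_count, public_key):
    """Return True only if the address is bound to this key and parameters."""
    addr = ipaddress.IPv6Address(address).packed
    if len(modifier) != 16 or len(prefix) != 8:
        return False
    if collision_count not in (0, 1, 2) or addr[:8] != prefix:
        return False
    iid = int.from_bytes(addr[8:], "big")
    if hash1(modifier, prefix, collision_count, public_key) & IID_MASK != iid & IID_MASK:
        return False
    # Hash2 covers the modifier, nine zero octets and the key; its leftmost
    # 16*Sec bits must be zero, where Sec is the top three bits of the IID.
    sec = iid >> 61
    hash2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return hash2[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    owner = cga_generate(MODIFIER, PREFIX, PUBLIC_KEY)
    print(owner, cga_verify(owner, MODIFIER, PREFIX, 0, PUBLIC_KEY))
    # A host presenting the same address with its own key fails the check.
    print(cga_verify(owner, MODIFIER, PREFIX, 0, b"another-host-key"))
```

This check alone only shows that the address was derived from the presented key; a verifier must also check a signature made with the matching private key, which is the role the abstract gives to the signature carried in the extension header.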