Research On Security-enhanced Techniques For6to4and ISATAP Tunnel In IPv6

Due to the increasingly serious problem of IPv4, IETF developed IPv6protocol,and began the migration to IPv6. Tunneling, by far the most widely used, is one ofthe transition mechanisms. The traffic of6to4and ISATAP tunnel has over the49%of the entire IPv6traffic, so the security issues of6to4and ISATAP mechanism havebeen a research focus. And the address spoofing attacks are major security threats fortunel technology, how to reduce address spoofing attacks has great significance. Thispaper mainly focused on the address spoofing attacks problems of6to4and ISATAPmechanism.First of all, this paper describes the types of address spoofing attacks which the6to4and ISATAP tunnel can Meet.The main security issues of6to4and ISATAPmechanism contains: one is the address spoofing attacks between the6to4orISATAP client and IPv6host, another is the address spoofing attacks between the6to4or ISATAP client and the6to4or ISATAP client.The former can divided intotwo parts: the address spoofing attacks between the6to4or ISATAP client and router,and the address spoofing attacks between the6to4or ISATAP router and IPv6host.Secondly, focused on these problems, this paper presents source addressverification technology, using IPSec to protect its’ keys safety, that filtering thepackets which not allow to pass the router because its’ source address not be verified,so it can reduce the illegal attacks on hosts within the domain of the tunnel.Meanwhile, it adopts IPSec to enhance security of the tunnel traffics between twotunnel hosts, which can protect the tunnel communication between each node andeffectively filter the packets forged source address which is not verified by sourceaddress verification system, so it reduces the address spoofing attacks within domain.At last, through the correctness and performance testing by comparing with theunsecured tunnel, the source address verification and using IPSec to protect thetraffics between two tunnel node can defense the tunnel against the address spoofingattacks, and reduce the packets forged source address. However, this mechanismtakes nearly100%faster in download speeds than just using IPSec protect tunnel,which even has0.012%packet loss, so it affects the users’s intended purposes.