
The Research Of Secure DHCPv6 System Based On SAVI Technology

Posted on: 2015-02-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Jiang
GTID: 2268330425488942
Subject: Computer Science and Technology
Abstract/Summary:

The introduction of the IPv6 protocol solves the address crisis that was holding back the development of the Internet, while the security of IPv6 addresses has also drawn considerable attention. The DHCPv6 protocol dynamically assigns IPv6 addresses and other configuration information to hosts, but its own defects have become the primary means by which attackers launch IPv6 source address attacks. To prevent source address attacks, strategies have been proposed concerning both the deployment structure of IPv6 source address validation and the structure of the IPv6 address itself, to secure the address allocation process and the subsequent use of the address.

First, the paper analyzes the characteristics and security of the relevant protocols and technologies, including the DHCPv6 protocol, SAVI technology, and the composition and generation algorithm of CGA addresses. SAVI establishes address-binding entries on the access network switch by snooping DHCPv6 messages and filters attack packets carrying illegitimate addresses at layer 2, but because it lacks authentication between the communicating entities, the packets remain exposed to man-in-the-middle attacks. The CGA mechanism binds the IPv6 address to a public key in order to authenticate the address owner and the address distributor. Bos analyzes the security of the CGA mechanism and verifies that CGAs are exposed to global time-memory trade-off attacks, garbage attacks and replay attacks. Moreover, the computational complexity of address generation limits the practical application of the CGA mechanism.

Based on these results, the paper proposes a DHCPv6 security system based on SAVI technology. From the perspective of the access network deployment structure of IPv6 source address validation, we improve the CGA mechanism on the basis of DHCPv6 Snooping security technology. At an equivalent level of security, we use the ECC encryption algorithm instead of the RSA encryption algorithm to reduce the key length and speed up key generation. We also improve the algorithm for generating the Hash2 value to reduce the number of iterations of the compression function in the block-based hash algorithm, which further speeds up CGA generation. In addition, the signature generation algorithm for the CGA has been optimized, which increases the resistance of CGA addresses to attack. Finally, the paper presents experimental tests and some test results.
Keywords/Search Tags: DHCPv6, DHCPv6 Snooping technology, CGA, IPv6
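The abstract refers to the composition and generation cost of CGA addresses; the following added example (not code from the thesis) implements the standard RFC 3972 generation and verification steps with SHA-1, not the improved Hash2 algorithm the thesis proposes. It assumes no extension fields, and the prefix and public-key byte strings are constructed placeholders rather than real DER-encoded keys.

```python
import hashlib
import ipaddress

def _sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

def cga_generate(prefix, pubkey, sec, modifier=0):
    """RFC 3972 section 4: return (address, final modifier, Hash2 attempts)."""
    tries = 0
    while True:
        tries += 1
        mod = modifier.to_bytes(16, "big")
        # Hash2 covers modifier | 9 zero octets | public key; its leftmost
        # 16*sec bits must be zero, which costs about 2**(16*sec) attempts.
        if _sha1(mod, bytes(9), pubkey)[:2 * sec] == bytes(2 * sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    # Hash1 covers modifier | prefix | collision count (0) | public key.
    iid = bytearray(_sha1(mod, prefix, b"\x00", pubkey)[:8])
    # Top three bits carry sec; the u and g bits (bits 6 and 7) are cleared.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return str(ipaddress.IPv6Address(prefix + bytes(iid))), modifier, tries

def cga_verify(addr, prefix, pubkey, modifier, collision_count=0):
    """RFC 3972 section 5: check that addr is bound to pubkey."""
    raw = ipaddress.IPv6Address(addr).packed
    if collision_count not in (0, 1, 2) or raw[:8] != prefix:
        return False
    mod = modifier.to_bytes(16, "big")
    hash1 = _sha1(mod, prefix, bytes([collision_count]), pubkey)[:8]
    mask = b"\x1c" + b"\xff" * 7          # ignore sec, u and g bits
    if any((a ^ b) & m for a, b, m in zip(hash1, raw[8:], mask)):
        return False
    sec = raw[8] >> 5                     # sec is read from the address itself
    return _sha1(mod, bytes(9), pubkey)[:2 * sec] == bytes(2 * sec)

# Constructed sample inputs (not from the thesis).
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
OWNER_KEY = b"constructed-owner-public-key"
OTHER_KEY = b"constructed-other-public-key"

if __name__ == "__main__":
    for sec in (0, 1):
        addr, mod, tries = cga_generate(PREFIX, OWNER_KEY, sec)
        print(sec, addr, tries, cga_verify(addr, PREFIX, OWNER_KEY, mod))
```

The attempt count returned for `sec=1` shows the Hash2 search cost that grows by a factor of 2^16 per security level, which is the generation overhead the abstract describes as limiting practical use.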