基于IPv6的IPSec协议安全机制研究

下一代互联网将是基于IPv6的,IPv6的实现必须支持IPsec,IPsec提供了两种安全机制:加密和认证。本文重点对IPsec协议安全体系结构、各部分功能及其相互间关系进行了深入分析研究,并对IPsec协议在IPv6中工作原理、实施应用问题等提出新的见解。最后总结了IPsec在基于IPv6的下一代互联网带来的安全特性和将面对的挑战。     

基于IPv6的IPsec VPN技术与应用

IPsec在Internet中属于IP层的安全协议,下一代IP协议IPv6中内嵌了对IPsec的支持.在分析IPv6协议优势的基础上,详细介绍了使用IPv6内嵌的IPsec实现VPN的关键技术—基于IPv6的IPsec协议及其体系结构、工作模式和相关机制.提出了一种在不改变现有IP本地网络环境的情况下,构建基于IPv6...     

基于TCL的IPsec协议一致性测试

IPsec协议体系是IETF制定的新一代网络安全协议标准，用于在IP层为IPv4和IPv6提供可交互操作的、高质量的、基于加密的安全．针对协议一致性测试的要求和IPsec协议体系的特点，设计了一种基于Tcl的IPv6协议体系中的IPsec协议一致性测试系统，并给出一个实例说明如何使用该系统进行测试例的开发,实践表明，该系统具有方便、灵活、模块独立性好等优点，基于Tel的一致性测试是一种有效的协议一致性测试技术．     

Ipv6环境下的网络威胁与安全机制的研究

IPv6是下一代互联网的核心协议。本文在分析了IPv6网络安全隐患分析的基础上,重点研究了IPv6的网络安全机制,包括IPsec保护通信机制、时间戳重放保护机制、虚拟专用网机制以及返回路径可达机制等,为IPv6在通信网络中的应用提供一定的参考价值。     

Implementing IPsec — making security work on VPNs,intranets and extranets: Elizabeth Kaufman and Andrew Newman

For anyone who doesn’t know, the IPsec protocols were “designed to clear the hit list of well-known security flaws in the current Internet Protocol version 4 (Ipv4) and to provide a pre-emptive strike against these same flaws in its possible replacement, the Internet protocol version 6 (Ipv6)”. So, is IPsec the answer to all our network security problems, the simple cure all, or is this too good to be true? The authors of this particular book are of the opinion that IPsec “has raised by far the most hope…as a possible cure for the widespread security problems of networks and networked applications”. But, while offering hope to those responsible for increasingly more complex networks, the authors also prudently point out that “IPsec products can wreak havoc on critical applications and other enhanced networked services.” The problem is, while IPsec can indeed provide solutions never offered before (or in a manner never offered before) interoperability problems, limitations in the base protocols and failure to address known operational conflicts could court disaster. And here is the rub: the potential havoc wreaked could leave the most ambitious of doom laden hackers crazy with envy.     

无线应用场景下基于IPsec VPN的研究与实现

随着无线局域网日益发展,无线网的安全问题倍受人们的关注。同时因特网的安全协议IPsec技术已相当成熟,将IPsec技术延伸到无线网络部分,以确保无线局域网的安全,这也是一种较好的解决方案。文中在扼要介绍虚拟专用网VPN安全机制的基础上,研究和分析了IPsec协议族的主要技术;在分析简化IPsec协议的基础上,结合具体常见的无线应用场景和IKEv2的密钥管理新技术来实现IPsec VPN;同时重点分析了无线场景下IPsec安全隧道建立的过程和协议中对数据包的处理流程;最后,指出了无线网络技术的应用前景和未来IPsec的研究方向。     

IPv6分片重组在SNORT中的实现

IPv6协议把IPSec协议作为必选的协议,保证数据在不安全的网络上进行安全传输,使网络层的安全性得到增强,但是无法有效防止针对协议本身的攻击,因此在以IPv6为基础的下一代因特网中,安全问题依然重要。本文通过讨论IP分片攻击的表现形式、IPv6分片重组机制,给出了IPv6分片重组在Snort的具体实现方案。     

纯IPv6网络环境下的应用互通技术研究

在向下一代互联网的转换中,使用户能够无感知地使用 IPv6 是一个理想的目标,而这需要网络运营商、网络内容提供商、网络设备提供商、终端厂商、互联网应用公司五方的共同合作。本研究聚焦于互联网过渡到纯 IPv6 环境下用户工作的情况,从过渡技术及相关机制、访问场景、应用需求等方面对纯 IPv6 网络应用互通进行了初步的理论性研究。在中国科技网网络环境中,构建了一个能与 IPv4 网络应用互通的纯 IPv6 实验网络环境,对不同访问机制下的主流互联网络商业应用进行测试和评价,验证了我们的研究结论的有效性。     

安全的NAT-PT转换网关的设计

基于NAT-PT的转换网关实现IPv4向IPV6过渡存在诸多的不足,且不能兼容Ipsec,IPsec是IPv6下的强制安全协议,提供网络层数据的安全。本文在分析了几种转换网关的原理及与IPsec不兼容的原因后,提出了自己兼容IPsec协议的转换网关的设计方案。     

IPv4/IPv6过渡机制的研究与实现

IPv6是面向下一代因特网的IP协议。与IPv4相比,IPv6有许多优点,例如提供更大的地址空间,提供路由聚集和即插即用等自动配置功能,因而提高了因特网的扩展性、可管理性等性能。在因特网全部采用IPv6之前,显然会存在一个需要v4和v6共存和相互通信的过渡期。在过渡期间,必须要有一整套强有力的、灵活的v4到v6过渡机制。该文对目前各种过渡机制进行了分析,重点研究了能使IPv4和IPv6直接互通的转换器NAT-PT,给出了设计的总体方案和实现过程,并在实际的网络环境下进行了测试,证明了文章实现的转换器是可行和实用的。     

Internet security architecture

Fear of security breaches has been a major reason for the business world's reluctance to embrace the Internet as a viable means of communication. A widely adopted solution consists of physically separating private networks from the rest of Internet using firewalls. This paper discusses the current cryptographic security measures available for the Internet infrastructure as an alternative to physical segregation. First the IPsec architecture including security protocols in the Internet Layer and the related key management proposals are introduced. The transport layer security protocol and security issues in the network control and management are then presented. The paper is addressed to readers with a basic understanding of common security mechanisms including encryption, authentication and key exchange techniques.     

IPv6的安全机制——IPSec协议的分析与研究

IPv6被称为下一代互联网的标准协议,它的出现标志着网络技术史上的重要升级．它将逐步取代IPv4成为网络的基础设施,并将对网络技术产生积极的影响。着重对基于IPv6的安全机制——IPsec协议进行研究,分析IPSec的基本架构,以及其中包含的三种协议——AH、ESP和IKE。通过实验,分别在Windows和Linux下实现了IPSecVPN,并验证了VPN在保护网络通信安全方面的功能,得出一些定性和定量的结论。     

Supporting next generation Internet applications today

Want to multicast real time applications over IPv4 without upgrading? Two protocols can help right now. New protocols are a response to the growing variety and volume of traffic on the Internet and intranets. The developers of IPv6 specifically refer to supporting a future in which low-power, handheld devices may tap into the Internet, as may refrigerators, soda machines, and electric meters. They acknowledge that any protocol developed will be viable only if it remains compatible with current standards and plans for incremental change-few companies can afford to change their systems all at once. Protocols such as IPv6, RSVP (Resource Reservation Protocol), and RTP (Real-Time Transport Protocol) are attempting to take the Internet into the future while meeting the needs of users today     

IPsec协议的研究和分析

IPsec设计的目的是通过身份鉴别、数据加密和数据完整性保护,使端对端用户完成安全的通信。IPsec也成为构建VPN的一个基本协议。IPsec的体系结构随着对安全问题的探索而变得越来越庞杂。文章对IPsec的框架体系进行了研究,并分析了各个部分引入的安全问题。     

基于协议分析的IPv6入侵检测系统设计

目前的网络是基于IPv4的,但是IPv4的种种局限性限制了网络的持续高速发展.IPv6较IPv4有很多优势,例如:巨大的地址空间,自动配置机制,简化的报头结构,内置IPSec,扩展报头,以及对流标签的支持等等.目前对IPv6的安全问题研究主要集中在协议本身的安全,对上层的安全问题无法保障.就IPv6提出了一种基于协议分析方法的入侵检测模型.设计出的系统可以很好的应用于IPv6环境中,还可以适用于IPv4到IPv6过渡时期.     

基于IPv6网络的4G网络系统安全研究

随着4G网络中IPv6安全机制的引进,网络层的安全性得到增强,同时,IPv6安全机制的应用对4G网络系统安全也提出了新的要求和挑战,其次基于IPv6核心网络下4G网络安全面临威胁和存在安全问题,IP技术的使用为产业带来新业务、新活力,同时为网络带来新的安全隐患。最后提出在IPv6技术是下一代互联网的核心技术下对IPv6技术分析和4G网络防范和对策。     

Towards a Secure IPv6 Autoconfiguration

ABSTRACT

Stateless Address Autoconfiguration (SLAAC) is one of the novel features introduced in IPv6 Neighbor Discovery Protocol (NDP) providing for self-configuration of nodes and supplementing the reduction of operational and deployment cost of networks. Although self-configuration elevates the idea of autonomy for network, it has also introduced vulnerabilities that require substantial solutions. The SLAAC is pivoted on the presumption that network consists of authentic and entrusted nodes, however with inception of public sector wireless networks; any node can affix to the link with trivial authentication and situation changes radically. Although some security extensions like IPsec or SeND have been proposed, but these security protocols have been reported to have serious limitations like complex cryptographic algorithms which negate their adoption. This paper revisits the stateless auto configuration process and discusses its inherent vulnerabilities. The paper surveys existing research and available defense mechanisms available to protect SLAAC. The paper also suggests some guidelines from existing literature which can further promote and supplement the research to secure the auto configuration process. Finally, a novel technique is proposed for securing IPv6 link layer communication against DoS and Man-in-the-Middle attack which can be used as an alternate approach for CGA and SeND protocol.     

A unified and flexible solution for integrating CRL and OCSP into PKI applications

Public key certificates (PKCs) are used nowadays in several security protocols and applications, so as to secure data exchange via transport layer security channels, or to protect data at the application level by means of digital signatures. However, many security applications often fail to manage properly the PKCs, in particular when checking their validity status. These failures are partly due to the lack of experience (or training) of the users who configure these applications or protocols, and partly due to the scarce support offered by some common cryptographic libraries to the application developers. This paper describes the design and implementation of a light middleware dealing with certificate validation in a unified way. Our middleware exploits on one side the libraries that have already been defined or implemented for certificate validation, and it constructs a thin layer, which provides flexibility and security features to the upper layer applications. In our current approach, this layer boasts an integrated approach to support various certificate revocation mechanisms, it protects the applications from some common security attacks, and offers several configuration and performance options to the programmers and to the end users. We describe the architecture of this approach as well as its practical implementation in the form of a library based on the famous OpenSSL security library, and that can be easily integrated with other certificate‐aware security applications. Copyright © 2009 John Wiley & Sons, Ltd.     

基于IPv6的防火墙设计

IPv是下一代的IP协议,它的提出解决了现有协议的一些安全问题,它可在网络层支持对每个分组的认证和加密,它的应用将对现有的防火墙机制产生影响。文中介绍了基于IPv6协议的防火墙的设计,并对常见的三类防火墙系统进行了改进。改进后的系统除了具有目前防火墙系统的分组过滤和应用代理等功能外,还能够实现对IP数据报的源地址的认证,分组内容的完整性检验,以及对分组的加解密。