基于包验证的面向IPv6翻译机制的IP追溯方法

doi:10.3724/SP.J.1087.2013.00926

计算机应用 ›› 2013, Vol. 33 ›› Issue (04): 926-930.DOI: 10.3724/SP.J.1087.2013.00926

基于包验证的面向IPv6翻译机制的IP追溯方法

朱田¹,²,田野¹,³,马迪¹,³,毛伟¹,²

1. 中国互联网络信息中心，北京 100190
2. 中国科学院计算机网络信息中心，北京 100190
3. 中国科学院计算机网络信息中心

收稿日期:2012-10-19 修回日期:2012-12-03 出版日期:2013-04-01 发布日期:2013-04-23
通讯作者: 朱田
作者简介:朱田（1985-），男，湖北监利人，硕士研究生，主要研究方向：下一代互联网、可信网络；田野（1979-），男，重庆人，博士，主要研究方向：下一代互联网、可信网络；马迪（1984-），男，安徽六安人，博士研究生，主要研究方向：下一代互联网、可信网络；毛伟（1968-），男，四川自贡人，研究员，博士生导师，主要研究方向：下一代互联网、网络寻址与定位。
基金资助:
国家自然科学基金资助项目（61005029）

Packet verification based traceback method for IPv6 translation mechanism

ZHU Tian¹,²,³,TIAN Ye¹,²,³,MA Di¹,²,³, ¹,²,³

1. China Internet Network Information Center, Beijing 100190, China
2. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China
3. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China

Received:2012-10-19 Revised:2012-12-03 Online:2013-04-01 Published:2013-04-23
Contact: ZHU Tian

摘要/Abstract

摘要： IP地址安全一直是互联网面临的核心问题，在IPv6过渡时期，多种IP地址分配方式，IPv6过渡技术和IP欺骗引起的IP地址不确定性向IP地址资源安全提出了挑战。新兴IPv6家庭网络、小企业网、校园网与传统IPv4网络互联互通的IPv6翻译场景是典型的IPv6过渡场景，然而，传统的IP追溯技术无法直接应用于IPv6翻译场景。基于这种现状，提出一种IP追溯方案来解决IPv6翻译场景下的IP追溯问题，该方案打通了IPv6翻译网关，实现了目的网络对源网络的可知性，进而保证了互联网的IP地址资源安全。

关键词: IP地址管理, IP追溯, IPv6过渡, 数据包验证, IPv6翻译机制

Abstract: IP address security is always a critical Internet security issue. As the transition from IPv4 to IPv6, multiple allocation modes of IP address, IPv6 translation techniques and IP spoofing increase the uncertainty of IP address of the host and the host has multiple IP addresses, which makes IP address resource more insecure. The emerging IPv6 home network, small enterprise network and campus network interconnect with traditional IPv4 network, which is typical and inevitable IPv6 translation scenario, and traditional IP traceback techniques cannot directly be applied to these scenarios. Therefore, this paper presented a new approach to solve IP traceback issue under these scenarios, which is able to go across the gateway that interconnects between IPv4 network and IPv6 network, and makes the destination network knowable for the source network. The traceback method guarantees the Internet fundamental resource safe.

Key words: IP address management, IP traceback, IPv6 transition, packet verification, IPv6 translation mechanism

中图分类号:

TP393.03

朱田田野马迪毛伟. 基于包验证的面向IPv6翻译机制的IP追溯方法[J]. 计算机应用, 2013, 33(04): 926-930.

ZHU Tian TIAN Ye MA Di. Packet verification based traceback method for IPv6 translation mechanism[J]. Journal of Computer Applications, 2013, 33(04): 926-930.

参考文献

［1］毕军，王优，冷晓翔. IPv6过渡研究综述［J］. 电信科学，2008，24(10): 12-22.

［2］BAKER F，毕军，殷康. IPv4/IPv6的共存、过渡与寻址［J］. 电信科学，2008,24(10): 30-37.

［3］BELLOVIN S, TAYLOR T. RFC 2026, ICMP traceback messages ［S］. ［S.l.］: IETF, 2003.

［4］WU S F, ZHANG L X, MASSEY D, et al. draft-wu-itrace-intention-00, Intention-driven ICMP traceback［S］.［S.l.］: IETF, 2001.

［5］SAVAGE S, WETHERALL D, KARKIN A, et al.Practical network support for IP traceback ［C］// ACM Special Interest Group Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication. New York: ACM Press, 2000: 295-306.

［6］BELENKY A, ANSARI N. Tracing multiple attackers with Deterministic Packet Marking (DPM) ［C］// IEEE Pacific Rim Conference on Communications, 2003. New York: IEEE, 2003: 49-52.

［7］BELENKY A, ANSARI N. IP traceback with deterministic packet marking ［J］。 IEEE Communications Letters, 2003, 7(4): 162-164.

［8］SNOEREN A C, PARTRIDGE C, SANCHEZ L A, et al.Hash-based IP traceback ［C］// SIGCOMM’01. New York: ACM Press, 2001:3-14.

［9］SNOEREN A C, PARTRIDGE C, SANCHEZ L A, et al. Single-packet IP traceback ［J］. IEEE/ACM Transactions on Networking, 2002, 10(6): 721-734.

［10］FERGUSON P, SENIE D. RFC 2267, Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing［S］.［S.l.］: IETF, 1998.

［11］STONE R. CenterTrack: an IP overlay network for tracking DoS floods ［C］// Proceedings of the 9th USENIX Security Symposium, 2000. Berkley: USENIX, 2000:199-212.

［12］BURCH H, CHESWICK B. Tracing anonymous packets to their approximate source ［C］// USENIX LISA ’00. Berkley: USENIX, 2000: 319-327.

［13］WU J P, BI J, LI X, et al. RFC 5210, A Source Address Validation Architecture (SAVA) testbed and deployment experience ［S］. ［S.l.］: IETF, 2008.

［14］吴建平，任罡，李星. IPv6网络自治系统间源地址验证技术研究［J］. 中国科技论文在线，2007,2(10): 715-719.

［15］吴建平，毕军. 可信任的下一代互联网及其发展［J］.中兴通讯技术，2008,14(1): 8-12.

［16］吴建平，任罡，李星. 构建基于真实IPv6源地址验证体系结构的下一代互联网［J］. 中国科学: 信息科学，2008,38(10):1583-1593.

［17］GILLIGAN R, NORDMARK E. RFC 2893, Transition mechanisms for IPv6 hosts and routers ［S］. ［S.l.］: IETF, 2000.

［18］TSIRTSIS G, SRISURESH P. RFC 2766, Network Address Translation-protocol Translation (NAT-PT) ［S］.［S.l.］: IETF, 2000.

［19］HAGEN S. IPv6精髓［M］. 北京: 清华大学出版社, 2004.

［20］SRISURESH P, EGEVANG K. RFC 3022, Traditional IP network address translator (traditional NAT) ［S］.［S.l.］: IETF, 2001.

［21］BAGNULO M, MATTHEWS P, BEIJNUM I V. RFC 6146, Stateful NAT64: network address and protocol translation from IPv6 clients to IPv4 servers ［S］.［S.l.］: IETF, 2011.

［22］NORDMARK E. RFC2765, Stateless IP/ICMP Translation Algorithm (SIIT) ［S］. ［S.l.］: IETF,2000.

［23］LI X, BAO C X, CHEN M K, et al. RFC 6219, The China Education and Research Network (CERNET) IVI translation design and deployment for the IPv4/IPv6 coexistence and transition (IVI) ［S］.［S.l.］: IETF, 2011.

［24］MANKIN A, MASSEY D, WU C L, et al. On design and evaluation of “intention-driven” ICMP traceback［C］// IEEE 10th International Conference on Computer Communications and Networks. New York: IEEE, 2001: 159-165.

［25］BURCH H, CHESWICK B. Tracing anonymous packets to their approximate source ［C］// Conference: USENIX Systems Administration Conference - LISA. Berkley: USENIX, 1999:319-327.

［26］SAGER G. Presentation at the Internet 2 working group: security fun with Ocxmon and Cflowd ［R］. San Diego: Pacific Institute for Computer Security, 1998.

［27］STRAYER W T， JONES C E，TCHAKOUNTIO F， et al. SPIE-IPv6: Single IPv6 Packet Traceback ［C］// LCN'04: Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks. Washington, DC: IEEE Computer Society, 2004:118-125.

[1]	韩国梁, 盛茂家, 包丛笑, 李星. IPv4网络与IPv6互联网的无状态通信机制[J]. 计算机应用, 2015, 35(8): 2113-2117.
[2]	杨志义李晓燕. 基于多核的IPv4/IPv6过渡技术的研究与实现[J]. 计算机应用, 2009, 29(3): 678-680.

基于包验证的面向IPv6翻译机制的IP追溯方法

Packet verification based traceback method for IPv6 translation mechanism

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

编辑推荐

Metrics