Research on Security Mechanisms for Mobile IPv6 Based on NS-2
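Abstract
IPv4 is currently the accepted standard for Internet interconnection. However, as the IPv4 Internet has grown in scale and its range of applications has expanded in recent years, its limitations in address count, mobility, quality of service and security have become increasingly apparent. The Internet Engineering Task Force (IETF) therefore proposed a new-generation interconnection protocol, IPv6. With the rapid development of wireless access and communication technology, a need arose to provide network services to mobile hosts, and Mobile IPv6 emerged in response; it will gradually replace IPv4 as the network infrastructure and will have a positive and far-reaching influence on network technology. It greatly enlarges the available address space, provides a plug-and-play autoconfiguration mechanism, simplifies the header format, and adds extensions for authentication and privacy. In particular, it supports mobile IP better: in the IPv6 protocol, mobility support is mandatory rather than optional as it is in IPv4.
This thesis first introduces the evolution of the IPv6 protocol and its current status and trends in China and abroad, explains the terms and entities commonly used in Mobile IPv6, and describes in detail how Mobile IPv6 works and how its communication proceeds.
Next, it summarizes the main threats currently faced in the four processes above in Mobile IPv6 networks, and introduces and analyzes the corresponding countermeasures. The main security mechanisms of Mobile IPv6 are IPsec, the Return Routability Procedure (RRP), and Cryptographically Generated Addresses (CGA). The thesis studies the security of Mobile IPv6 in depth; it then introduces the basic content of the Mobile IPv6 protocol and focuses on the security mechanisms built on Mobile IPv6, with emphasis on secure communication among the mobile node, the correspondent node and the home agent. It analyzes the return routability mechanism and its security, proposes a security-enhanced return routability mechanism to resist the attacks described by the author, and analyzes the security of the enhanced mechanism, showing that it achieves the author's intended goal.
Finally, Mobile IPv6 communication is simulated in the NS environment, and the existing Mobiwan is extended so that it supports the current IPv6 standard well.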
IPv4 has been regarded as the standard protocol in recent Internet technology. However, with the rapid development and continued expansion of the network, several problems have come to the surface, such as a severe lack of IP addresses and insufficient support for mobility, quality of service and security. As a result, the Internet Engineering Task Force (IETF) proposed a new-generation internet protocol, IPv6. The new protocol solves these problems, especially with respect to mobility support, because mobility support is a mandatory part of IPv6 rather than an optional one as in IPv4. This paper focuses on the security of Mobile IPv6.
The first part of this paper presents research achievements in the field of Mobile IPv6 abroad and domestically, and then explains some terms and entities used in Mobile IPv6 networks. The following part analyzes the security threats to MIPv6: we simulate several common kinds of attacks in MIPv6 networks and point out the harm they cause to the user.
To solve the problems addressed above, several security mechanisms are introduced, including IPsec, which mainly protects the binding update procedure between the MN and the HA, and RRP, which is responsible for protecting the communication between the MN and the CN. In addition, we analyze the strengths and weaknesses of each mechanism.
In the final part, we introduce NS-2, an open-source simulation package, and Mobiwan, a component for MIPv6 simulation. We extended Mobiwan so that it can simulate MIPv6 according to RFC 3775. The simulation results show that our extension is successful and useful for MIPv6 simulation.
