Research on Extending DNS to Implement the Host Identity Protocol
Abstract
The rapid development of computer communication and computer network technology has made the limitations of the current Internet architecture increasingly apparent. Given the main problems of today's Internet, namely poor security, lack of trustworthiness, no support for mobility and weak capacity for carrying streaming-media services, together with the major requirements put forward for the next-generation Internet (trustworthy, scalable, manageable, mobile and universally accessible), research into a next-generation highly trustworthy Internet architecture and its key supporting technologies is necessary. In the current network environment there are several problems that are hard to solve; an important one is the global identity authentication and access authorization of Internet hosts. On the one hand, most Internet hosts are anonymous and their identities cannot be effectively identified or verified, which encourages arbitrary behaviour by network users. On the other hand, users' access to different network resources mostly relies on the application-level access control of those resources themselves, and there is no unified authorization and access control mechanism. At the same time, with the vigorous promotion and deployment of the IPv6 protocol, host mobility and protocol encryption will make the problem even more complex. A host's IP address can change at any time, so the IP address will no longer serve as the host's external identifier; traditional firewalls and IDS systems can no longer authenticate hosts or control user behaviour, and new attacks and illegal access methods will appear. To solve these problems, a unified identity and naming mechanism, together with corresponding authentication means, is needed to identify, authenticate and control access for any host on the CNGI network.
     This thesis first studies a new Internet name space, HI (Host Identity), as an important complement to the IP address and DNS name spaces. At the same time, a new sub-layer, the Host Identity Protocol (HIP) layer, is introduced into the current network architecture between the network layer and the transport layer. HIP meets hosts' needs for mutual authentication of the communicating parties, secure data transmission and security for mobile hosts, and as an effective secure communication framework it remedies many shortcomings of the current network architecture. With the introduction of HIP, the functions of the current DNS need to be extended to resolve the new three-part name space: DNS domain name, HI and IP address. The thesis then describes the HIP base exchange module, the HIP resolver and the extended DNS system implemented under the Linux operating system. The four-way handshake of the base exchange is discussed in detail, the security that the HIP base exchange provides in network communication is analysed, and an implementation scheme is given. For the name-resolution needs of HIP, a HIP name resolver is designed and implemented; the most popular current DNS server is analysed and extended by adding code that handles HIP resource records so that it supports HIP resolution, thereby realizing the complete HIP system. The processing of data packets and the functions and data structures used to implement some of the features are then introduced for the implemented system. Finally, the experiments on the whole system in an IPv6 test network and the analysis of the results are given.
The development of communication technology and computer networks has exposed many deficiencies of the current Internet. To address the lack of security, credibility and mobility in networks, the next-generation highly credible network architecture and its key technologies are researched to satisfy the demands for credibility, extensibility, manageability and mobility of networks.
     In a network environment with IPv4 addresses, among the many problems that have not been addressed, an important one is how to identify a computer in the global network. On the one hand, many computers are anonymous and their identities cannot be verified. On the other hand, every application has its own access control mechanism, and these do not cooperate with each other. The IP address of a host can change whenever it wants, so it cannot serve as the identity of the host. The arrival of firewalls and IDSs has not addressed this problem either.
     To address the problems mentioned above, a unified identity identification and naming mechanism is necessary. So a new name space, HI, is studied in this thesis as an important complement to the IP address and DNS name spaces. At the same time, a new sub-layer, the Host Identity Protocol, is introduced into the current network architecture between the network layer and the transport layer. The HIP protocol satisfies the demands for secure and authenticated communication. With the introduction of HIP, resolution of the three-part name structure consisting of DNS domain name, HI and IP address needs to be tackled. The implementation of the HIP base exchange under the Linux OS and the extended DNS system are then described in this thesis, and some functions and data structures are mentioned. Finally, the experiment and the analysis of its results are described.