Design and Implementation of a Campus Network Firewall Based on Dual-Stack Technology
Published: 2018-05-09 12:41
Topic: firewall + IPv6. Reference: University of Electronic Science and Technology of China, master's thesis, 2014
[Abstract]: As the exhaustion of the IPv4 address space and its other drawbacks become apparent, IPv6 adoption is accelerating. Our university took the opportunity of relocating to a new campus and expanding its network to carry out a network upgrade that provides IPv4 access to the public Internet and IPv6 access to the education network (CERNET). Designing a firewall scheme that protects the network under both IPv4 and IPv6 was therefore put on the agenda. This thesis takes a firewall that supports the IPv4/IPv6 dual-stack protocol as its research subject and focuses on mixed routing under dual stack, iptables under IPv4 and ip6tables under IPv6, and firewall performance tuning. The main research content is divided into five parts. First, after a brief introduction to IPv6, the commonly used IPv4-to-IPv6 transition technologies are discussed: dual stack, tunneling and translation mechanisms. The choice of a dual-stack firewall in the campus network upgrade scheme is then justified. Next, the mixed routing problem under dual stack is addressed: mixed routing on the firewall is analyzed and designed using policy routing, which lays a technical foundation for load balancing later and leaves room for upgrades. The open-source Quagga routing suite is also installed on the firewall to provide IPv6 routing as the network grows and its topology becomes more complex, again leaving headroom for future upgrades. Then, starting from the network and transport layers and based on protocol principles, attack methods are analyzed from four aspects: packet header structure, the protocol itself, authentication, and traffic. Although IPv6 solves the IPv4 address-space problem and its protocol improvements eliminate some attacks on authentication and traffic, the layered network model is the same, which means attacks can to a large extent reuse and extend IPv4 techniques; the IPv6 security situation is therefore not optimistic. Firewall scripts are designed and written for iptables under IPv4 and for ip6tables under IPv6, and the completed policies are tested with TCP and UDP traffic respectively. After every firewall module passed its functional tests, functional testing of the whole machine on the campus network began, followed by firewall optimization; IPsec functionality was added with Openswan as the platform. The tuning work implemented stateful inspection of UDP, TCP, ICMP and FTP sessions; stateful inspection of packets translated between IPv4 and IPv6; handling of extension headers (EH), namely the routing, hop-by-hop, options and fragment headers; and port-to-application mapping (PAM), which lets network administrators customize the TCP and UDP ports in use and so enforce content-based access control even across a wider range of ports.
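The dual-stack ruleset the abstract describes (iptables for IPv4, ip6tables for IPv6, stateful TCP/UDP/ICMP/FTP inspection, extension-header handling, and an allowance for Quagga's routing traffic), as an added example that is not the thesis's own script. The interface names eth0/eth1/eth2, the campus ranges 10.0.0.0/16 and 2001:db8:1::/48, the management host 10.0.1.10 and the use of OSPFv3 as Quagga's routing protocol are assumptions made for illustration. The rules are emitted in iptables-restore format so they can be reviewed, or parsed with `--test`, before touching a live firewall.

```shell
#!/bin/sh
# Added example, not the thesis's own script: emit dual-stack rulesets in
# iptables-restore / ip6tables-restore format. Interface names, address
# ranges and the management host below are assumptions for illustration.
WAN4=eth0              # IPv4 uplink to the public Internet (assumed)
WAN6=eth1              # IPv6 uplink to the education network (assumed)
LAN=eth2               # campus-facing interface (assumed)
LAN4=10.0.0.0/16       # campus IPv4 range, NATed on the way out (assumed)
LAN6=2001:db8:1::/48   # campus IPv6 prefix (assumed, documentation prefix)
MGMT4=10.0.1.10        # host allowed to SSH into the firewall (assumed)

ipv4_ruleset() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Bind the FTP helper explicitly: kernels since 4.7 no longer attach helpers
# automatically, so FTP data connections would otherwise be classified INVALID.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN4 -o $WAN4 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: campus source addresses never legitimately arrive on the uplink.
-A INPUT -i $WAN4 -s $LAN4 -j DROP
-A FORWARD -i $WAN4 -s $LAN4 -j DROP
# Stateful core: replies to tracked TCP/UDP/ICMP sessions and helper-opened FTP
# data channels are ESTABLISHED/RELATED; what conntrack cannot place is dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -i $LAN -s $MGMT4 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN4 -s $LAN4 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

ipv6_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Extension headers: the deprecated Type 0 routing header (RFC 5095) is an
# amplification vector; non-final fragments shorter than the IPv6 minimum MTU
# are a classic header-chain evasion (hardening choice, not an RFC requirement).
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A INPUT -m frag --fragmore -m length --length 0:1279 -j DROP
-A FORWARD -m frag --fragmore -m length --length 0:1279 -j DROP
-A INPUT -i $WAN6 -s $LAN6 -j DROP
-A FORWARD -i $WAN6 -s $LAN6 -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
# Unlike IPv4, ICMPv6 cannot be blanket-dropped: types 1-4 include Packet Too
# Big, which path MTU discovery needs both to and through the firewall.
for t in 1 2 3 4; do
  echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
  echo "-A FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
done
# Neighbor Discovery replaces ARP; genuine NDP is link-local with hop limit 255,
# so anything that crossed a router (hop limit below 255) is rejected.
for t in 133 135 136; do
  echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
done
cat <<EOF
# Router Advertisements only from the uplink's link-local router (rogue-RA guard).
-A INPUT -i $WAN6 -s fe80::/10 -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Quagga speaking OSPFv3 (IP protocol 89) from link-local on the campus side (assumed).
-A INPUT -i $LAN -s fe80::/10 -p 89 -j ACCEPT
-A FORWARD -i $LAN -o $WAN6 -s $LAN6 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

apply_rulesets() {
  modprobe nf_conntrack_ftp          # helper named by the raw-table CT rule
  ipv4_ruleset | iptables-restore
  ipv6_ruleset | ip6tables-restore
}

case "${1:-}" in
  print) ipv4_ruleset; ipv6_ruleset ;;
  check) ipv4_ruleset | iptables-restore --test && ipv6_ruleset | ip6tables-restore --test ;;
  apply) apply_rulesets ;;
  *)     echo "usage: $0 print|check|apply" >&2 ;;
esac
```

`sh fw.sh check` lets iptables-restore and ip6tables-restore parse the generated tables without loading them; `apply` installs them, after which FTP data channels are accepted as RELATED because the raw-table CT rule names the helper. Note the deliberate asymmetry between the two stacks: the IPv4 side can treat ICMP as optional, while the IPv6 side must admit the Neighbor Discovery and Packet Too Big messages listed, or hosts behind the firewall lose neighbour resolution and path MTU discovery.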
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year awarded]: 2014
[Classification]: TP393.18; TP393.08