Research on a Secure DHCPv6 System Based on SAVI Technology
Published: 2018-06-20 18:46
Topic: DHCPv6 + DHCPv6 Snooping technology; Reference: Beijing Jiaotong University, master's thesis, 2014
[Abstract]: The design of the IPv6 protocol solves the address shortage that has hampered the growth of the Internet, and the security of IPv6 addresses has drawn close attention as well. The DHCPv6 protocol dynamically assigns IPv6 addresses and other configuration information to hosts, but flaws in the protocol itself allow attackers to launch attacks based on IPv6 source addresses. To prevent source address attacks, the thesis proposes a new solution, based on the deployment structure of IPv6 source address validation and the way the address itself is constructed, to secure the allocation and use of IPv6 addresses.

The thesis analyzes in depth the characteristics and security of the DHCPv6 protocol and SAVI technology, and studies the composition and generation algorithm of CGA addresses. SAVI technology has layer 2 switches in the access network snoop the DHCPv6 protocol to establish IPv6 address bindings, and filters attack packets from illegitimate users on the layer 2 switch; however, because the communicating entities are not authenticated to each other, messages remain exposed to security threats such as man-in-the-middle attacks. The CGA mechanism binds a key to the address to provide entity authentication between the address owner and the address allocator. CGA addresses, however, also have security limitations and defects, and the CGA address generation process is complex, which limits the practical application of the CGA mechanism.

Based on the results of this analysis, the thesis proposes a secure DHCPv6 system based on SAVI technology. From the perspective of the access network deployment structure for IPv6 source address validation, it introduces DHCPv6 Snooping technology and improves the CGA mechanism on top of the security that DHCPv6 Snooping provides. At an equivalent security level, the ECC encryption algorithm replaces the RSA encryption algorithm, reducing the key length; the generation of Hash2 is also improved, further reducing the length of the original message of the CGA address. Because the SHA-1 hash algorithm processes its input in blocks, the shorter message reduces the number of iterated calls of the compression function and speeds up CGA generation. In addition, we optimize the signature in the CGA generation algorithm, increasing the CGA address's resistance to attack. Finally, the thesis presents experimental tests of the secure DHCPv6 system based on SAVI technology and some of the test results, verifying the ability of DHCPv6 Snooping technology to withstand attacks from illegitimate servers and illegitimate hosts.
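The CGA generation and verification steps the abstract refers to, as an added example that is not taken from the thesis: it follows the standard RFC 3972 procedure (not the thesis's modified Hash2, whose details the abstract does not give) and counts SHA-1 compression calls per Hash2 attempt to show why a shorter public key speeds up generation. The key blobs, their sizes, the prefix and all function names are constructed assumptions.

```python
import hashlib
import os

def sha1_blocks(msg_len):
    """Compression-function calls SHA-1 needs for msg_len bytes
    (0x80 marker + 64-bit length = 9 bytes of padding, 64-byte blocks)."""
    return (msg_len + 9 + 63) // 64

def _hash2_ok(modifier, pubkey, ext, sec):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | key | ext);
    # its leftmost 16*Sec bits must be zero.
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def cga_generate(prefix, pubkey, sec=1, modifier=None, ext=b""):
    """Return (16-byte address, final modifier, Hash2 attempts)."""
    if len(prefix) != 8 or not 0 <= sec <= 7:
        raise ValueError("prefix must be 8 bytes and Sec in 0..7")
    mod = int.from_bytes(modifier or os.urandom(16), "big")
    attempts = 1
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, ext, sec):
        mod = (mod + 1) % (1 << 128)   # brute-force search over the modifier
        attempts += 1
    m = mod.to_bytes(16, "big")
    # Hash1 = leftmost 64 bits of SHA-1 over the CGA Parameters (collision count 0).
    iid = bytearray(hashlib.sha1(m + prefix + b"\x00" + pubkey + ext).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # write Sec, clear the u and g bits
    return prefix + bytes(iid), m, attempts

def cga_verify(addr, modifier, pubkey, ext=b""):
    """Recompute both hashes from the received parameters and compare."""
    h1 = hashlib.sha1(modifier + addr[:8] + b"\x00" + pubkey + ext).digest()[:8]
    mask = b"\x1c" + b"\xff" * 7            # ignore Sec, u and g bits
    if any((a ^ b) & k for a, b, k in zip(h1, addr[8:], mask)):
        return False
    return _hash2_ok(modifier, pubkey, ext, addr[8] >> 5)

# Constructed stand-ins: opaque bytes sized like DER SubjectPublicKeyInfo
# blobs for RSA-2048 (294 bytes) and ECC P-256 (91 bytes); not real keys.
RSA_KEY, ECC_KEY = b"\x30" * 294, b"\x30" * 91
PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64, documentation prefix

def blocks_per_attempt(pubkey):
    return sha1_blocks(16 + 9 + len(pubkey))  # Hash2 input length

if __name__ == "__main__":
    for name, key in (("RSA", RSA_KEY), ("ECC", ECC_KEY)):
        addr, mod, n = cga_generate(PREFIX, key, sec=1, modifier=bytes(16))
        print(name, addr.hex(), "attempts:", n,
              "SHA-1 blocks/attempt:", blocks_per_attempt(key),
              "verifies:", cga_verify(addr, mod, key))
```

With Sec = 1 the modifier search averages about 2^16 Hash2 attempts, so the per-attempt block count multiplies directly into generation time.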
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08