Application of IPv6 in Campus Networks: IP Security Analysis (Page 12)

Chapter 6: Conclusion
We have implemented IPsec on a combined IPv4 and IPv6 network based on the campus network, and we will distinguish the differences between the traffic before and after IPsec was implemented. To build the platform, we will do the following:
In IPv4, we will provide DHCP, DNS, FTP, NAT, and other services.
In IPv6, we will provide NAT-PT, 6to4, address autoconfiguration, DNS, FTP, Web, and other services.
We will implement IPsec on different subnets and use capture tools to capture the data transmitted on the communication links. We will distinguish the different formats of the data before and after IPsec was implemented. Finally, we will summarize the IP security over IPv4.
6.1 The result of the lab
The platform of this lab is shown in picture 4-1. In this lab, we have the following devices:
3 routers manufactured by Huawei (AR28-31); 3 switches manufactured by Huawei (Quidway S3026); one normal hub; 3 switches manufactured by huammer; and 6 normal PCs. The Huawei routers partly support IPv6. Most of the PCs run Windows Server 2003 Enterprise Edition.
6.1.1 Design the platform
One of the PCs will provide DHCP service for the whole IPv4 network. We will apply NAT on router2's E 0/1, which will convert the private addresses (101.1.1.0/24, 102.2.2.0/24, 103.3.3.0/24) to public addresses (202.203.132.64/192). This allows the inner subnets to access the Internet. The PC that provides DHCP service also provides FTP and DNS services for the whole network. On router1, we will allocate the IPv6 addresses 2002:303:303:1::1 64 and 1::1 64 to E 0/0 and S 2/0. On router2, we will allocate the IPv6 addresses 2002:505:505::1::1 64, 1::2 64, and 2::1 64 to E 0/0, S 1/0, and S 1/1.
6.1.2 Test the platform
When the subnets can access each other, it proves that connectivity is OK.
When the inner network can use the FTP and Web services, it proves that FTP, WWW, and DNS are working. When the inner network can access the Internet, it shows that our NAT is working. When the inner network can access the FTP and Web services through IPv6 addresses, it indicates that IPv6 is working in our lab. The case of the inner network with only IPv6 addresses proves that NAT-PT is working.

6.1.3 Implement IPsec
In IPv4, we choose subnet 102.2.2.0/24 and subnet 103.3.3.0/24 to implement IPsec. We will implement IPsec on router1's interface that goes to 102.2.2.0/24. On router3, we will implement IPsec on the interface that goes to 103.3.3.0/24. In the lab, we will use tunnel mode as the IPsec mode, 3DES as the security protocol, and HMAC-MD5 as the authentication protocol.
In IPv6, we choose two PCs that belong to the same subnet to implement IPsec. We use transport mode as the IPsec mode and HMAC-MD5 as the authentication mode.
6.1.4 Analyze IPsec
In IPv4, we will compare the packets captured by the sniffer and analyze the differences before and after IPsec was implemented. We have the following results: the packets were encrypted after IPsec was implemented, so it can provide confidentiality and limited traffic flow confidentiality. We also used HMAC-MD5 as the authentication protocol, so it also provides data origin authentication. In IPv6, we use transport mode as the IPsec mode; the data is encrypted, but it can provide authentication. It also provides connectionless integrity and limited rejection of replayed packets.
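The before/after comparison of captured packets in 6.1.4 can be reproduced offline. The following is an added example, not code from the thesis: it classifies raw IP packets by what an on-link sniffer can still read. The sample packets are constructed, the tunnel endpoints 192.0.2.1 and 192.0.2.2, the host addresses and the SPI values are made up, and it assumes the IPv6 transport-mode case used the Authentication Header (AH), which the page does not state.

```python
import socket
import struct

ESP, AH = 50, 51  # IP protocol numbers for ESP (RFC 4303) and AH (RFC 4302)

def classify(pkt: bytes) -> dict:
    """Return what a sniffer on the link can read from one raw IP packet."""
    if pkt[0] >> 4 == 4:
        proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    else:  # IPv6 fixed header; other extension headers are not handled here
        proto, body = pkt[6], pkt[40:]
        src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    out = {"src": src, "dst": dst, "ipsec": None, "spi": None, "seq": None,
           "upper": proto, "visible": body}
    if proto == ESP:  # SPI and sequence number are clear; the rest is ciphertext
        out["spi"], out["seq"] = struct.unpack("!II", body[:8])
        out.update(ipsec="ESP", upper=None, visible=None)
    elif proto == AH:  # AH authenticates but does not encrypt what follows it
        nxt, plen, _, out["spi"], out["seq"] = struct.unpack("!BBHII", body[:12])
        out.update(ipsec="AH", upper=nxt, visible=body[(plen + 2) * 4:])
    return out

def ipv4(src, dst, proto, body):  # builder for constructed samples only
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body  # checksum left at 0: the packet is never sent

def ipv6(src, dst, nxt, body):  # builder for constructed samples only
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), nxt, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst)) + body

TCP = bytes(20) + b"USER alice\r\n"  # constructed: blank TCP header + FTP command
SAMPLES = {  # constructed packets; 40 filler bytes stand in for 3DES ciphertext
    "before": ipv4("102.2.2.10", "103.3.3.10", 6, TCP),
    "esp_tunnel": ipv4("192.0.2.1", "192.0.2.2", ESP,
                       struct.pack("!II", 0x1001, 1) + bytes(range(64, 104))),
    "ah_transport": ipv6("2002:303:303:1::10", "2002:303:303:1::20", AH,
                         struct.pack("!BBHII", 6, 4, 0, 0x2002, 1) + bytes(12) + TCP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

In the ESP tunnel sample only the tunnel endpoints, SPI and sequence number remain visible, which is the limited traffic flow confidentiality noted above; in the AH sample the upper-layer protocol and payload stay readable and are only integrity-protected.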
6.1.5 Conclusion
In the combined network with IPv4 and IPv6, IPsec is mandatory in IPv6, so it can support high-security data communication. In IPv4, we can apply IPsec depending on what security we want. We can choose different IPsec modes, encryption protocols, and authentication protocols. IPsec can enhance security during network transport, so it has great prospects for government networks, military networks, and commercial networks, especially with the new generation of IP.

 

 


 


 


 
Introduction of the supervising teachers
Shengyuan Xu, male, was born in 1945.
Shijun Wen, male, was born in Feb. 1976, engineer. He graduated from Southwest Forestry College (SWFC) in July 1999. He is now the deputy director of the Information and Network Center of SWFC. He planned and constructed the first project of SWFC's campus network in 2000, and planned and constructed the second project of SWFC's campus network during 2001-2003. From 2003 to now, he has been the main person responsible for the construction, management, and running of SWFC's network and for its informational construction. From 2005 to now, he has been developing the management system for SWFC's network center.

  
Acknowledgement
Thanks to my tutors Shengyuan Xu and Shijun Wen, who have guided and encouraged me to complete this project. I have learned a lot from their style during the last few years. They not only let me know how to study, but also let me know how to work and live.
Thanks to Prof. Kunrong HU and Mr. Xiaolin Wang, who taught me lessons in the past four years and solved the project's handicaps for me.
Thanks to all the teachers and friends who taught me lessons and encouraged me in the time when we were together. Your great lectures and warm help made this happen.
