The Application of IPv6 in Campus Networks: IP Security Analysis (Page 2)

Chapter 1: Preface
1.1 IP security overview
When IPv4 was designed, its designers did not anticipate that the Internet would grow so quickly or be used so widely, so they did not address the security of the data being transmitted, and network attacks became more and more common. In response to these issues, the Internet Architecture Board (IAB) made authentication and encryption required security features of the next-generation IP, which was issued as IPv6 (the IAB's recommendation dates from 1994, RFC 1636; the resulting IPsec specifications, RFC 2401 and its companions, were published in 1998). These security capabilities were designed to be usable with both IPv4 and IPv6, which means that vendors could offer them without waiting for IPv6, and many vendors now have some IPsec capability in their products.
1.2 Research context
We have implemented IPsec on a mixed IPv4/IPv6 network built on the campus network, and compare the traffic before and after IPsec is applied. To build the platform we do the following:
In IPv4, we provide DHCP, DNS, FTP and NAT services.
In IPv6, we provide NAT-PT, 6to4, stateless address autoconfiguration, DNS, FTP and web services.
We implement IPsec between different subnets and capture the data transmitted on the links with a packet capture tool. We compare the format of the captured data before and after IPsec is applied. Finally, we summarize IP-layer security as provided over IPv4 and IPv6.
1.3 Lab results
The lab platform is shown in figure 4-1. The lab uses the following devices:
3 Huawei AR28-31 routers; 3 Huawei Quidway S3026 switches; one ordinary hub; 3 huammer switches; and 6 ordinary PCs. The Huawei routers offer partial IPv6 support. Most of the PCs run Windows Server 2003 Enterprise Edition.
1.3.1 Designing the platform
One PC provides DHCP service for the whole IPv4 network. NAT is configured on router2's interface E0/1, translating the internal addresses (101.1.1.0/24, 102.2.2.0/24, 103.3.3.0/24) to the public range 202.203.132.64/26 (netmask 255.255.255.192), so that the inner subnets can reach the Internet. (Note that these internal prefixes are not RFC 1918 private space; the lab simply treats them as internal.) The same PC that provides DHCP also provides FTP and DNS service for the whole network. On router1 we assign the IPv6 addresses 2002:303:303:1::1/64 to E0/0 and 1::1/64 to S2/0. On router2 we assign 2002:505:505:1::1/64, 1::2/64 and 2::1/64 to E0/0, S1/0 and S1/1 respectively. (2002::/16 is the 6to4 prefix: 2002:303:303::/48 encodes the IPv4 address 3.3.3.3 and 2002:505:505::/48 encodes 5.5.5.5.)
1.3.2 Testing the platform
When the subnets can reach each other, connectivity is confirmed.
When the inner network can use the FTP and web services, the FTP, WWW and DNS services are confirmed to work. When the inner network can reach the Internet, NAT is confirmed to work. When the inner network can reach the FTP and web services by IPv6 address, IPv6 is confirmed to work in our lab. When an inner host that has only an IPv6 address can reach the IPv4 services, NAT-PT is confirmed to work.

1.3.3 Implementing IPsec
In IPv4, we choose subnets 102.2.2.0/24 and 103.3.3.0/24 for IPsec. On router1 we apply IPsec on the interface facing 102.2.2.0/24, and on router3 on the interface facing 103.3.3.0/24. In this lab we use tunnel mode, ESP with 3DES as the encryption algorithm (ESP is the IPsec protocol that provides encryption; 3DES is an algorithm rather than a protocol), and HMAC-MD5 as the authentication algorithm.
In IPv6, we choose two PCs in the same subnet for IPsec. We use transport mode, with HMAC-MD5 as the authentication algorithm and no encryption.
1.3.4 Analysing IPsec
In IPv4, we compare the packets captured by the sniffer before and after IPsec is applied. The results: after IPsec the packets are encrypted, which provides confidentiality and limited traffic-flow confidentiality (the sniffer sees only the outer tunnel addresses, the ESP SPI and sequence number, and opaque ciphertext). Because HMAC-MD5 is used as the authentication algorithm, it also provides data origin authentication. In IPv6, we use transport mode with authentication only: the data is not encrypted, but it is authenticated. This provides data origin authentication, connectionless integrity, and limited rejection of replayed packets (the receiver's anti-replay window rejects a sequence number it has already accepted).
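As an added example (not the paper's own code or configuration), the Python below models what the IPv6 transport-mode experiment relies on: an AH-style header authenticated with HMAC-MD5-96 and the receiver's sliding anti-replay window, plus a small view of which ESP fields a sniffer can read in the IPv4 tunnel-mode case. The key, SPI and payload are constructed for the example, and for brevity the ICV covers only the AH header and payload rather than also the immutable outer IP header fields that real AH includes.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12       # HMAC-MD5-96: the 16-byte HMAC-MD5 tag truncated to 96 bits (RFC 2403)
AH_FIXED = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number

# Constructed for this example; not a key, SPI or capture from the lab.
KEY = b"campus-lab-hmac-md5-key"
SPI = 0x00001000


def ah_icv(ah_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over the AH header (ICV bytes zeroed) and the payload.
    Simplification: real AH also covers the immutable outer IP header fields."""
    mac = hmac.new(key, ah_hdr + bytes(ICV_LEN) + payload, hashlib.md5)
    return mac.digest()[:ICV_LEN]


def build_ah(next_header: int, seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402): (12 + 12) / 4 - 2 = 4
    hdr = struct.pack("!BBHII", next_header, (AH_FIXED + ICV_LEN) // 4 - 2, 0, SPI, seq)
    return hdr + ah_icv(hdr, payload, key) + payload


class ReplayWindow:
    """Sliding anti-replay window (RFC 2401 Appendix C): track the highest
    sequence number accepted (right edge) and a bitmap of the last `size`
    numbers. Numbers left of the window or already marked are rejected."""

    def __init__(self, size: int = 64):
        self.size, self.right, self.bitmap = size, 0, 0

    def is_acceptable(self, seq: int) -> bool:
        if seq == 0:                 # the first valid sequence number is 1
            return False
        if seq > self.right:         # a new high is always acceptable
            return True
        diff = self.right - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def mark(self, seq: int) -> None:
        """Update the window; called only after the ICV has verified."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


def receive_ah(packet: bytes, window: ReplayWindow, key: bytes = KEY):
    """Receiver side: replay pre-check, then ICV check, then window update.
    Returns (accepted, reason, payload)."""
    if len(packet) < AH_FIXED + ICV_LEN:
        return False, "truncated", b""
    hdr = packet[:AH_FIXED]
    icv = packet[AH_FIXED:AH_FIXED + ICV_LEN]
    payload = packet[AH_FIXED + ICV_LEN:]
    _next_header, _plen, _reserved, spi, seq = struct.unpack("!BBHII", hdr)
    if spi != SPI:
        return False, "unknown SPI", b""
    if not window.is_acceptable(seq):
        return False, "replay or outside window", b""
    if not hmac.compare_digest(icv, ah_icv(hdr, payload, key)):
        return False, "ICV mismatch", b""
    window.mark(seq)
    return True, "ok", payload


def esp_visible_fields(esp_packet: bytes) -> dict:
    """What a sniffer sees of an ESP packet (protocol 50): only SPI and sequence
    number are in the clear; payload, padding and next header are ciphertext."""
    spi, seq = struct.unpack("!II", esp_packet[:8])
    return {"spi": spi, "seq": seq, "opaque_bytes": len(esp_packet) - 8}


def demo():
    """Constructed exchange: ordered, delayed, replayed and tampered AH packets.
    Returns a list of (sequence number, receiver verdict)."""
    window = ReplayWindow()
    payload = b"ICMPv6 echo request (constructed)"
    results = []
    for seq in (1, 2, 3, 5):                                   # in order, one lost
        results.append((seq, receive_ah(build_ah(58, seq, payload), window)[1]))
    results.append((3, receive_ah(build_ah(58, 3, payload), window)[1]))     # replayed 3
    results.append((4, receive_ah(build_ah(58, 4, payload), window)[1]))     # late but new
    tampered = build_ah(58, 6, payload)
    tampered = tampered[:-1] + bytes([tampered[-1] ^ 0x01])                  # flip a payload bit
    results.append((6, receive_ah(tampered, window)[1]))                     # integrity failure
    results.append((200, receive_ah(build_ah(58, 200, payload), window)[1]))  # window slides
    results.append((100, receive_ah(build_ah(58, 100, payload), window)[1]))  # now left of window
    return results


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

Note the ordering in receive_ah: the window is consulted before the ICV is computed (so a flood of replays costs no HMAC work) but only updated after the ICV verifies, otherwise an attacker could advance the window with forged sequence numbers and cause genuine packets to be dropped.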
1.3.5 Conclusion
In a mixed IPv4/IPv6 network, IPsec support is mandatory for IPv6 implementations (mandatory to implement, not mandatory to use), so IPv6 can readily support high-security data communication. In IPv4, IPsec is applied as needed, depending on the security required: one can choose between tunnel and transport mode and between different encryption and authentication algorithms. IPsec strengthens security in transit across the network, so it has good prospects in government, military and commercial networks, especially with the new generation of IP.
Chapter 2: Introduction to the Internet Protocol (IP)
The role of the Internet Protocol
An Internet Protocol (IP) provides the functionality for interconnecting end systems across multiple networks. For this purpose, IP is implemented in each end system and in routers, which are devices that provide connection between networks. Higher-level data at a source end system are encapsulated in an IP protocol data unit (PDU) for transmission. This PDU is then passed through one or more networks and connecting routers to reach the destination end system.
2.1 IPv4 header format
For decades, the keystone of the TCP/IP protocol architecture has been the Internet Protocol (IP) version 4. Figure 2-1 shows the IPv4 header format, which is a minimum of 20 octets, or 160 bits. The fields are:
Figure 2-1: IPv4 header format
Version (4 bits): Indicates the version number, to allow evolution of the protocol; the value is 4.
Internet Header Length (IHL) (4 bits): Length of the header in 32-bit words. The minimum value is five, for a minimum header length of 20 octets.
Type of Service (8 bits): Provides guidance to end-system IP modules and to routers along the packet's path in terms of the packet's relative priority. (This octet has since been redefined as a 6-bit Differentiated Services field plus 2 ECN bits.)
Total Length (16 bits): Total IP packet length, header included, in octets.
Identification (16 bits): A sequence number that, together with the source address, destination address, and user protocol, is intended to identify a packet uniquely. Thus the identifier must be unique for a given source address, destination address, and user protocol for as long as the packet may remain in the internet.
Flags (3 bits): Only two of the bits are currently defined. When a packet is fragmented, the More Fragments (MF) bit indicates whether further fragments follow, so a cleared MF bit marks the last fragment of the original packet. The Don't Fragment (DF) bit prohibits fragmentation when set. This bit may be useful if it is known that the destination cannot reassemble fragments. However, if the bit is set, the packet will be discarded if it exceeds the maximum packet size of a subnetwork en route (the router returns an ICMP Destination Unreachable/Fragmentation Needed message, which is what path MTU discovery relies on). Therefore, if the bit is set, it may be advisable to use source routing to avoid subnetworks with a small maximum packet size.
Fragment Offset (13 bits): Indicates where in the original packet this fragment belongs, measured in 64-bit (8-octet) units. This implies that fragments other than the last must contain a data field that is a multiple of 64 bits in length.
Time to Live (8 bits): Specifies how long, in seconds, a packet is allowed to remain in the internet. Every router that processes a packet must decrease the TTL by at least one, so in practice the TTL is a hop count; a packet whose TTL reaches zero is discarded.
Protocol (8 bits): Indicates the next higher-level protocol that is to receive the data field at the destination; thus this field identifies the type of the next header in the packet after the IP header (for example 1 for ICMP, 6 for TCP, 17 for UDP, 50 for ESP and 51 for AH).
Header Checksum (16 bits): An error-detecting code applied to the header only. Because some header fields may change during transit (e.g., Time to Live and the fragmentation-related fields), it is verified and recomputed at each router. The checksum is the ones' complement of the ones' complement sum of all 16-bit words in the header; for the computation, the checksum field itself is initialized to zero. It detects accidental corruption only and offers no protection against deliberate modification.
Source Address (32 bits): Coded to allow a variable allocation of bits to specify the network and the end system attached to that network.
Destination Address (32 bits): Same characteristics as the source address.
Options (variable): Encodes the options requested by the sending user; these may include security label, source routing, record route, and timestamp.
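The following Python is an added worked example, not code from the paper: it assembles an IPv4 header with the fields listed above, dissects one back into those fields, verifies the header checksum the way a router does, and performs a router's TTL-decrement-and-recompute step. The packets are constructed here (hosts 102.2.2.10 and 103.3.3.10 are assumed addresses inside the lab's subnets), not captures from the lab.

```python
import struct
import ipaddress


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones' complement of the ones' complement
    sum of all 16-bit words (an odd trailing byte is padded with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                    # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, *, ttl=64, ident=0x1C46,
                      df=False, mf=False, frag_off=0, tos=0, options=b""):
    """Assemble an IPv4 header with a correct checksum. Options are padded to a
    32-bit boundary as RFC 791 requires; frag_off is in 8-octet units."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    flags = (int(df) << 1) | int(mf)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, tos, ihl * 4 + payload_len, ident,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Dissect the fields of Figure 2-1 and verify the checksum by recomputing
    over the received header: a correct header recomputes to zero."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    hlen = ihl * 4
    if ihl < 5 or len(packet) < hlen:
        raise ValueError("bad IHL %d" % ihl)
    flags = flags_frag >> 13
    return {
        "version": version, "ihl": ihl, "header_len": hlen,
        "dscp": tos >> 2, "ecn": tos & 0x3,
        "total_length": total_len, "identification": ident,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,     # stored in 8-octet units
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "checksum_ok": checksum(packet[:hlen]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:hlen],
    }


def router_forward(packet: bytes) -> bytes:
    """The per-hop TTL/checksum step: verify, decrement TTL, discard a packet
    that would expire (a real router also sends ICMP Time Exceeded), recompute."""
    info = parse_ipv4_header(packet)
    if not info["checksum_ok"]:
        raise ValueError("header checksum failed; packet discarded")
    if info["ttl"] <= 1:
        raise ValueError("TTL expired; packet discarded")
    hlen = info["header_len"]
    hdr = bytearray(packet[:hlen])
    hdr[8] -= 1                               # TTL
    hdr[10:12] = b"\x00\x00"                  # zero the checksum before recomputing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[hlen:]


# Constructed samples (assumed hosts in the lab's 102.2.2.0/24 and 103.3.3.0/24):
# 64 bytes of ICMP (protocol 1) with DF set, and the same with a Router Alert option.
SAMPLE = build_ipv4_header("102.2.2.10", "103.3.3.10", proto=1, payload_len=64, df=True)
WITH_OPTIONS = build_ipv4_header("102.2.2.10", "103.3.3.10", proto=1, payload_len=64,
                                 options=bytes.fromhex("94040000"))

if __name__ == "__main__":
    for name, pkt in (("plain", SAMPLE), ("with options", WITH_OPTIONS)):
        print(name, parse_ipv4_header(pkt))
    print("after one hop", parse_ipv4_header(router_forward(SAMPLE))["ttl"])
```

A decremented TTL without a recomputed checksum fails verification, which is why every router must redo the sum; the same property means the checksum offers no integrity guarantee against an attacker, who simply recomputes it after altering the header.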


Copyright © 2007-2012 www.chuibin.com 六维论文网. All rights reserved.