Application of IPv6 in Campus Networks: IP Security Analysis, page 4

Figure 2-3: IPv6 extension headers
Extension Headers Order
Extension headers are processed in the order in which they appear in the packet. Because the Hop-by-Hop Options header is the only extension header that every node on the path must process, it has to come first. There are similar rules for the other extension headers. RFC 2460 recommends that extension headers be placed after the IPv6 header in the following order:
1. Hop-by-Hop Options header
2. Destination Options header (for intermediate destinations when the Routing header is present)
3. Routing header
4. Fragment header
5. Authentication header
6. Encapsulating Security Payload header
7. Destination Options header (for the final destination)
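To make the ordering rules concrete, the following is an added example (not part of the original thesis) that walks the extension-header chain of a constructed IPv6 packet and checks it against the RFC 2460 recommended order, flagging a Hop-by-Hop Options header that is not first. The packet builder and the per-header length rules are assumed from the RFC 2460 / RFC 4302 header formats; the protocol numbers are the IANA values.

```python
import struct
# IANA numbers of the IPv6 extension headers and the RFC 2460 recommended order
HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP = 0, 60, 43, 44, 51, 50
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]
EXT_HEADERS = {HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP}

def build_packet(chain, upper=6):
    """Constructed sample: minimal IPv6 packet (zero addresses) carrying the
    extension headers in `chain`, ending at upper-layer protocol `upper` (6 = TCP)."""
    types = chain + [upper]
    body = b""
    for i, h in enumerate(chain):
        nh = types[i + 1]                     # Next Header field points at the following header
        if h == AH:
            body += bytes([nh, 1]) + b"\x00" * 10   # Payload Len 1 -> (1 + 2) * 4 = 12 octets
        elif h == ESP:
            body += b"\x00" * 8                     # SPI + sequence number; rest is encrypted
        else:
            body += bytes([nh, 0]) + b"\x00" * 6    # HBH/DstOpts/Routing/Fragment: 8 octets
    fixed = b"\x60\x00\x00\x00" + struct.pack("!HBB", len(body), types[0], 64) + b"\x00" * 32
    return fixed + body

def walk_extension_headers(packet):
    """Return the extension header types in wire order (stops at ESP or the upper layer)."""
    next_hdr, offset, chain = packet[6], 40, []   # Next Header of the 40-octet fixed header
    while next_hdr in EXT_HEADERS and offset + 2 <= len(packet):
        chain.append(next_hdr)
        if next_hdr == ESP:                       # ESP payload is opaque; cannot walk further
            break
        nh, ext_len = packet[offset], packet[offset + 1]
        hdr_len = (8 if next_hdr == FRAGMENT else            # Fragment: fixed 8 octets
                   (ext_len + 2) * 4 if next_hdr == AH else  # AH: 4-octet units, minus 2
                   (ext_len + 1) * 8)                        # others: 8-octet units after first 8
        next_hdr, offset = nh, offset + hdr_len
    return chain

def check_order(chain):
    """List violations of the recommended ordering, e.g. Hop-by-Hop not first."""
    problems = []
    if HOP_BY_HOP in chain[1:]:                   # only every-node header; must be first, once
        problems.append("Hop-by-Hop Options header must be first and appear only once")
    pos = 0
    for h in chain:                               # greedy match against the recommended sequence
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != h:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            return problems + [f"header {h} out of recommended order"]
        pos += 1
    return problems
```

A filter or IDS that walks the chain this way can also reject packets whose chain is truncated or looped before any upper-layer inspection is attempted.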
Chapter 3: The development status of IPv6 and IP security analysis
3.1 Development status in other countries
2003 and early 2004 witnessed Asian countries allocating millions for IPv6-capable networks. China's major carriers are deploying the China Next Generation Internet (CNGI), with completion expected by 2005. In 2003, Japan's NTT became the first Japanese commercial ISP to offer IPv6 service. This service was offered in Japan, Europe and the US. In the US, NTT's IPv6 traffic could be exchanged with any network (commercial or corporate) at the PAIX, Equinix, or S-IX exchange points. Japan's government allocated $18 million in 2003 to roll out IPv6-capable networks by 2005. Taiwan plans to spend $78 million (US) on networks to be deployed by 2007. In 2003, South Korea announced plans to spend 83.6 billion won ($72 million US) to deploy IPv6-capable networks by 2011. These planned expenditures have helped spur commercial vendors to provide IPv6 service.
During 2003, the United States saw continued steps toward deployment of IPv6. In June 2003 John Stenbit, the Chief Information Officer of the US Department of Defense (DoD), announced a move to IPv6 for all future systems. At the February 2004 NANOG meeting, Jay Adelson of Equinix indicated that Apple was content to peer over IPv6 across the Equinix exchange point. However, the actual traffic between all participants using the IPv6 service (NTT, Hurricane Electric, Tiscali, Japan Telecom, etc.) was still pretty small.

3.2 Development status in China
Since the 1990s, universities, vendors and operators in China have tracked and paid attention to the development of IPv6 technology, invested in IPv6 research and development, and built IPv6 testbeds and experimental networks one after another, such as 6TNet (IPv6 Telecom Trial Network), the next-generation IP telecommunication experimental network; the Hunan IPv6 experimental network; the IPv6 experimental network of CERNET (the China Education and Research Network); the Academia IPv6 demonstration network; and so on. Among these, the Hunan IPv6 experimental network is at present China's only commercial IPv6 experimental network and leads the domestic exploration of commercial IPv6 services; 6TNet, the next-generation IP telecommunication experimental network, was China's first, and is currently its largest, commercially oriented IPv6 experimental network.
On April 5, 2005, a top-level IPv6 forum was held in Beijing, China. This shows that China's IPv6 development has been recognized by other countries, and that China will invest ever more effort in researching and developing IPv6 technology.
3.3 Security analysis of the Internet protocol
Attacks on the security of a computer system or network are best characterized by viewing the function of the computer system as providing information. In general, there is a flow of information from a source, such as a file or a region of main memory, to a destination, such as another file or a user. This normal flow is depicted in figure 1.1a. The remaining parts of the figure show the following four general categories of attacks:
Figure 3-1
Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability. Examples include the destruction of a piece of hardware, such as a hard disk, the cutting of a communication line, or the disabling of the file management system.
Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer. Examples include wiretapping to capture data in a network, and unauthorized copying of files or programs.
Modification: An unauthorized party not only gains access to an asset but tampers with it. This is an attack on integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of messages being transmitted in a network.
Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. Examples include the insertion of spurious messages in a network or the addition of records to a file.
A useful categorization of these attacks is in terms of passive attacks and active attacks.
Figure 3-2
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
The release of message contents is easily understood. A telephone conversation, an electronic mail message, or a transferred file may contain sensitive or confidential information. We would like to prevent the opponent from learning the contents of these transmissions.
The second passive attack, traffic analysis, is more subtle. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured a message, could not extract the information from it. The common technique for masking contents is encryption. Even with encryption in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of the data. However, it is feasible to prevent the success of these attacks. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
Active attacks
The second major category of attack is active attacks. These attacks involve some modification of the data stream or the creation of a false stream, and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of
