"Taiwan IPv6 Deployment and Development Program", FY92 (2003) Mid-term Progress Report: Research and Development Sub-program
Posted on 19-Dec-2015

Sub-project 1: Research on Next-Generation Internet Mobility Environments and Information Appliance Technologies
Sub-project 1 leaders: 黃能富 (National Tsing Hua University) and 陳耀宗 (National Chiao Tung University)

Component projects:
1. Design and implementation of a real-time, QoS-guaranteed routing protocol on an integrated IPv6 mobile ad hoc network (MANET). National Chung Cheng University: 黃仁竑, 陳裕賢
2. Design and implementation of a home-network proxy server using IPv6 multihoming. National Cheng Kung University: 黃崇明, 許政穆
3. Research and development of attack, defence and cryptographic modules for IPv6 networks. National Cheng Kung University: 賴溪松, 曾龍
4. Design and implementation of IPv6 security mechanisms combined with IC (smart) cards. National Kaohsiung Normal University: 楊中皇
5. Prototype service system for IPv6 access over xDSL. Chunghwa Telecom Laboratories: 鄭石源
Prototype System for Mobile IPv6 over MANET
Principal investigators: 陳裕賢 (Associate Professor) and 黃仁竑 (Professor), Department of Computer Science and Information Engineering, National Chung Cheng University
Outline
Part I: How Mobile IPv6 over MANET works
- Why is "Mobile IPv6 over MANET" needed?
- The key differences between Mobile IPv4 over MANET and Mobile IPv6 over MANET
- The difficulty of implementing Mobile IPv6 over MANET
Part II: Architecture of the Mobile IPv6 over MANET prototype system

Part I: How Mobile IPv6 over MANET works
1. Why is "Mobile IPv6 over MANET" needed?
[Figure, two slides: laptops attached to access points (AP) that hang off the Internet backbone; the second slide adds a laptop with no AP of its own, the multi-hop case a MANET covers.]
2. The key differences between Mobile IPv4 over MANET and Mobile IPv6 over MANET
[Figure: Mobile IPv4 operation on an IPv4 Internet. MN1 (home address 140.123.1.15 on subnet 140.123.1.0) moves from the Home Agent (HA) to the Foreign Agent (FA) on subnet 140.123.2.0 and obtains the care-of address (CoA) 140.123.2.10. The HA records the binding between MN1's home address and the CoA. A packet from the CN on subnet 140.123.3.0 addressed to 140.123.1.15 reaches the HA and is tunnelled to the care-of address.]
The basic operation of Mobile IPv6. Because IPv6 provides Stateless Address Autoconfiguration and Neighbor Discovery, no Foreign Agent is needed; the Home Agent, Home Network and encapsulation concepts are close to those of Mobile IPv4.
After the mobile host obtains a care-of address (using Neighbor Discovery and Stateless Address Autoconfiguration), it authenticates to its Home Agent (using the Authentication Header).
Mobile IPv6 operation: when the MN moves to another link it obtains an address by autoconfiguration, then sends a Binding Update to its HA (carried as a destination option); the HA answers with a Binding Acknowledgement (also a destination option).
Triangle routing: when the CN sends its first packet to the MN it holds no binding for the MN, so the packet goes to the HA, which tunnels it to the MN (IPv6-in-IPv6 encapsulation).
(These slides follow the 2003 Mobile IPv6 drafts. The published standard, RFC 3775, carries Binding Update and Binding Acknowledgement in a Mobility Header rather than a destination option and protects MN-HA signalling with IPsec ESP. Whatever the encoding, a home agent must not accept an unauthenticated Binding Update: it would let anyone redirect the mobile node's traffic to a care-of address of their choosing.)
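The home-agent side of the operation just described, as an added example that is not part of the NCCU prototype: a binding cache fed by Binding Updates, and IPv6-in-IPv6 encapsulation of packets that arrive for the home address. The HMAC over the Binding Update and the shared key are constructed assumptions standing in for the AH/IPsec protection the slides mention; the addresses are those of the MN5 scenario on the following slides.

```python
"""Home-agent side of Mobile IPv6, simulated end to end: accept Binding
Updates, keep the binding cache, and tunnel packets that arrive for the
home address to the current care-of address (IPv6-in-IPv6, next header 41).
Added example; not the NCCU prototype.  The HMAC authenticator and the
MN-HA shared key are constructed stand-ins for AH/IPsec."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPV6 = 41      # next header of an IPv6-in-IPv6 tunnel packet
NH_NO_NEXT = 59        # "no next header", used for the sample payload


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """40-octet IPv6 base header, traffic class and flow label zero."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6(buf):
    ver_tc_fl, plen, nh, hl = struct.unpack("!IHBB", buf[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    return {"src": str(ipaddress.IPv6Address(buf[8:24])),
            "dst": str(ipaddress.IPv6Address(buf[24:40])),
            "next_header": nh, "hop_limit": hl, "payload": buf[40:40 + plen]}


def bu_authenticator(key, home_addr, care_of, seq):
    """Tag the mobile node attaches to its Binding Update (constructed scheme)."""
    msg = f"{home_addr}|{care_of}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class HomeAgent:
    def __init__(self, address, home_prefix, mn_keys):
        self.address = address
        self.home_prefix = ipaddress.IPv6Network(home_prefix)
        self.mn_keys = mn_keys          # home address -> key shared with that MN
        self.binding_cache = {}         # home address -> (care-of address, last seq)

    def binding_update(self, home_addr, care_of, seq, tag):
        """Process a BU; returns the status the Binding Acknowledgement carries."""
        key = self.mn_keys.get(home_addr)
        if key is None or ipaddress.IPv6Address(home_addr) not in self.home_prefix:
            return "rejected: not a mobile node of this home link"
        if not hmac.compare_digest(bu_authenticator(key, home_addr, care_of, seq), tag):
            return "rejected: bad authenticator"      # else anyone could redirect the MN's traffic
        prev = self.binding_cache.get(home_addr)
        if prev is not None and seq <= prev[1]:
            return "rejected: stale sequence number"  # replayed or reordered BU
        if ipaddress.IPv6Address(care_of) in self.home_prefix:
            self.binding_cache.pop(home_addr, None)   # MN is home again: stop tunnelling
            return "accepted: binding deleted"
        self.binding_cache[home_addr] = (care_of, seq)
        return "accepted"

    def forward(self, packet):
        """A CN's packet arrives on the home link for a home address: deliver it
        unchanged if the MN is home, else encapsulate it toward the care-of address."""
        dst = parse_ipv6(packet)["dst"]
        entry = self.binding_cache.get(dst)
        if entry is None:
            return packet
        return ipv6_header(self.address, entry[0], len(packet), IPPROTO_IPV6) + packet


if __name__ == "__main__":
    KEY = b"mn5-ha-shared-key"                               # constructed
    ha = HomeAgent("3ffe:3600:2000:2000::2", "3ffe:3600:2000:2000::/64",
                   {"3ffe:3600:2000:2000::5": KEY})
    mn5, coa = "3ffe:3600:2000:2000::5", "3ffe:3600:2000:2100::7"
    print(ha.binding_update(mn5, coa, 1, bu_authenticator(KEY, mn5, coa, 1)))
    cn_packet = ipv6_header("3ffe:3600:2000:1000::100", mn5, 4, NH_NO_NEXT) + b"data"
    outer = parse_ipv6(ha.forward(cn_packet))
    print(outer["dst"], outer["next_header"], parse_ipv6(outer["payload"])["dst"])
```

The sequence-number check is what stops a captured Binding Update from being replayed after the node has moved on; the authenticator check is what stops a forged one.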
3. The difficulty of implementing Mobile IPv6 over MANET
- Multi-hop routing on the MANET under IPv6
- A different kernel
- Integrating the MANET with the IPv6 backbone
[Figure: test topology. Router1 (3ffe:3600:2000:2000::2/64) and Router2 (3ffe:3600:2000:2100::3/64) connect two MANETs to the IPv6 Internet. Mobile nodes MN1-MN4 hold addresses from 3ffe:3600:2000:2000::/64 (::5, ::10, ::15) and 3ffe:3600:2000:2100::/64 (::5, ::7); a Web server, acting as CN, sits at 3ffe:3600:2000:1000::100/64. Packets pass through the IP protocol layer over MANET routing (DSDV) at every hop.]
[Figure: MN5 (home address 3ffe:3600:2000:2000::5/64, home agent Router1) moves to Router2's link, learns the prefix from an ICMPv6 Router Advertisement, forms the care-of address 3ffe:3600:2000:2100::7/64 and sends a Binding Update (home address 3ffe:3600:2000:2000::5, CoA 3ffe:3600:2000:2100::7) to Router1. A packet from the CN to MN5's home address reaches Router1, which encapsulates it toward the CoA.]
[Figure: MN5 moves again, to the 3ffe:3600:2000:2200::/64 link behind a third router (MN1 is there at 3ffe:3600:2000:2200::4/64), obtains the new care-of address 3ffe:3600:2000:2200::23/64 and sends a Binding Update replacing the old CoA 3ffe:3600:2000:2100::7 with the new CoA 3ffe:3600:2000:2200::23; the CN's packets then follow the new binding.]
Part II: Architecture of the Mobile IPv6 over MANET prototype system
Results so far: multi-hop (MANET) routing under IPv4; the MANET interconnected with an IPv4 backbone.
Current goal: multi-hop (MANET) routing under IPv4, with the MANET routing interconnected with an IPv6 backbone.
Future goal: Mobile IPv6 over MANET.
[Figure: IPv4 prototype. MN1 192.168.10.10, MN2 192.168.10.13 and MN3 192.168.10.15 run DSDV; each node's routing table lists 192.168.10.10, 192.168.10.13 and 192.168.10.15. Two Linux external-facing hosts (Linux 1, Linux 2) connect the MANET, together with MN4 and MN5, to the IPv4 backbone.]
Design and Implementation of a Home-Network Proxy Server Using IPv6 Multihoming
Department of Computer Science and Information Engineering, National Cheng Kung University; Department of Computer Science and Information Engineering, National Chung Cheng University
Outline: multihoming introduction; related multihoming Internet-Drafts; project design and implementation; conclusion; references
Multihoming introduction: a host or router has two or more different network connections.
[Figure: a multihoming gateway connected to the Internet through ISP1 and ISP2.]
Multihoming advantages: fault tolerance, load balancing, provider selection, link aggregation.
[Figure: a multihoming gateway reaches the Internet through ISP-1 and ISP-2 over links A-E. If B is broken, the connection is forwarded by A; if D is broken, the connection is forwarded by E.]
Multihoming scope:
- Provider level: draft-ietf-ipngwg-ipv6multihome-with-aggr-01
- Site level, at site exit routers: RFC 3178
- Subnet/host level
Multihoming problems:
- ISPs cannot advertise prefixes of other ISPs.
- A site cannot have its upstream providers advertise prefixes longer than the prefix assigned to it.
Multihoming solutions: router-based, host-based, mobile-based, and geographic or exchange-based.
Router-based solutions:
- GSE/8+8: Global, Site, and End-system address elements (draft-ipng-gseaddr-00)
- Multihoming with route aggregation (draft-ietf-ipngwg-ipv6multihome-with-aggr-01)
- Multihoming using router renumbering (draft-ietf-ipngwg-multi-isp-00)
- IPv6 multihoming support at site exit routers (RFC 3178)
- Multihoming Aliasing Protocol (MHAP) (draft-py-mhap-intro-00)
Host-based solutions:
- Host-centric IPv6 multihoming (draft-huitema-multi6-hosts-01)
- Host Identity Payload protocol (HIP)
Mobile-based solutions:
- Application of the MIPv6 protocol to the multihoming problem (draft-bagnulo-multi6-mnm-00)
Geographic or exchange-based solutions:
- GAPI: A Geographically Aggregatable Provider Independent address space to support multihoming in IPv6 (draft-py-multi6-gapi-00)
- Extension header for site multihoming support (draft-bagnulo-multi6-mhExtHdr-00)
Related Internet-Drafts:
- draft-ietf-multi6-multihoming-requirements-06: Goals for IPv6 Site-Multihoming Architectures
- draft-savola-multi6-nowwhat-00: IPv6 Site Multihoming: Now What?
- draft-de-launois-multi6-naros-00: NAROS: Host-Centric IPv6 Multihoming with Traffic Engineering
- draft-kurtis-multihoming-longprefix-00: Multihoming in IPv6 by multiple announcements of longer prefixes
- draft-hain-ipv6-pi-addr-use-04: Application and Use of the IPv6 Provider Independent
- draft-py-multi6-gapi-00: GAPI: A Geographically Aggregatable Provider Independent Address Space to Support Multihoming in IPv6
- draft-kurtis-multi6-roadmap-00: A road-map for multihoming in IPv6
- draft-savola-multi6-asn-pi-00: Multihoming Using IPv6 Addressing Derived from AS Numbers
Our design goals: build a multihoming gateway for an IPv6-based home network with multiple outgoing interfaces, fault tolerance, load balancing, bandwidth aggregation, a Web proxy, and so on.
Our experimental architecture
[Figure: the multihoming gateway has eth0 on the home link and two outgoing interfaces: eth1 to RouterA (Hinet; link addresses 2001:0238::1/32 and 2001:0238::2/32) and eth2 to RouterB (Tanet; link addresses 2001:0288::1/32 and 2001:0288::2/32); each ISP router holds a default route toward the Internet. The home link uses 2001:288:1:1::/64 (gateway 2001:288:1:1::1/64; home client 2001:288:1:1::2/64 and 2001:288:1:1:1:1:0:3/96), and the gateway additionally holds 2001:238:1:1::1/64 from the other ISP's prefix. One outgoing link is the master, the other the slave. The home client runs a browser (Mozilla), the gateway runs a proxy (Squid), and the target is a Web server (Apache).]
System implementation: interface/link detection
- Use ICMPv6 to detect whether each interface is available.
- Run the interface/link detection periodically.
- Modify or set up routing information accordingly.
System implementation (cont'd): fault tolerance (redundant link)
- Assume each ISP assigns the user a prefix, not just a single IPv6 address.
- The multihoming gateway connects two outgoing links from different ISPs, each with its own IPv6 prefix.
- Choose one link as the master link for communication; the other is the slave/backup link.
- When the master link crashes, the slave/backup link is used.
- Clients need not change their IP addresses to fit the prefix of the slave/backup link: the gateway communicates with the IPv6 address of the slave/backup link, using a Network Address Translation table.
- Currently supported: ICMPv6, TCP/UDP.
[Figure: the experimental architecture above after failover: the slave outgoing link carries the traffic and the gateway keeps a mapping table.]
System implementation (cont'd): load balancing
- Equal Cost Multi-Path (ECMP), IPv4
- Load-sharing algorithms of RFC 2391 (LSNAT): round robin, least load first, least traffic first, least weighted load first
- Weighted Round Robin (WRR), IPv4
Web proxy on the multihoming gateway: Squid with IPv6 support is installed on the gateway, and the fault-tolerance mechanism keeps the Squid server reachable at all times, unless all links have failed.
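The link detection, failover with the NAT mapping table, and link selection described above, as an added example that is not the project's gateway code. It takes Tanet's 2001:288:1:1::/64 as the master prefix that numbers the home and Hinet's 2001:238:1:1::/64 as the slave (which ISP is master is an assumption drawn from the client addresses on the slides); probe results are passed in by the caller in place of the periodic ICMPv6 echo test.

```python
"""Failover, prefix translation and link selection of an IPv6 multihoming
gateway, simulated.  Added example; not the NCKU/NCCU gateway code.  The
master/slave assignment of the two ISPs is an assumption."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    prefix: ipaddress.IPv6Network   # /64 delegated by this ISP
    weight: int = 1                 # share of new flows in WRR mode
    up: bool = True
    flows: int = 0                  # active flows, for least-load-first


class MultihomingGateway:
    def __init__(self, home_prefix, links, policy="failover"):
        self.home_prefix = ipaddress.IPv6Network(home_prefix)
        self.links = links                  # links[0] is the master link
        self.policy = policy                # "failover" | "wrr" | "least_load"
        self.flows = {}                     # (int_src, proto, port) -> (link, ext_src)
        self.reverse = {}                   # (ext_src, proto, port) -> int_src
        self._credits = {l.name: 0 for l in links}

    def link_detection(self, echo_replies):
        """Periodic interface/link detection: {link name: echo reply seen?}."""
        for l in self.links:
            l.up = bool(echo_replies.get(l.name, False))

    def select_link(self):
        """Pick the outgoing link for a new flow according to the policy."""
        up = [l for l in self.links if l.up]
        if not up:
            raise RuntimeError("all outgoing links are down")
        if self.policy == "failover":
            return up[0]                          # master first, backups in order
        if self.policy == "least_load":
            return min(up, key=lambda l: l.flows)
        for l in up:                              # smooth weighted round robin
            self._credits[l.name] += l.weight
        best = max(up, key=lambda l: self._credits[l.name])
        self._credits[best.name] -= sum(l.weight for l in up)
        return best

    def _translate(self, int_src, link_prefix):
        """NAT table rule: keep the client's interface identifier and swap the
        home /64 for the chosen ISP's /64, so the packet is source-valid on
        that ISP (its ingress filter would drop a home-prefix source)."""
        addr = ipaddress.IPv6Address(int_src)
        if addr in link_prefix:
            return int_src                        # already numbered from this ISP
        iid = int(addr) & ((1 << 64) - 1)
        return str(ipaddress.IPv6Address(int(link_prefix.network_address) | iid))

    def outbound(self, int_src, proto, port):
        """Return (link, source address to put on the wire) for a client packet."""
        key = (int_src, proto, port)
        if key in self.flows:
            link, ext_src = self.flows[key]
            if link.up:
                return link, ext_src              # established flows stay put
            link.flows -= 1                       # its link died: re-home the flow
            del self.reverse[(ext_src, proto, port)]
        link = self.select_link()
        ext_src = self._translate(int_src, link.prefix)
        self.flows[key] = (link, ext_src)
        self.reverse[(ext_src, proto, port)] = int_src
        link.flows += 1
        return link, ext_src

    def inbound(self, ext_dst, proto, port):
        """Map a reply arriving on an ISP link back to the client's home address."""
        return self.reverse.get((ext_dst, proto, port), ext_dst)


if __name__ == "__main__":
    tanet = Link("Tanet", ipaddress.IPv6Network("2001:288:1:1::/64"), weight=2)
    hinet = Link("Hinet", ipaddress.IPv6Network("2001:238:1:1::/64"), weight=1)
    gw = MultihomingGateway("2001:288:1:1::/64", [tanet, hinet])
    print(gw.outbound("2001:288:1:1:1:1:0:3", "tcp", 40000)[1])
    gw.link_detection({"Tanet": False, "Hinet": True})      # master link lost
    print(gw.outbound("2001:288:1:1:1:1:0:3", "tcp", 40000)[1])
```

The reverse table is what lets a flow that was moved to the slave link keep its translated address after the master comes back, instead of breaking the TCP connection by changing its source mid-stream.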
Conclusions
- Introduced the benefits of multihoming: fault tolerance, load balancing, and so on.
- Applied multihoming to an IPv6 home network through a multihoming gateway that includes a Web proxy.
- Described our design goals and the current system implementation: reduce cost, increase performance.
References
- http://www.ietf.org/html.charters/multi6-charter.html
- draft-ietf-multi6-multihoming-requirements-06.txt
- Il-sun Whang and Dongkyun Kim, "IPv6 Multihoming", KRnet 2002.
- David Binet, "Home Networking: The IPv6 killer application?", France Telecom R&D, 2002.
- Jeff Doyle, "Issues in IPv6 Deployment", Juniper Networks.
The Design and Implementation of an IPv6-enabled Intrusion Detection System: Status Report
Leader: C. S. Lai (NCKU)
Core team members: B. Tseng (Hsing-Kuo Univ.), P. Chen (NCKU)
Agenda
• Intrusion detection systems: an overview
• Our work: an IPv6-enabled intrusion detection system
• Further work
I. Intrusion Detection Systems: An Overview
• What is an intrusion detection system
• Model and architecture
• Data sources
• Core technology
• Metrics and testing methodology
• Testing environments and test reports
• Development methodology: a software-engineering viewpoint
• Other topics
Intrusion detection systems: what
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms.
Intrusions are caused by attackers accessing the systems from the Internet, by authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and by authorized users who misuse the privileges given to them.
Intrusion Detection Systems (IDSs) are software or hardware products that automate this monitoring and analysis process.
IDS in a network
[Figure: a firewall between the Internet and a router; hubs connecting workstations, an Apache server and an Oracle DB; a host-based IDS (HIDS) on the servers, network-based IDS (NIDS) sensors on the segments, and an IDS management station.]
Model
Denning, D. E., "An Intrusion-Detection Model," IEEE Transactions on Software Engineering, vol. 13, pp. 222-232, 1987.
Hypothesis: exploitation of a system's vulnerabilities involves abnormal use of the system; therefore security violations can be detected from abnormal patterns of system usage.
The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.
Six main components:
• Subjects: initiators of activity on a target system, normally users.
• Objects: resources managed by the system: files, commands, devices, etc.
• Audit records: generated by the target system in response to actions performed or attempted by subjects on objects: user login, command execution, file access, etc.
• Profiles: structures that characterize the behavior of subjects with respect to objects in terms of statistical metrics and models of observed activity. Profiles are automatically generated and initialized from templates.
• Anomaly records: generated when abnormal behavior is detected.
• Activity rules: actions taken when some condition is satisfied, which update profiles, detect abnormal behavior, relate anomalies to suspected intrusions, and produce reports.
Architecture
• Monolithic
• Hierarchical
• Agent-based IDS
• Distributed IDS
Distributed IDS examples:
1. DIDS (Distributed Intrusion Detection System, 1991/1992), U.C. Davis
2. GrIDS: A Graph-Based Intrusion Detection System (1996/1999), U.C. Davis
3. EMERALD (1997)
4. AAFID: Autonomous Agents for Intrusion Detection, Purdue University (1998)
Data sources
1. Audit logs: Sun Solaris BSM (Basic Security Module); Windows event log; system logs (Linux/*BSD syslog); application logs (too many to list)
2. Network packet flow (captured packets)
3. Windows registry (Windows only): Frank Apap, Andrew Honig, Shlomo Hershkop, Eleazar Eskin, and Sal Stolfo (Columbia University), RAID 2002, LNCS 2516, pp. 36-53, 2002.
Core technology: anomaly detection vs. misuse detection
Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network. They function on the assumption that attacks are different from "normal" (legitimate) activity and can therefore be detected by systems that identify these differences.
Anomaly detectors construct profiles representing normal behavior of users, hosts, or network connections. These profiles are constructed from historical data collected over a period of normal operation. The detectors then collect event data and use a variety of measures to determine when monitored activity deviates from the norm.
Anomaly detection techniques:
• statistical methods (NIDES, ...)
• rule induction (ASAX, ...)
• (artificial) neural networks (many; C. S. Lai)
• fuzzy set theory (T. Y. Lin, 1994)
• machine learning algorithms (Lane and Brodley, 1997, ...)
• artificial immune systems (Forrest, Hofmeyr, ...)
• signal processing methods
• temporal sequence learning (Lane and Brodley, 1999)
• data mining (W. Lee, ...)
Misuse detection
Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack; hence "signature-based detection". The most common form of misuse detection used in commercial products specifies each pattern of events corresponding to an attack as a separate signature.
Misuse detection techniques:
• expert systems
• "state-based" analysis techniques
• genetic algorithms (GASSATA, 1998, ...)
Testing environments and test reports
• MITRE (1997): NetRanger, RealSecure, ASIM
• Information Warfare Conference (1998): RealSecure, NFR
• MIT Lincoln Laboratory (1998/1999): DARPA-funded
• SANS 2000 ID-NET (March 2000): intrusion-detection-focused conference
• 1998 DARPA Intrusion Detection Evaluation
• 1999 DARPA Intrusion Detection Evaluation
[Figure: simulation network for the 1998 off-line evaluation (MIT Lincoln Laboratory, last modified 3/24/98). Inside (172.16 = eyrie.af.mil): Locke 172.16.112.10, Pascal 172.16.112.50, Hobbes 172.16.112.20, Zeno 172.16.113.50, Marx 172.16.114.50; the target machines run Linux 2.0.27, SunOS 4.1.4, Solaris 2.5.1 and SunOS 5.6 on Sparc, Ultra, 486 and Pentium II hardware. Outside (192.168.1 = world.net, 194.27.251 = plum.net, 197.218.177 = grape.mil, plus all other domains used): Solomon 192.168.1.90, Calvin 192.168.1.10, Aesop 192.168.1.20. The inside and outside traffic generators are Pentium II PCs running a modified Linux kernel (based on 2.0.32) that lets them spoof many different IP addresses; a Web server and a sniffer are also present. Router: Cisco AGS+, interface A 172.16.112.1, interface B 198.168.1.1 (as labelled). Hubs: A: Asante Hub 1012 (no IP); B: HP EtherTwist Hub PLUS (IP 192.168.1.5).]
1998 DARPA Intrusion Detection Evaluation
1998 training data attacks and anomaly training data: the simulation featured 6 users whose activity can be used to test anomaly detection systems. The following types of misuse were tested:
1. Denial of service
2. Unauthorized access from a remote machine
3. Unauthorized transition to root by an unprivileged user
4. Surveillance and probing
5. Anomalous user behavior
[Figure: 1999 DARPA Intrusion Detection Evaluation simulation network (as drawn). Inside: locke 172.16.112.10, hobbes 172.16.112.20 (gateway), pascal 172.16.112.50, hume 172.16.112.100, kant 172.16.112.110, zeno 172.16.113.50 and marx 172.16.114.50 as victims (SunOS, Solaris, Linux, NT, Win98), plus virtual inside hosts; inside router interfaces 172.16.112.5 and 172.16.0.1. Outside: calvin 192.168.1.10 (gateway), aesop 192.168.1.20 (Web server), monitor 192.168.1.30 (SNMP monitor), solomon 192.168.1.90 (sniffer), attacker hosts (Linux, NT) and virtual outside hosts (Linux, NT, MacOS, SunOS). A Cisco 2514 router (192.168.1.1 / 192.168.1.2), Ethernet hubs, and a sniffer host plato.]
II. Our work: current status
• Focus: an IPv6-enabled (only) intrusion detection system
• Next step: an IPv4/v6 dual-stack IDS, ...
• Challenges of IPv6 compared with IPv4:
  (1) different header structure
  (2) many transition/translation mechanisms
  (3) IPsec-protected packets, whose payloads a sensor cannot read
  (4) many misconfiguration scenarios
  (5) possible attacks
  ...
A full understanding of these topics is needed.
Our design
- Information sources
- Pattern matcher
- Alarm/report generator
- Profile engine
- Anomaly detector
- Policy rules
Modules of the IPv6 IDS:
- Data collector: tcpdump
- Data preprocessor: Perl scripts
- Intrusion detector: an intelligent component, a neural network (multilayer perceptron, MLP) built with LNKnet; the LNKnet-generated C code is linked into the application C code
- Data processing: Ethereal (IPv6 ready)
Different header structure: the IPv4 header
20 octets plus options; 13 fields, including 3 flag bits:
- Version (4 bits), IHL (4 bits), Service Type (8 bits), Total Length (16 bits)
- Identifier (16 bits), Flags (3 bits), Fragment Offset (13 bits)
- Time to Live (8 bits), Protocol (8 bits), Header Checksum (16 bits)
- 32-bit Source Address
- 32-bit Destination Address
- Options and Padding
(The slide marks each field as removed or changed in IPv6.)
The IPv6 header: 40 octets, 8 fields:
- Version (4 bits), Class (8 bits), Flow Label (20 bits)
- Payload Length (16 bits), Next Header (8 bits), Hop Limit (8 bits)
- 128-bit Source Address
- 128-bit Destination Address
Simple test
• Windows XP SP1, IPv4 a.b.c.98
• Windows .NET Server 2003 RC2, IPv4 a.b.c.100
• Network Monitor: IPv6 ready
• Ethereal: IPv6 ready
IPv6 support in major operating systems
Current:
• Windows 2000 Server + patch: automatic tunneling
• Windows XP / .NET Server 2003: 6to4 tunneling
• Linux (Red Hat 9): tunnel broker
• *BSD (FreeBSD 5.1): tunnel broker
• Linux (Mandrake 9.1), SUSE
• *BSD (OpenBSD 3.3, NetBSD 1.6.1)
• Solaris (8/9)
Windows 2000 Server + patch: on the local area connection interface, addresses can be obtained through Neighbor Discovery or set manually; automatic tunneling (automatic tunnel).
Windows .NET Server RC2 and Windows XP SP1 (.98): ISATAP
6to4: derives an IPv6 address from an IPv4 address (the prefix 2002::/16 followed by the 32-bit IPv4 address).
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP): draft-ietf-ngtrans-isatap-13.txt
Simple deployment scenario of ISATAP (hosts ...)
ICMPv6
[Figure: protocol stacks. IPv4: ICMP, IGMP, ARP, RARP. IPv6: ICMPv6 (RFC 2463) and Neighbor Discovery (RFC 2461), which also support Mobile IPv6.]
ICMPv6 messages are grouped into two classes: error messages and informational messages.
ICMPv6 error messages: 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem
ICMPv6 informational messages: 128 Echo Request, 129 Echo Reply
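Decoding of the traffic this section singles out, as an added example that is not part of the NCKU IDS: the 40-octet IPv6 header, the two ICMPv6 message classes, and IPv6 carried inside IPv4 protocol 41 by 6to4, ISATAP or a configured tunnel (the encapsulation also drawn in the tunnel broker section later on this page). The sample packets are constructed inline; the IPv4 addresses reuse the FreeBSD host and tunnel server from the tunnel broker slides below, and the 6to4 relay address 192.88.99.1 is the RFC 3068 anycast address.

```python
"""Header decoding for an IPv6-aware IDS: IPv6 base header, ICMPv6 classes,
and IPv6-in-IPv4 (protocol 41) tunnels classified as 6to4, ISATAP or
configured, with the embedded-address consistency check.  Added example on
constructed packets; not the NCKU IDS code."""
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41
NH_ICMPV6 = 58
SIXTO4 = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)   # ::0:5efe:a.b.c.d and ::200:5efe:a.b.c.d
ICMPV6_NAMES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
                4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply"}


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Constructed 20-octet IPv4 header, no options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Constructed 40-octet IPv6 header: version 6, class and flow label zero."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv4(buf):
    ver_ihl, _tos, total, _ident, _flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", buf[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                    # header length including options
    return {"src": str(ipaddress.IPv4Address(buf[12:16])),
            "dst": str(ipaddress.IPv4Address(buf[16:20])),
            "protocol": proto, "ttl": ttl, "payload": buf[ihl:total]}


def parse_ipv6(buf):
    ver_tc_fl, plen, nh, hl = struct.unpack("!IHBB", buf[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    return {"src": str(ipaddress.IPv6Address(buf[8:24])),
            "dst": str(ipaddress.IPv6Address(buf[24:40])),
            "next_header": nh, "hop_limit": hl, "payload": buf[40:40 + plen]}


def tunnel_kind(inner_src, outer_src):
    """Name the mechanism the inner source implies and check that the IPv4
    address it embeds matches the outer source; a mismatch is the spoofing
    case RFC 3964 warns about for 6to4, and the same applies to ISATAP."""
    a = ipaddress.IPv6Address(inner_src)
    if a in SIXTO4:                                 # 2002:wwxx:yyzz::/48
        kind, embedded = "6to4", ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)
    elif (int(a) >> 32) & 0xFFFFFFFF in ISATAP_IID_PREFIXES:
        kind, embedded = "ISATAP", ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)
    else:
        return "configured tunnel"
    if str(embedded) != outer_src:
        return f"{kind} spoofed: embedded {embedded} != outer {outer_src}"
    return kind


def inspect(raw_ipv4):
    """Findings for one IPv4 packet: empty unless it carries IPv6 (protocol 41)."""
    outer = parse_ipv4(raw_ipv4)
    if outer["protocol"] != PROTO_IPV6_IN_IPV4:
        return []
    inner = parse_ipv6(outer["payload"])
    findings = [("ipv6-in-ipv4", outer["src"], outer["dst"],
                 tunnel_kind(inner["src"], outer["src"]))]
    if inner["next_header"] == NH_ICMPV6 and inner["payload"]:
        t = inner["payload"][0]                     # ICMPv6 type is the first octet
        findings.append(("icmpv6", "error" if t < 128 else "informational",
                         ICMPV6_NAMES.get(t, f"type {t}")))
    return findings


# Constructed samples.  61.221.197.98 is the report's FreeBSD host; it embeds as 3ddd:c562.
ECHO_REQ = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)        # type, code, csum, id, seq
SAMPLE_6TO4 = build_ipv4("61.221.197.98", "192.88.99.1", 41,
    build_ipv6("2002:3ddd:c562::1", "2001:470:1f00:ffff::842", 58, ECHO_REQ))
SAMPLE_ISATAP = build_ipv4("61.221.197.98", "64.71.128.82", 41,
    build_ipv6("fe80::5efe:3ddd:c562", "fe80::5efe:4047:8052", 58, ECHO_REQ))
SAMPLE_CONFIGURED = build_ipv4("61.221.197.98", "64.71.128.82", 41,
    build_ipv6("2001:470:1f00:ffff::843", "2001:470:1f00:ffff::842", 58, ECHO_REQ))
SAMPLE_SPOOFED = build_ipv4("10.0.0.5", "192.88.99.1", 41,
    build_ipv6("2002:3ddd:c562::1", "2001:470:1f00:ffff::842", 58, ECHO_REQ))
SAMPLE_PLAIN = build_ipv4("61.221.197.98", "64.71.128.82", 6, b"")

if __name__ == "__main__":
    for name, pkt in [("6to4", SAMPLE_6TO4), ("isatap", SAMPLE_ISATAP),
                      ("configured", SAMPLE_CONFIGURED), ("spoofed", SAMPLE_SPOOFED)]:
        print(name, inspect(pkt))
```

A sensor that stops at the IPv4 header sees protocol 41 and nothing else; the point of decapsulating is that the signatures then run against the inner IPv6 packet, and the embedded-address check catches tunnel traffic injected from an address that could not have formed that 6to4 or ISATAP source.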
[Screenshots: ICMPv6 Echo Request and Echo Reply messages captured between XP (.98) and .NET Server 2003 (.100) over ISATAP.]
IPv6 tunnel broker
Motivation: a tunnel broker acts as a virtual IPv6 ISP.
IPv6 tunnel broker setup
Red Hat 9.0: IPv6 tunnel broker setup
FreeBSD 5.1: IPv6 tunnel broker setup (the commands as run on the test host; the outer end-points are the host's own IPv4 address and the broker's tunnel server)
# create the gif(4) tunnel interface
ifconfig gif0 create
# outer IPv4 end-points: local host, then the broker's tunnel server
ifconfig gif0 tunnel 61.221.197.98 64.71.128.82
# inner IPv6 end-points: local address, then remote address of the point-to-point link
ifconfig gif0 inet6 2001:470:1F00:FFFF::843 2001:470:1F00:FFFF::842 prefixlen 128
# send all IPv6 traffic through the tunnel
route -n add -inet6 default 2001:470:1F00:FFFF::842
ifconfig gif0 up
nmap 3.27 (FreeBSD 5.1: quick install from the ports collection)
Further work (in the near future):
• An IPv6 testbed with different operating systems and servers will be built.
• More captured packets and audit logs will be analyzed.
• A prototype will be built.
• Some simple attacks will be tested.
Project title: Design and Implementation of IPv6 Security Mechanisms Combined with IC Cards
Principal investigator: Dr. 楊中皇; presenter: 翁木龍
Outline: research architecture; the IPsec mechanism; advantages of IC cards; project progress; follow-up work
Research architecture
[Figure: hosts equipped with smart cards communicate across the Internet through security gateways.]
IPv6 test environment
[Figure: two IPv6 segments of computers, each behind a security gateway, joined by a router.]
Expected results: in a Linux environment, keep the identity-authentication key on the IC card to raise the security of IPsec communication; build an IPv6 VPN environment, establishing a private network that protects the security and privacy of the interconnection.
IPsec (IP Security) is a set of open-standard network security protocols defined by the IETF (Internet Engineering Task Force). It applies cryptographic techniques at the network layer to give the sending and receiving ends authentication, integrity, access control and confidentiality services.
IPsec in IPv4 versus IPv6: optional in IPv4, mandatory in IPv6 (mandatory to implement in every IPv6 node under the original specification, not mandatory to use; RFC 6434 later relaxed the requirement to SHOULD).
IPsec architecture
- SAD: Security Association Database
- SPD: Security Policy Database
- Security Associations (SA)
- Key management: SKIP, IKE
- Packet transforms: ESP (DES-CBC, Triple-DES) and AH (MD5, SHA-1)
(DES and MD5 are the algorithms of the 2003 implementations; neither is acceptable for a new deployment today.)
IPsec key exchange and management: the two entities using IPsec must establish matching encryption/decryption and authentication keys before any security is obtained. Keys can be exchanged manually or automatically by the system; the IETF defined the Internet Key Exchange (IKE) protocol for automatic key exchange.
IKE establishes the IKE SA and the IPsec SAs between the two communicating IPsec peers and populates the SADB. It is a hybrid of the Oakley and SKEME protocols, operating within the framework defined by ISAKMP.
ISAKMP defines: the packet formats and the packet-processing procedures and rules; how the peer's identity is authenticated; how information is exchanged during key exchange; how security services are negotiated. It is realized by IKE and the IPsec DOI.
ISAKMP payloads (13 in total): SA, Proposal, Transform, Key Exchange, Identification, Certificate, Certificate Request, Hash, Signature, Nonce, Notification, Delete, Vendor ID
ISAKMP header fields (28 octets): Initiator cookie (8 octets), Responder cookie (8), Next payload (1), Major version (4 bits), Minor version (4 bits), Exchange type (1 octet), Flags (1), Message ID (4), Message length (4)
The two phases of IKE
IKE operates in two phases, as defined by ISAKMP:
Phase 1 establishes the IKE SA: an authenticated and protected channel over which Phase 2 negotiates security services (source authentication, integrity and encryption). The standard defines Main Mode and Aggressive Mode.
Phase 2 establishes the IPsec SAs, producing the SA contents used by AH or ESP.
IKE Main Mode
Purpose: establish the IKE SA and generate fresh keys.
Three two-way exchanges, i.e. six messages.
Identity authentication variants:
- Main Mode with pre-shared key
- Main Mode with digital signature
- Main Mode with public key encryption
- Main Mode with revised public key encryption
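The ISAKMP header and the two IKE phases above, worked as an added example that is not the project's code: parse the 28-octet header, then decide from the exchange type, message ID and flags whether a message starts Phase 1 (Main or Aggressive Mode) or belongs to Phase 2 (Quick Mode), applying the sanity checks a gateway or IDS makes before it touches any payload. The headers are constructed inline.

```python
"""ISAKMP header parsing and IKEv1 exchange classification.  Added example on
constructed headers; not the project's code.  Field layout per RFC 2408,
exchange-type values per RFC 2408/2409."""
import struct

HEADER_LEN = 28
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04
ZERO_COOKIE = "00" * 8


def build_isakmp_header(icookie, rcookie, next_payload, exchange, flags, msg_id, total_len):
    """Constructed header: version byte 0x10 = major 1, minor 0."""
    return struct.pack("!8s8sBBBBII", icookie, rcookie, next_payload, 0x10,
                       exchange, flags, msg_id, total_len)


def parse_isakmp_header(buf):
    if len(buf) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", buf[:HEADER_LEN])
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "next_payload": PAYLOAD_TYPES.get(np, f"unknown({np})"),
            "major": ver >> 4, "minor": ver & 0x0F,
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"), "exchange_type": exch,
            "encrypted": bool(flags & FLAG_ENCRYPTION), "commit": bool(flags & FLAG_COMMIT),
            "message_id": msg_id, "length": length, "actual_length": len(buf)}


def classify(buf):
    """Return (phase, notes).  phase is one of 'Phase 1 Main Mode',
    'Phase 1 Aggressive', 'Phase 2 Quick Mode', 'Informational', 'malformed'."""
    h = parse_isakmp_header(buf)
    notes = []
    if h["length"] != h["actual_length"]:      # classic parser-crash / DoS vector
        notes.append(f"length field {h['length']} != {h['actual_length']} bytes received")
        return "malformed", notes
    if h["major"] != 1:
        notes.append(f"ISAKMP major version {h['major']}, expected 1 for IKEv1")
        return "malformed", notes
    if h["initiator_cookie"] == ZERO_COOKIE:
        notes.append("zero initiator cookie")
        return "malformed", notes
    et = h["exchange_type"]
    if et in (2, 4):                            # Phase 1 runs with message ID 0
        if h["message_id"] != 0:
            notes.append("Phase 1 exchange must carry message ID 0")
            return "malformed", notes
        if h["responder_cookie"] == ZERO_COOKIE:
            notes.append("first message: responder cookie not yet assigned")
        if et == 4:
            notes.append("Aggressive Mode: identities and hashes travel in the clear")
        return ("Phase 1 Main Mode" if et == 2 else "Phase 1 Aggressive"), notes
    if et == 32:                                # Quick Mode: unique message ID, always encrypted
        if h["message_id"] == 0 or not h["encrypted"]:
            notes.append("Quick Mode needs a non-zero message ID and the encryption flag")
            return "malformed", notes
        return "Phase 2 Quick Mode", notes
    if et == 5:
        return "Informational", notes
    return "malformed", notes + [f"unexpected exchange type {et}"]


if __name__ == "__main__":
    ic, sa = bytes(range(1, 9)), b"\x00" * 12            # constructed cookie and SA payload bytes
    first = build_isakmp_header(ic, bytes(8), 1, 2, 0, 0, HEADER_LEN + len(sa)) + sa
    print(classify(first))
```

The first three checks are the ones worth doing before any payload parsing: a length field that disagrees with the datagram, a wrong major version, or an all-zero initiator cookie mark a packet that no conforming peer sends.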
Linux IPv6 IPsec implementations: kernel 2.4 and later; iABG (www.ipv6.iabg.de); USAGI (www.linux-ipv6.org)
Advantages of IC cards: large memory capacity; data can be rewritten many times; hard to forge; card authenticity can be verified; access control over stored data; stored data can be encrypted.
IC cards combined with the authentication key: a Linux platform as security gateway is efficient and low-cost, but Linux still has no uniform standard for reading and writing IC cards; writing the authentication key into the IC card helps key management.
Project progress: the research environment is complete; the main RFCs of the IETF IPsec Working Group have been studied; the IC card reader program for Linux is being coded and is in the testing stage. Cumulative completion: 38%.
Follow-up work: integrate the IC card more completely with the IPsec mechanism; finish coding the IC card reader program; study the IPsec source code.
Chunghwa Telecom Laboratories, Broadband Network Laboratory
Agenda
- Introduction
- IPv4/IPv6 transition mechanisms: dual stack, tunneling, translator
- Prototype service system for IPv6 access over xDSL: tunnel broker service model (RFC 3053), system architecture, functional diagram, software requirements, dial-up ADSL IPv6 connection
- Conclusion
Internet transition trend
[Figure: from an IPv4-only Internet, through IPv6 islands in an IPv4 ocean (joined by tunnel broker, 6to4, 6over4 and NAT-PT), a period of multiple mechanisms, then IPv4 islands in an IPv6 ocean (NAT-PT, DSTM, 4to6), to an IPv6-only Internet.]
Next-generation transition (IETF v6ops): translator, dual stack, tunneling
Transition mechanisms (1)
Source: Stuart Prevost, BT, Global Summit in Madrid 2001
Transition mechanisms (2)
[Table: 6over4, 6to4, ISATAP, DSTM, NAT-PT, SIIT, BIS, transport relay, SOCKS gateway and BIA compared on: requires a dual-stack host; manipulates upper-layer messages; translates the IP header; tunnels; implemented in the host; implemented in a gateway; must consider applications.]
Dual stack: RFC 2893 / RFC 1933; NGTRANS draft draft-ietf-ngtrans-dstm-08.txt
[Figure: dual-stack nodes talk to both IPv4-only and IPv6-only nodes; DSTM uses AIIH (DHCPv6, DNS) to assign IPv4 addresses to dual-stack hosts.]
Tunneling: RFC 2529 (6over4), RFC 3056 (6to4), RFC 3053 (tunnel broker)
[Figure: IPv6 islands joined across IPv4 by 6over4, 6to4 and an IPv4/IPv6 tunnel broker.]
Translator: RFC 2765 (SIIT), RFC 2766 (NAT-PT), RFC 2767 (BIS), RFC 3089 (SOCKS gateway), RFC 3142 (transport relay translator)
[Figure: an IPv6 host reaching an IPv4 host through NAT-PT or SIIT; IPv4 applications on a BIS (bump-in-the-stack) host over an IPv6 stack; a SOCKS gateway and a TCP/UDP relay.]
A transition mechanism suited to Taiwan's xDSL network environment and usage habits: the IPv6 tunnel broker
- Provides a mechanism for the transition from IPv4 to IPv6
- Uses the existing IPv4 network equipment
- Serves both leased-line and dynamic dial-up users
- Saves the cost and time of manual configuration
- Spares users the trouble of applying at a service counter
Prototype service system for IPv6 access over xDSL
- Tunnel broker service model (RFC 3053)
- System architecture, functional diagram, software requirements, tunneling concept, dial-up ADSL IPv6 connection
Functions and characteristics:
1. A friendly Web-based GUI management system
2. Easy access to the IPv6 network
3. Exploits the existing network equipment for accessing IPv6
4. Automates the tunnel configuration process using the dynamically assigned IPv6 address
5. Provides the user with a network configuration batch file for easy configuration
[Figure: Ethernet-based access users (FTTB), xDSL (ADSL/VDSL) and WLAN users behind an xTU-R, and leased-line users reach the IPv4 Internet; the tunnel server carries their traffic into the IPv6 network.]
Tunnel broker service model (RFC 3053)
[Figure, steps as drawn: (1) the user contacts the tunnel broker over the IPv4 network; (2) the broker updates the DNS server; (3) the broker configures the tunnel server; (4) an IPv6-over-IPv4 tunnel runs between the user's tunnel end-point and the tunnel server's tunnel end-point into the IPv6 network.]
System architecture
[Figure: a customer using a Web browser reaches the tunnel server of the xDSL access prototype through a firewall that permits authentication traffic only; the tunnel server connects to a RADIUS server (AAA), a DNS server, the IPv4 network and the IPv6 network.]
Functional diagram
Tunnel server modules (facing the user side):
- IPv6 address automatic assignment module
- Tunnel request handling module
- User authentication module
- User data update module
- Network connectivity test module
- Tunnel assignment and configuration management module
- User network configuration file generation module
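The server-side core of the modules above (request handling, authentication, address assignment, user data update, configuration file generation), as an added example that is not the ASP/SQL Server implementation of the report. The pools follow the addresses on the tunneling-concept slides (end-points from 3FFE:3600:1E::/64 starting at ::16, user /64s carved from 3FFE:3600:1C:100::/56, server 210.242.96.193); the in-memory password table is a constructed stand-in for the RADIUS step, and the generated file uses the FreeBSD gif(4) commands shown in the IDS section.

```python
"""Tunnel broker allocation logic: authenticate, allocate an IPv6-over-IPv4
end-point pair and a routed /64, keep the per-user record, and emit the
user's configuration file.  Added example; not Chunghwa Telecom's code.
Address pools follow the report's slides; credentials are a stand-in."""
import ipaddress
from dataclasses import dataclass

PRIVATE_V4 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Tunnel:
    user: str
    client_v4: str
    server_v6: str
    client_v6: str
    prefix: str


class TunnelBroker:
    def __init__(self, server_v4, endpoint_net, user_block, credentials, first_endpoint=None):
        self.server_v4 = server_v4
        self.endpoint_net = ipaddress.IPv6Network(endpoint_net)
        start = first_endpoint or self.endpoint_net.network_address + 2
        self._next_ep = int(ipaddress.IPv6Address(start))
        self._prefixes = ipaddress.IPv6Network(user_block).subnets(new_prefix=64)
        self.credentials = credentials           # user -> password (stand-in for RADIUS)
        self.tunnels = {}                        # user -> Tunnel

    def _alloc_endpoints(self):
        """Server/client end-point pair: consecutive /128s from the end-point /64."""
        if self._next_ep + 1 > int(self.endpoint_net.broadcast_address):
            raise RuntimeError("end-point pool exhausted")
        server, client = self._next_ep, self._next_ep + 1
        self._next_ep += 2
        return str(ipaddress.IPv6Address(server)), str(ipaddress.IPv6Address(client))

    def request(self, user, password, client_v4):
        """Tunnel request handling: authenticate, then allocate or update."""
        if self.credentials.get(user) != password:
            raise PermissionError("authentication failed")
        v4 = ipaddress.IPv4Address(client_v4)
        if any(v4 in n for n in PRIVATE_V4):
            raise ValueError("private IPv4 end-point: protocol 41 cannot be delivered through NAT")
        tunnel = self.tunnels.get(user)
        if tunnel is not None:                   # dial-up user back with a new IPv4 address:
            tunnel.client_v4 = client_v4         # keep the IPv6 side, update the outer end-point
            return tunnel
        server_v6, client_v6 = self._alloc_endpoints()
        try:
            prefix = str(next(self._prefixes))
        except StopIteration:
            raise RuntimeError("user prefix pool exhausted") from None
        tunnel = Tunnel(user, client_v4, server_v6, client_v6, prefix)
        self.tunnels[user] = tunnel
        return tunnel

    def server_config(self, user):
        """What the tunnel server must hold for this user."""
        t = self.tunnels[user]
        return {"outer": (self.server_v4, t.client_v4), "inner": (t.server_v6, t.client_v6),
                "route": (t.prefix, t.client_v6)}

    def client_config(self, user):
        """User network configuration file, FreeBSD gif(4) form."""
        t = self.tunnels[user]
        return "\n".join([
            "ifconfig gif0 create",
            f"ifconfig gif0 tunnel {t.client_v4} {self.server_v4}",
            f"ifconfig gif0 inet6 {t.client_v6} {t.server_v6} prefixlen 128",
            f"route -n add -inet6 default {t.server_v6}",
            "ifconfig gif0 up",
        ])


if __name__ == "__main__":
    tb = TunnelBroker("210.242.96.193", "3ffe:3600:1e::/64", "3ffe:3600:1c:100::/56",
                      {"alice": "pw"}, first_endpoint="3ffe:3600:1e::16")
    print(tb.request("alice", "pw", "61.231.55.80"))
    print(tb.client_config("alice"))
```

Updating the outer end-point of an existing record, rather than allocating afresh, is what keeps a dynamic dial-up user's IPv6 addresses and prefix stable across reconnects; the private-address refusal reflects that protocol 41 has no port for a NAT to map.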
Software requirements: Windows 2000 Server; Internet Information Server (with ASP); free ASP components (ASPExec, SA-SMTPMail); SQL Server 2000 Standard Edition; ActivePerl (free); Visual C++
Tunneling concept
[Figure: a dual-stack node (router) on the user side and the tunnel server run an IPv6-over-IPv4 tunnel across the IPv4 Internet into the native IPv6 network (3FFE:3600:1C:100::/56). Tunnel end-points: IPv4 210.242.96.193 / IPv6 3FFE:3600:1E::16, and IPv4 61.231.55.80 / IPv6 3FFE:3600:1E::17. An IPv6 header and payload enter the tunnel.]
IPv6 over IPv4 tunnel
Encapsulated packet: IPv4 header, then the IPv6 header and payload.
IPv4 header fields: Version, IHL, TOS, Total Length; Identification, Flags, Fragmentation Offset; Time To Live, Protocol = 41, Header Checksum; Source Address (61.231.55.80); Destination Address (210.242.96.193); Options, Padding.
Dial-up ADSL IPv6 connection
[Figure: a PC running a PPPoE client, an ATU-R in bridge mode, the local loop to the DSLAM, STM-1 fiber to the ATM network and the BBRAS, then the IPv4 network with its RADIUS server (AAA); an IPv4 tunnel from the PC to the tunnel server on the IPv6 network gives the PC IPv6 connectivity.]
Future vision
IPv6: let's go to the next-generation Internet. A new era: anytime, anywhere, everything connecting on the Internet.