IPv6地址驱动的云网络内生安全机制研究

doi:10.3969/j.issn.1671-1122.2024.01.011

信息网络安全 ›› 2024, Vol. 24 ›› Issue (1): 113-120.doi: 10.3969/j.issn.1671-1122.2024.01.011

IPv6地址驱动的云网络内生安全机制研究

张博文¹, 李冬², 赵贻竹¹, 于俊清¹^,²()

1.华中科技大学网络空间安全学院，武汉 430074
2.华中科技大学网络与计算中心，武汉 430074

收稿日期:2023-10-15 出版日期:2024-01-10 发布日期:2024-01-24
通讯作者: 于俊清 E-mail:yjqing@hust.edu.cn
作者简介:张博文（1997—），男，河南，硕士研究生，主要研究方向为软件定义网络安全|李冬（1979—），男，湖北，高级工程师，博士，主要研究方向为计算机网络、软件定义网络、网络安全|赵贻竹（1976—）女，河南，副教授，博士，主要研究方向为软件定义网络安全|于俊清（1975—），男，内蒙古，教授，博士，主要研究方向为数字媒体处理与检索、网络安全
基金资助:
国家重点研发计划(2020YFB1805601);中国高校产学研创新基金(2021FNA02005)

Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address

ZHANG Bowen¹, LI Dong², ZHAO Yizhu¹, YU Junqing¹^,²()

1. School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
2. Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China

Received:2023-10-15 Online:2024-01-10 Published:2024-01-24
Contact: YU Junqing E-mail:yjqing@hust.edu.cn

摘要/Abstract

摘要：

云网络可以根据不同业务场景对云平台虚拟网络资源快速部署与配置，是现代数据中心性能和安全的重要保障。但传统云网架构中IPv4支撑能力有限，无法实现网络端到端的透明传输，多租户特性使得云管理者对租户子网进行流量管理和约束异常困难，外挂式的安全方案缺乏对不同租户流量的追溯能力，无法在源头对攻击行为进行限制。IPv6具有地址空间大、编址能力强、安全性高的特点，基于此，文章提出一种IPv6地址驱动的云网络内生安全机制，包括地址生成层、地址验证层和地址利用层。地址生成层以对称加密算法为基础，将租户身份信息嵌入IPv6地址后64位，修改DHCPv6地址分配策略，并基于Openstack Neutron进行实现。地址验证层设计实现了云网络动态源地址验证方法，针对不同端口状态集合设计针对性转移方法和安全策略。地址利用层基于IPv6真实地址的特性，实现了基于IPv6地址的数据包溯源机制和访问控制策略。

关键词: 云网络, 内生安全, 源地址验证, 地址生成, IPv6

Abstract:

Cloud networking can rapidly deploy and configure virtual network resource on cloud platform according to different business scenarios, which is an important guarantee for performance and security in modern data center. However, traditional cloud network cannot make transparent end-to-end transmission due to the limitation of IPv4. The multi-tenant feature makes it difficult for cloud manager to constrain traffic on tenant subnets, and external security solutions lack of traceability of traffic from different tenants, making it impossible to restrict attack at the source. IPv6 has large address space, strong addressing ability, and high security. Guided by the endogenous security concept and centered on IPv6 address driven, this article proposed an IPv6 address driven cloud network endogenous security hierarchy architecture, including address generation layer, address verification layer, and address utilization layer.At the address generation layer, the tenant identity was embedded into the last 64 bits of IPv6 address using symmetric encryption algorithm, and the DHCPv6 address allocation strategy was modified. The implementation was based on Openstack Neutron. At the address verification layer, a dynamic source address verification method was designed and implemented for cloud networks. Specific transition methods and security policies were designed for different port status sets. At the address utilization layer, based on the characteristics of real IPv6 address, a packet tracing mechanism and an access control policy based on IPv6 addresses were implemented.

Key words: cloud network, endogenous security, source address validation, address generation, IPv6

中图分类号:

TP309

张博文, 李冬, 赵贻竹, 于俊清. IPv6地址驱动的云网络内生安全机制研究[J]. 信息网络安全, 2024, 24(1): 113-120.

ZHANG Bowen, LI Dong, ZHAO Yizhu, YU Junqing. Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address[J]. Netinfo Security, 2024, 24(1): 113-120.

图/表 9

图1

图2

图3

图4

图5

图6

图7

图8

图9

参考文献 25

[1]	TABRIZCHI H, RAFSANJANI M K. A Survey on Security Challenges in Cloud Computing: Issues, Threats, and Solutions[J]. The Journal of Supercomputing, 2020, 76(12): 9493-9532. doi: 10.1007/s11227-020-03213-1
[2]	SINGH V, PANDEY S K. Revisiting Cloud Security Threats: IP Spoofing[C]//Springer. The International Conference on Soft Computing:Theories and Applications. Heidelberg: Springer, 2020: 225-236.
[3]	YU Quan, REN Jing, ZHANG Jiyan, et al. An Immunology-Inspired Network Security Architecture[J]. IEEE Wireless Communications, 2020, 27(5): 168-173. doi: 10.1109/MWC.7742 URL
[4]	WU Jiangxing. Mimic Defense Technology Constructs National Information Cyberspace Endogenous Safety and Security[J]. Information and Communications Technologies, 2019, 13(6): 4-6.
	邬江兴. 拟态防御技术构建国家信息网络空间内生安全[J]. 信息通信技术, 2019, 13(6):4-6.
[5]	JIANG Weiyu, LIU Bingyang, WANG Chuang, et al. Security-Oriented Network Architecture[J]. Security and Communication Networks, 2021(10): 1-16.
[6]	LI Lingshu. Research on Key Technologies of Mimic SaaS Cloud Security Architecture[D]. Zhengzhou: Information Engineering University of PLA, 2021.
	李凌书. 拟态SaaS云安全架构及关键技术研究[D]. 郑州: 战略支援部队信息工程大学, 2021.
[7]	GUO Junli, XU Mingyang, YUAN Haoyu, et al. Introduction of Endogenous Security of Zero Trust Model[J]. Journal of Zhengzhou University(Natural Science Edition), 2022, 54(6): 51-58.
	郭军利, 许明洋, 原浩宇, 等. 引入内生安全的零信任模型[J]. 郑州大学学报(自然科学版), 2022, 54(6):51-58.
[8]	OSANAIYE O A. Short Paper: IP Spoofing Detection for Preventing DDoS Attack in Cloud Computing[C]// IEEE. 18th International Conference on Intelligence in Next Generation Networks. New York: IEEE, 2015: 139-141.
[9]	MAHESHWARI A, MEHRAJ B, KHAN M S, et al. An Optimized Weighted Voting Based Ensemble Model for DDoS Attack Detection and Mitigation in SDN Environment[EB/OL]. [2023-09-11]. https://www.sciencedirect.com/science/article/abs/pii/S0141933121005585.
[10]	KAUTISH S, REYANA A, VIDYARTHI A. SDMTA: Attack Detection and Mitigation Mechanism for DDoS Vulnerabilities in Hybrid Cloud Environment[J]. IEEE Transactions on Industrial Informatics, 2022, 18(9): 6455-6463. doi: 10.1109/TII.2022.3146290 URL
[11]	XU Ke, FU Songtao, LI Qi, et. al. The Research Progress on Intrinsic Internet Security Architecture[J]. Chinese Journal of Computers, 2021, 44(11): 2149-2172.
	徐恪, 付松涛, 李琦, 等. 互联网内生安全体系结构研究进展[J]. 计算机学报, 2021, 44(11):2149-2172.
[12]	LIU Ying, REN Gang, WU Jianping, et al. Building an IPv6 Address Generation and Traceback System with NIDTGA in Address Driven Network[J]. SCIENCE CHINA Information Sciences, 2015, 58(12): 1-14.
[13]	WU Jianping, BI Jun, BAGNULO M, et al. RFC 7039: Source Address Validation Improvement (SAVI) Framework[EB/OL]. [2023-09-10]. http://ftp.otenet.gr/doc/rfc/rfc7039.txt.pdf.
[14]	HU Jinlong, WU Yisheng. Source Address Validation Based Ethernet Switches for IPv6 Network[C]// IEEE. 2012 IEEE International Conference on Computer Science and Automation Engineering(CSAE). New York: IEEE, 2012: 84-87.
[15]	LIU Bingyang, BI Jun, ZHOU Yu. Source Address Validation in Software Defined Networks[C]// ACM. The 2016 ACM SIGCOMM Conference. New York: ACM, 2016: 595-596.
[16]	CHEN Guolong, HU Guangwu, JIANG Yong, et al. SAVSH: IP Source Address Validation for SDN Hybrid Networks[C]// IEEE. 2016 IEEE Symposium on Computers and Communication(ISCC). New York: IEEE, 2016: 409-414.
[17]	ZHOU Qizhao. Research on Security Optimization Technologies of Flow Table in Software Defined Data Center Networks[D]. Wuhan: Huazhong University of Science and Technology, 2021.
	周启钊. 软件定义的数据中心网络流表安全保护性能优化方法研究[D]. 武汉: 华中科技大学, 2021.
[18]	CHEN Qing. Research on Optimization of Source Address Dynamic Validation Method in Software Defined Network[D]. Wuhan: Huazhong University of Science and Technology, 2019.
	陈清. 软件定义网络中源地址动态验证方法优化研究[D]. 武汉: 华中科技大学, 2019.
[19]	WANG Changping, CAI Yueping. Classified Flow Routing Scheme for Data Center Networks[J]. Journal of Chinese Computer Systems, 2016, 37(11): 2488-2492.
	王昌平, 蔡岳平. 数据中心网络流量分类路由机制研究[J]. 小型微型计算机系统, 2016, 37(11):2488-2492.
[20]	BEHAL S, KUMAR K. Detection of DDoS Attacks and Flash Events Using Novel Information Theory Metrics[J]. Computer Networks, 2017, 116: 96-110. doi: 10.1016/j.comnet.2017.02.015 URL
[21]	NG A. Sparse Autoencoder[J]. CS294A Lecture Notes, 2011, 72: 1-19.
[22]	BREIMAN L. Random Forests[J]. Machine Learning, 2001, 45: 5-32. doi: 10.1023/A:1010933404324 URL
[23]	ELSAYED M S, LE-KHAC N A, JURCUT A D. InSDN: A Novel SDN Intrusion Dataset[J]. IEEE Access, 2020, 8: 165263-165284. doi: 10.1109/Access.6287639 URL
[24]	WANG Zhihao, JIANG Dingde, HUO Liuwei, et al. An Efficient Network Intrusion Detection Approach Based on Deep Learning[EB/OL]. (2021-07-03) [2023-09-20]. https://link.springer.com/article/10.1007/s11276-021-02698-9.
[25]	ZANG Shiping, ZHAO Dongyan, HU Yi, et al. A High Speed SM3 Algorithm Implementation for Security Chip[C]// IEEE. 5th Advanced Information Technology, Electronic and Automation Control Conference(IAEAC). New York: IEEE, 2021: 915-919.

IPv6地址驱动的云网络内生安全机制研究

Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 25

相关文章 13

编辑推荐

Metrics

本文评价

[1]	李冬, 于俊清, 文瑞彬, 谢一丁. 基于IPv6的容器云内生安全机制[J]. 信息网络安全, 2023, 23(12): 21-28.
[2]	王腾飞, 蔡满春, 芦天亮, 岳婷. 基于iTrace_v6的IPv6网络攻击溯源研究[J]. 信息网络安全, 2020, 20(3): 83-89.
[3]	金志虎, 甘玉玺, 金毅, 胡龙斌. 构建安全可靠的IPv6驻地网络的探讨[J]. 信息网络安全, 2015, 15(8): 59-66.
[4]	钱福民;张海港. 浅谈下一代基于IPv6互联网的安全保护[J]. , 2012, 12(Z): 0-0.
[5]	温昱晖;任卫红;于毅;申永波. IPv6环境下信息安全等级保护面临的挑战与应对[J]. , 2012, 12(Z): 0-0.
[6]	沈亮;张艳;顾健. 物联网网络层中基于IPv6的信息安全产品发展趋势研究[J]. , 2012, 12(8): 0-0.
[7]	邹春明;顾健;宋好好. 基于下一代互联网的信息安全产品技术研究[J]. , 2012, 12(8): 0-0.
[8]	郝文江;武捷. IPv6安全技术分析[J]. , 2012, 12(7): 0-0.
[9]	铁玲;易勇;何迪. 多跳快速切换代理移动IPv6预认证协议的安全分析[J]. , 2012, 12(6): 0-0.
[10]	朱彦军;王斌君. 具有IPv4和IPv6转换功能的SSL VPN系统[J]. , 2012, 12(3): 0-0.
[11]	梅锋;孙东滨. IPv6环境下网络取证研究[J]. , 2012, 12(11): 0-0.
[12]	谢丰;彭勇;陈思聪;金海菲;李剑. (下一代)网络安全问题战略对策研究[J]. , 2011, 11(11): 0-0.
[13]	许丽娟;雷渭侣. IPv6威胁与零日漏洞的分析研究[J]. , 2009, 9(12): 0-0.