基于IPv6的容器云内生安全机制

doi:10.3969/j.issn.1671-1122.2023.12.003

信息网络安全 ›› 2023, Vol. 23 ›› Issue (12): 21-28.doi: 10.3969/j.issn.1671-1122.2023.12.003

基于IPv6的容器云内生安全机制

李冬¹, 于俊清¹^,²(), 文瑞彬², 谢一丁²

1.华中科技大学网络与计算中心，武汉 430074
2.华中科技大学网络空间安全学院，武汉 430074

收稿日期:2023-10-11 出版日期:2023-12-10 发布日期:2023-12-13
通讯作者: 于俊清 E-mail:yjqing@hust.edu.cn
作者简介:李冬（1979—），男，湖北，高级工程师，博士，主要研究方向为计算机网络、软件定义网络、网络安全|于俊清（1975—），男，内蒙古，教授，博士，CCF会员，主要研究方向为数字媒体处理与检索、网络安全、多核计算与流编译|文瑞彬（1997—），男，贵州，硕士研究生，主要研究方向为网络安全、软件定义网络|谢一丁（1999—），男，福建，硕士研究生，主要研究方向为网络安全、可编程数据平面
基金资助:
国家重点研发计划(2020YFB1805601);中国高校产学研创新基金(2021FNA02005)

Endogenous Security Methods for Container Cloud Based on IPv6

LI Dong¹, YU Junqing¹^,²(), WEN Ruibin², XIE Yiding²

1. Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China
2. School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China

Received:2023-10-11 Online:2023-12-10 Published:2023-12-13

摘要/Abstract

摘要：

容器具有占用资源少、资源利用率高、启动速度快和弹性能力强等优点，在数据中心云计算资源建设中的应用越来越广泛。相关研究表明，目前容器云存在缺乏可信接入机制的问题，IPv6具有地址空间大和安全性高的特点，基于IPv6构建容器云平台能够建立端到端的透明连接，实现可信接入。针对容器云平台的安全可信问题，文章对IPv6真实源地址验证方法进行改进，将真实用户身份信息嵌入IPv6地址的后64位，同时针对容器多备份且高度动态性的特点，采用哈希加盐的方式生成用户标识，并在IPv6地址中嵌入数据索引，替代原有的加密编码方式，解决因密钥管理和线性匹配导致的效率低下问题。文章还对地址生成流程进行优化，降低了地址解析的时间复杂度，满足容器云平台的地址分配要求。实验结果表明，优化后的IPv6真实源地址验证方法在地址生成阶段效率提升约35%，在地址溯源阶段将时间复杂度从O(n)降到O(1)，有效避免了密钥的管理和匹配问题，能够适应容器多备份和高动态环境，提升了容器云平台的内生安全能力。

关键词: 网络安全, 容器云, 内生安全, 源地址验证, IPv6

Abstract:

Container is increasingly used in cloud computing resource management in data center because of its low resource consumption, high resource utilization, fast startup speed, and strong elasticity. Relevant studies have shown that current container cloud lack trustwworthy access mechanism. IPv6 with large address space and high safety can establish end-to-end transparent connection and achieve trustworthy access in container platform. To solve the trustworthy issue of container cloud platform, an improved method for authenticating the real source address of IPv6 was proposed. This method embeded real user identity information into the last 64 bits of the IPv6 address. Meanwhile, to account for the highly dynamic nature of container backups, user identifier was generated based on hash and salt-add algorithm, and the data index was also embedded in the IPv6 address, replacing the original encryption method with low efficiency because of key management and linear matching. By this way, the address generation process could be optimized, the time complexity of address resolution could be reduced, and the address allocation requirements of container cloud platform can be satisfied. Experimental results show that the optimized method could improve authenticating the real source address of IPv6 efficiency by approximately 35% in the address generation stage and reduce the time complexity from O(n) to O(1) in the address tracing stage. It can adapt to highly dynamic container environment and significantly enhance the endogeous security of container cloud platform.

Key words: network security, container cloud, endogenous security, source address validation, IPv6

中图分类号:

TP309

李冬, 于俊清, 文瑞彬, 谢一丁. 基于IPv6的容器云内生安全机制[J]. 信息网络安全, 2023, 23(12): 21-28.

LI Dong, YU Junqing, WEN Ruibin, XIE Yiding. Endogenous Security Methods for Container Cloud Based on IPv6[J]. Netinfo Security, 2023, 23(12): 21-28.

图/表 10

图1

表1

图2

图3

图4

表2

图5

图6

图7

图8

参考文献 20

[1]	FERREIRA A P, SINNOTT R. A Performance Evaluation of Containers Running on Managed Kubernetes Services[C]// IEEE. 2019 IEEE International Conference on Cloud Computing Technology and Science(CloudCom). New York: IEEE, 2019: 199-208.
[2]	ORDABAYEVA G K, OTHMAN M, KIRGIZBAYEVA B, et al. A Systematic Review of Transition from IPV4 to IPV6[C]// ACM. 6th International Conference on Engineering & MIS 2020. New York: ACM, 2020: 1-15.
[3]	YUAN Lirong. Research on Practical Methods of Cyber Attack Tracing and Traceability[J]. China High and New Technology, 2022(23): 52-54.
	袁利荣. 网络攻击追踪溯源实践方法研究[J]. 中国高新科技, 2022(23):52-54.
[4]	DE GUZMAN F E, GERARDO B D, MEDINA R P. Implementation of Enhanced Secure Hash Algorithm Towards a Secured Web Portal[C]// IEEE. 2019 IEEE 4th International Conference on Computer and Communication Systems(ICCCS). New York: IEEE, 2019: 189-192.
[5]	MOHAMED H, OULDMOHAMED Y, NACERA B. A Single-Packet IP Traceback: Combating DoS-DDoS Attacks[J]. EDPACS, 2022, 66(4): 1-12.
[6]	FAZIO P, TROPEA M, VOZNAK M, et al. On Packet Marking and Markov Modeling for IP Traceback: A Deep Probabilistic and Stochastic Analysis[EB/OL]. (2020-12-09)[2023-08-10]. https://www.sciencedirect.com/science/article/abs/pii/S1389128620311439.
[7]	PATEL H, JINWALA D C. LPM: A Lightweight Authenticated Packet Marking Approach for IP Traceback[J]. Computer Networks, 2018, 140: 41-50. doi: 10.1016/j.comnet.2018.04.014 URL
[8]	NUR A Y, TOZAL M E. Record Route IP Traceback: Combating DoS Attacks and the Variants[J]. Computers & Security, 2018, 72: 13-25. doi: 10.1016/j.cose.2017.08.012 URL
[9]	MURUGESAN V, SELVARAJ M S, YANG M H. HPSIPT: A High-Precision Single-Packet IP Traceback Scheme[J]. Computer Networks, 2018, 143: 275-288. doi: 10.1016/j.comnet.2018.07.013 URL
[10]	LIU Ying, REN Gang, WU Jianping, et al. Building an IPv6 Address Generation and Traceback System with NIDTGA in Address Driven Network[J]. Science China Information Sciences, 2015, 58(12): 1-14.
[11]	KUANG Peng, LIU Ying, HE Lin, et al. IEEE 802.1x-Based User Identity-Embedded IPv6 Address Generation Scheme[J]. Telecommunications Science, 2019, 35 (12): 15-23. doi: 10.11959/j.issn.1000-0801.2019289
	况鹏, 刘莹, 何林, 等. 基于IEEE 802.1x的嵌入用户身份标识的IPv6地址生成方案[J]. 电信科学, 2019, 35(12):15-23. doi: 10.11959/j.issn.1000-0801.2019289
[12]	LI Zhitao, LIU Ying, REN Gang, et al. Non-Client Migration Scheme for IPv6 Address Generation System Based on Web Portal[J]. Journal of Southeast University(Natural Science Edition), 2017, 47(S1): 80-85.
	李智涛, 刘莹, 任罡, 等. IPv6地址生成系统基于Web Portal的无客户端迁移方案[J]. 东南大学学报(自然科学版), 2017, 47(S1):80-85.
[13]	LI Dan, QIN Lancheng, WU Jianping, et al. Internet Source Address Verification Method Based on Synchronization and Dynamic Filtering in Address Domain[J]. Telecommunications Science, 2020, 36(10): 21-28. doi: 10.11959/j.issn.1000-0801.2020289
	李丹, 秦澜城, 吴建平, 等. 基于边界路由动态同步的互联网地址域内真实源地址验证方法[J]. 电信科学, 2020, 36(10):21-28. doi: 10.11959/j.issn.1000-0801.2020289
[14]	WU Jiangxing. Mimetic Defense Technology to Build Endogenous Security of National Information Cyberspace[J]. Information and Communications Technologies, 2019, 13(6): 4-6.
	邬江兴. 拟态防御技术构建国家信息网络空间内生安全[J]. 信息通信技术, 2019, 13(6):4-6.
[15]	XU Ke, FU Songtao, LI Qi, et al. The Research Progress on Intrinsic Internet Security Architecture[J]. Chinese Journal of Computers, 2021, 44(11): 2149-2172.
	徐恪, 付松涛, 李琦, 等. 互联网内生安全体系结构研究进展[J]. 计算机学报, 2021, 44(11):2149-2172.
[16]	LUO Lunhan, LI Xiang, YU Xinsheng. Development and Application of Endogenous Security Technologies in Cyberspace in the Digital Era[J]. Electronic Technology & Software Engineering, 2021(19): 255-257.
	罗论涵, 李翔, 余新胜. 数字化时代网络空间内生安全技术发展与应用[J]. 电子技术与软件工程, 2021(19):255-257.
[17]	LI Lingshu. Research on Key Technologies of Mimic SaaS Cloud Security Architecture[D]. Zhengzhou: PLA Strategic Support Force Information Engineering University, 2021.
	李凌书. 拟态SaaS云安全架构及关键技术研究[D]. 郑州: 战略支援部队信息工程大学, 2021.
[18]	GUO Junli, XU Mingyang, YUAN Haoyu, et al. Introduction of Endogenous Security of Zero Trust Model[J]. Journal of Zhengzhou University(Natural Science Edition), 2022, 54(6): 51-58.
	郭军利, 许明洋, 原浩宇, 等. 引入内生安全的零信任模型[J]. 郑州大学学报(理学版), 2022, 54(6):51-58.
[19]	DUNKELMAN O, KELLER N, RONEN E, et al. Quantum Time/Memory/Data Tradeoff Attacks[EB/OL]. [2023-08-10]. https://www.xueshufan.com/publication/3217041859.
[20]	ZONG Rui, DONG Xiaoyang, WANG Xiaoyun. Collision Attacks on Round-Reduced Gimli-Hash/Ascon-Xof/Ascon-Hash[EB/OL]. [2023-08-10]. https://www.xueshufan.com/publication/2982481869.

端口	IPv6	MAC	访问次数
1	IPv6_addr₁	MAC_addr₁	N₁
2	IPv6_addr₂	MAC_addr₂	N₂
3	IPv6_addr₃	MAC_addr₃	N₃
…	…	…	…

基于IPv6的容器云内生安全机制

Endogenous Security Methods for Container Cloud Based on IPv6

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 20

相关文章 15

编辑推荐

Metrics

本文评价

[1]	付静. 水利关键信息基础设施安全保护探索与实践[J]. 信息网络安全, 2023, 23(8): 121-127.
[2]	孙珵珵. 网络安全治理对策研究[J]. 信息网络安全, 2023, 23(6): 104-110.
[3]	王晓狄, 黄诚, 刘嘉勇. 面向网络安全开源情报的知识图谱研究综述[J]. 信息网络安全, 2023, 23(6): 11-21.
[4]	金志刚, 刘凯, 武晓栋. 智能电网AMI领域IDS研究综述[J]. 信息网络安全, 2023, 23(1): 1-8.
[5]	孙鹏宇, 谭晶磊, 李晨蔚, 张恒巍. 基于时间微分博弈的网络安全防御决策方法[J]. 信息网络安全, 2022, 22(5): 64-74.
[6]	金波, 唐前进, 唐前临. CCF计算机安全专业委员会2022年网络安全十大发展趋势解读[J]. 信息网络安全, 2022, 22(4): 1-6.
[7]	陈妍, 韦湘, 陆臻. 云计算环境下网络安全产品检测方法研究[J]. 信息网络安全, 2022, 22(12): 1-6.
[8]	刘忻, 王家寅, 杨浩睿, 张瑞生. 一种基于区块链和secGear框架的车联网认证协议[J]. 信息网络安全, 2022, 22(1): 27-36.
[9]	白宏鹏, 邓东旭, 许光全, 周德祥. 基于联邦学习的入侵检测机制研究[J]. 信息网络安全, 2022, 22(1): 46-54.
[10]	顾兆军, 姚峰, 丁磊, 隋翯. 基于半实物的机场供油自控系统网络安全测试[J]. 信息网络安全, 2021, 21(9): 16-24.
[11]	蔡满春, 王腾飞, 岳婷, 芦天亮. 基于ARF的Tor网站指纹识别技术[J]. 信息网络安全, 2021, 21(4): 39-48.
[12]	赵小林, 赵斌, 赵晶晶, 薛静锋. 基于攻击识别的网络安全度量方法研究[J]. 信息网络安全, 2021, 21(11): 17-27.
[13]	吴佳明, 熊焰, 黄文超, 武建双. 一种基于距离导向的模糊测试变异方法[J]. 信息网络安全, 2021, 21(10): 63-68.
[14]	金志刚, 王新建, 李根, 岳顺民. 融合攻击图和博弈模型的网络防御策略生成方法[J]. 信息网络安全, 2021, 21(1): 1-9.
[15]	刘大恒, 李红灵. QR码网络钓鱼检测研究[J]. 信息网络安全, 2020, 20(9): 42-46.