Netinfo Security, 2024, Vol. 24, Issue (1): 113-120. doi: 10.3969/j.issn.1671-1122.2024.01.011

Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address

ZHANG Bowen 1, LI Dong 2, ZHAO Yizhu 1, YU Junqing 1,2

  1. School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
  2. Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China
  • Received: 2023-10-15 Online: 2024-01-10 Published: 2024-01-24
  • Contact: YU Junqing E-mail: yjqing@hust.edu.cn

Abstract:

Cloud networking can rapidly deploy and configure virtual network resources on a cloud platform according to different business scenarios, and is an important guarantee of performance and security in modern data centers. However, traditional cloud networks cannot provide transparent end-to-end transmission because of the limitations of IPv4. The multi-tenant nature of the cloud makes it difficult for the cloud manager to constrain traffic on tenant subnets, and external security solutions cannot trace traffic back to individual tenants, so attacks cannot be restricted at their source. IPv6 has a large address space, strong addressing ability, and high security. Guided by the endogenous security concept and centered on IPv6 address driving, this article proposes an IPv6 address-driven endogenous security hierarchy architecture for cloud networks, consisting of an address generation layer, an address verification layer, and an address utilization layer. At the address generation layer, the tenant identity is embedded into the last 64 bits of the IPv6 address using a symmetric encryption algorithm, and the DHCPv6 address allocation strategy is modified accordingly; the implementation is based on OpenStack Neutron. At the address verification layer, a dynamic source address verification method is designed and implemented for cloud networks, with specific transition methods and security policies for different port status sets. At the address utilization layer, based on the characteristics of real IPv6 addresses, a packet tracing mechanism and an IPv6 address-based access control policy are implemented.
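As an added illustration of the address generation and utilization layers described above (not code from the paper, which does not specify its cipher, key handling or identifier layout): the tenant identity is encrypted into the 64-bit interface identifier, recovered from an observed source address for tracing, and checked against the tenant bound to the ingress port. The 64-bit Feistel network keyed with HMAC-SHA256, the 32-bit tenant / 32-bit sequence layout, the prefix and the key are all assumptions made for this example.

```python
import hmac, hashlib, ipaddress, struct

# Constructed demo key; the paper publishes neither its key nor its cipher choice.
DEMO_KEY = b"constructed-demo-key-not-from-paper"
ROUNDS = 4

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: keyed PRF (HMAC-SHA256) truncated to the 32-bit half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Balanced Feistel network over a 64-bit block; stand-in for the
    # unspecified symmetric cipher in the paper. Decryption runs the same
    # rounds in reverse order.
    left, right = block[:4], block[4:]
    for i in rounds:
        f = _round(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # undo the last swap

def encrypt64(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))

def decrypt64(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))

def make_address(prefix: str, tenant_id: int, host_seq: int, key: bytes = DEMO_KEY) -> str:
    # Address generation layer: plaintext IID = 32-bit tenant id || 32-bit
    # per-tenant sequence (assumed layout), encrypted into the low 64 bits.
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("tenant subnet must be a /64 so the IID is exactly 64 bits")
    iid = encrypt64(key, struct.pack(">II", tenant_id, host_seq))
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

def trace_tenant(addr: str, key: bytes = DEMO_KEY) -> tuple:
    # Address utilization layer: recover (tenant_id, host_seq) from an observed
    # source address without any lookup table.
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return struct.unpack(">II", decrypt64(key, iid.to_bytes(8, "big")))

def source_address_valid(addr: str, bound_tenant: int, key: bytes = DEMO_KEY) -> bool:
    # Address verification layer: the tenant decoded from the source address must
    # match the tenant the ingress port belongs to; a spoofed or foreign-tenant
    # address decodes to a different tenant and is dropped.
    tenant, _ = trace_tenant(addr, key)
    return tenant == bound_tenant
```

Because the interface identifier is ciphertext, an address forged with an arbitrary low 64 bits decrypts to an unrelated tenant value and fails the port check, while a copied address of another tenant decodes to that tenant and is rejected on the wrong port.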

Key words: cloud network, endogenous security, source address validation, address generation, IPv6
