978-1-5386-2165-3/17/$31.00 ©2017 IEEE 2790
2017 13th International Conference on Natural Computation, Fuzzy Systems and Knowledge Discovery (ICNC-FSKD 2017)
Comparative Studies of IPv6 Tunnel Security
Kejun Gu, Liancheng Zhang, Zhenxing Wang, Yazhou Kong
China National Digital Switching System Engineering and Technological Research Center
Zhengzhou City, China
Email: liancheng17@gmail.com
Abstract—As IPv6 becomes more and more widely deployed,
IPv4 networks will coexist with IPv6 networks for a relatively
long time. Tunnel mechanisms are the best choice for a smooth
transition to IPv6. With the wide deployment of tunnel
mechanisms, more and more security issues have been noticed.
The security problems faced by tunnel mechanisms, such as
injection, address spoofing and reflector attacks, are analyzed,
and the corresponding countermeasures are grouped into
three directions: filter, deep packet inspection (DPI) and IPsec.
Some open questions are pointed out for future research.
Keywords-IPv6; transition; tunnel; security; comparative
studies
I. INTRODUCTION
IPv4 is the basic communication protocol of the Internet at
present, and it has played a crucial role in the development of
the Internet. However, as the Internet has grown, IPv4 address
exhaustion has gradually become apparent. The Internet
Assigned Numbers Authority (IANA) distributed its last five
IPv4 address blocks equally to the five Regional Internet
Registries (RIRs) on February 3, 2011. The top-level IPv4
address pool has been exhausted. The problem of IPv4 address
exhaustion was raised and considered in the late 1980s, and
the IPv6 protocol suite was proposed to replace IPv4.
Compared to IPv4, IPv6 has many advantages, including
end-to-end security, the global routability of hosts, and good
mobility. With the explosive growth of the Internet after
2000 and the increasing consumption of IPv4 addresses, the
transition from IPv4 to IPv6 is very urgent.
Because of the large differences between IPv4 packets and
IPv6 packets, network devices need to be changed to support
the IPv6 protocol. Since the Internet is so large, changing all
network devices will take a long period, called the transition
period, during which IPv4 needs to coexist with IPv6. IPv6
transition mechanisms enable communication between network
devices that use the same or different internet protocols, which
allows IPv4 and IPv6 to coexist with each other.
Transition mechanisms are divided into three categories [1].
The first is Dual Stack. It deploys both the IPv4 and IPv6
protocol stacks in one network node, so that the node can
support both protocols. It is not only an independent transition
mechanism but also the basis of other IPv6 transition
mechanisms. The second is Tunnel. It enables IPv6 hosts and
networks to communicate with each other over IPv4 networks.
The basic idea is to treat IPv6 packets as the payload of IPv4
packets and forward them to the IPv6 destination host or
network through IPv4 networks. The last one is Translation.
By converting packet formats and information between IPv4
and IPv6, it enables hosts or networks that use different
internet protocols to communicate with each other.
Compared with the dual stack and translation mechanisms, the
tunnel mechanism is more flexible and simple [2]. As a result,
the tunnel mechanism has gradually been widely deployed.
However, with the wide deployment of tunnel mechanisms,
more and more security issues have been noticed.
In this paper, we focus on the security of the tunnel
mechanisms used in the IPv4-to-IPv6 transition period. We
introduce the tunnel technologies and main mechanisms in
Section II. In Section III, we compare the research on tunnel
security, analyze the security problems faced by tunnel
mechanisms and group the countermeasures into three
directions. The conclusion and prospects are presented in
Section IV.
II. TUNNEL TECHNOLOGIES
Tunnel technology is one of the key technologies in the
transition period. A tunnel is like a bridge between two IPv6
networks separated by an IPv4 network: it enables IPv6 packets
to be forwarded over the IPv4 network by treating the IPv4
network as the link layer. Each tunnel has at least two
endpoints: an ingress endpoint and an egress endpoint.
Endpoints are dual stack routers, and they handle the
encapsulation, decapsulation, and management processes.
When an IPv6 packet arrives at the ingress endpoint, it is
encapsulated with an IPv4 header and becomes the payload of
an IPv4 packet. The source address and destination address of
the IPv4 header are the IPv4 addresses of the ingress and
egress endpoints. The IPv4 packet is then forwarded to the
egress endpoint across the IPv4 network as a normal IPv4
packet. When the IPv4 packet arrives at the egress endpoint, it
is decapsulated to recover the original IPv6 packet, which the
egress endpoint then forwards to the destination. The keys of
the tunnel mechanism are endpoints and management.
According to the way egress endpoints are found, tunnel
mechanisms are divided into two types: manual tunnels and
automatic tunnels.
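The encapsulation and decapsulation steps described above, as an added example that is not code from the paper. It goes slightly beyond the text by having the egress endpoint check the outer source address against its configured ingress endpoints, an instance of the "filter" countermeasure direction named in the abstract. The function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet (RFC 4213)

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_ipv6_packet() -> bytes:
    """Constructed sample: 40-byte IPv6 header, no payload (next header 59)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address("2001:db8:1::1").packed,
                       ipaddress.IPv6Address("2001:db8:2::1").packed)

def encapsulate(ipv6_packet: bytes, ingress: str, egress: str) -> bytes:
    """Ingress endpoint: carry the IPv6 packet as the payload of an IPv4 packet."""
    src = ipaddress.IPv4Address(ingress).packed
    dst = ipaddress.IPv4Address(egress).packed
    def hdr(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet),
                           0, 0, 64, IPPROTO_IPV6, csum, src, dst)
    return hdr(checksum(hdr(0))) + ipv6_packet

def decapsulate(ipv4_packet: bytes, local: str, allowed_peers: set) -> bytes:
    """Egress endpoint: validate the outer header, then return the inner packet."""
    if len(ipv4_packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ipv4_packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ipv4_packet):
        raise ValueError("malformed IPv4 header")
    if checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if dst != ipaddress.IPv4Address(local).packed:
        raise ValueError("outer destination is not this endpoint")
    if str(ipaddress.IPv4Address(src)) not in allowed_peers:
        raise PermissionError("outer source is not a configured ingress endpoint")
    inner = ipv4_packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    return inner
```

The outer source check is a filter, not authentication: the outer IPv4 address is itself unauthenticated, which is why the abstract lists IPsec as a separate countermeasure direction.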
A. Manual Tunnels
This work is supported by the National Natural Science
Foundation of China (61402526, 61402525, 61502528).