With the rapid development of computer and communication technologies, the Internet is expanding at an unimaginable rate, IP services are growing explosively, and the number of applications on IP networks keeps increasing, so that the original IPv4 network is becoming increasingly inadequate. IP networks are evolving toward the next generation, and IPv6 will undoubtedly be the core of the Next Generation Network (NGN). Beyond the larger address space, IPv6 offers many other strong features, such as security, quality of service and mobility, which make its advantages even more obvious.
At the same time, because IPv4 is so widely deployed, the transition from IPv4 to IPv6 will be long and gradual. During this period, different transition strategies will be used to solve the interconnection problem between IPv4 and IPv6; the representative ones are the dual protocol stack, tunneling and protocol translation. Network traffic during the transition will therefore become more complex, comprising not only IPv4 and IPv6 traffic but also IPv6 over IPv4 and IPv4 over IPv6 traffic.
In this new network environment, network attacks inevitably show new features and pose new challenges to security technologies and products. This applies especially to intrusion prevention, a technology that emerged in the past two years and links the intrusion detection system with the firewall. Compared with a traditional standalone firewall, an Intrusion Prevention System (IPS) has much stronger control over data packets and much better detection of application-layer and other high-level protocols. At the same time, intrusion detection can be combined with the firewall's blocking function in real time: when an intrusion is detected, the firewall is triggered to take action and stop the attack, which greatly simplifies the administrator's work and improves system security. However, because intrusion prevention is a recent idea and IPv6 has not yet been deployed on a large scale, there is little research on how to implement this technology in an IPv6 environment. Studying intrusion prevention in the IPv6 environment is therefore of great significance for securing the transition from IPv4 to IPv6 and the networks of the future.
1 IPv6 network security problems
From IPv4 to IPv6 the address space grows from 32 bits to 128 bits, so the number of IPv6 addresses far exceeds the number of IPv4 addresses, and it becomes impractical to send probe packets one by one to every address of a CIDR block. Scanning attacks will foreseeably still exist in the IPv6 environment, but in the new environment the IPS should focus on detecting scanning behavior aimed at a single host or a small set of hosts.
The traditional IPv4 protocol did not fully consider network security. IPv6 makes the IPSec protocol a part of IPv6, which greatly improves security; this is achieved through the AH and ESP headers and the corresponding key management protocol (PKL). Because IPSec provides data origin authentication and encryption for communication data, attackers cannot use IP address spoofing, TCP sequence number spoofing and similar means to attack the system. Therefore, an IPS in the IPv6 environment can treat IPSec-protected data streams as trusted and omit detection of such packets, which improves the detection efficiency of the IPS.
Packet fragmentation in IPv6 also differs from IPv4: fragmentation is performed only by the source node, never by intermediate routers, so fragment lengths do not change while the packet is in transit. This provides a new way to detect attacks that use fragments to evade rule matching in IPv6. If the fragments of the same original packet (apart from the last one) have inconsistent sizes, this can be regarded as an anomaly, so there is no need to wait until all fragments have been reassembled into a packet containing the complete information before passing it to the detection engine for rule matching.
IPv6 requires that every link on the transmission path has an MTU of at least 1280 octets. Except for some special IPv6 packets, such as ICMPv6 packets and the last fragment of a fragmented packet, IPv6 packets should not be smaller than 1280 octets. Therefore, abnormal traffic can be detected by checking IPv6 packet sizes: for example, collect statistics on IPv6 packet sizes and set a packet size threshold based on them; if the IPS sees a packet smaller than this value, the packet can be listed as suspicious.
In IPv6, attackers can use the hop limit field of the IPv6 base header (similar to the TTL in the IPv4 header) to probe the path from themselves to the target of the attack: they send packets (TCP/UDP) with progressively increasing hop limit values and reconstruct the path from the source addresses of the destination unreachable messages that come back. Therefore the IPS must be able to detect possible path probing packets. If a packet arriving at the protected network has a hop limit value of 1, it may be a potential path probe, so a detection rule on the hop limit field can be set to find path probing in IPv6.
In the transition environment from IPv4 to IPv6 there will be a large number of tunneled packets, both IPv6 over IPv4 and IPv4 over IPv6. Attackers can construct tunnel attacks and deliver attack packets to the targeted host through a tunnel. Therefore, intrusion detection in IPv6 must be able to analyze and inspect tunneled packets.
In addition, IPv6 has a great impact on traditional firewalls. For a packet filtering firewall, the IPv4 IP header and the TCP header are adjacent and of essentially fixed length, so the firewall can quickly locate the headers and apply its filter rules; IPv6 instead makes heavy use of extension headers at the IP layer, so the firewall must follow the Next Header field one header at a time until it reaches TCP or UDP, which significantly affects performance at high bandwidth. For address translation firewalls, network address translation (NAT) does not fit with IPSec, so IPSec communication through an address translating firewall is difficult: for example, when AH is used for authentication, the IP header itself is part of the authenticated data and therefore cannot be rewritten. Application proxy firewalls work mainly at the application layer, so IPv6 has less impact on them.
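The checks discussed in this section can be put into one small piece of code. The following is an added example, not code from the paper or its system: it parses an IPv6 base header, follows the Next Header chain through the extension headers to the transport protocol (the per-packet walk that burdens IPv6 packet filters), and applies the three heuristics above: a hop limit of 1, a packet smaller than the size threshold (ICMPv6 and last fragments exempted), and non-final fragments of one original packet that differ in size. All packets are constructed inline; the 1280-octet threshold and the field names are assumptions.

```python
"""Added example, not code from the paper: IPv6 header walk plus the hop-limit,
packet-size and fragment-size heuristics. Sample packets are constructed."""
import struct
from collections import defaultdict

# IANA Next Header values for the headers handled here.
HOP_BY_HOP, ROUTING, FRAGMENT, DST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
MIN_PACKET = 1280  # assumed size threshold (the paper derives it from traffic statistics)


def parse_ipv6(pkt: bytes) -> dict:
    """Return base-header fields, fragment info (if any) and the upper-layer
    protocol reached after following the Next Header chain."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 base header")
    first, payload_len, nxt, hop = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": pkt[8:24], "dst": pkt[24:40], "payload_len": payload_len,
            "hop_limit": hop, "total_len": len(pkt), "fragment": None}
    off = 40
    # Follow Next Header one extension header at a time until a transport protocol.
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DST_OPTS):
        if nxt == FRAGMENT:
            nxt, _, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["fragment"] = {"id": ident, "offset": off_flags >> 3,
                                "more": bool(off_flags & 1),
                                "data_len": len(pkt) - off - 8}
            off += 8
        else:
            nxt, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8  # Hdr Ext Len excludes the first 8 octets
    info["upper"] = nxt
    return info


class FragmentTracker:
    """Only the source fragments in IPv6, so all non-final fragments of one
    original packet should carry the same amount of data."""

    def __init__(self):
        self.sizes = defaultdict(set)

    def check(self, info: dict):
        frag = info["fragment"]
        if frag is None or not frag["more"]:
            return None  # the last fragment may legitimately be shorter
        key = (info["src"], info["dst"], frag["id"])
        self.sizes[key].add(frag["data_len"])
        return "inconsistent fragment size" if len(self.sizes[key]) > 1 else None


def inspect(info: dict, tracker: FragmentTracker) -> list:
    """Apply the three heuristics and return the findings for one packet."""
    findings = []
    if info["hop_limit"] == 1:
        findings.append("hop limit 1: possible path probe")
    frag = info["fragment"]
    is_last_fragment = frag is not None and not frag["more"]
    if info["total_len"] < MIN_PACKET and info["upper"] != ICMPV6 and not is_last_fragment:
        findings.append("undersized packet")
    frag_finding = tracker.check(info)
    if frag_finding:
        findings.append(frag_finding)
    return findings


# Constructed sample traffic (documentation-prefix addresses).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
HBH = struct.pack("!BB", FRAGMENT, 0) + b"\x01\x04\x00\x00\x00\x00"  # Hop-by-Hop (PadN) -> Fragment


def build(hop: int, nxt: int, body: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(body), nxt, hop) + SRC + DST + body


def fragment_hdr(nxt: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | int(more), ident)


def demo() -> list:
    tracker = FragmentTracker()
    pkts = [
        # 1280-octet UDP packet arriving with hop limit 1
        build(1, UDP, b"A" * 1240),
        # first fragment of packet 0x1234: Hop-by-Hop, Fragment, 1224 data octets
        build(64, HOP_BY_HOP, HBH + fragment_hdr(UDP, 0, True, 0x1234) + b"B" * 1224),
        # a later non-final fragment of the same packet carrying only 1000 octets
        build(64, FRAGMENT, fragment_hdr(UDP, 153, True, 0x1234) + b"B" * 1000),
    ]
    return [inspect(parse_ipv6(p), tracker) for p in pkts]
```

Run `demo()` to see the findings per packet: the first packet is flagged only for its hop limit, the first fragment passes, and the shorter second fragment is flagged both as undersized and as inconsistent with the earlier fragment of the same packet. The tracker keys on (source, destination, identification), which is the tuple a reassembler also uses.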
Most network security problems are not caused by the network layer but by things such as defects in network applications and improper system configuration. These security risks still exist in the IPv6 environment, which also requires that our IPS be easy to configure and have a friendly configuration and management interface.
2 System Design
This system is a new intrusion detection and prevention technology for the IPv6 environment, developed under a related research topic. It pays special attention to detecting various network intrusions in IPv4/IPv6 coexistence networks and to high-speed network data collection, and it designs and develops active response and intrusion prevention functions that act after an intrusion has been detected. The IPv6 network security issues mentioned above are fully taken into account in the design.
The system functions are divided into the following modules: main control, high-speed network data collection, dual-protocol parsing engine, detection engine preprocessing, vulnerability attack signature rule processing, detection engine processing, alarm log recording, active blocking response, traffic feature analysis and graphical management. The functions and technical points of each module are described as follows:
Main control module: system initialization and the related calls to each functional module.
High-speed network data collection: one of the system's design goals is to support intrusion prevention at a bandwidth of Mbit/s. This module is the important first step of intrusion detection and also the key step that decides whether the system can cope with high-speed networks. Here we use "zero copy" technology to achieve packet capture at that bandwidth.
Dual-protocol parsing engine: this module contains both an IPv4 and an IPv6 protocol parsing engine and can parse both network protocols at the same time; through the interaction between the two engines, all IPv6 over IPv4 and IPv4 over IPv6 tunnel packets can be parsed accurately and conveniently. The module also implements deep protocol parsing. Signature pattern matching is still the main technology, but it has the disadvantages of low speed and low efficiency; protocol analysis is the main technique of the new generation of IDS attack detection, and it uses the high regularity of network protocols to detect attacks quickly.
Detection engine preprocessing module: this module preprocesses data packets after protocol parsing and before rule matching. For IPv6, the required preprocessing functions include IPv6 fragment reassembly and IPv6 port scan detection.
Vulnerability attack signature rule processing: the system's intrusion detection is based on pattern matching. To match known attack signatures efficiently and quickly, a rule language that describes attack signatures was designed based on the analysis of various IPv4 and IPv6 attack signatures. The known attack rules must also be organized effectively in memory, so we designed an intrusion rule tree that supports both IPv6 and IPv4.
Detection engine processing module: this module is the core of the system. It matches rules against the rule tree built by the vulnerability attack signature rule processing module. When a packet arrives, the rule header is matched first, and the rule options are then matched for packets that matched a rule header. The content matched by rule headers and rule options is shown in Figure 3. Matching the packet payload during rule option matching is critical, so a good matching algorithm is crucial; this system uses the well-known Boyer-Moore algorithm.
Alarm log recording: writes alarms to a file and displays them in real time, and writes logs to the MySQL database for use by the subsequent analysis and traffic feature analysis modules.
Active blocking: this module is an important part of the system and must support active blocking for both IPv4 and IPv6. For details, see section 4.
Traffic feature analysis: anomaly-based detection performed on the logs and alarm information in the database. This method can detect unknown attacks; its disadvantage is that matching is sometimes inaccurate, so it is combined with pattern matching, and the two complement each other.
Graphical management: intrusion alarm analysis is designed in B/S (browser/server) mode. The back-end MySQL database stores IPv6/IPv4 network traffic data for various periods, including daily, monthly and annual reports, as well as the alarm information. The front end uses PHP and the Apache HTTP Server to give users a friendly web interface. Because alarm information is sensitive, the Apache SSL module is used to encrypt the data in transit.
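To make the rule tree and the two-stage matching of the detection engine concrete, here is an added example in Python; it is not the system's own code and its rule fields (IP version, protocol, destination port, content strings) and sample rules are constructed for illustration in the spirit of Snort-style rules. Rule headers are matched first by walking the tree, and only the rules at the matching leaf have their options (payload contents) checked with a Boyer-Moore-Horspool search, the simplified bad-character variant of the Boyer-Moore algorithm the paper names.

```python
"""Added example, not the paper's code: rule tree (header match, then option
match) with Boyer-Moore-Horspool payload search. Rules and packets are constructed."""
from collections import defaultdict

ANY = None  # wildcard destination port in a rule header


def bmh_search(text: bytes, pattern: bytes) -> int:
    """Boyer-Moore-Horspool: compare the window right-to-left and, on a
    mismatch, shift by the bad-character distance of the window's last byte.
    Returns the first match offset or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    if m > n:
        return -1
    skip = [m] * 256
    for i in range(m - 1):
        skip[pattern[i]] = m - 1 - i
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            return i
        i += skip[text[i + m - 1]]
    return -1


class Rule:
    def __init__(self, sid, version, proto, dst_port, contents, msg):
        self.sid, self.msg = sid, msg
        self.version, self.proto, self.dst_port = version, proto, dst_port  # rule header
        self.contents = contents  # rule options: every content must be present


class RuleTree:
    """First level: (IP version, protocol); second level: destination port;
    leaves: the rules whose options still have to be checked."""

    def __init__(self):
        self.tree = defaultdict(lambda: defaultdict(list))

    def add(self, rule: Rule):
        self.tree[(rule.version, rule.proto)][rule.dst_port].append(rule)

    def match(self, pkt: dict) -> list:
        hits = []
        by_port = self.tree.get((pkt["version"], pkt["proto"]), {})
        for port in (pkt["dst_port"], ANY):                 # rule header match
            for rule in by_port.get(port, []):
                if all(bmh_search(pkt["payload"], c) >= 0 for c in rule.contents):
                    hits.append(rule.sid)                   # rule options match
        return hits


def build_tree() -> RuleTree:
    tree = RuleTree()  # constructed sample rules, not from any real rule set
    tree.add(Rule(1001, 6, "tcp", 80, [b"/etc/passwd"], "web: sensitive file requested"))
    tree.add(Rule(1002, 6, "tcp", 80, [b"GET", b"../../"], "web: directory traversal"))
    tree.add(Rule(1003, 4, "tcp", 80, [b"/etc/passwd"], "web: sensitive file requested (IPv4)"))
    tree.add(Rule(1004, 6, "udp", ANY, [b"\x90" * 8], "udp: NOP sled in payload"))
    return tree


def demo() -> dict:
    tree = build_tree()
    pkts = {  # constructed sample packets after protocol parsing
        "v6_http": {"version": 6, "proto": "tcp", "dst_port": 80,
                    "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
        "v6_http_ok": {"version": 6, "proto": "tcp", "dst_port": 80,
                       "payload": b"GET /index.html HTTP/1.1\r\n"},
        "v4_http": {"version": 4, "proto": "tcp", "dst_port": 80,
                    "payload": b"GET /etc/passwd HTTP/1.0\r\n"},
        "v6_udp": {"version": 6, "proto": "udp", "dst_port": 5353,
                   "payload": b"\x00" * 4 + b"\x90" * 12},
    }
    return {name: tree.match(p) for name, p in pkts.items()}
```

`demo()` returns the matching rule ids per sample packet. Because the tree is keyed on the header fields, a packet only ever reaches the payload search of rules whose header matched, which is what keeps the costly option matching off the hot path for most traffic.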
3 Key technologies for active defense
ip6tables is the open source IPv6 firewall software in Linux. Our IPv6 intrusion detection system is designed to work with ip6tables to block intrusions actively and thereby implement active defense. In this active blocking mode the system combines two functions, firewall and intrusion detection system, to implement intrusion prevention. Unlike the usual bypass (sniffer) mode of intrusion detection, the system is then placed at the entrance of the network like a firewall, in routing mode, forwarding packets between the intranet and the Internet.
Active blocking must be able to block IPv4 and IPv6 packets in real time at the same time. For IPv6 we use the ip6tables firewall; its extension module ip6_queue.o uses the netlink socket interface to pass kernel-space packets to a user space program (ip_queue.o is the corresponding module of iptables for IPv4). At the same time, the data collection subsystem changes: packets are no longer captured directly from the link layer; instead, the system runs as a user space program that takes packets from the packet queue produced by the ip6tables/iptables ip6_queue/ip_queue module, performs pattern matching, and uses the built-in rules to check whether an attack is present. If so, the fate of the packet is decided by the rule configuration; three actions are designed: DROP, ACCEPT and REJECT. After the action is executed, the result is returned to ip6tables, which filters accordingly; if needed, the modified packet is re-injected into the kernel for ip6tables to forward.
Key features
Capturing IPv4 and IPv6 packets simultaneously is the focus of this module. Experiments showed that when packets are read from the two queues (ip6_queue and ip_queue), each queue's packet fetch function blocks the other. To solve this, multithreading is used: two threads are spawned to control the ip_queue and ip6_queue packet queues respectively and read packets from them, so that neither blocks the other. Experiments show that the two threads have little impact on system performance: the two capture threads do not conflict with each other, and packet capture is normal and timely.
The multithreaded packet fetch algorithm follows the producer/consumer pattern: two producers continuously take packets from the two queues and hand them to the consumer (the main thread) for processing. However, because operations such as DROP must be performed on each packet, a producer can produce only one packet at a time and may continue only after that packet has been consumed. Because two producers work at the same time, the consumer needs to know whether the packet to be processed is IPv4 or IPv6, so a queue is prepared to record the order in which the packets were produced; to avoid confusion during packet processing, the consumer takes the packet from the corresponding producer based on the version value read from this queue.
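The dual-queue producer/consumer scheme just described, as an added example that is not the system's own code: two producer threads each drain one packet queue (in-memory queues stand in here for the ip_queue and ip6_queue netlink queues), each hands over a single packet and then waits until the consumer has issued its verdict, and a shared order queue tells the consumer which version's packet to take next. The packets and the tiny content-to-verdict rule table are constructed for this illustration.

```python
"""Added example, not the paper's code: two producers (IPv4, IPv6), one consumer,
one packet in flight per producer, and an order queue carrying the IP version."""
import queue
import threading

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"
# assumed content-based rules: payload substring -> verdict
RULES = {b"ATTACK": DROP, b"RESET": REJECT}


class Producer(threading.Thread):
    """Reads one packet queue; blocking on it never affects the other producer."""

    def __init__(self, version: int, source: queue.Queue, order: queue.Queue):
        super().__init__(daemon=True)
        self.version, self.source, self.order = version, source, order
        self.handoff = queue.Queue(maxsize=1)      # the single packet in flight
        self.verdict_given = threading.Event()     # set by the consumer

    def run(self):
        while True:
            pkt = self.source.get()                # blocks only on this version's queue
            self.handoff.put(pkt)                  # publish the packet first ...
            self.order.put(self.version)           # ... then announce its version
            self.verdict_given.wait()              # next packet only after this one is consumed
            self.verdict_given.clear()


def decide(pkt: dict) -> str:
    """Stand-in for rule matching: the first matching content decides the fate."""
    for content, verdict in RULES.items():
        if content in pkt["payload"]:
            return verdict
    return ACCEPT


def consume(order: queue.Queue, producers: dict, n_packets: int) -> list:
    """Main-thread consumer: follow the order queue so IPv4 and IPv6 packets
    are never confused, issue a verdict, then release that producer."""
    verdicts = []
    for _ in range(n_packets):
        version = order.get()
        producer = producers[version]
        pkt = producer.handoff.get()
        verdicts.append((version, pkt["id"], decide(pkt)))
        producer.verdict_given.set()   # in the real system: return the verdict to ip(6)tables
    return verdicts


def run_demo() -> list:
    src4, src6, order = queue.Queue(), queue.Queue(), queue.Queue()
    # constructed sample packets for each version
    for pkt in ({"id": 1, "payload": b"GET / HTTP/1.1"}, {"id": 2, "payload": b"ATTACK"}):
        src4.put(pkt)
    for pkt in ({"id": 1, "payload": b"RESET me"}, {"id": 2, "payload": b"hello"},
                {"id": 3, "payload": b"ATTACK"}):
        src6.put(pkt)
    producers = {4: Producer(4, src4, order), 6: Producer(6, src6, order)}
    for p in producers.values():
        p.start()
    return consume(order, producers, n_packets=5)


if __name__ == "__main__":
    for version, pkt_id, verdict in run_demo():
        print(f"IPv{version} packet {pkt_id}: {verdict}")
```

The interleaving between the IPv4 and IPv6 streams depends on thread scheduling, but within one version the packets are always processed in the order they were queued, and the consumer never has to guess which producer a packet came from because the version tag is enqueued only after the packet itself has been placed in the handoff slot.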
In addition, for some attacks a reset packet is constructed to reset the connection, i.e. the REJECT action is executed. We construct the reset packet with the Libnet function library, whose interface functions implement and encapsulate packet construction and sending. Based on the TCP/IP protocols, an RST packet is sent on the TCP connection to reset it, and an ICMP/ICMPv6 port unreachable message is sent for the UDP port to reset the UDP exchange.
4 Conclusion
In this article we describe the technical route and framework for implementing an intrusion prevention system (IPS) in the new IPv6 environment and discuss the key technologies. The system's intrusion detection (IDS) part refers to the open source software Snort, with major improvements for the different IPv6 protocols. In large-scale networks it is difficult to resist complex, combined hybrid attacks by relying solely on the passive, static defense of a firewall, and unauthorized access by internal users cannot be monitored; at the same time, simple intrusion detection cannot effectively curb attacks in real time. IPS has therefore become an important part of a three-dimensional, in-depth, multi-level defense system for IPv6, and the implementation of this system provides an effective guarantee for the transition from IPv4 to IPv6.
In the final implementation and testing, the system provided users with a simple configuration management interface and effectively detected and prevented multiple attacks, achieving the goal of the design research. At the same time, the experiments revealed some shortcomings: using the ip_queue and ip6_queue modules and the netlink interface to pass packets to user space slows data processing and affects system performance. Performance can be improved by running the rule matching function as a kernel module in kernel space: specifically, rule header matching is moved into the kernel, and a packet whose rule header does not match is immediately discarded there; only when the rule header matches is the packet copied to user space to match the rule options. This can greatly increase processing speed. This solution is challenging and will be our next step.