
IPv6 network security protection system

Security protection and IPv6 network technology, applied in the field of network security, addressing the problems of failed integrity checks at the receiving end, increased communication traffic, and degraded router performance.

Active Publication Date: 2020-09-08
SHENZHEN POWER SUPPLY BUREAU

AI Technical Summary

Problems solved by technology

[0016] However, the SEND protocol still has some security flaws, and some security threats are even created by its own security extension functions: (1) Although CGA technology can provide identity authentication, it cannot guarantee the correctness of the IP address itself, and illegitimate nodes may generate their own public key and CGA address and add them to a SEND message. This is because the public key used by the CGA is not issued through a certificate; a PKI (Public Key Infrastructure)-based method would be more difficult to deploy and implement.
(2) Although legitimate nodes can sign SEND messages with the private key corresponding to the public key and thereby further assure the legitimacy of their identity, this also makes it easy for attackers to target the CGA address and RSA digital signature processes with denial-of-service attacks.
Likewise, because RSA digital signature generation and verification have higher computational complexity, an attacking node may also use them to mount a denial-of-service attack.
(3) On some insecure links, an attacking node can capture a SEND message and change the parameters in the CGA option, causing CGA verification to fail and thus preventing the legitimate node from communicating.
This results from IP packets being transmitted in plaintext on the network. The current solution is to protect end-to-end packet transmission with IPSec, but an attacker can still insert a false IPSec datagram, which fails the integrity check at the receiving end; when verification fails, the packet is discarded.
[0017] The above analysis shows that the SEND protocol protects its core functions through security extension functions such as CGA and RSA authentication, which can prevent man-in-the-middle attacks, redirection attacks and some denial-of-service attacks, but at the same time it introduces some denial-of-service attacks.
In addition, the defects caused by the complexity of the SEND protocol show up in the following two points: (1) Frequent generation and verification of CGAs and RSA digital signatures consume a large amount of storage and computing resources, which affects the performance of routers.
(2) The ADD (Authorization Delegation Discovery) process defined by the SEND protocol is based on the PKI mechanism and requires X.509 certificates to be deployed on the nodes. Because the ADD process verifies the legitimate identity of the router through certificate path verification, this will most likely involve a very long "trust chain": the end node must store all the certificates on the certificate path in order to verify the router at the other end. This process generates a large number of CPS and CPA messages, and transmitting the certificates and keys also increases communication traffic and consumes network bandwidth and computing resources.
[0018] To sum up, there are still some potential security threats in the protection that the SEND protocol provides for identity authentication and router verification. How to improve the security of the SEND protocol while making its operation more lightweight is the main research topic for the SEND protocol.
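Points (1) and (3) of paragraph [0016] can be seen in a simplified CGA check modelled on RFC 3972. This is an added example, not code from the patent; it assumes Sec=0, no extension fields and no RSA signature step, and the keys, modifiers and prefix are constructed placeholders.

```python
import hashlib
import ipaddress

MASK = 0x1CFFFFFFFFFFFFFF  # RFC 3972: Sec bits and u/g bits are ignored in Hash1
PREFIX = bytes.fromhex("20010db800000000")      # constructed: 2001:db8::/64
KEY_A = b"constructed-public-key-bytes-node-A"  # stand-in for a DER public key
KEY_B = b"constructed-public-key-bytes-node-B"  # a second, unrelated key

def hash1(modifier, prefix, coll, pubkey):
    """First 64 bits of SHA-1 over the CGA Parameters, masked as in RFC 3972."""
    data = modifier + prefix + bytes([coll]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big") & MASK

def cga_generate(prefix, pubkey, modifier):
    """Sec=0 generation: interface ID is Hash1 with Sec, u and g bits cleared."""
    iid = hash1(modifier, prefix, 0, pubkey)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def cga_verify(addr, modifier, prefix, coll, pubkey):
    """Receiver-side check of an address against the received CGA Parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    if coll not in (0, 1, 2) or raw[:8] != prefix:
        return False
    if hash1(modifier, prefix, coll, pubkey) != int.from_bytes(raw[8:], "big") & MASK:
        return False
    sec = raw[8] >> 5  # Sec is carried in the three leftmost interface-ID bits
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return h2[:2 * sec] == bytes(2 * sec)  # 16*Sec leading zero bits required

def demo():
    mod_a, mod_b = bytes(range(16)), bytes(range(16, 32))  # constructed modifiers
    addr_a = cga_generate(PREFIX, KEY_A, mod_a)
    addr_b = cga_generate(PREFIX, KEY_B, mod_b)
    flipped = bytes([mod_a[0] ^ 0x01]) + mod_a[1:]  # one bit changed in transit
    return {
        # Any key holder obtains a verifying CGA: no certificate is involved.
        "a_valid": cga_verify(addr_a, mod_a, PREFIX, 0, KEY_A),
        "b_valid": cga_verify(addr_b, mod_b, PREFIX, 0, KEY_B),
        # The address is bound to its own key only.
        "a_with_key_b": cga_verify(addr_a, mod_a, PREFIX, 0, KEY_B),
        # An altered CGA option makes a legitimate node's message fail.
        "a_modifier_changed": cga_verify(addr_a, flipped, PREFIX, 0, KEY_A),
    }

if __name__ == "__main__":
    print(demo())
```

Both self-generated addresses verify, which is why a CGA alone says nothing about whether the node is authorized, and a single changed bit in the parameters is enough for the receiver to reject the message.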


Embodiment Construction

[0066] In order to make the object, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.

[0067] Figure 3 is a schematic diagram of an embodiment of an IPv6 network security protection system provided by the present invention. In this embodiment, the system includes:

[0068] A static security protection module 21 and a dynamic security operation module 22, interconnected through an IPv6 network;

[0069] As shown in Figure 4, the static security protection module 21 is used to isolate and control each unit or module through the IPv6 network, and to adjust corresponding security specifications and control measures to monitor the static security information of the IPv6 network;

[0070] Specifically, the static security protection module 21 includes a control unit 211, a business unit 212, and a management unit 213 connected to each other ...


Abstract

The invention provides an IPv6 network security protection system comprising a static security protection module and a dynamic security operation module connected with each other through an IPv6 network. The static security protection module is used for carrying out isolation control on each unit or module through the IPv6 network, and for adjusting corresponding security specifications and control measures to monitor static security information of the IPv6 network. The dynamic security operation module is used for discovering and managing network security risks through security detection and matching of the corresponding security infrastructure, a security organization unit, a security strategy unit and a security technology unit, and for carrying out security protection on a terminal network through the IPv6 network. The isolation of three planes is logically realized; the intranet security of an enterprise is enhanced; the fault reporting transition period is safe; DNS security protection of fault reporting in an IPv4 network environment provides support for the IPv6 protocol; and network security risks and transition technology security risks are effectively controlled and prevented.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to an IPv6 network security protection system.

Background technique

[0002] Although IPv6 technology solves the current shortage of IP addresses, it also brings new changes and challenges to the network security protection of power grid companies. Due to the huge address space, IPv6 has natural advantages in dealing with some security attacks, and improves network security in terms of traceability, anti-hacker sniffing capabilities, neighbor discovery protocol, secure neighbor discovery protocol, and end-to-end IPSec secure transmission capabilities.

[0003] However, under the IPv6 network, new security issues will follow. For example, automatic scanning for security detection will become more and more difficult, user privacy will be exposed more easily, Internet exposure will also increase, and the IP address intelligence database will be difficult to be effective. T...


Application Information

IPC(8): H04L29/06, H04L29/12, H04L9/32
CPC: H04L63/1425, H04L63/101, H04L63/0869, H04L63/1458, H04L63/20, H04L9/3249, H04L61/4511, H04L61/5014, H04L2101/659
Inventor: 黄萍刘昕林刘威
Owner: SHENZHEN POWER SUPPLY BUREAU