An IPv6 network security protection system

A security protection and IPv6 network technology, applied in the field of network security, that can solve problems such as the consumption of network bandwidth and computing resources, integrity verification failures at the receiving end, and denial-of-service attacks.

Active Publication Date: 2022-07-26
SHENZHEN POWER SUPPLY BUREAU

AI Technical Summary

Problems solved by technology

[0016] However, the SEND protocol still has security flaws, and some security threats are even introduced by its own security extension functions: (1) Although CGA technology provides identity authentication, it cannot guarantee the correctness of the IP address itself: an illegitimate node can generate its own public key and CGA address and add them to SEND messages. This is because the public key used by the CGA is not issued through a certificate; a PKI (Public Key Infrastructure)-based method would be more difficult to deploy and implement.
(2) Although a legitimate node can sign SEND messages with the private key corresponding to its public key and so further establish the legitimacy of its identity, this also makes it easy for attackers to target the CGA address and RSA digital signature processes with denial-of-service attacks.
Because RSA digital signature generation and verification have high computational complexity, an attacking node can also use them to mount a denial-of-service attack.
(3) On some insecure links, an attacking node can capture a SEND message and change the parameters in the CGA option, causing CGA verification to fail and thus preventing the legitimate node from communicating.
This is caused by the plaintext transmission of IP packets in the network. The current solution is to protect end-to-end packet transmission with IPSec, but an attacker can still insert forged IPSec datagrams, which fail integrity verification at the receiving end and are discarded.
[0017] The above analysis shows that the SEND protocol protects its core functions through security extension functions such as CGA and RSA authentication, which can prevent man-in-the-middle attacks, redirection attacks and some denial-of-service attacks, but at the same time introduces some denial-of-service attacks of its own.
In addition, the defects caused by the complexity of the SEND protocol show up in the following two points: (1) Frequent generation and verification of CGA and RSA digital signatures consumes a large amount of storage and computing resources, which affects the performance of routers.
(2) The ADD (Authorization Delegation Discovery) process defined by the SEND protocol is based on the PKI mechanism and requires X.509 certificates to be deployed on the nodes. Because the ADD process verifies the legitimate identity of the router through certificate path verification, this will most likely involve a very long "trust chain": the end node must store all the certificates on the certificate path in order to verify the router at the other end. This process generates a large number of CPS and CPA messages, and transmitting certificates and keys adds further communication traffic and consumes network bandwidth and computing resources.
[0018] To sum up, there are still some potential security threats in the protection that the SEND protocol provides for identity authentication and router verification. How to improve the security of the SEND protocol while making its operation more lightweight is the main research question for the SEND protocol.
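
The following Python sketch is an added example, not part of the patent text: it implements the CGA generation and verification hashes defined in RFC 3972, restricted to Sec=0, to illustrate points (1) and (3) of paragraph [0016]. The prefix, the modifier and the byte strings standing in for DER-encoded public keys are constructed sample values.

```python
import hashlib
import ipaddress

# Bits compared between Hash1 and the interface ID: everything except the
# three Sec bits (0-2) and the u/g bits (6-7), per RFC 3972.
MASK = 0x1CFFFFFFFFFFFFFF

def cga_params(modifier, prefix, collision_count, pubkey):
    """CGA Parameters: modifier(16) | prefix(8) | count(1) | public key."""
    return modifier + prefix + bytes([collision_count]) + pubkey

def cga_generate(prefix, pubkey, modifier):
    """Derive a Sec=0 address (no Hash2 search, collision count 0)."""
    hash1 = hashlib.sha1(cga_params(modifier, prefix, 0, pubkey)).digest()[:8]
    iid = int.from_bytes(hash1, "big") & MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def cga_verify(address, modifier, prefix, collision_count, pubkey):
    """Hash-only receiver check; it never consults a certificate."""
    addr = ipaddress.IPv6Address(address).packed
    if collision_count not in (0, 1, 2) or addr[:8] != prefix:
        return False
    params = cga_params(modifier, prefix, collision_count, pubkey)
    hash1 = int.from_bytes(hashlib.sha1(params).digest()[:8], "big")
    iid = int.from_bytes(addr[8:], "big")
    if (hash1 & MASK) != (iid & MASK):
        return False
    sec = iid >> 61  # Sec is carried in the top three bits of the interface ID
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0

def demo():
    prefix = bytes.fromhex("20010db800000001")   # constructed: 2001:db8:0:1::/64
    modifier = bytes(range(16))                  # constructed modifier
    key_a = b"constructed-key-of-node-A"         # stand-ins for DER public keys
    key_b = b"constructed-key-of-node-B"
    addr_a = cga_generate(prefix, key_a, modifier)
    addr_b = cga_generate(prefix, key_b, modifier)
    altered = bytes([modifier[0] ^ 1]) + modifier[1:]
    return {
        "node_a": cga_verify(addr_a, modifier, prefix, 0, key_a),
        "node_b_self_generated": cga_verify(addr_b, modifier, prefix, 0, key_b),
        "modifier_altered_in_transit": cga_verify(addr_a, altered, prefix, 0, key_a),
        "key_swapped": cga_verify(addr_a, modifier, prefix, 0, key_b),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'fail'}")
```

Both self-generated addresses verify, which is point (1): the check binds an address to a key but says nothing about who holds the key. The check costs two SHA-1 computations, so a receiver can run it before the more expensive RSA signature verification.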


Embodiment Construction

[0066] In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings.

[0067] As shown in Figure 3, which is a schematic diagram of an embodiment of the IPv6 network security protection system provided by the present invention, the system in this embodiment includes:

[0068] a static security protection module 21 and a dynamic security operation module 22 interconnected through an IPv6 network.

[0069] As shown in Figure 4, the static security protection module 21 is used to isolate and control each unit or module through the IPv6 network and to adjust the corresponding security specifications and control measures to monitor the static security information of the IPv6 network;

[0070] Specifically, the static security protection module 21 includes a control unit 211, a service unit 212, and a management unit 213 interconnected through t...


Abstract

The present invention provides an IPv6 network security protection system, including a static security protection module and a dynamic security operation module interconnected through an IPv6 network. The static security protection module is used to isolate and control each unit or module through the IPv6 network and to adjust the corresponding security specifications and control measures to monitor the static security information of the IPv6 network. The dynamic security operation module is used to discover and manage network security risks through security detection and the cooperation of the corresponding security infrastructure, security organization unit, security policy unit and security technology unit, and to provide security protection to the terminal network through the IPv6 network. The present invention also logically isolates the three planes, strengthens the security of the enterprise intranet, and reports security risks in the transition period and security risks of transition technologies.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to an IPv6 network security protection system.

Background technique

[0002] Although IPv6 technology solves the current shortage of IP addresses, it also brings new changes and challenges to the network security protection of power grid companies. Due to the huge address space, IPv6 has natural advantages in dealing with some security attacks, and improves network security in terms of traceability, anti-hacker sniffing capability, neighbor discovery protocol, secure neighbor discovery protocol, and end-to-end IPSec secure transmission capability.

[0003] However, under the IPv6 network, new security issues also follow. For example, automatic scanning for security detection will become more and more difficult, user privacy is more likely to be exposed, the exposure of the Internet is also increasing, and the IP address intelligence database is also difficult to be effec...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): H04L9/40, H04L61/4511, H04L61/5014, H04L9/32, H04L101/659
CPC H04L63/1425, H04L63/101, H04L63/0869, H04L63/1458, H04L63/20, H04L9/3249, H04L61/4511, H04L61/5014, H04L2101/659
Inventor 黄萍刘昕林刘威
Owner SHENZHEN POWER SUPPLY BUREAU