Authors: 张博文 ZHANG Bowen [1]; 李冬 LI Dong; 赵贻竹 ZHAO Yizhu [1]; 于俊清 YU Junqing [1,2] (School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China; Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China)
Affiliations: [1] School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074; [2] Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074
Source: 《信息网络安全》 Netinfo Security, 2024, No. 1, pp. 113-120 (8 pages)
Funding: National Key R&D Program of China [2020YFB1805601]; China University Industry-University-Research Innovation Fund [2021FNA02005].
Abstract: Cloud networking can rapidly deploy and configure virtual network resources on a cloud platform according to different business scenarios, and is an important guarantee of performance and security in the modern data center. However, the IPv4 support in traditional cloud network architectures is limited and cannot provide transparent end-to-end transmission; the multi-tenant nature of the cloud makes it very difficult for cloud administrators to manage and constrain traffic on tenant subnets; and bolt-on security solutions lack the ability to trace traffic back to individual tenants, so attacks cannot be restricted at their source. IPv6 has a large address space, strong addressing capability and high security. Guided by the endogenous security concept and centred on IPv6 addresses, this paper proposes an IPv6 address driven endogenous security mechanism for cloud networks, consisting of an address generation layer, an address verification layer and an address utilization layer. The address generation layer, built on a symmetric encryption algorithm, embeds tenant identity information into the lower 64 bits of the IPv6 address, modifies the DHCPv6 address allocation strategy, and is implemented on OpenStack Neutron. The address verification layer designs and implements a dynamic source address validation method for cloud networks, with targeted state transition methods and security policies for different sets of port states. The address utilization layer exploits the properties of real (verified) IPv6 addresses to implement a packet tracing mechanism and an access control policy based on IPv6 addresses.
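The generation and utilization layers described in the abstract, as an added illustration that is not the paper's own code: the tenant identity is embedded in the lower 64 bits (interface identifier) of an IPv6 address through a keyed, reversible transformation, and later recovered from a packet's source address for tracing and per-port access control. The 64-bit Feistel construction with HMAC-SHA256 round functions, the field layout (24-bit tenant id, 16-bit sequence number, 24-bit check tag) and the demo key are assumptions made for this example; the paper's actual cipher and layout are not given on this page.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a deployment would use a secret held by the cloud controller.
PLATFORM_KEY = b"demo-key-do-not-use-in-production"
ROUNDS = 4  # Feistel rounds over the 64-bit interface identifier (assumed construction)

def _round(key: bytes, i: int, half: int) -> int:
    """Keyed round function: first 32 bits of HMAC-SHA256 over (round index, half)."""
    mac = hmac.new(key, struct.pack(">BI", i, half), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]

def _feistel64(key: bytes, block: int, decrypt: bool = False) -> int:
    """Reversible keyed permutation of a 64-bit block; decrypt runs the rounds backwards."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for i in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = right ^ _round(key, i, left), left
        else:
            left, right = right, left ^ _round(key, i, right)
    return (left << 32) | right

def make_address(key: bytes, prefix: str, tenant_id: int, seq: int) -> str:
    """Address generation layer: IID = E_key(tenant_id(24) | seq(16) | tag(24))."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("tenant subnet must be a /64")
    body = tenant_id.to_bytes(3, "big") + seq.to_bytes(2, "big")
    tag = hmac.new(key, b"tag" + body, hashlib.sha256).digest()[:3]  # integrity check
    iid = _feistel64(key, int.from_bytes(body + tag, "big"))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def trace_address(key: bytes, addr: str):
    """Address utilization layer: recover (tenant_id, seq) from a source address,
    or None when the address was not issued by the platform (tag mismatch)."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    plain = _feistel64(key, iid, decrypt=True).to_bytes(8, "big")
    body, tag = plain[:5], plain[5:]
    expect = hmac.new(key, b"tag" + body, hashlib.sha256).digest()[:3]
    if not hmac.compare_digest(tag, expect):
        return None
    return int.from_bytes(body[:3], "big"), int.from_bytes(body[3:], "big")

def allow_packet(key: bytes, src: str, port_tenant: int) -> bool:
    """Per-port access control: the source must decode to the tenant that owns the port."""
    traced = trace_address(key, src)
    return traced is not None and traced[0] == port_tenant
```

A hand-configured or spoofed address decodes to a random plaintext whose tag does not verify, so the controller can both refuse it at the port and attribute genuine traffic to a tenant without any external lookup.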
Keywords: cloud network; endogenous security; source address validation; address generation; IPv6
Classification: TP309 [Automation and Computer Technology - Computer System Architecture]