
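The Design of Firewall Based on IPv6
Cite this article: WANG Chang-jie, QIN Hao, WANG Yu-Min. The Design of Firewall Based on IPv6 [J]. Chinese Journal of Computers, 2001, 24(2): 219-223.
Authors: WANG Chang-jie, QIN Hao, WANG Yu-Min
Affiliation: Xidian University
Funding: Supported by the National Natural Science Foundation of China, Key Project (199310 10)
Abstract: IPv6 is the next-generation IP protocol. Its introduction resolves some of the security problems of the existing protocol: it can support authentication and encryption of every packet at the network layer, and its adoption will affect existing firewall mechanisms. This paper presents the design of a firewall based on the IPv6 protocol and improves three common types of firewall systems. In addition to the packet filtering and application proxy functions of current firewall systems, the improved systems can authenticate the source address of IP datagrams, verify the integrity of packet contents, and encrypt and decrypt packets.

Keywords: firewall; packet filtering router; IPv6 protocol; router; computer network; design
Revised: October 18, 1999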

The Design of Firewall Based on IPv6
WANG Chang-jie,QIN Hao,WANG Yu-Min.The Design of Firewall Based on IPv6[J].Chinese Journal of Computers,2001,24(2):219-223.
Authors:WANG Chang-jie  QIN Hao  WANG Yu-Min
Abstract: With the development of computer science and the popularization of the Internet, security has become one of the primary concerns when an organization connects its private network to the Internet. Regardless of the business, an increasing number of users on private networks are demanding access to Internet services such as the WWW, Internet mail, and FTP. In addition, corporations want to offer WWW home pages and FTP servers for public access on the Internet. To support these applications securely, building a firewall system between the private network and the Internet is a recommended approach. At the same time, IPv6 (Internet Protocol version 6) has been proposed to solve security problems that exist in the current IP protocol, for example by providing authentication and encryption for every packet at the network layer. However, the adoption of IPv6 will also affect the security of current firewall mechanisms. A simple example: a malicious external host can establish a connection with an internal computer using tunnel-mode ESP without being discovered by a normal firewall. In this paper, we give a framework for designing a firewall system based on IPv6. Furthermore, we propose improvements to three kinds of firewall systems (i.e., the packet filtering router, the screened host firewall system, and the screened subnet firewall system). With our improvements, the packet filtering router system can perform simple authentication of IPv6 packets. The screened host firewall system can perform not only the functions of existing firewall systems, such as packet filtering and application proxying, but also authentication of the source address of the IP packet, integrity checking of data, and packet confidentiality. The screened subnet firewall system will implement the security requirements of the internal network.
Keywords: firewall; packet filter router; bastion host