Similar literature
 20 similar documents found (search time: 15 ms)
1.
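Shao Jing, Chen Yue, Tan Pengxu. Computer Engineering and Design (《计算机工程与设计》), 2011, 32(7): 2260-2262, 2266
To address network congestion caused by source-address spoofing attacks and junk traffic, an architecture for validating IPv6 source addresses and network services is proposed. The architecture deploys a management server that securely manages keys and handles user requests. A legitimate user uses the host key obtained from the management server to generate a message authentication code and embeds it in a packet extension header; key routers verify this message authentication code to validate the legitimacy of the source address and the service. The architecture extends the authentic IPv6 source address validation architecture, validating host source addresses and network service legitimacy at the same time and effectively reducing junk traffic in the network.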

2.
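To solve the problem of receiver authentication in source-specific multicast, a receiver authentication scheme for source-specific multicast is proposed, based on a study of the authentic IPv6 source address validation architecture. The scheme adds an authentication function to the router directly connected to the host, which verifies the multicast authentication code of a multicast receiver, thereby validating the receiver's legitimacy and preventing theft of multicast service in the network. A multicast port list stored in the layer-3 switch is designed to solve access control for multicast receivers within the same LAN. Simulation experiments show that the scheme achieves receiver authentication with little impact on multicast efficiency.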

3.
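Research on IP address management techniques for a trustworthy Internet*   Total citations: 1, self-citations: 0, citations by others: 1
As the Internet's most important basic resource, IP addresses are broadly tied to the security and trustworthiness of the Internet. Research on IP address management, including IP address allocation, IP address configuration and source address validation, is key to building a trustworthy Internet environment. With the goal of building a trustworthy Internet, this paper discusses the research topics at the IP address management level, reviews recent research hotspots in IP address management and the origins of the related problems, analyzes the relevant technical solutions, and looks ahead to future research directions.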

4.
A new generation architecture of IP routers called massive parallel forwarding and switching (MPFS) is proposed, which is totally different from modern routers. The basic idea of MPFS is mapping the complicated forwarding process into a multilevel scalable switch fabric so as to implement packet forwarding in a pipelined and distributed way. This processing mechanism is named forwarding in switching (FIS). By interconnecting multi-stage, lower speed components, called forwarding and switching nodes (FSN), MPFS achieves better scalability in forwarding and switching performance just like MPP. We put emphasis upon the IPv6 lookup problem in MPFS and propose a method for partitioning the IPv6 FIB and mapping it to the switch fabric. Simulation and computation results suggest that MPFS routers can support line-speed forwarding with a million IPv6 prefixes at 40 Gbps. Finally, we also propose an implementation of a 160 Tbps core router based on the MPFS architecture.

5.
The forwarding address plays an important role in constructing a communication network. In this paper, a new forwarding address suitable for next generation networks named the vector address (VA) is proposed which is different from the forwarding address coding methods of current networks. The characteristics of the VA are analyzed. Complex network theory and a theoretical analysis method are introduced to study the average address length of the VA when used to construct a global network. Simulation experiments in a practical network topology model are carried out to validate the results. The results show that not only can the VA construct a simpler, more secure, and more scalable network, but it also can accommodate many more users than an Internet Protocol (IP) network with the same address length.

6.
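On the next generation network, the next generation Internet and their architectures   Total citations: 2, self-citations: 1, citations by others: 1
Zeng Huashen, Dou Jun. Journal of Computer Applications (《计算机应用》), 2007, 27(11): 2615-2618
This paper surveys international and domestic progress in research and standardization on the Next Generation Network (NGN) and the Next Generation Internet (NGI), and analyzes the strengths and weaknesses of each line of work. After discussing NGI research strategy, and building on the NGI architecture research of the Sichuan Network Communication Technology Key Laboratory, it briefly introduces the authors' proposed "Single physical layer User-data transfer and switching Platform Architecture" (SUPA) and "Ethernet-oriented Physical Frame Timeslot Switching" (EPFTS) technology, and discusses how these technologies can address the high-speed switching, quality-of-service guarantee and network security problems facing the Internet.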

7.
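Jia Yihao, Ren Gang, Liu Ying. Journal of Software (《软件学报》), 2018, 29(1): 176-195
The current Internet forwards packets based on destination address and does not validate source addresses, and the root of many Internet security problems lies in untrustworthy source addresses. Meanwhile, as the Internet grows in scale and complexity and its influence on political and economic interests deepens, the inter-domain routing system plays an increasingly critical role in the stable operation of the Internet. The US Department of Homeland Security has included inter-domain routing security in the US national strategy for information security. In recent years, distributed denial-of-service attacks that rely mainly on IP source address spoofing have repeatedly caused great damage to the security and availability of the Internet, with attacks spanning multiple administrative domains and countries being the most frequent. Building a source address validation defense system at the granularity of autonomous systems is therefore of great significance to Internet security. Although a variety of inter-domain source address validation techniques have been proposed in standards and research, there is still no technical solution suitable for large-scale deployment. This paper carefully reviews existing research and standardization progress on inter-domain source address validation. First, it analyzes the causes and consequences of the lack of source address security and, in light of the state of international standardization, points out the importance of inter-domain source address validation. Second, starting from the feature categories of inter-domain source address validation techniques, it summarizes in depth the technical principles, advantages and disadvantages of existing research results, analyzes in detail how the research has evolved, and on that basis identifies the difficulties these techniques currently face and their causes. Finally, it suggests possible future research directions and design principles for inter-domain source address validation, as a reference for subsequent research.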

8.
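To address network security problems, the security of IP addresses is studied systematically and the concept of an access router is proposed. On this basis, ideas and methods are proposed for IP validation in the access router and for validating the IPs of the LAN it governs, which fundamentally solves the problem of untrustworthy IP addresses, effectively defends against network security problems such as IP address spoofing and DoS attacks, and provides a sound mechanism for the relevant authorities to govern cyberspace and conduct investigations.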

9.
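With the development of the Internet, the shortcomings of the traditional TCP/IP-based Internet in security, management and other areas have gradually been exposed; although some remedial measures have been taken, they still fall short. The academic community widely feels that the security and management architecture of the next generation Internet needs to be redesigned in view of the defects of the current Internet architecture and future application requirements. To this end, this paper analyzes several major problems of the current Internet in security and management, summarizes, in light of related research, where academia agrees and disagrees on several fundamental issues, and looks ahead to further research directions.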

10.
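To mitigate DoS attacks against Web services, the core content of the Web Services Security (WSS) standard is studied. Based on the security token in WSS, a security token that guards against DoS attacks based on source address spoofing is designed and proposed, and the token is encrypted with the RSA algorithm. Experimental results show that the security token effectively mitigates Web service DoS attacks based on source address spoofing and improves the security of Web services.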

11.
Next Generation Network (NGN) is the architecture of the International Telecommunication Union-Telecommunication Standardization Sector (ITU-T in short) supporting the provisioning of Quality of Service (QoS)-guaranteed services over different packet transport technologies. Such capability derives from the effectiveness of a dynamic resource control performed by the Resource Admission Control Function (RACF) at service set-up. Control Plane (CP)-enabled connection-oriented transport networks can guarantee the QoS support for new bandwidth-greedy NGN services across the optical transport segment thanks to the ability of automatic path set-up and traffic segregation. But the Internet Engineering Task Force (IETF) standard for the CP in transport networks, i.e., the Generalized Multi-Protocol Label Switching (GMPLS) is not yet included within the NGN supported transport technologies. In this work, we outline architectural guidelines and design strategies for ITU-T RACF employment across GMPLS-controlled networks while providing a viable solution for dynamic resource control that takes into account operational issues for the integration of GMPLS capabilities within NGN architecture (i.e., supported interfaces, actual node capabilities). An NGN prototype implementing the proposed architectural enhancement is also presented as a proof of concept. The prototype highlights how the extended ITU-T NGN can set-up Multimedia over IP (MoIP) services using GMPLS-controlled transport objects.

12.
This paper explains how, in IP technology, networks are partitioned and applied through IP address planning.

13.
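To improve the efficiency and accuracy of tracing back the sources of distributed denial-of-service (DDoS) attacks, a new algorithm is proposed. Unlike the AMS (Advanced Marking Schemes) algorithm, it uses an IP address concatenation technique, redefines some fields of the IP packet header, and uses a new router address encoding format so that a single packet carries more router address information, improving the efficiency of path reconstruction and greatly reducing the false positive rate. Compared with the AMS algorithm, the new algorithm markedly improves IP traceback performance and reduces the false positive rate.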

14.
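A software system can be regarded as a complex system because it has many nodes, complex relationships among nodes, evolution over time, self-organized criticality and similar properties. In the field of software security, analysis of software architecture has long been a research focus. Software architecture has its own brittleness, which shows in cascading failures and even system collapse caused by internal component failure or external attack while the software system runs. This work treats the software system as a complex system for the first time and analyzes the brittleness of software architecture; for the "data abstraction and object-oriented" style of software architecture, it uses the ant colony algorithm and the GROD algorithm to identify the maximum collapse path and the brittleness source of the architecture. This provides theoretical and practical guidance for research on system design, monitoring and related aspects in the field of software security.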

15.
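In recent years, IP source address spoofing has frequently been used in network attacks, posing a great threat to Internet security. Inter-domain source address validation methods defend against such attacks by validating IP packets at the autonomous-system level. Academia has proposed evaluation metrics for these methods and designed many new methods according to them. However, although these methods score well on the metrics, none has been widely deployed by Internet service providers in practice. The reason is that existing metrics focus mainly on the security of the Internet as a whole and do not consider the individual interests of Internet service providers. Starting from the economic demands of Internet service providers, this paper is the first to study a deployability evaluation model for inter-domain source address validation methods. The authors propose deployment benefit, deployment cost and operational risk as the three basic metrics of deployability evaluation and give their formal definitions; prove theoretically that the metric system is sound; build an evaluation model with a complete quantitative evaluation method for each metric; use the evaluation of the deployment benefit of well-known existing inter-domain source address validation methods as an example to show the concrete process of applying the theoretical model to method evaluation, and analyze the evaluation results in depth. Finally, the authors discuss the relationship between a method's deployability and the overall security of the Internet, the optimization goals of method design, and how to apply the model to guide method design. The proposed evaluation model offers guidance for designing more easily deployable methods and helps promote the deployment of inter-domain source address validation methods on the Internet.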

16.
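A new ATM/IP address resolution architecture, NRS/HRS, is proposed and its working mechanism is described. Theoretical analysis and software simulation show that the resolution efficiency of NRS/HRS is considerably improved.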

17.
Despite the great success achieved by the Internet, it has been facing increasingly severe technical challenges that include address exhaustion, low-level network security and trustworthiness, weak quality-of-service control capability, limited bandwidth, and poor support toward mobility. In this paper we summarize the principal challenges facing the current Internet, introduce the research status of the future Internet, analyze the principal design goals of the new generation Internet evaluation methods and models of the present Internet architecture, introduce the research achievements made under the new generation Internet architecture in detail, and propose our next-step research priorities and perspectives in the face of an increasing number of innovative Internet applications.

18.
The appearance of some laws that make the electronic signature (e‐signature) legally equivalent to the handwritten signature (under some circumstances) has favoured its use in different fields, such as e‐commerce and e‐government. In these fields, the e‐signatures associated to some documents have to remain valid over long periods of time. For these kinds of e‐signatures, Advanced Electronic Signature (AdES) forms have appeared. These forms specify the information to include along with the e‐signature so that it remains valid for a long time after its creation. Basically, this information comprises signers' certificates, a set of certificates up to a trust anchor, certificate validation responses, etc. These data can be gathered by using different Public Key Infrastructure‐compliant protocols. However, the support of different protocols is complex for clients. XML Key Management Specification (XKMS) appeared with the aim of simplifying the certificate management, but it only supports a simple validation mechanism that does not provide the information needed for long‐term validation. As a solution to this problem, we have extended XKMS by defining an advanced certificate validation service to support the obtaining of validation data needed for different scenarios, such as the building of AdES forms or validation data registries. This extension also defines the different components needed to support this kind of a service. Furthermore, the defined service has been implemented and incorporated into an e‐government infrastructure. Copyright © 2010 John Wiley & Sons, Ltd.

19.
Networking research funding agencies in USA, Europe, Japan, and other countries are encouraging research on revolutionary networking architectures that may or may not be bound by the restrictions of the current TCP/IP based Internet. We present a comprehensive survey of such research projects and activities. The topics covered include various testbeds for experimentations for new architectures, new security mechanisms, content delivery mechanisms, management and control frameworks, service architectures, and routing mechanisms. Delay/disruption tolerant networks which allow communications even when complete end-to-end path is not available are also discussed.

20.
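Trustworthiness is an important feature of the next generation Internet, and authentic-address access is the basis and precondition of trustworthiness. Autonomous-system-level authentic-address access is the most complex layer of the whole trustworthy Internet architecture. Label-based source address validation is unaffected by topology and needs no special handling at intermediate nodes, making it an effective way to achieve inter-domain authentic-address access. However, in existing methods the trust alliance is too flat and uniform, so validation overhead grows sharply as the alliance grows, which affects and limits the scalability and filtering capability of the mechanism and makes incremental deployment difficult. To address this, this paper proposes a hierarchical, label-replacement-based inter-domain authentic source address validation method (Hidasav). By planning alliance levels sensibly and consolidating through clustering, the method builds a trust alliance architecture in which multiple levels coexist; by introducing alliance borders that perform lightweight label replacement, it isolates each level of alliance from the outside network, so that the internal network environments of lower-level and higher-level alliances are invisible to and unaffected by one another. Comparison with typical existing methods of the same kind in experiments in the real CNGI environment shows that the method effectively reduces the state machine storage, update and packet validation overhead of border routing devices while ensuring high-speed inter-domain communication.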
