您的当前位置：首页 ipv6sec

ipv6sec

来源：尚车旅游网

AppliedIPv6Security

Version0.8.923.Nov2002DominikSchnitzer1

ThisarticlegivesashortintroductiontotheIPv6protocol,usedforthenextgenerationInternet,andanoverviewofitssecurityfeatures.IP-Secguaran-teeingEncryptionanddataAuthenticityisarequiredpartofthenewprotocolstack.InadditiontothisintroductiontoIPv6-SecthearticlepinpointsweakanddangerousIP-Secconﬁgurationsandshowshowtosecurelydoittherightway.ItcloseswithaconcisehowtodescribinginthreestepshowtogetonlineinthealreadyheavilydeployedIPv6Internet,the6Bone,andstartexperimentingyourself.

Contents

1Introduction

2IPv6Essentials

2.1AddressNotation.........................2.2AddressTypes..........................2.3HeaderStructure.....

....................2.3.1ExtensionHeaders

....................

3IPv6Security

3.1InternetThreats..........................3.2IP-SecArchitecture...........

.............3.2.1SecurityAssociations(SAs)...............3.2.2Authentication......................3.2.3Encryption........................3.2.4AuthenticationandEncryption.............3.3PuttingitTogether........................3.4CurrentImplementations.....................3.5OpenProblems..........................3.6Conclusion.............................

4GettingStarted

223345556679111112121313

1Introduction

ThisdocumentfocusesonthenextgenerationInternetprotocol(IPv6)andthesecuritymechanismsitimplements.InsomeyearsIPv6willfullyreplacethecurrentIPv4basedInternetandit’ssubnetworks.SomesaythiswillhappensoonbecauseofIPaddressspacerunningout,otherssaythenewfeatures,likeIPv6’sextrememobility,simplenodeconﬁgurationorgoodsupportforadditionalextensionswillﬁnallybethedeadofIPv4andriseofIPv6.IPv6essentialsarethecontenttheﬁrstpartofthisarticle,sketchingtheprotocolbasicsandgivingyouasneakpreviewhowthenextgenerationInternetlookslike.

BesidesthecoolIPv6featureslistedabove,anIPv6networkstackalsore-quiresafullimplementationofIPSecurityfeatures.ThatmeansthateveryparticipantintheIPv6Internethasthepossibilitytoencryptandsignit’snetworktraﬃc,generallyandintheorymakingmakingallcurrentlydeployedinsecureInternetservicessecure!Iftherewasn’ttheproblemofanonexist-ingPublicKeyInfrastructure(PKI).IP-SecisasaprotocolalreadyavailableanddeployedforonIPv4networksanddidwellinprovidingsecurityinex-istingIPv4networksusingit.InIPv4IP-Secisjustanoptionaladdon,youcanorcannotinstallanduse.Inthesecondandmoreindepthgoingpartofthisarticle,thefunctioningofIP-Secandit’sintegrationintheIPv6stackispicturedandthediﬀerentwaysofusingIPv6securityfeaturestose-cureyourInternetbusinessareworkedout:authentication,typesofnetworktunneling,encryptionandchoosingtheappropriateandmostsecuresolutionfordiﬀerenttasks.ThesecondpartalsodetailsasecurityanalysisofIP-SecespeciallycommentingonpossibledangersofthecomplexityoftheIP-Secstandard.Anoutlook,showinghowtoIPv6connectandstartexperimentingtoday,ﬁnalizesthearticle.

2IPv6Essentials

Manythingsinacomputerslifechangefast,usuallyindicatingthatthingsneedimprovementorarejustoutdatedandold.Ontheotherhandotherthings,unnoticedlikethebeloved1.44MBﬂoppy[4]diskwhichdebuted1984,justworkforyearsandyears.

TheIPv4networkprotocolisalsoamongthoseworkingthings.It’sinuseforover15yearsnowandemergedtothemostwidelyusednetworkprotocolintheworld.Weallknowhowtoconﬁgure,useitandﬁndnetworkerrorswithit.SowhywouldonewanttoreplaceandupdateIPv4?

IPv4surviveduntiltodaymainlybecauseofit’ssimplicityandextremeex-tensibility.TokeeptrackwiththenewrequirementsfortheworldwideInter-net,IPv4wasextendedwithnewoptionalfeaturesoften,justtakelikeNAT(NameAddressTranslation)orIP-Secasanexample.ButonelimitationofIPv4couldnotbeworkedout:IPv4addressesare32Bit,andthereforehaveforthecurrentInternetaverylimitedaddressrange.FirstconcernsabouttheInternetandit’sIPaddressshortagewereraisedinamemo1992[1].TheIETFevendatedtheInternetdayofdoominMarch1994.EightyearsafterwestilluseIPv4,sincelastminutetweakslikeNATandnewroutingprotocolsapparentlyprolongedthelifeofIPv4alasttime.

NowhavinglearnedfromtheproblemsoccurringwithIPv4deploymentandtryingtoforeseetheupcominggrowthoftheInternet,anewheavilyex-tendedandimprovedIPstandardwascreated:IPv6–capableofaddressing1Trillionhostsand1Billiondiﬀerentnetworks[5],shouldmakeIPv6alongusedstandard.

2.1AddressNotation

IPv6addressesare128Bit,sointhecurrentlyknownnotationanIPaddresswouldlooklike:

2.128.0.0.0.0.0.0.2.2.179.255.2.31.131.41

noteasilyrememberedbyahuman.Sothehexadecimalrepresentationwaschosen–dividingtheaddressintoeight16Bitblocks.Inadditiontothatleadingzeroesina16Bitblockcanbeskipped:FF80:0000:0000:0000:0202:B3FF:FE1E:8329FF80:0:0:0:202:B3FF:FE1E:8329

Youcanalsoreplaceasetofrepeatedzeroesbyadoublecolon,whichwouldmakeatypicalIPv6addresslooklikethis:FF80::202:B3FF:FE1E:8329

2.2AddressTypes

IPv6hasthreediﬀerenttypesofaddresses[5],introducinganewtypeofaddressandobsoletingtheIPv4broadcastaddress:

1.UnicastAddressesThistypeofaddressuniquelyidentiﬁesaninterfaceonanIPv6node.PacketssenttoanUnicastinterfacearedeliveredtothisveryinterface.2.MulticastAddressesidentifyagroupofaddresses.Whensendingpack-etstoaMulticastaddress,everyinterfaceconﬁguredwiththisMulti-castaddressreceivesthepackage.ForexamplethepredeﬁnedMulti-castaddressFF05::101specifyallNTPtimeserversonthesamesiteasthesender.Multicastaddressesarealsousedasabroadcastaddress,knownfromIPv4.3.AnycastAddressesGroupsofhostsareconﬁguredwithanAnycastad-dress.WhensendingapackagetoanAnycastaddress,onlyonehostoftheAnycastgroup,thenearestone,receivesthepackage.AnAnycastaddressalreadyinuseistheaddress::192.88.99.1,specifyingyournearestIPv6toIPv4router(basicallyanIPv4nodeactingasanentrypointtotheIPv6Internet).

2.3HeaderStructure

TheexactheaderstructureinIPv6packagesisspeciﬁedintheRFC2460[2].TheheaderinformationofanIPv6packagehasaﬁxedlengthof40Bytes.ToaddextendedheaderinformationtoapackageIPv6usesthesocalledextensionheaders.BesidesIPv6obsoletedmanyspecialIPv4caseslikeactivefragmentationofpackages,inthespiritofsimplicity.SinceasourceanddestinationaddressinIPv6take2x16Bytes,only8Bytesareleftforadditionalpackageheaderinformation.ThefollowingﬁeldscharacterizeastandardIPv6header[5]:

󰂈Version,4Bits:TheVersionoftheprotocol(6)

󰂈TraﬃcClass,1Byte:Usedtosetprioritiestothepackages,toprivilegecertaindatapackageslikevoiceorvideostreampackages.

󰂈FlowLabel,20Bits:InformationforrouterstohelpingthemidentifyingIPv6packagesthatbelongtogether.Enablesfasterprocessingofdata.󰂈PayloadLength,2Bytes:SizeofdatafollowingtheIPv6header󰂈NextHeader,1Byte:AnidentiﬁcationbyteforeventualfollowingsubheadersintheIPv6headerchain.IPv6usesheaderchains(extensionheaders)tointegrateotherIPextensionslikesecurity,authenticationorroutingheaders.

󰂈HopLimit,1Byte:Numberofmaximumhops.Everytimethepackagepassesarouter,therouterhastodecrementthisvalue.IfHopLimitgetszero,thepackageisdiscardedandanICMPerrormessageissentbacktothesender.

󰂈SourceandDestinationAddress,32Bytes2.3.1

ExtensionHeaders

Atthetimeofthiswriting,IPv6deﬁnessixdiﬀerentextensionheaders[6]:Hop-by-Hopoptionsheader,Routingheader,Fragmentheader,Destina-tionOptionsheader,AuthenticationheaderandEncryptedSecurityPayloadheader.Asyoumayhavenoticed,thelasttwoextensionheadersalreadyindicatewhereencryptionandsecuritymechanismsinIPv6havebeenim-plemented.

3IPv6Security

Duringthelastyearsitbecameclear,thatgoodandstandardizedsecuritymechanismswillbetherequirementforthefurthersuccessoftheInternet.ForthenetworkingexpertsitwasverysurprisingthattheInternetwithallit’sinheritedinsecuritiesbecameasubstantialandanimportantfactorinrealworld/realmoneybusiness.Manysecuritymechanismshadtobeim-plementedtoensuresecurityforimportantdatatransfersviatheInternet.SSLonbaseoftheHTTPprotocolorSSHasareplacementfortheinsecuretelnetservicearethemostfamousexamplesofsecurityaddonswhichwereinventedtomakeinsecureservicesusableagain.Allofthesesecuritymech-anismshaveonethingincommon,theyareimplementedontheApplicationLayer–writtenforaspecialkindofapplication,usingaspecialmoreorlesssecureencryptionorauthenticationmethod.

IP-Sectakesadiﬀerentapproachinimplementingsecurity.Itimplementssecurityontopofthenetworklayer,thusenablingallservicesworkingontopofIPtoautomaticallyuseit’ssecuritymechanisms.

3.1InternetThreats

Hereisalist[5]ofthethreediﬀerentarchetypesofattacksonnetworkedservices.ItwouldbeniceiftheuseofIP-Seccouldpreventallofthem.Thefollowingchapterswillcomebacktothesethreatsandre-analyzethemregardingIP-SecandIPv6.

󰂈DisruptionofServiceorDenialofServiceattacks.Thiskindofat-tackstopsservicesfromrunningnormalbystopping,overloadingorsimplydestroyingthem.Theyareeasilydetectedcausetheyhaveanimmediateandnoticeableimpact.

󰂈Fabrication,ModiﬁcationorDeletionofInformationTheseattacksarenoteasilydetectedandarecharacterizedbyinﬁltratingfalseinforma-tioninpaymentsystems,emailoranyothertrustedcommunication.󰂈ElectronicEavesdroppingPassiveattackslikethisareusuallyimpos-sibletodetectandinahugenetworkliketheInternetimpossibletoprevent.AttackslikeSniﬃngIPtraﬃc,ortogiveamoreobviousexam-ple,simplysilentlyduplicatingandstoringallpagessenttoaprinter,fallinthiscategoryofattacks.

HowcanIP-Secbeusedtopreventorcomplicateattackslikethis?Canitpreventthoseattacksatall?

3.2IP-SecArchitecture

TheIPSecurityframeworkhasbeenstandardizedbytheIETFinalargeeﬀort.Thewholestandardisstillunderdevelopment,andcitingtheoﬃcialprogressdocument,theIP-SecstandardwillbereadyinDecember2002.Theprogressdocumentisopenlyavailableathttp://www.ietf.org/html.charters/ipsec-charter.html.3.2.1

SecurityAssociations(SAs)

TheSecurityAssociationistheinternalbaseconstructofIP-Sec[6].ForeachconnectionaSAspeciﬁesthecommunicationmodetobeused.Forexample,let’sassumeanIP-Secdatapackagecomesin,nowtherecipientofthispack-ageuses¡protocol,source-IP,sourceport,destination-IP,destinationport¿asakeytolookupthematchingSAassociatedwiththisveryconnection.Se-curityAssociationsarestoredinthesocalledSecurityAssociationDatabase(SADB).Staticsystemwidesecuritypolicies,explicitlytellingasystemtousecertainSAwhenaconnectionoccursarestoredintheSecurityPolicyDatabase(SPD)andcanbeadoptedbythesystemadministrator.Forin-stanceinMicrosoftWindowstheservicemanagingallthesesecurityrulesetsiscalled”IP-SecPolicyAgent”.IntheLinuxIP-SecFree/SWANpackageSAsaremanagedbythespicommand.

ThesearethemostimportantparameterswhichspecifyaSecurityAssocia-tion[5]:

󰂈TheSecurityParameterIndex(SPI)󰂈ThedesiredIP-Secservice(AHorESP)󰂈Thetransmissionmode(Tunnel/Transport)󰂈SourceandDestinationaddress󰂈Usedauthentication/encryptionmethod󰂈UsedKeys

EstablishingSAswithanotherhostisdonebyusingtheIKE(InternetKeyExchange)protocoldiscussedlater.3.2.2

Authentication

KnowinghowsecurityismanagedinIP-Secwenowrequestauthenticityforourpackages,meaningwewanttobecertainthatwereceiveadatapackageunmodiﬁedandfromtheverycomputerwerequestedit.ToensureauthenticityIP-Secaddsanewextensionheadertotheheaderchain:theAuthenticationHeader(AH).Thisheaderaddscryptographicinformationtothedatapackage,sothesenderofthedatapackagecanclearlybeveriﬁed.TheAuthenticationExtensionheaderincludesthefollowinginformationalﬁeldsinthedatapackage[5]:

󰂈NextHeader,1Byte:Likeeveryextensionheaderthisparameterspec-iﬁesthenextIPv6headertocomeaftertheAH.

󰂈LengthofPayload,1Byte:Describeshowmany32BitﬁeldsfollowtheSPIﬁeld,necessarybecausediﬀerentauthenticationalgorithmsareallowed.

󰂈Reserved,2Bytes:notusedyet,zeroeddata

󰂈SecurityParameterIndex(SPI),4Bytes:Indicatesthechecksumalgo-rithmused.Currentlytwodiﬀerentchecksumalgorithmsarerequiredtobeimplemented:HMAC-MD5-96andHMAC-SHA-1-96.HMACisaamechanismformessageauthenticationusingcryptographichashfunc-tions.ItisusedincombinationwithMD5andSHA-1orotheriterativecryptographichashfunction.

󰂈SequenceNumber,4Bytes:Thesequencenumberistheretopreventreplayattacks.Theknownlimitationofthisreplayattackpreventionnumberisthatconnectionsusingmorethan232packetscantheoreti-callybecompromised.

󰂈AuthenticationData,VariableByteLength:acryptographicallysecurechecksumoverthepayloadandsomeheaderﬁeldsoftheIPandexten-sionheaders.

BasicallythereexisttwomodesofAuthenticatingadatapackage:

1.PayloadAuthentication:InthisModeonlythecarrieddataplussomeIPheadersaresignedandtherebyauthenticated.ThisusuallyhappensinthesocalledTransportMode.Figure1illustratesthisbehavior.Allsignedheaderinformationisﬁlledwithdarkgraycolor.

Figure1:TransportModeAuthenticationheader(darkgray=authenticateddata)

2.HeaderandPayloadAuthentication:ThisauthenticationmodesignsthewholeIPpacket.Toachievethis,thewholeoriginaldatapackagehastobesignedandencapsulatedinanewIPpackage.ThismodeiscalledtheTunnelMode,comingfromthefact,thattheoriginalIPpackageistransferredtunneledinanewpackage.Figure2showstheauthenticateddatainthismode.ByusingIPauthenticatedtraﬃc,onecanpreventthatanattackercanin-ﬁltratehisspoofedpackagesinthecommunication.Moreoverevenreplayattackscanbeprevented,renderingovertakingofsessionsbyalisteningattackerimpossible.AuthenticatedIPtraﬃcisforexamplesuﬃcientforex-changingpublic,wellknowninformationlikeroutingtraﬃc.Butit’stotallyinsuﬃcientfortransmittingimportantdata,sinceitstillcanbereadbyaneavesdropper.

Figure2:TunnelModeAuthenticationheader(darkgray=authenticateddata)3.2.3

Encryption

AnotherextensionheaderinIPv6,namelytheEncryptionSecurityPayload(ESP)extensionheader,ﬁnallyaddsencryptiontothetransmittedpackage.TypicalapplicationswhichthencouldusethisencryptionareFTP,telnetormailsending/retrievingsessions.Makingallthenamedservicessecurewithouttheneedofchangingtheprotocol.TheESPextensionheaderhasthefollowingrequiredﬁelds[6]:

󰂈SecurityParameterIndex(SPI),4Bytes:Theencryptionalgorithmused

󰂈SequenceNumber,4Bytes:Preventsattacksrelyingonreplayingtraﬃc󰂈PayloadData,VariableByteLength:Theencrypteddata.

IPv6IP-Secrequiresoneencryptionalgorithmtobeavailableoneverysys-temimplementingIPv6:DES-CBC(DataEncryptionStandardinCypherBlockChainingmode).DESoperateswithakeylengthof56Bitandisnotrecommendedtobeusedanymore.Onthe19thJanuary1999forexamplea56DESkeywascrackedinabout22hoursbydistributed.net,adistributedcomputingproject.Theencryptedmessagestated:SeeyouinRome(sec-ondAESConference,March22-23,1999)[7].AESisthenextgenerationencryptionstandardandis,since26thofMay2002,theoﬃcialencryptionstandardoftheUSA[8].AESwillbeavailableforIP-Sectoo.Howeverto-dayyoushouldinanycaseuseTriple-DESinyourIP-Secconnectionswhichisthebestencryptionalgorithm,requiredtobeimplementedinacurrentIPv6-Secprotocolstack.

Likeauthenticateddata,encrypteddatacanbesentintwodiﬀerentways:

1.PayloadEncryption:Thisisthesocalledtransportmode,whichjustencryptsthepayload(includingTCPinformationlikethedestinationport).Figure3showstheencryptedpartsofapackagesentintransportmode.

Figure3:TransportModeEncryption(darkgray=encrypteddata)2.HeaderandPayloadEncryption:IfitisrequiredtoencryptthewholeIPpackage,theencryptedIPpackagehastobewrappedwithanouterIPpackage(tunneled),enablingrouterstoreadtheimportantouterIPheaderinformation.

Figure4:TunnelModeEncryption(darkgray=encrypteddata)

Byusingencryptionit’spossibletohidesensitivedatafromanattacker,makingitimpossiblefortheattackertoreadtheinformationsent.Butbyjustusingencryptionforourdata,asyoucanseeinFigure4,theattackercanagainchangeorspoofimportantheaderinformation,causethepacketisnotauthenticated.It’snotrecommendedtosolelyrelyonencryptionwhentransmittingdatawithIP-Sec.

3.2.4

AuthenticationandEncryption

Usingthemechanismsshownaboveit’spossibletoﬁrstencryptandthenauthenticatetheencryptedpackage.ThisisdonebyprecedinganAHheaderbeforeanESPheader.Becauseintegrity,authenticityandconﬁdentialityiswantedinthemostcases,it’spossibletoappendanAHtrailer(seeFigure4)totheESPtrailerwhichresultsinsmallerIPpackets.Thiscombinationisthemostsecurewayofensuringpacketintegrityandsecurityandshouldbeusedwheneverencryptioniswanted.

3.3PuttingitTogether

ToestablishaSecurityAssociationbetweentwohostsforfurthermoreusingauthenticationand/orencryptionincommunication,thetwohostsmustﬁrstagreeuponthecommonsecuritypolicyandusedcryptographicalgorithms.ThereforetheIKE(InternetKeyExchange[3])protocolwasdeﬁned.IKEisimplementedonapplicationlayer,workingonUDPport500andgenerallyisanadaptionofbasicallythreemoregeneralprotocols[5]and[6]:1.ISAKMP:TheInternetSecurityAssociationandKeyManagementProtocol(deﬁnedinRFC2408)managestheinitializationofconnec-tionsanddeﬁnestheirSAsbydescribingthenegotiatedconnectionproperties.2.IP-SecDOIforISAKMP:Atightspeciﬁcationwhichtellshowtoin-terprettheratherabstractISAKMPspeciﬁcationinregardtoIP-Sec3.Oakleykeydeterminationprotocol:IsdeﬁnedinRFC2412andbasesontheDiﬃe/Hellmankeyexchange.IKEcanbasicallybedescribedasanegationprotocol,thatusesISAKMPtoexchangekeyandSAinformation.BesidesIKEthereexistotherproposalsnegotiationlikePhoturis(experimentalRFC2522,2523)andSKIP.

IKEworksintwophases.IntheﬁrstphaseThetwomachinesinvolvedsetupasecureauthenticatedchannel.ForinstancethischannelcouldbesetupbyencryptingthedatawithanRSAkey.AfterobtainingtheISAKMPSA,thecommunicatingpartnersusethesecurechannelinthesecondphasetoexchangeIP-SecSAsnecessaryfortheupcomingIP-Sectraﬃc.IKEisdeﬁnedasaveryﬂexibleprotocol,allowingfurtherextensiontoallowfetchingeventuallyneededpublickeysfromaPKI(PublicKeyInfrastructure)intheInternet,whichdoesnotexistyet.

3.4CurrentImplementations

TodaytherealreadyexistmanymoreorlessstableIPv6implementations.NotallofthemimplementIP-Secyet.Thefollowingtableisasummaryofthecapabilitiesofthe4mainIPv6stacksbeingimplemented.

GNU/LinuxVanillaKernel(2.4)doesnotsupportIP-Secoutofthebox.

AnIPv6-SecstackisbeingdevelopedbytheUSAGIproject.AHintransportmodeisfullyworking,ESPandAHtunnelmodeareinde-velopment.Seehttp://www.linux-ipv6.org/WindowsXPdoessupportIPv6andIP-SecoutoftheboxwithAHtunnel

andtransportmodeworking.ESPmodeworkstoo,butironicallydoesnotencryptanydatasent.HasnoIKEsupport,currentlySAshavetobesetmanually.Seehttp://www.microsoft.com/windowsxp/pro/techinfo/administration/ipv6/default.asp*BSDMostcompleteandbestfreelyavailableimplementationofanIPv6

andIP-Secstack.TheKAMEprojectisworkingonit’simplementa-tion.TheirworkwasalreadymergedintoFreeBSD4.0,OpenBSD2.7,NetBSD1.5andBSD/OS4.2.Seehttp://www.kame.net/CiscoLatestCiscoIOsreleases(startingwithversion12.2)havefullIPv6

andIP-Secsupport.TherearestillmissingsomespecialRFCs(likeIP-SecoveraNAT-edconnection)butbasicallytheirstackisreadyforuseinproductionenvironment.Seehttp://www.cisco.com/warp/public/732/Tech/

3.5OpenProblems

Ithasalreadybeenmentioned,thatNATisproblematicwhenusedincon-junctionwithIP-Sec.NATisactivelyrewritingpacketheaders,changingsourceanddestinationaddressinthepacketheader.Thismakesauthentica-tionimpossible.Anotherpointnotyetaddressed100%istheIKEprocess,whereforinstanceproblemsarisewhenthemobilityfeaturesorQualityofServicecomeintoplay.

¨CriticsofIP-Sec[9]alsostatethatIP-Secistoocomplextobesecure:The

simplestsolutionisthebest¨.TheIP-Secstandardisacollectionofmorethan35RFCdocuments,introducingagreatlevelofinterpretationrangeandcomplexity.ThemanydiﬀerentwaysofreachingthesamegoalwithIP-Secarealsoapointofcriticism.Addingfurtherfunctionalitysuchasthe

variousmodesoftunnelingwillcertainlyaddcomplexityandthusendangertheoriginalideaifprovidingasimplebutsecuresecuritymechanismforIPv6.

3.6Conclusion

DespiteallcriticismIP-Secisthebestnetworksecuritysolutioncurrentlyavailable.ItallowstwonetworkstosecurelyconnectovertheInternet,orjustenablingsecuredatatransmissionfornetworkservicesoperatingincleartext.Itshouldbenoted,however,thatIP-Secdoesnotautomaticallysecureeverything,it’sassecureasthecomputer,operatingsystemorapplicationitisworkingon.IP-SecdoesattempttostandardizesecuritymechanismsintheInternetandisagreatsteptowardamoresecureInternet.

4GettingStarted

ThissectionintroducesyouhowtostartyourownexperimentswithIPv6andIP-Sec.ThestepsaresketchedinageneralwayassumingthatyouhaveastaticIPv4address,noexistingIPv6infrastructure.Besidestheheredescribed6Bonemanyother(mostlycommercial)testingnetworkslikethe6net(Cisco)exist.

Toconnecttothe6Bone,yougenerallyhavetofollowthosethreestepsdescribedhere:

1.EnablingtheIPv6stackTheﬁrststepbeforeexperimentingwiththethingsdescribedabove,youhavetodownloaddownloadyourlatestIPv6vendorstackandenableit.ForinstanceInGNU/Linux,IPv6supporthastobecompiledintothekernel,inWindowsXPIPv6andIP-Secsupportjusthastobeactivatedwithaspecialcommandlinetool.2.Gettingonthe6BoneAfterenablingtheIPv6protocol,yourEthernetcardsalreadyautomaticallyhaveanIP-addressassigned:thesocalledlinklocaladdress.AnuniqueIPaddresscomputedusingyourMACaddress.Togetonthe6Bone,you’llneedaglobalIPv6IP.Youcannowcomputeyourpersonal6to4IPv6-address:

2002:hhhh:hhhh::1

hhhh:hhhhisthehexadecimalequivalentofyourglobalIPv4address.Younowhaveanaddressspaceof280(globallyvalid)diﬀerentIPv6IPs,whichgivesyoumoreIPsthanthecurrentIPv4Internethasforexperiments.AftersettingthecalculatedIPonyoursystem,justadd:::192.88.99.1

asyourdefaultgatewaytothe6Bone.::192.88.99.1isaspecialnotationforoldIPv4addressesinIPv6.192.88.99.1isanAnycastaddress(asdescribedintheﬁrstSection)whichalwayspointstothenext4to6router.Yourclosestentrypointinthe6BonecouldberightatyourISP,ifyouarelucky.

3.StartingExperimentsUsingtheping6command,youcannowtrytopingmeonthe6BoneorvisitanIPv6-onlywebsite:http://zoidberg.ipv6.chello.at/usinganIPv6enabledbrowserlikeMozilla.aeneas@blackhole:~$ping6-c2-natlantis.relax.ath.cx

PINGatlantis.relax.ath.cx(2002:3eb2:51cf::1)56databytes

bytesfrom2002:3eb2:51cf::1:icmp_seq=1ttl=time=0.35msbytesfrom2002:3eb2:51cf::1:icmp_seq=2ttl=time=0.31msWelcometothenextgenerationInternet!

References

[1]P.GrossandP.Almquist,1992.IESGDeliberationsonRoutingand

Addressing,IETF,http://www.ietf.org/rfc/rfc1380.txt.[2]S.DeeringandR.Hinden,December1998.InternetProtocol,Version6

(IPv6)Speciﬁcation,IETF,http://www.ietf.org/rfc/rfc2460.txt.[3]D.HarkinsandD.Carrel,November1998.TheInternetKeyExchange

(IKE),IETF,http://www.ietf.org/rfc/rfc2409.txt.[4]Computerhope,2002.ComputerHardware-Informationaboutcom-puterﬂoppydrives,computerhope.com,http://www.computerhope.com/help/floppy.htm[5]S.Hagen,July2002.IPv6Essentials-IntegratingIPv6intoyourIPv4

Network,O’Reilly,p1-4,12-16,77-104.[6]W.Stallings,1998.CryptographyandNetworkSecurity:Principlesand

Practice,PrenticeHall,p399-432.[7]D.McNett,Janurary1999.Pressrelease-USgovernment’sencryp-tionstandardbrokeninlessthanaday,distributed.net,http://www.distributed.net/des/release-desiii.txt[8]USComputerSecurityDevision,January2002.AdvancedEncryp-tionStandard(AES)-QuestionsandAnswers,NationalInstituteofStandardsandTechnology,http://csrc.nist.gov/encryption/aes/aesfact.html[9]N.FergusonandB.Schneier,2002.ACryptographicEvaluationofIP-sec,CounterpaneLabs,http://www.counterpane.com/ipsec.html

因篇幅问题不能全部显示，请点此查看更多更全内容

查看全文