Yang Daoquan,Xu Yong,Zhang Ling

DOI: https://doi.org/10.3969/j.issn.1000-0801.2008.01.011

2008-01-01

Abstract:The architecture of true IPv6 address accessing is the key point to trusted next generation Internet. Based on the principle of SPF and cryptology, the structure of a trusted E-mail system based on true IPv6 address is designed in this paper, which supports SPF, encryption and digital signature.

Guangwu Hu,Wenlong Chen,Qi Li,Yong Jiang,Ke Xu

DOI: https://doi.org/10.1016/j.future.2016.09.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Despite the Internet has been rapidly developed in the past three decades, its intrinsic security mechanism, e.g., IP source address validation and user identification authentication, is still not well addressed. This results in numerous cyber security threats. In order to enhance the Internet accountability and deter potential cyber-attacks, in this paper, we propose TrueID, an IPv6 header extension scheme which can embed hash-based, creditable and undeniable user identity code inside IPv6 packets. We present the system architecture, header’s format and viable implementation approaches with different credibility granularities. Meanwhile, to verify packet credibility and integrity, we design an Autonomous System (AS) level public-key distribution system which can disseminate user’s public keys between allied ASes safely. Also, the prototype experiment has proved that our scheme possesses these features with desirable performance.

Longfei Zhen,Ke Ma

DOI: https://doi.org/10.1109/CCNS53852.2021.00032

2021-01-01

Abstract:Source address verification is to prevent nodes on the same link from deceiving each other’s IP addresses, to prevent hackers from gaining the trust of each other’s terminals, and then controlling the terminals, thus avoiding the penetration of attacks. Based on this, this paper proposes an inter-domain source IPv6 address encryption and verification scheme based on HMAC (HMAC-SAV). The verificati...

Jianping Wu

2007-01-01

Abstract:This document describes the detail mechanism and protocol definition of a light-weight signature based and end-to-end deployed method for preventing the spoofing of source IPv6 address.

LIU Wu,DUAN Hai-xin,WU Jian-ping,LI Xing,CHEN Qiao

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.001

2007-01-01

Abstract:Email is always one of the most important applications of the Internet.Current email systems based on SMTP protocol and C/S structure adopt the relaying mechanism which is similar to that of routing,as the server can not verify the authenticity of the original email sender,it always leads to the spread of spam,while the existing solutions to spam based on content analysis get high misjudgment rate and lead to lost of emails.This paper studied the architecture of authentic IPv6 address based P2P email system,proposed the Sender Identity Authentication based on authentic IPv6 address,designed and implemented the authentic IPv6 address based P2P email system which can verify and trace back to the original sender of the email,so spam of fake source address can never be sent out.

Jie Li,Jianping Wu,Ke Xu

DOI: https://doi.org/10.1109/glocom.2011.6133740

2012-01-01

Chinese Journal of Computers

Abstract:Next generation Internet is highly concerned with the issue of trustworthy. An important foundation of trustworthy is authentication of the source IP address. With existing signature-and-verification based defense mechanisms, there is a lack of hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of trust alliances, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this article proposes a hierarchical, inter-domain authenticated source address validation solution named SafeZone. SafeZone employs two intelligent designs: lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that SafeZone can construct trustworthy and hierarchical trust alliances without the negative influences and complex operations on de facto networks. Extensive experiments also indicate that SafeZone can effectively obtain the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as supporting incremental deployment.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11758549_26

2006-01-01

Abstract:Many network attacks forge the source address in their IP packets to block traceback. This situation does not change much in IPv6 network since IPSEC is not enabled generally and most IP address spoof attacks have taken effect before packets reached destination. Although ingress filtering can be used to validate source addresses, it could only ensure that the network portion of an address is not spoofed. Since subnets are much larger in IPv6, even with RFC 2827-like filtering an adversary can spoof an enormous range of addresses. In this paper, we propose an IPv6 address assignment scheme to generate verifiable IPv6 addresses in one network. With this scheme, router could validate the IPv6 addresses quickly, thus allow all outgoing packets with improper source addresses and all incoming packets with improper destination addresses to be immediately identified. Apart from the obvious merit to counter denial of service attacks, this scheme also make network audit and pricing easier.

Zhu Min,Xu Ke,Li Qi

DOI: https://doi.org/10.1007/978-3-642-24403-2_26

2011-01-01

Abstract:Mobile IPv6 runs high risk of being attacked by IP spoofing due to the introduction of mobility and route optimization. In this paper, an authentic IP address validation scheme is proposed to protect mobile nodes in Mobile IPv6 against IP spoofing attack. The mobile nodes' historical traffic information is leveraged to validate the authenticity of its claimed home address in the scheme. Compared with other authentication schemes, this scheme is much simpler to implement and easier to deploy based on the usage of real data, and does not require additional computational overhead. It also solves the address ownership problem and the unauthenticated binding update issue in Mobile IPv6. Real traces are used to demonstrate the applicability of the scheme in this paper. The experimental results show that only three consecutive historical packet records are required to construct a unique authentication key, which can identify forged home address efficiently.

Guang Yao,Jun Bi

DOI: https://doi.org/10.1109/ICNS.2008.25

2008-01-01

Abstract:The lack of source address validation on the Internet makes attack with IP spoofing a serious problem. Many methods have been proposed to solve this problem, and among them, SPM and ARBIF are effective and feasible ones. We have implemented an IPv6 source address validation device with these two methods embedded, and this device is an open framework for other source address validation mechanisms.

LI Dan,QIN Lancheng,WU Jianping,SU Yingying,XU Mingwei,SHI Xingang,GU Yunan,LIN Tao

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020289

2020-01-01

Abstract:At the beginning of the design of the Internet architecture,it assumed that all network members were trusted,and did not fully consider the security threat brought by the untrusted network members.For a long time,routers only forward packets based on the destination IP address of the packet,and do not carry out any verification on the source IP address of the packet.The lack of packet level authenticity on the Internet results in the header being maliciously altered.A real source address verification mechanism with routing synchronization and dynamic filtering were proposed.This mechanism constructs the filter table based on the prefix-topology mapping synchronization,the problem of inconsistent state between the filter table and the route caused by routing asymmetry were solved,false positives and false negatives was avoided,and a low-overhead and low-latency source address verification of the IP address prefix level granularity in the address domain were realized.

Lizhong Xie,Jun Bi,Jianpin Wu

DOI: https://doi.org/10.1007/978-3-540-72590-9_121

2007-01-01

Abstract:In today's Internet routing architecture, the router doesn't validate the correctness of the source address carried in the packet, nor keep the state information when forwarding the packet. Thus the DDoS attacks with spoofed IP source address can cause security problems. In this paper, we aim to prevent the attackers from attacking somewhere outside the IPv6 edge network with forged source address in the fine granularity. The proposed methods include source address authentication by using session key and hash digest algorithm, and replay attack prevention by combining the sequence number method and the timestamp method. This paper presents the algorithm design and evaluates its feasibility and correctness by simulation experiments.

yu zhu,jun bi,yayuan sun

2012-01-01

Abstract:since global IPv4 address has already exhausted in 2011, IPv6 is going to be deployed more widely in the next years. Both IPv4 and IPv6 would coexist in Internet for many years. Some transition technologies can help IPv4 to work with IPv6, but most of them are vulnerable to IP address spoofing attack. This paper proposes a source address validation method which works with IPv4/IPv6 translation. Only one change is required in DNS translation, based on current translation technology. Currently, an IPv4 server's address in DNS reply would be translated to an IPv4-mapped IPv6 address by DNS translator. In this paper, we proposed a method called identify code (GIC) that the translator gateway embeds authentication information in IPv4- mapped IPv6 address in translated DNS reply. A host who receives this DNS reply would use this GIC embedded address to start communication. When packets reach translator gateway, validation is performed to check whether the GIC is correct. This technology can work with both stateful translation method and stateless translation method, including NAT-PT, NAT64 and IVI. This method will protect the address pool and filter the IP address spoofing attack.

Lin He,Gang Ren,Ying Liu,Guanglei Song,E. Jinlong,Jiahai Yang,Mingwei Xu

DOI: https://doi.org/10.1109/MNET.123.2200111

IF: 10.294

2023-01-01

IEEE Network

Abstract:IP spoofing is prevalently used for anonymity and reflection attacks, e.g., distributed denial of service (DDoS) attacks, which have shown increasingly destructive power in recent years because today's Internet lacks validation on source addresses. Moreover, the fast deployment of IPv6 on the Internet may further aggravate the damages of DDoS attacks. This paper proposes a novel source address validation mechanism called SAV6, which leverages the huge IPv6 address space to validate source addresses at an inter-autonomous system (AS) granularity. In SAV6, each IPv6 address contains an AS number (ASN), whose corresponding AS announces the prefix of the address to other ASes. An AS can determine the authenticity of the source address by whether the ASN in the address matches the corresponding prefix after receiving an incoming packet. The performance evaluation of a SAV6 prototype shows that it adds little performance overhead to the deployed infrastructures and is a lightweight and deployable protocol.

ZHOU Jiang,LI Hewu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2019288

2019-01-01

Abstract:As the network scale grows,it is especially important to fine-tune the network.In the next-generation Internet,embedding the user's trusted identity into the IPv6 address suffix to assign trusted addresses can further improve the traceability of network behavior.At present,many studies have attempted to embed the user’s identity information into IPv6 addresses based on portal authentication and DHCPv6,but the modification of DHCPv6 makes it not transparent to the terminal.A mechanism for trusted address assignment in IPv6 networks based on portal authentication was proposed.The collaboration between servers and software-defined networking (SDN) technology was used to realize the indirect assignment of IPv6 trusted addresses.Finally,a prototype system was implemented and its feasibility and performance were evaluated in the network of Nanjing Telecom in Jiangsu.The results show that the mechanism only brings little overhead and it is transparent to the terminal.

Jun Bi,Guang Yao,Jianping Wu

DOI: https://doi.org/10.4304/jnw.4.2.100-107

2009-01-01

Journal of Networks

Abstract:Since the Internet uses destination-based packet forwarding, malicious attacks have been launched using spoofed source addresses. In an effort to enhance the Internet with IP source address validation, we prototyped an implementation of the IPv6 Source Address Validation Architecture (SAVA) and conducted the evaluation on an IPv6 test-bed. This paper reports our prototype implementation and the test results, as well as the lessons and insights gained from our experimentation. Some enhanced methods are also introduced in this article.

Yao Liu,Yueting Chai,Yi Liu

DOI: https://doi.org/10.1109/icebe.2015.76

2015-01-01

Abstract:In the current Internet environment, security incidents occur frequently and the potential safety problems are highlighted. In this case, we propose "Internet trusted identity authentication system". The system changes the previous conventional mode of identity authentication, changes the mode of username/password to the relationship bound between net ID and password rule and replaces the traditional dead-password mode with the mode of dynamic password and password rule. At the same time, we should establish the repository of trusted identity to store and manage the net ID and password rule. With the tools of USBKEY, SMS and digital certificates, the system can achieve the function of implementing the real-name network in the Internet, making remembering passwords more convenience, simplifying users' operations online and strengthening the security of personal identification information online, which can improve the safety, reliability and efficiency of the Internet, on the premise that it won't change the Internet functions or the operation habits.

ZHANG Jia,DUAN Haixin,WU Jianping

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.01.022

2011-01-01

Abstract:Anonymous communications are widely accepted as an important mechanism to protect privacy.However,the Internet protocol(IP) addresses are essentially fixed in the current network environment,so an adversary can destroy anonymity in the system by tracing IP addresses.This paper presents a peer-to-peer(P2P) based anonymous communication mechanism to enhance the anonymity of communications in IPv6 networks.This method improves the IPv6 IP generation algorithm and the onion routing based anonymous communication mechanisms.The system uses IPv6 to provide a wide address space and to periodically change the IP address to avoid privacy loss caused by IP address.The onion routing based mechanism can hide the IP addresses among network segments and encrypt the data.Tests show that integration of these two methods enhances the anonymity of anonymous communication systems,while maintaining communication efficiency and system compatibility.

Fuliang Li,Changqing An,Jiahai Yang,Ning Jiang,Jianping Wu

DOI: https://doi.org/10.1109/APNOMS.2011.6077038

2011-01-01

Abstract:IPv6 protocol has been widely deployed in the world. As the IANA pool of IPv4 addresses has run out, IPv6 will become increasingly important. Although the IPv6 protocol stack presents considerable advantages compared with the IPv4 protocol stack, IP source address spoofing is still exploited in IPv6 to initiate malicious attacks. Some techniques are proposed and deployed to implement source address validation at fine granularity. In this paper, we investigate the efficiency of fine granularity IP source address validation, e.g. whether filtering technology is deployed to prevent hosts from using forged IP address. We develop a detection tool with controlled spoofing ability which can infer whether the function of filtering spoofing address packets is enabled. We run this tool in 12 famous universities in China and collect the testing data. We gather a total of 41373 probes from 324 clients, and each probe includes sending at least 5 packets with the same spoofing source address to the control server. Results reveal that, 77.02% of the spoofing probes are completely filtered, 0.29% of the spoofing probes are partly filtered and the rest spoofing probes are not filtered at all. Overall, this illustrates that techniques of source address validation have been widely deployed in campus networks. Our statistical results provide practical basis for the deployment and further development of source address validation protocols in IPv6 networks.

吴建平,任罡,李星

DOI: https://doi.org/10.3969/j.issn.2095-2783.2007.10.003

2007-01-01

Abstract:The current Internet addressing architecture does not verify the source address of a packet received and forwarded.This causes serious security problems.This paper proposed the solutions for Inter-AS source address validation in IPv6 network,which can improve the security of IPv6 network.An AS relation based method is proposed for directly connected AS,and a signature based method is proposed for ASes which are not directly connected.This paper discusses the details of design,implementation and deployment into the CNGI-CERNET2 infrastructure-a large-scale native IPv6 backbone network of the China Next Generation Internet project.

CHEN Hui,REN Yuan-biao

DOI: https://doi.org/10.3969/j.issn.1003-6199.2012.02.032

2012-01-01

Abstract:It is a serious problem that how to effectively judge the access user is a legal and real person in ipv6 campus network.We do a technology application research which is a project about Source Address Validation Implementation research based on ipv6 technology,then we can get a positive and effective way to improve the IPV6 campus network access security.It is a effective and secure validation way on campus network of ipv6 in future.The results of this research can be applied to new developments on campus network of ipv6 technology.