Design and Research on Embedded IPv6 Firewall Based on ARM System

【Author】 Wang Shujia (王树佳)

【Advisor】 Su Yixin (苏义鑫)

【Author information】 Wuhan University of Technology, Control Science and Engineering, 2010, Master's

【Abstract】 With the rapid development of computer networks, the inherent defects of the existing IPv4 network, such as insufficient address space and poor security, have become increasingly apparent. IPv6, as the next-generation Internet Protocol, has been widely recognized by the industry for its vast address space and stronger security features, and is being deployed around the world. But the IPv6 protocol is not perfect: the introduction of many new protocol mechanisms has brought new security risks. Firewalls, as an important means of network security, have been widely used in IPv4 networks. However, most firewalls that support IPv6 are currently deployed on backbone IPv6 networks, and few IPv6 firewall products are suited to small local area networks or enterprise networks. This thesis therefore researches and designs an ARM-based embedded IPv6 firewall.

Building on an in-depth analysis of the characteristics of packets in an IPv6 network environment and of the security problems of IPv6 networks, and drawing on current IPv6 firewall research results, the thesis proposes an overall firewall filtering scheme for IPv6 environments. The basic idea of the scheme is to add an IPsec module that authenticates or decrypts AH or ESP packets, and to filter unencrypted packets and decrypted plaintext packets with the ip6tables tool of the Linux 2.6 kernel. Users can add filter rules according to their actual needs.

Based on this scheme, an ARM-based embedded IPv6 firewall system is designed. The hardware platform uses the S3C2240 (ARM9) as its core processor, extended with SDRAM and NAND-Flash memory; two DM9000 network controller chips connect to the external untrusted network and the internal trusted network respectively. The software platform is built by porting a bootloader, embedded Linux, the YAFFS file system, the DM9000 dual network interface driver and the ip6tables tool set to the hardware platform.

After an in-depth analysis of the core filtering mechanism of ip6tables, an IPv6 packet filtering module is designed and a set of filter rules is added to the firewall; users can extend the rules further on this basis. Finally, the filter rules added to the firewall are tested, and the results show that the embedded IPv6 firewall filters packets correctly according to user-defined filter rules.

【Key words】 Embedded Firewall; IPv6 Firewall; ARM; IPsec; ip6tables