IPv4 / IPv6 Security Gateway Principle and Application Analysis
1 Introduction
It is widely accepted that IPv6 will replace IPv4, but the replacement will be a long, gradual process, and IPv6 deployment roughly passes through the following stages. In the initial stage, a number of scattered IPv6 islands exist within the ocean of IPv4 networks; to keep them in communication, these islands are connected to one another through tunnels across IPv4. As IPv6 is deployed at scale, the original islands gradually aggregate into an IPv6 backbone that coexists with the IPv4 backbone. Many new services can be introduced on the IPv6 backbone, taking full advantage of IPv6; to let IPv6 and IPv4 network resources reach each other, servers must also be converted so that IPv6 and IPv4 interwork. Finally, the IPv4 backbone shrinks into local islands connected through tunnels, and IPv6 dominates with global connectivity.
IPv6 provides many transition technologies to support this gradual process. They mainly address two kinds of problem: IPv6 island interworking technology, which connects IPv6 networks to other IPv6 networks, and IPv6 / IPv4 interworking technology, which lets the two different kinds of network access each other's resources. Therefore, we propose to develop an IPv4 / IPv6 Internet gateway that solves the interconnection problem between IPv4 and IPv6 through protocol and address translation and makes a smooth transition from IPv4 to IPv6 possible. The device can be deployed in metropolitan area networks, campus networks, enterprise networks and other private networks to give subnets at every level secure access to existing IPv6 / IPv4 resources. Figure 1-1 shows a typical application scenario of an IPv4 / IPv6 gateway, and Figure 1-2 shows how an IPv4 / IPv6 gateway is connected into the network.
Figure 1-1 Typical application scenarios of IPv4 / IPv6 security gateway
Figure 1-2 IPv4 / IPv6 security gateway networking
2 Principle of IPv4 / IPv6 Security Gateway
The IPv4 / IPv6 security gateway consists of four main parts: the mechanical structure, the router electronics, the primary power supply, and the ventilation and cooling system. The mechanical part includes the main chassis and the distribution frame; the main chassis can be purchased or custom-built to the required dimensions, and the distribution frame is a standard 19-inch chassis distribution frame. The primary power supply is customised in consultation with the power supply manufacturer. The ventilation and cooling system consists of two sets of fans responsible for dissipating the heat of the gateway main frame and the power supply. The router electronics use a main control board, a switching board, a redundant power supply design and other modules in a modular structure that can be upgraded smoothly. The architecture of the IPv4 / IPv6 security gateway is shown in Figure 1-3.
Figure 1-3 IPv4 / IPv6 gateway architecture
The security gateway mainly consists of the support subsystem, the routing protocol processing subsystem (mainly the BGP4+ agent), the IPv4 / IPv6 interconnection gateway core function processing subsystem, the IP forwarding subsystem (distributed structure) and the operation and management subsystem. Figure 1-4 shows a schematic of IP packet flow under this architecture.
Figure 1-4 Schematic diagram of IP packet processing
Operation and Management Subsystem
The operation and management subsystem (OAM subsystem) is the control core of the entire IPv4 / IPv6 interconnection gateway and is responsible for controlling and managing the whole gateway system. Its main functions include providing a variety of user operation interfaces (console, virtual terminals and SNMP network management), exchanging information between managed modules, providing distributed support, detecting and recovering from errors, and providing a complete runtime debugging interface.
IP forwarding subsystem
The forwarding subsystem implements the basic router function of the IPv4 / IPv6 interconnected gateway system, IP packet forwarding. It implements the three main IPv6 protocols (IPv6, ICMPv6 and Neighbor Discovery) and the corresponding protocols of the IPv4 protocol stack, and supports IP packet forwarding on both single-processor platforms and distributed multi-processor platforms.
Routing protocol processing subsystem
The routing protocol processing subsystem mainly implements the BGP4+ proxy on the IPv4 / IPv6 interconnection gateway. The 4to6 transition protocol must support propagating the IPv4 routing table into IPv6 and learning the IPv4 routing table from the IPv6 network. This part mainly implements the routing processing mechanism of the 4to6 transition protocol, including support for multicast routing.
Support subsystem
The support subsystem provides services to the upper-layer application entities of the entire IPv4 / IPv6 interconnection gateway system. From a protocol perspective, it serves the BGP4+ agent and the network management protocol SNMP; from a system perspective, it is the means by which the system is operated and managed. The support subsystem implements the protocol specifications of its three components, provides end-to-end data transmission, and provides remote login access.
IPv4 / IPv6 security gateway core function processing subsystem
The core function processing of the security gateway mainly realises the IPv4 / IPv6 network transition mechanisms and technologies, which currently include protocol translation, tunnelling, 4to6 transition and application layer gateway technology. The core of the security gateway has three main parts: message translation, the DNS application layer gateway and the FTP application layer gateway.
Figure 1-5 The overall structure of NAT_PT
Message translation
The message translation part is the most basic part of NAT_PT; it is responsible for translating between IPv4 and IPv6 packets. The implementation mainly covers three packet types: TCP, UDP and ICMP. Because of TCP's own characteristics, the dynamic address pool is operated differently for TCP than for UDP and ICMP, both when addresses are mapped and when a TCP connection is established.
DNS application layer gateway
The DNS application layer gateway supports the IPv6 extension of DNS. It mainly translates DNS UDP packets whose destination port or source port is 53. Its main purpose is to let external IPv4 hosts reach servers in the IPv6 domain: when an external DNSv4 query passes through the router it is translated and forwarded to the IPv6 DNS server in the IPv6 domain, and the DNSv6 reply from that server is likewise translated and returned to the original IPv4 host.
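As an added example (not code from the page or from the gateway it describes), the following Python models the dynamic address pool from the message translation part together with the DNS application layer gateway just described: an A query from the IPv4 side becomes an AAAA query for the IPv6 DNS server, and the AAAA reply becomes an A reply carrying an IPv4 address bound from the pool. The pool prefix 198.51.100.0/29 and the message layouts are constructed; authority and additional sections are dropped, and compression pointers are tracked only for names in RR headers and in CNAME rdata, which is enough for the replies an A/AAAA lookup produces.

```python
import ipaddress
import struct

class AddressPool:
    """Dynamic IPv4 pool (constructed) that binds each IPv6 server to a temporary IPv4 address."""
    def __init__(self, prefix):
        self.free, self.bound = list(ipaddress.ip_network(prefix).hosts()), {}
    def bind(self, v6):
        if v6 not in self.bound:                 # first sight of this IPv6 server
            self.bound[v6] = self.free.pop(0)    # IndexError once the pool is exhausted
        return self.bound[v6]

def _copy_name(msg, off, out, remap):
    """Copy one DNS name into out, rewriting compression pointers for the new layout."""
    while msg[off] & 0xC0 != 0xC0:               # plain label (or the terminating 0)
        n = msg[off]
        remap[off] = len(out)                    # every label start is a legal pointer target
        out += msg[off:off + 1 + n]
        off += 1 + n
        if n == 0:
            return off
    ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF   # 2-byte compression pointer
    out += struct.pack("!H", 0xC000 | remap[ptr])          # KeyError if target untracked
    return off + 2

def translate_dns(msg, pool, to_v6):
    """NAT-PT style DNS ALG: A<->AAAA in questions; AAAA answers -> A via the pool (IPv4-bound); NS/AR dropped."""
    txid, flags, qd, an = struct.unpack_from("!HHHH", msg, 0)
    out = bytearray(struct.pack("!HHHHHH", txid, flags, qd, an, 0, 0))
    remap, off, qmap = {}, 12, ({1: 28} if to_v6 else {28: 1})
    for _ in range(qd):
        off = _copy_name(msg, off, out, remap)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        out += struct.pack("!HH", qmap.get(qtype, qtype), qclass)
        off += 4
    for _ in range(an):
        off = _copy_name(msg, off, out, remap)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        hdr_at = len(out)
        out += struct.pack("!HHIH", rtype, rclass, ttl, 0)   # rdlength patched below
        if rtype == 28 and not to_v6:                         # AAAA -> A via the pool
            struct.pack_into("!H", out, hdr_at, 1)
            out += pool.bind(ipaddress.IPv6Address(bytes(msg[off + 10:off + 26]))).packed
        elif rtype == 5:                                      # CNAME rdata is itself a name
            _copy_name(msg, off + 10, out, remap)
        else:
            out += msg[off + 10:off + 10 + rdlen]
        struct.pack_into("!H", out, hdr_at + 8, len(out) - hdr_at - 10)
        off += 10 + rdlen
    return bytes(out)
```

The same IPv6 server always maps to the same pool address while its binding lives, which is what lets the IPv4 host's subsequent TCP or UDP traffic be translated consistently.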
FTP application layer gateway
Because the IPv6 extensions of FTP differ from the existing IPv4 FTP commands and are not fully compatible, FTP commands must be translated. Since translation changes the length of the TCP payload, the sequence numbers of all subsequent TCP segments on that FTP connection must be adjusted. The FTP application layer gateway mainly translates FTP TCP packets whose destination port or source port is 21.
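As an added example, not code from the page or from the gateway it describes, this Python class shows the two things the FTP application layer gateway paragraph calls for: rewriting the IPv4 client's PORT and PASV commands into the EPRT and EPSV forms an IPv6 server understands (and the server's 229 reply back into a 227 reply), and tracking the change in TCP payload length so that later sequence and acknowledgement numbers on the control connection are adjusted. The addresses, port numbers and regular expressions are constructed, and in-order delivery on the control connection is assumed.

```python
import re

# Constructed patterns for the one command and one reply this example rewrites.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
EPSV_229_RE = re.compile(rb"^229 .*\(\|\|\|(\d+)\|\)\r\n$")

class FtpAlg:
    """FTP ALG state for one control connection between an IPv4 client and an IPv6 server.
    Payload rewrites change the TCP payload length, so a byte delta is kept per direction
    and applied to later sequence numbers and to the peer's acknowledgements (assumes
    in-order delivery on the control connection)."""
    def __init__(self, client_v6, server_v4):
        self.client_v6 = client_v6      # IPv6 address the gateway presents for the IPv4 client
        self.server_v4 = server_v4      # IPv4 address the gateway presents for the IPv6 server
        self.delta_c2s = 0              # bytes added so far to client->server payloads
        self.delta_s2c = 0              # bytes added so far to server->client payloads

    def client_to_server(self, seq, ack, payload):
        """Translate one client segment; returns (seq, ack, payload) for the IPv6 side."""
        new_payload, m = payload, PORT_RE.match(payload)
        if m:                           # PORT h1,h2,h3,h4,p1,p2  ->  EPRT |2|addr|port|
            *_, p1, p2 = (int(x) for x in m.groups())
            new_payload = f"EPRT |2|{self.client_v6}|{p1 * 256 + p2}|\r\n".encode()
        elif payload == b"PASV\r\n":    # an IPv6 server only understands EPSV
            new_payload = b"EPSV\r\n"
        out = (seq + self.delta_c2s, ack - self.delta_s2c, new_payload)
        self.delta_c2s += len(new_payload) - len(payload)   # affects segments after this one
        return out

    def server_to_client(self, seq, ack, payload):
        """Translate one server segment; returns (seq, ack, payload) for the IPv4 side."""
        new_payload, m = payload, EPSV_229_RE.match(payload)
        if m:                           # 229 (|||port|)  ->  227 (h1,h2,h3,h4,p1,p2)
            port, host = int(m.group(1)), self.server_v4.replace(".", ",")
            new_payload = f"227 Entering Passive Mode ({host},{port // 256},{port % 256})\r\n".encode()
        out = (seq + self.delta_s2c, ack - self.delta_c2s, new_payload)
        self.delta_s2c += len(new_payload) - len(payload)
        return out
```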
3 IPv4 / IPv6 security gateway solution
Based on the principles of the IPv4 / IPv6 security gateway and on market requirements, and considering performance, scalability and high reliability, we recommend EVOC's network system platform NPC-8205 as the hardware platform of the solution. An IPv4 / IPv6 security gateway can be implemented reliably on this platform.
The NPC-8205 is a high-end network application system product based on Intel's new-generation Jasper Forest server platform. On this platform the northbridge is integrated into the CPU, which greatly improves the CPU's access speed to memory and peripherals. The network design is fully modular, with a flexible choice of optical and electrical port combinations and flexible switching between Gigabit and 10G. The motherboard supports two CPUs, 12 DIMM memory slots and 6 SATA interfaces, a CF card, one onboard PCI expansion slot and two PCI-E expansion slots. The whole machine supports three full network expansion modules, two 2.5-inch removable hard disk bays, an LCD display, 2 onboard Gigabit electrical ports, 1 serial port and 2 USB ports; the front panel can be expanded with two PCI-E devices, and a redundant power supply is supported.
Using the Jasper Forest platform has the following advantages:
(1) Hyper-Threading support: third-generation Hyper-Threading technology.
(2) Virtualised device input / output (VT-d): adding device input / output virtualisation to the previous CPU-based virtualisation approach effectively improves the performance and efficiency of virtual machines.
(3) Core acceleration mode (Turbo Mode): cores are managed dynamically, and a single core can be turned on, turned off or sped up as needed. Such dynamic adjustment improves the overall energy efficiency of the system and the CPU.
(4) Cache design: a three-level, fully inclusive cache. The L1 design is the same as in the Core microarchitecture; L2 uses an ultra-low-latency design with 256KB per core; L3 is shared by all cores on the chip.
(5) Integrated memory controller (IMC): moved from the chipset onto the CPU chip and supporting multi-channel DDR3 memory, it greatly reduces memory read latency and raises memory bandwidth by up to three times.
(6) QPI (QuickPath Interconnect): a point-to-point connection technology that replaces the front-side bus (FSB). A 20-bit wide QPI link offers a bandwidth of 25.6GB per second, far beyond what the FSB provides. QPI first proved its value on server platforms that support multiple processors, where it is used to interconnect the processors.
Freely switchable photoelectric module design
The optical port modules and the electrical port modules can be swapped freely from the front panel without opening the cover, so the platform can be fitted with any combination of optical and electrical ports, and the two module types can be mixed and used at the same time.
(Application schematic)
4 Conclusion
In summary, EVOC's network system platform NPC-8205, used as the hardware platform for the IPv4 / IPv6 security gateway solution, meets the gateway's requirements for computing performance, storage performance, reliability and expandability, and is a relatively good solution.