1. Technical Field
The present invention relates to a method and system for preventing Internet Protocol version 6 (IPv6) packet forgery in an IPv6-IPv4 network of a dual stack transition mechanism (DSTM) environment.
2. Related Art
The term “Internet Protocol version 6 (IPv6)-Internet Protocol version 4 (IPv4) network” refers to a network in which an IPv6 network and an IPv4 network coexist. The IPv6 network has been proposed to overcome the exhaustion of IPv4 addresses caused by their extensive use. After the introduction of the newly proposed IPv6 network, the traditional IPv4 network and the new IPv6 network must coexist, and this coexistence will be maintained until the traditional IPv4 network is completely replaced by the IPv6 network. Because of this coexistence, data communication technologies between the IPv4 network and the IPv6 network are required.
The communication technologies between the IPv4 network and the IPv6 network are being studied in various fields, such as IPv6/IPv4 dual stack tunneling technology and transition technology. The IPv6/IPv4 tunneling technology includes, for example, 6to4, dual stack transition mechanism (DSTM), intra-site automatic tunnel addressing protocol (ISATAP), Teredo, and tunnel broker. The transition technology includes, for example, network address translation-protocol translation (NAT-PT), stateless IP/ICMP translation (SIIT), and bump-in-the-API (BIA). The IPv6/IPv4 transition technologies are being studied in the Internet Engineering Task Force (IETF) v6ops working group (WG).
Among them, DSTM technology refers to a technology in which upgradeable nodes in conventional IPv4 systems are built in a dual stack structure supporting both IPv4 and IPv6; such a node is assigned an IPv6 address and operates as an IPv6 node, and is assigned an IPv4 address dynamically each time it needs to communicate with an IPv4 node. The DSTM technology is applicable to the last phase of the transition, in which all networks are replaced by IPv6 networks.
Under DSTM environments, a node on the IPv6 network side (hereinafter referred to as a “DSTM node”) that wishes to communicate with the IPv4 network is assigned an IPv4 address by a DSTM server, and communicates with the IPv4 network using the assigned IPv4 address.
However, assigning an IPv4 address to the DSTM node may have the following drawbacks.
In order to communicate with the IPv4 network, the DSTM node requests the DSTM server to assign it an IPv4 address. However, a wrongful node can make this request illegally and repeatedly, so that the IPv4 addresses held by the DSTM server are exhausted. This is possible because each illegal request for the assignment of an IPv4 address can be made using a forged media access control (MAC) or IPv6 address. Thus, in DSTM environments, a denial-of-service (DoS) attack can be caused by illegal and repetitive requests for the assignment of an IPv4 address carried in forged IPv6 packets. IPv6 packets that pass through the tunnel end point (TEP) from the DSTM node and are forwarded to the IPv4 network may also be forged. In other words, a DSTM node can communicate with the IPv4 network using an illegal IPv4 address that was abnormally assigned in response to its request to the DSTM server for the assignment of an IPv4 address.
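The exhaustion pattern described above, modelled as an added example that is not part of this patent text: a DSTM-style IPv4 lease pool, a detector that flags a burst of never-before-seen requester identities arriving through one TEP and a pool approaching exhaustion, and a constructed request trace in which three honest nodes are followed by twenty requests under distinct unverified identities and then a late honest node that can no longer obtain an address. The pool size, lease time, window length and thresholds are assumed values chosen for illustration.

```python
"""DSTM lease-pool exhaustion model and detector (added example; constructed data)."""
from collections import deque
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class LeaseRequest:
    t: float        # seconds since start of the trace (constructed)
    client_id: str  # MAC or IPv6 address presented by the requester; not verified
    tep: str        # tunnel end point (TEP) the request arrived through


class DstmPool:
    """Hands out IPv4 addresses from a fixed pool; returns None once exhausted."""

    def __init__(self, cidr: str, lease_seconds: float) -> None:
        self.free: Deque[str] = deque(str(h) for h in IPv4Network(cidr).hosts())
        self.leases: Dict[str, Tuple[str, float]] = {}  # ipv4 -> (client_id, expiry)
        self.lease_seconds = lease_seconds

    def _expire(self, now: float) -> None:
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]
                self.free.append(ip)

    def assign(self, req: LeaseRequest) -> Optional[str]:
        self._expire(req.t)
        # A node that already holds a lease just renews it, so honest repeat
        # requests never consume a second address.
        for ip, (client, _) in self.leases.items():
            if client == req.client_id:
                self.leases[ip] = (client, req.t + self.lease_seconds)
                return ip
        if not self.free:
            return None
        ip = self.free.popleft()
        self.leases[ip] = (req.client_id, req.t + self.lease_seconds)
        return ip

    def utilization(self) -> float:
        return len(self.leases) / (len(self.leases) + len(self.free))


class ExhaustionDetector:
    """Flags (a) more than max_new_ids first-seen identities through one TEP
    within window_s seconds and (b) pool utilization at or above the watermark.
    Thresholds are assumptions for the example, not values from any standard."""

    def __init__(self, window_s: float, max_new_ids: int, high_watermark: float) -> None:
        self.window_s, self.max_new_ids, self.high_watermark = window_s, max_new_ids, high_watermark
        self.seen: Set[str] = set()
        self.recent: Deque[Tuple[float, str]] = deque()  # (t, tep) of first-seen ids

    def observe(self, req: LeaseRequest, pool: DstmPool) -> List[str]:
        alerts: List[str] = []
        if req.client_id not in self.seen:
            self.seen.add(req.client_id)
            self.recent.append((req.t, req.tep))
        while self.recent and self.recent[0][0] < req.t - self.window_s:
            self.recent.popleft()
        new_via_tep = sum(1 for _, tep in self.recent if tep == req.tep)
        if new_via_tep > self.max_new_ids:
            alerts.append(f"t={req.t}: {new_via_tep} new identities via {req.tep} in {self.window_s}s")
        if pool.utilization() >= self.high_watermark:
            alerts.append(f"t={req.t}: pool utilization {pool.utilization():.0%}")
        return alerts


def constructed_trace() -> List[LeaseRequest]:
    """Three honest nodes, then 20 requests under distinct unverified identities
    through one TEP at 100 ms spacing, then a fourth honest node arriving late."""
    trace = [LeaseRequest(float(i), f"node-{c}", "tep-0") for i, c in enumerate("ABC")]
    trace += [LeaseRequest(10 + i / 10, f"unverified-{i:02d}", "tep-1") for i in range(20)]
    trace.append(LeaseRequest(30.0, "node-D", "tep-0"))
    return trace


def simulate(trace: List[LeaseRequest], cidr: str = "192.0.2.0/28") -> Dict[str, object]:
    pool = DstmPool(cidr, lease_seconds=60.0)  # /28 -> 14 usable addresses (assumed)
    det = ExhaustionDetector(window_s=5.0, max_new_ids=5, high_watermark=0.9)
    assigned = refused = 0
    refused_clients: List[str] = []
    alerts: List[str] = []
    first_alert_t: Optional[float] = None
    for req in trace:
        if pool.assign(req) is None:
            refused += 1
            refused_clients.append(req.client_id)
        else:
            assigned += 1
        new_alerts = det.observe(req, pool)
        if new_alerts and first_alert_t is None:
            first_alert_t = req.t
        alerts += new_alerts
    return {"assigned": assigned, "refused": refused, "refused_clients": refused_clients,
            "first_alert_t": first_alert_t, "alerts": alerts}


if __name__ == "__main__":
    result = simulate(constructed_trace())
    print(f"assigned={result['assigned']} refused={result['refused']}")
    for line in result["alerts"]:
        print(line)
```

Running it shows the two halves of the problem the text describes: the burst detector fires after the sixth first-seen identity (well before the pool is empty), while the honest node arriving at t=30 is refused because the 14 addresses are all held by identities the server never verified.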
In the DSTM environment, in order to overcome these drawbacks in assigning the IPv4 address and communicating with the IPv4 network, when a Domain Name System Security Extension (DNSSEC) DHCPv6 server is used as the DSTM server, the use of a DHCPv6 authentication message has been recommended for the domain name server (DNS). However, these technologies have the drawback that a security protocol or an encryption technique must additionally be used within the DSTM structure itself.