Internet Engineering Task Force (IETF) F. Baker
Request for Comments: 6018 Cisco Systems
Category: Informational W. Harrop
ISSN: 2070-1721 G. Armitage
Swinburne University of Technology
September 2010
Internet Engineering Task Force (IETF) F. Baker
Request for Comments: 6018 Cisco Systems
Category: Informational W. Harrop
ISSN: 2070-1721 G. Armitage
Swinburne University of Technology
September 2010
IPv4 and IPv6 Greynets
IPv4和IPv6 Greynets
Abstract
摘要
This note discusses a feature to support building Greynets for IPv4 and IPv6.
本说明讨论了支持为IPv4和IPv6构建GreyNet的功能。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6018.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6018.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. History and Experience . . . . . . . . . . . . . . . . . . 3
2. Deploying Greynets . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Deployment Using Routing - Darknets . . . . . . . . . . . . 4
2.2. Deployment Using Sparse Address Space - Greynets . . . . . 4
2.3. Other Filters . . . . . . . . . . . . . . . . . . . . . . . 6
3. Implications for Router Design . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . . 8
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. History and Experience . . . . . . . . . . . . . . . . . . 3
2. Deploying Greynets . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Deployment Using Routing - Darknets . . . . . . . . . . . . 4
2.2. Deployment Using Sparse Address Space - Greynets . . . . . 4
2.3. Other Filters . . . . . . . . . . . . . . . . . . . . . . . 6
3. Implications for Router Design . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . . 8
Darknets, also called "Network Telescopes" among other things, have been deployed by several organizations (including CAIDA, Team Cymru, and the University of Michigan) to look at traffic directed to addresses in blocks that are not in actual use. Such traffic becomes visible by either direct capture (it is routed to a collector) or by virtue of its backscatter (its resulting in ICMP traffic or transport-layer resets).
达克奈特,也称为“网络望远镜”,除其他外,已经由几个组织(包括CADA,CyrMu团队,和密歇根大学)部署在没有实际使用的块中寻找指向地址的流量。通过直接捕获(它被路由到收集器)或通过其后向散射(它导致ICMP流量或传输层重置),此类流量变得可见。
Darknets, of course, have two problems. As their address spaces become known, attackers stop probing them, so they are less effective. Also, the administrators of those prefixes are pressured by Regional Internet Registry (RIR) policy and business requirements to deploy them in active networks.
当然,黑暗有两个问题。当它们的地址空间变得已知时,攻击者停止探测它们,因此它们的效率较低。此外,这些前缀的管理员受到区域Internet Registry(RIR)策略和业务需求的压力,必须将它们部署到活动网络中。
[Harrop] defines a 'Greynet' by extension, in these words:
[Harrop]通过扩展定义了“Greynet”,即:
Darknets are often proposed to monitor for anomalous, externally sourced traffic, and require large, contiguous blocks of unused IP addresses - not always feasible for enterprise network operators. We introduce and evaluate the Greynet - a region of IP address space that is sparsely populated with "darknet" addresses interspersed with active (or "lit") IP addresses. Based on a small sample of traffic collected within a university campus network we saw that relatively sparse greynets can achieve useful levels of network scan detection.
暗网通常用于监控异常的、外部来源的流量,并且需要大量连续的未使用IP地址块,这对于企业网络运营商来说并不总是可行的。我们介绍并评估Greynet—一个IP地址空间区域,其中稀疏地填充着“暗”地址,中间点缀着活动(或“亮”)IP地址。基于在大学校园网内收集的一小部分流量样本,我们发现相对稀疏的greynet可以实现有用的网络扫描检测。
In other words, instead of setting aside prefixes that an attacker might attempt to probe and in so doing court discovery, Harrop proposed that individual (or small groups of adjacent) addresses in subnets be set aside for the purpose, using different host identifiers in each subnet to make it more difficult for an address
换言之,Harrop建议将子网中的单个(或一小群相邻)地址预留出来,在每个子网中使用不同的主机标识符,使地址更难识别,而不是将攻击者可能试图探测的前缀放在一边,并在这样做的过程中进行法庭发现
scan to detect them. The concept has value in the sense that it is harder to map the addresses or prefixes out of an attacker's search pattern, as their presence is more obscure. Harrop's research was carried out using IPv4 [RFC0791] and yielded interesting information.
扫描以检测它们。这一概念的价值在于,由于地址或前缀的存在更加模糊,因此很难将其映射出攻击者的搜索模式。哈洛普的研究是使用IPv4[RFC0791]进行的,并获得了有趣的信息。
The research supporting this proposal includes two prototypes, one with IPv4 [RFC0791] and one with IPv6 [RFC2460]. Both have limitations, being research experiments as opposed to deployment of a finished product.
支持该提案的研究包括两个原型,一个是IPv4[RFC0791],另一个是IPv6[RFC2460]。两者都有局限性,都是研究实验,而不是部署成品。
The original research was done by Warren Harrop and documented in [Harrop]. This was IPv4-only. His premise was that one would put a virtual or physical machine on a LAN that one was not otherwise using, and use it to identify scans of various kinds. As reported in his paper, the concept worked effectively in a prototype deployment at the Centre for Advanced Internet Architectures (CAIA), Swinburne University of Technology. The basic reason was that there was a reasonable expectation on the part of a potential attacker that a given address might be represented, and there was no pattern that would enable the attacker to predict which addresses were being used in this way. CAIA developed and released a prototype FreeBSD-based Greynet system in 2008 built around this premise [Armitage].
最初的研究由Warren Harrop完成,并记录在[Harrop]中。这只是IPv4。他的前提是将虚拟机或物理机放在一个局域网上,然后用它来识别各种扫描。正如他的论文所报道的,这个概念在斯文本科技大学高级互联网架构(CAIA)中心的原型部署中有效地工作。基本原因是,潜在攻击者有一个合理的预期,即给定的地址可能会被表示,并且没有任何模式使攻击者能够预测以这种方式使用的地址。CAIA于2008年开发并发布了一个基于FreeBSD的Greynet原型系统,该系统就是围绕这个前提而构建的[Armitage]。
Baker's addition to his concept started from the router, the idea that the router would be highly likely to encounter any such scan if it came from off-LAN, and the fact that the router would have to use Address Resolution Protocol (ARP) or Neighbor Discovery (ND) to identify -- or fail to identify -- the machine in question. In effect, any address that is not currently instantiated in the subnet acts as a Greynet trigger address. This clearly also works for any system that would implement ARP or ND, but the router is an obvious focal point in any subnet.
Baker对其概念的补充是从路由器开始的,路由器的想法是,如果它来自局域网外,路由器很可能会遇到任何这样的扫描,并且路由器必须使用地址解析协议(ARP)或邻居发现(ND)来识别——或无法识别——所讨论的机器。实际上,当前未在子网中实例化的任何地址都将充当Greynet触发器地址。这显然也适用于任何实现ARP或ND的系统,但路由器显然是任何子网中的焦点。
Tim Chown, of the School of Electronics and Computer Science, University of Southampton, offered privately to do some research on it, and had Owen Stephens do a Linux prototype in spring 2010. They demonstrated that the technology was straightforward to implement and in fact worked in a prototype IPv6 implementation.
南安普敦大学电子与计算机科学学院的Tim Chown私下里为这项研究做了一些研究,并让Owen Stephens在2010春季做了一个Linux原型。他们证明了这项技术易于实现,事实上,它在IPv6原型实现中起到了作用。
The question that remains with IPv6 address scanning is the likelihood that the attack would occur at all. Chown originally argued in [RFC5157] that address scans were impossible due to the sheer number of possibilities. However, in September 2010 a report was made to NANOG of an IPv6 address scan. Additionally, there are ways to limit the field; for example, one can observe that a company buys a certain kind of machine or network interface card (NIC), and
IPv6地址扫描仍然存在的问题是攻击发生的可能性。Chown最初在[RFC5157]中提出,地址扫描是不可能的,因为存在的可能性太多了。然而,2010年9月,NANOG收到了一份IPv6地址扫描报告。此外,还有一些方法可以限制该字段;例如,可以观察到一家公司购买了某种机器或网络接口卡(NIC),并且
therefore its probable EUI-64 addresses are limited to a much smaller range than 2^64 -- more like 2^24 addresses on a given subnet -- or one can observe DNS, SMTP envelopes, Extensible Messaging and Presence Protocol (XMPP) messages, FTP, HTTP, etc., that carry IP addresses in other ways. Such attacks can be limited by the use of Privacy Addresses [RFC4941], which periodically change, rendering historical information less useful, but the fact is that such analytic methods exist.
因此,其可能的EUI-64地址被限制在比2^64小得多的范围内——更像是给定子网上的2^24地址——或者可以观察以其他方式承载IP地址的DNS、SMTP信封、可扩展消息和状态协议(XMPP)消息、FTP、HTTP等。这种攻击可以通过使用隐私地址[RFC4941]加以限制,隐私地址会定期更改,使历史信息变得不那么有用,但事实上,这种分析方法是存在的。
Corporate IT departments and other network operators frequently run collectors or other kinds of sensors. A collector is a computer system on the Internet that is expressly set up to attract and "trap" nefarious attempts to penetrate computer systems. Such systems may simply record the attempt or the datagram that initiated the attempt (darknets/Greynets), or they may act as a decoy, luring in potential attacks in order to study their activities and study their methods (honeypots).
公司IT部门和其他网络运营商经常运行收集器或其他类型的传感器。收藏家是互联网上的一个计算机系统,专门用来吸引和“诱捕”渗透计算机系统的邪恶企图。此类系统可以简单地记录尝试或发起尝试的数据报(暗网/灰网),也可以充当诱饵,引诱潜在攻击,以研究其活动和方法(蜜罐)。
To accomplish this, we separate nefarious traffic from that which is likely normal and important, studying one and facilitating the other.
为了实现这一点,我们将邪恶的流量与可能正常和重要的流量分开,研究其中一个并促进另一个。
One obvious way to isolate and identify nefarious traffic is to realize that it is sent to a prefix or address that is not instantiated. If a campus uses an IPv4 /24 prefix or an IPv6 /56 prefix but contains less than 100 actual subnets, for example, we might use only odd numbered subnets (128 of the 256 available in that prefix), and not quite all of those. Knowing that the active prefixes are more specific and therefore attract appropriate traffic, we might also advertise the default prefix from the collector, attracting traffic directed to the uninstantiated prefixes in that routing domain.
隔离和识别恶意流量的一个明显方法是认识到它被发送到未实例化的前缀或地址。例如,如果校园使用IPv4/24前缀或IPv6/56前缀,但实际包含的子网少于100个,则我们可能只使用奇数编号的子网(该前缀中256个可用子网中的128个),而不是全部子网。知道活动前缀更具体,因此会吸引适当的流量,我们还可以从收集器中公布默认前缀,从而吸引指向该路由域中未实例化前缀的流量。
A second question involves mimicking a host under attack; the collector may simply record this uninvited traffic, or may reply as a honeypot system.
第二个问题涉及模仿受到攻击的主机;收集器可以简单地记录这些未被邀请的流量,也可以作为蜜罐系统进行回复。
IPv4 subnets usually have some unallocated space in them, if only because Classless Inter-Domain Routing (CIDR) allocates O(2^n) addresses to an IP subnet and there are not exactly that many systems there.
IPv4子网中通常有一些未分配的空间,这仅仅是因为无类域间路由(CIDR)将O(2^n)个地址分配给IP子网,并且那里没有那么多系统。
Similarly, with active IPv6 prefixes, even a very large switched LAN is likely to use a small fraction of the available addresses. This is by design, as discussed in Section 2.5.1 of [RFC4291]. If the addresses are distributed reasonably randomly among the possible values, the likelihood of an attacker guessing what addresses are in actual use is limited. This gives us an opportunity with respect to unused addresses within an IP prefix.
类似地,使用活动IPv6前缀,即使是非常大的交换LAN也可能使用可用地址的一小部分。如[RFC4291]第2.5.1节所述,这是通过设计实现的。如果地址在可能的值之间合理地随机分布,攻击者猜测实际使用的地址的可能性是有限的。这为我们提供了一个在IP前缀中未使用地址的机会。
Routers use IPv4 ARP [RFC0826] and IPv6 Neighbor Discovery [RFC4861] to determine the MAC (Media Access Control) address of a neighbor to which a datagram needs to be sent. Both specifications intend that when a datagram arrives at a router that serves the target prefix, but that doesn't know the MAC address of the intended destination, it should:
路由器使用IPv4 ARP[RFC0826]和IPv6邻居发现[RFC4861]来确定需要向其发送数据报的邻居的MAC(媒体访问控制)地址。这两个规范都打算,当数据报到达为目标前缀服务的路由器,但不知道目标的MAC地址时,它应该:
o Enqueue the datagram,
o 将数据报排队,
o Emit a Neighbor Solicitation or ARP Request,
o 发出邻居请求或ARP请求,
o Await a Neighbor Advertisement or ARP Response, and
o 等待邻居广告或ARP响应,以及
o On receipt, dequeue and forward the datagram.
o 收到数据报后,退出队列并转发数据报。
Once the host's MAC address is in the router's tables (and in so doing the address proven valid), the matter is not an issue.
一旦主机的MAC地址在路由器的表中(这样做的话地址被证明是有效的),问题就不存在了。
In [Harrop], the Greynet is described as being instantiated on an end-host that replies to ARP Requests for all 'dark' IP addresses. However, a small modification to router behavior can augment this model. As well as queuing or dropping a datagram that has triggered an ARP Request or Neighbor Solicitation, the router forwards a copy of this datagram over an independent link to the Greynet's analytic equipment. This independent link may be a different physical interface, a circuit, VLAN, tunnel, UDP, or other encapsulation, or in fact any place such a datagram could be handled. Depending on the requirements of the receiving collector, one could also imagine summarizing information in a form similar to IP Flow Information Export (IPFIX) [RFC5101] [RFC5610].
在[Harrop]中,Greynet被描述为在一个终端主机上被实例化,该主机对所有“暗”IP地址的ARP请求作出响应。然而,对路由器行为的一个小的修改可以增强这个模型。除了排队或丢弃触发ARP请求或邻居请求的数据报外,路由器还通过独立链路将该数据报的副本转发给Greynet的分析设备。该独立链路可以是不同的物理接口、电路、VLAN、隧道、UDP或其他封装,或者实际上可以处理此类数据报的任何位置。根据接收收集器的要求,还可以想象以类似于IP流信息导出(IPFIX)[RFC5101][RFC5610]的形式汇总信息。
The analytic equipment will now receive two types of datagrams. Of most interest will be those destined for 'dark' IP addresses. Of less interest will be the irregular case where a datagram arrives for a legitimate local neighbor who has, for some temporary reason, no MAC address in the router's tables. Datagrams arriving for an IP destination for which an ARP reply (or Neighbor Advertisement) has not yet received might also be forwarded to the analytical equipment over the independent link -- or might not, if they are considered to be unlikely to provide new analytic information.
分析设备现在将接收两种类型的数据报。最令人感兴趣的将是那些指定为“黑暗”IP地址的人。不太令人感兴趣的是,不规则的情况下,数据报到达一个合法的本地邻居,由于某种暂时的原因,在路由器的表中没有MAC地址。到达IP目的地但尚未收到ARP回复(或邻居公告)的数据报也可能通过独立链路转发给分析设备——或者,如果认为它们不太可能提供新的分析信息,则可能不转发。
Analytic equipment, depending on the router to recognize 'dark' IP addresses in this manner, can easily track arrival patterns of datagrams destined to unused parts of the network. It may also optionally choose to respond to such datagrams, acting as a honeypot to elicit further datagrams from the remote source.
分析设备依靠路由器以这种方式识别“暗”IP地址,可以轻松跟踪发送到网络未使用部分的数据报的到达模式。它还可以选择响应此类数据报,充当蜜罐,从远程源获取更多数据报。
If the collector replies directly, the attacker may be able to identify the fact through information in or about the datagram - datagrams sent to the same IP subnet may come back with different TTL values, for example. Hence, it may be advisable for the collector to send the reply back through the tunnel and therefore as if from the same IP subnet. Naturally, the collector in this scenario should not respond to datagrams destined for 'lit' IP addresses -- the intended destination will eventually respond to the router's ARP or Neighbor Solicitation anyway.
如果收集器直接应答,攻击者可能能够通过数据报中或关于数据报的信息来识别事实-例如,发送到同一IP子网的数据报可能返回不同的TTL值。因此,可能建议收集器通过隧道发送回复,因此就好像来自同一IP子网一样。当然,在这种情况下,采集器不应该响应发送到“lit”IP地址的数据报——预期的目的地最终将响应路由器的ARP或邻居请求。
One implication of this model is that distributed denial-of-service (DDoS) attacks terminate on router subnets within a network, as opposed to stopping on inter-router links.
该模型的一个含义是分布式拒绝服务(DDoS)攻击在网络内的路由器子网上终止,而不是在路由器间链路上停止。
An obvious extension of the concept would include traffic identified by other filters as appropriate to send to the collector. For example, one might configure the system to forward traffic that fail a unicast Reverse Path Forwarding (uRPF) check [RFC2827] to the collector via the same tunnel.
这一概念的一个明显扩展将包括由其他过滤器识别并发送到收集器的流量。例如,可以将系统配置为通过同一隧道将未通过单播反向路径转发(uRPF)检查[RFC2827]的流量转发给收集器。
The implication for router design applies to the IPv4 ARP and IPv6 Neighbor Discovery algorithms. It might be interesting to provide, under configuration control, the ability to forward to an analytic system the arriving datagrams that trigger an ARP Request or Neighbor Solicit, and then fail to receive the intended response, to an interface, circuit, VLAN, or tunnel.
路由器设计的含义适用于IPv4 ARP和IPv6邻居发现算法。在配置控制下,将触发ARP请求或邻居请求的到达数据报转发给分析系统,然后无法接收到接口、电路、VLAN或隧道的预期响应,这可能很有趣。
This note describes a tool for managing IPv4 and IPv6 network security. Like any tool, it has limitations and possible attacks. If discarding traffic under overload is a good thing, then holding and subsequently forwarding the traffic instead places a potential load on the network and the router in question, and as such represents a possible attack. Such an attack has obvious mitigations, however; one simply selects (in a manner the operator deems appropriate) a subset of the traffic to forward and discards the rest. In addition, this attack is not new; it is only changed in
本说明描述了用于管理IPv4和IPv6网络安全的工具。与任何工具一样,它也有局限性和可能的攻击。如果在过载情况下丢弃通信量是一件好事,那么保持并随后转发通信量反而会给相关网络和路由器带来潜在负载,因此表示可能的攻击。然而,这种攻击有明显的缓解措施;只需选择(以运营商认为合适的方式)要转发的流量子集,并丢弃其余的流量。此外,这种攻击也不是新的;它只不过是换了一种颜色而已
character. A stream that would instantiate the attack today results in a load of ARP or Neighbor Solicit messages that all listening hosts must intelligently discard. The new attack additionally consumes bandwidth that is presumably set aside specifically for that purpose.
性格今天,一个实例化攻击的流会导致ARP或邻居请求消息的负载,所有侦听主机都必须智能地丢弃这些消息。新的攻击会额外消耗专门为此目的预留的带宽。
The question of exactly what subset of traffic is interesting and economical to forward is intentionally left open. Key questions in algorithm design include what can be learned from a given sample (Are bursts happening? If so, with what data?), what the impact on the router and other equipment in question is, how that might be mitigated, etc. Possible selection algorithms dependent only on state and algorithms typically available in a router include:
究竟哪一部分流量有趣且经济,这一问题是有意保留的。算法设计中的关键问题包括从给定样本中可以学到什么(是否发生突发事件?如果是,使用什么数据?),对路由器和其他相关设备的影响是什么,如何减轻影响,等等。可能的选择算法仅依赖于状态和路由器中通常可用的算法,包括:
o Select all datagrams that trigger an ARP Request or Neighbor Solicit.
o 选择触发ARP请求或邻居请求的所有数据报。
o Select the subset of those that are not responded to within some stated interval and are therefore likely dark.
o 选择那些在规定的时间间隔内没有响应的,因此可能是黑暗的子集。
o Select the subset of those that are new; if the address is currently being solicited, forwarding redundant data may not be useful.
o 选择新的子集;如果当前正在请求地址,转发冗余数据可能没有用。
o Select all datagrams up to some rate.
o 选择高达某个速率的所有数据报。
o Select all datagrams matching (or not matching) a specified filter rule.
o 选择与指定筛选规则匹配(或不匹配)的所有数据报。
Algorithms for learning about Internet attack behavior by observing backscatter traffic have been used by CAIDA, University of Michigan, Team Cymru, and others. Harrop extended them in his research. This formulation of the notion originated in a discussion among the authors in 2005. This note grew out of a conversation with Paul Vixie and Rhette Marsh on Internet traffic sensors; they also made useful comments on it. Albert Manfredi commented on the distinction between a LAN (as defined by IEEE 802) and an IP subnet.
CAEDA,密歇根大学,团队CYMRU和其他人已经使用了通过观察反向散射业务来学习互联网攻击行为的算法。哈洛普在他的研究中扩展了它们。这一概念的表述起源于2005年作者之间的讨论。这张便条出自与Paul Vixie和Rhette Marsh关于互联网流量传感器的对话;他们还就此发表了有益的评论。Albert Manfredi评论了LAN(由IEEE 802定义)和IP子网之间的区别。
Tim Chown [RFC5157] has observed that, at least at the time of writing that RFC, address scanning attacks in IPv6 have not been reported in the wild. However, as mentioned in Section 1.1 above, a (partial) scanning attack was recently reported on the NANOG mailing list. Rhette Marsh has suggested the structure of such an attack, however, and Fred Baker has suggested approaches based on addressing
Tim Chown[RFC5157]观察到,至少在撰写本文时,IPv6中的RFC、地址扫描攻击尚未在野外报告。然而,如上文第1.1节所述,NANOG邮件列表最近报告了一次(部分)扫描攻击。然而,Rhette Marsh提出了这种攻击的结构,Fred Baker提出了基于寻址的方法
information exchanged by applications. Hence, we believe that such issues may be relevant to IPv6 in the future, when IPv6 is a more interesting target.
应用程序交换的信息。因此,我们认为这些问题可能与未来的IPv6有关,因为IPv6是一个更有趣的目标。
Tim Chown and Owen Stephens tested the proposal, and made useful comments that have been incorporated in this text. His fundamental comment was, however, that "it works".
蒂姆·乔恩(Tim Chown)和欧文·斯蒂芬斯(Owen Stephens)对提案进行了测试,并提出了有用的意见,这些意见已纳入本文。然而,他的基本评论是“它有效”。
[Harrop] Harrop, W. and G. Armitage, "Greynets: a definition and evaluation of sparsely populated darknets", IEEE LCN IEEE 30th Conference on Local Computer Networks, 2005.
[Harrop]Harrop,W.和G.Armitage,“Greynets:人烟稀少的黑暗地带的定义和评估”,IEEE LCN IEEE第30届本地计算机网络会议,2005年。
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.
[RFC0791]Postel,J.,“互联网协议”,STD 5,RFC 7911981年9月。
[RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware", STD 37, RFC 826, November 1982.
[RFC0826]Plummer,D.,“以太网地址解析协议:或将网络协议地址转换为48位以太网地址,以便在以太网硬件上传输”,STD 37,RFC 826,1982年11月。
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.
[RFC2460]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,RFC 2460,1998年12月。
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006.
[RFC4291]Hinden,R.和S.Deering,“IP版本6寻址体系结构”,RFC 42912006年2月。
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007.
[RFC4861]Narten,T.,Nordmark,E.,Simpson,W.,和H.Soliman,“IP版本6(IPv6)的邻居发现”,RFC 48612007年9月。
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 4941, September 2007.
[RFC4941]Narten,T.,Draves,R.,和S.Krishnan,“IPv6中无状态地址自动配置的隐私扩展”,RFC 49412007年9月。
[Armitage] Armitage, G., Harrop, W., Heyde, A., Parry, L., "Greynets: Passive Detection of Unsolicited Network Scans in Small ISP and Enterprise networks", CAIA, Swinburne University of Technology, December 2008, http://caia.swin.edu.au/greynets/.
[阿米蒂奇]阿米蒂奇,G,HARROP,W.,Heyde,A,Parry,L,“GryNets:被动检测在小ISP和企业网络中的未经请求的网络扫描”,CAIA,斯文本科技大学,2008年12月,http://caia.swin.edu.au/greynets/.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。
[RFC5101] Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.
[RFC5101]Claise,B.,“用于交换IP流量信息的IP流量信息导出(IPFIX)协议规范”,RFC 5101,2008年1月。
[RFC5157] Chown, T., "IPv6 Implications for Network Scanning", RFC 5157, March 2008.
[RFC5157]Chown,T.,“IPv6对网络扫描的影响”,RFC 5157,2008年3月。
[RFC5610] Boschi, E., Trammell, B., Mark, L., and T. Zseby, "Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements", RFC 5610, July 2009.
[RFC5610]Boschi,E.,Trammell,B.,Mark,L.,和T.Zseby,“为IP流信息导出(IPFIX)信息元素导出类型信息”,RFC 56102009年7月。
Authors' Addresses
作者地址
Fred Baker Cisco Systems Santa Barbara, California 93117 USA
美国加利福尼亚州圣巴巴拉市弗雷德·贝克思科系统公司,邮编:93117
EMail: fred@cisco.com
EMail: fred@cisco.com
Warren Harrop Centre for Advanced Internet Architectures Swinburne University of Technology PO Box 218 John Street, Hawthorn, Victoria, 3122 Australia
沃伦哈罗普先进互联网架构中心斯文本科技大学PO盒218约翰街,Hawthorn,Victoria,3122澳大利亚
EMail: wazz@bud.cc.swin.edu.au
EMail: wazz@bud.cc.swin.edu.au
Grenville Armitage Centre for Advanced Internet Architectures Swinburne University of Technology PO Box 218 John Street, Hawthorn, Victoria, 3122 Australia
格伦维尔阿米蒂奇高级互联网架构中心,斯文本科技大学邮政信箱218约翰街,Hawthorn,Victoria,3122澳大利亚
EMail: garmitage@swin.edu.au
EMail: garmitage@swin.edu.au