Abstract
Unlike Internet design policies of early stage, various types of tunneling are currently used in Internet for IPv4/IPv6 transition, IP multicasting and IP mobility. As tunneled packets have dual IP headers, general firewall systems apply the filtering rules only to the outer header but not to the inner header when these packets pass the firewall. Thus, many present firewall systems may have serious security problems to packet filtering for tunneled packets. To resolve this issue, a new packet filtering mechanism to filter tunneled packets is proposed in this paper. We design and implement the packet filtering mechanism by using Linux Netfilter. Through this study, the packet filtering system was also found operating correctly in the IPv6-in-IPv4/IP-in-IP tunneling.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Russell, R.: Linux 2.4 Packet Filtering HOWTO, http://www.netfilter.org
Russell, R.: Linux Netfilter Hacking HOWTO, http://www.netfilter.org
The 6NET Consortium, 6net: An IPv6 Deployment Guide (September 2005)
Gilligan, R., Nordmark, E.: Transition Mechanisms for IPv6 Hosts and Routers. RFC 2893 (August 2000)
Carpenter, B., Moore, K.: Connection of IPv6 Domains via IPv4 Clouds. RFC 3056 (February 2001)
Templin, F., et al.: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). draft-ietf-ngtrans-isatap-24.txt, work in progress (January 2005)
Huitema, C.: Teredo: Tunneling IPv6 over UDP through Network Address Translation (NATs). RFC 4380 (February 2006)
Bound, J., Toutain, L., Affifi, H.: Dual Stack Transition Mechanism (DSTM). Internet Draft, work in progress (August 2003)
Benvenuti, C.: Understanding LINUX Networking Internals, pp. 466–473. O’Reilly Press, Sebastopol (2006)
Davies, E., et al.: IPv6 Transition/Co-existence Security Considerations. draft-ietf-v6ops-security-overview-06.txt, work in progress (May 2005)
Savola, P.: Firewalling Considerations for IPv6. draft-savola-v6ops-firewalling-01.txt, work in progress (March 2003)
Heo, S.-Y., et al.: Design and Implementation of Packet Filtering Systems for IPv4/IPv6 Tunneling Environment. Journal of KISS: Information Networking 33 (2006)
Finlayson, R.: IP Multicast and Firewalls. RFC 2588 (May 1999)
Hayashi, T., et al.: Requirements for Accounting, Authentication and Authorization in Well Managed IP Multicasting Services. draft-ietf-mboned-maccnt-req-04.txt, work in progress (February 2006)
Savola, P.: Security of IPv6 Routing Header and Home Address Options. draft-savola-ipv6-rh-ha-security-03.txt, work in progress (December 2002)
Davies, E., Mohacsi, J.: Recommendations for Filtering ICMPv6 Messages in Firewalls. draft-ietf-v6ops-icmpv6-filtering-recs-02.txt, work in progress (January 2007)
Savola, P.: Security Considerations for 6to4. RFC 3964 (December 2004)
Graveman, R., et al.: Using IPsec to Secure IPv6-in-IPv4 Tunnels. draft-ietf-v6ops-ipsec-tunnels-02.txt, work in progress (March 2006)
IANA, Special-Use IPv4 Addresses. RFC 3330 (September 2002)
Libnet Homepage, http://libnet.sourceforge.net
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Lee, WJ., Heo, SY., Byun, TY., Sohn, YH., Han, KJ. (2007). A Secure Packet Filtering Mechanism for Tunneling over Internet. In: Lee, YH., Kim, HN., Kim, J., Park, Y., Yang, L.T., Kim, S.W. (eds) Embedded Software and Systems. ICESS 2007. Lecture Notes in Computer Science, vol 4523. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72685-2_59
Download citation
DOI: https://doi.org/10.1007/978-3-540-72685-2_59
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72684-5
Online ISBN: 978-3-540-72685-2
eBook Packages: Computer ScienceComputer Science (R0)