CN111343008B - Comprehensive measurement method and system for discovering IPv6 accelerated deployment state - Google Patents


Info

Publication number
CN111343008B
Authority
CN
China
Prior art keywords
ipv6
network
protocol
traffic
measurement
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010090769.2A
Other languages
Chinese (zh)
Other versions
CN111343008A (en)
Inventor
熊刚
苟高鹏
崔天宇
石俊峥
李镇
夏葳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202010090769.2A
Publication of CN111343008A
Application granted
Publication of CN111343008B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/251 Translation of Internet protocol [IP] addresses between different IP versions
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention relates to a comprehensive measurement method and system for discovering the IPv6 accelerated deployment state. The invention forms a normal network state from public data sets, the results of actively scanning them, and IPv4 network traffic collected by passive measurement; it forms an accelerated network state from IPv6 network traffic collected by passive measurement during accelerated deployment. It then analyzes the IPv6 accelerated deployment state in depth by comparing the normal state with the accelerated deployment state under several criteria, such as address distribution, traffic trend, service deployment, protocol detection and security problem analysis. By combining active and passive measurement, the invention analyzes the IPv6 network state comprehensively from multiple angles, and by comparing the normal state with the accelerated deployment state it can discover the network condition of the IPv6 accelerated deployment state more effectively.

Description

Comprehensive measurement method and system for discovering IPv6 accelerated deployment state
Technical Field
The invention belongs to the technical field of networks, and particularly relates to a comprehensive measurement method and a comprehensive measurement system for discovering an IPv6 accelerated deployment state.
Background
IPv6 is the next-generation IP protocol of the network layer. Because of the shortage of IPv4 address space, IPv6 has been under development for some time to address the problems of IPv4 networks. The development of IPv6 networks has now reached a new stage: IPv6 traffic makes up a significant proportion of network traffic and should no longer be ignored by researchers. Studying the current state of the IPv6 world is crucial to meeting the growing traffic-management demands of future IPv6 networks.
Since World IPv6 Day in 2011 and World IPv6 Launch in 2012, many countries, China among them, have begun to deploy IPv6 network devices on a large scale. By 2016, there had been 220 applications for IPv6 addresses in a number of countries and regions around the world. However, the degree of IPv6 usage differs greatly between regions: as of August 2017, the prevalence of IPv6 traffic in China ranked 67th in the world, at only 0.6%. Against this background, China released the "Action Plan for Promoting Large-Scale Deployment of Internet Protocol Version 6 (IPv6)" in 2017. At present, China is vigorously promoting the deployment of IPv6 network devices.
Network measurement is the set of activities that use software or hardware tools, following particular methods and techniques, to measure the operational state of a network and characterize it. Its applications include monitoring network faults, testing protocol behavior, describing traffic characteristics and evaluating network performance. Classified by measurement content, it mainly comprises: 1) network topology measurement, i.e. learning the network topology for resource scheduling and traffic allocation; 2) performance measurement, i.e. learning the reachability, utilization, load and so on of the network by monitoring characteristics such as end-to-end delay, jitter and packet loss rate; 3) traffic measurement, i.e. monitoring and analyzing the characteristics of network data flows to understand the traffic characteristics of the network, such as protocol usage, application distribution and user behavior. In the field of traffic measurement, a great deal of research has given a strong push to IPv6 measurement work. Many papers in the literature provide valuable data about IPv6 from various perspectives. For example, some studies characterize IPv6 traffic from the perspective of one or more ISPs; other work examines IPv6 activity along a single dimension, such as DNS. The means of measurement include: 1) active measurement, in which the measuring party initiates the measurement, injects probe packets into the network, and analyzes network performance from how the measurement traffic is delivered; 2) passive measurement, in which network traffic is recorded by capturing packets on links or devices in the network (such as routers and switches) and then analyzed to obtain the performance status of the network.
Most existing measurement work measures only one aspect of IPv6 (e.g., traffic trends) and/or covers a restricted area with limited traffic (e.g., a server or campus network). The state of the Chinese IPv6 network as a whole has rarely been observed with a broader approach that combines several methods. In addition, much work has been based on the basic state of IPv6. Steady-state traffic analysis of IPv6 has been fully studied, but the measurement field lacks insight into significant IPv6 events worldwide. In contrast to most work, the present invention aims to give an overview of the accelerated IPv6 state and to find problems in accelerated IPv6 network deployment.
Disclosure of Invention
The invention aims to provide a comprehensive measurement method and a comprehensive measurement system for discovering an IPv6 accelerated deployment state.
The invention combines active and passive measurement to carry out the measurement and to analyze the IPv6 network state comprehensively from multiple angles. It builds a measurement framework that uses public data sets to form the normal IPv6 network state. Comparing the normal state with the accelerated deployment state makes it possible to discover the network condition of the IPv6 accelerated deployment state more effectively.
The technical scheme adopted by the invention is as follows:
A comprehensive measurement method for discovering the IPv6 accelerated deployment state comprises the following steps:
identifying the IPv6 address set and the application layer protocol fields in network traffic by passive measurement;
fusing the IPv6 address set obtained by passive measurement with public data sets, and using the fused data to discover active hosts in the network by active measurement;
performing big data analysis on the results of passive and active measurement to obtain the network condition of the IPv6 accelerated deployment state.
Further, the application layer protocol fields are obtained by the following steps:
performing IPv6 and IPv4/IPv6 transition technology identification to identify and filter IPv6 traffic out of the background traffic of the network;
anonymizing the TCP/UDP traffic to protect user privacy;
identifying the application layer protocol and extracting its content;
parsing the extracted application layer protocol to extract the field content, and storing the fields on a storage server.
Further, the IPv6 and IPv4/IPv6 transition technology identification includes:
capturing network traffic through a high-speed traffic capture interface, and parsing the packets to obtain protocol fields or key protocol field information;
screening the network-layer protocol fields or key protocol fields to match IPv6 traffic and IPv4/IPv6 transition technology traffic.
Further, the TCP/UDP traffic anonymization includes:
extracting the TCP/UDP traffic to separate the network layer from the transport layer, and recording the association between the network layer and the transport layer of each packet;
retaining the hashed ciphertext of the IPv6 address in the network layer, by means of a hash technique, to anonymize the TCP/UDP traffic.
Further, identifying the application layer protocol and extracting its content includes:
filtering the TCP/UDP traffic to identify its key protocol features;
passing the identified position of the protocol packet header to the corresponding protocol entry program, where it waits for in-depth parsing by the application layer protocol program.
Further, parsing the extracted application layer protocol to extract the field content and storing the fields on the storage server includes:
after the position of the application layer protocol packet header is obtained, the protocol entry program extracts the protocol fields of the corresponding application layer protocol, and the extracted key fields form logs;
after protocol parsing is finished, the resulting log files are sent back to the storage server in batches, and the data is stored in a database.
Further, fusing the IPv6 address set obtained by passive measurement with the public data sets, and using the fused data to discover active hosts in the network and their activity level by active measurement, includes:
obtaining the links to public data sets on the network and crawling the public data sets from the websites;
fusing the public data sets with the IPv6 address set collected by passive measurement to form a complete original scan file;
actively scanning the original scan file to discover and verify active hosts in the network.
Further, the big data analysis of the results of passive and active measurement selectively analyzes the current state of the network under five criteria (address distribution, traffic trend, service deployment, protocol detection and security problems) and analyzes the IPv6 accelerated deployment state in depth by comparing the normal state with the accelerated deployment state.
A comprehensive measurement system for discovering the IPv6 accelerated deployment state comprises:
a passive measurement module, used to identify the IPv6 address set and the application layer protocol fields in network traffic by passive measurement;
an active measurement module, used to fuse the IPv6 address set obtained by passive measurement with public data sets and to discover active hosts in the network by active measurement using the fused data;
a data analysis module, used to perform big data analysis on the results obtained by the passive and active measurement modules to obtain the network condition of the IPv6 accelerated deployment state.
The key points of the invention are:
1) For the first time, the invention uses IPv6 traffic collected by passive measurement over a long period and compares it with IPv4 traffic collected by passive measurement, accessible public data sets, and scanning results collected by active measurement. Combining these comparisons effectively reveals the real world of IPv6.
2) The invention builds a measurement framework that uses public data sets to form the normal IPv6 network state. Comparing the normal state with the accelerated deployment state yields the analysis conclusions about accelerated deployment.
3) The invention finds that accelerated IPv6 deployment is often accompanied by unstable states. Furthermore, the accelerated deployment state lacks security because of a number of issues, including a low content encryption rate and excessive use of IPv4/IPv6 transition technologies.
4) The invention explores the common characteristics of accelerated IPv6 deployment and predicts future traffic trends. On this basis, it provides suggestions for the future development of IPv6. This work will continue in order to guide future networks.
The comprehensive measurement method and system for discovering the IPv6 accelerated deployment state have the following advantages:
1) Compared with prior work, the invention provides a more comprehensive measurement method and can comprehensively analyze and mine the information latent in the current network state.
2) Under passive measurement, the measurement system correctly processes five months of IPv6 traffic and parses it into stored logs for effective analysis. The measurement and analysis angles include address distribution, traffic trend, service deployment and protocol detection. It correctly finds the imbalance and instability of the accelerated deployment state.
3) By comparing the IPv6 public data sets with the accelerated IPv6 deployment traffic, the invention effectively discovers the difference between the accelerated network state under accelerated IPv6 deployment and the normal network state. The invention also discovers the security problems hidden in the accelerated IPv6 deployment state, namely a low IPv6 encrypted-traffic rate of 30.4% and the use of transitional IPv6 tunnel technology.
4) The invention will continue to operate and to serve future regional IPv6 deployments.
Drawings
Fig. 1 is a basic framework diagram of a comprehensive measurement method for discovering IPv6 accelerated deployment status.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, the present invention shall be described in further detail with reference to the following detailed description and accompanying drawings.
The comprehensive measurement method for the IPv6 accelerated deployment state provided by the embodiment comprises the following technical steps:
1. Data set
Fig. 1 is a basic framework diagram of the comprehensive measurement method for discovering the IPv6 accelerated deployment state. The invention uses public data sets, the results of actively scanning them, and IPv4 network traffic collected by passive measurement to form the normal network state (hereinafter the normal network state data set), and uses IPv6 network traffic collected by passive measurement during accelerated deployment to form the accelerated network state (hereinafter the accelerated deployment state data set). The IPv6 accelerated deployment state is analyzed in depth by comparing the normal state with the accelerated deployment state under several criteria: address distribution, traffic trend, service deployment, protocol detection, security problem analysis and so on.
The "IPv6 accelerated deployment state" in the invention refers to the network state presented by traffic captured during accelerated IPv6 deployment. The specific experiment was carried out at an important network node during the large-scale deployment in China, capturing IPv6 network traffic from March 2018 to July 2018.
Examples of the public data sets used in the present embodiment are as follows:
1) MaxMind GeoLite2 City
2) RIR Address Allocations
3) Routing: Route Views
4) Google IPv6 Client Adoption
5) Verisign TLD Zone Files
6) Alexa Top Sites
7) CAIDA IPv6 Day and Launch Day
2. Measurement framework
1) Passive measurement
In passive measurement, the program first identifies IPv6 traffic (including native IPv6 and IPv6 tunnel traffic) by address format and protocol stack structure. It separates the network layer from the transport layer for anonymization. The invention then extracts the active IPv6 addresses and the application layer protocol fields into the database separately.
As shown in Fig. 1, passive measurement includes the following steps:
a) IPv6 and IPv4/IPv6 transition technology identification
The purpose of this step is to identify and filter IPv6 traffic out of the background traffic of the network. It is implemented as follows:
First, the measurement framework captures the network traffic passing through a high-speed traffic capture interface, and the program parses the packets to obtain protocol fields or key protocol field information. IPv6 and IPv4/IPv6 transition technology identification then screens the network-layer protocol fields or key protocol fields to match IPv6 traffic and IPv4/IPv6 transition technology traffic.
b) TCP/UDP traffic anonymization
The purpose of this step is to anonymize the traffic and protect user privacy. It is implemented as follows:
The anonymization technique first extracts the TCP/UDP traffic to separate the network layer from the transport layer, records the association between the network layer and the transport layer of each packet, and retains the hashed ciphertext of the IPv6 address in the network layer, by means of a hash technique, to anonymize the TCP/UDP traffic.
c) Application layer protocol identification
The purpose of this step is to extract the application layer protocol content. It is implemented as follows:
The application layer protocols used by the invention are mainly DNS, SSL/TLS and HTTP. To extract these three protocols, the measurement framework filters the TCP/UDP traffic to identify their key protocol features. The identified position of the protocol packet header is passed to the corresponding protocol entry program, where it waits for in-depth parsing by the application layer protocol program.
d) Field extraction and log storage
The purpose of this step is to parse the extracted application layer protocol in order to extract the field content, and finally to store the fields on the storage server. It is implemented as follows:
After the position of the application layer protocol packet header is obtained, the protocol entry program extracts the protocol fields of the corresponding application layer protocol, and the extracted key fields form a log. After protocol parsing is finished, the resulting log files are sent back to the storage server in batches and stored in the MongoDB database.
e) IP layer extraction
The purpose of this step is to extract the IPv6 addresses collected by passive measurement to form an IPv6 address set. It is implemented as follows:
After the transport layer and the network (IP) layer are separated, the IP layer is parsed so that the IPv6 addresses can be extracted, forming the IPv6 address set of the passively measured traffic.
f) Address extraction and log storage
The purpose of this step is to extract the IPv6 addresses from the parsed IP-layer content, to form the IPv6 address set of the passively measured traffic, and finally to store it in a log. It is implemented as follows:
The measurement framework extracts the source and destination address fields from the parsed IP-layer content to collect IPv6 addresses into an address set, then writes the collected address set to a log and returns it to both the active measurement module and the MongoDB database server. The active measurement module uses the address set to complete the active measurement task.
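The passive-measurement steps a), b), e) and f) above, sketched as an added example (not code from the patent; application-layer parsing in steps c) and d) is left out). It assumes 6in4 (IPv4 protocol 41) and Teredo (UDP port 3544) as the transition technologies to recognise and HMAC-SHA-256 as the hash; the frames, key and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
TCP, UDP, IPV6_IN_IPV4 = 6, 17, 41   # IP protocol numbers
TEREDO_PORT = 3544                    # Teredo UDP port (assumed transition technology)


def parse_ipv6(buf):
    """Parse a fixed 40-byte IPv6 header: (src, dst, next_header, payload) or None."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    src, dst = ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40])
    return src, dst, buf[6], buf[40:]


def classify(frame):
    """Step a: label an Ethernet frame and return the IPv6 packet it carries, if any."""
    if len(frame) < 14:
        return "other", None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    l3 = frame[14:]
    if ethertype == ETH_IPV6:
        v6 = parse_ipv6(l3)
        return ("native-ipv6", v6) if v6 else ("other", None)
    if ethertype != ETH_IPV4 or len(l3) < 20 or l3[0] >> 4 != 4:
        return "other", None
    inner = l3[(l3[0] & 0x0F) * 4:]          # skip the IPv4 header, options included
    if l3[9] == IPV6_IN_IPV4:                # IPv6 packet directly inside IPv4
        v6 = parse_ipv6(inner)
        return ("6in4", v6) if v6 else ("other", None)
    if l3[9] == UDP and len(inner) >= 8:
        sport, dport = struct.unpack("!HH", inner[:4])
        v6 = parse_ipv6(inner[8:])           # simple Teredo case, no extra Teredo headers
        if TEREDO_PORT in (sport, dport) and v6:
            return "teredo", v6
    return "ipv4", None


def pseudonym(addr, key):
    """Step b: keyed hash of an address; stable per address, useless without the key."""
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:32]


def process(frames, key):
    """Return (network-layer log, transport-layer log, raw address set for step f)."""
    net_log, transport_log, addresses = [], [], set()
    for flow_id, frame in enumerate(frames):
        label, v6 = classify(frame)
        if v6 is None:
            continue                          # background traffic is filtered out
        src, dst, next_header, payload = v6
        addresses.update((src, dst))          # steps e/f: address set, kept apart from logs
        net_log.append({"id": flow_id, "encap": label,
                        "src": pseudonym(src, key), "dst": pseudonym(dst, key)})
        # Only TCP/UDP directly after the fixed header; extension headers are not walked.
        if next_header in (TCP, UDP) and len(payload) >= 4:
            sport, dport = struct.unpack("!HH", payload[:4])
            transport_log.append({"id": flow_id,   # same id links the two layers
                                  "proto": "tcp" if next_header == TCP else "udp",
                                  "sport": sport, "dport": dport})
    return net_log, transport_log, addresses


# --- constructed sample frames (documentation addresses, zeroed MACs and checksums) ---
def ipv6(src, dst, next_header, payload):
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def ipv4(proto, payload):
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return head + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 1]) + payload


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def eth(ethertype, payload):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


TCP_STUB = struct.pack("!HH", 50000, 443) + b"\x00" * 16
SAMPLE_FRAMES = [
    eth(ETH_IPV6, ipv6("2001:db8::1", "2001:db8::53", UDP, udp(40000, 53))),
    eth(ETH_IPV4, ipv4(IPV6_IN_IPV4, ipv6("2001:db8:1::a", "2001:db8::53", TCP, TCP_STUB))),
    eth(ETH_IPV4, ipv4(UDP, udp(51000, TEREDO_PORT,
                                ipv6("2001:0:c000:201::1", "2001:db8::53", UDP, udp(40001, 53))))),
    eth(ETH_IPV4, ipv4(TCP, b"\x00" * 20)),   # plain IPv4, dropped by the filter
]

if __name__ == "__main__":
    for part in process(SAMPLE_FRAMES, b"constructed-demo-key"):
        print(part)
```

A keyed hash is used because an unkeyed hash of an address can be reversed by hashing candidate addresses; the key has to be stored separately from the logs.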
2) Active measurement
The program automatically fetches the daily public data sets for analysis or scanning. After data pre-processing, the Alexa Top sites and the active IPv6 addresses are actively scanned by sending IPv6 TCP SYN packets to all remote ports or by using automatic jwhois queries. After the responses are received, the results are recorded and stored in a database.
As shown in Fig. 1, active measurement includes the following steps:
a) Data crawling and fusion
The purpose of this step is to crawl the public data sets on the network and fuse the data in preparation for active scanning. It is implemented as follows:
The measurement framework first obtains the links to public data sets on the network and crawls the public data sets from the websites with a Python crawler. It then fuses the public data sets with the IPv6 address set in the accelerated deployment state data set collected by the framework's passive measurement module, splices the data together in the database to form a complete original scan file, and leaves it for the module to scan actively.
b) Active scanning and log storage
The purpose of this step is to actively scan the original scan file to discover and verify the active IPv6 hosts in the network. It is implemented as follows:
The active measurement module uses the Nmap tool to send IPv6 TCP SYN packets to all remote ports, or uses automatic jwhois queries, to actively scan the Alexa Top sites and the active IPv6 addresses. Finally, the measurement framework writes the scan results to a log and sends it back to the storage server for log storage.
3) Big data analysis
After the data is stored, the invention uses Spark for fast big data analysis. The program can selectively analyze the current state of the network under five criteria: address distribution, traffic trend, service deployment, protocol detection and security problems. Finally, data visualization is used to obtain observations of the overall state of the network.
As shown in Fig. 1, big data analysis includes the following steps:
a) Cluster processing and analysis
The purpose of this step is to process large-scale data quickly and to select the evaluation criteria for network state analysis. It is implemented as follows:
The big data analysis module connects to and manages the MongoDB data on the storage server through the cluster, and completes the network state evaluation under the five criteria of address distribution, traffic trend, service deployment, protocol detection and security problems by quickly computing and screening the data each criterion requires. Finally, the computed evaluation results are aggregated into the data content needed for data visualization.
b) Data visualization
The purpose of this step is to draw visual representations of the data and depict the real IPv6 network state. It is implemented as follows:
Data visualization uses third-party Python libraries such as Pandas, Pygal and Basemap to do the plotting, in order to depict the difference between the normal network state and the accelerated network state.
3. Examples
Example 1 Address distribution analysis
Address distribution analysis uses the address set collected by the passive measurement module for fast geolocation and visual display, and uses the scanning results of the active measurement module to quickly analyze the AS domains the addresses belong to and the share of each prefix. The geolocation database used for address distribution is MaxMind GeoLite2 City.
Using the comprehensive measurement method and system for the IPv6 accelerated deployment state, IPv6 traffic of an operator network was captured from March to July 2018. The invention finds that the unique addresses in the traffic belong to 1,680 and 2,558 prefixes in China and the world respectively. At the prefix level, the top 10 prefixes account for approximately 90% of the unique IPv6 addresses. Early statistics are excluded. On April 1, 2018, the invention found 858 IPv6 prefixes. On July 10, 2018, 2,559 IPv6 prefixes were collected, an increase of 3 times over the three months. The comprehensive measurement method and system for the IPv6 accelerated deployment state effectively analyze the address distribution characteristics.
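The prefix-level statistic in Example 1 (share of unique addresses held by the top N prefixes), as an added example that is not code from the patent. It assumes a routing-prefix list such as one derived from Route Views; the prefixes and addresses below are constructed.

```python
import ipaddress
from collections import Counter


def longest_prefix(addr, table):
    """Return the most specific prefix in `table` that contains `addr`, or None."""
    best = None
    for net in table:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def prefix_concentration(addresses, prefixes, top_n):
    """Map unique addresses to routed prefixes and measure how concentrated they are.

    `addresses` are text-form IPv6 addresses (duplicates and mixed notations allowed);
    `prefixes` is the routing table as CIDR strings. The share is taken over all
    unique addresses, including those that match no prefix.
    """
    table = [ipaddress.ip_network(p) for p in prefixes]
    # Parsing normalises notation, so "2001:DB8:1:0:0:0:0:1" and "2001:db8:1::1"
    # count as one address.
    unique = {ipaddress.IPv6Address(a) for a in addresses}
    counts = Counter(longest_prefix(a, table) for a in unique)
    unrouted = counts.pop(None, 0)
    top = counts.most_common(top_n)
    return {
        "unique_addresses": len(unique),
        "prefixes_seen": len(counts),
        "unrouted": unrouted,
        "top": [(str(net), n) for net, n in top],
        "top_share": sum(n for _, n in top) / len(unique) if unique else 0.0,
    }


# Constructed sample data (documentation prefixes only).
SAMPLE_PREFIXES = ["2001:db8::/32", "2001:db8:1::/48"]
SAMPLE_ADDRESSES = [
    "2001:db8:1::1", "2001:DB8:1:0:0:0:0:1",   # same address, two notations
    "2001:db8:1::2", "2001:db8:1::3",
    "2001:db8:2::1", "2001:db8:ffff::9",       # only the /32 covers these
    "3fff::1",                                 # matches no prefix in the table
]

if __name__ == "__main__":
    print(prefix_concentration(SAMPLE_ADDRESSES, SAMPLE_PREFIXES, top_n=1))
```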
Example 2 Traffic trend analysis
Traffic trend analysis uses the cluster to compute traffic volumes at the hour, day, month and year level, depicting the traffic trend along the time axis. It is applied to both the normal network state data set and the accelerated deployment state data set, so that the details of how the network state changes under accelerated deployment are easier to find.
Using the comprehensive measurement method and system for the IPv6 accelerated deployment state, IPv6 traffic of an operator network was captured from March to July 2018. The invention found a 10-fold increase in traffic during accelerated deployment. In addition, the invention discovered a weekly pattern in IPv6 traffic usage. The difference in users' IPv6 traffic usage over the first three days of the week is significantly smaller than on the other days of the week, particularly Tuesday. IPv6 traffic usage reaches its highest average on Saturday. This indicates that IPv6 users are more likely to use IPv6 networks on Monday, Friday and Saturday, because IPv6 traffic is on average higher on those days. The comprehensive measurement method and system for the IPv6 accelerated deployment state effectively analyze the traffic trend characteristics.
Example 3 Service deployment analysis
Service deployment analysis uses the cluster to compute the scanning results of the active measurement module, which gives the service deployment result in the normal network state, and to compute the key field information in the application layer protocol log data set of the passive measurement module, which yields the attributes and counts of servers and clients under the accelerated deployment network. Finally, data visualization is used to display the data.
Using the comprehensive measurement method and system for the IPv6 accelerated deployment state, the invention actively scanned 1,696 Chinese domain names out of 10,000 global websites and the 1 million domain names of Alexa Top. Only 2,161 and 9 websites in the two groups responded to the invention's IPv6 scan. The ratios are 21.69% and 0.005%, which indicates that Chinese IPv6 website deployment is extremely rare. In addition to HTTP-related services, a few sites offer SSH, FTP and other services. The comprehensive measurement method and system for the IPv6 accelerated deployment state effectively analyze the service deployment characteristics.
Example 4 Protocol detection analysis
Protocol detection analysis uses the cluster to compute statistics on the content of each protocol field from the key field information in the application layer protocol log data set collected by the passive measurement module. The fields used include the Query and Answer fields of DNS; the Handshake, SNI and Certificate fields of SSL/TLS; and the Response Line, URL, Host, User-Agent, Via and other fields of HTTP. Finally, the protocol analysis is completed by comparison with the normal network state data set.
Using the comprehensive measurement method and system for the IPv6 accelerated deployment state, IPv6 traffic of an operator network was captured from March to July 2018. The invention finds that the IPv6 network carries a large number of protocols, the top 10 of which are HTTP, DNS, SSL/TLS, BGP, NTP, IMAPS, FTP, BOOTPS, SMTP and nicname. In DNS traffic, the invention found that during accelerated IPv6 deployment the percentage of IPv6-only domain names present in traffic appears to be 22 times that of the normal IPv6 state (2.44% in accelerated deployment traffic and 0.11% for .com and .net domain names, respectively). The percentage of AAAA records among all record fields is 7.32%, which is 1.7 times the normal state provided by a company. Thus, the invention finds that user requests to IPv6-enabled websites increase under accelerated deployment. The comprehensive measurement method and system for the IPv6 accelerated deployment state effectively analyze the protocol characteristics.
Example 5 Security problem analysis
The safety problem analysis is characterized in that randomness of the flow collected by the passive measurement module is rapidly calculated through a cluster so as to identify the encrypted flow and calculate the proportion of the encrypted flow in the total flow, and the randomness is determined through calculating character entropy. The cluster judges through the address format to identify the IPv6 transition technology traffic and calculate the statistical information thereof.
By using the comprehensive measurement method and the comprehensive measurement system for accelerating the deployment state of the IPv6, the IPv6 traffic of a certain operator network is captured in 3-7 months in 2018. The invention finds that the encrypted traffic accounts for 30.4% of the whole IPv6 traffic, and the user privacy problem is about to face a huge challenge. And more than 30% of users access the IPv6 network by using the IPv4/IPv6 transition technology, and the development of IPv6 will face serious problems in the future. The comprehensive measurement method and system for the IPv6 accelerated deployment state effectively discover security problems existing during accelerated deployment.
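An added illustration of the two computations described in Example 5 (not code from the patent): byte entropy to flag likely-encrypted payloads, and address-format matching to flag IPv4/IPv6 transition technology traffic. The entropy threshold, minimum payload length, prefix table and sample packets are assumptions constructed for this example.

```python
import hashlib
import ipaddress
import math
from collections import Counter

# Transition prefixes: 6to4 (RFC 3056), Teredo (RFC 4380), NAT64 (RFC 6052).
TRANSITION_PREFIXES = {
    "6to4": ipaddress.ip_network("2002::/16"),
    "teredo": ipaddress.ip_network("2001::/32"),
    "nat64": ipaddress.ip_network("64:ff9b::/96"),
}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits per byte; tune on labelled traffic
MIN_PAYLOAD = 256  # assumed minimum length; short payloads cannot reach high entropy


def transition_type(addr: str) -> str:
    """Classify an IPv6 address by its format: a transition mechanism or 'native'."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in TRANSITION_PREFIXES.items():
        if ip in net:
            return name
    # ISATAP (RFC 5214): interface identifier is 0000:5efe or 0200:5efe + IPv4 address.
    isatap = (int(ip) >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE)
    return "isatap" if isatap else "native"


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the payload in bits per byte (0.0 to 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def looks_encrypted(payload: bytes) -> bool:
    return len(payload) >= MIN_PAYLOAD and byte_entropy(payload) >= ENTROPY_THRESHOLD


def summarize(packets):
    """Return (encrypted share, transition share) over (source address, payload) pairs."""
    encrypted = sum(looks_encrypted(payload) for _, payload in packets)
    transition = sum(transition_type(src) != "native" for src, _ in packets)
    return encrypted / len(packets), transition / len(packets)


# Constructed sample input; a SHA-256 counter stream stands in for ciphertext.
CIPHER_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n" * 5
SAMPLE = [
    ("2002:c000:204::1", PLAINTEXT),                        # 6to4
    ("2001:0:4136:e378:8000:63bf:3fff:fdd2", CIPHER_LIKE),  # Teredo
    ("2001:db8:1:2:0:5efe:c000:221", PLAINTEXT),            # ISATAP
    ("2001:db8::10", CIPHER_LIKE),                          # native
]
```

High entropy also characterises compressed content, so a share computed from entropy alone is an upper bound on encrypted traffic.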
Based on the same inventive concept, another embodiment of the present invention provides a comprehensive measurement system for discovering IPv6 accelerated deployment status, comprising:
the passive measurement module is used for identifying an IPv6 address set and an application layer protocol field in network traffic in a passive measurement mode;
the active measurement module is used for fusing an IPv6 address set obtained in a passive measurement mode with a public data set and discovering an active host in a network by using the fused data in an active measurement mode;
and the data analysis module is used for carrying out big data analysis on the results obtained by the passive measurement module and the active measurement module to obtain the network condition of the IPv6 accelerated deployment state.
For the specific implementation of each module, refer to the description of the method of the present invention.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device (computer, server, smartphone, etc.) comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the steps of the inventive method.
Based on the same inventive concept, another embodiment of the present invention provides a computer-readable storage medium (e.g., ROM/RAM, magnetic disk, optical disk) storing a computer program, which when executed by a computer, performs the steps of the inventive method.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the principle and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (7)

1. A comprehensive measurement method for discovering IPv6 accelerated deployment state is characterized by comprising the following steps:
identifying an IPv6 address set and an application layer protocol field in network traffic in a passive measurement mode;
fusing an IPv6 address set obtained by a passive measurement mode with a public data set, and discovering an active host in a network by using the fused data in an active measurement mode;
carrying out big data analysis on results obtained by passive measurement and active measurement to obtain the network condition of the IPv6 accelerated deployment state;
obtaining the application layer protocol field by adopting the following steps:
performing IPv6 and IPv4/IPv6 transition technology identification to identify and filter IPv6 traffic from background traffic of the network;
anonymizing TCP/UDP traffic to protect the privacy of users; the anonymization of the TCP/UDP traffic comprises the following steps: extracting the TCP/UDP traffic to separate the network layer from the transport layer, and recording the association between the network layer and the transport layer of each data packet; retaining the IPv6 address in the network layer as ciphertext produced by a hash technique, thereby anonymizing the TCP/UDP traffic;
identifying an application layer protocol, and extracting the content of the application layer protocol;
analyzing the extracted application layer protocol to extract field contents, and storing the fields on a storage server;
the big data analysis of the results obtained by the passive measurement and the active measurement is to selectively analyze the current state of the network from five standards of address distribution, traffic trend, service deployment, protocol detection and security problem, and deeply analyze the accelerated deployment state of the IPv6 by comparing the normal state with the accelerated deployment state.
2. The method of claim 1, wherein the IPv6 and IPv4/IPv6 transition technique identification comprises:
capturing the network flow through a high-speed flow capturing interface, and analyzing a network flow data packet to obtain protocol fields or protocol key domain information;
by screening the protocol fields or protocol critical domains of the network layer to match IPv6 traffic with IPv4/IPv6 transitional technology traffic.
3. The method of claim 1, wherein the performing application layer protocol identification and extracting the content of the application layer protocol comprises:
filtering the TCP/UDP traffic to identify key protocol features thereof;
and transmitting the identified position of the header of the protocol data packet to a corresponding protocol entry program to wait for deep analysis of the protocol entry program by an application layer protocol program.
4. The method of claim 1, wherein parsing the extracted application layer protocol to extract field contents, storing the fields on a storage server, comprises:
after the position of a protocol data packet header of an application layer is obtained, a protocol entry program respectively extracts protocol fields of corresponding application layer protocols, and the extracted key fields form logs;
and after the protocol analysis is finished, the formed log files are transmitted back to the storage server in batches, and the data is stored through the database.
5. The method according to claim 1, wherein the fusing the IPv6 address set obtained by means of passive measurement with a public data set, and discovering active hosts and their activity levels in the network by means of active measurement using the fused data includes:
the method comprises the steps of obtaining public data set links of a network and crawling public data sets of websites;
carrying out data fusion processing on the public data set and an IPv6 address set collected in a passive measurement mode to form a complete original scanning file;
the original scan file is actively scanned to discover and authenticate active hosts in the network.
6. A comprehensive measurement system for discovering IPv6 accelerated deployment state by adopting the method of any claim 1-5, comprising:
the passive measurement module is used for identifying an IPv6 address set and an application layer protocol field in network traffic in a passive measurement mode;
the active measurement module is used for fusing an IPv6 address set obtained in a passive measurement mode with a public data set and discovering an active host in a network by using the fused data in an active measurement mode;
and the data analysis module is used for carrying out big data analysis on the results obtained by the passive measurement module and the active measurement module to obtain the network condition of the IPv6 accelerated deployment state.
7. An electronic apparatus, comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the method of any of claims 1-5.
CN202010090769.2A 2020-02-13 2020-02-13 Comprehensive measurement method and system for discovering IPv6 accelerated deployment state Active CN111343008B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010090769.2A CN111343008B (en) 2020-02-13 2020-02-13 Comprehensive measurement method and system for discovering IPv6 accelerated deployment state

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010090769.2A CN111343008B (en) 2020-02-13 2020-02-13 Comprehensive measurement method and system for discovering IPv6 accelerated deployment state

Publications (2)

Publication Number Publication Date
CN111343008A CN111343008A (en) 2020-06-26
CN111343008B true CN111343008B (en) 2021-09-21

Family

ID=71186856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010090769.2A Active CN111343008B (en) 2020-02-13 2020-02-13 Comprehensive measurement method and system for discovering IPv6 accelerated deployment state

Country Status (1)

Country Link
CN (1) CN111343008B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant