KR20230125944A - Method and apparatus for encapsulated packet communication in packet tunneling network using disposable identifiers - Google Patents

Abstract

The present invention relates to a method, apparatus, and system for transmitting and receiving encapsulated packets in a packet tunneling network, and more specifically, to a moving target defense (MTD), which is a kind of network security technology by modulating network configuration. ) protocol is applied to techniques that make it difficult to infiltrate and investigate improper tunneling networks. A network system according to an aspect of the present invention may include a sending terminal, a sending security device, a receiving side security device, and at least one receiving terminal. The sender-side security device is configured to generate and store at least one sender-side temporary identifier in a list, convert a normal packet transmitted by a sender terminal into an encapsulated packet, and transmit the encapsulated packet to a receive-side security device, wherein the encapsulated packet includes a header, at least one payload, and at least one sender-side temporary identifier, and the receiving-side security device generates and stores at least one receiving-side temporary identifier in a list, An encapsulated packet is received, it is determined whether the sender temporary identifier included in the encapsulated packet corresponds to at least one of the receive side temporary identifiers in the list, and only when it is determined that it corresponds, the encapsulated packet is sent. It may be characterized by converting into a normal packet.

Description

Encapsulated packet communication method and apparatus in packet tunneling network using temporary identifier

The present invention relates to a method, apparatus, and system for transmitting and receiving encapsulated packets in a packet tunneling network, and more specifically, to a moving target defense (MTD), which is a kind of network security technology by modulating network configuration. ) protocol is applied to techniques that make it difficult to infiltrate and investigate improper tunneling networks.

For an attacker attempting fraudulent access to a network, the initial stage of intrusion involves so-called reconnaissance. In the reconnaissance phase, attackers can gather information about potential targets in the network environment and their characteristics. The information on the characteristics may include, for example, information about an exposed Internet Protocol (IP) address, an exposed port number, and a network relay path to a target. An attacker can acquire valid characteristic information that can reach a target by repeatedly attempting fraudulent communication for reconnaissance purposes against a target whose existence has not been confirmed, and based on the result, malicious code or malicious code for attack Information weapons such as packet payloads can be developed.

The static nature of computer networks facilitates attackers to perform such network reconnaissance actions. That is, since the shape of the network is fixed while repetitive reconnaissance is being performed, the identity of the network may be exposed to an attacker through reconnaissance taking time. In order to offset these advantages of an attacker, a so-called "Moving Target Defense (MTD)" security technology has been developed and used in the past. When a network-based MTD (NMTD) is applied, the configuration of the network is dynamically and arbitrarily changed to invalidate existing information obtained by an attacker through reconnaissance periodically.

Security by NMTD is largely classified into a method of changing a real host identifier and a method of changing a virtual host identifier. Some of the conventional NMTD security schemes periodically change the actual host identifier (eg, the host's IP address), and this change is called “hopping”. On the other hand, in the case of software-based or intermediate gateway-based NMTD security schemes, hopping is performed only on the virtual host identifier (e.g., the external IP address of the gateway) while keeping the real host identifier hidden outside the network. .

Such NMTDs are sufficient to defeat automated and novice attackers, but may not be effective against skilled human attackers. It can also be vulnerable to passive host profiling attacks, which passively infer hosts from flow-level traffic. A passive host profiling attack can obtain the currently active IP address and port combination of the host being protected.

In order to cope with such a skilled human attacker and passive host profiling attack, the information set space of the identifier changed by hopping should be as wide as possible, and the frequency of hopping should be as frequent as possible. MT6D (Moving Target IPv6 Defense), one of the conventional NMTD field known technologies, uses IPv6, an identifier having a maximum length of 128 bits, as an identifier to be changed in order to expand a hopping space. In addition, in the conventional known technology, there is also a technique for reducing the hopping time interval by performing low frequency mutation (LFM) and high frequency mutation (HFM) in parallel.

In the NMTD technology, when the hopping space is small, there is a concern that an arbitrary attacker may establish effective communication within a limited hopping time through a brute force attack on the hopping space. However, there is a limit to expanding the hopping space, because no matter how much the address is anonymized, since the packet has to be delivered to the gateway of the receiving side at least, the minimum address that can identify the corresponding gateway must be left.

In addition, if the hopping time interval is minimized to prevent attacker interference, there is a problem that the network routing table must be updated frequently, and the IP address that has already been bound by being notified to the network interface must be continuously released and reassociated. there is. In this case, there is a risk of significant communication speed degradation.

Therefore, according to the conventional NMTD technology, although hopping is theoretically possible in units of packets, there is a problem in that it cannot be practically implemented, and this problem leads to the technical problem of the present invention.

A technical problem of the present invention is to provide a method of using a temporary identifier by expanding a hopping space while minimizing a hopping time interval. Another technical problem of the present invention is to provide a method of applying a temporary identifier to all encapsulated packets in order to maximize unpredictability in a large hopping space and a very small hopping time interval.

A method for processing an encapsulated packet according to an aspect of the present invention to solve the above problem is a packet by a receiving side security device in a network including a receiving side security device, a sending side security device, and at least one receiving terminal As a processing method, obtaining a receiving terminal address for the at least one receiving terminal, generating at least one receiving side temporary identifier generated by a first algorithm and belonging to a first information set and storing it in a list Step, receiving at least one encapsulated packet from a security device on the transmission side (the encapsulated packet includes a header, a payload, and a temporary identifier on the transmission side belonging to a second information set), wherein the temporary identifier on the transmission side is Determining whether the temporary identifier of the receiver corresponds to one of the temporary identifiers of the receiver stored in the list; If the temporary identifier of the transmitter corresponds to any one of the temporary identifiers of the receiver stored in the list, the address of the receiver is obtained from the encapsulated packet. The method may include obtaining a normal packet including a normal packet, deleting the corresponding temporary identifier of the receiving party from the list, and transmitting the normal packet to a receiving terminal based on the address of the receiving terminal.

The list is newly created whenever a new address of the called terminal is obtained, and the first algorithm determines that, when the list for the address of the called terminal is empty, at least one of all or part of the address of the called terminal and current time information. If the list is not empty, at least one of all or some of the recipient temporary identifiers already stored in the list and current time information is used to create a new recipient temporary identifier. It can be configured to generate.

The step of generating and storing at least one recipient temporary identifier in the list is configured to continuously generate at least a first threshold or more temporary identifiers and store them in the list, wherein the recipient temporary identifier is stored in the list. It may be configured to be repeatedly executed whenever the number of temporary identifiers stored in the list becomes less than or equal to the second critical number due to the operation being deleted from .

The second information set is equivalent to the first information set (G1=G2) or a subset (G1⊇G2), and it is determined whether the sender temporary identifier corresponds to one of the receiver temporary identifiers stored in the list. The step may include determining whether the two temporary identifiers are the same.

The obtaining of the normal packet may include obtaining one of the normal packets from one or more of the encapsulated packets.

The sender temporary identifier is: 1) at the front of the encapsulated packet, 2) at the front or inside of the header of the encapsulated packet, 3) at the front or inside of the payload of the encapsulated packet, 4) at the front of the encapsulated packet It can be obtained from what is stored in any one of the positions at the back of .

The list includes components of the first information set and counters allocated to each component, and the step of generating and storing the recipient temporary identifier in the list includes: and increasing a counter value assigned to any one element by 1, wherein the determining step is, if the counter value assigned to the corresponding recipient temporary identifier in the list is less than 1, determining that it does not correspond. The method may further include deleting the recipient temporary identifier from the list by decrementing a counter value assigned to the recipient temporary identifier to be deleted from the list by 1.

The first security device and the second security device are packet relay devices utilizing MTD (Moving Target Defense), the encapsulated packet corresponds to the MTD-based tunneling packet protocol, and the receiving terminal address is IPv6 address, and at least one of the encapsulated packet and the normal packet may be an IPv6 packet.

A method for processing an encapsulated packet according to an aspect of the present invention for solving the above problems is a method for processing packets by a transmission-side security device in a network including a transmission terminal, a transmission-side security device, and a reception-side security device. generating at least one sender temporary identifier generated by a second algorithm and belonging to a second information set and storing it in a list; receiving at least one general packet including a receiver terminal address from the sender terminal; selecting one sender temporary identifier in order from the list, and deleting the selected sender temporary identifier from the list, the selected sender temporary identifier and at least one encapsulated packet from the normal packet. Generating (the encapsulated packet includes a header, payload, and the sending side temporary identifier), and transmitting the encapsulated packet to the receiving side security device.

The list is newly created whenever a new address of the called terminal is acquired, and the second algorithm, if the list for the address of the called terminal is empty, at least one of all or part of the address of the called terminal and current time information. A new sender temporary identifier is generated using one, and if the list is not empty, at least one of all or some of the sender temporary identifiers already stored in the list and current time information is used to generate a new sender temporary identifier. It can be configured to generate.

The generating and storing at least one temporary identifier of the sender side in the list is configured to continuously generate at least a third threshold or more temporary identifiers and store them in the list, wherein the temporary identifier of the sender side is stored in the list. It may be configured to be repeatedly executed whenever the number of temporary identifiers stored in the list becomes equal to or less than the fourth threshold due to the operation being deleted from .

The second information set may be configured to correspond to any one of the components of the first information set.

The second information set may be equivalent to the first information set (G1=G2) or may be a subset (G1⊇G2).

The generating of the encapsulated packet may include dividing and inserting one normal packet into payloads of one or more encapsulated packets.

The sender temporary identifier is: 1) at the front of the encapsulated packet, 2) at the front or inside of the header of the encapsulated packet, 3) at the front or inside of the payload of the encapsulated packet, 4) at the front of the encapsulated packet It can be inserted at any one of the positions at the back of.

The first security device and the second security device are packet relay devices utilizing MTD (Moving Target Defense), the encapsulated packet corresponds to the MTD-based tunneling packet protocol, and the receiving terminal address is IPv6 address, and at least one of the encapsulated packet and the normal packet may be an IPv6 packet.

In order to solve the above problems, a receiving side security device in a network according to an aspect of the present invention includes a network management unit acquiring a receiving terminal address for at least one receiving terminal, and at least one receiving side belonging to a first information set. A temporary identifier generation unit that generates a temporary identifier, a storage unit that stores a list of at least one temporary identifier on the receiving side, and a receiving unit that receives at least one encapsulated packet from the transmitting side security device (the encapsulated packet includes a header and a payload) , and a sending side temporary identifier belonging to the second information set), it is determined whether the sending side temporary identifier corresponds to one of the receiving side temporary identifiers stored in the storage unit, and the sending side temporary identifier corresponds to the storage unit. a processing unit that obtains a general packet including an address of a receiving terminal from the encapsulated packet, and deletes the corresponding temporary identifier of the receiving side from the list of the storage unit, if it corresponds to any one of the temporary identifiers of the receiving side stored in ; It may be an apparatus for receiving an encapsulated packet including a transmitter for transmitting the general packet to a receiving terminal based on an address of the receiving terminal.

In order to solve the above problem, a transmitter security device in a network according to an aspect of the present invention includes a temporary identifier generation unit for generating at least one transmitter temporary identifier belonging to a second information set, and at least one transmitter temporary identifier. A storage unit for storing a list of identifiers, a receiver for receiving at least one general packet including the address of a receiver terminal from a transmitter terminal, selecting one sender temporary identifier in order from the list in the storage unit, and selecting the selected transmitter party A processor for deleting a temporary identifier from the list and generating at least one encapsulated packet from the selected sender temporary identifier and the normal packet (the encapsulated packet includes a header, a payload, and the sender temporary identifier) ), and a transmitter for transmitting the encapsulated packet to the receiving side security device.

A network system including a sending terminal, a sending security device, a receiving side security device, and at least one receiving terminal according to an aspect of the present invention for solving the above problems, wherein the sending side security device includes at least one generating and storing a sender temporary identifier in a list, receiving a normal packet including a receiver terminal address from a sender terminal, converting the normal packet into an encapsulated packet including at least one sender temporary identifier, and Delete the included sender temporary identifier from the list, and transmit the encapsulated packet to a receive side security device, wherein the encapsulated packet includes a header, at least one payload, and at least one sender temporary identifier. wherein the receiving-side security device generates and stores at least one receiving-side temporary identifier in a list, receives the encapsulated packet from the sending-side security device, and sends the sending-side temporary identifier included in the encapsulated packet It is determined whether the identifier corresponds to at least one of the temporary identifiers of the receiving side in the list, and only if it is determined that the identifier corresponds to, the temporary identifier of the receiving side determined to correspond is deleted from the list, and the encapsulated packet is converted into a normal packet. and transmits the general packet to the receiving terminal based on the receiving terminal address, wherein the sending-side temporary identifier belongs to a second information set generated by a second algorithm in the sending-side security device. information, and has a corresponding relationship with the receiving-side temporary identifier generated in the first information set by a first algorithm in the receiving-side security device, and the corresponding relationship between any sending-side temporary identifier and any receiving-side temporary identifier is It is configured to be determined by the receiving-side security device, and the sending-side temporary identifier is 1) the front end of the encapsulated packet, 2) the front or inside of the header, 3) the front or inside of the payload, and 4) the back of the encapsulated packet. It may be characterized in that it is inserted into any one of the positions.

The first algorithm and the second algorithm are the same temporary identifier generation algorithm, the second information set is equivalent to the first information set (G1=G2) or a subset (G1⊇G2), and the random transmission The method of determining the correspondence between the temporary identifier of the side and the temporary identifier of the receiving side may include a step of determining whether the temporary identifier of the sending side is the same as the temporary identifier of the receiving side.

According to the technology of the present invention, the information space of an identifier to be searched by an attacker is greatly increased to prevent active scanning, and an attacker performing passive scanning is prevented from accessing a host to be protected using an illegally obtained identifier, This has the effect of preventing an attacker from profiling a protected host by changing the host identifier at a fairly high frequency. In addition, the NMTD security method according to the present invention provides the ability to designate a different temporary identifier for every packet with low overhead.

1 is a conceptual diagram of an NMTD system based on the present invention;
2 is a more detailed conceptual diagram of the NMTD system based on the present invention,
3 is an exemplary view of an attack attempt on the NMTD system based on the present invention;
4 is a general exemplary diagram of an encapsulated packet in the NMTD system on which the present invention is based;
5 is an exemplary diagram of an identifier hopping time interval and an attack attempt made therebetween in the NMTD system based on the present invention;
6 is a conceptual diagram showing an operating method of an NMTD system according to an embodiment of the present invention;
7 is a flowchart illustrating a method of operating a transmitting-side security device;
8 is a flowchart illustrating a method of operating a receiving side security device;
9A is an exemplary diagram of how encapsulated packets are implemented in one embodiment of a conventional MT6D-based NMTD system;
9B is an exemplary diagram of a method for implementing an encapsulated packet in an NMTD system according to an embodiment of the present invention;
9C is an exemplary diagram of a method in which an encapsulated packet according to the present invention is modified and implemented in various embodiments;
10A is a conceptual diagram illustrating the generation and correspondence relationship between a temporary identifier on a sender side and a temporary identifier on a receiver side according to an embodiment of the present invention;
10B is a conceptual diagram illustrating a process in which an attacker's fraudulent packet is blocked by a correspondence relationship between temporary identifiers according to an embodiment of the present invention;
10C is a conceptual diagram illustrating a process in which encapsulated packets arriving differently from an actual transmission order are accepted in a normal order by a temporary identifier according to an embodiment of the present invention;
11A is a conceptual diagram illustrating an example of a relationship between an information set of a sender's temporary identifier and a receiver's temporary identifier according to an embodiment of the present invention;
11B is a conceptual diagram illustrating another example of a relationship between an information set of a temporary identifier of a transmitter and a temporary identifier of a receiver according to an embodiment of the present invention;
11C is a conceptual diagram illustrating another example of a relationship between an information set of a temporary identifier of a sender and a temporary identifier of a receiver according to an embodiment of the present invention;
12 is a conceptual diagram showing the structure of a transmitting-side security device;
13 is a conceptual diagram showing the structure of a receiving side security device;
14 is a conceptual diagram for operating successively formed temporary identifiers according to a critical number;
15 is an experiment result diagram showing performance derivation results of FTP according to an embodiment of the present invention.

Since the present invention can make various changes and have various embodiments, specific embodiments are illustrated in the drawings and described in detail.

However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. These terms are only used for the purpose of distinguishing one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention. The term “and/or” includes any combination of a plurality of related recited items or any one of a plurality of related recited items.

It is understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may exist in the middle. It should be. On the other hand, when an element is referred to as “directly connected” or “directly connected” to another element, it should be understood that no other element exists in the middle.

Terms used in this application are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this application, the terms "include" or "have" are intended to designate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the present application, they should not be interpreted in an ideal or excessively formal meaning. don't

When the term "apparatus" is used in describing the invention in this application, it is intended to describe an embodiment for explaining any function of the present invention that can be implemented as a device, and the function of the device must be independent. It is not meant to be implemented as a single device. Depending on the functional characteristics of the communication network, one device may be implemented with a plurality of devices performing the same function, or conversely, one device may be installed to simultaneously perform the functions of a plurality of devices. Functions of a certain device may be implemented by other devices through software means or by general computers and information processing devices. In addition, when a plurality of devices are used, each device may be connected only to a communication network and may be separated from each other in a physical space. Since this is an area of various embodiments that can be taken by a person skilled in the art in the communication network technology field to implement the same technical idea, any detailed implementation method should be construed as being included in the technical idea area of the present invention.

Hereinafter, with reference to the accompanying drawings, preferred embodiments of the present invention will be described in more detail. In order to facilitate overall understanding in the description of the present invention, the same reference numerals are used for the same components in the drawings, and redundant descriptions of the same components are omitted.

Overview of the NMTD system

1 is a conceptual diagram of a Network-based Moving Target Defense (NMTD) system to be implemented by the present invention. Since the essential concept of NMTD, which is a network security technology, has been described in the background art section, it will be omitted, and in this section, technical configurations included in the present invention and necessary for understanding the present invention will be explained.

Referring to FIG. 1 , the NMTD system 100 guarantees smooth transmission of communication data from a transmitting terminal 110 to a receiving terminal 140, and a host terminal 110 including a transmitting terminal 110 and a receiving terminal 140. , 140) has the purpose of interfering with an attacker's approach, such as reconnaissance. The unit name indicating the communication data may include an Ethernet frame, an IP packet, or a unit name according to any other communication message protocol according to a communication protocol or layer, but in this specification, it is referred to as a "packet" for easy explanation. let's name it However, the use of these terms does not mean that the method of implementing the present invention is dependent on a specific technical concept such as “packet”.

Referring to FIG. 1, a normal packet 150 transmitted from a sending terminal 110 to a receiving terminal 140 among hosts on both sides is first encapsulated by the sending side security device 120 applying NMTD security (160). After being converted to , it is transmitted to the receiving side security device 130, where it is converted into a normal packet 170 again and reaches the receiving terminal 140.

In the NMTD system, a goal is to hide the real address identifiers of both host terminals 110 and 140, in particular, the identifier of the receiving terminal 140 from outside the network. Therefore, from the encapsulated packet 160, only the external configurations of the transmission side security device 120 and the reception side security device 130 are exposed, and the identifiers of the actual host terminals 110 and 140 are hidden. In this case, the identifier may refer to various objects according to embodiments, and may be regarded as IP addresses (including IPv4 or IPv6 addresses), MAC addresses, and other UID-based identifiers. In this specification, for easy explanation, it is assumed that the identifier is an "IP address" by the TCP/IP and IPv6 protocols, and in particular, an IP address complying with the IPv6 standard. However, the use of these terms does not mean that the present invention is limited to or dependent on specific technical concepts and/or protocols such as the TCP/IP protocol and/or IPv6 address system.

In order to achieve the above function, the transmitting-side security device 120 performs packet encapsulation. In one general prior art embodiment, packet encapsulation encrypts the contents of a normal packet 170, inserts it as a payload of a new packet, and attaches a header for network communication to the new packet to generate an encapsulated packet 160. It may be a process of In the same embodiment, the encapsulated packet 160 as described above may be converted into a regular packet 170 in such a way that the receiving side security device 130 decrypts its payload. The procedure of establishing secure communication between two security devices by the encapsulated packet 160 is commonly referred to as "packet tunneling", and in this specification, for easy explanation, "packet tunneling" is referred to as "packet tunneling" for a similar concept. want to use the term. However, the use of these terms does not mean that the method of implementing the present invention is dependent on a specific technical concept such as “packet” or “tunneling”.

The host terminals 110 and 140 including the transmitting terminal 110 or the receiving terminal 140 may be terminals intended to perform predetermined network communication via a network. According to an embodiment of the present invention, the host terminals 110 and 140 may include arbitrary devices including various communication functions (including Internet access and web browser execution functions) and data processing functions. The host terminal 110, 140 includes a mobile station (MS), user equipment (UE), user terminal (UT), wireless terminal, access terminal (AT), terminal, fixed or mobile subscriber unit (subscriber unit). Unit), subscriber station (SS), cellular telephone, wireless device, wireless communication device, wireless transmit/receive unit (WTRU), mobile node, mobile, mobile station, personal portable information It may be referred to as a personal digital assistant (PDA), smartphone, laptop, netbook, personal computer, wireless sensor, consumer electronics (CE), Internet of Things (IoT) device, or other terms. Various embodiments of the host terminals 110 and 140 include a cellular phone, a smart phone having a wireless communication function, a personal digital assistant (PDA) having a wireless communication function, a wireless modem, a portable computer having a wireless communication function, and a wireless communication function. A photographing device such as a digital camera having a wireless communication function, a gaming device having a wireless communication function, a music storage and reproducing home appliance having a wireless communication function, an Internet appliance capable of wireless Internet access and browsing, as well as a portable type incorporating a combination of such functions. It may include units or terminals, but is not limited thereto.

2 is a more detailed conceptual diagram of the NMTD system on which the present invention is based. In the NMTD system 200, a plurality of transmitting terminals 110 may be connected to one transmitting side security device 120 to receive security functions, and a plurality of receiving terminals 140 may be connected to one transmitting side security device 120. A security function may be provided by being connected to the receiving side security device 130 . Of course, one transmitting terminal 110 may communicate using a plurality of transmitting-side security devices 120, or one receiving terminal 140 may communicate via a plurality of receiving-side security devices 130. This embodiment is omitted in FIG. 2 .

Referring further to FIG. 2 , a transmitting-side internal network 210 may exist to connect at least one transmitting terminal 110 and at least one transmitting-side security device 120 as described above. Similarly, a receiving-side internal network 230 for connecting at least one receiving-side security device 130 and at least one receiving terminal 140 may exist. Normally, the internal networks 210 and 230 are protected from the outside by the NMTD.

Therefore, according to an embodiment of the present invention, the transmission side security device 120 and the reception side security device 130 are packet relay devices, respectively, and each internal network 210, 230 or external network 220 Receives a predetermined packet from the packet, extracts a destination on the network from the packet, designates an optimal path for the transmission, and sends the packet along the path to each internal network (210, 230) or external network (220). It may be a device configured to relay communications by transmitting via Preferably, the transmission-side security device 120 and the reception-side security device 130 may include devices such as routers, switches, or gateways configured to perform the relaying operation. Also, the transmission-side security device 120 and the reception-side security device 130 may be implemented as a single device, but may also be implemented as an aggregate of a plurality of devices.

Also, the host terminals 110 and 140 may actually be relay terminals connected to an internal network of another layer to which a plurality of terminals are connected. In short, the internal networks 210 and 230 may be hierarchically structured. Since the configuration of such a hierarchical network topology corresponds to the principle of network configuration that is obvious to those skilled in the art, the more complicated embodiments in this way also do not deviate from the scope of rights as long as they have the characteristics described later in the present invention. It is self-evident that it will not

In FIG. 2 , contents passing through an external network 220 are also shown in a process in which the encapsulated packet 160 is transmitted from the transmitting side security device 120 to the receiving side security device 130 . According to a typical embodiment of the present invention, the external network 220 may be a public network such as the Internet, in which it is difficult to ensure complete security of packets without a separate security procedure. In this environment, the NMTD security method of the present invention is used to prevent an attacker's reconnaissance behavior and an attack through it from a public network.

3 is an exemplary diagram of an attack attempt on the NMTD system on which the present invention is based. Referring to FIG. 3 , an attacker terminal 310 attempting an attack on the NMTD system 300 is shown. It is considered that the attacker terminal 310 attempts an attack by transmitting packets 320 and 330 for an attack purpose through the external network 220 . For example, the attacker terminal 310 may attempt to detect a valid IP address or port number of the receiving side security device 130 by sending the reconnaissance packet 320 . If the attack target is identified by such a valid reconnaissance action, the attacker terminal 310 interrupts the normal packet tunneling procedure by the NMTD system 300 by a method such as transmission of an RST packet, and uses this to disrupt the forged encapsulated packet 330 is sent to reach the receiving terminal 140 as a forged normal packet 340 on the receiving side, so that the receiving terminal 140 can be attacked. As another possibility, the attacker terminal 310 hacks the external network 220, passively collects 350 normal encapsulated packets 160, profiles them, and generates forged encapsulated packets 330 based on this. You can do it.

In the above, one example of the installed external network 220 and the attacks 320, 330, and 350 executed therefrom have been described as a type of threat to be counteracted by the present invention. This corresponds to an embodiment of how the NMTD system of the present invention can be implemented in any form and in which environment. However, the implementation and application of the present invention are not limited to the above examples. In another embodiment of the present invention, the external network 220 is an internal network that is not public, and the NTMD system according to the present invention may be implemented assuming that an attacker is in the internal network. In another embodiment of the present invention, the transmission-side security device 120 and the reception-side security device 130 are functions inherent in substantially the same device, and communication between the two devices does not pass through a network line, but inside the device. It may correspond to communication made in , and the NTMD system according to the present invention may be applied and implemented assuming that an attacker may interfere with internal communication of the device.

In various embodiments as described above, the present invention separates or merges devices or groups of devices that perform the same or similar functions as the transmission-side security device 120 or the reception-side security device 130 to be described later into any functional unit. If implemented, it is obvious that it will fall within the scope of the present invention as implementing the technical spirit of the present invention.

Figure 4 is a general exemplary diagram of an encapsulated packet in the NMTD system on which the present invention is based. As described above, the encapsulated packet used to maintain security in the NMTD system may be implemented by inserting the normal packet 400 as the payload of the encapsulated packet 450. The general packet 400 shown in (a) of FIG. 4 (substantially the same object as the symbols 150 and 170 in FIGS. 1 to 3) is, for example, a TCP/IP protocol-based packet generally used in a network. , more preferably, may be a packet using the IPv6 protocol. Such a packet 400 can be divided into a header 410 and a payload 420. The header 410 can include the address of the receiving terminal to which the packet is directed, and the payload 420 can contain various data that are actually carried. may be included. When packet profiling by an attacker occurs, it becomes a problem that various information including the address of the receiving terminal included in the header 410 is analyzed and leaked. Therefore, as shown in (b) of FIG. 4, an encapsulated packet 430 having the entire contents of the normal packet 400 as a payload 440 (substantially the same object as 160 in FIGS. 1 to 3) is) is created. The header 430 of the encapsulated packet is regarded as a normal packet, and may be based on TCP/IP and/or IPv6 protocols, as in the above example. Preferably, the encapsulated payload 440 is encrypted, so that even if an attacker hijacks the packet, its analysis is difficult. The encapsulated packet 430 can be delivered by a normal network device, but by embedding the actual packet 400 in the payload 440, it has an advantage of concealing the information of the actual transmitting/receiving terminal.

5 is an exemplary diagram of an identifier hopping time interval and an attack attempt made therebetween in the NMTD system based on the present invention. The NMTD system uses the encapsulated packet 160 as described above to perform secure communication between the sending security device 120 and the receiving side security device 130, while providing an identifier such as an address of the receiving side security device 130. It is intended to prevent reconnaissance or analysis of the secure communication by the attacker 310 through a periodically changing hopping operation. To this end, the sender-side security device 120 and the receiver-side security device 130 synchronize changes in identifiers such as the receiver's IP address through a tunneling synchronization procedure. The method of synchronization may be by communication, it is irrelevant whether it is by a rule agreed upon in advance by both parties, and even if it is any other method, it does not affect the implementation of the present invention.

As a result of the synchronization, when the identifier for communication is changed on the transmitting side and the receiving side, respectively, the transmitting side security device 120 transmits the encapsulated packet 160 using the changed identifier as the destination address, and receives After receiving it, the side security device 130 may take an action of converting it into a general packet 170 and forwarding it to the receiving terminal 140 .

The normal time interval 520 until the identifier changes 510 and 512 occur once again after the predetermined communication as described above is referred to as a “hopping time interval”. As described above, the shorter the hopping time interval 520 is, the more advantageous it is for security, but technically there is a limitation that it cannot be shortened beyond a certain interval. In addition, even if a sufficiently short hopping interval is maintained, the attacker 310 existing in the client network or the target network between the hopping time intervals may eavesdrop and reconnaissance, such as the sending side security device 120 and the receiving side security device Passive scanning (540) may be performed for packets passing between (130). Even if the actual hosts 110 and 140 on both sides are not known, the attacker 310 can eavesdrop (540) a packet communicating between the two unknown hosts in the middle. If the hopping time interval 520 is large, an attacker may take time to analyze information of the two hosts 110 and 140 from the intercepted packet 540 and attempt to identify them. If the hopping time interval 520 is smaller than a certain level, an attacker may not be able to accurately identify two hosts within a certain amount of time, but at least the identifier of the security devices 120 and 130 relaying between the two hosts, for example, currently active IP and port combinations can be obtained.

Using the information obtained from the eavesdropped 540 packet, the attacker 310 may inject 542 a forged network reset signal packet (so-called RST packet) into the network. The forged packet 542 may ultimately be received by the transmitting terminal 110 through the transmitting side security device 120 . As a result, a series of TCP/IP connections from the sending terminal 110 to the receiving terminal 140 are reconnected, and this process may also be eavesdropped 544 by the attacker 310 and information of valid identifier combinations may be leaked. there is.

Now, the attacker 310 transmits the RST packet to the sending terminal 110 again (546), and the receiving terminal 110 and the sending side security device 120 ahead of the receiving side security device 130 and the receiving side terminal 140 ), creating a so-called "race condition" that causes the TCP/IP connection to be established (548). This makes it possible for an attacker 310 to infiltrate (550) the protected channel before the identifier is changed (512) by hopping. As long as the above attack can be accomplished over a plurality of packets within a time period (530) shorter than the predetermined hopping time interval (520), it is obvious that the conventional security scheme has limitations.

The present invention proposes a new method of minimizing the hopping time interval in order to neutralize an attacker's reconnaissance behavior occurring within the hopping time interval as described above. Although hopping in the present invention occurs in units of identifiers, as described above, there is an advantage in that identifiers can be quickly changed for all packets without performing an operation such as changing the configuration of a gateway. Hereinafter, the characteristic configuration of the present invention will be described in more detail.

Enhancing NMTD using temporary identifiers (DIDs)

The present invention proposes a technique for strengthening NMTD with a Disposable Identifier (DID). A temporary identifier is introduced to maximize unpredictability with a wide hopping space and a very small hopping time interval. Since the temporary identifier is used instead of an address for identifying a receiving terminal and is used only for one packet, the destination identifier can be changed for each packet.

In the attack model assumed in the present invention, an attacker exists anywhere in a client network or a target network, and may utilize active scanning or passive scanning as a kind of reconnaissance behavior. Active scanning and passive scanning involve collecting information by actively sending probing packets or passively observing traffic on the network, respectively. As described above, when an attack by sophisticated passive scanning occurs, there is a possibility that penetration into a protected line cannot be prevented even with a small hopping time interval of a certain level or more.

An extreme implementation example of NMTD to prevent such an attack is to change the host identifier for each packet. Minimizing the hopping time interval helps to effectively defend against skilled human attackers and manual host profiling attacks. However, the existing NMTD security method does not provide a function of changing the host identifier for each packet. For example, in order to change an identifier, a flow table of a network switch must be updated, but there is a practical limit to the speed. The NMTD security technique of changing the actual host identifier has a problem in that it has a limitation in frequently updating the routing table, or it has to notify the network interface to continuously release and reassociate the bound IP address. That is, in a modern high-speed communication network, changing an identifier in units of packets leads to a considerable waste of information processing resources and leads to a substantially unacceptable level of communication speed degradation.

In addition, in order to change the host identifier for each packet, a wide information aggregation space in which the host identifier can be changed is required. For example, if the packet size is 1,050 bytes and the target communication speed is 100 Mbps, approximately 12,000 identifiers are required per second. If the NMTD security method fails to derive an identifier quickly, this may also cause delay in communication. In addition, if the changeable information space of the host identifier is too narrow, a specific host identifier may appear repeatedly, which counteracts the effect of minimizing the hopping time interval and provides an advantageous condition for an attacker's scanning.

In short, there is a realistic speed limit in performing identifier change by changing the address itself between the sending side security device and the receiving side security device, and there is a risk that an attacker's attack attempt can be completed within the limit. In the conventional known technology, the external IP address of the receiving side security device is used as a virtual identifier, and the hopping time is reduced through a method in which low frequency mutation (LFM) and high frequency mutation (HFM) are performed in parallel. Even if the interval is minimized, there is no escape from the above realistic speed limit as long as the actual identifier is changed frequently.

6 is a conceptual diagram illustrating an operating method of an NMTD system according to an embodiment of the present invention. In the NMTD system 600 according to an embodiment of the present invention, a virtual identifier such as an external IP address of a receiving side security device is used as an LFM target, and a separate temporary identifier is used as an HFM target, up to individual packet units. hopping can be performed. In a preferred embodiment, LFM identifier modulation for address change of the receiving side security device may be configured to be compatible with MT6D (Moving Target IPv6 Defense), one of the conventional NMTD field known technologies.

In one embodiment of the present invention, an obscured IPv6 address for a receiving side security device may be computed. The disambiguation address may be an external IP address used by the receiving side security device to receive packets. In addition, the ambiguous address may be generated corresponding to an individual receiving terminal 140, or one may be generated for a plurality of receiving terminals 140, or a plurality of ambiguous addresses may be generated for one receiving terminal 140. ) can be specified. In any implementation, the disambiguation address is used to route encapsulated packets transmitted from the sending security device 120 to the receiving security device 130 . That is, the disambiguation address may be used to maintain NMTD packet tunneling 620 over the public network 210. The tunneling 620 may be established by a predetermined packet routing path and network device binding on the public network 210, and an interval agreed upon in advance by the sending side security device 120 and the receiving side security device 130. According to this, it can be configured to be reset every time a new disambiguation address is calculated by hopping by the LFM cycle.

In addition to this, in the present invention, a temporary identifier applied differently to each packet is provided, and the receiving terminal 140, which is the final destination of communication, can be identified through this. That is, a pair of ambiguous addresses and temporary identifiers can be used to identify one receiving terminal 140 . The temporary identifier may be created as a list consisting of one or more temporary identifiers at once, and in this case, all temporary identifiers in the list may be configured to refer to the same receiving terminal 140 . Therefore, by sequentially using a plurality of temporary identifiers in the list, it is possible to implement a configuration in which the temporary identifier changes at most every packet as described above. In addition, the change of such a temporary identifier can be regarded as hopping by the HFM cycle. However, the temporary identifier does not necessarily need to be converted for each packet, and in an embodiment in which the HFM cycle is longer, it does not matter if a temporary identifier is differently applied to each random number of 1 or more, and the random number conforms to a predetermined rule. It is irrelevant even if it is changed by

The operation method of the temporary identifier will be described in more detail. Each time a disambiguation address is computed, the system 600 creates a list of temporary identifiers. In a preferred embodiment of the present invention, the transmitting side security device 120 and the receiving side security device 130 may be configured to generate the same temporary identifier list according to the same method agreed in advance. In one embodiment of the present invention, when transmitting the encapsulated packet as described above, the transmitting-side security device 120 sets the ambiguous address as a destination and inserts one temporary identifier into the payload of the packet. The inserted temporary identifier is deleted from the transmitting side security device 120 and is not reused. After receiving the encapsulated packet 160 via packet tunneling 620, the receiving side security device 130 checks the temporary identifier.

A set of temporary identifiers on the receiving side is conceptually represented through a filter 640 in FIG. 6 . If the sender's temporary identifier included in the encapsulated packet 160 matches (642) any one temporary identifier belonging to the list of the receiver, this is an agreement between the sender's security device and the receiver's security device in advance. Since it can be recognized that the temporary identifier generated by the method is legitimate, it is possible to analyze the payload of the encapsulated packet to obtain the normal packet 170 and deliver it to the receiving terminal 140. However, if the temporary identifier does not exist in the list of the receiving side, or if the temporary identifier is not confirmed, the corresponding encapsulated packet 160 can be configured to be discarded 644 because it can be known that it is invalid or forged. there is.

Changing the temporary identifier does not affect the packet tunneling 620 established by the ambiguous address. This means that the routing path calculated in the public network 210 in relation to the packet tunneling 620 and bound network devices are not affected by frequent changes in the temporary identifier. Through this, the present invention can maintain an extremely short hopping cycle while alleviating the burden of resetting a network routing path due to frequent hopping that the prior art had as described above. In addition, by having such a hierarchical hopping structure, a third party (eg, an attacker terminal) ignorant of the actual operation method of the system 600 may have a plurality of non-existent network terminals (not the actual receiving terminal 140) 650) may be mistaken for existence, and through this, the system 600 of the present invention safely protects the internal virtual networks 630 and 230 and the receiving terminal 140 from reconnaissance and hacking by an attacker.

Operation of sender side security device

7 is a flowchart illustrating a method of operating a transmitting-side security device. Prior to the operation of the sending side security device, at any time, it is considered that the sending side security device has gone through an agreement procedure (Handshaking) on the operation method with the receiving side security device (S710). The agreement procedure may preferably be performed by exchanging communication messages for pairing of two devices, but various known technologies used in the communication security area between devices may be applied. For example, synchronization based on the current time, synchronization by mutually sharing the same key value, synchronization by mutually using the same algorithm, synchronization by symmetric key or asymmetric key encryption method, or various other methods to be considered. It is possible, and some of the above methods may be applied in combination or overlapping.

The agreement procedure of step S710 may consist of a procedure for sharing information on a specific implementation method of the present invention between the transmitting side and the receiving side. The information includes: 1) the format of the encapsulated packet; 2) ambiguous addresses and methods of generating them; 3) Temporary identifiers and methods of generating the list may be included.

The sending side security device receives a general packet intended to be delivered from the sending terminal to the receiving terminal (S720). When the normal packet is received, it is first determined whether hopping (LFM hopping) of ambiguous addresses is required (S730). The process of determining necessity of hopping in step S730 may be determined according to the result of an agreement between the transmitter and the receiver in step S710. For example, both the sending side and the receiving side may be configured to newly generate an ambiguous address every predetermined time (eg, 5 seconds), and in this case, if the time has elapsed since the last ambiguous address generation, the ambiguous address is performed through hopping. It is clear that the fire address must be newly created. As a result, hopping by the LFM cycle can be performed.

If it is determined that a new ambiguous address binding (S735) is required, an ambiguous address is generated. The disambiguation address is generated from the real address of the receiving terminal, such as an address which may be referred to as an internal IP address or a protected IP address, and preferably includes all or part of said IP address together with a shared session key, current time information. An input value containing can be calculated and generated by a given function. According to one embodiment, the function may be a type of hash function.

Equation 1 is a formula representing an embodiment of a method for generating an ambiguous address.

In Equation 1, IID _x represents the real IP address of the receiving terminal, KS represents the shared symmetric key, and t _i represents _current time information when generating the ith temporary identifier. H represents a hash function, and in Equation 1, the first 64 bits of the result value derived through the hash function are represented as H [·] _0→63 . The receiving terminal address value modulated by Equation 1 is expressed _as IID'x . An ambiguous address is generated by concatenating the subnet section of the original receiving terminal IP address to the modulated 64-bit address value. That is, the ambiguous address is an IP address that can reach the subnet gateway to which the receiving terminal belongs (preferably, it may be the same as the receiving side security device), but may be an address that does not expose the address of the actual receiving terminal. there is.

Next, whenever a disambiguation address is calculated according to Equation 1 above, corresponding to the disambiguation address, a list consisting of one or more temporary identifiers includes information including the disambiguation address, the shared symmetric key, and current time information. From, according to a preferred embodiment, it can be generated using means such as a hash function H (S770, S772, S774).

In Equations 2 and 3 above, DID ^k _x(i) represents the ( k +1)th temporary identifier for host x at time t _i . A temporary identifier may be generated by Equations 2 and 3 above (S770). At this time, DID ⁰ _x(i) , that is, the first temporary identifier generated in the list can be calculated from the ambiguous address generated at time t _i . Another consecutive temporary identifier in the list, ie DID ^k _x(i) , can be calculated from the previous temporary identifier, ie DID ^k-1 _x(i) .

The temporary identifier generated (S770) is stored in a list corresponding to the ambiguous address (S772). This list may be referred to as a sender side temporary identifier list. In one embodiment of the present invention, at the time of binding the new ambiguous address (S735), one or more temporary identifiers may be successively generated in advance and stored in the list. For example, the transmitting side security device may be configured to set the critical number of temporary identifiers to be generated at once in the list as n, and to continuously generate n number of temporary identifiers when generating them once (S774). For example, if the critical number n is 8, DID ⁰ _x(i) is obtained by Equation 2, and then DID ¹ _x(i) , DID ² _x(i) , . . . , DID ⁷ _{x (i)} may be configured to generate (S770) and store (S772). 14(a) is a conceptual diagram showing a list of 8 temporary identifiers continuously formed. By continuously generating a plurality of temporary identifiers in this way, it is possible to more easily provide temporary identifiers in real time in the process of encapsulating packets transmitted at high speed.

According to an embodiment of the present invention, the process of continuously generating temporary identifiers may be implemented in a manner in which calculation results are divided and used after performing calculations fewer than n times. For example, when the critical number n is 8 and the length of the temporary identifier is set to 64 bits, information including an ambiguous address, a shared symmetric key, and current time information is obtained by a conventional hash function such as "crypto/sha512". A 512-bit hash value may be generated from , and the value may be divided into eight 64-bit values to be used as values of DID ⁰ _{x (i)} to DID ⁷ _{x (i)} , respectively. That is, DID ⁰ _x(i) = H [(...)] _0→63 , and DID ⁷ _x(i) = H [(...)] _448→511 .

If the ambiguous address is prepared and the list of temporary identifiers is prepared by each of the above procedures, the procedure of encapsulating the received normal packet (S720) can be performed (S740). One embodiment of the encapsulation procedure is described with reference to FIGS. 9A-9B. In the conventional MT6D system, in step S740, as shown in FIG. 9A, after removing the IP address of the sending terminal and the IP address of the receiving terminal from the IP header 410 of the normal packet (410'), the payload of the packet encapsulating the normal packet (440). In the present invention, as shown in FIG. 9B, a temporary identifier is sequentially selected from the list (S780), and the selected temporary identifier 920 is included in the header 430 of the encapsulated packet and the header 410 of the payloaded normal packet. ') as a transmitter temporary identifier may be further included in step S740.

In the process of encapsulating the packet (S740), one normal packet may be converted into one or more encapsulated packets. This may exceed the limited length of the packet if the encapsulated packet and the normal packet are of the same format, for example, IPv6 packets, and if all information of the packet including the header is to be loaded as the packet payload of the same standard. Because there is a possibility. In this case, information belonging to one general packet may be transmitted in one or more encapsulated packets. Since this procedure is a prior art used in a typical packet tunneling technology, it cannot be a factor forming or limiting the scope of the present invention, and therefore, a detailed description thereof will be omitted.

The process of selecting a temporary identifier (S780) in the process of encapsulating the packet (S740) may be implemented in a first in first out (FIFO) method in a preferred embodiment. That is, it may be configured to be selected according to the order of creation. That is, the temporary identifier of the sender side can be used as a value for proving the preferred transmission order of packets according to the generation order.

After the selected temporary identifier is used as many times as necessary for packet encapsulation, preferably once, it is deleted from the list (S782). As a result, the temporary identifier is changed for every small number of packets, preferably every packet, and the temporary identifier used once is not used again, so that hopping by the HFM cycle can be performed.

In FIG. 9B, the position where the temporary identifier is inserted and the information inserted into the encapsulated packet are only examples that can be selected. Referring to FIG. 9C, the temporary identifier may be inserted in another location of the encapsulated packet. In addition, as long as the configuration information of the encapsulated packet includes the temporary identifier 920, it is clear that any configuration conforms to the spirit of the present invention.

Various embodiments shown in FIG. 9C will be described. In the first modified embodiment 900-1 of the encapsulated packet shown in FIG. 9C, the temporary identifier 920 is positioned at the front of the encapsulated packet 900-1. In the above embodiment, the temporary identifier 920 is located at the top of the packet and precedes the capsule header 430 according to the conventional protocol. Therefore, although the transmission of the packet 900-1 according to the embodiment may be impossible in a conventional network, it may be implemented in this way in a network whose configuration is designed or changed so that the packet 900-1 can be transmitted. In the second modified embodiment 900-2, the temporary identifier 920 is inserted between the normal packet header 410' and the normal packet payload 420. In the third modified embodiment 900-3, the temporary identifier 920 is positioned at the end of the encapsulated packet 900-3. In the fourth modified embodiment 900-4, the temporary identifier 920 is included in the modified capsule header 940. The capsule header 940 of the modified form may preferably be a header of the IPv6 protocol or an extension header for the MT6D function. In the fifth modified embodiment 900-5, the temporary identifier 920 is included in the general packet header 950 in a modified form. The general packet header 950 of the modified form may preferably be a header of an IPv6 protocol or an extension header for use attached to a general packet. In the sixth modified embodiment 900-6, an intact normal packet header 410 from which the sending terminal IP address and the receiving terminal IP address are not removed is inserted into the encapsulated packet. In the seventh embodiment 900-7, the normal packet header 410 is completely omitted during the encapsulation process, and only the encapsulated header 430 and temporary identifier 920 are included to generate an encapsulated packet 900-7. do.

9B and 9C are various embodiments showing that the temporary identifier of the present invention can be inserted at any position in an encapsulated packet, and those skilled in the art can enjoy various advantages in practicing the present invention. One of the described embodiments or any other method may be selected. Therefore, it is obvious that any method and means for transmitting an encapsulated packet used for packet tunneling including a temporary identifier without being limited to the above embodiments may be included within the scope of the present invention.

As described above, when the packet is encapsulated (S740), the corresponding packet is transmitted to the receiving side security device through the network using the ambiguous address (S750). In the encapsulated packet transmitted in this way, according to a preferred embodiment, the IP addresses of the sending terminal and the receiving terminal cannot be obtained even if all contents of the packet are analyzed, and the temporary identifier is added to the ambiguous address at a fast cycle. According to, by changing every packet, it can be robust against reconnaissance and profiling by an attacker existing in the network.

The above-described procedure in the transmitting-side security device is repeated as long as there are more normal packets to be transmitted (S760). In the process, if hopping of the ambiguous address becomes necessary after a certain time or a certain packet interval (S730), a new ambiguous address is generated and bound (S735).

Meanwhile, as the temporary identifier is deleted from the list (S782), the size of the list may become smaller than the threshold number m. 14(b) shows a case where the number of temporary identifiers becomes smaller than the threshold number m (1402), in this case 5. Maintaining a certain number of temporary identifiers in the list is important to easily provide temporary identifiers in real time in the process of encapsulating packets transmitted at high speed. Therefore, in one embodiment of the present invention, when the size of the remaining temporary identifier list becomes smaller than the threshold number m (S784), the temporary identifier successive generation procedure (S770, S772, S774) is executed again to replenish temporary identifiers. there is. Referring to (c) of FIG. 14 , it can be seen that the temporary identifiers corresponding to the threshold number n (1401) are replenished through the above procedure, and the list length of temporary identifiers is restored to the threshold number m (1402) or more.

Additionally, as shown in (d) of FIG. 14, when the threshold number m (1402') greater than the threshold number n (1401) is used, the temporary identifier successive generation procedure (S770, S772, S774) is repeated one or more times. It may have to be executed (S784), and since this is within the range of modifications that can be easily taken by a person skilled in the art according to modifications of the embodiments embodying the present invention, even if such modifications are taken in the practice of the invention, the rights of the present invention It is self-evident that it does not deviate from the range.

The operation of the transmission-side security device may end when there are no more normal packets to be transmitted (S760).

FIG. 12 is a conceptual diagram showing the structure of the transmitting-side security device 1200 performing the method of FIG. 7 described above. The transmission-side security device 1200 of FIG. 12 may be regarded as the same as the device of reference numeral 120 described above with reference to FIGS. 1 to 3 . The agreement procedure (S710) shown in FIG. 7 may be implemented in the form of a synchronization message (1290) passing through the public network (210). Receiving (S720) the normal packet 150 from the transmitting terminal 110 may be performed through the receiving unit 1230. The step of generating a temporary identifier (S770) may be performed through the temporary identifier generator 1210, and the step of listing and storing the temporary identifier (S772) and selecting a temporary identifier if necessary (S780) This may be performed through the storage unit 1220. It is determined whether a sufficient number of temporary identifiers are generated or maintained (S774, S784), the need for hopping of ambiguous addresses is determined (S730), new ambiguous addresses are calculated and bound (S735), or packets are actually encapsulated (S735). Steps related to various calculations, judgments, and information processing, such as step S740), may be performed through the processing unit 1240. Transmitting the encapsulated packet 160 to the receiving side security device (S750) may be performed through the transmission unit 1250, and the receiving side security device may exist in a form connected to the public network 210.

Behavior of Receiving Side Security Devices

8 is a flowchart illustrating a method of operating a receiving side security device. Prior to the operation of the receiving side security device, at any time, it is considered that the receiving side security device has gone through an agreement procedure (Handshaking) on the operation method with the sending side security device (S810). A description of the embodiment of the agreement procedure is the same as that of the agreement procedure (S710) of the transmitting side security device, and thus will be omitted.

In addition, it is considered that there is a preparation step (S815) in which at least one receiving terminal accesses the receiving side security device prior to the operation of the receiving side security device. By recognizing the connection of the receiving terminal, the receiving-side security device checks information including the IP address of the receiving-side terminal to be protected by the security device, and obtains information for restoring a general packet to be delivered to the corresponding receiving terminal. can do.

The receiving side security device must specify the disambiguation address to receive the encapsulated packet transmitted from the sending side security device. Prior to receiving the encapsulated packet, it is first determined whether hopping (LFM hopping) of an ambiguous address is necessary (S820). The description of the process of determining the need for hopping in step S820 is the same as the hopping determination process (S730) of the transmitting side security device, and thus will be omitted.

If it is determined that a new ambiguous address binding (S825) is required, an ambiguous address is calculated. The ambiguous address is generated from a real address of the receiving terminal, such as an address that may be referred to as an internal IP address or a protected IP address, and the IP address of the receiving terminal secured in the preparation step may be utilized. The description of the ambiguous address and its calculation method is the same as the above description of the ambiguous address generating procedure (S735) of the security device at the sending side, and thus will be omitted.

Whenever the disambiguation address is newly calculated, a list of one or more temporary identifiers corresponding to the disambiguation address is obtained from information including the disambiguation address, shared symmetric key, and current time information, according to a preferred embodiment. It can be generated using the same means as hash function H (S870, S872, S874). In a preferred embodiment, the temporary identifier generation formula using the hash function may be the same as Equations 2 and 3 used to obtain the temporary identifier DID ^k _x(i) in the transmitting side security device.

The temporary identifier generated (S870) is stored in a list corresponding to the ambiguous address (S872). This list may be referred to as a recipient side temporary identifier list. In one embodiment of the present invention, at the time of binding the new ambiguous address (S825), one or more temporary identifiers may be successively generated in advance and stored in the list. For example, the receiving side security device may be configured to set the critical number of temporary identifiers generated at once in the list as n, and perform n consecutive generation when generating temporary identifiers once (S774). A description of how to generate the temporary identifier and store it in the list is the same as the procedure for generating the temporary identifier and storing the list (S770, S772, S774) in the security device at the sender side, so it will be omitted.

If an appropriate ambiguous address is bound and a list of temporary identifiers is prepared, the encapsulated packet transmitted using the ambiguous address from the sending security device may be received in the receiving side security device (S830). The receiving-side security device analyzes the encapsulated capsule to determine whether the sending-side temporary identifier inserted by the sending-side security device exists and, if so, what its value is. The receiving-side security device may want to identify the sending-side temporary identifier from various locations of the encapsulated packet, and an embodiment of the location is as described above with reference to FIGS. 9B and 9C. If the sender's temporary identifier is confirmed, it can be checked whether the value corresponds to all temporary identifier values in the recipient's temporary identifier list, respectively (S840).

According to a preferred embodiment of the present invention, when both the transmitter and the receiver generate temporary identifiers by the same implementation of Equations 2 and 3 as in the above-described embodiment, the method of matching (S840) , can be a way to check whether two values are the same. However, in another embodiment of the present invention, different implementations of Equations 2 and 3 may be used or a more advanced temporary identifier operating method may be used, and this case will be separately described later.

According to the result of the comparison (S840), if the temporary identifier of the receiving side corresponding to the temporary identifier of the transmitting side obtained from the encapsulated packet is verified, it is determined that the encapsulated packet is legitimately transmitted by the security device of the transmitting side. It can be. In this case, the receiving side security device may release the encapsulation of the packet (S860). Conversely, if the corresponding temporary identifier of the receiving side is not confirmed, the corresponding encapsulated packet is regarded as forged or incorrectly received, and the receiving side security device discards the packet without processing it (S890).

The comparison (S840) procedure can be regarded as implementing the filter 640 previously described with reference to the conceptual diagram of FIG. 6 . It can be considered that step S860 is executed when the packet is accepted (642) in FIG. 6, and step S890 is executed when the packet is discarded (644) in FIG. Accordingly, those skilled in the art can easily understand how the procedure of FIG. 8 implements the technical idea of the present invention shown in FIG. 6 .

The temporary identifier for which the correspondence is confirmed is deleted from the list after being used as many times as necessary to decapsulate the packet, preferably once, in step S880. In this way, the temporary identifier is changed for every small number of packets, preferably for every packet, and packets received by attaching the temporary identifier to which a packet is normally received are rejected in the future, so that hopping based on the HFM cycle can be performed.

The description of the decapsulation method may be regarded as the reverse order of the procedure described above with reference to FIGS. 9A to 9C in relation to the encapsulation method of the packet in the transmission-side security device. Referring to FIG. 9B , in one embodiment of the present invention, the temporary identifier 920 is obtained from the frontmost part of the encapsulated payload 930, the verification procedure (S840) is performed, and the decapsulation (S860) is performed. If it is determined to do so, the subsequent payload part is restored to the normal packet header 410' and the normal packet payload 420. Next, the normal packet header is supplemented with the ambiguous address and the receiving terminal address from which the receiving side temporary identifier is derived (410), so that the corresponding normal packet can be normally transmitted to the receiving terminal. When the normal packet is recovered through the above procedure (S860), the receiving side security device may transmit the normal packet to the receiving terminal (S862).

In the process of decapsulating the packet (S860), one normal packet may be derived from one or more encapsulated packets. This has been previously described in the description of the security device on the sender side, and since this procedure is a conventional technology used in general packet tunneling technology, it cannot be a factor forming or limiting the scope of the present invention, and therefore a detailed description thereof. will be omitted.

In the process of decapsulating the packets (S860), checking (S840) whether or not all the temporary identifier values correspond to each of the packets is, according to a preferred embodiment of the present invention, even if the packets are received in an order different from the order in which they were transmitted. This is to ensure that this is normally accepted. This will be described with reference to FIGS. 10A to 10C.

Referring to FIG. 10A, in the transmitting side security device, the transmitting side temporary identifier DID ^1→5 x(i) (1020-1 to 1020-5) from the calculated value (1010) of DID ⁰ _{x (i)} in Equation 2 ) are sequentially generated and stored in the list 1060, and are sequentially inserted into encapsulated packets 1030 and transmitted via packet tunneling 620. On the other hand, in the receiving security device, from the calculated value (1015) of DID ⁰ _x(i) in Equation 2 above, the sending side temporary identifier DID ^1→5 _x(i) (1025-1 to 1025-5) is sequentially Create and save to list 1065. If the packets arrive at the receiving side security device in the order they were sent, the receiving side sequentially checks the list (e.g., matching the sender's temporary identifier 1020-1 against the recipient's temporary identifier 1025-1) to encapsulate the encapsulated packets. can be verified. 10B, an encapsulated packet 1050 including an illegal identifier 1040 that is not in the sender temporary identifier list 1060 will not be accepted because the temporary identifier cannot be matched in the receiver security device (644). It can be seen that

Next, referring to FIG. 10C , since the packet tunneling 620 is performed via the public network 210, it can be seen that packets may arrive differently from the transmission order. However, since the recipient temporary identifier list 1065 has already created and stored a predetermined number of recipient temporary identifiers, even if the sender temporary identifier (e.g., 1020-3) that corresponds to the lower priority arrives first, it is displayed on the list. There is no problem in receiving after it is determined that it corresponds to one of the temporary identifiers (1025-3) by comparing all the temporary identifiers on the receiving side. In addition, since the actual transmission order of the packets to which the temporary identifier 1020-3 is assigned can be known, all encapsulated packets are sent normally despite confusion in the packet transmission order occurring in the TCP/IP-based packet network. Depending on the order, it can be changed to a normal packet. Particularly, in the present invention to change the temporary identifier on a packet-by-packet basis, the procedure of the above embodiment has an effect of preventing sequence confusion of transmitted packets based on ambiguous addresses.

The above-described procedure in the receiving side security device is repeated as long as there are more encapsulated packets to be received (S864). In the process, if hopping of the ambiguous address becomes necessary after a certain time or a certain packet interval (S820), a new ambiguous address is generated and bound (S825).

Meanwhile, as the temporary identifier is deleted from the list (S880), the size of the list may become smaller than the threshold number m. Therefore, in an embodiment of the present invention, when the size of the remaining temporary identifier list becomes smaller than the threshold number m (S885), the temporary identifier successive generation procedure (S870, S872, and S874) is performed again to replenish temporary identifiers. there is.

The operation of the receiving side security device may end when there are no more encapsulated packets to be received (S864).

FIG. 13 is a conceptual diagram showing the structure of the receiving side security device 1300 performing the method of FIG. 8 described above. The receiving side security device 1300 of FIG. 13 may be regarded as the same as the device of reference numeral 130 described above with reference to FIGS. 1 to 3 . The agreement procedure (S810) shown in FIG. 8 may be implemented in the form of a synchronization message (1390) passing through the public network (210). The step of securing the address of the receiving terminal through the connection of the receiving terminal 140 (S815) may be performed through the network management unit 1360. Receiving (S830) the encapsulated packet 160 originating from the transmitting-side security device may be performed through the receiving unit 1330. Generating the temporary identifier (S870) may be performed through the temporary identifier generator 1310, and listing and storing the temporary identifier (S872) may be performed through the storage unit 1320. It is determined whether a sufficient number of temporary identifiers are generated or maintained (S874, S885), the need for hopping of ambiguous addresses is determined (S820), a new ambiguous address is calculated and bound (S825), or transmission included in a packet is determined. Various calculations such as comparing the side temporary identifier with the list of recipient side temporary identifiers (S840) to determine the corresponding relationship (S850), and releasing the encapsulation of the packet (S860) or discarding the packet (S890) according to the result. Steps related to , determination, and information processing may be performed through the processing unit 1340 . Transmitting the decapsulated normal packet 170 to the receiving terminal (S862) may be performed through the transmitter 1350.

Temporary identifier information set and applied embodiments

According to a preferred embodiment of the present invention, both the transmitting side and the receiving side can generate the temporary identifier by the same implementation of Equations 2 and 3. In this case, as described above, a method of checking whether two temporary identifiers correspond to each other (for example, S840) may be a method of checking whether two values are the same. However, in another embodiment of the present invention, implementations of Equations 2 and 3 that are different from each other may be used at the transmitting side and the receiving side for more enhanced security.

Referring to FIG. 10A, in order to establish NMTD communication according to the present invention, temporary identifiers 1020 generated by the transmitting side should correspond 1:1 to temporary identifiers 1025 generated by the receiving side. Able to know. However, this is not true only when the temporary identifiers of each side are the same, so various embodiments can be applied.

11A is a conceptual diagram illustrating an information set space in which temporary identifiers are generated according to Equations 2 and 3. Here, the information set space is defined as representing a set of all possible values calculated by a predetermined binary information processing algorithm. For example, the size of the information set space of the result value of an algorithm capable of outputting an arbitrary 8-bit value has 2 ⁸ =256 elements.

In FIG. 11A , set 1110 is an information set space in which a sender-side temporary identifier is created, and set 1120 is an information set space in which a receiver-side temporary identifier is created. As shown in FIG. 11A, as long as the set 1110 is equivalent to or a subset of the set 1120, all sender-side temporary identifiers 1020 correspond to at least one receiver-side temporary identifier 1025, so that the sender-side security device uses the temporary identifier It can be seen that the possibility that all packets transmitted by attaching . are normally received by the receiving side security device is guaranteed. In the embodiment of FIG. 11A, the method of comparing two temporary identifiers is to determine whether all or part of the values of the two temporary identifiers are the same. Also, in a more preferred embodiment, it is recommended that sets 1110 and 1120 be sets of equality with no complement set. This is because there is a possibility that the receiving side temporary identifier 1130 belonging to the complement set corresponds to an illegal or forged temporary identifier with a low probability, thereby lowering the security level.

On the other hand, FIG. 11B shows an embodiment in which sets 1110 and 1120 are sets that are equivalent to each other, but a 1:1 correspondence relationship is independently configured. In this embodiment, one sender's temporary identifier 1020 is implemented to have a corresponding relationship with another receiver's temporary identifier 1025 in the same set. Depending on the embodiment, this relationship is based on a mathematical correlation between the hash function H send used by the sending security device to generate the temporary identifier and the hash function H _recv used by the receiving security device to generate the _temporary identifier. It can be achieved by putting If the embodiment of FIG. 11B is applied, an attempt to predict a valid temporary identifier by an attacker can be made more difficult.

Further, in FIG. 11C, an embodiment is shown in which sets 1110 and 1120 are distinct sets completely separate from each other. In this embodiment, one sender side temporary identifier 1020 is implemented to have a corresponding relationship with one receiver side temporary identifier 1025 belonging to a completely different set. Depending on the embodiment, the sender's security device generates a sender's temporary identifier using the hash function H _send , and the receiver's security device takes the hash function again on the result of the hash function, H _recv [ H It can be established by generating a temporary identifier on the receiving side using _[send ]. In this case, the determination of the correspondence between the two temporary identifiers may be performed by taking a hash function H _recv on the temporary identifier of the sender and determining whether the result value matches the temporary identifier of the receiver. In this case, even if an attacker secures the temporary identifier list of either the sender or the receiver security device through hacking, etc., it is difficult to forge an encapsulated packet by regenerating a valid temporary identifier using this, thereby providing safety from attacks. can obtain more.

In this way, since the information set of the temporary identifier of the sender and the temporary identifier of the receiver can be operated in various ways, the threshold number n, m used to manage the list of temporary identifiers on the sender and the number of thresholds used to manage the list of temporary identifiers on the receiver The critical numbers n and m used may be the same as or different from each other. For example, even if the information sets of the two temporary identifiers are equivalent, for performance reasons, both security devices may be configured to create and maintain different numbers of lists. However, since the present invention can operate both in the case where n and m on both sides are the same and different, it can be seen that the embodiment to which these modifications are applied also does not deviate from the scope of the present invention.

Embodiments of redundancy of temporary identifiers

In the process of generating and operating a list of temporary identifiers through successive generation of temporary identifiers, when a hash function H is used according to an embodiment, a temporary identifier having the same value with a low probability is 2 according to the characteristics of the hash function H. It is likely to appear more than once. For example, in the case of using the "crypto/sha512" hash function package to generate temporary identifiers and extracting 8 temporary identifiers in units of 64 bits from the resulting 512-bit hash value, the extracted temporary identifiers are There is a very low probability that it will be identical to other temporary identifiers previously stored in the list.

In one embodiment of the present invention, when the overlapping temporary identifier is obtained as described above, the corresponding temporary identifier may be excluded and used. However, in another embodiment of the present invention, more efficient communication can be pursued by operating the list of temporary identifiers in a counter-based manner.

The above embodiment will be described again with reference to FIGS. 7 and 8 . In FIG. 7 , in the step of storing the temporary identifier generated by the sender side security device in the list (S772), even if it is found that a duplicate temporary identifier is used, it may be registered in the list without being excluded. Since the security device on the sending side only selects (S780) a temporary identifier according to the FIFO method, inserts it into the packet encapsulation (S740) process, and transmits (S750), even if a duplicate temporary identifier is used, the operation is affected. may not receive However, in FIG. 8, since the receiving side security device is configured to compare the temporary identifier included in the received encapsulated packet with the temporary identifier in the list (S840) and delete it from the list (S880), two temporary identifiers with overlapping temporary identifiers are used. Encapsulated packets after the th may be mistaken for illegal packets and discarded (S890). However, in the above embodiment, when the receiving side security device stores the temporary identifier in the list (S872), it may be configured to record the number of occurrences of the duplicate temporary identifier as a counter. For example, storage may be performed by increasing a counter value for a corresponding temporary identifier value by 1. In this case, the step of deleting the temporary identifier from the list (S880) may operate in a manner of decreasing the counter value by 1. In addition, the step of determining whether the temporary identifiers correspond (S850) may further include determining that the temporary identifiers do not correspond when the counter value assigned to the temporary identifier on the constant reception side is less than 1.

According to the method of the above embodiment, normal reception of an encapsulated packet in which duplicate temporary identifiers are inserted can be guaranteed. In particular, the embodiment based on the counter can respond even when the arrival order of two packets with the same temporary ID is different when overlapping temporary identifiers are used within a short interval in which the arrival order of packets can be mixed, as shown in FIG. 10c. there will be

Implementation examples and experimental results according to preferred embodiments of the present invention

In order to confirm the feasibility of the present invention, a preferred embodiment of the present invention was actually implemented by adding functions for processing the methods based on the temporary identifier to the open source MT6D implementation written in the conventional Go language.

To create temporary identifiers on the sender and receiver, both sides use the same "crypto/sha512" package. That is, in this embodiment, the information set correspondence relationship of FIG. 11A is implemented. In addition, in this embodiment, a method of generating eight 64-bit DIDs from a 512-bit hash value is adopted to reduce the number of function calls. Accordingly, since two DIDs may have the same value with a very low probability, an implementation method using a counter is adopted as described above.

If the target communication speed is 100 Mbps and the packet size is 1,050 bytes, about 12,000 temporary identifiers are needed per second. If the interval (LFM cycle) for generating ambiguous addresses by hopping IPv6 addresses in the network interface is 10 seconds, it is inefficient to generate 120,000 temporary identifiers at the same time at the start of the 10-second interval. Therefore, in this embodiment, the initial temporary identifier list has 24,000 temporary identifiers, and whenever the remaining unused temporary identifiers become less than 12,000, 12,000 temporary identifiers are additionally generated and added to the list. . That is, both the critical number n and the critical number m on both sides were considered to be 12,000.

The performance of the implemented software according to the above embodiment was evaluated using a virtual system on a host computer running Ubuntu 18.04 and VirtualBox 5.2.42. The computer has an Intel Xeon E5-2650v4 octa-core CPU and 64 GB memory. Two VMs are created in VirtualBox. Each VM is assigned two processors and 2GB of memory, and Ubuntu 18.04 is used as the operating system.

For performance evaluation, we use two FTP programs, vsftp and lftp, which are used as FTP server and FTP client, respectively. Use lftp to designate the MT6D's internal network interface or hidden network interface as the destination interface for FTP packets sent by the FTP client.

15 is an experiment result diagram showing performance derivation results of FTP according to an embodiment of the present invention. Referring to FIG. 15, the FTP throughput of downloading a 1GB file 30 times is shown. The average FTP performance of the prior art embodiment (MT6D) is 59.86 Mbps. The average performance of the preferred embodiment of the present invention (MT6D-DID) is 58.63 Mbps, which is 97.94% of the average performance of MT6D. This means that the overhead of changing the host identifier with a very high frequency due to the introduction of the temporary identifier is only 2.06%. Through this, the NMTD system according to the preferred embodiment of the present invention significantly improves the security of the MT6D-based NMTD system as described above, although it causes a performance degradation of about 2% for the operation of the temporary identifier in terms of FTP performance. Able to know.

The NMTD system according to the present invention incapacitates an attacker performing active scanning by greatly increasing the space that an attacker needs to scan through the additional use of a temporary identifier. This is because, for example, in the preferred embodiment of the present invention described above, the 64-bit IID and the 64-bit temporary identifier are continuously changed. In addition, in the NMTD system according to the present invention, since the destination identifier, which is a pair of ambiguous IPv6 address and temporary identifier, is changed for each packet, an attacker during passive scanning prevents unauthorized access to a receiving terminal to be protected using the obtained identifier. For example, an attacker cannot induce the receiving side security device to reconnect to a fraudulent terminal by injecting an RST packet. Therefore, an attacker cannot create a race condition in which an identifier obtained before a packet of a receiving side security device reaches a receiving terminal is reused.

Although it has been described with reference to the drawings and examples, it does not mean that the scope of protection of the present invention is limited by the drawings or examples, and those skilled in the art can understand the spirit of the present invention described in the following claims. And it will be understood that the present invention can be variously modified and changed without departing from the scope.

Claims (20)

A method for processing a packet by a receiving security device in a network including a receiving side security device, a sending side security device, and at least one receiving terminal, the method comprising:
obtaining a receiving terminal address for the at least one receiving terminal;
generating at least one recipient temporary identifier generated by a first algorithm and belonging to a first information set and storing it in a list;
receiving at least one encapsulated packet from a source security device, the encapsulated packet including a header, a payload, and a temporary identifier belonging to a second information set;
determining whether the sender's temporary identifier corresponds to one of the receiver's temporary identifiers stored in the list;
If the sending side temporary identifier corresponds to any one of the receiving side temporary identifiers stored in the list, a general packet including the receiving terminal address is obtained from the encapsulated packet, and the corresponding receiving side temporary identifier is added to the list. deleting from; and
and transmitting the general packet to a receiving terminal based on the address of the receiving terminal.
According to claim 1,
The list is newly created each time a new destination terminal address is acquired;
The first algorithm generates a new recipient temporary identifier using at least one of all or part of the recipient terminal address and current time information when the list for the recipient terminal address is empty, and the list is empty. If not, generate a new temporary identifier of the receiving side using at least one of all or part of the temporary identifiers of the receiving side already stored in the list and current time information.
According to claim 1 or 2,
The step of generating and storing at least one recipient temporary identifier in the list is configured to continuously generate at least a first critical number or more temporary identifiers and store them in the list;
Wherein the step is configured to be repeatedly executed whenever the number of temporary identifiers stored in the list becomes equal to or less than a second threshold number due to the operation of deleting the temporary identifier of the receiving side from the list.
According to claim 1,
The second information set is equivalent to the first information set (G1=G2) or a subset (G1⊇G2),
The step of determining whether the temporary identifier of the sending side corresponds to one of the temporary identifiers of the receiving side stored in the list includes determining whether the two temporary identifiers are the same. method.
According to claim 1,
The method of processing an encapsulated packet, wherein the obtaining of the normal packet includes obtaining one of the normal packets from one or more of the encapsulated packets.
According to claim 1,
The sender temporary identifier,
1) the front of the encapsulated packet;
2) before or inside the header of the encapsulated packet;
3) before or inside the payload of the encapsulated packet;
4) end of the encapsulated packet;
A method for processing encapsulated packets, characterized in that obtaining stored in any one of the locations.
According to claim 1,
The list includes elements of the first information set and counters assigned to each element,
The step of generating and storing the recipient temporary identifier in the list includes increasing a counter value assigned to any one element belonging to the first information set by 1;
The determining step further includes determining that the counter value assigned to the corresponding receiving side temporary identifier in the list is less than 1, not corresponding;
The step of deleting the temporary identifier of the receiving side from the list is configured to decrease a counter value assigned to the temporary identifier of the receiving side to be deleted from the list by 1.
According to claim 1,
The first security device and the second security device are packet relay devices utilizing MTD (Moving Target Defense), the encapsulated packet corresponds to the MTD-based tunneling packet protocol, and the receiving terminal address is An IPv6 address, and at least one of the encapsulated packet and the normal packet is an IPv6 packet.
A method for processing a packet by a sending security device in a network including a sending terminal, a sending security device, and a receiving side security device,
generating and storing at least one sender temporary identifier generated by a second algorithm and belonging to a second information set in a list;
receiving at least one general packet including the address of the receiving terminal from the transmitting terminal;
selecting one sender's temporary identifier in order from the list, and deleting the selected sender's temporary identifier from the list;
generating at least one encapsulated packet from the selected sender temporary identifier and the normal packet, the encapsulated packet including a header, a payload, and the sender temporary identifier; and
And transmitting the encapsulated packet to the receiving side security device.
According to claim 9,
The list is newly created each time a new destination terminal address is acquired;
The second algorithm generates a new sender temporary identifier using at least one of all or part of the address of the called terminal and current time information when the list of addresses of the called terminal is empty, and the list is empty. If not, generate a new sender temporary identifier using at least one of all or some of the sender temporary identifiers already stored in the list and current time information.
According to claim 9 or 10,
The step of generating and storing at least one temporary identifier of the sending side in the list is configured to continuously generate at least a third critical number or more temporary identifiers and store them in the list;
Wherein the step is configured to be repeatedly executed whenever the number of temporary identifiers stored in the list becomes equal to or less than a fourth threshold due to the operation of deleting the sender's temporary identifier from the list.
According to claim 9,
The second information set is configured to correspond to any one of the components of the first information set, the encapsulated packet processing method.
According to claim 12,
The second information set is equivalent to the first information set (G1=G2) or a subset (G1⊇G2).
According to claim 9,
The generating of the encapsulated packet includes a procedure of dividing and inserting one normal packet into a payload of one or more encapsulated packets.
According to claim 9,
The sender temporary identifier,
1) the front of the encapsulated packet;
2) before or inside the header of the encapsulated packet;
3) before or inside the payload of the encapsulated packet;
4) end of the encapsulated packet;
Characterized in that it is inserted in any one position of the, encapsulated packet processing method.
According to claim 9,
The first security device and the second security device are packet relay devices utilizing MTD (Moving Target Defense), the encapsulated packet corresponds to the MTD-based tunneling packet protocol, and the receiving terminal address is An IPv6 address, and at least one of the encapsulated packet and the normal packet is an IPv6 packet.
A receiving security device in a network including a sending security device, a receiving security device, and at least one receiving terminal, comprising:
a network management unit acquiring a receiving terminal address for the at least one receiving terminal;
a temporary identifier generating unit generating at least one temporary identifier belonging to the first information set;
a storage unit for storing a list of at least one recipient side temporary identifier;
a reception unit for receiving at least one encapsulated packet from the transmission-side security device, the encapsulated packet including a header, a payload, and a transmission-side temporary identifier belonging to a second information set;
It is determined whether the sender-side temporary identifier corresponds to any one of the receiver-side temporary identifiers stored in the storage unit, and if the sender-side temporary identifier corresponds to any one of the receiver-side temporary identifiers stored in the storage unit, the encapsulated a processing unit for obtaining a general packet including an address of a receiving terminal from the packet and deleting the corresponding temporary identifier of the receiving side from the list of the storage unit; and
and a transmitter configured to transmit the normal packet to a receiving terminal based on the address of the receiving terminal.
A receiving side security device in a network comprising at least one sending terminal, a sending side security device, and a receiving side security device,
a temporary identifier generating unit generating at least one temporary identifier belonging to the second information set;
a storage unit for storing a list of at least one temporary identifier of the sender;
a receiver configured to receive at least one general packet including an address of a receiving terminal from the transmitting terminal;
Select one sender temporary identifier in order from the list of the storage unit, delete the selected sender temporary identifier from the list, and generate at least one encapsulated packet from the selected sender temporary identifier and the normal packet. a processing unit for processing, wherein the encapsulated packet includes a header, a payload, and the temporary identifier of the sender; and
and a transmitter configured to transmit the encapsulated packet to the receiving side security device.
A network system comprising a sending terminal, a sending security device, a receiving side security device, and at least one receiving terminal,
The sender-side security device generates and stores at least one sender-side temporary identifier in a list, receives a normal packet including a receiver terminal address from a sender terminal, and converts the normal packet to the sender-side temporary identifier. And converting the included encapsulated packet into an encapsulated packet, deleting the included sending side temporary identifier from the list, and transmitting the encapsulated packet to a receiving side security device;
The encapsulated packet includes a header, at least one payload, and at least one sender temporary identifier;
The receiving-side security device generates and stores at least one receiving-side temporary identifier in a list, receives the encapsulated packet from the sending-side security device, and determines that the sending-side temporary identifier included in the encapsulated packet is the determining whether it corresponds to at least one of the temporary identifiers of the receiving side in the list, and only when it is determined that the temporary identifier of the receiving side corresponds to, deleting the temporary identifier of the receiving side determined to correspond from the list, and converting the encapsulated packet into a normal packet; , configured to transmit the general packet to the receiving terminal based on the receiving terminal address,
The sender-side temporary identifier is information belonging to a second information set generated by a second algorithm in the sender-side security device, and the reception-side security device generated in the first information set by a first algorithm. It has a corresponding relationship with the temporary identifier of the receiving side, and the corresponding relationship between any temporary identifier of the sending side and the temporary identifier of the receiving side is configured to be determined by the receiving side security device,
The temporary identifier of the transmitting side is inserted at any one of the following positions: 1) at the very front, 2) at the front or inside of the header, 3) at the front or inside of the payload, and 4) at the back of the encapsulated packet. , network system.
According to claim 19,
The first algorithm and the second algorithm are the same temporary identifier generation algorithm, the second information set is equivalent to the first information set (G1=G2) or a subset (G1⊇G2),
The method of determining the correspondence between the temporary identifier of the sender and the temporary identifier of the receiver includes a step of determining whether the temporary identifier of the sender and the temporary identifier of the receiver are the same. Doing, network system.