IPSec VPN安全性漏洞分析及验证

doi:10.19678/j.issn.1000-3428.0058383

摘要/Abstract

摘要： 网络边界是提供访问服务的主要通道，而IPSec VPN作为网络边界防护中的关键技术，对于保障网络整体安全至关重要。分析IPSec VPN中IKE协议激进模式和OSPF路由选择协议的安全性漏洞，研究三种常规OSPF路由欺骗方式在IPSec VPN中间人攻击中的性能表现，构建IPSec VPN流量劫持模型及攻击数据包，设计IPSec VPN流量劫持算法与KEYMAT密钥获取算法。通过搭建仿真环境并选取双LSA注入路由欺骗攻击方式，实现跨网段IPSec VPN中间人攻击并验证了IPSec VPN协议的脆弱性，该结论对于网络边界设备防护、骨干网络流量保护具有重要作用。

关键词: IPSec VPN技术, IKE协议, 中间人攻击, OSPF协议, 路由欺骗攻击

Abstract: Network boundary is the necessary channel for providing access services. As a key technique widely used in network boundary protection, IPSec VPN has a significant influence on the overall security of network. This paper analyzes the security vulnerabilities of the radical mode of the IKE protocol and the OSPF routing protocol in IPSec VPN. Then three commonly used OSPF routing deception methods are studied for their performance in the man-in-the-middle attacks on IPSec VPN. On this basis, the traffic hijacking model for IPSec VPN and the attack data packet are constructed. The traffic hijacking algorithm for IPSec VPN and KEYMAT key acquisition algorithm are also designed. Finally, a simulation environment is built to verify the security vulnerabilities of IPSec VPN. By employing the dual LSA injection route spoofing attack method, the experiment realizes the cross-network-segment man-in-the-middle attacks on IPSec VPN. The result of the study is of great importance to the protection of network boundary devices and backbone network traffic.

Key words: IPSec VPN technology, IKE protocol, man-in-the-middle attack, OSPF protocol, routing spoofing attack

中图分类号:

TP309.2

周益旻, 刘方正, 杜镇宇, 张凯. IPSec VPN安全性漏洞分析及验证[J]. 计算机工程, 2021, 47(6): 142-151.

ZHOU Yimin, LIU Fangzheng, DU Zhenyu, ZHANG Kai. Analysis and Verification of IPSec VPN Security Vulnerability[J]. Computer Engineering, 2021, 47(6): 142-151.

http://www.ecice06.com/CN/Y2021/V47/I6/142

图/表 19

20210618183455

20210618183458

20210618183501

20210618183505

20210618183508

20210618183511

20210618183515

20210618183518

20210618183522

20210618183526

20210618183530

20210618183533

20210618183536

20210618183540

20210618183544

20210618183548

20210618183552

20210618183603

20210618183607

参考文献

[1] WANG Fengling.Study on application of VPN technology based on IPSec[J].Computer Technology and Development,2012,22(9):250-252.(in Chinese)王凤领.基于IPSec的VPN技术的应用研究[J].计算机技术与发展,2012,22(9):250-252.
[2] XU Min.VPN technology overview and application[J].Information Communication,2013(10):260-261.(in Chinese)许敏.VPN技术综述及应用[J].信息通信,2013(10):260-261.
[3] XU Xijie.Research on key technology in the VRN penetrate-defense[D].Harbin:Harbin Engineering University,2012.(in Chinese)徐希杰.基于中间人的VPN穿透对抗关键技术研究[D].哈尔滨:哈尔滨工程大学,2012.
[4] SCHILLER J.Cryptographic algorithms for use in the Internet Key Exchange version 2(IKEv2):RFC 4307[S].Massachusetts Institute of Technology,2005:1-5.
[5] FELSCH D,GROTHE M,JÖRG S,et al.The dangers of key reuse:practical attacks on IPsec IKE[C]//Proceedings of USENIX Security Symposium.[S.l.]:USENIX Press,2018:567-583.
[6] LIU Dongxi,ZHANG Long,BAI Yingcai.Two modifications on IKE protocol with pre-shared key authentication[J].Journal of Shanghai Jiaotong University,2003,E-8(2):142-145.
[7] PATERSON K G.A cryptographic tour of the IPsec standards[J].Information Security Technical Report,2006,11(2):72-81.
[8] ZHAO Erfan,XIONG Gang.Reflective denial-of-service based on IKEv2 protocol[J].Communications Technology,2019,52(2):444-448. 赵尔凡,熊刚.基于IKEv2反射式拒绝服务研究[J].通信技术,2019,52(2):444-448.
[9] ZHOU Meng,BAI Jianrong.Analysis to man-in-the-middle attack for IKEvl on the aggressive mode[J].Journal of University of Electronic Science and Technology of China,2010,39(1):97-100,151.(in Chinese)周梦,白建荣.激进模式下对IKEv1的中间人攻击分析[J].电子科技大学学报,2010,39(1):97-100,151.
[10] ZHANG Weile,YU Yang,TANG Jun,et al.Analyses of security flaws of IKE and test[J].Computer Engineering and Design,2007,28(12):2811-2813.(in Chinese)张卫乐,余洋,汤隽,等.IKE协议安全隐患分析与验证[J].计算机工程与设计,2007,28(12):2811-2813.
[11] KANG B H,BALITANAS M O.Vulnerabilities of VPN using IPSec and defensive measures[J].International Journal of ADVANCED SCIENCE and Technology,2009,8(7):9-18.
[12] MAGNANI D B,CARVALHO I A,NORONHA T F.Robust optimization for OSPF routing[J].IFAC Papers on Line,2016,49(12):461-466.
[13] CARIA M,JUKAN A.Link capacity planning for fault tolerant operation in hybrid SDN/OSPF networks[EB/OL].[2020-04-02].https://arxiv.org/abs/1604.05534.
[14] XIA Yunfeng.Analysis of routing spoofing based on OSPF routing protocol[D].Nanjing:Southeast University,2014.(in Chinese)夏云峰.基于OSPF路由协议的路由欺骗分析[D].南京:东南大学,2014
[15] GUO Weixing,LIU Xu,WU Hao.MITM attack detection method based on ARP cache overtime[J].Computer Engineering,2008,34(13):133-135.(in Chinese)郭卫兴,刘旭,吴灏.基于ARP缓存超时的中间人攻击检测方法[J].计算机工程,2008,34(13):133-135.
[16] KONG Zheng,JIANG Xiuzhu.DNS spoofing principle and its defense scheme[J].Computer Engineering,2010,36(3):125-127.(in Chinese)孔政,姜秀柱.DNS欺骗原理及其防御方案[J].计算机工程,2010,36(3):125-127.
[17] QIN Zunying,LI Guodong,LI Wei.Design and implemen-tation of OSPF protocol vulnerability analysis and detection system[J].Journal of Communications,2013,34(S2):58-63.(in Chinese)覃遵颖,李国栋,李卫.OSPF协议脆弱性分析与检测系统的设计和实现[J].通信学报,2013,34(S2):58-63.
[18] LI Pengfei,CHEN Ming,QIAN Hongyan.ARSAO:a general detection and defense mechanism against routing spoofing attacks on OSPF protocol[J].Computer Technology and Development,2019,29(10):120-126.(in Chinese)李鹏飞,陈鸣,钱红燕.ARSAO:一种通用的检测与防御OSPF路由欺骗的机制[J].计算机技术与发展,2019,29(10):120-126.
[19] NAKIBLY G,KIRSHON A,GONIKMAN D,et al.Persistent OSPF attacks[EB/OL].[2020-04-02].https://www.docin.com/p-717369563.html.
[20] LI Zhaobin,MAO Fangyi,WANG Yaojun,et al.The application of Scapy in network equipment security test[J].Journal of Beijing Institute of Electronic Science and Technology,2016,24(4):73-77.(in Chinese)李兆斌,茅方毅,王瑶君,等.Scapy在网络设备安全性测试中的应用[J].北京电子科技学院学报,2016,24(4):73-77.
[21] HAO Xianyun.Simulation of RIP routing based on GNS3[J].Research and Exploration in Laboratory,2019,38(7):124-129,166.(in Chinese)郝贤云.基于GNS3的RIP路由协议仿真[J].实验室研究与探索,2019,38(7):124-129,166.

选择文件类型/文献管理软件名称

选择包含的内容