APNIC_IPv6 Deployment Update in the Asia Pacific

IPv6 Security Risks and Prevention Schemes

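Software Guide (软件导刊), Vol. 22 No. 4, Apr. 2023

IPv6 Security Risks and Prevention Schemes

HU Nan1, ZHOU Yu2, WU Chuan-li2, HAN Zi-hao1, XIANG Jian-wen2, ZHANG Jia-qi3, XING Yan-zhen3
(1. China Media Group, Beijing 100020; 2. School of Computer Science and Artificial Intelligence, Wuhan University of Technology, Wuhan, Hubei 430070; 3. National Internet Emergency Center, Beijing 100029)

Abstract: As large-scale IPv6 deployment gradually proceeds, the number of IPv6 network attacks keeps increasing, and security vulnerabilities exist at the system, application, hardware and protocol levels.

This paper therefore surveys IPv6 security risks from three aspects, namely the risks IPv6 shares with IPv4, the risks specific to IPv6 that arise from its new features, and the risks of the IPv4/IPv6 transition period, and summarizes prevention schemes.

First, for the network attacks shared with IPv4, it studies IPv6 attack protection techniques.

Then, compared with IPv4, the IPv6 header adds a flow label field and extension headers, the address space is larger, stateful address configuration is upgraded from DHCP to DHCPv6, stateless address configuration is added, ICMP is upgraded to ICMPv6, and the Neighbor Discovery Protocol and other new features are added; the paper discusses the specific security risks these new features introduce and the corresponding prevention schemes.

Finally, for the security risks of the dual-stack, tunneling and translation transition mechanisms used during IPv6 deployment, it studies protection schemes, providing theoretical and technical support for discovering unknown attacks and effectively resisting network attacks.

Keywords: IPv6; IPv4; transition mechanisms; security risks; prevention schemes; network security
DOI: 10.11907/rjdk.221381
Open Science (Resource Service) Identifier (OSID):
CLC number: G642
Document code: A
Article ID: 1672-7800(2023)004-0118-10

IPv6 Security Threats and Prevention Scheme

HU Nan1, ZHOU Yu2, WU Chuan-li2, HAN Zi-hao1, XIANG Jian-wen2, ZHANG Jia-qi3, XING Yan-zhen3
(1. China Media Group, Beijing 100020, China; 2. School of Computer Science and Artificial Intelligence, Wuhan University of Technology, Wuhan 430070, China; 3. National Internet Emergency Center, Beijing 100029, China)

Abstract: With the gradual deployment of IPv6 network scale, the number of IPv6 network attacks continues to increase, and there are security vulnerabilities at the system, application, hardware and protocol levels. To this end, the security risks of IPv6 are summarized from three aspects: the same security risks of IPv6 and IPv4, the unique security risks caused by the new features of IPv6, and the security risks in the transition period of IPv4/IPv6, and the prevention schemes are summarized. First, aiming at the same network attack as IPv4, the IPv6 network attack protection technology is studied. Then, compared to IPv4, IPv6 headers add flow label fields and extended headers, have larger address space, stateful address configuration DHCP is upgraded to DHCPv6, stateless address configuration is added, ICMP is upgraded to ICMPv6, Neighbor Discovery Protocol is added, etc., and the unique security risks and prevention schemes caused by the new features are discussed. Finally, aiming at the security risks of transition mechanisms such as dual-stack, tunnel and translation used in IPv6 deployment, the security protection scheme is studied to provide theoretical and technical support for discovering unknown attacks and effectively resisting network attacks.

Key Words: IPv6; IPv4; transition mechanisms; security threat; prevention scheme; network security

Received: 2022-04-07

About the authors: HU Nan (1978-), female, CCF member, engineer at China Media Group, research interest: network security; ZHOU Yu (1999-), female, CCF member, master's student at the School of Computer Science and Artificial Intelligence, Wuhan University of Technology, research interest: network security; WU Chuan-li (1998-), female, master's student at the School of Computer Science and Artificial Intelligence, Wuhan University of Technology, research interest: reliability engineering; HAN Zi-hao (1988-), male, engineer at China Media Group, research interest: network security; XIANG Jian-wen (1975-), male, PhD, CCF member, professor and doctoral supervisor at the School of Computer Science and Artificial Intelligence, Wuhan University of Technology, research interests: reliability engineering and network security; ZHANG Jia-qi (1985-), female, PhD, senior engineer at the National Internet Emergency Center, research interest: IoT network security; XING Yan-zhen (1992-), female, engineer at the National Internet Emergency Center, research interest: IoT network security.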

IPv6 Address Management (English)

Regional Internet Registries

What are RIRs?
• Regional Internet Registries
• Service organisations
– Industry self-regulatory structures
– Non-profit, neutral and independent
– Open membership-based bodies
– Representative of ISPs globally

IPv4 Allocations – Global top 10
[Chart: allocations per year, 1993 to 2004, for ES, NL, CA, FR, DE, KR, UK, CN, JP, US]

What do RIRs do?
• Internet resource allocation

IANA Address Consumption
[Chart: by year from 1983; series: various, assigned, ripencc, lacnic, arin, apnic]

Global Routing Table: '88 - '92
[Chart: y-axis 0 to 100000; x-axis starting Jan-89]

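How Deployment Rolling Updates Work

A Deployment rolling update is a commonly used update strategy in Kubernetes that upgrades an application without interrupting service.

Specifically, a Deployment rolling update works as follows:

1. The Deployment controller creates a ReplicaSet to manage the number and version of Pods.

2. When the application needs to be updated, the new image version or other configuration is specified by modifying the Deployment's spec.template.

3. The Deployment controller gradually replaces the old-version Pods with new-version Pods, one by one. This process is called a rolling update.

4. During the rolling update, the Deployment controller ensures that at least one old-version Pod and one new-version Pod are running at the same time, so that the application's service is not interrupted.

5. If a problem occurs during the rolling update, for example the new version fails to start or hits an unexpected error, the Deployment controller automatically rolls back to the old version and sends an event to notify the administrator.

6. Once all old-version Pods have been replaced by the new version, the Deployment controller automatically deletes the old-version ReplicaSet and sets the new version as the current state.

Note that different strategies can be specified for a rolling update by modifying the Deployment.spec.strategy field. For example:

- RollingUpdate: the default strategy; replaces old-version Pods step by step in a given proportion.

- Recreate: deletes all old-version Pods first, then creates all new-version Pods.

- Custom: a custom strategy; a custom rolling update strategy can be specified by modifying the Deployment.spec.strategy field.

In short, Deployment rolling updates are a very flexible and reliable way to update applications, helping administrators upgrade applications quickly, safely and without interruption.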

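IPv6 Address and Domain Name Configuration Policy

Transparent
• All decisions and policies are documented and publicly available to anyone
Policy dev
Policy development process: basic elements
Working groups: semi-formal volunteer groups appointed by a SIG to work on a specific project until it is completed, e.g. the 'Broadband' working group
Member Meeting
Member Meeting: a special forum on APNIC business, e.g. the fee structure, Executive Council elections and endorsement of policy decisions
(RIRs TO CUSTOMERS)
This figure does not include addresses allocated before the RIRs were established. Source: /statistics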
How much has been allocated to the RIRs?
IPv6 ADDRESS SPACE
June 2009
Internet Number Resource Report
– RFC 791 - Internet Protocol,Jon Postel
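• Although the IPv4 protocol has seen some adjustments and improvements, its basic mechanisms have not changed significantly; despite various shortcomings, the construction and use of the Internet have been very successful
• As of December 2009, only 10% of global IPv4 addresses remained available for allocation
• Now is the time to jointly build a next-generation Internet that enables a smooth transition
• About 90% of IPv4 addresses have already been allocated to networks around the world; the current general consensus is that after 2011 it will no longer be possible to apply for globally routable IPv4 addresses
• The Internet will enter a phase in which IPv4 and IPv6 coexist, and IPv6 will be deployed on a larger scale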
Source: /statistics
IPv6 ALLOCATIONS RIRs to LIRs/ISPs
(Jan 1999 – Jun 2009)
How many total allocations have been made by each RIR? In terms of /32s, how much total space has each RIR allocated?

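Survey on IPv6 Address Scanning Technology Based on Seed Addresses

Special topic: IPv6 technology and applications

Survey on IPv6 address scanning technology based on seed addresses

LI Guo1,2, HE Lin1,2, SONG Guanglei1,2, WANG Zhiliang1,2, YANG Jiahai1,2, LI Zimu1,2
(1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084; 2. Beijing National Research Center for Information Science and Technology, Beijing 100084)

Abstract: Existing scanning techniques can scan the entire IPv4 space in a very short time, but none of these methods suits the vast IPv6 address space.

In recent years, many researchers have therefore proposed various heuristic IPv6 address scanning algorithms.

These algorithms take collected IPv6 seed addresses as input and output a list of the IPv6 addresses most likely to be active as scan targets, greatly narrowing the range to be scanned for active addresses.

The paper classifies, reviews and summarizes these seed-address-based techniques, analyzes the strengths and weaknesses of each algorithm in detail, and discusses the challenges these techniques face.

A total of 73 million seed addresses were collected from two sources: IPv6 datasets published in the references and the Beijing node of the China Education and Research Network.

Experiments compare the hit rate and time performance of four seed-address-based scanning algorithms.

Finally, the paper offers reflections on the field and future research directions.

Keywords: IPv6; seed address; network scanning; generation algorithm
CLC number: TP393
Document code: A
doi: 10.11959/j.issn.1000-0801.2019296

Survey on IPv6 address scanning technology based on seed sources

LI Guo1,2, HE Lin1,2, SONG Guanglei1,2, WANG Zhiliang1,2, YANG Jiahai1,2, LI Zimu1,2
1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China
2. Beijing National Research Center for Information Science and Technology, Beijing 100084, China

Abstract: Nowadays, the state-of-the-art technologies can spend a very short time to scan the whole IPv4 space, but these methods cannot be applied to the huge IPv6 space easily. Therefore, many researchers propose different heuristic algorithms for the sake of IPv6 scanning. The common way of these algorithms is to input collected IPv6 seed addresses and output new most likely active IPv6 addresses as candidates for later scanning. These methods greatly reduce the scanning range of the active address area. These technologies based on seed addresses were classified, analyzed and summarized, and detailed analysis of the advantages and disadvantages of each method was given. And the several challenges faced by the methods were discussed. 73M seed addresses were collected in total from two sources, including published IPv6 datasets in papers and Beijing Node of China Education and Research Network. Through the proposed experiments, time performance and hit rate of four IPv6 address scanning technologies based on seed addresses was compared. Finally, the own thoughts on this field and some future research directions were proposed.

Key words: IPv6, seed address, network scanning, generation algorithm

Received: 2019-11-19; Revised: 2019-12-10
Corresponding author: YANG Jiahai, yang@
Foundation Item: The National Key Research and Development Program during the 13th Five-year Plan Period (No. 2017YFB0803004)

2019296-1 · 25 · Telecommunications Science (电信科学), 2019, No. 12

1 Introduction

Internet scanning is of great significance in security research, topology discovery and network diagnosis.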

Tilgin HG2381 Administration Manual

Contents
Router Login (2)
UPnP (3)
Parental control (4)
LAN clients (5)
Wi-Fi name (SSID) and password change (5)
Security modes of Wi-Fi (8)
Creating new SSID (9)
Changing Wi-Fi channel (10)
Deleting existing SSID (12)
WPS (13)
Wi-Fi associated clients (14)
Change of admin credentials (14)
Factory reset and Restart of the router (15)
Access to USB flash drive attached to router (16)
Change of DNS (21)
Port forwarding (23)
DMZ (28)
DHCP binding (29)
IPv6 port filtering (30)
Public IPv4 address block in LAN network (33)

Router Login

To log into your router, open a web browser (for example, Google Chrome, Microsoft Edge, Mozilla Firefox etc.). Type 192.168.1.1 in the address bar of the browser. You should then see a login page (Image 1). In the Username field, type “admin”. In the Password field, type the password shown on the sticker on the back of your router. Once all fields are populated, press Login.

Image 1. Router HG2381 login screen

UPnP

UPnP service can be used for easier and more convenient router configuration. To configure your router using UPnP desktop applications (e.g. PortMapper Windows), please log into your router (page 2) and navigate to Advanced > Connection settings > UPnP. See Image 2. If you’re not using UPnP applications, UPnP should be set to Off (the default UPnP setting is Off).

Image 2. Setting up UPnP service

Select options as in Image 2, tick Enabled and click Create. Once this is done, click Save settings in the upper right side of the screen. You should see confirmation as per Image 3.

Image 3. Confirmation of UPnP settings

Parental control

Parental control can be used to restrict access to sites. To enable parental control, please log into your router (page 2) and navigate to Advanced > LAN settings > LAN clients. Select the device which needs to be blocked and click Apply. This part of the process will create a static DHCP binding for a certain MAC address (LAN client). See Image 4.

If you click the IPv6 button, the IPv6 address of the LAN client will be displayed.

Image 4. Defining which LAN client will be blocked

Once completed, navigate to Advanced > LAN settings > Schedule blocking. Select the day and time you would like to restrict access and click Apply. Then click Save settings. See Image 5.

Image 5. Defining blocking time & day per week basis

LAN clients

The number of LAN (Local Area Network) clients, their MAC addresses and associated IPv4 addresses can be checked once you’re logged into your router (see page 2). Navigate to Advanced > LAN settings > LAN clients. The connection type will be listed for every LAN client (see Image 6), and you’ll be able to see all the devices that are using your router’s LAN.

Image 6. Overview of LAN clients

Wi-Fi name (SSID) and password change

To change your wifi name or password for 2.4 GHz or 5 GHz bands, log into your router (see page 2) and navigate to Wireless. To change the parameters of your wifi connection, click on the SSID in the Existing SSIDs section. Configuration changes are the same for 2.4 GHz and for 5 GHz. See Image 7, where we’ve used 2.4 GHz for demonstration purposes.

Image 7. Overview of existing Wi-Fi SSIDs

To change the name of your wifi connection, navigate to Wireless > SSID > Configuration. Provide your desired connection name and then click Apply and Save settings. See Image 8.

Image 8. Change of 2.4GHz connection name

To change your wifi password, navigate to SSID > Security. See Image 9. Please use passwords containing upper and lower-case letters and numbers, with a minimum of 12 characters in length. Once you’ve decided on a password, click Apply and Save settings.

Image 9. Wi-Fi password change

Security modes of Wi-Fi

To change the authentication setting for Wi-Fi, navigate to the Wireless section. Click on either the 2.4GHz or 5GHz connection. Configuration is identical for both connections (see Image 10 for a 2.4GHz example). Protocol WPA2 or WPA2/WPA can be selected. After the protocol change, click Apply and Save settings. By default, the advanced encryption algorithm is used.

Image 10. Change of Wi-Fi security protocols

Creating new SSID

To create a new SSID, please log into your router (page 2) and navigate to Wireless. Under New SSID, use any name (e.g. New_2.4GHz), select the 2.4 GHz or 5GHz radio port and select the lan0 LAN group. Click Create. See Image 11. If a new 5GHz network is needed, select the 5 GHz radio port from the drop-down menu. The configuration steps for a 2.4GHz SSID and a 5GHz SSID are the same.

Image 11. Creating new SSID

Once your new SSID (in this case 2.4GHz) is created, you can change the passphrase of the SSID. Click Apply and Save settings in the upper right corner of the web page (see Image 12).

Image 12. Defining password for new SSID

Changing Wi-Fi channel

To minimise interference, we highly recommend leaving your wifi channel selection on its default settings. If you’d like to change your channel selection, however, you can do so by logging into your router (see page 2) and navigating to Wireless > Setup. Select either the 2.4GHz or 5GHz frequency band. Once selected, refer to Channel. Select Manual configuration and choose one of the listed channels from the drop-down menu. Click Apply and Save settings. See Image 13 and Image 14.

Note: please avoid using channel 11 for 2.4GHz networks.

Image 13. Setting channel for 2.4GHz network

Image 14. Setting channel for 5GHz network

Deleting existing SSID

To delete an existing SSID, please log into your router (page 2) and navigate to Wireless. Tick Delete on the network you’d like to delete. Click Apply and Save settings (see Image 15).

Image 15. Deleting existing SSID

WPS

To connect to wifi without a password, please log in to your router (see page 2) and navigate to Wireless. Click on the desired SSID and go to SSID > WPS. See Image 16. Click Add device. Wait a few seconds and then click the WPS button on the desired LAN client. A wifi connection will then be made.

Image 16. WPS button and access method

Wi-Fi associated clients

For each SSID, the number of LAN clients can be checked. To check LAN Wi-Fi clients, navigate to Wireless. Click on the 2.4GHz or 5GHz connection. Under SSID > Associated clients, the MAC address of every LAN user is listed. See Image 16.

Image 16. Wi-Fi 2.4GHz LAN clients

Change of admin credentials

Your default admin credentials can be found on the router itself. If you’d like to make changes to these credentials, please contact Customer Support.

Factory reset and Restart of the router (admin account)

You can reboot your router via the web. Once you’ve logged in (see page 2), navigate to Tools > Maintenance > Restart system. Click on Restart system. See Image 17.

Image 17. Restart of router

To restore factory settings, navigate to Tools > Configuration > Restore defaults. Click on Restore factory defaults. See Image 18.

Please note, factory reset isn’t recommended as it can shorten the life of a router if used often. Also, factory reset will delete any user-made configuration, such as wifi SSID, wifi password, port forwarding rules, etc.

Image 18. Switching to factory router configuration

Access to USB flash drive attached to router

You can access the USB storage port on your router in a few ways. To access via HTTP protocol, please log into your router (page 2) and navigate to Storage > General > Setup. Click Storage enabled and Enabled under Access via HTTP. Click Apply and Save settings. To connect to the flash drive, type http://ip_address/nas into the browser. Router configuration is shown in Image 21. Router configuration is shown in Image 19. Remote access is shown in Image 20. Your router’s USB port with attached flash drive can be used as additional storage, linked with LAN.

Image 19. Flash drive access via HTTP

Image 20. Remote access to USB drive via http

To connect via SMB, click Enabled in the section Access via SMB. See Image 21. Once enabled, click Apply and Save settings. See Image 22 for SMB access.

Image 21. Access to flash drive via SMB

Image 22. LAN access via SMB (type \\192.168.1.1 in browser search)

See Image 23 for access via DLNA Media server. Click to serve lan0 group. Click Enabled and then Apply.

Image 23. Access to DLNA Media server

See Image 24 for access to the flash drive via a PC application, e.g. VLC, Windows Media Player.

Photo 24. Access to USB flash drive DLNA Server

Change of DNS (admin account)

To change your DNS, please log into your router (page 2) and navigate to Setup > LAN Setup > LAN configuration. Click View/edit all parameters (see Image 25). By default, the router uses two Hyperoptic DNS servers which provide redundancy and address resolution. These servers communicate directly with the WAN ethernet router port and provide means for swift browsing.

Image 25. Navigating to DHCP LAN settings

In the “Static Address” section, look for DHCP fields as shown in Image 16. Configure the public DNS as per your choice. To enable the use of an arbitrary DNS, please disable the DHCPv6 server. See Image 26.

Image 26. DNS section of LAN configuration

Port forwarding (admin account)

Port forwarding is currently only being used for IPv4 addresses. Tilgin is developing firmware which will allow usage of IP Filtering for IPv6 addresses. Port forwarding can be used to establish a home-based FTP server, web server or similar kind of server.

To change your port forwarding parameters, connect your personal computer via ethernet cable or via wifi to the router. Open a web browser and type 192.168.1.1 in the search line of the browser. You should then see a login page, as below (Image 27).

Image 27. Login page of the router

In the Username field, type “admin”. You’ll be able to find the password associated with your router written on the back of the router itself. Once identified, type this into the Password field.

Once logged in, navigate to Advanced > Port forwarding, as illustrated in Image 28.

Image 28. Port forwarding section of the router web UI

At the bottom of this page, refer to the section Custom forwarding. Name the port forwarding rule and associate a WAN connection to it. The connection type should be dhcp-over-eth. An example of the creation of a port forwarding rule for a local web server is illustrated in Image 29. Once the Name and Connection type are set, click Add.

Image 29. Creating web server port forwarding rule

Image 30 illustrates the main parameter configuration of port forwarding rules.

First, click on the Enabled field to make the port forwarding rule active.

Check your personal computer’s private IPv4 address and type it in the Destination IP address field. List which ports need to pass the router’s firewall. In the example illustrated in Image 30, it is TCP port 8080, which will serve a local web server placed in the LAN.

If the web server needs to be seen from any public IPv4 address, type 0.0.0.0 in the Source IP address and list 0 as prefix length. Otherwise, if the web server needs to be accessed from just one IPv4 address, list that one address as illustrated in Image 30.

Image 30. Configuring port forwarding rules

Once all parameters are entered, click Apply. Save the router configuration by clicking Save settings in the upper right corner of the screen.

A list of commonly used ports is illustrated in Image 31.

Please also note that ports 80 and 443 should never be used on the WAN side, as these ports are reserved for Hyperoptic Ltd. remote management. If you would like to use these ports on your server in a LAN, then you can use different ports on the WAN side as shown in Image 32 (e.g. you can use ports 12000 and 12001 on the WAN side and map them to LAN ports 80 and 443 respectively). For additional help on port numbers and TCP/UDP, please refer to https:///wiki/List_of_TCP_and_UDP_port_numbers

Image 31. List of commonly used ports

Alternatively, it’s possible to allow a certain range of WAN ports that will all be translated into one LAN port. This kind of configuration is illustrated in Image 32. In this case, a local web server placed in the LAN is listening for connections on port 8080. The router will forward all connection requests that come to WAN router port 12001 to this local server.

Image 32. Port forwarding with port mapping from WAN to LAN side

DMZ (admin account)

Please be aware that devices placed in DMZ will not be affected by a router’s firewall. Placing LAN devices in DMZ can therefore pose an IT security risk and this action should be taken with caution. If a LAN device needs to be placed in a demilitarized zone, log into your router (page 2) and go to Advanced > DMZ (see Image 33).

Image 33. DMZ section of router

Click on the Name of the connection – dhcp-over-eth. You should then be presented with Image 34. List the IPv4 address of the LAN device and click Apply.

Save settings in the upper right corner of the screen.

Image 34. List LAN device which needs to be placed in DMZ

DHCP binding (using User account)

A specific LAN client can have the same IPv4 address all the time. To define which LAN client will have which IPv4 address, configuration of binding must be completed. This is described in Photo 35. Navigate to section Advanced > LAN settings > LAN clients.

Photo 35. DHCP host binding

Use an arbitrary Hostname, list the wanted IPv4 address and list the MAC address of the LAN client. The valid range of IPv4 addresses is 192.168.1.100 to 192.168.1.254. After the configuration is made, click Save settings.

IPv6 port filtering (AKA Port forwarding)

Allowing some services (equivalent of ports TCP/UDP) to pass through the router from the WAN side to the LAN side can be configured using the port forwarding feature of a router. To set this up, please navigate to Advanced > Port forwarding > Custom forwarding / New rule. See Image 36. The name of a rule can be arbitrary, but for IPv6 the connection must be ipv6-over-eth. Once this is selected, click the Add button.

Image 36. Selecting IPv6 connection for Port forwarding router feature

In the new menu (see Image 37), tick Enabled to allow this rule. Source IP address is the range or single address from which access to the router is made. If the service must be available from any location, state “::” as the source address. Destination address is the public IPv6 address of the LAN client machine. As the last step, list the ports that need to be allowed to pass through the router (e.g. TCP port 80), then click Apply and Save settings.

Image 37. Configuration of IPv6 port filtering

You’ll see confirmation of setup in Image 38.

Image 38. Confirmation of IPv6 port filtering rule

Public IPv4 address block in LAN network

Navigate to section Setup > LAN Setup > LAN configuration. Click on View/edit all parameters. See Image 39.

Image 39. LAN settings of HG2381

A new screen opens as described in Image 40. Focus on the Static address part. Define the IP address / prefix length field. The example is shown for public block 137.220.108.0/29. Enter a valid Start IP address and End IP address. Click on the Save button at the bottom of the page.

Image 40. DHCP setting of HG2381

Return to section Setup > LAN Setup > Firewall/NAT services. Untick the option Enable NAT service. Click Apply and Save settings. This is illustrated in Image 41.

Image 41. Disabling NAT service

ONVIF_Device_Test_Tool_11.12 Installation Procedure

5.2.1. Start the netsh utility
5.2.2. Select IPv6 configuration
5.2.3. Display current interfaces
5.2.4. Add routing entry
5.2.5. Verify routing information
5.2.6. Add routing of other devices
5.2.7. Close netsh

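Discussion of IPv4-to-IPv6 Transition Technology Schemes for Operators

Discussion of IPv4-to-IPv6 Transition Technology Schemes for Operators
WANG Mingming

[Abstract] This paper explains the necessity of the IPv4/v6 transition and reviews and compares the existing basic transition technologies.

Based on operators' actual network environments, it analyzes the existing transition technology that combines dual-stack and NAT444, on that basis analyzes different transition technologies for different scenarios, and finally analyzes a transition scheme for deploying CGN based on an operator case.

This paper summarizes the existing basic transition techniques, and clarifies the need of the transition from IPv4 to IPv6. Then analyses the transition technology of the Dual IP Stack and NAT444 based on the operator’s actual network environment. According to the operators case and compare with other different transition technologies, the CGN deployment transition technology is discussed.

[Journal] Telecom Engineering Technics and Standardization (《电信工程技术与标准化》)
[Year (Volume), Issue] 2016 (029) 011
[Total pages] 6 (P65-70)
[Keywords] IPv4/IPv6; dual-stack technology; NAT444; CGN; address space
[Author] WANG Mingming
[Affiliation] Shanghai Posts & Telecommunications Designing Consulting Institute Co., Ltd., Shanghai 200009
[Language] Chinese
[CLC number] TN914

The Internet Assigned Numbers Authority (IANA) officially announced on 3 February 2011 that it would distribute its last 4.68 million IPv4 addresses evenly among the Internet network information centres of the five regions worldwide, and the Asia Pacific Network Information Centre (APNIC) announced on 15 April 2011 that its normally allocatable IPv4 addresses were exhausted [1~2].

At this critical time, when IPv4 addresses are gradually running out, a full transition from IPv4 to IPv6 is all the more urgent.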

China Telecom Next-Generation Internet Evolution Plan - APNIC


CT should push the government to work out mandatory policies to give incentives to the CP/SP to introduce IPV6.
The details of deployment policy – IT support system
Two-oriented society commercial trial Various types of access methods, including ADSL,EPON and WLAN; Upgrading the access network and IT system.
CT’s trial—Product Development
// ICT: Information and Communication Technologies
// MAN: Metropolitan area network
// BSS: Billing support system
[Diagram labels: MAN; DNS; MAN core; multi-service edge point (BRAS/SR/PDSN); fixed access (xDSL, FTTx, LAN); BSS]
BSS keeps pace with services to provide IPV6 ability
The detailed deployment policy – terminal
The existing terminal
using bridge mode to transparently transmit IPV6 datagram.
4 Existing services need to be seamlessly moved New services need to be IPV6 enabled directly

IPv6 and National Policy Making


• Each RIR will be allocated one /8 IPv4 address block when the IANA free pool of IPv4 address space reaches five remaining /8 blocks
• Proposed by the Address Supporting Organization Address Council (ASO AC) for ratification by the ICANN Board
• All RIRs have formally adopted the proposal (Nov. 2008)
• Public comments would be open until 26 Feb. 2009
/en/announcements/announcement-2-05feb09-en.htm
Now, deployment of IPv6 has become an urgent global issue
Public policy concern on IPv6 is
“The smooth migration from IPv4 to IPv6”
II. Internet Addressing
Distribution of IPv4 : Serious lack of global balance
(leans towards ARIN> APNIC > RIPE NCC)
Status of 256 / 8s IPv4 Address Space
TOTAL IPv4 SPACE
Multicast 16 Private Use 1
Central Registry : 91 RIRs : 96

IPv6 in mobile networks
• 3G+ and 4G (LTE, TD-LTE): services on voice, messaging and data are converging on IP-based services
• Rapidly increasing global 4G deployment
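Allocations
IPv6 (year: allocations): 2005: 240; 2006: 234; 2007: 475; 2008: 860; 2009: 1,236; 2010: 2,436; 2011: 3,587; 2012: 3,304; 2013: 4,018
IPv4 (values in the order extracted; year alignment not recoverable): 4,774; 5,646; 6,312; 6,969; 6,701; 7,758; 10,061; 8,619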
• IPv4 address allocations have slowed substantially since 2012
– APNIC reached their final /8 in April 2011
– RIPE reached their final /8 in September 2012
– LACNIC reached their final /8 in March 2014
– ARIN will reach their final /8 soon
IPv6 adoption in core networks
/stats/cible.php?country=world
IPv6-enabled DNS servers
[Chart: % of sites in Alexa top-50 sites, dates from 2011-01 to 2014-04; legend: IPv6 DNS server reachable; AAAA/NS exists but unreachable; AAAA for www.* reachable; AAAA for alternative FQDN re…]
/ipv6status
IPv6 end user readiness measurement: World
[Chart residue: eight percentage labels between 1.9% and 8.8%; axes not recoverable]
• IPv4 offers only limited space for businesses to grow
/ispcol/2014-02/addressing2013.html
IPv4 address exhaustion projection
Sites with IPv6 Authoritative DNS Server
[Chart: dates from 2010-06 to 2014-04]
/ipv6status
IPv6-enabled www sites
[Chart: % of sites in Alexa top-50 sites]
– It’s not happening simultaneously
– Some economies and ASNs have been very active in terms of IPv6 deployment
• Particularly some mobile network operators • Once they enable IPv6 in their network and handsets, their end user readiness grows VERY rapidly
CGN
• Still need to deploy IPv6 networks
– Some SPs may inevitably need to rely on NAT444 CGN to prolong IPv4 address availability, however they also need to deploy IPv6 networks simultaneously to ensure business continuity
/tools/ipv4/ 18/04/2014
IPv6: Where Are We Now?
Address allocation Internet core Content Last mile
IPv6 in 2013
• Comparing 2012 with 2013, the number of individual IPv6 address space allocations rose by 20%
• AS55430 Verizon Wireless in US: 59%
• AS55430 Starhub in Singapore: 37%
• AS18126 Free in Japan: 35%
– It is NOT a transition mechanism to IPv6
• It comes with negative consequences of Network Address Translators (NAT)
– Breaks the end-to-end model of the Internet
– Breaks network level end-to-end security
– Breaks some applications
– Performance and scalability issues
– etc.
IPv6 Deployment Update in the Asia Pacific
Sanjaya <sanjaya@> 18th April 2014
Global IPv6 & Next Generation Internet Summit 2014
Beijing, China
Issue Date: [15/04/2014] Revision: [4]
Overview
• IPv4 address exhaustion: where are we now?
• IPv6 deployment status in the AP region
• About Carrier Grade NAT (CGN)
• Way forward
IPv4 in 2013
/ipv6-measurement/Regions/001%20World/ as of 10/04/2014
Global IPv6 deployment leaderboard (commercial operators)
ASN | Entity | Economy | IPv6 preferred rate
22394 | Cellco Verizon Wireless | US | 59.14
55430 | STARHUBINTERNET-AS-NGNBN Starhub Internet Pte Ltd | SG | 36.68
18126 | CTCX Chubu Telecommunications Company; Inc. | JP | 35.12
2516 | KDDI CORPORATION | JP | 31.00
3303 | Swisscom (Switzerland) | CH | 26.76
8708 | RSC & RDS SA | RO | 25.02
20825 | Unitymedia NRW GmbH | DE | 22.57
12322 | PROXAD Free SAS | FR | 22.00
6389 | Bellsouth net Inc. | US | 19.63
4739 | INTERNODE-AS Internode Pty Ltd | AU | 19.24
7018 | AT&T Services Inc. | US | 18.80
7922 | Comcast Cable Communications | US | 17.80
21928 | T-Mobile USA | US | 17.07
23655 | Snap Internet Limited | NZ | 17.00
4773 | MobileOne Ltd Mobile/Internet Service Provider | SG | 10.40
/ipv6-measurement/AS/ 10/04/2014
About Carrier Grade NAT (CGN)
What is CGN?
• NAT 444 CGN has been developed to prolong IPv4 address availability by using globally un-routable private IP addresses in Service Providers’ (SP) networks
• SPs need to focus on minimizing operational complexity during transition to IPv6
– A native IPv6 network could be an ultimate goal, but a few transitional steps may be required to reach this
– Minimize the number of transition technologies iterations on the road to a native IPv6 network
Observations
• IPv6 deployment is increasing steadily, but varies among regions, economies, and individual ASNs (network operators)