With the continuous expansion of network interconnection, the early IPv4 protocol has shown many shortcomings, the most urgent of which is the shortage of IP addresses. However, network security issues arise along with the wide usage of IPv6. The firewall is an important technology for ensuring network and information security. It implements the security management of the network through an ordered set of rules, defined in advance by the administrator, that inspect the information exchanged between networks. Therefore, the rules configured in the actual firewall according to the security policy are a very important factor in filtering packets correctly and protecting network and information security. However, if there is a conflict in the firewall rule set, caused by the same packet matching two or more rules, this leads to contradictory rules, redundant rules and other problems, and the firewall will not be able to filter packets correctly. In addition, in recent years a new type of firewall that can handle time-based rules has appeared, such as Cisco ACLs and Linux iptables, and these firewalls are being used more and more widely. The number of rules in a firewall is very large and the relationships between rules are complex, so it is extremely difficult for the firewall administrator to find and resolve conflicts manually. Therefore, conflict detection in firewall rule sets has attracted widespread attention from researchers. At present, many researchers have proposed a variety of methods to analyze and detect conflicts in single or distributed IPv4 firewall rule sets. However, there are few studies on conflict detection in IPv6 firewall rule sets or in time-based firewall rule sets. Therefore, conflict detection for time-based IPv6 firewall rule sets needs comprehensive and in-depth research and development.

In order to detect conflicts in time-based IPv6 firewall rule sets, an efficient and feasible algorithm is designed in this paper. Firstly, the structure of each rule in a time-based IPv6 firewall rule set is described. Then, because it is difficult to obtain time-based IPv6 firewall rule sets from a real network environment, we use the packet classification benchmark ClassBenchv6 to generate the test rule sets required for the experiments, based on different parameter files, different adjustment parameters of the Linux command, and different numbers of predicates. Next, we define the types of time constraints and analyze the semantics of time-based IPv6 firewall rule sets with a formal method. After that, we use a formal verification tool (the SMT solver Z3) to detect possible conflicts between every pair of rules in the rule set. Finally, the feasibility and efficiency of our algorithm are evaluated experimentally. It is proved that the effectiveness of the proposed algorithm is related only to the number of decision domains and the number of rules in the rule set, and is unrelated to the parameter file, the value of the adjustment parameter in the Linux command, and other factors. The conflict detection algorithm for time-based IPv6 firewall rule sets proposed in this paper can detect conflicts in diverse firewall rule sets. In addition, it can also be extended to other rule-based decision systems, such as SDN flow table rules and IDS rules. Therefore, the conflict detection algorithm proposed in this paper has broad application prospects.
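As an added illustration (not code from the paper), the pairwise check described above can be approximated without an SMT solver: every decision domain, including a daily time window, is treated as a closed integer interval, and two rules can match the same packet only when all of their intervals intersect. The rule layout, the minute-based time window that may wrap past midnight, and the sample rule set are this example's own assumptions; the paper itself encodes the rules for Z3.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    # Constructed rule layout; field names are this example's assumptions, not the paper's.
    name: str
    src: str       # IPv6 source prefix
    dst: str       # IPv6 destination prefix
    proto: tuple   # inclusive (lo, hi) IP protocol numbers
    dport: tuple   # inclusive (lo, hi) destination ports
    time: tuple    # daily window in minutes since midnight, [start, end)
    action: str    # "permit" or "deny"

def _intersect(a, b):
    return max(a[0], b[0]) <= min(a[1], b[1])

def _ranges(r):
    # Addresses become integer ranges so every non-time domain is a closed interval.
    nets = (ipaddress.IPv6Network(r.src), ipaddress.IPv6Network(r.dst))
    return [(int(n.network_address), int(n.broadcast_address)) for n in nets] + [r.proto, r.dport]

def time_windows(t):
    # A window crossing midnight (e.g. 22:00-06:00) splits into two closed intervals.
    s, e = t
    return [(s, e - 1)] if s < e else [(s, 1439), (0, e - 1)]

def rules_overlap(r1, r2):
    """True if some packet, at some time of day, matches both rules."""
    if not all(_intersect(a, b) for a, b in zip(_ranges(r1), _ranges(r2))):
        return False
    return any(_intersect(w1, w2)
               for w1 in time_windows(r1.time) for w2 in time_windows(r2.time))

def detect_conflicts(rules):
    """Check every pair: different actions on an overlap contradict; same action is a possible redundancy."""
    return [(r1.name, r2.name, "contradiction" if r1.action != r2.action else "possible redundancy")
            for r1, r2 in combinations(rules, 2) if rules_overlap(r1, r2)]

# Constructed sample rule set. Minutes since midnight: 08:00=480, 17:00=1020, 22:00=1320, 23:00=1380.
SAMPLE_RULES = [
    Rule("R1", "2001:db8:1::/48", "2001:db8:2::/64", (6, 6), (443, 443), (480, 1080), "permit"),
    Rule("R2", "2001:db8::/32", "2001:db8:2::/48", (6, 6), (1, 1024), (1320, 360), "deny"),
    Rule("R3", "::/0", "::/0", (6, 6), (443, 443), (1020, 1440), "deny"),
    Rule("R4", "2001:db8:1:2::/64", "2001:db8:2::/64", (6, 6), (443, 443), (1380, 60), "permit"),
]
```

Running `detect_conflicts(SAMPLE_RULES)` flags R1/R3, R2/R4 and R3/R4 as contradictions and R2/R3 as a possible redundancy, while R1 and R2 never conflict because their time windows are disjoint even though their address and port domains overlap.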