Abstract
Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible, however, with recent advances of IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of an IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client can access the main server on a destination address that is different in each connection. In this way, the model provides isolation to the main server, prevents network scanning, and minimizes exposure. Moreover it provides a novel framework that supports flexible load balancing, high-availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype and experiments show that our model can prevent the main server from being scanned at a slight performance cost.
Publisher
Public Library of Science (PLoS)
Reference80 articles.
1. Deering, S. and Hinden, R. “Internet protocol, version 6 (IPv6) specification”. RFC 8200, 2017.
2. https://www.vyncke.org/ipv6status/
3. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide
4. https://www.facebook.com/ipv6/
5. https://teamarin.net/2019/04/03/microsoft-works-toward-ipv6-only-single-stack-network/
Cited by
1 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Towards a Behavioral and Privacy Analysis of ECS for IPv6 DNS Resolvers;2022 18th International Conference on Network and Service Management (CNSM);2022-10-31