As public IPv4 addresses become scarcer, multiple layers of NAT will be needed to keep the Internet running for years to come. The Large Scale NAT (LSN) systems used by service providers will cause problems for many applications. Today, many security filtering systems use lists of public IPv4 addresses to identify "undesirable" hosts on the Internet. As more and more Internet service providers deploy LSN systems, the effectiveness of these IPv4 filtering systems will diminish.
Can Large Scale NAT Save IPv4?
At the dawn of the Internet, hosts maintained lists of legitimate hosts. Computers used a static list of public IPv4 addresses in their /etc/hosts file to enable IP communications. You could think of these as the first "whitelists" of their era. When DNS servers were introduced and many hosts were added to them, it became nearly impossible to know all the valid hosts on the Internet. Not even Santa Claus has a list large enough to keep track of all the naughty and nice IPv4 addresses. My son, however, assumes that Santa today uses custom software and an optimized database to keep track of the world's children.
One of the first lists of "badly behaved" Internet hosts was a list of e-mail servers that would relay e-mail for domains other than their own. Because these servers could be used as spam relays, they were placed on lists that other e-mail servers would use to help detect and block spam. If your company's e-mail server IP address was on one of these lists, you might not be able to send e-mail, and it could take some effort to get your IP address removed from the list. These early blacklists evolved into DNS-based Blacklists (DNSBLs), where a host performs a DNS query to determine whether a mail server is acting as a spam relay.
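The DNSBL lookup described above, as an added Python example that is not part of the original article: it builds the reversed-octet query name, interprets the conventional 127.0.0.x answer, and treats an answer outside 127.0.0.0/8 as a broken or hijacked zone rather than as a listing. The zone name dnsbl.example.net, the return-code meanings and the offline stand-in resolver are all constructed for the demo and do not describe any real list operator.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed placeholder zone; not a real DNSBL operator.
DNSBL_ZONE = "dnsbl.example.net"

# Constructed return-code table. Real lists publish their own meanings for the
# 127.0.0.x answers they return; these values are assumptions for the demo.
RETURN_CODES = {
    "127.0.0.2": "open relay",
    "127.0.0.3": "dynamic/dial-up address",
    "127.0.0.4": "spam source",
}

# A resolver maps a query name to its A-record answers; [] stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the zone suffix."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answers(answers: List[str]) -> Tuple[bool, Optional[str]]:
    """Turn the A records returned for a DNSBL query into (listed, reason).

    No records (NXDOMAIN) means the address is not listed. Listed addresses
    conventionally answer inside 127.0.0.0/8; anything else is treated as a
    broken or hijacked zone and ignored rather than trusted as a listing.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    reasons = []
    for a in answers:
        try:
            if ipaddress.IPv4Address(a) not in loopback:
                return (False, "ignored: answer outside 127.0.0.0/8")
        except ValueError:
            return (False, "ignored: malformed answer")
        reasons.append(RETURN_CODES.get(a, f"listed (code {a})"))
    if not reasons:
        return (False, None)
    return (True, "; ".join(reasons))


def check_address(ip: str, resolver: Resolver, zone: str = DNSBL_ZONE) -> Tuple[bool, Optional[str]]:
    """Query one DNSBL zone for an address and return (listed, reason)."""
    return interpret_answers(resolver(dnsbl_query_name(ip, zone)))


# Constructed, offline stand-in for a DNS resolver so the example runs without network access.
FAKE_ZONE_DATA: Dict[str, List[str]] = {
    "10.2.0.192.dnsbl.example.net": ["127.0.0.2"],               # 192.0.2.10: open relay
    "20.2.0.192.dnsbl.example.net": ["127.0.0.2", "127.0.0.4"],  # 192.0.2.20: relay and spam source
    "30.2.0.192.dnsbl.example.net": ["198.51.100.7"],            # 192.0.2.30: bogus non-127 answer
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, check_address(ip, fake_resolver))
```

In a mail server you would swap `fake_resolver` for a real DNS lookup of the A record; the non-127 check matters because a list that has shut down and had its domain parked can start answering every query positively, which would block all inbound mail.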
These solutions build lists of "known bad" IPv4 addresses and offer them as a subscription service to customers, who use the lists to block inbound or outbound connections to those Internet systems. There are several different methods for coming up with a numerical reputation score for a public IP address.
Cisco's reputation algorithm creates a score between -10.0 and +10.0 using "over 200 aggregated and weighted parameters". TrustedSource, by CipherTrust/McAfee, uses sophisticated algorithms and real-time data to rate the trustworthiness of a site. Other algorithms create a numerical reputation score by analyzing site longevity, cleanliness, corporate stability, DNSSEC, community input and search-engine ratings, among other values. Subscribers to reputation services can configure policies based on reputation score, geography, protocol type, and OSI layer 8 and 9 information (politics/religion/money/preferences).
There are many reputation filtering vendors on the market and more being offered every quarter. Cisco IronPort uses reputation filters to filter e-mail and client web requests. Cisco IPSs can use reputation filters to detect and block connections. The Cisco Botnet Traffic Filter on their ASA firewalls uses a list to determine public IP addresses of botnet command-and-control systems. HP TippingPoint Digital Vaccine uses their own reputation system. Traditional AV suite vendors (Symantec, McAfee, Trend Micro, AVG, Sophos and others) also use reputation scores in their software. Microsoft's Forefront Threat Management Gateway (TMG) 2010 uses reputation filters as well.
Generally speaking, these reputation filtering systems make the assumption that an IP address is a single end system. In reality, multiple web sites can be hosted on a single web server IP address. This can happen with virtual host configurations, with the use of reverse proxies, with a Server Load Balancer (SLB) system, or with a NAT. These systems also break down when one web server hosts multiple web sites on different TCP port numbers. One web site may be completely legitimate while another web site may be riddled with malware waiting to infect any visitor. If malware is hosted on only one part of an otherwise legitimate site, the IP address of the entire site is added to the bad reputation list. If a single IP address ends up on a block list, the legitimate web sites will be affected. Malware is usually detected and removed after it has been on a site for only a few hours. However, the IP address can remain in the reputation filters for many days. This could result in either an accidental or a deliberate DoS attack if your server's IP address ends up on a bad reputation list. This situation can exist whether your server uses IPv4 or IPv6.
Recent news about the IPv4 global address pool depletion has quickened the pulse of Internet service providers around the globe. Service providers realize that they will need to support IPv4 for decades to come, and one of the methods they could use is Large Scale NAT (LSN). Customers would not be issued public IPv4 addresses but rather private IPv4 addresses, and the carrier's backbone would use these private IPv4 addresses. The Large Scale NAT system would translate these private IPv4 addresses used by subscribers into a pool of public IPv4 addresses that could communicate with the Internet (i.e. NAT444). However, when a service provider deploys an LSN it will cause problems for many of its customers. The customers behind an LSN system will experience higher latency because all their traffic is back-hauled through the LSN device. Any application with an embedded IPv4 address could experience significant difficulties. It would be impossible for content providers to perform geolocation, and it could make Geographical Server Load Balancing (GSLB) less functional.
The use of LSN will cause significant problems for the reputation filters. If a single IPv4 address from an LSN public address pool makes its way onto a bad reputation list, then any organization using that reputation system could have its legitimate communications blocked. Therefore, IPv4 reputation filtering becomes less effective with multiple layers of NAT. When the larger ISPs deploy their LSN systems will dictate the longevity of these IPv4 reputation filtering systems. Reputation filtering systems can start to use IPv6 addresses and keep track of legitimate and malicious nodes' IPv6 addresses. Because IPv6 was intended to function without any NAT, with all hosts using public IPv6 addresses, reputation filtering will not suffer these LSN problems if it uses IPv6.
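The collateral effect described in the last three paragraphs (a shared address carrying the reputation of every host behind it, and a listing that outlives the malware that caused it), as an added Python model that is not part of the original article: four constructed subscribers sit behind one NAT444 pool address; a filter keyed on the public IPv4 address blocks all of them when one is reported, while a filter keyed on their IPv6 addresses blocks only the reported host. The addresses, the three-day listing lifetime and the four-hour cleanup time are assumptions chosen for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Subscriber:
    name: str
    private_ipv4: str  # RFC 1918 address the ISP hands out (inside the NAT444)
    public_ipv4: str   # LSN pool address, shared with other subscribers
    ipv6: str          # global IPv6 address, unique to this subscriber, no NAT


@dataclass
class Listing:
    listed_at: datetime
    ttl: timedelta


class ReputationFilter:
    """Block list keyed on whatever address string the caller chooses."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self.entries: Dict[str, Listing] = {}

    def report(self, address: str, when: datetime) -> None:
        """Record a bad-reputation report; the entry lives for `ttl`."""
        self.entries[address] = Listing(when, self.ttl)

    def is_blocked(self, address: str, now: datetime) -> bool:
        entry = self.entries.get(address)
        return entry is not None and now < entry.listed_at + entry.ttl


# Constructed subscriber set: one LSN pool address (TEST-NET-3) shared by all four.
LSN_POOL_ADDR = "203.0.113.1"
SUBSCRIBERS = [
    Subscriber("alice", "10.0.0.2", LSN_POOL_ADDR, "2001:db8:1::2"),
    Subscriber("bob",   "10.0.0.3", LSN_POOL_ADDR, "2001:db8:1::3"),
    Subscriber("carol", "10.0.0.4", LSN_POOL_ADDR, "2001:db8:1::4"),
    Subscriber("dave",  "10.0.0.5", LSN_POOL_ADDR, "2001:db8:1::5"),  # the infected host
]
OFFENDER = SUBSCRIBERS[3]
T0 = datetime(2011, 3, 1, 9, 0)
LISTING_TTL = timedelta(days=3)    # assumed lifetime of an entry in the reputation feed
CLEANUP_TIME = timedelta(hours=4)  # assumed time until the malware is removed


def blocked_innocents(key: str, now: datetime = T0) -> List[str]:
    """Subscribers other than the offender that a filter keyed on `key` blocks at `now`."""
    filt = ReputationFilter(LISTING_TTL)
    filt.report(getattr(OFFENDER, key), T0)
    return [s.name for s in SUBSCRIBERS
            if s is not OFFENDER and filt.is_blocked(getattr(s, key), now)]


def blocked_after_cleanup(key: str) -> bool:
    """Is the offender still blocked once the malware has been removed?"""
    filt = ReputationFilter(LISTING_TTL)
    filt.report(getattr(OFFENDER, key), T0)
    return filt.is_blocked(getattr(OFFENDER, key), T0 + CLEANUP_TIME)


if __name__ == "__main__":
    for key in ("public_ipv4", "ipv6"):
        print(f"keyed on {key}: innocents blocked = {blocked_innocents(key)}, "
              f"offender still blocked after cleanup = {blocked_after_cleanup(key)}")
```

Keying on the IPv4 address gives the filter no way to tell the subscribers apart, so every report against the pool address is a small denial of service against the other three for the full listing lifetime; keying on the IPv6 address confines the block to the host that was actually reported, although the entry still outlives the infection unless the feed ages entries out faster.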
Scott