01 logo

[original practice] upgrade and renovation scheme of IPv6, a district government portal

by Ron Burrows 3 months ago in cybersecurity
Report Story

Information security

The situation of District Government Portal

The server of the district government website is located in the local computer room, which supports the operation and management of the portal. The traditional IPv4 network structure is shown in the following figure.

Upgrade requirements and objectives

The upgrade and transformation of the district government portal IPv6 is based on the existing IPv4 network and connects to the IPv6 network to ensure that IPv6 netizens can access the district government website without obstacles. The upgrade objectives are:

1. Access ability. Netizens from IPv6 network can access the website smoothly, and the user experience is not lower than that of netizens on traditional IPv4 network.

two。 Security. The system transformation does not introduce any additional security risks and does not affect the reduction of the original level of protection.

3. Normative. The new IPv6 channel system should meet the global next generation Internet technology standards, and the software and hardware technologies used can meet the requirements of relevant laws and regulations on intellectual property rights.

5. Scalability. The new IPv6 channel system has good scalability, which can expand the bandwidth and performance with the increase of IPv6 netizens, and can be stacked to improve performance if necessary.

6. Timeliness. The transformation of the system can be completed quickly in a short period of time and within the time limit required by the country.

7. Cost-effective. Achieve the above goals with the lowest cost.

Thoughts on upgrading and Transformation of IPv6

In order to upgrade the network and support the access of IPv6 users, this scheme adopts translation conversion technology and provides special IPv4/IPv6 protocol conversion services to achieve the access of district government portals to IPv6 users. The support rate of secondary and tertiary links is 100%.

Introduction to Translation conversion Technology

There are two translation technologies that meet the global Internet standards: stateless translation technology (IVI) and stateful translation technology (NAT64). In addition, there is a non-standard application layer proxy technology, also known as reverse proxy technology. The comparison of different translation techniques is shown in the table below.

Comparison of project IVI stateless translation scheme NAT64 and other translation schemes

Network security violation risk support static mapping accurate traceability, support IPv4/IPv6 protocol conversion log recording function, log storage and query for more than 180 days, fully meet the requirements of the network security law, do not meet the requirements of the network security law, the network police can give warnings and fines to the unit and the responsible person according to the network security law, and bear criminal responsibility if the circumstances are serious

Hacker intrusion risk does not introduce any security risks, the highest security, do not give hackers any opportunity hidden dangers and loopholes emerge one after another, a little inadvertently will be attacked, there are a large number of negative cases

The performance-to-price ratio of the initial investment is large, and the initial investment is small for continuous use within 5 years without expansion. With the increase in the flow of IPv6 users across the country, the capacity will be expanded every year, and the long-term cost is extremely high.

Final solution

Add one or two (two-way mutual backup) IVI stateless translation devices to the network entrance equipment or firewall in the central computer room of the district government, translate the visiting IPV6 traffic into IPV4 traffic and then return to the original path of IPV4 to enter the internal network, and the original IPV4 protection system continues to be effective to protect the network system. This is shown in the following figure.

Solution advantages:

1. In the scheme, translation technology is used to provide IPv6 network environment through operators; the user Internet keeps the IPv4 unchanged and the application system keeps the IPv4 unchanged.

two。 The high reliable design of IVI stateless translation system is adopted, and the routing of the original IPv4 traffic remains unchanged. The new IPv6 traffic and IPv4/IPv6 interworking traffic are translated with high performance and reliability through the IVI translation system.

3. There is no need to host HTTPS certificates on the translation platform, so the risk of certificate disclosure caused by certificate hosting to the translation platform is avoided.

4. The translation platform does not cache any origin server content, so it avoids the risk of cache attacks and cache contamination caused by content caching.

5. The translation platform does not cache the content of any third-party websites, so it avoids the copyright disputes of piracy and content infringement caused by content cache.

6. It has excellent security protection capability, and the translation platform itself has the ability to resist DDoS attacks.

7. The translation platform does not change the IP address characteristics of IPv6 visitors, does not need the origin server firewall devices, anti-DDoS devices, WAF and other security devices to open special release policies, will not destroy the security protection system of the origin server due to the release of IPv6 traffic, and will not become a new channel for hackers to access IPv6.

8. The translation platform supports precise traceability, can uniquely correspond to the translated IPv4 address to the IPv6 address, and supports the origin server to implement access control for a certain IP address (such as blocking the access permission of a certain IP address) for simple and rapid upgrades. The original IPv4 website does not need to be modified and does not affect the normal operation of the original business.

9. Set aside expansion space and interfaces for smooth upgrade of intranet IPv6 in the future.

Specific implementation plan:

In order to ensure that the tasks are completed on time, the overall work will be arranged according to the availability of network conditions in the implementation process, in accordance with the principles of step-by-step implementation, separate acceptance and unified verification, to ensure the completion of IPv6 transformation in quality and quantity on time. The specific tasks are broken down as shown in the following table.

Content description quantity unit

The scheme confirms the optimization and finally determines the technical solution of irregular static data backup.

Equipment prepares stateless IPv4/IPv6 translator for occasional static data backup

The implementation system of the scheme has entered the trial operation stage of irregular static data backup.

The trial operation corrects the problems in the trial operation phase, and the irregular static data backup is officially launched.

Quality assurance maintenance continuously track the operation of the system, perform the necessary corrections, real-time update and dynamic data backup

Acceptance method:

1. Whether you can visit the web page normally in a pure IPv6 environment. Use full inspection or random inspection to verify whether you have the ability to access IPv6.

two。 The national IPv6 development monitoring platform (https://www.china-ipv6.cn) was used for testing. The district government website passed the test of the national IPv6 development monitoring platform, and ensured that the IPv6 support rate of the home page, secondary and tertiary links of the website reached 100%.

Scan code subscription ~ ~

cybersecurity

About the author

Ron Burrows

Reader insights

Be the first to share your insights about this piece.

How does it work?

Add your insights

Comments (1)

Sign in to comment
  • test2 months ago

    Good writing

Find us on social media

Miscellaneous links

  • Explore
  • Contact
  • Privacy Policy
  • Terms of Use
  • Support

© 2022 Creatd, Inc. All Rights Reserved.