Title: | Design and Implementation of an IP Management Scheme to Enforce Legal Use of IP Addresses |
Authors: | 李雨龍 Lee, Yu-Lung; 曾建超 Tseng, Chien-Chao; Degree Program, College of Computer Science |
Keywords: | IP Networks; DHCP; IP Management; Dynamic IP assignment; Message Exchange; IP Conflict |
Publication date: | 2008 |
Abstract: | In this thesis, we propose an IP management scheme to enforce the legal use of IP addresses in the IP network. The IP network uses IP addresses as the identities of network devices. Therefore, each device needs a unique IP address so that devices can communicate with one another in the network. When two or more devices use the same IP address in the same network domain, an IP Conflict problem occurs and the host with a legal IP address may not be able to access the IP network. Therefore, we propose an IP management scheme that can resolve the IP Conflict problem by managing all IP addresses and controlling the use of each IP address. As a consequence, it can not only assure the access right of legal users but also block the illegal use of IP addresses. Furthermore, it allows a device to configure its IP address either statically or dynamically without registering the address beforehand.
The basic idea of the proposed scheme is to bind users, IP addresses, MAC addresses and port numbers dynamically so that we can manage all IP addresses and control the use of each IP address without a priori information on the bindings. Furthermore, in order to resolve the IP Conflict problem, the proposed scheme also blocks illegal users at network entry points, namely Authenticators, which could be situated at Ethernet switches or wireless access points.
The proposed scheme employs an IP Management Server to manage all IP addresses and augments Authenticators to allow only the traffic from legal users with correct IP addresses. Furthermore, the proposed scheme adopts an extended Dynamic Host Configuration Protocol (DHCP) for Authenticators to communicate with the IP Management Server, offering the maximum flexibility in using IP addresses.
The IP Management Server records the bindings of IP addresses with both user accounts and MAC addresses in an IP Address Assignment Table. The binding between an IP address and a user account can be static or dynamic; that is, a user can either pre-subscribe to an IP address permanently or acquire one dynamically when needed. On the other hand, the binding between an IP address and a MAC address is done dynamically by the IP Management Server when the server receives an IP Assignment request from the MAC address used by a legal user.
Different from the Authenticator in 802.1X, the Authenticator in our scheme binds user accounts to IP addresses, MAC addresses and port numbers in its Supplicant State Table. With the Supplicant State Table, an Authenticator can ensure legal use of IP addresses, protecting legal users while blocking illegal users.
We have implemented the proposed scheme to verify its effectiveness. The experimental results show that the proposed scheme can indeed enforce legal use of IP addresses with maximum flexibility. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT009567593 http://hdl.handle.net/11536/39871 |
Appears in collection: | Theses |