• Title/Summary/Keyword: Stateless Firewall


An Inference Method of Stateless Firewall Policy Considering Attack Detection Threshold

  • Kim, Hyeonwoo; Kwon, Dongwoo; Ju, Hongtaek
    • Journal of Internet Computing and Services, v.16 no.2, pp.27-40, 2015
  • Inferring firewall policy is to discover firewall policy by analyzing response packets as results of active probing without any prior information. However, a brute-force approach for generating probing packets is unavailable because the probing packets may be regarded as attack traffic and blocked by the attack detection threshold of a firewall. In this paper, we propose a firewall policy inference method using an efficient probing algorithm which considers the number of source IP addresses, the maximum probing packets per second and the interval size of adjacent sweep lines as inference parameters to avoid detection. We then verify whether the generated probing packets are classified as network attack patterns by a firewall, and present the result of the evaluation of correctness by comparing the original firewall policy with the inferred firewall policy.

Configuring Hosts to Auto-detect (IPv6, IPv6-in-IPv4, or IPv4) Network Connectivity

  • Hamarsheh, Ala; Goossens, Marnix; Alasem, Rafe
    • KSII Transactions on Internet and Information Systems (TIIS), v.5 no.7, pp.1230-1251, 2011
  • This document specifies a new IPv6 deployment protocol called CHANC, which stands for Configuring Hosts to Auto-detect (IPv6, IPv6-in-IPv4, or IPv4) Network Connectivity. The main part is an application level tunneling protocol that allows Internet Service Providers (ISPs) to rapidly start deploying IPv6 service to their subscribers who are connected to the Internet via IPv4-only access networks. It carries IPv6 packets over the HTTP protocol to be transmitted across IPv4-only network infrastructure. The key aspects of this protocol are: offers IPv6 connectivity via IPv4-only access networks, stateless operation, economical solution, assures most firewall traversal, and requires simple installation and automatic configuration at customers' hosts. All data packets and routing information of the IPv6 protocol will be carried over the IPv4 network infrastructure. A simple application and a pseudo network driver must be installed at the end-user's hosts to make them able to work with this protocol. Such hosts will be able to auto-detect the ISP available connectivity in the following precedence: native IPv6, IPv6-in-IPv4, or no IPv6 connectivity. Because the protocol does not require changing or upgrading customer edges, a minimal cost in the deployment to IPv6 service should be expected. The simulation analysis showed that the performance of CHANC is pretty near to those of native IPv6, 6rd, and IPv4 protocols. Also, the performance of CHANC is much better than that of the D6across4 protocol.