A Conflict Detection Method for IPv6 Time-Based Firewall Policy

Firewalls have been a very important secure tool to protect networks against attacks, which usually filter the unauthorized traffic entering the secured network. The packet filleting based on a predefined collection of ordered rules. Along with the IPv6 protocol is widely used, and the security issues comes with it. Firewall for IPv6 network, as an important element to protect network security, it will be not able to filter packets correctly if there are conflicts that caused by the same packet matching two or more rules. In addition, a new kind of firewall with time constraint is used more and more widely by different firewall company, such as, ACLs of Cisco, Iptalbes of Linux, and the like. It is a hard work to manage the rules in IPv4 firewall policy, not to mention the rules in IPv6 time-based firewall policy. Many methods have been proposed to analyze and detect the conflicts of individual or distributed firewall policies. However, very few of them can deal with the time constraint of rules. Therefore, it is an urgent problem to detect the conflicts of the IPv6 time-based firewall policy. In order to solve this problem, we describe a method, which can analyze the IPv6 time-based firewall policy. We use a formal method to analyze the me: ' g of IPv6 time-based firewall policy. Next, we take the formal validation tool (SNIT solver 13) to detect all the possible conflicts between every two rules. Lastly, we developed an experimental system to evaluate the performance of our method.