IPv6
Taekyoung Kwon
[email protected]
Courtesy of
Jeff Doyle, [email protected]
김용운, Initech Co.
Outline
• Limitation of IPv4
• Features of IPv6
– ICMPv6
– Neighbor Discovery
– Autoconfiguration
• Addressing
• Transition
• IPv6 proponent
• IPv6 opponent
Limitations of IPv4
• The current version of IP (IPv4)
– RFC 791, which was published in 1981
– Proven to be robust, easily implemented and interoperable.
• Universal addressing
• Best effort service
– 32-bit address space: 4,294,967,296 addresses (2^32)
– Allocate addresses by classes
• A, B, C, and D class
• Growth of applications and users
• IPv4 did not anticipate
– Exhaustion of IPv4 address space
– Backbone routers maintain large routing tables
• Routinely over 85,000
– The need for simpler configuration
– User requirements for mobility, security and QoS
Temporary IPv4 Solution
• CIDR (Classless Inter-Domain Routing)
– Efficiently restructures the existing IPv4 address space
• DHCP (Dynamic Host Configuration Protocol)
– Dynamic allocation of IPv4 addresses
• NAT (Network Address Translator)
[Figure: Host, NAT, Internet, Web Server; addresses shown: 192.168.0.10, 131.107.47.119, 157.60.13.9]
NATs
• Network address translation = local, LAN-specific
address space translated to small number of
globally routable IP addresses
• Motivation:
– scarce address space
– prevent home broadband users from running servers at
home
– security: prevent unsolicited inbound requests
– avoid renumbering if provider changes
• most small/mid-sized LANs inherit address space from ISP
Prevalence of NATs
• Claim: 50% of broadband users are behind NATs
• All Linksys/D-Link/Netgear home routers are NATs
• Measurement: for Quake III users, about 17-25%
using NAT (May/June 2001)
NAT types
• All use net-10/8 (10.*.*.*) or 192.168/16
(172.16/12 also available)
• Address translation
• Address-and-port translation (NAPT)
– most common form today, still called NAT
– one external (global) IP address
NAT Causes Problems
• Breaks globally unique address model
• Breaks address stability
• Breaks always-on model
• Breaks peer-to-peer model
• Breaks some applications
• Breaks some security protocols
• Breaks some QoS functions
• Introduces a false sense of security
• Introduces hidden costs
IPv6 = plentiful, global addresses = no NAT
On next generations: starter for IPv6
IPv6 Major changes
IPv6 advantages
• Increased address space
– 2^128 = 67 billion billion addresses per cm^2 of the planet surface
• Hierarchical address architecture
– Improved address aggregation
• More efficient header architecture
– Improved routing efficiency, in some cases
• Neighbor discovery and autoconfiguration
– Improved operational efficiency
– Easier network changes and renumbering
• Multiple network prefixes: “make-before-break”
• Integrated security, mobility features
• QoS
– Traffic class
– Flow management (flow label)
• Peer-to-peer applications
IPv6 basic header
IPv6 – extension headers
IPv6 – Extension Headers (Cont’d)
New Services
[Figure: IPv6 header and extension headers mapped to new services.
Basic header fields: Version, Class, Flow Label, Payload Length, Next Header (N. H.), Hop Limit, Source Address, Destination Address.
Extension headers: Hop-by-hop Options Extension Header (Jumbo Payload Length Option, Router Alert Option), Destination Options Header (With ICMPv6), Routing Header, Fragment Header, Authentication Header, ESP Header, Destination Options Header.
Router Alert values: = 0 (MLD), = 1 (RSVP), = 2 (AN).
Service labels: QoS, Active Network, Multicast, Optimizing MAC Layer, Route Optimize, Binding Update (Piggybacking), Plug-n-Play, Mobility, Security.]
Routing header
IPv6 Control Protocols
• ICMPv6
– Change from ICMP for IPv4
• NDP
– Neighbor Discovery on the same link
• MLD
– Multicast Listener Discovery
– Same as IGMP for IPv4
ICMPv6 – RFC 2463
(Internet Control Message Protocol for IPv6)
• Change from ICMP for IPv4 (RFC 792)
• ICMPv6 (ICMP for IPv6)
– The purpose is to provide feedback about problems in the
communication environment, not to make IP reliable
• ICMPv6 Message Class
ICMPv6 (Cont’d)
Path MTU Discovery
• The path MTU is the minimum link MTU of all links on a path
between a source and a destination.
– IPv6 packets with a maximum size of the path MTU do not
require fragmentation
– To discover the path MTU, the sending node uses the receipt of
ICMP Packet Too Big messages.
– IPv6 minimum link MTU : 1280 octets
Multicast Listener Discovery
• Purpose of MLD
– Used by an IPv6 router to discover the presence of multicast
listener on its directly attached links,
– And discover specifically which multicast addresses are of
interest to those neighboring nodes
• Two kinds of entities
– Multicast listener
– Multicast router
• IPv6 Router Alert option in a Hop-by-Hop Options header
• Messages
– Multicast listener query: link-local all-node or mcast-address-specific
– Multicast listener report
– Multicast listener done
NDP
(Neighbor Discovery Protocol)
• Replaces ARP, ICMP router discovery, and
the ICMP Redirect message used in IPv4
– To discover each other’s presence,
– To determine each other’s link-layer addresses,
– To find routers and to maintain reachability information
about the path to active neighbors
• ICMP types defined
– Router Solicitation
– Router Advertisement
– Neighbor Solicitation
– Neighbor Advertisement
– Redirect
NDP (Cont’d)
• Router Solicitation (RS)
– Sent by an IPv6 host to discover the presence of IPv6 routers on the link and to
prompt IPv6 routers to respond immediately
• Router Advertisement (RA)
– IPv6 routers send the RA pseudo-periodically and in response to the
receipt of a RS message.
– Contains the information
• Link prefixes, link MTU, specific routers, and duration
• Neighbor Solicitation (NS)
– Sent by IPv6 host to discover the link-layer address of an on-link IPv6
node.
– And for duplicate address detection (DAD)
• Neighbor Advertisement (NA)
– IPv6 node sends the NA in response to a NS and sends unsolicited NA to
inform neighboring nodes of link-layer addresses
– And for DAD
• Redirect
– Sent by an IPv6 router to inform an originating host of a better first-hop
address for a specific destination
IPv6 Addressing
• 128-bit address scheme
– x:x:x:x:x:x:x:x
– ‘x’s are the hexadecimal values of the eight 16-bit pieces
of the address
– ‘::’ indicates multiple groups of 16 bits of zeros. Used
only once
• 3ffe:2e01:0:0:0:31:0:21 -> 3ffe:2e01::31:0:21
– ipv6-address/prefix-length
• 3ffe:0000:0000:cd30:0000:0000:0000:0000/64
• 3ffe::cd30:0:0:0:0/64
• 3ffe:0:0:cd30::/64
IPv6 Addressing (Cont’d)
• IPv6 address structure
– Formed from a combination of the:
• Prefix: 3FFF:0301:DEC1::
• Interface ID: 0A00:2BFF:FE36:701E
– Prefix representation: 3FFF:0301:DEC1::/64
• Separation of “who you are” from “where you are
connected to”
– Routing prefix: routing topology
– Node identification: interface identifier
IPv6 Addressing (Cont’d)
• Basic Address Types
– Unicast
• An identifier for a single interface
• A packet sent to a unicast address is delivered to the interface
identified by that address
– Anycast
• An identifier for a set of interfaces
• A packet sent to an anycast address is delivered to one of the
interfaces identified by that address
• Router only
– Multicast
• An identifier for a set of interfaces
• A packet sent to a multicast address is delivered to all
interfaces identified by that address
Address Type Representation
Address type         Binary prefix         IPv6 notation
Unspecified          00...0 (128 bits)     ::/128
Loopback             00...1 (128 bits)     ::1/128
Multicast            11111111              FF00::/8
Link-local unicast   1111111010            FE80::/10
Site-local unicast   1111111011            FEC0::/10
Global unicast       (everything else)
Site-local address is likely to be deprecated
Global Unicast Addresses
| global routing prefix (n bits) | subnet ID (m bits) | interface ID (128-n-m bits) |
• Global routing prefix: typically hierarchically-structured
• If prefix doesn’t start with 000, n+m = 64 bits
– Then interface ID is 64 bits, too
• If prefix starts with 000, no constraint on boundary
– Embedded IPv4 address (two kinds)
Unicast Address
• IPv6 Address with Embedded IPv4 addresses
– IPv4-compatible IPv6 address
• For hosts and routers to dynamically tunnel IPv6 packets over IPv4
routing infrastructure
• ::147.46.216.57
– IPv4-mapped IPv6 address
• To represent the addresses of IPv4-only nodes as IPv6 addresses
• ::FFFF:147.46.216.57
• Local-use IPv6 Unicast Addresses
– Link local address
• Fe80::/10
– Site local address
• Fec0::/10
Unicast Address (Cont’d)
• Stateful: DHCP
• Autoconfiguration address
– IEEE EUI-64 identifiers from the 48-bit MAC
– 128-bit address autoconfiguration
• Subnet prefix + Interface ID
IPv6 unicast (Cont’d)
• Address Zone and Scopes
[Figure: address zones and zone boundaries: Links grouped into Sites, within the global Internet]
Anycast
• Expected Use
– To identify the set of routers belonging to an organization
providing internet service
– To identify the set of routers attached to a particular subnet, or
the set of routers providing entry into a particular routing
domain
• Subnet Anycast Addresses
– Packets sent to the Subnet-Router anycast address will be
delivered to one router on the subnet
Multicast
• Addressing Type
• Flag is a set of 4 flag bits
– T = 0 permanent (well-known) assignment, IANA
– T = 1 temporary assignment
• Scope is a 4-bit multicast scope value
– 1: interface-local scope
– 2: link-local scope
– 4: admin-local
– 5: site-local scope
– 8: organization-local scope
– E: global scope
Multicast (Cont’d)
• Solicited-node multicast address
– Made from the IPv6 unicast address (rightmost 24 bits)
• IPv4 Broadcast address is replaced by
– Link-local scope all-nodes multicast
IPv6 – A Lot of Addresses
• Multiple unicast addresses can be assigned to an
interface
– Different Reachability Scope
• Link-local/Site-local/Global
– Privacy Considerations
• Public/temporary
– Mobility
• HoA/CoA
– Multi-Homing situation
– Dual stack situation
• IPv4 addresses
Back to NDP
Address Resolution
Address Resolution (Cont’d)
Duplicate Address Detection
DAD (Cont’d)
Router Discovery
Router Discovery (Cont’d)
Autoconfiguration
• Stateful Mechanism
– Obtain interface address and configuration information
from DHCP server
– A site requires tighter control over exact address
assignments.
• Stateless Mechanism
– Allows a host to generate its own address using a
combination of locally available information and information advertised by routers
– A site is not concerned with the exact address hosts use
• Both mechanisms may be used simultaneously
Stateless Autoconfiguration
• Several steps
– Link-local address creation
– Duplicate address detection
– Discover the routers on-link
– Configure hosts addresses (and other parameters)
Source Address Selection
• Selecting IPv6 source for IPv6 destination
1. Prefer same address (for loopback)
2. Prefer appropriate scope
3. Avoid deprecated address
4. Prefer home address over care-of addresses
5. Prefer source assigned to originating interface.
6. Prefer matching label from policy table.
7. Prefer public addresses.
8. Use longest-matching-prefix.
Destination Address Ordering
• Select best source for each destination, IPv6 and
IPv4
1. Avoid unusable destinations.
2. Prefer matching scope.
3. Avoid deprecated source addresses.
4. Prefer home source addresses.
5. Prefer matching label from policy table.
6. Prefer destinations with higher precedence.
7. Prefer smaller scope destinations.
8. Use longest-matching-prefix.
9. Otherwise, leave order from DNS unchanged
Transition Assumptions
• No “Flag Day”
– Last Internet transition was 1983 (NCP → TCP)
• Transition will be incremental
– Possibly over several years
• No IPv4/IPv6 barriers at any time
• No transition dependencies
– No requirement of node X before node Y
• Must be easy for end user
– Transition from IPv4 to dual stack must not break anything
• IPv6 is designed with transition in mind
– Assumption of IPv4/IPv6 coexistence
• Many different transition technologies are A Good Thing™
– “Transition toolbox” to apply to myriad unique situations
IPv6 proponent
Myth
We do not need IPv6
2016-05-23
Juniper Networks Proprietary &
Confidential
54
Reality
• IPv4 addresses are becoming increasingly scarce
– North America: 74% of allotted addresses
– Europe: 17% of allotted addresses
– Asia: 9% of allotted addresses
• A little arithmetic:
– Population of People’s Republic of China = 1.3 billion
– Usable global IPv4 addresses = 3.7 billion
– ~65% of global IPv4 addresses already allotted
– Remaining 35% (1.3 billion) could be depleted by this single
country!
Source: Wired.com
Myth
IPv4 addresses will soon be
depleted
Reality
• 35% of IPv4 addresses still available
• IPv4 will never be depleted
• But, acquiring them will become increasingly
difficult/expensive
Myth
The Internet is secure enough
Reality
• Security? What security?
– 70% of WiFi access points run without encryption
– 86% of consumers keep sensitive health, financial, or personal
information on their computers*
– 91% of users have spyware on their home computers*
– Very few users understand security risks and how to alleviate
them
– NAT is not a security solution
– Modern firewalls look like Swiss Cheese
• IPv6 offers the opportunity for true end-to-end security
*Source: National Cyber Security Alliance
Myth
The Internet is stable enough
Reality
• Stability on the Internet is terrible
– Primary cause is a long history of poor IPv4 multihoming
practices
• IPv6 offers the opportunity of implementing and
enforcing intelligent multihoming
Myth
IPv6 needs a “killer app”
Reality
• We need enough addresses for the applications we
already have
• Adoption of IPv6 will precede the advent of new
kinds of applications
• Elimination of NAT creates a fertile environment
for innovation
Peer-to-Peer Networking:
A Fertile Field
P2P: The sharing of computer resources and services
by direct exchange between systems.*
* P2P Working Group
…this is one of the characteristics of the early Internet
Peer-to-Peer Networking:
Growing Possibilities
• Content sharing
– Napster was a wake-up call
– Kazaa, Morpheus, FreeNet,
Grokster, Gnutella, many more…
• Distributed data processing (grid computing)
– SETI@home
– Folding@home
– Popular Power
– United Devices
• Business collaboration systems
– Serverless groupware
– Multimedia conferencing
• Distributed applications
– Black-hat hackers already appreciate this (DDoS)
• Online gaming
Myth
Adoption of IPv6 means
turning off IPv4 first
Reality
• Transition to IPv6 will be incremental and cautious
• IPv6 is designed to coexist with IPv4
Myth
Transition to IPv6 will be
complicated and expensive
Reality
• It doesn’t have to be
• IPv6 will be operationally cheaper
– No NAT = cheaper operations, cheaper applications
– IPv6 addresses easier to acquire
– IPv6 addressing designs much simpler
– IPv6 address integration much easier
– Easier re-addressing
Majority of transition costs:
Initial operational adjustments
IPv6 Transition
• Systems management
• Education
• Integration
Network Operational Costs (no NAT)
Myth
There is not yet enough vendor
support for IPv6
Reality
• Operating systems supporting IPv6:
Microsoft (XP, Windows Server 2003), Apple (MAC OS X), Solaris, Linux,
BSD, HP-UX, AIX, SCO, Solaris…
• Routing platforms supporting IPv6:
6Wind, Cisco, Ericsson Telebit, Extreme, Foundry, Fujitsu, Hitachi,
IPInfusion, Juniper, NEC, Nortel, Procket, Sumitomo Electric, Zebra…
• IPv6 applications and utilities:
Chat, DNS, firewalls, FTP, games, IPSec, Java, mail, monitoring,
videoconferencing, web servers…
(See www.ipv6forum.org for details)
Myth
There are too many issues still to
be solved
Reality
• A rich suite of transition tools is available
– Dual stacks
– Tunnels
• Configured
• Automatic
– Translators
• Network Layer
• Transport Layer
• Application Layer
Call to Action
• IPv6 is imperative for the continued evolution of
network services
• IPv6 is happening now!
• Present focus must be on applications,
applications, and more applications
IPv6 opponent
• The Internet is quickly running out of addresses?
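IP addresses are managed by IANA (Internet Assigned Numbers
Authority), which allocates addresses to the RIRs
(Regional Internet Registrars) as needed.
At the recent rate of consumption, IP addresses would run out
in about 20 years, and even if the consumption rate increases,
NAT can be used to greatly reduce the need for IP addresses.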
IPv6 opponent
• Routing table size?
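• In fact, the bigger problem is not the shortage of IP addresses
but how to accommodate and handle the size of routing tables.
• That is, the use of IPv6 addresses and the numerous IPv6
subnets this creates will greatly complicate route
aggregation at Internet backbone routers, and may lead ISPs
not to advertise routing information for IPv6 subnets, or to
ignore it.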
IPv6 opponent
• NAT is bad, and IPv6 eliminates the need for it?
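NAT is used as a remedy for the shortage of public IP addresses,
but it has the problem of violating the end-to-end communication model.
NAT prevents a host outside the NAT router from initiating
communication with a host inside, which makes it hard to run servers.
Port translation can be used to work around this,
but only one server can be mapped to each port.
Nevertheless, NAT acts as a shield that hides internal hosts from
external domains and is therefore also used for security purposes,
so adopting IPv6 as an alternative to NAT would result in
reduced security.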
IPv6 opponent
• NAT (cont’d)
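• NAT can affect the balance of power between home users and ISPs.
ISPs charge for allocating additional IP addresses, and also
apply different rates depending on whether a dynamic or a static IP
is used. So in theory, when an ISP moves to IPv6, it could earn
more revenue as users use more addresses.
However, users would try to get around this by using IPv6 NAT,
so the ISP gains no real benefit from moving to IPv6.
It is believed that always-on network devices need more IP addresses,
that this will rule out NAT, and that they need permanent
static IP addresses rather than temporary ones.
However, NAT reduces the need for static IP addresses, and
few applications need a static IP.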
IPv6 opponent
• Peer-to-peer applications will require IPv6?
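The argument for needing IPv6 is that IP telephony, Internet games,
videoconferencing, and other P2P applications do not work in a NAT environment.
This rests on the mistaken assumptions that a permanent static IP is
needed to locate users, and that NAT makes bidirectional communication,
or a client outside the NAT initiating communication with a server inside,
impossible.
In practice, SIP and H.323 IP phones work well inside a NAT router's
internal network, because they register themselves with a user management
server (public servers) when first powered on, and once registration is
complete, bidirectional communication becomes possible. Microsoft's Xbox
Live service also works well with NAT; the Xbox first registers itself
with Microsoft's game servers.
Almost all P2P applications take the form of client/server applications,
in which a server mediates between P2P user endpoints
and acts as a broker in creating, monitoring, or terminating
sessions. IPv6 offers no particular advantage for these applications.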
IPv6 opponent
• End-to-end must be deemed important?
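The end-to-end Internet service model that IPv6 can offer, compared with NAT,
is no longer realistic or useful, and this is not because
NAT routers exist.
Enterprises deploy intermediaries such as firewalls, most with built-in NAT,
and web proxy servers, and most IP voice and multimedia sessions
use SIP proxy servers as communication intermediaries.
Through these intermediary devices, ISPs aim to move beyond simply
providing Internet access over IP bandwidth and to increase
profitability by offering added value.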
IPv6 opponent
• In order to support IPv6, how must businesses change their
networks?
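Over time, companies will move to IPv6-compatible switches, routers, and
PC and server operating systems.
When companies move to IPv6, hardware and software costs will not be
large; the real cost lies in management and operations. When IPv4 and
IPv6 are run overlaid on the same physical network, a very complex
network environment results, and troubleshooting becomes very difficult.
The dual IPv4/IPv6 stacks installed on hosts will also complicate
management, operations, and troubleshooting.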
IPv6 opponent
• Better security?
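• People say IPv6 is more secure because it has IPsec built in,
but this can no longer be called a distinguishing advantage.
Enterprises are already using IPsec or SSL VPNs.
If you do not want to give up NAT, there are not many benefits to be
gained from IPv6. Enterprises like NAT very much because it lets them
hide their IP addresses behind a firewall and thereby avoid being
attacked.
• It is claimed that IPv6 is more secure because IPsec is built in,
but rather than the security threat of information theft, the risk is that
new IPv6 DNS servers, web servers, web browsers, and so on must include
new code to support IPv6, and this is exactly where they may have
security vulnerabilities.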