Tunneling is one of the main mechanisms for the IPv4-to-IPv6 transition; by prepending an outer header it solves the communication problem of IPv4 or IPv6 islands. This paper analyzes tunnel traffic, shows that the number and type of its layers are uncertain, and proposes the concept of a generalized tunnel. It studies how a traditional dual-stack on a network protocol-parsing device parses generalized tunnels, shows that malicious tunnel traffic causes two classes of security problems, tunnel interference and multi-layer fragment attacks, and proposes two key techniques, tunnel flow labeling and deferred reassembly, to resolve them. Experiments show that tunnel flow labeling is cheap, adding at most 1% computation time per layer, while deferred reassembly reduces computation time by 7.5% per layer on average, strengthening the ability to cope with malicious tunnel traffic.
Tunneling is one of the main transition mechanisms from IPv4 to IPv6; it solves the communication problem of IPv4 or IPv6 islands by prepending outer headers to the original packet. By analyzing tunnel traffic, this paper points out that a tunnel is uncertain both in its number of IP headers and in the IP type (IPv4 or IPv6) of each layer, and presents the concept of the Wide-Tunnel to cover more tunnels than 6to4/ISATAP/Teredo and to show how prevalent and common these non-standard tunnels are. The paper also studies the traditional process for analyzing Wide-Tunnel traffic on network interception devices. Two security issues, Tunnel-Interference and Multi-Layer Fragment Reassembly, are identified as results of malicious attacks on the dual-stack analysis process. Two methods, Tunnel-Flow-Label and Delay-Reassemble, are presented to prevent these issues: Tunnel-Flow-Label eliminates the influence of Tunnel-Interference, and Delay-Reassemble reassembles Multi-Layer Fragments effectively while under attack. Experimental results show that, for each layer of a tunnel, Tunnel-Flow-Label costs little computing and adds less than 1% processing time, while Delay-Reassemble reduces computing time by 7.5%, improving the dual-stack's capability to handle malicious tunnel attacks.
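The abstract does not specify how Tunnel-Flow-Label or Delay-Reassemble are implemented, so the following is an added example of one assumed design, not the paper's code: a walker over nested IPv4/IPv6 headers of unknown depth and mixed type (the Wide-Tunnel) that derives a reassembly key covering every layer's addresses, so fragments belonging to two tunnels with identical inner packets are never mixed, and that stops at a non-first fragment so the inner layers are parsed only after that layer has been reassembled. The packet builders and all addresses are constructed sample data (RFC 5737/3849 ranges); checksums are left zero.

```python
import socket
import struct

IPIP, IPV6_ENCAP, IPV6_FRAG = 4, 41, 44   # IANA protocol / next-header numbers

def ipv4(src, dst, proto, payload, frag_off=0, mf=False):
    """Constructed 20-byte IPv4 header (checksum 0) followed by payload."""
    ff = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, ff, 64, proto, 0,
                      socket.inet_pton(socket.AF_INET, src), socket.inet_pton(socket.AF_INET, dst))
    return hdr + payload

def ipv6(src, dst, nxt, payload):
    """Constructed 40-byte IPv6 header followed by payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                      socket.inet_pton(socket.AF_INET6, src), socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload

def parse_wide_tunnel(pkt):
    """Walk encapsulation layers of unknown depth and mixed IP versions.
    Returns (layers, label): layers = [(version, src, dst, fragmented)];
    label = ((version, src, dst), ...) over every layer, the assumed
    reassembly key that keeps fragments of different tunnels apart."""
    layers, off = [], 0
    while off + 20 <= len(pkt):
        ver = pkt[off] >> 4
        if ver == 4:
            ihl = (pkt[off] & 0x0F) * 4
            if ihl < 20:                      # malformed header length: stop
                break
            ff = struct.unpack("!H", pkt[off + 6:off + 8])[0]
            proto, frag, first = pkt[off + 9], bool(ff & 0x3FFF), (ff & 0x1FFF) == 0
            src, dst = (socket.inet_ntop(socket.AF_INET, pkt[off + i:off + i + 4]) for i in (12, 16))
            off += ihl
        elif ver == 6 and off + 40 <= len(pkt):
            proto, frag, first = pkt[off + 6], False, True
            src, dst = (socket.inet_ntop(socket.AF_INET6, pkt[off + i:off + i + 16]) for i in (8, 24))
            off += 40
            if proto == IPV6_FRAG:            # 8-byte fragment extension header
                proto, fo = pkt[off], struct.unpack("!H", pkt[off + 2:off + 4])[0]
                frag, first, off = True, (fo >> 3) == 0, off + 8
        else:
            break
        layers.append((ver, src, dst, frag))
        # Deferred reassembly: a non-first fragment carries no inner header,
        # so parsing of deeper layers waits until this layer is reassembled.
        if proto not in (IPIP, IPV6_ENCAP) or not first:
            break
    return layers, tuple(layer[:3] for layer in layers)
```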