
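An Origin AS Verification Mechanism Based on the Length of Prefix Assignment Path for Securing BGP
Cite as: WANG Na, ZHANG Jian-hui, MA Hai-long, WANG Bin-qiang. An Origin AS Verification Mechanism Based on the Length of Prefix Assignment Path for Securing BGP [J]. Acta Electronica Sinica, 2009, 37(10): 2220-2227.
Authors: WANG Na  ZHANG Jian-hui  MA Hai-long  WANG Bin-qiang
Affiliation: 1. College of Electronic Technology, PLA Information Engineering University, Zhengzhou, Henan 450004; College of Information Engineering, PLA Information Engineering University, Zhengzhou, Henan 450002
2. College of Information Engineering, PLA Information Engineering University, Zhengzhou, Henan 450002
Funding: National 973 Key Basic Research Development Program; National 863 High-Tech Research and Development Program
Abstract: We find that BGP origin autonomous system (AS) verification mechanisms whose security is currently widely accepted (such as S-BGP) are subject to an upper-level ISP (Internet Service Provider) prefix hijacking attack. These mechanisms are based on the assignment path of a prefix and can only guarantee that the prefix is originated by an AS authorized by an ISP on its assignment path; they cannot guarantee that it is originated by an AS authorized by the last ISP on the assignment path (that is, the ISP that owns the prefix). Only an AS authorized by the ISP that owns a prefix is a legitimate origin AS for that prefix. This paper proposes an origin AS verification mechanism based on the length of the prefix assignment path, called LAP (the Length of Assignment Path). The basic idea is that any AS announcing a route to a prefix must provide the prefix's assignment path together with attestations, and only the AS that provides the longest valid assignment path for the prefix is its legitimate origin AS. LAP protects the inter-domain routing system against valid prefix hijacking, sub-prefix hijacking and unused prefix hijacking, and in particular upper-level ISP prefix hijacking, and it can be applied seamlessly in BGP security schemes and some next-generation inter-domain routing protocols.

Keywords: BGP  security  prefix hijacking
Received: 2007-11-26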

An Origin AS Verification Mechanism Based on the Length of Prefix Assignment Path for Securing BGP
WANG Na, ZHANG Jian-hui, MA Hai-long, WANG Bin-qiang. An Origin AS Verification Mechanism Based on the Length of Prefix Assignment Path for Securing BGP [J]. Acta Electronica Sinica, 2009, 37(10): 2220-2227.
Authors: WANG Na  ZHANG Jian-hui  MA Hai-long  WANG Bin-qiang
Affiliation: 1. College of Electronic Technology, PLA Information Engineering University, Zhengzhou 450004, China; 2. College of Information Engineering, PLA Information Engineering University, Zhengzhou 450002, China
Abstract: The paper finds that current origin Autonomous System (AS) verification mechanisms for securing BGP whose security properties have been widely recognized, such as S-BGP, have a vulnerability: because they are based on the assignment path of a prefix, they only guarantee that a prefix is originated by an AS authorized by an Internet Service Provider (ISP) on the assignment path of the prefix, and do not guarantee that it is originated by the AS authorized by the last ISP, which owns the prefix. Only the AS authorized by the ISP that owns a prefix is the prefix's legitimate origin AS. As a result, these mechanisms suffer from 'the upper ISP' prefix hijacking. The paper proposes a novel origin AS verification mechanism based on the length of a prefix assignment path for securing BGP, called LAP (the Length of Assignment Path). The basic idea is that all ASes must provide the assignment path and attestations of the prefixes they originate, and that, for a prefix, the AS that provides the longest valid assignment path is its legitimate origin AS. LAP protects the inter-domain routing system against valid prefix hijacking, sub-prefix hijacking and unused prefix hijacking, especially 'the upper ISP' prefix hijacking, and it can be seamlessly applied in current BGP security solutions and some next-generation inter-domain routing protocols.
Keywords:BGP
This article is indexed in Wanfang Data and other databases.