An Improved Route Origin Validation Mechanism for BGP
Cite this article: JIA Jia, YAN Zhi-Wei, GENG Guang-Gang, JIN Jian. An improved route origin validation mechanism for BGP [J]. Computer Systems & Applications, 2017, 26(1): 240-245.
Authors: JIA Jia, YAN Zhi-Wei, GENG Guang-Gang, JIN Jian
Affiliations: Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190; National Engineering Laboratory for Naming and Addressing, China Internet Network Information Center, Beijing 100190
Abstract: Resource Public Key Infrastructure (RPKI) is the current technology for protecting the authenticity of Internet number resource allocations. As a framework supporting inter-domain routing security, it addresses the Border Gateway Protocol's (BGP) lack of route origin validation. However, the current data synchronization mechanism between the RPKI relying party (RP) and routers may leave Route Origin Authorization (ROA) information inaccurate or stale, and continually querying the cache list imposes a substantial performance load on routers. Accordingly, this paper proposes an improved BGP route origin validation scheme: the sending router requests, in real time, the ROA certificate stored at the RP and attaches it to the BGP UPDATE message, so that the peer router can request the certificate's public key, verify the certificate and complete route origin validation. The scheme replaces periodic refreshing of the router's cache list with on-demand validation requests by the router, which effectively resolves the ROA errors that RP-to-router synchronization may cause and reduces the load that cache-list queries place on routers. Quagga simulation experiments show that the scheme is feasible, and the situations in which it applies are analyzed in detail.

Keywords: Border Gateway Protocol; Resource Public Key Infrastructure; Route Origin Authorization; security mechanism; prefix hijacking
Received: 2016/4/19
Revised: 2016/5/26

Improved Validation Mechanism of Route Origination in BGP
JIA Jia, YAN Zhi-Wei, GENG Guang-Gang, JIN Jian. Improved Validation Mechanism of Route Origination in BGP [J]. Computer Systems & Applications, 2017, 26(1): 240-245.
Authors: JIA Jia, YAN Zhi-Wei, GENG Guang-Gang, JIN Jian
Affiliations: Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China; National Engineering Laboratory for Naming and Addressing, China Internet Network Information Center, Beijing 100190, China
Abstract: Resource Public Key Infrastructure (RPKI) is the technology used to protect the authenticity of Internet number resource allocations, and a framework supporting inter-domain routing security that addresses the lack of route origin validation in BGP. However, the current data synchronization mechanism between the RPKI relying party (RP) and BGP routers can leave ROA information inaccurate or stale. Meanwhile, routers that continually query the cache lists incur a substantial performance load. In this paper, we propose an improved method for route origin authentication. The sending router requests ROA certificates from the RP in real time and transmits them to the peer routers within the UPDATE message. The peer routers can then request the public key, verify the certificates and confirm the authenticity of the route origin. The verification mechanism thus changes from periodic cache-list updates to real-time requests for certification. This effectively resolves the problem that ROA data may be wrong because of RP-to-router synchronization, and reduces the running load on routers caused by querying the cache lists. The feasibility of the scheme is demonstrated using the Quagga simulation tool, and we analyze in detail the situations in which each of the two mechanisms is applicable.
Keywords: BGP; RPKI; ROA; security mechanism; prefix hijacking
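The abstract turns on two ideas: how a router decides whether a BGP announcement's origin AS matches a ROA, and why a periodically refreshed ROA cache can give a wrong answer between refreshes. The following Python example, added here and not part of the paper or of Quagga, implements standard RPKI origin validation (prefix coverage, maxLength and origin-AS matching, yielding valid/invalid/notfound) and then replays a constructed timeline in which a ROA is re-issued for a new origin AS, so that the same legitimate announcement validates as "invalid" against a stale cache snapshot but "valid" against a fresh lookup. All prefixes, AS numbers and the ROA records are constructed illustrative values, not data from the paper.

```python
import ipaddress
from dataclasses import dataclass


# Constructed ROA records in the shape relying parties export to routers:
# (prefix, maxLength, origin AS). Illustrative values only.
@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int


def covers(roa, announced_net):
    """A ROA covers an announcement when the ROA prefix contains the announced prefix."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    return roa_net.version == announced_net.version and announced_net.subnet_of(roa_net)


def validate_origin(ann, roas):
    """Route origin validation: returns 'valid', 'invalid' or 'notfound'.

    notfound: no ROA covers the announced prefix.
    valid:    some covering ROA has the same origin AS and the announced
              prefix length does not exceed that ROA's maxLength.
    invalid:  covering ROAs exist but none matches (wrong origin AS, or a
              more-specific prefix beyond maxLength).
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = [r for r in roas if covers(r, net)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.origin_as == ann.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed timeline: the prefix holder moves 192.0.2.0/24 from AS 64500 to
# AS 64501 and the ROA is re-issued. A router whose cache was refreshed before
# the change keeps ROA_BEFORE until its next periodic synchronization.
ROA_BEFORE = [ROA("192.0.2.0/24", 24, 64500)]
ROA_AFTER = [ROA("192.0.2.0/24", 24, 64501)]


def stale_cache_demo():
    """Validate the new, legitimate announcement against a stale cache and a fresh lookup."""
    ann = Announcement("192.0.2.0/24", 64501)
    return {
        "stale_cache": validate_origin(ann, ROA_BEFORE),   # -> "invalid"
        "fresh_lookup": validate_origin(ann, ROA_AFTER),   # -> "valid"
    }


if __name__ == "__main__":
    print(validate_origin(Announcement("192.0.2.0/24", 64500), ROA_BEFORE))  # valid
    print(validate_origin(Announcement("192.0.2.0/25", 64500), ROA_BEFORE))  # invalid: exceeds maxLength
    print(validate_origin(Announcement("198.51.100.0/24", 64500), ROA_BEFORE))  # notfound
    print(stale_cache_demo())
```

The stale-cache case is the failure mode the paper's scheme targets: with a periodic cache the router keeps returning "invalid" for a legitimate origin until the next synchronization, whereas validating against the ROA fetched at announcement time gives the current answer. Operators deploying either approach should still monitor the age of their RP data, since a fresh lookup only helps if the RP itself is up to date.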