Similar documents
18 similar documents found
1.
In the Resource Public Key Infrastructure (RPKI), the Relying Party (RP) is responsible for synchronizing resource certificates and signed objects (ROAs, Manifests, Ghostbusters records) from repositories and validating them, and then processing the valid ROAs into the authentic authorization relationships between IP address blocks and AS numbers that are used to guide BGP routing. In current implementations, the certificate validation module builds the complete certificate chain mainly by recursively looking up the parent certificate of the certificate under validation through database queries, with the final validation performed by OpenSSL. Because the number of certificates in the RPKI system is large, this database-query-based approach is not efficient enough. Combining the characteristic of the RPKI operating model, which shifts the computational cost from BGP routers (clients) to RP servers, with the idea of trading space for time, certificate information can be loaded into memory to reduce the time spent on I/O. Building on this idea, and on the fact that the optimal time complexity of an entry lookup in a hash table is O(1), this paper designs and implements a hash-table-based optimization method for RPKI certificate validation. Experimental results show that in the three designed experimental scenarios the average time speedup ratios are 99.03%, 98.45% and 97.48% respectively, effectively reducing the time consumed.

2.
In the RPKI (Resource Public Key Infrastructure), signed objects are synchronized and downloaded by the RP (Relying Party) and then processed into the authentic authorization relationships between IP address blocks and AS (Autonomous System) numbers, which are used to guide BGP routing. Current RPs use the software rsync (Remote Sync) for synchronization, but the rsync synchronization algorithm does not take the characteristics of RPKI files (directories) into account, so synchronization efficiency is not ideal. By analyzing and exploiting the characteristics of RPKI files (directories), this paper designs and implements htsync, an RPKI repository synchronization tool based on an ordered hash tree. Experimental results show that, compared with rsync, htsync transfers less data during synchronization and finishes in less time. In the three designed experimental scenarios, the average speedup ratios of synchronization time are 38.70%, 30.13% and 3.63% respectively, effectively reducing the time and resources consumed by synchronization.

3.
邹慧, 马迪, 邵晴, 毛伟. 《计算机学报》 (Chinese Journal of Computers), 2022, (5): 1100-1132
Because it lacks a built-in security authentication mechanism, the Border Gateway Protocol (BGP) is vulnerable to anomalous routing attacks such as prefix hijacking, path forgery and route leaks. The Resource Public Key Infrastructure (RPKI) is the security solution proposed precisely for this deficiency of BGP; the standards of its technical framework...

4.
GesBGP: a secure routing protocol between autonomous systems   Total citations: 2, self-citations: 1, citations by others: 2
The security of the inter-domain routing protocol BGP directly affects the availability of Internet routing. Although many existing improved BGP security schemes can solve these security problems, such schemes have many design flaws (for example, routing resource consumption). In this paper, the authors fully consider the goals of secure BGP and propose a Good-Enough-Security BGP (GesBGP) protocol. GesBGP uses an identity-based key (IBS) algorithm on top of trusted computing technology to guarantee the authenticity of identities in BGP. The introduction of the IBS algorithm effectively eliminates the problems of deploying a centralized public key infrastructure (PKI) and of distributing and storing public key certificates that traditional secure BGP protocols have. In addition, GesBGP does not rely solely on secure key algorithms: a BGP trusted service based on trusted computing technology prevents illegal tampering with the system configuration from within the router system itself, eliminating the multiple accumulated signatures on routing messages. In the proposed optimized GesBGP protocol, mandatory trust relationships between ASes are established by deploying BGP security rules, further eliminating the accumulated signatures in BGP announcement messages. Security analysis and performance evaluation show that the optimized GesBGP effectively improves the performance of GesBGP while ensuring BGP security.

5.
As the range of inter-domain networks covered by RPKI keeps expanding, the data synchronization consistency problems of RPKI in actual deployment, operational mistakes, and the risk of authorities abusing their power have become the main obstacles to full RPKI deployment. This paper proposes an RPKI cache update conflict detection mechanism based on factual ownership. The mechanism uses a reverse RTR protocol together with the RPKI hierarchical data distribution architecture to collect and synchronize factual route origin information, and by comparing the factual route origin...

6.
The Lightweight Directory Access Protocol (LDAP) is a new technology on the Internet. As the core infrastructure of digital certificate systems and of unified authentication and authorization management systems, the directory service provides lookup of public key certificates and public key attribute certificates as well as certificate revocation list lookup. This paper discusses application schemes of the LDAP directory service in PKI/PMI, focusing on how to build a certificate repository.

7.
An ISP load balancing solution based on static routes   Total citations: 1, self-citations: 0, citations by others: 1
There are two traditional ISP load balancing methods: one uses a high-end firewall with the BGP protocol enabled; the other uses dedicated load balancing equipment. This paper builds a new ISP load balancing solution based on static routes. First, the AS number of the ISP is obtained through the Whois protocol, and all BGP routing entries belonging to the different ISPs are looked up by this AS number in a public BGP router database; the routing entries of the different ISPs (for example, China Telecom and China Unicom) are then imported into the campus network border firewall, so that user access achieves load sharing and route backup. This solution is suitable for the campus networks of large and medium-sized enterprises and large residential communities, and compared with traditional load balancing methods it can save a large amount of equipment investment.

8.
Verifying the authenticity of IP addresses has become the foundation for building a trustworthy network. Both AS-level IP spoofing filtering based on source-destination identifiers (keys) and end-system-level IP authentication based on source identifiers (public keys) adopt an end-to-end approach in trying to solve IP spoofing. End-to-end authentication is simple to implement, but it ignores the flooding attacks that IP spoofing packets mount on intermediate networks, so its defensive effect is poor. This paper proposes ESP (enhanced spoofing prevention), an enhanced inter-domain IP spoofing prevention service mechanism for members of an IP spoofing defense alliance. ESP introduces an open router cooperation mechanism and provides a framework for announcing ESP node information and cooperative marking along the source-destination path. On top of source-identifier-based IP spoofing defense, ESP incorporates path identifiers, which not only reduces the probability of source identifier collisions but, through the hybrid identifier, also allows ESP nodes to filter IP spoofing packets early according to the packet marking. Based on BGP (Border Gateway Protocol), the concept of a prefix p-secure node and its detection theory are proposed, which effectively limit the propagation range of source identifiers and reduce the marking and filtering overhead of ESP nodes. ESP inherits the partial deployability of identifier-based defense mechanisms and supports dynamic routing and asymmetric routing well. Evaluation using the RIB (Routing Information Base) provided by Routeview shows that ESP enhances the capability of the IP spoofing prevention service and can filter IP spoofing packets early.

9.
An enhanced inter-domain IP spoofing prevention service mechanism   Total citations: 1, self-citations: 0, citations by others: 1
吕高锋, 孙志刚, 卢锡城. 《软件学报》 (Journal of Software), 2010, 21(7): 1704-1716

10.
A method for discovering the source of BGP route flapping is proposed; it is implemented by servers and clients (border routers running the BGP protocol) distributed across the network. In addition to the functions of a BGP router, a client records route change events, uses RFD (route flap damping) to detect BGP route flapping, and sends a request to the server to locate the oscillation source. The server discovers the source of BGP route flapping by querying the route change events and notifies the network administrator of the detection result. Finally, experiments demonstrate the correctness and feasibility of the proposed method.

11.
Modern Internet routers require powerful forwarding facilities to cope with extremely high-rate Forwarding Information Base (FIB) lookups. In general, the FIB is constrained to a small, highly efficient but expensive memory. Unfortunately, the BGP route table (RIB) keeps growing, and this results in severe FIB inflation at BGP routers. What if we only load a small portion of the RIB into the FIB? Recently the route caching mechanism has been revisited. With such a route caching mechanism, the optimal method is to load the FIB with the popular prefixes that contribute the major traffic loads. We propose a prediction-based method to catch those popular prefixes with a limited cache size. In this paper, the dynamics of popular prefixes have been studied based on real traffic traces from different ISPs. Applying a GM(1,1) model, which is widely used in grey system control and prediction, we propose a traffic-prediction-based route caching method that biases the cache eviction strategy with a range of history to ameliorate the effects of bursts from non-popular prefixes. We also suggest applying FIB aggregation techniques, e.g. the Optimal Routing Table Constructor (ORTC) algorithm, to suppress the number of non-popular sub-prefixes of the popular prefixes on route updates. The evaluation of our method is based on simulation over real traffic traces. The simulation shows that our prediction-based cache replacement strategy outperforms other cache strategies and matches Internet traffic dynamics very well.

12.
The predominant worry about BGP (Border Gateway Protocol) is that attackers could figure out a way to take advantage of the implicit trust relationship between peer routers by mounting a man-in-the-middle attack and injecting false information into routing updates. So far, that has not happened; however, an accidentally misconfigured BGP router incident in 1997 illustrated that a falsely advertised route could pull immense amounts of traffic from other routes into paths for which it was never intended and cause severe slowdowns or shutdowns. The networking community has stepped up its effort to address BGP security. In the longer term, the most mature method to address BGP security is Secure BGP (S-BGP), developed by researchers at BBN Technologies under DARPA sponsorship. However, adoption of a BGP security standard is still in its infancy.

13.
As an important network architecture for solving network security problems such as route hijacking, RPKI has a transport structure consisting of two parts: data synchronization between the supply side and relying parties, and data transmission between relying parties and the demand side. Current research at home and abroad focuses mainly on data synchronization between the supply side and relying parties, while data transmission between relying parties and the demand side is still at a preliminary exploratory stage. To address the inability of the current theoretical RPKI architecture to meet the needs of actual deployment, this paper designs and uses JSON-formatted RPKI cache data to implement an HTTPS-based RPKI cache update architecture. Experimental results show that this distribution architecture transmits stably and, compared with the current theoretical RPKI architecture, can meet the needs of multi-layer transmission and large-volume data transmission.

14.
The instability issues of the Border Gateway Protocol (BGP), such as route oscillations and path explorations, can decrease the performance of packet forwarding and place a heavy workload on routers. While BGP instability has been extensively studied, existing solutions mainly solve individual instances of BGP instability. Thus, with the existing solutions, the route selection processes of ASes or routers may not recognize the actual root cause of BGP instability and hence cannot effectively solve the BGP instability problem. In this paper, we propose a simple, integrated solution called stable BGP (stableBGP) that practically solves a general class of BGP instability issues, including route oscillations and path explorations. stableBGP seeks to adapt the route selection process to best address the root cause of route changes so that the route selection process can quickly stabilize. We formally prove that stableBGP can achieve BGP stability. Extensive simulation results show that in the link failure scenario, stableBGP significantly reduces the number of route changes, the convergence time, and the number of route update messages when compared to prior solutions. We also analyze the performance of stableBGP when it is partially deployed. Our work provides insights into developing a practical solution that addresses the BGP instability problem.

15.
The Border Gateway Protocol has serious security deficiencies that easily lead to route hijacking, a threat to Internet security. For this reason, the Internet Engineering Task Force proposed the Resource Public Key Infrastructure (RPKI) to prevent route hijacking. However, as RPKI technology has developed and been deployed worldwide, security issues related to the certification authorities in RPKI have gradually come to the fore and attracted wide attention. This paper studies and analyzes the resource allocation process of certification authorities in RPKI and, through experimental testing, verifies two potential security risks in that process, duplicate resource allocation and unauthorized resource allocation, and analyzes the adverse effects the two risks may have on resource holders. In addition, to address these two security risks, an "ex-ante control" mechanism for ensuring the security and accuracy of resource allocation by certification authorities in RPKI is proposed and implemented. The mechanism effectively prevents the two operational risks of duplicate resource allocation and unauthorized resource allocation, and reduces the fault recovery waiting time caused by erroneous operations of certification authorities. Finally, further experimental tests verify and analyze the effectiveness and feasibility of this "ex-ante control" mechanism.

16.
A discussion of BGP/MPLS VPN implementation details   Total citations: 5, self-citations: 0, citations by others: 5
董玲, 黄杨, 徐塞虹. 《计算机工程与应用》 (Computer Engineering and Applications), 2005, 41(29): 117-119, 136
In backbone networks, BGP/MPLS VPN uses MPLS for packet forwarding and BGP for distributing routing information, and is the inevitable trend in designing future virtual private networks. This paper mainly analyzes the process by which BGP distributes VPN routes and, in view of the shortcomings found when testing MP-BGP on CISCO routers, explores in depth the issues that need attention during implementation and configuration.

17.
The role of BGP inside an AS is to disseminate the routes learned from external peers to all routers of the AS. A straightforward, but not scalable, solution is to resort to a full mesh of iBGP sessions between the routers of the domain. Achieving scalability in the number of iBGP sessions is possible by using Route Reflectors (RR). Relying on a sparse iBGP graph using RRs, however, has a negative impact on routers’ ability to quickly switch to an alternate route in case of a failure. This stems from the fact that routers often do not know routes towards distinct next-hops for any given prefix. In this paper, we propose a solution to build sparse iBGP topologies where each BGP router learns two routes with distinct next-hops (NH) for each prefix. We qualify such iBGP topologies as NH-diverse. We propose to leverage the “best-external” option available on routers. By activating this option, and adding a limited number of iBGP sessions to the existing iBGP topology, we obtain NH-diverse iBGP topologies that scale, both in number of sessions and in routing table sizes. We show that NH diversity makes it possible to achieve sub-second switch-over time upon the failure of an ASBR or interdomain link. The scalability of our approach is confirmed by an evaluation on a research network and on a Service Provider network.

18.
The BGP protocol transmits in plaintext, so attackers can easily forge prefix and path information, leading to highly damaging prefix hijacking attacks. Within this, the problem of protecting AS path information mainly involves two aspects: tamper-proofing of paths and verification of illegitimate content. RPKI is an important security system for addressing route hijacking, and the current path validation solutions under it mainly include BGPSec, ASPA and Path-End, of which BGPSec mainly solves the path tampering problem, A...

