Linux内核HWMP序列号机制的研究与改进

为了提高混合无线网状网协议(hybrid wireless mesh protocol,HWMP)在工程应用中的鲁棒性,研究了Linux内核中的HWMP序列号机制.发现了由于“序列号有效”域在路由更新流程中处理不当引起的路径请求(path request,PREQ)死锁环问题,提出了删除“序列号有效”域的解决方案.该方案改变了HWMP的路由更新流程,消除了PREQ错误转发,进而消除了PREQ死锁环.在Linux内核中实现了该方案并进行了长时间的测试,表明了该方案的可行性和有效性.     

基于可信度的域间路由机制

当前的域间路由系统缺乏对路径真实性的验证,可能导致虚假路径信息大量传播,带来大规模的网络失效.为了提高路由抑制虚假路径的能力,文中将信任机制引入到域间路由中,采用可信度表示路径的真实可信程度,提出了基于可信度的域间路由机制,其主要思想为在路径选择时考虑路径的可信度,选取可信度高的路径作为最优路径.在该机制下,构建了一个Chord环进行信任信息的发布与获取,部署了虚假路径检测措施的AS根据检测结果在Chord环中发布信任信息,没有部署虚假路径检测措施的AS从Chord环中获取信任信息来计算候选路径的可信度,基于可信度进行路径选择.实验结果表明基于可信度的域间路由机制能够快速抑制虚假路径,在一定程度上解决路由机制的不可信问题.     

域间多路径路由协议

边界网关协议(border gateway protocol,简称BGP)是当前互联网的核心协议,但是由于BGP是一种单路径路由协议,所以仍存在可靠性差、无法有效使用次优路径以及负载均衡支持较弱等问题.域间多路径路由可以通过发挥底层网络的AS级路径多样性,提高域间路由的可靠性、报文分组转发的总体性能和整个网络资源的利用率.因此,域间多路径路由是解决上述BGP问题的一种有效手段,符合互联网应用不断深入、促进路由技术发展的需求.主要综述域间多路径协议,并将其分为3类:单径通告多路转发协议、多径通告多路转发协议和新型域间多路径路由体系结构提出路径多样性、控制平面和数据平面开销、无环路特性等8项主要路由系统性能指标,并比较、分析了域间多路径路由协议.最后,指出域间多路径路由协议面临的主要挑战和未来的研究方向.     

基于分簇的拓扑自适应的无人机蜂群OLSR路由协议

针对无人机群网络中的路由问题,优化链路状态路由协议采用固定周期的方式通告Hello和拓扑更新(TC)消息,用于维护网络拓扑信息。但是在网络结构频繁变化的情况下,这种周期性的通告不能对网络拓扑变化及时作出响应,网络性能会大幅衰减。文中提出一种新的基于簇群的OLSR路由协议(CB-OLSR),由簇内路由和簇间路由组成,分别采用簇内两跳短距离传输和高性能簇头间远程传输。簇成员不运行完整的路由协议,仅仅完成邻居节点检测,传递Hello消息即可。该协议根据网络拓扑变化情况动态调整Hello等控制消息的广播周期,及时更新网络状况,以提高网络性能,同时对簇内短直连路径进行优化。内部簇成员以及两域相邻簇成员间,如果源节点和目标节点是两跳以内的邻居,则忽略层次结构,使用"旁路捷径"直接转发消息,以减轻簇头的负载,延长簇头寿命。EXata仿真平台上的仿真实验表明,CB-OLSR在数据丢包率和吞吐量等方面明显优于OLSR,更适用于无人机蜂群网络。     

基于导出策略的路由配置错误检测方法

针对域间路由中易出现的路由配置疏忽,避免因不恰当配置引起域间路由不稳定事件,提出一种有效的路由配置错误检测方法.通过应用推断的域间路由导出策略,对路由宣告的前缀进行分析,检测出源配置错误和导出配置错误的潜在性,其间考虑选性路由对前缀宣告造成的影响,从而减少误判的可能性.实验结果表明,该方法利用较少的局部路由信息,可快速有效的检测出潜在的路由配置错误并辅助提升网络性能.     

带路径探索检测的RCN路由抖动抑制算法

路由抖动抑制机制在稳定Internet路由方面扮演着重要角色。针对路由原因通告(RCN)路由抖动抑制算法没有控制无效路径探索而产生大量更新消息量的问题,利用RCN表和路径探索路由特点提出了一种带路径探索检测的RCN路由抖动抑制算法,该算法正确区分路由抖动和路径探索并对无效路径探索进行控制。实验结果表明,该算法大量减少了更新消息量,提高了算法性能。     

一种按需域间路径构建方法

在域间路由中,BGP的最优路径转发规则使得节点无法控制自身能够收到哪些路径。针对该问题,提出了一种按需的域间路径构建方法,其主要特点为上游节点可以对其下游节点的选路过程施加影响,根据自身需求定制路径。首先对BGP进行扩展,提出了一种支持在路径通告中嵌入更多策略信息的域间路由协议P-BGP,嵌入在路径通告中的策略能够指导中间节点如何选路。在P-BGP的基础上,进一步提出了支持按需的域间路径构建方法OIPBM,OIPBM以BGP保证源端与目的端的可达性,需要构建特殊路径的源端将路径构建的需求信息发送至目的端,由目的端协助其发起一个带策略的P-BGP收敛过程获取满足需求的路径。在理论分析的基础上,通过实验验证了OIPBM具有较好的性能。     

基于可修改区块链的互联网码号资源管理方案

为加强IP地址、自治域号等国际互联网码号资源的管理和控制,国际互联网工程任务组提出了互联网码号资源公钥基础设施,近年来有效解决路由劫持、路径篡改等问题,为保证域间路由稳定运行发挥了巨大作用.然而,它在互联网码号资源管理模式中存在的安全问题也逐渐突显,如单点故障、资源分配异常、证书撤销数据同步不及时造成验证失效等.本文针...     

基于区块链的域间路由策略符合性验证方法

域间路由系统自治域(ASes)间具有不同的商业关系和路由策略.违反自治域间出站策略协定的路由传播可能引发路由泄露,进而导致网络中断、流量窃听、链路过载等严重后果.路由策略符合性验证对于保证域间路由系统安全性和稳定性至关重要.但自治域对本地路由策略自主配置与隐私保护的双重需求增加了验证路由策略符合性的难度,使其一直是域间路由安全领域尚未妥善解决的难点问题.提出一种基于区块链的域间路由策略符合性验证方法.该方法以区块链和密码学技术作为信任背书,使自治域能够以安全和隐私的方式发布、交互、验证和执行路由策略期望,通过生成对应路由更新的路由证明,保证路由传播过程的真实性,从而以多方协同的方式完成路由策略符合性验证.通过实现原型系统并基于真实路由数据开展实验与分析,结果表明该方法可以在不泄露自治域商业关系和本地路由策略的前提下针对路由传播出站策略符合性进行可追溯的验证,以合理的开销有效抑制策略违规路由传播,在局部部署情况下也具有显著的策略违规路由抑制能力.     

P2P网络环境下的一种高效搜索算法:Multilayer Light-Gossip

由于现有非结构化P2P网络路由协议均在应用层实现,缺乏缓存机制和对Internet底层通信子网路由资源的利用,存在可扩展性差和效率不高的问题·在基于层域结构的RLP2P网络环境下,将路由空间分为域间和域内两层,结合泛洪和生成树搜索方式的优点,提出并实现了一种Multilayer Light-Gossip分级搜索算法和域间基于正六边形的蜂窝路由探测策略,把网络中的搜索消息分为域间和域内扩散两类分级扩散,以一定的消息冗余保持网络的稳健性和搜索的有效性,使定位某种服务的工作量和查询范围从网络中的所有结点数降到域内的节点数·运用预测评估方法对级间路由消息进行预分组,使消息能够自适应地沿着一条在时间度量上距离尽量短的路径前进·实验结果表明,Multilayer Light-Gossip算法大幅提高搜索效率和减少冗余消息,在广域环境下具有良好的搜索性能和扩展性·     

Black Hole Attack Detection and Performance Improvement in Mobile Ad-Hoc Network

ABSTRACT

Security is an essential service for mobile network communications. Routing plays an important role in the security of mobile ad-hoc networks (MANETs). A wide variety of attacks targets the weakness of MANETs. By attacking the routing protocols, attackers can absorb network traffic, injecting themselves into the path between the source and destination. The black hole attack is one of the routing attacks where a malicious node advertise itself as having the shortest path to all nodes in the network by sending fake route reply. In this paper, a defense scheme for detecting black hole node is proposed. The detection is based on the timing information and destination sequence numbers maintained in the Neighborhood Route Monitoring Table. The table maintains the record of time of Reply. A black hole node will send a route reply message without checking the routing table as the legitimate node normally does. This reduced reply time is used to detect the black hole node. To improve the security further, the destination sequence number is checked with the threshold value, which is dynamically updated. The simulation results demonstrate that the protocol not only detects black hole attack but also improves the overall performance.     

WSN中基于多项式的安全密钥建立方案

针对分层WSN节点的更新,使用二元对称多项式,提出一种安全的建立通信双方会话密钥方案。该方案可保证传输消息的秘密性和完整性,能有效地抵御攻击者对消息的非法篡改、替换和重放。此外,该方案支持通信双方更新会话密钥和增加对节点身份的认证,防止非法节点的欺骗攻击。通过分析可知,该方案和现有方案相比,具有更高的安全性,以及成本和效率的合理性。     

Persistent route oscillations in inter-domain routing

Hop-by-hop inter-domain routing protocols, such as border gateway protocol (BGP) and inter-domain routing protocol (IDRP), use independent route selection to realize domains' local policies. A domain chooses its routes based on path attributes present in a route. It is widely believed that these inter-domain routing protocols always converge. We show that there exist domain policies that cause BGP/IDRP to exhibit persistent oscillations. In these oscillations, each domain repeatedly chooses a sequence of routes to a destination. Complex oscillation patterns can occur even in very simple topologies. We analyze the conditions for persistent route oscillations in a simple class of inter-domain topologies and policies. Using this analysis, we evaluate ways to prevent or avoid persistent oscillations in general topologies. We conclude that if a hop-by-hop inter-domain routing protocol allows unconstrained route selection at a domain, the protocol may be susceptible to route oscillations. Constraining route selection to a provably “safe” procedure (such as shortest path) can reduce the number of realizable policies. Alternatively, a routing policy registry can help detect unsafe policies.     

一种改进的BGP路由源认证机制

资源公钥基础设施(Resource Public Key Infrastructure,RPKI)是当前用于保护互联网码号资源分配真实性的技术.作为一种支撑域间路由安全的体系,它解决了边界网关协议(Border Gateway Protocol,BGP)缺乏路由源认证的问题.然而当前RPKI体系中的依赖方(Relying Party,RP)与路由器数据同步机制可能会导致路由源授权(Route Originate Authorization,ROA)信息缺乏真实性和有效性,并且不断查询缓存列表会带给路由器很大的性能负载.据此,本文提出一种改进的BGP路由源认证方案,发送端路由器实时申请存储在RP中的ROA证书,将其附加到BGP update报文中进行传输,以待对等端路由器申请证书公钥对证书进行验证并完成路由源认证功能.该方案将原来周期性更新路由器缓存列表机制改为路由器实时申请认证机制,有效解决了RP与路由器数据同步可能导致的ROA存在错误的问题,降低路由器查询缓存列表造成的路由器运行负载.此外,本文通过Quagga仿真实验表明该方案具有可行性,并对该方案的适用情形进行了具体分析.     

An immune-theory-based model for monitoring inter-domain routing system

The inter-domain routing system faces many serious security threats because the border gateway protocol(BGP) lacks effective security mechanisms.However,there is no solution that satisfies the requirements of a real environment.To address this problem,we propose a new model based on immune theory to monitor the inter-domain routing system.We introduce the dynamic evolution models for the "self" and detection cells,and construct washout and update mechanisms for the memory detection cells.Furthermore,borrowing an idea from immune network theory,we present a new coordinative method to identify anomalous nodes in the inter-domain routing system.In this way,the more nodes working with their own information that join the coordinative network,the greater is the ability of the system to identify anomalous nodes through evaluation between nodes.Because it is not necessary to modify the BGP,the ITMM is easy to deploy and inexpensive to implement.The experimental results confirm the method’s ability to detect abnormal routes and identify anomalous nodes in the inter-domain routing system.     

A survey on the recent efforts of the Internet Standardization Body for securing inter-domain routing

The Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet, thus it plays a crucial role in current communications. Unfortunately, it was conceived without any internal security mechanism, and hence is prone to a number of vulnerabilities and attacks that can result in large scale outages in the Internet. In light of this, securing BGP has been an active research area since its adoption. Several security strategies, ranging from a complete replacement of the protocol up to the addition of new features in it were proposed, but only minor tweaks have found the pathway to be adopted. More recently, the IETF Secure Inter-Domain Routing (SIDR) Working Group (WG) has put forward several recommendations to secure BGP. In this paper, we survey the efforts of the SIDR WG including, the Resource Public Key Infrastructure (RPKI), Route Origin Authorizations (ROAs), and BGP Security (BGPSEC), for securing the BGP protocol. We also discuss the post SIDR inter-domain routing unresolved security challenges along with the deployment and adoption challenges of SIDR’s proposals. Furthermore, we shed light on future research directions in managing the broader security issues in inter-domain routing. The paper is targeted to readers from the academic and industrial communities that are not only interested in an updated article accounting for the recent developments made by the Internet standardization body toward securing BGP (i.e., by the IETF), but also for an analytical discussion about their pros and cons, including promising research lines as well.     

Adaptive fuzzy tracking control for a class of uncertain MIMO nonlinear systems using disturbance observer

In this paper,the adaptive fuzzy tracking control is proposed for a class of multi-input and multioutput(MIMO)nonlinear systems in the presence of system uncertainties,unknown non-symmetric input saturation and external disturbances.Fuzzy logic systems(FLS)are used to approximate the system uncertainty of MIMO nonlinear systems.Then,the compound disturbance containing the approximation error and the timevarying external disturbance that cannot be directly measured are estimated via a disturbance observer.By appropriately choosing the gain matrix,the disturbance observer can approximate the compound disturbance well and the estimate error converges to a compact set.This control strategy is further extended to develop adaptive fuzzy tracking control for MIMO nonlinear systems by coping with practical issues in engineering applications,in particular unknown non-symmetric input saturation and control singularity.Within this setting,the disturbance observer technique is combined with the FLS approximation technique to compensate for the efects of unknown input saturation and control singularity.Lyapunov approach based analysis shows that semi-global uniform boundedness of the closed-loop signals is guaranteed under the proposed tracking control techniques.Numerical simulation results are presented to illustrate the efectiveness of the proposed tracking control schemes.     

A secure routing model based on distance vector routing algorithm

Distance vector routing protocols have been widely adopted as an efcient routing mechanism in current Internet,and many wireless networks.However,as is well-known,the existing distance vector routing protocols are insecure as it lacks of efective authorization mechanisms and routing updates aggregated from other routers.As a result,the network routing-based attacks become a critical issue which could lead to a more deteriorate performance than other general network attacks.To efciently address this issue,this paper,through analyzing the routing model and its security aspect,and presents a novel approach on guaranteeing the routing security.Based on the model,we present the security mechanism including the message exchange and update message security authentication mechanism.The suggested approach shows that the security mechanism can efectively verify the integrity and validate the freshness of routing update messages received from neighbor nodes.In comparison with exiting mechanisms(SDV,S-RIP etc),the proposed model provides enhanced security without introducing significant network overheads and complexity.     

基于SPVP协议的BGP路由收敛算法

针对Internet域间路由慢收敛问题,提出基于简单路径向量协议(SPVP)的BGP路由收敛算法。分析该算法在4种全接连网络拓扑中的Tdown收敛边界值得出,通过检测域间失效链路的根源节点能有效减少路由收敛时间和更新消息开销。SSFNet仿真结果表明,该算法收敛时间上限为O(d)。     

下一代互联网域间路由安全：威胁与对策

基于BGP的域间路由系统是下一代互联网的关键基础设施.本文系统地分析了下一代互联网域间路由系统的脆弱性,建立了下一代互联网域间路由的攻击模型对各种攻击目标和攻击方式进行描述,并从多个层次对BGP-4和BGP4＋的安全能力进行分析与比较.此外,我们给出了路由攻击检测系统方案,该方法可有效实现域间路由系统的安全控制