支持域间分布式分组过滤的BGP扩展

可信任是下一代互联网的重要特征.目前,互联网的路由系统只按照分组的目的IP地址转发分组,携带虚假源IP地址的伪造分组也会被传输到目的地,这会在威胁接收方安全的同时,隐藏发送方的真实身份.可信任互联网的路由系统不仅需要能够正确地转发分组,而且能够验证分组来自正确的发送方.基于路由的域间分布式分组过滤是过滤伪造分组的有效方法.提出了BGP的路由选择通知功能扩展,为域间分组过滤提供过滤标准.在扩展的支持下,边界路由器能够鉴别进入本自治系统的分组的真实性,过滤掉伪造其他自治系统地址的分组.模拟结果表明,路由选择通知不会对BGP正常的路由功能产生负面影响,选择合理的路由选择时钟参数,可以在同时取得较小带宽开销和较快收敛速度的情况下,为域间分布式分组过滤提供支持.

BGP Extension to Support Inter-Domain Distributed Packets Filtering

To be trustworthy is an important characteristic of the next generation Internet.The routing system of the present Internet forwards packets only according to the destination IP address.Forged packets with spoofed source IP address will also be forwarded to the destination,which impairs the security of receiver and conceals the real identity of the sender.The trustworthy Internet requires the routing system not only forward packets correctly, but also validate the packets from the real sender.Inter-domain distributed packet filtering is an effective method to filter out spoofed packets.This paper proposes to extend BGP with route selection notice to provide filtering criteria. With the support,border routers can validate incoming packets and filter the spoofed packets form false autonomous systems.Simulation result indicates BGP route selection notice does not impair the routing function of BGP,and both proper design acceptable bandwidth cost and fast convergence may be achieved simultaneously.