内生安全网络架构

doi:10.11959/j.issn.1000-0801.2019215

电信科学 ›› 2019, Vol. 35 ›› Issue (9): 20-28.doi: 10.11959/j.issn.1000-0801.2019215

• 专题：数据网络协议架构创新——NewIP • 上一篇下一篇

内生安全网络架构

江伟玉,刘冰洋,王闯

华为技术有限公司，北京 100095

修回日期:2019-09-10 出版日期:2019-09-20 发布日期:2019-09-30
作者简介:江伟玉（1987- ），女，博士，华为技术有限公司 2012 实验室中央研究院网络技术实验室高级工程师，主要研究方向为网络安全架构及协议、可信身份管理、数据安全等。|刘冰洋（1985- ），男，博士，华为技术有限公司 2012 实验室中央研究院网络技术实验室主任工程师，主要研究方向包括网络架构、网络安全及可行、路由和命名解析、确定性网络等。|王闯（1975- ），男，华为技术有限公司2012实验室中央研究院网络技术实验室技术专家，主要研究方向为未来网络架构与技术探索。
基金资助:
国家重点研发计划基金资助项目(2018YFB180079)

Network architecture with intrinsic security

Weiyu JIANG,Bingyang LIU,Chuang WANG

Huawei Technologies Co.,Ltd.,Beijing 100095,China

Revised:2019-09-10 Online:2019-09-20 Published:2019-09-30
Supported by:
The National Key Research and Development Program of China(2018YFB180079)

摘要/Abstract

摘要：

IP 网络通过连接全球大量的网络设备给人类带来了便利，但网络面临持续性的安全和隐私问题令人担忧。由于网络缺乏内生安全的设计，IP地址伪造、隐私泄露、中间人攻击、分布式拒绝服务（DDoS）攻击等顽固安全问题难以根治，传统的补丁式解决方案补不胜补。在研究IP网络面临的各类安全威胁及相关安全技术的基础上，剖析了IP网络固有的安全缺陷，提出了具有内生安全特性的网络架构，包括具有内生安全的隐私ID/Loc、安全验证和审计协议、跨域联合防御机制等，能够为端到端通信保驾护航。

关键词: IP网络, 内生安全, 隐私, 可审计性, DDoS

Abstract:

IP network brings big benefits for human’s life by connecting most devices all over the world,but its security and privacy issues make people frustrating when using end to end communication.Without intrinsic security design of the network,it is difficult for patch-like solutions to cure stubborn security issues (IP spoofing,privacy leakage,MITM attack,DDoS,etc.).On the basis of surveying different kinds of security threats and related security techniques,an overview of the security weakness analysis was given,and network architecture with intrinsic security (NAIS) was presented,including dynamic ID/IP with intrinsic security,security verification and audit protocols,and cross-domain cooperation defense mechanism,which could provide security and trustworthiness for end to end communication.

Key words: IP network, intrinsic security, privacy, accountability, DDoS

中图分类号:

TN915.08

江伟玉, 刘冰洋, 王闯. 内生安全网络架构[J]. 电信科学, 2019, 35(9): 20-28.

Weiyu JIANG, Bingyang LIU, Chuang WANG. Network architecture with intrinsic security[J]. Telecommunications Science, 2019, 35(9): 20-28.

图/表 4

参考文献 24

[1]	Caida spoofer program report[R]. 2019.
[2]	ENGLEHARDT S , NARAYANAN A . Online tracking:a 1-million-site measurement and analysis[C]// the 2016 ACM SIGSAC Conference on Computer and Communications Security,Oct 12-16,2015,Denver,Colorado,USA. New York:ACM Press, 2016: 1388-1401.
[3]	FERGUSON P , SENIE D . Network ingress filtering:defeating denial of service attacks which employ IP source address spoofing:RFC 2827[S]. 2000.
[4]	DUAN Z , ·UAN X , CHANDRASHEKAR J . Constructing interdomain packet filters to control IP spoofing based on BGP updates[C]// INFOCOM,April 23-29,2006,Barcelona,Spain. Piscataway:IEEE Press, 2006.
[5]	BREMLER-BARR A , LEVY H . Spoofing prevention method[C]// IEEE INFOCOM, 2005(1): 536-547.
[6]	JIN C , WANG H , SHIN K . Hop-count filtering:an effective defense against spoofed DDoS traffic[C]// the 10th ACM Conference on Computer and Communications Security,Oct 27 - 30,Washington D.C.,USA. New York:IEEE Press, 2003.
[7]	BAKER F , SAVOLA P . Ingress filtering for multihomed networks:RFC 3704[S]. 2004.
[8]	BI J , LIU B . Problem statement of SAVI beyond the first hop,Internet Draft[R]. 2012.
[9]	LIU X , ·ANG X , WETHERALL D ,et al. Efficient and secure source authentication with packet passports[C]// 2nd conference on Steps to Reducing Unwanted Traffic on the Internet,San Jose,CA,USA. New York:ACM Press, 2006.
[10]	LIU X , ·ANG X , WETHERALL D ,et al. Passport:secure and adoptable source authentication[C]// 5th USENIX NSDI,April16-18,2008,San Francisco,California,USA. New York:ACM Press, 2008.
[11]	RAGHAVAN B , KOHNO T , SNOEREN A C ,et al. Enlisting ISP to improve online privacy:IP address mixing by default[C]// PETS '09,August 5-7,2009,Seattle,WA,USA. New York:ACM Press, 2009.
[12]	CHAUM D . Untraceable electronic mail,return address,and digital pseudonyms[J]. Communications of the ACM, 1981,24(2): 84-88.
[13]	DINGLEDINE R , MATHEWSON N , SYVERSON P F . Tor:the second-generation onion router[J]. Journal of the Franklin Institute, 2004,239(2): 135-139.
[14]	NARTEN T , DRAVES R , KRISHNAN S . Report from the IAB workshop on routing and addressing:RFC4941[S]. 2007.
[15]	GONT F . Method for generating semantically opaque interface identifiers with ipv6 stateless address autoconfiguration (slaac),RFC 7217,Internet engineering task force,request for comments[S]. 2014.
[16]	ANDERSEN D G , BALAKRISHNAN H , FEAMSTER N ,et al. Accountable internet protocol[C]// ACM SIGCOMM 2008 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications,August 17-22,2008,Seattle,WA,USA. New York:ACM Press, 2008.
[17]	NAYLOR D , MUKERJEE M K , STEENKISTE P.Balancing accountability and privacy in the network . [J]. ACM Sigcomm Computer Communication Review, 2014,44(4).
[18]	LEE T , PAPPAS C , BARRERA D ,et al. Source accountability with domain-brokered privacy[C]// the 12th International on Conference on emerging Networking Experiments and Technologies,December 12 - 15.2016,Irvine,California,USA. New York:ACM Press, 2016.
[19]	US service provider survives the biggest recorded DDoS in history[Z]. 2018.
[20]	ANTONAKAKIS M , APRIL · , BAILEY M ,et al. Understanding the mirai botnet[C]// 26th USENIX Security.[S.l.:s.n]. 2017.
[21]	CloudFlare. Advanced DDoS attack protection[Z]. 2018.
[22]	FAYAZ S K , TOBIOKA · , SEKAR V ,et al. Bohatei:flexible and elastic DDoS defense[C]// Usenix Conference on Security Symposium,August 12 - 14,2015,Washington,D.C.,USA. New York:ACM Press, 2015.
[23]	BASESCU C , REISCHUK R M , SZALACHOWSKI P ,et al. SIBRA:Scalable internet bandwidth reservation architecture[J]. arXiv preprint arXiv:1510.02696, 2015.
[24]	李子姝, 谢人超, 孙礼 ,等. 移动边缘计算综述[J]. 电信科学, 2018,34(1): 87-101.
	LI Z S , XIE R C , SUN L ,et al. A survey of mobile edge computing[J]. Telecommunications Science, 2018,34(1): 87-101.

内生安全网络架构

Network architecture with intrinsic security

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 24

相关文章 15

Metrics

推荐阅读 0

[1]	何英杰, 李启伟, 孙涵, 郜迪, 董剑峰, 杨书华. 面向物联网轻量级隐私保护的真值发现机制[J]. 电信科学, 2021, 37(5): 124-132.
[2]	张帆, 谢光伟, 郭威, 扈红超, 张汝云, 刘文彦. 基于拟态架构的内生安全云数据中心关键技术和实现方法[J]. 电信科学, 2021, 37(3): 39-48.
[3]	李玉峰, 曹晨红, 李江涛, 王鹏. 生物免疫启发下的一种内生安全技术框架[J]. 电信科学, 2021, 37(3): 49-56.
[4]	张汝云, 李合元, 李顺斌. 有限异构资源条件下的工业控制拟态调度算法[J]. 电信科学, 2021, 37(3): 57-65.
[5]	朱泓艺, 陆肖元, 李毅. 网络空间内生安全试验场管理技术[J]. 电信科学, 2021, 37(3): 66-74.
[6]	王双星, 罗劲瑭, 帅莉莎, 张佳敏, 张敏, 阳小龙. 基于区块链的云数据匿名确定性删除方法[J]. 电信科学, 2021, 37(3): 90-104.
[7]	刘飞扬, 李坤, 宋飞, 周华春. DDoS攻击恶意行为知识库构建[J]. 电信科学, 2021, 37(11): 17-32.
[8]	黄兵, 谭斌, 罗鉴, 郭勇. 面向业务和网络协同的未来IP网络架构演进[J]. 电信科学, 2021, 37(10): 39-46.
[9]	张驰, 陆晔, 罗渝平, 孙晓凯, 祝涵珂. 一种复杂场景下的视频流人脸隐私保护技术[J]. 电信科学, 2021, 37(1): 94-101.
[10]	侯慧芳,李雪芳,潘洁,丁志刚. 5G承载网数据采集和安全管控演进思路[J]. 电信科学, 2020, 36(9): 154-159.
[11]	陈哲,蒋胜,王闯. 面向智能工业物联的灵活地址可信协议架构[J]. 电信科学, 2020, 36(7): 26-33.
[12]	彭绍亮,白亮,王力,程敏霞,王树林. 面向智慧医疗的可信边缘计算[J]. 电信科学, 2020, 36(6): 56-63.
[13]	刘姿杉,程强,吕博. 面向机器学习的隐私保护关键技术研究综述[J]. 电信科学, 2020, 36(11): 18-27.
[14]	涂哲,周华春,李坤,王玮琳. 信息网络内生恶意行为检测框架[J]. 电信科学, 2020, 36(10): 37-45.
[15]	刘杨,彭木根. 6G内生安全：体系结构与关键技术[J]. 电信科学, 2020, 36(1): 11-20.