电信科学 ›› 2021, Vol. 37 ›› Issue (3): 75-89.doi: 10.11959/j.issn.1000-0801.2021050
苏莹莹1, 李丹1,2, 叶洪琳1
修回日期:
2021-03-15
出版日期:
2021-03-20
发布日期:
2021-03-01
作者简介:
苏莹莹(1997- ),女,清华大学计算机科学与技术系博士生,主要研究方向为互联网体系结构及其安全。基金资助:
Yingying SU1, Dan LI1,2, Honglin YE1
Revised:
2021-03-15
Online:
2021-03-20
Published:
2021-03-01
Supported by:
摘要:
BGP(border gateway protocol,边界网关协议)在设计之初并没有充分考虑安全问题,随着互联网规模的日益壮大,其安全风险也暴露得愈加明显。学术界和工业界提出了诸多方案解决域间路由面临的安全问题,目前真正得以部署的是IETF(the Internet Engineering Task Force,互联网工程任务组)推动的资源公钥基础设施(resource public key infrastructure,RPKI)。综述了RPKI的技术现状和研究进展,重点分析了RPKI存在的问题、现有的解决方案以及不足之处,介绍了RPKI功能扩展的相关研究,最后指出了未来有潜力的研究方向。
中图分类号:
苏莹莹, 李丹, 叶洪琳. 资源公钥基础设施RPKI:现状与问题[J]. 电信科学, 2021, 37(3): 75-89.
Yingying SU, Dan LI, Honglin YE. Resource public key infrastructure RPKI: status and problems[J]. Telecommunications Science, 2021, 37(3): 75-89.
[1] | BULTER K , FARLEY T R , MCDANIEL P ,et al. A survey of BGP security issues and solutions[J]. Proceedings of the IEEE, 2010,98(1): 100-122. |
[2] | BALLANI H , FRANCIS P , ZHANG X Y . A study of prefix hijacking and interception in the Internet[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 265-276. |
[3] | TOONK A . BGP hijack incident by Syrian Telecommunications Establishment[Z]. BGPMon, 2015. |
[4] | TOONK A . Turkey Hijacking IP addresses for popular Global DNS providers[Z]. BGPMon, 2014. |
[5] | KENT S , LYNN C , SEO K . Secure border gateway protocol (S-BGP)[J]. IEEE Journal on Selected areas in Communications, 2000,18(4): 582-592. |
[6] | LEPINSKI M , KENT S . An infrastructure to support secure internet routing:IETF RFC6480[S]. 2012. |
[7] | BORKENHAGEN J . AT&T/AS 7018 now drops invalid prefixes from peers[Z]. NANOG, 2019. |
[8] | KHARE V , JU Q , ZHANG B C . Concurrent prefix hijacks:occurrence and impacts[C]// Proceedings of the 2012 Internet Measurement Conference.[S.l.:s.n.], 2012: 29-36. |
[9] | ZHAO X L , PEI D , WANG L ,et al. An analysis of BGP multiple origin AS (MOAS) conflicts[C]// Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement. New York:ACM Press, 2001: 31-35. |
[10] | LAD M , MASSEY D , PEI D ,et al. PHAS:a prefix hijack alert system[C]// Proceedings of USENIX Security Symposium.[S.l.:s.n.], 2006:3. |
[11] | SHI X , XIANG Y , WANG Z ,et al. Detecting prefix hijackings in the internet with argus[C]// Proceedings of the 2012 Internet Measurement Conference.[S.l.:s.n.], 2012: 15-28. |
[12] | HU X , MAO Z M . Accurate real-time identification of IP prefix hijacking[C]// Proceedings of 2007 IEEE Symposium on Security and Privacy (SP'07). Piscataway:IEEE Press, 2007: 3-17. |
[13] | ZHENG C , JI L , PEI D ,et al. A light-weight distributed scheme for detecting IP prefix hijacks in real-time[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 277-288. |
[14] | LI J , EHRENKRANZ T , ELLIOTT P . Buddyguard:A buddy system for fast and reliable detection of IP prefix anomalies[C]// Proceedings of 2012 20th IEEE International Conference on Network Protocols (ICNP). Piscataway:IEEE Press, 2012: 1-10. |
[15] | SIGANOS G , FALOUTSOS M . Neighborhood watch for internet routing:can we improve the robustness of internet routing today?[C]// Proceedings of IEEE INFOCOM 2007-26th IEEE International Conference on Computer Communications. Piscataway:IEEE Press, 2007: 1271-1279. |
[16] | KHAN A , KIM H , KWON T ,et al. A comparative study on IP prefixes and their origin ASes in BGP and the IRR[J]. ACM SIGCOMM Computer Communication Review, 2013,43(3): 16-24. |
[17] | QIU S Y , MONROSE F , TERZIS A ,et al. Efficient techniques for detecting false origin advertisements in inter-domain routing[C]// Proceedings of 2006 2nd IEEE Workshop on Secure Network Protocols. Piscataway:IEEE Press, 2006: 12-19. |
[18] | HIRAN R , CARLSSON N , SHAMEHRI N . Crowd-based detection of routing anomalies on the Internet[C]// Proceedings of 2015 IEEE Conference on Communications and Network Security (CNS). Piscataway:IEEE Press, 2015: 388-396. |
[19] | HU Y C , PERRIG A , SIRBU M . SPV:Secure path vector routing for securing BGP[C]// Proceedings of the 2004 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications.[S.l.:s.n. ], 2004: 179-192. |
[20] | ZHAO M , SMITH S W , NICOL D M . Aggregated path authentication for efficient BGP security[C]// Proceedings of the 12th ACM Conference on Computer and Communications Security. New York:ACM Press, 2005: 128-138. |
[21] | WHITE R . Securing BGP through secure origin BGP (soBGP)[J]. Business Communications Review, 2003,33(5): 47-47. |
[22] | OORSCHOT P C , WAN T , KRANAKIS E . On interdomain routing security and pretty secure BGP (psBGP)[J]. ACM Transactions on Information and System Security (TISSEC), 2007,10(3): 11. |
[23] | BULTER K , MCDANIEL P , AIELLO W . Optimizing BGP security by exploiting path stability[C]// Proceedings of the 13th ACM Conference on Computer and Communications Security. New York:ACM Press, 2006: 298-310. |
[24] | XIANG Y , SHI X G , WU J P ,et al. Sign what you really care about–Secure BGP AS-paths efficiently[J]. Computer Networks, 2013,57(10): 2250-2265. |
[25] | AIELLO W , IOANNIDIS J , MCDANIEL P . Origin authentication in interdomain routing[C]// Proceedings of the 10th ACM Conference on Computer and Communications Security. New York:ACM Press, 2003: 165-178. |
[26] | GOODELL G , AIELLO W , GRIFFIN T ,et al. Working around BGP:An incremental approach to improving security and accuracy in interdomain routing[C]// Proceedings of the Network and Distributed System Securityn.[S.l.:s.n.], 2003:156. |
[27] | GERSCH J , MASSEY D . Rover:Route origin verification using DNS[C]// Proceedings of 2013 22nd International Conference on Computer Communication and Networks (ICCCN). Piscataway:IEEE Press, 2013: 1-9. |
[28] | CHUNG T , VAN RIJSWIJK-DELI R , CHANDRASEKARAN B ,et al. A longitudinal,end-to-end view of the {DNSSEC} ecosystem[C]// Proceedings of 26th {USENIX} Security Symposium ({USENIX} Security 17).[S.l.:s.n.], 2017: 1307-1322. |
[29] | LYNN C , KENT S , SEO K . X.509 extensions for IP Addresses and AS identifiers:IETF RFC3779[S]. 2004. |
[30] | COOPER D , SANTESSON S , FARRELL S ,et al. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile:IETF RFC5280[S]. 2008. |
[31] | HUSTON G , MICHAELSON G , LOOMANS R . A profile for X.509 PKIX resource certificates:IETF RFC6487[S]. 2012. |
[32] | LEPINSKI M , KENT S , KONG D . A profile for route origin authorizations (ROAs):IETF RFC6482[S]. 2012. |
[33] | LEPINSKI M , CHI A , KENT S . Signed object template for the resource public key infrastructure (RPKI):IETF RFC6488[S]. 2012. |
[34] | HUSTON G , LOOMANS R , MICHAELSON G . A profile for resource certificate repository structure:IETF RFC6481[S]. 2012. |
[35] | AUSTEIN R , HUSTON G , KENT S ,et al. Manifests for the resource public key infrastructure (RPKI):IETF RFC6486[S]. 2012. |
[36] | TRIDGELL A , MACKERRAS P . The rsync algorithm[Z]. 1996. |
[37] | BRUIJNZEELS T , MURAVSKIY O , WEBER B ,et al. The RPKI repository delta protocol (RRDP):IETF RFC8182[S]. 2017. |
[38] | BUSH R , AUSTEIN R . The resource public key infrastructure (RPKI) to router protocol:IETF RFC6810[S]. 2013. |
[39] | HUSTON G , MICHAELSON G . Validation of route origination using the resource certificate public key infrastructure (PKI) and route origin authorizations (ROAs):IETF RFC6483[S]. 2012. |
[40] | REKHTER Y , KARRENBERG D , MOSKOWITZ B . Address allocation for private internets:IETF RFC1918[S]. 1996. |
[41] | MA D , MANDELBERG D , BRUIJNZEELS T . Simplified local Internet number resource management with the RPKI:IETF RFC8416[S]. 2018. |
[42] | RIPE NCC. Index of /rpki[Z]. 2020. |
[43] | ROUTEVIEWS. University of oregon route views archive project[Z]. 2020. |
[44] | DURAND A . Resource public key infrastructure (RPKI) technical analysis[R]. ICANN. 2020. |
[45] | KENT S , MA D . Adverse actions by a certification authority (CA) or repository manager in the resource public key infrastructure (RPKI):IETF RFC8211[S]. 2017. |
[46] | HEILMAN E , COOPER D , REYZIN L ,et al. From the consent of the routed:improving the transparency of the RPKI[C]// Proceedings of the 2014 ACM conference on SIGCOMM. New York:ACM Press, 2014: 51-62. |
[47] | HARI A , LAKSHMAN T V . The Internet blockchain:A distributed,tamper-resistant transaction framework for the Internet[C]// Proceedings of the 15th ACM Workshop on Hot Topics in Networks. New York:ACM Press, 2016: 204-210. |
[48] | ALFONSO DLRG , PAPADIMITRATOS P . Blockchain-based public key infrastructure for inter-domain secure routing[C]// Proceedings of International Workshop on OPEN Problems in Network Security (iNetSec).[S.l.:s.n.], 2017: 20-38. |
[49] | PAILLISSE J , FERRIOL M , GARCIA E ,et al. IPchain:Securing IP prefix allocation and delegation with blockchain[C]// Proceedings of 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). Piscataway:IEEE Press, 2018: 1236-1243. |
[50] | XING Q , WANG B , WANG X . BGPcoin:Blockchain-based Internet number resource authority and BGP security solution[J]. Symmetry, 2018,10(9): 408. |
[51] | ANGIERI S , GARCíA-MARTíNEZ A , LIU B ,et al. A distributed autonomous organization for Internet address management[J]. IEEE Transactions on Engineering Management, 2019,67(4): 1459-1475. |
[52] | 刘冰洋, 杨飞, 任首首 ,等. 去中心化互联网基础设施[J]. 电信科学, 2019,35(8): 74-87. |
LIU B Y , YANG F , REN S S ,et al. Decentralized internet infrastructure[J]. Telecommunications Science, 2019,35(8): 74-87. | |
[53] | SAAD M , ANWAR A , AHMAD A ,et al. RouteChain:towards blockchain-based secure and efficient BGP routing[C]// Proceedings of 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). Piscataway:IEEE Press, 2019: 210-218. |
[54] | HE G , SU W , GAO S ,et al. ROAchain:Securing route origin authorization with blockchain for inter-domain routing[J]. IEEE Transactions on Network and Service Management, 2020 |
[55] | CHEN D , BA Y , QIU H ,et al. ISRchain:Achieving efficient interdomain secure routing with blockchain[J]. Computers &Electrical Engineering, 2020(83):106584. |
[56] | GILAD Y , COHEN A , HERZBERG A ,et al. Are we there yet? On RPKI's deployment and security[C]// Proceedings of NDSS.[S.l.:s.n.], 2017. |
[57] | GILAD Y , GOLDBERG S , SRIRAM K ,et al. The use of maxlength in the RPKI:draft-ietf-sidrops-rpkimaxlen-05 (work in progress)[Z]. 2020. |
[58] | GILAD Y , SAGGA O , GOLDBERG S . Maxlength considered harmful to the RPKI[C]// Proceedings of the 13th International Conference on Emerging Networking Experiments and Technologies.[S.l.:s.n.], 2017: 101-107. |
[59] | LEPINSKI M , SRIRAM K . BGPsec protocol specification:IETF RFC8205[S]. 2017. |
[60] | LYCHEV R , GOLDBERG S , SCHAPIRA M . BGP security in partial deployment:Is the juice worth the squeeze?[C]// Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM. New York:ACM Press, 2013: 171-182. |
[61] | PATEL K , SNIJDERS J , HOUSLEY R . A profile for autonomous system provider authorization:draft-azimov- sidrops-aspaprofile-04[Z]. 2020. |
[1] | 叶朝阳, 沈辰, 黄明庆, 张士聪, 刘伊莎. 互联网BGP路由可视及安全检测技术架构与实践[J]. 电信科学, 2021, 37(12): 110-120. |
[2] | 王皓轮. MPLS VPN业务VRRP回程路由设计[J]. 电信科学, 2020, 36(11): 165-173. |
[3] | 黄勇军,陆小铭,曹维华. SDN在IP广域网的典型应用与实现[J]. 电信科学, 2016, 32(3): 7-13. |
[4] | 罗雨佳,欧亮,莫志威,唐宏. 基于BGP增强的流量调度技术[J]. 电信科学, 2016, 32(3): 20-27. |
[5] | 张届新,吴志明. 基于VxLAN组网的云数据中心互联方案[J]. 电信科学, 2016, 32(12): 122-128. |
[6] | 董铮,唐海军. 基于路由交换技术的静态专线冗余备份方法[J]. 电信科学, 2015, 31(10): 197-202. |
[7] | 马迪,沈烁. 基于本地信任锚点管理的RPKI安全运行机制研究[J]. 电信科学, 2013, 29(9): 55-59. |
[8] | 朱红,张思东,张宏科. 基于IPv6的BGP/MPLS VPN的移动性研究[J]. 电信科学, 2006, 22(4): 54-58. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|