基于边界路由动态同步的互联网地址域内真实源地址验证方法

doi:10.11959/j.issn.1000-0801.2020289

Abstract

Abstract:

At the beginning of the design of the Internet architecture,it assumed that all network members were trusted,and did not fully consider the security threat brought by the untrusted network members.For a long time,routers only forward packets based on the destination IP address of the packet,and do not carry out any verification on the source IP address of the packet.The lack of packet level authenticity on the Internet results in the header being maliciously altered.A real source address verification mechanism with routing synchronization and dynamic filtering were proposed.This mechanism constructs the filter table based on the prefix-topology mapping synchronization,the problem of inconsistent state between the filter table and the route caused by routing asymmetry were solved,false positives and false negatives was avoided,and a low-overhead and low-latency source address verification of the IP address prefix level granularity in the address domain were realized.

Key words: source address verification, IP source address forgery, routing synchronization, dynamic filtering

CLC Number:

TN929

Dan LI,Lancheng QIN,Jianping WU,Yingying SU,Mingwei XU,Xingang SHI,Yunan GU,Tao LIN. Internet source address verification method based on synchronization and dynamic filtering in address domain[J]. Telecommunications Science, 2020, 36(10): 21-28.

Figures/Tables 6

References 17

[1]	KAUR CHAHAL J , BHANDARI A , BEHAL S . Distributed denial of service attacks:a threat or challenge[J]. New Review of Information Networking, 2019,24(1): 31-103.
[2]	IETF. A source address validation architecture (SAVA) testbed and deployment experience:RFC5210[S]. 2008.
[3]	IETF. Ingress filtering for multihomed networks.Technical report,BCP 84:RFC3704[S]. 2004.
[4]	ZHANG Y , JIANG J , XU K ,et al. BDS:anear-optimal overlay network for inter-datacenter data replication[C]// Proceedings of the ACM Thirteenth Eurosys Conference. New York:ACM Press, 2018: 10-23.
[5]	ZHANG Y , TIANI Y , WANG W ,et al. Federated routing scheme for large-scale cross domain network[C]// Proceeding of IEEE Conference on Computer Communications Workshops. Piscataway:IEEE Press, 2020: 1358-1359.
[6]	IETF. Network ingress filtering:defeating denial of service attacks which employ IP source address spoofing:RFC2827[S]. 2000.
[7]	LI J , MIRKOVIC J , WANG M ,et al. SAVE:source address validity enforcement protocol[C]// Proceedings of Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies. Piscataway:IEEE Press, 2002: 1557-1566.
[8]	LIU X , YANG X , WETHERALL D ,et al. Efficient and secure source authentication with packet passports[C]// Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet.New York:ACM Press. 2006.
[9]	XIAO P , BI J , FENG T . O-CPF:an openflow based intra-AS source address validation application[C]// Proceedings of the 8th CFI. New York:ACM Press, 2013.
[10]	HUANG Q , SUN H , PATRICK LEE P C ,et al. OmniMon:re-architecting network telemetry with resource efficiency and full accuracy[C]// Proceedings on ACM SIGCOMM. New York:ACM Press, 2020: 404-421.
[11]	CHEN X , HUANG Q , ZHANG D ,et al. ApproSync:approximate state synchronization for programmable networks[C]// IEEE International Conference on Network Protocols.[S.l.:s.n. ], 2020.
[12]	ZHANG C , HU G , CHEN G ,et al. Towards an SDN-based integrated architecture for mitigating ip spoofing attack[J]. IEEE Access, 2017(6): 22764-22777.
[13]	LIANG X , CHEN H . A SDN-based hierarchical authentication mechanism for IPv6 address[C]// Proceedings of 2019 IEEE International Conference on Intelligence and Security Informatics (ISI). Piscataway:IEEE Press, 2019:225.
[14]	KORCYNSKI M , NOSYK Y , QASIM L ,et al. Don’t forget to lock the front door! inferring the deployment of source address validation of inbound traffic[C]// Proceedings of International Conference on Passive and Active Network Measurement. Switzerland:Springer,Cham, 2020: 107-121.
[15]	IETF. OSPFv3 link state advertisement (LSA) extensibility:RFC8362[S]. 2018.
[16]	IETF. A policy control mechanism in IS-IS using administrative tags:RFC5130[S]. 2008.
[17]	IETF. BGP extended communities attribute:RFC4360[S]. 2006.

Metrics

Recommended 0

No Suggested Reading articles found!

	假阳性	假阴性	动态更新	可扩展性
本方案	无	无	是	仅边缘部署、可扩展高、部署代价低
S-uRPF^[2]	路径不对称下存在假阳性	可能存在假阴性	是	部署越多、代价越大、假阳性程度越高
L-uRPF^[2]	无	非常高的假阴性	是	部署越多、代价越大
F-uRPF^[2]	无法保证消除假阳性	可能存在假阴性	是	部署越多、代价越大、
				假阳性程度越高
Ingress ACL^[3]	动态路由下存在假阳性	动态路由下会有假阴性	否	部署越多、管理越麻烦、假阳性程度越高
O-CPF^[6]	无	路径计算不完整时存在假阴性	是	部署越多、代价越大、假阴性程度越小

Internet source address verification method based on synchronization and dynamic filtering in address domain

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 17

Related Articles 15

Metrics

Recommended 0

[1]	Yan WANG, Ying PENG. Research on 6G standardization of International Telecommunications Union（ITU） [J]. Telecommunications Science, 2023, 39(6): 129-138.
[2]	Chen ZHANG, Hongkai WANG, Dong MAO, Sichen PAN, Shuai ZHAO. Research and application of 5G lightweight hardware encryption module for power terminals [J]. Telecommunications Science, 2023, 39(6): 159-169.
[3]	Wei WANG, Jianping WANG, Lifang FENG, Jianli JIN. Research on integrated communication and positioning technology based on visible light [J]. Telecommunications Science, 2023, 39(5): 57-66.
[4]	Hao XU, Lin WU. Research on VoWi-Fi interoperability based on 5G network [J]. Telecommunications Science, 2023, 39(5): 144-154.
[5]	Qingfeng DING, Song WANG. Distributed IOS-SM transmission scheme with joint antenna and IOS unit selection for high-speed railway scenario [J]. Telecommunications Science, 2023, 39(4): 31-42.
[6]	Xiaoyun WANG, Wei DENG, Long ZHANG, Qi SUN. Research on multi-domain collaboration based method of TDD large-scale networking [J]. Telecommunications Science, 2023, 39(4): 43-51.
[7]	Jianbin WANG, Shuchun WANG, Shangjin LIAO, Shuyuan SHI. Research on 5G base station energy saving system based on DCNN-LSTM load prediction algorithm [J]. Telecommunications Science, 2023, 39(4): 133-141.
[8]	Le ZHANG, Hongyuan MA. Practice on edge cloud security of telecom operators [J]. Telecommunications Science, 2023, 39(4): 165-172.
[9]	Haijiang GE, Ning JIA, Kaikai CHI, Yunzhi CHEN. Secondary throughput maximization scheme for non-linear energy harvesting cognitive radio networks [J]. Telecommunications Science, 2023, 39(2): 103-117.
[10]	Jian GONG, Yu ZHANG. 5G millimeter wave UE test method and analysis [J]. Telecommunications Science, 2023, 39(2): 171-177.
[11]	Yu KANG, Yaqiong LIU, Tongyu ZHAO, Guochu SHOU. A survey on AI algorithms applied in communication and computation in Internet of vehicles [J]. Telecommunications Science, 2023, 39(1): 1-19.
[12]	Hui WANG, Qixin TAI, Liu LIU, Hong WANG, Rongfang SONG. Low-power transmission method for uplink millimeter-wave massive MIMO-NOMA system based on GSIC [J]. Telecommunications Science, 2023, 39(1): 51-59.
[13]	Chuanbing GONG, Mingshuai YANG, Song WU, Haiping GE, Shouguo ZHANG, Lei LIU, Yunshan QI, Hui XU. Research on the application of site value evaluation model [J]. Telecommunications Science, 2023, 39(1): 100-107.
[14]	Zhen YANG, Jianjun ZHAO, Yongjun HUANG, Jie LI, Nan CHEN. Study on the direction of artificial intelligence technology based on network evolution [J]. Telecommunications Science, 2022, 38(12): 27-34.
[15]	Peng ZHANG, Xiaoping JIN, Dongxiao CHEN. A genetic algorithm based method of optimizing dispersion matrix for RDSM system [J]. Telecommunications Science, 2022, 38(12): 46-55.