资源公钥基础设施RPKI：现状与问题

doi:10.11959/j.issn.1000-0801.2021050

Abstract

Abstract:

The BGP (border gateway protocol) did not fully consider security issues at the beginning of its design.With the rapid growth of the Internet, its security risks have become incrementally obvious.Academia and industry have proposed many solutions to the security issues faced by inter-domain routing, and what is really deployed is the RPKI (resource public key infrastructure) promoted by the IETF (the Internet Engineering Task Force).The development status and research advances of RPKI were surveyed, with emphasis on problems of RPKI, existing solutions, and related limitations.Moreover, latest achievements on RPKI function extension were introduced.Finally, future research directions were concluded.

Key words: RPKI, BGP, interdomain routing, prefix hijacking

CLC Number:

TP393

Yingying SU, Dan LI, Honglin YE. Resource public key infrastructure RPKI: status and problems[J]. Telecommunications Science, 2021, 37(3): 75-89.

Figures/Tables 11

References 61

[1]	BULTER K , FARLEY T R , MCDANIEL P ,et al. A survey of BGP security issues and solutions[J]. Proceedings of the IEEE, 2010,98(1): 100-122.
[2]	BALLANI H , FRANCIS P , ZHANG X Y . A study of prefix hijacking and interception in the Internet[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 265-276.
[3]	TOONK A . BGP hijack incident by Syrian Telecommunications Establishment[Z]. BGPMon, 2015.
[4]	TOONK A . Turkey Hijacking IP addresses for popular Global DNS providers[Z]. BGPMon, 2014.
[5]	KENT S , LYNN C , SEO K . Secure border gateway protocol (S-BGP)[J]. IEEE Journal on Selected areas in Communications, 2000,18(4): 582-592.
[6]	LEPINSKI M , KENT S . An infrastructure to support secure internet routing:IETF RFC6480[S]. 2012.
[7]	BORKENHAGEN J . AT＆T/AS 7018 now drops invalid prefixes from peers[Z]. NANOG, 2019.
[8]	KHARE V , JU Q , ZHANG B C . Concurrent prefix hijacks:occurrence and impacts[C]// Proceedings of the 2012 Internet Measurement Conference.[S.l.:s.n.], 2012: 29-36.
[9]	ZHAO X L , PEI D , WANG L ,et al. An analysis of BGP multiple origin AS (MOAS) conflicts[C]// Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement. New York:ACM Press, 2001: 31-35.
[10]	LAD M , MASSEY D , PEI D ,et al. PHAS:a prefix hijack alert system[C]// Proceedings of USENIX Security Symposium.[S.l.:s.n.], 2006:3.
[11]	SHI X , XIANG Y , WANG Z ,et al. Detecting prefix hijackings in the internet with argus[C]// Proceedings of the 2012 Internet Measurement Conference.[S.l.:s.n.], 2012: 15-28.
[12]	HU X , MAO Z M . Accurate real-time identification of IP prefix hijacking[C]// Proceedings of 2007 IEEE Symposium on Security and Privacy (SP'07). Piscataway:IEEE Press, 2007: 3-17.
[13]	ZHENG C , JI L , PEI D ,et al. A light-weight distributed scheme for detecting IP prefix hijacks in real-time[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 277-288.
[14]	LI J , EHRENKRANZ T , ELLIOTT P . Buddyguard:A buddy system for fast and reliable detection of IP prefix anomalies[C]// Proceedings of 2012 20th IEEE International Conference on Network Protocols (ICNP). Piscataway:IEEE Press, 2012: 1-10.
[15]	SIGANOS G , FALOUTSOS M . Neighborhood watch for internet routing:can we improve the robustness of internet routing today?[C]// Proceedings of IEEE INFOCOM 2007-26th IEEE International Conference on Computer Communications. Piscataway:IEEE Press, 2007: 1271-1279.
[16]	KHAN A , KIM H , KWON T ,et al. A comparative study on IP prefixes and their origin ASes in BGP and the IRR[J]. ACM SIGCOMM Computer Communication Review, 2013,43(3): 16-24.
[17]	QIU S Y , MONROSE F , TERZIS A ,et al. Efficient techniques for detecting false origin advertisements in inter-domain routing[C]// Proceedings of 2006 2nd IEEE Workshop on Secure Network Protocols. Piscataway:IEEE Press, 2006: 12-19.
[18]	HIRAN R , CARLSSON N , SHAMEHRI N . Crowd-based detection of routing anomalies on the Internet[C]// Proceedings of 2015 IEEE Conference on Communications and Network Security (CNS). Piscataway:IEEE Press, 2015: 388-396.
[19]	HU Y C , PERRIG A , SIRBU M . SPV:Secure path vector routing for securing BGP[C]// Proceedings of the 2004 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications.[S.l.:s.n. ], 2004: 179-192.
[20]	ZHAO M , SMITH S W , NICOL D M . Aggregated path authentication for efficient BGP security[C]// Proceedings of the 12th ACM Conference on Computer and Communications Security. New York:ACM Press, 2005: 128-138.
[21]	WHITE R . Securing BGP through secure origin BGP (soBGP)[J]. Business Communications Review, 2003,33(5): 47-47.
[22]	OORSCHOT P C , WAN T , KRANAKIS E . On interdomain routing security and pretty secure BGP (psBGP)[J]. ACM Transactions on Information and System Security (TISSEC), 2007,10(3): 11.
[23]	BULTER K , MCDANIEL P , AIELLO W . Optimizing BGP security by exploiting path stability[C]// Proceedings of the 13th ACM Conference on Computer and Communications Security. New York:ACM Press, 2006: 298-310.
[24]	XIANG Y , SHI X G , WU J P ,et al. Sign what you really care about–Secure BGP AS-paths efficiently[J]. Computer Networks, 2013,57(10): 2250-2265.
[25]	AIELLO W , IOANNIDIS J , MCDANIEL P . Origin authentication in interdomain routing[C]// Proceedings of the 10th ACM Conference on Computer and Communications Security. New York:ACM Press, 2003: 165-178.
[26]	GOODELL G , AIELLO W , GRIFFIN T ,et al. Working around BGP:An incremental approach to improving security and accuracy in interdomain routing[C]// Proceedings of the Network and Distributed System Securityn.[S.l.:s.n.], 2003:156.
[27]	GERSCH J , MASSEY D . Rover:Route origin verification using DNS[C]// Proceedings of 2013 22nd International Conference on Computer Communication and Networks (ICCCN). Piscataway:IEEE Press, 2013: 1-9.
[28]	CHUNG T , VAN RIJSWIJK-DELI R , CHANDRASEKARAN B ,et al. A longitudinal,end-to-end view of the {DNSSEC} ecosystem[C]// Proceedings of 26th {USENIX} Security Symposium ({USENIX} Security 17).[S.l.:s.n.], 2017: 1307-1322.
[29]	LYNN C , KENT S , SEO K . X.509 extensions for IP Addresses and AS identifiers:IETF RFC3779[S]. 2004.
[30]	COOPER D , SANTESSON S , FARRELL S ,et al. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile:IETF RFC5280[S]. 2008.
[31]	HUSTON G , MICHAELSON G , LOOMANS R . A profile for X.509 PKIX resource certificates:IETF RFC6487[S]. 2012.
[32]	LEPINSKI M , KENT S , KONG D . A profile for route origin authorizations (ROAs):IETF RFC6482[S]. 2012.
[33]	LEPINSKI M , CHI A , KENT S . Signed object template for the resource public key infrastructure (RPKI):IETF RFC6488[S]. 2012.
[34]	HUSTON G , LOOMANS R , MICHAELSON G . A profile for resource certificate repository structure:IETF RFC6481[S]. 2012.
[35]	AUSTEIN R , HUSTON G , KENT S ,et al. Manifests for the resource public key infrastructure (RPKI):IETF RFC6486[S]. 2012.
[36]	TRIDGELL A , MACKERRAS P . The rsync algorithm[Z]. 1996.
[37]	BRUIJNZEELS T , MURAVSKIY O , WEBER B ,et al. The RPKI repository delta protocol (RRDP):IETF RFC8182[S]. 2017.
[38]	BUSH R , AUSTEIN R . The resource public key infrastructure (RPKI) to router protocol:IETF RFC6810[S]. 2013.
[39]	HUSTON G , MICHAELSON G . Validation of route origination using the resource certificate public key infrastructure (PKI) and route origin authorizations (ROAs):IETF RFC6483[S]. 2012.
[40]	REKHTER Y , KARRENBERG D , MOSKOWITZ B . Address allocation for private internets:IETF RFC1918[S]. 1996.
[41]	MA D , MANDELBERG D , BRUIJNZEELS T . Simplified local Internet number resource management with the RPKI:IETF RFC8416[S]. 2018.
[42]	RIPE NCC. Index of /rpki[Z]. 2020.
[43]	ROUTEVIEWS. University of oregon route views archive project[Z]. 2020.
[44]	DURAND A . Resource public key infrastructure (RPKI) technical analysis[R]. ICANN. 2020.
[45]	KENT S , MA D . Adverse actions by a certification authority (CA) or repository manager in the resource public key infrastructure (RPKI):IETF RFC8211[S]. 2017.
[46]	HEILMAN E , COOPER D , REYZIN L ,et al. From the consent of the routed:improving the transparency of the RPKI[C]// Proceedings of the 2014 ACM conference on SIGCOMM. New York:ACM Press, 2014: 51-62.
[47]	HARI A , LAKSHMAN T V . The Internet blockchain:A distributed,tamper-resistant transaction framework for the Internet[C]// Proceedings of the 15th ACM Workshop on Hot Topics in Networks. New York:ACM Press, 2016: 204-210.
[48]	ALFONSO DLRG , PAPADIMITRATOS P . Blockchain-based public key infrastructure for inter-domain secure routing[C]// Proceedings of International Workshop on OPEN Problems in Network Security (iNetSec).[S.l.:s.n.], 2017: 20-38.
[49]	PAILLISSE J , FERRIOL M , GARCIA E ,et al. IPchain:Securing IP prefix allocation and delegation with blockchain[C]// Proceedings of 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). Piscataway:IEEE Press, 2018: 1236-1243.
[50]	XING Q , WANG B , WANG X . BGPcoin:Blockchain-based Internet number resource authority and BGP security solution[J]. Symmetry, 2018,10(9): 408.
[51]	ANGIERI S , GARCíA-MARTíNEZ A , LIU B ,et al. A distributed autonomous organization for Internet address management[J]. IEEE Transactions on Engineering Management, 2019,67(4): 1459-1475.
[52]	刘冰洋, 杨飞, 任首首 ,等. 去中心化互联网基础设施[J]. 电信科学, 2019,35(8): 74-87.
	LIU B Y , YANG F , REN S S ,et al. Decentralized internet infrastructure[J]. Telecommunications Science, 2019,35(8): 74-87.
[53]	SAAD M , ANWAR A , AHMAD A ,et al. RouteChain:towards blockchain-based secure and efficient BGP routing[C]// Proceedings of 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). Piscataway:IEEE Press, 2019: 210-218.
[54]	HE G , SU W , GAO S ,et al. ROAchain:Securing route origin authorization with blockchain for inter-domain routing[J]. IEEE Transactions on Network and Service Management, 2020
[55]	CHEN D , BA Y , QIU H ,et al. ISRchain:Achieving efficient interdomain secure routing with blockchain[J]. Computers ＆Electrical Engineering, 2020(83):106584.
[56]	GILAD Y , COHEN A , HERZBERG A ,et al. Are we there yet? On RPKI's deployment and security[C]// Proceedings of NDSS.[S.l.:s.n.], 2017.
[57]	GILAD Y , GOLDBERG S , SRIRAM K ,et al. The use of maxlength in the RPKI:draft-ietf-sidrops-rpkimaxlen-05 (work in progress)[Z]. 2020.
[58]	GILAD Y , SAGGA O , GOLDBERG S . Maxlength considered harmful to the RPKI[C]// Proceedings of the 13th International Conference on Emerging Networking Experiments and Technologies.[S.l.:s.n.], 2017: 101-107.
[59]	LEPINSKI M , SRIRAM K . BGPsec protocol specification:IETF RFC8205[S]. 2017.
[60]	LYCHEV R , GOLDBERG S , SCHAPIRA M . BGP security in partial deployment:Is the juice worth the squeeze?[C]// Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM. New York:ACM Press, 2013: 171-182.
[61]	PATEL K , SNIJDERS J , HOUSLEY R . A profile for autonomous system provider authorization:draft-azimov- sidrops-aspaprofile-04[Z]. 2020.

Metrics

Recommended 0

No Suggested Reading articles found!

BGP宣告中的IP地址前缀	BGP宣告与ROA的ASN匹配	BGP宣告与ROA的ASN不匹配
与ROA无交叉	未知	未知
可以覆盖 ROA中的IP地址前缀	未知	未知
与 ROA 中的 IP地址前缀相匹配	有效	无效
比 ROA 中的 IP地址前缀更具体	无效	无效

对比项	自主管理模式	托管模式
受害CA的上层CA	通过删除、篡改、撤销发布的CA证书来影响受害CA	所有资料库及资料库对应的私钥都由五大 RIR掌管，可进行针对证书的任意恶意操作
外界攻击者	攻破了受害CA的资料库：删除、损坏证书和签名对象	攻破了受害 CA 的资料库：删除、损坏证书和签名对象
	攻破了受害CA的资料库及私钥：可进行针对证书的任意恶意操作	攻破了受害 CA 的资料库及私钥：可进行针对证书的任意恶意操作

Resource public key infrastructure RPKI: status and problems

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 61

Related Articles 7

Metrics

Recommended 0

[1]	Chaoyang YE, Chen SHEN, Mingqing HUANG, Shicong ZHANG, Yisha LIU. Architecture and practice of BGP internet routing visibility and security detection [J]. Telecommunications Science, 2021, 37(12): 110-120.
[2]	Haolun WANG. Design of backhaul routes in VRRP networks of MPLS VPN [J]. Telecommunications Science, 2020, 36(11): 165-173.
[3]	Yongjun HUANG,Xiaoming LU,Weihua CAO. Typical applications and realization of SDN in IP WAN [J]. Telecommunications Science, 2016, 32(3): 7-13.
[4]	Yujia LUO,Liang OU,Zhiwei MO,Hong TANG. Flow scheduling technology based on BGP extended protocol [J]. Telecommunications Science, 2016, 32(3): 20-27.
[5]	Jiexin ZHANG,Zhiming WU. Interconnection scheme of VxLAN based cloud datacenter networks [J]. Telecommunications Science, 2016, 32(12): 122-128.
[6]	Zheng Dong,Haijun Tang. A Static Line Redundant Backup Method Based on Routing Switching Technology [J]. Telecommunications Science, 2015, 31(10): 197-202.
[7]	Hong Zhu,Sidong Zhang,Hongke Zhang. Research of BGP/MPLS VPN Mobility over IPv6 [J]. Telecommunications Science, 2006, 22(4): 54-58.