基于信誉的域间路由选择机制的研究与实现

doi:10.11959/j.issn.1000-436x.2023114

摘要/Abstract

摘要：

为了解决边界网关协议（BGP）缺乏对路由更新消息验证的问题，提出一种由信誉评估机制和基于信誉的BGP路由选择算法两部分组成的域间路由选择机制。信誉评估机制采用分布式自治系统（AS）联盟架构，详细划分节点路由行为，以服务域和观测权重为指标量化节点行为带来的影响，通过设计反馈机制让信誉不仅能反映节点善恶，还能反映节点对恶意攻击的抵抗能力；基于信誉的 BGP 路由选择算法在现有路由选择算法中加入一条“安全”策略：过滤包含低信誉节点的路由，并从高信誉的路由中选择最佳路由。实验结果表明，所提机制不仅抑制非法路由传播，还避开易受污染的路径，相比于现有的信誉评估机制更适用于域间路由系统，提供更加安全的域间路由环境。

关键词: 边界网关协议, 信誉机制, 路由选择机制, 网络安全

Abstract:

To solve the problem of lack of validation for exchanging messages in BGP, a inter-domain routing mechanism, which consisted of a reputation evaluation mechanism and a reputation-based BGP optimal routing algorithm, was proposed.The reputation evaluation mechanism used a distributed autonomous system (AS) alliance architecture, which divided node routing behavior in detail.The service domain and observation weight were used as indicators to quantify the impact of node behavior.By designing a feedback mechanism, the reputation value not only reflected the good and bad of nodes, but also reflected the node’s resistance to malicious attacks.The reputation-based BGP routing selection algorithm adds a “security” policy to the existing routing selection algorithm by filtering routes containing low-reputation nodes and selecting the best route among high reputation routes.The experimental results show that the proposed mechanism outperform most existing reputation mechanisms by avoiding routes with vulnerable nodes and restraining the propagation of illegal routes, thereby providing a more secure inter-domain routing environment.

Key words: border gateway protocol, reputation mechanism, routing selection mechanism, network security

中图分类号:

TP393

赵仕祺, 黄小红, 钟志港. 基于信誉的域间路由选择机制的研究与实现[J]. 通信学报, 2023, 44(6): 47-56.

Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism[J]. Journal on Communications, 2023, 44(6): 47-56.

图/表 12

图1

图2

图3

图4

表1

图5

表2

图6

图7

图8

图9

表3

参考文献 24

[1]	REKHTER Y , LI T , HARES S . A border gateway protocol 4(BGP-4)[S]. Internet Engineering Task Force (IETF) RFC 4271, 2006.
[2]	王娜, 杜学绘, 王文娟 ,等. 边界网关协议安全研究综述[J]. 计算机学报, 2017,40(7): 1626-1648.
	WANG N , DU X H , WANG W J ,et al. A survey of the border gateway protocol security[J. Chinese Journal of Computers, 2017,40(7): 1626-1648.
[3]	HUDAIB A A Z , HUDAIB E A Z . DNS advanced attacks and analysis[J]. International Journal of Computer Science and Security (IJCSS), 2014,8(2): 63.
[4]	MIRKOVIC J , REIHER P . A taxonomy of DDoS attack and DDoS defense mechanisms[J]. ACM SIGCOMM Computer Communication Review, 2004,34(2): 39-53.
[5]	CONTI M , DRAGONI N , LESYK V . A survey of man in the middle attacks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(3): 2027-2051.
[6]	HUSTON G , MICHAELSON G . Validation of route origination using the resource certificate public key infrastructure (PKI) and route origin authorizations (ROAs)[S]. Internet Engineering Task Force (IETF) RFC 6483, 2012.
[7]	KENT S , LYNN C , SEO K . Secure border gateway protocol (S-BGP)[C]// Proceedings of IEEE Journal on Selected Areas in Communications. Piscataway:IEEE Press, 2002: 582-592.
[8]	WHITE R . Architecture and deployment considerations for secure origin BGP (soBGP)[R]. 2006.
[9]	WHITE R . Securing BGP through secure origin BGP (soBGP)[J]. Business Communications Review, 2003,33(5): 47.
[10]	LEPINSKI M , SRIRAM K . BGPsec protocol specification[S]. Internet Engineering Task Force (IETF) RFC 8205, 2017.
[11]	LYCHEV R , GOLDBERG S , SCHAPIRA M . BGP security in partial deployment[J]. ACM SIGCOMM Computer Communication Review, 2013,43(4): 171-182.
[12]	CHUNG T , ABEN E , BRUIJNZEELS T ,et al. RPKI is coming of age:a longitudinal study of RPKI deployment and invalid route origins[C]// Proceedings of the Internet Measurement Conference. New York:ACM Press, 2019: 406-419.
[13]	GILAD Y , COHEN A , HERZBERG A ,et al. Are we there yet? on RPKI’s deployment and security[C]// Proceedings of 2017 Network and Distributed System Security Symposium. Reston:Internet Society, 2017: 1-16.
[14]	BATTISTA G D , REFICE T , RIMONDINI M . How to extract BGP peering information from the Internet routing registry[C]// Proceedings of the 2006 SIGCOMM Workshop on Mining Network Data. New York:ACM Press, 2006: 317-322.
[15]	GOODELL G , AIELLO W , GRIFFIN T ,et al. Working around BGP:an incremental approach to improving security and accuracy in interdomain routing[C]// Proceedings of the Network and Distributed System Security Symposium. Saarland:DBLP, 2003: 1-11.
[16]	MITSEVA A , PANCHENKO A , ENGEL T . The state of affairs in BGP security:a survey of attacks and defenses[J]. Computer Communications, 2018,124: 45-60.
[17]	刘湘辉, 殷建平, 唐乐乐 ,等. 网络流量的有效测量方法分析[J]. 软件学报, 2003,14(2): 300-304.
	LIU X H , YIN J P , TANG L L ,et al. Analysis of efficient monitoring method for the network flow[J. Journal of Software, 2003,14(2): 300-304.
[18]	WANG N , WANG B Q . A reputation-based method to secure inter-domain routing[C]// Proceedings of 2013 IEEE 10th International Conference on High Performance Computing and Communications ＆2013 IEEE International Conference on Embedded and Ubiquitous Computing. Piscataway:IEEE Press, 2014: 1424-1429.
[19]	HU N , ZHU P D , ZOU P . Reputation mechanism for inter-domain routing security management[C]// Proceedings of 2009 Ninth IEEE International Conference on Computer and Information Technology. Piscataway:IEEE Press, 2009: 98-103.
[20]	LEE J Y , OH J C . Applications of social media and social network analysis[M]. Germany: Springer International Publishing, 2015.
[21]	NU X , WEI L , YOU L ,et al. A trust model for the inter-domain routing system[J]. Journal of Computer Research and Development, 2016,53(4): 845.
[22]	陈迪, 邱菡, 祝凯捷 ,等. 基于自治域协同的域间路由信誉模型[J]. 中国科学(信息科学), 2021,51(9): 1540-1558.
	CHEN D , QIU H , ZHU K J ,et al. An inter-domain routing reputation model based on autonomous domain collaboration[J. Scientia Sinica (Informationis), 2021,51(9): 1540-1558.
[23]	KONTE M , PERDISCI R , FEAMSTER N . ASwatch:an AS reputation system to expose bulletproof hosting ASes[C]// Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication. New York:ACM Press, 2015: 625-638.
[24]	FILSFILS C , MICHIELSEN K , TALAULIKAR K . Segment routing详解 (第一卷)[M]. 苏远超,蒋治春,译. 北京: 人民邮电出版社, 2017.
	FILSFILS C , MICHIELSEN K , TALAULIKAR K . Segment routing part I[M. Translated by SU Y C,JIANG Z C. Beijing: Posts ＆ Telecom Press, 2017.

行为模式	定义
合法路由宣告	节点宣告了属于本自治域的前缀
前缀劫持	节点宣告了不属于本自治域的前缀
路径劫持	节点通过篡改路由更新报文的 AS_PATH 属性伪造了路由，并将伪造的路由转发给了其他节点
非法路由转发	节点转发了来自攻击者的路由，如转发了被劫持前缀的路由，或转发了伪造的路由
合法路由转发	节点进行了路由转发，且路由并不来自攻击者

参数	值
α	0.5
β	0.5
γ	1.0
ρ	2.0
ω	1.0
τ	1.0
σ	0.367 9
初始全局信誉	0.800 0

路由选择机制	非法路由占比	感染路径占比
机制1	3.075‰	8.543‰
机制2	2.571‰	4.307‰