穿越自治系统联盟的域间路由安全机制

doi:10.3969/j.issn.1000-436x.2014.10.018

Abstract

Abstract:

Through studying and analyzing SE-BGP (security enhanced BGP),it was found that it couldn’t validate the cross-alliance AS (autonomous system) and defense the self-launched active attack.To solve the security problems,two-layer cross-alliance hierarchical structure CAHS (cross-alliance hierarchical structure) was designed.Based on CAHS,using the idea of passport visa and the features of AdHASH (additive hash),a cross-alliance BGP security mechanism SCA-BGP (secure crossing alliance for BGP) was proposed.The mechanism has higher security,which is able to effectively validate the identities and behavior authorization of the cross-alliance AS as well as the message carried by them.The experiment results show that SCA-BGP can effectively reduce the certificate scale and extra time overhead to get better scalability and convergence performance.

Key words: SE-BGP, SCA-BGP, cross-alliance AS, AdHASH

Ling-jing KONG,Hua-xin ZENG,Jun DOU,Yao LI. Inter-domain routing security mechanism for crossing autonomous system alliance[J]. Journal on Communications, 2014, 35(10): 155-164.

Figures/Tables 8

符号	描述
HA	本地联盟——发起跨联盟路由信息的AS联盟
CAA_HA	HA的跨联盟者
PassPort_No	护照号
expiry	护照或签证有效期
$P a s s P o r t_{C A A_{H A}}^{H A}$	本地联盟CAA的护照
SK_A-B	A与B的共享密钥
PassKey	通行密钥
FA	异地联盟——接收HA跨联盟路由信息的AS联盟
CAA_FA	FA的跨联盟者(CAA_HA的通信方)
Visa_No	签证号
id_A	实体A的标识符
$V i s a_{C A A_{H A}}^{F A}$	异地联盟对CAA发放的签证
h ( )x	单向散列函数

References 20

[1]	REKHTER Y , LI T , HARES S . A Border Gateway Protocol 4(BGP-4)［EB/OL］． . 2006．
[2]	KENT S , LYNN C , SEO K . Secure border gateway protocol (S-BGP)[J]. IEEE Journal on Selected Areas in Communications, 2000,18(4): 582-592.
[3]	WHITE R . Securing BGP through secure origin BGP (soBGP)[J]. The Internet Protocol Journal, 2003,6(3): 15-22.
[4]	OORSCHOT P C , WAN T , KRANAKIS E . On inter-domain routing security and pretty secure BGP (psBGP)[J].ACM Transactions on Information and System Security (TISSEC),2007,10(3):11. ACM Transactions on Information and System Security (TISSEC), 2007,10(3):11.
[5]	胡湘江, 朱培栋, 龚正虎 . SE-BGP:一种 BGP 安全机制[J]. 软件学报, 2008,19(1): 167-176. HU X J , ZHU P D , GONG Z H . SE—BGP：An approach for BGP security[J].Journal of Software,2008,19 (1):167-176. Journal of Software, 2008,19(1): 167-176.
[6]	王滨, 安金梁, 吴春明 ,等. 基于分治策略的BGP安全机制[J]. 通信学报, 2012,33(5): 91-98. WANG B , AN J L , WU C M ,et al. Study of BGP secure scheme based on divide and conquer strategy[J]. Journal on Communications, 2012,33(5): 91-98.
[7]	KARLIN J , FORREST S , REXFORD J . Pretty good BGP:improving BGP by cautiously adopting routes[A]. Proceedings of the 2006 IEEE International Conference on Network Protocols[C]. Washingdon,DC,USA, 2006. 290-299.
[8]	SUBRAMANIAN L , ROTH V , STOICA I ,et al. Listen and whisper:Security mechanisms for BGP[A]. Symposium on Networked Systems Design and Implementation (NSDI 2004)[C]. 2004. 29-31.
[9]	YUN J K , BYUN C H , KIM Y . Architecture of the remote routing validation tool for BGP anomaly detection[A]. Proceedings of the 2012 ACM Research in Applied Computation Symposium[C]. CA,USA, 2012. 232-236.
[10]	GAO L . On inferring autonomous system relationships in the Internet[J]. IEEE/ACM Transactions on Networking, 2001,9(6): 733-745.
[11]	ZHOU S , MONDRAGON R J . The rich-club phenomenon in the Internet topology[J]. IEEE Communications Letters, 2004,8(3): 180-182.
[12]	AGER B , CHATZIS N , FELDMANN A ,et al. Anatomy of a large European IXP[A]. Proceedings of the ACM SIGCOMM 2012 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communication[C]. 2012. 163-174.
[13]	PeeringDB[EB/OL]..2013.
[14]	GIOTSAS V , ZHOU S . Valley-free violation in Internet routing—analysis based on BGP community data[A]. IEEE International Conference on Communications (ICC)[C]. 2012. 1193-1197.
[15]	ORSINI C , GREGORI E , LENZINI L ,et al. Evolution of the Internet k-dense structure[J].arXiv preprint arXiv:1301.5938.2013. arXiv preprint arXiv:1301.5938. 2013.
[16]	LIU X , LI A , YANG X ,et al. Passport:secure and adoptable source authentication[A]. Proceedings of the 5th USTNIX Symposium on Networked Systems Design and Implementation[C]. 2008. 365-378.
[17]	ZHANG Y , YANG J , LI W ,et al. An authentication scheme for locating compromised sensor nodes in WSNs[J]. Journal of Network and Computer Applications, 2010,33(1): 50-62.
[18]	University of Oregon Route Views Project[EB/OL]..2013.
[19]	ZHAO M , SMITH S W , NICOL D M . Evaluating the performance impact of PKI on BGP security[A]. 4th Annual PKI R&D Workshop[C]. Gaithersburg,MD, 2005. 42-48.
[20]	The SSFNET Project[EB/OL]..2013.

Metrics

Recommended 0

No Suggested Reading articles found!

N		C					C_s
N	S-BGP	SE-BGP	SCA-BGP	S-BGP		SE-BGP			SCA-BGP
					CAA		Normal Nodes	CAA		Normal Nodes
44 167	1.95×10⁹	1.61×10⁷	1.35×10⁶	44 167	13 250		233	705		22

Inter-domain routing security mechanism for crossing autonomous system alliance

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 20

Related Articles 1

Metrics

Recommended 0