Fact Ownership-based Conflict Detection Scheme for RPKI Cache Update
    Abstract:

    As the resource public key infrastructure (RPKI) covers a growing share of the inter-domain network, the consistency of RPKI data synchronization in actual deployment, together with the risks of operational errors and abuse of power by authorities, has become a major obstacle to the full deployment of RPKI. This study presents a scheme for detecting conflicts in RPKI cache updates based on fact ownership of route origins. The scheme uses the reverse RTR protocol and the multi-layer distribution architecture of RPKI data to collect and synchronize fact route origin information. It then compares the fact route origin information with RPKI cache update data to detect conflicting cache update data, which protects the authenticity and validity of the RPKI cache. Finally, the data synchronization time efficiency and detection performance of this scheme are compared with those of other schemes. The experimental results show that this scheme has some detection advantages.

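Cite this article

Xiao Wenlong, Ma Di, Mao Wei, Shao Qing. Fact Ownership-based Conflict Detection Scheme for RPKI Cache Update. Computer Systems & Applications, 2022, 31(2): 366-375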

History
  • Received: 2021-04-19
  • Last revised: 2021-05-19
  • Published online: 2022-01-28