Optimization Method of RPKI Certificate Verification Based on Hash Table
Abstract:

In RPKI (Resource Public Key Infrastructure), the RP (Relying Party) downloads certificates and signed objects (ROA, Manifest, Ghostbusters) from the repository and verifies them, then processes the valid ROA objects into authorization relations between IP addresses and AS numbers that are used to guide BGP routing. In the current implementation, the certificate verification module recursively finds the parent of the certificate to be verified through database queries, constructs the complete certificate chain, and completes the final verification with OpenSSL. Because of the large number of certificates in the RPKI system, this database-query-based method is inefficient. The RPKI running mechanism transfers the calculation cost from the BGP router (user) to the RP server (server); combining this with the idea of a "space-time tradeoff", the information of the certificates can be read into memory to reduce the time spent on I/O. On this basis, and exploiting the fact that lookup in a hash table has optimal O(1) time complexity, we design and implement an optimization method for RPKI certificate validation based on a hash table. The experimental results show that the average time acceleration ratios are 99.03%, 98.45%, and 97.48% in the three designed scenarios, which effectively reduces the time consumption.
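The chain-building step the abstract describes, as an added illustration that is not the paper's code: a relying party walks from a certificate to a trust anchor by matching each certificate's Authority Key Identifier (AKI) against the Subject Key Identifier (SKI) of a candidate parent. The first lookup models the database-query approach (a scan over the whole store for every parent); the second reads the store into a dictionary keyed by SKI once, so each parent lookup is a single hash probe. The `Cert` type, the `ski`/`aki` field names, the sample certificates and the trust-anchor set are constructed for the example; signature checking, which the paper leaves to OpenSSL, is not performed here. The chain walk also rejects a missing parent and a cycle, since a hash-table parent lookup will happily follow a loop if the walker does not track what it has already seen.

```python
"""RPKI certificate-chain construction: database-style scan vs. in-memory hash table.

Added example, not the paper's implementation. All certificate data below is
constructed; only chain construction is shown, not cryptographic verification.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an RPKI resource certificate (constructed fields)."""
    name: str
    ski: str            # Subject Key Identifier: identifies this certificate's key
    aki: Optional[str]  # Authority Key Identifier: SKI of the issuer; None for a trust anchor


class ChainError(Exception):
    """Raised when a complete chain up to a configured trust anchor cannot be built."""


def build_ski_index(store: List[Cert]) -> Dict[str, Cert]:
    """Read the whole store into memory once, keyed by SKI (the 'space-time tradeoff')."""
    index: Dict[str, Cert] = {}
    for cert in store:
        if cert.ski in index:
            # Two certificates claiming the same key identifier cannot both be a unique parent.
            raise ChainError(f"duplicate SKI {cert.ski!r}: {index[cert.ski].name} and {cert.name}")
        index[cert.ski] = cert
    return index


def build_chain(leaf: Cert, lookup: Callable[[str], Optional[Cert]],
                trust_anchors: Set[str]) -> List[Cert]:
    """Walk leaf -> issuer -> ... -> trust anchor via AKI/SKI, returning [leaf, ..., anchor].

    `lookup(ski)` returns the certificate carrying that SKI, or None. A missing
    parent, a self-issued non-anchor, or a certificate seen twice (a cycle) is
    a validation failure rather than an infinite loop."""
    chain = [leaf]
    seen = {leaf.ski}
    current = leaf
    while current.ski not in trust_anchors:
        if current.aki is None:
            raise ChainError(f"{current.name} is self-issued but not a configured trust anchor")
        parent = lookup(current.aki)
        if parent is None:
            raise ChainError(f"no certificate with SKI {current.aki!r} found for {current.name}")
        if parent.ski in seen:
            raise ChainError(f"cycle detected at {parent.name}")
        seen.add(parent.ski)
        chain.append(parent)
        current = parent
    return chain


def chain_via_scan(store: List[Cert], leaf: Cert,
                   trust_anchors: Set[str]) -> Tuple[List[str], int]:
    """Database-query model: every parent lookup scans the store, O(n) per step.

    Returns the chain (by name) and the number of certificate comparisons made."""
    comparisons = 0

    def lookup(ski: str) -> Optional[Cert]:
        nonlocal comparisons
        for cert in store:
            comparisons += 1
            if cert.ski == ski:
                return cert
        return None

    chain = build_chain(leaf, lookup, trust_anchors)
    return [c.name for c in chain], comparisons


def chain_via_hash(store: List[Cert], leaf: Cert, trust_anchors: Set[str]) -> List[str]:
    """Hash-table model: index once, then each parent lookup is one dict probe."""
    index = build_ski_index(store)
    return [c.name for c in build_chain(leaf, index.get, trust_anchors)]


def is_valid_chain(store: List[Cert], leaf: Cert, trust_anchors: Set[str]) -> bool:
    """True if a complete chain to a trust anchor exists for `leaf`."""
    try:
        chain_via_hash(store, leaf, trust_anchors)
        return True
    except ChainError:
        return False


# Constructed sample repository: trust anchor -> RIR -> LIR -> end-entity, plus an orphan
# whose issuer was never fetched.
TA = Cert("TA", ski="ta", aki=None)
RIR = Cert("RIR", ski="rir", aki="ta")
LIR = Cert("LIR", ski="lir", aki="rir")
EE = Cert("EE", ski="ee1", aki="lir")
ORPHAN = Cert("ORPHAN", ski="orph", aki="missing-issuer")
SAMPLE_STORE = [TA, RIR, LIR, EE, ORPHAN]
TRUST_ANCHORS = {"ta"}

if __name__ == "__main__":
    names, cmp_count = chain_via_scan(SAMPLE_STORE, EE, TRUST_ANCHORS)
    print("scan:", names, "comparisons:", cmp_count)
    print("hash:", chain_via_hash(SAMPLE_STORE, EE, TRUST_ANCHORS))
    print("orphan valid:", is_valid_chain(SAMPLE_STORE, ORPHAN, TRUST_ANCHORS))
```

With the five constructed certificates, the scan needs six comparisons to assemble the four-certificate chain, while the indexed version needs one probe per step; on a real repository with tens of thousands of certificates the scan cost grows with the store size and the probe cost does not, which is the effect the paper's acceleration ratios measure.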


Citation: 安春林, 马迪, 王伟, 毛伟. Optimization Method of RPKI Certificate Verification Based on Hash Table. Computer Systems & Applications (计算机系统应用), 2018, 27(2): 132-137

History
  • Received: May 16, 2017
  • Revised: June 05, 2017
  • Online: February 05, 2018
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-3