###
计算机系统应用英文版:2016,25(8):16-22
本文二维码信息
码上扫一扫!
RPKI中CA资源分配风险及防护技术
(1.中国科学院大学 计算机网络信息中心, 北京 100190;2.中国互联网络信息中心 互联网域名管理技术国家工程实验室, 北京 100190)
Resource Allocation Risks by CAs in RPKI and Feasible Solutions
(1.Computer Network Information Center, University of Chinese Academy of Sciences, Beijing 100190, China;2.National Engineering Laboratory for Naming and Addressing, China Internet Network Information Center, Beijing 100190, China)
摘要
图/表
参考文献
相似文献
本文已被:浏览 1713次   下载 2922
Received:December 15, 2015    Revised:January 28, 2016
中文摘要: 边界网关协议在安全方面存在严重的缺陷,容易导致路由劫持这一互联网安全威胁. 为此,国际互联网工程任务组提出了资源公钥基础设施(Resource Public Key Infrastructure,RPKI)以防止路由劫持的发生. 然而随着RPKI技术的发展及其在全球范围内的部署,与RPKI中认证权威相关的安全问题逐渐突显,并受到广泛关注. 对RPKI中认证权威的资源分配过程进行研究分析,通过实验测试,验证了认证权威在资源分配的过程中资源重复分配和未获授权资源分配两种潜在的安全风险,并分析了两种风险对资源持有者可能造成的不良影响. 此外,针对这两种安全风险,提出并实现了一种用于保证RPKI中认证权威资源分配安全性和准确性的“事前控制”机制,该机制可以有效地防止资源重复分配和未获授权资源分配两种操作风险的发生,减少了由于认证权威的错误操作所导致的故障恢复等待时间. 最后,通过进一步的实验测试,验证、分析了这种“事前控制”机制的有效性和可行性.
Abstract:There are serious security vulnerabilities in BGP (Border Gateway Protocol) which may lead to route hijacking. In order to overcome these BGP security defects, RPKI (Resource Public Key Infrastructure) was proposed by IETF (Internet Engineering Task Force). However, with the development and global deployment of RPKI, a lot of concerns about the security of certificate authority in RPKI have been raised. In this paper, it carries out experiments about two scenarios (resource reassignment and unauthorized resource assignment) on our RPKI testbed, and analyzes the security problems they may lead to, based on our research and analysis of the process of resource allocation. Besides, for these two kinds of security risks, this paper presents and implements a pre-control mechanism. Finally, it conducts further experiments on our testbed to prove that the pre-control mechanism we presented is feasible and effective to avoid the time limit for recovering from the failure caused by certificate authority's operational mistakes during the process of resource allocation.
文章编号:     中图分类号:    文献标志码:
基金项目:国家自然科学基金(61272433)
引用文本:
刘晓伟,延志伟,耿光刚,李晓东.RPKI中CA资源分配风险及防护技术.计算机系统应用,2016,25(8):16-22
LIU Xiao-Wei,YAN Zhi-Wei,GENG Guang-Gang,LI Xiao-Dong.Resource Allocation Risks by CAs in RPKI and Feasible Solutions.COMPUTER SYSTEMS APPLICATIONS,2016,25(8):16-22