Received:May 16, 2017 Revised:June 05, 2017
Abstract: In the Resource Public Key Infrastructure (RPKI), the Relying Party (RP) synchronizes resource certificates and signed objects (ROAs, Manifests, Ghostbusters) from the repository and verifies them, then processes the valid ROAs into the authoritative bindings between IP address blocks and AS numbers that are used to guide BGP routing. In the current implementation, the certificate verification module recursively looks up the parent of the certificate under verification through database queries to construct the complete certificate chain, and OpenSSL performs the final verification. Because the number of certificates in the RPKI system is large, the database-query approach is inefficient. The RPKI operating model moves computation cost from the BGP router (the user) to the RP server (the server); combining this with the idea of trading space for time, certificate information can be read into memory to reduce the time spent on I/O. Building on these ideas, and on the fact that looking up an entry in a hash table has an optimal time complexity of O(1), we design and implement a hash-table-based optimization method for RPKI certificate verification. The experimental results show that the average time acceleration ratio in the three designed scenarios is 99.03%, 98.45%, and 97.48% respectively, which effectively reduces the time consumption.
Keywords: Resource Public Key Infrastructure (RPKI); space-time tradeoff; hash table; certificate verification
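The in-memory parent lookup the abstract describes, as an added example that is not the authors' implementation. It assumes the table is keyed by Subject Key Identifier and that a child's Authority Key Identifier names its parent, which the abstract does not specify; the `Cert` record and all sample values are constructed. Signature and resource checks on the resulting chain stay with the crypto library, as in the paper's OpenSSL step.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:                      # hypothetical minimal record, not a real X.509 parse
    name: str
    ski: str                     # Subject Key Identifier
    aki: Optional[str]           # Authority Key Identifier; None on a trust anchor

def index_by_ski(certs):
    """One pass over the certificates already read into memory: SKI -> Cert."""
    return {c.ski: c for c in certs}

def build_chain(leaf, table, max_depth=32):
    """Walk leaf -> trust anchor with one O(1) average-case lookup per level.

    Returns the chain (leaf first), or None when a parent is missing,
    the AKI links form a loop, or the chain exceeds max_depth.
    """
    chain, seen, cur = [leaf], {leaf.ski}, leaf
    # A trust anchor is self-signed: AKI absent or equal to its own SKI.
    while cur.aki is not None and cur.aki != cur.ski:
        parent = table.get(cur.aki)
        if parent is None or parent.ski in seen or len(chain) >= max_depth:
            return None
        chain.append(parent)
        seen.add(parent.ski)
        cur = parent
    return chain

# Constructed sample data: a four-level hierarchy, an orphan, and a loop.
SAMPLE = [
    Cert("ta", "A1", None),
    Cert("rir-ca", "B2", "A1"),
    Cert("isp-ca", "C3", "B2"),
    Cert("roa-ee", "D4", "C3"),
    Cert("orphan", "E5", "FF"),   # parent was never fetched
    Cert("loop-x", "X1", "Y1"),
    Cert("loop-y", "Y1", "X1"),   # loop-x and loop-y name each other as issuer
]
TABLE = index_by_ski(SAMPLE)

if __name__ == "__main__":
    for cert in SAMPLE:
        chain = build_chain(cert, TABLE)
        print(cert.name, "->", [c.name for c in chain] if chain else "no chain")
```

A chain returned here is only a candidate path; each link still has to pass signature, validity-period and resource-containment checks before any ROA under it is used.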
Citation:
AN Chun-Lin, MA Di, WANG Wei, MAO Wei. Optimization Method of RPKI Certificate Verification Based on Hash Table. COMPUTER SYSTEMS APPLICATIONS, 2018, 27(2): 132-137