
Research on Security Monitoring Technologies for Inter-domain Routing in the Internet

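【Author】 Liu Xin (刘欣)

【Advisor】 Peng Yuxing (彭宇行)

【Author information】 National University of Defense Technology, Computer Science and Technology, 2008, PhD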

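【Abstract (from the Chinese)】 Today the Internet plays a pivotal role in national economic and social development, and many critical applications, such as e-finance, e-commerce, e-government and telemedicine, are expanding rapidly on it. However, the BGP routing system, an important part of the Internet's critical infrastructure, lacks the necessary security mechanisms, so a malicious autonomous system (AS) network administrator can announce, intercept or tamper with BGP routes at will. The Internet routing system therefore faces serious security threats. In recent years a number of routing security incidents, prefix hijacking incidents in particular, have occurred in the BGP routing system. These incidents led industry and academia to pay attention to the security of the BGP routing system and to propose a variety of solutions based on security extensions to the BGP protocol. So far, no BGP security extension has been widely adopted and actually deployed. Under these circumstances, BGP security monitoring is a technique that can deliver real practical benefit. However, given the characteristics of both the BGP protocol's security problems and BGP security monitoring technology itself, many problems in BGP route security monitoring are highly challenging. This thesis studies in depth the key technologies of BGP security monitoring, mainly: methods for BGP route receivers to verify route validity, methods for BGP route announcers to detect prefix hijacking, and methods for assessing the BGP routing security situation. The main contributions and innovations are summarized as follows.

To address the problem that BGP route receivers currently find it hard to verify route validity, a prefix-policy-based BGP route validation method, E-IRR, is proposed. Borrowing the idea of registering routing policies from the Internet Routing Registry mechanism, the method uses prefix policies to describe how AS network administrators use their IP address space, adopts "preemptive registration" to ensure the validity of prefix policies, and builds globally trusted ownership information for all prefixes, thereby helping AS network administrators verify the validity of the BGP routes they receive. Compared with existing BGP route validation schemes, E-IRR has three advantages: (1) expressing prefix policies in an extended Routing Policy Specification Language (RPSL) makes it possible to describe, at a fairly high level, the address space an AS owns and how it is used, without revealing internal private information; (2) the more network operators publish prefix policies through E-IRR, the more operators are attracted to use it, and the more operators obtain prefix policies through E-IRR, the more operators are willing to publish, which in turn ensures the validity of the prefix policies; (3) because no security extension to the BGP protocol is needed, E-IRR strikes a balance between routing security capability and practical deployment requirements.

To address the problem that BGP route announcers currently find it hard to discover that their prefixes have been hijacked, a prefix hijacking detection method based on the cooperation of multiple ASes, Co-Monitor, is proposed. The method makes full use of the autonomous nature of the BGP routing system: it treats each AS's ability to monitor prefixes in its local BGP routing domain as a resource and motivates all participating ASes to contribute this resource so that prefixes are monitored cooperatively. Without leaking any participating AS's private routing information, it extends the BGP route monitoring scope of a single participant in a self-organizing way, thereby helping AS network administrators discover hijacking of their own prefixes in time. Compared with prefix hijacking detection methods based on existing BGP monitoring systems, Co-Monitor has two main advantages: (1) every participating AS gains a wider BGP route monitoring scope, and the collected BGP routes have richer route diversity, which significantly lowers the miss rate of prefix hijacking detection; (2) monitored BGP routers are not required to contribute routing updates externally, and the information exchanged among participants contains only changes in the prefix origin of the relevant BGP routes and no concrete BGP routes, so no participating AS's private routing information is leaked.

To address the lack of an effective routing security situation assessment method in current BGP security monitoring systems, a route-status-based routing security situation assessment method, SEM, is proposed. The method can be applied in BGP security monitoring systems to give network administrators intuitive routing security situation curves at different granularities. Its basic idea is to construct a route status tree based on the hierarchical nature of the BGP routing system, which accurately describes the hierarchical relationships among the routing entities in the BGP routing system and stores and expresses the routing security state of each entity, and to compute each entity's routing security state from the detected anomalous routes. Experiments show that the method can assess the routing security threat situation at three levels: the BGP router, the autonomous system and the BGP routing system.

To meet the BGP security monitoring needs of the national backbone network, an Internet routing security monitoring and situation visualization system, RouSSeau, is designed and implemented. The system uses a layered, modular design, implements the three methods proposed in this thesis, and can provide routing security situation analysis for the BGP routing system of the domestic backbone network.

In summary, this thesis studies the security problems of Internet inter-domain routing and BGP route security monitoring technology, and proposes effective solutions to the key problems of BGP route validation, prefix hijacking detection and security situation assessment. It has theoretical significance and practical value for advancing research on BGP security problems and for making BGP security monitoring technology practical.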

【Abstract】 Nowadays, the Internet has become vital to national economic and social development, and a great number of critical applications are flourishing on it, such as e-finance, e-commerce, e-government and telemedicine. However, as an important component of the critical Internet infrastructure, the BGP routing system lacks necessary security mechanisms, and malicious autonomous system (AS) operators may arbitrarily announce, intercept or tamper with BGP routes. As a result, the routing system of the Internet is confronted with serious security threats.

In recent years, the BGP routing system has suffered several routing security incidents, especially prefix hijacking. These events have drawn great attention in both industry and academia to security issues in the BGP routing system, and several security extensions for BGP have been proposed. So far, none of them has been widely deployed. In this situation, BGP security monitoring is a really effective technical approach. In view of the characteristics of the security problems of the BGP protocol and of BGP security monitoring technologies, there are many challenging research issues in BGP security monitoring.

In this thesis, we study some key technologies in the field of BGP security monitoring, mainly the methods used to verify the validity of routes on the part of BGP receivers, to detect prefix hijacking on the part of BGP announcers, and to evaluate the security situation of the BGP routing system. Our major contributions and innovations are as follows.

Considering the difficulties BGP route receivers have in validating received routes, we propose the E-IRR method, which is based on prefix policies, to validate BGP routes. Drawing on the principle of registering routing policy used in the Internet Routing Registry (IRR) mechanism, E-IRR uses prefix policies to represent how AS operators use their IP address space. Furthermore, the method adopts "Preemptive Registering" to ensure the validity of prefix policies and aims to build global, reliable information on the ownership of all prefixes; it can thereby help Internet operators validate the routes they receive. Compared with current BGP route-validation methods, E-IRR has the following three advantages. First, by extending the Routing Policy Specification Language (RPSL) to describe prefix policies, E-IRR can describe the IP address space held by ASes and its usage modes at a higher level without revealing any private information. Second, the more ISPs publish their prefix policies through E-IRR, the more ISPs are attracted to use it, and vice versa. In this way, the validity of the registered prefix policies can be guaranteed. Third, without any security extensions to BGP, E-IRR strikes a good balance between the ability to secure BGP routing and practical deployment needs.

To solve the current difficulties BGP route announcers have in detecting prefix hijacks, we propose the Co-Monitor scheme, a new method based on the cooperation of multiple ASes to detect prefix hijacking. Since the BGP routing system is autonomous, the method regards the ability of every AS to monitor its local BGP routing domain as a type of resource, and encourages all participating ASes to provide these resources in order to monitor their prefixes cooperatively. It can thus enlarge the monitoring scope of a single participant without leaking any private routing information, and help participants discover prefix hijacks against them in real time. In comparison with current hijacking detection approaches, Co-Monitor performs better in at least two respects. First, Co-Monitor gives all joined ASes a wider monitoring range of BGP routing and captures more BGP route diversity, so it helps to reduce the false negative ratio in prefix hijacking detection. Second, Co-Monitor does not require the monitored BGP routers to publish their private routes, and the information participants exchange with each other contains only BGP origin changes. Because none of the information exchanged in Co-Monitor refers to any concrete BGP routes, the privacy of participants is not revealed.

To evaluate security threat situations in the BGP routing system, we propose the SEM method, which is based on route status. The method can provide Internet operators with intuitive routing security state curves at various granularities. Based on a route status tree derived from the hierarchical characteristics of the BGP routing system, SEM can describe the hierarchical relationships among the routing entities in it, and store and record the route security state of every routing entity. Finally, the method computes the routing security state of every entity according to the detected anomalous BGP routes. Our experiments show that SEM can evaluate security threat situations at three levels: BGP routers, ASes and the whole BGP routing system.

To satisfy the BGP security monitoring requirements of national backbone networks, we design and implement RouSSeau, which stands for Routing Security Situation Awareness, Assessment, and Visualization. The system has a modular, layered design and implements the above three methods. It can provide security threat situation analysis for the BGP routing system of the national backbone networks.

In summary, we have studied the security problems of Internet inter-domain routing and BGP security monitoring technologies, and have proposed effective solutions to verify BGP routes, detect prefix hijacks and evaluate security threat situations. They are of great significance in both theory and practice for promoting research on security issues in BGP and the practicality of BGP security monitoring technology.
