
Research on Key Technologies of Secure Inter-Domain Routing Protocols

Research on Security Inter-Domain Routing Protocol

【Author】 Zhao Chen

【Advisor】 Yang Yixian

【Author information】 Beijing University of Posts and Telecommunications, Information Security, 2013, Doctoral dissertation

【Abstract (translated from the Chinese)】 Today, with the rapid development of the Internet, it has become as inseparable from our daily lives as food, clothing, housing and transport. Routing is the structural cornerstone of the network; on the basis of dividing the network into autonomous systems (AS), routing is split into two levels, intra-domain routing and inter-domain routing. The Border Gateway Protocol (BGP), the only standard inter-domain routing protocol, exchanges network reachability information between autonomous systems, and its security is of vital importance to the entire Internet. BGP was designed on the assumption of a highly trusted network and includes no security mechanisms at all; in today's increasingly complex Internet environment it can no longer meet the network's requirements. The frequent inter-domain routing security incidents of recent years show that strengthening the security of the inter-domain routing protocol is urgent. In response to the security problems BGP exposes, academia and industry have proposed many security schemes, such as S-BGP, soBGP and psBGP abroad and SE-BGP in China, but these schemes have not been deployed because of insufficient security, overly complex verification models and excessive resource consumption. Proposing novel, effective and lightweight security schemes and improving their performance and practicality is the key to making BGP security mechanisms deployable.

This thesis analyses in detail the security defects of BGP from two aspects, the security of routing information and the security of routing behaviour, summarises the main problems of the security schemes proposed so far, and studies in depth the key technologies related to BGP security. On the routing-information side it studies the protection of path information and the origin authentication of prefix addresses; on the routing-behaviour side it studies the detection and prevention of nonfeasance in route forwarding. It proposes new mechanisms and methods for strengthening the security of the inter-domain routing protocol that reduce the complexity of the security schemes, simplify the verification process and lower the routing resource overhead, so as to better support deployment and to offer a new path towards a trustworthy, controllable and manageable next-generation network. The contributions and innovations of this thesis are as follows:

(1) To address the shortcomings of SE-BGP, an improved BGP security mechanism is proposed that introduces proxy re-signatures and solves the problem of cross-certification of key nodes between alliances. SE-BGP has fairly serious defects: it leaks operators' private information, and nodes still have to maintain a large number of certificates, causing huge storage and management overhead, so it does not achieve truly distributed authentication. Based on proxy re-signatures, the structure of the AS alliance is modified and the TTM trust model is improved, avoiding cross-certification of key nodes, and new origin-authentication and path-authentication algorithms are given. The security analysis proves that the scheme's security capability equals that of the original scheme, and the performance analysis shows that, compared with the original scheme, it markedly reduces the number of certificates and the cost of verification and scales better.

(2) The path-verification scheme built on proxy re-signatures is improved, and a BGP path-verification mechanism based on proxy re-signatures is proposed that raises the efficiency of path verification. Network path verification is one of the important applications of proxy re-signatures. Introducing proxy re-signatures into BGP and combining them with the protocol, the thesis analyses the problems that arise in their practical application, improves the scheme, assigns roles such as the delegator sensibly within the BGP setting, and proposes the corresponding path-update and verification algorithms. The analysis shows that, while keeping path information secure, the scheme fully exploits the advantage of proxy re-signatures in reducing the number of certificates and signatures, lowers the resource overhead of path verification and scales well.

(3) Sanitizable signatures are introduced into path verification, and a BGP path-verification mechanism based on sanitizable signatures is proposed that solves the problem of being unable to restrict the sanitizer's modifications and reduces the overhead of path verification. Sanitizable signatures can be used in secure routing, completing verification with fewer signatures and certificates. Based on the idea of restricting the modification behaviour of the next-hop node, the thesis overcomes the defects of their practical application, assigns the roles of signer and sanitizer sensibly along the path, proposes a new path-authentication model and authentication algorithm, and constrains the sanitizer's modifications. The security and performance analysis shows that, compared with traditional schemes, the mechanism keeps path information secure while reducing the resources path verification needs, and scales well.

(4) Drawing on the idea of lining up in a queue in human society, a lightweight BGP path-verification scheme is proposed that simplifies the verification process and the system resources it needs. Although many BGP path-verification schemes have been proposed, their complex verification procedures and large certificate storage overhead limit their deployability. Based on an analysis of AS_PATH and the working principles of BGP, and borrowing the idea of queueing, each routing message carries the signature information of the first two autonomous systems in the path attribute, and verifying these two signatures protects the path information. Simulation results show that, without lowering security, the scheme effectively reduces the number of signatures, the signature information does not accumulate as the path grows, and the number of certificates falls markedly; it is easy to operate and highly practical.

(5) On the routing-behaviour side, a feedback mechanism is introduced into the BGP route announcement process, and a security scheme is proposed for detecting and preventing nonfeasance in route forwarding. An analysis of anomalous forwarding behaviour finds that the nonfeasance case, in which an autonomous system fails to forward routing information it should have continued to announce, has not been studied. The thesis analyses the causes of nonfeasance and gives it a precise definition. Based on the relationships between ASes within two hops, a decision algorithm is proposed for judging a neighbour's subsequent forwarding, and a feedback mechanism introduced into the BGP announcement process detects nonfeasance. Based on BGP's route-selection rules, a penalty mechanism is designed to ensure that the selected path is safe and to reduce the occurrence of nonfeasance effectively. Simulation results show that the scheme improves the overall security of the inter-domain routing system with a small system burden, and is easy to extend and implement.

In summary, this thesis studies the security problems of the inter-domain routing protocol BGP. From the two angles of routing-information security and routing-behaviour security, it presents five main research contributions, giving solutions for BGP prefix origin authentication and path-information authentication and for nonfeasance in route forwarding. Compared with existing schemes, they improve the performance of BGP security schemes and reduce their complexity and resource overhead, which has theoretical significance and practical value for advancing research on BGP security schemes and their deployability.

【Abstract】 With the rapid development of the Internet, it has become an inseparable part of daily life, like food, clothing, housing and transport. Routing is the cornerstone of the network. Based on the division into autonomous systems (AS), the routing system is classified into two levels, intra-domain routing and inter-domain routing. As the only de facto inter-domain routing protocol, the Border Gateway Protocol (BGP) is used to exchange routing information between ASes, and its security is of great significance for the whole Internet. BGP was designed on the assumption that the network environment is trusted and reliable. Because it lacks the necessary security mechanisms, BGP cannot satisfy the security requirements of today's ever-deteriorating Internet environment. In the past few years, the high frequency of inter-domain routing incidents has shown that enhancing the security of BGP is urgent. Many secure protocols have been proposed by academia and industry for the security issues BGP exposes, such as S-BGP, soBGP, psBGP and SE-BGP. However, none of the proposed methods has been deployed so far, because of insufficient security, overly complex verification models and excessive consumption of routing resources. The key to deploying BGP security mechanisms is to propose new, simple and lightweight solutions and to improve their performance and practicality.

This thesis analyses BGP security vulnerabilities from two aspects: routing information security and routing behaviour security. It summarises the major defects of existing methods as a basis for further research on the key technologies of a secure BGP, and designs novel, high-efficiency security mechanisms. From the perspective of keeping routing information secure, the research focuses on the security of path information and on IP prefix origin authentication. From the perspective of keeping routing behaviour secure, it focuses on detecting and preventing nonfeasance in inter-domain route forwarding. The presented schemes increase the security of the inter-domain routing system and reduce the complexity and resource cost of the solutions by simplifying the verification process. They provide better support for deployment and new approaches for implementing a measurable, controllable and manageable next-generation IP network. The main innovations and contributions of this thesis are as follows:

(1) To address the defects of SE-BGP, an improved BGP security mechanism is proposed that introduces proxy re-signatures to solve the problem of cross-certification of key nodes between AS alliances. SE-BGP has some relatively serious defects: it leaks Internet Service Provider (ISP) information, and the maintenance of many additional certificates wastes storage and management resources, so SE-BGP is not a truly distributed certificate authority method. Based on proxy re-signatures, the AS alliance is modified and the TTM trust model is improved in this thesis, solving the cross-certification problem of key nodes with novel algorithms for origin authentication and path verification. Security analysis demonstrates that the scheme has security capability similar to SE-BGP, and performance evaluation shows that it scales better, reducing the cost of certificate storage and information verification compared with SE-BGP.

(2) The thesis improves the application of proxy re-signatures to path verification, proposing a new security mechanism for BGP path verification based on proxy re-signatures that raises the efficiency of path verification. Network path verification is one of the main applications of proxy re-signatures, so proxy re-signatures are introduced into BGP for the first time. Combining them with the characteristics of BGP, the thesis gives a detailed analysis of the problems that arise when proxy re-signatures are applied to path verification in practice, improves the original path-verification methods, and allocates roles such as the delegator sensibly within the BGP environment. Corresponding algorithms are proposed for BGP path update and verification. Security analysis and performance evaluation demonstrate that the mechanism fully exploits the smaller number of signatures and certificates that proxy re-signature verification needs while retaining strong security; it reduces routing resource expense and scales well.

(3) Sanitizable signatures are introduced into BGP path verification, and a security mechanism based on them is proposed. It decreases the cost of path verification and solves the problem that the sanitizer's modification behaviour cannot be restricted. Sanitizable signatures can be used for secure routing and consume fewer signatures and certificates in the verification process. Based on the idea of restricting the modification behaviour of the next-hop node, the mechanism overcomes the defects of their application and allocates roles such as the sanitizer sensibly within the BGP environment. A novel path-authentication model and algorithms are presented to constrain the behaviour of the sanitizer. Security analysis and performance evaluation show that the scheme reduces routing resource consumption with good security and scalability.

(4) Drawing on the phenomenon of lining up in human society, a lightweight method is designed for BGP path verification that simplifies the verification process and consumes fewer resources. Many security mechanisms have been proposed for BGP path verification, but none has been widely accepted so far because of high computational overhead and excessive certificate storage cost. Based on an analysis of the AS_PATH attribute and the basic principles of BGP, and with reference to the line-up phenomenon, the signatures of the first two ASes are carried in every route update, and these two signatures protect the path information against illegal modification. System simulation results show that this mechanism reduces the number of signatures, which does not grow with path length. It also reduces the number of certificates used while keeping strong security, and makes the system simpler and more efficient to deploy, with great practicality.

(5) On the routing-behaviour side, a security mechanism is designed for detecting nonfeasance by introducing a feedback approach into the process of BGP route announcement. According to the analysis of anomalous forwarding in inter-domain routing, existing research lacks a treatment of nonfeasance, in which an autonomous system does not forward routing information to its peers although it was supposed to. An accurate definition of nonfeasance in inter-domain route forwarding is given based on an analysis of its causes. Based on the AS relationships between neighbours within two hops, algorithms are designed to determine the subsequent forwarding process of neighbour nodes, and a feedback approach is introduced into the BGP route announcement process to detect nonfeasance. Combined with BGP route selection, the scheme offers an efficient penalty algorithm to keep the selected path safe and lessen the risk of nonfeasance. System simulation results show that it improves the overall security of the inter-domain routing system with a small burden on the system, scales well and is easy to deploy.

In summary, this thesis studies the security vulnerabilities of BGP in the inter-domain routing system and proposes five major research contributions from two perspectives: the security of routing information and the security of routing behaviour. It presents the corresponding solutions for prefix origin authentication, path verification and nonfeasance detection. Compared with previously proposed solutions, the schemes in this thesis increase the performance and practicality of security mechanisms by reducing the complexity and resource expense of verification and validation. They are significant in both theory and practice for promoting research on BGP security issues and the future deployment of security mechanisms.
