基于RPKI协议的路由过滤子系统的设计与实现

发布时间：2018-05-13 22:13

本文选题：BGP协议 + 前缀劫持　；参考：《哈尔滨工业大学》2017年硕士论文

【摘要】：在日益复杂的网络环境中,BGP协议作为唯一一个域间路由协议,能够妥善处理好不相关路由域间的多路连接。与其他的BGP系统交换网络可达信息是BGP协议的主要功能,但是BGP协议本身没有提供任何安全机制保障互联网域间路由系统的安全,因此前缀劫持等攻击行为成了互联网BGP域间路由系统中的首要安全威胁。在此背景下,本论文通过分析路由前缀劫持产生的具体原因,从网络安全的角度,提出了基于RPKI协议的路由过滤的验证方法,以减少前缀劫持对网络的危害。本文的主要创新性研究工作包括:首先,针对路由前缀劫持问题提出了基于RPKI协议的路由源验证的方案,即验证路由信息中IP地址前缀和AS号码绑定关系的合法性。通过验证处理过程,得知路由信息是否完整和正确,根据验证结果优选验证结果为有效的路径转发流量,避免了路由前缀劫持事件的误导和影响。第二,本系统设计了命令行、会话连接、报文处理、ROA信息处理、路由信息处理以及高可靠性保障这六大模块,由这六大模块完成本系统的RPKI路由源验证功能。在本方案中,对会话连接过程的处理采用了MD5签名验证,并采用Radix树数据结构形式存储ROA信息,在路由源验证结果分发处理的信息记录方面,提出了动态扩展BIT-MAP数据结构,进一步节省了存储空间。第三,搭建了C/S架构模式的RPKI路由源验证演示系统,通过演示系统可验证经命令行配置使能路由源验证功能后,路由信息是否合法,查看路由信息的显示结果依据源验证结果优先级排序。最后,经实验测试表明,本系统在功能使用方面满足企业级使用要求,并且经过系统程序调优和设备联调,本系统已投入实际网络环境中使用运行。
[Abstract]:As the only inter-domain routing protocol in the increasingly complex network environment, BGP protocol can handle the multiplex connections between unrelated routing domains properly. Exchanging network reachable information with other BGP systems is the main function of BGP protocol, but the BGP protocol itself does not provide any security mechanism to ensure the security of Internet inter-domain routing system. Therefore, prefix hijacking and other attacks have become the primary security threat in Internet BGP inter-domain routing systems. In this context, this paper analyzes the specific reasons of routing prefix hijacking, from the point of view of network security, proposes a verification method of routing filtering based on RPKI protocol to reduce the harm of prefix hijacking to the network. The main innovative research work in this paper includes: firstly, a scheme of routing source verification based on RPKI protocol is proposed to solve the problem of routing prefix hijacking, that is, to verify the legitimacy of the binding relationship between IP address prefix and as number in routing information. Through the verification process, we know whether the routing information is complete and correct, and select the effective route forwarding traffic according to the verification result, thus avoiding the misdirection and influence of the route prefix hijacking event. Secondly, the system designed six modules: command line, session connection, message processing, routing information processing and high reliability guarantee. The six modules completed the RPKI routing source verification function of the system. In this scheme, the process of session connection is verified by MD5 signature, and the ROA information is stored in the form of Radix tree data structure. In the aspect of information record of routing source verification result distribution processing, a dynamic extended BIT-MAP data structure is proposed. Further save storage space. Thirdly, a C / S architecture RPKI routing source verification demonstration system is built. The demonstration system can verify whether the routing information is legal after the command line configuration can enable the routing source verification function. The display results of viewing routing information are sorted according to the priority of the source validation results. Finally, the experimental results show that the system can meet the requirements of the enterprise in function use, and the system has been put into use and run in the actual network environment after the system program optimization and equipment tuning.
【学位授予单位】：哈尔滨工业大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.0

【参考文献】