CN107911339B - Information maintenance method and device - Google Patents

Publication number: CN107911339B
Application number: CN201710984944.0A
Authority: CN (China)
Prior art keywords: information, roa, bgp, function, rpki
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107911339A (en)
Inventor: 苏平
Current assignee: Hangzhou H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201710984944.0A; publication of CN107911339A; application granted; publication of CN107911339B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 ... for managing network security; network security policies in general

Abstract

The disclosure relates to an information maintenance method and device. The method comprises the following steps: sending an ROA information maintenance request to an RPKI server, wherein the ROA information maintenance request comprises identity authentication information corresponding to the BGP device; on receiving authorization information returned by the RPKI server according to that identity authentication information, enabling an ROA information maintenance function on the BGP device, wherein the ROA information maintenance function comprises an ROA information generation function and/or a proxy ROA information issuing function; and maintaining the ROA information according to the ROA information maintenance function. The information maintenance method and device enrich the ways in which ROA information is generated and maintained and ensure the effective operation of a source AS verification system.

Description

Information maintenance method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an information maintenance method and apparatus.
Background
In the related art, in an RPKI BGP network, a BGP (Border Gateway Protocol) device acts as an RPKI (Resource Public Key Infrastructure) client and requests ROA (Route Origin Authorization) information from a designated RPKI server. The ROA information includes a Network Prefix (Network-Prefix), a Mask Range (Mask-Range), a route source AS number (origin-AS) and the like, and describes the AS (Autonomous System) to which a given network prefix belongs. After acquiring the ROA information, the BGP device can perform route source AS verification on the network prefixes it learns locally.
Fig. 1 shows a schematic diagram of RPKI BGP networking in the related art. As shown in fig. 1, R1 requests the RPKI server for ROA information for verifying the authenticity of the network prefix learned locally by R1 to prevent route hijacking. The ROA information in the RPKI server needs to be manually imported and maintained, and the maintenance cost is high when a large number of network prefixes in the network need to be subjected to security verification. When the network changes, the ROA information is required to be updated and maintained in time, and the requirements are difficult to meet through manual import and maintenance. In addition, in the RPKI BGP networking in the related art, if connection between the BGP device and the RPKI server is interrupted, ROA information is aged and deleted, and the RPKI mechanism is disabled, so that a network prefix that originally does not pass verification is issued to the network, resulting in a serious consequence.
Disclosure of Invention
In view of this, the present disclosure provides an information maintenance method and apparatus, so as to solve the problem of the high maintenance cost caused by manually importing and maintaining ROA information in the RPKI server in the related art.
According to an aspect of the present disclosure, there is provided an information maintenance method for an RPKI server, including:
receiving an ROA information maintenance request from a BGP device, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device;
determining, according to the identity authentication information corresponding to the BGP device, whether the BGP device is authorized to have an ROA information maintenance function, where the ROA information maintenance function includes an ROA information generation function and/or a proxy ROA information issuing function;
and, in a case where the BGP device is authorized to have the ROA information maintenance function, sending authorization information allowing the BGP device to have the ROA information maintenance function to the BGP device.
According to another aspect of the present disclosure, there is provided an information maintenance method for a BGP device, including:
sending an ROA information maintenance request to an RPKI server, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device;
on receiving authorization information returned by the RPKI server according to the identity authentication information corresponding to the BGP device, enabling an ROA information maintenance function on the BGP device, where the ROA information maintenance function includes an ROA information generation function and/or a proxy ROA information issuing function;
and maintaining the ROA information according to the ROA information maintenance function.
According to another aspect of the present disclosure, there is provided an information maintenance apparatus for an RPKI server, including:
a request receiving module, configured to receive an ROA information maintenance request from a BGP device, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device;
an authorization judging module, configured to determine, according to the identity authentication information corresponding to the BGP device, whether the BGP device is authorized to have an ROA information maintenance function, where the ROA information maintenance function includes an ROA information generation function and/or a proxy ROA information issuing function;
and an authorization information sending module, configured to send authorization information allowing the BGP device to have the ROA information maintenance function to the BGP device in a case where the BGP device is authorized to have the ROA information maintenance function.
According to another aspect of the present disclosure, there is provided an information maintenance apparatus for a BGP device, including:
a request sending module, configured to send an ROA information maintenance request to an RPKI server, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device;
a function setting module, configured to enable an ROA information maintenance function on the BGP device on receiving authorization information returned by the RPKI server according to the identity authentication information corresponding to the BGP device, where the ROA information maintenance function includes an ROA information generation function and/or a proxy ROA information issuing function;
and an information maintenance module, configured to maintain the ROA information according to the ROA information maintenance function.
According to another aspect of the present disclosure, there is provided an information maintenance apparatus including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to perform the above method.
According to another aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having computer program instructions stored thereon, wherein the computer program instructions, when executed by a processor, implement the above-described method.
The information maintenance method and device enrich the ways in which ROA information is generated and maintained and ensure the effective operation of the source AS verification system. ROA information on the RPKI server can be imported manually, and can also be generated by a BGP device from its local network prefixes and local AS information, which reduces the complexity and cost of maintaining ROA information in the RPKI server. In addition, ROA information in the RPKI server can be refreshed more quickly and synchronized to each BGP device corresponding to the RPKI server, improving efficiency. Because the RPKI server and all registered ROA proxy devices can issue ROA information, when the connection between another BGP device and the RPKI server is interrupted, that BGP device can query and synchronize with an ROA proxy device, so the source AS verification system continues to operate after the RPKI server goes offline.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features, and aspects of the disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 shows a schematic diagram of RPKI BGP networking in the related art.
Fig. 2 shows a flow chart of an information maintenance method according to an embodiment of the present disclosure.
Fig. 3 shows a flow chart of an information maintenance method according to an embodiment of the present disclosure.
Fig. 4 shows a schematic diagram of RPKI BGP networking according to an embodiment of the present disclosure.
FIG. 5 shows a block diagram of an information maintenance device according to an embodiment of the present disclosure.
FIG. 6 shows a block diagram of an information maintenance device according to an embodiment of the present disclosure.
Fig. 7 is a block diagram illustrating an apparatus 900 for information maintenance according to an example embodiment.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
In the related art, after the address of the RPKI server and the port number used to establish the connection with the RPKI server are configured on the BGP device, the BGP device automatically establishes an RPKI connection with the RPKI server for exchanging ROA information. Once the RPKI function is configured on the BGP device, whenever the BGP device receives a BGP route it performs RPKI verification on the IP address (network segment) and the route source AS number. There are three possible verification results. Not-found indicates that no entry containing the IP address (network segment) exists in the ROA database. Valid indicates that at least one entry containing the IP address (network segment) exists in the ROA database and the AS number in that entry is the same as the received route source AS number. Invalid indicates that at least one entry containing the IP address (network segment) exists in the ROA database, but the AS number in the entry differs from the received route source AS number. The RPKI verification result participates in route selection. When BGP selects a route, it first discards routes whose next hop is unreachable, and then prefers routes according to the RPKI verification result: among several BGP routes to the same IP address (network segment), the route with the highest-ranked result is optimal, the ranking from high to low being Valid, Not-found, Invalid. When routes without an RPKI verification result and routes with a verification result take part in route selection together, a route without a result is treated as Not-found.
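As an added illustration of the three verification results and the route preference just described (example code written for this page, not code from the patent or from H3C), the Python below validates a (prefix, origin AS) pair against a small constructed ROA database and ranks candidate routes. It assumes that Mask-Range is the longest prefix length a ROA entry covers (the usual maxLength semantics), so a prefix that lies inside an entry but is longer than its Mask-Range is Invalid; the sample entries use documentation prefixes and private AS numbers.

```python
import ipaddress
from dataclasses import dataclass

# Verification results as named in the description above.
VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"
# Preference order for route selection: Valid first, then Not-found, then Invalid.
PREFERENCE = {VALID: 0, NOT_FOUND: 1, INVALID: 2}


@dataclass(frozen=True)
class Roa:
    prefix: str      # Network-Prefix, e.g. "192.0.2.0/24"
    max_length: int  # Mask-Range, taken here as the longest prefix length the entry covers
    origin_as: int   # origin-AS


def covers(roa, route):
    """An entry 'contains' a route prefix when the route lies inside the entry's prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate_origin(roa_db, prefix, origin_as):
    """Return not-found, valid or invalid for (prefix, origin AS) against the ROA database.

    not-found: no entry contains the prefix.
    valid:     at least one containing entry has the same origin AS and the prefix
               length is within that entry's Mask-Range.
    invalid:   entries contain the prefix, but none of them matches the AS within range.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    containing = [r for r in roa_db if covers(r, route)]
    if not containing:
        return NOT_FOUND
    for r in containing:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return VALID
    return INVALID


def best_route(candidates):
    """Pick the optimal route among candidates for one prefix.

    Routes whose next hop is unreachable are discarded first; the rest are ranked by
    RPKI result. A route carrying no RPKI result (None) is treated as Not-found, as the
    description requires. Ties keep the earlier candidate (the description does not
    say what the later tie-breakers are).
    """
    reachable = [c for c in candidates if c["next_hop_reachable"]]
    if not reachable:
        return None
    return min(reachable, key=lambda c: PREFERENCE[c.get("rpki") or NOT_FOUND])


# Constructed sample ROA database (documentation prefixes, private AS numbers).
SAMPLE_ROA_DB = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),
    Roa("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64500), ("203.0.113.0/24", 64496)]:
        print(prefix, asn, validate_origin(SAMPLE_ROA_DB, prefix, asn))
```

The `best_route` ranking is only the RPKI step of the selection described above; a real BGP implementation continues with its usual tie-breakers after this step.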
Fig. 2 shows a flow chart of an information maintenance method according to an embodiment of the present disclosure. The method may be used in an RPKI server. As shown in fig. 2, the method includes steps S21 through S23.
In step S21, a ROA information maintenance request is received from a BGP device, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device.
In step S22, it is determined whether the BGP device is authorized to have the ROA information maintenance function according to the identity authentication information corresponding to the BGP device, where the ROA information maintenance function includes an ROA information generation function and/or an agent publishing ROA information function.
In step S23, in a case where it is determined that the BGP device is authorized to have the ROA information maintenance function, authorization information for allowing the BGP device to have the ROA information maintenance function is transmitted to the BGP device.
In one implementation, the ROA information maintenance request may be provided with a flag, and the RPKI server determines the request content of the BGP device according to the flag. For example, in the case that the flag bit in the ROA information maintenance request is 1, the RPKI server determines that the BGP device request has the function of generating ROA information; in the case that the flag bit in the ROA information maintenance request is 2, the RPKI server determines that the BGP device request has the function of issuing ROA information by the agent.
In another implementation, the ROA information maintenance request may come in two types, a generate-ROA-information authorization request and a proxy-issue-ROA-information authorization request, and the RPKI server determines the request content of the BGP device according to the request type. For example, on receiving a generate-ROA-information authorization request, the RPKI server determines that the BGP device requests the ROA information generation function; on receiving a proxy-issue-ROA-information authorization request, the RPKI server determines that the BGP device requests the proxy ROA information issuing function.
As one example, the RPKI server receives a generate-ROA-information authorization request from a first BGP device, the request including identity authentication information corresponding to the first BGP device. The RPKI server determines, according to that identity authentication information, whether the first BGP device is authorized to have the ROA information generation function. Where it determines that the first BGP device is so authorized, the RPKI server sends authorization information allowing the first BGP device to have the ROA information generation function to the first BGP device.
For example, two new PDU (Protocol Data Unit) types may be defined: a generation request message and a first response message. The generation request message represents the generate-ROA-information authorization request, and the first response message is the reply to it. The generation request message may carry the identification information and identity authentication information of the first BGP device. For example, where the first BGP device is a router, the generation request message may include a Router identifier (Router ID) and a digital certificate (Authentication). The authorized first BGP device may use the digital certificate of the RPKI server for identity authentication.
The first BGP device is an ROA self-generating device, that is, once authorized by the RPKI server the first BGP device can generate ROA information from its local network prefix and local AS information. A BGP device may be any device running the BGP protocol, such as a BGP router. In the RPKI BGP network, the BGP device acts as an RPKI client and requests ROA information from the RPKI server. The local network prefix may be a network prefix in a locally originated route, e.g. 128.14.35.7/20, and the local AS information may be the local AS number, e.g. AS100; the disclosure places no limitation on these.
The identity authentication information may be a digital certificate obtained after the BGP device has been authenticated by a CA/RA authority. For example, the BGP device may apply to the CA authority for the digital certificate using information such as its local public key, and after the application succeeds obtain from the RA authority the relevant information of the RPKI server, the digital certificates of other BGP devices, the CRL (Certificate Revocation List) of the CA/RA authority, and so on. The BGP device may then authenticate with the RPKI server and other BGP devices using the obtained information; the disclosure places no limitation on this.
It should be noted that, although the identity authentication information is described above by taking a digital certificate acquired after being authenticated by a CA/RA authority as an example, those skilled in the art will understand that the present disclosure should not be limited thereto. Those skilled in the art can flexibly set the identity authentication information according to the actual application scenario.
In one implementation, if the RPKI server determines that the first BGP device requests to have the function of generating ROA information according to the maintenance request, after sending authorization information for allowing the first BGP device to have the function of generating ROA information to the first BGP device, the method further includes: the RPKI server receives and stores ROA information from the first BGP device, the ROA information generated by the first BGP device based on the local network prefix and the local AS information.
In one implementation, the receiving and storing, by the RPKI server, the ROA information from the first BGP device may include: ROA information from a first BGP device is received and stored along with source information and a sequence number for the ROA information. The source information of the ROA information may be producer information of the ROA information, such as identification information of the first BGP device, and the serial number may be an ordered number of the ROA information. The RPKI server or the ROA proxy device may perform subsequent maintenance on the ROA information based on the source information and the serial number of the ROA information.
In one implementation, a further PDU type, the ROA information message, may be defined. The ROA information message is the message that the first BGP device sends to the RPKI server or to an ROA proxy device and that carries ROA information. It may include the ROA information generated by the first BGP device together with the source information and sequence number of that ROA information. For example, where the first BGP device is a router, the ROA information message may include a network prefix (IPv4/IPv6 Prefix), an AS Number, a Router identifier (Router ID) and a Serial Number.
In one implementation, the RPKI server may store manually imported ROA information in a static ROA database and all ROA information generated by ROA self-generating devices in a dynamic ROA database. The static ROA database and the dynamic ROA database together form the ROA database, and the RPKI server issues ROA information according to this ROA database. In addition, the RPKI server may age and delete ROA information in the dynamic ROA database periodically so that the dynamic ROA database occupies less memory.
As an example, after obtaining the digital certificate issued by the CA/RA authority, the first BGP device applies to the RPKI server for authorization to generate ROA information. The RPKI server receives the generate-ROA-information authorization request from the first BGP device, the request including the digital certificate of the first BGP device. The RPKI server determines whether the first BGP device is authorized to have the ROA information generation function according to the digital certificate of the first BGP device, the CRL obtained from the CA/RA authority and the policy of the RPKI server. Where it determines that the first BGP device is so authorized, the RPKI server sends authorization information allowing the first BGP device to have the ROA information generation function to the first BGP device. The first BGP device can then generate ROA information from its local network prefix and local AS information.
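To show how the server side fits together (the flag in the maintenance request, the authorization decision against certificate, CRL and policy, the static and dynamic ROA databases with source information and serial number, and periodic aging), here is an added Python sketch written for this page; it is not the patent's or H3C's code. The Certificate and MaintenanceRequest classes, the constants GENERATE=1 and PROXY=2 for the flag values, and the use of the serial number to drop stale or replayed ROA messages are assumptions; real certificate validation (chain and signature) is replaced by a subject check and a CRL lookup.

```python
from dataclasses import dataclass, field

# Flag values in the ROA information maintenance request, per the description above.
GENERATE = 1  # requests the ROA information generation function
PROXY = 2     # requests the proxy ROA information issuing function


@dataclass(frozen=True)
class Certificate:
    """Placeholder for the digital certificate (Authentication) issued by the CA/RA."""
    subject: str   # Router ID the certificate is bound to
    serial: str    # certificate serial, the value a CRL lists once it is revoked


@dataclass(frozen=True)
class MaintenanceRequest:
    router_id: str
    cert: Certificate
    flag: int
    address: str = ""  # Address/Port of the proxy; only meaningful for PROXY requests
    port: int = 0


@dataclass
class RpkiServer:
    crl: set                   # revoked certificate serials obtained from the CA/RA
    policy: dict               # Router ID -> set of flags the operator permits
    static_roa: list = field(default_factory=list)   # manually imported entries
    dynamic_roa: dict = field(default_factory=dict)  # (router_id, serial) -> (roa, received_at)
    last_serial: dict = field(default_factory=dict)  # router_id -> highest serial accepted
    generators: set = field(default_factory=set)     # Router IDs authorized to generate ROA
    proxies: dict = field(default_factory=dict)      # Router ID -> (address, port)

    def authorize(self, req):
        """Decide the maintenance request; returns (granted, reason).

        Only the inputs the description names are modelled: the device's certificate,
        the CRL from the CA/RA and the server's policy. A real server also validates
        the certificate chain and signature, which this placeholder does not do.
        """
        if req.cert.subject != req.router_id:
            return False, "certificate subject does not match Router ID"
        if req.cert.serial in self.crl:
            return False, "certificate is revoked"
        if req.flag not in (GENERATE, PROXY):
            return False, "unknown flag"
        if req.flag not in self.policy.get(req.router_id, set()):
            return False, "policy does not grant the requested function"
        if req.flag == GENERATE:
            self.generators.add(req.router_id)
        else:
            # Recorded so the proxy device information can be pushed to every BGP device.
            self.proxies[req.router_id] = (req.address, req.port)
        return True, "authorized"

    def receive_roa(self, router_id, serial, roa, now):
        """Store ROA information from an authorized ROA self-generating device.

        Entries go to the dynamic database keyed by source (Router ID) and Serial
        Number. A serial not newer than the last one accepted from that source is
        dropped (assumed use of the serial number), so a replayed or stale message
        cannot overwrite newer information.
        """
        if router_id not in self.generators:
            return False
        if serial <= self.last_serial.get(router_id, -1):
            return False
        self.last_serial[router_id] = serial
        self.dynamic_roa[(router_id, serial)] = (roa, now)
        return True

    def age_dynamic(self, now, max_age):
        """Periodic aging: delete dynamic entries older than max_age seconds; returns count."""
        stale = [k for k, (_, t) in self.dynamic_roa.items() if now - t > max_age]
        for k in stale:
            del self.dynamic_roa[k]
        return len(stale)

    def roa_database(self):
        """What the server issues: the static and dynamic databases together."""
        return list(self.static_roa) + [roa for roa, _ in self.dynamic_roa.values()]

    def proxy_device_info(self):
        """Address and Port of every registered ROA proxy device, sent to each BGP device."""
        return dict(self.proxies)
```

A ROA entry is represented here as a plain (prefix, max_length, origin_as) tuple; the CRL, policy and certificates in any usage are constructed values.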
According to the information maintenance method, the ROA information on the RPKI server can be manually imported, and can also be generated by the BGP equipment according to the local network prefix and the local AS information, so that the complexity of ROA information maintenance in the RPKI server can be reduced, and the cost is reduced. In addition, ROA information in the RPKI server can be refreshed more rapidly and more timely, and is synchronized with each BGP device corresponding to the RPKI server, so that the efficiency is improved.
As one example, the RPKI server receives a proxy-issue-ROA-information authorization request from a second BGP device, the request including identity authentication information corresponding to the second BGP device. The RPKI server determines, according to that identity authentication information, whether the second BGP device is authorized to have the proxy ROA information issuing function. Where the second BGP device is so authorized, the RPKI server sends the ROA information to the second BGP device, so that the second BGP device can issue ROA information according to the received ROA information.
For example, two further PDU types may be defined: a proxy request message and a second response message. The proxy request message represents the proxy-issue-ROA-information authorization request, and the second response message is the reply to it. The proxy request message may carry the identification information and identity authentication information of the second BGP device. For example, where the second BGP device is a router, the proxy request message may include a Router identifier (Router ID) and a digital certificate (Authentication). The authorized second BGP device may use the digital certificate of the RPKI server for identity authentication.
The second BGP device is an ROA proxy device, that is, once authorized by the RPKI server the second BGP device can issue ROA information according to the ROA information it has stored. If there is no first BGP device in the RPKI BGP network, the ROA database the second BGP device receives from the RPKI server is the static ROA database; if there is a first BGP device, the ROA database the second BGP device receives from the RPKI server consists of the static ROA database and the dynamic ROA database.
In one implementation, if the RPKI server determines from the maintenance request that the second BGP device requests the proxy ROA information issuing function, then after determining that the second BGP device is authorized to have that function, the method further includes: the RPKI server sending proxy device information, which includes the relevant information of the second BGP device, to each corresponding BGP device.
In one implementation, the RPKI server sending the proxy device information to each corresponding BGP device may include: sending the proxy device information corresponding to all ROA proxy devices that have registered and been accepted to each BGP device corresponding to the RPKI server. The proxy device information may include the address information (Address) and port number information (Port) of the ROA proxy device.
As an example, after obtaining the digital certificate issued by the CA/RA authority, the second BGP device applies to the RPKI server for proxy-issue-ROA-information authorization. The RPKI server receives the proxy-issue-ROA-information authorization request from the second BGP device, the request including the digital certificate of the second BGP device. The RPKI server determines whether to authorize the second BGP device to have the proxy ROA information issuing function according to the digital certificate of the second BGP device, the CRL obtained from the CA/RA authority and the policy of the RPKI server. Where it determines that the second BGP device is so authorized, the RPKI server sends the ROA information to the second BGP device. The RPKI server also records the address information and port number information of the second BGP device, generates the proxy device information corresponding to the second BGP device, and sends that proxy device information to each BGP device corresponding to the RPKI server. The second BGP device can therefore issue ROA information according to the stored ROA information and respond to ROA information queries and synchronization from other BGP devices.
According to the information maintenance method, the RPKI server and all registered ROA proxy devices can issue ROA information, so when the connection between another BGP device and the RPKI server is interrupted, that BGP device can query and synchronize with an ROA proxy device, and the source AS verification system continues to operate after the RPKI server goes offline.
Fig. 3 shows a flow chart of an information maintenance method according to an embodiment of the present disclosure. The method may be used in a BGP device. As shown in fig. 3, the method includes steps S31 through S33.
In step S31, a ROA information maintenance request is sent to the RPKI server, where the ROA information maintenance request includes the identity authentication information corresponding to the BGP device.
In step S32, on receiving the authorization information returned by the RPKI server according to the identity authentication information corresponding to the BGP device, the BGP device obtains the ROA information maintenance function, where the ROA information maintenance function includes an ROA information generation function and/or a proxy ROA information issuing function.
In step S33, ROA information maintenance is performed according to the ROA information maintenance function obtained.
In one implementation manner, a first BGP device sends a request for generating ROA information authorization to an RPKI server, where the request for generating ROA information authorization includes identity authentication information corresponding to the first BGP device. And the first BGP equipment generates ROA information according to the local network prefix and the local AS information of the first BGP equipment under the condition of receiving authorization information returned by the RPKI server according to the identity authentication information corresponding to the first BGP equipment. The first BGP device transmits the generated ROA information to the RPKI server.
In one implementation, a first BGP device receives proxy device information from an RPKI server, the proxy device information including information related to a second BGP device. And the first BGP equipment generates ROA information according to the local network prefix and the local AS information and sends the generated ROA information to the second BGP equipment.
In one implementation, the first BGP device deletes the received ROA information from the RPKI server in the event that a connection with the RPKI server is detected to be broken. The first BGP equipment sends an ROA information acquisition request to the second BGP equipment. The first BGP device receives and stores ROA information from the second BGP device.
After the connection between the BGP device and the RPKI server is interrupted (an interruption caused by a user executing a Shutdown command on the interface is not included), the BGP device tries to re-establish the connection with the RPKI server and marks the ROA information obtained from the RPKI server as being in the aging state; it then performs the following operations: if the BGP device reconnects to the RPKI server within the aging time, the aging state of the ROA information is removed; if the BGP device still cannot re-establish the connection when the aging time expires, the ROA information is deleted. The aging time of the ROA information may range from 30 to 360 seconds.
In one implementation manner, the second BGP device sends an agent-issued ROA information authorization request to the RPKI server, where the request includes identity authentication information corresponding to the second BGP device. The second BGP device receives and stores ROA information from the RPKI server, and publishes ROA information according to the stored ROA information.
In one implementation, when the second BGP device receives an ROA information acquisition request from a third BGP device, it sends the stored ROA information to the third BGP device, where the third BGP device is disconnected from the RPKI server.
The third BGP device may be any BGP device whose connection with the RPKI server has been interrupted. In other words, the present disclosure only limits the connection state between the third BGP device and the RPKI server, and does not limit the type of the third BGP device, which may be an ROA self-generating device, an ROA proxy device, or an ordinary BGP device.
In one implementation, the second BGP device receives and stores ROA information from the first BGP device, the ROA information having been generated by the first BGP device based on its local network prefix and local AS information. When the second BGP device detects that its connection with the RPKI server is interrupted, it deletes the ROA information it had received from the RPKI server and publishes ROA information according to the stored ROA information from the first BGP device.
Fig. 4 shows a schematic diagram of RPKI BGP networking according to an embodiment of the present disclosure. In this case, the BGP devices can be divided into 3 types: ordinary BGP devices, ROA self-generating devices, and ROA proxy devices. As shown in fig. 4, R1 is both an ROA self-generating device and an ROA proxy device, R4 is an ROA self-generating device, and R2 and R3 are ordinary BGP devices. The following steps describe the whole synchronization process:
1. R1/R4, acting as end PKI (Public Key Infrastructure) entities, apply for digital certificates from the CA/RA
R1/R4 apply to the CA for a digital certificate using information such as their local public key. After the application succeeds, they obtain the related information of the RPKI server, the digital certificates of the other BGP devices, and the CRL of the CA/RA, where the CRL records information such as the serial number and revocation date of each digital certificate revoked by the CA.
2. R1/R4 register the ROA information self-generating function with the RPKI server; R1 also registers the ROA information agent issuing function
R1/R4 apply to the RPKI server for the ROA information self-generating function. A digital certificate issued by the CA/RA must be held when applying; the RPKI server verifies the digital certificate of R1/R4 against the CRL and decides whether to authorize according to its own policy. In addition, R1 applies to the RPKI server for the ROA information agent issuing function, which likewise requires holding a digital certificate issued by the CA/RA; the RPKI server verifies R1's digital certificate against the CRL, decides whether to authorize according to its own policy, and records the address information and port number information of R1.
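The server-side decision in steps 1 and 2 (check the device certificate against the CRL and its validity period, apply local policy to the requested functions, and record the address and port of a device granted the proxy function so they can later be pushed to other devices), as an added example that is not the patent's or H3C's code. The class and function names, the policy table, and the sample serial numbers, device names and endpoint are all constructed for the example:

```python
# Added example (not the patent's or H3C's code): the RPKI-server-side
# authorization decision described in steps 1 and 2. Function names,
# the policy table and all sample identities, serials and endpoints are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, Optional, Tuple

FUNC_SELF_GENERATE = "self_generate"   # ROA information self-generating function
FUNC_PROXY_PUBLISH = "proxy_publish"   # ROA information agent issuing function


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for the CA/RA-issued device certificate."""
    serial: str
    subject: str        # identity of the BGP device, e.g. "R1"
    not_after: date


@dataclass
class Crl:
    """Certificate revocation list: serial number -> revocation date."""
    revoked: Dict[str, date] = field(default_factory=dict)

    def is_revoked(self, serial: str, today: date) -> bool:
        when = self.revoked.get(serial)
        return when is not None and when <= today


@dataclass
class RpkiServer:
    crl: Crl
    # Server policy (assumption): which functions each device may be granted.
    policy: Dict[str, FrozenSet[str]]
    # Registered proxy devices: subject -> (address, port), pushed to other devices.
    proxies: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def authorize(self, cert: Certificate, requested: FrozenSet[str], today: date,
                  endpoint: Optional[Tuple[str, int]] = None) -> Tuple[FrozenSet[str], str]:
        """Return (granted functions, reason). An empty set means the request is refused."""
        # 1. The certificate must not appear on the CA/RA's CRL.
        if self.crl.is_revoked(cert.serial, today):
            return frozenset(), "certificate revoked"
        # 2. The certificate must still be within its validity period.
        if today > cert.not_after:
            return frozenset(), "certificate expired"
        # 3. The server's own policy decides which of the requested functions to grant.
        granted = requested & self.policy.get(cert.subject, frozenset())
        # 4. A device granted the proxy function has its address/port recorded so the
        #    server can later push this proxy device information to other BGP devices.
        if FUNC_PROXY_PUBLISH in granted:
            if endpoint is None:
                granted = granted - {FUNC_PROXY_PUBLISH}   # no reachable endpoint, no proxy role
            else:
                self.proxies[cert.subject] = endpoint
        if not granted:
            return frozenset(), "nothing granted by policy"
        return granted, "ok"

    def proxy_info_for(self, subject: str) -> Dict[str, Tuple[str, int]]:
        """Proxy device information sent to a non-proxy device (never its own entry)."""
        return {s: ep for s, ep in self.proxies.items() if s != subject}


def demo() -> Dict[str, object]:
    """Walk steps 1-2 of the page's example: R1 registers both functions, R4 only self-generation."""
    today = date(2018, 1, 1)
    crl = Crl({"0x0bad": date(2017, 12, 1)})   # constructed: one revoked serial
    server = RpkiServer(
        crl=crl,
        policy={"R1": frozenset({FUNC_SELF_GENERATE, FUNC_PROXY_PUBLISH}),
                "R4": frozenset({FUNC_SELF_GENERATE})},
    )
    r1 = Certificate("0x0001", "R1", date(2019, 1, 1))
    r4 = Certificate("0x0004", "R4", date(2019, 1, 1))
    r2 = Certificate("0x0bad", "R2", date(2019, 1, 1))   # revoked serial
    both = frozenset({FUNC_SELF_GENERATE, FUNC_PROXY_PUBLISH})
    return {
        "r1": server.authorize(r1, both, today, ("192.0.2.1", 323)),
        "r4": server.authorize(r4, both, today),            # policy strips the proxy function
        "r2": server.authorize(r2, frozenset({FUNC_SELF_GENERATE}), today),
        "proxy_info_for_r4": server.proxy_info_for("R4"),
        "proxy_info_for_r1": server.proxy_info_for("R1"),
    }
```

The CRL check is done before the policy lookup so that a revoked certificate is refused regardless of what the device asks for, and the proxy endpoint is only stored once the proxy function has actually been granted; `proxy_info_for` is what the server would push to R2/R3/R4 in step 4.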
3. R1/R4 synchronize the self-generated ROA information to the RPKI server and to R1
After R1/R4 have registered the ROA information self-generating function with the RPKI server, R1/R4 generate ROA information by binding the network prefixes in their locally originated routes with the local AS number, and advertise the ROA information to the RPKI server. R1/R4 may also aggregate the ROA information or apply policy to it to form the final ROA information. When R1/R4 announce self-generated ROA information, they must carry the source information and sequence number of the ROA information. Further, R4 advertises its self-generated ROA information to the ROA proxy device R1 in addition to the RPKI server. While the RPKI server is reachable, R1 synchronizes the dynamic ROA database with the RPKI server and refreshes it based on the sequence number to keep the ROA information consistent. When the RPKI server is not reachable, R1 deletes the static ROA database announced by the RPKI server and announces ROA information according to its local dynamic ROA database. In addition, the ROA information upload process must use the digital certificates of both sides for encryption and signature to ensure the correctness and integrity of the ROA information; the RPKI server and R1 manage and maintain the dynamic ROA database after receiving the generated ROA information. The RPKI server then synchronizes all locally valid ROA information to all BGP devices R1/R2/R3/R4.
4. The RPKI server synchronizes ROA information to all BGP devices R1/R2/R3/R4 and sends proxy device information
The RPKI server synchronizes the ROA information to all BGP devices R1/R2/R3/R4. In addition, the RPKI server sends proxy device information, namely the address information and port number information of R1, to the BGP devices other than the ROA proxy device, i.e. R2/R3/R4. When the RPKI server and R1 synchronize self-generated ROA information with each other, they must carry the source information and sequence number of the ROA information so that the ROA information between R1 and the RPKI server can be synchronized correctly; these need not be carried when synchronizing to a BGP device other than the ROA proxy device.
The sources of ROA information on the RPKI server are: static ROA, imported manually; and dynamic ROA, advertised by ROA self-generating devices. After the RPKI server has collected all ROA information generated by the ROA self-generating devices, it must maintain a dynamic ROA database, which is distinguished according to the source information of the ROA information and must be maintained jointly by the RPKI server and the ROA proxy device to keep the ROA information consistent.
At this point, ROA self-generation, ROA synchronization and the pushing of ROA proxy device information have all been deployed and synchronized across the whole network. The following describes how ordinary BGP devices, ROA proxy devices and ROA self-generating devices behave in several RPKI server failure scenarios, to illustrate the effectiveness of the scheme:
Scenario one:
As shown in fig. 4, when the TCP connection between the ordinary BGP device R2 and the RPKI server is interrupted due to an abnormality of the RPKI server or a network failure, R2 ages all ROA information advertised by the RPKI server and initiates ROA information synchronization to the ROA proxy device R1. In addition, R2 runs a timer to poll whether the original RPKI server connection is back to normal; while it is not, R2 keeps its connection with R1. Once the connection to the RPKI server succeeds, R2 actively breaks the connection with R1, ages the ROA information issued by R1, and synchronizes the ROA information announced by the RPKI server. Scenario one covers the case where the RPKI server has failed or is unreachable from the ordinary BGP device R2, and R2 requests ROA information from the ROA proxy device R1.
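The ROA cache of an ordinary BGP device as it goes through scenario one, including the aging rule given earlier (ROA information from a lost source is marked aging, the aging state is cleared on reconnect within the aging time, and the entry is deleted when the 30 to 360 second aging time runs out), as an added example that is not the patent's or H3C's code. The class and method names are constructed, the clock is a plain number of seconds supplied by the caller, and the sample prefixes and AS numbers are constructed:

```python
# Added example (not the patent's or H3C's code): the ROA cache of an ordinary
# BGP device, showing the aging state from the "connection interrupted" rule
# (30-360 s aging time) and the failover to the ROA proxy device in scenario one.
# Times are plain seconds passed in by the caller; all sample ROAs are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Roa = Tuple[str, int, int]          # (prefix, max prefix length, origin AS)
AGING_RANGE = (30, 360)             # seconds, the range the page allows


@dataclass
class CacheEntry:
    roa: Roa
    source: str                           # "server" (RPKI server) or "proxy" (ROA proxy device)
    aging_since: Optional[float] = None   # None while the source connection is healthy


class BgpDevice:
    def __init__(self, aging_time: float = 60.0):
        if not AGING_RANGE[0] <= aging_time <= AGING_RANGE[1]:
            raise ValueError("aging time must be within 30..360 seconds")
        self.aging_time = aging_time
        self.cache: Dict[Roa, CacheEntry] = {}
        self.using_proxy = False

    def _load(self, roas: Iterable[Roa], source: str) -> None:
        # Fresh entries replace any aged copy of the same ROA from the other source.
        for roa in roas:
            self.cache[roa] = CacheEntry(roa, source)

    def _start_aging(self, source: str, now: float) -> None:
        for e in self.cache.values():
            if e.source == source and e.aging_since is None:
                e.aging_since = now

    def sync_from_server(self, roas: Iterable[Roa]) -> None:
        self._load(roas, "server")

    def on_server_disconnect(self, now: float, proxy_roas: Iterable[Roa]) -> None:
        """Scenario one: age everything learned from the server and sync from the proxy."""
        self._start_aging("server", now)
        self._load(proxy_roas, "proxy")
        self.using_proxy = True

    def on_server_reconnect(self, now: float, server_roas: Iterable[Roa]) -> None:
        """Reconnect succeeded: clear aging on server ROAs, drop the proxy and age its ROAs."""
        for e in self.cache.values():
            if e.source == "server":
                e.aging_since = None      # reconnected within aging time: aging state removed
        self._start_aging("proxy", now)
        self._load(server_roas, "server")
        self.using_proxy = False

    def tick(self, now: float) -> FrozenSet[Roa]:
        """Timer: delete entries whose aging time has run out; return what was deleted."""
        expired = frozenset(r for r, e in self.cache.items()
                            if e.aging_since is not None and now - e.aging_since >= self.aging_time)
        for r in expired:
            del self.cache[r]
        return expired

    def valid_roas(self) -> FrozenSet[Roa]:
        return frozenset(self.cache)


def run_scenario_one() -> Dict[str, FrozenSet[Roa]]:
    """R2 loses the server at t=100, fails over to R1, reconnects to the server at t=200."""
    roa_a: Roa = ("192.0.2.0", 24, 64500)        # constructed sample ROAs
    roa_b: Roa = ("198.51.100.0", 24, 64501)
    r2 = BgpDevice(aging_time=60)
    r2.sync_from_server([roa_a, roa_b])
    out: Dict[str, FrozenSet[Roa]] = {}
    r2.on_server_disconnect(now=100, proxy_roas=[roa_a])   # proxy R1 only knows roa_a
    out["after_failover"] = r2.valid_roas()                 # both still usable while aging
    out["expired_at_130"] = r2.tick(130)                    # roa_b aged 30 s of 60: kept
    out["expired_at_160"] = r2.tick(160)                    # 60 s reached: roa_b deleted
    out["after_expiry"] = r2.valid_roas()
    r2.on_server_reconnect(now=200, server_roas=[roa_a, roa_b])
    out["after_reconnect"] = r2.valid_roas()
    out["expired_after_reconnect"] = r2.tick(400)           # server copies replaced proxy copies
    return out


def run_reconnect_within_aging() -> FrozenSet[Roa]:
    """Reconnect inside the aging window clears the aging state, so nothing is deleted."""
    roa_a: Roa = ("192.0.2.0", 24, 64500)
    r = BgpDevice(aging_time=60)
    r.sync_from_server([roa_a])
    r.on_server_disconnect(now=100, proxy_roas=[])
    r.on_server_reconnect(now=130, server_roas=[])          # server sync not yet received
    r.tick(500)
    return r.valid_roas()
```

The cache is keyed by the ROA value rather than by source so that a ROA re-learned from the proxy replaces the aging copy from the server (and vice versa on reconnect); only entries that no live source confirms are left to age out.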
Scenario two:
As shown in fig. 4, when an abnormality of the RPKI server or a network failure interrupts the TCP connection between the ROA self-generating device R4 and the RPKI server, R4 ages all ROA information advertised by the RPKI server, including the ROA information it previously advertised to the RPKI server itself, and initiates ROA information synchronization to the ROA proxy device R1. In addition, R4 runs a timer to poll whether the original RPKI server connection is back to normal; while it is not, R4 keeps its connection with R1 and exchanges ROA information with it, both obtaining the ROA information on R1 and advertising its own generated ROA information to R1. Once the connection to the RPKI server succeeds, R4 actively breaks the connection with R1, ages the ROA information issued by R1, and synchronizes the ROA information announced by the RPKI server. When R4 advertises its self-generated ROA information to R1, both sides must encrypt and sign the ROA information with their digital certificates, so that the correctness and integrity of the ROA information are guaranteed. Scenario two covers the case where the RPKI server has failed or is unreachable from the ROA self-generating device R4, and R4 requests ROA information from the ROA proxy device R1.
Scenario three:
As shown in fig. 4, when an abnormality of the RPKI server or a network failure interrupts the TCP connection between the ROA proxy device R1 and the RPKI server, R1 ages all ROA information advertised by the RPKI server, retaining only its locally self-generated ROA information and the ROA information actively advertised to it by other ROA self-generating devices. Thereafter R1 waits for other BGP devices to poll it, and runs a timer to poll whether the original RPKI server connection is back to normal: when other BGP devices poll R1, it synchronizes all locally valid ROA information to them. If other ROA self-generating devices upload ROA information to R1, the digital certificates of both sides are used for encryption and signature so that R1 can verify the ROA information self-generated by those devices and update its local ROA database. If R1's own locally generated ROA information changes while the RPKI server is unreachable, the local ROA database is likewise updated. When R1 and the RPKI server reconnect, the two sides mutually announce the ROA information they hold, carrying the source information and sequence number of the ROA information, so as to ensure that the ROA information is updated correctly. For example, if the self-generated ROA information on R4 changes while the connection is down, the change is not notified to the RPKI server but to R1; when R1 notifies the RPKI server, the sequence number corresponding to R4's self-generated ROA information is necessarily newer than the sequence number of R4's self-generated ROA information held locally by the RPKI server, and the RPKI server therefore performs ROA information refresh processing.
If the connection between R4 and the RPKI server is restored, the ROA information updated and generated by R4 is not sent to R1; when R1 then interacts with the RPKI server, it can obtain the sequence number of the ROA information generated by R4 to judge whether update processing is needed. In summary, when the RPKI server and the ROA proxy device are reachable, the ROA information on the RPKI server and the ROA information on the ROA proxy device must be kept consistent. Scenario three covers the case where the RPKI server has failed or is unreachable from the ROA proxy device R1.
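The dynamic ROA database shared by the RPKI server and the ROA proxy device, as described in steps 3 and 4 and exercised in scenario three (records keyed by source device, refreshed only when the incoming sequence number is newer, static ROA dropped by the proxy while the server is unreachable, and the mutual refresh on reconnect), as an added example that is not the patent's or H3C's code. The certificate-based encryption and signature the page calls for is replaced here by an HMAC over the record with a per-device key, which is a stand-in and an assumption; the class and function names, keys, prefixes and AS numbers are constructed:

```python
# Added example (not the patent's or H3C's code): the dynamic ROA database kept
# by the RPKI server and the ROA proxy device R1, refreshed by per-source sequence
# numbers (steps 3-4 and scenario three). Certificate-based encryption/signing is
# replaced here by an HMAC over the record with a per-device key, which is a
# stand-in and an assumption; prefixes, AS numbers and keys are constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

Roa = Tuple[str, int, int]   # (prefix, max prefix length, origin AS)


def generate_roas(local_prefixes: Iterable[Tuple[str, int]], local_as: int) -> FrozenSet[Roa]:
    """Self-generation: bind each locally originated prefix to the local AS number."""
    return frozenset((prefix, maxlen, local_as) for prefix, maxlen in local_prefixes)


@dataclass(frozen=True)
class RoaRecord:
    source: str              # device that self-generated the ROAs, e.g. "R4"
    seq: int                 # sequence number; higher means newer
    roas: FrozenSet[Roa]
    sig: bytes

    def payload(self) -> bytes:
        # Deterministic encoding of (source, seq, roas) that the signature covers.
        return json.dumps([self.source, self.seq, sorted(self.roas)]).encode()


def sign_record(source: str, seq: int, roas: FrozenSet[Roa], key: bytes) -> RoaRecord:
    unsigned = RoaRecord(source, seq, roas, b"")
    return RoaRecord(source, seq, roas, hmac.new(key, unsigned.payload(), hashlib.sha256).digest())


class RoaDatabase:
    """One per RPKI server or ROA proxy device."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                                  # source -> verification key
        self.dynamic: Dict[str, RoaRecord] = {}           # source -> newest verified record
        self.static: FrozenSet[Roa] = frozenset()         # manually imported / learned from server

    def accept(self, rec: RoaRecord) -> str:
        key = self.keys.get(rec.source)
        if key is None:
            return "rejected: unknown source"
        expected = hmac.new(key, rec.payload(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.sig):
            return "rejected: bad signature"
        current = self.dynamic.get(rec.source)
        if current is not None and rec.seq <= current.seq:
            return "ignored: not newer"                   # stale or replayed record
        self.dynamic[rec.source] = rec
        return "refreshed"

    def sync_with(self, other: "RoaDatabase") -> int:
        """Mutual refresh on reconnect: each side offers its records, the newer sequence wins."""
        refreshed = 0
        for rec in list(self.dynamic.values()):
            refreshed += other.accept(rec) == "refreshed"
        for rec in list(other.dynamic.values()):
            refreshed += self.accept(rec) == "refreshed"
        return refreshed

    def drop_static(self) -> None:
        """Proxy behaviour when the server is unreachable: keep only the dynamic database."""
        self.static = frozenset()

    def valid_roas(self) -> FrozenSet[Roa]:
        roas = set(self.static)
        for rec in self.dynamic.values():
            roas |= rec.roas
        return frozenset(roas)


def run_scenario_three() -> Dict[str, object]:
    keys = {"R1": b"r1-key", "R4": b"r4-key"}             # constructed stand-in for certificates
    server, r1 = RoaDatabase(keys), RoaDatabase(keys)
    server.static = frozenset({("203.0.113.0", 24, 64496)})   # manually imported static ROA
    r1.static = server.static                                  # pushed to R1 while reachable
    out: Dict[str, object] = {}
    # Step 3: R4 self-generates and advertises to both the server and R1.
    v1 = sign_record("R4", 1, generate_roas([("192.0.2.0", 24)], 64500), keys["R4"])
    out["server_v1"], out["r1_v1"] = server.accept(v1), r1.accept(v1)
    # Server unreachable: R1 drops the static database; R4's update reaches only R1.
    r1.drop_static()
    v2 = sign_record("R4", 2, generate_roas([("192.0.2.0", 24), ("198.51.100.0", 24)], 64500), keys["R4"])
    out["r1_v2"] = r1.accept(v2)
    out["r1_offline"] = r1.valid_roas()
    # A tampered copy (different origin AS under the same signature) fails verification.
    forged = RoaRecord("R4", 3, frozenset({("192.0.2.0", 24, 64666)}), v2.sig)
    out["forged"] = r1.accept(forged)
    # Reconnect: R1 holds seq 2 for R4, the server holds seq 1, so the server refreshes.
    out["refreshed_on_reconnect"] = r1.sync_with(server)
    out["server_seq"] = server.dynamic["R4"].seq
    out["replay_v1"] = server.accept(v1)
    return out
```

Keeping the sequence number inside the signed payload is what makes the refresh rule safe: an older record cannot be replayed to roll a source back, and a record whose ROAs or sequence number were altered in transit fails verification before it is ever compared.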
Scenario four:
As shown in fig. 4, after the RPKI server is disconnected from an ROA self-generating device, the RPKI server runs a timer to age out and delete that device's ROA information, and actively notifies the corresponding BGP devices of the change in ROA information. Scenario four covers the maintenance and processing of ROA information on the RPKI server after the RPKI server is disconnected from an ROA self-generating device.
FIG. 5 shows a block diagram of an information maintenance device according to an embodiment of the present disclosure. The apparatus may be used in an RPKI server. As shown in fig. 5, the apparatus includes:
a request receiving module 51, configured to receive an ROA information maintenance request from a BGP device, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device; the authorization judging module 52 is configured to judge, according to the identity authentication information corresponding to the BGP device, whether the BGP device is authorized to have an ROA information maintenance function, where the ROA information maintenance function includes an ROA information generation function and/or an agent publishing ROA information function; an authorization information sending module 53, configured to send, to the BGP device, authorization information for allowing the BGP device to have the ROA information maintenance function, when it is determined that the BGP device is authorized to have the ROA information maintenance function.
In one implementation, if it is determined from the maintenance request that the BGP device requests the function of generating ROA information, the apparatus further includes: an ROA information receiving module 54, configured to receive and store ROA information from the BGP device, where the ROA information is generated by the BGP device according to its local network prefix and local AS information.
In one implementation, if it is determined from the maintenance request that the BGP device requests the function of issuing ROA information by proxy, the apparatus further includes: an ROA information sending module 55, configured to send ROA information to the BGP device, so that the BGP device issues the ROA information according to the received ROA information; and an agent device information sending module 56, configured to send agent device information to each BGP device corresponding to the RPKI server, where the agent device information includes information related to the BGP device.
According to the information maintenance device, the ROA information on the RPKI server can be manually imported, and can also be generated by BGP equipment according to the local network prefix and the local AS information, so that the complexity of ROA information maintenance in the RPKI server can be reduced, and the cost is reduced. In addition, ROA information in the RPKI server can be refreshed more rapidly and more timely, and is synchronized with each BGP device corresponding to the RPKI server, so that the efficiency is improved.
FIG. 6 shows a block diagram of an information maintenance device according to an embodiment of the present disclosure. The apparatus may be used in a BGP device. As shown in fig. 6, the apparatus includes:
a request sending module 61, configured to send an ROA information maintenance request to an RPKI server, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device; a function setting module 62, configured to enable the ROA information maintenance function when authorization information returned by the RPKI server according to the identity authentication information corresponding to the BGP device is received, where the ROA information maintenance function includes a function of generating ROA information and/or a function of issuing ROA information by an agent; and an information maintenance module 63, configured to perform ROA information maintenance according to the ROA information maintenance function.
In one implementation, if the function of generating ROA information is provided according to the authorization information, the information maintenance module 63 is further configured to: generating ROA information according to the local network prefix and the local AS information of the BGP equipment; and sending the generated ROA information to the RPKI server and/or the BGP equipment with the function of releasing the ROA information by the agency, so that the RPKI server and/or the BGP equipment with the function of releasing the ROA information by the agency can release the ROA information according to the received ROA information.
In one implementation, if the function of issuing ROA information by proxy is provided according to the authorization information, the information maintenance module 63 is further configured to: receiving and storing ROA information from the RPKI server and/or BGP equipment with a function of generating ROA information; under the condition of receiving ROA information acquisition requests from other BGP equipment, sending the stored ROA information to the other BGP equipment; wherein the other BGP devices are disconnected from the RPKI server.
According to the information maintenance device, both the RPKI server and every registered ROA proxy device can issue ROA information, so that when the connection between other BGP devices and the RPKI server is interrupted, those BGP devices can initiate queries and synchronization to the ROA proxy devices, ensuring that origin AS validation keeps running even while the RPKI server is offline.
Fig. 7 is a block diagram illustrating an apparatus 900 for information maintenance according to an example embodiment. Referring to fig. 7, the apparatus 900 may include a processor 901, a machine-readable storage medium 902 having stored thereon machine-executable instructions. The processor 901 and the machine-readable storage medium 902 may communicate via a system bus 903. Also, the processor 901 performs the information maintenance method described above by reading machine-executable instructions in the machine-readable storage medium 902 corresponding to the information maintenance logic. For a specific maintenance method, reference may be made to the methods shown in fig. 2 and fig. 3 and the above specific embodiments, which are not described again in this embodiment.
The machine-readable storage medium 902 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (12)

1. An information maintenance method for an RPKI server, comprising:
receiving a ROA information maintenance request from BGP equipment, wherein the ROA information maintenance request comprises identity authentication information corresponding to the BGP equipment;
judging whether the BGP equipment is authorized to have an ROA information maintenance function according to the identity authentication information corresponding to the BGP equipment, wherein the ROA information maintenance function comprises an ROA information generation function and/or an ROA information agent issuing function;
and under the condition that the BGP equipment is authorized to have the ROA information maintenance function, transmitting authorization information for allowing the BGP equipment to have the ROA information maintenance function to the BGP equipment.
2. The method according to claim 1, wherein if it is determined from the maintenance request that the BGP device has a function of generating ROA information, the method further comprises:
and receiving and storing ROA information from the BGP equipment, wherein the ROA information is generated by the BGP equipment according to the local network prefix and the local AS information.
3. The method of claim 1, wherein if it is determined from the maintenance request that the BGP device has a proxy-publishing ROA information function, the method further comprises:
transmitting ROA information to the BGP equipment so that the BGP equipment can issue the ROA information according to the received ROA information;
and respectively sending agent equipment information to each BGP equipment corresponding to the RPKI server, wherein the agent equipment information comprises the related information of the BGP equipment.
4. An information maintenance method, used for a BGP device, comprising:
sending an ROA information maintenance request to an RPKI server, wherein the ROA information maintenance request comprises identity authentication information corresponding to the BGP equipment;
under the condition of receiving authorization information returned by the RPKI server according to the identity authentication information corresponding to the BGP equipment, having an ROA information maintenance function, wherein the ROA information maintenance function comprises an ROA information generation function and/or an agent releasing ROA information function;
and maintaining the ROA information according to the ROA information maintenance function.
5. The method according to claim 4, wherein if the function of generating ROA information is provided according to the authorization information, performing ROA information maintenance according to the provided ROA information maintenance function includes:
generating ROA information according to the local network prefix and the local AS information of the BGP equipment;
and sending the generated ROA information to the RPKI server and/or the BGP equipment with the function of releasing the ROA information by the agency, so that the RPKI server and/or the BGP equipment with the function of releasing the ROA information by the agency can release the ROA information according to the received ROA information.
6. The method of claim 4, wherein if the function of issuing ROA information by proxy is available according to the authorization information, performing ROA information maintenance according to the available ROA information maintenance function includes:
receiving and storing ROA information from the RPKI server and/or BGP equipment with a function of generating ROA information;
under the condition of receiving ROA information acquisition requests from other BGP equipment, sending the stored ROA information to the other BGP equipment; wherein the other BGP devices are disconnected from the RPKI server.
7. An information maintenance apparatus for an RPKI server, comprising:
a request receiving module, configured to receive an ROA information maintenance request from a BGP device, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device;
the authorization judging module is used for judging whether the BGP equipment is authorized to have an ROA information maintenance function according to the identity authentication information corresponding to the BGP equipment, wherein the ROA information maintenance function comprises an ROA information generating function and/or an agent releasing ROA information function;
and the authorization information sending module is used for sending authorization information for allowing the BGP equipment to have the ROA information maintenance function to the BGP equipment under the condition that the BGP equipment is authorized to have the ROA information maintenance function.
8. The apparatus of claim 7, wherein if it is determined from the maintenance request that the BGP device has a function of generating ROA information, the apparatus further comprises:
and the ROA information receiving module is used for receiving and storing ROA information from the BGP equipment, and the ROA information is generated by the BGP equipment according to the local network prefix and the local AS information.
9. The apparatus of claim 7, wherein if it is determined from the maintenance request that the BGP device has a proxy-publishing ROA information function, the apparatus further comprises:
the ROA information sending module is used for sending ROA information to the BGP equipment so that the BGP equipment can issue the ROA information according to the received ROA information;
and the agent equipment information sending module is used for respectively sending agent equipment information to each BGP equipment corresponding to the RPKI server, wherein the agent equipment information comprises the related information of the BGP equipment.
10. An information maintenance apparatus, for a BGP device, comprising:
a request sending module, configured to send an ROA information maintenance request to an RPKI server, where the ROA information maintenance request includes identity authentication information corresponding to the BGP device;
the function setting module is used for having an ROA information maintenance function under the condition of receiving authorization information returned by the RPKI server according to the identity authentication information corresponding to the BGP equipment, wherein the ROA information maintenance function comprises an ROA information generation function and/or an agent releasing ROA information function;
and the information maintenance module is used for maintaining the ROA information according to the ROA information maintenance function.
11. The apparatus of claim 10, wherein if the function of generating ROA information is available according to the authorization information, the information maintenance module is further configured to:
generating ROA information according to the local network prefix and the local AS information of the BGP equipment;
and sending the generated ROA information to the RPKI server and/or the BGP equipment with the function of releasing the ROA information by the agency, so that the RPKI server and/or the BGP equipment with the function of releasing the ROA information by the agency can release the ROA information according to the received ROA information.
12. The apparatus of claim 10, wherein if the function of issuing ROA information by proxy is available according to the authorization information, the information maintenance module is further configured to:
receiving and storing ROA information from the RPKI server and/or BGP equipment with a function of generating ROA information;
under the condition of receiving ROA information acquisition requests from other BGP equipment, sending the stored ROA information to the other BGP equipment; wherein the other BGP devices are disconnected from the RPKI server.
Application CN201710984944.0A, priority date 2017-10-20, filing date 2017-10-20: Information maintenance method and device (Active), CN107911339B (en)


Publications (2)

Publication Number Publication Date
CN107911339A CN107911339A (en) 2018-04-13
CN107911339B true CN107911339B (en) 2020-08-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant