CN113726665B - Updating method of border gateway route based on block chain - Google Patents

Info

Publication number: CN113726665B
Authority: CN (China)
Prior art keywords: nodes, node, channel, routing, vpeer
Legal status: Active
Application number: CN202110995814.3A
Other languages: Chinese (zh)
Other versions: CN113726665A (en)
Inventors: 毕可骏, 李强
Current assignee: Sichuan Qiruike Technology Co Ltd
Original assignee: Sichuan Qiruike Technology Co Ltd

Events:
    • Application filed by Sichuan Qiruike Technology Co Ltd
    • Priority to CN202110995814.3A
    • Publication of CN113726665A
    • Application granted
    • Publication of CN113726665B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
        • H04L45/02 Topology update or discovery
            • H04L45/04 Interdomain routing, e.g. hierarchical routing
        • H04L45/28 Routing or path finding using route fault recovery
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Detecting or protecting against malicious traffic
            • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
                • H04L67/1097 Distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3247 Involving digital signatures
                • H04L9/3255 Using group based signatures, e.g. ring or threshold signatures
            • H04L9/3263 Involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L9/3268 Using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
        • H04L9/50 Using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses a blockchain-based border gateway routing updating method, which comprises the steps of: constructing a blockchain network infrastructure comprising IR nodes, ABR nodes, ER nodes, ASBR nodes, RIR nodes and CA nodes; implementing the basic components on the blockchain network infrastructure, and constructing and deploying a decentralized consortium chain platform; establishing channels among a plurality of virtual peer nodes on the consortium chain platform according to a routing rule, and establishing a private chain platform; each virtual peer node joining a channel and deploying a chain code in the channel; initializing a channel, and each node in the channel receiving routing requests and performing routing verification; and forwarding the new routing information that passes route verification and submitting the transaction to the channel. A decentralized immutable database based on the consensus of the participating autonomous systems (AS) is established to construct a blockchain; each border gateway route update received is verified against the content of the blockchain's distributed database, and the security risk is reduced.

Description

Updating method of border gateway route based on block chain
Technical Field
The invention relates to the technical field of blockchains, in particular to a blockchain-based border gateway routing updating method.
Background
A blockchain is a decentralized shared database; the data or information stored in it is unforgeable, traceable end to end, publicly transparent and collectively maintained. These properties give blockchain technology a solid trust foundation and a reliable cooperation mechanism, so it is generally used to solve the trust problems caused by centralization. By degree of decentralization, blockchains fall into three types: public chains, consortium chains and private chains. A chain in which only authorized nodes may join the network and view information under permission, commonly used within or across an industry, is called a consortium (or industry) chain. A chain in which all nodes belong to one organization is called a private chain. Consortium and private chains are together called permissioned chains, and a public chain is called a permissionless chain.
The Border Gateway Protocol (BGP) is the routing protocol between autonomous systems; it runs over TCP, is the only network protocol that operates at Internet scale, and is the only protocol capable of properly handling multiple connections between unrelated routing domains. BGP builds on the experience of the Exterior Gateway Protocol (EGP). The primary function of a BGP system is to exchange network reachability information with other BGP systems. This reachability information includes the list of Autonomous Systems (AS) traversed, which effectively constructs a topology map of AS interconnections, eliminates routing loops, and allows policy decisions to be enforced at the AS level. The Internet consists of many AS nodes that are independently operated and maintained. BGP is in effect the controller of the packet forwarding paths between these AS nodes, so its security and reliability have a decisive impact on whether the entire Internet operates reliably.
Existing solutions for storing and updating border gateway routing data all rely on a centralized database, with a centralized Public Key Infrastructure (PKI) and some conventional PGP (Pretty Good Privacy) encryption variants as security mechanisms. All of these solutions are liable to be compromised by existing attack techniques. Moreover, when border gateway routing data is updated they typically use an established database to verify the update, without any appropriate method to verify the data stored in that database itself. This database-based authentication mechanism for border gateway routers therefore carries definite risk points.
The prior art does not use blockchain technology to solve the problem of storing and updating border gateway routing data.
Disclosure of Invention
The invention aims to provide a blockchain-based border gateway routing updating method, to solve the problem that existing border gateway routing data updates in the prior art usually use an established database to verify the update of routing data but do not verify the data stored in the database, so that a security risk exists.
The invention solves the problem through the following technical scheme:
A method for updating border gateway routing based on blockchains comprises the following steps:
step S100, constructing a blockchain network infrastructure, wherein the blockchain network infrastructure comprises routing nodes, a Regional Internet Registry (RIR) node and a Certificate Authority (CA) node; the routing nodes comprise an Internal Router (IR) node, an Area Border Router (ABR) node, an Edge Router (ER) node, an Autonomous System Border Router (ASBR) node and a Backbone Router (BR) node;
step S200, implementing all necessary basic components on the blockchain network infrastructure, and constructing and deploying a decentralized consortium chain platform;
step S300, constructing channels vChannel among a plurality of virtual peer nodes vPeer on the consortium chain platform according to a routing rule, and constructing a private chain platform;
step S400, adding each virtual peer node vPeer into a channel vChannel, and deploying a chain code in the channel vChannel;
step S500, initializing the channel vChannel, and each node in the channel vChannel receiving routing requests and performing routing verification;
step S600, forwarding the new routing information that passes routing verification and submitting the transaction to the channel.
A decentralized immutable database based on the consensus of the participating autonomous systems (AS) is created to build this blockchain. On receiving each border gateway route update, the AS peer verifies it against the content of the blockchain's distributed database, so as to detect updates with forged path and source information and reduce the security risk.
In step S100, all interfaces of an internal router node are in the same area, belong to the same virtual peer node vPeer and hold the same ledger copy of the link information; an area border router node is located in one or more OSPF areas, connects those OSPF areas to the backbone network, and holds both a backbone network topology routing table and an OSPF area topology routing table; area border router nodes belonging to the same channel vChannel hold the same ledger copy; an edge router (ER) node connects a local area network to the wide area network and forwards IP packets between them, and edge router nodes belonging to the same channel vChannel hold the same ledger copy; an autonomous system border router node is located between an OSPF autonomous system and a non-OSPF network, runs the RIP or OSPF protocol, exchanges routing information with routers running other protocols, and holds the same ledger copy as the other autonomous system border router nodes belonging to the same channel vChannel; a backbone router node has at least one interface connected to the backbone area; the Regional Internet Registry node provides IP address and AS number allocation for each node; the CA node is a self-built node in the blockchain network and issues and manages digital certificates for each node; every node other than the Regional Internet Registry node must verify its identity through the CA node to obtain its own CA certificate; consortium chain daemon software is installed on the internal router nodes, area border router nodes, autonomous system border router nodes, Regional Internet Registry nodes and CA nodes to realize the blockchain network infrastructure; the consortium chain daemon software is a communication application with real-time messaging that runs on the node's operating system as a background service.
Step S200 specifically includes:
constructing the virtual peer nodes vPeer required by the consortium chain platform, and dividing the internal router nodes, area border router nodes, edge router nodes and autonomous system border router nodes into different virtual peer nodes vPeer according to the area attribute and attribution attribute of each node; a virtual peer node vPeer manages the operation of the nodes inside it;
each virtual peer node vPeer comprises a multi-signature key wallet component vWallet, which provides access to the consortium chain platform, manages private keys and addresses, tracks the account information of the vPeer node, and creates and signs transactions;
each virtual peer node vPeer has a ledger synchronization service and a ledger copy; the ledger copy uses the ledger synchronization service to synchronize the ledger data within the channel vChannel.
In step S300, one or more area border router nodes or autonomous system border router nodes designated by the first virtual peer node vPeer in each channel serve as the channel's CA service component; a ledger component is constructed in each channel, consisting of a blockchain and a state database; an ordering service is constructed in each channel, provided by one or more area border router nodes or autonomous system border router nodes designated by the first vPeer node in the channel; and a member service is constructed in each channel, provided by one or more area border router nodes or autonomous system border router nodes designated by the first virtual peer node vPeer in the channel, which implements adding, deleting, modifying and querying the virtual peer nodes vPeer in the channel.
The chain code is a smart contract program deployed on the routing nodes in a channel that specifies the methods for accessing and modifying transactions.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) The invention creates a decentralized immutable database based on the consensus of Autonomous Systems (AS) to construct a blockchain. On receiving each border gateway route update, the AS peer verifies it against the contents of the blockchain's distributed database to detect updates with forged path and source information. This solves the prior-art problem that the data stored in the database is never verified, and reduces the security risk.
(2) Since the frequency or rate of change of the data stored in the distributed ledger is much lower than the blockchain transaction rate, the invention is not limited by the throughput and scalability constraints associated with blockchains, and does not affect the performance of the blockchain network or of the Internet.
(3) Compared with existing border gateway routing update methods, the method is safer and more reliable, has no degradation or loss in performance, and costs almost the same as the traditional solution.
(4) The invention eliminates the centralized PKI root trust node, and an autonomous system AS can detect and mitigate IP prefix hijacking attacks in real time without outsourcing the service to a third party.
(5) When a regional network fails there is no large-scale route recalculation; the invention manages and organizes each router node in an orderly way and is also suited to larger network scales; and there is no trouble with routing loop prevention.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of the networking of the router nodes in the present invention;
FIG. 3 is a schematic diagram of the composition of the channel private chain according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
The embodiment is as follows:
Referring to FIG. 1, FIG. 2 and FIG. 3, a method for updating a border gateway route based on a blockchain includes the following steps:
Step 101: a blockchain network infrastructure is constructed comprising IR nodes (internal router nodes), ABR nodes (area border router nodes), ER nodes (edge router nodes), ASBR nodes (autonomous system border router nodes), BR nodes (backbone router nodes), RIR nodes (Regional Internet Registry nodes) and CA nodes (certificate authority nodes).
All interfaces of an IR node are in the same area; all IR nodes in the same area belong to the same virtual peer node (denoted vPeer) and hold the same ledger copy of the link information.
The ABR nodes are located in one or more OSPF areas and connect those areas to the backbone network; an ABR node holds topology routing tables for the backbone and for the other areas, and ABR nodes belonging to the same channel (denoted vChannel) hold the same ledger copy.
The ER node connects the local area networks of enterprises, schools and homes to the wide area network and forwards IP packets between them. An ER node usually runs the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF). RIP is a gateway protocol based on shortest distance (hop count), while OSPF is a routing protocol based on shortest path first. The ER router builds a routing table according to its routing protocol and maintains routes to other networks, and ER routers belonging to the same vChannel hold the same ledger copy.
The ASBR node is located between the OSPF autonomous system and a non-OSPF network and exchanges routing information with routers running other protocols. An ASBR router may also run the RIP or OSPF protocol, and ASBR routers belonging to the same vChannel hold the same ledger copy.
A BR node is a router with at least one interface connected to the backbone area. In some scenarios an ABR router may also take on the function of a BR router and is then regarded as a BR router.
The RIR node provides IP (IPv4 and IPv6) address and AS (autonomous system) number allocation for each routing node; a national registry, namely the China Internet Network Information Center (CNNIC), can be used directly.
The CA node is a self-built node in the blockchain network and issues and manages digital certificates for each routing node. Preferably, the CA node may be replaced by a routing node that has CA functionality. In particular embodiments, a CA service may comprise one or more CA nodes; if there are several, they form a cluster with a common access entry point. One CA service is typically located in one vChannel.
All nodes except the RIR node must verify their identity through the CA node to obtain their own CA certificate.
The IR, ABR, ER, ASBR, RIR and CA nodes all run consortium chain daemon software, which together realizes the blockchain network infrastructure. The consortium chain daemon software is a communication application with real-time messaging that runs on the node's operating system as a background service.
Step 102: all necessary basic components are implemented in the blockchain network, and a decentralized consortium chain platform is constructed and deployed. Building and deploying the consortium chain smart contract platform requires the following:
Constructing the vPeer nodes required by the consortium chain smart contract platform: according to the area attribute and attribution attribute of each router, the IR, ABR, ER and ASBR nodes are divided into different vPeer nodes. Depending on the complexity of the actual networking scenario, a vPeer node may contain one or more IR nodes and zero or more ABR nodes, ER nodes, ASBR nodes and BR nodes.
The vPeer node manages the IR, ABR, ER and ASBR nodes inside it and can perform operations such as adding and deleting nodes.
Each vPeer node must have a wallet component holding multiple signing keys. This multi-signature wallet component (denoted vWallet) is a software service provided by one or more designated ABR, ER or ASBR nodes within the vPeer node; if there are several, they form a cluster and expose a single entry point for the wallet service. The vWallet component provides access to the consortium chain network, manages private keys and addresses, tracks the account information of the vPeer node, and creates and signs transactions. Multi-signature keys mean that every vPeer node participating in the blockchain handling of a transaction proposal stores its keys in a more secure Multisig wallet. All vPeer nodes must be configured with a vWallet component to take part in transaction processing within the vChannel.
Each vPeer node must have a ledger synchronization service, provided by one or more designated ABR, ER or ASBR nodes within the vPeer node; if there are several, they form a cluster and expose a single entry point for the ledger synchronization service. Each vPeer node holds a copy of the ledger and uses the ledger synchronization service to synchronize ledger data within the vChannel.
Step 103: channels are constructed among the virtual peer nodes on the consortium chain platform according to the routing rule, and a private chain platform is constructed. Here:
The routing rule determines whether vPeer nodes belong to the same channel according to the routing protocol in use (for example RIP or OSPF) and according to whether routes are distributed inter-domain or intra-domain.
A vChannel is a logical concept: a communication network made up of several vPeer nodes that implements the private chain function, with data isolation and confidentiality between vChannels. One vChannel is one private blockchain. A vChannel contains several vPeer nodes, and the same vPeer node may belong to several vChannels, that is, the same vPeer node may take part in transaction processing on several private blockchains. A vChannel needs to implement the following component modules:
The CA service component required to construct the channel: the CA service component in a vChannel is provided by one or more ABR, ER or ASBR nodes designated by the first vPeer node in the channel.
The ledger component required to construct the channel (denoted vLedger) consists of two parts: a blockchain and a state database. The blockchain stores the history log of routing information; its records are immutable and can only be appended, so a block, once added to the chain, can no longer be changed. The state database, in contrast, stores the latest routing information as key-value pairs holding the current values, which can be added, modified or deleted by the transaction sets in the blockchain; all such changes must be authenticated, confirmed and endorsed.
The ordering service required to construct the channel: the ordering service in a vChannel (denoted vOrder) is provided by one or more ABR, ER or ASBR nodes designated by the first vPeer node in the channel. If there are several nodes, they form a cluster with a common vOrder service access entry point. The vOrder service orders the transactions received within one period into a block and then distributes the block to all vPeer nodes in the vChannel for verification and confirmation. To determine the order of transactions, embodiments typically use a First Come First Served (FCFS) algorithm or a Deterministic Consensus Algorithm (DCA). The period may be a fixed time interval or a fixed data size. A vPeer node receives the block, verifies and confirms it, and returns a confirmation once confirmed. One channel is managed by one vOrder service.
The member service required to construct the channel: the member service in a vChannel is typically provided by one or more ABR, ER or ASBR nodes designated by the first vPeer node in the channel; if there are several nodes, they form a cluster with a common service access entry point. The member service in a vChannel implements adding, deleting, modifying and querying the vPeer nodes in the channel.
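The vLedger (append-only blockchain plus state database) and the FCFS variant of the vOrder service described above can be modelled in a few dozen lines of Python. The following is an added example, not code from the patent or its assignee: the transaction layout ({"op", "prefix", "value"}), the class names, the size and interval thresholds and the injectable clock are assumptions for illustration, and the prefixes and AS numbers are constructed from the documentation ranges.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed transaction layout (not the patent's schema):
#   {"op": "add" | "modify" | "delete", "prefix": "<ip prefix>", "value": {...}}


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object (sorted keys => stable hash)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    txs: List[dict]
    hash: str = ""

    def compute_hash(self) -> str:
        return _digest({"index": self.index, "prev_hash": self.prev_hash, "txs": self.txs})


class VLedger:
    """History (hash-chained blocks, append-only) plus state DB (latest value per prefix)."""

    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, [])
        genesis.hash = genesis.compute_hash()
        self.chain: List[Block] = [genesis]
        self.state: Dict[str, dict] = {}

    def append_block(self, txs: List[dict]) -> Block:
        prev = self.chain[-1]
        block = Block(prev.index + 1, prev.hash, list(txs))
        block.hash = block.compute_hash()
        self.chain.append(block)
        for tx in block.txs:          # the transaction set updates the state DB
            self._apply(tx)
        return block

    def _apply(self, tx: dict) -> None:
        op, prefix = tx["op"], tx["prefix"]
        if op in ("add", "modify"):
            self.state[prefix] = tx["value"]
        elif op == "delete":
            self.state.pop(prefix, None)
        else:
            raise ValueError(f"unknown op {op!r}")

    def verify_chain(self) -> bool:
        """Recompute every block hash and check every prev_hash link; any edit to history breaks it."""
        for i, block in enumerate(self.chain):
            if block.hash != block.compute_hash():
                return False
            if i and block.prev_hash != self.chain[i - 1].hash:
                return False
        return True


class VOrder:
    """FCFS ordering: pending proposals are cut into one block when the batch reaches
    max_txs transactions (fixed data size) or max_interval seconds (fixed time interval)."""

    def __init__(self, ledger: VLedger, max_txs: int = 3, max_interval: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ledger, self.max_txs, self.max_interval, self.clock = ledger, max_txs, max_interval, clock
        self.pending: List[dict] = []
        self.batch_start: Optional[float] = None

    def submit(self, tx: dict) -> Optional[Block]:
        """Accept a proposal in arrival order; returns the block if this submission cut one."""
        if not self.pending:
            self.batch_start = self.clock()
        self.pending.append(tx)
        return self.tick()

    def tick(self) -> Optional[Block]:
        """Called periodically; cuts a block when a size or interval threshold is reached."""
        if not self.pending:
            return None
        due = len(self.pending) >= self.max_txs or (self.clock() - self.batch_start) >= self.max_interval
        if not due:
            return None
        block = self.ledger.append_block(self.pending)
        self.pending = []
        return block


if __name__ == "__main__":
    ledger = VLedger()
    order = VOrder(ledger, max_txs=2)
    order.submit({"op": "add", "prefix": "192.0.2.0/24", "value": {"origin_as": 64496}})
    order.submit({"op": "add", "prefix": "198.51.100.0/24", "value": {"origin_as": 64497}})
    print(len(ledger.chain), ledger.state, ledger.verify_chain())
```

verify_chain is the check each vPeer node would run on a block it receives from vOrder before confirming it; the DCA alternative the text mentions and the vWallet signatures that a real block would carry are not modelled here.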
Step 104: each vPeer node joins a channel, and the chain code is deployed in the channel.
Because a vChannel contains the CA certificate service and every vPeer node that joins the channel carries a CA certificate issued by that service, once every vPeer node has been verified the whole vChannel forms a trusted private blockchain network. Chain code is the smart contract program deployed on every routing node within the channel; it specifies the methods for accessing and modifying transactions. For each routing node the existing routing information is fixed and rarely changes, and each item of routing information that needs updating is treated as a transaction and submitted to the virtual channel for processing. Every vPeer node in the channel shares the same vLedger, that is, each holds its own copy of the ledger, and the ledger data is kept complete by the nodes providing the ledger synchronization function.
Step 105, initializing the channel, and receiving, processing and verifying the routing request by each node in the channel.
After a virtual channel is initialized, the private blockchain network formed by the whole channel starts to work. When a vPeer node in the channel receives a routing request, it judges whether the request carries new routing information: if the routing information can be retrieved from the node's vLedger copy, the request is routed and forwarded directly; if it cannot be retrieved, it is treated as a piece of new routing information that must be verified, and the verification logically covers two pieces of information:
The first part of the information is the AS number together with the IP prefix information; the AS numbers and IP prefixes form a mapping table, in which the AS numbers are allocated by the regional Internet registry (RIR). The first part verifies that each border gateway router is genuinely entitled to advertise the IP prefix information it announces. The border gateway route advertisement is then passed to the second part for further verification.
The second part of the information is the AS number together with the AS numbers directly connected to it. Similarly, the AS numbers and their directly connected AS numbers form a mapping table, with a many-to-many relationship between them. The second part verifies the authenticity of the AS path information in the border gateway route advertisement.
If either part of the two-part verification is false (or both are false), the advertisement is regarded as a malicious IP prefix hijacking attempt, and the advertisement information is logged.
And step 106, completing the processing through the transaction by the verified new routing information.
After passing route verification, the new routing information is treated as a new transaction while the forwarding request is routed, and the transaction is submitted to the vChannel channel.
The vOrder ordering service manages the vChannel channel and distributes the transaction to all vPeer nodes in the channel for processing. Each vPeer node must confirm and endorse the transaction and return its confirmation and endorsement information to the vOrder ordering service. At the end of a period, the vOrder ordering service orders and packages all transactions confirmed and endorsed by the channel's vPeer nodes into a new block and stores the new block in the vLedger ledger. The ledger synchronization service of each vPeer node then synchronizes the data of the new block into its own ledger copy.
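The two-part verification of step 105 and the endorse-order-package flow of step 106, as an added Python model that is not the patent's own code. The AS-to-prefix table, the AS adjacency table, the AS numbers (private-use range) and the prefixes (documentation ranges) are all constructed; the `VPeer` and `VOrder` classes, the FCFS queue and the SHA-256 hash chaining of blocks are my assumptions about how an implementation would look, and letting an AS announce a more specific of its own allocated prefix is likewise an assumption the page does not state.

```python
import hashlib
import ipaddress
import json

# Constructed sample tables standing in for the vLedger copy (not from the patent).
# Part one: AS number -> IP prefixes the RIR has allocated to it.
ORIGIN_TABLE = {
    64500: {"203.0.113.0/24"},
    64501: {"198.51.100.0/24"},
    64502: {"192.0.2.0/24"},
}
# Part two: AS number -> AS numbers it is directly connected to (many-to-many).
ADJACENCY_TABLE = {
    64500: {64501},
    64501: {64500, 64502},
    64502: {64501},
}


def verify_origin(prefix, origin_as, origin_table=ORIGIN_TABLE):
    """Part one: is the originating AS entitled to the announced prefix?
    Assumption: a prefix covered by one of the AS's allocations is accepted."""
    announced = ipaddress.ip_network(prefix)
    for allocated in origin_table.get(origin_as, ()):
        block = ipaddress.ip_network(allocated)
        if block.version == announced.version and announced.subnet_of(block):
            return True
    return False


def verify_path(as_path, adjacency=ADJACENCY_TABLE):
    """Part two: every consecutive AS pair in the path must be a recorded link."""
    return all(b in adjacency.get(a, set()) for a, b in zip(as_path, as_path[1:]))


class VPeer:
    """One virtual peer node: a ledger copy of known routes plus a hijack log."""

    def __init__(self, name):
        self.name = name
        self.known_routes = set()   # (prefix, as_path) tuples already on the ledger
        self.hijack_log = []

    def handle_request(self, prefix, as_path, vorder):
        """Step 105: returns 'forwarded', 'submitted' or 'rejected'."""
        route = (prefix, tuple(as_path))
        if route in self.known_routes:          # retrievable from the ledger copy
            return "forwarded"
        origin_ok = verify_origin(prefix, as_path[-1])   # origin AS is last hop
        path_ok = verify_path(as_path)
        if not (origin_ok and path_ok):         # either part false -> hijack attempt
            self.hijack_log.append({"prefix": prefix, "as_path": list(as_path),
                                    "origin_ok": origin_ok, "path_ok": path_ok})
            return "rejected"
        vorder.submit({"prefix": prefix, "as_path": list(as_path)})
        return "submitted"

    def endorse(self, tx):
        """Step 106: each vPeer re-runs the two-part check before endorsing."""
        return verify_origin(tx["prefix"], tx["as_path"][-1]) and verify_path(tx["as_path"])

    def sync(self, block):
        """Ledger synchronisation service: absorb a new block into this copy."""
        for tx in block["txs"]:
            self.known_routes.add((tx["prefix"], tuple(tx["as_path"])))


class VOrder:
    """Ordering service: FCFS queue, endorsement by all vPeers, one block per period."""

    def __init__(self, peers):
        self.peers = peers
        self.queue = []     # transactions in arrival order (first come, first served)
        self.chain = []     # blocks, each chained to its predecessor by hash

    def submit(self, tx):
        self.queue.append(tx)

    def cut_block(self):
        """End of a period: package every fully endorsed transaction into a block."""
        endorsed = [tx for tx in self.queue if all(p.endorse(tx) for p in self.peers)]
        self.queue = []
        if not endorsed:
            return None
        prev_hash = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = {"height": len(self.chain), "prev_hash": prev_hash, "txs": endorsed}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        block = dict(body, hash=digest)
        self.chain.append(block)
        for p in self.peers:                    # every copy synchronises the new block
            p.sync(block)
        return block


def demo():
    """Walk three announcements through one vPeer, cut a block, then re-query."""
    peers = [VPeer("vPeer-A"), VPeer("vPeer-B")]
    vorder = VOrder(peers)
    a = peers[0]
    r1 = a.handle_request("203.0.113.0/24", [64502, 64501, 64500], vorder)  # genuine
    r2 = a.handle_request("203.0.113.0/24", [64502, 64501], vorder)         # wrong origin
    r3 = a.handle_request("192.0.2.0/24", [64500, 64502], vorder)           # forged link
    block = vorder.cut_block()
    r4 = peers[1].handle_request("203.0.113.0/24", [64502, 64501, 64500], vorder)
    return r1, r2, r3, r4, len(block["txs"]), len(a.hijack_log)


if __name__ == "__main__":
    print(demo())
```

The second request fails part one (AS 64501 holds no allocation covering 203.0.113.0/24) and the third fails part two (64500 and 64502 are not directly connected), so both are logged and never reach the vOrder queue; the genuine route is endorsed, packaged, and, after the block is synchronised, the other vPeer forwards it straight from its own ledger copy.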
Although the present invention has been described herein with reference to the illustrated embodiments thereof, which are intended to be preferred embodiments of the present invention, it is to be understood that the invention is not limited thereto, and that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure.

Claims (4)

1. A method for updating border gateway routing based on block chain is characterized by comprising the following steps:
step S100, building a blockchain network infrastructure, wherein the blockchain network infrastructure comprises routing nodes, regional Internet registration agency nodes and CA certificate authority nodes; the routing nodes comprise internal router nodes, area boundary router nodes, autonomous system boundary router nodes and backbone router nodes;
step S200, all necessary basic components are realized on the block chain network infrastructure, and a decentralized alliance chain platform is constructed and deployed;
step S300, constructing a channel vChannel among a plurality of virtual peer nodes vPeer on the alliance chain platform according to a routing rule, and constructing a private chain platform;
step S400, each virtual peer node vPeer is added into a channel vChannel, and a chain code is deployed in the channel vChannel;
step S500, initializing a channel vChannel, and receiving a routing request and performing routing verification by each node in the channel vChannel;
step S600, forwarding the new routing information passing the routing verification and submitting the transaction to a channel;
in the step S100, all interfaces of the internal router node are in the same area, belong to the same virtual peer node vPeer and have the same ledger copy of the link information; the area border router node is located in one or more OSPF areas and is used for connecting the OSPF area to a backbone network, and the area border router node is provided with a backbone network topology routing table and an OSPF area topology routing table; the area border router nodes belonging to the same channel vChannel have the same ledger copy; the border router node is used for connecting the local area network to the wide area network and forwarding IP packets between the local area network and the wide area network, and the border router nodes belonging to the same channel vChannel have the same ledger copy; the autonomous system border router node is located between an OSPF autonomous system and a non-OSPF network, runs the RIP protocol or the OSPF protocol, is used for exchanging routing information with routers of other protocols, and the autonomous system border router nodes belonging to the same channel vChannel have the same ledger copy; at least one interface of the backbone router node is connected to the backbone area; the regional Internet registry is used for providing IP address and AS number allocation to each node; the CA certificate authority node is a self-built node in the blockchain network and is used for issuing and managing digital certificates for each node; all nodes other than the regional Internet registry node need to verify their identity through the CA certificate authority node to obtain their own CA certificate; alliance chain daemon software is installed on the internal router nodes, the area border router nodes, the autonomous system border router nodes, the regional Internet registry nodes and the CA certificate authority nodes and is used for realizing the blockchain network infrastructure; the alliance chain daemon software is a communication application program including real-time message communication and runs on the operating system of a node as a background service.
2. The method for updating a border gateway route based on a block chain according to claim 1, wherein the step S200 specifically comprises:
constructing the virtual peer nodes vPeer required by an alliance chain platform, and dividing the internal router nodes, area border router nodes, border router nodes and autonomous system border router nodes into different virtual peer nodes vPeer according to the area attribute and the attribution attribute of each node; the virtual peer node vPeer is used for managing the operation of the nodes inside it;
each virtual peer node vPeer comprises a wallet component vWallet with multiple signing keys, and the wallet component vWallet is used for accessing the alliance chain platform, managing private keys and addresses, tracking the account information of the vPeer node, and creating and signing transactions;
each virtual peer node vPeer has a ledger synchronization service and a ledger copy; the ledger copy is used for realizing the synchronization of the ledger data in the channel vChannel by using the ledger synchronization service.
3. The method for updating a border gateway route based on a block chain according to claim 2, wherein in step S300 one or more area border router nodes or autonomous system border router nodes designated by the first virtual peer node vPeer in each channel serve as the CA service component of the channel; a ledger component is constructed in each channel, and the ledger component consists of a block chain and a state database; an ordering service is constructed in each channel, and the ordering service is served by one or more area border router nodes or autonomous system border router nodes designated by the first vPeer node in each channel; and a member service is constructed in each channel, the member service being served by one or more area border router nodes or autonomous system border router nodes designated by the first virtual peer node vPeer in each channel and used for adding, deleting, modifying and querying the virtual peer nodes vPeer in the channel.
4. The method for updating border gateway routing based on blockchain as claimed in claim 1, wherein the chain code refers to an intelligent contract program deployed on a routing node in a channel, and the intelligent contract program is used for specifying a method for accessing and modifying a transaction.
CN202110995814.3A 2021-08-27 2021-08-27 Updating method of border gateway route based on block chain Active CN113726665B (en)


Publications (2)

Publication Number Publication Date
CN113726665A CN113726665A (en) 2021-11-30
CN113726665B true CN113726665B (en) 2022-10-18

Family

ID=78678549


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114189028B (en) * 2021-12-07 2023-07-07 四川启睿克科技有限公司 Internet of things passive blockchain data acquisition device and data acquisition method
CN114422546B (en) * 2021-12-27 2023-07-07 四川启睿克科技有限公司 Remote intelligent detection and processing system based on industrial Internet platform
CN114745326B (en) * 2022-03-21 2023-07-25 南京邮电大学 End-to-end path calculation method based on block chain

Citations (3)

Publication number Priority date Publication date Assignee Title
EP1185041A2 (en) * 2000-08-29 2002-03-06 International Business Machines Corporation OSPF autonomous system with a backbone divided into two sub-areas
CN109858908A (en) * 2019-01-09 2019-06-07 暨南大学 Alliance's chain building method, method of commerce and distributed supply chain system
CN110855565A (en) * 2019-11-22 2020-02-28 广州大学 Verifiable inter-domain route verification method based on block chain

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US20170011460A1 (en) * 2015-07-09 2017-01-12 Ouisa, LLC Systems and methods for trading, clearing and settling securities transactions using blockchain technology
US20200186458A1 (en) * 2018-12-06 2020-06-11 T-Mobile Usa, Inc. Autonomous system route validation via blockchain
CN110213737B (en) * 2019-05-23 2022-02-15 广西大学 Method for establishing body area network information security mechanism based on alliance chain

Non-Patent Citations (1)

Title
Li Yuan et al.; Internet routing trusted verification and perception analysis technology; 《电子技术与软件工程》 (Electronic Technology & Software Engineering); 2020-03-15 (No. 06); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant