CN111211976B - BGP routing information verification method and device - Google Patents


Info

Publication number
CN111211976B
CN111211976B (application CN202010136548.4A)
Authority
CN
China
Prior art keywords
verification
routing information
information
autonomous domain
bgp routing
Prior art date
Legal status
Active
Application number
CN202010136548.4A
Other languages
Chinese (zh)
Other versions
CN111211976A
Inventor
包丛笑
李星
刘人杰
常得量
翁喆
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Priority date
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202010136548.4A
Publication of CN111211976A
Application granted
Publication of CN111211976B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/659 Internet protocol version 6 [IPv6] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a BGP routing information verification method and device. The method comprises the following steps: determining the BGP routing information of any autonomous domain other than the local autonomous domain; generating an IPv6 address to be verified based on that BGP routing information; accessing the IPv6 address to be verified to obtain the verification information provided by the trusted website corresponding to that address; and verifying the BGP routing information based on the verification information. In the method and device provided by the embodiment of the invention, the BGP routing information is verified by accessing the IPv6 address to be verified and checking it against the verification information provided by the trusted website at that address, making full use of the vast address space provided by the IPv6 protocol. This realizes double verification of the BGP routing information, ensures its authenticity, and avoids the danger and loss caused by BGP route hijacking.

Description

BGP routing information verification method and device
Technical Field
The invention relates to the technical field of internet, in particular to a BGP routing information verification method and a BGP routing information verification device.
Background
Border Gateway Protocol (BGP) is an important protocol used to exchange routes between autonomous domains. Through BGP, routing information is propagated between autonomous domains, so that autonomous domains around the world can reach each other and the Internet is globally accessible. BGP also allows an autonomous domain to optimize routes, avoid loops and propagate routes more efficiently.
However, the original BGP design assumed that participants in the global Internet were well-intentioned and did not take security into account. As a result, under the current BGP framework, routes to Internet addresses can be hijacked by parties that do not legitimately hold those addresses, whether maliciously or through misconfiguration.
How to verify the authenticity of BGP routing information and avoid the danger and loss caused by BGP route hijacking is a problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the invention provides a BGP routing information verification method and device to address the problem that BGP routes may be hijacked.
In a first aspect, an embodiment of the present invention provides a BGP routing information verification method, including:
determining BGP routing information of any autonomous domain other than the local autonomous domain;
generating an IPv6 address to be verified based on BGP routing information of any autonomous domain;
accessing the IPv6 address to be verified to obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified;
and verifying the BGP routing information based on the verification information.
Preferably, the BGP routing information includes a first routing prefix, a first legal autonomous domain number, and a first routing prefix length of the any autonomous domain;
the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively the routing prefix, the legal autonomous domain number and the routing prefix length extracted from the BGP routing information.
Preferably, the generating an IPv6 address to be verified based on the BGP routing information of any autonomous domain specifically includes:
taking the first routing prefix of any autonomous domain as the prefix of the IPv6 address to be verified;
generating a suffix of the IPv6 address to be verified based on the first legal autonomous domain number and the first routing prefix length of any autonomous domain;
and obtaining the IPv6 address to be verified based on the prefix and the suffix of the IPv6 address to be verified.
Preferably, the verification information includes a second routing prefix, a second legal autonomous domain number, and a second routing prefix length of that autonomous domain;
the second routing prefix, the second legal autonomous domain number and the second routing prefix length are respectively the routing prefix, the legal autonomous domain number and the routing prefix length extracted from the verification information.
Preferably, the verifying the BGP routing information based on the verification information specifically includes:
if the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively consistent with the second routing prefix, the second legal autonomous domain number and the second routing prefix length, determining that the BGP routing information passes verification;
otherwise, determining that the BGP routing information fails to verify.
Preferably, the method further comprises the following steps:
generating an IPv6 address of verification service based on BGP routing information of the autonomous domain;
and obtaining the certificate of the trusted website of the verification service corresponding to the IPv6 address of the verification service through a third party organization, and providing verification information corresponding to the BGP routing information of the autonomous domain based on the trusted website of the verification service.
Preferably, the generating an IPv6 address to be verified based on the BGP routing information of any autonomous domain further includes:
and if the IPv6 address to be verified fails to be accessed, determining that the BGP routing information verification fails.
In a second aspect, an embodiment of the present invention provides a BGP routing information verification apparatus, including:
a BGP route determining unit, configured to determine BGP routing information of any autonomous domain other than the local autonomous domain;
the to-be-verified address generating unit is used for generating an IPv6 address to be verified based on the BGP routing information of any autonomous domain;
the verification information acquisition unit is used for accessing the IPv6 address to be verified to obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified;
and the BGP verifying unit is used for verifying the BGP routing information based on the verification information.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor, a communication interface, a memory and a bus, where the processor, the communication interface and the memory communicate with one another through the bus, and the processor may call logic instructions in the memory to perform the steps of the method provided in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
The BGP routing information verification method and device provided by the embodiment of the invention generate the IPv6 address to be verified based on the BGP routing information of any autonomous domain, access that address, and verify the BGP routing information against the verification information provided by the trusted website at that address, making full use of the vast address space provided by the IPv6 protocol. This realizes double verification of the BGP routing information, ensures its authenticity, and avoids the danger and loss caused by BGP route hijacking.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a BGP routing information verification method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a BGP routing information verification apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The solution currently proposed for route hijacking is RPKI (Resource Public Key Infrastructure). RPKI verifies the allocation relationship between an autonomous domain and its IP address resources by signing resource certificates through a PKI system. However, because RPKI is a trust-anchor chain of certificates rooted in the five RIRs (Regional Internet Registries) worldwide, it is highly centralized and cannot perform even limited verification when part of the network is disrupted. In view of this, an embodiment of the present invention provides a BGP routing information verification method. Fig. 1 is a schematic flowchart of a BGP routing information verification method according to an embodiment of the present invention. As shown in Fig. 1, the entity executing the method may be a server in the local autonomous domain dedicated to verifying BGP routing information, or any border router or similar device in the local autonomous domain that needs to use BGP routing information to communicate with the outside. The method comprises the following steps:
Step 110: determine the BGP routing information of any autonomous domain other than the local autonomous domain.
Specifically, the BGP routing information of an autonomous domain other than the local one may be received and forwarded by a border router of the local autonomous domain; this routing information is at risk of having been hijacked and needs to be verified.
Step 120: generate an IPv6 address to be verified based on the BGP routing information of that autonomous domain.
Step 130: access the IPv6 address to be verified to obtain the verification information provided by the trusted website corresponding to that address.
Specifically, every autonomous domain applies a preset rule in advance: it generates, from the information contained in its own BGP routing information, an IPv6 address at which it provides a verification service to the other autonomous domains, and it publishes verification information on a trusted website at that IPv6 address, so that the other autonomous domains can retrieve the verification information and verify the BGP routing information. The rule for generating the IPv6 address is known in advance to every autonomous domain. In addition, the certificate of the trusted website is issued by a third-party trusted authority.
For BGP routing information that needs to be verified, the same rule is applied to generate the IPv6 address to be verified. If the BGP routing information to be verified is genuine and secure, the IPv6 address to be verified is identical to the verification-service IPv6 address generated by the originating autonomous domain; if the BGP routing information has been hijacked, the IPv6 address to be verified may or may not coincide with that verification-service address.
By accessing the IPv6 address to be verified, it can be determined whether it is in fact the verification-service IPv6 address generated by the originating autonomous domain for the other autonomous domains. When the IPv6 address to be verified is accessed successfully, the verification information provided by the trusted website at that address, that is, the verification information published on the trusted website providing the verification service in the originating autonomous domain, can be obtained.
And step 140, verifying the BGP routing information based on the verification information.
Specifically, after the verification information is obtained, the BGP routing information may be verified based on the verification information, so as to determine whether the BGP routing information is true and secure.
The method provided by the embodiment of the invention generates the IPv6 address to be verified based on the BGP routing information of any autonomous domain, accesses that address, and verifies the BGP routing information against the verification information provided by the trusted website at that address, making full use of the vast address space provided by the IPv6 protocol. This realizes double verification of the BGP routing information, ensures its authenticity, and avoids the danger and loss caused by BGP route hijacking.
Based on the above embodiment, the BGP routing information includes the first routing prefix, the first legal autonomous domain number, and the first routing prefix length of the autonomous domain.
Here, "first" is only used to indicate that the routing prefix, the legal autonomous domain number, and the routing prefix length are all extracted from BGP routing information to be verified.
Correspondingly, step 120 specifically includes: taking the first routing prefix of the autonomous domain as the prefix of the IPv6 address to be verified; generating a suffix of the IPv6 address to be verified based on the first legal autonomous domain number of the autonomous domain and the first routing prefix length; and obtaining the IPv6 address to be verified based on the prefix and the suffix of the IPv6 address to be verified.
Specifically, a method for generating the suffix of the IPv6 address to be verified from the first legal autonomous domain number and the first routing prefix length is fixed in advance, and it is the same method the originating autonomous domain uses to generate the suffix of the IPv6 address at which it provides the verification service to the other autonomous domains. The IPv6 address to be verified obtained in this way therefore consists of the first routing prefix followed by a suffix generated from the first legal autonomous domain number and the first routing prefix length.
In the method provided by the embodiment of the present invention, the BGP routing information includes a first routing prefix, a first legal autonomous domain number and a first routing prefix length, which is the same information used by RPKI. However, in the method provided by the embodiment of the invention the issuer of the certificate for the verification service's trusted website can be freely chosen, so the method has better flexibility and autonomy.
Based on any of the above embodiments, the verification information includes the second routing prefix, the second legal autonomous domain number, and the second routing prefix length of the autonomous domain.
Here, "second" is used only to indicate that the routing prefix, legal autonomous domain number and routing prefix length are extracted from the verification information, to distinguish them from the routing prefix, legal autonomous domain number and routing prefix length extracted from the BGP routing information to be verified.
Based on any of the above embodiments, step 140 specifically includes: if the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively consistent with the second routing prefix, the second legal autonomous domain number and the second routing prefix length, determining that the BGP routing information passes verification; otherwise, determining that the BGP routing information fails verification.
Specifically, each item of information contained in the BGP routing information to be verified is compared with the corresponding item in the verification information. Only when every item is consistent is the BGP routing information determined to pass verification and to be genuine and secure; otherwise the BGP routing information is determined to fail verification and may have been hijacked.
Based on any of the above embodiments, the method further comprises: generating an IPv6 address of verification service based on BGP routing information of the autonomous domain; and obtaining the certificate of the trusted website of the verification service corresponding to the IPv6 address of the verification service through a third party organization, and providing verification information corresponding to the BGP routing information of the autonomous domain based on the trusted website of the verification service.
Specifically, while the method of the foregoing embodiment is executed to verify the BGP routing information of other autonomous domains, a verification-service IPv6 address may also be generated from the local autonomous domain's own BGP routing information, that is, an IPv6 address at which the local autonomous domain provides its BGP routing information verification service to the other autonomous domains. A certificate for the verification service's trusted website at that IPv6 address is issued by a third-party trusted authority, and the verification information corresponding to the local autonomous domain's BGP routing information is provided over HTTPS to every client accessing that trusted website.
It should be noted that, the method for generating the verification service IPv6 address in the embodiment of the present invention is consistent with the method for generating the to-be-verified IPv6 address in any one of the above embodiments, and details are not described here.
Based on any of the above embodiments, step 120 further includes: and if the IPv6 address to be verified fails to be accessed, determining that the BGP routing information verification fails.
Specifically, after the IPv6 address to be verified is obtained, it must be accessed. If the access succeeds, the verification information provided by the trusted website at that address can be obtained and the BGP routing information is verified against it; if the access fails, this indicates that the IPv6 address to be verified does not match the verification-service IPv6 address of the originating autonomous domain, and the BGP routing information is determined to fail verification because it has been hijacked.
Based on any of the above embodiments, a BGP routing information verification method includes the following steps:
For any Internet autonomous domain that acts as a source publishing routing information, an IPv6 server is configured within the autonomous domain and provides service to the Internet over HTTPS. A cache server is deployed at the same time; the cache server can communicate with the autonomous domain's border router using a third-party protocol.
The IPv6 server can configure the verification service IPv6 address in the following way:
taking the routing prefix of the autonomous domain as the prefix of the verification service IPv6 address; generating a suffix of the verification service IPv6 address based on the legal autonomous domain number and the routing prefix length of the autonomous domain; and combining the prefix and the suffix of the verification service IPv6 address to obtain a verification service IPv6 address.
Subsequently, the IPv6 server obtains, from a third-party trusted authority, the certificate for the verification service's trusted website at the verification-service IPv6 address, and provides over HTTPS, to every client accessing the IPv6 server, verification information consisting of the routing prefix, the legal autonomous domain number and the routing prefix length of the autonomous domain.
The cache server is configured to verify the authenticity of the BGP routing information of other autonomous domains received by the border router of the local autonomous domain, specifically as follows:
the cache server applies the same method used to generate the verification-service IPv6 address to generate the IPv6 address to be verified corresponding to the BGP routing information.
The cache server then accesses the IPv6 address to be verified over HTTPS to obtain the verification information provided by the trusted website at that address, and compares the verification information with the BGP routing information to be verified. If they are consistent, the BGP routing information is shown to be genuine and valid, and the cache server notifies the border router to proceed with normal communication.
The method provided by the embodiment of the invention uses the same verification information as RPKI and therefore offers the same security. Unlike RPKI, the embodiment of the invention allows the HTTPS certificate issuer to be chosen freely, giving better autonomy and flexibility. In addition, embodiments of the present invention may be used in combination with RPKI. Through the above steps, the authenticity of BGP routing information can be verified efficiently; the method is simple, fast and easy to deploy, and the danger and loss caused by BGP route hijacking are avoided.
Based on any of the above embodiments, a BGP routing information verification method includes the following steps:
For any Internet autonomous domain that acts as a source publishing routing information, suppose the BGP routing information of the autonomous domain comprises:
routing prefix: 2001:da8:c337::
prefix length: 48
autonomous domain number: 23910
An IPv6 server is configured in the autonomous domain, and the verification-service IPv6 address is configured as follows:
the routing prefix 2001:da8:c337 of the autonomous domain is taken as the prefix of the verification-service IPv6 address; the autonomous domain number occupies bits 96 to 128 of the suffix of the verification-service IPv6 address, which in the embodiment of the invention is 0000:5d66, i.e. 23910 in hexadecimal; the prefix length occupies bits 89 to 96 of the suffix, which in the embodiment of the invention is 30, i.e. 48 in hexadecimal; and bits 49 to 88 of the suffix are set to 0.
It should be noted that this suffix generation method generally requires the prefix length to be no more than 88 bits. Route prefix lengths in typical BGP advertisements meet this requirement; if it is exceeded, a digest of the autonomous domain number and the prefix length can be used to form the suffix.
The suffix of the verification-service IPv6 address is therefore 0000:0000:0030:0000:5d66, and combining the prefix and suffix gives the following verification-service IPv6 address:
2001:da8:c337:0000:0000:0030:0000:5d66
Subsequently, the IPv6 server obtains, from a third-party trusted authority, the certificate for the verification service's trusted website at that address, and provides verification information over HTTPS to every client accessing the IPv6 server, where the verification information comprises:
routing prefix: 2001:da8:c337::
prefix length: 48
autonomous domain number: 23910
When the border router of another autonomous domain receives this BGP routing information, its authenticity may be verified as follows:
the IPv6 address to be verified is generated from the BGP routing information by the same rule used to generate the verification-service IPv6 address. The IPv6 address to be verified is then accessed over HTTPS. If the BGP routing information is genuine and valid, the autonomous domain that sent the BGP route announcement has a server configured at the verification-service address within that autonomous domain, which can be accessed normally and provides the following verification information:
routing prefix: 2001:da8:c337::
prefix length: 48
autonomous domain number: 23910
The border router compares the verification information with the received BGP routing information, and if they are consistent the BGP routing information is determined to be genuine and valid.
If route hijacking occurs, the autonomous domain performing the hijack does not hold a valid certificate for a website at that address, cannot provide a legitimate HTTPS service, and the verification fails.
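The following is an added example, not code from the patent or its inventors, that implements in Python the address-derivation rule and the comparison of steps 120 to 140 above, using the numeric example (2001:da8:c337::/48, autonomous domain number 23910). The HTTPS fetch is injected as a function so the example runs offline; the names `RouteInfo`, `verification_address`, `verify_route` and `make_fetcher` are this example's own, the sample announcements (including the private-use ASN 65001) are constructed, and the SHA-256 digest used for prefixes longer than 88 bits is an assumption, since the patent only says that the autonomous domain number and prefix length can be digested in that case.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class RouteInfo:
    """Routing prefix, routing prefix length and legal (origin) autonomous domain number."""
    prefix: str       # e.g. "2001:da8:c337::"
    prefix_len: int   # e.g. 48
    asn: int          # e.g. 23910


def _network(info: RouteInfo) -> ipaddress.IPv6Network:
    # strict=False zeroes any host bits so prefix/length pairs compare cleanly.
    return ipaddress.IPv6Network(f"{info.prefix}/{info.prefix_len}", strict=False)


def verification_address(route: RouteInfo) -> str:
    """Derive the verification-service IPv6 address (exploded form) from the page's rule.

    The routing prefix supplies the high bits.  In the suffix, the lowest 32 bits carry
    the autonomous domain number, the 8 bits above them carry the prefix length, and the
    remaining suffix bits are zero.  That layout needs prefix_len <= 88.
    """
    if not 0 < route.asn < 2 ** 32:
        raise ValueError("autonomous domain number must fit in 32 bits")
    if route.prefix_len <= 88:
        suffix = (route.prefix_len << 32) | route.asn
    else:
        # Assumption (this example's choice): the page only says the ASN and prefix
        # length "can be digested" for longer prefixes; we use SHA-256 truncated to
        # the bits that remain after the prefix.
        free_bits = 128 - route.prefix_len
        digest = hashlib.sha256(f"{route.asn}/{route.prefix_len}".encode()).digest()
        suffix = int.from_bytes(digest, "big") & ((1 << free_bits) - 1)
    net = _network(route)
    return ipaddress.IPv6Address(int(net.network_address) | suffix).exploded


Fetcher = Callable[[str], Optional[RouteInfo]]


def verify_route(route: RouteInfo, fetch: Fetcher) -> bool:
    """Steps 120 to 140: derive the address, fetch the verification information, compare.

    `fetch` models the HTTPS access; it returns None when the address cannot be reached
    or no legitimately certified service answers, which the page treats as a failed
    verification.  All three fields must agree for the route to pass.
    """
    info = fetch(verification_address(route))
    if info is None:
        return False
    return _network(info) == _network(route) and info.asn == route.asn


def make_fetcher(published: Dict[str, RouteInfo]) -> Fetcher:
    """Constructed stand-in for the trusted websites: exploded address -> published info."""
    return lambda addr: published.get(addr)


# Constructed sample: the autonomous domain from the page's example publishes its own
# routing information at the address derived from that information.
GENUINE = RouteInfo("2001:da8:c337::", 48, 23910)
PUBLISHED = {verification_address(GENUINE): GENUINE}

# Constructed announcements that a verifier might receive for the same address space:
# the same prefix with a different origin (AS65001 is a private-use placeholder), and a
# more specific prefix.  Both derive to an address at which nothing is published.
FORGED_ORIGIN = RouteInfo("2001:da8:c337::", 48, 65001)
MORE_SPECIFIC = RouteInfo("2001:da8:c337:1::", 64, 23910)


def run_checks() -> Dict[str, bool]:
    """Verify each constructed announcement against the published verification info."""
    fetch = make_fetcher(PUBLISHED)
    return {
        "genuine": verify_route(GENUINE, fetch),
        "forged_origin": verify_route(FORGED_ORIGIN, fetch),
        "more_specific": verify_route(MORE_SPECIFIC, fetch),
    }


if __name__ == "__main__":
    print("verification-service address:", verification_address(GENUINE))
    for name, ok in run_checks().items():
        print(f"{name}: {'passes' if ok else 'fails'} verification")
```

In a deployment, `make_fetcher` would be replaced by an HTTPS client that validates the server certificate chain against the issuer the autonomous domain chose; that certificate check is what the page relies on to make a service at the derived address unusable to anyone other than the legitimate holder, and a reachable service whose published fields disagree with the announcement still fails the comparison.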
Based on any of the foregoing embodiments, fig. 2 is a schematic structural diagram of a BGP routing information verification apparatus according to an embodiment of the present invention, and as shown in fig. 2, the BGP routing information verification apparatus includes a BGP routing determining unit 210, an address generating unit to be verified 220, a verification information obtaining unit 230, and a BGP verification unit 240;
the BGP route determining unit 210 is configured to determine BGP route information of any autonomous domain other than the local autonomous domain;
the to-be-verified address generating unit 220 is configured to generate an IPv6 address to be verified based on the BGP routing information of any autonomous domain;
the verification information obtaining unit 230 is configured to access the IPv6 address to be verified, and obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified;
the BGP verifying unit 240 is configured to verify the BGP routing information based on the verification information.
The device provided by the embodiment of the invention generates the IPv6 address to be verified based on the BGP routing information of any autonomous domain, accesses that address, and verifies the BGP routing information against the verification information provided by the trusted website at that address, making full use of the vast address space provided by the IPv6 protocol. This realizes double verification of the BGP routing information, ensures its authenticity, and avoids the danger and loss caused by BGP route hijacking.
Based on any of the above embodiments, the BGP routing information includes a first routing prefix, a first legal autonomous domain number, and a first routing prefix length of the any autonomous domain;
the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively the routing prefix, the legal autonomous domain number and the routing prefix length extracted from the BGP routing information.
Based on any of the above embodiments, the to-be-verified address generating unit 220 is specifically configured to:
taking the first routing prefix of any autonomous domain as the prefix of the IPv6 address to be verified;
generating a suffix of the IPv6 address to be verified based on the first legal autonomous domain number and the first routing prefix length of any autonomous domain;
and obtaining the IPv6 address to be verified based on the prefix and the suffix of the IPv6 address to be verified.
Based on any of the above embodiments, the verification information includes a second routing prefix, a second legal autonomous domain number, and a second routing prefix length of the arbitrary autonomous domain;
the second routing prefix, the second legal autonomous domain number and the second routing prefix length are respectively the routing prefix, the legal autonomous domain number and the routing prefix length extracted from the verification information.
Based on any of the above embodiments, the BGP verifying unit 240 is specifically configured to:
if the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively consistent with the second routing prefix, the second legal autonomous domain number and the second routing prefix length, determining that the BGP routing information passes verification;
otherwise, determining that the BGP routing information fails verification.
According to any of the above embodiments, the apparatus further comprises a verification service unit; the verification service unit is configured to:
generating an IPv6 address of verification service based on BGP routing information of the autonomous domain;
and obtaining the certificate of the trusted website of the verification service corresponding to the IPv6 address of the verification service through a third party organization, and providing verification information corresponding to the BGP routing information of the autonomous domain based on the trusted website of the verification service.
According to any of the above embodiments, the apparatus further comprises a verification failure unit; the verification failure unit is configured to:
and if the IPv6 address to be verified fails to be accessed, determining that the BGP routing information verification fails.
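As an added worked example (not part of the patent, and not code from the applicant), the following Python models the to-be-verified address generating unit 220, the BGP verifying unit 240 and the verification failure unit described above. The patent leaves the suffix rule to each autonomous domain's preset rules, so the example assumes one concrete encoding: the 32-bit legal autonomous domain number followed by the 8-bit routing prefix length, placed in the low-order bits below the announced routing prefix. Access to the trusted website is replaced by an injected `fetch` callback backed by a constructed table; a real deployment would substitute an HTTPS client that validates the website's certificate chain against the third-party organization's CA. The names `BgpRoute`, `verification_address`, `verify_route`, `constructed_fetch` and the sample prefixes and ASNs are all constructed for this example.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class BgpRoute:
    """The three fields the patent extracts from BGP routing information."""
    prefix: str        # routing prefix, e.g. "2001:db8::"
    prefix_len: int    # routing prefix length, e.g. 32
    origin_asn: int    # legal (origin) autonomous domain number


def verification_address(route: BgpRoute) -> ipaddress.IPv6Address:
    """Derive the IPv6 address of the verification service for a route.

    The announced prefix supplies the high bits. The suffix encoding is an
    assumption of this example, not a rule stated in the patent: the 32-bit
    origin ASN followed by the 8-bit prefix length, in the low-order bits.
    """
    net = ipaddress.IPv6Network(f"{route.prefix}/{route.prefix_len}", strict=True)
    if not 0 <= route.origin_asn < (1 << 32):
        raise ValueError("origin ASN must be a 32-bit value")
    suffix = (route.origin_asn << 8) | route.prefix_len
    if suffix >= (1 << (128 - route.prefix_len)):
        # Very long prefixes leave no room for the suffix; refuse rather than
        # silently overwrite prefix bits.
        raise ValueError("suffix does not fit in the host part of the prefix")
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


# Stands in for an HTTPS client: given the address, returns the document body
# published by the trusted website, or raises OSError when access fails.
Fetcher = Callable[[ipaddress.IPv6Address], str]


def verify_route(route: BgpRoute, fetch: Fetcher) -> Tuple[bool, str]:
    """Apply the verifying unit's rules; returns (passed, reason)."""
    addr = verification_address(route)
    try:
        body = fetch(addr)
    except OSError as exc:
        # Verification failure unit: an unreachable address means failure.
        return False, f"access to {addr} failed: {exc}"
    try:
        info = json.loads(body)
        second_prefix = ipaddress.IPv6Address(str(info["prefix"]))
        second_len = int(info["prefix_len"])
        second_asn = int(info["asn"])
    except (KeyError, TypeError, ValueError) as exc:
        return False, f"malformed verification information: {exc}"
    # BGP verifying unit: all three first/second pairs must agree.
    if (ipaddress.IPv6Address(route.prefix) == second_prefix
            and route.prefix_len == second_len
            and route.origin_asn == second_asn):
        return True, "prefix, origin ASN and prefix length all match"
    return False, "verification information disagrees with the announcement"


# Constructed stand-in for the trusted websites reachable on the network.
# 2001:db8::/32 is legitimately originated by AS64496; the second entry is a
# deliberately inconsistent document used to exercise the comparison rule.
CONSTRUCTED_SITES: Dict[str, str] = {
    "2001:db8::fb:f020": '{"prefix": "2001:db8::", "prefix_len": 32, "asn": 64496}',
    "2001:db8:1::fb:f130": '{"prefix": "2001:db8:1::", "prefix_len": 48, "asn": 64498}',
}


def constructed_fetch(addr: ipaddress.IPv6Address) -> str:
    """Fetch from the constructed table; any other address is unreachable."""
    try:
        return CONSTRUCTED_SITES[str(addr)]
    except KeyError:
        raise ConnectionError("no route to host") from None


if __name__ == "__main__":
    # A legitimate announcement, a conflicting origin for the same prefix, and
    # an announcement whose published document disagrees with it.
    for route in (BgpRoute("2001:db8::", 32, 64496),
                  BgpRoute("2001:db8::", 32, 64512),
                  BgpRoute("2001:db8:1::", 48, 64497)):
        passed, reason = verify_route(route, constructed_fetch)
        print(f"{route.prefix}/{route.prefix_len} AS{route.origin_asn}: "
              f"{'PASS' if passed else 'FAIL'} ({reason})")
```

Because the origin ASN is folded into the address, an announcement of the same prefix with a different legal autonomous domain number derives a different verification address; in the constructed table that address does not exist, so the verification failure unit's rule rejects it, while a published document whose fields disagree with the announcement is rejected by the three-way comparison. The fit check on the suffix matters for long prefixes, where the host part is too small to carry the ASN and length without overwriting prefix bits.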
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 3, the electronic device may include a processor 310, a communication interface 320, a memory 330 and a communication bus 340, wherein the processor 310, the communication interface 320 and the memory 330 communicate with each other via the communication bus 340. The processor 310 may call logic commands in the memory 330 to perform the following method: determining BGP routing information of any autonomous domain other than the local autonomous domain; generating an IPv6 address to be verified based on the BGP routing information of that autonomous domain; accessing the IPv6 address to be verified to obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified; and verifying the BGP routing information based on the verification information.
In addition, the logic commands in the memory 330 may be implemented in the form of software functional units and, when sold or used as independent products, stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes a plurality of commands for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method provided in the foregoing embodiments, the method including: determining BGP routing information of any autonomous domain other than the local autonomous domain; generating an IPv6 address to be verified based on the BGP routing information of that autonomous domain; accessing the IPv6 address to be verified to obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified; and verifying the BGP routing information based on the verification information.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes commands for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A BGP routing information verification method is characterized by comprising the following steps:
determining BGP routing information of any autonomous domain except the autonomous domain;
generating an IPv6 address to be verified based on BGP routing information of any autonomous domain;
accessing the IPv6 address to be verified to obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified;
verifying the BGP routing information based on the verification information;
each autonomous domain applies preset rules in advance, generates IPv6 addresses for providing verification services for other autonomous domains based on information contained in own BGP routing information, and mounts verification information on a trusted website corresponding to the IPv6 address, so that the other autonomous domains can acquire the verification information to realize the verification of the BGP routing information;
generating an IPv6 address to be verified based on the BGP routing information of any autonomous domain, wherein the method comprises the following steps:
and based on the BGP routing information of any autonomous domain, applying the set rule to generate an IPv6 address to be verified.
2. The BGP routing information verification method according to claim 1, wherein the BGP routing information includes a first routing prefix, a first legal autonomous domain number, and a first routing prefix length of the any autonomous domain;
the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively the routing prefix, the legal autonomous domain number and the routing prefix length extracted from the BGP routing information.
3. The BGP routing information verification method according to claim 2, wherein the generating an IPv6 address to be verified based on the BGP routing information of the any autonomous domain specifically includes:
taking the first routing prefix of any autonomous domain as the prefix of the IPv6 address to be verified;
generating a suffix of the IPv6 address to be verified based on the first legal autonomous domain number and the first routing prefix length of any autonomous domain;
and obtaining the IPv6 address to be verified based on the prefix and the suffix of the IPv6 address to be verified.
4. The BGP routing information verification method of claim 2, wherein the verification information includes a second routing prefix, a second legal autonomous domain number, and a second routing prefix length of the any autonomous domain;
the second routing prefix, the second legal autonomous domain number and the second routing prefix length are respectively the routing prefix, the legal autonomous domain number and the routing prefix length extracted from the verification information.
5. The BGP routing information verification method according to claim 4, wherein the verifying the BGP routing information based on the verification information specifically includes:
if the first routing prefix, the first legal autonomous domain number and the first routing prefix length are respectively consistent with the second routing prefix, the second legal autonomous domain number and the second routing prefix length, determining that the BGP routing information passes verification;
otherwise, determining that the BGP routing information fails to verify.
6. The BGP routing information verification method of any of claims 1-5, further comprising:
generating an IPv6 address of verification service based on BGP routing information of the autonomous domain;
and obtaining the certificate of the trusted website of the verification service corresponding to the IPv6 address of the verification service through a third party organization, and providing verification information corresponding to the BGP routing information of the autonomous domain based on the trusted website of the verification service.
7. The BGP routing information verification method according to any of claims 1 to 5, wherein the generating an IPv6 address to be verified based on the BGP routing information of any autonomous domain further comprises:
and if the IPv6 address to be verified fails to be accessed, determining that the BGP routing information verification fails.
8. A BGP routing information verification apparatus, comprising:
a BGP route determining unit, configured to determine BGP route information of any autonomous domain other than the autonomous domain;
the to-be-verified address generating unit is used for generating an IPv6 address to be verified based on the BGP routing information of any autonomous domain;
the verification information acquisition unit is used for accessing the IPv6 address to be verified to obtain verification information provided by a trusted website corresponding to the IPv6 address to be verified;
a BGP verifying unit, configured to verify the BGP routing information based on the verification information;
each autonomous domain applies preset rules in advance, generates IPv6 addresses for providing verification services for other autonomous domains based on information contained in own BGP routing information, and mounts verification information on a trusted website corresponding to the IPv6 address, so that the other autonomous domains can acquire the verification information to realize the verification of the BGP routing information;
the to-be-verified address generating unit is specifically configured to:
and based on the BGP routing information of any autonomous domain, applying the set rule to generate an IPv6 address to be verified.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the steps of the BGP routing information verification method according to any of claims 1 to 7 are implemented by the processor when executing the program.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, performs the steps of the BGP routing information verification method according to any of claims 1 to 7.
Application CN202010136548.4A, priority date 2020-03-02, filing date 2020-03-02: BGP routing information verification method and device. Status: Active. Publication CN111211976B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010136548.4A CN111211976B (en) 2020-03-02 2020-03-02 BGP routing information verification method and device

Publications (2)

Publication Number Publication Date
CN111211976A CN111211976A (en) 2020-05-29
CN111211976B true CN111211976B (en) 2021-03-19

Family

ID=70789757

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010136548.4A Active CN111211976B (en) 2020-03-02 2020-03-02 BGP routing information verification method and device

Country Status (1)

Country Link
CN (1) CN111211976B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115883088B (en) * 2023-01-10 2023-05-12 中国人民解放军61660部队 BGP route-based autonomous domain security parameter updating method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1921394A (en) * 2006-09-19 2007-02-28 清华大学 Actual IPv6 source address verification method based on autonomy system interconnecting relation
CN101902474A (en) * 2010-07-21 2010-12-01 清华大学 Label replacement based verification method of IPv6 true source address between every two autonomous domains
CN102158497A (en) * 2011-05-11 2011-08-17 中国人民解放军国防科学技术大学 IP address filtering method and device
CN104333615A (en) * 2014-11-05 2015-02-04 中国联合网络通信集团有限公司 Method and device for tracing address source

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8451750B2 (en) * 2008-10-01 2013-05-28 Cisco Technology, Inc. Validation of routes advertised by border gateway protocol
CN105376230B (en) * 2015-11-16 2018-05-04 东北大学 A kind of HMIPv6 network bi-directional access authentication methods of oriented multilayer MAP

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BGP Security Research; 黎松, 诸葛建伟, 李星; 软件学报 (Journal of Software); 2013-01-31; full text *
L. Colitti; G. Di Battista; M. Patrignani; M. Pizzonia; M. R. Investigating Prefix Propagation through Active BGP Probing. 11th IEEE Symposium on Computers and Communications (ISCC'06). 2006, *
Wenjie Xu; Deliang Chang; Xing Li. On the classification and false alarm of invalid prefixes in RPKI based BGP route origin validation. 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). 2019, *
Next-Generation Internet Technology and Practice Based on IPv6; 刘莹, 任罡, 包丛笑, 李贺武; 信息通信技术 (Information and Communications Technologies); 2017-12-31; full text *

Also Published As

Publication number Publication date
CN111211976A (en) 2020-05-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant