CN113542116B - ASPA (advanced application platform Power) improvement-based path verification method


Info

Publication number
CN113542116B
CN113542116B
Authority
CN
China
Prior art keywords
path
signature
route
aspa
verification method
Prior art date
Legal status
Active
Application number
CN202110216570.4A
Other languages
Chinese (zh)
Other versions
CN113542116A (en)
Inventor
马迪
包卓
毛伟
肖文龙
邵晴
邢志杰
Current Assignee
INTERNET DOMAIN NAME SYSTEM BEIJING ENGINEERING RESEARCH CENTER
Original Assignee
INTERNET DOMAIN NAME SYSTEM BEIJING ENGINEERING RESEARCH CENTER
Priority date
Filing date
Publication date
Application filed by INTERNET DOMAIN NAME SYSTEM BEIJING ENGINEERING RESEARCH CENTER
Priority to CN202110216570.4A
Publication of CN113542116A
Application granted
Publication of CN113542116B
Legal status: Active
Anticipated expiration

Classifications

    • H04L45/04 Interdomain routing, e.g. hierarchical routing (under H04L45/00 Routing or path finding of packets in data switching networks; H04L45/02 Topology update or discovery)
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures (under H04L9/00; H04L9/32)
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] (under H04L9/00; H04L9/32; H04L9/3263)

Abstract

The invention discloses a route verification method based on an improvement of ASPA. It uses the ASPA pairs and introduces a signature over the AS_PATH route attribute at every even-order AS in the route advertisement, which strengthens the protection of the AS_PATH attribute. At the same time, a signature buffer queue of 2 units is used while the signatures are transmitted: when a router receives the packet at each hop, it only needs to take the first signature of the queue and perform one signature verification. On the basis of the security guarantee, the payload size of the BGP advertisement packet and the number of signature verifications are reduced, and the CPU burden is reduced as well.

Description

ASPA (advanced application platform Power) improvement-based path verification method
Technical Field
The invention relates to the technical field of Internet domain names and, in particular, to an improved path verification method based on ASPA (Autonomous System Provider Authorization).
Background
At present, RPKI (the Resource Public Key Infrastructure for Internet number resources) is built on a PKI system: IP prefix resource holders sign IP authorization relations in batches in the format of signed objects, a relying party (RP) server pulls, parses and verifies the signed-object repository, and finally pushes the verified (AS number, IP prefix) pairs to the router, which uses this data to validate the announcing source when it receives a route advertisement.
Building on the RPKI system, the IETF proposes the ASPA draft to verify the AS_PATH attribute in BGP route advertisements. In it, each AS resource holder publishes the set of AS numbers of its upstream providers in batch; acting as a customer, the AS sends route advertisements to all ASes in its provider set. After a router has acquired the global ASPA data, it can verify the validity of the AS_PATH in a BGP advertisement using a sliding window of 2.
Fig. 1 is a schematic diagram of an ASPA signed object. Inter-domain relationships mainly comprise three roles, customer, provider and peer, and the forwarding relationships mainly comprise C2P, P2C and P2P. ASPA is based on the "valley-free" network model, which considers that:
1. A route advertisement always propagates upward and then downward, or upward without coming down; that is, it starts with C2P hops and ends with P2C hops or with C2P hops.
2. During the propagation of a BGP route advertisement, propagation in the upstream direction needs particular protection to avoid large-scale traffic hijacking through a provider. When each router receives the packet, it needs to check the validity of the transfer relationships in the AS_PATH information.
3. Once the BGP packet starts to propagate downstream, it must be verified that there is no second C2P transfer. The advertisement is discarded as soon as a second upward propagation is found in the AS_PATH attribute.
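As an added illustration of the three rules above (constructed example code, not part of the patent or of any ASPA implementation), the following Python slides a window of two ASes over an AS_PATH written in propagation order and classifies each hop from constructed ASPA records (customer ASN -> authorized provider ASNs). A hop that neither side attests is treated as a lateral peer hop at the apex, which is a simplification of how the IETF draft handles unattested hops; the `ASPA` table, `hop_kind` and `verify_path` are assumed names.

```python
"""Valley-free AS_PATH check against ASPA provider sets (window of two ASes).

Constructed illustration of the three rules above; not code from the patent.
Assumptions: ASPA data is a mapping customer ASN -> set of provider ASNs,
paths are written in propagation order (origin first) as in the text, and a
hop that neither side attests is treated as a lateral (peer) hop at the apex,
which simplifies how the IETF draft treats unattested hops.
"""

# Constructed ASPA records: customer AS -> ASes it has authorised as providers.
ASPA = {
    1: {2},
    2: {3},
    3: {4},
    5: {4},
    6: {5, 8},
    7: {6},
}


def hop_kind(a, b, aspa=ASPA):
    """Classify the hop a -> b using the two ASPA records it touches.

    'up'      : b is an authorised provider of a   (C2P)
    'down'    : a is an authorised provider of b   (P2C)
    'lateral' : neither (or both) attests the hop  (P2P / unattested)
    """
    up = b in aspa.get(a, set())
    down = a in aspa.get(b, set())
    if up and not down:
        return "up"
    if down and not up:
        return "down"
    return "lateral"


def verify_path(path, aspa=ASPA):
    """Slide a window of two ASes over the path and apply the valley-free rules.

    Returns (verdict, reason) where verdict is 'valid' or 'invalid'.
    """
    if len(path) < 2:
        return "valid", "single-AS path"
    descending = False          # becomes True once the path has turned P2C
    for a, b in zip(path, path[1:]):
        kind = hop_kind(a, b, aspa)
        if kind == "up":
            if descending:       # rule 3: a second C2P transfer is forbidden
                return "invalid", f"second C2P hop {a}->{b} after the path turned downstream"
        elif kind == "lateral":
            if descending:
                return "invalid", f"lateral hop {a}->{b} after the path turned downstream"
            descending = True    # apex reached: only P2C hops may follow
        else:                    # 'down'
            descending = True
    return "valid", "C2P hops followed only by P2C hops"


if __name__ == "__main__":
    for p in ([1, 2, 3, 4, 5, 6], [1, 2, 3, 4, 5, 6, 8], [1, 2, 3, 4, 5, 6, 7]):
        print(p, *verify_path(p))
```

The first path climbs AS1 through AS4 and descends to AS6, so it passes; appending AS8 (a provider of AS6) after the descent is the "second C2P transfer" of rule 3 and is rejected.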
ASPA checks the AS_PATH attribute using the authorization relation between the neighbors that pass the packet, and does not provide tamper-proof protection for the whole AS_PATH attribute. An attacker can still directly forge an AS_PATH attribute that passes verification against the ASPA data, which results in traffic hijacking.
The AS_PATH attribute in BGP is a key attribute in path selection: the AS_PATH length is a factor in route optimization, and AS_PATH is also used to detect loops. Without cryptographic signature protection, however, path attributes are easily forged or tampered with. ASPA verifies the forwarding relations in the AS_PATH in order to check the path attribute and limit the possibility of path tampering. Overall, BGP advertisements are verified at AS granularity, but during the real-time propagation and forwarding of an advertisement from one AS to another, multiple paths may exist that all pass verification against the ASPA data; after the decision of a complex routing policy, only one best path among them is finally selected for transmission. An attacker can still influence the path decision for the advertisement by forging a path and thereby hijack traffic, and ASPA cannot protect the AS_PATH at IP-prefix granularity.
Therefore, how to remedy the defects of ASPA on the basis of the existing ASPA data, while keeping its performance superior to that of other path verification schemes under the RPKI system, has become the technical problem that urgently needs to be solved.
Disclosure of Invention
The invention aims to provide an improved path verification method based on ASPA (Autonomous System Provider Authorization), to solve the problem of weak security caused by the lack of path verification in the original RPKI system.
Therefore, the invention provides an ASPA-based improved path verification method, which comprises the following steps:
during the process in which BGP routers forward the route advertisement, the AS path carried in AS_PATH is signed at every other AS.
Further, the content of the signature is the AS_PATH information, including the AS number of the neighbor to which the advertisement is about to be forwarded.
Further, the signing is performed by the even-order ASes, and the routers in odd order only forward the AS_PATH signature information without signing the path information themselves.
Further, the effective radius of a signature over the AS path is two AS units.
Further, during broadcast, the BGP route advertisement continuously undergoes logical dequeue and enqueue operations, and a buffer queue of two AS units is always maintained.
Further, since an odd-order AS is an intermediate neighbor, when it receives the route advertisement it needs to verify the validity of the signature within one effective radius from the previous even-order AS.
Further, when the next even-order AS receives the route advertisement, the validity of the plaintext AS_PATH information in the advertisement is verified through authentication of the path signature information of the previous even-order AS.
Further, when a router receives the route advertisement, the signature information from two effective radii before it is dequeued, and the signature information for one effective radius after it is enqueued.
Further, it is set that the first two AS routes, with sequence numbers 1 and 2, do not need signature verification.
Compared with the prior art, the improved path verification method based on ASPA disclosed by the invention achieves the following technical effects:
1. In the RPKI system, the ASPA pairs can be used to verify the transmission relationships in the route announcement; on that basis, the invention also introduces a signature over the route attribute to strengthen the protection of the AS_PATH attribute.
2. The number of signatures is reduced: the path information does not need to be signed separately at every router hop.
3. A signature cache queue of 2 units is used during signature transmission; when a router receives a packet at each hop, it only needs to take the first signature of the queue and perform one signature verification. Compared with the hop-by-hop signing of the BGPSec path protection scheme in the RPKI system, this greatly reduces the payload size of the BGP advertisement packet and the number of signature verifications, and reduces the CPU burden while maintaining the security guarantee.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. It is obvious that the drawings in the following description show only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an ASPA signature object.
Fig. 2 is a schematic diagram of alternate hop signatures in an embodiment of the present invention.
Fig. 3 is a schematic diagram of a signature buffer queue in an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings, but the present invention is not limited thereto.
In the prior art, when a packet travels from one AS to another, multiple paths may exist that all pass verification against the ASPA data; after the decision of a complex routing policy, only one preferred path among them is finally selected for transmission. An attacker can still influence the path decision for the advertisement through a forged path and thereby hijack traffic, and ASPA cannot protect the AS_PATH at IP-prefix granularity.
The invention aims to protect the path attribute and reduce the number of signatures by adopting alternate-hop signing (one signature every other AS) on the basis of the existing ASPA data, and to reduce the payload size of the BGP (Border Gateway Protocol) advertisement packet by adopting a signature cache queue.
The embodiment of the invention discloses an improved path verification method based on ASPA, which mainly comprises two mechanisms: alternate-hop signatures and a signature buffer queue.
The two mechanisms are described in detail below.
1. Alternate-hop signature
While BGP route advertisements are broadcast in queue order, the AS path carried in AS_PATH is signed at every other AS.
In the Internet, an Autonomous System (AS), referred to hereinafter as an AS autonomous domain for convenience, is a small network unit that may be a single network or a group of networks controlled by one or more common network administrators; it is a single manageable network element (e.g., a university, an enterprise or a company) that has the authority to decide autonomously which routing protocols are used within the system. An autonomous system is sometimes referred to as a routing domain. Each autonomous system is assigned a globally unique 16-bit number called the autonomous system number, also referred to as the AS number or ASN.
In order to ensure that the path attribute is not tampered with, the path attribute needs to be digitally signed and transmitted in the route advertisement. The signed content includes both the preceding path information and the AS number of the next AS in AS_PATH, and since ASPA provides the legitimate transmission relation between neighboring ASes, the effective radius of a path signature is two AS units. Because the first AS originates the advertisement, signing normally starts at the second router, then skips one AS to the fourth, and so on. During route transmission, each forwarder judges from its position sequence number whether it is in an even position, signs the path information when required, and places the signature information into the packet that is forwarded to the next router in sequence.
During route forwarding, an even-order AS signs the path including the next AS. The signed content covers all ASes on the path from the previous AS through to the next AS, so every AS number in the AS_PATH is protected by a signature. An odd-order AS does not need to sign; it only forwards the signature of the preceding even-order AS adjacent to it to the following even-order AS adjacent to it, and the signature is verified by that next even-order AS.
Referring to Fig. 2, assume that a route advertisement converges from its origin to the global network over a route of 6 AS autonomous domains, along the path AS1 -> AS2 -> AS3 -> AS4 -> AS5 -> AS6. AS1 generates the advertisement; AS2 receives the advertisement sent from AS1, checks it, and decides to forward it to the neighboring AS3. AS2 generates the signature Sig2 over (1 -> 2 -> 3), loads the signature information into the route advertisement, and forwards it to AS3. Since ASPA can prove that the hop AS3 -> AS4 is valid, the valid range of AS2's signature reaches AS3 and AS4; that is, the signature generated by AS2 provides path information verification for the two subsequent propagators AS3 and AS4, and by verifying it these two ASes confirm that the path information in the route advertisement has not been tampered with. AS3 therefore does not need to sign: it transmits AS2's signature directly to AS4, and AS4 performs the verification. Likewise, after AS5 receives and verifies the route advertisement transmitted by AS4, it transmits it directly to AS6 without signing.
According to this rule, on the example path above, from AS1 generating the IP prefix advertisement until AS6 receives it, the signers along the way are only the even-order AS2 and AS4; AS3 and AS5 only forward the advertisement and do not need to sign again. Signing at every other AS, combined with the characteristics of the ASPA data, halves the number of signatures compared with BGPSec, the other path protection solution in the RPKI system, and improves communication efficiency while still guaranteeing the security of data transmission.
2. Signature cache queue
When each AS (excluding the first two ASes) receives the route advertisement, the signature over the AS_PATH needs to be verified to confirm that the advertised AS_PATH has indeed not been tampered with. The invention adopts an alternate-hop signature cache: the information of an odd-order AS is signed and issued by the preceding AS, the even-order ASes act as issuers, and the issued content also needs to be authenticated, that is, the even-order ASes need to verify the validity of the signature; therefore a cache queue of two units needs to be arranged during the broadcast of the BGP advertisement.
Path validity verification of an issuer requires signature authentication of the issuer within the protection radius of the AS. When the AS between two even-order issuers acts as the neighbor and receives the route advertisement broadcast from the preceding AS acting as issuer, it validates the signed AS numbers within one effective radius before it; that is, the odd-order neighbor validates the path information issued by the issuer three AS units (a distance of three hops) before it. After the neighbor broadcasts the route advertisement to the next even-order AS, no path attribute signature is performed in between, and the next even-order AS verifies the validity of the plaintext AS_PATH information of the advertisement by retrieving the ASPA neighbor pairs.
For example, even 1 -> neighbor -> even 2 is the delivery order: the neighbor receives only the packet from even 1 and not the packet of even 2 in reverse, and the neighbor's routing declaration is authenticated by the path signature information of even 1.
The routing declaration of even 2 is authenticated by the signature of even 1 together with the ASPA data for neighbor -> even 2. Likewise, the route announcement information of even 1 is authenticated by the path signature information of the previous even-order AS.
For example, on the advertisement propagation path AS1 -> AS2 -> AS3 -> AS4 -> AS5 -> AS6, the even-order AS4 acts as issuer and broadcasts the route advertisement to the neighbor AS5. When AS5 receives the advertisement sent by AS4, it needs to verify AS2's signature Sig2 over (1 -> 2 -> 3), and the validity of the part AS3 -> AS4 can be verified by retrieving the ASPA neighbor pairs. Since the ASPA neighbor pairs impose a fundamental limitation on AS_PATH forgery, AS4 can indeed have received the advertisement sent by AS3, and AS_PATH information at a distance of one hop cannot be forged. The only parts of the AS_PATH that AS4 could tamper with are AS1 and AS2; AS3, within one-hop range, cannot be modified.
During propagation of the route advertisement, logical dequeue and enqueue operations are carried out continuously, and two cache units are always kept. When an AS receives a route advertisement forwarded to it, the signature from two effective radii (four hops) before it is dequeued and the signature for one effective radius after it is enqueued; that is, the current cache queue holds the signatures of the two-hop sequences before and after the currently signing router, so that two cache units are kept.
Referring to Fig. 3, for example, a route advertisement passes through 8 AS autonomous domains along the path AS1 -> AS2 -> AS3 -> AS4 -> AS5 -> AS6 -> AS7 -> AS8: AS1 initiates the route advertisement, AS2, AS3, AS4, AS5, AS6 and AS7 continue to broadcast it outward in sequence, and finally AS8 receives it. Throughout, the even-order ASes AS2, AS4 and AS6 generate signatures, and enqueue and dequeue operations are performed on the cache queue at the same time.
Since AS1, when deploying native ASPA, issues and publishes its neighbor ASes in the form of a list, meaning that AS1 broadcasts its own advertisement to the neighbors in that list, AS2 receives the packet at a distance of one hop and AS1 obviously has no need to forge anything. AS2 therefore retrieves the cached ASPA data it has already pulled, finds that the pair (AS1, AS2) really exists, and can prove that they are really neighbors; the verification here is the most basic ASPA verification process. So packets sent out from the IP source AS1 travel one unit of distance without using a signature. Similarly, when AS3 receives the advertisement from AS2, it also retrieves (AS1, AS2), proving that AS2 is indeed a neighbor of AS1 and that AS1 would send the advertisement directly to AS2. This verification can likewise be done using the native ASPA data, and no signature verification is needed at this point. From AS3's perspective, the path is true as long as it can be verified by native ASPA: AS2 can indeed have received the packet along the presented path, and AS2 has no reason to lie. For the statements of the first two ASes, only ASPA data verification is needed and no signature verification is necessary. But as the distance from the source AS1 grows, verification of the signature at the head of the queue is required starting from the statement made by AS3.
AS1 sends out an advertisement, which is transmitted to AS2; AS2 generates the signature Sig2 over (1 -> 2 -> 3) to authenticate the path information for AS3 and AS4, and the advertisement is then transmitted onward to AS4. For convenience of explanation, the propagation path of the AS route is represented by numbers and arrows. Sig denotes the signature generated by an autonomous domain AS with its private key, and the numeric subscript is the sequence number of the corresponding autonomous domain; for example, Sig2 is the signature generated by AS2 and Sig6 the signature generated by AS6.
AS4 generates a new path signature Sig4 over (1 -> 2 -> 3 -> 4 -> 5); the router places this signature information at the tail of the cache queue and transmits it to AS5 along with the BGP advertisement;
AS5 verifies, using Sig2 over (1 -> 2 -> 3) and the ASPA pair (3:4), that the 1 -> 2 -> 3 -> 4 information sent by router AS4 has not been tampered with;
after AS5 passes the verification, the signature Sig4 over (1 -> 2 -> 3 -> 4 -> 5) is transmitted to AS6, and AS5 itself does not lie;
when AS6 receives the advertisement transmitted from AS5, it first performs native ASPA verification using the ASPA information and then dequeues and enqueues the signature queue. At this time Sig2 is dequeued from the cache queue, a new signature Sig6 over (1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7) is generated and enqueued, and the queue holds two signatures in total, Sig4 and Sig6: the head of the queue is AS4's signature Sig4 over (1 -> 2 -> 3 -> 4 -> 5) and the tail is Sig6 over (1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7). The two-unit cache queue is thus maintained, and the signature-protected verification process continues by analogy.
When AS6 verifies, it uses the certificate identifier SKI4 to find AS4's certificate and extract its public key, and verifies AS4's signature Sig4 (the plaintext of the signature is simply the AS_PATH). A successful verification means that the path attribute 1 -> 2 -> 3 -> 4 -> 5 has not been changed, which shows that the packet was really sent by AS4 to AS5 and that AS5 did not tamper with the AS_PATH information.
It should be noted that, since the protection radius of one signature is two AS units, with even-order signing every statement actually made by an AS along the route is covered by signature information, with overlap. The propagation by each subsequent AS needs to be verified, except for the first two ASes, but signing occurs only in even-order positions.
For example, on the path 1-2-3-4-5-6, signatures are generated at 2 and 4, and when 3, 4, 5 and 6 receive the packet they each need to verify, according to the two signatures, that the previous AS has not tampered with the AS_PATH information; that is, 4 checks 3, 5 checks 4, and so on. Therefore, from AS3 onward, signature verification needs to be performed once, using the signature at the head of the queue, and what is mainly verified is whether the AS_PATH information was tampered with by the previous AS.
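As an added example covering both the alternate-hop signing of section 1 and the two-unit cache queue of section 2 (constructed code, not the patent's own), the following Python simulates an advertisement travelling along AS1 -> AS2 -> ... -> AS8. Assumptions: per-AS HMAC keys (`KEYS`) stand in for each AS's RPKI private key and for the SKI-based public-key lookup, so `sign` and `verify_signature` are stand-ins for Sig_n with asymmetric keys; `ASPA_PAIRS` is a constructed set of (customer, provider) pairs used only for the one-hop neighbor check, the valley-free direction check being left out; `verify_at` and `propagate` are hypothetical names. A receiver verifies the newest queued signature not produced by its immediate sender, which is the head of the queue once an even-order AS has dequeued the oldest entry, exactly as in the AS6 step above. The second run shows what the scheme adds over ASPA alone: AS5 forwards a shortened AS_PATH that every ASPA pair still authorizes, and AS6 rejects it because Sig4 does not match.

```python
"""Alternate-hop AS_PATH signatures with a two-unit signature cache queue.

Constructed simulation of the scheme described in sections 1 and 2 above; it
is not code from the patent.  Assumptions: per-AS HMAC keys stand in for each
AS's RPKI private key and for the SKI-based public-key lookup (a deployment
would use asymmetric signatures over the same plaintext); ASPA data is a set
of (customer, provider) pairs used only for the one-hop neighbour check, the
valley-free direction check being left out; AS_PATH is kept in propagation
order (origin first), as in the text.
"""
import hashlib
import hmac
from collections import deque

# Constructed key material: one key per AS on the example path AS1 .. AS8.
KEYS = {asn: f"key-of-AS{asn}".encode() for asn in range(1, 9)}

# Constructed ASPA neighbour pairs (customer, provider) along AS1 -> ... -> AS8.
ASPA_PAIRS = {(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7), (7, 8)}


def _plaintext(path):
    """The signed plaintext is just the AS_PATH, e.g. b'1->2->3'."""
    return "->".join(str(a) for a in path).encode()


def sign(signer, path):
    """Sig_signer over the AS_PATH plaintext (HMAC stands in for a signature)."""
    mac = hmac.new(KEYS[signer], _plaintext(path), hashlib.sha256).hexdigest()
    return (signer, tuple(path), mac)


def verify_signature(sig):
    """Look up the signer's key (stand-in for the SKI lookup) and check Sig."""
    signer, path, mac = sig
    expected = hmac.new(KEYS[signer], _plaintext(path), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def verify_at(receiver, seq, as_path, queue, aspa=ASPA_PAIRS):
    """Checks made by `receiver` (position `seq` on the route) on an
    advertisement carrying `as_path` (origin first, ending with the sender)
    and the signature `queue`.  Returns (accepted, reason)."""
    sender = as_path[-1]
    # 1. Native ASPA check: every hop, including the one just taken, must be
    #    an authorised (customer, provider) pair.
    for a, b in zip(as_path + [receiver], as_path[1:] + [receiver]):
        if (a, b) not in aspa:
            return False, f"ASPA: hop {a}->{b} is not authorised"
    # 2. Use the newest signature that was NOT produced by the immediate
    #    sender, since the sender cannot vouch for its own honesty.  For an
    #    even-order receiver this is the head of the queue once the oldest
    #    entry has been dequeued; for an odd-order receiver it is the head.
    candidates = [s for s in queue if s[0] != sender]
    if not candidates:
        if seq <= 3:
            return True, "within two hops of the origin: ASPA data suffices"
        return False, "missing AS_PATH signature"
    sig = candidates[-1]
    signer, signed_path, _ = sig
    if not verify_signature(sig):
        return False, f"Sig{signer} does not verify"
    # 3. The signed AS_PATH must be a prefix of the plaintext AS_PATH; the hops
    #    after the signed prefix were covered by the ASPA pairs in step 1.
    if tuple(as_path[:len(signed_path)]) != signed_path:
        return False, f"AS_PATH {as_path} does not match Sig{signer} over {list(signed_path)}"
    return True, f"Sig{signer} verifies {list(signed_path)}"


def propagate(route, aspa=ASPA_PAIRS, tamper=None):
    """Walk an advertisement along `route` (origin first).  `tamper` maps an
    ASN to the forged AS_PATH that AS forwards in place of what it received.
    Returns [(asn, accepted, reason), ...] for each receiving AS; propagation
    stops at the first AS that rejects the advertisement."""
    tamper = tamper or {}
    origin, *rest = route
    as_path = [origin]
    queue = deque(maxlen=2)              # the two-unit signature cache
    log = []
    for seq, asn in enumerate(rest, start=2):
        accepted, reason = verify_at(asn, seq, as_path, queue, aspa)
        log.append((asn, accepted, reason))
        if not accepted:
            break
        as_path = list(tamper.get(asn, as_path)) + [asn]
        nxt = rest[seq - 1] if seq - 1 < len(rest) else None
        if seq % 2 == 0 and nxt is not None:
            # Even-order AS: sign the path up to and including the next hop.
            # append() drops the oldest signature once the queue holds two.
            queue.append(sign(asn, as_path + [nxt]))
    return log


if __name__ == "__main__":
    for entry in propagate([1, 2, 3, 4, 5, 6, 7, 8]):
        print("honest", entry)
    # AS5 shortens the path to make AS3 look like the origin.
    for entry in propagate([1, 2, 3, 4, 5, 6, 7, 8], tamper={5: [3, 4]}):
        print("forged", entry)
```

Running the block prints one log entry per receiving AS: in the honest run AS4 and AS5 verify Sig2, AS6 and AS7 verify Sig4 and AS8 verifies Sig6, each with exactly one signature check, while in the forged run AS6 rejects the advertisement even though every (customer, provider) pair it retrieves is authorized.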
In the RPKI system, the embodiment of the invention can verify the transmission relationships in the route announcement using the ASPA pairs and, on that basis, introduces a signature over the route attribute, thereby strengthening the protection of the AS_PATH route attribute. The number of signatures is also reduced, since the path information does not need to be signed at every AS. When the signatures are transmitted, a signature cache queue of 2 AS units is used: when each AS router receives a packet it only needs to take the head signature of the current cache queue and perform one signature verification. Compared with the hop-by-hop signing of the BGPSec path protection scheme under the RPKI system, this greatly reduces the payload size of the BGP advertisement packet and the number of signature verifications, and reduces the CPU burden while maintaining the security guarantee.
Although the present invention has been described in connection with preferred embodiments, those skilled in the art will understand that the methods and systems of the present invention are not limited to the embodiments described in the detailed description, and that various modifications, additions and substitutions are possible without departing from the spirit and scope of the invention as defined in the accompanying claims.

Claims (6)

1. An ASPA-based improved path verification method, the method comprising:
during the process in which a BGP router transmits the route advertisement, signing the AS path carried in AS_PATH at every other AS;
the signing is performed by the even-order ASes, and the odd-order routers only forward the AS_PATH signature information without signing the path information;
since the odd-order AS serves as the neighbor, when it receives the route advertisement it needs to verify the validity of a signature within one effective radius from the previous even-order AS; and when the next even-order AS receives the route advertisement, the validity of the plaintext AS_PATH information in the advertisement is verified by passing the authentication of the path signature information of the previous even-order AS.
2. The path verification method according to claim 1, wherein the content of the signature is AS_PATH information containing the AS number of the neighbor to which the advertisement is about to be forwarded.
3. The path verification method according to claim 2, wherein the effective radius of a signature over the AS path is two AS units.
4. The path verification method according to claim 3, wherein the BGP route advertisement is continuously logically dequeued and enqueued during the broadcast process, and a buffer queue of two AS units is always maintained.
5. The path verification method according to claim 4, wherein, when a router receives the route advertisement, the signature information from the two previous effective radii is dequeued and the signature information for the next effective radius is enqueued.
6. The path verification method according to claim 5, wherein it is set that the first two AS routes, with sequence numbers 1 and 2, need no signature verification.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110216570.4A CN113542116B (en) 2021-02-26 2021-02-26 ASPA (advanced application platform Power) improvement-based path verification method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110216570.4A CN113542116B (en) 2021-02-26 2021-02-26 ASPA (advanced application platform Power) improvement-based path verification method

Publications (2)

Publication Number Publication Date
CN113542116A CN113542116A (en) 2021-10-22
CN113542116B true CN113542116B (en) 2023-02-21

Family

ID=78094405

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110216570.4A Active CN113542116B (en) 2021-02-26 2021-02-26 ASPA (advanced application platform Power) improvement-based path verification method

Country Status (1)

Country Link
CN (1) CN113542116B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101001245A (en) * 2006-01-10 2007-07-18 Huawei Technologies Co., Ltd. Correction method for updated information in boundary gateway protocol
CN102035831A (en) * 2010-11-26 2011-04-27 Beijing University of Posts and Telecommunications Double bounce restoration-based BGP (Border Gateway Protocol) normalizing method
CN102148832A (en) * 2011-04-07 2011-08-10 Tsinghua University High-efficiency method for identifying border gateway routing protocol path
CN104468349A (en) * 2014-11-27 2015-03-25 Computer Network Information Center, Chinese Academy of Sciences BGP route authentication method based on hop-by-hop supervision
CN106060014A (en) * 2016-05-18 2016-10-26 China Internet Network Information Center (CNNIC) Method for simultaneously solving prefix hijacking, path hijacking and route leakage attacks
CN107251509A (en) * 2014-12-18 2017-10-13 Nokia Solutions and Networks Trusted routing between communication network systems

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9722919B2 (en) * 2014-01-22 2017-08-01 Cisco Technology, Inc. Tying data plane paths to a secure control plane

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Trigger Based Authentication: A Naive Approach For Attendance Monitoring"; Priya Matta et al.; IEEE; 2021-02-20; full text *
"Provably secure BGP route attribute protection mechanism in the standard model" (标准模型下可证明安全的BGP路由属性保护机制); Li Daofeng et al.; Chinese Journal of Computers (计算机学报); 2015-04-30; full text *

Also Published As

Publication number Publication date
CN113542116A (en) 2021-10-22

Similar Documents

Publication Publication Date Title
Murphy et al. Digital signature protection of the OSPF routing protocol
CN105376098B (en) A kind of route source and path double verification method
Studer et al. Flexible, extensible, and efficient VANET authentication
Papadimitratos et al. Securing the internet routing infrastructure
CN105099695B (en) Method, system, and medium for distributing packets
KR20100126783A (en) Ip address delegation
EP2294784B1 (en) Traffic control within a network architecture providing many-to-one transmission with denial-of service protection
Biswas et al. Proxy signature-based RSU message broadcasting in VANETs
WO2021174237A9 (en) Extending border gateway protocol (bgp) flowspec origination authorization using path attributes
Xiang et al. Sign what you really care about–Secure BGP AS-paths efficiently
Sriram BGPSEC design choices and summary of supporting discussions
CN113542116B (en) ASPA (Autonomous System Provider Authorization) improvement-based path verification method
Li et al. Secure routing in wired networks and wireless ad hoc networks
Jasinska et al. Internet exchange bgp route server
Biswas et al. Deploying proxy signature in VANETs
Parno et al. SNAPP: Stateless network-authenticated path pinning
Bush BGPSEC operational considerations
Shibasaki et al. An AODV-based communication-efficient secure routing protocol for large scale ad-hoc networks
Xie et al. TRIP: A tussle-resistant internet pricing mechanism
Jasinska et al. RFC 7947: Internet Exchange BGP Route Server
Palmieri et al. Enhanced Security Strategies for MPLS Signaling.
CN115883088B (en) BGP route-based autonomous domain security parameter updating method
Palmieri et al. Securing the MPLS control plane
Tsudik Access Control and Policy Enforcement in Internetworks
Bittl et al. Feasibility of Verify-on-Demand in VANETs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant