CN116915773A - Block chain sharing co-treatment method and system based on RPKI localization management mechanism

Publication number
CN116915773A
Authority
CN
China
Prior art keywords
resource
rpki
record
management
proposal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310800366.6A
Other languages
Chinese (zh)
Inventor
张宇
魏晓鹏
秦超逸
张旭阳
夏重达
张宏莉
方滨兴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Institute of Technology
Original Assignee
Harbin Institute of Technology
Application filed by Harbin Institute of Technology
Priority to CN202310800366.6A
Publication of CN116915773A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/466 Transaction processing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

A blockchain sharing co-treatment method and system based on an RPKI localization management mechanism, relating to the technical field of Internet security. The invention is proposed to solve the problem of RPKI data failure caused by the centralization risk of the existing RPKI system. The key technical points are as follows. The method comprises: the organization administrators reach consensus on the participation rights of the consensus participants; the organization administrator and the RPKI resource manager reach an agreement in which the range of resources the RPKI resource manager may publish is written; the RPKI resource manager publishes route origin authentication information. The ledger storage scheme supports the smart contract technology, which provides three contracts that respectively meet users' needs for RPKI member management, RPKI resource protocol management and RPKI resource authorization management. Calling the three smart contracts in sequence realizes the blockchain sharing co-treatment method based on the RPKI localization management mechanism, giving each participant equal status and achieving consensus among the participating members.

Description

Block chain sharing co-treatment method and system based on RPKI localization management mechanism
Technical Field
The invention relates to the technical field of Internet security, in particular to a blockchain sharing co-treatment method based on an RPKI localization management mechanism.
Background
The Border Gateway Protocol (BGP) is the widely adopted inter-domain routing protocol of the network-layer control plane. Security was not taken into account in its original design, so the routes announced by each autonomous system (AS) are accepted by its neighbors by default. Because of this deficiency, a malicious AS may announce false route origin information or AS path information to hijack the traffic of a target network.
Inter-domain routing security mechanisms are mainly built on the Resource Public Key Infrastructure (RPKI). The main idea is that, when AS numbers and IP address blocks are allocated, each AS number is bound to the corresponding IP address block; the binding information is stored at a corresponding site for routers to access and serves as proof that the AS is entitled to announce itself as a route origin.
The RPKI uses X.509 certificates and their extensions to authorize the use of Internet number resources. When an Internet number allocation body (such as one of the five RIRs) allocates a resource to an Internet number resource holder, it issues a digital certificate (a certification authority, or CA, certificate) using its own private key. The certificate contains the public key of the resource holder and the corresponding Internet number resources, so that the resource holder is legitimately authorized to use that part of the number resources. After the certificate is generated, the upper-level allocation body stores the issued certificate in its own repository publication point (the RPKI database) for relying parties (RPs) to synchronize. When a resource holder wants to authorize an AS to announce its IP address prefix, it issues an end-entity (EE) certificate with its own private key and then signs a ROA with the private key of the EE certificate, completing the binding of the IP address prefix to the AS.
For network management and security reasons, a network operator may wish to create a local view of the RPKI route authentication data by means of "local filtering and addition", overriding data from the global RPKI by adding or removing route authentication data entries. In the industry this operation is referred to as the RPKI localization management mechanism (Simplified Local Internet Number Resource Management with the RPKI, SLURM). The SLURM configuration file format has been standardized at the IETF.
The RP generates route origin validation entries by fetching and validating all resource certificates and signed objects (collectively, database objects) in the RPKI database, so any erroneous or malicious operation on RPKI database objects affects the validation result and therefore the accuracy of BGP announcement filtering rules. Malicious operations on objects fall mainly into: deletion, suppression, corruption, tampering, revocation and injection. An upper-level CA can affect the validity of the objects in a lower-level CA's repository by deleting, tampering with or revoking the CA certificate it issued to the lower-level CA.
With the arrival of the era of universal interconnection, network complexity keeps growing, and network security should move from the independent participation of separate organizations at the present stage to the cooperative participation of multiple organizations, so as to prevent the single-point trust problem. The emergence of blockchain technology offers a new approach to this.
Disclosure of Invention
In view of the above problems, the present invention provides a blockchain sharing co-treatment method based on an RPKI localization management mechanism, which is used for solving the problem of RPKI data failure caused by the centralization risk of the existing RPKI system.
The idea for solving the technical problem is as follows:
The dependence of the RPKI validating side on the RPKI trust anchor is weakened, the two-level participants of the original RPKI are brought together, and the blockchain is used as a new data release platform on which consensus on RPKI data is reached, so that each party secures its own RPKI data.
The technical solution adopted by the invention is as follows:
A blockchain sharing co-treatment method based on an RPKI localization management mechanism takes the blockchain as a new data release platform, reaches consensus on RPKI data on the platform and lets each party secure its own RPKI data. It comprises at least the following steps:
Step one, RPKI member management: the organization administrators reach consensus on the participation rights of the consensus participants;
Step two, RPKI resource protocol management: the organization administrator and the RPKI resource manager reach an agreement in which the range of resources the RPKI resource manager may publish is written;
Step three, RPKI resource authorization management: the RPKI resource manager publishes route origin authentication information.
The ledger storage scheme supports the smart contract technology, which provides three contracts that respectively meet users' needs for RPKI member management, RPKI resource protocol management and RPKI resource authorization management.
Calling the three smart contracts in sequence completes steps one, two and three, thereby realizing the blockchain sharing co-treatment method based on the RPKI localization management mechanism.
Further, step one is implemented as follows:
Step 1.1: an initial member is created and its member record is written into the member ledger;
Step 1.2: the initial member submits a member update proposal transaction, triggering the member update proposal algorithm (algorithm 1), to introduce a new member;
Step 1.3: an auditor votes on the proposal from the preceding step, triggering the member update audit algorithm (algorithm 2);
Step 1.4: the proposer closes the proposal, triggering the member update closing algorithm (algorithm 3), which determines whether the approval votes exceed a threshold; if so, the member information is updated successfully, otherwise the update fails.
Further, step two is implemented as follows:
Step 2.1: a member with the RPKI resource manager role acts as proposer and initiates a resource protocol update proposal transaction, writing the IP prefix set and AS number set into the request and triggering the resource protocol update proposal algorithm (algorithm 4);
Step 2.2: the organization administrator of the organization to which the RPKI resource manager belongs votes on the proposal from the preceding step, triggering the resource protocol update audit algorithm (algorithm 2);
Step 2.3: the proposer closes the proposal, triggering the resource protocol update closing algorithm (algorithm 3), which determines whether the approval votes exceed a threshold; if so, the resource protocol update succeeds, otherwise it fails.
Further, step three is implemented as follows:
Step 3.1: a member with the RPKI resource manager role acts as proposer and initiates a resource authorization update proposal whose request contains the route origin authentication information it declares, triggering the resource authorization update proposal algorithm (algorithm 5);
Step 3.2: the organization administrator of the organization to which the RPKI resource manager belongs votes on the proposal from the preceding step, triggering the resource authorization update audit algorithm (algorithm 2);
Step 3.3: the proposer closes the proposal, triggering the resource authorization update closing algorithm (algorithm 3), which determines whether the approval votes exceed a threshold; if so, the resource authorization update succeeds, otherwise it fails.
Further, the member update proposal algorithm is: taking the user request as input, perform validity checks; once the request passes, write the proposer's update request into an update record and create a process record, which records the voting opinions on the proposal;
the update audit algorithm is: verify that the auditor has the right to vote on the corresponding proposal, then write the voting opinion into the corresponding process record;
the update closing algorithm is: check the closer's authority to close the proposal, call the closing method of process management, and handle the returned closing result as follows:
when the closing result shows that the approval votes exceed the threshold, create a state record using the update record as the template, and delete the update record;
when the closing result shows that the approval votes do not exceed the threshold, the relevant parties have not agreed on the proposal, and the update record is deleted;
the resource protocol update proposal algorithm is: taking as input the user request, the legal audit policies of the resource protocol and the legal roles of a resource protocol update proposer, first verify that the request format is correct, which includes calling the interface's Validate method; then verify the proposer ID, i.e. that a member record of the proposer exists; verify that the proposer's update authority is valid, i.e. that the proposer's role is legal and the protocol's audit policy is legal; then check whether an update record from the same proposer already exists, since several update proposals for the same record are not allowed to exist at the same time; then check whether the proposer has already signed an agreement and, if so, verify that the immutable resource information in the agreement is the same; after verification passes, write the proposer's update request into an update record; finally create a process record, which records the voting opinions on the proposal;
the resource authorization update proposal algorithm is: taking the user request as input, first verify that the request format is correct by calling the interface's Validate method; then verify the proposer ID, i.e. that a member record of the proposer exists; verify the proposer's update authority, i.e. that the proposer's role is legal; verify the resource declaration authority, i.e. that the range of resources being published does not exceed the range stated in the resource protocol signed by the proposer; then check whether an update record from the same proposer already exists, since the same proposer is not allowed to have several resource authorization update proposals at the same time; after verification passes, write the proposer's update request into an update record; finally create a process record, which records the voting opinions on the proposal.
Further, the RPKI localization management ledger is stored as follows:
the data objects are divided among several ledgers for storage;
each ledger contains strongly related data, and the latest data is called the world state; a ledger comprises a number of records, each record has a unique primary-key identifier, and the primary keys of records in the same ledger share the same prefix and differ in suffix;
from the perspective of state storage function, records fall into three categories: state records, update records and process records; a state record represents the latest world state and is a record on which consensus has been reached; the corresponding update record represents a state awaiting update, meaning that consensus on it has not yet been reached; when a state record is to be updated, the update request is first written into the update record, and whether the state record is written is decided by the contract's processing result: the state record is updated once consensus is reached and is not updated otherwise; the process record stores the relevant state while the update request is being processed;
from the perspective of stored content type, records are classified into three types: member records, protocol records and resource records; a member record stores member attributes, the country to which the member belongs and role type information; a protocol record stores an inter-member authorization and cooperation agreement, which is a supplementary description of member rights; a resource record stores the simplified local internet resource management (SLURM) data published by the resource manager.
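The proposal, audit and closing algorithms above move a change through update, process and state records. The following Python model, an added example and not code from the patent, runs that lifecycle for the member ledger in memory; the key layout, the role names and the integer threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ROLES = {"admin", "resource_manager"}  # hypothetical role names


class ContractError(Exception):
    """Raised when a transaction fails one of the contract's checks."""


@dataclass
class MemberLedger:
    threshold: int                               # approvals must exceed this count
    records: dict = field(default_factory=dict)  # primary key -> record body

    @staticmethod
    def key(kind, suffix):
        # Assumed layout: one ledger prefix, then the record class, then the suffix.
        return f"member/{kind}/{suffix}"

    def bootstrap(self, admin_ids):
        # Step 1.1: initial members are written straight into state records.
        for admin in admin_ids:
            self.records[self.key("state", admin)] = {"id": admin, "role": "admin"}

    def _role(self, member_id):
        rec = self.records.get(self.key("state", member_id))
        return rec["role"] if rec else None

    def propose(self, proposer, member_id, role):
        # Proposal algorithm: validate, refuse a second pending proposal from
        # the same proposer, then write the update record and a process record.
        if self._role(proposer) != "admin":
            raise ContractError("proposer is not an administrator")
        if not member_id or role not in ROLES:
            raise ContractError("malformed request")
        if self.key("update", proposer) in self.records:
            raise ContractError("proposer already has a pending proposal")
        self.records[self.key("update", proposer)] = {"id": member_id, "role": role}
        self.records[self.key("process", proposer)] = {"votes": {}}

    def audit(self, auditor, proposer, approve):
        # Audit algorithm: only members with voting rights may write a vote,
        # and each auditor holds exactly one vote per proposal.
        if self._role(auditor) != "admin":
            raise ContractError("auditor has no voting right")
        if self.key("update", proposer) not in self.records:
            raise ContractError("no pending proposal")
        self.records[self.key("process", proposer)]["votes"][auditor] = bool(approve)

    def close(self, closer, proposer):
        # Closing algorithm: the update record is always deleted; it becomes a
        # state record only when the approvals exceed the threshold.
        if closer != proposer:
            raise ContractError("only the proposer may close the proposal")
        update = self.records.pop(self.key("update", proposer), None)
        if update is None:
            raise ContractError("no pending proposal")
        votes = self.records[self.key("process", proposer)]["votes"]
        approved = sum(votes.values()) > self.threshold
        if approved:
            self.records[self.key("state", update["id"])] = update
        return approved


def demo():
    """Constructed scenario: three administrators, two proposals."""
    ledger = MemberLedger(threshold=1)
    ledger.bootstrap(["org-a", "org-b", "org-c"])
    ledger.propose("org-a", "rm-1", "resource_manager")
    ledger.audit("org-b", "org-a", True)
    ledger.audit("org-c", "org-a", True)
    first = ledger.close("org-a", "org-a")       # two approvals > 1: accepted
    ledger.propose("org-a", "rm-2", "resource_manager")
    ledger.audit("org-b", "org-a", True)
    ledger.audit("org-c", "org-a", False)
    second = ledger.close("org-a", "org-a")      # one approval, not > 1: rejected
    return ledger, first, second


if __name__ == "__main__":
    ledger, first, second = demo()
    print(first, second, sorted(ledger.records))
```

Because the state record is only written inside `close`, a rejected or abandoned proposal never becomes visible to readers of the world state.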
A blockchain sharing co-treatment system based on an RPKI localization management mechanism comprises:
an RPKI member management contract: defines the role types other than the administrator role in the RPKI consensus root system and, using the methods provided by member management, defines the externally exposed smart contract interface, so that the participants of the RPKI consensus root can reach consensus on consensus questions;
an RPKI resource agreement contract: defines the data structure of the RPKI resource protocol and implements the interfaces designed in resource protocol management, then uses the methods provided by resource protocol management so that the RPKI manager and the RPKI resource manager agree on the range of resources covered by the route origin authentication information the RPKI resource manager publishes;
an RPKI resource authorization contract: defines the data structure of RPKI resource authorization and implements the interfaces defined in resource authorization management, then uses the methods provided by resource authorization management so that an RPKI resource manager can publish route origin authentication information within a resource range no larger than that defined in the RPKI resource protocol it has signed.
Further, the smart contracts are specifically implemented as follows:
In the RPKI member management contract, the RPKI resource manager role is defined, whose function is to publish SLURM data within the scope of the agreement; the organization administrator role is already defined in member management (middle layer) and is used directly in the contract.
In the RPKI resource protocol contract, the data structure of the RPKI resource protocol is defined, and the types of some fields must implement the interfaces designed in resource protocol management; the set of legal roles that may sign the protocol is defined as the RPKI resource manager only, and the set of legal audit policies of the protocol is defined as International only. The proposal, auditing and closing methods provided by protocol management can thus be used and packaged into different transactions in the smart contract, so that the organization administrator and the RPKI resource manager agree on the range of resources covered by the route origin authentication information the RPKI resource manager subsequently publishes.
In the RPKI resource authorization contract, the data structure of RPKI resource authorization is defined, and some fields implement the interfaces defined in resource authorization management, namely the Validate, checkRole and checkPermission methods. These are used, respectively, to verify the format of a resource record, to restrict the legal role for publishing a resource record to the resource manager, and to verify that the range of published resources does not exceed the range stated in the resource protocol signed by the proposer. The proposal, auditing and closing methods provided by resource management can thus be used and packaged into three different transactions in the smart contract.
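One way to implement the format and scope checks that the resource authorization contract assigns to Validate and checkPermission, as an added example rather than the patent's own code: SLURM prefix filters and prefix assertions in the RFC 8416 JSON layout are compared against the IP prefix set and AS number set of the signed resource protocol. The agreement layout, the function names, the reason strings and the sample data (documentation address and AS ranges) are constructed for illustration.

```python
import ipaddress
import json

# Constructed agreement (hypothetical layout): the IP prefix set and AS number
# set an organization administrator approved for one resource manager.
AGREEMENT = {
    "prefixes": ["198.51.100.0/24", "2001:db8::/32"],
    "asns": [64496, 64497],
}

# Constructed SLURM document in the RFC 8416 layout (documentation ranges only).
SLURM = json.loads("""
{
  "slurmVersion": 1,
  "validationOutputFilters": {
    "prefixFilters": [
      {"prefix": "2001:db8:1::/48", "comment": "inside the agreed IPv6 block"},
      {"asn": 64500, "comment": "AS number not in the agreement"}
    ],
    "bgpsecFilters": []
  },
  "locallyAddedAssertions": {
    "prefixAssertions": [
      {"asn": 64496, "prefix": "198.51.100.0/25", "maxPrefixLength": 25},
      {"asn": 64496, "prefix": "203.0.113.0/24"},
      {"asn": 64511, "prefix": "198.51.100.128/25"},
      {"asn": 64497, "prefix": "198.51.100.0/24", "maxPrefixLength": 33}
    ],
    "bgpsecAssertions": []
  }
}
""")


def iter_entries(slurm):
    """Yield (section, index, entry) for every prefix filter and prefix assertion."""
    filters = slurm.get("validationOutputFilters", {}).get("prefixFilters", [])
    asserts = slurm.get("locallyAddedAssertions", {}).get("prefixAssertions", [])
    for i, entry in enumerate(filters):
        yield "filter", i, entry
    for i, entry in enumerate(asserts):
        yield "assertion", i, entry


def check_permission(slurm, agreement):
    """Return (section, index, reason) for each malformed or out-of-scope entry."""
    allowed_nets = [ipaddress.ip_network(p) for p in agreement["prefixes"]]
    allowed_asns = set(agreement["asns"])
    problems = []
    for section, i, entry in iter_entries(slurm):
        prefix, asn = entry.get("prefix"), entry.get("asn")
        # RFC 8416: an assertion needs both fields, a filter at least one.
        missing = prefix is None and asn is None
        if section == "assertion":
            missing = prefix is None or asn is None
        if missing:
            problems.append((section, i, "missing-field"))
            continue
        if prefix is not None:
            try:
                if not isinstance(prefix, str):
                    raise ValueError("prefix must be a string")
                net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits
            except ValueError:
                problems.append((section, i, "bad-prefix"))
                continue
            max_len = entry.get("maxPrefixLength", net.prefixlen)
            if not isinstance(max_len, int) or not net.prefixlen <= max_len <= net.max_prefixlen:
                problems.append((section, i, "bad-max-length"))
                continue
            # The entry must sit inside an agreed block; a wider prefix would
            # touch address space the agreement never covered.
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed_nets):
                problems.append((section, i, "prefix-out-of-scope"))
                continue
        if asn is not None and (not isinstance(asn, int) or asn not in allowed_asns):
            problems.append((section, i, "asn-out-of-scope"))
    return problems


if __name__ == "__main__":
    for problem in check_permission(SLURM, AGREEMENT):
        print(problem)
```

A proposal would be accepted for voting only when the returned list is empty; filters are held to the same scope as assertions because a filter wider than the agreed block would suppress route origin data for address space outside the agreement.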
Further, member management (middle layer) refers to: managing the joining, modification and exit of the members participating in consensus, corresponding respectively to saving, updating and deleting member information, and binding members to roles; the administrator role represents the highest authority of a participant and is responsible for the members of other role types, the so-called "manager responsibility system". Protocol management (middle layer) refers to: managing the agreements reached among members of different role types on the management rights over digital resources within a specific range; it is not concerned with the specific semantics of the digital resources or of the range, so it can meet resource management needs in different scenarios. Resource management (middle layer) refers to: managing the resource declarations published by legal resource managers, storing them on the distributed data release platform and recording the resource authorizer; it is not concerned with the specific semantics of a digital resource declaration and allows various types of resource declaration to be published. The data release platform provides a resource query service so that every participant can query and monitor the resources in the consensus platform.
A computer-readable storage medium storing a computer program configured to implement, when invoked by a processor, the steps of the blockchain sharing co-treatment method based on the RPKI localization management mechanism.
The beneficial technical effects of the invention are as follows:
The blockchain sharing co-treatment method based on an RPKI localization management mechanism provides the RPKI validating side with a reliable, manageable and available RPKI data source, so as to correct the data of the existing RPKI system and guard against the risk of unilateral action by the top-level RPKI authority and the risk of a single point of failure in the database. The main advantages and functions of the invention are as follows:
(1) To address the unequal say of the participants in the existing RPKI system, a manager responsibility system is proposed and applied to the consensus root to establish a member management system, giving all participants equal status and achieving consensus among the participating members.
(2) To address the risk of a participant publishing unreviewed information, a resource protocol management system is provided, so that each participant's managers constrain their subordinate personnel, and subordinate personnel and managers reach consensus on the scope of resources to be published.
(3) To address the restricted resource authentication of the existing RPKI system, a resource authorization management system is provided so that each participant autonomously publishes prefix origin authentication information for the resources it owns; the publishing behavior of a resource manager is implicitly constrained by the manager of its own participant, and other members have no ability to restrict or tamper with it.
Drawings
The invention may be better understood by reference to the following description taken in conjunction with the accompanying drawings, which are included to provide a further illustration of the preferred embodiments of the invention and to explain the principles and advantages of the invention, together with the detailed description below.
FIG. 1 is a flow chart of the blockchain sharing co-treatment method based on an RPKI localization management mechanism;
FIG. 2 is a diagram showing changes in proposal status and the life cycle of various types of records versus various types of things;
FIG. 3 shows the relationship between node scale and TPS in the performance test;
FIG. 4 shows the relationship between node scale and average delay in the performance test;
FIG. 5 shows the relationship between node scale and average CPU occupancy in the performance test;
FIG. 6 shows the relationship between node scale and average memory occupancy in the performance test;
FIG. 7 shows the inbound traffic in the performance test;
FIG. 8 shows the outbound traffic in the performance test;
FIG. 9 shows the relationship between the number of pre-written transactions and throughput in the performance test;
FIG. 10 shows the relationship between the number of pre-written transactions and average latency in the performance test;
FIG. 11 shows the relationship between the number of pre-written transactions and the inbound traffic of a container in the performance test;
FIG. 12 shows the relationship between the number of pre-written transactions and the outbound traffic of a container in the performance test;
FIG. 13 is a diagram of the smart contract architecture.
Detailed Description
In order that those skilled in the art will better understand the present invention, exemplary embodiments or examples of the present invention will be described below with reference to the accompanying drawings. It is apparent that the described embodiments or examples are only implementations or examples of a part of the invention, not all. All other embodiments or examples, which may be made by one of ordinary skill in the art without undue burden, are intended to be within the scope of the present invention based on the embodiments or examples herein.
The invention provides a blockchain sharing co-treatment method based on an RPKI localization management mechanism. The existing RPKI system has its own data management mode; the invention moves part of the data to a new platform (the blockchain) so that the data is safeguarded.
The ledger storage technology provides technical support for the smart contract technology, and the two together realize the blockchain sharing co-treatment method based on the RPKI localization management mechanism; the user interacts directly with the smart contract technology. The smart contract technology provides three contracts that respectively meet users' needs for member management, protocol management and resource management. When a user applies the method, the flow is divided into steps one, two and three, each supported by one of the three contracts. Calling the three smart contracts in sequence completes steps one, two and three and realizes sharing co-treatment of RPKI data on the blockchain.
As shown in FIGS. 1 to 13, the method includes the following steps:
Step one: the organization administrators reach consensus on the participation rights of the consensus participants;
Step two: the organization administrator and the RPKI resource manager reach an agreement in which the range of resources the RPKI resource manager may publish is written;
Step three: the RPKI resource manager publishes route origin authentication information.
RPKI localized management ledger storage technology
The data objects are divided among several ledgers for storage.
Each ledger contains a class of highly relevant data, the latest data being called the world state. A ledger contains several records. Each record has a unique primary-key identifier, and the primary keys of records in the same ledger have the same prefix and different suffixes.
From the perspective of state storage function, records fall into three categories: state records, update records and process records (procedure records). A state record represents the latest world state and is a record on which consensus has been reached; the corresponding update record represents a state awaiting update, meaning that consensus on it has not yet been reached. When a state record is to be updated, the update request is first written into the update record, and whether the state record is written is decided by the contract's processing result; that is, the state record is updated only after consensus is reached and is not updated otherwise. The process record stores the relevant state, such as voting information, while the update request is being processed.
From the perspective of stored content type, records are classified into three types: member records (membership record), protocol records (agreement record) and resource records (resource record). A member record stores information such as member attributes, the member's country and role type; a protocol record stores an inter-member authorization and cooperation agreement, which is a supplementary description of member rights; a resource record stores the simplified local internet resource management (SLURM) data published by the resource manager. The ledgers and records are designed as follows (update table omitted):
● Member ledger (membership ledger): maintained jointly by all RPKI managers. It stores the basic information of the participants in the RPKI consensus system, and each record takes the member ID as its primary key suffix.
■ Member record (membership record): the recorded content mainly includes a member ID, a certificate issuer ID, a local organization code, a role, and the like.
● Resource protocol ledger (agreement ledger): maintained jointly by the RPKI manager and the resource manager. It stores resource protocol data, comprising the protocols between the RPKI manager and the resource manager and the corresponding resource ranges. The primary key of each record is formed with the ID of the signing resource manager.
■ Resource protocol record (RPKI agreement record): records the protocol between an RPKI manager and a resource manager under the same party, formally giving the latter the ability to act as a legitimate digital resource issuer for that party. The record content includes the RPKI manager ID, the resource manager ID, the specified resource scope, and the like.
● Resource authorization ledger (RPKI assignment ledger): the resource manager maintains the resource authorization records it issues; each record takes the ID of its issuer, namely the resource manager, as the primary key suffix.
■ Resource grant record (RPKI assignment record): stores the prefix origin authentication data and filtering data between IP address prefixes and AS numbers that a resource manager issues and manages; the prefix origin authentication data is issued in the form of a SLURM.
Table 1 gives the member record reference format. Table 2 gives the resource protocol record reference format and table 3 gives the resource grant record reference format.
Table 1 Member records
Table 2 Resource protocol records
Table 3 Resource authorization records
RPKI localized management smart contract technology
The smart contract architecture is shown in fig. 13.
Process management: the non-read-only transactions of every smart contract share a common goal, namely reaching consensus: RPKI members reach consensus on the proposals made by other members, which finally makes the proposals formally effective. Controlling these processes and recording the related data is the responsibility of process management.
Member management: manages the joining, modification and exit of the members participating in consensus, which correspond to storing, updating and deleting member information. Members are bound to roles. The manager role represents the highest authority of a participant, and members in other roles are responsible to the manager; this is called the "manager responsibility system".
Resource protocol management: manages the agreements reached between members in different types of roles on the management rights over digital resources in a specific range. It is not concerned with the specific semantics of the digital resources or of the range, so it can meet resource management requirements in different scenarios.
Resource authorization management: manages the resource claims issued by legitimate resource managers, stores them on the distributed data release platform and records the resource authorizer. It is not concerned with the specific semantics of the digital resource claims, so various types of resource claims can be issued. The data release platform provides a resource query service with which each participant can query and monitor the resources in the consensus platform.
RPKI member management contract: defines the role types other than the administrator role in the RPKI consensus root system and, using the methods provided by member management, defines the externally exposed smart contract interface, so that the participants of the RPKI consensus root can reach consensus on the question of the consensus set.
RPKI resource agreement contract: defines the data structure of the RPKI resource protocol and implements the interfaces designed in resource protocol management. Using the methods provided by resource protocol management, it lets the RPKI manager and the RPKI resource manager agree on the range of resources covered by the route origin authentication information that the RPKI resource manager issues.
RPKI resource authorization contract: defines the data structure of RPKI resource authorization and implements the interfaces defined in resource authorization management. Using the methods provided by resource authorization management, it lets an RPKI resource manager issue route origin authentication information only within a resource range no larger than that defined in the RPKI resource protocol it has signed.
2.1 Process management
The data update processes in member management, protocol management and resource management are abstracted into a common three-stage process of proposal, audit and case setting. Each smart contract exposes three interfaces, proposal, audit and case setting, so that the participants of the consensus root can use them to reach agreement on different data in different scenarios by audit voting.
Proposal stage: when a consensus participant wants to update a record, it calls the proposal interface of the corresponding smart contract and initiates a proposal-type transaction in the identity of the proposer. After verifying that the proposer's proposal operation is legitimate, the smart contract writes the proposer's update request into the corresponding member/protocol/resource ledger. The contract also calls a process management method to create a process record in the same ledger, which records the data of the consensus process, in particular the auditors' votes. Once a proposal has been submitted successfully, its auditors are fixed, and the threshold is set to more than half of the number of auditors.
Audit stage: each member responsible for auditing calls the audit interface of the corresponding smart contract and initiates an audit-type transaction in the identity of the auditor. After verifying that the audit operation is legitimate, the smart contract updates the process record; specifically, the auditor's opinion is faithfully recorded in the process record.
Case setting stage: the case setter calls the case setting interface of the corresponding smart contract, initiates a case-setting-type transaction in the identity of the case setter, and the consensus process is tallied and summarized. If the number of approvals in the process record exceeds the threshold, the proposal passes: a state record is created with the content of the update record as its blueprint, and the process record and the update record are then deleted. Otherwise the proposal does not pass, and the process record and the update record are deleted.
When a proposal reaches consensus, i.e. passes smoothly, the changes of the proposal state and the relationship between the life cycle of each record and each type of transaction are shown in fig. 2.
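The three-stage lifecycle described in this section, sketched in Go as an added example; it is not the patent's algorithm pseudocode or chaincode. The in-memory Ledger, the key prefixes, the one-vote-per-auditor rule, the proposer-only Conclude and the votingClosed flag are assumptions made for illustration; the threshold follows the text, so approvals must exceed half of the auditors.

```go
package main

import "fmt"

// Key prefixes are assumptions: the page only says records in one ledger share a prefix.
const (
	statePrefix   = "member/state/"
	updatePrefix  = "member/update/"
	processPrefix = "member/process/"
)

// ProcessRecord stores consensus-in-progress data for one proposal.
type ProcessRecord struct {
	Proposer  string
	Auditors  map[string]bool // fixed when the proposal is submitted
	Votes     map[string]bool // auditor ID -> approve
	Threshold int             // the proposal passes when approvals exceed this
}

// Ledger is an in-memory stand-in for the chain's world state.
type Ledger struct {
	kv      map[string]string
	process map[string]*ProcessRecord
}

func NewLedger() *Ledger {
	return &Ledger{kv: map[string]string{}, process: map[string]*ProcessRecord{}}
}

// Propose writes the update record and creates the process record.
func (l *Ledger) Propose(proposer, suffix, value string, auditors []string) error {
	if _, pending := l.kv[updatePrefix+suffix]; pending {
		return fmt.Errorf("an update proposal for %q is already pending", suffix)
	}
	set := map[string]bool{}
	for _, a := range auditors {
		set[a] = true
	}
	l.kv[updatePrefix+suffix] = value
	l.process[processPrefix+suffix] = &ProcessRecord{
		Proposer: proposer, Auditors: set, Votes: map[string]bool{},
		Threshold: len(set) / 2, // approvals > n/2 means "more than half"
	}
	return nil
}

// Review records one auditor's opinion in the process record.
func (l *Ledger) Review(auditor, suffix string, approve bool) error {
	p, ok := l.process[processPrefix+suffix]
	if !ok {
		return fmt.Errorf("no open proposal for %q", suffix)
	}
	if !p.Auditors[auditor] {
		return fmt.Errorf("%s is not an auditor of this proposal", auditor)
	}
	if _, voted := p.Votes[auditor]; voted { // assumption: one vote per auditor
		return fmt.Errorf("%s has already voted", auditor)
	}
	p.Votes[auditor] = approve
	return nil
}

// Conclude is the case-setting step. votingClosed says whether the voting period is over.
func (l *Ledger) Conclude(caller, suffix string, votingClosed bool) (bool, error) {
	p, ok := l.process[processPrefix+suffix]
	if !ok {
		return false, fmt.Errorf("no open proposal for %q", suffix)
	}
	if caller != p.Proposer { // assumption: only the proposer may conclude
		return false, fmt.Errorf("%s may not conclude this proposal", caller)
	}
	approvals := 0
	for _, yes := range p.Votes {
		if yes {
			approvals++
		}
	}
	passed := approvals > p.Threshold
	if !passed && !votingClosed {
		return false, fmt.Errorf("voting is still open and the threshold is not reached")
	}
	if passed { // the update record becomes the new state record
		l.kv[statePrefix+suffix] = l.kv[updatePrefix+suffix]
	}
	delete(l.kv, updatePrefix+suffix) // temporary records are removed either way
	delete(l.process, processPrefix+suffix)
	return passed, nil
}

func main() {
	l := NewLedger()
	fmt.Println(l.Propose("org-a", "m42", "role=resource-manager", []string{"org-a", "org-b", "org-c"}))
	fmt.Println(l.Review("org-a", "m42", true), l.Review("org-b", "m42", true))
	fmt.Println(l.Conclude("org-a", "m42", false))
}
```

Because the state record is written only inside Conclude, a rejected or abandoned proposal never changes the world state.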
2.2 Member management
(1) Proposal transaction algorithm
Member update proposal transaction algorithm: receives a user request as input and verifies that the request format is legal, which includes calling a value method of a Member info interface. It verifies that a member record exists for the proposer ID and verifies the proposer's update authority. It then checks whether an update record for the member ID already exists, since several update proposals for the same record are not allowed at the same time. After verification passes, it writes the proposer's update request into the update record and finally creates a process record, which is used to record the voting opinions on the proposal.
(2) Audit transaction algorithm
When a member votes on a member update proposal, the audit interface is called and the member update audit algorithm is triggered. The request carries the voting opinion, the auditor and the object of the vote. The algorithm verifies whether the auditor has voting rights over the corresponding proposal and, after verification passes, writes the voting opinion into the corresponding process record.
(3) Case setting transaction algorithm
When the voting period of a proposal has elapsed, or the number of approval votes exceeds the proposal's passing threshold, a member can submit a case setting, which triggers the member update case setting algorithm. The algorithm first checks the case setter's case setting authority, then calls the case setting method of process management, which returns the case setting result. When the result shows that the approval votes exceed the threshold, a state record is created with the update record as its blueprint and the update record is deleted; when the result shows that the approval votes do not exceed the threshold, the relevant parties did not reach agreement on the proposal, and the update record is deleted. Finally the algorithm ends and returns the case setting result.
2.3 protocol management
Protocol management provides, for different decentralised resource management scenarios, the function of managing the protocols signed between resource managers and organization managers.
In resource protocol management, a mutable resource information interface is defined, which defines a Validate method; a ResourcesImmutableInfo interface is also defined, which defines a Validate method and an Equal method. The IpResources and asResources fields in table 2 implement the resourcesmutatableinfo interface. The following algorithm shows how the smart contract processes user input when a resource protocol record is updated.
The resource protocol update proposal algorithm takes as input a user request, the legal audit policies of the resource protocol and the legal roles of a resource protocol update proposer. It first verifies that the request format is correct, which includes calling the Validate method of the interface. It then verifies that a member record exists for the proposer ID, and verifies the proposer's update authority, i.e. that the proposer's role is legal and that the audit policy of the protocol is legal. Next it checks whether an update record from the same proposer already exists, since several update proposals for the same record are not allowed at the same time. It then checks whether the proposer has already signed a protocol and, if so, verifies that the immutable resource information in the protocol is unchanged. After verification passes, it writes the proposer's update request into the update record and finally creates a process record, which is used to record the voting opinions on the proposal.
The management rights over one kind of resource should be given to specific roles; the set of these roles is the LegalRole in the input.
The audit policy is an enumerated type, see table 4. When the protocol for one type of resource takes effect, the audit policy, i.e. which members act as auditors, is preset. The set of legal audit policies is a subset of the audit policies in the table 5 and is used as the LegalReviewPolicy in the input of algorithm 4.
Table 4 protocol proposal auditing policies
2.4 resource management
Resource management provides, for different decentralised resource management scenarios, the function of managing the resource authorizations/statements issued by resource managers.
In resource management, a resource interface is defined with three methods, Validate, checkRole and checkPermission; the Slurm field in table 3 implements this interface. The following algorithm shows how the smart contract processes user input when a resource authorization record is updated.
The resource authorization update proposal algorithm takes a user request as input. It first verifies that the request format is correct, which includes calling the Validate method of the interface. It then verifies that a member record exists for the proposer ID, and verifies the proposer's update authority, i.e. that the proposer's role is legal. It verifies the resource declaration authority, i.e. that the scope of the resources being released does not exceed the scope marked in the resource protocol signed by the proposer. Next it checks whether an update record from the same proposer already exists, since one proposer is not allowed to have several resource authorization update proposals open at the same time. After verification passes, it writes the proposer's update request into the update record and finally creates a process record, which is used to record the voting opinions on the proposal. The auditors of the proposal are determined by the audit policy of the protocol signed by the proposer; the correspondence between auditors and audit policies is shown in table 4.
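One way a checkPermission-style scope check could work, as an added Go example that is not the patent's implementation: every prefix assertion and prefix filter in a submitted SLURM file (RFC 8416 JSON members) must stay inside the IP prefix set and AS number set of the signed protocol. The Agreement type, the function names and the sample data are assumptions, and checking filters as well as assertions is this example's choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Agreement is the scope granted in a resource protocol record (hypothetical layout).
type Agreement struct {
	IPResources []netip.Prefix
	ASResources map[uint32]bool
}

// entry covers the RFC 8416 members shared by prefixAssertions and prefixFilters.
type entry struct {
	ASN    *uint32 `json:"asn"`
	Prefix *string `json:"prefix"`
	MaxLen *int    `json:"maxPrefixLength"`
}

type slurmFile struct {
	Filters struct {
		Prefix []entry `json:"prefixFilters"`
	} `json:"validationOutputFilters"`
	Assertions struct {
		Prefix []entry `json:"prefixAssertions"`
	} `json:"locallyAddedAssertions"`
}

// coversPrefix is conservative: one granted prefix must contain p entirely.
func (a Agreement) coversPrefix(p netip.Prefix) bool {
	for _, g := range a.IPResources {
		if g.Bits() <= p.Bits() && g.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// CheckPermission returns one message per SLURM entry that leaves the agreed scope.
func CheckPermission(a Agreement, slurmJSON []byte) ([]string, error) {
	var f slurmFile
	if err := json.Unmarshal(slurmJSON, &f); err != nil {
		return nil, fmt.Errorf("malformed SLURM: %w", err)
	}
	var bad []string
	check := func(kind string, i int, e entry, isAssertion bool) {
		where := fmt.Sprintf("%s[%d]", kind, i)
		if (isAssertion && (e.ASN == nil || e.Prefix == nil)) || (e.ASN == nil && e.Prefix == nil) {
			bad = append(bad, where+": required asn/prefix member missing")
			return
		}
		if e.ASN != nil && !a.ASResources[*e.ASN] {
			bad = append(bad, fmt.Sprintf("%s: AS%d outside agreed AS set", where, *e.ASN))
		}
		if e.Prefix == nil {
			return
		}
		p, err := netip.ParsePrefix(*e.Prefix)
		switch {
		case err != nil || p != p.Masked(): // reject unparsable prefixes and host bits
			bad = append(bad, where+": invalid prefix "+*e.Prefix)
		case !a.coversPrefix(p): // also catches a prefix broader than the grant
			bad = append(bad, where+": "+*e.Prefix+" outside agreed prefixes")
		case e.MaxLen != nil && (*e.MaxLen < p.Bits() || *e.MaxLen > p.Addr().BitLen()):
			bad = append(bad, where+": maxPrefixLength out of range")
		}
	}
	for i, e := range f.Assertions.Prefix {
		check("prefixAssertions", i, e, true)
	}
	for i, e := range f.Filters.Prefix {
		check("prefixFilters", i, e, false)
	}
	return bad, nil
}

// Constructed sample data (documentation prefixes and ASNs), not taken from the patent.
const sampleSLURM = `{"slurmVersion": 1,
 "validationOutputFilters": {"prefixFilters": [{"prefix": "192.0.2.0/24"}], "bgpsecFilters": []},
 "locallyAddedAssertions": {"bgpsecAssertions": [], "prefixAssertions": [
  {"asn": 64496, "prefix": "203.0.113.128/25", "maxPrefixLength": 26},
  {"asn": 64496, "prefix": "198.51.100.0/24"}, {"asn": 64511, "prefix": "2001:db8:1::/48"},
  {"asn": 64496, "prefix": "203.0.0.0/16"}]}}`

func sampleAgreement() Agreement {
	return Agreement{
		IPResources: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24"), netip.MustParsePrefix("2001:db8::/32")},
		ASResources: map[uint32]bool{64496: true},
	}
}

func main() {
	bad, err := CheckPermission(sampleAgreement(), []byte(sampleSLURM))
	fmt.Println(bad, err)
}
```

A proposal contract would reject the update request whenever the returned list is non-empty, before any update record is written.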
2.5 RPKI Security Intelligent contract based on basic digital resource management framework
In this embodiment, optionally, the specific steps of step one include:
Step 1.1: create an initial member and write the member record of the initial member into the member ledger.
Step 1.2: the initial member submits a member update proposal transaction, triggering execution of the member update proposal algorithm to introduce a new member; for the pseudocode see algorithm 1.
Step 1.3: the auditors vote on the proposal from the previous step, triggering execution of the member update audit algorithm; for the pseudocode see algorithm 2.
Step 1.4: the proposer performs the case setting operation on the proposal, triggering execution of the member update case setting algorithm, which judges whether the approval votes exceed the threshold; if so, the member information is updated successfully, otherwise the update fails; for the pseudocode see algorithm 3.
In this embodiment, optionally, the specific steps of step two include:
Step 2.1: a member in the RPKI resource manager role acts as proposer and initiates a resource protocol update proposal transaction, writing an IP prefix set and an AS number set in the request and triggering execution of the resource protocol update proposal algorithm; for the pseudocode see algorithm 4.
Step 2.2: the organization administrator of the organization to which the RPKI resource manager belongs votes on the proposal from the previous step, triggering execution of the resource protocol update audit algorithm; for the pseudocode see algorithm 2.
Step 2.3: the proposer performs the case setting operation on the proposal, triggering execution of the resource protocol update case setting algorithm, which judges whether the approval votes exceed the threshold; if so, the resource protocol is updated successfully, otherwise the update fails; for the pseudocode see algorithm 3.
In this embodiment, optionally, the specific steps of step three include:
Step 3.1: a member in the RPKI resource manager role acts as proposer and initiates a resource authorization update proposal whose request contains the route origin authentication information it declares, triggering execution of the resource authorization update proposal algorithm; for the pseudocode see algorithm 5.
Step 3.2: the organization administrator of the organization to which the RPKI resource manager belongs votes on the proposal from the previous step, triggering execution of the resource authorization update audit algorithm; for the pseudocode see algorithm 2.
Step 3.3: the proposer performs the case setting operation on the proposal, triggering execution of the resource authorization update case setting algorithm, which judges whether the approval votes exceed the threshold; if so, the resource authorization is updated successfully, otherwise the update fails; for the pseudocode see algorithm 3.
Based on the ledger storage scheme with three separated layers, member, protocol and resource, a universal blockchain-based basic digital resource management framework is designed. Finally, as described in the smart contract architecture diagram, blockchain smart contracts are designed on top of this basic digital resource management framework to issue and manage the Slurm data, so that each party can save the data in the existing RPKI system.
In the RPKI member management contract, one role type is defined, the RPKI resource manager, whose responsibility is to publish Slurm data within the scope of the protocol. The organization administrator role is already defined in the underlying digital resource management framework and is used directly in the contract. It is worth noting that, although roles are described here, they are not embodied in the RPKI member management contract: from the contract's perspective, the roles other than the organization administrator are not distinguished from one another. The differences between these roles only appear in the contracts introduced later.
In the RPKI resource protocol contract, the data structure of the RPKI resource protocol is defined, and the types of some fields need to implement the interfaces designed in resource protocol management. The set of legal roles that may sign the protocol is defined as the RPKI resource manager only, and the set of legal audit policies for signing the protocol is defined as International only. The proposal, audit and case setting methods provided by resource protocol management can then be used and wrapped as the different transactions of the smart contract. The effect of this smart contract is that the organization manager and the RPKI resource manager can agree on the range of resources covered by the route origin authentication information that the RPKI resource manager issues in the subsequent process.
The RPKI resource authorization contract defines the data structure of RPKI resource authorization. Some of its fields implement the interfaces defined in resource authorization management, namely the Validate, checkRole and checkPermission methods, which respectively verify the format of a resource record, restrict the legal role for issuing resource records to the resource manager, and ensure that the scope of the issued resources does not exceed the scope marked in the resource protocol signed by the proposer. The proposal, audit and case setting methods provided by resource authorization management can then be used and wrapped as the three different transactions of the smart contract. The effect of this smart contract is that the RPKI resource manager can issue route origin authentication information in the Slurm format within the resource range defined in the RPKI resource protocol it has signed.
Experimental results and analysis
The goal of the performance test is to measure the key performance indicators of the local root chain system and to find specific performance bottlenecks. The main indicators are the latency of local root chain transaction processing, the transaction throughput per second (Throughput Per Second, TPS) and the consumption of various system resources, mainly CPU load, memory occupation and network usage.
The results of the performance test are as follows. Fig. 3 shows the throughput that the four transactions can achieve at different network scales. The abscissa is the number of network nodes and the ordinate is the average transaction throughput. As the number of network nodes increases, the throughput of the three transactions proposal, audit and end tends to decrease overall, from highs of 67.3tps, 89.6tps and 89.3tps to 51.0tps, 65.4tps and 64.7tps respectively, while the query transaction shows no apparent trend and stays in the [300.1tps, 375.2tps] interval. The reason is that a query transaction needs no node endorsement and simply selects one node to query, whereas the number of node endorsements required by the other three transactions grows with the network scale; endorsement involves time-consuming cryptographic operations such as signing, so the transaction throughput falls.
Fig. 4 shows the average transaction delay of the four transactions at different network scales. The abscissa is the number of network nodes and the ordinate is the average processing delay of the transaction. The average processing delay of the proposal transaction is significantly higher than that of the other transactions, at a minimum of 0.22s, and it is the most strongly affected by the increase in network scale. The query transaction needs no endorsement, so its average processing delay is the best and is stable at 10ms. The proposal transaction has the highest average delay because its business logic is complex and its chaincode processing is slower. The business complexity of the audit and end transactions is similar, so their average processing delays are also close, lying in the 150ms to 220ms interval.
From the above, the proposal transaction is clearly the performance bottleneck of the system; figs. 5, 6, 7 and 8 analyse the system resources a node consumes when processing proposal transactions. Fig. 5 shows the average CPU usage of the different containers at different network scales when nodes process proposal transactions; the CPU usage of the member management chaincode container and the Peer container is the highest. Fig. 6 shows the average memory occupation of the different containers at different network scales when nodes process proposal transactions; the memory occupation of the Peer container and the Order container is far higher than that of the other containers, and the memory occupation of the member management chaincode container increases slightly as the network scale grows.
Figs. 7 and 8 show the network traffic (in/out) of the different containers when nodes process proposal transactions; a large amount of data flows into the member management chaincode container and a large amount of data flows out of the Peer container. This is because the proposal transaction logic contains an operation that scans the entire member table, which makes the member management chaincode container scan the whole database, while the state database resides in the Peer container. A large amount of communication therefore takes place between the member management chaincode container and the Peer container, which affects the throughput and latency of the proposal transaction.
To verify the impact of this communication between the member management chaincode container and the Peer container on the processing performance of proposal transactions, we perform multiple rounds of testing at a fixed network scale (3 nodes), and before each round we write a specific number of transactions into the state data in advance, so as to increase the network communication load when the member management chaincode container scans the database. Fig. 9 shows the maximum stable transaction throughput of the four transactions for different numbers of pre-written transactions; as the number of pre-written transactions increases, the throughput of the proposal transaction drops rapidly. Fig. 10 shows the average transaction processing delay of the four transactions for different numbers of pre-written transactions; the average processing delays of the audit, end and query transactions are essentially unaffected by the increase in pre-written transactions, while the processing delay of the proposal transaction grows linearly.
Figs. 11 and 12 show that, as the number of pre-written transactions increases, the communication load of both the member management chaincode container and the Peer container increases significantly, while the communication load of the other containers increases only slightly.

Claims (10)

1. A blockchain sharing co-treatment method based on an RPKI localization management mechanism, characterized in that the method takes a blockchain as a new data release platform, reaches consensus on RPKI data on the platform, and realizes the security of each party's respective RPKI data, the method comprising at least the following steps:
step one, RPKI member management: the organization administrators reach agreement on the participation rights of the consensus participants;
step two, RPKI resource protocol management: the organization manager and the RPKI resource manager reach an agreement, and the range of the resources which can be issued by the RPKI resource manager is written in the agreement;
step three, RPKI resource authorization management: the RPKI resource manager publishes route origin authentication information;
the account book storage mode provides support for the smart contract technology, and the smart contract technology provides three contracts which respectively meet the users' requirements for RPKI member management, RPKI resource protocol management and RPKI resource authorization management,
and the three smart contracts are called successively to complete steps one, two and three, thereby realizing the blockchain sharing co-treatment method based on the RPKI localization management mechanism.
2. The blockchain sharing co-treatment method based on the RPKI localization management mechanism of claim 1, wherein step one is implemented as follows:
step 1.1, creating an initial member, and writing a member record of the initial member into the member account book;
step 1.2, the initial member submits a member update proposal transaction, triggering execution of the member update proposal algorithm (algorithm 1) to introduce a new member;
step 1.3, the auditors vote on the proposal from the previous step, triggering execution of the member update audit algorithm (algorithm 2);
step 1.4, the proposer performs the case setting operation on the proposal, triggering execution of the member update case setting algorithm (algorithm 3), which judges whether the approval votes exceed the threshold; if so, the member information is updated successfully, otherwise the update fails.
3. The blockchain sharing co-treatment method based on the RPKI localization management mechanism according to claim 1 or 2, wherein step two is implemented as follows:
step 2.1, a member in the RPKI resource manager role acts as proposer and initiates a resource protocol update proposal transaction, writing an IP prefix set and an AS number set in the request and triggering execution of the resource protocol update proposal algorithm (algorithm 4);
step 2.2, the organization administrator of the organization to which the RPKI resource manager belongs votes on the proposal from the previous step, triggering execution of the resource protocol update audit algorithm (algorithm 2);
step 2.3, the proposer performs the case setting operation on the proposal, triggering execution of the resource protocol update case setting algorithm (algorithm 3), which judges whether the approval votes exceed the threshold; if so, the resource protocol is updated successfully, otherwise the update fails.
4. The blockchain sharing co-treatment method based on the RPKI localization management mechanism as defined in claim 3, wherein step three is implemented as follows:
step 3.1, a member in the RPKI resource manager role acts as proposer and initiates a resource authorization update proposal whose request contains the route origin authentication information it declares, triggering execution of the resource authorization update proposal algorithm (algorithm 5);
step 3.2, the organization administrator of the organization to which the RPKI resource manager belongs votes on the proposal from the previous step, triggering execution of the resource authorization update audit algorithm (algorithm 2);
step 3.3, the proposer performs the case setting operation on the proposal, triggering execution of the resource authorization update case setting algorithm (algorithm 3), which judges whether the approval votes exceed the threshold; if so, the resource authorization is updated successfully, otherwise the update fails.
5. The blockchain sharing co-therapeutic system of claim 6, wherein the system is configured to store the information in the shared block chain,
the member update proposal algorithm is: taking a user request as input and verifying its legality; after the request passes verification, writing the proposer's update request into an update record and creating a process record, which is used to record the voting opinions on the proposal;
the update audit algorithm is: verifying whether the auditor has voting rights over the corresponding proposal, and writing the voting opinion into the corresponding process record;
the update case setting algorithm is: checking the case setting authority of the case setter, calling the case setting method of process management, and returning a case setting result as follows:
when the case setting result shows that the approval votes exceed the threshold, creating a state record with the update record as its blueprint, and deleting the update record;
when the case setting result shows that the approval votes do not exceed the threshold, indicating that the relevant parties did not reach agreement on the proposal, deleting the update record;
the resource protocol update proposal algorithm is: taking as input a user request, the legal audit policies of the resource protocol and the legal roles of a resource protocol update proposer; first verifying that the request format is correct, including calling the Validate method of the interface; then verifying that a member record exists for the proposer ID, and verifying the proposer's update authority, namely that the proposer's role is legal and that the audit policy of the protocol is legal; then checking whether an update record from the same proposer already exists, several update proposals for the same record not being allowed at the same time; then checking whether the proposer has already signed a protocol and, if so, verifying that the immutable resource information in the protocol is unchanged; after verification passes, writing the proposer's update request into an update record, and finally creating a process record, which is used to record the voting opinions on the proposal;
the resource authorization update proposal algorithm is: taking a user request as input; first verifying that the request format is correct, including calling the Validate method of the interface; then verifying that a member record exists for the proposer ID, and verifying the proposer's update authority, namely that the proposer's role is legal; verifying the resource declaration authority, namely that the range of the resources being released does not exceed the range marked in the resource protocol signed by the proposer; then checking whether an update record from the same proposer already exists, one proposer not being allowed to have several resource authorization update proposals at the same time; after verification passes, writing the proposer's update request into an update record, and finally creating a process record, which is used to record the voting opinions on the proposal.
6. The method for sharing co-treatment of blockchain based on RPKI localization management mechanism as in claim 5, wherein the RPKI localization management account book storage method is as follows:
dividing the data object into a plurality of account books for storage;
each account book contains closely related data, and the latest data is called the world state; the account book comprises a plurality of records, each record has a unique primary key identifier, and the primary keys of the records in the same account book have the same prefix and different suffixes;
from the perspective of the state storage function, records fall into three categories: state records, update records and process records; the state record represents the latest world state and is a record on which consensus has been reached; the corresponding update record represents a state waiting to be updated, meaning that consensus on it has not yet been reached; when a state record is to be updated, the update request is first written into the update record, and whether to write the state record is decided according to the processing result of the contract: the state record is updated after consensus is reached, and is not updated when consensus is not reached; the process record is responsible for storing the relevant state during the processing of the update request;
from the perspective of the type of content stored, records are classified into three types: member records, protocol records and resource records; the member record stores member attributes, the country to which the member belongs and role type information; the protocol record stores authorization and cooperation protocols between members, which are an additional description of member rights; the resource record stores simplified local internet resource management (SLURM) data published by the resource manager.
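An added sketch, not code from the patent, of the resource authorization proposal, auditing and closing flow of claim 5 running over the state, update and process records of claim 6. The class name, role strings, key prefixes, return values and the rule that organization administrators vote and close are assumptions; the sample prefixes are constructed.

```python
import ipaddress

class ResourceLedger:
    """In-memory stand-in for the resource account book (constructed example)."""

    def __init__(self, roles, agreements, threshold):
        self.roles = roles            # member ID -> role (member records)
        self.agreements = agreements  # member ID -> prefixes in the signed resource protocol
        self.threshold = threshold    # approval votes must exceed this value
        self.kv = {}                  # primary key "<category>/<member ID>" -> record

    def propose(self, proposer, prefixes):
        """Resource authorization update proposal; returns 'ok' or the failed check."""
        try:  # Validate: request format
            nets = [ipaddress.ip_network(p) for p in prefixes]
        except ValueError:
            return "bad-format"
        if not nets:
            return "bad-format"
        if self.roles.get(proposer) != "resource-manager":  # member record exists, checkRole
            return "bad-role"
        allowed = [ipaddress.ip_network(a) for a in self.agreements.get(proposer, [])]
        for n in nets:  # checkPermission: every prefix lies inside the agreed range
            if not any(n.version == a.version and n.subnet_of(a) for a in allowed):
                return "out-of-scope"
        if f"update/{proposer}" in self.kv:  # only one pending proposal per proposer
            return "already-pending"
        self.kv[f"update/{proposer}"] = list(prefixes)
        self.kv[f"process/{proposer}"] = {}  # auditor ID -> voting opinion
        return "ok"

    def audit(self, auditor, proposer, approve):
        """Write one voting opinion into the process record if the auditor may vote."""
        if self.roles.get(auditor) != "org-admin" or f"update/{proposer}" not in self.kv:
            return False
        self.kv[f"process/{proposer}"][auditor] = approve
        return True

    def close(self, closer, proposer):
        """Closing: promote the update record only if approvals exceed the threshold."""
        if self.roles.get(closer) != "org-admin" or f"update/{proposer}" not in self.kv:
            return None
        update = self.kv.pop(f"update/{proposer}")  # deleted in both outcomes
        approvals = sum(self.kv[f"process/{proposer}"].values())
        if approvals > self.threshold:
            self.kv[f"state/{proposer}"] = update  # consensus reached: new world state
            return True
        return False
```

A rejected proposal leaves the previous state record untouched, which is the property that keeps an out-of-consensus update from changing the world state.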
7. The blockchain sharing co-treatment system of claim 6, comprising:
RPKI member management contracts: defining the role types other than the administrator role in the RPKI consensus root system, and defining an externally exposed smart contract interface by using the methods provided by member management, so that participants of the RPKI consensus root can reach consensus on issues requiring consensus;
RPKI resource agreement contracts: defining a data structure of the RPKI resource protocol, implementing the interface designed in resource protocol management, and using the methods provided by resource protocol management so that the RPKI manager and the RPKI resource manager agree on the range of resources involved in route origin authentication information issued by the RPKI resource manager;
RPKI resource authorization contracts: defining a data structure of RPKI resource authorization, implementing the interface defined in resource authorization management, and using the methods provided by resource authorization management, so that an RPKI resource manager can issue route origin authentication information only within a resource range no greater than that defined in the RPKI resource protocol signed by that RPKI resource manager.
8. The blockchain sharing co-treatment system based on the RPKI localization management mechanism of claim 7, wherein the smart contract is specifically implemented as follows:
In the RPKI member management contract, the role of the RPKI resource manager is to publish SLURM data within the protocol scope; the role of the organization administrator is already defined in member management (middle layer) and is used directly in the contracts.
In the RPKI resource protocol contract, the data structure of the RPKI resource protocol is defined, and the types of some fields need to implement the interface designed in resource protocol management; the set of legal roles for signing the protocol is defined as only the RPKI resource manager, and the set of legal audit policies of the protocol is defined as only International; the proposal, auditing and closing methods provided by protocol management can thereby be packaged into different transactions in the smart contract, so that the organization manager and the RPKI resource manager agree on the range of resources involved in route origin authentication information subsequently issued by the RPKI resource manager;
in the RPKI resource authorization contract, a data structure of RPKI resource authorization is defined, and some fields implement the interfaces defined in resource authorization management, namely the Validate, checkRole and checkPermission methods, which are respectively used for verifying the format of a resource record, restricting the legal role for issuing a resource record to the resource manager, and verifying that the range of resources issued does not exceed the range stated in the resource protocol signed by the proposer, so that the proposal, auditing and closing methods provided by resource management can be correspondingly packaged into three different transactions in the smart contract.
9. The blockchain sharing co-treatment system of claim 8, wherein the system is configured to store the information in the shared block chain,
the member management (middle layer) refers to: managing the joining, modification and exit of members participating in consensus, corresponding respectively to the storage, update and deletion of member information, and binding members to roles; the role of the manager represents the highest authority of one participant, and members in other roles are responsible to the manager, which is called the "manager responsibility system".
The protocol management (middle layer) refers to: managing the agreements reached between members in different types of roles on the management rights over digital resources in a specific range, without regard to the specific semantics represented by the digital resources and the range, so that resource management requirements in different scenarios can be met;
the resource management (middle layer) refers to: managing the resource claims issued by legal resource managers, storing the resource claims on a distributed data release platform, and recording the resource authorizers, without regard to the specific semantics of the digital resource claims, so that various types of resource claims are allowed to be issued; the data release platform provides a resource query service with which each participant can query and monitor the resources in the consensus platform.
10. A computer-readable storage medium, characterized by: the computer readable storage medium stores a computer program configured to implement, when invoked by a processor, the steps of the blockchain sharing co-treatment method based on an RPKI localization management mechanism of any of claims 1-5.
CN202310800366.6A 2023-06-30 2023-06-30 Block chain sharing co-treatment method and system based on RPKI localization management mechanism Pending CN116915773A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310800366.6A CN116915773A (en) 2023-06-30 2023-06-30 Block chain sharing co-treatment method and system based on RPKI localization management mechanism

Publications (1)

Publication Number Publication Date
CN116915773A true CN116915773A (en) 2023-10-20

Family

ID=88367567

Country Status (1)

Country Link
CN (1) CN116915773A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination