
Design and Implementation of a Route Filtering Subsystem Based on the RPKI Protocol

Published: 2018-05-13 22:13

  Topics of this paper: BGP protocol + prefix hijacking; Reference: Harbin Institute of Technology, 2017 master's thesis


[Abstract]: In an increasingly complex network environment, BGP, as the only inter-domain routing protocol, properly handles multi-path connections between unrelated routing domains. Its main function is to exchange network reachability information with other BGP systems, but the protocol itself provides no security mechanism to protect the Internet's inter-domain routing system. As a result, attacks such as prefix hijacking have become the primary security threat to BGP inter-domain routing. Against this background, this thesis analyzes the specific causes of route prefix hijacking and, from a network security perspective, proposes an RPKI-based verification method for route filtering to reduce the harm that prefix hijacking does to the network. The main innovative research work of this thesis is as follows. First, to address route prefix hijacking, it proposes an RPKI-based route origin validation scheme, that is, verifying the legitimacy of the binding between the IP address prefix and the AS number carried in routing information. The validation process establishes whether the routing information is complete and correct, and paths whose validation result is valid are preferred for forwarding traffic, which avoids the misdirection and impact of route prefix hijacking events. Second, the system is designed as six modules: command line, session connection, message processing, ROA information processing, routing information processing, and high-reliability guarantee. Together these six modules implement the system's RPKI route origin validation function. In this scheme, the session connection process uses MD5 signature verification, ROA information is stored in a Radix tree data structure, and, for recording information during the distribution of route origin validation results, a dynamically extended BIT-MAP data structure is proposed, which further saves storage space. Third, a demonstration system for RPKI route origin validation is built on a C/S architecture. With route origin validation enabled through command-line configuration, the demonstration system can be used to verify whether routing information is legitimate and to view the routing information displayed in order of the priority of its origin validation result. Finally, experimental tests show that the system meets enterprise-level requirements in terms of functionality, and, after program tuning and joint debugging with devices, the system has been put into operation in a real network environment.
[Degree-granting institution]: Harbin Institute of Technology
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.0
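
The prefix-to-AS binding check that the abstract describes can be sketched as follows. This is an added example, not code from the thesis: it uses the valid / not-found / invalid matching rules of RFC 6811, an uncompressed binary trie in place of the thesis's Radix tree, IPv4 only, and an assumed preference order for sorting. The prefixes and AS numbers are constructed documentation values.

```python
import ipaddress

VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"
PREFERENCE = {VALID: 0, NOT_FOUND: 1, INVALID: 2}  # assumed display order

def _bits(net):
    """Bits of the network address, most significant first, up to the prefix length."""
    addr = int(net.network_address)
    return [(addr >> (31 - i)) & 1 for i in range(net.prefixlen)]

class RoaTrie:
    """Binary trie on prefix bits; each node lists (max_len, asn) for its prefix."""
    def __init__(self):
        self.root = {"kids": [None, None], "roas": []}

    def add(self, prefix, max_len, asn):
        node = self.root
        for b in _bits(ipaddress.IPv4Network(prefix)):
            if node["kids"][b] is None:
                node["kids"][b] = {"kids": [None, None], "roas": []}
            node = node["kids"][b]
        node["roas"].append((max_len, asn))

    def validate(self, prefix, origin_asn):
        """Walk toward the route's prefix, collecting every covering ROA."""
        net = ipaddress.IPv4Network(prefix)
        node, path = self.root, [self.root]
        for b in _bits(net):
            node = node["kids"][b]
            if node is None:
                break
            path.append(node)
        covering = [roa for n in path for roa in n["roas"]]
        if any(asn == origin_asn and net.prefixlen <= ml for ml, asn in covering):
            return VALID
        # Covered by a ROA but no match: wrong origin AS or too specific.
        return INVALID if covering else NOT_FOUND

def rank_routes(trie, routes):
    """Validate (prefix, origin_asn) pairs and sort them by validation state."""
    checked = [(p, a, trie.validate(p, a)) for p, a in routes]
    return sorted(checked, key=lambda r: PREFERENCE[r[2]])

# Constructed sample ROA: AS64496 may originate 203.0.113.0/24 up to /25.
DEMO = RoaTrie()
DEMO.add("203.0.113.0/24", 25, 64496)

if __name__ == "__main__":
    for row in rank_routes(DEMO, [("203.0.113.0/24", 64511), ("192.0.2.0/24", 64496)]):
        print(row)
```

A more-specific announcement from the authorized AS (here a /26 under a ROA with maximum length 25) is invalid, not merely unknown, which is what lets a filter reject sub-prefix hijacks.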



