Please wait a minute...
 首页  期刊介绍 期刊订阅 联系我们 横山亮次奖 百年刊庆
 
最新录用  |  预出版  |  当期目录  |  过刊浏览  |  阅读排行  |  下载排行  |  引用排行  |  横山亮次奖  |  百年刊庆
清华大学学报(自然科学版)  2023, Vol. 63 Issue (9): 1366-1379    DOI: 10.16511/j.cnki.qhdxxb.2023.21.016
  计算机科学与技术 本期目录 | 过刊浏览 | 高级检索 |
基于区块链技术的去中心化互联网号码资源管理系统
李江1, 徐明伟1,2, 曹家浩1,2, 孟子立2, 张国强1
1. 清华大学 计算机科学与技术系, 北京 100084;
2. 清华大学 网络科学与网络空间研究院, 北京 100084
Decentralized internet number resource management system based on blockchain technology
LI Jiang1, XU Mingwei1,2, CAO Jiahao1,2, MENG Zili2, ZHANG Guoqiang1
1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China;
2. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China
全文: PDF(4583 KB)   HTML 
输出: BibTeX | EndNote (RIS)      
摘要 作为互联网唯一的域间路由协议, 边界网关协议(border gateway protocol, BGP)当前面临着互联网号码资源误用的威胁。 现有安全方案——资源公钥基础设施(resource public key infrastructure, RPKI)通过中心化的基础设施维护互联网号码资源信息, 然而该方案面临着中心化导致的单点失效风险、 收敛时间长和开销高的问题。 该文提出了基于区块链技术的去中心化互联网号码资源管理系统(decentralized internet number resource management system, DINRMS)。 为提高系统的可扩展性, 在结构上对全球自治系统(autonomous system, AS)分组分层, 并针对此结构设计了相应的工作流程。 此外, 基于上述分组分层结构提出了一种基于互联网号码资源所有权信息和映射信息产生情况的启发式数据推送机制, 缩短AS获得这些信息的收敛时间, 同时减少交互开销。 实验表明, DINRMS为域间路由提供了安全可信的互联网号码资源信息; 相比RPKI, DINRMS的中心化程度降低了60%以上, 收敛时间缩短了50%以上, 交互开销减少了50%以上。
服务
把本文推荐给朋友
加入引用管理器
E-mail Alert
RSS
作者相关文章
李江
徐明伟
曹家浩
孟子立
张国强
关键词 边界网关协议互联网号码资源域间路由安全    
Abstract:[Objective] Internet is an important infrastructure that has been evolving for decades. Border gateway protocol (BGP) is the de facto interdomain routing protocol on the internet and connects autonomous systems (ASes) around the world. The BGP uses internet number resources (INR), including internet protocol (IP) prefixes and autonomous system numbers for addressing and routing. However, BGP has been vulnerable to the INR misusage threat recently, which causes a common type of anomaly called prefix hijacking. In prefix hijacking, a malicious AS originates the victim AS's prefixes to blackhole or intercept the victim's data traffic. The existing security solution, called resource public key infrastructure (RPKI), provides INR ownership and prefix-to-AS mapping information through a centralized infrastructure. ASes can extract and use the information from RPKI to prevent prefix hijacking. However, this solution has three typical drawbacks. First, the centralized architecture of RPKI causes single-point failures. Second, to obtain consistent INR information from RPKI, ASes need a long convergence time owing to the disorderly distribution of information. Third, ASes incur high interaction cost for extracting real-time INR information frequently.[Methods] To solve the above mentioned shortcomings, this study proposes a decentralized internet number resource management system (DINRMS) based on blockchain technology. The proposed system adopts a hierarchical architecture consisting of an autonomy layer and an arbitration layer. DINRMS partitions all ASes on the internet into groups that form the autonomy layer. The arbitration layer comprises the Internet Assigned Numbers Authority, five Regional Internet Registries and representatives elected by each group in the autonomy layer. Each entity in DINRMS has nearly the same impact on the system and the single-point failure of an entity does not lead to a serious global breakdown. The architecture of the proposed system overcomes the poor scalability of blockchain technology, which cannot be applied to efficient global INR information management on the internet. A blockchain is maintained within each group to record the INR ownership and prefix-to-AS mapping information of the respective groups. Entities within a group use information from third parties, such as the Whois Lookup tool, to check the consistency of INR ownership information. For prefix-to-AS mapping information, entities within a group use routing data from public route collectors to check the consistency and then vote on the legitimacy of the information. Subsequently, the entities judge the legitimacy of the information according to the majority rule. The arbitration layer maintains the global INR ownership information in the form of group granularity and prefix-to-AS mapping information. This information is sourced from representatives elected by each group in the autonomy layer for mutual supervision and endorsement. The arbitration layer is responsible for arbitrating usage conflicts related to INR. The DINRMS proposes a heuristic INR information push mechanism based on the architecture and dynamics of INR information. The mechanism decides to push INR information to ASes if a long time has passed since the last information push or if many information items have not been pushed.[Results] Experiments results show that DINRMS provides secure and trusted INR information for interdomain routing. In addition, the degree of centralization of DINRMS is 60% less than that of RPKI in terms of the Gini coefficient. Moreover, DINRMS reduces the convergence time and interaction overhead by more than 50%.[Conclusions] DINRMS manages INRs based on blockchain technology using a decentralized approach. The hierarchical and grouping architecture of DINRMS improves system scalability. The efficient push mechanism based on the dynamics of INR information shortens the convergence time and reduces the interaction overhead for ASes to obtain consistent INR ownership and mapping information.
Key wordsborder gateway protocol    internet number resource    interdomain routing security
收稿日期: 2023-01-05      出版日期: 2023-08-19
通讯作者: 徐明伟,教授,E-mail:xmw@cernet.edu.cn;曹家浩,博士后,E-mail:caojh2021@tsinghua.edu.cn      E-mail: xmw@cernet.edu.cn;caojh2021@tsinghua.edu.cn
作者简介: 李江(1997-),男,博士研究生。
引用本文:   
李江, 徐明伟, 曹家浩, 孟子立, 张国强. 基于区块链技术的去中心化互联网号码资源管理系统[J]. 清华大学学报(自然科学版), 2023, 63(9): 1366-1379.
LI Jiang, XU Mingwei, CAO Jiahao, MENG Zili, ZHANG Guoqiang. Decentralized internet number resource management system based on blockchain technology. Journal of Tsinghua University(Science and Technology), 2023, 63(9): 1366-1379.
链接本文:  
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2023.21.016  或          http://jst.tsinghuajournals.com/CN/Y2023/V63/I9/1366
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
[1] REKHTER Y, LI T, HARES S. A border gateway protocol 4(BGP-4)[R]. San Francisco: IETF, 2006.
[2] MCCULLAGH D. How Pakistan knocked YouTube offline (and how to make sure it never happens again)[EB/OL]. (2008-02-25)[2023-01-04]. https://www.cnet.com/culture/how-pakistan-knocked-youtube-offline-and-how-to-make-sure-it-never-happens-again/.
[3] SIDDIQUI A. KlaySwap-another BGP hijack targeting crypto wallets[EB/OL]. (2022-02-17)[2023-01-04]. https://www.manrs.org/2022/02/klayswap-another-bgp-hijack-tar-geting-crypto-wallets/.
[4] KENT S, LYNN C, SEO K. Secure border gateway protocol (S-BGP)[J]. IEEE Journal on Selected areas in Communications, 2000, 18(4): 582-592.
[5] KARLIN J, FORREST S, REXFORD J. Pretty good BGP: improving BGP by cautiously adopting routes[C]// Proceedings of 2006 IEEE International Conference on Network Protocols. Santa Barbara, USA: IEEE, 2006: 290-299.
[6] SUBRAMANIAN L, ROTH V, STOICA I, et al. Listen and whisper: Security mechanisms for BGP[C]// Proceedings of the 1st Conference on Symposium on Networked Systems Design and Implementation. San Francisco, USA: USENIX Association, 2004: 127-140.
[7] LEPINSKI M, KENT S. An infrastructure to support secure internet routing[R]. San Francisco: IETF, 2012.
[8] VOHRA Q, CHEN E. BGP support for four-octet as number space[R]. San Francisco: IETF, 2007.
[9] DEERING S, HINDEN R. Internet protocol, version 6(IPv6) specification[R]. San Francisco: IETF, 1998.
[10] ROBACHEVSKY A. 14, 000 incidents: A 2017 routing security year in review[EB/OL]. (2018-01-09)[2022-07-27]. https://www.internetsociety.org/blog/2018/01/14000-incidents-2017-routing-security-year-review/.
[11] KRISTOFF J, BUSH R, KANICH C, et al. On measuring RPKI relying parties[C]// Proceedings of ACM Internet Measurement Conference. Pittsburgh, USA: ACM, 2020: 484-491.
[12] MOHAPATRA P, SCUDDER J, WARD D, et al. BGP prefix origin validation[R]. San Francisco: IETF, 2013.
[13] COOPER D, HEILMAN E, BROGLE K, et al. On the risk of misbehaving RPKI authorities[C]// Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks. College Park, USA: ACM, 2013: 16.
[14] SHRISHAK K, SHULMAN H. Limiting the power of RPKI authorities[C]// Proceedings of Applied Networking Research Workshop. ACM, 2020: 12-18.
[15] KARAARSLAN E, ADIGUZEL E. Blockchain based DNS and PKI solutions[J]. IEEE Communications Standards Magazine, 2018, 2(3): 52-57.
[16] MATSUMOTO S, REISCHUK R M. IKP: turning a PKI around with decentralized automated incentives[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy. San Jose, USA: IEEE, 2017: 410-426.
[17] Town M. Explore the certificate transparency ecosystem[EB/OL].[2023-03-11]. https://ct.cloudflare.com/.
[18] BROGLE K, COOPER D, GOLDBERG S, et al. Impacting IP prefix reachability via RPKI manipulations[R]. Boston: Boston University, 2013.
[19] HEILMAN E, COOPER D, REYZIN L, et al. From the consent of the routed: Improving the transparency of the RPKI[C]// Proceedings of 2014 ACM conference on SIGCOMM. Chicago, USA: ACM, 2014: 51-62.
[20] KENT S, MANDELBERG D. Suspenders: A fail-safe mechanism for the RPKI[R]. San Francisco: IETF, 2014.
[21] REYNOLDS M, KENT S, LEPINSKI M. Local trust anchor management for the resource public key infrastructure[R]. San Francisco: IETF, 2013.
[22] MA D, MANDELBERG D, BRUIJNZEELS T. Simplified local internet number resource management with the RPKI (SLURM)[R]. San Francisco: IETF, 2018.
[23] BARNES E. Resource public key infrastructure (RPKI) resource transfer protocol and transfer authorization object (TAO)[R]. San Francisco: IETF, 2014.
[24] HUSTON G, MICHAELSON G, LOOMANS R. A profile for X.509 PKIX resource certificates[R]. San Francisco: IETF, 2012.
[25] HUSTON G, MICHAELSON G, MARTÍNEZ C. Resource public key infrastructure (RPKI) validation reconsidered[R]. San Francisco: IETF, 2018.
[26] HUSTON G. Is rsync that bad?[EB/OL]. (2020-10-27)[2023-03-11]. https://blog.apnic.net/2020/10/27/rpki-qa-the-trouble-with-rsync/.
[27] HLAVACEK T, JEITNER P, MIRDITA D, et al. Stalloris: RPKI downgrade attack[C]// Proceedings of the 31st USENIX Security Symposium. Boston, USA: USENIX Association, 2022: 4455-4471.
[28] NIST. NIST RPKI monitor[EB/OL].[2023-03-11]. https://rpki-monitor.antd.nist.gov/.
[29] NUSENU. The RPKI observatory[EB/OL].[2023-03-11]. https://nusenu.github.io/RPKI-Observatory/index.html.
[30] ZDNS. RPKIVIZ[EB/OL].[2023-03-11]. https://rpkiviz.zdns.cn/statistic.
[31] WÄHLISCH M, SCHMIDT R, SCHMIDT T C, et al. RiPKI: The tragic story of RPKI deployment in the web ecosystem[C]// Proceedings of the 14th ACM Workshop on Hot Topics in Networks. Philadelphia, USA: ACM, 2015: 11.
[32] CHUNG T, ABEN E, BRUIJNZEELS T, et al. RPKI is coming of age: A longitudinal study of RPKI deployment and invalid route origins[C]// Proceedings of the Internet Measurement Conference. Amsterdam, Netherlands: ACM, 2019: 406-419.
[33] OSTERWEIL E, MANDERSON T, WHITE R, et al. Sizing estimates for a fully deployed rpki[R]. Reston: Verisign Labs, 2012.
[34] GILAD Y, COHEN A, HERZBERG A, et al. Are we there yet? On RPKI's deployment and security[C]// Proceedings of Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2017.
[35] REUTER A, BUSH R, CUNHA I, et al. Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering[J]. ACM SIGCOMM Computer Communication Review, 2018, 48(1): 19-27.
[36] REUTER A, BUSH R, CUNHA I, et al. ROV deployment monitor[EB/OL].[2023-03-11]. https://rov.rpki.net/.
[37] CHEN W Q, WANG Z L, HAN D Q, et al. ROV-MI: Large-scale, accurate and efficient measurement of ROV deployment[C]// Proceedings of Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2022.
[38] WAN T, KRANAKIS E, VAN OORSCHOT P C. Pretty secure BGP, psBGP[C]// Proceedings of Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2005.
[39] HU Y C, PERRIG A, SIRBU M A. SPV: Secure path vector routing for securing BGP[C]// Proceedings of 2004 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. Portland, USA: ACM, 2004: 179-192.
[40] ZHAO M Y, SMITH S W, NICOL D M. Aggregated path authentication for efficient BGP security[C]// Proceedings of the 12th ACM Conference on Computer and Communications Security. Alexandria, USA: ACM, 2005: 128-138.
[41] XIANG Y, SHI X G, WU J P, et al. Sign what you really care about-secure BGP AS-paths efficiently[J]. Computer Networks, 2013, 57(10): 2250-2265.
[42] HU Y C, PERRIG A, JOHNSON D B. Efficient security mechanisms for routing protocolsa[C]// Proceedings of Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2003.
[43] BUTLER K, MCDANIEL P, AIELLO W. Optimizing BGP security by exploiting path stability[C]// Proceedings of the 13th ACM conference on Computer and communications security. Alexandria, USA: ACM, 2006: 298-310.
[44] WHITE R. Securing BGP through secure origin BGP (soBGP)[J]. Business Communications Review: Hinsdale, 2003, 33(5): 47-53.
[45] GOODELL G, AIELLO W, GRIFFIN T, et al. Working around BGP: An incremental approach to improving security and accuracy in interdomain routing[C]// Proceedings of Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2003.
[46] HARI A, LAKSHMAN T V. The internet blockchain: A distributed, tamper-resistant transaction framework for the internet[C]// Proceedings of the 15th ACM Workshop on Hot Topics in Networks. Atlanta, USA: ACM, 2016: 204-210.
[47] PAILLISSE J, FERRIOL M, GARCIA E, et al. IPchain: Securing IP prefix allocation and delegation with blockchain[C]// Proceedings of 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). Halifax, Canada: IEEE, 2018: 1236-1243.
[48] XING Q Q, WANG B S, WANG X F. BGPcoin: Blockchain-based internet number resource authority and BGP security solution[J]. Symmetry, 2018, 10(9): 408.
[49] SAAD M, ANWAR A, AHMAD A, et al. RouteChain: Towards blockchain-based secure and efficient BGP routing[J]. Computer Networks, 2022, 217: 109362.
[50] CHEN D, BA Y, QIU H, et al. ISRchain: Achieving efficient interdomain secure routing with blockchain[J]. Computers & Electrical Engineering, 2020, 83: 106584.
[51] HE G B, SU W, GAO S, et al. ROAchain: Securing route origin authorization with blockchain for inter-domain routing[J]. IEEE Transactions on Network and Service Management, 2021, 18(2): 1690-1705.
[52] SENTANA I W B, IKRAM M, KAAFAR M A. BlockJack: Blocking IP prefix hijacker in inter-domain routing[C]// Proceedings of the Student Workshop. Barcelona, Spain: ACM, 2020: 1-2.
[53] FELDMANN A E, FOSCHINI L. Balanced partitions of trees and applications[J]. Algorithmica, 2015, 71(2): 354-376.
[54] SANDERS P, SCHULZ C. Think locally, act globally: Highly balanced graph partitioning[C]// Proceedings of the 12th International Symposium on Experimental Algorithms. Rome, Italy: Springer, 2013: 164-175.
[55] HLAVACEK T, CUNHA I, GILAD Y, et al. DISCO: Sidestepping RPKI's deployment barriers[C]// Proceedings of the 27th Annual Network and Distributed System Security Symposium. San Diego, USA: The Internet Society, 2020.
[56] ORSINI C, KING A, GIORDANO D, et al. BGPStream: A software framework for live and historical BGP data analysis[C]// Proceedings of 2016 Internet Measurement Conference. Santa Monica, USA: ACM, 2016: 429-444.
[57] APNIC. APNIC guidelines for IPv4 allocation and assignment requests[EB/OL]. (2005-09-01)[2022-12-19]. https://www.apnic.net/about-apnic/corporate-documents/documents/resource-guidelines/ipv4-guidelines/.
[58] ANDROULAKI E, BARGER A, BORTNIKOV V, et al. Hyperledger fabric: A distributed operating system for permissioned blockchains[C]// Proceedings of the thirteenth EuroSys conference. Porto, Portugal: ACM, 2018: 30.
[59] LIN Q W, LI C, ZHAO X F, et al. Measuring decentralization in bitcoin and ethereum using multiple metrics and granularities[C]// Proceedings of the 2021 IEEE 37th International Conference on Data Engineering Workshops. Chania, Greece: IEEE, 2021: 80-87.
[1] 杨家海, 焦亮, 秦董洪, 葛连升. 基于BGP路由表的域间路径特性实验研究[J]. 清华大学学报(自然科学版), 2015, 55(11): 1190-1196.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
版权所有 © 《清华大学学报(自然科学版)》编辑部
本系统由北京玛格泰克科技发展有限公司设计开发 技术支持:support@magtech.com.cn