A Study On Authentication-based Secure Routing Architecture

Posted on: 2011-10-16
Degree: Master
Type: Thesis
Country: China
Candidate: L Li
GTID: 2178330338990325
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, the number of Chinese netizens had reached 384 million by December 31, 2009. Internet-based e-government, e-commerce and similar services are becoming an ever deeper part of people's daily lives. However, the Internet, built on the traditional TCP/IP protocol stack, is increasingly constrained by security issues. In the early period of the Internet, the TCP/IP protocols focused mainly on interconnection, while link-layer and application-layer protocols were very rich. This funnel-shaped design lets a wide variety of devices and applications interconnect, but the initial design did not take the security of interconnection into account. This has led to many Internet security problems, such as DoS attacks, spam, routing hijacking and so on.

This paper presents an authentication-based secure routing architecture (AB-SRA). It aims to solve the security problem of unauthorized Internet traffic through authentication between the destination host and the source host. The source host receives a token (note: the token includes a signature over the source address, destination address, etc.) only if the destination host authenticates the source host. The source host places the token in its IP packets, and the packets carrying the token are routed toward the destination host. AB-SRA routers authenticate the token of each ingress packet and forward only legitimate packets, so that only legitimate packets reach the destination host. The token signature and authentication mechanism is based on public-key cryptography. The system provides a key update mechanism that dynamically updates keys to improve key security. The thesis discusses incremental deployment of AB-SRA into the existing network architecture. Finally, NS-2 network simulation software is used to evaluate the effectiveness of AB-SRA.
The major work includes:
(1) It puts forward the AB-SRA architecture, a network architecture based on digital signatures and an authentication mechanism. To communicate, an end host must apply for a signed token from the DNS server; the host's packets are then sent into the network carrying this token. The first-hop router looks up the routing table and authenticates the token of each packet. Only legitimate packets are forwarded; illegitimate packets are discarded. Whether a packet is forwarded or discarded depends on the result of authentication.
(2) It puts forward a DNS security structure. The existing public key infrastructure (PKI) is integrated into the DNS, which enhances the security of name resolution and of DNS itself.
(3) We use NS2 network simulation software to simulate the AB-SRA system. We modify the NS2 source code so that it can simulate the signing and authentication of packet tokens. We measure and analyze the performance of the AB-SRA system. The simulation results show the effectiveness of AB-SRA against attacks that use unauthorized traffic.
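The token check described in the abstract can be sketched as follows. This is an added example, not code from the thesis or its NS2 modifications. Ed25519 stands in for the unspecified public-key scheme, and the `Token` layout, the `KeyID` field and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Token layout is assumed (not from the thesis); KeyID models the key update.
type Token struct {
	Src, Dst netip.Addr
	KeyID    uint32
	Sig      []byte
}

// signedBytes is the fixed-length encoding that gets signed.
func signedBytes(t Token) []byte {
	s, d := t.Src.As16(), t.Dst.As16()
	return binary.BigEndian.AppendUint32(append(s[:], d[:]...), t.KeyID)
}

// Issue signs a token once the source host has been authenticated.
func Issue(priv ed25519.PrivateKey, keyID uint32, src, dst netip.Addr) Token {
	t := Token{Src: src, Dst: dst, KeyID: keyID}
	t.Sig = ed25519.Sign(priv, signedBytes(t))
	return t
}

// Forward is the router check; nil means forward, an error means discard.
func Forward(keys map[uint32]ed25519.PublicKey, src, dst netip.Addr, tok Token) error {
	if tok.Src != src || tok.Dst != dst {
		return errors.New("discard: token missing or issued for other addresses")
	}
	pub, ok := keys[tok.KeyID]
	if !ok || !ed25519.Verify(pub, signedBytes(tok), tok.Sig) {
		return errors.New("discard: retired key or bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	src, dst := netip.MustParseAddr("192.0.2.10"), netip.MustParseAddr("198.51.100.7")
	tok := Issue(priv, 1, src, dst) // constructed sample addresses
	keys := map[uint32]ed25519.PublicKey{1: pub}
	fmt.Println(Forward(keys, src, dst, tok))
	fmt.Println(Forward(keys, netip.MustParseAddr("203.0.113.5"), dst, tok))
}
```

Binding the token to the packet's own addresses is what stops a token obtained by one authenticated host from being reused under a different source address; removing a key ID from the router's key table invalidates every token signed under it.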
Keywords/Search Tags:AB-SRA, token, signature, authentication