
Research And Implementation Of Security Mechanism For Border Gateway Protocol

Posted on: 2008-06-19 | Degree: Master | Type: Thesis
Country: China | Candidate: W Yin | Full Text: PDF
GTID: 2178360242999178 | Subject: Computer Science and Technology
Abstract/Summary:
As the standard communication protocol between ASes, BGP (Border Gateway Protocol) is a critical piece of Internet infrastructure. Although it is widely deployed in the Internet, BGP still faces various threats from malicious attacks or improper management, such as passive and active wiretapping, tampered or forged messages, run-time errors, mis-configuration, and so on. The high frequency and large-scale impact of security incidents have made security mechanisms for BGP an active research area.

This thesis encompasses four main tasks. First, the threats faced by BGP are presented, as are the various security mechanisms, and their advantages and disadvantages are described. In addition, we implement the MOAS-LIST mechanism, a countermeasure to the MOAS phenomenon. The legitimate owners of an IP address prefix are carried in UPDATEs as a list called the MOAS LIST, which route receivers use to check the route. We implement this mechanism on top of the open-source routing software zebra and run experiments. Furthermore, the experiments show that the security capability of the MOAS-LIST mechanism is limited when MOAS LISTs are inconsistent. As a consequence, we propose an improved mechanism named MOAS-RQ (Multiple Origin Autonomous System-Registry and Query mechanism), which enables routers to query a server when an inconsistency occurs. Moreover, SE-BGP is studied and implemented. It addresses passive and active wiretapping, the integrity of UPDATEs, and the authenticity of the owner of an IP address prefix. In this mechanism, a number of AS Alliances are constructed based on the AS topology. A CA center is then built in each AS Alliance, which distributes two kinds of certificates: one indicates ownership of an IP address prefix, and the other validates ownership of an AS number. Every SE-BGP-enabled router signs UPDATEs using its private key, and route receivers validate the origin with IP address certificates and the PATH attribute with AS certificates. At the same time, IPsec is employed to protect communication between BGP peers.

The MOAS-RQ mechanism is a better solution to the MOAS problem than the MOAS-LIST mechanism. The SE-BGP mechanism can solve many of the security issues encountered by BGP routers, including providing secure communication between peer BGP routers, validation of route origin, and so on. SE-BGP is a good example of integrating BGP routing software with PKI. SE-BGP is also superior to S-BGP in most respects: first, a distributed PKI is established based on AS Alliances; second, low-overhead signature and validation algorithms are employed; third, SE-BGP can be deployed incrementally.
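The receiver-side logic the abstract describes for MOAS-LIST and MOAS-RQ can be sketched as follows. This is an added illustration, not code from the thesis or from zebra: the `Announcement` record, the verdict strings, and the dictionary standing in for the MOAS-RQ server are assumptions, and the wire encoding of the MOAS LIST is not modelled. It also assumes that the list check alone can only flag a conflict, so the registry is consulted to resolve it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    prefix: str           # announced IP prefix
    origin_as: int        # AS originating the route
    moas_list: frozenset  # origin ASes this UPDATE lists as legitimate

def moas_lists_consistent(anns):
    """MOAS-LIST check: every UPDATE carries the same list and each origin is in it."""
    lists = {a.moas_list for a in anns}
    return len(lists) == 1 and all(a.origin_as in a.moas_list for a in anns)

def validate(anns, registry):
    """Return {origin_as: verdict} for the announcements of one prefix.

    registry is a hypothetical stand-in for the MOAS-RQ server
    (prefix -> registered origin ASes); it is consulted only on inconsistency.
    """
    prefixes = {a.prefix for a in anns}
    if len(prefixes) != 1:
        raise ValueError("validate() expects announcements for a single prefix")
    if moas_lists_consistent(anns):
        return {a.origin_as: "accept" for a in anns}
    registered = registry.get(anns[0].prefix)
    if registered is None:  # server has no record: conflict stays unresolved
        return {a.origin_as: "unverified" for a in anns}
    return {a.origin_as: "accept" if a.origin_as in registered else "reject"
            for a in anns}

# Constructed sample data (documentation prefix and AS numbers).
PREFIX = "192.0.2.0/24"
OWNERS = frozenset({64500, 64501})
CONSISTENT = [Announcement(PREFIX, 64500, OWNERS),
              Announcement(PREFIX, 64501, OWNERS)]
# A third origin announces the prefix with a list that adds itself.
CONFLICT = CONSISTENT + [Announcement(PREFIX, 64510, OWNERS | {64510})]
REGISTRY = {PREFIX: OWNERS}

if __name__ == "__main__":
    print(validate(CONSISTENT, REGISTRY))
    print(validate(CONFLICT, REGISTRY))
    print(validate(CONFLICT, {}))
```

With the list check alone, the conflicting case can only be reported as inconsistent; the registry lookup is what lets the receiver decide which origins to keep.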
Keywords/Search Tags:BGP, MOAS-RQ, MOAS-LIST, routing security, security mechanism