
Hierarchical Inter-domain Routing System And The Key Techniques

Posted on: 2009-02-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: N Wang
GTID: 1118330338485505
Subject: Communication and Information System

Abstract/Summary:
Many studies reveal that the Internet inter-domain routing system faces a serious scaling problem, manifested as an inflated global routing table and frequent routing updates. The dissertation finds that the ultimate cause of the inflated global routing table is the overly wide identifying range of the IP address: an IP address is used to identify a host's identity and location, a subnet's location and an autonomous system's location, but in practice the number of IP prefixes used to identify an autonomous system's location is uncontrollable. The ultimate cause of frequent routing updates is the flat inter-domain routing architecture, in which the instability of edge-network routing directly affects the stability of core-network routing. Based on these findings, the dissertation proposes a new inter-domain routing system, the Hierarchical inter-domain routing system (Hidros). The kernel of Hidros is hierarchical routing: routers in the "more stable" core networks run an inter-domain routing protocol to maintain reachability between them; in the "less stable" edge, a mapping service is introduced to maintain reachability between the edge and the core. Hidros divides inter-domain routing into two layers: a low-rank mapping layer and a high-rank routing layer. The low-rank mapping layer maintains reachability between stub and transit autonomous systems; the high-rank routing layer maintains reachability between transit autonomous systems. Hidros consists of a mapping table establishment and management protocol, a routing table distribution protocol, a high-rank inter-domain routing protocol and a path maintenance protocol. Hidros introduces an inter-domain routing identifier, the Locator identifier (LID), to identify a transit autonomous system's location and to shorten the identifying range of the IP address.
Because the network edge and core are separated, evaluation results indicate that in a Hidros network high-rank inter-domain routing updates are observably decreased and the stability of core-network routing is enhanced. To deploy and apply Hidros in practice, the dissertation conducts in-depth research on the LID format, high-rank inter-domain routing security, and how to bind an IP prefix to its origin autonomous system. Based on the conclusion that if the LID adopts the topologically aggregatable IPv4 address format the global routing table inflation problem will still exist and may even worsen, the dissertation designs a novel address format for the LID, comprising an autonomous system number and a locator, where the locator is uniquely determined by the transit autonomous system and its provider autonomous system. With this format, the number of LIDs identifying a transit autonomous system's location is correlated with the number of that transit autonomous system's providers. Evaluation results indicate that the Hidros network's global routing table is observably reduced and grows linearly and controllably. BGP, which can serve as the high-rank inter-domain routing protocol, does not validate the authenticity of the AS_PATH path attribute in an update message and therefore suffers from AS_PATH forgery attacks. Such an attack results in serious consequences such as network unreachability, traffic blackholing and subversion; and as long as connectivity is preserved, the attack is very difficult for a network carrier to detect. Current solutions cannot be implemented and deployed in the real world because of heavy and complicated PKI key management and large memory cost. The dissertation brings identity-based cryptography to securing inter-domain routing for the first time, presenting a high-rank inter-domain secure routing protocol, the Identity-Based Aggregate Path Verification protocol (IBAPV).
IBAPV adopts a more efficient and easily deployed identity-based aggregate signature scheme to protect AS_PATH, instead of the certificate-based schemes that cause the performance and deployment problems of current solutions. Moreover, to solve the inherent key escrow problem of identity-based cryptographic schemes, a Distributed and Hierarchical Key Issuing protocol (DHKI) is proposed, which makes securing a routing protocol with an identity-based cryptographic scheme feasible. To accurately establish the mapping between an IP prefix and an inter-domain routing identifier, and to make a Hidros network resistant to prefix hijacking, an IP prefix must be bound to its origin autonomous system. BGP origin AS authentication mechanisms can be used for this. However, it is found that current centralized origin AS authentication mechanisms are vulnerable to a form of prefix hijacking called "upper-class ISP" hijacking. The dissertation presents a novel method for binding an IP prefix to its origin autonomous system, Allocation Track (AT). The basic idea of AT is that, for a prefix, the AS that provides the longest valid allocation path is its origin AS. When used to secure BGP, AT resists valid prefix hijacking, sub-prefix hijacking and unused prefix hijacking, and especially "upper-class ISP" prefix hijacking.

The main works in the dissertation are outlined as follows.

1. The dissertation studies the scalability problem of the Internet inter-domain routing system;
2. The dissertation studies the address format of the inter-domain routing identifier that identifies an autonomous system's location in the network;
3. The dissertation studies the inter-domain routing security problem and the inherent key escrow problem of identity-based cryptographic schemes;
4. The dissertation studies how to bind an IP prefix to its origin autonomous system.

The main contributions of the dissertation are outlined as follows.

1. The dissertation proposes a hierarchical inter-domain routing system, Hidros, which enhances the scalability of the inter-domain routing system;
2. The dissertation designs a novel inter-domain routing identifier, which decreases the size of the global routing table;
3. The dissertation brings identity-based cryptography to securing inter-domain routing for the first time, presenting an Identity-Based Aggregate Path Verification protocol, which enhances the security of the inter-domain routing protocol;
4. The dissertation proposes a Distributed and Hierarchical Key Issuing protocol, which makes applying an identity-based cryptographic scheme in practice possible;
5. The dissertation presents a novel method, AT, based on the length of the IP prefix allocation path, which addresses prefix hijacking.

This research comes from the National Grand Fundamental Research 973 Program of China, "Research on universal trusted network and pervasive service architecture". The work in the dissertation has laid an important foundation for further in-depth study in this project.
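The Allocation Track rule from the abstract (the AS with the longest valid allocation path is the prefix's origin), worked through on constructed allocation records. This is an added illustration, not code from the dissertation; the record format (allocator, allocatee, prefix), the registry root "RIR" and the AS numbers are assumptions, and the case where the upper-class ISP AS100 announces space it delegated downward shows why a plain holder check is not enough.

```python
import ipaddress

# Constructed allocation records, not from the dissertation: (allocator, allocatee, prefix).
# "RIR" stands in for the registry at the root of every allocation chain.
ALLOCATIONS = [
    ("RIR",   "AS100", "203.0.113.0/24"),   # registry -> upper-class ISP
    ("AS100", "AS200", "203.0.113.0/25"),   # ISP -> regional provider
    ("AS200", "AS300", "203.0.113.0/26"),   # provider -> customer (true origin)
    ("RIR",   "AS400", "198.51.100.0/24"),  # unrelated holder
]


def allocation_path(prefix, origin_as, allocations=ALLOCATIONS):
    """Walk upward from origin_as to the registry. Each hop must be an allocation
    whose block covers the block delegated at the hop below, since a holder can
    only delegate space it actually holds. Returns the chain root-first, or None
    when no valid chain exists. (Multi-homed holders would need every covering
    record tried; this illustration takes the first one found.)"""
    need = ipaddress.ip_network(prefix)
    holder, path, seen = origin_as, [origin_as], {origin_as}
    while holder != "RIR":
        step = None
        for allocator, allocatee, block in allocations:
            net = ipaddress.ip_network(block)
            if allocatee == holder and need.subnet_of(net):
                step = (allocator, net)
                break
        if step is None or step[0] in seen:   # no covering allocation, or a loop
            return None
        holder, need = step
        seen.add(holder)
        path.append(holder)
    return list(reversed(path))


def resolve_origin(prefix, claimants, allocations=ALLOCATIONS):
    """AT rule: among ASes announcing `prefix`, the one with the longest valid
    allocation path is its origin. Returns (asn, path), or (None, None) when no
    claimant can show any allocation at all (an unused-prefix hijack)."""
    best = (None, None)
    for asn in claimants:
        path = allocation_path(prefix, asn, allocations)
        if path and (best[1] is None or len(path) > len(best[1])):
            best = (asn, path)
    return best
```

For 203.0.113.0/26 announced by AS100, AS300 and an unknown AS666, AS100 can show a valid two-hop chain because it holds the covering /24, but AS300's four-hop chain is longer, so AT selects AS300.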
Keywords/Search Tags: BGP, Scalability, Security, Separation, Mapping service, Identity-based cryptography, Prefix hijacking