Research On Inter-Domain Routing System Security

Posted on: 2010-08-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X J Hu
Full Text: PDF
GTID: 1118360305473653
Subject: Computer Science and Technology

Abstract/Summary:
As the core infrastructure of the Internet, the inter-domain routing system consists of a large number of interconnected autonomous systems (ASes), which exchange their routes using the Border Gateway Protocol (BGP). Inter-domain routing security has become a significant issue for the future Internet, and improving the native security of BGP is an unavoidable problem. Most security mechanisms based on public key cryptography are far from deployment due to performance, trust model and other issues. As a complex large system, the inter-domain routing system has many essential properties that differ from those of other networks, so novel research methods and technological approaches should be introduced.

The understanding of the root of the problem has a direct impact on the design, implementation, operation and management of the inter-domain routing system. Existing research has not comprehensively grasped the basic laws and the evolutionary trend of the inter-domain system.

In this dissertation, we provide new techniques and mechanisms to improve the security performance of the inter-domain routing system, using complex system theory and the self-organized rules of ISPs, based on the self-organization property of the inter-domain routing system itself. Our goal is to contribute to the continued and healthy development of the new generation network and to the process of constructing a more reliable, more faithful, more controllable and more manageable Internet.

Our work expands the research in four aspects, as follows.

Self-organization theory based AS Alliance mechanism

Self-organization is a promising mechanism to control the complexity of large-scale and dynamic networks. On the basis of an in-depth analysis of self-organized patterns in inter-domain routing, the notion of the AS Alliance is proposed. Evolutionary algorithms for the AS Alliance (including generation, merging, and decomposition) are designed. We also present the mechanism for realizing the AS Alliance in BGP and describe the organization pattern of the AS Alliance.

An AS Alliance is a local group of clustered ASes in which only a small number of ASes can transmit routing information to ASes outside the group. The AS Alliance makes full use of the geographic characteristics of ISPs, the collectivization of business benefits and the union of political interests. From one point of view, the AS Alliance is the logical structure between the Internet and the AS. The AS Alliance has the ability of self-evolution and can improve the route security of the whole Internet by encouraging other ASes to join the Alliance. Moreover, the introduction of the AS Alliance is significant in two ways. First, it provides an organization pattern that could be a reliable technical approach for promoting global performance through local management. Second, as a very small number of nodes in the inter-domain routing system, the key nodes in an AS Alliance have special application value.

The AS Alliance provides a valuable technical approach for our study.

AS Alliance-oriented security extended mechanism

The AS Alliance provides new ideas and platforms for enhancing the security of the inter-domain routing system. Four AS Alliance-oriented security enhancement mechanisms are proposed: 1) AS Alliance-oriented DRCM (Distributed Resource Certificate Mechanism); 2) AS Alliance-oriented TTM (Translator Trust Model); 3) AS Alliance-oriented PCDARF (Prefix Collision Detection and Resolution Framework), including UPCDR (Usedspace-based Prefix Collision Detection Rules) and T-PCRA (Three-Phase Prefix Collision Resolution Algorithm); 4) ARL-RSA (Alliance-Relation-List based Route Stabilization Algorithm).

DRCM realizes distributed and registered management of resource certificates through the AS Alliance structure.

TTM is an intermediate state between hierarchical trust and web of trust. It simplifies the trust relation within the same Alliance and realizes in-band transfer of the trust relation among different Alliances through key nodes.

PCDARF can be used for prefix collision detection in DRCM and for collision resolution. UPCDR builds a class model for the used prefix space and collision detection rules through an extended RPSL (Routing Policies Specification Language). The validity of UPCDR is verified. T-PCRA has three phases: collision orientation, collision negotiation and self-decision. It provides a complete mechanism for negotiation and decision, and restrains irresponsible nodes by reputation degree.

ARL-RSA uses the Alliance relation list and a cost function to restrain WITHDRAW messages during a period of time. It effectively reduces the route flapping caused by temporary link failures and significantly improves the stability of the inter-domain routing system.

AS Alliance-oriented security extended BGP

In order to implement the AS Alliance and the above-mentioned security extended mechanisms, we design SE-BGP, a novel AS Alliance-oriented security extended BGP. SE-BGP uses ROC (route of certificate) to protect route credibility, with DRCM as the certificate architecture. Trust is transferred between different Alliances in-band, using the TTM-based two-signature translation mechanism in key nodes. The routing properties, algorithm and configuration are extended in SE-BGP.

It is demonstrated that SE-BGP has the same security performance as S-BGP under a rational assumption. Compared with traditional inter-domain routing protocols, SE-BGP can adapt to the evolution of the network structure and has good scalability.

Implementation of SE-BGP

Finally, we implement SE-BGP based on the Linux operating system and MRT (Multi-Threaded Routing Toolkit), a notable software router. SE-BGP has a software architecture similar to that of S-BGP. Configuration, such as AS Alliances and certificates, can be loaded in automatic or manual mode. The authentication and signature algorithm in a key node is different from that in a normal node. The testing results show that SE-BGP protects the credibility of routes and that its security capability is almost equal to that of S-BGP. In addition, SE-BGP has good performance scalability.

Keywords/Search Tags:inter-domain routing, Border Gateway Protocol, autonomous systems, AS Alliance, self-organization, security