| The recent growth in use of the Internet has brought with it a correspondingly increased reliance on the network infrastructure that makes it all possible. Routing protocols (RIPv2, EIGRP, BGP, and OSPFv2) and network management protocols (e.g., SNMPv3/ng) form the very heart of this infrastructure. Routing protocols are an active research area in Next Generation Network infrastructure, and their security is one of the research topics. Routing protocol security mainly concerns how to protect the authenticity and integrity of routing messages, as well as how to choose a secure route. Authenticity of routing messages means that the identity of the announcing router is valid; specifically, the announced routing messages really originate from a valid router. Integrity of routing messages means that the messages are not modified in transit; that is, the received routing messages still match the original ones.

The OSPF and BGP routing protocols are both widely used in the Internet. However, threats to these two routing protocols come mainly from two sources, external and internal. External threats come from outside intruders who are non-participants in the protocol, and include breaking the neighbour relationship, replay attacks, masquerading attacks, passive listening and traffic analysis. Internal threats come from compromised protocol participants, and include generating spurious routing information, deleting or modifying routing information packets, etc.

This thesis focuses on the security problems existing in Open Shortest Path First (OSPF) and the Border Gateway Protocol (BGP). Our goal is to propose security mechanisms for both the OSPF and BGP routing protocols, based on trust theory and cryptography. In our work on OSPF, we proposed a mechanism for choosing a secure route based on trust theory.
We also proposed a mechanism to protect the authenticity and integrity of the routing information in the LSA packet, especially the age value, with the help of a sanitizable signature scheme. For BGP, we present a two-hop AS_PATH aggregate signature scheme to protect the security of the BGP AS_PATH, built on our proposed Identity-Based Sanitizable Aggregate Signature Scheme. The key contributions of this thesis are as follows.

Firstly, by integrating the status and behavior of network entities, we propose a new dynamic trust model for trusted networks. The trust information is obtained through associated analysis of the status and behavior of entities. The relationship between trust and the status and behavior of network entities was also studied, and a new dynamic trust measurement for trusted networks was proposed. The simulation results show that the new trust model has advantages in providing real-time dynamic trust. It is highly effective in countering malicious entities that strategically alter their behavior or launch malicious attacks, in offering better choices for task assignment in the network, in helping to set security policies for the network, and in enhancing the trustworthiness of the network.

Secondly, on the problem of how to choose a credible route, we propose a new algorithm that determines a credible routing path from the start router to the end router based on trust theory, using the trust model presented above. The algorithm treats the trustworthiness of the link, the cost of the link and the trustworthiness of the router as the critical factors, and applies the principle of grey correlation degree to obtain a credible routing path, instead of the weighted mean used in existing trust measurement methods. We guarantee that packets can be transferred securely along the credible routing path, and we identify remote routers that are subject to attacks.

Thirdly, we focus on the authenticity and integrity of the LSA information.
For this goal, we propose a novel security mechanism to protect the authenticity and integrity of the routing information in LSA packets based on a sanitizable signature scheme. We first enhance sanitizable signature schemes; then, combined with the weak transparency security property of the sanitizable signature algorithm, we protect the routing messages of the OSPF protocol and, in particular, the age value. Security analysis shows that the proposed OSPF protocol can avoid the MaxAge attack and the premature MaxAge attack.

Finally, to find a more efficient mechanism for protecting the authenticity and integrity of AS_PATH, we propose a novel security mechanism for the BGP routing protocol with the help of an Identity-Based Sanitizable Aggregate Signature Scheme. First, using the idea of identity-based signatures, we propose the identity-based sanitizable aggregate signature scheme using bilinear mapping and the sanitizable signature proposed by Brzuska et al., and we prove the security of the scheme. Then, based on this scheme, a two-hop AS_PATH aggregate signature scheme that avoids replay attacks is proposed to address the lack of authenticity and integrity protection for AS_PATH in the BGP routing protocol. Under the same network and system parameters, the scheme is practical, requiring fewer aggregate signing operations and less time for routing updates. This research not only enriches the theory of cryptography, but also has practical significance. |
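
The route-selection contribution above ranks paths by grey correlation degree over link trust, router trust and link cost. The following is an added illustration, not the thesis's own algorithm or code: it uses the standard (Deng) grey relational analysis, and the path names, metric values and the coefficient 0.5 are assumptions constructed for the example.

```python
# Added illustration, not the thesis's algorithm: standard (Deng) grey
# relational analysis applied to the three factors the abstract names.
RHO = 0.5  # customary distinguishing coefficient (assumed)

# Constructed sample data: (link trust, router trust, link cost) per path.
PATHS = {
    "R1-R2-R5": (0.90, 0.90, 20),
    "R1-R3-R5": (0.60, 0.95, 10),
    "R1-R4-R5": (0.85, 0.40, 30),  # traverses a low-trust router
}
HIGHER_IS_BETTER = (True, True, False)  # trust is a benefit, cost is not


def normalise(paths, higher_is_better=HIGHER_IS_BETTER):
    """Scale every factor to [0, 1] so that 1 is always the ideal value."""
    columns = list(zip(*paths.values()))
    scaled = {}
    for name, row in paths.items():
        values = []
        for x, col, benefit in zip(row, columns, higher_is_better):
            lo, hi = min(col), max(col)
            if hi == lo:                       # factor does not discriminate
                values.append(1.0)
            elif benefit:
                values.append((x - lo) / (hi - lo))
            else:
                values.append((hi - x) / (hi - lo))
        scaled[name] = values
    return scaled


def grey_grades(paths, rho=RHO):
    """Grey relational grade of each path against the ideal sequence (1, 1, 1)."""
    deltas = {n: [1.0 - v for v in vals] for n, vals in normalise(paths).items()}
    flat = [d for ds in deltas.values() for d in ds]
    d_min, d_max = min(flat), max(flat)
    if d_max == 0:                             # all paths identical to the ideal
        return {n: 1.0 for n in paths}
    return {
        n: sum((d_min + rho * d_max) / (d + rho * d_max) for d in ds) / len(ds)
        for n, ds in deltas.items()
    }


def rank_paths(paths):
    """Path names ordered from most to least credible."""
    grades = grey_grades(paths)
    return sorted(grades, key=grades.get, reverse=True)
```

With this sample data the path through the low-trust router ranks last even though its link trust is high, because each factor contributes its own relational coefficient to the grade.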