
Research And Implementation On Security Mechanism Of Intra Domain Routing Protocol

Posted on: 2016-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y G Li
GTID: 2348330509960612
Subject: Computer science and technology
Abstract/Summary:
With the rapid development and popularization of Internet technology, various network services (cloud computing, e-commerce, Internet, video conferencing, etc.) have become closely linked to our daily work and life, but the security mechanisms of Internet IGP routing are still imperfect. Routers running an IGP learn the topology of the network by synchronizing their link-state databases, yet the routing information is not sufficiently protected during synchronization, which gives rise to the threat of tampering and forgery. Attacks on IGP protocols are showing a growth trend, so a safe and reliable security mechanism for IGP routing protocols has become a very urgent task.

This paper investigates two intra-domain routing protocols, OSPF and IS-IS, from the aspects of their working mechanisms, convergence, scalability and security. Drawing on this, we summarize the advantages and disadvantages of the two protocols as follows. OSPF has more routing strategies and more area types, protocol data packet types and circuit types; it is more suitable for small and medium-sized enterprise networks. IS-IS is relatively simple and stable and has better scalability; with a large number of routing entries it processes them more efficiently than OSPF, and it is more suitable for deployment by network operators and ISPs. In addition, experiments show that in the same network environment the convergence time of OSPF is almost the same as that of IS-IS (about 5.6 s). Without regard to the waiting time for the SPF calculation, the convergence time of OSPF is 10% shorter than that of IS-IS.

For the routing security mechanism of the OSPF protocol, on the one hand, LSA digital signature and authentication technology is adopted for the synchronization of the routers' link-state databases, to enhance the security of routing information. On the other hand, based on the I2RS (Interface to the Routing System, similar to SDN) network architecture, this paper proposes a centralized trusted verification framework for OSPF routing. In this framework, each router has a trusted authentication agent. The RIB (Routing Information Base) manager supplies routing information to the agent through its open northbound interface, and the trusted agent module reads and writes the routing information of the OSPF process. The agent transmits the routing information to a remote, centralized trusted authentication server, which performs data consistency verification on the routing information of all routers in the routing domain. Routing information that has been tampered with or falsified by external intruders is fed back to the trusted agent in the form of a routing strategy, and the trusted agent module performs the corresponding operation, thereby forming a closed-loop control structure for routing information. Validated in a simulated network environment, the methods proposed in this paper can significantly improve the security of OSPF and effectively resist different kinds of routing forgery attacks.
Keywords/Search Tags:IGP, OSPF, IS-IS, Routing Protocol, Security, Trust Mechanism