
Design And Implementation Of Route Filtering Subsystem Based On RPKI Protocol

Posted on: 2018-10-05; Degree: Master; Type: Thesis
Country: China; Candidate: H Q Sun; Full Text: PDF
GTID: 2348330536481612; Subject: Software engineering
Abstract/Summary:
In an increasingly complex network environment, BGP is the only inter-domain routing protocol that can handle multiple connections between unrelated routing domains, and it plays a key role in exchanging information with other BGP systems. However, the BGP protocol does not provide any security mechanism to ensure the security of the Internet inter-domain routing system. As a result, the security of the Internet BGP inter-domain routing system is threatened by prefix hijacking and other attacks. Based on this, our objective is to (i) find out the reasons for routing prefix hijacking; (ii) propose routing origin authorization based on the RPKI protocol to minimize the threat of prefix hijacking in the network. The main innovative research in this paper includes the following. First, a scheme based on the RPKI protocol is proposed to verify the legitimacy of the binding relationship between the IP address prefix and the AS number in routing information. Through the verification process, it is known whether the routing information is complete and correct. According to the verification result, routes with a valid result are treated as the effective routes for forwarding traffic, which avoids the misleading influence of route prefix hijacking events. Second, the system is designed with six modules: command line, session, message transmission, ROA information, routing information processing and high reliability protection. Together, the six modules implement the RPKI route origin authentication function. In the proposed program, the MD5 encryption method is adopted for the session connection, and the ROA information is stored in a Radix tree data structure. A dynamically expanding BIT-MAP data structure is proposed for recording the distribution of route origin authentication results, which further saves storage space. Third, a demonstration system with a C/S architecture is set up for RPKI route origin authentication. After the command is enabled, it can be seen that the legitimacy of routing information is verified, and the display of routing information is adjusted according to the authorization results when the routing information is viewed. Finally, the experimental tests show that the system meets enterprise-level functional requirements and, after program tuning and equipment debugging, the system has been put into actual use in a network environment.
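
The prefix-to-origin-AS check described in the abstract, as an added example that is not code from the thesis: it follows the valid / invalid / not-found states of RFC 6811 and stores ROAs in a plain binary prefix trie, a simplified stand-in for the thesis's Radix tree. The class name `RoaTable`, the documentation prefixes and the AS numbers are constructed for illustration.

```python
import ipaddress

class RoaTable:
    """ROAs in a binary prefix trie (simplified stand-in for a Radix tree)."""

    def __init__(self):
        self.roots = {4: {}, 6: {}}          # one trie per address family

    @staticmethod
    def _bits(net):
        # Most-significant-first bits of the network address, prefixlen long.
        width, value = net.max_prefixlen, int(net.network_address)
        return [(value >> (width - 1 - i)) & 1 for i in range(net.prefixlen)]

    def add(self, prefix, max_length, asn):
        net = ipaddress.ip_network(prefix)
        node = self.roots[net.version]
        for bit in self._bits(net):
            node = node.setdefault(bit, {})
        node.setdefault("roas", []).append((max_length, asn))

    def validate(self, prefix, origin_asn):
        """Return 'valid', 'invalid' or 'not-found' for an announced route."""
        net = ipaddress.ip_network(prefix)
        node, path, covered = self.roots[net.version], self._bits(net), False
        for depth in range(len(path) + 1):
            # Every ROA met on the walk covers the announced prefix.
            for max_length, asn in node.get("roas", []):
                covered = True
                # AS 0 ROAs never match: they mark space that must not be routed.
                if asn == origin_asn and asn != 0 and net.prefixlen <= max_length:
                    return "valid"
            if depth == len(path) or path[depth] not in node:
                break
            node = node[path[depth]]
        # Covered by some ROA but matched by none: treat as a possible hijack.
        return "invalid" if covered else "not-found"

# Constructed sample ROAs (documentation prefixes and AS numbers).
TABLE = RoaTable()
TABLE.add("192.0.2.0/24", 24, 64496)
TABLE.add("2001:db8::/32", 48, 64497)

if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                       ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64496)]:
        print(route, asn, TABLE.validate(route, asn))
```

A more-specific announcement from the authorized AS is still invalid when it exceeds the ROA's maximum length, which is what stops sub-prefix hijacks that reuse the legitimate origin.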
Keywords/Search Tags:BGP Protocol, prefix hijacking, RPKI protocol, route authentication