主页期刊介绍编委会编辑部服务介绍道德声明在线审稿编委办公编辑办公English
2018-2019年专刊出版计划 微信服务介绍 最新一期:2019年第8期
     
在线出版
各期目录
纸质出版
分辑系列
论文检索
论文排行
综述文章
专刊文章
美文分享
各期封面
E-mail Alerts
RSS
旧版入口
中国科学院软件研究所
  
投稿指南 问题解答 下载区 收费标准 在线投稿
王立军.基于域间路由的分布式分组过滤有效性研究.软件学报,2012,23(8):2130-2137
基于域间路由的分布式分组过滤有效性研究
Research on the Effectiveness of Distributed Packet Filtering Based on Inter-Domain Routing
投稿时间:2011-04-14  修订日期:2011-11-02
DOI:10.3724/SP.J.1001.2012.04134
中文关键词:  域间路由  伪造分组  分布式分组过滤
英文关键词:inter-domain routing  spoofed packet  distributed packet filtering
基金项目:
作者单位E-mail
王立军 清华大学 信息网络工程研究中心,北京 100084 wanglijun@cernet.edu.cn 
摘要点击次数: 2390
全文下载次数: 2297
中文摘要:
      消除伪造源地址分组是互联网安全可信的内在要求.基于路由的分布式分组过滤具有良好的效果,但是目前对其有效性缺乏严密的理论分析.基于域间路由传播和互联网拓扑的分层特征,建立路由传播数模型和理想AS 图模型,以此为工具分析了基于域间路由的最大过滤和半最大过滤有效性.结论印证并从理论上解释了前人研究中的实验结果.最大过滤能够消除绝大多数的伪造分组,虽然无法达到100%,但可以将伪造成功的自治系统数量限制为互联网AS路径的平均长度.在理想AS图上,半最大过滤与最大过滤的有效性相同,但是存储和计算开销要小很多,为实际中部署半最大过滤提供了理论依据.理论模型分析揭示了基于域间路由的分布式分组过滤的内在优缺点,有助于设计辅助措施和在整个互联网全面而合理地部署.
英文摘要:
      Filtering the spoofed packets with a false source addresses is the inherent requirement of the trustworthy and secure Internet. Routing based distributed packet filtering is effective, but its effectiveness has no solid theory analysis. In this paper, based on the inter-domain route distribution and the hierarchy of the Internet topology, the study establishes the route distribution tree model and ideal AS graph model using these two models analyze the effectiveness of maximum filtering and semi-maximum filtering. The analysis results verify the former experimental results and figure out the theoretical explanation. Maximum filtering can filter out most spoofed packets. Though it cannot reach 100%, maximum filtering can limit the number of the successful spoofing AS to the average AS path length of the Internet. On the ideal AS graph, semi-maximum filtering has the same effectiveness as the maximum filtering and its storage and computing overhead is much lower than maximum filtering, which provides the theoretical basis to use it in practice. The model-based analysis points out the inherent features of the inter-domain routing based distributed packet filtering, which conduces to design the subsidiary mechanism and the overall deployment in the whole Internet.
HTML  下载PDF全文  查看/发表评论  下载PDF阅读器
 

京公网安备 11040202500064号

主办单位:中国科学院软件研究所 中国计算机学会 京ICP备05046678号-4
编辑部电话:+86-10-62562563 E-mail: jos@iscas.ac.cn
Copyright 中国科学院软件研究所《软件学报》版权所有 All Rights Reserved
本刊全文数据库版权所有,未经许可,不得转载,本刊保留追究法律责任的权利