    Abstract:

    The paper proposes id2r (identity-based inter-domain routing), a secure inter-domain routing protocol built on an identity-based cryptosystem. id2r consists of a key management mechanism, an origin AS verification mechanism LAP (longest assignment path), and an AS_PATH authenticity verification mechanism IDAPV (identity-based aggregate path verification). The key management mechanism adopts a distributed and hierarchical key issuing protocol, DHKI, to address the key escrow problem inherent in identity-based cryptosystems. The basic idea of LAP is that every AS must provide the assignment path and attestations for the prefixes it announces; for a given prefix, the AS that provides the longest valid assignment path is its legitimate origin AS. Using an identity-based aggregate signature scheme, IDAPV generates a route aggregate attestation that guarantees the authenticity of the AS_PATH. Performance evaluation based on RouteViews data from December 7, 2007 indicates that an id2r router consumes only 1.71 Mbytes of additional memory, 38% of that of an S-BGP router; that id2r UPDATE messages are shorter than those of S-BGP; and that, with a hardware implementation of the cryptographic algorithms, the convergence time of id2r is approximately equal to that of BGP.
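    The LAP rule in the abstract, worked through as an added toy example (this is not code from the paper or its authors): each AS announcing a prefix presents a chain of assignment attestations rooted at a trusted registry; the verifier checks that every attestation verifies, that the hops chain together, that each assigned prefix is contained in the one before it, and that the chain ends at the announcer with a prefix covering the announcement; among announcers with a valid chain, the longest wins, so a customer's two-hop path beats its provider's one-hop path for the same prefix. All AS names, prefixes, the trust root and the master secret are constructed, and a keyed MAC stands in for the paper's identity-based signatures (the verifier here shares the master secret, which a real identity-based scheme does not require). Tie handling is not specified by the abstract and is treated as ambiguous here.

```python
"""Toy model of LAP (longest assignment path) origin verification.

Added example, not the paper's code. Every name, prefix, key and message
format below is constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed parameters. In an identity-based scheme a PKG derives each AS's
# signing key from its identity and verifiers need only the identity plus
# public parameters; here a keyed MAC stands in for the signature, so the
# verifier shares MASTER_SECRET. That is a modelling shortcut, not the paper's
# construction.
MASTER_SECRET = b"constructed-master-secret"
TRUST_ROOTS = {"RIR-A"}          # constructed: the registry the verifier trusts


def _key_for(identity: str) -> bytes:
    return hashlib.sha256(MASTER_SECRET + identity.encode()).digest()


def _message(issuer: str, subject: str, prefix: str) -> bytes:
    return f"{issuer} assigns {prefix} to {subject}".encode()


@dataclass(frozen=True)
class Attestation:
    issuer: str    # AS (or registry) that assigned the prefix
    subject: str   # AS that received it
    prefix: str    # prefix assigned, e.g. "10.1.0.0/16"
    tag: bytes     # stand-in for the issuer's identity-based signature


def attest(issuer: str, subject: str, prefix: str) -> Attestation:
    tag = hmac.new(_key_for(issuer), _message(issuer, subject, prefix),
                   hashlib.sha256).digest()
    return Attestation(issuer, subject, prefix, tag)


def verify_attestation(a: Attestation) -> bool:
    expected = hmac.new(_key_for(a.issuer), _message(a.issuer, a.subject, a.prefix),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, a.tag)


def valid_assignment_path(path: List[Attestation], announcer: str, announced: str) -> bool:
    """A path is valid iff it starts at a trust root, every attestation
    verifies, hops chain (subject of one hop is issuer of the next), each
    prefix is contained in the previous one, and the last hop assigns a prefix
    covering the announcement to the announcer itself."""
    if not path or path[0].issuer not in TRUST_ROOTS:
        return False
    target = ipaddress.ip_network(announced)
    prev_net = None
    expected_issuer = path[0].issuer
    for a in path:
        if a.issuer != expected_issuer or not verify_attestation(a):
            return False
        net = ipaddress.ip_network(a.prefix)
        if prev_net is not None and not net.subnet_of(prev_net):
            return False           # a hop handed out more than it held
        prev_net, expected_issuer = net, a.subject
    return expected_issuer == announcer and target.subnet_of(prev_net)


def legitimate_origin(prefix: str, claims: Dict[str, List[Attestation]]) -> Optional[str]:
    """Return the announcer with the longest valid assignment path for
    `prefix`, or None if nobody has one. The abstract does not say how ties
    are resolved; this toy treats a tie as ambiguous and also returns None."""
    valid = [(len(p), asn) for asn, p in claims.items()
             if valid_assignment_path(p, asn, prefix)]
    if not valid:
        return None
    valid.sort(key=lambda t: t[0], reverse=True)
    if len(valid) > 1 and valid[0][0] == valid[1][0]:
        return None
    return valid[0][1]


def build_scenario():
    """Constructed scenario: RIR-A -> AS100 (10.0.0.0/8) -> AS200 (10.1.0.0/16).
    AS200 is the real origin of 10.1.0.0/16; AS100 has a shorter but valid
    chain; AS666 forges a root attestation; AS777 holds a genuine chain for a
    different prefix and tries to stretch it over 10.1.0.0/16."""
    root_to_100 = attest("RIR-A", "AS100", "10.0.0.0/8")
    as100_to_200 = attest("AS100", "AS200", "10.1.0.0/16")
    as100_to_777 = attest("AS100", "AS777", "10.2.0.0/16")
    forged = Attestation("RIR-A", "AS666", "10.1.0.0/16", b"\x00" * 32)
    claims = {
        "AS200": [root_to_100, as100_to_200],  # length 2, valid: legitimate origin
        "AS100": [root_to_100],                # length 1, valid but shorter
        "AS666": [forged],                     # bad tag: rejected
        "AS777": [root_to_100, as100_to_777],  # valid chain, wrong prefix: rejected
    }
    return "10.1.0.0/16", claims


if __name__ == "__main__":
    prefix, claims = build_scenario()
    for asn, path in claims.items():
        print(asn, "valid" if valid_assignment_path(path, asn, prefix) else "invalid")
    print("legitimate origin of", prefix, "->", legitimate_origin(prefix, claims))
```

    The containment check at each hop is what stops AS777: its chain is genuine, but the prefix it was assigned does not cover the prefix it announces. The length rule is what stops AS100 from overriding its own customer: both chains are valid, but the customer's is longer.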

    References
    [1] Rekhter Y, Li T, Hares S. A border gateway protocol 4 (BGP-4). RFC4271, 2006.
    [2] Murphy S. BGP security vulnerabilities analysis. RFC4272, 2006.
    [3] Wow, AS7007! 1997. http://www.merit.edu/mail.archives/nanog/1997-04/msg00340.html
    [4] Popescu AC, Premore BJ, Underwood T. Anatomy of a leak: AS9121. 2005. http://nanog.org/mtg-0505/underwood.html
    [5] Karlin J, Forrest S, Rexford J. Pretty good BGP: Improving BGP by cautiously adopting routes. In: David L, ed. Proc. of the IEEE Int’l Conf. on Network Protocols. Washington: IEEE Computer Society Press , 2006. 290-299.
    [6] Karlin J. A fun hijack: 1/8, 2/8, 3/8, 4/8, 5/8, 7/8, 8/8, 12/8 briefly announced by AS 23520 (today). 2006. http://www.merit.edu/mail.archives/nanog/2006-06/msg00082.html
    [7] Con-Ed steals the net. 2006. http://www.renesys.com/blog/2006/01/coned_steals_the_net.shtml
    [8] Wan T, van Oorschot PC. Analysis of BGP prefix origins during Google's May 2005 outage. In: Spirakis P, ed. Proc. of the Security in Systems and Networks. Washington: IEEE Computer Society Press, 2006. 8-15.
    [9] Boothe P, Hiebert J, Bush R. Short-Lived prefix hijacking on the Internet. In: Proc. of the NANOG 36 Meeting. 2006. http://www.nanog.org/mtg-0602/pdf/boothe.pdf
    [10] Karlin J. AS 8437 announced a quarter of the net for half of an hour. 2006. http://www.merit.edu/mail.archives/nanog/2006-8/msg00366.html
    [11] Lad M, Oliveira R, Zhang B, Zhang L. Understanding resiliency of Internet topology against prefix hijack attacks. In: Anderson T, ed. Proc. of the Dependable Systems and Networks (DSN). Washington: IEEE Computer Society Press, 2007. 368-377.
    [12] Pakistan hijacks youtube. 2008. http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml
    [13] Ramachandran A, Feamster N. Understanding the network-level behavior of spammers. In: Christophe D, ed. Proc. of the ACM SIGCOMM. Washington: ACM Press, 2006. 291-302.
    [14] Sauver JS. Route injection and spam. In: Proc. of the Messaging Anti-Abuse Working Group (MAAWG) 8th General Meeting. 2006. http://www.uoregon.edu/~joe/maawg8/maawg8.pdf
    [15] Nordstrom O, Dovrolis C. Beware of BGP attacks. ACM SIGCOMM Computer Communication Review, 2004,34(2):1-8.
    [16] Ballani H, Francis P, Zhang X. A study of prefix hijacking and interception in the Internet. In: Jun M, ed. Proc. of the ACM SIGCOMM. Washington: ACM Press, 2007. 265-276.
    [17] Kent S, Lynn C, Seo K. Secure border gateway protocol (S-BGP). IEEE Journal on Selected Areas in Communications, 2000,18(4): 582-592.
    [18] White R. Securing BGP through secure origin BGP (soBGP). The Internet Protocol Journal, 2003,6(3):15-22.
    [19] Wan T, Kranakis E, van Oorschot PC. On interdomain routing security and pretty secure BGP (psBGP). ACM Trans. on Information and System Security, 2007,10(3):11.
    [20] Hu YC, Perrig A, Sirbu M. SPV: Secure path vector routing for securing BGP. In: Yavatkar R, ed. Proc. of the ACM SIGCOMM. Washington: ACM Press, 2004. 179-192.
    [21] Lad M, Massey D, Pei D, Wu Y, Zhang B, Zhang LX. PHAS: A prefix hijack alert system. In: Angelos K, ed. Proc. of the USENIX Security Symp. 2006. Berkeley: USENIX Association, 2006. 153-166.
    [22] Kruegel C, Mutz D, Robertson W, Valeur F. Topology-Based detection of anomalous BGP messages. In: John M, ed. Proc. of the RAID. Berlin: Springer-Verlag, 2003. 17-35.
    [23] Hu X, Mao ZM. Accurate real-time identification of IP prefix hijacking. In: Deborah S, ed. Proc. of the IEEE Security and Privacy. Washington: IEEE Computer Society Press, 2007. 3-17.
    [24] Zhao X, Pei D, Wang L, Massey D, Mankin A, Wu F, Zhang LX. Detection of invalid routing announcement in the Internet. In: Farnam J, ed. Proc. of the DSN. Washington: IEEE Computer Society Press, 2002. 59-68.
    [25] Zheng C, Ji L, Pei D, Wang J, Francis P. A light-weight distributed scheme for detecting IP prefix hijacks in real-time. In: Jun M, ed. Proc. of the ACM SIGCOMM. Washington: ACM Press, 2007. 277-288.
    [26] Huston G. Auto-Detecting hijacked prefixes? In: Proc. of the RIPE 50 meeting. 2005. http://www.ripe.net/ripe/meetings/ripe-50/presentations/index.html
    [27] Qiu J, Gao L, Ranjan S, Nucci A. Detecting bogus BGP route information: Going beyond prefix hijacking. In: Bruno C, ed. Proc. of the Securecomm. Washington: IEEE Computer Society Press, 2007. 381-390.
    [28] Chan H, Dash D, Perrig A, Zhang H. Modeling adoptability of secure BGP protocols. In: Luigi R, ed. Proc. of the ACM SIGCOMM. Washington: ACM Press, 2006. 279-290.
    [29] Raghavan B, Panjwani S, Mityagin A. Analysis of the SPV secure routing protocol: Weaknesses and lessons. ACM SIGCOMM Computer Communication Review, 2007,37:29-38.
    [30] Shamir A. Identity-Based cryptosystems and signature schemes. In: Blakley GR, ed. Proc. of the Advances in Cryptology, CRYPTO'84. Berlin: Springer-Verlag, 1984. 47-53.
    [31] Beuchat JL, Shirase M, Takagi T, Okamoto E. An algorithm for the ηT pairing calculation in characteristic three and its hardware implementation. 2006. http://eprint.iacr.org/2006/327
    [32] Pan J, Cai L, Shen X. Promoting identity-based key management in wireless ad hoc networks. In: Yang X, ed. Proc. of the Wireless/Mobile Network Security-Springer Series on Signals and Communication Technology. Berlin: Springer-Verlag, 2007. 83-102.
    [33] Boneh D, Lynn B, Shacham H. Short signatures from the Weil pairing. In: Proc. of the Advances in Cryptology, AsiaCrypt 2001. 2001. 514-532.
    [34] Cheon J, Kim Y, Yoon H. A new ID-based signature with batch verification. 2004. http://eprint.iacr.org/2004/131
    [35] Shamir A. How to share a secret. Communications of the ACM, 1979,22(11):612-613.
    [36] Oliveira R, Zhang B, Zhang L. Observing the evolution of Internet AS topology. In: Proc. of the ACM SIGCOMM. 2007. 313-324.
    [37] McDaniel P, Aiello W, Butler K, Ioannidis J. Origin authentication in interdomain routing. Computer Networks: The Int’l Journal of Computer and Telecommunications Networking, 2006,50(16):2953-2980.
    [38] http://www.routeviews.org/, 2007.
    [39] The SSFNET project. 2007. http://www.ssfnet.org
    [40] Barreto PSLM. A note on efficient computation of cube roots in characteristic 3. 2004. http://eprint.iacr.org/2004/305
    [41] Zhao M, Smith SW, Nicol D. Aggregated path authentication for efficient BGP security. In: Atluri V, ed. Proc. of the ACM CCS 2005. Washington: ACM Press, 2005. 128-138.
    [42] Subramanian L, Caesar M, Ee CT, Handley M, Mao ZM, Shenker S, Stoica I. HLP: A next generation interdomain routing protocol. In: Roch G, ed. Proc. of the ACM SIGCOMM. Washington: ACM Press, 2005. 13-24.
Citation:

Wang N (王娜), Zhi YJ (智英建), Zhang JH (张建辉), Cheng DN (程东年), Wang BQ (汪斌强). An identity-based secure inter-domain routing protocol. Journal of Software (软件学报), 2009,20(12):3223-3239
History
  • Received: December 21, 2007
  • Revised: May 19, 2008
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4