Architecture and Key Technologies of Internet Address Security
Abstract:

Forged source addresses and routing prefix hijacking pose serious threats because the current Internet has no source address validation mechanism. Solving the address security problem and building a trustworthy Internet environment has therefore become a critical issue, and authenticated IP addresses are the foundation of a trustworthy Internet. Researchers have proposed many solutions to these problems from different perspectives. This paper first introduces the notion of an address and the current state of address spoofing, then analyzes what address security means. It analyzes and compares the existing security solutions along three dimensions: architecture, mechanism, and key technical means, and summarizes and evaluates their performance. Finally, the paper proposes a general experimental platform for network addresses on which different address schemes can be deployed and evaluated.

Xu K, Zhu L, Zhu M. Architecture and Key Technologies of Internet Address Security. Ruan Jian Xue Bao/Journal of Software, 2014,25(1):78-97
History
  • Received: January 08, 2013
  • Revised: July 30, 2013
  • Online: November 21, 2013
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4