Authors: Li Qi (李琦)[1], Wu Jianping (吴建平)[1], Xu Mingwei (徐明伟)[1], Xu Ke (徐恪)[1], Zhang Xinwen (张新文)
Affiliations: [1] Department of Computer Science and Technology, Tsinghua University, Beijing 100084; [2] Samsung Information Systems America, San Jose, CA, USA
Source: 《计算机学报》 (Chinese Journal of Computers), 2009, No. 3, pp. 506-515, 10 pages in total
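Funding: National Natural Science Foundation of China (90604024); National "863" High-Tech Research and Development Program (2007AA01Z2A2); Key Project of Science and Technology Research of the Ministry of Education (106012); supported by the Program for New Century Excellent Talents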
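Abstract: The security of the inter-domain routing protocol BGP directly affects the availability of Internet routing. Although many existing improved BGP security schemes can address these security problems, they have many design flaws (for example, router resource consumption). In this paper, the authors fully consider the goals of secure BGP and propose a Good-Enough-Security BGP (GesBGP) protocol. Building on trusted computing technology, GesBGP uses an identity-based key (IBS) algorithm to ensure the authenticity of identities in the BGP protocol. Introducing the IBS algorithm effectively eliminates the need, present in traditional secure BGP protocols, to deploy a centralized public key infrastructure (PKI), along with the problems of distributing and storing public key certificates. In addition, GesBGP does not rely solely on cryptographic key algorithms: a BGP trusted service based on trusted computing prevents illegitimate tampering with the system configuration at the level of the router system itself, and eliminates the multiple cumulative signatures on routing messages. In the proposed optimized GesBGP protocol, deploying BGP security rules establishes mandatory trust relationships between ASes, which further eliminates the cumulative signatures in BGP announcement messages. Security analysis and performance evaluation show that the optimized GesBGP effectively improves the performance of GesBGP while ensuring BGP security.

English abstract: Inter-domain routing (BGP) directly influences the availability of Internet routing, which may be disrupted by misconfigured or malicious BGP updates. Although several secure solutions have been proposed to resolve the BGP security problem, they have many design drawbacks (e.g., large router resource consumption). Considering the design and performance of secure BGP, this paper proposes a Good-Enough-Security BGP (GesBGP). The identity-based signature (IBS) algorithm presented in GesBGP guarantees the authenticity of BGP routes with the help of Trusted Computing (TC) technology. The presented IBS can effectively eliminate the centralized public key infrastructure (PKI) and resolve the problem of public key certificate distribution and storage. Furthermore, GesBGP does not rely only on the cryptographic functions provided by IBS. The BGP attestation service integrated in GesBGP fundamentally prevents malicious changes to the router and thus builds a strong trust relationship between different routers. In the optimized GesBGP, BGP security rules are enforced and the cumulated signature in the original GesBGP is eliminated. The security analysis and performance study show that the optimized GesBGP improves the performance of GesBGP while achieving the goal of BGP security at the same time.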
Classification: TP393 [Automation and Computer Technology: Computer Application Technology]