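Authors: Wang Na (王娜) [1,2], Du Xuehui (杜学绘) [1,2], Wang Wenjuan (王文娟) [1,2], Liu Aodi (刘敖迪)
Affiliations: [1] PLA Information Engineering University, Zhengzhou 450001; [2] State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001
Source: Chinese Journal of Computers (《计算机学报》), 2017, No. 7, pp. 1626-1648, 23 pages
Funding: Supported by the National High Technology Research and Development Program of China ("863" Program) (2015AA011705) and the Natural Science Foundation of Henan Province (No. 162300410334)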
Abstract: The Border Gateway Protocol (BGP) is the de facto interdomain routing protocol of the Internet. Because BGP lacks effective security measures, the routing infrastructure of the Internet is vulnerable to various forms of attack, which disrupt network reachability on the Internet. Securing BGP is therefore highly important for the reliable and stable operation of the Internet as a whole. The paper reviews recent research progress on BGP security. First, it defines the BGP threat model, in which abnormal route announcement attacks on BGP are divided into prefix hijacking, path forging and route leaks, from the perspective of forged routing information and illegal route propagation; it describes the attack principles and gives real-world examples. Then it organizes the research directions in BGP security, which consist mainly of security protection and anomaly detection. The main research topics in BGP security protection include security extension and security outsourcing techniques to defend against prefix hijacking and path forging, and protection techniques against route leaks; the main research topics in BGP anomaly detection include detection techniques for prefix hijacking, path forging and route leaks, active response techniques, anomaly detection systems and BGP visualization tools. The paper expounds in depth and in detail, and comprehensively analyzes and compares, the main ideas, the key and difficult issues, and the principles and shortcomings of specific mechanisms or solutions for these research points. Finally, the paper discusses the research challenges in BGP security and points out future work in four areas: security protection, anomaly detection, interdomain routing trust and interdomain routing system measurement. This survey provides a basis and reference for relevant researchers and network security experts, helping them understand BGP security problems and promoting in-depth research on BGP security.
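Keywords: BGP security; interdomain routing security; prefix hijacking; route leak; anomaly detection
Classification: TP309 [Automation and Computer Technology: Computer Systems Architecture]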