Authors: 邹慧 (ZOU Hui), 李彦彪 (LI Yanbiao), 于晨晖 (YU Chenhui), 马迪 (MA Di) [1,3], 毛伟 (MAO Wei). Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China; University of Chinese Academy of Sciences, Beijing 100049, China; ZDNS, Beijing 100190, China.
Affiliations: [1] Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083; [2] University of Chinese Academy of Sciences, Beijing 100049; [3] Beijing Engineering Research Center for the Internet Domain Name System (ZDNS), Beijing 100190.
Source: Frontiers of Data & Computing (《数据与计算发展前沿》), 2022, No. 3, pp. 90-109 (20 pages).
Abstract: [Objective] In response to the issue of resource failure caused by unilateral revocation under the hierarchical certification mechanism of the current Resource Public Key Infrastructure (RPKI), this paper proposes a novel scheme based on Behavior Transparency (BT) to detect unilateral revocations, and demonstrates its effect and performance via extensive experiments. [Methods] This paper first analyzes in detail the issue of unilateral revocation in the current RPKI architecture, as well as the risk of resource failure at subordinate Certificate Authorities (CAs) resulting from it, and then proposes to monitor and handle unilateral revocations in real time with the help of a log server that records the issuance behaviors of CAs, thereby making those behaviors transparent. [Results] According to the experimental results, the efficiency of the proposed scheme satisfies the performance demand posed by the current RPKI system, and its accuracy in detecting unilateral revocations can reach 100% as long as a credible and fully controllable log server is deployed. Moreover, the additional transmission overhead resulting from communicating with the log server is negligible. [Limitations] The accuracy, performance, and scalability of the proposed scheme need to be further evaluated in large-scale RPKI systems to verify its value in case RPKI is fully or near-fully deployed in the future. [Conclusions] In current RPKI deployments, the proposed scheme introduces little additional overhead and can effectively detect unilateral revocations, enabling CAs to monitor in real time the validity of the resources they hold and any unilateral revocation of those resources.
Keywords: IP address; AS number; inter-domain routing security; Resource Public Key Infrastructure (RPKI); transparency.
Classification number: TN918.4 (Electronics and telecommunications: communication and information systems).