Decentralized internet number resource management system based on blockchain technology

Cited by: 3


Authors: LI Jiang [1]; XU Mingwei [1,2]; CAO Jiahao; MENG Zili; ZHANG Guoqiang

Affiliations: [1] Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China; [2] Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China

Source: Journal of Tsinghua University (Science and Technology), 2023, Issue 9, pp. 1366-1379, 14 pages

Abstract: As the internet's only interdomain routing protocol, the border gateway protocol (BGP) currently faces the threat of internet number resource misuse. The existing security solution, resource public key infrastructure (RPKI), maintains internet number resource information through a centralized infrastructure, but it suffers from the single-point-of-failure risk caused by centralization, long convergence time, and high overhead. This paper proposes a decentralized internet number resource management system (DINRMS) based on blockchain technology. To improve scalability, the system structurally partitions the world's autonomous systems (ASes) into groups and layers, and a corresponding workflow is designed for this structure. In addition, building on this grouped, layered structure, the paper proposes a heuristic data push mechanism driven by how internet number resource ownership information and mapping information are generated, which shortens the convergence time for ASes to obtain this information and reduces interaction overhead. Experiments show that DINRMS provides secure and trustworthy internet number resource information for interdomain routing; compared with RPKI, DINRMS reduces the degree of centralization by more than 60%, shortens convergence time by more than 50%, and reduces interaction overhead by more than 50%.

[Objective] The internet is an important infrastructure that has been evolving for decades. Border gateway protocol (BGP) is the de facto interdomain routing protocol on the internet and connects autonomous systems (ASes) around the world. BGP uses internet number resources (INR), including internet protocol (IP) prefixes and autonomous system numbers, for addressing and routing. However, BGP has been vulnerable to the INR misusage threat recently, which causes a common type of anomaly called prefix hijacking. In prefix hijacking, a malicious AS originates the victim AS's prefixes to blackhole or intercept the victim's data traffic. The existing security solution, called resource public key infrastructure (RPKI), provides INR ownership and prefix-to-AS mapping information through a centralized infrastructure. ASes can extract and use the information from RPKI to prevent prefix hijacking. However, this solution has three typical drawbacks. First, the centralized architecture of RPKI causes single-point failures. Second, to obtain consistent INR information from RPKI, ASes need a long convergence time owing to the disorderly distribution of information. Third, ASes incur high interaction cost for extracting real-time INR information frequently.

[Methods] To solve the above-mentioned shortcomings, this study proposes a decentralized internet number resource management system (DINRMS) based on blockchain technology. The proposed system adopts a hierarchical architecture consisting of an autonomy layer and an arbitration layer. DINRMS partitions all ASes on the internet into groups that form the autonomy layer. The arbitration layer comprises the Internet Assigned Numbers Authority, five Regional Internet Registries and representatives elected by each group in the autonomy layer. Each entity in DINRMS has nearly the same impact on the system and the single-point failure of an entity does not lead to a serious global breakdown. The architecture of the proposed system overcomes the poor scalability of blockchain technology, which cannot be applied to efficie

Keywords: border gateway protocol; internet number resources; interdomain routing security

Classification number: TP393.7 [Automation and Computer Technology: Computer Application Technology]

 
