Realization of Source Address Validation Based on Path Queryability in Campus Networks


Authors: WANG Yu-liang; ZHOU Nai; LI Zong-peng; GUO Xing-chang; LI Kang (Quan Cheng Laboratory, Jinan 250100, China; Institute for Network Science and Cyberspace, Tsinghua University, Beijing 100084, China)

Affiliations: [1] Quan Cheng Laboratory, Jinan, Shandong 250100 [2] Institute for Network Science and Cyberspace, Tsinghua University, Beijing 100084

Source: Computer Technology and Development, 2025, Issue 4, pp. 73-79 (7 pages)

Funding: Key Project of Quan Cheng Provincial Laboratory (QCLZD202304); Shandong Provincial Laboratory Project (SYS202201).

Abstract: With the development of communication technology and next-generation networks, campus networks are used ever more widely in real-world scenarios, and their security has drawn the attention of many researchers. Without detection and tracing of source addresses that carry security threats, network hosts are easily exposed to attack, which triggers a series of network security problems. To address this, the paper proposes a path-queryable source address validation framework for campus networks. The framework first establishes snooping for host-granularity source address validation, then uses the Open Shortest Path First protocol to synchronize information among the routers and switches in the campus network, while announcing and recording the path propagation information of host traffic; it builds blacklists and whitelists according to interface type and generates information table entries and filtering lookup tables. Based on this design logic, the authors built a router prototype and tested it against the public network equipment test benchmark RFC2544; the experimental results all show that the framework performs notably well. By dynamically synchronizing the list-filtering lookup tables with path-queryable packet information, the framework effectively solves source address validation and traceback, avoids security threats whose source cannot be identified, and achieves low-latency, multi-protocol source address validation for campus networks.

Keywords: campus network security; source address validation; source address traceback; path queryability; dynamic synchronization

Classification: TP18 [Automation and Computer Technology: Control Theory and Control Engineering]

 
