摘要
借鉴IRR(Internet routing registry)机制中注册路由策略的思想,提出了前缀策略(prefix policy)的概念,并由此设计了一种防范前缀劫持的方法——E-IRR机制.在E-IRR中,参与者发布自己的前缀策略,同时利用其他自治系统已注册的前缀策略验证BGP路由,从而防范前缀劫持.提出了维护前缀策略有效性措施,评估了E-IRR机制的安全能力与性能.方法的主要优势是,其在前缀劫持的防范能力与安全机制的实际部署需求之间达到了一个较好平衡,可增量式地部署,并不需要对BGP协议进行任何安全扩展.现有方案都不同时具备这些特性,它们使得E-IRR有望实际可行地解决前缀劫持问题.
Based on the registering idea of IRR (internet routing registry), the concept of Prefix Policy is proposed, and a new Internet registry mechanism, E-IRR, is presented. E-IRR offers an efficient and defensive method to prevent hijacked routes. In E-IRR, every participant declares its prefix policies, and makes use of the others' registered prefix policies to validate BGP routes. Measures are designed to guarantee the validity of prefix policies, and evaluate its capabilities of security and performance. The major benefits of the method are the balance it reaches between the capability of preventing prefix hijacks and the security mechanism's requirements of practical deployment, the facts that the method lends itself to stepwise deployment and needs not any BGP extension for security. These properties, not shared by alternative approaches, make it an attractive and viable solution to the prefix hijacking problem.
出处
《软件学报》
EI
CSCD
北大核心
2009年第3期620-629,共10页
Journal of Software
基金
国家高技术研究发展计划(863)
国家自然科学基金
国防科学技术大学博士研究生创新基金~~