摘要
IP地址真实性验证成为构建可信网络的基础,基于源-目的标识(密钥)的自治域级IP欺骗过滤和基于源标识(公钥)的端系统级IP认证均采用了端-端方式试图解决IP欺骗.端-端认证方式实现简单,但却忽略了IP欺骗报文对中间网络的泛洪攻击,防御效果差.提出面向IP欺骗防御联盟成员的域间IP欺骗防御服务增强机制——ESP(enhanced spoofing prevention).ESP引入开放的路由器协同机制,提供了源-目的路径中ESP节点信息通告和协同标记的框架.基于源标识IP欺骗防御,ESP融入了路径标识,不仅减小了源标识冲突概率,而且混合型标识支持了ESP节点根据报文标识提前过滤IP欺骗报文.基于BGP(border gateway protocol),提出前缀p-安全节点的概念和检测理论,有效控制了源标识传播范围,减小了ESP节点的标记和过滤开销.ESP继承了基于标识的防御机制的可部分部署性,能够很好地支持动态路由和非对称路由.应用Routeview提供的RIB(routing information base)进行评估,ESP增强了IP欺骗防御服务的能力,而且能够提前过滤IP欺骗报文.
The validation of source IP addresses becomes the key technique for devising a trustworthy network. However, inter-domain IP spoofing preventions based on source-destination labels and end-hosts IP authentications based on source labels both adopt end to end mode to solve the problem, which ignores the flooding of spoofing packets on middle networks. To address this problem, an enhancing mechanism for the inter-domain IP spoofing prevention service, ESP (enhanced spoofing prevention), is proposed. Via integrating path labels into source labels, ESP reduces the collision of source labels at destination networks and enables filtering IP spoofing packets toward other nodes in middle networks, thus prevents flooding attacks in advance and extends the protected domain of the spoofing prevention. Based on BGP (border gateway protocol) update ESP develops the validation of prefix security to restrict the scope of the propagation of labels, thus decreases the cost of computing and storing of labels. The abilities of IP spoofing prevention and filtering spoofing packets in advance are demonstrated in the topology, which is constructed based on RIB (routing information base) provided by Routeview.
出处
《软件学报》
EI
CSCD
北大核心
2010年第7期1704-1716,共13页
Journal of Software
基金
国家重点基础研究发展计划(973)Nos.2005CB321801
2009CB320503~~
