1. School of Cyberspace Science, Harbin Institute of Technology, Harbin 150001, Heilongjiang, China
2. Peng Cheng Laboratory, Shenzhen 518055, Guangdong, China
3. Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, Guangdong, China
QIN Chaoyi (1992- ), male, born in Harbin, Heilongjiang; Ph.D. candidate at Harbin Institute of Technology. Research interests: Internet infrastructure security and resource public key infrastructure (RPKI) enhancement.
ZHANG Yu (1979- ), male, born in Laoting, Hebei; Ph.D., professor at Harbin Institute of Technology. Research interests: Internet infrastructure security, Internet architecture and Internet measurement.
FANG Binxing (1960- ), male, born in Wannian, Jiangxi; Ph.D., academician of the Chinese Academy of Engineering. Research interests: computer architecture, computer networks and information security.
Received: 2023-12-26
Revised: 2024-05-08
Published in print: 2024-07-25
Citation: QIN Chaoyi, ZHANG Yu, FANG Binxing. Survey on decentralized security-enhanced technologies for RPKI (RPKI去中心化安全增强技术综述) [J]. Journal on Communications (通信学报), 2024, 45(7): 196-205. DOI: 10.11959/j.issn.1000-436x.2024102.
Abstract: The resource public key infrastructure (RPKI) builds a centralized, hierarchical infrastructure for certifying the holding of IP address resources. While it strengthens the security of the Internet inter-domain (BGP) routing system, it also introduces central points of control into that system. Based on the functions of RPKI certification authorities, three centers were identified in the RPKI architecture, the authorization center, the operation center and the publication center, and decentralized security-enhancement technologies for RPKI were surveyed from the perspective of these three centers. First, RPKI centralization risks were refined from the authorization, operation and publication perspectives. Second, the technical ideas and concrete measures of decentralized security-enhancement technologies were classified according to these three risk perspectives. Third, the technologies were compared in terms of security, scalability and incremental deployability. Finally, the open problems of current technologies were summarized and future research directions were outlined.
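The abstract describes RPKI as a centralized hierarchy whose signed objects (ROAs) drive route origin validation at every relying party. The following Python example is added here and is not code from the paper or from any RPKI implementation. It implements route origin validation as defined in RFC 6811 over a constructed ROA set (RFC 6482 fields: prefix, maxLength, ASN) and then makes the centralization risk concrete: removing the ROAs published under one certification authority, modelled by the assumed `issuer` label, which is not a real ROA field, flips a legitimately originated route to "invalid" or "not-found" for every relying party at once. The prefixes are documentation ranges, the ASNs are private, and the `issuer` names and announcements are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union
import ipaddress

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization (RFC 6482): `asn` may originate prefixes inside
    `prefix` whose length is at most `max_length`. `issuer` is an assumed label for
    the CA that signed/published the ROA; it is not a field of a real ROA."""
    prefix: Net
    max_length: int
    asn: int
    issuer: str


def roa(prefix: str, max_length: int, asn: int, issuer: str) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, asn, issuer)


def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route origin validation outcome per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(announced_prefix)
    # A ROA "covers" the announcement when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]
    if not covering:
        return "not-found"      # no ROA says anything about this address space
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"      # some covering ROA matches both origin AS and length
    return "invalid"            # covered, but no ROA matches: hijack or misconfiguration


def without_issuer(roas: Iterable[ROA], issuer: str) -> List[ROA]:
    """Model a parent CA revoking, or a publication point dropping, one CA's subtree:
    every ROA under that CA disappears from all relying parties simultaneously."""
    return [r for r in roas if r.issuer != issuer]


def authority_impact(announcements: Iterable[Tuple[str, int]], roas: List[ROA],
                     removed_issuer: str) -> List[Tuple[str, int, str, str]]:
    """Validation outcome of each (prefix, origin AS) before and after one CA's ROAs vanish."""
    after = without_issuer(roas, removed_issuer)
    return [(p, a, validate_origin(p, a, roas), validate_origin(p, a, after))
            for p, a in announcements]


# Constructed sample data for this example (documentation prefixes, private ASNs).
ROAS = [
    roa("192.0.2.0/24", 24, 64500, issuer="lir-a"),
    roa("2001:db8::/32", 48, 64500, issuer="lir-a"),
    roa("198.51.100.0/22", 24, 64501, issuer="lir-b"),   # less specific, different holder
    roa("198.51.100.0/24", 24, 64502, issuer="lir-c"),   # more specific, assigned to AS64502
]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64502),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64500),
]

if __name__ == "__main__":
    # Removing lir-c's ROAs turns AS64502's legitimate /24 from valid into invalid,
    # because lir-b's covering /22 ROA remains and names a different origin.
    for p, a, before, after in authority_impact(ANNOUNCEMENTS, ROAS, "lir-c"):
        print(f"{p:<20} AS{a}: {before:>9} -> {after}")
```

Run it with any Python 3.7 or later interpreter. Routers that enforce ROV drop "invalid" routes, so the before/after table shows that a single authority in the hierarchy, or whoever controls its publication point, can take a correctly originated prefix off the Internet without touching the prefix holder's own keys; that is the centralization risk the survey classifies.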