
浏览全部资源
扫码关注微信
1. 清华大学,北京 100084
2. 华为技术有限公司,北京 100095
3. 新华三技术有限公司,北京 100102
Published Online:2020-10,
Published:20 October 2020
移动端阅览
Dan LI, Lancheng QIN, Jianping WU, et al. Internet source address verification method based on synchronization and dynamic filtering in address domain[J]. Telecommunications science, 2020, 36(10): 21-28.
Dan LI, Lancheng QIN, Jianping WU, et al. Internet source address verification method based on synchronization and dynamic filtering in address domain[J]. Telecommunications science, 2020, 36(10): 21-28. DOI: 10.11959/j.issn.1000-0801.2020289.
互联网架构设计之初,假设所有网络成员都是可信的,并没有充分考虑不可信网络成员带来的安全威胁。在很长一段时间内,路由器只根据报文的目的IP地址转发消息,不对报文的源IP地址的真实性进行验证。数据分组真实性验证的缺乏会导致报文头部信息被恶意篡改。提出了基于边界路由动态同步的互联网地址域内真实源地址验证方法。该机制基于前缀拓扑信息同步的方法构建过滤表,解决了路由不对称导致过滤表和实际路由状态不一致的问题,避免了验证过程中的假阳性和假阴性,实现了低开销、低时延的地址域内IP地址前缀级粒度的真实源地址验证。
At the beginning of the design of the Internet architecture
it assumed that all network members were trusted
and did not fully consider the security threat brought by the untrusted network members.For a long time
routers only forward packets based on the destination IP address of the packet
and do not carry out any verification on the source IP address of the packet.The lack of packet level authenticity on the Internet results in the header being maliciously altered.A real source address verification mechanism with routing synchronization and dynamic filtering were proposed.This mechanism constructs the filter table based on the prefix-topology mapping synchronization
the problem of inconsistent state between the filter table and the route caused by routing asymmetry were solved
false positives and false negatives was avoided
and a low-overhead and low-latency source address verification of the IP address prefix level granularity in the address domain were realized.
KAUR CHAHAL J , BHANDARI A , BEHAL S . Distributed denial of service attacks:a threat or challenge [J ] . New Review of Information Networking , 2019 , 24 ( 1 ): 31 - 103 .
IETF . A source address validation architecture (SAVA) testbed and deployment experience:RFC5210 [S ] . 2008 .
IETF . Ingress filtering for multihomed networks.Technical report,BCP 84:RFC3704 [S ] . 2004 .
ZHANG Y , JIANG J , XU K , et al . BDS:anear-optimal overlay network for inter-datacenter data replication [C ] // Proceedings of the ACM Thirteenth Eurosys Conference . New York:ACM Press , 2018 : 10 - 23 .
ZHANG Y , TIANI Y , WANG W , et al . Federated routing scheme for large-scale cross domain network [C ] // Proceeding of IEEE Conference on Computer Communications Workshops . Piscataway:IEEE Press , 2020 : 1358 - 1359 .
IETF . Network ingress filtering:defeating denial of service attacks which employ IP source address spoofing:RFC2827 [S ] . 2000 .
LI J , MIRKOVIC J , WANG M , et al . SAVE:source address validity enforcement protocol [C ] // Proceedings of Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies . Piscataway:IEEE Press , 2002 : 1557 - 1566 .
LIU X , YANG X , WETHERALL D , et al . Efficient and secure source authentication with packet passports [C ] // Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet.New York:ACM Press . 2006 .
XIAO P , BI J , FENG T . O-CPF:an openflow based intra-AS source address validation application [C ] // Proceedings of the 8th CFI . New York:ACM Press , 2013 .
HUANG Q , SUN H , PATRICK LEE P C , et al . OmniMon:re-architecting network telemetry with resource efficiency and full accuracy [C ] // Proceedings on ACM SIGCOMM . New York:ACM Press , 2020 : 404 - 421 .
CHEN X , HUANG Q , ZHANG D , et al . ApproSync:approximate state synchronization for programmable networks [C ] // IEEE International Conference on Network Protocols.[S.l.:s.n . ] , 2020 .
ZHANG C , HU G , CHEN G , et al . Towards an SDN-based integrated architecture for mitigating ip spoofing attack [J ] . IEEE Access , 2017 ( 6 ): 22764 - 22777 .
LIANG X , CHEN H . A SDN-based hierarchical authentication mechanism for IPv6 address [C ] // Proceedings of 2019 IEEE International Conference on Intelligence and Security Informatics (ISI) . Piscataway:IEEE Press , 2019 :225.
KORCYNSKI M , NOSYK Y , QASIM L , et al . Don’t forget to lock the front door! inferring the deployment of source address validation of inbound traffic [C ] // Proceedings of International Conference on Passive and Active Network Measurement . Switzerland:Springer,Cham , 2020 : 107 - 121 .
IETF . OSPFv3 link state advertisement (LSA) extensibility:RFC8362 [S ] . 2018 .
IETF . A policy control mechanism in IS-IS using administrative tags:RFC5130 [S ] . 2008 .
IETF . BGP extended communities attribute:RFC4360 [S ] . 2006 .
0
Views
403
下载量
0
CSCD
Publicity Resources
Related Articles
Related Author
Related Institution
京公网安备11010802024621