Weiyu JIANG (1987- ), female, Ph.D., senior engineer at the Network Technology Laboratory, Central Research Institute, 2012 Laboratories, Huawei Technologies Co., Ltd. Her main research interests are network security architectures and protocols, trusted identity management, and data security.

Bingyang LIU (1985- ), male, Ph.D., chief engineer at the Network Technology Laboratory, Central Research Institute, 2012 Laboratories, Huawei Technologies Co., Ltd. His main research interests include network architecture, network security and trustworthiness, routing and name resolution, and deterministic networking.

Chuang WANG (1975- ), male, technical expert at the Network Technology Laboratory, Central Research Institute, 2012 Laboratories, Huawei Technologies Co., Ltd. His main research interest is the exploration of future network architectures and technologies.

Online publication date: 2019-09
Print publication date: 2019-09-20
Citation: Weiyu JIANG, Bingyang LIU, Chuang WANG. Network architecture with intrinsic security [J]. Telecommunications Science, 2019, 35(9): 20-28. DOI: 10.11959/j.issn.1000-0801.2019215.
Abstract: IP networks have brought great convenience to people's lives by connecting a huge number of devices around the world, but the persistent security and privacy problems these networks face make end-to-end communication a source of concern. Because the network lacks an intrinsic security design, stubborn problems such as IP address spoofing, privacy leakage, man-in-the-middle (MITM) attacks, and distributed denial-of-service (DDoS) attacks are hard to eradicate, and traditional patch-style solutions cannot keep up with them. Building on a survey of the security threats that IP networks face and of the related defensive techniques, this paper analyzes the inherent security weaknesses of IP networks and proposes a network architecture with intrinsic security (NAIS). Its components include a dynamic, privacy-preserving ID/Loc scheme with intrinsic security, security verification and audit protocols, and a cross-domain cooperative defense mechanism, which together can provide security and trustworthiness for end-to-end communication.