Thesis/Dissertation 110423012: Detailed Record




Name: 徐郁齊 (Yu-Chi Hsu)   Department: Department of Information Management
Thesis Title: Design and Implementation of an Automated BGP Routing Filtering Strategy and Security Mechanism based on Validation of Route Information Consistency
Files: The full text can be browsed in the system after 2028-7-31.
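Abstract (translated from Chinese) With the rapid development of the Internet, the number of allocated autonomous systems and IP addresses has become enormous. The relationships among autonomous systems are intricate, and autonomous systems exchange routing information through the BGP protocol. BGP itself carries no built-in security mechanism, so to date many malicious and non-malicious route announcements have appeared, causing many route leaks and route hijacks on the Internet. Many frameworks and methods for preventing BGP hijacks have since appeared, of which the most popular, and comparatively the most widely adopted, is the RPKI framework. To this day, however, RPKI deployment and ROA creation still have not reached more than half of global routes, which means that the ROV result for most routes in the network is still NotFound. If network security is made the first priority and border routers are rigidly configured to accept only RPKI-valid routes, network connectivity and reachability are greatly affected. Therefore, considering network connectivity, reachability and security, this research designs and implements a system that automatically deploys BGP route filtering policies based on validating the consistency of route information. The system continuously listens on the network interface, filters BGP packets and parses their contents. Based on the BGP Update Messages it receives, it queries Internet Routing Registry databases, generates route filtering policies according to the information recorded for each route in these distributed databases, and deploys the policies to the border routers within the autonomous system. The aim is to further filter potentially malicious routes among the RPKI-NotFound routes, so that malicious routes are not accepted into the routing table and malicious routing information is not propagated further, thereby improving the security of the autonomous system and of the network as a whole.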
Abstract (English) With the rapid development of the network, a large number of autonomous systems and IP addresses have been distributed. The relationships between autonomous systems are intricate, and routing information is exchanged between them through the BGP protocol. Today, the establishment of ROAs has not yet reached more than half of the routes in the world, which means that most routes in the network have not yet registered a ROA. Considering network security, if the border router is set to accept only RPKI-valid routes, it will greatly affect the connectivity and reachability of the network. Therefore, based on the consideration of network connectivity, reachability and security, this research designs and implements a system that automatically deploys BGP route filtering policies based on verifying the consistency of routing information. It continuously monitors the network interface, filters BGP packets, and analyzes the packet content. Using data acquired from BGP neighbors, the system queries the IRR database. It proactively filters potentially malicious routes, preventing their entry into the routing table and inhibiting further propagation. This approach strengthens the security of autonomous systems and thus the robustness of the overall network.
Keywords ★ BGP
★ Route Filtering
★ Software-Defined Network
★ Automation
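Table of Contents
1. Introduction
1.1. Research Background
1.2. Research Motivation and Objectives
1.3. Research Contributions
1.4. Chapter Organization
2. Related Work
2.1. SDN
2.2. BGP Routing Policy
2.3. Route Filtering
2.4. BGP Hijack
2.5. Common Route Filtering Methods, Technical Frameworks and Their Basis
2.6. Discussion
3. System Design
3.1. System Architecture
3.2. System Modules
3.2.1. Monitor Module
3.2.2. BGP Message Parser Module
3.2.3. Route Checking Module
3.2.4. Routing Policy Generator Module
3.2.5. Policy Deployment Module
3.3. System Operation Flow
3.4. Initial Routing Policy
3.5. Applicable Scenarios
4. Experiments and Evaluation
4.1. Experimental Environment
4.2. Experimental Objectives
4.3. Experimental Design: Route Filtering and Acceptance Policies
4.4. Analysis of Experimental Data
4.4.1. Accepting only routes whose RPKI-ROV result is valid
4.4.2. Accepting routes whose RPKI-ROV result is valid, plus routes whose result is Not-Found but which pass the common Bogon Filter
4.4.3. Accepting routes whose RPKI-ROV result is valid, plus routes whose result is Not-Found but which pass the filtering method proposed by this system
4.4.4. Experimental Comparison
4.4.5. System Performance Evaluation
4.4.5.1. Automated Routing Policy Generator Performance Evaluation
4.4.5.2. Border Router Performance Evaluation
4.5. Experiment Summary
4.6. Research Limitations and Shortcomings
5. Conclusion
References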
Advisor: 蔡邦維 (Pang-Wei Tsai)   Approval Date: 2023-8-17

For questions about this thesis, please contact the Promotion Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.