基于行为透明性的RPKI撤销检测机制

doi:10.11871/jfdc.issn.2096-742X.2022.03.007

数据与计算发展前沿 ›› 2022, Vol. 4 ›› Issue (3): 90-109.

CSTR: 32002.14.jfdc.CN10-1649/TP.2022.03.007

doi: 10.11871/jfdc.issn.2096-742X.2022.03.007

基于行为透明性的RPKI撤销检测机制

邹慧^1,^2,^3,^*(),李彦彪^1,²(),于晨晖^1,²(),马迪^1,³(),毛伟^1,³()

1.中国科学院计算机网络信息中心, 北京 100083
2.中国科学院大学,北京 100049
3.互联网域名系统北京市工程研究中心,北京 100190

收稿日期:2021-10-20 出版日期:2022-06-20 发布日期:2022-06-20
通讯作者: 邹慧
作者简介:邹慧,中国科学院计算机网络信息中心,博士研究生,主要研究方向为域间路由安全与互联网基础设施。
本文承担工作为：BT机制及其部署方案的设计,安全问题的分析,实验方案的规划。
ZOU Hui is a Ph.D. candidate at th Computer Network Infor-mation Center of Chinese Academy of Sciences (CNIC). Her main research interests are secure inter-domain routing and the Internet infrastructure.
In this paper, she undertakes the following tasks: the design of the BT mechanism and deployment plans, the analysis of security threats, and the planning of the experimental scheme.
E-mail: zouhui@cnic.cn|李彦彪,中国科学院计算机网络信息中心,副研究员,主要研究方向为云网融合系统架构及关键技术,路由安全防护与治理。
本文承担工作为：BT机制的整体架构设计。
LI Yanbiao is an associate professor of the Computer Network Information Center of Chinese Academy of Sciences (CNIC). His main research interests are cloud network architecture and routing security and governance.
In this paper, he undertakes the following tasks: the architecture design of the BT mechanism.
E-mail: lybmath@cnic.cn|于晨晖,中国科学院计算机网络信息中心,硕士研究生,主要研究方向为域间路由安全和网络仿真。
本文承担工作为：实验平台的搭建与实验代码的编写。
YU Chenhui is a graduate student at the Computer Network Information Center of Chinese Academy of Sciences (CNIC). His main research interests are inter-domain routing security and network simulation.
In this paper, he undertakes the following tasks: the construc-tion of experimental platforms and the implementation of exper-imental codes.
E-mail: yuchenhui21@mails.ucas.ac.cn|马迪,互联网域名系统北京市工程研究中心,高级工程师,主要研究方向为资源的命名和寻址、互联网码号资源管理。
本文承担工作为：BT机制的需求分析。
MA Di is an senior engineer at the ZD-NS. His main research interests are resource naming and addressing and Internet number resource management.
In this paper, he undertakes the following tasks: demand anal-ysis of the BT mechanism.
E-mail: madi@zdns.cn|毛伟,互联网域名系统北京市工程研究中心,研究员,主要研究方向为下一代互联网和资源的命名和寻址。
本文承担工作为：研究指导。
MAO Wei is a professor at the ZDNS His main research interests are the nextgen-eration Internet and resource naming and addressing.
In this paper, he undertakes the following task: research gui-dance.
E-mail: mao@zdns.cn

A Revocation Detection Mechanism in RPKI Based on Behavior Transparency

ZOU Hui^1,^2,^3,^*(),LI Yanbiao^1,²(),YU Chenhui^1,²(),MA Di^1,³(),MAO Wei^1,³()

1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China
2. University of Chinese Academy of Sciences, Beijing 100049, China
3. ZDNS, Beijing 100190, China

Received:2021-10-20 Online:2022-06-20 Published:2022-06-20
Contact: ZOU Hui

摘要/Abstract

摘要：

【目的】为应对当前互联网码号资源公钥基础设施（Resource Public Key Infrastructure, RPKI）层级式认证机制下因单边撤销导致的资源失效问题,本文提出了一种基于行为透明性（Behavior Transparency, BT）的单边撤销检测机制,并通过实验验证了该机制的效果和性能。【方法】本文详细分析了当前RPKI架构下的单边撤销问题和由此导致的下级认证权威（Certificate Authority, CA）资源失效风险,通过部署日志服务器记录CA签发行为来提高CA签发行为的透明性,并以此为基础设计了高效的单边撤销实时监测和应急处置机制。【结果】实验结果表明,在部署有日志服务器且日志服务器足够安全可控的前提下,该机制的检测效率能满足当前架构性能需求,且准确率达到100%,传输开销可忽略不计。【局限】该机制在面向未来的RPKI大规模部署环境下的效率、准确率和可扩展性还有待进一步验证。【结论】本文所提基于行为透明性的RPKI撤销检测在当前RPKI实际部署环境下新引入的开销较小,能有效实现检测目的,支持CA实时监测其自持有资源有效性以及针对其的单边撤销行为。

关键词: IP地址, AS号, 域间路由安全, 互联网码号资源公钥基础设施, 透明性

Abstract:

[Objective] In response to the issue of resource failure caused by the unilateral revocation in the current Resource Public Key Infrastructure (RPKI), this paper proposes a novel scheme based on Behavior Transparency (BT) to detect unilateral revocations, and demonstrates its effect and performance via extensive experiments. [Methods] This paper first analyzes in detail the issue of unilateral revocation, as well as the risk of resource failures resulting from it, and then proposes to monitor and handle unilateral revocations with the help of a log server that records issuance behaviors of CAs. [Results] According to the experimental results, the efficiency of the proposed scheme satisfies the performance demand posed by the current RPKI system, and its accuracy in detecting unilateral revocations can reach 100% as long as a credible and fully controllable log server is deployed. Moreover, additional transmission overhead resulting from communicating with the log server is negligible. [Limitations] The accuracy, performance, and scalability of the proposed scheme need to be further evaluated in large-scale RPKI systems to verify its value in case that RPKI is fully or near-fully deployed in the future. [Conclusions] In the current RPKI systems, the proposed scheme can effectively detect unilateral revocations with negligible overhead, enabling CAs to monitor the effectiveness of their resources and the revocations to the issuances.

Key words: IP address, AS number, secure inter-domain routing, resource public key infrastructure, transparency

邹慧,李彦彪,于晨晖,马迪,毛伟. 基于行为透明性的RPKI撤销检测机制[J]. 数据与计算发展前沿, 2022, 4(3): 90-109.

ZOU Hui,LI Yanbiao,YU Chenhui,MA Di,MAO Wei. A Revocation Detection Mechanism in RPKI Based on Behavior Transparency[J]. Frontiers of Data and Computing, 2022, 4(3): 90-109, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2022.03.007.

图/表 16

表 1

图 1

图 2

图 3

图 4

图 5

图 6

图 7

图 8

图9

图 10

表2

图 11

表 3

图 12

图 13

参考文献 24

[1]	RFC 6480. An Infrastructure to Support Secure Internet Routing[S].
[2]	Cooper D, Heilman E, Brogle K, et al. On the risk of misbehaving RPKI authorities[C]// In Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks.Co-llege Park, MD, USA: ACM, 2013: 1-7.
[3]	Brogle K, Cooper D, Goldberg S, et al. Impacting IP prefix reachability via RPKI manipulations[R]. USAUSA: Com-puter Science Department, Boston University, 2013.
[4]	RFC8211. Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)[S].
[5]	Kuerbis B, Mueller M. Negotiating a new governance hierarchy: An analysis of the conflicting incentives to se-cure internet routing[J]. Communications and Strate-gies, 2011(81):125-142.
[6]	Heilman E, Cooper D, Reyzin L, et al. From the Consent of the Routed: Improving the Transparency of the RPKI[C]// In Proceedings of the 2014 ACM conference on SI-GCOMM.Chicago, IL, USA: ACM, 2014: 51-62.
[7]	draft-kent-sidr-suspenders-01. Suspenders: A Fail-safe Mechanism for the RPKI[S].
[8]	Shrishak K, Shulman H. Limiting the power of RPKI authorities[C]// In Proceedings of the Applied Network-ing Research Workshop.Online (Meetecho), Spain: ACM, 2020:12-18.
[9]	draft-ietf-sidr-ltamgmt-08. Local Trust Anchor Manag-ement for the Resource Public Key Infrastructure[S].
[10]	RFC 8416. Simplified Local Internet Number Resource Management with the RPKI (SLURM)[S].
[11]	Xing Q, Wang B, Wang X. Bgpcoin: Blockchain-based internet number resource authority and bgp security solu-tion[J]. Symmetry, 2018, 10(9):408. doi: 10.3390/sym10090408
[12]	Paillisse J, Ferriol M, Garcia E, et al. IPchain: Securing IP prefix allocation and delegation with blockchain[C]// 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communica-tions (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (Smart-Data), IEEE, 2018: 1236-1243.
[13]	García-Martínez A, Angieri S, Liu B, et al. Design and Implementation of InBlock-A Distributed IP Add-ress Registration System[J]. IEEE Systems Journal, 2021, 15(3): 3528-3539. doi: 10.1109/JSYST.2020.3003526
[14]	RFC 6962. Certificate Transparency[S].
[15]	RFC 6481. A Profile for Resource Certificate Repository Structure[S].
[16]	RFC 6486. Manifests for the Resource Public Key Infra-structure (RPKI)[S].
[17]	draft-ietf-sidrops-6486bis-06. Manifests for the Resource Public Key Infrastructure (RPKI)[S].
[18]	RFC 8210. The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1[S].
[19]	draft-michaelson-rpki-rta-02. A profile for Resource Tag-ged Attestations (RTAs)[S].
[20]	NLnet Labs. Krill[CP/OL]. [2021. 09. 25]. https://github.com/NLnetLabs/krill.
[21]	NLnet Labs. Routinator[CP/OL]. [2021. 09. 25]. .
[22]	dotCloud Docker[CP/OL]. [2021. 09. 25]. https://github.com/docker.
[23]	RFC 8183. An Out-of-Band Setup Protocol for Resource Public Key Infrastructure (RPKI) Production Services[S].
[24]	RFC 6492. A Protocol for Provisioning Resource Certifi-cates[S].

针对资源证书的操作类型		表现形式
删除		✧ Manifest ✧ CRL ✧ PP
撤销	撤销一张资源证书（撤销所有资源）	✧ Manifest ♦ CRL ✧ PP
撤销	修改一张资源证书（撤销部分资源）	✧ Manifest ♦ CRL ✧ PP
延迟		✧ Manifest ✧ CRL ♦ PP

实体类型	硬件平台			软件实现
实体类型	CPU	内存/GB	操作系统	软件实现
CA	AMD EPYC 7742 64-Core Processor	629	CentOS Linux release 7.8.2003 (Core)	Krill^[20]
RP	AMD EPYC 7742 64-Core Processor	629	CentOS Linux release 7.8.2003 (Core)	Routinator^[21]
Log	Intel(R) Xeon(R) Platinum 8255C CPU @2.50GHz	4	Ubuntu 20.04 LTS	N/A

CA 类型	CA 数量	子CA的数量	自持有资源证书的数量	签发的资源证书的数量
level-1 CA	1	10	1	10
level-2 CA	10	10	1	100
level-3 CA	100	0	10	0

基于行为透明性的RPKI撤销检测机制

A Revocation Detection Mechanism in RPKI Based on Behavior Transparency

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 16

参考文献 24

相关文章 1

编辑推荐

Metrics

本文评价