Study on BGP Security
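  • English title: Study on BGP Security
  • Authors: LI Song (黎松); ZHUGE Jian-Wei (诸葛建伟); LI Xing (李星)
  • Authors (English): LI Song 1, ZHUGE Jian-Wei 2, LI Xing 1; 1 (Department of Electronic Engineering, Tsinghua University, Beijing 100084, China); 2 (Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100084, China)
  • Keywords (translated from Chinese): BGP; prefix hijacking; route leak; route authentication; prefix hijacking detection
  • Keywords (English): BGP; prefix hijacking; route leak; route validation; detecting prefix hijacking
  • Journal (Chinese title): RJXB
  • Journal (English title): Journal of Software
  • Institutions: Department of Electronic Engineering, Tsinghua University; Institute of Network Science and Cyberspace, Tsinghua University
  • Publication date: 2012-11-23 12:05
  • Publisher: Journal of Software (软件学报)
  • Year: 2013
  • Issue: v.24
  • Funding: National Natural Science Foundation of China (61003127); National Key Basic Research and Development Program of China (973 Program) (2009CB320505)
  • Language: Chinese
  • Page: RJXB201301011
  • Number of pages: 18
  • CN: 01
  • ISSN: 11-2560/TP
  • Classification number: 125-142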
Abstract
BGP is a core Internet routing protocol. Internet inter-domain routing relies on the exchange of BGP routing information. BGP has significant vulnerabilities, which have been found to cause problems such as prefix hijacking, route leaks and Internet-targeted denial-of-service attacks. First, by analyzing BGP route propagation and BGP routing policies, the fundamental flaw in the design of the protocol is revealed. The paper then discusses possible threats to BGP and presents a route leak model, which contributes to the description of its characteristics. Second, the existing defense mechanisms for BGP security are generalized, and their shortcomings are exposed. The paper then classifies various BGP security-enhancing technologies and studies them in detail to explore their advantages and disadvantages. Finally, the research trends of BGP security are discussed.
