Secure Routing
Basic Knowledge
- Delivery scheme
  - unicast: deliver a message to a single node
  - broadcast: deliver a message to all nodes in the network
  - multicast: deliver a message to a group of nodes
  - anycast: deliver a message to any one node of a group
  - geocast: deliver a message to a group of nodes selected by geographic location
- Routing scheme
  - Intra-domain routing: inside an autonomous system (AS)
    - RIP: Routing Information Protocol (distance-vector)
    - OSPF: Open Shortest Path First (link-state)
  - Inter-domain routing: between autonomous systems
    - BGP: Border Gateway Protocol (path-vector)
Routing Attacks
- Attacks on distance-vector routing (e.g. RIP)
  - announce distance 0 to every destination, so neighbours send all their traffic through the attacker
- Attacks on link-state routing (e.g. OSPF)
  - drop links: advertise an existing link as down so traffic is rerouted
  - claim a direct link to other routers that does not exist, attracting traffic
- Attacks on BGP
  - announce an arbitrary prefix the attacker does not hold (prefix hijacking)
  - alter the AS path of announcements
Prefix Hijacking
- Method 1: more-specific prefix
  - announce a longer (more-specific) prefix than the target's own announcement; longest-prefix matching then prefers the attacker's route, so the traffic is intercepted
  - can be defended against with RPKI: Route Origin Validation rejects a prefix that the attacker's AS is not authorized to originate
- Method 2: forged adjacency
  - claim to be a neighbour of the target, i.e. forge the AS path so that the target still appears as the origin but is reached through the attacker; the origin AS looks legitimate, so origin validation alone does not catch this
  - can be defended against with S-BGP (signed AS paths)
Secure Routing
RPKI
- Resource Public Key Infrastructure
- Mechanism
  - The holder of an address block receives a resource certificate (its public key bound to its IP prefixes and AS numbers) issued under the RPKI hierarchy, and uses the matching private key to sign a Route Origin Authorization (ROA): a statement that a given AS number may originate a given prefix, up to a maximum prefix length
  - Other ASes fetch the published certificates and ROAs, verify the signatures against the public keys, and check the prefix and origin AS of each received route against the ROAs (Route Origin Validation: Valid, Invalid or NotFound)
  - Caveat: RPKI only validates the origin AS; a forged AS path that keeps the true origin passes origin validation
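The two hijacking methods and the RPKI validation step above, as an added example that is not part of the original notes: a Go implementation of Route Origin Validation over a constructed ROA table. The prefixes 203.0.113.0/24 and 198.51.100.0/24 and the AS numbers 64500 and 64666 are assumptions of the example. It shows that the more-specific announcement of method 1 is marked Invalid, that a prefix with no ROA is merely NotFound, and that the forged-path announcement of method 2, which keeps the true origin, is indistinguishable from the legitimate route to origin validation alone. Checking the ROA signatures themselves is omitted; the table is taken as already validated.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is a Route Origin Authorization: the prefix holder authorises OriginAS to
// originate Prefix and any more-specific prefix no longer than MaxLength bits.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	OriginAS  uint32
}

// Announcement is the part of a received BGP route that origin validation looks
// at: the announced prefix and the last (origin) AS of the AS path.
type Announcement struct {
	Prefix   netip.Prefix
	OriginAS uint32
}

// Validity is the RFC 6811 validation state of an announcement.
type Validity int

const (
	NotFound Validity = iota // no ROA covers the announced prefix
	Valid                    // a covering ROA matches origin AS and length
	Invalid                  // covering ROAs exist, but none matches
)

func (v Validity) String() string {
	return [...]string{"NotFound", "Valid", "Invalid"}[v]
}

// covers reports whether roa.Prefix is equal to or less specific than p.
func covers(roa ROA, p netip.Prefix) bool {
	return roa.Prefix.Bits() <= p.Bits() && roa.Prefix.Contains(p.Addr())
}

// Validate implements Route Origin Validation: Valid if some covering ROA names the
// origin AS and allows the prefix length, Invalid if ROAs cover the prefix but none
// matches, NotFound if no ROA covers it at all.
func Validate(roas []ROA, a Announcement) Validity {
	state := NotFound
	for _, roa := range roas {
		if !covers(roa, a.Prefix) {
			continue
		}
		if roa.OriginAS == a.OriginAS && a.Prefix.Bits() <= roa.MaxLength {
			return Valid
		}
		state = Invalid
	}
	return state
}

// SampleROAs is a constructed ROA table: AS64500 holds 203.0.113.0/24 and has not
// authorised any more-specific announcement (MaxLength equals the prefix length).
func SampleROAs() []ROA {
	return []ROA{{Prefix: netip.MustParsePrefix("203.0.113.0/24"), MaxLength: 24, OriginAS: 64500}}
}

func main() {
	roas := SampleROAs()
	cases := []struct {
		name string
		ann  Announcement
	}{
		{"legitimate origin", Announcement{netip.MustParsePrefix("203.0.113.0/24"), 64500}},
		{"method 1: more-specific /25 from AS64666", Announcement{netip.MustParsePrefix("203.0.113.0/25"), 64666}},
		{"same-length /24 from AS64666", Announcement{netip.MustParsePrefix("203.0.113.0/24"), 64666}},
		{"no ROA published for this prefix", Announcement{netip.MustParsePrefix("198.51.100.0/24"), 64666}},
		// Method 2: the attacker forges the AS path but keeps AS64500 as origin.
		// Origin validation cannot tell this apart from the legitimate route.
		{"method 2: forged path, true origin kept", Announcement{netip.MustParsePrefix("203.0.113.0/24"), 64500}},
	}
	for _, c := range cases {
		fmt.Printf("%-44s %s\n", c.name, Validate(roas, c.ann))
	}
}
```

Note that the holder's own /25 would also be Invalid under this table: MaxLength is a deliberate limit, since a generous MaxLength would let an attacker who forges the origin AS announce the more-specific route and still look Valid.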
S-BGP
- Secure Border Gateway Protocol
- Mechanism
  - When a router announces a route, it digitally signs the announcement (the prefix, the AS path so far and the neighbour it is sent to), so every AS along the path adds its own signature
  - Other routers verify each signature with the signer's certificate, so a path that an AS did not actually sign (for example a forged adjacency) is rejected
- Disadvantages
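The signing and verification steps listed for S-BGP above, as an added example that is not part of the original notes and does not reproduce S-BGP's actual message format: each AS signs the prefix, the AS path so far and the neighbour it forwards to with an Ed25519 key, and the receiving AS checks the whole chain. The topology (AS64500 holding 203.0.113.0/24, transit AS64501, receiver AS64502, attacker AS64666), the map used in place of a certificate directory and the byte encoding of the signed message are all assumptions of this example. It shows why the forged-adjacency attack of method 2 fails: the attacker cannot produce AS64500's signature over a hop towards AS64666.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AS holds one autonomous system's key; a map from ASN to key stands in for the PKI.
type AS struct {
	Number uint32
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewAS(number uint32) *AS {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AS{Number: number, Pub: pub, priv: priv}
}

// Attestation is one AS's signed statement: "I (Signer) send this prefix, with the
// path up to and including me, to NextAS."
type Attestation struct {
	Signer, NextAS uint32
	Sig            []byte
}

type Route struct {
	Prefix string
	Path   []uint32 // AS path, origin first
	Atts   []Attestation
}

func be32(v uint32) []byte { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }

// hopMessage is the byte string an AS signs: prefix, path so far and the neighbour it
// forwards to. Binding NextAS is what stops a third party from splicing itself in later.
func hopMessage(prefix string, pathSoFar []uint32, nextAS uint32) []byte {
	msg := append([]byte{byte(len(prefix))}, prefix...)
	for _, asn := range pathSoFar {
		msg = append(msg, be32(asn)...)
	}
	return append(msg, be32(nextAS)...)
}

// Forward appends this AS to the path and signs the hop towards nextAS. Originating a
// prefix is a Forward on a Route that has only Prefix set.
func (a *AS) Forward(r Route, nextAS uint32) Route {
	path := append(append([]uint32{}, r.Path...), a.Number)
	att := Attestation{Signer: a.Number, NextAS: nextAS,
		Sig: ed25519.Sign(a.priv, hopMessage(r.Prefix, path, nextAS))}
	return Route{Prefix: r.Prefix, Path: path, Atts: append(append([]Attestation{}, r.Atts...), att)}
}

// Verify: each AS in the path must have signed the hop to the next AS (the last one to the receiver).
func Verify(dir map[uint32]ed25519.PublicKey, r Route, receiver uint32) error {
	if len(r.Atts) != len(r.Path) {
		return fmt.Errorf("path has %d ASes but %d attestations", len(r.Path), len(r.Atts))
	}
	for i, att := range r.Atts {
		next := receiver
		if i+1 < len(r.Path) {
			next = r.Path[i+1]
		}
		if att.Signer != r.Path[i] || att.NextAS != next {
			return fmt.Errorf("hop %d: attestation AS%d->AS%d does not match path AS%d->AS%d",
				i, att.Signer, att.NextAS, r.Path[i], next)
		}
		pub, ok := dir[att.Signer]
		if !ok || !ed25519.Verify(pub, hopMessage(r.Prefix, r.Path[:i+1], att.NextAS), att.Sig) {
			return fmt.Errorf("hop %d: no certificate or bad signature for AS%d", i, att.Signer)
		}
	}
	return nil
}

// Scenario: constructed topology AS64500 (holder) -> AS64501 -> AS64502 (receiver) and an
// attacker AS64666 claiming to neighbour AS64500; returns AS64502's verdict on each route.
func Scenario() (honest, splicedPath, forgedSig error) {
	victim, transit, receiver, attacker := NewAS(64500), NewAS(64501), NewAS(64502), NewAS(64666)
	dir := map[uint32]ed25519.PublicKey{64500: victim.Pub, 64501: transit.Pub, 64502: receiver.Pub, 64666: attacker.Pub}
	origin := Route{Prefix: "203.0.113.0/24"}
	honest = Verify(dir, transit.Forward(victim.Forward(origin, 64501), 64502), 64502)
	// Forgery 1: replay AS64500's genuine attestation (signed for AS64501) and append the attacker.
	stolen := victim.Forward(origin, 64501)
	splicedPath = Verify(dir, attacker.Forward(stolen, 64502), 64502)
	// Forgery 2: also rewrite NextAS to the attacker; the path is consistent, the signature is not.
	stolen.Atts[0].NextAS = 64666
	forgedSig = Verify(dir, attacker.Forward(stolen, 64502), 64502)
	return honest, splicedPath, forgedSig
}

func main() {
	honest, splicedPath, forgedSig := Scenario()
	fmt.Println(honest, "|", splicedPath, "|", forgedSig)
}
```

Run with `go run`: the honest route verifies (`<nil>`), the spliced path fails the path-consistency check, and the rewritten attestation fails signature verification. The cost visible even here, one signature per hop on every announcement and a key lookup per hop on every receipt, is the main reason such schemes were slow to deploy.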