RISP: An RPKI-based inter-AS source protection mechanism

Jia, Yihao; Liu, Ying; Ren, Gang; He, Lin

doi:10.26599/tst.2018.9010025

Cited by 3 publications

(3 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…TrueNet mechanism deploys trusted computing module (TCB) in each node of the network, and determines malicious links through multi-node security information negotiation [18] centralization of control SDN architecture is usually adopted, such as VeriDP algorithm, which verifies whether the data is transmitted normally through control plane policy, thus improving the accuracy of network behavior detection [19]. DFL mechanism collects the verification information of nodes in the transmission path in a centralized way, but it is difficult to avoid a single point of failure [20] collaborative filtering RISP uses RPKI to protect the inter-domain communication of source address, and completes traffic filtering through the cooperation of server, alliance center and AS border router [21] New technology Using blockchain to build a distributed trust framework can be used for inter-domain routing protocol to realize IP address prefix authentication [22] 2…”

Section: Identification Inspectionmentioning

confidence: 99%

ZbSR: A Data Plane Security Model of SR-BE/TE based on Zero-Trust Architecture

Wang

et al. 2022

Preprint

View full text Add to dashboard Cite

Facing the untrusted threats of network elements and PKI/CA faced by SR-BE/TE(Segment Routing-BE/TE) data plane in the zero-trust network environment, firstly, this paper refines it into eight specific security issues. Secondly, an SR-BE/TE data plane security model ZbSR(ZTA-based SR) based on zero-trust architecture is proposed, which reconstructs the original SR control plane into a "trust-agent" two-layer plane based on 4 components of the controller, agent, cryptographic center and information base. On one hand, we distinguish between the two segment list generation modes and proposes corresponding data exchange security algorithms, by introducing north-south security verification based on identity authentication, trust evaluation, and key agreement before the terminal device establishes an east-west access connection, so reliable data exchange between terminal devices can be realized. On the other hand, for the network audit lacking SR-BE/TE, a network audit security algorithm based on solid authentication is proposed. By auditing the fields, behaviors, loops, labels, paths, and SIDs of messages, threats such as stream path tampering, SID tampering, DoS attacks, and loop attacks can be effectively detected. Finally, through the simulation test, the proposed model can provide security protection for the SR data plane with a 19.3% average incremental delay overhead for various threat scenarios.

show abstract

Section: Identification Inspectionmentioning

confidence: 99%

ZbSR: A Data Plane Security Model of SR-BE/TE based on Zero-Trust Architecture

Wang

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…RPKI uses digital signature and certificate to authenticate routing source, which can effectively prevent route hijacking 16 ; due to the limited deployment of RPKI infrastructure, Tomas and others put forward DISCO, which is based on distributed trust architecture to authenticate routing 17 Trusted hardware TrueNet mechanism deploys TCB(Trusted Computing Base) in each node of the network, and determines malicious links through multi-node security information negotiation 18 Centralization of control SDN architecture is usually adopted, such as VeriDP algorithm, which verifies whether the data is transmitted normally through control plane policy, thus improving the accuracy of network behavior detection 19 . DFL mechanism collects the verification information of nodes in the transmission path in a centralized way, but it is difficult to avoid a single point of failure 20 Collaborative filtering RISP uses RPKI to protect the inter-domain communication of source address, and completes traffic filtering through the cooperation of server, alliance center and AS border router 21 New technology Using blockchain to build a distributed trust framework can be used for inter-domain routing protocol to realize IP address prefix authentication 22 …”

Section: Related Workmentioning

confidence: 99%

“…Literature [12][13][14][15][16][17][18][19][20][21][22] puts forward a variety of mainstream routing security mechanisms, summarized into 6 categories in this paper, as shown in Table 2. These mechanisms did not consider the label and source routing characteristics of the SR network, and could not directly migrate to the SR scene, nor did they consider and deal with the threats they faced as a whole, so their universality was limited.…”

Section: Related Workmentioning

confidence: 99%

A data plane security model of SR-BE/TE based on zero-trust architecture

Wang

et al. 2022

Sci Rep

View full text Add to dashboard Cite

Facing the untrusted threats of network elements and PKI/CA faced by SR-BE/TE (Segment Routing-BE/TE) data plane in the zero-trust network environment, firstly, this paper refines it into eight specific security issues. Secondly, an SR-BE/TE data plane security model ZbSR (ZTA-based SR) based on zero-trust architecture is proposed, which reconstructs the original SR control plane into a "trust-agent" two-layer plane based on 4 components of the controller, agent, cryptographic center and information base. On one hand, we distinguish between the two segment list generation modes and proposes corresponding data exchange security algorithms, by introducing north–south security verification based on identity authentication, trust evaluation, and key agreement before the terminal device establishes an east–west access connection, so reliable data exchange between terminal devices can be realized. On the other hand, for the network audit lacking SR-BE/TE, a network audit security algorithm based on solid authentication is proposed. By auditing the fields, behaviors, loops, labels, paths, and SIDs of messages, threats such as stream path tampering, SID tampering, DoS attacks, and loop attacks can be effectively detected. Finally, through the simulation test, the proposed model can provide security protection for the SR data plane with a 19.3% average incremental delay overhead for various threat scenarios.

show abstract

TAP: A Traffic-Aware Probabilistic Packet Marking for Collaborative DDoS Mitigation

Liu

et al. 2021

2021 17th International Conference on Mobility, Sensing and Networking (MSN)

View full text Add to dashboard Cite

RISP: An RPKI-based inter-AS source protection mechanism

Cited by 3 publications

References 21 publications

ZbSR: A Data Plane Security Model of SR-BE/TE based on Zero-Trust Architecture

ZbSR: A Data Plane Security Model of SR-BE/TE based on Zero-Trust Architecture

A data plane security model of SR-BE/TE based on zero-trust architecture

TAP: A Traffic-Aware Probabilistic Packet Marking for Collaborative DDoS Mitigation

Contact Info

Product

Resources

About