RAMD: Route Authentication and Misdirection Detection Protocol

摘要

The internet was originally designed to be trustworthy, reliable and extensible, while its infrastructure, mainly the routing mechanisms, was not constructed with security in mind. Moreover, routers are subject to malicious attacks that can harm individual users and hinder network operations. One of the subtle attacks is that a malicious router may collaborate in the control-plane and leave routing protocols operating properly to bypass the control-plane countermeasures and then targets the data-plane. Thus, it could forward packets to routes that are inconsistent with advertised ones in the control-plane, leading to so-called "misdirection" attack. In this paper, we focus on the misdirection attack launched in data-plane phase and propose lightweight, efficient and secure route authentication and misdirection detection (RAMD) protocol to authenticate the forwarding route before delivering data, and detect malicious routers that could misdirect traffic within autonomous systems that apply link-state routing protocols (e.g. OSPF). RAMD doesn't require cryptographic operations at data-plane phase and has little communication and computation overhead. Moreover, it's able to detect and respond to both passive and active misdirection attacks. We believe our work is an important step in detecting and preventing misdirection attack.