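This paper studies the security of SE-BGP. The analysis shows that the mechanism has security vulnerabilities and cannot resist active attacks launched by legitimate users. To overcome these vulnerabilities, a new BGP security mechanism, SA-BGP, is designed based on the idea of AS alliances and using an RSA-based aggregate signature algorithm. The mechanism offers higher security: it can effectively verify the correctness of the network layer reachability information (NLRI) announced by an AS and the authenticity of the path attributes announced by an AS, and it can also greatly reduce the scale of certificates in the network and the number of certificates stored by a single node. Simulation experiments show that, compared with security mechanisms of the same level, SA-BGP has less impact on the network and converges faster.

A new approach to BGP security, SE-BGP, was studied. Analysis of the security of SE-BGP found that it has security vulnerabilities and cannot resist active attacks. To solve these security problems of SE-BGP, an AS-alliance-based secure BGP scheme, SA-BGP, was proposed, which uses an aggregate signature algorithm based on RSA. SA-BGP provides strong security: it can effectively verify the propriety of IP prefix origination and the validity of an AS to announce network layer reachability information (NLRI). SA-BGP can reduce the number of certificates used on a large scale. Performance evaluation results show that SA-BGP can be implemented efficiently and that the incurred overhead, in terms of time and space, is acceptable in practice.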