域间路由系统自治域 (ASes)间具有不同的商业关系和路由策略. 违反自治域间出站策略协定的路由传播可能引发路由泄露, 进而导致网络中断、流量窃听、链路过载等严重后果. 路由策略符合性验证对于保证域间路由系统安全性和稳定性至关重要. 但自治域对本地路由策略自主配置与隐私保护的双重需求增加了验证路由策略符合性的难度, 使其一直是域间路由安全领域尚未妥善解决的难点问题. 提出一种基于区块链的域间路由策略符合性验证方法. 该方法以区块链和密码学技术作为信任背书, 使自治域能够以安全和隐私的方式发布、交互、验证和执行路由策略期望, 通过生成对应路由更新的路由证明, 保证路由传播过程的真实性, 从而以多方协同的方式完成路由策略符合性验证. 通过实现原型系统并基于真实路由数据开展实验与分析, 结果表明该方法可以在不泄露自治域商业关系和本地路由策略的前提下针对路由传播出站策略符合性进行可追溯的验证, 以合理的开销有效抑制策略违规路由传播, 在局部部署情况下也具有显著的策略违规路由抑制能力.
Various business relationships and routing policies exist among the autonomous systems (ASes) in an inter-domain routing system. Routing propagation violating the export policy agreements among the ASes is likely to cause route leaks, ultimately leading to serious consequences such as network interruption, traffic eavesdropping, and link overload. Verifying routing policy compliance is thus essential for ensuring the security and stability of the inter-domain routing system. However, the dual requirements of ASes for the autonomous configuration and privacy protection of local routing policies increase the difficulty in verifying routing policy compliance and consequently pose a hard problem that remains to be settled properly in the field of inter-domain routing security. This study proposes a blockchain-based verification method for inter-domain routing policy compliance. With blockchain and the cryptographic technology as trust endorsements, this method enables ASes to publish, interact, verify, and execute routing policy expectations in a safe and private manner. The authenticity of the routing propagation process is ensured by generating route attestations corresponding to routing updates. Thus, the verification of routing policy compliance is completed by multi-domain cooperation. A prototype system is implemented, and experiments and analyses are carried out on real routing data. The results show that the proposed method offers traceable verification of export policy compliance of routing propagation without leaking the business relationships and local routing policies among ASes, suppresses policy-violating routing propagation effectively with reasonable overhead, and maintains a remarkable ability to suppress policy-violating routing even in partial deployment scenarios.