Journal of Software, 2007, 18(12): 3048-3059

BGP Extension to Support Inter-Domain Distributed Packets Filtering
WANG Li-Jun, WU Jian-Ping, XU Ke
(Department of Computer Science and Technology, Tsinghua University, Beijing 100084)
Received: July 15, 2006    Revised: October 10, 2006
Abstract: Trustworthiness is an important characteristic of the next-generation Internet. The routing system of the present Internet forwards packets only according to the destination IP address, so forged packets with spoofed source IP addresses are also delivered to the destination, which threatens the security of the receiver and conceals the real identity of the sender. A trustworthy Internet requires the routing system not only to forward packets correctly but also to verify that packets come from the correct sender. Route-based inter-domain distributed packet filtering is an effective method for filtering out spoofed packets. This paper proposes extending BGP with a route selection notice function to provide filtering criteria for inter-domain packet filtering. With this extension, border routers can validate the authenticity of packets entering their autonomous system and filter out packets that spoof addresses of other autonomous systems. Simulation results indicate that the route selection notice does not impair the normal routing function of BGP, and that with a properly chosen route selection timer parameter, low bandwidth overhead and fast convergence can be achieved simultaneously while supporting inter-domain distributed packet filtering.
Foundation items: Supported by the National Natural Science Foundation of China under Grant No.60473082; the National Basic Research Program of China (973 Program) under Grant No.2003CB314801
Reference text:

WANG Li-Jun, WU Jian-Ping, XU Ke. BGP Extension to Support Inter-Domain Distributed Packets Filtering. Journal of Software, 2007, 18(12): 3048-3059