Automatic signing and issuing method and device for routing origin authorization

A technology of origination and routing, applied in secure communication devices, user identity/authority verification, digital transmission systems, etc., can solve problems such as wrong issuance, threats to inter-domain routing systems, and non-inclusion relationship checks

Active Publication Date: 2020-11-27
深圳网基科技有限公司

AI Technical Summary

Problems solved by technology

However, INR holders may misconfigure the maxLength field or issue a ROA incorrectly, resulting in the abnormal situation of INR re-allocation and reuse. For example, an INR holder may allocate an IP prefix to a customer and also reserve the same prefix for its own use, which means that the customer's resource certificate contains the IP prefix and a ROA issued by the holder also contains it. Or the INR holder may both reserve an IP prefix for future use and authorize it to an autonomous system, which shows up as both an AS0 ROA and an ASα (α≠0) ROA existing for the same IP prefix.

[0016] In related technologies, there are many ROAs in the RPKI database. Although some ROAs are considered valid by the RP's verification process, that process does not perform the "horizontal INR inclusion relationship" check, that is, it does not check whether the INR holder has made duplicate allocations or duplicate authorizations of the INRs it holds. Therefore, after these ROAs are used by BGP border routers, they still pose a threat to the inter-domain routing system.


Embodiment Construction

[0065] Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numerals in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. Rather, they are merely examples of methods and apparatus consistent with aspects of the present application as recited in the appended claims.

[0066] The automatic issuance method of routing origin authorization provided by this application can be applied to the RPKI system shown in Figure 2. Any INR holder is a CA, and this method can be applied to the INR holder itself, or to ancillary devices of the INR holder.

[0067] Figure 3 is a flowchart of a method for automatically issuing routing origin authorization ac...


Abstract

The invention relates to an automatic signing and issuing method and device for routing origin authorization. The method comprises the steps of dividing IP prefixes into a plurality of different prefix sets; checking the plurality of prefix sets according to a preset use strategy; and, after the check is passed, signing and issuing the corresponding routing origin authorization or resource certificate for the IP prefixes in each prefix set, according to the set they belong to. Based on an INR use strategy, the scheme checks whether each IP prefix meets the INR use strategy and whether INR allocation and authorization conflicts exist. After the check is passed, the corresponding resource certificates and routing origin authorizations are automatically signed and issued according to the wishes of the INR holder, so as to prevent repeated INR allocation and repeated INR authorization that are caused by manual operation and that an RPKI relying party is unable to detect.
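The check-before-issue flow in the abstract, applied to the two conflicts named under "Problems solved by technology", as an added example that is not code from the patent. The three set names (`allocate`, `reserve`, `authorize`), the sample prefixes and AS numbers are constructed assumptions, and the maxLength test only enforces the range the ROA format allows (prefix length up to the address-family maximum).

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (prefix, use, origin AS, maxLength). Hypothetical uses:
# "allocate" = goes into a customer's resource certificate,
# "reserve" = AS0 ROA, "authorize" = ROA for a non-zero AS.
INTENDED_USE = [
    ("192.0.2.0/24", "allocate", None, None),
    ("192.0.2.0/24", "authorize", 64500, 24),      # also in the holder's own ROA
    ("198.51.100.0/24", "reserve", 0, 24),
    ("198.51.100.0/24", "authorize", 64501, 24),   # AS0 ROA and AS64501 ROA
    ("203.0.113.0/24", "authorize", 64502, 22),    # maxLength shorter than prefix
    ("2001:db8::/32", "authorize", 64503, 48),     # no conflict
]

def partition(entries):
    """Divide the prefixes into one set per intended use."""
    sets = defaultdict(set)
    for prefix, use, _asn, _maxlen in entries:
        sets[use].add(ipaddress.ip_network(prefix))
    return sets

def check(entries):
    """Return (prefix, reason) findings; an empty list means issuance may proceed."""
    sets = partition(entries)
    in_roa = sets["reserve"] | sets["authorize"]
    findings = []
    for net in sorted(sets["allocate"] & in_roa, key=str):
        findings.append((str(net), "in customer certificate and in holder ROA"))
    for net in sorted(sets["reserve"] & sets["authorize"], key=str):
        findings.append((str(net), "AS0 ROA and non-zero AS ROA"))
    for prefix, _use, _asn, maxlen in entries:
        net = ipaddress.ip_network(prefix)
        if maxlen is not None and not net.prefixlen <= maxlen <= net.max_prefixlen:
            findings.append((str(net), "maxLength outside prefix length range"))
    return findings

def to_issue(entries):
    """Objects to sign, produced only when every check passes."""
    if check(entries):
        return []
    return [(p, "resource certificate" if use == "allocate" else f"ROA AS{asn}")
            for p, use, asn, _m in entries]

if __name__ == "__main__":
    for prefix, reason in check(INTENDED_USE):
        print(f"REFUSE {prefix}: {reason}")
```

The comparison matches identical prefixes only, as in the cases the page describes; it does not flag a prefix that merely covers another.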

Description

Technical field

[0001] The present application relates to the technical field of routing security, in particular to a method and device for automatically issuing routing origin authorization.

Background

[0002] The Internet is divided into many smaller autonomous systems (Autonomous Systems, AS), and currently the routing protocol between the autonomous systems is the Border Gateway Protocol (BGP). BGP connects a large number of ASes with different topologies and sizes, which exchange routing information with each other.

[0003] As a path vector protocol, BGP uses Update messages to carry path information when propagating routes. Path information is used to indicate the network topology to reach the route, and is also used for route selection. The path information propagated by BGP mainly includes network layer reachability information (Network Layer Reachability Information, NLRI for short) and path attributes (Path Attribute). NLRI co...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/12, H04L9/32, H04L12/715
CPC: H04L9/3263, H04L9/3268, H04L45/04, H04L61/5046, Y02D30/70
Inventor: 马迪, 邹慧, 邵晴, 毛伟, 邢志杰
Owner: 深圳网基科技有限公司