Publishing Language: Chinese

Decentralized internet number resource management system based on blockchain technology

Jiang LI (1), Mingwei XU (1,2, corresponding author), Jiahao CAO (1,2, corresponding author), Zili MENG (2), Guoqiang ZHANG (1)
1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
2. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China

Abstract

Objective

The internet is an important infrastructure that has been evolving for decades. The border gateway protocol (BGP) is the de facto interdomain routing protocol on the internet and connects autonomous systems (ASes) around the world. BGP uses internet number resources (INRs), including internet protocol (IP) prefixes and autonomous system numbers, for addressing and routing. However, BGP has recently been vulnerable to the misuse of INRs, which causes a common type of anomaly called prefix hijacking. In prefix hijacking, a malicious AS originates the victim AS's prefixes to blackhole or intercept the victim's data traffic. The existing security solution, the resource public key infrastructure (RPKI), provides INR ownership and prefix-to-AS mapping information through a centralized infrastructure. ASes can extract and use this information from RPKI to prevent prefix hijacking. However, this solution has three typical drawbacks. First, the centralized architecture of RPKI introduces single points of failure. Second, to obtain consistent INR information from RPKI, ASes need a long convergence time owing to the disorderly distribution of information. Third, ASes incur a high interaction cost for frequently extracting real-time INR information.

Methods

To address these shortcomings, this study proposes a decentralized internet number resource management system (DINRMS) based on blockchain technology. The proposed system adopts a hierarchical architecture consisting of an autonomy layer and an arbitration layer. DINRMS partitions all ASes on the internet into groups, which form the autonomy layer. The arbitration layer comprises the Internet Assigned Numbers Authority, the five Regional Internet Registries, and representatives elected by each group in the autonomy layer. Each entity in DINRMS has nearly the same influence on the system, so the failure of a single entity does not lead to a serious global breakdown. This architecture also works around the poor scalability of blockchain technology, which otherwise cannot be applied to efficient global INR information management on the internet. A blockchain is maintained within each group to record the INR ownership and prefix-to-AS mapping information of that group. Entities within a group use information from third parties, such as the Whois lookup tool, to check the consistency of INR ownership information. For prefix-to-AS mapping information, entities within a group use routing data from public route collectors to check consistency and then vote on the legitimacy of the information; the information is judged legitimate according to the majority rule. The arbitration layer maintains the global INR ownership information at group granularity together with the prefix-to-AS mapping information. This information is sourced from the representatives elected by each group in the autonomy layer, who mutually supervise and endorse it. The arbitration layer is responsible for arbitrating usage conflicts related to INRs. Finally, DINRMS introduces a heuristic INR information push mechanism based on this architecture and on the dynamics of INR information: INR information is pushed to ASes if a long time has passed since the last push or if many information items have not yet been pushed.
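The two group-level mechanisms described above, majority voting on a prefix-to-AS mapping against route-collector views and the two-condition push heuristic, as an added illustration that is not the paper's code. The route-collector observations, the thresholds, the `Mapping`/`PushScheduler` names and the exact vote rule are assumptions made for this example.

```python
"""Added example (not DINRMS's implementation): group voting on prefix-to-AS
mappings and the heuristic push decision. All data below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class Mapping:
    prefix: str      # e.g. "203.0.113.0/24" (TEST-NET-3, constructed)
    origin_as: int   # e.g. 64500 (documentation ASN range, constructed)


def entity_vote(mapping, collector_view):
    """One group entity's vote: True if its own view of public route-collector
    data (assumed dict prefix -> set of observed origin ASes) shows this
    origin for this prefix. A malformed prefix is always rejected."""
    try:
        ip_network(mapping.prefix, strict=True)
    except ValueError:
        return False
    return mapping.origin_as in collector_view.get(mapping.prefix, set())


def majority_decision(mapping, collector_views):
    """Each entity votes from its own view; the mapping is legitimate only if
    a strict majority of entities agree (majority rule from the abstract)."""
    votes = [entity_vote(mapping, view) for view in collector_views]
    return sum(votes) * 2 > len(votes)


@dataclass
class PushScheduler:
    """Heuristic push: push when the last push is older than max_age seconds
    OR when at least max_pending items are waiting (assumed thresholds)."""
    max_age: float
    max_pending: int
    last_push: float = 0.0
    pending: list = field(default_factory=list)

    def add(self, mapping):
        self.pending.append(mapping)

    def should_push(self, now):
        stale = now - self.last_push >= self.max_age
        backlog = len(self.pending) >= self.max_pending
        return stale or backlog

    def push(self, now):
        """Hand the batch to the ASes and reset the timer and the queue."""
        batch, self.pending = self.pending, []
        self.last_push = now
        return batch
```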

Results

Experimental results show that DINRMS provides secure and trusted INR information for interdomain routing. In addition, the degree of centralization of DINRMS, measured by the Gini coefficient, is 60% lower than that of RPKI. Moreover, DINRMS reduces the convergence time and interaction overhead by more than 50%.

Conclusions

DINRMS manages INRs based on blockchain technology using a decentralized approach. The hierarchical and grouping architecture of DINRMS improves system scalability. The efficient push mechanism based on the dynamics of INR information shortens the convergence time and reduces the interaction overhead for ASes to obtain consistent INR ownership and mapping information.

CLC number: TP393.7 Document code: A Article ID: 1000-0054(2023)09-1366-14

Journal of Tsinghua University (Science and Technology)
Pages 1366-1379
Cite this article:
LI J, XU M, CAO J, et al. Decentralized internet number resource management system based on blockchain technology. Journal of Tsinghua University (Science and Technology), 2023, 63(9): 1366-1379. https://doi.org/10.16511/j.cnki.qhdxxb.2023.21.016


Received: 05 January 2023
Published: 15 September 2023
© Journal of Tsinghua University (Science and Technology). All rights reserved.