Netinfo Security ›› 2017, Vol. 17 ›› Issue (7): 52-58. doi: 10.3969/j.issn.1671-1122.2017.07.008


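  • About the authors:
    Yifang ZHAO (born 1992), male, from Shandong, master's student; main research interest: network information security. Dongmei ZHANG (born 1972), female, from Hebei, associate professor, Ph.D.; main research interests: network security and software security, sensor network security, and emergency communications.

  • Funding:
    National Natural Science Foundation of China [61602052]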

A Network Topology Discovery Algorithm Resistant to Routing Spoofing

Yifang ZHAO, Dongmei ZHANG

  1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
  • Received: 2017-05-11 Online: 2017-07-20 Published: 2020-05-12


Abstract:

Accurate and comprehensive topology information presents the structure and state of the current network directly and effectively to network administrators, so the authenticity, completeness and accuracy of the topology map are essential to network fault management, configuration management and security management. Traditional active probing based on ICMP and ARP places additional load on the network's data plane, and existing IS-IS-based topology discovery algorithms struggle to describe an IP network truthfully and accurately when it is under a routing spoofing attack. This paper proposes a topology discovery algorithm that resists routing spoofing. By analyzing the LSP data carried in IS-IS protocol packets, the algorithm obtains topology information such as the link relationships between routers without affecting the network, and draws a trustworthy, complete base topology map. Suspicious topology changes that appear after the initial map has been drawn are checked for data authenticity by means of PSNP requests, thereby avoiding topology changes caused by routing spoofing attacks. Simulation results show that the algorithm resists routing spoofing attacks and obtains the complete network topology accurately, which verifies the feasibility of the algorithm.

Key words: IS-IS protocol, topology discovery, data authenticity, IP network

CLC number: