拟态防御体系OSPF协议研究及分析

摘要/Abstract

摘要： 网络空间拟态防御技术是一种基于动态异构冗余的新型主动防御技术，通过引入多个异构冗余的执行体，增强广义鲁棒性，通过对多个执行体的策略或者周期性调度，对外呈现特征的不确定性变化，增强安全性。路由协议安全是网络安全的重要组成部分，OSPF协议作为网络空间中部署最广泛、实现最复杂的路由协议，如何实现各异构执行体OSPF协议功能的等价，是支持拟态防御的网络设备亟需解决的问题。首先，科学阐述了拟态防御的设计思想，详细描述了支持拟态防御的路由器的体系结构，论述了OSPF协议在拟态防御体系结构中的处理方法，通过引入OSPF协议代理实现各异构执行体OSPF协议功能的等价，在支持拟态防御的路由器原型样机中验证了该方法的可行性和高性能。最后，结合几种经典的OSPF路由攻击产生的路由器安全风险进行了具体说明及实验验证，实验表明该方法能够有效提高其应对OSPF网络攻击的能力。

关键词: 拟态防御, 路由器, OSPF协议, 异构

Abstract: The mimic defense technology in cyberspace is a new active defense technology based on dynamic heterogeneous redundancy. By introducing multiple heterogeneous redundant executants, the generalized robustness is enhanced. By implementing policies or periodic scheduling for multiple executants, the uncertain changes of characteristics are presented externally to enhance security. The security of routing protocol is an important part of network security. OSPF protocol is the most widely deployed and most complex routing protocol in the real network world. The most urgent problem for network devices that supports mimic defense is how to realize the equivalence of OSPF protocol functions among various heterogeneous implementations. Firstly, the design of mimic defense is described scientifically, the architecture of router supporting mimic defense is described in detail, and the processing method of OSPF protocol in the mimic defense architecture is discussed in depth. The OSPF protocol proxy is introduced to realize the equivalence of OSPF protocol functions among various heterogeneous implementations. The feasibility and effectiveness of this method are verified in a router prototype that supports mimic defense. Finally, the security risks of routers under the conditions of two classic OSPF routing attacks are specifically explained and verified by experiments, which effectively improves the ability to deal with OSPF network attacks.

Key words: mimic defense, router, OSPF protocol, heterogeneous

朱绪全, 江逸茗, 马海龙, 包婉宁, 张进. 拟态防御体系OSPF协议研究及分析[J]. 计算机工程与科学, 2023, 45(02): 204-214.

ZHU Xu-quan, JIANG Yi-ming, MA Hai-long, BAO Wan-ning, ZHANG Jin. Research and analysis of OSPF protocol in mimic defense system[J]. Computer Engineering & Science, 2023, 45(02): 204-214.

参考文献［20］

［1］	Wu Jiang-xing. Introduction to cyberspace mimic defense［M］.Beijing:Science Press,2017.(in Chinese)
［2］	Pietro R D, Mancini L V. Intrusion detection systems［M］. Berlin:Springer Science & Business Media，2008.
［3］	Panda B K,Pradhan M,Pradhan S K.Intrusion prevention system［M］∥Network Security Attacks and Countermea- sures.Hershey:IGI Global，2016：245-258.
［4］	Oppliger R. Internet security:Firewalls and beyond ［J］.Communications of the ACM，1997，40（5）：92-102.
［5］	Reis C, Barth A, Pizano C. Browser security:Lessons from Google Chrome［J］.Communications of the ACM, 2009,52(8):45-49.
［6］	Perdisci R,Dagon D,Lee W,et al.Misleading worm signature generators using deliberate noise injection［C］∥Proc of IEEE Symposium on Security & Privacy，2006:17-31.
［7］	Shen Chang-xiang, Zhang Da-wei,Liu Ji-qiang,et al.The strategy of TC 3.0:A revolutionary evolution in trusted computing［J］.Strategic Study of Chinese Academy of Engineering,2016,18(6):53-57.(in Chinese)
［8］	Shen Chang-xiang,Chen Xing-shu.Construction of the information security infrastructure based on trusted computing［J］. Journal of Sichuan University(Engineering Sciences Edition)，2014，46（1）：1-7.(in Chinese)
［9］	Jafarian J H,Alshaer E,Duan Q,et al.An effective address mutation approach for disrupting reconnaissance attacks ［J］.IEEE Transactions on Information Forensics and Security，2015，10（12）：2562-2577.
［10］	Jafarian J H,Alshaer E,Duan Q,et al.Adversary-aware IP address randomization for proactive agility against sophisticated attackers［C］∥Proc of International Conference on Computer Communications，2015：738-746.
［11］	Luo Y,Wang B,Cai G,et al.Effectiveness of port hopping as a moving target defense［C］∥Proc of International Workshop on Security，2014：7-10.
［12］	Azab M,Eltoweissy M.ChameleonSoft:Software behavior encryption for moving target defense［J］.Mobile Networks and Applications，2013，18（2）：271-292.
［13］	Ma Hai-long,Jiang Yi-ming,Bai Bing,et al.Tests and analyses for mimic defense ability of routers［J］.Journal of Cyber Security，2017，2（1）：43-53.(in Chinese)
［14］	Song Ke,Liu Qin-rang,Wei Shuai,et al.Endogenous security architecture of Ethernet switch based on mimic defense［J］.Journal on Communications，2020，41（5）：18-26. (in Chinese)
［15］	Sakic E,Deric N,Kellerer W,et al.MORPH:An adaptive framework for efficient and Byzantine fault-tolerant SDN control plane［J］.IEEE Journal on Selected Areas in Communications，2018，36（10）：2158-2174.
［16］	Wu Jiang-xing.Research on cyber mimic defense［J］.Journal of Cyber Security，2016，1（4）：1-10.(in Chinese)
［17］	Wu Jiang-xing. Meaning and vision of mimic computing and mimic security defense［J］.Telecommunications Science,2014,30(7):2-7.(in Chinese)
［18］	Ma Hai-long,Yi Peng,Jiang Yi-ming,et al.Dynamic hete- rogeneous redundancy based router architecture with mimic defenses［J］.Journal of Cyber Security,2017,2(1):29-42.(in Chinese)
［19］	Fan Shuang-jiao.The research of topology discovery and attack detection technology based on OSPF protocol［D］.Beijing:Beijing University of Posts and Telecommunications,2015.(in Chinese)
［20］	Yang Xiao-dong,Liu Yu-zhen,Zhang Huan-guo,et al. Ana- lysis of authentication of OSPF routing protocol［J］.Computer Engineering and Design,2005,26(1):18-21.(in Chinese)
［21］	Moy J. OSPF version 2:RFC 2328［S］.1998-04.
［22］	Nakibly G,Menahem E,Waizel A,et al.Owning the routing table:part II ［C］∥Proc of Black Hat 2013, 2013：1-19.
	附中文参考文献：
［1］	邬江兴.网络空间拟态防御导论（上册）［M］.北京：科学出版社，2017.
［7］	沈昌祥,张大伟,刘吉强,等.可信3.0战略:可信计算的革命性演变［J］.中国工程科学，2016，18（6）：53-57.
［8］	沈昌祥,陈兴蜀.基于可信计算构建纵深防御的信息安全保障体系［J］.四川大学学报(工程科学版),2014,46(1):1-7.
［13］	马海龙,江逸茗,白冰,等.路由器拟态防御能力测试与分析［J］.信息安全学报，2017，2（1）：43-53.
［14］	宋克,刘勤让,魏帅,等.基于拟态防御的以太网交换机内生安全体系结构［J］.通信学报,2020,41(5):18-26.
［16］	邬江兴.网络空间拟态防御研究［J］.信息安全学报，2016，1（4）：1-10.
［17］	邬江兴.拟态计算与拟态安全防御的原意和愿景［J］.电信科学,2014,30(7):2-7.
［18］	马海龙,伊鹏,江逸茗,等.基于动态异构冗余机制的路由器拟态防御体系结构［J］.信息安全学报,2017,2(1):29-42.
［19］	范双娇.基于OSPF协议的拓扑发现与攻击检测技术研究［D］.北京:北京邮电大学,2015.
［20］	杨晓东,刘玉珍,张焕国,等.OSPF路由协议的认证分析［J］.计算机工程与设计,2005,26(1):18-21

[1]	梁崇山, 戴艺, 徐炜遐. 一种基于Chiplet集成技术的超高阶路由器设计[J]. 计算机工程与科学, 2022, 44(02): 207-213.
[2]	路文斌，宋新亮，卢宏生，丁亚军. 一种高阶混合互连网络拓扑结构[J]. 计算机工程与科学, 2017, 39(10): 1781-1787.
[3]	杨文祥，董德尊，李存禄，雷斐，孙凯旋，吴际. 一种多级无缓存高阶路由器的设计与实现[J]. 计算机工程与科学, 2017, 39(02): 245-251.
[4]	曹杨，王宝生，张晓哲. 一种虚拟路由器资源映射算法研究[J]. 计算机工程与科学, 2016, 38(10): 1994-2000.
[5]	杨文祥，董德尊，雷斐，李存禄，吴际，孙凯旋. 高阶路由器结构研究综述[J]. 计算机工程与科学, 2016, 38(08): 1517-1523.
[6]	朱成阳，柴燕涛，董德尊，张鹤颖，庞征斌. 一种新的基于预约的拥塞避免机制[J]. J4, 2016, 38(02): 240-248.
[7]	张华南1,2，李石君2，金红2. 无线传感器网络分簇路由节能研究[J]. J4, 2015, 37(10): 1869-1876.
[8]	雷斐,董德尊,廖湘科. SuperStar:一种可扩展高阶互连拓扑结构[J]. J4, 2014, 36(06): 1034-1041.
[9]	史湘君,嵩天. 节能路由器的动态调频策略研究[J]. J4, 2014, 36(03): 433-440.
[10]	肖灿文,戴泽福,张民选. 新型适应性路由器微体系结构研究[J]. J4, 2013, 35(11): 22-26.
[11]	王永庆1,王克非1,肖立权1,刘路1，庞征斌2. 非对称交叉开关优化与设计[J]. J4, 2013, 35(11): 42-47.
[12]	雷斐，董德尊，柴燕涛，王克非，李存禄. 高阶互连网络拓扑结构性能分析与研究[J]. J4, 2013, 35(11): 111-118.
[13]	刘郑，蔡明. 层次型移动IPv6优化方案[J]. J4, 2010, 32(7): 27-29.
[14]	关瑞东, 孙文胜. 支持动态负载均衡的虚拟路由器冗余技术研究与实现[J]. J4, 2010, 32(1): 13-17.
[15]	吕高锋, 孙志刚, 龚正虎, 杨科. 基于HCM的可扩展路由器体系结构MER[J]. J4, 2009, 31(12): 1-4.