拟态防御体系OSPF协议研究及分析

计算机工程与科学 ›› 2023, Vol. 45 ›› Issue (02): 204-214.

拟态防御体系OSPF协议研究及分析

朱绪全1，江逸茗2，马海龙2，包婉宁1，张进1

（1.紫金山实验室，江苏南京 210000;2.国家数字交换系统工程技术研究中心,河南郑州 450000)

收稿日期:2021-12-07 修回日期:2022-03-07 接受日期:2023-02-25 出版日期:2023-02-25 发布日期:2023-02-15

Research and analysis of OSPF protocol in mimic defense system

ZHU Xu-quan1，JIANG Yi-ming2，MA Hai-long2，BAO Wan-ning1，ZHANG Jin1

(1.Purple Mountain Laboratories，Nanjing 210000;
2.National Digital Switching System Engineering and Technology Research Center,Zhengzhou 450000,China)

Received:2021-12-07 Revised:2022-03-07 Accepted:2023-02-25 Online:2023-02-25 Published:2023-02-15

摘要/Abstract

摘要： 网络空间拟态防御技术是一种基于动态异构冗余的新型主动防御技术，通过引入多个异构冗余的执行体，增强广义鲁棒性，通过对多个执行体的策略或者周期性调度，对外呈现特征的不确定性变化，增强安全性。路由协议安全是网络安全的重要组成部分，OSPF协议作为网络空间中部署最广泛、实现最复杂的路由协议，如何实现各异构执行体OSPF协议功能的等价，是支持拟态防御的网络设备亟需解决的问题。首先，科学阐述了拟态防御的设计思想，详细描述了支持拟态防御的路由器的体系结构，论述了OSPF协议在拟态防御体系结构中的处理方法，通过引入OSPF协议代理实现各异构执行体OSPF协议功能的等价，在支持拟态防御的路由器原型样机中验证了该方法的可行性和高性能。最后，结合几种经典的OSPF路由攻击产生的路由器安全风险进行了具体说明及实验验证，实验表明该方法能够有效提高其应对OSPF网络攻击的能力。

关键词: 拟态防御, 路由器, OSPF协议, 异构

Abstract: The mimic defense technology in cyberspace is a new active defense technology based on dynamic heterogeneous redundancy. By introducing multiple heterogeneous redundant executants, the generalized robustness is enhanced. By implementing policies or periodic scheduling for multiple executants, the uncertain changes of characteristics are presented externally to enhance security. The security of routing protocol is an important part of network security. OSPF protocol is the most widely deployed and most complex routing protocol in the real network world. The most urgent problem for network devices that supports mimic defense is how to realize the equivalence of OSPF protocol functions among various heterogeneous implementations. Firstly, the design of mimic defense is described scientifically, the architecture of router supporting mimic defense is described in detail, and the processing method of OSPF protocol in the mimic defense architecture is discussed in depth. The OSPF protocol proxy is introduced to realize the equivalence of OSPF protocol functions among various heterogeneous implementations. The feasibility and effectiveness of this method are verified in a router prototype that supports mimic defense. Finally, the security risks of routers under the conditions of two classic OSPF routing attacks are specifically explained and verified by experiments, which effectively improves the ability to deal with OSPF network attacks.

Key words: mimic defense, router, OSPF protocol, heterogeneous

朱绪全, 江逸茗, 马海龙, 包婉宁, 张进. 拟态防御体系OSPF协议研究及分析[J]. 计算机工程与科学, 2023, 45(02): 204-214.

ZHU Xu-quan, JIANG Yi-ming, MA Hai-long, BAO Wan-ning, ZHANG Jin. Research and analysis of OSPF protocol in mimic defense system[J]. Computer Engineering & Science, 2023, 45(02): 204-214.

[1]	施得君, 李宏亮, 胡舒凯. 基于Clos网络的高阶路由器结构[J]. 计算机工程与科学, 2023, 45(12): 2099-2112.
[2]	梁崇山, 戴艺, 徐炜遐. 一种基于Chiplet集成技术的超高阶路由器设计[J]. 计算机工程与科学, 2022, 44(02): 207-213.
[3]	路文斌，宋新亮，卢宏生，丁亚军. 一种高阶混合互连网络拓扑结构[J]. 计算机工程与科学, 2017, 39(10): 1781-1787.
[4]	杨文祥，董德尊，李存禄，雷斐，孙凯旋，吴际. 一种多级无缓存高阶路由器的设计与实现[J]. 计算机工程与科学, 2017, 39(02): 245-251.
[5]	曹杨，王宝生，张晓哲. 一种虚拟路由器资源映射算法研究[J]. 计算机工程与科学, 2016, 38(10): 1994-2000.
[6]	杨文祥，董德尊，雷斐，李存禄，吴际，孙凯旋. 高阶路由器结构研究综述[J]. 计算机工程与科学, 2016, 38(08): 1517-1523.
[7]	朱成阳，柴燕涛，董德尊，张鹤颖，庞征斌. 一种新的基于预约的拥塞避免机制[J]. J4, 2016, 38(02): 240-248.
[8]	张华南1,2，李石君2，金红2. 无线传感器网络分簇路由节能研究[J]. J4, 2015, 37(10): 1869-1876.
[9]	雷斐,董德尊,廖湘科. SuperStar:一种可扩展高阶互连拓扑结构[J]. J4, 2014, 36(06): 1034-1041.
[10]	史湘君,嵩天. 节能路由器的动态调频策略研究[J]. J4, 2014, 36(03): 433-440.
[11]	肖灿文,戴泽福,张民选. 新型适应性路由器微体系结构研究[J]. J4, 2013, 35(11): 22-26.
[12]	王永庆1,王克非1,肖立权1,刘路1，庞征斌2. 非对称交叉开关优化与设计[J]. J4, 2013, 35(11): 42-47.
[13]	雷斐，董德尊，柴燕涛，王克非，李存禄. 高阶互连网络拓扑结构性能分析与研究[J]. J4, 2013, 35(11): 111-118.
[14]	刘郑，蔡明. 层次型移动IPv6优化方案[J]. J4, 2010, 32(7): 27-29.
[15]	关瑞东, 孙文胜. 支持动态负载均衡的虚拟路由器冗余技术研究与实现[J]. J4, 2010, 32(1): 13-17.