CN117793128A - RPKI relying party cache emergency synchronization method and device based on online cooperation - Google Patents

Info

Publication number: CN117793128A
Authority: CN (China)
Prior art keywords: relying party, rpki, resource library, roa, message
Legal status: Pending
Application number: CN202311831629.6A
Other languages: Chinese (zh)
Inventors: 王宇亮, 班寅虓, 李康, 张嘉富, 滑翠云, 李宗鹏, 徐明伟, 杨波
Current assignee: Quancheng Provincial Laboratory
Original assignee: Quancheng Provincial Laboratory
Application filed by: Quancheng Provincial Laboratory

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an RPKI relying party cache emergency synchronization method and device based on online cooperation, and belongs to the field of router research. In the method, an online cooperation mechanism is created among the relying parties in the same autonomous domain; a main relying party whose ROA information is well synchronized with the repository is elected within the domain, and it stores the ROA information acquired from the repository as a localized ROA information file. A problem relying party can request this localized ROA information file from the main relying party, update its own ROA information cache with it, and issue the cache to the routers it governs, so that a relying party disconnected from the repository can still update its local cache with the latest ROA information. The invention solves the network unreachable fault that occurs when a router cannot acquire ROA information to verify the authenticity of routing information.

Description

RPKI relying party cache emergency synchronization method and device based on online cooperation
Technical Field
The invention relates to an RPKI relying party caching emergency synchronization method and device based on online cooperation, and belongs to the field of router research.
Background
BGP (Border Gateway Protocol) is the standard protocol through which the various ASes (Autonomous Systems) of the Internet exchange routing information. However, since the BGP protocol itself provides no security guarantees, each AS can announce any route to other ASes without the route being verified as correct, which makes BGP extremely vulnerable to malicious attacks such as prefix hijacking. To address the potential network security hazards caused by route hijacking, the IETF (Internet Engineering Task Force) developed and standardized RPKI (Resource Public Key Infrastructure), which aims to provide a secure and reliable authentication system for route exchange between ASes.
RPKI is a hierarchical authentication system designed to cope with route prefix hijacking; by realizing the allocation and verification of ownership of INRs (Internet Number Resources), it has become the technical consensus for solving the current inter-domain routing security problem. At present, RPKI is not only the only standardized route prefix hijacking solution so far, but also a prerequisite for important routing security mechanisms such as BGPsec. The RPKI architecture can be broadly divided into a certificate issuing system, an RPKI repository, and relying parties. The certificate issuing system is responsible for issuing certificates that identify the stepwise allocation relation of INRs, and for issuing ROAs (Route Origin Authorizations) that authorize an AS to originate route advertisements for its own IP prefixes; the RPKI repository stores the authorization certificates and ROAs issued by the certificate issuing system; the relying party extracts these to generate a routing filter table (in the Internet routing system, routing information is exchanged between autonomous systems mainly through the border gateway protocol BGP, which identifies each autonomous system by its ASN), and the routing filter table is issued to the BGP routers through the RTR protocol [RTR] to guide BGP in performing route origin verification. It can be seen that the relying party plays a very important role in the data transmission of the RPKI system: once the relying party is disconnected from the repository, the BGP routers connected to the RP cannot acquire the routing filter table for route origin verification. As RPKI is gradually deployed worldwide, the corresponding data transmission scale increases rapidly, and ensuring the stable operation of RPKI data transmission is of great significance.
The relying party periodically synchronizes the relevant certificates and ROA information from the RPKI repository and verifies them; the ROA information that passes verification is stored in a local cache, and the verified data is distributed to routers to guide BGP in route origin verification, so a plurality of relying parties are often deployed in the same autonomous domain to realize load sharing. Before that, the RPKI repository first synchronizes data to the relying party, and in most cases the two use the mainstream rsync (Remote Synchronize) protocol for data transmission. The rsync protocol has the advantages of high synchronization speed and support for both full and incremental synchronization, and is well suited to data synchronization between a repository and a relying party. However, this transmission mode also makes the relying party susceptible to malicious attacks such as denial of service, so that the relying party cannot obtain data from the repository or is even disconnected from it. In addition, factors such as certificate expiration can also cause the relying party to lose its connection with the repository. Once a relying party is disconnected from the repository, all BGP routers connected to that relying party will no longer initiate verification of the authenticity of routing information, and the networks that pass through those routers also become unreachable.
How to ensure that complete ROA information can still be obtained effectively and in real time when a relying party is maliciously attacked or disconnected from the RPKI repository is the key problem in preventing network unreachable faults caused by a BGP router being unable to obtain ROA information for verifying the authenticity of routing information.
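As an added illustration (not part of the patent text), the following Python sketch shows the route origin verification that the routing filter table described above feeds: each BGP announcement is checked against the relying party's cached ROAs following the RFC 6811 rules (valid, invalid, not-found), and the same announcements are checked again against an empty cache, which is all a relying party has to offer its routers once it has lost the repository. The ROA set and announcements are constructed sample data, and the `ROA` record shape is an assumption of this example.

```python
from ipaddress import ip_network
from typing import Dict, Iterable, List, NamedTuple, Tuple


class ROA(NamedTuple):
    """A validated ROA as the relying party caches it (shape assumed for this example)."""
    prefix: str
    max_length: int
    asn: int


def route_origin_validation(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 ROV over the cached ROA set; returns 'valid', 'invalid' or 'not-found'."""
    route = ip_network(prefix, strict=False)
    covering = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        # a ROA covers the route when the announced prefix lies inside the ROA prefix
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covering = True
        # one matching ROA (same origin AS, length within maxLength) makes the route valid
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covering else "not-found"


def classify_announcements(announcements: List[Tuple[str, int]],
                           roas: Iterable[ROA]) -> Dict[Tuple[str, int], str]:
    """Run ROV over a batch of (prefix, origin ASN) announcements."""
    roas = list(roas)
    return {(p, a): route_origin_validation(p, a, roas) for p, a in announcements}


# constructed sample data: two cached ROAs and five announcements seen by a router
CACHED_ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("198.51.100.0/22", 24, 64497)]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # covered, origin and length match -> valid
    ("192.0.2.0/25", 64496),      # covered, but /25 exceeds maxLength 24 -> invalid
    ("192.0.2.0/24", 64511),      # covered, wrong origin AS -> invalid
    ("198.51.100.0/24", 64497),   # covered by the /22 ROA with maxLength 24 -> valid
    ("203.0.113.0/24", 64499),    # no covering ROA -> not-found
]
```

Calling `classify_announcements(ANNOUNCEMENTS, CACHED_ROAS)` gives the five verdicts noted in the comments; calling it with `[]` in place of the cache returns "not-found" for every announcement, because a relying party without repository data has no ROA to compare against.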
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an RPKI relying party cache emergency synchronization method and device based on online cooperation, which uses an online cooperation mechanism to give a relying party that has been disconnected from the RPKI repository for any reason an economical and efficient way of acquiring ROA information effectively and in real time. In the method, an online cooperation mechanism is created among the relying parties in the same autonomous domain; a primary relying party and a secondary relying party whose ROA information is well synchronized with the RPKI repository are elected from the relying parties in the domain, and they store the ROA information acquired from the RPKI repository as a localized ROA information file. When a relying party in the domain cannot obtain information from the RPKI repository normally and becomes a problem relying party, it requests the localized ROA information file from the primary relying party, uses the file to update its own ROA information cache, and issues the cache to the routers under its control, so that a relying party disconnected from the RPKI repository can still update its local cache with the latest ROA information. The invention enables a relying party disconnected from the RPKI repository to acquire the latest ROA information in real time through emergency synchronization with the other relying parties in the domain, and thereby avoids the network unreachable fault caused by a BGP router being unable to acquire ROA information for verifying the authenticity of routing information.
The invention adopts the following technical scheme:
an RPKI relying party cache emergency synchronization method based on online cooperation comprises the following steps:
S100: after each relying party program is started, it creates a relying party situation table for the autonomous domain and configures its initial values;
S200: the relying party program establishes an RPKI repository monitoring table in each relying party and configures its initial values;
S300: scanning the relying party situation table of the autonomous domain, taking out the IP addresses of the other relying parties, and sending a main relying party election message to every relying party other than itself;
S400: creating a network socket, listening for network data, and preparing to receive messages;
A network socket is the endpoint of bidirectional communication between application processes on different hosts in a network, and provides the mechanism by which application layer processes exchange data over a network protocol. It lets programmers implement network communication in applications so that two computers can be connected through a network and exchange data. A socket connects upward to the application process and downward to the network protocol stack: it is the interface through which an application communicates over a network protocol and interacts with the protocol stack. In socket programming, a socket corresponds to an endpoint of each party to the communication, through which the data to be sent is transferred. In the TCP protocol, the server must actively listen for connection requests from clients; the network socket therefore listens for network data so that the server side can receive and process client connection requests.
S500: the relying party receives a main relying party election message sent in S300 and compares the ROA information timestamp in the message with the ROA information timestamp of its own RPKI repository monitoring table; if the timestamp in its monitoring table is larger than the timestamp in the message, S501 is entered; otherwise the election message is ignored and the program returns to S400;
S501: scanning the relying party situation table of the autonomous domain for the table entry whose relying party IP address matches the relying party IP address carried in the election message received in S500, setting the timestamp field of that entry to the timestamp at which the sending relying party last obtained ROA information from the RPKI repository (as carried in the message), and adding 1 to the counter field of that entry;
S502: scanning the relying party situation table of the autonomous domain (each table entry corresponds to one relying party), setting the type flags of all entries to 0, recording the relying party entry whose timestamp is closest to the current time, setting the type flag of that entry to 1 after the scan is complete, that is, determining it to be the main relying party, and returning to S400;
S600: the relying party program of every relying party sends a message requesting ROA information to the RPKI repository, scans the RPKI repository monitoring table to obtain its record, and sets a 5-second timer; if the ROA information sent by the RPKI repository is received before the timer expires, the ROA information is taken out of the message and step S601 is executed; if no message has been received when the timer expires, step S602 is executed;
S601: using the RPKI repository monitoring table record obtained in step S600, setting its timestamp field to the current system time, adding 1 to its disconnection alarm threshold field, updating the relying party's local cache with the ROA information taken out in step S600, and storing that information as a localized ROA information file;
S602: using the RPKI repository monitoring table record obtained in step S600, subtracting 1 from its disconnection alarm threshold field;
S700: taking out the disconnection alarm threshold from the RPKI repository monitoring table record obtained in step S600; if the threshold is less than or equal to 0, the relying party corresponding to the record is a problem relying party and step S701 is executed; if it is greater than zero, step S702 is executed;
S701: scanning the relying party situation table of the autonomous domain, taking out the record whose type flag field is 1, that is, the record of the main relying party, taking out the main relying party's IP address, sending to that address a request message for the localized ROA information file stored in step S601, and returning to step S400 to continue execution;
S702: setting a 5-second timer and, after it expires, returning to S600 in sequence;
S800: if the relying party program receives a response message carrying the localized ROA information stored in step S601, it extracts the main relying party IP address and the localized ROA information from the message and looks the IP address up in the relying party situation table of the autonomous domain; if a record is found and its type flag field is 1, step S801 is executed, otherwise step S802 is executed;
S801: updating the relying party's local ROA cache with the localized ROA information obtained in step S800;
S802: ignoring the received localized ROA information response message;
S900: setting a 5-second timer and, after it expires, returning to step S600 to continue execution.
In the invention, the purpose of steps S600 to S700 is to identify the problem relying party, and steps S700 to S800 perform the emergency synchronization of the problem relying party; step S800, however, runs independently even when there is no problem relying party.
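The following Python simulation is an added example, not code from the patent; it walks three constructed relying parties through steps S100 to S900 as listed above (and repeated in Example 1 below): table initialization, the election exchange, the disconnection alarm threshold counting down after repeated repository timeouts, the request to the elected main relying party, and the S800 check that discards a localized ROA response whose sender is not the recorded main relying party. The timestamp comparison of S500 is implemented exactly as the text states it. Message shapes, IP addresses, ROA contents and the use of in-process calls in place of sockets and 5-second timers are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SituationEntry:         # one row of the relying party situation table (S100)
    ip: str
    timestamp: int = 0        # last time this RP fetched ROA data from the repository
    counter: int = 0          # election messages received from this RP
    is_primary: bool = False  # type flag: True (1) marks the main relying party


@dataclass
class MonitorTable:           # RPKI repository monitoring table (S200)
    timestamp: int = 0        # last successful communication with the repository
    threshold: int = 5        # disconnection alarm threshold, initialised to 5


class RelyingParty:
    def __init__(self, ip: str, domain_ips: List[str]) -> None:
        self.ip = ip
        self.situation = {p: SituationEntry(p) for p in domain_ips}  # S100
        self.situation[domain_ips[0]].is_primary = True              # first record flagged 1
        self.monitor = MonitorTable()                                # S200
        self.roa_cache: Dict[str, int] = {}               # cache issued to this RP's routers
        self.local_file: Optional[Dict[str, int]] = None  # localized ROA information file (S601)

    def election_message(self) -> dict:
        """S300: the message carries the sender's IP and its last ROA sync timestamp."""
        return {"ip": self.ip, "timestamp": self.monitor.timestamp}

    def receive_election(self, msg: dict) -> bool:
        """S500-S502; returns True when the message was recorded."""
        # S500, applied as the page states it: record the sender only when the
        # receiver's own sync timestamp is larger than the one in the message.
        if self.monitor.timestamp <= msg["timestamp"]:
            return False
        entry = self.situation.get(msg["ip"])
        if entry is None:
            return False
        entry.timestamp = msg["timestamp"]  # S501
        entry.counter += 1
        for e in self.situation.values():   # S502: clear every type flag, then mark
            e.is_primary = False            # the record with the newest timestamp
        max(self.situation.values(), key=lambda e: e.timestamp).is_primary = True
        return True

    def sync_from_repository(self, reply: Optional[Dict[str, int]], now: int) -> bool:
        """S600-S602; reply=None models the 5-second timer expiring with no answer."""
        if reply is None:
            self.monitor.threshold -= 1     # S602
            return False
        self.monitor.timestamp = now        # S601
        self.monitor.threshold += 1
        self.roa_cache = dict(reply)
        self.local_file = dict(reply)
        return True

    def is_problem(self) -> bool:
        """S700: a threshold of 0 or less marks this RP as a problem relying party."""
        return self.monitor.threshold <= 0

    def primary_ip(self) -> Optional[str]:
        """S701: the IP address of the record whose type flag is set."""
        return next((e.ip for e in self.situation.values() if e.is_primary), None)

    def receive_localized_roa(self, msg: dict) -> bool:
        """S800-S802: accept the file only from the RP this table records as primary."""
        entry = self.situation.get(msg["ip"])
        if entry is None or not entry.is_primary:
            return False                    # S802: ignore the response
        self.roa_cache = dict(msg["roa"])   # S801: update the local ROA cache
        return True


def run_election(rps: List[RelyingParty]) -> None:
    """Each RP sends its election message to every other RP (S300 / S500)."""
    for sender in rps:
        msg = sender.election_message()
        for receiver in rps:
            if receiver is not sender:
                receiver.receive_election(msg)


def simulate() -> dict:
    """Three constructed RPs; RP3 loses the repository and recovers from the primary."""
    ips = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    rps = {ip: RelyingParty(ip, ips) for ip in ips}
    roas_v1 = {"192.0.2.0/24": 64496}                             # constructed ROA sets
    roas_v2 = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497}
    for ip, t in (("10.0.0.1", 100), ("10.0.0.2", 120), ("10.0.0.3", 130)):
        rps[ip].sync_from_repository(roas_v1, now=t)
    run_election(list(rps.values()))
    rps["10.0.0.2"].sync_from_repository(roas_v2, now=200)        # primary refreshes its file
    rp3, failures = rps["10.0.0.3"], 0
    while not rp3.is_problem():                                    # S600 -> S602 -> S702 loop
        rp3.sync_from_repository(None, now=300 + failures)
        failures += 1
    primary = rps[rp3.primary_ip()]                                # S701
    rogue = {"ip": "10.0.0.1", "roa": {"203.0.113.0/24": 64499}}  # not RP3's elected primary
    rogue_accepted = rp3.receive_localized_roa(rogue)              # S802 path
    accepted = rp3.receive_localized_roa({"ip": primary.ip, "roa": primary.local_file})
    return {"primary_of_rp3": primary.ip, "failures": failures, "rogue_accepted": rogue_accepted,
            "accepted": accepted, "rp3_cache": rp3.roa_cache}
```

Running `simulate()` shows RP3 electing 10.0.0.2 (the freshest sender it was allowed to record under S500), needing six consecutive timeouts to drive its threshold from 6 to 0, refusing the response from 10.0.0.1 because that address is not flagged as primary in its table, and ending with the newer ROA set from the primary's localized file in its cache.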
Preferably, in step S100, the relying party situation table of the autonomous domain includes a relying party IP address, a timestamp, a counter, and a type flag, where the relying party IP address is the host IP address on which the relying party software runs in the autonomous domain, the timestamp is the time of the last communication between that relying party and the RPKI repository, the counter is the number of communications with that relying party, and the type flag is the type to which the relying party belongs, with 1 indicating the main relying party;
when the relying party program starts, it creates the situation table with one record for each relying party in the autonomous domain: the relying party IP address is initialized to that relying party's IP address in the autonomous domain, the timestamp of the last ROA information update is initialized to 0, the counter is initialized to 0, and the type flag of the first record is initialized to 1 while those of the other records are initialized to 0.
Preferably, in step S200, the RPKI repository monitoring table includes a timestamp and a disconnection alarm threshold, where the timestamp is the time of the last communication between the current relying party and the RPKI repository, and the disconnection alarm threshold is the maximum number of connection failures the current relying party may accumulate while attempting to connect to the RPKI repository;
when initial values are configured, the timestamp is initialized to 0 and the disconnection alarm threshold to 5; as long as the relying party program can keep its connection with the RPKI repository, the RPKI repository monitoring table remains visible; otherwise, all fields of the RPKI repository monitoring table are reinitialized.
Preferably, in step S300, the main relying party election message includes the IP address of the relying party sending the election message and the timestamp at which that relying party last obtained ROA information from the RPKI repository.
An RPKI relying party cache emergency synchronization device based on online cooperation comprises an RPKI repository, relying parties and routers, where the relying parties are used to execute the above RPKI relying party cache emergency synchronization method based on online cooperation. The main relying party stores the ROA information acquired from the RPKI repository as a localized ROA information file; when a relying party in the same autonomous domain cannot obtain information from the RPKI repository normally and becomes a problem relying party, the problem relying party can request the localized ROA information file from the main relying party, update its own ROA information cache with it, and issue it to the routers under its control.
Matters not described in detail in the invention can be found in the prior art.
The beneficial effects of the invention are as follows:
according to the invention, an online cooperation mechanism is created among the relying parties in the same autonomous domain; a main relying party whose ROA information is well synchronized with the RPKI repository is elected from the relying parties in the domain, and it stores the ROA information acquired from the RPKI repository as a localized ROA information file. When a relying party in the domain cannot obtain information from the RPKI repository normally and becomes a problem relying party, it requests the localized ROA information file from the main relying party, uses the file to update its own ROA information cache, and issues it to the routers under its jurisdiction, so that a relying party disconnected from the RPKI repository can still update its local cache with the latest ROA information. The invention enables a relying party disconnected from the RPKI repository to acquire the latest ROA information in real time through emergency synchronization with the other relying parties in the domain, and thereby avoids the network unreachable fault caused by a BGP router being unable to acquire ROA information for verifying the authenticity of routing information.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application.
FIG. 1 is a schematic diagram of an RPKI relying party caching emergency synchronization method and device topology based on online collaboration;
FIG. 2 is a schematic diagram of a relying party case entry within an autonomous domain;
FIG. 3 is a schematic diagram of an RPKI repository monitoring table;
FIG. 4 is a schematic diagram of a primary relying party selection report;
FIG. 5 is a message diagram of obtaining ROA information from an RPKI repository;
FIG. 6 is a schematic diagram of a request message for obtaining localized ROA information;
FIG. 7 is a flowchart of a relying party program.
Detailed Description
In order to better understand the technical solutions in the present specification, the following description clearly and completely describes the technical solutions in the embodiments of the invention in conjunction with the drawings; the invention is not limited to these embodiments, and matters not fully described in the invention follow conventional technology in the art.
The topology of the RPKI relying party cache emergency synchronization method and device based on online cooperation is shown in FIG. 1, which is also the application scenario diagram of the invention: the left side of the figure is the Internet number resource allocation framework, marking where the invention acts within that framework; the right side shows the invention acting on the routers in an autonomous domain, where each relying party program in the autonomous domain acquires authentication information data from the RPKI repository and sends it to each router in the autonomous domain.
IANA on the left side of the figure is the Internet Assigned Numbers Authority, the body responsible for the global allocation of IP addresses and ASNs, the management of the DNS root zone, and protocol assignments.
RIPE NCC is the abbreviation of "Réseaux IP Européens Network Coordination Centre", the European network coordination center.
AFRINIC stands for the African Network Information Centre.
APNIC is the Asia Pacific Network Information Centre.
LACNIC is the Latin America and Caribbean Network Information Centre, an international non-governmental organization established in Uruguay in 2002. It is responsible for allocating and managing Internet number resources (IPv4 and IPv6 addresses), autonomous system numbers, reverse resolution and other resources for the Latin American and Caribbean region.
ARIN stands for the American Registry for Internet Numbers, the registry responsible for managing IP addresses and Autonomous System Numbers (ASNs) in North America and parts of the Caribbean.
An LIR is a Local Internet Registry, responsible for managing and assigning IP addresses and AS numbers to local Internet Service Providers (ISPs). Under an RIR, the LIR is generally responsible for assigning IP addresses and AS numbers to ISPs and assisting them with address registration and updates.
An NIR is a National Internet Registry, a non-governmental organization responsible for managing the assignment of IP addresses and AS numbers to the Internet service providers of its area. An NIR generally cooperates with the RIR to ensure the reasonable allocation and management of IP addresses and AS numbers.
The ISP under the LIR in the figure is an Internet Service Provider, which offers services such as dial-up access, web browsing, file download and e-mail, and is the entrance and bridge through which end users reach the Internet.
The schematic diagram of the relying party situation table entry of the autonomous domain is shown in FIG. 2. Each relying party occupies one table entry, and each table entry consists of a relying party IP address occupying 32 bits, a timestamp of the ROA information last acquired by that relying party from the RPKI repository occupying 32 bits, a counter occupying 16 bits and a type flag occupying 1 bit.
The schematic diagram of the RPKI repository monitoring table entry is shown in FIG. 3. It consists of two fields: a 32-bit timestamp of the last communication between the current relying party and the RPKI repository, and an 8-bit disconnection alarm threshold.
The schematic diagram of the main relying party election message is shown in FIG. 4. The message consists of a 32-bit timestamp field and a 32-bit field carrying the timestamp of the last communication between the current relying party and the RPKI repository.
The schematic diagram of the message for acquiring ROA information from the RPKI repository is shown in FIG. 5. It consists of two fields: a 32-bit main relying party IP address and a 32-bit localized ROA information field.
The schematic diagram of the request message for obtaining localized ROA information is shown in FIG. 6. The request consists of a message header and a data portion; the header is exemplified by an IPv4 header, which commonly occupies 20 bytes, and the message type field marking this as a request for localized ROA information occupies 2 bits.
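As an added example (not from the patent), the fixed-width layouts of FIG. 2 and FIG. 3 and the election message are encoded and decoded below with Python's `struct` module. Field order, big-endian byte order, carrying the 1-bit type flag in the low bit of a padding byte, and treating the election message's two 32-bit fields as the sender IP address and last-sync timestamp of step S300 are assumptions made here. The decoder rejects buffers whose length does not match the layout and fields that overflow their width, which is the check a receiver should make before trusting a table dump or message from a peer relying party.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# Wire layouts taken from the figure descriptions; order, endianness and the
# flag byte are assumptions of this example ("!" = network byte order, no padding).
SITUATION_ENTRY = struct.Struct("!IIHB")  # ip(32) timestamp(32) counter(16) flags(8, bit0 = type)
MONITOR_ENTRY = struct.Struct("!IB")      # timestamp(32) disconnection alarm threshold(8)
ELECTION_MSG = struct.Struct("!II")       # sender ip(32) last ROA sync timestamp(32)


@dataclass
class SituationEntry:
    ip: str
    timestamp: int
    counter: int
    is_primary: bool


def pack_situation_entry(e: SituationEntry) -> bytes:
    """Serialise one FIG. 2 entry; struct.error is raised if a field overflows its width."""
    return SITUATION_ENTRY.pack(int(IPv4Address(e.ip)), e.timestamp, e.counter, int(e.is_primary))


def unpack_situation_entry(buf: bytes) -> SituationEntry:
    ip, ts, counter, flags = SITUATION_ENTRY.unpack(buf)   # raises on wrong length
    return SituationEntry(str(IPv4Address(ip)), ts, counter, bool(flags & 1))


def entry_fits_layout(e: SituationEntry) -> bool:
    """True if every field fits its wire width (e.g. counter <= 65535, valid IPv4)."""
    try:
        pack_situation_entry(e)
        return True
    except (struct.error, ValueError, OverflowError):
        return False


def pack_monitor_entry(timestamp: int, threshold: int) -> bytes:
    """Serialise the FIG. 3 record; the 8-bit threshold is unsigned, so it must be 0..255."""
    if not 0 <= threshold <= 255:
        raise ValueError("disconnection alarm threshold must fit in 8 unsigned bits")
    return MONITOR_ENTRY.pack(timestamp, threshold)


def unpack_monitor_entry(buf: bytes) -> Tuple[int, int]:
    return MONITOR_ENTRY.unpack(buf)


def pack_election(sender_ip: str, last_sync: int) -> bytes:
    return ELECTION_MSG.pack(int(IPv4Address(sender_ip)), last_sync)


def unpack_election(buf: bytes) -> Tuple[str, int]:
    if len(buf) != ELECTION_MSG.size:
        raise ValueError(f"election message must be exactly {ELECTION_MSG.size} bytes")
    ip, ts = ELECTION_MSG.unpack(buf)
    return str(IPv4Address(ip)), ts


def parse_situation_table(buf: bytes) -> List[SituationEntry]:
    """Split a table dump into entries, rejecting trailing bytes that form no whole entry."""
    size = SITUATION_ENTRY.size
    if len(buf) % size:
        raise ValueError("situation table length is not a multiple of the entry size")
    return [unpack_situation_entry(buf[i:i + size]) for i in range(0, len(buf), size)]
```

With these layouts a situation table entry is 11 bytes, a monitoring record 5 bytes and an election message 8 bytes; a counter above 65535 or a threshold outside 0..255 cannot be encoded, which is worth remembering since steps S601 and S602 adjust both values without bounds.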
Example 1
An RPKI relying party cache emergency synchronization method based on online cooperation, as shown in FIG. 7, comprises the following steps:
s100: after each relying party program is started, creating a relying party condition table in an autonomous domain and configuring an initial value;
s200: the relying party program establishes an RPFI resource library monitoring table in each relying party and configures an initial value;
s300: scanning a relying party condition table in an autonomous domain, taking out the IP address of the relying party, and sending a main relying party election message to relying parties except the relying party;
s400: creating a network socket, monitoring network data, and preparing to receive a message;
network sockets play a very important role in computer networks, being endpoint communication components in computer networks. The system is an endpoint for bidirectional communication between application processes on different hosts in a network, and provides a mechanism for application layer processes to exchange data by using a network protocol. It allows programmers to implement network communications in applications so that two computers can be connected together via a network and exchange data. A web socket is the end of a network where processes communicate, providing a mechanism for application layer processes to exchange data using a network protocol. The method is connected with an application process in an upper mode and connected with a network protocol stack in a lower mode, and is an interface for an application program to communicate through a network protocol and an interface for the application program to interact with the network protocol stack. In socket programming in general, a socket corresponds to an endpoint of both parties of a communication through which data to be sent may be transferred. In the TCP protocol, the server needs to actively monitor the connection request from the client. Thus, the network socket may listen to the network data to enable the server side to receive and process client connection requests.
S500: the relying party receives the main relying party election message sent by S300, compares the ROA information time stamp of the message with the ROA information time stamp of the RPFI monitoring table in the receiving message relying party, and if the value of the ROA information time stamp of the RPFI monitoring table of the receiving message relying party is larger than the value of the time stamp of the message, the S501 is entered; otherwise, the selected report message information is ignored and returned to S400;
s501: scanning a relying party condition table in an autonomous domain, finding a table entry record under the same relying party IP address as the relying party IP address of the selective report received in S500, assigning a time stamp in the table entry record as a time stamp value of ROA information obtained from an RPKI resource library for the last time of the selective report received in S500, and adding 1 to a counter of the table entry record; the method comprises the steps of utilizing a relying party IP address field extracted from a message in step S500 to scan a relying party situation table in an autonomous domain, finding a table entry record matched with the relying party IP address in the relying party situation table in the autonomous domain, utilizing a latest update ROA information timestamp extracted from the message in step S500 to update a timestamp field in the table entry record, and adding 1 to a counter field in the record;
s502: scanning a relying party situation table in an autonomous domain (each table entry of the relying party situation table in the autonomous domain corresponds to one relying party situation, namely, all relying party type marks of the relying party situation table in which a relying party program is currently executed are set to 0), setting the values of the type marks of all table entries to 0, recording a relying party record in the autonomous domain, the timestamp of which is closest to the current time, after scanning is completed, setting the value of the type mark of the record to 1, namely, determining the record as a main relying party, and returning to S400;
The relying party program runs on each relying party; every relying party program performs steps S500-S502 following the flow of fig. 7, and there is no fixed order in which the relying parties compare and update their tables.
S600: the relying party program of every relying party sends a message requesting ROA information to the RPKI resource library, scans the RPKI resource library monitoring table to obtain its record, and sets a 5-second timer; if the ROA information sent by the RPKI resource library is received before the timer expires, the ROA information is taken out of the message and step S601 is executed; if no message has been received when the timer expires, step S602 is executed;
S601: using the RPKI resource library monitoring table record obtained in step S600, setting its timestamp field to the current system time, adding 1 to its disconnection warning threshold field (namely adding 1 to the disconnection warning threshold), updating the relying party's local cache with the ROA information taken out in step S600, and storing that information as a localized ROA information file;
S602: using the RPKI resource library monitoring table record obtained in step S600, subtracting 1 from its disconnection warning threshold field (namely subtracting 1 from the disconnection warning threshold);
S700: using the RPKI resource library monitoring table record obtained in step S600, taking out the value of the disconnection warning threshold field; if the disconnection warning threshold is less than or equal to 0, the relying party corresponding to the record is a problem relying party and step S701 is executed; if it is greater than zero, step S702 is executed;
S701: scanning the relying party situation table in the autonomous domain, taking out the record whose type mark field is 1, namely the record of the main relying party, taking out the IP address of the main relying party, sending to that address a request message for the localized ROA information file stored in step S601, and returning to step S400 to continue execution;
S702: setting a 5-second timer and returning to S600 after the timer expires;
S800: if the relying party program receives a response message carrying the localized ROA information stored in step S601, it extracts the main relying party IP address and the localized ROA information from the message and scans the relying party situation table in the autonomous domain using that IP address; if a record is found and its type mark field is 1, step S801 is executed; otherwise step S802 is executed;
s801: updating the local ROA cache of the relying party by using the localized ROA information acquired in the step S800;
s802: ignoring the received response message for acquiring the localized ROA information;
s900: a timer of 5 seconds is set, and after the timer expires, the process returns to step S600 to continue execution.
As shown in fig. 7, the relying party program starts and proceeds step by step in the order of the flowchart. S500, S600 and S800 are executed in parallel after S400. As long as no unexpected interruption occurs (a crash caused by a power failure, a programming defect such as a memory leak, and the like), the program always advances as the flowchart shows; as can be seen from FIG. 7, the program is a loop that finally returns to S400 and executes cyclically to perform emergency synchronization of the cache.
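The following is an added simulation of the procedure of steps S100-S900 together with the two tables defined in claims 2 and 3; it is not code from the patent, and the class names, field names, message dictionaries and the sample ROA payloads (documentation prefixes and private AS numbers) are assumptions. Timers are not simulated: each call represents the outcome of one 5-second poll or one received message.

```python
"""Simulation of the relying party (RP) cooperation state machine of steps
S100-S900 and the two tables of claims 2 and 3. Added example, not the patent's
code: class and field names, message dicts and sample ROA payloads are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

INITIAL_ALARM_THRESHOLD = 5   # claim 3: disconnection alarm threshold starts at 5


@dataclass
class RpEntry:
    """One row of the intra-autonomous-domain RP situation table (claim 2)."""
    ip: str
    timestamp: int = 0    # last time this RP obtained ROA information
    counter: int = 0      # election messages received from this RP
    type_flag: int = 0    # 1 = main relying party


@dataclass
class RepoMonitor:
    """RPKI resource library monitoring table of one RP (claim 3)."""
    timestamp: int = 0
    alarm_threshold: int = INITIAL_ALARM_THRESHOLD


class RelyingParty:
    def __init__(self, ip: str, peer_ips: List[str]) -> None:
        self.ip = ip
        self.monitor = RepoMonitor()
        self.roa_cache: Dict[str, int] = {}      # prefix -> origin AS (assumed shape)
        self.localized_file: Optional[Dict[str, int]] = None
        # S100: one row per RP in the domain; the first record starts as main RP.
        self.situation: Dict[str, RpEntry] = {
            rp: RpEntry(ip=rp, type_flag=1 if i == 0 else 0)
            for i, rp in enumerate([ip] + peer_ips)}

    def election_message(self) -> dict:
        # S300: sender IP plus timestamp of the ROA information last obtained.
        return {"type": "election", "ip": self.ip, "ts": self.monitor.timestamp}

    def on_election_message(self, msg: dict) -> bool:
        # S500, comparison exactly as the description states it: the message is
        # processed only when the receiver's own timestamp is the larger one.
        if not self.monitor.timestamp > msg["ts"]:
            return False
        entry = self.situation.get(msg["ip"])
        if entry is None:
            return False                   # sender is not an RP of this domain
        entry.timestamp = msg["ts"]        # S501: refresh the sender's row
        entry.counter += 1
        for e in self.situation.values():  # S502: clear flags, elect freshest row
            e.type_flag = 0
        max(self.situation.values(), key=lambda e: e.timestamp).type_flag = 1
        return True

    def main_rp_ip(self) -> Optional[str]:
        return next((e.ip for e in self.situation.values() if e.type_flag == 1), None)

    def on_poll_result(self, roa: Optional[Dict[str, int]], now: int) -> None:
        # One S600 poll: ROA payload received (S601) or timer expired (S602).
        if roa is None:
            self.monitor.alarm_threshold -= 1
            return
        self.monitor.timestamp = now
        self.monitor.alarm_threshold += 1
        self.roa_cache = dict(roa)
        self.localized_file = dict(roa)    # the file a problem RP may request

    def check_disconnection(self) -> Optional[dict]:
        # S700: threshold <= 0 makes this a problem RP and S701 builds the request
        # to the elected main RP; otherwise S702 (wait, re-poll) yields None.
        if self.monitor.alarm_threshold <= 0:
            return {"type": "roa_request", "from": self.ip, "to": self.main_rp_ip()}
        return None

    def on_roa_response(self, msg: dict) -> bool:
        # S800-S802: accept only if the sender's row carries type flag 1.
        entry = self.situation.get(msg["ip"])
        if entry is None or entry.type_flag != 1:
            return False                   # S802: ignore the response
        self.roa_cache = dict(msg["roa"])  # S801: overwrite the local cache
        return True


def run_scenario() -> dict:
    """Two RPs in one domain; RP B loses the repository and recovers from RP A."""
    a = RelyingParty("10.0.0.1", ["10.0.0.2"])
    b = RelyingParty("10.0.0.2", ["10.0.0.1"])
    a.on_poll_result({"192.0.2.0/24": 64496}, now=100)            # constructed ROA
    b.on_poll_result({"192.0.2.0/24": 64496, "198.51.100.0/24": 64497}, now=200)
    b.on_election_message(a.election_message())   # processed: 200 > 100
    a.on_election_message(b.election_message())   # ignored: 100 > 200 is false
    for _ in range(6):                            # threshold 6 -> 0 after 6 timeouts
        b.on_poll_result(None, now=300)
    req = b.check_disconnection()
    resp = {"type": "roa_response", "ip": a.ip, "roa": a.localized_file}  # A answers
    accepted = b.on_roa_response(resp)
    spoofed = b.on_roa_response({"type": "roa_response", "ip": "10.0.0.9", "roa": {}})
    return {"main_seen_by_b": b.main_rp_ip(), "request": req,
            "accepted": accepted, "spoofed_accepted": spoofed, "cache": b.roa_cache}
```

Two points worth checking against the simulation. First, the direction of the S500 comparison is implemented as the description prints it (a message is processed only when the receiver's own timestamp is larger), which is what drives the election result in run_scenario; an implementer should confirm that direction against the original text before relying on it. Second, S800 accepts the localized ROA file solely because the source IP matches the row flagged as main, and S801 then overwrites the local cache with that file even when the problem relying party's own cache is newer; the description specifies no integrity or authenticity protection for the transfer, so a deployment should carry the request and response over an authenticated channel and log every cache overwrite performed through this path.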
Example 2
An RPKI relying party cache emergency synchronization device based on online cooperation comprises an RPKI resource library, relying parties and routers. The relying parties execute the RPKI relying party cache emergency synchronization method based on online cooperation of embodiment 1; the main relying party saves the ROA information acquired from the RPKI resource library into a localized ROA information file; when a relying party in the same autonomous domain cannot normally acquire information from the RPKI resource library and becomes a problem relying party, the problem relying party can request the localized ROA information file of the main relying party, update its own ROA information cache with it, and issue the ROA information to the routers under its control.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (5)

1. An RPKI relying party caching emergency synchronization method based on online cooperation is characterized by comprising the following steps:
s100: after each relying party program is started, creating a relying party condition table in an autonomous domain and configuring an initial value;
s200: the relying party program establishes an RPKI resource library monitoring table in each relying party and configures an initial value;
s300: scanning a relying party condition table in an autonomous domain, taking out the IP address of the relying party, and sending a main relying party election message to relying parties except the relying party;
s400: creating a network socket, monitoring network data, and preparing to receive a message;
s500: the relying party receives the main relying party election message sent in S300 and compares the ROA information timestamp carried in the message with the ROA information timestamp in its own RPKI resource library monitoring table; if the timestamp in the receiving relying party's RPKI resource library monitoring table is larger than the timestamp in the message, S501 is entered; otherwise the election message is ignored and the process returns to S400;
s501: scanning the relying party situation table in the autonomous domain, finding the table entry record whose relying party IP address is the same as the relying party IP address of the election message received in S500, setting the timestamp of that record to the timestamp of the ROA information last obtained from the RPKI resource library as carried in the election message received in S500, and adding 1 to the counter of that record;
s502: scanning the relying party situation table in the autonomous domain, setting the type marks of all entries to 0, recording after the scan the relying party entry whose timestamp is closest to the current time, setting the type mark of that entry to 1, namely determining that relying party as the main relying party, and returning to S400;
s600: the relying party program of every relying party sends a message requesting ROA information to the RPKI resource library, scans the RPKI resource library monitoring table to obtain its record, and sets a 5-second timer; if the ROA information sent by the RPKI resource library is received before the timer expires, the ROA information is taken out of the message and step S601 is executed; if no message has been received when the timer expires, step S602 is executed;
s601: using the RPKI resource library monitoring table record obtained in step S600, setting its timestamp field to the current system time, adding 1 to its disconnection alarm threshold field, updating the relying party's local cache with the ROA information taken out in step S600, and storing a localized ROA information file;
s602: using the RPKI resource library monitoring table record obtained in step S600, subtracting 1 from its disconnection warning threshold field;
s700: using the RPKI resource library monitoring table record obtained in step S600, taking out the value of the disconnection warning threshold field; if the disconnection warning threshold is less than or equal to 0, the relying party corresponding to the record is a problem relying party and step S701 is executed; if it is greater than zero, step S702 is executed;
s701: scanning the relying party situation table in the autonomous domain, taking out the record whose type mark field is 1, namely the record of the main relying party, taking out the IP address of the main relying party, sending to that address a request message for the localized ROA information file stored in step S601, and returning to step S400 to continue execution;
s702: setting a 5-second timer and returning to S600 after the timer expires;
s800: if the relying party program receives a response message carrying the localized ROA information stored in step S601, it extracts the main relying party IP address and the localized ROA information from the message and scans the relying party situation table in the autonomous domain using that IP address; if a record is found and its type mark field is 1, step S801 is executed; otherwise step S802 is executed;
s801: updating the local ROA cache of the relying party by using the localized ROA information acquired in the step S800;
s802: ignoring the received response message for acquiring the localized ROA information;
s900: a timer of 5 seconds is set, and after the timer expires, the process returns to step S600 to continue execution.
2. The RPKI relying party caching emergency synchronization method based on online cooperation according to claim 1, wherein in step S100 the relying party situation table in the autonomous domain includes a relying party IP address, a timestamp, a counter and a type flag, wherein the relying party IP address is the IP address of a host running the relying party software in the autonomous domain, the timestamp is the last time the current relying party communicated with the RPKI resource library, the counter is the number of times the current relying party has communicated, the type flag is the type to which the current relying party belongs, and 1 indicates that the relying party is the main relying party;
when the relying party program starts it creates a relying party situation table in the autonomous domain for each relying party; the relying party IP address is initialized to the relying party's IP address in the autonomous domain, the timestamp of the last ROA information update is initialized to 0, the counter is initialized to 0, and the type mark of the first record is initialized to 1 while those of the other records are initialized to 0.
3. The RPKI relying party cache emergency synchronization method based on online cooperation of claim 2, wherein in step S200 the RPKI resource library monitoring table includes a timestamp and a disconnection alarm threshold, wherein the timestamp is the time of the last communication between the current relying party and the RPKI resource library, and the disconnection alarm threshold is the maximum number of failed attempts by the current relying party to connect to the RPKI resource library;
when the initial values are configured, the timestamp is initialized to 0 and the disconnection alarm threshold is initialized to 5; if the relying party program can keep its connection with the RPKI resource library, the RPKI resource library monitoring table is visible; otherwise, all fields in the RPKI resource library monitoring table are reinitialized.
4. The RPKI relying party caching emergency synchronization method based on online cooperation of claim 3, wherein in step S300 the main relying party election message includes the IP address of the relying party sending the election message and the timestamp of the ROA information last obtained from the RPKI resource library by that relying party.
5. An RPKI relying party cache emergency synchronization device based on online cooperation, characterized by comprising an RPKI resource library, relying parties and routers, wherein the relying parties are used for executing the RPKI relying party cache emergency synchronization method based on online cooperation as claimed in claim 1, the main relying party is used for storing the ROA information acquired from the RPKI resource library into a localized ROA information file, and when a relying party in the same autonomous domain cannot normally acquire information from the RPKI resource library and becomes a problem relying party, the problem relying party can request the localized ROA information file of the main relying party, update its own ROA information cache with it, and issue the ROA information to the routers under its control.
CN202311831629.6A 2023-12-28 2023-12-28 RPKI relying party cache emergency synchronization method and device based on online cooperation Pending CN117793128A (en)

Publications (1)

Publication Number Publication Date
CN117793128A true CN117793128A (en) 2024-03-29

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118101323A (en) * 2024-04-12 2024-05-28 泉城省实验室 Network attack dynamic defense method based on RPKI route management and control

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination