区块链在BGP路由泄露防护中的应用研究

doi:10.19678/j.issn.1000-3428.0070248

摘要/Abstract

摘要：

组成边界网关协议(BGP)的自治系统(AS)之间存在不同的利益关系和路由策略，当实际的路由宣告超出预期范围时，可能产生路由泄露，从而导致因路由重定向引起的网络安全事件。然而，在BGP路由信息传播过程中，AS会无条件信任和接受邻居AS对外宣告的路由，而每个AS自主配置本地策略且信息保密，增加了路由策略验证的难度，成为BGP安全领域一直备受关注且尚未有效解决的难题。区块链以其独有的去中心化、可溯源、防篡改、开放透明等特征，可为AS间的数字资源认证与信任建立提供基础设施保障，有望成为应对路由泄露威胁的关键技术。首先，界定了邻居AS之间以及GR(Gao-Rexford)模型与BGP路由策略之间的关系，明确了导致路由泄露的根源和防御挑战；然后，梳理了针对路由泄露的传统解决方案的研究脉络，重点分析了其优缺点以及尚未解决的问题；接着，提出了区块链技术在BGP路由泄露防护中的优势及技术思路，探讨了典型解决方案的实现原理和应用特点；最后，在阐述存在问题和挑战的基础上，对下一步研究进行了展望。

关键词: 区块链, 域间路由安全, 路由源认证, 路由泄露, IP地址前缀

Abstract:

Autonomous Systems (ASes) that constitute the Border Gateway Protocol (BGP) have different interests and route policies. When actual route announcements exceed expected boundaries, route leakages can occur, leading to network security incidents caused by route redirection. In the propagation of BGP route information, ASes unconditionally trust and accept the routes declared by neighboring ASes. Additionally, each AS independently configures its own local policies and keeps this information secret, which complicates the verification of this route policy. This has been a persistent and unresolved challenge in the field of BGP security. Blockchain technology, with its inherent characteristics of decentralization, traceability, immutability, and transparency, offers a promising infrastructure for digital resource authentication and trust among ASes, potentially serving as a key technology for addressing the threat of route leakages. This study first clearly defines the relationships between neighboring ASes, as well as between the GR (Gao-Rexford) model and BGP route policies, elucidating the root causes of route leakages and the challenges in their prevention. Additionally, it reviews the research on traditional solutions to route leakages, focusing on their strengths, weaknesses, and unresolved issues. Subsequently, it proposes the advantages and technical approaches of using blockchain technology to defend against BGP route leakages and explores the principles and application characteristics of typical solutions. Finally, it discusses the existing challenges and outlines future research directions.

Key words: blockchain, interdomain route security, Route Origin Attestation (ROA), route leakage, IP address prefix

王群, 李馥娟, 马卓. 区块链在BGP路由泄露防护中的应用研究[J]. 计算机工程, 2025, 51(8): 39-52.

WANG Qun, LI Fujuan, MA Zhuo. Research on Application of Blockchain in BGP Route Leakage Prevention[J]. Computer Engineering, 2025, 51(8): 39-52.

https://www.ecice06.com/CN/Y2025/V51/I8/39

图/表 7

图1 AS间的有效路由宣告

Fig.1 Valid route advertisement between ASes

图2 路由泄露典型示例

Fig.2 Typical examples of route leakage

图3 ISRchain中的区块链与智能合约

Fig.3 Blockchain and smart contracts in ISRchain

图4 BRVM工作示例

Fig.4 BRVM working example

图5 PRLuDA工作示例

Fig.5 Working example of PRLuDA

参考文献 71

1	GILL P , SCHAPIRA M , GOLDBERG S . A survey of interdomain routing policies. ACM SIGCOMM Computer Communication Review, 2013, 44 (1): 28- 34. doi: 10.1145/2567561.2567566
2	XIANG Q, ZHANG J X, GAO K, et al. Toward optimal software-defined interdomain routing[C]//Proceedings of the IEEE Conference on Computer Communications. Washington D.C., USA: IEEE Press, 2020: 1529-1538.
3	SHARMA A. Major BGP leak disrupts thousands of networks globally[EB/OL]. [2024-07-21]. https://www.bleepingcomputer.com/news/security/major-bgp-leak-disrupts-thousands-of-networks-globally/.
4	SIDDIQUI A. BGP route leak at angola cables slows connectivity for many Australians[EB/OL]. [2024-07-21]. https://manrs.org/2023/05/bgp-route-leak-at-angola-cables-slows-connectivity-for-many-australians/.
5	LEPINSKI M, KENT S, KONG D. A profile for Route Origin Authorizations (ROAs) (RFC 6482)[EB/OL]. [2024-07-21]. https://www.rfc-editor.org/rfc/pdfrfc/rfc6482.txt.pdf.
6	LEPINSKI M, KENT S. An infrastructure to support secure Internet routing (RFC 6480)[EB/OL]. [2024-07-21]. https://www.rfc-editor.org/rfc/pdfrfc/rfc6480.txt.pdf.
7	LEPINSKI M, SRIRAM K. BGPsec protocol specification (RFC 8025)[EB/OL]. [2024-07-21]. https://www.rfc-editor.org/rfc/pdfrfc/rfc8205.txt.pdf.
8	CRONE M. Analyzing adoptability of secure BGP routing proposals[EB/OL]. [2024-07-21]. https://maxcrone.org/assets/docs/2021-02-01-secure-bgp-adoption.pdf.
9	HARI A, LAKSHMAN T V. The Internet blockchain: a distributed, tamper-resistant transaction framework for the Internet[C]//Proceedings of the 15th ACM Workshop on Hot Topics in Networks. New York, USA: ACM Press, 2016: 204-210.
10	YUE J R, QIN Y J, GAO S, et al. A privacy-preserving route leak protection mechanism based on blockchain[C]//Proceedings of the IEEE International Conference on Information Communication and Software Engineering (ICICSE). Wahington D.C., USA: IEEE Press, 2021: 264-269.
11	刘志辉, 孙斌, 谷利泽, 等. 一种防范BGP地址前缀劫持的源认证方案. 软件学报, 2012, 23 (7): 1908- 1923.
	LIU Z H , SUN B , GU L Z , et al. Origin authentication scheme against BGP address prefix hijacking. Journal of Software, 2012, 23 (7): 1908- 1923.
12	HE G B , SU W , GAO S , et al. ROAchain: securing route origin authorization with blockchain for inter-domain routing. IEEE Transactions on Network and Service Management, 2021, 18 (2): 1690- 1705. doi: 10.1109/TNSM.2020.3015557
13	陈迪, 邱菡, 朱俊虎, 等. 基于区块链的域间路由策略符合性验证方法. 软件学报, 2023, 34 (9): 4336- 4350.
	CHEN D , QIU H , ZHU J H , et al. Blockchain-based validation method for inter-domain routing policy compliance. Journal of Software, 2023, 34 (9): 4336- 4350.
14	LIU Y P , ZHANG S , ZHU H J , et al. A novel routing verification approach based on blockchain for inter-domain routing in smart metropolitan area networks. Journal of Parallel and Distributed Computing, 2020, 142, 77- 89. doi: 10.1016/j.jpdc.2020.04.005
15	CHEN D , BA Y , QIU H , et al. ISRchain: achieving efficient interdomain secure routing with blockchain. Computers & Electrical Engineering, 2020, 83, 106584.
16	魏双, 吴旭, 张震. 工业物联网中基于区块链的跨域信任认证机制[J]. 小型微型计算机系统. 2024, 45(4): 975-983.
	WEI S, WU X, ZHANG Z. Blockchain-based cross-domain trust authentication mechanism in industrial Internet of things. Journal of Chinese Computer Systems[J]. 2024, 45(4): 975-983. (in Chinese)
17	陈迪, 邱菡, 朱俊虎, 等. 区块链技术在域间路由安全领域的应用研究. 软件学报, 2020, 31 (1): 208- 227.
	CHEN D , QIU H , ZHU J H , et al. Research on blockchain-based interdomain security solutions. Journal of Software, 2020, 31 (1): 208- 227.
18	MASTILAK L , HELEBRANDT P , GALINSKI M , et al. Secure inter-domain routing based on blockchain: a comprehensive survey. Sensors, 2022, 22 (4): 1437. doi: 10.3390/s22041437
19	LUCKIE M, HUFFAKER B, DHAMDHERE A, et al. AS relationships, customer cones, and validation[C]//Proceedings of the 2013 Conference on Internet Measurement Conference. New York, USA: ACM Press, 2013: 243-256.
20	GAO L X, REXFORD J. Stable Internet routing without global coordination[C]//Proceedings of the 2000 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. Washington D.C., USA: IEEE Press, 2001: 681-692.
21	GIOTSAS V, ZHOU S. Valley-free violation in Internet routing—analysis based on BGP community data[C]//Proceedings of the IEEE International Conference on Communications (ICC). Washington D.C., USA: IEEE Press, 2012: 1193-1197.
22	HUSTON G. The ISP column/leaking routes[EB/OL]. [2024-07-21]. https://www.potaroo.net/ispcol/2025-05/leak.pdf.
23	GAO L . On inferring autonomous system relationships in the Internet. IEEE/ACM Transactions on Networking, 2001, 9 (6): 733- 745. doi: 10.1109/90.974527
24	SRIRAM K, MONTGOMERY D, MCPHERSON D, et al. Problem definition and classification of BGP route leaks(RFC 7908) [EB/OL]. [2024-07-21]. https://www.rfc-editor.org/rfc/pdfrfc/rfc7908.txt.pdf.
25	SRIRAM K, MONTGOMERY D, MCPHERSON D, et al. RFC 7908: problem definition and classification of BGP route leaks[EB/OL]. [2024-07-21]. https://www.rfc-editor.org/rfc/pdfrfc/rfc7908.txt.pdf.
26	KUERBIS B , MUELLER M . Internet routing registries, data governance, and security. Journal of Cyber Policy, 2017, 2 (1): 64- 81. doi: 10.1080/23738871.2017.1295092
27	GOODELL G, AIELLO W, GRIFFIN T, et al. Working around BGP: an incremental approach to improving security and accuracy of interdomain routing[EB/OL]. [2024-07-21]. https://www.cs.purdue.edu/truselab/readings/ndss03.pdf.
28	KENT S , LYNN C , SEO K . Secure Border Gateway Protocol (S-BGP). IEEE Journal on Selected Areas in Communications, 2002, 18 (4): 582- 592.
29	SRIRAM K, MONTGOMERY D. Methods for detection and mitigation of BGP route leaks[EB/OL]. [2024-07-21]. https://www.ietf.org/proceedings/92/slides/slides-92-idr-8.pdf.
30	REYNOLDS M, TURNER S, KENT S. A Profile for BGPsec router certificates, certificate revocation lists, and certification requests (RFC 8209) [EB/OL]. [2024-07-21]. https://www.rfc-editor.org/rfc/pdfrfc/rfc8209.txt.pdf.
31	WHITE R . Securing BGP through secure origin BGP (soBGP). Business Communications Review, 2003, 33 (5): 47- 53.
32	UMEDA N , KIMURA T , YANAI N . The juice is worth the squeeze: analysis of autonomous system provider authorization in partial deployment. IEEE Open Journal of the Communications Society, 2023, 4, 269- 306. doi: 10.1109/OJCOMS.2022.3233833
33	SIDDIQUI A. Unpacking the first route leak prevented by ASPA[EB/OL]. [2024-07-21]. https://manrs.org/2023/02/unpacking-the-first-route-leak-prevented-by-aspa/.
34	GALLO A. MANRS as fire code[EB/OL]. [2024-07-21]. https://manrs.org/2024/06/manrs-as-fire-code/.
35	HLAVACEK T, HERZBERG A, SHULMAN H, et al. Practical experience: methodologies for measuring route origin validation[C]//Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Washington D.C., USA: IEEE Press, 2018: 634-641.
36	DONNET B , BONAVENTURE O . On BGP communities. ACM SIGCOMM Computer Communication Review, 2008, 38 (2): 55- 59. doi: 10.1145/1355734.1355743
37	SPADACCINO P, BRUZZESE S, CUOMO F, et al. Analysis and emulation of BGP hijacking events[C]//Proceedings of the 2023 IEEE/IFIP Network Operations and Management Symposium. Washington D.C., USA: IEEE Press, 2023: 1-4.
38	ZHANG C W, MIAO C C, AN C Q, et al. Metis: detecting fake AS-PATHs based on link prediction[C]//Proceedings of the IEEE Symposium on Computers and Communications (ISCC). Washington D.C., USA: IEEE Press, 2023: 656-662.
39	GOLDBERG S , SCHAPIRA M , HUMMON P , et al. How secure are secure interdomain routing protocols. ACM SIGCOMM Computer Communication Review, 2010, 40 (4): 87- 98. doi: 10.1145/1851275.1851195
40	张亮, 刘百祥, 张如意, 等. 区块链技术综述. 计算机工程, 2019, 45 (5): 1- 12. doi: 10.19678/j.issn.1000-3428.0053554
	ZHANG L , LIU B X , ZHANG R Y , et al. Overview of blockchain technology. Computer Engineering, 2019, 45 (5): 1- 12. doi: 10.19678/j.issn.1000-3428.0053554
41	SAAD M , ANWAR A , AHMAD A , et al. RouteChain: towards blockchain-based secure and efficient BGP routing. Computer Networks, 2022, 217, 109362. doi: 10.1016/j.comnet.2022.109362
42	YANG Q , MA L , TU S S , et al. Towards blockchain-based secure BGP routing, challenges and future research directions. Computers, Materials & Continua, 2024, 79 (2): 2035- 2062.
43	ONGARO D, OUSTERHOUT J. The raft consensus algorithm[EB/OL]. [2024-07-21]. https://raft.github.io/slides/riconwest2013.pdf.
44	ZHAO M C , ZHOU W C , GURNEY A J T , et al. Private and verifiable interdomain routing decisions. IEEE/ACM Transactions on Networking, 2015, 24 (2): 1011- 1024.
45	SAKHO S, ZHANG J B, ESSAF F, et al. Research on an improved practical Byzantine fault tolerance algorithm[C]//Proceedings of the 2nd International Conference on Advances in Computer Technology, Information Science and Communications (CTISC). Washington D.C., USA: IEEE Press, 2020: 176-181.
46	GALMES M F, AUMATELL R C, CABELLOS-APARICIO A, et al. Preventing route leaks using a decentralized approach[C]// Proceedings of 2020 IFIP Networking Conference. Washington D.C., USA: IEEE Press, 2020: 509-513.
47	GILAD Y, COHEN A, HERZBERG A. Are we there yet? On RPKI's deployment and security[EB/OL]. [2024-07-21]. https://eprint.iacr.org/2016/1010.pdf.
48	ZENG M , LI D D , ZHANG P , et al. Federated route leak detection in inter-domain routing with privacy guarantee. ACM Transactions on Internet Technology, 2023, 23 (1): 1- 22.
49	The United States Federal Communications Commission. Safeguarding and securing the open Internet[EB/OL]. [2024-07-21]. https://docs.fcc.gov/public/attachments/DOC-401676A1.pdf.
50	MANRS. MANRS community meeting-15 May 2024[EB/OL]. [2024-07-21]. https://manrs.org/event/manrs-community-meeting-may-2024/.
51	MANIMURGAN S, ANITHA T, DIVYA G, et al. A survey on blockchain technology for network security applications[C]//Proceedings of the 2nd International Conference on Computing and Information Technology (ICCIT). Washington D.C., USA: IEEE Press, 2022: 440-445.
52	徐恪, 凌思通, 李琦, 等. 基于区块链的网络安全体系结构与关键技术研究进展. 计算机学报, 2021, 44 (1): 55- 83.
	XU K , LING S T , LI Q , et al. Research progress of network security architecture and key technologies based on blockchain. Chinese Journal of Computers, 2021, 44 (1): 55- 83.
53	FRIESS J, MIRDITA D, SCHULMANN H, et al. Byzantine-secure relying party for resilient RPKI[EB/OL]. [2024-07-21]. https://arxiv.org/pdf/2405.00531.
54	SYTA E, TAMAS I, VISHER D, et al. Keeping authorities "honest or bust" with decentralized witness cosigning[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). Washington D.C., USA: IEEE Press, 2016: 526-545.
55	WILKIE A , SMITH S S . Blockchain: speed, efficiency, decreased costs, and technical challenges. [S. l.]: Emerald Publishing Limited, 2021.
56	The BGP instability report[EB/OL]. [2024-07-21]. https://bgpupdates.potaroo.net/instability/bgpupd.html.
57	SINGH A , CLICK K , PARIZI R M , et al. Sidechain technologies in blockchain networks: an examination and state-of-the-art review. Journal of Network and Computer Applications, 2020, 149, 102471. doi: 10.1016/j.jnca.2019.102471
58	PAPADIS N , TASSIULAS L . Blockchain-based payment channel networks: challenges and recent advances. IEEE Access, 2020 (8): 227596- 227609.
59	CHOW S S M, LAI Z L, LIU C, et al. Sharding blockchain[C]//Proceedings of the IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). Washington D.C., USA: IEEE Press, 2018: 1665.
60	黄华威, 孔伟, 彭肖文, 等. 区块链分片技术综述. 计算机工程, 2022, 48 (6): 1- 10. doi: 10.19678/j.issn.1000-3428.0063887
	HUANG H W , KONG W , PENG X W , et al. Survey on blockchain sharding technology. Computer Engineering, 2022, 48 (6): 1- 10. doi: 10.19678/j.issn.1000-3428.0063887
61	DELGADO-SEGURA S , PÉREZ-SOLÀ C , HERRERA-JOANCOMARTÍ J , et al. Cryptocurrency networks: a new P2P paradigm. Mobile Information Systems, 2018 (1): 2159082.
62	DAI Q Y , ZHANG B , DONG S Q . Eclipse attack detection for blockchain network layer based on deep feature extraction. Wireless Communications and Mobile Computing, 2022 (1): 1451813.
63	SAAD M, COOK V, NGUYEN L, et al. Partitioning attacks on Bitcoin: colliding space, time, and logic[C]// Proceedings of the IEEE 39th International Conference on Distributed Computing Systems (ICDCS). Washington D.C., USA: IEEE Press, 2019: 1175-1187.
64	NAYAK K, KUMAR S, MILLER A, et al. Stubborn mining: generalizing selfish mining and combining with an eclipse attack[C]//Proceedings of the IEEE European Symposium on Security and Privacy (EuroS & P). Washington D.C., USA: IEEE Press, 2016: 305-320.
65	DEIRMENTZOGLOU E , PAPAKYRIAKOPOULOS G , PATSAKIS C . A survey on long-range attacks for proof of stake protocols. IEEE Access, 2019, 7, 28712- 28725. doi: 10.1109/ACCESS.2019.2901858
66	LI W T , ANDREINA S , BOHLI J M , et al. Securing proof-of-stake blockchain protocols. Berlin, Germany: Springer International Publishing, 2017.
67	PLATT M , MCBURNEY P . Sybil in the haystack: a comprehensive review of blockchain consensus mechanisms in search of strong sybil attack resistance. Algorithms, 2023, 16 (1): 34.
68	KHAN S N , LOUKIL F , GHEDIRA-GUEGAN C , et al. Blockchain smart contracts: applications, challenges, and future trends. Peer-to-Peer Networking and Applications, 2021, 14 (5): 2901- 2925. doi: 10.1007/s12083-021-01127-0
69	CHU H T , ZHANG P C , DONG H , et al. A survey on smart contract vulnerabilities: data sources, detection and repair. Information and Software Technology, 2023, 159, 107221. doi: 10.1016/j.infsof.2023.107221
70	ALKHALIFAH A , NG A , WATTERS P A , et al. A mechanism to detect and prevent ethereum blockchain smart contract reentrancy attacks. Frontiers in Computer Science, 2021, 3, 598780.
71	OU W , HUANG S Y , ZHENG J J , et al. An overview on cross-chain: mechanism, platforms, challenges and advances. Computer Networks, 2022, 218, 109378.

[1]	赵楷, 胡煜环, 闫俊桥, 毕雪华, 张琳琳. 基于区块链的版权保护研究综述[J]. 计算机工程, 2025, 51(8): 1-15.
[2]	房永浩, 姚中原, 李敏, 斯雪明. 一种适用于分布式电力交易的安全高效区块链共识算法[J]. 计算机工程, 2025, 51(8): 250-261.
[3]	肖珂, 刘颖, 何云华, 徐刚, 王超. 基于多链的能源数据链上链下安全检索方案[J]. 计算机工程, 2025, 51(8): 238-249.
[4]	王桂兰, 张成, 周国亮. 结合FISCO BCOS与拓扑优化一致性算法的配电网多目标经济调度[J]. 计算机工程, 2025, 51(7): 348-361.
[5]	李俊吉, 张佳琦, 高改梅, 杨莉. 基于信誉机制的车联网共识算法[J]. 计算机工程, 2025, 51(4): 217-226.
[6]	蒋淇淇, 张亮, 彭凌祺, 阚海斌. 基于区块链的可问责可验证外包分层属性加密方案[J]. 计算机工程, 2025, 51(3): 24-33.
[7]	陶静怡, 彭凌祺, 阚海斌. 支持黑名单的去中心化k次匿名属性认证[J]. 计算机工程, 2025, 51(2): 159-169.
[8]	鲁明, 陈慈发, 董方敏. 基于综合积分机制的权益证明共识算法改进研究[J]. 计算机工程, 2025, 51(1): 148-155.
[9]	王奕丰, 曾诚, 全擎宇, 王娇然, 何鹏. 基于多特征融合的智能合约缺陷检测方法[J]. 计算机工程, 2024, 50(8): 133-141.
[10]	郑清安, 董建成, 陈亮, 阮英清, 李锦松, 许林彬. 分布式可信数据管理与隐私保护技术研究[J]. 计算机工程, 2024, 50(7): 174-186.
[11]	刘寅昊, 蒋文保, 孙林昆, 王勇攀. 基于路径存储表的Hashgraph共识算法优化与实现[J]. 计算机工程, 2024, 50(6): 166-178.
[12]	旋逸昭, 赵红武, 金瑜. 一种基于双链的区块链共识机制[J]. 计算机工程, 2024, 50(5): 139-148.
[13]	王栋, 王合建, 玄佳兴, 郑尚卓, 陈炳聪. 面向电力调度指令的区块链隐私可追踪存证方案[J]. 计算机工程, 2024, 50(5): 158-166.
[14]	陈纪成, 包子健, 罗敏, 何德彪. 一种面向工业物联网的远程安全指令控制方案[J]. 计算机工程, 2024, 50(3): 28-35.
[15]	李宝莹, 李志淮, 王成爱, 杨锋. 自适应节点规模的区块链分片可扩展模型[J]. 计算机工程, 2024, 50(3): 137-147.

选择文件类型/文献管理软件名称

选择包含的内容