Journal of Software (《软件学报》), 2026, Vol. 37, No. 1, p. 480
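data quality is steadily improving [42], but overall progress is relatively slow. Existing RPKI deployments also have problems. RPKI components are deployed in a centralized manner and are poorly secured: some key components, such as repository servers and relying party servers, are either concentrated in a single AS or depend on a single other component, which creates single points of failure. In addition, the RPKI components themselves have not deployed DNSSEC and RPKI, so they can hardly provide reliable service. Although RPKI has some problems, it is undoubtedly the best current solution to route hijacking and has significantly strengthened inter-domain routing security [72,94].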
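In the foreseeable future, RPKI will work on technical refinement and deployment security, and its range of application will keep expanding, so RPKI measurement research will remain an important direction in the field of network measurement. Future RPKI measurement work can proceed along the following two lines.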
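● Measurement of RPKI applications: The application scenarios of RPKI keep increasing. For example, the RPKI signed checklist (RSC) [95] lets resource holders use Internet number resources to sign arbitrary digital objects; the mapping origin authorization (MOA) [96] is used to verify the security of address mapping rules in IPv6-only networks, ensuring that IPv4 services in IPv6-only networks operate normally. Measurement of new RPKI applications is worth studying in the future.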
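● RPKI anomaly identification: Human error, unilateral operations by a parent CA and similar events can cause anomalies in CA and ROA data. These anomalies affect the results of route origin validation and are hard to distinguish from normal data. In the future, machine learning techniques can be combined to identify RPKI anomalies quickly and accurately.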
References
[1] Lepinski M, Kent S. RFC 6480: An infrastructure to support secure Internet routing. 2012. https://www.rfc-editor.org/rfc/pdfrfc/rfc6480.txt.pdf [doi: 10.17487/RFC6480]
[2] Cooper D, Santesson S, Farrell S, Boeyen S, Housley R, Polk W. RFC 5280: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. 2008. https://www.rfc-editor.org/rfc/pdfrfc/rfc5280.txt.pdf [doi: 10.17487/RFC5280]
[3] Huston G, Michaelson G, Loomans R. RFC 6487: A profile for X.509 PKIX resource certificates. 2012. https://www.rfc-editor.org/rfc/pdfrfc/rfc6487.txt.pdf [doi: 10.17487/RFC6487]
[4] Lepinski M, Kent S, Kong D. RFC 6482: A profile for route origin authorizations (ROAs). 2012. https://www.rfc-editor.org/rfc/pdfrfc/rfc6482.txt.pdf [doi: 10.17487/RFC6482]
[5] Huston G, Michaelson G. RFC 6483: Validation of route origination using the resource certificate public key infrastructure (PKI) and route origin authorizations (ROAs). 2012. https://www.rfc-editor.org/rfc/rfc6483 [doi: 10.17487/RFC6483]
[6] Su YY, Li D, Ye HL. Resource public key infrastructure RPKI: Status and problems. Telecommunications Science, 2021, 37(3): 75–89 (in Chinese with English abstract). [doi: 10.11959/j.issn.1000-0801.2021050]
[7] Zou H, Ma D, Shao Q, Mao W. A survey of the resource public key infrastructure. Chinese Journal of Computers, 2022, 45(5): 1100–1132 (in Chinese with English abstract). [doi: 10.11897/SP.J.1016.2022.01100]
[8] Rodday N, Cunha Í, Bush R, Katz-Bassett E, Rodosek GD, Schmidt TC, Wählisch M. The resource public key infrastructure (RPKI): A survey on measurements and future prospects. IEEE Trans. on Network and Service Management, 2024, 21(2): 2353–2373. [doi: 10.1109/TNSM.2023.3327455]
[9] Rekhter Y, Li T, Hares S. RFC 4271: A border gateway protocol 4 (BGP-4). 2006. https://www.rfc-editor.org/rfc/pdfrfc/rfc4271.txt.pdf [doi: 10.17487/RFC4271]
[10] Butler K, Farley TR, McDaniel P, Rexford J. A survey of BGP security issues and solutions. Proc. of the IEEE, 2010, 98(1): 100–122. [doi: 10.1109/JPROC.2009.2034031]
[11] Al-Musawi B, Branch P, Armitage G. BGP anomaly detection techniques: A survey. IEEE Communications Surveys & Tutorials, 2017, 19(1): 377–396. [doi: 10.1109/COMST.2016.2622240]
[12] Heilman E, Cooper D, Reyzin L, Goldberg S. From the consent of the routed: Improving the transparency of the RPKI. ACM SIGCOMM Computer Communication Review, 2014, 44(4): 51–62. [doi: 10.1145/2740070.2626293]
[13] Hiran R, Carlsson N, Gill P. Characterizing large-scale routing anomalies: A case study of the China Telecom incident. In: Proc. of the 14th Int’l Conf. on Passive and Active Measurement. Hong Kong: Springer, 2013. 229–238. [doi: 10.1007/978-3-642-36516-4_23]
[14] Siddiqui A. KlaySwap-another BGP hijack targeting crypto wallets. 2022. https://manrs.org/2022/02/klayswap-another-bgp-hijack-targeting-crypto-wallets/
[15] Bryton H, Mingwei Z, Tanner R. Cloudflare 1.1.1.1 incident on June 27, 2024 —The Cloudflare blog. 2024. https://www.resource.dnsafrica.org/2025/01/14/cloudflare-1-1-1-1-incident-on-june-27-2024-the-cloudflare-blog/
[16] Lad M, Massey D, Pei D, Wu YG, Zhang BC, Zhang LX. PHAS: A prefix hijack alert system. In: Proc. of the 15th Conf. on USENIX Security Symp. Vancouver: USENIX Association, 2006. 11.

