中文摘要：

边界网关协议在安全方面存在严重的缺陷,容易导致路由劫持这一互联网安全威胁.为此,国际互联网工程任务组提出了资源公钥基础设施（Resource Public Key Infrastructure,RPKI）以防止路由劫持的发生.然而随着RPKI技术的发展及其在全球范围内的部署,与RPKI中认证权威相关的安全问题逐渐突显,并受到广泛关注.对RPKI中认证权威的资源分配过程进行研究分析,通过实验测试,验证了认证权威在资源分配的过程中资源重复分配和未获授权资源分配两种潜在的安全风险,并分析了两种风险对资源持有者可能造成的不良影响.此外,针对这两种安全风险,提出并实现了一种用于保证RPKI中认证权威资源分配安全性和准确性的＂事前控制＂机制,该机制可以有效地防止资源重复分配和未获授权资源分配两种操作风险的发生,减少了由于认证权威的错误操作所导致的故障恢复等待时间.最后,通过进一步的实验测试,验证、分析了这种＂事前控制＂机制的有效性和可行性.

英文摘要：

There are serious security vulnerabilities in BGP（Border Gateway Protocol） which may lead to route hijacking. In order to overcome these BGP security defects, RPKI（Resource Public Key Infrastructure） was proposed by IETF（Internet Engineering Task Force）. However, with the development and global deployment of RPKI, a lot of concerns about the security of certificate authority in RPKI have been raised. In this paper, it carries out experiments about two scenarios（resource reassignment and unauthorized resource assignment） on our RPKI testbed, and analyzes the security problems they may lead to, based on our research and analysis of the process of resource allocation. Besides, for these two kinds of security risks, this paper presents and implements a pre-control mechanism. Finally, it conducts further experiments on our testbed to prove that the pre-control mechanism we presented is feasible and effective to avoid the time limit for recovering from the failure caused by certificate authority＇s operational mistakes during the process of resource allocation.