Flow consistency in an intensive SDN security architecture with multiple controllers

doi:10.11959/j.issn.2096-109x.2017.00223

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (12): 62-78.doi: 10.11959/j.issn.2096-109x.2017.00223

• 学术论文 • 上一篇

Flow consistency in an intensive SDN security architecture with multiple controllers

LVYing-ying,GUOYun-fei,QIChao,WUQi,WANGYa-wen

National Digital Switching System Engineering＆Technological R＆D Center,Zhengzhou 450002,China

修回日期:2017-11-08 出版日期:2017-12-01 发布日期:2018-01-12
作者简介:LV Yingying (1993-),born in Jiangxi. He is working on his master degree at National Digital Switching System Engineering Technology Research Center. His research interests include cyber security and software-defined|GUO Yunfei(1963-),born in Henan. He is a Ph.D supervisor and professor at National Digital Switching System Engineering Technology Research Center. His main research interests include cloud security,telecommunication network security and cyber security.|QI Chao(1991-),born in Jiangxi.He is working on his Ph.D degree at National Digital Switching System Engineering Technology Research Center. His research interests include cyber security and software-defined network.|WU Qi (1991-),born in Jiangsu. He is working on his Ph.D degree at National Digital Switching System Engineering Technology Research Center. His research interests include cyber security and software-defined network.|WANG Yawen (1990-),born in Henan. He is working on his Ph.D degree at National Digital Switching System Engineering Technology Research Center. His research interests include cloud computing and cyber security.

Flow consistency in an intensive SDN security architecture with multiple controllers

Ying-ying LV,Yun-fei GUO,Chao QI,Qi WU,Ya-wen WANG

Revised:2017-11-08 Online:2017-12-01 Published:2018-01-12
Supported by:
The National Natural Science Foundation of China(61521003);The National Natural Science Foundation of China(61602509);The National Key R＆D Program of China(2016YFB0800100);The National Key R＆D Program of China(2016YFB0800101);The Key Technologies Research and Development of Program of Henan Province(172102210615)

摘要/Abstract

摘要：

Abstract:

As critical components in SDN,controllers are prone to suffer from a series of potential attacks which result in system crashes.To prevent the compromise caused by single failure of controller or flow-tampering attacks,Mcad-SA,an aware decision-making security architecture with multiple controllers was proposed,which coordinates heterogeneous controllers internally as an“associated”controller.This architecture extends existing control plane and takes advantage of various controllers’merits to improve the difficulty and cost of probes and attacks from attackers.In this framework,flow rules distributed to switches are no longer relying on a single controller but according to the vote results from the majority of controllers,which significantly enhances the reliability of flow rules.As to the vote process of flow rules,segmentation and grading is adopted to pick up the most trustful one from multiple flow rules and implement flow consistency.This mechanism avoids comparison between rules via bit by bit which is impractical among several controllers.Theory analysis and simulation results demonstrates the effectiveness,availability and resilience of the proposed methods and their better security gain over general SDN architectures.

Key words: multi-controller, security, Mcad-SA, flow consistency

LVYing-ying,GUOYun-fei,QIChao,WUQi,WANGYa-wen. Flow consistency in an intensive SDN security architecture with multiple controllers[J]. 网络与信息安全学报, 2017, 3(12): 62-78.

Ying-ying LV,Yun-fei GUO,Chao QI,Qi WU,Ya-wen WANG. Flow consistency in an intensive SDN security architecture with multiple controllers[J]. Chinese Journal of Network and Information Security, 2017, 3(12): 62-78.

图/表 21

Figure 1

Figure 2

Figure 3

Figure 4

Table 1

Figure 5

Figure 6

Figure 7

Figure 8

Figure 9

Table 2

Figure 10

Figure 11

Figure 12

Figure 13

Figure 14

Figure 15

Figure 16

Figure 17

Figure 18

Figure 19

参考文献 24

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM Sigcomm Computer Communication Review, 2008,38(2): 69-74.
[2]	MONSANTO C , REICH J , FOSTER N ,et al. Composing software-defined networks[C]// The 10th USENIX Conference on Networked Systems Design and Implementation,USENIX Association. 2013: 1-14.
[3]	KREUTZ D , RAMOS F M V , VERISSIMO P . Towards secure and dependable software-defined networks[C]// The Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 55-60.
[4]	CABAJ K,WYTR?BOWICZ J,KUKLI?SKI S , et al . SDN architecture impact on network security[C]// Federated Conference on Computer Science and Information Systems. 2014.
[5]	SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A survey of security in software defined networks[J]. IEEE Communications Surveys＆Tutorials, 2015,18(1): 623-654.
[6]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]//2012:121-126.　　　　　　　2012: 121-126.
[7]	PORRAS P , CHEUNG S , FONG M ,et al. Securing the Software-Defined Network Control Layer[C]// The 2015 Network and Distributed System Security Symposium (NDSS),San Diego,California. 2015.
[8]	JAIN S , KUMAR A , MANDAL S ,et al. B4:experience with a globally-deployed software defined wan[C]// ACM SIGCOMM 2013 Conference on SIGCOMM. 2013: 3-14.
[9]	BERDE P , HART J , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined NETWORKING. 2010: 1-6.
[10]	ELDEFRAWY K , KACZMAREK T . Byzantine fault tolerant software-defined networking (SDN) controllers[C]// Computer Software and Applications Conference. 2016: 208-213.
[11]	CELLO M , XU Y , WALID A ,et al. BalCon:a distributed elastic SDN control via efficient switch migration[C]// IEEE International Conference on Cloud Engineering. 2017.
[12]	GUO Z , XU Y , CELLO M ,et al. JumpFlow:reducing flow table usage in software-defined networks[J]. Computer Networks, 2015,(92): 300-315.
[13]	MCGEER R , . A safe,efficient update protocol for openflow networks[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 61-66.
[14]	SUKAPURAM R , BARUA G . Enhanced algorithms for consistent network updates[C]// Network Function Virtualization and Software Defined Network. 2016: 184-190.
[15]	HUSSEIN A , ELHAJJ I H , CHEHAB A ,et al. SDN verification plane for consistency establishment[C]// Computers and Communication. IEEE, 2016: 519-524.
[16]	HUA J , GE X , ZHONG S . FOUM:a flow-ordered consistent update mechanism for software-defined networking in adversarial settings[C]// The International Conference on Computer Communications. 2016: 1-9.
[17]	Reitblatt M , Foster N , Rexford J ,et al. Consistent updates for software-defined networks:change you can believe in![C]// ACM Workshop on Hot Topics in Networks. 2011:7.
[18]	Ryu SDN Framework[EB/OL]. .
[19]	FloodLight.“Open SDN controller”[EB/OL]. .
[20]	QI C , WU J , HU H ,et al. Dynamic-scheduling mechanism of controllers based on security policy in software-defined network[J]. Electronics Letters, 2016,52(23): 1918-1920.
[21]	QI C , WU J , HU H ,et al. An intensive security architecture with multi-controller for SDN[C]// Computer Communications Workshops. 2016: 401-402.
[22]	OpenDaylightConsortium[EB/OL]. .
[23]	LANTZ B , HELLER B , MCKEOWN N . A network in a laptop:rapid prototyping for software-defined networks[C]// ACM Workshop on Hot Topics in Networks. 2010: 1-6.
[24]	MACHAT R , BANKS S , CALABRIA F ,et al． ISSU benchmarking methocldogy[DB/OL]. .

Field	Notations
version	The version of control protocol we take
type	The type of messages
length	The length of payload
packet_id	The unique id of message
module_id	The unique id of module operating on the controller

Application on Server	IP	CPU	Memory	Operation System
Floodlight	192.168.108.1	2.00 GHz	32 G	Ubuntu16.04
ONOS	192.168.108.2	2.00 GHz	32 G	Ubuntu16.04
ODL	192.168.108.3	2.00 GHz	32 G	Ubuntu16.04
Proxy and arbiter	192.168.108.4	2.00 GHz	32 G	Ubuntu16.04

Flow consistency in an intensive SDN security architecture with multiple controllers

Flow consistency in an intensive SDN security architecture with multiple controllers

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 21

参考文献 24

相关文章 0

Metrics

推荐阅读 0