面向SDN/NFV环境的网络功能策略验证

doi:10.11959/j.issn.2096-109x.2021035

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (3): 59-71.doi: 10.11959/j.issn.2096-109x.2021035

• 专栏Ⅱ：SDN与云计算安全 • 上一篇下一篇

面向SDN/NFV环境的网络功能策略验证

陈浩宇¹^,²^,³, 邹德清¹^,²^,⁴, 金海¹^,²^,³

¹ 大数据技术与系统国家地方联合工程研究中心，华中科技大学计算机学院，湖北武汉 430074
² 服务计算技术与系统教育部重点实验室，华中科技大学计算机学院，湖北武汉 430074
³ 集群与网格计算湖北省重点实验室，华中科技大学计算机学院，湖北武汉 430074
⁴ 大数据安全湖北省工程研究中心，华中科技大学网络空间安全学院，湖北武汉 430074

修回日期:2021-01-21 出版日期:2021-06-15 发布日期:2021-06-01
作者简介:陈浩宇（1992- ），男，江苏扬州人，华中科技大学博士生，主要研究方向为网络安全测试、网络模糊测试、软件定义网络、网络功能虚拟化、软件定义网络安全
邹德清（1975- )，男，湖南长沙人，华中科技大学教授、博士生导师，主要研究方向为虚拟化安全与云安全、网络攻防与漏洞检测、大数据安全、容错计算
金海（1966- ）男，上海人，华中科技大学教授、博士生导师，主要研究方向为计算机体系结构、虚拟化技术、集群计算与云计算、P2P 计算、网络存储以及网络安全
基金资助:
国家重点研发计划(2019YFB2101700);广州市未来产业关键技术研发专题项目(201902020016)

Verification on policies for network functions in SDN/NFV-based environment

Haoyu CHEN¹^,²^,³, Deqing ZOU¹^,²^,⁴, Hai JIN¹^,²^,³

¹ National Engineering Research Center for Big Data Technology and System, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
² Services Computing Technology and System Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
³ Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
⁴ Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China

Revised:2021-01-21 Online:2021-06-15 Published:2021-06-01
Supported by:
The National Key R＆D Program of China(2019YFB2101700);The Science and Technology Program of Guangzhou(201902020016)

摘要/Abstract

摘要：

SDN与NFV技术带来了网络管理的灵活性与便捷性，但SDN的动态转发策略可能导致网络功能策略失效，同时不同网络功能的策略可能互相影响，引起冲突问题。为了在基于SDN/NFV的云网络中对网络功能的策略进行验证，分析了网络功能与 SDN 设备之间、跨网络功能之间的策略冲突，建立了统一策略表达进行策略解析，设计策略验证方案、框架并进行原型实现，检验不同场景下的虚拟网络功能策略的正确性，并与现有策略冲突验证方案对比，用实验进行了有效性与性能分析。

关键词: 策略验证, 云网络, 软件定义网络, 网络功能虚拟化

Abstract:

Although the newly introduced SDN and NFV technologies bring flexibility and convenience in network management, the dynamic forwarding policies introduced by SDN may cause invalidation in the network function policies, and the policies in different network functions may also cause conflicts due to their own behaviors.In order to verify the policies in SDN/NFV-based cloud network, the verification on policies between the network function and the SDN device, as well as across the network functions were considered.A unified policy expression for analysis was summarized, and policy verification scheme, framework and prototype implementation were proposed to verify the correctness of polices in different scenarios, then experiments were conducted to justify the effectiveness and performance

Key words: policy verification, cloud network, software-defined networking, network function virtualization

中图分类号:

TP393

陈浩宇, 邹德清, 金海. 面向SDN/NFV环境的网络功能策略验证[J]. 网络与信息安全学报, 2021, 7(3): 59-71.

Haoyu CHEN, Deqing ZOU, Hai JIN. Verification on policies for network functions in SDN/NFV-based environment[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 59-71.

图/表 17

表1

图1

表2

图2

图3

图4

图5

图6

图7

表3

表4

图8

表5

图9

图10

表6

图11

参考文献 22

[1]	MANAR J , TARANPREET S , ABDALLAH S ,et al. Software defined networking:state of the art and research challenges[J]. Computer Networks, 2014,72: 74-98.
[2]	Software-defined network[J].
[3]	RASHID M , JOAN S , JUAN-LUIS G ,et al. Network function virtualization:state-of-the-art and research challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 236-262.
[4]	饶少阳, 陈运清, 冯明 . 基于 SDN 的云数据中心网络[J]. 电信科学, 2014(8): 33-41.
	RAO S Y , CHEN Y Q , FENG M . cloud data center based on SDN[J]. Telecommunications Science, 2014(8): 33-41.
[5]	安琪, 刘艳萍, 孙茜 ,等. 基于SDN与NFV的网络切片架构[J]. 电信科学, 2016(11): 119-126.
	ANQ , LIU Y P , SUN Q ,et al. Network slicing architecture based on SDN and NFV[J]. Telecommunications Science. 2016(11): 119-126.
[6]	SDN ＆ NFV use cases defined[EB].
[7]	WANG Y , LI Z , XIE G , KAVE S . Enabling automatic composition and verification of service function chain[C]// IEEE/ACM International Symposium on Quality of Service (IWQoS’17). 2017: 1-5.
[8]	PANDA A , ARGYRAKI K , SAGIV M ,et al. New directions for network verification[C]// LIPIcs-Leibniz International Proceedings in Informatics, 2015: 209-220
[9]	STOENESCU R , POPOVICI M , NEGREANU L ,et al. Symnet:scalable symbolic execution for modern networks[C]// Proceedings of the 2016 ACM SIGCOMM Conference (SIGCOMM’16). 2016: 314-327.
[10]	HORN A , KHERADMAND A , PRASAD M R . Delta-net:real-time network verification using atoms[C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI’17). 2017: 735-749
[11]	KHURSHID A , ZHOU W , CAESAR M ,et al. Veriflow:verifying network-wide invariants in real time[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI’13). 2013: 15-27.
[12]	SHERRY J , HASAN S , SCOTT C ,et al. Making middleboxes someone else's problem:network processing as a cloud service[J]. ACM SIGCOMM Computer Communication Review, 2012,42(4): 13-24.
[13]	PANDA A , LAHAV O , ARGYRAKI K ,et al. Verifying isolation properties in the presence of middleboxes[J]. arXiv preprint,2014,arXiv:1409. 7687.
[14]	HU H , AHN G J , KULKARNI K . Detecting and resolving firewall policy anomalies[J]. IEEE Transactions on Dependable ＆ Secure Computing(TDSC’12), 2012,9(3): 318-331.
[15]	DENG J , LI H . On the safety and efficiency of virtual firewall elasticity control[C]// 24th Network and Distributed System Security Symposium (NDSS’17). 2017.
[16]	MALDONADO-LOPEZ F A , CALLE E , DONOSO Y . Detection and prevention of firewall-rule conflicts on software-defined networking[C]// 7th IEEE international Workshop on Reliable Networks Design and Modeling (RNDM’15). 2015: 259-265.
[17]	邱松, 焦健, 张东阳 . 面向防火墙和IDS/IPS协同防御的策略冲突检测算法[J]. 系统仿真学报, 2015,27(11): 2770-2777.
	QIU S , JIAO J , ZHANG D Y . Policy conflicts verification algorithm towards collaborative defense with firewalls and IDS/IPS[J]. Journal of System Simulation, 2015,27(11): 2770-2777.
[18]	PANDA A , LAHAV O , ARGYRAKI K ,et al. Verifying reachability in networks with mutable datapaths[C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI’17). 2017: 699-718.
[19]	WU W , ZHANG Y , BANERJEE S . Automatic synthesis of NF models by program analysis[C]// ACM Workshop on Hot Topics in Networks (HotNets’16). 2016: 29-35.
[20]	FAYAZ S K , YU T , TOBIOKA Y , CHAKI S , SEKAR V . BUZZ:testing context-dependent policies in stateful networks[C]// 13th USENIX Conference on Networked Systems Design and Implementation (NSDI’16). 2016: 275-289.
[21]	PRABHU S , CHOU K Y , KHERADMAND A ,et al. Plankton:Scalable network configuration verification through model checking[C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI’20). 2020: 953-967.
[22]	YUAN Y , MOON S J , UPPAL S ,et al. NetSMC:a custom symbolic model checker for stateful network verification[C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI’20). 2020: 181-200.

验证工具	网络转发策略验证	网络功能策略验证	SDN交换机与网络功能策略验证	跨网络功能策略验证
Veriflow	●	○	○	○
Delta-net	●	○	○	○
Symnet	●	○	●	○
FAME	○	◎	○	◎
VFW	○	◎	●	◎
Plankton	●	◎	●	◎
NetSMC	○	●	○	●
注：● 表示支持，◎ 表示部分/单一支持，○ 表示不支持

域名	说明
priority	策略的匹配优先级
match	数据包头部匹配，一般包含网络流五元组
other	不同设备中特有的策略字段，如包载荷匹配
action	对匹配到的数据包进行的操作

交换机设备号	目的地址	动作
1	15	转发到2
1	16	镜像到2、3
2	15	转发到15
2	16	镜像到5、16
3	16	转发到16
5	16	转发到16

index	proto	src_ip	src_port	dest_ip	dest_port	action
1	tcp	7	24	16	any	deny
2	tcp	7	24	15	any	accept
3	udp	7	27	16	512	deny

proto	src_ip	src_port	dest_ip	dest_port	action
tcp	10.12.5.109	any	12.25.1.1	any	deny
tcp	192.39.1.0	any	31.73.244.5	any	deny
udp	5.2.14.66	any	19.48.5.182	any	accept

面向SDN/NFV环境的网络功能策略验证

Verification on policies for network functions in SDN/NFV-based environment

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 17

参考文献 22

相关文章 15

Metrics

推荐阅读 0

m/条	n/条	mn/条 ²	用时/ms
10	10	100	2
20	20	400	38
30	30	900	77
40	40	1600	129
50	50	2500	324

[1]	王泽南, 李佳浩, 檀朝红, 皮德常. 面向网络安全资源池的智能服务链系统设计与分析[J]. 网络与信息安全学报, 2022, 8(4): 175-181.
[2]	王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.
[3]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[4]	王涛, 陈鸿昶. 考虑拜占庭属性的SDN安全控制器多目标优化部署方案[J]. 网络与信息安全学报, 2021, 7(3): 72-84.
[5]	赵普, 赵文涛, 付章杰, 刘强. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.
[6]	张青青, 汤红波, 游伟, 李英乐. 基于免疫算法的网络功能异构冗余部署方法[J]. 网络与信息安全学报, 2021, 7(1): 46-56.
[7]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.
[8]	李国春,马睿,马季春,李伯中,刘惠明,张桂玉. 广域网出口流量调度SDN部署研究[J]. 网络与信息安全学报, 2020, 6(5): 148-157.
[9]	海梅生,伊鹏,江逸茗,谢记超. 网络功能虚拟化环境中大规模资源状态监测策略[J]. 网络与信息安全学报, 2019, 5(6): 42-49.
[10]	黄伟, 路冉, 刘存才, 祁思博. 基于SDN分级分域架构的QoS约束路由算法[J]. 网络与信息安全学报, 2019, 5(5): 21-31.
[11]	王洋,汤光明,雷程,韩冬. 面向链路洪泛攻击的多维检测与动态防御方法[J]. 网络与信息安全学报, 2019, 5(4): 80-90.
[12]	许传丰,林晖,郭烜成,汪晓丁. 基于NFV的新的协作式DDoS防御技术[J]. 网络与信息安全学报, 2019, 5(2): 66-76.
[13]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[14]	谢记超,伊鹏,张震,张传浩,谷允捷. 基于异构备份与重映射的服务功能链部署方案[J]. 网络与信息安全学报, 2018, 4(6): 23-35.
[15]	郭中孚, 张兴明, 赵博, 王苏南. 软件定义网络数据平面安全综述[J]. 网络与信息安全学报, 2018, 4(11): 1-12.