SDFAC：软件定义的流接入控制机制

doi:10.11959/j.issn.1000-436x.2015299

通信学报 ›› 2015, Vol. 36 ›› Issue (Z1): 188-196.doi: 10.11959/j.issn.1000-436x.2015299

SDFAC：软件定义的流接入控制机制

王秀磊,张国敏,胡超,陈鸣,魏祥麟

解放军理工大学指挥信息系统学院，江苏南京 210007

出版日期:2015-11-25 发布日期:2015-12-29
基金资助:
国家重点基础研究发展计划基金资助项目(973计划);国家自然科学基金资助项目;国家自然科学基金资助项目;江苏省自然科学基金资助项目;江苏省自然科学基金资助项目;江苏省未来网络科技计划项目

SDFAC:software defined flow access control mechanism

Xiu-lei WANG,Guo-min ZHANG,Chao HU,Ming CHEN,Xiang-lin WEI

College of Command Information System,PLA University of Science and Technology,Nanjing 210007,China

Online:2015-11-25 Published:2015-12-29
Supported by:
The National Basic Research Program of China(973 Program);The National Natural Science Foundation of China;The National Natural Science Foundation of China;The Natural Science Foundation of Jiangsu Province;The Natural Science Foundation of Jiangsu Province;Jiangsu Future Network Innovation Institute Research Project on Future Networks

摘要/Abstract

摘要：

SDN控制平面与数据平面分离的体系架构为实现细粒度的流管理以及灵活的中心化控制提供了基础。基于此，提出了一种软件定义的流接入控制机制 SDFAC。首先从流的粒度对接入控制进行建模分析，给出了实现细粒度流接入控制所需要满足的条件；其次描述了SDFAC的基本框架和工作原理并设计了一种支持SDFAC功能的流鉴别协议；最后基于原型系统验证了SDFAC的可行性和可用性。

关键词: 接入控制机制, 软件定义网络, 流鉴别协议, OpenFlow, 安全

Abstract:

The software defined networking paradigm decouples control plane from data plane,offering flexible centralized control and fine grain flow management.Based on these advantages,a novel software defined access control mechanism SDFAC was proposed.Firstly,an analysis of the access control model was given from the flow granularity,and the precondition for the fine-grained access control was deduced from the model.Secondly,the framework and basic working process of the SDFAC was described.The flow authentication protocol was designed to support the function of SDFAC.Finally,the experiment results prove the feasibility and availability of SDFAC.

Key words: access control mechanism, software defined networking, flow authentication protocol, OpenFlow, security

王秀磊,张国敏,胡超,陈鸣,魏祥麟. SDFAC：软件定义的流接入控制机制[J]. 通信学报, 2015, 36(Z1): 188-196.

Xiu-lei WANG,Guo-min ZHANG,Chao HU,Ming CHEN,Xiang-lin WEI. SDFAC:software defined flow access control mechanism[J]. Journal on Communications, 2015, 36(Z1): 188-196.

图/表 10

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

参考文献 16

[1]	SANDHU R S , COYNE E J , FEINSTEIN H L , et al. Role-based access control models[J]. IEEE Computer, 1996,29(2): 38-47.
[2]	DANGOVAS V , KULIESIUS F . SDN-driven authentication and access control system[J]. Society of Digital Information ＆ Wireless Communication, 2014.
[3]	AHMAD I , NAMAL S , YLIANTTILA M , et al. Security in software defined networks:a survey[J]. IEEE Communications Survey ＆ Tutorials, 2015,99: 1-30.
[4]	YOON C H , PARK T J , LEE S G , et al. Enabling security functions with SDN:a feasibility study[J]. Computer Networks, 2015,(85): 19-35.
[5]	HU Z Y , WANG M G , YAN X Q , et al. A comprehensive security architecture for SDN[A]. Proceedings of the 18th International Conference on Intelligence in Next Generation Networks[C]. Paris,France, 2015. 30-37.
[6]	KERPEZ K J , CIOFFI J M , GINIS G , et al. Software-defined access networks[J]. IEEE Communication Magazine, 2014,52(9): 152-159.
[7]	MATIAS J , GARAY J , MENDIOLA A , et al. Flow NAC:flow-based network access control[A]. Proceedings of 2014 3rd European Workshop on Software Defined Networks[C]. Budapest, 2014. 79-84.
[8]	IEEE Std.802.1X-2010,Port-Based Network Access Control,[EB/OL]. .
[9]	Trusted computing group. trusted network connect architecture for Interoperability,specification version 1.5[EB/OL]. , 2012.
[10]	CHAKRABORTY S , RAY I . TrustBAC-integrating trust relationships into the RBAC model for access control in open system[A]. Proceedings of the 11th ACM symposium on Access control models and technologies[C]. New York,USA, 2006. 49-58.
[11]	CASADO M , GARFINKEL T , AKELLA A , et al. SANE:a protection architecture for enterprise networks[A]. Proceedings of USENIX Security Symposium[C]. 2006. 1-12.
[12]	CASADO M , FREEDMAN M J , PETTIT J , et al. Ethane:taking control of the enterprise[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 1-12.
[13]	ZHENG R B , YANG W L , ZHOU J . Future access architecture:software-defined access networking[A]. Proceedings of IEEE the 11th Consumer Communications and Networking Conference[C]. Las Vegas,NV, 2014. 881-886.
[14]	KLAEDTKE F , KARAME G O , BIFULCO R , et al. Towards an access control scheme for accessing flow in SDN[A]. Proceedings of the 1st IEEE Conference on Network Softwarization[C]. London, 2015. 1-6.
[15]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H , et al. Openflow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008 38: 69-74.
[16]	MAZIERES D , KAMINSKY M , KAASHOEK M F , et al. Separating key management from file system security[J]. ACM SIGOPS Operating System Review, 1999,33(5): 124-139.

SDFAC：软件定义的流接入控制机制

SDFAC:software defined flow access control mechanism

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 16

相关文章 15

Metrics

推荐阅读 0

[1]	赵仕祺, 黄小红, 钟志港. 基于信誉的域间路由选择机制的研究与实现[J]. 通信学报, 2023, 44(6): 47-56.
[2]	刘盈泽, 郭渊博, 方晨, 李勇飞, 陈庆礼. 基于有限理性的网络防御策略智能规划方法[J]. 通信学报, 2023, 44(5): 52-63.
[3]	李元诚, 秦永泰. 基于深度强化学习的软件定义安全中台QoS实时优化算法[J]. 通信学报, 2023, 44(5): 181-192.
[4]	谢人超, 文雯, 唐琴琴, 刘云龙, 谢高畅, 黄韬. 轨道交通移动边缘计算网络安全综述[J]. 通信学报, 2023, 44(4): 201-215.
[5]	罗智勇, 张玉, 王青, 宋伟伟. 基于贝叶斯攻击图的SDN入侵意图识别算法的研究[J]. 通信学报, 2023, 44(4): 216-225.
[6]	余雪勇, 邱礼翔, 宋家宁, 朱洪波. 无人机辅助边缘计算中安全通信与能效优化策略[J]. 通信学报, 2023, 44(3): 45-54.
[7]	徐明, 张保俊, 伍益明, 应晨铎, 郑宁. 面向网络攻击和隐私保护的多智能体系统分布式共识算法[J]. 通信学报, 2023, 44(3): 117-127.
[8]	张艳硕, 刘宁, 袁煜淇, 杨亚涛. 基于ISRSAC数字签名算法的适配器签名方案[J]. 通信学报, 2023, 44(3): 178-185.
[9]	王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.
[10]	康海燕, 龙墨澜. 基于吸收马尔可夫链攻击图的网络攻击分析方法研究[J]. 通信学报, 2023, 44(2): 122-135.
[11]	刘彩霞, 季新生, 邬江兴. 移动通信网的内生安全共性问题及破解之道[J]. 通信学报, 2022, 43(9): 70-79.
[12]	沙宗轩, 霍如, 孙闯, 汪硕, 黄韬. 基于深度强化学习的转发效能感知流量调度算法[J]. 通信学报, 2022, 43(8): 30-40.
[13]	石润华, 于辉, 柯唯阳, 徐小桐. 基于BB84态的量子匿名一票否决协议[J]. 通信学报, 2022, 43(8): 109-120.
[14]	陈炜宇, 骆俊杉, 王方刚, 丁海洋, 王世练, 夏国江. 无线隐蔽通信容量限与实现技术综述[J]. 通信学报, 2022, 43(8): 203-218.
[15]	郭渊博, 李勇飞, 陈庆礼, 方晨, 胡阳阳. 融合Focal Loss的网络威胁情报实体抽取[J]. 通信学报, 2022, 43(7): 85-92.