软件定义网络及安全防御技术研究

doi:10.11959/j.issn.1000-436x.2017221

摘要/Abstract

摘要：

软件定义网络（SDN,software-defined networking）将传统网络控制平面与转发平面分离，形成集中式的控制器，开放了网络编程接口，简化网络管理，促进网络创新，优化网络运行。然而，SDN的“三层两接口” 架构增加了网络攻击表面，导致诸多新的安全问题。首先，介绍 SDN 发展、特点及其工作原理，继而从应用层、北向接口、控制层、南向接口、数据层等5个层次归纳存在的安全问题，分析产生的原因；其次，针对各类安全问题讨论最新研究进展及现有解决方案；最后，总结SDN当前和未来的安全挑战，并展望未来SDN安全发展方向。

关键词: 软件定义网络, OpenFlow, 网络安全, SDN安全

Abstract:

Software-defined network (SDN) separated the traditional control plane from the data plane,formed a centralized controller,opened up the network programming interface,simplified network management,promoted network innovation and optimized network operation.However,SDN's “three-layer two-interface” architecture increased the network attack surface,resulting in many new security issues.The development,characteristics and working principle of SDN were first introduced,and the existing security problems from the application layer,the northbound interface,the control plane,the southbound interface,the data plane were summarized respectively.Secondly,the latest research progress and existing solutions were discussed.Finally,SDN current and future security challenges were summarized,and the future SDN security development direction was looked forward to.

Key words: SDN, OpenFlow, network security, SDN security

中图分类号:

TP309

王涛,陈鸿昶,程国振. 软件定义网络及安全防御技术研究[J]. 通信学报, 2017, 38(11): 133-160.

Tao WANG,Hong-chang CHEN,Guo-zhen CHENG. Research on software-defined network and the security defense technology[J]. Journal on Communications, 2017, 38(11): 133-160.

图/表 23

图1

图2

图3

图4

图5

图6

图8

图7

表1

图9

图10

图11

图12

图13

图14

图15

图16

图17

图18

图19

图20

图21

表2

SDN安全问题解决方案分类总结"

SDN安全问题	相关研究	研究目标	研究内容	涉及层面
授权认证	安全分布式控制，拜占庭弹性SDN	提高控制层对授权认证方	分布式签名算法设计	C、S
		面安全问题弹性	拜占庭式冗余设计	C、S
	弹性认证	提高SDN架构弹性	控制器分层设计	C
	PermOF	权限设置	权限系统设计	A、N
	OperationCheckpoint	控制器行为检测	接口检测系统设计	A、N、C
	AuthFlow	授权接入控制	基于证书的认证系统	A、C、S、D
	FortNOX	授权认证综合架构	复合认证检测系统	A、N、C、S、D
数据安全	SE-Floodlight	架构组件间安全通信	认证及安全约束技术	A、N、C、S
恶意应用	ROSEMARY	复合安全功能内核	应用隔离及弹性策略	A、C
恶意应用	LegoSDN	提高控制器弹性	容错机制	A、C
拒绝服务攻击	Avant-Guard	数据平面代理	连接迁移、执行触发	C、S、D
	FloodGuard	控制器分析模块	流量迁移，主动流规则分析	A、C、S、D
	CPRecovery	冗余备份设计	主从控制器无缝切换	C、S
	Delegate Network Security	管理协议扩展	Iden++协议	S、D
	VAVE	DoS伴随攻击IP/MAC欺骗	基于SDN的源地址认证	C、D
配置问题	NICE
	FlowChecker	检测网络内部冲突	网络行为建模模型检查	A、C、S
	Flover
	Anteater
	VeriFlow
	NetPlumbe	实时策略检查	实时冲突检测解决算法	A、C、S、D
	FlowGuard
	Frenetic	语义识别检测	高级语言冲突判断	A、N、C、S
	Flow-Based Policy
	Splendid Isolation、VeriCon	形式化验证方法	形式化工具建模分析	N、C、S
	Verificare、Machine-verified SDN
系统级安全	Debugger for SDN	简化SDN调试	SDN原型网络调试器	A、S
	OFHIP、Secure-SDMN	提升SDN移动安全性	扩展安全加强版通信协议	S
	FRESCO、CMD	提升系统整体安全型	模块组合、拟态防御	A、N、C、S、D

表2

参考文献 103

[1]	FELDMANN A . Internet clean-slate design:what and why?[J]. Acm Sigcomm Computer Communication Review, 2007,37(3): 59-64
[2]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM Sigcomm Computer Communication Review, 2008,38(2): 69-74.
[3]	SIMONITE T . MIT Technology Review Announces 10 Breakthrough Technologies[J]. ACM Sigcomm Computer Communication Review, 2015.
[4]	JAIN S , KUMAR A , MANDAL S ,et al. B4:experience with a globally-deployed software defined WAN[J]. ACM Sigcomm Computer Communication Review, 2013,43(4): 3-14.
[5]	SEZER S , SCOTT-HAYWARD S , CHOUHAN P K ,et al. Are we ready for SDN? Implementation challenges for software-defined networks[J]. IEEE Communications Magazine, 2013,51(7): 36-43.
[6]	LI Y , PHAN L T X , LOO B T . Network functions virtualization with soft real-time guarantees[C]// IEEE International Conference on Computer Communications. 2016: 1-9.
[7]	JAIN R , . Internet 3.0:ten problems with current internet architecture and solutions for the next generation[C]// IEEE Conference on Military Communications. Boston,MA, 2006: 1-9.
[8]	NUNES A , MENDONCA M , NGUYEN X N ,et al. A survey of software-defined networking:past,present,and future of programmable networks[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(3): 1617-1634.
[9]	TENNENHOUSE D L , WETHERALL D J . Towards an active network architecture[C]// DARPA Active Networks Conference and Exposition. 2002: 5-18.
[10]	GREENBERG A , HJALMTYSSON G , MALTZ D A ,et al. A clean slate 4D approach to network control and management[J]. ACM Sigcomm Computer Communication Review, 2005,35(5): 41-54.
[11]	ROWSHANRAD S , NAMVARASL S , ABDI V ,et al. A survey on SDN,the future of networking[J]. Journal of Advanced Computer Science ＆Technology, 2014,3(2): 232-248.
[12]	MEDVED J , VARGA R , TKACIK A ,et al. OpenDaylight:Towards a Model-Driven SDN Controller architecture[C]// IEEE International Symposium on A World of Wireless,Mobile and Multimedia Networks. IEEE, 2014: 1-6.
[13]	SHIN M K , NAM K H , KIM H J . Software-defined networking(SDN):a reference architecture and open APIS[C]// International Conference on ICT Convergence. 2012: 360-361.
[14]	LI H , MELNIKOV A . Safe configuration of TLS connections[C]// Communications and Network Security. IEEE, 2013: 415-422.
[15]	TENNENHOUSE D L , SMITH J M , SINCOSKIE W D ,et al. A survey of active network research[J]. IEEE Communications Magazine, 1997,35(1): 80-86.
[16]	LIU Z , CAMPBELL R H , MICKUNAS M D . Active security support for active networks[J]. IEEE Transactions on Systems Man ＆ Cybernetics Part C Applications ＆ Reviews, 2003,33(4): 432-445.
[17]	MURPHY S , LEWIS E , PUGA R ,et al. Strong security for active networks[C]// Open Architectures and Network Programming Proceedings. 2001: 63-70.
[18]	CASADO M , GARFINKEL T , AKELLA A ,et al. Sane:a protection architecture for enterprise networks[C]// Conference on Usenix Security Symposium. 2006.
[19]	CASADO M , FREEDMAn M J , PETTIT J ,et al. Ethane:taking control of the enterprise[C]// ACM Sigcomm Conference on Applications.ACM. 2007: 1-12.
[20]	LEE , SEUNGSOO , ,et al. DELTA:a security assessment framework for software-defined networks[C]// Network and Distributed System Security Symposium, 2017.
[21]	SCOTTHAYWARD S , KANE C , SEZER S . Operation checkpoint:SDN application control[C]// IEEE,International Conference on Network Protocols. 2014: 618-623.
[22]	OKTIAN Y E , LEE S G , LEE H J ,et al. Secure your northbound SDN API[C]// Seventh International Conference on Ubiquitous and Future Networks. 2015: 919-920.
[23]	FERGUSON A D , GUHA A , LIANG C ,et al. Participatory networking:an API for application control of SDNs[J]. Computer Communication Review, 2013,43(4): 327-338.
[24]	JARSCHEL M , OECHSNER S , SCHLOSSER D ,et al. Modeling and performance evaluation of an OpenFlow architecture[C]// InternationalTeletraffic Congress. 2011: 1-7.
[25]	SHIN S , YEGNESWARAN V , PORRAS P ,et al. AVANT-GUARD:scalable and vigilant switch flow management in software-defined networks[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 413-424.
[26]	YAO G , BI J , GUO L . On the cascading failures of multi-controllers in software defined networks[C]// IEEE International Conference on Network Protocols. 2013: 1-2.
[27]	AL-SHAER E,AL-HAJ S , AL-HAJ S . FlowChecker:configuration analysis and verification of federated openflow infrastructures[J]. Proceedings of ACM Workshop on Assurable ＆ Usable Security Configuration Safeconfig’, 2010: 37-44.
[28]	BREMKE M , GEDEON H , WINDFUHR J P ,et al. Application-layer traffic optimization (ALTO) problem Statement[C]// EGU General Assembly Conference Abstracts. 2009: 711-716.
[29]	NADEAU T . Software driven networks problem statement[J]. Network Working Group Internet-Draft, 2011.
[30]	GIESEN F , KOHLAR F , STEBILA D . On the security of TLS renegotiation[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 387-398.
[31]	DAS M L , SAMDARIA N . On the security of SSL/TLS-enabled applications[J]. Applied Computing ＆ Informatics, 2014,10(1-2): 68-81.
[32]	BENTON K , CAMP L J , SMALL C . OpenFlow vulnerability assessment[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 151-152.
[33]	ZHANG Y , BEHESHTI N , TATIPAMULA M . On resilience of split-architecture networks[C]// Global Communications Conference,GLOBECOM. 2011: 1-6.
[34]	BERDE P , GEROLA M , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined Networking. 2014: 1-6.
[35]	KOPONEN T , CASADO M , GUDE N ,et al. Onix:a distributed control platform for large-scale production networks[C]// Usenix Symposium on Operating Systems Design and Implementation. 2010: 351-364.
[36]	TOOTOONCHIAN A , GANJALI Y . HyperFlow:a distributed control plane for OpenFlow[C]// Internet Network Management Conference on Research on Enterprise Networking. 2010.
[37]	HASSAS Y S , GANJALI Y . Kandoo:a framework for efficient and scalable offloading of control applications[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 19-24.
[38]	SONCHACK J , AVIV A J , KELLER E . Timing SDN control planes to infer network configurations[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. 2016: 19-22.
[39]	CUI H , KARAME G O , KLAEDTKE F ,et al. On the fingerprinting of software-defined networks[J]. IEEE Transactions on Information Forensics ＆ Security, 2016,11(10): 2160-2173.
[40]	SHIN S , GU G . Attacking software-defined networks:a first feasibility study[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013
[41]	RISTENPART T , TROMER E , SHACHAM H ,et al. Hey,you,get off of my cloud:exploring information leakage in third-party compute clouds[C]// ACM Conference on Computer and Communications Security. 2009: 199-212.
[42]	NATARAJAN S , RAMAIAH A , MATHEN M . A Software defined cloud-gateway automation system using OpenFlow[C]// IEEE International Conference on Cloud Networking. 2013: 219-226.
[43]	AZODOLMOLKY S , NEJABATI R . Optical flowvisor:an openflow-based optical network virtualization approach[C]// IEEE Optical Fiber Communication Conference and Exposition. 2012: 1-3.
[44]	AL-SHABIBI A , DE LEENHEER M , GEROLA M ,et al. OpenVirteX:make your virtual SDNs programmable[C]// The Workshop on Hot Topics in Software Defined Networking. 2014: 25-30.
[45]	DRUTSKOY D , KELLER E , REXFORD J . Scalable network virtualization in software-defined networks[J]. IEEE Internet Computing, 2013,17(2): 20-27.
[46]	MM O , OKAMURA K . Securing distributed control of software defined networks[J]. International Journal of Computer Science ＆ Network Security, 2013,13(9): 60-67
[47]	LI H , LI P , GUO S ,et al. Byzantine-resilient secure software-defined networks with multiple controllers[C]// IEEE International Conference on Communications. 2014, 695-700
[48]	YU D , MOORE A W , HALL C ,et al. Authentication for resilience:the case of SDN[M]. Security Protocols XXI. Springer Berlin Heidelberg, 2013: 39-44.
[49]	WEN X , CHEN Y , HU C ,et al. Towards a secure controller platform for openflow applications[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 171-172.
[50]	MATTOS D M F , DUARTE O C M B . AuthFlow:authentication and access control mechanism for software defined networking[J]. Annals of Telecommunications, 2014: 1-9.
[51]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]// In Proc.of the 1st Workshop on Hot topics in Software Defined Networks. 2012: 121-126
[52]	PORRAS P , CHEUNG S , FONG M ,et al. Securing the software defined network control layer[C]// Network and Distributed System Security Symposium. 2015.
[53]	SHIN S , SONG Y , LEE T . Rosemary:a robust,secure,and high-performance network operating system[C]// 22nd ACM SIGSAC Conference on Computer and Communications Security. 2014: 78-89.
[54]	CHANDRASEKARAN B , BENSON T . Tolerating SDN application failures with LegoSDN[C]// The Workshop on Hot Topics in Software Defined Networking. 2014: 235-236.
[55]	KIM M S , KONG H J , HONG S C ,et al. A flow-based method for abnormal network traffic detection[C]// IEEE/IFIP Network Operations and Management Symposium. 2004: 599-612.
[56]	WATERS B , JUELS A , HALDERMAN J A ,et al. New client puzzle outsourcing techniques for DoS resistance[C]// ACM Conference on Computer and Communications Security. 2004: 246-256.
[57]	MICHALAS A , KOMNINOS N , PRASAD N R ,et al. New client puzzle approach for DoS resistance in ad hoc networks[C]// IEEE International Conference on Information Theory and Information Security. 2010: 568-573.
[58]	WANG H , XU L , GU G . FloodGuard:A DoS attack prevention extension in software-defined networks[C]// IEEE/IFIP International Conference on Dependable Systems and Networks. 2015: 239-250.
[59]	FONSECA P , BENNESBY R , MOTA E ,et al. A replication component for resilient OpenFlow-based networking[C]// IEEE Network Operations and Management Symposium. 2012: 933-939.
[60]	NAOUS , STUTSMAN , RYAN ,et al. Delegating network security with more information[C]// ACM Sigcomm Workshop on Research on Enterprise Networking. 2009: 19-26.
[61]	YU J , KIM E , KIM H ,et al. A framework for detecting mac and ip spoofing attacks with network characteristics[C]// International Conference on Software Security and Assurance. 2016: 49-53.
[62]	YAO G , BI J , XIAO P . Source address validation solution with OpenFlow/NOX architecture[C]// IEEE International Conference on Network Protocols. 2011: 7-12.
[63]	CANINI M , VENZANO D , PERENI P ,et al. A nice way to test openflow applications[C]// Usenix Symposium on Networked Systems Design ＆ Implementation, 2012.
[64]	AL-SHAER S , AL-HAJ S , . FlowChecker:configuration analysis and verification of federated openflow infrastructures[C]// Workshop on Assurable ＆ Usable Security Configuration Safeconfig’, 2010.
[65]	SON S , SHIN S , YEGNESWARAN V ,et al. Model checking invariant security properties in OpenFlow[C]// IEEE International Conference on Communications. 2013: 1974-1979.
[66]	MAI H , KHURSHID A , AGARWAL R ,et al. Debugging the data plane with anteater[C]// ACM SIGCOMM Conference. 2011: 290-301.
[67]	KHURSHID A , ZHOU W , CAESAR M ,et al. Veriflow:verifying network-wide invariants in real time[J]. ACM Sigcomm Computer Communication Review, 2012,42(4): 467-472.
[68]	KAZEMIAN P , CHANG M , ZENG H ,et al. Real time network policy checking using header space analysis[C]// Usenix Conference on Networked Systems Design and Implementation. 2013: 99-112.
[69]	WANG J , WANG Y , HU H ,et al. Towards a security-enhanced firewall application for openflow networks[C]// The 5th International Symposium on Cyberspace Safety and Security. 2013: 92-103.
[70]	HU H , AHN G J , HAN W ,et al. Towards a reliable SDN firewall[C]// Open Networking Summit Research Track. 2014.
[71]	HU H , HAN W , AHN G J ,et al. FLOWGUARD:building robust firewalls for software-defined networks[C]// The Workshop on Hot Topics in Software Defined Networking. 2014: 97-102.
[72]	KAZEMIAN P , VARGHESE G , MCKEOWN N . Header space analysis:static checking for networks[C]// Usenix Conference on Networked Systems Design and Implementation, 2012.
[73]	WALKER D . FRENETIC:A network programming language[J]. ACM Sigplan Notices, 2012,46(9): 279-291.
[74]	HINRICHS T , GUDE N , SHENKER S . Expressing and enforcing flow-based network security policies[J]. Computer Networks, 2008,12(1): 1-20.
[75]	GUTZ S , STORY A , SCHLESINGER C ,et al. Splendid isolation:a slice abstraction for software-defined networks[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 79-84.
[76]	SKOWYRA R W , LAPETS A , BESTAVROS A ,et al. Verifiably-safe software-defined networks for CPS[C]// ACM International Conference on High Confidence Networked Systems. 2013: 101-110.
[77]	GUHA A , REITBLATT M , FOSTER N . Machine-verified network controllers[C]// ACM Sigplan Conference on Programming Language Design and Implementation. 2013. 483-494.
[78]	BALL T , BJRNER N , GEMBER A ,et al. VeriCon:towards verifying controller programs in software-defined networks[J]. ACM Sigplan Notices, 2014,49(6): 282-293.
[79]	HANDIGOL N , HELLER B , JEYAKUMAR V ,et al. Where is the debugger for my software-defined network?[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 55-60.
[80]	NAMAL S , AHMAD I , GURTOV A ,et al. Enabling secure mobility with OpenFlow[C]// IEEE Software Defined Networks for Future Networks and Services. 2013: 1-5.
[81]	AL-SHRAIDEH F , . Host identity protocol[C]// International Conference on Networking and the International Conference on Systems. 2006.
[82]	LIYANAGE M , YLIANTTILA M , GURTOV A . Securing the control channel of software-defined mobile networks[C]// IEEE World of Wireless,Mobile and Multimedia Networks. 2014: 1-6.
[83]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for software defined networks[C]// Proceedings of Network ＆ Distributed Security Symposium. 2013.
[84]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[85]	YAO G , BI J , LI Y ,et al. On the capacitated controller placement problem in software defined networks[J]. Communications Letters IEEE, 2014,18(8): 1339-1342.
[86]	ROS F J , RUIZ P M . Five nines of southbound reliability in software-defined networks[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2014: 31-36.
[87]	NGUYENTUONG A , EVANS D , KNIGHT J C ,et al. Security through redundant data diversity[C]// IEEE International Conference on Dependable Systems and Networks with FTCS and DCC. 2008: 187-196.
[88]	PETKAC M , BADGER L , MORRISON W . Security agility for dynamic execution environments[C]// IEEE DARPA Information Survivability Conference and Exposition. 2000: 377-390.
[89]	COX B , EVANS D , FILIPI A ,et al. N-variant systems:a secretless framework for security through diversity[C]// Conference on Usenix Security Symposium, 2006.
[90]	QI C , WU J , HU H ,et al. Dynamic-scheduling mechanism of controllers based on security policy in software-defined network[J]. Electronics Letters, 2016,52(23): 1918-1920.
[91]	DEPREN O , TOPALLAR M , ANARIM E ,et al. An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks[J]. Expert Systems with Applications, 2005,29(4): 713-722.
[92]	XING T , HUANG D , XU L ,et al. SnortFlow:a OpenFlow-based intrusion prevention system in cloud environment[C]// IEEE Research and Educational Experiment Workshop. 2013: 89-92.
[93]	ANWER B , BENSON T , FEAMSTER N ,et al. A slick control plane for network middleboxes[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 147-148.
[94]	FAYAZBAKHSH S K , SEKAR V , YU M ,et al. FlowTags:enforcing network-wide policies in the presence of dynamic middlebox actions[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, 2013: 19-24.
[95]	QAZI Z A , TU C C , CHIANG L ,et al. SIMPLE-fying middlebox policy enforcement using SDN[C]// ACM SIGCOMM 2013 Conference on SIGCOMM. 2013: 27-38.
[96]	JAFARIAN J H , AL-SHAER E , DUAN Q . Openflow random host mutation:transparent moving target defense using software defined networking[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[97]	KRYLOV V , KRAVTSOV K . IP fast hopping protocol design[C]// Central and Eastern European Software Engineering Conference in Russia. 2014.
[98]	BRAGA R B , MOTA E M , PASSITO A P . Lightweight DDoS flooding attack detection using NOX/OpenFlow[J]. Journal of Nuclear Cardiology, 2010,8(1): 408-415.
[99]	BALLARD J R , RAE I , AKELLA A . Extensible and scalable network monitoring using OpenSAFE[C]// Internet Network Management Conference on Research on Enterprise Networking. 2010.
[100]	SHIN S , GU G . CloudWatcher:network security monitoring using OpenFlow in dynamic cloud networks (or:How to provide security monitoring as a service in clouds?)[C]// IEEE International Conference on Network Protocols. 2012: 1-6.
[101]	SKOWYRA R , BAHARGAM S , BESTAVROS A . Software-defined IDS for securing embedded mobile devices[C]// IEEE High Performance Extreme Computing Conference. 2013: 1-7.
[102]	GOODNEY A , . Pattern based packet filtering using NetFPGA in DETER infrastructure[C]// Asia NetFPGA Developers Workshop. 2010: 271-286.
[103]	MEHDI S A , KHALID J , KHAYAM S A . Revisiting traffic anomaly detection using software defined networking[C]// Recent Advances in Intrusion Detection. 2011: 161-180.

SDN安全问题	安全问题类型	影响层面	问题描述及难点
授权认证问题	未经授权的控制器访问	C、S、D	1) 缺乏有效的信任评估和信任管理机制
	未经身份认证的应用	A、N、C	2) 验证网络设备是否安全的技术和验证应用程序是否安全的技术并不相同
	数据泄露	D	1) 侧信道攻击探测流规则
数据安全问题			2) 分组处理时序分析发现转发策略
	数据篡改	C、S、D	3) 恶意修改流规则
	虚假规则注入	A、N、C、D	1) 由非法用户或设备产生，如伪造的流规则等
恶意应用问题	控制器劫持	C、S	2) 恶意应用程序可以轻易地被开发，已授权的合法应用程序也可能被篡改，并应用于控制器上
			3) SDN 控制器受到最严重的威胁、故障或恶意的控制器可使整个SDN 受到威胁
	控制器泛洪攻击	C
拒绝服务攻击	控制/数据通路泛洪攻击	C、S、D	1) 逻辑中心化控制器计算资源及交换机流表资源有限性
	交换机流表泛洪攻击	D	2) 资源管理机制不完善，无法区分攻击者与正常用户，提供不同服务质量
	缺少TLS机制	C、S、D	1) 不同控制器、不同应用程序间缺乏有效、安全流规则同步方案，无法避免相互竞争、彼此冲突和覆盖情况
配置问题	策略/流规则合法性及一致性	A、N、C	2) 缺少安全配置机制
	架构缺陷	A、N、C、S、D	1) 系统架构无法从设计角度达到完美
系统级安全问题	系统漏洞	A、N、C、S、D	2) 系统实现时无法避免引入系统漏洞，并为攻击者所利用
	缺少状态可视化	A、C	3) 系统无法对网络状态（安全、连接状态）可视化