基于身份属性的SDN控制转发方法

doi:10.11959/j.issn.1000-436x.2019232

摘要/Abstract

摘要：

针对软件定义网络中数据流转发缺少有效的转发验证机制和OpenFlow协议匹配字段数量有限的问题，提出了一种基于属性密码的转发控制架构。通过设备属性生成属性标识和属性签名，并将其封装在分组头中。当数据流离开网络时，转发设备对其进行数据验证，确保数据流的有效性。同时，将属性标识作为流表匹配字段，通过属性标识定义网络转发行为，该机制与属性签名验证共同实现细粒度的访问控制。实验结果表明，该系统能有效实现数据流的细粒度的转发认证，且转发粒度高于同类方案。

关键词: 软件定义网络, 属性标识, 转发控制机制, 属性签名, 访问控制, 流表匹配

Abstract:

Due to the lack of effective data source authentication mechanism and the limited matching fields in software defined networking (SDN),an SDN security control and forwarding method based on identity attribute was proposed.Attribute identification and attribute signature were generated by device attributes and encapsulated in the group header.When the data flow left the network,the data was verified by the forwarding device to ensure the validity of the data flow.At the same time,attribute identification was defined as a match field of flow by the framework,and the network forwarding behavior was defined based on attributeidentification.A fine-grained access control was implemented by the proposed mechanism and attribute-based signature.The proposed mechanism and attribute-based signature implemented a fine-grained access control.Experimental results demonstrate that the method can effectively implement fine-grained forwarding and flow authentication,and the forwarding granularity is higher than that of similar schemes.

Key words: software defined networking, attribute identification, forwarding control mechanism, attribute signature, access control, low matching

中图分类号:

TP393

祝现威,常朝稳,朱智强,秦晰. 基于身份属性的SDN控制转发方法[J]. 通信学报, 2019, 40(11): 1-18.

Xianwei ZHU,Chaowen CHANG,Zhiqiang ZHU,Xi QIN. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019, 40(11): 1-18.

图/表 29

图1

图2

图3

图4

表1

图5

图6

图7

图8

图9

图10

图11

表2

图12

图13

图14

图15

图16

图17

表3

图18

图19

图20

表4

图21

图22

图23

图24

图25

参考文献 33

[1]	MCKEOWN N , . Software-defined networking[C]// IEEE International Conference on Computer Communications. 2009: 30-32.
[2]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[3]	AFOLABI I , TALEB T , SAMDANIS K ,et al. Network slicing and softwarization:a survey on principles,enabling technologies,and solutions[J]. IEEE Communications Surveys ＆ Tutorials, 2018,20(3):1.
[4]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 121-126.
[5]	冯登国, 陈成 . 属性密码学研究[J]. 密码学报, 2014,1(1): 1-12.
	FENG D G , CHEN C . Research on attribute-based cryptography[J]. Journal of Cryptologic Research, 2014,1(1): 1-12.
[6]	TAKAHASHI N , KODAIRA S , TSURU T ,et al. Seismic structure and seismogenesis off Sanriku region,northeastern Japan[J]. Geophysical Journal of the Royal Astronomical Society, 2018,159(1): 129-145.
[7]	PORRAS P , CHEUNG S , FONG M ,et al. Securing the software-defined network control layer[C]// Annual Network and Distributed System Security Symposium. 2015.
[8]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// The 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2014: 78-89.
[9]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for software-defined networks[J]. Proceedings of Network ＆ Distributed Security Symposium, 2013.
[10]	WEN X , CHEN Y , HU C ,et al. Towards a secure controller platform for OpenFlow applications[C]// The Second ACM SIGCOMM workshop on Hot Topics in Software Defined Networking. ACM, 2016: 171-172.
[11]	CASADO M , FREEDMAN M J , PETTIT J ,et al. Ethane:taking control of the enterprise[C]// ACM Sigcomm Conference on Applications. ACM, 2007: 1-12.
[12]	郑鹏, 胡成臣, 李昊 . 基于流量特征的 OpenFlow 南向接口开销优化技术[J]. 计算机研究与发展, 2018,55(s2): 346-357.
	ZHEN P , HU C C , LI H . Reducing the southbound interface overhead for OpenFlow based on the flow volume characteristics[C]// Journal of Computer Research and Development, 201855(s2): 346-357.
[13]	BALLARD J R , RAE I , AKELLA A . Extensible and scalable network monitoring using OpenSAFE[C]// Internet Network Management Conference on Research on Enterprise Networking. USENIX Association, 2010:8.
[14]	WUNDSAM A , LEVIN D , SEETHARAMAN S ,et al. OFRewind:enabling record and replay troubleshooting for networks[C]// Usenix Conference on Usenix Technical Conference. USENIX Association, 2011:29.
[15]	HALPERN E J , PIGNATARO E C . Service function chaining (SFC) architecture[C]// Internet Engineering Task Force. 2015.
[16]	赵志远, 孟相如, 苏玉泽 ,等. 多控制器条件下区分 QoS 的虚拟SDN映射方法[J]. 通信学报, 2017,38(8): 101-110.
	ZHAO Z Y , MENG X R , SU Y Z ,et al. Virtual SDN embedding with differentiated QoS under multiple controller[J]. Journal on Communication, 2017,38(8): 101-110.
[17]	毕军 . SDN 体系结构与未来网络体系结构创新环境[J]. 电信科学, 2013,29(8): 6-15.
	BI J . SDN architecture and future network innovation environment[J]. Telecommunications Science, 2013,29(8): 6-15.
[18]	DARGAHI T , CAPONI A , AMBROSIN M ,et al. A survey on the security of stateful SDN data planes[J]. IEEE Communications Surveys ＆ Tutorials, 2017,19(3): 1701-1725.
[19]	LU G , SHI Y , GUO C ,et al. CAFE:a configurable packet forwarding engine for data center networks[C]// ACM SIGCOMM 2009 Workshop on Programmable Routers for Extensible Services of Tomorrow. DBLP, 2009: 25-30.
[20]	ATTIG M , BREBNER G . 400 GB/s programmable packet parsing on a single FPGA[C]// IEEE, 2011: 12-23.
[21]	金子晋, 兰巨龙, 江逸茗 ,等. SDN环境下基于QLearning算法的业务划分路由选路机制[J]. 网络与信息安全学报, 2018,4(9): 17-22.
	JIN Z J , LAN J L , JIANG Y M ,et al. QLearning based business differentiating routing mechanism in SDN architecture[J]. Chinese Journal of Network and Information Security, 2018,4(9): 17-22.
[22]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 121-126.
[23]	SHIN S W , PORRAS P , YEGNESWARA V ,et al. Fresco:modular composable security services for software-defined networks[C]// 20th Annual Network ＆ Distributed System Security Symposium. NDSS, 2013.
[24]	周启钊, 于俊清, 李冬 . SDN环境下SAVI动态配置技术研究[J]. 通信学报, 2018,39(S1): 241-249.
	ZHOU Q C , YU G Q , LI D . Dynamic source address validation in software defined network[J]. Journal on Communications, 2018,39(S1): 241-249.
[25]	KHADER D . Attribute based group signatures[J]. IACR Cryptology ePrint Archive, 2007,2007:159.
[26]	GOYAL V , PANDEY O , SAHAI A ,et al. Attribute-based encryption for fine-grained access control of encrypted data[C]// The 13th ACM Conference on Computer and Communications Security. ACM, 2006: 89-98.
[27]	CASADO M , FREEDMAN M J , PETTIT J ,et al. Ethane:taking control of the enterprise[C]// ACM SIGCOMM Computer Communication Review. ACM, 2007,37(4): 1-12.
[28]	CASADO M , GARFINKEL T , AKELLA A ,et al. SANE:a protection architecture for enterprise networks[J]. USENIX Security Symposium, 2006,49: 137-151.
[29]	PANG R , ALLMAN M , BENNETT M ,et al. A first look at modern enterprise traffic[C]// The 5th ACM SIGCOMM Conference on Internet Measurement. USENIX Association, 2005:2.
[30]	BONEH D , BOYEN X , SHACHAM H . Short group signatures[C]// Annual International Cryptology Conference. Springer, 2004: 41-55.
[31]	POINTCHEVAL D , STERN J . Security arguments for digital signatures and blind signatures[J]. Journal of Cryptology, 2000,13(3): 361-396.
[32]	REN Y , DING N , WANG T ,et al. New algorithms for verifiable out sourcing of bilinear pairings[J]. Science China Information Sciences, 2017,59(9): 99-103.
[33]	WANG M , LIU J , CHEN J ,et al. PERM-GUARD:authenticating the validity of flow rules in software defined networking[C]// International Conference on Cyber Security and Cloud Computing. IEEE, 2017: 1-17.

分组项	数据长度/bit
版本号	4
次协议	8
长度	8
保留	12
序列号	32
属性标识	64
元数据	128

主机功能	数量	配置
控制器	1	CPU i7-8400，内存16 GB，网卡4个
认证交换机	3	CPU i7-8400，内存16 GB，网卡6个
终端	6	CPU i5-8400，内存8 GB，网卡2个

方案	签名方式	权限管理	身份认证粒度
SE-Floodlight	基于角色	基于角色	3个角色
RoseMary	基于角色	基于角色	3个角色
FRESCO	基于角色	基于角色	3个角色
FortNOX	基于角色	基于角色	3个角色
PERM-GUARD	基于身份	身份认证，访问列表	16个权限
PermOF	未使用	访问控制列表和PKI	18个权限
ACFlow	基于属性	属性认证	自定义访问结构数量

方案	网络规模	平均每秒转发数据分组数/(MB.s^-1)
文献[7]	4个主机	196
文献[27]	超过300名用户	246
文献[28]	22 000名用户	497
文献[29]	8 000名用户	356
文献[33]	100个主机	320