Journal on Communications ›› 2021, Vol. 42 ›› Issue (7): 70-83. doi: 10.11959/j.issn.1000-436x.2021108
Authors: 吴平, 常朝稳, 马莹莹 (Ping WU, Chaowen CHANG, Yingying MA)
Revised: 2021-03-31
Online: 2021-07-25
Published: 2021-07-01
About the author: WU Ping (born 1979), male, from Susong, Anhui; PhD candidate at the Information Engineering University; main research interests: SDN security, network security, and data-plane programming.
Abstract:
To address the high communication overhead that existing forwarding verification mechanisms for software-defined networking (SDN) incur by embedding additional packet fields, a packet forwarding verification mechanism based on port address overloading was proposed. Its core idea is that the ingress switch reconstructs the port and address information of each packet to realize port address overloading; downstream switches perform probabilistic verification of packets based on the overloaded port address information; and the controller counts the packets that each node on the path verified as valid or invalid and locates anomalies from these statistics. Theoretical analysis gave the anomaly detection thresholds for malicious packet injection and packet dropping attacks. Finally, the proposed mechanism was implemented and evaluated. Experimental results show that it achieves efficient forwarding and effective anomaly localization while introducing no more than 10% additional forwarding delay and less than 8% throughput loss.
Cite this article: Ping WU, Chaowen CHANG, Yingying MA. Port address overloading based packet forwarding verification in SDN (Chinese title: 基于端址重载的SDN包转发验证)[J]. Journal on Communications, 2021, 42(7): 70-83.