基于地址重载的SDN分组转发验证

doi:10.11959/j.issn.1000-436x.2022047

摘要/Abstract

摘要：

针对软件定义网络（SDN）中现有转发验证机制大多通过加入新的安全通信协议实现分组逐跳转发验证，出现通信与计算开销的问题，提出了一种基于地址重载的 SDN 分组转发验证机制。入口交换机通过重载分组地址信息将流运行时间划分为连续随机的时间间隔，各后继节点基于重载的地址信息转发分组；控制器采样间隔内流入口与出口交换机的转发分组，检测路径中的异常转发行为；最后，构建仿真网络实现了所提机制。实验结果表明，该机制以引入不超过8%的转发延迟，可有效检测异常。

关键词: 软件定义网络, 地址重载, 哈希采样, 异常检测

Abstract:

Aiming at the problem that the most existing forwarding verification mechanisms in software-defined network (SDN) verified packets hop-by-hop by incorporating new secure communication protocols, which incurred significant computation and communication overhead, an address overloading-based forwarding verification mechanism was proposed.The flow runtime was divided into consecutive random intervals by the ingress switch via overloading address fields of packet, basing on overloading address, packets were forwarded by each subsequent switch, and the controller sampled the packets forwarded by ingress and egress switch in the interval to detect abnormal behavior on the path.Finally, the proposed mechanism and simulation network was implemented and evaluated.Experiments show that the mechanism achieves efficient forwarding and effective anomaly detection with less than 8% of additional forwarding delays.

Key words: software-defined networking, address overloading, hash-based sampling, anomaly detection

中图分类号:

TP393

吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.

Ping WU, Chaowen CHANG, Zhibin ZUO, Yingying MA. Address overloading-based packet forwarding verification in SDN[J]. Journal on Communications, 2022, 43(3): 88-100.

图/表 17

表1

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

表2

图11

图12

图13

表3

表4

参考文献 20

[1]	SARASWAT S , AGARWAL V , GUPTA H P ,et al. Challenges and solutions in software defined networking:a survey[J]. Journal of Network and Computer Applications, 2019,141: 23-58.
[2]	王涛, 陈鸿昶, 程国振 . 软件定义网络及安全防御技术研究[J]. 通信学报, 2017,38(11): 133-160.
	WANG T , CHEN H C , CHENG G Z . Research on soft-ware-defined network and the security defense technology[J]. Journal on Communications, 2017,38(11): 133-160.
[3]	岳猛, 王怀远, 吴志军 ,等. 云计算中DDoS攻防技术研究综述[J]. 计算机学报, 2020,43(12): 2315-2336.
	YUE M , WANG H Y , WU Z J ,et al. A survey of DDoS attack and defense technologies in cloud computing[J]. Chinese Journal of Com-puters, 2020,43(12): 2315-2336.
[4]	MIZRAK A T , CHENG Y C , MARZULLO K ,et al. Detecting and isolating malicious routers[J]. IEEE Transactions on Dependable and Secure Computing, 2006,3(3): 230-244.
[5]	AKHUNZADA A , GANI A , ANUAR N B ,et al. Secure and dependable software defined networks[J]. Journal of Network and Computer Applications, 2016,61: 199-221.
[6]	SHAGHAGHI A , KAAFAR M A , BUYYA R ,et al. Software-defined network (SDN) data plane security:issues,solutions,and future directions handbook of computer networks and cyber security[J]. arXiv Preprint,arXiv:1804.00262, 2018.
[7]	KIM T H J , BASESCU C , JIA L M ,et al. Lightweight source authentication and path validation[J]. ACM SIGCOMM Computer Communication Review, 2015,44(4): 271-282.
[8]	WU B , XU K , LI Q ,et al. RFL:robust fault localization on unreliable communication channels[J]. Computer Networks, 2019,158: 158-174.
[9]	ZHANG P , WU H , ZHANG D ,et al. Verifying rule enforcement in software defined networks with REV[J]. IEEE/ACM Transactions on Networking, 2020,28(2): 917-929.
[10]	祝现威, 常朝稳, 朱智强 ,等. 基于身份属性的 SDN 控制转发方法[J]. 通信学报, 2019,40(11): 1-18.
	ZHU X W , CHANG C W , ZHU Z Q ,et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019,40(11): 1-18.
[11]	王首一, 李琦, 张云 . 轻量级的软件定义网络数据包转发验证[J]. 计算机学报, 2019,42(1): 176-189.
	WANG S Y , LI Q , ZHANG Y . LPV:lightweight packet forward-ing verification in SDN[J]. Chinese Journal of Computers, 2019,42(1): 176-189.
[12]	左志斌, 常朝稳, 祝现威 . 一种基于数据平面可编程的软件定义网络报文转发验证机制[J]. 电子与信息学报, 2020,42(5): 1110-1117.
	ZUO Z B , CHANG C W , ZHU X W . A software-defined net-working packet forwarding verification mechanism based on programmable data plane[J]. Journal of Electronics ＆ Informa-tion Technology, 2020,42(5): 1110-1117.
[13]	林耘森箫, 毕军, 周禹 ,等. 基于 P4 的可编程数据平面研究及其应用[J]. 计算机学报, 2019,42(11): 2539-2560.
	LIN Y S X , BI J , ZHOU Y ,et al. Research and applications of programmable data plane based on P4[J]. Chinese Journal of Computers, 2019,42(11): 2539-2560.
[14]	DHAWAN M , PODDAR R , MAHAJAN K ,et al. SPHINX:detecting security attacks in software-defined networks[C]// Proceedings of 2015 Network and Distributed System Security Symposium. Virginia:the Internet Society, 2015: 1-15.
[15]	吴平, 常朝稳, 马莹莹 . 基于端址重载的 SDN 包转发验证[J]. 通信学报, 2021,42(7): 70-83.
	WU P , CHANG C W , MA Y Y . Port address overloading based packet forwarding verification in SDN[J]. Journal on Communications, 2021,42(7): 70-83.
[16]	SENGUPTA S , CHOWDHARY A , SABUR A ,et al. A survey of moving target defenses for network security[J]. IEEE Communications Surveys ＆ Tutorials, 2020,22(3): 1909-1941.
[17]	JAFARIAN J H , AL-SHAER E , DUAN Q . Formal approach for route agility against persistent attackers[M]. Berlin: Springer, 2013: 237-254.
[18]	DUFFIELD N G , GROSSGLAUSER M . Trajectory sampling for direct traffic observation[J]. IEEE/ACM Transactions on Networking, 2001,9(3): 280-292.
[19]	GOLDBERG S , XIAO D , BARAK B ,et al. Measuring path quality in the presence of adversaries:the role of cryptography in network accountability[R]. 2007.
[20]	HAGERUP T , RüB C , . A guided tour of Chernoff bounds[J]. Information Processing Letters, 1990,33(6): 305-308.

方案	解决的问题	主要技术	存在的优缺点
文献[7]	分组转发、路径验证	消息验证码、哈希链	嵌入的分组头随路径长度线性增加，难以抵御恶意节点的丢弃与劫持攻击
文献[8]	分组转发、路径验证	轻量级密钥分发、采样	协议通信开销大，源节点接收中间节点回传的采样信息易受干扰
文献[9]	传输路径一致性检测	压缩消息验证码	基于流的压缩验证码减小了通信开销，分组丢失时易发生误报，嵌入的分组头随路径线性增加
文献[10]	分组转发控制	属性密码学、基于密码标签转发	计算与通信开销大，可以检测恶意的篡改/注入，不能检测丢弃/劫持攻击
文献[11]	分组转发验证	消息验证码、基于特定的标签采样	插入的标签增加了通信开销，控制器下发分组验证码实现逐跳验证
文献[12]	分组转发验证	密码标识、采样	通信开销较小，可检测篡改，不能检测丢弃/劫持
文献[14]	网络异常检测	抽象流图	难以检测丢弃并注入或篡改等复杂攻击
文献[15]	分组转发验证	消息验证码、端址重载	通信开销较小，源节点需保存流路径信息

方案	源端	中间节点	目的端	总开销
文献[7]	LH	2H	LH	4LH
文献[9]	2H	2H	2H	2LH
文献[10]	KP	—	KP	2KP
文献[11]	M	M	M	LM
文献[12]	H	—	H	3H
文献[15]	LH	H	H	2LH
AO-PFV	M	—	M	2M

方案	篡改	丢弃	注入	无额外通信协议	无分组头开销
文献[7]	√	×	√	×	×
文献[9]	√	×	√	×	×
文献[10]	√	×	√	×	×
文献[11]	√	√	√	√	×
文献[12]	√	×	√	×	×
文献[15]	√	√	√	×	√
AO-PFV	√	√	√	√	√

方案	通信开销	计算时间/μs	篡改攻击		丢弃攻击
方案	通信开销	计算时间/μs	α	漏报率	α	漏报率	误报率
文献[7]	23%	300～380	—	0	—	—	—
文献[9]	4.58%	160～190	—	0	—	—	—
文献[10]	14.4%	3 800～4 000	—	0	—	—	—
文献[11]	0.2%～0.5%	50	10%～30%	4%～10%	10%	2%	3%～4%
文献[12]	4.14%	30～36	10%	7%～10%	—	—	—
					<0.5%	> 10%
文献[15]	0	160～190	1%～4%	<1%			1%～2%
					1%～4%	< 2%
			0.02%～0.05%	5%～15%	<0.5θ	40%～90%
AO-PFV	0	10～12	0.06%～0.07%	1%	0.5 θ～θ	10%～30%	0.3%～1%
			> 0.08%	< 0.5%	>θ	<1%