Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2018, Vol. 4 ›› Issue (11): 1-12. doi: 10.11959/j.issn.2096-109x.2018087
• Survey •
Zhongfu GUO1, Xingming ZHANG1, Bo ZHAO1, Sunan WANG2
Revised:
2018-09-10
Online:
2018-11-15
Published:
2019-01-03
About the authors:
Zhongfu GUO (born 1994), male, from Dalian, Liaoning; master's student at the National Digital Switching System Engineering and Technological Research Center; main research interests: SDN networks and DDoS attack defense. | Xingming ZHANG (born 1963), male, from Xinxiang, Henan; professor and master's supervisor at the National Digital Switching System Engineering and Technological Research Center; main research interest: novel network architectures. | Bo ZHAO (born 1981), male, from Gongzhuling, Jilin; Ph.D., assistant research fellow at the National Digital Switching System Engineering and Technological Research Center; main research interest: mimic defense architecture. | Sunan WANG (born 1984), male, from Luoyang, Henan; Ph.D., associate professor at Shenzhen Polytechnic; main research interests: network and information security, data stream analysis.
Abstract:
Software-defined networking (SDN) decouples the data plane from the control plane, aiming to bring network innovation to deployment faster and to make automated management of large networks possible at a fundamental level. This architectural innovation brings both challenges and opportunities, and security problems limit the wide adoption of SDN. Attacks against the data plane can cripple an entire software-defined network. This survey first introduces the structure and development trends of the data plane; it then analyzes the security risks of the data plane, points out vulnerabilities, identifies potential attack scenarios, presents two concrete solutions and discusses their significance and limitations; finally, it looks ahead to future directions for security research.
Zhongfu GUO, Xingming ZHANG, Bo ZHAO, Sunan WANG. Survey of software-defined networking data plane security[J]. Chinese Journal of Network and Information Security, 2018, 4(11): 1-12.