面向SDN/NFV环境的网络功能策略验证

doi:10.11959/j.issn.2096-109x.2021035

Abstract

Abstract:

Although the newly introduced SDN and NFV technologies bring flexibility and convenience in network management, the dynamic forwarding policies introduced by SDN may cause invalidation in the network function policies, and the policies in different network functions may also cause conflicts due to their own behaviors.In order to verify the policies in SDN/NFV-based cloud network, the verification on policies between the network function and the SDN device, as well as across the network functions were considered.A unified policy expression for analysis was summarized, and policy verification scheme, framework and prototype implementation were proposed to verify the correctness of polices in different scenarios, then experiments were conducted to justify the effectiveness and performance

Key words: policy verification, cloud network, software-defined networking, network function virtualization

CLC Number:

TP393

Haoyu CHEN, Deqing ZOU, Hai JIN. Verification on policies for network functions in SDN/NFV-based environment[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 59-71.

Figures/Tables 17

References 22

[1]	MANAR J , TARANPREET S , ABDALLAH S ,et al. Software defined networking:state of the art and research challenges[J]. Computer Networks, 2014,72: 74-98.
[2]	Software-defined network[J].
[3]	RASHID M , JOAN S , JUAN-LUIS G ,et al. Network function virtualization:state-of-the-art and research challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 236-262.
[4]	饶少阳, 陈运清, 冯明 . 基于 SDN 的云数据中心网络[J]. 电信科学, 2014(8): 33-41.
	RAO S Y , CHEN Y Q , FENG M . cloud data center based on SDN[J]. Telecommunications Science, 2014(8): 33-41.
[5]	安琪, 刘艳萍, 孙茜 ,等. 基于SDN与NFV的网络切片架构[J]. 电信科学, 2016(11): 119-126.
	ANQ , LIU Y P , SUN Q ,et al. Network slicing architecture based on SDN and NFV[J]. Telecommunications Science. 2016(11): 119-126.
[6]	SDN ＆ NFV use cases defined[EB].
[7]	WANG Y , LI Z , XIE G , KAVE S . Enabling automatic composition and verification of service function chain[C]// IEEE/ACM International Symposium on Quality of Service (IWQoS’17). 2017: 1-5.
[8]	PANDA A , ARGYRAKI K , SAGIV M ,et al. New directions for network verification[C]// LIPIcs-Leibniz International Proceedings in Informatics, 2015: 209-220
[9]	STOENESCU R , POPOVICI M , NEGREANU L ,et al. Symnet:scalable symbolic execution for modern networks[C]// Proceedings of the 2016 ACM SIGCOMM Conference (SIGCOMM’16). 2016: 314-327.
[10]	HORN A , KHERADMAND A , PRASAD M R . Delta-net:real-time network verification using atoms[C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI’17). 2017: 735-749
[11]	KHURSHID A , ZHOU W , CAESAR M ,et al. Veriflow:verifying network-wide invariants in real time[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI’13). 2013: 15-27.
[12]	SHERRY J , HASAN S , SCOTT C ,et al. Making middleboxes someone else's problem:network processing as a cloud service[J]. ACM SIGCOMM Computer Communication Review, 2012,42(4): 13-24.
[13]	PANDA A , LAHAV O , ARGYRAKI K ,et al. Verifying isolation properties in the presence of middleboxes[J]. arXiv preprint,2014,arXiv:1409. 7687.
[14]	HU H , AHN G J , KULKARNI K . Detecting and resolving firewall policy anomalies[J]. IEEE Transactions on Dependable ＆ Secure Computing(TDSC’12), 2012,9(3): 318-331.
[15]	DENG J , LI H . On the safety and efficiency of virtual firewall elasticity control[C]// 24th Network and Distributed System Security Symposium (NDSS’17). 2017.
[16]	MALDONADO-LOPEZ F A , CALLE E , DONOSO Y . Detection and prevention of firewall-rule conflicts on software-defined networking[C]// 7th IEEE international Workshop on Reliable Networks Design and Modeling (RNDM’15). 2015: 259-265.
[17]	邱松, 焦健, 张东阳 . 面向防火墙和IDS/IPS协同防御的策略冲突检测算法[J]. 系统仿真学报, 2015,27(11): 2770-2777.
	QIU S , JIAO J , ZHANG D Y . Policy conflicts verification algorithm towards collaborative defense with firewalls and IDS/IPS[J]. Journal of System Simulation, 2015,27(11): 2770-2777.
[18]	PANDA A , LAHAV O , ARGYRAKI K ,et al. Verifying reachability in networks with mutable datapaths[C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI’17). 2017: 699-718.
[19]	WU W , ZHANG Y , BANERJEE S . Automatic synthesis of NF models by program analysis[C]// ACM Workshop on Hot Topics in Networks (HotNets’16). 2016: 29-35.
[20]	FAYAZ S K , YU T , TOBIOKA Y , CHAKI S , SEKAR V . BUZZ:testing context-dependent policies in stateful networks[C]// 13th USENIX Conference on Networked Systems Design and Implementation (NSDI’16). 2016: 275-289.
[21]	PRABHU S , CHOU K Y , KHERADMAND A ,et al. Plankton:Scalable network configuration verification through model checking[C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI’20). 2020: 953-967.
[22]	YUAN Y , MOON S J , UPPAL S ,et al. NetSMC:a custom symbolic model checker for stateful network verification[C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI’20). 2020: 181-200.

Metrics

Recommended 0

No Suggested Reading articles found!

验证工具	网络转发策略验证	网络功能策略验证	SDN交换机与网络功能策略验证	跨网络功能策略验证
Veriflow	●	○	○	○
Delta-net	●	○	○	○
Symnet	●	○	●	○
FAME	○	◎	○	◎
VFW	○	◎	●	◎
Plankton	●	◎	●	◎
NetSMC	○	●	○	●
注：● 表示支持，◎ 表示部分/单一支持，○ 表示不支持

域名	说明
priority	策略的匹配优先级
match	数据包头部匹配，一般包含网络流五元组
other	不同设备中特有的策略字段，如包载荷匹配
action	对匹配到的数据包进行的操作

交换机设备号	目的地址	动作
1	15	转发到2
1	16	镜像到2、3
2	15	转发到15
2	16	镜像到5、16
3	16	转发到16
5	16	转发到16

index	proto	src_ip	src_port	dest_ip	dest_port	action
1	tcp	7	24	16	any	deny
2	tcp	7	24	15	any	accept
3	udp	7	27	16	512	deny

proto	src_ip	src_port	dest_ip	dest_port	action
tcp	10.12.5.109	any	12.25.1.1	any	deny
tcp	192.39.1.0	any	31.73.244.5	any	deny
udp	5.2.14.66	any	19.48.5.182	any	accept

Verification on policies for network functions in SDN/NFV-based environment

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 22

Related Articles 4

Metrics

Recommended 0

m/条	n/条	mn/条 ²	用时/ms
10	10	100	2
20	20	400	38
30	30	900	77
40	40	1600	129
50	50	2500	324

[1]	Zenan WANG, Jiahao LI, Chaohong TAN, Dechang PI. Design and analysis of intelligent service chain system for network security resource pool [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 175-181.
[2]	Qingqing ZHANG, Hongbo TANG, Wei YOU, Yingle LI. Network function heterogeneous redundancy deployment method based on immune algorithm [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 46-56.
[3]	Meisheng HAI,Peng YI,Yiming JIANG,Jichao XIE. Large-scale resource state monitoring strategy in network function virtualization environment [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 42-49.
[4]	Chuanfeng XU,Hui LIN,Xuancheng GUO,Xiaoding WANG. New collaborative DDoS defense technology based on NFV [J]. Chinese Journal of Network and Information Security, 2019, 5(2): 66-76.