高效安全的软件定义网络拓扑发现协议

doi:10.11959/j.issn.2096-109x.2023080

Abstract

Abstract:

The network topology discovery in OpenFlow-based software-defined networks is mainly achieved by utilizing the OpenFlow discovery protocol (OFDP).However, it has been observed in existing research that OFDP exhibits low updating efficiency and is susceptible to network topology pollution attacks.To address the efficiency and safety concerns of the network topology discovery protocol, an in-depth investigation was conducted on the mechanism and safety of OFDP network topology discovery.The characteristics of network topology establishment and updating in OFDP were analyzed, and an improved protocol named Im-OFDP (improved OpenFlow discovery protocol) based on the minimum vertex covering problem in graph theory was proposed.In Im-OFDP, the switch port table and network link table were initially established using prior information obtained from OFDP network topology discovery.Subsequently, a graph model of the network topology was constructed, and the minimum vertex covering algorithm in graph theory was employed to select specific switches for the reception and forwarding of topology discovery link layer discovery protocol (LLDP) packets.Multi-level flow tables were designed based on the network topology structure, and these flow entries were installed on the selected switches by the controller to process LLDP packets.To address security issues, dynamic check code verification in LLDP packets was employed to ensure the safety of network links.Additionally, a network equipment information maintenance mechanism was established based on known network topologies to ensure the safety of the network equipment.Experimental results demonstrate a significant reduction in the number of network topology discovery messages, bandwidth overhead, and CPU overhead through the deployment of Im-OFDP.Moreover, the response time for node failures and link recovery time after mode failure is substantially reduced.Im-OFDP also effectively mitigates various network topology pollution attacks, such as link fabrication and switch forgery attacks.Overall, Im-OFDP has the capability to enhance the efficiency and safety of SDN topology discovery.

Key words: software defined network, network topology, network security

CLC Number:

TP309

Dong LI, Junqing YU, Yongpu GU, Pengcheng ZHAO. Efficient and safe software defined network topology discovery protocol[J]. Chinese Journal of Network and Information Security, 2023, 9(6): 20-33.

Figures/Tables 19

References 50

[1]	MCKEOWN N . OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	NUNES B A A , MENDONCA M , NGUYEN X N ,et al. A survey of software-defined networking:past,present,and future of programmable networks[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(3): 1617-1634.
[3]	QIN Z , DENKER G , GIANNELLI C ,et al. A software defined networking architecture for the internet-of-things[C]// Proceedings of IEEE Network Operations and Management Symposium. 2014: 1-9.
[4]	AHMED N , ROY A , MONDAL A ,et al. SDN-based link recovery scheme for large-scale internet of things[C]// Proceedings of IEEE 22nd International Conference on High Performance Switching and Routing (HPSR). 2021: 1-6.
[5]	KU I , LU Y , GERLA M ,et al. Towards software-defined VANET:architecture and services[C]// Proceedings of 13th Annual Mediterranean Ad Hoc Networking Workshop. 2014: 103-110.
[6]	GUO J M , YANG L , RINCóN D , et al . SDN controller placement in LEO satellite networks based on dynamic topology[C]// Proceedings of IEEE/CIC International Conference on Communications in China (ICCC). 2021: 1083-1088.
[7]	MONTERO R , AGRAZ F , PAGES A ,et al. Dynamic topology discovery in SDN-enabled transparent optical networks[C]// Proceedings of International Conference on Optical Network Design ＆Modeling. 2017: 1-6.
[8]	TARNARAS G , HALEPLIDIS E , DENAZIS S . SDN and ForCES based optimal network topology discovery[C]// Proceedings of IEEE Conference on Network Software. 2015: 1-6.
[9]	KIPONGO J , OLWAL T O , ABU-MAHFOUZ A M . Topology discovery protocol for software defined wireless sensor network:Solutions and open issues[C]// Proceedings of 27th Internaional Symposium.Industrial Electronics. 2018: 1282-1287.
[10]	SHIN S , XU L , HONG S ,et al. Enhancing network security through software defined networking[C]// Proceedings of 25th International Conference on Computer Communication and Networks, 2016: 1-9.
[11]	ZHU K , YAO Z , HE N ,et al. Toward full virtualization of the network Topology[J]. IEEE Systems Journal, 2019,13(2): 1640-1649.
[12]	OpenFlow discovery protocol and link layer discovery protocol[EB].
[13]	DACIER M C , K?NIG H , CWALINSKI R ,et al. Security challenges and opportunities of software-defined networking[J]. IEEE Security ＆ Privacy, 2017,15(2): 96-100.
[14]	AZZOUNI A , TRANG N T M , BOUTABA R ,et al. Limitations of OpenFlow topology discovery protocol[C]// Proceedings of 16th Annual Mediterranean Ad Hoc Network Workshop. 2017: 1-3.
[15]	KHAN S , GANI A , WAHAB A W A ,et al. Topology discovery in software defined networks:threats,taxonomy,and state-ofthe-art[J]. IEEE Communications Surveys ＆ Tutorials, 2017,19(1): 303-324.
[16]	TOUFGA S , ABDELLATIF S , OWEZARSKI P ,et al. OpenFlow based topology discovery service in software defined vehicular networks:limitations and future approaches[C]// Proceedings of IEEE Vehicular Network Conference. 2018: 1-4.
[17]	SMYTH D , MCSWEENEY S , O'SHEA D , et al . Detecting link fabrication attacks in software-defined networks[C]// Proceedings of 26th International Conference on Computer Communication and Networks. 2017: 1-8.
[18]	GHANNAM R , CHUNG A . Handling malicious switches in software defined networks[C]// Proceedings of Network Operations ＆Management Symposium. 2016: 1245-1248.
[19]	OIKONOMOU N V , MARGARITI S V , STERGIOU E ,et al. Performance evaluation of software-defined networking implemented on various network topologies[C]// Proceedings of 6th South-East Europe Design Automation,Computer Engineering,Computer Networks and Social Media Conference. 2021: 1-6.
[20]	KAUR N , SINGH A K , KUMAR N ,et al. Performance impact of topology poisoning attack in SDN and its countermeasure[C]// Proceedings of the 10th International Conference on Security of Information and Networks. 2017: 179-184.
[21]	PAKZAD F , PORTMANN M , TAN W L ,et al. Efficient topology discovery in OpenFlow-based software defined networks[C]// Proceedings of 8th International Conference on Signal Processing and Communication Systems. 2014.
[22]	AZZOUNI A , BOUTABA R , TRANG N ,et al. sOFTDP:secure and efficient topology discovery protocol for SDN[C]// Proceedings of IEEE/IFIP Network Operations and Management Symposium. 2018: 1-7.
[23]	NEHRA A , TRIPATHI M , GAUR M S ,et al. SLDP:a secure and lightweight link discovery protocol for software defined networking[J]. Computer Networks, 2018,150(2): 102-116.
[24]	ZHAO X , YAO L , WU G . ESLD:an efficient and secure link discovery scheme for software-defined networking[J]. International Journal of Communication Systems, 2018,31(10): 18.
[25]	HAO D . Research and implementation of OFDP based on multi-purpose address broadcast algorithm[D]. Kunming：University of Yun Nan, 2018.
[26]	JIA Y , XU L , YANG Y ,et al. Lightweight automatic discovery protocol for OpenFlow-based software defined networking[J]. IEEE Communications Letters, 2020,24(2): 312-315.
[27]	DONG S , ZHANG A L , HUANG D Y ,et al. Optimization of link layer topology discovery in SDN based on OpenFlow[J]. Fire Control ＆ Command Control. 2020,45(305): 150-155.
[28]	WANG Z Q . Research on topology discovery and link delay measurement of SDN network[D]. Huhehaote:University of Inner Moncolia, 2020.
[29]	CHANG Y C , LIN H T , CHU H M ,et al. Efficient topology discovery for software-defined networks[J]. IEEE Transactions on Network and Service Management, 2020,(99): 1375-1388.
[30]	OCHOA-ADAY L , CERVELLó-PASTOR C , FERNNDEZ-FERNáNDEZ A . eTDP:enhanced topology discovery protocol for software-defined networks[J]. IEEE Access, 2019,7: 23471-23487.
[31]	TARNARAS G , ATHANASIOU F , DENAZIS S . An efficient topology discovery algorithm for software-defined networks[J]. IET Networks, 2017,6(6): 157-161.
[32]	OCHOA-ADAY L , CERVELLó-PASTOR C , FERNáNDEZFERNáNDEZ A . Self-healing topology discovery protocol for software defined networks[J]. IEEE Communications Letters, 2018,3(3): 1-4.
[33]	ROJAS E , ALVAREZ-HORCAJO J , MARTINEZ-YELMO I > ,et al. TEDP:an enhanced topology discovery service for software-defined networking[J]. IEEE Commun Lett, 2018,22(8): 1540-1543.
[34]	ALJERI N , BOUKERCHE A . EDiPSo:an efficient scalable topology discovery protocol for software-defined vehicular network[J]. Computer Networks, 2021:108342.
[35]	HONG S , XU L , WANG H ,et al. Poisoning network visibility in software-defined networks:new attacks and countermeasures[C]// The Network and Distributed System Security Symposium(NDSS). 2015: 8-11.
[36]	XIANG S , ZHU H , WU X ,et al. Modeling and verifying the topology discovery mechanism of OpenFlow controllers in software-defined networks using process algebra[J]. Science of Computer Programming, 2019,187:102343.
[37]	SKOWYRA R , XU L , GU G et al . Effective topology tampering attacks and defenses in software-defined networks[C]// International Conference on Dependable Systems and Networks(DSN). 2018: 374-385.
[38]	ALIMOHAMMADIFAR A , MAJUMDAR S , MADI T ,et al. Stealthy probing-based verification (SPV):an active approach to defending software defined networks against topology poisoning attacks[C]// Proceedings of European Symposium on Research in Computer Security (ESORICS). 2018: 463-484.
[39]	MARIN E , BUCCIOL N , CONTI M . An in-depth look into SDN topology discovery mechanisms:novel attacks and practical countermeasures[C]// ACM Conference on Computer and Communications Security(CCS). 2019: 1101-1114.
[40]	DHAWAN M , PODDAR R , MAHAJAN K . SPHINX:detecting security attacks in software-defined networks[C]// Proceedings of the Network and Distributed System Security Symposium(NDSS). 2015: 1-15.
[41]	SMYTH D , MCSWEENEY S , O'SHEA D ,et al. Detecting link fabrication attacks in software-defined networks[C]// Proceedings of IEEE 26th International Conference on Computer Communication and Networks (ICCCN). 2017: 1-8.
[42]	KAMISI?SKI A , FUNG C . FlowMon:detecting malicious switches in software-defined networks[C]// Proceedings of ACM CCS workshop on Automated Decision Making for Active Cyber Defense. 2015: 39-45.
[43]	HUANG X , SHI P , LIU Y ,et al. Towards trusted and efficient SDN topology discovery:a lightweight topology verification scheme[J]. Computer Networks, 2020,170:107119.
[44]	WANG J , TAN Y , LIU J . Topology poisoning attacks and countermeasures in SDN-enabled vehicular networks[C]// Proceedings of IEEE Global Communications Conference(GLOBECOM). 2020: 1-6.
[45]	ZHENG Z , XU M W , LI Q ,et al. Defending against SDN network topology poisoning attacks[J]. Computer Research and Development. 2018,55(1): 207-215.
[46]	GU Y P , LI D , YU J Q . Im-OFDP:an improved openflow-based topology discovery protocol for software defined network[C]// Proceedings of IFIP International Conferences on Networking. 2020: 628-630.
[47]	SOLTANI S , SHOJAFAR M , MOSTAFAEI H ,et al. Real-time link verification in software-defined networks[J]. IEEE Transactions on Network and Service Management, 2023,20(3): 3596-3611.
[48]	KONG D . Combination attacks and defenses on SDN topology discovery[J]. IEEE/ACM Transactions on Networking, 2023,31(2): 904-919.
[49]	GAO Y , XU M . Defense against software-defined network topology poisoning attacks[J]. Tsinghua Science and Technology, 2023,28(1): 39-46.
[50]	ZHANG H L , XIE Q M , LI W . Research on minimum convex covering problem[J]. China New Telecommunications, 2014,(13): 51-52.

Metrics

Recommended 0

No Suggested Reading articles found!

网络拓扑发现协议	Packet-Out	Packet-In	消息数
OFDP	H+2L	2L	H+4L
OFDPv2	N	2L	S+2L
LADP	1	2L	1+2L
OFDP-PD	H+L	L	H+2L
Im-OFDP（含校验码）	2L	2L	4L
Im-OFDP（无校验码）	N_x∈(1, N-1)	L	N_x+L

拓扑	消息数量
拓扑	OFDP	OFDPv2	LADP	OFDP-PD	Im-OFDP
Topo1	592	253	169	424	101
Topo2	312	187	125	188	83
Topo3	496	298	199	298	149
Topo4	144	84	65	80	40
Topo5	124	72	53	72	36

协议	攻击方式
协议	LLDP重放	LLDP伪造	交换机伪造	主机伪造
OFDP	×	×	×	×
OFDPv2	×	×	×	×
LADP	√	√	×	√
OFDP-PD	×	×	×	×
Im-OFDP	√	√	√	√

Efficient and safe software defined network topology discovery protocol

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 19

References 50

Related Articles 15

Metrics

Recommended 0

拓扑	拓扑结构	N	P	H	L	SN
Topo1	Tree, d=4, f=4	85	424	256	84	17
Topo2	Tree, d=6, f=2	63	188	64	62	21
Topo3	Linear, N=100	100	298	100	99	50
Topo4	FatTree, k=4	20	80	16	32	8
Topo5	随机Topo	20	72	20	26	10

[1]	Heli WANG, Qiao YAN. Selfish mining detection scheme based on the characters of transactions [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 104-114.
[2]	Dong LI, Yanni HAO, Shenghui PENG, Ruijie ZI, Ximeng LIU. Network security of the National Natural Science Foundation of China: today and prospects [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 92-101.
[3]	Fukang XING, Zheng ZHANG, Ran SUI, Sheng QU, Xinsheng JI. Qualitative modeling and analysis of attack surface for process multi-variant execution software system [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 121-128.
[4]	Zenan WANG, Jiahao LI, Chaohong TAN, Dechang PI. Design and analysis of intelligent service chain system for network security resource pool [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 175-181.
[5]	Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.
[6]	Yang WANG, Guangming TANG, Shuo WANG, Jiang CHU. Defense mechanism of SDN application layer against DDoS attack based on API call management [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 73-87.
[7]	Weizhen HE, Fucai CHEN, Jie NIU, Jinglei TAN, Shumin HUO, Guozhen CHENG. Research progress on dynamic hopping technology for network layer [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 44-55.
[8]	Tao WANG, Hongchang CHEN. Multi-objective optimization placement strategy for SDN security controller considering Byzantine attributes [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 72-84.
[9]	Pu ZHAO, Wentao ZHAO, Zhangjie FU, Qiang LIU. SDN self-protection system based on Renyi entropy [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 85-94.
[10]	Chenglei ZHANG, Yulong FU, Hui LI, Jin CAO. Research on security scenarios and security models for 6G networking [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 28-45.
[11]	Qi WU,Hongchang CHEN. Low failure recovery cost controller placement strategy in software defined networks [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 97-104.
[12]	Fuxiang YUAN,Fenlin LIU,Chong LIU,Yan LIU,Xiangyang LUO. MLAR:large-scale network alias resolution for IP geolocation [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 77-94.
[13]	Wei HUANG, Ran LU, Cuncai LIU, Sibo QI. QoS routing algorithm based on multiple domain architecture of SDN [J]. Chinese Journal of Network and Information Security, 2019, 5(5): 21-31.
[14]	Yang WANG,Guangming TANG,Cheng LEI,Dong HAN. Multidimensional detection and dynamic defense method for link flooding attack [J]. Chinese Journal of Network and Information Security, 2019, 5(4): 80-90.
[15]	QIN Yuhai,LIU Luyuan,GAO Haohang,LIU Shengqiao,DONG Han. Innovative professional skills competition to create a police practice talents [J]. Chinese Journal of Network and Information Security, 2019, 5(3): 75-80.