基于密码标识的SDN安全控制转发方法

doi:10.11959/j.issn.1000-436x.2018022

通信学报 ›› 2018, Vol. 39 ›› Issue (2): 31-42.doi: 10.11959/j.issn.1000-436x.2018022

基于密码标识的SDN安全控制转发方法

秦晰¹,唐国栋¹(),常朝稳^1,²

¹ 信息工程大学三院，河南郑州 450001
² 郑州信大先进技术研究院，河南郑州 450001

修回日期:2017-12-13 出版日期:2018-02-01 发布日期:2018-03-28
作者简介:秦晰（1978-），女，河南焦作人，博士，信息工程大学副教授、硕士生导师，主要研究方向为SDN安全、可信计算。|唐国栋（1992-），男，湖南永州人，信息工程大学硕士生，主要研究方向为SDN安全。|常朝稳（1966-），男，河南滑县人，博士，信息工程大学教授、博士生导师，主要研究方向为移动信息安全、物联网安全。
基金资助:
国家自然科学基金资助项目(61572517)

SDN security control and forwarding method based on cipher identification

Xi QIN¹,Guodong TANG¹(),Chaowen CHANG^1,²

¹ The Third Institute,Information Engineering University,Zhengzhou 450001,China
² Zhengzhou Xinda Advanced Technology Research Institute,Zhengzhou 450001,China

Revised:2017-12-13 Online:2018-02-01 Published:2018-03-28
Supported by:
The National Natural Science Foundation of China(61572517)

摘要/Abstract

摘要：

针对软件定义网络（SDN,software defined networking）中匹配域范围有限和缺乏有效的数据来源验证机制问题，提出基于密码标识的 SDN 安全控制转发方法。首先，根据用户身份、文件属性或业务内容等特征信息生成密码标识，为数据流打上密码标识并用基于密码标识的私钥签名。其次，在其进出网络时验证签名，确保数据的真实性，同时将密码标识设计为转发设备能识别的匹配项，基于密码标识定义网络转发行为，形成基于人、物、业务流等细粒度网络控管能力。最后，通过实验分析验证该方法的有效性。

关键词: 软件定义网络, 密码标识, 安全控制转发, 流表匹配

Abstract:

Aimed at the limited matching fields and the lack of effective data source authentication mechanism in the software defined networking (SDN),a SDN security control forwarding method based on cipher identification was proposed.First,the cipher identification was generated according to the user identity,file attributes or business content and other characteristics,and the data stream was marked by the cipher identification and signed with the private key based on the cipher identification.Then,when the data stream entered and left the network,the forwarding device verified its signature to ensure the authenticity of the data.At the same time,the cipher identification was designed as a matching item recognized by the forwarding device,and the network forwarding behavior was defined based on the cipher identification,so a fine-grained network control capability could be formed based on people,things,and business flow.Finally,the validity of the method is verified by experimental analysis.

Key words: software defined networking, cipher identification, security control and forwarding, flow table matching

中图分类号:

TP393

秦晰,唐国栋,常朝稳. 基于密码标识的SDN安全控制转发方法[J]. 通信学报, 2018, 39(2): 31-42.

Xi QIN,Guodong TANG,Chaowen CHANG. SDN security control and forwarding method based on cipher identification[J]. Journal on Communications, 2018, 39(2): 31-42.

图/表 12

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

参考文献 15

[1]	MCKEOWN N , . Software-defined networking[C]// IEEE International Conference on Computer Communications. 2009: 30-32.
[2]	左青云, 陈鸣, 赵广松 ,等. 基于 OpenFlow 的 SDN 技术研究[J]. 软件学报, 2013(5): 1078-1097.
	ZUO Q Y , CHEN M , ZHAO G S ,et al. Research on OpenFlow-based SDN technologies[J]. Journal of Software, 2013(5): 1078-1097.
[3]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[4]	LIU H H , WU X , ZHANG M ,et al. zUpdate:updating data center networks with zero loss[J]. Computer Communication Review, 2013,43(4): 411-422.
[5]	LI D , SHANG Y , CHEN C . Software defined green data center network with exclusive routing[C]// INFOCOM. 2014: 1743-1751.
[6]	DHAWAN M , PODDAR R , MAHAJAN K ,et al. SPHINX:detecting security attacks in software-defined networks[C]// Network and Distributed System Security Symposium. 2015: 1-15.
[7]	王首一, 李琦, 张云 . 轻量级的软件定义网络数据分组转发验证[J]. 计算机学报, 2017,40(7): 9-26.
	WANG S Y , LI Q , ZHANG Y . Lightweight packet forwarding verification in SDN[J]. Journal of Computers. 2017,40(7): 9-26.
[8]	YAO G , BI J , XIAO P . Source address validation solution with OpenFlow/NOX architecture[C]// IEEE International Conference on Network Protocols. 2011: 7-12.
[9]	CASADO M , FREEDMAN M J , PETTIT J ,et al. Ethane:taking control of the enterprise[C]// ACM SIGCOMM Conference on Applications. 2007: 1-12.
[10]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for software-defined networks[C]// Network ＆ Distributed Security Symposium, 2013.
[11]	BALLARD J R , RAE I , AKELLA A . Extensible and scalable network monitoring using OpenSAFE[C]// Internet Network Management Conference on Research on Enterprise Networking. 2010:8.
[12]	WUNDSAM A , LEVIN D , SEETHARAMAN S ,et al. OFRewind:enabling record and replay troubleshooting for networks[C]// Usenix Conference on Usenix Technical Conference. 2011:29.
[13]	SHIN S , GU G . CloudWatcher:network security monitoring using OpenFlow in dynamic cloud networks[C]// IEEE International Conference on Network Protocols. 2012: 1-6.
[14]	毕军 . SDN 体系结构与未来网络体系结构创新环境[J]. 电信科学, 2013,29(8): 6-15.
	BI J . SDN architecture and future network innovation environment[J]. Telecommunications Science, 2013,29(8): 6-15.
[15]	南湘浩 . CPK组合公钥体制(v8.0)[J]. 金融电子化, 2013(3): 39-41.
	NAN X H . CPK combined public key cryptosystem(v80)[J]. Financial Electronics, 2013(3): 39-41.

基于密码标识的SDN安全控制转发方法

SDN security control and forwarding method based on cipher identification

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 15

相关文章 15

Metrics

推荐阅读 0

[1]	王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.
[2]	沙宗轩, 霍如, 孙闯, 汪硕, 黄韬. 基于深度强化学习的转发效能感知流量调度算法[J]. 通信学报, 2022, 43(8): 30-40.
[3]	燕昺昊, 刘勤让, 沈剑良, 汤先拓, 梁栋. 软件定义网络中一种快速无循环路径迁移策略[J]. 通信学报, 2022, 43(5): 24-35.
[4]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[5]	李传煌, 陈泱婷, 唐晶晶, 楼佳丽, 谢仁华, 方春涛, 王伟明, 陈超. QL-STCT：一种SDN链路故障智能路由收敛方法[J]. 通信学报, 2022, 43(2): 131-142.
[6]	吴平, 常朝稳, 马莹莹. 基于端址重载的SDN包转发验证[J]. 通信学报, 2021, 42(7): 70-83.
[7]	常朝稳, 金建树, 韩培胜, 祝现威. 基于属性签名标识的SDN数据包转发验证方案[J]. 通信学报, 2021, 42(6): 131-144.
[8]	周启钊, 于俊清, 李冬. SDN控制层泛洪防御机制研究：检测与缓解[J]. 通信学报, 2021, 42(11): 41-53.
[9]	李硕朋, 方娟, 陈肯. 基于SRv6的确定性网络服务共享保护方案[J]. 通信学报, 2021, 42(10): 32-42.
[10]	姚蓝,兰巨龙. 基于联盟博弈的自适应SDN交换机迁移机制[J]. 通信学报, 2020, 41(8): 1-10.
[11]	王耀民,王霞,董易,张松海,施心陵. 基于斐波那契树优化算法的数据中心流量调度策略[J]. 通信学报, 2020, 41(6): 112-127.
[12]	韩珍珍,赵国锋,徐川,周文涛,周洋洋. 基于时延的LEO卫星网络SDN控制器动态放置方法[J]. 通信学报, 2020, 41(3): 126-135.
[13]	赖英旭,蒲叶玮,刘静. 基于最小代价路径的交换机迁移方法研究[J]. 通信学报, 2020, 41(2): 131-142.
[14]	柯文龙,王勇,叶苗,陈俊奇. Ceph云存储网络中一种业务优先级区分的多播流调度方法[J]. 通信学报, 2020, 41(11): 40-51.
[15]	张海波,王子心,贺晓帆. SDN和MEC架构下V2X卸载与资源分配[J]. 通信学报, 2020, 41(1): 114-124.