基于端址重载的SDN包转发验证

doi:10.11959/j.issn.1000-436x.2021108

摘要/Abstract

摘要：

针对软件定义网络（SDN）现有转发验证机制因嵌入额外的分组字段所带来的通信开销大的问题，提出基于端址重载的包转发验证机制。其核心思想是入口交换机重构数据分组端口和地址信息实现端址重载，下游交换机基于重载的端址信息实现数据分组的概率验证，控制器统计路径中节点验证有效和无效的数据分组信息并定位异常；理论分析给出了恶意注入与丢弃攻击异常检测阈值；最后实现了所提机制并对其进行了评估。实验结果表明，所提机制以引入不超过10%的转发时延、低于8%的吞吐率损失实现高效转发及有效的异常定位。

关键词: 软件定义网络, 路径向量, 端址重载, 概率验证, 异常定位

Abstract:

Aiming at the problem that the existing forwarding verification mechanisms in software-defined networking (SDN) incur significant communication overhead caused by embedding additional packet fields, a packet forwarding verification mechanism based on port address overloading was proposed, which key idea was the ingress switch implemented port address overloading by reconstructing port and address of packet, downstream switches executed packet probabilistic verification based on overloading port address, and the controller acquired valid and invalid packet statistics of node verification in the path and localized anomaly.Anomaly detection threshold of malicious injecting and dropping packets was presented by theoretical analysis.Finally, the proposed scheme was implemented and evaluated.Experiments demonstrate the proposed scheme achieves efficient forwarding and effective anomaly localization with less than 10% of additional forwarding delays and less than 8% of throughput degradation.

Key words: software-defined networking, path vector, port address overloading, probabilistic verification, anomaly localization

中图分类号:

TP393

吴平, 常朝稳, 马莹莹. 基于端址重载的SDN包转发验证[J]. 通信学报, 2021, 42(7): 70-83.

Ping WU, Chaowen CHANG, Yingying MA. Port address overloading based packet forwarding verification in SDN[J]. Journal on Communications, 2021, 42(7): 70-83.

图/表 18

图1

表1

PAO-PFV部分标识符及含义"

标识符	含义
R_i	交换机标识
FlowSN	流标识号
Load	网络数据分组负载
L	流路径长度
MAC_K(·)	使用密钥K的消息认证码
K(i,j)	R_i与 R_j共享密钥
H(·)	哈希函数
Padding	填充域
IP_INVAR	IP头中不变的字段域
<Q_R, S_R>	节点公私密钥对
${Cnt}_{i}^{suc} (t_{j})$	间隔 t_j内，R_i验证成功的数据分组数
${Cnt}_{i}^{fal} (t_{j})$	间隔 t_j内，R_i验证失败的数据分组数

表1

图2

图3

图4

图5

图6

表2

表3

图7

图8

图9

图10

图11

图12

图13

图14

图15

参考文献 29

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNA H ,et al. OpenFlow:enabling innovation in campus networks[J]. Computer Communication Review, 2008,38(2): 69-74.
[2]	NUNES B A A , MENDONCA M , NGUYEN X N ,et al. A survey of software-defined networking:past,present,and future of programmable networks[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(3): 1617-1634.
[3]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[4]	SINGH D , SHIV A , CHAMOLI S K . Software defined networking (SDN) challenges,issues and solution[J]. International Journal of Engineering and Computer Science, 2019,7(1): 884-889.
[5]	GUDE N , KOPONEN T , PETTIT J ,et al. Nox[J]. ACM SIGCOMM Computer Communication Review, 2008,38(3): 105-110.
[6]	PORRAS P , CHEUNG S , FONG M ,et al. Securing the software-defined network control layer[C]// Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2015: 1-15.
[7]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2014: 78-89.
[8]	HONG S , XU L , WANG H ,et al. Poisoning network visibility in software-defined networks:new attacks and countermeasures[C]// Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2015: 1-15.
[9]	ANDERSEN D G , BALAKRISHNAN H , FEAMSTER N ,et al. Accountable Internet protocol (AIP)[C]// Proceedings of the ACM SIGCOMM 2008 conference on Data communication. New York:ACM Press, 2008: 1-8.
[10]	PAPPAS C , REISCHUK R M , PERRIG A . FAIR:forwarding accountability for Internet reputability[C]// 2015 IEEE 23rd International Conference on Network Protocols. Piscataway:IEEE Press, 2015: 189-200.
[11]	ZHANG X , ZHOU Z , HSIAO H C ,et al. ShortMac:efficient data-plane fault localization[C]// Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2012: 2-12.
[12]	MIZRAK A T , CHENG Y C , MARZULLO K ,et al. Fatih:detecting and isolating malicious routers[C]// 2005 International Conference on Dependable Systems and Networks. Piscataway:IEEE Press, 2005: 538-547.
[13]	LIU K J , DENG J , VARSHNEY P K ,et al. An acknowledgment-based approach for the detection of routing misbehavior in MANETs[J]. IEEE Transactions on Mobile Computing, 2007,6(5): 536-550.
[14]	ZHANG X , JAIN A , PERRIG A . Packet-dropping adversary identification for data plane security[C]// Proceedings of the 2008 ACM CoNEXT Conference. New York:ACM Press, 2008:24.
[15]	PADMANABHAN V N , SIMON D R . Secure traceroute to detect faulty or malicious routing[J]. ACM SIGCOMM Computer Communication Review, 2003,33(1): 77-82.
[16]	BOSSHART P , DALY D , GIBB G ,et al. P4:programming protocol-independent packet processors[J]. ACM SIGCOMM Computer Communication Review, 2014,44(3): 87-95.
[17]	YAO G , BI J , XIAO P Y . Source address validation solution with OpenFlow/NOX architecture[C]// 2011 19th IEEE International Conference on Network Protocols. Piscataway:IEEE Press, 2011: 7-12.
[18]	CASADO M , FREEDMAN M J , PETTIT J ,et al. Ethane[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 1-12.
[19]	BALLARD J R , RAE I , AKELLA A . Extensible and scalable network monitoring using OpenSAFE[C]// Internet Network Management Conference on Research on Enterprise Networking. Berkeley:USENIX Association, 2010: 1-5.
[20]	WUNDSAM A , LEVIN D , SEETHARAMAN S ,et al. OFRewind:enabling record and replay troubleshooting for networks[C]// Usenix Conference on Usenix Technical Conference. Berkeley:USENIX Association, 2011: 1-6.
[21]	KIM T H J , BASESCU C , JIA L M ,et al. Lightweight source authentication and path validation[J]. ACM SIGCOMM Computer Communication Review, 2015,44(4): 271-282.
[22]	周启钊, 于俊清, 李冬 . SDN环境下SAVI动态配置技术研究[J]. 通信学报, 2018,39(S1): 235-243.
	ZHOU Q Z , YU J Q , LI D . Dynamic source address validation in software defined network[J]. Journal on Communications, 2018,39(S1): 235-243.
[23]	王首一, 李琦, 张云 . 轻量级的软件定义网络数据分组转发验证[J]. 计算机学报, 2019,42(1): 176-189.
	WANG S Y , LI Q , ZHANG Y . LPV:lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019,42(1): 176-189.
[24]	DHAWAN M , PODDAR R , MAHAJAN K ,et al. SPHINX:detecting security attacks in software-defined networks[C]// Proceedings 2015 Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2015: 1-15.
[25]	SASAKI T , PAPPAS C , LEE T ,et al. SDNsec:forwarding accountability for the SDN data plane[C]// 2016 25th International Conference on Computer Communication and Networks. Piscataway:IEEE Press, 2016: 1-10.
[26]	祝现威, 常朝稳, 朱智强 ,等. 基于身份属性的SDN 控制转发方法[J]. 通信学报, 2019,40(11): 1-18.
	ZHU X W , CHANG C W , ZHU Z Q ,et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019,40(11): 1-18.
[27]	HESS F , . Efficient identity based signature schemes based on pairings[C]// Selected Areas in Cryptography. 2003: 310-324.
[28]	HAGERUP T , RüB C , . A guided tour of chernoff bounds[J]. Information Processing Letters, 1990,33(6): 305-308.
[29]	LYNN B . On the implementation of pairing-based cryptosystems[D]. Stanford:Stanford University, 2007.

方案	机密性	完整性	源认证	异常定位	抗注入攻击	抗丢弃攻击	路径一致性
文献[21]	×	√	√	×	√	×	√
文献[23]	×	√	√	√	√	√	√
文献[24]	×	×	×	√	√	√	√
文献[25]	×	√	×	×	√	×	√
文献[26]	×	√	√	×	√	×	√
PAO-PFV	×	√	√	√	√	√	√
注：√表示支持，×表示不支持。

方案	源节点/终端	中间节点	目的节点/终端
文献[21]	LM	2M	LM
文献[25]	LE	M+E	M+E
文献[26]	NP	—	NP
PAO-PFV	LM	M	M