通信学报 ›› 2019, Vol. 40 ›› Issue (11): 1-18.doi: 10.11959/j.issn.1000-436x.2019232

• 学术论文 •    下一篇

基于身份属性的SDN控制转发方法

祝现威,常朝稳,朱智强,秦晰   

  1. 信息工程大学密码工程学院,河南 郑州 450001
  • 修回日期:2019-10-23 出版日期:2019-11-25 发布日期:2019-12-06
  • 作者简介:祝现威(1991- ),男,河南虞城人,信息工程大学博士生,主要研究方向为 SDN安全、网络安全、云计算安全。|常朝稳(1966- ),男,河南滑县人,博士,信息工程大学教授、博士生导师,主要研究方向为移动信息安全、物联网安全。|朱智强(1961- ),男,河南信阳人,博士,信息工程大学教授、硕士生导师,主要研究方向为云计算安全、信息安全战略、可信计算。|秦晰(1978- ),女,河南焦作人,信息工程大学副教授、硕士生导师,主要研究方向为SDN安全、可信计算。
  • 基金资助:
    国家自然科学基金资助项目(61572517)

SDN control and forwarding method based on identity attribute

Xianwei ZHU,Chaowen CHANG,Zhiqiang ZHU,Xi QIN   

  1. Department of Cryptogram Engineering,Information Engineering University,Zhengzhou 450001,China
  • Revised:2019-10-23 Online:2019-11-25 Published:2019-12-06
  • Supported by:
    The National Natural Science Foundation of China(61572517)

摘要:

针对软件定义网络中数据流转发缺少有效的转发验证机制和OpenFlow协议匹配字段数量有限的问题,提出了一种基于属性密码的转发控制架构。通过设备属性生成属性标识和属性签名,并将其封装在分组头中。当数据流离开网络时,转发设备对其进行数据验证,确保数据流的有效性。同时,将属性标识作为流表匹配字段,通过属性标识定义网络转发行为,该机制与属性签名验证共同实现细粒度的访问控制。实验结果表明,该系统能有效实现数据流的细粒度的转发认证,且转发粒度高于同类方案。

关键词: 软件定义网络, 属性标识, 转发控制机制, 属性签名, 访问控制, 流表匹配

Abstract:

Due to the lack of effective data source authentication mechanism and the limited matching fields in software defined networking (SDN),an SDN security control and forwarding method based on identity attribute was proposed.Attribute identification and attribute signature were generated by device attributes and encapsulated in the group header.When the data flow left the network,the data was verified by the forwarding device to ensure the validity of the data flow.At the same time,attribute identification was defined as a match field of flow by the framework,and the network forwarding behavior was defined based on attributeidentification.A fine-grained access control was implemented by the proposed mechanism and attribute-based signature.The proposed mechanism and attribute-based signature implemented a fine-grained access control.Experimental results demonstrate that the method can effectively implement fine-grained forwarding and flow authentication,and the forwarding granularity is higher than that of similar schemes.

Key words: software defined networking, attribute identification, forwarding control mechanism, attribute signature, access control, low matching

中图分类号: 

No Suggested Reading articles found!