Journal on Communications ›› 2019, Vol. 40 ›› Issue (11): 1-18. doi: 10.11959/j.issn.1000-436x.2019232
• Academic Paper •
Xianwei ZHU, Chaowen CHANG, Zhiqiang ZHU, Xi QIN (祝现威, 常朝稳, 朱智强, 秦晰)
Revised: 2019-10-23
Online: 2019-11-25
Published: 2019-12-06
About the authors:
Xianwei ZHU (born 1991), male, from Yucheng, Henan; Ph.D. candidate at Information Engineering University; main research interests: SDN security, network security, cloud computing security. | Chaowen CHANG (born 1966), male, from Huaxian, Henan; Ph.D., professor and doctoral supervisor at Information Engineering University; main research interests: mobile information security, IoT security. | Zhiqiang ZHU (born 1961), male, from Xinyang, Henan; Ph.D., professor and master's supervisor at Information Engineering University; main research interests: cloud computing security, information security strategy, trusted computing. | Xi QIN (born 1978), female, from Jiaozuo, Henan; associate professor and master's supervisor at Information Engineering University; main research interests: SDN security, trusted computing.
Abstract:
To address two problems in software-defined networking, the lack of an effective forwarding verification mechanism for data-flow forwarding and the limited number of match fields in the OpenFlow protocol, a forwarding control architecture based on attribute-based cryptography is proposed. An attribute identifier and an attribute signature are generated from device attributes and encapsulated in the packet header. When a data flow leaves the network, the forwarding device verifies the data to ensure the validity of the flow. At the same time, the attribute identifier is used as a flow-table match field, so that network forwarding behaviour is defined in terms of attribute identifiers; together with attribute-signature verification, this mechanism achieves fine-grained access control. Experimental results show that the system effectively implements fine-grained forwarding authentication of data flows, with a forwarding granularity finer than that of comparable schemes.
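The abstract describes the two mechanisms at the level of architecture: an attribute identifier and attribute signature carried in the packet header, flow-table rules that match on the attribute identifier, and verification at the egress device. The following is an added example, written for this page and not code from the paper, that models that pipeline end to end so the two checks can be seen separately. It is a simplification: the paper's attribute-based signature scheme is replaced by an HMAC keyed per attribute set under a hypothetical attribute authority (an assumption, chosen so the block runs offline with the standard library only), the device attribute sets and policy are constructed sample data, and header field sizes are arbitrary choices. Flow-table misses default to drop, and a packet whose attribute identifier matches a rule is still discarded at egress if its signature does not verify, which is the property the abstract's "fine-grained forwarding authentication" depends on.

```python
import hashlib
import hmac

# Constructed device attribute sets (sample data, not from the paper).
DEVICE_ATTRS = {
    "host-a": ("dept:finance", "role:server", "zone:dmz"),
    "host-b": ("dept:guest", "role:client", "zone:wifi"),
}

# Hypothetical attribute authority secret. The paper uses an attribute-based
# signature; this HMAC-based stand-in is an assumption made for the example.
AUTHORITY_KEY = b"constructed-authority-secret"

ATTR_ID_LEN = 8   # header bytes for the attribute identifier (arbitrary)
TAG_LEN = 16      # header bytes for the signature tag (arbitrary)


def attribute_identifier(attrs):
    """Fixed-length identifier derived from a canonicalised attribute set."""
    canonical = "|".join(sorted(attrs)).encode()
    return hashlib.sha256(canonical).digest()[:ATTR_ID_LEN]


def attribute_key(attr_id):
    """Signing key the authority issues for one attribute set (HMAC stand-in)."""
    return hmac.new(AUTHORITY_KEY, attr_id, hashlib.sha256).digest()


def sign(attr_id, payload, key):
    return hmac.new(key, attr_id + payload, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(attrs, payload, key=None):
    """Build a packet as attribute identifier || signature tag || payload.
    A caller passing a wrong key models a device that lacks the attributes."""
    attr_id = attribute_identifier(attrs)
    key = attribute_key(attr_id) if key is None else key
    return attr_id + sign(attr_id, payload, key) + payload


def parse(packet):
    attr_id = packet[:ATTR_ID_LEN]
    tag = packet[ATTR_ID_LEN:ATTR_ID_LEN + TAG_LEN]
    payload = packet[ATTR_ID_LEN + TAG_LEN:]
    return attr_id, tag, payload


def build_flow_table(policy):
    """policy maps attribute tuples to actions; the table is keyed by
    attribute identifier, i.e. the identifier is the match field."""
    return {attribute_identifier(attrs): action for attrs, action in policy.items()}


def ingress_match(flow_table, packet):
    """Forwarding decision taken from the attribute identifier alone."""
    attr_id, _, _ = parse(packet)
    return flow_table.get(attr_id, "drop")   # table miss: drop


def egress_verify(packet):
    """Egress device recomputes the tag for the claimed attribute identifier."""
    attr_id, tag, payload = parse(packet)
    expected = sign(attr_id, payload, attribute_key(attr_id))
    return hmac.compare_digest(tag, expected)


def forward(flow_table, packet):
    """Full path: attribute-identifier match at ingress, verification at egress."""
    action = ingress_match(flow_table, packet)
    if action == "drop":
        return "dropped:no-rule"
    if not egress_verify(packet):
        return "dropped:bad-signature"
    return action


def demo():
    """Runs four constructed cases and returns their outcomes."""
    table = build_flow_table({DEVICE_ATTRS["host-a"]: "output:port1"})
    good = encapsulate(DEVICE_ATTRS["host-a"], b"GET /ledger")
    unauthorised = encapsulate(DEVICE_ATTRS["host-b"], b"GET /ledger")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])      # payload modified in flight
    forged = encapsulate(DEVICE_ATTRS["host-a"], b"GET /ledger", key=b"not-the-issued-key")
    return {
        "good": forward(table, good),
        "unauthorised": forward(table, unauthorised),
        "tampered": forward(table, tampered),
        "forged": forward(table, forged),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {outcome}")
```

The ingress step needs only the identifier, so the match-field limit of OpenFlow is the only cost there; the authority key (or, in the paper's setting, the attribute-signature verification key) is needed only where packets leave the network, which is where the example places the cryptographic check.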
Cite this article:
Xianwei ZHU, Chaowen CHANG, Zhiqiang ZHU, Xi QIN. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019, 40(11): 1-18.