基于属性签名标识的SDN数据包转发验证方案

doi:10.11959/j.issn.1000-436x.2021079

Abstract

Abstract:

Aiming at the lack of effective forwarding verification mechanism for packet in software defined network (SDN), a data packet forwarding verification scheme based on attributed-based signatures identification was proposed.First, the attribute signature identification was generated according to the user's identity attribute, and the data packet was marked by the attribute signature identification.Then, the P4 forwarding device was used to control accurately and sample the data packet.The controller verified the attribute signature of the sampled data packet.The OpenFlow forwarding device processes the abnormal data packets according to the flow table issued by the controller.Finally, a multi-controllers architecture was constructed to avoid the single point failure of the controller.The results of the experiment indicate that the scheme can achieve accurate control and sampling of data packet, effectively detect the forwarding abnormal behaviors such as packet tampering and forgery, and the network delay is within the range of feasible communication delay.

Key words: software-defined network, attribute signature, forwarding verification, P4 forwarding device

CLC Number:

TP393

Chaowen CHANG, Jianshu JIN, Peisheng HAN, Xianwei ZHU. Software-defined network packet forwarding verification scheme based on attribute-based signatures identification[J]. Journal on Communications, 2021, 42(6): 131-144.

Figures/Tables 17

References 24

[1]	MCKEOWN N , . Software-defined networking[C]// IEEE International Conference on Computer Communications. Piscataway:IEEE Press, 2009: 30-32.
[2]	NUNES B A A , MENDONCA M , NGUYEN X N ,et al. A survey of software-defined networking:past,present,and future of programmable networks[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(3): 1617-1634.
[3]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[4]	GAO S , LI Z C , XIAO B ,et al. Security threats in the data plane of software-defined networks[J]. IEEE Network, 2018,32(4): 108-113.
[5]	DARGAHI T , CAPONI A , AMBROSIN M ,et al. A survey on the security of stateful SDN data planes[J]. IEEE Communications Surveys ＆ Tutorials, 2017,19(3): 1701-1725.
[6]	RANA D S , DHONDIYAL S A , CHAMOLI S K . Software defined networking (SDN) challenges,issues and solution[J]. International Journal of Computer Sciences and Engineering, 2019,7(1): 884-889.
[7]	GUPTA B B , PEREZ G M , AGRAWAL D P ,et al. Handbook of computer networks and cyber security[M]. Cham: Springer International Publishing, 2020.
[8]	王首一, 李琦, 张云 . 轻量级的软件定义网络数据包转发验证[J]. 计算机学报, 2019,42(1): 176-189.
	WANG S Y , LI Q , ZHANG Y . LPV:lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019,42(1): 176-189.
[9]	SASAKI T , PAPPAS C , LEE T ,et al. SDNsec:forwarding accountability for the SDN data plane[C]// 2016 25th International Conference on Computer Communication and Networks. Piscataway:IEEE Press, 2016: 1-10.
[10]	秦晰, 唐国栋, 常朝稳 ,等. 软件定义网络中基于密码标识的数据包转发验证机制[J]. 电子与信息学报, 2018,40(9): 2042-2049.
	QIN X , TANG G D , CHANG C W ,et al. Packet forwarding authentication mechanism based on cipher identification in software-defined network[J]. Journal of Electronics ＆ Information Technology, 2018,40(9): 2042-2049.
[11]	冯登国, 陈成 . 属性密码学研究[J]. 密码学报, 2014,1(1): 1-12.
	FENG D G , CHEN C . Research on attribute-based cryptography[J]. Journal of Cryptologic Research, 2014,1(1): 1-12.
[12]	BOSSHART P , DALY D , GIBB G ,et al. P4[J]. ACM SIGCOMM Computer Communication Review, 2014,44(3): 87-95.
[13]	BOSSHART P , GIBB G , KIM H S ,et al. Forwarding metamorphosis:fast programmable match-action processing in hardware for SDN[C]// The ACM SIGCOMM 2013 Conference on SIGCOMM. New York:ACM Press, 2013: 99-110.
[14]	祝现威, 常朝稳, 朱智强 ,等. 基于身份属性的SDN控制转发方法[J]. 通信学报, 2019,40(11): 1-18.
	ZHU X W , CHANG C W , ZHU Z Q ,et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019,40(11): 1-18.
[15]	KHADER D . Attribute based group signatures[J]. IACR Cryptology ePrint Archive,2007, 2007:159.
[16]	陈剑锋 . 基于属性签名方案的研究[D]. 广州:中山大学, 2010.
	CHEN J F . Research on attribute-based signatures[D]. Guangzhou:Sun Yat-Sen University, 2010.
[17]	GOYAL V , PANDEY O , SAHAI A ,et al. Attribute-based encryption for fine-grained access control of encrypted data[C]// The 13th ACM conference on Computer and Communications Security. New York:ACM Press, 2006: 89-98.
[18]	左志斌, 常朝稳, 祝现威 . 一种基于数据平面可编程的软件定义网络数据包转发验证机制[J]. 电子与信息学报, 2020,42(5): 1110-1117.
	ZUO Z B , CHANG C W , ZHU X W . A software-defined networking packet forwarding verification mechanism based on programmable data plane[J]. Journal of Electronics ＆ Information Technology, 2020,42(5): 1110-1117.
[19]	林耘森箫, 毕军, 周禹 ,等. 基于P4的可编程数据平面研究及其应用[J]. 计算机学报, 2019,42(11): 2539-2560.
	LIN Y , BI J , ZHOU Y ,et al. Research and applications of programmable data plane based on P4[J]. Chinese Journal of Computers, 2019,42(11): 2539-2560.
[20]	YAZICI V , SUNAY M O , ERCAN A O . Controlling a software-defined network via distributed controllers[J]. arXiv Preprint,arXiv:1401.7651, 2014.
[21]	田心宁 . 基于 Zookeeper 的 SDN 多控制器架构的研究与实现[D]. 兰州:兰州大学, 2016.
	TIAN X N . Design and implementation of multiple SDN controllers via zookeeper[D]. Lanzhou:Lanzhou University, 2016.
[22]	HUNT P , KONAR M , JUNQUEIRA F P ,et al. Zookeeper:wait-free coordination for internet-scale systems[C]// USENIX Annual Technical Conference. Berkeley:USENIX Association, 2010:9.
[23]	陈世强 . 基于多控制器的 SDN 一致性机制研究[D]. 北京:北京理工大学, 2016.
	CHEN S Q . Research of consistency mechanism based on multi controllers in software-defined network[D]. Beijing:Beijing Institute of Technology, 2016.
[24]	CASADO M , FREEDMAN M J , PETTIT J ,et al. Ethane:taking control of the enterprise[C]// The 2007 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications. New York:ACM Press, 2007: 27-31.

Metrics

Recommended 0

No Suggested Reading articles found!

方案	签名方式及采样粒度	验证设备及开销	转发时延	实现功能	局限性分析
方案1 （文献[8]）	基于身份，OpenFlow匹配字段	控制器，0.15 ms	33.17 ms（3层树形结构，最多经5台交换机）	定位并检测伪造、篡改数据包	控制器单点失效、密钥通信开销大
方案2 （文献[10]）	基于身份，OpenFlow匹配字段	交换机，时延未知	33.65 ms（4层树形结构，最多经7台交换机）	检测伪造、篡改数据包	需要改变交换机内部构成，密钥通信开销大
方案3 （文献[18]）	基于身份，自定义匹配字段	控制器，0.19 ms	0.83 ms（自定义结构，3台OpenFlow交换机和一台P4交换机）	检测伪造、篡改数据包	控制器单点失效、密钥通信开销大
本文方案	基于属性，自定义匹配字段	控制器，约20.2 ms	30.95 ms（自定义结构，2台OpenFlow 交换机和一台P4交换机）	检测伪造、篡改数据包，用户身份可追踪	计算开销较大

Software-defined network packet forwarding verification scheme based on attribute-based signatures identification

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 24

Related Articles 11

Metrics

Recommended 0

[1]	Ping WU, Chaowen CHANG, Zhibin ZUO, Yingying MA. Address overloading-based packet forwarding verification in SDN [J]. Journal on Communications, 2022, 43(3): 88-100.
[2]	Ping WU, Chaowen CHANG, Yingying MA. Port address overloading based packet forwarding verification in SDN [J]. Journal on Communications, 2021, 42(7): 70-83.
[3]	Lan YAO,Julong LAN. Adaptive SDN switch migration mechanism based on coalitional game [J]. Journal on Communications, 2020, 41(8): 1-10.
[4]	Yingxu LAI,Yewei PU,Jing LIU. Research on switch migration method based on minimum cost path [J]. Journal on Communications, 2020, 41(2): 131-142.
[5]	Yang YANG,Min CAO,Jiahai YANG,Rong CHE,Wei LIU. SSRC:source rate control algorithm for delay-sensitive flow in data center network [J]. Journal on Communications, 2019, 40(7): 14-26.
[6]	Nan BAO,Jiakuo ZUO,Han HU,Xu BAO. SDN based network resource selection multi-objective optimization algorithm [J]. Journal on Communications, 2019, 40(2): 51-59.
[7]	Julong LAN,Xueshuai ZHANG,Yuxiang HU,Penghao SUN. Software-defined networking QoS optimization based on deep reinforcement learning [J]. Journal on Communications, 2019, 40(12): 60-67.
[8]	Xianwei ZHU,Chaowen CHANG,Zhiqiang ZHU,Xi QIN. SDN control and forwarding method based on identity attribute [J]. Journal on Communications, 2019, 40(11): 1-18.
[9]	Qian DONG,Jun LI,Yuxiang MA,Shujun HAN. Traffic scheduling method based on segment routing in software-defined networking [J]. Journal on Communications, 2018, 39(11): 23-35.
[10]	Kuang-yu QIN,Chuan-he HUANG,Cai-hua WANG,Jiao-li SHI,Di WU,Xi CHEN. Balanced multiple controllers placement with latency and capacity bound in software-defined network [J]. Journal on Communications, 2016, 37(11): 90-103.
[11]	UANTong D,ANJu-long L,HENGGuo-zhen C,UYu-xiang H. Functional composition in software-defined network based on atomic capacity [J]. Journal on Communications, 2015, 36(5): 156-166.