基于端址重载的SDN包转发验证

doi:10.11959/j.issn.1000-436x.2021108

Abstract

Abstract:

Aiming at the problem that the existing forwarding verification mechanisms in software-defined networking (SDN) incur significant communication overhead caused by embedding additional packet fields, a packet forwarding verification mechanism based on port address overloading was proposed, which key idea was the ingress switch implemented port address overloading by reconstructing port and address of packet, downstream switches executed packet probabilistic verification based on overloading port address, and the controller acquired valid and invalid packet statistics of node verification in the path and localized anomaly.Anomaly detection threshold of malicious injecting and dropping packets was presented by theoretical analysis.Finally, the proposed scheme was implemented and evaluated.Experiments demonstrate the proposed scheme achieves efficient forwarding and effective anomaly localization with less than 10% of additional forwarding delays and less than 8% of throughput degradation.

Key words: software-defined networking, path vector, port address overloading, probabilistic verification, anomaly localization

CLC Number:

TP393

Ping WU, Chaowen CHANG, Yingying MA. Port address overloading based packet forwarding verification in SDN[J]. Journal on Communications, 2021, 42(7): 70-83.

Figures/Tables 18

标识符	含义
R_i	交换机标识
FlowSN	流标识号
Load	网络数据分组负载
L	流路径长度
MAC_K(·)	使用密钥K的消息认证码
K(i,j)	R_i与 R_j共享密钥
H(·)	哈希函数
Padding	填充域
IP_INVAR	IP头中不变的字段域
<Q_R, S_R>	节点公私密钥对
${Cnt}_{i}^{suc} (t_{j})$	间隔 t_j内，R_i验证成功的数据分组数
${Cnt}_{i}^{fal} (t_{j})$	间隔 t_j内，R_i验证失败的数据分组数

References 29

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNA H ,et al. OpenFlow:enabling innovation in campus networks[J]. Computer Communication Review, 2008,38(2): 69-74.
[2]	NUNES B A A , MENDONCA M , NGUYEN X N ,et al. A survey of software-defined networking:past,present,and future of programmable networks[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(3): 1617-1634.
[3]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[4]	SINGH D , SHIV A , CHAMOLI S K . Software defined networking (SDN) challenges,issues and solution[J]. International Journal of Engineering and Computer Science, 2019,7(1): 884-889.
[5]	GUDE N , KOPONEN T , PETTIT J ,et al. Nox[J]. ACM SIGCOMM Computer Communication Review, 2008,38(3): 105-110.
[6]	PORRAS P , CHEUNG S , FONG M ,et al. Securing the software-defined network control layer[C]// Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2015: 1-15.
[7]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2014: 78-89.
[8]	HONG S , XU L , WANG H ,et al. Poisoning network visibility in software-defined networks:new attacks and countermeasures[C]// Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2015: 1-15.
[9]	ANDERSEN D G , BALAKRISHNAN H , FEAMSTER N ,et al. Accountable Internet protocol (AIP)[C]// Proceedings of the ACM SIGCOMM 2008 conference on Data communication. New York:ACM Press, 2008: 1-8.
[10]	PAPPAS C , REISCHUK R M , PERRIG A . FAIR:forwarding accountability for Internet reputability[C]// 2015 IEEE 23rd International Conference on Network Protocols. Piscataway:IEEE Press, 2015: 189-200.
[11]	ZHANG X , ZHOU Z , HSIAO H C ,et al. ShortMac:efficient data-plane fault localization[C]// Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2012: 2-12.
[12]	MIZRAK A T , CHENG Y C , MARZULLO K ,et al. Fatih:detecting and isolating malicious routers[C]// 2005 International Conference on Dependable Systems and Networks. Piscataway:IEEE Press, 2005: 538-547.
[13]	LIU K J , DENG J , VARSHNEY P K ,et al. An acknowledgment-based approach for the detection of routing misbehavior in MANETs[J]. IEEE Transactions on Mobile Computing, 2007,6(5): 536-550.
[14]	ZHANG X , JAIN A , PERRIG A . Packet-dropping adversary identification for data plane security[C]// Proceedings of the 2008 ACM CoNEXT Conference. New York:ACM Press, 2008:24.
[15]	PADMANABHAN V N , SIMON D R . Secure traceroute to detect faulty or malicious routing[J]. ACM SIGCOMM Computer Communication Review, 2003,33(1): 77-82.
[16]	BOSSHART P , DALY D , GIBB G ,et al. P4:programming protocol-independent packet processors[J]. ACM SIGCOMM Computer Communication Review, 2014,44(3): 87-95.
[17]	YAO G , BI J , XIAO P Y . Source address validation solution with OpenFlow/NOX architecture[C]// 2011 19th IEEE International Conference on Network Protocols. Piscataway:IEEE Press, 2011: 7-12.
[18]	CASADO M , FREEDMAN M J , PETTIT J ,et al. Ethane[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 1-12.
[19]	BALLARD J R , RAE I , AKELLA A . Extensible and scalable network monitoring using OpenSAFE[C]// Internet Network Management Conference on Research on Enterprise Networking. Berkeley:USENIX Association, 2010: 1-5.
[20]	WUNDSAM A , LEVIN D , SEETHARAMAN S ,et al. OFRewind:enabling record and replay troubleshooting for networks[C]// Usenix Conference on Usenix Technical Conference. Berkeley:USENIX Association, 2011: 1-6.
[21]	KIM T H J , BASESCU C , JIA L M ,et al. Lightweight source authentication and path validation[J]. ACM SIGCOMM Computer Communication Review, 2015,44(4): 271-282.
[22]	周启钊, 于俊清, 李冬 . SDN环境下SAVI动态配置技术研究[J]. 通信学报, 2018,39(S1): 235-243.
	ZHOU Q Z , YU J Q , LI D . Dynamic source address validation in software defined network[J]. Journal on Communications, 2018,39(S1): 235-243.
[23]	王首一, 李琦, 张云 . 轻量级的软件定义网络数据分组转发验证[J]. 计算机学报, 2019,42(1): 176-189.
	WANG S Y , LI Q , ZHANG Y . LPV:lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019,42(1): 176-189.
[24]	DHAWAN M , PODDAR R , MAHAJAN K ,et al. SPHINX:detecting security attacks in software-defined networks[C]// Proceedings 2015 Network and Distributed System Security Symposium. Piscataway:IEEE Press, 2015: 1-15.
[25]	SASAKI T , PAPPAS C , LEE T ,et al. SDNsec:forwarding accountability for the SDN data plane[C]// 2016 25th International Conference on Computer Communication and Networks. Piscataway:IEEE Press, 2016: 1-10.
[26]	祝现威, 常朝稳, 朱智强 ,等. 基于身份属性的SDN 控制转发方法[J]. 通信学报, 2019,40(11): 1-18.
	ZHU X W , CHANG C W , ZHU Z Q ,et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019,40(11): 1-18.
[27]	HESS F , . Efficient identity based signature schemes based on pairings[C]// Selected Areas in Cryptography. 2003: 310-324.
[28]	HAGERUP T , RüB C , . A guided tour of chernoff bounds[J]. Information Processing Letters, 1990,33(6): 305-308.
[29]	LYNN B . On the implementation of pairing-based cryptosystems[D]. Stanford:Stanford University, 2007.

Metrics

Recommended 0

No Suggested Reading articles found!

方案	机密性	完整性	源认证	异常定位	抗注入攻击	抗丢弃攻击	路径一致性
文献[21]	×	√	√	×	√	×	√
文献[23]	×	√	√	√	√	√	√
文献[24]	×	×	×	√	√	√	√
文献[25]	×	√	×	×	√	×	√
文献[26]	×	√	√	×	√	×	√
PAO-PFV	×	√	√	√	√	√	√
注：√表示支持，×表示不支持。

方案	源节点/终端	中间节点	目的节点/终端
文献[21]	LM	2M	LM
文献[25]	LE	M+E	M+E
文献[26]	NP	—	NP
PAO-PFV	LM	M	M

Port address overloading based packet forwarding verification in SDN

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 29

Related Articles 4

Metrics

Recommended 0

[1]	Ping WU, Chaowen CHANG, Zhibin ZUO, Yingying MA. Address overloading-based packet forwarding verification in SDN [J]. Journal on Communications, 2022, 43(3): 88-100.
[2]	Lan YAO,Julong LAN. Adaptive SDN switch migration mechanism based on coalitional game [J]. Journal on Communications, 2020, 41(8): 1-10.
[3]	Julong LAN,Xueshuai ZHANG,Yuxiang HU,Penghao SUN. Software-defined networking QoS optimization based on deep reinforcement learning [J]. Journal on Communications, 2019, 40(12): 60-67.
[4]	Qian DONG,Jun LI,Yuxiang MA,Shujun HAN. Traffic scheduling method based on segment routing in software-defined networking [J]. Journal on Communications, 2018, 39(11): 23-35.