School of Cryptographic Engineering, Information Engineering University, Zhengzhou 450001, Henan, China
Xianwei ZHU (1991- ), male, from Yucheng, Henan; PhD candidate at Information Engineering University; main research interests: SDN security, network security, cloud computing security.
Chaowen CHANG (1966- ), male, from Huaxian, Henan; PhD, professor and doctoral supervisor at Information Engineering University; main research interests: mobile information security, IoT security.
Zhiqiang ZHU (1961- ), male, from Xinyang, Henan; PhD, professor and master's supervisor at Information Engineering University; main research interests: cloud computing security, information security strategy, trusted computing.
Xi QIN (秦晰) (1978- ), female, from Jiaozuo, Henan; associate professor and master's supervisor at Information Engineering University; main research interests: SDN security, trusted computing.
Online publication date: 2019-11
Print publication date: 2019-11-25
Xianwei ZHU, Chaowen CHANG, Zhiqiang ZHU, et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019, 40(11): 1-18. DOI: 10.11959/j.issn.1000-436x.2019232.
To address the lack of an effective forwarding verification (data-source authentication) mechanism for data flows in software-defined networking (SDN) and the limited number of match fields in the OpenFlow protocol, a forwarding control architecture based on attribute-based cryptography is proposed. An attribute identifier and an attribute signature are generated from device attributes and encapsulated in the packet header. When a data flow leaves the network, the forwarding device verifies the packet data to ensure the validity of the flow. At the same time, the attribute identifier is used as a flow-table match field, so that network forwarding behaviour is defined in terms of attribute identifiers; together with attribute-signature verification, this mechanism implements fine-grained access control. Experimental results show that the system effectively implements fine-grained forwarding authentication of data flows, and that its forwarding granularity is higher than that of comparable schemes.