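Information Engineering University, Zhengzhou 450001, Henan, China
Chaowen CHANG (1966− ), male, born in Huaxian, Henan, Ph.D., professor and doctoral supervisor at Information Engineering University. His main research interests are mobile information security and Internet of Things security.
Jianshu JIN (1992− ), male, born in Jinzhou, Liaoning, master's student at Information Engineering University. His main research interests are SDN security and network security.
Peisheng HAN (1978− ), male, born in Huanghua, Hebei, Ph.D., professor at Information Engineering University. His main research interests are network security and trusted computing.
Xianwei ZHU (1991− ), male, born in Yucheng, Henan, doctoral student at Information Engineering University. His main research interests are SDN security, network security and cloud computing security.
Online publication date: 2021-06
Print publication date: 2021-06-25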
Chaowen CHANG, Jianshu JIN, Peisheng HAN, et al. Software-defined network packet forwarding verification scheme based on attribute-based signatures identification[J]. Journal on Communications, 2021, 42(6): 131-144. DOI: 10.11959/j.issn.1000-436x.2021079.
To address the lack of an effective forwarding verification mechanism for data packets in software-defined networks (SDN), a packet forwarding verification scheme based on attribute-based signature identification is proposed. First, an attribute signature identifier is generated from the user's identity attributes, and each data packet is marked with it. Then, P4 forwarding devices precisely control and sample the data packets, the controller verifies the attribute signature of the sampled packets, and OpenFlow forwarding devices handle abnormally forwarded packets according to the flow tables issued by the controller. Finally, a multi-controller architecture is constructed to avoid a single point of failure at the controller. Experimental results show that the scheme achieves precise control and sampling of data packets, effectively detects abnormal forwarding behaviors such as packet tampering and forgery, and keeps network delay within the range of feasible communication delay.