School of Cryptographic Engineering, Information Engineering University, Zhengzhou 450004, Henan, China
Wu Ping (born 1979), male, from Susong, Anhui; Ph.D. candidate at Information Engineering University; main research interests: SDN security, network security, data plane programming.
Chang Chaowen (born 1966), male, from Huaxian, Henan; Ph.D., professor and doctoral supervisor at Information Engineering University; main research interests: mobile information security, IoT security.
Ma Yingying (born 1988), female, from Luohe, Henan; Ph.D. candidate at Information Engineering University; main research interests: SDN security, network security.
Online publication date: 2021-07
Print publication date: 2021-07-25
Ping WU, Chaowen CHANG, Yingying MA. Port address overloading based packet forwarding verification in SDN [J]. Journal on Communications, 2021, 42(7): 70-83. DOI: 10.11959/j.issn.1000-436x.2021108. (Original Chinese title: 基于端址重载的SDN包转发验证)
Abstract: Existing forwarding verification mechanisms in software-defined networking (SDN) incur significant communication overhead because they embed additional fields in each packet. To address this, a packet forwarding verification mechanism based on port address overloading is proposed. Its key idea is that the ingress switch reconstructs the port and address information of a packet to implement port address overloading; downstream switches perform probabilistic verification of packets based on the overloaded port address information; and the controller collects per-node statistics of packets that passed and failed verification along the path and localizes the anomaly. Anomaly detection thresholds for malicious packet injection and packet dropping attacks are derived by theoretical analysis. Finally, the proposed mechanism is implemented and evaluated. Experimental results show that it achieves efficient forwarding and effective anomaly localization while introducing no more than 10% additional forwarding delay and less than 8% throughput degradation.