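1. School of Cryptography Engineering, Information Engineering University, Zhengzhou 450004, Henan, China
2. School of Information Science and Engineering, Henan University of Technology, Zhengzhou 450001, Henan, China
Ping WU (1979- ), male, born in Susong, Anhui, is a Ph.D. candidate at Information Engineering University. His main research interests are SDN security, network security, and data plane programming.
Chaowen CHANG (1966- ), male, born in Huaxian, Henan, Ph.D., is a professor and doctoral supervisor at Information Engineering University. His main research interests are mobile information security and Internet of Things security.
Zhibin ZUO (1979- ), male, born in Huaxian, Henan, Ph.D., is a lecturer at Henan University of Technology. His main research interest is network security.
Yingying MA (1988- ), female, born in Luohe, Henan, is a Ph.D. candidate at Information Engineering University. Her main research interests are SDN security and network security.
Online publication date: 2022-03
Print publication date: 2022-03-25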
Ping WU, Chaowen CHANG, Zhibin ZUO, et al. Address overloading-based packet forwarding verification in SDN[J]. Journal on Communications, 2022, 43(3): 88-100. DOI: 10.11959/j.issn.1000-436x.2022047.
Most existing forwarding verification mechanisms in software-defined networks (SDN) verify packets hop by hop by incorporating new secure communication protocols, which incurs significant computation and communication overhead. To address this problem, an address overloading-based forwarding verification mechanism is proposed. The ingress switch overloads the address fields of each packet to divide the flow's runtime into consecutive random intervals, and each subsequent switch forwards packets based on the overloaded address. The controller samples the packets forwarded by the flow's ingress and egress switches within each interval to detect abnormal forwarding behavior on the path. Finally, a simulation network was built to implement and evaluate the proposed mechanism. Experiments show that the mechanism achieves efficient forwarding and effective anomaly detection with less than 8% additional forwarding delay.