软件定义网络中基于密码标识的报文转发验证机制

秦晰; 唐国栋; 常朝稳; 王瑞云

doi:10.11999/JEIT171226

软件定义网络中基于密码标识的报文转发验证机制

doi: 10.11999/JEIT171226

信息工程大学郑州 450001

基金项目: 国家自然科学基金(61572517)

详细信息

作者简介:
秦晰：女，1978年生，副教授，硕士生导师，研究方向为SDN安全、可信计算

唐国栋：男，1992年生，硕士生，研究方向为SDN安全

常朝稳：男，1965年生，教授，博士生导师，研究方向为网络安全、态势感知

王瑞云：女，1992年生，硕士生，研究方向为协议形式化验证

通讯作者:
唐国栋　 tgdhooping@163.com

中图分类号: TP393
计量
- 文章访问数: 2051
- HTML全文浏览量: 706
- PDF下载量: 69
- 被引次数: 0
出版历程
- 收稿日期: 2017-12-26
- 修回日期: 2018-06-01
- 网络出版日期: 2018-07-12
- 刊出日期: 2018-09-01

Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network

Information Engineering University, Zhengzhou 450001, China

Funds: The National Natural Science Foundation of China (61572517)

摘要

摘要: 针对软件定义网络(SDN)中缺乏安全高效的数据来源验证机制问题，该文提出基于密码标识的报文转发验证机制。首先，建立基于密码标识的报文转发验证模型，将密码标识作为IP报文进出网络的通行证。其次，设计SDN批量匿名认证协议，将SDN控制器的验证功能下放给SDN交换机，由SDN交换机进行用户身份验证和密码标识验证，快速过滤伪造、篡改等非法报文，提高SDN控制器统一认证与管理效率，同时可为用户提供条件隐私保护。提出基于密码标识的任意节点报文抽样验证方案，任何攻击者无法通过推断采样来绕过报文检测，确保报文的真实性的同时降低其处理延迟。最后，进行安全性分析和性能评估。结果表明该机制能快速检测报文伪造和篡改及抵抗ID分析攻击，但同时引入了大约9.6%的转发延迟和低于10%的通信开销。
- 软件定义网络 /
- 密码标识 /
- 数据来源验证 /
- 条件隐私性
Abstract: To deal with the lack of a secure and efficient data source authentication mechanism in Software-Defined Network (SDN), a packet forwarding authentication mechanism based on cipher identification is proposed. Firstly, a packet forwarding authentication model based on cipher identification is established, where the cipher identification is identified as a passport of IP packets entering and leaving the network. Secondly, the SDN batch anonymous authentication protocol is designed to decentralize the authentication function of the SDN controller to the SDN switch. The SDN switch performs user authentication and cipher identification verification, and quickly filters forgery, falsification, and other illegal packets to improve the unified authentication and management efficiency of the SDN controller, while providing users with the conditions of privacy protection. Thirdly, a scheme for sampling and verifying packets based on cipher identification in any node is proposed, where any attacker can not bypass the packet detection by inferring the sample, to ensure the authenticity of the packet while reducing its processing delay. Finally, safety analysis and performance evaluation are conducted. The results show that this mechanism can quickly detect packet falsification and tampering and resist ID analysis attacks, but at the same time it introduces about 9.6% forwarding delay and less than 10% communication overhead.
- Software-Defined Network (SDN) /
- Cipher identification /
- Data source authentication /
- Conditional privacy

HTML全文

图 1 基于密码标识的报文转发验证模型

下载: 全尺寸图片幻灯片

图 2 生成身份基

下载: 全尺寸图片幻灯片

图 3 SDN批量匿名认证

下载: 全尺寸图片幻灯片

图 4 不同的检测因子h下的网络吞吐量

下载: 全尺寸图片幻灯片

图 5 检测准确率

下载: 全尺寸图片幻灯片

图 6 转发延迟CDF

下载: 全尺寸图片幻灯片

表 1 任意节点报文抽样验证流表项生成算法

算法1　任意节点报文抽样验证流表项生成算法
输入：未匹配报文 ${P_i}$；检测因子h
输出：流表项；组表项；共享密钥 ${k_i}$
(1)　 ${\rm{PID}}_i \leftarrow {\rm{getPID}}\left( {{P_i}} \right)$;
(2) ${\rm{SwitchID}} \leftarrow {\rm{getSwitchID}}\left( {{P_i}} \right)$;
(3) ${\rm{SrcIP}}_i \leftarrow {\rm{getSrcIP}}\left( {{P_i}} \right)$;
(4) ${\rm{RID}}_i \leftarrow {\rm{PID}}_i \oplus {H_0}\left( {b{W_i}} \right)$;
(5) get ${\rm{Lifetime}}_i,{k_i}$ by querying ${L_c}$ according to ${\rm{RID}}_i$;
(6) $\alpha = {\rm{ValidityCheck}}\left( {{\rm{Lifetime}}_i} \right)$;
(7) if $\alpha = = 0$ /* ${\rm{RID}}_i$失效*/
(8)　setFlowEntry (SwitchID; SrcIP_i; drop);
(9) else /* ${\rm{RID}}_i$有效*/
(10)　select an optimized ${{\rm Path}_i}$ for unmatched packet ${P_i}$;
(11)　 ${L_i} \leftarrow {\rm{getLength}}\left( {{\rm{Path}}_i} \right)$;
(12)　randomly select $x \in Z_q^ * $;
(13)　 $k \leftarrow x\bmod {L_i}$;
(14)　for $j = {1_{}}{;_{}}j \le {L_i}_{}{;_{}}j + + $
(15)　　SwitchID $ \leftarrow {\rm{getSwitchID}}\left( {{\rm{Path}}\left( j \right)} \right)$;
(16)　　if $j \ne k$
(17)　　　setFlowEntry(SwitchID; C_i; Forward);/* ${C_i}$为匹配域 */
(18)　　else
(19)　　　SwitchID $ \leftarrow {\rm{getSwitchID}}\left( {{\rm{Path}}\left( k \right)} \right)$;
(20)　　　setFlowEntry(SwitchID; C_i; Group);/* ${C_i}$为匹配域*/
(21)　　　setGroupTable(SwitchID; select; h; Forward,Verify- MAC);
(22)　　　send ${k_i}$ to SwitchID by TLS;
(23)　　end if
(24)end if

下载: 导出CSV

表 2 交换机与主机数目表

网络符号	说明
网络拓扑结构	Fattree
核心交换机数目	64
聚集交换机数目	128
边界交换机数目	128
主机数目	512

下载: 导出CSV

表 3 认证开销

方案	参与方数量	通信开销	用户计算开销	SDN控制器(服务器)计算开销	SDN交换机计算开销
文献[18]	2	3\|G\|+4\|ID\|+2 $\|Z_q^*\|$	7 ${T_{\rm em}}$+2 ${T_{\rm ea}}$	5 ${T_{\rm em}}$+2 ${T_{\rm ea}}$	$\left( {3n + 1} \right){T_{\rm em}}$+ $\left( {4n - 1} \right){T_{\rm ea}}$
文献[19]	2	2\|G\|+4\|ID\|+4 $\|Z_q^*\|$	7 ${T_{\rm em}}$+ ${T_{\rm ea}}$	7 ${T_{\rm em}}$+ ${T_{\rm ea}}$	–
本文方案	3	5\|G\|+3\|ID\|+2 $\|Z_q^*\|$	5 ${T_{\rm em}}$+ ${T_{\rm ea}}$	2 ${T_{\rm em}}$	–
注：“–”表示不存在该项，n为单位时间SDN交换机收到用户数目

下载: 导出CSV

参考文献(19)

MCKEOWN N. Software-defined networking[C]. IEEE International Conference on Computer Communications, Rio de Janeiro, Brazil, 2009: 30–32.

NUNES B, MENDONCA M, NGUYEN X, et al. A survey of software-defined networking: Past, present, and future of programmable networks[J]. IEEE Communications Surveys&Tutorials, 2014, 16(3): 1617–1634 doi: 10.1109/SURV.2014.012214.00180

王蒙蒙, 刘建伟, 陈杰, 等. 软件定义网络: 安全模型、机制及研究进展[J]. 软件学报, 2016, 27(4): 969–992 doi: 10.13328/j.cnki.jos.005020

WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. Software defined networking: Security model, threats and mechanism[J]. Journal of Software, 2016, 27(4): 969–992 doi: 10.13328/j.cnki.jos.005020

LIU Hongqiang, WU Xin, ZHANG Ming, et al. zUpdate: Updating data center networks with zero loss[J]. Computer Communication Review, 2013, 43(4): 411–422 doi: 10.1145/2486001.2486005

LI Dan, SHANG Yunfei, and CHEN Congjie. Software defined green data center network with exclusive routing[C]. IEEE International Conference on Computer Communications, Toronto, Canada, 2014: 1743–1751.

DHAWAN M, PODDAR R, MAHAJAN K, et al. SPHINX: Detecting security attacks in software-defined networks[C]. Network and Distributed System Security Symposium, San Diego, USA, 2015: 1–15.

李杰, 吴建平, 徐恪, 等. Hidasav: 一种层次化的域间真实源地址验证方法[J]. 计算机学报, 2012, 35(1): 85–100 doi: 10.3724/SP.J.1016.2012.00085

LI Jie, WU Jianping, XU Ke, et al. An hierarchical inter-domain authenticated source address validation solution[J]. Chinese Journal of Computers, 2012, 35(1): 85–100 doi: 10.3724/SP.J.1016.2012.00085

YAO Guang, BI Jun, and XIAO Peiyao. Source address validation solution with OpenFlow/NOX architecture[C]. IEEE International Conference on Network Protocols, Vancouver, Canada, 2011: 7–12.

孙鹏. 面向SDN的源地址验证方法研究[J]. 电光与控制, 2016, 23(3): 49–53 doi: 10.3969/j.issn.1671-637X.2016.03.012

SUN Peng. Source address validation methods based on SDN[J]. Electronics Optics&Control, 2016, 23(3): 49–53 doi: 10.3969/j.issn.1671-637X.2016.03.012

LIU Bingyang, BI Jun, and ZHOU Yu. Source address validation in software defined networks[C]. ACM Conference on SIGCOMM, Florianópolis, Brazil, 2016: 595–596.

KIM H, BASESCU C, JIA L, et al. Lightweight source authentication and path validation[C]. ACM Conference on SIGCOMM, Chicago, USA, 2014: 271–282.

TAKAYUKI S, CHRISTOS P, TAEHO L, et al. SDNsec: Forwarding accountability for the SDN data plane[C]. International Conference on Computer Communication and Networks, Hawaii, USA, 2016: 1–10.

陈越, 贾洪勇, 谭鹏许, 等. 基于流认证的IPv6接入子网主机源地址验证[J]. 通信学报, 2013, 34(1): 171–178 doi: 10.3969/j.issn.1000-436x.2013.01.019

CHEN Yue, JIA Hongyong, TAN Pengxu, et al. Host’s source address verification based on stream authentication in the IPv6 access subnet[J]. Journal of Communications, 2013, 34(1): 171–178 doi: 10.3969/j.issn.1000-436x.2013.01.019

董平, 秦雅娟, 张宏科. 支持普适服务的一体化网络研究[J]. 电子学报, 2007, 35(4): 599–606

DONG Ping, QIN Yajuan, and ZHANG Hongke. Research on universal network supporting pervasive services[J]. Acta Electronica Sinica, 2007, 35(4): 599–606

FARINACCI D, MEYER D, ZWIEBEL J, et al. The locator/id separation protocol (LISP) for multicast environments[S]. Internet Draft, draft-farinacci-lisp-15.txt, 2011.

许芷岩, 吴黎兵, 李莉, 等. 无线漫游认证中可证安全的无证书聚合签名方案[J]. 通信学报, 2017, 38(7): 123–130 doi: 10.11959/j.issn.1000-436x.2017152

XU Zhiyan, WU Libing, LI Li, et al. Provably secure certificateless aggregate signature scheme in wireless roaming authentication[J]. Journal of Communications, 2017, 38(7): 123–130 doi: 10.11959/j.issn.1000-436x.2017152

HORNG S, TZENG S, PAN Y, et al. b-SPECS+: batch verification for secure pseudonymous authentication in VANET[J]. IEEE Transactions on Information Forensics&Security, 2013, 8(11): 1860–1875 doi: 10.1109/TIFS.2013.2277471

谢永, 吴黎兵, 张宇波, 等. 面向车联网的多服务器架构的匿名双向认证与密钥协商协议[J]. 计算机研究与发展, 2016, 53(10): 2323–2333 doi: 10.7544/issn1000-1239.2016.20160428

XIE Yong, WU Libing, ZHANG Yubo, et al. Anonymous mutual authentication and key agreement protocol in multi-server architecture for VANETs[J]. Journal of Computer Research and Development, 2016, 53(10): 2323–2333 doi: 10.7544/issn1000-1239.2016.20160428

周彦伟, 杨波, 张文政. 一种改进的无证书两方认证密钥协商协议[J]. 计算机学报, 2017, 40(5): 1181–1191 doi: 10.11897/SP.J.1016.2017.01181

ZHOU Yanwei, YANG Bo, and ZHANG Wenzheng. An improved two-party authenticated certificateless key agreement protocol[J]. Chinese Journal of Computers, 2017, 40(5): 1181–1191 doi: 10.11897/SP.J.1016.2017.01181

施引文献

资源附件(0)

访问统计