A Software-Defined Networking Packet Forwarding Verification Mechanism Based on Programmable Data Plane

Zhibin ZUO, Chaowen CHANG, Xianwei ZHU

Citation: Zhibin ZUO, Chaowen CHANG, Xianwei ZHU. A Software-Defined Networking Packet Forwarding Verification Mechanism Based on Programmable Data Plane[J]. Journal of Electronics & Information Technology, 2020, 42(5): 1110-1117. doi: 10.11999/JEIT190381
(Original Chinese citation: 左志斌, 常朝稳, 祝现威. 一种基于数据平面可编程的软件定义网络报文转发验证机制[J]. 电子与信息学报, 2020, 42(5): 1110-1117. doi: 10.11999/JEIT190381)

doi: 10.11999/JEIT190381
Funds: The National Natural Science Foundation of China (61572517)
Chinese Library Classification (CLC) number: TP393

Author biographies:

    Zhibin ZUO: male, born 1979, Ph.D. candidate; research interests: SDN, network security

    Chaowen CHANG: male, born 1965, professor and doctoral supervisor; research interests: network security, situational awareness

    Xianwei ZHU: male, born 1991, Ph.D. candidate; research interests: SDN, information security

Corresponding author:

    Chaowen CHANG, changchaowen5@163.com
  • Abstract:

    To address two problems in software-defined networking (SDN), namely that the match fields of the OpenFlow protocol are fixed and limited in number, and that data-flow forwarding lacks an effective forwarding verification mechanism, this paper proposes an SDN packet forwarding verification mechanism based on a programmable data plane. A custom cryptographic identifier is added to each data packet, and a P4 forwarding device is introduced into the OpenFlow-based SDN, so that network service flows can be precisely controlled and sampled without affecting the normal forwarding of data flows. The controller verifies the integrity of the sampled service packets and, for anomalous packets, issues flow rules to the OpenFlow forwarding devices so that anomalous data flows, such as maliciously tampered or forged ones, are controlled at forwarding time. Finally, a forwarding verification prototype is built from a P4 forwarding device based on the open-source BMv2 and an OpenFlow-based Open vSwitch forwarding device, and a simulated network is constructed for experiments. The experimental results show that the mechanism effectively detects forwarding anomalies such as tampering and forgery of service packets; compared with similar verification mechanisms, it achieves finer-grained precise control and sampling of service flows and lower forwarding delay while the security verification processing overhead remains unchanged.
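The following is an added illustration of the pipeline the abstract describes (tag at ingress, sample at the P4 device, verify at the controller, push a drop rule for failing flows); it is not the paper's code. The identifier format is assumed to be a truncated HMAC-SHA256 over the 5-tuple and payload under a key shared by the tagging device and the controller, and the sampling rate, key and packets are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
KEY = b"constructed-demo-key"  # constructed secret shared by tagging device and controller
TAG_LEN = 8        # truncated tag length in bytes (assumption)
SAMPLE_RATE = 4    # P4 device copies one packet in four per flow to the controller (assumption)

@dataclass
class Packet:
    src: str; dst: str; proto: int; sport: int; dport: int
    payload: bytes
    tag: bytes = b""

def flow_id(p):  # 5-tuple: sampling key and the match of a drop rule
    return (p.src, p.dst, p.proto, p.sport, p.dport)

def compute_tag(p, key=KEY):  # identifier = truncated HMAC-SHA256 over 5-tuple and payload
    msg = "|".join(map(str, flow_id(p))).encode() + b"|" + p.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def add_identifier(p):  # ingress: attach the identifier before the packet enters the path
    p.tag = compute_tag(p); return p

class P4Sampler:  # models the programmable forwarding device
    def __init__(self): self.counts = {}
    def forward(self, p):
        fid = flow_id(p)
        self.counts[fid] = self.counts.get(fid, 0) + 1
        # the packet is forwarded normally; a copy goes to the controller when sampled
        return p if self.counts[fid] % SAMPLE_RATE == 1 else None

class Controller:  # verifies sampled packets, records drop rules for failing flows
    def __init__(self): self.drop_rules = set()
    def verify(self, sample):
        if hmac.compare_digest(sample.tag, compute_tag(sample)):
            return True
        self.drop_rules.add(flow_id(sample))  # rule to install on the OpenFlow switches
        return False

def run_scenario(tamper):  # 8 packets of one flow; tamper alters the payload in-path after tagging
    sampler, ctrl = P4Sampler(), Controller()
    for i in range(8):
        p = add_identifier(Packet("10.0.0.1", "10.0.0.2", 6, 4000, 80, b"req%d" % i))
        if tamper and i >= 4:
            p.payload = b"evil"
        sample = sampler.forward(p)
        if sample is not None:
            ctrl.verify(sample)
    return sorted(ctrl.drop_rules)
```

Because only sampled packets are verified, a modification that starts between two sampling points is caught at the next sampled packet of that flow, which is the trade-off between sampling granularity and detection delay that Figure 8 of the paper measures.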

  • Figures and tables (captions only; the images are not reproduced here):

    Fig. 1  Architecture

    Fig. 2  Structure of the cryptographic identifier

    Fig. 3  Forwarding verification process

    Fig. 4  Control program flowchart

    Fig. 5  Processing flow of the forwarding processing module

    Fig. 6  Experimental topology

    Fig. 7  CDF of forwarding delay

    Fig. 8  Detection miss rate

    Fig. 9  Controller processing time

    Table 1  Comparison of the characteristics of different mechanisms

    | Mechanism | Sampling device and granularity | Verification device and verification overhead | Forwarding delay | Function |
    | Mechanism 1 (Ref. [9]) | any OpenFlow switch, OpenFlow match fields | controller, 0.15 ms | 33.17 ms (3-layer tree topology) | locates and detects forged and tampered packets |
    | Mechanism 2 (Ref. [12]) | any OpenFlow switch, OpenFlow match fields | switch, far higher than the others | 33.65 ms (4-layer fat-tree topology) | detects forged and tampered packets |
    | This paper | P4 switch, custom match fields | controller, 0.19 ms | 0.83 ms (3 OpenFlow forwarding devices and 1 P4 forwarding device) | detects forged and tampered packets |
  • References:
    [1] MCKEOWN N. Software-defined networking[J]. INFOCOM Keynote Talk, 2009, 17(2): 30–32.
    [2] PALIWAL M, SHRIMANKAR D, and TEMBHURNE O. Controllers in SDN: A review report[J]. IEEE Access, 2018, 6: 36256–36270. doi: 10.1109/ACCESS.2018.2846236
    [3] KARAKUS M and DURRESI A. Economic viability of Software Defined Networking (SDN)[J]. Computer Networks, 2018, 135: 81–95. doi: 10.1016/j.comnet.2018.02.015
    [4] GAO Shang, LI Zecheng, XIAO Bin, et al. Security threats in the data plane of software-defined networks[J]. IEEE Network, 2018, 32(4): 108–113. doi: 10.1109/MNET.2018.1700283
    [5] DARGAHI T, CAPONI A, AMBROSIN M, et al. A survey on the security of stateful SDN data planes[J]. IEEE Communications Surveys & Tutorials, 2017, 19(3): 1701–1725. doi: 10.1109/COMST.2017.2689819
    [6] RANA D S, DHONDIYAL S A, and CHAMOLI S K. Software Defined Networking (SDN) challenges, issues and solution[J]. International Journal of Computer Sciences and Engineering, 2019, 7(1): 884–889. doi: 10.26438/ijcse/v7i1.884889
    [7] SHAGHAGHI A, KAAFAR M A, BUYYA R, et al. Software-Defined Network (SDN) data plane security: Issues, solutions and future directions[EB/OL]. https://arxiv.org/pdf/1804.00262.pdf, 2018.
    [8] Open Networking Foundation. OpenFlow switch specification version 1.4.0[EB/OL]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.4.0.pdf, 2013.
    [9] WANG Shouyi, LI Qi, and ZHANG Yun. LPV: Lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019, 42(1): 176–189. doi: 10.11897/SP.J.1016.2019.00176 (in Chinese)
    [10] SHIN S and GU Guofei. CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?)[C]. The 20th IEEE International Conference on Network Protocols, Austin, USA, 2012: 1–6. doi: 10.1109/ICNP.2012.6459946
    [11] SASAKI T, PAPPAS C, LEE T, et al. SDNsec: Forwarding accountability for the SDN data plane[C]. The 25th IEEE International Conference on Computer Communication and Networks, Waikoloa, USA, 2016: 1–10. doi: 10.1109/ICCCN.2016.7568569
    [12] QIN Xi, TANG Guodong, CHANG Chaowen, et al. Packet forwarding authentication mechanism based on cipher identification in software-defined network[J]. Journal of Electronics & Information Technology, 2018, 40(9): 2042–2049. doi: 10.11999/JEIT171226 (in Chinese)
    [13] BOSSHART P, DALY D, GIBB G, et al. P4: Programming protocol-independent packet processors[J]. ACM SIGCOMM Computer Communication Review, 2014, 44(3): 87–95. doi: 10.1145/2656877.2656890
    [14] The P4 Language Consortium. The P4 language specification version 1.0.5[EB/OL]. https://p4lang.github.io/p4-spec/p4-14/v1.0.5/tex/p4.pdf, 2018.
    [15] PRAJAPATI A, SAKADASARIYA A, and PATEL J. Software defined network: Future of networking[C]. The 2nd IEEE International Conference on Inventive Systems and Control, Coimbatore, India, 2018: 1351–1354. doi: 10.1109/ICISC.2018.8399028
    [16] Defense Advanced Research Projects Agency. RFC 791: Internet protocol[EB/OL]. http://www.faqs.org/rfcs/rfc791.html, 1981.
    [17] Ryu Development Team. Ryu documentation release 4.30[EB/OL]. https://ryu.readthedocs.io/en/latest/library_packet.html, 2019.
    [18] CASADO M, FREEDMAN M J, PETTIT J, et al. Ethane: Taking control of the enterprise[C]. 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Kyoto, Japan, 2007: 1–12. doi: 10.1145/1282380.1282382
Publication history
  • Received: 2019-05-24
  • Revised: 2019-09-28
  • Published online: 2020-01-31
  • Issue date: 2020-06-04
