Volume 40 Issue 9
Aug.  2018
Xi QIN, Guodong TANG, Chaowen CHANG, Ruiyun WANG. Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network[J]. Journal of Electronics & Information Technology, 2018, 40(9): 2042-2049. doi: 10.11999/JEIT171226

Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network

doi: 10.11999/JEIT171226
Funds:  The National Natural Science Foundation of China (61572517)
  • Received Date: 2017-12-26
  • Rev Recd Date: 2018-06-01
  • Available Online: 2018-07-12
  • Publish Date: 2018-09-01
  • To address the lack of a secure and efficient data source authentication mechanism in Software-Defined Networks (SDN), a packet forwarding authentication mechanism based on cipher identification is proposed. First, a packet forwarding authentication model based on cipher identification is established, in which the cipher identification serves as a passport for IP packets entering and leaving the network. Second, an SDN batch anonymous authentication protocol is designed to delegate the authentication function of the SDN controller to the SDN switch. The SDN switch performs user authentication and cipher identification verification and quickly filters forged, falsified, and other illegal packets, improving the efficiency of unified authentication and management by the SDN controller while providing the conditions for user privacy protection. Third, a scheme for sampling and verifying packets based on cipher identification at any node is proposed, in which an attacker cannot bypass packet detection by inferring the sample, ensuring packet authenticity while reducing processing delay. Finally, security analysis and performance evaluation are conducted. The results show that the mechanism can quickly detect packet falsification and tampering and resist ID analysis attacks, while introducing about 9.6% forwarding delay and less than 10% communication overhead.