A Fast SDN Rule Conflict Detection Mechanism
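  • English title: A Fast SDN Rule Conflict Detection Mechanism
  • Authors: HAO Wei (郝巍); YI Peng (伊鹏); JIANG Yiming (江逸茗)
  • Keywords: Software Defined Network (SDN); flow entry; rule conflict; coding compression; conflict detection
  • Journal code: JSJC
  • Journal: Computer Engineering (计算机工程)
  • Institution: National Digital Switching System Engineering and Technological Research Center
  • Publication date: 2018-03-15 08:37
  • Publisher: Computer Engineering (计算机工程)
  • Year: 2019
  • Issue: v.45; No.497
  • Funding: National Natural Science Foundation of China (61521003, 61572519, 61502530); National High Technology Research and Development Program of China (2015AA016102); National Key Research and Development Program of China (2017YFB0803201); Scientific Research Program of the Science and Technology Commission of Shanghai Municipality (16DZ1120503); Henan Province Science and Technology Research Program (162102210034)
  • Language: Chinese
  • Page: JSJC201902023
  • Number of pages: 5
  • CN: 02
  • ISSN: 31-1289/TP
  • Classification number: 145-149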
Abstract
Because flow entries in the Software Defined Network (SDN) architecture lack awareness, an attacker can tamper with them, causing rule conflicts in the network. To address the excessively long detection time of existing rule conflict detection mechanisms, a fast rule conflict detection mechanism is proposed. By compressing the flow entries, the mechanism establishes a port-based rule topology and calculates end-to-end reachability from that topology, so that rule conflicts in the network can be detected quickly. Simulation results show that, with the same network topology and the same number of flow entries, the proposed mechanism reduces detection time by about 15% compared with the existing Netplumber detection mechanism.
