Security routing strategy based on switch hierarchies in software defined network (SDN中基于交换机等级划分的安全路由策略)
  • English title: Security routing strategy based on switch hierarchies in software defined network
  • Authors: Li Bingkui (李兵奎); Zhuang Lei (庄雷); Hu Ying (胡颖); Ma Ding (马丁); Wang Guoqing (王国卿)
  • Affiliations: School of Information Engineering, Zhengzhou University; College of Information Science & Engineering, Henan University of Technology
  • Keywords: software defined network; attack detection; security hierarchy; network awareness
  • Journal code: JSYJ
  • Journal: Application Research of Computers (计算机应用研究)
  • Publication date: 2016-05-09 14:32
  • Publisher: Application Research of Computers (计算机应用研究)
  • Year: 2017
  • Issue: v.34; No.304
  • Funding: National "973" Program of China (2012CB315901); National Natural Science Foundation of China (61379079); Henan Provincial Department of Science and Technology research project (122102210042)
  • Language: Chinese
  • Page: JSYJ201702046
  • Number of pages: 4
  • CN: 02
  • ISSN: 51-1196/TP
  • Classification number: 208-211
Abstract
Software defined networking separates the data plane from the control plane, but it also exposes the network to more attack methods than a traditional network. This paper studies the security of delivering new flow table entries during the period from the detection of an anomaly to the end of attack defense. It introduces a security-level classification mechanism for switches: according to the state a switch is in, each switch is assigned to one of three security levels, and attack detection is combined with route selection. Experimental results show that the security routing strategy based on switch level classification gives a software defined network a dynamically scalable capability when it faces attacks, which reduces the harm the attacks cause to the network.
