一種基于數(shù)據(jù)平面可編程的軟件定義網(wǎng)絡(luò)報文轉(zhuǎn)發(fā)驗(yàn)證機(jī)制

左志斌; 常朝穩(wěn); 祝現(xiàn)威

doi:10.11999/JEIT190381

一種基于數(shù)據(jù)平面可編程的軟件定義網(wǎng)絡(luò)報文轉(zhuǎn)發(fā)驗(yàn)證機(jī)制

doi: 10.11999/JEIT190381

信息工程大學(xué) 鄭州 450001

基金項(xiàng)目: 國家自然科學(xué)基金(61572517)

詳細(xì)信息

作者簡介:
左志斌：男，1979年生，博士生，研究方向?yàn)镾DN、網(wǎng)絡(luò)安全

常朝穩(wěn)：男，1965年生，教授，博士生導(dǎo)師，研究方向?yàn)榫W(wǎng)絡(luò)安全、態(tài)勢感知

?，F(xiàn)威：男，1991年生，博士生，研究方向?yàn)镾DN、信息安全

通訊作者:
常朝穩(wěn)　changchaowen5@163.com

中圖分類號: TP393
計(jì)量
- 文章訪問數(shù): 2377
- HTML全文瀏覽量: 1050
- PDF下載量: 138
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2019-05-24
- 修回日期: 2019-09-28
- 網(wǎng)絡(luò)出版日期: 2020-01-31
- 刊出日期: 2020-06-04

A Software-Defined Networking Packet Forwarding Verification Mechanism Based on Programmable Data Plane

Information Engineering University, Zhengzhou 450001, China

Funds: The National Natural Science Foundation of China (61572517)

摘要

摘要:
針對軟件定義網(wǎng)絡(luò)(SDN)中OpenFlow協(xié)議匹配字段固定且數(shù)量有限，數(shù)據(jù)流轉(zhuǎn)發(fā)缺少有效的轉(zhuǎn)發(fā)驗(yàn)證機(jī)制等問題，該文提出一種基于數(shù)據(jù)平面可編程的軟件定義網(wǎng)絡(luò)報文轉(zhuǎn)發(fā)驗(yàn)證機(jī)制。通過為數(shù)據(jù)報文添加自定義密碼標(biāo)識，將P4轉(zhuǎn)發(fā)設(shè)備加入基于OpenFlow的軟件定義網(wǎng)絡(luò)，在不影響數(shù)據(jù)流正常轉(zhuǎn)發(fā)的基礎(chǔ)上，對網(wǎng)絡(luò)業(yè)務(wù)流精確控制和采樣?？刂破黩?yàn)證采樣業(yè)務(wù)報文完整性，并針對異常報文下發(fā)流規(guī)則至OpenFlow轉(zhuǎn)發(fā)設(shè)備，對惡意篡改、偽造等異常數(shù)據(jù)流進(jìn)行轉(zhuǎn)發(fā)控制。最后，構(gòu)建基于開源BMv2的P4轉(zhuǎn)發(fā)設(shè)備和基于OpenFlow的Open vSwitch轉(zhuǎn)發(fā)設(shè)備的轉(zhuǎn)發(fā)驗(yàn)證原型，并構(gòu)建仿真網(wǎng)絡(luò)進(jìn)行實(shí)驗(yàn)。實(shí)驗(yàn)結(jié)果表明，該機(jī)制能夠有效檢測業(yè)務(wù)報文篡改、偽造等轉(zhuǎn)發(fā)異常行為，與同類驗(yàn)證機(jī)制相比，在安全驗(yàn)證處理開銷保持不變的情況下，能夠?qū)崿F(xiàn)更細(xì)粒度的業(yè)務(wù)流精確控制采樣和更低的轉(zhuǎn)發(fā)時延。
- 軟件定義網(wǎng)絡(luò) /
- 轉(zhuǎn)發(fā)驗(yàn)證 /
- 數(shù)據(jù)平面可編程 /
- P4轉(zhuǎn)發(fā)設(shè)備
Abstract:
For the fixed and limited number of OpenFlow protocol matching fields, and the lack of effective forwarding verification mechanism for data packet forwarding in the Software-Defined Networking (SDN), a SDN packet forwarding verification mechanism based on programmable data plane is proposed. By adding a cipher identification to the data packet, the P4 forwarding device joins the OpenFlow-based SDN network to control accurately and sample network traffic flow without affecting the normal forwarding of the data flow. The controller verifies the integrity of the sampled packet, and sends flow rules to the OpenFlow forwarding device to control the abnormal data flow such as malicious tampering and forgery. Finally, the forwarding verification prototype and simulation network based on P4 forwarding device and Open vSwitch forwarding device are constructed and tested. The experimental results show that the mechanism can effectively detect the forwarding abnormal behaviors such as packet tampering and forgery. Compared with similar verification mechanisms, in the case of the same security verification processing overhead, it can achieve more fine-grained flow precise control sampling and lower forwarding delay.
- Software-Defined Networking (SDN) /
- Forwarding verification /
- Programmable data plane /
- P4 forwarding device

HTML全文

圖 1 體系結(jié)構(gòu)

下載: 全尺寸圖片幻燈片

圖 2 密碼標(biāo)識結(jié)構(gòu)圖

下載: 全尺寸圖片幻燈片

圖 3 轉(zhuǎn)發(fā)驗(yàn)證過程

下載: 全尺寸圖片幻燈片

圖 4 控制程序流程圖

下載: 全尺寸圖片幻燈片

圖 5 轉(zhuǎn)發(fā)處理模塊處理過程

下載: 全尺寸圖片幻燈片

圖 6 實(shí)驗(yàn)拓?fù)鋱D

下載: 全尺寸圖片幻燈片

圖 7 轉(zhuǎn)發(fā)延遲CDF

下載: 全尺寸圖片幻燈片

圖 8 檢測漏報率

下載: 全尺寸圖片幻燈片

圖 9 控制器處理時間

下載: 全尺寸圖片幻燈片

表 1 不同機(jī)制特點(diǎn)比較

機(jī)制	采樣設(shè)備及粒度	驗(yàn)證設(shè)備及驗(yàn)證開銷	轉(zhuǎn)發(fā)時延	實(shí)現(xiàn)功能
機(jī)制1(文獻(xiàn)[9])	任意OpenFlow交換機(jī)，OpenFlow匹配字段	控制器，0.15 ms	33.17 ms(3層樹形結(jié)構(gòu))	定位并檢測偽造、篡改報文
機(jī)制2(文獻(xiàn)[12])	任意OpenFlow交換機(jī)，OpenFlow匹配字段	交換機(jī)，遠(yuǎn)大于其它	33.65 ms(4層Fattree結(jié)構(gòu))	檢測偽造、篡改報文
本文機(jī)制	P4交換機(jī)，自定義匹配字段	控制器，0.19 ms	0.83 ms(3臺OpenFlow轉(zhuǎn)發(fā)設(shè)備和1臺P4轉(zhuǎn)發(fā)設(shè)備)	檢測偽造、篡改報文

下載: 導(dǎo)出CSV

參考文獻(xiàn)(18)

MCKEOWN N. Software-defined networking[J]. INFOCOM Keynote Talk, 2009, 17(2): 30–32.

PALIWAL M, SHRIMANKAR D, and TEMBHURNE O. Controllers in SDN: A review report[J]. IEEE Access, 2018, 6: 36256–36270. doi: 10.1109/ACCESS.2018.2846236

KARAKUS M and DURRESI A. Economic viability of Software Defined Networking (SDN)[J]. Computer Networks, 2018, 135: 81–95. doi: 10.1016/j.comnet.2018.02.015

GAO Shang, LI Zecheng, XIAO Bin, et al. Security threats in the data plane of software-defined networks[J]. IEEE Network, 2018, 32(4): 108–113. doi: 10.1109/MNET.2018.1700283

DARGAHI T, CAPONI A, AMBROSIN M, et al. A survey on the security of stateful SDN data planes[J]. IEEE Communications Surveys & Tutorials, 2017, 19(3): 1701–1725. doi: 10.1109/COMST.2017.2689819

RANA D S, DHONDIYAL S A, and CHAMOLI S K. Software Defined Networking (SDN) challenges, issues and solution[J]. International Journal of Computer Sciences and Engineering, 2019, 7(1): 884–889. doi: 10.26438/ijcse/v7i1.884889

SHAGHAGHI A, KAAFAR M A, BUYYA R, et al. Software-Defined Network (SDN) data plane security: Issues, solutions and future directions[EB/OL]. https://arxiv.org/pdf/1804.00262.pdf, 2018.

OPEN Networking Foundation. OpenFlow switch specification version 1.4.0[EB/OL]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.4.0.pdf, 2013.

王首一, 李琦, 張?jiān)? 輕量級的軟件定義網(wǎng)絡(luò)數(shù)據(jù)包轉(zhuǎn)發(fā)驗(yàn)證[J]. 計(jì)算機(jī)學(xué)報, 2019, 42(1): 176–189. doi: 10.11897/SP.J.1016.2019.00176

WANG Shouyi, LI Qi, and ZHANG Yun. LPV: Lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019, 42(1): 176–189. doi: 10.11897/SP.J.1016.2019.00176

SHIN S and GU Guofei. CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?)[C]. The 20th IEEE International Conference on Network Protocols, Austin, USA, 2012: 1–6. doi: 10.1109/ICNP.2012.6459946.

SASAKI T, PAPPAS C, LEE T, et al. SDNsec: Forwarding accountability for the SDN data plane[C]. The 25th IEEE International Conference on Computer Communication and Networks, Waikoloa, USA, 2016: 1–10. doi: 10.1109/ICCCN.2016.7568569.

秦晰, 唐國棟, 常朝穩(wěn), 等. 軟件定義網(wǎng)絡(luò)中基于密碼標(biāo)識的報文轉(zhuǎn)發(fā)驗(yàn)證機(jī)制[J]. 電子與信息學(xué)報, 2018, 40(9): 2042–2049. doi: 10.11999/JEIT171226

QIN Xi, TANG Guodong, CHANG Chaowen, et al. Packet forwarding authentication mechanism based on cipher identification in software-defined network[J]. Journal of Electronics &Information Technology, 2018, 40(9): 2042–2049. doi: 10.11999/JEIT171226

BOSSHART P, DALY D, GIBB G, et al. P4: Programming protocol-independent packet processors[J]. ACM SIGCOMM Computer Communication Review, 2014, 44(3): 87–95. doi: 10.1145/2656877.2656890

The P4 Language Consortium. The P4 language specification version 1.0.5[EB/OL]. https://p4lang.github.io/p4-spec/p4-14/v1.0.5/tex/p4.pdf, 2018.

PRAJAPATI A, SAKADASARIYA A, and PATEL J. Software defined network: Future of networking[C]. The 2nd IEEE International Conference on Inventive Systems and Control, Coimbatore, India, 2018: 1351-1354. doi: 10.1109/ICISC.2018.8399028.

Defense Advanced Research Projects Agency. RFC 791: Internet protocol[EB/OL]. http://www.faqs.org/rfcs/rfc791.html, 1981.

Ryu Development Team. Ryu documentation release 4.30[EB/OL]. https://ryu.readthedocs.io/en/latest/library_packet.html, 2019.

CASADO M, FREEDMAN M J, PETTIT J, et al. Ethane: Taking control of the enterprise[C]. 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Kyoto, Japan, 2007: 1–12. doi: 10.1145/1282380.1282382.

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計(jì)