A Software-Defined Networking Packet Forwarding Verification Mechanism Based on Programmable Data Plane
doi: 10.11999/JEIT190381
Information Engineering University, Zhengzhou 450001, China
Abstract:
In Software-Defined Networking (SDN) the OpenFlow protocol offers only a fixed and limited set of match fields, and data-flow forwarding lacks an effective forwarding verification mechanism. To address these problems, this paper proposes an SDN packet forwarding verification mechanism based on a programmable data plane. A custom cipher identifier is added to each data packet, and a P4 forwarding device is introduced into the OpenFlow-based SDN, so that network service flows can be precisely controlled and sampled without affecting the normal forwarding of the data flow. The controller verifies the integrity of the sampled service packets and, for abnormal packets, issues flow rules to the OpenFlow forwarding devices, so that anomalous data flows such as maliciously tampered or forged traffic are controlled at forwarding time. Finally, a forwarding verification prototype is built from a P4 forwarding device based on the open-source BMv2 and OpenFlow forwarding devices based on Open vSwitch, and experiments are run on a simulated network. The experimental results show that the mechanism effectively detects forwarding anomalies such as packet tampering and forgery; compared with similar verification mechanisms, and at the same security verification processing overhead, it achieves finer-grained precise control and sampling of service flows and lower forwarding delay.

Keywords:
- Software-Defined Networking
- forwarding verification
- programmable data plane
- P4 forwarding device
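The loop the abstract describes (tag at a trusted point, sample on the P4 device, verify at the controller, push rules to the OpenFlow switches) is modelled below as an added example; it is not code from the paper or its BMv2/Open vSwitch prototype. Everything about the construction is an assumption, since the abstract does not specify it: the cipher identifier is taken to be a truncated HMAC-SHA256 over the header fields and payload that must not change in transit, the P4 device samples 1-in-N packets of flows the controller marked for watching, and the controller responds to an anomaly with a drop rule keyed on (src, dst, proto). Packets, addresses and the key are constructed sample data.

```python
"""Toy model of the forwarding-verification loop in the abstract (added example,
not the paper's code). All constructions below are assumptions, see the lead-in."""
import hashlib
import hmac
from dataclasses import dataclass, replace

DEMO_KEY = b"constructed-demo-key"  # constructed sample key shared by tagger and controller
TAG_LEN = 8                          # assumed length of the custom cipher-identifier header


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes
    tag: bytes = b""  # custom cipher-identifier header; empty means absent


def compute_tag(key: bytes, pkt: Packet) -> bytes:
    """Assumed identifier: truncated HMAC over fields that must not change in transit."""
    msg = f"{pkt.src}|{pkt.dst}|{pkt.proto}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def tag_packet(key: bytes, pkt: Packet) -> Packet:
    """Tagging point at the trusted network edge (assumed location)."""
    return replace(pkt, tag=compute_tag(key, pkt))


class P4Sampler:
    """Models the P4 forwarding device: every packet is forwarded unchanged, and
    1-in-N packets of watched flows are additionally copied to the controller."""

    def __init__(self, watched_dsts, every_n: int = 1):
        self.watched = set(watched_dsts)
        self.every_n = every_n
        self.seen = {}
        self.forwarded = []
        self.sampled = []

    def process(self, pkt: Packet) -> None:
        self.forwarded.append(pkt)  # normal forwarding is never held up by sampling
        if pkt.dst not in self.watched:
            return
        n = self.seen.get(pkt.dst, 0) + 1
        self.seen[pkt.dst] = n
        if n % self.every_n == 0:
            self.sampled.append(pkt)


class Controller:
    """Verifies sampled packets and issues OpenFlow-style drop rules for anomalous flows."""

    def __init__(self, key: bytes):
        self.key = key
        self.rules = []

    def verify(self, pkt: Packet) -> str:
        if not pkt.tag:
            return "missing_tag"  # identifier absent: forged or stripped in transit
        if hmac.compare_digest(compute_tag(self.key, pkt), pkt.tag):
            return "ok"
        return "bad_tag"  # header fields or payload altered after tagging

    def handle_samples(self, samples) -> list:
        verdicts = []
        for pkt in samples:
            verdict = self.verify(pkt)
            verdicts.append(verdict)
            if verdict != "ok":
                rule = {"match": (pkt.src, pkt.dst, pkt.proto), "action": "drop"}
                if rule not in self.rules:  # one rule per anomalous flow
                    self.rules.append(rule)
        return verdicts


def run_demo() -> dict:
    """Constructed traffic: one legitimate, one tampered, one forged, one unwatched packet."""
    ctrl = Controller(DEMO_KEY)
    p4 = P4Sampler(watched_dsts={"10.0.0.2"}, every_n=1)
    legit = tag_packet(DEMO_KEY, Packet("10.0.0.1", "10.0.0.2", 6, b"GET /index"))
    tampered = replace(legit, payload=b"GET /admin")          # payload changed, stale tag
    forged = Packet("10.0.0.9", "10.0.0.2", 6, b"GET /index")  # injected without identifier
    unwatched = tag_packet(DEMO_KEY, Packet("10.0.0.1", "10.0.0.5", 17, b"dns"))
    for pkt in (legit, tampered, forged, unwatched):
        p4.process(pkt)
    verdicts = ctrl.handle_samples(p4.sampled)
    return {"forwarded": len(p4.forwarded), "sampled": len(p4.sampled),
            "verdicts": verdicts, "rules": ctrl.rules}


if __name__ == "__main__":
    print(run_demo())
```

The model keeps the two properties the abstract emphasises: the P4 device forwards every packet regardless of the verification outcome, and only flows the controller chose to watch are sampled, so the verification cost is paid on a controlled subset of traffic. A packet whose payload changes after tagging fails the MAC check, and a packet injected without the identifier is caught by its absence; in both cases the controller installs a drop rule for that flow rather than touching forwarding on the P4 path.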
Table 1 Comparison of the characteristics of different mechanisms

| Mechanism | Sampling device and granularity | Verification device and verification overhead | Forwarding delay | Function realized |
|---|---|---|---|---|
| Mechanism 1 (Ref. [9]) | Any OpenFlow switch; OpenFlow match fields | Controller; 0.15 ms | 33.17 ms (3-layer tree topology) | Locates and detects forged and tampered packets |
| Mechanism 2 (Ref. [12]) | Any OpenFlow switch; OpenFlow match fields | Switch; far higher than the others | 33.65 ms (4-layer fat-tree topology) | Detects forged and tampered packets |
| This paper's mechanism | P4 switch; custom match fields | Controller; 0.19 ms | 0.83 ms (3 OpenFlow forwarding devices and 1 P4 forwarding device) | Detects forged and tampered packets |
References:
[1] MCKEOWN N. Software-defined networking[J]. INFOCOM Keynote Talk, 2009, 17(2): 30–32.
[2] PALIWAL M, SHRIMANKAR D, TEMBHURNE O. Controllers in SDN: A review report[J]. IEEE Access, 2018, 6: 36256–36270. doi: 10.1109/ACCESS.2018.2846236
[3] KARAKUS M, DURRESI A. Economic viability of Software Defined Networking (SDN)[J]. Computer Networks, 2018, 135: 81–95. doi: 10.1016/j.comnet.2018.02.015
[4] GAO Shang, LI Zecheng, XIAO Bin, et al. Security threats in the data plane of software-defined networks[J]. IEEE Network, 2018, 32(4): 108–113. doi: 10.1109/MNET.2018.1700283
[5] DARGAHI T, CAPONI A, AMBROSIN M, et al. A survey on the security of stateful SDN data planes[J]. IEEE Communications Surveys & Tutorials, 2017, 19(3): 1701–1725. doi: 10.1109/COMST.2017.2689819
[6] RANA D S, DHONDIYAL S A, CHAMOLI S K. Software Defined Networking (SDN) challenges, issues and solution[J]. International Journal of Computer Sciences and Engineering, 2019, 7(1): 884–889. doi: 10.26438/ijcse/v7i1.884889
[7] SHAGHAGHI A, KAAFAR M A, BUYYA R, et al. Software-Defined Network (SDN) data plane security: Issues, solutions and future directions[EB/OL]. https://arxiv.org/pdf/1804.00262.pdf, 2018.
[8] Open Networking Foundation. OpenFlow switch specification version 1.4.0[EB/OL]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.4.0.pdf, 2013.
[9] WANG Shouyi, LI Qi, ZHANG Yun. LPV: Lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019, 42(1): 176–189. doi: 10.11897/SP.J.1016.2019.00176
[10] SHIN S, GU Guofei. CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?)[C]. The 20th IEEE International Conference on Network Protocols, Austin, USA, 2012: 1–6. doi: 10.1109/ICNP.2012.6459946
[11] SASAKI T, PAPPAS C, LEE T, et al. SDNsec: Forwarding accountability for the SDN data plane[C]. The 25th IEEE International Conference on Computer Communication and Networks, Waikoloa, USA, 2016: 1–10. doi: 10.1109/ICCCN.2016.7568569
[12] QIN Xi, TANG Guodong, CHANG Chaowen, et al. Packet forwarding authentication mechanism based on cipher identification in software-defined network[J]. Journal of Electronics & Information Technology, 2018, 40(9): 2042–2049. doi: 10.11999/JEIT171226
[13] BOSSHART P, DALY D, GIBB G, et al. P4: Programming protocol-independent packet processors[J]. ACM SIGCOMM Computer Communication Review, 2014, 44(3): 87–95. doi: 10.1145/2656877.2656890
[14] The P4 Language Consortium. The P4 language specification version 1.0.5[EB/OL]. https://p4lang.github.io/p4-spec/p4-14/v1.0.5/tex/p4.pdf, 2018.
[15] PRAJAPATI A, SAKADASARIYA A, PATEL J. Software defined network: Future of networking[C]. The 2nd IEEE International Conference on Inventive Systems and Control, Coimbatore, India, 2018: 1351–1354. doi: 10.1109/ICISC.2018.8399028
[16] Defense Advanced Research Projects Agency. RFC 791: Internet protocol[EB/OL]. http://www.faqs.org/rfcs/rfc791.html, 1981.
[17] Ryu Development Team. Ryu documentation release 4.30[EB/OL]. https://ryu.readthedocs.io/en/latest/library_packet.html, 2019.
[18] CASADO M, FREEDMAN M J, PETTIT J, et al. Ethane: Taking control of the enterprise[C]. 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Kyoto, Japan, 2007: 1–12. doi: 10.1145/1282380.1282382