Journal of Computer Applications ›› 2015, Vol. 35 ›› Issue (11): 3270-3274. DOI: 10.11772/j.issn.1001-9081.2015.11.3270

• Network and communications •

Automatic implementation scheme of implementing access control rules in OpenFlow network

LIU Yi1,2, ZHANG Hongqi1,2, DAI Xiangdong1,2, LEI Cheng1,2

  1. Information Engineering University, Zhengzhou Henan 450001, China;
  2. Henan Key Laboratory of Information Security, Zhengzhou Henan 450001, China
  • Received: 2015-05-29 Revised: 2015-07-02 Published: 2015-11-13
  • Corresponding author: LIU Yi (born 1991), female, from Chongyi, Jiangxi, master's student; main research interests: information security, software-defined networking security.
  • About the authors: ZHANG Hongqi (born 1962), male, from Tangshan, Hebei, professor, doctoral supervisor, Ph.D.; main research interests: network security, classified protection. DAI Xiangdong (born 1977), male, from Renshou, Sichuan, lecturer, M.S.; main research interest: security policy management. LEI Cheng (born 1989), male, from Haidian, Beijing, master's student; main research interests: network and information security.
  • Supported by:
    National 863 Program of China (2012AA012704); Zhengzhou Science and Technology Leading Talent Project (131PLJRC644).

Abstract: OpenFlow networks often fail to satisfy access control policy in real time because their data plane changes frequently. To address this, an automatic implementation scheme for access control rules in OpenFlow networks is proposed. First, the reachable space is obtained from forwarding paths built in real time, and conflicts among access control rules are eliminated by a dynamic rule set synthesis algorithm. Then, a rule space division algorithm compares the denied space of the synthesized access control rules with the reachable space to detect illegal forwarding paths that directly or indirectly violate the access control rules. On this basis, automatic violation resolution methods are applied flexibly according to the network update event and the violation detection result. There are four such methods: rejecting the rule update, removing the rule sequence, deploying rules near the source based on Linear Programming (LP), and deploying rules terminally. Finally, the form of the access control rules is converted. Theoretical analysis and simulation results show that the scheme is applicable when multiple security applications run on the controller and switch memory is limited, and that LP-based deployment of rules near the source can reduce unwanted traffic in the network.

Key words: forwarding path, Linear Programming (LP), network data plane, access control rule, OpenFlow network
