基于哈希链的软件定义网络路径安全

doi:10.11772/j.issn.1001-9081.2018091857

计算机应用 ›› 2019, Vol. 39 ›› Issue (5): 1368-1373.DOI: 10.11772/j.issn.1001-9081.2018091857

基于哈希链的软件定义网络路径安全

李兆斌, 刘泽一, 魏占祯, 韩禹

北京电子科技学院电子与通信工程系, 北京 100070

收稿日期:2018-09-06 修回日期:2018-11-06 出版日期:2019-05-10 发布日期:2019-05-14
通讯作者: 刘泽一
作者简介:李兆斌(1977-),男,内蒙古锡林郭勒人,副研究员,博士,主要研究方向:网络安全;刘泽一(1994-),男,河南平顶山人,硕士研究生,主要研究方向:软件定义网络;魏占祯(1971-),男,青海西宁人,教授,硕士,主要研究方向:网络信息安全;韩禹(1993-),男,河北任丘人,硕士研究生,主要研究方向:软件定义网络。
基金资助:
国家重点研发计划项目（2017YFB0802705，2017YFGX110123）。

Software defined network path security based on Hash chain

LI Zhaobin, LIU Zeyi, WEI Zhanzhen, HAN Yu

Department of Electronics and Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China

Received:2018-09-06 Revised:2018-11-06 Online:2019-05-10 Published:2019-05-14
Supported by:
This work is partially supported by the National Key Research and Development Program of China (2017YFB0802705, 2017YFGX110123).

摘要/Abstract

摘要： 针对软件定义网络中，控制器无法保证下发的网络策略能够在转发设备上得到正确执行的安全问题，提出一种新的转发路径监控安全方案。首先以控制器的全局视图能力为基础，设计了基于OpenFlow协议的路径凭据交互处理机制；然后采用哈希链和消息验证码作为生成和处理转发路径凭据信息的关键技术；最后在此基础上，对Ryu控制器和Open vSwitch开源交换机进行深度优化，添加相应处理流程，建立轻量级的路径安全机制。测试结果表明，该机制能够有效保证数据转发路径安全，吞吐量消耗比SDN数据层可信转发方案（SDNsec）降低20%以上，更适用于路径复杂的网络环境，但时延和CPU使用率的浮动超过15%，有待进一步优化。

关键词: 软件定义网络, 哈希链, 消息验证码, 路径校验, 数据完整性

Abstract: For the security problem that the SDN (Software Defined Network) controller can not guarantee the network strategy issued by itself to be correctly executed on the forwarding devices, a new forwarding path monitoring security solution was proposed. Firstly, based on the overall view capability of the controller, a path credential interaction processing mechanism based on OpenFlow was designed. Secondly, Hash chain and message authentication code were introduced as the key technologies for generating and processing the forwarding path credential information. Thirdly, on this basis, Ryu controller and Open vSwitch open-source switch were deeply optimized,with credential processing flow added, constructing a lightweight path security mechanism. The test results show that the proposed mechanism can effectively guarantee the security of data forwarding path, and its throughput consumption is reduced by more than 20% compared with SDNsec, which means it is more suitable for the network environment with complex routes, but its fluctuates of latency and CPU usage are more than 15%, which needs further optimization.

Key words: Software Defined Network (SDN), Hash chain, message authentication code, path validation, data integrity

中图分类号:

TP393.08

李兆斌, 刘泽一, 魏占祯, 韩禹. 基于哈希链的软件定义网络路径安全[J]. 计算机应用, 2019, 39(5): 1368-1373.

LI Zhaobin, LIU Zeyi, WEI Zhanzhen, HAN Yu. Software defined network path security based on Hash chain[J]. Journal of Computer Applications, 2019, 39(5): 1368-1373.

参考文献

[1] SASAKI T, PAPPAS C, LEE T, et al. SDNsec: forwarding accountability for the SDN data plane[C]// Proceedings of the 201625th International Conference on Computer Communication and Networks. Piscataway, NJ: IEEE, 2016:1-10.
[2] 王首一,李琦,张云.轻量级的软件定义网络数据包转发验证[J].计算机学报,2019,42(1):176-187. (WANG S Y, LI Q, ZHANG Y. LPV: lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019, 42(1): 176-187.)
[3] PORRAS P, SHIN S, YEGNESWARAN V, et al. A security enforcement kernel for OpenFlow networks[C]// Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks. New York: ACM, 2012:121-126.
[4] SON S, SHIN S, YEGNESWARAN V, et al. Model checking invariant security properties in OpenFlow[C]// Proceedings of the 2013 IEEE International Conference on Communications. Piscataway, NJ: IEEE, 2013:1974-1979.
[5] LI G, GUO S, YANG Y, et al. Traffic load minimization in software defined wireless sensor networks[J]. IEEE Internet of Things Journal, 2018, 5(3): 1370-1378.
[6] QIU X, ZHANG K, REN Q. Global flow table: a convincing mechanism for security operations in SDN[J]. Computer Networks, 2017, 120: 56-70.
[7] XU T, GAO D, DONG P, et al. Defending against New-flow attack in SDN-based Internet of things[J]. IEEE Access, 2017, 5:3431-3443.
[8] 王蒙蒙,刘建伟,陈杰,等.软件定义网络:安全模型、机制及研究进展[J].软件学报,2016,27(4):969-992.(WANG M M, LIU J W, CHEN J, et al. Software defined networking: security model, threats and mechanism[J]. Journal of Software, 2016,27(4):969-992.)
[9] 王涛,陈鸿昶,程国振. 软件定义网络及安全防御技术研究[J]. 通信学报,2017,38(11):133-160.(WANG T, CHEN H C, CHENG G Z. Research on software-defined network and the security defense technology[J]. Journal on Communications, 2017, 38(11): 133-160.)
[10] 柳林,周建涛.软件定义网络控制平面的研究综述[J].计算机科学,2017,44(2):75-81.(LIU L, ZHOU J T. Review for research of control plane in software-defined network[J]. Computer Science, 2017,44(2):75-81.)
[11] AL-SHAER E, AL-HAJ S. FlowChecker: configuration analysis and verification of federated OpenFlow infrastructures[C]// Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. New York: ACM, 2010:37-44.
[12] FERGUSON A D, GUHA A, LIANG C, et al. Participatory networking: an API for application control of SDNs[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(4):327-338.
[13] CHEUNG S, FONG M, PORRAS P, et al. Securing the software-defined network control layer[EB/OL].[2018-06-20]. http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/10_3_2.pdf.
[14] DHAWAN M, PODDAR R, MAHAJAN K, et al. SPHINX: detecting security attacks in software-defined networks[EB/OL].[2018-06-20]. https://pdfs.semanticscholar.org/4f35/8dbee87adc305b3e983e5ff6dff1074d3cf6.pdf.
[15] WANG Y, JUN B I, ZHANG K. A tool for tracing network data plane via SDN/OpenFlow[J]. Science China(Information Sciences), 2017, 60(2):022304.
[16] WANG M, LIU J, MAO J, et al. RouteGuardian: constructing secure routing paths in software-defined networking[J]. Tsinghua Science and Technology, 2017, 22(4):400-412.
[17] WANG T, CHEN H. SGuard: a lightweight SDN safe-guard architecture for DoS attacks[J]. China Communications, 2017, 14(6): 113-125.
[18] AGARWAL K, DIXON C, DIXON C, et al. SDN traceroute: tracing SDN forwarding without changing network behavior[C]// Proceedings of the 3rd Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2014: 145-150.
[19] HEER T, MORCHON O G, WEHRLE K. ALPHA: an adaptive and lightweight protocol for hop-by-hop authentication[C]// Proceedings of the 2008 ACM CoNEXT Conference. New York: ACM, 2008: Article No. 23.
[20] BOUABANA-TEBIBEL T. Hash chains at the basis of a secure reactive routing protocol[C]// Proceedings of the 3rd International Conference on Trusted Systems. Berlin: Springer-Verlag, 2011:258-270.
[21] KIM H J, BASESCU C, JIA L, et al. Lightweight source authentication and path validation[J].ACM SIGCOMM Computer Communication Review, 2014, 44(4): 271-282.
[22] 王月,吕光宏,曹勇.软件定义网络安全研究[J].计算机技术与发展,2018,28(4):128-132.(WANG Y, LYU G H, CAO Y. Research on software defining network security[J]. Computer Technology and Development, 2018,28(4):128-132.)
[23] 翁丽萍. 基于单向哈希链的Ad Hoc网络认证和密钥管理研究[D]. 长沙:中南大学,2010:20-24.(WENG L P. Research on authentication and key management of Ad Hoc network based on one-way Hash chain[D]. Changsha: Central South University, 2010:20-24.)
[24] LIU Y, KUANG Y, XIAO Y, et al. SDN-based data transfer security for Internet of things[J]. IEEE Internet of Things Journal, 2018, 5(1): 257-268.
[25] 李兆斌,李伟隆,魏占祯,等.SDN数据安全处理机制关键模块的研究与实现[J].计算机应用,2018,38(7):1929-1935.(LI Z B, LI W L, WEI Z Z, et al.Research and implementation of key module of SDN data security processing mechanism[J].Journal of Computer Applications,2018,38(7):1929-1935.)

基于哈希链的软件定义网络路径安全

Software defined network path security based on Hash chain

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	卿欣艺, 陈玉玲, 周正强, 涂园超, 李涛. 基于中国剩余定理的区块链存储扩展模型[J]. 计算机应用, 2021, 41(7): 1977-1982.
[2]	许红亮, 杨桂芹, 蒋占军. 基于软件定义网络的数据中心自适应多路径负载均衡算法[J]. 计算机应用, 2021, 41(4): 1160-1164.
[3]	李秀艳, 刘明曦, 史闻博, 董国芳. 面向资源受限用户的高效动态数据审计方案[J]. 计算机应用, 2021, 41(2): 422-432.
[4]	陈港, 孟相如, 康巧燕, 阳勇. 基于拓扑分割与聚类分析的虚拟软件定义网络映射算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3309-3318.
[5]	朱梦迪, 束永安. 软件定义网络中控制数据平面一致性的验证[J]. 计算机应用, 2020, 40(6): 1751-1754.
[6]	赵季红, 吴豆豆, 曲桦, 殷振宇. 基于软件定义网络的可靠性虚拟网络映射保障机制[J]. 计算机应用, 2020, 40(3): 770-776.
[7]	向雄, 田检. 基于软件定义网络的对等网传输调度优化[J]. 计算机应用, 2020, 40(3): 777-782.
[8]	池亚平, 莫崇维, 杨垠坦, 陈纯霞. 面向软件定义网络架构的入侵检测模型设计与实现[J]. 计算机应用, 2020, 40(1): 116-122.
[9]	贾梦瑶, 王兴伟, 张爽, 易波, 黄敏. 基于软件定义网络的卫星网络容错路由机制[J]. 计算机应用, 2019, 39(6): 1772-1779.
[10]	邹承明, 刘攀文, 唐星. 动态主机配置协议泛洪攻击在软件定义网络中的实时防御[J]. 计算机应用, 2019, 39(4): 1066-1072.
[11]	白平, 张薇, 王绪安. 云环境下基于运算电路的同态认证方案[J]. 计算机应用, 2018, 38(9): 2543-2548.
[12]	范宏伟, 胡宇翔, 兰巨龙. 两段式虚拟网络功能硬件加速资源部署机制[J]. 计算机应用, 2018, 38(9): 2575-2580.
[13]	朱晓东, 王劲林, 王玲芳. 软件定义网络中协同存储数据面快速转发[J]. 计算机应用, 2018, 38(8): 2343-2347.
[14]	李兆斌, 李伟隆, 魏占祯, 刘梦甜. SDN数据安全处理机制关键模块的研究与实现[J]. 计算机应用, 2018, 38(7): 1929-1935.
[15]	白平, 张薇, 李聪, 王绪安. 支持用户撤销的可验证密文检索方案[J]. 计算机应用, 2018, 38(6): 1640-1643.