面向软件定义网络的入侵容忍控制器架构及实现

doi:10.11772/j.issn.1001-9081.2015.12.3429

计算机应用 ›› 2015, Vol. 35 ›› Issue (12): 3429-3436.DOI: 10.11772/j.issn.1001-9081.2015.12.3429

面向软件定义网络的入侵容忍控制器架构及实现

黄亮^1,2, 姜帆^1,2, 荀浩^1,2, 马多贺^1,2, 王利明^1,2

1. 中国科学院信息工程研究所, 北京 100093;
2. 信息安全国家重点实验室, 北京 100093

收稿日期:2015-05-25 修回日期:2015-07-26 出版日期:2015-12-10 发布日期:2015-12-10
通讯作者: 姜帆(1991-),女,湖南长沙人,硕士研究生,主要研究方向:网络安全
作者简介:黄亮(1982-),男,河北隆化人,助理研究员,硕士,主要研究方向:网络安全、软件定义网络;荀浩(1990-),男,山西霍州人,助理工程师,CCF会员,主要研究方向:网络安全、软件定义网络;马多贺(1982-),男,安徽六安人,助理研究员,博士,CCF会员,主要研究方向:网络与系统安全;王利明(1978-),男,内蒙古赤峰人,副研究员,博士,CCF会员,主要研究方向:下一代互联网、可信网络。
基金资助:
中国科学院信息工程研究所所内创新项目(Y4Z0034102)。

Software-defined networking-oriented intrusion tolerance controller architecture and its implementation

HUANG Liang^1,2, JIANG Fan^1,2, XUN Hao^1,2, MA Duohe^1,2, WANG Liming^1,2

1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
2. State Key Laboratory of Information Security, Beijing 100093, China

Received:2015-05-25 Revised:2015-07-26 Online:2015-12-10 Published:2015-12-10

摘要/Abstract

摘要： 针对软件定义网络(SDN)这一集中式网络控制环境中控制平面存在单点失效问题,提出一种基于入侵容忍思想的控制器架构,通过冗余、多样的中央控制器平台来提高网络可用性与可靠性。该架构利用一种控制器消息的比对方法来检测被入侵的控制器。首先,规定了需比对的关键消息类型和字段;其次,运用一致性裁决算法对不同控制器消息进行比对;最后,将消息异常的控制器进行网络隔离并重启恢复。基于Mininet的入侵容忍可靠性测试表明,该入侵容忍控制器架构可检测并过滤异常控制器消息。基于Mininet的控制器响应延迟测试表明,当容忍度设置为1和3时,下层网络请求延时分别增加16%和42%。基于Cbench的控制器响应延迟和吞吐量测试表明,该入侵容忍控制器性能处在各个子控制器(Ryu,Floodlight)性能水平之间,且向性能高的子控制器趋近。在实际应用中,可根据应用场景的安全级别配置子控制器的数量和类型,以满足对响应速度和入侵容忍度的要求。

关键词: 软件定义网络, 入侵容忍, 控制器, 一致性检测, 消息比对

Abstract: In the centralized network control environment of Software-Defined Network (SDN), the problem of a single point of failure exists in the controlling plane. In order to solve the problem, a kind of controller architecture was proposed based on intrusion tolerance ideology to improve the availability and reliability of network by using the redundant and diverse central controller platform. In the proposed architecture, the intruded controllers were detected by comparing their messages. Firstly, the key message types and fields needing to be compared were defined. Then, different controller messages were compared using a consistency judgement algorithm. Finally, the controllers with abnormal messages would be isolated and restored. The Mininet-based intrusion tolerance reliability test demonstrated that the controller architecture based on intrusion tolerance could detect and filter the abnormal controller messages. The Mininet-based response-delay test showed that the requirement-delay of underlying network increased by 16% and 42% while the tolerance degree was 1 and 3 respectively. In addition, the Cbench-based response-delay and throughput tests showed that the performance of the intrusion tolerance controller lay among the subsidiary controllers, such as Ryu and Floodlight, and approached the advanced one. In practical application, the quantity and type of the subsidiary controllers can be configured according to the security level of application scenarios, and the proposed intrusion tolerance controller can satisfy the application requirements of response rate and intrusion tolerance degree.

Key words: Software-Defined Network (SDN), intrusion tolerance, controller, consistency test, comparison message

中图分类号:

TP393.0

黄亮, 姜帆, 荀浩, 马多贺, 王利明. 面向软件定义网络的入侵容忍控制器架构及实现[J]. 计算机应用, 2015, 35(12): 3429-3436.

HUANG Liang, JIANG Fan, XUN Hao, MA Duohe, WANG Liming. Software-defined networking-oriented intrusion tolerance controller architecture and its implementation[J]. Journal of Computer Applications, 2015, 35(12): 3429-3436.

参考文献

[1] Open Network Foundation. Software-defined networking:the new norm for networks[EB/OL].[2015-04-13]. https://www.opennetworking.org/images/stories/downloads/sdn-resourres/white-papers/wp-sdn-newnorm.pdf.
[2] MCKEOWN N, ANDERSON T, BALAKRISHNAN H, et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(2):69-74.
[3] FIELDING R T. Architectural styles and the design of network-based software architectures[D]. Irvine:University of California, 2000:76-85.
[4] SEZER S, SCOTTHAYWARD S, CHOUHAN P K, et al. Are we ready for SDN? Implementation challenges for software-defined networks[J]. IEEE Communications Magazine, 2013, 51(7):36-43.
[5] KREUTZ D, RAMOS F M, VERISSIMO P. Towards secure and dependable software-defined networks[C]//Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York:ACM, 2013:55-60.
[6] HAN W, HU H, AHN G-J. LPM:layered policy management for software-defined networks[C]//DBSEC 2014:Proceedings of the 28th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, LNCS 8556. Berlin:Springer, 2014:356-363.
[7] CHEN X, ZHAO B, MA S, et al. Leveraging master-slave OpenFlow controller arrangement to improve control plane resiliency in SD-EONs[J]. Optics Express, 2015, 23(6):7550-7558.
[8] SHIN S, SONG Y, LEE T, et al. Rosemary:a robust, secure, and high-performance network operating system[C]//CCS 2014:Proceedings of the 2014 ACM SIGSAC Conference on Computer Communications Security. New York:ACM, 2014:78-89.
[9] SHIN S, PORRAS P, YEGNESWARAN V, et al. FRESCO:Modular composable security services for software-defined networks[C/OL]//Proceedings of the 2013 ISOC Network and Distributed Security Symposium. San Diego:Internet Society, 2013.[2015-05-01]. http://www.dnssec-test-dyn.com/sites/default/files/07_2_0.pdf.
[10] PORRAS P, SHIN S, YEGNESWARAN V, et al. A security enforcement kernel for OpenFlow networks[C]//Proceedings of the 1st ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York:ACM, 2012:121-126.
[11] PORRAS P, CHEUNG S, FONG M, et al. Securing the software-defined network control layer[C/OL]//Proceedings of the 2015 Network and Distributed System Security Symposium. San Diego:Internet Society, 2015.[2015-05-01]. http://www.internetsociety.org/sites/default/files/10_3_2.pdf.
[12] JASSON CASEY C J, SUTTON A, DOS REIS G, et al. Eliminating network protocol vulnerabilities through abstraction and systems language design[C]//Proceedings of the 201321st IEEE International Conference on Network Protocols. Piscataway:IEEE, 2013:1-6.
[13] Open Network Foundation. SDN security considerations in the data center[EB/OL].[2015-04-05]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-security-data-center.pdf.
[14] PANKAJ B,MATTEO G,JONATHAN H, et al. ONOS:towards an open, distributed SDN OS[C]//HotSDN 2014:Proceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking. New York:ACM, 2014:1-6.
[15] KOPONEN T, CASADO M, GUDE N, et al. Onix:a distributed control platform for large-scale production networks[C]//Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. Berkley:USENIX Association, 2010:1-6.
[16] YAZICI V, SUNAY M O, ERCAN A O. Controlling a software-defined network via distributed controllers[C]//Proceedings of the 2012 NEM Summit. Istanbul:[s.n.], 2014:16-20.
[17] ADELSBACH A, ALESSANDRI D, CACHIN C, et al. Conceptual model and architecture of MAFTIA[EB/OL].[2015-05-02]. http://www.researchgate.net/publication/243775799_Conceptual_Model_and_Architecture_of_MAFTIA.
[18] PAL P, WEBBER F, SCHANTZ R. The DPASA survivable JBI-a high-water mark in intrusion tolerant systems[C/OL]//Proceedings of the 2007 Workshop on Recent Advances in Intrusion Tolerant Systems. New York:ACM, 2007.[2015-05-06]. http://wraits07.di.fc.ul.pt/4.pdf.
[19] LI H, LI P, GUO S, et al. Byzantine-resilient secure software-defined networks with multiple controllers in cloud[J]. IEEE Transactions on Cloud Computation, 2014, 2(4):436-447.
[20] KIM H, SANTOS J R, TURNER Y, et al.CORONET:Fault tolerance for software defined networks[C]//Proceedings of the 20th IEEE International Conference on Network Protocols. Piscataway:IEEE, 2012:1-2.
[21] BEHESHTI N,ZHANG Y. Fast failover for control traffic in software-defined networks[C]//Proceedings of the 2012 IEEE Global Communications Conference. Piscataway:IEEE, 2665-2670.
[22] SAIDANE A, NICOMETTE V, DESWARTE Y. The design of a generic intrusion-tolerant architecture for web servers[J]. IEEE Transactions on Dependable and Secure Computing, 2009, 6(1):45-58.
[23] BRAY R, CID D. OSSEC host-based intrusion detection guide[M]. Burlington:Syngress, 2008:305-307.
[24] SHERWOOD R, GIBB G, YAP K-K, et al. FlowVisor:a network virtualization layer, OPENFLOW-TR-2009-1[R/OL].[2015-05-01]. http://archive.openflow.org/downloads/technicalreports/openflow-tr-2009-1-flowvisor.pdf.
[25] LEVY J, SAIDI H, URIBE T E. Combining monitors for runtime system verification[J]. Elsevier Science Electronic Notes in Theoretical Computer Science, 2002, 70(4):112-127.

面向软件定义网络的入侵容忍控制器架构及实现

Software-defined networking-oriented intrusion tolerance controller architecture and its implementation

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	许红亮, 杨桂芹, 蒋占军. 基于软件定义网络的数据中心自适应多路径负载均衡算法[J]. 计算机应用, 2021, 41(4): 1160-1164.
[2]	陈港, 孟相如, 康巧燕, 阳勇. 基于拓扑分割与聚类分析的虚拟软件定义网络映射算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3309-3318.
[3]	安鑫, 夏近伟, 杨海娇, 欧阳一鸣, 任福继. 基于离散控制器合成的异构多核系统资源管理方法[J]. 计算机应用, 2020, 40(6): 1698-1706.
[4]	朱梦迪, 束永安. 软件定义网络中控制数据平面一致性的验证[J]. 计算机应用, 2020, 40(6): 1751-1754.
[5]	赵季红, 吴豆豆, 曲桦, 殷振宇. 基于软件定义网络的可靠性虚拟网络映射保障机制[J]. 计算机应用, 2020, 40(3): 770-776.
[6]	向雄, 田检. 基于软件定义网络的对等网传输调度优化[J]. 计算机应用, 2020, 40(3): 777-782.
[7]	张家奇, 牟永敏, 张志华. 基于控制流的软件设计与实现一致性分析方法[J]. 计算机应用, 2020, 40(10): 3025-3033.
[8]	池亚平, 莫崇维, 杨垠坦, 陈纯霞. 面向软件定义网络架构的入侵检测模型设计与实现[J]. 计算机应用, 2020, 40(1): 116-122.
[9]	苏振宇, 宋桂香, 刘雁鸣, 赵媛. 服务器管理控制系统威胁建模与应用[J]. 计算机应用, 2019, 39(7): 1991-1996.
[10]	贾梦瑶, 王兴伟, 张爽, 易波, 黄敏. 基于软件定义网络的卫星网络容错路由机制[J]. 计算机应用, 2019, 39(6): 1772-1779.
[11]	李兆斌, 刘泽一, 魏占祯, 韩禹. 基于哈希链的软件定义网络路径安全[J]. 计算机应用, 2019, 39(5): 1368-1373.
[12]	邹承明, 刘攀文, 唐星. 动态主机配置协议泛洪攻击在软件定义网络中的实时防御[J]. 计算机应用, 2019, 39(4): 1066-1072.
[13]	金滔, 董秀成, 李亦宁, 任磊, 范佩佩. 改进的粒子群优化算法优化分数阶PID控制器参数[J]. 计算机应用, 2019, 39(3): 796-801.
[14]	郭烜成, 林晖, 叶秀彩, 许传丰. 软件定义广域网中控制器部署与交换机动态迁移策略[J]. 计算机应用, 2019, 39(2): 453-457.
[15]	范宏伟, 胡宇翔, 兰巨龙. 两段式虚拟网络功能硬件加速资源部署机制[J]. 计算机应用, 2018, 38(9): 2575-2580.