Journal of Computer Applications ›› 2018, Vol. 38 ›› Issue (7): 1929-1935. DOI: 10.11772/j.issn.1001-9081.2017123007

• Cyberspace Security •

Research and implementation of key modules of the SDN data security processing mechanism

LI Zhaobin, LI Weilong, WEI Zhanzhen, LIU Mengtian

  1. Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China
  • Received: 2017-12-21 Revised: 2018-02-09 Online: 2018-07-10 Published: 2018-07-12
  • Corresponding author: LI Weilong
  • About the authors: LI Zhaobin (born 1977), male, from Xilingol, Inner Mongolia, associate research fellow, Ph.D.; research interests: network security. LI Weilong (born 1992), male, from Dalian, Liaoning, M.S. candidate; research interests: software defined networking. WEI Zhanzhen (born 1971), male, from Xining, Qinghai, professor, M.S.; research interests: network and information security. LIU Mengtian (born 1992), female, from Baoding, Hebei, M.S. candidate; research interests: software defined networking.
  • Supported by:
    National Key Research and Development Program of China (2017YFB0802705); Fundamental Research Funds for the Central Universities (2017CL04).

Research and implementation of key module of data security processing mechanism in software defined network

LI Zhaobin, LI Weilong, WEI Zhanzhen, LIU Mengtian   

  1. Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China
  • Received:2017-12-21 Revised:2018-02-09 Online:2018-07-10 Published:2018-07-12
  • Supported by:
    This work is partially supported by the National Key Research and Development Program of China (2017YFB0802705), the Fundamental Research Funds for the Central Universities (2017CL04).

Abstract (translated from the Chinese): To address data leakage in the data plane of a Software Defined Network (SDN), a new data security processing mechanism based on the OpenFlow protocol is proposed. First, the OpenFlow flow table structure is reconstructed, and OpenFlow data security policies comprising security match fields and security actions are designed and implemented. Second, a centralized management controller is designed; through several developed functional modules it senses network changes promptly, manages and controls the global network effectively, and maintains and distributes data encryption/decryption keys and data security policies. Third, the Open vSwitch (OVS) architecture is deeply reconstructed: the complete flow of data security policy matching and data security processing is designed and implemented, a payload extraction interface is written, and several developed functional modules enable OVS to match packets at fine granularity against the data security policies and to perform the full data security processing on each matched packet. Finally, a hardware and software platform is built to test the mechanism's encryption/decryption results, latency, throughput and CPU usage. Experimental results show that the mechanism encrypts and decrypts data correctly, and latency and throughput remain at normal levels; however, CPU usage fluctuates between 45% and 60%, a considerable overhead that remains to be optimized.

Keywords: Software Defined Network (SDN), data transmission, encryption and decryption, information security, data security processing

Abstract: To solve the data leakage problem of the data plane in a Software Defined Network (SDN), a new data security processing mechanism based on the OpenFlow protocol was proposed. Firstly, the flow table structure of the OpenFlow protocol was reconstructed, and OpenFlow data security policies including security match fields and security actions were designed and implemented. Secondly, a centralized management controller was designed to sense changes in the network in a timely manner through multiple developed functional modules; it effectively controlled the global network and maintained and distributed data encryption/decryption keys and data security policies. Thirdly, the Open vSwitch (OVS) architecture was deeply reconstructed: the complete process of data security policy matching and data security processing was designed, and the extraction interface for data payload information was programmed. Through multiple developed functional modules, OVS can match data packets at the fine granularity of the data security policies and perform complete data security processing on matched packets. Finally, a hardware and software platform was built, and the encryption and decryption results, latency, throughput and CPU utilization of the mechanism were tested. The experimental results show that the proposed mechanism encrypts and decrypts data accurately; its latency and throughput are at normal levels, but its CPU usage is between 45% and 60%, which indicates that it needs further optimization.

Key words: Software Defined Network (SDN), data transmission, encryption and decryption, information security, data security processing
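The policy model the abstract describes, as an added illustrative simulation (not the paper's code, and not OpenFlow or OVS code): a centralized controller that owns keys and pushes each key together with its flow entry to the switches, a flow table whose entries carry security match fields and a security action, and a datapath that encrypts or decrypts the payload of matching packets and forwards everything else unchanged. The paper does not publish its cipher, field set or message formats, so the field names, the `push_policy` / `new_key` calls and the HMAC-SHA256 CTR keystream with an encrypt-then-MAC tag used here are assumptions standing in for them.

```python
"""Simulated OpenFlow-style flow table with security match fields and
encrypt/decrypt security actions.  Added illustration, not the paper's code:
the field names, key-distribution calls and cipher are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key, nonce, length):
    # CTR-style keystream from HMAC-SHA256(key, nonce || counter): a stand-in
    # for whatever cipher the real datapath would use.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def encrypt_payload(key: bytes, payload: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def decrypt_payload(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the blob is truncated or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class SecurityFlowEntry:
    # One row of the extended flow table (layout assumed, not the paper's).
    priority: int
    match: dict                   # header field -> value; absent field = wildcard
    action: str                   # "encrypt", "decrypt" or "forward"
    key_id: Optional[str] = None  # key the controller must have pushed first

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(f) == v for f, v in self.match.items())

class Switch:
    """Stand-in for the reconstructed OVS datapath."""
    def __init__(self):
        self.flows, self.keys = [], {}

    def install(self, entry: SecurityFlowEntry):
        self.flows.append(entry)
        self.flows.sort(key=lambda e: e.priority, reverse=True)

    def process(self, pkt: dict) -> Optional[dict]:
        """Apply the highest-priority matching entry; None means the packet is dropped."""
        entry = next((e for e in self.flows if e.matches(pkt)), None)
        if entry is None or entry.action == "forward":
            return pkt                 # table-miss forwards unchanged (assumed default)
        key = self.keys.get(entry.key_id)
        if key is None:
            return None                # policy names a key this switch never received
        if entry.action == "encrypt":
            return dict(pkt, payload=encrypt_payload(key, pkt["payload"]))
        pt = decrypt_payload(key, pkt["payload"])
        return None if pt is None else dict(pkt, payload=pt)   # bad tag: drop

class Controller:
    """Centralized controller: owns keys, pushes key + policy to each switch."""
    def __init__(self):
        self.keys = {}

    def new_key(self, key_id: str):
        self.keys[key_id] = os.urandom(32)

    def push_policy(self, switch: Switch, entry: SecurityFlowEntry):
        if entry.key_id is not None:
            switch.keys[entry.key_id] = self.keys[entry.key_id]
        switch.install(entry)

def demo() -> dict:
    """Protect HTTP between 10.0.0.1 and 10.0.0.2 across two switches (constructed)."""
    ctl, ingress, egress = Controller(), Switch(), Switch()
    ctl.new_key("k1")
    web = {"eth_type": 0x0800, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2",
           "ip_proto": 6, "tp_dst": 80}
    ctl.push_policy(ingress, SecurityFlowEntry(100, web, "encrypt", "k1"))
    ctl.push_policy(egress, SecurityFlowEntry(100, web, "decrypt", "k1"))
    pkt = dict(web, in_port=1, payload=b"GET /secret HTTP/1.1\r\n")   # constructed
    ssh = dict(web, tp_dst=22, in_port=1, payload=b"SSH-2.0-client")  # no policy
    on_wire = ingress.process(pkt)
    flipped = bytearray(on_wire["payload"])
    flipped[NONCE_LEN] ^= 1                                           # attacker flips a bit
    return {
        "hidden_on_wire": on_wire["payload"] != pkt["payload"],
        "round_trip": egress.process(on_wire)["payload"] == pkt["payload"],
        "unmatched_untouched": ingress.process(ssh)["payload"] == ssh["payload"],
        "tampered_dropped": egress.process(dict(on_wire, payload=bytes(flipped))) is None,
    }
```

The two properties a practitioner should check in such a mechanism are visible in `demo()`: a packet that matches no security policy is forwarded untouched (so the policy set, not the cipher, decides what is protected), and a decrypting switch drops rather than forwards a payload whose tag does not verify, which is why the payload format carries an authentication tag and not only a keystream.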
