Journal of Computer Applications ›› 2017, Vol. 37 ›› Issue (8): 2281-2286.DOI: 10.11772/j.issn.1001-9081.2017.08.2281


Research on the attack resistance of the software-defined network control plane based on Byzantine fault tolerance

GAO Jie, WU Jiangxing, HU Yuxiang, LI Junfei   

  1. China National Digital Switching System Engineering & Technological R & D Center, Zhengzhou Henan 450002, China
  • Received: 2017-02-21  Revised: 2017-04-28  Online: 2017-08-10  Published: 2017-08-12
  • Supported by:
    This work is partially supported by the National High Technology Research and Development Program of China (2015AA016102), the National Natural Science Foundation of China (61521003, 61372121) and the National Basic Research and Development Program of China (2016YFB0800100).

  • Corresponding author: GAO Jie
  • About the authors: GAO Jie (born 1992), male, from Suqian, Jiangsu; master's student; main research interest: new network architectures. WU Jiangxing (born 1953), male, from Jiaxing, Zhejiang; professor and doctoral supervisor; main research interests: network architecture, network security. HU Yuxiang (born 1982), male, from Zhoukou, Henan; associate research fellow, PhD; main research interest: next-generation information networks. LI Junfei (born 1989), male, from Anyang, Henan; PhD student; main research interest: active protection for centralized network management and control.

Abstract: The centralized control plane of Software-Defined Network (SDN) greatly simplifies network management, but it also introduces many security risks. To address the controller's single point of failure, its unknown vulnerabilities and backdoors, its static configuration and related security problems, a secure SDN architecture based on a Byzantine protocol is proposed: the Byzantine protocol is executed among the controllers, each switching device is managed by a controller view, and a control message is issued to the switch only after arbitration by several controllers. In addition, dynamics and heterogeneity are introduced into the architecture, which breaks the attack chain and strengthens the network's active defence capability. Based on a quantification of controller heterogeneity, a two-stage algorithm for electing the controller view is designed, which ensures both the availability of the network and the security of the view. Simulation results show that the proposed architecture resists attacks better than the traditional one.
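The following Python model is added here as an illustration; it is not the paper's algorithm or code, and the paper's own heterogeneity metric and election procedure are not reproduced on this page. It shows what the abstract's view arbitration buys: a view of 3f+1 controllers is selected in two stages (an availability filter, then a heterogeneity maximisation), and a flow rule reaches a switch only when at least 2f+1 members of the view propose the same rule, so one compromised controller cannot install a diverting rule on its own. The attribute dimensions (os, software, language), the load threshold, the pairwise-difference heterogeneity metric, the sample topology and the sample controller pool are all constructed assumptions.

```python
"""Toy model of BFT-arbitrated controller views for an SDN switch.

Added example, not the paper's code. Assumptions (not from the paper):
- a controller's heterogeneity is described by the attributes os, software, language;
- view heterogeneity = number of differing attributes summed over all controller pairs;
- stage 1 of view election drops controllers whose load exceeds a threshold
  (availability), stage 2 picks the most heterogeneous 3f+1 of the rest (security);
- a rule is installed only if at least 2f+1 members of the view propose it.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

ATTRS = ("os", "software", "language")  # assumed dimensions of heterogeneity

# Constructed sample topology: (switch, destination host) -> correct output port.
TOPOLOGY = {("s1", "h2"): 2, ("s1", "h3"): 3, ("s2", "h1"): 1}


@dataclass(frozen=True)
class Controller:
    name: str
    os: str
    software: str
    language: str
    load: float              # assumed utilisation in [0, 1]
    compromised: bool = False

    def decide(self, switch: str, dst: str) -> str:
        """Flow rule this controller proposes for (switch, dst).
        A compromised controller silently diverts traffic to port 9 (constructed)."""
        if self.compromised:
            return "fwd:9"
        return f"fwd:{TOPOLOGY[(switch, dst)]}"


def heterogeneity(view) -> int:
    """Assumed metric: differing attributes summed over all pairs in the view."""
    return sum(
        sum(getattr(a, k) != getattr(b, k) for k in ATTRS)
        for a, b in combinations(view, 2)
    )


def select_view(pool, f: int, max_load: float = 0.8):
    """Two-stage election (assumed structure).
    Stage 1: keep only controllers able to take the switch (load <= max_load).
    Stage 2: among those, choose the 3f+1 controllers with maximal heterogeneity,
    so that one exploit or backdoor is unlikely to hit a majority of the view."""
    n = 3 * f + 1
    available = [c for c in pool if c.load <= max_load]
    if len(available) < n:
        raise ValueError("not enough available controllers for a 3f+1 view")
    return max(combinations(available, n), key=heterogeneity)


def arbitrate(view, f: int, switch: str, dst: str) -> Optional[str]:
    """Return the rule to install, or None if no rule has 2f+1 matching votes.
    With at most f compromised members the honest majority always wins."""
    votes = Counter(c.decide(switch, dst) for c in view)
    rule, count = votes.most_common(1)[0]
    return rule if count >= 2 * f + 1 else None


# Constructed controller pool; C is overloaded and D has been compromised.
POOL = [
    Controller("A", "linux", "onos", "java", 0.2),
    Controller("B", "linux", "opendaylight", "java", 0.3),
    Controller("C", "freebsd", "ryu", "python", 0.9),
    Controller("D", "windows", "floodlight", "java", 0.1, compromised=True),
    Controller("E", "linux", "pox", "python", 0.4),
    Controller("F", "freebsd", "onos", "java", 0.5),
]

if __name__ == "__main__":
    view = select_view(POOL, f=1)
    print("view:", [c.name for c in view], "heterogeneity:", heterogeneity(view))
    print("rule for s1->h2:", arbitrate(view, 1, "s1", "h2"))
```

With f=1 the elected view is {B, D, E, F}; D's diverting proposal is outvoted 3 to 1 and the correct rule is installed. If a second member of the same view is compromised the vote splits 2 to 2, no rule reaches the switch, and the disagreement is exactly the signal an operator would want to alert on. Note that the heterogeneity stage only reduces the chance that one vulnerability affects several view members; the 2f+1 threshold is what actually bounds the damage.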

Key words: dynamics, heterogeneity, Byzantine Fault-Tolerance (BFT), Software Defined Network (SDN), attack resistance
