Software defined network path security based on Hash chain

LI Zhaobin, LIU Zeyi, WEI Zhanzhen, HAN Yu   

  1. Department of Electronics and Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China
  • Received:2018-09-06 Revised:2018-11-06 Online:2019-05-14 Published:2019-05-10
  • Supported by:
    This work is partially supported by the National Key Research and Development Program of China (2017YFB0802705, 2017YFGX110123).


  • Corresponding author: LIU Zeyi
  • About the authors: LI Zhaobin (born 1977), male, from Xilingol, Inner Mongolia, associate research fellow, Ph.D.; main research interest: network security. LIU Zeyi (born 1994), male, from Pingdingshan, Henan, master's student; main research interest: software-defined networking. WEI Zhanzhen (born 1971), male, from Xining, Qinghai, professor, master's degree; main research interest: network and information security. HAN Yu (born 1993), male, from Renqiu, Hebei, master's student; main research interest: software-defined networking.

Abstract: To address the security problem that an SDN (Software Defined Network) controller cannot guarantee that the network policy it issues is correctly executed on the forwarding devices, a new forwarding-path monitoring security solution was proposed. Firstly, based on the controller's global view of the network, a path-credential interaction and processing mechanism based on OpenFlow was designed. Secondly, a hash chain and message authentication codes were introduced as the key techniques for generating and processing the forwarding-path credential information. Thirdly, on this basis, the Ryu controller and the Open vSwitch open-source switch were deeply optimized, with credential-processing flows added, to construct a lightweight path security mechanism. The test results show that the proposed mechanism can effectively guarantee the security of the data forwarding path, and that its throughput consumption is more than 20% lower than that of SDNsec, which makes it better suited to network environments with complex routes; however, its fluctuations in latency and CPU usage exceed 15%, which needs further optimization.

Key words: Software Defined Network (SDN), hash chain, message authentication code, path validation, data integrity
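The abstract names two building blocks, a hash chain and per-hop message authentication codes, without giving the credential format. The following is an added, self-contained illustration of how those two primitives can be combined for path validation; it is an assumed construction written for this page, not the paper's protocol or the modified Ryu/Open vSwitch code. It assumes each switch shares a symmetric key with the controller, that the controller installs per-flow credentials (hop index, chain value, next hop) in the switch as part of its flow rule, and a constructed three-hop path s1, s2, s3. The hash-chain link lets every hop cheaply check that the packet really came from the previous hop on the controller's path (an upstream switch that skips a hop never learns the value it would need to forge), while the accumulated MAC lets the controller detect at egress any hop that did not participate or any payload change in flight.

```python
"""Hash-chain + MAC path-credential check (assumed construction, not the paper's protocol)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, n: int) -> list[bytes]:
    """Hash chain for an n-hop path: h[n] = H(seed), h[i] = H(h[i+1]).
    A verifier holding h[i+1] can check a revealed h[i] with one hash; index 0 is unused."""
    chain = [b""] * (n + 1)
    chain[n] = H(seed)
    for i in range(n - 1, 0, -1):
        chain[i] = H(chain[i + 1])
    return chain


class PathViolation(Exception):
    pass


@dataclass
class Switch:
    name: str
    key: bytes                                  # symmetric key shared with the controller (assumed provisioned)
    creds: dict = field(default_factory=dict)   # flow_id -> (hop index, h_i, next hop), installed by the controller

    def forward(self, pkt: dict) -> str:
        """Verify the incoming credential, stamp this hop's proof, return the next hop given by the rule."""
        if pkt["flow"] not in self.creds:
            raise PathViolation(f"{self.name}: no credential for flow")
        hop, h_i, next_hop = self.creds[pkt["flow"]]
        # Hash-chain link: the previous hop must have stamped h_{i-1} = H(h_i).
        # An upstream switch that skips a hop cannot produce it, because it never learns h_i.
        expected = H(h_i) if hop > 1 else None
        if pkt["proof"] != expected:
            raise PathViolation(f"{self.name}: hash-chain proof mismatch")
        pkt["proof"] = h_i
        # Per-hop MAC over the running tag, this hop's chain value and the payload digest; the
        # controller recomputes it at egress with all keys, so a missing or forged hop shows up there.
        pkt["tag"] = hmac.new(self.key, pkt["tag"] + h_i + H(pkt["payload"]), hashlib.sha256).digest()
        return next_hop


class Controller:
    def __init__(self, switches: dict[str, Switch]):
        self.switches = switches
        self.flows: dict[str, tuple[list[str], list[bytes]]] = {}

    def install_path(self, flow_id: str, path: list[str]) -> None:
        """Generate the chain for a flow and push each hop's credential to its switch."""
        seed = secrets.token_bytes(32)
        chain = build_chain(seed, len(path))
        for i, name in enumerate(path, start=1):
            next_hop = path[i] if i < len(path) else "egress"
            self.switches[name].creds[flow_id] = (i, chain[i], next_hop)
        self.flows[flow_id] = (path, chain)

    def verify_at_egress(self, pkt: dict) -> None:
        """Check the final chain value and recompute the accumulated MAC over the whole path."""
        path, chain = self.flows[pkt["flow"]]
        if pkt["proof"] != chain[len(path)]:
            raise PathViolation("egress: final proof is not the chain head")
        tag = b""
        digest = H(pkt["payload"])
        for i, name in enumerate(path, start=1):
            tag = hmac.new(self.switches[name].key, tag + chain[i] + digest, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, pkt["tag"]):
            raise PathViolation("egress: path MAC mismatch")


def simulate(deviations: dict | None = None, tamper_at: str | None = None) -> str:
    """Send one packet over the constructed path s1 -> s2 -> s3 and report the outcome.
    deviations maps a switch to the hop it actually sends to, ignoring its rule (a misconfigured
    or misbehaving device); tamper_at names a switch after which the payload is changed in flight."""
    deviations = deviations or {}
    switches = {n: Switch(n, secrets.token_bytes(32)) for n in ("s1", "s2", "s3", "s4")}
    ctrl = Controller(switches)
    ctrl.install_path("flow-A", ["s1", "s2", "s3"])
    pkt = {"flow": "flow-A", "payload": b"constructed sample payload", "proof": None, "tag": b""}
    current = "s1"
    try:
        while current != "egress":
            by_rule = switches[current].forward(pkt)
            if current == tamper_at:
                pkt["payload"] = b"modified in flight"
            current = deviations.get(current, by_rule)
        ctrl.verify_at_egress(pkt)
    except PathViolation as e:
        return f"rejected ({e})"
    return "accepted"


if __name__ == "__main__":
    print(simulate())                              # accepted
    print(simulate(deviations={"s1": "s3"}))       # skipped hop caught by the hash-chain link at s3
    print(simulate(deviations={"s2": "s4"}))       # off-path switch holds no credential
    print(simulate(tamper_at="s2"))                # payload change caught by the egress MAC
```

The per-hop cost is one hash and one HMAC, which is the kind of lightweight in-switch work the abstract is aiming for; the full-path check is deferred to the controller, which is the only party holding every key. The chain value is revealed hop by hop, so a compromised switch can only forge proofs for hops downstream of itself, and even those are caught at egress because it lacks the other switches' keys.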

Abstract (Chinese version): To address the security problem in software-defined networks that the controller cannot guarantee that the network policies it issues are correctly executed on the forwarding devices, a new forwarding-path monitoring security scheme is proposed. First, building on the controller's global view, a path-credential interaction and processing mechanism based on the OpenFlow protocol is designed; then a hash chain and message authentication codes are adopted as the key techniques for generating and processing forwarding-path credential information; finally, on this basis, the Ryu controller and the Open vSwitch open-source switch are deeply optimized and the corresponding processing flows are added, establishing a lightweight path security mechanism. Test results show that the mechanism can effectively guarantee the security of the data forwarding path; its throughput consumption is more than 20% lower than that of the SDN data-plane trusted forwarding scheme (SDNsec), making it better suited to network environments with complex paths, but the fluctuation of its latency and CPU usage exceeds 15%, which remains to be optimized further.

Key words (Chinese version): software-defined networking, hash chain, message authentication code, path validation, data integrity

