Netinfo Security (信息网络安全), 2014, Vol. 14, Issue 9: 6-6. doi: 10.3969/j.issn.1671-1122.2014.09.002

• Outstanding Papers •

Solution for Rule Conflict under Distributed SDN Controller System (分布式SDN控制器的规则冲突解决方案)

WANG Xin (王鑫) 1, 2, 3, GAO Neng (高能) 1, 2, MA Cun-qing (马存庆) 1, 2, XUE Cong (薛聪) 1, 2, 3

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
  2. State Key Laboratory of Information Security, Beijing 100093, China;
  3. University of Chinese Academy of Sciences, Beijing 100049, China
  • Received: 2014-08-06 Online: 2014-09-01
  • About the authors: WANG Xin (born 1989), male, from Shandong, Ph.D. candidate; main research interest: network security. GAO Neng (born 1976), female, from Shaanxi, associate research fellow, Ph.D.; main research interests: network and information system security. MA Cun-qing (born 1984), male, from Qinghai, assistant research fellow, Ph.D.; main research interests: network and system security. XUE Cong (born 1990), female, from Hebei, M.S. candidate; main research interests: network and system security.
  • Funding: National High Technology Research and Development Program of China (863 Program) [2013AA01A214]; Strategic Priority Research Program of the Chinese Academy of Sciences [XDA06010702]

Abstract: Distributed SDN controller systems have become a research focus, but the distributed architecture also introduces new security challenges. One serious challenge is how to efficiently detect and resolve, across a distributed architecture, the potential rule conflicts created by the flow rules that dynamic applications install. Building on a study of FortNox, a rule-conflict resolution scheme for a single SDN controller, this paper proposes a rule-conflict resolution scheme for distributed SDN controller systems. The scheme extends FortNox to the distributed setting, adds a controller rule-conflict resolution mechanism based on end-to-end paths, and adds a bootstrap process for newly joined controllers, so that rule conflicts in the distributed system can be resolved. Simulation results show that the scheme not only detects rule conflicts in real time in a distributed system, but also effectively blocks a malicious program on a controller that tries to bypass a security application's rules by inserting flow rules of its own.

Key words: SDN, rule conflict, distributed SDN controller system
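The abstract names three ingredients: detecting when a new flow rule contradicts an installed security rule, checking a candidate against the rules on every switch of its end-to-end path rather than only on the local controller, and a bootstrap step so that a controller joining the cluster inherits existing policy before it serves applications. The Python sketch below is an added example written for this page; it is neither the paper's algorithm nor FortNox's code, and it reproduces only the shape of those ideas. Its model is an assumption: rules match on IPv4 source/destination prefixes plus an optional destination port, the only actions are FORWARD and DROP, each application carries a numeric authorization role (the role levels and the strict "lower role loses" tie-break are this example's choice), and DROP rules issued at security role or above are treated as cluster-wide policy. Switch names, controller names and addresses are constructed.

```python
# Simplified cluster-wide flow-rule conflict checker (added illustration, not the
# paper's algorithm or FortNox code). Assumed model: IPv4 prefix + optional port
# matches, FORWARD/DROP actions, numeric app roles, security DROP = cluster policy.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

ROLE_ADMIN, ROLE_SECURITY, ROLE_APP = 3, 2, 1   # example role levels, highest first


@dataclass(frozen=True)
class FlowRule:
    src: IPv4Network          # 0.0.0.0/0 acts as a wildcard
    dst: IPv4Network
    dport: Optional[int]      # None = wildcard
    action: str               # "FORWARD" or "DROP"
    role: int                 # authorization level of the issuing application
    switch: str               # switch the rule is installed on
    owner: str                # controller that installed it


def rule(src: str, dst: str, dport: Optional[int], action: str,
         role: int, switch: str, owner: str) -> FlowRule:
    return FlowRule(ip_network(src), ip_network(dst), dport, action, role, switch, owner)


def overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True if at least one packet header could match both rules."""
    if not (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)):
        return False
    return a.dport is None or b.dport is None or a.dport == b.dport


def conflicts(candidate: FlowRule, installed: FlowRule) -> bool:
    """Overlapping flow space, contradictory action, and a candidate role that
    does not outrank the installed rule: the candidate would bypass policy."""
    return (overlaps(candidate, installed)
            and candidate.action != installed.action
            and candidate.role < installed.role)


class Controller:
    def __init__(self, name: str, switches: List[str]):
        self.name, self.switches = name, set(switches)
        self.rules: List[FlowRule] = []          # rules this controller installed
        self.peer_policy: List[FlowRule] = []    # security rules replicated from peers


class Cluster:
    """Each switch belongs to exactly one controller; security-role rules are
    replicated to every controller so a bypass is caught wherever it is tried."""

    def __init__(self) -> None:
        self.controllers: Dict[str, Controller] = {}

    def owner_of(self, switch: str) -> Optional[Controller]:
        return next((c for c in self.controllers.values() if switch in c.switches), None)

    def join(self, ctl: Controller) -> int:
        """Bootstrap: a joining controller pulls the peers' security rules before it
        serves any application. Returns the number of rules synced."""
        for peer in self.controllers.values():
            ctl.peer_policy.extend(r for r in peer.rules if r.role >= ROLE_SECURITY)
        self.controllers[ctl.name] = ctl
        return len(ctl.peer_policy)

    def install(self, cand: FlowRule, path: List[str]) -> Tuple[bool, str]:
        """Check a candidate against the rules on every switch of its end-to-end path
        and against replicated policy; install it only when nothing conflicts."""
        ctl = self.controllers[cand.owner]
        if cand.switch not in ctl.switches:
            return False, f"{ctl.name} does not own {cand.switch}"
        visible = list(ctl.peer_policy)
        for sw in path:
            hop = self.owner_of(sw)
            if hop is None:
                return False, f"unknown switch {sw} on path"
            visible.extend(r for r in hop.rules if r.switch == sw)
        for inst in visible:
            if conflicts(cand, inst):
                return False, f"conflicts with {inst.action} rule of {inst.owner} on {inst.switch}"
        ctl.rules.append(cand)
        if cand.role >= ROLE_SECURITY:           # push new policy to the peers
            for peer in self.controllers.values():
                if peer is not ctl:
                    peer.peer_policy.append(cand)
        return True, "installed"


def demo() -> Dict[str, bool]:
    """Constructed scenario: C1 owns s1,s2; C2 owns s3; C3 joins later. A security app
    on C2 drops 10.0.1.0/24 -> 10.0.9.10:22 at s3; a low-role app on C1 then tries to
    forward that flow over s1,s2, a path that never reaches s3."""
    cluster = Cluster()
    c1, c2 = Controller("C1", ["s1", "s2"]), Controller("C2", ["s3"])
    cluster.join(c1)
    cluster.join(c2)
    drop = rule("10.0.1.0/24", "10.0.9.10/32", 22, "DROP", ROLE_SECURITY, "s3", "C2")
    bypass = rule("10.0.1.0/24", "10.0.9.0/24", None, "FORWARD", ROLE_APP, "s1", "C1")
    benign = rule("10.0.2.0/24", "10.0.9.0/24", None, "FORWARD", ROLE_APP, "s1", "C1")
    results = {
        "security_drop": cluster.install(drop, ["s3"])[0],
        "bypass_forward": cluster.install(bypass, ["s1", "s2"])[0],
        "unrelated_forward": cluster.install(benign, ["s1", "s2"])[0],
    }
    c3 = Controller("C3", ["s4"])                # late joiner must inherit policy
    cluster.join(c3)
    late = rule("10.0.1.5/32", "10.0.9.10/32", 22, "FORWARD", ROLE_APP, "s4", "C3")
    results["late_joiner_forward"] = cluster.install(late, ["s4"])[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running the script accepts the security DROP and the unrelated FORWARD, and rejects both the forwarding rule that would route the protected flow around s3 and the one a late-joining controller tries to install. The two points a practitioner should take from it are that a conflict check confined to one controller's own rule table cannot see a DROP held by a peer, and that a controller which joins without first syncing policy becomes the easiest place to insert a bypass; the paper's end-to-end path check and bootstrap process address exactly those two gaps.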