SDN应用平面与控制平面安全交互方法

doi:10.3969/j.issn.1671-1122.2021.06.009

信息网络安全 ›› 2021, Vol. 21 ›› Issue (6): 70-79.doi: 10.3969/j.issn.1671-1122.2021.06.009

SDN应用平面与控制平面安全交互方法

范广宇¹, 王兴伟¹(), 贾杰¹, 黄敏²

1. 东北大学计算机科学与工程学院,沈阳 110169
2. 东北大学信息科学与工程学院,沈阳 110819

收稿日期:2021-01-27 出版日期:2021-06-10 发布日期:2021-07-01
通讯作者: 王兴伟 E-mail:wangxw@mail.neu.edu.cn
作者简介:范广宇（1995—）,男,辽宁,硕士研究生,主要研究方向为基于意图的网络与网络测量|王兴伟（1968—）,男,内蒙古,教授,博士,主要研究方向为未来互联网、云计算与网络空间安全;|黄敏（1968—）,女,辽宁,教授,博士,主要研究方向为智能算法设计与优化、调度理论与方法
基金资助:
国家自然科学基金(61872073);辽宁省“兴辽英才计划”(XLYC1902010)

Secure Interaction Scheme between SDN Application Plane and Control Plane

FAN Guangyu¹, WANG Xingwei¹(), JIA Jie¹, HUANG Min²

1. College of Computer Science and Engineering, Northeastern University, Shenyang 110169, China
2. College of Information Science and Engineering, Northeastern University, Shenyang 110819, China

Received:2021-01-27 Online:2021-06-10 Published:2021-07-01
Contact: WANG Xingwei E-mail:wangxw@mail.neu.edu.cn

摘要/Abstract

摘要：

软件定义网络（SDN）在推动网络创新的同时也为网络安全带来新的挑战。文章针对SDN应用平面与控制平面安全交互方法进行研究,以确保SDN提供可靠的网络服务。首先,文章提出SDN应用平面与控制平面安全交互方法总体架构;其次,利用TLS协议完成应用与控制器代理间的双向认证及安全通信,同时设计应用权限管理与应用身份信息管理,确保应用能够安全合理地访问控制器;然后,提出流规则冲突检测和消解算法,确保网络策略正确执行;最后,采用Floodlight控制器和Mininet平台实现该系统,并与已有SDN应用身份认证机制和权限管理机制进行对比。实验结果表明,文章提出的SDN应用平面与控制平面安全交互方法所引入的延迟是可以接受的。

关键词: 软件定义网络, 应用平面, 控制平面, 安全交互

Abstract:

Software defined networking (SDN) brings new challenges to network security while promoting network innovation. This paper studies the secure interaction scheme between SDN application plane and control plane to ensure that SDN can provide reliable network services. Firstly, this paper proposes the overall architecture of the secure interaction scheme between SDN application plane and control plane. Secondly, the TLS protocol is used to complete the two-way authentication and secure communication between the application and the controller agent. At the same time, application authority management and application identity information management are designed to ensure that applications can access the controller securely and reasonably. Then, flow rule conflict detection and reconciliation algorithms are proposed to ensure the correct implementation of network policies. Finally, the system is implemented based on Floodlight and Mininet and compared with the existing SDN application identity authentication mechanisms and authority management mechanisms. The experimental results show that the delay introduced by the secure interaction scheme between SDN application plane and control plane proposed in this paper is acceptable.

Key words: software defined networking, application plane, control plane, secure interaction

中图分类号:

TP309

范广宇, 王兴伟, 贾杰, 黄敏. SDN应用平面与控制平面安全交互方法[J]. 信息网络安全, 2021, 21(6): 70-79.

FAN Guangyu, WANG Xingwei, JIA Jie, HUANG Min. Secure Interaction Scheme between SDN Application Plane and Control Plane[J]. Netinfo Security, 2021, 21(6): 70-79.

图/表 7

图1

图2

图3

表1

图4

表2

图5

参考文献 22

[1]	ONF. Software-defined Networking(SDN) Definition[EB/OL]. , 2020-12-20.
[2]	DABBAGH M, HAMDAOUI B, GUIZANI M, et al. Software-defined Networking Security: Pros and Cons[J]. Communications Magazine IEEE, 2015,53(6):73-79. doi: 10.1109/MCOM.2015.7120048 URL
[3]	RAWAT D B, REDDY S R. Software Defined Networking Architecture, Security and Energy Efficiency: A Survey[J]. IEEE Communications Surveys & Tutorials, 2016,19(1):325-346.
[4]	Project Floodlight. Floodlight Controller[EB/OL]. https://floodlight.atlassian.net/wiki/spaces/floodlightcontroller/overview, 2020-12-20.
[5]	OpenDaylight. Platform Overview[EB/OL]. , 2020-12-22.
[6]	ONF. ONOS[EB/OL]. https://onosproject.org/, 2020 -12-22.
[7]	IETF. Software-defined Networking: A Perspective from within a Service Provider Environment[EB/OL].https://www.rfc-editor.org/info/rfc7149 , 2020 -12-22.
[8]	KREUTZ D, RAMOS F M V, VERISSIMO P. Towards Secure and Dependable Software-defined Networks[C]// ACM. ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, August 22, 2014, Chicago, IL, USA. New York: ACM, 2014: 55-60.
[9]	AHMAD I, NAMAL S, YLIANTTILA M, et al. Security in Software Defined Networks: A Survey[J]. IEEE Communications Surveys & Tutorials, 2015,17(4):2317-2346.
[10]	SHU Zhaogang, WAN Jiafu, LI Di, et al. Security in Software-defined Networking: Threats and Countermeasures[J]. Mobile Networks and Applications, 2016,21(5):764-776. doi: 10.1007/s11036-016-0676-x URL
[11]	SCOTT-HAYWARD S, NATARAJAN S, SEZER S. A Survey of Security in Software Defined Networks[J]. IEEE Communications Surveys & Tutorials, 2016,18(1):623-654.
[12]	ONF. Principles and Practices for Securing Software-defined Networks[EB/OL]. https://opennetworking.org/wp-content/uploads/2014/10/Principles_and_Practices_for_Securing_Software-Defined_Networks_applied_to_OFv1.3.4_V1.0.pdf, 2020-12-25.
[13]	SMELIANSKY R L. SDN for Network Security [C]//IEEE. 2014 International Science and Technology Conference (Modern Networking Technologies), October 28-29, 2014, Moscow, Russia. NJ: IEEE, 2014: 1-5.
[14]	CHAUDHARY R, AUJLA G S, GARG S, et al. SDN-enabled Multi-attribute-based Secure Communication for Smart Grid in IIoT Environment[J]. IEEE Transactions on Industrial Informatics, 2018,14(6):2629-2640. doi: 10.1109/TII.9424 URL
[15]	LEE S, YOON C, SHIN S. The Smaller, the Shrewder: A Simple Malicious Application Can Kill an Entire SDN Environment[C]// ACM. 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, March 11, 2016, New Orleans, LA, USA. New York: ACM, 2016: 23-28.
[16]	LEE C, SHIN S. SHIELD: An Automated Framework for Static Analysis of SDN Applications[C]// ACM. 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, March 11, 2016, New Orleans, LA, USA. New York: ACM, 2016: 29-34.
[17]	WANG Pengzhan, HUANG Liusheng, XU Hongli, et al. Rule Anomalies Detecting and Resolving for Software Defined Networks[C]// IEEE. GLOBECOM 2015-2015 IEEE Global Communications Conference, December 6-10, 2015, San Diego, CA, USA. NJ: IEEE, 2016: 1-6.
[18]	PISHARODY S, CHOWDHARY A, HUANG Dijiang. Security Policy Checking in Distributed SDN-based Clouds[C]// IEEE. 2016 IEEE Conference on Communications and Network Security (CNS), October 17-19, 2016, Philadelphia, PA, USA. NJ: IEEE, 2017: 19-27.
[19]	PISHARODY S, NATARAJAN J, CHOWDHARY A, et al. Brew: A Security Policy Analysis Framework for Distributed SDN-based Cloud Environments[J]. IEEE Transactions on Dependable & Secure Computing, 2017,16(6):1011-1025.
[20]	WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking[C]// IEEE. 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing, November 3-5, 2015, New York, NY, USA. NJ: IEEE, 2015: 127-132.
[21]	PORRAS P, SHIN S, YEGNESWARAN V, et al. A Security Enforcement Kernel for OpenFlow Networks[EB/OL]. , 2020-12-25.
[22]	PORRAS P A, CHEUNG S, FONG M W, et al. Securing the Software Defined Network Control Layer[EB/OL]. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.703.7607&rep=rep1&type=pdf, 2020-12-25.

	Write	Read	Event Remind
Packet In/Out	15	10	5
Controller	12	8	4
Switch	9	6	3
Host	6	4	2
Error	3	2	1

方法	认证机制	权限管理粒度	每个应用权限个数/个
SE-Floodlight	基于角色（默认3个角色）	粗粒度	无
OperationCheckpoint	无	细粒度	15
PermOF	无	细粒度	18
SDNShield	无	细粒度	无
PERM-GUARD	基于身份信息	细粒度	16
本文方法	基于身份信息	细粒度	45

SDN应用平面与控制平面安全交互方法

Secure Interaction Scheme between SDN Application Plane and Control Plane

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 22

相关文章 15

编辑推荐

Metrics

本文评价

[1]	李朝阳, 谭晶磊, 胡瑞钦, 张红旗. 基于双重地址跳变的移动目标防御方法[J]. 信息网络安全, 2021, 21(2): 24-33.
[2]	王鹃, 杨泓远, 樊成阳. 一种基于多阶段攻击响应的SDN动态蜜罐[J]. 信息网络安全, 2021, 21(1): 27-40.
[3]	冉金鹏, 王翔, 赵尚弘, 高航航. 基于果蝇优化的虚拟SDN网络映射算法[J]. 信息网络安全, 2020, 20(6): 65-74.
[4]	王健, 王语杰, 韩磊. 基于突变模型的SDN环境中DDoS攻击检测方法[J]. 信息网络安全, 2020, 20(5): 11-20.
[5]	周亚球, 任勇毛, 李琢, 周旭. 基于SDN的科学DMZ研究与实现[J]. 信息网络安全, 2019, 19(9): 134-138.
[6]	赖成喆, 王文娟. 面向车队的安全且具备隐私保护的移动性管理框架[J]. 信息网络安全, 2018, 18(7): 36-46.
[7]	石悦, 李相龙, 戴方芳. 一种基于属性基加密的增强型软件定义网络安全框架[J]. 信息网络安全, 2018, 18(1): 15-22.
[8]	李剑锋, 刘渊, 张浩, 王晓锋. 面向IaaS云平台的路由转发优化研究与实现[J]. 信息网络安全, 2017, 17(9): 10-15.
[9]	徐洋, 陈燚, 何锐, 谢晓尧. SDN中DDoS检测及多层防御方法研究[J]. 信息网络安全, 2017, 17(12): 22-28.
[10]	齐宇. SDN安全研究[J]. 信息网络安全, 2016, 16(9): 69-72.
[11]	陈颖聪, 陈广清, 陈智明, 万能. 面向智能电网SDN的二进制代码分析漏洞扫描方法研究[J]. 信息网络安全, 2016, 16(7): 35-39.
[12]	蒋宽, 杨鹏. 基于数据包回溯的软件定义网络中的故障排除[J]. 信息网络安全, 2016, 16(3): 71-76.
[13]	武泽慧, 魏强. 基于OwnShip-Proof模型的软件定义网络控制器集群故障安全恢复方法[J]. 信息网络安全, 2016, 16(12): 13-18.
[14]	王刚. 一种基于SDN技术的多区域安全云计算架构研究[J]. 信息网络安全, 2015, 15(9): 20-24.
[15]	周益周, 王斌, 谢小权. 云环境下软件定义入侵检测系统设计[J]. 信息网络安全, 2015, 15(9): 191-195.