基于OpenFlow的SDN网络安全分析与研究

doi:10.3969/j.issn.1671-1122.2015.02.005

摘要/Abstract

摘要： 基于OpenFlow的SDN技术将网络的数据平面和控制平面相分离,通过部署中央控制器来实现对网络的管控,为未来网络的发展提供了一种新的解决思路。然而,这种新型网络管控方法与传统网络在分布式控制平面上通过封闭网络设备进行管控的方法有着根本区别,因而在实现集中化管理的同时将引入新的管理和安全问题。文章首先介绍了其三层架构的自身缺陷和可能存在的安全问题,并从SDN架构的基础设施层、南向接口、控制层、北向接口和应用层等几个方面分别进行分析,总结出SDN不同层次存在安全问题的原因;随后,文章从认证机制、控制层的备份和恢复、网络异常识别和防御机制、应用隔离和权限管理等四个方面总结了当前的相关研究进展和研究思路,并提出了可行的解决方案;最后,对全文进行总结和展望。

关键词: OpenFlow网络, 软件定义网络, 控制层, 认证, 备份

Abstract: OpenFlow-based SDN technology separates the data and control planes of network, deploys central controller to manage and control the network, and provides a new solution for the development of future network. However, this new method of network management and control differs essentially from traditional network management method using close network equipment with distributed control plane currently, which would introduce new management and security problems when achieving centralized management. In this paper, we firstly introduce the defects of the three-layer architecture itself and the possible security issues, and analyze these issues from infrastructure layer, southbound interface, control layer, northbound interface and application layer respectively. Then, we summarize current related research status and research methods, and provide feasible solutions from four aspects including authentication mechanisms, backup and recovery of control layer, network anomaly detection and defense mechanisms, application isolation and permission management. After the discussion, we conclude the paper and point out the research direction.

Key words: OpenFlow network, software defined networking, control layer, authentication, backup

中图分类号:

TP309

左青云, 张海粟. 基于OpenFlow的SDN网络安全分析与研究[J]. 信息网络安全, 2015, 15(2): 26-32.

ZUO Qing-yun, ZHANG Hai-su. Analysis and Research on Network Security for OpenFlow-based SDN[J]. 信息网络安全, 2015, 15(2): 26-32.

参考文献

[1] Mckeown N, Anderson T, Balakrishnan H, et al. OpenFlow: Enabling Innovation in Campus Networks[J]. ACM SIGCOMM Computer Communication Review 2008, 38(2): 69-74.
[2] Kreutz D, Ramos F, Verissimo P. Towards Secure and Dependable Software-Defined Networks[C]// HotSDN. 2013: 55-60.
[3] Benton K, Camp L, Small C. OpenFlow Vulnerability Assessment[C]// HotSDN. 2013: 151-152.
[4] Shin S, Gu G. Attacking Software-Defined Networks: A First Feasibility Study[C]//HotSDN. 2013: 165-166.
[5] Koponen T, Casado M, Gude N, et al. Onix: A Distributed Control Platform for Large-scale Production Networks[C]//Proc. of the 9th USENIX conference on Operating Systems Design and Implementation (OSDI). Vancouver: USENIX Association, 2010: 1-6.
[6] Open Networking Foundation[EB/OL]. https://www.opennetworking.org, 2014-03-10.
[7] Gude N, Koponen T, Pettit J, et al. Nox: Towards an operating system for networks[J]. ACM Computer Communication Review, 2008, 38(3):105-110.
[8] Sharma S, Staessens D, Colle D, et al. OpenFlow: Meeting carrier-grade recovery requirements[J]. Computer communications. 2012, 36(6):656-665.
[9] Kuzniar M, Peresini P, Vasic N, et al. Automatic Failure Recovery for Software-Defined Networks[C]//HotSDN. 2013:159-160.
[10] Kozat U, Liang G, Kokten K. Verifying Forwarding Plane Connectivity and Locating Link Failures using Static Rules in Software Defined Networks[C]//HotSDN. 2013:157-158.
[11] Tootoonchian A, Ganjali Y. HyperFlow: A Distributed Control Plane for OpenFlow[C]//Proceeding of Internet Network Management Workshop/Workshop on Research on Enterprise Networking (INM/WREN), 2010:3-3.
[12] Yeganeh S, Ganjali Y. Kandoo: A Framework for Efficient and Scalable Offloading of Control Applications[C]//HotSDN, 2012: 19-24.
[13] Dixit A, Hao F, Mukherjee S, et al. Towards an Elastic Distributed SDN Controller[C]//HotSDN. 2013:7-12.
[14] Pfaff B, Pettit J, Koponen T, Amidon K, Casado M, Shenker S. Extending Networking into the Virtualization Layer[C]//Proc. of the 7th ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), 2009.
[15] Mehdi S, Khalid J, Khayam S. Revisiting Traffic Anomaly Detection Using Software Defined Networking[C]//Proc of the 14th International Conference on Recent Advances in Intrusion Detection (RAID), 2011:161-180.
[16] Shin S, Porras P, Yegneswaran V, et al. FRESCO: Modular Composable Security Services for Software-Defined Networks[C]// NDSS, 2013.
[17] Jose L, Yu M, Rexford J. Online Measurement of Large Traffic Aggregates on Commodity Switches[C]//Proc of the 11th USENIX Conference on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE), 2011:13-13.
[18] Braga R, Mota E, Passito A. Lightweight DDoS Flooding Attack Detection Using NOX/OpenFlow[C]//IEEE 35th Conference on Local Computer Networks (LCN), 2010:408-415.
[19] Shahreza S, Ganjali Y. FleXam: Flexible Sampling Extension for Monitoring and Security Applications in OpenFlow[C]//HotSDN. 2013:167-168.
[20] Canini M, Venzano D, Peresini P, et al. A NICE way to test OpenFlow applications[C]//Proc. of the 9th USENIX Symp. on Networked Systems Design and Implementation (NSDI), 2012:10.
[21] Sherwood R, Gibb G, Yap K, et al. Can the production network be the testbed?[C]//Proc. of the 9th USENIX Conf. on Operating Systems Design and Implementation (OSDI), 2010:1-6.
[22] Porras P, Shin S, Yegneswaran V. A Security Enforcement Kernel for OpenFlow Networks[C]//HotSDN, 2012:121-126.
[23] Wen X, Chen Y, Hu C. Towards a Secure Controller Platform for OpenFlow Applications[C]//HotSDN, 2013:171-172.
[24] Foster N, Guha A, Reitblatt M, et al. Languages for Software-Defined Networks[J]. IEEE communications magazine. 2013, 51(2):128-134.