基于OpenFlow的SDN终端接入控制研究

doi:10.3969/j.issn.1671-1122.2018.04.004

摘要/Abstract

摘要：

为了解决基于OpenFlow的SDN终端安全接入问题,通过对现有SDN中针对终端安全接入解决方案的深入研究,文章提出一种基于OpenFlow的SDN终端接入控制系统。该系统将传统终端接入控制技术与基于OpenFlow的SDN新型网络相结合,主要实现了SDN环境下的用户身份认证、终端安全状态评估、用户服务授权和QoS控制等功能,并且对系统的安全性进行了详细分析。文章在Mininet中结合二次开发的RYU控制器进行网络仿真,完成了接入控制功能和通信时延性能的实验。实验结果表明,基于OpenFlow的SDN终端接入控制系统具有灵活的接入控制安全策略,能够检测SDN中不安全终端接入带来的威胁,不仅实现了用户的身份认证,而且能够保证接入终端的安全,实现不同安全状态终端的访问授权。性能测试结果表明,基于OpenFlow的SDN终端接入控制系统在身份认证时延、平台评估时延和通信时延等方面都能满足实际需要。

关键词: SDN, OpenFlow, 终端接入控制, 身份认证, 服务授权

Abstract:

In order to solve the security access problem of SDN terminal based on OpenFlow, an in-depth study of terminal secure access solutions in existing SDN networks is conducted, this paper proposes an network terminal access control system for SDN based on OpenFlow. The system drew on the traditional access control technology combined with the new SDN network based on OpenFlow. It mainly realized the functions of user identity authentication, terminal security status evaluation, authorized services for the user and different QoS control for authorized users in SDN networked environment and analyzed the security of the design system in detail. The network simulation is carried out in Mininet with the second developed RYU controller, and the experiments of access control function test and communication delay performance are carried out. The results showed that this mechanism had a flexible network access control security policy to detect and solved the security threats posed by unsafe terminal access in SDN, which not only realized the user identity authentication but also ensured the security of access terminal and achieved different security status of the terminal’s access authorization. Moreover, the performance test results shows that the OpenFlow-based SDN network terminal access control system can meet the actual needs in terms of authentication delay, platform evaluation delay and communication delay.

Key words: SDN, OpenFlow, terminal access control, authentication, service authorization

中图分类号:

TP309

魏占祯, 王守融, 李兆斌, 李伟隆. 基于OpenFlow的SDN终端接入控制研究[J]. 信息网络安全, 2018, 18(4): 23-31.

Zhanzhen WEI, Shourong WANG, Zhaobin LI, Weilong LI. Research on SDN Terminal Access Control Based on OpenFlow[J]. Netinfo Security, 2018, 18(4): 23-31.

图/表 11

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

参考文献 21

[1]	ZHANG Chaokun, CUI Yong, TANG Heyi, et al.State-of-the-Art Survey on Software-defined Networking (SDN)[J]. Journal of Software, 2015, 26(1): 62-81.
	张朝昆,崔勇,唐翯祎,等. 软件定义网络(SDN)研究进展[J]. 软件学报,2015,26(1):62-81.
[2]	ONF. OpenFlow1.3.0 specification[EB/OL]., 2017-12-21.
[3]	ONF. Software-Defined Networking: The New Norm for Networks[EB/OL]. , 2017-12-21.
[4]	YAMASAKI Y, MIYAMOTO Y, YAMATO J, et al.Flexible Access Management System for Campus VLAN Based on OpenFlow[C]//IEEE. 2011 IEEE/IPSJ 11th International Symposium on Applications and the Internet, July 18-21, 2011, Munich, Bavaria, Germany. New Jersey: IEEE, 2011: 347-351.
[5]	KINOSHITA S, WATANABE T, YAMATO J, et al.Implementation and Evaluation of an OpenFlow-based Access Control System for Wireless LAN Roaming[C]//IEEE. 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops, July 16-20, 2012, Izmir, Turkey. New Jersey: IEEE, 2012: 82-87.
[6]	ZUO Qingyun, CHEN Ming, ZHAO Guangsong, et al.Research on OpenFlow-based SDN Technologies[J]. Journal of Software, 2013, 24(5): 1078-1097.
	左青云,陈鸣,赵广松,等. 基于OpenFlow的SDN技术研究[J]. 软件学报,2013,24(5):1078-1097.
[7]	SCOTT-HAYWARD S, NATARAJAN S, SEZER S.A Survey of Security in Software Defined Networks[J]. IEEE Communications Surveys & Tutorials, 2016, 18(1): 623-654.
[8]	BENTON K, CAMP L J, SMALL C.OpenFlow Vulnerability Assessment[C]//ACM. 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, August 16, 2013, Hong Kong, China. New York: ACM, 2013: 151-152.
[9]	KULIESIUS F, DANGOVAS V.SDN Enhanced Campus Network Authentication and Access Control System[C]//IEEE. 8th International Conference on Ubiquitous and Future Networks, July 5-8, 2016, Vienna, Austria. New Jersey: IEEE, 2016: 894-899.
[10]	DANGOVAS V, KULIESIUS F. SDN-Driven Authentication and Access Control System[EB/OL]. , 2017-12-23.
[11]	LOU Hengyue, DOU Jun.Research on DoS Attacks Against Control Level in OpenFlow-based SDN[J]. Computer Science, 2015, 42(11A): 341-344.
	楼恒越,窦军. 一种针对基于OpenFlow的SDN网络中控制层面的DoS攻击研究[J]. 计算机科学,2015,42(11A):341-344.
[12]	ZUO Qingyun, ZHANG Haisu.Analysis and Research on Network Security for OpenFlow-based SDN[J]. Netinfo Security, 2015(2): 26-32.
	左青云,张海粟. 基于OpenFlow的SDN网络安全分析与研究[J]. 信息网络安全,2015(2):26-32.
[13]	MATIAS J, GARAY J, MENDIOLA A, et al.FlowNAC: Flow-based Network Access Control[C]//IEEE. 3rd European Workshop on Software Defined Networks, September 1-3, 2014, London, UK. New Jersey: IEEE, 2014: 79-84.
[14]	BENZEKKI K, EL FERGOUGUI A, ABDELBAKI E B E A. Devolving IEEE 802.1X Authentication Capability to Data Plane in Software-defined Networking (SDN) Architecture[J]. Security & Communication Networks, 2016, 9(17): 4369-4377.
[15]	MATTOS D M F, DUARTE O C M B. AuthFlow: Authentication and Access Control Mechanism for Software Defined Networking[J]. Annals of Telecommunications, 2014, 71(11-12): 1-9.
[16]	HESHAM A, SARDIS F, WONG S, et al.A Simplified Network Access Control Design and Implementation for M2M Communication Using SDN[C]//IEEE. 2017 IEEE Wireless Communications and Networking Conference Workshops, March 19-22, 2017, San Francisco, CA, USA. New Jersey: IEEE, 2017: 1-5.
[17]	WU Quanfeng, CHEN Ming, XING Changyou, et al.Design and Implementation of A Flow Access Security System Based on SDN[J]. Journal of Jiangsu University (Natural Science Edition), 2016, 37(2): 201-208.
	吴泉峰,陈鸣,邢长友,等.一种基于SDN的流接入安全系统的设计与实现[J].江苏大学学报(自然科学版),2016,37(2):201-208.
[18]	LIANG Haoming, CHEN Chunlin, LIU Xi, et al.Design and Research on Malicious Web Sites Prevention Model Based on OpenFlow[J]. Netinfo Security, 2017(1): 77-83.
	梁昊鸣,陈春林,刘锡,等. 基于OpenFlow的恶意网站防范模型设计与研究[J]. 信息网络安全,2017(1):77-83.
[19]	YAKASAI S T, GUY C G.FlowIdentity: Software-defined Network Access Control[C]//IEEE. 2015 IEEE Conference on Network Function Virtualization and Software Defined Network, November 18-21, 2015, San Francisco, CA, USA. New Jersey: IEEE, 2016: 115-120.
[20]	KLAEDTKE F, KARAME G O, BIFULCO R, et al.Towards an Access Control Scheme for Accessing Flows in SDN[C]//IEEE. 2015 1st IEEE Conference on Network Softwarization, April 13-17, 2015, London, UK. New Jersey: IEEE, 2015: 1-6.
[21]	QI Yu.Research on the Security of SDN[J]. Netinfo Security, 2016(9): 69-72.
	齐宇. SDN安全研究[J]. 信息网络安全,2016(9):69-72.