Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address

doi:10.3969/j.issn.1671-1122.2024.01.011

Abstract

Abstract:

Cloud networking can rapidly deploy and configure virtual network resource on cloud platform according to different business scenarios, which is an important guarantee for performance and security in modern data center. However, traditional cloud network cannot make transparent end-to-end transmission due to the limitation of IPv4. The multi-tenant feature makes it difficult for cloud manager to constrain traffic on tenant subnets, and external security solutions lack of traceability of traffic from different tenants, making it impossible to restrict attack at the source. IPv6 has large address space, strong addressing ability, and high security. Guided by the endogenous security concept and centered on IPv6 address driven, this article proposed an IPv6 address driven cloud network endogenous security hierarchy architecture, including address generation layer, address verification layer, and address utilization layer.At the address generation layer, the tenant identity was embedded into the last 64 bits of IPv6 address using symmetric encryption algorithm, and the DHCPv6 address allocation strategy was modified. The implementation was based on Openstack Neutron. At the address verification layer, a dynamic source address verification method was designed and implemented for cloud networks. Specific transition methods and security policies were designed for different port status sets. At the address utilization layer, based on the characteristics of real IPv6 address, a packet tracing mechanism and an access control policy based on IPv6 addresses were implemented.

Key words: cloud network, endogenous security, source address validation, address generation, IPv6

CLC Number:

TP309

ZHANG Bowen, LI Dong, ZHAO Yizhu, YU Junqing. Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address[J]. Netinfo Security, 2024, 24(1): 113-120.

Figures/Tables 9

References 25

[1]	TABRIZCHI H, RAFSANJANI M K. A Survey on Security Challenges in Cloud Computing: Issues, Threats, and Solutions[J]. The Journal of Supercomputing, 2020, 76(12): 9493-9532. doi: 10.1007/s11227-020-03213-1
[2]	SINGH V, PANDEY S K. Revisiting Cloud Security Threats: IP Spoofing[C]//Springer. The International Conference on Soft Computing:Theories and Applications. Heidelberg: Springer, 2020: 225-236.
[3]	YU Quan, REN Jing, ZHANG Jiyan, et al. An Immunology-Inspired Network Security Architecture[J]. IEEE Wireless Communications, 2020, 27(5): 168-173. doi: 10.1109/MWC.7742 URL
[4]	WU Jiangxing. Mimic Defense Technology Constructs National Information Cyberspace Endogenous Safety and Security[J]. Information and Communications Technologies, 2019, 13(6): 4-6.
	邬江兴. 拟态防御技术构建国家信息网络空间内生安全[J]. 信息通信技术, 2019, 13(6):4-6.
[5]	JIANG Weiyu, LIU Bingyang, WANG Chuang, et al. Security-Oriented Network Architecture[J]. Security and Communication Networks, 2021(10): 1-16.
[6]	LI Lingshu. Research on Key Technologies of Mimic SaaS Cloud Security Architecture[D]. Zhengzhou: Information Engineering University of PLA, 2021.
	李凌书. 拟态SaaS云安全架构及关键技术研究[D]. 郑州: 战略支援部队信息工程大学, 2021.
[7]	GUO Junli, XU Mingyang, YUAN Haoyu, et al. Introduction of Endogenous Security of Zero Trust Model[J]. Journal of Zhengzhou University(Natural Science Edition), 2022, 54(6): 51-58.
	郭军利, 许明洋, 原浩宇, 等. 引入内生安全的零信任模型[J]. 郑州大学学报(自然科学版), 2022, 54(6):51-58.
[8]	OSANAIYE O A. Short Paper: IP Spoofing Detection for Preventing DDoS Attack in Cloud Computing[C]// IEEE. 18th International Conference on Intelligence in Next Generation Networks. New York: IEEE, 2015: 139-141.
[9]	MAHESHWARI A, MEHRAJ B, KHAN M S, et al. An Optimized Weighted Voting Based Ensemble Model for DDoS Attack Detection and Mitigation in SDN Environment[EB/OL]. [2023-09-11]. https://www.sciencedirect.com/science/article/abs/pii/S0141933121005585.
[10]	KAUTISH S, REYANA A, VIDYARTHI A. SDMTA: Attack Detection and Mitigation Mechanism for DDoS Vulnerabilities in Hybrid Cloud Environment[J]. IEEE Transactions on Industrial Informatics, 2022, 18(9): 6455-6463. doi: 10.1109/TII.2022.3146290 URL
[11]	XU Ke, FU Songtao, LI Qi, et. al. The Research Progress on Intrinsic Internet Security Architecture[J]. Chinese Journal of Computers, 2021, 44(11): 2149-2172.
	徐恪, 付松涛, 李琦, 等. 互联网内生安全体系结构研究进展[J]. 计算机学报, 2021, 44(11):2149-2172.
[12]	LIU Ying, REN Gang, WU Jianping, et al. Building an IPv6 Address Generation and Traceback System with NIDTGA in Address Driven Network[J]. SCIENCE CHINA Information Sciences, 2015, 58(12): 1-14.
[13]	WU Jianping, BI Jun, BAGNULO M, et al. RFC 7039: Source Address Validation Improvement (SAVI) Framework[EB/OL]. [2023-09-10]. http://ftp.otenet.gr/doc/rfc/rfc7039.txt.pdf.
[14]	HU Jinlong, WU Yisheng. Source Address Validation Based Ethernet Switches for IPv6 Network[C]// IEEE. 2012 IEEE International Conference on Computer Science and Automation Engineering(CSAE). New York: IEEE, 2012: 84-87.
[15]	LIU Bingyang, BI Jun, ZHOU Yu. Source Address Validation in Software Defined Networks[C]// ACM. The 2016 ACM SIGCOMM Conference. New York: ACM, 2016: 595-596.
[16]	CHEN Guolong, HU Guangwu, JIANG Yong, et al. SAVSH: IP Source Address Validation for SDN Hybrid Networks[C]// IEEE. 2016 IEEE Symposium on Computers and Communication(ISCC). New York: IEEE, 2016: 409-414.
[17]	ZHOU Qizhao. Research on Security Optimization Technologies of Flow Table in Software Defined Data Center Networks[D]. Wuhan: Huazhong University of Science and Technology, 2021.
	周启钊. 软件定义的数据中心网络流表安全保护性能优化方法研究[D]. 武汉: 华中科技大学, 2021.
[18]	CHEN Qing. Research on Optimization of Source Address Dynamic Validation Method in Software Defined Network[D]. Wuhan: Huazhong University of Science and Technology, 2019.
	陈清. 软件定义网络中源地址动态验证方法优化研究[D]. 武汉: 华中科技大学, 2019.
[19]	WANG Changping, CAI Yueping. Classified Flow Routing Scheme for Data Center Networks[J]. Journal of Chinese Computer Systems, 2016, 37(11): 2488-2492.
	王昌平, 蔡岳平. 数据中心网络流量分类路由机制研究[J]. 小型微型计算机系统, 2016, 37(11):2488-2492.
[20]	BEHAL S, KUMAR K. Detection of DDoS Attacks and Flash Events Using Novel Information Theory Metrics[J]. Computer Networks, 2017, 116: 96-110. doi: 10.1016/j.comnet.2017.02.015 URL
[21]	NG A. Sparse Autoencoder[J]. CS294A Lecture Notes, 2011, 72: 1-19.
[22]	BREIMAN L. Random Forests[J]. Machine Learning, 2001, 45: 5-32. doi: 10.1023/A:1010933404324 URL
[23]	ELSAYED M S, LE-KHAC N A, JURCUT A D. InSDN: A Novel SDN Intrusion Dataset[J]. IEEE Access, 2020, 8: 165263-165284. doi: 10.1109/Access.6287639 URL
[24]	WANG Zhihao, JIANG Dingde, HUO Liuwei, et al. An Efficient Network Intrusion Detection Approach Based on Deep Learning[EB/OL]. (2021-07-03) [2023-09-20]. https://link.springer.com/article/10.1007/s11276-021-02698-9.
[25]	ZANG Shiping, ZHAO Dongyan, HU Yi, et al. A High Speed SM3 Algorithm Implementation for Security Chip[C]// IEEE. 5th Advanced Information Technology, Electronic and Automation Control Conference(IAEAC). New York: IEEE, 2021: 915-919.