Computer Science, 2019, Vol. 46, Issue 10: 135-140. doi: 10.11896/jsjkx.180901659

• Information Security •

NFV-based Mechanism to Guard Against UDP Control Packet Redundancy in SDN Controller

XUE Hao, CHEN Ming, QIAN Hong-yan   

  1. College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
  • Received: 2018-09-05  Revised: 2019-03-15  Online: 2019-10-15  Published: 2019-10-21

Abstract: Although the security of software-defined networking (SDN) has received great attention, the threat that duplicate UDP packets in a heavy flow pose to SDN controllers has not yet been eliminated. In response, based on the features of SDN and network function virtualization (NFV) technology, and taking into account the load on the SDN controller when it handles both UDP and TCP data streams, this paper first proposes a new NFV-based mechanism to guard against UDP control packet redundancy in the SDN controller. A detection middlebox placed in front of the OpenFlow switch interface detects and filters duplicate UDP packets effectively. Second, the paper puts forward a cost-effective NFV-based implementation of the detection middlebox: it is implemented as a Linux container, and only the first packet of a UDP flow is allowed to pass through before the SDN controller has established a path, so that subsequent packets of that flow already find a matching flow table entry when they reach the OpenFlow switch. Finally, the paper implements and tests a prototype of the mechanism on a Linux server. The experimental results show that the method effectively removes the threat of redundant UDP packets when the delay t applied to non-first packets is set larger than or equal to the time the controller needs to process a single packet.
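The mechanism summarised above can be reasoned about with a small event-driven model. The following Python code is an added illustration written for this page; it is not code from the paper or from its prototype. It assumes (as simplifications) that the middlebox measures the delay t from the moment it forwarded the first packet of a UDP flow, that the controller installs the flow entry a fixed proc_time after each Packet-In, that switch-to-controller latency is folded into proc_time, and that TCP flows are never held. The packet burst and flow keys are constructed sample data.

```python
"""Toy model of a detection middlebox in front of an OpenFlow switch.

Constructed scenario: a burst of UDP packets from one flow arrives while the
controller is still installing the flow entry. Without the middlebox every
packet that reaches the switch before the entry is active is a table miss and
costs one Packet-In. With the middlebox, the first packet passes immediately
and later packets of the same flow are held until delay t has elapsed.
"""
import heapq


class Controller:
    """Installs one flow entry per table miss; each Packet-In costs proc_time."""

    def __init__(self, proc_time):
        self.proc_time = proc_time
        self.packet_ins = 0

    def packet_in(self, switch, flow, now):
        self.packet_ins += 1
        # Assumption: controller-to-switch latency is folded into proc_time.
        switch.install(flow, now + self.proc_time)


class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.install_time = {}  # flow -> time at which its entry becomes active
        self.forwarded = 0      # packets matched in the flow table

    def install(self, flow, at):
        # Keep the earliest installation; later ones are the redundancy measured.
        self.install_time[flow] = min(at, self.install_time.get(flow, at))

    def receive(self, flow, now):
        if flow in self.install_time and self.install_time[flow] <= now:
            self.forwarded += 1                   # table hit, no control traffic
        else:
            self.controller.packet_in(self, flow, now)   # table miss


class DetectionMiddlebox:
    """Lets the first packet of each UDP flow through; holds the rest for t."""

    def __init__(self, hold_delay):
        self.t = hold_delay
        self.first_seen = {}

    def release_time(self, flow, now):
        if flow[4] != "udp":            # assumption: only UDP flows are held
            return now
        if flow not in self.first_seen:
            self.first_seen[flow] = now
            return now
        return max(now, self.first_seen[flow] + self.t)


def simulate(arrivals, proc_time, hold_delay=None):
    """arrivals: list of (time, flow_key). hold_delay=None disables the middlebox.
    Returns (packet_ins, forwarded)."""
    ctrl = Controller(proc_time)
    sw = Switch(ctrl)
    mb = DetectionMiddlebox(hold_delay) if hold_delay is not None else None
    queue = []
    for seq, (t, flow) in enumerate(sorted(arrivals, key=lambda a: a[0])):
        when = mb.release_time(flow, t) if mb else t
        heapq.heappush(queue, (when, seq, flow))
    while queue:
        when, _, flow = heapq.heappop(queue)
        sw.receive(flow, when)
    return ctrl.packet_ins, sw.forwarded


# Constructed sample: ten UDP packets 0.1 ms apart plus a TCP flow whose second
# packet only follows after a round trip. Times are in milliseconds.
UDP_FLOW = ("10.0.0.1", "10.0.0.2", 5000, 53, "udp")
TCP_FLOW = ("10.0.0.1", "10.0.0.2", 40000, 80, "tcp")
BURST = [(0.1 * i, UDP_FLOW) for i in range(10)] + [(0.0, TCP_FLOW), (5.0, TCP_FLOW)]
PROC_TIME = 2.0  # controller time to process a single packet


def demo():
    """Compare no middlebox, t >= proc_time, and t < proc_time."""
    return {
        "no_middlebox": simulate(BURST, PROC_TIME),
        "t_equal_proc": simulate(BURST, PROC_TIME, hold_delay=PROC_TIME),
        "t_below_proc": simulate(BURST, PROC_TIME, hold_delay=PROC_TIME / 2),
    }


if __name__ == "__main__":
    for name, (pins, fwd) in demo().items():
        print(f"{name}: packet_ins={pins} forwarded={fwd}")
```

The model reproduces the abstract's condition: with t equal to the controller's per-packet processing time the UDP burst generates a single Packet-In and the remaining nine packets hit the installed entry, whereas with t below that value every held packet still arrives before the entry is active and the redundant Packet-Ins return. The TCP flow contributes one Packet-In in every run because its second packet naturally waits for the handshake.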

Key words: Detection middlebox, Network function virtualization, Network security, Software defined network, UDP

CLC Number: TP393