软件定义网络安全问题研究综述

doi:10.11896/jsjkx.200300119

摘要/Abstract

摘要： 软件定义网络是一种新型的网络体系结构,其通过OpenFlow技术来实现网络控制面与数据面的分离,从而达到对网络流量的灵活控制,目前已成为下一代互联网的研究热点。随着SDN的发展及广泛应用,其安全问题已成为亟待解决的重要研究内容。近年来,国内外学者在SDN安全研究领域取得了一定的成果,文中针对SDN的3层架构分别对各层所面临的安全问题及其解决方案进行了系统总结。首先给出了SDN的定义和3层框架;接着依次总结了数据层、控制层和应用层的安全问题以及相应的解决方案;然后分析并讨论了传统网络安全与SDN安全的异同;最后对软件定义网络安全问题未来研究可能面临的挑战进行了展望。

关键词: OpenFlow, 控制层, 软件定义网络, 数据层, 应用层

Abstract: Software-defined networks(SDN) is a new network architecture,which enables separate network control plane from data planes through OpenFlow technology,thus the network traffic can be flexible controlled.SDN has become a hot topic in the next generation of Internet.With the development and wide application of SDN,its security problem has become an important research topic and some achievements have been made by the domestic and foreign scholars in recent years.Based on three-layer architecture of SDN,the security problems and solutions of each layer are summarized.Firstly,the definition and three frameworks of SDN are presented;then security issues and corresponding solutions are outlined under the data layer,the control layer and application layer;in next,the security of similarities and differences between traditional network and SDN are discussed;and finally,the research challenges in future are prposed.

Key words: Application plane, Control plane, Data plane, OpenFlow, Software defined networks

中图分类号:

TP391

董仕. 软件定义网络安全问题研究综述[J]. 计算机科学, 2021, 48(3): 295-306. https://doi.org/10.11896/jsjkx.200300119

DONG Shi. Survey on Software Defined Networks Security[J]. Computer Science, 2021, 48(3): 295-306. https://doi.org/10.11896/jsjkx.200300119

参考文献

[1]MCKEOWN N,ANDERSON T,BALAKRISHNAN H,et al.OpenFlow:Enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74.
[2]BOSSHART P,DALY D P,GIBB G,et al.P4:programming protocol-independent packet processors[J].ACM Special Interest Group on Data Communication,2014,44(3):87-95.
[3]WANG H,SOULE R,DANG H T,et al.P4FPGA:A RapidPrototyping Framework for P4[C]//symposium on Sdn Research.2017:122-135.
[4]ZUO Q Y,CHEN M,ZHAO G S,et al.Research on OpenFlow-based SDN technologies[J].Journal of Software,2013,24(5):1078-1097.
[5]DONG S,ABBAS K,JAIN R.A Survey on Distributed Denial of Service (DDoS) Attacks in SDN and Cloud Computing Environments[J].IEEE Access,2019,7:80813-80828.
[6]YU Y,WANG Z L,BI J,et al.A survey on the languages in the northbound interface of the software defined neworking[J/OL].Journal of Software,2016.http://www.jos.org.cn/ 1000-9825/5028.htm.
[7]SHIN S,PORRAS P,YEGNESWARAN V,et al.A Framework For Integrating Security Services into Software-Defined Networks[C]//Proceedings of the 2013 Open Networking Summit (Research Track poster paper).2013.
[8]KREUTZ D,RAMOS F,VERISSIMO P.Towards secure and dependable software-defined networks[C]//Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking.ACM,2013:55-60.
[9]HARTMAN S,WASSERMAN M,ZHANG D.Software driven networks problem statement[J/OL].Network Working Group Internet-Draft,2013.https://tools.ietf.org/html/drafthartman- sdnsec-requirements-00.
[10]XIE H,TSOU T,LOPEZ D,et al.Use cases for ALTO with software defined networks[J/OL].Working Draft,IETF Secretariat,Internet-Draft,2012.https://tools.ietf.org/html/draft-xie-alto-sdn-use-cases-01.
[11]NAOUS J,ERICKSON D,COVINGTON G A,et al.Implementing an OpenFlow switch on the NetFPGA platform[C]//Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS ’08).2008:1-9.
[12]JARSCHEL M,OECHSNER S,SCHLOSSER D,et al.Modeling and performance evaluation of an OpenFlow architecture[C]//23rd International Teletraffic Congress (ITC 2011).IEEE,2011.
[13]YAO G,BI J,GUO L.On the cascading failures of multi-controllers in software defined networks[C]//21st IEEE International Conference on Network Protocols (ICNP).IEEE,2014.
[14]FONSECA,BENNESBY R,MOTA E,et al.A replication component for resilient OpenFlow-based networking[C]//IEEE Network Operations and Management Symposium.2012:933-939.
[15]SEEDORF J,BURGER E.Application-layer traffic optimization (ALTO)problem statement[OL].http://www.rfc-editor.org/rfc/rfc5693.txt.
[16]NADEAU T,PAN P.Software driven networks problem statement[J/OL].Network Working Group Internet-Draft,2011.https://tools.ietf.org/html/draft-nadeau-sdn-problem-statement-00.
[17]BROOKS M,YANG B.A man-in-the-middle attack againstopendaylight sdn controller[C]//Proceedings of the 4th Annual ACM Conference on Research in Information Technology.ACM,2015:45-49.
[18]LIN P C,LI P C,NGUYEN V L.Inferring openflow rules by active probing in software-defined networks[C]//2017 19th International Conference Advanced Communication Technology (ICACT).IEEE,2017:415-420.
[19]SHIN S,YEGNESWARAN V,PORRAS P,et al.Avant-guard:Scalable and vigilant switch flow management in software-defined networks[C]//ACM Sigsac Conference on Computer & Communications Security.2013:413-424.
[20]ZHANG Y,BEHESHTI N,TATIPAMULA M.On resilience of splitarchitecture networks[C]//Proceedings of the Global Communications Conference.2011:1-6.
[21]DIERKS T.The Transport Layer Security (TLS) protocol version 1.2 [EB/OL].http://tools.ietf.org/html/ rfc5246.
[22]RESCORLA E,MODADUGU N.Datagram Transport LayerSecurity Version 1.2[EB/OL].http://tools.ietf.org/html/ rfc6347.
[23]BENTON K,CAMP L J,SMALL C.OpenFlow vulnerability assessment[C]//Acm Sigcomm Workshop on Hot Topics in Software Defined Networking.2013:151-152.
[24]LIYANAGE M,GURTOV A.Secured VPN models for LTE backhaul networks[C]//IEEE Vehicular Technology Conference (VTC Fall).2012:1-5.
[25]STAESSENS D,SHARMA S,COLLE D,et al.Software defined networking:Meeting carrier grade requirements[C]//18th IEEE Workshop on Local & Metropolitan Area Networks (LANMAN).2011:1-6.
[26]SHAGHAGHI A,KAAFAR M A,BUYYA R,et al.Software-Defined Network (SDN) Data Plane Security:Issues,Solutions and Future Directions[J].arXiv:1804.00262,2018.
[27]ZHOU Y D,CHEN K Y,ZHANG J J,et al.Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network:Attack Model,Evaluation,and Defense[J].Security and Communication Networks,2018,2018:1-15.
[28]SCOTT-HAYWARD S,NATARAJAN S,SEZER S.A Survey of Security in Software Defined Networks[J].IEEE Communications Surveys & Tutorials,2016,18(1):623-654.
[29]SEZER S.Are we ready for SDN? Implementation challenges for software-defined networks[J].IEEE Communication Magazine,2013,51(7):36-43.
[30]FOSTER N.Frenetic:A network programming language[J].SIGPLAN Notices,2011,46(9):279-291.
[31]VOELLMY A,KIM H,FEAMSTER N.Procera:A languagefor high-level reactive network control[C]//First Workshop on Hot Topics in Software Defined Networks.2012:43-48.
[32]MONSANTO C,FOSTER N,HARRISON R,et al.A compiler and run-time system for network programming languages[J].SIGPLAN Notices,2012,47(1):217-230.
[33]SHIN S.FRESCO:Modular composable security services forsoftware-defined networks[C]//Proceedings of Network and Distributed Security Symposium.2013:1-16.
[34]WEN X,CHEN Y,HU C,et al.Towards a secure controller platform for OpenFlow applications[C]//Proceedings of the second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking.2013:171-172.
[35]CHOWDHARY A,HUANG D,ALSHAMRANI A,et al.Trufl:Distributed trust management framework in sdn[C]//ICC 2019－2019 IEEE International Conference on Communications (ICC).IEEE,2019:1-6.
[36]BECKETT R.An assertion language for debugging SDN applications[C]//Proc3rd ACM Workshop Hot Topics Software.Defined Network,2014:91-96.
[37]KHURSHID A,ZOU W,ZHOU W X,et al.Veriflow:Verifying network-wide invariants in real time[C]//Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation.2013:15-28.
[38]SON S,SHIN S,YEGNESWARAN V,et al.Model checkinginvariant security properties in openflow[C]//IEEE International Conference on Communications.2013:1974-1979.
[39]CANINI M,KOSTIC D,REXFORD J,et al.Automating thetesting of OpenFlow applications[C]//Proceedings of the 1st International Workshop on Rigorous Protocol Engineering(WRiPE).2011:1-6.
[40]HANDIGOL N,HELLER B,JEYAKUMAR V,et al.Where is the debugger for my software-defined network?[C]//Workshop Hot Topics Software.Defined Network,2012:55-60.
[41]WUNDSAM A,LEVIN D,SEETHARAMAN S,et al.OFRe-wind:Enabling record and replay troubleshooting for networks[C]//Usenix Conference on Usenix Technical Conference.2011:29.
[42]Security-enhanced floodlight.SDx Central,Sunnyvale,CA,USA[EB/OL].http://www.sdncentral.com/education/ towardsecure-sdn-control-layer/2013/10/.
[43]SWITCH B.Developing floodlight modules.Floodlight Open-low controller[EB/OL].http://www.projectfloodlight.org/floodlight/.
[44]FERNANDEZ M.Comparing openflow controller paradigmsscalability:reactive and proactive[C]//IEEE International Conference on Advanced Information Networking & Applications.2013:1009-1016.
[45]VOELLMY A,WANG J.Scalable software defined networkcontrollers[J].Acm Sigcomm Computer Communication Review,2012,42(4):289-290.
[46]GUDE N,KOPONEN T,PETTIT J,et al.NOX:towards an ope-rating system for networks[J].ACM SIGCOMM Computer Communication Review,2008,38(3):105-110.
[47]CAI Z,COX A L,EUGENE N G.Maestro:A system for scalable OpenFlow control[J/OL].Cs.rice.edu,https://scholarship.rice.edu/bitstream/handle/1911/96391/TR10-11.pdf?se-quence=1&isAllowed=y.
[48]PHEMIUS K,BOUET M,LEGUAY J.DISCO:Distributedmultidomain SDN controllers[C]//IEEE Network Operations and Management Symposium (NOMS).2014:1-4.
[49]PHEMIUS K,BOUET M,LEGUAY J.DISCO:DistributedSDN controllers in a multi-domain environment[C]//IEEE Network Operations and Management Symposium (NOMS).2014:1-2.
[50]Advanced Message Queuing Protocol[EB/OL].http://www.amqp.org.
[51]TOOTOONCHIAN A,GANJALI Y.HyperFlow:A distributed control plane for OpenFlow[C]//Internet Network Management Conference on Research on Enterprise Networking. USENIX Association,2010:3.
[52]HELLER B,SHERWOOD R,MCKEOWN N.The controllerplacement problem[C]//Acm Sigcomm Workshop on Hot To-pics in Software Defined Networking.2012:7-12.
[53]AHMAD I,KARUNARATHNA S N,YLIANTTILA M,et al.Load balancing in software defined mobile networks[C]//Software Defined Mobile Networks (SDMN):Beyond LTE Network Architecture.Hoboken,NJ,USA:Wiley,2015:225-245.
[54]NAMAL S,AHMAD I,GURTOV A,et al.SDN based intertechnology load balancing leveraged by flow admission control[C]//IEEE SDN for Future Networks and Services(SDN4FNS).2013:1-5.
[55]BRAGA R,MOTA E,PASSITO A.Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]//The 35th Annual IEEE Conference on Local Computer Networks.2010:408-415.
[56]KOHONEN T.The self-organizing map[J].Neurocomputing,1998,21(1):1-6.
[57]DONG S,SAREM M.DDoS Attack Detection Method Based on Improved KNN With the Degree of DDoS Attack in Software-Defined Networks[J].IEEE Access,2020:5039-5048.
[58]KALKAN K,ALTAY L,GÜR G,et al.JESS:Joint Entropy-Based DDoS Defense Scheme in SDN[J].IEEE Journal on Selected Areas in Communications,2018,36(10):2358-2372.
[59]WU Z J,XU Q,WANG J J,et al.Low-Rate DDoS Attack Detection Based on Factorization Machine in Software Defined Network[J].IEEE Access,2020,8:17404-17418.
[60]HU Y,WANG W,GONG X,et al.On reliability optimized controller placement for software-defined networks[J].China Communication,2014,11(2):38-54.
[61]HU Y N,WANG W D,GONG X Y,et al.Reliability aware controller placement for software-defined networks[C]//FIP/IEEE International Symposium on Integrated Network Management.2013:672-675.
[62]BARI M.Dynamic controller provisioning in software definednetworks[C]//International Conference on Network & Service Management.2013:18-25.
[63]HOCK D.Pareto-optimal resilient controller placement in SDN-based core networks[C]//Proceedings of the 2013 25th International Teletraffic Congress (ITC).2013:1-9.
[64]MOGUL J C.DevoFlow:Cost-effective flow management forhigh performance enterprise networks[C]//Acm Sigcomm Workshop on Hot Topics in Networks.2010:1-6.
[65]GE J G,SHEN H J,PENG Y E,et al.An OpenFlow-based dynamic path adjustment algorithm for multicast spanning trees[C]//12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.2013:1478-1483.
[66]KEMPF J.Scalable fault management for OpenFlow[C]//IEEE International Conference on Communications (ICC).2012:6606-6610.
[67]Porras P.A security enforcement kernel for OpenFlow networks[C]//ACM SIGCOMM Workshop on Hot Topics in Software Defined Networks.2012:121-126.
[68]AL-SHAER E,AL-HAJ S.FlowChecker:Configuration analysis and verification of federated openflow infrastructures[C]//Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration.2010:37-44.
[69]FAN Z,XIAO Y,NAYAK A.et al.An improved network security situation assessment approach in software defined networks[J].Peer-to-Peer Networking and Applications,2019,12(2):295-309.
[70]NAYAK A K,REIMERS A,FEAMSTER N,et al.Resonance:dynamic access control for enterprise networks[C]//Proc 1st ACM Workshop Res.Enterprise Network,2009:11-18.
[71]KEROMYTIS A.Voice-over-IP security:Research and practice[J].IEEE Security Privacy,2010,8(2):76-78.
[72]SHIN S,GU G.Attacking software-defined networks:a firstfeasibility study[C]//Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking.2013:165-166.
[73]TOOTOONCHIAN A,GORBUNOV S,GANJALI Y,et al.On controller performance in software-defined networks[C]//Proc.USENIX Workshop Hot-ICE,2012:10.
[74]GREENBERG A.A clean slate 4D approach to network control and management[J].Computer communication review,2005,35(5):43-54.
[75]CASADO M,GARFINKEL T,AKELLA A,et al.SANE:AProtection Architecture for Enterprise Networks[C]//Confe-rence on Usenix Security Symposium.USENIX Association,2006.
[76]CASADO M,FREEDMAN M J,PETTIT J,et al.ETHANE:Taking Control of the Enterprise[C]//Proceedings of the ACM SIGCOMM 2007 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications.Kyoto,Japan,2007:27-31.
[77]WANG L,LI Q,JIANG Y,et al.Woodpecker:Detecting andmitigating link-flooding attacks via SDN[J].Computer Networks,2018,147:1-13.
[78]LI C,WU Y,YUAN X,et al.Detection and defense of DDoS attack-based on deep learning in OpenFlow-based SDN[J].International Journal of Communication Systems,2018,31(5):e3497.
[79]JENNINGS B,MEER S V D,BALASUBRAMANIAM S,et al.Towards autonomic management of communications networks[J].IEEE Communication Magazine,2007,45(10):112-121.
[80]HAMED H,AL-SHAER E.Taxonomy of conflicts in network security policies[J].Communications Magazine,IEEE,2006,44(3):134-141.
[81]WOOL A.A quantitative study of firewall configuration errors[J].Computer,2004,37(6):62-67.
[82]KIM H,FEAMSTER N.Improving network management with software defined networking[J].IEEE Communication Magazine,2013,51(2):114-119.
[83]Software-defined networking:The new norm for networks[EB/OL].https://www.opennetworking.org/sdn-resources/sdn-library/whitepapers/benefits-of-OFB-SDN.
[84]KIM W,SHARMA P,LEE J,et al.Automated and ScalableQoS Control for Network Convergence[C]//Proc.Internet Network Management Workshop/Workshop on Research on Enterprise Networking (INM/WREN).2010.
[85]MATTOS D M.OMNI:OpenFlow management infrastructure[C]//International Conference on the Network of the Future.2011:52-56.
[86]REXFORD J,DOVROLIS C.Future internet architecture:clean-slate versus evolutionary research[J].Communications of the ACM,2010,53(9):36-40.
[87]LI T.Design goals for scalable internet routing[OL].https://www.rfc-editor.org/rfc/pdfrfc/rfc6227.txt.pdf.
[88]GURTOV A.Host Identity Protocol (HIP):Towards the Secure Mobile Internet[M/OL].https://onlinelibrary.wiley.com/doi/book/10.1002/9780470772898.
[89]QIN X,TANG G D,CHANG C W.SDN security control and forwarding method based on cipher identification[J].Journal on Communications,2018,39(2):31-42.

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed