Computer Science, 2019, Vol. 46, Issue (10): 135-140. doi: 10.11896/jsjkx.180901659

• Information Security •

NFV-based Mechanism to Guard Against UDP Control Packet Redundancy in SDN Controller

XUE Hao, CHEN Ming, QIAN Hong-yan

  1. (College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China)
  • Received: 2018-09-05  Revised: 2019-03-15  Online: 2019-10-15  Published: 2019-10-21
  • Corresponding author: CHEN Ming (born 1956), male, Ph.D., professor, Ph.D. supervisor, senior member of CCF; his main research interests are network architecture, network measurement and future networks. E-mail: mingchen@nuaa.edu.cn
  • About the authors: XUE Hao (born 1991), male, master's student; his main research interests are software defined networking and network security. E-mail: xhlcxx@163.com. QIAN Hong-yan (born 1973), female, Ph.D., associate professor, master's supervisor, member of CCF; her main research interests are wireless networks and information security.
  • Funding: This work was supported by the National Natural Science Foundation of China (61772271, 61379149).

Abstract (translated): Although the security of Software Defined Networking (SDN) has received a great deal of attention, the threat that redundant UDP packets from heavy flows pose to the SDN controller has not been effectively resolved. To address this, drawing on the characteristics of SDN and Network Function Virtualization (NFV) and on the load the SDN controller experiences when handling UDP and TCP flows, this paper first proposes a novel NFV-based mechanism to guard against redundant UDP packets in the SDN controller: a detection middlebox placed in front of the OpenFlow switch port can effectively detect and filter out redundant packets of a UDP flow. Second, it proposes a cost-effective NFV-based implementation of the detection middlebox using Linux containers: before the SDN controller installs the flow entry, only the first packet of a UDP flow is allowed through the middlebox, which guarantees that a matching flow table entry already exists when the subsequent packets of that flow reach the OpenFlow switch. Finally, a prototype system based on this mechanism is implemented on a Linux server and evaluated experimentally. The results show that when the delay t applied to non-first packets is greater than or equal to the time the controller needs to process a single packet, the method effectively removes the threat of redundant UDP packets.

Keywords (translated): UDP, detection middlebox, software defined networking, network security, network function virtualization

Abstract: Although the security of software-defined networking (SDN) has received great attention, the threat to SDN controllers from UDP duplicate packets in a heavy flow has not yet been eliminated. In response, based on the features of SDN and network function virtualization (NFV) technology, and taking into account the load on the SDN controller when it handles both UDP and TCP data streams, this paper first proposes a new NFV-based mechanism to guard against UDP control packet redundancy in the SDN controller. The detection middlebox located in front of the OpenFlow switch interface can detect and filter UDP duplicate packets effectively. Secondly, this paper puts forward a cost-effective NFV-based implementation method for the detection middlebox. The detection middlebox is implemented with a Linux container, and only the first packet of a UDP flow is allowed to pass through before a path is established by the SDN controller, ensuring that subsequent packets of the UDP flow already have a relevant flow table entry when they reach the OpenFlow switch. Finally, this paper implements and tests a prototype system of the mechanism on a Linux server. The experimental results demonstrate that the method can effectively remove the threat of UDP redundant packets when the delay t applied to non-first packets is greater than or equal to the time the controller needs to process a single packet.

Key words: Detection middlebox, Network function virtualization, Network security, Software defined network, UDP

CLC number: TP393
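To make the mechanism described in the abstract concrete, here is an added Python simulation that is not code from the paper or from its container-based prototype. It models an OpenFlow switch in which every table miss raises a PacketIn, a controller that needs an assumed ctrl_delay to install the flow entry, and a first-packet-only detection middlebox that passes the first packet of each UDP flow immediately and holds every later packet of that flow until the first packet's arrival plus t (this reading of "delay t of non-first packets" is the editor's assumption); TCP is passed through untouched. The packet record, the 5-tuple flow key, the burst timings and the 2 ms controller delay are all constructed values. The simulation shows that the number of PacketIns per UDP flow collapses to one exactly when t ≥ ctrl_delay, which is the condition the abstract reports.

```python
"""Toy event simulation of the UDP redundant-control-packet problem and of a
first-packet-only detection middlebox placed in front of an OpenFlow switch."""
from collections import namedtuple

# Arrival time is in milliseconds (constructed sample data, not measurements).
Packet = namedtuple("Packet", "time proto src dst sport dport")


def flow_key(pkt):
    """5-tuple the switch's flow table matches on (assumed match fields)."""
    return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


class OpenFlowSwitch:
    """Switch model: every table miss raises a PacketIn; the controller needs
    ctrl_delay ms to push the FlowMod, and during that window further misses
    for the same flow still raise PacketIns (the redundancy the paper targets)."""

    def __init__(self, ctrl_delay):
        self.ctrl_delay = ctrl_delay
        self.install_time = {}   # flow key -> time the entry becomes active
        self.packet_ins = 0

    def receive(self, pkt):
        key = flow_key(pkt)
        active = self.install_time.get(key)
        if active is not None and active <= pkt.time:
            return "forwarded"           # entry exists: handled in the data plane
        self.packet_ins += 1             # table miss -> control-plane message
        if active is None:               # first miss: controller starts working
            self.install_time[key] = pkt.time + self.ctrl_delay
        return "packet_in"


class DetectionMiddlebox:
    """Lets the first packet of each UDP flow through at once and holds every
    later packet of that flow until first_seen + delay_t; TCP is untouched."""

    def __init__(self, delay_t):
        self.delay_t = delay_t
        self.first_seen = {}             # UDP flow key -> first packet's time

    def process(self, pkt):
        if pkt.proto != "udp":
            return pkt
        key = flow_key(pkt)
        if key not in self.first_seen:
            self.first_seen[key] = pkt.time
            return pkt
        release = max(pkt.time, self.first_seen[key] + self.delay_t)
        return pkt._replace(time=release)


def run(packets, ctrl_delay, delay_t=None):
    """Replay packets through (optional middlebox ->) switch; return PacketIn count."""
    if delay_t is not None:
        mb = DetectionMiddlebox(delay_t)
        packets = [mb.process(p) for p in sorted(packets, key=lambda p: p.time)]
    switch = OpenFlowSwitch(ctrl_delay)
    for pkt in sorted(packets, key=lambda p: p.time):   # re-sort: holds reorder packets
        switch.receive(pkt)
    return switch.packet_ins


# Constructed workload: a 10-packet UDP burst spaced 0.1 ms apart, plus a TCP flow
# whose second packet waits for the handshake round trip and so is naturally spaced.
UDP_BURST = [Packet(0.1 * i, "udp", "10.0.0.1", "10.0.0.2", 40000, 53) for i in range(10)]
TCP_FLOW = [Packet(0.0, "tcp", "10.0.0.1", "10.0.0.3", 50000, 80),
            Packet(5.0, "tcp", "10.0.0.1", "10.0.0.3", 50000, 80)]
CTRL_DELAY = 2.0   # assumed controller time to handle one PacketIn, in ms

if __name__ == "__main__":
    workload = UDP_BURST + TCP_FLOW
    print("no middlebox    :", run(workload, CTRL_DELAY))              # 11 PacketIns
    print("t <  ctrl delay :", run(workload, CTRL_DELAY, delay_t=1.0))  # still 11
    print("t >= ctrl delay :", run(workload, CTRL_DELAY, delay_t=2.0))  # 2 (one per flow)
```

Without the middlebox all ten packets of the UDP burst miss the flow table before the controller's entry becomes active, so the controller receives ten PacketIns for one flow; with t set below the controller's processing time the held packets are released too early and the redundancy remains, while with t equal to or above it the held packets arrive after the entry is active and only the first packet reaches the controller. The TCP flow yields one PacketIn in every run because its second packet is already spaced by the handshake round trip, which is why the mechanism needs to act only on UDP.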