Computer Science ›› 2021, Vol. 48 ›› Issue (3): 295-306. doi: 10.11896/jsjkx.200300119
DONG Shi (董仕)
Abstract: Software-defined networking (SDN) is a new network architecture that uses OpenFlow to separate the network control plane from the data plane, enabling flexible control of network traffic; it has become a research hotspot for the next-generation Internet. With the development and wide deployment of SDN, its security problems have become an important research topic in urgent need of solutions. In recent years, researchers at home and abroad have achieved a number of results in SDN security research. This paper systematically summarizes the security problems faced by each layer of SDN's three-layer architecture and their solutions. It first gives the definition of SDN and its three-layer framework; it then summarizes in turn the security problems of the data layer, the control layer and the application layer together with the corresponding solutions; it then analyzes and discusses the similarities and differences between traditional network security and SDN security; finally, it looks ahead to the challenges that future research on SDN security may face.
Related articles:
[1] 耿海军, 王威, 尹霞. Single Node Failure Routing Protection Algorithm Based on Hybrid Software Defined Networks. Computer Science, 2022, 49(2): 329-335. https://doi.org/10.11896/jsjkx.210100051
[2] 高明, 周慧颖, 焦海, 应丽莉. Link Mapping Algorithm Based on Weighted Graph. Computer Science, 2021, 48(11A): 476-480. https://doi.org/10.11896/jsjkx.201200216
[3] 高雅卓, 刘亚群, 张国敏, 邢长友, 王秀磊. Multi-stage Game Based Dynamic Deployment Mechanism of Virtualized Honeypots. Computer Science, 2021, 48(10): 294-300. https://doi.org/10.11896/jsjkx.210500071
[4] 贾吾财, 吕光宏, 王桂芝, 宋元隆. Review on Placement of Multiple Controllers in SDN. Computer Science, 2020, 47(7): 206-212. https://doi.org/10.11896/jsjkx.200200075
[5] 黄梅根, 汪涛, 刘亮, 庞瑞琴, 杜欢. Virtual Network Function Deployment Strategy Based on Software Defined Network Resource Optimization. Computer Science, 2020, 47(6A): 404-408. https://doi.org/10.11896/JsJkx.191000116
[6] 张举, 王浩, 罗舒婷, 耿海军, 尹霞. Hybrid Software Defined Network Energy Efficient Routing Algorithm Based on Genetic Algorithm. Computer Science, 2020, 47(6): 236-241. https://doi.org/10.11896/jsjkx.191000139
[7] 谢英英, 石涧, 黄硕康, 雷凯. Survey on Internet of Things Based on Named Data Networking Facing 5G. Computer Science, 2020, 47(4): 217-225. https://doi.org/10.11896/jsjkx.191000157
[8] 周建新, 张志鹏, 周宁. Load Balancing Technology of Segment Routing Based on CKSP. Computer Science, 2020, 47(4): 256-261. https://doi.org/10.11896/jsjkx.190500122
[9] 高航航, 赵尚弘, 王翔, 张晓燕. Traffic Balance Scheme of Aeronautical Information Network Based on System Optimal Strategy. Computer Science, 2020, 47(3): 261-266. https://doi.org/10.11896/jsjkx.190200296
[10] 赵金龙, 张国敏, 邢长友, 宋丽华, 宗祎本. Self-adaptive Deception Defense Mechanism Against Network Reconnaissance. Computer Science, 2020, 47(12): 304-310. https://doi.org/10.11896/jsjkx.200900126
[11] 谷晓会, 章国安. Survey of SDN Applications in Vehicular Networks. Computer Science, 2020, 47(1): 237-244. https://doi.org/10.11896/jsjkx.190100178
[12] 张钊, 李海龙, 胡磊, 董思歧. Service Function Load Balancing Based on SDN-SFC. Computer Science, 2019, 46(9): 130-136. https://doi.org/10.11896/j.issn.1002-137X.2019.09.018
[13] 窦浩铭, 姜慧, 陈思光. SDN-based Network Controller Algorithm for Load Balancing. Computer Science, 2019, 46(6A): 312-316.
[14] 金勇, 刘亦星, 王欣欣. SDN-based Multipath Traffic Scheduling Algorithm for Data Center Network. Computer Science, 2019, 46(6): 90-94. https://doi.org/10.11896/j.issn.1002-137X.2019.06.012
[15] 薛昊, 陈鸣, 钱红燕. NFV-based Mechanism to Guard Against UDP Control Packet Redundancy in SDN Controller. Computer Science, 2019, 46(10): 135-140. https://doi.org/10.11896/jsjkx.180901659