左志斌,
常朝稳^,,
祝现威
信息工程大学 郑州 450001
基金项目:国家自然科学基金(61572517)

详细信息

作者简介:左志斌：男，1979年生，博士生，研究方向为SDN、网络安全
常朝稳：男，1965年生，教授，博士生导师，研究方向为网络安全、态势感知
祝现威：男，1991年生，博士生，研究方向为SDN、信息安全

通讯作者:常朝稳　changchaowen5@163.com

中图分类号:TP393

计量

文章访问数:1275
HTML全文浏览量:557
PDF下载量:84
被引次数:0

出版历程

收稿日期:2019-05-24
修回日期:2019-09-28
网络出版日期:2020-01-31
刊出日期:2020-06-04

A Software-Defined Networking Packet Forwarding Verification Mechanism Based on Programmable Data Plane

Zhibin ZUO,
Chaowen CHANG^,,
Xianwei ZHU
Information Engineering University, Zhengzhou 450001, China
Funds:The National Natural Science Foundation of China (61572517)


摘要
摘要:针对软件定义网络(SDN)中OpenFlow协议匹配字段固定且数量有限，数据流转发缺少有效的转发验证机制等问题，该文提出一种基于数据平面可编程的软件定义网络报文转发验证机制。通过为数据报文添加自定义密码标识，将P4转发设备加入基于OpenFlow的软件定义网络，在不影响数据流正常转发的基础上，对网络业务流精确控制和采样。控制器验证采样业务报文完整性，并针对异常报文下发流规则至OpenFlow转发设备，对恶意篡改、伪造等异常数据流进行转发控制。最后，构建基于开源BMv2的P4转发设备和基于OpenFlow的Open vSwitch转发设备的转发验证原型，并构建仿真网络进行实验。实验结果表明，该机制能够有效检测业务报文篡改、伪造等转发异常行为，与同类验证机制相比，在安全验证处理开销保持不变的情况下，能够实现更细粒度的业务流精确控制采样和更低的转发时延。
关键词:软件定义网络/
转发验证/
数据平面可编程/
P4转发设备
Abstract:For the fixed and limited number of OpenFlow protocol matching fields, and the lack of effective forwarding verification mechanism for data packet forwarding in the Software-Defined Networking (SDN), a SDN packet forwarding verification mechanism based on programmable data plane is proposed. By adding a cipher identification to the data packet, the P4 forwarding device joins the OpenFlow-based SDN network to control accurately and sample network traffic flow without affecting the normal forwarding of the data flow. The controller verifies the integrity of the sampled packet, and sends flow rules to the OpenFlow forwarding device to control the abnormal data flow such as malicious tampering and forgery. Finally, the forwarding verification prototype and simulation network based on P4 forwarding device and Open vSwitch forwarding device are constructed and tested. The experimental results show that the mechanism can effectively detect the forwarding abnormal behaviors such as packet tampering and forgery. Compared with similar verification mechanisms, in the case of the same security verification processing overhead, it can achieve more fine-grained flow precise control sampling and lower forwarding delay.
Key words:Software-Defined Networking (SDN)/
Forwarding verification/
Programmable data plane/
P4 forwarding device



PDF全文下载地址:

https://jeit.ac.cn/article/exportPdf?id=d413fb02-35a6-4421-a135-9f60306d781d