
Research And Implementation Of Detection Mechanism For SDN Flow Rules' Legality

Posted on: 2020-04-25  Degree: Master  Type: Thesis
Country: China  Candidate: X C Qiu
GTID: 2428330572472224  Subject: Information security
Abstract/Summary:
Software-Defined Networking (SDN) decouples the control plane from the forwarding plane and provides a high degree of flexibility and programmability. SDN facilitates network management while also facing new security threats. At present, the northbound interface of the SDN controller lacks common security services such as encryption and authorization management. Secondly, when multiple applications are present at the SDN application layer, the flow rules of different applications differ because the functions and logic of the applications differ, and there may be direct conflicts between them. In addition, the flow rules of common applications may indirectly collide with existing firewall flow rules, causing firewall rules to fail and thereby threatening the security of the entire network. In view of the above SDN security threats, this thesis designs a comprehensive detection mechanism for conflicts between multi-application flow rules. The main work of the thesis is divided into the following four aspects:

1. Design a security protection scheme for the SDN northbound interface. When users of the SDN application layer invoke the northbound interface to deliver flow rules, the users are first authenticated, authorized and security-audited, and the flow rules are given the application's priority, which provides a basis for flow rule detection.

2. Analyze the characteristics of flow rules in the OpenFlow switch, establish a general model for the formal representation of flow rules, and establish a relationship judgment model between flow rules to provide a theoretical basis for the detection and conflict resolution of flow rules.

3. Design a comprehensive legality detection scheme for flow rules. Before a flow rule is actually deployed to the network, static flow detection and dynamic conflict detection are performed on the rule to be delivered; if there is a dynamic conflict, automated dynamic conflict resolution is performed based on the application priority and the relationship model between flow rules. In view of conflict-dependent security threats, this thesis improves the alias set algorithm of the classic FortNox security kernel: it builds an undirected graph from the network topology and simulates packet forwarding as a secondary detection, eliminating the false positives of the alias set algorithm and improving the accuracy of detection.

4. Integrate the northbound interface security protection module and the flow rules' legality detection module into the open source Ryu controller, and use Mininet to build a simulated SDN network to test the system's function and performance and to verify the correctness of the flow rule conflict detection function. Under the premise of improved network security, the throughput of the controller's northbound interface drops by about 20%.
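As an added illustration of the flow rule relationship model and the priority-based dynamic conflict check described above (example code written for this page, not the thesis's own implementation; the rule format, the field names and the sample rules are assumptions):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed rule model (not the thesis's format): a match maps OpenFlow-style
# field names to an exact value; a missing field or None means wildcard.
FIELDS = ("in_port", "eth_type", "ipv4_src", "ipv4_dst", "tcp_dst")

@dataclass
class FlowRule:
    name: str
    app_priority: int   # assigned when the app calls the northbound interface
    match: Dict[str, Optional[str]]
    action: str         # "forward" or "drop"

def _field_relation(a: Optional[str], b: Optional[str]) -> str:
    """Relation of one match field of rule A to the same field of rule B."""
    if a == b:
        return "equal"      # both wildcard, or the same exact value
    if a is None:
        return "superset"   # A wildcards a field that B pins down
    if b is None:
        return "subset"
    return "disjoint"       # two different exact values never both match

def relation(r1: FlowRule, r2: FlowRule) -> str:
    """Classify r1 against r2: disjoint, equal, superset, subset or correlated."""
    rels = {_field_relation(r1.match.get(f), r2.match.get(f)) for f in FIELDS}
    if "disjoint" in rels:
        return "disjoint"
    if rels == {"equal"}:
        return "equal"
    if "subset" not in rels:
        return "superset"   # every field equal or wider: r1 contains r2
    if "superset" not in rels:
        return "subset"
    return "correlated"     # the matches overlap but neither contains the other

def check_rule(new: FlowRule, installed: List[FlowRule]) -> dict:
    """Dynamic conflict check: an overlapping match with a different action is a
    conflict; an installed rule of equal or higher application priority blocks it."""
    conflicts = [r for r in installed
                 if relation(new, r) != "disjoint" and r.action != new.action]
    blockers = [r.name for r in conflicts if r.app_priority >= new.app_priority]
    if blockers:
        return {"accept": False, "blocked_by": blockers, "evict": []}
    return {"accept": True, "blocked_by": [], "evict": [r.name for r in conflicts]}

# Constructed samples: a firewall drop rule and an app forwarding rule that indirectly overlaps it.
FIREWALL = FlowRule("fw-drop-ssh", 10, {"ipv4_dst": "10.0.0.5", "tcp_dst": "22"}, "drop")
APP_RULE = FlowRule("app-fwd-host9", 5, {"ipv4_src": "10.0.0.9"}, "forward")
```

The app rule is classified as correlated with the firewall rule (it wildcards the destination the firewall pins down while pinning a source the firewall wildcards) and is rejected because the firewall holds the higher application priority.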
Keywords/Search Tags: Software-Defined Networking, OpenFlow, Northbound Interface, Conflict Detection