
The Research Of Security Mechanism And Technology For Software-defined Networking

Posted on: 2018-12-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P Zhang
Full Text: PDF
GTID: 1318330545975078
Subject: Electromagnetic field and microwave technology

Abstract/Summary:
Research on telecommunication networks has passed through four stages: analog communication, digital communication, internet communication and software-defined networking. The existing network architecture is by no means perfect; its main shortcomings are the following. First, the network consists of a large number of special-purpose devices, each with a single function. Second, network elements use a closed architecture that vertically integrates software and hardware. Third, every new service or function requires new equipment and new communication protocols, which increases the number of device types and the size of the network. Lastly, special-purpose devices and systems from different manufacturers and of different types have poor compatibility, which raises the costs of operation and maintenance. SDN, as a new network architecture, is designed to change the existing network infrastructure and overcome the shortcomings of this evolutionary process. SDN separates the control plane from the forwarding plane, and one control plane can manage multiple network devices. This centralized control structure differs markedly from the distributed control of the current network architecture. According to existing research and practical results, SDN has advantages in openness and centralization. However, it also introduces many problems that do not exist in traditional networks: the lack of a clearly defined processing structure for switching devices, the contradiction between fast processing and complex functions in the flow table, the implementation of a highly available controller, the balance between centralized and distributed control, and the bottleneck and security of the southbound interface. The security problems and their solutions differ between SDN and traditional networks.

This dissertation studies three aspects: network security, survivability, and controllability of network services. A set of methods and structures for enhancing the security of SDN is presented. They improve the security of the network by modifying network access, authentication and authorization, topology management, migration of control rights, and monitoring and early warning. The main contributions are the following.

(1) To enhance the security of cyberspace, especially against denial-of-service attacks, the dissertation proposes an access authentication method based on trust tokens. Building on proof of work, the method introduces two kinds of trust token and uses a trust mechanism to raise the trust level between the two communicating sides step by step. A stateless prejudgment unit is designed to generate and verify trust tokens from a small amount of global information, and an extra cache structure is added to help the application service defend against replay attacks within a short time window. The method defines an update period and a delay period; adjusting the proportion and length of these two cycles controls, at the source, the access window of application services. The method protects the application or service against network attacks and provides strong authentication support for both communicating sides. Protocol analysis and experimental results show that the proposed method and system guarantee communication security and mutual proof, allow the access responder to process all connection requests, and increase the difficulty of attack.

(2) For the security of SDN itself, building on the trust-token access authentication method, an SDN access authentication method based on trust transfer and a topology discovery method based on trusted devices are proposed. The access authentication method standardizes the network access process of SDN network elements. Taking trust domains into account, it defines the relationships among network, controller, switch and host in the form of quadruples. Through role upgrading and trust transfer, the resource costs of access authentication are distributed to the data plane. This improves the security of the control plane and reduces the computation the control plane needs for establishing a secure channel, network access, authentication and authorization. The topology discovery method combines the advantages of SNMP topology discovery in traditional networks and LLDP topology discovery in current SDN, and overcomes the shortcomings of existing topology discovery: it achieves strong authentication of neighbor relationships, reduces the resource requirements on the controller and the southbound interface, and ensures the safety of topology discovery. Experimental data show that both methods are reliable and fast, with low resource consumption. The two methods help improve the controller's survivability and support fast migration of control and fast reconstruction of the controller.

(3) For SDN service survivability, the dissertation studies the main existing technologies for ensuring service continuity (service migration and roaming) and proposes a method for shifting control rights. Based on the trust transfer process, the method reduces the controller's reliance on resources and improves the handover performance of network control. It allows the network to be controlled from any location and ultimately improves the survivability of the network. The method includes a hard shift and a soft shift. For the SDN controller, whether business migration technology or node roaming technology is used, the security of the movement of network control and the continuity of network service are ensured. As the network grows, the dependence on resources differs greatly between SDN controllers using different topology discovery methods. The dissertation compares the proposed method with an SSL-based approach, a floating-IP mode, a V2V mode, and methods based on mobility management (HIP and MIPv6), counting the number of packets on the southbound interface and the time taken for the control shift. Simulation results show the effectiveness and advantages of the proposed method, which provides a guarantee for fast recovery of network service.

(4) For the controllability of SDN network services, a pre-programmed data-plane processing structure and an improved security policy are proposed. The SDN architecture separates the control plane from the data plane, realizes centralized control, and supports real-time and complex network management. The proposed structure and policy are used to resolve the contradiction between fast flow-table processing and complex functions. The dissertation designs a processing model specific to the data plane, including a pre-programmed parallel structure and an integrated structure. The parallel processing and integrated computing architecture draws on the advantages of both ASICs and NPs. The design exploits the variability of the flow table in the shared space and remains compatible with serial flow-table processing. Together with the control strategy of the control plane, data flow management and behavior prediction are carried out across the whole network, realizing monitoring, early warning and evaluation of network behavior. Depending on the current operating state of the system, the characteristics of network behavior, and the evaluated consequences of that behavior, the method adopts a loose or a strict control strategy. With this adaptive control strategy the structure improves the overall control of network services. Simulation results agree with the design of the data-plane processing structure and the operating method of the control plane; the approach significantly reduces the pressure from network attacks and protects the safety of established connections of normal nodes.
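The following Python sketch is an added illustration of the ideas in contribution (1), not code from the dissertation, whose token format, periods and difficulty are not published on this page. It assumes a stateless "prejudgment unit" that derives proof-of-work challenges and two levels of trust token from a secret key, a client identifier and a time epoch, so that nothing is stored per client; a replay cache of accepted (token, nonce) pairs as its only state; and constructed values for the update period, delay period and proof-of-work difficulty. The delay period is modelled as a grace window after each epoch change during which the previous epoch's tokens are still accepted, which is one reading of how the two cycles shape the access window.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional, Tuple

# Constructed parameters for this illustration; the dissertation does not publish its values.
UPDATE_PERIOD = 60.0   # seconds per token epoch: tokens are re-derived every epoch
DELAY_PERIOD = 15.0    # grace window after an epoch change in which the previous epoch's token is still valid
POW_BITS = 12          # leading zero bits a client must find to earn a level-1 token
REPLAY_TTL = 2 * UPDATE_PERIOD   # how long an accepted (token, nonce) pair is remembered


def pow_ok(challenge: bytes, solution: bytes, bits: int = POW_BITS) -> bool:
    """Check that sha256(challenge || solution) has `bits` leading zero bits."""
    digest = int.from_bytes(hashlib.sha256(challenge + solution).digest(), "big")
    return digest >> (256 - bits) == 0


def solve_pow(challenge: bytes, bits: int = POW_BITS) -> bytes:
    """Client side: brute-force a counter until the proof-of-work condition holds."""
    counter = 0
    while not pow_ok(challenge, counter.to_bytes(8, "big"), bits):
        counter += 1
    return counter.to_bytes(8, "big")


class PrejudgmentUnit:
    """Stateless trust-token issuer/verifier: needs only the secret key and the clock.

    Its single piece of state is a short-lived replay cache of accepted (token, nonce) pairs.
    """

    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time):
        self.secret = secret
        self.clock = clock            # injectable so the epoch logic can be tested deterministically
        self.replay_cache = {}        # token + nonce -> expiry time

    def _mac(self, *parts: bytes) -> bytes:
        return hmac.new(self.secret, b"|".join(parts), hashlib.sha256).digest()

    def _epoch(self, now: float) -> int:
        return int(now // UPDATE_PERIOD)

    def _token(self, client_id: bytes, level: int, epoch: int) -> bytes:
        # Token = MAC over (level, client, epoch): any verifier holding the key can recompute it.
        return self._mac(b"tok", bytes([level]), client_id, str(epoch).encode())

    def _acceptable_epochs(self, now: float) -> Tuple[int, ...]:
        epoch = self._epoch(now)
        if now - epoch * UPDATE_PERIOD < DELAY_PERIOD:
            return (epoch, epoch - 1)  # inside the delay period: old epoch's tokens still accepted
        return (epoch,)

    def challenge(self, client_id: bytes) -> bytes:
        """Proof-of-work challenge derived from key, client and epoch, so no per-client state is kept."""
        return self._mac(b"chal", client_id, str(self._epoch(self.clock())).encode())

    def issue_level1(self, client_id: bytes, solution: bytes) -> Optional[bytes]:
        """First trust step: a correct proof of work earns a level-1 token."""
        if not pow_ok(self.challenge(client_id), solution):
            return None
        return self._token(client_id, 1, self._epoch(self.clock()))

    def issue_level2(self, client_id: bytes, level1_token: bytes, nonce: bytes) -> Optional[bytes]:
        """Second trust step: presenting a fresh, valid level-1 token earns a level-2 token."""
        if not self.verify(client_id, 1, level1_token, nonce):
            return None
        return self._token(client_id, 2, self._epoch(self.clock()))

    def verify(self, client_id: bytes, level: int, token: bytes, nonce: bytes) -> bool:
        """Recompute the token for the acceptable epochs, then reject replays of (token, nonce)."""
        now = self.clock()
        # Expire stale replay-cache entries so the cache stays bounded by the traffic of ~2 epochs.
        self.replay_cache = {k: exp for k, exp in self.replay_cache.items() if exp > now}
        if not any(hmac.compare_digest(token, self._token(client_id, level, e))
                   for e in self._acceptable_epochs(now)):
            return False
        key = token + nonce
        if key in self.replay_cache:
            return False              # same token and nonce seen within the window: replay
        self.replay_cache[key] = now + REPLAY_TTL
        return True


if __name__ == "__main__":
    unit = PrejudgmentUnit(b"constructed-secret")
    client = b"10.0.0.5"              # constructed client identifier
    tok1 = unit.issue_level1(client, solve_pow(unit.challenge(client)))
    print("level-1 accepted:", unit.verify(client, 1, tok1, b"nonce-1"))
    print("replay rejected:", not unit.verify(client, 1, tok1, b"nonce-1"))
```

Because the verifier recomputes tokens from the key and the clock, an unauthenticated flood costs the responder one HMAC per request and no stored state, while each client must spend proof-of-work before it is allowed to spend any server resources beyond that; shortening UPDATE_PERIOD or DELAY_PERIOD narrows the window in which a captured token remains usable.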
Keywords/Search Tags: Software-Defined Networking, Network Security, Survivability of Network Service, Controllability of Network Service, Trust Token, Trust Transfer