
Research On The Incrementally Deployable And Integrated Mechanism For Network Accountability

Posted on: 2021-05-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C Q Zhang
Full Text: PDF
GTID: 1368330623482241
Subject: Computer Science and Technology

Abstract/Summary:
Current Internet packet delivery relies only on the packet's destination IP address: forwarding devices do not validate the packet's IP source address, and packets do not carry their senders' identities. Attackers can exploit this defect to launch attacks with forged IP source addresses and avoid being traced, which poses a great threat to network security and credibility. Existing studies have approached the problem mainly from the aspects of IP source address credibility and traceability. Although many of them have achieved great success in their own scenarios, they share some shortcomings, e.g., unsatisfactory filtering accuracy, insufficient validation granularity, large implementation and deployment cost, inability to cover both intra-domain and inter-domain areas, and neglect of incremental deployment requirements. In order to relieve the cyber-attack phenomenon, we research a network accountability mechanism that makes packets carry either a real IP source address or the credible identity of the sender, so that the network manager can locate the responsible party directly from the malicious packets. In detail, on the basis of the management and control separation architecture of Software Defined Networking (SDN), we propose an incrementally deployable and integrated mechanism for network accountability. Our proposal lets packets carry reliable IP source addresses within a domain and credible sender identities between domains, so that the network authority can locate the source host or the sender's identity merely by examining an abnormal packet. The whole mechanism has the merits of low deployment cost, high accountability efficiency, balanced security and privacy, full coverage of intra-domain and inter-domain areas, and suitability for incremental deployment. The contributions of this dissertation are as follows:

1. An incrementally deployable and integrated architecture is set up for network accountability. In an effort to realize the goal of network accountability in both intra-domain and inter-domain areas, we first formulate the problem and build a system model based on the design requirements, then deduce the two aspects that need to be implemented to achieve this goal. The first is the credibility of the IP source address for intra-domain packets, which lets the authority trace back to the packet's original host. The second is the credibility of the user identity code for inter-domain packets, which lets the authority identify the packet's sender. Based on this formulation, an SDN-based incrementally deployable and integrated mechanism is set up for network accountability, which includes an intra-domain IP source address validation scheme and an inter-domain reliable sender identity code embedding proposal. By integrating the two schemes, we realize the purposes of packet credibility and network accountability.

2. An IP source address validation scheme for the intra-domain SDN hybrid scenario is proposed. To keep the packet IP source address reliable and realize network accountability within an Autonomous System (AS), a scheme for IP Source Address Validation by SDN Hybrid networks (SDN-ISAVS) is proposed, which achieves IP-prefix-level validation granularity and makes a trade-off between deployment cost and filtering effect. First, SAVSH calculates the deployment nodes (checkpoints) based on the problem model and the network topology. Then the scheme replaces these nodes with SDN switches and distributes fine-grained SDN flow control rules to them via the designed controller, so that the checkpoints can filter out packets with inappropriate IP source addresses. Meanwhile, to cope with network dynamics, SAVSH proposes a combined proactive and reactive rule recomputation plan. Finally, experiments confirm that the proposal achieves high filtering rates with only a small deployment cost and also possesses the merit of incremental deployment.

3. A traffic-aware rule replacement optimization algorithm for intra-domain SDN networks is designed. For efficient packet checking, and to relieve the severe table-miss situation caused by network dynamics and the limited TCAM memory of SDN switches, a combined proactive and reactive, traffic-aware SDN rule replacement optimization algorithm named Banlancer is designed. First, Banlancer logically divides the TCAM space of an SDN switch into two parts, a resident rule area and a temporal rule area, which store resident and temporal SDN rules respectively. For the resident rules, Banlancer periodically measures their weights from the aspects of historical information, coverage space and dependency relationships, so as to keep the rules whose weight exceeds the threshold always in the SDN switches. For the temporal rules, Banlancer performs an optimized rule replacement algorithm based on historical and predicted future traffic, so as to reduce the rule replacement frequency and effectively lower the number of table-miss events. Compared with a purely proactive or purely reactive rule update method, the proposal keeps packets in the data plane and greatly enhances network forwarding efficiency.

4. A TCAM-saving compression model is proposed to enhance the flow table storage capacity. To enhance the SDN-ISAVS scheme and further alleviate the problem that the TCAM space of an SDN switch is insufficient to accommodate the growing SDN flow table, and considering the redundancy and mutual exclusion among the fields of the OpenFlow flow table, we propose a TCAM flow table compression model named RETCAM that preserves the functional integrity of OpenFlow. RETCAM first analyzes the relationships between all fields in the OpenFlow specification and divides them into three categories: orthogonal fields (unrelated fields), evolutionary fields and coexistence fields. The model then proposes three compression algorithms based on these field relations, namely field merging compression, field mapping compression and intra-field compression. Without compromising the flexibility of OpenFlow matching lookup or the functional integrity of the original flow table, the compressed result lets flow table fields be merged or their widths reduced. Finally, simulation results show that for a given OpenFlow flow table the scheme saves about 65% of TCAM space, which is better than similar schemes, without damaging the functional integrity of OpenFlow or the stability of the flow table.

5. A credible user identity code embedding scheme between allied ASes is realized. To let every packet carry its own sender's identity code and realize network accountability among ASes, a user identity code embedding scheme among allied ASes is realized, which keeps the packet's sender identity authentic between allied ASes. First, by setting up peer SDN controllers between allied ASes, the allied ASes can exchange key information, such as IP prefixes, AS numbers and authentication keys, between their controllers. Then, under the control of the SDN controller, the domain border device embeds a TrueID header into packets outbound to allied ASes. The header contains the sender's credible hashed identity code and provides non-repudiation, reliability and resistance to replay attacks. Prototype experiments show that the AS border switch can process the TrueID header at line rate, while the storage cost is trivial. Experiments also demonstrate that the scheme has a lower end-to-end verification delay than the IPsec Authentication Header (AH) in terms of the controllers' authentication process. Lastly, simulation experiments show that the proposal can achieve Internet-scale packet validation by deploying only 30% of the nodes of a large PoP AS backbone, which confirms the scheme's excellent capability for incremental deployment.
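The checkpoint-based, prefix-level source address validation of contribution 2 can be made concrete with a small simulation. The following Python is an added example written for this page; it is not code from the dissertation or from the SDN-ISAVS/SAVSH implementation. The topology, customer prefixes, checkpoint placements, BFS shortest-path routing and spoofed traffic are all constructed assumptions, and the rule derivation (a checkpoint allows a source prefix only on the ingress port that prefix's legitimate paths actually use, default drop) is one plausible reading of "fine-grained flow control rules", not the thesis's checkpoint selection or rule computation algorithm.

```python
"""Prefix-level IP source address validation at SDN checkpoints (added example).
A small AS is a graph of unit-cost links; a subset of routers are SDN checkpoints.
Each checkpoint allows a source prefix only on the ingress port its legitimate
routing paths use (default: drop). Everything below is constructed for the demo."""
import ipaddress
from collections import deque

# Constructed topology: router -> neighbouring routers (undirected, unit cost).
TOPOLOGY = {
    "r1": ["r2", "r3"],
    "r2": ["r1", "r4"],
    "r3": ["r1", "r4"],
    "r4": ["r2", "r3", "r5"],
    "r5": ["r4"],
}
# Constructed: the customer prefix attached to each edge router.
PREFIX_OF = {
    "r1": ipaddress.ip_network("10.1.0.0/16"),
    "r2": ipaddress.ip_network("10.2.0.0/16"),
    "r3": ipaddress.ip_network("10.3.0.0/16"),
    "r5": ipaddress.ip_network("10.5.0.0/16"),
}
LOCAL_PORT = "local"  # ingress port for packets injected by the router's own hosts

def shortest_path(graph, src, dst):
    """Deterministic BFS path src -> dst (list of routers); the same function is
    used for rule derivation and for forwarding, so rules match real paths."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def build_rules(graph, prefix_of, checkpoints):
    """Per checkpoint: the (ingress port, source prefix) pairs seen on some
    legitimate path. These become 'allow' flow entries; the table-miss is drop."""
    rules = {cp: set() for cp in checkpoints}
    for edge_router, prefix in prefix_of.items():
        for dst in graph:
            path = shortest_path(graph, edge_router, dst)
            for i, node in enumerate(path):
                if node in rules:
                    rules[node].add((LOCAL_PORT if i == 0 else path[i - 1], prefix))
    return rules

def checkpoint_accepts(rules, checkpoint, in_port, src_ip):
    """Flow-table lookup: accept only if an allow entry covers (port, source)."""
    ip = ipaddress.ip_address(src_ip)
    return any(port == in_port and ip in pfx for port, pfx in rules[checkpoint])

def deliver(graph, rules, ingress_router, dst_router, src_ip):
    """Forward along the destination-based path (spoofing does not change it);
    drop at the first checkpoint with no matching entry. Returns (delivered, dropped_at)."""
    path = shortest_path(graph, ingress_router, dst_router)
    for i, node in enumerate(path):
        if node in rules:
            in_port = LOCAL_PORT if i == 0 else path[i - 1]
            if not checkpoint_accepts(rules, node, in_port, src_ip):
                return False, node
    return True, None

def legitimate_drops(graph, prefix_of, checkpoints):
    """Genuine packets wrongly dropped (false positives); expected to be zero."""
    rules = build_rules(graph, prefix_of, checkpoints)
    drops = 0
    for router, prefix in prefix_of.items():
        src_ip = str(prefix.network_address + 7)
        for dst in graph:
            if dst != router and not deliver(graph, rules, router, dst, src_ip)[0]:
                drops += 1
    return drops

def spoof_filtering(graph, prefix_of, checkpoints):
    """Every edge router forges every other edge router's prefix towards every
    other router. Returns (dropped, total) so the filtering rate can be compared
    across checkpoint placements (the deployment-cost / filtering trade-off)."""
    rules = build_rules(graph, prefix_of, checkpoints)
    dropped = total = 0
    for attacker in prefix_of:
        for owner, forged in prefix_of.items():
            if owner == attacker:
                continue
            src_ip = str(forged.network_address + 7)
            for dst in graph:
                if dst == attacker:
                    continue
                total += 1
                dropped += not deliver(graph, rules, attacker, dst, src_ip)[0]
    return dropped, total

if __name__ == "__main__":
    for cps in ({"r4"}, {"r1", "r4"}):
        d, t = spoof_filtering(TOPOLOGY, PREFIX_OF, cps)
        print(f"checkpoints {sorted(cps)}: {d}/{t} spoofed dropped, "
              f"{legitimate_drops(TOPOLOGY, PREFIX_OF, cps)} legitimate drops")
```

With only `r4` as a checkpoint, 26 of 48 spoofed packets are dropped; adding `r1` raises that to 44 of 48 with zero false positives in both cases. The four survivors show the granularity limit of prefix-level validation: a packet from `r2` forging `10.5.0.0/16` towards `r1` passes, because `r1` legitimately sees that prefix on its `r2`-facing port (the path from `r5`), so a rule keyed on ingress port and prefix cannot tell the two apart.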
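The inter-domain identity header of contribution 5 is easiest to reason about as a concrete embed/verify exchange between two AS border devices. The following Python is an added example for this page, not the dissertation's TrueID wire format or prototype. It assumes that the two ASes' controllers have already exchanged a shared authentication key (the abstract only says key material is exchanged between peer controllers), that the identity code is a salted hash of the user identity, that the header layout is AS number, 16-byte identity code, 64-bit sequence number and a truncated HMAC-SHA256 tag over the header plus the packet it protects, and that replay detection keeps the highest accepted sequence number per (AS, identity code). The AS number 64500 is from the documentation range and the key, salt, addresses and payloads are constructed.

```python
"""Sender identity header between allied ASes (added example, not TrueID's format).
Outbound border: embed header (AS, hashed id code, seq, tag). Inbound border of the
allied AS: check the tag with the controller-exchanged key, then reject replays."""
import hashlib
import hmac
import struct

HDR_FMT = "!I16sQ"                  # AS number, 16-byte identity code, 64-bit sequence
HDR_LEN = struct.calcsize(HDR_FMT)  # 28 bytes
TAG_LEN = 16                        # truncated HMAC-SHA256

def identity_code(user_id: str, salt: bytes) -> bytes:
    """Hashed identity code: the peer AS can attribute packets to the code and hold
    the originating AS accountable without learning the raw user identity."""
    return hashlib.sha256(salt + user_id.encode()).digest()[:16]

def compute_tag(key: bytes, header: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Bind the header to the addresses and payload so it cannot be cut and pasted
    onto another packet or survive tampering (assumed construction)."""
    msg = header + src_ip.encode() + b"|" + dst_ip.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

class BorderEmbedder:
    """Outbound border device: prepends the identity header under controller policy."""
    def __init__(self, as_number: int, key: bytes, salt: bytes):
        self.as_number, self.key, self.salt = as_number, key, salt
        self.seq = {}  # identity code -> last sequence number issued

    def embed(self, user_id: str, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
        code = identity_code(user_id, self.salt)
        seq = self.seq.get(code, 0) + 1
        self.seq[code] = seq
        header = struct.pack(HDR_FMT, self.as_number, code, seq)
        return header + compute_tag(self.key, header, src_ip, dst_ip, payload) + payload

class BorderVerifier:
    """Inbound border device of the allied AS: authenticity first, then freshness."""
    def __init__(self, keys_by_as: dict):
        self.keys = keys_by_as   # AS number -> shared key, from the controller exchange
        self.last_seq = {}       # (AS number, identity code) -> highest accepted seq

    def verify(self, packet: bytes, src_ip: str, dst_ip: str):
        """Return (accepted, reason, identity_code); reason is 'ok' when accepted."""
        if len(packet) < HDR_LEN + TAG_LEN:
            return False, "short", None
        header = packet[:HDR_LEN]
        tag = packet[HDR_LEN:HDR_LEN + TAG_LEN]
        payload = packet[HDR_LEN + TAG_LEN:]
        as_number, code, seq = struct.unpack(HDR_FMT, header)
        key = self.keys.get(as_number)
        if key is None:
            return False, "unknown-as", None
        if not hmac.compare_digest(tag, compute_tag(key, header, src_ip, dst_ip, payload)):
            return False, "bad-tag", None
        if seq <= self.last_seq.get((as_number, code), 0):
            return False, "replay", code   # already seen: replayed packet
        self.last_seq[(as_number, code)] = seq
        return True, "ok", code

def run_scenario():
    """Constructed exchange: a fresh packet, its replay, a tampered copy, a header
    forged without the key, then the sender's next packet."""
    key = b"constructed-key-exchanged-between-peer-controllers"
    salt = b"constructed-salt"
    src, dst = "10.1.0.7", "10.9.0.1"
    sender = BorderEmbedder(as_number=64500, key=key, salt=salt)
    receiver = BorderVerifier({64500: key})
    pkt = sender.embed("alice@as64500", src, dst, b"hello")
    forged = BorderEmbedder(64500, b"wrong-key", salt).embed("mallory", src, dst, b"x")
    return {
        "fresh": receiver.verify(pkt, src, dst)[1],
        "replay": receiver.verify(pkt, src, dst)[1],
        "tampered": receiver.verify(pkt[:-5] + b"HELLO", src, dst)[1],
        "forged": receiver.verify(forged, src, dst)[1],
        "next": receiver.verify(sender.embed("alice@as64500", src, dst, b"again"), src, dst)[1],
    }

if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner would want alongside this sketch. A strictly increasing counter rejects packets that arrive out of order; a production verifier would use an IPsec-style sliding window with a bitmap of recently accepted sequence numbers instead. And a tag computed with a key shared by the two controllers gives the receiving border authenticity and replay resistance, but not non-repudiation towards a third party, since either side could have produced it; the abstract claims non-repudiation for the TrueID header without stating its primitive, so a digital signature or a logged, controller-attested binding of code to user would be the natural way to obtain that property.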
Keywords/Search Tags: IP source address validation, user identity authentication, network accountability, TCAM compression, Software-defined networking (SDN)