
SDN Based Research On Source Address Validation Methods

Posted on: 2017-02-04
Degree: Master
Type: Thesis
Country: China
Candidate: P Sun
Full Text: PDF
GTID: 2308330485971201
Subject: Electronic and communication engineering
Abstract/Summary:
Source address spoofing means forging the source IP address of a packet in order to impersonate another party in network communications. Attackers often use it in IP spoofing, SYN floods and other distributed denial-of-service attacks, which not only cause great harm but also let the attackers hide themselves; such attacks have become one of the biggest security threats on the Internet today. Source address validation is the most effective way to defend against IP address spoofing attacks. Researchers at home and abroad have proposed a variety of source address validation schemes. However, under conventional network conditions, source address validation faces many difficulties. Software Defined Networking (SDN) is a new network architecture proposed in recent years: the control function is separated from the network devices and integrated into an operating system, which flexibly implements different network policies and manages the network devices in a unified way through the southbound interface. This architecture increases network flexibility and scalability, has become a hot concept, and offers an opportunity to explore new source address validation methods. This thesis presents two methods for SDN source address validation on the basis of the real source address validation system.

The thesis first introduces the research background and the current state of research. By analyzing source address validation technology, it divides the existing methods into three categories according to their underlying principles, and describes the theory and disadvantages of each.
Taking advantage of the innovation SDN brings and the convenient programmable interface it provides, the thesis improves the traditional MAC-IP binding method and the path-computation forwarding algorithm and, through secondary development on the programmable controller, implements two SDN-based source address validation schemes. Option I binds the source IP address, the MAC address and the switch port to which the host is connected, and generates flow table entries in the form of <MAC, IP, PORT> triples as the filter criteria. Option II uses the topology information collected within the SDN controller and, through centralized path computation, generates flow table entries in the form of <IPsrc, IPdst, in_PORT, out_PORT> quads as the filter criteria; the flow tables are then sent down to the corresponding switches, which perform source address validation on packets. Experimental tests were carried out on virtual network topologies in the Mininet simulation platform. The results show that both source address validation methods are applicable to SDN, respond rapidly to packets with spoofed source addresses, and have a good filtering effect. Finally, the thesis points out its remaining shortcomings and looks ahead to follow-up work.
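The two filter tables described above can be sketched as an added example (not code from the thesis). The topology, addresses and function names are constructed for illustration, breadth-first search stands in for the unspecified centralized path computation, and plain Python sets and dicts stand in for switch flow tables.

```python
from collections import deque
from itertools import permutations

# Constructed sample network (assumption): switch -> {port: neighbour}.
# Line topology s1 - s2 - s3 with one host per switch.
TOPOLOGY = {
    "s1": {1: "10.0.0.1", 2: "s2"},
    "s2": {1: "s1", 2: "s3", 3: "10.0.0.2"},
    "s3": {1: "s2", 2: "10.0.0.3"},
}
HOSTS = {"10.0.0.1": "00:00:00:00:00:01",   # constructed IP -> MAC
         "10.0.0.2": "00:00:00:00:00:02",
         "10.0.0.3": "00:00:00:00:00:03"}

def port_to(sw, neighbour):
    return next(p for p, n in TOPOLOGY[sw].items() if n == neighbour)

def triple_table():
    """Option I: one <MAC, IP, PORT> binding per host-facing switch port."""
    return {(sw, HOSTS[n], n, p) for sw, ports in TOPOLOGY.items()
            for p, n in ports.items() if n in HOSTS}

def shortest_path(src, dst):
    """BFS from host src to host dst; returns [src, switches..., dst]."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        nbrs = (TOPOLOGY[node].values() if node in TOPOLOGY else
                [sw for sw, ports in TOPOLOGY.items() if node in ports.values()])
        for n in nbrs:
            if n not in prev:
                prev[n] = node
                queue.append(n)
    path = [dst]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]

def quad_table():
    """Option II: <IPsrc, IPdst, in_PORT, out_PORT> for every switch on each path."""
    table = {}
    for src, dst in permutations(HOSTS, 2):
        path = shortest_path(src, dst)
        for before, sw, after in zip(path, path[1:], path[2:]):
            table[(sw, src, dst, port_to(sw, before))] = port_to(sw, after)
    return table

def access_ok(triples, sw, mac, ip, port):
    return (sw, mac, ip, port) in triples      # no matching triple: drop

def forward(quads, sw, ip_src, ip_dst, in_port):
    return quads.get((sw, ip_src, ip_dst, in_port))  # None: drop
```

A packet whose claimed source does not match the port binding fails `access_ok`, and one that enters a switch on a port off the computed path gets `None` from `forward`.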
Keywords/Search Tags:SDN, source address validation, network security