
Extended Security Policy Of The Control Plane In Software-Defined Networks

Posted on: 2017-07-02
Degree: Master
Type: Thesis
Country: China
Candidate: K Jiang
Full Text: PDF
GTID: 2348330488997065
Subject: Information networks

Abstract/Summary:
As the number of security problems grows, network operators mainly rely on tools such as ping, traceroute, SNMP and tcpdump to solve specific problems. Locating a fault depends on the operator's experience and capability, and an inexperienced operator may cause secondary damage to network services. Moreover, general-purpose tools and framework tools are complicated to configure and not flexible enough. This paper presents two network security policies: intentional packet traceback and classifying troubleshooting.

The packet traceback application, which is based on a backward policy, runs on the control plane. Because people cannot make use of the abstract information of packets, this paper presents the policy of intentional traceback, which maps IP addresses, port numbers and other low-level features to intents, that is, high-level abstractions such as people, applications and devices. The mapping is managed by a control application component and called through an interface when used. The run-time environment is responsible for interpreting the intentional traceback policy, as well as for its transformation and maintenance.

Path query can return upstream or downstream information about captured packets. Because it is uncertain whether a fault event exists, this paper presents a fault detection method based on path query, in order to confirm the existence of a fault as soon as possible. Combined with the troubleshooting algorithm, the weight of each link on the faulty path is calculated and analyzed to obtain the most probable position of the root cause, which provides the basis for the next step of fault recovery. The method is tested in an experimental environment.

The results show that the policies of intentional traceback and classifying troubleshooting complement existing SDN security policies well. The policy of intentional traceback meets users' need to trace packets back according to different intents, and the policy of classifying troubleshooting helps network operators detect a fault as soon as possible, analyze it thoroughly and accumulate experience.
Keywords/Search Tags: Software defined networks, troubleshooting, intentional policy, classifying policy