
Research And Implementation Of Multi-granularity Security Architecture Of Software-Defined Networking

Posted on: 2017-05-03
Degree: Master
Type: Thesis
Country: China
Candidate: Q Fu
Full Text: PDF
GTID: 2348330533950172
Subject: Computer technology
Abstract/Summary:
Software Defined Networking (SDN) separates the control function of the network from the basic forwarding equipment, so that the network can be controlled and managed through software definition. Given the many deficiencies of the traditional network structure, SDN offers a new direction for future network development. Because the architecture changes dramatically, it brings not only advantages but also new security issues. At the same time, in large-scale SDN networks, communication between autonomous domains is a hotspot of research on the wide-ranging application of SDN. In a multi-domain SDN network, the different controllers cannot communicate directly because of the distance between the different control planes, so the exchange of information between domains is unsafe. If SDN is to deliver its maximum benefit, such as wide-ranging application, these security issues are unavoidable. The main work of this master's thesis consists of two parts.

First, this master's thesis analyzes the security of SDN based on the OpenFlow protocol, including the security threats to the northbound interface, the southbound interface and the flow table. It designs a multi-granularity security controller architecture that is divided into a basic control module and multi-granularity security custom modules. The basic control module follows the requirements of the SDN architecture to realize the basic functions, and the multi-granularity security custom modules implement customizable security functions in the controller. Multi-granularity security management generates security services based on granular computing theory. The security controller monitors and filters network flows, manages the flow table in a unified way, and at the same time protects the northbound interface, in order to provide domain security protection for the SDN network.

Second, this master's thesis studies the inter-domain communication mode of large-scale multi-domain SDN networks, proposes a distributed controller secure communication mechanism, and implements a prototype of this mechanism. The mechanism uses the border switch as an inter-domain agent, and controllers communicate with each other using special packets sent through a secure tunnel. The inter-domain agent and a digital certificate provide two-step authentication of the controller: the inter-domain agent defends against attacks by using a challenge-response mode, and the legal identity of the controller is verified by a digital certificate.

Experimental tests show that the security controller architecture effectively improves the security of an SDN domain, and that the network performance degradation caused by the security functions is small. The distributed controller secure communication mechanism can also provide trusted authentication of inter-domain controllers and secure exchange of information.
Keywords/Search Tags:Software Defined Network, security architecture, identity authentication, secure communication