
Research On Reliability Of The Security Policy Of The Control Layer In SDN

Posted on: 2018-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: Q Liu
Full Text: PDF
GTID: 2348330536480011
Subject: Logistics engineering
Abstract/Summary:
Software defined networking (SDN) is a new kind of network architecture. It decouples the traditional network into an application plane, a control plane and a data plane, and is characterized by openness and programmability. Controller-centric SDN technology can control the network centrally, and has been used in data centers, wireless LANs, cloud computing and other fields. However, with the continuous development of SDN, its own security issues have been highlighted, and this paper focuses on the reliability of the control layer security policy.

The firewall strategy based on the OpenFlow protocol is closely related to the flow table policy. On one hand, the consistency of the flow table policy is the basis for constructing a reliable firewall security policy. On the other hand, the stateless nature of the OpenFlow protocol causes SDN firewall rules to fail, making the security policy unreliable. This paper studies and discusses these two aspects of the problem. For the consistency of the flow table policy, this paper starts from behavior consistency and uses path label technology to monitor the consistency between the control plane and the data plane. A failure of the data plane flow table policy can be fed back to the administrator in time, which helps to establish a logical and consistent security policy scheduling mechanism.

A security policy consists of a flow table policy and a firewall policy. An attacker can use the Set-Field operation in the flow table to tamper with packet header information and bypass the firewall security policy. In this paper, a double detection mechanism of the alias set and path backtracking is adopted to guarantee the reliability of security conflict detection. Finally, the experimental results verify the validity of the consistency detection and security conflict detection methods. The work can provide some ideas and methods for constructing an effective and reliable control layer security policy, and can also improve the monitoring ability of the controller when network security is in an abnormal state.
Keywords/Search Tags: Software Defined Network, OpenFlow, Security Policy, Consistency Detection, Security Conflict Detection