Research On Secure Sharing Mechanism Of Dynamically Hierarchical Network Services

With the rapid development of the network technology,the shortages of traditional network architecture have been gradually exposed,and it cannot meet the ever-expanding traffic demand.In order to explore new network architecture,SDN decouples the control plane and the data forwarding plane,which brings unprecedented improvement in the control capability and scalability of the network,and introduces new ideas and vitality to the network architecture.On the other hand,NFV is designed to decouple the traditional network function devices hardware and software so as to improve the deployment and maintenance efficiency.Besides,the tendency of integrating SDN and NFV introduces a new problem about permission management for open interfaces of both SDN and NFV,and secure sharing of network services provided by SDN/NFV.The dynamic hierarchical fine-grained permission management framework is designed to reduce API abuse to protect the controller and secure the network services sharing.The framework proposes a network partitioning mechanism,which takes network device assignment as the core and is closely relevant to user permission,to meet the dynamic network requirements of users.The framework proposes a permission policy language,which provides a three-level permission abstraction named device permission,API permission and field permission to define user behavior boundary at an appropriate granularity.There are two core components in the framework: permission manager and runtime access intermediary.The permission manager provides interfaces for dynamical and accurate permission configuration,and checks the connectivity of user granted networks.The runtime access intermediary intercepts all API calls to ensure the validity and maintains user network topology view.A prototype of the framework is implemented on top of the RYU controller.Extensive experiments show that the fine-grained permission management framework can ensure that all API calls meet the permission requirements,thus effectively protecting the network controller,and only introduces 3ms extra startup time and core API processing latency of less than 0.1ms,which is negligible.