
Research On Rule Conflict Detection And Resolution Mechanism In Software-Defined Networking

Posted on: 2019-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: W Hao
Full Text: PDF
GTID: 2428330566471008
Subject: Information and Communication Engineering

Abstract/Summary:
Software-Defined Networking (SDN) is a network architecture that decouples the data plane from the control plane of traditional networks and manages and operates the network through a highly centralized control logic. Because the network is highly programmable and can be configured dynamically, network management becomes far more flexible and convenient. SDN has already been deployed in a number of research networks, such as Internet2 in the United States and JGN2plus in Japan, and well-known universities and research institutions in China have also begun to study SDN and deploy related test platforms.

With the development of the SDN architecture and the use of related devices, SDN networks also face many new security problems. Because the OpenFlow protocol is stateless and the data plane cannot analyze policy on its own, an attacker can use flow table entries to steer traffic around an established security policy; this produces rule conflicts and greatly reduces the security of the network. In an SDN network, switches and other network devices fully trust the flow rules issued by the controller, so once flow rules are maliciously tampered with, the security of the entire network is under serious threat. In particular, an attacker can rewrite packet header fields through flow rules and thereby circumvent security rules and carry out attacks.

Existing research, domestic and foreign, detects conflicts mainly with graph search, header space analysis (HSA) and similar methods, and resolves them with role-based identity authentication, packet tagging and rerouting strategies. Several problems remain to be solved: (1) conflict detection by graph search takes too long to meet the requirements of a real network; (2) conflict detection with HSA must encode the rule match fields, which also carries a large time overhead; (3) in conflict resolution, role-based authentication does not take the dependencies between rules into account and may produce false positives and missed detections, while adding tags to packets may itself introduce new conflicts.

Supported by the National Key Basic Research and Development Program (973 Plan) project "Research on the basic network system of reconfigurable information and communication", this thesis proposes optimizations and improvements to the graph search algorithm, the header space analysis algorithm and the rule conflict resolution method in order to detect and resolve flow rule conflicts in SDN. The research work and main contributions are as follows:

1. A rule conflict detection mechanism based on a Path-Tree model. Using the properties of the Path-Tree, end-to-end reachability verification of the data plane is concentrated into a single graph indexing pass, and a minimum equivalent graph is built, which greatly reduces the number of index operations. Compared with the existing detection tool FlowChecker, the proposed mechanism reduces detection time by about 44%.

2. An efficient algorithm for flow rule conflict detection. By compressing the flow tables, the mechanism builds a port-based rule topology, computes end-to-end reachability directly from that topology, and so quickly detects rule conflicts in the network. Simulation results show that, under the same conditions, the proposed mechanism reduces detection time by about 15% compared with the existing detection mechanism.

3. A conflict resolution method based on secure-path rerouting. Using the real-time state of the SDN network, selected properties of each switch node are defined as feature values, and a BP neural network predicts node behavior to judge the security state of the node. The node situation is fed back to the controller in real time, and the controller selects a safer path for rerouting the traffic according to the condition of the switches, avoiding dangerous nodes and thereby resolving the rule conflicts.
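The header-rewriting bypass and the end-to-end reachability check described above, as an added example that is not the thesis's code and does not implement its Path-Tree or port-topology algorithms: a small Python model of OpenFlow-style flow tables replays a flow that a firewall policy must drop through every switch on its path, applying set-field rewrites along the way, and reports the chain of rules that lets it through. The switch names s1 and s2, hosts hA and hC, the addresses, the rule names and the two-switch topology are all constructed for the illustration.

```python
"""
End-to-end reachability check over OpenFlow-style flow tables.

Added example (not the thesis's code). It shows the failure mode the
abstract describes: a flow rule whose set-field action rewrites a header
so that a packet the firewall policy must drop is forwarded anyway, and
how replaying the forbidden flow through every switch on its path exposes
the conflicting rules. Switch names, ports, addresses and rules below are
all constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]   # header field -> value, e.g. {"tcp_dst": 22}
Action = Tuple               # ("set", field, value) | ("output", port) | ("drop",)


@dataclass
class Rule:
    name: str
    priority: int
    match: Packet            # fields omitted from the match are wildcards
    actions: List[Action]


@dataclass
class Switch:
    name: str
    rules: List[Rule]

    def lookup(self, pkt: Packet) -> Optional[Rule]:
        """Highest-priority matching rule, or None on a table miss."""
        hits = [r for r in self.rules
                if all(pkt.get(k) == v for k, v in r.match.items())]
        return max(hits, key=lambda r: r.priority) if hits else None


def trace(pkt: Packet, switches: Dict[str, Switch],
          links: Dict[Tuple[str, int], Tuple[str, int]],
          hosts: Dict[Tuple[str, int], str],
          ingress: Tuple[str, int], max_hops: int = 32):
    """Follow one packet hop by hop, applying rewrites as it goes.

    Returns (outcome, path): outcome is "reach:<host>", "drop", "miss" or
    "loop"; path is the list of (switch, rule name) pairs that were applied.
    """
    pkt = dict(pkt)                  # set-field actions mutate this copy
    sw, in_port = ingress
    path, seen = [], set()
    for _ in range(max_hops):
        pkt["in_port"] = in_port
        state = (sw, tuple(sorted(pkt.items())))
        if state in seen:            # same header back at same switch: loop
            return "loop", path
        seen.add(state)
        rule = switches[sw].lookup(pkt)
        if rule is None:
            return "miss", path
        path.append((sw, rule.name))
        out_port = None
        for act in rule.actions:
            if act[0] == "drop":
                return "drop", path
            if act[0] == "set":
                pkt[act[1]] = act[2]
            elif act[0] == "output":
                out_port = act[1]
        if out_port is None:         # an empty action list drops in OpenFlow
            return "drop", path
        if (sw, out_port) in hosts:
            return "reach:" + hosts[(sw, out_port)], path
        if (sw, out_port) not in links:
            return "miss", path
        sw, in_port = links[(sw, out_port)]
    return "loop", path


def build_network(attacker_rule_installed: bool):
    """Two switches: s1 (edge for host hA) and s2 (firewall plus edge for hC)."""
    s1 = Switch("s1", [
        Rule("fwd_to_s2", 10, {"ip_dst": "10.0.0.3"}, [("output", 2)]),
    ])
    if attacker_rule_installed:
        # Malicious rule: rewrite the source address before the firewall sees it.
        s1.rules.append(Rule("evade", 200, {"ip_src": "10.0.0.1", "tcp_dst": 22},
                             [("set", "ip_src", "10.0.0.9"), ("output", 2)]))
    s2 = Switch("s2", [
        Rule("fw_block_ssh", 100, {"ip_src": "10.0.0.1", "tcp_dst": 22}, [("drop",)]),
        Rule("fwd_to_hC", 10, {"ip_dst": "10.0.0.3"}, [("output", 2)]),
    ])
    links = {("s1", 2): ("s2", 1), ("s2", 1): ("s1", 2)}
    hosts = {("s1", 1): "hA", ("s2", 2): "hC"}
    return {"s1": s1, "s2": s2}, links, hosts


def find_conflicts(attacker_rule_installed: bool) -> List[Tuple[str, str]]:
    """Policy: hA (10.0.0.1) must never reach hC (10.0.0.3) on TCP/22.

    Replays the forbidden flow from hA's ingress port; a non-empty result is
    the chain of rules that lets it through, i.e. a rule conflict.
    """
    switches, links, hosts = build_network(attacker_rule_installed)
    forbidden = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.3", "tcp_dst": 22}
    outcome, path = trace(forbidden, switches, links, hosts, ingress=("s1", 1))
    return path if outcome == "reach:hC" else []


if __name__ == "__main__":
    print("clean network  :", find_conflicts(False))  # []
    print("with evade rule:", find_conflicts(True))   # [('s1', 'evade'), ('s2', 'fwd_to_hC')]
```

The returned chain is what an operator needs: it names the rule that rewrote the header (evade on s1) and the downstream rule that forwarded the rewritten packet (fwd_to_hC on s2), so the dependency between the two rules, the point the abstract raises against role-based authentication, is visible rather than hidden. A production checker would walk the symbolic header space of a policy (as HSA does) rather than one concrete packet, since a single sample packet cannot show that every address or port the policy covers is blocked.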
Keywords/Search Tags:Software Defined Networking, Flow Tables, Conflict Detection, Conflict Resolution, Rerouting