
Research And Implementation Of SDN Flow Table Data Protection Scheme

Posted on: 2020-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Wang
Full Text: PDF
GTID: 2428330572472225
Subject: Information security
Abstract/Summary:
Software-defined networking (SDN) is a new network architecture whose core idea is to split the traditional network into a control plane and a data plane, restructuring the network and making its operation, maintenance and management more efficient. The new architecture, however, also brings new security challenges. In particular, once control of the network is concentrated in the control plane, the control plane schedules and manages the data plane: it talks to the physical forwarding devices of the data plane over the southbound communication channel and steers data traffic through the network by issuing flow table entries. The flow table therefore becomes the most sensitive data in the new architecture, and the focus of attention for security researchers and attackers alike. By studying the security threats at each stage of the flow table's path in a software-defined network, from the OpenFlow controller, across the southbound communication channel, to the OpenFlow switch, this thesis proposes a complete flow table data protection scheme.

First, since the OpenFlow southbound protocol and equipment vendors have neglected security, this thesis borrows the idea of Kerberos authentication and proposes a scheme that encrypts communication data at its source. The scheme completes identity authentication of the communicating parties and assignment of a session key over an insecure channel, and then uses the efficient AES symmetric cipher so that each message exists only as ciphertext until it reaches its endpoint, giving the communication data end-to-end protection. The scheme is implemented as a forwarding agent, and its performance is measured against the Floodlight controller with the CBench test tool. The results show that the source encryption scheme not only encrypts the communication data end to end, but also increases the controller's response delay by only about 8% relative to a controller with TLS enabled alone; the source encryption step by itself accounts for about 4%.

Second, the flow table data inside an OpenFlow switch must support high-speed, frequent lookups and is stored in the switch's memory in plaintext. This thesis proposes a tamper-resistance scheme for flow table data that addresses the possible attacks on it. The scheme is built on the open-source Open vSwitch implementation: part of its code is modified and combined with external programs developed in this work, so that flow records are audited and protected against tampering.

Finally, this thesis designs and implements a prototype SDN flow table protection system, with an identity authentication and key distribution module, a flow table source encryption and forwarding module, a flow table tamper-proofing module, and a complete user interface for status display and operation scheduling. Besides protecting flow table information, the system simplifies the administrator's workflow and improves working efficiency.
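The two mechanisms the abstract describes, sketched as an added example in Go. This is not code from the thesis or its prototype: the abstract gives neither the message format, the ticket layout nor the Open vSwitch changes, so all of those are assumptions here. A trusted authentication server in the Kerberos KDC role issues one fresh session key and hands it back sealed under the controller's long-term key and under the switch's; the controller then seals a FLOW_MOD body under the session key so it crosses the southbound channel only as ciphertext; and the switch stores an HMAC audit tag beside each installed flow record, so an edit made directly in switch memory, bypassing OpenFlow, shows up on the next audit. The keys, the two OpenFlow header bytes used as associated data, the text encoding of the flow entry and the "peer=" labels are all constructed for the example, and AES-GCM is used where the abstract says only AES, because it authenticates as well as encrypts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keys each principal shares with the authentication server (Kerberos KDC role) and a
// switch-local audit key. All three are constructed for this example, not provisioning material.
var (
	controllerKey = bytes.Repeat([]byte{0x11}, 32)
	switchKey     = bytes.Repeat([]byte{0x22}, 32)
	auditKey      = bytes.Repeat([]byte{0x33}, 32)
)

func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key) // fails only for a bad key length; every key here is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	return g
}

// seal: AES-256-GCM. aad is sent in the clear but bound to the tag. Output: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error since Go 1.24; it crashes instead
	return g.Seal(nonce, nonce, plaintext, aad)
}

// unseal fails on any change to ciphertext, tag or aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// issueSessionKey plays the authentication server: one fresh session key, returned once under the
// controller's long-term key and once under the switch's (the ticket), so the key itself never
// crosses the unsecured southbound channel in the clear. The peer labels are hypothetical.
func issueSessionKey() (forController, forSwitch []byte) {
	sk := make([]byte, 32)
	rand.Read(sk)
	return seal(controllerKey, sk, []byte("peer=switch")), seal(switchKey, sk, []byte("peer=controller"))
}

// FlowEntry is a minimal flow record as the switch holds it; Tag is its audit MAC.
type FlowEntry struct{ Match, Actions string; Tag []byte }

func tagFor(match, actions string) []byte {
	m := hmac.New(sha256.New, auditKey)
	m.Write([]byte(match + "\x00" + actions)) // separator keeps the two fields unambiguous
	return m.Sum(nil)
}

// Audit re-derives every tag and returns the indices of records that no longer match it.
func Audit(table []FlowEntry) []int {
	var bad []int
	for i, e := range table {
		if !hmac.Equal(e.Tag, tagFor(e.Match, e.Actions)) {
			bad = append(bad, i)
		}
	}
	return bad
}

// Demo: key issue, sealed FLOW_MOD, install with tag, audit, in-memory edit, audit again.
func Demo() (installed string, cleanBad, tamperedBad []int) {
	tC, tS := issueSessionKey()
	skC := must(unseal(controllerKey, tC, []byte("peer=switch")))
	skS := must(unseal(switchKey, tS, []byte("peer=controller")))
	hdr := []byte{0x04, 0x0e} // OpenFlow 1.3 version and OFPT_FLOW_MOD type, left in the clear
	wire := seal(skC, []byte("in_port=1,nw_dst=10.0.0.2|output:2"), hdr) // hypothetical text encoding
	body := must(unseal(skS, wire, hdr))
	f := bytes.SplitN(body, []byte("|"), 2)
	table := []FlowEntry{{string(f[0]), string(f[1]), tagFor(string(f[0]), string(f[1]))}}
	installed, cleanBad = string(body), Audit(table)
	table[0].Actions = "output:3" // attacker rewrites the record in switch memory, not via OpenFlow
	tamperedBad = Audit(table)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Running the file prints the installed record, an empty index list for the clean audit and [0] after the tamper. The audit tag only helps if the audit key is held somewhere an attacker who can rewrite switch memory cannot read; the abstract's mention of external programs working alongside the modified Open vSwitch hints at such a split but does not specify it, so where that key lives is a design decision the example leaves open.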
Keywords/Search Tags:SDN, Flow Table, Source encryption, Anti-Tamper, OpenFlow