
Research On Binding Table's Security Problems Of IPv6 Source Address Validation In SDN

Posted on: 2020-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y Lu
Full Text: PDF
GTID: 2428330590483219
Subject: Computer technology
Abstract/Summary:
IPv6 effectively solves the shortage of IPv4 network addresses, but its large subnet address space makes forged-source-address attacks more difficult to defend against. Source address validation can fundamentally solve the problem of forged source addresses. Although source address validation is implemented in different ways in various heterogeneous networks, most implementations record the binding relationship between an IP address and a trust anchor in a binding table. Ensuring the security of the binding table is therefore the core of source address validation.

Actual experiments show that the binding table of source address validation in SDN (Software Defined Network) is easily damaged by forged AAM (Address Assignment Mechanism) packets, that the binding table has no update mechanism, and that the packet monitoring mechanism is vulnerable. To address these binding table security problems of source address validation in SDN, this paper designs and implements a binding table security guarantee scheme, which mainly includes three modules: AAM packet validation and processing, binding table update, and AAM packet monitoring optimization. The AAM packet validation and processing module constructs an AAM packet validation table based on host information. The module verifies AAM packets against the validation table and router advertisement messages, and uses a First Come First Serve (FCFS) strategy and a controller-assisted response method to process messages. The update module sets, updates, and periodically checks the IP valid lifetime. At the same time, it monitors port status and detects whether a host is offline in order to update the binding table. The monitoring optimization module designs a three-level flow table structure and uses meters to rate-limit ports, which addresses the vulnerability of the monitoring mechanism.

The experimental SDN platform is built on the Floodlight controller and the Mininet network simulation software. It reproduces the pollution and damage to the binding table caused by forged AAM messages, and defense experiments demonstrate the effectiveness of the validation module. Expired IP address and host offline scenarios were designed to demonstrate the effectiveness of the update method. The superiority of the monitoring optimization method is illustrated by comparative experiments under different schemes.
Keywords/Search Tags:Software Defined Network, Source Address Validation, Binding Table, IPv6
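
The FCFS rule and the update module described in the abstract can be modelled in a few lines. This is an added sketch, not code from the thesis: the class and method names are hypothetical, the trust anchor is assumed to be a (switch, port, MAC) tuple, and AAM packets are assumed to have already passed the validation table check.

```python
# Added illustration; every name here is hypothetical, not taken from the thesis.
from dataclasses import dataclass

@dataclass
class Binding:
    anchor: tuple    # assumed trust anchor: (switch_id, port, mac)
    expires: float   # time at which the IP valid lifetime ends

class BindingTable:
    def __init__(self):
        self.by_ip = {}

    def on_aam(self, ip, anchor, lifetime, now):
        """Process an already-validated AAM claim; True if anchor now holds ip."""
        cur = self.by_ip.get(ip)
        if cur and cur.expires > now and cur.anchor != anchor:
            return False  # FCFS: a live binding from another anchor wins
        self.by_ip[ip] = Binding(anchor, now + lifetime)  # create or refresh
        return True

    def check_source(self, ip, anchor, now):
        """Forwarding decision: accept only a live, matching (ip, anchor) pair."""
        b = self.by_ip.get(ip)
        return b is not None and b.expires > now and b.anchor == anchor

    def sweep(self, now):  # periodic lifetime check
        return self._drop(lambda b: b.expires <= now)

    def on_port_down(self, switch_id, port):  # host offline
        return self._drop(lambda b: b.anchor[:2] == (switch_id, port))

    def _drop(self, pred):
        gone = [ip for ip, b in self.by_ip.items() if pred(b)]
        self.by_ip = {ip: b for ip, b in self.by_ip.items() if ip not in gone}
        return gone

def demo():
    # Constructed sample hosts; the address uses the 2001:db8::/32 documentation prefix.
    t, ip = BindingTable(), "2001:db8::10"
    host = ("s1", 1, "00:00:00:00:00:01")
    forger = ("s1", 2, "00:00:00:00:00:02")
    return [
        t.on_aam(ip, host, 60, now=0),        # first claim creates the binding
        t.on_aam(ip, forger, 60, now=10),     # conflicting claim is rejected
        t.check_source(ip, forger, now=10),   # spoofed source does not match
        t.sweep(now=61),                      # lifetime ended, binding removed
        t.on_aam(ip, forger, 60, now=61),     # address is free to bind again
        t.on_port_down("s1", 2),              # port down clears that binding
    ]
```

Without `sweep` and `on_port_down`, the first binding would persist indefinitely, which is the missing update mechanism the abstract identifies.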