
Research On SDN Controller Security And Flow Rule Conflict Detection

Posted on: 2020-10-01
Degree: Master
Type: Thesis
Country: China
Candidate: L B Chai
Full Text: PDF
GTID: 2428330596975534
Subject: Engineering
Abstract/Summary:
As an emerging network architecture, software-defined networking (SDN) offers a new solution to the problems of traditional networks by decoupling the control plane from the data plane. The functions of the control plane are concentrated in the controller, so the security of the controller is the basis for stable operation of the whole network. However, the centralized control and open programming interfaces of the SDN architecture also bring new security issues. This thesis analyzes the security problems of the control plane in depth, uses active scanning to test for known security problems, and uses fuzz testing to find unknown ones. For the problem of flow rule conflict detection when multiple applications coexist, a conflict detection algorithm based on a Hash-Trie is proposed to assist the controller in security detection. The thesis also implements an SDN controller security and flow rule conflict detection platform for security testing of the controller. The main work of this thesis is as follows:

(1) In-depth analysis of the controller's security problems, combining testing for known security problems with detection of unknown ones. Known security problems are tested by active scanning, with specific test schemes designed for access control, identity authentication, flow rule consistency detection, secure communication, DoS/DDoS attacks, and OpenFlow protocol legality detection. Fuzz testing is used to discover unknown security problems in the controller: test cases are generated by randomizing OpenFlow packets, executed by applying packet loss, delay, repetition, and redirection to the packet transmission process, and security issues are identified by monitoring and analyzing abnormal conditions.

(2) A Hash-Trie-based detection algorithm is designed for conflicts between flow rules when multiple applications coexist in the controller. The algorithm normalizes each flow rule into a priority, a match field, and an action field. The restructured storage of flow rules has five layers: switch dpid, flow table table_id, priority, match field, and flow_id set. A combination of hash table and Trie tree speeds up the matching of flow rules; set operations quickly identify conflicting flow rules, after which the conflict relationship between the rules is determined. Three kinds of data sets are designed to evaluate the algorithm's performance; compared with the baseline algorithm, the proposed algorithm has better running time.

(3) To carry out comprehensive security testing of the controller, this thesis designs and implements the controller security and conflict detection platform. The SDN controller security detection platform consists of five parts: front-end interface, system management module, controller and application module, intermediate layer module, and network simulation module. The platform constructs an SDN network environment, builds the various test scenarios, runs the test process, and collects network state information to determine whether a test succeeded. It also implements the test schemes for the known security problems, the fuzz testing schemes, and the flow rule conflict detection algorithm proposed in this thesis, and provides a front-end interface that displays the execution logs of each module and the test results.
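As an added illustration (not code from the thesis), the following Python sketch shows the layering described in (2): hash layers dpid, table_id and priority, a trie over the match fields, and a flow_id set at the leaf, with set differences used to find overlapping rules and then classify the relation between them. The match-field order, the sample rules and the relation labels (redundant/conflict/shadowed/overlap) are assumptions.

```python
from collections import defaultdict, namedtuple
FIELDS = ("in_port", "eth_type", "ip_src", "ip_dst")  # constructed match-field order
# match: field -> value, an absent field is a wildcard ("*"); actions: tuple of strings
FlowRule = namedtuple("FlowRule", "flow_id dpid table_id priority match actions")

class HashTrieIndex:
    """Hash layers dpid -> table_id -> priority, then a match-field trie ending in a flow_id set."""
    def __init__(self):
        # trie nodes are dicts keyed by field value or "*"; the leaf key None holds the flow_id set
        self.tries = defaultdict(lambda: defaultdict(lambda: defaultdict(dict)))
        self.rules = {}  # flow_id -> FlowRule, kept for action and priority comparison

    def insert(self, rule):
        node = self.tries[rule.dpid][rule.table_id][rule.priority]
        for f in FIELDS:
            node = node.setdefault(rule.match.get(f, "*"), {})
        node.setdefault(None, set()).add(rule.flow_id)
        self.rules[rule.flow_id] = rule

    def _overlapping(self, root, rule):
        # Rules overlap when every field is equal or wildcarded on at least one side.
        frontier = [root]
        for f in FIELDS:
            v = rule.match.get(f, "*")
            frontier = [c for n in frontier for k, c in n.items() if v == "*" or k in (v, "*")]
        return set().union(*(n[None] for n in frontier)) - {rule.flow_id}

    def classify(self, rule):
        """Relation of each overlapping rule in the same switch/table to `rule`."""
        out = {}
        for prio, root in self.tries.get(rule.dpid, {}).get(rule.table_id, {}).items():
            for fid in self._overlapping(root, rule):
                other = self.rules[fid]
                covers = all(other.match.get(f, "*") in ("*", rule.match.get(f, "*")) for f in FIELDS)
                if other.actions == rule.actions:
                    out[fid] = "redundant"
                elif prio == rule.priority:
                    out[fid] = "conflict"   # same priority, different actions: winner undefined
                elif prio > rule.priority and covers:
                    out[fid] = "shadowed"   # higher-priority rule hides every packet of `rule`
                else:
                    out[fid] = "overlap"    # partial overlap, or `rule` outranks the other
        return out

def demo():  # constructed sample: three apps installed rules on switch 1, table 0
    idx = HashTrieIndex()
    idx.insert(FlowRule("fw", 1, 0, 20, {"ip_dst": "10.0.0.2"}, ("drop",)))
    idx.insert(FlowRule("lb", 1, 0, 10, {"in_port": 1, "ip_dst": "10.0.0.2"}, ("output:3",)))
    idx.insert(FlowRule("mon", 1, 0, 10, {"in_port": 1}, ("output:2",)))
    return idx.classify(FlowRule("fwd", 1, 0, 10, {"in_port": 1, "ip_dst": "10.0.0.2"}, ("output:2",)))
```

Because the hash layers narrow the search to one switch and table before the trie walk, only rules that can actually share packets with the new rule are ever compared.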
Keywords/Search Tags: SDN, Security Test, Conflict Detection, Test Platform