Research And Application Of Deep Programmable Network Security Mechanism

Posted on: 2021-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: L Mei
Full Text: PDF
GTID: 2428330605980086
Subject: Computer software and theory
Abstract/Summary:
Up to now, the software-defined network has been in development for more than ten years, and various controllers have appeared during this period, such as POX, Floodlight and PNPL. On the one hand, the controller's centralized network management lets network operators easily write network policies to manage network traffic using the programming interface the controller provides. On the other hand, centralized management also makes the network more vulnerable to attacks. Therefore, new security functions are continuously added to the controller to defend against possible attacks. As a result, the business logic responsible for forwarding on current controllers is tightly coupled with the security defense functions, which increases the burden on the controller and hinders its evolution. In addition, most current southbound interfaces use the OpenFlow protocol, but OpenFlow can only match network protocols with fixed formats. To adapt to constantly updated network protocols, it can only keep adding match fields, which makes the protocol more and more bloated and greatly limits the programmability of the network.

In response to the above problems, this paper designs and implements POSEC, a security subsystem for deep programmable networks. POSEC uses Protocol Oblivious Forwarding (POF), proposed by Huawei, to replace OpenFlow as the southbound protocol. POF flexibly supports changing protocol formats by means of a triple format, achieving deep network programming. To address the tight coupling between the forwarding business logic and the security functions, this paper decouples the security functions from the controller and places them on a security layer between the data plane and the control plane, so as to provide a common security defense mechanism for different controllers. Based on the POSEC system, we designed a lightweight application for defending against control plane denial-of-service attacks. Finally, simulation experiments tested the POSEC system's availability, defense performance, additional delay overhead, and computation and memory overhead.
Keywords/Search Tags: software-defined network (SDN), protocol-oblivious forwarding (POF), security