Research and Implementation of SDN Security Policy Conflict Handling Technology

Posted on: 2022-10-28
Degree: Master
Type: Thesis
Country: China
Candidate: R Chen
GTID: 2518306332967279
Subject: Cyberspace security

Abstract/Summary:
Software-Defined Networking (SDN) proposes an architecture that separates the control plane from the data plane, which improves the flexibility of network management. Different network applications are unaware of each other, so the flow rules they issue to network devices may conflict in the data plane. Such conflicts destroy network security attributes and disrupt the normal transmission of data packets, which seriously threatens the security and availability of network services. In short, a flow rule in SDN can cause the network security attributes to be violated. This paper studies the existing security policy conflict handling technology and proposes a security policy conflict handling technology based on the trie. An SDN security policy conflict handling system is designed and implemented. The approach greatly improves the efficiency of flow rule detection and enables the detection of flow rules that contain actions modifying match fields. Thus, a more refined security policy conflict resolution mechanism can be used to ensure that the network security attributes are not violated by flow rules issued by applications.

The main research contents and contributions of the paper are as follows:

This paper proposes a security policy conflict handling technology based on the trie. First, the trie-based security policy conflict detection algorithm preprocesses the flow rule issued by the application and adds it to the trie. The flow rule is traversed in the trie to divide the equivalence classes, and the equivalence classes that match the same flow rule are merged. Next, the algorithm constructs a forwarding graph for each equivalence class, and every forwarding graph is incrementally updated. Then, it traverses the forward and reverse paths in the forwarding graph to track the path traversed by the equivalence class and the change of the field value. Finally, the security policy conflict resolution algorithm based on the conflict domain executes the resolution corresponding to the type of conflict, to ensure that the SDN network services are not affected. Experimental results show that the algorithm can effectively detect and resolve the conflicts between flow rules and security policies in a short time.

This paper designs and implements an SDN security policy conflict handling system and a management system. The security policy conflict handling system includes a network state information collection module, a flow rule monitoring and analysis module, a trie construction module, an equivalence class calculation module, a forwarding graph generation module, and a security policy conflict detection and resolution module. The management system includes a flow rule query issuing module, a flow rule query and a topology query module. Finally, the effectiveness of the system's functions is verified by experiment.
Keywords/Search Tags:software-defined networking, flow rule, trie, conflict detection
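
The detection pipeline summarized in the abstract (trie insertion, equivalence classes, per-class forwarding path, policy check) can be illustrated with the following added example, which is not code from the thesis. It assumes a single 4-bit destination field, a hypothetical rule tuple `(switch, dst_prefix_bits, priority, next_hop)`, constructed switch names, and a waypoint policy; field-modifying actions and incremental graph updates are left out.

```python
from collections import defaultdict

class Node:
    def __init__(self):
        self.child, self.rules = {}, []

def build(rules):
    """Insert each rule (switch, dst_prefix_bits, priority, next_hop) into a bit trie."""
    root = Node()
    for rule in rules:
        node = root
        for bit in rule[1]:
            node = node.child.setdefault(bit, Node())
        node.rules.append(rule)
    return root

def equivalence_classes(root):
    """Map each distinct set of matching rules to the address prefixes it covers."""
    merged = defaultdict(list)   # classes matched by the same rules are merged
    def walk(node, prefix, inherited):
        rules = inherited + node.rules
        if not node.child:
            merged[frozenset(rules)].append(prefix)
            return
        for bit in "01":
            if bit in node.child:
                walk(node.child[bit], prefix + bit, rules)
            else:
                merged[frozenset(rules)].append(prefix + bit)
    walk(root, "", [])
    return merged

def path(rules, src):
    """Follow the highest-priority rule on each switch, stopping on a loop."""
    best = {}
    for sw, _, prio, nxt in rules:
        if sw not in best or prio > best[sw][0]:
            best[sw] = (prio, nxt)
    hops = [src]
    while hops[-1] in best and best[hops[-1]][1] not in hops:
        hops.append(best[hops[-1]][1])
    return hops

def conflicts(rules, protected, src, waypoint, dst):
    """Classes overlapping `protected` whose path from src to dst skips `waypoint`."""
    found = []
    for matched, prefixes in equivalence_classes(build(rules)).items():
        hops = path(matched, src)
        hit = sorted(p for p in prefixes
                     if p.startswith(protected) or protected.startswith(p))
        if hit and dst in hops and waypoint not in hops:
            found.append((hit, hops))
    return found

# Constructed sample: traffic to 10** must pass the firewall "fw" on its way to "h".
BASE = [("s1", "10", 1, "fw"), ("fw", "10", 1, "s2"), ("s2", "10", 1, "h")]
BYPASS = ("s1", "1011", 5, "s2")   # rule issued by a second, unaware application
```

Calling `conflicts(BASE + [BYPASS], "10", "s1", "fw", "h")` reports only the equivalence class `1011`, so a resolver can act on that class alone instead of rejecting the whole `10` prefix.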