Research On SDN Control Plane Security Defense Based On Switch Migration

Posted on: 2021-09-21
Degree: Master
Type: Thesis
Country: China
Candidate: Y W Pu
Full Text: PDF
GTID: 2518306470969449
Subject: Computer technology

Abstract/Summary:
Software Defined Networking (SDN) separates the network's forwarding and control functions. With its network virtualization and centralized control, it is often used by industry to solve the problem of rigid network structure. However, the flexible network structure also makes the controller more vulnerable to malicious traffic attacks. When there is a surge in traffic or another change, the controller and the switch cannot quickly adapt to the change in load. Especially in large-scale SDN deployments, this causes unbalanced load on the control plane, which in turn results in security risks. How to protect the controller, especially the backbone controller, from physical threats and improve the security of the SDN control plane is a very important issue.

In an SDN network, the switch and the controller interact as follows: when user traffic arrives and there is no matching flow entry in the switch's flow table, the switch sends a Packet-In message to its main controller to request routing information. An attacker can easily use this mechanism to launch an attack on the controller, causing the controller to overheat or even causing a cascading failure of the control plane, resulting in system failure. The backbone controller is the core of the SDN network. It receives more requests from switches and processes a large number of messages, which makes it easier for attackers to identify, to subject to malicious interception, or to overwhelm with malicious traffic.

To protect the backbone controller, switch migration is used to implement active defense: the load under the backbone controller is migrated to other controllers to reduce the possibility of the backbone controller being identified and attacked. At the same time, the load between the controllers is balanced as much as possible. To meet the security requirements of a distributed control plane, an SDN control plane security defense solution based on switch migration is proposed. While ensuring the security of the controller, it also keeps the cost of the scheduling process under control. The specific content is as follows:

(1) To reduce the possibility of the backbone controller being identified and to reduce the cost of migrating switches, this paper proposes a Switch Migration Algorithm Based on Minimum Cost Path (SMCP). The minimum-cost migration path is obtained through an improved Dijkstra algorithm, and the optimal set of switches to migrate is determined according to the load status of the controller and the traffic priority of the switches to be migrated. The algorithm ensures a good balance of the control plane load after migration, reduces the possibility of the backbone controller being monitored and identified, reduces the migration cost, and ensures that important traffic is processed preferentially.

(2) The SMCP migration algorithm proposed in this paper further reduces the cost of migration by reducing the number of migrations. The overloaded controller adopts a one-time balancing method to reduce its load. In each subsequent balancing process, the algorithm performs only one migration operation, which reduces the number of migrations, reduces the migration cost, and improves the stability of the system.

(3) To reduce frequent migration and avoid unnecessary migration operations, a load prediction module is added to the migration model. The traditional method decides whether to migrate from the controller threshold alone: once the load value is greater than the threshold, the migration is performed, which generates a lot of migration cost and reduces the stability of the system. For example, the controller exceeds the threshold at the current moment, but the controller traffic returns to normal at the next moment. In that case the migration is unnecessary and incurs a corresponding unnecessary cost. The load prediction module predicts the load situation at the next moment to determine the target controller and the timing of the migration trigger, which reduces unnecessary migration and ensures system stability.

(4) This paper gives a solution to the problem of isolated nodes that may arise during the migration process. Migrating one or several switches may create isolated (orphaned) nodes. The switches in an isolated node send requests to the local and target domain controllers at the same time, which burdens both controllers and reduces controller performance. This paper proposes an isolated node processing algorithm to solve the problem of isolated nodes during the migration process and reduce the controller response time.
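
The difference between the threshold-only trigger and the prediction-gated trigger described in item (3) can be shown in a few lines. This is an added illustration, not code from the thesis: the abstract does not say which predictor is used, so exponential smoothing, the threshold value, the controller names and the Packet-In rate samples below are all assumptions constructed for the example.

```python
# Added illustration (not the thesis's code): threshold-only vs.
# prediction-gated migration trigger. Predictor, constants and
# sample loads are assumptions constructed for this example.
ALPHA = 0.5        # smoothing weight of the assumed EWMA predictor
THRESHOLD = 1000   # assumed sustainable Packet-In rate per controller (msg/s)

# Constructed Packet-In rate history per controller, oldest sample first.
SAMPLE = {
    "backbone": [700, 1100, 1250, 1300],   # sustained overload
    "c2":       [600, 620, 610, 1300],     # one-sample spike
    "c3":       [300, 320, 310, 330],
    "c4":       [500, 480, 520, 510],
}

def predict_next(history, alpha=ALPHA):
    """One-step-ahead load forecast by exponential smoothing."""
    forecast = float(history[0])
    for sample in history[1:]:
        forecast = alpha * sample + (1 - alpha) * forecast
    return forecast

def threshold_only(loads, threshold=THRESHOLD):
    """Traditional trigger: migrate as soon as the current load exceeds the threshold."""
    return [c for c, hist in loads.items() if hist[-1] > threshold]

def prediction_gated(loads, threshold=THRESHOLD):
    """Migrate only when the current AND the predicted load exceed the threshold.

    Returns {overloaded controller: target controller}. The target is the
    controller with the lowest predicted load that can absorb the predicted
    excess without crossing the threshold itself.
    """
    forecasts = {c: predict_next(hist) for c, hist in loads.items()}
    plan = {}
    for c, hist in loads.items():
        if hist[-1] <= threshold or forecasts[c] <= threshold:
            continue  # not overloaded now, or the overload is predicted to pass
        excess = forecasts[c] - threshold
        candidates = {t: f for t, f in forecasts.items()
                      if t != c and f + excess <= threshold}
        if candidates:
            plan[c] = min(candidates, key=candidates.get)
    return plan

if __name__ == "__main__":
    print("threshold-only migrates:", threshold_only(SAMPLE))
    print("prediction-gated plan:  ", prediction_gated(SAMPLE))
```

On the constructed data the threshold-only trigger migrates switches away from both `backbone` and `c2`, while the gated trigger skips the transient spike on `c2` and moves load only from `backbone` to `c3`.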

Keywords/Search Tags: Software Defined Network, Dijkstra Algorithm, Load Balancing, Load Prediction, Switch Migration