SDN安全通信架构关键技术研究

发布时间：2018-03-09 09:42

本文选题：软件定义网络　切入点：安全架构　出处：《电子科技大学》2016年硕士论文　论文类型：学位论文

【摘要】：云计算、移动互联网、物联网等技术的迅猛发展,带来了新一轮的IT技术变革,迫切需要一种可伸缩、易管理且安全的网络管理办法。SDN(软件定义网络)的控制与转发分离的机制针对这一难题展示出其独特优势,但SDN架构存在的安全问题,使其应用受到阻碍。论文分析了现有SDN架构的特点和弱点。针对现有SDN架构中设备、应用、控制器三者认证缺失的问题,提出SDN安全通信架构。结合此架构给出了应用隔离的解决方案,并提出“网络结构进化”的观点。新架构极大增强了SDN安全实施的灵活性。以下为本论文主要的研究内容:第一,网络实体合法性的保障。针对SDN架构的特点以及架构存在的安全问题。提出动态密码实体认证的方案,并将此方案实施到SDN南北向接口中,解决SDN网络中控制器与交换设备,控制器与应用的身份认证的难题;第二,多控制器的实施。单控制器是SDN网络架构的最初原型,在这种情形下,控制层容易受到网络攻击,使控制器单点失效,以至网络的全局瘫痪。针对这个弊端,本论文结合前人的研究成果,提出了代理机制的控制器管理方案。用代理的方式来分配控制器给交换机,减缓这种攻击的可能。同时这种方案也为多控制器的研究提供一种全新的视角;第三,网络应用的标识和分类分隔。网络的应用相当于SDN网络的“思维”,它们的安全至关重要,直接关乎网络的整体安全。本论文提出的SDN安全通信架构可以满足应用的分类隔离和应用的权限管理。在此架构下,应用层是灵活的,不同类别的应用拥有不同的权限等级,且权限被限制在可控的权限域内。如果把应用直观地分为业务应用和安全应用时,两种应用彼此分隔,且安全应用的权限比业务应用的高。SDN安全通信架构,可以满足应用层的权限灵活部署。最后,设计了SDN安全通信架构的三种应用示例,引出“网络结构进化”的概念。
[Abstract]:With the rapid development of cloud computing, mobile Internet, Internet of things and other technologies, it has brought a new round of IT technological changes, and it urgently needs a kind of scalability. The mechanism of separating control and forwarding of SDN (Software defined Network) shows its unique advantages in view of this difficult problem, but the security problems exist in the SDN architecture. This paper analyzes the characteristics and weaknesses of the existing SDN architecture, aiming at the lack of authentication among the equipment, application and controller in the existing SDN architecture. The SDN security communication architecture is proposed, and the solution of application isolation is given. The new architecture greatly enhances the flexibility of SDN security implementation. The following are the main contents of this thesis: first, Aiming at the characteristics of SDN architecture and the security problems existing in the architecture, this paper puts forward a scheme of dynamic cryptographic entity authentication, and implements this scheme in the interface of SDN from south to north to solve the controller and switch equipment in SDN network. Second, the implementation of multi-controller. Single controller is the original prototype of SDN network architecture. In this case, the control layer is vulnerable to network attack and makes the controller single point failure. In order to solve this problem, this paper proposes an agent mechanism controller management scheme, which is used to distribute the controller to the switch in the way of agent. At the same time, this scheme also provides a new perspective for the study of multi-controller. Third, the identification and classification of network applications are separated. Network applications are equivalent to the "thinking" of SDN networks, and their security is crucial. The SDN security communication architecture proposed in this paper can satisfy the application classification isolation and application authority management. Under this framework, the application layer is flexible, and different classes of applications have different privilege levels. If the applications are divided intuitively into business applications and secure applications, the two applications are separated from each other, and the security applications have higher permissions than the security applications of the. SDN security communication architecture. Finally, three application examples of SDN secure communication architecture are designed, leading to the concept of "network structure evolution".
【学位授予单位】：电子科技大学
【学位级别】：硕士
【学位授予年份】：2016
【分类号】：TP393.02

【相似文献】