
Research and Implementation of Key Technologies in Secure Attachment Networks

Published: 2018-04-15 20:45

  Topics: software-defined networking + mimic routing; Source: University of Electronic Science and Technology of China, 2017 master's thesis


[Abstract]: SDN technology has revolutionized existing network architecture and meets the demands of reduced network complexity, cloud computing, and big data. Researchers usually focus on the SDN network itself and give little consideration to the process of evolving networks toward SDN, or to the reality that traditional network devices and SDN devices will coexist in real networks for a long time. The generality, simplicity, and efficiency of the SDN data plane, together with the architecture that separates the control plane from the data plane, also bring new ideas for network routing security. At the same time, as network functions grow more complex, networks are controlled by multiple users and multiple applications, and current open-source controllers still have shortcomings in supporting multiple users and multiple applications. This thesis therefore makes some research attempts in two directions: routing security in hybrid SDN networks, and SDN network operating systems. The thesis first studies layer-3 routing interworking between SDN networks and traditional IP networks, and designs and implements an OpenFlow routing controller that realizes routing-protocol interaction and correct forwarding of data packets between SDN networks and traditional IP networks, promoting the deployment of SDN technology in real networks. On this basis, the thesis introduces a routing decision layer between multiple OpenFlow routing controllers and the OpenFlow switches, forming a mimic routing system. The system turns the routing entity into a mimic entity, which makes it harder for network attackers to probe routing-entity vulnerabilities, isolates routing entities that attackers have paralyzed or disrupted, and keeps network routing stable and correct. However, as SDN networks develop and network functions become ever more complex, existing open-source controllers fall short in areas such as the simplicity of the northbound interface and data persistence capability. In particular, network resources are virtualized, multiple users share network resources, and the network is controlled by multiple upper-layer network applications. Network rule conflicts may arise among multiple users and multiple applications, causing inconsistent network management state, and may even be exploited by malicious applications or users to deliberately disrupt the network. The mimic routing system can protect only a single routing node and is powerless against the situations above. The thesis therefore goes on to study the implementation of a network operating system and, for the problem of network rule conflict detection, proposes a rule conflict detection algorithm based on state decomposition, which is implemented in the thesis's network operating system. System testing shows that the mimic routing system can realize routing interaction between SDN and traditional IP networks and turns the routing entity into a mimic entity, increasing the security of network routing; the network operating system simplifies the northbound interface, eases the development and deployment of upper-layer applications, and persists network state data, and its rule conflict detection module detects network rule conflicts accurately and efficiently.
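[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.0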



