SDN南向安全性及关键技术研究

发布时间：2018-05-26 18:47

本文选题：软件定义网络 + OpenFlow协议　；参考：《北京邮电大学》2017年硕士论文

【摘要】：当前网络发展过程中面临着各种各样的机遇与挑战,SDN(Software-Defined Networking,软件定义网络)技术通过将网络控制与流量转发相互分离,为网络创新提供了良好的平台。随着SDN技术不断发展,基于SDN的应用场景不断增多,同时也给SDN带来了一些凸显的问题,其中SDN南向安全性问题已经成为了制约SDN产业发展的关键性问题之一。一方面,目前SDN南向通道建立过程中存在安全问题,在SDN南向通道建立过程中,攻击者利用交换机并使用普通TCP连接方式很容易进行虚假接入,使得南向接口易于受到攻击而降低整个网络的可用性和完整性;另一方面,在数据转发层中,通过使用OpenFlow协议,可以有效检测和处理现有TCP/IP网络架构下诸如DDoS(Distributed Denial of Service,分布式拒绝服务攻击)攻击等各种网络攻击行为,然而目前OpenFlow的流表并没有提供足够的协议无关性以支持对异构网络模型的转发与策略部署,同时也无法支持数据转发层中异构网络的安全策略。本文基于上述安全问题做了深入研究,具体包括以下内容:(1)从南向通道建立机制以及OpenFlow南向协议入手,通过拓展OpenFlow消息体,提出在普通TCP连接方式下基于AES(AdvancedEncryption Standard,高级加密标准)算法的安全准入模型,提高SDN南向接口安全性。(2)基于OpenFlow协议,拓展OpenFlow在数据转发层的协议无关特性,在兼容现有网络体系架构的基础上,提出基于OpenFlow的内容路由网络模型,增强数据转发层的安全性。(3 )通过上述基于OpenFlow的内容路由网络模型,提出一种针对该网络模型中存在的兴趣包泛洪攻击检测与防御机制,提高基于OpenFlow内容路由网络的安全特性。
[Abstract]:At present, there are various opportunities and challenges in the process of network development. SDN (Software-Defined Networking, software defined network) technology provides a good platform for network innovation by separating network control from traffic forwarding. With the continuous development of SDN technology, the application scenes based on SDN are increasing, and at the same time, SDN is brought to the same time. There are some prominent problems, among which the security problem of SDN south direction has become one of the key problems that restrict the development of SDN industry. On the one hand, there is a security problem in the process of establishing the south channel of SDN. In the process of building the SDN south channel, the attacker uses the switch and makes it easy to make false access with the common TCP connection. On the other hand, the use of OpenFlow protocol in the data forwarding layer can effectively detect and deal with various network attacks such as DDoS (Distributed Denial of Service, distributed denial of service attack) attacks in the data forwarding layer. However, the current OpenFlow flow table does not provide sufficient protocol independence to support the forwarding and policy deployment of heterogeneous network models. At the same time, it can not support the security strategy of heterogeneous networks in the data forwarding layer. This paper is based on the above security issues, including the following contents: (1) the establishment of a mechanism from the south channel. And OpenFlow south direction protocol, by expanding OpenFlow message body, the security access model based on AES (AdvancedEncryption Standard, advanced encryption standard) algorithm under common TCP connection is proposed, and the security of SDN south to interface is improved. (2) based on OpenFlow protocol, the protocol independent characteristics of OpenFlow in data forwarding layer are extended and compatible. On the basis of the existing network architecture, the content routing network model based on OpenFlow is proposed to enhance the security of data forwarding layer. (3) through the OpenFlow based content routing network model, this paper proposes a detection and defense mechanism for flooding attack in this network model, and improves the content routing based on OpenFlow. The security features of the network.
【学位授予单位】：北京邮电大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.02

【相似文献】