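Research and Application of SDN Northbound Security Issues in a Multi-Controller Environment
Published: 2018-05-31 01:36
Topic: software-defined networking + northbound security; Source: University of Electronic Science and Technology of China, master's thesis, 2017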
[Abstract]: SDN (software-defined networking) decouples the control plane from the data plane of traditional networks, but some threats found in traditional networks still exist in SDN. As network requirements grow more diverse and individualized, no standardized northbound interface protocol has yet emerged, while applications on the SDN northbound side will gradually become more individualized and place more emphasis on fine-grained management. Applications often come from third-party vendors, so verifying their security is one of the problems that urgently needs to be solved. Application authentication, authorization, access control and accountability mechanisms are the main sources of SDN northbound security threats. At the same time, limits on controller capacity can lead to a single point of failure; to address this, the use of multiple controllers has been proposed. In view of the above, this thesis focuses on SDN northbound security issues under multiple controllers, proposes a solution to them, and designs and implements the corresponding architecture. The main research content is as follows.
First, the thesis reviews the state of prior research on SDN northbound security and analyzes the main issues: application identity authentication, authorization, permissions and accountability, as well as single point of failure. Next, addressing the existing security problems and the shortcomings of prior research, it puts forward requirements and ideas for improvement, designs a preliminary solution and framework for SDN northbound security, and proposes a custom encoding rule used to manage the state of applications and controllers, among other things. It studies the partitioning of permissions, proposes a new, finer-grained and more individualized partitioning, and combines it with the custom encoding rule so that it plays a role in fault handling and routine management, giving the new SDN network architecture greater convenience and stronger security.
Then, the thesis refines the proposed architecture in detail, improves the existing controller and adds auxiliary modules, and designs the specifics of a proxy controller used to manage the tables related to applications, permissions and controllers. Starting from the controller single-point-of-failure problem, it combines ZooKeeper's properties, such as eventual consistency, with Floodlight to conceive and build a multi-controller environment in which the improved controllers and the proxy controller form a new multi-controller network. In this multi-controller environment, the basic framework is built and implemented, with interfaces reserved in the framework for customizable algorithms, so that extensibility is considered alongside improved security. Finally, the designed security architecture is compared with the original architecture of the Floodlight controller in terms of functionality, system performance and other aspects, and a security performance evaluation is made, completing the full design of the SDN northbound security solution.
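[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.0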
Article ID: 1957768
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1957768.html