Similar literature
1.
To address the fixed and limited set of match fields in the OpenFlow protocol and the lack of an effective forwarding verification mechanism for data flows in software-defined networking (SDN), this paper proposes a packet forwarding verification mechanism for SDN based on a programmable data plane. By attaching a custom cryptographic identifier to each data packet and adding P4 forwarding devices to an OpenFlow-based SDN, the mechanism precisely controls and samples network service flows without disturbing normal forwarding. The controller verifies the integrity of the sampled service packets and, for anomalous packets, issues flow rules to the OpenFlow forwarding devices so that maliciously tampered, forged or otherwise anomalous flows are brought under forwarding control. Finally, a forwarding verification prototype is built from P4 forwarding devices based on the open-source BMv2 and OpenFlow forwarding devices based on Open vSwitch, and experiments are run on a simulated network. The results show that the mechanism effectively detects forwarding anomalies such as tampering and forgery of service packets and, compared with similar verification mechanisms, achieves finer-grained precise control and sampling of service flows and lower forwarding latency while the security verification overhead stays unchanged.

2.
Existing forwarding verification mechanisms in software-defined networking (SDN) mostly add a new security communication protocol to verify packets hop by hop, which introduces communication and computation overhead. To address this, an SDN packet forwarding verification mechanism based on address overloading is proposed. The ingress switch overloads the packet's address information to divide a flow's lifetime into consecutive random time intervals, and each downstream node forwards packets according to the overloaded address information; within each sampling interval the controller samples the packets forwarded by the flow's ingress and egress switches, ...

3.
The Network Time Protocol (NTP) is used to synchronize the clocks of Internet hosts and provides a high-precision time calibration service. Starting from NTP's two authentication mechanisms, symmetric-key and asymmetric-key, this work studies NTP's vulnerability to sabotage by a forged server. A forged-server attack is proposed: ARP spoofing redirects the client's synchronization request packets to a forged server, the forged server constructs and sends the response packet, and the client accepts the response and synchronizes its clock to the forged server. Experimental results show that the method synchronizes the client's clock to that of the forged server, thereby tampering with the client's time.
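The defensive side of the abstract above, as an added example that is not code from the cited paper: a client that only accepts an NTP response carrying a valid RFC 5905 symmetric-key MAC, and that also checks the origin-timestamp echo. A forged server reached through ARP spoofing can echo the intercepted timestamps, but without the shared key it cannot produce the MAC, so the client keeps its clock. The MAC layout (32-bit key id followed by MD5 over key || 48-byte header) is the one RFC 5905 section 7.3 specifies; the key table, key id 42 and every timestamp are constructed for the demo.

```python
"""Added example (not code from the cited paper): client-side verification of an
NTP response under RFC 5905 symmetric-key authentication. The key table, key id
and all clock values are constructed."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800               # seconds from 1900-01-01 to 1970-01-01
KEYS = {42: b"constructed-shared-secret"}    # known to the client and the real server
MAC_LEN = 4 + 16                             # key id + MD5 digest


def ntp_header(mode, stratum, origin_ts, recv_ts, tx_ts):
    """Pack a 48-byte NTPv4 header; timestamps are 64-bit NTP format."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 4, -20,
                       0, 0, 0x4C4F434C,     # root delay, root dispersion, refid "LOCL"
                       0, origin_ts, recv_ts, tx_ts)


def unix_to_ntp(seconds):
    return (seconds + NTP_EPOCH_OFFSET) << 32


def build_request(client_clock=1_699_999_990):
    """Mode-3 client request; its transmit timestamp is what the server must echo."""
    return ntp_header(3, 0, 0, 0, unix_to_ntp(client_clock))


def build_response(request, key_id=None, server_clock=1_700_000_000):
    """Legitimate server: mode-4 reply echoing the client's transmit timestamp as the
    origin timestamp, with an RFC 5905 MAC appended when a key id is given."""
    client_tx = struct.unpack("!Q", request[40:48])[0]
    now = unix_to_ntp(server_clock)
    hdr = ntp_header(4, 2, client_tx, now, now)
    if key_id is None:
        return hdr
    return hdr + struct.pack("!I", key_id) + hashlib.md5(KEYS[key_id] + hdr).digest()


def forged_response(request, bogus_clock=1_000_000_000):
    """What the forged server can build once ARP spoofing hands it the request: it
    can echo the origin timestamp, but without the shared key it can only attach a
    MAC computed under a guessed key."""
    client_tx = struct.unpack("!Q", request[40:48])[0]
    now = unix_to_ntp(bogus_clock)
    hdr = ntp_header(4, 1, client_tx, now, now)
    return hdr + struct.pack("!I", 42) + hashlib.md5(b"guessed-key" + hdr).digest()


def verify_response(request, response):
    """Client: return the server transmit time (Unix seconds) or raise ValueError.
    Checks mode, origin-timestamp echo (an off-path forger never sees it) and MAC."""
    if len(response) < NTP_HEADER_LEN:
        raise ValueError("short packet")
    hdr, mac = response[:NTP_HEADER_LEN], response[NTP_HEADER_LEN:]
    if hdr[0] & 0x07 != 4:
        raise ValueError("not a server response")
    if hdr[24:32] != request[40:48]:
        raise ValueError("origin timestamp does not echo our transmit timestamp")
    if len(mac) != MAC_LEN:
        raise ValueError("missing or malformed MAC")
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        raise ValueError("unknown key id")
    expected = hashlib.md5(KEYS[key_id] + hdr).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        raise ValueError("bad MAC: not from a trusted server")
    tx_ts = struct.unpack("!Q", hdr[40:48])[0]
    return (tx_ts >> 32) - NTP_EPOCH_OFFSET


def accept_time(request, response):
    """(True, unix_seconds) when the client may step its clock, else (False, reason)."""
    try:
        return True, verify_response(request, response)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    req = build_request()
    print(accept_time(req, build_response(req, key_id=42)))   # accepted
    print(accept_time(req, build_response(req)))              # no MAC: rejected
    print(accept_time(req, forged_response(req)))             # wrong key: rejected
```

The origin-timestamp check alone stops blind spoofing but not the on-path forged server of the paper, which sees the request; only the MAC (or NTS on modern clients) closes that gap, and only if the client is configured to require it.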

4.
Abstract: Software defined networking (SDN) is a new network architecture that separates the control plane from the forwarding plane, making network management more flexible. Drawing on SDN's separation of control and forwarding, a centralized security center is introduced on top of SDN: it collects data from data-plane devices, analyzes network traffic, and identifies anomalous traffic behavior through entropy computation and classification algorithms. When an anomaly is detected, the security center notifies the security handling module on the SDN controller through its interface to the controller, and that module issues flow-table policies to mitigate the anomalous behavior. The system can quickly detect anomalous behavior in the network without affecting the performance of the SDN controller, restrict malicious attacking users through flow-table policies issued via SDN, and at the same time protect the SDN controller.
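The entropy computation the abstract mentions, as an added example that is not the paper's code: a detector learns baseline source and destination address entropies from known-good windows of sampled flow records, then flags a window whose destination entropy collapses (flows converging on one target) or whose source entropy explodes (spoofed sources), and turns a destination-concentration verdict into the flow rule the controller's security module would push. The flow records, the tolerance and the rule shape are constructed for the demo.

```python
"""Added example (not the paper's code): entropy-based anomaly check over flow
samples, as a security center could run over data collected from SDN devices.
Traffic windows, thresholds and the rule format are constructed."""
import math
import random
from collections import Counter


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())


class EntropyDetector:
    """Baseline src/dst entropies from known-good windows; a window is anomalous
    when destination entropy drops far below baseline (concentration on a victim)
    or source entropy rises far above it (spoofed, widely dispersed sources)."""

    def __init__(self, baseline_windows, tolerance=0.4):
        n = len(baseline_windows)
        self.base_dst = sum(entropy([r[1] for r in w]) for w in baseline_windows) / n
        self.base_src = sum(entropy([r[0] for r in w]) for w in baseline_windows) / n
        self.tol = tolerance

    def classify(self, window):
        """window: list of (src_ip, dst_ip, dst_port). Returns (verdict, metrics)."""
        h_dst = entropy([r[1] for r in window])
        h_src = entropy([r[0] for r in window])
        metrics = {"h_dst": round(h_dst, 2), "h_src": round(h_src, 2), "flows": len(window)}
        if h_dst < self.base_dst * (1 - self.tol):
            victim, hits = Counter(r[1] for r in window).most_common(1)[0]
            return f"anomaly: {hits}/{len(window)} flows target {victim}", metrics
        if h_src > self.base_src * (1 + self.tol):
            return "anomaly: source addresses far more dispersed than baseline", metrics
        return "normal", metrics


def mitigation_rule(verdict):
    """Destination-concentration verdict -> rule the controller would install
    (a dict standing in for an OpenFlow flow-mod with a meter)."""
    victim = verdict.split("target ")[-1]
    return {"match": {"eth_type": 0x0800, "ipv4_dst": victim},
            "instructions": ["meter:1 (rate limit)", "output:normal"], "priority": 100}


# ---- constructed traffic: 50 office hosts talking to 10 internal servers ----
def normal_window(seed, n=200):
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, 51)]
    servers = [f"10.0.1.{i}" for i in range(1, 11)]
    return [(rng.choice(hosts), rng.choice(servers), rng.choice([53, 80, 443])) for _ in range(n)]


def flood_window(seed, n=200):
    """Spoofed-source flood against 10.0.1.7 mixed with a little legitimate traffic."""
    rng = random.Random(seed)
    spoofed = [(".".join(str(rng.randint(1, 254)) for _ in range(4)), "10.0.1.7", 80)
               for _ in range(n)]
    return spoofed + normal_window(seed, n // 10)


def build_detector():
    return EntropyDetector([normal_window(s) for s in (1, 2, 3)])


if __name__ == "__main__":
    det = build_detector()
    for w in (normal_window(9), flood_window(10)):
        verdict, m = det.classify(w)
        print(verdict, m)
        if "target" in verdict:
            print(mitigation_rule(verdict))
```

Entropy is cheap enough to run on sampled records at the security center rather than on the controller, which is the abstract's reason for keeping analysis off the controller; the classifier the abstract pairs with it would consume the same per-window metrics.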

5.
Denial-of-service attacks can overflow the limited flow-table space of software-defined networking switches, so that flow rules cannot be installed for legitimate packets, causing forwarding delay and packet loss. To counter this, a DoS-resistant SDN flow-table overflow protection technique, Flood Mitigation, is proposed. It manages rule installation with rate limiting based on the available flow-table space, bounding the maximum rule installation rate and the amount of flow-table space occupied by switch ports under DoS attack, and thereby avoids flow-table overflow. In addition, path selection based on available flow-table space balances flow-table utilization among the switches on multiple forwarding paths, preventing a second denial of service caused by new flows converging while packets are forwarded. Experimental results show that Flood Mitigation effectively mitigates the harm of DoS attacks in preventing switch flow-table overflow, avoiding packet loss, reducing controller resource consumption and guaranteeing packet forwarding delay.

6.
Given the high price and cost of out-of-band control in software-defined networking (SDN), this paper proposes a method for establishing SDN in-band control connections over an in-band network topology. The method first uses the Link Layer Discovery Protocol (LLDP) to distribute the SDN controller's IP address and to assign IP addresses to SDN switches, where switch IP assignment uses a fully automatic allocation technique based on Variable Length Subnet Masks (VLSM); it then builds in-band routes automatically using Classless Inter-Domain Routing (CIDR) route aggregation. Experimental results show that the method automatically establishes in-band control connections between SDN switches and the SDN controller, reduces the configuration complexity and deployment difficulty of SDN, keeps the number of entries in switch routing tables under control, and lowers the complexity of in-band route construction, providing a design reference for establishing the control channel between the SDN control plane and forwarding plane.

7.
To address the control expansion problem caused by domain-based network management in the distributed control plane of software-defined networking (SDN), this paper proposes a traffic-engineering-based SDN control resource optimization (TERO) mechanism. The control resource consumption of flow requests is first analyzed from the path characteristics of data flows, showing that adjusting the controller-switch association can reduce control resource consumption. The controller association process is then divided into two stages: a minimum set cover algorithm is designed to solve the controller association problem quickly in large-scale networks, and on that basis a coalition game strategy is introduced to optimize the controller-switch association so as to reduce control resource consumption and control traffic overhead. Simulation results show that, compared with the existing nearest-association mechanism between controllers and switches, the proposed mechanism saves about 28% of control resource consumption while keeping control traffic overhead low.

8.
With the rapid development of the Internet, traditional networks keep growing in scale and complexity, making network management harder and degrading network service quality. To address this, the paper proposes an OpenFlow-based network model on top of SDN. The OpenFlow controller controls the flow tables in its switches, giving users programmable control over how network data is handled and thereby implementing QoS traffic management. The model is validated by deploying the OpenFlow controller Floodlight in Mininet.

9.
To address the security and stability of communication in industrial control networks, an industrial control network security protection system based on SDN and ensemble learning is designed. The system uses SDN technology and is divided into five layers: physical, field, forwarding, control and application. The physical layer contains the field terminal devices; the field layer controls the field terminals through control modules and operator stations; the forwarding layer uses SDN switches to transmit communication data and mirrors the data to the application layer for security analysis; the SDN controller in the control layer manages and controls the SDN switches and enforces the security protection policies issued by the application layer; the application layer uses ensemble learning algorithms to detect intrusions in the industrial control network, and a security response module analyzes the intrusion information and selects the corresponding defense mechanism. Experimental results show that the designed system meets the real-time requirements of industrial control network communication and performs intrusion detection accurately, thus securing the industrial control network and its normal communication.

10.
When a link fails during data transmission on a multicast tree in software-defined networking (SDN), the switch must restore transmission through a backup path or by notifying the controller to update the flow tables. Existing methods mainly focus on reducing recovery delay and packet loss and neglect the resource consumption of flow-table entries. To balance the resource overhead of backup entries against the time overhead of path recovery as far as possible, an SDN multicast link failure recovery mechanism based on link weights is proposed. Corresponding recovery strategies are provided for two different classes of links, ...

11.
Aimed at the limited match fields and the lack of an effective data source authentication mechanism in software defined networking (SDN), an SDN security control and forwarding method based on cipher identification is proposed. First, the cipher identification is generated from characteristics such as the user identity, file attributes or business content; the data stream is marked with the cipher identification and signed with the private key derived from it. Then, when the data stream enters and leaves the network, the forwarding device verifies the signature to ensure the authenticity of the data. At the same time, the cipher identification is designed as a match field recognized by the forwarding device, and network forwarding behavior is defined in terms of the cipher identification, so that fine-grained network control based on people, things and business flows can be achieved. Finally, the validity of the method is verified by experimental analysis.

12.
Due to the lack of an effective data source authentication mechanism and the limited match fields in software defined networking (SDN), an SDN security control and forwarding method based on identity attributes is proposed. An attribute identification and an attribute signature are generated from device attributes and encapsulated in the group header. When the data flow leaves the network, the forwarding device verifies the data to ensure the validity of the flow. At the same time, the framework defines the attribute identification as a flow match field, and network forwarding behavior is defined on that basis. Together with the attribute-based signature, the mechanism implements fine-grained access control. Experimental results demonstrate that the method effectively implements fine-grained forwarding and flow authentication, with a finer forwarding granularity than similar schemes.
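The tag-and-verify idea shared by items 1, 11 and 12 above, as one added example that is not code from any of those papers: an identifier is derived from identity attributes, the ingress device prepends it together with an authentication tag over identifier and payload, and the egress (or sampling) device verifies the tag before applying a forwarding policy keyed on the identifier, reporting tampered, forged and unknown identifiers as the controller's input for new flow rules. Assumption: HMAC-SHA256 under a key derived from the identifier stands in for the papers' identity- or attribute-based signature, which means this verifier holds the same secret and could forge tags itself, a property a real signature avoids; the header layout, master key, attributes and payloads are all constructed.

```python
"""Added example (not code from the cited papers): cipher-identification tagging at
ingress and verification plus identifier-keyed policy at egress. HMAC stands in
for the papers' identity-based signature; everything else is constructed."""
import hashlib
import hmac
import struct

MAGIC = b"CI"                                    # marks a tagged packet
MASTER_KEY = b"constructed master key of the key authority"
HDR_LEN = 2 + 2 + 8 + 16                         # magic | payload len | cid | tag


def cipher_id(attrs):
    """8-byte identifier from canonicalised identity attributes (user, device, service)."""
    canon = ";".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
    return hashlib.sha256(canon).digest()[:8]


def id_key(cid):
    """Key authority: per-identifier key (stand-in for the identity-based private key)."""
    return hmac.new(MASTER_KEY, b"sign|" + cid, hashlib.sha256).digest()


def tag_packet(cid, payload, key):
    """Ingress device: prepend MAGIC | len | cid | HMAC(key, cid || payload)[:16]."""
    tag = hmac.new(key, cid + payload, hashlib.sha256).digest()[:16]
    return MAGIC + struct.pack("!H", len(payload)) + cid + tag + payload


def parse_tagged(packet):
    if packet[:2] != MAGIC or len(packet) < HDR_LEN:
        raise ValueError("not a tagged packet")
    plen = struct.unpack("!H", packet[2:4])[0]
    cid, tag, payload = packet[4:12], packet[12:28], packet[28:28 + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload")
    return cid, tag, payload


class VerifyingDevice:
    """Egress or sampling device: verification keys and a policy keyed on the cid.
    The cid sits at a fixed offset, so a P4 parser can expose it as a match key
    even though OpenFlow has no field for it."""

    def __init__(self, keys, policy):
        self.keys, self.policy, self.rejected = keys, policy, []

    def handle(self, packet):
        try:
            cid, tag, payload = parse_tagged(packet)
        except ValueError as exc:
            return self._reject(str(exc), None)
        key = self.keys.get(cid)
        if key is None:
            return self._reject("unknown identifier", cid)
        expected = hmac.new(key, cid + payload, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return self._reject("integrity failure", cid)
        return self.policy.get(cid, "drop:no policy")

    def _reject(self, reason, cid):
        self.rejected.append((reason, cid))     # what is reported to the controller
        return "drop:" + reason


def demo():
    alice = {"user": "alice", "device": "laptop-17", "service": "payroll"}
    cid = cipher_id(alice)
    key = id_key(cid)
    dev = VerifyingDevice(keys={cid: key}, policy={cid: "forward:port 2"})
    request = b"GET /payslip HTTP/1.1"
    good = tag_packet(cid, request, key)
    tampered = good[:-4] + b"/adm"                         # payload altered in flight
    mallory = cipher_id({"user": "mallory", "device": "x", "service": "payroll"})
    forged_id = tag_packet(mallory, request, b"mallory-self-made-key")
    copied_id = tag_packet(cid, request, b"mallory-guess")  # alice's cid, wrong key
    return {"legit": dev.handle(good), "tampered": dev.handle(tampered),
            "forged_id": dev.handle(forged_id), "copied_id": dev.handle(copied_id)}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:10s} -> {action}")
```

Verifying on a sample of packets rather than all of them, as item 1 does, trades detection latency for data-plane cost; the check itself is identical, and the controller reacts by installing a rule that matches the offending flow on the OpenFlow devices that cannot parse the tag.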

13.
This paper presents the design and development of a new network virtualization scheme to support multitenant datacenter networking (MT-DCN) based on software-defined networking (SDN) technologies. Effective multitenancy support is essential and challenging for datacenter networking designs. In this study, we propose a new network virtualization architecture framework for efficient packet forwarding in MT-DCN. Traditionally, an internet host uses IP addresses for both host identification and location information, which causes mobile IP problems whenever the host is moved from one IP subnet to another. Unfortunately, virtual machine (VM) mobility is inevitable for cloud computing in datacenters for reasons such as server consolidation and network traffic flow optimization. To solve these problems, we decouple VM identification and location information into two independent values, neither of which is an IP address. We redefine the semantics of the Ethernet MAC address to embed tenant ID information in the MAC address field without violating its original functionality. We also replace the traditional two-stage Layer 2/Layer 3 routing scheme (MAC/IP) with an all-Layer 2 packet forwarding mechanism that combines MAC addresses (for VM identification and forwarding in local server groups under an edge switch gateway) and multiprotocol label switching (MPLS) labels (for packet transport between edge switch gateways across the core label-switching network connecting all the edge gateways). To accommodate the conventional IP packet architecture in a multitenant environment, SDN (OpenFlow) technology is used to handle all of this complex network traffic. We verified the design concepts with a simple system prototype in which all the major system components were implemented. Based on the prototype system, we evaluated packet forwarding efficiency under the proposed network architecture and compared it with conventional IP subnet routing approaches. We also evaluated the packet processing overhead incurred by each of the packet routing components.
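One concrete way to carry a tenant ID in a MAC address and to keep VM identity apart from VM location, as an added example that is not the paper's code: the first octet sets the locally-administered bit and clears the multicast bit, the next two octets hold the tenant ID and the last three a VM number, and an edge gateway forwards by MAC to local VMs, by MPLS label to the gateway where the controller last placed a remote VM, and punts unknown destinations. The bit layout, the tenant-isolation check, the label table and the location table are assumptions made for the demo; the paper's actual encoding is not given in the abstract.

```python
"""Added example (not the paper's code): tenant ID embedded in a locally
administered MAC, and an edge gateway that separates identity (MAC) from
location (gateway / MPLS label). Layout and tables are constructed."""
import struct


def tenant_mac(tenant_id, vm_id):
    """02:TT:TT:VV:VV:VV; octet 0 = 0x02 sets the locally-administered bit and
    clears the multicast bit, so the result is still a valid unicast MAC."""
    if not (0 <= tenant_id < 1 << 16 and 0 <= vm_id < 1 << 24):
        raise ValueError("tenant_id must fit 16 bits, vm_id 24 bits")
    return bytes([0x02]) + struct.pack("!H", tenant_id) + vm_id.to_bytes(3, "big")


def parse_mac(mac):
    """Return (tenant_id, vm_id); reject addresses outside the tenant layout."""
    if len(mac) != 6 or mac[0] & 0x03 != 0x02:
        raise ValueError("not a locally administered unicast MAC")
    return struct.unpack("!H", mac[1:3])[0], int.from_bytes(mac[3:6], "big")


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


class EdgeGateway:
    """Edge switch gateway: local VMs are reached by MAC on a port, remote VMs by
    pushing the MPLS label of the gateway the controller last placed them at."""

    def __init__(self, name, labels):
        self.name, self.labels = name, labels      # labels: gateway name -> MPLS label
        self.local = {}                            # mac -> port
        self.location = {}                         # mac -> gateway name (from controller)

    def attach(self, mac, port):
        self.local[mac] = port
        self.location[mac] = self.name

    def place(self, mac, gateway):
        """Controller update after a VM migration: MAC unchanged, location changed."""
        self.location[mac] = gateway
        if gateway != self.name:
            self.local.pop(mac, None)

    def forward(self, src_mac, dst_mac):
        src_tenant, _ = parse_mac(src_mac)
        dst_tenant, _ = parse_mac(dst_mac)
        if src_tenant != dst_tenant:               # assumed tenant isolation policy
            return "drop: cross-tenant"
        if dst_mac in self.local:
            return f"output port {self.local[dst_mac]}"
        gw = self.location.get(dst_mac)
        if gw is None:
            return "packet-in to controller"
        return f"push MPLS label {self.labels[gw]}, output core"


def demo():
    gw = EdgeGateway("gw-a", labels={"gw-a": 100, "gw-b": 200, "gw-c": 300})
    a1, a2, a3, b1 = tenant_mac(1, 1), tenant_mac(1, 2), tenant_mac(1, 3), tenant_mac(2, 1)
    gw.attach(a1, port=3)
    gw.attach(a3, port=4)
    gw.place(a2, "gw-b")
    out = {"local": gw.forward(a1, a3), "remote": gw.forward(a1, a2),
           "cross_tenant": gw.forward(b1, a1), "unknown": gw.forward(a1, tenant_mac(1, 99))}
    gw.place(a2, "gw-c")                           # a2 migrates; its MAC does not change
    out["after_migration"] = gw.forward(a1, a2)
    return out


if __name__ == "__main__":
    print(mac_str(tenant_mac(1, 42)))
    for k, v in demo().items():
        print(f"{k:16s} {v}")
```

Because the MAC encodes the tenant, the isolation decision needs no VLAN or tunnel lookup, and because only the location table changes on migration, no address in the guest ever changes.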

14.
Software-defined networking (SDN) is a network concept that brings significant benefits to mobile cellular operators. In an SDN-based core network, the average service time of an OpenFlow switch is strongly influenced by the total capacity and type of the output buffer used for temporary storage of incoming packets. In this work, the main goal is to model the handover delay due to the exchange of OpenFlow-related messages in mobile SDN networks. The handover delay is defined as the overall delay experienced by the mobile node within the handover procedure when re-establishing an ongoing session from the switch in the source eNodeB to the switch in the destination eNodeB. We propose a new analytical model and compare two systems with different SDN switch designs, each modeled as a continuous-time Markov process using quasi-birth-death processes: (1) a single shared buffer without priority (model SFB), used by all output ports for both control and user traffic, and (2) two isolated buffers with priority (model priority finite buffering, PFB), one for control and the other for user-plane traffic, where control traffic is always prioritized. The two systems are compared in terms of total handover delay and the minimal buffer capacity needed to satisfy a given packet error ratio imposed by the link. The mathematical model is verified by extensive simulations. In terms of handover delay, the results show that model PFB outperforms model SFB, especially for networks with a high number of users and a high probability of packet-in messages. As for buffer dimensioning, for lower arrival rates, a low number of users and a low probability of packet-in messages, model SFB has the advantage of requiring a smaller buffer size.

15.
熊兵, 左明科, 黎维, 王进. 电子学报 (Acta Electronica Sinica), 2019, 47(10): 2040-2049
Software-Defined Networking (SDN), an innovative network architecture that decouples data forwarding from control logic and opens up the underlying programming interfaces, offers a new approach to reducing the deployment and operating cost of core networks and improving application performance. However, under the SDN architecture the logically centralized control plane is prone to becoming a performance bottleneck, which increases packet forwarding delay, so its packet forwarding performance characteristics need to be understood. This paper first introduces typical deployment scenarios of software-defined core networks and analyzes the Packet-in message arrival process on the control plane and the packet arrival process on the data plane; it then applies M/M/n/m and M/M/1/m queueing models to characterize Packet-in message processing by the controller cluster and packet processing by the OpenFlow switch, respectively. On this basis, a priority queueing model for OpenFlow packet forwarding is established, from which the packet forwarding delay and its cumulative distribution function (CDF) for different priority levels are derived. Finally, experiments with the controller performance measurement tool OFsuite_Performance show that the proposed M/M/n/m model estimates the actual performance of the controller cluster more accurately than existing models. Numerical analysis also compares the forwarding delay and CDF curves of different priority levels under a variety of conditions, providing a practical reference for deploying software-defined core networks.
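The two queueing models named in the abstract, as an added example that is not the authors' code: the standard closed-form steady-state distribution of an M/M/n/m queue (which covers M/M/1/m as n = 1) gives the blocking probability and, via Little's law on the admitted arrivals, the mean sojourn time, and the two are combined into the delay and loss seen by the first packet of a new flow, which waits at the switch and then for the cluster to process its Packet-in. The priority model and CDF derivation of the paper are not reproduced here; the arrival rates, service rates and buffer sizes are constructed.

```python
"""Added example (not the authors' code): steady-state metrics of M/M/n/m and
M/M/1/m queues for the controller cluster and the OpenFlow switch, combined into
the first-packet delay of a new flow. Rates and capacities are constructed."""
import math


def mmnm(lam, mu, n, m):
    """M/M/n/m: n servers, at most m customers in the system (m >= n).
    p_k = p0 * a^k / k!                for k < n
    p_k = p0 * a^n / n! * (a/n)^(k-n)  for n <= k <= m,   a = lam / mu
    Returns blocking probability p_m, mean number in system L and mean sojourn W."""
    if m < n or n < 1:
        raise ValueError("need m >= n >= 1")
    a = lam / mu                                   # offered load in Erlangs
    probs = [a ** k / math.factorial(k) for k in range(n)]
    probs += [a ** n / math.factorial(n) * (a / n) ** (k - n) for k in range(n, m + 1)]
    z = sum(probs)
    p = [x / z for x in probs]
    p_block = p[m]
    L = sum(k * pk for k, pk in enumerate(p))
    W = L / (lam * (1 - p_block))                  # Little's law on admitted arrivals
    return {"p_block": p_block, "L": L, "W": W, "util": a / n}


def new_flow_delay(switch, cluster):
    """First packet of a new flow: queues at the switch (M/M/1/m), then its
    Packet-in is served by the controller cluster (M/M/n/m). `switch` and
    `cluster` are dicts of lam, mu, n, m. Returns mean delay in seconds and the
    probability the packet is dropped at either stage (assumed independent)."""
    s, c = mmnm(**switch), mmnm(**cluster)
    return {"delay": s["W"] + c["W"],
            "loss": 1 - (1 - s["p_block"]) * (1 - c["p_block"])}


if __name__ == "__main__":
    switch = {"lam": 8000.0, "mu": 10000.0, "n": 1, "m": 64}        # data plane
    for ctrls in (2, 4, 8):
        cluster = {"lam": 900.0, "mu": 500.0, "n": ctrls, "m": 200}  # control plane
        r = new_flow_delay(switch, cluster)
        print(f"{ctrls} controllers: delay {r['delay'] * 1e3:.2f} ms, loss {r['loss']:.4f}")
```

The sanity check worth keeping is the n = 1 case, where the blocking probability must reduce to the textbook M/M/1/m result (1 - rho) rho^m / (1 - rho^(m+1)); adding controllers lowers both the cluster's sojourn time and its blocking probability, which is the effect the abstract's experiments measure with a real cluster.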

16.
Widespread DDoS attacks are a mortal threat to software-defined networking (SDN) controllers, and no security mechanism can yet prevent them. Combining SDN and network function virtualization (NFV), a novel mechanism for preventing DDoS attacks on the SDN controller, called the upfront detection middlebox (UDM), is proposed. The upfront detection middleboxes are deployed in a distributed fashion between the SDN switch interfaces and the user hosts, where DDoS attack packets are detected and dropped. An NFV-based method of implementing the upfront middlebox is put forward, which makes the UDM mechanism economical and effective. A prototype system based on this mechanism was implemented and extensively tested. The experimental results show that the NFV-based UDM mechanism detects and prevents DDoS attacks on SDN controllers effectively and in real time.

17.
Autonet is a self-configuring local area network composed of switches interconnected by 100 Mb/s, full-duplex, point-to-point links. The switches contain 12 ports that are internally connected by a full crossbar. Switches use cut-through to achieve a packet forwarding latency as low as 2 μs per switch. Any switch port can be cabled to any other switch port or to a host network controller. A processor in each switch monitors the network's physical configuration. A distributed algorithm running on the switch processors computes the routes packets are to follow and fills in the packet forwarding table in each switch. With Autonet, distinct paths through the set of network links can carry packets in parallel, allowing many pairs of hosts to communicate simultaneously at full link bandwidth. A 30-switch network with more than 100 hosts has been the service network for Digital's Systems Research Center since February 1990.

18.
The emergence of multi-controller architectures solves the scalability problem that the classic software-defined networking (SDN) architecture, whose control layer is dominated by a single centralized controller, faces in large-scale network environments. In a multi-controller architecture, because the task of generating forwarding rules and populating them into the switches is delegated to the controllers, network performance depends heavily on controller placement. With the goals of reducing total delay and balancing load among controllers, this paper proposes a subnet-partitioning-based multi-controller placement ...

19.
A mechanism is proposed for actively measuring end-to-end path performance between any two points in an SDN. An OpenFlow measurement protocol, OFMP, is designed, and a prototype system, OFMd, is implemented that measures multiple performance parameters of a specific flow between two points without changing the switches' forwarding rules. Experimental results show that OFMd obtains multiple end-to-end path performance parameters quickly and efficiently by sending a single test packet.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号