Journal of Xidian University, 2023, Vol. 50, Issue (6): 172-194. doi: 10.19665/j.issn1001-2400.20230904

• Cyberspace Security •

Advances in security analysis of software-defined networking flow rules

XIONG Wanyin 1, MAO Jian 1, LIU Ziwen 1, LIU Wenmao 2, LIU Jianwei 1

  1. School of Cyber Science and Technology, Beihang University, Beijing 100191, China
  2. NSFocus Inc., Beijing 100089, China
  • Received: 2022-12-10  Online: 2023-12-20  Published: 2024-01-22
  • Corresponding author: MAO Jian (born 1978), female, associate professor, E-mail: maojian@buaa.edu.cn
  • Author biographies: XIONG Wanyin (born 1998), female, master's student at Beihang University, E-mail: wanyinxiong@buaa.edu.cn; LIU Ziwen (born 1998), female, doctoral student at Beihang University, E-mail: liuziwen@buaa.edu.cn; LIU Wenmao (born 1983), male, senior engineer, E-mail: liuwenmao@nsfocus.com; LIU Jianwei (born 1964), male, professor, E-mail: liujianwei@buaa.edu.cn
  • Funding: National Natural Science Foundation of China (62172027); Natural Science Foundation of Zhejiang Province (LZ23F020013); Beijing Natural Science Foundation (6202036)


Abstract:

With the increasing diversification of network functions, the software-defined networking (SDN) architecture, which provides centralized network control and programmability, has been deployed in various fields. However, the unique hierarchical structure and operation mechanism of SDN also introduce new security challenges, among which flow rules, as the carrier of control plane management decisions and the basis of data plane network behavior, have become the focus of SDN attack and defense. Aiming at the security issues of flow rules in SDN, this paper first reviews the characteristics and security risks of the SDN architecture. Based on the mechanism of flow rules in SDN, the attacks against flow rules are systematically divided into two categories, namely interference with control plane decisions and violation of data plane implementation, with attack examples introduced. Then, the methods for improving the security of flow rules are analyzed and classified into two categories, i.e., checking and enhancing the security of flow rules. Furthermore, existing implementation mechanisms are summarized and their limitations briefly analyzed. In terms of flow rule security checking, two mainstream methods, i.e., model-based checking and test-packet-based checking, are analyzed and discussed. In terms of flow rule security enhancement, three specific ideas based on permission control, conflict resolution and path verification are introduced and discussed. Finally, future research trends in flow rule security are outlined.
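As an added example (not code from the paper), the following Python sketch contrasts the two checking approaches the survey names: a static pairwise comparison of an OpenFlow-style flow table (model-based checking) that classifies rule anomalies, and a per-packet lookup that plays the role of a test-packet probe; the rule names, prefixes, priorities and the "isolate" rule's priority fix are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # higher wins, as in an OpenFlow flow table
    src: IPv4Network
    dst: IPv4Network
    action: str          # e.g. "output:1" or "drop"

def covers(a: Rule, b: Rule) -> bool:  # every packet matching b also matches a
    return b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)

def overlaps(a: Rule, b: Rule) -> bool:  # some packet matches both a and b
    return a.src.overlaps(b.src) and a.dst.overlaps(b.dst)

def find_anomalies(rules):
    """Model-based check: pairwise comparison in priority order using the classic
    firewall-anomaly classes (shadow, redundant, generalization, correlation)."""
    found = []
    ordered = sorted(rules, key=lambda r: -r.priority)
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            if not overlaps(hi, lo):
                continue
            if hi.priority == lo.priority:
                found.append(("ambiguous", hi.name, lo.name))  # equal-priority overlap: undefined
            elif covers(hi, lo):  # lo can never fire; harmful only if the actions differ
                found.append(("redundant" if hi.action == lo.action else "shadow", hi.name, lo.name))
            elif covers(lo, hi):  # hi is a specific exception to the broader lo
                found.append(("generalization", hi.name, lo.name))
            elif hi.action != lo.action:  # partial overlap: priority decides the winner
                found.append(("correlation", hi.name, lo.name))
    return found

def lookup(rules, src: str, dst: str):
    """Test-packet view: the action a switch would apply (highest-priority match)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    hits = [r for r in rules if s in r.src and d in r.dst]
    return max(hits, key=lambda r: r.priority).action if hits else None

# Constructed flow table: the tenant-isolation rule was installed with too low a priority.
TABLE = [
    Rule("allow-all", 10, IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"), "output:1"),
    Rule("isolate", 5, IPv4Network("10.0.2.0/24"), IPv4Network("10.0.1.0/24"), "drop"),
    Rule("web", 20, IPv4Network("10.0.0.0/16"), IPv4Network("10.0.1.80/32"), "output:2"),
]
FIXED = [replace(r, priority=30) if r.name == "isolate" else r for r in TABLE]
```

Running `find_anomalies(TABLE)` reports the isolation rule as shadowed by "allow-all", and `lookup(TABLE, "10.0.2.5", "10.0.1.9")` confirms the probe view of the same defect; in `FIXED` the shadow disappears and the probe returns "drop".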

Key words: software-defined networking, flow rule, network security, network verification, network testing

CLC number:

  • TP309