软件定义网络的安全问题及对策研究

摘要/Abstract

摘要： 近年来，软件定义网络(softwaredefined networking, SDN)一直是研究的重点.SDN可能会取代传统网络，成为下一代网络体系结构，因为它的可编程性和可拓展性为网络管理带来了新的机会.全面分析了软件定义网络(SDN)的安全隐患，对软件定义网络中自身的安全问题进行了全面深入地分析，并提出相应的对策和建议.讨论了SDN的特征和标准，并在此基础上从SDN范式的3个层面，即数据转发层、控制层和应用层出发，分别详细分析了每一层面的安全威胁和对策，并介绍了可用于预防、缓解或解决此类攻击的对策技术.

关键词: 软件定义网络(SDN), 网络, 安全, 安全威胁, 安全对策

Abstract: In recent years, softwaredefined networking (SDN) has been the focus of research. SDN may replace traditional networks and become the nextgeneration network architecture, because its programmability and scalability bring new opportunities for network management. We have comprehensively analyzed the hidden dangers of softwaredefined network (SDN), thoroughly analyzed its own security problems in softwaredefined network, and proposed corresponding countermeasures and suggestions. We discussed the characteristics and standards of SDN, and based on the three levels of the SDN paradigm, namely the data forwarding layer, the control layer, and the application layer, analyzed the security threats and countermeasures at each level in detail and introduced Countermeasure techniques that can be used to prevent, mitigate or resolve such attacks.

Key words: software-defined networking (SDN), network, security, security threat, security countermeasure

黄颖祺卢赓张宏斌杜宇李剑. 软件定义网络的安全问题及对策研究[J]. 信息安全研究, 2020, 6(3): 202-211.

参考文献

[1] Chen Min, Zhang Yin, Li Yong, et al. EMC: Emotion-aware mobile cloud computing in 5G[J]. IEEE Network,2015, 29(2):32-38 [2] Wan J, Yan H, Suo H, et al. Advances in cyber-physical systems research[J]. KSII Trans on Internet and Information System, 2019, 5(11):1891–1908 [3] Ahmad I, Namal S, Ylianttila M, et al. Security in software defined networks: A survey[J]. IEEE Communications Surveys & Tutorials, 2018,17(4):2317-2346 [4] Zhang Hongwen. A vision for cloud security[J]. Network Security, 2014(2):12-15 [5] Benton K, Camp L J, Small C. Openflow vulnerability assessment[C] // Proc of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2013: 151–152 [6] Sandra Scott-Hayward, Gemma O'Callaghan, Sakir Sezer. SDN security: A survey[C] // Proc of Future Networks and Services (SDN4FNS). Piscataway,NJ:IEEE, 2013 [7] Floodlight controller documentation for developers [OL].[2020-01-09]. http://www.projectfloodlight.org/floodlight/ [8] Gude N, Koponen T, Pettit J, et al. NOX: Towards an operating system for networks[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(3):105-110 [9] OpenDaylight[OL]. [2020-01-09].http://www.opendaylight.org [10] Kreutz D, Ramos FM, Esteves Verissimo P,et al. Software-defined networking: a comprehensive survey[J]. Proc of the IEEE, 2019, 103(1):14–76 [11] Lara A, Kolasani A, Ramamurthy B. Network innovation using openflow: A survey[J]. IEEE Commun Surv Tutorials, 2019 16(1): 493–512 [12] Bernardo DV. Software-defined networking and network function virtualization security architecture[OL]. Internet Engineering Task Force, [2020-01-09].https://tools.ietf.org/html/ draft-bernardo-sec-arch- sdnnvfarchitecture-00 [13] Yang M, Li Y, Jin D, et al. Software-defined and virtualized future mobile and wireless networks: A survey[J]. Mobile Networks and Applications, 2015, 20(1):4–18 [14] Yuan W, Deng P, Taleb T, et al. An unlicensed taxi identification model based on big data analysis[J]. IEEE Trans on Intell Transp Syst. 2015,17(6):1-11 [15] Jing Q, Vasilakos A, Wan J, et al. Security of the internet of things: perspectives and challenges[J]. Wirel Netw,2014, 20(8): 2481–2501 [16] Namal S, Ahmad I, Gurtov A, et al. SDN based inter-technology load balancing leveraged by flow admission control[C]//Proc of IEEE SDN for Future Networks and Services.Piscataway,NJ:IEEE,2013:1–5 [17] Dierks T. The transport layer security (TLS)protocol version 1.2 [OL]. [2020-01-09].http://tools.ietf.org/html/rfc5246 [18] Wasserman M, Hartman S. Security analysis of the open networking foundation (ONF) OpenFlow switch specification.Internet Engineering Task Force [OL]. [2020-01-09].https://tools.ietf.org/html/draft-mrw-SDNec-openflow-analysis-02 [19] Al-Shaer E, Al-Haj S. FlowChecker: configuration analysis and verification of federated OpenFlow infrastructures[C]//Proc of the 3rd ACM Workshop on Assurable and Usable Security Configuration. New York:ACM,2010:37–44 [20] Porras P, Shin S, Yegneswaran V, et al. A security enforcement kernel for OpenFlow networks[C]//Proc of the 1st Workshop on Hot Topics in SoftwareDefined Networks. 2018:121–126 [21] Khurshid A, Zhou W, Caesar M, et al. Veriflow: verifying network-wide invariants in real time[J]. ACM SIGCOMM Comput Commun Rev 2019,42(4):467–472 [22] Fonseca P, Bennesby R, Mota E, et al. A replication component for resilient OpenFlow-based networking[C]//Proc of IEEE Network Operations and Management Symp (NOMS).Piscataway,NJ:IEEE,2012:933–939 [23] Sherwood R, Gibb G, Yap K K, et al. Flowvisor: a network virtualization layer[J]. OpenFlow Switch Consortium, Tech. Rep [24] Yao G, Bi J, Xiao P. Source address validation solution with OpenFlow/NOX architecture[C]//Proc of the 23rd IEEE Int Conf on Network Protocols (ICNP).Piscataway,NJ :IEEE,2018:7–12 [25] Braga R, Mota E, Passito A. Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]// Proc of the 35th IEEE Conf on Local Computer Networks (LCN).Piscataway,NJ:IEEE,2017:408–415 [26] Nayak A K, Reimers A, Feamster N, et al. Resonance: dynamic access control for enterprise networks[C]//Proc of the 2nd ACM Workshop on Research on Enterprise Networking.New York:ACM,2019:11–18 [27] Shin S, Yegneswaran V, Porras P. Avant-guard: scalable and vigilant switch flow management in software-defined networks[C]// Proc of the 2013 ACM SIGSAC Confe on Computer & Communications Security.Mew York:ACM，2013：413–424 [28] Wang H, Xu L, Gu G. FloodGuard: a dos attack prevention extensionin software-defined networks [C]// Proc of the 45th Annual IEEE/IFIP Int Conf on Dependable Systems and Networks (DSN).Piscataway,NJ:IEEE,2018:239–250 [29] Lim S, Ha J I, Kim H, et al. A SDN-oriented DDoS blocking scheme for botnet-based attacks[C]// Proc of the 6th IEEE Int Conf on Ubiquitous and Future Networks (ICUFN).Piscataway,NJ:IEEE,2016:63–68 [30] IETF Locator/ID Separation Protocol (LISP) [OL].[2020-01-09]. http://datatracker.ietf.org/wg/lisp/ [31] Scott-Hayward S. Design and deployment of secure, robust, and resilient SDN Controllers[C]//Proc of the 2nd IEEE Conf on Network Softwarization (NetSoft).Piscataway,NJ:IEEE,2017:1–5 [32] Li H, Li P, Guo S, et al. Byzantine-resilient secure software-defined networks with multiple controllers in cloud[J].IEEE Trans on Cloud Comput ,2015, 2(4):436–447 [33] Phemius K, Bouet M, Leguay J. Disco: Distributed multi-domain sdn controllers[C]//Proc of IEEE Network Operations and Management Symp (NOMS).Piscataway,NJ:IEEE,2019:1–4 [34] Advanced message queuing protocol [OL]. [2020-01-09].http://www.amqp.org [35] Voellmy A, Wang J. Scalable software defined network controllers[C]//Proc of the ACM SIGCOMM 2012 Conf on Applications, Technologies, Architectures, and Protocols for Computer Communication.New York:ACM,2012: 289–290 [36] Liu Jiaqiang, Li Yong, Wang Huandong, et al. Leveraging software-defined networking for security policy enforcement[J]. Information Sciences, 2016, 327(C):288-299 [37] Heller B, Sherwood R, McKeown N. The controller placement problem[C]//Proc of the 1st Workshop on Hot Topics in Software Defined Networks.New York:ACM,2018:7–12 [38] Shin S, Porras P, Yegneswaran V, et al. FRESCO: Modular composable security services for software-defined networks [C]//Proc of Network and Distributed Security Symp. 2013:1-16 [39] Shin S, Porras P, Yegneswaran V, et al. A framework for integrating security services into software-defined networks[C]// Proc of the 2013 Open Networking Summit (Research Track poster paper) [40] Kreutz D, Ramos F, Verissimo P. Towards secure and dependable software-defined networks[C]//Proc of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking.New York:ACM,2019:55–60 [41] Wen X, Chen Y, Hu C, Shi C, Wang Y. Towards a secure controller platform for openflow applications[C]//Proc of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking.New York:ACM,2018:171–172 [42] Canini M, Venzano D, Peresini P, et al. A NICE way to test OpenFlow applications[C]//Proc of the 9th USENIX Conf on Networked Systems Design and Implementation. Berkeley, CA: USENIX Association,2018 [43] Skowyra R, Lapets A, Bestavros A, et al. Verifiably-safe software-defined networks for CPS[C].//Proc of the 2nd ACM Int Conf on High Confidence Networked Systems.New York:ACM,2016:101–110 [44] Ball T, Bjmer N, Gember A, et al. Vericon: Towards verifying controller programs in software-defined networks[J]. ACM SIGPLAN Not ,2019, 49(6):282–293 [45] Son S, Shin S, Yegneswaran V, et al. Model checking invariant security properties in OpenFlow[C]//2013 I.E. International Conference on Communications (ICC), 2013, 1974–1979 [46] Mai H, Khurshid A, Agarwal R, et al. Debugging the data plane with anteater[J]. ACM SIGCOMM Comput Commun Rev ,2014, 41(4):290–301 [47] Kazemian P, Chan M, Zeng H, et al. Real time network policy checking using header space analysis[C]//Proc of USENIX Symp on Networked Systems Design and Implementation. Berkeley, CA: USENIX Association,2016:99–111 [48] Kazemian P, Varghese G, McKeown N. Header space analysis: Static checking for networks[C]//Proc of USENIX Symp on Networked Systems Design and Implementation NSDI. Berkeley, CA: USENIX Association,2016:113–126 [49] Wang J, Wang Y, Hu H,et al. Towards a security-enhanced firewall application for openflow networks[G]//LNCS 8300:Cyberspace Safety and Security. Berlin:Springer,2018:92–103