
Lightweight Packet Forwarding Verification in Software-Defined Networks (cited by: 11)

LPV:Lightweight Packet Forwarding Verification in SDN
Abstract (translated from the Chinese): Software-Defined Networking (SDN) separates the control plane from the forwarding plane, which simplifies network management and function deployment, and it has attracted wide attention in recent years. However, SDN cannot detect packets that are misforwarded because of network attacks or incorrectly enforced forwarding rules; for example, packets forwarded in SDN may be dropped or tampered with by anomalous rules or by an attacker, or forged packets may be injected. Moreover, because SDN switches in the data plane provide only simplified packet forwarding functions, the authors cannot simply deploy the forwarding verification schemes used in traditional IP networks. An effective forwarding verification scheme suited to SDN is therefore needed to ensure that packets are forwarded correctly. Existing SDN forwarding verification schemes usually verify hop by hop or compare the statistics of all flows, which incurs large computation and communication overhead. This paper proposes LPV (Lightweight Packet Forwarding Verification), a lightweight SDN packet forwarding verification scheme based on the OpenFlow protocol. Because LPV uses the Packet-in message mechanism provided by SDN itself and group tables to read the flow forwarding statistics of forwarding nodes, it detects anomalous forwarding behavior and locates the anomalous nodes while avoiding the computation and communication overhead of reading the state of many forwarding nodes. LPV uses flow-table rules to sample packets at the ingress and egress switches and reports the message authentication code (MAC) values of the sampled information, together with the corresponding flow statistics, to the controller. The controller can then detect anomalous forwarding behavior in the network by comparing the packets' MAC values and the statistics. At the same time, by analyzing the collected information, LPV can identify the nodes that tamper with or drop packets and thus locate the anomalous nodes. Through a forwarding verification mechanism based on randomized sampling, LPV effectively reduces the processing and communication overhead introduced in the controller and switches. Randomized sampling also achieves consistency checking of switch forwarding state, so that no attacker can evade LPV's detection by inferring which packets are sampled. The authors implemented LPV on the open-source Floodlight controller and the ofsoftware13 software switch and ran simulation experiments in Mininet. The results show that LPV can detect and locate forwarding anomalies such as packet tampering and traffic hijacking while introducing only about 10% average forwarding delay and less than 10% communication overhead.

Abstract (authors' English version): Software-Defined Networking (SDN) simplifies network management by separating control and data planes, and has received much attention recently. However, SDN cannot ensure correctness of packet forwarding in the networks, e.g., the packets in SDN can be dropped, tampered with, or faked, which may be incurred by false forwarding rule enforcement or attacks. SDN has a simple packet forwarding mechanism in its data plane, so the forwarding verification techniques of traditional IP networks cannot be applied in SDN. Therefore, it is challenging to verify packet forwarding and ensure correctness of packet forwarding in SDN. The existing studies verify packet forwarding in SDN by verifying packets hop-by-hop or periodically comparing flow statistics of all flows, which incurs significant computation and communication overhead. In this paper, we present LPV (Lightweight Packet Forwarding Verification), a system that provides the ability to verify SDN data plane forwarding. The goal of LPV is to provide a reliable and practical mechanism to detect and defend against wrong packet forwarding. To this end, we develop a lightweight forwarding verification approach to detecting forwarding anomalies and locating malicious switches by leveraging the Packet-in mechanism and the flow statistics maintained in switches. LPV samples packets delivered by ingress and egress switches according to dedicated flow rules, and reports the message authentication code (MAC) values of packets and the statistics of the corresponding flows by Packet-in messages. Thereby, the controllers can detect malicious forwarding behaviors by comparing the MAC values of the packets and the statistics of the flows. Moreover, LPV can locate the switches that perform the malicious packet forwarding behaviors, e.g., malicious packet modification and packet dropping, by analyzing the correlations of the information, i.e., the Packet-in messages and flow statistics. By enforcing the sampling mechanism, LPV significantly reduces the computation cost and the communication and storage overheads incurred by packet processing in switches and controllers. In particular, by randomly sampling packets according to the flow rules, LPV ensures the consistency of packet processing performed by different switches. Adversaries cannot easily infer which packets are sampled, so they cannot interfere with the verification. We implement a prototype of LPV with open source OpenFlow controllers, i.e., Floodlight, and open source OpenFlow switches, i.e., ofsoftware13, and evaluate the performance by Mininet experiments. The experimental results show that LPV detects various forwarding anomalies while introducing negligible overhead, i.e., around 10% average delays in packet forwarding and less than 10% communication overhead.
Authors: 王首一 (WANG Shou-Yi), 李琦 (LI Qi), 张云 (ZHANG Yun); Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055; Department of Computer Science and Technology, Tsinghua University, Beijing 100084
Source: 《计算机学报》 (Chinese Journal of Computers), indexed in EI, CSCD and the Peking University Core list; 2019, Issue 1, pp. 176-189 (14 pages)
Funding: National Key R&D Program of China (2016YFB0800102); National Natural Science Foundation of China (61572278)
Keywords (Chinese, translated): software-defined networking; lightweight forwarding verification; consistency verification; anomaly localization
Keywords (English): software-defined networking; packet forwarding anomalies; consistency verification; localization
Related literature: co-cited references 53; citing documents 11; second-level citing documents 27
