Abstract
Source address validation matters for network security, management and accounting. Tsinghua University has proposed a source address validation architecture with three levels: access subnet, intra-domain and inter-domain. The intra-domain level uses a method based on centrally computed paths, but under the constraints of a traditional network environment its implementation runs into many problems. This paper uses the convenient support that software-defined networking provides for network innovation to redesign and implement the intra-domain source address validation method on an OpenFlow network, and proposes two schemes. The first builds on the existing routing table: it computes the path between any two subnet prefixes in the domain and generates triples of source address prefix, destination address prefix and ingress interface as filtering rules. The second designs a new routing algorithm that generates a quadruple flow table (source address prefix, destination address prefix, ingress interface and egress interface) providing both routing and source address validation. The two schemes are compared and experimental results are given.
Filtering out traffic with a forged source IP address can greatly improve the security, manageability and accountability of a network. Tsinghua University proposed a source address validation architecture divided into three levels: local subnet, intra-AS and inter-AS. In the intra-AS level, a path-calculation method is used, but due to the limitations of current network equipment its implementation runs into many difficulties. In this paper, building on the solid basis that software-defined networking provides for network innovation, we redesign the intra-AS source address validation method on an OpenFlow network and introduce two schemes. In the first scheme, we use the existing routing table to calculate the path between any pair of subnet prefixes and generate triples of source prefix, destination prefix and ingress interface as filtering rules. In the second scheme, we design a new routing algorithm that calculates quadruples of source prefix, destination prefix, ingress interface and outgoing interface, which provide both routing and source address validation. We also present experimental results for the two schemes.
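The first scheme described above (derive filtering triples from an existing routing table) can be illustrated with a small model. The following is an added example, not code from the paper or its authors: it constructs a four-router topology with one customer prefix per router, computes hop-count routing tables, walks the routed path for every (source prefix, destination prefix) pair to record the ingress interface at each router, and then checks packets against the resulting triples. The topology, prefixes, interface names and the use of BFS for the routing table are all assumptions made for the example; the paper's OpenFlow flow-table encoding and its second (quadruple) scheme are not modelled.

```python
"""Intra-AS source address validation: (src prefix, dst prefix, ingress iface) triples
derived by walking the routed path between every pair of subnet prefixes."""
import ipaddress
from collections import deque

# Constructed sample topology (not from the paper): each link joins two
# (router, interface) endpoints; each router owns one customer prefix on LAN_IFACE.
LINKS = [
    (("R1", "eth1"), ("R2", "eth0")),
    (("R2", "eth1"), ("R3", "eth0")),
    (("R2", "eth2"), ("R4", "eth0")),
]
PREFIXES = {
    "R1": "10.1.0.0/16",
    "R2": "10.2.0.0/16",
    "R3": "10.3.0.0/16",
    "R4": "10.4.0.0/16",
}
LAN_IFACE = "lan0"


def build_adjacency(links):
    """Map router -> list of (out_iface, neighbor, neighbor_ingress_iface)."""
    adj = {}
    for (a, a_if), (b, b_if) in links:
        adj.setdefault(a, []).append((a_if, b, b_if))
        adj.setdefault(b, []).append((b_if, a, a_if))
    return adj


def compute_routing_tables(adj, prefixes):
    """Hop-count shortest paths (BFS, an assumption standing in for the real IGP)
    give each router a prefix -> out_iface table."""
    tables = {r: {} for r in adj}
    for src in adj:
        first_hop = {src: LAN_IFACE}  # out_iface used at src to reach each router
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            for out_if, nbr, _ in adj[cur]:
                if nbr not in first_hop:
                    first_hop[nbr] = out_if if cur == src else first_hop[cur]
                    queue.append(nbr)
        for owner, prefix in prefixes.items():
            tables[src][prefix] = first_hop[owner]
    return tables


def derive_filters(adj, prefixes, tables):
    """Walk the routed path for every (src_prefix, dst_prefix) pair and record at
    each router on the path the triple (src_prefix, dst_prefix, ingress_iface)."""
    filters = {r: set() for r in adj}
    for src_router, src_prefix in prefixes.items():
        for dst_prefix in prefixes.values():
            router, ingress = src_router, LAN_IFACE
            while True:
                filters[router].add((src_prefix, dst_prefix, ingress))
                out_if = tables[router][dst_prefix]
                if out_if == LAN_IFACE:
                    break  # delivered into the destination subnet
                # follow the link out of out_if; the far end is the next ingress
                for a_if, nbr, nbr_if in adj[router]:
                    if a_if == out_if:
                        router, ingress = nbr, nbr_if
                        break
    return filters


def longest_match(ip, prefixes):
    """Longest-prefix match of an address against the known prefix strings."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    best = max((n for n in nets if ip in n), key=lambda n: n.prefixlen, default=None)
    return str(best) if best else None


def validate(filters, router, src_ip, dst_ip, ingress):
    """True if the packet's (src prefix, dst prefix, ingress) triple is legitimate at router."""
    src = longest_match(ipaddress.ip_address(src_ip), PREFIXES.values())
    dst = longest_match(ipaddress.ip_address(dst_ip), PREFIXES.values())
    return (src, dst, ingress) in filters[router]


ADJ = build_adjacency(LINKS)
TABLES = compute_routing_tables(ADJ, PREFIXES)
FILTERS = derive_filters(ADJ, PREFIXES, TABLES)

if __name__ == "__main__":
    for r in sorted(FILTERS):
        print(r, sorted(FILTERS[r]))
    # legitimate: 10.1/16 -> 10.3/16 reaches R2 from R1 on eth0
    print(validate(FILTERS, "R2", "10.1.5.5", "10.3.1.1", "eth0"))
    # spoofed: same addresses but arriving at R2 from the R3 side on eth1
    print(validate(FILTERS, "R2", "10.1.5.5", "10.3.1.1", "eth1"))
```

Each router only needs the triples for paths that actually traverse it, which is why the filter sets are per router; a packet whose source prefix cannot legitimately arrive on that ingress interface for that destination fails the lookup.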
Source
《小型微型计算机系统》 (Journal of Chinese Computer Systems), CSCD, Peking University core journal
2013, No. 9, pp. 1999-2003 (5 pages)
Funding
Supported by the National Natural Science Foundation of China (61073172)
Supported by the Specialized Research Fund for the Doctoral Program of Higher Education (200800030034)