Abstract
To address the network security problems facing SDN (software defined networks), this paper proposes an access control strategy based on the idea of centralized control. Access control rules are pushed down to the source switch, so that invalid data flows are suppressed at their source. Using the longest common prefix of an interval's start and end points as the basic element for building an LE-Trie solves the problem that IP address and port ranges cannot otherwise be constructed in the tree. On this basis, a rule detection and matching method based on a multi-area-domain LE-Trie (MADLT) is proposed. The algorithm turns sequential matching of rules into matching over multiple domains, which reduces the number of match operations and thus improves the working efficiency of the access control server. Comparative experiments show that in conflict detection MADLT improves time performance on average by a factor of 2.97 over the sequential algorithm and by 30.4% over the traditional Trie algorithm; in rule matching it improves on average by a factor of 2.3 over the sequential algorithm and by 16.3% over the traditional Trie algorithm. This demonstrates that the centralized access control strategy proposed in this paper can effectively realize data access control in SDN networks.
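As an added illustration of the idea the abstract describes (this is not the paper's code, which the page does not reproduce), the Python below keys each range in a binary trie by the longest common bit prefix of its two endpoints, keeps one trie per header domain, and matches a packet by intersecting the per-domain candidate sets before confirming the exact ranges. The domain names and widths, the "any" default for unspecified domains, and the sample rules and packet are assumptions constructed for the example.

```python
def common_prefix(lo, hi, width):
    """Longest common bit prefix of lo and hi as width-bit strings: the trie key for [lo, hi]."""
    return format(lo, f"0{width}b")[: width - (lo ^ hi).bit_length()]

class DomainTrie:
    def __init__(self, width):
        self.width, self.root = width, {"rules": set()}
    def insert(self, lo, hi, rule_id):
        node = self.root  # a rule id is stored at the node of its range's common prefix
        for bit in common_prefix(lo, hi, self.width):
            node = node.setdefault(bit, {"rules": set()})
        node["rules"].add(rule_id)
    def lookup(self, value):
        # rule ids at every node on the bit path of value: a candidate superset
        node, found = self.root, set()
        for bit in format(value, f"0{self.width}b"):
            found |= node["rules"]
            node = node.get(bit)
            if node is None:
                return found
        return found | node["rules"]

DOMAINS = {"src_ip": 32, "dst_ip": 32, "src_port": 16, "dst_port": 16}  # assumed field widths

class MultiDomainMatcher:
    def __init__(self):
        self.tries = {name: DomainTrie(w) for name, w in DOMAINS.items()}
        self.rules = {}  # rule_id -> {domain: (lo, hi)}; an unspecified domain means "any"
    def add_rule(self, rule_id, ranges):
        full = {n: ranges.get(n, (0, 2**w - 1)) for n, w in DOMAINS.items()}
        self.rules[rule_id] = full
        for name, (lo, hi) in full.items():
            self.tries[name].insert(lo, hi, rule_id)
    def match(self, pkt):
        cands = set(self.rules)
        for name in DOMAINS:  # each domain lookup narrows the candidate set
            cands &= self.tries[name].lookup(pkt[name])
        # a prefix node over-approximates its interval, so confirm the exact ranges
        return sorted(r for r in cands
                      if all(lo <= pkt[n] <= hi for n, (lo, hi) in self.rules[r].items()))

ip = lambda s: int.from_bytes(bytes(map(int, s.split("."))), "big")  # dotted quad -> int

def demo():
    # constructed rules: 1 = web traffic from 10.0.0.0/8, 2 = 10.1.0.0/16 to ports below 1024
    m = MultiDomainMatcher()
    m.add_rule(1, {"src_ip": (ip("10.0.0.0"), ip("10.255.255.255")), "dst_port": (80, 80)})
    m.add_rule(2, {"src_ip": (ip("10.1.0.0"), ip("10.1.255.255")), "dst_port": (0, 1023)})
    pkt = {"src_ip": ip("10.1.2.3"), "dst_ip": ip("192.168.1.1"), "src_port": 40000, "dst_port": 80}
    return m.match(pkt)  # both rules cover the packet: [1, 2]
```

Two rules covering the same packet, as in `demo()`, is exactly the overlap a conflict detector has to surface before the rules are pushed to a switch.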
Source
《重庆邮电大学学报(自然科学版)》
CSCD
Peking University Core Journal (北大核心)
2015, No. 5, pp. 674-682 (9 pages)
Journal of Chongqing University of Posts and Telecommunications(Natural Science Edition)
Funding
National Natural Science Foundation of China (61370139)
Beijing Key Laboratory of Network Culture and Digital Communication project (ICDD201309)
Beijing Municipal Universities Innovation Team Building and Teacher Career Development Program (IDHT20130519)