Automatic implementation scheme of implementing access control rules in OpenFlow network

Cited by: 3
Abstract: Because the data plane of an OpenFlow network changes frequently, the network cannot be guaranteed to satisfy its access control policy at all times. To address this, an automatic implementation scheme for access control rules in OpenFlow networks was proposed. First, the reachable space was obtained by building forwarding paths in real time, and conflicts among access control rules were resolved with a dynamic rule-set synthesis algorithm. Then the denied space was extracted from the synthesized set of access control rules with a rule space division algorithm and compared with the reachable space to detect illegal forwarding paths that violate the access control rules directly or indirectly. On this basis, an automatic violation resolution was chosen flexibly according to the network update event and the violation detection result, from four methods: rejecting the rule update, removing the rule sequence, deploying the rule near the source based on linear programming (LP), and deploying the rule at the path end. Finally, the format of the access control rules was converted. Theoretical analysis and simulation results demonstrate that the scheme is applicable when multiple security applications are running on the controller and switch memory is limited, and that LP-based near-source rule deployment reduces unwanted traffic in the network.
Source: Journal of Computer Applications (《计算机应用》), CSCD, Peking University core journal, 2015, No. 11: 3270-3274, 3307 (6 pages)
Funding: National 863 Program project (2012AA012704); Zhengzhou Science and Technology Leading Talent project (131PLJRC644)
Keywords: forwarding path; linear programming (LP); network data plane; access control rule; OpenFlow network