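Abstract
As modular programmable routers become increasingly common, the security problems that routers face are becoming increasingly severe. This paper proposes the pattern router, which encodes and pre-combines the modular data plane in order to dynamically monitor and regulate the router's data plane. The paper labels each data plane action with an action identifier (AID) and stores the legitimate AIDs in a regulated action table (RAT) in advance. While the router is running, all dynamic actions are verified against the RAT to ensure that the actions are trustworthy. The pattern router was deployed on both a Click router and a data plane development kit (DPDK) router. Experimental results show that the pattern router occupies only 2 MB of space and costs less than 10% of bandwidth performance, while capturing all malicious actions in the data plane.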
Router security has become more important with the increasing number of programmable routers. This paper presents a pattern router that codes the modularized dataplane and pre-combines the result to monitor and regulate the dynamic actions in the dataplane. This method uses an action identifier (AID) for each action in the dataplane and puts the normal AIDs into a regulated action table (RAT) before running the router. When the router is working, all the dynamic actions are verified by the RAT to ensure that each action is trustworthy. The pattern router was implemented in a Click router and in a data plane development kit (DPDK) router, with tests showing that the pattern router occupies only 2 MB and uses less than 10% of the bandwidth to capture all the abnormal actions in the dataplane.
Authors
徐磊
徐恪
XU Lei; XU Ke (Tsinghua National Laboratory for Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China)
Source
《清华大学学报(自然科学版)》
EI
CAS
CSCD
PKU Core
2018, Issue 8, pp. 693-697 (5 pages)
Journal of Tsinghua University (Science and Technology)