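Abstract
To address the reduced network forwarding performance caused by existing source address validation mechanisms in software-defined networks, a dynamic source address validation system that adapts to changes in network state is designed and implemented. First, through the design of dynamic flow-table validation rules and data mining of switch statistics, source address forgery in the network is screened for and located. Then, a module for dynamically deploying flow-table rules and host state sets is designed, which deploys optimized rules to access-layer switches, preserving network forwarding performance while maintaining source address security. Experiments show that the method reasonably configures the number of flow-table rules resident in switches, reduces packet forwarding delay, maintains the timeliness and accuracy with which the source address validation system detects forged information, and effectively reduces the negative impact of source address validation on the forwarding performance of the underlying network.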
For the problem of distributed denial-of-service attacks based on forged source addresses in software defined networks (SDN), static source address validation improvement (SAVI) can effectively filter forged packets, but it increases the cost of forwarding normal packets and has a negative impact on the forwarding performance of devices in large-traffic environments. A dynamic source address validation improvement system is designed and implemented to address this network performance issue, including validation preprocessing, detection of hosts forging source addresses, and dynamic rule deployment. The experimental results demonstrate the reasonableness of dynamic SAVI's flow table rule allocation, its reduction of packet forwarding delay, and its accuracy in detecting forged address information. The system indeed reduces the negative impact of static SAVI on the forwarding performance of the network.
Authors
ZHOU Qizhao (周启钊)
YU Junqing (于俊清)
LI Dong (李冬)
ZHOU Qizhao; YU Junqing; LI Dong (College of Computer Science and Technology, Huazhong University of Science and Technology information, Wuhan 430074, China; Network and Computation Center, Huazhong University of Science and Technology information, Wuhan 430074, China)
Source
Journal on Communications (《通信学报》)
EI
CSCD
Peking University Core Journals (北大核心)
2018, Issue A01, pp. 235-243 (9 pages)
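Funding
Supported by the CERNET Next Generation Internet Technology Innovation Fund (No. NGII20170408)
Supported by the National Cyberspace Security Special Fund (No. 2017YFB0801700)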
Keywords
software defined network
source address validation improvement
dynamic source address validation
quality of service