基于区块链的SDN数据平面错误流规则检测

False flow rule detection in SDN data plane based on blockchain

由于软件定义网络(SDN)的数据平面只负责流量转发,并不具备识别流规则是否正确的功能,使得攻击者可通过恶意向数据平面注入错误流规则,造成网络拥塞和信息泄露,甚至是网络瘫痪等严重后果.鉴于区块链的可追溯、不可篡改等特性,提出了一个在控制平面运行的基于区块链的错误流规则检测(FFRD-BC)机制,当控制器向数据平面下发流规则的同时将其存储到区块链中,通过随机选择数据平面中的流规则并验证其是否存在于区块链中,来检测出数据平面中第三方行动者注入的错误流规则.其次,在FFRD-BC的流规则检测阶段,引入基于实用拜占庭容错共识算法的投票验证策略,避免由于区块链节点一致性不稳定而导致的误检情况.实验结果表明:随着检测次数的增加,提出的FFRD-BC机制能够有效检测数据平面中第三方行动者注入的错误流规则,并且与自主验证策略相比有效降低了误检率.

The data plane of Software-Defined Networking(SDN)is only responsible for traffic forwarding and does not have the function of identifying whether flow rules are true or not.Therefore,attackers can maliciously inject false flow rules into the data plane to cause network congestion,information leakage,and even network breakdown.Considering the traceable and tamper-proofing characteristics of blockchain,a false flow rule detection mechanism based on blockchain(FFRD-BC)is proposed and running on the control plane.The SDN controllers in the control plane send flow rules to the data plane and store them in the blockchain.By randomly selecting flow rules from the data plane and verifying whether they are in the blockchain,the false flow rules injected by the third man can be detected.Furthermore,the vote-verification strategy based on the Practical Byzantine Fault Tolerance consensus algorithm is introduced in the flow rule detection stage of FFRD-BC to avoid the false detection caused by the unstable consistency of blockchain nodes.Experimental results show that,with the detection times increasing,the proposed FFRD-BC mechanism can detect the false flow rules injected into the data plane by the third man effectively.Moreover,compared with the self-verification strategy,it effectively reduces the false detection rate.