软件定义网络中流规则安全性研究进展

Advances in security analysis of software-defined networking flow rules

随着网络功能的日益多元化,具有集中控制与可编程性的软件定义网络(SDN)架构已在众多领域被广泛应用。然而,SDN特有的层次结构与运行机制也引入了新的安全挑战,其中,流规则作为控制平面管理决策的载体和数据平面网络行为的依据,已成为SDN网络攻防的重点。针对SDN中流规则的安全性问题,首先分析了SDN架构的特点及安全隐患。再基于SDN中的流规则机制,将针对流规则的攻击分为干扰控制平面决策和破坏数据平面执行两类,并介绍了攻击实例。对于提升流规则安全性的研究,分别从检验与增强两个方面展开分析,总结了现有的实现机制并简要分析了其存在的局限性。其中,分析探讨了基于建模检测和基于数据包探测的两种主流的检验方案,介绍讨论了基于权限控制、基于冲突解决和基于路径验证的3种具体的流规则增强思路。最后,展望了流规则安全性未来的发展方向。

With the increasing diversification of network functions,the software-defined networking(SDN)architecture,which provides centralized network control and programmability,has been deployed in various fields.However,the unique hierarchical structure and operation mechanism of SDN also introduce new security challenges,among which as the carrier of control plane management decisions and the basis of data plane network behavior,flow rules have become the focus of SDN attack and defense.Aiming at the security issues of flow rules in SDN,this paper first reviews the characteristics and security risks of the SDN architecture.Based on the mechanism of flow rules in SDN,the attacks against flow rules are systematically divided into two categories,namely,interference of control plane decision and violation in data plane implementation,with the attack examples introduced.Then,the methods for improving the security of flow rules are analyzed and classified into two categories,i.e.,checking and enhancing the security of flow rules.Furthermore,existing implementation mechanisms are summarized with their limitations briefly analyzed.In terms of flow rule security checking,two mainstream methods,i.e.,model-based checking and test-packet-based checking,are analyzed and discussed.In terms of flow rule security enhancement,three specific ideas based on permission control,conflict resolution and path verification are introduced and discussed.Finally,the future research trends of flow rule security are prospected.