Computer Engineering ›› 2019, Vol. 45 ›› Issue (2): 139-143. doi: 10.19678/j.issn.1000-3428.0049918

• Security Technology •

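A Fast SDN Rule Conflict Detection Mechanism

HAO Wei, YI Peng, JIANG Yiming

  1. National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450001, China
  • Received: 2017-12-29 Online: 2019-02-15 Published: 2019-02-15
  • About the authors: HAO Wei (b. 1990), male, master's student, main research interest: network security; YI Peng, researcher, Ph.D.; JIANG Yiming, lecturer, Ph.D.
  • Funding:

    National Natural Science Foundation of China (61521003, 61572519, 61502530); National High Technology Research and Development Program of China (2015AA016102); National Key Research and Development Program of China (2017YFB0803201); Scientific Research Program of the Science and Technology Commission of Shanghai Municipality (16DZ1120503); Henan Province Science and Technology Research Program (162102210034).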

Abstract:

Owing to the unawareness of flow entries in the Software Defined Network (SDN) architecture, an attacker can tamper with them, causing rule conflicts in the network. To address the long detection time of existing rule conflict detection mechanisms, a fast rule conflict detection mechanism is proposed. By compressing flow entries, the mechanism builds a port-based rule topology and computes end-to-end reachability from that topology, so that rule conflicts in the network can be detected quickly. Simulation results show that, with the same network topology and the same number of flow entries, the proposed mechanism reduces detection time by about 15% compared with the existing Netplumber detection mechanism.

Key words: Software Defined Network (SDN), flow entry, rule conflict, coding compression, conflict detection

CLC Number: