软件定义网络体系架构安全问题研究

doi:10.12267/j.issn.2096-5931.2023.02.006

摘要/Abstract

摘要：

软件定义网络实现了控制与转发分离,可以满足不断变化的计算和存储需求,近年来被广泛应用于新兴技术领域。随着软件定义网络的不断发展和部署,其面临的安全威胁和风险也越来越大,软件定义网络安全问题成为当前网络安全领域的一个重要研究方向。从软件定义网络三层架构入手,在分析和总结软件定义网络所面临主要安全问题的基础上,探讨了目前针对安全问题所采取的主要措施,重点介绍了防御DDoS攻击的研究成果,并对下一步研究工作方向进行了展望。

关键词: 软件定义网络, 集中控制, 安全风险, 应对措施, 分布式拒绝服务

Abstract:

SDN network realizes the separation of control and forwarding, and meets the requirements of computing and storage that change continuous, so it is widely used in new technologies in recent years. With the continuous development and deployment of SDN network, it faces more and more security threats and risks. SDN security has become an important research direction in the field of network security. This paper starts with the SDN three-tier architecture, analyzes and summarizes the main security problems faced by the SDN network, discusses the current main measures for security problems, mainly introduces the research results of DDoS attack prevention, and looks forward to the next research direction.

Key words: software defined network, centralized control, security risk, countermeasures, distributed denial of service

中图分类号:

TN929.11

张健, 曹珩, 王哲. 软件定义网络体系架构安全问题研究[J]. 信息通信技术与政策, 2023, 49(2): 35-42.

ZHANG Jian, CAO Heng, WANG Zhe. Research on the security of software defined network architecture[J]. Information and Communications Technology and Policy, 2023, 49(2): 35-42.

导出引用管理器 EndNote|Ris|BibTeX

链接本文:

http://ictp.caict.ac.cn/CN/10.12267/j.issn.2096-5931.2023.02.006

http://ictp.caict.ac.cn/CN/Y2023/V49/I2/35

图/表 4

参考文献 44

[1]	Stanford University. Clean slate program[R], 2006.
[2]	MCKEOWN N. Software-Defined metworking[C]. In Proc. of the INFOCOM Key Note, 2009.
[3]	Software-Defined Networking (SDN) definition-open networking foundation[R], 2018.
[4]	ALHAZMI A, SHAMI, REFAEY A. Optimized provisioning of SDN enabled virtual networks in geo-distributed cloud computing datacenters[J]. Commun. Netw, 2017, 19(4): 402-415.
[5]	MARíA B, JIMéNEZ F, JORGE E, et al. A Survey of the main security issues and solutions for the SDN architecture[J]. IEEE Access, 2021(9):122016-122038.
[6]	RAHOUTI M, XIONG K, XIN Y, et al. SDN security review: threat taxonomy, implications, and open challenges[J]. IEEE Access, 2022(10):45820-45854.
[7]	MUBARAKALI A, ALQAHTANI A S. A survey: security threats and countermeasures in software defined networking[C]. IEEE 2nd International Con. on Information and Computer Technologies, 2019:180-185.
[8]	VAUGHAN-NICHOLS S. OpenFlow: the next generation of the network[J]. Computer, 2011, 44(8): 13-15.
[9]	FEAMSTER N, REXFORD J, ZEGURA E. The road to SDN: an intellectual history of programmable networks[J]. ACM Comput, Commun, 2014, 44(2): 87-98.
[10]	DING A, CROWCROFT J, TARKOMA S, et al. Software defined networking for security enhancement in wireless mobile networks[J]. Computer Networks, 2014(66): 94-101.
[11]	SCOTT-HAYWARD S, O’CALLAGHAN G. SDN security: a survey[C]. in Proc. SDN4FNS Workshop Softw. Defined Netw. Future Netw. Services, 2013:1-7.
[12]	ON Foundation. SDN architecture[R], 2014.
[13]	Danping A, Pourzandi M, Scott-Hayward S, et al. Threat analysis for the SDN architecture[R], 2018.
[14]	LIU Y, ZHAO B, ZHAO P, et al. A survey: typical security issues of software-defined networking[J]. China Communications, 2019, 16(7):13-31.
[15]	NAGARATHNA R, SHALINIE S. SLAMHHA: a supervised learning approach to mitigate host location hijacking attack on SDN controllers[C]// in Proc. 4th Int. Conf. Signal Process.,Commun. Netw, 2017: 1-7.
[16]	SMYTH D, MCSWEENEY S, O’SHEA D, et al. Detecting link fabrication attacks in software-defined networks[C]// in Proc. 26th Int. Conf. Comput. Commun. Netw. (ICCCN), 2017: 1-8.
[17]	BROOKS M, YANG B. A man-in-the-middle attack against OpenDay light SDN controller[C]// in Proc. 4th Annu. ACM Conf. Res. Inf. Technol., 2015:45-49.
[18]	JERO S, KOCH W, SKOWYRA R, et al. Identifier binding attacks and defenses in software-defined networks[C]// in Proc. of 26th USENIX Security Symposium, 2017: 415-432.
[19]	MARIN E, BUCCIOL N, CONTI M. An in-depth look into SDN topology discovery mechanisms: novel attacks and practical countermeasures[C]// in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2019: 1101-1114.
[20]	PRADHAN A, MATHEW R. Solutions to vulnerabilities and threats in software defined networking (SDN)[C]// in Proc. Comput. Sci., 2020(171): 2581-2589.
[21]	SALLAM A, REFAEY A, SHAMI A. On the security of SDN: a completed secure and scalable framework using the software-defined perimeter[J]. IEEE Access, 2019(7): 146577-146587.
[22]	WANG M, LIU J, Chen J, et al. Perm-guard: authenticating the validity of flow rules in software defined networking[J]. Signal Process. Syst., 2017, 86(2-3): 157-173.
[23]	XIA J, CAI Z, HU G, et al. An active defense solution for ARP spoofing in OpenFlow network[J]. Chin. J. Electron., 2019, 28(1): 172-178. doi: 10.1049/cje.v28.1 URL
[24]	CAO J, LI Q, XIE R, et al. The crosspath attack: disrupting the SDN control channel via shared links[C]. Proc. 28th USENIX Secur. Symp., 2019:19-36.
[25]	THIMMARAJU K, SCHIFF L, SCHMID S. Outsmarting network security with SDN teleportation[C]// IEEE Eur. Symp. Secur. Privacy, 2017: 563-578.
[26]	KLOTI R. OpenFlow: a security analysis[D]. M.S. thesis, Dept. Inf. Tech. Elec. Eng., Swiss Fed. Inst. Technol.Zurich (ETH), Zurich, Switzerland, 2013.
[27]	SKOWYRA P, XU L, GU G, et al. Effective topology tampering attacks and defenses in software-defined networks[C]// in 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2018: 374-385.
[28]	HONG S, XU L, WANG H, et al. Poisoning network visibility in software-defined networks: new attacks and countermeasures[C]// in Proc. Netw. Distrib. Syst. Secur. Symp. (NDSS), 2015(15):8-11.
[29]	MAITY P, SAXENA S, SRIVASTAVA S, et al. An effective probabilistic technique for DDoS detection in OpenFlow controller[J]. IEEE Syetems Journal, 2022, 16(1):1345-1354.
[30]	CAO Y, JIANG H, DENG Y, et al. Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(6):3855-3872. doi: 10.1109/TDSC.2021.3108782 URL
[31]	Feb. Security-Enhanced Floodlight[R], 2022.
[32]	Feb. Floodlight Controller[R], 2022.
[33]	FERNANDEZ M. Comparing OpenFlow controller paradigms scalability: Reactive and proactive[C]// in Proc. IEEE 27th Int. Conf. Adv. Inf. Netw.Appl., pp. 1009-1016, Mar. 2013.
[34]	Al-SHAER E, Al-HAJ S. FlowChecker: configuration analysis and verification of federated openflow infrastructures[C]// in Proc. 3rd ACM Workshop Assurable Usable Secur. Configuration, 2010: 37-44.
[35]	KHURSHID A, ZHOU W, CAESAR M, et al. VeriFlow: verifying network-wide invariants in real time[C]// in Proc. 1st Workshop Hot Topics Softw. Defined Netw., 2012: 49-54.
[36]	PORRAS P, SHIN S, YEGNESWARAN V, et al. A security enforcement kernel for OpenFlow networks[C]// in Proc. 1st ACM Workshop Hot Hot Topics Softw. Defined Netw., 2012:121-126.
[37]	WEN X, CHEN Y, HU C, et al. Towards a secure controller platform for OpenFlow applications[C]// in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013: 171-172.
[38]	BECKETT R, ZOU X K, ZHANG S, et al. An assertion language for debugging SDN applications[C]// in Proc.3rd ACM Workshop Hot Topics Softw. Defined Netw., 2014: 91-96.
[39]	Business Wire. Global software-defined networking market (2020 to 2025)-software-defined networking for 5G presents opportunities[R], 2020.
[40]	GOUD K, GIDITURI S. Security challenges and related solutions in software defined networks: a survey[J]. International Journal of Computer Networks and Applications, 2022(9): 22-37.
[41]	MALEH Y, QASMAOUI Y, GHOLAMI K, Y. et al. A comprehensive survey on SDN security: threats, mitigations, and future directions[J]. J. Reliable Intell. Environ., 2022: 1-39.
[42]	AHMAD A, Harjula E, Ylianttila M, et al. Evaluation of machine learning techniques for security in SDN[C]. IEEE Globecom Workshops, 2020.
[43]	ALSHRA, ABDULLAH S, Ahmad F, et al. Deep learning algorithms for detecting denial of service attacks in software-defined networks[J]. Procedia Computer Science, 2021(91): 254-263.
[44]	VARHESE J, MUNIYAL B. An efficient IDS framework for DDoS attacks in SDN environment[J]. IEEE Access, 2021(19): 69680-69699.