Efficient and safe software defined network topology discovery protocol (高效安全的软件定义网络拓扑发现协议), cited by: 3
Abstract: The network topology discovery in OpenFlow-based software-defined networks (SDN) is mainly achieved by utilizing the OpenFlow discovery protocol (OFDP). However, existing research has observed that OFDP exhibits low topology-update efficiency and is susceptible to network topology pollution attacks. To address the efficiency and safety concerns of the network topology discovery protocol, an in-depth investigation was conducted into the mechanism and safety of OFDP network topology discovery. The characteristics of the topology establishment and updating phases in OFDP were analyzed, and an improved protocol named Im-OFDP (improved OpenFlow discovery protocol), based on the minimum vertex cover problem in graph theory, was proposed. In Im-OFDP, a switch port table and a network link table are first established using prior information obtained from OFDP topology discovery. A graph model of the network topology is then constructed, and the minimum vertex cover algorithm is used to select the switches that support the topology, i.e. the specific switches that receive and forward topology discovery link layer discovery protocol (LLDP) packets. Multi-level flow tables are designed according to the topology structure, and the controller installs these flow entries on the selected switches. Topology discovery packets sent by the controller are forwarded through the multi-level flow tables and reported back to the controller, which thereby obtains the topology information. To address security issues, Im-OFDP uses a dynamic check code in LLDP packets, derived from the information gathered during discovery, to verify the authenticity of network links; in addition, a verification mechanism based on the known topology information of hosts, switches and other network devices is established to ensure that network equipment is trustworthy. Experimental results demonstrate that deploying Im-OFDP significantly reduces the number of topology discovery messages, the bandwidth overhead and the CPU load on the controller, and that the response time to node failures and the link recovery time after a node failure are substantially shorter. Im-OFDP also effectively mitigates various network topology pollution attacks, such as link fabrication and switch forgery attacks. Overall, Im-OFDP can significantly improve the efficiency and security of SDN topology discovery.
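The switch-selection step described in the abstract, as an added illustration that is not code from the paper: a constructed five-switch topology, an exact minimum vertex cover found by brute force, and a check that emitting LLDP only from the cover switches still learns every inter-switch link while sending fewer Packet-Out messages than probing every port. The link list, port numbers and the brute-force search are assumptions made for this example.

```python
from itertools import combinations

# Constructed sample topology (not from the paper): inter-switch links as
# (switch_a, port_a, switch_b, port_b). Host-facing ports are omitted because
# only switch-to-switch links need LLDP probing.
LINKS = [
    ("s1", 1, "s2", 1),
    ("s1", 2, "s3", 1),
    ("s2", 2, "s3", 2),
    ("s2", 3, "s4", 1),
    ("s3", 3, "s4", 2),
    ("s4", 3, "s5", 1),
]

def switches(links):
    """All switch identifiers that appear at either end of a link."""
    return sorted({a for a, _, _, _ in links} | {b for _, _, b, _ in links})

def minimum_vertex_cover(links):
    """Exact minimum vertex cover by brute force (adequate for small graphs).
    A vertex cover is a switch set that touches every link; the smallest
    such set is the set of switches that must originate LLDP probes."""
    nodes = switches(links)
    for size in range(1, len(nodes) + 1):
        for cand in combinations(nodes, size):
            chosen = set(cand)
            if all(a in chosen or b in chosen for a, _, b, _ in links):
                return chosen
    return set(nodes)

def discovered_links(links, probing):
    """Simulate one discovery round: a link is learned when an LLDP frame
    emitted by a probing switch arrives at the far end of that link."""
    return {lk for lk in links if lk[0] in probing or lk[2] in probing}

def lldp_packet_count(links, probing):
    """Packet-Out messages per round: one LLDP frame per inter-switch port of
    each probing switch. With probing == all switches this is plain OFDP."""
    ports = {}
    for a, pa, b, pb in links:
        ports.setdefault(a, set()).add(pa)
        ports.setdefault(b, set()).add(pb)
    return sum(len(ports[s]) for s in probing)

if __name__ == "__main__":
    cover = minimum_vertex_cover(LINKS)
    print("probing switches:", sorted(cover))
    print("links learned:", len(discovered_links(LINKS, cover)), "of", len(LINKS))
    print("LLDP frames per round: OFDP", lldp_packet_count(LINKS, set(switches(LINKS))),
          "vs cover", lldp_packet_count(LINKS, cover))
```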
Authors: 李冬, 于俊清, 谷永普, 赵鹏程 (LI Dong; YU Junqing; GU Yongpu; ZHAO Pengcheng). Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China.
Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2023, No. 6, pp. 20-33 (14 pages).
Funding: National Key R&D Program of China (2020YFB1805601); China University Industry-Academia-Research Innovation Fund (2021FNA02005).
Keywords: software defined network; network topology; network security