一种基于数据平面可编程的软件定义网络报文转发验证机制  被引量：7

作　　者：左志斌 常朝稳[1] 祝现威 ZUO Zhibin;CHANG Chaowen;ZHU Xianwei(Information Engineering University,Zhengzhou 450001,China)

机构地区：[1]信息工程大学,郑州450001

出　　处：《电子与信息学报》2020年第5期1110-1117,共8页Journal of Electronics & Information Technology

基　　金：国家自然科学基金(61572517)。

摘　　要：针对软件定义网络(SDN)中OpenFlow协议匹配字段固定且数量有限,数据流转发缺少有效的转发验证机制等问题,该文提出一种基于数据平面可编程的软件定义网络报文转发验证机制。通过为数据报文添加自定义密码标识,将P4转发设备加入基于OpenFlow的软件定义网络,在不影响数据流正常转发的基础上,对网络业务流精确控制和采样。控制器验证采样业务报文完整性,并针对异常报文下发流规则至OpenFlow转发设备,对恶意篡改、伪造等异常数据流进行转发控制。最后,构建基于开源BMv2的P4转发设备和基于OpenFlow的Open vSwitch转发设备的转发验证原型,并构建仿真网络进行实验。实验结果表明,该机制能够有效检测业务报文篡改、伪造等转发异常行为,与同类验证机制相比,在安全验证处理开销保持不变的情况下,能够实现更细粒度的业务流精确控制采样和更低的转发时延。For the fixed and limited number of OpenFlow protocol matching fields, and the lack of effective forwarding verification mechanism for data packet forwarding in the Software-Defined Networking(SDN), a SDN packet forwarding verification mechanism based on programmable data plane is proposed. By adding a cipher identification to the data packet, the P4 forwarding device joins the OpenFlow-based SDN network to control accurately and sample network traffic flow without affecting the normal forwarding of the data flow.The controller verifies the integrity of the sampled packet, and sends flow rules to the OpenFlow forwarding device to control the abnormal data flow such as malicious tampering and forgery. Finally, the forwarding verification prototype and simulation network based on P4 forwarding device and Open vSwitch forwarding device are constructed and tested. The experimental results show that the mechanism can effectively detect the forwarding abnormal behaviors such as packet tampering and forgery. Compared with similar verification mechanisms, in the case of the same security verification processing overhead, it can achieve more fine-grained flow precise control sampling and lower forwarding delay.

关 键 词：软件定义网络 转发验证 数据平面可编程 P4转发设备 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]