Authors: 李旭阳 (LI Xu-yang); 郜帅 (GAO Shuai)[1]; 国兴昌 (GUO Xing-chang); 刘宁春 (LIU Ning-chun)
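Affiliation: [1] National Engineering Laboratory for NGI Interconnection Devices, School of Electronic Information and Engineering, Beijing Jiaotong University, Beijing 100044, China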
Source: Computer Technology and Development (《计算机技术与发展》), 2020, No. 10, pp. 111-116 (6 pages)
Funding: National Key R&D Program of China (2019YFB1802503); Equipment Pre-Research Project (JZX2017-1000/Y312-01).
Abstract: Traditional IP multicast has security difficulties with identity authentication and message encryption. The emergence of SDN (software defined networking) offers new ways to address these problems. Based on an in-depth analysis of current research on SDN multicast security, a secure multicast mechanism based on SDN is proposed. The mechanism deploys the multicast security scheme through an SDN controller and mainly covers two aspects: identity authentication of the multicast source and multicast receivers, and multicast session key management. A message that combines identity authentication with multicast join and leave is designed, realizing digital-certificate-based identity authentication as well as the generation, distribution and update of multicast session keys, which makes up for the lack of multicast source authentication and SDN encrypted multicast in existing schemes. Simulation results show that the mechanism can authenticate the multicast source and receivers by issuing digital certificates, deny illegitimate multicast receivers entry to the multicast group, and implement encrypted SDN multicast communication, improving the security of multicast. Performance test results show that deploying the mechanism significantly improves multicast security without a large impact on performance.
Keywords: multicast; software defined networking; digital certificate; identity authentication; session key
Classification: TP393 [Automation and Computer Technology / Computer Application Technology]