一种基于SDP组件的SDN安全架构模型  被引量：2

作　　者：王亮[1,2] 马海龙 江逸茗[1] 雷靖玮[1] 毛明 WANG Liang;MA Hailong;JIANG Yiming;LEI Jingwei;MAO Ming(Information Engineering University,Zhengzhou 45001,China;Unit 66135,Beijing 100043,China)

机构地区：[1]信息工程大学,河南郑州450001 [2]66135部队,北京100043

出　　处：《信息工程大学学报》2022年第4期478-484,共7页Journal of Information Engineering University

基　　金：国家重点研发计划资助项目(2020YFB1804803)。

摘　　要：SDN为网络引入了开放式的可编程性和层次化的解耦模型,带来管控便利和性能飞跃的同时,也为攻击者降低了入侵门槛。针对SDN面临的安全问题,提出1种基于SDP组件的SDN安全架构SbSDN(SDP based SDN)。通过将SDP控制器基于现有SDN控制器集成部署,及利用SDN中OpenFlow协议的packet-in和packet-out报文消息封装SDP中的SPA消息,实现了SDP与SDN在数据平面和控制平面的良性耦合;面向应用网关在SDN数据平面的部署实现,提出1种应用网关分配算法;面向模型中SDP组件的协同验证,提出1种SbSDN会话建立算法。经安全性能和安全开销测试,所提架构以相比原SDN网络增加约10秒一次性启用时延的开销,减少了约56.3%的DoS攻击流量并可维持主机正常通信,还可抵御端口扫描攻击,有效提升了SDN网络安全性能。SDN introduces open programmability and hierarchical decoupling model to the network,which not only brings convenience in management and control and a leap in performance,but also lowers the threshold for attackers.To address such security problems faced by SDN,an SbSDN( SDP based SDN) security architecture based on SDP components is proposed.By integrating and deploying the SDP controller based on existing SDN controller,and using packet-in and packet-out packet messages of OpenFlow protocol in SDN to encapsulate SPA messages in SDP,the benign coupling between SDP and SDN in data plane and control plane is realized.For the deployment of the application gateway in the SDN data plane,an allocation algorithm is proposed;for the SDP component in the model for collaborative verification,an SbSDN session establishment algorithm is proposed.Security performance and security overhead testing shows that compared with the original SDN network,the proposed architecture increases the overhead of a one-time activation delay by about 10 seconds.Further,it reduces DoS attack traffic by about 56.3% while keeping normal host communication,and resists port scanning,thus effectively improving the security performance of SDN networks.

关 键 词：SDN SDP 应用网关 交换机 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]