Address assignment mechanism (AAM) packet validation, binding entry updating and denial of service (DoS) attack mitigation are considered to improve the security of the IPv6 source address validation improvement (SAVI) binding table in a software defined network (SDN). An AAM packet validating table is established in the SDN controller to record switch port, MAC address and host address. An AAM packet validation procedure for DHCPv6 and SLAAC is built: it issues flow rules for router advertisement (RA) snooping to collect DHCPv6 request/reply packets and NS/NA packets, and verifies the IP addresses carried in these packets against the AAM packet validating table. A monitoring and updating mechanism for binding entries is established to adapt to dynamic networks: it detects events such as a host going offline or an IP address failing, updates the binding table in time, and keeps the SAVI binding table consistent with the actual network state. A traffic rate limiting table for each switch port is set up on the OpenFlow multi-level flow table to defend against DoS attacks. Experimental results show that the proposed procedure mitigates various attacks that forge AAM packets to corrupt the SAVI binding table, updates SAVI binding table records in time, and improves AAM packet processing efficiency.
Dong LI, Yu LU, Jun-qing YU. Security of source address validation improvement binding table in software defined network. Journal of Zhejiang University (Engineering Science), 2020, 54(8): 1543-1549.
Tab. 3 Experimental results of forged AAM packets attack
Fig. 4 Original records in binding table
Fig. 5 Log of binding entries updating
Fig. 6 Updated binding entries
Fig. 7 Results of scheme with no traffic rate limit
Fig. 8 Results of scheme with traffic rate limit on switch
Fig. 9 Results of scheme with traffic rate limit on switch port
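The controller-side validation and updating logic summarised in the abstract (a binding table recording switch port, MAC and host address; acceptance of DHCPv6 Reply and NS/NA packets only when they agree with that table; removal of entries when a host goes offline), as an added illustration that is not the paper's code. The matching rules, method names and the use of the DHCPv6 transaction id to pair Request and Reply are assumptions made for this example.

```python
class SaviBindingTable:
    """Controller-side SAVI binding table, IP -> (switch port, MAC, state). Added example; the rules are assumptions, not the paper's implementation."""

    def __init__(self):
        self.bindings = {}      # ip -> (port, mac, state); state is "tentative" or "bound"
        self.pending_dhcp = {}  # DHCPv6 transaction id -> (port, mac) of the requesting client

    def on_dhcpv6_request(self, port, mac, txid):
        # Record which port/MAC sent the Request so the later Reply can be matched to it.
        self.pending_dhcp[txid] = (port, mac)

    def on_dhcpv6_reply(self, txid, mac, ip):
        # Accept a Reply only if it answers a Request we saw and names that client's MAC;
        # anything else is treated as a forged AAM packet and creates no binding.
        if self.pending_dhcp.get(txid, (None, None))[1] != mac:
            return False
        port, _ = self.pending_dhcp.pop(txid)
        self.bindings[ip] = (port, mac, "bound")
        return True

    def on_dad_ns(self, port, mac, target):
        # SLAAC: a DAD Neighbor Solicitation creates a tentative binding, unless the
        # address already belongs to a different port/MAC.
        owner = self.bindings.get(target)
        if owner and owner[:2] != (port, mac):
            return False
        self.bindings[target] = (port, mac, "tentative")
        return True

    def on_na(self, port, mac, target):
        # A Neighbor Advertisement is valid only from the port/MAC that owns the target.
        owner = self.bindings.get(target)
        if owner is None or owner[:2] != (port, mac):
            return False
        self.bindings[target] = (port, mac, "bound")
        return True

    def on_host_offline(self, port):
        # Monitoring hook: a port-down event drops every binding on that port so the
        # table stays consistent with the real network; returns the removed IPs.
        stale = [ip for ip, b in self.bindings.items() if b[0] == port]
        for ip in stale:
            del self.bindings[ip]
        return stale

    def is_valid_source(self, port, mac, ip):
        # Data-plane check: a packet passes only if (port, MAC, IP) matches a bound entry.
        b = self.bindings.get(ip)
        return b is not None and b[2] == "bound" and b[:2] == (port, mac)
```

The constructed scenario below pairs one legitimate DHCPv6 exchange and one SLAAC DAD exchange with an unsolicited Reply and an NA for an address owned by another port, then takes the first host offline.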