Journal of Zhejiang University (Engineering Science)  2020, Vol. 54 Issue (8): 1543-1549    DOI: 10.3785/j.issn.1008-973X.2020.08.012
Computer Technology
Security of source address validation improvement binding table in software defined network
Dong LI, Yu LU, Jun-qing YU
Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China
Abstract:

Address assignment mechanism (AAM) packet validation, binding entry updating and denial of service (DoS) attack mitigation were considered to improve the security of the IPv6 source address validation improvement (SAVI) binding table in software defined networks (SDN). An AAM packet validation table is established in the SDN controller to record switch port, MAC address and host IP address. An AAM packet validation procedure for DHCPv6 and SLAAC is built: it sends out flow rules for router advertisement (RA) snooping, collects DHCPv6 request/reply packets and NS/NA packets, and verifies the IP address in these packets against the AAM packet validation table. A monitoring and updating mechanism for binding entries is established to adapt to dynamic network changes: it detects events such as host offline and IP address failure, updates the binding table in time and keeps the SAVI binding table consistent with actual network information. A traffic rate-limiting table per switch port is set up on the OpenFlow multi-level flow table to defend against DoS attacks. Experimental results show that the proposed procedure mitigates various attacks that forge AAM packets to break the SAVI binding table, updates SAVI binding table records in time and improves AAM packet processing efficiency.

Key words: software defined network    source address validation    binding table    IPv6 security    address assignment
Received: 2019-09-18  Published: 2020-08-28
CLC:  TP 393
Funding: National Key R&D Program of China (2017YFB0801703); CERNET Next Generation Internet Technology Innovation Project (NGII20170408)
About the author: LI Dong (born 1979), male, lecturer, engaged in computer network and network security research. orcid.org/0000-0001-6431-8980. E-mail: lidong@hust.edu.cn
Cite this article:

Dong LI, Yu LU, Jun-qing YU. Security of source address validation improvement binding table in software defined network. Journal of Zhejiang University (Engineering Science), 2020, 54(8): 1543-1549.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2020.08.012        http://www.zjujournals.com/eng/CN/Y2020/V54/I8/1543

Message type   Handling
Request        Update the AAM validation table; set the binding state to 1
Decline        Delete the corresponding entries from the AAM validation table and the binding table
Confirm        Update the switch port in the AAM validation table; set the binding state to 1
Table 1  DHCPv6 message handling
Fig. 1  Link-local address validation flow
Fig. 2  Binding table entry update flow
Fig. 3  Binding table security test platform
No.   Forged message type   Description
1     Request/Reply         Forged MAC address
2     Request/Reply         Forged IP address in the IA option
3     Decline               IA option IP address forged as another host's IP
4     NS                    Forged MAC address
5     NS                    Target address is a link-local address
6     NS                    Target address is a global unicast address whose prefix does not match
7     NS                    Target address is an unused global unicast address whose prefix matches
8     NS                    Target address is another host's IP address
Table 2  Forged AAM message types
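The following is an added example, constructed for this page and not the authors' code, of the binding-table protections the abstract and Table 2 describe: a controller-side AAM validation table keyed by (switch port, MAC), DHCPv6 Request/Reply/Decline/Confirm handling following Table 1, NS target checks that reject the forgery cases 4, 6 and 8 of Table 2, binding updates on host-offline and address-expiry events, and a per-port message budget standing in for the OpenFlow port rate-limit table. All class, method and packet-field names (`AamValidationTable`, `check_ns`, `ll_mac` for the link-layer address carried inside the message, and so on) are assumptions; the RA prefix, MAC addresses and IPv6 addresses are constructed sample input. Cases 5 and 7 look like legitimate DAD to a binding table and are accepted here, which matches the "unable" results Table 3 reports for case 7 under SLAAC without temporary addresses.

```python
"""Constructed model of SAVI binding-table protection on an SDN controller
(added example, not the paper's code; all names and packet fields are assumptions)."""
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
PENDING, BOUND = 0, 1          # binding state values; Table 1 sets the state to 1


class AamValidationTable:
    def __init__(self, ra_prefixes, per_port_budget=5):
        # prefixes learned from snooped RA messages (constructed input)
        self.prefixes = [ipaddress.IPv6Network(p) for p in ra_prefixes]
        self.entries = {}      # (switch port, MAC) -> {IPv6Address: state}
        self.per_port_budget = per_port_budget
        self.port_counters = defaultdict(int)

    def _owner(self, ip):
        """(port, MAC) that currently holds ip, or None."""
        return next((k for k, ips in self.entries.items() if ip in ips), None)

    def _port_allows(self, port):
        """Per-port AAM message budget; messages beyond it are dropped (DoS defence)."""
        self.port_counters[port] += 1
        return self.port_counters[port] <= self.per_port_budget

    def reset_port_counters(self):
        """Call once per rate-limit window."""
        self.port_counters.clear()

    def handle_dhcpv6(self, pkt):
        """Apply Table 1. pkt = {type, port, mac, ll_mac, ia_addr}; returns (accepted, reason)."""
        if not self._port_allows(pkt["port"]):
            return False, "port rate limit exceeded"
        if pkt["ll_mac"] != pkt["mac"]:           # case 1: MAC inside the message is forged
            return False, "client link-layer address does not match source MAC"
        key, kind = (pkt["port"], pkt["mac"]), pkt["type"]
        ip = ipaddress.IPv6Address(pkt["ia_addr"])
        owner = self._owner(ip)
        if kind == "Request":
            if owner not in (None, key):          # case 2: IA option names another host's IP
                return False, "IA address already bound to another host"
            self.entries.setdefault(key, {})[ip] = PENDING
            return True, "request recorded, awaiting Reply"
        if kind == "Reply":
            if self.entries.get(key, {}).get(ip) is None:
                return False, "Reply without a matching Request"
            self.entries[key][ip] = BOUND
            return True, "binding state set to 1"
        if kind == "Decline":
            if owner != key:                      # case 3: declining another host's IP
                return False, "Decline names an address not bound to this host"
            self.entries[key].pop(ip)
            return True, "entry deleted"
        if kind == "Confirm":
            # host re-attached on another port: move its addresses, state 1
            for old_key, ips in list(self.entries.items()):
                if old_key[1] == pkt["mac"] and ip in ips:
                    self.entries[key] = self.entries.pop(old_key)
                    self.entries[key][ip] = BOUND
                    return True, "switch port updated"
            return False, "Confirm for an unknown MAC/address pair"
        return False, "unsupported message type"

    def check_ns(self, pkt):
        """Check a snooped DAD NS against Table 2 cases 4-8.
        pkt = {port, mac, ll_mac, target}; returns (accepted, reason)."""
        if not self._port_allows(pkt["port"]):
            return False, "port rate limit exceeded"
        if pkt["ll_mac"] != pkt["mac"]:           # case 4
            return False, "source link-layer address option does not match source MAC"
        key, target = (pkt["port"], pkt["mac"]), ipaddress.IPv6Address(pkt["target"])
        if target not in LINK_LOCAL and not any(target in p for p in self.prefixes):
            return False, "global unicast target outside RA-advertised prefixes"   # case 6
        owner = self._owner(target)
        if owner not in (None, key):              # case 8
            return False, "target address already bound to another host"
        # cases 5 and 7 are indistinguishable from legitimate DAD here and get bound
        self.entries.setdefault(key, {})[target] = BOUND
        return True, "target bound"

    def host_offline(self, port, mac):
        """Binding update: drop every address of a host that left the port."""
        return self.entries.pop((port, mac), None) is not None

    def address_expired(self, ip):
        """Binding update: drop one address whose lease or lifetime ended."""
        ip = ipaddress.IPv6Address(ip)
        owner = self._owner(ip)
        if owner is None:
            return False
        self.entries[owner].pop(ip)
        return True


def run_demo():
    """Constructed scenario: host A binds via DHCPv6, host B sends forged messages,
    A goes offline, and port 3 floods NS messages. Returns the per-step results."""
    table = AamValidationTable(ra_prefixes=["2001:db8:1::/64"], per_port_budget=10)
    a = {"port": 1, "mac": "00:11:22:33:44:01", "ll_mac": "00:11:22:33:44:01"}
    b = {"port": 2, "mac": "00:11:22:33:44:02", "ll_mac": "00:11:22:33:44:02"}
    results = [
        table.handle_dhcpv6({**a, "type": "Request", "ia_addr": "2001:db8:1::a"}),
        table.handle_dhcpv6({**a, "type": "Reply", "ia_addr": "2001:db8:1::a"}),
        table.handle_dhcpv6({**b, "type": "Request", "ia_addr": "2001:db8:1::a"}),   # case 2
        table.handle_dhcpv6({**b, "type": "Decline", "ia_addr": "2001:db8:1::a"}),   # case 3
        table.check_ns({**b, "ll_mac": "00:11:22:33:44:ff", "target": "fe80::2"}),   # case 4
        table.check_ns({**b, "target": "2001:db8:9::b"}),                            # case 6
        table.check_ns({**b, "target": "2001:db8:1::a"}),                            # case 8
        table.check_ns({**b, "target": "2001:db8:1::b"}),                            # legitimate DAD
        table.host_offline(1, a["mac"]),              # A leaves; its entry is removed
        table.check_ns({**b, "target": "2001:db8:1::a"}),   # address is now free for reuse
    ]
    c = {"port": 3, "mac": "00:11:22:33:44:03", "ll_mac": "00:11:22:33:44:03"}
    flood = [table.check_ns({**c, "target": f"fe80::{i}"})[0] for i in range(1, 13)]
    results.append(sum(flood))    # only the per-port budget of messages is accepted
    return results


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The table is keyed by (switch port, MAC) as the abstract describes, so a forged message from another port cannot take over an address that is already bound; the `host_offline` step shows why timely binding updates matter, since until the stale entry is removed the freed address is rejected for every other host.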
No.   SLAAC                                        DHCPv6
      with temp. address   without temp. address   with temp. address   without temp. address
1     able/none            able/none               able/none            able/none
2     able/none            able/none               able/none            able/none
3     able/none            able/none               able/none            able/none
4     able/none            able/none               able/none            able/none
5     able/none            able/none               able/none            able/none
6     able/none            able/none               able/none            able/none
7     able/none            unable/present          able/none            able/none
8     able/none            unable/none             able/none            able/none
Table 3  Results of the AAM forged-message attack tests (row numbers refer to Table 2)
Fig. 4  Original binding table records
Fig. 5  Binding table message update log
Fig. 6  Binding table records after update
Fig. 7  Test results without rate limiting
Fig. 8  Test results with switch rate limiting
Fig. 9  Test results with switch port rate limiting