Security of source address validation improvement binding table in software defined network
Dong LI, Yu LU, Jun-qing YU
Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China
Abstract: Address assignment mechanism (AAM) packet validation, binding entry updating and denial of service (DoS) attack mitigation are considered to improve the security of the IPv6 source address validation improvement (SAVI) binding table in software defined networks (SDN). An AAM packet validation table is established in the SDN controller to record the switch port, MAC address and host address. An AAM packet validation procedure for DHCPv6 and SLAAC is built: it issues flow rules for router advertisement (RA) snooping, collects DHCPv6 request/reply packets and NS/NA packets, and verifies the IP addresses carried in these packets against the AAM packet validation table. A monitoring and updating mechanism for binding entries is established to adapt to dynamic networks: it detects events such as host offline and IP address expiry, updates the binding table in time and keeps the SAVI binding table consistent with the actual network state. A per-port traffic rate limiting table is set up on the basis of the OpenFlow multi-level flow table to defend against DoS attacks. Experimental results show that the proposed procedure mitigates various attacks that forge AAM packets to corrupt the SAVI binding table, updates SAVI binding table records in time and improves AAM packet processing efficiency.
Received: 18 September 2019
Published: 28 August 2020
Security of source address validation binding table in software defined network (Chinese abstract)
To improve the security of the IPv6 source address validation (SAVI) binding table in software defined networks (SDN), the binding table is protected from three aspects: address assignment mechanism (AAM) packet validation, binding entry updating and denial of service (DoS) attack defence. An AAM packet validation table is built on the SDN controller to record the switch port, MAC address, host IP address and related information; validation models are established for the two kinds of address configuration packets, DHCPv6 and SLAAC, flow rules are issued to snoop router advertisement (RA) messages, DHCPv6 request/reply packets and NS/NA packets are collected, and the address information in these packets is verified against the AAM packet validation table; a binding information monitoring and updating mechanism is established for dynamic changes in the network, which listens for host offline or host IP expiry events, updates binding information in time and keeps the binding table consistent with the actual network state; a switch port rate limiting table is built on the OpenFlow multi-level flow table to prevent denial of service attacks. Experimental results show that the scheme effectively defends against multiple forged-AAM-packet attacks on the binding table, updates binding table information in time and improves AAM packet processing efficiency.
Keywords:
software defined network,
source address validation,
binding table,
IPv6 security,
address assignment
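As an added illustration of the three mechanisms both abstracts above describe (AAM packet validation against a controller-side table, binding entry ageing with host-offline updating, and per-port rate limiting), the following Python class is constructed for this page and is not the paper's implementation; the method names, the (port, MAC, expiry) entry layout and the per-window packet counter that the caller is assumed to reset are all assumptions.

```python
class SaviBindingTable:
    """Controller-side SAVI binding table (constructed demo, not the paper's code)."""
    def __init__(self, lifetime=120.0, port_limit=5):
        self.lifetime = lifetime        # seconds a binding lives without refresh
        self.port_limit = port_limit    # AAM packets a port may send per window
        self.bindings = {}              # ip -> (port, mac, expires)
        self.pending = {}               # (port, mac) -> DHCPv6 transaction id
        self.counters = {}              # port -> AAM packets seen this window (caller resets)

    def _rate_limited(self, port):  # per-port AAM packet budget (DoS mitigation)
        self.counters[port] = self.counters.get(port, 0) + 1
        return self.counters[port] > self.port_limit

    def expire(self, now):  # drop stale entries so a host that left cannot be impersonated
        self.bindings = {ip: b for ip, b in self.bindings.items() if b[2] > now}

    def host_offline(self, port):  # port-down event: forget every binding on that port
        self.bindings = {ip: b for ip, b in self.bindings.items() if b[0] != port}

    def dhcpv6_request(self, port, mac, xid):
        if self._rate_limited(port):
            return "drop:rate-limit"
        self.pending[(port, mac)] = xid
        return "pending"

    def dhcpv6_reply(self, port, mac, xid, ip, now):
        # bind only if this port/MAC sent the matching request (rejects forged replies)
        if self.pending.get((port, mac)) != xid:
            return "drop:no-request"
        del self.pending[(port, mac)]
        return self._bind(port, mac, ip, now)

    def slaac_claim(self, port, mac, ip, now):  # NS (DAD) or NA with a self-configured address
        if self._rate_limited(port):
            return "drop:rate-limit"
        return self._bind(port, mac, ip, now)

    def _bind(self, port, mac, ip, now):
        self.expire(now)
        b = self.bindings.get(ip)
        if b is not None and b[:2] != (port, mac):
            return "drop:conflict"      # address already owned by another port/MAC
        self.bindings[ip] = (port, mac, now + self.lifetime)
        return "refresh" if b else "bind"

    def validate_source(self, port, mac, src_ip, now):
        # data-plane check: the source address must be bound to exactly this port/MAC
        self.expire(now)
        b = self.bindings.get(src_ip)
        return b is not None and b[:2] == (port, mac)
```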