CN106209897A - Agent-based secure communication method for distributed multi-granularity software-defined network controllers - Google Patents
- Publication number: CN106209897A (application CN201610614132.2A)
- Authority: CN (China)
- Prior art keywords: domain, controller, message, inter, security
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The invention relates to an agent-based secure communication method for distributed multi-granularity software-defined network (SDN) controllers, in the field of inter-domain communication security for multi-domain SDN networks. The method designs a distributed multi-granularity security controller architecture, including the format of the message packets exchanged between controllers, and uses the connection between a controller domain and its inter-domain agent together with the connections between inter-domain agents to build a communication tunnel. Over that tunnel it completes neighbor discovery, two-step identity authentication and encrypted transmission between controllers, so that the controllers of a multi-domain network can communicate directly. The infrastructure consists of security controllers and inter-domain agents; the inter-domain agent hands control-plane messages down to the data plane for transport, which solves the problem of communication between independent control planes. A two-step authentication scheme for controller communication, based on a challenge-response mechanism and the DTLS protocol, defends against denial-of-service attacks and completes identity authentication, improving security.
Description
Technical field
The invention belongs to the technical field of inter-domain communication security in multi-domain SDN networks, and relates to an agent-based secure communication method for distributed multi-granularity software-defined network controllers.
Background
In recent years more and more researchers have turned to the problems of large-scale SDN deployment, including cooperation between multiple controllers in the control plane, partitioning of controller management areas, and load balancing. Where several SDN autonomous domains exist, routing between them has also received particular attention.
On scaling the intra-domain control plane there are results such as DIFANE, DevoFlow, HyperFlow and Onix. DIFANE targets the controller's performance bottleneck in real-time flow-table handling and installs flow entries in switches both proactively and reactively. In DIFANE some switches, called authority switches, are given a degree of flow-table management power; switches in the same region can request flow entries from an authority switch, and because it caches the high-priority flow entries pushed by the controller it takes processing load off the controller. DIFANE partitions switch regions by classifying flows on address, protocol, port and similar fields to form a flow space. DevoFlow addresses bandwidth consumption between controller and switch: it uses specially marked wildcard flow entries that cover a class of traffic and lets the switch refine them into per-flow entries, and a wildcard entry may be given several possible output ports so that forwarding according to a probability distribution implements multipath routing.
HyperFlow and Onix address the performance limits a single controller cannot overcome through distributed multi-controller control. HyperFlow assigns switches to different controllers, which share network topology information; sharing is done by publishing at irregular intervals over separate channels, with state updates implemented on top of the distributed file system WheelFS. HyperFlow can therefore only share infrequent information without tight real-time requirements. Onix designs a distributed-control SDN architecture that uses a distributed hash table as the basis for sharing and synchronizing network state, and a reliable distribution mechanism for fast-responding synchronized control.
The paper "Virtual routers as a service: the RouteFlow approach leveraging software-defined networks" proposes RouteFlow, a routing architecture for SDN: the controller maps physical switches to virtual switches, maintains a virtual topology, and computes routes with open-source routing software. The paper "OFBGP: A Scalable, Highly Available BGP Architecture for SDN" proposes OFBGP, a highly scalable and available BGP architecture for SDN networks, split into a BGP protocol module and a BGP decision module; running as a control-plane application it manages and controls intra-domain and inter-domain routing and recovers quickly from routing failures through backups.
The paper "WEBridge: west-east bridge for distributed heterogeneous SDN NOSes peering" studies SDN inter-domain interconnection in some detail, proposes an east-west bridging scheme for heterogeneous network operating systems (NOSes) in SDN, and designs the information to be exchanged. In that scheme inter-domain controllers communicate point to point and, besides exchanging routing information, share their network view (topology) with other autonomous domains to form a global view. DISCO, from the paper "DISCO: Distributed Multi-domain SDN Controllers", also gives a simple design for the east-west interaction between controllers to support cooperation between multi-domain controllers.
In multi-controller SDN scenarios many single-domain distributed control schemes have appeared and are relatively mature. For inter-domain interconnection there are some results on inter-domain routing and control-plane communication. Because of the nature of SDN, inter-domain interconnection is essentially realized through east-west communication between controllers, yet the way controllers communicate, and the security of that communication, has received little attention. Inter-domain security is a key issue for large-scale SDN deployment, so building secure communication between inter-domain distributed controllers is necessary.
Summary of the invention
In view of this, the object of the invention is to provide an agent-based secure communication method for distributed multi-granularity SDN controllers: design a distributed multi-granularity security controller architecture, including the format of the messages exchanged between controllers, and use the connection between a controller domain and its inter-domain agent together with the connections between inter-domain agents to build a communication tunnel, completing neighbor discovery, two-step identity authentication and encrypted transmission between controllers so that the controllers of a multi-domain network can communicate directly.
To achieve this object, the invention provides the following technical solution:
An agent-based secure communication method for distributed multi-granularity software-defined network controllers, comprising the following steps:
S1: Design and build a distributed multi-granularity controller architecture so that each SDN autonomous domain can take part in inter-domain communication. The architecture is divided into a basic control module, a multi-granularity security customization module and an enhanced security controller. The basic control module implements the basic functions required of an SDN controller; the multi-granularity security customization module implements security functions that can be customized within the controller; and the enhanced security controller addresses inter-domain security in a multi-network SDN environment.
S2: Under the architecture of step S1, design the message format of the secure communication method: all data exchanged between controllers is carried in Ethernet frames with the dedicated EtherType 0xEFEF, the payload retains the IP packet format, and the transport layer uses UDP.
S3: Neighbor discovery for secure connection establishment. Neighbor discovery is broadcast-based: the controller of each autonomous domain broadcasts its own information through the inter-domain agents. The controller hands its autonomous system (AS) number, whether it supports a secure tunnel, and the secure tunnel service port to the inter-domain agent, which encapsulates this in an Ethernet frame and forwards it to the neighboring autonomous domain. The neighbor discovery message has a custom format.
S4: Trusted authentication for secure connection establishment. When inter-domain controllers communicate, the path from controller to inter-domain agent and between inter-domain agents must be secured, so identity authentication between the controllers must be completed, and both controllers need to establish whether the other is trustworthy. Two-step authentication is therefore used, consisting of inter-domain agent authentication and certificate authentication.
S5: Tunnel establishment for secure connection establishment. While the multi-domain SDN network is running, the controller of each autonomous domain keeps broadcasting its information; after the controllers of other autonomous domains receive the broadcast, whichever controller wants to send a message initiates the connection.
Further, in step S1 the SDN security controller architecture is divided into a basic control module and a multi-granularity security customization module; the customizable security functions of the latter are mainly a threat defense module, a flow-table management module, a backup module and an application management module. In the enhanced security controller architecture, the inter-domain module mainly comprises security configuration, connection management, neighborhood management and inter-domain routing.
Further, in step S2 the inter-domain controller message format is: the first 8 bits are the message type, the following 32 bits are the message length (the whole UDP payload, in bytes), and the remainder is the message content. Message types are neighbor discovery, Keepalive and secure tunnel, with type identifiers 0x01, 0x02 and 0x03 respectively.
Further, in step S3 the controller hands its AS number, secure-tunnel support and secure-tunnel service port to the inter-domain agent, which encapsulates them in an Ethernet frame and forwards it to the neighboring autonomous domain. The neighbor discovery message format is:
The message type field is 0x01 and the message length is normally 10 bytes, i.e. 0x000A; the following fields are the AS number (32 bits), secure tunnel support (8 bits, 0x00 for unsupported, 0x01 for supported) and port number (16 bits, ignored when support is 0x00). Note that 10 bytes for this message, and 3 bytes for the Keepalive below, only add up if the length field occupies 16 bits; with the 32-bit length field stated above the totals would be 12 and 5 bytes, so an implementer must settle the field width from Figure 5 before interoperating.
After neighbor discovery the controller continually updates and maintains the information about neighboring autonomous domains. When no message has been received from a neighbor for a long time (Message Timeout), it sends a Keepalive message to confirm that the neighbor still exists; the neighbor's controller returns a Keepalive on receiving it, and if no reply arrives within the Keepalive Timeout the neighbor is considered gone. Message Timeout and Keepalive Timeout are set by each autonomous domain as it sees fit. The Keepalive type field is 0x02 and its length is normally 3 bytes, i.e. 0x0003.
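The message format of steps S2 and S3, as an added worked example written for this page (it is not code from the patent): a builder and a strict parser for the type/length header, the neighbor discovery and Keepalive bodies, and the EtherType 0xEFEF framing done by the inter-domain agent. The 16-bit length field is this example's assumption, chosen because it is the only width consistent with the 10-byte and 3-byte lengths the text gives; the IP/UDP headers that the patent keeps inside the frame are omitted.

```python
"""Inter-domain controller message format (patent steps S2/S3), editor's example.

Header: 8-bit message type, then the message length in bytes covering the whole
UDP payload.  The patent says the length field is 32 bits, but its worked
lengths (10 bytes for neighbor discovery, 3 for Keepalive) only add up with a
16-bit field, so that is what this example assumes.
"""
import struct
from typing import Optional

ETHERTYPE_CONTROLLER = 0xEFEF       # dedicated EtherType used by the inter-domain agents
MSG_NEIGHBOR_DISCOVERY = 0x01
MSG_KEEPALIVE = 0x02
MSG_SECURE_TUNNEL = 0x03

HEADER = struct.Struct("!BH")         # type (8 bits), length (16 bits, assumption above)
ND_BODY = struct.Struct("!IBH")       # AS number (32), tunnel support (8), tunnel port (16)
ETH_HEADER = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType


def build_message(msg_type: int, body: bytes = b"") -> bytes:
    """Prefix body with the type/length header; the length counts the header too."""
    return HEADER.pack(msg_type, HEADER.size + len(body)) + body


def build_neighbor_discovery(as_number: int, tunnel_port: Optional[int] = None) -> bytes:
    """tunnel_port=None means 'secure tunnel not supported' (flag 0x00, port field zeroed)."""
    if tunnel_port is None:
        return build_message(MSG_NEIGHBOR_DISCOVERY, ND_BODY.pack(as_number, 0x00, 0))
    return build_message(MSG_NEIGHBOR_DISCOVERY, ND_BODY.pack(as_number, 0x01, tunnel_port))


def build_keepalive() -> bytes:
    """Keepalive carries only the header: 0x02 0x0003."""
    return build_message(MSG_KEEPALIVE)


def parse_message(payload: bytes) -> dict:
    """Parse one UDP payload; reject anything whose length field disagrees with the bytes received."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated header")
    msg_type, length = HEADER.unpack_from(payload)
    if length != len(payload):
        raise ValueError(f"length field {length} != payload size {len(payload)}")
    body = payload[HEADER.size:]
    if msg_type == MSG_NEIGHBOR_DISCOVERY:
        if len(body) != ND_BODY.size:
            raise ValueError("bad neighbor discovery body")
        as_number, support, port = ND_BODY.unpack(body)
        if support not in (0x00, 0x01):
            raise ValueError("bad tunnel support flag")
        return {"type": "neighbor_discovery", "as": as_number,
                "tunnel": support == 0x01, "port": port if support else None}
    if msg_type == MSG_KEEPALIVE:
        if body:
            raise ValueError("keepalive carries no body")
        return {"type": "keepalive"}
    if msg_type == MSG_SECURE_TUNNEL:
        return {"type": "secure_tunnel", "payload": body}   # DTLS record for the DTLS stack
    raise ValueError(f"unknown message type 0x{msg_type:02x}")


def wrap_for_agent(dst_mac: bytes, src_mac: bytes, inner: bytes) -> bytes:
    """Ethernet framing done by the inter-domain agent (inner IP/UDP headers omitted here)."""
    return ETH_HEADER.pack(dst_mac, src_mac, ETHERTYPE_CONTROLLER) + inner


def unwrap_from_agent(frame: bytes) -> bytes:
    """Accept only frames carrying the controller EtherType; everything else is dropped."""
    if len(frame) < ETH_HEADER.size:
        raise ValueError("truncated Ethernet header")
    _dst, _src, ethertype = ETH_HEADER.unpack_from(frame)
    if ethertype != ETHERTYPE_CONTROLLER:
        raise ValueError(f"not a controller frame: EtherType 0x{ethertype:04x}")
    return frame[ETH_HEADER.size:]
```

The parser refuses a payload whose declared length does not equal the bytes actually received, so a truncated or padded neighbor discovery message cannot be mistaken for a valid one; a receiving controller should also rate-limit what it accepts per source, since neighbor discovery is unauthenticated broadcast and anyone on the inter-domain link can inject it.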
Further, in step S4 the two-step authentication proceeds as follows. When the inter-domain agent receives the handshake message from the controller initiating the request, it does not forward it immediately to the controller of its own autonomous domain but caches it first. It then sends an authentication challenge to the requester to verify that the requester has no attack intent. Only after the requesting controller has answered and the answer has been verified does the inter-domain agent forward the packet to its own controller, after which the handshake proceeds and completes certificate-based identity authentication. In the DTLS handshake both controllers need to establish whether the other is trustworthy, so strict mutual authentication is used.
Further, in step S5 the secure communication tunnel is established as follows:
S51: The controller constructs a neighbor discovery packet containing its AS number, secure-tunnel support and service port, and hands it to all its inter-domain agents; each agent encapsulates it in an Ethernet frame with EtherType 0xEFEF and forwards it.
S52: On receiving the broadcast, a controller parses the neighbor's AS number and secure-tunnel support from the message. If the peer does not support a secure tunnel, the information permitted to be shared is sent as plain UDP according to the security configuration. Either side may initiate the connection: a controller that has not received a connection request from the peer constructs a secure tunnel handshake message and, as client, initiates a secure tunnel connection request to the peer.
S53: Once the peer has received the secure tunnel handshake message as server, it no longer acts as client and initiates a request of its own. The two sides complete two-step identity verification and cipher negotiation based on inter-domain agent authentication and digital certificates; when both have verified the other's identity the secure communication tunnel is established, otherwise tunnel establishment fails and plain UDP is used instead. That fallback is a downgrade path: an attacker who can make the handshake fail forces the peers onto plain UDP, so the security configuration of S52 is what bounds which information may ever travel unprotected.
S54: From the moment a controller receives a broadcast from a neighboring autonomous domain's controller, it starts the Message Timeout timer (a long period with no message of any kind from that neighbor). When it expires the controller sends a Keepalive to the peer; if the peer does not return a Keepalive within the Keepalive Timeout, the peer is considered gone and the secure tunnel is no longer maintained.
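The neighbor-maintenance and role-selection logic of steps S52 to S54, as an added example written for this page rather than code from the patent. It keeps one entry per neighboring AS, drives the Message Timeout and Keepalive Timeout from a caller-supplied clock so the timers can be exercised deterministically, and applies the S52/S53 rule that either side may initiate but whoever receives a handshake first becomes the server. Two details the patent leaves open are filled in as labelled assumptions: a Keepalive that arrives while our own probe is outstanding is treated as the reply rather than as a new probe (otherwise two peers would answer each other forever), and simultaneous initiation by both sides is left unresolved.

```python
"""Neighbor table for the patent's Keepalive rules and tunnel role choice (S52-S54), editor's example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Neighbor:
    as_number: int
    supports_tunnel: bool
    tunnel_port: Optional[int]
    last_seen: float                           # time of the last message of any kind from this neighbor
    keepalive_sent_at: Optional[float] = None  # set while our Keepalive probe awaits a reply
    role: Optional[str] = None                 # "client" or "server" once a handshake is in flight


class NeighborTable:
    def __init__(self, message_timeout: float, keepalive_timeout: float):
        self.message_timeout = message_timeout      # Message Timeout, chosen per autonomous domain
        self.keepalive_timeout = keepalive_timeout  # Keepalive Timeout, likewise
        self.neighbors: Dict[int, Neighbor] = {}

    def _touch(self, n: Neighbor, now: float) -> None:
        """Any message from the neighbor restarts its Message Timeout and clears a pending probe."""
        n.last_seen = now
        n.keepalive_sent_at = None

    def on_neighbor_discovery(self, as_number: int, supports_tunnel: bool,
                              tunnel_port: Optional[int], now: float) -> Neighbor:
        """S51/S54: a broadcast creates or refreshes the entry and (re)starts the Message Timeout."""
        n = self.neighbors.get(as_number)
        if n is None:
            n = Neighbor(as_number, supports_tunnel, tunnel_port, now)
            self.neighbors[as_number] = n
        else:
            n.supports_tunnel, n.tunnel_port = supports_tunnel, tunnel_port
        self._touch(n, now)
        return n

    def on_keepalive(self, as_number: int, now: float) -> Optional[str]:
        """Return "send_keepalive" when the peer's Keepalive is a probe we must answer.

        Assumption (not in the patent): a Keepalive arriving while our own probe is
        outstanding is the reply to it, not a new probe, so it gets no answer."""
        n = self.neighbors.get(as_number)
        if n is None:
            return None                      # unknown neighbor: nothing to answer
        is_reply = n.keepalive_sent_at is not None
        self._touch(n, now)
        return None if is_reply else "send_keepalive"

    def on_tunnel_handshake(self, as_number: int, now: float) -> Optional[str]:
        """S53: receiving the peer's handshake makes us the server and we stop trying to be client.
        If we had already sent our own handshake the patent gives no tie-break; the role is kept."""
        n = self.neighbors.get(as_number)
        if n is None:
            return None
        self._touch(n, now)
        if n.role is None:
            n.role = "server"
        return n.role

    def choose_transport(self, as_number: int) -> str:
        """S52: plain UDP for peers without tunnel support; otherwise initiate unless the peer already did."""
        n = self.neighbors[as_number]
        if not n.supports_tunnel:
            return "plain_udp"
        if n.role is None:
            n.role = "client"
        return "initiate_handshake" if n.role == "client" else "await_handshake"

    def tick(self, now: float) -> List[Tuple[int, str]]:
        """Run the timers: probe silent neighbors, expire those that did not answer in time."""
        actions: List[Tuple[int, str]] = []
        for as_number, n in list(self.neighbors.items()):
            if n.keepalive_sent_at is None:
                if now - n.last_seen >= self.message_timeout:
                    n.keepalive_sent_at = now
                    actions.append((as_number, "send_keepalive"))
            elif now - n.keepalive_sent_at >= self.keepalive_timeout:
                del self.neighbors[as_number]     # S54: neighbor gone, stop maintaining its tunnel
                actions.append((as_number, "expire"))
        return actions
```

Because Keepalive and neighbor discovery are unauthenticated, an on-link attacker can keep a dead neighbor "alive" or, by suppressing replies, make a live one expire; in practice the liveness decision for a tunneled neighbor should be taken from traffic inside the DTLS tunnel rather than from these plaintext messages.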
The beneficial effect of the invention is as follows. The invention designs a secure communication method between distributed multi-granularity controllers in which the infrastructure consists of security controllers and inter-domain agents; the inter-domain agent hands control-plane messages down to the data plane for transport, which solves the problem of communication between independent control planes. At the same time, a two-step authentication scheme for controller communication based on a challenge-response mechanism and the DTLS protocol defends against denial-of-service attacks and completes identity authentication, improving security.
Description of drawings
To make the object, technical solution and beneficial effects of the invention clearer, the following drawings are provided:
Figure 1 is the overall flow chart of the scheme of the invention;
Figure 2 is the distributed controller communication architecture;
Figure 3 is the enhanced security controller;
Figure 4 is the granularity division of inter-domain security services;
Figure 5 is the inter-domain controller packet format;
Figure 6 is the neighbor discovery message format;
Figure 7 is the Keepalive message format;
Figure 8 is the two-step authentication flow chart;
Figure 9 is the flow chart of the secure tunnel establishment process.
Detailed description
Preferred embodiments of the invention are described in detail below with reference to the drawings.
Figure 1 is the overall flow chart of the scheme. As shown there, the secure communication method for distributed multi-granularity controllers, with border switches acting as inter-domain agents, consists of five steps. Step one: design and build a distributed multi-granularity controller architecture made up of a basic control module, a multi-granularity security customization module and an enhanced security controller, so that each SDN autonomous domain can take part in inter-domain communication. Step two: under the architecture of step one, design the message format of the secure communication method; all data exchanged between controllers is carried in Ethernet frames with the dedicated EtherType 0xEFEF, the payload retains the IP packet format, and the transport layer uses UDP. Step three: neighbor discovery for secure connection establishment; the controller hands its AS number, secure-tunnel support and secure-tunnel service port to the inter-domain agent, which encapsulates them in an Ethernet frame and forwards it to the neighboring autonomous domain, using a custom neighbor discovery message format. Step four: trusted authentication for secure connection establishment; when inter-domain controllers communicate, both need to establish whether the other is trustworthy, so mutual authentication is used. Step five: tunnel establishment for secure connection establishment; while the multi-domain SDN network is running, the controller of each autonomous domain keeps broadcasting its information, and after the controllers of other autonomous domains receive the broadcast, whichever controller wants to send a message initiates the connection.
Figure 2 shows the distributed controller communication architecture. For interconnection the multi-domain SDN architecture uses software border routing, run as an application in the control plane. The OpenFlow border switch that connects two SDN autonomous domains acts as the inter-domain agent: the connections from controller to border switch, and between border switches, are used to form a secure communication tunnel between the controllers of different autonomous domains.
To meet the requirements of controller interconnection in a multi-domain SDN network, an inter-domain module is added to the security controller architecture, giving the enhanced security controller architecture. The inter-domain module mainly comprises security configuration, connection management, neighborhood management and inter-domain routing; its basic structure is shown in Figure 3. Figure 4 shows the granularity division of inter-domain security services.
Under the architecture of step one, the message format of the secure communication method is designed as follows: all data exchanged between controllers is carried in Ethernet frames with the dedicated EtherType 0xEFEF, the payload retains the IP packet format, and the transport layer uses UDP. The inter-domain controller packet format is shown in Figure 5: the first 8 bits are the message type, the following 32 bits are the message length (the whole UDP payload, in bytes), and the remainder is the message content. Message types are neighbor discovery, Keepalive and secure tunnel, with type identifiers 0x01, 0x02 and 0x03 respectively.
In the controller's secure communication method, establishing a secure connection goes through three steps: neighbor discovery, trusted authentication and tunnel establishment.
First, after a controller has broadcast its information to its neighbors, either side initiates the secure tunnel connection, and the secure communication tunnel is established once both sides have authenticated each other. Neighbor discovery is broadcast-based: the controller of each autonomous domain broadcasts its own information through the inter-domain agents. The controller hands its AS number, secure-tunnel support and secure-tunnel service port to the inter-domain agent, which encapsulates them in an Ethernet frame and forwards it to the neighboring autonomous domain. The custom neighbor discovery message format is shown in Figure 6: the message type field is 0x01 and the message length is normally 10 bytes (i.e. 0x000A); the following fields are the AS number (32 bits), secure tunnel support (8 bits, 0x00 for unsupported, 0x01 for supported) and port number (16 bits, ignored when support is 0x00). After neighbor discovery the controller continually updates and maintains the information about neighboring autonomous domains. When no message has been received from a neighbor for a long time (Message Timeout), it sends a Keepalive message to confirm that the neighbor still exists; the neighbor's controller returns a Keepalive on receiving it, and if no reply arrives within the Keepalive Timeout the neighbor is considered gone. Message Timeout and Keepalive Timeout are set by each autonomous domain as it sees fit. The Keepalive message contains only the type and length fields; its format is shown in Figure 7.
Second is trusted authentication. In the inter-domain communication architecture of the present invention, a two-step authentication protocol based on the Client Puzzle idea and DTLS completes identity authentication and encrypted transmission between controllers. During inter-domain controller communication, the links from controller to inter-domain agent and between the inter-domain agents must be secured, so identity authentication between the controllers must be completed; both controllers need to establish whether the other is trustworthy, hence two-step authentication. The two steps are inter-domain agent authentication and certificate authentication. When an inter-domain agent receives the handshake message from the controller initiating the request, it does not forward it immediately to the controller of its own domain but caches it first. The agent then sends an authentication request to the requester to verify that the requester has no attack intent. Only after the requesting controller has produced the answer and passed verification does the agent begin forwarding the packets to its domain's controller, after which the handshake proceeds and certificate-based identity authentication is completed.
In the DTLS handshake, normally only the server is authenticated, but in the architecture of the present invention both controllers need to establish the other's trustworthiness, so strict mutual authentication is used. The authentication process is shown in Figure 8.
Inter-domain agent authentication hinges on three quantities: the random number R, the difficulty coefficient D and the answer A. The authentication scheme therefore focuses on the generation of R and the verification of A's correctness.
The scheme generates R with a one-way hash function. Because the security of MD5 and SHA-1 is increasingly challenged, the present invention uses SHA-256. R is derived from the AS number AS_I and NIC MAC address MAC_I of the autonomous domain of the requesting inter-domain agent, the AS number AS_R and NIC MAC address MAC_R of the receiver, and a random number M:
R = SHA-256(MAC_I || MAC_R || AS_I || AS_R || M)   (1)
The responder solves the authentication request by repeated trials of a solving function, which uses SHA-1 to search for a correct answer A given the difficulty coefficient D, the random number R and both AS numbers (AS_I, AS_R):
Psolve(SHA-1(R || AS_I || AS_R || A), D) = 0   (2)
To verify an authentication answer, first check that the random number R matches; if it does not, the message is not a response to the corresponding request. Then verify the correctness of A with the solving algorithm.
The requester generates an authentication request as follows:
1) Generate the difficulty coefficient D;
2) Take the responder's AS number AS_R from the neighbour list and generate the random number M;
3) Compute the random number R with formula (1);
4) Put R and D into the authentication request message and send it to the responder.
The responder answers an authentication request as follows:
1) Extract the random number R and the difficulty coefficient D from the request message;
2) Using the solving function (formula (2)), search exhaustively for an answer A that meets the requirement;
3) Put R, D and A into the authentication response message and send it back to the requester.
The authentication answer is verified as follows:
1) Extract the random number R, the difficulty coefficient D and the answer A from the response message;
2) Check that R matches the one that was sent; if not, ignore the response, otherwise continue;
3) Verify the correctness of A with formula (2).
During communication between controllers, the controller's security rests mainly on the two-step authentication scheme, which is what defends against attacks aimed at the controller. For ease of analysis the two stages of the method are given symbols: δ denotes inter-domain agent authentication, and certificate identity authentication is denoted by a second symbol that does not survive in the source text; below it is referred to as the certificate protocol.
Protocol δ proceeds as follows:
1) Connection request: C_I sends a connection establishment request to C_R.
2) Authentication request: on receiving the request, A_R generates the random number M, computes R = SHA-256(MAC_I || MAC_R || AS_I || AS_R || M) and, according to the difficulty D, sends the message (R, D) to C_I.
3) Authentication response: C_I computes an answer A satisfying Psolve(SHA-1(R || AS_I || AS_R || A), D) = 0 and sends the message (R, D, A) to A_R.
4) Trust verification: A_R checks that R and D are consistent with what it issued and that A is correct.
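The puzzle exchange of protocol δ, covering formulas (1) and (2) together with the request, answer and verification steps listed above, is worked through below as an added example; it is not the patent's own code. The text does not define Psolve, the field encodings or the size of M, so this example assumes Psolve(h, D) = 0 means the first D bits of the digest h are zero, encodes AS numbers as 4-byte and MAC addresses as 6-byte big-endian fields, draws M as 16 random bytes (N = 128) and represents A as an 8-byte counter.

```python
"""Client-puzzle exchange of protocol δ between the inter-domain agent A_R
(issues and verifies) and the initiating controller C_I (solves).

Added example, not the patent's own code. Assumptions not fixed by the
text: Psolve(h, D) = 0 means the leading D bits of digest h are zero; AS
numbers are 4-byte and MAC addresses 6-byte big-endian fields; M is 16
random bytes (N = 128); the answer A is an 8-byte big-endian counter.
"""
import hashlib
import os
import struct


def _as_field(as_number: int) -> bytes:
    """32-bit AS number as 4 network-order bytes."""
    return struct.pack("!I", as_number)


def make_random_number(mac_i: bytes, mac_r: bytes, as_i: int, as_r: int, m: bytes) -> bytes:
    """Formula (1): R = SHA-256(MAC_I || MAC_R || AS_I || AS_R || M)."""
    if len(mac_i) != 6 or len(mac_r) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hashlib.sha256(mac_i + mac_r + _as_field(as_i) + _as_field(as_r) + m).digest()


def psolve(digest: bytes, difficulty: int) -> int:
    """Assumed Psolve: 0 when the leading `difficulty` bits of digest are zero, else 1."""
    bits = len(digest) * 8
    if not 0 <= difficulty <= bits:
        raise ValueError("difficulty must be between 0 and the digest length in bits")
    value = int.from_bytes(digest, "big")
    return 0 if value >> (bits - difficulty) == 0 else 1


def puzzle_hash(r: bytes, as_i: int, as_r: int, answer: bytes) -> bytes:
    """Inner hash of formula (2): SHA-1(R || AS_I || AS_R || A)."""
    return hashlib.sha1(r + _as_field(as_i) + _as_field(as_r) + answer).digest()


def solve(r: bytes, as_i: int, as_r: int, difficulty: int, max_tries: int = 1 << 32) -> bytes:
    """C_I's side: try counters exhaustively until formula (2) holds (about 2^D trials)."""
    for counter in range(max_tries):
        answer = struct.pack("!Q", counter)
        if psolve(puzzle_hash(r, as_i, as_r, answer), difficulty) == 0:
            return answer
    raise RuntimeError("no solution within max_tries")


class InterDomainAgent:
    """A_R: issues one puzzle per pending connection request and verifies answers."""

    def __init__(self, mac_r: bytes, as_r: int, difficulty: int):
        self.mac_r = mac_r
        self.as_r = as_r
        self.difficulty = difficulty
        self.pending = {}  # R -> (AS_I, D) for outstanding challenges

    def issue_challenge(self, mac_i: bytes, as_i: int):
        """Step 2 of δ: fresh M, R from formula (1), send (R, D)."""
        m = os.urandom(16)  # N = 128 bits, assumed size
        r = make_random_number(mac_i, self.mac_r, as_i, self.as_r, m)
        self.pending[r] = (as_i, self.difficulty)
        return r, self.difficulty

    def verify_answer(self, r: bytes, difficulty: int, answer: bytes) -> bool:
        """Step 4 of δ: R must be one we issued, D must be unchanged, A must satisfy (2)."""
        pending = self.pending.get(r)
        if pending is None:           # not a response to any request we made: ignore
            return False
        as_i, issued_d = pending
        if difficulty != issued_d:    # a response echoing a weaker D is rejected
            return False
        if psolve(puzzle_hash(r, as_i, self.as_r, answer), difficulty) != 0:
            return False
        del self.pending[r]           # one-shot: the same (R, A) pair cannot be replayed
        return True
```

Two details matter beyond the formulas themselves: the agent checks the echoed D against the value it issued rather than trusting the response, and it forgets R once a correct answer is accepted, so an answer cannot be replayed to get a second handshake forwarded.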
The certificate protocol proceeds as follows:
1) Certificate transmission: C_R sends C_I its digital certificate Cert_R = (Info_R || Sign_R), where Sign_R = Enc(SHA(Info_R), PriK_R).
2) Identity verification: C_I requests the public key PubK_R from CA_R and checks whether the decrypted signature Dec(Sign_R, PubK_R) equals the certificate hash SHA(Info_R).
3) Certificate transmission: C_I sends C_R its digital certificate Cert_I = (Info_I || Sign_I), where Sign_I = Enc(SHA(Info_I), PriK_I).
4) Identity verification: C_R requests the public key PubK_I from CA_I and checks whether the decrypted signature Dec(Sign_I, PubK_I) equals the certificate hash SHA(Info_I).
In protocol δ, the input used to generate the random number R is the concatenation of AS_I, MAC_I, AS_R, MAC_R and the random number M. Assume an IPv4 environment in which these are fixed-width fields (32-bit AS numbers, 48-bit MAC addresses) and M is a varying random N-bit string. The binary length of (MAC_I || MAC_R || AS_I || AS_R || M) is then 2×32 + 2×48 + N = 160 + N bits. The answer A can take 2^D values, so an attacker guessing at random succeeds with probability only 2^(D−(160+N)). At the same time, current security analysis of SHA-256 shows that mounting a collision attack is also very difficult. δ therefore meets the security requirement.
In the certificate protocol, the reliability of Cert depends on the confidentiality of the CA private key PriK and on the encrypted signature Sign. Because Sign is based on asymmetric encryption, Sign can be decrypted with PubK while PriK remains private. If an attacker maliciously modifies the certificate content, SHA(Info) changes and the result of Dec(Sign, PubK) no longer matches it; so as long as PriK is kept strictly secret, the certificate protocol is highly reliable.
In summary, the attack resistance of protocol δ and the reliability of the certificate protocol guarantee both the effectiveness and the security of the two-step authentication method.
Finally, tunnel establishment. While the SDN multi-domain network runs, each autonomous domain's controller keeps broadcasting its information; when a controller in another domain receives the broadcast, the controller that wants to send messages initiates the connection. Establishing the secure communication tunnel involves:
1) The controller builds a neighbour discovery packet containing its own AS number, its secure tunnel support and its service port, and sends it to all of its inter-domain agents, which encapsulate it in an Ethernet frame with type 0xEFEF and forward it.
2) On receiving a broadcast, the controller parses the adjacent domain's AS number and secure tunnel support from the peer's message. If the peer does not support the secure tunnel, the information that is allowed to be shared is sent as plain UDP in accordance with the security configuration. Either side may initiate the connection: if a controller has not received a connection request from the peer, it builds a secure tunnel handshake message and, acting as client, sends the peer a secure tunnel connection request.
3) Once the peer has received the secure tunnel handshake message as server, it no longer initiates a request of its own as client. The two sides complete two-step identity verification and encryption negotiation based on inter-domain agent authentication and digital certificates. When both have confirmed the other's identity, the secure communication tunnel is established; otherwise tunnel establishment fails and plain UDP is used instead.
4) From the moment a controller receives a broadcast from the adjacent domain's controller, it starts the Message Timeout timer (i.e. the period during which no message from that neighbour has been received). When it expires, a Keepalive message is sent to the peer; if the peer does not return a Keepalive within the Keepalive Timeout, the peer is considered gone and the secure tunnel is no longer maintained.
The secure tunnel establishment process is shown in Figure 9.
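Step 4 of the procedure describes two chained timers per neighbour: a Message Timeout that is reset by any traffic from the neighbour and, once it expires, a Keepalive Timeout that decides whether the neighbour and its tunnel are dropped. The neighbour table below implements that logic as an added example (not the patent's code); the clock is injected so the timeline can be replayed deterministically, and the 30 s / 10 s timeout values and the AS numbers are constructed for the example, since the text leaves the timeouts to each domain's own choice.

```python
"""Neighbour liveness tracking from step 4 of the tunnel establishment
procedure: Message Timeout starts when the neighbour's message arrives, a
Keepalive is sent when it expires, and the neighbour (and its secure tunnel)
is dropped if no Keepalive comes back within the Keepalive Timeout.

Added example, not the patent's own code. Timeout values, AS numbers and
the injected clock are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Neighbor:
    as_number: int
    tunnel_up: bool               # whether a secure tunnel is currently maintained
    last_seen: float              # time of the last message from this neighbour
    keepalive_sent_at: Optional[float] = None   # set while waiting for a Keepalive reply


class NeighborTable:
    def __init__(self, message_timeout: float, keepalive_timeout: float):
        self.message_timeout = message_timeout
        self.keepalive_timeout = keepalive_timeout
        self.neighbors: Dict[int, Neighbor] = {}
        self.sent_keepalives: List[int] = []   # stand-in for the wire: AS numbers we pinged
        self.torn_down: List[int] = []         # AS numbers whose secure tunnel was dropped

    def on_message(self, as_number: int, now: float, tunnel_up: Optional[bool] = None) -> None:
        """Any message from the neighbour (broadcast, data or Keepalive reply)
        restarts its Message Timeout and cancels a pending Keepalive wait."""
        nb = self.neighbors.get(as_number)
        if nb is None:
            nb = Neighbor(as_number, bool(tunnel_up), now)
            self.neighbors[as_number] = nb
        nb.last_seen = now
        nb.keepalive_sent_at = None
        if tunnel_up is not None:
            nb.tunnel_up = tunnel_up

    def tick(self, now: float) -> List[int]:
        """Advance the timers; returns the AS numbers removed in this tick."""
        removed = []
        for as_number, nb in list(self.neighbors.items()):
            if nb.keepalive_sent_at is None:
                # Message Timeout: silence long enough to ask whether the neighbour is alive
                if now - nb.last_seen >= self.message_timeout:
                    nb.keepalive_sent_at = now
                    self.sent_keepalives.append(as_number)
            elif now - nb.keepalive_sent_at >= self.keepalive_timeout:
                # Keepalive Timeout with no reply: neighbour is gone, stop maintaining its tunnel
                if nb.tunnel_up:
                    self.torn_down.append(as_number)
                del self.neighbors[as_number]
                removed.append(as_number)
        return removed

    def is_alive(self, as_number: int) -> bool:
        return as_number in self.neighbors


def run_scenario() -> dict:
    """Constructed timeline: neighbour 64512 answers its Keepalive, 64513 never does."""
    table = NeighborTable(message_timeout=30.0, keepalive_timeout=10.0)
    table.on_message(64512, now=0.0, tunnel_up=True)
    table.on_message(64513, now=0.0, tunnel_up=True)
    table.tick(now=29.0)                     # still inside Message Timeout: nothing sent
    early_sent = len(table.sent_keepalives)
    table.tick(now=30.0)                     # both Message Timeouts expire: Keepalives go out
    table.on_message(64512, now=35.0)        # 64512 replies, its timers reset
    removed = table.tick(now=40.0)           # 64513 silent for the whole Keepalive Timeout
    return {"early_sent": early_sent, "sent": list(table.sent_keepalives),
            "removed": removed, "torn_down": list(table.torn_down),
            "alive": sorted(table.neighbors)}
```

Note that a Keepalive reply is just another message, so `on_message` handles it; the table never extends a neighbour's life on its own activity, only on traffic actually received from that neighbour.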
Finally, it should be noted that the preferred embodiments above only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail through these preferred embodiments, those skilled in the art should understand that various changes in form and detail may be made without departing from the scope defined by the claims.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610614132.2A CN106209897B (en) | 2016-07-28 | 2016-07-28 | Agent-based secure communication method for distributed multi-granularity controller of software defined network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106209897A true CN106209897A (en) | 2016-12-07 |
| CN106209897B CN106209897B (en) | 2020-04-07 |
Family
ID=57497487
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610614132.2A Active CN106209897B (en) | 2016-07-28 | 2016-07-28 | Agent-based secure communication method for distributed multi-granularity controller of software defined network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106209897B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140075498A1 (en) * | 2012-05-22 | 2014-03-13 | Sri International | Security mediation for dynamically programmable network |
| CN103718519A (en) * | 2011-08-11 | 2014-04-09 | 瑞典爱立信有限公司 | Implementing OSPF in split architecture networks |
| CN103905523A (en) * | 2013-12-23 | 2014-07-02 | 浪潮(北京)电子信息产业有限公司 | Cloud computing network virtualization method and system based on SDN |
| CN104243496A (en) * | 2014-10-11 | 2014-12-24 | 北京邮电大学 | Software defined network cross-domain security agent method and software defined network cross-domain security agent system |
| CN104468633A (en) * | 2014-12-31 | 2015-03-25 | 蓝盾信息安全技术股份有限公司 | SDN southing security proxy product |
| CN104869021A (en) * | 2015-05-22 | 2015-08-26 | 清华大学 | Multi-granularity multi-domain heterogeneous optical network resource allocation method |
Non-Patent Citations (2)
| Title |
|---|
| FENGJUN SHANG et al.: "A Software-Defined Networking Security Controller Architecture", 4th International Conference on Machinery, Materials and Computing Technology (ICMMCT 2016) |
| KÉVIN PHEMIUS et al.: "DISCO: Distributed Multi-Domain SDN Controllers", arXiv:1308.6138v2 [cs.NI] |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106911573A | 2017-02-28 | 2017-06-30 | 郑州云海信息技术有限公司 | Method and apparatus for processing a forwarding flow table |
| CN108881131A | 2017-06-23 | 2018-11-23 | 中国人民解放军理工大学 | Efficient handover mechanism for host identity authentication information in an SDN multi-domain mobile network environment |
| CN108881131B | 2017-06-23 | 2021-01-08 | 中国人民解放军理工大学 | Efficient handover mechanism for host identity authentication information in an SDN multi-domain mobile network environment |
| CN108173827B | 2017-12-22 | 2020-09-08 | 南京邮电大学 | Blockchain-inspired security authentication method for a distributed SDN control plane |
| CN109450794B | 2018-12-11 | 2021-02-23 | 上海云轴信息科技有限公司 | Communication method and device based on an SDN network |
| CN109450794A | 2018-12-11 | 2019-03-08 | 上海云轴信息科技有限公司 | Communication method and device based on an SDN network |
| CN110380963A | 2019-01-17 | 2019-10-25 | 重庆邮电大学 | Efficient and fast-converging neighbour discovery scheme |
| CN110380963B | 2019-01-17 | 2021-07-06 | 重庆邮电大学 | Efficient and fast-converging neighbour discovery method |
| US11811511B2 | 2019-05-20 | 2023-11-07 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for communication between controllers in TSN |
| WO2020233430A1 | 2019-05-20 | 2020-11-26 | 华为技术有限公司 | Method, apparatus and system for communication between controllers in TSN |
| CN110417758A | 2019-07-15 | 2019-11-05 | 中国人民解放军战略支援部队信息工程大学 | Secure neighbour discovery operation mode detection method based on certificate requests |
| CN110839036A | 2019-11-19 | 2020-02-25 | 武汉思普崚技术有限公司 | Attack detection method and system for SDN (software defined network) |
| CN110839036B | 2019-11-19 | 2021-09-03 | 武汉思普崚技术有限公司 | Attack detection method and system for SDN (software defined network) |
| CN110839037A | 2019-11-19 | 2020-02-25 | 武汉思普崚技术有限公司 | Attack scenario mining method and system for SDN networks |
| CN113364729A | 2021-04-07 | 2021-09-07 | 苏州瑞立思科技有限公司 | User authentication method based on UDP proxy protocol |
| CN113364729B | 2021-04-07 | 2023-11-21 | 苏州瑞立思科技有限公司 | User authentication method based on UDP proxy protocol |
| CN115051984A | 2021-11-22 | 2022-09-13 | 厦门大学 | Distributed data plane verification method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106209897B (en) | 2020-04-07 |
Legal Events
| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |