Research on Key Technologies of an SDN Secure Communication Architecture
Topic: software-defined networking. Angle: security architecture. Source: University of Electronic Science and Technology of China (電子科技大學(xué)), 2016 master's thesis. Document type: degree thesis.
【Abstract】: The rapid development of cloud computing, the mobile Internet, the Internet of Things and related technologies has brought a new round of change in IT, and with it an urgent need for a scalable, manageable and secure approach to network management. The separation of control and forwarding in SDN (software-defined networking) shows unique advantages for this problem, but security problems in the SDN architecture hinder its adoption. This thesis analyzes the characteristics and weaknesses of the existing SDN architecture. To address the lack of authentication among devices, applications and the controller in the existing architecture, it proposes an SDN secure communication architecture. Building on this architecture, it gives a solution for application isolation and puts forward the notion of "network structure evolution". The new architecture greatly increases the flexibility with which SDN security can be implemented. The main research content is as follows. First, guaranteeing the legitimacy of network entities: in view of the characteristics of the SDN architecture and its security problems, a dynamic-password entity authentication scheme is proposed and applied to the SDN southbound and northbound interfaces, solving the identity authentication problem between the controller and switching devices and between the controller and applications. Second, deploying multiple controllers: a single controller is the original prototype of the SDN architecture, and in that setting the control layer is vulnerable to network attack, the controller becomes a single point of failure, and the whole network can be paralyzed. To address this weakness, and building on prior work, the thesis proposes a proxy-based controller management scheme in which a proxy assigns controllers to switches, reducing the likelihood of such attacks; the scheme also offers a new perspective for multi-controller research. Third, identifying, classifying and separating network applications: applications are the "mind" of an SDN network, so their security is critical and bears directly on the security of the whole network. The proposed architecture supports classified isolation of applications and management of their privileges. Under it the application layer is flexible: applications of different classes hold different privilege levels, and each privilege is confined to a controllable privilege domain. If applications are intuitively divided into business applications and security applications, the two kinds are separated from each other, and security applications hold higher privileges than business applications. The architecture thus allows privileges in the application layer to be deployed flexibly. Finally, three example applications of the architecture are designed, leading to the concept of "network structure evolution".
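As an added illustration, not code from the thesis, the following Python sketch shows one way the application-layer privilege model described in the abstract could be enforced at a controller's northbound interface. It assumes (these are constructed choices) that a privilege domain is the set of switches an application may program, that class names are "business" and "security", and that a request is refused when it falls outside the application's domain or would overwrite a rule owned by a higher-privilege application.

```python
from dataclasses import dataclass

# Assumed application classes and privilege levels; the thesis only states that
# security applications rank above business applications (values are constructed).
PRIVILEGE = {"business": 1, "security": 2}


@dataclass(frozen=True)
class App:
    name: str
    app_class: str        # "business" or "security"
    domain: frozenset     # privilege domain: switch IDs this app may program (assumed)


@dataclass
class FlowRule:
    switch: str
    match: str
    action: str
    owner: str
    level: int


class NorthboundGate:
    """Authorises northbound flow-rule requests by application class and domain."""

    def __init__(self):
        self.apps = {}
        self.rules = {}   # (switch, match) -> FlowRule currently installed

    def register(self, app):
        if app.app_class not in PRIVILEGE:
            raise ValueError(f"unknown application class: {app.app_class}")
        self.apps[app.name] = app

    def install(self, app_name, switch, match, action):
        app = self.apps.get(app_name)
        if app is None:
            return "denied: unregistered application"
        if switch not in app.domain:
            return "denied: switch outside privilege domain"
        level = PRIVILEGE[app.app_class]
        current = self.rules.get((switch, match))
        # A lower-privilege app may not overwrite a rule owned by a higher one;
        # equal or higher privilege replaces it (security apps override business apps).
        if current is not None and current.level > level:
            return "denied: rule owned by higher-privilege application"
        self.rules[(switch, match)] = FlowRule(switch, match, action, app_name, level)
        return "installed"

    def owner_of(self, switch, match):
        rule = self.rules.get((switch, match))
        return None if rule is None else rule.owner
```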
【Degree-granting institution】: University of Electronic Science and Technology of China (電子科技大學(xué))
【Degree level】: Master
【Year awarded】: 2016
【Classification number】: TP393.02
Thesis record: 劉洋 (Liu Yang), Research on Key Technologies of an SDN Secure Communication Architecture [D], University of Electronic Science and Technology of China, 2016.
Record number: 1587986
Link: http://sikaile.net/guanlilunwen/ydhl/1587986.html