Research and Implementation of Key Technologies in Secure Attached Networks
Published: 2018-04-15 20:45
Topic: Software-Defined Networking + mimic routing; Source: University of Electronic Science and Technology of China (電子科技大學), master's thesis, 2017
【Abstract】: SDN technology has revolutionized the existing network architecture, meeting the demands of reduced network complexity, cloud computing and big data. Researchers usually focus on the SDN network itself and give little consideration to the process of evolving a network towards SDN, in which traditional network devices and SDN devices will coexist in real networks for a long time. The generic, simple and efficient data plane of SDN, together with its architecture separating the control plane from the data plane, also offers new ideas for network routing security. At the same time, as network functions grow more complex, the network comes under the control of multiple users and multiple applications, and current open-source controllers still have shortcomings in supporting multiple users and applications. For these reasons, this thesis makes research attempts in two directions: routing security in hybrid SDN networks, and SDN network operating systems. It first studies layer-3 routing interworking between SDN networks and traditional IP networks, designing and implementing an OpenFlow routing controller that exchanges routing protocol information between the SDN network and the traditional IP network and forwards data packets correctly, which helps SDN technology be deployed in real networks. On this basis, the thesis introduces a routing decision layer between multiple OpenFlow routing controllers and the OpenFlow switches, forming a mimic routing system. This system renders the routing entities mimic, increasing the difficulty for a network attacker of probing routing entities for vulnerabilities, isolating routing entities that an attacker has paralysed or disrupted, and guaranteeing stable and correct network routing. However, as SDN networks develop and network functions become ever more complex, existing open-source controllers prove inadequate in the simplicity of their northbound interfaces and in their data persistence capabilities. In particular, network resources are virtualized, multiple users share them, and the network is controlled by multiple upper-layer network applications. Network rule conflicts may arise between these users and applications, causing inconsistent network management state, and may even be exploited by malicious applications or users to deliberately disrupt the network. The mimic routing system can only protect a single routing node and can do nothing about these situations. The thesis therefore goes on to study the implementation of a network operating system; for the problem of network rule conflict detection, it proposes a rule conflict detection algorithm based on state decomposition and implements it in this network operating system. System tests show that the mimic routing system of this thesis achieves routing interaction between SDN and traditional IP networks and makes the routing entities mimic, increasing the security of network routing; the network operating system simplifies the northbound interface, eases the development and deployment of upper-layer applications, and persists network state data, and its rule conflict detection module detects network rule conflicts accurately and efficiently.
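The routing decision layer described above, as an added illustrative example that is not code from the thesis: several OpenFlow routing controllers each propose a routing table, the layer majority-votes per prefix, passes only the agreed route towards the switch, and isolates any controller whose proposal deviates from the consensus. The controller names, prefixes, next hops and the quorum value are all constructed assumptions.

```python
# Added example (not the thesis's code): a toy routing decision layer in the
# spirit of the mimic routing system from the abstract. Each controller proposes
# a routing table {prefix: next_hop}; the layer votes per prefix and quarantines
# any controller that disagrees with the majority. All values are constructed.
from collections import Counter

QUORUM = 2  # assumed: minimum number of agreeing controllers to install a route


def vote_routes(proposals):
    """proposals: {controller_id: {prefix: next_hop}}.
    Returns (agreed_routes, suspects): agreed_routes maps prefix -> majority
    next hop; suspects holds controllers that disagreed with (or omitted)
    a route the majority agreed on."""
    prefixes = set()
    for table in proposals.values():
        prefixes.update(table)
    agreed, suspects = {}, set()
    for prefix in sorted(prefixes):
        votes = Counter(t.get(prefix) for t in proposals.values())
        next_hop, count = votes.most_common(1)[0]
        if next_hop is None or count < QUORUM:
            continue  # no quorum: install nothing rather than trust one entity
        agreed[prefix] = next_hop
        for cid, table in proposals.items():
            if table.get(prefix) != next_hop:
                suspects.add(cid)
    return agreed, suspects


class DecisionLayer:
    """Keeps the set of isolated controllers; their proposals are ignored."""

    def __init__(self):
        self.isolated = set()

    def decide(self, proposals):
        active = {c: t for c, t in proposals.items() if c not in self.isolated}
        agreed, suspects = vote_routes(active)
        self.isolated |= suspects  # quarantine the deviating routing entity
        return agreed


# Constructed sample: ctrl-c has been tampered with and proposes a bogus
# next hop for 10.2.0.0/16 while ctrl-a and ctrl-b agree.
SAMPLE = {
    "ctrl-a": {"10.1.0.0/16": "192.0.2.1", "10.2.0.0/16": "192.0.2.2"},
    "ctrl-b": {"10.1.0.0/16": "192.0.2.1", "10.2.0.0/16": "192.0.2.2"},
    "ctrl-c": {"10.1.0.0/16": "192.0.2.1", "10.2.0.0/16": "198.51.100.9"},
}

if __name__ == "__main__":
    layer = DecisionLayer()
    print(layer.decide(SAMPLE), "isolated:", layer.isolated)
```

A single controller never reaches quorum on its own, so a lone (possibly compromised) entity cannot push a route to the switch; once isolated, a controller stays ignored in later rounds even if it starts agreeing again.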
【Degree-granting institution】: University of Electronic Science and Technology of China (電子科技大學)
【Degree level】: Master
【Year degree awarded】: 2017
【Classification number】: TP393.0
Article ID: 1755703
Article link: http://sikaile.net/guanlilunwen/ydhl/1755703.html