A topology protection method for software-defined network

A software-defined network topology protection technology, applied in the fields of electrical components, advanced technology, climate sustainability, etc. It addresses the problems of a single detection object, security loopholes and poor compatibility in existing approaches, so as to protect topology security while ensuring network performance.

Active Publication Date: 2020-05-19
HUAZHONG UNIV OF SCI & TECH
Cites: 7; Cited by: 0

AI Technical Summary

Problems solved by technology

Among existing approaches: improving the current LLDP protocol by adding an HMAC (Hash-based Message Authentication Code) to verify the integrity of LLDP messages can detect packet forgery attacks, but it cannot detect packet replay attacks, and its detection object is too narrow, so it has clear limitations. Proposed new protocol types such as sOFTDP avoid the security loopholes of the topology discovery mechanism by design, but at the cost of changing the standard SDN topology discovery protocol: both the controller and the switch must be modified for the new protocol, so compatibility is poor. Designing and implementing a corresponding topology protection application requires only modifying the control plane, which offers good compatibility and needs no change to the protocol type; however, the existing applications of this kind have drawbacks. One scheme relies on sending data detection packets, which violates the original design intention of separating SDN forwarding from control. The other lacks a security mechanism for the link after a host goes dormant and leaves a large security hole. Moreover, neither of these two schemes offers any precaution against attacks launched on the switch.



Embodiment Construction

[0058] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention. In addition, the technical features involved in the various embodiments of the present invention described below can be combined with each other as long as they do not constitute a conflict with each other.

[0059] Before explaining the technical solution of the present invention in detail, the working principle of the LLDP protocol is first introduced. Figure 1 shows a simple SDN network topology, which includes an SDN controller and two switches S1 and S2. Switch S1 has two ports P1 and P2, switch S2 also has two ports P1 and P2, and port P2 of switch S1 is connect...



Abstract

The invention discloses a topology protection method for a software defined network (SDN). The method comprises the following steps: the port information of each surviving switch port is initialized and maintained; according to the gathered Packet-in messages, host state detection is carried out, and according to the host state detection result and the maintained port information, LLDP (Link Layer Discovery Protocol) packets are classified; for each class of LLDP packet, a corresponding attack detection method is adopted; if an attack packet is detected, the packet rule of the attack packet is recorded in real time in a filter rule of the controller, and attack defense is then realized by filtering on that packet rule; Packet-in messages on the data plane are gathered continuously, the maintained port information is updated according to the gathered Packet-in messages, and the attack detection and defense steps are executed repeatedly. Four classes of topology pollution attacks can be detected and defended against effectively and comprehensively, and the performance of the SDN is also ensured.
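The abstract describes a control-plane loop (maintain live ports, learn host ports from Packet-in traffic, classify returning LLDP packets, detect per class, record a filter rule for anything flagged), and the background notes that HMAC alone catches forgery but not replay. The Python sketch below is an added example, not code from the patent or its authors, showing how a controller application could implement that loop. Everything in it is an assumption of the example: the controller HMAC-signs the LLDP probes it emits with a key only it holds, each probe carries a controller-issued monotonic nonce so a replayed probe is recognisable, any port from which non-LLDP Packet-in traffic has been seen is treated as a host port, and the verdict names are the example's own, since this page does not enumerate the patent's four attack classes. The LLDP TLV wire format is not modelled.

```python
"""Controller-side LLDP probe verifier (constructed example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set, Tuple

LLDP_ETHERTYPE = 0x88CC                     # real EtherType of LLDP frames
CONTROLLER_KEY = b"constructed-demo-key"   # assumption: held only by the controller

Port = Tuple[str, int]            # (switch id, port number)
Rule = Tuple[str, int, str]       # (ingress switch, ingress port, claimed chassis)


@dataclass(frozen=True)
class LldpProbe:
    """Simplified probe the controller emits via Packet-out and gets back via Packet-in."""
    chassis_id: str   # switch the probe was sent out of
    port_id: int      # egress port on that switch
    nonce: int        # controller-issued counter; replay detection relies on it
    tag: str = ""     # HMAC-SHA256 over the three fields above

    def body(self) -> bytes:
        return f"{self.chassis_id}|{self.port_id}|{self.nonce}".encode()


def sign_probe(probe: LldpProbe, key: bytes = CONTROLLER_KEY) -> LldpProbe:
    """Attach the controller's HMAC before the probe leaves the control plane."""
    tag = hmac.new(key, probe.body(), hashlib.sha256).hexdigest()
    return LldpProbe(probe.chassis_id, probe.port_id, probe.nonce, tag)


class TopologyGuard:
    def __init__(self, key: bytes = CONTROLLER_KEY) -> None:
        self.key = key
        self.ports: Dict[Port, bool] = {}          # live port -> host traffic seen on it
        self.last_nonce: Dict[Port, int] = {}      # probe origin -> highest accepted nonce
        self.filter_rules: Set[Rule] = set()       # rules recorded for detected attack packets

    # Step 1 of the abstract: initialise and maintain information for each live port.
    def register_port(self, dpid: str, port: int) -> None:
        self.ports[(dpid, port)] = False

    # Step 2: host state detection from gathered Packet-in messages (assumption:
    # any non-LLDP frame arriving on a port marks it as a host port).
    def observe_packet_in(self, dpid: str, port: int, ethertype: int) -> None:
        if (dpid, port) in self.ports and ethertype != LLDP_ETHERTYPE:
            self.ports[(dpid, port)] = True

    # Step 3: classify the LLDP packet by the state of its ingress port.
    def classify(self, dpid: str, port: int) -> str:
        if (dpid, port) not in self.ports:
            return "unknown-port"
        return "host-port" if self.ports[(dpid, port)] else "switch-port"

    # Steps 4 and 5: per-class detection, then record a filter rule for attack packets.
    def inspect(self, probe: LldpProbe, in_dpid: str, in_port: int) -> str:
        rule: Rule = (in_dpid, in_port, probe.chassis_id)
        if rule in self.filter_rules:
            return "dropped:filtered"            # defence by packet-rule filtering
        verdict = self._detect(probe, in_dpid, in_port)
        if verdict != "accepted":
            self.filter_rules.add(rule)
        return verdict

    def _detect(self, probe: LldpProbe, in_dpid: str, in_port: int) -> str:
        kind = self.classify(in_dpid, in_port)
        if kind == "unknown-port":
            return "attack:unknown-port"        # LLDP from a port the controller never brought up
        if kind == "host-port":
            return "attack:host-port-injection"  # a host, not a switch, is emitting LLDP
        expected = hmac.new(self.key, probe.body(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, probe.tag):
            return "attack:forgery"              # content altered or not controller-issued
        origin: Port = (probe.chassis_id, probe.port_id)
        if probe.nonce <= self.last_nonce.get(origin, -1):
            return "attack:replay"               # valid tag, but a nonce already consumed
        self.last_nonce[origin] = probe.nonce
        return "accepted"


def run_demo() -> Dict[str, str]:
    """Constructed two-switch topology: S1 and S2 with ports 1 and 2, host on S2:2."""
    g = TopologyGuard()
    for dpid, port in (("S1", 1), ("S1", 2), ("S2", 1), ("S2", 2)):
        g.register_port(dpid, port)
    g.observe_packet_in("S2", 2, 0x0800)       # IPv4 frame seen on S2:2 -> host port

    genuine = sign_probe(LldpProbe("S1", 2, nonce=1))
    tampered = LldpProbe("S1", 2, nonce=3, tag=genuine.tag)   # fields changed, old tag kept
    from_s2 = sign_probe(LldpProbe("S2", 1, nonce=5))
    return {
        "genuine": g.inspect(genuine, "S2", 1),
        "host_port": g.inspect(sign_probe(LldpProbe("S1", 1, nonce=2)), "S2", 2),
        "forged": g.inspect(tampered, "S2", 1),
        "unknown": g.inspect(sign_probe(LldpProbe("S1", 2, nonce=4)), "S3", 1),
        "s2_first": g.inspect(from_s2, "S1", 1),
        "s2_replay": g.inspect(from_s2, "S1", 1),
        "s2_after_rule": g.inspect(sign_probe(LldpProbe("S2", 1, nonce=6)), "S1", 1),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>14}: {verdict}")
```

Two design points follow from the abstract rather than from this sketch. The controller can sign and verify its own probes without any change to the switches or to the OFDP/LLDP standard, which is the compatibility advantage the background attributes to a control-plane application. And because a recorded filter rule here is keyed on the ingress port plus the claimed chassis, a single flagged packet silences that port for that neighbour until the rule is removed; a deployment would need to age rules out or re-validate once the maintained port information changes, which is why the abstract's loop keeps gathering Packet-in messages and updating port state.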

Description

Technical field

[0001] The invention belongs to the field of software-defined network security, and more specifically relates to a topology protection method for software-defined networks.

Background technique

[0002] A software-defined network (SDN) achieves centralized network management and traffic scheduling by decoupling network control from data forwarding, and has therefore been widely adopted. Network topology discovery is the basis for the centralized management of software-defined networks. In a multi-tenant cloud data center network, network units such as access terminals and switches are increasingly virtualized. Such means can be used to gain control of resources such as access terminals and switches and then launch network topology pollution attacks that paralyze the entire network.

[0003] All current SDN controllers perform link discovery with the OFDP (OpenFlow Discovery Protocol) protocol, and the bottom layer of OFDP realizes data exchange based on the link...


Application Information

Patent Type & Authority: Patents (China)
IPC (8): H04L29/06
CPC: H04L63/0227, H04L63/1416, H04L63/1441, H04L63/1466, Y02D30/00
Inventors: 于俊清, 王兴, 李冬
Owner: HUAZHONG UNIV OF SCI & TECH