Title

隨資料流的OpenFlow控制訊息機制 (An OpenFlow control message mechanism that follows the data flow)

Parallel title

Data Flow Aware OpenFlow Control Signaling System

Author

沈上翔(Shan-Hsiang Shen)

Keywords

Information security communications ; Security ; Software-defined networking ; Control plane

Journal

資訊安全通訊

Volume and issue / publication date

Vol. 24, No. 1 (2018 / 01 / 01)

Pages

73 - 90

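Language of content

Traditional Chinese

Abstract (Chinese)

In future 5G networks, software-defined networking will be widely used. However, software-defined networking relies on a central controller to issue commands to network switches to update their forwarding rules. While an update is in progress, there are still packets in flight in the network. The time and order in which the rule updates are applied at the different switches affect these in-flight packets in different ways, and may produce results other than those we expect and so cause security problems. How to ensure that every packet is processed by the correct switch rules therefore becomes an important problem in software-defined networking. This paper proposes a mechanism that performs rule updates along the data flow path. The control packets that update the rules are forwarded together with the data packets along the data packets' path, and update the rules of the switches along the way. Our method ensures that a packet uses the new rules for its whole path or the old rules for its whole path, which guarantees correctness and avoids network security problems. This paper also designs an arrangement of switch rules through which the control packets perform the updates along the path of the data packets.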

Abstract (English)

In the next-generation 5G networks, software-defined networking (SDN) will be widely used to manage ISP networks. The new SDN architecture raises new network security issues. To apply new policies, a central controller sends control messages to switches to update their forwarding rules. During the rule updates there are ongoing packets in the switches, so the sequence in which new rules are applied in the switches is crucial for policy correctness. However, the varying transmission latency between the controller and the switches makes it difficult to guarantee that all packets follow either a new policy or an old policy. To address this issue, we propose a novel data flow aware OpenFlow control signaling system (DOC). In DOC, SDN control messages for rule updates are forwarded along the same route as data packets and update the rules of the switches in sequence along the path. DOC can guarantee policy correctness and so avoid security issues during policy updates.

Subject classification: Basic and Applied Sciences > Information Science