Software Defined Networking: Security Model, Threats and Mechanism
Author:
Fund Project:

National Key Basic Research Program (973) (2012CB315905); National Natural Science Foundation of China (61272501, 61402029, 61370190)

    Abstract:

    Software defined networking (SDN) facilitates rapid and open innovation by decoupling the control plane from the data plane, thus enabling a high degree of openness and programmability in network protocols and applications. However, the dynamism of programmable networks also introduces new security challenges, which limit the large-scale deployment and application of SDN in many scenarios. This paper presents a comprehensive survey on the security of SDN. First, the SDN architecture and the security model of SDN are reviewed. Next, typical security threats and security issues of SDN are summarized and classified from the following two aspects: SDN-specific and non-specific threats, and the security issues associated with the SDN framework. Then an in-depth analysis is provided on the latest developments in how to build a secure and dependable SDN from the following six aspects: building a secure SDN controller or network operating system, the modular composable security services for SDN, DoS/DDoS flooding attack prevention and detection for SDN controllers, conflict resolution and consistency resolution for flow rules in SDN, the security of the northbound application programming interface (API), and the security of applications in SDN. Finally, a brief analysis of the standardization work on SDN security is provided, along with a discussion of future research trends in building a more secure SDN.

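Cite this article

Wang Mengmeng, Liu Jianwei, Chen Jie, Mao Jian, Mao Kefei. Software defined networking: Security model, threats and mechanism. Ruan Jian Xue Bao/Journal of Software, 2016,27(4):969-992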

History
  • Received: 2015-05-18
  • Last revised: 2015-08-17
  • Published online: 2016-01-07