软件定义网络中基于密码标识的报文转发验证机制

针对软件定义网络(SDN)中缺乏安全高效的数据来源验证机制问题，该文提出基于密码标识的报文转发验证机制。首先，建立基于密码标识的报文转发验证模型，将密码标识作为IP报文进出网络的通行证。其次，设计SDN批量匿名认证协议，将SDN控制器的验证功能下放给SDN交换机，由SDN交换机进行用户身份验证和密码标识验证，快速过滤伪造、篡改等非法报文，提高SDN控制器统一认证与管理效率，同时可为用户提供条件隐私保护。提出基于密码标识的任意节点报文抽样验证方案，任何攻击者无法通过推断采样来绕过报文检测，确保报文的真实性的同时降低其处理延迟。最后，进行安全性分析和性能评估。结果表明该机制能快速检测报文伪造和篡改及抵抗ID分析攻击，但同时引入了大约9.6%的转发延迟和低于10%的通信开销。

Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network

To deal with the lack of a secure and efficient data source authentication mechanism in Software-Defined Network (SDN), a packet forwarding authentication mechanism based on cipher identification is proposed. Firstly, a packet forwarding authentication model based on cipher identification is established, where the cipher identification is identified as a passport of IP packets entering and leaving the network. Secondly, the SDN batch anonymous authentication protocol is designed to decentralize the authentication function of the SDN controller to the SDN switch. The SDN switch performs user authentication and cipher identification verification, and quickly filters forgery, falsification, and other illegal packets to improve the unified authentication and management efficiency of the SDN controller, while providing users with the conditions of privacy protection. Thirdly, a scheme for sampling and verifying packets based on cipher identification in any node is proposed, where any attacker can not bypass the packet detection by inferring the sample, to ensure the authenticity of the packet while reducing its processing delay. Finally, safety analysis and performance evaluation are conducted. The results show that this mechanism can quickly detect packet falsification and tampering and resist ID analysis attacks, but at the same time it introduces about 9.6% forwarding delay and less than 10% communication overhead.