Research and implementation of key module of data security processing mechanism in SDN
Cite this article: LI Zhaobin, LI Weilong, WEI Zhanzhen, LIU Mengtian. Research and implementation of key module of data security processing mechanism in SDN [J]. Journal of Computer Applications, 2018, 38(7): 1929-1935.
Authors: LI Zhaobin, LI Weilong, WEI Zhanzhen, LIU Mengtian
Affiliation: Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China
Funding: National Key Research and Development Program of China (2017YFB0802705); Fundamental Research Funds for the Central Universities (2017CL04).
Abstract: To address the data leakage problem on the data plane of Software Defined Networking (SDN), a new data security processing mechanism based on the OpenFlow protocol is proposed. First, the flow table structure of the OpenFlow protocol is reconstructed, and OpenFlow data security policies, including security match fields and security actions, are designed and implemented. Second, a centralized management controller is designed; through several newly developed functional modules, the controller senses network changes in a timely manner, effectively manages the global network, and maintains and distributes data encryption/decryption keys and data security policies. Third, the architecture of Open vSwitch (OVS) is deeply reconstructed: the complete workflow of data security policy matching and data security processing is designed and implemented, a payload information extraction interface is written, and several developed functional modules enable OVS to match packets at fine granularity according to the data security policies and to perform complete data security processing on the matched packets. Finally, a hardware and software platform is built to test the mechanism's encryption/decryption results, latency, throughput and CPU utilization. The experimental results show that the mechanism performs data encryption and decryption correctly, and that latency and throughput remain at normal levels; however, CPU utilization fluctuates between 45% and 60%, which is a considerable overhead that remains to be optimized.

Keywords: software defined network; data transmission; encryption and decryption; information security; data security processing
Received: 2017-12-21
Revised: 2018-02-09

Research and implementation of key module of data security processing mechanism in software defined network
LI Zhaobin, LI Weilong, WEI Zhanzhen, LIU Mengtian. Research and implementation of key module of data security processing mechanism in software defined network [J]. Journal of Computer Applications, 2018, 38(7): 1929-1935.
Authors: LI Zhaobin, LI Weilong, WEI Zhanzhen, LIU Mengtian
Affiliation: Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China
Abstract: To solve the data leakage problem of the data plane in Software Defined Network (SDN), a new data security processing mechanism based on the OpenFlow protocol was proposed. Firstly, the flow table structure of the OpenFlow protocol was reconstructed, and OpenFlow data security policies, including security match fields and security actions, were designed and implemented. Secondly, a centralized management controller was designed; through the development of multiple functional modules it senses changes in the network in a timely manner, effectively controls the global network, and maintains and distributes data encryption/decryption keys and data security policies. Thirdly, the Open vSwitch (OVS) architecture was reconstructed deeply: the complete process of data security policy matching and data security processing was designed, and the extraction interface for data payload information was programmed. Through the development of multiple functional modules, OVS can match data packets at the fine granularity of the data security policies and perform complete data security processing operations on matched data packets. Finally, a hardware and software platform was built, and the encryption and decryption results, latency, throughput and CPU utilization rate of the mechanism were tested and compared. The experimental results show that the proposed mechanism can accurately perform data encryption and decryption. Its latency and throughput are at normal levels, but its CPU usage rate is between 45% and 60%, which indicates that it needs to be optimized further.
Keywords: Software Defined Network (SDN); data transmission; encryption and decryption; information security; data security processing