Title: Using Attribute-Based Encryption in Software-Defined Networking for Access Control (Chinese title: 於軟體定義網路中使用屬性授權加密機制進行存取控制)
Authors: Hung, Ta-Jung (洪大容); Tzeng, Wen-Guey (曾文貴)
Department: Institute of Computer Science and Engineering
Keywords: Software-defined networking; Attribute-based encryption
Issue Date: 2016
Abstract: A modern computer network is composed of routers, switches, users, hosts and similar devices. Changing traffic-control or event-response rules requires manual adjustment by network administrators and is constrained by the hardware, which raises the cost and difficulty of management. Since software-defined networking (SDN) was proposed, controlling the network through programs has become a new research direction: software-based management is not bound by the hardware and lowers the cost of managing and updating the network. However, the controller, switches and routers in an SDN currently secure their communication only with Transport Layer Security (TLS), so the security mechanism is not yet complete. The controller must establish a separate TLS session with every switch and router, even though switches and routers are usually numerous devices of similar identity and role, so TLS does not fully fit this setting. How to control a large number of switches or routers of similar identity at once is therefore a question worth studying.

To address this, we use attribute-based encryption (ABE) to encrypt and decrypt the packets exchanged between devices and thereby enforce access control. When the controller manages a group of switches or routers of similar identity, it can encrypt under a single encryption policy and send the ciphertext to all of them. Any device that does not satisfy the policy cannot read the packet contents, which guarantees packet confidentiality and provides a better control mechanism for large numbers of switches and routers. Finally, we build an SDN in a network simulated by Mininet using the OpenFlow protocol, OpenFlow switches and the NOX controller, and implement the encrypted and decrypted transmission described above in that SDN.
URI: http://etd.lib.nctu.edu.tw/cdrfb3/record/nctu/#GT070256005
http://hdl.handle.net/11536/142639
Appears in Collections: Thesis