Title: An Extended SDN Architecture for Value-added Services with a Case Study on Intrusion Prevention
Authors: 葉治宏
Yeh, Chih-Hung
林盈達
Lin, Ying-Dar
Institute of Network Engineering
Keywords: software-defined networking; SDN; OpenFlow; traffic classification; value-added service; network service; service chaining; intrusion prevention system; IPS
Publication date: 2013
Abstract: Under the existing OpenFlow-based software-defined networking (SDN) architecture, the switches in the data plane are so simplified that, if additional network security value-added services and service chaining are to be provided, traffic classification must rely entirely on the controller. This causes the switches to send a large volume of OpenFlow message traffic to the controller for processing. To mitigate this problem, we propose an architecture extended from OpenFlow-based SDN and design corresponding mechanisms in its control plane and data plane. We design a two-layer traffic classification mechanism in the data plane and, by extending the original OpenFlow protocol, define new message types and formats. With this design, network events can be analyzed in the data plane without being forwarded to the control plane. This reduces the traffic forwarded to the controller when an intrusion prevention system is implemented as a network value-added service under OpenFlow-based SDN. We also examine the proportion of traffic generated to each node under this extended architecture, and we validate the design with the results of applying campus network traffic to it.
Providing value-added services under the current OpenFlow-based SDN architecture generates a huge volume of OpenFlow message traffic to the controller for traffic classification, because of the simplicity of the switches in the data plane. To relieve this problem, we propose an architecture extended from OpenFlow-based SDN and design the corresponding mechanisms within it. We design a two-layer traffic classification mechanism in the data plane, and we extend the OpenFlow protocol with new message types and formats. With our design, network events can be analyzed in the data plane rather than in the control plane. In the case of implementing an intrusion prevention system using value-added services, we reduce the traffic generated to the controller under OpenFlow-based SDN. We also discuss the ratio of traffic generated to particular network nodes in the extended architecture. We validate our design with results from campus network traffic.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070156545
http://hdl.handle.net/11536/74812
Appears in Collections: Thesis