CN106790219A - Access control method and system for SDN controllers - Google Patents

Access control method and system for SDN controllers

Info

Publication number
CN106790219A
Authority
CN
China
Prior art keywords
user
northbound
application
data
data plane
Prior art date
Legal status
Granted
Application number
CN201710018099.1A
Other languages
Chinese (zh)
Other versions
CN106790219B (en)
Inventor
荀浩
宋晨
王利明
史淼
杨倩
谢德俊
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201710018099.1A
Publication of CN106790219A
Application granted
Publication of CN106790219B
Legal status: Active
Anticipated expiration

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102: Entity profiles
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/28: Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an access control method and system for SDN controllers. The system comprises an SDN controller, switches and at least one northbound application. Northbound applications are divided into three security levels: administrator class, network configuration class and user class. The administrator class may read and write device data in the data plane; a northbound application of the network configuration class may read and write the control data in the data plane used to manage forwarded packets and the control data used to control packet forwarding; the user class may read and write forwarding data in the data plane. The northbound application classifies each user into the security level of that application and sends the user information and access request to the corresponding base application in the SDN controller. The base application determines, according to the user's security level, whether the user has access rights to the requested data, and enforces access control accordingly. The invention improves the confidentiality of network information in an SDN.

Description

Access control method and system for SDN controllers
Technical field
The invention belongs to the field of SDN security and relates to an access control method and system for SDN controllers, intended to protect the confidentiality of network information in an SDN, improve the reliability of the SDN controller and provide a security guarantee for the SDN.
Background
SDN (Software Defined Network) is a new network architecture. Its core technology, OpenFlow, separates the control plane of network devices from the data plane, thereby enabling flexible control of network traffic. Compared with traditional networks, SDN has three essential characteristics. First, separation of control and forwarding: the forwarding plane consists of controlled forwarding devices, whose forwarding behaviour and service logic are governed by control applications running on the separated control plane. Second, an open interface between the control plane and the forwarding plane: SDN exposes an open programmable interface to the control plane, so that control applications need only attend to their own logic and not to the implementation details of the underlying devices. Third, logically centralized control: a logically centralized control plane can control many forwarding devices, i.e. the whole physical network, and can therefore obtain a global view of network state and optimize control of the network on that basis.
Because the control plane in an SDN exposes an open programmable interface, northbound applications at the controller can issue management instructions to the controller, which in turn communicates with the switches over the OpenFlow protocol. This makes the northbound applications of the network controller the de facto management module of the SDN and, at the same time, the focus of SDN security: access control and privilege delineation for northbound applications directly determine the security of the whole network. Under existing deployment patterns and security measures, a northbound application can obtain the network information of the entire system, so that information becomes effectively public and the confidentiality of network information in the SDN is hard to guarantee.
The root of the above problem is that the data stored at the controller has no reasonable access control rules. Because the data stored by an SDN controller fully describes the underlying network, an attacker need only gain access to the northbound interface to obtain all information about the whole network. Only by protecting this data can the security of the SDN controller, and hence of the whole network, be guaranteed.
Summary of the invention
To address the defects of existing SDN controller northbound applications, the invention provides an access control method and system for SDN controllers, used to improve the confidentiality of network information in an SDN, improve the reliability of SDN controllers and provide a security guarantee for the SDN.
To achieve the above object, the present invention adopts the following technical scheme:
An access control method for SDN controllers, in which the northbound applications in the SDN are divided into three security levels: administrator class, network configuration class and user class. A northbound application of the administrator class may read and write device data in the data plane, but may not read or write forwarding data in the data plane. A northbound application of the network configuration class may read and write the control data in the data plane used to manage forwarded packets and the control data in the data plane used to control packet forwarding, but may not read or write device data in the data plane. A northbound application of the user class may read and write forwarding data in the data plane, but may not read or write control-forwarding data or device data in the data plane. The steps are:
1) The user sends a resource request to a northbound application; the resource request includes the user's authentication information, the URL of the northbound application requested by the user and the resource class.
2) The northbound application authenticates the user according to the authentication information in the resource request. After authentication succeeds, the northbound application obtains the user's ID and security level, and sends the user ID, the security level, the northbound application ID corresponding to the user's resource request and the access request to the corresponding base application in the SDN controller.
3) The base application determines, according to the user ID, the category of data the user requests to access, then determines, according to the user's security level, whether the user has access rights to the requested data. If so, it generates response data according to the northbound application ID and resource request and returns it to the northbound application; otherwise access is denied.
Further, the base application generates the response data according to the northbound application ID and resource request as follows: the base application initiates a query request to the SDN controller according to the northbound application ID and resource request; the SDN controller verifies the user's query request and, once verified, forwards the query request to the basic module of the SDN controller to obtain the response data. The northbound interface provided by the basic module includes the user's identity information and corresponds one-to-one with the base application information in the SDN controller.
Further, the authentication information includes a user name and password.
Further, a permission correspondence table is provided in the SDN controller; it records the one-to-one relationship between northbound applications and base applications with respect to user identity information.
An access control system for SDN controllers, characterised in that it comprises an SDN controller, switches and at least one northbound application. The northbound applications are divided into three security levels: administrator class, network configuration class and user class. The administrator class may read and write device data in the data plane, but may not read or write forwarding data in the data plane. A northbound application of the network configuration class may read and write the control data in the data plane used to manage forwarded packets and the control data in the data plane used to control packet forwarding, but may not read or write device data in the data plane. The user class may read and write forwarding data in the data plane, but may not read or write control-forwarding data or device data in the data plane.
The northbound application classifies the user into the security level of the application according to the authentication information the user provides, and sends the user's ID, security level, the northbound application ID corresponding to the user's resource request and the access request to the corresponding base application in the SDN controller. The base application determines, according to the user ID, the category of data the user requests to access, then determines, according to the user's security level, whether the user has access rights to the requested data. If so, it generates response data according to the northbound application ID and resource request and returns it to the northbound application; otherwise access is denied.
The access control system of the invention comprises an SDN controller, switches and at least one northbound application. The northbound application is responsible for sending network control instructions down to the controller and for obtaining part of the controller's information together with the information relating to that application.
In the present invention northbound applications are divided into three security levels: administrator class, network configuration class and user class. The administrator class may read and write device data in the data plane, so such northbound applications can manage the SDN devices themselves, but they may not read or write forwarding data (the packets being forwarded) in the data plane. The network configuration class may read and write the control data in the data plane used to manage forwarded packets, for example flow tables, and the control data in the data plane used to control packet forwarding, but may not read or write device data in the data plane. The user class may read and write forwarding data in the data plane, but may not read or write the other two categories: control-forwarding data and device data in the data plane.
As shown in Fig. 1, the basic modules in the administrator class include device management, module management, storage management and topology discovery; the network configuration class includes flow table issuance and flow table inspection; the user class includes packet data collection.
Because an SDN is a multi-user environment, a user must present identity information, which is used to determine whether data in the SDN controller belongs to that user.
The northbound application authenticates the user with the authentication information the user provides. After authentication succeeds, the northbound application obtains the user ID and the user's security level, and sends the user ID, security level, the northbound application ID corresponding to the user's resource request and the access request to the base application. The northbound interface provided by the basic module also includes the user's identity information and corresponds one-to-one with the base application information in the SDN controller. When a user requests data, the user must first pass identity authentication by the northbound application.
After a request made to the northbound application passes authentication, the user information must be classified, and the user identity information together with its security class is passed down to the base application. After the base application has authenticated it, it is determined whether the user is permitted to access the corresponding data in the controller.
The northbound application access control method of the invention, based on SDN controllers and using the above system, comprises the following steps:
1) The user sends a resource request, which includes the URL of the northbound application requested by the user, the resource class, the user name and the password.
2) The northbound application authenticates the user.
3) After authentication succeeds, the northbound application obtains the user ID and the user's security level, and sends the user ID, the security level, the northbound application ID corresponding to the user's resource request and the access request to the corresponding base application in the SDN controller.
4) The base application determines from the user ID the category of data the user requests to access, and determines from the user's security level whether access rights exist. If so, it initiates a query request to the controller according to the northbound application ID and resource request; otherwise access is denied.
5) The basic module verifies the northbound application using the northbound application ID sent by the base application. If verification succeeds, the requested return information is obtained from the controller; otherwise a refusal is sent to the base application.
6) The base application returns the request data and the request status result from the controller's basic module to the northbound application.
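The three-level scheme described above and the six-step procedure it drives, modeled in Python as an added example; this is not code from the patent or from the assignee. It encodes the security levels as a disjoint permission matrix, because the patent grants each class exactly one data category and explicitly withholds the other two, so an administrator-class request for a flow table is denied rather than inherited. A second lookup models the permission correspondence table between northbound application IDs and base applications that the controller's basic module checks in step 5. The user names, passwords, salts, application IDs, resource class names and the request format are all hypothetical, and the password hashes are constructed inline.

```python
"""Model of the patent's two-stage access control for an SDN controller's
northbound interface (added example; all identifiers are hypothetical)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Security level the northbound application assigns to a user."""
    ADMIN = "administrator"
    NETCONF = "network_configuration"
    USER = "user"


class Category(Enum):
    """The three data categories the patent distinguishes in the data plane."""
    DEVICE = "device_data"
    CONTROL = "control_forwarding_data"
    FORWARDING = "forwarding_data"


# Disjoint matrix, not a hierarchy: each level reaches exactly one category.
PERMITTED = {
    Level.ADMIN: {Category.DEVICE},
    Level.NETCONF: {Category.CONTROL},
    Level.USER: {Category.FORWARDING},
}

# Hypothetical resource classes -> (data category, base application serving it).
RESOURCES = {
    "switches": (Category.DEVICE, "base-devmgmt"),
    "topology": (Category.DEVICE, "base-devmgmt"),
    "flow_tables": (Category.CONTROL, "base-flows"),
    "packet_samples": (Category.FORWARDING, "base-capture"),
}

# Permission correspondence table (claim 4): northbound app ID -> base application.
APP_TABLE = {
    "nb-devmgmt": "base-devmgmt",
    "nb-flows": "base-flows",
    "nb-capture": "base-capture",
}


def _digest(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user directory: user -> (salt, salted SHA-256 of password, level).
USERS = {
    "A1": (b"salt-a1", _digest("admin-secret", b"salt-a1"), Level.ADMIN),
    "B1": (b"salt-b1", _digest("netconf-secret", b"salt-b1"), Level.NETCONF),
    "C1": (b"salt-c1", _digest("user-secret", b"salt-c1"), Level.USER),
}


@dataclass(frozen=True)
class Request:
    """Step 1: the user's resource request, with the fields the patent lists."""
    username: str
    password: str
    app_id: str    # northbound application ID
    app_url: str   # northbound application URL (carried, not inspected here)
    resource: str  # resource class


def authenticate(req: Request):
    """Step 2 (northbound application): verify credentials; (user_id, level) or None."""
    record = USERS.get(req.username)
    if record is None:
        return None
    salt, stored, level = record
    if not hmac.compare_digest(_digest(req.password, salt), stored):
        return None
    return req.username, level


def level_permits(level: Level, category: Category) -> bool:
    """Step 4 (base application): is this data category within the user's level?"""
    return category in PERMITTED[level]


def app_registered(app_id: str, base_app: str) -> bool:
    """Step 5 (basic module): is the northbound app ID registered with this base app?"""
    return APP_TABLE.get(app_id) == base_app


def handle(req: Request) -> str:
    """Run the full check; returns 'OK:<user>:<resource>' or 'DENY:<reason>'."""
    auth = authenticate(req)
    if auth is None:
        return "DENY:authentication"
    user_id, level = auth
    if req.resource not in RESOURCES:
        return "DENY:resource"
    category, base_app = RESOURCES[req.resource]
    if not level_permits(level, category):
        return "DENY:level"
    if not app_registered(req.app_id, base_app):
        return "DENY:app_id"
    return f"OK:{user_id}:{req.resource}"


if __name__ == "__main__":
    r = Request("A1", "admin-secret", "nb-devmgmt", "/nb/devmgmt", "flow_tables")
    print(handle(r))  # administrator class may not read flow tables: DENY:level
```

The order of the checks follows the patent: credentials are verified by the northbound application before any level or application-ID lookup, so an unauthenticated caller learns nothing about which resource classes exist, and the application-ID check runs after the level check so that a correctly levelled user going through the wrong northbound application is still refused.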
Based on the basic functions of an SDN, the invention divides the controller modules of the SDN, proposing a division into base applications and northbound applications. Permission verification of the northbound application is performed between the controller's basic modules and the base applications, to verify whether an application may obtain network information; identity authentication is performed between the base applications and the northbound applications, to authenticate whether a user may obtain network information or issue instructions to the controller.
Compared with the prior art, the positive effects of the present invention are:
The data and modules in the controller are split, and the northbound interface is classified into three levels that are offered to northbound applications. The data in the SDN is classified into device data, control-forwarding data and forwarding data, which makes it easy to manage the access rights and access content of northbound applications in a multi-user setting. The invention protects the northbound interface of the SDN controller: by managing the SDN northbound interfaces uniformly, it protects the confidentiality of network information in the SDN and increases the reliability of the SDN controller.
Brief description of the drawings
Fig. 1 is a schematic diagram of the access-control-based northbound permission management system for SDN controllers of the invention.
Fig. 2 is a schematic diagram of the access control method among system users, northbound applications and the controller modules.
Specific embodiments
The invention is described in detail below with reference to specific embodiments and the accompanying drawings.
Three instances are given, one for each of the three security levels of the whole system: adding a switch to the data plane, issuing a flow table to control the forwarding of data-plane data, and obtaining the IP addresses in packets. Each instance involves one group of two users (instance one corresponds to the user group A1 and A2, instance two to B1 and B2, instance three to C1 and C2), and each group is explained with two kinds of permissions. Table 1 is the permission correspondence table of the two users' two permissions under the different security levels.
Table 1: permission correspondence table of the two users' two permissions under the different security levels
In Table 1 the northbound applications correspond one-to-one with the user identity information in the base applications. The northbound application is responsible for classifying packets by their owning user and for identifying whether the user has data access rights; the base application controls whether the user holds the permission for the operation performed.

Claims (8)

1. An access control method for SDN controllers, wherein the northbound applications in the SDN are divided into three security levels: administrator class, network configuration class and user class; a northbound application of the administrator class may read and write device data in the data plane, but may not read or write forwarding data in the data plane; a northbound application of the network configuration class may read and write the control data in the data plane used to manage forwarded packets and the control data in the data plane used to control packet forwarding, but may not read or write device data in the data plane; a northbound application of the user class may read and write forwarding data in the data plane, but may not read or write control-forwarding data or device data in the data plane; the steps are:
1) the user sends a resource request to a northbound application, the resource request including the user's authentication information, the URL of the northbound application requested by the user and the resource class;
2) the northbound application authenticates the user according to the authentication information in the resource request; after authentication succeeds, the northbound application obtains the user's ID and security level, and sends the user ID, the security level, the northbound application ID corresponding to the user's resource request and the access request to the corresponding base application in the SDN controller;
3) the base application determines, according to the user ID, the category of data the user requests to access, then determines, according to the user's security level, whether the user has access rights to the requested data; if so, it generates response data according to the northbound application ID and resource request and returns it to the northbound application, otherwise it denies access.
2. The method of claim 1, characterised in that the base application generates the response data according to the northbound application ID and resource request as follows: the base application initiates a query request to the SDN controller according to the northbound application ID and resource request; the SDN controller verifies the user's query request and, after verification succeeds, forwards the query request to the basic module of the SDN controller to obtain the response data; wherein the northbound interface provided by the basic module includes the user's identity information and corresponds one-to-one with the base application information in the SDN controller.
3. The method of claim 1 or 2, characterised in that the authentication information includes a user name and password.
4. The method of claim 1 or 2, characterised in that a permission correspondence table is provided in the SDN controller, the permission correspondence table recording the one-to-one relationship between northbound applications and base applications with respect to user identity information.
5. An access control system for SDN controllers, characterised in that it comprises an SDN controller, switches and at least one northbound application; the northbound applications are divided into three security levels: administrator class, network configuration class and user class; wherein the administrator class may read and write device data in the data plane, but may not read or write forwarding data in the data plane; a northbound application of the network configuration class may read and write the control data in the data plane used to manage forwarded packets and the control data in the data plane used to control packet forwarding, but may not read or write device data in the data plane; the user class may read and write forwarding data in the data plane, but may not read or write control-forwarding data or device data in the data plane;
the northbound application classifies the user into the security level of the application according to the authentication information provided by the user, and sends the user's ID, security level, the northbound application ID corresponding to the user's resource request and the access request to the corresponding base application in the SDN controller; the base application determines, according to the user ID, the category of data the user requests to access, then determines, according to the user's security level, whether the user has access rights to the requested data; if so, it generates response data according to the northbound application ID and resource request and returns it to the northbound application, otherwise it denies access.
6. The system of claim 5, characterised in that the resource request includes the user's authentication information, the URL of the northbound application requested by the user and the resource class.
7. The system of claim 5, characterised in that the base application initiates a query request to the SDN controller according to the northbound application ID and resource request; the SDN controller verifies the user's query request and, after verification succeeds, forwards the query request to the basic module of the SDN controller to obtain the response data; wherein the northbound interface provided by the basic module includes the user's identity information and corresponds one-to-one with the base application information in the SDN controller.
8. The system of claim 5, 6 or 7, characterised in that a permission correspondence table is provided in the SDN controller, the permission correspondence table recording the one-to-one relationship between northbound applications and base applications with respect to user identity information.
CN201710018099.1A 2017-01-10 2017-01-10 Access control method and system for SDN controllers Active CN106790219B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710018099.1A CN106790219B (en) 2017-01-10 2017-01-10 Access control method and system for SDN controllers

Publications (2)

Publication Number Publication Date
CN106790219A true CN106790219A (en) 2017-05-31
CN106790219B CN106790219B (en) 2019-11-26

Family

ID=58949086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710018099.1A Active CN106790219B (en) 2017-01-10 2017-01-10 Access control method and system for SDN controllers

Country Status (1)

Country Link
CN (1) CN106790219B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108366068A (en) * 2018-02-26 2018-08-03 浙江大学 Policy-language-based cloud network resource management control system in a software defined network
CN110392033A (en) * 2018-04-23 2019-10-29 北京华为数字技术有限公司 Password management method and device
CN112968880A (en) * 2021-02-01 2021-06-15 浪潮思科网络科技有限公司 SDN architecture-based permission control method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621401A (en) * 2008-06-30 2010-01-06 华为技术有限公司 Network management configuration method based on northbound interface and device
CN104935604A (en) * 2015-06-29 2015-09-23 南京邮电大学 Open Flow protocol-based SDN firewall system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王蒙蒙: "Software-defined networking: security model, mechanisms and research progress", Journal of Software (软件学报) *

Also Published As

Publication number Publication date
CN106790219B (en) 2019-11-26

Similar Documents

Publication Publication Date Title
CN101512510B Method and system for providing network management based on defining and applying network administrative intents
CN106411857B Private cloud GIS service access control method based on a virtual isolation mechanism
CN105991734B Cloud platform management method and system
CN104660578B System and method for secure data storage and data access control
DE69233708T2 Device and method for creating network security
CN109413065A Container-based cluster security management method
CN107426152B Multi-task security isolation system and method in a cloud platform virtual-physical interconnection environment
CN107547480A Method, apparatus and virtual desktop management system for virtual desktop security control
CN111865943B Multi-level tenant authentication method and device based on micro-service
CN106412896A Authorization management method and system for a wireless router
CN108134764A Distributed data sharing and exchange method and system
CN101453357B Network management control method and network management control system
CN101166173A Single sign-on system, device and method
CN106790219A Access control method and system for SDN controllers
CN107026825A Method and system for accessing a big data system
CN103684922A SDN-based egress information privacy checking detection platform system and detection method
US20130304920A1 Controlling Access to Managed Objects in Networked Devices
Lu et al. A model for multilevel security in computer networks
CN107689949A Database permission management method and system
CN108966216A Mobile communication method and apparatus applied to a power distribution network
KR20170086495A Method for accessing switch external memory from control plane and data plane
TW202137735A Programmable switching device for network infrastructures
CN111818053B Numerical control machine tool safety system with identity authentication and secure communication gateway, and method
CN109495514A Mutual role help system and method based on edge terminals
CN109903046A Blockchain-based user data management and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant