CN108173980B - Duplicate address detection method in SDN environment - Google Patents


Info

Publication number: CN108173980B
Application number: CN201810048587.1A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN108173980A
Inventors: 宋广佳, 安仲立
Current and original assignee: Jiyang College of Zhejiang A&F University
Legal status: Active (the legal status is an assumption by Google and is not a legal conclusion)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5046 Resolving address allocation conflicts; Testing of addresses
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Abstract

The invention relates to a method for detecting a duplicate address in an SDN environment. After a host generates a new cryptographically generated address CGAx, it broadcasts an NS; the broadcast time is recorded as T1, and the time at which a response NA is received is recorded as T2. The MAC address is then checked and CGA verification is performed to detect whether the address is duplicated. The feedback mechanism adopted by the invention uses the centralized control of the OC and discriminates the authenticity of the MAC address by polling the Switch, so that the mechanism is realized in a Software Defined Network (SDN) and used for preventing denial of service (DoS) attacks during duplicate address detection (DAD) and reducing the CPU resource consumption of the host.

Description

Duplicate address detection method in SDN environment
[ technical field ]
The invention relates to a computer network technology, in particular to a duplicate address detection method in an SDN environment.
[ background of the invention ]
For complex network communication, a layered model is generally used to simplify the design and implementation of a computer network; both the four-layer TCP/IP structure and the seven-layer OSI (Open System Interconnection) structure are embodiments of this modular concept. To simplify the design of each layer, each layer uses its own independent communication attribute (also called a communication address or network identifier). Typically, layer three uses IP addresses as the communication attribute of data packets, and layer two uses MAC (Media Access Control) addresses as the communication attribute for forwarding data frames.
Two problems then need to be solved: first, how each network entity obtains a communication address and how the uniqueness of that address is guaranteed; second, when data encapsulated at layer n+1 is passed down to layer n for further encapsulation, how the correspondence between the communication attributes of layer n+1 and layer n is determined. For example, when layer three encapsulates data with IP addresses and hands it to the data link layer, how does the link layer decide which MAC address to encapsulate?
Two main protocols currently address these problems: ARP (Address Resolution Protocol) and NDP (Neighbor Discovery Protocol). ARP resolves the correspondence between IP and MAC addresses in IPv4 (Internet Protocol version 4); in IPv6 (Internet Protocol version 6), NDP performs the same function. NDP functionally extends ARP with new functions such as Duplicate Address Detection (DAD), Neighbor Unreachability Detection (NUD) and Stateless Address Auto-configuration (SLAAC). However, many of the problems of ARP were never properly solved and persist in NDP, such as the DoS (Denial of Service) attack against duplicate address detection.
DAD attacks exist in both ARP and NDP. When a node joins a local area network it must obtain an address before it can communicate, and it must perform duplicate address detection before using a new address to make sure the address is unique. A malicious node can exploit this either by declaring that the address is already occupied, or by itself performing duplicate address detection with the same target address IPx. Either way the node concludes that the address is already in use and can only choose another address and redo DAD. If the malicious node keeps attacking, the victim node never obtains a usable address, as shown in FIG. 1.
To prevent address spoofing, the Internet Engineering Task Force (IETF) proposed the SEND protocol. SEND is an enhancement of NDP that uses methods such as Cryptographically Generated Addresses (CGA), digital signatures and timestamps to protect NDP messages and prevent IP address theft. The CGA is the address format specific to SEND. It is generated as follows: a suitable Modifier value is found by repeated hash operations over the Subnet Prefix, the Public Key, the Collision Count and the Modifier (an adjustable parameter); a second hash operation is then carried out, the first 59 bits of the 160-bit hash value are taken and combined with the Sec (Security Level) value and other parameters to form the final address. The CGA calculation process is shown in FIG. 2.
Although SEND uses cryptographic techniques, it faces problems of its own: the CGA generation process requires a lot of computation, and the larger signed NDP messages consume more communication bandwidth. In addition, the CGA generation time depends on the value of the Sec bits: the larger Sec is, the longer generation takes, with each increment of Sec multiplying the computation time by roughly 2^16. Duplicate address detection is still required after the address has been generated.
The CGA validation process is shown in FIG. 3 and proceeds as follows:
(1) check whether the collision count is 0, 1 or 2; if not, CGA verification fails; if so, go to step (2);
(2) check whether the subnet prefix in the CGA parameters matches the subnet prefix of the address carried in the message; if not, CGA verification fails; if so, go to step (3);
(3) compute hash1 and compare it with the interface identifier (IID), ignoring the leftmost bits 1, 2, 3 and bits 6, 7; if they differ, CGA verification fails; otherwise go to step (4);
(4) compute hash2 and check it against the Sec parameter: if the leftmost 16·Sec bits of hash2 are all zero, verification passes, otherwise CGA verification fails.
A CGA with wrong parameters is only discarded after this verification has been carried out. A malicious node can therefore send a large number of false NAs (Neighbor Advertisement messages) whose wrong parameters consume the computing resources of the target node, forming a DoS. Preventing such DoS attacks while reducing host CPU consumption is therefore a major challenge for CGA.
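As an added illustration that is not part of the patent text, the four validation steps above written out in Python following RFC 3972 (which defines hash1, hash2 and the bit positions involved); the prefix and public key are constructed placeholders, and generate_cga is included only so that the check has a valid address to run against.

```python
import hashlib

# Constructed sample inputs (not from the patent): a sample /64 prefix and a
# placeholder for the public key; a real CGA carries a DER-encoded key here.
PREFIX = bytes.fromhex("20010db800010000")
PUBKEY = b"constructed-placeholder-public-key"


def hash1(modifier, prefix, coll_count, pubkey):
    """Leftmost 64 bits of SHA-1 over Modifier | Prefix | Collision Count | Key."""
    return hashlib.sha1(modifier + prefix + bytes([coll_count]) + pubkey).digest()[:8]


def hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1 over Modifier | 9 zero bytes | Key."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]


def leading_zero_bits(data):
    return len(data) * 8 - int.from_bytes(data, "big").bit_length()


def verify_cga(address, prefix, modifier, coll_count, pubkey):
    """Steps (1)-(4) of the CGA validation process; returns (passed, reason)."""
    # (1) the collision count must be 0, 1 or 2
    if coll_count not in (0, 1, 2):
        return False, "collision count"
    # (2) the prefix in the parameters must equal the prefix of the address
    if address[:8] != prefix:
        return False, "subnet prefix"
    # (3) hash1 must match the interface identifier, ignoring the three Sec
    #     bits and the u/g bits of the first byte (mask 0x1C keeps bits 3-5)
    iid = address[8:]
    h1 = hash1(modifier, prefix, coll_count, pubkey)
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False, "hash1"
    # (4) the leftmost 16*Sec bits of hash2 must be zero; Sec is read from
    #     the three leftmost bits of the interface identifier
    sec = iid[0] >> 5
    if leading_zero_bits(hash2(modifier, pubkey)) < 16 * sec:
        return False, "hash2"
    return True, "ok"


def generate_cga(prefix, pubkey, sec, coll_count=0):
    """Deterministic generation: count modifiers up from 0 until hash2 has
    16*Sec leading zero bits, then derive the address from hash1. Each extra
    Sec level multiplies the expected search by 2^16, as the text notes."""
    counter = 0
    while True:
        modifier = counter.to_bytes(16, "big")
        if leading_zero_bits(hash2(modifier, pubkey)) >= 16 * sec:
            break
        counter += 1
    iid = bytearray(hash1(modifier, prefix, coll_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # write Sec, clear the u and g bits
    return prefix + bytes(iid), modifier
```

A forged NA that reuses a genuine address but carries a different modifier fails at step (3), so the hash2 work of step (4) is never spent on it; the same address advertised with a higher Sec value than it was generated for fails at step (4).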
Therefore, in order to avoid consuming CPU resources by verifying meaningless CGA parameters, the present inventors designed a duplicate address detection method, referred to as FB-DAD for short, in an SDN (Software Defined Network) environment, and the present application is made based on this.
[ summary of the invention ]
In order to solve the above problems, an object of the present invention is to provide a duplicate address detection method in an SDN environment, where the algorithm is used in a Software Defined Network (SDN) to prevent denial of service (DoS) attacks during the Duplicate Address Detection (DAD) process and to reduce host CPU resource consumption.
To achieve this purpose, the invention adopts the following technical scheme:
a duplicate address detection method in an SDN environment involves three main entities, a host, a controller OC and an OpenFlow Switch, which carry out the following steps:
step one, after the host generates a new cryptographically generated address CGAx, it first broadcasts an NS (Neighbor Solicitation) for duplicate address detection and records the time T1 at which DAD (Duplicate Address Detection) starts;
step two, if a Neighbor Advertisement message NA responding to the NS is received within the specified time, record the current time T2; check the MAC address in the Options field, and if it does not match the source MAC address in the NA frame header, discard the NA and repeat step two; if the two are consistent, go to step three;
step three, query the controller OC for the Switch identity Switch_ID and Port number Port No. of the source of the responding NA; if that Switch_ID and Port No. are in the host's blacklist, discard the NA, otherwise go to step four;
step four, query the controller OC whether the MAC address was newly added during T2-T1; if so, go to step five, otherwise go to step six;
step five, add the Switch_ID and Port No. to the blacklist and mark the entry as suspect, then perform CGA verification; if the CGA verification passes, remove the Switch_ID and Port No. from the blacklist, and duplicate address detection DAD fails, i.e. CGAx conflicts.
step six, perform CGA verification; if it fails, check whether the blacklist contains an entry for the source MAC address of the NA: if not, add the MAC, Switch_ID and Port No. to the blacklist; if so, set the entry's flag bit to T; then discard the NA and return to step two. If the CGA verification passes, DAD fails, CGAx conflicts, and any blacklist entry corresponding to the MAC address in the NA is removed.
The specific steps of the invention are further defined as follows:
In step two, the specified time is 1 to 3 seconds.
In steps five and six, an Idle time field (Idle_time) is added when each blacklist entry is created, and the blacklist has the following format:
MAC address  Switch_ID  Port No.  Idle_time  Flag
The Idle_time field records the idle time of the entry; its value increases by 1 every second. If the entry is not matched within 3 minutes it is removed from the blacklist, and the Idle_time field is cleared each time the entry is matched.
Compared with the prior art, the invention has the following beneficial effect: it employs a feedback mechanism that uses the centralized control of the OC to discern the authenticity of the MAC address by polling the Switch.
[ description of the drawings ]
FIG. 1 shows the prior-art DAD attack process;
FIG. 2 shows the prior-art CGA calculation process;
FIG. 3 shows the prior-art CGA validation process;
FIG. 4 is a flowchart of the operation of the preferred embodiment of the present invention;
FIG. 5 shows the interaction among Switch, OC and host according to the preferred embodiment of the present invention.
[ detailed description ] embodiments
Referring to FIG. 4 and FIG. 5, the duplicate address detection method in an SDN environment according to the present invention involves three main entities, a host, a controller OC and an OpenFlow Switch; hostA, hostB and hostC are used as examples in this embodiment:
First, hostA generates a new cryptographically generated address CGAx, sends a duplicate address detection NS and records the sending time as T1. If a response NA to the NS is received at hostA within the specified time, typically 1-3 seconds, the receiving time is recorded as T2.
If hostA receives a response NA from hostB, it initiates a MAC address query to the OC via the Switch and retrieves from the OC the Switch identity ID and Port number Port No. of hostB, the source of the responding NA.
If the identity of hostB is in hostA's blacklist, the NA from hostB is discarded; if not, the check continues to determine whether the MAC address of hostB was newly added during T2-T1.
If the MAC address of hostB was newly added during T2-T1, the Switch ID and Port No. of hostB are added to the blacklist and marked as suspect, and CGA verification is carried out. If the CGA verification passes, the Switch ID and Port No. of hostB are removed from the blacklist and DAD fails, i.e. CGAx conflicts.
If the MAC address of hostB was not newly added during T2-T1, CGA verification is carried out; if it fails, information such as the MAC address of hostB is added to the blacklist, the NA is discarded, and the method returns to the previous step to continue waiting for an NA. If the CGA verification passes, DAD fails, CGAx conflicts, and any blacklist entry corresponding to the MAC address in the NA is removed.
In the CGA verification step, to keep the blacklist from growing too long and to reduce storage consumption, an Idle_time field is added when each entry is created, as shown in the following table:
MAC address  Switch_ID  Port No.  Idle_time  Flag
If the address MAC_B of hostB, the ID of the switch to which it is connected and the port to which it is connected are added to the blacklist and marked as suspect (F), the blacklist initially looks like Table 1.
The value of Idle_time increases by 1 every second; if no information matching MAC_B arrives within 15 seconds, Table 1 evolves into Table 2.
TABLE 1
MAC address  Switch_ID  Port No.  Idle_time  Flag
MAC_B        1          10        0          F
MAC_C        2          20        85         T
TABLE 2
MAC address  Switch_ID  Port No.  Idle_time  Flag
MAC_B        1          10        15         F
MAC_C        2          20        100        T
Idle_time records the idle time of the entry; if the entry is not matched within 3 minutes it is removed from the blacklist, and the Idle_time field is cleared each time the entry is matched.
Algorithm as implemented on a computer: the OC queries each OpenFlow Switch, and whether the MAC was newly added within the last T2-T1 seconds is determined by searching each Switch's flow table. Because a layer-two Switch performs MAC learning, when a host starts using a new MAC address that MAC forms forwarding entries on several switches, so the OC must find the Switch and the port with the earliest MAC learning time: port y of Switch x is then the port through which the host is attached.
Input: MAC address MACx
Output: True, Switch ID and Port No.; or False
[Algorithm listing reproduced in the patent as figures GDA0002806875880000091 and GDA0002806875880000101; not available as text]
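The host-side decision of steps one to six together with the OC polling just described, as an added Python example that is not the patent's own code; the switch MAC-learning tables, NA messages, timestamps and the CGA verifier (passed in as a callable) are constructed stand-ins.

```python
IDLE_LIMIT = 180   # seconds: an entry unmatched for 3 minutes is removed


class Controller:
    """OC: answers MAC-location queries from the switches' learned-MAC tables."""

    def __init__(self, switches):
        # Constructed stand-in: {switch_id: {mac: (port, learn_time)}}, the
        # information a real OC would gather by polling each switch's flow table.
        self.switches = switches

    def locate(self, mac):
        """Switch/port that learned mac earliest, i.e. the host's access port."""
        hits = []
        for sid, table in self.switches.items():
            if mac in table:
                port, learned = table[mac]
                hits.append((learned, sid, port))
        if not hits:
            return None
        learned, sid, port = min(hits)
        return sid, port, learned

    def added_between(self, mac, t1, t2):
        """Step four: was the MAC first learned inside the DAD window T1..T2?"""
        loc = self.locate(mac)
        return loc is not None and t1 <= loc[2] <= t2


class Host:
    """Host running DAD; verify_cga(na) stands in for the real CGA check."""

    def __init__(self, oc, verify_cga):
        self.oc, self.verify_cga = oc, verify_cga
        self.blacklist = {}   # mac -> {"switch", "port", "idle", "flag"}

    def tick(self, seconds=1):
        """Idle_time grows by 1 per second; entries idle for 3 minutes are dropped."""
        for mac, entry in list(self.blacklist.items()):
            entry["idle"] += seconds
            if entry["idle"] >= IDLE_LIMIT:
                del self.blacklist[mac]

    def _add(self, mac, sid, port):
        self.blacklist[mac] = {"switch": sid, "port": port, "idle": 0, "flag": "F"}

    def handle_na(self, na, t1, t2):
        """Steps two to six for one NA; returns 'discard' or 'conflict'."""
        # Step two: the MAC in the Options field must match the frame source MAC.
        if na["opt_mac"] != na["src_mac"]:
            return "discard"
        mac = na["src_mac"]
        loc = self.oc.locate(mac)
        if loc is None:
            return "discard"            # source not attributable to any port
        sid, port, _ = loc
        # Step three: a blacklisted switch/port is dropped before any CGA work.
        for entry in self.blacklist.values():
            if (entry["switch"], entry["port"]) == (sid, port):
                entry["idle"] = 0       # matched: Idle_time is cleared
                return "discard"
        if self.oc.added_between(mac, t1, t2):
            # Step five: MAC appeared during DAD, so record it as suspect first.
            self._add(mac, sid, port)
            if self.verify_cga(na):
                del self.blacklist[mac]
                return "conflict"       # CGAx is genuinely in use
            return "discard"
        # Step six: established MAC; verify, and record or escalate on failure.
        if self.verify_cga(na):
            self.blacklist.pop(mac, None)
            return "conflict"
        if mac in self.blacklist:
            self.blacklist[mac]["flag"] = "T"   # repeated bogus NA: confirmed
            self.blacklist[mac]["idle"] = 0
        else:
            self._add(mac, sid, port)
        return "discard"
```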
The above embodiments are merely preferred embodiments of the present disclosure, which are not intended to limit the present disclosure, and any modifications, equivalents, improvements and the like, which are within the spirit and principle of the present disclosure, should be included in the scope of the present disclosure.

Claims (2)

1. A method for detecting duplicate addresses in an SDN environment, characterized in that it involves three main entities, a host, a controller OC and an OpenFlow Switch, which carry out the following steps:
step one, after the host generates a new cryptographically generated address CGAx, it first broadcasts a neighbor solicitation message NS for duplicate address detection and records the time T1 at which duplicate address detection DAD starts;
step two, if a neighbor advertisement message NA responding to the neighbor solicitation message NS is received within the specified time, record the current time T2; check the media access control MAC address in the Options field, and if it does not match the MAC address in the header of the NA frame, discard the NA and repeat step two; if the two are consistent, go to step three;
step three, query the controller OC for the Switch identity Switch_ID and Port number Port No. of the source of the responding neighbor advertisement message NA; if that Switch_ID and Port No. are in the host's blacklist, discard the NA, otherwise go to step four;
step four, query the controller OC whether the media access control MAC address was newly added during T2-T1; if so, go to step five, otherwise go to step six;
step five, add the Switch identity Switch_ID and Port number Port No. to the blacklist and mark the entry as suspect, then perform CGA verification; if the CGA verification passes, remove the Switch_ID and Port No. from the blacklist, and duplicate address detection DAD fails, i.e. CGAx conflicts;
step six, perform CGA verification; if it fails, check whether the blacklist contains an entry for the source MAC address of the NA: if not, add the media access control MAC, the Switch identity Switch_ID and the Port number Port No. to the blacklist; if so, set the entry's flag bit to T; then discard the neighbor advertisement message NA and return to step two; if the CGA verification passes, duplicate address detection DAD fails, CGAx conflicts, and any blacklist entry corresponding to the MAC address in the neighbor advertisement message NA is removed;
in step five and step six, during the CGA verification, an Idle time field Idle_time is added when each entry is created; the blacklist records information about hosts that send attacking neighbor advertisement messages NA, and each entry has 5 fields: the media access control MAC address field holds the MAC address of the host, the Switch identity Switch_ID field holds the ID number of the Switch the host is attached to, the Port number Port_No. field holds the Switch port connected to the host, the Idle time Idle_time field holds the idle time of the entry, and the Flag field is a flag bit where F means the attack is suspected and T means the attack has actually been carried out;
the Idle time Idle_time field records the idle time of the entry and its value increases by 1 every second; if the entry is not matched within 3 minutes it is removed from the blacklist, and the Idle_time field is cleared each time the entry is matched.
2. The duplicate address detection method in an SDN environment according to claim 1, characterized in that in step two the specified time is 1 to 3 seconds.

Priority Applications (1)

Application Number   Priority Date  Filing Date  Title
CN201810048587.1A    2018-01-18     2018-01-18   Duplicate address detection method in SDN environment

Publications (2)

Publication Number  Publication Date
CN108173980A        2018-06-15
CN108173980B        2021-02-19

Family ID: 62514833

Country Status (1)

Country  Link
CN       CN108173980B (en), Active
Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741820A (en) * 2008-11-13 2010-06-16 华为技术有限公司 Method, system and device for recognizing and determining a cryptographically generated address (CGA) public key
CN105991655A (en) * 2015-03-16 2016-10-05 思科技术公司 Mitigating neighbor discovery-based denial of service attacks

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2413462A (en) * 2004-04-23 2005-10-26 Matsushita Electric Ind Co Ltd Duplicate Address Detection Optimisation
CN102246461B (en) * 2009-11-17 2013-08-28 华为技术有限公司 Method, apparatus and system for duplicate address detection proxy
CN102347903B (en) * 2011-10-13 2014-07-02 北京星网锐捷网络技术有限公司 Data message forwarding method as well as device and system
CN104753793B (en) * 2013-12-26 2018-03-30 联芯科技有限公司 The method of stateful management access terminal under stateless IPv6 configurations
CN107547510B (en) * 2017-07-04 2020-03-06 新华三技术有限公司 Neighbor discovery protocol security table item processing method and device


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on security mechanisms for an autonomous address resolution protocol at the data link layer; 宋广佳; China Doctoral Dissertations Full-text Database, Information Science and Technology; 2016-12-15; sections 1.5.1, 5.3 and 5.4.2 *

Also Published As

Publication number Publication date
CN108173980A (en) 2018-06-15

Similar Documents

Publication Publication Date Title
EP3923551A1 (en) Method and system for entrapping network threat, and forwarding device
US8984112B2 (en) Internet address information processing method, apparatus, and internet system
CN105991655B (en) Method and apparatus for mitigating neighbor discovery-based denial of service attacks
EP2469787B1 (en) Method and device for preventing network attacks
CN107547510B (en) Neighbor discovery protocol security table item processing method and device
WO2009012663A1 (en) Method, communication system and device for arp packet processing
US20110026529A1 (en) Method And Apparatus For Option-based Marking Of A DHCP Packet
Ma et al. Bayes-based ARP attack detection algorithm for cloud centers
CN101827138A (en) Optimized method and device for processing IPV6 filter rule
Lu et al. An SDN-based authentication mechanism for securing neighbor discovery protocol in IPv6
Ataullah et al. ES-ARP: an efficient and secure address resolution protocol
Song et al. Novel duplicate address detection with hash function
CN112929200A (en) SDN multi-controller oriented anomaly detection method
US8893271B1 (en) End node discovery and tracking in layer-2 of an internet protocol version 6 network
US10938721B2 (en) Hash collision mitigation system
CN108173980B (en) Duplicate address detection method in SDN environment
Song et al. Using FDAD to prevent DAD attack in secure neighbor discovery protocol
CN116388998A (en) Audit processing method and device based on white list
Song et al. A novel frame switching model based on virtual MAC in SDN
CN108848087B (en) DAD process malicious NA message suppression method suitable for SEND protocol
CN1822565A (en) Network with MAC table overflow protection
Guangjia et al. Using multi‐address generation and duplicate address detection to prevent DoS in IPv6
JP2006013732A (en) Routing device and authentication method of information processor
CN110401646B (en) CGA parameter detection method and device in IPv6 secure neighbor discovery transition environment
El Ksimi et al. A new IPv6 security approach for a local network

Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant