CN110417739A - A blockchain-based secure in-band network telemetry method - Google Patents
A blockchain-based secure in-band network telemetry method
- Publication number: CN110417739A
- Application number: CN201910566636.5A
- Authority
- CN
- China
- Prior art keywords
- controller
- blockchain
- node
- information
- permission
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—for authentication of entities
    - H04L63/0807—using tickets, e.g. Kerberos
  - H04L63/14—for detecting or protecting against malicious traffic
    - H04L63/1441—Countermeasures against malicious traffic
  - H04L63/20—for managing network security; network security policies in general
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/50—using hash chains, e.g. blockchains or hash trees
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to the fields of in-band network telemetry and blockchain technology, and provides a blockchain-based secure in-band network telemetry method. The steps include: building a permissioned blockchain, registering controllers as blockchain nodes, and letting each controller define its own permission access policy; miner nodes write the authorization policies into the blockchain according to the consensus protocol, and when different controller nodes access each other, the key node verifies the identity information of the controller nodes against the authorization policies stored in the chain; once identities are confirmed, controller nodes grant permissions on resources under different management domains, which realizes cross-domain access to switches. The controller issues routing policies that assign designated in-band telemetry behavior to different switches. The method improves the security of controllers in a programmable network, solves the problem of permission control over switches in in-band telemetry, and defends against data tampering, malicious attacks and similar behavior in network measurement.
Description
Technical field
The present invention relates to programmable networks, INT (In-Band Network Telemetry) and blockchain technology, and provides a blockchain-based secure in-band network telemetry method.
Background art
With the rise of the Internet of Things, new devices and applications keep emerging, and the traditional network architecture can no longer meet the requirements of high bandwidth, high reliability and low redundancy; the diversification of hardware and software devices has driven the birth of a new generation of programmable networks. As the new network paradigm, programmable networks not only provide open, programmable interfaces to the hardware but also let administrators manage network services at a higher level of abstraction. They separate the control plane from the forwarding plane and allow developers to program the underlying infrastructure from applications and network services. From the earliest DCAN to the birth of software-defined networking (SDN), the core idea of programmable networks has been to separate a centralized network control plane from the data plane. However, because the southbound protocols of traditional SDN, such as OpenFlow, are usually tied to the target hardware, they require matching infrastructure devices, and administrators cannot customize how packets are processed or add new forwarding functions. The appearance of the P4 language provides programmability of the data plane: developers can customize the chip with P4, add new protocols or optimize the original protocol stack, and allocate on-chip resources more reasonably.
Traditional network monitoring technologies such as SNMP usually obtain information about the underlying network through the control plane; this approach is too constraining and too slow. Similarly, methods such as NetFlow, sFlow and synthetic probes cannot accurately detect short-lived events such as microbursts, and in a sufficiently large distributed network the lack of traceable metadata and historical information can lead to serious service and application incidents. Because P4 can rewrite packet protocols, it enables fine-grained network measurement. INT (In-Band Network Telemetry) is the application of P4 to network measurement: it has end-to-end collection capability in the data plane and collects state information in real time. In-band network telemetry attaches the key details of packet processing to the data plane, so packet transmission consumes no host CPU resources; by adding metadata to packets it enables packet-level telemetry and visualization of network traffic.
Although INT offers a good solution for monitoring traffic data, in a programmable network architecture the network configuration, network services, access control and deployment of security services all concentrate in the controller, which coordinates network, computing and storage resources. Centralized control gives network operation and management a global view and optimal decisions, but it also brings additional management risk. Because the controller connects the application layer to the forwarding devices and implements their unified configuration and management, it is both a concentrated point of network interference and a potential single point of failure. If the security strategy of the controller is neglected during network deployment, it is highly exposed to attack, for example modification of the code base, or altering, filtering or concealing traffic at certain network sites, with great harm to network security. Moreover, when the controller OS is attacked or an APP running on the controller carries a security threat, the controller easily loses control, which can paralyze network services across the whole range the controller covers. Second, centralized control makes the controller an easy target for resource-exhaustion attacks such as DoS and DDoS. Finally, the openness of programmable networks means the controller must carefully assess which interfaces to expose, to prevent attackers from using them for network reconnaissance or attacks.
Therefore, current efforts to raise the security of programmable network environments mainly concentrate on the controller level. Traffic-scrubbing equipment can be deployed at the controller's entry point to block distributed traffic attacks; a distributed multi-controller scheme can handle the failure of a single controller by automatic replacement; and a security agent can be deployed to harden the applications on the controller and scan them for vulnerabilities. Many researchers have also proposed solutions for improving programmable network security. For example, FlowVisor, developed on the OpenFlow protocol, virtualizes the hardware into multiple networks, which improves security on the one hand and, on the other, adds software security authentication to protect the multiple virtual networks on the same physical device; DefenseFlow collects traffic information for attack detection at the SDN control layer and steers flows only when needed, turning device-based security into a network-wide security service; SE-Floodlight is a software extension of the open-source Floodlight controller that provides authentication and enhanced role-based security restrictions. These methods all alleviate the controller's security problems to some degree. But as the administrator's dominant control over the controller becomes more significant, guarding the controller's permissions, access, security control and data encryption is an essential step toward a secure programmable network environment. This means a general security system is needed to cope with these threats to software-defined networks, one that runs in a way that does not affect scalability, raises alerts in time when malicious attacks occur, and produces an auditable, event-based log on the network. The question is how to keep malicious elements out of a software-defined network in a scalable way, admitting thousands of legitimate elements while refusing a single malicious one. Imagine such a solution: everything that happens on the programmable network is legally audited and captured in an unmodifiable log, a blockchain; the addition of any control node requires its identity information to be verified, and only after most nodes in the blockchain network reach consensus can the control node join the network and carry out measurement activity. Before the devices in the programmable network run, blockchain technology can be used to confirm and authenticate the network devices in the blockchain information system. In this process no device or technology need be supplied to a third party, and the validity of the authentication guarantees the accuracy and security of the network data.
In a blockchain network the security of every function depends on all nodes in the whole network that have security maintenance capability. There is no management hierarchy between nodes; they are equal. When a node receives data transmitted by another node it verifies that node's identity information, and if the check succeeds it broadcasts the received information to the entire network. Because the blockchain and its records may exist in thousands of places simultaneously, if an attacker tries to intrude into a log server and alter the event history to cover its tracks, the nodes in the blockchain refuse the change. In this way the behavior of the programmable network is made resistant to attack, and automatic, programmable rules can be set for the network.
Summary of the invention
The technologies used in the present invention are mainly: Blockchain, the P4 (Programming Protocol-Independent Packet Processors) language for programming intermediate nodes, and INT (In-band Network Telemetry).
The present invention overcomes the limitations of the prior art and proposes a blockchain-based secure in-band telemetry method. It uses the P4 language to implement the in-band telemetry function and custom switch routing policies. By adding INT metadata to packets it monitors the network state in real time. A southbound API generated from P4 realizes the interaction between the controller and the data plane and custom forwarding policies. By building a permissioned blockchain network, permission control is applied to cross-domain interaction between different controllers, preventing the network security problems caused by the addition of a malicious controller. In the permissioned blockchain each controller can define the access policy of its own domain, so that the centralized control behavior of the software-defined network is dispersed. Through in-band telemetry and blockchain technology the present invention can effectively analyze dynamic behavior in the network and improve the security of the distributed network.
The present invention comprises the following steps:
S1, build the permissioned blockchain: the administrator first creates the genesis block. Normally an initialization file genesis.json is generated locally, and the basic information of the blockchain, including block number, timestamp, transaction list, difficulty value and the hash of the previous block, is written into this file. Different controller nodes are registered into the blockchain through different port numbers, and after registration each controller holds an accessible identifier composed of three keys as follows:
$\mathit{Key}_{controller} = \mathrm{HASH}\{\mathit{Port}_{con},\ \mathit{Key}_{pub},\ \mathit{Key}_{pri}\}$
where $\mathit{Port}_{con}$ is the port number of the domain in which the current controller resides, $\mathit{Key}_{pub}$ is the public key held by the current controller, and $\mathit{Key}_{pri}$ is the private key held by the current controller.
After a Hash256 operation this identifier yields the unique address of the controller, which indicates that the current controller node has been registered on the blockchain. Note that because the private key is an input to the hash, only the controller itself can recompute this address; other nodes can record it but cannot derive it from the public key alone.
When building the permissioned blockchain, besides registering controllers, key nodes and miner nodes must also be created. Key nodes and miner nodes can be deployed on local virtual machines or other servers; because both must store all transaction information on the blockchain, they place higher storage demands on the server.
S2, the controller defines its authorization policy: after registering to the blockchain, the controller initiates a $T_{policy}$ transaction to a miner. The transaction is transmitted in JSON format as follows:
Here sender is the sender's address, recipient is the receiver's address, amount is the number of tokens spent, which can be expressed with the difficulty value, telemetry is the data being sent, and policy is expressed as a whitelist: the safety of a requester is decided by checking for its id in the whitelist.
Each controller generates a new permission control policy at registration and submits it to the miner nodes as a transaction. The miner nodes judge whether the controller is qualified by checking the blockchain's transaction history; in addition they check whether the initiator's account holds enough tokens, and only a sufficient balance lets the transaction be submitted to the blockchain. Likewise, submitting the transaction to a block requires computing the difficulty value, and the new authorization policy is written into the block and persisted through the consensus protocol;
S3, the key node verifies controller identity: when a controller node in the blockchain network initiates an access request to a specified other controller node, the message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node that stores the information of the entire blockchain, it can find the responder's authorization policy in the chain's transaction history and check whether the whitelist in that policy contains the requester's ID. If verification succeeds, the key node sends a $T_{auth}$ transaction to the requester confirming that the requesting node is safe; if not, the key node returns a refusal and broadcasts it globally, notifying the other blockchain nodes that the requesting node is untrusted;
S4, cross-domain permission granting between controllers: after the responding controller has checked the requester's identity information, it can carry out a $T_{access}$ transaction with the other party; at this point the two sides trust each other. Cross-domain permission granting has two parts: definition of the path of the actual resource, and the grant itself. As the control entity of the software-defined network, the controller has control over the switches in its own domain; the domain of a controller is called its Namespace here. The controller's access path to a resource (a switch) in its domain can be expressed as a URI; for example, localhost:8080/controller1/switch_1/.* denotes the actual resource, switch 1, under the controller on local port 8080. The URI representation lets resources in different domains be accessed and permissions be granted more conveniently. Permission granting between different domains is realized by the DOT (Delegation of Trust) method: the identifier of the controller and the URI resource path under its domain are processed by a hash operation and sent to the requester, and the requester obtains the communication access credential by decrypting with a symmetric encryption algorithm.
S5, the controller issues routing policies: after the controllers have authorized each other through the DOT method, the switch resources under different control domains can communicate with each other. During in-band telemetry, a switch adds its own information, including switch ID, forwarding time and queue congestion state, to the packet header. When issuing routing information the controller sets a specific Action-Mapping (action-match) mode according to switch IDs; this mode controls the in-band telemetry behavior of individual switches, so that only switches with the designated IDs add the in-band telemetry metadata header, while the others only match the flow table and forward.
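The following is an added example illustrating step S5; it is not code from the patent and the patent itself implements this in P4 on the switches. It simulates a path of switches under a controller-issued Action-Mapping table: switches whose ID maps to int_add append a telemetry record (switch ID, forwarding time, queue occupancy) to the packet, every other switch only forwards, and the sink decodes the resulting stack. The shim byte, the 8-byte hop record layout, the switch IDs and the queue depths are assumptions constructed for the illustration.

```python
"""Added example, not code from the patent: step S5 (Action-Mapping for INT).
The wire layout (a one-byte shim, a hop count, then fixed-size hop records)
and the switch IDs are assumptions made for the illustration."""
import struct

INT_SHIM = b"\x17"                   # assumed marker: "an INT stack follows"
HOP_FMT = "!HIH"                     # switch ID, forwarding timestamp, queue occupancy
HOP_LEN = struct.calcsize(HOP_FMT)   # 8 bytes per hop record


def originate(payload: bytes) -> bytes:
    """The source end node emits packets with an empty INT stack."""
    return INT_SHIM + b"\x00" + payload


def push_int(packet: bytes, switch_id: int, ts: int, queue: int) -> bytes:
    """A switch whose action is int_add appends its hop record to the stack."""
    if packet[:1] != INT_SHIM:
        raise ValueError("packet carries no INT shim")
    hops = packet[1]
    end = 2 + hops * HOP_LEN
    record = struct.pack(HOP_FMT, switch_id, ts, queue)
    return INT_SHIM + bytes([hops + 1]) + packet[2:end] + record + packet[end:]


def forward_path(payload: bytes, path, action_map: dict) -> bytes:
    """Push one packet through `path`, a list of (switch_id, queue_depth).
    The controller's action_map names the switches that add INT metadata;
    every other switch only matches its flow table and forwards unchanged."""
    packet = originate(payload)
    for hop, (switch_id, queue) in enumerate(path):
        ts = hop * 10                      # constructed forwarding time
        if action_map.get(switch_id) == "int_add":
            packet = push_int(packet, switch_id, ts, queue)
    return packet


def collect(packet: bytes):
    """Sink side: split the INT stack from the payload and decode the hops."""
    if packet[:1] != INT_SHIM:
        raise ValueError("packet carries no INT shim")
    hops = packet[1]
    records = [struct.unpack_from(HOP_FMT, packet, 2 + i * HOP_LEN)
               for i in range(hops)]
    return records, packet[2 + hops * HOP_LEN:]


def demo():
    """Constructed sample: a three-switch path where only switches 1 and 3
    are designated by the controller to add telemetry metadata."""
    action_map = {1: "int_add", 2: "forward", 3: "int_add"}
    path = [(1, 5), (2, 9), (3, 2)]        # (switch ID, queue depth), constructed
    packet = forward_path(b"telemetry-probe", path, action_map)
    return collect(packet)


if __name__ == "__main__":
    print(demo())
```

The source node always emits the shim, so the sink never has to guess from payload bytes whether an INT stack is present; a switch not listed in the action map leaves the packet untouched, which is the "match the flow table and forward only" case of the text.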
The present invention is the first to propose a blockchain-based secure in-band network telemetry method that fully exploits the advantages of blockchain and in-band telemetry. In terms of the runtime environment, the invention designs an interactive environment between the in-band telemetry network and the blockchain network, combining the flexibility of the programmable network with the security of the blockchain network. In terms of programming language, the invention uses P4, a language for programming intermediate nodes, to attach the key details of packet processing to the data plane without consuming host resources, achieving real-time telemetry of the network. In terms of security, the invention builds a permissioned blockchain that authenticates the interaction between different controllers, improves the security of in-band telemetry across control domains through the permission granting method, and uses digital signatures to prevent malicious tampering with the message path of control permissions. In terms of transmission, the invention uses the distributed p2p networking mode to provide an efficient and stable transmission path for cluster networks such as data centers.
Brief description of the drawings
Fig. 1 is the flow chart of the blockchain-based secure in-band network telemetry method of the present invention.
Fig. 2 is a schematic diagram of the working environment of the blockchain-based secure in-band network telemetry method of the present invention.
Fig. 3 is the sequence diagram of the blockchain-based secure in-band network telemetry method of the present invention.
Specific embodiments
The present invention is described in further detail below with reference to the embodiments and the accompanying drawings. Except where specifically stated below, the implementation process, conditions and experimental methods of the invention follow the general principles and common knowledge of the art, and the invention places no special restrictions on them.
As shown in Fig. 1, the present invention can be divided into five main steps: 1. the administrator creates the permissioned blockchain; 2. the controller defines its authorization policy; 3. the key node verifies controller identity information; 4. cross-domain permissions are granted between controllers; 5. the controller issues routing policies. The working environment of the whole invention is shown in Fig. 2, from which it can be seen that the measurement environment consists of two parts. The upper half is the permissioned blockchain network composed of controllers, which guarantees controller operation and authenticates controllers through the encryption algorithms and consensus protocol of the blockchain; the lower half is the in-band telemetry network composed of source end nodes and virtual switches, and the whole network runs under the management of the controllers. Fig. 3 shows the dynamic cooperation sequence between the objects of the method. The method involves five roles: administrator, controller, switch, miner node and key node. The administrator is responsible for collecting measurement data and building the permissioned blockchain; controllers, miners and key nodes are networked by p2p, and access control rights are set for the controller nodes. In addition, the permission granting method between controllers of different domains ensures the security and reliability of the in-band telemetry network. Because in-band telemetry monitors network behavior in real time in the data plane, the telemetry accuracy and timeliness of the programmable network are greatly improved. The two environments interact through the controller as middleware, complementing each other's advantages.
To further describe the implementation of the invention, the following explanation extends Fig. 1. In the workflow, at the entry step S1 the developer must build the permissioned blockchain environment. The basic steps are initialization of the permissioned blockchain and registration of the controller nodes.
S101. When the blockchain is initialized, the structure of a block must first be defined. In general a block contains an index, a timestamp, transaction information, the hash of the previous block and a difficulty value; block information can be stored in a local database so that full nodes can check history conveniently. The administrator first creates the genesis block: normally an initialization file genesis.json is generated locally and the basic information of the blockchain is written into it. Then full nodes, including key nodes and miner nodes, must be registered on the blockchain. Because full nodes hold the transaction history of the whole chain, they can help verify the identity of controller nodes and guarantee privacy between controllers; in addition, miner nodes participate in block verification through the consensus protocol. Full nodes are generally deployed on external servers to reduce the storage pressure on the local server and balance load between servers. A local server node is created on the full-node server with the Flask framework, and distributed storage uses a PostgreSQL database.
S102. When registering to the blockchain, the administrator opens a virtual port number for each controller node and runs the controller node on that port; each controller node keeps the registration information of the other nodes on the network to facilitate p2p communication. After the controller nodes have registered to the blockchain through different port numbers, each controller retains an accessible identifier composed of three keys as follows:
$\mathit{Key}_{controller} = \mathrm{HASH}\{\mathit{Port}_{con},\ \mathit{Key}_{pub},\ \mathit{Key}_{pri}\}$
where $\mathit{Port}_{con}$ is the port number of the domain in which the current controller resides, $\mathit{Key}_{pub}$ is the public key held by the current controller, and $\mathit{Key}_{pri}$ is the private key held by the current controller.
After a Hash256 operation this identifier yields the unique address of the controller, indicating that the current controller node has been registered on the blockchain.
S2. The controller defines its authorization policy. After registering to the blockchain, the controller looks up its local registry information and initiates a $T_{policy}$ transaction to the nodes whose ID is marked as miners. The transaction is transmitted in JSON format as follows:
Here sender is the sender's address, recipient is the receiver's address, and amount is the number of tokens spent, which can be expressed with the difficulty value. Addresses are all represented by $\mathit{Key}_{controller}$, a hashed address code; because the hash algorithm is irreversible, the specific information of each node does not leak in the blockchain. Telemetry contains the basic data sent by the controller, typically the controller's id and the node's trust value. The trust value is derived from the behavior of the controller node and is used to evaluate a controller's contribution to the blockchain: a controller node that frequently joins and leaves the blockchain network, or never participates in blockchain activity, has a very low trust value. The trust value is judged with the EigenTrust algorithm, by the formula
$Q = \dfrac{u_{active} + 1}{u_{active} + u_{deactivate} + 2}$
where $u_{active}$ is the activity count of the controller node and $u_{deactivate}$ is the number of times the controller node has left the blockchain network. In addition, the policy field of the authorization policy contains a whitelist holding the node IDs that the current controller entity has authenticated as safe. Finally, the newly generated permission control policy is submitted to the miner nodes as a transaction, and the miner nodes write the new authorization policy into a block and persist it through the consensus protocol.
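The following is an added example that ties steps S1 to S3 together; it is not code from the patent. It derives the controller identifier $\mathit{Key}_{controller}$ as described, computes the trust value with the formula above, builds the $T_{policy}$ transaction with a whitelist, has a miner refuse a transaction the sender cannot pay for, writes accepted policies into proof-of-work blocks with the fields listed in S101, and then performs the key node's S3 lookup: find the responder's latest policy in chain history and test whether the requester's ID is on its whitelist. The class and function names, the token balances, the key strings and the difficulty are assumptions constructed for the illustration.

```python
"""Added example, not code from the patent: a toy permissioned chain for
steps S1-S3 (controller IDs, T_policy whitelists, key-node lookup).
PermissionChain, check_access and the sample keys are assumptions."""
import hashlib
import json
import time


def controller_id(port: int, pub_key: str, priv_key: str) -> str:
    """Key_controller = HASH{Port_con, Key_pub, Key_pri} as SHA-256 hex."""
    material = f"{port}|{pub_key}|{priv_key}".encode()
    return hashlib.sha256(material).hexdigest()


def trust_value(u_active: int, u_deactivate: int) -> float:
    """Q = (u_active + 1) / (u_active + u_deactivate + 2)."""
    return (u_active + 1) / (u_active + u_deactivate + 2)


def make_policy_tx(sender: str, miner: str, amount: int,
                   trust: float, whitelist: list) -> dict:
    """T_policy body: sender, recipient, amount, telemetry (id and trust
    value) and policy (the whitelist of IDs the sender deems safe)."""
    return {"type": "T_policy", "sender": sender, "recipient": miner,
            "amount": amount, "telemetry": {"id": sender, "trust": trust},
            "policy": {"whitelist": sorted(whitelist)}}


class PermissionChain:
    """Blocks carry index, timestamp, transactions, previous hash and a
    difficulty value; mining is a leading-zero proof of work on the hash."""

    def __init__(self, difficulty: int = 2):
        self.difficulty = difficulty
        self.blocks = [self._mine(0, [], "0" * 64)]

    @staticmethod
    def _hash(block: dict) -> str:
        return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

    def _mine(self, index: int, txs: list, prev_hash: str) -> dict:
        block = {"index": index, "timestamp": int(time.time()), "transactions": txs,
                 "prev_hash": prev_hash, "difficulty": self.difficulty, "nonce": 0}
        while not self._hash(block).startswith("0" * self.difficulty):
            block["nonce"] += 1
        block["hash"] = self._hash(block)
        return block

    def submit(self, tx: dict, balances: dict) -> bool:
        """Miner-side check: the sender must hold enough tokens for `amount`
        before the policy is written into a new block."""
        if balances.get(tx["sender"], 0) < tx["amount"]:
            return False
        balances[tx["sender"]] -= tx["amount"]
        last = self.blocks[-1]
        self.blocks.append(self._mine(last["index"] + 1, [tx], last["hash"]))
        return True

    def verify(self) -> bool:
        """Every block must hash correctly and link to its predecessor."""
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            body = {k: v for k, v in cur.items() if k != "hash"}
            if cur["prev_hash"] != prev["hash"] or self._hash(body) != cur["hash"]:
                return False
        return True

    def latest_policy(self, controller: str):
        """Key node (a full node): newest T_policy published by `controller`."""
        for block in reversed(self.blocks):
            for tx in block["transactions"]:
                if tx["type"] == "T_policy" and tx["sender"] == controller:
                    return tx["policy"]
        return None


def check_access(chain: PermissionChain, requester: str, responder: str) -> bool:
    """T_check: is the requester's ID on the responder's on-chain whitelist?
    A responder with no policy on chain is treated as denying everyone."""
    policy = chain.latest_policy(responder)
    return policy is not None and requester in policy["whitelist"]


def demo() -> dict:
    """Constructed sample: three controllers, only the first can afford its policy."""
    c1 = controller_id(8080, "pub-A", "priv-A")   # constructed keys
    c2 = controller_id(8081, "pub-B", "priv-B")
    c3 = controller_id(8082, "pub-C", "priv-C")
    balances = {c1: 10, c2: 1}
    chain = PermissionChain()
    ok1 = chain.submit(make_policy_tx(c1, "miner", 3, trust_value(8, 2), [c2]), balances)
    ok2 = chain.submit(make_policy_tx(c2, "miner", 5, trust_value(0, 4), [c1]), balances)
    return {"submitted": (ok1, ok2), "chain_ok": chain.verify(),
            "c2_to_c1": check_access(chain, c2, c1),
            "c3_to_c1": check_access(chain, c3, c1),
            "c1_to_c2": check_access(chain, c1, c2)}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when reading the result: the miner's balance check is what stops an unfunded controller from publishing a policy at all, so a controller whose policy never landed on chain denies every requester by default, and the key node's answer depends only on chain history, which is why it must be a full node.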
S3. The key node verifies controller identity information. When a controller node in the blockchain network initiates an access request to another controller node, the message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node holding the information of the whole chain, it can find the responder's authorization policy in the transaction history and check whether the whitelist in that policy contains the requester's ID. If verification succeeds, the key node sends a $T_{auth}$ transaction to the requester confirming that the requesting node is safe; if not, the key node returns a refusal and broadcasts it globally.
Controller permission verification has two main steps: first, the key node generates a verification token through the $T_{auth}$ and $T_{access}$ transactions; then the controller judges the authenticity of the token's source by applying the asymmetric encryption algorithm to the token.
S301. Permission access control verifies the requester's identity information through the transaction token information passing through the key node. The identity verification formula is:
$token_{req} = \{T_{access},\ P_{sig},\ P_{acp},\ identity_{p},\ authority_{p}\}$
where $T_{access}$ is the hash of the requesting controller's request transaction digest, $P_{sig}$ is the digital signature of the responder's identity, $P_{acp}$ is the permission control policy the responder uploaded to the blockchain, $identity_{p}$ is the unique identifier of the responder's identity, and $authority_{p}$ is the encrypted information of the node identifiers approved by the responder.
The key node looks up the $T_{check}$ transaction of the responding controller by its ID, decrypts the identity identifiers approved by the responder, and sends a $T_{auth}$ transaction to the requester; after obtaining the authenticated identity information of the requester it can send the transaction $Token_{res}$ to the responder.
$Token_{res}$ is composed as follows:
$Token_{res} = \{T_{auth},\ R_{sig},\ identity_{r},\ verify_{r}\}$
where $T_{auth}$ is the hash of the responding controller's verification transaction digest, $R_{sig}$ is the digital signature of the requester's identity, $identity_{r}$ is the unique identifier of the requester's identity, and $verify_{r}$ is the result of the key node's verification of the requester's identity information.
On receiving $Token_{res}$, the responder decrypts it with its own local private key and verifies the requester's identity.
S302. After the token that verifies identity information has been generated, the token must be digitally signed when it is transmitted, given the distributed trust structure of the block chain network; the signature guarantees the authenticity of the token sender. The signing method follows an asymmetric encryption algorithm, and the encryption formula is:
$c = n^{e} \pmod N \qquad (n = \mathrm{SHA}(M),\ n \le N)$
where $n$ is the hash value of the domain-name information of the responding controller node, $c$ is the digital signature information, and $(e, N)$ is the signer's private key.
The decryption formula at the requesting controller node is:
$s = c^{d} \pmod N$
where $(d, N)$ is the signer's public key, $c$ is the digital signature information that was sent, and $s$ is the confirmation message; if $s$ is consistent with the information obtained from $c$, the correctness of the message is confirmed.
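The token construction of S301 and the signing and verification operations of S302, as an added example that is not part of the patent: it builds a constructed $token_{req}$, hashes its canonical serialisation to obtain $n$, signs with $c = n^e \bmod N$ and verifies with $s = c^d \bmod N$. Key generation (two 256-bit probable primes from a seeded generator so that a 512-bit $N$ always satisfies $n \le N$), the token field values and the JSON serialisation are assumptions the patent does not specify; the exponent labels follow the patent, which calls $(e, N)$ the private key and $(d, N)$ the public key.

```python
"""Added example (not the patent's own code): build the request token of S301,
sign it with the textbook RSA operations of S302 and verify it. Key generation,
token field values and the serialisation format are constructed assumptions."""
import hashlib
import json
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; the caller's seeded rng keeps the example repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modinv(a, m):
    """Extended Euclid: x with a*x = 1 (mod m)."""
    r0, r1, x0, x1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, x0, x1 = r1, r0 - q * r1, x1, x0 - q * x1
    if r0 != 1:
        raise ValueError("exponent not invertible modulo phi(N)")
    return x0 % m


def make_keypair(bits=256, seed=7):
    """Toy key pair (assumption: the patent fixes no key size). Two 256-bit
    primes give a 512-bit N, so a SHA-256 value n always satisfies n <= N.
    Returns ((e, N) private, (d, N) public), using the patent's labels."""
    rng = random.Random(seed)
    while True:
        primes = []
        while len(primes) < 2:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full-size, odd
            if cand not in primes and is_probable_prime(cand, rng):
                primes.append(cand)
        p, q = primes
        N, phi = p * q, (p - 1) * (q - 1)
        d = 65537                      # published exponent: (d, N) is the public key
        if phi % d:                    # d is prime, so this means gcd(d, phi) == 1
            return (modinv(d, phi), N), (d, N)


def sha_int(message: bytes) -> int:
    """n = SHA(M), the digest read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """c = n^e (mod N), with the patent's precondition n <= N."""
    e, N = private_key
    n = sha_int(message)
    if n > N:
        raise ValueError("hash exceeds the modulus")
    return pow(n, e, N)


def verify(message: bytes, c: int, public_key) -> bool:
    """s = c^d (mod N); accept when s equals the hash recomputed from the message."""
    d, N = public_key
    return pow(c, d, N) == sha_int(message)


def make_token_req(t_access, p_sig, p_acp, identity_p, authority_p) -> dict:
    """token_req = {T_access, P_sig, P_acp, identity_p, authority_p} (S301)."""
    return {"T_access": t_access, "P_sig": p_sig, "P_acp": p_acp,
            "identity_p": identity_p, "authority_p": authority_p}


def serialize(token: dict) -> bytes:
    """Canonical JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(token, sort_keys=True, separators=(",", ":")).encode()


def demo():
    """Sign a constructed token, verify it, then show a tampered copy is rejected."""
    private_key, public_key = make_keypair()
    token = make_token_req(
        t_access=hashlib.sha256(b"request-transaction-digest").hexdigest(),
        p_sig="sig-of-responder-identity",        # constructed placeholder
        p_acp="policy-tx-0001",                   # constructed placeholder
        identity_p="controller-B",
        authority_p="enc(switch-1,switch-2)")     # constructed placeholder
    c = sign(serialize(token), private_key)
    genuine = verify(serialize(token), c, public_key)
    forged = dict(token, authority_p="enc(switch-1,switch-2,switch-9)")
    tampered = verify(serialize(forged), c, public_key)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two points a practitioner would check here: the signature covers only the bytes that were serialised, so both controllers must serialise the token identically or verification fails for honest tokens; and the unpadded operation above is exactly what the formula states, whereas a deployment would use a padded signature scheme such as RSA-PSS, because raw RSA on a bare hash is malleable.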
S4. After the identity information has been mutually authenticated, the controller further needs to perform permission authorization for the actual resources under its control domain. Because in-band measurement is performed mainly in the data plane, a data packet forwarded by switches under different domains needs permission authorization from the controller. Cross-domain permission authorization consists of two parts: the path definition of the actual resources, and the cross-domain permission grant itself.
S401. Each controller owns its own administration domain, referred to here as a Namespace. A Namespace is a domain with a layered structure that can be expressed as a URI; the entity that creates the Namespace, the controller, can authorize operations on all resources in the current namespace. The URI structure is as follows:
{Namespace/resourcepath = port/localhost/controlleridentity/switchidentity}
Namespace represents the administration domain of the controller and can be expressed by the port number where the controller resides; resourcepath defines the resource path of a switch under the current controller.
S402. Because controllers have different administration domains, message transmission within one administration domain does not require permission authorization, whereas cross-domain resource access requires the responding controller, after obtaining the identification information sent by the key node, to grant the sending controller permission for the resources under its domain. The DOT (Delegation of Trust) formula is as follows:
$DOT = \langle E_{from},\ E_{to},\ Permissions,\ Metadata,\ Whitelist \rangle$
where $\langle E_{from}, E_{to} \rangle$ is a public-key identifier pair, $(Permissions, Metadata)$ indicates the measurement metadata the receiver may add, and $Whitelist$ identifies the list of routers approved by the receiver. The public-key identifier pair is used mainly to verify the identity information of both controllers; the Whitelist identifies which resources under the current domain the other controller is authorized to access; and Permissions identifies the authorization result.
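The Namespace URI of S401 and the DOT tuple of S402, as an added example that is not part of the patent: it parses a `port/localhost/controlleridentity/switchidentity` URI, treats the port as the Namespace, and decides a resource access the way S402 describes, with no DOT needed inside one domain and a matching DOT required across domains. The controller and switch identities, the key identifiers `pk-A`/`pk-B`, the permission name `add-int-metadata` and the metadata names are constructed for the demonstration.

```python
"""Added example (not the patent's own code): parse the Namespace URI of S401 and
evaluate the DOT tuple of S402 for a cross-domain resource access. Identities,
key identifiers and permission names are constructed values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceURI:
    """{Namespace/resourcepath = port/localhost/controlleridentity/switchidentity}"""
    port: int          # Namespace: the port number where the controller resides
    host: str          # the 'localhost' segment
    controller: str    # controlleridentity
    switch: str        # switchidentity, the resource under that controller


def parse_uri(uri: str) -> ResourceURI:
    """Split the URI into its four segments and validate the Namespace port."""
    parts = uri.strip("/").split("/")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected port/host/controller/switch, got {uri!r}")
    port, host, controller, switch = parts
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"Namespace must be a port number, got {port!r}")
    return ResourceURI(int(port), host, controller, switch)


def is_valid_uri(uri: str) -> bool:
    """Convenience wrapper for callers that only need accept/reject."""
    try:
        parse_uri(uri)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class DOT:
    """DOT = <E_from, E_to, Permissions, Metadata, Whitelist>"""
    e_from: str             # public-key identifier of the granting controller
    e_to: str               # public-key identifier of the controller receiving the grant
    permissions: frozenset  # authorization result, e.g. {"add-int-metadata"}
    metadata: frozenset     # measurement metadata the receiver may add
    whitelist: frozenset    # routers/switches the receiver may access


def authorize(requester, requester_key, target, target_key, dots, wanted_metadata):
    """Return (allowed, reason). Access inside one Namespace needs no DOT (S402);
    cross-domain access needs a DOT from the target's controller to the requester
    that whitelists the target switch and covers the requested metadata."""
    if requester.port == target.port:
        return True, "same administration domain"
    for dot in dots:
        if (dot.e_from, dot.e_to) != (target_key, requester_key):
            continue                      # this DOT does not bind these two controllers
        if target.switch not in dot.whitelist:
            return False, f"{target.switch} is not on the DOT whitelist"
        if "add-int-metadata" not in dot.permissions:
            return False, "DOT does not permit adding measurement metadata"
        missing = wanted_metadata - dot.metadata
        if missing:
            return False, f"metadata not delegated: {sorted(missing)}"
        return True, f"delegated by {dot.e_from} to {dot.e_to}"
    return False, "no DOT binds these controllers"


def demo():
    """Constructed scenario: controller A (Namespace 6633) measures through
    switches under controller B (Namespace 6634)."""
    dot = DOT(e_from="pk-B", e_to="pk-A",
              permissions=frozenset({"add-int-metadata"}),
              metadata=frozenset({"switch_id", "forwarding_time", "queue_congestion"}),
              whitelist=frozenset({"sw-b1", "sw-b2"}))
    requester = parse_uri("6633/localhost/controller-A/sw-a1")

    def check(target_uri, target_key, dots, *wanted):
        target = parse_uri(target_uri)
        return authorize(requester, "pk-A", target, target_key, dots, frozenset(wanted))[0]

    return {
        "intra_domain": check("6633/localhost/controller-A/sw-a2", "pk-A", [dot], "switch_id"),
        "cross_domain_ok": check("6634/localhost/controller-B/sw-b1", "pk-B", [dot],
                                 "switch_id", "forwarding_time"),
        "not_whitelisted": check("6634/localhost/controller-B/sw-b3", "pk-B", [dot], "switch_id"),
        "metadata_denied": check("6634/localhost/controller-B/sw-b1", "pk-B", [dot], "payload"),
        "no_dot": check("6634/localhost/controller-B/sw-b1", "pk-B", [], "switch_id"),
    }
```

The decision is deliberately default-deny: a DOT whose key pair does not bind exactly the granting and receiving controllers is skipped rather than partially honoured, and a request for metadata outside the delegated set fails as a whole rather than being trimmed silently.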
S5. The controller issues the routing policy. After authorization between controllers by the DOT method has passed, switch resources under different control domains can communicate with each other. During in-band measurement, a switch adds its own relevant information to the header of the data packet, including the switch ID, forwarding time, queue congestion state, and so on. When issuing routing information, the controller sets a specific Action-Mapping (action-matching) mode according to switch ID; the mode notifies the switches identified by the different switch IDs in the access permission list to perform specific behaviour, so that only a switch matching the relevant rule may add the corresponding in-band measurement metadata header, while the others may only forward by matching the flow table. This makes in-band measurement behaviour controllable and at the same time improves the network security of in-band measurement.
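The Action-Mapping rule of S5, as an added example that is not part of the patent: the controller derives a per-switch action from the access permission list, each switch on a path either appends an INT metadata header (switch ID, forwarding time, queue congestion state) or only forwards, and a collector-side check flags any header that did not come from a permitted switch, which is the failure mode the policy exists to prevent. The switch IDs, hop timestamps and queue depths are constructed values, and the action names are assumptions.

```python
"""Added example (not the patent's own code): the Action-Mapping rule of S5.
Switch IDs, timestamps and queue depths are constructed values."""
from dataclasses import dataclass, field

ADD_INT_HEADER = "add_int_header"   # assumed action name
FORWARD_ONLY = "forward"            # assumed action name


@dataclass
class Switch:
    switch_id: str
    queue_depth: int          # stands in for the queue congestion state


@dataclass
class Packet:
    payload: bytes
    int_headers: list = field(default_factory=list)   # INT metadata stack


def build_action_mapping(switch_ids, permission_list) -> dict:
    """Controller side: switch IDs in the access permission list may add the
    in-band measurement header; every other switch only matches the flow table."""
    return {sid: ADD_INT_HEADER if sid in permission_list else FORWARD_ONLY
            for sid in switch_ids}


def forward(switch: Switch, packet: Packet, action_map: dict, now: int) -> Packet:
    """Data-plane side: apply the controller-issued action. A switch missing
    from the map is treated as FORWARD_ONLY (default deny for measurement)."""
    if action_map.get(switch.switch_id, FORWARD_ONLY) == ADD_INT_HEADER:
        packet.int_headers.append({"switch_id": switch.switch_id,
                                   "forwarding_time": now,
                                   "queue_congestion": switch.queue_depth})
    return packet


def misbehaving_forward(switch: Switch, packet: Packet, now: int) -> Packet:
    """A switch that ignores its issued action and adds a header on its own,
    the case S5 and claim 1 say must be forbidden; used here to exercise the check."""
    packet.int_headers.append({"switch_id": switch.switch_id,
                               "forwarding_time": now, "queue_congestion": 0})
    return packet


def unauthorized_headers(packet: Packet, permission_list) -> list:
    """Collector side: IDs of headers that no permitted switch should have added."""
    return [h["switch_id"] for h in packet.int_headers
            if h["switch_id"] not in permission_list]


def run_path(path, permission_list, misbehaving_ids=(), start_time=1000):
    """Send one packet along `path`; return (header switch IDs, flagged IDs)."""
    action_map = build_action_mapping([s.switch_id for s in path], permission_list)
    pkt = Packet(b"probe")
    for hop, sw in enumerate(path):
        if sw.switch_id in misbehaving_ids:
            misbehaving_forward(sw, pkt, start_time + hop)
        else:
            forward(sw, pkt, action_map, start_time + hop)
    return ([h["switch_id"] for h in pkt.int_headers],
            unauthorized_headers(pkt, permission_list))


def demo():
    path = [Switch("s1", 3), Switch("s2", 12), Switch("s3", 0), Switch("s4", 7)]
    permitted = {"s1", "s3"}
    compliant = run_path(path, permitted)                          # (['s1', 's3'], [])
    flagged = run_path(path, permitted, misbehaving_ids={"s4"})    # (['s1', 's3', 's4'], ['s4'])
    return compliant, flagged
```

The collector check matters because the data plane cannot stop a compromised switch from writing bytes into a packet; what the controller's permission list gives the collector is a ground truth against which every reported header can be checked, so an unexpected switch ID is detected rather than silently corrupting the measurement.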
Building INT with the P4 language realises real-time monitoring of the network state, minimises dependence on the control plane, and lets developers customise data-plane forwarding operations. Building the permission block chain network and the cross-domain permission granting method minimises the risk of a controller single-point collapse, and because of the 51% attack-resistance property of the consensus protocol, external attackers find it difficult to attack or tamper with the in-band measurement network.
The method of the present invention effectively improves the security of controllers in a programmable network, solves the permission control problem of switches in in-band measurement, and guards well against behaviours such as data tampering and malicious attacks in network measurement.
The protected content of the invention is not limited to the above embodiment. Without departing from the spirit and scope of the invention, various changes and advantages that will be apparent to those skilled in the art are all included in the present invention, and the appended claims define the protection scope.
Claims (11)
1. A safe network in-band measurement method based on block chain technology, comprising the following steps:
S1, construct a permission block chain: the administrator creates a genesis block and writes the basic information of the block chain; controller nodes register in the block chain through different ports, and miner nodes generate new blocks through a consensus protocol and maintain normal operation of the block chain;
S2, controller-defined authorization policy: the controller initiates a transaction to a miner, the newly generated permission control strategy is submitted to the miner node as a trade transaction, and the miner node writes the new authorization policy into a block through the consensus protocol and persists it;
S3, key node checks controller identity information: when a controller node in the block chain network initiates an access request to a specified controller node, the key node finds the recipient's authorization policy from the block chain and verifies whether the initiator satisfies it;
S4, cross-domain permission authorization between controllers: after obtaining the authentication information sent by the key node, the receiving controller can grant permission to the sending controller, and grants the sender the access right to the resources under its own management domain by means of URI resource location;
S5, the controller issues the routing policy: the information issued by the controller includes the in-band measurement permission of the different switches under the current domain, forbidding switches without permission from adding measurement header information on their own, which would otherwise cause disorder in the final measurement.
2. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that different controller nodes register in the block chain through different port numbers, each controller after registration has an accessible identification number, and the identification number is composed of three keys as follows:
$Key_{controller} = \mathrm{HASH}\{Port_{con},\ Key_{pub},\ Key_{pri}\}$
where $Port_{con}$ is the port number of the domain where the current controller resides, $Key_{pub}$ is the public key owned by the current controller, and $Key_{pri}$ is the private key owned by the current controller.
3. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that the in-band measurement process includes a permission control strategy, which greatly enhances the robustness and security of in-band measurement.
4. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that the creation of the permission block chain allows controllers of different domains to independently formulate the access control policy of the current software-defined network.
5. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that controllers across domains need to apply a digital signature when performing permission authorization, following an asymmetric encryption algorithm, with the encryption formula:
$c = n^{e} \pmod N \qquad (n = \mathrm{SHA}(M),\ n \le N)$
where $n$ is the hash value of the domain-name information of the responding controller node, $c$ is the digital signature information, and $(e, N)$ is the signer's private key;
the decryption formula at the requesting controller node is:
$s = c^{d} \pmod N$
where $(d, N)$ is the signer's public key, $c$ is the digital signature information that was sent, and $s$ is the confirmation message; if $s$ is consistent with the information obtained from $c$, the correctness of the message is confirmed.
6. The safe and controllable network in-band measurement method based on block chain technology according to claim 1, characterized in that access control between different controller nodes of the permission block chain is carried out by the key node, which verifies the identity information of the requesting party through transaction token information; the token used to verify identity information is:
$token_{req} = \{T_{access},\ P_{sig},\ P_{acp},\ identity_p,\ authority_p\}$
where $T_{access}$ is the hash value of the requesting controller's request-transaction digest, $P_{sig}$ is the digital signature of the responder's identity, $P_{acp}$ is the permission control strategy the responder uploaded to the block chain, $identity_p$ is the unique identifier of the responder's identity, and $authority_p$ is the encrypted information of the node identifiers approved by the responder;
the key node looks up, by ID, the $T_{check}$ transaction of the responding controller with the corresponding ID, decrypts the identities approved by the responder, and sends a $T_{auth}$ transaction to the requesting party; once the identity information of the requesting party has been authenticated, the transaction token $Token_{res}$ can be sent to the responder;
$Token_{res}$ is composed as follows:
$Token_{res} = \{T_{auth},\ R_{sig},\ identity_r,\ verify_r\}$
where $T_{auth}$ is the hash value of the responding controller's verification-transaction digest, $R_{sig}$ is the digital signature of the requester's identity, $identity_r$ is the unique identifier of the requester's identity, and $verify_r$ is the return value of the key node's verification of the requester's identity information;
on receiving $Token_{res}$, the responder decrypts it with its own local private key and verifies the identity of the requesting party.
7. The safe and controllable network in-band measurement method based on block chain technology according to claim 1, characterized in that the controller can distribute a specified routing policy to the switches of the current domain, and the routing policy determines the manner in which a router adds in-band measurement information by looking up the router information on the white list; the white list is included in the DOT trust delegation, and the DOT formula is as follows:
$DOT = \langle E_{from},\ E_{to},\ Permissions,\ Metadata,\ Whitelist \rangle$
where $\langle E_{from}, E_{to} \rangle$ is a public-key identifier pair, $(Permissions, Metadata)$ indicates the measurement metadata the receiver may add, and $Whitelist$ identifies the list of routers approved by the receiver.
8. The safe and controllable network in-band measurement method based on block chain technology according to claim 1, characterized in that measurement information is collected and forwarded in the data plane, and the controller can control the measurement behaviour of routers and discard malicious routing nodes at any time, improving the security of network measurement.
9. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that in S2 the miner node judges whether the controller is qualified to execute by checking the block chain transaction history, judging whether the initiator's account holds a sufficient token balance; only when tokens are sufficient can the transaction be selected for submission to the block chain; submitting the transaction to a block requires computing a difficulty value, and the new authorization policy is written into the block and persisted through the consensus protocol.
10. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that in S3, when a controller node in the block chain network initiates an access request to a specified controller node, the message is broadcast to the key node; the key node sends a $T_{check}$ transaction to the responding controller node; the key node finds the responder's authorization policy in the block chain transaction history and checks whether the white list in the authorization policy includes the ID of the requesting party; if verification succeeds, the key node sends a $T_{auth}$ transaction to the requesting party, confirming whether the requesting node is safe; if the condition is not satisfied, the key node returns a refusal message and broadcasts it globally, notifying the other nodes of the block chain that the requesting node is untrusted.
11. The safe network in-band measurement method based on block chain technology according to claim 1, characterized in that in S5, during in-band measurement, a switch adds its own relevant information to the header of the data packet, comprising: switch ID, forwarding time, queue congestion state; when issuing routing information, the controller can set a specific Action-Mapping mode according to switch ID, and the mode can control the in-band measurement behaviour of different switches so that only switches with the specified IDs can add the in-band measurement metadata header, while other switches can only match the flow table and forward.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910566636.5A CN110417739B (en) | 2019-06-27 | 2019-06-27 | Safe network in-band measurement method based on block chain technology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110417739A true CN110417739A (en) | 2019-11-05 |
CN110417739B CN110417739B (en) | 2021-06-25 |
Family
ID=68359926
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910566636.5A Active CN110417739B (en) | 2019-06-27 | 2019-06-27 | Safe network in-band measurement method based on block chain technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110417739B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105976231A (en) * | 2016-06-24 | 2016-09-28 | 深圳前海微众银行股份有限公司 | Asset management method based on intelligent block chain contracts and nodes |
CN106796688A (en) * | 2016-12-26 | 2017-05-31 | 深圳前海达闼云端智能科技有限公司 | Permission control method, device and system of block chain and node equipment |
CN109033143A (en) * | 2018-06-11 | 2018-12-18 | 中国科学院广州能源研究所 | Distribution based on block chain divides domain Electric Grid Data Processing System and its method |
CN109104415A (en) * | 2018-07-21 | 2018-12-28 | 江苏飞搏软件股份有限公司 | Construct the system and method for trusted node network |
CN109286623A (en) * | 2018-09-27 | 2019-01-29 | 东莞青柳新材料有限公司 | Human health detection data shared system based on block chain |
CN109639406A (en) * | 2018-12-24 | 2019-04-16 | 国泰君安证券股份有限公司 | Efficient trust solution based on block chain and IPFS |
CN109886675A (en) * | 2019-02-01 | 2019-06-14 | 杭州电子科技大学 | The distribution of resource access token based on block chain and resource use monitoring method |
- 2019-06-27 CN CN201910566636.5A patent/CN110417739B/en active Active
Non-Patent Citations (4)
Title |
---|
JIANWEN CHEN,KAI DUAN,RUMIN ZHANG,LIAOYUAN ZENG,WENYI WANG: "An AI Based Super Nodes Selection Algorithm in BlockChain Networks", 《IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY》 * |
RASHT, IRAN,LAHIJAN: "an efficient forensics architecture in software-defined networking-OIT using blockchain technology", 《SPECIAL SECTION ON SMART CACHING, COMMUNICATIONS, COMPUTING》 * |
WEI YANG, XIAOHONG LI,ZHIYONG FENG, JIANYE HA: "TLSsem: A TLS Security-Enhanced Mechanism against MITM Attacks in Public WiFis", 《2017 INTERNATIONAL CONFERENCE ON ENGINEERING OF COMPLEX COMPUTER SYSTEMS》 * |
YUE ZENG,YUE ZHANG: "review of research on blockchain application development method", 《JOURNAL OF PHYSICS: CONFERENCE SERIES》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111405005A (en) * | 2020-03-06 | 2020-07-10 | 清华大学 | Operation control method and system of block chain and controllable network terminal equipment |
CN112559608A (en) * | 2020-12-04 | 2021-03-26 | 江苏物联网研究发展中心 | Data collaboration method and system |
CN113676476A (en) * | 2021-08-18 | 2021-11-19 | 大连海事大学 | Encrypted jump method based on action programmable software defined network |
CN113676476B (en) * | 2021-08-18 | 2022-07-08 | 大连海事大学 | Encrypted jump method based on action programmable software defined network |
CN115114314A (en) * | 2022-08-29 | 2022-09-27 | 北京微芯区块链与边缘计算研究院 | Data probe-based data detection and extraction method and system |
CN115514691A (en) * | 2022-09-05 | 2022-12-23 | 郑州工程技术学院 | SDN inter-domain cooperative forwarding control architecture and method based on block chain |
Also Published As
Publication number | Publication date |
---|---|
CN110417739B (en) | 2021-06-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |