CN110417739A - A secure in-band network measurement method based on blockchain technology - Google Patents

A secure in-band network measurement method based on blockchain technology

Info

Publication number: CN110417739A
Authority: CN (China)
Prior art keywords: controller, blockchain, node, information, permission
Legal status: Granted
Application number: CN201910566636.5A
Other languages: Chinese (zh)
Other versions: CN110417739B (en)
Inventors: 章玥, 曾月, 蒲戈光
Current assignee: Shanghai Industrial Control Safety Innovation Technology Co Ltd; East China Normal University
Original assignee: Shanghai Industrial Control Safety Innovation Technology Co Ltd; East China Normal University
Application filed by Shanghai Industrial Control Safety Innovation Technology Co Ltd and East China Normal University
Priority to CN201910566636.5A
Publication of CN110417739A
Application granted
Publication of CN110417739B
Legal status: Active

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the fields of in-band measurement and blockchain technology and provides a secure in-band network measurement method based on blockchain technology. The steps include: building a permissioned blockchain, registering controllers as blockchain nodes, and letting each controller define its own access policy; miner nodes persist the authorization policies to the blockchain under the consensus protocol; when different controller nodes access one another, the key node checks the identity information of the controller node against the authorization policies stored on the chain; once identities are confirmed, controller nodes grant permissions on resources in different operating domains, enabling cross-domain access to switches; and the controller issues routing policies that assign specified in-band measurement behaviour to different switches. The method improves the security of controllers in programmable networks, addresses the permission-control problem for switches in in-band measurement, and guards against data tampering and malicious attacks during network measurement.

Description

A secure in-band network measurement method based on blockchain technology
Technical field
The present invention relates to the fields of programmable networks, INT (In-Band Network Telemetry) and blockchain technology, and provides a secure in-band network measurement method based on blockchain technology.
Background
With the rise of the Internet of Things, more devices and new applications keep emerging, and the traditional network architecture can no longer meet the demands for high bandwidth, high reliability and low redundancy; the diversification of hardware and software devices has driven the birth of a new generation of programmable networks. As a new network paradigm, programmable networks not only provide open, programmable interfaces to hardware but also let administrators manage network services from a higher level of abstraction. They separate the control plane from the forwarding plane and allow developers to program the underlying infrastructure from applications and network services. From the earliest DCAN to the birth of software-defined networking (SDN), the core idea of programmable networks has been the separation of centralized network control from the data plane. However, the southbound protocols of traditional SDN, such as OpenFlow, are usually tied to the target hardware and need matching infrastructure devices; administrators cannot customize how forwarding devices process packets or add new forwarding functions. The P4 language provides data-plane programmability: developers can customize the chip with P4, add new protocols or optimize the existing protocol stack, and allocate on-chip resources more sensibly.
Traditional network monitoring technologies such as SNMP are usually based on the control plane polling the underlying network for information; this approach is too intrusive and too slow. Similar methods, such as NetFlow, sFlow and synthetic probes, also fail to detect short-lived events such as microbursts accurately, and in sufficiently large distributed networks the lack of traceable metadata and history can lead to serious service and application incidents. Because P4 can rewrite packet protocols, it enables fine-grained network measurement. INT (In-Band Network Telemetry) is the application of P4 to network measurement: it collects end-to-end data in the data plane and can gather state information in real time. In-band network telemetry attaches key details of packet processing to the data plane; packet transmission consumes no host CPU resources, and by adding metadata to packets it enables packet-level telemetry and visualization of network traffic.
Although INT offers a good solution for monitoring network traffic data, in a programmable network architecture the network configuration, network services, access control and deployment of network security services are all concentrated on the controller in order to schedule network, computing and storage resources cooperatively. Centralized control gives network operation and management a global view and optimal solutions, but it also brings additional management risk. Because the controller connects the application layer to the forwarding layer and performs unified configuration and management of the network devices, it is both a concentrated point of network interference and a potential single point of failure. If the controller's security policy is neglected during network deployment, it is highly exposed to attackers, who may modify the code base, change flow control at some network site, filter or conceal data, and thereby do great harm to network security. Moreover, when the controller OS is under attack or an application running on the controller harbours a security threat, the controller easily loses control, which can paralyse network services across the whole range the controller covers. Second, centralized control makes the controller an easy target for resource-exhaustion attacks such as DoS and DDoS. Finally, the openness of programmable networks means the controller must carefully evaluate which interfaces to expose, to prevent attackers from using them for network surveillance or attacks.
Therefore, efforts to improve the security of programmable network environments currently focus on the controller level. Typically, traffic-scrubbing devices are deployed at the controller ingress to block distributed traffic attacks; a distributed multi-controller scheme can handle the failure of a single controller through automatic controller replacement; and deploying a security agent allows security hardening and vulnerability detection of the applications on the controller. Many experts and scholars have also proposed solutions for programmable network security. For example, FlowVisor, developed on the OpenFlow protocol, can virtualize a hardware device into multiple networks, which improves network security on the one hand and, by adding software security authentication, improves the security of multiple virtual networks on the same physical device on the other; DefenseFlow collects traffic information for attack detection through the SDN control layer and steers traffic through the network only when needed, turning device-based security schemes into a network-wide security service; SE-Floodlight is a software extension of the open-source Floodlight controller that provides authentication and enhanced role-based security restrictions. These methods all alleviate the controller's security problems to some extent.
But as the manager's dominant control over the controller becomes more pronounced, protecting the controller's permission access, security control and data encryption becomes an essential step in establishing a secure programmable network environment. This calls for a general security system that can cope with these threats to software-defined networks, operate in a way that does not affect scalability, raise alerts promptly when malicious attacks are encountered, and produce an auditable, event-based log of what happened on the network. It should scale to keep malicious elements out of the software-defined network, admitting thousands of valid elements while rejecting a single malicious one. Consider such a solution: everything that happens on the programmable network is legitimately auditable and captured in a non-modifiable log, the blockchain; the addition of any control node requires verification of its identity information, and only after most nodes in the blockchain network reach consensus can the control node join the network and carry out measurement activities. Before the devices in the programmable network run, the blockchain information system can use blockchain technology to confirm and authenticate the network devices. In this process no equipment or technology has to be provided to a third party, and the validity of the authentication ensures the accuracy and security of network data.
In a blockchain network, the security maintenance of the various functions depends on all nodes in the whole network that have security-maintenance capability. There is no management hierarchy among the nodes; they are peers. When a node receives data transmitted by another node, it can verify that node's identity information, and if it accepts the data successfully it broadcasts the received information to the whole network. Because the blockchain and its records may exist simultaneously in thousands of places, an attacker who tries to break into a log server and alter the event history to cover their tracks will find that the nodes in the blockchain reject any such change. In this way the behaviour of the programmable network can be made resistant to attack, and automatic, programmable rules can be set for the network.
Summary of the invention
The technologies used by the present invention are mainly: blockchain, the P4 (Programming Protocol-Independent Packet Processors) language for programming intermediate nodes, and INT (In-band Network Telemetry).
The present invention overcomes the limitations of the prior art and proposes a secure in-band measurement method based on blockchain technology. The invention uses the P4 language to implement in-band measurement and customized switch routing policies. By adding INT metadata to packets it can monitor the network state in real time. A southbound API generated from P4 realizes the interaction between the controller and the data plane and customized forwarding strategies. A permissioned blockchain network performs permission control on cross-domain interactions between different controllers, preventing the network security problems caused by the addition of a malicious controller. In the permissioned blockchain, each controller can define the access policy of its own domain, so that the centralized control behaviour of the software-defined network is dispersed. Through in-band measurement and blockchain technology, the invention can effectively analyse dynamic behaviour in the network and improve the security of distributed networks.
The present invention comprises the following steps:
S1, build the permissioned blockchain: the administrator first creates the genesis block; usually the basic information of the initial blockchain is written to a locally generated genesis.json file, including the block number, timestamp, transaction list, difficulty value and hash of the previous block. Different controller nodes are registered to the blockchain through different port numbers; after registration each controller holds an accessible identifier composed of three keys as follows:
$Key_{controller} = \mathrm{HASH}\{Port_{con}, Key_{pub}, Key_{pri}\}$
where $Port_{con}$ is the port number of the domain in which the current controller resides, $Key_{pub}$ is the public key owned by the current controller, and $Key_{pri}$ is the private key owned by the current controller.
After a Hash256 operation this identifier yields the unique address identifier of the controller, signifying that the current controller node has been registered on the blockchain.
When building the permissioned blockchain, besides registering controllers to the chain, a key node and miner nodes must also be created. Key nodes and miner nodes can be deployed on local virtual machines or other servers; since both must store all transaction information on the blockchain, they place higher storage demands on the server.
S2, the controller defines its authorization policy: after a controller has registered to the blockchain, it initiates a $T_{policy}$ transaction to a miner. The transaction is transmitted in JSON format, with the following fields:
Here sender is the sender's address, recipient the receiver's address, and amount the number of tokens spent, which can be expressed by the difficulty value. telemetry carries the data being sent, and policy is expressed as a whitelist: the ID identifiers in the whitelist are checked to determine whether a requester is trusted.
Each controller generates a new permission control policy at registration and submits it to the miner nodes as a transaction. The miner nodes judge whether the controller is qualified by checking the historical transactions on the blockchain, and also check whether the initiator's account has a sufficient token balance; only when tokens suffice is the transaction selected for submission to the blockchain. Likewise, a difficulty value must be computed when submitting the transaction to a block, and the new authorization policy is written to the block and persisted under the consensus protocol;
S3, the key node checks controller identity information: when a controller node in the blockchain network initiates an access request to another specified controller node, the message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node holding the information of the entire blockchain, it can find the responder's authorization policy in the chain's historical transactions and check whether the whitelist in that policy contains the requester's ID. If verification succeeds, the key node sends a $T_{auth}$ transaction to the requester confirming that the requesting node is trusted; if not, the key node returns a refusal message and broadcasts it globally, notifying the other blockchain nodes that the requesting node is untrusted;
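The following Python sketch is an added example of steps S1 to S3 as described above; it is not the patent's implementation or the code of either assignee. It derives a controller identifier exactly as the formula defines it (note that the private key is among the hash inputs, so only the controller itself can recompute its own identifier; other nodes must read it from the registry), writes a genesis block with the fields the text names for genesis.json, queues a $T_{policy}$ transaction using the field names sender, recipient, amount, telemetry and policy (the nesting is assumed, since the JSON layout itself is not reproduced on the page), has the miner enforce the registration and token-balance checks and a leading-zeros difficulty target (an assumed form of the "difficulty value"), and lets a full node answer a requester-to-responder access request with $T_{auth}$ or a refusal by scanning the chain for the responder's latest whitelist. The hash function is SHA-256, assumed for the page's "Hash256".

```python
"""Toy permissioned chain for steps S1-S3: genesis block, controller registration,
T_policy transactions with a whitelist, miner validation with a difficulty target,
and the key node's whitelist lookup. Added example, not the patent's code."""
import hashlib
import json
import time


def block_hash(block: dict) -> str:
    """SHA-256 over every block field except the stored hash itself."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def controller_id(port: int, key_pub: str, key_pri: str) -> str:
    """Key_controller = HASH{Port_con, Key_pub, Key_pri}; Hash256 taken as SHA-256 (assumption).
    The private key is a hash input, so only the controller itself can recompute this ID."""
    return hashlib.sha256(f"{port}|{key_pub}|{key_pri}".encode()).hexdigest()


def genesis_block(difficulty: int) -> dict:
    """Fields the page lists for genesis.json: index, timestamp, transactions, difficulty, previous hash."""
    block = {"index": 0, "timestamp": 0, "transactions": [], "difficulty": difficulty,
             "previous_hash": "0" * 64, "nonce": 0}
    block["hash"] = block_hash(block)
    return block


class PermissionChain:
    def __init__(self, difficulty: int = 2):
        self.difficulty = difficulty          # leading hex zeros a block hash must carry (assumed PoW form)
        self.blocks = [genesis_block(difficulty)]
        self.registry = {}                    # controller ID -> port (the local registry of S102)
        self.balances = {}                    # controller ID -> token balance (assumed ledger)
        self.pending = []

    def register(self, port: int, key_pub: str, key_pri: str, tokens: int) -> str:
        cid = controller_id(port, key_pub, key_pri)
        self.registry[cid] = port
        self.balances[cid] = tokens
        return cid

    def submit_policy(self, sender: str, miner: str, amount: int, whitelist) -> dict:
        """T_policy with the field names the page gives (sender, recipient, amount, telemetry,
        policy); the nesting is assumed. The miner's checks from S2 run before it is queued."""
        if sender not in self.registry:
            raise PermissionError("unregistered controller")
        if self.balances[sender] < amount:
            raise PermissionError("insufficient token balance")
        tx = {"type": "T_policy", "sender": sender, "recipient": miner, "amount": amount,
              "telemetry": {"id": sender}, "policy": {"whitelist": sorted(whitelist)}}
        self.balances[sender] -= amount
        self.pending.append(tx)
        return tx

    def mine(self) -> dict:
        """Miner packs pending transactions and searches a nonce meeting the difficulty target."""
        prev = self.blocks[-1]
        block = {"index": prev["index"] + 1, "timestamp": int(time.time()),
                 "transactions": self.pending, "difficulty": self.difficulty,
                 "previous_hash": prev["hash"], "nonce": 0}
        while not (h := block_hash(block)).startswith("0" * self.difficulty):
            block["nonce"] += 1
        block["hash"] = h
        self.blocks.append(block)
        self.pending = []
        return block

    def valid(self) -> bool:
        """Full-node check: links, stored hashes and difficulty target of every mined block."""
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            if cur["previous_hash"] != prev["hash"] or block_hash(cur) != cur["hash"]:
                return False
            if not cur["hash"].startswith("0" * cur["difficulty"]):
                return False
        return True

    def key_node_check(self, requester: str, responder: str) -> dict:
        """S3: the key node, holding the whole chain, finds the responder's latest T_policy
        and answers T_auth if the requester is whitelisted, else a refusal to broadcast."""
        latest = None
        for block in self.blocks:
            for tx in block["transactions"]:
                if tx["type"] == "T_policy" and tx["sender"] == responder:
                    latest = tx
        if latest is None:
            return {"type": "T_refuse", "requester": requester, "reason": "no policy on chain"}
        if requester in latest["policy"]["whitelist"]:
            return {"type": "T_auth", "requester": requester, "responder": responder}
        return {"type": "T_refuse", "requester": requester, "reason": "not in whitelist"}


if __name__ == "__main__":
    chain = PermissionChain()
    a = chain.register(8080, "pubA", "priA", tokens=5)
    b = chain.register(8081, "pubB", "priB", tokens=5)
    chain.submit_policy(b, "miner-1", amount=1, whitelist=[a])
    chain.mine()
    print(chain.valid(), chain.key_node_check(a, b)["type"])
```

Because the key node always takes the most recent $T_{policy}$ of the responder, a controller can rotate its whitelist by submitting a new policy transaction; the tamper check in valid() shows why editing an already-mined whitelist in place breaks the stored hash and is rejected by every full node.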
S4, cross-domain permission grant by the controller: after verifying the requester's identity information, the responding controller can carry out a $T_{access}$ transaction with the other party; both parties now trust each other. Cross-domain permission granting has two parts: the path definition of actual resources, and the cross-domain grant itself. As the controlling entity of a software-defined network, the controller has control over the switches in its domain; here a controller's domain is called a Namespace. The controller's access path to a resource (switch) in its domain can be expressed as a URI; for example, localhost:8080/controller1/switch_1/.* denotes the actual resource switch 1 under the controller on local port 8080. The URI representation allows resources in different domains to be addressed and permissions to be granted more precisely. Permission granting between different domains is realized with the DOT (Delegation of Trust) method: the identifier of a controller and the URI resource path under its domain are hashed and sent to the requester, who decrypts them with a symmetric encryption algorithm to obtain the communication access credential.
S5, the controller issues routing policies: after authorization through DOT between controllers, switch resources in different control domains can communicate with each other. During in-band measurement, a switch adds its own information to the packet header, including the switch ID, forwarding time and queue congestion state. When issuing routing information the controller sets a specific Action-Mapping (action-match) mode keyed by switch ID; this mode controls the in-band measurement behaviour of different switches, so that only switches with the specified IDs add the in-band measurement metadata header while the others only match the flow table and forward.
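The following Python sketch is an added example of steps S4 and S5 above; it is not the patent's code. The URI form localhost:8080/controller1/switch_1/.* and the DOT hash over (controller identifier, URI path) come from the text; the symmetric protection of the credential in transit (a hash-keystream XOR with an HMAC tag, because the page does not name its cipher), the Namespace class, the packet dictionary and the INT header fields (switch ID, forwarding timestamp, queue depth) are this example's assumptions. The regex for the granted path is anchored so that a grant on switch_1/.* does not also cover switch_10/.*, and a credential that was altered in transit is rejected instead of being decrypted to garbage.

```python
"""Steps S4 and S5: URI-scoped grants between controller namespaces with a DOT-style
credential, and the switch-ID action mapping deciding which switches append INT metadata.
Added example, not the patent's code."""
import hashlib
import hmac
import re

RESOURCE_URI = "localhost:8080/controller1/switch_1/.*"   # example URI from the page


def uri_pattern(uri: str) -> "re.Pattern[str]":
    """Anchor the path regex so switch_1/.* cannot also match switch_10/..."""
    host, _, path = uri.partition("/")
    return re.compile("^" + re.escape(host) + "/" + path + "$")


def dot_credential(controller_id: str, uri: str) -> bytes:
    """DOT: hash of the granting controller's identifier and the URI path under its domain."""
    return hashlib.sha256(f"{controller_id}|{uri}".encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric protection standing in for the page's unnamed cipher: hash-keystream
    XOR plus an HMAC tag, so a modified credential is rejected rather than decrypted."""
    ct = bytes(x ^ k for x, k in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential tampered")
    return bytes(x ^ k for x, k in zip(ct, _keystream(key, nonce, len(ct))))


class Namespace:
    """One controller's domain: its grants to other controllers and the Action-Mapping
    set of switch IDs that add the INT header (assumed representation)."""
    def __init__(self, controller_id: str, int_switches):
        self.controller_id = controller_id
        self.int_switches = set(int_switches)
        self.grants = {}   # requester ID -> list of (uri, compiled pattern)

    def grant(self, requester: str, uri: str, shared_key: bytes, nonce: bytes) -> bytes:
        """Record the grant and return the sealed DOT credential for the requester."""
        self.grants.setdefault(requester, []).append((uri, uri_pattern(uri)))
        return seal(shared_key, nonce, dot_credential(self.controller_id, uri))

    def authorized(self, requester: str, resource: str, credential: bytes) -> bool:
        """A request passes if the resource lies under a granted URI and the presented
        credential equals the DOT hash for that grant (constant-time comparison)."""
        for uri, pattern in self.grants.get(requester, []):
            if pattern.match(resource) and hmac.compare_digest(
                    credential, dot_credential(self.controller_id, uri)):
                return True
        return False

    def forward(self, switch_id: str, packet: dict, ingress_ts: int, queue_depth: int) -> dict:
        """S5 at one hop: INT switches append switch ID, forwarding time and queue state;
        every other switch only forwards (flow-table match) and leaves the packet untouched."""
        if switch_id not in self.int_switches:
            return packet
        out = dict(packet)
        out["int"] = packet.get("int", []) + [
            {"switch_id": switch_id, "ingress_ts": ingress_ts, "queue_depth": queue_depth}]
        return out


def run_path(ns: Namespace, packet: dict, hops) -> dict:
    """Push a packet through hops = [(switch_id, ingress_ts, queue_depth), ...]."""
    for switch_id, ts, q in hops:
        packet = ns.forward(switch_id, packet, ts, q)
    return packet
```

The shared key and nonce are constructed inputs; in a deployment the key would come from the $T_{access}$ exchange between the two controllers and the nonce must never repeat for the same key.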
The present invention is the first to propose a secure in-band network measurement method based on blockchain technology, and it fully exploits the advantages of blockchain and in-band measurement. In terms of the running environment, the invention designs an interactive environment between the in-band measurement network and the blockchain network, combining the flexibility of programmable networks with the security of blockchain networks. In terms of programming language, the invention uses P4, a language for programming intermediate nodes, to attach key packet-processing details to the data plane without consuming host resources, realizing real-time network telemetry. In terms of security, the invention builds a permissioned blockchain that authenticates the interactions between different controllers, improves the security of in-band measurement across control domains through the permission-granting method, and uses digital signatures to keep the message path of control permissions from being maliciously tampered with. In terms of transmission mode, the invention uses p2p distributed networking to provide an efficient and stable transmission path for cluster networks such as data centers.
Brief description of the drawings
Fig. 1 is the flow chart of the secure in-band network measurement method based on blockchain technology of the present invention.
Fig. 2 is a schematic diagram of the working environment of the secure in-band network measurement method based on blockchain technology of the present invention.
Fig. 3 is the sequence diagram of the secure in-band network measurement method based on blockchain technology of the present invention.
Specific embodiment
In conjunction with example and attached drawing is implemented in detail below, the present invention is described in further detail.Implement mistake of the invention Journey, condition, experimental method etc. are among the general principles and common general knowledge in the art in addition to what is specifically mentioned below, this There are no special restrictions to content for invention.
As shown in Figure 1, the present invention can be divided into five main steps: 1. administrator creates permission block chain;2. controller Customized authorization policy;3. cipher key node access control device identity information;4. the cross-domain permission of controller is authorized;5. controller issues Routing policy.In entire invention work working environment shown in Fig. 1.It can be seen that entire measurement environment is by two from Fig. 2 It is grouped as.The permission block chain network that top half is made of controller passes through the Encryption Algorithm in block chain and the association that knows together View ensures controller operation and realizes the authentication of controller, and lower half portion is by source end node and virtual switch unit At with interior measurement network, whole network operates under the management of controller.It is based on block chain technology as can see from Figure 3 Safety Netowrk tape in dynamic cooperation sequence between each object in measurement method, entire method be related to administrator, controller, Totally 5 kinds of roles, administrator are responsible for collecting and surveying data and construct permission block chain for interchanger, miner and cipher key node, control Access control right is arranged by p2p networking, for controller node in device, miner and cipher key node processed.In addition, same area does not control Permission giving method between device has been ensured with the safe and reliable of interior measurement network.Due to being flat by data with interior measuring technique Real time monitoring network behavior is carried out in face, greatly improves the telemetering accuracy and timeliness of programmable network in this way.Two kinds of environment Using controller as middleware interaction, respective mutual supplement with each other's advantages is realized.
Implementation procedure to further describe the present invention, extension illustrates the present invention based on this sentences Fig. 1.It is working In flow chart, at the S1 of entrance, developer need to construct the environment of permission block chain.Basic step includes: permission block chain Initialization and the registration of controller node.
S101. block chain is in initialization, it is necessary first to provide the structure of block, in general block include: index, when Between stamp, Transaction Information, the hash value of previous block message and difficulty value, block information can save in the local database, side Just full node checks historical information.Administrator creates generation block firstly the need of creation, can be locally generated under normal conditions initial The essential information of block chain is written in the genesis.json file of change in this document.Then, it needs to register on block chain complete Node, including cipher key node and miner's node.Since full node contains the historical transactional information of entire block chain, They can help the identity information of access control device node, it can also be ensured that the privacy between controller, in addition, miner's node is also The verification process of block can be participated in by common recognition agreement.Full node can be generally deployed on external server, be reduced local The storage pressure of server, and maintain the load balancing between server.It is created on full node server by Flask frame Local server node is built, and distributed storage is carried out by Progresql database.
S102. when being registered to block chain, administrator needs to open up virtual port number for each node controller node, and Controller node is run on port, each controller node should retain the registry information of other nodes on network, convenient Carry out p2p network communication.After controller node is registered to block chain by different port numbers, each controller is being registered All retain an accessible identification number afterwards, which is made of as follows three keys:
Keycontroller=HASH { Portcon,Keypub,Keypri}
Wherein, PortconThe port numbers in domain, Key where indicating current controllerpubIndicate the public affairs that current controller is possessed Key, KeypriIndicate the private key that current controller is possessed.
The mark can generate the unique address mark of the controller after carrying out hash256 operation, represent current controller Node has been registered as on block chain.
S2. the customized authorization policy of controller.After controller is registered to block chain, believe by searching for local registration table Breath, the miner for being identified as miners to ID initiate TpolicyTransaction, the transaction are transmitted with JSON data format, and format is such as Under:
Wherein, sender represents sender address, and recipient represents reciever address, and amount represents cost Token number can be indicated with difficulty value.Address is all by KeycontrollerIt indicates, is one section of hash address code, due to hash Algorithm is irreversible, therefore the specifying information of each node will not leak in block chain.Telemetry includes what controller was sent Master data information, the information typically include the trust value of the id mark and node of controller.Node trust value is according to control What the behavior of device node processed provided, commonly used to evaluate a controller to the contribution margin of block chain.When controller node is frequent Disengaging block chain network, or from the activity for being not involved in block chain, this node can have very low trust value.Trust value Judgement schematics use EigenTrust algorithm, and formula is as follows:
Q=(uactive+1)/(uactive+udeactivate+2)
Wherein, uactiveRepresent the liveness of controller node, udeactivateRepresent controller node disengaging block chain network Number.In addition, the policy field in authorization policy includes a white list, there is current controller entity authentication the inside The node ID mark of safety.Finally, newly-generated permission control strategy is submitted to miner's node, Kuang Gongjie as trade transactions New authorization policy is written to block and persistence by common recognition agreement by point.
S3. cipher key node access control device identity information.When in block chain network some controller node to other control When device node initiates access request, message can be broadcast to cipher key node.Cipher key node sends T to response controller nodecheckIt hands over Easily, since cipher key node is Quan Jiedian, the information of entire block is saved, therefore, cipher key node can be from block chain historical trading In information find responder authorization policy, check authorization policy in white list whether include requesting party ID mark, such as Fruit is proved to be successful, and cipher key node can send T to requesting partysuthTransaction, confirmation request node is safe;It is such as unsatisfactory for, key Node can return to refusal information, and be broadcast to the overall situation.
Controller is broadly divided into two steps when carrying out Authority Verification: firstly, cipher key node can pass through TauthWith TaccessTransaction generates verifying token, and then, controller judges the source token to token operation rivest, shamir, adelman again Authenticity.
S301. Access control verifies the requester's identity information through transaction token information at the key node. The identity verification token is:
$$token_{req} = \{T_{access},\ P_{sig},\ P_{acp},\ identity_p,\ authority_p\}$$
where T_access is the hash of the requesting controller's request-transaction digest, P_sig is the digital signature of the responder's identity, P_acp is the permission control policy the responder uploaded to the blockchain, identity_p is the unique identifier of the responder's identity, and authority_p is the encrypted information of the node identifiers approved by the responder.
The key node looks up the T_check transaction of the responding controller by its ID, decrypts the identities approved by the responder, and sends a T_auth transaction to the requester. After the requester's identity information has been authenticated, the key node sends Token_res to the responder, composed as follows:
$$Token_{res} = \{T_{auth},\ R_{sig},\ identity_r,\ verify_r\}$$
where T_auth is the hash of the responding controller's verification-transaction digest, R_sig is the digital signature of the requester's identity, identity_r is the unique identifier of the requester's identity, and verify_r is the result of the key node's verification of the requester's identity information.
On receiving Token_res, the responder decrypts it with its own local private key and verifies the requester's identity.
S302. After the identity-verification token has been generated, because the blockchain is a distributed network structure, the token must be digitally signed when it is transmitted; the signature guarantees the authenticity of the token's sender. The signing method follows the RSA asymmetric algorithm, and the signing formula (called the encryption formula in this description) is:
$$c = n^{e} \pmod{N}, \qquad n = SHA(M),\ n \le N$$
where n is the hash of the responding controller node's domain-name information, c is the digital signature, and (e, N) is the signer's private key.
The verification formula (called the decryption formula) on the requesting controller node is:
$$s = c^{d} \pmod{N}$$
where (d, N) is the signer's public key, c is the transmitted digital signature and s is the confirmation value; if s agrees with the hash n recomputed from the received message, the correctness of the message is confirmed.
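The S3 flow above, as an added example that is not the patent's own code: the key node's whitelist lookup against the responder's on-chain policy, the Token_res of S301 signed by the key node, and the textbook-RSA signature and verification formulas of S302. The controller IDs, the sample policies, the exact bytes that R_sig covers and the key material are all constructed for this demonstration; the page fixes only the token fields and the two formulas. Two caveats a practitioner should keep in mind: the description labels (e, N) the private key and (d, N) the public key, the reverse of the usual RSA naming, and it signs the raw hash with no padding, which is why real deployments use a padded scheme such as RSA-PSS from a vetted library. The encryption of Token_res to the responder's key is left out of the example.

```python
"""Added example, not the patent's code: the key node's whitelist check of S3,
the Token_res of S301 and the textbook-RSA signature of S302 in one flow.
Controller IDs, on-chain policies and key material are constructed here."""
import hashlib
import json

# Toy RSA modulus from two Mersenne primes so the block runs offline with only
# the standard library. This key is trivially factorable and exists only so the
# arithmetic is reproducible; real deployments generate keys with a vetted
# library and use a padded signature scheme (RSA-PSS or PKCS#1 v1.5).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
D_PUB = 65537                 # the page calls (d, N) the signer's public key
E_PRIV = pow(D_PUB, -1, PHI)  # and (e, N) the private key; e = d^-1 mod phi(N)


def sha_int(message: bytes) -> int:
    """n = SHA(M) as an integer. n <= N holds because N is about 648 bits."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(message: bytes, e_priv: int = E_PRIV, n_mod: int = N) -> int:
    """S302 'encryption formula': c = n^e mod N over the raw hash (no padding)."""
    n = sha_int(message)
    if n > n_mod:
        raise ValueError("hash must not exceed the modulus")
    return pow(n, e_priv, n_mod)


def rsa_verify(message: bytes, c: int, d_pub: int = D_PUB, n_mod: int = N) -> bool:
    """S302 'decryption formula': s = c^d mod N; accept iff s equals SHA(M)."""
    return pow(c, d_pub, n_mod) == sha_int(message)


# Constructed authorization policies as the key node (a full node) would find
# them in chain history; the policy field carries the responder's whitelist.
CHAIN_POLICIES = {
    "ctrl-B": {"whitelist": ["ctrl-A", "ctrl-C"]},
    "ctrl-C": {"whitelist": []},
}


def key_node_check(requester_id: str, responder_id: str) -> str:
    """S3: 'authorized' only if the requester's ID is on the responder's whitelist."""
    policy = CHAIN_POLICIES.get(responder_id)
    if policy is None or requester_id not in policy["whitelist"]:
        return "refused"      # key node broadcasts the refusal globally
    return "authorized"       # key node sends T_auth to the requester


def canonical(fields: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_token_res(requester_id: str, responder_id: str) -> dict:
    """S301: Token_res = {T_auth, R_sig, identity_r, verify_r}, signed by the key node."""
    verify_r = key_node_check(requester_id, responder_id)
    auth_tx = {"type": "T_auth", "requester": requester_id,
               "responder": responder_id, "result": verify_r}
    t_auth = hashlib.sha256(canonical(auth_tx)).hexdigest()  # hash of the T_auth digest
    body = {"T_auth": t_auth, "identity_r": requester_id, "verify_r": verify_r}
    # R_sig covers identity_r together with the verdict, so neither can be swapped
    # for the other without invalidating the signature (assumed layout).
    return {**body, "R_sig": rsa_sign(canonical(body))}


def responder_accepts(token: dict) -> bool:
    """Responder side: signature must verify and the key node's verdict must be positive."""
    body = {k: token[k] for k in ("T_auth", "identity_r", "verify_r")}
    return rsa_verify(canonical(body), token["R_sig"]) and token["verify_r"] == "authorized"


if __name__ == "__main__":
    tok = build_token_res("ctrl-A", "ctrl-B")
    print("ctrl-A -> ctrl-B accepted:", responder_accepts(tok))
    print("ctrl-D -> ctrl-B accepted:", responder_accepts(build_token_res("ctrl-D", "ctrl-B")))
```

The responder never consults the whitelist itself; it trusts the key node's verdict only because the verdict is bound to identity_r under the key node's signature. Replacing identity_r in a captured token therefore fails verification, which is the property the S302 signature step exists to provide.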
S4. After mutual identity verification, a controller still needs to grant permissions on the actual resources under its control domain. Because in-band measurement is performed mainly in the data plane, when a packet is forwarded by switches in different domains the permission authorization of the controller must be obtained. Cross-domain permission authorization consists of two parts: the path definition of the actual resource and the cross-domain permission authorization itself.
S401. Each controller owns its own administration domain, referred to here as a Namespace. A Namespace is a hierarchically structured domain that can be expressed as a URI; the entity that creates the Namespace, the controller, can authorize operations on all resources in the current Namespace. The URI structure is: {Namespace/resourcepath = port/localhost/controlleridentity/switchidentity}
Namespace represents the controller's administration domain and can be expressed by the port number on which the controller resides; resourcepath defines the resource path of a switch under the current controller.
S402. Because controllers have different administration domains, message transmission within one administration domain needs no permission authorization, whereas cross-domain resource access requires the responding controller, after obtaining the identity information sent by the key node, to grant the sending controller permission on the resources in its domain. The DOT (Delegation of Trust) is defined as:
$$DOT = \langle E_{from},\ E_{to},\ Permissions,\ Metadata,\ Whitelist \rangle$$
where <E_from, E_to> is a pair of public-key identifiers, (Permissions, Metadata) denotes the measurement metadata the receiver may add, and Whitelist identifies the list of routers approved by the receiver. The public-key identifier pair is used mainly to verify the identities of both controllers; resources under the current domain are accessed between controllers under the authorization identified by Whitelist; Permissions identifies the authorization result.
S5. The controller issues routing policy. After DOT authorization between controllers, switch resources under different control domains can communicate with one another. During in-band measurement, a switch adds its own information to the packet header, including the switch ID, forwarding time and queue congestion state. When issuing routing information the controller sets a specific Action-Mapping mode keyed by switch ID: according to the switch IDs in the access permission list, the controller notifies each switch which behaviour to exhibit. Only switches that match the relevant rule may add the in-band measurement metadata header; the others can only forward by matching the flow table. This makes in-band measurement behaviour controllable and improves the security of in-band measurement.
Real-time monitoring of the network state is realized by building INT with the P4 language, which minimizes dependence on the control plane and lets developers define data-plane forwarding operations themselves. Building the permission blockchain network and the cross-domain permission authorization method minimizes the risk of single-point controller failure, and, owing to the consensus protocol's resistance to 51% attacks, external attackers find it difficult to attack or tamper with the in-band measurement network.
The method of the invention effectively improves the security of controllers in programmable networks, solves the permission control problem of switches in in-band measurement, and guards well against data tampering, malicious attacks and similar behaviour in network measurement.
The protected content of the invention is not limited to the above embodiment. Without departing from the spirit and scope of the invention, various changes and advantages that will be apparent to those skilled in the art are all included in the invention, the scope of protection being given by the appended claims.
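Steps S401, S402 and S5 chained together, as an added example that is not the patent's own code: parsing the Namespace URI, deciding whether an access crosses a domain, checking a DOT, and deriving the per-switch Action-Mapping that lets only whitelisted switches add the INT header. The port numbers, controller and switch IDs, the sample DOT and the permission and field names are constructed for this demonstration; the page fixes only the URI layout, the DOT tuple and the three header fields.

```python
"""Added example, not the patent's code: the Namespace URI of S401, the DOT
tuple of S402 and the Action-Mapping of S5. Ports, IDs, the sample DOT and
the permission/field names are constructed for this demonstration."""
from dataclasses import dataclass

# The header fields the description says a switch adds during in-band measurement.
INT_FIELDS = frozenset({"switch_id", "forwarding_time", "queue_congestion"})


def parse_resource_uri(uri: str) -> dict:
    """S401 layout: port/localhost/controlleridentity/switchidentity.
    The port number is the controller's Namespace (administration domain)."""
    parts = uri.split("/")
    if len(parts) != 4 or not parts[0].isdigit() or not all(parts):
        raise ValueError(f"malformed resource URI: {uri!r}")
    port, host, controller, switch = parts
    return {"namespace": int(port), "host": host,
            "controller": controller, "switch": switch}


def needs_dot(requester_uri: str, resource_uri: str) -> bool:
    """S402: traffic inside one administration domain needs no authorization;
    only a cross-domain access requires a DOT."""
    return (parse_resource_uri(requester_uri)["namespace"]
            != parse_resource_uri(resource_uri)["namespace"])


@dataclass(frozen=True)
class DOT:
    """DOT = <E_from, E_to, Permissions, Metadata, Whitelist>."""
    e_from: str              # public-key identifier of the granting (responding) controller
    e_to: str                # public-key identifier of the receiving (requesting) controller
    permissions: frozenset   # authorization result, e.g. {"add_int_metadata"} (assumed name)
    metadata: frozenset      # INT metadata fields the receiver may add
    whitelist: frozenset     # switch (router) IDs the granter approves


def dot_allows(dot: DOT, from_key: str, to_key: str, resource_uri: str, fields) -> bool:
    """A DOT grants access only for its own key pair, a whitelisted switch,
    a positive permission result and metadata fields it actually covers."""
    res = parse_resource_uri(resource_uri)
    return ((dot.e_from, dot.e_to) == (from_key, to_key)
            and res["switch"] in dot.whitelist
            and "add_int_metadata" in dot.permissions
            and set(fields) <= dot.metadata)


def action_mapping(dot: DOT, from_key: str, to_key: str, switch_uris) -> dict:
    """S5: per-switch action keyed by switch ID. Only switches the DOT whitelists
    get 'add_int_header'; every other switch is forwarded by flow-table match only."""
    actions = {}
    for uri in switch_uris:
        switch = parse_resource_uri(uri)["switch"]
        allowed = dot_allows(dot, from_key, to_key, uri, INT_FIELDS)
        actions[switch] = "add_int_header" if allowed else "forward_only"
    return actions


if __name__ == "__main__":
    grant = DOT("pk-B", "pk-A", frozenset({"add_int_metadata"}),
                INT_FIELDS, frozenset({"sw-1", "sw-2"}))
    domain_b = ["6634/localhost/ctrl-B/sw-1", "6634/localhost/ctrl-B/sw-3"]
    print("cross-domain:", needs_dot("6633/localhost/ctrl-A/sw-9", domain_b[0]))
    print(action_mapping(grant, "pk-B", "pk-A", domain_b))
```

The mapping is deny-by-default: a switch that is absent from the DOT whitelist, a DOT bound to a different key pair, or a request for a metadata field the DOT does not cover all collapse to forward_only, which is the behaviour S5 wants for switches without permission.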

Claims (11)

1. A safe in-band network measurement method based on blockchain technology, characterized by comprising the following steps:
S1. Construct the permission blockchain: an administrator creates the genesis block and writes the basic information of the blockchain; controller nodes register in the blockchain through different ports, and miner nodes generate new blocks through the consensus protocol to keep the blockchain operating normally;
S2. Controller-defined authorization policy: the controller initiates a transaction to a miner; the newly generated permission control policy is submitted to the miner node as a trade transaction, and the miner node writes the new authorization policy into a block through the consensus protocol and persists it;
S3. The key node verifies controller identity information: when a controller node in the blockchain network initiates an access request to another controller node, the key node finds the recipient's authorization policy in the blockchain and verifies whether the initiator satisfies it;
S4. Cross-domain permission authorization between controllers: after obtaining the authentication information sent by the key node, the receiving controller authorizes the sending controller and, locating resources by URI, grants the sender access rights to the resources under its own administration domain;
S5. The controller issues routing policy: the information issued by the controller contains the in-band measurement permissions of the different switches in the current domain, and switches without permission are forbidden from adding measurement header information on their own, which would otherwise corrupt the final measurement result.
2. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that different controller nodes register in the blockchain through different port numbers, and after registration each controller has an accessible identification number composed of the following three keys:
$$Key_{controller} = HASH\{Port_{con},\ Key_{pub},\ Key_{pri}\}$$
where Port_con is the port number of the domain in which the current controller resides, Key_pub is the public key held by the current controller, and Key_pri is the private key held by the current controller.
3. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that the in-band measurement process includes a permission control policy, which greatly enhances the robustness and security of in-band measurement.
4. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that creation of the permission blockchain allows the controllers of different domains to independently formulate the access control policies of the current software-defined network.
5. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that cross-domain controllers must digitally sign when granting permissions, following the RSA asymmetric algorithm, with the signing (encryption) formula:
$$c = n^{e} \pmod{N}, \qquad n = SHA(M),\ n \le N$$
where n is the hash of the responding controller node's domain-name information, c is the digital signature, and (e, N) is the signer's private key;
the verification (decryption) formula of the requesting controller node is:
$$s = c^{d} \pmod{N}$$
where (d, N) is the signer's public key, c is the transmitted digital signature and s is the confirmation value; if s agrees with the hash recomputed from the received message, the correctness of the message is confirmed.
6. The safe and controllable in-band network measurement method based on blockchain technology according to claim 1, characterized in that access control between different controller nodes of the permission blockchain verifies the requester's identity information through transaction token information at the key node, the identity verification token being:
$$token_{req} = \{T_{access},\ P_{sig},\ P_{acp},\ identity_p,\ authority_p\}$$
where T_access is the hash of the requesting controller's request-transaction digest, P_sig is the digital signature of the responder's identity, P_acp is the permission control policy the responder uploaded to the blockchain, identity_p is the unique identifier of the responder's identity, and authority_p is the encrypted information of the node identifiers approved by the responder;
the key node looks up the T_check transaction of the responding controller by its ID, decrypts the identities approved by the responder, and sends a T_auth transaction to the requester; after the requester's identity information has been authenticated, the key node sends Token_res to the responder, composed as follows:
$$Token_{res} = \{T_{auth},\ R_{sig},\ identity_r,\ verify_r\}$$
where T_auth is the hash of the responding controller's verification-transaction digest, R_sig is the digital signature of the requester's identity, identity_r is the unique identifier of the requester's identity, and verify_r is the return value of the key node's verification of the requester's identity information;
on receiving Token_res, the responder decrypts it with its own local private key and verifies the requester's identity.
7. The safe and controllable in-band network measurement method based on blockchain technology according to claim 1, characterized in that the controller can assign a specified routing policy to the switches of the current domain, and the routing policy determines how a router adds in-band measurement information by looking up the router information on the whitelist; the whitelist is contained in the DOT trust delegation, defined as:
$$DOT = \langle E_{from},\ E_{to},\ Permissions,\ Metadata,\ Whitelist \rangle$$
where <E_from, E_to> is a pair of public-key identifiers, (Permissions, Metadata) denotes the measurement metadata the receiver may add, and Whitelist identifies the list of routers approved by the receiver.
8. The safe and controllable in-band network measurement method based on blockchain technology according to claim 1, characterized in that measurement information is collected and forwarded in the data plane, and the controller can control the measurement behaviour of routers and discard malicious routing nodes at any time, improving the security of network measurement.
9. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that, in S2, the miner node judges whether the controller is qualified to execute by checking the blockchain transaction history, namely whether the initiator's account holds a sufficient token balance; only when the tokens suffice can the transaction be selected for submission to the blockchain; a difficulty value must be computed when the transaction is submitted to a block, and the new authorization policy is written into the block and persisted through the consensus protocol.
10. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that, in S3, when a controller node in the blockchain network initiates an access request to another controller node, the message is broadcast to the key node; the key node sends a T_check transaction to the responding controller node; the key node finds the responder's authorization policy in the blockchain transaction history and checks whether the whitelist in that policy contains the requester's ID; if verification succeeds, the key node sends a T_auth transaction to the requester confirming whether the requesting node is safe; otherwise the key node returns a refusal and broadcasts it globally, notifying the other blockchain nodes that the requesting node is untrustworthy.
11. The safe in-band network measurement method based on blockchain technology according to claim 1, characterized in that, in S5, during in-band measurement a switch adds its own information to the packet header, comprising the switch ID, forwarding time and queue congestion state; when issuing routing information the controller sets a specific Action-Mapping mode according to switch ID, which controls the in-band measurement behaviour of the different switches so that only switches with the specified IDs can add the in-band measurement metadata header, while the other switches can only forward by matching the flow table.
CN201910566636.5A 2019-06-27 2019-06-27 Safe network in-band measurement method based on block chain technology Active CN110417739B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910566636.5A CN110417739B (en) 2019-06-27 2019-06-27 Safe network in-band measurement method based on block chain technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910566636.5A CN110417739B (en) 2019-06-27 2019-06-27 Safe network in-band measurement method based on block chain technology

Publications (2)

Publication Number Publication Date
CN110417739A true CN110417739A (en) 2019-11-05
CN110417739B CN110417739B (en) 2021-06-25

Family

ID=68359926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910566636.5A Active CN110417739B (en) 2019-06-27 2019-06-27 Safe network in-band measurement method based on block chain technology

Country Status (1)

Country Link
CN (1) CN110417739B (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105976231A (en) * 2016-06-24 2016-09-28 深圳前海微众银行股份有限公司 Asset management method based on intelligent block chain contracts and nodes
CN106796688A (en) * 2016-12-26 2017-05-31 深圳前海达闼云端智能科技有限公司 Permission control method, device and system of block chain and node equipment
CN109033143A (en) * 2018-06-11 2018-12-18 中国科学院广州能源研究所 Distribution based on block chain divides domain Electric Grid Data Processing System and its method
CN109104415A (en) * 2018-07-21 2018-12-28 江苏飞搏软件股份有限公司 Construct the system and method for trusted node network
CN109286623A (en) * 2018-09-27 2019-01-29 东莞青柳新材料有限公司 Human health detection data shared system based on block chain
CN109639406A (en) * 2018-12-24 2019-04-16 国泰君安证券股份有限公司 Efficient trust solution based on block chain and IPFS
CN109886675A (en) * 2019-02-01 2019-06-14 杭州电子科技大学 The distribution of resource access token based on block chain and resource use monitoring method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Jianwen Chen, Kai Duan, Rumin Zhang, Liaoyuan Zeng, Wenyi Wang: "An AI Based Super Nodes Selection Algorithm in BlockChain Networks", IEEE Transactions on Vehicular Technology *
Rasht, Iran, Lahijan: "An efficient forensics architecture in software-defined networking-IoT using blockchain technology", Special Section on Smart Caching, Communications, Computing *
Wei Yang, Xiaohong Li, Zhiyong Feng, Jianye Hao: "TLSsem: A TLS Security-Enhanced Mechanism against MITM Attacks in Public WiFis", 2017 International Conference on Engineering of Complex Computer Systems *
Yue Zeng, Yue Zhang: "Review of research on blockchain application development method", Journal of Physics: Conference Series *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111405005A (en) * 2020-03-06 2020-07-10 清华大学 Operation control method and system of block chain and controllable network terminal equipment
CN112559608A (en) * 2020-12-04 2021-03-26 江苏物联网研究发展中心 Data collaboration method and system
CN113676476A (en) * 2021-08-18 2021-11-19 大连海事大学 Encrypted jump method based on action programmable software defined network
CN113676476B (en) * 2021-08-18 2022-07-08 大连海事大学 Encrypted jump method based on action programmable software defined network
CN115114314A (en) * 2022-08-29 2022-09-27 北京微芯区块链与边缘计算研究院 Data probe-based data detection and extraction method and system
CN115514691A (en) * 2022-09-05 2022-12-23 郑州工程技术学院 SDN inter-domain cooperative forwarding control architecture and method based on block chain

Also Published As

Publication number Publication date
CN110417739B (en) 2021-06-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant