CN110417739B - A secure network in-band measurement method based on blockchain technology - Google Patents


Info

Publication number
CN110417739B
Authority
CN
China
Legal status
Active
Application number
CN201910566636.5A
Other languages
Chinese (zh)
Other versions
CN110417739A
Inventor
章玥
曾月
蒲戈光
Current Assignee
Shanghai Industrial Control Safety Innovation Technology Co ltd
East China Normal University
Original Assignee
Shanghai Industrial Control Safety Innovation Technology Co ltd
East China Normal University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the fields of in-band measurement and blockchain technology and realizes a secure network in-band measurement method based on blockchain technology. Its steps include: constructing a permission blockchain, registering the controllers as blockchain nodes and letting each define its own permission access policy; the miner nodes save the permission policies in the blockchain according to a consensus protocol; when different controller nodes access each other, the key node verifies the identity information of the controller node against the permission policy stored in the blockchain; once its identity information has been confirmed, a controller node grants permissions on resources under different working domains, realizing cross-domain access to switches. The controller issues routing policies and assigns specified in-band measurement behaviors to different switches. The method effectively improves the security of the controller in the programmable network, solves the problem of switch permission control in in-band measurement, and guards well against data tampering, malicious attacks and similar behaviors in network measurement.

Figure 201910566636

Description

Secure network in-band measurement method based on blockchain technology
Technical Field
The invention relates to the technical fields of programmable networks, INT (In-Band Network Telemetry) and blockchain, and realizes a secure network in-band measurement method based on blockchain technology.
Background
With the rise of the Internet of Things, many new devices and applications are continuously emerging; the traditional network architecture cannot meet the requirements of high bandwidth, high reliability and low redundancy, and the diversification of software and hardware devices is driving the emergence of a new generation of programmable networks. As a new network paradigm, programmable networks not only provide an open, programmable interface to the hardware but also let administrators manage network services from a higher level of abstraction; they adopt a structure with separate control and forwarding planes and let developers program the underlying infrastructure from applications and network services. From the earliest DCAN to the birth of Software Defined Networking (SDN), the core idea of the programmable network has been centralized network control separated from the data plane. However, because the southbound protocol of conventional SDN, such as OpenFlow, is usually tied to the target hardware, its implementation needs matching base devices, and the administrator cannot customize how the forwarding device processes packets or add new functions. The advent of the P4 language provides programmability of the data plane: developers can customize the chip based on P4, add new protocols or optimize the original protocol stack, and distribute on-chip resources more reasonably.
In conventional network monitoring technologies such as SNMP, information is generally obtained by the control plane polling the underlying network, which is too restrictive and slow; similarly, methods such as NetFlow, sFlow and synthetic probes are not accurate enough to detect problems caused by short-lived events or microbursts, and especially in a large-scale distributed network the lack of traceable metadata and historical information may cause serious service and application incidents. Because the P4 language can define new packet protocols, it can implement fine-grained network measurement. INT (In-Band Network Telemetry) is the application of the P4 language to network measurement; it gives the data plane end-to-end collection capability and collects status information in real time. In-band network telemetry adds key details about packet processing to the data plane, the transmission of packets does not consume any host CPU resources, and packet-level telemetry is enabled by adding metadata to the packets, thereby realizing visual detection of network traffic.
Although INT provides a good solution for monitoring network traffic data, in a programmable network architecture the network configuration, network services, access control, network security service deployment and the like are all centralized on a controller, which implements coordinated scheduling of network, computing and storage resources. Centralized control brings a global view and optimization to network operations management, but it also brings additional management risks. Because the controller connects the application layer with the forwarding layer and implements the unified configuration and management of the network equipment, it is a centralized point of interference with the network and a potential single point of failure. If the security policy of the controller is neglected in the network deployment, it is very vulnerable to hacking, such as modifying the codebase, changing flow control, or filtering or hiding data at some network locations, which can greatly compromise network security. In addition, when the controller OS is attacked or an application running on the controller carries a security threat, the controller easily loses control and the whole network range it covers can be paralysed; secondly, the centralized control mode makes the controller an easy target for resource-depletion attacks such as DoS and DDoS; and at the same time, because of its openness, the open interfaces of a controller in a programmable network need to be carefully evaluated so that an attacker cannot use them for network monitoring, network attacks and the like.
Therefore, current efforts to improve the security of the programmable network environment focus mainly on the controller level. Generally, traffic-cleaning equipment can be placed at the entrance of a controller to prevent distributed traffic attacks; a distributed multi-controller scheme can be adopted so that the failure of a single controller is handled by automatic controller replacement; and deploying a security agent can harden the applications on the controller and detect their vulnerabilities. Many experts and scholars have also proposed solutions for the security of programmable networks. For example, FlowVisor, developed on the OpenFlow protocol, can virtualize hardware equipment into several networks, which improves network security on the one hand and, on the other hand, improves the security of multiple virtual networks on the same physical device by adding software security authentication; DefenseFlow collects flow information for attack detection through the control layer of the SDN and diverts data flows into the network only when needed, successfully converting a device-based security scheme into a whole-network security service; SE-Floodlight is an open-source software extension of the Floodlight controller that provides role-based authentication and enhanced security restrictions. These approaches all alleviate the security issues of the controller to some extent.
However, as the administrator's dominance over the controller becomes more pronounced, protecting the controller in terms of access permissions, security control, data encryption and the like is an important step toward establishing a secure programmable network environment in the future. This means an overall security system is needed that copes with these threats to the software defined network, operates in a scalable way without affecting its performance, generates timely alerts in the event of malicious attacks, and produces legally auditable logs of the network based on the events that occur. It must prevent malicious elements from entering the software defined network in a scalable manner and deny entry to a single malicious element even while thousands of valid elements join. Imagine such a solution: anything that happens on the programmable network is captured in the blockchain as a legally auditable and unalterable log, and the identity information of any control node that joins must be verified; the node can join the network and perform the relevant measurement activities only after most nodes in the blockchain network have agreed. A blockchain information system may use blockchain techniques to validate and authenticate network devices before they become operational. In this process, no equipment or technology needs to be provided by a third party, and the validity of the authentication ensures the accuracy and security of the network data.
The security of each function in the blockchain network depends on all nodes in the whole network that have security maintenance capability; there is no management hierarchy among the nodes, the nodes are equal, and when one node receives data transmitted by another node it can verify the identity information of that node. If the verification succeeds, it broadcasts the information it received to the entire network. Since the blockchain and its records may exist in thousands of places at the same time, hackers can no longer mask their traces by breaking into the log server and changing the event history, and the nodes in the blockchain can reject any such change in the network. This can protect the behavior of the programmable network from attacks and allows automatic, programmable rules to be set for the network.
Disclosure of Invention
The technology involved in the invention mainly comprises blockchain, the P4 (Programming Protocol-Independent Packet Processors) language for programming intermediate nodes, and INT (In-band Network Telemetry).
The invention overcomes the limitations of the prior art and provides a secure in-band measurement method based on blockchain technology. The invention uses the P4 language to realize the in-band measurement function and to customize the routing policy of the switch. By adding INT metadata to the data packets, the network state can be monitored in real time. A southbound API generated through P4 realizes the interaction between the controller and the data plane and lets the forwarding policy be customized. Cross-domain interaction among different controllers is subjected to permission control by constructing a permission blockchain network, which prevents the network security problems caused by the addition of a malicious controller. In the permission blockchain the controller can customize the access policy of its current domain, so that the centralized control behavior of the software defined network is dispersed. Through in-band measurement and blockchain technology the invention can effectively analyze the dynamic behavior in the network and improves the security of the distributed network.
The invention comprises the following steps:
S1, constructing a permission blockchain: a genesis JSON file is generated locally, and the basic information of the blockchain is written into it, including the block number, the timestamp, the transaction list, the difficulty value, the hash of the previous block and the like. Different controller nodes register in the blockchain through different port numbers; after registration each controller has an accessible identification number, which is composed of three keys as follows:

$Key_{controller} = HASH\{Port_{con}, Key_{pub}, Key_{pri}\}$

where $Port_{con}$ is the port number of the domain in which the current controller is located, $Key_{pub}$ is the public key currently owned by the controller, and $Key_{pri}$ is the private key currently owned by the controller.

After the Hash256 operation is performed on this identifier, a unique address identifier of the controller is generated, which represents that the current controller is registered as a node on the blockchain.
When the permission blockchain is constructed, besides registering the controllers on the blockchain, a key node and miner nodes need to be created. The key node and the miner nodes can be deployed on a local virtual machine or on other servers; since they need to store all transaction information on the blockchain, they impose higher storage requirements on the servers.
S2, the controller defines its own permission policy: after the controller has registered on the blockchain, it initiates a $T_{policy}$ transaction to the miners. The transaction is transmitted in JSON format, as follows:

Figure GDA0002969480350000041

where sender is the sender address, recipient is the receiver address, and amount is the number of tokens spent, which can be expressed by a difficulty value. telemeasure represents the data being sent, and policy is represented by a white list; the safety of the requester is determined by checking whether its id identifier is in the white list.
When registering, each controller submits its newly generated permission control policy to the miner nodes as a transaction. The miner nodes check the blockchain's transaction history to judge whether the controller is qualified to execute it, and also check whether the initiator's account has enough token balance; only transactions whose token balance is sufficient are selected for submission to the blockchain. Likewise, when the transaction is submitted to a block, the difficulty value needs to be computed, and the new permission policy is written into the block through the consensus protocol and permanently stored.
S3, the key node verifies the controller identity information: when a controller node in the blockchain network initiates an access request to another designated controller node, a message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node and stores the information of the whole blockchain, it can search the responder's permission policy in the blockchain transaction history and check whether the white list in that policy contains the ID identifier of the requester. If the verification succeeds, it sends a $T_{auth}$ transaction to the requester, confirming that the requesting node is safe; if not, the key node returns rejection information, broadcasts it globally, and informs the other nodes of the blockchain that the requesting node is untrustworthy.
S4, the controller grants cross-domain permission: after the responding controller has verified the identity information of the requester, the two parties, both now trusted, can perform a $T_{access}$ transaction. The cross-domain permission grant can be divided into two parts: path definition and cross-domain permission granting of entity resources. The controller, as the control entity of the software defined network, has control over the switches under its current domain, and the domain of one controller is referred to here as a Namespace. The access path from the controller to a resource (switch) under the domain can be represented by a URI, such as localhost:8080/controller1/switch_1/, where /switch_1/ represents the physical resource switch 1 under the controller on local port 8080. This URI representation lets resources of different domains be granted permissions more easily when they are accessed. Permission granting between different domains is realized by the DOT (permission of trust) method: after a hash operation is performed on the identifiers of the different controllers and the URI resource paths under their domains, the result is sent to the requesting party, which decrypts it with a symmetric encryption algorithm to obtain a communication access certificate.
S5, the controller issues a routing policy: after the controllers have been authorized by the DOT method, the switch resources under different control domains can communicate with each other. During in-band measurement, a switch adds its own information to the head of the data packet, including the switch ID, forwarding time, queue congestion state and the like. When the controller sends routing information, it can set a specific Action-Mapping according to the IDs of the switches; the Action-Mapping controls the in-band measurement behavior of different switches, so that only a switch with a specified ID adds an in-band measurement metadata header, while the other switches only match the flow table and forward.
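The Action-Mapping of step S5, simulated as an added example (not code from the patent): the controller maps each switch ID to either `int` (push an INT metadata header) or `forward` (flow-table match only), a packet is carried through a constructed three-switch topology, and the collector checks that the INT stack it receives is consistent with the forwarding path. The topology, the `SWITCHES` table and the function names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed topology: switch_id -> flow table (dst -> next hop or "host") and queue depth
SWITCHES = {
    1: {"flow": {"h2": 2}, "queue": 3},
    2: {"flow": {"h2": 3}, "queue": 17},
    3: {"flow": {"h2": "host"}, "queue": 0},
}


@dataclass
class Packet:
    dst: str
    payload: bytes
    int_stack: list = field(default_factory=list)  # INT metadata headers in hop order


def issue_routing_policy(all_switch_ids, int_switch_ids):
    """S5: the controller's Action-Mapping keyed by switch ID. Only IDs in
    int_switch_ids get the 'int' action (add a metadata header); every other
    switch gets plain 'forward' (flow-table match only)."""
    unknown = set(int_switch_ids) - set(all_switch_ids)
    if unknown:
        raise ValueError(f"action mapping names unknown switches: {sorted(unknown)}")
    return {sid: ("int" if sid in int_switch_ids else "forward") for sid in all_switch_ids}


def forward(packet, switches, action_mapping, ingress, clock):
    """Carry the packet hop by hop. A switch whose action is 'int' pushes its
    switch ID, forwarding time and queue state onto the packet's INT stack;
    every switch then forwards according to its flow table. Returns the path."""
    path, sid = [], ingress
    while True:
        if sid in path:
            raise RuntimeError(f"forwarding loop at switch {sid}")
        path.append(sid)
        sw = switches[sid]
        if action_mapping.get(sid) == "int":
            packet.int_stack.append({"switch_id": sid, "ts": clock(), "queue": sw["queue"]})
        nxt = sw["flow"].get(packet.dst)
        if nxt is None:
            raise LookupError(f"switch {sid}: no flow entry for {packet.dst}")
        if nxt == "host":
            return path
        sid = nxt


def sink_report(packet, path):
    """Collector-side check: INT headers must come only from switches on the
    path and appear in path order; returns (switch_id, queue) per INT hop."""
    order = {sid: i for i, sid in enumerate(path)}
    seen = [h["switch_id"] for h in packet.int_stack]
    if any(s not in order for s in seen) or seen != sorted(seen, key=order.get):
        raise ValueError("INT stack inconsistent with forwarding path")
    return [(h["switch_id"], h["queue"]) for h in packet.int_stack]
```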
The invention provides, for the first time, a secure network in-band measurement method based on blockchain technology, which fully exploits the advantages of blockchain and in-band measurement: in terms of operating environment, the invention designs an interaction environment between an in-band measurement network and a blockchain network, combining the flexibility of a programmable network with the security of a blockchain network; in terms of programming language, the invention uses the P4 language to program the intermediate nodes, adds the key details of packet processing to the data plane without consuming host resources, and realizes real-time telemetry of the network; in terms of security, the invention constructs a permission blockchain, verifies the identity of different controllers in their interactions, improves the security of in-band measurement across control domains through a permission granting method, and uses digital signature technology to prevent malicious tampering with the control-permission message path; in terms of transmission, the invention uses the distributed p2p networking mode to provide an efficient and stable transmission path for cluster networks such as data centers.
Drawings
Fig. 1 is a flowchart of a secure in-band network measurement method based on the blockchain technique according to the present invention.
Fig. 2 is a schematic diagram of a working environment of the method for secure in-band measurement of a network based on the blockchain technique according to the present invention.
Fig. 3 is a timing diagram illustrating a method for secure in-band measurement of a network based on a blockchain technique according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings. The procedures, conditions, experimental methods and the like for carrying out the present invention are general knowledge and common general knowledge in the art except for the contents specifically mentioned below, and the present invention is not particularly limited.
As shown in FIG. 1, the invention can be divided into five major steps: (1) the administrator creates a permission blockchain; (2) the controller defines its own permission policy; (3) the key node verifies the identity information of the controller; (4) the controller grants cross-domain permission; (5) the controller issues a routing policy. The entire invention operates in the operating environment shown in FIG. 1. From FIG. 2 it can be seen that the entire measurement environment consists of two parts: the upper half is a permission blockchain network consisting of controllers, whose operation and identity authentication are guaranteed by the encryption algorithm and consensus protocol of the blockchain; the lower half is an in-band measurement network consisting of source end nodes and virtual switches, which operates under the management of the controllers. FIG. 3 shows the dynamic collaboration sequence among the objects in the secure network in-band measurement method based on blockchain technology. The whole method involves five roles: administrator, controller, switch, miner and key node. The administrator is responsible for collecting analysis data and constructing the permission blockchain, while the controllers, miners and key node are networked by p2p to set the access control permissions for the controller nodes. In addition, the permission granting method among controllers in different domains ensures the security and reliability of the in-band measurement network. The in-band measurement technology monitors the network behavior in real time through the data plane, which greatly improves the accuracy and timeliness of telemetry in the programmable network. The two environments interact using the controller as middleware, so that their respective advantages complement each other.
To describe the implementation further, the invention is expanded based on FIG. 1. In the workflow diagram, at entry point S1, the developer needs to build an environment for the permission blockchain. This comprises the following basic steps: initialization of the permission blockchain and registration of the controller nodes.
S101, when initializing the blockchain, the structure of a block needs to be specified first. Generally a block includes the index, the timestamp, the transaction information, the hash value of the previous block and the difficulty value; the block information can be stored in a local database so that the full nodes can conveniently check the historical information. The administrator first needs to create the genesis block, typically by generating an initialized genesis JSON file locally in which the basic information of the blockchain is written. Then the full nodes, including the key node and the miner nodes, need to be registered on the blockchain. Because the full nodes contain the historical transaction information of the whole blockchain, they can help verify the identity information of the controller nodes and ensure privacy among the controllers; in addition, the miner nodes can participate in the block verification process through the consensus protocol. The full nodes can generally be deployed on external servers, which reduces the storage pressure on the local servers and maintains load balance among the servers. Local server nodes are created on the full-node server through the Flask framework, and distributed storage is done through a PostgreSQL database.
S102, when the controller nodes are registered on the blockchain, the administrator needs to set a virtual port number for each node and run the controller node on that port, and each controller node should keep the registry information of the other nodes on the network to facilitate p2p network communication. After the controller nodes have registered on the blockchain through their different port numbers, each controller keeps an accessible identification number, which is composed of three keys as follows:

$Key_{controller} = HASH\{Port_{con}, Key_{pub}, Key_{pri}\}$

where $Port_{con}$ is the port number of the domain in which the current controller is located, $Key_{pub}$ is the public key currently owned by the controller, and $Key_{pri}$ is the private key currently owned by the controller.

After the hash256 operation is performed on this identifier, a unique address identifier of the controller is generated, which represents that the current controller is registered as a node on the blockchain.
S2, the controller defines its own permission policy. After the controller has registered on the blockchain, it looks up the local registry information and initiates a $T_{policy}$ transaction to the miners, i.e. the nodes whose ID is "miners". The transaction is transmitted in JSON format, as follows:

Figure GDA0002969480350000071

where sender is the sender address, recipient is the receiver address, and amount is the number of tokens spent, which can be expressed by a difficulty value. Addresses are all represented by $Key_{controller}$, a segment of hash address code; because the hash algorithm is irreversible, the specific information of each node in the blockchain cannot be leaked. telemeasure contains the basic data sent by the controller, which typically contains the id of the controller and the trust value of the node. Node trust values are assigned based on the behavior of the controller nodes and are typically used to assess the value of a controller's contribution to the blockchain. When a controller node frequently enters and leaves the blockchain network, or never participates in blockchain activity, the node may have a low trust value. The trust value is evaluated with the EigenTrust algorithm, using the following formula:

$q = (u_{active} + 1) / (u_{active} + u_{deactivate} + 2)$

where $u_{active}$ represents the activity of the controller node and $u_{deactivate}$ represents the number of times the controller node has entered and left the blockchain network. In addition, the policy field of the permission policy contains a white list in which the IDs of the nodes that the current controller node has authenticated as safe are stored. Finally, the newly generated permission control policy is submitted to the miner node as a transaction, and the miner node writes the new permission policy into a block through the consensus protocol and permanently stores it.
S3, the key node verifies the identity information of the controller. When a controller node in the blockchain network initiates an access request to other controller nodes, a message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node and stores the information of the whole blockchain, it can search the responder's permission policy in the blockchain's historical transaction information and check whether the white list in that policy contains the ID identifier of the requester. If the verification succeeds, the key node sends a $T_{auth}$ transaction to the requester, confirming that the requesting node is secure; if not, the key node returns rejection information and broadcasts it globally.
The permission verification of a controller mainly comprises the following two steps: first, the key node generates a verification token from the $T_{auth}$ and $T_{access}$ transactions; then the controller runs an asymmetric encryption algorithm on the token to judge the authenticity of the token's source.
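Steps S101/S102, S2 and S3 carried through as one added example (not code from the patent): a minimal permission chain with the block layout of S101, controller registration with the $Key_{controller}$ hash, a $T_{policy}$ transaction carrying the trust value and white list, and the key node's white-list check that answers with $T_{auth}$ or a global rejection. The `DIFFICULTY` value, the `|`-joined hash input, the "miners" recipient and all class and function names are assumptions of this example; the sample controllers are constructed.

```python
import hashlib
import json
import time

DIFFICULTY = 2  # assumed: number of leading zero hex digits a valid block hash needs


def controller_key(port, key_pub, key_pri):
    """Key_controller = HASH{Port_con, Key_pub, Key_pri} (S1/S102).

    The page does not fix the encoding of the three fields, so this example
    joins them with '|' before hashing (an assumption). The page's formula
    folds the private key into a public identifier; the hash is one-way, and
    nothing else in this example ever stores or transmits key_pri."""
    return hashlib.sha256(f"{port}|{key_pub}|{key_pri}".encode()).hexdigest()


def trust_value(u_active, u_deactivate):
    """q = (u_active + 1) / (u_active + u_deactivate + 2) from S2."""
    return (u_active + 1) / (u_active + u_deactivate + 2)


def block_hash(block):
    """Hash of the canonical JSON of a block, excluding its own hash field."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PermissionChain:
    """Permission blockchain with the block layout of S101: index, timestamp,
    transactions, previous hash, difficulty (plus the nonce the miner finds)."""

    def __init__(self):
        self.chain = []
        self.pending = []
        self.registry = {}  # Key_controller -> registry info kept by the nodes (S102)
        self._append_block(previous_hash="0" * 64)  # genesis block

    def _append_block(self, previous_hash):
        block = {"index": len(self.chain), "timestamp": time.time(),
                 "transactions": self.pending, "difficulty": DIFFICULTY,
                 "previous_hash": previous_hash, "nonce": 0}
        # Consensus stand-in: the miner searches a nonce meeting the difficulty value
        while not block_hash(block).startswith("0" * DIFFICULTY):
            block["nonce"] += 1
        block["hash"] = block_hash(block)
        self.chain.append(block)
        self.pending = []
        return block

    def register_controller(self, port, key_pub, key_pri):
        """S102: each controller registers through its own port and keeps an ID."""
        cid = controller_key(port, key_pub, key_pri)
        self.registry[cid] = {"port": port, "key_pub": key_pub}
        return cid

    def submit_policy(self, sender, whitelist, amount, balance, u_active, u_deactivate):
        """S2: a T_policy transaction. The miner rejects unregistered senders and
        senders whose token balance cannot cover the amount."""
        if sender not in self.registry:
            raise ValueError("unregistered controller")
        if balance < amount:
            raise ValueError("insufficient token balance")
        tx = {"type": "T_policy", "sender": sender, "recipient": "miners",
              "amount": amount,
              "telemeasure": {"id": sender,
                              "trust": trust_value(u_active, u_deactivate)},
              "policy": {"whitelist": list(whitelist)}}
        self.pending.append(tx)
        return tx

    def mine(self):
        """The miner writes the pending transactions into a new block."""
        return self._append_block(self.chain[-1]["hash"])

    def latest_policy(self, controller_id):
        """Key node (a full node) searches chain history for the newest T_policy."""
        for block in reversed(self.chain):
            for tx in reversed(block["transactions"]):
                if tx["type"] == "T_policy" and tx["sender"] == controller_id:
                    return tx["policy"]
        return None

    def key_node_check(self, requester, responder):
        """S3: answer an access request with T_auth if the requester is on the
        responder's white list, otherwise with a globally broadcast rejection."""
        policy = self.latest_policy(responder)
        if policy is None or requester not in policy["whitelist"]:
            return {"type": "reject", "requester": requester, "broadcast": "global"}
        return {"type": "T_auth", "requester": requester, "responder": responder}

    def verify_chain(self):
        """Full-node integrity check: every block hash and previous-hash link holds,
        so a white list edited after mining is detected before it is trusted."""
        for i, block in enumerate(self.chain):
            if block["hash"] != block_hash(block):
                return False
            if i and block["previous_hash"] != self.chain[i - 1]["hash"]:
                return False
        return True
```

A key node should run `verify_chain()` before answering from `latest_policy()`, since the white-list lookup alone trusts whatever is in its local copy.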
S301, authority access control: the key node verifies the identity information of the requester through the transaction token information. The token used for verifying the identity information is:
token_req = {T_access, P_sig, P_acp, identity_p, authority_p}
wherein T_access is the hash value of the request transaction digest of the requester controller, P_sig is the digital signature of the responder's identity, P_acp is the authority control policy uploaded to the blockchain by the responder, identity_p is the unique identifier of the responder's identity, and authority_p is the encrypted information of the node identifiers approved by the responder.
The key node uses the ID to look up the T_check transaction of the responding controller corresponding to that ID, decrypts the identity approved by the responder, and sends a T_auth transaction to the requester; after the identity information of the requester has been authenticated, it sends Token_res to the responder.
Token_res is composed as follows:
Token_res = {T_auth, R_sig, identity_r, verify_r}
wherein T_auth is the hash value of the verification transaction digest of the responder controller, R_sig is the digital signature of the requester's identity, identity_r is the unique identifier of the requester's identity, and verify_r is the result of the key node's verification of the requester's identity information.
On receiving Token_res, the responder decrypts it with its own local private key and verifies the identity of the requester.
S302, after the token for verifying the identity information has been generated, and because the blockchain is a distributed network structure without mutual trust, the token must be digitally signed during transmission. The signature guarantees the authenticity of the token sender and follows an asymmetric encryption algorithm, whose encryption formula is:
c = n^e (mod N), where n = SHA(M) and n ≤ N
wherein n is the hash value of the domain name information of the responder controller node, c is the result obtained by the asymmetric encryption algorithm, and (e, N) is the private key of the signer.
The decryption formula of the requester controller node is:
s = c^d (mod N)
wherein (d, N) is the public key of the signer, c is the result obtained by the asymmetric encryption algorithm, and s is the confirmation information; if s is consistent with the hash value n from which c was obtained, the correctness of the message is confirmed.
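The S301/S302 exchange above, as an added example that is not code from the patent: a key node looks up the responder's whitelist, issues Token_res, and signs it with the text's c = n^e mod N scheme, which the responder checks with s = c^d mod N. The RSA primes, controller IDs, the JSON token encoding and the ledger contents are constructed for this illustration.

```python
"""Added example, not code from the patent: the key node's identity check of
step S301 and the signature of step S302 (c = n^e mod N with n = SHA(M),
checked with s = c^d mod N).  The RSA primes, controller IDs, the JSON token
encoding and the ledger contents are all constructed for this illustration."""
import hashlib
import json

# Constructed demonstration key pair.  Tiny primes keep the modular arithmetic
# inspectable; the text's convention is followed: (e, N) signs, (d, N) checks.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                          # signing exponent, held by the key node
D = pow(E, -1, (P - 1) * (Q - 1))  # verification exponent, published


def trust_value(u_active: int, u_deactivate: int) -> float:
    """EigenTrust-style score stored in the S2 policy:
    q = (u_active + 1) / (u_active + u_deactivate + 2)."""
    return (u_active + 1) / (u_active + u_deactivate + 2)


def digest(message: bytes, modulus: int) -> int:
    """n = SHA(M), reduced so that n <= N as the formula requires."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes, priv_exp: int, modulus: int) -> int:
    """c = n^e mod N, computed by the sender with its private exponent."""
    return pow(digest(message, modulus), priv_exp, modulus)


def verify(message: bytes, c: int, pub_exp: int, modulus: int) -> bool:
    """s = c^d mod N; accept only if s equals the digest of the message."""
    return pow(c, pub_exp, modulus) == digest(message, modulus)


# Constructed ledger: authority policies written at step S2, keyed by the
# responder controller's ID.  The whitelist holds the IDs the responder trusts.
LEDGER = {
    "ctrl-B": {
        "trust": trust_value(u_active=40, u_deactivate=2),
        "whitelist": ["ctrl-A", "ctrl-C"],
    },
}


def key_node_verify(requester_id: str, responder_id: str, t_access: str) -> dict:
    """Step S301 on the key node: look up the responder's policy on the chain,
    check its whitelist for the requester and emit a signed Token_res."""
    policy = LEDGER.get(responder_id)
    approved = policy is not None and requester_id in policy["whitelist"]
    token = {
        # T_auth: digest of the authorisation transaction (constructed here
        # from T_access and the requester ID).
        "T_auth": hashlib.sha256(f"{t_access}:{requester_id}".encode()).hexdigest(),
        "identity_r": requester_id,
        "verify_r": approved,
    }
    # R_sig covers every other field, so verify_r cannot be altered in transit.
    body = json.dumps(token, sort_keys=True).encode()
    token["R_sig"] = sign(body, E, N)
    return token


def responder_check(token: dict) -> bool:
    """Step S302 on the responder: verify the key node's signature before
    trusting verify_r.  A modified token fails the signature check."""
    fields = {k: v for k, v in token.items() if k != "R_sig"}
    body = json.dumps(fields, sort_keys=True).encode()
    return verify(body, token["R_sig"], D, N) and fields["verify_r"] is True


if __name__ == "__main__":
    ok = key_node_verify("ctrl-A", "ctrl-B", "t_access_digest_0001")
    print("ctrl-A -> ctrl-B accepted:", responder_check(ok))
    bad = key_node_verify("ctrl-Z", "ctrl-B", "t_access_digest_0002")
    bad["verify_r"] = True          # tampered token: result bit changed
    print("tampered token accepted:", responder_check(bad))
```

Real deployments would use full-size keys with a padded signature scheme (for example RSA-PSS); the raw exponentiation here only mirrors the formulas in the text.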
S4, after the controllers have verified each other's identity information, authorization must additionally be granted for the entity resources under the control domain. Because in-band measurement is carried out mainly on the data plane, controller authorization is required when data packets are forwarded by switches in different domains. The cross-domain authority grant consists of two parts: path definition and cross-domain granting of rights to entity resources.
S401, the administration domain of a controller is called a Namespace. A Namespace is a domain containing a hierarchical structure, which may be represented by a URI, and the entity that creates the Namespace, the controller, may authorize operations on all resources within the current Namespace. The structure of the URI is as follows:
{Namespace/resource_path = port/localhost/controller_identity/switch_identity}
Namespace represents the administration domain of the controller and can be represented by the port number of the controller; resource_path defines the resource path of a switch under the current controller.
S402, because the controllers have different administration domains, message transmission within a single administration domain needs no permission grant, whereas cross-domain resource access requires the responding controller, after obtaining the identity confirmation information sent by the key node, to grant the sender controller permission for the resources under its domain. The DOT (Delegation of Trust) is defined as follows:
DOT = <E_from, E_to, Permissions, Metadata, Whitelist>
wherein <E_from, E_to> is a public key identification pair, (Permissions, Metadata) represents the measurement metadata that the recipient may add, and Whitelist identifies the list of routers approved by the recipient. The public key identification pair is mainly used to verify the identity information of the two controllers; the controller authorizes access to resources in the current domain by means of the Whitelist, and Permissions identifies the authorization result.
S5, the controller issues a routing policy. After the controllers have been authorized by the DOT method, the switch resources under different control domains can communicate with each other. When in-band measurement is carried out, the switch adds information about itself to the header of the data packet, including the switch ID, forwarding time, queue congestion state and so on. When routing information is issued, the controller sets a specific Action-Mapping mode according to the switch ID; the Action-Mapping mode instructs the switches to exhibit specific behaviour according to the ID identifiers of the different switches in the access permission list, so that only switches matching the relevant rules can add a corresponding in-band measurement metadata header, while other switches can only forward by matching the flow table.
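The Action-Mapping of S5, as an added example that is not code from the patent: the controller derives one action per switch from the DOT Whitelist, the data plane applies it hop by hop, and a collector audits the resulting metadata stack for hops that no whitelisted switch should have added. Switch IDs, timestamps and queue depths are constructed.

```python
"""Added example, not code from the patent: the Action-Mapping of step S5.
The controller derives one action per switch from the DOT Whitelist, the data
plane applies it hop by hop, and a collector audits the resulting in-band
metadata stack.  Switch IDs, timestamps and queue depths are constructed."""
from dataclasses import dataclass, field

ADD_INT = "ADD_INT_HEADER"   # switch may push its measurement metadata
FORWARD = "FORWARD_ONLY"     # switch only matches the flow table and forwards


@dataclass
class Packet:
    payload: bytes
    int_stack: list = field(default_factory=list)  # in-band metadata headers


def build_action_mapping(domain_switches, whitelist):
    """Controller side: every switch in the domain gets an explicit action, and
    only IDs present in the DOT Whitelist may add measurement headers."""
    return {sw: (ADD_INT if sw in whitelist else FORWARD) for sw in domain_switches}


def switch_process(packet, switch_id, mapping, fwd_time, queue_depth):
    """Data-plane side: apply the controller's action for this switch.  A switch
    the controller never mapped is treated as forward-only (deny by default)."""
    if mapping.get(switch_id, FORWARD) == ADD_INT:
        packet.int_stack.append(
            {"switch_id": switch_id, "fwd_time": fwd_time, "queue": queue_depth}
        )
    return packet


def forward_along_path(packet, path, mapping):
    """Carry the packet through (switch_id, fwd_time, queue_depth) hops in order."""
    for switch_id, fwd_time, queue_depth in path:
        switch_process(packet, switch_id, mapping, fwd_time, queue_depth)
    return packet


def audit_int_stack(packet, whitelist):
    """Collector side: metadata from a switch outside the Whitelist means either
    a misbehaving device or a stale mapping; such hops should be discarded."""
    return [h["switch_id"] for h in packet.int_stack if h["switch_id"] not in whitelist]


if __name__ == "__main__":
    whitelist = {"s1", "s3"}
    mapping = build_action_mapping(["s1", "s2", "s3", "s4"], whitelist)
    pkt = forward_along_path(
        Packet(b"probe"),
        [("s1", 100, 3), ("s2", 104, 0), ("s3", 109, 7), ("s4", 111, 1)],
        mapping,
    )
    print([h["switch_id"] for h in pkt.int_stack])   # ['s1', 's3']
    print(audit_int_stack(pkt, whitelist))           # []
```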
The INT is constructed using the P4 language, so that real-time monitoring of the network state is achieved, dependence on the control plane is reduced as far as possible, and developers can customize the forwarding operations of the data plane. By constructing the authority blockchain network and the cross-domain authority granting method, the risk of a single-point crash of the controller is reduced as far as possible, and owing to the 51% attack resistance of the consensus protocol, an external attacker can hardly attack or tamper with the in-band measurement network.
The method of the invention effectively improves the security of the controller in the programmable network, simultaneously solves the problem of authority control of the switch in-band measurement, and can well prevent data tampering, malicious attack and other behaviors in network measurement.
The protection of the invention is not limited to the above embodiment examples. Variations and advantages that may occur to those skilled in the art may be incorporated into the invention without departing from the spirit and scope of the inventive concept, and the scope of the appended claims is intended to be protected.

Claims (11)

1. A secure network in-band measurement method based on blockchain technology, characterized in that it comprises the following steps:
S1, constructing an authority blockchain: the administrator creates the genesis block and writes the basic information of the blockchain into it; controller nodes register into the blockchain through different ports, and miner nodes generate new blocks through a consensus protocol to keep the blockchain running normally;
S2, controller-defined authority policy: the controller initiates a transaction to the miners, the newly generated authority control policy is submitted to the miner node as a transaction, and the miner node writes the new authority policy into a block through the consensus protocol and saves it;
S3, the key node verifies the identity information of the controller: when a controller node in the blockchain network initiates an access request to a designated controller node, the key node looks up the receiver's authority policy in the blockchain and verifies whether the initiator satisfies it;
S4, controller cross-domain authority grant: after obtaining the identity verification information sent by the key node, the receiving controller grants authority to the sending controller and, by means of URI resource location, grants the sender access rights to the resources under its own control and management domain;
S5, the controller issues a routing policy: the information issued by the controller contains the in-band measurement authority of the different switches in the current domain, and switches without authority are forbidden to add measurement header information on their own, which would otherwise disorder the final measurement result.
2. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that different controller nodes register into the blockchain through different port numbers, and after registration each controller has an access identification number composed of three keys (given as a formula image in the original), namely: the port number of the domain in which the current controller resides, the public key owned by the current controller, and the private key owned by the current controller.
3. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that the in-band measurement process incorporates an authority control policy, which greatly enhances the robustness and security of in-band measurement.
4. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that the creation of the authority blockchain enables the controllers of different domains to formulate autonomously the access control policy of the current software-defined network.
5. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that a digital signature is required when a cross-domain controller grants authority, following an asymmetric encryption algorithm whose encryption formula is:
c = n^e (mod N), where n = SHA(M) and n ≤ N
wherein n is the hash value of the domain name information of the responder controller node and is less than or equal to N, c is the result obtained by the asymmetric encryption algorithm, and (e, N) is the private key of the signer; the decryption formula of the requester controller node is:
s = c^d (mod N)
wherein (d, N) is the public key of the signer, c is the result obtained by the asymmetric encryption algorithm, and s is the confirmation information; if s is consistent with the information from which c was obtained, the correctness of the message can be confirmed.
6. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that access control between the different controller nodes of the authority blockchain is performed by the key node, which verifies the identity information of the requester through the transaction token information; the token used to verify the identity information is:
token_req = {T_access, P_sig, P_acp, identity_p, authority_p}
wherein T_access is the hash value of the request transaction digest of the requester controller, P_sig is the digital signature of the responder's identity, P_acp is the authority control policy uploaded to the blockchain by the responder, identity_p is the unique identifier of the responder's identity, and authority_p is the encrypted information of the node identifiers approved by the responder;
the key node uses the ID to look up the T_check transaction of the responding controller corresponding to that ID, decrypts the identity approved by the responder, and sends a T_auth transaction to the requester; after the identity information of the requester has been authenticated, it sends Token_res to the responder;
wherein Token_res is composed as follows:
Token_res = {T_auth, R_sig, identity_r, verify_r}
wherein T_auth is the hash value of the verification transaction digest of the responder controller, R_sig is the digital signature of the requester's identity, identity_r is the unique identifier of the requester's identity, and verify_r is the return value of the key node's verification of the requester's identity information;
on receiving Token_res, the responder decrypts it with its own local private key and verifies the identity of the requester.
7. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that the controller assigns a specified routing policy to the switches of the current domain, and the routing policy decides how the routers add in-band measurement information by looking up the router information on the whitelist; the whitelist is contained in the DOT (delegation of trust), whose formula is:
DOT = <E_from, E_to, Permissions, Metadata, Whitelist>
wherein <E_from, E_to> is a public key identification pair, (Permissions, Metadata) represents the measurement metadata added by the recipient, and Whitelist identifies the list of routers approved by the recipient.
8. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that the measurement information is collected and forwarded at the data plane, and the controller can control the measurement behaviour of the routers and discard malicious routing nodes at any time, improving the security of network measurement.
9. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that, in S2, the miner node judges whether the controller is qualified to execute by checking the historical transactions of the blockchain, and judges whether the initiator's account has a sufficient token balance; only when the tokens are sufficient is the transaction selected for submission to the blockchain; when submitting the transaction to a block a difficulty value must be calculated, and the new authority policy is written into the block through the consensus protocol and stored permanently.
10. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that, in S3, when a controller node in the blockchain network initiates an access request to a designated controller node, the message is broadcast to the key node; the key node sends a T_check transaction to the responding controller node; the key node looks up the responder's authority policy in the historical transactions of the blockchain and checks whether the whitelist in the authority policy contains the ID of the requester; if the verification succeeds, the key node sends a T_auth transaction to the requester, confirming whether the requesting node is safe; if it is not satisfied, the key node returns rejection information and broadcasts it globally, notifying the other nodes of the blockchain that the requesting node cannot be trusted.
11. The secure network in-band measurement method based on blockchain technology according to claim 1, characterized in that, in S5, when in-band measurement is performed, the switch adds information about itself to the header of the data packet, including the switch ID, the forwarding time and the queue congestion state; when issuing routing information, the controller sets a specific Action-Mapping mode according to the switch ID, and this Action-Mapping mode controls the in-band measurement behaviour of the different switches so that only switches with the specified IDs can add an in-band measurement metadata header, while other switches can only forward by matching the flow table.
CN201910566636.5A 2019-06-27 2019-06-27 A secure network in-band measurement method based on blockchain technology Active CN110417739B (en)


Publications (2)

Publication Number Publication Date
CN110417739A CN110417739A (en) 2019-11-05
CN110417739B true CN110417739B (en) 2021-06-25




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant