CN110417739B - Safe network in-band measurement method based on block chain technology - Google Patents

Info

Publication number
CN110417739B
Authority
CN
China
Prior art keywords
controller
node
authority
block chain
information
Prior art date
Legal status
Active
Application number
CN201910566636.5A
Other languages
Chinese (zh)
Other versions
CN110417739A (en)
Inventor
章玥
曾月
蒲戈光
Current Assignee
Shanghai Industrial Control Safety Innovation Technology Co ltd
East China Normal University
Original Assignee
Shanghai Industrial Control Safety Innovation Technology Co ltd
East China Normal University
Priority date
Filing date
Publication date
Application filed by Shanghai Industrial Control Safety Innovation Technology Co ltd and East China Normal University
Priority to CN201910566636.5A
Publication of CN110417739A
Application granted
Publication of CN110417739B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical fields of in-band measurement and blockchain, and realizes a secure network in-band measurement method based on blockchain technology. The method comprises the steps of constructing a permission blockchain, registering controllers as blockchain nodes, customizing a permission access policy, and the like. The miner node stores the permission policy in the blockchain according to the consensus protocol; when different controller nodes access each other, the key node verifies the identity information of the controller nodes against the permission policy stored in the blockchain. Through confirmation of identity information, the controller node authorizes resources under different working domains and realizes cross-domain access to switches. The controller issues a routing policy and assigns specified in-band measurement behaviours to different switches. The method effectively improves the security of the controller in a programmable network, solves the problem of permission control for switch in-band measurement, and prevents data tampering, malicious attacks and other behaviours in network measurement.

Description

Safe network in-band measurement method based on block chain technology
Technical Field
The invention relates to the technical fields of programmable networks, INT (In-band Network Telemetry) and blockchain, and realizes a secure network in-band measurement method based on blockchain technology.
Background
With the rise of the Internet of Things, many devices and new applications are continuously emerging, the traditional network architecture cannot meet the requirements of high bandwidth, high reliability and low redundancy, and the diversification of software and hardware devices drives the emergence of a new generation of programmable networks. As a new paradigm for networks, programmable networks not only provide an open, programmable interface to hardware but also allow administrators to manage network services from a higher level of abstraction; they adopt a structure with separate control and forwarding planes and allow developers to program the underlying infrastructure from applications and network services. From the earliest DCAN to the birth of Software Defined Networking (SDN), the core idea of the programmable network has been centralized network control separated from the data plane. However, because the southbound protocol of conventional SDN, such as OpenFlow, is usually tied to the target hardware, its implementation needs matching underlying devices, and the administrator cannot customize how the forwarding device processes packets or add new functions. The advent of the P4 language provides programmability of the data plane: developers can customize the chip's behaviour with P4, add new protocols or optimize the existing protocol stack, and distribute on-chip resources more reasonably.
Conventional network monitoring technologies such as SNMP generally acquire information from the control plane down to the underlying network; this approach is too restrictive and slow. Similarly, methods such as NetFlow, sFlow and synthetic probes are not accurate enough to detect problems caused by short-lived events or microbursts, and in a large-scale distributed network in particular, the lack of traceable metadata and historical information can lead to serious service and application incidents. Because it can define new packet protocols, the P4 language can implement fine-grained network measurement. INT (In-band Network Telemetry) is the application of the P4 language to network measurement: it gives the data plane end-to-end collection capability and collects status information in real time. In-band network telemetry adds key details of packet processing to the data plane; packet transmission does not consume any host CPU resources, and packet-level telemetry is enabled by adding metadata to the packets, thereby realizing visible monitoring of network traffic.
Although INT provides a good solution for monitoring network traffic data, in a programmable network architecture the network configuration, network services, access control, network security service deployment and the like are all centralized on the controller, which implements the coordinated scheduling of network, computing and storage resources. Centralized control brings a global view and optimization capability to network operations management, but it also brings additional management risks. Because the controller connects the application layer with the forwarding layer and realizes unified configuration and management of the network equipment, it is a centralized point of interference with the network and a potential single point of failure. If the security policy of the controller is neglected during network deployment, it is very vulnerable to attacks such as modifying the codebase, changing flow control, or filtering or hiding data at some network locations, which can greatly compromise network security. In addition, when the controller OS is attacked or an APP running on the controller carries a security threat, the controller can easily lose control, causing paralysis of network services across the whole range covered by the controller; secondly, the centralized control mode makes the controller vulnerable to resource-exhaustion attacks such as DoS and DDoS; at the same time, its openness means that the open interfaces of a controller in a programmable network must be carefully evaluated to prevent an attacker from using some interface for network monitoring, network attacks and the like.
Therefore, to improve the security of the programmable network environment, precautions are currently taken mainly at the controller level. Generally, traffic-cleaning equipment can be placed at the entrance of a controller to prevent distributed traffic attacks; a distributed multi-controller scheme can be adopted, so that the failure of a single controller is handled by automatic controller replacement; and the deployment of a security agent can realize security hardening, vulnerability detection and the like for the applications on the controller. Many experts and scholars have also proposed solutions for improving the security of programmable networks: for example, FlowVisor, developed on the OpenFlow protocol, can virtualize hardware equipment into multiple networks, which on the one hand improves network security and on the other hand improves the security of multiple virtual networks on the same physical equipment by adding software security authentication; DefenseFlow collects flow information for attack detection through the control layer of the SDN and diverts data flows into the network only when needed, thereby successfully turning a device-based security scheme into a whole-network security service; SE-Floodlight is a software extension of the open-source Floodlight controller that provides role-based authentication and enhanced security restrictions. These approaches all alleviate the security issues of the controller to some extent.
However, as the administrator's dominance over the controller becomes more pronounced, how to protect the controller in terms of permission access, security control, data encryption and the like is an important step in establishing a secure programmable network environment in the future. This means an overall security system is needed that copes with these threats to the software defined network, operates in a scalable way without affecting its performance, generates timely alerts in the event of malicious attacks, and generates legally auditable logs of the network based on the events that occur. The question is how to prevent malicious elements from entering the software defined network in an extensible manner and, at the same time, deny entry to a single malicious element while thousands of valid elements enter. Imagine a solution in which anything that happens on the programmable network is captured by a blockchain in a legally auditable and unalterable log, the identity information of any control node must be verified before it joins, and the node can join the network and perform the relevant measurement activities only after most nodes in the blockchain network have agreed. A blockchain information system can use blockchain techniques to validate and authenticate network devices before they become operational. In this process, no equipment or technology needs to be provided to a third party, and the validity of the authentication ensures the accuracy and security of network data.
The security maintenance of each function in the blockchain network depends on all nodes in the whole network with security-maintenance capability; there is no management hierarchy among the nodes, the nodes are equal, and when one node receives data transmitted by another node, it verifies the other node's identity information. If the verification succeeds, it broadcasts the information it received to the entire network. Because blockchains and their records may exist in thousands of places at the same time, hackers can no longer try to mask their traces by breaking into a log server and changing the event history, and the nodes in a blockchain can reject any such change in the network. This can protect the behaviour of the programmable network from attacks and allows automatic, programmable rules to be set for the network.
Disclosure of Invention
The technology involved in the invention mainly comprises blockchain, the P4 (Programming Protocol-Independent Packet Processors) language for programming intermediate nodes, and INT (In-band Network Telemetry).
The invention overcomes the limitations of the prior art and provides a secure in-band measurement method based on blockchain technology. It uses the P4 language to realize the in-band measurement function and to define the routing policy of the switch. By adding INT metadata to data packets, the network state can be monitored in real time. A southbound API generated through P4 realizes the interaction between the controller and the data plane and allows the forwarding policy to be customized. Cross-domain interaction among different controllers is placed under permission control by constructing a permission blockchain network, which prevents the network security problems caused by the joining of a malicious controller. In the permission blockchain, a controller can customize the access policy of its current domain, so that the centralized control in the software defined network is dispersed. Through in-band measurement and blockchain technology, the invention can effectively analyze dynamic behaviour in the network and improves the security of the distributed network.
The invention comprises the following steps:
S1, constructing the permission blockchain: a genesis json file is generated locally, and the basic information of the blockchain is written in the file, including block number, timestamp, transaction list, difficulty value, hash of the previous block and the like. Different controller nodes register in the blockchain through different port numbers; after registration each controller has an accessible identification number, which is composed of three keys as follows:
$Key_{controller} = HASH\{Port_{con}, Key_{pub}, Key_{pri}\}$
where $Port_{con}$ is the port number of the domain in which the current controller is located, $Key_{pub}$ is the public key currently owned by the controller, and $Key_{pri}$ is the private key currently owned by the controller.
After the Hash256 operation is performed on the identifier, a unique address identifier of the controller is generated, which indicates that the current controller is registered as a node on the blockchain.
When constructing the permission blockchain, besides registering the controllers to the blockchain, a key node and a miner node need to be created. They can be deployed on a local virtual machine or on other servers; because the miner node and the key node store all transaction information on the blockchain, they impose higher storage requirements on those servers.
S2, the controller customizes the permission policy: after the controller registers to the blockchain, it initiates a $T_{policy}$ transaction to the miners. The transaction is transmitted in JSON format, as follows:
[Figure GDA0002969480350000041: JSON layout of the $T_{policy}$ transaction]
where sender is the sender address, recipient the receiver address, and amount the number of tokens spent, which can be expressed by a difficulty value. telemeasure stands for the data being sent, and policy is a whitelist; the security of a requester is determined by checking for its id in the whitelist.
When registering, each controller submits its newly generated permission control policy to the miner node as a transaction. The miner node judges whether the controller is qualified to execute it by checking the blockchain's historical transactions, and also judges whether the initiator's account has enough token balance; only when the tokens are sufficient is the transaction selected for submission to the blockchain. As with any transaction submitted to a block, the difficulty value must be computed, and the new permission policy is then written into the block through the consensus protocol and permanently stored;
S3, the key node verifies the controller identity information: when a controller node in the blockchain network initiates an access request to another designated controller node, a message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node and stores the information of the whole blockchain, it can look up the responder's permission policy in the blockchain's historical transactions and check whether the whitelist in that policy contains the requester's ID. If the verification succeeds, it sends a $T_{auth}$ transaction to the requester, confirming that the requesting node is safe; if not, the key node returns rejection information, broadcasts it globally, and informs the other nodes of the blockchain that the requesting node is untrustworthy;
S4, the controller grants cross-domain permission: after the responding controller has verified the requester's identity information, it can carry out a $T_{access}$ transaction with the other party, at which point both parties to the transaction are trusted. Cross-domain permission granting can be divided into two parts: path definition and cross-domain permission granting of entity resources. The controller, as the control entity of the software defined network, has control over the switches in its current domain, and the domain of one controller is referred to here as a Namespace. The controller's access path to a resource (switch) in its domain can be represented by a URI, such as localhost:8080/controller1/switch_1/, which represents the physical resource switch_1 under the controller on local port 8080. Representing resources as URIs allows resources of different domains to be granted permission more precisely when accessed. Permission granting between different domains is realized by the DOT (permission of trust) method: the identifiers of the different controllers and the URI resource paths in their domains are hashed and sent to the requesting party, and the requesting party decrypts them with a symmetric encryption algorithm to obtain a communication access certificate.
S5, the controller issues a routing policy: after the controllers have been authorized by the DOT method, switch resources in different control domains can communicate with each other. When in-band measurement is carried out, the switch adds its own information to the head of the data packet, including switch ID, forwarding time, queue congestion state and the like. When the controller sends routing information, it can set a specific Action-Mapping mode according to the switch ID; the Action-Mapping mode controls the in-band measurement behaviours of different switches, so that only the switch with the specified ID adds an in-band measurement metadata header, while the other switches only match the flow table for forwarding.
The invention provides a safe network in-band measurement method based on the block chain technology for the first time, which fully utilizes and exerts the advantages of the block chain and in-band measurement technology: in terms of operation environment, the invention designs an interaction environment of an in-band measurement network and a block chain network, and combines the advantages of the flexibility of a programmable network, the safety of the block chain network and the like; from the programming language, the invention uses a language P4 for programming the intermediate node, adds the key details of data packet processing to the data plane without consuming host resources, and realizes the real-time remote measurement of the network; in terms of safety, the invention constructs an authority block chain, carries out identity verification on the interaction behaviors of different controllers, improves the safety of in-band measurement under different control domains through an authority granting method, and prevents the malicious tampering of the message path of the control authority by using a digital signature technology; in the transmission mode, the invention uses the distributed networking mode of p2p to provide an efficient and stable transmission path for cluster networks such as data centers and the like.
Drawings
Fig. 1 is a flowchart of a secure in-band network measurement method based on the blockchain technique according to the present invention.
Fig. 2 is a schematic diagram of a working environment of the method for secure in-band measurement of a network based on the blockchain technique according to the present invention.
Fig. 3 is a timing diagram illustrating a method for secure in-band measurement of a network based on a blockchain technique according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings. The procedures, conditions, experimental methods and the like for carrying out the present invention are general knowledge and common general knowledge in the art except for the contents specifically mentioned below, and the present invention is not particularly limited.
As shown in FIG. 1, the present invention can be divided into five major steps: (1) the administrator creates the permission blockchain; (2) the controller customizes the permission policy; (3) the key node verifies the identity information of the controller; (4) the controller grants cross-domain permission; (5) the controller issues a routing policy. The entire invention operates in the environment shown in fig. 1. From fig. 2 it can be seen that the entire measurement environment consists of two parts. The upper half is a permission blockchain network consisting of controllers, in which the operation of the controllers and their identity authentication are guaranteed by the encryption algorithm and consensus protocol of the blockchain; the lower half is an in-band measurement network consisting of source nodes and virtual switches, and the whole network operates under the management of the controllers. Fig. 3 shows the dynamic collaboration sequence among the objects of the secure network in-band measurement method based on blockchain technology. The whole method involves five roles: administrator, controller, switch, miner and key node. The administrator is responsible for collecting analysis data and constructing the permission blockchain, while the controller, miner and key node are networked by p2p to set the access control permission for the controller nodes. In addition, the permission granting method among controllers in different domains ensures the security and reliability of the in-band measurement network. The in-band measurement technology monitors network behaviour in real time through the data plane, so the accuracy and timeliness of telemetry in the programmable network are greatly improved. The two environments interact with the controller as middleware, so their respective advantages complement each other.
To describe the implementation further, the invention is expanded on the basis of FIG. 1. In the workflow diagram, at entry point S1 the developer needs to build the environment for the permission blockchain, which comprises the following basic steps: initialization of the permission blockchain and registration of the controller nodes.
S101, when initializing the blockchain, the structure of a block must first be specified; generally a block includes the index, the timestamp, the transaction information, the hash value of the previous block and the difficulty value. Block information can be stored in a local database so that full nodes can conveniently check historical information. The administrator first needs to create the genesis block, typically by generating an initialized genesis json file locally in which the basic information of the blockchain is written. Then the full nodes, including the key node and the miner node, must be registered on the blockchain. Because full nodes hold the historical transaction information of the whole blockchain, they can help verify the identity information of the controller nodes while preserving privacy between controllers; in addition, the miner nodes also take part in block verification through the consensus protocol. Full nodes can generally be deployed on external servers, which reduces the storage pressure on local servers and maintains load balance among servers. Local server nodes are created on the full-node server through the Flask framework, and distributed storage is performed through a PostgreSQL database.
S102, when registering controller nodes in the blockchain, the administrator needs to set a virtual port number for each node and run the controller node on that port, and each controller node should keep registry information about the other nodes on the network to facilitate p2p communication. After the controller nodes register to the blockchain through different port numbers, each controller keeps an accessible identification number, which is composed of three keys as follows:
$Key_{controller} = HASH\{Port_{con}, Key_{pub}, Key_{pri}\}$
where $Port_{con}$ is the port number of the domain in which the current controller is located, $Key_{pub}$ is the public key currently owned by the controller, and $Key_{pri}$ is the private key currently owned by the controller.
After the hash256 operation is performed on the identifier, a unique address identifier of the controller is generated, which indicates that the current controller is registered as a node on the blockchain.
S2, the controller customizes the permission policy. After the controller registers to the blockchain, it looks up its local registry information and initiates a $T_{policy}$ transaction to the nodes whose ID is miner. The transaction is transmitted in JSON format, as follows:
[Figure GDA0002969480350000071: JSON layout of the $T_{policy}$ transaction]
where sender is the sender address, recipient the receiver address, and amount the number of tokens spent, which can be expressed by a difficulty value. All addresses are represented by $Key_{controller}$, a segment of hash address code; because the hash algorithm is irreversible, the specific information of each node in the blockchain is not leaked. The telemeasure field contains the basic data sent by the controller, which typically comprises the id of the controller and the trust value of the node. Node trust values are assigned based on the behaviour of the controller nodes and are typically used to assess the value of a controller's contribution to the blockchain. A controller node that frequently enters and leaves the blockchain network, or never participates in blockchain activity, may have a low trust value. The trust value is evaluated with the EigenTrust algorithm, using the following formula:
$q = (u_{active} + 1) / (u_{active} + u_{deactivate} + 2)$
where $u_{active}$ is the activity of the controller node and $u_{deactivate}$ is the number of times the controller node has entered and left the blockchain network. In addition, the policy field of the permission policy contains a whitelist storing the IDs of the nodes that the current controller node has authenticated as safe. Finally, the newly generated permission control policy is submitted to the miner node as a transaction, and the miner node writes the new permission policy into a block through the consensus protocol and stores it permanently.
S3, the key node verifies the identity information of the controller. When a controller node in the blockchain network initiates an access request to other controller nodes, a message is broadcast to the key node. The key node sends a $T_{check}$ transaction to the responding controller node. Because the key node is a full node and stores the information of the whole blockchain, it can look up the responder's permission policy in the blockchain's historical transaction information and check whether the whitelist in that policy contains the requester's ID. If the verification succeeds, the key node sends a $T_{auth}$ transaction to the requester, confirming that the requesting node is secure; if not, the key node returns rejection information and broadcasts it globally.
The controller's permission verification mainly comprises the following two steps: first, the key node generates a verification token through the $T_{auth}$ and $T_{access}$ transactions; then the controller runs an asymmetric encryption algorithm on the token to judge the authenticity of the token's source.
S301, permission access control: the key node verifies the identity information of the requester through the transaction token information, the token being defined as follows:
$token_{req} = \{T_{access}, P_{sig}, P_{acp}, identity_p, authority_p\}$
where $T_{access}$ is the hash value of the transaction digest requested by the requester controller, $P_{sig}$ is the digital signature of the responder's identity, $P_{acp}$ is the permission control policy uploaded to the blockchain by the responder, $identity_p$ is the unique identification of the responder's identity, and $authority_p$ is the encrypted information of the node identifiers approved by the responder.
The key node searches T of the response controller corresponding to the ID through the IDcheckThe transaction, and decrypts the identity approved by the responder, and sends T to the requesterauthThe transaction, after obtaining the identity information authentication of the requesting party, will send Token to the responding partyres
Wherein, TokenresThe composition of (A) is as follows:
Tokenres={Tauth,Rsig,idnetityr,verifyr}
wherein, TauthValidating a hash value, R, of a transaction digest for a responder controllersigDigital signature for identity of requesting partyrBeing a unique identification of the identity of the requesting party, verifyrThe result of verifying the identity information of the requestor for the key node.
The responder is receiving TokenresAnd decrypting by using the local private key of the user, and verifying the identity of the requester.
S302, after the token for verifying identity information has been generated, because the blockchain is a trustless distributed network structure, the token must be digitally signed during transmission. The signature guarantees the authenticity of the token sender; it follows an asymmetric encryption algorithm, and the encryption formula is:
c = n^e (mod N), where n = SHA(M) and n ≤ N
where n is the hash value of the domain name information of the responder controller node, c is the result obtained by the asymmetric encryption algorithm, and (e, N) is the private key of the signer.
The decryption formula of the requester controller node is:
s = c^d (mod N)
where (d, N) is the public key of the signer, c is the result obtained by the asymmetric encryption algorithm, and s is the confirmation information; if s matches the hash value n from which c was produced, the correctness of the message is confirmed.
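The S3 whitelist check and the S301/S302 token and signature steps, as an added Python simulation that is not part of the patent: the chain contents, controller IDs, the key node's key pair and the JSON layout of transactions are constructed assumptions, and the page's c = n^e (mod N) / s = c^d (mod N) scheme is run as textbook RSA on toy primes.

```python
import hashlib
import json

# Textbook RSA parameters (constructed, toy-sized, NOT secure). The page's scheme:
#   sign:   c = n^e (mod N), n = SHA(M), n <= N, with the signer's private key (e, N)
#   verify: s = c^d (mod N) with the signer's public key (d, N); accept iff s == n.
# Small primes keep the numbers readable; a real deployment needs a >= 2048-bit
# modulus and a padded scheme such as RSA-PSS instead of raw exponentiation.
P, Q = 1000003, 1000033                      # constructed primes
N_MOD = P * Q
PUB_D = 65537                                # public exponent d
PRIV_E = pow(PUB_D, -1, (P - 1) * (Q - 1))   # private exponent e (Python 3.8+)


def digest(message: bytes) -> int:
    """n = SHA(M), reduced so that n <= N as the formula requires."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N_MOD


def sign(message: bytes, priv_e: int = PRIV_E) -> int:
    """c = n^e (mod N)."""
    return pow(digest(message), priv_e, N_MOD)


def verify(message: bytes, c: int, pub_d: int = PUB_D) -> bool:
    """s = c^d (mod N); the message is genuine iff s equals n recomputed from it."""
    return pow(c, pub_d, N_MOD) == digest(message)


# Constructed block history: authority-policy transactions as submitted in S2. The
# 'policy' field carries the owner's whitelist; a newer transaction supersedes older ones.
CHAIN = [
    {"tx": "policy", "owner": "ctrl-B", "policy": {"whitelist": ["ctrl-A"]}},
    {"tx": "policy", "owner": "ctrl-B", "policy": {"whitelist": ["ctrl-A", "ctrl-D"]}},
    {"tx": "policy", "owner": "ctrl-C", "policy": {"whitelist": []}},
]


def latest_policy(chain, owner):
    """Full-node lookup of the newest authority policy the responder submitted."""
    for entry in reversed(chain):
        if entry["tx"] == "policy" and entry["owner"] == owner:
            return entry["policy"]
    return None


def tx_hash(tx: dict) -> str:
    """Hash of a transaction digest, used for the T_auth field."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()


def key_node_check(chain, requester_id, responder_id):
    """S3/S301: fetch the responder's policy, test its whitelist, and return the
    decision ('T_auth' or 'reject') together with Token_res for the responder.
    The key node's own key signs identity_r; a rejection would also be broadcast."""
    policy = latest_policy(chain, responder_id)
    approved = policy is not None and requester_id in policy["whitelist"]
    t_auth_tx = {"tx": "T_auth", "req": requester_id, "res": responder_id,
                 "verified": approved}
    token_res = {
        "T_auth": tx_hash(t_auth_tx),
        "R_sig": sign(requester_id.encode()),
        "identity_r": requester_id,
        "verify_r": approved,
    }
    return ("T_auth" if approved else "reject"), token_res


def responder_accepts(token_res, key_node_pub=PUB_D) -> bool:
    """Responder side: the signature over identity_r must verify under the key node's
    public key and the verdict must be positive. Only identity_r is signed, as in the
    page's Token_res; also binding T_auth and verify_r would stop verdict tampering."""
    sig_ok = verify(token_res["identity_r"].encode(), token_res["R_sig"], key_node_pub)
    return sig_ok and token_res["verify_r"] is True
```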
S4, after the controllers have verified each other's identity information, authorization must be further granted for the entity resources under each control domain. Because in-band measurement is carried out mainly on the data plane, the controller's authorization must be granted when data packets are forwarded by switches in different domains. The cross-domain authority grant consists of two parts: path definition and cross-domain authority granting for entity resources.
S401. The controller's domain is called a Namespace because the controller has its own jurisdiction. A Namespace is a domain containing a hierarchical structure, which may be represented by a URI; the entity that creates the Namespace, the controller, may authorize operations on all resources within the current Namespace. The structure of the URI is as follows:
{Namespace/resourcepath = port/localhost/controlleridentity/switchidentity}
Namespace represents the administration domain of the controller and can be represented by the controller's port number; resourcepath defines the resource path of the switch under the current controller.
S402, because controllers have different administration domains, message transmission within a single administration domain needs no permission grant, whereas cross-domain resource access requires the responding controller, after obtaining the identity confirmation sent by the key node, to grant the sending controller permission for the resources in its domain. The formula of the DOT (Delegation of Trust) is as follows:
DOT = <E_from, E_to, Permissions, Metadata, Whitelist>
where <E_from, E_to> is a public key identification pair, (Permissions, Metadata) represents the measurement metadata the recipient may add, and Whitelist identifies the list of routers the recipient approves. The public key identification pair is used mainly to verify the identity information of the two controllers; the controllers authorize access to the resources in the current domain through the Whitelist, and Permissions identify the authorization result.
S5, the controller issues a routing policy. After the controllers have been authorized by the DOT method, switch resources in different control domains can communicate with each other. When in-band measurement is carried out, the switch adds its own information to the header of the data packet, including switch ID, forwarding time, queue congestion state and the like. When routing information is issued, the controller sets a specific Action-Mapping mode according to the switch ID; the Action-Mapping mode tells each switch how to behave according to its ID in the access permission list: only a switch that matches the relevant rules may add the corresponding in-band measurement metadata header, and all other switches may only forward by matching the flow table.
INT is constructed with the P4 language, so real-time monitoring of the network state is achieved, dependence on the control plane is reduced as far as possible, and developers can customize the forwarding operations of the data plane. By constructing the authority blockchain network and the cross-domain authority granting method, the risk of a single-point crash of the controller is reduced as far as possible, and because of the 51%-attack-prevention characteristic of the consensus protocol, an external attacker can hardly attack or tamper with the in-band measurement network.
The method of the invention effectively improves the security of the controller in a programmable network, solves the problem of authority control for switch in-band measurement, and can prevent data tampering, malicious attacks and similar behaviour in network measurement.
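An added Python example (not from the patent) of the S401 URI layout, the S402 cross-domain decision and the S5 Action-Mapping driven by a DOT whitelist; the DOT field types, the permission name add_int_header, the namespaces, switch IDs and the collector-side header check are constructed assumptions.

```python
from dataclasses import dataclass

INT_ADD, FORWARD_ONLY = "INT_ADD", "FORWARD_ONLY"


@dataclass(frozen=True)
class DOT:
    """Constructed model of the S4 tuple DOT = <E_from, E_to, Permissions, Metadata, Whitelist>."""
    e_from: str              # public-key identifier of the granting (responder) controller
    e_to: str                # public-key identifier of the receiving (sender) controller
    permissions: frozenset   # e.g. {"add_int_header"} (constructed permission name)
    metadata: tuple          # INT metadata fields the recipient may add
    whitelist: frozenset     # switch IDs in the granter's domain the recipient may measure


def parse_uri(uri: str):
    """Split 'port/localhost/controlleridentity/switchidentity' (S401) into
    (namespace, controller_id, switch_id); raises ValueError when malformed."""
    parts = uri.strip("/").split("/")
    if len(parts) != 4 or parts[1] != "localhost" or not parts[0].isdigit():
        raise ValueError(f"malformed resource URI: {uri!r}")
    return parts[0], parts[2], parts[3]


def needs_cross_domain_grant(sender_ns: str, resource_uri: str) -> bool:
    """S402: transmission inside one administration domain needs no grant;
    any other namespace requires a DOT from that domain's controller."""
    return parse_uri(resource_uri)[0] != sender_ns


def action_mapping(owner_ns: str, owner_key: str, dot: DOT, switch_uris):
    """S5: the Action-Mapping a controller issues for the switches of its domain.
    A switch gets INT_ADD only if the DOT was issued by this domain's controller
    (e_from), carries the add-header permission, and whitelists the switch;
    every other switch is FORWARD_ONLY. URIs outside the owner's namespace are
    skipped because this controller cannot grant resources it does not own."""
    dot_valid = dot.e_from == owner_key and "add_int_header" in dot.permissions
    mapping = {}
    for uri in switch_uris:
        ns, _ctrl, sw = parse_uri(uri)
        if ns != owner_ns:
            continue
        if dot_valid and sw in dot.whitelist:
            mapping[sw] = (INT_ADD, dot.metadata)
        else:
            mapping[sw] = (FORWARD_ONLY, ())
    return mapping


def accept_int_header(mapping, header: dict) -> bool:
    """Collector-side check: reject metadata from a switch the mapping did not
    authorise, or carrying fields outside the DOT's Metadata set, so that an
    unauthorised switch cannot disorder the measurement result."""
    action, allowed = mapping.get(header.get("switch_id"), (FORWARD_ONLY, ()))
    return action == INT_ADD and set(header) - {"switch_id"} <= set(allowed)


# Constructed sample: controller B (namespace 6633) delegates to controller A.
SWITCHES = ["6633/localhost/ctrl-B/sw-1", "6633/localhost/ctrl-B/sw-2",
            "6634/localhost/ctrl-C/sw-9"]
DOT_B_TO_A = DOT("pk-B", "pk-A", frozenset({"add_int_header"}),
                 ("fwd_time", "queue_depth"), frozenset({"sw-1"}))
```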
The protection of the invention is not limited to the above embodiment examples. Variations and advantages that may occur to those skilled in the art may be incorporated into the invention without departing from the spirit and scope of the inventive concept, and the scope of the appended claims is intended to be protected.

Claims (11)

1. A safe network in-band measurement method based on blockchain technology, characterized by comprising the following steps:
S1, constructing an authority blockchain: an administrator creates a genesis block and writes the basic information of the blockchain; controller nodes register in the blockchain through different ports, and the miner node generates new blocks through a consensus protocol to maintain normal operation of the blockchain;
S2, the controller defines its own authority policy: the controller initiates a transaction to a miner, the newly generated authority control policy is submitted to the miner node as a transaction, and the miner node writes the new authority policy into a block through the consensus protocol and stores it;
S3, the key node verifies the controller identity information: when a controller node in the blockchain network initiates an access request to a designated controller node, the key node searches the blockchain for the receiver's authority policy and verifies whether the initiator satisfies that policy;
S4, the controller grants cross-domain authority: after obtaining the identity authentication information sent by the key node, the receiving controller grants authority to the sending controller, granting the sender access to the resources under its control management domain by way of URI resource location;
S5, the controller issues a routing policy: the information issued by the controller contains the in-band measurement authority of the different switches in the current domain, and a switch without that authority is prohibited from adding measurement header information on its own, which would otherwise disorder the final measurement result.
2. The method as claimed in claim 1, wherein different controller nodes register in the blockchain through different port numbers, each controller has an access identification number after registration, and the identification number is composed of three keys as follows:
[equation image not reproduced on this page]
wherein the first key is the port number of the domain where the controller is currently located, the second is the public key the controller currently owns, and the third is the private key the controller currently owns.
3. The method as claimed in claim 1, wherein the in-band measurement process includes an authority control policy, which greatly enhances the robustness and security of the in-band measurement.
4. The method of claim 1, wherein the creation of the block chain of authority enables controllers of different domains to autonomously develop access control policies of a current software-defined network.
5. The method as claimed in claim 1, wherein controllers across domains are required to perform a digital signature when performing the authority grant, and according to an asymmetric encryption algorithm the encryption formula is expressed as follows:
c = n^e (mod N), where n = SHA(M) and n ≤ N
wherein n is the hash value of the domain name information of the responder controller node and n ≤ N, c is the result obtained by the asymmetric encryption algorithm, and (e, N) is the private key of the signer;
the decryption formula of the requester controller node is:
s = c^d (mod N)
wherein (d, N) is the public key of the signer, c is the result obtained by the asymmetric encryption algorithm, and s is the confirmation information; if s matches the hash value n from which c was produced, the correctness of the message is confirmed.
6. The method as claimed in claim 1, wherein for the access control of the different controller nodes of the authority blockchain, the key node verifies the identity information of the requester through the transaction token information, and the verification token is as follows:
token_req = {T_access, P_sig, P_acp, identity_p, authority_p}
wherein T_access is the hash value of the requester controller's request transaction digest, P_sig is the digital signature of the responder's identity, P_acp is the authority control policy the responder uploaded to the blockchain, identity_p is the unique identification of the responder's identity, and authority_p is the encrypted information of the node identifiers approved by the responder;
the key node looks up, by ID, the T_check transaction of the responding controller corresponding to that ID, decrypts the identity approved by the responder, and sends a T_auth transaction to the requester; after obtaining authentication of the requester's identity information, it sends Token_res to the responder, where Token_res is composed as follows:
Token_res = {T_auth, R_sig, identity_r, verify_r}
wherein T_auth is the hash value of the responder controller's validation transaction digest, R_sig is the digital signature of the requester's identity, identity_r is the unique identification of the requester's identity, and verify_r is the return value of the key node's verification of the requester identity information;
the responder receives Token_res, decrypts it with its local private key, and verifies the identity of the requester.
7. The method of claim 1, wherein the controller assigns a specific routing policy to the switches in the current domain, and the routing policy determines how the in-band measurement information of a router is added by looking up the router information on the whitelist; the whitelist is included in the DOT trust delegation, whose formula is as follows:
DOT = <E_from, E_to, Permissions, Metadata, Whitelist>
wherein <E_from, E_to> is a public key identification pair, (Permissions, Metadata) represents the measurement metadata added by the recipient, and Whitelist identifies the list of routers approved by the recipient.
8. The method as claimed in claim 1, wherein the measurement information is collected and forwarded at a data plane, and the controller can control the measurement behavior of the router and discard the malicious routing nodes at any time, thereby improving the security of the network measurement.
9. The method according to claim 1, wherein in S2 the miner node determines whether the controller is qualified to execute by checking the blockchain historical transactions, determines whether the initiator's account has a sufficient token balance, and selects a transaction for submission to the blockchain only if the tokens are sufficient; when the transaction is submitted to the block, the difficulty value must be calculated, and the new authority policy is written into the block through the consensus protocol and permanently stored.
10. The method of claim 1, wherein in step S3, when a controller node in the blockchain network initiates an access request to a specific controller node, a message is broadcast to the key node; the key node sends a T_check transaction to the responding controller node; the key node searches the blockchain historical transactions for the responder's authority policy and checks whether the whitelist in that policy contains the ID of the requester; if the verification succeeds, the key node sends a T_auth transaction to the requester, confirming that the requesting node is safe; if not, the key node returns rejection information and broadcasts it globally, informing the other nodes of the blockchain that the requesting node is not trusted.
11. The method of claim 1, wherein in S5, when performing the in-band measurement, the switch adds information about the switch to a header of the packet, including: switch ID, forwarding time, queue congestion status; the controller sets a specific Action-Mapping mode according to the ID of the switch when routing information is sent, and the Action-Mapping mode controls the in-band measurement behaviors of different switches, so that only the switch with the specified ID can add an in-band measurement metadata header, and other switches can only be matched with the flow table for forwarding.
CN201910566636.5A 2019-06-27 2019-06-27 Safe network in-band measurement method based on block chain technology Active CN110417739B (en)
Publications (2)

Publication Number Publication Date
CN110417739A CN110417739A (en) 2019-11-05
CN110417739B true CN110417739B (en) 2021-06-25