CN114257538B - SDN-based address random transformation method - Google Patents

Info

Publication number
CN114257538B
Authority
CN (China)
Prior art keywords
address, data, forwarding, network, data structure
Legal status
Active
Application number
CN202111483868.8A
Other languages
Chinese (zh)
Other versions
CN114257538A (en)
Inventors
王少磊, 樊永文, 郭荣华, 石鹏飞, 秦富童, 刘迎龙, 鲁智勇, 王震, 刘喆, 周超
Current assignee
Unit 63891 of PLA
Original assignee
Unit 63891 of PLA
Priority application
CN202111483868.8A
Publication of application
CN114257538A
Publication of granted patent
CN114257538B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 45/00 Routing or path finding of packets in data switching networks
                    • H04L 45/02 Topology update or discovery
                    • H04L 45/74 Address processing for routing
                • H04L 61/00 Network arrangements, protocols or services for addressing or naming
                    • H04L 61/09 Mapping addresses
                        • H04L 61/10 Mapping addresses of different types
                            • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
                        • H04L 61/25 Mapping addresses of the same type
                            • H04L 61/2503 Translation of Internet protocol [IP] addresses
                                • H04L 61/255 Maintenance or indexing of mapping tables
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F 16/90 Details of database functions independent of the retrieved data types
                        • G06F 16/901 Indexing; Data structures therefor; Storage structures
                        • G06F 16/903 Querying
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D 30/00 Reducing energy consumption in communication networks
                    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses an SDN-based address random transformation method comprising: a global data structure that provides the data structures used in the random network address transformation process; a topology monitoring module that monitors the real-time topology of the whole forwarding network; a route calculation module that calculates routes for the whole forwarding network; a network address configuration module that dynamically configures the IP address corresponding to each host; a route distribution module that distributes to the forwarding devices, for each data stream, the corresponding route and the operation instructions needed for address random transformation; and an operation control instance set module that processes and controls the operation events and data of each forwarding device in the forwarding network. The method effectively expands the random address transformation space of every host in the network and improves both the transformation performance and the security effectiveness of random address transformation.

Description

SDN-based address random transformation method
Technical Field
The invention relates to the technical field of information security, in particular to an address random transformation method based on SDN.
Background
Dynamic (moving) target defense is an active information security protection technology proposed in recent years. It adopts a new line of security research: rather than trying to build a perfect system to withstand attacks, it raises the attacker's difficulty and cost by constructing, evaluating and deploying diversified, constantly moving and time-varying mechanisms and strategies, thereby limiting the exposure of vulnerabilities and the likelihood of a successful attack and so protecting the target.
Random address transformation is an important research direction within dynamic target defense. Its goal is to dynamically and randomly transform a host's IP address while it communicates in the network, raising the attacker's difficulty and cost and improving the security of the host.
The main problem with existing address random transformation techniques is that a host's transformation space is generally limited to the address space of the subnet in which the host is located. This limits the uncertainty and unpredictability of the address random transformation, and therefore its security benefit.
Disclosure of Invention
The invention provides an SDN-based address random transformation method whose aim is to improve the random transformation performance and security effectiveness of addresses from the perspective of protecting the hosts in the network; it efficiently realizes dynamic random transformation of the IP addresses of all hosts in the network.
The invention is realized by the following technical scheme:
an SDN-based address random transformation method, comprising:
a global data structure that provides the data structures used in the random network address transformation process;
a topology monitoring module that monitors the real-time topology of the whole forwarding network;
a route calculation module that calculates routes for the whole forwarding network;
a network address configuration module that dynamically configures the IP address corresponding to each host;
a route distribution module that distributes to the forwarding devices, for each data stream, the corresponding route and the operation instructions needed for address random transformation;
and an operation control instance set module that processes and controls the operation events and data of each forwarding device in the forwarding network.
The global data structure includes:
enar_router_dict, a data structure storing router operation control instance information;
enar_topology_dict, a data structure storing forwarding network topology information;
enar_link_metric_dict, a data structure storing forwarding network link metric information;
enar_path_dict, a data structure storing the forwarding path calculation results between nodes in the forwarding network;
enar_router_interface_address_dict, a data structure storing the IP address configuration state of every router interface in the forwarding network;
enar_host_address_space, the address space used for IP address configuration of hosts;
enar_cycle_counter, a data structure counting the number of minimum address random transformation periods the system has passed through;
enar_host_address_dict, a data structure storing the real-time IP address configuration state and the address random transformation frequency level of each host;
enar_used_address_dict, a data structure storing the use state of configured IP addresses.
At the start of operation the topology monitoring module sequentially starts the Discovery and lists components provided by the POX controller, then enters a continuous event monitoring state. If a LinkEvent event is captured during monitoring, new link state information has been observed: the forwarding path data in enar_path_dict (the data structure storing the forwarding path calculation results between all nodes in the forwarding network) is reset once, and the data in enar_topology_dict (the data structure storing forwarding network topology information) is then updated according to the specific state information of the link.
The route calculation module uses a shortest-path search and storage algorithm based on the Floyd-Warshall algorithm and can calculate and store the shortest forwarding path between any two nodes of the whole forwarding network. During operation it first initializes the shortest-path data in enar_path_dict (the data structure storing the forwarding path calculation results between nodes in the forwarding network) from the router operation control instance data in enar_router_dict, the topology data in enar_topology_dict and the link metric data in enar_link_metric_dict; it then calculates the shortest path between any two nodes of the forwarding network by a three-level loop of traversal and comparison and stores the shortest paths in enar_path_dict in turn.
The network address configuration module uses a periodic refresh mechanism during operation and can control the random transformation frequency of each host address in the network differentially. At the start of operation it starts a timestamp-based event listener, then enters a continuous event monitoring state. If a RefreshingtimeUp event is captured during monitoring, the minimum address random transformation interval set by the system has been reached. First, the use state of each host's mapped IP address in enar_used_address_dict (the data structure storing the use state of configured IP addresses) is checked in a loop; if a host's mapped IP address has use state False, that address is added back to enar_host_address_space (the address space used for host IP address configuration) for recovery. Then, according to the real-time count of address random transformation periods in enar_cycle_counter (the data structure counting the minimum address random transformation periods the system has passed through), IP addresses are randomly selected from enar_host_address_space to remap the hosts whose configured random transformation period has been reached; the mapped IP addresses selected in each round are removed from enar_host_address_space to avoid configuration conflicts, and the use state of each remapped host's new mapped IP address in enar_used_address_dict is set to False. Finally, the count of minimum address random transformation periods passed by the system in enar_cycle_counter is updated.
During operation the route distribution module first checks whether the data in enar_path_dict (the data structure storing the forwarding path calculation results between nodes in the forwarding network) is empty. If it is, either route calculation has not been performed yet, or it was performed but the real-time topology of the forwarding network has changed since; in either case the route calculation module is called to recalculate the routes of the whole network. Next, the shortest path from the forwarding source node to the forwarding destination node is extracted from enar_path_dict by recursive iteration, the corresponding forwarding ports are added from the real-time topology data in enar_topology_dict (the data structure storing forwarding network topology information) to form the route between the two nodes, the route is converted into the corresponding flow table entries according to the configured matching rules and the operations required for random network address transformation, the count values of the real-time mapped IP addresses in enar_used_address_dict (the data structure storing the use state of configured IP addresses) are modified according to those entries, and the entries are distributed to the corresponding routers to complete distribution of the forward route and its processing logic. The shortest path is then reversed, the corresponding reverse forwarding ports are added from the real-time topology data in enar_topology_dict to form the reverse route between the two nodes, the reverse route is converted into the corresponding flow table entries according to the configured matching rules and the operations required for random network address transformation, the count values of the real-time mapped IP addresses in enar_used_address_dict are modified according to those entries, and the entries are distributed to the corresponding routers to complete distribution of the reverse route and its processing logic.
During operation the operation control instance set module first starts the topology monitoring module, the network address configuration module and an event monitor in sequence, then enters a continuous event monitoring state. If the monitor captures an access event from a router, an operation control instance is created and started for that router to accept and process its data processing requests; the instance is then initialized and configured using the information carried by the access event, and its information is added to enar_router_dict (the data structure storing router operation control instance information). During operation the operation control instance starts the corresponding event monitoring components, then enters a continuous event monitoring state:
(1) If the operation control instance captures a packet_in event generated by the router according to the OpenFlow protocol, the event is handled according to its specific case. If the packet_in event was generated for the reason OFPR_TABLE_MISS, no flow table entry able to process the corresponding data flow was found in the flow table of the router. If the packet is a DNS query, the authorization status of the host submitting the query is checked further: if authorized, the result looked up in enar_host_address_dict (the data structure storing the real-time IP address configuration state and the address random transformation frequency level of each host) for the queried content is returned; if not authorized, the corresponding error message is returned. If the packet is a non-DNS IPv4 packet, the data flow characteristic values of the packet in the event are extracted according to the specific definition of the data flow, and the route distribution module is called to deploy the corresponding route for that data flow together with the operation instructions required for random network address transformation. If the packet is an ARP packet, its type is checked further: an ARP request is answered with the router's MAC address, and for an ARP reply the responding MAC address and the corresponding IP address are recorded. If the packet_in event was generated for the reason OFPR_INVALID_TTL, the router encountered an abnormal TTL value while processing the packet; the corresponding response packet is constructed according to the ICMP specification using the router interface IP address from enar_router_interface_address_dict (the data structure storing the IP address configuration state of every router interface in the forwarding network) and is then forwarded from the corresponding port;
(2) If the operation control instance captures a flow_removed event generated by the router according to the OpenFlow protocol, the flow entry described in the event has been removed from the router's flow table because of a timeout; the source IP address and the destination IP address are extracted from the match field of the flow entry, and the count values of these two addresses in enar_used_address_dict (the data structure storing the use state of configured IP addresses) are modified.
The invention has the beneficial effects that:
the address random transformation method of the invention efficiently realizes dynamic random transformation of the IP addresses of all hosts in the network, greatly expands the address random transformation space of every host, and improves both the transformation performance and the security effectiveness of address random transformation.
Drawings
FIG. 1 is a schematic diagram of the overall architecture of the method of the present invention.
FIG. 2 is a schematic diagram of an application mode of the method according to the present invention.
Detailed Description
An SDN-based address random transformation method, whose overall architecture is shown in FIG. 1, specifically comprises:
global data structures that provide the data structures used in the network address random transformation process. The global data structures are listed in Table 1:
Data structure                       Function
enar_router_dict                     Stores router operation control instance information
enar_topology_dict                   Stores forwarding network topology information
enar_link_metric_dict                Stores forwarding network link metric information
enar_path_dict                       Stores the forwarding paths between nodes in the forwarding network
enar_router_interface_address_dict   Stores the IP address configuration state of each router interface in the forwarding network
enar_host_address_space              Address space used for IP address configuration of hosts
enar_cycle_counter                   Counts the number of minimum address random transformation periods the system has passed through
enar_host_address_dict               Stores the real-time IP address configuration state and address random transformation frequency level of each host
enar_used_address_dict               Stores the use state of configured IP addresses
TABLE 1
enar_router_dict is the data structure storing router operation control instance information; enar_topology_dict is the data structure storing forwarding network topology information; enar_link_metric_dict is the data structure storing forwarding network link metric information; enar_path_dict is the data structure storing the forwarding path calculation results between nodes in the forwarding network; enar_router_interface_address_dict is the data structure storing the IP address configuration state of every router interface in the forwarding network; enar_host_address_space is the address space used for IP address configuration of hosts; enar_cycle_counter is the data structure counting the number of minimum address random transformation periods the system has passed through; enar_host_address_dict is the data structure storing the real-time IP address configuration state and the address random transformation frequency level of each host; enar_used_address_dict is the data structure storing the use state of configured IP addresses.
And the topology monitoring module is used for monitoring the real-time topology structure of the whole forwarding network. The processing algorithm of the topology monitoring module is shown in table 2:
TABLE 2
The Discovery and lists components provided by the POX controller are started in sequence at the start of operation, after which a continuous event monitoring state is entered. If a LinkEvent event is captured during monitoring, new link state information has been observed: the forwarding path data in enar_path_dict (the data structure storing the forwarding path calculation results between all nodes in the forwarding network) is reset once, and the data in enar_topology_dict (the data structure storing forwarding network topology information) is then updated according to the specific state information of the link.
And the route calculation module is used for calculating the route of the whole forwarding network. The processing algorithm of the route calculation module is shown in table 3:
TABLE 3
A shortest-path search and storage algorithm based on the Floyd-Warshall algorithm is used, so the shortest forwarding path between any two nodes of the whole forwarding network can be calculated and stored. During operation, the shortest-path data in enar_path_dict (the data structure storing the forwarding path calculation results between nodes in the forwarding network) is first initialized from the router operation control instance data in enar_router_dict, the topology data in enar_topology_dict and the link metric data in enar_link_metric_dict. The shortest path between any two nodes of the forwarding network is then calculated by a three-level loop of traversal and comparison, and the shortest paths are stored in enar_path_dict in turn.
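The following Python is an added illustration of the route calculation described above; it is not code from the patent or its implementation. It runs Floyd-Warshall (the three nested loops) over the routers in enar_topology_dict weighted by enar_link_metric_dict, then fills enar_path_dict with the recursive path extraction that the route distribution module later performs. The dictionary layouts, the helper names and the four-router sample network are all assumptions made for the example.

```python
# Added example (not the patent's code): route calculation with Floyd-Warshall
# over the enar_* structures described above. Layouts are assumptions:
#   enar_topology_dict[u][v]      = output port on router u towards neighbour v
#   enar_link_metric_dict[(u, v)] = cost of the directed link u -> v
#   enar_path_dict[(s, d)]        = (total cost, [s, ..., d])
INF = float("inf")


def floyd_warshall(nodes, link_metric):
    """Three nested loops over all node triples; returns (dist, nxt) where
    nxt[i][j] is the first hop on the shortest i -> j path (None if unreachable)."""
    dist = {u: {v: 0 if u == v else INF for v in nodes} for u in nodes}
    nxt = {u: {v: v if u == v else None for v in nodes} for u in nodes}
    for (u, v), cost in link_metric.items():
        if u in dist and v in dist and cost < dist[u][v]:
            dist[u][v] = cost
            nxt[u][v] = v
    for k in nodes:
        for i in nodes:
            if dist[i][k] == INF:
                continue  # k cannot shorten any path starting at i
            for j in nodes:
                through_k = dist[i][k] + dist[k][j]
                if through_k < dist[i][j]:
                    dist[i][j] = through_k
                    nxt[i][j] = nxt[i][k]
    return dist, nxt


def extract_path(nxt, src, dst):
    """Recursive path extraction, as the route distribution module does."""
    if nxt[src][dst] is None:
        return []  # unreachable
    if src == dst:
        return [src]
    return [src] + extract_path(nxt, nxt[src][dst], dst)


def compute_enar_path_dict(enar_topology_dict, enar_link_metric_dict):
    """(Re)build enar_path_dict from scratch. The topology monitoring module
    resets the dict on every LinkEvent, so a topology change leads back here."""
    nodes = sorted(enar_topology_dict)
    dist, nxt = floyd_warshall(nodes, enar_link_metric_dict)
    enar_path_dict = {}
    for s in nodes:
        for d in nodes:
            if s != d and dist[s][d] < INF:
                enar_path_dict[(s, d)] = (dist[s][d], extract_path(nxt, s, d))
    return enar_path_dict


def run_sample():
    """Constructed four-router sample network (not from the patent)."""
    enar_topology_dict = {
        "r1": {"r2": 1, "r3": 2},
        "r2": {"r1": 1, "r3": 2, "r4": 3},
        "r3": {"r1": 1, "r2": 2, "r4": 3},
        "r4": {"r2": 1, "r3": 2},
    }
    costs = {("r1", "r2"): 1, ("r1", "r3"): 5, ("r2", "r3"): 1,
             ("r2", "r4"): 4, ("r3", "r4"): 1}
    enar_link_metric_dict = {}
    for (u, v), c in costs.items():  # links are symmetric in this sample
        enar_link_metric_dict[(u, v)] = c
        enar_link_metric_dict[(v, u)] = c
    return compute_enar_path_dict(enar_topology_dict, enar_link_metric_dict)


if __name__ == "__main__":
    for (s, d), (cost, path) in sorted(run_sample().items()):
        print(f"{s} -> {d}: cost {cost}, path {' > '.join(path)}")
```

In the sample the direct r1-r3 link costs 5, so the computed r1 -> r4 path goes r1 > r2 > r3 > r4 at cost 3 rather than via the direct link; because the whole table is rebuilt whenever the dict has been reset, a link that disappears on a LinkEvent can never leave a stale path behind.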
And the network address configuration module is used for dynamically configuring the IP address corresponding to each host. The processing algorithm of the network address configuration module is shown in Table 4:
TABLE 4
A periodic refresh mechanism is used during operation, so the random transformation frequency of each host address in the network can be controlled differentially. A timestamp-based event listener is started at the start of operation, after which a continuous event monitoring state is entered. If a RefreshingtimeUp event is captured during monitoring, the minimum address random transformation interval set by the system has been reached. First, the use state of each host's mapped IP address in enar_used_address_dict (the data structure storing the use state of configured IP addresses) is checked in a loop; if a host's mapped IP address has use state False, that address is added back to enar_host_address_space (the address space used for host IP address configuration) for recovery. Then, according to the real-time count of address random transformation periods in enar_cycle_counter (the data structure counting the minimum address random transformation periods the system has passed through), IP addresses are randomly selected from enar_host_address_space to remap the hosts whose configured random transformation period has been reached; the mapped IP addresses selected in each round are removed from enar_host_address_space to avoid configuration conflicts, and the use state of each remapped host's new mapped IP address in enar_used_address_dict is set to False. Finally, the count of minimum address random transformation periods passed by the system in enar_cycle_counter is updated.
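As an added example (not code from the patent), the following Python carries out one RefreshingtimeUp round in the three steps just described: reclaim addresses whose use state is False, randomly remap the hosts whose period has elapsed without handing out the same address twice, and advance enar_cycle_counter. The layouts of the enar_* structures, the rule that a host is due when the counter is a multiple of its frequency level, the decision not to reclaim a host's current mapping, and the sample state are assumptions made for the example.

```python
# Added example (not the patent's code): one refresh round of the network address
# configuration module. Layouts are assumptions:
#   enar_host_address_dict[host] = {"real": ip, "mapped": ip, "level": n}
#       level n: the host is remapped every n minimum transformation periods
#   enar_used_address_dict[ip]   = number of installed flow entries referencing ip
#       (0 means use state False)
#   enar_host_address_space      = list of free addresses available for mapping
#   enar_cycle_counter           = number of minimum periods already passed
import random


def reclaim_unused(state):
    """Step 1: addresses whose use state is False go back to the address space.
    Assumption: a host's current mapped address is never reclaimed even if no
    flow entry references it yet, otherwise a fresh mapping would be lost."""
    hosts = state["enar_host_address_dict"]
    used = state["enar_used_address_dict"]
    current = {h["mapped"] for h in hosts.values()}
    reclaimed = []
    for ip in sorted(used):
        if used[ip] == 0 and ip not in current:
            del used[ip]
            state["enar_host_address_space"].append(ip)
            reclaimed.append(ip)
    return reclaimed


def remap_due_hosts(state, rng):
    """Step 2: hosts whose period has elapsed get a random free address.
    Assumption: a host is due when enar_cycle_counter is a multiple of its level."""
    hosts = state["enar_host_address_dict"]
    used = state["enar_used_address_dict"]
    space = state["enar_host_address_space"]
    cycle = state["enar_cycle_counter"]
    remapped = {}
    for name in sorted(hosts):
        h = hosts[name]
        if cycle % h["level"] != 0:
            continue
        if not space:
            raise RuntimeError("address space exhausted; cannot remap %s" % name)
        new_ip = rng.choice(space)
        space.remove(new_ip)        # never hand the same address out twice
        remapped[name] = (h["mapped"], new_ip)
        h["mapped"] = new_ip
        used.setdefault(new_ip, 0)  # new mapping starts with use state False
    return remapped


def refresh_cycle(state, rng=None):
    """Handle one RefreshingtimeUp event: reclaim, remap, advance the counter."""
    rng = rng or random.Random()
    reclaimed = reclaim_unused(state)
    remapped = remap_due_hosts(state, rng)
    state["enar_cycle_counter"] += 1  # step 3
    return reclaimed, remapped


def run_sample(seed=7):
    """Constructed sample state (not from the patent).
    Returns (state after the round, reclaimed addresses, remapped hosts)."""
    state = {
        "enar_host_address_dict": {
            "h1": {"real": "10.0.0.1", "mapped": "172.16.0.10", "level": 1},
            "h2": {"real": "10.0.0.2", "mapped": "172.16.0.11", "level": 3},
        },
        # 172.16.0.12 is an earlier mapping whose last flow entry has expired
        "enar_used_address_dict": {"172.16.0.10": 2, "172.16.0.11": 0,
                                   "172.16.0.12": 0},
        "enar_host_address_space": ["172.16.0.%d" % i for i in range(20, 30)],
        "enar_cycle_counter": 1,
    }
    reclaimed, remapped = refresh_cycle(state, random.Random(seed))
    return state, reclaimed, remapped


if __name__ == "__main__":
    st, reclaimed, remapped = run_sample()
    print("reclaimed:", reclaimed)
    print("remapped:", remapped)
    print("counter:", st["enar_cycle_counter"])
```

With the counter at 1, h1 (level 1) is remapped while h2 (level 3) keeps its address; the old mapping 172.16.0.10 stays in enar_used_address_dict with its count of 2, because flow entries still reference it, and will only be reclaimed in a later round once those entries have timed out.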
And the route distribution module is used for distributing relevant operation instructions of corresponding route and address random transformation in the forwarding equipment for each data stream. The processing algorithm of the route distribution module is shown in table 5:
TABLE 5
During operation it is first checked whether the data in enar_path_dict (the data structure storing the forwarding path calculation results between nodes in the forwarding network) is empty. If it is, either route calculation has not been performed yet, or it was performed but the real-time topology of the forwarding network has changed since; in either case the route calculation module is called to recalculate the routes of the whole network. Next, the shortest path from the forwarding source node to the forwarding destination node is extracted from enar_path_dict by recursive iteration, the corresponding forwarding ports are added from the real-time topology data in enar_topology_dict (the data structure storing forwarding network topology information) to form the route between the two nodes, the route is converted into the corresponding flow table entries according to the configured matching rules and the operations required for random network address transformation, the count values of the real-time mapped IP addresses in enar_used_address_dict (the data structure storing the use state of configured IP addresses) are modified according to those entries, and the entries are distributed to the corresponding routers to complete distribution of the forward route and its processing logic.
The shortest path is then reversed, the corresponding reverse forwarding ports are added from the real-time topology data in enar_topology_dict to form the reverse route between the two nodes, the reverse route is converted into the corresponding flow table entries according to the configured matching rules and the operations required for random network address transformation, the count values of the real-time mapped IP addresses in enar_used_address_dict are modified according to those entries, and the entries are distributed to the corresponding routers to complete distribution of the reverse route and its processing logic.
And the operation control instance set module is used for processing and controlling operation events or data of each forwarding device in the forwarding network. The processing algorithm for running the control instance set module is shown in table 6:
TABLE 6
During operation the topology monitoring module, the network address configuration module and an event monitor are first started in sequence, then a continuous event monitoring state is entered. If the monitor captures an access event from a router, an operation control instance is created and started for that router to accept and process its data processing requests; the instance is then initialized and configured using the information carried by the access event, and its information is added to enar_router_dict (the data structure storing router operation control instance information).
The processing algorithm of an operation control instance is shown in Table 7:
TABLE 7
The corresponding event monitoring components are started during operation, after which a continuous event monitoring state is entered:
If the operation control instance captures a packet_in event generated by the router according to the OpenFlow protocol, the event is handled according to its specific case. If the packet_in event was generated for the reason OFPR_TABLE_MISS, no flow table entry able to process the corresponding data flow was found in the flow table of the router. If the packet is a DNS query, the authorization status of the host submitting the query is checked further: if authorized, the result looked up in enar_host_address_dict (the data structure storing the real-time IP address configuration state and the address random transformation frequency level of each host) for the queried content is returned; if not authorized, the corresponding error message is returned. If the packet is a non-DNS IPv4 packet, the data flow characteristic values of the packet in the event are extracted according to the specific definition of the data flow, and the route distribution module is called to deploy the corresponding route for that data flow together with the operation instructions required for random network address transformation. If the packet is an ARP packet, its type is checked further: an ARP request is answered with the router's MAC address, and for an ARP reply the responding MAC address and the corresponding IP address are recorded.
If the packet_in event was generated for the reason OFPR_INVALID_TTL, the router encountered an abnormal TTL value while processing the packet; the corresponding response packet is constructed according to the ICMP specification using the router interface IP address from enar_router_interface_address_dict (the data structure storing the IP address configuration state of every router interface in the forwarding network) and is then forwarded from the corresponding port.
If the operation control instance captures a flow_removed event generated by the router according to the OpenFlow protocol, the flow entry described in the event has been removed from the router's flow table because of a timeout; the source IP address and the destination IP address are extracted from the match field of the flow entry, and the count values of these two addresses in enar_used_address_dict (the data structure storing the use state of configured IP addresses) are modified.
The address random transformation method of the invention can be applied to a complete AS or to a specific area within an AS; the deployment is shown in figure 2.
In the internal network, the address random transformation method is deployed on the controller, and the forwarding devices supporting the OpenFlow protocol connect to the SDN controller through the corresponding port to establish control channels, forming the control network of the address random transformation. The forwarding devices and the hosts are interconnected to form the forwarding network in which addresses are randomly transformed.
The external network is a conventional TCP/IP network. If the address random transformation method is applied to a specific area of an AS, the external network is the remainder of that AS; if the method of the invention is applied to a complete AS, the external network consists of other ASes.
Data is exchanged between the internal network and the external network through a border router. If the address random transformation method is applied to a specific area of an AS, the border router can run a conventional TCP/IP interior routing protocol such as RIP or OSPF; if the method of the invention is applied to a complete AS, the border router can run a conventional TCP/IP exterior gateway protocol such as EGP or BGP.
In operation, the address random transformation method of the invention works as follows. According to the specific application requirements, the parameters that control the address random transformation, such as the address space of the terminal hosts and the settings of the network address configuration module, are configured, and the method is deployed and started in the controller. Each forwarding device supporting the OpenFlow protocol in the forwarding network is then started in turn, and each initiates a remote OpenFlow control channel connection request from its control interface to the controller. On receiving the request, the OpenFlow control end in the controller establishes the corresponding control channel according to the processing flow of the OpenFlow protocol. From then on, the address random transformation method in the controller processes the data flow requests of each forwarding device in the forwarding network and applies the related address random transformation processing to the IP addresses of the hosts in the network during communication.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (6)

1. An SDN-based address random transformation method, characterized by comprising:
a global data structure, providing the various data structures used in the random network address transformation process;
a topology monitoring module, used for monitoring the real-time topology structure of the whole forwarding network;
a route calculation module, used for calculating the routes of the whole forwarding network;
a network address configuration module, used for dynamically configuring the IP addresses corresponding to the hosts;
a route distribution module, used for distributing to the forwarding devices, for each data stream, the corresponding route and the operation instructions related to address random transformation;
an operation control instance set module, used for processing and controlling the operation events and data of each forwarding device in the forwarding network;
wherein the global data structure includes:
end_router_direct, a data structure storing router operation control instance information;
enar_topology_direct, a data structure storing forwarding network topology information;
enar_metric_subject, a data structure storing forwarding network link metric information;
end_path_direct, a data structure storing the forwarding path calculation results between nodes in the forwarding network;
end_router_interface_address_direct, a data structure storing the IP address configuration state of each router interface in the forwarding network;
the address space, used for configuring the IP addresses of the hosts;
enar_cycle_counter, a data structure counting the minimum address random transformation periods elapsed in the system;
end_host_address_subject, a data structure storing the real-time IP address configuration state and the address random transformation frequency level of each host;
end_used_address_subject, a data structure storing the use state of the configured IP addresses.
2. The SDN-based address random transformation method of claim 1, wherein at the start of operation the topology monitoring module starts the Discovery and lists components provided by the POX controller in sequence, before entering a continuous event listening state; if a LinkEvent is captured while listening, new link state information has been detected: the forwarding path data in the data structure enar_path_direct, which stores the forwarding path calculation results between nodes in the forwarding network, is reset once, and the data in the data structure enar_topology_direct, which stores the forwarding network topology information, is then updated according to the specific state information of the link.
3. The SDN-based address random transformation method of claim 1, wherein the route calculation module adopts a shortest path search and storage algorithm based on the Floyd-Warshall algorithm, capable of computing and storing the shortest forwarding paths between all nodes in the whole forwarding network; in operation, it first initializes the shortest path data in the data structure end_path_direct, which stores the forwarding path calculation results between nodes in the forwarding network, from the router operation control instance data in the data structure end_router_direct storing router operation control instance information, the topology data in the data structure end_topology_direct storing forwarding network topology information, and the link metric data in the data structure end_link_metric_direct storing forwarding network link metric information; it then computes the shortest path between any two nodes in the forwarding network by a triple nested loop of traversal and comparison operations, and stores the shortest paths in turn in enar_path_section.
4. The SDN-based address random transformation method of claim 1, wherein the network address configuration module employs a periodic refresh mechanism in operation, so as to control the random transformation frequency of the host addresses in the network differentially; at the start of operation it starts a timestamp-based event listener and then enters a continuous event listening state; if a RefreshingtimeUp event is captured while listening, the minimum address random transformation time interval set by the system has been reached; the module first loops over the use state of each host's mapped IP address in the data structure end_used_address_subject, which stores the use state of the configured IP addresses, and if the use state of a host's mapped IP address is False, adds that IP address back into the address space data structure end_host_address_space, from which the host IP addresses are configured, for recovery; then, according to the real-time count of address random transformation periods in the data structure enar_cycle_counter, which counts the minimum address random transformation periods elapsed in the system, it randomly selects IP addresses from enar_host_address_space to remap the IP addresses of the hosts whose configured address random transformation period has been reached, removing each mapped IP address selected in a round of the loop from enar_host_address_space to avoid configuration conflicts, and setting the use state of the remapped host's mapped IP address in the data structure enar_used_address_position, which stores the use state of the configured IP addresses, to False; and finally it updates the count of minimum address random transformation periods elapsed in the system in enar_cycle_counter.
5. The SDN-based address random transformation method of claim 1, wherein in operation the route distribution module first determines whether the data in the data structure enar_path_direct, which stores the forwarding path calculation results between nodes in the forwarding network, is empty; if so, either no route calculation has been performed before, or one has been performed but the real-time topology of the forwarding network has changed since, and the route calculation module is called to recalculate the routes of the whole network; then the shortest path from the forwarding source node to the forwarding destination node is extracted from enar_path_direct by recursive iteration, the corresponding forwarding port is added at each hop according to the real-time topology data in the data structure end_topology_direct storing forwarding network topology information to form the route between the two nodes, the route is converted into the corresponding flow entries according to the configured match rules and the operations required for random network address transformation, the corresponding count values of the real-time mapped IP addresses in the data structure end_used_address_direct storing the use state of the configured IP addresses are updated according to those flow entries, and the flow entries are issued to the corresponding routers to complete the distribution of the forward route and its processing logic; then the shortest path is reversed, the corresponding reverse forwarding port is added at each hop according to the real-time topology data in end_topology_subject to form the reverse route between the two nodes, the reverse route is converted into the corresponding flow entries according to the configured match rules and the operations required for random network address transformation, the corresponding count values of the real-time mapped IP addresses in end_used_address_subject are updated according to those flow entries, and the flow entries are issued to the corresponding routers to complete the distribution of the reverse route and its processing logic.
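As an added illustration of the route calculation of claim 3 and the route distribution of claim 5 (example code written for this page, not the patent's own implementation), the following Python computes all-pairs shortest paths with Floyd-Warshall over a constructed topology, reconstructs the path between two routers from the next-hop table, and converts it into forward and reverse flow entries that rewrite the real host addresses to their current mapped addresses. The topology, the host and mapped addresses, the port numbers, and the placement of the address rewrite at the ingress and egress routers are assumptions of this example; the patent does not state where the rewrite is performed.

```python
from typing import Dict, List, Tuple

INF = float("inf")

# Constructed sample topology (this example's assumption, not from the patent).
# For each router: neighbour -> (local output port towards it, link metric).
SAMPLE_TOPOLOGY: Dict[str, Dict[str, Tuple[int, int]]] = {
    "r1": {"r2": (1, 1), "r3": (2, 5)},
    "r2": {"r1": (1, 1), "r3": (2, 1), "r4": (3, 4)},
    "r3": {"r1": (1, 5), "r2": (2, 1), "r4": (3, 1)},
    "r4": {"r2": (1, 4), "r3": (2, 1)},
}

# Constructed flow: real and currently mapped addresses of two hosts, plus the
# router ports facing each host (source host on r1 port 7, destination on r4 port 9).
SAMPLE_FLOW = {
    "real_src": "10.0.0.1", "mapped_src": "10.1.7.33", "src_port": 7,
    "real_dst": "10.0.0.2", "mapped_dst": "10.1.9.200", "dst_port": 9,
}


def floyd_warshall(topology):
    """All-pairs shortest paths: returns (dist, nxt), where nxt[i][j] is the
    next hop from i towards j, filled in by the triple nested loop."""
    nodes = sorted(topology)
    dist = {u: {v: 0 if u == v else INF for v in nodes} for u in nodes}
    nxt = {u: {v: None for v in nodes} for u in nodes}
    for u, links in topology.items():            # initialise from link metrics
        for v, (_port, metric) in links.items():
            dist[u][v] = metric
            nxt[u][v] = v
    for k in nodes:                              # relax every pair through k
        for i in nodes:
            for j in nodes:
                if dist[i][k] + dist[k][j] < dist[i][j]:
                    dist[i][j] = dist[i][k] + dist[k][j]
                    nxt[i][j] = nxt[i][k]
    return dist, nxt


def shortest_path(nxt, src: str, dst: str) -> List[str]:
    """Walk the next-hop table from src to dst; [] if dst is unreachable."""
    if src != dst and nxt[src][dst] is None:
        return []
    path = [src]
    while path[-1] != dst:
        path.append(nxt[path[-1]][dst])
    return path


def route_flow_entries(topology, path, real_src, mapped_src, real_dst, mapped_dst, egress_port):
    """Convert one path into per-router flow entries. Assumption of this example:
    the ingress router rewrites the real source address to its mapped address,
    the egress router restores the real destination address, and every hop
    matches on the mapped addresses."""
    entries = []
    last = len(path) - 1
    for i, router in enumerate(path):
        out_port = topology[router][path[i + 1]][0] if i < last else egress_port
        match = (real_src if i == 0 else mapped_src, mapped_dst)
        actions = []
        if i == 0:
            actions.append(("set_src", mapped_src))
        if i == last:
            actions.append(("set_dst", real_dst))
        actions.append(("output", out_port))
        entries.append({"router": router, "match": match, "actions": actions})
    return entries


def distribute_route(topology, nxt, src_router, dst_router, flow):
    """Forward route, then its reverse with the roles of the two hosts swapped."""
    path = shortest_path(nxt, src_router, dst_router)
    if not path:
        raise ValueError("no path between %s and %s" % (src_router, dst_router))
    forward = route_flow_entries(topology, path, flow["real_src"], flow["mapped_src"],
                                 flow["real_dst"], flow["mapped_dst"], flow["dst_port"])
    reverse = route_flow_entries(topology, path[::-1], flow["real_dst"], flow["mapped_dst"],
                                 flow["real_src"], flow["mapped_src"], flow["src_port"])
    return forward, reverse


if __name__ == "__main__":
    _dist, nxt_table = floyd_warshall(SAMPLE_TOPOLOGY)
    fwd, rev = distribute_route(SAMPLE_TOPOLOGY, nxt_table, "r1", "r4", SAMPLE_FLOW)
    for entry in fwd + rev:
        print(entry)
```

With the sample metrics the path r1-r2-r3-r4 (cost 3) wins over the direct r1-r2-r4 link (cost 5), and only the two edge routers carry rewrite actions, which is what keeps the real addresses out of every other flow table in the forwarding network.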
6. The SDN-based address random transformation method of claim 1, wherein in operation the operation control instance set module starts the topology monitoring module, the network address configuration module and an event listener in sequence, and then enters a continuous event listening state; if the listener captures the connection event of a router, an operation control instance is created and started for that router to accept and process its data processing requests, the operation control instance is initialized and configured with the information of the connection event, and the information of the operation control instance is added to the data structure enar_router_direct storing router operation control instance information; the operation control instance starts the corresponding event listening component in operation and then enters a continuous event listening state:
(1) If the operation control instance captures a packet_in event generated by the router according to the OpenFlow protocol, the event is handled according to its cause and the type of packet it carries; if the packet_in event is generated for the reason OFPR_TABLE_MISS, no flow entry capable of processing the corresponding data flow exists in the flow table of the corresponding router; if the data packet is a DNS query packet, the authorization status of the host submitting the DNS query is checked further, and if the authorization passes, the query is answered with the lookup result from the data structure enar_host_address_direct storing the real-time IP address configuration state and the address random transformation frequency level of each host, while if it does not pass, a corresponding error message is returned; if the data packet is a non-DNS IPv4 packet, the data flow characteristic value of the packet in the event is extracted according to the specific definition of the data flow, and the route distribution module is called to deploy a corresponding route for that data flow together with the operation instructions required for random network address transformation; if the data packet is an ARP packet, its type is checked further, an ARP request packet is answered with the MAC address of the router, and for an ARP reply packet the replying MAC address and the corresponding IP address are recorded; if the packet_in event is generated for the reason OFPR_INVALID_TTL, the corresponding router encountered an abnormal TTL value while processing the data packet, and a response packet is constructed according to the ICMP specification using the IP address of the corresponding router interface taken from the data structure storing the IP address configuration state of each router interface in the forwarding network, and forwarded out of the corresponding port;
(2) If the operation control instance captures a flow_removed event generated by the router according to the OpenFlow protocol, the flow entry described in the event has been removed from the flow table of the corresponding router because of a timeout; the source IP address and the destination IP address are then extracted from the match field of the flow entry, and the corresponding count values of the two IP addresses in the data structure end_used_address_direct storing the use state of the configured IP addresses are updated.
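To show how the periodic refresh of claim 4 interacts with the address usage counts that route distribution (claim 5) and flow_removed handling (claim 6) maintain, and with the authorization check on DNS queries in the packet_in handling above, here is an added Python model; it is written for this page and is not the patent's own code. The address space, host names and frequency levels are constructed, the use state is modelled as a count that is False at zero, and a host's previous mapped address is kept in a retired set until that count reaches zero instead of being returned to the pool immediately; all of these are assumptions of this example, as are the method names.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed sample data (assumptions of this example, not from the patent):
# a small mapped-address space and two hosts with different hopping levels.
SAMPLE_ADDRESS_SPACE = ["10.1.0.%d" % i for i in range(1, 9)]
SAMPLE_HOSTS = {
    "h1": {"real": "192.168.1.10", "level": 1},   # remapped every minimum period
    "h2": {"real": "192.168.1.20", "level": 2},   # remapped every second period
}


class AddressHopper:
    """Periodic random remapping of host addresses with usage-count bookkeeping.
    pool, usage and retired are this example's names for the patent's address
    space, used-address state and cycle counter structures."""

    def __init__(self, address_space: List[str], hosts: Dict[str, dict], seed: Optional[int] = None):
        self.space = list(address_space)
        self.pool: List[str] = sorted(address_space)    # free mapped addresses
        self.rng = random.Random(seed)
        self.cycle_counter = 0                          # minimum periods elapsed
        self.hosts: Dict[str, dict] = {}                # name -> real, level, mapped
        self.usage: Dict[str, int] = {}                 # mapped ip -> routes using it
        self.retired: Dict[str, str] = {}               # old mapped ip -> host
        for name, cfg in hosts.items():
            mapped = self._draw()
            self.hosts[name] = {"real": cfg["real"], "level": cfg["level"], "mapped": mapped}
            self.usage[mapped] = 0

    def _draw(self) -> str:
        # Random selection removes the address from the pool, so two hosts can
        # never receive the same mapped address within one refresh round.
        if not self.pool:
            raise RuntimeError("address space exhausted")
        return self.pool.pop(self.rng.randrange(len(self.pool)))

    def mapped(self, host: str) -> str:
        return self.hosts[host]["mapped"]

    def resolve(self, host: str, authorized: bool) -> Optional[str]:
        # DNS lookup on the packet_in path: only an authorized querier learns
        # the current mapped address; None stands for the error reply.
        return self.hosts[host]["mapped"] if authorized else None

    def install_route(self, src_host: str, dst_host: str) -> Tuple[str, str]:
        # Route distribution: the flow entries reference the mapped addresses,
        # so their usage counts rise (assumption: one count per installed route).
        a, b = self.mapped(src_host), self.mapped(dst_host)
        self.usage[a] += 1
        self.usage[b] += 1
        return a, b

    def flow_removed(self, src_ip: str, dst_ip: str) -> None:
        # flow_removed on timeout: the two addresses from the match field are
        # no longer pinned by that flow entry.
        for ip in (src_ip, dst_ip):
            if self.usage.get(ip, 0) > 0:
                self.usage[ip] -= 1

    def refresh(self) -> List[str]:
        """One RefreshingtimeUp event; returns the addresses recovered."""
        # 1. recover retired mapped addresses whose use state is False (count 0)
        recovered = [ip for ip in self.retired if self.usage[ip] == 0]
        for ip in recovered:
            del self.retired[ip]
            del self.usage[ip]
            self.pool.append(ip)
        self.pool.sort()
        # 2. remap every host whose configured period ends with this refresh
        completed = self.cycle_counter + 1
        for name, h in self.hosts.items():
            if completed % h["level"] == 0:
                old = h["mapped"]
                h["mapped"] = self._draw()
                self.usage[h["mapped"]] = 0
                self.retired[old] = name      # returned to the pool once unused
        # 3. update the elapsed-period counter
        self.cycle_counter = completed
        return recovered

    def check_invariants(self) -> bool:
        """No two hosts share an address; pool, live and retired sets partition the space."""
        live = [h["mapped"] for h in self.hosts.values()]
        groups = [set(live), set(self.pool), set(self.retired)]
        union = set().union(*groups)
        disjoint = sum(len(g) for g in groups) == len(union)
        return len(set(live)) == len(live) and disjoint and union == set(self.space)
```

The point of the retired set is the race the claims are guarding against: a host's address may be rotated while flow entries that name it are still installed, so it must stay out of the pool until the flow_removed events have brought its count back to zero; otherwise a newly mapped host could be handed an address that existing flow entries still rewrite.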
CN202111483868.8A 2021-12-07 2021-12-07 SDN-based address random transformation method Active CN114257538B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111483868.8A CN114257538B (en) 2021-12-07 2021-12-07 SDN-based address random transformation method

Publications (2)

Publication Number Publication Date
CN114257538A CN114257538A (en) 2022-03-29
CN114257538B true CN114257538B (en) 2023-08-25

Family

ID=80791744

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014063110A1 (en) * 2012-10-19 2014-04-24 ZanttZ, Inc. Network infrastructure obfuscation
CN104506511A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Moving target defense system and moving target defense method for SDN (self-defending network)
CN110198270A (en) * 2019-05-10 2019-09-03 华中科技大学 A kind of active defense method in SDN network based on path and IP address jump
CN110753054A (en) * 2019-10-25 2020-02-04 电子科技大学 Anonymous communication method based on SDN
CN113098900A (en) * 2021-04-29 2021-07-09 福建奇点时空数字科技有限公司 SDN network IP hopping method supporting address space expansion

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10084756B2 (en) * 2015-12-30 2018-09-25 Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. Anonymous communications in software-defined networks via route hopping and IP address randomization

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Shaolei Wang, Lei Zhang, Chaojing Tang.A new dynamic address solution for moving target defense.2016 IEEE Information Technology, Networking, Electronic and Automation Control Conference, Chongqing, China.2016,1149-1152. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant