| Field | Value |
|---|---|
| Graduate student | 游建豐 Chien-Feng Yu |
| Thesis title | 強化軟體定義網路:實作控制器上的網路應用程式隔離環境 (Securing Software-Defined Networks: An Implementation of Application Isolation Environments for Controllers) |
| Advisor | 鄧惟中 Wei-Chung Teng |
| Committee members | 林宗男 Tsung-Nan Lin, 陳俊良 Jiann-Liang Chen, 邱舉明 Ge-Ming Chiu, 沈上翔 Shan-Hsiang Shen |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering |
| Year of publication | 2018 |
| Academic year of graduation | 106 |
| Language | Chinese |
| Number of pages | 36 |
| Keywords (Chinese) | 軟體定義網路、Docker、應用程式獨立環境 (Software-Defined Networking, Docker, Application Isolation Environment) |
| Keywords (English) | Software-Defined Networking, Docker, Application Isolation Environments |
Software-Defined Networking (SDN) separates the control plane from the data plane so that the control plane can drive the functions of the switches, which gives it far greater flexibility and convenience than traditional network architectures. Past research, however, concentrated on processing speed in the data plane, aiming to match the performance of traditional architectures. Only recently has the robustness of the control plane started to receive attention.
In recent years Shin et al., Banse et al. and Tseng et al. have each proposed ways to make the control plane more robust, and isolating the programs that run on the control plane is the central factor in all of them. None of these studies, however, explains how to implement an isolated runtime environment for those programs. This research therefore adopts the system architecture proposed by Hung and Teng [4] and, using the container technology of the Docker open-source project, proposes an implementation that gives each program its own isolated runtime environment; it further adds communication encryption, resource control and access control to the whole system to improve the robustness of the control plane.
Experimental results show that, with the proposed architecture, applications on the control plane lose roughly 15% of their performance compared with a conventional system, but when a malicious program is running on the control plane the architecture effectively contains the damage it can do to the system.
Software-Defined Networking (SDN) allows users to control the switches from the control plane, and provides higher flexibility and programmability than traditional network architectures. Most previous studies focused on efficiently handling data plane requests. Recently, however, a growing number of studies have turned to the robustness and security of the control plane.
Several approaches have been proposed by Shin et al. [1], Banse et al. [2] and Tseng et al. [3] to make the control plane more robust.
Among their methods, Application Isolation Environments (AIE) play a critical part. However, these studies do not make their implementation details publicly available. This research therefore extends the system architecture proposed by Hung and Teng [4] and develops an approach to building an AIE by adopting container technologies. In addition, the system architecture provides communication encryption, resource control and access control to make the control plane more robust.
According to the results of the conducted experiments, applications on the control plane lose about 15% of their performance in the new architecture. However, it effectively prevents compromised third-party applications from damaging the control plane.
[1] S. Shin, Y. Song, T. Lee, S. Lee, J. Chung, P. Porras, V. Yegneswaran, J. Noh, and B. B. Kang, "Rosemary: A Robust, Secure, and High-Performance Network Operating System," Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14), pp. 78–89, 2014.
[2] C. Banse and S. Rangarajan, "A Secure Northbound Interface for SDN Applications," in Proceedings of the 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2015), vol. 1, pp. 834–839, 2015.
[3] Y. Tseng, M. Pattaranantakul, R. He, Z. Zhang, and F. Nait-Abdesselam, "Controller DAC: Securing SDN Controller with Dynamic Access Control," in IEEE International Conference on Communications, 2017.
[4] 洪浩鈞 and 鄧惟中 (Hung and Teng), "Implementation of Modular Network Security Services under a Software-Defined Networking Architecture," 13th Workshop on Wireless, Ad Hoc and Sensor Networks (WASN 2017), 2017.
[5] Open Networking Foundation, "SDN Architecture Overview," 2013.
[6] Open Networking Foundation, "Software-defined networking: The new norm for networks," ONF White Paper, vol. 2, pp. 2–6, 2012.
[7] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: Enabling Innovation in Campus Networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, p. 69, 2008.
[8] R. Chua, "2016 SDN Controller Landscape - Is there a Winner?," 2016. https://events.linuxfoundation.org/sites/events/files/slides/3 2016 ONS ONF Mkt Opp Controller Landscape RChua Mar 14 2016.pdf
[9] "Ryu SDN Framework." https://osrg.github.io/ryu/ (Accessed on 05/04/2018).
[10] "Home - OpenDaylight." https://www.opendaylight.org/ (Accessed on 05/04/2018).
[11] "ONOS - A new carrier-grade SDN network operating system designed for high availability, performance, scale-out." https://onosproject.org/ (Accessed on 05/04/2018).
[12] "Ryu SDN Framework - Ryubook 1.0 documentation." https://osrg.github.io/ryu-book/en/html/ (Accessed on 05/04/2018).
[13] B. Heller, "OpenFlow Switch Specification 1.0.0," Current, vol. 0, pp. 1–36, 2009.
[14] C. Hao, Chang, and Y.-D. Lin, "OpenFlow Version Roadmap," 2015.
[15] "Open vSwitch." https://www.openvswitch.org/ (Accessed on 05/04/2018).
[16] "GitHub - openvswitch/ovs: Open vSwitch." https://github.com/openvswitch/ovs (Accessed on 05/04/2018).
[17] S. Shin, P. Porras, V. Yegneswaran, M. Fong, and G. Gu, "FRESCO: Modular Composable Security Services for Software-Defined Networks," Network and Distributed System Security Symposium (NDSS 2013), vol. 2, no. February, pp. 1–16, 2013.
[18] "What is a Container | Docker." https://www.docker.com/what-container (Accessed on 05/06/2018).
[19] R. Morabito, J. Kjällman, and M. Komu, "Hypervisors vs. Lightweight Virtualization: A Performance Comparison," Proceedings of the 2015 IEEE International Conference on Cloud Engineering (IC2E 2015), pp. 386–393, 2015.
[20] "Docker - Build, Ship, and Run Any App, Anywhere." https://www.docker.com/ (Accessed on 05/04/2018).
[21] "GitHub - philipz/docker_practice: Learn and understand Docker, with real DevOps practice!" https://github.com/philipz/docker_practice (Accessed on 05/06/2018).
[22] "Docker Hub." https://hub.docker.com/ (Accessed on 05/10/2018).
[23] "GitHub - docker/docker-py: A Python library for the Docker Engine API." https://github.com/docker/docker-py (Accessed on 05/04/2018).
[24] "GitHub - CoreSecurity/pcapy: Pcapy is a Python extension module that interfaces with the libpcap packet capture library." https://github.com/CoreSecurity/pcapy (Accessed on 05/13/2018).