Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80139
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 蕭旭君(Hsu-Chun Hsiao) |
dc.contributor.author | Shu-Po Tung | en
dc.contributor.author | 董書博 | zh_TW
dc.date.accessioned | 2022-11-23T09:28:17Z | -
dc.date.available | 2021-07-08 |
dc.date.available | 2022-11-23T09:28:17Z | -
dc.date.copyright | 2021-07-08 |
dc.date.issued | 2021 |
dc.date.submitted | 2021-07-01 |
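dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/80139 | -
dc.description.abstract | Software-defined networking (SDN) separates the data plane and the control plane onto different devices so that the network can be managed centrally. However, misconfiguration, hardware faults, or attackers can cause the actual behavior of packets on the data plane to differ from the rules defined by the control plane. Previously proposed methods verify the correctness of the data plane by sending test packets, but they usually focus on reducing the number of test packets or the packet generation time to improve performance, and therefore assume only simple forwarding errors. This thesis identifies a new error, called IP prefix mismatch, that cannot be fully detected by previously proposed tools. We propose a packet generation algorithm and prove that, even in the worst case, our method finds at least one prefix mismatch in each round of detection. Therefore, as long as these errors are repeatedly detected and repaired, all errors will eventually be found. In addition, our experiments show that our method performs well: even when a switch contains 50% faulty rules, our method finds all prefix mismatches in two rounds of detection on average. | zh_TW
dc.description.provenance | Made available in DSpace on 2022-11-23T09:28:17Z (GMT). No. of bitstreams: 1. U0001-0107202115545300.pdf: 703355 bytes, checksum: ba040ec227f894379bb52e732a3061e4 (MD5). Previous issue date: 2021 | en
dc.description.tableofcontents | Oral Examination Committee Certification; Acknowledgements (Chinese); Acknowledgements; Abstract (Chinese); Abstract; 1 Introduction; 2 Background; 2.1 Software Defined Network; 2.2 Probe-based Fault Detection Schemes; 3 Problem Definition; 3.1 Threat Model; 3.2 Prefix Mismatch Examples; 3.3 Benign Cases; 3.4 Desired Properties; 4 System Design; 4.1 Detection Method; 4.1.1 Prefix expansion; 4.1.2 Prefix shrinkage; 4.2 System Overview; 4.3 Preprocessing; 4.4 Rule Installation Verification; 4.5 Multiple Errors; 5 Evaluation; 5.1 Implementation; 5.2 Comparison with Prior Schemes; 5.3 Performance Evaluation; 6 Discussion; 6.1 Optimization; 6.2 Other Errors; 6.2.1 Forwarding action errors; 6.2.2 Priority reordering rule missing; 6.2.3 Other match field errors; 6.2.4 Additional rules; 6.2.5 More complex settings; 7 Related Work; 8 Conclusion; Bibliography |
dc.language.iso | en |
dc.subject | IP Prefix | zh_TW
dc.subject | Software Defined Network | zh_TW
dc.subject | Data Plane Security | zh_TW
dc.subject | Test Packet Generation | zh_TW
dc.subject | Match Field Error | zh_TW
dc.subject | Data Plane Security | en
dc.subject | IP Prefix | en
dc.subject | Match Field Error | en
dc.subject | Test Packet Generation | en
dc.subject | Software Defined Network | en
dc.title | Detecting IP Prefix Mismatches on SDN Data Plane by Test Packet Generation | zh_TW
dc.title | Detecting IP Prefix Mismatches on SDN Data Plane by Test Packet Generation | en
dc.date.schoolyear | 109-2 |
dc.description.degree | Master |
dc.contributor.oralexamcommittee | 林忠緯(Hsin-Tsai Liu), 鄭欣明(Chih-Yang Tseng) |
dc.subject.keyword | Software Defined Network, Data Plane Security, Test Packet Generation, Match Field Error, IP Prefix | zh_TW
dc.subject.keyword | Software Defined Network, Data Plane Security, Test Packet Generation, Match Field Error, IP Prefix | en
dc.relation.page | 40 |
dc.identifier.doi | 10.6342/NTU202101229 |
dc.rights.note | Authorization granted (worldwide public access) |
dc.date.accepted | 2021-07-02 |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW
dc.contributor.author-dept | Graduate Institute of Computer Science and Information Engineering | zh_TW
Appears in Collections: Department of Computer Science and Information Engineering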

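Files in this item:
File | Size | Format
U0001-0107202115545300.pdf | 686.87 kB | Adobe PDF

Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.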
