
Student: Jian-de Lin (林建德)
Thesis title: On the study of OpenFlow Switch-based Middlebox Deployment Management Mechanism (基於OpenFlow交換機之Middlebox部署管理機制研究)
Advisor: Yi-ming Chen (陳奕明)
Committee members:
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2014
Academic year of graduation: 102 (ROC calendar)
Language: Chinese
Pages: 73
Keywords (Chinese, translated): Software-Defined Networking, OpenFlow, Middlebox, Dijkstra's shortest path algorithm
Keywords (English): Software-Defined Networking, OpenFlow, Middlebox, Dijkstra's algorithm
    Abstract (Chinese, translated)
    With the rapid growth of cloud network environments, more and more enterprises adopt cloud computing architectures to provide services, so the security and performance of those services have become important issues. To secure the application services they offer and their internal networks, enterprises usually process packets with security appliances or middleboxes. Although security requirements create substantial business opportunities, the increasing complexity of network environments also brings deployment management problems. Deploying middleboxes often incurs large maintenance overhead, and managing middleboxes manually, as is traditionally done, easily leads to unnecessary configuration errors.
    To address the deployment management problem, many studies have begun to combine the existing network backbone with the OpenFlow network developed at Stanford University to build a software-defined networking platform; its separation of control and data forwarding meets network management needs, but the platform's ability to control and manage middleboxes still needs improvement. This study implements a Middlebox Deployment Management mechanism (MBDM) based on OpenFlow switches. Using Dijkstra's shortest path algorithm, it simplifies the complexity of steering traffic to middleboxes, while letting users take part in security control to meet security management needs. Experiments show that the proposed MBDM makes deployment through software-defined networking feasible, and that it can accommodate users' security policy requirements and steer traffic to the correct middlebox for processing.


    Abstract (English)
    With the rapid development of cloud computing environments, it has become more and more important for enterprises to adopt cloud computing architectures to provide services. In order to ensure the security of services and the enterprise network, appliances or middleboxes are usually adopted to process packets. Although these security requirements bring enormous business opportunities, they also bring deployment management issues, because the deployment of middleboxes often causes huge maintenance overhead, and manual management of middleboxes often causes misconfiguration errors.
    In order to address the deployment management issues, many academic studies have started to use the existing network backbone with OpenFlow switches to build a Software-Defined Networking (SDN) platform. Our study presents the Middlebox Deployment Management mechanism (MBDM). MBDM simplifies redirecting flows into middleboxes by using Dijkstra's algorithm, while allowing users to participate in security controls to meet their security requirements.
    The proposed MBDM has been shown to make deployment management feasible using software-defined networking, and to be able to accommodate the user's security policy requirements and redirect flows into the middlebox.

    Table of Contents
    Chinese abstract  i
    English abstract  ii
    Acknowledgements  iii
    Table of contents  iv
    List of figures  vi
    List of tables  ix
    Chapter 1 Introduction  1
      1-1 Research background  1
      1-2 Motivation and objectives  5
      1-3 Research contributions  8
      1-4 Thesis organization  8
    Chapter 2 Related work  9
      2-1 OpenFlow switches and the NOX controller  9
        2-1-1 Introduction to OpenFlow switches  9
        2-1-2 The NOX controller  12
      2-2 SDN-based middlebox deployment management  13
        2-2-1 SDN-based data plane design: FlowTags  13
        2-2-2 SDN-based control plane design: CloudWatcher  15
        2-2-3 SDN-based control plane design: SIMPLE  17
      2-3 Comparison of related work  19
      2-4 Routing algorithms on the controller  21
    Chapter 3 Middlebox deployment management mechanism  22
      3-1 System architecture  22
      3-2 Controller component design  23
        3-2-1 Security policy handling module (Policy Handler)  23
        3-2-2 Deployment management module (Middlebox Deployment Manager)  24
        3-2-3 Routing rule translation module (Rule Translator)  26
        3-2-4 Network topology discovery  27
        3-2-5 Routing algorithm  28
      3-3 Middlebox State mechanism on OpenFlow switches  32
      3-4 System workflow  34
        3-4-1 Network topology update  34
        3-4-2 Generating and installing routing rules  35
        3-4-3 Packet forwarding  36
    Chapter 4 Experiments and discussion  37
      4-1 Experimental environment  37
      4-2 System setup and operation  38
        4-2-1 NOX controller setup  38
        4-2-2 OpenFlow switch setup  39
      4-3 Experiment 1: MBDM packet forwarding  41
      4-4 Experiment 2: MBDM security policy enforcement  44
      4-5 Experiment 3: Impact of MBDM on NOX controller performance  49
      4-6 Summary  52
    Chapter 5 Conclusion and future work  53
      5-1 Conclusion and research contributions  53
      5-2 Research limitations  53
      5-3 Future work  54
    References  56

