Chapter 6 Conclusion and Outlook
6.1 Summary of the Thesis
This thesis works in an SDN environment and investigates how packet traceback and troubleshooting techniques can be used to improve network reliability, addressing the operational complexity and difficult maintenance of existing approaches. It proposes an extension method for security policies that combines intent-based policies with path-based classification policies, improving management efficiency and resolving network faults in a principled way. The research and experimental work behind this thesis covered the following areas:
(1) Research on SDN-based packet traceback and path tracing. The differences between traditional IP traceback and SDN traceback were clarified and, building on existing SDN intent application schemes, an intent traceback strategy was proposed that treats different types of user intent separately, defining user intent features that carry application, controller and mobile-device characteristics respectively. An intent traceback interface was developed, and experiments verified that the intent traceback strategy obtains the complete packet path.
(2) A policy-layer fault traceback strategy that needs no additional prerequisites such as switch firmware or agent software. The thesis proposes a combined classification strategy based on path queries that can discover whether a fault exists in the network; combined with a troubleshooting algorithm it locates link faults and widens the scope of troubleshooting, and it can effectively detect the two classes of events of flow-rule conflicts and rule loss. This is an important complement to the source traceback scheme.
(3) The reverse (traceback) strategy needs to obtain packets at the data layer, whereas the troubleshooting strategy obtains packets from the perspective of the network administrator resolving a fault. The proposed path-query-based troubleshooting framework comprises discovery, localization and testing phases: the discovery phase analyzes the proportion of links lying on faulty paths, the localization phase computes a weight for each link to obtain the location where a fault is most likely to have occurred, and a test environment is then used to verify the result of the fault repair.
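As an added illustration of the discover, localize and test cycle in (3), not code from the thesis: the Python below uses a constructed five-path topology and an assumed link weighting (a link's share of the failed paths multiplied by the failure rate among the paths it carries), simulates lost probes, reports whether a fault exists, ranks links by weight and re-runs the path queries after repairing the top suspect.

```python
from collections import defaultdict

# Constructed example (not from the thesis): each path query lists the links a probe traverses.
PATH_QUERIES = [
    ["s1-s2", "s2-s3", "s3-h2"],
    ["s1-s2", "s2-s4", "s4-h3"],
    ["s5-s2", "s2-s3", "s3-h2"],
    ["s5-s2", "s2-s4", "s4-h3"],
    ["s1-s2", "s2-s3", "s3-s6", "s6-h4"],
]

def run_queries(queries, down_links):
    """Stand-in for the data plane: a probe is delivered iff no link on its path is down."""
    return [(p, not any(l in down_links for l in p)) for p in queries]

def link_counts(results):
    """Per link: how many queried paths it lies on, and how many of those failed."""
    total, bad = defaultdict(int), defaultdict(int)
    for path, ok in results:
        for link in path:
            total[link] += 1
            bad[link] += 0 if ok else 1
    return total, bad

def discover(results):
    """Discovery step: a fault exists if any probe was lost; report each link's
    share of the failed paths (the ratio the thesis uses for discovery)."""
    n_failed = sum(1 for _, ok in results if not ok)
    if n_failed == 0:
        return False, {}
    _, bad = link_counts(results)
    return True, {link: n / n_failed for link, n in bad.items()}

def localize(results):
    """Localization step (assumed weighting): share of failed paths the link is
    on times the fraction of its own paths that failed; argmax = suspect."""
    total, bad = link_counts(results)
    n_failed = sum(1 for _, ok in results if not ok)
    if n_failed == 0:
        return None, {}
    weights = {l: (bad[l] / n_failed) * (bad[l] / total[l]) for l in total}
    return max(weights, key=weights.get), weights

def troubleshoot(queries, down_links):
    """Full cycle: discover, localize, then re-run the queries with the suspect
    repaired (test step). Returns (suspect, all probes delivered after fix)."""
    results = run_queries(queries, down_links)
    found, _ = discover(results)
    if not found:
        return None, True
    suspect, _ = localize(results)
    repaired = set(down_links) - {suspect}
    return suspect, all(ok for _, ok in run_queries(queries, repaired))
```

With only "s2-s3" down, three of the five probes are lost; that link lies on every failed path and on no successful one, so it receives weight 1.0 and the re-test after repair delivers all probes.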
6.2 Future Work
The SDN-based security-policy extension in this thesis completed the intent interface definition and the classification of fault types, but shortcomings remain in application-layer policy integration, message passing between components and system optimization. Future work will focus on the following four areas:
(1) Combining event traceback with intent.
Intents currently have to be defined by the user from sets of network addresses, which is somewhat arbitrary. Detected malicious traffic could instead be classified automatically by a controller application for traceback; a controller component with learning capability could better help the user complete the intent definition, simple intents could be created automatically by modular components according to the user's needs, and the user would only need a few simple operation steps to adjust them.
(2) Building an intent traceback system.
Besides simple intent traceback strategies, the system should support more complex intent traceback functions; an intent such as "trace back malicious traffic", for example, requires the joint use of a malicious-traffic detection component. When the user's requirements change, the question is how to guarantee that newly added intents work together with previously defined ones. An effective intent conflict detection mechanism can help the user when adding intents, so more intent management functions still need to be added step by step to the intent traceback system.
(3) Transient faults.
Although transient faults receive little attention in most fault detection systems, in communication systems with high real-time and reliability requirements the symptoms of transient faults may recur frequently and cause false alarms. The open problem is therefore how to handle transient problems, or the inaccurate fault discovery results produced by an overly sensitive fault detection mechanism: when spurious symptoms occur, the management system may be unable to confirm the observed alarms, which makes the fault localization process difficult.
(4) Building an automated test environment.
Packet-loss testing is currently not highly automated; because of the complex correlations between faults and the presence of unrelated faults, it is difficult to construct an automated test process in a short time. During testing the fault management system must be isolated as far as possible, and only by preserving the fault scene can it be guaranteed that, within a short time window, each fault test exercises the same fault problem without producing duplicate alarms.
Acknowledgements
Time flies, and my graduate studies are about to come to a close. I thank all the teachers, classmates, family and friends who have helped me. I thank my advisor, Associate Professor Chen Yunfang, for his tireless guidance; I have benefited greatly from him. From participating in project research to applying for a National Natural Science Foundation project, Mr. Chen's rigorous and conscientious attitude moved me deeply and taught me that whatever I do, I must give my all and do my best! I thank Professor Zhang Wei for the help he provided during my graduate studies, which made me realize that I still have many shortcomings and must keep working hard to make greater progress!
I thank the brothers and sisters of the research lab; studying and progressing together with you was the most wonderful thing. I thank my three roommates in Xueliu 703 and the classmates I met during graduate school; living and having fun together with you was the happiest thing.
I thank my parents for raising and nurturing me. In the life ahead I will walk forward more resolutely, no longer afraid and no longer lost, because you told me: there are always more solutions than difficulties!
Finally, I thank all the teachers who took time out of their busy schedules to review my thesis. I will study harder in the future and strive to one day reach the summit of my dreams!