| 摘要: | 在現代網路環境中,攻擊者能夠利用受汙染的網路設備進行竊聽和竄改攻擊,以獲取隱私資料或導致主機做出錯誤決策。為了有效監控和管理網路流量,軟體定義網路(Software Defined Network, SDN)提供了一個集中式的控制平台。然而,由於SDN在封包處理方面的靈活性不足,因此Programming Protocol-independent Packet Processors(P4)被提出,P4允許網路管理人員定義封包的標頭(Header)以及處理流程,從而實現更靈活和可定制的網路功能。
為了防止竊聽與竄改攻擊對網路環境的危害,本論文提出了Locator/Identifier Separation with Message Authentication Code(LISMAC)的機制與標頭,透過P4交換機將原始IP位址進行加密,對流量進行混淆,防止攻擊者透過竊聽攻擊和聚合封包來獲取隱私資訊。LISMAC使用定位標示分離技術作為IP位址加密後封包的路由依據,同時能夠減少中間網路節點儲存的路由表大小。此外LISMAC標頭中還包含封包的訊息鑑別碼(Message Authentication Code, MAC)值,可以透過檢驗MAC值來判斷封包在傳送過程中是否發生錯誤或被竄改。在實驗中,將LISMAC機制引入到3個中繼段(Hop)的環境中,在往返時間(Round-Trip Time, RTT)的部分,使平均RTT上升了1.19 ms,在沒有設置鏈路延遲時,平均RTT增加了53.43%,而在鏈路延遲設為1 ms時,平均RTT僅增加了1.55%,因此在真實世界存在鏈路延遲的情況下,引入LISMAC對平均RTT的上升幅度並不大。吞吐量(Throughput)部分則在引入LISMAC機制後下降了42.97%。儘管如此,在與SPINE與SR-TPP的比較中,LISMAC仍然具有較低的平均RTT和較高的throughput。
;In the modern networking environment, attackers can exploit compromised network devices for eavesdropping and tampering attacks to obtain private data or cause the host to make erroneous decisions. To effectively monitor and manage network traffic, Software Defined Networking (SDN) provides a centralized control platform. However, due to the limited flexibility in packet processing, Programming Protocol-independent Packet Processors (P4) have been proposed. P4 allows network administrators to define packet headers and processing workflows, enabling more flexible and customizable network functionalities.
To mitigate the risks of eavesdropping and tampering attacks in the network environment, this paper proposes the Locator/Identifier Separation with Message Authentication Code (LISMAC). Through P4 switches, LISMAC encrypts the original IP addresses and confuses the traffic, preventing attackers from obtaining sensitive information through eavesdropping attacks and packet aggregation. LISMAC utilizes the technique of locator/identifier separation as the routing basis for encrypted packets, while also reducing the size of routing tables stored in intermediate network nodes. Additionally, LISMAC headers include a Message Authentication Code (MAC) value, which allows the verification of packet integrity and detection of potential errors or tampering during transmission.
In the experiment, the LISMAC mechanism was introduced into a three-hop environment. Regarding Round-Trip Time (RTT), without setting any link delay, the average RTT increased by 53.43%. However, when the link delay was set to 1 ms, the average RTT only increased by 1.55%. Therefore, in real-world scenarios with existing link delays, LISMAC shows a relatively small increase in average RTT. The throughput decreased by 42.97% after introducing the LISMAC mechanism. Nevertheless, when compared to SPINE and SR-TPP, LISMAC still exhibits lower average RTT and higher throughput. |
