Master's and Doctoral Theses: Record 101423035 Details




Name: 林建德 (Jian-de Lin)   Graduate department: Department of Information Management
Thesis title: On the study of OpenFlow Switch-based Middlebox Deployment Management Mechanism
(original title: 基於OpenFlow交換機之Middlebox部署管理機制研究)
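  1. This electronic thesis is authorized for immediate open access.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, to avoid breaking the law.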

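Abstract (Chinese) With the rapid growth of cloud network environments, more and more enterprises are adopting cloud computing architectures to provide services, so the security and performance of those services have gradually become important issues. To ensure the security of the application services they provide and of their internal networks, enterprises often process packets through security appliances or middleboxes. Although security requirements bring enormous business opportunities, increasingly complex network environments also bring deployment management problems. Deploying middleboxes often incurs large maintenance overhead, and the traditional manual management of middleboxes easily leads to unnecessary configuration errors.
To solve the deployment management problem, many studies have begun to combine existing network backbones with the OpenFlow network developed at Stanford University to build software-defined networking platforms, whose architecture of decoupled control and data forwarding functions meets network management needs; however, such platforms still need better control over middleboxes. This study implements a Middlebox Deployment Management mechanism (MBDM) based on OpenFlow switches. Through computation with Dijkstra's shortest path algorithm, it simplifies the complexity of steering traffic to middleboxes, while allowing users to participate in security control and meeting security management needs. Experiments show that the proposed MBDM makes deployment through software-defined networking feasible and can accommodate users' security policy requirements, directing traffic to the correct middlebox for processing.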
Abstract (English) With the rapid development of cloud computing environments, it has become more and more important for enterprises to adopt cloud computing architecture to provide services. To ensure the security of services and the enterprise network, appliances or middleboxes are usually adopted to process packets. Although security requirements bring enormous business opportunities, they also bring deployment management issues: deploying middleboxes often causes huge maintenance overhead, and manual management of middleboxes often causes misconfiguration errors.
To address the deployment management issues, many academic studies have started to use the existing network backbone with OpenFlow switches to build a Software-Defined Networking (SDN) platform. Our study presents the Middlebox Deployment Mechanism (MBDM). MBDM simplifies redirecting flows to middleboxes by using Dijkstra's algorithm, while allowing users to participate in security controls to meet security requirements.
The proposed MBDM has been shown to make deployment management through software-defined networking feasible, and it is able to accommodate users' security policy requirements to redirect flows to middleboxes.
Keywords (Chinese) ★ Software-Defined Networking
★ OpenFlow
★ Middlebox
★ Dijkstra's shortest path algorithm
Keywords (English) ★ Software-Defined Networking
★ OpenFlow
★ Middlebox
★ Dijkstra's algorithm
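Table of contents
Chinese Abstract
English Abstract
Acknowledgments
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Motivation and Objectives
1-3 Research Contributions
1-4 Chapter Organization
Chapter 2 Related Work
2-1 OpenFlow Switch and NOX Controller
2-1-1 Introduction to the OpenFlow Switch
2-1-2 NOX Controller
2-2 SDN-based Middlebox Deployment Management
2-2-1 SDN-based Data Plane Design: FLOW TAG
2-2-2 SDN-based Control Plane Design: CloudWatcher
2-2-3 SDN-based Control Plane Design: SIMPLE
2-3 Comparison of Related Work
2-4 Introduction to Controller-based Routing Algorithms
Chapter 3 Middlebox Deployment Management Mechanism
3-1 System Architecture
3-2 System Controller Component Design
3-2-1 Security Policy Handling Module (Policy Handler)
3-2-2 Deployment Management Module (Middlebox Deployment Manager)
3-2-3 Routing Rule Translation Module (Rule Translator)
3-2-4 Network Topology Discovery
3-2-5 Routing Algorithm
3-3 Middlebox State Mechanism on the OpenFlow Switch
3-4 System Operation Flow
3-4-1 Network Topology Update
3-4-2 Generation and Installation of Routing Rules
3-4-3 Packet Forwarding
Chapter 4 Experiments and Discussion
4-1 Experimental Environment
4-2 System Setup and Operation
4-2-1 NOX Controller Setup
4-2-2 OpenFlow Switch Setup
4-3 Experiment 1: MBDM Packet Forwarding
4-4 Experiment 2: MBDM Enforcing Security Policies
4-5 Experiment 3: Impact of MBDM on NOX Controller Performance
4-6 Summary
Chapter 5 Conclusions and Future Work
5-1 Conclusions and Research Contributions
5-2 Research Limitations
5-3 Future Work
References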
Advisor: 陳奕明 (Yi-ming Chen)   Approval date: 2014-7-25