SDN/NFV網路測試平台建置管理與佈署:   以DDoS網路攻防為例

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：11

、訪客IP：3.134.78.106

姓名

陳奕勳(Yi-Shun Chen) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

SDN/NFV網路測試平台建置管理與佈署: 以DDoS網路攻防為例
(Deployment and Management of SDN/NFV Network Testbed: A Case Study of DDoS Attacks)

相關論文

★ 無線行動隨意網路上穩定品質服務路由機制之研究	★ 應用多重移動式代理人之網路管理系統
★ 應用移動式代理人之網路協同防衛系統	★ 鏈路狀態資訊不確定下QoS路由之研究
★ 以訊務觀察法改善光突發交換技術之路徑建立效能	★ 感測網路與競局理論應用於舒適性空調之研究
★ 以搜尋樹為基礎之無線感測網路繞徑演算法	★ 基於無線感測網路之行動裝置輕型定位系統
★ 多媒體導覽玩具車	★ 以Smart Floor為基礎之導覽玩具車
★ 行動社群網路服務管理系統－應用於發展遲緩兒家庭	★ 具位置感知之穿戴式行動廣告系統
★ 調適性車載廣播	★ 車載網路上具預警能力之車輛碰撞避免機制
★ 應用於無線車載網路上之合作式交通資訊傳播機制以改善車輛擁塞	★ 智慧都市中應用車載網路以改善壅塞之調適性虛擬交通號誌

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

軟體定義網路(Software Defined Network, SDN)與網路功能虛擬化(Network Functions Virtualization, NFV)的概念被提出後，學界與產業界都爭相投入，但要製作一個具有SDN/NFV實驗環境，是相當需要成本的，因此目前存在許多網路測試平台。網路測試平台內其中一項重要的資源就是Computation node，讓使用者可以作為計算的節點或是做為主機，由於舊有的網路測試平台都是以Hypervisor製作VM來作為Computation node，這樣的虛擬化技術必須載入Guest OS使得每次建立一個虛擬網路都需要很大耗費時間與空間的成本，效率也不佳。

因此本論文提出以Docker為基礎的Openflow網路測試平台(Docker-based Openflow Network Testbed, DONT)，Docker製作Docket container，當作Computation node的資源，而Docket container與前者的VM最大的差別在於，不用再載入Guest OS這樣使得開啟時的效能大幅提升，且執行的效能也比VM來的快速。DONT加入Open vSwitch支援SDN的網路架構，同時也使用Vlan ID隔離各個Slice的資源，且Docker所製作的Docket container同時也能夠當作NFV的一般伺服器，將虛擬化網路功能安裝在上面，例如Apache、Firewall等，因此DONT同時支援SDN與NFV兩個網路技術概念。

DONT不僅改善了Computation node的製作方式，同時也透過瀏覽器與使用者互動，讓使用者可以繪製拓樸及監控Slice的資源，DONT有別於以往的網路測試平台不同在於，使用者可以直接以圖形化的方式指定每個Slice的資源做操控，加上DONT擁有預約配置Slice與錄製及回放封包的功能，這些功能能夠讓使用者更容易的在DONT上製作實驗，且錄製回放的機制更能讓使用者以不同的面向觀察Slice的資源狀態，以作出不同的決策方式應對，同時以DDoS作為DONT完成之後的測試範例，以驗證本系統能夠承受使用者的網路實驗。

摘要(英)

After the concept of SDN (Software Defined Network) and NFV (Network Functions Virtualization) are proposed in the world. Researchers begin to study SDN/NFV but the experiment of SDN/NFV needs many costs of devices so there are many network testbeds proposed literature, currently. The Compute node (CN) is an important resource in network testbed. In the past, network testbed usually makes CN by VM. The VM must loads guest OS but let cost and performance, poorly.

This paper proposed DONT (Docker-based Openflow Network Testbed, DONT) The CN use Docker Container, Docker Container is different VM, because of it does not load guest OS. Docker Container has good efficiency. DONT use Open vSwitch connects CN and Openflow Controller so DONT can support SDN, Docker Container can be commonly server of NFV. It can install VNF (Virtual Network Function) so DONT can support NFV. In order to user can make experiment easily, DONT support the functions of deployment, interaction and replay.

關鍵字(中)

關鍵字(英)

★ SDN
★ NFV
★ Network Testbed
★ Slice

論文目次

摘要 i

Abstract ii

誌謝 iii

目錄 iv

圖目錄 viii

表目錄 xiii

第一章緒論 1

1.1 概要 1

1.2 研究動機 3

1.3 研究目的 4

1.4 章節架構 5

第二章背景知識與相關研究 6

2.1 軟體定義網路SDN 與 OpenFlow Protocol 6

2.2 網路功能虛擬化NFV 11

2.3 Docker虛擬化技術 14

2.4 DDoS分散式阻斷服務攻擊 19

2.5 網路模擬軟體與網路測試平台 22

2.6 相關研究與比較 27

第三章研究方法 30

3.1 平台架構與設計 30

3.1.1 DONT Website模組 34

3.1.1.1 Authentication模組 34

3.1.1.2 GUI Operation模組 34

3.1.1.3 Monitor and Statistic Chart模組 37

3.1.1.4 Error Detection模組 38

3.1.1.5 Topology Conversion模組 38

3.1.1.6 Operation Record模組 38

3.1.2 Resource Management模組 39

3.1.2.1 Slice Deployment模組 39

3.1.2.2 Error Detection模組 39

3.1.2.3 Aggegation Monitor模組 40

3.1.2.4 Online Scheduling模組 40

3.1.2.5 Slice Managements模組 40

3.1.3 Resource Pool模組 41

3.1.3.6 Monitor Agent模組 42

3.1.3.7 Physical Components模組 42

3.1.3.8 Docker Enginr模組 43

3.1.3.9 Open vSwitch模組 43

3.1.4 DONT Database模組 44

3.1.4.10 Configuration File 45

3.1.4.11 Replay File 46

3.1.4.12 Account Table 47

3.1.4.13 Slice Table 47

3.1.4.14 Infrastructure_Node Table 48

3.1.4.15 Components Table 49

3.1.4.16 HostOS Table 50

3.1.4.17 ControllerSoft Table 50

3.1.4.18 SwitchVersion Table 51

3.1.4.19 Bucket Table 53

3.1.4.20 Link Table 54

3.1.4.21 Monitor Table 55

3.1.4.22 Replay Table 56

3.1.4.23 Record Table 56

3.2 系統運作流程與機制設計 57

3.2.1 資料符號表 57

3.2.2 系統定義與假設 60

3.2.3 測試平台DONT功能運作與流程 60

3.2.3.1 註冊流程 61

3.2.3.2 登入流程 61

3.2.3.3 拓樸繪製流程 62

3.2.3.4 儲存Configuration file流程 63

3.2.3.5 載入Configuration file流程 64

3.2.3.6 配置流程 64

3.2.3.7 排程配置流程 66

3.2.3.8 監測流程 67

3.2.3.9 資源操作流程 68

3.2.3.10 錄製流程 69

3.2.3.11 回放流程 70

3.2.3.12 資源回收流程 70

3.3 系統實作 71

第四章實驗與討論 78

4.1 情境一:DONT 功能操作 78

4.1.1 實驗一：使用者註冊DONT帳戶 78

4.1.2 實驗二：使用者登入DONT 79

4.1.3 實驗三：DDoS拓樸繪製 81

4.1.4 實驗四：DDoS繪製元件儲存 84

4.1.5 實驗五：載入Configuration file 86

4.1.6 實驗六：配置Slice 87

4.1.7 實驗七：預約配置排程 91

4.1.8 實驗八：Slice資源監測 93

4.1.9 實驗九：Slice資源操作 94

4.1.10 實驗十：透過Slice的資源下載NFV軟體 96

4.1.11 實驗十一：Slice資源錄製封包 98

4.1.12 實驗十二：回放錄製檔案 100

4.1.13 實驗十三：Slice資源回收 102

4.2 情境二:DDoS攻防模擬 104

4.2.1 實驗十四：單一Slice中模擬DDoS攻擊造成的延遲 104

4.2.2 實驗十五：真實環境下之DDoS攻擊 107

4.2.3 實驗十六：單一Slice中模擬DDoS攻擊之防禦方式 109

4.2.4 實驗十七：DDoS攻擊之攻擊模式 111

4.3 情境三：多個使用者的Slice操作情境 112

4.3.1 實驗十八：兩個使用者之slice資源操作 112

4.4 情境四：DONT基礎設施的效率測試 114

4.4.1 實驗十九：Docket container開啟延遲時間 114

4.4.2 實驗二十：Open Vswitch 開啟延遲時間 115

4.4.3 實驗二十一：內網的頻寬上限與各實驗平台之比較 117

4.4.4 實驗二十二：外網之頻寬上限 118

4.4.5 實驗二十三：OVS流量限制 119

第五章結論與未來研究方向 121

5.1 結論 121

5.2 未來研究 123

參考文獻 125

參考文獻

[1] networkcomputing.com, http://www.networkcomputing.com/networking/searching-for-an-sdn-definition-what-is-software-defined-networking/a/d-id/1233625.

[2] Xinguard, http://www.xinguard.com/en/content.aspx?id=74

[3] Openflow Switch Specification Version 1.5, https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.5.0.noipr.pdf.

[4] perspectives.mvdirona, http://perspectives.mvdirona.com/2011/05/software-load-balancing-using-software-defined-networking/

[5] Sezer, Sakir, et al.“Are we ready for SDN? Implementation challenges for software-defined networks. ”Communications Magazine, IEEE 51.7 (2013): 36-43.

[6] Lara, Adrian, Anisha Kolasani, and Byrav Ramamurthy. “Network innovation using openflow: A survey.”Communications Surveys & Tutorials, IEEE 16.1 (2014): 493-512.

[7] Tourrilhes, Jean, et al. “SDN and Openflow Evolution: A Standards Perspective.”Computer 11 (2014): 22-29.

[8] Ali-Ahmad, Hassan, et al.“An SDN-based network architecture for extremely dense wireless networks.”Future Networks and Services (SDN4FNS), 2013 IEEE SDN for. IEEE, 2013.

[9] Banikazemi, Mohammad, et al.“Meridian: an SDN platform for cloud network services.” Communications Magazine, IEEE 51.2 (2013): 120-127.

[10] Qin, Zhijing, et al.“A Software Defined Networking Architecture for the Internet-of-Things.”Network Operations and Management Symposium (NOMS), 2014 IEEE. IEEE, 2014.

[11] Ku, Ian, et al.“Towards software-defined VANET: Architecture and services. ”Ad Hoc Networking Workshop (MED-HOC-NET), 2014 13th Annual Mediterranean. IEEE, 2014.

[12] Ali-Ahmad, Hassan, et al.“An SDN-based network architecture for extremely dense wireless networks.”Future Networks and Services (SDN4FNS), 2013 IEEE SDN for. IEEE, 2013.

[13] Bueno, Iris, et al.“An opennaas based sdn framework for dynamic qos control.”Future Networks and Services (SDN4FNS), 2013 IEEE SDN for. IEEE, 2013.

[14] ICCLAB, http://blog.zhaw.ch/icclab/category/projects/

[15] Kempf, James, et al.“Fostering rapid, cross-domain service innovation in operator networks through Service Provider SDN.”Communications (ICC), 2014 IEEE International Conference on. IEEE, 2014.

[16] MONTELEONE, Giuseppe; PAGLIERANI, Pietro. Session Border Controller Virtualization Towards" Service-Defined" Networks Based on NFV and SDN. In:Future Networks and Services (SDN4FNS), 2013 IEEE SDN for. IEEE, 2013. p. 1-7.D. Mcdysan, "Software defined networking opportunities for transport," Communications Magazine, IEEE , vol.51, no.3, pp.28-31, March.2013

[17] Shen, W., Yoshida, M., Kawabata, T., Minato, K., & Imajuku, W. (2014, September). vConductor: An NFV management solution for realizing end-to-end virtual network services. In Network Operations and Management Symposium (APNOMS), 2014 16th Asia-Pacific (pp. 1-6). IEEE.

[18] Open vSwitch,http://Open Vswitch.org/.

[19] Docker, https://www.docker.com/whatisdocker.

[20] cisco , http://blogs.cisco.com/enterprise/what-the-heck-is-a-service-container

[21] IBM developerWork, https://www.ibm.com/developerworks/cn/linux/1404_caojh_lxc/

[22] Chun, B., Culler, D., Roscoe, T., Bavier, A., Peterson, L., Wawrzoniak, M., & Bowman, M. (2003). Planetlab: an overlay testbed for broad-coverage services.ACM SIGCOMM Computer Communication Review, 33(3), 3-12.

[23] Shookr.com,http://www.shookr.com/opinions/548-docker

[24] SiliconANGLE,http://siliconangle.com/blog/2015/01/13/gartner-docker-not-ready-for-enterprise-prime-time-quite-yet/

[25] KVM and Docker LXC Benchmarking with OpenStack http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack

[26] Bernstein, David. "Containers and Cloud: From LXC to Docker to Kubernetes."IEEE Cloud Computing 3 (2014): 81-84.

[27] Worm, Tony, and Kenneth Chiu. "Scaling up Prioritized Grammar Enumeration for scientific discovery in the cloud." Big Data (Big Data), 2014 IEEE International Conference on. IEEE, 2014.

[28] Gerlach, Wolfgang, et al. "Skyport: container-based execution environment management for multi-cloud scientific workflows." Proceedings of the 5th International Workshop on Data-Intensive Computing in the Clouds. IEEE Press, 2014.

[29] Wikipedia: Denial-of-service attack, https://en.wikipedia.org/wiki/Denial-of-service_attack

[30] Cloudflare, https://www.cloudflare.com/googl

[31] ONO, Yasumasa; HAYASHI, Yukio. Robustness of the internet at the AS level by DDoS attack. In: Information and Telecommunication Technologies (APSITT), 2010 8th Asia-Pacific Symposium on. IEEE, 2010. p. 1-5.

[32] OKTIAN, Yustus Eko; LEE, SangGon; LEE, Hoonjae. Mitigating Denial of Service (DoS) attacks in Openflow networks. In: Information and Communication Technology Convergence (ICTC), 2014 International Conference on. IEEE, 2014. p. 325-330.

[33] OZCELIK, Ilker; FU, Yu; BROOKS, Richard R. DoS Detection is Easier Now. In: 2013 Second GENI Research and Educational Experiment Workshop. IEEE, 2013. p. 50-55.

[34] Wikipedia Information revolution, https://en.wikipedia.org/wiki/Information_revolution

[35] LANTZ, Bob; HELLER, Brandon; MCKEOWN, Nick. A network in a laptop: rapid prototyping for software-defined networks. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks. ACM, 2010. p. 19.

[36] Handigol, N., Heller, B., Jeyakumar, V., Lantz, B., & McKeown, N. (2012, December). Reproducible network experiments using container-based emulation. In Proceedings of the 8th international conference on Emerging networking experiments and technologies (pp. 253-264). ACM.

[37] GAO, Haihui, et al. Techniques and Research Trends of Network Testbed. In:Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2014 Tenth International Conference on. IEEE, 2014. p. 537-541.

[38] Yu, M., Yi, Y., Rexford, J., & Chiang, M. (2008). Rethinking virtual network embedding: substrate support for path splitting and migration. ACM SIGCOMM Computer Communication Review, 38(2), 17-29.

[39] 曾志華, “Placement of Virtual Network Functions on SDN-Based Network Testbed”, Jul. 2014

[40] Wikipedia :ajax https://zh.wikipedia.org/wiki/AJAX

[41] 黃柏勝, 林冠圻, “Openflow暨OpenStack之多重Controller環境監測系統”, Jul. 2014

[42] 張德勤. NetFPGA 上基於 Openflow 的跨雲端動態資源調配機制之設計與實作.中央大學資訊工程學系學位論文, 2012, 1-141.

指導教授

周立德(Li-Der Chou)

審核日期

2015-8-28

推文