隨著資訊科技的快速發展,智慧型裝置的普及,使用者對於網路服務即時處理能力及多樣化的服務需求也大幅提升,使得傳統網路服務的架構已無法滿足新興服務快速變動網路架構的需求。軟體定義網路(Software Defined Network,SDN) 及網路功能虛擬化 (Network Function Virtualization,NFV) 因此被提出,將實體複雜的網路架構轉變成虛擬、可程式化的架構,降低網路的複雜度,為傳統網路架構帶來重大的變革。軟體定義網路控制器使用開放流發現協議(OpenFlow Discovery Protocol,OFDP) 搜集網路拓撲狀態,OFDP 透過產生鏈路層發現協議 (Link Layer Discovery Protocol, LLDP) 封包探測各 OpenFlow 交換器間的鏈路,透過綜觀的網路拓撲資訊進行封包的路由及交換。然而 OFDP 並非完全安全的協議,可被攻擊者利用而進行拓撲發現插入攻擊、拓撲發現中間人攻擊以及拓撲發現洪水攻擊,進而混淆網路的拓墣狀態。 本論文提出 CTAD 機制運行於軟體定義網路控制器中,CTAD 是一個致力於拓撲發現攻擊的偵測機制,尤其是拓撲發現中間人攻擊,由於此中間人攻擊所重新導送的 LLDP 訊框實際上會經由拓撲中其他鏈路,因此本論文透過斯皮爾曼等級相關係數 (Spearman′s rank correlation) 測量鏈路間網路流量的相關性,以及分析各 LLDP 訊框往返時間的時間差,判斷網路是否存在拓撲發現中間人攻擊。本論文也在 LLDP 訊框中加入動態驗證密鑰及計數機制,避免攻擊者以拓撲發現插入攻擊產生假的鏈路以及拓撲發現洪水攻擊而造成網路路由或交換出現異常。 ;With the rapid development of information technology and the popularity of smart devices, users′ demand for instant processing of network services and diversified services has also increased significantly, making the architecture of traditional network services unable to meet the rapidly changing network architecture of emerging services Demand. Software-defined Networking (SDN) and Network Function Virtualization (NFV) have therefore been proposed to transform complex network architectures into virtual and programmable architectures to reduce network complexity, bringing about major changes to the traditional network architecture. SDN controller use OpenFlow Discovery Protocol (OFDP), which detects the links between the OpenFlow switches by generating Link Layer Discovery Protocol (LLDP) packets, to collect comprehensive network topology status for the routing and switching of packets. However, OFDP is not a completely secure protocol and can be used by attackers to perform topology discovery injection attack, topology discovery man-in-the-middle attack and topology discovery flood attack, thereby confusing the network topology.
