Summary: Master's thesis === National Cheng Kung University === Institute of Computer and Communication Engineering === 106 === With the growth of networks and cloud applications, the number of network devices keeps increasing, and managing and configuring those devices has become a problem. Software Defined Networking (SDN) has therefore become the trend. The difference between an SDN network and a traditional network is that the control plane and the forwarding (data) plane are separated. The forwarding plane consists primarily of SDN switches, which process incoming packets according to the rules received from the controller. The control plane is a centralized controller that sends rules and actions to each switch via an SDN southbound protocol such as OpenFlow. The advantage of this separated architecture is that the controller can collect network conditions immediately and send corresponding countermeasures to the switches. To obtain network information, a global view must first be built. Most SDN controllers use OFDP (OpenFlow Discovery Protocol) to discover the network topology; in OFDP, LLDP (Link Layer Discovery Protocol) is used to discover the links between two switches. However, LLDP lacks proper authentication, which lets an attacker poison the network topology by launching a fake LLDP injection attack or an LLDP relay attack. This thesis therefore proposes a mechanism that authenticates packet integrity and routing. For the LLDP relay attack, the thesis uses the differences between benign links and forged links to detect the attack. Finally, the results show that, in both a simulated environment and a real environment, the proposed method can effectively detect the attack.
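The abstract describes OFDP link discovery (the controller sends an LLDP probe out of each switch port and learns a link when the probe comes back in a packet-in from a neighbouring switch) and a mechanism that authenticates LLDP packet integrity. The following is an added illustration, not code from the thesis: it simulates the controller side of OFDP and protects each probe with an HMAC-SHA256 tag plus a per-probe nonce, so that a fabricated LLDP packet (no key) or a replayed one (consumed nonce) is rejected before a link is learned. The key, the TLV layout, and all names (`build_lldp`, `Controller`, `demo`) are assumptions made for this example; the thesis's actual integrity scheme may differ.

```python
"""Added example: OFDP-style link discovery with HMAC-authenticated LLDP probes.
Not the thesis's code; the tag/nonce layout and key handling are assumptions."""
import hashlib
import hmac
import secrets

# Constructed secret for the example; a deployment would provision this per controller.
KEY = b"controller-secret-key"


def _probe_bytes(chassis_id: str, port_id: int, nonce: str) -> bytes:
    """Canonical byte string covered by the tag (chassis, port, nonce)."""
    return f"{chassis_id}|{port_id}|{nonce}".encode()


def build_lldp(chassis_id: str, port_id: int, key: bytes = KEY) -> dict:
    """Controller side: build an LLDP probe for (chassis_id, port_id) carrying
    a fresh nonce and an HMAC tag in an assumed organizationally specific TLV."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, _probe_bytes(chassis_id, port_id, nonce), hashlib.sha256).hexdigest()
    return {"chassis_id": chassis_id, "port_id": port_id, "nonce": nonce, "tag": tag}


class Controller:
    """Minimal OFDP controller: remembers outstanding probes and learned links."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.outstanding = set()  # nonces of probes sent but not yet seen back
        self.links = set()        # ((src_dpid, src_port), (dst_dpid, dst_port))

    def send_probe(self, dpid: str, port: int) -> dict:
        """Packet-out of an LLDP probe on (dpid, port); record its nonce."""
        pkt = build_lldp(dpid, port, self.key)
        self.outstanding.add(pkt["nonce"])
        return pkt

    def handle_packet_in(self, in_dpid: str, in_port: int, pkt: dict) -> str:
        """Packet-in handler: verify the probe before learning a link.
        Returns a short verdict string for the caller."""
        expected = hmac.new(
            self.key,
            _probe_bytes(pkt.get("chassis_id", ""), pkt.get("port_id", -1), pkt.get("nonce", "")),
            hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison: a forged or tampered probe fails here.
        if not hmac.compare_digest(expected, pkt.get("tag", "")):
            return "rejected: bad tag"
        # A valid tag whose nonce is no longer outstanding is a replay.
        if pkt["nonce"] not in self.outstanding:
            return "rejected: unknown or replayed nonce"
        self.outstanding.discard(pkt["nonce"])
        self.links.add(((pkt["chassis_id"], pkt["port_id"]), (in_dpid, in_port)))
        return "accepted"


def demo():
    """Benign discovery, a fabricated probe, and a replayed probe."""
    ctl = Controller()
    benign = ctl.send_probe("s1", 1)
    r_benign = ctl.handle_packet_in("s2", 2, benign)
    # Constructed forged probe: claims to come from s1:1 but carries no valid tag.
    forged = {"chassis_id": "s1", "port_id": 1, "nonce": "0000000000000000", "tag": "00" * 32}
    r_forged = ctl.handle_packet_in("s3", 5, forged)
    # Replay of the already-consumed benign probe on another port.
    r_replay = ctl.handle_packet_in("s3", 5, benign)
    return r_benign, r_forged, r_replay, sorted(ctl.links)


if __name__ == "__main__":
    print(demo())
```

The tag and nonce stop fabricated and replayed LLDP, which covers the injection case named in the abstract. They do not stop a live relay attack, in which a valid, still-outstanding probe is carried in real time from one switch port to another and the controller learns a link that does not physically exist; that is why the thesis detects relay separately, from the differences between benign and forged links, rather than from the packet contents alone.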