Journal of Tsinghua University (Science and Technology), 2018, Vol. 58, Issue 8: 693-697    DOI: 10.16511/j.cnki.qhdxxb.2018.21.019
Computer Science and Technology
Pattern router to regulate dynamic actions in the router dataplane (范式路由器:规范路由器数据层的动态行为)
XU Lei, XU Ke (徐磊, 徐恪)
Tsinghua National Laboratory for Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Abstract: Router security has become more pressing as modular, programmable routers become common. This paper presents a pattern router that encodes the modularized dataplane and pre-combines the encodings so that the dynamic actions of the dataplane can be monitored and regulated. Each dataplane action is labelled with an action identifier (AID), and the AIDs of legitimate actions are stored in a regulated action table (RAT) before the router starts. While the router runs, every dynamic action is checked against the RAT, so that only actions whose AID is present are trusted. The pattern router was implemented both in a Click router and in a data plane development kit (DPDK) router. Experiments show that the pattern router costs only 2 MB of memory and less than 10% of bandwidth throughput while capturing all malicious actions in the dataplane.
Key words: router security; pattern router; router action
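The abstract describes the mechanism only at a high level: an AID per dataplane action chain, a RAT filled with legitimate AIDs before start-up, and a run-time lookup that allows an action only if its AID is present. The following C program is an added illustration of that whitelist pattern and is not code from the paper or from the Click/DPDK implementations it describes. The element IDs, the legal chains, the run-time trace and the choice of FNV-1a over the ordered element sequence as the AID encoding are all constructed assumptions; the paper's own CTAG/WAID format is not described on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAT_CAPACITY 256   /* constructed limit for this toy RAT */

typedef uint32_t aid_t;    /* action identifier (AID) */

/* Constructed element IDs for a toy modular dataplane (assumption, not the
   paper's Click/DPDK element set). EL_EXFIL stands in for a module that was
   never part of the regulated composition. */
enum {
    EL_FROMDEVICE = 1, EL_CHECKIPHDR = 2, EL_LOOKUPROUTE = 3,
    EL_DECTTL = 4, EL_TODEVICE = 5, EL_TOHOST = 6, EL_EXFIL = 99
};

/* Encode an ordered action chain as one AID. FNV-1a over the element
   sequence is an assumed encoding; order matters, so a skipped or inserted
   element yields a different AID. */
aid_t compute_aid(const uint8_t *chain, size_t len) {
    aid_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= chain[i];
        h *= 16777619u;
    }
    return h;
}

/* Regulated action table (RAT): sorted array of legal AIDs, filled before
   the router starts and only read at run time. */
typedef struct { aid_t entries[RAT_CAPACITY]; size_t count; } rat_t;

/* Index of the first entry not smaller than aid (binary search). */
static size_t rat_lower_bound(const rat_t *rat, aid_t aid) {
    size_t lo = 0, hi = rat->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (rat->entries[mid] < aid) lo = mid + 1; else hi = mid;
    }
    return lo;
}

bool rat_contains(const rat_t *rat, aid_t aid) {
    size_t i = rat_lower_bound(rat, aid);
    return i < rat->count && rat->entries[i] == aid;
}

/* Insert keeping the array sorted; duplicates are ignored. False when full. */
bool rat_add(rat_t *rat, aid_t aid) {
    size_t i = rat_lower_bound(rat, aid);
    if (i < rat->count && rat->entries[i] == aid) return true;
    if (rat->count >= RAT_CAPACITY) return false;
    memmove(&rat->entries[i + 1], &rat->entries[i], (rat->count - i) * sizeof(aid_t));
    rat->entries[i] = aid;
    rat->count++;
    return true;
}

/* Legal chains known at initialisation time (constructed). */
static const uint8_t CHAIN_FORWARD[] = { EL_FROMDEVICE, EL_CHECKIPHDR, EL_LOOKUPROUTE, EL_DECTTL, EL_TODEVICE };
static const uint8_t CHAIN_LOCAL[]   = { EL_FROMDEVICE, EL_CHECKIPHDR, EL_LOOKUPROUTE, EL_TOHOST };

/* Populate the RAT before the dataplane starts processing packets. */
void rat_init(rat_t *rat) {
    rat->count = 0;
    rat_add(rat, compute_aid(CHAIN_FORWARD, sizeof CHAIN_FORWARD));
    rat_add(rat, compute_aid(CHAIN_LOCAL, sizeof CHAIN_LOCAL));
}

/* Run-time check: an action chain is allowed only if its AID is in the RAT. */
bool regulate_action(const rat_t *rat, const uint8_t *chain, size_t len) {
    return rat_contains(rat, compute_aid(chain, len));
}

/* Constructed run-time trace: three legal chains plus one with an injected
   element and one that skips the header check. Returns how many were blocked. */
int run_trace_demo(void) {
    rat_t rat;
    rat_init(&rat);
    const uint8_t injected[] = { EL_FROMDEVICE, EL_CHECKIPHDR, EL_LOOKUPROUTE, EL_DECTTL, EL_EXFIL, EL_TODEVICE };
    const uint8_t skipped[]  = { EL_FROMDEVICE, EL_LOOKUPROUTE, EL_DECTTL, EL_TODEVICE };
    const struct { const char *name; const uint8_t *chain; size_t len; } trace[] = {
        { "forward",  CHAIN_FORWARD, sizeof CHAIN_FORWARD },
        { "injected", injected,      sizeof injected },
        { "local",    CHAIN_LOCAL,   sizeof CHAIN_LOCAL },
        { "skipped",  skipped,       sizeof skipped },
        { "forward",  CHAIN_FORWARD, sizeof CHAIN_FORWARD },
    };
    int blocked = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        bool ok = regulate_action(&rat, trace[i].chain, trace[i].len);
        printf("%-8s AID=%08x %s\n", trace[i].name,
               compute_aid(trace[i].chain, trace[i].len), ok ? "allowed" : "BLOCKED");
        if (!ok) blocked++;
    }
    return blocked;
}

int main(void) {
    printf("blocked %d of 5 actions\n", run_trace_demo());
    return 0;
}
```

Because the RAT is a closed whitelist built before start-up, any chain not pre-combined into it is rejected regardless of which module was added or removed, which is the property the abstract attributes to the pattern router; what an actual deployment must also guarantee, and this toy does not, is that the RAT itself cannot be modified at run time.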
Received: 2018-03-10      Published: 2018-08-15
Corresponding author: XU Ke, Professor, E-mail: xuke@tsinghua.edu.cn
Cite this article:
XU Lei, XU Ke. Pattern router to regulate dynamic actions in the router dataplane. Journal of Tsinghua University (Science and Technology), 2018, 58(8): 693-697.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.21.019 or http://jst.tsinghuajournals.com/CN/Y2018/V58/I8/693
Fig. 1 CTAG and WAID formats
Fig. 2 General proof of the weights
Fig. 3 Pattern router architecture
Fig. 4 Initializing the RAT
Fig. 5 Action time points
Fig. 6 Pattern router performance as the number of malicious actions grows
Copyright © Editorial Office of the Journal of Tsinghua University (Science and Technology)