National Advanced IPv6 Center, Universiti Sains Malaysia, Gelugor, Penang, Malaysia.
PLoS One. 2020 May 11;15(5):e0232574. doi: 10.1371/journal.pone.0232574. eCollection 2020.
OpenFlow makes a network highly flexible and fast-evolving by separating control and data planes. The control plane thus becomes responsive to changes in topology and load balancing requirements. OpenFlow also offers a new approach to handle security threats accurately and responsively. Therefore, it is used as an innovative firewall that acts as a first-hop security to protect networks against malicious users. However, the firewall provided by OpenFlow suffers from Internet protocol version 6 (IPv6) fragmentation, which can be used to bypass the OpenFlow firewall. The OpenFlow firewall cannot identify the message payload unless the switch implements IPv6 fragment reassembly. This study tests the IPv6 fragmented packets that can evade the OpenFlow firewall, and proposes a new mechanism to guard against attacks carried out by malicious users to exploit IPv6 fragmentation loophole in OpenFlow networks. The proposed mechanism is evaluated in a simulated environment by using six scenarios, and results exhibit that the proposed mechanism effectively fixes the loophole and successfully prevents the abuse of IPv6 fragmentation in OpenFlow networks.
OpenFlow 通过分离控制平面和数据平面,使网络变得高度灵活和快速发展。控制平面因此能够响应拓扑和负载均衡要求的变化。OpenFlow 还提供了一种新的方法来准确和快速地处理安全威胁。因此,它被用作一种创新的防火墙,作为第一道安全防线来保护网络免受恶意用户的攻击。
然而,OpenFlow 提供的防火墙存在 Internet 协议第 6 版 (IPv6) 分片问题,这可能被用来绕过 OpenFlow 防火墙。除非交换机实现 IPv6 分片重组,否则 OpenFlow 防火墙无法识别消息有效负载。本研究测试了可以逃避 OpenFlow 防火墙的 IPv6 分片数据包,并提出了一种新的机制来防范恶意用户利用 IPv6 分片漏洞在 OpenFlow 网络中发起的攻击。该机制在模拟环境中使用六个场景进行了评估,结果表明该机制有效地修复了漏洞,并成功防止了 IPv6 分片在 OpenFlow 网络中的滥用。
