Multipath resilient routing for endogenous secure software defined networks
Computer Networks (IF 4.4), Pub Date: 2021-04-30, DOI: 10.1016/j.comnet.2021.108134
Quan Ren, Tao Hu, Jiangxing Wu, Yuxiang Hu, Lei He, Julong Lan

SDN improves the flexibility and programmability of the network. However, malicious attacks caused by potential vulnerabilities and backdoors can easily lead to data and rule tampering in the network. To address this problem, this paper proposes an endogenous secure SDN network framework based on multipath resilient routing (MRR). MRR includes multipath comparing forwarding, multipath weighted forwarding, and multipath random forwarding. The framework ensures the correctness of flow rules and data content by dynamically comparing the consistency of data across multiple heterogeneous paths within a certain period, and multipath can also achieve load balancing through weighted forwarding. In the MRR framework, we also present an intermediate information feedback mechanism based on encryption authentication and give a mathematical model to evaluate it. This mechanism can accurately identify and dynamically repair malicious switches. Simulation evaluation and prototype system tests show that this framework can achieve high accuracy of flow transmission and high system availability. At the same time, multipath comparing forwarding brings some performance costs, such as delay, bandwidth, and jitter, at initial and attacking time. However, when an appropriate forwarding mode and a reasonable period T are selected, the proportion of delay introduced by comparing and ruling can be less than 10%, and the average bandwidth of mixed forwarding is almost the same as that of traditional multipath; for example, we can guarantee 25% multipath comparing forwarding when the bandwidth requirement is 250 M in the prototype system.




Updated: 2021-05-10