CN104378298A - Flow table entry generating method and corresponding device - Google Patents


Info

Publication number
CN104378298A
Authority
CN
China
Prior art keywords
flow table
address
table entry
flow
entry
Legal status
Withdrawn
Application number
CN201310359664.2A
Other languages
Chinese (zh)
Inventor
梁乾灯
范亮
尤建洁
韩杰
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201310359664.2A
Priority to PCT/CN2014/078406
Publication of CN104378298A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/64 Hybrid switching systems
    • H04L 12/6418 Hybrid transport

Abstract

The invention discloses a flow table entry generation method and a corresponding device. The method is applied to an OpenFlow forwarding device and comprises: receiving a guide flow table entry and a flow table template sent by an OpenFlow controller, where the Action information of the guide flow table entry contains a preset flow table template ID; and, after a data packet is received, if the packet matches and hits the guide flow table entry, looking up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by that template and the key field information of the packet. The method and device enhance the security of the OpenFlow protocol while extending the application scenarios and the practicality of OpenFlow/SDN networks.

Description

Flow table entry generation method and corresponding device
Technical field
The present invention relates to the field of communications, and in particular to a flow table entry generation method and a corresponding device.
Background technology
The current Internet, based on TCP/IP (Transmission Control Protocol/Internet Protocol), has achieved enormous success over more than forty years of development; it is closely bound up with people's lives and has become an indispensable part of the infrastructure for work, study and daily life. Because of the division of labour and organizational principle adopted at the start of its design, namely "gateways and network devices perform simple processing; complex processing is left to the host side", the TCP/IP Internet arrived at its present architectural situation: application layer protocols on the host side can be modified and deployed easily and flexibly, so application layer software has developed by leaps and bounds and application layer functionality has been greatly enriched. In sharp contrast, the network layer, although its protocols are simple in design, is not very extensible and is not easy to revise. On the one hand, many fatal flaws exposed at the Internet layer have for a long time been difficult to repair or improve, quality-of-service requirements are difficult to deploy, network security problems grow more serious by the day, and the best-effort forwarding strategy cannot meet user needs such as network management and multicast, which remain hard to deploy and apply. On the other hand, new protocols and new applications are hard to realize because they demand changes to the network layer, as shown by the difficulty of the transition from IPv4 to IPv6; access devices increasingly exhibit ubiquitous mobility and heterogeneity, challenging network reliability and differentiated service capability; routing faces scalability problems in large-scale networks; and applications such as cloud computing and content distribution place new demands on forwarding efficiency. Vinton G. Cerf, the father of TCP/IP, has also pointed out that the Internet should do better in network security and network reliability ("security and reliability are the two most basic thresholds on the way to the future Internet; otherwise this architecture cannot survive"). The Internet therefore finds itself in the predicament that "the application layer is flexible and changeable, with a hundred flowers blossoming, while the network layer is rigid, hard to change and riddled with flaws". To resolve the problems and difficulties it currently faces, the Internet needs to be examined, studied and reformed at the profound level of network architecture and control, so that it can comprehensively meet the new and enormous challenges of the 21st century.
Domestic and foreign research institutions have carried out a large amount of active exploration and research at the level of Internet architecture into how to solve the problems and challenges the current Internet faces. This work has mainly passed through two stages of development, and improvements to the Internet can be divided into two classes: evolutionary improvement and revolutionary improvement.
For many years, for the many problems traditional IP networks have exposed in quality-of-service guarantees, mobility support, efficiency, reliability and security assurance, the research community has generally designed targeted patches to address each problem separately, making an immediate improvement whenever a weakness or error is found in the running network, for example by adding new protocols and functional components to the traditional Internet architecture. This "patch, discover problems, patch again" mode of improvement is based on the existing TCP/IP Internet architecture and progressively evolves and develops the existing network by adding new functions and characteristics to solve the problems currently faced; it is an evolutionary (Evolution) mode of improvement. Its advantage is that it is easy to deploy and implement and helps protect the existing investment in Internet construction. Its defects are: (1) a given patch solves only a local problem of limited scope; (2) an existing improvement may bring short-term gains but be destructive in the long run, as with NAT (Network Address Translation), or a local gain may be destructive to the whole; (3) a given patch may not be "compatible" with later follow-on modifications; (4) after repeated patching, the Internet becomes ever more "heavy", complex and inflexible, beyond what the simple architecture originally designed for the Internet can bear; (5) some problems intrinsic to the traditional Internet architecture are hard to solve in an essential way. From 2005 onward, the research community gradually formed another viewpoint: only by redesigning the network architecture from the ground up can the problems faced by IP networks be solved, and the current Internet architecture is at just the right juncture for a thorough and comprehensive "Clean-Slate" (start-from-scratch) change, abandoning the existing Internet architecture completely and designing a brand-new next-generation Internet architecture that merges multiple design objectives. This approach aims to solve at their root the various problems of the existing Internet architecture and is a revolutionary (Revolution) improvement scheme. Its advantages are: (1) it can break away from the constraints of the TCP/IP architecture, escaping its constraints and framework to solve the challenges the Internet has carried for many years because of its architecture; (2) the Internet can be redesigned comprehensively, solving its problems as a whole and arranging for the realization of many new requirements as a whole. Its defects are: (1) because a brand-new network may not be compatible with the existing Internet, the infrastructure of the legacy network must be replaced completely, so there are problems of network design and smooth transition; (2) how to establish the new architecture, and whether the new architecture can solve the problems faced by current and future networks, carry great risk; (3) an experimental network suited to the brand-new architecture must be rebuilt, so the cost of evolution is high.
Open programmable networks were proposed in order to solve the problems of the current Internet and to allow new network protocols to be deployed quickly and flexibly. An open programmable network is one that lets network researchers, rather than equipment vendors, program the network devices and manage their network architecture or network protocols. Open programmable thinking is one of the representative achievements of the revolutionary improvement scheme and can be summarized as follows: a MAN (Metropolitan Area Network) or WAN (Wide Area Network) network or network device in which multiple functions originally coexisted as an integrated, complex whole is divided by function, for example into a data forwarding part and a logic control part, or into a system core part and a user function part. The interfaces between the parts are open and standardized. On the basis of these open, standardized interfaces, each part can evolve and improve on its own without needing to notify or affect the other parts, so the network or network device as a whole also achieves independent, smooth evolution and improvement. The challenges faced by open programmable thinking are: (1) the network layering must be reasonable, scientific and extensible; (2) scientific, extensible interfaces between the layers must be defined; (3) if the control plane adopts a centralized management mode, inter-domain connectivity and scalability (for example, scaling to the whole world) must be considered.
In research on open programmable networks, the SDN (Software Defined Networking) technology proposed by Scott Shenker and others at the University of California, Berkeley, and the OpenFlow protocol from Stanford University are representative achievements of network openness research. Fig. 1 is a schematic diagram of the hierarchical model of SDN/OpenFlow technology, comprising three levels: the infrastructure layer, the network control layer and the application layer. The infrastructure layer of an SDN/OpenFlow network is made up of one or more forwarding devices. Compared with the routers, switches and various gateways in current networks, a forwarding device is simpler in structure: it has no complex control plane, and its main work is forwarding data flows. The main equipment in the network control layer is the network operating system (also called the SDN/OpenFlow controller). The network operating system controls multiple forwarding devices simultaneously through a standardized interface, replacing the control plane originally present in each forwarding device, and even the current network management system; it can implement network management and end-to-end issuance of data flow rules (that is, issuing flow rules to the multiple forwarding devices on a forwarding path). At the same time, the network operating system interacts with the application layer through an API (Application Programming Interface). The application layer is made up of different applications, which can directly call the network management and control functions of the network control layer through the API.
As with the deployment of any other revolutionary improvement, carrier networks will certainly run into problems of all kinds in the course of evolving to the SDN/OpenFlow architecture, and security is one of the most important of them. In addition, applicability to the various existing network technologies is an important indicator of whether a new technology meets the trend of network development. As shown in Figure 2, in a real SDN/OpenFlow network, the network control layer equipment (such as the SDN/OpenFlow controller) and the infrastructure layer equipment (that is, the forwarding devices) interact through IP-address-based communication protocol messages (such as the OpenFlow protocol). Data traffic between network terminals, between network terminals and application servers, and between application servers is forwarded by the forwarding devices according to flow tables. The flow table entry for every flow is generated by the SDN/OpenFlow controller and delivered to the forwarding devices: any data packet arriving at a forwarding device that does not hit a flow table entry currently stored on that device is handed uniformly to the SDN/OpenFlow controller for flow table lookup and generation, and the forwarding device must wait for the controller to deliver the new flow table entry before it can forward the packet. This forwarding mode brings the following problems:
First, a security problem: for packets sent from an attack source at the forwarding plane (such as a malicious terminal) that attack the SDN/OpenFlow controller or an application server, the forwarding device sends all attack packets to the SDN/OpenFlow controller before it receives a flow table entry. If the attack packets are sent at a high rate, the path between the forwarding device and the controller may become congested, degrading the transmission efficiency of other control messages between normal forwarding devices and the control equipment (such as flow table queries and configuration delivery). Moreover, the current flow table issuance mechanism cannot protect an application server before attack packets reach it: until the application server detects the attack and sends a security policy through the interface between the application layer and the SDN/OpenFlow controller, and the controller forms a new flow table entry and delivers it to the forwarding device, every attack packet the attack source sends to the application server is delivered to it.
Second, an applicability problem: for business scenarios such as NAT, the current control flow of sending the flow, generating the flow table entry and delivering it is long, with a large impact on forwarding delay and efficiency. For example, in a NAT scenario, after a forwarding device receives a packet sent by a user's private-network terminal, a packet that does not hit a flow table entry stored on that forwarding device must first be sent to the SDN/OpenFlow controller, which assigns the public network address and port number, establishes the address mapping relation, generates the corresponding flow table entry and delivers it. In scenarios where each user simultaneously creates and releases a high volume of sessions at a high frequency (such as P2P (Peer to Peer) applications), forwarding efficiency is low. In the coming long period of IPv4/IPv6 coexistence, in networks where a large number of private IPv4 addresses will exist for a long time, this forwarding mode needs to be optimized.
Summary of the invention
The invention provides a flow table entry generation method and a corresponding device, to improve the timeliness and applicability of the packet forwarding mode while raising the security of SDN/OpenFlow networks.
To solve the above problems, the invention provides a flow table entry generation method, applied to an OpenFlow forwarding device, comprising:
receiving a guide flow table entry and a flow table template sent by an OpenFlow controller, where the Action information of the guide flow table entry contains a preset flow table template ID;
after a data packet is received, if the packet matches and hits the guide flow table entry, looking up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the packet.
Further, the method also comprises: sending the generated flow table entry to the OpenFlow controller in an extended flow entry add message.
Further, sending the generated flow table entry to the OpenFlow controller in the flow entry add message specifically comprises: the OpenFlow forwarding device sends the information of the flow table entries in the flow entry add message in real time or in batches.
Further, the method also comprises: processing and forwarding the data packet according to the generated flow table entry.
Further, the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and the packet matching and hitting the guide flow table entry specifically comprises: the destination address of the packet is the IP address of the protected device.
Further, the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device; and generating the flow table entry according to the generation rule defined by the template and the key field information of the packet specifically comprises: generating the flow table entry such that its match rule comprises: the source IP address is the source IP address of the packet and the destination IP address is the IP address of the protected device; and its Action information is to use a meter entry to limit the transmission rate of packets sent to the protected device that match this match rule.
Further, the match rule of the guide flow table entry comprises: the source address is within the private network address segment of a class of users; and the packet matching and hitting the guide flow table entry specifically comprises: the source address of the packet is an address in that private network address segment.
Further, the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side; and generating the flow table entry according to the generation rule defined by the template and the key field information of the packet specifically comprises: generating the flow table entry such that its match rule comprises the private network address of the packet, and its Actions comprise translating that private network address to an allocated public network address and sending the translated packet out through the corresponding egress interface.
Further, the method also comprises: receiving a second table template sent by the OpenFlow controller, where the second table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second table template is the address translation rule for packets sent from the network side to the user side.
Further, the method also comprises: according to the generated flow table entry, generating a second table entry in combination with the second table template, where the match rule of the second table entry comprises the allocated public network address, and its Action information is to translate that public network address back to the corresponding private network address and send the translated packet out through the corresponding egress interface.
Further, the private network address comprises a private network IP address; the public network address comprises a public network IP address, or a public network IP address and port information.
Further, the method also comprises: sending the generated second table entry to the OpenFlow controller in a flow entry add message.
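The forwarding-device side of the method above, written out as a small simulation. This is an added example, not the patent's or ZTE's code: it models a guide entry whose Action carries a template ID, the two template rules the text describes (rate-limiting traffic to a protected device via a meter, and user-to-network address translation with a cascaded second table for the return direction), and the report of each generated entry to the controller. The match field names (ipv4_dst, ipv4_src_net, tcp_src, ...), the rule names rate_limit and snat, the list names reported and packet_in, the public port pool and every address are assumptions constructed for the simulation; OpenFlow's wire encoding is not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class FlowEntry:
    match: dict          # match field -> required value, e.g. {"ipv4_dst": "203.0.113.10"}
    actions: dict        # action -> argument, e.g. {"template_id": 1} or {"meter": 7}
    priority: int = 100
    table: int = 0


@dataclass
class Template:
    template_id: int
    rule: str            # assumed rule vocabulary: "rate_limit" or "snat"
    params: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


class ForwardingDevice:
    """Table 0 holds guide entries and the entries generated from them;
    table 1 is the cascaded 'second table' for network-to-user traffic."""

    def __init__(self):
        self.tables = {0: [], 1: []}
        self.templates = {}
        self.reported = []        # entries announced in extended flow-entry-add messages
        self.packet_in = []       # packets escalated to the controller on a table miss
        self._next_port = 40000   # constructed public port pool for the snat rule

    def install(self, entry):
        self.tables[entry.table].append(entry)

    def install_template(self, tpl):
        self.templates[tpl.template_id] = tpl

    @staticmethod
    def _matches(match, pkt):
        fields = {"ipv4_src": pkt.src_ip, "ipv4_dst": pkt.dst_ip,
                  "tcp_src": pkt.src_port, "tcp_dst": pkt.dst_port}
        for name, want in match.items():
            if name == "ipv4_src_net":          # prefix match on the user segment
                if ip_address(pkt.src_ip) not in ip_network(want):
                    return False
            elif fields.get(name) != want:      # exact match on every other field
                return False
        return True

    def lookup(self, table, pkt):
        for entry in sorted(self.tables[table], key=lambda e: -e.priority):
            if self._matches(entry.match, pkt):
                return entry
        return None

    def receive(self, pkt):
        entry = self.lookup(0, pkt)
        if entry is None:                       # table miss: reactive path to the controller
            self.packet_in.append(pkt)
            return "packet_in"
        if "template_id" not in entry.actions:  # ordinary entry: forward locally
            return "forwarded"
        tpl = self.templates[entry.actions["template_id"]]
        # Generated entries outrank the guide entry so the flow's next packet
        # hits them instead of triggering generation again.
        for new in self.instantiate(tpl, pkt, entry.priority + 1):
            self.install(new)
            self.reported.append(new)           # extended flow-entry-add to controller
        return "generated"

    def instantiate(self, tpl, pkt, priority):
        p = tpl.params
        if tpl.rule == "rate_limit":            # per-source entry bound to a meter
            return [FlowEntry({"ipv4_src": pkt.src_ip, "ipv4_dst": p["protected_ip"]},
                              {"meter": p["meter_id"], "output": "normal"}, priority)]
        if tpl.rule == "snat":
            port, self._next_port = self._next_port, self._next_port + 1
            upstream = FlowEntry({"ipv4_src": pkt.src_ip, "tcp_src": pkt.src_port},
                                 {"set_ipv4_src": p["public_ip"], "set_tcp_src": port,
                                  "output": p["egress"]}, priority)
            # cascaded second table: undo the translation for returning packets
            downstream = FlowEntry({"ipv4_dst": p["public_ip"], "tcp_dst": port},
                                   {"set_ipv4_dst": pkt.src_ip, "set_tcp_dst": pkt.src_port,
                                    "output": p["user_port"]}, priority, table=1)
            return [upstream, downstream]
        raise ValueError(f"unknown template rule {tpl.rule!r}")


def protected_server_demo(packets, protected_ip, use_template):
    """Count what reaches the controller with and without the guide entry and template."""
    dev = ForwardingDevice()
    if use_template:
        dev.install_template(Template(1, "rate_limit", {"protected_ip": protected_ip, "meter_id": 7}))
        dev.install(FlowEntry({"ipv4_dst": protected_ip}, {"template_id": 1}, priority=10))
    outcomes = [dev.receive(p) for p in packets]
    return {"packet_in": len(dev.packet_in), "generated": len(dev.reported),
            "forwarded": outcomes.count("forwarded")}


def nat_demo():
    """One user session through the snat template; returns the device and the
    second-table entry that a reply to the allocated public address would hit."""
    dev = ForwardingDevice()
    dev.install_template(Template(2, "snat", {"public_ip": "203.0.113.1",
                                              "egress": "wan0", "user_port": "lan0"}))
    dev.install(FlowEntry({"ipv4_src_net": "10.0.0.0/8"}, {"template_id": 2}, priority=10))
    dev.receive(Packet("10.0.0.5", "198.51.100.20", src_port=51000, dst_port=443))
    reply = Packet("198.51.100.20", "203.0.113.1", src_port=443, dst_port=40000)
    return dev, dev.lookup(1, reply)


# Constructed flood: three sources, two packets each, all aimed at the protected server.
FLOOD = [Packet(f"192.0.2.{i}", "203.0.113.10") for i in (1, 2, 3) for _ in range(2)]

if __name__ == "__main__":
    print("reactive:", protected_server_demo(FLOOD, "203.0.113.10", use_template=False))
    print("template:", protected_server_demo(FLOOD, "203.0.113.10", use_template=True))
    print("reply entry:", nat_demo()[1].actions)
```

In reactive mode every packet of the constructed flood is a table miss and goes to the controller; with the guide entry and template installed none does: the first packet from each source instantiates a metered entry locally and the rest hit that entry. The point a practitioner should take from the NAT half is that the second-table entry is derived from the same packet that produced the upstream entry, so the return direction exists before the reply arrives.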
In addition, the invention also provides a flow table entry generation method, applied to an OpenFlow controller, comprising:
sending a guide flow table entry and a flow table template to an OpenFlow forwarding device, where the Action information of the guide flow table entry contains a preset flow table template ID.
Further, the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and/or the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device.
Further, the method also comprises: after receiving a flow table entry sent by the OpenFlow forwarding device in a flow entry add message,
the OpenFlow controller does not reply to the flow entry add message, indicating that it accepts the local flow table entry the OpenFlow forwarding device generated from the flow table template; or
the OpenFlow controller sends a reject message to the OpenFlow forwarding device, requiring it to delete the flow table entry generated from the flow table template; or
the OpenFlow controller sends a higher-priority flow table entry to the OpenFlow forwarding device.
Further, the match rule of the guide flow table entry comprises: the source address is within the private network address segment of users; and/or the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side.
Further, the private network address segment comprises private network IP addresses.
Further, the method also comprises: sending a second table template to the OpenFlow forwarding device, where the second table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second table template is the address translation rule for packets sent from the network side to the user side.
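The controller-side decision described above (silence means acceptance; otherwise a reject message or a higher-priority entry), as an added example that is not the patent's or ZTE's code. The text does not say on what grounds the controller chooses between the three outcomes, so the policy here is an assumption: reject an entry whose match or action shape is not what the issued template would produce, override with a higher-priority drop entry when the source is already covered by a security policy received from the application layer, and otherwise accept. The message dictionaries, the template description format, the device id "sw1" and all addresses are constructed.

```python
from ipaddress import ip_address, ip_network


class Controller:
    """Handles the extended flow-entry-add message sent by a forwarding device.
    Identifiers and message shapes are constructed for this example."""

    def __init__(self, templates, blocked_sources):
        # template_id -> match/action keys an entry generated from it must carry
        self.templates = templates
        # constructed security policy handed down from the application layer
        self.blocked = [ip_network(n) for n in blocked_sources]
        self.sent = []        # messages sent back to forwarding devices

    def on_flow_entry_add(self, device_id, report):
        """report = {"template_id", "match", "actions", "priority"} as announced by
        the device. Returns "accept", "reject" or "override"."""
        tpl = self.templates.get(report["template_id"])
        # 1. Reject anything the device could not have derived from a template this
        #    controller issued: unknown template id, or match/action keys differ.
        if (tpl is None
                or set(report["match"]) != tpl["match_keys"]
                or set(report["actions"]) != tpl["action_keys"]):
            self.sent.append({"type": "reject", "to": device_id,
                              "match": report["match"], "priority": report["priority"]})
            return "reject"
        # 2. A source already under a security policy is not merely rate-limited:
        #    send a drop entry that outranks the one the device generated.
        src = report["match"].get("ipv4_src")
        if src is not None and any(ip_address(src) in net for net in self.blocked):
            self.sent.append({"type": "flow_mod", "to": device_id,
                              "match": report["match"], "actions": {"drop": True},
                              "priority": report["priority"] + 1})
            return "override"
        # 3. Otherwise stay silent: no reply means the local entry is accepted.
        return "accept"


def demo():
    """Run four constructed reports through the controller; return outcomes and messages."""
    ctl = Controller(
        templates={1: {"match_keys": {"ipv4_src", "ipv4_dst"},
                       "action_keys": {"meter", "output"}}},
        blocked_sources=["192.0.2.0/24"],
    )
    good = {"template_id": 1, "priority": 11,
            "match": {"ipv4_src": "198.51.100.7", "ipv4_dst": "203.0.113.10"},
            "actions": {"meter": 7, "output": "normal"}}
    blocked = dict(good, match={"ipv4_src": "192.0.2.9", "ipv4_dst": "203.0.113.10"})
    malformed = dict(good, actions={"output": "controller"})   # not the template's shape
    unknown = dict(good, template_id=99)                        # template never issued
    results = [ctl.on_flow_entry_add("sw1", r) for r in (good, blocked, malformed, unknown)]
    return results, ctl.sent


if __name__ == "__main__":
    outcomes, messages = demo()
    print(outcomes)
    for m in messages:
        print(m)
```

The shape check in step 1 is what makes the silent-acceptance path safe to leave silent: the controller only stays quiet for entries it can account for, and anything else produces an explicit message the device must act on.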
Correspondingly, the invention also provides an OpenFlow forwarding device, comprising:
a receiving module, for receiving a guide flow table entry and a flow table template sent by an OpenFlow controller, where the Action information of the guide flow table entry contains a preset flow table template ID, and for receiving data packets;
a generation module, for, after the receiving module receives a data packet, if the packet matches and hits the guide flow table entry received by the receiving module, looking up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the packet.
Further, the device also comprises: a sending module, for sending the flow table entry generated by the generation module to the OpenFlow controller in an extended flow entry add message.
Further, the device also comprises: a sending module, for processing and forwarding the data packet according to the flow table entry generated by the generation module.
Further, the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and the packet matching and hitting the guide flow table entry specifically comprises: the destination address of the packet is the IP address of the protected device.
Further, the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device; and the generation module generating a flow table entry according to the generation rule defined by the template and the key field information of the packet specifically comprises: the generation module generates the flow table entry such that its match rule comprises: the source IP address is the source IP address of the packet and the destination IP address is the IP address of the protected device; and its Action information is to use a meter entry to limit the transmission rate of packets sent to the protected device that match this match rule.
Further, the match rule of the guide flow table entry comprises: the source address is within the private network address segment of a class of users; and the packet matching and hitting the guide flow table entry specifically comprises: the source address of the packet is an address in that private network address segment.
Further, the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side; and the generation module generating a flow table entry according to the generation rule defined by the template and the key field information of the packet specifically comprises: the generation module generates the flow table entry such that its match rule comprises the private network address of the packet, and its Actions comprise translating that private network address to an allocated public network address and sending the translated packet out through the corresponding egress interface.
Further, the receiving module is also for receiving a second table template sent by the OpenFlow controller, where the second table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second table template is the address translation rule for packets sent from the network side to the user side.
Further, the generation module is also for generating a second table entry according to the generated flow table entry in combination with the second table template, where the match rule of the second table entry comprises the allocated public network address, and its Action information is to translate that public network address to the corresponding private network address and send the translated packet out through the corresponding egress interface.
Further, the private network address comprises a private network IP address; the public network address comprises a public network IP address, or a public network IP address and port information.
Further, the sending module is also for sending the generated second table entry to the OpenFlow controller in a flow entry add message.
Correspondingly, the invention also provides an OpenFlow controller, comprising:
a storage module, for saving a pre-configured guide flow table entry and flow table template, where the Action information of the guide flow table entry contains a preset flow table template ID;
a sending module, for sending the guide flow table entry and flow table template saved by the storage module to an OpenFlow forwarding device.
Further, the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and/or the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device.
Further, the controller also comprises: a receiving module, for receiving a flow table entry sent by the OpenFlow forwarding device in a flow entry add message; and the sending module is also for, after the receiving module receives the flow table entry, sending a reject message to the OpenFlow forwarding device requiring it to delete the flow table entry generated from the flow table template, or for, after the receiving module receives the flow table entry, sending a higher-priority flow table entry to the OpenFlow forwarding device.
Further, the match rule of the guide flow table entry comprises: the source address is within the private network address segment of users; and/or the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side.
Further, the private network address segment comprises private network IP addresses.
Further, the sending module is also for sending a second table template to the OpenFlow forwarding device, where the second table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second table template is the address translation rule for packets sent from the network side to the user side.
The invention realizes the function of generating flow table entries from flow table entry templates on the OpenFlow forwarding device, enhancing the security of the OpenFlow protocol while extending the application scenarios and the practicality of OpenFlow/SDN networks.
Description of the drawings
Fig. 1 is a schematic diagram of the topology of an SDN/OpenFlow network in the prior art;
Fig. 2 is a schematic diagram of a network topology in the prior art;
Fig. 3 is a schematic flow chart of the flow table entry generation method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the topology of the first embodiment of the present invention;
Fig. 5 is a flow chart of the first embodiment of the present invention;
Fig. 6 is a schematic diagram of the topology of the second embodiment of the present invention;
Fig. 7 is a flow chart of the second embodiment of the present invention;
Fig. 8 is a schematic diagram of the topology of the third embodiment of the present invention;
Fig. 9 is a flow chart of the third embodiment of the present invention.
Detailed Description of the Embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided they do not conflict, the embodiments in this application and the features in the embodiments may be combined with each other arbitrarily.
In this embodiment, a flow table entry generation method, applied to an Openflow forwarding device and shown in Fig. 3, comprises:
Receiving a guide flow table entry and a flow table template sent by an Openflow controller; wherein the Action information of the guide flow table entry comprises a preset flow table template ID;
After receiving a data packet, if the data packet matches and hits the guide flow table entry, looking up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
Preferably, the method further comprises:
Sending the generated flow table entry to the Openflow controller through an extended flow entry add message.
Preferably,
Sending the generated flow table entry to the Openflow controller through the flow entry add message specifically comprises:
The Openflow forwarding device sending the information of the flow table entry through the flow entry add message in real time or in batches.
Preferably, the method further comprises:
Processing and forwarding the data packet according to the generated flow table entry.
Preferably,
The match rule of the guide flow table entry comprises: the destination address being the IP address of a protected device;
The data packet matching and hitting the guide flow table entry specifically comprises:
The destination address of the data packet being the IP address of the protected device.
Preferably,
The flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device;
Generating the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
Generating the flow table entry; wherein the match rule of the flow table entry comprises: the source IP address being the source IP address of the data packet and the destination IP address being the IP address of the protected device; and the Action information is to send the data packets matching this match rule to the protected device and to limit their transmission rate using a meter entry.
Preferably,
The match rule of the guide flow table entry comprises: the source address being the private network address segment of a class of users;
The data packet matching and hitting the guide flow table entry specifically comprises:
The source address of the data packet being an address in the private network address segment.
Preferably,
The flow table entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side;
Generating the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
Generating the flow table entry; wherein the match rule of the flow table entry comprises the private network address of the data packet, and the Actions comprise converting the private network address to an allocated public network address and sending the converted packet through the corresponding outgoing interface.
Preferably, the method further comprises:
Receiving a second flow table template sent by the Openflow controller; wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
Preferably, the method further comprises:
Generating a second flow table entry according to the generated flow table entry in combination with the second flow table template;
Wherein the match rule of the second flow table entry comprises the allocated public network address, and the Action information is to convert the public network address to the corresponding private network address and to send the converted packet through the corresponding outgoing interface.
Preferably,
The private network address comprises a private network IP address;
The public network address comprises a public network IP address, or a public network IP address and port information.
Preferably, the method further comprises:
Sending the generated second flow table entry to the Openflow controller through a flow entry add message.
In addition, the present invention further provides a flow table entry generation method, applied to an Openflow controller, comprising:
Sending a guide flow table entry and a flow table template to an Openflow forwarding device; wherein the action (Action) information of the guide flow table entry comprises a preset flow table template ID.
Preferably,
The match rule of the guide flow table entry comprises: the destination address being the IP address of a protected device; and/or,
The flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device.
Preferably, the method further comprises:
After receiving the flow table entry sent by the Openflow forwarding device through a flow entry add message,
The Openflow controller not replying to the flow entry add message, which indicates acceptance of the local flow table entry generated by the Openflow forwarding device according to the flow table template; or,
The Openflow controller sending a rejection message to the Openflow forwarding device, requiring the Openflow forwarding device to delete the flow table entry generated according to the flow table template; or,
The Openflow controller sending a flow table entry of higher priority to the Openflow forwarding device.
Preferably,
The match rule of the guide flow table entry comprises: the source address being the private network address segment of a user; and/or,
The flow table entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side.
Preferably,
The private network address segment comprises a private network IP address.
Preferably, the method further comprises:
Sending a second flow table template to the Openflow forwarding device; wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
Where a layer-2 network device does not support the IPv6 secure RA (Random Access) feature, the method described in this embodiment can prevent the gateway spoofing caused by a malicious host sending RA messages to IPv6 hosts.
Three embodiments of the present invention in different application scenarios are described below.
Embodiment One
Taking attack prevention for the Openflow controller as an example, with the hardware architecture of the Openflow forwarding device being a combination of an ASIC forwarding plane and a CPU control plane, the networking diagram is shown in Fig. 4 and the detailed process, shown in Fig. 5, comprises:
Step 101: the Openflow controller configures a local security policy to prevent TCP half-open connection attacks;
Step 102: the Openflow controller sends guide flow table entry X1 and flow table template Y1 to each Openflow forwarding device according to the local security policy.
Preferably, the match rule of guide flow table entry X1 is that the destination address is the IP address of the Openflow controller and the packet type is TCP or TCP SYN (synchronize); the Action of the guide flow table entry is to look up flow table template Y1; and the flow table entry generation rule defined by flow table template Y1 is to limit the rate of TCP or TCP SYN packets sent from any source IP address to the Openflow controller.
Preferably, after the Openflow forwarding device receives guide flow table entry X1 and flow table template Y1, it installs guide flow table entry X1 in the ASIC forwarding plane and keeps flow table template Y1 in the CPU control plane.
Step 103: attack source A1 sends TCP SYN packets to the Openflow controller at a certain rate, forming a TCP half-open connection type network attack;
Step 104: after the Openflow forwarding device receives the first TCP SYN packet sent by attack source A1 and the flow table match hits guide flow table entry X1, it looks up flow table template Y1 according to the Action of X1 and generates flow table entry Z1 according to the flow table entry generation rule defined by Y1 and the source IP address of the attack packet;
Preferably, after the ASIC forwarding plane of the Openflow forwarding device hits guide flow table entry X1, it hands the packet and the ID of flow table template Y1 up to the CPU control plane; the CPU control plane looks up the flow table template according to this information, generates flow table entry Z1 according to the generation rule defined by the flow table template, and installs it in the ASIC forwarding plane.
Preferably, the match rule of flow table entry Z1 comprises: the source IP address being the source IP address of the above TCP SYN packet, the destination IP address being the IP address of the Openflow controller, and the packet type being TCP or TCP SYN; the Action is to send packets matching this match rule to the Openflow controller and to limit the transmission rate of such packets.
Step 105: the Openflow forwarding device sends the TCP SYN packets sent by attack source A1 to the Openflow controller according to flow table entry Z1 while limiting their transmission rate, and sends a flow entry add message to the Openflow controller informing it of the flow table entry generation rule defined by Z1.
Preferably, if the transmission rate of the attack source is higher than the rate limit of flow table entry Z1, the Openflow forwarding device caches or discards the packets exceeding the rate;
Preferably, after receiving the TCP SYN packets, if the Openflow controller judges them to be attack packets, it sends a flow table entry of higher priority to the Openflow forwarding device, whose match rule comprises: the source IP address being the source IP address of the above TCP SYN packets, the destination IP address being the IP address of the Openflow controller, and the packet type being TCP; and whose Action is to discard packets matching this match rule. Having received this flow table entry, the Openflow forwarding device preferentially uses this higher-priority flow table entry to match subsequently received packets.
In addition, after receiving the above flow entry add message, the Openflow controller saves the flow table entry generation rule defined by Z1 that it carries, and may deliver it to other Openflow forwarding devices.
Preferably, the format of the flow table template differs slightly between versions of the Openflow protocol; an example reference format is shown in Table 1.
Table 1 Basic format of the flow table template
Here, Flow Template Identifier denotes the ID of the flow table template, whose value is unique; Flow Template Description is the flow table entry generation rule defined by the flow table template; and Counters is a counter that is incremented by 1 each time a flow table entry is generated from this flow table template.
Embodiment Two
Attack prevention for an application server, taking as an example an Openflow forwarding device whose hardware architecture is a multi-core CPU architecture (control core and forwarding core coexisting). The networking diagram is shown in Fig. 6 and the detailed process, shown in Fig. 7, comprises:
Step 201: the application server sends a security requirement to the Openflow controller through the NBI (Northbound Interface) of the Openflow controller; wherein the security requirement may comprise, but is not limited to, the following categories of information: a traffic identifier for a class of behavioural feature, such as TCP connection setup packets or packets whose TTL (Time To Live) is 0; and the characteristics that need to be configured for this class of traffic, such as a basic rate limit;
Step 202: the Openflow controller sends guide flow table entry X2 and flow table template Y2 to each Openflow forwarding device according to the security requirement sent by the application server;
Preferably, the match rule of guide flow table entry X2 is that the destination address is the address of the application server and the packet type is TCP or TCP SYN; the Action of the guide flow table entry is to look up the flow table template; and the flow table entry generation rule defined by flow table template Y2 is to limit the rate of TCP or TCP SYN packets sent from any source IP address to the application server.
Preferably, after the Openflow forwarding device receives guide flow table entry X2 and flow table template Y2, it installs guide flow table entry X2 in the forwarding core and keeps flow table template Y2 in the control core.
Step 203: end user A2 sends TCP packets to the application server at a certain rate;
Step 204: after the Openflow forwarding device receives the first TCP packet sent by A2 and the flow table match hits guide flow table entry X2, it looks up flow table template Y2 according to the Action of X2 and generates flow table entry Z2 according to the flow table entry generation rule defined by Y2 and the source IP address of the TCP packet;
Preferably, after the forwarding core of the Openflow forwarding device hits guide flow table entry X2, it sends a query message to the control core carrying the packet and the ID of flow table template Y2; the control core looks up flow table template Y2 according to this information, generates flow table entry Z2 accordingly and delivers it to the forwarding core.
Preferably, the match rule of flow table entry Z2 comprises: the source IP address being the source IP address of the above TCP packet, the destination IP address being the IP address of the application server, and the packet type being TCP or TCP SYN; the Action is to send packets matching the match rule through the corresponding outgoing interface and to limit their transmission rate;
Step 205: the Openflow forwarding device sends the TCP packets sent by the end user through the corresponding outgoing interface according to flow table entry Z2 while limiting their transmission rate, and sends a flow entry add message carrying the information of flow table entry Z2 to the Openflow controller.
Preferably, if the transmission rate of the attack source is higher than the rate limit of flow table entry Z2, the Openflow forwarding device caches or discards the packets exceeding the rate.
Preferably, where there are multiple Openflow forwarding devices between the end user and the application server, the other Openflow forwarding devices rate-limit the TCP packets during forwarding either in the same way as steps 201 to 205, or according to a precise higher-priority flow table entry sent by the Openflow controller when it predicts the attack source.
Step 206: after the application server receives the TCP packets sent by the end user, it judges whether the end user is sending normal TCP packets or attack packets, and/or judges the identity information of the end user.
Preferably, during the authentication message exchange between the application server and the end user, the data packets sent by the application server to the end user are forwarded according to the flow table information of the Openflow pipeline, with the Openflow controller sending the corresponding flow table entries to the Openflow forwarding devices along the path.
Step 207: the application server sends authorization information to the Openflow controller according to the TCP packet type and/or the authentication result for the end user. If the application server judges that the TCP packets are normal TCP packets and/or that the end user is a legitimate user, it requires the Openflow controller to cancel or relax the rate limit on the TCP packets; if it judges that the TCP packets are TCP half-open connection attack packets, it requires the Openflow controller to issue a flow table entry requiring the Openflow forwarding device to punitively discard the TCP packets sent by the end user to the application server;
Step 208: the Openflow controller sends a control message to the Openflow forwarding device according to the authorization information of the application server, requiring the Openflow forwarding device to delete the generated flow table entry Z2, or sends a flow table entry of higher priority to the Openflow forwarding device;
Step 209: the Openflow forwarding device performs the flow table entry operation and traffic forwarding according to the control message sent by the Openflow controller.
Preferably, depending on the authorization information of the application server, the higher-priority flow table entry either does not limit the transmission rate of the TCP packets or modifies the rate-limit parameters for the transmission rate of the TCP packets as required.
Embodiment Three
Fast generation of a network address translation session table, taking as an example an Openflow forwarding device whose hardware architecture is a combination of an OF (Openflow) forwarding plane and an OF-Agent. The networking diagram is shown in Fig. 8 and the detailed process, shown in Fig. 9, comprises:
Step 301: the Openflow controller configures the user's NAT public network address pool, port number range and match rule according to locally configured rules or application requirements;
Preferably, the application requirement comprises the public network address translation requirement and/or match rule requirement of the user's private network hosts, and the user application sends the requirement to the Openflow controller through a NAT-specific northbound interface;
Step 302: the Openflow controller sends guide flow table entry X3 and flow table templates Y3-0 and Y3-1 (where Y3-0 and Y3-1 are cascaded) to the corresponding Openflow forwarding device according to the security requirement of the application server;
Preferably, the match rule of guide flow table entry X3 comprises the source address being the user's private network address or address segment, together with the user-side interface information; the Action of the guide flow table entry is to look up the flow table template; the flow table entry generation rule defined by flow table template Y3-0 comprises the user's NAT public network address pool and the allocation of one flow table entry for the user (representing the address translation rule for packets sent by the user to network-side addresses); and the flow table entry generation rule defined by flow table template Y3-1 comprises allocating another flow table entry for the user (representing the address translation rule for packets sent from network-side addresses to the user);
Preferably, after the Openflow forwarding device receives guide flow table entry X3 and flow table templates Y3-0 and Y3-1, it installs guide flow table entry X3 in the OF forwarding plane and keeps flow table templates Y3-0 and Y3-1 in the OF-Agent;
Step 303: private network host A3 sends UDP (User Datagram Protocol) packets to a network-side device at a certain rate;
Step 304: after the Openflow forwarding device receives the first UDP packet sent by A3 and the flow table match hits guide flow table entry X3, it looks up flow table template Y3-0 according to the Action of X3, allocates a public network IP address, or a public network IP address and port number, for private network host A3 according to the flow table entry generation rule defined by Y3-0 and the packet information, and generates flow table entry Z31 (corresponding to the address translation rule for packets sent by the user to network-side addresses). Because Y3-0 is cascaded with flow table template Y3-1, while generating Z31 Y3-0 fills in metadata in the format agreed between Y3-0 and Y3-1, and after Z31 is generated the packet continues to be handed to Y3-1 for processing. Flow table entry Z32 (corresponding to the address translation rule for packets sent from the network side to the user) is then generated according to the flow table entry generation rule defined by Y3-1, the packet information and the metadata.
Preferably, after the OF forwarding plane of the Openflow forwarding device hits guide flow table entry X3, it sends a query message to the OF-Agent carrying the packet and the ID of flow table template Y3-0; the OF-Agent looks up the flow table template and/or the cascaded flow table template according to this information, allocates a public network IP address or a public network IP address and port number, generates flow table entries Z31 and Z32 and sends them to the OF forwarding plane.
Preferably, the match rule of flow table entry Z31 comprises the source IP address, source port number and packet type; the Action is to convert the source IP address to the allocated public network IP address, possibly also converting the source port to the allocated port number, and to send the converted packet through the corresponding outgoing interface.
Preferably, the match rule of flow table entry Z32 comprises the destination IP address, destination port number and packet type; the Action is to translate the destination IP address, which is the allocated public network IP address, possibly also translating the destination port, which is the allocated port number, and to send the converted packet through the corresponding outgoing interface.
Step 305: the Openflow forwarding device performs the NAT action on the TCP/UDP packets between A3 and the network-side device according to flow table entries Z31 and Z32 and forwards them through the corresponding outgoing interface, and sends the information of Z31 and Z32 to the Openflow control device through a flow entry add message.
Preferably, after flow table entries Z31 and Z32 age out, the Openflow forwarding device reclaims the corresponding public network address and/or port number.
Preferably, where two or more flow table entries are to be generated at once, this may be implemented by cascading flow table templates: metadata is generated between the cascaded flow table templates while the flow table entries are generated, and is used mainly for processing during the cascade of flow table templates.
Preferably, the way a flow table template is described differs according to the means of description; taking XML as an example for the NAT application scenario of this embodiment, if it is implemented as an extension of the OpenFlow protocol it needs to be converted to the corresponding data structure.
In the above example, the id of flow-template-entry is the ID identifying the flow table template; Table-id indicates that this flow table template generates entries for the flow table identified by that Table ID; Cascade-template-id indicates the ID of the flow table template cascaded with this flow table template; and Out-meta/In-meta define the format of the intermediate data passed between the two cascaded flow table templates.
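As an added example (not code from the patent or from ZTE), the following Python simulation models the forwarding-device side of Embodiment One and Embodiment Three in one place: a guide entry whose Action carries a flow table template ID, template lookup and entry generation on a hit, the Counters field of Table 1, the extended flow entry add report to the controller, and cascaded templates Y3-0/Y3-1 passing out-meta/in-meta for NAT. All addresses, template IDs, field names, the address pool and the packet dictionaries are constructed assumptions.

```python
"""Added example (not the patent's code): template-driven flow entry generation
on an Openflow forwarding device for Embodiment One (rate-limit template Y1)
and Embodiment Three (cascaded NAT templates Y3-0 / Y3-1). All values constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class FlowEntry:
    table_id: int
    match: dict        # field -> value, or field -> predicate(value)
    actions: dict      # a guide entry carries {"flow_template_id": <id>}
    priority: int = 1

@dataclass
class FlowTemplate:
    """Table 1 fields (identifier, generation rule, counter) plus cascade-template-id.
    A rule maps (packet key fields, in-meta) -> (generated entry, out-meta)."""
    template_id: int
    rule: Callable[[dict, dict], Tuple[FlowEntry, dict]]
    cascade_template_id: Optional[int] = None
    counter: int = 0

class Forwarder:
    def __init__(self, templates: List[FlowTemplate]):
        self.templates = {t.template_id: t for t in templates}
        self.tables: Dict[int, List[FlowEntry]] = {}
        self.flow_add_msgs: List[FlowEntry] = []  # reported to the controller

    def install(self, entry: FlowEntry) -> None:
        self.tables.setdefault(entry.table_id, []).append(entry)

    def lookup(self, table_id: int, pkt: dict) -> Optional[FlowEntry]:
        def hits(e):
            return all(v(pkt.get(k)) if callable(v) else pkt.get(k) == v
                       for k, v in e.match.items())
        return max(filter(hits, self.tables.get(table_id, [])),
                   key=lambda e: e.priority, default=None)

    def generate(self, template_id: int, pkt: dict, meta: dict) -> List[FlowEntry]:
        t = self.templates[template_id]
        entry, out_meta = t.rule(pkt, meta)
        t.counter += 1                          # Counters field of Table 1
        self.install(entry)
        self.flow_add_msgs.append(entry)        # extended flow-entry-add message
        generated = [entry]
        if t.cascade_template_id is not None:   # hand packet + metadata onward
            generated += self.generate(t.cascade_template_id, pkt, out_meta)
        return generated

    def receive(self, pkt: dict) -> Optional[FlowEntry]:
        """Match in table 0; on a guide hit, generate entries and re-match."""
        hit = self.lookup(0, pkt)
        if hit is not None and "flow_template_id" in hit.actions:
            self.generate(hit.actions["flow_template_id"], pkt, {})
            hit = self.lookup(0, pkt)
        return hit

CONTROLLER_IP = "192.0.2.1"                         # constructed
USER_SEGMENT = ipaddress.ip_network("10.1.0.0/16")  # constructed private segment

def y1(pkt, _meta):
    """Y1: meter TCP SYN from this packet's source toward the controller."""
    match = {"src_ip": pkt["src_ip"], "dst_ip": CONTROLLER_IP, "proto": "TCP_SYN"}
    return FlowEntry(0, match, {"output": "controller", "meter": "syn_limit"}, 10), {}

def nat_templates(pool: List[Tuple[str, int]]) -> List[FlowTemplate]:
    """Cascaded Y3-0 (user -> network) and Y3-1 (network -> user) templates."""
    free = list(pool)

    def y30(pkt, _meta):
        if not free:                            # pool exhaustion is a hard failure
            raise RuntimeError("NAT public address pool exhausted")
        pub = free.pop(0)
        match = {"src_ip": pkt["src_ip"], "src_port": pkt["src_port"], "proto": pkt["proto"]}
        entry = FlowEntry(0, match, {"set_src": pub, "output": "wan"}, 10)
        # out-meta in the format agreed between Y3-0 and Y3-1
        return entry, {"private": (pkt["src_ip"], pkt["src_port"]), "public": pub}

    def y31(pkt, meta):
        match = {"dst_ip": meta["public"][0], "dst_port": meta["public"][1], "proto": pkt["proto"]}
        return FlowEntry(0, match, {"set_dst": meta["private"], "output": "lan"}, 10), {}

    return [FlowTemplate(30, y30, cascade_template_id=31), FlowTemplate(31, y31)]

def build_forwarder() -> Forwarder:
    fwd = Forwarder([FlowTemplate(1, y1)] + nat_templates([("203.0.113.10", 10000)]))
    # Guide entry X1: TCP SYN to the controller from any source -> template Y1.
    fwd.install(FlowEntry(0, {"dst_ip": CONTROLLER_IP, "proto": "TCP_SYN"}, {"flow_template_id": 1}))
    # Guide entry X3: UDP from the private segment on the user-side port -> template Y3-0.
    in_segment = lambda ip: ip is not None and ipaddress.ip_address(ip) in USER_SEGMENT
    fwd.install(FlowEntry(0, {"src_ip": in_segment, "in_port": "lan", "proto": "UDP"},
                          {"flow_template_id": 30}))
    return fwd

def demo() -> dict:
    """Constructed packets: A1's SYN to the controller, A3's UDP, and its reply."""
    fwd = build_forwarder()
    syn = {"src_ip": "198.51.100.7", "dst_ip": CONTROLLER_IP, "proto": "TCP_SYN", "in_port": "wan"}
    udp = {"src_ip": "10.1.0.5", "src_port": 40000, "dst_ip": "198.51.100.9",
           "dst_port": 53, "proto": "UDP", "in_port": "lan"}
    reply = {"src_ip": "198.51.100.9", "src_port": 53, "dst_ip": "203.0.113.10",
             "dst_port": 10000, "proto": "UDP", "in_port": "wan"}
    return {"z1": fwd.receive(syn), "z31": fwd.receive(udp), "z32": fwd.receive(reply), "fwd": fwd}
```

The first SYN is matched by the generated Z1 (higher priority than guide entry X1), the first UDP packet produces Z31 and, through the cascade, Z32, and the reply from the network side is matched by Z32 without touching any template; a second private host would exhaust the one-entry pool and raise.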
The hardware architecture of the Openflow forwarding device of the present invention and the application scenarios of the embodiments may be freely combined according to the actual environment, and the hardware architecture includes but is not limited to the types in the above embodiments.
Correspondingly, in this embodiment, an Openflow forwarding device comprises:
A receiving module, configured to receive a guide flow table entry and a flow table template sent by an Openflow controller, wherein the action (Action) information of the guide flow table entry comprises a preset flow table template ID; and further configured to receive data packets;
A generation module, configured, after the receiving module receives a data packet, if the data packet matches and hits the guide flow table entry received by the receiving module, to look up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and to generate a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
Preferably, the device further comprises:
A sending module, configured to send the flow table entry generated by the generation module to the Openflow controller through an extended flow entry add message.
Preferably, the device further comprises:
A sending module, configured to process and forward the data packet according to the flow table entry generated by the generation module.
Preferably,
The match rule of the guide flow table entry comprises: the destination address being the IP address of a protected device;
The data packet matching and hitting the guide flow table entry specifically comprises:
The destination address of the data packet being the IP address of the protected device.
Preferably,
The flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device;
The generation module being configured to generate the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
The generation module being configured to generate the flow table entry; wherein the match rule of the flow table entry comprises: the source IP address being the source IP address of the data packet and the destination IP address being the IP address of the protected device; and the Action information is to send the data packets matching this match rule to the protected device and to limit their transmission rate using a meter entry.
Preferably,
The match rule of the guide flow table entry comprises: the source address being the private network address segment of a class of users;
The data packet matching and hitting the guide flow table entry specifically comprises:
The source address of the data packet being an address in the private network address segment.
Preferably,
The flow table entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side;
The generation module being configured to generate the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
The generation module being configured to generate the flow table entry; wherein the match rule of the flow table entry comprises the private network address of the data packet, and the Actions comprise converting the private network address to an allocated public network address and sending the converted packet through the corresponding outgoing interface.
Preferably,
The receiving module is further configured to receive a second flow table template sent by the Openflow controller;
Wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
Preferably,
The generation module is further configured to generate a second flow table entry according to the generated flow table entry in combination with the second flow table template;
Wherein the match rule of the second flow table entry comprises the allocated public network address, and the Action information is to convert the public network address to the corresponding private network address and to send the converted packet through the corresponding outgoing interface.
Preferably,
The private network address comprises a private network IP address;
The public network address comprises a public network IP address, or a public network IP address and port information.
Preferably,
The sending module is further configured to send the generated second flow table entry to the Openflow controller through a flow entry add message.
Correspondingly, an Openflow controller comprises:
A storage module, configured to save a pre-configured guide flow table entry and flow table template; wherein the action (Action) information of the guide flow table entry comprises a preset flow table template ID;
A sending module, configured to send the guide flow table entry and the flow table template saved by the storage module to an Openflow forwarding device.
Preferably,
The match rule of the guide flow table entry comprises: the destination address being the IP address of a protected device; and/or,
The flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device.
Preferably, the controller further comprises:
A receiving module, configured to receive the flow table entry sent by the Openflow forwarding device through a flow entry add message;
The sending module is further configured, after the receiving module receives the flow table entry, to send a rejection message to the Openflow forwarding device requiring the Openflow forwarding device to delete the flow table entry generated according to the flow table template; or, after the receiving module receives the flow table entry, to send a flow table entry of higher priority to the Openflow forwarding device.
Preferably,
The described matched rule of stream table clause that guides comprises the private net address network segment that source address is user; And/or,
The stream table clause create-rule of described stream table template definition is the address translation rule of the message being mail to network side by user side.
Preferably,
The described private net address network segment comprises: private network IP address.
Preferably,
Described sending module is also for sending second table template to described Openflow forwarding unit; Wherein, described second table template and described stream show template cascade, and the stream table clause create-rule of described second table template definition is the address translation rule of the message being mail to described user side by network side.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method may be completed by a program instructing the related hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments may also be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in hardware or as a software functional module. The present invention is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Other embodiments are possible in accordance with the summary of the invention; those of ordinary skill in the art may make various changes and modifications without departing from the spirit and essence of the invention, and any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (35)

1. A flow table entry generation method, applied to an OpenFlow forwarding device, comprising:
receiving a guide flow table entry and a flow table template sent by an OpenFlow controller; wherein the Action information of the guide flow table entry comprises a preset flow table template ID;
after receiving a data packet, if the data packet matches and hits the guide flow table entry, looking up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
2. The method of claim 1, further comprising:
sending the generated flow table entry to the OpenFlow controller through an extended flow entry add message.
3. The method of claim 2, wherein:
sending the generated flow table entry to the OpenFlow controller through the flow entry add message specifically comprises:
the OpenFlow forwarding device sending the information of the flow table entry through the flow entry add message in real time or in batches.
4. The method of any one of claims 1 to 3, further comprising:
forwarding the data packet according to the generated flow table entry.
5. The method of any one of claims 1 to 3, wherein:
the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device;
the data packet matching and hitting the guide flow table entry specifically comprises:
the destination address of the data packet being the IP address of the protected device.
6. The method of claim 5, wherein:
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent by any source IP address to the protected device;
generating the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
generating the flow table entry; wherein the match rule of the flow table entry comprises: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device, and the Action information is to use a meter entry to limit the transmission rate of data packets that match this match rule and are sent to the protected device.
7. The method of any one of claims 1 to 3, wherein:
the match rule of the guide flow table entry comprises: the source address is within a private network address segment of a class of users;
the data packet matching and hitting the guide flow table entry specifically comprises:
the source address of the data packet being one of the addresses in the private network address segment.
8. The method of claim 7, wherein:
the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side;
generating the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
generating the flow table entry; wherein the match rule of the flow table entry comprises the private network address of the data packet, and the Actions comprise translating the private network address into the allocated public network address and sending the translated packet through the corresponding outgoing interface.
9. The method of claim 8, further comprising:
receiving a second flow table template sent by the OpenFlow controller; wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is the address translation rule for packets sent from the network side to the user side.
10. The method of claim 9, further comprising:
generating a second flow table entry from the generated flow table entry in combination with the second flow table template;
wherein the match rule of the second flow table entry comprises the allocated public network address, and the Action information is to translate the public network address into the corresponding private network address and send the translated packet through the corresponding outgoing interface.
11. The method of claim 7, 8 or 10, wherein:
the private network address comprises a private network IP address;
the public network address comprises a public network IP address, or a public network IP address and port information.
12. The method of claim 10, further comprising:
sending the generated second flow table entry to the OpenFlow controller through a flow entry add message.
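Claims 1 to 12 describe the forwarding-device side as one procedure: a guide entry hit, a template lookup by the ID carried in the guide entry's action, entry generation from the packet's key fields, and, for the NAT case, a cascaded second entry for the return direction. The Python model below is an added example (not code from the patent or from ZTE) that implements that procedure for both the rate-limit template of claim 6 and the NAT template pair of claims 8 to 10. The field names (ipv4_src, tcp_src and so on), port numbers, addresses, priorities and the meter/set-field action names are assumptions, and the packets are constructed.

```python
"""Added example, not the patent's or ZTE's code: an in-memory model of the
OpenFlow forwarding device of claims 1-12.  A guide entry whose action names a
template ID makes the switch instantiate a flow entry locally from the packet's
key fields instead of sending a packet-in to the controller.  Field names,
ports, addresses and action names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Packet = Dict[str, object]      # constructed key fields of one packet
Field = Tuple[str, object]


@dataclass(frozen=True)
class FlowEntry:
    match: Tuple[Field, ...]    # exact value, or an IPv4Network for a segment match
    actions: Tuple[Field, ...]
    priority: int

    def hits(self, pkt: Packet) -> bool:
        for key, want in self.match:
            have = pkt.get(key)
            if isinstance(want, ipaddress.IPv4Network):
                if have is None or ipaddress.ip_address(have) not in want:
                    return False
            elif have != want:
                return False
        return True


def make_entry(match: Dict[str, object], actions: List[Field], priority: int) -> FlowEntry:
    return FlowEntry(tuple(sorted(match.items(), key=lambda kv: kv[0])), tuple(actions), priority)


class RateLimitTemplate:
    """Claim 6: one per-source entry whose action is a meter toward the protected host."""
    def __init__(self, template_id: int, protected_ip: str, meter_id: int, out_port: int) -> None:
        self.template_id, self.protected_ip = template_id, protected_ip
        self.meter_id, self.out_port = meter_id, out_port

    def generate(self, pkt: Packet) -> List[FlowEntry]:
        return [make_entry({"ipv4_src": pkt["ipv4_src"], "ipv4_dst": self.protected_ip},
                           [("meter", self.meter_id), ("output", self.out_port)], 200)]


class NatTemplate:
    """Claims 8-10: user->network SNAT entry plus the cascaded network->user entry."""
    def __init__(self, template_id: int, public_ip: str, ports: range, wan_port: int, lan_port: int) -> None:
        self.template_id, self.public_ip = template_id, public_ip
        self.free_ports = list(ports)           # assumed public port pool (claim 11: IP + port)
        self.wan_port, self.lan_port = wan_port, lan_port
        self.bindings: Dict[Tuple[str, int], int] = {}

    def generate(self, pkt: Packet) -> List[FlowEntry]:
        private = (pkt["ipv4_src"], pkt["tcp_src"])
        public_port = self.bindings.get(private)
        if public_port is None:
            if not self.free_ports:
                return []                       # pool exhausted: no binding, no entry
            public_port = self.free_ports.pop(0)
            self.bindings[private] = public_port
        outbound = make_entry({"ipv4_src": private[0], "tcp_src": private[1]},
                              [("set_ipv4_src", self.public_ip), ("set_tcp_src", public_port),
                               ("output", self.wan_port)], 200)
        inbound = make_entry({"ipv4_dst": self.public_ip, "tcp_dst": public_port},   # second template
                             [("set_ipv4_dst", private[0]), ("set_tcp_dst", private[1]),
                              ("output", self.lan_port)], 200)
        return [outbound, inbound]


class ForwardingDevice:
    def __init__(self) -> None:
        self.templates: Dict[int, object] = {}
        self.table: List[FlowEntry] = []        # guide entries plus generated entries
        self.reports: List[FlowEntry] = []      # queued "flow entry add" messages (claims 2, 12)

    def install_template(self, template) -> None:
        self.templates[template.template_id] = template

    def install_guide_entry(self, match: Dict[str, object], template_id: int, priority: int) -> None:
        self.table.append(make_entry(match, [("template", template_id)], priority))

    def handle_packet(self, pkt: Packet):
        hits = [e for e in self.table if e.hits(pkt)]
        if not hits:
            return "packet_in"                  # table miss: the ordinary OpenFlow path
        best = max(hits, key=lambda e: e.priority)
        if best.actions[0][0] != "template":
            return best.actions                 # a generated entry already covers this flow
        template = self.templates.get(best.actions[0][1])
        if template is None:
            return "packet_in"                  # unknown template ID: do not improvise an entry
        new_entries = template.generate(pkt)
        if not new_entries:
            return "drop"
        self.table.extend(new_entries)
        self.reports.extend(new_entries)
        return new_entries[0].actions


def demo() -> ForwardingDevice:
    """Constructed setup: a protected host behind template 1, a user segment behind template 2."""
    dev = ForwardingDevice()
    dev.install_template(RateLimitTemplate(1, "203.0.113.10", meter_id=7, out_port=3))
    dev.install_template(NatTemplate(2, "203.0.113.1", range(1024, 1026), wan_port=1, lan_port=2))
    dev.install_guide_entry({"ipv4_dst": "203.0.113.10"}, template_id=1, priority=20)
    dev.install_guide_entry({"ipv4_src": ipaddress.ip_network("10.0.0.0/24")}, template_id=2, priority=10)
    return dev
```

The point to take from the model is the one the abstract calls a security gain: per-flow state toward the protected address is created on the switch without a controller round trip, so a table-miss flood turns into a burst of local metered entries rather than a burst of packet-ins at the controller. The two branches that return without installing anything (unknown template ID, exhausted port pool) are the failure modes a real implementation must not let through as plain forwarding.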
13. A flow table entry generation method, applied to an OpenFlow controller, comprising:
sending a guide flow table entry and a flow table template to an OpenFlow forwarding device; wherein the Action information of the guide flow table entry comprises a preset flow table template ID.
14. The method of claim 13, wherein:
the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and/or,
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent by any source IP address to the protected device.
15. The method of claim 13, further comprising:
after receiving a flow table entry sent by the OpenFlow forwarding device through a flow entry add message,
the OpenFlow controller not replying to the flow entry add message, which indicates acceptance of the local flow table entry generated by the OpenFlow forwarding device from the flow table template; or,
the OpenFlow controller sending a reject message to the OpenFlow forwarding device, requiring the OpenFlow forwarding device to delete the flow table entry generated from the flow table template; or,
the OpenFlow controller sending a higher-priority flow table entry to the OpenFlow forwarding device.
16. The method of claim 13, wherein:
the match rule of the guide flow table entry comprises: the source address is within a private network address segment of the user; and/or,
the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side.
17. The method of claim 16, wherein:
the private network address segment comprises private network IP addresses.
18. The method of claim 16, further comprising:
sending a second flow table template to the OpenFlow forwarding device; wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is the address translation rule for packets sent from the network side to the user side.
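Claim 15 gives the controller three answers to a locally generated entry reported through the flow entry add message: silence (accept), a reject that requires deletion, or a higher-priority entry that overrides it. What the claim does not spell out is on what basis the controller chooses, and that choice is where the security of the scheme lives, because a switch that instantiates entries on its own can be driven by spoofed traffic into filling its table or binding addresses it should not. The Python below is an added example (not the patent's or ZTE's code) of one such decision procedure: each reported entry is checked against the scope of the guide entry and template that produced it and against a per-source budget. The report format, template ID numbering, field names, addresses and thresholds are assumptions, and the reports are constructed.

```python
"""Added example, not the patent's or ZTE's code: the controller side of claim 15.
Reported entries are validated against the template that produced them; the
return value is None (accept silently), a reject message, or a higher-priority
flow_mod.  Report shape, template IDs, field names and thresholds are assumed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Report = Dict[str, object]   # {"template_id", "match": {...}, "actions": [(name, value)...], "priority"}

RATE_LIMIT_TEMPLATE = 1      # assumed IDs, matching the order the claims present the templates
NAT_TEMPLATE = 2


def _first(*values):
    """First value that is not None (ports may legitimately be small integers)."""
    for v in values:
        if v is not None:
            return v
    return None


class TemplateController:
    def __init__(self, protected_ip: str, user_segment: str, public_pool: Tuple[str, range],
                 blocklist: List[str], max_entries_per_source: int) -> None:
        self.protected_ip = protected_ip
        self.user_segment = ipaddress.ip_network(user_segment)
        self.public_ip, self.public_ports = public_pool
        self.blocklist = set(blocklist)
        self.max_entries_per_source = max_entries_per_source
        self.accepted_per_source: Dict[str, int] = {}

    @staticmethod
    def _reject(report: Report, reason: str) -> Dict[str, object]:
        # Claim 15, second alternative: the switch must delete the entry it generated.
        return {"type": "reject", "match": report["match"], "priority": report["priority"], "reason": reason}

    def on_flow_entry_add(self, report: Report) -> Optional[Dict[str, object]]:
        match = report["match"]
        actions = dict(report["actions"])
        src = match.get("ipv4_src")

        # Claim 15, third alternative: override a blocklisted source with a drop entry
        # installed one priority level above the generated one (empty action list = drop).
        if src in self.blocklist:
            return {"type": "flow_mod", "priority": report["priority"] + 1,
                    "match": {"ipv4_src": src}, "actions": []}

        if report["template_id"] == RATE_LIMIT_TEMPLATE:
            # Claim 6 scope: destination is the protected host and the action really meters.
            if match.get("ipv4_dst") != self.protected_ip or "meter" not in actions:
                return self._reject(report, "rate-limit entry outside template scope")
        elif report["template_id"] == NAT_TEMPLATE:
            # Claims 8-10 scope, for both the outbound and the cascaded inbound entry:
            # private side inside the user segment, public side inside the allocated pool.
            private = _first(match.get("ipv4_src"), actions.get("set_ipv4_dst"))
            public = _first(actions.get("set_ipv4_src"), match.get("ipv4_dst"))
            port = _first(actions.get("set_tcp_src"), match.get("tcp_dst"))
            if private is None or ipaddress.ip_address(private) not in self.user_segment:
                return self._reject(report, "private address outside user segment")
            if public != self.public_ip or port not in self.public_ports:
                return self._reject(report, "public address or port outside allocated pool")
        else:
            return self._reject(report, "unknown template ID")

        # Per-source budget: one source forcing many generated entries is itself a DoS signal.
        if src is not None:
            n = self.accepted_per_source.get(src, 0) + 1
            self.accepted_per_source[src] = n
            if n > self.max_entries_per_source:
                return self._reject(report, "per-source entry budget exceeded")
        return None   # claim 15, first alternative: no reply means accepted
```

Rejecting on scope rather than on exact content keeps the controller cheap: it never has to recompute the entry, only to confirm that the switch stayed inside the box the guide entry and template drew for it. The override path is what makes the scheme compatible with a separate blocklist or intrusion-detection feed, since the controller does not need to undo the generated entry, only to outrank it.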
19. An OpenFlow forwarding device, comprising:
a receiving module, configured to receive a guide flow table entry and a flow table template sent by an OpenFlow controller, wherein the Action information of the guide flow table entry comprises a preset flow table template ID; and further configured to receive a data packet;
a generation module, configured to, after the receiving module receives the data packet, if the data packet matches and hits the guide flow table entry received by the receiving module, look up the corresponding flow table template according to the preset flow table template ID in the Action information of the guide flow table entry, and generate a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
20. The device of claim 19, further comprising:
a sending module, configured to send the flow table entry generated by the generation module to the OpenFlow controller through an extended flow entry add message.
21. The device of claim 19 or 20, further comprising:
a sending module, configured to forward the data packet according to the flow table entry generated by the generation module.
22. The device of claim 19 or 20, wherein:
the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device;
the data packet matching and hitting the guide flow table entry specifically comprises:
the destination address of the data packet being the IP address of the protected device.
23. The device of claim 22, wherein:
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent by any source IP address to the protected device;
the generation module being configured to generate the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
the generation module being configured to generate the flow table entry; wherein the match rule of the flow table entry comprises: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device, and the Action information is to use a meter entry to limit the transmission rate of data packets that match this match rule and are sent to the protected device.
24. The device of claim 19 or 20, wherein:
the match rule of the guide flow table entry comprises: the source address is within a private network address segment of a class of users;
the data packet matching and hitting the guide flow table entry specifically comprises:
the source address of the data packet being one of the addresses in the private network address segment.
25. The device of claim 24, wherein:
the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side;
the generation module being configured to generate the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
the generation module being configured to generate the flow table entry; wherein the match rule of the flow table entry comprises the private network address of the data packet, and the Actions comprise translating the private network address into the allocated public network address and sending the translated packet through the corresponding outgoing interface.
26. The device of claim 25, wherein:
the receiving module is further configured to receive a second flow table template sent by the OpenFlow controller;
wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is the address translation rule for packets sent from the network side to the user side.
27. The device of claim 26, wherein:
the generation module is further configured to generate a second flow table entry from the generated flow table entry in combination with the second flow table template;
wherein the match rule of the second flow table entry comprises the allocated public network address, and the Action information is to translate the public network address into the corresponding private network address and send the translated packet through the corresponding outgoing interface.
28. The device of claim 24, 25 or 27, wherein:
the private network address comprises a private network IP address;
the public network address comprises a public network IP address, or a public network IP address and port information.
29. The device of claim 28, wherein:
the sending module is further configured to send the generated second flow table entry to the OpenFlow controller through a flow entry add message.
30. An OpenFlow controller, comprising:
a storage module, configured to store a pre-configured guide flow table entry and flow table template; wherein the Action information of the guide flow table entry comprises a preset flow table template ID;
a sending module, configured to send the guide flow table entry and the flow table template stored by the storage module to an OpenFlow forwarding device.
31. The controller of claim 30, wherein:
the match rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and/or,
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent by any source IP address to the protected device.
32. The controller of claim 30, further comprising:
a receiving module, configured to receive a flow table entry sent by the OpenFlow forwarding device through a flow entry add message;
the sending module being further configured to, after the receiving module receives the flow table entry, send a reject message to the OpenFlow forwarding device requiring it to delete the flow table entry generated from the flow table template; or, after the receiving module receives the flow table entry, send a higher-priority flow table entry to the OpenFlow forwarding device.
33. The controller of claim 30, wherein:
the match rule of the guide flow table entry comprises: the source address is within a private network address segment of the user; and/or,
the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side.
34. The controller of claim 33, wherein:
the private network address segment comprises private network IP addresses.
35. The controller of claim 33, wherein:
the sending module is further configured to send a second flow table template to the OpenFlow forwarding device; wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is the address translation rule for packets sent from the network side to the user side.
CN201310359664.2A 2013-08-16 2013-08-16 Flow table entry generating method and corresponding device Withdrawn CN104378298A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310359664.2A CN104378298A (en) 2013-08-16 2013-08-16 Flow table entry generating method and corresponding device
PCT/CN2014/078406 WO2014177097A1 (en) 2013-08-16 2014-05-26 Flow table entry generation method and corresponding device
Publications (1)

Publication Number Publication Date
CN104378298A true CN104378298A (en) 2015-02-25

Family

ID=51843172

Also Published As

Publication number Publication date
WO2014177097A1 (en) 2014-11-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20150225)