CN104811338B - SDN-oriented control layer and data layer communication channel self-configuration method and system - Google Patents

SDN-oriented control layer and data layer communication channel self-configuration method and system

Info

Publication number: CN104811338B
Authority: CN (China)
Prior art keywords: equipment, controller, sdn, information, key
Legal status: Expired - Fee Related (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201510181648.8A
Other languages: Chinese (zh)
Other versions: CN104811338A (en)
Inventors: 于金萍, 毕经平, 胡成臣
Current assignee: Institute of Computing Technology of CAS (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Institute of Computing Technology of CAS
Abstract

The invention discloses a self-configuration method for the communication channel between the data layer and the control layer of an SDN. Through a self-configuration management process, and based on a whitelist generated with an authorization USB drive, a secure communication channel is established between a controller in the control layer and a device in the data layer once the two have mutually authenticated each other.

Description

SDN-oriented control layer and data layer communication channel self-configuration method and system
Technical field
The invention belongs to the technical field of computer network management, and is a method for automatically configuring the communication channel between the control layer and the data layer of a Software Defined Network (SDN).
Background technology
With the rapid development of emerging services such as cloud computing and big data, change in the network has become urgent, and under this trend the room for SDN technology to develop will keep widening. As more and more enterprises and operators choose to bring SDN into their networks, demand for large-scale networks built on SDN will keep growing. However, the cost and manpower that must be invested in the early stage of building an SDN (before its SDN functions are complete) will substantially hinder SDN adoption. Setting aside the necessary cost of upgrading devices (from conventional network devices to devices that support SDN), the labor cost of configuring SDN functions, and in particular of configuring the communication channel between the SDN control layer and data layer, also grows multiplicatively with the size of the network. Worse still, errors introduced by manual configuration seriously degrade network performance. To address the low efficiency, high cost and low reliability of manually configuring the control-layer/data-layer communication channel, the present invention targets an SDN with a single controller and proposes a self-configuration technique for that channel based on a whitelist generated with an authorization USB drive. By inserting the authorization USB drive into each legitimate device, the information of every device that is to join the network is collected and formed into a whitelist; the controller can then judge the legitimacy of a device against this list and decide whether to admit it to the network. In normal operation this effectively prevents illegitimate devices from joining and so secures the network; at the same time, because devices need not be configured one by one, the efficiency of building the whole SDN is improved and the cost of building the network is reduced.
Software Defined Network (SDN) is a new network innovation architecture proposed by the Clean Slate research group at Stanford University in the USA. Its basic architecture, shown in Fig. 1, has three layers. The top layer is the application layer (Application Layer), made up of the applications of end users that use SDN communication services. The middle layer is the control layer (Control Layer), which contains one or more controllers, provides comprehensive network monitoring functions and offers the application layer an interface for operating the network. The bottom layer is the infrastructure layer (Infrastructure Layer, also called the data layer), which interacts with the control layer through a communication channel (generally called the secure channel, Secure Channel, at present mainly realized with the OpenFlow protocol) and performs basic message exchange and forwarding. The core SDN techniques are: separating the control layer and data layer of network devices, centralizing the control plane, and supporting network programmability; these three techniques complement each other, finally achieve flexible control of the network, and provide a good platform for innovation in core networks and applications. In particular, with the booming development of emerging services represented by cloud computing and big data, the existing network architecture cannot meet the new demands they bring; under this trend network change has become inevitable, and SDN is the most representative and most widely recognized of the innovative network architectures. Thus more and more manufacturers (including Cisco, Huawei and VMware) have joined the SDN camp, and more and more operators (such as China Telecom and China Unicom) are trying to apply SDN in their networks.
The communication channel between the control layer and the data layer (i.e. the secure channel, Secure Channel) is the key to realizing the centralized control and programmability of SDN, and the basis for separating control from data. Although SDN makes network management more flexible, fast and automated, these advantages can only be realized after the control-layer/data-layer communication channel has been correctly established. Establishing that channel usually requires manually configuring the data-layer devices one by one; as the number of devices grows the workload multiplies and becomes time-consuming and laborious. Moreover, because the accuracy of manual work cannot be guaranteed, network failures are easily caused and network performance is reduced. These problems seriously affect the efficiency of applying SDN technology in large-scale networks. Self-configuration is the best way to solve the manual-configuration problem; however, traditional IP self-configuration techniques concern the assignment of device IP addresses and are not suited to self-configuration of the SDN secure channel, because configuring the secure channel involves far more than configuring the device's IP address. Security authentication between the controller and the devices it manages must first be completed to keep illegitimate devices out of the network, since an illegitimate device could attack the controller and other devices through DDoS attacks and by exploiting vulnerabilities in the OpenFlow protocol, thereby destroying the security of the whole network; only after authentication passes can the secure channel be configured. An authorization USB drive can take the place of the controller in collecting the information of legitimate devices (i.e. the devices that are to join the network), forming it into a whitelist that is stored in the controller. Because the only manual operation required is to plug in the USB drive, with no configuration performed on the individual devices, this saves time and effort and can significantly improve the efficiency of building an SDN.
The prior art entitled "Automatic software defined network configuring method, involves obtaining starting time of main controller and destination IP address of distribution controller by switch controller, and indicating message by switch" (publication number CN103618621-A) discloses a switch that obtains the destination IP of an assigned controller through a switch controller and so configures the communication channel, but it does not consider authenticating the legitimacy of the switch, nor mutual authentication between controller and switch to ensure the security of the communication channel.
The prior art entitled "SDN cloud computing and virtualizing method, involves receiving agency Flow Visor information by controller, connecting open flow switcher with controller, and controlling open flow protocol transmitting process by controller" (publication number CN103905523-A) discloses, for an SDN cloud computing and virtualization environment, the problem of receiving FlowVisor information, the connectivity problem between controller and switch and the transmission problem of the OpenFlow protocol, but it does not solve the problems of mutual authentication between the control layer and data layer and of channel establishment during SDN construction.
The prior art entitled "Network configuration method, involves sending node to master controller, so that master controller configures control rule corresponding to node type for node according to node type, and sending control rule to node" (publication number WO2014179923-A1) discloses assigning controllers to switches according to controller load and configuring the corresponding control plane in the data plane, so as to optimize allocation efficiency and meet network performance requirements. However, that invention does not authenticate the legitimacy of switches and does not apply during initial networking or network reconnection.
The prior art of the OpenDaylight SNBI (Secure Network Bootstrapping Infrastructure) open-source project discloses an SDN-oriented method for automatic discovery between SNBI devices and the controller, automatic IP address assignment and automatic establishment of a secure IP connection, but its authentication measures apply only when the network device information is known and fixed; furthermore, because SNBI provides no scheme for collecting device information, it is not fully suitable for building large-scale SDNs, particularly for network reconnection, where device information is unknown (and must be gathered by a collection scheme) and changes dynamically.
The document "Silva Delgado, Mendez Penuela, Morales Medina, Rueda Rodriguez, 'Automatic network reconfiguration because of security events', in 2014 IEEE Colombian Conference on Communications and Computing (COLCOM), 2014.06" discloses a method of automatically reconfiguring a network with SDN technology in response to security threats. However, that method can only be used after the SDN has been fully established; it does not solve the problems of mutual authentication between control layer and data layer and of channel establishment during SDN construction.
Summary of the invention
The object of the invention is to provide an SDN-oriented self-configuration method and system for the control-layer/data-layer communication channel, to solve the problem that in current large-scale SDNs manual configuration of the control-layer/data-layer communication channel is time-consuming, laborious and unreliable.
To this end, the invention proposes an SDN-oriented control layer and data layer communication channel self-configuration method for establishing a communication channel between a controller in the control layer and a device in the data layer of an SDN. The method comprises:
A self-configuration management process: based on a whitelist formed with an authorization USB drive, after mutual authentication between the controller and the device is complete, a secure communication channel is established between the controller and the device.
In the above method, the self-configuration management process comprises:
A whitelist generation step: the authorization USB drive collects the information of the legitimate devices that are to join the network and forms it into the whitelist; while collecting the information of a legitimate device, the authorization USB drive stores the signing information of the controller in that legitimate device;
An authentication step: the controller authenticates the identity legitimacy of the device based on the whitelist, and the device authenticates the identity legitimacy of the controller based on the controller's signature;
A channel configuration step: the controller and the device that completed identity legitimacy authentication in the authentication step perform self-configuration, establishing the secure communication channel between the authenticated controller and device.
In the above method, the self-configuration management process further comprises:
An automatic channel termination step: based on the information of the devices to be deleted, collected by the authorization USB drive, the ID of each device to be deleted is removed from the controller's whitelist and its communication channel is released.
In the above method, the whitelist generation step comprises:
An information exchange step: the authorization USB drive reads the identification information of the device and adds it to the list of the whitelist, and at the same time adds the signing information of the controller to the device;
An information adding step: the identification information of the device is added to the controller's whitelist by way of the authorization USB drive; when a new device is added to the SDN, the information exchange step is performed, the information of the newly added device is added to the controller's whitelist and the signing information of the controller is added to the device, so that authentication between the controller and the device can be carried out.
In the above method, the authentication step comprises:
A preliminary connection establishment step: when the device joins the SDN for the first time, it broadcasts its identity information in the SDN; other devices in the network discover the identity information of the device through neighbor discovery and then report it to the controller;
A device identity authentication step: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, once it passes, replies with its credential information; the controller checks whether the credential information is in the whitelist: if so, the identity legitimacy of the device is verified, otherwise the device identity legitimacy verification fails.
In the above method, the channel configuration step comprises:
A message request sending step: the controller sends an invitation message to the device that passed authentication;
A startup request message sending step: the device receives the invitation message and verifies the controller's signature; once verified, the device generates a public key and private key for communication and sends a startup request message to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
A startup request message response step: the controller receives the certificate, the certificate signature and the device's public key, and sends a startup response message to the device; the device establishes the secure communication channel with the controller.
In the above method, in the startup request message response step, the controller assigns an IP address to the device through the established secure communication channel, so as to identify the device uniquely.
The invention further provides an SDN-oriented control layer and data layer communication channel self-configuration system for establishing a communication channel between a controller in the control layer and a device in the data layer of an SDN, using the SDN-oriented control layer and data layer communication channel self-configuration method described above. The system comprises:
A self-configuration management module: based on a whitelist formed with an authorization USB drive, after mutual authentication between the controller and the device is complete, a secure communication channel is established between the controller and the device.
In the above system, the self-configuration management module comprises:
A whitelist generation module: the authorization USB drive collects the information of the legitimate devices that are to join the network and forms it into the whitelist; while collecting the information of a legitimate device, the authorization USB drive stores the signing information of the controller in that legitimate device;
An authentication module: the controller authenticates the identity legitimacy of the device based on the whitelist, and the device authenticates the identity legitimacy of the controller based on the controller's signature;
A channel configuration module: the controller and the device that completed identity legitimacy authentication in the authentication step perform self-configuration, establishing the secure communication channel between the authenticated controller and device.
In the above system, the self-configuration management module further comprises:
An automatic channel termination module: based on the information of the devices to be deleted, collected by the authorization USB drive, the ID of each device to be deleted is removed from the controller's whitelist and its communication channel is released.
In the above system, the whitelist generation module comprises:
An information exchange module: the authorization USB drive reads the identification information of the device and adds it to the list of the whitelist, and at the same time adds the signing information of the controller to the device;
An information adding module: the identification information of the device is added to the controller's whitelist by way of the authorization USB drive; when a new device is added to the SDN, the information exchange step is performed, the information of the newly added device is added to the controller's whitelist and the signing information of the controller is added to the device, so that authentication between the controller and the device can be carried out.
In the above system, the authentication module comprises:
A preliminary connection establishment module: when the device joins the SDN for the first time, it broadcasts its identity information in the SDN; other devices in the network discover the identity information of the device through neighbor discovery and then report it to the controller;
A device identity authentication module: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, once it passes, replies with its credential information; the controller checks whether the credential information is in the whitelist: if so, the identity legitimacy of the device is verified, otherwise the device identity legitimacy verification fails.
In the above system, the channel configuration module comprises:
A message request sending module: the controller sends an invitation message to the device that passed authentication;
A startup request message sending module: the device receives the invitation message and verifies the controller's signature; once verified, the device generates a public key and private key for communication and sends a startup request message to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
A startup request message response module: the controller receives the certificate, the certificate signature and the device's public key, and sends a startup response message to the device; the device establishes the secure communication channel with the controller.
Compared with the prior art, the invention has the following beneficial effect: it realizes a technical scheme for automatically configuring the communication channel between the control layer and the data layer.
Through the device whitelist generation method based on the authorization USB drive, the whitelist-based new device authentication technique, the whitelist-based self-configuration technique for the control-layer/data-layer communication channel and the whitelist-based automatic termination technique for that channel, the invention can simply and efficiently automate both the configuration and the termination of the control-layer/data-layer communication channel, reducing the cost of building and rebuilding large-scale SDNs and making it more flexible and convenient to change the network topology.
Brief description of the drawings
Fig. 1 is a schematic diagram of the prior-art SDN architecture;
Fig. 2 is a schematic flow chart of the SDN-oriented control layer and data layer network communication channel self-configuration method of the invention;
Fig. 3 is a detailed flow chart of the control layer and data layer communication channel self-configuration method of the invention;
Fig. 4 is a schematic diagram of a specific application scenario of the method of the invention;
Fig. 5 is a schematic structural diagram of the SDN-oriented control layer and data layer communication channel self-configuration system of the invention;
Fig. 6 is a detailed structural diagram of the control layer and data layer communication channel self-configuration system of the invention.
Reference numerals:
1 self-configuration management module
11 whitelist generation module; 12 authentication module
13 channel configuration module; 14 automatic channel termination module
111 information exchange module; 112 information adding module
121 preliminary connection establishment module; 122 device identity authentication module
131 message request sending module; 132 startup request message sending module
133 startup request message response module
S11~S14, S111~S112, S121~S122, S131~S133: the management steps of the embodiments of the invention
Detailed description of the embodiments
The invention is described in detail below with reference to the drawings and specific embodiments, which do not limit the invention.
The present invention solves the problem that in current large-scale SDNs manual configuration of the control-layer/data-layer communication channel is time-consuming, laborious and unreliable. Against this problem the invention proposes a self-configuration technique for the control-layer/data-layer communication channel of a single-controller SDN, based on a whitelist generated with an authorization USB drive. The technique targets an SDN environment with only one controller: the information of the legitimate devices is collected with the authorization USB drive and formed into a whitelist, which supports mutual authentication between the control-layer device and the data-layer devices; once authentication passes, the self-configuration process of the control-layer/data-layer communication channel can proceed. The technique greatly reduces manual work during SDN construction (particularly when a network is first built or rebuilt) and improves the efficiency and reliability of network configuration work.
As shown in Fig. 2, the invention provides an SDN-oriented control layer and data layer communication channel self-configuration method for establishing a communication channel between a controller in the control layer and a device in the data layer of an SDN. The method comprises:
Self-configuration management process S1: based on the whitelist formed with the authorization USB drive, after the controller and the device have mutually authenticated, a secure communication channel is established between the controller and the device.
The self-configuration management process S1 comprises:
Whitelist generation step S11: the authorization USB drive collects the information of the legitimate devices that are to join the network and forms it into the whitelist; while collecting the information of a legitimate device, the authorization USB drive stores the controller's signing information in that device;
Authentication step S12: the controller authenticates the identity legitimacy of the device based on the whitelist, and the device authenticates the identity legitimacy of the controller based on the controller's signature;
Channel configuration step S13: the controller and the device that completed identity legitimacy authentication in the authentication step perform self-configuration, establishing the secure communication channel between the authenticated controller and device;
Automatic channel termination step S14: based on the information of the devices to be deleted, collected on the authorization USB drive, the IDs of the devices to be deleted are removed from the controller's whitelist and their communication channels are released.
As shown in Fig. 3, the whitelist generation step S11 comprises:
Information exchange step S111: the authorization USB drive reads the identification information of the device and adds it to the list of the whitelist, while adding the controller's signing information to the device;
Information adding step S112: the identification information of the device is added to the controller's whitelist by way of the authorization USB drive; when a new device is added to the SDN, the information exchange step is performed, the information of the newly added device is added to the controller's whitelist and the controller's signing information is added to the device, so that the controller and the device can authenticate each other.
As shown in Fig. 3, the authentication step S12 comprises:
Preliminary connection establishment step S121: when the device joins the SDN for the first time, it broadcasts its identity information in the SDN; the other devices in the network discover the identity information of the device through neighbor discovery and report it to the controller;
Device identity authentication step S122: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, once it passes, replies with its credential information; the controller checks whether the credential information is in the whitelist: if so, the identity legitimacy of the device is verified, otherwise the device identity legitimacy verification fails.
As shown in Fig. 3, the channel configuration step S13 comprises:
Message request sending step S131: the controller sends an invitation message to the device that passed authentication;
Startup request message sending step S132: the device receives the invitation message and verifies the controller's signature; once verified, the device generates a public key and private key for communication and sends a startup request message to the controller, providing the controller with a certificate, the certificate signature and the device's public key;
Startup request message response step S133: the controller receives the certificate, the certificate signature and the device's public key and sends a startup response message to the device; the device establishes the secure communication channel with the controller. The controller then assigns an IP address to the device through the established secure communication channel, so as to identify the device uniquely.
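As an added example (not the patent's own code), the self-configuration management process S11 to S14 above simulated in Go: the controller's signing information is an Ed25519 public key from the standard library, the authorization USB drive is modelled as a value carried between devices and the controller, neighbour discovery and the network transport are left out, and the credentials and IP addresses are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Controller holds the whitelist filled by the USB drive (S11) and the channels set up
// after authentication (S13). Pub is the "controller signing information" copied onto devices.
type Controller struct {
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	whitelist map[string]bool   // device credentials admitted via the USB drive
	channels  map[string]string // credential -> IP assigned over the secure channel (S133)
	nextHost  int
}

// Device is a data-layer switch. Cred is the identity the USB drive reads (S111), e.g. a MAC or
// 802.1AR credential; controllerPub stays nil until the drive visits, so an unvisited device cannot verify any controller.
type Device struct {
	Cred          string
	controllerPub ed25519.PublicKey
}

// USBDrive carries credentials to the controller and the controller signing information
// to devices; toDelete feeds automatic channel termination (S14).
type USBDrive struct {
	ControllerPub ed25519.PublicKey
	collected     []string
	toDelete      []string
}

func NewController() *Controller {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Controller{Pub: pub, priv: priv, whitelist: map[string]bool{}, channels: map[string]string{}, nextHost: 1}
}

// Visit is S111: read the device identity and install the controller signing information.
func (u *USBDrive) Visit(d *Device) {
	u.collected = append(u.collected, d.Cred)
	d.controllerPub = u.ControllerPub
}

// MarkForDeletion records a device whose channel is to be torn down (S14).
func (u *USBDrive) MarkForDeletion(d *Device) { u.toDelete = append(u.toDelete, d.Cred) }

// PlugIntoController is S112 and S14: extend the whitelist with the collected credentials,
// then drop deleted devices from it and release their channels.
func (u *USBDrive) PlugIntoController(c *Controller) {
	for _, cred := range u.collected {
		c.whitelist[cred] = true
	}
	for _, cred := range u.toDelete {
		delete(c.whitelist, cred)
		delete(c.channels, cred)
	}
	u.collected, u.toDelete = nil, nil
}

// deviceAccepts is the device-side check of S122 and S132: a signed controller message is
// accepted only if it verifies under the key the USB drive installed on the device.
func deviceAccepts(c *Controller, d *Device, msg string) bool {
	return d.controllerPub != nil && ed25519.Verify(d.controllerPub, []byte(msg), ed25519.Sign(c.priv, []byte(msg)))
}

// Join runs S121..S133 for a device reported by neighbour discovery; it returns the IP assigned over the channel.
func Join(c *Controller, d *Device) (string, error) {
	// S122: credential request; the device answers only if the controller signature verifies.
	if !deviceAccepts(c, d, "request-credential:"+d.Cred) {
		return "", fmt.Errorf("%s rejects controller: signature not verifiable", d.Cred)
	}
	if !c.whitelist[d.Cred] {
		return "", fmt.Errorf("controller rejects %s: not in whitelist", d.Cred)
	}
	// S131/S132: signed invitation, then the device makes its key pair and sends certificate + signature + key.
	if !deviceAccepts(c, d, "invitation:"+d.Cred) {
		return "", fmt.Errorf("%s rejects invitation: signature not verifiable", d.Cred)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	cert := append([]byte(d.Cred+":"), pub...)
	// S133: the controller checks the certificate signature against the presented key (proof of
	// possession; legitimacy was settled by the whitelist) and answers with a unique IP address.
	if !ed25519.Verify(pub, cert, ed25519.Sign(priv, cert)) {
		return "", fmt.Errorf("controller rejects certificate of %s", d.Cred)
	}
	ip := fmt.Sprintf("10.0.0.%d", c.nextHost)
	c.nextHost++
	c.channels[d.Cred] = ip
	return ip, nil
}
```

A device the drive never visited fails at the controller's whitelist check, and a device carrying another controller's key fails its own signature check, which is the mutual authentication the two steps S12 provide.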
The invention is described further below with reference to the drawings and specific embodiments.
In practical application, as shown in Fig. 4, the network scenario is one controller and a number of devices that need to join the network. To realize self-configuration of the control-layer/data-layer communication channel, a new module for self-configuration management (Auto-Configuration Management) must be added to the controller and to the devices to carry out the self-configuration work. In addition, an authorization USB drive must be prepared in advance for collecting device information, generating the whitelist and removing devices. The authorization USB drive holds two kinds of program: one extends the whitelist, mainly collecting the information of the devices that are to join the network and adding it to the controller's whitelist; the other shrinks the whitelist, mainly collecting the information of the devices to be deleted and deleting it from the controller's whitelist. Generating the whitelist with the authorization USB drive requires neither complex key management and pre-configuration nor complex manual operation, so the control-layer/data-layer communication channel can be configured automatically, simply and efficiently.
Specific embodiment: device whitelist generation method based on the authorization USB drive. To ensure the legitimacy of the devices joining the network, so that they may communicate with the controller, and to keep out illegitimate devices that would pose a potential threat to the network, the authorization USB drive is used before networking to collect the information of all the legitimate devices that are to join and to form the whitelist, so that the controller can judge the legitimacy of a joining device against it.
Authorize USB flash disk that there is the super-ordinate right of global network, the module with the self-configuring management in equipment can be passed through (Auto-Configuration Management) interaction, the information of equipment is read, can mainly identify the information of equipment, Such as MAC Address, the id information such as 802.1AR vouchers, and the information read is added in the list of white list;Authorize USB flash disk simultaneously The signing messages of controller is stored into the self-configuring management module in equipment.In the letter for authorizing USB flash disk to be collected into all devices After breath forms complete white list, USB flash disk inserting controller will be authorized, it is possible to which list is added in the white list of controller. In subsequent process, if necessary to add equipment into network, it is only necessary to will authorize and collect information on USB flash disk insertion new equipment, so It will authorize afterwards on USB flash disk inserting controller, the newest information being collected into is added to the white list of controller.
Being mutually authenticated for controller and equipment is completed as medium.The equipment for only authorizing USB flash disk insertion is considered as just to close Method equipment, and without doing any processing to equipment, as long as insertion authorizes USB flash disk.Afterwards, often when a new device joins the network, Will pass through verification process, completion controller and interchanger are mutually authenticated.
The specific embodiment of the invention, the new equipment authentication techniques based on white list.By above-mentioned white list method for building up, After the white list that legitimate device is stored in controller, by following steps, the certification work to new equipment can be completed.
1) After a new device joins the network, it broadcasts its information to the network;
2) Through neighbour discovery, a device already in the network discovers the newly joined device and reports it to the controller;
3) The controller requests the new device's credential information;
4) If the controller's signature verifies, the new device sends its credential information to the controller; the controller checks whether the credential is in its whitelist: if so, it sends an Invite message to the new device inviting it to join the network; otherwise it sends a Reject message, refusing the new device's join request.
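The admission exchange of steps 3 and 4, together with the USB-drive provisioning it relies on, as an added example that is not part of the patent or of any implementation of it. It is written in Go against the standard library only; the names (Controller, AuthorizedUSB, Device, Join), the use of Ed25519 for the controller's signature, the nonce inside the credential request and the sample MAC addresses are all assumptions made for the example. The device checks the controller's signature before it discloses its credential, and the controller answers from whitelist membership alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Domain-separation tag: a credential-request signature must not be mistakable for another message.
const credReqTag = "sdn-credential-request:"

// Controller: signing key plus the whitelist of device identifiers (the patent
// names MAC addresses or 802.1AR credentials; plain strings stand in here).
type Controller struct {
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	whitelist map[string]bool
}

func NewController() *Controller {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Controller{pub: pub, priv: priv, whitelist: map[string]bool{}}
}

// AuthorizedUSB models the authorized USB drive: it carries the controller's public key
// (the "signing information" stored on each device) and collects device identifiers.
type AuthorizedUSB struct {
	controllerPub ed25519.PublicKey
	collected     []string
}

func NewAuthorizedUSB(c *Controller) *AuthorizedUSB { return &AuthorizedUSB{controllerPub: c.pub} }

// Device is a data-layer element; ControllerPub stays nil until the drive has been plugged in.
type Device struct {
	ID            string
	ControllerPub ed25519.PublicKey
}

// Plug: the drive records the device identifier and installs the controller key.
func (u *AuthorizedUSB) Plug(d *Device) {
	u.collected = append(u.collected, d.ID)
	d.ControllerPub = u.controllerPub
}

// Import: the drive is inserted into the controller and its identifiers are merged into the whitelist.
func (c *Controller) Import(u *AuthorizedUSB) {
	for _, id := range u.collected {
		c.whitelist[id] = true
	}
	u.collected = nil
}

// CredentialRequest is the controller's step-3 message: a random nonce signed by the controller,
// so the signed message is never a fixed string (freshness from the device's side would need
// a device-chosen challenge, which the patent's exchange does not include).
type CredentialRequest struct{ Nonce, Sig []byte }

func (c *Controller) RequestCredential() CredentialRequest {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return CredentialRequest{nonce, ed25519.Sign(c.priv, append([]byte(credReqTag), nonce...))}
}

// Respond is the device side of step 4: verify the controller's signature first
// and only then disclose the credential; ok=false means the device refused.
func (d *Device) Respond(req CredentialRequest) (cred string, ok bool) {
	if d.ControllerPub == nil || !ed25519.Verify(d.ControllerPub, append([]byte(credReqTag), req.Nonce...), req.Sig) {
		return "", false
	}
	return d.ID, true
}

// Join runs steps 3 and 4 end to end. The controller's half of step 4 is the whitelist lookup:
// "Invite" on a hit, "Reject" on a miss; "DeviceRefused" means the device rejected the signature.
func Join(c *Controller, d *Device) string {
	cred, ok := d.Respond(c.RequestCredential())
	switch {
	case !ok:
		return "DeviceRefused"
	case c.whitelist[cred]:
		return "Invite"
	}
	return "Reject"
}

func main() {
	c := NewController()
	usb := NewAuthorizedUSB(c)
	sw := &Device{ID: "00:11:22:33:44:55"} // constructed sample MAC address
	usb.Plug(sw)
	c.Import(usb)
	fmt.Println("provisioned switch:", Join(c, sw))
	fmt.Println("unlisted switch:", Join(c, &Device{ID: "66:77:88:99:aa:bb", ControllerPub: sw.ControllerPub}))
}
```

Note that the whitelist entry is a bare identifier, so anything that learns it (a MAC address is visible on the wire) can present it; the patent's 802.1AR option is stronger because a DevID is a key-backed credential, and it is the signed PKCS#10 request in the channel-configuration step that brings proof of key possession into the exchange.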
In a specific embodiment of the invention, self-configuration of the control-layer/data-layer communication channel is based on the whitelist. After the above steps the controller has authenticated the new device's legitimacy; the controller and the new device now interact to complete the configuration of the control-layer/data-layer communication channel. The main steps of the configuration process are:
1) The controller sends an Invite message to the newly authenticated device.
2) The new device receives the Invite message and first verifies whether the controller's signature is legitimate. If verification passes, the device generates a public/private key pair for communication and sends a "Boot strap request" message to the controller, providing a PKCS10 request, a PKCS10_signature (signature) and its public key.
3) The controller receives the message and sends a "Boot strap reply" message to the device containing the certificate of the controller's management domain (the domain formed by the devices the controller manages). The device thereby becomes a member of this domain and can establish a secure communication channel with the controller; over this channel the controller can assign the device an IP address that uniquely identifies it.
4) The device can now communicate with the controller, and the handling of network flows passing through the device follows the policy decisions of this controller or of the upper-layer applications.
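The channel-configuration exchange of steps 1 to 3, as an added example that is not part of the patent or of any implementation of it; it uses Go's standard crypto/x509 package. Assumptions made for the example: the controller acts as the CA of its management domain and the domain certificate is what the authorized USB drive installs on a device as the controller's signing information; the device's key pair is Ed25519; the PKCS#10 request is sent as one unit, since the PKCS#10 structure already contains the new public key and a signature made with the new private key (the patent's PKCS10_signature and public key); addresses come from a constructed 10.0.0.0/24 plan. The names SendInvite, HandleInvite, HandleBootstrap, HandleReply and Bootstrap are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Controller is the CA of its management domain; Domain is the domain certificate the authorized USB
// drive installs on each device (assumption: the patent's "signing information"). 10.0.0.0/24 is constructed.
type Controller struct {
	key    ed25519.PrivateKey
	Domain *x509.Certificate
	nextIP int
}

func NewController() *Controller {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sdn-domain-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return &Controller{key: priv, Domain: cert}
}

// SendInvite (step 1) returns a fresh nonce and the controller's signature over it.
func (c *Controller) SendInvite() (nonce, sig []byte) {
	nonce = make([]byte, 16)
	rand.Read(nonce)
	return nonce, ed25519.Sign(c.key, append([]byte("invite:"), nonce...))
}

// Device holds the installed domain certificate and, after bootstrap, its own key, certificate and address.
type Device struct {
	ID, IP       string
	Domain, Cert *x509.Certificate
	priv         ed25519.PrivateKey
}

// HandleInvite (step 2): check the controller's signature, generate a fresh key pair and return a
// PKCS#10 request (DER); PKCS#10 already embeds the new public key and a signature by the new key.
func (d *Device) HandleInvite(nonce, sig []byte) ([]byte, error) {
	cpub, ok := d.Domain.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(cpub, append([]byte("invite:"), nonce...), sig) {
		return nil, fmt.Errorf("invite: controller signature invalid")
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	d.priv = priv
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: d.ID}}, priv)
}

// HandleBootstrap (step 3, controller side): the CSR signature proves possession of the new key and the
// subject must be the identity admitted in step 4 above; then a certificate and an address are issued.
func (c *Controller) HandleBootstrap(csrDER []byte, admittedID string) (certDER []byte, ip string, err error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil { err = csr.CheckSignature() }
	if err != nil || csr.Subject.CommonName != admittedID {
		return nil, "", fmt.Errorf("bootstrap: CSR rejected (%v)", err)
	}
	c.nextIP++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(c.nextIP) + 1), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, c.Domain, csr.PublicKey, c.key)
	return certDER, fmt.Sprintf("10.0.0.%d", c.nextIP), err
}

// HandleReply (step 3, device side): the certificate must be signed by the installed domain
// certificate and must be for the key this device generated in step 2.
func (d *Device) HandleReply(certDER []byte, ip string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	if err := cert.CheckSignatureFrom(d.Domain); err != nil { return err }
	if cp, ok := cert.PublicKey.(ed25519.PublicKey); d.priv == nil || !ok || !cp.Equal(d.priv.Public()) {
		return fmt.Errorf("reply: certificate is for a different key")
	}
	d.Cert, d.IP = cert, ip
	return nil
}

// Bootstrap runs steps 1 to 3 end to end; the address is only meaningful when the error is nil.
func Bootstrap(c *Controller, d *Device) (string, error) {
	csr, err := d.HandleInvite(c.SendInvite())
	if err != nil { return "", err }
	certDER, ip, err := c.HandleBootstrap(csr, d.ID)
	if err != nil { return "", err }
	return ip, d.HandleReply(certDER, ip)
}

func main() {
	c := NewController()
	fmt.Println(Bootstrap(c, &Device{ID: "switch-00:11:22:33:44:55", Domain: c.Domain})) // constructed sample device
}
```

Two checks carry the security of this step: the controller issues a certificate only for the identity it admitted in step 4 and only after the CSR's own signature proves that the requester holds the new private key, and the device accepts only a certificate that is signed by the domain certificate it was provisioned with and that names its own key. The example checks the issuer signature directly instead of building a full chain, so validity periods and extended key usage are not enforced here.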
In a specific embodiment of the invention, the control-layer/data-layer communication channel based on the whitelist is terminated automatically. During actual network operation a device often has to be removed because of a device fault or a topology adjustment, and the control-layer/data-layer communication channel of that device then also has to be deleted. Under the whitelist scheme a device can be removed in two ways: deletion from the controller end and deletion from the device end.
Deletion from the controller end normally clears a device directly by its ID, that is, the stored ID is deleted directly from the controller's whitelist, so the crucial point is to determine which physical device corresponds to the device ID. The most direct but clumsy method is to confirm the switches one at a time with the authorized USB drive. This is usually very inefficient; to improve efficiency, the position of the physical device can be found from the network topology stored at the controller end, and the corresponding physical device is then located at the physical layer by following the network connections and removed, which releases the control-layer/data-layer communication channel.
Deletion from the device end is usually needed because the device has become unusable for reasons such as a device fault; the crucial point is to find the device's ID and delete it from the controller's whitelist. The method is as follows: first insert the authorized USB drive carrying the deletion program (or a separate authorized USB drive dedicated to device deletion) into the device to be deleted and read the device's ID information by interacting with the device's self-configuration management module (Auto-Configuration Management), then insert the drive into the controller, where the controller-end program deletes the corresponding device ID from its whitelist. Sometimes, however, the device to be deleted cannot be powered on, so its information cannot be obtained through interaction between the authorized USB drive and the device's self-configuration management module (Auto-Configuration Management). In that case the information of the available devices is collected first, the list of IDs of the available devices is subtracted from the whitelist at the controller end, and the remainder is the ID of the unusable device; deleting it from the controller's whitelist releases the control-layer/data-layer communication channel.
The invention also provides a self-configuration system for the control-layer/data-layer communication channel in an SDN, for establishing a communication channel between a controller in the control layer and a device in the data layer of the SDN by means of the self-configuration method described above. As shown in Figure 5, the system comprises:
Self-configuration management module 1: based on the whitelist formed by the authorized USB drive, after mutual authentication of the controller and the device is completed, establishes a secure communication channel between the controller and the device.
As shown in Figure 5, the self-configuration management module 1 comprises:
Whitelist generation module 11: forms the whitelist from the information of legitimate devices that are to join the network, collected by the authorized USB drive; while collecting the device information the authorized USB drive also stores the controller's signing information in each legitimate device;
Authentication module 12: completes the controller's authentication of the device's identity on the basis of the whitelist, and the device's authentication of the controller's identity on the basis of the controller's signature;
Channel configuration module 13: for a controller and device whose identities have been authenticated by the authentication module, completes self-configuration and establishes the secure communication channel between the authenticated controller and device.
Automatic channel termination module 14: based on the information of the device to be deleted, collected by the authorized USB drive, deletes the device's ID from the controller's whitelist and releases the communication channel.
As shown in Figure 6, the whitelist generation module 11 comprises:
Information interaction module 111: the authorized USB drive reads the device's identification information and adds it to the whitelist, and at the same time adds the controller's signing information to the device;
Information addition module 112: adds the device identification information collected by the authorized USB drive to the controller's whitelist; whenever a new device is added to the SDN, the information interaction step is executed, the new device's information is added to the controller's whitelist and the controller's signing information is added to the device, so that the controller and the device can authenticate each other.
As shown in Figure 6, the authentication module 12 comprises:
Preliminary connection module 121: when a device joins the SDN for the first time it broadcasts its identity information in the SDN; the other devices in the network discover the device's identity information through neighbour discovery and report it to the controller;
Device identity authentication module 122: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if verification passes, responds with its credential information; the controller checks whether the credential information is in the whitelist; if it is, the device's identity is verified as legitimate, otherwise verification of the device's identity fails.
As shown in Figure 6, the channel configuration module 13 comprises:
Message request sending module 131: the controller sends an invitation message to the device that has passed identity authentication;
Bootstrap request sending module 132: the device receives the invitation message and verifies the controller's signature; after verification passes, the device generates a public/private key pair for communication and sends a bootstrap request message to the controller, providing the controller with a certificate, the certificate signature and the device's public key;
Bootstrap request reply module 133: the controller receives the certificate, the certificate signature and the device's public key, and sends a bootstrap reply message to the device; the device and the controller establish a secure communication channel, over which the controller assigns the device an IP address that uniquely identifies it.
In summary, with a simple plug-in operation the authorized USB drive of the invention collects the information of all legitimate devices and forms the whitelist, against which the controller verifies the legitimacy of new devices. This simple operation simplifies the work of building the network and improves its efficiency. Further, the controller of the invention authenticates new devices against the whitelist in a process that is fully automatic and needs no human involvement; it is simple and efficient and helps to build an SDN efficiently. The invention also makes the establishment of the control-layer/data-layer channel automatic, without human involvement, which reduces the cost and raises the efficiency of network construction. Finally, automatic termination of the control-layer/data-layer communication channel under the device whitelist of the invention needs no manual configuration at all, clearly improving the efficiency with which control-layer/data-layer communication channels are handled.
Of course, the invention may have many other embodiments; those skilled in the art can make various corresponding changes and modifications according to the invention without departing from its spirit and essence, and all such changes and modifications fall within the scope of protection of the appended claims.

Claims (13)

1. A self-configuration method for a control-layer/data-layer communication channel in an SDN, for establishing a communication channel between a controller in the control layer and a device in the data layer of the SDN, characterized in that the method comprises:
Self-configuration management step: based on a whitelist formed by an authorized USB drive, after mutual authentication between the controller and the device is completed, establishing a secure communication channel between the controller and the device.
2. The self-configuration method for a control-layer/data-layer communication channel in an SDN according to claim 1, characterized in that the self-configuration management step comprises:
Whitelist generation step: forming the whitelist from the information of legitimate devices that are to join the network, collected by the authorized USB drive, the authorized USB drive storing the controller's signing information in each legitimate device while it collects the legitimate device's information;
Authentication step: completing the controller's authentication of the device's identity on the basis of the whitelist, and the device's authentication of the controller's identity on the basis of the controller's signature;
Channel configuration step: for the controller and the device whose identities have been authenticated in the authentication step, completing self-configuration and establishing the secure communication channel between the authenticated controller and device.
3. The self-configuration method for a control-layer/data-layer communication channel in an SDN according to claim 2, characterized in that the self-configuration management step further comprises:
Automatic channel termination step: based on the information of the device to be deleted, collected by the authorized USB drive, deleting the ID of the device to be deleted from the controller's whitelist and releasing the communication channel.
4. The self-configuration method for a control-layer/data-layer communication channel in an SDN according to claim 2, characterized in that the whitelist generation step comprises:
Information interaction step: the authorized USB drive reads the device's identification information and adds it to the whitelist, and at the same time adds the controller's signing information to the device;
Information addition step: the device identification information collected by the authorized USB drive is added to the controller's whitelist; whenever a new device is added to the SDN, the information interaction step is executed, the new device's information is added to the controller's whitelist and the controller's signing information is added to the device, so that the controller and the device can authenticate each other.
5. The self-configuration method for a control-layer/data-layer communication channel in an SDN according to claim 2, characterized in that the authentication step comprises:
Preliminary connection step: when the device joins the SDN for the first time it broadcasts its identity information in the SDN; the other devices in the network discover the device's identity information through neighbour discovery and report it to the controller;
Device identity authentication step: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if verification passes, responds with its credential information; the controller checks whether the credential information is in the whitelist; if it is, the device's identity is verified as legitimate, otherwise verification of the device's identity fails.
6. The self-configuration method for a control-layer/data-layer communication channel in an SDN according to claim 2, characterized in that the channel configuration step comprises:
Message request sending step: the controller sends an invitation message to the device that has passed identity authentication;
Bootstrap request sending step: the device receives the invitation message and verifies the controller's signature; after verification passes, the device generates a public/private key pair for communication and sends a bootstrap request message to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
Bootstrap request reply step: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a bootstrap reply message to the device; the device and the controller establish a secure communication channel.
7. The self-configuration method for a control-layer/data-layer communication channel in an SDN according to claim 6, characterized in that, in the bootstrap request reply step, the controller assigns the device an IP address over the established secure communication channel, so as to identify the device uniquely.
8. A self-configuration system for a control-layer/data-layer communication channel in an SDN, for establishing a communication channel between a controller in the control layer and a device in the data layer of the SDN using the self-configuration method for a control-layer/data-layer communication channel in an SDN according to any one of claims 1-7, characterized in that the system comprises:
Self-configuration management module: based on a whitelist formed by an authorized USB drive, after mutual authentication between the controller and the device is completed, establishes a secure communication channel between the controller and the device.
9. The self-configuration system for a control-layer/data-layer communication channel in an SDN according to claim 8, characterized in that the self-configuration management module comprises:
Whitelist generation module: forms the whitelist from the information of legitimate devices that are to join the network, collected by the authorized USB drive, the authorized USB drive storing the controller's signing information in each legitimate device while it collects the legitimate device's information;
Authentication module: completes the controller's authentication of the device's identity on the basis of the whitelist, and the device's authentication of the controller's identity on the basis of the controller's signature;
Channel configuration module: for the controller and the device whose identities have been authenticated by the authentication module, completes self-configuration and establishes the secure communication channel between the authenticated controller and device.
10. The self-configuration system for a control-layer/data-layer communication channel in an SDN according to claim 9, characterized in that the self-configuration management module further comprises:
Automatic channel termination module: based on the information of the device to be deleted, collected by the authorized USB drive, deletes the ID of the device to be deleted from the controller's whitelist and releases the communication channel.
11. The self-configuration system for a control-layer/data-layer communication channel in an SDN according to claim 9, characterized in that the whitelist generation module comprises:
Information interaction module: the authorized USB drive reads the device's identification information and adds it to the whitelist, and at the same time adds the controller's signing information to the device;
Information addition module: the device identification information collected by the authorized USB drive is added to the controller's whitelist; whenever a new device is added to the SDN, the information interaction step is executed, the new device's information is added to the controller's whitelist and the controller's signing information is added to the device, so that the controller and the device can authenticate each other.
12. The self-configuration system for a control-layer/data-layer communication channel in an SDN according to claim 9, characterized in that the authentication module comprises:
Preliminary connection module: when the device joins the SDN for the first time it broadcasts its identity information in the SDN; the other devices in the network discover the device's identity information through neighbour discovery and report it to the controller;
Device identity authentication module: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if verification passes, responds with its credential information; the controller checks whether the credential information is in the whitelist; if it is, the device's identity is verified as legitimate, otherwise verification of the device's identity fails.
13. The self-configuration system for a control-layer/data-layer communication channel in an SDN according to claim 9, characterized in that the channel configuration module comprises:
Message request sending module: the controller sends an invitation message to the device that has passed identity authentication;
Bootstrap request sending module: the device receives the invitation message and verifies the controller's signature; after verification passes, the device generates a public/private key pair for communication and sends a bootstrap request message to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
Bootstrap request reply module: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a bootstrap reply message to the device; the device and the controller establish a secure communication channel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510181648.8A CN104811338B (en) 2015-04-16 2015-04-16 A kind of key-course towards SDN and data Layer communication port self-configuration method and its system

Publications (2)

Publication Number Publication Date
CN104811338A CN104811338A (en) 2015-07-29
CN104811338B true CN104811338B (en) 2018-02-06

Family

ID=53695849

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713263B (en) * 2016-11-18 2018-07-13 上海红阵信息科技有限公司 The system and method for the on-demand dynamic authentication connection of user in LAN
CN110719301A (en) * 2019-11-19 2020-01-21 武汉思普崚技术有限公司 Attack defense method and system for flow adaptive scheduling

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003077053A2 (en) * 2002-03-13 2003-09-18 M-Systems Flash Disk Pioneers Ltd. Personal portable storage medium
CN101009556A (en) * 2007-01-08 2007-08-01 中国信息安全产品测评认证中心 Intelligent card and U disk compound device and its access security improvement method based on bidirectional authentication mechanism
CN103200176A (en) * 2013-02-27 2013-07-10 中国工商银行股份有限公司 Identification method, identification device and identification system based on bank independent communication channel
CN103428771A (en) * 2013-09-05 2013-12-04 迈普通信技术股份有限公司 Communication method, software defined network SDN switch and communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dominik Samociuk, "Secure Communication Between OpenFlow Switches and Controllers", AFIN 2015: The Seventh International Conference on Advances in Future Internet, 2015-02-28, full text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180206

Termination date: 20200416