CN104811338B - SDN-oriented method and system for self-configuring the communication channel between the control layer and the data layer - Google Patents
Publication number: CN104811338B (application number CN201510181648.8A)
Authority: CN (China)
Prior art keywords: equipment, controller, sdn, information, key
Legal status: Expired - Fee Related
Abstract
The invention discloses a method for self-configuring the communication channel between the data layer and the control layer of an SDN network. In a self-configuration management process, a whitelist generated with an authorized USB drive is used to complete mutual authentication between a controller in the control layer and a device in the data layer, after which a secure communication channel is established between the controller and the device.
Description
Technical field
The invention belongs to the technical field of computer network management, and specifically is a method for automatically configuring the communication channel between the control layer and the data layer of a software-defined network (SDN).
Background art
With the rapid development of emerging services such as cloud computing and big data, the need to change the network has become urgent, and under this trend the room for SDN technology to develop keeps widening. As more enterprises and operators choose to add SDN to their networks, the demand for large-scale networks built on SDN will keep growing. However, the cost and manpower needed in the early stage of building an SDN network (before its SDN functions are complete) substantially hinder the spread of SDN. Setting aside the unavoidable cost of upgrading devices (from traditional network devices to devices that support SDN), the labour cost of SDN function configuration, in particular of configuring the communication channel between the SDN control layer and the data layer, multiplies as the network grows. Worse, errors introduced by manual configuration seriously degrade network performance. To solve the low efficiency, high cost and low reliability of manually configuring the control-layer to data-layer communication channel, the present invention, aimed at an SDN network with a single controller, proposes a self-configuration technique for that channel based on a whitelist generated with an authorized USB drive. The authorized USB drive is plugged into each legitimate device to collect the information of all devices that are to join the network and form a whitelist; the controller can then judge the legitimacy of a device against this list and decide whether to admit it to the network. Under normal operation this effectively prevents illegitimate devices from joining, thereby securing the network, and because no device has to be configured one by one, the efficiency of building the whole SDN network is improved and the cost of building it is reduced.
Software-defined networking (SDN) is a new network innovation architecture proposed by the Clean Slate research group at Stanford University. Its basic architecture, shown in Fig. 1, has three layers. The top layer is the application layer, made up of the applications of the end users who use SDN communication services. The middle layer is the control layer, comprising one or more controllers that provide comprehensive network monitoring functions and offer the application layer an interface for operating the network. The bottom layer is the infrastructure layer (also called the data layer), which interacts with the control layer through a communication channel (generally called the secure channel, at present mainly implemented with the OpenFlow protocol) and performs the basic message exchange and forwarding functions. The core techniques of SDN are the separation of the control layer and the data layer of network devices, centralization of the control plane, and support for network programmability; these three complement one another and together achieve flexible control of the network, providing a good platform for innovation in the core network and in applications. In particular, with the booming development of emerging services represented by cloud computing and big data, the existing network architecture cannot meet the new demands these services bring, so network change has become inevitable, and SDN is the most representative and most widely recognized innovative network architecture among the candidates. Accordingly, more and more manufacturers (including Cisco, Huawei and VMware) have joined the SDN camp, and more and more operators (such as China Telecom and China Unicom) are trying to apply SDN in their networks.
The communication channel between the control layer and the data layer (that is, the secure channel) is the key to realizing the centralized control and programmability of SDN, and the foundation of separating control from data. Although SDN makes network management more flexible, fast and automated, these advantages are only obtained once the control-layer to data-layer communication channel has been correctly established. Establishing this channel usually requires configuring each data-layer device manually one by one; as the number of devices grows the workload multiplies and becomes time-consuming and laborious, and because the accuracy of manual work cannot be guaranteed, network faults are easily introduced and network performance is reduced. These problems seriously affect the efficiency of applying SDN technology in large-scale networks. Self-configuration technology is the best option for solving the problems of manual configuration; however, traditional IP self-configuration technology is concerned with assigning IP addresses to devices and is not suited to self-configuration of the SDN secure channel, because configuring the secure channel involves far more than configuring the device's IP address. Security authentication between the controller and the devices it manages must be completed first, to prevent illegitimate devices from entering the network, since an illegitimate device could attack the controller and other devices through DDoS attacks or by exploiting vulnerabilities in the OpenFlow protocol and so compromise the security of the whole network; only after authentication has passed can the secure channel be configured. The authorized USB drive can take the controller's place in collecting the information of legitimate devices (the devices that are to join the network), forming a whitelist and storing it in the controller. Since the only manual operation required is plugging and unplugging the USB drive, with no configuration performed on the individual devices, this saves time and effort and can markedly improve the efficiency of building an SDN network.
The prior art entitled "Automatic software defined network configuring method, involves obtaining starting time of main controller and destination IP address of distribution controller by switch controller, and indicating message by switch" (publication number CN103618621-A) discloses a switch obtaining the destination IP address of its allocated controller through a switch controller and thereby configuring the communication channel, but it does not consider authenticating the legitimacy of the switch, nor mutual authentication between the controller and the switch to ensure the security of the communication channel.
The prior art entitled "SDN cloud computing and virtualizing method, involves receiving agency Flow Visor information by controller, connecting open flow switcher with controller, and controlling open flow protocol transmitting process by controller" (publication number CN103905523-A) discloses, for SDN cloud computing in a virtualized environment, the reception of FlowVisor information, the connection between controller and switch, and the transmission of the OpenFlow protocol, but it does not solve the problems of mutual authentication between the control layer and the data layer and of channel establishment during the construction of an SDN network.
The prior art entitled "Network configuration method, involves sending node to master controller, so that master controller configures control rule corresponding to node type for node according to node type, and sending control rule to node" (publication number WO2014179923-A1) discloses assigning a controller to a switch according to controller load and configuring the corresponding control plane for the data plane, so as to optimize allocation efficiency and meet network performance requirements. However, that invention does not authenticate the legitimacy of the switch, and it does not apply to the initial networking stage or to network reconstruction.
The SNBI (Secure Network Bootstrapping Infrastructure) project of the open source OpenDaylight project discloses, for SDN networks, a method for automatic discovery between SNBI devices and the controller, automatic IP address assignment and automatic establishment of a secure IP connection. However, its authentication measures apply only when the network device information is known and fixed, and since SNBI provides no scheme for collecting device information, it is not fully suited to large-scale SDN network construction, in particular to network reconstruction, where the device information is unknown (and has to be gathered by a collection scheme) and changes dynamically.
The document "Silva Delgado, Mendez Penuela, Morales Medina, Rueda Rodriguez, 'Automatic network reconfiguration because of security events', 2014 IEEE Colombian Conference on Communications and Computing (COLCOM), June 2014" discloses a method of automatically reconfiguring a network with SDN technology in response to security threats. However, that method can only be used once the SDN network has been completely established; it does not solve the problems of mutual authentication between the control layer and the data layer and of channel establishment during the construction of an SDN network.
Summary of the invention
The object of the invention is to provide an SDN-oriented method and system for self-configuring the communication channel between the control layer and the data layer, to solve the problems that, in current large-scale SDN networks, manual configuration of this channel is time-consuming, laborious and unreliable.
To this end, the present invention proposes an SDN-oriented method for self-configuring the communication channel between the control layer and the data layer, for establishing a communication channel between a controller in the control layer and a device in the data layer of an SDN network. The method includes:
A self-configuration management process: based on a whitelist formed with an authorized USB drive, mutual authentication between the controller and the device is completed, after which a secure communication channel is established between the controller and the device.
In the above method, the self-configuration management process includes:
A whitelist generation step: the authorized USB drive collects the information of the legitimate devices that are to join the network to form the whitelist, and while collecting that information stores the controller's signing information in each legitimate device;
An authentication step: the controller authenticates the identity of the device against the whitelist, and the device authenticates the identity of the controller by means of the controller's signature;
A channel configuration step: the controller and the device that completed identity authentication in the authentication step complete self-configuration and establish a secure communication channel between them.
In the above method, the self-configuration management process further includes:
An automatic channel termination step: based on the information of devices to be deleted collected in the authorized USB drive, the controller deletes the IDs of those devices from its whitelist and releases their communication channels.
In the above method, the whitelist generation step includes:
An information exchange step: the authorized USB drive reads the identification information of the device, adds it to the whitelist, and at the same time stores the controller's signing information in the device;
An information adding step: the identification information of the device is added to the controller's whitelist by means of the authorized USB drive; whenever a new device is added to the SDN network, the information exchange step is performed, the information of the new device is added to the controller's whitelist and the controller's signing information is stored in the device, so that the controller and the device can authenticate each other.
In the above method, the authentication step includes:
A preliminary connection step: when the device joins the SDN network for the first time, it broadcasts its identity information in the network; other devices in the network learn its identity information through neighbour discovery and report it to the controller;
A device identity authentication step: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if it is valid, responds with its credential information; the controller checks whether the credential information is in the whitelist; if it is, the device's identity is verified, otherwise the verification of the device's identity fails.
In the above method, the channel configuration step includes:
A message request sending step: the controller sends an invitation message to the device that passed authentication;
A power-on request sending step: the device receives the invitation message and verifies the controller's signature; if it is valid, the device generates a public key and a private key for the communication and sends a power-on request to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
A power-on request reply step: the controller receives the certificate, the signature of the certificate and the device's public key and sends a start response message to the device, and the device establishes a secure communication channel with the controller.
In the above method, in the power-on request reply step the controller assigns the device an IP address over the established secure communication channel, so as to identify the device uniquely.
The present invention also provides an SDN-oriented system for self-configuring the communication channel between the control layer and the data layer, for establishing a communication channel between a controller in the control layer and a device in the data layer of an SDN network using the above method. The system includes:
A self-configuration management module: based on a whitelist formed with an authorized USB drive, it completes mutual authentication between the controller and the device and then establishes a secure communication channel between them.
In the above system, the self-configuration management module includes:
A whitelist generation module: the authorized USB drive collects the information of the legitimate devices that are to join the network to form the whitelist, and while collecting that information stores the controller's signing information in each legitimate device;
An authentication module: it authenticates the identity of the device to the controller against the whitelist, and the identity of the controller to the device by means of the controller's signature;
A channel configuration module: for the controller and the device whose identities were authenticated by the authentication module, it completes self-configuration and establishes a secure communication channel between them.
In the above system, the self-configuration management module further includes:
An automatic channel termination module: based on the information of devices to be deleted collected in the authorized USB drive, it deletes the IDs of those devices from the controller's whitelist and releases their communication channels.
In the above system, the whitelist generation module includes:
An information exchange module: the authorized USB drive reads the identification information of the device, adds it to the whitelist and at the same time stores the controller's signing information in the device;
An information adding module: it adds the identification information of the device to the controller's whitelist by means of the authorized USB drive; whenever a new device is added to the SDN network, the information exchange step is performed, the information of the new device is added to the controller's whitelist and the controller's signing information is stored in the device, so that the controller and the device can authenticate each other.
In the above system, the authentication module includes:
A preliminary connection module: when the device joins the SDN network for the first time, it broadcasts its identity information in the network; other devices in the network learn its identity information through neighbour discovery and report it to the controller;
A device identity authentication module: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if it is valid, responds with its credential information; the controller checks whether the credential information is in the whitelist; if it is, the device's identity is verified, otherwise the verification of the device's identity fails.
In the above system, the channel configuration module includes:
A message request sending module: the controller sends an invitation message to the device that passed authentication;
A power-on request sending module: the device receives the invitation message and verifies the controller's signature; if it is valid, the device generates a public key and a private key for the communication and sends a power-on request to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
A power-on request reply module: the controller receives the certificate, the signature of the certificate and the device's public key and sends a start response message to the device, and the device establishes a secure communication channel with the controller.
Compared with the prior art, the invention has the advantage of providing a technical scheme for automatically configuring the communication channel between the control layer and the data layer.
By means of the device whitelist generation method based on an authorized USB drive, the whitelist-based authentication of new devices, the whitelist-based self-configuration of the control-layer to data-layer communication channel and the whitelist-based automatic termination of that channel, the invention can simply and efficiently automate both the configuration and the termination of the communication channel between the control layer and the data layer, reducing the cost of building and reconstructing large-scale SDN networks and making changes to the network topology more flexible and convenient.
Brief description of the drawings
Fig. 1 is a schematic diagram of the prior art SDN network architecture;
Fig. 2 is a flow chart of the SDN-oriented method of the present invention for self-configuring the communication channel between the control layer and the data layer;
Fig. 3 is a detailed flow chart of the method of the present invention;
Fig. 4 is a schematic diagram of a scenario for a specific embodiment of the method of the present invention;
Fig. 5 is a structural diagram of the SDN-oriented system of the present invention for self-configuring the communication channel between the control layer and the data layer;
Fig. 6 is a detailed structural diagram of the system of the present invention.
Reference numerals:
1 self-configuration management module
11 whitelist generation module; 12 authentication module
13 channel configuration module; 14 automatic channel termination module
111 information exchange module; 112 information adding module
121 preliminary connection module; 122 device identity authentication module
131 message request sending module; 132 power-on request sending module
133 power-on request reply module
S11~S14, S111~S112, S121~S122, S131~S133: steps of the method in the embodiments of the present invention
Detailed description of the embodiments
The present invention is described in detail below with reference to the drawings and specific embodiments, which do not limit the invention.
The present invention addresses the problems that, in current large-scale SDN networks, manual configuration of the communication channel between the control layer and the data layer is time-consuming, laborious and unreliable. For these problems it proposes a self-configuration technique for that channel, for an SDN network with a single controller, based on a whitelist generated with an authorized USB drive. The technique targets an SDN environment with only one controller: the information of legitimate devices is collected with the authorized USB drive to form a whitelist, which helps realize mutual authentication between the control-layer device and the data-layer devices, and once authentication has passed, the self-configuration of the communication channel between the two layers can proceed. The technique greatly reduces the manual work during SDN network construction (in particular when a network is first built or rebuilt) and improves the efficiency and reliability of network configuration.
As shown in Fig. 2, the present invention provides an SDN-oriented method for self-configuring the communication channel between the control layer and the data layer, for establishing a communication channel between a controller in the control layer and a device in the data layer of an SDN network. The method includes:
Self-configuration management process S1: based on a whitelist formed with an authorized USB drive, mutual authentication between the controller and the device is completed, after which a secure communication channel is established between them.
The self-configuration management process S1 includes:
Whitelist generation step S11: the authorized USB drive collects the information of the legitimate devices that are to join the network to form the whitelist, and while collecting it stores the controller's signing information in each legitimate device;
Authentication step S12: the controller authenticates the device's identity against the whitelist, and the device authenticates the controller's identity by means of the controller's signature;
Channel configuration step S13: the controller and the device that completed identity authentication in step S12 complete self-configuration and establish a secure communication channel between them;
Automatic channel termination step S14: based on the information of devices to be deleted collected in the authorized USB drive, the controller deletes their IDs from its whitelist and releases their communication channels.
As shown in Fig. 3, whitelist generation step S11 includes:
Information exchange step S111: the authorized USB drive reads the device's identification information, adds it to the whitelist, and at the same time stores the controller's signing information in the device;
Information adding step S112: the device's identification information is added to the controller's whitelist by means of the authorized USB drive; whenever a new device is added to the SDN network, the information exchange step is performed, the new device's information is added to the controller's whitelist and the controller's signing information is stored in the device, so that the controller and the device can authenticate each other.
As shown in Fig. 3, authentication step S12 includes:
Preliminary connection step S121: when a device joins the SDN network for the first time, it broadcasts its identity information in the network; other devices in the network learn the identity information of the new device through neighbour discovery and report it to the controller;
Device identity authentication step S122: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if it is valid, responds with its credential information; the controller checks whether the credential information is in the whitelist; if it is, the device's identity is verified, otherwise the verification of the device's identity fails.
As shown in Fig. 3, channel configuration step S13 includes:
Message request sending step S131: the controller sends an invitation message to the device that passed authentication;
Power-on request sending step S132: the device receives the invitation message and verifies the controller's signature; if it is valid, the device generates a public key and a private key for the communication and sends a power-on request to the controller, providing it with a certificate, the signature of the certificate and the device's public key;
Power-on request reply step S133: the controller receives the certificate, the signature of the certificate and the device's public key and sends a start response message to the device, and the device establishes a secure communication channel with the controller; the controller then assigns the device an IP address over the established secure communication channel, so as to identify the device uniquely.
The invention is further described below with reference to the drawings and a specific embodiment.
In practical application, as shown in Fig. 4, the network scenario consists of one controller and several devices that need to join the network. To realize self-configuration of the communication channel between the control layer and the data layer, a new module for self-configuration management (Auto-Configuration Management) has to be added to the controller and to each device to carry out the self-configuration work. An authorized USB drive also has to be prepared in advance for collecting device information, for generating the whitelist and for sweeping devices out of it. The authorized USB drive carries two kinds of program: one for extending the whitelist, which mainly collects the information of the devices that are to join the network so that it can be added to the controller's whitelist; the other for reducing the whitelist, which mainly collects the information of the devices that are to be deleted so that they can be removed from the controller's whitelist. Generating the whitelist with an authorized USB drive requires neither complex key management and pre-configuration nor complex manual operation, so the automatic configuration of the control-layer to data-layer communication channel is realized simply and efficiently.
Specific embodiment: the device whitelist generation method based on an authorized USB drive. To ensure the legitimacy of the devices that join the network and allow them to communicate with the controller, while preventing illegitimate devices from entering the network and creating potential threats to it, the authorized USB drive is used before networking to collect the information of all the legitimate devices that are to join the network and form a whitelist, so that the controller can judge the legitimacy of a joining device against it.
The authorized USB drive holds the highest privilege in the whole network. By interacting with the self-configuration management module (Auto-Configuration Management) in a device it reads the device's information, mainly information that identifies the device such as its MAC address and identifiers such as 802.1AR credentials, and adds the information read to the whit list; at the same time the authorized USB drive stores the controller's signing information in the device's self-configuration management module. Once the authorized USB drive has collected the information of all devices and formed the complete whitelist, it is plugged into the controller and the list is added to the controller's whitelist. Later, if a device needs to be added to the network, it is only necessary to plug the authorized USB drive into the new device to collect its information and then plug it into the controller to add the newly collected information to the controller's whitelist.
Being mutually authenticated for controller and equipment is completed as medium.The equipment for only authorizing USB flash disk insertion is considered as just to close
Method equipment, and without doing any processing to equipment, as long as insertion authorizes USB flash disk.Afterwards, often when a new device joins the network,
Will pass through verification process, completion controller and interchanger are mutually authenticated.
In a specific embodiment of the invention, new devices are authenticated on the basis of the whitelist. Once the whitelist of legitimate devices has been stored in the controller by the whitelist generation method above, a new device is authenticated by the following steps:
1) after the new device joins the network, it broadcasts its information to the network;
2) through neighbour discovery, the devices already in the network discover the newly joined device and report it to the controller;
3) the controller requests the new device's credential information;
4) if the controller's signature passes verification, the new device sends its credential information to the controller; the controller checks whether this credential is in its whitelist and, if so, sends an Invite message to the new device inviting it to join the network; otherwise it sends a Reject message refusing the new device's join request.
In a specific embodiment of the invention, the communication channel between the control layer and the data layer is self-configured on the basis of the whitelist. Through the steps above the controller has authenticated the legitimacy of the new device; the controller and the new device now interact to complete the configuration of the control-layer to data-layer communication channel. The main steps of the configuration process are:
1) the controller sends an Invite message to the newly authenticated device;
2) the new device receives the Invite message and first verifies whether the controller's signature is valid; if verification passes, the device generates a public key and private key for communication and sends a "Boot strap request" message to the controller, providing it with a PKCS10 certificate request, the PKCS10_signature (the signature over that request) and its public key;
3) the controller receives the message and sends a "Boot strap reply" message to the device containing the certificate of the controller's management domain (the domain formed by the devices managed by the controller); the device has now become a member of this domain and can establish a secure communication channel with the controller, over which the controller can assign the device an IP address that uniquely identifies it;
4) the device can now communicate with the controller, and the handling of network flows passing through the device is decided according to the policy of this controller or of upper-layer applications.
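The whitelist build-up, the whitelist-based authentication and the channel bootstrap described in the three passages above, simulated end to end as an added example (this is not the patent's code and the patent specifies no concrete formats). Assumptions made here: a device identity is its MAC address plus an 802.1AR-style credential ID (the `idevid` field); the "signing information" the drive leaves on the device is the controller's public key; the PKCS10 request is a small dict signed with the device's new private key; the IP pool 10.0.0.0/24 and all message names are invented; and signatures are textbook RSA over SHA-256 with small fixed primes, a toy stand-in that is not secure and only shows where each signature is produced and checked.

```python
"""Added example (not the patent's code): whitelist build-up with the
authorized USB flash drive, whitelist-based authentication of a new device
and bootstrap of the control channel, simulated end to end.
Assumptions: identity = MAC + 802.1AR-style credential ID; the drive leaves
the controller's public key on the device as its "signing information";
signatures are textbook RSA over SHA-256 with small fixed primes (toy, NOT
secure); message names and the 10.0.0.0/24 pool are invented."""
import hashlib
import ipaddress
import json


def keygen(p, q, e=65537):
    """Toy RSA key pair from two fixed primes: returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def digest(obj, n):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(obj, pub, priv):
    return pow(digest(obj, pub[0]), priv, pub[0])


def verify(obj, sig, pub):
    return pub is not None and pow(sig, pub[1], pub[0]) == digest(obj, pub[0])


class Device:
    def __init__(self, mac, idevid):
        self.mac, self.idevid = mac, idevid
        self.acm = {}                      # Auto-Configuration Management store
        self.keys = self.domain_cert = self.ip = None

    def identity(self):                    # what the USB drive reads via the ACM
        return {"mac": self.mac, "idevid": self.idevid}

    def on_credential_request(self, msg, sig):
        # Device's half of mutual authentication: answer only a request that
        # carries a valid controller signature (key left by the USB drive).
        if not verify(msg, sig, self.acm.get("controller_pub")):
            return None
        return self.identity()

    def on_invite(self, msg, sig):
        if not (verify(msg, sig, self.acm.get("controller_pub"))
                and msg["type"] == "Invite"):
            return None
        self.keys = keygen(1000037, 1000039)              # fresh pair, toy primes
        dpub, dpriv = self.keys
        csr = {"subject": self.idevid, "public_key": list(dpub)}  # PKCS10 stand-in
        return {"type": "BootstrapRequest", "csr": csr,
                "csr_signature": sign(csr, dpub, dpriv), "public_key": list(dpub)}

    def on_bootstrap_reply(self, reply):
        cert = reply["domain_cert"]
        if not verify(cert, reply["domain_cert_sig"], self.acm["controller_pub"]):
            return False
        self.domain_cert, self.ip = cert, reply["ip"]
        return True


class AuthorizedUSB:
    """Network-wide privilege: collects identities and leaves the controller's
    signing information on every device it is plugged into."""
    def __init__(self, controller_pub):
        self.controller_pub, self.collected = controller_pub, []

    def visit(self, device):
        self.collected.append(device.identity())
        device.acm["controller_pub"] = self.controller_pub


class Controller:
    def __init__(self):
        self.pub, self.priv = keygen(1000003, 1000033)
        self.whitelist, self.members = {}, {}
        self.pool = ipaddress.ip_network("10.0.0.0/24").hosts()

    def import_whitelist(self, usb):          # the drive is plugged in here
        for ident in usb.collected:
            self.whitelist[ident["idevid"]] = ident

    def signed(self, msg):
        return msg, sign(msg, self.pub, self.priv)

    def on_neighbor_report(self, device):
        """Steps 3-4: request the credential and check it against the whitelist."""
        cred = device.on_credential_request(*self.signed({"type": "CredentialRequest"}))
        if cred is not None and self.whitelist.get(cred["idevid"]) == cred:
            return self.signed({"type": "Invite", "idevid": cred["idevid"]})
        return self.signed({"type": "Reject"})

    def on_bootstrap_request(self, req):
        dpub = tuple(req["public_key"])
        if not verify(req["csr"], req["csr_signature"], dpub):   # proof of possession
            return None
        cert = {"issuer": "controller-domain", **req["csr"]}     # domain certificate
        ip = str(next(self.pool))
        self.members[cert["subject"]] = ip
        return {"type": "BootstrapReply", "domain_cert": cert,
                "domain_cert_sig": sign(cert, self.pub, self.priv), "ip": ip}


def enroll(controller, device):
    """Full join: neighbour report, authentication, channel bootstrap."""
    msg, sig = controller.on_neighbor_report(device)
    if msg["type"] != "Invite":
        return "rejected"
    req = device.on_invite(msg, sig)
    reply = controller.on_bootstrap_request(req) if req else None
    return "member" if reply and device.on_bootstrap_reply(reply) else "failed"
```

Two points the simulation makes visible that the prose does not: a device that never saw the drive has no controller key and therefore answers nothing, so it is rejected before the whitelist is even consulted, and a device that somehow obtains the controller's public key is still rejected because its identity is absent from the whitelist; the whitelist check compares the whole identity, so a MAC that does not match the stored credential also fails.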
In a specific embodiment of the invention, the communication channel between the control layer and the data layer is terminated automatically on the basis of the whitelist. During actual operation of the network a device often has to be deleted because of a device failure or a network topology adjustment, and the control-layer to data-layer communication channel of that device must then also be deleted. Under the whitelist scheme a device can be deleted in two ways: from the controller end and from the device end.
Deletion from the controller end is usually done directly by device ID, that is, the ID stored in the controller's whitelist is deleted directly, so the crux is determining the physical device that corresponds to the device ID. The most direct but clumsy method is to confirm the switch with the authorized USB flash drive, which is usually very inefficient. To improve efficiency, the position of the physical device can be found from the network topology stored at the controller end; the corresponding physical device is then found at the physical layer by following network connectivity and removed, releasing the control-layer to data-layer communication channel.
Deletion from the device end is usually needed when the device has failed for a reason such as a hardware fault; the key is to find the device's ID and delete it from the controller's whitelist. The method is: first insert the authorized USB flash drive carrying the deletion program (or a separate authorized USB flash drive dedicated to managing device deletion) into the device to be deleted, read the device's ID information by interacting with the device's Auto-Configuration Management module, then insert the USB flash drive into the controller, where the controller-end program deletes the corresponding device ID from its whitelist. However, the device to be deleted sometimes cannot be powered on, so the authorized USB flash drive cannot obtain the device information by interacting with the device's Auto-Configuration Management module. In that case the information of the available devices is collected first and the list of IDs of the available devices is subtracted from the controller-end whitelist; the remainder is the ID of the unavailable device, and deleting it from the controller-end whitelist releases the control-layer to data-layer communication channel.
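The two deletion paths above, controller end and device end, as an added example against a small in-memory model (not the patent's code). Assumptions made here: the controller keeps the whitelist as a dict keyed by device ID, a graph of physical links from which the device's position is found, and one control channel per whitelisted device; the authorized USB flash drive is modelled as a function that returns the ID read through the device's Auto-Configuration Management module, or None when the device cannot be powered on.

```python
"""Added example (not the patent's code): controller-end and device-end
deletion of a whitelisted device and release of its control channel.
Assumptions: whitelist = dict keyed by device ID; topology = undirected
physical links rooted at "controller"; usb_read_id(dev) models the
authorized drive reading the ID via the ACM module, None = will not boot."""
from collections import deque


class ControllerState:
    def __init__(self, whitelist, links):
        self.whitelist = dict(whitelist)             # device_id -> identity info
        self.channels = {dev: "up" for dev in whitelist}
        self.adj = {}                                 # physical connectivity
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)

    def locate(self, device_id):
        """Controller-end deletion: follow the stored topology from the
        controller's attachment point to the physical device (BFS path)."""
        prev, queue = {"controller": None}, deque(["controller"])
        while queue:
            node = queue.popleft()
            if node == device_id:
                path = []
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            for nxt in sorted(self.adj.get(node, ())):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        return None                                   # not in the topology

    def release(self, device_id):
        """Delete the ID from the whitelist and tear down its control channel."""
        if device_id not in self.whitelist:
            return False
        del self.whitelist[device_id]
        self.channels.pop(device_id, None)
        for peer in self.adj.pop(device_id, set()):
            self.adj[peer].discard(device_id)
        return True

    def delete_from_controller_end(self, device_id):
        # Find the physical device first, then delete the ID; returns the
        # physical path that was followed, or None if it is unknown.
        path = self.locate(device_id)
        return path if path and self.release(device_id) else None

    def delete_from_device_end(self, usb_read_id, target, all_devices):
        """If the target powers on, delete exactly the ID the drive read.
        Otherwise subtract the IDs collected from the still-available devices
        from the whitelist and delete whatever remains."""
        device_id = usb_read_id(target)
        if device_id is not None:
            return {device_id} if self.release(device_id) else set()
        available = {usb_read_id(dev) for dev in all_devices if dev != target}
        available.discard(None)
        unavailable = set(self.whitelist) - available
        for dev in unavailable:
            self.release(dev)
        return unavailable
```

The set difference in the second path removes every whitelisted ID that was not collected, not only the failed device, so any device that merely happens to be powered off while the drive makes its round is removed with it; the collection must cover every device that is still meant to stay in the network before the subtraction is applied.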
In addition, the present invention also provides a control-layer to data-layer communication channel self-configuration system for an SDN, used to establish a communication channel between a controller in the control layer and a device in the data layer of the SDN by the control-layer to data-layer communication channel self-configuration method for an SDN described above. As shown in Figure 5, the system includes:
Self-configuration management module 1: based on the whitelist formed with the authorized USB flash drive, after mutual authentication between the controller and the device is completed, establishes a secure communication channel between the controller and the device.
As shown in Figure 5, the self-configuration management module 1 includes:
Whitelist generation module 11: collects, with the authorized USB flash drive, the information of legitimate devices that are to join the network to form the whitelist; while collecting the legitimate device information, the authorized USB flash drive stores the controller's signing information into the legitimate devices.
Authentication module 12: completes identity legitimacy authentication of the device by the controller based on the whitelist, and completes identity legitimacy authentication of the controller by the device based on the controller's signature.
Channel configuration module 13: for the controller and device that have completed identity legitimacy authentication in the authentication step, completes self-configuration and establishes the secure communication channel between the authenticated controller and device.
Automatic channel termination module 14: based on the information of the device to be deleted collected on the authorized USB flash drive, deletes the ID of the device to be deleted from the controller's whitelist and releases the communication channel.
As shown in Figure 6, the whitelist generation module 11 includes:
Information interaction module 111: the authorized USB flash drive reads the identification information of the device and adds it to the list of the whitelist, and at the same time adds the controller's signing information into the device.
Information adding module 112: adds the identification information of the device into the controller's whitelist through the authorized USB flash drive; when a new device is added to the SDN, the information interaction step is performed, the information of the newly added device is added into the controller's whitelist and the controller's signing information is added into the device, so as to achieve authentication between the controller and the device.
As shown in Figure 6, the authentication module 12 includes:
Preliminary connection module 121: when a device joins the SDN for the first time, it broadcasts its identity information in the SDN, and the other devices in the network, after discovering the device's identity information through neighbour discovery, report it to the controller.
Device identity authentication module 122: the controller sends a message requesting the device's credential information to the device; the device verifies the controller's signature and responds with its credential information after verification passes; the controller checks whether the credential information is in the whitelist, and if so the identity legitimacy of the device is verified, otherwise device identity legitimacy verification fails.
As shown in Figure 6, the channel configuration module 13 includes:
Message request sending module 131: the controller sends an invitation message to the device that has passed identity authentication.
Bootstrap request message sending module 132: the device receives the invitation message and verifies the controller's signature; after verification passes, the device generates a public key and private key for communication and sends a bootstrap request message to the controller, providing the controller with a certificate, the certificate signature and the device's public key.
Bootstrap request message reply module 133: the controller receives the certificate, the certificate signature and the device's public key and sends a bootstrap reply message to the device, and the device establishes a secure communication channel with the controller; over the established secure communication channel the controller assigns the device an IP address, so as to uniquely identify the device.
In summary, with the present invention the authorized USB flash drive collects the information of all legitimate devices and forms the whitelist by simple plug-in operations, and the controller can verify the legitimacy of new devices accordingly. This simple operation simplifies the work of building the network and improves its efficiency. In addition, the controller of the present invention authenticates new devices according to the whitelist, and the whole process is fully automatic with no human participation; it is simple and efficient and helps to build an SDN efficiently. Further, the present invention makes the establishment of the control-layer to data-layer channel an automatic process that needs no human participation, reducing the cost of building the network while improving the efficiency of its construction. Finally, automatic termination of the control-layer to data-layer communication channel under the device whitelist of the present invention needs no manual configuration at all, which clearly improves the efficiency of handling the communication channel between the control layer and the data layer.
Of course, the present invention may also have various other embodiments; without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and variations according to the present invention, but all such corresponding changes and variations shall fall within the scope of protection of the appended claims of the present invention.
Claims (13)
1. A control-layer to data-layer communication channel self-configuration method for an SDN, used to establish a communication channel between a controller in the control layer and a device in the data layer of the SDN, characterised in that the method includes:
a self-configuration management step: based on a whitelist formed with an authorized USB flash drive, after mutual authentication between the controller and the device is completed, establishing a secure communication channel between the controller and the device.
2. The control-layer to data-layer communication channel self-configuration method for an SDN according to claim 1, characterised in that the self-configuration management step includes:
a whitelist generation step: collecting, with the authorized USB flash drive, the information of legitimate devices that are to join the network to form the whitelist, the authorized USB flash drive storing the signing information of the controller into the legitimate devices while collecting the legitimate device information;
an authentication step: completing identity legitimacy authentication of the device by the controller based on the whitelist, and completing identity legitimacy authentication of the controller by the device based on the signature of the controller;
a channel configuration step: for the controller and the device that have completed identity legitimacy authentication in the authentication step, completing self-configuration and establishing the secure communication channel between the authenticated controller and device.
3. The control-layer to data-layer communication channel self-configuration method for an SDN according to claim 2, characterised in that the self-configuration management step further includes:
an automatic channel termination step: based on the information of the device to be deleted collected on the authorized USB flash drive, deleting the ID of the device to be deleted from the whitelist of the controller and releasing the communication channel.
4. The control-layer to data-layer communication channel self-configuration method for an SDN according to claim 2, characterised in that the whitelist generation step includes:
an information interaction step: the authorized USB flash drive reads the identification information of the device, adds the device identification information to the list of the whitelist, and at the same time adds the signing information of the controller into the device;
an information adding step: the authorized USB flash drive adds the identification information of the device into the whitelist of the controller; when a new device is added to the SDN, the information interaction step is performed, the information of the newly added device is added into the whitelist of the controller and the signing information of the controller is added into the device, so as to achieve authentication between the controller and the device.
5. The control-layer to data-layer communication channel self-configuration method for an SDN according to claim 2, characterised in that the authentication step includes:
a preliminary connection step: when the device joins the SDN for the first time, the device broadcasts its identity information in the SDN, and the other devices in the network, after discovering the identity information of the device through neighbour discovery, report it to the controller;
a device identity authentication step: the controller sends a message requesting device credential information to the device, the device verifies the signature of the controller and responds with the credential information after verification passes, and the controller checks whether the credential information is in the whitelist; if so, the identity legitimacy of the device is verified, otherwise the device identity legitimacy verification fails.
6. The control-layer to data-layer communication channel self-configuration method for an SDN according to claim 2, characterised in that the channel configuration step includes:
a message request sending step: the controller sends an invitation message to the device that has passed identity authentication;
a bootstrap request message sending step: the device receives the invitation message and verifies the signature of the controller; after verification passes, the device generates a public key and private key for communication and sends a bootstrap request message to the controller, providing the controller with a certificate, the signature of the certificate and the public key of the device;
a bootstrap request message reply step: the controller receives the certificate, the signature of the certificate and the public key of the device and sends a bootstrap reply message to the device, and the device and the controller establish a secure communication channel.
7. The control-layer to data-layer communication channel self-configuration method for an SDN according to claim 6, characterised in that, in the bootstrap request message reply step, the controller assigns an IP address to the device over the established secure communication channel, so as to uniquely identify the device.
8. A control-layer to data-layer communication channel self-configuration system for an SDN, used to establish a communication channel between a controller in the control layer and a device in the data layer of the SDN by the control-layer to data-layer communication channel self-configuration method for an SDN according to any one of claims 1 to 7, characterised in that the system includes:
a self-configuration management module: based on a whitelist formed with an authorized USB flash drive, after mutual authentication between the controller and the device is completed, establishing a secure communication channel between the controller and the device.
9. The control-layer to data-layer communication channel self-configuration system for an SDN according to claim 8, characterised in that the self-configuration management module includes:
a whitelist generation module: collecting, with the authorized USB flash drive, the information of legitimate devices that are to join the network to form the whitelist, the authorized USB flash drive storing the signing information of the controller into the legitimate devices while collecting the legitimate device information;
an authentication module: completing identity legitimacy authentication of the device by the controller based on the whitelist, and completing identity legitimacy authentication of the controller by the device based on the signature of the controller;
a channel configuration module: for the controller and the device that have completed identity legitimacy authentication in the authentication module, completing self-configuration and establishing the secure communication channel between the authenticated controller and device.
10. The control-layer to data-layer communication channel self-configuration system for an SDN according to claim 9, characterised in that the self-configuration management module further includes:
an automatic channel termination module: based on the information of the device to be deleted collected on the authorized USB flash drive, deleting the ID of the device to be deleted from the whitelist of the controller and releasing the communication channel.
11. The control-layer to data-layer communication channel self-configuration system for an SDN according to claim 9, characterised in that the whitelist generation module includes:
an information interaction module: the authorized USB flash drive reads the identification information of the device, adds the device identification information to the list of the whitelist, and at the same time adds the signing information of the controller into the device;
an information adding module: the authorized USB flash drive adds the identification information of the device into the whitelist of the controller; when a new device is added to the SDN, the information interaction step is performed, the information of the newly added device is added into the whitelist of the controller and the signing information of the controller is added into the device, so as to achieve authentication between the controller and the device.
12. The control-layer to data-layer communication channel self-configuration system for an SDN according to claim 9, characterised in that the authentication module includes:
a preliminary connection module: when the device joins the SDN for the first time, the device broadcasts its identity information in the SDN, and the other devices in the network, after discovering the identity information of the device through neighbour discovery, report it to the controller;
a device identity authentication module: the controller sends a message requesting device credential information to the device, the device verifies the signature of the controller and responds with the credential information after verification passes, and the controller checks whether the credential information is in the whitelist; if so, the identity legitimacy of the device is verified, otherwise the device identity legitimacy verification fails.
13. The control-layer to data-layer communication channel self-configuration system for an SDN according to claim 9, characterised in that the channel configuration module includes:
a message request sending module: the controller sends an invitation message to the device that has passed identity authentication;
a bootstrap request message sending module: the device receives the invitation message and verifies the signature of the controller; after verification passes, the device generates a public key and private key for communication and sends a bootstrap request message to the controller, providing the controller with a certificate, the signature of the certificate and the public key of the device;
a bootstrap request message reply module: the controller receives the certificate, the signature of the certificate and the public key of the device and sends a bootstrap reply message to the device, and the device and the controller establish a secure communication channel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510181648.8A CN104811338B (en) | 2015-04-16 | 2015-04-16 | Control-layer to data-layer communication channel self-configuration method and system for an SDN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104811338A CN104811338A (en) | 2015-07-29 |
CN104811338B true CN104811338B (en) | 2018-02-06 |
Family ID: 53695849
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| EXSB | Decision made by SIPO to initiate substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | Granted publication date: 2018-02-06 |
| CF01 | Termination of patent right due to non-payment of annual fee | Termination date: 2020-04-16 |