CN107181720A - A kind of method and device of software definition networking SDN secure communications - Google Patents

Info

Publication number: CN107181720A
Authority: CN (China)
Legal status: Granted, Active
Application number: CN201610139226.9A
Other languages: Chinese (zh)
Other versions: CN107181720B (en)
Inventor: 柯志勇
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201610139226.9A
Priority to PCT/CN2017/074331
Publication of CN107181720A
Application granted
Publication of CN107181720B

Classifications

    • H04L9/40 Network security protocols
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
Abstract

The present invention provides a method and device for software-defined networking (SDN) secure communication. It relates to the field of information security technology and solves the prior-art problem that a cloud security service provider controlling SDN computing and storage services presents a great potential security hazard. The method of SDN secure communication is applied to a first SDN controller and includes: obtaining a user request from a user terminal; sending the user request to a cloud server, and receiving a detection result returned by the cloud server after it performs security detection on the user request; processing the detection result, producing a processing result, and sending the detection result and/or the processing result to the user terminal.

Description

A kind of method and device of software definition networking SDN secure communications
Technical field
The present invention relates to the field of information security technology, and in particular to a method and device for software-defined networking (SDN) secure communication.
Background technology
SDN (Software Defined Network) is an open network architecture. Its core technology, OpenFlow, separates the control plane and the data plane of network devices, thereby achieving flexible control of network traffic.
Through SDN, administrators can view and modify all regions of the network; by viewing and modifying the network and changing rules in time, the system gains better security. Administrators can centrally view the capabilities inside the network and quickly restrict them, and then make effective changes. For example, when malicious software appears in the network, its flows can be blocked by the control plane using SDN and the OpenFlow protocol suite, limiting the outbreak without having to access multiple routers or switches.
With the application and development of cloud computing, cloud security service has also become a service mode of SDN. Cloud security service has advantages in performance, scalability, availability and fault tolerance, but cloud access also carries certain potential security hazards. Therefore, when a cloud security service provider controls SDN computing and storage services, a great potential security hazard exists.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method and device for SDN secure communication, to solve the prior-art problem that a cloud security service provider controlling SDN computing and storage services presents a great potential security hazard.
To achieve this goal, an embodiment of the present invention provides a method of software-defined network (SDN) secure communication, applied to a first SDN controller, the method including:
obtaining a user request from a user terminal;
sending the user request to a cloud server, and receiving a detection result returned by the cloud server after it performs security detection on the user request;
processing the detection result, producing a processing result, and sending the detection result and/or the processing result to the user terminal.
Further, the user request of the user terminal includes: a user access request of a cloud user and/or at least one first network authorization request of a user terminal having a terminal application, where the at least one first network authorization request includes: the user name of the user terminal, a password corresponding to the user name, and the domain in which the user terminal is located.
Further, when the user request of the user terminal is a user access request of a cloud user, sending the user request to the cloud server and receiving the detection result returned by the cloud server after it performs security detection on the user request includes:
when detecting that the user access request of the cloud user is a first-sent user access request, forwarding the user access request to the cloud server;
receiving the detection result returned by the cloud server after it performs security detection on the user access request, where the detection result includes: a detection result of denying access to the first SDN controller, or a detection result of accepting access to the first SDN controller, produced by the cloud server after detecting the security of the user access request.
Further, processing the detection result, producing the processing result, and sending the detection result and/or the processing result to the user terminal includes:
processing the detection result to produce a flow entry record;
sending the detection result and the flow entry record to the cloud user, where the flow entry record includes: a state field corresponding to the user access request.
The method of SDN secure communication also includes:
detecting that a flow entry record corresponding to the user access request of the cloud user exists, and determining that the user access request is not a first-sent user access request;
returning a processing result of the cloud user for the user access request of the cloud user, where the processing result includes: the detection result, recorded by the flow entry record, that the user access request of the cloud user was detected as safe by the cloud server and access to the first SDN controller was accepted.
Further, when the user request of the user terminal is a first network authorization request of a user terminal having a terminal application, sending the user request to the cloud server and receiving the detection result returned by the cloud server after it performs security detection on the user request includes:
sending the first network authorization request to the cloud server;
receiving the detection result returned by the cloud server after it performs security detection on the first network authorization request, where the detection result includes: whether a second network authorization request with the same user name, password and domain as the first network authorization request exists in the first SDN controller.
Further, processing the detection result, producing the processing result, and sending the detection result and/or the processing result to the user terminal includes:
when the detection result is that no second network authorization request with the same user name, password and domain as the first network authorization request exists in the first SDN controller, generating, according to the first network authorization request, a first token code uniquely corresponding to the first network authorization request;
verifying the user name, password and domain in the first network authorization request, and, when verification passes, generating an authorization target object carrying the first network authorization request and the first token code and sending the authorization target object to the user terminal.
Further, processing the detection result, producing the processing result, and sending the detection result and/or the processing result to the user terminal includes:
when the detection result is that a second network authorization request with the same user name, password and domain as the first network authorization request exists in the first SDN controller, obtaining a second token code uniquely corresponding to the second network authorization request, generating an authorization target object carrying the first network authorization request and the second token code, and sending the authorization target object to the user terminal.
Further, when the user request of the user terminal is a plurality of first network authorization requests of a user terminal having a terminal application, sending the user request to the cloud server and receiving the detection result returned by the cloud server after it performs security detection on the user request includes:
assigning each first network authorization request a corresponding priority;
sending the first network authorization requests to the cloud server according to the priority;
receiving the detection results returned by the cloud server after it performs security detection on the first network authorization requests according to the priority.
The method of SDN secure communication also includes:
converting, through a predetermined interface, the data format of the detection result so that it matches the data format of the first SDN controller.
The method of SDN secure communication also includes:
establishing a connection between the first SDN controller and at least one second SDN controller, where the at least one second SDN controller is in a different domain from the first SDN controller;
obtaining a user request of a user terminal in the domain where the at least one second SDN controller is located.
An embodiment of the present invention also provides a method of SDN secure communication, applied to a cloud server, the method including:
receiving a user request forwarded from a first SDN controller, where the user request is sent by a user terminal to the first SDN controller;
performing security detection on the user request and producing a detection result;
sending the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the user terminal.
Further, receiving the user request forwarded from the first SDN controller includes:
receiving a user access request sent by a cloud user and forwarded from the first SDN controller.
Further, performing security detection on the user request and producing the detection result includes:
for the user access request, detecting the security of the user access request and producing a detection result of denying access to the first SDN controller or of accepting access to the first SDN controller.
Further, receiving the user request forwarded from the first SDN controller includes:
receiving at least one first network authorization request sent by a user terminal having a terminal application and forwarded from the first SDN controller, where the first network authorization request includes: the user name of the user terminal, the password corresponding to the user name, and the domain where the user terminal is located.
Further, performing security detection on the user request and producing the detection result includes:
detecting whether a second network authorization request with the same user name, password and domain as the first network authorization request exists in the first SDN controller, and producing a detection result that the second network authorization request exists in the first SDN controller or a detection result that it does not.
The method of SDN secure communication also includes:
receiving and storing the authorization target object sent by the first SDN controller, where the authorization target object includes: the first network authorization request and either of the first token code and the second token code generated by the first SDN controller.
The method of SDN secure communication also includes:
detecting network attack information of the first SDN controller, prohibiting it from being opened, and deleting it, where the network attack information carries behavioural information of stealing information and of forwarding the network.
An embodiment of the present invention also provides a device for SDN secure communication, applied to a first SDN controller, including:
a first acquisition module, for obtaining a user request from a user terminal;
a transceiver module, for sending the user request to a cloud server and receiving a detection result returned by the cloud server after it performs security detection on the user request;
a first processing module, for processing the detection result, producing a processing result, and sending the detection result and/or the processing result to the user terminal.
An embodiment of the present invention also provides a device for SDN secure communication, applied to a cloud server, including:
a receiving module, for receiving a user request forwarded from a first SDN controller, where the user request is sent by a user terminal to the first SDN controller;
a generation module, for performing security detection on the user request and producing a detection result;
a second processing module, for sending the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the user terminal.
The above technical solution of the embodiments of the present invention has the following beneficial effects:
In the solution of the embodiments, the first SDN controller is connected to a cloud server, and the cloud server performs security detection on user requests, which can improve the cloud security of the first SDN controller. Because the application service layer and the data layer in the first SDN network each exchange data with the first SDN controller, having the cloud server perform security detection on the first SDN controller while it exchanges data with the application service layer and the data layer avoids the potential security hazard of the first SDN controller and its storage service. The cloud server can also assist the first SDN controller in processing user requests, thereby reducing the burden of monitoring data on the SDN controller.
Brief description of the drawings
Fig. 1 is a basic flow schematic of the method of SDN secure communication applied to a first SDN controller according to an embodiment of the present invention;
Fig. 2 is a detailed flow schematic of the method of SDN secure communication according to an embodiment of the present invention;
Fig. 3 is another basic flow schematic of the method of SDN secure communication applied to a first SDN controller according to an embodiment of the present invention;
Fig. 4 is a detailed flow schematic of step 12 of the method of SDN secure communication according to an embodiment of the present invention;
Fig. 5 is a detailed flow schematic of step 13 of the method of SDN secure communication according to an embodiment of the present invention;
Fig. 6 is another detailed flow schematic of step 12 of the method of SDN secure communication according to an embodiment of the present invention;
Fig. 7 is a schematic of the token authorization flow of the method of SDN secure communication according to an embodiment of the present invention;
Fig. 8 is a flow schematic of the method of SDN secure communication applied to a cloud server according to an embodiment of the present invention;
Fig. 9 is a structural schematic of the device for SDN secure communication applied to a first SDN controller according to an embodiment of the present invention;
Fig. 10 is a structural schematic of cross-domain token authorization by the device for SDN secure communication according to an embodiment of the present invention;
Fig. 11 is a flow schematic of the processing of data packets between the first SDN controller and the data forwarding layer according to an embodiment of the present invention;
Fig. 12 is a structural schematic of the device for SDN secure communication applied to a cloud server according to an embodiment of the present invention;
Fig. 13 is a structural schematic of a practical application of the cloud server according to an embodiment of the present invention;
Fig. 14 is a basic structural schematic of a practical application of the first SDN controller and the cloud server according to an embodiment of the present invention;
Fig. 15 is a detailed structural schematic of a practical application of the first SDN controller and the cloud server according to an embodiment of the present invention.
Embodiment
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, a detailed description is given below in conjunction with the drawings and specific embodiments.
As shown in Fig. 1, the method of SDN secure communication according to an embodiment of the present invention, applied to a first SDN controller, includes:
Step 11: obtaining a user request from a user terminal.
Here the user terminal may refer to a terminal of the application service layer in the SDN. The application service layer includes command-line applications, network management applications, security applications and various other applications. The command-line application is accessed specifically by administrators of the first SDN controller; through a command line reserved by the first SDN controller it performs operations such as configuring and querying the first SDN controller, and implements some verification and debugging functions. The network management application is used by the network manager to apply various network configurations to the first SDN controller and to view network state, such as alarms and topology state. The security application is used by the third party operating the cloud server accessed in the network to provide users with security-related services and guarantees. The other applications are various reserved processing applications, such as first SDN controller software upgrade, enabling of logs, memory leak detection, and so on.
Step 12: sending the user request to a cloud server, and receiving a detection result returned by the cloud server after it performs security detection on the user request.
Step 13: processing the detection result, producing a processing result, and sending the detection result and/or the processing result to the user terminal.
In the embodiment of the present invention, the first SDN controller is connected to a cloud server, and the cloud server performs security detection on user requests, which can improve the cloud security of the first SDN controller. Because the application service layer and the data layer in the first SDN network each exchange data with the first SDN controller, having the cloud server perform security detection on the first SDN controller while it exchanges data with the application service layer and the data layer avoids the potential security hazard of the first SDN controller and its storage service. The cloud server can also assist the first SDN controller in processing user requests, thereby reducing the burden of monitoring data on the SDN controller.
As shown in Fig. 2, in the method of SDN secure communication according to an embodiment of the present invention, the user request of the user terminal includes: a user access request of a cloud user and/or at least one first network authorization request of a user terminal having a terminal application, where the at least one first network authorization request includes: the user name of the user terminal, a password corresponding to the user name, and the domain where the user terminal is located.
Here a cloud user is a user who accesses the cloud security service, including individual users, enterprise users, and so on.
In the embodiment of the present invention, the first SDN server can not only exchange information with the cloud server; the first SDN server also interacts with the application service layer. The cloud server is used to detect the interaction information of the first SDN controller, thereby improving the security of the communication between the first SDN server and the application service layer.
As shown in Fig. 2 the method for the software defined network SDN secure communications of the embodiment of the present invention, with When user's request at family end is user's access request of cloud user, step 12 includes:
Step 121, when the user's access request for detecting cloud user is the user's access request sent first, User's access request is sent to the Cloud Server;
Here Cloud Server is provided by third party, so as to realize the outsourcing of access or be separately provided, so It is convenient that the service for connecing and feeding safety is proposed exclusively for cloud user.Cloud Server provides the user peace in the form of services All risk insurance hinders, can be by a large amount of Cloud Server clusters together, and form special reply cloud access safety problem is System.
Step 122, the inspection for carrying out safety detection return for user's access request by the Cloud Server is received Result is surveyed, wherein, the testing result includes:The safety of user's access request is detected simultaneously by the Cloud Server Produce the testing result or the first SDN controllers of accepting the interview of the SDN controllers of a denied access the first Testing result.
It should be noted that:Cloud Server detects that the content of the security of user's access request at least includes: Data integrity detection, Union user management and network attack detection, wherein, data integrity detection bag Include:User name and the corresponding password of user name in user's request;The Union user management includes:Storage is used User name and corresponding password in the request of family;Network attack detection includes:Illegal invasion in monitoring network Wooden horse or virus.The content of at least one security is realized using Cloud Server.
In the embodiment of the present invention, the first SDN controllers can be to user's access request for sending first, profit The security of user's access request is judged with Cloud Server, so as to ensure the security of the first SDN controllers.
As shown in Fig. 2 the method for the software defined network SDN secure communications of the embodiment of the present invention, step 13 include:
Step 131, the testing result is handled, produces flow table item record;
Here flow table item record is added to by the basic structure of the flow table to OpenFlow protocol definitions A few status attribute (such as State states) and at least next state (such as Next_State), lay equal stress on The new process for defining packet and flow table item record matching, makes matching not only rely only on and data frame packet header Information, while also taking the dependence state of itself.Such as match it is unsuccessful, data forwarding layer will be to the first SDN Controller sends an income package number PacketIn request message, and the wherein PacketIn request messages are included The information in data frame packet header, the also status information comprising itself.First SDN controllers can be to data forwarding Layer sends a stream group FlowMod message and to data forwarding layer addition respective record, is used as response;When When the match is successful, by next state of the state assignment in session table for respective record in conversion flow table.
Step 132, send the testing result and the flow table item is recorded to cloud user, wherein, the flow table item Record includes:Mode field corresponding with user's access request.
Here the purpose of mode field is to set up terminal and SDN controllers in data forwarding layer The renewal of session table is synchronous.
In the embodiment of the present invention, by generating a flow table item, when subsequently there is identical user request, nothing It need to be verified again, it is possible to use Cloud Server assists the processing user's request of the first SDN controllers, from And mitigate the burden of the monitoring data of SDN controllers, also improve the detection efficiency of cloud security.
As shown in figure 3, the method for the software defined network SDN secure communications of the embodiment of the present invention is in step After 11, when user's request of user terminal is user's access request of cloud user, software defined network SDN The method of secure communication also includes:
Step 14, there is flow table item corresponding with user's access request of cloud user record in detection, it is determined that The user's access request of the access request of the user not to send first.
Step 15, user's access request for cloud user returns to the result of cloud user, its In, the result includes:User's access request of cloud user is recorded via the cloud by the flow table item Server detection safety simultaneously produces a testing result for accepting the interview the first SDN controllers.
In the embodiment of the present invention, judging that cloud user is not that the user sent first asks, then directly by pre- The flow table item first set up records the first SDN controllers that conduct interviews, and reduces verification process, improves and connect The efficiency entered, and detected by Cloud Server, improve the security of user's access request.
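The following is an added example, not code from the patent, modelling steps 121-122, 131-132 and 14-15 together with the stateful flow entry (State / Next_State, PacketIn, FlowMod) of step 131. The class names, the constructed detection rule inside CloudServer, and the use of a credential digest as part of the match key are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


def cred_digest(password: str) -> str:
    """Constructed helper: the credential travels as a digest, so the flow
    entry key carries what the verdict depended on without the raw password."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass(frozen=True)
class AccessRequest:
    """Match key for a cloud user's access request (it plays the role of the
    data-frame header in the matching process)."""
    user: str
    domain: str
    target: str
    cred: str  # digest of the user's password


@dataclass
class FlowEntry:
    """OpenFlow-style flow entry extended with the State / Next_State
    attributes that step 131 adds to the basic flow-table structure."""
    match: AccessRequest
    state: str       # State: ACCEPTED or DENIED, taken from the detection result
    next_state: str  # Next_State: written to the session table on a match
    result: str      # detection result ("ACCEPT" / "DENY") returned to the user


class CloudServer:
    """Third-party detector. The rule is constructed for this example and
    stands in for the patent's detection content (integrity of user name and
    password, plus network attack detection)."""

    def __init__(self, credentials: dict, attack_targets: set):
        self.credentials = credentials        # user -> credential digest
        self.attack_targets = attack_targets  # constructed attack indicators
        self.detections = 0                   # how often the cloud was consulted

    def detect(self, req: AccessRequest) -> str:
        self.detections += 1
        if self.credentials.get(req.user) != req.cred:   # data-integrity check
            return "DENY"
        if req.target in self.attack_targets:            # network-attack check
            return "DENY"
        return "ACCEPT"


class FirstSdnController:
    def __init__(self, cloud: CloudServer):
        self.cloud = cloud

    def on_packet_in(self, packet_in: dict) -> dict:
        """Steps 121-122: forward the first-sent request and get the verdict;
        step 131: turn it into a flow entry record; step 132: answer with a
        FlowMod carrying the record and its state field."""
        req = packet_in["header"]
        result = self.cloud.detect(req)
        state = "ACCEPTED" if result == "ACCEPT" else "DENIED"
        entry = FlowEntry(match=req, state=state, next_state=state, result=result)
        return {"type": "FlowMod", "entry": entry}


class DataForwardingLayer:
    """Switch side: keeps the flow table and a session table whose state is
    kept in step with the controller's record (the purpose of the state field)."""

    def __init__(self, controller: FirstSdnController):
        self.controller = controller
        self.flow_table: dict = {}     # AccessRequest -> FlowEntry
        self.session_table: dict = {}  # AccessRequest -> current State

    def handle(self, req: AccessRequest) -> dict:
        entry = self.flow_table.get(req)
        own_state = self.session_table.get(req, "NEW")
        if entry is None or entry.state != own_state:
            # Match failed: matching depends on the header and on own state.
            # Send PacketIn with both; install the FlowMod record as response.
            packet_in = {"type": "PacketIn", "header": req, "state": own_state}
            flow_mod = self.controller.on_packet_in(packet_in)
            entry = flow_mod["entry"]
            self.flow_table[req] = entry
            self.session_table[req] = entry.state
            return {"first_sent": True, "result": entry.result}
        # Steps 14-15: a record exists, so this is not a first-sent request;
        # answer from the record (no re-verification) and move the session
        # to the record's Next_State.
        self.session_table[req] = entry.next_state
        return {"first_sent": False, "result": entry.result}


if __name__ == "__main__":
    cloud = CloudServer({"alice": cred_digest("pw1")}, {"ctl-admin"})
    switch = DataForwardingLayer(FirstSdnController(cloud))
    req = AccessRequest("alice", "dom-a", "stats", cred_digest("pw1"))
    print(switch.handle(req), switch.handle(req), cloud.detections)
```

Because a cached verdict is reused without re-verification, the match key must contain everything the verdict depended on; that is why the credential digest is part of AccessRequest here.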
As shown in figure 4, in the method for the software defined network SDN secure communications of the embodiment of the present invention, When user's request of user terminal is a first network authorization requests of the user terminal with terminal applies, step Rapid 12 include:
Step 123, the first network authorization requests are sent to the Cloud Server.
Step 124, receive by the Cloud Server for first network authorization requests progress safety detection return Testing result, wherein, the testing result includes:Detect to whether there is in the first SDN controllers and be somebody's turn to do The second network authorization request of the user names of first network authorization requests, password and domain name all same.
In the embodiment of the present invention, first network authorization requests are sent to the first SDN controllers, cloud is utilized Server can assist the security of the first SDN controllers detection first network authorization requests, due to cloud clothes Business device is stored with the data related to network authorization request, therefore can judge whether to deposit in the data of storage In first network authorization requests, the burden of the first SDN controllers is alleviated, the first SDN controls are also improved The security of device data interaction processed.
As shown in Fig. 4, in the software defined network SDN secure communication method of the embodiment of the present invention, step 13 includes:
Step 133, when the detection result is that no second network authorization request with the same user name, password and domain name as the first network authorization request exists in the first SDN controller, generating, according to the first network authorization request, a first token code uniquely corresponding to the first network authorization request;
Step 134, verifying the user name, the password and the domain name in the first network authorization request, and when the verification passes, generating an authorization target object carrying the first network authorization request and the first token code, and sending the authorization target object to the user terminal.
Here, the specific steps of verifying the user name, the password and the domain name in the first network authorization request include: first, verifying whether the user name, the password and the domain name in the first network authorization request are complete; then, after the user name, the password and the domain name are complete, judging whether the password in the first network authorization request is correct; finally, when the password in the first network authorization request is correct, the first network authorization request passes verification. This strengthens the accuracy of applying the first network authorization request.
In step 134, when the authorization target object is sent to the user terminal, the authorization target object is also sent to the cloud server for storage. This allows the cloud server to judge later whether a first network authorization request is a user request sent for the first time, so as to reduce repeated authorization of the same network authorization request.
In the embodiment of the present invention, a first token code uniquely corresponding to the first network authorization request is generated first and then fed back to the user terminal in the authorization target object. This realizes token authorization and ensures that a new access token code is provided only for a new network authorization request, avoiding the situation in which access token codes are provided repeatedly.
As shown in Fig. 5, in the software defined network SDN secure communication method of the embodiment of the present invention, step 13 includes:
Step 135, when the detection result is that a second network authorization request with the same user name, password and domain name as the first network authorization request exists in the first SDN controller, obtaining the second token code uniquely corresponding to the second network authorization request, generating an authorization target object carrying the first network authorization request and the second token code, and sending the authorization target object to the user terminal.
Here, "first" and "second" in the first network authorization request and the second network authorization request do not define the order of the network authorization requests; they only distinguish, for convenience, the currently sent "first network authorization request" from a "second network authorization request" that was stored earlier. The relation between the "first network authorization request" and the previously stored "second network authorization request" is one of two: the content of the "first network authorization request" differs from that of the previously stored "second network authorization request", or the content of the two is identical.
In step 135, when the authorization target object is sent to the user terminal, the authorization target object is also sent to the cloud server for storage. This allows the cloud server to judge later whether a first network authorization request is a user request sent for the first time, so as to reduce repeated authorization of the same user. Storing the authorization target object in the cloud server also makes it convenient for the SDN controller, when it later receives a new network authorization request, to use the cloud server to detect whether that network authorization request already exists.
In the embodiment of the present invention, by judging that a second network authorization request identical to the first network authorization request exists, the first SDN controller does not need to regenerate a new token code; it only needs to generate the authorization target object from the token code of the stored identical second network authorization request and the current first network authorization request. In this way, multiple refreshes of the same first network authorization request produce only one authorization target object, avoiding the situation in which repeated refreshes of the same first network authorization request produce multiple authorization target objects. This not only increases the efficiency of generating authorization target objects but also improves their accuracy.
As shown in Fig. 6, in the software defined network SDN secure communication method of the embodiment of the present invention, when the user request of the user terminal consists of multiple first network authorization requests from a user terminal with a terminal application, step 12 includes:
Step 125, assigning a corresponding priority to each first network authorization request.
Here, each first network authorization request refers to a different request from the same user. Step 1310 assigns each first network authorization request a corresponding priority specifically according to the request type of the application request in each first network authorization request.
Step 126, sending the first network authorization requests to the cloud server according to the priority.
Step 127, receiving, according to the priority, the detection results returned by the cloud server after performing safety detection on the first network authorization requests.
In the embodiment of the present invention, by assigning priorities to the multiple first network authorization requests and processing them in priority order, conflicts are avoided. Not only can the processing of the multiple first network authorization requests be completed, but each first network authorization request can also be treated differently according to its priority, which improves processing efficiency.
In the method for the software defined network SDN secure communications of the embodiment of the present invention, before step 13, The method of described software defined network SDN secure communications also includes:The detection is changed by predetermined interface As a result data format and the data format of the first SDN controllers match.Such first SDN controls Device can just utilize predetermined interface, the data of Cloud Server accurately be understood, and carry out respective handling.
The predetermined interface is API (Application Programming Interface, application programming Interface) interface, the predetermined interface includes but is not limited to this three partial function by the data lattice that issues of cloud service layer Formula is converted to identical with the form of key-course:1. the management of network behavior, mainly responsible first SDN controls The network behavior that Cloud Server is produced on device, is switched to the form of flow table item.The license asked according to user Or refusal, the instruction for whether carrying out data forwarding is sent, ensures the access security of cloud user with this.In addition The physical address relevant information of Cloud Server can also be counted, the service name that user asks is translated into correspondence Physics relative address, complete network in using service name for dependence resource discovering;2. the selection of route, User access request is ensured by Cloud Server, is user's choosing according to the topology information and link load of the whole network Select optimal path;3. flow table is issued, it is ensured that the flow table issuance that the first SDN controller are produced to OpenFlow In interchanger, allotment of data flow etc. is realized.
Api interface is the data transformation interface between cloud service layer and controller, mainly responsible cloud service layer and The interaction of controller.Api interface can be Cloud Server to the interface of controller, other parts function policy It can be stored in advance in the first SDN controllers, when needed, the first SDN controllers are issued to OpenFlow interchangers.
In the embodiment of the present invention, the data format of api interface, it is possible to achieve Cloud Server and the first SDN The data interaction of controller, api interface can control the access of cloud user to route, and reach offer access cloud clothes The service of business device.
In the method for the software defined network SDN secure communications of the embodiment of the present invention, before step 11, Software defined network SDN secure communications also include:
Step 16, the first SDN controllers are set up to be connected with least one the 2nd SDN controller, its In, at least one the 2nd SDN controller is in not same area with the SDN controllers.
Step 17, the user for obtaining the user terminal from domain where at least one the 2nd SDN controller please Ask.
In the embodiment of the present invention, by first by the first SDN controllers and at least one the 2nd SDN controller Connection is set up, user's request of the user terminal in domain where then obtaining at least one the 2nd SDN controller, Realize multiple domain or the token grant of cross-domain user terminal, can so carry out token to the user terminal in not same area Authorize and safety detection.
Second embodiment
As shown in Fig. 7, the overall flow of the token authorization of the embodiment of the present invention is as follows.
Step 701, the user terminal sends a first user authorization request; the first SDN controller receives the first user authorization request and adds it to an application queue with priority.
Step 702, the first SDN controller verifies the received first user authorization request of the user terminal.
Step 703, judging whether the path of the first network authorization request is an end address, and returning the address that the path of the first network authorization request is allowed to access (the address includes but is not limited to an IP address). It is judged whether the IP address is legal: if the IP address is empty or the like, the path of the first network authorization request is judged to be an allowed IP address, and step 704 is performed; if the IP address is not empty or the like, the path of the first network authorization request is judged not to be an allowed IP address, and step 705 is performed. The above method of judging whether the path of the first network authorization request terminates judges the access mode carried in the sent first network authorization request, such as a URL (Uniform Resource Locator) or an RPC (Remote Procedure Call Protocol) address, and carries the result in the returned authorization target object message.
Step 704, the first SDN controller releases the token authorization and sends a message to the terminal user; the token authorization fails.
Step 705, the first SDN controller creates a token authorization, creating and assigning a token code uniquely corresponding to the terminal user of the first network authorization request.
Step 706, the first SDN controller applies for registration and authenticates the first network authorization request.
Step 707, the first SDN controller verifies the user name, the password corresponding to the user name, and the domain name in the first network authorization request; if the user name, password and domain name in the first network authorization request are incomplete or incorrect, step 704 is performed; if the user name, password and domain name in the first network authorization request are complete, step 708 is performed;
Step 708, judging whether the password is correct; if the password is correct, performing step 409;
Step 709, judging whether the token authorization type is the password authorization mode; if it is not the password authorization mode, performing step 713;
Step 710, if it is the password authorization mode, taking out the user name and password from the first network authorization request, and generating a password authorization object from the user name, the password and the token code.
Step 711, taking out the domain name from the first network authorization request.
Step 712, generating the authorization target object using the password authorization object and the domain name; the authorization target object is provided by the authorizing party after the user name, password and domain name required for verification have been supplied.
Step 713, judging whether the token authorization type is the refresh token authorization mode; if so, performing step 714. Here, the refresh token serves to prevent the requester from sending the same request twice or more within the preset time period allowed by the server (the time difference between the client and the server side).
Step 714, obtaining the second network authorization request that has the same refresh token authorization mode as the first network authorization request.
Step 715, generating the authorization target object using the user name, password and domain name of the second network authorization request.
Step 716, the first SDN controller returns a response carrying the authorization target object.
In the embodiment of the present invention, the token authorization mode is used to authenticate and token-authorize the first network authorization request of the accessing terminal user. After the first SDN controller has verified the identity behind the first network authorization request, the authorization target object can subsequently be used to request an access token from the first SDN controller.
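The cloud-assisted duplicate detection of steps 123-124 and the token handling of steps 133-135 and the flow above, as an added Python illustration that is not code from the patent or from ZTE. The class names, the credential store, the token format, the password hashing and the token lifetime are assumptions made for this example; the verification order (check the request before minting a token) is the example's own choice.

```python
"""Cloud-server-assisted token authorization on the first SDN controller."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DENIED, GRANTED_NEW, GRANTED_REUSED = "denied", "granted_new", "granted_reused"


@dataclass(frozen=True)
class NetworkAuthRequest:
    """First network authorization request: user name, password, domain name."""
    username: str
    password: str
    domain: str

    def is_complete(self) -> bool:
        # First verification step of step 134: all three fields are present.
        return bool(self.username and self.password and self.domain)


@dataclass(frozen=True)
class AuthTarget:
    """Authorization target object: request identity plus its token code."""
    request_key: str
    token_code: str
    issued_at: float


def hash_password(password: str) -> str:
    """Constructed credential hashing for the example (a real deployment
    would use a salted KDF such as scrypt or Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def request_key(req: NetworkAuthRequest) -> str:
    """Identity under which a 'second' request with identical user name,
    password and domain name is found; hashed so that the cloud store never
    holds the clear-text password."""
    material = "\0".join((req.username, req.password, req.domain)).encode()
    return hashlib.sha256(material).hexdigest()


class CloudServer:
    """Stores authorization target objects (step 84) and answers the
    duplicate-request detection the controller asks for (step 124 / step 82)."""

    def __init__(self):
        self._targets = {}  # request_key -> AuthTarget

    def detect(self, req: NetworkAuthRequest):
        """Detection result: the stored target of an identical request, or None."""
        return self._targets.get(request_key(req))

    def store(self, target: AuthTarget) -> None:
        self._targets[target.request_key] = target


class FirstSdnController:
    def __init__(self, cloud: CloudServer, credentials: dict, token_ttl: float = 300.0):
        self.cloud = cloud
        self._credentials = credentials  # {(username, domain): password hash}
        self.token_ttl = token_ttl       # assumed lifetime of a reusable token code

    def _password_correct(self, req: NetworkAuthRequest) -> bool:
        # Second verification step of step 134 (step 708), constant-time compare.
        expected = self._credentials.get((req.username, req.domain))
        if expected is None:
            return False
        return hmac.compare_digest(expected, hash_password(req.password))

    def authorize(self, req: NetworkAuthRequest, now: float):
        """Returns (status, AuthTarget or None) for one first network authorization request."""
        existing = self.cloud.detect(req)  # steps 123-124: ask the cloud server
        if existing is not None and now - existing.issued_at < self.token_ttl:
            # Step 135: an identical request is already stored, so its token
            # code is reused and no second authorization target object is made.
            return GRANTED_REUSED, existing
        # Step 134: completeness first, then password correctness.
        if not req.is_complete() or not self._password_correct(req):
            return DENIED, None
        # Step 133: a first token code unique to this request.
        target = AuthTarget(request_key(req), secrets.token_hex(16), now)
        self.cloud.store(target)  # step 134: also stored at the cloud server
        return GRANTED_NEW, target


def build_credentials(entries):
    """Constructed credential store from (username, domain, password) triples."""
    return {(u, d): hash_password(p) for u, d, p in entries}
```

An expired stored target falls through to full verification and a fresh token code, so the reuse path never extends a token's lifetime indefinitely.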
Third embodiment
As shown in Fig. 8, the software defined network SDN secure communication method of the embodiment of the present invention, applied to a cloud server, includes:
Step 81, receiving a user request forwarded from the first SDN controller, wherein the user request is sent from a user terminal to the first SDN controller;
Here, the user terminal includes cloud users and terminal users, so that data safety detection for multiple kinds of terminal can be realized.
Step 82, performing safety detection on the user request and producing a detection result;
Step 83, sending the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the user terminal.
In the embodiment of the present invention, the cloud server provides the access security function to the first SDN controller, providing safety guarantees to user terminals in the form of a service and forming a dedicated service for access security problems, which improves the security of the cloud service of the first SDN controller.
In the software defined network SDN secure communication method of the embodiment of the present invention, step 81 includes: receiving a user access request sent by a cloud user and forwarded from the first SDN controller.
In the embodiment of the present invention, the cloud server receives the user access request forwarded by the first SDN controller and performs safety detection on the user access request, improving the security of the user access request's access to the first SDN controller.
In the software defined network SDN secure communication method of the embodiment of the present invention, step 82 includes: for the user access request, detecting the safety of the user access request and producing a detection result of denying access to the first SDN controller or of accepting access to the first SDN controller.
In the embodiment of the present invention, after the cloud server performs safety detection on the user access request, it feeds back whether the user access request may access the first SDN controller, completing the feedback of the safety detection processing of the user access request.
In the software defined network SDN secure communication method of the embodiment of the present invention, step 81 includes: receiving at least one first network authorization request sent by a user terminal with a terminal application and forwarded from the first SDN controller, wherein the first network authorization request includes: the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.
In the embodiment of the present invention, because the cloud server stores the authorization target objects related to network authorization requests, using the cloud server to receive and judge first network authorization requests can reduce the load on the first SDN controller.
In the software defined network SDN secure communication method of the embodiment of the present invention, step 82 includes: detecting whether a second network authorization request with the same user name, password and domain name as the first network authorization request exists in the first SDN controller, and producing a detection result that the second network authorization request exists in the first SDN controller or a detection result that the second network authorization request does not exist in the first SDN controller.
In the embodiment of the present invention, if the first network authorization request is not a network authorization request sent for the first time, the cloud server will have stored a second network authorization request identical to the first network authorization request, and the first SDN controller can directly use the token code of the stored second network authorization request to perform token authorization for the first network authorization request without regenerating a new token code. This reduces the token authorization flow of the first SDN controller and relieves its load.
The software defined network SDN secure communication method of the embodiment of the present invention also includes:
Step 84, receiving and storing the authorization target object sent by the first SDN controller, wherein the authorization target object includes: the first network authorization request and either the first token code or the second token code produced by the first SDN controller.
In the embodiment of the present invention, the cloud server stores the authorization target objects related to first network authorization requests, which facilitates subsequent direct authentication judgments on refreshed or re-sent first network authorization requests, relieves the load on the first SDN controller, and also improves the security of data interaction.
The software defined network SDN secure communication method of the embodiment of the present invention also includes:
Step 85, detecting network attack information directed at the first SDN controller, and forbidding opening and deleting the network attack information, wherein the network attack information carries behavior information of stealing information and forwarding it over the network.
The above behavior information is repeated forwarding information or information requesting duplicated network content. In this way, network attack information directed at the first SDN controller can be shielded.
In the embodiment of the present invention, the cloud server provides safety guarantees to the first SDN controller in the form of a network attack information service; multiple cloud servers can be clustered together to form a system dedicated to dealing with access security problems. The cloud server also has good extensibility and can make up for the shortcomings of traditional network defense capabilities, such as slow response speed and small system scale, meeting various security needs.
Fourth embodiment
As shown in Fig. 9, the software defined network SDN secure communication device of the embodiment of the present invention, applied to a first SDN controller, includes:
A first acquisition module 91, configured to obtain a user request from a user terminal;
A transceiver module 92, configured to send the user request to a cloud server and to receive the detection result returned by the cloud server after performing safety detection on the user request;
A first processing module 93, configured to process the detection result, produce a processing result, and send the detection result and/or the processing result to the user terminal.
In the embodiment of the present invention, the first SDN controller is connected to the cloud server, and the cloud server performs safety detection on the user request, which can improve the cloud security of the first SDN controller. Because the application service layer and the data layer in the SDN network each interact with the first SDN controller, the data exchanged with the application service layer and the data layer passes through the cloud server's safety detection for the first SDN controller, avoiding potential safety hazards to the first SDN controller and to the storage service. The cloud server can also assist the first SDN controller in handling user requests, relieving the burden on the SDN controller of monitoring data.
It should be noted that the device provided by the present invention is a device applying the above software defined network SDN secure communication method, so all embodiments of the above software defined network SDN secure communication method apply to the device and achieve the same or similar beneficial effects.
In the software defined network SDN secure communication device of another embodiment of the present invention, the user request of the user terminal includes: a user access request of a cloud user and/or at least one first network authorization request of a user terminal with a terminal application, wherein the at least one first network authorization request includes: the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.
In the software defined network SDN secure communication device of another embodiment of the present invention, when the user request of the user terminal is a user access request of a cloud user, the transceiver module 92 includes:
A detection unit, configured to forward the user access request to the cloud server when it detects that the user access request of the cloud user is a user access request sent for the first time;
A receiving unit, configured to receive the detection result returned by the cloud server after performing safety detection on the user access request, wherein the detection result includes: a detection result produced by the cloud server after detecting the safety of the user access request, which either denies access to the first SDN controller or accepts access to the first SDN controller.
In the software defined network SDN secure communication device of another embodiment of the present invention, the first processing module 93 includes:
A generation unit, configured to process the detection result and produce a flow table entry record;
A first sending unit, configured to send the detection result and the flow table entry record to the cloud user, wherein the flow table entry record includes: a status field corresponding to the user access request.
The software defined network SDN secure communication device of another embodiment of the present invention also includes:
A detection module, configured to detect that a flow table entry record corresponding to the user access request of the cloud user exists, and to determine that the user access request is not a user access request sent for the first time;
A feedback module, configured to return to the cloud user the processing result for the user access request of the cloud user, wherein the processing result includes: a detection result, recorded by the flow table entry, that the user access request of the cloud user was detected as safe via the cloud server and that access to the first SDN controller is accepted.
In the software defined network SDN secure communication device of another embodiment of the present invention, when the user request of the user terminal is a single first network authorization request from a user terminal with a terminal application, the transceiver module 92 includes:
A sending submodule, configured to send the first network authorization request to the cloud server;
A receiving submodule, configured to receive the detection result returned by the cloud server after performing safety detection on the first network authorization request, wherein the detection result includes: whether a second network authorization request with the same user name, password and domain name as the first network authorization request is detected to exist in the first SDN controller.
In the software defined network SDN secure communication device of another embodiment of the present invention, the first processing module 93 includes:
A generation unit, configured to generate, according to the first network authorization request, a first token code uniquely corresponding to the first network authorization request when the detection result is that no second network authorization request with the same user name, password and domain name as the first network authorization request exists in the first SDN controller;
A first processing unit, configured to verify the user name, the password and the domain name in the first network authorization request, and, when the verification passes, to generate an authorization target object carrying the first network authorization request and the first token code and send the authorization target object to the user terminal.
In the software defined network SDN secure communication device of another embodiment of the present invention, the first processing module 93 includes: a second processing unit, configured to obtain the second token code uniquely corresponding to the second network authorization request when the detection result is that a second network authorization request with the same user name, password and domain name as the first network authorization request exists in the first SDN controller, to generate an authorization target object carrying the first network authorization request and the second token code, and to send the authorization target object to the user terminal.
In the software defined network SDN secure communication device of another embodiment of the present invention, when the user request of the user terminal consists of multiple first network authorization requests from a user terminal with a terminal application, the transceiver module 92 includes:
An allocation unit, configured to assign a corresponding priority to each first network authorization request;
A second sending unit, configured to send the first network authorization requests to the cloud server according to the priority;
A transceiver unit, configured to receive, according to the priority, the detection results returned by the cloud server after performing safety detection on the first network authorization requests.
The software defined network SDN secure communication device of another embodiment of the present invention also includes:
A conversion module, configured to convert the data format of the detection result through a predetermined interface so that it matches the data format of the first SDN controller.
The software defined network SDN secure communication device of another embodiment of the present invention also includes:
An establishing module, configured to establish a connection between the first SDN controller and at least one second SDN controller, wherein the at least one second SDN controller is in a different domain from the first SDN controller;
An acquisition module, configured to obtain the user request of the user terminal from the domain in which the at least one second SDN controller is located.
In the embodiment of the present invention, connections are established with terminal users in different domains, so that token authorization in the cross-domain case can be realized. A specific cross-domain structure is shown in Fig. 10. For example, the application App2 of a terminal user is the authorized party and the application App3 of a terminal user is the resource party. If App2 of the terminal user wants to access the resources of App3 of the terminal user, it must obtain an access token from the token Token 1001 of the first SDN controller. One way is for App2 to directly obtain the authorization target object of App3 and use the authorization target object to obtain the access token from the token Token; another way is for App3 to redirect the network authorization request of App2 to the token Token, and after the token Token 1002 of the second SDN controller has authenticated App3, App3 provides the authorization target object to App2, and App2 uses the authorization target object to obtain the access token code from the token Token.
As shown in Fig. 11, the practical flow of the packet processing procedure between the first SDN controller of the embodiment of the present invention and the data forwarding layer is as follows.
Step 31, the header information extraction module of the data forwarding layer extracts the packet header key information from the header information of the data frame, and processes and stores the packet header key information;
Step 32, the data forwarding layer compares and matches the packet header key information against state table 21; if state table 21 has no record for it, a corresponding record is added and its state is set to the default DEFAULT;
Step 33, the matching result information is sent together with the status information to be compared and matched against conversion flow table 22. If conversion flow table 22 has no corresponding record, the data forwarding layer sends a packet-in PacketIn message to the first SDN controller 23; the first SDN controller 23 then matches state table 21 and issues a flow modification FlowMod to the data forwarding layer;
Step 34, conversion flow table 22 is updated according to the instruction of the first SDN controller 23, and the corresponding data forwarding operation is performed at the same time;
Step 35, the relevant information of the next state in conversion flow table 22 is written back into state table 21;
Step 36, the data forwarding layer sends a data state DATA_STATE_IN message to the first SDN controller 23 to update the state table 21 held in the first SDN controller 23.
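The state table / conversion flow table pipeline of steps 31-36, including the PacketIn, FlowMod and DATA_STATE_IN exchange with the controller, as an added Python simulation that is not code from the patent or from ZTE. The simplified frame layout, the example policy (drop flows to TCP port 23, forward everything else) and all names are assumptions made for this example.

```python
"""Stateful forwarding between a data forwarding layer and the first SDN controller."""
import struct
from dataclasses import dataclass

DEFAULT = "DEFAULT"  # default state written into state table 21 (step 32)


@dataclass(frozen=True)
class HeaderKey:
    """Packet header key information extracted in step 31 (an assumed 5-tuple)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class FlowRule:
    """One conversion flow table 22 record: what to do and which state follows."""
    action: str       # "forward" or "drop"
    next_state: str


def build_frame(src, dst, proto, sport, dport):
    """Constructed sample frame: 14-byte Ethernet header, 20-byte IPv4 header
    without options, then the two 16-bit ports. Only the fields read by
    extract_header_key are filled in."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytearray(20)
    ip[0] = 0x45
    ip[9] = proto
    ip[12:16] = bytes(int(x) for x in src.split("."))
    ip[16:20] = bytes(int(x) for x in dst.split("."))
    return eth + bytes(ip) + struct.pack("!HH", sport, dport)


def extract_header_key(frame: bytes) -> HeaderKey:
    """Step 31: pull the key fields out of the frame layout assumed above."""
    if len(frame) < 38:
        raise ValueError("frame too short for the assumed layout")
    proto = frame[14 + 9]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[34:38])
    return HeaderKey(src, dst, proto, sport, dport)


class Controller:
    """First SDN controller 23: holds its own copy of state table 21 and a policy."""

    def __init__(self, policy):
        self.state_table = {}
        self.policy = policy          # (HeaderKey, state) -> FlowRule
        self.packet_in_count = 0

    def packet_in(self, key, state) -> FlowRule:
        # Step 33: on PacketIn, match the state table and answer with a FlowMod.
        self.packet_in_count += 1
        self.state_table[key] = state
        return self.policy(key, state)

    def data_state_in(self, key, next_state) -> None:
        # Step 36: DATA_STATE_IN keeps the controller's state table current.
        self.state_table[key] = next_state


class ForwardingLayer:
    def __init__(self, controller: Controller):
        self.ctl = controller
        self.state_table = {}   # table 21: HeaderKey -> state
        self.flow_table = {}    # table 22: (HeaderKey, state) -> FlowRule
        self.forwarded = []

    def process(self, frame: bytes):
        key = extract_header_key(frame)                     # step 31
        state = self.state_table.setdefault(key, DEFAULT)   # step 32
        rule = self.flow_table.get((key, state))            # step 33
        if rule is None:
            rule = self.ctl.packet_in(key, state)           # PacketIn -> FlowMod
            self.flow_table[(key, state)] = rule            # step 34: update table 22
        if rule.action == "forward":                        # step 34: forwarding op
            self.forwarded.append(key)
        self.state_table[key] = rule.next_state             # step 35: write back
        self.ctl.data_state_in(key, rule.next_state)        # step 36
        return rule.action, rule.next_state


def example_policy(key: HeaderKey, state: str) -> FlowRule:
    """Constructed controller policy: a flow once blocked stays blocked, TCP/23
    is never forwarded, and anything else moves to ESTABLISHED and is forwarded."""
    if state == "BLOCKED" or (key.proto == 6 and key.dport == 23):
        return FlowRule("drop", "BLOCKED")
    return FlowRule("forward", "ESTABLISHED")
```

Note that table 22 is keyed by (header key, state), so a flow's second packet, now in a new state, triggers one more PacketIn before the rule is cached; the test below checks exactly that.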
5th embodiment
As shown in figure 12, the device of the software defined network SDN secure communications of the embodiment of the present invention, application In Cloud Server, wherein, including:
Receiving module 1201, for receiving the user's request forwarded from the first SDN controllers, wherein, What user's request was sent from user terminal to the first SDN controllers;
Generation module 1202, for carrying out safety detection for user request, produces testing result;
Second processing module 1203, for the testing result to be sent to the first SDN controllers, The testing result is handled by the first SDN controllers, result is produced and sends described Testing result and/or the result are to the user terminal.
In the embodiment of the present invention, access security function is provided the first SDN controllers by Cloud Server, Safety guarantee is provided for user terminal in the form of services, being formed should specially service access safety problem, Improve the security of the first SDN controller cloud services.
It should be noted that the device that the present invention is provided is logical safely using above-mentioned software defined network SDN The device of the method for letter, then all embodiments of the method for above-mentioned software defined network SDN secure communications are equal Suitable for the device, and it can reach same or analogous beneficial effect.
In the device for software defined network SDN secure communication of a further embodiment of the present invention, the receiving module 1201 is configured to: receive a user access request sent by a cloud user and forwarded from the first SDN controller.
In the device for software defined network SDN secure communication of a further embodiment of the present invention, the generation module 1202 is configured to:
for the user access request, detect the security of the user access request and produce a detection result that denies access to the first SDN controller or a detection result that accepts access to the first SDN controller.
In the device for software defined network SDN secure communication of a further embodiment of the present invention, the receiving module 1201 is configured to: receive at least one first network authorization request, forwarded from the first SDN controller and sent by a user terminal with a terminal application, wherein the first network authorization request includes: the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.
In the device for software defined network SDN secure communication of a further embodiment of the present invention, the generation module 1202 is configured to: detect whether the first SDN controller holds a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request, and produce a detection result that the first SDN controller holds the second network authorization request or a detection result that the first SDN controller does not hold the second network authorization request.
The device for software defined network SDN secure communication of a further embodiment of the present invention further includes:
a receiving and storage module, configured to receive and store the authorization target object sent by the first SDN controller, wherein the authorization target object includes: the first network authorization request and either one of a first token code and a second token code generated by the first SDN controller.
The device for software defined network SDN secure communication of a further embodiment of the present invention further includes:
a detection control module, configured to detect network attack information on the first SDN controller and to forbid opening of and delete the network attack information, wherein the network attack information carries behaviour information about information theft and network forwarding.
As shown in Figure 13, the practical application flow of the cloud server of the embodiment of the present invention is as follows.
First, it should be explained that the cloud server needs to cooperate with a cloud service provider. The cloud service provider has big data computing capability and, through functions such as cluster applications, grids or distributed file systems, gathers a large number of storage devices of various types in the network into a system that works collaboratively by means of application software and jointly provides data storage, processing and business access functions. Second, it should be explained that the access cloud server of cloud computing, the security service cloud (equivalent to the above cloud server), is placed outside the cloud service provider and is provided by a third party, so that access can be outsourced: the access security service is provided exclusively for cloud users, and security guarantees are provided to users in the form of a service. The application is described here with one cloud service provider and one security service cloud; in practice multiple cloud service providers and security service clouds may also be deployed, which is not further illustrated here.
Step 1101: When a user access request of a cloud user (including a personal user 451 or an enterprise user 452) requires a security service, the OpenFlow switch 43 distributes the user access request to the security service cloud 41 for execution according to the service type of the user access request (the service type includes at least: data integrity detection, federated user management and network attack detection).
Step 1102: The cloud service provider 44 stores and processes the user data of the user access request and supplies the stored result to the first SDN controller 42.
Step 1103: The security service cloud 41 processes the user access request, determines forwarding or blocking of the user data of the user access request, or acceptance or denial of the user access, and notifies the first SDN controller 42 of the determination result through the API interface 421.
Step 1104: The first SDN controller 42 generates the corresponding flow table entry and issues it to the OpenFlow switch 43 (the OpenFlow switch 43 is one application entity of the data forwarding layer and is used here only as an illustration), and the OpenFlow switch 43 performs the operation. When the same user access request arrives later, the OpenFlow switch 43 can perform the operation according to the flow table entry recorded in the service history, and the user access request does not need to pass through the security service cloud 41 again. For a service customized by a cloud user, the corresponding flow table entry can be configured directly on the first SDN controller to fulfil the specified function; the first SDN controller 42 sends the responses of the OpenFlow switch 43, the cloud user and the terminal user 46 to the security service cloud 41.
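The following Python model illustrates steps 1101 to 1104 together with claims 3 to 5: a first-time user access request is forwarded to the security service cloud, the verdict is recorded as a flow table entry with a state field, and a repeated identical request is answered from that record without consulting the cloud again. This is an added example, not code from the patent or from ZTE; the service type names, the block list policy inside the stand-in cloud, and the match key built from user, service type and resource are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Service types the description lists for the security service cloud
# (constructed constant names).
DATA_INTEGRITY = "data_integrity"
FEDERATED_USER_MGMT = "federated_user_management"
ATTACK_DETECTION = "network_attack_detection"
KNOWN_SERVICES = {DATA_INTEGRITY, FEDERATED_USER_MGMT, ATTACK_DETECTION}


@dataclass(frozen=True)
class AccessRequest:
    """User access request of a cloud user (personal or enterprise)."""
    user_id: str
    service_type: str
    resource: str


@dataclass
class FlowEntry:
    """Recorded flow table entry: the state field of claim 4 plus the cloud's verdict."""
    state: str            # "accept" or "deny"
    detection_result: str


class SecurityServiceCloud:
    """Stand-in for the third-party security service cloud (constructed policy)."""

    def __init__(self, blocked_users):
        self.blocked_users = set(blocked_users)
        self.calls = 0    # lets a caller see when the cloud was actually consulted

    def detect(self, req: AccessRequest) -> Tuple[str, str]:
        self.calls += 1
        if req.service_type not in KNOWN_SERVICES:
            return "deny", "unknown service type"
        if req.user_id in self.blocked_users:
            return "deny", "user is on the block list"
        return "accept", "access accepted"


class SdnController:
    """First SDN controller: forwards first-time requests, caches verdicts as flow entries."""

    def __init__(self, cloud: SecurityServiceCloud):
        self.cloud = cloud
        self.flow_table: Dict[str, FlowEntry] = {}

    @staticmethod
    def match_key(req: AccessRequest) -> str:
        # Constructed match key; a real deployment would match on header fields.
        return f"{req.user_id}|{req.service_type}|{req.resource}"

    def handle(self, req: AccessRequest) -> dict:
        key = self.match_key(req)
        entry = self.flow_table.get(key)
        if entry is not None:
            # Not a first-time request: the processing result comes from the
            # recorded flow entry (claim 5); the cloud is not contacted again.
            return {"source": "flow_table", "state": entry.state,
                    "detection_result": entry.detection_result}
        # First-time request: ask the security service cloud (claim 3), then
        # record the verdict as a flow entry carrying the state field (claim 4).
        state, result = self.cloud.detect(req)
        self.flow_table[key] = FlowEntry(state=state, detection_result=result)
        return {"source": "security_cloud", "state": state, "detection_result": result}


if __name__ == "__main__":
    ctl = SdnController(SecurityServiceCloud(blocked_users=["mallory"]))
    first = ctl.handle(AccessRequest("alice", DATA_INTEGRITY, "bucket-a"))
    again = ctl.handle(AccessRequest("alice", DATA_INTEGRITY, "bucket-a"))
    print(first["source"], again["source"])   # the second answer comes from the flow table
```

Both accepted and denied verdicts are cached here, so a denied user is also refused locally on repeat attempts; whether a deny should expire earlier than an accept is a policy choice the patent text does not settle.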
As shown in Figure 14 and Figure 15, the practical application of the first SDN controller and the cloud server of the embodiment of the present invention is as follows.
It should be noted that in a specific implementation the SDN includes five layers, namely: an application service layer 51 (equivalent to the above terminal user), an interface supervision layer 52 (whose corresponding application entity may be a terminal display), a control layer 53 (equivalent to the above first SDN controller), a data forwarding layer 54 (whose corresponding application entity may be a switch) and a cloud service layer 55 (equivalent to the above cloud server).
The application service layer 51 sends network authorization requests to the control layer 53. According to the various request types of the application service layer 51, the control layer 53 analyses its own state, sets the priority of the network authorization requests, verifies the digital signature carried by the received application, verifies the network authorization request, and sends an access authorization token to the application service layer 51.
The interface supervision layer 52 is used to display information such as the token authorization information in the network, the token authorization process, the conflict analysis and decision results, the network topology, alarms and links.
The control layer 53 receives the various user requests of the application service layer 51, sets the corresponding priority according to the application type, provides or withholds an authorization code for a user request through the token authorization module (equivalent to the above first processing unit and/or second processing unit), and sets the priority of each user request through the priority analysis algorithm; it communicates with the data forwarding layer 54 through FlowMod messages and PacketIn messages. The control layer 53 sends first-SDN-controller-to-switch messages (the data of the data forwarding layer 54 must be realized through the control layer 53) to control the operation of the OpenFlow switch, including the communication handshake, configuration of the switch flow table, modification of the switch state, setting of data queues, reading of the switch state and packet sending methods, thereby realizing the security guarantee.
The specific content of each layer is as follows:
Specifically, the applications of the above application service layer 51 can be divided into four types according to source and function: command line applications 511, network management applications 512, security applications 513 and other applications 514, wherein,
the command line application 511 is an application accessed by controller administrators; through the command line operations reserved by the controller (not open source) it configures and queries the controller and realizes certain verification and debugging functions.
the network management application 512 is used by the network administrator to perform the various network configurations on the controller and to view the network state, such as alarms and topology state.
the security application 513 refers to the third-party security service cloud institution accessed in the network, which provides users with security-related services and guarantees.
the other applications 514 refer to various reserved processing applications, such as controller software upgrade, opening of logs, memory leak detection and so on.
Specifically, the above interface supervision layer 52 includes two modules: a user interface 521 and an interface processing module 522, wherein,
the user interface 521 is used to obtain data from the interface processing module 522 and convert the data into a graphical interface, to provide a configuration window for network management personnel, and to send configurations to the interface processing module 522 through the REST (Representational State Transfer) or HTTP (HyperText Transfer Protocol) protocol.
the interface processing module 522 receives the information of the feedback module 531 and sends the response results to the user interface 521 by way of REST or HTTP; it buffers the instructions of the user interface 521 and sends them to the feedback module 531.
Specifically, the control layer 53 includes a feedback module 531, a token authorization module 532, an authentication and authorization module 533, a priority analysis module 534, a flow table management module 535, a command issuing and session table synchronization module 536, a storage module 537 and an API interface module 538 (equivalent to the above conversion module), wherein,
the feedback module 531 (equivalent to the feedback module) feeds the authentication and authorization information and the priority analysis and decision information back to network management personnel.
the token authorization module 532 (equivalent to the above first processing unit and/or second processing unit) requests an access token from the authorization server by means of the network authorization request sent by the Token service of the application service layer 51, and sends the access token to the authentication and authorization module 533.
the authentication and authorization module 533 (equivalent to the transceiver module) receives the authorization request of the application service layer 51 and the token code of the token authorization module, sets the access privilege level of each application, and issues the access authorization and the token code to each application.
the priority analysis module 534 (equivalent to the transceiver module) analyses the importance of each user request and judges whether a conflict exists; if the request conflicts with an existing flow rule in the flow table management module 535, the conflict is resolved according to the analysis algorithm, the flow rule requested by the user is accepted or refused, and the flow table management module 535 is updated. The priority analysis module 534 also defines the session table of the SDN controller and is responsible for keeping it synchronized with the session table in the SDN switch of the data forwarding module; when a PacketIn message sent by the OpenFlow switch is received, the module compares the packet header information and status information against the session table or the firewall rule set, assigns the corresponding state, and issues the conversion flow table into the OpenFlow switch.
the flow table management module 535 (equivalent to the first processing module) is used to save all flow table information currently running in the network. On the one hand the flow table management module 535 holds the flow rules requested by users and provides service to the priority analysis module 534; on the other hand it provides flow rules to the command issuing and session table synchronization module so that OpenFlow messages can be issued to the switch.
the command issuing and session table synchronization module 536 (equivalent to the first processing module) is used to set up a session table at the first SDN controller end and keep it synchronized with the state table in the OpenFlow switch; when a PacketIn message sent by the OpenFlow switch is received, the module compares the packet header information and status information in the OpenFlow switch against the session table or the firewall rule set, assigns the corresponding state, and issues the conversion flow table into the OpenFlow switch.
the storage module 537 (equivalent to the first processing module) is used to store the data of each module, to persist user authentication data, to store topology resources and so on, and to ensure that data is recovered after a power failure.
the API module 538 (equivalent to the API interface) realizes on the one hand the interface to the controller and on the other hand the interface to the cloud service module; it is responsible for the interaction between the cloud service module and the SDN controller, and ensures that the network management strategy of the cloud server is issued to the OpenFlow switch and executed by the OpenFlow switch.
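The following Python model illustrates the token authorization path of the control layer described above (token authorization module 532, authentication and authorization module 533 and priority analysis module 534) as it is spelled out in claims 6 to 9: a first network authorization request carrying user name, password and domain is checked for an identical request already held by the controller; if none is held the credentials are verified and a first token code unique to the request is minted; if one is held the token code of that held request is reused; several requests are served in priority order. This is an added example, not code from the patent or from ZTE. The credential store, the PBKDF2-based verification, the keyed fingerprint used to compare passwords without keeping them in the clear, and the priority table keyed by application type are all assumptions; the patent states only that priority is set according to application type.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkAuthRequest:
    """First network authorization request: user name, password and domain (from the
    patent) plus the requesting application type used for priority (constructed)."""
    username: str
    password: str
    domain: str
    app_type: str = "other"


@dataclass
class AuthorizationTarget:
    """Authorization target object: the request it answers and the token code issued."""
    request: NetworkAuthRequest
    token_code: str


# Constructed priority order by application type; a lower number is served first.
APP_PRIORITY = {"security": 0, "network_management": 1, "command_line": 2, "other": 3}


class CredentialStore:
    """Constructed stand-in for the controller's persisted user authentication data."""

    def __init__(self):
        self._records: Dict[Tuple[str, str], Tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, username: str, domain: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[(username, domain)] = (salt, self._derive(password, salt))

    def verify(self, username: str, domain: str, password: str) -> bool:
        rec = self._records.get((username, domain))
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._derive(password, salt), stored)


class TokenAuthorizationModule:
    """Controller-side handling of first network authorization requests."""

    def __init__(self, creds: CredentialStore):
        self.creds = creds
        self._fp_key = secrets.token_bytes(32)          # per-instance key for fingerprints
        self.held: Dict[Tuple[str, str, str], str] = {}  # identity -> token code already held

    def _identity(self, req: NetworkAuthRequest) -> Tuple[str, str, str]:
        # "Same user name, password and domain" compared via a keyed fingerprint of the
        # password, so the dictionary never holds the password itself.
        fp = hmac.new(self._fp_key, req.password.encode(), "sha256").hexdigest()
        return (req.username, req.domain, fp)

    def security_detect(self, req: NetworkAuthRequest) -> bool:
        """The detection result of claim 6: does the controller hold an identical request?"""
        return self._identity(req) in self.held

    def process(self, req: NetworkAuthRequest) -> Optional[AuthorizationTarget]:
        ident = self._identity(req)
        if self.security_detect(req):
            # Claim 8: reuse the token code unique to the held (second) request.
            return AuthorizationTarget(req, self.held[ident])
        # Claim 7: verify user name, password and domain; mint a first token code only
        # after verification passes so that no token is ever issued for a bad request.
        if not self.creds.verify(req.username, req.domain, req.password):
            return None
        token = secrets.token_urlsafe(32)
        self.held[ident] = token
        return AuthorizationTarget(req, token)

    def process_batch(self, reqs: List[NetworkAuthRequest]):
        """Claim 9: assign a priority to each request and serve them in that order."""
        ordered = sorted(reqs, key=lambda r: APP_PRIORITY.get(r.app_type, len(APP_PRIORITY)))
        return [(r, self.process(r)) for r in ordered]
```

The example verifies before minting, whereas claim 7 lists token generation before verification; the target object is only released after verification in both readings, and verifying first avoids spending randomness on requests that will be refused.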
Specifically, the data forwarding layer 54 includes a switch information extraction module 541, a state table module 542, a flow table module 543, a data detection module 544 and a data queue module 545, wherein,
the data forwarding layer 54 uses TLS (Transport Layer Security) to authenticate and encrypt the traffic between the network device end and the first SDN controller; TLS helps to authenticate the access controller and the network device or the first SDN controller, and prevents eavesdropping on and forgery of southbound communication. The OpenFlow switch sends PacketIn messages to the first SDN controller, which the first SDN controller uses to refresh network behaviour and change the switch state; an SDN firewall is deployed in the first SDN controller and the OpenFlow switch, and its deployment is realized by adding new messages and associated state fields to the OpenFlow protocol.
the switch information extraction module 541 is used to extract key information from the data frame packet header, the key information including the source address, source port, destination address, destination port, sequence number, acknowledgement number and TCP (Transmission Control Protocol) flag bits of the packet;
the state table module 542 is used to set up a session table in the data forwarding layer and at the same time synchronize updates of the session table to the first SDN controller; updates of the session table of this module are controlled by instructions in the conversion flow table, such as the SET_STATE instruction;
the flow table module 543 is used to set up a conversion flow table in the data forwarding layer according to the instructions issued by the first SDN controller, and is responsible for state conversion processing and packet forwarding operations;
the data queue module 544 is used to set the data queue and to store the queue information of sent messages, such as Hello packets, request responses, response requests and so on;
the data detection module 545 is responsible for determining the connection to which a packet arriving at the data forwarding layer belongs, setting a counter, and checking the legitimacy of the connection state.
The session table is synchronized between the two modules by sending messages to the SDN controller and to the data forwarding layer 54 respectively: when the state table of the first SDN controller or of the data forwarding layer 54 is updated, a message is sent to the other party ordering it to update as well, and the updated state is returned.
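The following Python model ties together steps 31 to 36 above and the data forwarding layer modules just described: header fields are extracted from a packet, a direction-independent connection key selects the session entry, a packet with no entry triggers a PacketIn to the controller which answers with a FlowMod (or nothing, meaning drop), each later packet is checked against a TCP connection state machine (the legitimacy check of the data detection module), SET_STATE advances the state in the conversion flow table, and every state change is written back to the controller as a DATA_STATE_IN message. This is an added example, not code from the patent or from ZTE; the state names, the simplified TCP state machine, the rule set of permitted destination services, and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# TCP flag bits as carried in the header flag field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class PacketHeader:
    """Key fields the switch information extraction module pulls from a frame."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int


def conn_key(h: PacketHeader) -> ConnKey:
    """Direction-independent key so both directions of a flow share one session entry."""
    a, b = (h.src, h.sport), (h.dst, h.dport)
    return (a, b) if a <= b else (b, a)


def transition(state: str, h: PacketHeader, from_initiator: bool) -> Optional[str]:
    """Simplified TCP state machine: next state, or None if the packet is not
    legitimate in the current state (constructed; real stacks track more states)."""
    if h.flags & RST:
        return "CLOSED"
    if state == "SYN_SENT" and not from_initiator and h.flags & SYN and h.flags & ACK:
        return "SYN_RECV"
    if state == "SYN_RECV" and from_initiator and h.flags & ACK and not h.flags & SYN:
        return "ESTABLISHED"
    if state == "ESTABLISHED" and h.flags & FIN:
        return "FIN_WAIT"
    if state == "ESTABLISHED" and h.flags & ACK:
        return "ESTABLISHED"
    if state == "FIN_WAIT" and h.flags & FIN:
        return "CLOSED"
    if state == "FIN_WAIT" and h.flags & ACK:
        return "FIN_WAIT"
    return None


@dataclass
class Session:
    initiator: Endpoint
    state: str
    packets: int = 0      # counter kept by the data detection module


class Controller:
    """Control layer: state table 21 plus the rule set consulted on PacketIn."""

    def __init__(self, allowed_services):
        self.allowed = set(allowed_services)     # constructed rule set of (dst, dport)
        self.state_table: Dict[ConnKey, str] = {}

    def packet_in(self, h: PacketHeader) -> Optional[dict]:
        # Only a bare SYN towards a permitted service may open a session; anything
        # else with no existing entry gets no FlowMod and is dropped by the switch.
        if h.flags & SYN and not h.flags & ACK and (h.dst, h.dport) in self.allowed:
            key = conn_key(h)
            self.state_table[key] = "SYN_SENT"
            return {"key": key, "initiator": (h.src, h.sport), "state": "SYN_SENT"}
        return None

    def data_state_in(self, key: ConnKey, state: str) -> None:
        # DATA_STATE_IN: the switch reports a state change; mirror it here.
        if state == "CLOSED":
            self.state_table.pop(key, None)
        else:
            self.state_table[key] = state


class Switch:
    """Data forwarding layer: session table, conversion flow table and legitimacy check."""

    def __init__(self, ctl: Controller):
        self.ctl = ctl
        self.sessions: Dict[ConnKey, Session] = {}
        self.invalid = 0

    def process(self, h: PacketHeader) -> str:
        key = conn_key(h)
        sess = self.sessions.get(key)
        if sess is None:
            flowmod = self.ctl.packet_in(h)      # no record: PacketIn to the controller
            if flowmod is None:
                self.invalid += 1
                return "drop"
            self.sessions[key] = Session(flowmod["initiator"], flowmod["state"], packets=1)
            return "forward"
        nxt = transition(sess.state, h, (h.src, h.sport) == sess.initiator)
        if nxt is None:
            self.invalid += 1                    # legitimacy check failed
            return "drop"
        sess.packets += 1
        sess.state = nxt                         # SET_STATE in the conversion flow table
        self.ctl.data_state_in(key, nxt)         # write the new state back to the controller
        if nxt == "CLOSED":
            del self.sessions[key]
        return "forward"


def run_demo():
    """Constructed traffic: one full TCP exchange plus two packets that must be dropped."""
    ctl = Controller(allowed_services={("10.0.0.9", 443)})
    sw = Switch(ctl)
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 443)

    def pkt(src, dst, flags, seq=0, ack=0):
        return PacketHeader(src[0], src[1], dst[0], dst[1], seq, ack, flags)

    packets = [
        pkt(c, s, SYN, seq=100),                  # handshake
        pkt(s, c, SYN | ACK, seq=500, ack=101),
        pkt(c, s, ACK, seq=101, ack=501),
        pkt(c, s, ACK, seq=101, ack=501),         # data segment
        pkt(("10.0.0.7", 41000), s, ACK),         # stray ACK with no session: dropped
        pkt(c, ("10.0.0.9", 22), SYN),            # SYN to a service outside the rule set: dropped
        pkt(c, s, FIN | ACK),                     # teardown
        pkt(s, c, ACK),
        pkt(s, c, FIN | ACK),
    ]
    decisions = [sw.process(p) for p in packets]
    return decisions, dict(ctl.state_table), sw.invalid
```

After the final FIN the session is removed on both sides, so the controller's state table is empty again and the two illegitimate packets are the only ones counted as invalid.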
In the embodiment of the present invention, the OpenFlow protocol is extended by adding a state field, so that the flow table executes according to state, the session table is updated, and a firewall is deployed in the data forwarding layer. Security authentication for the first SDN controller can also be realized: northbound, an access security service is provided to users, and security guarantees are provided through token authorization; cluster controllers and a large number of network devices are supported, as is a cloud security service applied to a large number of network devices, and the network state is fed back to users in real time. The first SDN controller produces the corresponding flow table entries and issues them to the OpenFlow switch for execution, realizing the allocation of data flows, while the feedback information of the OpenFlow switch is sent to the first SDN controller or to network management personnel for decision making.
The above is the preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art may make certain improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (20)

1. A method for software defined network SDN secure communication, applied to a first SDN controller, characterized in that the method for software defined network SDN secure communication includes:
obtaining a user request from a user terminal;
sending the user request to a cloud server, and receiving a detection result returned by the cloud server after performing security detection on the user request;
processing the detection result, producing a processing result, and sending the detection result and/or the processing result to the user terminal.
2. The method for software defined network SDN secure communication according to claim 1, characterized in that
the user request of the user terminal includes: a user access request of a cloud user and/or at least one first network authorization request of a user terminal with a terminal application, wherein the at least one first network authorization request includes: the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.
3. the method for software defined network SDN secure communications as claimed in claim 2, it is characterised in that
When user's request of user terminal is user's access request of cloud user, transmission user's request To Cloud Server, and receive the inspection for asking progress safety detection return for the user by the Cloud Server Result is surveyed, including:
When the user's access request for detecting the cloud user is the user's access request sent first, forwarding is described User's access request is to the Cloud Server;
Receive the detection knot for carrying out safety detection return for user's access request by the Cloud Server Really, wherein, the testing result includes:The safety of user's access request is detected by the Cloud Server And produce the testing result or the first SDN that accepts the interview of the first SDN controllers described in a denied access The testing result of controller.
4. the method for software defined network SDN secure communications as claimed in claim 3, it is characterised in that
It is described that the testing result is handled, produce result and send the testing result and/or The result to the user terminal, including:
The testing result is handled, flow table item record is produced;
Send the testing result and the flow table item is recorded to the cloud user, wherein, the flow table item note Record includes:Mode field corresponding with user's access request.
5. the method for software defined network SDN secure communications as claimed in claim 2, it is characterised in that
After user request of the acquisition from user terminal, user's request of the user terminal is cloud user User's access request when, the method for described software defined network SDN secure communications also includes:
There is flow table item corresponding with user's access request of cloud user record in detection, determine the user The user's access request of access request not to send first;
User's access request for the cloud user returns to the result of the cloud user, wherein, institute Stating result includes:User's access request of the cloud user is recorded via described by the flow table item Cloud Server detection safety simultaneously produces a testing result for accepting the interview the first SDN controllers.
6. the method for software defined network SDN secure communications as claimed in claim 2, it is characterised in that When user's request of user terminal is a first network authorization requests of the user terminal with terminal applies, The transmission user is asked to Cloud Server, and is received by the Cloud Server for user request The testing result of safety detection return is carried out, including:
The first network authorization requests are sent to the Cloud Server;
Receive the inspection for carrying out safety detection return for the first network authorization requests by the Cloud Server Result is surveyed, wherein, the testing result includes:Detect that the first SDN controllers whether there is and institute State the second network authorization request of user name, password and the domain name all same of first network authorization requests.
7. the method for software defined network SDN secure communications as claimed in claim 6, it is characterised in that
It is described that the testing result is handled, produce result and send the testing result and/or The result to the user terminal, including:
It is that the first SDN controllers are not present and the first network authorization requests in the testing result User name, the second network authorization request of password and domain name all same when, according to the first network mandate Request, generation and unique corresponding first token code of the first network authorization requests;
Verify the user name, the password and the domain name in the first network authorization requests, and When being verified, generation carries the mandate target of the first network authorization requests and first token code Object concurrency send the mandate destination object to the user terminal.
8. the method for software defined network SDN secure communications as claimed in claim 6, it is characterised in that
It is described that the testing result is handled, produce result and send the testing result and/or The result to the user terminal, including:
It is that the first SDN controllers are present and the first network authorization requests in the testing result During the second network authorization request of user name, password and domain name all same, obtaining second network authorization please Unique corresponding second token code is sought, generation carries the first network authorization requests and second token The mandate destination object of code simultaneously sends the mandate destination object to the user terminal.
9. the method for software defined network SDN secure communications as claimed in claim 2, it is characterised in that When user's request of user terminal is multiple first network authorization requests of the user terminal with terminal applies, The transmission user is asked to Cloud Server, and is received by the Cloud Server for user request The testing result of safety detection return is carried out, including:
Distribute each first network authorization requests corresponding priority;
The first network authorization requests are sent to the Cloud Server according to the priority;
Receive and pacified by the Cloud Server for the first network authorization requests according to the priority Full inspection surveys the testing result returned.
10. the method for the software defined network SDN secure communications as described in any one of claim 1 to 9, Characterized in that, being handled to the testing result, produce result and send the testing result And/or before the result to the user terminal, the software defined network SDN secure communications are also wrapped Include:
The data format of the testing result and the number of the first SDN controllers are changed by predetermined interface Match according to form.
11. the method for the software defined network SDN secure communications as described in any one of claim 1 to 9, Characterized in that, before the request of the user from user terminal is obtained, described software defined network SDN The method of secure communication also includes:
The first SDN controllers are set up to be connected with least one the 2nd SDN controller, wherein, it is described At least one the 2nd SDN controller is in not same area with the first SDN controllers;
Obtain user's request of the user terminal in domain where the 2nd SDN controllers at least one described.
12. A method for software defined network SDN secure communication, applied to a cloud server, characterized in that the method for software defined network SDN secure communication includes:
receiving a user request forwarded from a first SDN controller, wherein the user request is sent by a user terminal to the first SDN controller;
performing security detection on the user request and producing a detection result;
sending the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the user terminal.
13. The method for software defined network SDN secure communication according to claim 12, characterized in that the receiving the user request forwarded from the first SDN controller includes:
receiving a user access request sent by a cloud user and forwarded from the first SDN controller.
14. The method for software defined network SDN secure communication according to claim 13, characterized in that the performing security detection on the user request and producing a detection result includes:
for the user access request, detecting the security of the user access request and producing a detection result that denies access to the first SDN controller or that accepts access to the first SDN controller.
15. The method for software defined network SDN secure communication according to claim 13, characterized in that the receiving the user request forwarded from the first SDN controller includes:
receiving at least one first network authorization request, forwarded from the first SDN controller and sent by a user terminal with a terminal application, wherein the first network authorization request includes: the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.
16. The method for software defined network SDN secure communication according to claim 15, characterized in that the performing security detection on the user request and producing a detection result includes:
detecting whether the first SDN controller holds a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request, and producing a detection result that the first SDN controller holds the second network authorization request or a detection result that the first SDN controller does not hold the second network authorization request.
17. The method for software defined network SDN secure communication according to claim 16, characterized in that the method for software defined network SDN secure communication further includes:
receiving and storing an authorization target object sent by the first SDN controller, wherein the authorization target object includes: the first network authorization request and either one of a first token code and a second token code generated by the first SDN controller.
18. The method for software defined network SDN secure communication according to any one of claims 12 to 16, characterized in that the method for software defined network SDN secure communication further includes:
detecting network attack information on the first SDN controller, and forbidding opening of and deleting the network attack information, wherein the network attack information carries behaviour information about information theft and network forwarding.
19. A device for software defined network SDN secure communication, applied to a first SDN controller, characterized in that the device for software defined network SDN secure communication includes:
a first acquisition module, configured to obtain a user request from a user terminal;
a transceiver module, configured to send the user request to a cloud server and to receive a detection result returned by the cloud server after performing security detection on the user request;
a first processing module, configured to process the detection result, produce a processing result, and send the detection result and/or the processing result to the user terminal.
20. A device for software defined network SDN secure communication, applied to a cloud server, characterized in that the device for software defined network SDN secure communication includes:
a receiving module, configured to receive a user request forwarded from a first SDN controller, wherein the user request is sent by a user terminal to the first SDN controller;
a generation module, configured to perform security detection on the user request and produce a detection result;
a second processing module, configured to send the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the user terminal.
CN201610139226.9A 2016-03-11 2016-03-11 Software Defined Networking (SDN) secure communication method and device Active CN107181720B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610139226.9A CN107181720B (en) 2016-03-11 2016-03-11 Software Defined Networking (SDN) secure communication method and device
PCT/CN2017/074331 WO2017152754A1 (en) 2016-03-11 2017-02-22 Method and apparatus for secure communication of software defined network (sdn)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610139226.9A CN107181720B (en) 2016-03-11 2016-03-11 Software Defined Networking (SDN) secure communication method and device

Publications (2)

Publication Number Publication Date
CN107181720A true CN107181720A (en) 2017-09-19
CN107181720B CN107181720B (en) 2021-06-15

Family

ID=59789977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610139226.9A Active CN107181720B (en) 2016-03-11 2016-03-11 Software Defined Networking (SDN) secure communication method and device

Country Status (2)

Country Link
CN (1) CN107181720B (en)
WO (1) WO2017152754A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113315704B (en) * 2021-05-20 2023-01-10 中国联合网络通信集团有限公司 Message forwarding method, SDN controller, switch and system
US11722570B1 (en) * 2022-05-13 2023-08-08 Microsoft Technology Licensing, Llc Sharing SDN policy state information between SDN appliances
CN114978942B (en) * 2022-05-13 2024-05-24 深信服科技股份有限公司 Router detection method and device, electronic equipment and storage medium
CN115514644B (en) * 2022-11-15 2023-03-10 阿里云计算有限公司 Entry consistency checking method, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051557A (en) * 2012-12-27 2013-04-17 华为技术有限公司 Data stream processing method and system, controller and switching equipment
CN103607379A (en) * 2013-11-04 2014-02-26 中兴通讯股份有限公司 Software definition network safety enforcement method, system and controller thereof
CN104104561A (en) * 2014-08-11 2014-10-15 武汉大学 SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol
CN104113839A (en) * 2014-07-14 2014-10-22 蓝盾信息安全技术有限公司 Mobile data safety protection system and method based on SDN
CN104363203A (en) * 2014-10-16 2015-02-18 贵州中科博智科技有限公司 SDN-based secure cloud access method
CN104767696A (en) * 2014-01-07 2015-07-08 上海贝尔股份有限公司 Method and device for controlling user access in SDN (software defined network) access network
US20150304281A1 (en) * 2014-03-14 2015-10-22 Avni Networks Inc. Method and apparatus for application and l4-l7 protocol aware dynamic network access control, threat management and optimizations in sdn based networks
CN104219218B (en) * 2013-06-04 2018-05-08 新华三技术有限公司 A kind of method and device of active safety defence

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105227344B (en) * 2015-08-21 2019-03-22 烽火通信科技股份有限公司 Software defined network simulation system and method based on OpenStack

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561054A (en) * 2017-09-26 2019-04-02 华为技术有限公司 A kind of data transmission method, controller and access device
CN109561054B (en) * 2017-09-26 2020-12-01 华为技术有限公司 Data transmission method, controller and access device
CN108512699B (en) * 2018-03-15 2020-08-14 中国联合网络通信集团有限公司 Block chain service server data anomaly detection method and equipment and block chain system
CN108512699A (en) * 2018-03-15 2018-09-07 中国联合网络通信集团有限公司 Block chain service server data exception detection method, equipment and block catenary system
CN108768932A (en) * 2018-04-09 2018-11-06 中国电信股份有限公司上海分公司 A kind of secure connection method of lightweight SDN switch and controller
CN108881059B (en) * 2018-05-29 2022-05-24 新华三技术有限公司 Controller role determination method, network switching equipment, controller and network system
CN108881059A (en) * 2018-05-29 2018-11-23 新华三技术有限公司 Controller role determines method, the network switching equipment, controller and network system
CN108810001A (en) * 2018-06-20 2018-11-13 郑州云海信息技术有限公司 A kind of security service control system and method based on SDN
CN109743598A (en) * 2018-12-29 2019-05-10 深圳Tcl新技术有限公司 Third party is authorized to access method, system and the readable storage medium storing program for executing of TV
CN111049886A (en) * 2019-11-29 2020-04-21 紫光云(南京)数字技术有限公司 Multi-region SDN controller data synchronization method, server and system
CN111049886B (en) * 2019-11-29 2023-07-07 紫光云(南京)数字技术有限公司 Multi-region SDN controller data synchronization method, server and system
CN110932814A (en) * 2019-12-05 2020-03-27 北京邮电大学 Software-defined network time service safety protection method, device and system
CN112217902B (en) * 2020-10-22 2022-03-22 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN112217902A (en) * 2020-10-22 2021-01-12 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN112637154A (en) * 2020-12-09 2021-04-09 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN112637154B (en) * 2020-12-09 2022-06-21 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN114338400A (en) * 2021-12-31 2022-04-12 中国电信股份有限公司 SDN dynamic control method and device
CN114338400B (en) * 2021-12-31 2024-05-14 中国电信股份有限公司 SDN network dynamic control method and device

Also Published As

Publication number Publication date
CN107181720B (en) 2021-06-15
WO2017152754A1 (en) 2017-09-14

Similar Documents

Publication Publication Date Title
CN107181720A (en) A kind of method and device of software definition networking SDN secure communications
CN109302415B (en) A kind of authentication method, block chain node and storage medium
CN103404103B (en) System and method for combining an access control system with a traffic management system
CN104718526B (en) Safety moving frame
CN105763562B (en) Power Information Network method for establishing model and system towards electric power CPS risk assessment
CN105027493B (en) Safety moving application connection bus
CN102638454B (en) Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
CN109450910A (en) Data sharing method, data sharing network and electronic equipment based on block chain
CN109525671A (en) Date storage method, electronic equipment and storage medium based on block chain
CN108200146A (en) A kind of micro services framework implementation method of lightweight
CN107425983A (en) A kind of unified identity authentication method and system platform based on WEB service
CN108011862A (en) The mandate of mirror image warehouse, access, management method and server and client side
CN108154439A (en) Asset data processing unit and method
CN103973770B (en) Information processing system
US20090254968A1 (en) Method, system, and computer program product for virtual world access control management
DE112019003309T5 (en) DEVICE FOR SECURE RECEIVING OF SHIPMENTS WITH DELEGATING CHAIN
CN103489233A (en) Electronic door control system with dynamic password
CN104636678B (en) The method and system of management and control is carried out under a kind of cloud computing environment to terminal device
CN106170964A (en) User's virtual identity based on different identity service
CN107210916A (en) Condition, which is logged in, to be promoted
CN109753815A (en) Data processing method, data processing network and electronic equipment based on block chain
CN106161361B (en) A kind of access method and device of cross-domain resource
CN109446833A (en) A kind of authorization check method and electronic equipment based on educational system
CN108028840A (en) Realize the peer to peer connection for establishing safety
CN110362533A (en) A kind of archives storage and shared system based on alliance's chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant