CN113382008B - Flooding suppression method for ARP protocol under SDN - Google Patents
- Publication number: CN113382008B (application CN202110663842.5A)
- Authority: CN (China)
- Prior art keywords
- sdn
- arp
- request packet
- arp request
- sdn switch
- Prior art date
- Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a flooding suppression method for the ARP protocol under SDN. A buffer table of ARP requests is added to the SDN controller; it records the source IP and destination IP of each ARP request packet together with the switches through which that packet has already been forwarded. When a new ARP request packet enters an SDN switch, the switch reports it to the controller and the controller consults the table. If a matching entry is found, the packet has already been forwarded by that switch recently and is not forwarded again, which suppresses the data storm caused by ARP flooding.
Description
Technical Field
The invention relates to the technical field of computer network and system security, and in particular to a flooding suppression method for the ARP protocol under SDN.
Background
Software Defined Networking (SDN) is a network architecture proposed by Professor Nick McKeown's team at Stanford University. Its core idea is to separate the control plane from the forwarding plane so as to improve the resource utilization of the whole network; SDN is a form of intelligent network. In SDN, the Address Resolution Protocol (ARP) maps an IP address to a MAC address, i.e. it asks which MAC address corresponds to a target IP. Two hosts can only communicate once each knows the other's MAC address. When a host receives an ARP request, it looks up its ARP cache table and records the mapping carried in the ARP request packet into the cache; when it receives an ARP reply, it records the mapping carried in the ARP reply packet into the cache. When an SDN switch receives an ARP request and no flow entry installed in advance tells it how to forward the packet, the packet is handed to the controller, which usually issues a forwarding command to send the ARP packet out of all ports except the one it arrived on; this is called flooding. Only when the target host receives the ARP request and replies does the controller learn which switch the target IP is attached to, after which it can construct a path between the source IP and the target IP and install flow entries on the switches. In a data-center network, redundant links are commonly used for reliability, so an ARP packet flooded out of an SDN switch can easily be forwarded back into that switch through another port. Without suppression, loop forwarding occurs easily and network performance degrades severely.
Disclosure of Invention
The invention provides a flooding suppression method for the ARP protocol under SDN, which suppresses the data storm problem caused by ARP flooding.
To this end, the invention is realized by the following technical scheme:
A flooding suppression method for the ARP protocol under SDN: a buffer table of ARP requests is added to the SDN controller, and each record of the buffer table consists of a source IP, a destination IP, the datapath ID (DPID) of an SDN switch and the current timestamp. When an ARP request packet enters an SDN switch and is reported to the SDN controller, the controller extracts the source IP and destination IP of the packet and the DPID of the switch, and consults the buffer table. If no entry matching the ARP request packet and the switch is found, i.e. the buffer table has no record of this source IP, destination IP and DPID, the packet is entering this switch for the first time; the controller then adds a record containing the packet's source IP and destination IP, the switch's DPID and the current timestamp to the buffer table, and issues a forwarding command that makes the switch send the ARP request packet out of all ports except the ingress port. If a matching entry is found, i.e. the buffer table already contains a record of this source IP, destination IP and DPID, the packet has already been forwarded by this switch; the controller then ignores the ARP request packet.
As an improvement, the SDN controller periodically scans the buffer table and deletes a record once the age of its timestamp exceeds a predetermined timeout threshold.
Compared with the prior art, the invention has the following characteristics:
1. The flooding storm caused by loops in the network is avoided: even if the SDN topology contains a loop, before an ARP request packet is flooded by any SDN switch the controller first consults the buffer table, and if an entry matching the packet and that switch exists the packet is not forwarded again, so the data storm caused by ARP flooding is eliminated.
2. Network bandwidth is saved: every ARP request packet from a host is sent to the SDN controller as a packet-in when it passes through an SDN switch, and if the controller finds a matching entry in the buffer table the packet is not forwarded again.
3. More network path resources become available: once the data storm problem is suppressed, the Spanning Tree Protocol (STP) is no longer needed to block loop paths in the network; path redundancy increases, and more paths become available for functions such as congestion control, load balancing and multipath transmission.
4. No modification to the ARP mechanism itself or to the ARP request packet is required.
5. The method works with both dynamic and static IP address allocation in a cloud network: using SDN, the main SDN controller monitors and manages the whole network, so ARP storm attacks are monitored and mitigated regularly. From the buffer table of ARP requests kept by the main SDN controller it is also possible to tell which SDN switches forwarded which ARP requests, which improves security.
Drawings
Fig. 1 is a system framework diagram of the flooding suppression method for the ARP protocol under SDN.
Fig. 2 is a flow chart of buffer table recording and querying.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to specific examples.
Referring to Fig. 1 and Fig. 2, the method for suppressing ARP flooding under SDN comprises the following steps:
Step one: preparation stage
The system is initialized: the SDN switch forwarding control module installs default flow entries on all SDN switches, so that every SDN switch reports each new packet that matches no flow entry to the SDN controller.
Step two: buffer table recording and querying stage
A buffer table of ARP requests is added to the SDN controller; each record consists of a source IP, a destination IP, the datapath ID of an SDN switch and the current timestamp. By looking up the buffer table, the controller knows which SDN switches have already forwarded a given ARP request packet.
When an ARP request packet enters a new SDN switch and matches no flow entry, the switch reports it to the SDN controller; the controller extracts the source IP and destination IP of the packet and the datapath ID of the switch, and consults the buffer table:
If no entry for the ARP request packet and the new SDN switch is found, i.e. the buffer table has no record of the packet's source IP and destination IP together with the datapath ID of the new switch, the packet is entering this switch for the first time within the statistics period. The controller adds a record of the packet's source IP and destination IP, the new switch's datapath ID and the current time to the buffer table, and issues a forwarding command to the new switch so that the ARP request packet is sent out of all its ports except the ingress port.
If an entry for the ARP request packet and the new SDN switch is found, i.e. the buffer table contains a record of the packet's source IP and destination IP together with the datapath ID of the new switch, the packet has already been forwarded by that switch. The controller ignores the ARP request and does not instruct the switch to do anything.
This suppresses the data storm problem caused by ARP flooding.
Step three: timeout check stage
A record is deleted from the buffer table when the difference between its creation time and the current check time exceeds a preset timeout threshold. The timeout threshold should be set slightly larger than the time an ARP request packet needs to traverse all SDN switches in the network (5 seconds is the typical recommendation).
The system that realizes ARP flooding suppression under SDN comprises a buffer table recording module, a timeout checking module and an SDN switch forwarding control module. The buffer table recording module adds the buffer table of ARP requests to the SDN controller; the table records which SDN switches forwarded which ARP requests and when. The buffer table recording module contains a periodically triggered timer (once per second is recommended), and each time it fires the timeout checking module runs. The timeout checking module makes the SDN controller scan the buffer table periodically and delete a record once the current time exceeds the record's forwarding time by more than the timeout (e.g. 5 seconds). The SDN switch forwarding control module sends forwarding commands to the SDN switches.
The system is built on an SDN network consisting of an SDN controller and a cluster of SDN switches. An SDN switch reports a new ARP request packet to the SDN controller in a Packet-In message; the controller looks up the buffer table to decide whether to send a Packet-Out message to the switch, i.e. whether to issue a packet forwarding instruction.
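The buffer-table logic of the Disclosure and of steps two and three above, as an added example that is not code from the patent: a small Python model of the controller-side decision (flood the first time a source IP, destination IP and DPID triple is seen, ignore it afterwards, purge records older than the timeout), plus a replay of the packet-in/packet-out exchange on a constructed three-switch ring so that the run with and without the buffer table can be compared. The `ArpBufferTable` class, the `TOPOLOGY` dictionary and the `simulate_arp_request` helper are assumptions of this example; the 5-second timeout is the value the description recommends.

```python
"""Model of the patent's ARP-request buffer table and a packet-in simulation.

Added example, not code from the patent. All class, function and topology
names are constructed for this illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (neighbour DPID, neighbour port) for a switch-to-switch link, None for a host port
Link = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class ArpKey:
    """Lookup key of a buffer-table record: source IP, destination IP, switch DPID."""
    src_ip: str
    dst_ip: str
    dpid: int


class ArpBufferTable:
    """Controller-side table of which switch has already flooded which ARP request."""

    def __init__(self, timeout_s: float = 5.0):
        # 5 s is the timeout the description recommends; it must exceed the time
        # an ARP request needs to circulate through every switch in the network.
        self.timeout_s = timeout_s
        self._records: Dict[ArpKey, float] = {}

    def decide(self, src_ip: str, dst_ip: str, dpid: int, now: float) -> str:
        """Return "FLOOD" the first time a (src, dst, dpid) triple is seen, else "IGNORE"."""
        key = ArpKey(src_ip, dst_ip, dpid)
        if key in self._records:
            return "IGNORE"          # this switch already flooded this request
        self._records[key] = now     # record the forwarding timestamp
        return "FLOOD"

    def purge_expired(self, now: float) -> int:
        """Timeout check: drop records whose age exceeds the threshold; return how many."""
        expired = [k for k, t in self._records.items() if now - t > self.timeout_s]
        for k in expired:
            del self._records[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._records)


# Constructed topology: three switches in a ring (a loop), host on switch 1 port 1.
# dpid -> {port: (neighbour dpid, neighbour port) or None for a host-facing port}
TOPOLOGY: Dict[int, Dict[int, Link]] = {
    1: {1: None, 2: (2, 1), 3: (3, 1)},
    2: {1: (1, 2), 2: (3, 2)},
    3: {1: (1, 3), 2: (2, 2)},
}


def simulate_arp_request(topology: Dict[int, Dict[int, Link]], src_ip: str, dst_ip: str,
                         origin_dpid: int, origin_port: int,
                         table: Optional[ArpBufferTable] = None,
                         max_events: int = 1000) -> Dict[str, int]:
    """Replay the packet-in / packet-out exchange for one ARP request.

    Every packet-in is handed to the controller; a FLOOD answer sends the packet out of
    every port except the ingress port, which raises new packet-ins on the neighbouring
    switches. With table=None the controller always floods (the unsuppressed case);
    max_events caps the run so that a storm terminates and is reported as truncated.
    """
    pending = deque([(origin_dpid, origin_port)])
    stats = {"packet_in": 0, "flood": 0, "ignore": 0, "truncated": 0}
    now = 0.0  # one request completes well inside a single timeout window
    while pending:
        if stats["packet_in"] >= max_events:
            stats["truncated"] = 1
            break
        dpid, in_port = pending.popleft()
        stats["packet_in"] += 1
        action = "FLOOD" if table is None else table.decide(src_ip, dst_ip, dpid, now)
        if action == "IGNORE":
            stats["ignore"] += 1
            continue
        stats["flood"] += 1
        for port, link in topology[dpid].items():
            if port == in_port or link is None:
                continue               # never back out the ingress port; host ports end the chain
            pending.append(link)       # the neighbour receives the packet and raises a packet-in
    return stats


if __name__ == "__main__":
    storm = simulate_arp_request(TOPOLOGY, "10.0.0.1", "10.0.0.2", 1, 1, table=None)
    calm = simulate_arp_request(TOPOLOGY, "10.0.0.1", "10.0.0.2", 1, 1, table=ArpBufferTable())
    print("without buffer table:", storm)   # never converges, cut off at max_events
    print("with buffer table:   ", calm)    # 5 packet-ins, 3 floods, 2 ignored
```

On the ring, the unsuppressed run never drains its packet-in queue (each flood re-injects the request into the loop), while with the buffer table every switch floods exactly once and the two packets that come back around the ring are ignored. The same key (source IP, destination IP, DPID) is what lets the table distinguish a looped copy from a genuinely new request, and `purge_expired` is what allows a legitimate re-request after the timeout.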
It should be noted that, although the above-mentioned embodiments of the present invention are illustrative, the present invention is not limited thereto, and thus the present invention is not limited to the above-mentioned embodiments. Other embodiments, which can be made by those skilled in the art in light of the teachings of the present invention, are considered to be within the scope of the present invention without departing from its principles.
Claims (2)
1. A flooding suppression method for the ARP protocol under SDN, characterized in that:
adding a buffer table of ARP requests in the SDN controller, wherein each record of the buffer table consists of a source IP, a destination IP, a data path number of an SDN switch and a current timestamp;
when the ARP request packet enters the SDN switch and is reported to the SDN controller, the SDN controller extracts a source IP and a destination IP of the ARP request packet and a data path number of the SDN switch, and consults a buffer table:
if the matched table entry of the ARP request packet and the SDN switch is not found, namely the buffer table does not have records about the source IP and the destination IP of the ARP request packet and the data path number of the SDN switch, the ARP request packet is indicated to enter the SDN switch for the first time; at this time, the SDN controller adds a source IP and a destination IP related to the ARP request packet, a data path number of the SDN switch and a record of a current timestamp in a buffer table, issues a forwarding command to the SDN switch, and enables the SDN switch to send the ARP request packet out of all ports except an entrance port;
if the matched table entry of the ARP request packet and the SDN switch is found, namely a buffer table contains a source IP and a destination IP of the ARP request packet and records of a data path number of the SDN switch, the ARP request packet is indicated to be forwarded by the SDN switch; at this point, the SDN controller ignores the ARP request packet.
2. The method as claimed in claim 1, wherein the SDN controller periodically refers to the buffer table, and deletes a record from the buffer table when a current timestamp of the record in the buffer table exceeds a predetermined timeout threshold.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110663842.5A CN113382008B (en) | 2021-06-16 | 2021-06-16 | Flooding suppression method for ARP protocol under SDN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113382008A CN113382008A (en) | 2021-09-10 |
CN113382008B true CN113382008B (en) | 2022-03-25 |
Family ID: 77574499
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110663842.5A Active CN113382008B (en) | 2021-06-16 | 2021-06-16 | Flooding suppression method for ARP protocol under SDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113382008B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104168213A (en) * | 2014-08-18 | 2014-11-26 | 福建星网锐捷网络有限公司 | Data message processing method and device and network equipment in two-layer Internet |
CN108028801A (en) * | 2015-07-27 | 2018-05-11 | 华为技术有限公司 | An SDN-based ARP implementation method and device |
CN110752998A (en) * | 2019-09-10 | 2020-02-04 | 广州西麦科技股份有限公司 | ARP message processing method and related device |
CN111181850A (en) * | 2019-08-12 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Data packet flooding suppression method, device and equipment and computer storage medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10673736B2 (en) * | 2017-04-25 | 2020-06-02 | Cisco Technology, Inc. | Traffic reduction in data center fabrics |
US10831920B2 (en) * | 2018-01-05 | 2020-11-10 | Nicira, Inc. | Filter-based control information query in software-defined networking (SDN) environments |
Application events
2021-06-16: CN application CN202110663842.5A filed; granted as patent CN113382008B (status: Active)
Non-Patent Citations (2)
Title |
---|
"FICUR: Employing SDN programmability to secure ARP"; Ajay Nehra et al.; 2017 CCWC; 20170109; full text * |
"A survey of resource-consumption attacks and defenses in software-defined networking"; 徐建峰 (Xu Jianfeng) et al.; Journal of Cyber Security (信息安全学报); 20200715 (Issue 04); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN113382008A (en) | 2021-09-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3923551A1 (en) | Method and system for entrapping network threat, and forwarding device | |
US11223579B2 (en) | Data processing method, network interface card, and server | |
US9455956B2 (en) | Load balancing in a network with session information | |
US8767735B2 (en) | System and method for multi-chassis link aggregation | |
US8913489B2 (en) | System and method for virtual fabric link failure recovery | |
US9448821B2 (en) | Method and system for realizing virtual machine mobility | |
EP2060067B1 (en) | Ethernet switching | |
EP2832059B1 (en) | System and method for virtual fabric link failure recovery | |
US8345699B2 (en) | System and method for enabling a remote instance of a loop avoidance protocol | |
US20040213272A1 (en) | Layer 2 switching device | |
US9743367B2 (en) | Link layer discovery protocol (LLDP) on multiple nodes of a distributed fabric | |
WO2008080314A1 (en) | A method, forwarding engine and communication device for message acces control | |
CN113382008B (en) | Flooding suppression method for ARP protocol under SDN | |
CN113612698A (en) | Data packet sending method and device | |
CN110177060B (en) | Active defense method for time sequence side channel attack of SDN network | |
Hussain et al. | A dynamic multipath scheduling protocol (DMSP) for full performance isolation of links in software defined networking (SDN) | |
CN111884922A (en) | Local forwarding system for cross-device link aggregation | |
EP4325800A1 (en) | Packet forwarding method and apparatus | |
US10257087B2 (en) | Communication device and communication method | |
KR101914831B1 (en) | SDN to prevent an attack on the host tracking service and controller including the same | |
US11888741B2 (en) | Management of network addresses | |
KR101202702B1 (en) | Method for avoiding unicast flooding in a redundant network therfor network system | |
WO2023201125A2 (en) | Mechanism to optimize mass switching triggered by cloud dc site failures or degradation | |
Raghavan et al. | BRP: A new learning bridge for OSInet |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |