CN115499392A - Tenant isolation service method and device, and electronic equipment - Google Patents


Info

Publication number
CN115499392A
Authority
CN
China
Legal status
Pending
Application number
CN202211009618.5A
Other languages
Chinese (zh)
Inventor
李明
郭民
盖鹏鹏
施志龙
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H04L 49/70 Virtual switches (H04L 49/00 Packet switching elements)
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L 12/46 Interconnection of networks; H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks])
    • H04L 45/34 Source routing (H04L 45/00 Routing or path finding of packets in data switching networks)
    • H04L 49/354 Switches specially adapted for supporting virtual local area networks [VLAN] (H04L 49/35 Switches specially adapted for specific applications)


Abstract

The application discloses a tenant isolation service method and device in the field of communications. The method comprises the following steps: an access network element parses a received SRv6 packet and takes the SID carried in the packet header together with the Qinq information carried in the packet as tenant identification information; it queries a pre-configured packet forwarding table with the tenant identification information as the index key, determines the virtualized terminal equipment network element matching that tenant identification information, and passes the parsed packet body and the tenant identification information to that network element; the virtualized terminal equipment network element looks up the tenant configuration information matching the tenant identification information and then executes, for the corresponding tenant, the network service matching the packet body according to the configuration found. Because the packet forwarding table and the tenant configuration information are stored and retrieved per tenant, with the SID and Qinq information serving as the tenant identification information, tenant data and services are effectively isolated.

Description

Tenant isolation service method and device, and electronic equipment
Technical Field
The present application relates to the field of communications technologies, and in particular to a tenant isolation service method and apparatus, an electronic device, and a computer-readable storage medium.
Background
In the network virtual switching system scheme, the local area network in a user's premises is extended to the cloud through a cloud gateway channel; all internet traffic converges at the cloud gateway, which forwards and controls it and steers it to specific destinations according to user requirements such as cloud security, cloud entertainment, cloud storage, cloud internet of things and other smart home services. The network virtual switching system turns cloud network access into a software service capability: the routing and switching capability of the original optical modem moves into the network virtual switching system, each broadband user is given a routed network access mode through the virtualization capability of the computing equipment, and the result is more flexible than a physical gateway. A network virtual switching system implemented through virtualization must provide the network service functions of the optical modem; for example, it must process data traffic from different users. How to realize multi-tenant isolation in a network virtual switching system is a technical difficulty of virtualization, and different tenant isolation service methods are needed for different access protocols.
In the prior art, no method has been found that implements tenant isolation on both the WAN (Wide Area Network) side and the LAN (Local Area Network) side in an SRv6 access scenario.
Disclosure of Invention
The embodiments of the present application provide a tenant isolation service method and apparatus that can realize multi-tenant isolation on the WAN side and the LAN side simultaneously in a scenario where the SRv6 protocol is accessed.
In a first aspect, an embodiment of the present application provides a tenant isolation service method applied to a network virtual switching system comprising an access network element and a virtualized terminal equipment network element, the method comprising:
the access network element parses the received SRv6 packet to obtain tenant identification information, wherein the tenant identification information comprises information planned for the tenant in advance, namely a SID and Qinq information, the SID being a LAN-side SID or a WAN-side SID;
the access network element queries a pre-configured packet forwarding table with the tenant identification information as the index key and determines the virtualized terminal equipment network element matching the tenant identification information;
the access network element transmits the packet body corresponding to the SRv6 packet and the tenant identification information to the determined virtualized terminal equipment network element;
the virtualized terminal equipment network element looks up the tenant configuration information matching the tenant identification information according to the tenant identification information;
and the virtualized terminal equipment network element executes, for the tenant corresponding to the tenant identification information, the network service matching the packet body according to the tenant configuration information found.
Optionally, the access network element parsing the received SRv6 packet to obtain tenant identification information comprises:
the access network element parses the last-hop IP address in the header of the received SRv6 packet to obtain the SID, and parses the original packet carried in the SRv6 packet to obtain the tenant private-network VLAN identifier and the operator-network VLAN identifier;
and the SID, the tenant private-network VLAN identifier and the operator-network VLAN identifier are used as the tenant identification information carried in the SRv6 packet.
Optionally, the access network element parsing the last-hop IP address in the header of the received SRv6 packet to obtain the SID comprises any one of the following methods:
the access network element parses the header of the received SRv6 packet and takes the last-hop IP address carried in the header as the SID;
the access network element parses the header of the received SRv6 packet and takes the Function field of the last-hop IP address carried in the header as the SID;
the access network element parses the header of the received SRv6 packet and takes, as the SID, the address bits of the Function field of the last-hop IP address into which the tenant's preset network identifier was addressed.
Optionally, the access network element transmitting the packet body corresponding to the SRv6 packet and the tenant identification information to the determined virtualized terminal equipment network element comprises:
the access network element carries the tenant identification information in a packet extension space, encapsulates a packet that comprises the packet body corresponding to the SRv6 packet, and transmits the encapsulated packet to the determined virtualized terminal equipment network element.
Optionally, before the access network element parses the received SRv6 packet to obtain the tenant identification information, the method further comprises:
storing a packet forwarding table in the access network element, wherein the index key of the packet forwarding table is the LAN-side SID or WAN-side SID of the corresponding tenant together with its Qinq information, and the value is a packet forwarding mechanism carrying the identifier of the virtualized terminal equipment network element;
storing a tenant configuration information table in the virtualized terminal equipment network element, wherein the index key of the tenant configuration information table is the LAN-side SID and WAN-side SID of the corresponding tenant together with its Qinq information, and the value is the tenant configuration information of the corresponding tenant.
Optionally, the virtualized terminal equipment network element looking up the tenant configuration information matching the tenant identification information according to the tenant identification information comprises:
the virtualized terminal equipment network element determines an index key according to the tenant identification information, queries the pre-configured tenant configuration information table, and determines the tenant configuration information matching the tenant identification information.
Optionally, the virtualized terminal equipment network element determining an index key according to the tenant identification information, querying the pre-configured tenant configuration information table, and determining the tenant configuration information matching the tenant identification information comprises:
in response to the SRv6 packet being a control packet, the virtualized terminal equipment network element queries the pre-configured tenant configuration information table with the tenant identification information as the index key and determines the tenant configuration information;
in response to the SRv6 packet being a data packet sent from the LAN side, the virtualized terminal equipment network element converts the SID in the tenant identification information into the WAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information;
and in response to the SRv6 packet being a data packet sent from the WAN side, the virtualized terminal equipment network element converts the SID in the tenant identification information into the LAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information.
Optionally, the virtualized terminal equipment network element executing, for the corresponding tenant identification information, the network service matching the packet body according to the tenant configuration information found comprises:
in response to the parsed SID being a LAN-side SID, the virtualized terminal equipment network element performs uplink traffic statistics based on that SID;
and in response to the parsed SID being a WAN-side SID, the virtualized terminal equipment network element performs downlink traffic statistics based on the WAN-side SID.
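The two pre-stored tables and the LAN/WAN SID conversion described in the optional steps above, as an added Python model that is not part of the patent or of any China Telecom implementation. The tenant rows, SIDs (shortened to 64-bit integers) and VLAN ids are constructed, and the tenant configuration table is modelled as rows keyed by (LAN SID, WAN SID, PVLAN_ID, CVLAN_ID) that can be matched by either SID together with the Qinq pair, which is an assumption about how the page's "index key" is applied.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantKey:
    """Tenant identification information parsed from one SRv6 packet: a SID plus the Qinq pair."""
    sid: int        # LAN-side SID for packets from the LAN, WAN-side SID for packets from the WAN
    pvlan_id: int   # tenant private-network VLAN id (PVLAN_ID)
    cvlan_id: int   # operator-network VLAN id (CVLAN_ID)


@dataclass(frozen=True)
class TenantConfig:
    """One planned row of the tenant configuration information table (all values constructed)."""
    tenant: str
    lan_sid: int
    wan_sid: int
    pvlan_id: int
    cvlan_id: int
    services: tuple[str, ...]


class AccessNetworkElement:
    """vSwitch: packet forwarding table indexed by (LAN or WAN SID, Qinq) -> vCPE identifier."""

    def __init__(self) -> None:
        self.forwarding_table: dict[TenantKey, str] = {}

    def configure(self, cfg: TenantConfig, vcpe_id: str) -> None:
        for sid in (cfg.lan_sid, cfg.wan_sid):
            self.forwarding_table[TenantKey(sid, cfg.pvlan_id, cfg.cvlan_id)] = vcpe_id

    def select_vcpe(self, key: TenantKey) -> str | None:
        # A key with no planned entry identifies no tenant: the packet is forwarded nowhere.
        return self.forwarding_table.get(key)


class VirtualizedTerminalElement:
    """vCPE: tenant configuration table indexed by (LAN SID, WAN SID, Qinq), plus per-SID counters."""

    def __init__(self) -> None:
        self.table: dict[tuple[int, int, int, int], TenantConfig] = {}
        self.uplink_bytes: dict[int, int] = defaultdict(int)    # counted on the LAN-side SID
        self.downlink_bytes: dict[int, int] = defaultdict(int)  # counted on the WAN-side SID

    def configure(self, cfg: TenantConfig) -> None:
        self.table[(cfg.lan_sid, cfg.wan_sid, cfg.pvlan_id, cfg.cvlan_id)] = cfg

    def _query(self, key: TenantKey) -> TenantConfig | None:
        """Match a single-SID key: the SID must be the row's LAN or WAN SID and the Qinq pair must match."""
        for (lan_sid, wan_sid, pvlan_id, cvlan_id), cfg in self.table.items():
            if (pvlan_id, cvlan_id) == (key.pvlan_id, key.cvlan_id) and key.sid in (lan_sid, wan_sid):
                return cfg
        return None

    def _convert_sid(self, key: TenantKey, direction: str) -> TenantKey | None:
        """Swap the key's SID for the other side's SID using the prestored table; None if no row fits."""
        for lan_sid, wan_sid, pvlan_id, cvlan_id in self.table:
            if (pvlan_id, cvlan_id) != (key.pvlan_id, key.cvlan_id):
                continue
            if direction == "lan_to_wan" and key.sid == lan_sid:
                return TenantKey(wan_sid, pvlan_id, cvlan_id)
            if direction == "wan_to_lan" and key.sid == wan_sid:
                return TenantKey(lan_sid, pvlan_id, cvlan_id)
        return None

    def lookup(self, key: TenantKey, msg_type: str) -> TenantConfig | None:
        """The three cases on the page: control packets query directly, data packets convert the SID first."""
        if msg_type == "control":
            return self._query(key)
        if msg_type == "lan_data":
            converted = self._convert_sid(key, "lan_to_wan")
        elif msg_type == "wan_data":
            converted = self._convert_sid(key, "wan_to_lan")
        else:
            raise ValueError(f"unknown message type {msg_type!r}")
        return self._query(converted) if converted is not None else None

    def serve(self, key: TenantKey, msg_type: str, body_len: int) -> tuple[str, tuple[str, ...]] | None:
        """Run the matched tenant's services and account the traffic; None means no tenant matched."""
        cfg = self.lookup(key, msg_type)
        if cfg is None:
            return None
        if key.sid == cfg.lan_sid:
            self.uplink_bytes[cfg.lan_sid] += body_len     # parsed SID was the LAN-side SID
        elif key.sid == cfg.wan_sid:
            self.downlink_bytes[cfg.wan_sid] += body_len   # parsed SID was the WAN-side SID
        return cfg.tenant, cfg.services


# Constructed planning data: two tenants sharing PVLAN_ID 100 but with different SIDs and operator VLAN.
TENANT_A = TenantConfig("tenant-a", 0x20010DB8000100A1, 0x20010DB8000200A1, 100, 2001, ("nat", "firewall"))
TENANT_B = TenantConfig("tenant-b", 0x20010DB8000100B1, 0x20010DB8000200B1, 100, 2002, ("nat",))


def build_system() -> tuple[AccessNetworkElement, VirtualizedTerminalElement]:
    """Step 100 on the page: both tables are stored before any packet is parsed."""
    vswitch, vcpe = AccessNetworkElement(), VirtualizedTerminalElement()
    for cfg in (TENANT_A, TENANT_B):
        vswitch.configure(cfg, "vcpe-1")
        vcpe.configure(cfg)
    return vswitch, vcpe
```

A key that reuses one tenant's VLAN pair with another tenant's SID matches neither table, which is the isolation property the combined (SID, Qinq) key is meant to give.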
In a second aspect, an embodiment of the present application provides a tenant isolation service apparatus applied to a network virtual switching system comprising an access network element and a virtualized terminal equipment network element, the apparatus comprising:
a tenant identification information acquisition module, configured to parse the received SRv6 packet through the access network element to obtain tenant identification information, wherein the tenant identification information comprises information planned for the tenant in advance, namely a SID and Qinq information, the SID being a LAN-side SID or a WAN-side SID;
a virtualized terminal equipment network element determining module, configured to query, through the access network element, a pre-configured packet forwarding table with the tenant identification information as the index key and to determine the virtualized terminal equipment network element matching the tenant identification information;
an information transmission module, configured to transmit, through the access network element, the packet body corresponding to the SRv6 packet and the tenant identification information to the determined virtualized terminal equipment network element;
a tenant configuration information searching module, configured to look up, through the virtualized terminal equipment network element, the tenant configuration information matching the tenant identification information according to the tenant identification information;
and a tenant isolation service module, configured to execute, through the virtualized terminal equipment network element and for the corresponding tenant identification information, the network service matching the packet body according to the tenant configuration information found.
Optionally, the tenant identification information acquisition module is further configured such that:
the access network element parses the last-hop IP address in the header of the received SRv6 packet to obtain the SID, and parses the original packet carried in the SRv6 packet to obtain the tenant private-network VLAN identifier and the operator-network VLAN identifier;
and the SID, the tenant private-network VLAN identifier and the operator-network VLAN identifier are used as the tenant identification information carried in the SRv6 packet.
Optionally, the access network element parsing the last-hop IP address in the header of the received SRv6 packet to obtain the SID comprises any one of the following methods:
the access network element parses the header of the received SRv6 packet and takes the last-hop IP address carried in the header as the SID;
the access network element parses the header of the received SRv6 packet and takes the Function field of the last-hop IP address carried in the header as the SID;
the access network element parses the header of the received SRv6 packet and takes, as the SID, the address bits of the Function field of the last-hop IP address into which the tenant's preset network identifier was addressed.
Optionally, the information transmission module is further configured such that:
the access network element carries the tenant identification information in a packet extension space, encapsulates a packet that comprises the packet body corresponding to the SRv6 packet, and transmits the encapsulated packet to the determined virtualized terminal equipment network element.
Optionally, the apparatus further comprises a configuration module, wherein:
the configuration module is configured to store a packet forwarding table in the access network element, wherein the index key of the packet forwarding table is the LAN-side SID or WAN-side SID of the corresponding tenant together with its Qinq information, and the value is a packet forwarding mechanism carrying the identifier of the virtualized terminal equipment network element;
and the configuration module is further configured to store a tenant configuration information table in the virtualized terminal equipment network element, wherein the index key of the tenant configuration information table is the LAN-side SID and WAN-side SID of the corresponding tenant together with its Qinq information, and the value is the tenant configuration information of the corresponding tenant.
Optionally, the tenant configuration information searching module is further configured such that:
the virtualized terminal equipment network element determines an index key according to the tenant identification information, queries the pre-configured tenant configuration information table, and determines the tenant configuration information matching the tenant identification information.
Optionally, the virtualized terminal equipment network element determining an index key according to the tenant identification information, querying the pre-configured tenant configuration information table, and determining the tenant configuration information matching the tenant identification information comprises:
in response to the SRv6 packet being a control packet, the virtualized terminal equipment network element queries the pre-configured tenant configuration information table with the tenant identification information as the index key to determine the tenant configuration information;
in response to the SRv6 packet being a data packet sent from the LAN side, the virtualized terminal equipment network element converts the SID in the tenant identification information into the WAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information;
and in response to the SRv6 packet being a data packet sent from the WAN side, the virtualized terminal equipment network element converts the SID in the tenant identification information into the LAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information.
Optionally, the tenant isolation service module is further configured such that:
in response to the parsed SID being a LAN-side SID, the virtualized terminal equipment network element performs uplink traffic statistics based on that SID;
and in response to the parsed SID being a WAN-side SID, the virtualized terminal equipment network element performs downlink traffic statistics based on the WAN-side SID.
In a third aspect, an embodiment of the present application further discloses an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the tenant isolation service method of the embodiments of the present application.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, performs the steps of the tenant isolation service method disclosed in the embodiments of the present application.
The tenant isolation service method disclosed in the embodiments of the present application is applied to a network virtual switching system comprising an access network element and a virtualized terminal equipment network element. The SID and Qinq information are used as tenant identification information, and the SID is addressed into the header of the SRv6 packet, so that the access network element, by parsing the received SRv6 packet, obtains the SID carried in the SRv6 packet header and the Qinq information carried in the packet, and thereby the tenant identification information. The access network element then queries the pre-configured packet forwarding table with the tenant identification information as the index key, determines the virtualized terminal equipment network element matching the tenant identification information, and transmits the packet body corresponding to the SRv6 packet and the tenant identification information to that network element; the virtualized terminal equipment network element looks up the tenant configuration information matching the tenant identification information and executes, for the corresponding tenant, the network service matching the packet body according to the configuration found, thereby effectively realizing tenant isolation service in an SRv6 access scenario.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the present application can be understood more clearly and implemented according to the content of this description, and so that the above and other objects, features and advantages of the present application become more readily apparent, a detailed description of the present application follows.
Drawings
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Fig. 1 is a first flowchart of a tenant isolation service method in an embodiment of the present application;
Fig. 2 is a schematic diagram of the application system architecture of a tenant isolation service method in an embodiment of the present application;
Fig. 3 is a second flowchart of a tenant isolation service method in an embodiment of the present application;
Fig. 4 is a first schematic structural diagram of a tenant isolation service apparatus in an embodiment of the present application;
Fig. 5 is a second schematic structural diagram of a tenant isolation service apparatus in an embodiment of the present application;
Fig. 6 schematically shows a block diagram of an electronic device for performing a method according to the present application; and
Fig. 7 schematically shows a storage unit for holding or carrying program code implementing a method according to the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As shown in Fig. 1, the tenant isolation service method disclosed in the embodiment of the present application is applied to a network virtual switching system and comprises steps 110 to 150.
Referring to Fig. 2, the network virtual switching system comprises an access network element 210 (i.e., the vSwitch) and at least one virtualized terminal equipment network element 220 (hereinafter the vCPE). Each virtualized terminal equipment network element 220 may handle the network functions related to network services for several tenants. During operation of the network virtual switching system, the access network element 210 receives and sends SRv6 packets and forwards them.
A specific implementation of the tenant isolation service method disclosed in the embodiment of the present application is described below with reference to the network virtual switching system shown in Fig. 2.
Step 110: the access network element parses the received SRv6 packet to obtain tenant identification information.
The tenant identification information comprises the following information planned for the tenant in advance: a SID and Qinq information, the SID being a LAN-side SID or a WAN-side SID.
Before the tenant's broadband service is activated, network management personnel plan according to the network environment of the tenant's cell: they plan the LAN-side SID and WAN-side SID the tenant may use, the tenant private-network VLAN identifier, the operator-network VLAN identifier and so on, and configure for the tenant the tenant configuration information that guarantees the user's access to network services.
The network virtual switching system is the channel for network communication between a tenant (that is, a user of network services) and the cloud server. When the tenant accesses an internet service through terminal equipment, the terminal equipment generates the corresponding request and sends it to the network virtual switching system; the network virtual switching system generates a packet according to the preset protocol and link layer, sends the generated packet to the specified server, and transmits it in the cloud. The network virtual switching system also processes received packets: by parsing and distributing them, it lets the tenant's terminal equipment receive the packets fed back or pushed by the cloud service. In this process the network virtual switching system can accept different protocols; this application describes the tenant isolation service method the network virtual switching system executes in the scenario where it accepts the SRv6 protocol.
In some embodiments of the present application, the analyzing, by the access network element, the received SRv6 protocol packet to obtain tenant identification information includes: the access network element analyzes the last hop IP address of the message header of the received SRv6 protocol message to obtain SID, and analyzes the original message of the SRv6 protocol message to obtain a tenant private network VLAN identifier and an operator network VLAN identifier; and using the SID, the VLAN identifier of the tenant private network and the VLAN identifier of the operator network as tenant identification information carried in the SRv6 protocol message.
In order to identify a network session, a message exchanged between a terminal device of a tenant and a network server needs to carry tenant identification information for distinguishing different tenants. In the embodiment of the application, the SID of the tenant is carried in the message header of the SRv6, and the Qinq information of the tenant is carried in the original message, so that the tenant identification information is carried in the message.
The SRv6 technology is a technology that uses the existing IPv6 forwarding technology to implement the processing similar to label forwarding by extending the header field of the IPv6 packet. In the SRv6, each Segment is identified by SID (Segment ID), which is a special IPv6 address and has both routing capability of ordinary IPv6 address and behavior capability specific to SRv 6. Each SRv6 node maintains a SID table (actually part of the routing table) consisting of a number of 128-bit SIDs in the following standard format: locator + Function (Args). In some embodiments of the present application, when a packet is generated, the SID of a tenant is compiled into a last hop destination address of a packet header of an SRv6 protocol packet, so as to transmit the SID of the tenant in a network.
As known in the prior art, in the IPv6 with SRH (Segment Routing Header), i.e. SR Header, the SRH encapsulates the IPv6 address of each hop, which is used to control the packet forwarding path. In the embodiment of the present application, the IP address of the tenant, that is, the destination address of the packet, may be wholly encapsulated in the last hop IP address of the SRH as the SID of the tenant. In other embodiments of the present application, a preset network identifier of the tenant (a unique identity identifier of the tenant in the WAN network, such as a VxLAND ID) may also be addressed to a specified address bit (such as the previous 28 bits) of a Function field in the last hop IP address of the SRH, so as to implement transmission of the tenant identification information in the message. In some embodiments of the present application, other unique identifiers of tenants may also be addressed in the entire Function field.
Correspondingly, after a message is received, the SRv6 protocol message needs to be analyzed according to an analysis mode corresponding to the SID compilation method, so as to obtain the last hop destination address of the message header, thereby obtaining the SID of the tenant.
In some embodiments of the present application, the analyzing, by the access network element, a last hop IP address of a header of a received SRv6 protocol packet to obtain an SID includes any one of the following methods: the access network element analyzes a message header of a received SRv6 protocol message, and takes a last hop IP address carried by the message header as SID; the access network element analyzes a message header of a received SRv6 protocol message, and takes a Function field of a last hop IP address carried by the message header as SID; the access network element analyzes a message header of a received SRv6 protocol message, and takes an address bit (such as the first 28 bits of the Function field) which is obtained by addressing a Function field of a tenant in the Function field in a last hop IP address carried by the message header as SID. The method for analyzing the message header of the SRv6 protocol message to obtain the SID corresponds to the SID addressing method of the last hop in the message header, and the method for analyzing the message header refers to the foregoing addressing method, which is not described herein again.
According to the method, the SID carried in the message header can be obtained. If the message is from the WAN side, the SID carried in the message header is the WAN side SID of the corresponding tenant, and if the message is from the LAN side, the SID carried in the message header is the LAN side SID of the corresponding tenant.
Further, by further decapsulating the packet, the QinQ information carried in the original packet, that is, the tenant private network VLAN identifier PVLAN_ID and the operator network VLAN identifier CVLAN_ID, can be obtained through parsing.
In the embodiment of the application, the SID and QinQ information obtained by parsing the message are used as tenant identification information for distinguishing tenants.
Step 120, the access network element queries a pre-configured message forwarding table using the tenant identification information as an index key, and determines the virtualized terminal equipment network element matched with the tenant identification information.
As described above, before the tenant broadband is opened, the network administrator of the operator plans, according to the tenant cell network environment, the LAN side SID and WAN side SID available to the tenant and the QinQ information (for example, the tenant private network VLAN identifier, i.e., PVLAN_ID, and the operator network VLAN identifier, i.e., CVLAN_ID), and configures for the tenant the tenant configuration information that guarantees the user's access to the network service, for subsequent query in the stages of message forwarding and network service processing.
As shown in fig. 3, before the access network element parses the received SRv6 protocol packet to obtain the tenant identification information, the method further includes: step 100.
Step 100, storing a message forwarding table in the access network element, wherein the index key of the message forwarding table is: the LAN side SID or WAN side SID of the corresponding tenant, together with the QinQ information; and the value is: a message forwarding mechanism carrying the network element identifier of the virtualized terminal equipment.
For example, before the tenant broadband is opened, network management personnel plan, according to the network environment of the tenant cell, the usable LAN side SID, WAN side SID, and QinQ information. The QinQ information includes: the operator network VLAN identifier, i.e. CVLAN_ID, and the tenant private network VLAN identifier, i.e. PVLAN_ID.
The QinQ technique encapsulates an outer VLAN tag of the operator network before the user packet enters the operator network, and treats the original VLAN tag in the user packet as data, so that the packet carries two layers of VLAN tags while traversing the operator network. In the embodiment of the present application, SID + QinQ information is used as the tenant identification information.
Network management personnel can configure the access network element by issuing a configuration signaling or in a command line mode so as to trigger the access network element to store a message forwarding table comprising a plurality of table entries in a local data storage unit.
The message forwarding table uses SID + QinQ information (including the SID, the operator network VLAN ID CVLAN_ID, and the tenant private network VLAN ID PVLAN_ID) as the index key, and a message forwarding mechanism as the value. The message forwarding mechanism at least comprises the network element identifier of the vCPE network element to which the message needs to be forwarded for processing.
In the embodiment of the application, the message forwarding table comprises an uplink message forwarding table and a downlink message forwarding table. In the uplink message forwarding table, the SID is the WAN side SID of the tenant, and in the downlink message forwarding table, the SID is the LAN side SID of the tenant.
In some embodiments of the present application, the network virtual switching system provides a fast query interface for the packet forwarding table. The fast query interface is a KEY-VALUE fast lookup algorithm, where the KEY is composed of the tenant identification information (SID + QinQ information) and the VALUE is an index into the forwarding table. The message forwarding table is queried through the tenant identification information to obtain the forwarding entry of the message, so that message forwarding is directed according to that entry.
In the message interaction process, for a message received from the WAN side, the access network element 310 parses tenant identification information carried in the message, and then schedules traffic according to a pre-configured message forwarding table, for example, repackages the message and forwards the repackaged message to the designated virtualized terminal device network element 320. Then, the virtualized terminal device network element 320 completes network function processing of tenant traffic according to the message sent by the access network element 310. For another example, for a message received from the LAN side, the access network element 310 encapsulates the message, and then performs message sending according to the link address specified in the message.
After acquiring the tenant identification information by analyzing the message, the access network element further queries a preconfigured message forwarding table based on the tenant identification information to determine a virtualized terminal device network element matched with the tenant identification information. For example, a fast query interface of a message forwarding table may be provided through a network virtual switching system, and the obtained tenant identification information is used as a KEY to query a corresponding VALUE, that is, an index of the forwarding table. Further, the message forwarding mechanism of the corresponding tenant is obtained through the index of the forwarding table. In some embodiments of the present application, the message forwarding mechanism at least includes an identifier of the vCPE, and is configured to direct the access network element to send the message information to a corresponding vCPE network element (that is, a virtualized terminal device network element) for processing.
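The steps above (parse the last-hop SID of the SRH in one of the three encodings, read the two QinQ tags, and look the resulting key up in the forwarding table) as an added worked example in Python; this is not code from the patent or from any product. It assumes a SID layout of 64-bit Locator, 32-bit Function and 32-bit Args (the page fixes none), an Ethernet frame as the SRv6 payload, and constructed sample values for the SID, VLAN IDs and vCPE name.

```python
import struct
import ipaddress
from enum import Enum

# Assumed SID layout (the page fixes none): 64-bit Locator, 32-bit Function, 32-bit Args.
LOCATOR_BITS = 64
FUNCTION_BITS = 32
FUNCTION_PREFIX_BITS = 28        # "first 28 bits of the Function field" in the text

IPV6_NEXT_HEADER_ROUTING = 43
NEXT_HEADER_ETHERNET = 143       # IANA protocol number for an Ethernet frame carried in IPv6
SRH_ROUTING_TYPE = 4
ETHERTYPE_QINQ = 0x88A8
ETHERTYPE_VLAN = 0x8100
# Constructed tenant SID address: locator 2001:db8:1:1, Function field 0x0ABCDEF1, Args 0
SAMPLE_SID_ADDR = ipaddress.IPv6Address("2001:db8:1:1:abc:def1::").packed


class SidMode(Enum):
    FULL_ADDRESS = 1     # the whole last-hop IPv6 address is the SID
    FUNCTION_FIELD = 2   # only the Function field of that address
    FUNCTION_PREFIX = 3  # the first FUNCTION_PREFIX_BITS bits of the Function field


def parse_srh_last_hop(pkt: bytes):
    """Return (inner next header, last-hop address bytes, payload) from an IPv6 packet with an SRH."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != IPV6_NEXT_HEADER_ROUTING:
        raise ValueError("IPv6 next header is not a routing header")
    nh, hdr_ext_len, rtype, _seg_left, last_entry, _flags, _tag = struct.unpack_from("!BBBBBBH", pkt, 40)
    if rtype != SRH_ROUTING_TYPE:
        raise ValueError("routing header is not an SRH")
    srh_len = (hdr_ext_len + 1) * 8
    n_segs = (srh_len - 8) // 16
    if n_segs == 0 or last_entry >= n_segs or len(pkt) < 40 + srh_len:
        raise ValueError("malformed SRH")
    # RFC 8754: Segment List[0] holds the final segment of the path, i.e. the last hop
    return nh, pkt[48:64], pkt[40 + srh_len:]


def sid_from_last_hop(addr: bytes, mode: SidMode):
    """Extract the tenant SID from the last-hop address with one of the three encodings in the text."""
    if mode is SidMode.FULL_ADDRESS:
        return str(ipaddress.IPv6Address(addr))
    value = int.from_bytes(addr, "big")
    function = (value >> (128 - LOCATOR_BITS - FUNCTION_BITS)) & ((1 << FUNCTION_BITS) - 1)
    if mode is SidMode.FUNCTION_FIELD:
        return function
    return function >> (FUNCTION_BITS - FUNCTION_PREFIX_BITS)


def parse_qinq(frame: bytes):
    """Return (CVLAN_ID, PVLAN_ID) from a double-tagged Ethernet frame.
    Page convention: outer tag = operator network VLAN (CVLAN_ID), inner tag = tenant private VLAN (PVLAN_ID)."""
    vids, off = [], 12                    # skip destination and source MAC
    while len(vids) < 2:
        ethertype, tci = struct.unpack_from("!HH", frame, off)
        if ethertype not in (ETHERTYPE_QINQ, ETHERTYPE_VLAN):
            raise ValueError("expected two VLAN tags, found %d" % len(vids))
        vids.append(tci & 0x0FFF)         # 12-bit VLAN ID; PCP/DEI bits dropped
        off += 4
    return vids[0], vids[1]


def tenant_key(pkt: bytes, mode: SidMode):
    """Tenant identification information (SID, CVLAN_ID, PVLAN_ID): the forwarding-table index key."""
    nh, last_hop, payload = parse_srh_last_hop(pkt)
    if nh != NEXT_HEADER_ETHERNET:
        raise ValueError("SRv6 payload is not an Ethernet frame, so no QinQ tags to read")
    cvlan, pvlan = parse_qinq(payload)
    return sid_from_last_hop(last_hop, mode), cvlan, pvlan


def lookup_vcpe(forwarding_table: dict, key):
    """Step 120: exact-match lookup. An unknown key yields no vCPE; the packet is dropped, never defaulted."""
    return forwarding_table.get(key)


def build_sample_packet(last_hop: bytes, cvlan: int, pvlan: int, body: bytes) -> bytes:
    """Constructed test packet: IPv6 + two-segment SRH + Ethernet frame with outer and inner VLAN tags."""
    frame = (bytes(12) + struct.pack("!HH", ETHERTYPE_QINQ, cvlan)
             + struct.pack("!HH", ETHERTYPE_VLAN, pvlan) + struct.pack("!H", 0x0800) + body)
    first_hop = ipaddress.IPv6Address("2001:db8::2").packed
    srh = struct.pack("!BBBBBBH", NEXT_HEADER_ETHERNET, 4, SRH_ROUTING_TYPE, 1, 1, 0, 0) + last_hop + first_hop
    ip6 = (struct.pack("!IHBB", 6 << 28, len(srh) + len(frame), IPV6_NEXT_HEADER_ROUTING, 64)
           + ipaddress.IPv6Address("2001:db8::1").packed + first_hop)
    return ip6 + srh + frame


if __name__ == "__main__":
    pkt = build_sample_packet(SAMPLE_SID_ADDR, 100, 200, bytes(20))
    uplink_table = {(0x0ABCDEF1, 100, 200): "vCPE-A"}   # Function-field SIDs as keys
    key = tenant_key(pkt, SidMode.FUNCTION_FIELD)
    print(key, "->", lookup_vcpe(uplink_table, key))
    for mode in SidMode:
        print(mode.name, tenant_key(pkt, mode))
```

The forwarding table and the parser must agree on the SID encoding: a key built with the Function field does not match a table planned with the 28-bit prefix, and the lookup then correctly yields no vCPE.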
Step 130, the access network element transmits the message body corresponding to the SRv6 protocol message and the tenant identification information to the determined virtualized terminal equipment network element.
After the target virtualized terminal equipment network element for message forwarding is determined, the access network element further sends a message body obtained by decapsulating the SRv6 protocol message and tenant identification information to the determined virtualized terminal equipment network element, and the virtualized terminal equipment network element executes subsequent network service function processing.
In some embodiments of the present application, the transmitting, by the access network element, of the message body and the tenant identification information corresponding to the SRv6 protocol packet to the determined virtualized terminal device network element includes: the access network element carries the tenant identification information in a message extension space, encapsulates a message comprising the message body corresponding to the SRv6 protocol message, and transmits the encapsulated message to the determined virtualized terminal equipment network element.
In the embodiment of the application, the access network element and the vCPE network element can be connected by a high-speed virtual interface implemented with shared memory. A message received by the vCPE network element no longer carries an SRv6 header, yet the vCPE needs to obtain the tenant SID, and the access network element in turn needs to obtain the SID after the vCPE's LAN side/WAN side conversion. In order to transmit the SID between the network elements, in some embodiments of the present application, a message extension mechanism is used to transmit tenant identification information such as the SID. For example, the tenant identification information may be appended to the payload tail of the packet, so as to implement information transfer between the two network elements.
In this way, the packet body obtained by parsing the packet according to the SRv6 protocol and the tenant identification information may be transmitted to the designated vCPE network element through a high-speed virtual interface connection (such as a shared memory, or referred to as "packet cache").
In some embodiments of the present application, information transmission between network elements (such as an access network element and a vCPE network element) in a network virtual switching system may also be implemented in other manners, which is not illustrated in this embodiment.
Step 140, the virtualized terminal device network element searches for the tenant configuration information matched with the tenant identification information according to the tenant identification information.
The vCPE network element may obtain the message through the high-speed virtual interface connection (such as a shared memory, i.e., a message cache), and obtain the tenant identification information through the message extension space in the message. Then, using the tenant identification information as the KEY, it queries the tenant configuration information table entries, obtains the entry matched with the KEY (namely the tenant identification information), and obtains the tenant configuration information in that entry.
The tenant configuration information table entry is pre-configured by network management personnel of an operator and is stored in a network element of the virtualization terminal equipment.
In some embodiments of the present application, as shown in fig. 3, before the access network element parses the received SRv6 protocol packet to obtain the tenant identification information, the method further includes: step 102.
Step 102, storing a tenant configuration information table in the virtualized terminal equipment network element, wherein the index key of the tenant configuration information table is: the LAN side SID and WAN side SID of the corresponding tenant, together with the QinQ information; and the value is: the tenant configuration information of the corresponding tenant.
In some embodiments of the present application, a network administrator may configure a virtualized terminal device network element by issuing a configuration signaling or in a form of a command line, so as to trigger the virtualized terminal device network element to store a tenant configuration information table including a plurality of entries in a local data storage unit. Each entry corresponds to tenant configuration information related to a network service of a tenant, and the tenant configuration information includes but is not limited to: the operation parameters and the operation environment of each network service function module.
For example, before the tenant broadband is opened, the network administrator will also create a tenant account for the tenant in the network communication system. The tenant account refers to the dial-up account of the tenant. Then, the network administrator further configures, for the tenant account, a series of configuration information that ensures the tenant can access the internet normally, such as PPPoE, DHCP, NAT, the message forwarding table, the SRv6 policy, and the like, and then stores the tenant account and the tenant configuration information to the network virtual switching system through signaling.
In some embodiments of the present application, in the network virtual switching system, a tenant configuration information entry for the corresponding tenant is generated according to the tenant configuration information configured by network management staff, and is stored in the data storage unit of the virtualized terminal device network element. The tenant configuration information entry records the association between the LAN side SID and WAN side SID of the tenant and the tenant account of the tenant. For example, one entry is a hash table entry keyed by the tenant account, and another is a bihash entry keyed by the SID and QinQ information (i.e. PVLAN_ID and CVLAN_ID). The VALUE of each entry corresponds to the tenant configuration information of each network service node. The tenant configuration information is thus stored in two hash table entries, according to account uniqueness and tenant identification information uniqueness (namely the uniqueness of SID, PVLAN_ID (PVLAN, i.e. Private VLAN) and CVLAN_ID), thereby realizing isolated storage of the tenant configuration information.
In some embodiments of the present application, the searching, by the virtualized terminal device network element, for the tenant configuration information matched with the tenant identification information according to the tenant identification information includes: the virtualized terminal equipment network element determines an index key according to the tenant identification information, queries the preconfigured tenant configuration information table, and determines the tenant configuration information matched with the tenant identification information.
As described above, the tenant identification information is carried through a packet extension domain, and accordingly, the virtualized terminal device network element needs to obtain the tenant identification information from a private field of a packet cache. The message cache may be a shared cache for each network element in the network virtual switching system to transmit a message, or other high-speed virtual interface connections. For example, the virtualized terminal device network element may obtain the tenant identification information through a payload tail of the packet.
After the tenant identification information is acquired, the virtualized terminal equipment network element vCPE may further acquire tenant configuration information of a corresponding tenant based on the tenant identification information, thereby executing subsequent network service function processing.
In some embodiments of the present application, the determining, by the virtualized terminal device network element, of an index key according to the tenant identification information, querying a preconfigured tenant configuration information table, and determining the tenant configuration information matched with the tenant identification information includes: in response to the SRv6 protocol message being a control message, the virtualized terminal device network element queries the pre-configured tenant configuration information table using the tenant identification information as the index key, and determines the tenant configuration information; in response to the SRv6 protocol message being a data message sent from the LAN side, the virtualized terminal equipment network element converts the SID in the tenant identification information into the WAN side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table using the converted tenant identification information as the index key to determine the tenant configuration information; and in response to the SRv6 protocol message being a data message sent from the WAN side, the virtualized terminal equipment network element converts the SID in the tenant identification information into the LAN side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table using the converted tenant identification information as the index key to determine the tenant configuration information.
In specific implementation, the message transmitted by the access network element to the virtualized terminal device network element may be a message from a wide area network (i.e., a WAN network) or a message from a local area network (i.e., a LAN network). As described above, the SIDs carried in the packets from different network environments are different, that is, the packet from the WAN network carries the WAN side SID of the tenant, the packet from the LAN network carries the LAN side SID of the tenant, and the virtualized terminal device network element needs to convert the SID carried in the packet according to the source of the packet and the type of the packet, convert the SID in the packet into the SID that can be identified by the next node, and then send the SID to the next node for further processing.
For example, when the packet is a data packet from the WAN side, the virtualized terminal device network element converts the SID in the tenant identification information into the LAN side SID according to the tenant configuration information entry stored in advance; then the converted LAN side SID together with the QinQ information in the tenant identification information is used as the converted tenant identification information; then the converted tenant identification information is used as the KEY to search the preset tenant configuration information table entry and obtain the tenant configuration information.
For another example, when the packet is a data packet from the LAN side, the virtualized terminal device network element converts the SID in the tenant identification information into the WAN side SID according to the tenant configuration information entry stored in advance; then the converted WAN side SID together with the QinQ information in the tenant identification information is used as the converted tenant identification information; then the converted tenant identification information is used as the KEY to search the preset tenant configuration information table entry and obtain the tenant configuration information.
When the message is a control message, no SID conversion is needed.
Step 150, the virtualized terminal equipment network element executes the network service matched with the message body for the corresponding tenant identification information according to the found tenant configuration information.
Then, the virtualized terminal equipment network element calls the corresponding network service function module according to the message type matched with the message body, and the network service function module executes the network service matched with the message body for the corresponding tenant according to the found tenant configuration information.
In some embodiments of the present application, when receiving a control packet, the virtualized terminal device network element forwards the control packet to the corresponding node for processing according to the found tenant configuration information and packet type, and at the same time transmits the tenant identification information to that node. The corresponding node executes the network service that is for the tenant identification information and matched with the message body.
In some embodiments of the application, the network service comprises one or more of: a PPPoE dialing service, a DHCP service, and an ARP list management service.
In some embodiments of the present application, the virtualized terminal device network element may further include: a data I/O unit, a data forwarding unit, a service processing unit, a data storage unit and a signaling unit. The data I/O unit is responsible for receiving and transmitting data; the data forwarding unit is connected with the data I/O unit; the service processing unit is connected with the data forwarding unit; the data storage unit is connected with the signaling unit; and the service processing unit can read from or write to the data storage unit.
Further, the data storage unit is configured to store the data set of multi-tenant account entries in isolation, and to provide a fast query interface when the service processing unit distinguishes between multiple tenants. When the tenant broadband is installed, the network environment of the tenant has been planned and determined, and so have the SID and QinQ information of the tenant, i.e. the tenant identification information; the tenant identification information does not change while the tenant uses the network. In the data storage unit, the tenant account or the tenant identification information can be bound to the tenant configuration information by storing a KEY-VALUE pair, so that one KEY-VALUE pair is maintained for each tenant with broadband, whereby the tenant configuration information entries of different tenant accounts are stored in isolation. Moreover, the data storage unit may maintain the tenant configuration information entries in isolation based on the KEY (i.e. the tenant identification information).
The data forwarding unit is used for scheduling the processing of multi-tenant data streams; messages are scheduled to the corresponding service processing units according to their message protocol types. The service processing unit comprises LAN side function modules such as DHCP servers (a DHCPv4 server, a DHCPv6 server and the like), a PPPoE dialing server, and an ARP table entry management service.
The service processing unit queries the terminal state in the multi-tenant account table entry and guides subsequent service processing. When the terminal equipment of the tenant needs a response, it requests a response message, which is forwarded through the data forwarding unit; the service processing unit then obtains the tenant identification information from the message as the key, queries the tenant configuration information table entry to find the VALUE, and then performs differentiated message processing according to the tenant configuration information in the table entry, thereby realizing isolated processing of different tenants' messages.
For example, the DHCPv4 server performs IPv4 address allocation for the terminal device of the tenant, and maintains information such as the state identification and changes of the terminal device of the tenant; the DHCPv6 server performs IPv6 address allocation for the terminal equipment of the tenant, and likewise maintains the tenant terminal state identification and change information; the ARP service module performs ARP learning of the tenant terminal equipment through the PPPoE interface, and sends ARP response messages to the user using the MAC address of the LAN-side gateway.
In some embodiments of the present application, the step of executing, by the virtualized terminal device network element, a network service matching the packet body for the corresponding tenant identification information according to the found tenant configuration information includes: in response to the SID obtained by parsing being the LAN side SID, the virtualized terminal equipment network element performs uplink traffic statistics based on that SID; and in response to the SID obtained by parsing being the WAN side SID, the virtualized terminal equipment network element performs downlink traffic statistics based on the WAN side SID. For example, for a received message from the WAN side, the virtualized terminal device network element may identify the tenant according to the WAN side SID and QinQ obtained by parsing the message, and count the tenant's downlink traffic. For another example, for a message sent to the WAN side, the virtualized terminal device network element may identify the tenant according to the LAN side SID and QinQ obtained by parsing the message, and count the tenant's uplink traffic.
In some embodiments of the present application, the traffic statistics may be performed by a data forwarding unit in a virtualized terminal equipment network element.
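The vCPE side of steps 140 and 150 (the account-keyed and SID+QinQ-keyed configuration entries, the LAN/WAN SID conversion chosen by message type, and the per-direction traffic statistics described just above) as an added worked example in Python; this is not code from the patent or from any product. The SIDs, accounts, VLAN IDs and service parameters are constructed sample values, and the decision to drop a packet whose SID does not match its direction is this example's choice, not something the page specifies.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class MsgKind(Enum):
    CONTROL = "control"          # no SID conversion
    DATA_FROM_LAN = "data_lan"   # uplink: the packet carries the tenant's LAN-side SID
    DATA_FROM_WAN = "data_wan"   # downlink: the packet carries the tenant's WAN-side SID


@dataclass(frozen=True)
class TenantIdent:
    """Tenant identification information (SID + QinQ) as read from the packet extension space."""
    sid: str
    cvlan_id: int
    pvlan_id: int


@dataclass
class TenantConfig:
    account: str         # dial-up account created when the broadband is opened
    lan_sid: str
    wan_sid: str
    cvlan_id: int
    pvlan_id: int
    services: dict       # per-service parameters (PPPoE, DHCP, NAT, ...); contents hypothetical


class TenantStore:
    """vCPE data storage unit: one entry keyed by account, one keyed by (SID, QinQ) for each of the two SIDs."""

    def __init__(self):
        self._by_account = {}
        self._by_ident = {}
        self.traffic = Counter()   # (account, "uplink" | "downlink") -> bytes counted

    def add(self, cfg: TenantConfig):
        keys = [TenantIdent(s, cfg.cvlan_id, cfg.pvlan_id) for s in (cfg.lan_sid, cfg.wan_sid)]
        if cfg.account in self._by_account or any(k in self._by_ident for k in keys):
            raise ValueError("account or tenant identification already planned: %s" % cfg.account)
        self._by_account[cfg.account] = cfg
        for k in keys:
            self._by_ident[k] = cfg

    def by_account(self, account: str):
        return self._by_account.get(account)

    def convert_sid(self, ident: TenantIdent, kind: MsgKind):
        """LAN<->WAN SID conversion for data packets; control packets keep their key. None = unknown or mismatched."""
        cfg = self._by_ident.get(ident)
        if cfg is None:
            return None
        if kind is MsgKind.CONTROL:
            return ident
        if kind is MsgKind.DATA_FROM_LAN:
            expected, peer = cfg.lan_sid, cfg.wan_sid
        else:
            expected, peer = cfg.wan_sid, cfg.lan_sid
        if ident.sid != expected:   # packet direction and SID side disagree: refuse rather than guess
            return None
        return TenantIdent(peer, ident.cvlan_id, ident.pvlan_id)

    def resolve(self, ident: TenantIdent, kind: MsgKind, nbytes: int = 0):
        """Step 140 plus per-direction traffic statistics: (config, converted ident), or None to drop."""
        converted = self.convert_sid(ident, kind)
        if converted is None:
            return None
        cfg = self._by_ident[converted]
        if kind is MsgKind.DATA_FROM_LAN:          # LAN-side SID parsed -> uplink statistics
            self.traffic[(cfg.account, "uplink")] += nbytes
        elif kind is MsgKind.DATA_FROM_WAN:        # WAN-side SID parsed -> downlink statistics
            self.traffic[(cfg.account, "downlink")] += nbytes
        return cfg, converted


def sample_store() -> TenantStore:
    """Constructed planning data: two tenants share the operator VLAN but have distinct SIDs and PVLANs."""
    store = TenantStore()
    store.add(TenantConfig("acct-1001", "2001:db8:1:1::10", "2001:db8:2:1::10", 100, 200, {"pppoe": {"mtu": 1492}}))
    store.add(TenantConfig("acct-1002", "2001:db8:1:1::11", "2001:db8:2:1::11", 100, 201, {"pppoe": {"mtu": 1492}}))
    return store


if __name__ == "__main__":
    s = sample_store()
    print(s.resolve(TenantIdent("2001:db8:1:1::10", 100, 200), MsgKind.DATA_FROM_LAN, 1500))
    print(s.resolve(TenantIdent("2001:db8:2:1::10", 100, 200), MsgKind.DATA_FROM_WAN, 500))
    print(dict(s.traffic))
```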
The tenant isolation service method disclosed by the embodiment of the application is applied to a network virtual switching system, where the network virtual switching system comprises an access network element and a virtualized terminal equipment network element. The SID and QinQ information are used as the tenant identification information, and the SID is encoded in the message header of the SRv6 protocol message, so that the access network element parses the received SRv6 protocol message, obtains the SID carried in the SRv6 protocol message header and the QinQ information in the message, and thereby obtains the tenant identification information; then, using the tenant identification information as the index key, it queries the preconfigured message forwarding table, determines the virtualized terminal equipment network element matched with the tenant identification information, and transmits the message body corresponding to the SRv6 protocol message and the tenant identification information to the determined virtualized terminal equipment network element; the virtualized terminal equipment network element searches for the tenant configuration information matched with the tenant identification information according to the tenant identification information, and then executes the network service matched with the message body for the corresponding tenant according to the found tenant configuration information, thereby effectively realizing the tenant isolation service in an SRv6 protocol scenario.
According to the tenant isolation service method disclosed by the embodiment of the application, each network service function module in the virtualized terminal equipment network element distinguishes different tenants based on the tenant identification information formed by the SID and QinQ information; using the tenant identification information as an index, tenant configuration information is stored, tenant traffic is distributed and counted, tenant states are maintained, the data storage unit is searched, and so on, so that multi-tenant data storage isolation, data processing isolation and traffic statistics isolation are achieved.
By planning the WAN side SID and LAN side SID for the tenant and combining them with QinQ as the tenant identification information, the uplink traffic and downlink traffic of the tenant can further be counted separately.
The tenant isolation service apparatus disclosed in the embodiment of the present application is applied to a network virtual switching system as shown in fig. 2, where the network virtual switching system includes: an access network element and a virtualized terminal equipment network element. As shown in fig. 4, the apparatus includes:
a tenant identification information obtaining module 410, configured to parse the received SRv6 protocol packet through the access network element to obtain the tenant identification information, where the tenant identification information includes information planned for the tenant in advance: the SID and QinQ information, the SID comprising: the LAN-side SID or WAN-side SID;
a virtualized terminal device network element determining module 420, configured to query a preconfigured message forwarding table by using the tenant identification information as an index key through the access network element, and determine a virtualized terminal device network element matched with the tenant identification information;
an information transmission module 430, configured to transmit the message body and the tenant identification information corresponding to the SRv6 protocol message to the determined virtualized terminal device network element through the access network element;
a tenant configuration information searching module 440, configured to search, according to the tenant identification information, tenant configuration information matched with the tenant identification information through the virtualized terminal device network element;
the tenant isolation service module 450 is configured to execute, by the virtualized terminal device network element, a network service that is matched with the packet body and is for the corresponding tenant identification information according to the found tenant configuration information.
In some embodiments of the present application, the tenant identification information acquisition module 410 is further configured to:
the access network element parses the last hop IP address of the message header of the received SRv6 protocol message to obtain the SID, and parses the original message of the SRv6 protocol message to obtain the tenant private network VLAN identifier and the operator network VLAN identifier;
and uses the SID, the tenant private network VLAN identifier and the operator network VLAN identifier as the tenant identification information carried in the SRv6 protocol message.
In some embodiments of the present application, the parsing, by the access network element, of the last hop IP address of the header of a received SRv6 protocol packet to obtain the SID includes any one of the following methods:
the access network element parses the message header of the received SRv6 protocol message, and takes the last hop IP address carried by the message header as the SID;
the access network element parses the message header of the received SRv6 protocol message, and takes the Function field of the last hop IP address carried by the message header as the SID;
the access network element parses the message header of the received SRv6 protocol message, and takes as the SID the address bits of the Function field of the last hop IP address carried by the message header into which the tenant's preset network identifier is encoded.
In some embodiments of the present application, the information transmission module 430 is further configured to:
the access network element carries the tenant identification information in a message extension space, encapsulates a message comprising the message body corresponding to the SRv6 protocol message, and transmits the encapsulated message to the determined virtualized terminal equipment network element.
In some embodiments of the present application, as shown in fig. 5, the apparatus further comprises a configuration module 400, wherein
the configuration module 400 is configured to store a packet forwarding table in the access network element, where the index key of the packet forwarding table is: the LAN side SID or WAN side SID of the corresponding tenant, together with the QinQ information; and the value is: a message forwarding mechanism carrying the network element identifier of the virtualized terminal equipment;
the configuration module 400 is further configured to store a tenant configuration information table in the virtualized terminal device network element, where the index key of the tenant configuration information table is: the LAN side SID and WAN side SID of the corresponding tenant, together with the QinQ information; and the value is: the tenant configuration information of the corresponding tenant.
In some embodiments of the present application, the tenant configuration information search module 440 is further configured to:
the virtualized terminal equipment network element determines an index key according to the tenant identification information, queries the preconfigured tenant configuration information table, and determines the tenant configuration information matched with the tenant identification information.
In some embodiments of the present application, the virtualized terminal device network element determining an index key from the tenant identification information, querying a preconfigured tenant configuration information table and determining the tenant configuration information matching the tenant identification information comprises:
in response to the SRv6 protocol message being a control message, the virtualized terminal device network element queries the preconfigured tenant configuration information table with the tenant identification information itself as the index key, and determines the tenant configuration information;
in response to the SRv6 protocol message being a data message sent from the LAN side, the virtualized terminal device network element converts the SID in the tenant identification information into the WAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information;
and in response to the SRv6 protocol message being a data message sent from the WAN side, the virtualized terminal device network element converts the SID in the tenant identification information into the LAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information.
In some embodiments of the present application, the tenant isolation service module 450 is further configured to:
in response to the parsed SID being a LAN-side SID, perform uplink traffic statistics on the virtualized terminal device network element keyed by that LAN-side SID;
and in response to the parsed SID being a WAN-side SID, perform downlink traffic statistics on the virtualized terminal device network element keyed by that WAN-side SID.
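The two tables, the direction-dependent SID conversion and the per-tenant traffic statistics described above, as an added example in Python that is not part of the application and not the applicant's code. The SID values, VLAN identifiers, the vCPE identifier and the `nat_pool` field are constructed for the example; the message kinds `control`, `lan_data` and `wan_data` are names chosen here for the three cases of the embodiment.

```python
# Added example, not code from the application: a minimal model of the
# message forwarding table on the access network element and of the tenant
# configuration table, direction-dependent SID conversion and per-tenant
# traffic counters on the virtualized terminal device (vCPE) network element.
# SIDs, VLAN ids, the vCPE id and the "nat_pool" field are constructed here.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Tenant identification information: (SID, operator VLAN id, tenant VLAN id).
TenantId = Tuple[str, int, int]


@dataclass(frozen=True)
class TenantConfig:
    name: str
    lan_sid: str    # LAN-side SID planned for the tenant (uplink traffic)
    wan_sid: str    # WAN-side SID planned for the tenant (downlink traffic)
    s_vlan: int     # operator network VLAN id (outer QinQ tag)
    c_vlan: int     # tenant private network VLAN id (inner QinQ tag)
    nat_pool: str   # hypothetical per-tenant service parameter


class AccessNetworkElement:
    """Message forwarding table: (SID, S-VLAN, C-VLAN) -> vCPE network element id."""

    def __init__(self) -> None:
        self._fwd: Dict[TenantId, str] = {}

    def add_tenant(self, cfg: TenantConfig, vcpe_id: str) -> None:
        # Either SID of a tenant, combined with its QinQ tags, selects its vCPE.
        self._fwd[(cfg.lan_sid, cfg.s_vlan, cfg.c_vlan)] = vcpe_id
        self._fwd[(cfg.wan_sid, cfg.s_vlan, cfg.c_vlan)] = vcpe_id

    def select_vcpe(self, tid: TenantId) -> Optional[str]:
        # The key is the full tuple: a known SID paired with another tenant's
        # VLAN tags (or vice versa) matches nothing and is not forwarded.
        return self._fwd.get(tid)


class VirtualizedTerminalDevice:
    """Tenant configuration table keyed by (LAN SID, WAN SID, S-VLAN, C-VLAN),
    reachable through either SID, plus per-tenant traffic statistics."""

    def __init__(self) -> None:
        self._cfg: Dict[TenantId, TenantConfig] = {}
        self._lan_to_wan: Dict[TenantId, TenantId] = {}
        self._wan_to_lan: Dict[TenantId, TenantId] = {}
        self.uplink_bytes: Dict[str, int] = {}     # keyed by LAN-side SID
        self.downlink_bytes: Dict[str, int] = {}   # keyed by WAN-side SID

    def add_tenant(self, cfg: TenantConfig) -> None:
        lan_key = (cfg.lan_sid, cfg.s_vlan, cfg.c_vlan)
        wan_key = (cfg.wan_sid, cfg.s_vlan, cfg.c_vlan)
        self._cfg[lan_key] = self._cfg[wan_key] = cfg
        self._lan_to_wan[lan_key] = wan_key
        self._wan_to_lan[wan_key] = lan_key

    def lookup(self, tid: TenantId, kind: str) -> Optional[TenantConfig]:
        """kind is 'control', 'lan_data' or 'wan_data' (the side that sent it)."""
        if kind == "control":
            key = tid                           # control message: query as-is
        elif kind == "lan_data":
            key = self._lan_to_wan.get(tid)     # LAN SID -> WAN SID, then query
        elif kind == "wan_data":
            key = self._wan_to_lan.get(tid)     # WAN SID -> LAN SID, then query
        else:
            raise ValueError(f"unknown message kind {kind!r}")
        # A SID arriving from the wrong side has no conversion entry and is
        # dropped instead of being matched against any tenant's configuration.
        return self._cfg.get(key) if key is not None else None

    def serve(self, tid: TenantId, kind: str, nbytes: int) -> Optional[str]:
        """Serve one message; returns the tenant name, or None if it was dropped."""
        cfg = self.lookup(tid, kind)
        if cfg is None:
            return None
        sid = tid[0]
        if sid == cfg.lan_sid:      # parsed SID is the LAN-side SID: uplink
            self.uplink_bytes[sid] = self.uplink_bytes.get(sid, 0) + nbytes
        elif sid == cfg.wan_sid:    # parsed SID is the WAN-side SID: downlink
            self.downlink_bytes[sid] = self.downlink_bytes.get(sid, 0) + nbytes
        return cfg.name


def build_demo() -> Tuple[AccessNetworkElement, VirtualizedTerminalDevice]:
    """Two tenants on the same operator VLAN, separated by C-VLAN and by SID."""
    tenant_a = TenantConfig("tenant-a", "fc00:1:a::1", "fc00:2:a::1", 100, 10, "203.0.113.0/28")
    tenant_b = TenantConfig("tenant-b", "fc00:1:b::1", "fc00:2:b::1", 100, 20, "203.0.113.16/28")
    access, vcpe = AccessNetworkElement(), VirtualizedTerminalDevice()
    for cfg in (tenant_a, tenant_b):
        access.add_tenant(cfg, "vcpe-1")
        vcpe.add_tenant(cfg)
    return access, vcpe
```

Because both tables are indexed by the full (SID, S-VLAN, C-VLAN) tuple, a message that carries tenant A's SID with tenant B's VLAN tags selects no vCPE at the access network element, and a WAN-side SID presented as LAN-side data has no conversion entry and is dropped rather than counted against another tenant. All three fields are taken from the packet itself, so the tables only isolate tenants if the SRv6 domain boundary controls which SIDs and VLAN tags can be injected; that is the usual SRv6 domain-boundary consideration (RFC 8754) and is not something the application addresses.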
The tenant isolation service device disclosed in the embodiment of the present application is used to implement the tenant isolation service method described in the embodiment of the present application; the specific implementation of each module of the device is not described again, and reference may be made to the corresponding steps in the method embodiments.
The embodiment of the present application discloses a tenant isolation service device applied to a network virtual switching system, wherein the network virtual switching system comprises an access network element and a virtualized terminal device network element. The device uses the SID addressed in the header of the SRv6 protocol message together with the QinQ information as tenant identification information. Accordingly, the access network element parses the received SRv6 protocol message, acquires the SID carried in its header and the QinQ information in the message, and thereby obtains the tenant identification information; it then queries a preconfigured message forwarding table with the tenant identification information as the index key, determines the virtualized terminal device network element matching the tenant identification information, and transmits the message body corresponding to the SRv6 protocol message together with the tenant identification information to that network element; the virtualized terminal device network element searches for the tenant configuration information matching the tenant identification information and, according to the found tenant configuration information, executes for the corresponding tenant the network service matching the message body, thereby realizing tenant isolation service in an SRv6 protocol scenario.
According to the tenant isolation service device disclosed in the embodiment of the present application, each network service function module in the virtualized terminal device network element distinguishes tenants by the tenant identification information formed from the SID and the QinQ information, and uses that tenant identification information as the index for storing tenant configuration information, distributing and counting tenant traffic, maintaining tenant state, searching the data storage unit and so on, so that data storage isolation, data processing isolation and traffic statistics isolation between tenants are achieved.
By planning a WAN-side SID and a LAN-side SID for each tenant and combining them with the QinQ information as tenant identification information, the uplink traffic and the downlink traffic of a tenant can further be counted separately.
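The parsing step of the access network element summarised above (and detailed in claims 2 and 3 below: the SID from the last-hop IP address of the SRv6 header, the operator and tenant VLAN identifiers from the original message), as an added example in Python that is not part of the application and not the applicant's code. The 64-bit locator and 32-bit Function field widths, the Ethernet next-header value after the SRH, and the reading of the third alternative of claim 3 as a bit mask over the Function field are assumptions made here; the addresses, MAC addresses and VLAN identifiers in the builder are constructed.

```python
# Added example, not code from the application: derives the tenant
# identification information (SID, S-VLAN, C-VLAN) from an SRv6 packet whose
# payload is a QinQ-tagged Ethernet frame, and builds a constructed packet to
# exercise it. Locator/Function widths and the bit-mask reading of the third
# SID derivation are assumptions; all addresses and ids are constructed.
import ipaddress
import struct
from typing import List, Optional, Tuple

IPPROTO_ROUTING = 43        # IPv6 Routing Header
SRH_ROUTING_TYPE = 4        # Segment Routing Header (RFC 8754)
NEXT_HEADER_ETHERNET = 143  # Ethernet frame carried after the SRH (RFC 8986)
TPID_SVLAN = 0x88A8         # 802.1ad outer tag: operator network VLAN
TPID_CVLAN = 0x8100         # 802.1Q inner tag: tenant private network VLAN
LOCATOR_BITS = 64           # assumption: 64-bit locator, 32-bit function, 32-bit args
FUNCTION_BITS = 32

TenantId = Tuple[str, int, int]


def sid_from_last_hop(last_hop: ipaddress.IPv6Address, mode: str, tenant_net_mask: int = 0) -> str:
    """The three SID derivations: the whole last-hop address, its Function
    field, or the Function-field bits selected by the tenant's network id."""
    if mode == "address":
        return str(last_hop)
    shift = 128 - LOCATOR_BITS - FUNCTION_BITS
    function = (int(last_hop) >> shift) & ((1 << FUNCTION_BITS) - 1)
    if mode == "function":
        return hex(function)
    if mode == "function_bits":
        return hex(function & tenant_net_mask)
    raise ValueError(f"unknown SID mode {mode!r}")


def parse_tenant_id(pkt: bytes, mode: str = "address", tenant_net_mask: int = 0) -> TenantId:
    """Return (SID, S-VLAN id, C-VLAN id); raise ValueError for anything else."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != IPPROTO_ROUTING:
        raise ValueError("not an IPv6 packet with a routing header")
    off = 40
    nh, ext_len, rtype, _seg_left, last_entry, _flags, _tag = struct.unpack_from("!BBBBBBH", pkt, off)
    srh_len = (ext_len + 1) * 8
    if rtype != SRH_ROUTING_TYPE or (last_entry + 1) * 16 > ext_len * 8 or len(pkt) < off + srh_len:
        raise ValueError("malformed or non-SRH routing header")
    # Segment List[0] is the final segment of the path, i.e. the last-hop address.
    last_hop = ipaddress.IPv6Address(pkt[off + 8:off + 24])
    off += srh_len
    if nh != NEXT_HEADER_ETHERNET:
        raise ValueError("SRH payload is not an Ethernet frame")
    tags = off + 12                     # skip destination and source MAC
    if len(pkt) < tags + 8:
        raise ValueError("truncated inner frame")
    s_tpid, s_tci, c_tpid, c_tci = struct.unpack_from("!HHHH", pkt, tags)
    if s_tpid != TPID_SVLAN or c_tpid != TPID_CVLAN:
        raise ValueError("inner frame is not QinQ tagged")
    return sid_from_last_hop(last_hop, mode, tenant_net_mask), s_tci & 0x0FFF, c_tci & 0x0FFF


def tenant_id_or_none(pkt: bytes, mode: str = "address", tenant_net_mask: int = 0) -> Optional[TenantId]:
    """Access-element behaviour: a message that yields no tenant id is dropped."""
    try:
        return parse_tenant_id(pkt, mode, tenant_net_mask)
    except ValueError:
        return None


def build_srv6_qinq_packet(segments: List[str], s_vlan: int, c_vlan: int,
                           payload: bytes = b"", qinq: bool = True) -> bytes:
    """Constructed packet: IPv6 + SRH (segments in forward order) + tagged frame."""
    n = len(segments)
    srh = struct.pack("!BBBBBBH", NEXT_HEADER_ETHERNET, 2 * n, SRH_ROUTING_TYPE, n - 1, n - 1, 0, 0)
    srh += b"".join(ipaddress.IPv6Address(s).packed for s in reversed(segments))
    frame = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if qinq:
        frame += struct.pack("!HH", TPID_SVLAN, s_vlan)
    frame += struct.pack("!HHH", TPID_CVLAN, c_vlan, 0x0800) + payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(srh) + len(frame), IPPROTO_ROUTING, 64)
    ip6 += ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address(segments[0]).packed
    return ip6 + srh + frame
```

With the constructed last-hop address `fc00:1:a:0:a1:10:0:1`, the three modes yield the whole address, the Function field `0xa10010`, and, under a tenant network mask of `0xFFFF0000`, the upper Function bits `0xa10000`. A frame carrying only a single 802.1Q tag produces no tenant identification information and is dropped by `tenant_id_or_none`.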
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The tenant isolation service method and device provided by the present application have been described in detail above; specific examples are used herein to explain the principle and implementation of the application, and the description of the embodiments is only intended to help understand the method and its core idea. At the same time, a person skilled in the art may, following the idea of the present application, change the specific implementation and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.
The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment, which a person of ordinary skill in the art can understand and implement without inventive effort.
The various component embodiments of the present application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in an electronic device according to embodiments of the application. The present application may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present application may be stored on a computer readable medium or may be in the form of one or more signals. Such a signal may be downloaded from an internet website, or provided on a carrier signal, or provided in any other form.
For example, fig. 6 illustrates an electronic device that may implement a method according to the present application. The electronic device can be a PC, a mobile terminal, a personal digital assistant, a tablet computer and the like. The electronic device conventionally comprises a processor 610 and a memory 620 and program code 630 stored on said memory 620 and executable on the processor 610, said processor 610 implementing the method described in the above embodiments when executing said program code 630. The memory 620 may be a computer program product or a computer readable medium. The memory 620 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. The memory 620 has a storage space 6201 for program code 630 of a computer program for performing any of the method steps described above. For example, the storage space 6201 for the program code 630 may include respective computer programs for implementing various steps in the above methods, respectively. The program code 630 is computer readable code. The computer programs may be read from or written to one or more computer program products. These computer program products comprise a program code carrier such as a hard disk, a Compact Disc (CD), a memory card or a floppy disk. The computer program comprises computer readable code which, when run on an electronic device, causes the electronic device to perform the method according to the above embodiments.
The embodiment of the present application further discloses a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the tenant isolation service method according to the first embodiment of the present application.
Such a computer program product may be a computer-readable storage medium that may have memory segments, memory spaces, etc. arranged similarly to the memory 620 in the electronic device shown in fig. 6. The program code may be stored compressed in the computer readable storage medium, for example, in a suitable form. The computer readable storage medium is typically a portable or fixed storage unit as described with reference to fig. 7. Typically, the storage unit comprises computer readable code 630', said computer readable code 630' being code read by a processor, which when executed by the processor implements the steps of the method described above.
Reference herein to "one embodiment," "an embodiment," or "one or more embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Furthermore, it is noted that instances of the word "in one embodiment" are not necessarily all referring to the same embodiment.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present application.

Claims (11)

1. A tenant isolation service method applied to a network virtual switching system, characterized in that the network virtual switching system comprises an access network element and a virtualized terminal device network element, and the method comprises:
the access network element parses a received SRv6 protocol message to obtain tenant identification information, wherein the tenant identification information comprises information planned in advance for the tenant, namely a SID and QinQ information, the SID being a LAN-side SID or a WAN-side SID;
the access network element queries a preconfigured message forwarding table with the tenant identification information as the index key, and determines the virtualized terminal device network element matching the tenant identification information;
the access network element transmits the message body corresponding to the SRv6 protocol message and the tenant identification information to the determined virtualized terminal device network element;
the virtualized terminal device network element searches for tenant configuration information matching the tenant identification information according to the tenant identification information;
and the virtualized terminal device network element executes, for the corresponding tenant identification information, the network service matching the message body according to the found tenant configuration information.
2. The method of claim 1, wherein the step of the access network element parsing the received SRv6 protocol message to obtain the tenant identification information comprises:
the access network element parses the last-hop IP address in the header of the received SRv6 protocol message to obtain the SID, and parses the original message of the SRv6 protocol message to obtain a tenant private network VLAN identifier and an operator network VLAN identifier;
and takes the SID, the tenant private network VLAN identifier and the operator network VLAN identifier as the tenant identification information carried in the SRv6 protocol message.
3. The method of claim 2, wherein the access network element parsing the last-hop IP address in the header of the received SRv6 protocol message to obtain the SID comprises any one of the following:
the access network element parses the header of the received SRv6 protocol message and takes the last-hop IP address carried in the header as the SID;
the access network element parses the header of the received SRv6 protocol message and takes the Function field of the last-hop IP address carried in the header as the SID;
the access network element parses the header of the received SRv6 protocol message and takes as the SID those address bits of the Function field of the last-hop IP address carried in the header that are addressed by a preset network identifier of the tenant.
4. The method according to any one of claims 1 to 3, wherein the step of the access network element transmitting the message body corresponding to the SRv6 protocol message and the tenant identification information to the determined virtualized terminal device network element comprises:
the access network element carries the tenant identification information in a message extension space, encapsulates it together with the message body corresponding to the SRv6 protocol message, and transmits the encapsulated message to the determined virtualized terminal device network element.
5. The method according to any one of claims 1 to 3, wherein, before the access network element parses the received SRv6 protocol message to obtain the tenant identification information, the method further comprises:
storing a message forwarding table in the access network element, whose index key is the LAN-side SID or WAN-side SID of the corresponding tenant together with the QinQ information, and whose value is a message forwarding mechanism carrying the identifier of the virtualized terminal device network element;
storing a tenant configuration information table in the virtualized terminal device network element, whose index key is the LAN-side SID and WAN-side SID of the corresponding tenant together with the QinQ information, and whose value is the tenant configuration information of the corresponding tenant.
6. The method according to any one of claims 1 to 3, wherein the step of the virtualized terminal device network element searching for the tenant configuration information matching the tenant identification information according to the tenant identification information comprises:
the virtualized terminal device network element determines an index key from the tenant identification information, queries a preconfigured tenant configuration information table, and determines the tenant configuration information matching the tenant identification information.
7. The method of claim 6, wherein the virtualized terminal device network element determining an index key from the tenant identification information, querying a preconfigured tenant configuration information table and determining the tenant configuration information matching the tenant identification information comprises:
in response to the SRv6 protocol message being a control message, the virtualized terminal device network element queries the preconfigured tenant configuration information table with the tenant identification information itself as the index key, and determines the tenant configuration information;
in response to the SRv6 protocol message being a data message sent from the LAN side, the virtualized terminal device network element converts the SID in the tenant identification information into the WAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information;
and in response to the SRv6 protocol message being a data message sent from the WAN side, the virtualized terminal device network element converts the SID in the tenant identification information into the LAN-side SID according to the prestored tenant configuration information table, and queries the tenant configuration information table with the converted tenant identification information as the index key to determine the tenant configuration information.
8. The method according to any one of claims 1 to 3, wherein the step of the virtualized terminal device network element executing, for the corresponding tenant identification information, the network service matching the message body according to the found tenant configuration information comprises:
in response to the parsed SID being a LAN-side SID, performing uplink traffic statistics on the virtualized terminal device network element keyed by that LAN-side SID;
and in response to the parsed SID being a WAN-side SID, performing downlink traffic statistics on the virtualized terminal device network element keyed by that WAN-side SID.
9. A tenant isolation service device applied to a network virtual switching system, the network virtual switching system comprising an access network element and a virtualized terminal device network element, the device comprising:
a tenant identification information acquisition module, configured to parse a received SRv6 protocol message through the access network element to obtain tenant identification information, wherein the tenant identification information comprises information planned in advance for the tenant, namely a SID and QinQ information, the SID being a LAN-side SID or a WAN-side SID;
a virtualized terminal device network element determining module, configured to query, through the access network element, a preconfigured message forwarding table with the tenant identification information as the index key, and to determine the virtualized terminal device network element matching the tenant identification information;
an information transmission module, configured to transmit, through the access network element, the message body corresponding to the SRv6 protocol message and the tenant identification information to the determined virtualized terminal device network element;
a tenant configuration information search module, configured to search, through the virtualized terminal device network element, for tenant configuration information matching the tenant identification information according to the tenant identification information;
and a tenant isolation service module, configured to execute, through the virtualized terminal device network element and for the corresponding tenant identification information, the network service matching the message body according to the found tenant configuration information.
10. An electronic device comprising a memory, a processor, and program code stored on the memory and executable on the processor, characterized in that the processor implements the tenant isolation service method of any one of claims 1 to 8 when executing the program code.
11. A computer-readable storage medium having program code stored thereon, characterized in that the program code, when executed by a processor, implements the steps of the tenant isolation service method of any one of claims 1 to 8.
CN202211009618.5A 2022-08-22 2022-08-22 Tenant isolation service method and device, and electronic equipment Pending CN115499392A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211009618.5A CN115499392A (en) 2022-08-22 2022-08-22 Tenant isolation service method and device, and electronic equipment

Publications (1)

Publication Number Publication Date
CN115499392A true CN115499392A (en) 2022-12-20

Family

ID=84466087

Country Status (1)

Country Link
CN (1) CN115499392A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016242A (en) * 2023-01-11 2023-04-25 南京易科腾信息技术有限公司 NAT log acquisition method, system and storage medium based on OVS architecture

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103444135A (en) * 2011-06-02 2013-12-11 惠普发展公司,有限责任合伙企业 Network virtualization
US20150271067A1 (en) * 2012-12-09 2015-09-24 Huawei Technologies Co., Ltd. Packet forwarding method and apparatus, and data center network
US10523466B1 (en) * 2017-10-19 2019-12-31 Juniper Networks, Inc. Aliasing in an active-active multi-homed PBB-EVPN network
EP3703345A1 (en) * 2010-06-29 2020-09-02 Huawei Technologies Co., Ltd. Asymmetric network address encapsulation
CN113691448A (en) * 2020-05-18 2021-11-23 华为技术有限公司 SRv6 method for forwarding message in service chain, SFF and SF device
CN114422283A (en) * 2021-12-31 2022-04-29 中国电信股份有限公司 Tenant isolation method, network virtual switching system and storage medium
CN114520751A (en) * 2021-12-29 2022-05-20 中国电信股份有限公司 Tunnel transmission method and device based on software defined wide area network
US20220210064A1 (en) * 2020-12-28 2022-06-30 Nokia Solutions And Networks Oy Address registration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination