Ethernet IP packet encapsulation method, network isolation method and DHCP method based on SDN
Technical field
The present invention relates to an SDN-based Ethernet IP packet encapsulation method together with network isolation and DHCP implementation methods, and belongs to the field of Ethernet packet encapsulation.
Background art
Ethernet is mature and widely deployed in real networks. For historical reasons, today's Ethernet packet carries two addresses, a MAC address and an IP address. During layer-2 forwarding the IP address plays no role, while during layer-3 forwarding the MAC addresses in the header are rewritten at every hop, even though two devices in the same LAN that need to communicate have no need to learn the MAC addresses of the intermediate network devices. In addition, at the final hop the packet's IP address must still be mapped to a MAC address before delivery, which complicates the routing and forwarding process. The layer-2 header also carries a 4-byte VLAN TAG field, which is likewise ignored in layer-3 forwarding, and because the VLAN ID field in the VLAN TAG was not planned with enough headroom, large layer-2 networks that rely on it for isolation run out of VLAN numbers. The VXLAN and NVGRE methods proposed to solve this problem re-encapsulate the packet, which costs transmission efficiency. With the development of network technology the four-layer TCP/IP model of Fig. 1 has become the de facto standard, and the appearance of SDN technology allows network engineers and customers to innovate on and use the network according to their own needs.
The packet format of wired Ethernet is built by encapsulating from the upper layer downward, layer by layer, until the link layer in Fig. 1 finally converts the frame into physical bits that leave the network device; the encapsulation process is shown in Fig. 2.
In the four-layer model the link layer is the part responsible for assembling data frames and converting them into physical bits. This part is the data link layer, which is divided into the MAC sublayer and the LLC sublayer. The main functions of the MAC sublayer include framing and de-framing, frame addressing and identification, frame reception and transmission, link management and frame error control. LLC grew out of High-Level Data Link Control (HDLC) and uses a subset of the HDLC specification to serve the upper layers.
Summary of the invention
In order to solve the technical problems described above, namely the forwarding complexity and the loss of transmission efficiency introduced by the layer-2 header encapsulation of the packet, the present invention proposes an SDN-based Ethernet IP packet encapsulation method together with network isolation and DHCP implementation methods.
An SDN-based Ethernet IP packet encapsulation method and network isolation and DHCP implementation methods comprise server-side packet reception and server-side packet transmission, wherein server-side packet reception comprises the following steps:
Step 1: the physical layer of the device obtains the physical signal from the transmission medium according to the inter-frame gap and the preamble, converts the physical signal into bits and hands them to the data link layer;
Step 2: the data link layer performs its original processing work except for MAC address recognition and addressing, including assembling the bits into a frame and handing the packet to the receive function for processing;
Step 3: the protocol stack analyses and recognises the packet, parses it according to the new header format and obtains the relevant packet header; if the packet's DIP (destination IP) is an address of this server the packet enters the subsequent protocol stack, otherwise it goes through the routing and forwarding process;
Step 4: after routing, the packet is handed to the data link layer, which performs all of its processing other than Ethernet encapsulation and MAC addressing according to the header format and passes the packet to the physical layer;
Step 5: the physical layer converts the bits of the data frame into an electrical or optical signal in the original manner and transmits them.
Server-side packet transmission comprises the following steps:
Step 1: the packet's data segment is encapsulated first by adding the TCP/UDP L4 header and trailer information, and then IP encapsulation is carried out;
Step 2: a route lookup is performed on the IP-encapsulated packet according to its DIP to choose the egress port;
Step 3: the packet for which an egress port was found is handed to the data link layer, which performs all operations other than Ethernet encapsulation and MAC addressing;
Step 4: the physical layer converts the bits of the data frame into an electrical or optical signal in the original manner and transmits them.
The DHCP process by which an IP address is obtained in the above method is as follows:
Step 1: the Controller determines the position and IP information of the DHCP server in the topology and ensures that the DHCP discover or request messages of all servers can be forwarded to the DHCP server responsible for their range; that is, by default the DHCP server should be reachable by all devices within the range it serves, and no other party can impersonate the DHCP server;
Step 2: the user first generates its own public key and private key with the RSA algorithm; if the user configures a static server IP address the process continues with step 3, otherwise it goes to step 6;
Step 3: with a statically configured server IP address, the user sends a DHCP request message directly to the DHCP server; the SIP of the message is 0.0.0.0 and the DIP is 255.255.255.255, and the message content carries the statically configured IP address and the public key;
Step 4: on receiving the message, the DHCP server records the public key and checks whether the configured static IP is already in use; if the IP address is in use it sends a DHCP DENY message, and if the IP address is not used by any other device it sends a DHCP ACK message; the SIP of the message is the IP address of the DHCP server and the destination IP is 255.255.255.255;
Step 5: when the server receives a DHCP DENY message addressed to it, it prompts the user that the configuration failed because the IP address is already in use; the user may retry with a new IP address, returning to step 3, until the DHCP server confirms it; when a DHCP ACK message is received the server reports that the configuration succeeded and records the IP address of the DHCP server; the process then continues with step 10;
Step 6: when the user obtains an IP address dynamically, it sends a DHCP discover message, which the network device forwards to the DHCP server; the SIP of the DHCP discover message is 0.0.0.0 and the DIP is 255.255.255.255, and the message content carries the IP address field and the public key in the same layout as in step 3;
Step 7: on receiving the DHCP discover message, the DHCP server selects an unoccupied IP address, encapsulates it in a DHCP OFFER message and sends it to the server that requested DHCP; the SIP of the DHCP OFFER message is the IP address of the DHCP server and the destination address is 255.255.255.255;
Step 8: on receiving the DHCP OFFER message from the DHCP server, the server records the address of the DHCP server and accepts the IP address, then sends a DHCP request message whose SIP is the IP offered by the DHCP server and whose DIP is the IP address of the DHCP server;
Step 9: on receiving the server's DHCP request message, the DHCP server records the server's IP and public key and sends a DHCP ACK message; the SIP of the message is the IP address of the DHCP server and the destination IP is the IP address allocated to the server;
Step 10: the DHCP server sends the public key and IP address to the controller, which records them so that a suitable access path can be issued later when other devices access that IP address; because the devices to which one DHCP server allocates IP addresses belong to one region, the same IP segment is guaranteed to stay within an adjacent range even though, under the new packet encapsulation format, IP is no longer configured on VLAN-based layer-3 interfaces, so route aggregation remains effective in route computation.
After a packet enters the data link layer under the new encapsulation method it carries no VLAN ID, so the OpenFlow switch need not support the original layer-2 default behaviour of flooding a frame when no lookup entry matches; isolation and interconnection are instead realised as follows:
Step 1: by default no server can access any other server over the network; after the network devices have been configured, the DHCP server configures its network and IP request messages are sent;
Step 2: a specific message is sent to the controller, and the controller generates a full-topology map recording the IP address of every server and the port of the network device it is attached to;
Step 3: every server reports its own security class to the controller, of which there are three:
A. by default accessible by all devices, suitable for websites or resource services offered as public services;
B. by default accessible only by part of the network segment, suitable for networking equipment of a company or IDC intranet;
C. by default accessible only by devices that have passed the server's own authentication, for example with an algorithm such as RSA;
Step 4: once the Controller has collected the access classes of the devices it issues the corresponding rules to each network routing device, ensuring interconnection and isolation of devices of each class;
Step 5: when a new device passes the authentication of a class C device in step 3, a new OpenFlow rule is issued to guarantee its interconnection with the other network devices.
Beneficial effects of the present invention:
1. After the MAC and VID fields are removed, a packet of the same length can carry more data, which raises the proportion of the packet MTU occupied by the data part and so improves link bandwidth utilisation;
2. After the VLAN field is removed, network isolation can be redesigned on the basis of SDN mechanisms, so the problem of large layer-2 networks running out of VLAN IDs is solved at its root, while the multiple encapsulation of schemes such as VXLAN and NVGRE, which lowers link efficiency, is avoided;
3. After the MAC field is removed, the network device no longer needs to record and maintain a MAC table, which simplifies the processing flow of the network device and lets the MAC-related hardware of the network device be reduced to cut cost;
4. With SDN support the new packet format is easy to parse, and the conventional network device's processing of the original protocol packets and their mutual messages is not functionally affected;
5. With OpenFlow switches the transition to the forwarding scheme of the new packet can be realised very conveniently, and OpenFlow switch actions also make it easy for devices using this scheme to interoperate with traditional MAC-based devices;
6. The ARP and RARP protocols of the IPv4-to-MAC mapping part of the protocol stack can also be optimised away, so that packets are looked up and forwarded over the full path in a unified manner based on flow table entries, without any further ARP query and response mechanism;
7. The new encapsulation can run very conveniently on conventional network devices, so compatibility with existing networks is easily realised.
Brief description of the drawings
Fig. 1 is a schematic diagram of the four-layer TCP/IP model referred to in the background art;
Fig. 2 is a schematic diagram of Ethernet encapsulation;
Fig. 3 is a schematic diagram of Ethernet encapsulation after the MAC header is removed in the present invention.
Detailed description
In order to simplify the routing and forwarding flow, the present invention proposes an SDN-based Ethernet IP packet encapsulation method together with network isolation and DHCP implementation methods. The scheme's modification of the link layer is limited to removing the frame addressing and identification functions: after receiving a packet, a server directly judges whether the IP packet is destined for the local IP; if not, it routes the packet directly, and if so the packet enters the protocol stack for processing. A switch parses the packet starting from the IP header and then forwards it according to the matching flow table entry; if no flow table entry matches, the packet is handled according to the configured table-miss behaviour. The scheme has the following features:
1. After the MAC and VID fields are removed, a packet of the same length can carry more data, which raises the proportion of the packet MTU occupied by the data part and so improves link bandwidth utilisation;
2. After the VLAN field is removed, network isolation can be redesigned on the basis of SDN mechanisms, so the problem of large layer-2 networks running out of VLAN IDs is solved at its root, while the multiple encapsulation of schemes such as VXLAN and NVGRE, which lowers link efficiency, is avoided;
3. After the MAC field is removed, the network device no longer needs to record and maintain a MAC table, which simplifies the processing flow of the network device and lets the MAC-related hardware of the network device be reduced to cut cost;
4. With SDN support the new packet format is easy to parse, and the conventional network device's processing of the original protocol packets and their mutual messages is not functionally affected;
5. With OpenFlow switches the transition to the forwarding scheme of the new packet can be realised very conveniently, and OpenFlow switch actions also make it easy for devices using this scheme to interoperate with traditional MAC-based devices;
6. Correspondingly, the ARP and RARP protocols of the IPv4-to-MAC mapping part of the protocol stack can also be optimised away, so that packets are looked up and forwarded over the full path in a unified manner based on flow table entries, without any further ARP query and response mechanism;
7. The new encapsulation can run very conveniently on conventional network devices, so compatibility with existing networks is easily realised.
The scheme comprises, in the server-side packet reception step:
1. the physical layer of the device obtains the physical signal from the transmission medium according to the inter-frame gap and the preamble in the existing manner, converts it into bits and hands them to the data link layer;
2. the data link layer performs all processing work except MAC address recognition and addressing, including assembling the bits into a frame, and then hands the packet to the receive function;
3. the protocol stack recognises and parses the packet in the manner shown in Fig. 3; if the packet's DIP belongs to this server, the packet enters the subsequent protocol stack, otherwise it goes to the routing and forwarding flow;
4. after routing, the packet is handed to the data link layer, which performs all functions other than Ethernet encapsulation and MAC addressing;
5. the physical layer then converts the bits of the data frame into an electrical or optical signal in the original manner and transmits them.
The scheme comprises, in the server-side packet transmission step:
1. the packet data segment is first encapsulated by adding the L4 header and trailer information such as TCP/UDP, and then IP encapsulation is performed;
2. a route lookup is performed on the packet according to its DIP to choose the egress port;
3. the packet for which an egress port was found is handed to the data link layer, which performs all functions other than Ethernet encapsulation and MAC addressing;
4. the physical layer then converts the bits of the data frame into an electrical or optical signal in the original manner and transmits them.
For a network device based on the OpenFlow standard there is no longer a distinction between layer-2 forwarding and layer-3 routing; instead, the ports of the network device are divided into two classes according to the usage scenario: ports that require MAC parsing and ports that do not. Ports without MAC parsing are mainly used inside the network range that implements this scheme, while ports that require MAC parsing are used for interconnection between a network implementing this scheme's encapsulation and a network implementing the traditional Ethernet format. When a packet arrives at or leaves a port that does not need MAC parsing, it is parsed according to Fig. 3 and the parsed fields are matched against the OpenFlow flow table entries to determine the action to be executed on the packet; even at the final hop, on the directly connected route, no ARP interaction is required. When a port that requires MAC parsing receives or forwards a packet, the packet must be parsed and encapsulated according to the traditional Ethernet encapsulation format. That is, when a packet enters from a port without MAC parsing and leaves from a port that requires parsing, the switch must add a layer-2 header to the packet, with the MAC address of the switch itself as the source address and the physical address of the next-hop device as the destination MAC; and when a packet enters from a port that requires parsing and leaves from a port without MAC parsing, the source MAC and destination MAC of the header must be deleted. When the ingress port and egress port of a packet are of the same type, no special MAC handling is applied to the packet. This achieves both the usability of a network implementing this scheme and its interoperability with networks using the traditional Ethernet encapsulation format.
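The following is an added example, not code from the patent, that works through the server-side transmit and receive steps above and the switch's port-boundary handling just described. It assumes (the document does not fix the byte layout of Fig. 3) that a MAC-less frame starts directly at the IPv4 header, that the traditional side uses a standard 14-byte Ethernet header with an optional 802.1Q tag, and that the sample addresses and MACs are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample values (not from the original document)
LOCAL_IPS = {IPv4Address("10.0.0.2")}          # addresses owned by this server
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
SWITCH_MAC = b"\x02\x00\x00\x00\x00\x01"        # assumed MAC of the boundary switch
NEXT_HOP_MAC = b"\x02\x00\x00\x00\x00\x02"      # assumed MAC of the traditional next hop


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones'-complement checksum over the IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def host_send(sip: str, dip: str, payload: bytes, sport=40000, dport=53) -> bytes:
    """Transmit path: add the L4 (UDP) header, then the IP header, and stop there.
    No Ethernet header and no MAC addressing: the frame handed to the link layer
    begins with the IPv4 header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total = 20 + len(udp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                      IPv4Address(sip).packed, IPv4Address(dip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def host_receive(frame: bytes) -> str:
    """Receive path: parse the IP header directly; a local DIP goes to the
    protocol stack, anything else goes to the routing/forwarding flow."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return "drop"
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:        # corrupted header
        return "drop"
    dip = IPv4Address(frame[16:20])
    return "stack" if dip in LOCAL_IPS else "route"


def switch_translate(frame: bytes, in_port_mac: bool, out_port_mac: bool):
    """Boundary handling between MAC-parsing and non-MAC-parsing ports.
    Same port type on both sides: frame passes untouched.
    Traditional -> MAC-less: strip the Ethernet header (and a VLAN tag if present).
    MAC-less -> traditional: prepend a header with the switch MAC as source and the
    next-hop physical address as destination, as the text prescribes."""
    if in_port_mac == out_port_mac:
        return frame
    if in_port_mac:
        etype = struct.unpack("!H", frame[12:14])[0]
        body = frame[14:]
        if etype == ETHERTYPE_VLAN:             # 4-byte 802.1Q tag: skip TCI, read real type
            etype = struct.unpack("!H", frame[16:18])[0]
            body = frame[18:]
        if etype != ETHERTYPE_IPV4:             # only IPv4 exists in the MAC-less format
            return None
        return body
    return NEXT_HOP_MAC + SWITCH_MAC + struct.pack("!H", ETHERTYPE_IPV4) + frame


if __name__ == "__main__":
    f = host_send("10.0.0.1", "10.0.0.2", b"hello")
    print(host_receive(f), len(f), len(switch_translate(f, False, True)))
```

Note that a non-IPv4 frame (for example ARP) arriving on a MAC-parsing port has no representation in the MAC-less format and is returned as `None` here, which matches the text's point that ARP is not needed inside the scheme's range; a real switch would handle it with a table-miss rule.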
Under the newly proposed encapsulation without MAC addresses, the DHCP work of obtaining an IP address needs to be improved; the following procedure may be used so that it is organically combined with the subsequent forwarding path:
1. The Controller determines the position, IP and other information of the DHCP server in the topology, to ensure that the DHCP discover or request messages of all servers can be forwarded to the DHCP server responsible for their range; that is, by default the DHCP server should be reachable by all devices within the range it serves, and no other party can impersonate the DHCP server;
2. Servers joining the network by default have no IP; the user first generates its own public key and private key with the RSA algorithm; if the user configures a static IP address the process continues with step 3, otherwise it goes to step 6;
3. With a statically configured server IP address, the user can send a DHCP request message directly to the DHCP server; the SIP of the message is 0.0.0.0, the DIP is 255.255.255.255, and the message content carries the statically configured IP address and the public key;
4. On receiving the message, the DHCP server records the public key and checks whether the configured static IP is in use; if the IP address is in use it sends a DHCP DENY message, and if the IP address is not used by any other device it sends a DHCP ACK message; the SIP of the message is the IP address of the DHCP server and the destination IP is 255.255.255.255; because RSA authentication is used, the network device can broadcast the message, but only the server that sent the request message handles it correctly;
5. On receiving a DHCP DENY message addressed to it, the server prompts the user that the configuration failed because the IP address is already in use; the user can retry with a new IP address, returning to step 3, until the DHCP server confirms it; on receiving a DHCP ACK message the server reports that the configuration succeeded and records the IP address of the DHCP server; the process then continues with step 10;
6. When the user obtains an IP address dynamically, it sends a DHCP discover message, which the network device forwards to the DHCP server; the SIP of the DHCP discover message is 0.0.0.0, the DIP is 255.255.255.255, and the message content carries the IP address field and the public key in the same layout as in step 3;
7. On receiving the DHCP discover message, the DHCP server selects an unoccupied IP address, encapsulates it in a DHCP OFFER message and sends it to the server that needs DHCP; the SIP of the DHCP OFFER message is the IP address of the DHCP server and the destination address is 255.255.255.255; as in the static IP address configuration flow, because RSA authentication is used the network device can broadcast the message, but only the server that sent the request message handles it correctly;
8. On receiving the DHCP OFFER message from the DHCP server, the server records the address of the DHCP server and then accepts the IP address; it sends a DHCP request message whose SIP (source IP) is the IP provided by the DHCP server and whose DIP is the IP address of the DHCP server;
9. On receiving the server's DHCP request message, the DHCP server records the server's IP and public key and sends a DHCP ACK message; the SIP of the message is the IP address of the DHCP server and the destination IP is the IP address allocated to the server;
10. The DHCP server sends the public key and IP address to the controller, which records them so that a suitable access path can be issued later when other devices access that IP address; because the devices to which one DHCP server allocates IP addresses belong to one region, the same IP segment is guaranteed to stay within an adjacent range even though, under the new packet encapsulation format, IP is no longer configured on VLAN-based layer-3 interfaces, so route aggregation remains effective in route computation.
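The following is an added example, not part of the patent, that simulates the message exchange of steps 1 to 10 above (and the identical procedure in the summary) with both the static path (request, then DENY or ACK) and the dynamic path (discover, OFFER, request, ACK), ending with the server registering the address and public key at the controller. Assumptions: the public key is carried as an opaque byte string rather than a real RSA key; because the text says a broadcast reply is "handled correctly only by the server that sent the request" without saying how, the reply here echoes the requester's public key so the requester can recognise it; message, class and field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "255.255.255.255"
UNSPEC = "0.0.0.0"


@dataclass
class Msg:
    kind: str              # DISCOVER / OFFER / REQUEST / ACK / DENY
    sip: str               # source IP as given in the text for each step
    dip: str               # destination IP as given in the text for each step
    ip: Optional[str]      # requested / offered / confirmed IP address
    pubkey: bytes          # requester's public key (opaque blob in this example)


class Controller:
    """Step 10: records (IP, public key) so later access paths can be issued."""
    def __init__(self) -> None:
        self.records: Dict[str, bytes] = {}

    def register(self, ip: str, pubkey: bytes) -> None:
        self.records[ip] = pubkey


class DHCPServer:
    def __init__(self, ip: str, pool: List[str], controller: Controller) -> None:
        self.ip, self.pool, self.ctl = ip, list(pool), controller
        self.leases: Dict[str, bytes] = {}       # ip -> public key of its holder

    def handle(self, m: Msg) -> Msg:
        if m.kind == "REQUEST" and m.sip == UNSPEC:          # static path, step 4
            if m.ip in self.leases and self.leases[m.ip] != m.pubkey:
                return Msg("DENY", self.ip, BROADCAST, m.ip, m.pubkey)
            self.leases[m.ip] = m.pubkey
            self.ctl.register(m.ip, m.pubkey)                # step 10
            return Msg("ACK", self.ip, BROADCAST, m.ip, m.pubkey)
        if m.kind == "DISCOVER":                             # dynamic path, step 7
            free = next(a for a in self.pool if a not in self.leases)
            return Msg("OFFER", self.ip, BROADCAST, free, m.pubkey)
        if m.kind == "REQUEST" and m.dip == self.ip:         # step 9
            self.leases[m.ip] = m.pubkey
            self.ctl.register(m.ip, m.pubkey)                # step 10
            return Msg("ACK", self.ip, m.ip, m.ip, m.pubkey)
        raise ValueError("unexpected message " + m.kind)


class Client:
    """A server joining the network: static IP if configured, else dynamic."""
    def __init__(self, pubkey: bytes, static_ip: Optional[str] = None) -> None:
        self.pubkey, self.static_ip = pubkey, static_ip
        self.ip: Optional[str] = None
        self.server_ip: Optional[str] = None

    def for_me(self, m: Msg) -> bool:
        return m.pubkey == self.pubkey            # assumption: reply echoes the key

    def obtain(self, server: DHCPServer) -> Optional[str]:
        if self.static_ip:                                   # steps 3-5
            r = server.handle(Msg("REQUEST", UNSPEC, BROADCAST, self.static_ip, self.pubkey))
            if not self.for_me(r):
                return None
            if r.kind == "DENY":
                return "in use"                              # caller retries with a new IP
            self.ip, self.server_ip = self.static_ip, r.sip
            return "ok"
        offer = server.handle(Msg("DISCOVER", UNSPEC, BROADCAST, None, self.pubkey))  # step 6
        if not self.for_me(offer) or offer.kind != "OFFER":
            return None
        self.server_ip = offer.sip                           # step 8
        ack = server.handle(Msg("REQUEST", offer.ip, offer.sip, offer.ip, self.pubkey))
        if ack.kind != "ACK":
            return None
        self.ip = ack.ip
        return "ok"
```

The text says the server "records the public key" but describes no signature or challenge over the request, so this example carries the key unverified; a deployment would want the request signed with the matching private key (and the signature checked) before the server records or reports the key, otherwise any host can register an arbitrary key against an address.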
Once the packet carries no VLAN ID, the OpenFlow switch need not support the original layer-2 default behaviour of flooding a frame when no lookup entry matches, and isolation and interconnection must be realised as follows:
1. By default no server can access any other server over the network; after the network devices have been configured, the DHCP server configures its network and IP request messages are sent;
2. A specific message is then sent to the controller, and the controller generates the topology map of the whole network, recording the IP address of every server and the port of the network device it is attached to; in this way there is no possibility of impersonating another device by forging its IP;
3. Every server reports its own security class to the controller, of which there are three:
A. by default accessible by all devices, suitable for websites or resource services offered as public services;
B. by default accessible only by the same network segment, suitable for networking equipment of a company or IDC intranet;
C. by default accessible only by devices that have passed the server's own authentication, for example with an algorithm such as RSA;
4. Once the Controller has collected the access classes of the devices it issues the corresponding rules to each network routing device, ensuring interconnection and isolation of devices of each class, and the table entries have an aging mechanism;
5. When a new device passes the authentication of a class C device in step 3, a new OpenFlow rule is issued to guarantee interconnection between the two.
In this way the whole network behaves correctly, realising normal network access and isolation without having to consider the problem of insufficient VLAN numbers, and some network security problems such as ARP spoofing are also solved.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit its scope. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.