CN104394090A - SDN (Software Defined Networking) controller classifying network flows through DPI (Deep Packet Inspection) data package - Google Patents

Info

Publication number: CN104394090A
Authority: CN (China)
Prior art keywords: stream, packet, dpi, protocol, module
Legal status: Granted (active)
Application number: CN201410645536.9A
Other languages: Chinese (zh)
Other versions: CN104394090B
Inventors: 李云春, 付容, 曹凯
Current assignee: Beihang University
Original assignee: Beihang University
Application filed by Beihang University; priority to CN201410645536.9A; granted as CN104394090B.

Abstract

The invention discloses an SDN (Software Defined Networking) controller that classifies network flows by applying DPI (Deep Packet Inspection) to packets. A DPI module operating in a parallel processing mode is added to an existing SDN controller. The DPI module comprises a header-removal module, a packet-to-flow conversion module, a grouping thread scheduling module, a plurality of thread modules and a flow-table construction module; the flow-table construction module holds a protocol table and a flow table, both in tabular form. Packets are obtained by modifying the OpenFlow protocol so that the controller communicates with the network switch; each flow connection is scheduled as a group to a processing thread, its packets are matched there against regular expressions, and the resulting flow table is issued to the switch to control the forwarding of subsequent packets. This controller achieves a practical DPI deployment within an SDN network, reduces packet processing time and improves throughput.

Description

SDN controller that classifies network flows by applying DPI to packets
Technical field
The present invention relates to an SDN controller, and more particularly to an SDN controller that uses deep packet inspection (DPI) to classify packets quickly; it concerns the implementation of DPI within the SDN architecture, with optimizations in packet scheduling and flow-table issuing.
Background technology
"SDN Core Technology Analysis and Practical Guide" (Lei Baohua et al., Electronic Industry Press, 1st printing, September 2013) presents on page 15, in Fig. 1-6 (reproduced here as Fig. 1), a diagram of the SDN core technology system. Every layer of the SDN architecture contains many core technologies whose goal is to separate the control plane from the forwarding plane effectively, support unified and logically centralized control, and provide flexible development interfaces. The control layer is the core of the whole SDN; the southbound and northbound interfaces of the system are named relative to it. A packet (also called a message) is sent from the forwarding plane to the control plane in a Packet_in message. SDN (Software Defined Networking) is an emerging network architecture and technology based on software. Its main characteristic is a loosely coupled control plane and data plane; it supports centralized control of network state and makes the underlying network infrastructure transparent to upper-layer applications. As its name says, SDN is flexibly programmable in software, which lifts automatic network management and control capabilities to an unprecedented level and can effectively solve the problems that current network systems face: limited resource scaling, poor networking flexibility, and difficulty in meeting business demands quickly.
"Network Traffic Classification Methods and Practice" (edited by Wang Lidong and Qian Liping, People's Telecon Publishing House, Beijing, 1st printing, October 2013) explains on page 116 that DPI (Deep Packet Inspection) grew out of packet inspection. It is called "deep" because early packet inspection methods examined mainly the IP header and the TCP/UDP header, whereas DPI examines not only the headers of an individual packet but also part or all of its payload; inspecting at least 64 bytes of payload is generally required to qualify as deep packet inspection. The matching technique must support floating keyword matching, that is, keywords that start at a non-fixed offset within the payload.
DPI may be placed at three positions in SDN:
(1) Embedded in the application layer: DPI software can be embedded in the network application layer like any other network application, but the bottleneck of deep packet inspection done this way lies in the length of the communication path, because the node must first pass the packet through the controller and then on to the application layer for DPI. Given the added delay, this deployment is better suited to delay-insensitive applications such as statistical analysis.
(2) Embedded in the control layer: DPI software can be embedded in the SDN controller; the classification information can be used for intelligent network deployment and also passed to the application layer through the northbound API. The node submits the first non-empty packet to the SDN controller for L4 to L7 analysis. Even so, probably no more than 10% of the traffic has to travel between the SDN controller and the switch for DPI to work.
(3) Embedded in the data layer: the network node itself can run DPI software. After obtaining the APP ID and metadata, a predefined policy can be applied directly and the information sent to the SDN controller and network applications; the node then receives the control information returned by the SDN controller and applies the corresponding Action (instruction), so other flows of the same type need no further DPI. This implementation has the lowest delay but the highest cost. Matching algorithms based on state machines, thanks to their multi-pattern matching, fast processing speed and perfect compatibility with regular expressions, have gradually become the most actively researched matching algorithms. Research shows that DPI performance depends on pattern matching speed.
A network flow is a unidirectional sequence of messages transmitted between a source IP address and a destination IP address within a period of time; all its messages have the same source port number srcPort, destination port number dstPort, protocol number tran, source IP address srcIP and destination IP address dstIP, that is, identical five-tuple content.
Currently designed SDN controllers do not perform traffic classification on network flows and cannot control network packets accordingly, so they cannot be applied to network services based on traffic classification.
Summary of the invention
To let an SDN controller classify by traffic the packets output by the network devices it receives from, the present invention designs an SDN controller that uses a DPI framework to classify packets by traffic.
The object of the invention is to provide a connection-level parallel deployment of deep packet inspection under the software-defined-network architecture, achieving fast traffic classification of network packets. The DPI-based SDN controller designed here adds a DPI module to an existing SDN controller. The DPI module works in parallel: the OpenFlow protocol is modified so that the DPI-based SDN controller communicates with the network switch and obtains packets; packets are delivered to processing threads by connection-based scheduling, where regular-expression matching is performed; and a flow table is issued to the switch to control the forwarding of subsequent packets. The DPI-based SDN controller designed here achieves a practical DPI deployment under SDN, reduces packet processing time and raises throughput.
The present invention designs an SDN controller that classifies network flows by applying DPI to packets. It adds to an existing SDN controller a DPI module that works in parallel; the DPI module includes a header-removal module, a packet-to-flow conversion module, a grouping thread scheduling module, multiple thread modules and a flow-table construction module, and the flow-table construction module includes a protocol table and a flow table, both kept in tabular form.
The header-removal module receives the OFPAK protocol packets OFPAK = {(head, op_1), (head, op_2), ..., (head, op_Z)}, strips the OpenFlow protocol header head from each, and obtains the raw packets OP = {op_1, op_2, ..., op_Z}.
The packet-to-flow conversion module extracts the five-tuple content of any received packet op_Z and finds the flow connection ct_B to which op_Z belongs.
The grouping thread scheduling module uses the thread weight qw_C to process the flow connection ct_B and obtain the processing thread that will serve ct_B:
$$qw_C = \frac{LEN_{min} + flen_B}{len_C + flen_B} \cdot g(B, C)$$
The multiple thread modules extract the packets op_Z from the received flow connection ct_B, process each op_Z with the regular expression method, and output the protocol information PR and pattern information RE carried by op_Z.
The flow-table construction module includes the protocol table and the flow table. The protocol table inserts the received protocol information PR and pattern information RE as consecutive entries in the protocol-table format to obtain the protocol result; the policy table is then applied to the protocol result to obtain the action PB_CT associated with the pattern name PA_CT, and PB_CT is finally inserted in the instruction field of the flow table.
Writing the flow table means inserting the received protocol information PR and pattern information RE as consecutive entries in the flow-table format to obtain the flow table, which is then output to the network device.
Advantages of the present invention:
1. DPI is deployed in the control layer of the SDN architecture, so traffic classification information can be used for intelligent network deployment and also passed to the application layer through the northbound API.
2. By modifying the OpenFlow protocol, DPI can be deployed in the SDN control layer without deploying DPI at every switch node, which reduces cost.
3. The flow-connection-based (connection-level) parallel DPI method balances the load across processing threads; scheduling packets by data flow better matches actual traffic characteristics and improves the hit rate of the common rule set.
4. The packet processing module handles many packets concurrently in multiple threads and schedules flows according to the locality principle of data flows, so packets are processed faster, the traffic classification speed of the SDN controller improves, and system throughput increases.
Brief description of the drawings
Fig. 1 is the system architecture diagram of a conventional SDN controller.
Fig. 2 is the block diagram of the DPI module in the DPI-based SDN controller of the present invention.
Fig. 3 is the flow chart of the DPI module of the present invention.
Fig. 4 is the flow chart of packet-to-flow conversion and grouping thread scheduling of the present invention.
Fig. 5 is the flow chart of flow-table construction in the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
As shown in Fig. 1, the present invention is an SDN controller that classifies network flows by applying DPI to packets. This DPI-based SDN controller adds a DPI module to an existing SDN controller; the DPI module works in parallel: the OpenFlow protocol is modified so that the DPI-based SDN controller communicates with the network switch and obtains packets; connection-based packet scheduling delivers packets to processing threads for regular-expression matching; and a flow table is issued to the switch to control the forwarding of subsequent packets.
As shown in Fig. 2, the DPI module of the present invention includes a header-removal module, a packet-to-flow conversion module, a grouping thread scheduling module, multiple thread modules (the first thread module, the second thread module, ..., the C-th thread module) and a flow-table construction module; the flow-table construction module includes a protocol table and a flow table kept in tabular form. The first, second and C-th thread modules have identical structure.
To better understand the present invention and its advantages, it is further described in detail below with reference to the drawings and concrete examples.
(1) Header-removal module
The header-removal module receives the OFPAK protocol packets OFPAK = {(head, op_1), (head, op_2), ..., (head, op_Z)}, removes the OpenFlow protocol header head from each, and obtains the raw packets OP = {op_1, op_2, ..., op_Z}.
op_1 denotes the first packet with the OpenFlow protocol header removed;
op_2 denotes the second packet with the OpenFlow protocol header removed;
op_Z denotes the last packet with the OpenFlow protocol header removed. For ease of explanation, op_Z is also called an arbitrary packet, and Z is the packet's identification number.
In the present invention, any packet op_Z carries the five-tuple content consisting of source port number srcPort, destination port number dstPort, protocol number tran, source IP address srcIP and destination IP address dstIP: op_Z = {srcPort, dstPort, tran, srcIP, dstIP}.
(2) Packet-to-flow conversion module
The packet-to-flow conversion module extracts the five-tuple content of any received packet op_Z and finds the flow connection ct_B to which op_Z belongs.
In the present invention, the SDN controller holds multiple flow connections, expressed as the set CT = {ct_1, ct_2, ..., ct_B}; ct_1 is the first flow connection in the SDN controller, ct_2 the second, and ct_B the last. For ease of explanation, ct_B is also called an arbitrary flow connection, and B is the flow connection's identification number. An arbitrary flow connection ct_B includes the flow connection identifier ID, the number of packets packetnum, the flow connection length flen, the source IP address srcIP, the destination IP address dstIP, the source port number srcPort, the destination port number dstPort and the protocol number tran, expressed as the set ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran}.
In the present invention, multiple raw packets OP = {op_1, op_2, ..., op_Z} in the SDN controller may correspond to the same flow connection ct_B, and a single packet op_Z may also correspond to one flow connection ct_B.
In the present invention, each flow connection ct_B has a corresponding flow connection length flen_B; the flow connection lengths are expressed as the set FLEN = {flen_1, flen_2, ..., flen_B}, where flen_1 is the length of ct_1, flen_2 the length of ct_2, and flen_B the length of ct_B.
(3) Grouping thread scheduling module
The grouping thread scheduling module processes an arbitrary flow connection ct_B according to the thread weight qw_C and obtains the processing thread that will serve ct_B.
In the present invention, the thread weight is
$$qw_C = \frac{LEN_{min} + flen_B}{len_C + flen_B} \cdot g(B, C)$$
where LEN_min is the minimum value among the task queue lengths LEN = {len_1, len_2, ..., len_C}, and g(B, C) is a fixed hash function
$$g(B, C) = \bigl(a \cdot ((a \cdot C + b) \oplus B) + b\bigr) \bmod 2^{31}$$
with constant a = 1103515245 and constant b = 12345.
In the present invention, the SDN controller includes multiple threads MT = {mt_1, mt_2, ..., mt_C}; each thread mt_C has a corresponding task queue qe_C, each task queue qe_C has a corresponding task queue length len_C, and each thread mt_C in the SDN controller has a corresponding thread weight qw_C.
The threads are expressed as the set MT = {mt_1, mt_2, ..., mt_C}; mt_1 is the first processing thread, mt_2 the second, and mt_C the last. For ease of explanation below, mt_C is also called an arbitrary processing thread, and C is the processing thread's identification number.
The task queues are expressed as the set QE = {qe_1, qe_2, ..., qe_C}; qe_1 is the task queue of mt_1, qe_2 the task queue of mt_2, and qe_C the task queue of mt_C.
The task queue lengths are expressed as the set LEN = {len_1, len_2, ..., len_C}; len_1 is the length of qe_1, len_2 the length of qe_2, and len_C the length of qe_C.
The thread weights are expressed as the set QW = {qw_1, qw_2, ..., qw_C}; qw_1 is the thread weight of mt_1, qw_2 the thread weight of mt_2, and qw_C the thread weight of mt_C.
(4) Thread module
First, the thread module receives a flow connection ct_B;
second, the thread module extracts the packets op_Z from the flow connection ct_B;
third, the thread module processes each packet op_Z with the regular expression method and outputs the protocol information PR and pattern information RE carried by op_Z.
In the present invention, for the regular expression method refer to "Network Traffic Classification Methods and Practice" (Wang Lidong and Qian Liping, editors-in-chief, 1st edition, October 2013), pages 125-132.
In the present invention, the protocol information corresponding to all flow connections CT = {ct_1, ct_2, ..., ct_B} is denoted PR = {pr_1, pr_2, ..., pr_B}; pr_1 is the protocol information of ct_1, pr_2 that of ct_2, and pr_B that of ct_B.
In the present invention, the pattern information corresponding to all flow connections CT = {ct_1, ct_2, ..., ct_B} is denoted RE = {re_1, re_2, ..., re_F}; re_1 is the first pattern, re_2 the second, and re_F the last. For ease of explanation below, re_F is also called an arbitrary pattern, and F is the pattern's identification number.
(5) Flow-table construction module
In the present invention, the flow-table construction module includes the protocol table and the flow table. The protocol table inserts the received protocol information PR and pattern information RE as consecutive entries in the protocol-table format to obtain the protocol result; the policy table is then applied to the protocol result to obtain the action PB_CT associated with the pattern name PA_CT, and PB_CT is finally inserted in the instruction field of the flow table.
In the present invention, writing the flow table means inserting the received protocol information PR and pattern information RE as consecutive entries in the flow-table format to obtain the flow table, which is then output to the network device.
(1) Protocol result
Columns: Identification number ID_CT | Pattern name PA_CT
In the present invention, the protocol result indicates which flow belongs to which pattern name (refer to the L7-Filter pattern summary on pages 126-132 of "Network Traffic Classification Methods and Practice", Wang Lidong and Qian Liping, editors-in-chief, 1st edition, October 2013).
(2) Policy table
Columns: Pattern name PA_CT | Action PB_CT
In the present invention, the policy table specifies how the flow corresponding to pattern name PA_CT is handled, namely whether it is forwarded or dropped; this is the action PB_CT.
(3) The flow table format is as follows:
The flow-table body used in the present invention follows page 42 of "SDN Core Technology Analysis and Practical Guide"; the "Cookie" field there is explained as data stored on the user's local terminal. The difference is the added "mark" field, which indicates whether a flow entering the switch is sent to the controller: a designation of send or do not send.
The SDN controller proposed by the present invention, which classifies network flows by applying DPI to packets, receives OpenFlow packets sent from multiple switches (i.e. network devices). A switch encapsulates a packet that has no matching flow-table entry as the data of an OpenFlow protocol packet; the controller removes the OpenFlow protocol header, obtains the raw packet and preprocesses it. Using the five-tuple information, packets are grouped into flow connections to establish flows; if the current flow connection is new, space is allocated for it and it is added to the connection queue CT, and the packet scheduling program is called to distribute it to the processing thread MT selected by the system, placing it in that thread's processing queue. The flow-table construction collects the results of all MT threads, obtains for each flow connection the policy associated with the pattern name produced by its processing, modifies the corresponding instruction field of the flow table with drop, forward or similar actions, and issues the flow table to all switches.
In the present invention, DPI technology has great significance under the SDN architecture, mainly in the following respects:
(1) Combining SDN and DPI technology enables centralized policy and security control. Improved DPI technology can provide the SDN controller with detailed data about network state and traffic, so SDN can treat the network as one overall resource instead of a series of individual devices (such as switches, security appliances and other layer 4-7 elements). DPI can supply information to all related functions (controller, policy, security, etc.) instead of each dedicated appliance in today's systems having its own separate DPI technology.
(2) Combining DPI and SDN technology improves network security. DPI technology lets IT administrators and security officers formulate policies against malware and other threats and enforce them at every level, including the application layer and the user layer. Combined DPI and SDN can spread network security across the whole network rather than only at specific endpoints such as firewalls.
(3) Combining DPI and SDN technology can apply big data to network management. DPI plays an important role in providing key information about network health and performance. DPI technology combined with SDN will lead today's networks toward automated networks that are more manageable, safer and cheaper to operate.
Embodiment 1
An embodiment of the present invention is given below to describe the packet scheduling process of the present invention (as shown in Fig. 3, Fig. 4 and Fig. 5). The concrete packet scheduling steps are as follows:
Step S1: a switch supporting the OpenFlow protocol receives data sent from devices in the network, encapsulates it into OpenFlow protocol packets denoted OFPAK = {(head, op_1), (head, op_2), ..., (head, op_Z)}, and sends OFPAK to the controller improved by the present invention, namely the DPI-based SDN controller;
Step S2: in the DPI-based SDN controller, the header of each protocol packet in OFPAK = {(head, op_1), (head, op_2), ..., (head, op_Z)} is removed, giving OP = {op_1, op_2, ..., op_Z};
according to the five-tuple information of any packet op_Z, the connections to which packets with identical five-tuple information belong are obtained and denoted CT = {ct_1, ct_2, ..., ct_B}, with B ≤ Z, where ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran};
ID denotes the connection identifier;
packetnum denotes the number of packets;
flen denotes the length of the connection;
srcIP denotes the source IP address;
dstIP denotes the destination IP address;
srcPort denotes the source port number;
dstPort denotes the destination port number;
tran denotes the transport layer protocol;
according to ID, the flows CT are distributed to the processing threads MT = {mt_1, mt_2, ..., mt_C} of the packet processing module; the connections CT enter the MT job queues, and the corresponding task queues QE = {qe_1, qe_2, ..., qe_C} and their lengths LEN = {len_1, len_2, ..., len_C} are computed.
Fig. 4 shows the concrete steps of the packet-to-flow conversion module and the grouping thread scheduling module in step S2:
S201: after obtaining the raw packet op_Z from step S1, extract the five-tuple information srcPort, dstPort, tran, srcIP, dstIP from the header of op_Z (the five-tuple comprises source IP address, source port, destination IP address, destination port and transport layer protocol), then find the flow connection ct_B corresponding to op_Z according to the five-tuple information;
S202: judge whether the flow connection table CT already holds the entry ct_B with the flow connection identifier generated in step S201; if the entry exists, proceed to step S203, otherwise proceed to step S204;
S203: add the packet information under the corresponding flow connection entry ct_B in the flow connection table; once the packet information is stored, proceed to step S205;
S204: create an entry for this connection identifier in the flow connection table, store the flow connection information and proceed to step S205;
S205: obtain the task queue lengths LEN of all current processing threads MT; for each mt_C, obtain the minimum task length LEN_min, the task queue length len_C of the current mt_C and the packet length information flen_B of connection ct_B, then proceed to step S206;
S206: compute the weight qw_C of the current mt_C from the thread weight formula, select the thread mt_C with the maximum weight and proceed to step S207;
S207: add the connection ct_B to the task queue qe_C of the thread mt_C with the maximum weight and proceed to step S3;
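The packet-to-flow conversion and weight-based thread selection of steps S201 to S207 (and of the grouping thread scheduling module above), written out as an added example; this is not code from the patent. The field names follow the patent, while the dict layout of a packet and a connection, the hypothetical `GroupingScheduler` class, the zero-length guard and the rule that a connection already queued keeps its thread are assumptions of this example.

```python
# Added example (not the patent's own code): connection-level packet scheduling
# from steps S201-S207 with the thread weight of the patent,
#   qw_C = (LEN_min + flen_B) / (len_C + flen_B) * g(B, C)
#   g(B, C) = (a * ((a * C + b) XOR B) + b) mod 2^31,  a = 1103515245, b = 12345.
# Packet and connection dict layouts are assumptions; field names follow the patent.

A_CONST = 1103515245
B_CONST = 12345
MOD_2_31 = 1 << 31


def g(B: int, C: int) -> int:
    """Fixed hash g(B, C): one LCG step over ((a*C + b) XOR B), reduced mod 2^31."""
    return (A_CONST * ((A_CONST * C + B_CONST) ^ B) + B_CONST) % MOD_2_31


def five_tuple(op: dict) -> tuple:
    """Five-tuple key of a raw packet op_Z = {srcPort, dstPort, tran, srcIP, dstIP}."""
    return (op["srcPort"], op["dstPort"], op["tran"], op["srcIP"], op["dstIP"])


class GroupingScheduler:
    """Packet-to-flow conversion (S201-S204) plus grouping thread scheduling (S205-S207)."""

    def __init__(self, num_threads: int) -> None:
        self.CT = {}                                  # five-tuple -> flow connection ct_B
        self.QE = [[] for _ in range(num_threads)]    # task queue qe_C of each thread mt_C
        self.assigned = {}                            # connection ID -> thread index C

    def packet_to_flow(self, op: dict, payload: bytes) -> dict:
        """S201-S204: find or create the flow connection ct_B for packet op_Z."""
        key = five_tuple(op)
        ct = self.CT.get(key)
        if ct is None:                                # S204: new connection entry
            ct = {"ID": len(self.CT) + 1, "packetnum": 0, "flen": 0,
                  "srcIP": op["srcIP"], "srcPort": op["srcPort"],
                  "dstIP": op["dstIP"], "dstPort": op["dstPort"],
                  "tran": op["tran"], "packets": []}
            self.CT[key] = ct
        ct["packets"].append(payload)                 # S203: store the packet under ct_B
        ct["packetnum"] += 1
        ct["flen"] += len(payload)                    # flen_B: bytes seen on the connection
        return ct

    def weight(self, ct: dict, C: int) -> float:
        """S205-S206: thread weight qw_C of thread index C for connection ct_B."""
        LEN = [len(q) for q in self.QE]               # len_C = task queue length of mt_C
        LEN_min = min(LEN)
        flen_B = ct["flen"]
        denom = LEN[C] + flen_B
        if denom == 0:                                # assumption: empty queue and empty
            return 0.0                                # payload give weight 0, not an error
        return (LEN_min + flen_B) / denom * g(ct["ID"], C)

    def schedule(self, ct: dict) -> int:
        """S206-S207: queue ct_B on the thread with the maximum weight; return its index."""
        # Assumption: a connection already scheduled stays on its thread (connection-level
        # DPI), so later packets of the same flow do not re-enter the queues.
        if ct["ID"] in self.assigned:
            return self.assigned[ct["ID"]]
        C = max(range(len(self.QE)), key=lambda c: self.weight(ct, c))
        self.QE[C].append(ct)
        self.assigned[ct["ID"]] = C
        return C


if __name__ == "__main__":
    # Constructed sample: two packets of one TCP flow, then a second flow.
    sched = GroupingScheduler(num_threads=3)
    op_a = {"srcPort": 40001, "dstPort": 80, "tran": "TCP",
            "srcIP": "10.0.0.1", "dstIP": "10.0.0.2"}
    op_b = {"srcPort": 40002, "dstPort": 22, "tran": "TCP",
            "srcIP": "10.0.0.1", "dstIP": "10.0.0.3"}
    ct_a = sched.packet_to_flow(op_a, b"GET / HTTP/1.1\r\n")
    print("flow", ct_a["ID"], "-> thread", sched.schedule(ct_a))
    sched.packet_to_flow(op_a, b"Host: example\r\n")
    ct_b = sched.packet_to_flow(op_b, b"SSH-2.0-client\r\n")
    print("flow", ct_b["ID"], "-> thread", sched.schedule(ct_b))
    print("queue lengths LEN =", [len(q) for q in sched.QE])
```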
Step S3: a processing thread MT fetches a connection ct_B from the job queue, obtains all packets OP = {op_1, op_2, ..., op_Z} in the connection, performs protocol detection by regex matching the application-layer data of each packet op_Z against the system rule set RE = {re_1, re_2, ..., re_F}, and obtains the pattern name corresponding to the connection CT. The protocol result PR to which the connection belongs is delivered to the flow-table issuing module.
Fig. 5 shows the concrete protocol detection steps of the packet processing module in step S3:
S301: the processing thread mt_C takes the connection ct_B from its task queue and obtains all packets OP = {op_1, op_2, ..., op_Z} in it, then performs step S302;
S302: judge whether the transport layer protocol field tran of ct_B is TCP, UDP or ICMP; if it is none of the three, drop this flow connection; if it is one of them, enter step S304;
S304: judge whether the number of packets packetnum of ct_B exceeds 10; if packetnum > 10, drop this flow connection; if packetnum ≤ 10, enter step S306;
S306: obtain the application-layer data of packet op_Z and enter step S307;
S307: take a rule re_F from the rule set RE, compile it and enter step S308;
S308: regex match the compiled re_F against the application-layer data of op_Z; if there is no match, return to step S307; if it matches, enter step S309;
S309: return the protocol results as the result set PR = {pr_1, pr_2, ..., pr_B} to the flow-table issuing module for flow-table processing.
Step S4: the flow-table issuing module receives the protocol detection results PR of all processing threads MT, obtains the action PB_CT of the current flow from the protocol result PR and the preset policy table, inserts PB_CT in the instruction field of the flow table, writes 1 in the mark field of the flow table, and issues the flow table to all switches.
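The protocol detection of steps S302 to S309 and the policy lookup and flow-entry writing of step S4 (the protocol table, policy table and mark field described under the flow-table construction module), as an added example that is not code from the patent. The rule set, the policy table, the flow-entry field layout and the sample connections are constructed for this example; the patent refers to L7-Filter style patterns without listing them, and the rules are compiled once here rather than per iteration as in S307.

```python
# Added example (not the patent's own code): protocol detection of flow connections
# (S302-S309) and flow-table entry construction from the policy table (S4).
# RULE_SET, POLICY_TABLE, the flow-entry layout and SAMPLE_CT are constructed.
import re

ALLOWED_TRAN = {"TCP", "UDP", "ICMP"}   # S302: other transport protocols are discarded
MAX_PACKETS = 10                        # S304: connections with packetnum > 10 are discarded

# Constructed rule set RE = {re_1, ..., re_F}: (pattern name PA, compiled regex).
RULE_SET = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-[12]\.[0-9]+-")),
]

# Constructed policy table: pattern name PA_CT -> action PB_CT.
POLICY_TABLE = {"http": "forward", "ssh": "forward", "unknown": "drop"}


def detect_protocol(ct: dict):
    """S302-S309: pattern name for ct_B, or None when the connection is discarded."""
    if ct["tran"] not in ALLOWED_TRAN:        # S302
        return None
    if ct["packetnum"] > MAX_PACKETS:         # S304
        return None
    for payload in ct["packets"]:             # S306: application-layer data of each op_Z
        for name, rx in RULE_SET:             # S307/S308: try each rule re_F in turn
            if rx.search(payload):            # S309: first match decides the pattern
                return name
    return "unknown"                          # no rule matched; policy table decides


def build_flow_entry(ct: dict, pr: str, policy: dict = POLICY_TABLE) -> dict:
    """S4: look up PB_CT for pattern PA_CT and write one flow-table entry."""
    pb = policy.get(pr, policy["unknown"])    # unlisted pattern falls back to "unknown"
    return {
        "cookie": ct["ID"],
        "match": {k: ct[k] for k in ("srcIP", "srcPort", "dstIP", "dstPort", "tran")},
        "instruction": pb,                    # action PB_CT in the instruction field
        "mark": 1,                            # mark = 1: this flow was sent to the controller
    }


def classify_and_issue(CT: list, policy: dict = POLICY_TABLE):
    """Run S3 and S4 over all connections; returns (PR by connection ID, flow table)."""
    PR = {}
    flow_table = []
    for ct in CT:
        pr = detect_protocol(ct)
        if pr is None:                        # discarded in S302/S304: no entry issued
            continue
        PR[ct["ID"]] = pr
        flow_table.append(build_flow_entry(ct, pr, policy))
    return PR, flow_table


def _ct(ID, tran, dport, packets, packetnum=None):
    """Build a constructed connection dict ct_B in the patent's field layout."""
    return {"ID": ID, "packetnum": packetnum if packetnum is not None else len(packets),
            "flen": sum(len(p) for p in packets), "srcIP": "10.0.0.1", "srcPort": 40000 + ID,
            "dstIP": "10.0.0.2", "dstPort": dport, "tran": tran, "packets": packets}


# Constructed sample connections: HTTP, SSH, an unmatched TLS hello, a non-TCP/UDP/ICMP
# flow (discarded by S302) and a flow with too many packets (discarded by S304).
SAMPLE_CT = [
    _ct(1, "TCP", 80, [b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"]),
    _ct(2, "TCP", 22, [b"SSH-2.0-OpenSSH_8.9\r\n"]),
    _ct(3, "TCP", 443, [b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"]),
    _ct(4, "GRE", 0, [b"\x00\x00\x08\x00"]),
    _ct(5, "UDP", 53, [b"\x12\x34\x01\x00"] * 11),
]

if __name__ == "__main__":
    PR, table = classify_and_issue(SAMPLE_CT)
    print("PR =", PR)
    for entry in table:
        print(entry["cookie"], entry["match"]["dstPort"], entry["instruction"], entry["mark"])
```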

Claims (6)

1. one kind adopts DPI to carry out the SDN controller of network flow classification to packet, be in existing SDN controller, add the DPI module adopting parallel processing manner, it is characterized in that: DPI module includes message header module, bag-stream translation module, grouping thread scheduling module, multiple threading models and stream table and builds module; Described stream table builds in module and includes the protocol tables and stream table that exist in a tabular form;
Remove OFPAK protocol data bag OFPAK={ (head, the op of message header module for receiving 1), (head, op 2) ..., (head, op z) carry out removal OpenFlow protocol header head, obtain raw data packets OP={op 1, op 2..., op z;
Bag-stream translation module is to any one packet op received zcarry out the pickup of identical five-tuple content, find out described any one packet op zthe stream of corresponding stream connects ct b;
Grouping thread scheduling module is according to thread weight qw cfor connecting ct to described stream bprocess, obtain meeting described ct bprocessing threads;
qw C = LEN min + flen B len C + flen B g ( B , C ) ;
Multiple threading models connects ct from the stream received bin extract packet op z, then adopt regular expression method to described packet op zprocess, export described packet op zthe protocol information PR carried and pattern information RE;
Stream table builds module and includes protocol tables and stream table; Described protocol tables is that the protocol information PR received and pattern information RE is inserted continuous item according to protocol tables form, obtains protocol results; Then associative mode name PA is obtained to protocol results application strategy table cTthe PB that performs an action cT, finally will perform an action PB cTinsert in the instruction items of stream table;
Writing stream table is the action protocol information PR received and pattern information RE being inserted continuous item according to stream sheet form, and then obtains stream table, then stream table is exported to the network equipment.
2. The SDN controller using DPI on packets to classify network flows according to claim 1, characterized in that: the DPI-based SDN controller schedules packets in four steps;
Step S1: a switch supporting the OpenFlow protocol receives the packets sent by devices in the network, encapsulates them as OpenFlow protocol packets denoted OFPAK = {(head, op_1), (head, op_2), ..., (head, op_z)}, and sends OFPAK = {(head, op_1), (head, op_2), ..., (head, op_z)} to the DPI-based SDN controller;
Step S2: in the DPI-based SDN controller, the header of each protocol packet in OFPAK = {(head, op_1), (head, op_2), ..., (head, op_z)} is removed (the message-header removal process), yielding OP = {op_1, op_2, ..., op_z};
Step S3: in the DPI-based SDN controller, any processing thread can take a flow connection ct_B from its work queue and obtain all packets OP = {op_1, op_2, ..., op_z} of that connection; it performs protocol detection by regex matching between the application-layer data of packet op_z and the system's rule set RE = {re_1, re_2, ..., re_f}, obtains the pattern name corresponding to every flow connection in CT, and delivers the protocol result PR, grouped by flow connection, to the protocol table;
Step S4: the protocol table, using the protocol detection results PR received from all processing threads and the preset policy table, obtains the action PB_CT for the current flow, inserts the action PB_CT into the instruction field of the flow table, thereby completing the writing of the flow table and obtaining the flow table that is to be issued to the network device.
3. The SDN controller using DPI on packets to classify network flows according to claim 2, characterized in that the specific steps of the packet-to-flow conversion module and the grouping thread scheduling module in step S2 are as follows:
Step S201: after the raw packet op_z is obtained from step S1, extract the header five-tuple of packet op_z: srcPort, dstPort, tran, srcIP, dstIP; the five-tuple consists of source IP address, source port, destination IP address, destination port and transport-layer protocol; then find, from the five-tuple, the flow connection ct_B to which packet op_z belongs;
Step S202: check whether the flow connection table CT already holds an entry ct_B for the flow connection identifier generated in step S201; if the flow connection entry ct_B exists, proceed to step S203; if no entry with this identifier exists in the flow connection table, proceed to step S204;
Step S203: add the packet information under the corresponding flow connection entry ct_B in the flow connection table; once the packet information is stored, proceed to step S205;
Step S204: create an entry for this connection identifier in the flow connection table, save the flow connection information, and proceed to step S205;
Step S205: obtain the task queue lengths LEN of all current processing threads MT; for each thread mt_C, obtain the minimum task queue length LEN_min, the current task queue length len_C of mt_C, and the packet length information flen_B of the connection ct_B; proceed to step S206;
Step S206: calculate the weight qw_C of the current thread mt_C according to the thread weight formula $qw_C = \frac{LEN_{min} + flen_B}{len_C + flen_B} \cdot g(B, C)$, select the thread mt_C with the largest weight, and proceed to step S207;
Step S207: add the connection ct_B to the task queue qe_C of the thread mt_C with the largest weight, then proceed to step S3.
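Steps S201 to S207 as an added Python illustration (this is not the patent's code). Packets are constructed dicts standing in for the raw packets op_z after OpenFlow header removal; the flow connection table CT and the per-thread task queues qe_C are plain dictionaries; queue lengths are measured in bytes of queued packet data so that len_C and flen_B share a unit, which is an assumption; and because the claims do not define the term g(B, C), a hypothetical affinity function is used that favours the thread already holding the connection.

```python
"""Packet-to-flow conversion and thread-weight scheduling (steps S201-S207).

Added illustration, not the patent's code. The affinity term g(B, C) is
not defined in the claims; the one used here is hypothetical.
"""
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (srcIP, dstIP, srcPort, dstPort, tran)


def five_tuple(pkt: dict) -> FiveTuple:
    """S201: extract the header five-tuple used as the flow connection identifier."""
    return (pkt["srcIP"], pkt["dstIP"], pkt["srcPort"], pkt["dstPort"], pkt["tran"])


class FlowConnectionTable:
    """Flow connection table CT: five-tuple -> packets of that connection (S202-S204)."""

    def __init__(self) -> None:
        self.ct: Dict[FiveTuple, List[dict]] = {}

    def add_packet(self, pkt: dict) -> Tuple[FiveTuple, bool]:
        key = five_tuple(pkt)
        created = key not in self.ct          # S202: does entry ct_B exist?
        if created:
            self.ct[key] = []                 # S204: create the entry
        self.ct[key].append(pkt)              # S203: store the packet under ct_B
        return key, created

    def flen(self, key: FiveTuple) -> int:
        """flen_B: total packet length of connection ct_B (S205)."""
        return sum(p["len"] for p in self.ct[key])


class ThreadScheduler:
    """Grouping thread scheduling module (S205-S207)."""

    def __init__(self, n_threads: int) -> None:
        # qe_C: task queue of each thread as (connection, flen_B) pairs; every
        # dispatch of ct_B enqueues the connection with its current flen_B.
        self.queues: Dict[int, List[Tuple[FiveTuple, int]]] = {c: [] for c in range(n_threads)}
        self.owner: Dict[FiveTuple, int] = {}  # thread that last received a connection

    def queue_len(self, c: int) -> int:
        """len_C: task queue length of thread mt_C, in bytes (assumed unit)."""
        return sum(flen for _, flen in self.queues[c])

    def g(self, key: FiveTuple, c: int) -> float:
        """Hypothetical affinity term g(B, C): prefer the thread already holding ct_B."""
        return 1.0 if self.owner.get(key) == c else 0.5

    def weights(self, key: FiveTuple, flen_b: int) -> Dict[int, float]:
        """S206: qw_C = (LEN_min + flen_B) / (len_C + flen_B) * g(B, C) for every thread."""
        lens = {c: self.queue_len(c) for c in self.queues}
        len_min = min(lens.values())
        return {c: (len_min + flen_b) / (lens[c] + flen_b) * self.g(key, c) for c in lens}

    def schedule(self, key: FiveTuple, flen_b: int) -> int:
        """S207: append ct_B to the queue of the thread with the largest weight."""
        w = self.weights(key, flen_b)
        best = max(w, key=lambda c: (w[c], -c))   # deterministic tie-break: lowest thread id
        self.queues[best].append((key, flen_b))
        self.owner[key] = best
        return best


# Constructed sample packets (raw op_z after header removal), not captured traffic.
CONSTRUCTED_PACKETS = [
    {"srcIP": "10.0.0.1", "dstIP": "10.0.0.2", "srcPort": 40001, "dstPort": 80, "tran": "TCP", "len": 600},
    {"srcIP": "10.0.0.3", "dstIP": "10.0.0.2", "srcPort": 40002, "dstPort": 443, "tran": "TCP", "len": 1200},
    {"srcIP": "10.0.0.1", "dstIP": "10.0.0.2", "srcPort": 40001, "dstPort": 80, "tran": "TCP", "len": 300},
    {"srcIP": "10.0.0.4", "dstIP": "10.0.0.5", "srcPort": 5000, "dstPort": 53, "tran": "UDP", "len": 80},
]


def dispatch(packets: List[dict], n_threads: int = 2):
    """Run S201-S207 for each packet; return the table, the scheduler and the thread chosen per packet."""
    table = FlowConnectionTable()
    sched = ThreadScheduler(n_threads)
    assignments = []
    for pkt in packets:
        key, _ = table.add_packet(pkt)
        assignments.append(sched.schedule(key, table.flen(key)))
    return table, sched, assignments


if __name__ == "__main__":
    _, _, chosen = dispatch(CONSTRUCTED_PACKETS)
    print("thread chosen per packet:", chosen)
```

With two threads and the constructed packets above, the first packet lands on thread 0, the second (a larger flow) on the emptier thread 1, the third stays on thread 0 because it belongs to the first connection and the affinity term dominates, and the fourth goes to thread 1 again as the shorter queue. The ratio (LEN_min + flen_B) / (len_C + flen_B) is at most 1 and reaches 1 only on the least-loaded thread, which is why selecting the largest weight balances load.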
4. The SDN controller using DPI on packets to classify network flows according to claim 2, characterized in that the specific protocol detection steps of the packet processing module in step S3 are as follows:
Step S301: processing thread mt_C takes the connection ct_B from its task queue and obtains all packets OP = {op_1, op_2, ..., op_z} of ct_B; proceed to step S302;
Step S302: check whether the transport-layer protocol field tran of ct_B is TCP, UDP or ICMP; if it is none of the three, discard this flow connection; if it is one of them, proceed to step S304;
Step S304: check whether the number of packets packetnum of ct_B is greater than 10; if packetnum > 10, discard this flow connection; if packetnum ≤ 10, proceed to step S306;
Step S306: obtain the application-layer data of packet op_z and proceed to step S307;
Step S307: take a rule re_f from the rule set RE, compile it, and proceed to step S308;
Step S308: match the compiled re_f against the application-layer data of op_z; if there is no match, return to step S307; if there is a match, proceed to step S309;
Step S309: return the protocol result as the result set PR = {pr_1, pr_2, ..., pr_B} to the flow table issuing module, which performs the flow table processing.
5. The SDN controller using DPI on packets to classify network flows according to any one of claims 1 to 4, characterized in that: the policy table in the flow table construction module specifies how the flow corresponding to the pattern name PA_CT is handled, namely whether it is forwarded or dropped, that is, the action PB_CT.
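The detection steps S301 to S309 of claim 4 together with the protocol table and policy table of claims 1 and 5, as an added Python illustration (not the patent's code). The rule set RE, the policy table and the sample connections are constructed for the example, since the claims give neither concrete patterns nor table layouts; a flow table entry is assumed to be a (connection identifier, action) pair, and unclassified flows are assumed to receive a default FORWARD action.

```python
"""Regex protocol detection (S301-S309), protocol table and policy table.

Added illustration, not the patent's code. Rule set, policy table,
flow-table entry format and sample connections are all constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule set RE = {re_1, ..., re_f}: pattern name -> regex over the
# application-layer data. Deliberately simple first-bytes signatures.
RULE_SET: Dict[str, bytes] = {
    "http": rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n",
    "ssh": rb"^SSH-2\.0-",
    "tls": rb"^\x16\x03[\x00-\x03]",  # TLS record: handshake, version 3.x
}
# S307 compiles a rule each time it is taken; compiling once is equivalent and cheaper.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in RULE_SET.items()}

# Constructed policy table: pattern name PA_CT -> action PB_CT (claim 5).
POLICY_TABLE: Dict[str, str] = {"http": "FORWARD", "ssh": "DROP", "tls": "FORWARD"}
DEFAULT_ACTION = "FORWARD"   # assumed action for flows matching no rule

ALLOWED_TRAN = {"TCP", "UDP", "ICMP"}   # S302
MAX_PACKETS = 10                         # S304


def detect_protocol(conn: dict) -> Optional[str]:
    """S301-S309 for one flow connection ct_B.

    Returns None when the connection is discarded (unsupported transport or
    more than 10 packets), the matching pattern name pr_B otherwise, and
    "unknown" when no rule matches any packet.
    """
    if conn["tran"] not in ALLOWED_TRAN:      # S302: only TCP, UDP, ICMP
        return None
    if len(conn["packets"]) > MAX_PACKETS:    # S304: packetnum > 10 is discarded
        return None
    for payload in conn["packets"]:           # S306: application-layer data of op_z
        for name, rx in COMPILED.items():     # S307/S308: try each compiled re_f
            if rx.search(payload):
                return name                   # S309: protocol result
    return "unknown"


def build_protocol_table(connections: List[dict]) -> Dict[Tuple, str]:
    """Protocol table: connection identifier -> protocol result PR (discarded flows omitted)."""
    table: Dict[Tuple, str] = {}
    for conn in connections:
        pr = detect_protocol(conn)
        if pr is not None:
            table[conn["id"]] = pr
    return table


def build_flow_table(protocol_table: Dict[Tuple, str],
                     policy: Dict[str, str] = POLICY_TABLE) -> List[Tuple[Tuple, str]]:
    """Flow table (S4): apply the policy table to each protocol result and place
    the action PB_CT in the entry's instruction field."""
    return [(cid, policy.get(pr, DEFAULT_ACTION)) for cid, pr in protocol_table.items()]


# Constructed flow connections ct_B (five-tuple id, transport, application-layer payloads).
CONSTRUCTED_CONNECTIONS = [
    {"id": ("10.0.0.1", "10.0.0.2", 40001, 80, "TCP"), "tran": "TCP",
     "packets": [b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"]},
    {"id": ("10.0.0.3", "10.0.0.2", 40002, 22, "TCP"), "tran": "TCP",
     "packets": [b"SSH-2.0-OpenSSH_9.6\r\n"]},
    {"id": ("10.0.0.4", "10.0.0.2", 40003, 443, "TCP"), "tran": "TCP",
     "packets": [b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"]},
    {"id": ("10.0.0.5", "10.0.0.6", 0, 0, "GRE"), "tran": "GRE",      # discarded at S302
     "packets": [b"\x00\x00\x08\x00"]},
    {"id": ("10.0.0.7", "10.0.0.2", 40004, 9999, "UDP"), "tran": "UDP",  # discarded at S304
     "packets": [b"\x00" * 16] * 11},
    {"id": ("10.0.0.8", "10.0.0.2", 40005, 1234, "UDP"), "tran": "UDP",  # matches no rule
     "packets": [b"hello"]},
]


if __name__ == "__main__":
    for entry in build_flow_table(build_protocol_table(CONSTRUCTED_CONNECTIONS)):
        print(entry)
```

Two of the six constructed connections never reach the protocol table (the GRE flow fails the S302 transport check, the 11-packet flow exceeds the S304 limit), the HTTP, SSH and TLS flows receive the actions their pattern names map to in the policy table, and the unmatched UDP flow falls back to the default action. The packet limit in S304 also bounds the regex work spent per flow, which matters because regex matching on the controller is the most expensive step of the pipeline.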
6. The SDN controller using DPI on packets to classify network flows according to any one of claims 1 to 4, characterized in that the table format of the flow table is:

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410645536.9A CN104394090B (en) 2014-11-14 2014-11-14 A kind of use DPI carries out the SDN controllers of network flow classification to packet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410645536.9A CN104394090B (en) 2014-11-14 2014-11-14 A kind of use DPI carries out the SDN controllers of network flow classification to packet

Publications (2)

Publication Number Publication Date
CN104394090A true CN104394090A (en) 2015-03-04
CN104394090B CN104394090B (en) 2017-08-25

Family

ID=52611926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410645536.9A Active CN104394090B (en) 2014-11-14 2014-11-14 A kind of use DPI carries out the SDN controllers of network flow classification to packet

Country Status (1)

Country Link
CN (1) CN104394090B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429820A (en) * 2015-11-05 2016-03-23 武汉烽火网络有限责任公司 Deep packet detection system and method based on software defined network
CN105447077A (en) * 2015-11-04 2016-03-30 清华大学 Query word extraction method and system based on OpenFlow
CN105516016A (en) * 2015-11-25 2016-04-20 北京航空航天大学 Flow-based data packet filtering system and data packet filtering method by using Tilera multi-core accelerator card
CN105704058A (en) * 2016-05-03 2016-06-22 南京大学 Access network flow scheduling system and method based on content
CN106330603A (en) * 2016-08-22 2017-01-11 上海国云信息科技有限公司 Connection detection method and system, client side, and DPI equipment
CN106972985A (en) * 2017-03-29 2017-07-21 网宿科技股份有限公司 Accelerate the method and DPI equipment of the processing of DPI device datas and forwarding
CN107544855A (en) * 2017-10-11 2018-01-05 江苏电力信息技术有限公司 A kind of method for quickly being analyzed and processed using multithreading and distributing data
CN109412893A (en) * 2018-10-23 2019-03-01 新华三信息安全技术有限公司 A kind of message back method and device
CN110138678A (en) * 2018-02-08 2019-08-16 华为技术有限公司 Data transfer control method and device and web-transporting device and storage medium
CN117119462A (en) * 2023-10-25 2023-11-24 北京派网科技有限公司 Security audit system and method of 5G mobile communication network based on distributed dip engine heterogeneous diagram architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023800A (en) * 2012-11-29 2013-04-03 北京航空航天大学 Method for scheduling traffic under multi-core network processor by traffic chart mapping scheduling strategy
US8448238B1 (en) * 2013-01-23 2013-05-21 Sideband Networks, Inc. Network security as a service using virtual secure channels
CN103326884A (en) * 2013-05-30 2013-09-25 烽火通信科技股份有限公司 Service flow aware system and method combining flow detection and package detection in SDN
CN103346922A (en) * 2013-07-26 2013-10-09 电子科技大学 Controller for determining network state based on SDN (Software Defined Networking) and determination method thereof
CN103607348A (en) * 2013-11-27 2014-02-26 北京邮电大学 Virtual network flow classifying method based on OpenFlow protocol

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447077A (en) * 2015-11-04 2016-03-30 清华大学 Query word extraction method and system based on OpenFlow
CN105429820A (en) * 2015-11-05 2016-03-23 武汉烽火网络有限责任公司 Deep packet detection system and method based on software defined network
CN105429820B (en) * 2015-11-05 2018-10-09 武汉烽火网络有限责任公司 Deep-packet detection system based on software defined network and method
CN105516016A (en) * 2015-11-25 2016-04-20 北京航空航天大学 Flow-based data packet filtering system and data packet filtering method by using Tilera multi-core accelerator card
CN105516016B (en) * 2015-11-25 2018-05-11 北京航空航天大学 A kind of packet filtering system and packet filtering method based on stream using Tilera multinuclears accelerator card
CN105704058B (en) * 2016-05-03 2019-04-12 南京大学 Access net stream scheduling system and its dispatching method based on content
CN105704058A (en) * 2016-05-03 2016-06-22 南京大学 Access network flow scheduling system and method based on content
CN106330603A (en) * 2016-08-22 2017-01-11 上海国云信息科技有限公司 Connection detection method and system, client side, and DPI equipment
CN106972985A (en) * 2017-03-29 2017-07-21 网宿科技股份有限公司 Accelerate the method and DPI equipment of the processing of DPI device datas and forwarding
CN106972985B (en) * 2017-03-29 2020-09-18 网宿科技股份有限公司 Method for accelerating data processing and forwarding of DPI (deep packet inspection) equipment and DPI equipment
CN107544855A (en) * 2017-10-11 2018-01-05 江苏电力信息技术有限公司 A kind of method for quickly being analyzed and processed using multithreading and distributing data
CN110138678A (en) * 2018-02-08 2019-08-16 华为技术有限公司 Data transfer control method and device and web-transporting device and storage medium
CN109412893A (en) * 2018-10-23 2019-03-01 新华三信息安全技术有限公司 A kind of message back method and device
CN117119462A (en) * 2023-10-25 2023-11-24 北京派网科技有限公司 Security audit system and method of 5G mobile communication network based on distributed dip engine heterogeneous diagram architecture
CN117119462B (en) * 2023-10-25 2024-01-26 北京派网科技有限公司 Security audit system and method of 5G mobile communication network based on distributed DPI engine heterogeneous diagram architecture

Also Published As

Publication number Publication date
CN104394090B (en) 2017-08-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant