CN104394090B - SDN controller that uses DPI to classify packets into network flows - Google Patents

SDN controller that uses DPI to classify packets into network flows

Info

Publication number: CN104394090B
Authority: CN (China)
Prior art keywords: packet, stream, dpi, protocol, flow table
Legal status: Active
Application number: CN201410645536.9A
Other languages: Chinese (zh)
Other versions: CN104394090A
Inventors: 李云春, 付容, 曹凯
Current assignee: Beihang University
Original assignee: Beihang University
Timeline: application filed by Beihang University; priority to CN201410645536.9A; publication of CN104394090A; application granted; publication of CN104394090B; legal status active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an SDN controller that uses DPI (deep packet inspection) to classify packets into network flows. A DPI module that works in a parallel-processing manner is added to an existing SDN controller; the DPI module consists of a message-header removal module, a packet-to-flow conversion module, a packet thread-scheduling module, multiple thread modules and a flow-table construction module, and the flow-table construction module holds a protocol table and a flow table, both stored in tabular form. The controller communicates with the network switches over a modified OpenFlow protocol to obtain packets; it schedules the packets on a per-connection (flow) basis, hands them to processing threads that perform regular-expression matching, and finally issues a flow table to the switches to control the forwarding of subsequent packets. The DPI-based SDN controller of the invention achieves a good DPI deployment under SDN, reduces packet processing time and raises throughput.

Description

SDN controller that uses DPI to classify packets into network flows
Technical field
The present invention relates to an SDN controller, and more particularly to an SDN controller that uses deep packet inspection (DPI) to classify packets quickly. It concerns the implementation of deep packet inspection under an SDN architecture, with optimisations in packet scheduling and flow-table issuance.
Background technology
According to "SDN Core Technology Analysis and Practical Guide" (Lei Baohua et al., Electronic Industry Press, 1st printing, September 2013), the system diagram of SDN core technologies given in Fig. 1-6 on page 15 (reproduced here as Fig. 1) shows that every layer of the SDN architecture contains many core technologies. Their goal is to separate the control plane from the forwarding plane efficiently, to support logically centralised unified control, and to provide flexible development interfaces. The control layer is the core of the whole SDN system, and the southbound and northbound interfaces are named relative to it. The forwarding plane sends a packet (also called a message) to the control plane in a Packet_in message. SDN (Software Defined Networking) is an emerging software-based network architecture and technology; its main characteristics are a loosely coupled control plane and data plane, support for centralised control of network state, and transparency of the underlying network facilities to upper-layer applications. As its name says, SDN has flexible software programmability, so the automatic management and control capability of the network is raised to an unprecedented level, which effectively addresses the limited resource scaling, poor networking flexibility and slow response to business demands that current network systems face.
According to "Network Traffic Classification Methods and Practice" (Wang Lidong and Qian Liping, eds., People's Posts and Telecommunications Press, Beijing, 1st printing, October 2013), page 116, the concept of DPI (Deep Packet Inspection) comes from packet inspection. It is called "deep" because early packet inspection methods mainly examined the IP header and the TCP/UDP header, whereas DPI examines not only the header of a single packet but also part or all of its payload; in general, at least 64 bytes of payload must be inspected for a method to count as deep packet inspection, and the matching technique must support floating keyword matching whose starting point lies at a non-fixed offset within the payload.
DPI can be positioned in SDN in three ways:
(1) Embedded in the application layer: DPI software can be embedded in the network application layer like any other network application, but the bottleneck of deep packet inspection is then likely to be the length of the communication path, because the node must send the packet to the controller, which then delivers it to the application layer. Given the delay, this deployment is best suited to delay-insensitive applications such as statistical analysis.
(2) Embedded in the control layer: DPI software can be embedded in the SDN controller; the classification information can be used for intelligent network deployment and can also be passed to the application layer through the northbound API. The node submits the first non-empty packet to the SDN controller for L4 to L7 analysis. Even so, probably no more than 10% of the traffic needs to travel between the SDN controller and the switch for DPI to work.
(3) Embedded in the data layer: the network node itself can run DPI software; after obtaining the APP ID and metadata it can apply pre-defined policies directly and send them to the SDN controller and the network applications, and on receiving the control information returned by the SDN controller the node performs the corresponding Action (instruction), so that other flows of the same type need no further DPI. This implementation has the lowest delay but the highest cost. Because state-machine-based matching algorithms offer multi-pattern matching, fast processing and full compatibility with regular expressions, they have become the most actively researched matching algorithms; research shows that DPI performance depends on pattern-matching speed.
A network flow is the unidirectional sequence of messages transmitted between a source IP address and a destination IP address within a period of time; all of its messages have the same source port number srcPort, destination port number dstPort, protocol number tran, source IP address srcIP and destination IP address dstIP, i.e. the same five-tuple.
SDN controllers designed so far do not classify network traffic into flows and cannot control network packets accordingly, so they cannot be applied to network services that are based on traffic classification.
The content of the invention
In order to let an SDN controller classify into flows the packets it receives from network devices, the present invention designs an SDN controller that uses a DPI framework to classify packets into flows.
An object of the present invention is to provide a parallel deployment of deep packet inspection at the control level of a software-defined-network architecture that classifies network packets into flows quickly. The DPI-based SDN controller of the present invention adds a DPI module to an existing SDN controller; the DPI module works in a parallel-processing manner: by modifying the OpenFlow protocol, the DPI-based SDN controller communicates with the network switches and obtains packets, connection-based packet scheduling distributes the packets to processing threads that perform regular-expression matching, and a flow table is issued to the switches to control the forwarding of subsequent packets. The DPI-based SDN controller of the present invention achieves a good DPI deployment under SDN, reduces packet processing time and raises throughput.
The present invention designs an SDN controller that uses DPI to classify packets into network flows by adding a DPI module that works in a parallel-processing manner to an existing SDN controller. The DPI module includes a message-header removal module, a packet-to-flow conversion module, a packet thread-scheduling module, multiple thread modules and a flow-table construction module; the flow-table construction module includes a protocol table and a flow table, both stored in tabular form.
The message-header removal module strips the OpenFlow protocol header head from the received OpenFlow protocol packets OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} to obtain the raw packets OP = {op_1, op_2, …, op_Z};
the packet-to-flow conversion module extracts the five-tuple of any received packet op_Z and finds the stream connection ct_B of the flow to which op_Z belongs;
the packet thread-scheduling module uses the thread weight qw_C to assign the stream connection ct_B to a processing thread that matches ct_B;
the thread modules extract the packets op_Z from the received stream connection ct_B, process each packet op_Z with the regular-expression method and output the protocol information PR and the pattern information RE carried by op_Z;
the flow-table construction module includes the protocol table and the flow table. The protocol table is filled with the received protocol information PR and pattern information RE according to the protocol table format, which gives the protocol results; the policy table is then applied to the protocol results to obtain the execution action PB_CT for each pattern name PA_CT, and the execution action PB_CT is finally written into the instruction field of the flow table;
writing the flow table means filling the related entries with the received protocol information PR and pattern information RE according to the flow table format, thereby obtaining the flow table, which is then output to the network device.
Advantages of the present invention:
1. Deploying DPI in the control layer of the SDN architecture means that the traffic classification information can be used for intelligent network deployment and can also be passed to the application layer through the northbound API.
2. By modifying the OpenFlow protocol, DPI can be deployed in the SDN control layer without deploying DPI at every network node, which reduces cost.
3. The parallel, connection-level DPI method balances the load across processing threads; scheduling packets by data flow better matches real traffic characteristics and improves the hit rate of the common rule set.
4. The packet processing module handles many packets in multiple threads and schedules flows according to the locality principle of data flows, so packets are processed faster, the traffic-classification speed of the SDN controller improves and system throughput increases.
Brief description of the drawings
Fig. 1 is the system architecture diagram of a conventional SDN controller.
Fig. 2 is the structural block diagram of the DPI module in the DPI-based SDN controller of the present invention.
Fig. 3 is the flow chart of the DPI module of the present invention.
Fig. 4 is the flow chart of packet-to-flow conversion and packet thread scheduling in the present invention.
Fig. 5 is the flow chart of flow-table construction in the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and examples.
Referring to Fig. 1, the present invention is an SDN controller that uses DPI to classify packets into network flows. The DPI-based SDN controller adds a DPI module to an existing SDN controller; the DPI module works in a parallel-processing manner: by modifying the OpenFlow protocol, the DPI-based SDN controller communicates with the network switches and obtains packets, connection-based packet scheduling delivers the packets to processing threads that perform regular-expression matching, and a flow table is issued to the switches to control the forwarding of subsequent packets.
Referring to Fig. 2, in the present invention the DPI module includes a message-header removal module, a packet-to-flow conversion module, a packet thread-scheduling module, multiple thread modules (a first thread module, a second thread module, …, a C-th thread module) and a flow-table construction module; the flow-table construction module includes a protocol table and a flow table, both stored in tabular form. The first thread module, the second thread module and the C-th thread module have the same structure.
For a better understanding of the present invention and its advantages, the present invention is described in further detail below with reference to the drawings and a specific example.
(1) Message-header removal module
The message-header removal module strips the OpenFlow protocol header head from the received OpenFlow protocol packets OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} to obtain the raw packets OP = {op_1, op_2, …, op_Z}.
op_1 denotes the first packet with the OpenFlow protocol header removed;
op_2 denotes the second packet with the OpenFlow protocol header removed;
op_Z denotes the last packet with the OpenFlow protocol header removed; for generality, op_Z also denotes any packet, Z being the identification number of the packet.
In the present invention, any packet op_Z contains the five-tuple of source port number srcPort, destination port number dstPort, protocol number tran, source IP address srcIP and destination IP address dstIP: op_Z = {srcPort, dstPort, tran, srcIP, dstIP}.
(2) Packet-to-flow conversion module
The packet-to-flow conversion module extracts the five-tuple of any received packet op_Z and finds the stream connection ct_B of the flow to which op_Z belongs.
In the present invention there are multiple stream connections in the SDN controller, expressed as the set CT = {ct_1, ct_2, …, ct_B}: ct_1 is the first stream connection in the SDN controller, ct_2 the second and ct_B the last; for generality, ct_B also denotes any stream connection, B being the identification number of the stream connection. Any stream connection ct_B contains the stream connection identifier ID, the packet count packetnum, the stream connection length flen, the source IP address srcIP, the destination IP address dstIP, the source port number srcPort, the destination port number dstPort and the protocol number tran, expressed as the set ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran}.
In the present invention, multiple raw packets OP = {op_1, op_2, …, op_Z} in the SDN controller may correspond to the same stream connection ct_B, and a single packet op_Z may also correspond to one stream connection ct_B.
In the present invention each stream connection ct_B has a stream connection length flen_B; the stream connection lengths are expressed as the set FLEN = {flen_1, flen_2, …, flen_B}, where flen_1 is the length of ct_1, flen_2 the length of ct_2 and flen_B the length of ct_B.
(3) Packet thread-scheduling module
The packet thread-scheduling module uses the thread weight qw_C to assign any stream connection ct_B to a processing thread that matches ct_B.
In the present invention the thread weight qw_C is given by a formula in which LEN_min is the minimum of the task queue lengths LEN = {len_1, len_2, …, len_C} and g(B, C) is a fixed hash function defined with the constants a = 1103515245 and b = 12345.
In the present invention the SDN controller contains multiple threads MT = {mt_1, mt_2, …, mt_C}; each thread mt_C has a task queue qe_C, each task queue qe_C has a task queue length len_C, and each thread mt_C in the SDN controller has a thread weight qw_C.
The threads are expressed as the set MT = {mt_1, mt_2, …, mt_C}: mt_1 is the first processing thread, mt_2 the second and mt_C the last; for convenience of explanation, mt_C also denotes any processing thread, C being the identification number of the processing thread.
The task queues are expressed as the set QE = {qe_1, qe_2, …, qe_C}: qe_1 is the task queue of mt_1, qe_2 that of mt_2 and qe_C that of mt_C.
The task queue lengths are expressed as the set LEN = {len_1, len_2, …, len_C}: len_1 is the length of qe_1, len_2 that of qe_2 and len_C that of qe_C.
The thread weights are expressed as the set QW = {qw_1, qw_2, …, qw_C}: qw_1 is the thread weight of mt_1, qw_2 that of mt_2 and qw_C that of mt_C.
(4) Thread modules
A thread module, first, receives a stream connection ct_B;
second, extracts the packets op_Z from the stream connection ct_B;
third, processes each packet op_Z with the regular-expression method and outputs the protocol information PR and the pattern information RE carried by op_Z.
In the present invention, the regular-expression method refers to "Network Traffic Classification Methods and Practice" (Wang Lidong and Qian Liping, eds., 1st edition, October 2013), pages 125-132.
In the present invention, the protocol information corresponding to all stream connections CT = {ct_1, ct_2, …, ct_B} is denoted PR = {pr_1, pr_2, …, pr_B}: pr_1 is the protocol information of ct_1, pr_2 that of ct_2 and pr_B that of ct_B.
In the present invention, the pattern information corresponding to all stream connections CT = {ct_1, ct_2, …, ct_B} is denoted RE = {re_1, re_2, …, re_F}: re_1 is the first pattern, re_2 the second and re_F the last; for convenience of explanation, re_F also denotes any pattern, F being the identification number of the pattern.
(5) Flow-table construction module
In the present invention the flow-table construction module includes a protocol table and a flow table. The protocol table is filled with the received protocol information PR and pattern information RE according to the protocol table format, which gives the protocol results; the policy table is then applied to the protocol results to obtain the execution action PB_CT for each pattern name PA_CT, and the execution action PB_CT is finally written into the instruction field of the flow table.
In the present invention, writing the flow table means filling the related entries with the received protocol information PR and pattern information RE according to the flow table format, thereby obtaining the flow table, which is then output to the network device.
(1) Protocol results
Columns: identification number ID_CT | pattern name PA_CT
In the present invention the protocol results indicate which flow belongs to which pattern name (see the overview of L7-Filter patterns in "Network Traffic Classification Methods and Practice", Wang Lidong and Qian Liping, eds., 1st edition, October 2013, pages 126-132).
(2) Policy table
Columns: pattern name PA_CT | execution action PB_CT
In the present invention the policy table defines, for each pattern name PA_CT, how the corresponding flow is handled (whether it is forwarded or dropped), i.e. the execution action PB_CT.
(3) Flow table format:
The flow table body used in the present invention follows "SDN Core Technology Analysis and Practical Guide", page 42, where the "Cookie" field is explained as data stored on the user's local terminal. The difference is that a "mark" field is added: "mark" indicates whether a flow entering the switch is sent to the controller, i.e. it is a flag specifying whether or not to transmit.
The SDN controller proposed by the present invention, which uses DPI to classify packets into network flows, receives OpenFlow packets delivered by multiple switches (i.e. network devices): a switch encapsulates any packet that has no matching flow-table entry as the data of an OpenFlow protocol packet; the controller removes the OpenFlow protocol header, obtains the raw packet and pre-processes it; the five-tuple information is used to encapsulate packets into flows and establish stream connections; if the current stream connection is new, space is allocated for it and it is added to the connection queue CT, and the packet scheduler is called to assign it to the processing thread MT selected by the system, after which it enters the processing queue of MT. The flow-table construction collects the results of all MT; each stream connection obtains its associated policy from the policy table according to the pattern name produced by its processing, the corresponding instruction field in the flow table is modified with an action such as drop or forward, and the flow table is issued to all switches.
In the present invention, DPI technology is significant under the SDN architecture, mainly in the following aspects:
(1) The combination of SDN and DPI enables centralised policy and security control. Improved DPI can provide the SDN controller with detailed data on network state and traffic, so SDN can treat the network as a single resource rather than a series of individual devices (switches, security appliances and other layer 4-7 elements). DPI can provide information to all related functions (controller, policy, security, etc.), instead of each device holding its own exclusive DPI as today.
(2) Combining DPI and SDN improves network security. DPI lets IT administrators and security officers formulate policies against malware and other threats and enforce them at all levels, including the application layer and the user layer. The combination of DPI and SDN spreads network security across the whole network rather than only to specific endpoints such as firewalls.
(3) Combining DPI and SDN lets big data be applied to network management. DPI plays an important role in providing key information on network health and performance. DPI combined with SDN will lead current network trends towards automated networks that are easier to manage, more secure and cheaper to operate.
Embodiment 1
An embodiment of the present invention is given below to illustrate the packet scheduling process of the present invention (see Figs. 3, 4 and 5); the specific packet scheduling steps are as follows:
Step S1: a switch supporting the OpenFlow protocol receives data sent by devices in the network, encapsulates it into OpenFlow protocol packets denoted OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)}, and sends OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} to the improved controller of the invention, i.e. the DPI-based SDN controller;
Step S2: in the DPI-based SDN controller, the header of each protocol packet in OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} is removed, giving OP = {op_1, op_2, …, op_Z};
according to the five-tuple information of any packet op_Z, the connections to which packets with identical five-tuples belong are obtained and denoted CT = {ct_1, ct_2, …, ct_B}, with B ≤ Z, where ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran};
ID is the connection identifier number;
packetnum is the number of packets;
flen is the length of the connection;
srcIP is the source IP address;
dstIP is the destination IP address;
srcPort is the source port number;
dstPort is the destination port number;
tran is the transport layer protocol.
The flows CT are distributed according to ID to the processing threads MT = {mt_1, mt_2, …, mt_C} of the packet processing module; a connection CT enters the MT operation queue, and the lengths LEN = {len_1, len_2, …, len_C} of the corresponding task queues QE = {qe_1, qe_2, …, qe_C} are computed.
The specific steps of the packet-to-flow conversion module and the packet thread-scheduling module in step S2, shown in Fig. 4, are as follows:
S201: after the raw packet op_Z is obtained from step S1, the five-tuple srcPort, dstPort, tran, srcIP, dstIP is extracted from the header of op_Z; the five-tuple comprises the source IP address, source port, destination IP address, destination port and transport layer protocol; the stream connection ct_B corresponding to the five-tuple of op_Z is then located;
S202: check whether the stream connection table CT contains an entry ct_B for the stream connection identifier generated in step S201; if the stream connection entry ct_B exists, go to step S203; if the stream connection table contains no entry for that identifier, go to step S204;
S203: add the packet information under the corresponding stream connection entry ct_B in the stream connection table; when the packet information has been stored, go to step S205;
S204: create an entry for the connection identifier in the stream connection table and save the stream connection information, then go to step S205;
S205: obtain the task queue lengths LEN of all current processing threads MT; for each mt_C obtain the minimum task queue length LEN_min, the task queue length len_C of the current mt_C and the data length flen_B of the connection ct_B, then go to step S206;
S206: compute the weight qw_C of the current mt_C according to the thread weight formula, select the thread mt_C with the largest weight, and go to step S207;
S207: add the connection ct_B to the task queue qe_C of the thread mt_C with the largest weight, then go to step S3;
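As an added illustration (not the patent's code) of steps S201-S207 and of the scheduling module described under (3) above, the following Python builds the stream connection table CT from raw packets and assigns each new connection to a processing thread. The page does not carry the patent's weight formula for qw_C or the body of g(B, C), so both are assumed stand-ins built only from the inputs the page names (LEN_min, len_C, flen_B and the constants a and b); the sample packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

A_CONST, B_CONST = 1103515245, 12345   # constants a and b quoted on the page

FiveTuple = Tuple[str, int, str, int, str]   # (srcIP, srcPort, dstIP, dstPort, tran)


@dataclass
class FlowConnection:
    """Stream connection ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran}."""
    ID: int
    srcIP: str
    srcPort: int
    dstIP: str
    dstPort: int
    tran: str
    packetnum: int = 0
    flen: int = 0                                  # bytes attributed to the connection
    payloads: List[bytes] = field(default_factory=list)


class FlowConnectionTable:
    """Packet-to-flow conversion module: table CT keyed by five-tuple (S201-S204)."""

    def __init__(self) -> None:
        self.entries: Dict[FiveTuple, FlowConnection] = {}

    def add_packet(self, op: dict) -> FlowConnection:
        # S201: pick the five-tuple out of the raw packet op_Z
        key: FiveTuple = (op["srcIP"], op["srcPort"], op["dstIP"], op["dstPort"], op["tran"])
        ct = self.entries.get(key)                 # S202: is the entry already present?
        if ct is None:                             # S204: create the entry
            ct = FlowConnection(len(self.entries) + 1, *key)
            self.entries[key] = ct
        ct.packetnum += 1                          # S203: store the packet under ct_B
        ct.flen += len(op["payload"])
        ct.payloads.append(op["payload"])
        return ct


def g(B: int, C: int) -> int:
    """Assumed LCG-style hash g(B, C) = (a*B + b) mod C; the page names g but not its body."""
    return (A_CONST * B + B_CONST) % C


class ThreadScheduler:
    """Packet thread-scheduling module: C threads, each with a task queue qe_C (S205-S207)."""

    def __init__(self, num_threads: int) -> None:
        self.queues: List[List[FlowConnection]] = [[] for _ in range(num_threads)]

    def queue_length(self, c: int) -> int:
        # len_C: assumed to be the total connection length currently queued on thread c
        return sum(ct.flen for ct in self.queues[c])

    def weight(self, c: int, ct: FlowConnection) -> Tuple[float, int]:
        # S205: LEN_min, len_C and flen_B are the inputs the page names for qw_C.
        # The patent's own formula is not on the page; this stand-in favours the
        # shortest queue relative to LEN_min and lets g(B, C) break ties.
        len_min = min(self.queue_length(i) for i in range(len(self.queues)))
        len_c = self.queue_length(c)
        return (len_min + 1) / (len_c + ct.flen + 1), int(g(ct.ID, len(self.queues)) == c)

    def schedule(self, ct: FlowConnection) -> int:
        # S206: pick the thread with the largest weight; S207: enqueue ct_B there
        best = max(range(len(self.queues)), key=lambda c: self.weight(c, ct))
        self.queues[best].append(ct)
        return best


def dispatch(packets: List[dict], num_threads: int) -> Tuple[FlowConnectionTable, Dict[int, int]]:
    """Runs S201-S207 over raw packets OP; returns CT and the map connection ID -> thread index."""
    table, sched, assigned = FlowConnectionTable(), ThreadScheduler(num_threads), {}
    for op in packets:
        ct = table.add_packet(op)
        if ct.ID not in assigned:                  # a connection is scheduled once, when new
            assigned[ct.ID] = sched.schedule(ct)
    return table, assigned


# Constructed sample: two packets of one TCP flow and one UDP packet (not captured traffic).
SAMPLE_OP = [
    {"srcIP": "192.0.2.10", "srcPort": 40001, "dstIP": "198.51.100.5", "dstPort": 80,
     "tran": "TCP", "payload": b"GET / HTTP/1.1"},
    {"srcIP": "192.0.2.11", "srcPort": 5353, "dstIP": "198.51.100.53", "dstPort": 53,
     "tran": "UDP", "payload": b"\x00" * 20},
    {"srcIP": "192.0.2.10", "srcPort": 40001, "dstIP": "198.51.100.5", "dstPort": 80,
     "tran": "TCP", "payload": b"GET / HTTP/1.1"},
]

if __name__ == "__main__":
    ct_table, placement = dispatch(SAMPLE_OP, num_threads=2)
    for ct in ct_table.entries.values():
        print(ct.ID, ct.tran, ct.packetnum, ct.flen, "-> thread", placement[ct.ID])
```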
Step S3: a processing thread MT takes a connection ct_B from its operation queue together with all packets OP = {op_1, op_2, …, op_Z} in that connection, and performs protocol detection by regular-expression matching of the application-layer data of each packet op_Z against the system rule set RE = {re_1, re_2, …, re_F}, obtaining the pattern name corresponding to the connection CT. The protocol result PR to which the connection belongs is delivered to the flow-table issuance module.
The specific protocol detection steps of the packet processing module in step S3, shown in Fig. 5, are as follows:
S301: a processing thread mt_C takes the connection ct_B from its task queue and obtains all packets OP = {op_1, op_2, …, op_Z} in it, then performs step S302;
S302: check whether the transport layer protocol field tran of ct_B is TCP, UDP or ICMP; if it is none of the three, discard the stream connection; if it is one of them, go to step S304;
S304: check whether the packet count packetnum of ct_B is greater than 10; if packetnum > 10, discard the stream connection; if packetnum ≤ 10, go to step S306;
S306: obtain the application-layer data of packet op_Z and go to step S307;
S307: take one rule re_F from the rule set RE, compile it, and go to step S308;
S308: perform regular-expression matching of the compiled re_F against the application-layer data of op_Z; if they do not match, go to step S307; if they match, go to step S309;
S309: return the protocol result to the flow-table issuance module in the form of the result set PR = {pr_1, pr_2, …, pr_B}, and proceed with flow-table processing.
Step S4: the flow-table issuance module receives the protocol detection results PR of all processing threads MT, obtains the execution action PB_CT of the current flow from the protocol results PR and the preset policy table, writes the execution action PB_CT into the instruction field of the flow table, writes 1 into the mark field of the flow table, and issues the flow table to all switches.
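As an added example (not the patent's code) of the protocol detection steps S301-S309 and of the flow-table construction in step S4, the following Python runs a constructed L7-Filter-style rule set RE and a constructed policy table over constructed stream connections; the flow-table entry layout (cookie, match, instructions, mark) is an assumed simplification of the table the page describes, and the "unknown" result for connections that match no rule is an assumption, since the page does not say how that case is handled.

```python
import re
from typing import List, Optional

TRANSPORTS = {"TCP", "UDP", "ICMP"}     # S302: any other transport is discarded
MAX_PACKETNUM = 10                      # S304: connections with packetnum > 10 are discarded

# Rule set RE = {re_1, ..., re_F}: (pattern name PA, regex over application-layer data).
# Constructed, L7-Filter-style patterns; the page cites L7-Filter but reproduces none.
RULE_SET = [
    ("http", rb"^(get|post|head|put|delete|options)\s\S+\shttp/1\.[01]"),
    ("ssh", rb"^ssh-[12]\.[0-9]"),
    ("bittorrent", rb"^\x13bittorrent protocol"),
]

# Policy table: pattern name PA_CT -> execution action PB_CT (constructed policy).
POLICY_TABLE = {"http": "forward", "ssh": "forward", "bittorrent": "drop", "unknown": "forward"}


def detect_protocol(ct: dict) -> Optional[str]:
    """S301-S309 for one stream connection ct_B.

    Returns the pattern name pr_B, "unknown" when no rule matches (assumed handling),
    or None when S302/S304 discard the connection."""
    if ct["tran"] not in TRANSPORTS:                       # S302
        return None
    if ct["packetnum"] > MAX_PACKETNUM:                    # S304
        return None
    for name, pattern in RULE_SET:                         # S307: take one rule re_F ...
        rule = re.compile(pattern, re.IGNORECASE)          # ... and compile it
        for app_data in ct["payloads"]:                    # S306: application-layer data of op_Z
            if rule.search(app_data):                      # S308: a match leads to S309
                return name
    return "unknown"


def build_flow_table(connections: List[dict]) -> List[dict]:
    """S4: protocol results PR + policy table -> flow-table entries with the mark field set to 1."""
    flow_table = []
    for ct in connections:
        pa = detect_protocol(ct)
        if pa is None:
            continue                                       # discarded connections get no entry
        pb = POLICY_TABLE.get(pa, POLICY_TABLE["unknown"]) # PA_CT -> PB_CT
        flow_table.append({
            "cookie": ct["ID"],
            "match": {k: ct[k] for k in ("srcIP", "srcPort", "dstIP", "dstPort", "tran")},
            "instructions": pb,                            # execution action in the instruction field
            "mark": 1,                                     # S4: 1 written into the added mark field
            "protocol": pa,
        })
    return flow_table


def make_ct(ID, srcIP, srcPort, dstIP, dstPort, tran, payloads):
    """Constructed stream connection in the shape ct_B = {ID, packetnum, flen, five-tuple}."""
    return {"ID": ID, "srcIP": srcIP, "srcPort": srcPort, "dstIP": dstIP, "dstPort": dstPort,
            "tran": tran, "packetnum": len(payloads), "flen": sum(map(len, payloads)),
            "payloads": list(payloads)}


# Constructed sample connections (not captured traffic).
SAMPLE_CT = [
    make_ct(1, "192.0.2.10", 40001, "198.51.100.5", 80, "TCP",
            [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]),
    make_ct(2, "192.0.2.10", 40002, "198.51.100.22", 22, "TCP", [b"SSH-2.0-OpenSSH_8.9\r\n"]),
    make_ct(3, "192.0.2.12", 6881, "198.51.100.7", 6881, "TCP",
            [b"\x13BitTorrent protocol" + b"\x00" * 8]),
    make_ct(4, "192.0.2.10", 40003, "198.51.100.9", 9999, "UDP", [b"\x00" * 16]),
    make_ct(5, "192.0.2.10", 40004, "198.51.100.5", 443, "TCP", [b"\x16\x03\x01"] * 12),
    make_ct(6, "192.0.2.10", 0, "198.51.100.9", 0, "GRE", [b"\x00" * 4]),
]

if __name__ == "__main__":
    for entry in build_flow_table(SAMPLE_CT):
        print(entry["cookie"], entry["protocol"], entry["instructions"], entry["mark"])
```

Connection 5 (12 packets) and connection 6 (GRE) are dropped by S304 and S302 respectively and receive no flow-table entry.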

Claims (4)

1. An SDN controller that uses DPI to classify packets into network flows, in which a DPI module that works in a parallel-processing manner is added to an existing SDN controller, characterised in that: the DPI module includes a message-header removal module, a packet-to-flow conversion module, a packet thread-scheduling module, multiple thread modules and a flow-table construction module; the flow-table construction module includes a protocol table and a flow table, both stored in tabular form;
the message-header removal module strips the OpenFlow protocol header head from the received OpenFlow protocol packets OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} to obtain the raw packets OP = {op_1, op_2, …, op_Z};
op_1 denotes the first packet with the OpenFlow protocol header removed;
op_2 denotes the second packet with the OpenFlow protocol header removed;
op_Z denotes the last packet with the OpenFlow protocol header removed; op_Z also denotes any packet, Z being the identification number of the packet;
the packet-to-flow conversion module extracts the five-tuple of any received packet op_Z and finds the stream connection ct_B of the flow to which op_Z belongs;
the packet thread-scheduling module uses the thread weight qw_C to assign the stream connection ct_B to a processing thread that matches ct_B;
where LEN_min is the minimum of the task queue lengths LEN = {len_1, len_2, …, len_C}, g(B, C) is a fixed hash function defined with the constants a = 1103515245 and b = 12345, and in the stream connection lengths FLEN = {flen_1, flen_2, …, flen_B}, flen_1 is the length of ct_1, flen_2 the length of ct_2 and flen_B the length of ct_B;
the thread modules extract the packets op_Z from the received stream connection ct_B, process each packet op_Z with the regular-expression method and output the protocol information PR and the pattern information RE carried by op_Z;
the flow-table construction module includes the protocol table and the flow table; the protocol table is filled with the received protocol information PR and pattern information RE according to the protocol table format, which gives the protocol results; the policy table is then applied to the protocol results to obtain the execution action PB_CT for each pattern name PA_CT, and the execution action PB_CT is finally written into the instruction field of the flow table;
writing the flow table means filling the related entries with the received protocol information PR and pattern information RE according to the flow table format, thereby obtaining the flow table, which is then output to the network device.
2. The SDN controller using DPI to classify the network flows of packets according to claim 1, characterised in that the DPI-based SDN controller schedules packets in four steps;
Step S1: a switch supporting the OpenFlow protocol receives the packets sent by devices in the network, encapsulates them as OpenFlow protocol packets denoted OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)}, and sends OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} to the DPI-based SDN controller;
Step S2: in the DPI-based SDN controller, the header of each protocol packet in OFPAK = {(head, op_1), (head, op_2), …, (head, op_Z)} is removed, performing the header-removal processing and obtaining OP = {op_1, op_2, …, op_Z};
op_1 denotes the first packet with the OpenFlow protocol header removed;
op_2 denotes the second packet with the OpenFlow protocol header removed;
op_Z denotes the last packet with the OpenFlow protocol header removed; op_Z also stands for any one packet, and Z denotes the identification number of a packet;
Step S3: in the DPI-based SDN controller, any processing thread can take a flow connection ct_B from its task queue and, for all packets OP = {op_1, op_2, …, op_Z} in that connection, perform protocol detection by regular-expression matching of the application-layer data of packet op_Z against the system rule set RE = {re_1, re_2, …, re_F}; this yields the pattern names corresponding to all entries of the flow connection table CT, and the protocol information PR of the flow connection table is delivered to the protocol table; re_1 denotes the first pattern information, re_2 the second pattern information, and re_F the last pattern information; re_F also stands for any one pattern information, and F denotes the identification number of a pattern information;
Step S4: the protocol table, according to the protocol information PR received from all processing threads and the policy table that the system has set for the protocol information PR, obtains the execution action PB_CT of the current flow, inserts the execution action PB_CT into the instruction field of the flow table, completes writing the flow table, and thereby obtains the flow table to be issued to the network device;
The specific steps of the packet-to-flow conversion module and the packet thread scheduling module in step S2 are as follows:
Step S201: after obtaining the raw packet op_Z from step S1, extract the five-tuple information of the header of packet op_Z: srcPort, dstPort, tran, srcIP, dstIP; the five-tuple comprises the source IP address, source port, destination IP address, destination port and transport-layer protocol; then find, according to the five-tuple information, the flow connection ct_B corresponding to the packet op_Z;
Step S202: judge whether the flow connection ct_B generated in step S201 exists in the flow connection table CT; if the flow connection ct_B exists, go to step S203; if the flow connection does not exist in the flow connection table, go to step S204;
Step S203: add the packet information under the corresponding flow connection ct_B in the flow connection table, completing the storage of the packet information, and go to step S205;
Step S204: create the flow connection in the flow connection table, save the information of the flow connection, and go to step S205;
Step S205: obtain the task queue lengths LEN of all current processing threads MT; for each thread mt_C, obtain the minimum task length LEN_min, the task queue length len_C of the current mt_C, and the packet length information flen_B of the flow connection ct_B; go to step S206;
Step S206: compute the weight qw_C of the current mt_C according to the thread weight, select the thread mt_C with the maximum weight, and go to step S207; where LEN_min is the minimum value among the task queue lengths LEN = {len_1, len_2, …, len_C}, g(B, C) is a fixed hash function whose constants are a = 1103515245 and b = 12345; among the flow connection lengths FLEN = {flen_1, flen_2, …, flen_B}, flen_1 denotes the length of ct_1, flen_2 denotes the length of ct_2, and flen_B denotes the length of ct_B;
Step S207: add the flow connection ct_B to the task queue qe_C of the thread mt_C with the maximum weight, and go to step S3;
The specific protocol detection steps of the packet processing module in step S3 are as follows:
Step S301: the processing thread mt_C obtains the flow connection ct_B in its task queue and obtains all packets OP = {op_1, op_2, …, op_Z} in it; go to step S302;
Step S302: judge whether the transport-layer protocol field tran of the flow connection ct_B belongs to TCP, UDP or ICMP; if it is none of the three, discard the flow connection; if it belongs to one of them, go to step S304;
Step S304: judge whether the packet count packetnum of the flow connection ct_B is greater than 10; if packetnum > 10, discard the flow connection; if packetnum ≤ 10, go to step S306;
Step S306: obtain the application-layer data of packet op_Z and go to step S307;
Step S307: take a rule re_F from the rule set RE, compile it, and go to step S308;
Step S308: perform regular-expression matching of the compiled re_F against the application-layer data of op_Z; if the result is no match, return to step S307; if it matches, go to step S309;
Step S309: return the protocol information PR = {pr_1, pr_2, …, pr_B} to the flow table construction module and carry out the flow table processing; pr_1 denotes the protocol information of ct_1, pr_2 denotes the protocol information of ct_2, and pr_B denotes the protocol information of ct_B.
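The following is an added worked example of the packet-to-flow conversion (steps S201 to S204), the protocol detection filter and regular-expression matching (steps S301 to S309), and the policy-table lookup that writes the flow entry (step S4 together with claims 3 and 4). It is example code written for this page, not code from the patent or from any SDN controller. The three rules in the rule set, the policy table, the priority and timeout values, and the packet samples are all constructed for the example; the patent's own rule set and policy values are not on the page. The thread scheduling of steps S205 to S207 is left out because the weight formula is not reproduced on the page.

```python
import re
import zlib
from dataclasses import dataclass, field
from typing import Optional

# Rule set RE = {re_1, ..., re_F}: pattern name -> compiled regex over application-layer data.
# Constructed for this example. Rules are compiled once (rather than per packet as in step S307),
# anchored at the start and bounded, so matching cost stays linear in the payload length.
RULE_SET = {
    "HTTP": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S{1,2048} HTTP/1\.[01]\r\n"),
    "SSH": re.compile(rb"^SSH-2\.0-"),
    "TLS": re.compile(rb"^\x16\x03[\x00-\x03]"),  # TLS record header of a ClientHello
}

# Policy table (claim 3): pattern name PA_CT -> execution action PB_CT. Constructed sample policy.
POLICY_TABLE = {"HTTP": "forward", "TLS": "forward", "SSH": "drop"}
DEFAULT_ACTION = "forward"  # assumption: flows matching no rule are forwarded unchanged

INSPECTED_TRANSPORTS = {"TCP", "UDP", "ICMP"}  # step S302
MAX_INSPECTED_PACKETS = 10  # step S304: a flow with packetnum > 10 is no longer inspected
MAX_PAYLOAD = 4096  # assumption: bound the number of bytes handed to the regex engine


@dataclass
class Packet:
    """A raw packet op_Z after the OpenFlow header has been stripped (step S2)."""
    srcIP: str
    srcPort: int
    dstIP: str
    dstPort: int
    tran: str        # transport-layer protocol field
    payload: bytes   # application-layer data


@dataclass
class FlowConnection:
    """One entry ct_B of the flow connection table CT, keyed by the five-tuple."""
    five_tuple: tuple
    packets: list = field(default_factory=list)

    @property
    def packetnum(self) -> int:
        return len(self.packets)


def packet_to_flow(ct_table: dict, pkt: Packet) -> FlowConnection:
    """Steps S201-S204: map a packet to its flow connection, creating it when absent."""
    key = (pkt.srcIP, pkt.srcPort, pkt.dstIP, pkt.dstPort, pkt.tran)  # S201: five-tuple
    ct = ct_table.get(key)                                           # S202: lookup in CT
    if ct is None:
        ct = ct_table[key] = FlowConnection(key)                     # S204: new connection
    ct.packets.append(pkt)                                           # S203: store packet
    return ct


def detect_protocol(ct: FlowConnection) -> Optional[str]:
    """Steps S301-S309: return the pattern name of ct_B, or None when the flow is not
    inspected (unsupported transport, too many packets) or matches no rule."""
    if ct.five_tuple[4] not in INSPECTED_TRANSPORTS:   # S302
        return None
    if ct.packetnum > MAX_INSPECTED_PACKETS:           # S304
        return None
    for pkt in ct.packets:                             # S306: application-layer data
        data = pkt.payload[:MAX_PAYLOAD]
        for name, rule in RULE_SET.items():            # S307-S308: try each rule
            if rule.search(data):
                return name                            # S309: protocol information
    return None


def build_flow_entry(ct: FlowConnection, protocol: Optional[str]) -> dict:
    """Step S4 with claims 3 and 4: look up the execution action PB_CT in the policy table
    and write a flow entry carrying the fields named in claim 4."""
    src, sport, dst, dport, tran = ct.five_tuple
    action = POLICY_TABLE.get(protocol, DEFAULT_ACTION)
    return {
        "match": {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport, "proto": tran},
        "priority": 100 if protocol else 10,           # assumption: classified flows win
        "counters": {"packets": ct.packetnum},
        "instructions": ["OUTPUT:NORMAL"] if action == "forward" else [],  # empty set = drop
        "timeouts": {"idle": 30, "hard": 300},         # assumption: sample timer values
        "cookie": zlib.crc32(repr(ct.five_tuple).encode()),
        "flags": set(),
        "protocol": protocol or "UNKNOWN",
        "action": action,
    }


def classify(packets: list) -> dict:
    """Run the whole pipeline over a packet list; returns five-tuple -> flow entry."""
    ct_table: dict = {}
    for pkt in packets:
        packet_to_flow(ct_table, pkt)
    return {key: build_flow_entry(ct, detect_protocol(ct)) for key, ct in ct_table.items()}


# Constructed sample traffic: one flow per classification outcome.
SAMPLE_PACKETS = [
    Packet("10.0.0.1", 40001, "10.0.0.2", 80, "TCP", b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("10.0.0.3", 40002, "10.0.0.4", 22, "TCP", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet("10.0.0.5", 40003, "10.0.0.6", 443, "TCP", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Packet("10.0.0.7", 0, "10.0.0.8", 0, "GRE", b"\x00\x00\x08\x00"),   # skipped by S302
] + [Packet("10.0.0.9", 40004, "10.0.0.10", 8080, "TCP", b"GET / HTTP/1.1\r\n" if i == 0 else b"\x00")
     for i in range(11)]                                                 # 11 packets: skipped by S304

if __name__ == "__main__":
    for key, entry in classify(SAMPLE_PACKETS).items():
        print(key, entry["protocol"], entry["action"], entry["instructions"])
```

The last sample flow carries an HTTP request in its first packet but has eleven packets, so under step S304 it is never inspected and falls through to the default action with the low priority; when the policy table is used for blocking, this is the case an operator should account for (for example by classifying on the first packets as they arrive rather than after the flow has accumulated). A drop is expressed, as in OpenFlow, by an entry with an empty instruction set.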
3. The SDN controller using DPI to classify the network flows of packets according to any one of claims 1 to 2, characterised in that the policy table in the flow table construction module defines the handling of the flow corresponding to the pattern name PA_CT, namely whether it is forwarded or discarded, which is the execution action PB_CT.
4. The SDN controller using DPI to classify the network flows of packets according to any one of claims 1 to 2, characterised in that the flow table is made up of match fields, priority, counters, instructions, timeouts, cookie and flags.
CN201410645536.9A 2014-11-14 2014-11-14 A kind of use DPI carries out the SDN controllers of network flow classification to packet Active CN104394090B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410645536.9A CN104394090B (en) 2014-11-14 2014-11-14 A kind of use DPI carries out the SDN controllers of network flow classification to packet

Publications (2)

Publication Number Publication Date
CN104394090A CN104394090A (en) 2015-03-04
CN104394090B true CN104394090B (en) 2017-08-25

Family

ID=52611926

Country Status (1)

Country Link
CN (1) CN104394090B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447077B (en) * 2015-11-04 2019-01-29 清华大学 Query word abstracting method and system based on OpenFlow
CN105429820B (en) * 2015-11-05 2018-10-09 武汉烽火网络有限责任公司 Deep-packet detection system based on software defined network and method
CN105516016B (en) * 2015-11-25 2018-05-11 北京航空航天大学 A kind of packet filtering system and packet filtering method based on stream using Tilera multinuclears accelerator card
CN105704058B (en) * 2016-05-03 2019-04-12 南京大学 Access net stream scheduling system and its dispatching method based on content
CN106330603A (en) * 2016-08-22 2017-01-11 上海国云信息科技有限公司 Connection detection method and system, client side, and DPI equipment
CN106972985B (en) * 2017-03-29 2020-09-18 网宿科技股份有限公司 Method for accelerating data processing and forwarding of DPI (deep packet inspection) equipment and DPI equipment
CN107544855A (en) * 2017-10-11 2018-01-05 江苏电力信息技术有限公司 A kind of method for quickly being analyzed and processed using multithreading and distributing data
CN110138678B (en) * 2018-02-08 2023-02-24 华为技术有限公司 Data transmission control method and device, network transmission equipment and storage medium
CN109412893B (en) * 2018-10-23 2020-06-19 新华三信息安全技术有限公司 Message playback method and device
CN117119462B (en) * 2023-10-25 2024-01-26 北京派网科技有限公司 Security audit system and method of 5G mobile communication network based on distributed DPI engine heterogeneous diagram architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023800A (en) * 2012-11-29 2013-04-03 北京航空航天大学 Method for scheduling traffic under multi-core network processor by traffic chart mapping scheduling strategy
US8448238B1 (en) * 2013-01-23 2013-05-21 Sideband Networks, Inc. Network security as a service using virtual secure channels
CN103326884A (en) * 2013-05-30 2013-09-25 烽火通信科技股份有限公司 Service flow aware system and method combining flow detection and package detection in SDN
CN103346922A (en) * 2013-07-26 2013-10-09 电子科技大学 Controller for determining network state based on SDN (Software Defined Networking) and determination method thereof
CN103607348A (en) * 2013-11-27 2014-02-26 北京邮电大学 Virtual network flow classifying method based on OpenFlow protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant