CN104811338A - Communication channel self-configuration method and system facing control layer and data layer of SDN (Software Defined Network) - Google Patents


Info

Publication number: CN104811338A
Authority: CN (China)
Prior art keywords: equipment, controller, sdn, information, white list
Legal status: Granted
Application number: CN201510181648.8A
Other languages: Chinese (zh)
Other versions: CN104811338B (en)
Inventors: 于金萍, 毕经平, 胡成臣
Current assignee: Institute of Computing Technology of CAS
Original assignee: Institute of Computing Technology of CAS
Application filed by Institute of Computing Technology of CAS; priority to CN201510181648.8A
Publication of CN104811338A; application granted; publication of CN104811338B
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a communication channel self-configuration method for the control layer and data layer of an SDN (Software Defined Network). In a self-configuration management step, a white list generated by means of an authorized USB flash drive is used to complete mutual authentication between a controller in the control layer and a device in the data layer, after which a secure communication channel is established between the controller and the device.

Description

Communication channel self-configuration method for the control layer and data layer of an SDN, and system thereof
Technical field
The invention belongs to the technical field of computer network management, and is a method for automatically configuring the communication channel between the control layer and the data layer of an SDN (Software Defined Network) network.
Background art
With the rapid development of emerging services such as cloud computing and big data, the transformation of networks has become urgent, and under this trend the scope for SDN technology will keep widening. As more enterprises and operators choose to add SDN to their networks, the demand for building large-scale networks on SDN will grow steadily. However, the cost and manpower that must be invested in the early stage of building an SDN (before its functions are complete) will clearly hinder its adoption. Setting aside the unavoidable cost of upgrading equipment (from legacy network devices to SDN-capable devices), the labour cost of SDN functional configuration, in particular configuring the communication channel between the control layer and the data layer, also multiplies as the network grows. Worse, the errors produced by manual configuration seriously degrade network performance. To solve the low efficiency, high cost and low reliability of manually configuring the control-layer/data-layer communication channel, the present invention targets an SDN with a single controller and proposes a self-configuration technique for that channel in which a white list is generated by means of an authorized USB flash drive. By inserting the authorized USB flash drive into each legitimate device, the information of all devices that are to join the network is collected to form the white list; the controller can then judge the legitimacy of a device against this list and decide whether to admit it. Under normal operation this effectively prevents illegitimate devices from joining and so guarantees the security of the network; at the same time, since the devices need not be configured one by one, the efficiency of building the whole SDN is improved and the cost of constructing the network is reduced.
A software defined network (Software Defined Network, SDN for short) is a new network innovation framework proposed by the Clean Slate research group at Stanford University. Its basic architecture, shown in Figure 1, comprises three layers: the topmost is the application layer (Application Layer), made up of the applications of the end users that use SDN communication services; the middle is the control layer (Control Layer), in which one or more controllers provide comprehensive network monitoring functions and an interface through which the application layer operates the network; the bottom is the infrastructure layer (Infrastructure Layer, also called the data layer), which interacts with the control layer over a communication channel (usually called the secure channel, Secure Channel, at present implemented mainly with the OpenFlow protocol) and performs the basic message exchange and forwarding functions. The core techniques of SDN are: separating the control layer and data layer of network devices, centralizing the control plane, and supporting programmable networks. These three techniques complement each other, ultimately giving flexible control of the network and a good platform for innovation in the core network and in applications. In particular, with the booming growth of the emerging services represented by cloud computing and big data, the existing network architecture cannot meet the new requirements that these services bring; under this trend network transformation has become inevitable, and SDN is the most representative and most widely recognized innovative network architecture among the candidates. Hence more and more manufacturers (including Cisco, Huawei, VMware, etc.) are joining the SDN camp, and more and more operators (such as China Telecom, China Unicom, etc.) are trying to apply SDN in their networks.
The communication channel between the control layer and the data layer (i.e. the secure channel, Secure Channel) is the key to realizing the centralized control and programmability of an SDN, and the basis of separating control from data. Although SDN makes network management more flexible, fast and automated, all these advantages can only be realized after the control-layer/data-layer communication channel has been correctly established. Establishing that channel usually requires configuring the data-layer devices manually one by one; as the number of devices grows, the workload multiplies and becomes time-consuming and laborious. In addition, because the accuracy of manual work cannot be guaranteed, it easily causes network faults and lowers network performance. These problems have seriously affected the efficiency of applying SDN technology in large-scale networks. Self-configuration technology is the best choice for solving the manual configuration problem. However, traditional IP self-configuration technology is concerned with assigning IP addresses to devices and is not suited to the self-configuration of the SDN secure channel, because the configuration procedure of the secure channel involves far more than configuring device IP addresses: it must first complete security authentication between the controller and the devices it manages, to prevent illegitimate devices from entering the network (an illegitimate device could attack the controller and other devices by DDoS or by exploiting vulnerabilities of the OpenFlow protocol, and so destroy the security of the whole network); only after authentication has passed can the secure channel be configured. An authorized USB flash drive can take over from the controller the task of collecting the information of legitimate devices (the devices that are to join the network), forming a white list and storing it in the controller. Because the only manual operation required is plugging in the USB flash drive, with no configuration on the individual devices, this saves time and effort and significantly improves the efficiency of building an SDN.
In the prior art entitled "Automatic software defined network configuring method, involves obtaining starting time of main controller and destination IP address of distribution controller by switch controller, and indicating message by switch" (publication number CN103618621-A), a switch obtains, via a switch controller, the destination IP of the controller assigned to it and thereby configures the communication channel; however, authentication of the switch's legitimacy is not considered, nor is mutual authentication between controller and switch carried out to guarantee the security of the communication channel.
In the prior art entitled "SDN cloud computing and virtualizing method, involves receiving agency Flow Visor information by controller, connecting open flow switcher with controller, and controlling open flow protocol transmitting process by controller" (publication number CN103905523-A), the problems of FlowVisor information reception in an SDN cloud computing and virtualized environment, of connectivity between controller and switch, and of OpenFlow protocol propagation are addressed; but mutual authentication between the control layer and the data layer and channel establishment during SDN construction are not solved.
In the prior art entitled "Network configuration method, involves sending node to master controller, so that master controller configures control rule corresponding to node type for node according to node type, and sending control rule to node" (publication number WO2014179923-A1), a controller is assigned to a switch according to the load of the controllers, and the control plane is configured correspondingly to the data plane, so as to optimize allocation efficiency and meet network performance requirements. However, this invention does not authenticate the legitimacy of the switch, and is not applicable to the initial networking stage or to the network reconnection process.
In the prior art of the SNBI (Secure Network Bootstrapping Infrastructure) project of the open-source project OpenDaylight, a method is disclosed for automatic discovery between SNBI devices and control devices in an SDN, automatic IP address assignment and automatic establishment of a secure IP connection. However, the authentication measures of that method apply only when the network device information is known and fixed; moreover, because SNBI does not provide a solution for collecting device information, it cannot be fully applied to large-scale SDN construction, especially during network reconnection, where the device information is unknown (and must be collected by a collection scheme) and changes dynamically.
In the prior art of the document "Silva Delgado; Mendez Penuela; Morales Medina; Rueda Rodriguez; 'Automatic network reconfiguration because of security events'; in 2014 IEEE Colombian Conference on Communications and Computing (COLCOM), 2014.06", a method is disclosed that uses SDN technology to reconfigure the network automatically in response to security threats. But that method can only be used after the SDN has been fully established; it does not solve mutual authentication between the control layer and the data layer, nor channel establishment, during SDN construction.
Summary of the invention
The object of the present invention is to provide a communication channel self-configuration method for the control layer and data layer of an SDN, and a system thereof, in order to solve the problem that in current large-scale SDNs, manually configuring the control-layer/data-layer communication channel is time-consuming, laborious and of poor reliability.
To achieve the above object, the present invention proposes a communication channel self-configuration method for the control layer and data layer of an SDN, for establishing a communication channel in the SDN between a controller in the control layer and a device in the data layer, the method comprising:
A self-configuration management step: based on a white list formed by means of an authorized USB flash drive, and after mutual authentication between the controller and the device has been completed, establishing a secure communication channel between the controller and the device.
In the above method, the self-configuration management step comprises:
A white list generation step: collecting, by means of the authorized USB flash drive, the information of all legitimate devices that are to join the network to form the white list; while collecting the legitimate device information, the authorized USB flash drive also stores the signature information of the controller in the legitimate device;
An authentication step: completing, based on the white list, the controller's authentication of the identity legitimacy of the device, and, based on the controller's signature, the device's authentication of the identity legitimacy of the controller;
A channel configuration step: for the controller and device that have completed identity legitimacy authentication in the authentication step, completing self-configuration and establishing the secure communication channel between the authenticated controller and device.
In the above method, the self-configuration management step further comprises:
An automatic channel teardown step: based on the to-be-deleted device information collected in the authorized USB flash drive, deleting the ID of the to-be-deleted device from the white list of the controller and removing its communication channel.
In the above method, the white list generation step comprises:
An information exchange step: the authorized USB flash drive reads the identification information of the device, adds the device identification information to the white list, and at the same time adds the controller's signature information to the device;
An information adding step: adding, by means of the authorized USB flash drive, the identification information of the device to the white list of the controller; when a new device is added to the SDN, the information exchange step is performed, the information of the newly added device is added to the controller's white list, and the controller's signature information is added to the device, so as to realize authentication between the controller and the device.
In the above method, the authentication step comprises:
A preliminary connection step: when the device joins the SDN for the first time, the device broadcasts its identity information in the SDN; the other devices in the network discover the identity information of the device through neighbor unicast and then report it to the controller;
A device identity authentication step: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, once verification passes, responds with its credential information; the controller checks whether the credential information is in the white list: if so, the identity legitimacy of the device is verified; otherwise, verification of the device's identity legitimacy fails.
In the above method, the channel configuration step comprises:
A message request sending step: the controller sends an invitation message to the device that has passed authentication;
A power-on request message sending step: the device receives the invitation message and verifies the controller's signature; once verification passes, the device generates a public key and a private key for communication and sends a power-on request message to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
A power-on request message response step: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a start-up response message to the device; the device and the controller then establish the secure communication channel.
In the above method, in the power-on request message response step the controller assigns the device an IP address over the established secure communication channel, so as to identify the device uniquely.
The present invention also provides a communication channel self-configuration system for the control layer and data layer of an SDN, for establishing a communication channel in the SDN between a controller in the control layer and a device in the data layer, which adopts the method described above and comprises:
A self-configuration management module: based on a white list formed by means of an authorized USB flash drive, and after mutual authentication between the controller and the device has been completed, establishes a secure communication channel between the controller and the device.
In the above system, the self-configuration management module comprises:
A white list generation module: collects, by means of the authorized USB flash drive, the information of all legitimate devices that are to join the network to form the white list; while collecting the legitimate device information, the authorized USB flash drive also stores the signature information of the controller in the legitimate device;
An authentication module: completes, based on the white list, the controller's authentication of the identity legitimacy of the device, and, based on the controller's signature, the device's authentication of the identity legitimacy of the controller;
A channel configuration module: for the controller and device that have completed identity legitimacy authentication in the authentication step, completes self-configuration and establishes the secure communication channel between the authenticated controller and device.
In the above system, the self-configuration management module further comprises:
An automatic channel teardown module: based on the to-be-deleted device information collected in the authorized USB flash drive, deletes the ID of the to-be-deleted device from the white list of the controller and removes its communication channel.
In the above system, the white list generation module comprises:
An information exchange module: the authorized USB flash drive reads the identification information of the device, adds the device identification information to the white list, and at the same time adds the controller's signature information to the device;
An information adding module: adds, by means of the authorized USB flash drive, the identification information of the device to the white list of the controller; when a new device is added to the SDN, the information exchange step is performed, the information of the newly added device is added to the controller's white list, and the controller's signature information is added to the device, so as to realize authentication between the controller and the device.
In the above system, the authentication module comprises:
A preliminary connection module: when the device joins the SDN for the first time, the device broadcasts its identity information in the SDN; the other devices in the network discover the identity information of the device through neighbor unicast and then report it to the controller;
A device identity authentication module: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, once verification passes, responds with its credential information; the controller checks whether the credential information is in the white list: if so, the identity legitimacy of the device is verified; otherwise, verification of the device's identity legitimacy fails.
In the above system, the channel configuration module comprises:
A message request sending module: the controller sends an invitation message to the device that has passed authentication;
A power-on request message sending module: the device receives the invitation message and verifies the controller's signature; once verification passes, the device generates a public key and a private key for communication and sends a power-on request message to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
A power-on request message response module: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a start-up response message to the device; the device and the controller then establish the secure communication channel.
Compared with the prior art, the beneficial effect of the present invention is that it realizes an automated scheme for configuring the communication channel between the control layer and the data layer.
By means of the device white list generation method based on the authorized USB flash drive, the new device authentication technique based on the white list, the white-list-based self-configuration technique for the control-layer/data-layer communication channel, and the white-list-based automatic teardown technique for that channel, the present invention realizes the automatic configuration and automatic teardown of the control-layer/data-layer communication channel simply and efficiently, reduces the cost of building and rebuilding large-scale SDNs, and makes changing the network topology more flexible.
Brief description of the drawings
Fig. 1 is a schematic diagram of the prior-art SDN architecture;
Fig. 2 is a flow diagram of the communication channel self-configuration method for the control layer and data layer of an SDN according to the present invention;
Fig. 3 is a detailed flow diagram of the control-layer/data-layer communication channel self-configuration method of the present invention;
Fig. 4 is a schematic diagram of a specific application scenario of the method of the present invention;
Fig. 5 is a structural diagram of the communication channel self-configuration system for the control layer and data layer of an SDN according to the present invention;
Fig. 6 is a detailed structural diagram of the control-layer/data-layer communication channel self-configuration system of the present invention.
Reference numerals:
1 self-configuration management module
11 white list generation module; 12 authentication module
13 channel configuration module; 14 automatic channel teardown module
111 information exchange module; 112 information adding module
121 preliminary connection module; 122 device identity authentication module
131 message request sending module; 132 power-on request message sending module
133 power-on request message response module
S11 to S14, S111 to S112, S121 to S122, S131 to S133: management steps of the various embodiments of the present invention
Detailed description
The present invention is described below with reference to the drawings and specific embodiments, which are not intended to limit the invention.
The present invention aims to solve the problems that, in current large-scale SDNs, manual configuration of the control-layer/data-layer communication channel is time-consuming, laborious and of poor reliability. For these problems, the present invention proposes a self-configuration technique for the control-layer/data-layer communication channel of a single-controller SDN in which the white list is generated by means of an authorized USB flash drive. The technique is oriented to an SDN environment with only one controller: the information of legitimate devices is collected by means of the authorized USB flash drive and formed into a white list, which supports mutual authentication between the control-layer device and the data-layer devices; after authentication passes, the self-configuration process for the control-layer/data-layer communication channel can proceed. This technique significantly reduces manual work during SDN construction (particularly at initial build and during rebuilding) and improves the efficiency and reliability of network configuration work.
As shown in Figure 2, the present invention provides a communication channel self-configuration method for the control layer and data layer of an SDN, for establishing a communication channel in the SDN between a controller in the control layer and a device in the data layer, the method comprising:
Self-configuration management step S1: based on a white list formed by means of an authorized USB flash drive, and after mutual authentication between the controller and the device has been completed, establishing a secure communication channel between the controller and the device.
Here, self-configuration management step S1 comprises:
White list generation step S11: collecting, by means of the authorized USB flash drive, the information of all legitimate devices that are to join the network to form the white list; while collecting the legitimate device information, the authorized USB flash drive also stores the controller's signature information in the legitimate device;
Authentication step S12: completing, based on the white list, the controller's authentication of the identity legitimacy of the device, and, based on the controller's signature, the device's authentication of the identity legitimacy of the controller;
Channel configuration step S13: for the controller and device that have completed identity legitimacy authentication in the authentication step, completing self-configuration and establishing the secure communication channel between the authenticated controller and device;
Automatic channel teardown step S14: based on the to-be-deleted device information collected in the authorized USB flash drive, deleting the ID of the to-be-deleted device from the controller's white list and removing its communication channel.
Here, as shown in Figure 3, white list generation step S11 comprises:
Information exchange step S111: the authorized USB flash drive reads the identification information of the device, adds the device identification information to the white list, and at the same time adds the controller's signature information to the device;
Information adding step S112: adding, by means of the authorized USB flash drive, the identification information of the device to the controller's white list; when a new device is added to the SDN, the information exchange step is performed, the information of the newly added device is added to the controller's white list, and the controller's signature information is added to the device, so as to realize authentication between the controller and the device.
Here, as shown in Figure 3, authentication step S12 comprises:
Preliminary connection step S121: when a device joins the SDN for the first time, it broadcasts its identity information in the SDN; the other devices in the network discover the identity information of the device through neighbor unicast and report it to the controller;
Device identity authentication step S122: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, once verification passes, responds with its credential information; the controller checks whether the credential information is in the white list: if so, the identity legitimacy of the device is verified; otherwise, verification of the device's identity legitimacy fails.
Here, as shown in Figure 3, channel configuration step S13 comprises:
Message request sending step S131: the controller sends an invitation message to the device that has passed authentication;
Power-on request message sending step S132: the device receives the invitation message and verifies the controller's signature; once verification passes, the device generates a public key and a private key for communication and sends a power-on request message to the controller, providing the controller with a certificate, the certificate signature and the device's public key;
Power-on request message response step S133: the controller receives the certificate, the certificate signature and the device's public key, and sends a start-up response message to the device; the device and the controller then establish the secure communication channel; over the established secure communication channel the controller assigns the device an IP address, so as to identify the device uniquely.
The present invention is further described below with reference to the drawings and specific embodiments.
In practical application, as shown in Figure 4, the network scenario of the present invention is one controller and several devices that need to join the network. To realize self-configuration of the control-layer/data-layer communication channel, a new module for self-configuration management (Auto-Configuration Management) must be added to the controller and to the devices to carry out the self-configuration work. At the same time, an authorized USB flash drive must be prepared in advance for collecting device information, generating the white list and removing devices. The authorized USB flash drive carries two kinds of program: one expands the white list, mainly collecting the information of devices that are to join the network and adding it to the controller's white list; the other reduces the white list, mainly collecting the information of devices that are to be deleted and removing it from the controller's white list. By generating the white list with an authorized USB flash drive, no complex key management or pre-provisioning procedure is needed and no complex manual operation is required, so automatic configuration of the control-layer/data-layer communication channel is realized simply and efficiently.
The specific embodiment of the invention, generates white list method based on authorizing the equipment of USB flash disk.In order to ensure the legitimacy of the equipment adding network, make it can communicate with controller, prevent illegality equipment from entering network simultaneously, and cause potential Cyberthreat, before networking, first use authority USB flash disk goes to collect all information that will add the legitimate device of network and forms white list, makes controller can judge to add according to white list the legitimacy of equipment.
USB flash disk is authorized to have the super-ordinate right of global network, can be mutual by the module (Auto-Configuration Management) managed with the self-configuring on equipment, the information of fetch equipment, mainly can the information of marking equipment, as MAC Address, the id informations such as 802.1AR voucher, and the information read is joined in the list of white list; Authorize USB flash disk to be stored into by the signing messages of controller in the self-configuring administration module on equipment simultaneously.After the information of authorizing USB flash disk to collect all devices forms complete white list, USB flash disk inserting controller will be authorized, just list can be added in the white list of controller.In subsequent process, if need to add equipment in network, only need mandate USB flash disk to insert on new equipment to collect information, then will authorize on USB flash disk inserting controller, and the up-to-date information collected be added to the white list of controller.
The mutual certification of controller and equipment is completed as medium.Only have the equipment of authorizing USB flash disk to insert just to be considered to legitimate device, and without the need to doing any process to equipment, authorize USB flash disk as long as insert.Afterwards, often when a new device joins the network, all through verification process, the mutual certification of controller and switch can be completed.
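The two USB-drive programs and the controller-side import described above, as an added example that is not code from the patent. It simulates the "expand whitelist" and "reduce whitelist" programs and the step of inserting the drive into the controller; the device identifiers, the MAC addresses and the opaque `controller_sig_info` bytes are constructed values, and the assumption that the controller's verification material travels on the drive is the example's own.

```python
# Constructed simulation of whitelist generation with the authorized USB drive; not the patent's code.
from dataclasses import dataclass, field

@dataclass
class Device:
    mac: str
    idevid: str                          # 802.1AR credential identifier (constructed value)
    controller_sig_info: bytes = b""     # written by the USB drive; lets the device verify the controller later

@dataclass
class AuthorizedUsb:
    controller_sig_info: bytes           # assumption: the controller's verification material travels on the drive
    expand_list: dict = field(default_factory=dict)   # filled by the "expand whitelist" program
    reduce_list: set = field(default_factory=set)     # filled by the "reduce whitelist" program

    def expand_program(self, dev):
        """Drive inserted into a device that should join: read its identity, leave the controller's info."""
        self.expand_list[dev.idevid] = {"mac": dev.mac}
        dev.controller_sig_info = self.controller_sig_info
        return dev.idevid

    def reduce_program(self, dev):
        """Drive inserted into a device that should leave: record its identity for deletion."""
        self.reduce_list.add(dev.idevid)
        return dev.idevid

class Controller:
    def __init__(self):
        self.whitelist = {}              # idevid -> identifying information

    def import_usb(self, usb):
        """Drive inserted into the controller: apply collected additions and deletions, then empty the drive."""
        added = sorted(k for k in usb.expand_list if k not in self.whitelist)
        self.whitelist.update(usb.expand_list)
        removed = sorted(k for k in usb.reduce_list if self.whitelist.pop(k, None) is not None)
        usb.expand_list.clear()
        usb.reduce_list.clear()
        return {"added": added, "removed": removed}

    def is_legitimate(self, idevid):
        """The check the controller later runs against a joining device's credential."""
        return idevid in self.whitelist
```

The drive is emptied after the controller consumes it, so the same stick can be reused for the next batch of devices without re-adding entries that are already present.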
In a specific embodiment of the invention, new devices are authenticated on the basis of the whitelist. Once the whitelist of legitimate devices has been built as described above and stored in the controller, a new device is authenticated through the following steps.
1) After the new device joins the network, it broadcasts its information to the network;
2) The devices already in the network discover the newly joined device through neighbor unicast and report it to the controller;
3) The controller requests credential information from the new device;
4) If the controller's signature verifies, the new device sends its credential information to the controller, and the controller checks whether the credential is in its whitelist; if so, it sends an Invite message to the new device inviting it to join the network; otherwise it sends a Reject message, refusing the new device's request to join.
In a specific embodiment of the invention, the communication channel between the control layer and the data layer is self-configured on the basis of the whitelist. After the controller has authenticated the legitimacy of the new device through the steps above, the controller and the new device interact to complete the configuration of the communication channel. The main steps of the configuration process are:
1) The controller sends an Invite message to the newly authenticated device.
2) On receiving the Invite message, the new device first verifies whether the controller's signature is valid. If verification passes, the device generates a public key and a private key for communication and sends a "Boot strap request" message to the controller, providing a PKCS10 request, a PKCS10_signature (its signature) and its public key.
3) The controller receives the message and sends a "Boot strap reply" message to the device, which contains the certificate of the controller's management domain (the domain formed by the devices the controller manages). The device has now become a member of that domain and can establish a secure communication channel with the controller; over this channel the controller assigns the device an IP address, which uniquely identifies the device.
4) The device can now communicate with the controller and processes the network traffic passing through it according to the policy decisions of the controller or of upper-layer applications.
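The four authentication steps and the channel-configuration steps above, run end to end as an added example that is not code from the patent. Both signatures (the controller's over its request and Invite messages and over the domain certificate, the device's over its PKCS10 request) are stood in for by a small unpadded textbook RSA implemented inline, so the block runs with the standard library only; the credential IDs, the domain name `sdn-domain-A`, the address pool starting at 10.0.0.10 and the message field names are constructed. A real deployment would use a vetted library with a padded signature scheme, which the page does not specify.

```python
# Constructed simulation of the authentication and channel-bootstrap exchange; not the patent's code.
import hashlib, math, random, secrets

# Toy textbook RSA (unpadded, 512-bit) standing in for the controller's and device's signatures.
def _probable_prime(n, rounds=20):               # Miller-Rabin
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def keygen(bits=512):                            # returns ((n, e), (n, d))
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))

def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    return pow(_digest(msg), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _digest(msg)

def _canon(d):                                   # canonical bytes so both sides sign the same thing
    return repr(sorted(d.items())).encode()

class Controller:
    def __init__(self, whitelist, domain="sdn-domain-A"):   # domain name and IP pool are constructed
        self.pub, self.priv = keygen()
        self.whitelist = set(whitelist)          # credential IDs collected by the authorized USB drive
        self.domain, self.members, self._next_host = domain, {}, 10

    def _signed(self, kind, cred):
        return {"type": kind, "body": cred.encode(), "sig": sign(self.priv, kind.encode() + cred.encode())}

    def on_discovery(self, cred):                # authentication step 3: ask the reported device for its credential
        return self._signed("REQUEST_CREDENTIAL", cred)

    def on_credential(self, cred):               # authentication step 4: the whitelist decides Invite or Reject
        return self._signed("INVITE" if cred in self.whitelist else "REJECT", cred)

    def on_bootstrap_request(self, cred, pkcs10, pkcs10_sig, dev_pub):   # channel step 3
        if cred not in self.whitelist or pkcs10["public_key"] != dev_pub:
            return None
        if not verify(dev_pub, _canon(pkcs10), pkcs10_sig):     # device proves possession of its private key
            return None
        ip = f"10.0.0.{self._next_host}"         # unique address assigned over the new channel
        self._next_host += 1
        cert = {"domain": self.domain, "subject": cred, "public_key": dev_pub, "ip": ip}
        self.members[cred] = (dev_pub, ip)
        return {"type": "BOOTSTRAP_REPLY", "cert": cert, "cert_sig": sign(self.priv, _canon(cert))}

class Device:
    def __init__(self, cred, controller_pub):
        self.cred = cred                         # 802.1AR-style credential ID (constructed value)
        self.controller_pub = controller_pub     # controller verification material written by the USB drive
        self.pub = self.priv = self.cert = self.ip = None

    def _from_controller(self, msg):
        return verify(self.controller_pub, msg["type"].encode() + msg["body"], msg["sig"])

    def on_credential_request(self, msg):        # answer only a controller whose signature verifies
        return self.cred if self._from_controller(msg) else None

    def on_invite(self, msg):                    # channel step 2: new key pair and "Boot strap request"
        if msg["type"] != "INVITE" or not self._from_controller(msg):
            return None
        self.pub, self.priv = keygen()
        pkcs10 = {"subject": self.cred, "public_key": self.pub}
        return self.cred, pkcs10, sign(self.priv, _canon(pkcs10)), self.pub

    def on_bootstrap_reply(self, reply):         # accept the domain certificate only under the controller's signature
        if reply is None or not verify(self.controller_pub, _canon(reply["cert"]), reply["cert_sig"]):
            return False
        self.cert, self.ip = reply["cert"], reply["cert"]["ip"]
        return True

def join_network(controller, device):
    """Run one device through authentication and channel bootstrap; return its IP, or None if refused."""
    cred = device.on_credential_request(controller.on_discovery(device.cred))   # steps 1-3
    if cred is None:
        return None
    boot = device.on_invite(controller.on_credential(cred))                     # step 4 + channel steps 1-2
    if boot is None:
        return None
    reply = controller.on_bootstrap_request(*boot)                              # channel step 3
    return device.ip if device.on_bootstrap_reply(reply) else None
```

The mutual direction of the authentication is what the two failure paths in `join_network` show: a device whose credential is not on the whitelist is rejected by the controller, while a device that carries the wrong controller verification material never even discloses its credential, because the controller's signature on the request does not verify.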
In a specific embodiment of the invention, the communication channel between the control layer and the data layer is terminated automatically on the basis of the whitelist. During actual network operation a device is often deleted because of a device failure or an adjustment of the network topology, and the control-layer/data-layer communication channel of that device must then be deleted as well. Under the whitelist model a device can be deleted in two ways: from the controller side and from the device side.
Deletion from the controller side is normally done directly by ID, that is, the ID is simply deleted from the whitelist stored on the controller, so the crucial point is to determine which physical device corresponds to the device ID. The most direct but clumsiest method is to confirm each switch with the authorized USB drive. That method is usually very inefficient; to improve efficiency, the position of the physical device can be found from the network topology stored at the controller, and the corresponding physical device is then located at the physical layer by following the network connections and removed, which removes its control-layer/data-layer communication channel.
Deletion from the device side may be prompted by a device failure or a similar cause; the crucial point is to find the device's ID and delete it from the controller's whitelist. The method is as follows: first insert the authorized USB drive, running its deletion program (or a separate authorized USB drive dedicated to managing device deletion), into the device to be deleted, read the device's ID through interaction with the device's self-configuration management module (Auto-Configuration Management), then insert the drive into the controller, where the controller-side program deletes the corresponding device's ID from its whitelist. Sometimes, however, the device to be deleted cannot be powered on, so its information cannot be obtained through interaction between the authorized USB drive and the device's self-configuration management module (Auto-Configuration Management). In that case the information of the available devices is collected first, and the list of IDs of the available devices is subtracted from the controller's whitelist; the result is the IDs of the unavailable devices, and deleting them from the controller's whitelist removes their control-layer/data-layer communication channels.
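The two deletion paths described above, as an added example that is not code from the patent: a controller-side deletion that first maps the ID to a physical location through the controller's stored topology, and the device-side fallback for devices that cannot be powered on, computed as the whitelist minus the IDs the USB drive could still read. The `ControllerState` structure, the device IDs and the rack locations are constructed for the example.

```python
# Constructed simulation of automatic channel termination under the whitelist model; not the patent's code.
from dataclasses import dataclass, field

@dataclass
class ControllerState:
    whitelist: set                               # device IDs the controller accepts
    topology: dict                               # device ID -> {"location": ..., "neighbors": [...]} (constructed)
    channels: set = field(default_factory=set)   # device IDs with an established secure channel

def locate_physical_device(state, device_id):
    """Controller-side: map an ID to its physical location using the topology the controller stores."""
    entry = state.topology.get(device_id)
    if entry is None:
        return None
    return {"location": entry["location"], "reached_via": list(entry["neighbors"])}

def delete_from_controller(state, device_id):
    """Controller-side deletion: drop the ID from the whitelist, tear down its channel, prune the topology."""
    if device_id not in state.whitelist:
        return False
    state.whitelist.discard(device_id)
    state.channels.discard(device_id)
    state.topology.pop(device_id, None)
    for entry in state.topology.values():        # the removed device is no longer anyone's neighbor
        entry["neighbors"] = [n for n in entry["neighbors"] if n != device_id]
    return True

def unavailable_devices(state, readable_ids):
    """Device-side fallback: whitelist minus the IDs the USB drive could still read from powered-on devices."""
    return set(state.whitelist) - set(readable_ids)

def delete_unavailable(state, readable_ids):
    """Delete every whitelisted device that could not be read; return the IDs removed."""
    dead = unavailable_devices(state, readable_ids)
    for device_id in sorted(dead):
        delete_from_controller(state, device_id)
    return dead
```

The set difference is only as good as the sweep that produced `readable_ids`: a device that was merely unplugged during the sweep is deleted like a failed one and must re-run the whitelist generation step before it can join again.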
In addition, the present invention provides a communication channel self-configuration system for the control layer and data layer of an SDN, for establishing a communication channel between a controller in the control layer and a device in the data layer of the SDN, using the communication channel self-configuration method described above. As shown in Figure 5, the system comprises:
Self-configuration management module 1: on the basis of the whitelist formed with the authorized USB drive, after mutual authentication of the controller and the device is completed, establishes the secure communication channel between the controller and the device.
As shown in Figure 5, the self-configuration management module 1 comprises:
Whitelist generation module 11: forms the whitelist from the information of all legitimate devices to be added to the network, collected by the authorized USB drive; while collecting the information of a legitimate device, the authorized USB drive stores the controller's signature information in that device;
Authentication module 12: completes the controller's authentication of the device's identity on the basis of the whitelist, and the device's authentication of the controller's identity on the basis of the controller's signature;
Channel configuration module 13: for a controller and a device that have completed identity authentication in the authentication step, completes self-configuration and establishes the secure communication channel between the authenticated controller and device.
Automatic channel termination module 14: on the basis of the to-be-deleted device information collected on the authorized USB drive, deletes the ID of the to-be-deleted device from the controller's whitelist and removes the communication channel.
As shown in Figure 6, the whitelist generation module 11 comprises:
Information interaction module 111: the authorized USB drive reads the device's identification information and adds it to the whitelist, and at the same time adds the controller's signature information to the device;
Information addition module 112: adds the device's identification information to the controller's whitelist via the authorized USB drive; when a new device is added to the SDN, the information interaction step is performed, the new device's information is added to the controller's whitelist and the controller's signature information is added to the device, so that the controller and the device can authenticate each other.
As shown in Figure 6, the authentication module 12 comprises:
Preliminary connection module 121: when a device joins the SDN for the first time, it broadcasts its identity information in the SDN, and the other devices in the network, after discovering the device's identity information through neighbor unicast, report it to the controller;
Device identity authentication module 122: the controller sends the device a message requesting its credential information; the device verifies the controller's signature and, if verification passes, responds with its credential information; the controller checks whether the credential is in the whitelist; if so, the device's identity is verified as legitimate, otherwise verification of the device's identity fails.
As shown in Figure 6, the channel configuration module 13 comprises:
Message request sending module 131: the controller sends an invitation message to the authenticated device;
Bootstrap request sending module 132: on receiving the invitation message, the device verifies the controller's signature; if verification passes, the device generates a public key and a private key for communication and sends a bootstrap request to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
Bootstrap reply module 133: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a bootstrap reply message to the device, whereupon the device and the controller establish a secure communication channel. Over the established secure channel the controller assigns the device an IP address, so that the device is uniquely identified.
In summary, through simple plug-in operations the present invention collects the information of all legitimate devices with the authorized USB drive to form a whitelist, against which the controller can verify the legitimacy of new devices. The simple operation simplifies networking and improves its efficiency. In addition, the controller of the invention authenticates new devices according to the whitelist in a fully automatic process that needs no human participation; it is simple and efficient and helps build an SDN efficiently. Further, the invention establishes the channel between the control layer and the data layer automatically, without human participation, which reduces the cost of networking while improving its efficiency. Finally, with the device whitelist of the invention the control-layer/data-layer communication channel is terminated automatically without any manual configuration, which greatly improves the efficiency of the communication channel connection between the control layer and the data layer.
Of course, the invention may also have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art may make various corresponding changes and modifications according to the invention, and all such changes and modifications shall fall within the scope of protection of the claims appended to the invention.

Claims (13)

1. A communication channel self-configuration method for the control layer and data layer of an SDN, for establishing a communication channel between a controller in the control layer and a device in the data layer of the SDN, characterized in that the method comprises:
a self-configuration management step: on the basis of a whitelist formed with an authorized USB flash drive, after completing mutual authentication of the controller and the device, establishing a secure communication channel between the controller and the device.
2. The communication channel self-configuration method for the control layer and data layer of an SDN according to claim 1, characterized in that the self-configuration management step comprises:
a whitelist generation step: collecting, with the authorized USB flash drive, the information of all legitimate devices to be added to the network to form the whitelist, wherein the authorized USB flash drive, while collecting the information of a legitimate device, stores the controller's signature information in that legitimate device;
an authentication step: completing the controller's authentication of the device's identity on the basis of the whitelist, and completing the device's authentication of the controller's identity on the basis of the controller's signature;
a channel configuration step: for the controller and the device that have completed identity authentication in the authentication step, completing self-configuration and establishing the secure communication channel between the authenticated controller and device.
3. The communication channel self-configuration method for the control layer and data layer of an SDN according to claim 2, characterized in that the self-configuration management step further comprises:
an automatic channel termination step: on the basis of the to-be-deleted device information collected on the authorized USB flash drive, deleting the ID of the to-be-deleted device from the whitelist of the controller and removing the communication channel.
4. The communication channel self-configuration method for the control layer and data layer of an SDN according to claim 2, characterized in that the whitelist generation step comprises:
an information interaction step: the authorized USB flash drive reads the identification information of the device and adds it to the whitelist, and at the same time adds the controller's signature information to the device;
an information addition step: adding the identification information of the device to the whitelist of the controller via the authorized USB flash drive; when a new device is added to the SDN, performing the information interaction step, adding the new device's information to the whitelist of the controller and adding the controller's signature information to the device, so that the controller and the device can authenticate each other.
5. The communication channel self-configuration method for the control layer and data layer of an SDN according to claim 2, characterized in that the authentication step comprises:
a preliminary connection step: when the device joins the SDN for the first time, the device broadcasts its identity information in the SDN, and the other devices in the network, after discovering the device's identity information through neighbor unicast, report it to the controller;
a device identity authentication step: the controller sends the device a message requesting device credential information; the device verifies the controller's signature and, if verification passes, responds with its credential information; the controller checks whether the credential information is in the whitelist; if so, the device's identity is verified as legitimate, otherwise verification of the device's identity fails.
6. The communication channel self-configuration method for the control layer and data layer of an SDN according to claim 2, characterized in that the channel configuration step comprises:
a message request sending step: the controller sends an invitation message to the authenticated device;
a bootstrap request sending step: on receiving the invitation message, the device verifies the controller's signature; if verification passes, the device generates a public key and a private key for communication and sends a bootstrap request to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
a bootstrap reply step: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a bootstrap reply message to the device, whereupon the device and the controller establish a secure communication channel.
7. The communication channel self-configuration method for the control layer and data layer of an SDN according to claim 6, characterized in that, in the bootstrap reply step, the controller assigns the device an IP address over the established secure communication channel, so as to uniquely identify the device.
8. A communication channel self-configuration system for the control layer and data layer of an SDN, for establishing a communication channel between a controller in the control layer and a device in the data layer of the SDN, using the communication channel self-configuration method for the control layer and data layer of an SDN according to any one of claims 1-7, characterized in that the system comprises:
a self-configuration management module: on the basis of a whitelist formed with an authorized USB flash drive, after completing mutual authentication of the controller and the device, establishing a secure communication channel between the controller and the device.
9. The communication channel self-configuration system for the control layer and data layer of an SDN according to claim 8, characterized in that the self-configuration management module comprises:
a whitelist generation module: collecting, with the authorized USB flash drive, the information of all legitimate devices to be added to the network to form the whitelist, wherein the authorized USB flash drive, while collecting the information of a legitimate device, stores the controller's signature information in that legitimate device;
an authentication module: completing the controller's authentication of the device's identity on the basis of the whitelist, and completing the device's authentication of the controller's identity on the basis of the controller's signature;
a channel configuration module: for the controller and the device that have completed identity authentication in the authentication step, completing self-configuration and establishing the secure communication channel between the authenticated controller and device.
10. The communication channel self-configuration system for the control layer and data layer of an SDN according to claim 9, characterized in that the self-configuration management module further comprises:
an automatic channel termination module: on the basis of the to-be-deleted device information collected on the authorized USB flash drive, deleting the ID of the to-be-deleted device from the whitelist of the controller and removing the communication channel.
11. The communication channel self-configuration system for the control layer and data layer of an SDN according to claim 9, characterized in that the whitelist generation module comprises:
an information interaction module: the authorized USB flash drive reads the identification information of the device and adds it to the whitelist, and at the same time adds the controller's signature information to the device;
an information addition module: adding the identification information of the device to the whitelist of the controller via the authorized USB flash drive; when a new device is added to the SDN, performing the information interaction step, adding the new device's information to the whitelist of the controller and adding the controller's signature information to the device, so that the controller and the device can authenticate each other.
12. The communication channel self-configuration system for the control layer and data layer of an SDN according to claim 9, characterized in that the authentication module comprises:
a preliminary connection module: when the device joins the SDN for the first time, the device broadcasts its identity information in the SDN, and the other devices in the network, after discovering the device's identity information through neighbor unicast, report it to the controller;
a device identity authentication module: the controller sends the device a message requesting device credential information; the device verifies the controller's signature and, if verification passes, responds with its credential information; the controller checks whether the credential information is in the whitelist; if so, the device's identity is verified as legitimate, otherwise verification of the device's identity fails.
13. The communication channel self-configuration system for the control layer and data layer of an SDN according to claim 9, characterized in that the channel configuration module comprises:
a message request sending module: the controller sends an invitation message to the authenticated device;
a bootstrap request sending module: on receiving the invitation message, the device verifies the controller's signature; if verification passes, the device generates a public key and a private key for communication and sends a bootstrap request to the controller, providing the controller with a certificate, the signature of the certificate and the device's public key;
a bootstrap reply module: the controller receives the certificate, the signature of the certificate and the device's public key, and sends a bootstrap reply message to the device, whereupon the device and the controller establish a secure communication channel.
Application CN201510181648.8A (priority date 2015-04-16, filing date 2015-04-16): Communication channel self-configuration method and system for the control layer and data layer of an SDN; granted as CN104811338B; status: Expired - Fee Related.


Publications (2)

Publication Number Publication Date
CN104811338A true CN104811338A (en) 2015-07-29
CN104811338B CN104811338B (en) 2018-02-06

Legal Events

Code Title
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant (granted publication date: 20180206)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 20200416)