CN105429870B - VXLAN security gateway devices under SDN environment and its application process - Google Patents


Info

Publication number: CN105429870B
Authority: CN (China)
Prior art keywords: vxlan, packet, data packets, security, network
Legal status: Active (the legal status is an assumption, not a legal conclusion)
Application number: CN201510857787.8A
Other languages: Chinese (zh)
Other versions: CN105429870A
Inventor: 李伏琼
Current assignee: Beijing Ruihe Yuntu Technology Co Ltd
Original assignee: Beijing Ruihe Yuntu Technology Co Ltd
Application filed by Beijing Ruihe Yuntu Technology Co Ltd
Priority to CN201510857787.8A
Publication of CN105429870A
Application granted
Publication of CN105429870B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0272 Virtual private networks
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

An embodiment of the present invention provides a VXLAN security gateway device in an SDN environment and its application method. The device is arranged in a Layer 2 physical switch and includes a network packet transceiver module, a network packet logic processing engine module, an OpenFlow flow table issuing module and a business system network security boundary control module. The network packet transceiver module receives VXLAN packets through a packet receiving port and transfers them to the network packet logic processing engine module. The network packet logic processing engine module removes the VXLAN packet header, tags the VXLAN packet from which the header was removed with a VLAN label and, after the OpenFlow flow table issuing module has issued the corresponding switch flow table forwarding entry, sends the processed VXLAN packet out through the network packet transceiver module. The device of this embodiment does not need to be configured separately on multiple platforms such as Layer 3 switches and SDN controllers, can make full use of SDN's flexible management and control of network traffic, and can effectively reduce the traffic load on the Layer 3 physical aggregation layer.

Description

VXLAN security gateway devices under SDN environment and its application process
Technical field
The present invention relates to the technical field of network security, and more particularly to a VXLAN security gateway device in an SDN environment and its application method.
Background technology
As data center technology matures, computing resources tend toward a high degree of centralization: large numbers of traditional servers are virtualized and then concentrated in large-scale data centers. This makes network management extremely complex, and the number of traditional VLANs (Virtual Local Area Networks) often cannot meet the demand.
SDN (Software Defined Networking) grew up against this background to solve the deployment bottlenecks of networks built on traditional switching or routing. By decoupling the control plane from the data plane of traditional network switching, SDN realizes unified centralized management of forwarding control, and it can use protocols such as OpenFlow to control the forwarding of data very flexibly, effectively solving the problem that network management and configuration are complicated.
OpenFlow is an open, standards-based protocol that defines how a central module (the controller) configures and controls the control plane. With OpenFlow, the controller can use policy distribution to issue flow tables to the corresponding virtual or physical switches that support the OpenFlow protocol, so that a switch receiving a flow table can manage the transmission of data packets in the network according to that flow table.
The OpenFlow controller installs flow tables into OpenFlow switches according to the physical topology of the various flows and the controller, and the OpenFlow switch processes the traffic entering it according to the flow table. The switch handles all incoming traffic according to this flow table; if the flow table contains no entry corresponding to a particular flow, the packet information is sent to the OpenFlow controller, which handles it. After the controller decides how to handle the flow, the flow is processed through the corresponding operations in the OpenFlow switch. Any packet entering the switch must be matched against particular values in the 12-tuple of its packet header. Depending on the version of the OpenFlow specification supported and on the differences in each SDN switch manufacturer's implementation, the configuration items supported by the flow table differ in their details.
To implement the VXLAN protocol, devices that support VXLAN are needed: a virtual or physical switch uses a VXLAN Tunnel End Point (VTEP) module to encapsulate a traditional Layer 2 Ethernet frame with the VXLAN-specific header, uses the VNI (VXLAN Network Identifier) as the VXLAN network identifier ID to divide different logical networks, and uses the MAC and IP addresses of the VTEPs to which the source and destination are connected as the source and destination MAC and IP of the newly encapsulated packet.
After VXLAN is applied, all packets transmitted in the switch become packets in VXLAN encapsulation format, and the true original Ethernet frame becomes the data payload inside the VXLAN packet. As a result, traditional network security devices such as intrusion detection systems and firewalls cannot recognize the captured packets that carry a VXLAN header.
In large-scale data center environments built on virtualization technology, VLAN cannot provide enough logical isolation boundaries to solve the network isolation problem. VXLAN is usually implemented in virtual switches but can also be implemented in physical switches; whichever implementation is used, the network traffic transmitted inside physical switches is in the format of VXLAN-encapsulated packets. To better provide management and control over complex data center networks, SDN (Software Defined Network) technology based on the OpenFlow protocol is the preferred networking solution when building a data center. A schematic of a basic VXLAN-based network architecture in the prior art is shown in Fig. 1: a data center network architecture built from devices that support VXLAN and OpenFlow. Because most conventional security products cannot directly analyze packets in VXLAN format, they can only be deployed in a common non-VXLAN physical network environment: a VXLAN gateway deployed in the Layer 3 network environment removes the VXLAN label (a VXLAN port corresponds to a VTEP module that is responsible for this work), and policy routing then forwards the traffic to the security device. Such devices cannot be attached in the Layer 2 network environment because the VXLAN gateway is usually designed as a module executed in the Layer 3 switch when VXLAN performs Layer 3 switching. Therefore, this way of attaching security devices requires network traffic to first be aggregated in the Layer 3 switch and then, at the granularity of a VXLAN, to choose whether a specific VXLAN flow needs its VXLAN label removed before being sent into the conventional non-VXLAN physical network environment.
The shortcoming of the above prior-art VXLAN-based basic network architecture is as follows. In a data center or cloud computing center with virtualization technology at its core, when VXLAN is used as the isolation scheme for the logical boundary of business networks, most conventional physical security devices cannot parse the VXLAN protocol format and therefore cannot recognize VXLAN-encapsulated network packets; converting VXLAN to ordinary Ethernet frames through a VXLAN gateway deployed on the Layer 3 switch brings a series of problems such as performance and configuration flexibility; and network traffic that does not cross VXLANs generally cannot be sent to the Layer 3 switch, so the security device cannot monitor east-west traffic within a VXLAN.
Invention content
An embodiment of the present invention provides a VXLAN security gateway device in an SDN environment and its application method, so as to realize effective security management and control of network traffic using SDN.
According to one aspect of the invention, a VXLAN security gateway device in an SDN environment is provided, arranged in a Layer 2 physical switch. The VXLAN security gateway device specifically includes: a network packet transceiver module, a network packet logic processing engine module, an OpenFlow flow table issuing module and a business system network security boundary control module;
The network packet transceiver module is used to receive, through a packet receiving port, the VXLAN packets that require security monitoring and to transfer them to the network packet logic processing engine module, and to send the VXLAN packets processed by the network packet logic processing engine module into the network through a packet sending port;
The network packet logic processing engine module is used, for VXLAN packets that require security monitoring, to remove the VXLAN packet header, to tag the VXLAN packet from which the header was removed with a VLAN label according to the physical security device port configured for the security boundary corresponding to the business virtual machine to which the VXLAN packet belongs, thereby obtaining a processed packet, and, after the OpenFlow flow table issuing module has issued the flow table forwarding entry to the corresponding switch, to transfer the processed packet to the network packet transceiver module;
The OpenFlow flow table issuing module is used to provide the corresponding flow table forwarding entry for the processed packet and to issue the flow table forwarding entry to the corresponding switch.
Further, the device also includes:
A network packet classification module, used to classify the packets received by the network packet transceiver module into VXLAN packets that require security monitoring, VXLAN packets that do not require security monitoring, and VLAN packets that have been inspected by the firewall, and to submit the classification result to the network packet logic processing engine for processing.
Further, the device also includes:
A network packet format encapsulation module, used to parse the VXLAN packet header removed by the network packet logic processing engine module, to store the VXLAN packet header indexed by flow information, and to apply the VLAN label to the processed packet according to the VLAN ID corresponding to the destination security device.
Further, the device also includes:
A security device registration management module, used to provide the user with access registration for physical security devices; the registered content includes the model and description of the physical security device and the port number through which it is connected to the physical switch.
Further, the device also includes:
A business system network security boundary control module, used to provide the user with visual network security boundary control: the user selects the specific business virtual machines inside a VXLAN that require security monitoring and, after the security boundary has been created, selects a registered physical security device for the security boundary.
Further, the network packet logic processing engine module is also used, for VXLAN packets that do not require security monitoring, to call the packet sending interface of the network packet transceiver module to send the VXLAN packet directly; and, for VLAN packets that have been inspected by the firewall, to transfer them to the network packet format encapsulation module and to call the packet sending interface of the network packet transceiver module to forward the VXLAN packets that the network packet format encapsulation module returns after re-encapsulating them in VXLAN;
The network packet format encapsulation module is also used, for VLAN packets that have been inspected by the firewall, to retrieve the VXLAN packet header through the flow index information, to perform VXLAN encapsulation again, and to transfer the VXLAN-encapsulated packet to the network packet logic processing engine module.
According to another aspect of the invention, an application method of the VXLAN security gateway device in an SDN environment is provided. The VXLAN security gateway device is arranged in a Layer 2 physical switch, and the method specifically includes:
The VXLAN security gateway device receives, through a packet receiving port, the VXLAN packets that require security monitoring; for a VXLAN packet that requires security monitoring, it removes the VXLAN packet header and, according to the port of the physical security device configured for the security boundary corresponding to the business virtual machine to which the VXLAN packet belongs, tags the VXLAN packet from which the header was removed with a VLAN label to obtain a processed packet;
It provides the corresponding flow table forwarding entry for the processed packet and issues the flow table forwarding entry to the corresponding switch; through the packet sending port, the processed packet is transferred to the network packet transceiver module.
Further, the method also includes:
The VXLAN security gateway device classifies the VXLAN packets received through the network packet transceiver module into VXLAN packets that require security monitoring, VXLAN packets that do not require security monitoring, and VLAN packets that have been inspected by the firewall.
Further, the method also includes:
The VXLAN security gateway device parses the removed VXLAN packet header, stores the VXLAN packet header indexed by flow information, and at the same time applies the VLAN label to the processed packet according to the VLAN ID corresponding to the destination security device;
It provides the user with access registration for physical security devices; the registered content includes the model and description of the physical security device and the port number through which it is connected to the physical switch;
It provides the user with visual network security boundary control: the user selects the specific business virtual machines inside a VXLAN that require security monitoring and, after the security boundary has been created, selects a registered physical security device for the security boundary.
Further, the VXLAN security gateway device is also used, for VXLAN packets that do not require security monitoring, to call the packet sending interface to send the VXLAN packet directly; and, for VLAN packets that have been inspected by the firewall, to retrieve the VXLAN packet header through the flow index information, perform VXLAN encapsulation again, and call the packet sending interface to forward the re-encapsulated VXLAN packet.
It can be seen from the technical solution provided by the above embodiments that the VXLAN security gateway device in an SDN environment of the embodiments of the present invention can make effective use of existing mature and stable network security products without separate configuration on multiple platforms such as Layer 3 switches and SDN controllers, can make full use of SDN's flexible management and control of network traffic, can effectively reduce the traffic load on the Layer 3 physical aggregation layer, and has a degree of generality across VXLAN and non-VXLAN network environments.
Description of the drawings
To explain the technical solution of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a basic VXLAN-based network architecture in the prior art;
Fig. 2 is a schematic diagram of the network deployment topology of a VXLAN security gateway device in an SDN environment provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the module structure of a VXLAN security gateway device in an SDN environment provided by an embodiment of the present invention;
Fig. 4 is the processing flowchart of a VXLAN traffic load security monitoring method based on logical security boundary division provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the application scenario of a security device based on the security gateway provided by an embodiment of the present invention.
Specific implementation mode
For ease of understanding the embodiments of the present invention, they are further explained below with reference to the drawings and several specific embodiments; these embodiments do not limit the embodiments of the present invention.
Embodiment one
Aiming at the performance problem and the monitoring granularity problem of existing security device deployment schemes, the present invention realizes a VXLAN security gateway device in an SDN environment that is dedicated to solving the attachment of conventional physical security devices in a Layer 2 network environment. The network deployment topology of the VXLAN security gateway device in an SDN environment provided by an embodiment of the present invention is shown in Fig. 2: the VXLAN security gateway device is arranged in a Layer 2 physical switch, and network security devices such as intrusion detection systems and network firewalls are also deployed and connected directly to the Layer 2 physical switch. The processing flow by which the above VXLAN security gateway device performs security monitoring on VXLAN packets includes:
Step 21: In the configuration interface of the security gateway, configure the unit logical boundary of the business system to be monitored, i.e. specify the VXLAN ID, the IP address and the MAC address of the virtual machines included in the system to be monitored.
Step 22: In the configuration interface of the security gateway, register the port information of the physical switch to which the network security device is connected.
Step 23: The VXLAN security gateway device issues an OpenFlow flow table to the Layer 2 physical switch to which the security gateway is connected, so that the VXLAN traffic belonging to the business system to be monitored is forwarded to the packet receiving port of the security gateway after entering the Layer 2 physical switch.
Step 24: After receiving a VXLAN packet, the VXLAN security gateway device analyzes the type of the received VXLAN packet based on the unit logical boundary of the monitored objects configured by the user.
Step 25: VXLAN packets received on the packet receiving port that belong to the same VXLAN but do not need monitoring are forwarded directly, together with a matching flow table policy, so that VXLAN packets sent from the packet sending port of the VXLAN security gateway device are delivered directly to the corresponding destination device.
For VXLAN packets received on the packet receiving port that need monitoring, the VXLAN security gateway device first removes the VXLAN header and saves it, then, depending on whether bypass detection is being performed, decides whether to copy the VXLAN packet, specifies the destination security device for the VXLAN packet, issues a flow table to the physical switch to which it is connected, and forwards the processed VXLAN packet from the packet sending port.
For VLAN packets received on the packet receiving port that belong to the traffic forwarded back by the firewall, the security gateway removes the VLAN label from the VLAN packet, retrieves the VXLAN encapsulation header of that VXLAN packet, re-adds the VXLAN encapsulation, and then sends the packet from the packet sending port.
The module structure of the VXLAN security gateway device in an SDN environment of the embodiment of the present invention is shown in Fig. 3 and includes the following main modules: a network packet transceiver module, a network packet classification module, a network packet logic processing engine module, a network packet format encapsulation module, an OpenFlow flow table issuing module, a business system network security boundary control module and a security device registration management module.
The network packet transceiver module is used to receive, through the packet receiving port, VXLAN packets that need security monitoring and VXLAN packets that need to be forwarded to the destination host after inspection by the network firewall, and to send, through the packet sending port, the VXLAN packets that have gone through upper-layer business logic processing into the network.
The network packet classification module is used to classify the VXLAN packets received through the packet receiving port into VXLAN packets that require security monitoring, VXLAN packets that do not require security monitoring, and VXLAN packets that have been inspected by the firewall, and to submit the classification result to the network packet logic processing engine for processing.
The network packet logic processing engine module is the core control module of the security gateway. It selects the business logic to call according to the classification of the packet. For VXLAN packets that do not require security monitoring, it calls the interface of the network packet transceiver module to send them out directly. For VXLAN packets that require security monitoring, it calls the network packet format encapsulation module to record the current VXLAN encapsulation header, removes the current VXLAN header, applies the VLAN label corresponding to the security device port configured for the security boundary of the business virtual machine to which the VXLAN packet belongs (as provided by the business system network security boundary control module) to obtain the processed packet, and, after the OpenFlow flow table issuing module has successfully issued the flow table to the relevant switch, forwards the processed packet through the interface of the network packet transceiver module. For VXLAN packets that have been inspected by the firewall, it transfers them to the network packet format encapsulation module and calls the interface of the network packet transceiver module to forward the re-encapsulated VXLAN packets returned by the network packet format encapsulation module.
The network packet format encapsulation module is used to disassemble the header of a packet in VXLAN format, to store the VXLAN header indexed by flow information, and at the same time to apply the VLAN label to the packet according to the VLAN ID corresponding to the destination security device; for VXLAN packets that have been inspected by the firewall, it retrieves the VXLAN header through the flow index information, performs VXLAN encapsulation again, and transfers the VXLAN-encapsulated packet to the network packet logic processing engine module.
The OpenFlow flow table issuing module is used to provide the corresponding flow table forwarding entry for the data payload that has been extracted from VXLAN and encapsulated in VLAN, and to issue the flow table to the corresponding switch.
The business system network security boundary control module is used to provide the user with visual network security boundary management: the user can select the specific business virtual machines inside a VXLAN that require security monitoring, which provides fine-grained security boundary control while reducing the load on the network and on the security device. After the security boundary has been created, a registered physical security device can be selected for it.
The security device registration management module is used to provide the user with access registration for physical security devices; the registered content mainly includes the model and description of the physical security device and the port number through which it is connected to the physical switch.
The VXLAN flow load method for safety monitoring that a kind of logic-based security boundary provided in an embodiment of the present invention divides Process flow as shown in figure 4, include following processing step:
Step 41, from packet receiving mouth received data packet.
Step 42 first determines whether that the encapsulation format of data packet is VXLAN or VLAN, if encapsulation format is VXLAN, base The load of VXLAN internal datas is taken out since load byte in the data frame format of VXLAN, then goes to solve with the format of standard Ether frame The data payload is analysed, the virtual machine in data payload source is determined by five-tuple, VXLAN, IP and MAC of the virtual machine to be monitored It is specified in operation system network security border control module by user, if virtual machine belongs in monitoring boundary, goes to 43, otherwise Go to 49;If the encapsulation format of outlier data packet is VLAN, 47 are gone to.
Step 43: Use the MAC and IP address of the virtual machine to which the packet belongs as the index key. When the source and destination hosts are in the same VXLAN, only the source address is used as the index, so that the same packet is not put through security monitoring twice; when the source and destination hosts are not in the same VXLAN, the address of the virtual machine in the current VXLAN is used as the index. The VXLAN header information of the packet is stored under this index, forming the payload mapping table.
Step 44: Parse the VXLAN encapsulation format, strip the VXLAN header, and take out the original Ethernet frame carried in the payload.
Step 45: When the user registers a security device, a VLAN ID must be specified for each switch port to which the security device is connected. Then, when the business-system network security boundary control module assigns a security device to each virtual machine that needs monitoring in each VXLAN, the security VLAN corresponding to that virtual machine is specified at the same time. After the VXLAN encapsulation is removed, the packet is tagged with the security VLAN corresponding to the virtual machine it belongs to, which yields the processed packet.
Step 46: Based on the security VLAN tag, issue OpenFlow flow entries that steer the flow by the combination of port and VLAN: packets carrying that VLAN tag sent out of the gateway's transmit port are forwarded to the port to which the security device is connected, and for firewall-type devices the flow entry specifies that traffic belonging to the security VLAN arriving from the firewall's output port is forwarded to the receive port of the security gateway.
Step 47: If a packet comes from a security VLAN, it has passed through the inline security device (for example, a firewall) and been allowed through by it. For such a packet, look up its VXLAN header in the payload mapping table, using the packet's MAC and IP address as the index.
Step 48: Remove the VLAN tag from the packet and re-encapsulate it with the VXLAN header retrieved from the payload mapping table.
Step 49: Send the packet onto the network.
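The data path of steps 43 to 49 as working code. This is an added example written for this page, not the patent's implementation: it parses the VXLAN encapsulation (RFC 7348), saves the outer headers in a payload mapping table indexed by the inner source MAC and IPv4 address, hands the bare Ethernet frame to the security device on the per-device security VLAN, and restores the saved encapsulation when the frame comes back. All MAC and IP addresses, the VNI 5001 and the security VLAN 100 are constructed samples; the check in from_security_device that a returning frame sits on its own VM's security VLAN is this example's addition, not something the page specifies.

```python
"""VXLAN security-gateway data path (steps 43-49). Added example, not the patent's code.
Addresses, VNI and VLAN ID are constructed samples; the security-VLAN policy check
in from_security_device is this example's own hardening."""
import struct
from typing import Dict, Optional, Tuple

ETH_P_IP, ETH_P_8021Q, VXLAN_UDP_PORT = 0x0800, 0x8100, 4789
HostKey = Tuple[bytes, bytes]   # (MAC, IPv4) of the VM a packet belongs to


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # zero UDP csum, allowed for VXLAN
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp


def build_vxlan(dst_mac: bytes, src_mac: bytes, src_vtep: bytes, dst_vtep: bytes,
                vni: int, inner: bytes) -> bytes:
    vxlan_hdr = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # RFC 7348: I flag + 24-bit VNI
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + build_ipv4_udp(
        src_vtep, dst_vtep, 49152, VXLAN_UDP_PORT, vxlan_hdr + inner)


def parse_vxlan(frame: bytes) -> Tuple[bytes, int, bytes]:
    """Step 44: return (outer Ethernet/IP/UDP/VXLAN headers, VNI, inner Ethernet frame)."""
    if len(frame) < 64 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    udp_off = 14 + (frame[14] & 0x0F) * 4
    if frame[23] != 17 or struct.unpack_from("!H", frame, udp_off + 2)[0] != VXLAN_UDP_PORT:
        raise ValueError("not UDP/4789")
    vx_off = udp_off + 8
    if not frame[vx_off] & 0x08:
        raise ValueError("VXLAN I flag clear, VNI not valid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    return frame[:vx_off + 8], vni, frame[vx_off + 8:]


def inner_host_key(inner: bytes) -> HostKey:
    """Step 43 index: source MAC and IPv4 of the inner frame (IPv4 inner frames only here)."""
    if struct.unpack_from("!H", inner, 12)[0] != ETH_P_IP:
        raise ValueError("cannot index non-IPv4 inner frame")
    return inner[6:12], inner[26:30]


def add_vlan_tag(frame: bytes, vlan_id: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF) + frame[12:]


def strip_vlan_tag(frame: bytes) -> Tuple[int, bytes]:
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != ETH_P_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return tci & 0x0FFF, frame[:12] + frame[16:]


class VxlanSecurityGateway:
    def __init__(self, policy: Dict[HostKey, int]):
        self.policy = policy                       # monitored VM -> security VLAN of its device
        self.mapping: Dict[HostKey, bytes] = {}    # payload mapping table: VM -> saved outer headers

    def to_security_device(self, frame: bytes) -> Optional[bytes]:
        """Steps 43-45. None means: not monitored, forward the VXLAN packet unchanged."""
        outer, _vni, inner = parse_vxlan(frame)
        key = inner_host_key(inner)
        vlan = self.policy.get(key)
        if vlan is None:
            return None
        self.mapping[key] = outer
        return add_vlan_tag(inner, vlan)

    def from_security_device(self, tagged: bytes) -> Optional[bytes]:
        """Steps 47-48. None (drop) unless the frame is on its own VM's security VLAN with a saved header."""
        vlan, inner = strip_vlan_tag(tagged)
        key = inner_host_key(inner)
        if self.policy.get(key) != vlan or key not in self.mapping:
            return None
        # Inner length is unchanged, so the saved outer IP/UDP lengths and checksum still hold.
        return self.mapping[key] + inner


# Constructed sample: VM1 (monitored) and VM2 (not monitored) behind VTEP1 send to VM3 behind VTEP2.
VM1, VM2, VM3 = mac("00:00:00:00:00:01"), mac("00:00:00:00:00:02"), mac("00:00:00:00:00:03")
VTEP1, VTEP2, SEC_VLAN, VNI = ip4("192.168.0.1"), ip4("192.168.0.2"), 100, 5001


def sample_frame(src_mac: bytes, src_ip: str) -> bytes:
    inner = VM3 + src_mac + struct.pack("!H", ETH_P_IP) + build_ipv4_udp(
        ip4(src_ip), ip4("10.1.1.3"), 40000, 53, b"query")
    return build_vxlan(mac("00:aa:aa:aa:aa:02"), mac("00:aa:aa:aa:aa:01"), VTEP1, VTEP2, VNI, inner)


def run_demo() -> dict:
    gw = VxlanSecurityGateway({(VM1, ip4("10.1.1.1")): SEC_VLAN})
    vm1, vm2 = sample_frame(VM1, "10.1.1.1"), sample_frame(VM2, "10.1.1.2")
    tagged = gw.to_security_device(vm1)
    injected = add_vlan_tag(parse_vxlan(vm2)[2], SEC_VLAN)   # VM2 frame forged onto the security VLAN
    return {"vm1": vm1, "vm2_passthrough": gw.to_security_device(vm2), "tagged": tagged,
            "restored": gw.from_security_device(tagged), "injected": gw.from_security_device(injected)}
```

The restoration works without recomputing any checksum only because the firewall returns the frame byte-for-byte; a device that rewrites the inner frame (NAT, normalisation) would require the outer IP total length, UDP length and IP checksum to be rebuilt before re-encapsulation.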
Embodiment two
In a data center or cloud computing center built around virtualization, when VXLAN is used as the isolation scheme for the logical boundaries of business networks, most conventional physical security devices cannot parse the VXLAN protocol format and therefore cannot identify packets encapsulated in VXLAN. Converting VXLAN into ordinary Ethernet frames by means of a VXLAN gateway deployed on a layer-3 switch brings a series of problems in performance and configuration flexibility, and because traffic that does not cross VXLANs is generally never sent to the layer-3 switch, the security devices are unable to monitor east-west traffic within a VXLAN. The device realized by the present invention is deployed on the access switch. By parsing the VXLAN payload and using the OpenFlow protocol, it implements a security gateway that selectively converts the network traffic that needs monitoring into VLAN-encapsulated Ethernet frames and forwards them to the physical security devices.
The device comprises at least the following main modules: a network packet transceiver module, a network packet classification module, a network packet logic processing engine, a network packet format encapsulation module, an OpenFlow flow table issuing module, a business-system network security boundary control module and a security device registration management module.
As shown in Figure 5, VM1 and VM2 on virtualized server 1 belong to VXLAN 5001, VM2 on virtualized server 2 belongs to VXLAN 5002, and VM1 wants to send a packet to VM3; the MAC address of each VM and the IP address of each VTEP are marked in Figure 5. The function of each module and the working process of the whole system are described below with reference to this concrete embodiment.
Step 51: The user registers the basic information of the network firewall device through the security device registration management module and specifies port 3 and port 4 as the firewall's receive port and transmit port respectively. After registration is complete, the system automatically assigns the device a security VLAN ID, which is used to identify its traffic during OpenFlow forwarding.
Step 52: Through the business-system network security boundary control module, the user specifies that the traffic of VM1 needs to be monitored, that is, it must pass through the firewall, while the traffic of VM2 does not need monitoring, and specifies the network firewall registered in step 51 as the security device that monitors the traffic of VM1.
Step 53: VM1 and VM2 send packets to VM3. By issuing flow entries to the layer-2 physical switch, all traffic of VXLAN 5001 is forwarded to the receive port of the security gateway, i.e. port 1.
Step 54: The network packet transceiver module receives the packets coming from VXLAN 5001; the network packet classification module parses the VXLAN packets and separately matches the packets coming from VM1 and from VM2.
Step 55: The network packet logic processing engine handles the classification results. Packets from VM2 are not within the monitoring boundary and are therefore sent out directly by the network packet transceiver module; the corresponding flow entry on the layer-2 physical switch forwards the packets sent out of port 2 to the port corresponding to VTEP2. The VXLAN packets from VM1 fall within the range that needs monitoring and are therefore handed to the network packet format encapsulation module for processing.
Step 56: The network packet format encapsulation module parses VM1's VXLAN packet and saves the VXLAN header, using MAC1 and IP1 as the index of that header. Using MAC1 and IP1 it obtains the corresponding security VLAN ID from the business-system network security boundary control module and applies VLAN encapsulation to the VXLAN packet from which the header has been removed, obtaining the processed packet.
Step 57: The OpenFlow flow table issuing module, according to the VLAN ID used in the encapsulation and the port numbers of the security device corresponding to that VLAN ID, issues flow entries to the layer-2 physical switch: among the packets sent out of port 2, those carrying that VLAN ID are forwarded to port 3, and among the packets sent out of port 4, those carrying that VLAN ID are forwarded to port 1.
Step 58: The processed packet is sent out of port 2.
Step 59: Based on the OpenFlow flow rule, the packet is forwarded to port 3. After being filtered by the firewall, it is sent back into the physical switch through port 4, forwarded to port 1 according to the flow entry issued in step 57, and received by the network packet transceiver module.
Step 510: The network packet classification module recognizes that the packet comes from the security VLAN, and the network packet logic processing engine hands it to the network packet format encapsulation module for processing. Using the MAC address and IP address in the packet, the network packet format encapsulation module finds the VXLAN header cached earlier, removes the VLAN encapsulation, and re-encapsulates the packet with the VXLAN header it found.
Step 511: The re-encapsulated VXLAN packet is sent onto the network by the network packet transceiver module. According to the flow entry in the physical switch's flow table, packets sent out of port 2 that belong to VXLAN 5001 are forwarded to the port corresponding to VTEP2, which completes the security monitoring and forwarding of the whole packet.
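The flow entries of steps 53, 55, 57 and 511 as a priority-ordered flow table, with a trace of the Figure 5 packets through the switch, the gateway and the firewall. This is an added example, not the patent's code. Ports 1 to 4 are the page's; ports 10 and 11 (the switch ports facing VTEP1 and VTEP2), the security VLAN 100 and a switch able to match the VNI of a transit VXLAN packet are constructed assumptions. The example also shows why the step-53 entry must be scoped to the VTEP-facing ingress port: an entry that literally sends all VXLAN 5001 traffic to port 1 also catches the gateway's own re-encapsulated output on port 2 and loops it back.

```python
"""Flow-table model for the Figure 5 walk-through. Added example, not the patent's code.
Ports 1-4 are from the page; ports 10/11, VLAN 100 and a VNI match on transit VXLAN
packets are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GW_RX, GW_TX, FW_RX, FW_TX = 1, 2, 3, 4     # gateway receive/transmit, firewall receive/transmit
VTEP1_PORT, VTEP2_PORT = 10, 11             # assumed switch ports facing the two VTEPs
SEC_VLAN, VNI = 100, 5001
MONITORED = {"VM1"}                         # step 52: VM1 is monitored, VM2 is not


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_vm: str
    vlan: Optional[int] = None    # 802.1Q tag while travelling to/from the firewall
    vni: Optional[int] = None     # VXLAN VNI while still encapsulated


@dataclass(frozen=True)
class Flow:
    priority: int
    out_port: int
    in_port: Optional[int] = None   # None = wildcard
    vlan: Optional[int] = None
    vni: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.in_port, p.in_port), (self.vlan, p.vlan), (self.vni, p.vni)))


def lookup(table: List[Flow], p: Packet) -> Optional[int]:
    """Highest priority wins. Among equal priorities OpenFlow leaves overlapping matches
    undefined; this model takes the entry installed first."""
    for f in sorted(table, key=lambda f: -f.priority):
        if f.matches(p):
            return f.out_port
    return None


def switch_flows(scope_by_in_port: bool) -> List[Flow]:
    """Steps 53, 55/511 and 57. With scope_by_in_port=False the step-53 entry is the literal
    'all VXLAN 5001 traffic to port 1' and also matches the gateway's own output on port 2."""
    step53 = Flow(200, GW_RX, in_port=VTEP1_PORT if scope_by_in_port else None, vni=VNI)
    return [step53,
            Flow(200, VTEP2_PORT, in_port=GW_TX, vni=VNI),    # steps 55/511: gateway output to VTEP2
            Flow(200, FW_RX, in_port=GW_TX, vlan=SEC_VLAN),   # step 57: tagged frames to the firewall
            Flow(200, GW_RX, in_port=FW_TX, vlan=SEC_VLAN)]   # step 57: firewall output back to gateway


def gateway(p: Packet) -> Packet:
    """Steps 55/56 (classify, strip VXLAN, tag) and step 510 (restore VXLAN)."""
    if p.vlan == SEC_VLAN:
        return Packet(GW_TX, p.src_vm, vni=VNI)
    if p.src_vm in MONITORED:
        return Packet(GW_TX, p.src_vm, vlan=SEC_VLAN)
    return Packet(GW_TX, p.src_vm, vni=p.vni)


def trace(table: List[Flow], p: Packet, max_hops: int = 8) -> Tuple[List[int], bool]:
    """Follow a packet from its ingress port; returns (ports it was output to, looped?)."""
    visited: List[int] = []
    for _ in range(max_hops):
        out = lookup(table, p)
        if out is None:
            break
        visited.append(out)
        if out == GW_RX:
            p = gateway(p)
        elif out == FW_RX:
            p = Packet(FW_TX, p.src_vm, vlan=p.vlan)   # firewall permits the frame unchanged
        else:
            return visited, False                      # left the switch towards a VTEP
    return visited, len(visited) == max_hops
```

With the scoped table, VM1's packet takes the path 1, 3, 1, 11 (gateway, firewall, gateway, VTEP2) and VM2's packet takes 1, 11; with the unscoped table, VM1's packet never leaves the switch. Note that standard OpenFlow 1.x has no match field for the VNI of a VXLAN packet the switch merely transits (tunnel-ID matching applies to tunnels the switch itself terminates), so a real deployment of step 53 would match on UDP destination port 4789 and the VTEP addresses, or terminate the tunnel on the switch; the page takes the VNI match as given.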
Those of ordinary skill in the art will understand that the drawings are schematic diagrams of one embodiment, and the modules or flows in the drawings are not necessarily required to implement the present invention.
Those of ordinary skill in the art will understand that the modules in the device of an embodiment may be distributed in the device of that embodiment as described, or may be correspondingly changed and located in one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into multiple sub-modules.
Those of ordinary skill in the art will understand that all or part of the flow of the above method embodiments may be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of each of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
In summary, the VXLAN security gateway device under an SDN environment according to the embodiments of the present invention, by providing a network packet transceiver module, a network packet logic processing engine module, an OpenFlow flow table issuing module and a business-system network security boundary control module, has the following advantageous effects:
1) existing mature and stable network security products can be used effectively;
2) security is managed centrally, without separate configuration on multiple platforms such as layer-3 switches and SDN controllers;
3) the flexible control that SDN offers over network traffic can be fully exploited;
4) connecting the physical security devices in the layer-2 physical network effectively reduces the traffic load on the layer-3 physical aggregation layer;
5) it has a degree of generality across VXLAN and non-VXLAN network environments;
6) east-west network traffic can be monitored without forcing traffic to be forwarded to a layer-3 switch.
The above is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention should be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.

Claims (10)

1. A VXLAN security gateway device under an SDN environment, characterized in that it is arranged in a layer-2 physical switch and specifically comprises: a network packet transceiver module, a network packet logic processing engine module, an OpenFlow flow table issuing module and a business-system network security boundary control module;
the network packet transceiver module is configured to receive, through a receive port, the VXLAN packets that require security monitoring and pass the VXLAN packets to the network packet logic processing engine module, and to send, through a transmit port, the processed packets produced by the network packet logic processing engine module onto the network;
the network packet logic processing engine module is configured, for the VXLAN packets that require security monitoring, to remove the header of the VXLAN packet, to tag the header-stripped VXLAN packet with a VLAN according to the port of the physical security device configured for the security boundary corresponding to the business virtual machine to which the VXLAN packet belongs, thereby obtaining the processed packet, and, after the OpenFlow flow table issuing module has issued the flow-table forwarding entry to the corresponding switch, to pass the processed packet to the network packet transceiver module;
the OpenFlow flow table issuing module is configured to provide the corresponding flow-table forwarding entry for the processed packet and to issue the flow-table forwarding entry to the corresponding switch.
2. The VXLAN security gateway device under an SDN environment according to claim 1, characterized in that the device further comprises:
a network packet classification module, configured to classify the packets received by the network packet transceiver module into VXLAN packets that require security monitoring, VXLAN packets that do not require security monitoring, and VLAN packets that have been inspected by the firewall, and to submit the classification result to the network packet logic processing engine for processing.
3. The VXLAN security gateway device under an SDN environment according to claim 2, characterized in that the device further comprises:
a network packet format encapsulation module, configured to parse the header of the VXLAN packet removed by the network packet logic processing engine module, to store the header of the VXLAN packet indexed by flow information, and to apply the VLAN tag to the processed packet according to the VLAN ID corresponding to the destination security device.
4. The VXLAN security gateway device under an SDN environment according to claim 3, characterized in that the device further comprises:
a security device registration management module, configured to provide the user with access registration for physical security devices, the registered content including the model and description of the physical security device and the port numbers on the physical switch to which it is connected.
5. The VXLAN security gateway device under an SDN environment according to claim 4, characterized in that the device further comprises:
a business-system network security boundary control module, configured to provide the user with visual network security boundary control, in which the specific business virtual machines that require security monitoring are selected within one VXLAN and, after the security boundary has been created, a registered physical security device is selected for the security boundary.
6. The VXLAN security gateway device under an SDN environment according to any one of claims 2 to 5, characterized in that:
the network packet logic processing engine module is further configured, for VXLAN packets that do not require security monitoring, to call the transmit interface of the network packet transceiver module to send the VXLAN packet directly; and, for VLAN packets that have been inspected by the firewall, to pass them to the network packet format encapsulation module and to call the transmit interface of the network packet transceiver module to send out the re-encapsulated VXLAN packet returned by the network packet format encapsulation module;
the network packet format encapsulation module is further configured, for VLAN packets that have been inspected by the firewall, to retrieve the VXLAN header through the flow index information, to re-apply the VXLAN encapsulation, and to pass the re-encapsulated VXLAN packet to the network packet logic processing engine module.
7. An application method of a VXLAN security gateway device under an SDN environment, characterized in that the VXLAN security gateway device is installed in a layer-2 physical switch and the method specifically comprises:
the VXLAN security gateway device receives, through a receive port, the VXLAN packets that require security monitoring, removes the header of each VXLAN packet that requires security monitoring, and tags the header-stripped VXLAN packet with a VLAN according to the port of the physical security device configured for the security boundary corresponding to the business virtual machine to which the VXLAN packet belongs, obtaining the processed packet;
provides the corresponding flow-table forwarding entry for the processed packet and issues the flow-table forwarding entry to the corresponding switch; and, through the transmit port, passes the processed packet to the network packet transceiver module.
8. The application method of the VXLAN security gateway device under an SDN environment according to claim 7, characterized in that the method further comprises:
the VXLAN security gateway device classifies the VXLAN packets received by the network packet transceiver module into VXLAN packets that require security monitoring, VXLAN packets that do not require security monitoring, and VLAN packets that have been inspected by the firewall.
9. The application method of the VXLAN security gateway device under an SDN environment according to claim 8, characterized in that the method further comprises:
the VXLAN security gateway device parses the header of the removed VXLAN packet and stores the header of the VXLAN packet indexed by flow information, while applying the VLAN tag to the processed packet according to the VLAN ID corresponding to the destination security device;
provides the user with access registration for physical security devices, the registered content including the model and description of the physical security device and the port numbers on the physical switch to which it is connected;
provides the user with visual network security boundary control, in which the specific business virtual machines that require security monitoring are selected within one VXLAN and, after the security boundary has been created, a registered physical security device is selected for the security boundary.
10. The application method of the VXLAN security gateway device under an SDN environment according to claim 8 or 9, characterized in that:
the VXLAN security gateway device is further configured, for VXLAN packets that do not require security monitoring, to call the transmit interface to send the VXLAN packet directly; and, for VLAN packets that have been inspected by the firewall, to retrieve the VXLAN header through the flow index information, to re-apply the VXLAN encapsulation, and to call the transmit interface to send out the re-encapsulated VXLAN packet.
Application CN201510857787.8A (priority date 2015-11-30, filing date 2015-11-30): VXLAN security gateway device under an SDN environment and its application method. Status: Active. Grant publication: CN105429870B (en).

Publications (2)

Publication Number Publication Date
CN105429870A (application, en) 2016-03-23
CN105429870B (granted patent, en) 2018-10-02

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information (inventor after: Li Fuqiong; inventors before: Li De, Zhou Dong, Li Fuqiong)
COR Change of bibliographic data
GR01 Patent grant