CN106301861B - Conflict detection method, device and controller - Google Patents


Info

Publication number: CN106301861B
Application number: CN201510313546.7A
Authority: CN (China)
Prior art keywords: policy, time, service, conflict, protection
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106301861A (en)
Inventors: 黄旗明, 周靖, 于魁飞
Current assignee: Beijing Zhigu Ruituo Technology Services Co Ltd
Original assignee: Beijing Zhigu Ruituo Technology Services Co Ltd
Application filed by Beijing Zhigu Ruituo Technology Services Co Ltd; priority application CN201510313546.7A; published as CN106301861A; granted as CN106301861B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters, by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters, by checking availability by checking functioning

Abstract

The embodiments of the application provide a conflict detection method, a conflict detection device and a controller. The method comprises: determining a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is contained in the first service time and the duration of the first protection time is shorter than that of the first service time; and detecting whether the first policy conflicts with at least one other policy only within the first protection time of the first policy. The embodiments of the application thereby provide a scheme for detecting conflicts.

Description

Conflict detection method, device and controller
Technical Field
The embodiments of the application relate to the field of networking, and in particular to a conflict detection method, a conflict detection device and a controller.
Background
Compared with a traditional network architecture, a Software Defined Network (SDN) generates a large number of policies because of its programmability. These policies are numerous and varied, so policy conflict is a problem that cannot be ignored, and conflict detection and conflict handling must be performed on the policies.
In existing policy conflict detection, the service time of a policy is usually used as the period during which it participates in conflict detection. Since the service time of some policies is long, the amount of conflict detection work is large, which affects the operating efficiency of the network.
Disclosure of Invention
In view of the above, an object of the embodiments of the present application is to provide a scheme for conflict detection.
To achieve the above object, according to a first aspect of the embodiments of the present application, a conflict detection method is provided, including:
determining a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is contained in the first service time and the duration of the first protection time is shorter than that of the first service time; and
detecting whether the first policy conflicts with at least one other policy only within the first protection time of the first policy.
With reference to the first aspect, in a first possible implementation of the first aspect, determining the first protection time of the first policy according to at least the first service time of the first policy includes:
determining the first protection time of the first policy according to at least the first service time of the first policy, at least one stability parameter of the network environment to which the first policy applies, and at least one importance parameter of at least one event or service corresponding to the first policy.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a second possible implementation of the first aspect, determining the first protection time of the first policy according to at least the first service time of the first policy, the at least one stability parameter of the network environment to which the first policy applies, and the at least one importance parameter of the at least one event or service corresponding to the first policy includes:
determining a coefficient according to at least the at least one stability parameter and the at least one importance parameter, the coefficient being less than 1;
determining that the duration of the first protection time equals the product of the duration of the first service time and the coefficient; and
determining the first protection time according to at least the start time of the first service time and the duration of the first protection time.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a third possible implementation of the first aspect, the at least one stability parameter includes: at least one first parameter identifying the stability of at least one network device involved in the first policy, and a second parameter identifying the frequency at which new policies are generated in the network segment to which the first policy applies.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the start time of the first protection time is the same as the start time of the first service time.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a fifth possible implementation of the first aspect, after detecting whether the first policy conflicts with at least one other policy, the method further includes:
executing the first policy in response to the detection result being no conflict, or the detection result being a conflict but the first policy being selected for execution according to a conflict handling rule.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a sixth possible implementation of the first aspect, executing the first policy includes:
configuring the first policy on at least one network device involved in the first policy.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a seventh possible implementation of the first aspect, after detecting whether the first policy conflicts with at least one other policy, the method further includes:
in response to the detection result being a conflict, determining according to a conflict handling rule not to execute the first policy but to execute a second policy that replaces it, and deactivating the first policy.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in an eighth possible implementation of the first aspect, deactivating the first policy includes:
in response to the end time of the first protection time being later than the end time of a second protection time of the second policy, changing the start time of the first protection time to the end time of the second protection time.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a ninth possible implementation of the first aspect, deactivating the first policy includes:
terminating the first policy in response to the end time of the first protection time being not later than the end time of the second protection time of the second policy.
With reference to the first aspect or any one of the foregoing possible implementations of the first aspect, in a tenth possible implementation of the first aspect, the conflict handling rule includes: executing the policy with the highest priority among the mutually conflicting policies.
To achieve the above object, according to a second aspect of the embodiments of the present application, a conflict detection device is provided, including:
a determining module, configured to determine a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is contained in the first service time and the duration of the first protection time is shorter than that of the first service time; and
a detection module, configured to detect whether the first policy conflicts with at least one other policy only within the first protection time of the first policy.
With reference to the second aspect, in a first possible implementation of the second aspect, the determining module is specifically configured to:
determine the first protection time of the first policy according to at least the first service time of the first policy, at least one stability parameter of the network environment to which the first policy applies, and at least one importance parameter of an event or service corresponding to the first policy.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a second possible implementation of the second aspect, the determining module includes:
a first determining unit, configured to determine a coefficient according to at least the at least one stability parameter and the at least one importance parameter, the coefficient being less than 1;
a second determining unit, configured to determine that the duration of the first protection time equals the product of the duration of the first service time and the coefficient; and
a third determining unit, configured to determine the first protection time according to at least the start time of the first service time and the duration of the first protection time.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a third possible implementation of the second aspect, the at least one stability parameter includes: at least one first parameter identifying the stability of at least one network device involved in the first policy, and a second parameter identifying the frequency at which new policies are generated in the network segment to which the first policy applies.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the start time of the first protection time is the same as the start time of the first service time.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the device further includes:
an execution module, configured to execute the first policy in response to the detection result being no conflict, or the detection result being a conflict but the first policy being selected for execution according to a conflict handling rule.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a sixth possible implementation of the second aspect, the execution module is specifically configured to: in response to the detection result being no conflict, or the detection result being a conflict but the first policy being selected for execution according to a conflict handling rule, configure the first policy on at least one network device involved in the first policy.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a seventh possible implementation of the second aspect, the device further includes:
a deactivation module, configured to deactivate the first policy in response to the detection result being a conflict and it being determined according to the conflict handling rule not to execute the first policy but to execute a second policy that replaces it.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in an eighth possible implementation of the second aspect, the deactivation module is specifically configured to: in response to the detection result being a conflict and it being determined according to the conflict handling rule not to execute the first policy but to execute a second policy that replaces it, change the start time of the first protection time to the end time of a second protection time of the second policy, where the end time of the first protection time is later than the end time of the second protection time.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a ninth possible implementation of the second aspect, the deactivation module is specifically configured to: in response to the detection result being a conflict and it being determined according to the conflict handling rule not to execute the first policy but to execute a second policy that replaces it, terminate the first policy, where the end time of the first protection time is not later than the end time of the second protection time of the second policy.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a tenth possible implementation of the second aspect, the conflict handling rule includes: executing the policy with the highest priority among the mutually conflicting policies.
To achieve the above object, according to a third aspect of the embodiments of the present application, a controller is provided, including:
a communication interface, configured to communicate with a plurality of network devices governed by the controller;
a memory, configured to store instructions; and
a processor, configured to execute the instructions stored in the memory, the instructions causing the processor to:
determine a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is contained in the first service time and the duration of the first protection time is shorter than that of the first service time;
detect whether the first policy conflicts with at least one other policy only within the first protection time of the first policy;
determine, according to the detection result and/or a conflict handling rule, at least one policy to execute; and
configure the at least one policy on at least one network device involved in the at least one policy through the communication interface.
At least one of the above technical solutions has the following beneficial effect:
the method and device determine a first protection time of a first policy according to at least the first service time of the first policy, and detect whether the first policy conflicts with at least one other policy only within that first protection time. This provides a scheme for detecting conflicts in which a policy participates in conflict detection only within a protection time shorter than its service time, so the amount of conflict detection work is reduced and the operating efficiency of the network is improved.
Drawings
Fig. 1 is a schematic flowchart of an embodiment of the conflict detection method provided in the present application;
Fig. 2 is a schematic structural diagram of an embodiment of the conflict detection device provided in the present application;
Figs. 3 to 5 are schematic structural diagrams of implementations of the embodiment shown in Fig. 2;
Fig. 6 is a schematic structural diagram of an embodiment of the controller provided in the present application;
Fig. 7 is a schematic structural diagram of an implementation of the embodiment shown in Fig. 6.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings and examples. The examples illustrate the invention and do not limit its scope.
Fig. 1 is a schematic flowchart of an embodiment of the conflict detection method provided in the present application. As shown in Fig. 1, the embodiment includes:
110. Determining a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is contained in the first service time and the duration of the first protection time is shorter than the duration of the first service time.
For example, the conflict detection device of an embodiment provided by the present application, or the controller of an embodiment provided by the present application, acts as the executing entity of this embodiment and performs steps 110 to 120.
In this embodiment, the first policy may be any policy and does not refer to a specific policy; "first" only distinguishes it from the other policies mentioned in this embodiment.
In this embodiment, the first service time is the service time of the first policy, and the first protection time is the protection time of the first policy; again, "first" only distinguishes them from the service times and protection times of the other policies mentioned in this embodiment.
In this embodiment, "the first protection time is contained in the first service time" means that the start time of the first protection time is not earlier than the start time of the first service time, and the end time of the first protection time is not later than the end time of the first service time. The start time of the first protection time may be the same as or different from the start time of the first service time.
120. Detecting whether the first policy conflicts with at least one other policy only within the first protection time of the first policy.
In this embodiment, detecting whether the first policy conflicts with at least one other policy only within the first protection time means that no such detection is performed outside the first protection time; that is, the first policy does not participate in conflict detection outside its first protection time.
In this embodiment, the at least one other policy may be a policy applied to the same network segment as the first policy, or a policy involving the same network device as the first policy. For example, if there are four policies A, B, C and D in the network segment to which the first policy applies, it is detected whether the first policy conflicts with each of A, B, C and D. Alternatively, if the first policy involves network devices S1 and S2, policy A involves S1 and S2, policy B involves S2 and S3, policy C involves S3 and S4, and policy D involves S1, then it is detected whether the first policy conflicts with policies A, B and D, the policies that share a network device with it.
In this embodiment, the at least one other policy is optionally within its own protection time when step 120 is executed.
This embodiment provides a scheme for detecting conflicts by determining the first protection time of a first policy according to at least the first service time of the first policy and detecting whether the first policy conflicts with at least one other policy only within the first protection time. Because a policy participates in conflict detection only within a protection time shorter than its service time, the amount of conflict detection work is reduced and the operating efficiency of the network is improved.
The method of this embodiment is further described below through some optional implementations.
In this embodiment, step 110 has various implementations.
In an optional implementation, determining the first protection time of the first policy according to at least the first service time of the first policy includes:
determining the first protection time of the first policy according to at least the first service time of the first policy, at least one stability parameter of the network environment to which the first policy applies, and at least one importance parameter of at least one event or service corresponding to the first policy.
The at least one stability parameter identifies the stability of the network environment, which comprises a hardware environment and a software environment. Generally, the more stable the network environment, the longer the duration of the first protection time; the less stable the network environment, the shorter the duration of the first protection time.
The at least one importance parameter identifies the importance of the at least one event or service. Generally, the more important the at least one event or service, the longer the duration of the first protection time; the less important it is, the shorter the duration of the first protection time.
Each importance parameter identifies the importance of one event or service corresponding to the first policy; correspondingly, the at least one importance parameter corresponds one-to-one to the at least one event or service.
Generally, one policy may correspond to one or more events or services. When a policy corresponds to a plurality of events or services, it may optionally be decomposed according to those events or services into a plurality of sub-policies, each corresponding to one event or service. Correspondingly, the first policy in this embodiment may optionally be such a sub-policy, corresponding to only one event or service.
In this implementation, optionally, determining the first protection time of the first policy according to at least the first service time of the first policy, the at least one stability parameter of the network environment to which the first policy applies, and the at least one importance parameter of the at least one event or service corresponding to the first policy includes:
determining a coefficient according to at least the at least one stability parameter and the at least one importance parameter, the coefficient being less than 1;
determining that the duration of the first protection time equals the product of the duration of the first service time and the coefficient; and
determining the first protection time according to at least the start time of the first service time and the duration of the first protection time.
The start time of the first protection time may be the same as or different from the start time of the first service time. For example, the administrator may set a rule that takes the start time of each policy's service time as the start time of its protection time. As another example, when a policy is generated, the administrator may dynamically set the start time of its protection time according to the network environment to which the policy applies and the at least one event or service corresponding to it.
For example, suppose the service time of a policy runs from 12:00 on 6/1/2010 to 22:00 on 6/1/2010, that is, a service duration of 10 hours, and the determined coefficient is 0.9. The duration of the protection time is then 0.9 × 10 = 9 hours, and if the start time of the protection time is the same as the start time of the service time, the protection time runs from 12:00 on 6/1/2010 to 21:00 on 6/1/2010.
In this implementation, optionally, the at least one stability parameter includes, but is not limited to: at least one first parameter identifying the stability of at least one network device involved in the first policy, and a second parameter identifying the frequency at which new policies are generated in the network segment to which the first policy applies.
The at least one network device involved in the first policy is the at least one network device on which the first policy is to be configured; it may also be called the at least one network device involved in the event or service corresponding to the first policy.
Each first parameter identifies the stability of one of the at least one network device involved in the first policy; correspondingly, the at least one first parameter corresponds one-to-one to the at least one network device.
Services, policies and the network devices involved in policies are described below through a few examples.
1. A service sets firewalls to block hosts with specific addresses, for example 128.172.10.56 to 128.172.10.150, from connecting to the external network.
The policy corresponding to this service is:
Set Firewall_1, Firewall_2, Firewall_3
{If: IP in 128.172.10.56~128.172.10.150
Then: Reject}
The policy involves three network devices: firewall No. 1 (Firewall_1), firewall No. 2 (Firewall_2) and firewall No. 3 (Firewall_3).
2. A service sets a gateway to limit the network rate of user 128.171.10.47 to 10 megabits per second (Mb/s).
The policy corresponding to this service is:
Set Gateway_2
{If: IP = 128.171.10.47
Then: Rate = 10M}
The policy involves one network device, gateway No. 2 (Gateway_2).
3. A service adds new flow entries to all switches to establish a VPN tunnel between the local network 128.172.10.0 and the remote network 176.121.11.0.
The policy corresponding to this service is:
Set Switch_1
{Add new Flowtable Entry:
If: Source IP in 176.121.11.0
Then: Transfer to Port_1
If: Destination IP in 176.121.11.0
Then: Transfer to Port_3}
Set Switch_2
{Add new Flowtable Entry:
If: Source IP in 176.121.11.0
Then: Transfer to Port_1
If: Destination IP in 176.121.11.0
Then: Transfer to Port_5}
The policy involves a plurality of network devices, namely all switches in the network segment to which the service applies, including switch No. 1 (Switch_1), switch No. 2 (Switch_2) and so on.
4. A service has the virtualization manager slice switches No. 5, 6 and 7 into 10 virtual switches.
The policy corresponding to this service is:
Set Virtualization
{Slice Switch_5, Switch_6, Switch_7 into 10 V_Switches}
The policy involves three network devices: switch No. 5 (Switch_5), switch No. 6 (Switch_6) and switch No. 7 (Switch_7).
5. A service repairs the link failure caused by damage to switch No. 11 by avoiding that node when forwarding routes.
The policy corresponding to this service is:
Set Switch_1
{Add new Flowtable Entry}
Set Switch_10
{Add new Flowtable Entry}
Set Switch_12
{Add new Flowtable Entry}
The policy involves a plurality of network devices, namely all switches in the network segment to which the service applies except switch No. 11, including switch No. 1 (Switch_1), …, switch No. 10 (Switch_10), switch No. 12 (Switch_12) and so on.
The network segment to which the first policy applies is the network segment to which the at least one network device involved in the first policy belongs. In SDN, a network segment typically includes at least the range governed by one controller.
In this implementation, optionally, each first parameter is the ratio of the average time interval at which the corresponding network device needs to be maintained, repaired or virtualized to the maximum historical average such interval among network devices of the same type in the network; it is denoted s_eqt, and if s_eqt > 1 it is taken as 1. The second parameter is the current frequency of new policies in the network segment, that is, the ratio of the number of new policies generated in the network segment per unit time over the current period (for example the last 24 hours) to the historical new-policy generation rate of the network segment; it is denoted f_np, and if f_np < 1 it is taken as 1. Taking a first policy corresponding to one event or service as an example, the at least one importance parameter is the ratio of the priority of that event or service to the highest possible priority, denoted p_e.
Based on the above parameters, the inventors propose an optional formula for calculating the coefficient W, formula (1):
[formula (1): the image BDA0000734358910000131 is not reproduced in the text]
where min{s_eqt} denotes the minimum of the at least one first parameter, and a, b and c are constant coefficients with a + b = 1 and 0 < c < 1. To ensure that W is less than 1, a + b < 1 may optionally be used, for example a + b = 0.99; the description below takes a + b = 1.
How to use formula (1) and the effect of formula (1) is explained in a specific scenario below.
In one possible scenario, where there is a service that sets a firewall to block connection of hosts with specific addresses to extranets, the specific addresses being all addresses in the range of 128.172.10.56 to 128.172.10.150, and the service has a duration of 10 days, a policy is generated for the service as follows:
Set Firewall_1,Firewall_2,Firewall_3
{If:IP in 128.172.10.56~128.172.10.150
Then:Reject}
the service time duration of the policy is 10 days, and the policy relates to three network devices, specifically: firewall No. 1, firewall No. 2, and firewall No. 3.
Suppose the s_eqt of firewall No. 1, firewall No. 2 and firewall No. 3 are 0.93, 0.97 and 1 respectively, so the minimum min{s_eqt} = 0.93. Since the service is related to network security its priority is high, say 6, while the highest possible priority is 7, so p_e = 0.86. The new-policy generation rate of the network segment to which the policy applies is 1.7/hour in the current 24 hours and the historical new-policy generation rate of the segment is 1.2/hour, so f_np = 1.42. Assuming a, b and c in formula (1) are 0.5, 0.5 and 0.5 respectively, W = 0.74 according to formula (1), and accordingly the duration of the protection time of the policy is 0.74 × 10 = 7.4 days.
According to the prior-art scheme the policy participates in conflict detection for 10 days; with the method of this embodiment the period in which it participates is shortened to 7.4 days, so compared with the prior art the policy avoids conflict detection with a probability of 26%. Looking carefully at all the parameters: the s_eqt of the three network devices involved in the policy are all close to 1, which shows that the network devices involved are all relatively stable; the priority of the service is 6, next to the highest priority 7, which shows that the service has a high priority; the current new-policy generation rate of the network segment to which the policy applies is high, but its influence is reduced after correction by the correction coefficient c = 0.5. The resulting W = 0.74 is a large factor. It can be seen that for this kind of security-related service, on the one hand the duration of the protection time is shortened by 26% compared with the service time, which improves the efficiency of network operation, and on the other hand the protection time, being 74% of the service time, still lets the policy participate well in conflict detection, so the security service is not much affected.
In the above scenario, if the service is not security related, for example an ordinary service with a lower priority, say 3, then p_e = 3/7 ≈ 0.43; with the other parameters unchanged, W = 0.56 according to formula (1), and accordingly the duration of the protection time is 5.6 days. Compared with the 10-day service time, the time in which the policy participates in conflict detection is significantly reduced, which clearly reduces the operating cost and improves network operation efficiency. In an extreme case, if the priority of the service is 1, then p_e = 1/7 ≈ 0.14, and with the other parameters unchanged W = 0.44 according to formula (1). Comparing the two cases, because of the constant coefficients a and b a change in the priority of the service alone has a limited influence on W, and the size of that influence can be set through a and b. When the priority of the service is 1, W = 0.44, which means that the protection time of an unimportant service is less than half of its service time and the number of times the policy participates in conflict detection is greatly reduced, thereby improving network operation efficiency.
In the above scenario, if the current new-policy generation rate increases, for example to 3/hour in the current 24 hours while the historical rate is 1.2/hour, then f_np = 3/1.2 = 2.5; with the other parameters unchanged, W = 0.51 according to formula (1). It can be seen that although the service is security related and has a higher priority, the duration of the protection time is shortened when the current new-policy generation rate in the network segment to which the policy applies becomes high. If only the effect of the current new-policy generation rate on W is considered, that is, assuming min{s_eqt} = 1, p_e = 1 and f_np = 1.42, then W = 0.83 if c = 0.5 and W = 0.70 if c = 1. Thus when many new policies are currently generated in the network segment, that is, when the total number of policies in the network increases, the duration of the protection time is correspondingly shortened, which reduces the amount of conflict detection and improves the efficiency of network operation.
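The following is an added example, not code from the patent: it computes W and the protection time for the firewall scenario above. Formula (1) survives on this page only as an image, so the expression in coefficient_w() is an inference that reproduces every number the text quotes (0.74, 0.56, 0.44, 0.51, 0.83, 0.70); the clamping of s_eqt and f_np and the a, b, c constraints follow the text.

```python
# Added example (not from the patent). coefficient_w() uses an INFERRED form of
# formula (1) that reproduces all the numerical results quoted in the text.

def clamp_stability(s_eqt):
    """First parameter: a device's average maintenance/repair/virtualisation
    interval over the historical maximum for its device type; the text takes
    s_eqt = 1 whenever the ratio exceeds 1."""
    return min(s_eqt, 1.0)


def clamp_new_policy_rate(f_np):
    """Second parameter: current over historical new-policy generation rate of
    the network segment; the text takes f_np = 1 whenever the ratio is below 1."""
    return max(f_np, 1.0)


def importance(priority, highest_priority):
    """Importance parameter p_e: service priority over the highest possible
    priority (6 of 7 for the security service in the text)."""
    return priority / highest_priority


def coefficient_w(s_eqt_values, p_e, f_np, a=0.5, b=0.5, c=0.5):
    """Inferred form of formula (1):

        W = (a * min{s_eqt} + b * p_e) / (1 + c * (f_np - 1))

    With a + b <= 1, 0 < c <= 1, s_eqt <= 1, p_e <= 1 and f_np >= 1 the
    numerator is at most 1 and the denominator at least 1, so W <= 1, and
    W < 1 strictly when a + b < 1 (the text's a + b = 0.99 option).
    c = 1 is allowed here only because the text evaluates that case."""
    if a < 0 or b < 0 or a + b > 1.0 or not 0.0 < c <= 1.0:
        raise ValueError("need a, b >= 0, a + b <= 1 and 0 < c <= 1")
    min_s = min(clamp_stability(s) for s in s_eqt_values)
    f = clamp_new_policy_rate(f_np)
    return (a * min_s + b * p_e) / (1.0 + c * (f - 1.0))


def protection_window(service_start, service_days, w, offset_days=0.0):
    """Protection time lies inside the service time: it starts no earlier than
    the service start (optionally offset from it), lasts W * service duration,
    and is clipped so it ends no later than the service end."""
    start = service_start + offset_days
    end = min(start + w * service_days, service_start + service_days)
    return start, end


def firewall_scenario(priority=6, current_rate=1.7, historical_rate=1.2, c=0.5):
    """The text's three-firewall scenario: s_eqt = 0.93, 0.97, 1.0, highest
    priority 7, service time 10 days. Returns (W, protection days) rounded
    as in the text."""
    s_eqt = [0.93, 0.97, 1.0]
    w = coefficient_w(s_eqt, importance(priority, 7),
                      current_rate / historical_rate, c=c)
    return round(w, 2), round(w * 10, 1)


def rate_only_effect(f_np=1.42, c=0.5):
    """Isolates the new-policy rate: min{s_eqt} = 1 and p_e = 1 as in the text."""
    return round(coefficient_w([1.0], 1.0, f_np, c=c), 2)


if __name__ == "__main__":
    print("security service, priority 6:", firewall_scenario())           # (0.74, 7.4)
    print("ordinary service, priority 3:", firewall_scenario(priority=3))  # (0.56, 5.6)
    print("priority 1:", firewall_scenario(priority=1))                    # W = 0.44
    print("current rate 3/hour:", firewall_scenario(current_rate=3.0))    # W = 0.51
    print("rate only, c=0.5 / c=1:", rate_only_effect(), rate_only_effect(c=1.0))
```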
In this embodiment, the detection result of step 120 may take several values, and different subsequent processing may follow from different detection results.
In an optional implementation manner, after detecting whether the first policy conflicts with at least one other policy, the method further includes:
executing the first policy in response to the detection result being no conflict, or the detection result being a conflict but it being determined according to a conflict handling rule to execute the first policy.
The conflict handling rule may be preset. In one possible scenario the conflict handling rule considers only the priority of the policies; optionally, the conflict handling rule is to execute the policy with the highest priority among the conflicting policies.
When the conflict handling rule is a policy with the highest priority among a plurality of policies that conflict with each other, the detection result being a conflict but determining to execute the first policy according to the conflict handling rule means that the priority of the first policy is higher than the priorities of all other policies that conflict with the first policy.
The meaning of executing the first policy differs for different executing entities. For example, if the executing entity of this embodiment is a controller managing at least one network device involved in the first policy, or a conflict detection apparatus disposed in the controller, executing the first policy means configuring the first policy on the at least one network device, specifically configuring the content of the first policy on the at least one network device in machine language; if the executing entity is any one of the at least one network device involved in the first policy, or a conflict detection apparatus disposed in the network device, executing the first policy means performing the operation required by the first policy on packets.
It should be noted that the first policy may participate in conflict detection more than once within the first protection time, and the at least one network device executes the first policy until the end time of the first protection time is reached only if the result of every conflict detection within the first protection time is no conflict, or is a conflict for which execution of the first policy is still determined according to the conflict handling rule.
In this implementation, one possible scenario is that the end time of the first guard time is earlier than the end time of the first service time.
In this scenario, if the first policy has been executed by the at least one network device until the end time of the first protection time is reached, the at least one network device may handle the first policy in several ways in the period from the end time of the first protection time to the end time of the first service time.
Since the first policy does not participate in conflict detection outside the first protection time, in order to prevent the first policy from conflicting with a new policy outside the first protection time, optionally any of the at least one network device, after executing the first policy until the end time of the first protection time is reached, continues to execute the first policy until the end time of the first service time is reached unless a new policy conflicts with the first policy.
If a new policy configured on the network device after the end time of the first protection time conflicts with the first policy, the network device receives a hardware alarm after the new policy is configured, determines from the alarm that the new policy conflicts with the first policy, and accordingly terminates the first policy.
Conversely, if in the period from the end time of the first protection time to the end time of the first service time no new policy is configured on the network device, or a new policy is configured but no hardware alarm is received, the network device continues to execute the first policy within the first service time and terminates it after the end time of the first service time is reached.
In yet another optional implementation manner, after detecting whether the first policy conflicts with at least one other policy, the method further includes:
in response to the detection result being a conflict and it being determined according to a conflict handling rule not to execute the first policy but to execute a second policy replacing it, deactivating the first policy.
The conflict handling rule may be preset. In one possible scenario the conflict handling rule considers only the priority of the policies; optionally, the conflict handling rule is to execute the policy with the highest priority among the conflicting policies.
Wherein a second policy, which replaces the first policy, may be different according to the conflict handling rule.
When the conflict handling rule is to execute the policy with the highest priority among a plurality of mutually conflicting policies, the detection result being a conflict with it being determined according to the rule not to execute the first policy but to execute a second policy replacing it means that the second policy conflicts with the first policy and has a higher priority than the first policy.
In this implementation, in order to reduce the service loss caused by the collision handling, optionally deactivating the first policy includes:
in response to the end time of the first protection time being later than the end time of a second protection time of the second policy, modifying the start time of the first protection time to the end time of the second protection time.
That is, the first policy is deactivated for the period from the start time of the first protection time determined in step 110 to the end time of the second protection time. Step 120 is then performed again on the basis of the modified first protection time.
Conversely, if the end time of the first protection time is not later than the end time of the second protection time of the second policy, another way of processing may be used. Optionally, deactivating the first policy includes:
terminating the first policy in response to the end time of the first protection time being not later than the end time of the second protection time of the second policy.
Terminating the first policy may optionally mean deleting it, either immediately after it is determined that the end time of the first protection time is not later than the end time of the second protection time of the second policy, or after the end of the first service time.
Combining the two implementations, suppose for example there are four policies, denoted policy A, policy B, policy C and policy D, and policy A is the first policy. In step 120 it is detected whether policy A conflicts with policy B, policy C and policy D. If policy A conflicts with none of them, policy A is executed. If policy A conflicts with policy B and policy D at the same time, the priorities of policy A, policy B and policy D are compared: if policy A has the highest priority, it is determined that policy A is executed; if policy B or policy D has the highest priority, it is determined that policy B or policy D is executed and policy A is not, that is, policy B or policy D is the second policy.
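The following is an added example, not code from the patent: a small model of step 120 and the conflict handling above, run over constructed policies A to D. The patent does not define the conflict test itself, so two policies are assumed here to conflict when they share a network device, their address ranges overlap and their actions differ; the device names S1 to S4, the priorities and the times (in days) are likewise constructed.

```python
# Added example (not from the patent). The conflict test, device names,
# priorities and times are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Policy:
    name: str
    priority: int
    service: tuple      # (start, end) of the service time, in days
    guard: list         # [start, end] of the protection time, inside the service time
    devices: frozenset  # network devices the policy involves
    ip_range: tuple     # (first, last) IPv4 address strings, inclusive
    action: str         # "Reject" or "Accept"
    active: bool = True


def in_guard(p, t):
    """A policy takes part in conflict detection only within its protection time."""
    return p.active and p.guard[0] <= t < p.guard[1]


def ranges_overlap(r1, r2):
    a1, a2 = (int(ip_address(x)) for x in r1)
    b1, b2 = (int(ip_address(x)) for x in r2)
    return a1 <= b2 and b1 <= a2


def conflicts(p, q):
    """Assumed conflict test: shared device, overlapping addresses, different action."""
    return (bool(p.devices & q.devices)
            and ranges_overlap(p.ip_range, q.ip_range)
            and p.action != q.action)


def detect(first, others, t):
    """Step 120 at time t: nothing is detected outside the first policy's
    protection time, and only other policies inside their own are compared."""
    if not in_guard(first, t):
        return []
    return [q for q in others if in_guard(q, t) and conflicts(first, q)]


def deactivate(first, second):
    """If the first protection time ends later than the second policy's, move the
    first start to the second end (step 120 is re-run from there); otherwise
    the first policy is terminated."""
    if first.guard[1] > second.guard[1]:
        first.guard[0] = second.guard[1]
    else:
        first.active = False


def handle(first, others, t):
    """Highest-priority conflict handling rule. The first policy runs only if its
    priority is strictly higher than every conflicting policy's (a tie is treated
    as not higher, an assumption). Returns (decision, policy name)."""
    found = detect(first, others, t)
    if not found:
        return "execute", first.name
    second = max(found, key=lambda q: q.priority)
    if first.priority > second.priority:
        return "execute", first.name
    deactivate(first, second)
    return "deactivated", second.name


def sample_policies(priority_a=6, priority_d=5):
    """Constructed policies A-D. A is the first policy (the firewall policy from
    the text, protection time 7.4 of 10 days); B and D share a device and an
    address range with A but take the opposite action; C shares no device."""
    a = Policy("A", priority_a, (0, 10), [0, 7.4], frozenset({"S1", "S2"}),
               ("128.172.10.56", "128.172.10.150"), "Reject")
    b = Policy("B", 4, (0, 8), [0, 5], frozenset({"S2", "S3"}),
               ("128.172.10.100", "128.172.10.200"), "Accept")
    c = Policy("C", 7, (0, 8), [0, 6], frozenset({"S3", "S4"}),
               ("128.172.10.0", "128.172.10.255"), "Accept")
    d = Policy("D", priority_d, (0, 4), [0, 3], frozenset({"S1"}),
               ("128.172.10.0", "128.172.10.60"), "Accept")
    return a, [b, c, d]


def run(priority_a=6, priority_d=5, t=1.0):
    """One detection at time t; returns the decision plus A's resulting state."""
    first, others = sample_policies(priority_a, priority_d)
    decision, name = handle(first, others, t)
    return decision, name, first.guard[0], first.active


if __name__ == "__main__":
    print(run())              # ('execute', 'A', 0, True): A has the highest priority
    print(run(priority_d=9))  # ('deactivated', 'D', 3, True): A's start moves to D's end
    print(run(t=8.0))         # ('execute', 'A', 0, True): outside A's protection time
```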
Fig. 2 is a schematic structural diagram of an embodiment of a collision detection apparatus provided in the present application. As shown in fig. 2, the collision detection apparatus 200 includes:
a determining module 21, configured to determine a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is included in the first service time and a duration of the first protection time is smaller than a duration of the first service time;
a detecting module 22, configured to detect whether the first policy conflicts with at least one other policy only within a first guard time of the first policy.
In this embodiment, the collision detection apparatus 200 may be disposed in any network device in the form of software and/or hardware, for example, in a controller or any network device managed by the controller.
In this embodiment, the first policy may be any policy and does not refer to a particular policy; "first" only distinguishes it from the other policies mentioned in this embodiment.
In this embodiment, the first service time is a service time of the first policy, and the "first" is only to distinguish service times of other policies mentioned in this embodiment; the first guard time is the guard time of the first policy, and "first" is only to distinguish the guard time of the other policies mentioned in this embodiment.
In this embodiment, the first protection time is included in the first service time, which means that the starting time of the first protection time is not earlier than the starting time of the first service time, and the ending time of the first protection time is not later than the ending time of the first service time. Wherein a starting time of the first protection time is optionally the same as or different from a starting time of the first service time.
In this embodiment, the detecting module 22 detects whether the first policy conflicts with at least one other policy only within the first protection time of the first policy, which means that the detecting module 22 does not detect whether the first policy conflicts with at least one other policy outside the first protection time, that is, the first policy does not participate in the conflict detection outside the first protection time.
In this embodiment, the at least one other policy may optionally be applied to the same network segment as the first policy, or involve the same network device as the first policy. For example, there are four policies A, B, C, D in the network segment to which the first policy applies, and it is detected whether the first policy conflicts with the four policies A, B, C, D, or, since the first policy relates to network devices S1 and S2, policy a relates to network devices S1 and S2, policy B relates to network devices S2 and S3, policy C relates to network devices S3 and S4, and policy D relates to network device S1, it is detected whether the first policy conflicts with policy A, B, D.
In this embodiment, the at least one other policy is optionally within a respective guard time upon detection by the detection module 22.
The conflict detection device of the embodiment determines the first protection time of a first policy by a determination module at least according to the first service time of the first policy, and the detection module detects whether the first policy conflicts with at least one other policy only in the first protection time of the first policy, so that a conflict detection scheme is provided.
The collision detection apparatus 200 of the present embodiment is further described below by some alternative implementations.
In this embodiment, the determining module 21 has multiple implementation manners.
In an alternative implementation, the determining module 21 is specifically configured to:
determining a first protection time of the first policy at least according to a first service time of the first policy, at least one stability parameter of the network environment to which the first policy applies, and at least one importance parameter of an event or service corresponding to the first policy.
In this implementation, optionally, as shown in fig. 3, the determining module 21 includes:
a first determining unit 211, configured to determine a coefficient according to at least the at least one stability parameter and the at least one importance parameter, where the coefficient is smaller than 1;
a second determining unit 212, configured to determine that the duration of the first guard time is equal to a product of the duration of the first service time and the coefficient;
a third determining unit 213, configured to determine the first protection time according to at least a start time of the first service time and a duration of the first protection time.
Wherein the starting time of the first protection time is the same as or different from the starting time of the first service time.
In this implementation, optionally, the at least one stability parameter includes: at least one first parameter for identifying the stability of at least one network device involved in the first policy, a second parameter for identifying the frequency of generation of new policies in the network segment to which the first policy applies.
The detailed description of the implementation manner refers to the corresponding description in the embodiment of the collision detection method provided by the present application.
In this embodiment, the detection result of the detection module 22 may take several values, and different subsequent processing may follow from different detection results.
In an alternative implementation, as shown in fig. 4, the collision detection apparatus 200 further includes:
an execution module 23, configured to execute the first policy in response to the detection result of the detection module 22 being no conflict, or being a conflict but it being determined according to a conflict handling rule to execute the first policy.
The conflict handling rule may be preset. In one possible scenario the conflict handling rule considers only the priority of the policies; optionally, the conflict handling rule is to execute the policy with the highest priority among the conflicting policies.
The meaning of the execution of the first policy by the execution module 23 differs according to the entity in which the conflict detection apparatus 200 is disposed. For example, if the conflict detection apparatus 200 is disposed in a controller managing at least one network device involved in the first policy, the execution module 23 is specifically configured to configure the first policy on the at least one network device in response to the detection result of the detection module 22 being no conflict, or being a conflict but it being determined according to the conflict handling rule to execute the first policy. If the conflict detection apparatus 200 is disposed in any one of the at least one network device involved in the first policy, the execution module 23 is specifically configured to perform the operation required by the first policy on packets in response to the detection result of the detection module 22 being no conflict, or being a conflict but it being determined according to the conflict handling rule to execute the first policy.
The detailed description of the implementation manner refers to the corresponding description in the embodiment of the collision detection method provided by the present application.
In yet another alternative implementation, as shown in fig. 5, the collision detection apparatus 200 further includes:
a deactivating module 24, configured to deactivate the first policy in response to the detection result of the detecting module 22 being a conflict and determining not to execute the first policy and to execute a second policy instead of the first policy according to a conflict handling rule.
The conflict handling rule may be preset. In one possible scenario the conflict handling rule considers only the priority of the policies; optionally, the conflict handling rule is to execute the policy with the highest priority among the conflicting policies.
In this implementation, in order to reduce the service loss caused by conflict handling, optionally the deactivation module 24 is specifically configured to: in response to the detection result being a conflict and it being determined according to a conflict handling rule not to execute the first policy but to execute a second policy replacing it, modify the start time of the first protection time to the end time of the second protection time of the second policy when the end time of the first protection time is later than the end time of the second protection time.
Conversely, if the end time of the first protection time is not later than the end time of the second protection time of the second policy, another way of processing may be used. Optionally, the deactivation module 24 is specifically configured to: in response to the detection result being a conflict and it being determined according to a conflict handling rule not to execute the first policy but to execute a second policy replacing it, terminate the first policy when the end time of the first protection time is not later than the end time of the second protection time of the second policy.
The detailed description of the implementation manner refers to the corresponding description in the embodiment of the collision detection method provided by the present application.
Fig. 6 is a schematic structural diagram of an embodiment of a controller provided in the present application. As shown in fig. 6, the controller 600 includes:
a communication interface 61 for communicating with a plurality of network devices governed by the controller 600;
a memory 62 for storing instructions;
a processor 63 for executing instructions stored by the memory 62, the instructions causing the processor 63 to:
determining a first protection time of a first policy according to at least a first service time of the first policy, where the first protection time is included in the first service time and the duration of the first protection time is less than that of the first service time;
detecting whether the first policy conflicts with at least one other policy only within the first protection time of the first policy;
determining to execute at least one policy according to the detection result and/or a conflict handling rule;
configuring the at least one policy, via the communication interface 61, on at least one network device involved in the at least one policy.
Determining to execute at least one policy according to the detection result and/or the conflict handling rule includes: determining to execute at least one policy in response to the detection result being no conflict; or, in response to the detection result being a conflict, determining according to the conflict handling rule to execute at least one policy.
In this embodiment, the memory 62 may optionally include a random-access memory (RAM), and may optionally further include a non-volatile memory, such as at least one disk memory.
In this embodiment, the instructions are optionally stored in the memory 62 in the form of a program.
In this embodiment, the processor 63 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to perform the above operations. The instructions enable the processor 63 to perform the above operations with reference to the corresponding descriptions in the above embodiments of the collision detection method, which are not described herein again.
In an alternative implementation, as shown in fig. 7, the controller 600 further includes a communication bus 64. The communication interface 61, the memory 62 and the processor 63 communicate with and control each other through the communication bus 64.
For the beneficial effects of this embodiment, refer to the corresponding description in the embodiment of the conflict detection method provided in this application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are only for illustrating the invention and are not to be construed as limiting the invention, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the invention, therefore, all equivalent technical solutions also belong to the scope of the invention, and the scope of the invention is defined by the claims.

Claims (9)

1. A method of collision detection, the method comprising:
determining a first protection time of the first policy according to at least a first service time of the first policy, at least one stability parameter of a network environment to which the first policy applies, and at least one importance parameter of at least one event or service corresponding to the first policy, wherein the first protection time is included in the first service time and the duration of the first protection time is less than that of the first service time;
detecting whether the first policy conflicts with at least one other policy only within a first guard time of the first policy.
2. The method of claim 1, wherein the at least one stability parameter comprises: at least one first parameter for identifying the stability of at least one network device involved in the first policy, a second parameter for identifying the frequency of generation of new policies in the network segment to which the first policy applies.
3. The method according to claim 1 or 2, wherein the starting time of the first guard time is the same as the starting time of the first service time.
4. The method of claim 1 or 2, wherein after detecting whether the first policy conflicts with at least one other policy, further comprising:
executing the first policy in response to the detection result being no conflict, or the detection result being a conflict but it being determined according to a conflict handling rule to execute the first policy.
5. The method of claim 1 or 2, wherein after detecting whether the first policy conflicts with at least one other policy, further comprising:
in response to the detection result being a conflict and it being determined according to a conflict handling rule not to execute the first policy but to execute a second policy replacing it, deactivating the first policy.
6. The method of claim 5, wherein deactivating the first policy comprises:
in response to the end time of the first protection time being later than the end time of a second protection time of the second policy, modifying the start time of the first protection time to the end time of the second protection time.
7. The method according to any one of claims 4 to 6, wherein the conflict handling rule comprises: executing the policy with the highest priority among a plurality of mutually conflicting policies.
8. An apparatus for collision detection, the apparatus comprising:
a determining module, configured to determine a first protection time of the first policy according to at least a first service time of the first policy, at least one stability parameter of a network environment to which the first policy is applied, and at least one importance parameter of at least one event or service corresponding to the first policy, where the first protection time is included in the first service time and a duration of the first protection time is less than a duration of the first service time;
a detection module to detect whether the first policy conflicts with at least one other policy only within a first guard time of the first policy.
9. A controller, characterized in that the controller comprises:
a communication interface for communicating with a plurality of network devices governed by the controller;
a memory to store instructions;
a processor to execute the memory-stored instructions, the instructions to cause the processor to:
determining a first protection time of the first policy according to at least a first service time of the first policy, at least one stability parameter of a network environment to which the first policy applies, and at least one importance parameter of at least one event or service corresponding to the first policy, wherein the first protection time is included in the first service time and the duration of the first protection time is less than that of the first service time;
detecting whether the first policy conflicts with at least one other policy only within a first guard time of the first policy;
determining to execute at least one policy according to the detection result and/or a conflict handling rule;
configuring the at least one policy on at least one network device involved in the at least one policy through the communication interface.
CN201510313546.7A 2015-06-09 2015-06-09 Conflict detection method, device and controller Active CN106301861B (en)

Publications (2)

Publication Number Publication Date
CN106301861A CN106301861A (en) 2017-01-04
CN106301861B true CN106301861B (en) 2020-06-23

Family

ID=57660144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510313546.7A Active CN106301861B (en) 2015-06-09 2015-06-09 Conflict detection method, device and controller

Country Status (1)

Country Link
CN (1) CN106301861B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115952496B (en) * 2023-02-14 2023-06-20 鹏城实验室 Defending method, defending device, defending equipment and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8180922B2 (en) * 2003-11-14 2012-05-15 Cisco Technology, Inc. Load balancing mechanism using resource availability profiles
CN101867825A (en) * 2010-06-25 2010-10-20 中国传媒大学 Device for circularly monitoring multi-channel video and method thereof
WO2013030626A1 (en) * 2011-08-31 2013-03-07 Nokia Corporation Method and apparatus for privacy policy management
US20140075124A1 (en) * 2012-09-07 2014-03-13 International Business Machines Corporation Selective Delaying of Write Requests in Hardware Transactional Memory Systems
CN103681402B (en) * 2013-11-29 2016-04-27 上海华力微电子有限公司 A kind of Cargo Inspection of jumping automatically examining system
CN104363159B (en) * 2014-07-02 2018-04-06 北京邮电大学 An open virtual network construction system and method based on software-defined networking

Also Published As

Publication number Publication date
CN106301861A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
US11025667B2 (en) System and method for applying a plurality of interconnected filters to protect a computing device from a distributed denial-of-service attack
US7936670B2 (en) System, method and program to control access to virtual LAN via a switch
CN108768879B (en) Method and device for adjusting policy priority
EP3032798B1 (en) Processing method and apparatus for preventing packet attack
US20130163596A1 (en) Method, apparatus, and network device for processing layer 2 network loop
CN109525601B (en) Method and device for isolating transverse flow between terminals in intranet
US10193890B2 (en) Communication apparatus to manage whitelist information
US8824297B2 (en) Adaptive storm control
CN112187740B (en) Network access control method and device, electronic equipment and storage medium
EP3832960B1 (en) Establishment of fast forwarding table
US10530681B2 (en) Implementing forwarding behavior based on communication activity between a controller and a network device
US9025432B2 (en) Optimization for trill LAN hellos
US10944695B2 (en) Uplink port oversubscription determination
CN110022236B (en) Message forwarding method and device
CN106301861B (en) Conflict detection method, device and controller
JP2014216793A (en) Communication device, address learning method, and address learning program
US9667595B2 (en) Selectively using network address translated mapped addresses based on their prior network reachability
WO2017000861A1 (en) Method and apparatus for learning mac address in virtual local area network of switch
US9065756B2 (en) System and method for providing fast and efficient flushing of a forwarding database in a network processor
EP3026862B1 (en) Routing loop determining method
US20150236946A1 (en) Operating on a network with characteristics of a data path loop
CN110365667B (en) Attack message protection method and device and electronic equipment
JPWO2019123523A1 (en) Communication device, communication system, communication control method, program
US20170048128A1 (en) Locating traffic origin in a network
US20150236911A1 (en) Detecting characteristics of a data path loop on a network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant