CN106612266B - Network forwarding method and equipment - Google Patents


Publication number
CN106612266B
Authority
CN
China
Prior art keywords
network
message
intranet
mailbox
virtual machine
Prior art date
Legal status
Active
Application number
CN201510706600.4A
Other languages
Chinese (zh)
Other versions
CN106612266A (en)
Inventor
张军伟
Current Assignee
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Group Holding Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present application provides a network forwarding method and device. By using the mailbox message mechanism of a secure network card, CPU consumption is reduced, a packet transmission channel between a virtual gateway and each virtual machine is realized, and high network forwarding performance is obtained; logic control is performed in software, with the virtual gateway responsible for transmitting network packets between each virtual machine and the physical switch, so that network security can also be controlled.

Description

Network forwarding method and equipment
Technical Field
The present application relates to the field of computers, and in particular, to a network forwarding method and device.
Background
At present, with conventional open-source software, network packets forwarded between a virtual machine and a physical switch generally hit a performance bottleneck of about 1-2 Mpps.
Existing virtualized network management falls into two broad categories:
1. A virtual network card mode (vhost + virtio-net), which manages the network in software and has low forwarding performance;
2. A Single-Root I/O Virtualization (SR-IOV) mode, in which network packets are passed directly to the physical switch. This mode manages the network in hardware and can approach line rate, but it cannot inspect or control the content of the network packets, so it is only suitable for internal use.
Disclosure of Invention
An object of the present application is to provide a network forwarding method and device that solve the problems that, in a virtualized network, the forwarding performance of network packets between a virtual machine and a physical switch is low and security control cannot be performed.
According to an aspect of the present application, a network forwarding method is provided, where the method includes:
a virtual gateway being responsible for transmitting network packets between each virtual machine and the physical switch by using the mailbox message mechanism of a secure network card.
Further, in the above method, using the mailbox message mechanism of the secure network card includes:
allocating, to each virtual machine, an intranet mailbox channel that can only communicate with the virtual gateway, by using the mailbox message mechanism of the secure network card; and
allocating, to the virtual gateway, an extranet mailbox channel that communicates with the physical switch, by using the mailbox message mechanism of the secure network card.
Further, in the above method, after allocating to each virtual machine an intranet mailbox channel that can only communicate with the virtual gateway, the method further includes:
setting the bandwidth of the corresponding intranet mailbox channel according to the configuration of each virtual machine.
Further, in the above method, allocating to each virtual machine an intranet mailbox channel that can only communicate with the virtual gateway, by using the mailbox message mechanism of the secure network card, includes:
prohibiting direct communication between virtual machines through the mailbox channels, and setting each virtual machine to receive network packets only from the virtual gateway.
Further, in the above method, the virtual gateway being responsible for transmitting network packets between each virtual machine and the physical switch includes:
the virtual gateway receiving network packets from each virtual machine through the intranet mailbox channel and forwarding them to the physical switch through the extranet mailbox channel; and/or
the virtual gateway receiving network packets from the physical switch through the extranet mailbox channel and forwarding them to the corresponding virtual machine through the intranet mailbox channel.
Further, in the above method, the virtual gateway receiving network packets from each virtual machine through the intranet mailbox channel and forwarding them to the physical switch through the extranet mailbox channel includes:
the virtual gateway receiving the intranet packets sent by the virtual machines through each intranet mailbox channel, parsing the intranet packets and performing an access control check;
if an intranet packet is illegal, discarding it;
if an intranet packet is legal, the virtual gateway re-encapsulating it into an extranet packet and sending the extranet packet to the physical switch through the extranet mailbox channel.
Further, in the above method, the intranet packet carries a VLAN number corresponding to the virtual gateway; all intranet packets uniformly use the same VLAN number, and this VLAN number is not used by the physical switch.
Further, in the above method, the virtual gateway receiving network packets from the physical switch through the extranet mailbox channel and forwarding them to the corresponding virtual machine through the intranet mailbox channel includes:
the virtual gateway receiving an extranet packet from the physical switch through the extranet mailbox channel and then performing an access control check on it;
if the extranet packet is illegal, discarding it;
if the extranet packet is legal, re-encapsulating it into an intranet packet addressed to the corresponding virtual machine, and sending the intranet packet to that virtual machine through its intranet mailbox channel.
According to another aspect of the present application, a network forwarding device is also provided, where the device includes:
a virtual gateway, configured to use the mailbox message mechanism of a secure network card to be responsible for transmitting network packets between each virtual machine and the physical switch.
Further, in the above device, the device further includes:
a configuration device, configured to allocate, to each virtual machine, an intranet mailbox channel that can only communicate with the virtual gateway, by using the mailbox message mechanism of the secure network card; and to allocate, to the virtual gateway, an extranet mailbox channel that communicates with the physical switch, by using the mailbox message mechanism of the secure network card.
Further, in the above device, the configuration device is further configured to set the bandwidth of the intranet mailbox channel corresponding to each virtual machine according to the configuration of that virtual machine.
Further, in the above device, the configuration device is configured to prohibit direct communication between virtual machines through the mailbox channels, and to set each virtual machine to receive network packets only from the virtual gateway.
Further, in the above device, the virtual gateway is configured to receive network packets from each virtual machine through the intranet mailbox channel and forward them to the physical switch through the extranet mailbox channel; and/or
the virtual gateway is configured to receive network packets from the physical switch through the extranet mailbox channel and forward them to the corresponding virtual machine through the intranet mailbox channel.
Further, in the above device, the virtual gateway is configured to receive the intranet packets sent by the virtual machines through each intranet mailbox channel, parse the intranet packets and perform an access control check;
if an intranet packet is illegal, discard it;
if an intranet packet is legal, re-encapsulate it into an extranet packet and send the extranet packet to the physical switch through the extranet mailbox channel.
Further, in the above device, the intranet packet carries a VLAN number corresponding to the virtual gateway; all intranet packets uniformly use the same VLAN number, and this VLAN number is not used by the physical switch.
Further, in the above device, the virtual gateway is configured to perform an access control check on an extranet packet after receiving it from the physical switch through the extranet mailbox channel;
if the extranet packet is illegal, discard it;
if the extranet packet is legal, re-encapsulate it into an intranet packet addressed to the corresponding virtual machine, and send the intranet packet to that virtual machine through its intranet mailbox channel.
Compared with the prior art, the method and device of the present application use the mailbox message mechanism of a secure network card, which reduces CPU consumption, realizes a packet transmission channel between the virtual gateway and each virtual machine, and obtains high network forwarding performance; logic control is performed in software, with the virtual gateway responsible for transmitting network packets between each virtual machine and the physical switch, so that network security can also be controlled.
Furthermore, the virtual gateway is provided with two mailbox channels: an intranet mailbox channel for communicating with the virtual machines inside the server, and an extranet mailbox channel connected to the external physical switch. Each virtual machine can communicate only with the virtual gateway, through its intranet mailbox channel, so all network traffic entering and leaving a virtual machine is processed by the virtual gateway.
Furthermore, to guarantee fairness among the intranet mailbox channels, a specific bandwidth limit is set for each channel, with the bandwidth value matched to the specific configuration of each virtual machine.
Further, to prevent probing and attacks by malicious users, the present application forbids direct communication between virtual machines through the mailbox channels. Because a default network card places no restriction between its mailbox channels, a packet filtering rule is used to block the direct mailbox channels between virtual machines, and it is ensured that each virtual machine on the server is set to receive network packets only from the virtual gateway; any other network packet is discarded directly and cannot reach the virtual machine associated with that mailbox channel.
Furthermore, the physical switch reserves a VLAN number for packet transmission between the virtual machines and the virtual gateway, which serves as security isolation: none of the virtual machine traffic can flow directly to the physical switch, and all of it is transmitted through the virtual gateway. Because thousands of VLAN numbers are available while a physical switch at present uses only hundreds of them, reserving one VLAN number for packet transmission between the virtual machines and the virtual gateway improves forwarding security without affecting the current network configuration.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading the following detailed description of non-limiting embodiments, made with reference to the accompanying drawings, in which:
FIG. 1 shows a schematic diagram of a network forwarding method according to an aspect of the present application;
FIG. 2 shows a block diagram of an Intel 82599 10 Gigabit network card;
FIG. 3 shows a schematic diagram of a network forwarding method according to a preferred embodiment of the present application;
FIG. 4 shows a schematic diagram of a network forwarding method according to another preferred embodiment of the present application;
FIG. 5 shows a schematic diagram of a network forwarding method according to yet another preferred embodiment of the present application;
FIG. 6 shows a block diagram of a network forwarding device according to another aspect of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the accompanying drawings.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
According to an aspect of the present application, a network forwarding method is provided, as shown in FIG. 1, the method including:
a Virtual Gateway (VGW) being responsible for transmitting network packets between each Virtual Machine (VM) and the physical switch (SW) by using the mailbox message mechanism of a secure network card. This embodiment uses the hardware mailbox message mechanism to reduce CPU consumption, realizes a packet transmission channel between the virtual gateway and each virtual machine, obtains high network forwarding performance, and performs logic control in software; the virtual gateway ensures the transmission of network packets between each virtual machine and the physical switch, and control of network security can also be achieved. Specifically, the secure network card may be an Intel 82599 10 Gigabit network card as shown in FIG. 2, which includes a virtual mailbox memory (VBMBMEN), a group of hardware mailbox pairs in the 10 Gigabit network card (pfmailboxx), the mailboxes seen by the virtual machines (VF0 to VFn), and a forwarding module (PFMBICR).
In a preferred embodiment of the network forwarding method of the present application, using the mailbox message mechanism of the secure network card includes:
allocating, to each virtual machine, an intranet mailbox channel that can only communicate with the virtual gateway, by using the mailbox message mechanism of the secure network card; and
allocating, to the virtual gateway, an extranet mailbox channel that communicates with the physical switch, by using the mailbox message mechanism of the secure network card. The virtual gateway is thus provided with two mailbox channels: an intranet mailbox channel for communicating with the virtual machines inside the server, and an extranet mailbox channel connected to the external physical switch. The virtual gateway forwards traffic sent by the virtual machines to the physical switch and receives traffic sent by the physical switch to the virtual machines.
In a preferred embodiment of the network forwarding method of the present application, after allocating to each virtual machine an intranet mailbox channel that can only communicate with the virtual gateway, the method further includes:
setting the bandwidth of the corresponding intranet mailbox channel according to the configuration of each virtual machine. Here, to ensure fairness among the intranet mailbox channels, a specific bandwidth limit may be set for each channel, with the bandwidth value matched to the specific configuration of each virtual machine.
In a preferred embodiment of the network forwarding method of the present application, as shown in FIG. 3, allocating to each virtual machine an intranet mailbox channel that can only communicate with the virtual gateway, by using the mailbox message mechanism of the secure network card, includes:
prohibiting direct communication between virtual machines through the mailbox channels, and setting each virtual machine to receive network packets only from the virtual gateway. To prevent probing and attacks by malicious users, direct communication between virtual machines through the mailbox channels is forbidden. Because a default network card places no restriction between its mailbox channels, a packet filtering rule is used to block the direct mailbox channels between virtual machines, and it is ensured that each virtual machine on the server is set to receive network packets only from the virtual gateway; any other network packet is discarded directly and cannot reach the virtual machine associated with that mailbox channel.
In a preferred embodiment of the network forwarding method of the present application, the virtual gateway being responsible for transmitting network packets between each virtual machine and the physical switch includes:
the virtual gateway receiving network packets from each virtual machine through the intranet mailbox channel and forwarding them to the physical switch through the extranet mailbox channel; and/or
the virtual gateway receiving network packets from the physical switch through the extranet mailbox channel and forwarding them to the corresponding virtual machine through the intranet mailbox channel.
In a preferred embodiment of the network forwarding method of the present application, as shown in FIG. 4, the virtual gateway receiving network packets from each virtual machine through the intranet mailbox channel and forwarding them to the physical switch through the extranet mailbox channel includes:
the virtual gateway receiving the intranet packets sent by the virtual machines through each intranet mailbox channel, parsing the intranet packets and performing an access control check;
if an intranet packet is illegal, discarding it;
if an intranet packet is legal, the virtual gateway re-encapsulating it into an extranet packet and sending the extranet packet to the physical switch through the extranet mailbox channel. Specifically, a network packet sent by each virtual machine is automatically encapsulated with a virtual local area network (VLAN) header through its intranet mailbox channel to produce an intranet packet, which is forwarded over the intranet mailbox channel. The virtual gateway parses the intranet packet and checks the corresponding access control policy; if the intranet packet is illegal, for example because its destination IP is on a blacklist, it is discarded directly. Otherwise, the virtual gateway first strips the header of the intranet packet, then encapsulates it into a new extranet packet and sends it directly to the physical switch through the extranet mailbox channel.
In a preferred embodiment of the network forwarding method of the present application, the intranet packet carries a VLAN number (VLAN id) corresponding to the virtual gateway; all intranet packets uniformly use the same VLAN id, and this VLAN id is not used by the physical switch. Specifically, because the default traffic isolation of secure network cards such as the Intel 82599 is performed by VLAN number, the VLAN number used by the virtual machine network should not be in use on the physical switch. In this embodiment, the physical switch therefore reserves one VLAN number for packet transmission between the virtual machines and the virtual gateway, which serves as security isolation and ensures that no virtual machine traffic flows directly to the physical switch; all virtual machine traffic is transmitted through the virtual gateway.
In a preferred embodiment of the network forwarding method of the present application, as shown in FIG. 5, the virtual gateway receiving network packets from the physical switch through the extranet mailbox channel and forwarding them to the corresponding virtual machine through the intranet mailbox channel includes:
the virtual gateway receiving an extranet packet from the physical switch through the extranet mailbox channel and then performing an access control check on it;
if the extranet packet is illegal, discarding it;
if the extranet packet is legal, re-encapsulating it into an intranet packet addressed to the corresponding virtual machine, and sending the intranet packet to that virtual machine through its intranet mailbox channel. Specifically, for each network packet that needs to be sent from the physical switch to a virtual machine: the whole server exposes only the network port of the single virtual gateway to the outside, so by default all network packets are sent to the virtual gateway. After the virtual gateway receives the extranet packet from the physical switch through the extranet mailbox channel, it first performs the access control check; an illegal extranet packet is discarded directly. For legal access, the virtual gateway encapsulates the extranet packet into an intranet packet addressed to the correct virtual machine and hands the intranet packet to the network card, which sends it to the destination virtual machine through that machine's intranet mailbox channel.
On a public cloud platform, security and performance are two conflicting goals. Software-based schemes can achieve high security, but performance is hard to guarantee. A purely hardware solution is the opposite: performance is good, but security is poor. The method and device of the present application realize a network forwarding scheme with both high security and high performance by using hardware to process the data flow and software to perform logic control, for example by combining the mailbox message mechanism and packet filtering mechanism of a secure network card with VLAN-number-based traffic splitting, thereby achieving the same security as a software scheme at the cost of minimal performance.
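As an added illustration that is not part of the patent and not Alibaba's implementation, the following Python model reproduces the forwarding logic of the two paths just described: the egress path (intranet packet tagged with the reserved VLAN id, access control check, header stripped, re-encapsulated towards the switch), the ingress path (access control check, re-encapsulated with the reserved VLAN id into the destination VM's intranet mailbox), the packet filtering rule that refuses a VM writing directly into another VM's mailbox, and the requirement that the reserved VLAN id is not one the physical switch already uses. The VM names, IP addresses, blacklist, per-channel bandwidth values and the reserved VLAN id 4000 are constructed assumptions, and the NIC's hardware mailboxes are replaced by in-memory queues.

```python
# Added example (not code from the patent): a model of the virtual-gateway forwarding
# logic. Names, addresses and the reserved VLAN id are constructed assumptions; the real
# scheme runs on the secure network card's mailbox hardware, modelled here as queues.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RESERVED_VLAN = 4000                    # assumption: id reserved for VM <-> gateway traffic
SWITCH_VLANS: Set[int] = {10, 20, 30}   # constructed: ids the physical switch already uses


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    vlan: Optional[int] = None          # 802.1Q tag; None means the packet is untagged
    payload: bytes = b""


@dataclass
class Mailbox:
    """One mailbox channel: a queue plus the set of senders allowed to write into it."""
    owner: str
    allowed_senders: Set[str]
    bandwidth_mbps: int                 # per-channel limit matched to the VM's configuration
    queue: List[Packet] = field(default_factory=list)

    def deliver(self, sender: str, pkt: Packet) -> bool:
        # Packet filtering rule: anything not from an allowed sender is refused here,
        # which is what blocks the direct VM-to-VM mailbox path.
        if sender not in self.allowed_senders:
            return False
        self.queue.append(pkt)
        return True


class VirtualGateway:
    """Software logic control: the only path between the VMs and the physical switch."""

    def __init__(self, reserved_vlan: int, switch_vlans: Set[int], ip_blacklist) -> None:
        if reserved_vlan in switch_vlans:
            raise ValueError("reserved VLAN id must not be in use on the physical switch")
        self.reserved_vlan = reserved_vlan
        self.blacklist = set(ip_blacklist)
        self.vm_mailboxes: Dict[str, Mailbox] = {}   # intranet channels, keyed by VM name
        self.vm_by_ip: Dict[str, str] = {}
        self.extranet: List[Packet] = []             # extranet channel towards the switch
        self.dropped: List[Tuple[str, Packet]] = []  # (reason, packet), kept for audit

    def add_vm(self, name: str, ip: str, bandwidth_mbps: int) -> None:
        # Each VM's intranet mailbox accepts packets only from the gateway ("vgw").
        self.vm_mailboxes[name] = Mailbox(name, {"vgw"}, bandwidth_mbps)
        self.vm_by_ip[ip] = name

    def _legal(self, pkt: Packet) -> bool:
        # Access control policy; the patent's own example is a destination-IP blacklist.
        return pkt.src_ip not in self.blacklist and pkt.dst_ip not in self.blacklist

    def from_vm(self, vm: str, pkt: Packet) -> bool:
        """Egress path: intranet packet -> access control -> extranet packet."""
        if pkt.vlan != self.reserved_vlan:      # the NIC tags VM traffic with the reserved id
            self.dropped.append(("bad-vlan", pkt))
            return False
        if not self._legal(pkt):
            self.dropped.append(("acl", pkt))
            return False
        # Strip the intranet (VLAN) header and re-encapsulate for the physical switch.
        self.extranet.append(Packet(pkt.src_ip, pkt.dst_ip, None, pkt.payload))
        return True

    def from_switch(self, pkt: Packet) -> bool:
        """Ingress path: extranet packet -> access control -> intranet packet to the VM."""
        if not self._legal(pkt):
            self.dropped.append(("acl", pkt))
            return False
        vm = self.vm_by_ip.get(pkt.dst_ip)
        if vm is None:
            self.dropped.append(("no-such-vm", pkt))
            return False
        inner = Packet(pkt.src_ip, pkt.dst_ip, self.reserved_vlan, pkt.payload)
        return self.vm_mailboxes[vm].deliver("vgw", inner)


def run_demo() -> dict:
    """Exercise both paths plus the rejection cases; returns every outcome by name."""
    gw = VirtualGateway(RESERVED_VLAN, SWITCH_VLANS, ip_blacklist=["203.0.113.9"])
    gw.add_vm("vm1", "10.0.0.1", bandwidth_mbps=1000)
    gw.add_vm("vm2", "10.0.0.2", bandwidth_mbps=500)
    return {
        "egress_ok": gw.from_vm("vm1", Packet("10.0.0.1", "198.51.100.5", RESERVED_VLAN)),
        "egress_blacklisted": gw.from_vm("vm1", Packet("10.0.0.1", "203.0.113.9", RESERVED_VLAN)),
        "egress_untagged": gw.from_vm("vm1", Packet("10.0.0.1", "198.51.100.5", None)),
        "ingress_ok": gw.from_switch(Packet("198.51.100.5", "10.0.0.2")),
        # vm1 trying to write straight into vm2's mailbox, bypassing the gateway:
        "vm_to_vm_direct": gw.vm_mailboxes["vm2"].deliver("vm1", Packet("10.0.0.1", "10.0.0.2", RESERVED_VLAN)),
        "sent_to_switch_untagged": gw.extranet[0].vlan is None,
        "vm2_received_tagged": gw.vm_mailboxes["vm2"].queue[0].vlan == RESERVED_VLAN,
        "drop_reasons": [reason for reason, _ in gw.dropped],
    }
```

Running `run_demo()` shows the legal egress and ingress packets passing, the blacklisted destination and the untagged packet being dropped with an audit reason, and the direct VM-to-VM write refused by the mailbox filter rather than by the gateway; constructing a gateway whose reserved VLAN id collides with `SWITCH_VLANS` raises `ValueError`, which is the configuration check the reserved-VLAN paragraph implies.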
As shown in FIG. 1 and FIG. 6, according to another aspect of the present application, a network forwarding device 100 is also provided, including:
a virtual gateway 1, configured to use the mailbox message mechanism of a secure network card to be responsible for transmitting network packets between each virtual machine and the physical switch. This embodiment uses the hardware mailbox message mechanism to reduce CPU consumption, realizes a packet transmission channel between the virtual gateway and each virtual machine, obtains high network forwarding performance, and performs logic control in software; the virtual gateway ensures the transmission of network packets between each virtual machine and the physical switch, and control of network security can also be achieved. Specifically, the secure network card may be an Intel 82599 10 Gigabit network card as shown in FIG. 2, which includes a virtual mailbox memory (VBMBMEN), a group of hardware mailbox pairs in the 10 Gigabit network card (pfmailboxx), the mailboxes seen by the virtual machines (VF0 to VFn), and a forwarding module (PFMBICR).
As shown in FIG. 6, in a preferred embodiment of the network forwarding device of the present application, the device further includes:
a configuration device 2, configured to allocate, to each virtual machine, an intranet mailbox channel that can only communicate with the virtual gateway, by using the mailbox message mechanism of the secure network card; and to allocate, to the virtual gateway, an extranet mailbox channel that communicates with the physical switch, by using the mailbox message mechanism of the secure network card. The virtual gateway is thus provided with two mailbox channels: an intranet mailbox channel for communicating with the virtual machines inside the server, and an extranet mailbox channel connected to the external physical switch. The virtual gateway forwards traffic sent by the virtual machines to the physical switch and receives traffic sent by the physical switch to the virtual machines.
In a preferred embodiment of the network forwarding device of the present application, the configuration device 2 is further configured to set the bandwidth of the intranet mailbox channel corresponding to each virtual machine according to the configuration of that virtual machine. Here, to ensure fairness among the intranet mailbox channels, a specific bandwidth limit may be set for each channel, with the bandwidth value matched to the specific configuration of each virtual machine.
In a preferred embodiment of the network forwarding device of the present application, as shown in FIG. 3, the configuration device 2 is configured to prohibit direct communication between virtual machines through the mailbox channels, and to set each virtual machine to receive network packets only from the virtual gateway. To prevent probing and attacks by malicious users, direct communication between virtual machines through the mailbox channels is forbidden. Because a default network card places no restriction between its mailbox channels, a packet filtering rule is used to block the direct mailbox channels between virtual machines, and it is ensured that each virtual machine on the server is set to receive network packets only from the virtual gateway; any other network packet is discarded directly and cannot reach the virtual machine associated with that mailbox channel.
In a preferred embodiment of the network forwarding device of the present application, the virtual gateway 1 is configured to receive a network packet from each virtual machine through the intranet mailbox channel, and forward the network packet to a physical switch through the extranet mailbox channel; and/or
The virtual gateway 1 is configured to receive a network packet from a physical switch through the external network mailbox channel, and forward the network packet to a corresponding virtual machine through the internal network mailbox channel.
In a preferred embodiment of the network forwarding device of the present application, as shown in fig. 4, the virtual gateway 1 is configured to receive the intranet packets sent by the virtual machines through their intranet mailbox channels, parse each intranet packet, and perform an access control check:
if the intranet packet is illegal, discard it;
if the intranet packet is legal, re-encapsulate it as an extranet packet and send the extranet packet to the physical switch through the extranet mailbox channel. Specifically, a network packet sent by a virtual machine is automatically given a virtual local area network (VLAN) header as it enters the intranet mailbox channel, which turns it into an intranet packet that is forwarded through that channel to the virtual gateway. The virtual gateway parses the intranet packet and checks it against the corresponding access control policy. If the packet is illegal, for example because its destination IP address is on a blacklist, it is discarded immediately; otherwise the virtual gateway first strips the header of the intranet packet, re-encapsulates it as a new extranet packet, and sends it to the physical switch through the extranet mailbox channel.
In a preferred embodiment of the network forwarding device of the present application, the intranet packet carries a VLAN number corresponding to the virtual gateway; all intranet packets use this same VLAN number, and the physical switch does not use it. Specifically, because the default traffic isolation of security network cards such as the Intel 82599 is based on VLAN numbers, the VLAN number used for the virtual machine network must not be in use on the physical switch. In this embodiment the physical switch therefore reserves one VLAN number for packet transmission between the virtual machines and the virtual gateway. This reservation is the security isolation: no virtual machine traffic flows directly to the physical switch, and all of it passes through the virtual gateway.
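The three configuration steps above (per-channel bandwidth, blocking direct virtual-machine-to-virtual-machine mailbox traffic, and reserving a VLAN number the physical switch does not use) can be planned and checked in software. The following Python is an added illustration and is not the patent's code: it maps the steps onto a Linux host whose SR-IOV network card is driven through the iproute2 "ip link set ... vf" controls, with each virtual function playing the role of a mailbox channel. The physical function name eth0, the choice of VF 0 for the virtual gateway, the VM table and the switch VLAN inventory are constructed assumptions; the patent does not say which network card filter rules it programs, and the iproute2 options used here are only one way to express the same isolation.

```python
# Added example (not the patent's code): planning the configuration device's
# per-VM settings on a Linux host whose SR-IOV NIC is managed with iproute2.
# Assumptions: PF "eth0", VFs act as the mailbox channels, VF 0 is the virtual
# gateway, and the operator supplies the switch's VLAN inventory.
import subprocess

VLAN_MIN, VLAN_MAX = 1, 4094          # 0 and 4095 are reserved by 802.1Q itself


def choose_reserved_vlan(switch_vlans_in_use, preferred=None):
    """Return one VLAN id that the physical switch does not use.

    The page's isolation rule is that the VM<->gateway VLAN must never be
    configured on the switch, so a clash is a hard error, not a fallback.
    """
    used = set(switch_vlans_in_use)
    if preferred is not None:
        if not VLAN_MIN <= preferred <= VLAN_MAX:
            raise ValueError(f"VLAN {preferred} is outside 1..4094")
        if preferred in used:
            raise ValueError(f"VLAN {preferred} is already used on the physical switch")
        return preferred
    # Search from the top of the range, where switches rarely allocate ids.
    for vid in range(VLAN_MAX, VLAN_MIN - 1, -1):
        if vid not in used:
            return vid
    raise RuntimeError("no free VLAN id")


def plan_vf_config(pf, gateway_vf, vms, reserved_vlan):
    """Build the iproute2 commands for one server as a list of argv lists.

    vms maps VF index -> {"mac": str, "max_tx_rate_mbps": int}. Every VM VF gets:
      * a fixed MAC plus spoof checking, so it cannot impersonate another channel;
      * the reserved port VLAN, so its frames leave the VF tagged with that id
        (the automatic VLAN encapsulation on the intranet channel);
      * trust off, so the guest cannot change its own MAC, VLAN or promiscuity;
      * a transmit-rate cap matching its configuration (the per-channel bandwidth).
    The gateway VF is trusted and carries no port VLAN, because it must see and
    strip the tags itself.
    """
    if gateway_vf in vms:
        raise ValueError("gateway VF index collides with a VM VF")
    base = ["ip", "link", "set", "dev", pf, "vf"]
    cmds = []
    for vf, spec in sorted(vms.items()):
        rate = int(spec["max_tx_rate_mbps"])
        if rate <= 0:
            raise ValueError(f"VF {vf}: bandwidth must be positive")
        cmds += [
            base + [str(vf), "mac", spec["mac"]],
            base + [str(vf), "vlan", str(reserved_vlan)],
            base + [str(vf), "spoofchk", "on"],
            base + [str(vf), "trust", "off"],
            base + [str(vf), "max_tx_rate", str(rate)],
        ]
    cmds += [
        base + [str(gateway_vf), "vlan", "0"],      # no port VLAN: tags pass through
        base + [str(gateway_vf), "trust", "on"],
        base + [str(gateway_vf), "spoofchk", "off"],
    ]
    return cmds


def apply_plan(cmds, dry_run=True):
    """Print the commands, or execute them with check=True when dry_run is False."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed inventory: the switch uses VLANs 1-200 plus two management ids.
    vid = choose_reserved_vlan(set(range(1, 201)) | {1000, 1001})
    plan = plan_vf_config("eth0", gateway_vf=0, reserved_vlan=vid, vms={
        1: {"mac": "02:00:00:00:00:01", "max_tx_rate_mbps": 1000},
        2: {"mac": "02:00:00:00:00:02", "max_tx_rate_mbps": 500},
    })
    apply_plan(plan)
```

Inside the gateway virtual machine the reserved VLAN is then configured as a tagged sub-interface on the gateway's VF (for example `ip link add link eth1 name eth1.4094 type vlan id 4094`, assuming the VF appears as eth1). Two caveats a practitioner should check on the actual card: `max_tx_rate` caps only the transmit direction, so it is at most half of the "bandwidth" the page speaks of, and whether two VM VFs on the same port VLAN can still reach each other through the card's internal switch depends on the card's own filter rules, which the patent relies on but does not detail.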
In a preferred embodiment of the network forwarding device of the present application, as shown in fig. 5, the virtual gateway is configured to perform an access control check on each extranet packet after receiving it from the physical switch through the extranet mailbox channel:
if the extranet packet is illegal, discard it;
if the extranet packet is legal, re-encapsulate it as an intranet packet addressed to the corresponding virtual machine and send the intranet packet to that virtual machine through its intranet mailbox channel. Specifically, the server exposes only one network port to the outside, that of the virtual gateway, so every network packet that the physical switch needs to deliver to a virtual machine reaches the virtual gateway by default. After receiving an extranet packet from the physical switch through the extranet mailbox channel, the virtual gateway first performs the access control check, and an illegal packet is discarded immediately. For a legal access, the virtual gateway encapsulates the extranet packet as an intranet packet addressed to the correct virtual machine and hands it to the network card, which delivers it to the destination virtual machine through that virtual machine's intranet mailbox channel.
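The two forwarding paths of figs. 4 and 5 can be modelled directly on the wire format. The following Python is an added example and not the patent's code: it parses an Ethernet frame with an optional 802.1Q tag, applies the checks the description names (reserved VLAN present on the intranet side and absent on the extranet side, destination IP blacklist on egress) plus the channel-to-MAC binding that the "only from the virtual gateway" rule implies, and strips or inserts the tag for the re-encapsulation. The reserved VLAN id 4000, the blacklist contents, the source-address blacklist on the inbound path and the channel table are assumptions; the patent does not say how its access control policy is expressed.

```python
# Added example (not the patent's code): a software model of the virtual
# gateway's two forwarding paths. Assumptions: IPv4 over Ethernet, reserved
# intranet VLAN id 4000, a destination blacklist for VM->switch traffic, a
# source blacklist for switch->VM traffic, and a table of which MAC was
# assigned to each intranet mailbox channel.
import ipaddress
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
RESERVED_VLAN = 4000   # assumed: the VLAN id the physical switch keeps unused


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, vlan=None):
    """Constructed test traffic: Ethernet [+ 802.1Q] + a bare 20-byte IPv4 header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + ip_hdr


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype, l3_payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return frame[0:6], frame[6:12], vlan, etype, frame[off:]


def strip_vlan(frame):
    """Remove the 4-byte 802.1Q tag that follows the two MAC addresses."""
    return frame[:12] + frame[16:]


def add_vlan(frame, vid):
    """Insert an 802.1Q tag (priority 0) in front of the ethertype."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def ipv4_addrs(l3):
    """(src_ip, dst_ip) of an IPv4 header, or None if the payload is not one."""
    if len(l3) < 20 or l3[0] >> 4 != 4:
        return None
    return (str(ipaddress.IPv4Address(l3[12:16])),
            str(ipaddress.IPv4Address(l3[16:20])))


class VirtualGateway:
    def __init__(self, vlan_id, mac_by_channel, dst_blacklist=(), src_blacklist=()):
        self.vlan_id = vlan_id
        self.mac_by_channel = {ch: mac_bytes(m) for ch, m in mac_by_channel.items()}
        self.channel_by_mac = {m: ch for ch, m in self.mac_by_channel.items()}
        self.dst_blacklist = [ipaddress.ip_network(n) for n in dst_blacklist]
        self.src_blacklist = [ipaddress.ip_network(n) for n in src_blacklist]

    @staticmethod
    def _listed(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def from_vm(self, channel, frame):
        """Fig. 4 path: intranet packet from one channel -> extranet packet to the switch.
        Returns ("drop", reason) or ("switch", untagged_frame)."""
        dst, src, vlan, etype, l3 = parse_frame(frame)
        if vlan != self.vlan_id:
            return ("drop", "intranet packet without the reserved VLAN tag")
        if src != self.mac_by_channel.get(channel):
            return ("drop", "source MAC does not belong to this channel")
        addrs = ipv4_addrs(l3) if etype == ETH_P_IP else None
        if addrs is None:
            return ("drop", "not a well-formed IPv4 packet")
        if self._listed(addrs[1], self.dst_blacklist):
            return ("drop", f"destination {addrs[1]} is blacklisted")
        return ("switch", strip_vlan(frame))     # re-encapsulated as an extranet packet

    def from_switch(self, frame):
        """Fig. 5 path: extranet packet from the switch -> intranet packet to one VM.
        Returns ("drop", reason) or ("vm", channel, tagged_frame)."""
        dst, src, vlan, etype, l3 = parse_frame(frame)
        if vlan == self.vlan_id:
            return ("drop", "reserved VLAN must never arrive from the switch")
        channel = self.channel_by_mac.get(dst)
        if channel is None:
            return ("drop", "no virtual machine owns the destination MAC")
        addrs = ipv4_addrs(l3) if etype == ETH_P_IP else None
        if addrs is None:
            return ("drop", "not a well-formed IPv4 packet")
        if self._listed(addrs[0], self.src_blacklist):
            return ("drop", f"source {addrs[0]} is blacklisted")
        inner = strip_vlan(frame) if vlan is not None else frame   # drop any switch-side tag
        return ("vm", channel, add_vlan(inner, self.vlan_id))
```

A gateway is built as `VirtualGateway(RESERVED_VLAN, {0: "02:00:00:00:00:01", 1: "02:00:00:00:00:02"}, dst_blacklist=["10.9.0.0/16"])` and fed frames from `build_ipv4_frame`; `from_vm(channel, frame)` returns the untagged frame for the switch or a drop reason, and `from_switch(frame)` returns the channel index and the re-tagged frame. The channel-to-MAC check is the software counterpart of the card's anti-spoof filter: a virtual machine that forges another channel's MAC on its own channel is dropped before the IP policy is consulted, and a frame arriving from the switch already carrying the reserved VLAN is dropped because nothing legitimate on the switch side can use that id.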
On a public cloud platform, security and performance pull in opposite directions. A software-based scheme can achieve high security, but its performance is hard to guarantee; a pure hardware scheme is the reverse, with good performance but poor security. The method and device of the present application let hardware handle the data path and software handle the logic control, for example by combining the mailbox message mechanism and packet filtering mechanism of a security network card with traffic splitting by VLAN number, and so obtain a network forwarding scheme that is both secure and fast: the security of the software approach at a minimal cost in performance.
In summary, the application uses the mailbox message mechanism of the security network card to build the packet transmission channels between the virtual gateway and the virtual machines, which reduces CPU consumption and yields high network forwarding performance, while the logic control is performed in software: the virtual gateway is responsible for transmitting network packets between each virtual machine and the physical switch, which also provides network security control.
Furthermore, the virtual gateway has two mailbox channels: an intranet mailbox channel for communicating with the virtual machines inside the server, and an extranet mailbox channel connected to the external physical switch. Each virtual machine can communicate only with the virtual gateway, through its intranet mailbox channel, so all network traffic entering or leaving a virtual machine is processed by the virtual gateway.
Furthermore, to keep the intranet mailbox channels fair to one another, each channel is limited to a specific bandwidth, and the bandwidth value matches the specific configuration of the corresponding virtual machine.
Further, to prevent probing and attacks by malicious users, the application forbids direct communication between virtual machines through the mailbox channels. Because the network card by default places no restriction between mailbox channels, packet filtering rules are used to block direct mailbox channels between virtual machines and to ensure that every virtual machine on the server receives network packets only from the virtual gateway; any other network packet is discarded and is not delivered to the virtual machine associated with the mailbox channel.
Furthermore, the physical switch reserves one VLAN number for packet transmission between the virtual machines and the virtual gateway, which serves as the security isolation: no virtual machine traffic flows directly to the physical switch, and all of it is transmitted through the virtual gateway. The VLAN number space holds thousands of values, while a physical switch currently uses only hundreds of them, so reserving one VLAN number for packet transmission between the virtual machines and the virtual gateway improves the security of network forwarding without affecting the existing network configuration.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
It should be noted that the present invention may be implemented in software and/or in a combination of software and hardware, for example, as an Application Specific Integrated Circuit (ASIC), a general purpose computer or any other similar hardware device. In one embodiment, the software program of the present invention may be executed by a processor to implement the steps or functions described above. Also, the software programs (including associated data structures) of the present invention can be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Further, some of the steps or functions of the present invention may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present invention can be applied as a computer program product, such as computer program instructions, which when executed by a computer, can invoke or provide the method and/or technical solution according to the present invention through the operation of the computer. Program instructions which invoke the methods of the present invention may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the invention herein comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or solution according to embodiments of the invention as described above.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (14)

1. A network forwarding method, wherein the method comprises:
a virtual gateway being responsible for the transmission of network packets between each virtual machine and a physical switch by using a mailbox message mechanism of a security network card;
wherein using the mailbox message mechanism of the security network card comprises:
allocating, by using the mailbox message mechanism of the security network card, to each virtual machine an intranet mailbox channel that can communicate only with the virtual gateway; and
allocating, by using the mailbox message mechanism of the security network card, to the virtual gateway an extranet mailbox channel that communicates with the physical switch.
2. The method of claim 1, wherein, after allocating to each virtual machine an intranet mailbox channel that can communicate only with the virtual gateway, the method further comprises:
setting the bandwidth of the corresponding intranet mailbox channel according to the configuration of each virtual machine.
3. The method of claim 1, wherein allocating, by using the mailbox message mechanism of the security network card, to each virtual machine an intranet mailbox channel that can communicate only with the virtual gateway comprises:
prohibiting direct communication between the virtual machines through the mailbox channels, and setting each virtual machine to receive only the network packets from the virtual gateway.
4. The method of any one of claims 1 to 3, wherein the virtual gateway being responsible for the transmission of network packets between each virtual machine and the physical switch comprises:
the virtual gateway receiving network packets from each virtual machine through the intranet mailbox channel and forwarding them to the physical switch through the extranet mailbox channel; or
the virtual gateway receiving network packets from the physical switch through the extranet mailbox channel and forwarding them to the corresponding virtual machine through the intranet mailbox channel.
5. The method of claim 4, wherein the virtual gateway receiving network packets from each virtual machine through the intranet mailbox channel and forwarding them to the physical switch through the extranet mailbox channel comprises:
the virtual gateway receiving the intranet packets sent by the virtual machines through their intranet mailbox channels, parsing the intranet packets and performing an access control check,
if an intranet packet is illegal, discarding the intranet packet;
if the intranet packet is legal, the virtual gateway re-encapsulating the intranet packet as an extranet packet and sending the extranet packet to the physical switch through the extranet mailbox channel.
6. The method according to claim 5, wherein the intranet packet includes a VLAN number corresponding to the virtual gateway, all intranet packets uniformly use the same VLAN number, and the VLAN number is not used by the physical switch.
7. The method of claim 4, wherein the virtual gateway receiving network packets from the physical switch through the extranet mailbox channel and forwarding them to the corresponding virtual machine through the intranet mailbox channel comprises:
the virtual gateway receiving an extranet packet from the physical switch through the extranet mailbox channel and then performing an access control check on the extranet packet,
if the extranet packet is illegal, discarding the extranet packet;
if the extranet packet is legal, re-encapsulating the extranet packet as an intranet packet addressed to the corresponding virtual machine, and sending the intranet packet to the corresponding virtual machine through the intranet mailbox channel.
8. A network forwarding device, wherein the device comprises:
a virtual gateway configured to use a mailbox message mechanism of a security network card to be responsible for the transmission of network packets between each virtual machine and a physical switch;
wherein the device further comprises:
a configuration device configured to allocate, by using the mailbox message mechanism of the security network card, to each virtual machine an intranet mailbox channel that can communicate only with the virtual gateway, and to allocate, by using the mailbox message mechanism of the security network card, to the virtual gateway an extranet mailbox channel that communicates with the physical switch.
9. The device according to claim 8, wherein the configuration device is further configured to set the bandwidth of the intranet mailbox channel corresponding to each virtual machine according to the configuration of that virtual machine.
10. The device according to claim 8, wherein the configuration device is configured to prohibit direct communication between the virtual machines through the mailbox channels, and to set each virtual machine to receive only the network packets from the virtual gateway.
11. The device of any one of claims 8 to 10, wherein
the virtual gateway is configured to receive network packets from each virtual machine through the intranet mailbox channel and forward them to the physical switch through the extranet mailbox channel; or
the virtual gateway is configured to receive network packets from the physical switch through the extranet mailbox channel and forward them to the corresponding virtual machine through the intranet mailbox channel.
12. The device according to claim 11, wherein the virtual gateway is configured to receive the intranet packets sent by the virtual machines through their intranet mailbox channels, parse the intranet packets and perform an access control check,
if an intranet packet is illegal, discard the intranet packet;
if the intranet packet is legal, re-encapsulate the intranet packet as an extranet packet and send the extranet packet to the physical switch through the extranet mailbox channel.
13. The device according to claim 12, wherein the intranet packet includes a VLAN number corresponding to the virtual gateway, all intranet packets share the same VLAN number, and the VLAN number is not used by the physical switch.
14. The device of claim 11, wherein the virtual gateway is configured to perform an access control check on an extranet packet after receiving the extranet packet from the physical switch through the extranet mailbox channel,
if the extranet packet is illegal, discard the extranet packet;
if the extranet packet is legal, re-encapsulate the extranet packet as an intranet packet addressed to the corresponding virtual machine, and send the intranet packet to the corresponding virtual machine through the intranet mailbox channel.
CN201510706600.4A 2015-10-27 2015-10-27 Network forwarding method and equipment Active CN106612266B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510706600.4A CN106612266B (en) 2015-10-27 2015-10-27 Network forwarding method and equipment


Publications (2)

Publication Number Publication Date
CN106612266A CN106612266A (en) 2017-05-03
CN106612266B true CN106612266B (en) 2020-05-08

Family

ID=58614219


Country Status (1)

Country Link
CN (1) CN106612266B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912836B (en) * 2019-11-14 2023-05-30 优刻得科技股份有限公司 Method for forwarding data by forwarding device, control device, storage medium and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1960330A (en) * 2006-09-26 2007-05-09 北京大学 Method and equipment in use for communication connection of redirecting network
CN101788973A (en) * 2010-01-12 2010-07-28 深圳市同洲电子股份有限公司 Method for communication between dual processors
CN103607449A (en) * 2013-11-18 2014-02-26 中国联合网络通信集团有限公司 Method, device and system for enterprise internal network physical machine to visit cloud storage virtual machine
CN104115453A (en) * 2013-12-31 2014-10-22 华为技术有限公司 Method and device for achieving virtual machine communication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9306906B2 (en) * 2013-03-25 2016-04-05 Salesforce.Com, Inc. Systems and methods for utilizing uni-directional inter-host communication in an air gap environment




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230605

Address after: Room 1-2-A06, Yungu Park, No. 1008 Dengcai Street, Sandun Town, Xihu District, Hangzhou City, Zhejiang Province

Patentee after: Aliyun Computing Co.,Ltd.

Address before: Box 847, four, Grand Cayman capital, Cayman Islands, UK

Patentee before: ALIBABA GROUP HOLDING Ltd.