CN106685903A - Data transmission method based on SDN, SDN controller and SDN system - Google Patents


Info

Publication number
CN106685903A
Authority
CN
China
Prior art keywords
data
encryption
transmission
sdn
packet
Legal status
Granted
Application number
CN201510762339.XA
Other languages
Chinese (zh)
Other versions
CN106685903B (en)
Inventor
赖培源
陈天
樊勇兵
金华敏
刘艺
陈楠
丁圣勇
黄志兰
区洪辉
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201510762339.XA
Publication of CN106685903A
Application granted
Publication of CN106685903B
Legal status: Active

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/04  Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428  Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00  Data switching networks
    • H04L 12/28  Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46  Interconnection of networks
    • H04L 12/4641  Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/4645  Details on frame tagging
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an SDN-based data transmission method, an SDN controller and an SDN system. The method comprises the following steps: the SDN controller receives an encryption data notification message sent by a management platform and determines, based on that message, whether the data to be transmitted needs to be encrypted; if so, it calculates a forwarding route for the data that needs encrypted transmission and makes that route pass through an encryption device; if not, it calculates a forwarding route for the data that does not need encrypted transmission and makes that route bypass the encryption device. With this method, controller and system, only the important data that needs encryption is transmitted in encrypted form, while non-important data that does not need encryption is not processed by the encryption device; the data processing cost and the delay caused by processing are reduced; data is classified and processed according to its network path; and complex data classification analysis is reduced and the resource utilization rate is increased.

Description

Data transmission method based on SDN, SDN controller and SDN system
Technical field
The present invention relates to the technical field of data transmission, and more particularly to an SDN-based data transmission method, an SDN controller and an SDN system.
Background art
With the wide application of virtualization technology, IT resources are becoming basic infrastructure operated like water and electricity. As the carrier of important cloud infrastructure, the management of these resources has become an important research topic for cloud data centers. The hybrid cloud, which merges public and private clouds, has been the main pattern and development direction of cloud computing in recent years. For security reasons, most enterprises prefer to keep their data in a private cloud, while at the same time wishing to obtain the abundant and cheap IT resources of the public cloud. Under these circumstances the hybrid cloud is increasingly adopted: it mixes and matches public and private clouds to obtain the best effect, and this personalized solution achieves both cost saving and security. It can use the security of the private cloud, keeping important internal data in the local data center, while also using the computing resources of the public cloud to complete work more efficiently and quickly, and is therefore more complete than either a private cloud or a public cloud alone.
The connection and data transfer between private cloud and public cloud has therefore become a new focus of industry research. In existing practice, before data is transmitted between data centers, all of it is encrypted by various encryption algorithms and transmitted securely through tunnels or similar means; for example, Amazon's cloud service realizes cross-data-center interconnection mainly on the basis of VPN, and the InterCloud proposed by Cisco encrypts all transmitted data separately at the two cloud ends. These solutions encrypt data that does not need to be encrypted and waste the corresponding resources. As the scale of cloud data grows, this undifferentiated encryption of data places a great burden on the encryption device, which becomes the scaling bottleneck of the system.
Summary of the invention
In view of this, one technical problem solved by the invention is to provide an SDN-based data transmission method, an SDN controller and an SDN system that can transmit, in encrypted form, the data that needs to be encrypted.
An SDN-based data transmission method comprises: a software defined network (SDN) controller receives an encryption data notification message sent by a management platform; the SDN controller determines, based on the encryption data notification message, whether the data to be transmitted needs encryption, and if so, calculates the forwarding route of the data that needs encrypted transmission and makes that forwarding route pass through an encryption device.
According to one embodiment of the present invention, further, if it is determined that the data to be transmitted does not need encryption, the forwarding route of the data that does not need encrypted transmission is calculated and made not to pass through the encryption device.
According to one embodiment of the present invention, further, the information carried by the encryption data notification message includes: the sending device information, vlan or vxlan information of the data that needs encryption for transmission; wherein the sending device information includes the IP address or port of a physical server or virtual machine.
According to one embodiment of the present invention, further, the SDN controller determining, based on the encryption data notification message, whether the data to be transmitted needs encryption includes: according to the encryption data notification message, the SDN controller marks with an encryption label the sending device information, vlan or vxlan information of the data that needs encryption; when performing route calculation, the SDN controller determines, based on the encryption label, whether the data to be transmitted needs encryption.
According to one embodiment of the present invention, further, calculating the forwarding route of the data that needs encrypted transmission and making the forwarding route pass through the encryption device includes: the SDN controller parses, from a received data packet, the sending device information, vlan or vxlan information of the device that sent the packet, the sending device information including the IP address or port of a physical server or virtual machine; the SDN controller determines whether the sending device information, vlan or vxlan information of the packet is marked with an encryption label, and if so, the SDN controller performs route selection, makes the forwarding route of the packet pass through the encryption device, and sends the routing information to the sending device; the packet is encrypted when it passes through the encryption device.
According to one embodiment of the present invention, further, the method includes: when the SDN controller determines that the sending device information of the packet is not marked with an encryption label, the SDN controller performs route selection and makes the forwarding route of the packet bypass the encryption device.
According to one embodiment of the present invention, further, the sending device, vlan or vxlan of the packet belongs to a first cloud data center or a first cloud service provider, and the target device, target vlan or vxlan receiving the packet belongs to a second cloud data center or a second cloud service provider.
According to one embodiment of the present invention, further, the route selection performed by the SDN controller includes: the SDN controller performs path calculation using a distance vector routing algorithm or a link state routing algorithm.
A software defined network (SDN) controller comprises: an encryption information receiving unit for receiving the encryption data notification message sent by the management platform; and a route planning unit for determining, based on the encryption data notification message, whether the data to be transmitted needs encryption and, if so, calculating the forwarding route of the data that needs encrypted transmission and making that forwarding route pass through an encryption device.
According to one embodiment of the present invention, further, the route planning unit is further configured to, if it is determined that the data to be transmitted does not need encryption, calculate the forwarding route of the data that does not need encrypted transmission and make that forwarding route bypass the encryption device.
According to one embodiment of the present invention, further, the information carried by the encryption data notification message includes: the sending device information, vlan or vxlan information of the data that needs encryption for transmission; wherein the sending device information includes the IP address or port of a physical server or virtual machine.
According to one embodiment of the present invention, further, the SDN controller comprises: an encryption label marking unit for marking, according to the encryption data notification message, the sending device information, vlan or vxlan information of the data that needs encryption with an encryption label; the route planning unit is further configured to determine, based on the encryption label, whether the data to be transmitted needs encryption when performing route calculation.
According to one embodiment of the present invention, further, the route planning unit includes: an information extraction module for parsing, from a received data packet, the sending device information, vlan or vxlan information of the device that sent the packet, the sending device information including the IP address or port of a physical server or virtual machine; and a route selection module for determining whether the sending device information, vlan or vxlan information of the packet is marked with an encryption label and, if so, performing route selection, making the forwarding route of the packet pass through the encryption device, and sending the routing information to the sending device; wherein the packet is encrypted when it passes through the encryption device.
According to one embodiment of the present invention, further, the route selection module is further configured to, when it determines that the sending device information of the packet is not marked with an encryption label, perform route selection and make the forwarding route of the packet bypass the encryption device.
According to one embodiment of the present invention, further, the sending device, vlan or vxlan of the packet belongs to a first cloud data center or a first cloud service provider, and the target device, target vlan or vxlan receiving the packet belongs to a second cloud data center or a first cloud service provider.
According to one embodiment of the present invention, further, the route selection module is further configured to perform path calculation using a distance vector routing algorithm or a link state routing algorithm.
An SDN system comprises a management platform and the SDN controller described above.
With the SDN-based data transmission method, SDN controller and SDN system of the present invention, only the important data that needs encryption is transmitted in encrypted form, while non-important data that does not need encryption can be processed without passing through the encryption device, reducing the data processing cost and the delay caused by processing and improving the utilization rate of the network; the centralized SDN controller classifies and processes data according to its network path, which reduces complex data classification analysis and raises the resource utilization rate.
Description of the drawings
In order to illustrate more clearly the embodiments of the present invention or the technical solutions of the prior art, the drawings that need to be used in the embodiments or in the description of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of one embodiment of the SDN-based data transmission method of the present invention;
Fig. 2 is a schematic diagram of an application scenario of the SDN-based data transmission method of the present invention;
Fig. 3 is a module diagram of one embodiment of the SDN controller according to the present invention;
Fig. 4 is a module diagram of the route planning unit in one embodiment of the SDN controller according to the present invention.
Detailed description
The present invention is described more fully below with reference to the accompanying drawings, in which exemplary embodiments of the present invention are shown. The technical solutions in the embodiments of the present invention are described clearly and completely in conjunction with the drawings; obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention. The technical solution of the present invention is described in various ways below with reference to the figures and embodiments.
A software defined network (SDN) is a new network innovation architecture with the characteristics of separation of control and forwarding, centralized control and open programmability; it can realize data center network virtualization and carry multiple tenants. "First", "second" and the like in the following are used only for description and distinction and have no other special meaning.
Fig. 1 is a flow diagram of one embodiment of the SDN-based data transmission method of the present invention. As shown in Fig. 1:
Step 101: the SDN controller receives the encryption data notification message sent by the management platform.
Step 102: the SDN controller determines, based on the encryption data notification message, whether the data to be transmitted needs encryption.
Step 103: if so, the forwarding route of the data that needs encrypted transmission is calculated and made to pass through the encryption device.
If it is determined that the data to be transmitted does not need encryption, the forwarding route of the data that does not need encrypted transmission is calculated and made not to pass through the encryption device. The management platform in the present invention may be the management platform of a data center, such as a cloud management platform or a data management platform.
Before transmission between data centers, in order to protect data security in the private cloud, most systems encrypt all data with various encryption algorithms and transmit it securely through tunnels or similar means; this encryption of data that does not need encryption wastes the corresponding resources. As the scale of cloud data grows, the undifferentiated encryption of data places a great burden on the encryption device, which becomes the scaling bottleneck of the system.
The SDN-based data transmission method of the present invention uses the centralized SDN controller to transmit, according to a configured policy, the data that needs encryption and the data that does not need encryption over different forwarding paths, with encryption and decryption performed at the two ends of the transmission in the data centers. It can effectively improve transmission efficiency and reduce disaster recovery cost.
In one embodiment, the information carried by the encryption data notification message includes the sending device information, vlan or vxlan information, and the like, of the data that needs encryption. The sending device information includes the IP address or port of a physical server or virtual machine, and the like. According to the encryption data notification message, the SDN controller marks the sending device information, vlan or vxlan information of the data that needs encryption with an encryption label, and when performing route calculation the SDN controller determines, based on the encryption label, whether the data to be transmitted needs encryption.
In one embodiment, the SDN controller parses from a received data packet the sending device information, vlan or vxlan information of the device that sent the packet. The sending device information includes the IP address or port of a physical server or virtual machine.
The SDN controller determines whether the sending device information, vlan or vxlan information of the packet is marked with an encryption label. If so, the SDN controller performs route selection, makes the forwarding route of the packet pass through the encryption device, and sends the routing information to the sending device; the packet is encrypted as it passes through the encryption device. The encryption labels can be notified to the SDN controller by the management platform, for example which vlan or vxlan needs encryption and which does not.
When the SDN controller determines that the sending device information, vlan or vxlan information of the packet is not marked with an encryption label, the SDN controller performs route selection and makes the forwarding route of the packet bypass the encryption device.
The sending device, vlan or vxlan of the packet may belong to a first cloud data center or a first cloud service provider (for example Amazon and Microsoft, or Baidu and Tencent), and the target device, target vlan or vxlan receiving the packet may belong to a second cloud data center or a second cloud service provider, so that transmission between data centers is achieved. The SDN controller performs path calculation using a distance vector routing algorithm, a link state routing algorithm or the like.
With the SDN-based data transmission method of the above embodiment, in cross-data-center transmission the SDN controller configures routes to classify data according to whether it is encrypted. For the classification of encrypted data, one or more server (virtual machine) nodes can be selected according to the encryption requirements by port, IP or even vlan cluster; the management platform and the SDN controller work together to complete the on-demand, classified encryption of data.
During data migration, different path selection is performed for data that needs encryption and data that does not; the path selection is realized by the SDN controller, so that the centralized network control platform can more efficiently classify and process the data transfer between data centers according to the encryption requirements.
As shown in Fig. 2, in the original data center (which may be a production data center or the data center of an enterprise private cloud), a centrally controlled SDN is used, and the SDN controller can effectively control the transmission paths of the nodes inside the data center. The management platform or system (which may be a cloud management platform or a data management platform) and the SDN controller can communicate with each other directly.
For data transmitted between data centers, the data center management platform can set the corresponding policy according to actual business needs, specifying which data needs to be encrypted and which data may go without encryption. The enforcement of the encryption policy is performed by the SDN controller: for data carrying an encryption requirement, the SDN controller sets the relevant data forwarding path to pass through the encryption device; conversely, for data transfer without security requirements, the forwarding path is set directly on the forwarding device.
When the SDN controller classifies data, the data flow is generally the basic unit. When a physical server or virtual machine is backed up across data centers, all of its data may be chosen to pass through the encryption device; the IP address of the physical server or virtual machine is then generally used as the classification label.
Alternatively, only part of the business data of a physical server or virtual machine may be selected for encryption, in which case the data of some ports is generally classified for encryption. In large-scale data center scenarios, a vlan or a vxlan can be the classification label, so that the backup data of all nodes in a certain vlan or vxlan is either all encrypted or all not encrypted.
An encryption label is an identifier and may be a configured character or numeric value, etc. The setting of encryption labels depends mainly on the scale of the system: in large-scale scenarios a coarser granularity such as vlan or vxlan is usually used, while in application scenarios requiring fine-grained management, encrypted transmission may be managed at port granularity.
In the classified encrypted transmission of data centers, existing cloud resource pools mostly use an all-data encryption mode, covering both backup data and lateral communication data between businesses, for example the core data and log data of a large business system. The modules of a large business platform may be deployed in different data centers, and on the network side these data are generally treated identically without distinction, that is, all encrypted or all not encrypted.
Using the SDN-based data transmission method of the present invention, the path of cross-data-center data transfer is planned according to the encryption requirements expressed by the encryption label settings. First, the management platform notifies the SDN controller whether a certain flow to be transmitted needs encryption; after receiving the notification, the SDN controller marks the corresponding data, for example marking that the transmission data of a certain port of a certain virtual machine needs to pass through a certain encryption device.
Then, in the transmission flow table returned to the virtual machine, the SDN controller makes the route of the flow pass through that encryption device, selecting the corresponding encryption device. When the virtual machine needs to initiate a data transfer through a certain port, following the normal network service flow, the network proxy module of the virtual machine first requests a forwarding route from the SDN controller. On receiving the route request, the SDN controller queries whether this port of the virtual machine has a related security requirement; if it has, the controller returns, according to the policy of using the corresponding encryption device as the gateway node, a route selection result that passes through the encryption device; if not, it returns a direct-forwarding route selection to the network proxy module of the virtual machine.
In one embodiment, assume that the system has three different server clusters, and that classified encrypted transmission is performed, with encrypted backup from data center X to data center Y, for three groups of data: those of virtual machine A, of virtual machine B, and of physical machines C, D and E. There are also encryption device a, encryption device b and encryption device c. Nodes A, B, C, D and E are all managed by one SDN controller.
Assume that the system administrator, through the data center management platform, requires type-a encryption of all data of virtual machine A, that is, all data of virtual machine A in data center X must pass through encryption device a before the ciphertext can be transferred to data center Y. The data center management platform therefore notifies the SDN controller, and the SDN controller notifies its route selection module that all data of virtual machine A must pass through encryption device a; in the simplest case, the egress gateway of virtual machine A can be set to the IP address of device a.
In one case, assume that the system administrator, through the data center management platform, requires type-b encryption of the data sent from port 500 of virtual machine B, that is, all such data of virtual machine B in data center X must pass through encryption device b before the ciphertext can be transferred to data center Y. The data center management platform therefore notifies the SDN controller, and the SDN controller notifies its route selection module that all data sent from port 500 of virtual machine B must pass through encryption device b; in the simplest case, the data route request of virtual machine B on port 500 can be set so that it must pass through the IP address of device b.
In another case, assume that the system administrator, through the data center management platform, requires type-c encryption of all data sent by physical machines C, D and E, that is, all data of physical machines C, D and E in data center X must pass through encryption device c before the ciphertext can be transferred to data center Y. Physical machines C, D and E are assumed to all be in vlan 100, so the data center management platform notifies the SDN controller, and the SDN controller notifies its route selection module that all data sent from vlan 100 must pass through encryption device c; in the simplest case, the gateway of vlan 100 can be set to the IP address of device c.
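The three cases above (all traffic of virtual machine A by IP, port 500 of virtual machine B, and vlan 100 of C, D and E), worked through as an added example of the label-marking and route-calculation steps. This is illustration written for this page, not code from the patent or from China Telecom; the topology, IP addresses, node and device names, and the rule that the most specific label (port, then IP, then vlan, then vxlan) wins are all assumptions made for the example, and the path computation is a plain Dijkstra shortest path standing in for the link state routing the patent names.

```python
"""Added example, not the patent's own code: a toy SDN controller that applies
encryption labels to forwarding-route calculation. Topology, addresses and
names below are constructed for illustration."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology: node -> {neighbour: link cost}. Hosts A..E sit behind
# switch S1 in data center X, S2 is X's egress, DCY stands for data center Y,
# enc_a/enc_b/enc_c are the three encryption devices of the embodiment.
TOPOLOGY: Dict[str, Dict[str, int]] = {
    "A": {"S1": 1}, "B": {"S1": 1}, "C": {"S1": 1}, "D": {"S1": 1}, "E": {"S1": 1},
    "S1": {"A": 1, "B": 1, "C": 1, "D": 1, "E": 1,
           "enc_a": 1, "enc_b": 1, "enc_c": 1, "S2": 1},
    "enc_a": {"S1": 1, "S2": 1},
    "enc_b": {"S1": 1, "S2": 1},
    "enc_c": {"S1": 1, "S2": 1},
    "S2": {"S1": 1, "enc_a": 1, "enc_b": 1, "enc_c": 1, "DCY": 1},
    "DCY": {"S2": 1},
}

# Constructed attachment table: sender IP -> topology node it is attached to.
HOST_OF_IP = {"10.0.0.1": "A", "10.0.0.2": "B",
              "10.0.0.3": "C", "10.0.0.4": "D", "10.0.0.5": "E"}


@dataclass(frozen=True)
class Packet:
    """Fields the controller parses from a received packet (hypothetical layout)."""
    src_ip: str
    src_port: int
    vlan: Optional[int] = None
    vxlan: Optional[int] = None
    dst: str = "DCY"


@dataclass(frozen=True)
class EncryptionLabel:
    """One entry of the management platform's encryption data notification."""
    kind: str      # "port", "ip", "vlan" or "vxlan"
    value: str     # e.g. "10.0.0.2:500", "10.0.0.1", "100"
    device: str    # encryption device the labelled traffic must traverse


def dijkstra(topology: Dict[str, Dict[str, int]], src: str, dst: str) -> List[str]:
    """Shortest path by link cost; returns the node list from src to dst."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, cost in topology[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        raise ValueError(f"no path from {src} to {dst}")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


class SDNController:
    def __init__(self, topology: Dict[str, Dict[str, int]]) -> None:
        self.topology = topology
        self.labels: Dict[Tuple[str, str], str] = {}

    def on_encryption_notification(self, labels: List[EncryptionLabel]) -> None:
        """Step 101/102: record the encryption labels the management platform sent."""
        for lb in labels:
            self.labels[(lb.kind, lb.value)] = lb.device

    def required_device(self, pkt: Packet) -> Optional[str]:
        """Look up the label for a packet; most specific key wins (assumed precedence)."""
        keys = [("port", f"{pkt.src_ip}:{pkt.src_port}"), ("ip", pkt.src_ip)]
        if pkt.vlan is not None:
            keys.append(("vlan", str(pkt.vlan)))
        if pkt.vxlan is not None:
            keys.append(("vxlan", str(pkt.vxlan)))
        for key in keys:
            if key in self.labels:
                return self.labels[key]
        return None

    def compute_route(self, pkt: Packet) -> List[str]:
        """Step 103: labelled traffic is routed through its encryption device,
        unlabelled traffic takes the direct shortest path."""
        src = HOST_OF_IP[pkt.src_ip]
        device = self.required_device(pkt)
        if device is None:
            return dijkstra(self.topology, src, pkt.dst)
        to_dev = dijkstra(self.topology, src, device)
        from_dev = dijkstra(self.topology, device, pkt.dst)
        return to_dev + from_dev[1:]


def build_controller() -> SDNController:
    """Controller loaded with the three labels of the embodiment (constructed values)."""
    ctl = SDNController(TOPOLOGY)
    ctl.on_encryption_notification([
        EncryptionLabel("ip", "10.0.0.1", "enc_a"),        # all data of VM A
        EncryptionLabel("port", "10.0.0.2:500", "enc_b"),  # VM B, port 500 only
        EncryptionLabel("vlan", "100", "enc_c"),           # C, D, E in vlan 100
    ])
    return ctl


if __name__ == "__main__":
    ctl = build_controller()
    for pkt in (Packet("10.0.0.1", 22), Packet("10.0.0.2", 500),
                Packet("10.0.0.2", 80), Packet("10.0.0.4", 443, vlan=100)):
        print(pkt, "->", " > ".join(ctl.compute_route(pkt)))
```

Port 80 traffic from virtual machine B takes the direct path S1 > S2 even though port 500 of the same machine is pinned to device b, which is the selective behaviour the patent contrasts with all-or-nothing encryption; a real controller would install the computed path as flow entries rather than return a node list.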
As shown in Fig. 3, the present invention provides a software defined network (SDN) controller. An encryption information receiving unit 31 receives the encryption data notification message sent by the management platform. A route planning unit 32 determines, based on the encryption data notification message, whether the data to be transmitted needs encryption; if so, it calculates the forwarding route of the data that needs encrypted transmission and makes that forwarding route pass through the encryption device. If the route planning unit 32 determines that the data to be transmitted does not need encryption, it calculates the forwarding route of the data that does not need encrypted transmission and makes that forwarding route bypass the encryption device.
An encryption label marking unit 33 marks, according to the encryption data notification message, the sending device information, vlan or vxlan information of the data that needs encryption with an encryption label; the route planning unit 32 determines, based on the encryption label, whether the data to be transmitted needs encryption when performing route calculation.
As shown in Fig. 4, the route planning unit includes an information extraction module 41 and a route selection module 42. The information extraction module 41 parses from a received data packet the sending device information, vlan or vxlan information of the device that sent the packet. The sending device information includes the IP address or port of a physical server or virtual machine.
The route selection module 42 determines whether the sending device information, vlan or vxlan information of the packet is marked with an encryption label; if so, it performs route selection, makes the forwarding route of the packet pass through the encryption device, and sends the routing information to the sending device. The packet is encrypted when it passes through the encryption device.
When the route selection module 42 determines that the sending device information, vlan or vxlan information of the packet is not marked with an encryption label, the SDN controller performs route selection and makes the forwarding route of the packet bypass the encryption device. The route selection module 42 performs path calculation using a distance vector routing algorithm, a link state routing algorithm or the like.
In one embodiment, the present invention provides an SDN system comprising a management platform and the SDN controller described above.
The SDN-based data transmission method, SDN controller and SDN system provided by the above embodiments can classify data according to whether it is encrypted, transmitting in encrypted form only the important data that needs encryption, while non-important data that does not need encryption can be processed without passing through the encryption device. This reduces the data processing cost and the delay caused by processing and improves the utilization rate of the network; by having the centralized SDN controller classify and process data according to its network path, complex data classification analysis is reduced and the resource utilization rate is raised.
The method and system of the present invention may be realized in many ways. For example, the method and system of the present invention may be realized by software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is merely for illustration, and the steps of the method of the present invention are not limited to the order described above unless specifically stated otherwise. In addition, in some embodiments the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for realizing the method according to the present invention. Thus, the present invention also covers a recording medium storing a program for performing the method according to the present invention.
The description of the present invention is given for the sake of example and description and is not exhaustive or intended to limit the invention to the form disclosed. Many modifications and variations will be obvious to a person of ordinary skill in the art. The embodiments were selected and described in order to better explain the principles and practical application of the present invention, and to enable a person of ordinary skill in the art to understand the present invention and so design various embodiments with various modifications suited to a particular purpose.

Claims (16)

1. An SDN-based data transmission method, characterized in that it comprises:
a software defined network (SDN) controller receiving an encrypted-data notification message sent by a management platform;
the SDN controller determining, based on the encrypted-data notification message, whether the data to be transmitted needs to be encrypted, and if so, calculating a forwarding route for the data that needs encrypted transmission such that the forwarding route passes through an encryption device.
2. The method of claim 1, characterized in that it further comprises:
if it is determined that the data to be transmitted does not need to be encrypted, the SDN controller calculating a forwarding route for the data that does not need encrypted transmission such that the forwarding route does not pass through the encryption device.
3. The method of claim 1 or 2, characterized in that:
the information carried by the encrypted-data notification message comprises the sending device information, VLAN or VXLAN information of the data that needs encrypted transmission;
wherein the sending device information comprises the IP address or port of a physical server or virtual machine.
4. The method of claim 3, characterized in that the SDN controller determining, based on the encrypted-data notification message, whether the data to be transmitted needs to be encrypted comprises:
the SDN controller marking, according to the encrypted-data notification message, the sending device information, VLAN or VXLAN information of the data that needs encrypted transmission with an encryption label;
the SDN controller determining, based on the encryption label, whether the data to be transmitted needs to be encrypted when performing route calculation.
5. The method of claim 4, characterized in that calculating the forwarding route for the data that needs encrypted transmission such that the forwarding route passes through the encryption device comprises:
the SDN controller parsing, from a received packet, the sending device information, VLAN or VXLAN information of the device that sent the packet, the sending device information comprising the IP address or port of a physical server or virtual machine;
the SDN controller determining whether the sending device information, VLAN or VXLAN information of the packet is marked with an encryption label, and if so, performing route selection such that the forwarding route of the packet passes through the encryption device, and sending the routing information to the sending device; the packet being encrypted when it passes through the encryption device.
6. The method of claim 5, characterized in that it further comprises:
if the SDN controller determines that the sending device information of the packet is not marked with an encryption label, the SDN controller performing route selection such that the forwarding route of the packet does not pass through the encryption device.
7. The method of claim 5, characterized in that:
the sending device, VLAN or VXLAN of the packet belongs to a first cloud data center or a first cloud service provider, and the target device, target VLAN or target VXLAN that receives the packet belongs to a second cloud data center or a second cloud service provider.
8. The method of claim 5, characterized in that the SDN controller performing route selection comprises:
the SDN controller performing path calculation using a distance-vector routing algorithm or a link-state routing algorithm.
9. A software defined network (SDN) controller, characterized in that it comprises:
an encryption information receiving unit for receiving an encrypted-data notification message sent by a management platform;
a route planning unit for determining, based on the encrypted-data notification message, whether the data to be transmitted needs to be encrypted, and if so, calculating a forwarding route for the data that needs encrypted transmission such that the forwarding route passes through an encryption device.
10. The SDN controller of claim 9, characterized in that:
the route planning unit is further configured, if it is determined that the data to be transmitted does not need to be encrypted, to calculate a forwarding route for the data that does not need encrypted transmission such that the forwarding route does not pass through the encryption device.
11. The SDN controller of claim 9 or 10, characterized in that:
the information carried by the encrypted-data notification message comprises the sending device information, VLAN or VXLAN information of the data that needs encrypted transmission;
wherein the sending device information comprises the IP address or port of a physical server or virtual machine.
12. The SDN controller of claim 11, characterized in that it further comprises:
an encryption label marking unit for marking, according to the encrypted-data notification message, the sending device information, VLAN or VXLAN information of the data that needs encrypted transmission with an encryption label;
the route planning unit being further configured to determine, based on the encryption label, whether the data to be transmitted needs to be encrypted when performing route calculation.
13. The SDN controller of claim 11, characterized in that the route planning unit comprises:
an information extraction module for parsing, from a received packet, the sending device information, VLAN or VXLAN information of the device that sent the packet, the sending device information comprising the IP address or port of a physical server or virtual machine;
a route selection module for determining whether the sending device information, VLAN or VXLAN information of the packet is marked with an encryption label, and if so, performing route selection such that the forwarding route of the packet passes through the encryption device, and sending the routing information to the sending device;
wherein the packet is encrypted when it passes through the encryption device.
14. The SDN controller of claim 13, characterized in that:
the route selection module is further configured, if it determines that the sending device information of the packet is not marked with an encryption label, to perform route selection such that the forwarding route of the packet does not pass through the encryption device.
15. The SDN controller of claim 13, characterized in that:
the route selection module is further configured to perform path calculation using a distance-vector routing algorithm or a link-state routing algorithm.
16. An SDN system, characterized in that it comprises:
a management platform and the SDN controller of any one of claims 9 to 15.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510762339.XA CN106685903B (en) 2015-11-10 2015-11-10 SDN-based data transmission method, SDN controller and SDN system

Publications (2)

Publication Number Publication Date
CN106685903A true CN106685903A (en) 2017-05-17
CN106685903B CN106685903B (en) 2021-04-09

Family

ID=58863896

Country Status (1)

Country Link
CN (1) CN106685903B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103746997A (en) * 2014-01-10 2014-04-23 浪潮电子信息产业股份有限公司 Network security solution for cloud computing center
CN104935593A (en) * 2015-06-16 2015-09-23 杭州华三通信技术有限公司 Data message transmitting method and device
CN104935594A (en) * 2015-06-16 2015-09-23 杭州华三通信技术有限公司 Message processing method and device based on virtual extensible local area network tunnel

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109818918B (en) * 2017-11-21 2022-01-25 瞻博网络公司 Policy driven workload initiation based on software defined network encryption policy
CN109818918A (en) * 2017-11-21 2019-05-28 丛林网络公司 Policy-driven workload initiation based on software defined network encryption policy
US11323487B1 (en) 2017-11-21 2022-05-03 Juniper Networks, Inc. Scalable policy management for virtual networks
CN108073820A (en) * 2017-11-27 2018-05-25 北京传嘉科技有限公司 Data security processing method, device and mobile terminal
US11418546B1 (en) 2018-06-29 2022-08-16 Juniper Networks, Inc. Scalable port range management for security policies
CN110875913A (en) * 2018-09-03 2020-03-10 阿里巴巴集团控股有限公司 Data transmission method and system
US11962495B2 (en) 2018-09-03 2024-04-16 Alibaba Group Holding Limited Data transmission method and system
CN109981221A (en) * 2019-03-26 2019-07-05 南京罗拉穿云物联网科技有限公司 Industrial DTU data preprocessing method and device
US11216309B2 (en) 2019-06-18 2022-01-04 Juniper Networks, Inc. Using multidimensional metadata tag sets to determine resource allocation in a distributed computing environment
US11700236B2 (en) 2020-02-27 2023-07-11 Juniper Networks, Inc. Packet steering to a host-based firewall in virtualized environments
CN111526080B (en) * 2020-05-07 2022-03-11 网经科技(苏州)有限公司 Method for gateway VXLAN to select encrypted data transmission
CN111526080A (en) * 2020-05-07 2020-08-11 网经科技(苏州)有限公司 Method for gateway VXLAN to select encrypted data transmission
CN114679326A (en) * 2022-03-30 2022-06-28 晨贝(天津)技术有限公司 Method, device and storage medium for forwarding service message

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant