CN106803807B - SDN network independent forwarding method based on multidimensional space superposition model - Google Patents
- Publication number
- CN106803807B (application CN201611160435.8A)
- Authority
- CN
- China
- Prior art keywords
- forwarding
- information body
- space
- sdn network
- difference
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/14—Routing performance; Theoretical aspects
Abstract
The invention discloses an SDN network independent forwarding method based on a multi-dimensional space superposition model, which adopts the multi-dimensional space superposition model to treat nodes as a whole consisting of an input space, a forwarding function and an output space, obtains corresponding transformation operation by utilizing the difference calculation between the input space and the output space of adjacent nodes and stores the transformation operation into a strategy set, thereby constructing an independent forwarding path in the SDN network, ensuring that data flow is not maliciously guided in the network forwarding process and enhancing the safety of a network forwarding plane. The SDN independent forwarding method based on the multidimensional space superposition model can be widely applied to the field of information security.
Description
Technical Field
The invention relates to the field of information security, in particular to an SDN network independent forwarding method based on a multidimensional space superposition model.
Background
The SDN network is an innovation over the conventional network architecture: it separates control from forwarding and provides a centralized control plane for monitoring, configuring and managing the entire network. The SDN architecture includes an application layer, a control layer and a forwarding layer. The physical entity corresponding to the forwarding layer is the SDN switch, and the physical entity corresponding to the control layer is the SDN controller. The SDN switch is responsible for high-speed forwarding of network data, and the forwarding information it stores for making forwarding decisions comes from the SDN controller; the SDN controller performs centralized, unified management of all SDN switches in the network via the southbound interface. At present OpenFlow is an important southbound interface standard and holds a prominent position in the development of SDN.
The OpenFlow v1.0 specification is the earliest protocol standard; it sets out the design concept and overall architecture of building an SDN from OpenFlow switches, OpenFlow controllers and the OpenFlow protocol. The OpenFlow switch communicates with the remote controller using the OpenFlow protocol over a secure connection; the flow table is the key component of the OpenFlow switch and is responsible for high-speed lookup and forwarding of data packets. In addition, the OpenFlow switch communicates with the external controller through a secure channel that carries the OpenFlow protocol, which is responsible for transferring management and control information between the controller and the switch.
OpenFlow concentrates all control functions in a remote controller; the switch is responsible only for simple, high-speed local data forwarding, and the basis for forwarding is the flow table. The OpenFlow protocol specifies that the controller may add, update and delete flow entries in the switch's flow table, either proactively or on request. Each flow table in the switch contains a series of flow entries, and each flow entry contains a series of match fields used to match data packets, counters and pointers. When the switch receives a packet for which no entry in the flow table matches, or for which the action specified in the flow table is 'send to the controller', the packet is sent to the controller in an OpenFlow Packet-in message; the controller generates a new flow entry by analysing the packet's content and updates the flow entry in the switch with a flow modification message.
Interpretation of terms:
SDN network: the software defined network is a novel network architecture, adopts the design idea of separating control and forwarding, is divided into a control plane and a forwarding plane, and can realize the centralized control of the network state and support flexible software programming.
Data flow: data in the network is forwarded by taking a data packet as a unit, the data packet is composed of header information and load data, and a plurality of data packets belonging to the same network channel form a data stream.
"match-execute" mode: if the header information of a data packet matches a certain flow table entry, the action corresponding to that entry is executed.
The switch includes all network equipment working in match-execute mode; for convenience of expression, "forwarding node" below is synonymous with "switch", and the "header information" mentioned above is replaced by the more broadly defined "information body".
Independent forwarding: in the process of forwarding the data flow, the situation that the forwarding rule of the data flow intersects with the forwarding rules of other data flows does not occur, that is, the data flow logically has an independent forwarding path.
A multi-dimensional space: the header information of a data packet is simply regarded as a 0/1 sequence; if the header length is L, an L-dimensional space H = {0, 1}^L is defined on the basis of that length, where {0, 1} denotes that the element in each dimension of the space is 0 or 1. One packet corresponds to a point in H and one stream corresponds to a subspace of H.
Disclosure of Invention
In order to solve the technical problems, the invention aims to: the method for independently forwarding the data stream for guaranteeing the information security in the SDN based on the multidimensional space superposition model is provided.
The technical scheme adopted by the invention is as follows: an SDN network independent forwarding method based on a multidimensional space superposition model,
A. establishing a multidimensional space superposition model for nodes in the SDN network, wherein the node model comprises an input space, a forwarding function and an output space, and a header part of a data packet in the SDN network is used as an information body;
B. creating a target information body;
C. creating a source information body at a current node;
D. calculating a difference set of an outputable space of the current node model and an input space of a next node model connected with the outputable space;
E. calculating to obtain an information body with the minimum difference from the target information body in the difference set, and taking the information body as a source information body of the next node;
F. the transformation operation from the current node source information body to the next node source information body is stored into a strategy set;
G. entering a next node, repeatedly executing the step D to the step G until the difference set of the step D is empty or the information body obtained by calculation in the step E is the same as the target information body;
H. and creating a forwarding path through the strategy set to realize independent forwarding of the data packet.
Further, the step B further includes: system environment parameters, environment variables, and associated states are initialized.
The specific step of calculating, in step E, the information body α' with the smallest difference from the target information body within the difference set is: select the information body α' in the difference set D' such that the difference d' between α' and the target information body β is smallest and d' < d_min, where d_min is the set difference threshold; then assign d_min = d'.
Further, the initial value of d_min is infinite.
Further, the difference d ' is the number of 1's in the result of exclusive-or operation of the body α ' with the destination body β.
Further, the forwarding function is configured to change a bit of a corresponding output port in the information body according to the output port number and forward the bit to the next node.
The invention has the beneficial effects that: the invention adopts a multidimensional space superposition model to regard the nodes as a whole consisting of an input space, a forwarding function and an output space, obtains corresponding transformation operation by utilizing the difference calculation between the input space and the output space of adjacent nodes and stores the transformation operation into a strategy set, thereby constructing an independent forwarding path in the SDN, ensuring that data flow is not guided maliciously in the network forwarding process and enhancing the security of a network forwarding plane.
Drawings
FIG. 1 is a flow chart of the steps of the method of the present invention;
FIG. 2 is a schematic diagram of a network forwarding plane of the method of the present invention;
FIG. 3 is a graph of the correspondence of nodes and their multidimensional spatial stacking models;
FIG. 4 is a schematic diagram of a data forwarding process in a multidimensional space superposition model;
FIG. 5 is a schematic view of step C of the present invention;
FIG. 6 is a schematic view of step D of the present invention;
FIG. 7 is a schematic view of step E of the present invention;
FIG. 8 is a schematic view of step F of the present invention;
fig. 9 is a network topology diagram and the independent forwarding paths therein according to an embodiment of the present invention.
Detailed Description
The separation of the control plane and the forwarding plane in the SDN network increases the flexibility of the network, but the introduction of virtual switches also increases its security risk. For data flows with higher security-level requirements, beyond data encryption at the network layer and above, one measure for enhancing security at the data link layer is to forward them along independent logical links, that is, to have the switches generate new forwarding rules for these flows under the control of the controller, such that the flows do not match the rules already present in the switches. On this basis, the invention provides an independent forwarding scheme based on a multidimensional space superposition model for data streams with higher security requirements; the scheme constructs a secure path so that the data streams are forwarded along independent logical links, thereby increasing the security of the forwarding plane.
The following further describes embodiments of the present invention with reference to the accompanying drawings:
referring to fig. 1, a method for independently forwarding an SDN network based on a multidimensional space superposition model,
A. establishing a multidimensional space superposition model for nodes in the SDN network, wherein the node model comprises an input space, a forwarding function and an output space, and a header part of a data packet in the SDN network is used as an information body;
B. creating a target information body;
C. creating a source information body at a current node;
D. calculating a difference set of an outputable space of the current node model and an input space of a next node model connected with the outputable space;
E. calculating to obtain an information body with the minimum difference from the target information body in the difference set, and taking the information body as a source information body of the next node;
F. the transformation operation from the current node source information body to the next node source information body is stored into a strategy set;
G. entering a next node, repeatedly executing the step D to the step G until the difference set of the step D is empty or the information body obtained by calculation in the step E is the same as the target information body;
H. and creating a forwarding path through the strategy set to realize independent forwarding of the data packet.
The application scenario of steps A to H above is a network forwarding plane composed of forwarding nodes working in match-execute mode, and the steps are used to construct a path that maintains independent forwarding on that plane. To achieve this, a multidimensional space superposition model is first established in step A, in which a forwarding node of the forwarding plane is regarded as a whole represented by an input space, a forwarding behaviour and an output space; set calculations are then carried out at this abstract level. The result of the calculation is a sequence of information bodies, and the packet header is assembled according to this sequence, so that the match fields already present in the flow tables of the switches along the way are avoided and the designated data flow matches none of the existing forwarding rules. The designated data stream therefore cannot be diverted elsewhere by an existing forwarding rule, the packets are forwarded independently in the network, and security is enhanced.
For example, fig. 2 shows a network forwarding plane consisting of forwarding nodes operating in match-execute mode, where the information body is 4 bits long. The figure demonstrates the process in which an information body of 0000 travels the path 1->2->3->5 and finally reaches node 5. The boxes in the coordinate system represent the match fields of each node's flow table; the boxes on the edges connecting adjacent forwarding nodes represent the output information bodies after modification by the operation defined in the action field of the matched entry, and the action field also specifies the output port number.
The relationship between the nodes and the corresponding multidimensional space superposition model in the step a is shown in fig. 3, wherein the nodes and the data packets are concrete above the dotted line in the graph, the data packets comprise header fields and data fields, and the abstract description model of the nodes and the data packets is below the dotted line. The model comprises an integral body represented by an input space, a forwarding function T () for describing forwarding behaviors and an output space; the header field portion of the packet is treated as a body of information, represented as a point in space.
The data forwarding process under the multidimensional space superposition model is shown in fig. 4: nodes a and B have deployed forwarding rules to support the forwarding of the data packet P, and the graph demonstrates the process on the spatial model when the data packet P is forwarded from node a to node B:
① since nodes A and B have deployed forwarding rules to support the forwarding of packet P, the information body of P lies in the input space of node A;
② the operation of node A's forwarding function on the information body moves it in the space;
③ after processing by the forwarding function, the information body is forwarded through the port defined by the forwarding rule into B; since the information body is not changed in this step, it is located at the same coordinate position in the space of B as in A;
④ the information body is moved in space by the operation of node B's forwarding function, and the subsequent forwarding process repeats ①②③④.
Further as a preferred embodiment, the step B creates a destination information body β.
Step B also includes the normal operation of creating the destination information body, i.e. initializing the system environment parameters, environment variables and related states.
Further preferably, in step C, a source information body is created at the current node. As shown in fig. 5, at the ingress node N_i, the source information body α_i is created outside the input space E_i, i.e. α_i does not lie in E_i.
The specific implementation of step D is shown in FIG. 6: compute the difference set D' between the outputable space P_i of node N_i and the input space E_{i+1} of the next node N_{i+1} connected to it.
As shown in FIG. 7, in a further preferred embodiment, step E of calculating the information body α' with the smallest difference from the target information body within the difference set consists of selecting the information body α' in the difference set D' such that the difference d' between α' and the target information body β is smallest and d' < d_min, where d_min is the set difference threshold; then assign d_min = d'.
Further, in a preferred embodiment, the initial value of d_min is infinite.
In a further preferred embodiment, the difference d ' is the number of 1's in the result of exclusive-or operation between the information object α ' and the destination information object β.
As shown in fig. 8, further as a preferred embodiment, the step F stores the transformation operation from the current node source information body to the next node source information body into the policy set;
the step G is as follows: entering a next node, repeatedly executing the step D to the step G until the difference set of the step D is empty or the information body obtained by calculation in the step E is the same as the target information body;
the complete process of establishing independent forwarding paths according to steps a-H of the method of the invention is described with reference to fig. 9:
The figure shows a specific network topology: the forwarding plane has 8 forwarding nodes, each node has preset port numbers, each marked by a number, and every information body has a fixed length of 8 bits.
Further as a preferred embodiment, the forwarding function is configured to change a bit of a corresponding output port in the information body according to the output port number and forward the bit to the next node.
For example, the 8 bits of the information body are divided into 4 regions of 2 bits each, numbered region 0, region 1, region 2 and region 3 from right to left. Each forwarding node can change the two bits of the corresponding region of the information body according to the output port number; for example, output port number 0 may modify either 1 or 2 bits in region 0.
Since the information body is 8 bits long, each forwarding node has at most 256 flow table entries when wildcards are not considered. It is assumed that the number of existing flow table entries in a forwarding node does not exceed half of that maximum: n different flow table entries are randomly generated in each forwarding node, where n < 128.
Assume that the initial information body is 00101100 and the destination information body is 01110001. Starting from forwarding node 0, the following results are obtained from the calculation steps above and the experiment in which n flow table entries are randomly generated for each forwarding node:
The corresponding information body sequence is: { 00101100, 00101101, 00100001, 00110001, 01110001 }; the independent forwarding path is represented by the arrows in the network topology.
As shown in the topology diagram of fig. 9, starting from node 0, the algorithm can find an independent forwarding path for varying choices of source information body and destination information body, provided a feasible solution exists. The length of the independent forwarding path found is related to the length of the information body, the number of bits that can be modified per port, and the difference between the source and destination information bodies. Generally, the longer the information body, the fewer bits that can be modified per port, and the greater the difference between the source and destination information bodies, the longer the forwarding path corresponding to the resulting policy set.
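The following is an added worked example of steps C to H and of the 8-bit, four-region layout described above; it is not code from the patent, and its topology, flow entries, dictionary layout and the `max_hops` bound are assumptions made for the example. A node's input space E_i is taken to be the set of bodies its existing exact-match flow entries match, the forwarding function T() flips 1 or 2 bits of the region selected by the output port, the difference set of step D is the outputable space through a port minus the next node's input space, and the difference d' is the XOR popcount of the claims. The constructed topology places existing entries on node 4 that cover every body node 0 could emit through port 1, so the search is forced through port 0; the resulting body sequence happens to coincide with the one the description reports, but the topology is not the patent's Fig. 9 experiment.

```python
# Added example (not the patent's code): greedy construction of an independent
# forwarding path over the multidimensional space superposition model.
# Assumptions, none of which the patent text fixes:
#   - an information body is an 8-bit header, held as an int 0..255;
#   - a node's input space E_i is the set of bodies matched by its existing
#     flow entries (exact match, no wildcards), held as a set of ints;
#   - port p may change 1 or 2 bits of region p, where region p is bits
#     2p and 2p+1 counted from the right, as in the description;
#   - a node is a dict with "ports" (port -> neighbour id) and "rules" (E_i);
#   - EXAMPLE_NODES and its flow entries are constructed for this example.
from typing import Dict, List, Optional, Set, Tuple

REGION_BITS = 2
Policy = List[Tuple[int, int, int, int]]   # (node, output port, bit mask flipped, next node)


def difference(a: int, b: int) -> int:
    """d' as the patent defines it: the number of 1s in a XOR b."""
    return bin(a ^ b).count("1")


def outputable_via_port(body: int, port: int) -> Set[int]:
    """Forwarding function T(): bodies reachable by flipping 1 or 2 bits of region `port`."""
    lo = port * REGION_BITS
    masks = (1 << lo, 1 << (lo + 1), (1 << lo) | (1 << (lo + 1)))
    return {body ^ m for m in masks}


def find_independent_path(nodes: Dict[int, dict], start: int, source: int,
                          target: int, max_hops: int = 16) -> Optional[Tuple[List[int], Policy]]:
    """Steps C to H. Returns (body sequence, policy set), or None when the
    difference set becomes empty before the target body is reached.
    max_hops is an added safety bound, not part of the patent's loop condition."""
    if source in nodes[start]["rules"]:
        raise ValueError("step C: the source body must lie outside the ingress node's input space")
    node, body = start, source
    bodies, policy = [body], []
    for _ in range(max_hops):
        if body == target:            # step G's second stop condition
            return bodies, policy
        d_min = float("inf")          # the difference threshold starts at infinity
        best = None
        for port, nxt in sorted(nodes[node]["ports"].items()):
            # step D: outputable space via this port minus the next node's input space
            diff_set = outputable_via_port(body, port) - nodes[nxt]["rules"]
            for cand in sorted(diff_set):
                d = difference(cand, target)
                if d < d_min:         # step E: keep the body closest to the target
                    d_min, best = d, (cand, port, nxt)
        if best is None:              # step G's first stop condition: difference set empty
            return None
        cand, port, nxt = best
        policy.append((node, port, body ^ cand, nxt))   # step F: record the transformation
        node, body = nxt, cand                          # step G: move to the next node
        bodies.append(body)
    return None


def policy_to_flow_entries(policy: Policy, bodies: List[int]) -> List[str]:
    """Step H: render the policy set as the new match/execute rule each node needs."""
    entries = []
    for (node, port, mask, nxt), body in zip(policy, bodies):
        entries.append(f"node {node}: match {body:08b} -> flip {mask:08b}, output port {port} (to node {nxt})")
    return entries


# Constructed topology: node 4 already matches every body reachable from node 0
# through port 1, so the existing rules force the path through port 0 instead.
EXAMPLE_NODES: Dict[int, dict] = {
    0: {"ports": {0: 1, 1: 4}, "rules": set()},
    1: {"ports": {1: 2}, "rules": set()},
    2: {"ports": {2: 3}, "rules": {0b11110000}},
    3: {"ports": {3: 5}, "rules": set()},
    4: {"ports": {0: 5}, "rules": {0b00100000, 0b00100100, 0b00101000}},
    5: {"ports": {}, "rules": {0b00000000}},
}


def run_example() -> Optional[Tuple[List[int], Policy]]:
    """Source and destination bodies as in the description's example (00101100 -> 01110001)."""
    return find_independent_path(EXAMPLE_NODES, 0, 0b00101100, 0b01110001)


def run_blocked_example() -> Optional[Tuple[List[int], Policy]]:
    """Same search after node 1 also matches every body node 0 can emit through port 0."""
    blocked = {k: {"ports": dict(v["ports"]), "rules": set(v["rules"])} for k, v in EXAMPLE_NODES.items()}
    blocked[1]["rules"] |= outputable_via_port(0b00101100, 0)
    return find_independent_path(blocked, 0, 0b00101100, 0b01110001)


if __name__ == "__main__":
    result = run_example()
    if result is None:
        print("no independent path")
    else:
        seq, pol = result
        print("body sequence:", ["{:08b}".format(b) for b in seq])
        for line in policy_to_flow_entries(pol, seq):
            print(line)
```

The greedy choice in step E is local: at node 0 the region-1 candidates would bring the body closer to the destination, but they are excluded because node 4 already matches them, which is exactly the guarantee the method is after (no body on the path is matched by a pre-existing rule). `run_blocked_example` shows the other stop condition: once every candidate through every port of node 0 is covered by existing entries, the difference set is empty and no independent path exists from that source body.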
While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (6)
1. An SDN network independent forwarding method based on a multidimensional space superposition model is characterized by comprising the following steps:
A. establishing a multidimensional space superposition model for nodes in the SDN network, wherein the multidimensional space superposition model comprises an input space, a forwarding function and an output space, and a data packet header part in the SDN network is used as an information body;
B. creating a target information body;
C. creating a source information body at a current node;
D. calculating a difference set of an outputable space of the current node model and an input space of a next node model connected with the outputable space;
E. calculating to obtain an information body with the minimum difference from the target information body in the difference set, and taking the information body as a source information body of the next node;
F. the transformation operation from the current node source information body to the next node source information body is stored into a strategy set;
G. entering a next node, repeatedly executing the step D to the step G until the difference set of the step D is empty or the information body obtained by calculation in the step E is the same as the target information body;
H. and creating a forwarding path through the strategy set to realize independent forwarding of the data packet.
2. The SDN network independent forwarding method based on the multidimensional space superposition model, according to claim 1, is characterized in that: the step B further comprises the following steps: system environment parameters and environment variables are initialized.
3. The SDN network independent forwarding method based on the multidimensional space superposition model as claimed in claim 1, wherein the step E of calculating the information body α' with the minimum difference from the destination information body within the difference set comprises the specific steps of selecting the information body α' in the difference set D' such that the difference d' between α' and the destination information body β is minimum and d' < d_min, where d_min is the set difference threshold, and then assigning d_min = d'.
4. The SDN network independent forwarding method based on the multidimensional space superposition model, according to claim 3, is characterized in that: the initial value of d_min is infinite.
5. The SDN network independent forwarding method based on the multidimensional space superposition model as claimed in claim 3, wherein the difference d 'is the number of 1 in the result of XOR operation between the information body α' and the destination information body β.
6. The SDN network independent forwarding method based on the multidimensional space superposition model, according to claim 1, is characterized in that: the forwarding function is used for changing the bit of the corresponding output port in the information body according to the output port number and forwarding the bit to the next node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611160435.8A CN106803807B (en) | 2016-12-15 | 2016-12-15 | SDN network independent forwarding method based on multidimensional space superposition model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106803807A CN106803807A (en) | 2017-06-06 |
CN106803807B true CN106803807B (en) | 2020-05-05 |
Family
ID=58983880
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611160435.8A Active CN106803807B (en) | 2016-12-15 | 2016-12-15 | SDN network independent forwarding method based on multidimensional space superposition model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106803807B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2675119A1 (en) * | 2011-02-07 | 2013-12-18 | Nec Corporation | Communication system, control device, communication node, and communication method |
WO2014044055A1 (en) * | 2012-09-21 | 2014-03-27 | 华为技术有限公司 | Label switching path calculation method and label switching path calculation device |
CN105873162A (en) * | 2016-06-20 | 2016-08-17 | 沈阳化工大学 | Wireless sensor network data flow rate shunting routing method based on multipath |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104767773B (en) * | 2014-01-02 | 2019-07-16 | 中兴通讯股份有限公司 | A kind of information intelligent synchronous method and device |
CN105007310A (en) * | 2015-06-30 | 2015-10-28 | 深圳走天下科技有限公司 | Information synchronization method, device and system |
CN105553936B (en) * | 2015-12-01 | 2019-03-05 | 深圳市沛城电子科技有限公司 | Information processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN106803807A (en) | 2017-06-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||