CN107104963B - Trusted controller framework and its operating method towards cloud environment multi-tenant network

Info

Publication number: CN107104963B
Authority: CN (China)
Prior art keywords: domain, network, tenant, tenant network, administrator
Legal status: Active (listed status is an assumption, not a legal conclusion)
Application number: CN201710273734.0A
Other languages: Chinese (zh)
Other versions: CN107104963A
Inventors: 金海, 代炜琦, 万鹏飞, 邹德清
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Events: application filed by Huazhong University of Science and Technology; priority to CN201710273734.0A; publication of CN107104963A; application granted; publication of CN107104963B; legal status active.

Classifications

All under H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention discloses a trusted controller framework for multi-tenant networks in a cloud environment. It proposes an abstract security specification for tenant networks, which states the security requirements a tenant network in a multi-tenant environment should meet; a general SDN tenant network controller architecture derived from that specification, which improves the security of multi-tenant network management; and a new network management permission model that isolates the cloud administrator's network permissions, preventing a cloud administrator from abusing them to attack tenant networks, while granting the TN administrator the network permissions needed to manage the tenant network autonomously. The controller can use a security device to monitor in real time whether the network state has been attacked or tampered with, and both the TN administrator and the cloud administrator can verify with the controller whether the network is in a secure state. The invention applies to multi-tenant cloud networks and can prevent a malicious cloud administrator from harming the security and privacy of tenant networks.

Description

Trusted controller framework and its operating method towards cloud environment multi-tenant network
Technical field
The invention belongs to the field of multi-tenant network security in cloud environments, and in particular to a trusted controller framework for multi-tenant networks in a cloud environment and its operating method.
Background art
With the continuous development and maturing of cloud computing, many enterprises have outsourced their IT infrastructure to IaaS cloud providers to save cost. From the cloud provider's point of view, this outsourced IT infrastructure is all virtual infrastructure, including virtual machines and virtual network facilities. We call the IT infrastructure outsourced to a cloud provider a tenant network (Tenant Network, TN). To serve multiple tenants, the IaaS provider needs to virtualize the physical cloud network into multiple virtual TNs.
Software-defined networking (SDN), because it separates network decision-making (the control plane) from data forwarding (the data plane), is increasingly used in cloud environments to ease cloud network management, but it cannot by itself provide autonomous management of a TN. To realize network virtualization and let cloud tenants manage their networks autonomously, virtualized SDN (vSDN) has been proposed: an SDN hypervisor is introduced between the data plane and the control plane and maps the underlying physical network to multiple virtual networks; each virtual network corresponds to one tenant network and has a dedicated vSDN controller that the TN administrator manages autonomously.
However, existing vSDN technology has the following technical problems. First, it violates the principle of least privilege: the SDN hypervisor gives the cloud administrator excessive network privileges, which means that whether the cloud administrator becomes an insider attacker or the management terminal he uses is maliciously compromised, the security of all tenant networks is threatened. Second, it violates the principle of separation of duties: the vSDN controller is meant to be used by the TN administrator to manage the tenant network, yet it is distributed by the cloud administrator, so the integrity of the vSDN controller is exposed to destruction by a malicious cloud administrator.
Summary of the invention
In view of the above defects or improvement needs of the prior art, the present invention provides a trusted controller framework for multi-tenant networks in a cloud environment and its operating method. Its purpose is to solve the violations of the least-privilege and separation-of-duties principles present in existing vSDN technology while guaranteeing autonomous management of cloud tenant networks and improving its security and efficiency.
To achieve the above object, according to one aspect of the present invention, a trusted controller framework for multi-tenant networks in a cloud environment is provided, comprising a cloud administrator domain, multiple TN administrator domains and a control domain. The cloud administrator domain is communicatively connected to the external cloud administrator, each TN administrator domain to its external TN administrator, and the control domain to the cloud administrator domain, the TN administrator domains and the data plane. The control domain comprises a network controller and a TN manager. The network controller receives network commands from the cloud administrator domain and the TN administrator domains and, after processing them, passes them to the TN manager. The TN manager uses a virtual-to-physical mapping table to abstract the data plane into multiple virtual tenant networks, and includes a network permission monitor that distinguishes and isolates the permissions of the cloud administrator and the TN administrators; after converting a network command from the control domain with the mapping table, it sends the command to the corresponding tenant network. The TN manager also receives tenant network status information from the data plane and forwards it to the cloud management domain and the tenant management domain. The cloud administrator domain runs the cloud management application of the cloud administrator to manage the entire cloud network, and starts the control domain and the TN administrator domains. A TN administrator domain runs the TN management application of its TN administrator to manage the tenant network.
Preferably, the control domain and the TN administrator domains are all user domains, and the cloud administrator domain is the privileged domain.
Preferably, the virtual-to-physical mapping table is stored in the memory of the controller architecture and records, for each tenant network, the mapping between its virtual resources and the real resources in the data plane, where virtual resources include virtual switches, ports, flow tables, group tables and meter tables, and real resources include actual switches, ports, flow tables, group tables and meter tables.
Preferably, the controller architecture further comprises a network driver domain and a TN building domain. The network driver domain provides the communication connection between the external cloud administrator and the cloud administrator domain, and between a TN administrator and the TN administrator domain; the TN building domain performs the trusted construction of the network driver domain, the control domain and the TN administrator domains.
In general, compared with the prior art, the above technical scheme of the invention obtains the following beneficial effects:
(1) The controller architecture of the invention solves the least-privilege violation present in the existing vSDN architecture: because the network permission monitor in the control domain distinguishes and isolates the network permissions of the cloud administrator and the TN administrator, it effectively prevents the TN security problems caused by a cloud administrator who attacks on his own or whose management terminal has been maliciously compromised.
(2) The controller architecture of the invention solves the separation-of-duties violation present in the existing vSDN architecture: because the invention uses sequenced startup and integrity verification, which ensure the boot order and startup integrity of every domain in the framework, a malicious cloud administrator is effectively prevented from destroying the integrity of TN-related network state.
(3) Good generality: first, the invention applies to any multi-tenant network environment (not necessarily a cloud environment); the developer of any multi-tenant network can deploy the network according to the security requirements described here and extend them with new security requirements as needed. Second, the SDN-based multi-tenant network controller framework proposed is not limited to a specific SDN controller or virtualization platform; any current commercial SDN controller (such as Floodlight or Ryu) and virtualization architecture (such as Xen or KVM) can easily be extended onto the framework.
(4) Low overhead: in the original vSDN architecture the TN management application, the controller and the SDN hypervisor are located on different hosts, and their frequent network communication brings considerable communication overhead. The invention places the controller and the TN manager in the same control domain and places the TN management application in the cloud, effectively reducing the overhead of frequent network communication.
According to another aspect of the invention, an operating method for the trusted controller framework for multi-tenant networks in a cloud environment is provided, comprising the following steps:
(1) The cloud administrator domain and the control domain start and wait for a tenant network creation request from a new tenant;
(2) After receiving the tenant network creation request from the new tenant, the cloud administrator domain uses the system kernel in the request to create a TN administrator domain for the tenant; at the same time the control domain creates the corresponding tenant network according to the network requirements in the request, allocates a network identity to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data plane in the virtual-to-physical mapping table of its TN manager;
(3) The TN administrator domain starts and waits for the TN administrator to log in;
(4) After the TN administrator logs in, the TN administrator domain runs the TN management application of that TN administrator to generate network commands and sends them to the control domain;
(5) The control domain uses its network monitor to judge whether a received network command satisfies the permissions; if so, it proceeds to step (6), otherwise it refuses to execute the command;
(6) According to the network command, the control domain consults the virtual-to-physical mapping table maintained in the TN manager, converts the virtual resources in the command to real resources, and sends the converted command to the data plane;
(7) After the data plane has processed all network commands, the cloud administrator domain and the control domain wait for a TN release request from the TN administrator;
(8) After receiving the TN release request from the TN administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the TN administrator domain;
(9) The control domain deletes from the TN manager's virtual-to-physical mapping table the mapping between the virtual resources in the tenant network and the real resources in the data plane, and deletes the corresponding network commands from the data plane.
Preferably, the method further comprises, after step (3) and before step (4), a step in which the TN administrator domain receives an integrity verification request from the TN administrator and, according to that request, sends its log information to the TN administrator.
Preferably, in step (5) the network monitor judges whether the command satisfies the permissions by checking, against the network permissions in the permission monitor, whether the resource, the operation and the executor of the network command all match.
According to another aspect of the invention, an operating method for the trusted controller framework for multi-tenant networks in a cloud environment is provided, comprising the following steps:
(1) The cloud administrator domain, the TN building domain, the network driver domain and the control domain perform trusted boot in sequence; during trusted boot the startup process of each domain is measured and recorded by a security device;
(2) The cloud management domain and the control domain wait for a tenant network creation request from a new tenant;
(3) After receiving the TN creation request from the new tenant, the cloud administrator domain passes the system kernel in the request to the TN building domain; at the same time the control domain creates the corresponding tenant network according to the network requirements in the request, allocates a network identity to it, and records the mapping between the virtual resources in the tenant network and the real resources in the data plane in the virtual-to-physical mapping table of its TN manager;
(4) The TN building domain uses the system kernel received from the cloud administrator domain to create the TN administrator domain for the tenant in a trusted manner;
(5) The TN administrator domain performs a trusted boot and waits for a verification request from the TN administrator;
(6) After receiving the verification request from the TN administrator, the network driver domain forwards it to the TN administrator domain; the TN administrator domain passes the log information in the security device to the TN administrator through the network driver domain, then waits for the TN administrator's notice of whether the log information matches the TN administrator's corresponding operation log. If the notice indicates a successful match, go to step (7); otherwise it indicates verification failure, and login to the TN administrator domain is refused;
(7) The TN administrator domain waits for the TN administrator's login request forwarded by the network driver domain;
(8) After receiving the TN administrator's login request, the TN administrator domain sends a verification request to the control domain;
(9) After receiving the TN administrator's verification request, the control domain passes the relevant log information in the security device to the TN administrator domain, which passes it to the TN administrator through the network driver domain, then waits for the TN administrator's notice of whether the log information matches the TN administrator's corresponding operation log. If the notice indicates a successful match, go to step (10); otherwise it indicates verification failure, and an error message is reported to the cloud administrator and the TN administrator;
(10) The TN administrator domain runs the TN management application of that TN administrator to generate network commands and sends them to the control domain;
(11) The control domain uses its network monitor to judge whether a received network command satisfies the permissions; if so, it proceeds to step (12), otherwise it refuses to execute the command;
(12) According to the network command, the control domain consults the virtual-to-physical mapping table maintained in the TN manager, converts the virtual resources in the command to real resources, and sends the converted command to the data plane;
(13) After the data plane has processed all network commands, the cloud administrator domain and the control domain wait for a TN release request from the TN administrator;
(14) After receiving the TN release request from the TN administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the TN administrator domain through the TN building domain;
(15) The control domain deletes from the TN manager's virtual-to-physical mapping table the mapping between the virtual resources in the tenant network and the real resources in the data plane, and deletes the corresponding network commands from the data plane.
Preferably, step (1) comprises the following sub-steps:
(1-1) The BIOS of the TN controller node initializes the measurement values of the hardware TPM and notifies the boot loader to load the Xen virtual machine monitor;
(1-2) The boot loader loads the kernel and disk image of the Xen virtual machine monitor, of the cloud administrator domain and of the TN building domain, and extends the measurement values of the Xen virtual machine monitor and the TN building domain into the platform configuration registers of the hardware trusted platform module;
(1-3) The Xen virtual machine monitor starts the cloud administrator domain and the TN building domain, and schedules the cloud administrator domain into the running state;
(1-4) The cloud administrator domain wakes up the TN building domain, which further starts the control domain and the network driver domain and extends the measurement values of the control domain and the network driver domain into the platform configuration registers of the hardware trusted platform module.
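The measured boot of sub-steps (1-1) to (1-4) and the log check a TN administrator performs in steps (6) and (9) can be simulated end to end. The following is an added example, not code from the patent: the TPM is simulated in software with the standard extend rule (new PCR = hash of old PCR concatenated with the measurement), the four component images are constructed sample bytes, and the choice of SHA-256 is an assumption. It shows why a tampered image cannot be hidden by editing the log: the register can only be extended, never rewritten, so an edited log no longer replays to the PCR value.

```python
"""Simulation of the measured boot in sub-steps (1-1) to (1-4) and of the
log verification in steps (6) and (9). Added example, not the patent's
code: the TPM is simulated, the images are constructed sample bytes, and
SHA-256 as the measurement hash is an assumption."""
import hashlib

# Components measured into the TPM, in the order the sub-steps start them.
BOOT_ORDER = ["xen_vmm", "tn_build_domain", "control_domain", "network_driver_domain"]


def measure(image: bytes) -> bytes:
    """Measurement of a component = hash of its kernel/disk image."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend rule: new PCR = H(old PCR || measurement). A PCR cannot be
    written directly, only extended, so both the values and their order matter."""
    return hashlib.sha256(pcr + measurement).digest()


class SimulatedTPM:
    def __init__(self):
        self.pcr = bytes(32)     # PCR zeroed at BIOS initialization, step (1-1)
        self.event_log = []      # (component, measurement): the "log information"

    def extend_component(self, name: str, image: bytes) -> None:
        m = measure(image)
        self.pcr = extend(self.pcr, m)
        self.event_log.append((name, m))


def trusted_boot(images: dict, tpm: SimulatedTPM) -> SimulatedTPM:
    """Steps (1-2) and (1-4): every component is measured into the TPM,
    in the fixed order, before it runs."""
    for name in BOOT_ORDER:
        tpm.extend_component(name, images[name])
    return tpm


def replay_log(event_log) -> bytes:
    """Recompute the PCR value that the event log claims to describe."""
    pcr = bytes(32)
    for _, m in event_log:
        pcr = extend(pcr, m)
    return pcr


def verify_boot(tpm: SimulatedTPM, expected_images: dict) -> bool:
    """The TN administrator's check in steps (6)/(9): the log must replay to
    the PCR (so it was not edited afterwards), and every entry, in order, must
    equal the measurement of the image the administrator expects."""
    if replay_log(tpm.event_log) != tpm.pcr:
        return False
    expected = [(n, measure(expected_images[n])) for n in BOOT_ORDER]
    return tpm.event_log == expected


# Constructed sample images standing in for real kernels and disk images.
GOOD_IMAGES = {n: f"{n}-image-v1".encode() for n in BOOT_ORDER}


def demo() -> dict:
    """Verification results for an intact boot, a boot with a tampered
    control-domain image, and the same tampered boot with an edited log."""
    intact = trusted_boot(GOOD_IMAGES, SimulatedTPM())
    tampered_images = dict(GOOD_IMAGES, control_domain=b"control_domain-image-modified")
    tampered = trusted_boot(tampered_images, SimulatedTPM())
    # Rewriting the log entry does not change the PCR the TPM already holds.
    hidden = trusted_boot(tampered_images, SimulatedTPM())
    hidden.event_log[2] = ("control_domain", measure(GOOD_IMAGES["control_domain"]))
    return {
        "intact": verify_boot(intact, GOOD_IMAGES),
        "tampered": verify_boot(tampered, GOOD_IMAGES),
        "log_edited": verify_boot(hidden, GOOD_IMAGES),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier needs two things the page's protocol also relies on: the reference measurements of the images it expects (the "corresponding operation log" on the TN administrator's side) and a PCR value it trusts, which in the real design comes from the hardware TPM rather than from the domain being verified.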
In general, compared with the prior art, the above technical scheme of the invention obtains the following beneficial effects:
(1) The method of the invention solves the least-privilege violation present in the existing vSDN architecture: because the network permission monitor in the control domain distinguishes and isolates the network permissions of the cloud administrator and the TN administrator, it effectively prevents the TN security problems caused by a cloud administrator who attacks on his own or whose management terminal has been maliciously compromised.
(2) The method of the invention solves the separation-of-duties violation present in the existing vSDN architecture: because the invention uses sequenced startup and integrity verification, which ensure the boot order and startup integrity of every domain in the framework, a malicious cloud administrator is effectively prevented from destroying the integrity of TN-related network state.
(3) The method of the invention solves the least-privilege violation present in the existing vSDN architecture: because the invention uses steps (11) and (12), which check the legitimacy of the cloud administrator and the TN administrator, it effectively prevents the TN security problems caused by a cloud administrator who attacks on his own or whose management terminal has been maliciously compromised.
(4) The method of the invention solves the separation-of-duties violation present in the existing vSDN architecture: because the invention uses step (1) and steps (5) to (9), which ensure the boot order and startup integrity of every domain in the framework, a malicious cloud administrator is effectively prevented from destroying the integrity of TN-related network state.
(5) Good generality: first, the invention applies to any multi-tenant network environment (not necessarily a cloud environment); the developer of any multi-tenant network can deploy the network according to the security requirements described here and extend them with new security requirements as needed. Second, the SDN-based multi-tenant network controller framework proposed is not limited to a specific SDN controller or virtualization platform; any current commercial SDN controller (such as Floodlight or Ryu) and virtualization architecture (such as Xen or KVM) can easily be extended onto the framework.
(6) Low overhead: in the original vSDN architecture the TN management application, the controller and the SDN hypervisor are located on different hosts, and their frequent network communication brings considerable communication overhead. The invention places the controller and the TN manager in the same control domain and places the TN management application in the cloud, effectively reducing the overhead of frequent network communication.
Brief description of the drawings
Fig. 1 is an architecture diagram of the trusted controller framework for multi-tenant networks in a cloud environment according to an embodiment of the invention.
Fig. 2 is an architecture diagram of the trusted controller framework for multi-tenant networks in a cloud environment according to another embodiment of the invention.
Fig. 3 is a flow chart of the operating method of the trusted controller framework for multi-tenant networks in a cloud environment according to an embodiment of the invention.
Fig. 4 is a flow chart of the trusted controller framework for multi-tenant networks in a cloud environment according to another embodiment of the invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only illustrative and do not limit the invention. In addition, the technical features of the embodiments described below may be combined with each other as long as they do not conflict.
The final goal of the invention is to realize secure and trusted management of multi-tenant networks in a cloud environment, reducing the risk that a malicious cloud administrator abuses permissions to attack tenant networks. A specific implementation based on the Xen virtualization platform and the Ryu controller is given below.
As shown in Fig. 1, the trusted controller framework for multi-tenant networks in a cloud environment comprises a cloud administrator domain, multiple tenant network (Tenant Network, hereinafter TN) administrator domains and a control domain. The cloud administrator domain is communicatively connected to the external cloud administrator, each TN administrator domain to its external TN administrator, and the control domain to the cloud administrator domain, the TN administrator domains and the data plane.
The control domain and the TN administrator domains are all user domains (domU in Xen in this embodiment), and the cloud administrator domain is the privileged domain (dom0 in Xen in this embodiment).
The control domain comprises a network controller (the Ryu controller in this embodiment) and a TN manager (TN_Hypervisor). The network controller receives network commands from the cloud administrator domain and the TN administrator domains and passes them to the TN manager after processing. In this embodiment the TN administrator domains and the cloud administrator domain send network commands to the control domain through the REST API provided by the control domain.
The TN manager uses a virtual-to-physical mapping table to abstract the data plane into multiple virtual tenant networks, and includes a network permission monitor that distinguishes and isolates the permissions of the cloud administrator and the TN administrators; after converting a network command from the control domain with the mapping table, it sends the command to the corresponding tenant network.
Specifically, the virtual-to-physical mapping table is kept in the memory of the controller architecture and records, for each tenant network, the mapping between its virtual resources (virtual switches, ports, flow tables, group tables and meter tables) and the real resources in the data plane (actual switches, ports, flow tables, group tables and meter tables). With this mapping table the network resources of different tenant networks are strictly isolated, because the control domain knows exactly which network resources each tenant network occupies and can therefore forbid unauthorized access by a TN administrator (for example, one TN administrator manipulating the network resources of another tenant network).
The permission monitor comprises the following three classes of network permissions:
Network partition permission: as shown in Table 1 below, the cloud administrator has the permission to partition network resources into tenant networks, while the TN administrator can further partition the tenant network into sub-networks on demand. In addition, the cloud administrator has no right to configure the network structure inside a tenant network. When a TN administrator applies for virtual machine resources, the cloud administrator simply allocates the virtual machine resources to the TN administrator, and the TN administrator decides how to use them.
Table 1
Routing path permission: as shown in Table 2 below, routing paths are divided into physical routing paths and virtual routing paths. The TN administrator has permission to configure and view the virtual routing paths inside the tenant network, while the cloud administrator is forbidden to configure any physical routing path, because every virtual routing path is ultimately mapped to one or more physical paths, which means a malicious cloud administrator could tamper with routing paths to attack a tenant network. The cloud administrator should also be forbidden to view physical routing paths, because he could abuse the routing information to attack tenant networks: for example, if the cloud administrator knows that the physical path between two virtual machines passes through a certain switch, a malicious cloud administrator can place a virtual machine directly on that switch and then eavesdrop on or tamper with the packets passing through it. In this embodiment only the control domain has the right to configure and view physical routing paths.
Table 2
Network bandwidth permission: as shown in Table 3 below, the TN administrator has permission to configure and view the bandwidth and flow inside the tenant network, while the cloud administrator can only configure the maximum bandwidth of each tenant network and view the total flow of each tenant network.
Resource                     Operation   Executor
Maximum bandwidth of the TN  Configure   Cloud administrator
Maximum flow of the TN       View        Cloud administrator
TN internal bandwidth        Configure   TN administrator
TN internal flow             View        TN administrator
Table 3
The TN manager is also used to receive status information of the tenant networks from the data layer and to forward that status information to the cloud management domain and the tenant management domain.
The cloud administrator domain is used to run the cloud management application (cloud App) from the cloud administrator, so as to manage the entire cloud network, and to start the control domain and the TN administrator domains.
The TN administrator domain is used to run the TN management application (TN App) from the TN administrator, so as to manage the tenant network.
Unlike the cloud administrator domain, the TN administrator domain does not need to run a complete network operating system (such as the Ryu network controller); it only needs to run a lightweight operating system to support the TN management application. In addition, the TN management application runs in the cloud rather than on the TN administrator's local computer. From a security standpoint, the cloud is protected by professional security staff, so running the TN management application in the cloud reduces security risk; from a performance standpoint, the TN management application needs to interact frequently with the control domain, so running it in the cloud reduces communication overhead to some extent.
Compared with the traditional vSDN system architecture, the present invention places the network controller and the TN monitor in the same control domain; the advantage is that intra-domain communication is more efficient than inter-domain communication.
As shown in Fig. 2, as a further preference, the trusted controller framework of the present invention for multi-tenant networks in a cloud environment may further include a network driver domain and a TN building domain.
The network driver domain is used to provide the communication connections between the external cloud administrator and the cloud administrator domain, and between the TN administrator and the TN administrator domain. Because only the network driver service is supported in the network driver domain, it only needs to run a lightweight operating system (such as Mini-OS) and the necessary libraries.
The TN building domain is used for the trusted building of the network driver domain, the control domain and the TN administrator domains.
In the present invention, the TN building domain interacts with the hardware trusted platform module (TPM) of the trusted controller framework for multi-tenant networks in a cloud environment, and runs a user-level daemon to implement virtualized TPMs (vTPMs), so that the control domain and the TN administrator domains each use their own vTPM. It is worth noting that the control domain is prohibited from interacting directly with the hardware TPM; all TPM operations, including hardware TPM and vTPM operations, are executed by the TN building domain.
As shown in Fig. 3, according to one implementation of the present invention, the operating method of the above trusted controller framework for multi-tenant networks in a cloud environment comprises the following steps:
(1) The cloud administrator domain and the control domain start and wait to receive a tenant network creation request from a new tenant; specifically, the tenant network creation request must contain the system kernel needed to create the TN administrator domain and the tenant's network demand (including the number of virtual machines, the network bandwidth, etc.);
(2) After receiving the tenant network creation request from the new tenant, the cloud administrator domain uses the system kernel in the request to create a TN administrator domain for the tenant; at the same time the control domain creates the corresponding tenant network according to the network demand in the request, assigns a network identifier to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data layer in the virtual-real mapping table of its TN manager;
(3) The TN administrator domain starts and waits for the TN administrator to log in;
(4) After the TN administrator logs in, the TN administrator domain runs the TN management application from that TN administrator to generate network commands, and sends the network commands to the control domain;
As a further preference, the method of the invention may further include, after step (3) and before step (4), a step in which the TN administrator domain receives an integrity verification request from the TN administrator and sends its log information to the TN administrator according to that request.
As a further preference, step (4) above may also be replaced by a step in which, after the TN administrator has logged in to the TN administrator domain, the control domain receives an integrity verification request from the TN administrator and sends its log information to the TN administrator according to that request, and the TN administrator domain then runs the TN management application from that TN administrator to generate network commands and sends them to the control domain.
(5) The control domain uses its network monitor to judge whether the received network command complies with the permissions; if it does, go to step (6), otherwise refuse to execute the network command;
Specifically, the network monitor judges whether a network command complies with the permissions by consulting Tables 1, 2 and 3 above and checking whether the resource, operation and executor of the network command match an entry. For example, if the resource of a network command is sub-network partition, the operation is configuration and the executor is the TN administrator, the command complies with the network permissions; if the resource is sub-network partition, the operation is configuration and the executor is the cloud administrator, the command does not comply;
(6) The control domain consults the virtual-real mapping table maintained in the TN manager according to the network command, converts the virtual resources in the network command to real resources, and sends the converted network command to the data layer;
(7) After the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a TN release request from the TN administrator;
(8) After receiving the TN release request from the TN administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the TN administrator domain;
(9) The control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-real mapping table of the TN manager, and deletes the corresponding network commands from the data layer.
As shown in Fig. 4, according to another implementation of the invention, the operating method of the trusted controller framework for multi-tenant networks in a cloud environment comprises the following steps:
(1) The cloud administrator domain, the TN building domain, the network driver domain and the control domain are trusted-started in sequence;
During the trusted start-up, the start-up process of each domain is measured and recorded by a security device, which guarantees that they start in order; in this embodiment the security device is a trusted platform module (TPM).
This step specifically includes the following sub-steps:
(1-1) The BIOS of the TN controller node initializes the measurement values of the hardware TPM and notifies the bootloader to load the Xen virtual machine monitor.
(1-2) The bootloader starts loading the Xen virtual machine monitor, the kernel and disk image of the cloud administrator domain, and the kernel and disk image of the TN building domain, and extends the measurement values of the Xen virtual machine monitor and the TN building domain into the platform configuration registers (PCRs) of the TPM.
(1-3) The Xen virtual machine monitor starts the cloud administrator domain and the TN building domain, and schedules the cloud administrator domain into the running state.
(1-4) The cloud administrator domain wakes up the TN building domain, which further starts the control domain and the network driver domain and extends the measurement values of the control domain and the network driver domain into the PCRs of the TPM.
It should be emphasized that the control domain should finish starting before the network driver domain, because the network driver domain is mainly responsible for communication with the network outside the cloud. If the network driver domain started before the control domain, the control domain would face many unnecessary security risks; for example, a malicious cloud administrator could log in to the cloud administrator domain and tamper with the disk image of the control domain. It is therefore very necessary to use the TPM to record the boot order of each domain. Once a domain has finished starting, it loads the related software programs (such as the controller service in the control domain) and data (such as the virtual-real mapping information in the TN monitor). For further trust verification, these software programs and the corresponding data can also be measured and extended into the related PCRs of the vTPM.
(2) The cloud management domain and the control domain wait to receive a tenant network creation request from a new tenant; specifically, the tenant network creation request contains the system kernel needed to create the TN administrator domain and the tenant's network demand (including the number of virtual machines, the network bandwidth, etc.);
(3) After receiving the TN creation request from the new tenant, the cloud administrator domain forwards the system kernel in the tenant network creation request to the TN building domain; at the same time the control domain creates the corresponding tenant network according to the network demand in the request, assigns a network identifier to the tenant network, and records the mapping between the virtual resources in the tenant network (including virtual switches, ports, flow tables, group tables and meter tables) and the real resources in the data layer (including real switches, ports, flow tables, group tables and meter tables) in the virtual-real mapping table of its TN manager;
(4) The TN building domain uses the system kernel received from the cloud administrator domain to create a trusted TN administrator domain for the tenant.
(5) The TN administrator domain is trusted-started and waits for a verification request from the TN administrator;
After the TN administrator domain has started, it loads the related software programs (such as the TN management application) and data (such as the data used by the TN management application); these software programs and the corresponding data can also be measured and extended into the related PCRs of the vTPM.
(6) After receiving the verification request from the TN administrator, the network driver domain forwards it to the TN administrator domain; the TN administrator domain forwards the log information in the security device to the TN administrator through the network driver domain and waits for the TN administrator to send a notice of whether the log information matches the TN administrator's own operation log. If the notice indicates a successful match, go to step (7); otherwise verification has failed and login to the TN administrator domain is refused.
(7) The TN administrator domain waits for the TN administrator's login request forwarded by the network driver domain;
(8) After receiving the TN administrator's login request, the TN administrator domain sends a verification request to the control domain;
(9) After receiving the TN administrator's verification request, the control domain forwards the related log information in the security device to the TN administrator domain, which forwards the log information to the TN administrator through the network driver domain and waits for the TN administrator to send a notice of whether the log information matches the TN administrator's own operation log. If the notice indicates a successful match, go to step (10); otherwise verification has failed and an error message is reported to the cloud administrator and the TN administrator.
(10) The TN administrator domain runs the TN management application from the TN administrator to generate network commands, and sends the network commands to the control domain;
(11) The control domain uses its network monitor to judge whether the received network command complies with the permissions; if it does, go to step (12), otherwise refuse to execute the network command;
Specifically, the network monitor judges whether a network command complies with the permissions by consulting Tables 1, 2 and 3 above and checking whether the resource, operation and executor of the network command match an entry. For example, if the resource of a network command is sub-network partition, the operation is configuration and the executor is the TN administrator, the command complies with the network permissions; if the resource is sub-network partition, the operation is configuration and the executor is the cloud administrator, the command does not comply;
(12) The control domain consults the virtual-real mapping table maintained in the TN manager according to the network command, converts the virtual resources in the network command to real resources, and sends the converted network command to the data layer;
(13) After the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a TN release request from the TN administrator;
(14) After receiving the TN release request from the TN administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the TN administrator domain through the TN building domain;
(15) The control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-real mapping table of the TN manager, and deletes the corresponding network commands from the data layer.
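The measured boot of sub-steps (1-1) to (1-4), and the log-versus-PCR comparison that an administrator performs later, can be simulated end to end. The following is an added example, not code from the patent: it models the TPM extend operation, an event log, a replay check that the log reproduces the PCR values, and the boot-order rule stated above (control domain before network driver domain). The component names, the use of a single PCR index, SHA-256 and the sample images are all assumptions; the patent specifies none of them.

```python
"""Added example (not the patent's own code): simulated measured boot of the
controller node's domains with TPM-style PCR extends and event-log replay,
following sub-steps (1-1) to (1-4). Names, PCR index and hash are assumptions."""
import hashlib
from typing import Dict, List, Tuple

ZERO_PCR = b"\x00" * 32  # assumed initial PCR value (SHA-256 width)
PCR_INDEX = 0            # assumed: all domains are extended into one PCR

# Boot order the text requires: the control domain before the network driver domain.
BOOT_ORDER = ["xen", "tn_build_domain", "control_domain", "network_driven_domain"]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """Measurement of a component is the hash of its image (kernel or disk image)."""
    return hashlib.sha256(image).digest()


class SimulatedTPM:
    """PCR bank plus the event log of (PCR index, component name, measurement)."""

    def __init__(self) -> None:
        self.pcr: Dict[int, bytes] = {}
        self.log: List[Tuple[int, str, bytes]] = []

    def extend_component(self, index: int, name: str, image: bytes) -> None:
        m = measure(image)
        self.pcr[index] = extend(self.pcr.get(index, ZERO_PCR), m)
        self.log.append((index, name, m))


def boot(images: Dict[str, bytes], order: List[str] = BOOT_ORDER) -> SimulatedTPM:
    """Bootloader / TN building domain: measure each component before starting it."""
    tpm = SimulatedTPM()
    for name in order:
        tpm.extend_component(PCR_INDEX, name, images[name])
    return tpm


def replay(log: List[Tuple[int, str, bytes]], pcr: Dict[int, bytes]) -> bool:
    """Recompute the PCRs from the log; an edited log no longer reproduces them."""
    recomputed: Dict[int, bytes] = {}
    for index, _name, m in log:
        recomputed[index] = extend(recomputed.get(index, ZERO_PCR), m)
    return recomputed == pcr


def verify_boot(tpm: SimulatedTPM, golden: Dict[str, bytes]) -> Tuple[bool, str]:
    """Verifier side (the administrator comparing the forwarded log with the
    expected one): the log must replay to the PCR values, every measurement must
    equal its known-good value, and the control domain must appear in the log
    before the network driver domain."""
    if not replay(tpm.log, tpm.pcr):
        return False, "event log does not reproduce PCR values"
    for _index, name, m in tpm.log:
        if golden.get(name) != m:
            return False, f"unexpected measurement for {name}"
    names = [name for _i, name, _m in tpm.log]
    if "control_domain" not in names or "network_driven_domain" not in names:
        return False, "required domain missing from boot log"
    if names.index("control_domain") > names.index("network_driven_domain"):
        return False, "network-driven domain started before control domain"
    return True, "ok"


# Constructed sample images standing in for the real kernels and disk images.
SAMPLE_IMAGES = {
    "xen": b"xen-hypervisor-image",
    "tn_build_domain": b"tn-build-domain-image",
    "control_domain": b"control-domain-image",
    "network_driven_domain": b"network-driven-domain-image",
}
GOLDEN = {name: measure(img) for name, img in SAMPLE_IMAGES.items()}

if __name__ == "__main__":
    print(verify_boot(boot(SAMPLE_IMAGES), GOLDEN))
```

A tampered control-domain disk image changes its measurement and therefore the PCR, so the golden comparison fails; swapping the start order of the last two domains leaves every measurement valid but is caught by the order check, which is exactly why the text insists on recording the boot sequence in the TPM.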
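The permission check of step (11) (step (5) in the first method) and the virtual-to-real conversion of step (12) (step (6)) form one pipeline inside the control domain. The following is an added example, not the patent's own code: the permission monitor holds the (resource, operation, executor) rules reconstructed from Tables 1 to 3 and the surrounding text, and a small TN manager keeps the per-tenant virtual-real mapping table that is created at step (3) and deleted at step (15). The resource and executor names and the sample mapping are assumptions.

```python
"""Added example (not the patent's own code): the control domain's permission
monitor and virtual-real mapping lookup for one network command. Rule contents
come from the page's Tables 1-3; identifiers and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

CLOUD_ADMIN, TN_ADMIN, CONTROL_DOMAIN = "cloud_admin", "tn_admin", "control_domain"

# (resource, operation) -> executors allowed. Any triple not listed is denied.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    # Table 1: partition permission
    ("tenant_network_partition", "configure"): {CLOUD_ADMIN},
    ("sub_network_partition", "configure"): {TN_ADMIN},
    # Table 2: routing paths; only the control domain touches physical paths
    ("virtual_routing_path", "configure"): {TN_ADMIN},
    ("virtual_routing_path", "view"): {TN_ADMIN},
    ("physical_routing_path", "configure"): {CONTROL_DOMAIN},
    ("physical_routing_path", "view"): {CONTROL_DOMAIN},
    # Table 3: bandwidth and traffic
    ("tn_max_bandwidth", "configure"): {CLOUD_ADMIN},
    ("tn_max_traffic", "view"): {CLOUD_ADMIN},
    ("tn_internal_bandwidth", "configure"): {TN_ADMIN},
    ("tn_internal_traffic", "view"): {TN_ADMIN},
}


@dataclass(frozen=True)
class NetworkCommand:
    executor: str
    resource: str
    operation: str
    tenant: str   # network identifier assigned to the tenant network at creation
    target: str   # virtual resource named in the command, e.g. "vswitch-1"


def permitted(cmd: NetworkCommand) -> bool:
    """Network permission monitor: resource, operation and executor must match a rule."""
    return cmd.executor in PERMISSIONS.get((cmd.resource, cmd.operation), set())


class TNManager:
    """Holds the virtual-real mapping table, one sub-table per tenant network."""

    def __init__(self) -> None:
        self.mapping: Dict[str, Dict[str, str]] = {}

    def create_tenant(self, tenant: str, virtual_to_real: Dict[str, str]) -> None:
        self.mapping[tenant] = dict(virtual_to_real)   # recorded at creation

    def release_tenant(self, tenant: str) -> None:
        self.mapping.pop(tenant, None)                 # deleted at release

    def to_real(self, tenant: str, virtual: str) -> Optional[str]:
        return self.mapping.get(tenant, {}).get(virtual)


def handle_command(cmd: NetworkCommand, manager: TNManager) -> Tuple[str, Optional[dict]]:
    """Control domain: permission check first, then conversion for the data layer.
    Returns (status, converted command or None)."""
    if not permitted(cmd):
        return "rejected: permission", None
    real = manager.to_real(cmd.tenant, cmd.target)
    if real is None:  # only resources mapped for this tenant's own network resolve
        return "rejected: unknown virtual resource", None
    return "forwarded", {"resource": cmd.resource, "operation": cmd.operation, "target": real}


if __name__ == "__main__":
    mgr = TNManager()
    mgr.create_tenant("tn-1", {"vswitch-1": "switch-7"})  # constructed sample mapping
    print(handle_command(NetworkCommand(TN_ADMIN, "sub_network_partition",
                                        "configure", "tn-1", "vswitch-1"), mgr))
```

The two examples given in the text map directly onto the rule table: the TN administrator configuring a sub-network partition is forwarded, the cloud administrator issuing the same command is refused. Because the mapping lookup is scoped to the tenant identifier in the command, a tenant cannot name another tenant's virtual resources even with a permitted (resource, operation) pair, and releasing the tenant makes all of its commands unresolvable.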
Those skilled in the art will readily appreciate that the foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention; any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. A trusted controller framework for multi-tenant networks in a cloud environment, comprising a cloud administrator domain, a plurality of tenant network administrator domains and a control domain, characterized in that:
the cloud administrator domain is communicatively connected with the external cloud administrator, each tenant network administrator domain is communicatively connected with an external tenant network administrator, and the control domain is communicatively connected with the cloud administrator domain, the tenant network administrator domains and the data layer;
the control domain comprises a network controller and a tenant network manager, the network controller being used to receive network commands from the cloud administrator domain and the tenant network administrator domains and, after processing the network commands, to pass them to the tenant network manager;
the tenant network manager is used to abstract the data layer into a plurality of virtual tenant networks using a virtual-real mapping table, and comprises a network permission monitor for distinguishing and isolating the permissions of the cloud administrator and the tenant network administrators; after converting the network commands from the control domain using the virtual-real mapping table, it sends the network commands to the corresponding tenant networks;
the tenant network manager is also used to receive status information of the tenant networks from the data layer and to forward the status information to the cloud management domain and the tenant management domains;
the cloud administrator domain is used to run the cloud management application from the cloud administrator, so as to manage the entire cloud network, and to start the control domain and the tenant network administrator domains;
the tenant network administrator domain is used to run the tenant network management application from the tenant network administrator, so as to manage the tenant network.
2. The trusted controller framework according to claim 1, characterized in that the control domain and the tenant network administrator domains are all in user domains, and the cloud administrator domain is in the privileged domain.
3. The trusted controller framework according to claim 1, characterized in that the virtual-real mapping table is located in the memory of the controller framework and is used to record the mapping between the virtual resources in each tenant network and the real resources in the data layer, wherein the virtual resources include virtual switches, ports, flow tables, group tables and meter tables, and the real resources include real switches, ports, flow tables, group tables and meter tables.
4. The trusted controller framework according to claim 1, characterized by further comprising a network driver domain and a tenant network building domain, wherein the network driver domain is used to provide the communication connections between the external cloud administrator and the cloud administrator domain and between the tenant network administrator and the tenant network administrator domain, and the tenant network building domain is used for the trusted building of the network driver domain, the control domain and the tenant network administrator domains.
5. An operating method of a trusted controller framework for multi-tenant networks in a cloud environment, characterized by comprising the following steps:
(1) the cloud administrator domain and the control domain start and wait to receive a tenant network creation request from a new tenant;
(2) after receiving the tenant network creation request from the new tenant, the cloud administrator domain uses the system kernel in the request to create a tenant network administrator domain for the tenant; at the same time the control domain creates the corresponding tenant network according to the network demand in the request, assigns a network identifier to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data layer in the virtual-real mapping table of its tenant network manager;
(3) the tenant network administrator domain starts and waits for the tenant network administrator to log in;
(4) after the tenant network administrator logs in, the tenant network administrator domain runs the tenant network management application from that tenant network administrator to generate network commands, and sends the network commands to the control domain;
(5) the control domain uses its network monitor to judge whether the received network command complies with the permissions; if it does, go to step (6), otherwise refuse to execute the network command;
(6) the control domain consults the virtual-real mapping table maintained in the tenant network manager according to the network command, converts the virtual resources in the network command to real resources, and sends the converted network command to the data layer;
(7) after the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a tenant network release request from the tenant network administrator;
(8) after receiving the tenant network release request from the tenant network administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the tenant network administrator domain;
(9) the control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-real mapping table of the tenant network manager, and deletes the corresponding network commands from the data layer.
6. The operating method according to claim 5, characterized by further comprising, after step (3) and before step (4), a step in which the tenant network administrator domain receives an integrity verification request from the tenant network administrator and sends its log information to the tenant network administrator according to that request.
7. The operating method according to claim 5, characterized in that in step (5) the network monitor judges whether a network command complies with the permissions by consulting the network permissions in the permission monitor and checking whether the resource, operation and executor of the network command match.
8. An operating method of a trusted controller framework for multi-tenant networks in a cloud environment, characterized by comprising the following steps:
(1) the cloud administrator domain, the tenant network building domain, the network driver domain and the control domain are trusted-started in sequence, wherein during the trusted start-up the start-up process of each domain is measured and recorded by a security device;
(2) the cloud management domain and the control domain wait to receive a tenant network creation request from a new tenant;
(3) after receiving the tenant network creation request from the new tenant, the cloud administrator domain forwards the system kernel in the request to the tenant network building domain; at the same time the control domain creates the corresponding tenant network according to the network demand in the request, assigns a network identifier to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data layer in the virtual-real mapping table of its tenant network manager;
(4) the tenant network building domain uses the system kernel received from the cloud administrator domain to create a trusted tenant network administrator domain for the tenant;
(5) the tenant network administrator domain is trusted-started and waits for a verification request from the tenant network administrator;
(6) after receiving the verification request from the tenant network administrator, the network driver domain forwards it to the tenant network administrator domain; the tenant network administrator domain forwards the log information in the security device to the tenant network administrator through the network driver domain and waits for the tenant network administrator to send a notice of whether the log information matches the tenant network administrator's own operation log; if the notice indicates a successful match, go to step (7), otherwise verification has failed and login to the tenant network administrator domain is refused;
(7) the tenant network administrator domain waits for the tenant network administrator's login request forwarded by the network driver domain;
(8) after receiving the tenant network administrator's login request, the tenant network administrator domain sends a verification request to the control domain;
(9) after receiving the tenant network administrator's verification request, the control domain forwards the related log information in the security device to the tenant network administrator domain, which forwards the log information to the tenant network administrator through the network driver domain and waits for the tenant network administrator to send a notice of whether the log information matches the tenant network administrator's own operation log; if the notice indicates a successful match, go to step (10); otherwise verification has failed and an error message is reported to the cloud administrator and the tenant network administrator;
(10) the tenant network administrator domain runs the tenant network management application from the tenant network administrator to generate network commands, and sends the network commands to the control domain;
(11) the control domain uses its network monitor to judge whether the received network command complies with the permissions; if it does, go to step (12), otherwise refuse to execute the network command;
(12) the control domain consults the virtual-real mapping table maintained in the tenant network manager according to the network command, converts the virtual resources in the network command to real resources, and sends the converted network command to the data layer;
(13) after the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a tenant network release request from the tenant network administrator;
(14) after receiving the tenant network release request from the tenant network administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the tenant network administrator domain through the tenant network building domain;
(15) the control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-real mapping table of the tenant network manager, and deletes the corresponding network commands from the data layer.
9. The operating method according to claim 8, characterized in that step (1) includes the following sub-steps:
(1-1) the BIOS of the tenant network controller node initializes the measurement values of the hardware TPM and notifies the bootloader to load the Xen virtual machine monitor;
(1-2) the bootloader starts loading the Xen virtual machine monitor, the kernel and disk image of the cloud administrator domain, and the kernel and disk image of the tenant network building domain, and extends the measurement values of the Xen virtual machine monitor and the tenant network building domain into the platform configuration registers of the hardware trusted platform module;
(1-3) the Xen virtual machine monitor starts the cloud administrator domain and the tenant network building domain, and schedules the cloud administrator domain into the running state;
(1-4) the cloud administrator domain wakes up the tenant network building domain, which further starts the control domain and the network driver domain and extends the measurement values of the control domain and the network driver domain into the platform configuration registers of the hardware trusted platform module.
CN201710273734.0A 2017-04-25 2017-04-25 Trusted controller framework and its operating method towards cloud environment multi-tenant network Active CN107104963B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710273734.0A CN107104963B (en) 2017-04-25 2017-04-25 Trusted controller framework and its operating method towards cloud environment multi-tenant network

Publications (2)

Publication Number Publication Date
CN107104963A CN107104963A (en) 2017-08-29
CN107104963B true CN107104963B (en) 2019-05-31

Family

ID=59657308

Country Status (1)

Country Link
CN (1) CN107104963B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412866B (en) * 2018-12-04 2020-07-28 中国科学院信息工程研究所 Active detection method for multi-tenant cloud platform security isolation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571821A (en) * 2012-02-22 2012-07-11 浪潮电子信息产业股份有限公司 Cloud security access control model
CN104272702A (en) * 2012-05-10 2015-01-07 思科技术公司 Method and apparatus for supporting access control lists in a multi-tenant environment
CN105554015A (en) * 2015-12-31 2016-05-04 北京轻元科技有限公司 Management network and method for multi-tenant container cloud computing system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《The Study on Configuration of Multi-Tenant》; Y. Y. Shin et al.; 《16th International Conference on Advanced Communication Technology》; 20140228; full text
《云计算执行环境可信构建关键技术研究》 (Research on key technologies for trusted construction of cloud computing execution environments); 代炜琦; 《信息科技辑》; 20160730

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant