CN107104963B - Trusted controller architecture for a multi-tenant cloud network and its operating method - Google Patents
- Publication number: CN107104963B (application number CN201710273734.0A)
- Authority: CN (China)
- Prior art keywords: domain, network, tenant, tenant network, administrator
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/10 — Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L41/28 — Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
- H04L63/123 — Applying verification of the received information: received data contents, e.g. message integrity
- H04L63/1466 — Countermeasures against active attacks involving interception, injection, modification or spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/10 — Protocols in which an application is distributed across nodes in the network
- H04L67/1095 — Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Abstract
The invention discloses a trusted controller architecture for a multi-tenant cloud network. It proposes a security specification for the tenant-network abstraction that states the security requirements a tenant network must meet in a multi-tenant environment; it derives from that specification a general SDN tenant-network controller architecture that raises the security of multi-tenant network management; and it introduces a new network-permission model that isolates the cloud administrator's network permissions, so that the cloud administrator cannot abuse them to attack a tenant network, while giving the tenant network (TN) administrator the permissions needed to manage the tenant network autonomously. In the invention, the controller uses a security device to monitor in real time whether the network state has been attacked or tampered with, and both the TN administrator and the cloud administrator can ask the controller to verify that the network is in a secure state. The invention applies to multi-tenant cloud networks and prevents a malicious cloud administrator from compromising the security and privacy of tenant networks.
Description
Technical field
The invention belongs to the field of multi-tenant cloud network security, and more particularly relates to a trusted controller architecture for a multi-tenant cloud network and its operating method.
Background technique
With the continuous development and maturing of cloud computing, many enterprises outsource their IT infrastructure to IaaS cloud providers to save cost. From the provider's point of view, the outsourced IT infrastructure is virtual infrastructure: virtual machines and virtual network facilities. We call the IT infrastructure that one customer outsources to a cloud provider a tenant network (TN). To serve multiple tenants, the IaaS provider virtualizes the physical cloud network into multiple virtual TNs.
Software-defined networking (SDN) separates the network decision service (control layer) from data forwarding (data layer), and is therefore increasingly used in cloud environments to simplify cloud network management; by itself, however, it does not give a TN autonomous management. To achieve network virtualization and let cloud tenants manage their networks autonomously, virtualized SDN (vSDN) was proposed: an SDN hypervisor is inserted between the data layer and the control layer and maps the underlying physical network onto multiple virtual networks, each corresponding to one tenant network and managed autonomously by the TN administrator through a dedicated vSDN controller.
Existing vSDN technology, however, has two problems. First, it violates the principle of least privilege: the SDN hypervisor gives the cloud administrator excessive network privileges, so if the cloud administrator becomes an insider attacker, or the management terminal he uses is compromised, the security of every tenant network is threatened. Second, it violates the principle of separation of duties: the vSDN controller is meant to be used by the TN administrator to manage the tenant network, yet it is allocated by the cloud administrator, so its integrity is exposed to a malicious cloud administrator.
Summary of the invention
In view of the above defects of the prior art, the present invention provides a trusted controller architecture for a multi-tenant cloud network and its operating method, with the aim of resolving the violations of the least-privilege and separation-of-duties principles in existing vSDN technology while preserving autonomous management of the tenant network and improving its security and efficiency.
To achieve this object, according to one aspect of the present invention, a trusted controller architecture for a multi-tenant cloud network comprises a cloud administrator domain, multiple TN administrator domains and a control domain. The cloud administrator domain communicates with the external cloud administrator; each TN administrator domain communicates with its external TN administrator; and the control domain communicates with the cloud administrator domain, the TN administrator domains and the data layer. The control domain contains a network controller and a TN manager. The network controller receives network commands from the cloud administrator domain and the TN administrator domains, processes them and forwards them to the TN manager. The TN manager abstracts the data layer into multiple virtual tenant networks by means of a virtual-physical mapping table; it contains a network permission monitor that distinguishes and isolates the permissions of the cloud administrator and the TN administrators, and it uses the mapping table to convert each network command from the control domain before sending it to the corresponding tenant network. The TN manager also receives tenant-network status information from the data layer and forwards it to the cloud administrator domain and the TN administrator domains. The cloud administrator domain runs the cloud administrator's cloud management application, which manages the whole cloud network, and it starts the control domain and the TN administrator domains. Each TN administrator domain runs the TN administrator's TN management application, which manages that tenant network.
Preferably, the control domain and the TN administrator domains are all user domains, and the cloud administrator domain is the privileged domain.
Preferably, the virtual-physical mapping table is held in the memory of the controller architecture and records, for each tenant network, the mapping between its virtual resources and the real resources in the data layer, where the virtual resources are virtual switches, ports, flow tables, group tables and meter tables, and the real resources are the actual switches, ports, flow tables, group tables and meter tables.
Preferably, the controller architecture further comprises a network driver domain and a TN build domain. The network driver domain provides the communication connections between the external cloud administrator and the cloud administrator domain and between each TN administrator and its TN administrator domain; the TN build domain performs the trusted construction of the network driver domain, the control domain and the TN administrator domains.
In general, compared with the prior art, the above technical scheme has the following beneficial effects:
(1) The controller architecture solves the least-privilege violation of the existing vSDN architecture: because a network permission monitor in the control domain distinguishes and isolates the network permissions of the cloud administrator and the TN administrators, attacks on TN security by the cloud administrator himself, or through a compromised management terminal, are effectively prevented.
(2) The controller architecture solves the separation-of-duties violation of the existing vSDN architecture: sequential start-up and integrity verification guarantee the boot order and start-up integrity of every domain in the architecture, so a malicious cloud administrator cannot corrupt the integrity of the TN-related network state.
(3) Good generality: first, the invention applies to any multi-tenant network environment (not necessarily a cloud), and the developer of any multi-tenant network can deploy it according to the stated security requirements and extend those requirements as needed; second, the SDN-based multi-tenant network controller architecture is not tied to a particular SDN controller or virtualization platform, and any current SDN controller (such as Floodlight or Ryu) and virtualization platform (such as Xen or KVM) can easily be extended onto it.
(4) Low overhead: under the original vSDN architecture the TN management application, the controller and the SDN hypervisor sit on different hosts, and their frequent network communication is costly. The invention places the controller and the TN manager in the same control domain and runs the TN management application in the cloud, which substantially reduces that communication overhead.
According to another aspect of the present invention, an operating method for the trusted controller architecture for a multi-tenant cloud network comprises the following steps:
(1) The cloud administrator domain and the control domain start and wait for a tenant-network creation request from a new tenant;
(2) On receiving the creation request, the cloud administrator domain creates a TN administrator domain for the tenant using the system kernel carried in the request; at the same time the control domain creates the corresponding tenant network according to the network demand in the request, assigns it a network identifier, and records the mapping between the virtual resources of the tenant network and the real resources of the data layer in the virtual-physical mapping table of its TN manager;
(3) The TN administrator domain starts and waits for the TN administrator to log in;
(4) After the TN administrator logs in, the TN administrator domain runs his TN management application, which generates network commands and sends them to the control domain;
(5) The control domain uses its network permission monitor to judge whether the received network command is within the sender's permissions; if so, it proceeds to step (6), otherwise it refuses to execute the command;
(6) The control domain looks up the virtual-physical mapping table maintained by the TN manager, converts the virtual resources in the command into real resources, and sends the converted command to the data layer;
(7) After the data layer has processed all network commands, the cloud administrator domain and the control domain wait for a TN release request from the TN administrator;
(8) On receiving the release request, the cloud administrator domain reclaims the virtual resources of the tenant network and destroys the TN administrator domain;
(9) The control domain deletes the mapping between the tenant network's virtual resources and the data layer's real resources from the TN manager's mapping table, and deletes the corresponding network commands from the data layer.
Preferably, the method further comprises, after step (3) and before step (4), the TN administrator domain receiving an integrity verification request from the TN administrator and sending him its log information in response.
Preferably, in step (5) the network permission monitor decides whether a command is within permissions by checking, against the network permissions it holds, whether the command's resource, operation and executor match an allowed triple.
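The following Python example, added here and not part of the patent, walks steps (2), (6), (8) and (9) of this method for a TN manager whose virtual-physical mapping table covers switches, ports and flow tables. The physical switches s1 and s2, their port numbers, the fixed four-table range per tenant and the command format are assumptions made for the example; the patent does not specify them. The point it shows is the one the mapping table is meant to give: a tenant names only virtual resources, and a command that refers to a virtual port or flow table outside the tenant's own network is refused before anything reaches the data layer.

```python
import itertools
from typing import Dict, List, Tuple

VPort = Tuple[str, int]   # (virtual switch, virtual port) as a TN administrator sees it
PPort = Tuple[str, int]   # (physical switch, physical port) in the data layer

TABLES_PER_TN = 4         # assumed: each tenant owns a private, disjoint range of physical flow-table ids


class TNManager:
    """Virtual-physical mapping table of the TN manager, for steps (2), (6), (8) and (9).
    Switch names, port numbers and the command format are assumptions for this example."""

    def __init__(self, free_ports: Dict[str, List[int]]):
        # physical ports not yet handed to any tenant, per physical switch
        self.free_ports = {sw: list(ports) for sw, ports in free_ports.items()}
        self.mapping: Dict[str, Dict[VPort, PPort]] = {}     # tn id -> virtual port -> physical port
        self.table_base: Dict[str, int] = {}                  # tn id -> first physical table id it owns
        self.data_layer: Dict[str, List[dict]] = {sw: [] for sw in free_ports}  # installed rules per switch
        self._ids = itertools.count(1)

    def create_tn(self, n_ports: int) -> str:
        """Step (2): pick a physical switch with enough free ports, assign a network id,
        and record virtual port k -> physical (switch, port) in the mapping table."""
        for sw, ports in self.free_ports.items():
            if len(ports) >= n_ports:
                break
        else:
            raise RuntimeError(f"no physical switch has {n_ports} free ports")
        seq = next(self._ids)
        tn_id = f"tn{seq}"
        self.mapping[tn_id] = {("vs1", k + 1): (sw, ports.pop(0)) for k in range(n_ports)}
        self.table_base[tn_id] = (seq - 1) * TABLES_PER_TN
        return tn_id

    def push(self, tn_id: str, cmd: dict) -> dict:
        """Step (6): convert the virtual resources in a tenant's command to real ones and send
        the result to the data layer. A virtual port or flow table the tenant does not own is
        refused before anything reaches a switch, so one TN administrator cannot name another
        tenant's ports, and cannot name a physical port at all."""
        vmap = self.mapping.get(tn_id)
        if vmap is None:
            raise KeyError(f"unknown tenant network {tn_id}")
        vin, vout = (cmd["switch"], cmd["in_port"]), (cmd["switch"], cmd["out_port"])
        if vin not in vmap or vout not in vmap:
            raise PermissionError(f"{tn_id} referenced a virtual port outside its own network")
        if not 0 <= cmd["table"] < TABLES_PER_TN:
            raise PermissionError(f"{tn_id} referenced a flow table outside its own range")
        (sw, pin), (_, pout) = vmap[vin], vmap[vout]
        rule = {"tn": tn_id, "switch": sw, "table": self.table_base[tn_id] + cmd["table"],
                "in_port": pin, "out_port": pout, "match": cmd.get("match", "*")}
        self.data_layer[sw].append(rule)
        return rule

    def release(self, tn_id: str) -> int:
        """Steps (8) and (9): delete the tenant's rules from the data layer, return its physical
        ports to the pool and drop its mapping entries. Returns the number of rules removed."""
        vmap = self.mapping.pop(tn_id)
        del self.table_base[tn_id]
        removed = 0
        for sw, rules in list(self.data_layer.items()):
            kept = [r for r in rules if r["tn"] != tn_id]
            removed += len(rules) - len(kept)
            self.data_layer[sw] = kept
        for sw, port in vmap.values():
            self.free_ports[sw].append(port)
        return removed


if __name__ == "__main__":
    mgr = TNManager({"s1": [1, 2, 3, 4], "s2": [1, 2]})        # constructed data layer
    tn1, tn2 = mgr.create_tn(2), mgr.create_tn(2)
    print(mgr.push(tn1, {"switch": "vs1", "table": 0, "in_port": 1, "out_port": 2, "match": "tcp/80"}))
    print(mgr.push(tn2, {"switch": "vs1", "table": 0, "in_port": 1, "out_port": 2}))  # lands on s1:3 -> s1:4
    try:
        mgr.push(tn2, {"switch": "vs1", "table": 0, "in_port": 3, "out_port": 1})    # not tn2's port: refused
    except PermissionError as e:
        print("refused:", e)
    print("rules removed on release:", mgr.release(tn1))
```

Both tenants ask for "vs1 port 1 to port 2"; tn1's command lands on s1:1 to s1:2 and tn2's on s1:3 to s1:4, in disjoint flow-table ranges, without either tenant ever seeing a physical identifier. Note that the permission check of step (5) (is this executor allowed this operation on this resource at all) is a separate decision that precedes this translation.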
According to yet another aspect of the present invention, an operating method for the trusted controller architecture for a multi-tenant cloud network comprises the following steps:
(1) The cloud administrator domain, the TN build domain, the network driver domain and the control domain are started in that order with trusted boot; during trusted boot a security device measures and records the start-up of each domain;
(2) The cloud administrator domain and the control domain wait for a tenant-network creation request from a new tenant;
(3) On receiving the creation request, the cloud administrator domain passes the system kernel carried in the request to the TN build domain; at the same time the control domain creates the corresponding tenant network according to the network demand in the request, assigns it a network identifier, and records the mapping between the tenant network's virtual resources and the data layer's real resources in the virtual-physical mapping table of its TN manager;
(4) The TN build domain uses the system kernel received from the cloud administrator domain to create the tenant's TN administrator domain in a trusted manner;
(5) The TN administrator domain starts with trusted boot and waits for a verification request from the TN administrator;
(6) When the network driver domain receives the verification request from the TN administrator, it forwards it to the TN administrator domain, which sends the log information held in the security device back to the TN administrator through the network driver domain and waits for the TN administrator's notice of whether that log matches his own operation log; on a match, go to step (7); otherwise verification has failed and login to the TN administrator domain is refused;
(7) The TN administrator domain waits for the TN administrator's login request forwarded by the network driver domain;
(8) On receiving the login request, the TN administrator domain sends a verification request to the control domain;
(9) On receiving the verification request, the control domain sends the relevant log information in the security device to the TN administrator domain, which forwards it to the TN administrator through the network driver domain and waits for his notice of whether the log matches his operation log; on a match, go to step (10); otherwise verification has failed and an error is reported to the cloud administrator and the TN administrator;
(10) The TN administrator domain runs the TN administrator's TN management application, which generates network commands and sends them to the control domain;
(11) The control domain uses its network permission monitor to judge whether the received network command is within the sender's permissions; if so, it proceeds to step (12), otherwise it refuses to execute the command;
(12) The control domain looks up the virtual-physical mapping table maintained by the TN manager, converts the virtual resources in the command into real resources, and sends the converted command to the data layer;
(13) After the data layer has processed all network commands, the cloud administrator domain and the control domain wait for a TN release request from the TN administrator;
(14) On receiving the release request, the cloud administrator domain reclaims the virtual resources of the tenant network and destroys the TN administrator domain through the TN build domain;
(15) The control domain deletes the mapping between the tenant network's virtual resources and the data layer's real resources from the TN manager's mapping table, and deletes the corresponding network commands from the data layer.
Preferably, step (1) comprises the following sub-steps:
(1-1) The BIOS of the TN controller node initializes the hardware TPM and its measurement values, and notifies the bootloader to load the Xen virtual machine monitor;
(1-2) The bootloader loads the kernel and disk image of the Xen virtual machine monitor, of the cloud administrator domain and of the TN build domain, and extends the measurements of the Xen virtual machine monitor and the TN build domain into the platform configuration registers (PCRs) of the hardware TPM;
(1-3) The Xen virtual machine monitor starts the cloud administrator domain and the TN build domain, and schedules the cloud administrator domain to run;
(1-4) The cloud administrator domain wakes the TN build domain, which in turn starts the control domain and the network driver domain and extends their measurements into the PCRs of the hardware TPM.
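The measurement chain of sub-steps (1-2) and (1-4), and the check the TN administrator performs on the resulting log in steps (6) and (9) (and in the integrity verification of the first method), as an added Python example that is not the patent's own code. It simulates a single SHA-256 PCR bank: each domain image is hashed, the hash is extended into the PCR, and a (domain, measurement) entry is appended to the event log the security device keeps. The image contents, the single PCR and the domain names are constructed for the example; the patent does not name which PCRs are used.

```python
import hashlib
from typing import List, Tuple

PCR_INIT = bytes(32)  # a PCR is all zeros after reset; a SHA-256 bank is assumed here

# Constructed stand-ins for the images measured in sub-steps (1-2) and (1-4), in boot order.
# Real ones are the hypervisor, kernel and disk images.
BOOT_IMAGES: List[Tuple[str, bytes]] = [
    ("xen",        b"xen-hypervisor-image"),
    ("tn_build",   b"tn-build-domain-image"),
    ("control",    b"control-domain-image"),
    ("net_driver", b"network-driver-domain-image"),
]


def measure(image: bytes) -> bytes:
    """Measurement of an image: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || measurement). The result depends on every
    measurement and on their order, and cannot be rolled back to an earlier value."""
    return hashlib.sha256(pcr + measurement).digest()


def trusted_boot(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Boot-time side: measure each domain in order, extend the PCR, and record
    (domain, measurement) in the event log kept by the security device."""
    pcr = PCR_INIT
    log: List[Tuple[str, str]] = []
    for name, image in images:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay(log: List[Tuple[str, str]]) -> bytes:
    """Recompute the PCR value a log claims to describe."""
    pcr = PCR_INIT
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def verify_startup(log: List[Tuple[str, str]], reported_pcr: bytes,
                   expected: List[Tuple[str, str]]) -> bool:
    """The TN administrator's check in steps (6) and (9): the log must replay to the PCR value
    the TPM reports (otherwise the log was edited after the fact), and each entry must equal
    the administrator's own expected measurement for that domain, in the same order."""
    if replay(log) != reported_pcr:
        return False
    return list(log) == list(expected)


if __name__ == "__main__":
    pcr, log = trusted_boot(BOOT_IMAGES)
    expected = [(name, measure(img).hex()) for name, img in BOOT_IMAGES]  # admin's golden values
    print("clean boot verifies:", verify_startup(log, pcr, expected))
    evil = [(n, b"control-domain-image-backdoored" if n == "control" else i) for n, i in BOOT_IMAGES]
    pcr2, log2 = trusted_boot(evil)
    print("backdoored control domain verifies:", verify_startup(log2, pcr2, expected))
```

The replay step is what makes the log worth anything: an edited log entry no longer reproduces the PCR value, and a swapped boot order does not either. In a deployment the reported PCR value must come from the TPM itself (a signed quote), since a log presented by the very domain being verified is only evidence once it is tied to the hardware register.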
In general, compared with the prior art, the above technical scheme has the following beneficial effects:
(1) The method solves the least-privilege violation of the existing vSDN architecture: because the network permission monitor in the control domain distinguishes and isolates the network permissions of the cloud administrator and the TN administrators, attacks on TN security by the cloud administrator himself, or through a compromised management terminal, are effectively prevented.
(2) The method solves the separation-of-duties violation of the existing vSDN architecture: sequential start-up and integrity verification guarantee the boot order and start-up integrity of every domain in the architecture, so a malicious cloud administrator cannot corrupt the integrity of the TN-related network state.
(3) More specifically, steps (11) and (12) check the legitimacy of the cloud administrator's and the TN administrator's network commands, which is what enforces least privilege against a cloud administrator who attacks a TN directly or through a compromised management terminal.
(4) More specifically, step (1) and steps (5) to (9) guarantee the boot order and start-up integrity of every domain in the architecture, which is what prevents a malicious cloud administrator from corrupting the TN-related network state.
(5) Good generality: first, the invention applies to any multi-tenant network environment (not necessarily a cloud), and the developer of any multi-tenant network can deploy it according to the stated security requirements and extend those requirements as needed; second, the SDN-based multi-tenant network controller architecture is not tied to a particular SDN controller or virtualization platform, and any current SDN controller (such as Floodlight or Ryu) and virtualization platform (such as Xen or KVM) can easily be extended onto it.
(6) Low overhead: under the original vSDN architecture the TN management application, the controller and the SDN hypervisor sit on different hosts, and their frequent network communication is costly. The invention places the controller and the TN manager in the same control domain and runs the TN management application in the cloud, which substantially reduces that communication overhead.
Brief description of the drawings
Fig. 1 is the architecture diagram of the trusted controller architecture for a multi-tenant cloud network according to one embodiment of the present invention.
Fig. 2 is the architecture diagram of the trusted controller architecture for a multi-tenant cloud network according to another embodiment of the present invention.
Fig. 3 is the flow chart of the operating method of the trusted controller architecture for a multi-tenant cloud network according to one embodiment of the present invention.
Fig. 4 is the flow chart of the operating method of the trusted controller architecture for a multi-tenant cloud network according to another embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only illustrative and do not limit the invention. The technical features of the embodiments described below may be combined with one another as long as they do not conflict.
The ultimate goal of the invention is secure and trusted management of multi-tenant networks in a cloud environment, so as to reduce attacks on tenant networks by a malicious cloud administrator abusing his permissions. A specific implementation based on the Xen virtualization platform and the Ryu controller is given below.
As shown in Fig. 1, the trusted controller architecture for a multi-tenant cloud network comprises a cloud administrator domain, multiple tenant network (TN) administrator domains and a control domain. The cloud administrator domain communicates with the external cloud administrator, each TN administrator domain communicates with its external TN administrator, and the control domain communicates with the cloud administrator domain, the TN administrator domains and the data layer.
The control domain and the TN administrator domains are all user domains (domU in Xen, in this implementation), and the cloud administrator domain is the privileged domain (dom0 in Xen).
The control domain contains a network controller (the Ryu controller in this implementation) and a TN manager (TN_Hypervisor). The network controller receives the network commands from the cloud administrator domain and the TN administrator domains, processes them and forwards them to the TN manager. The TN administrator domains and the cloud administrator domain send their network commands to the control domain through the REST API it provides.
The TN manager abstracts the data layer into multiple virtual tenant networks by means of the virtual-physical mapping table, and contains the network permission monitor that distinguishes and isolates the permissions of the cloud administrator and the TN administrators; it converts each network command from the control domain using the mapping table and then sends it to the corresponding tenant network.
Specifically, the virtual-physical mapping table is held in the memory of the controller architecture and records, for each tenant network, the mapping between its virtual resources (virtual switches, ports, flow tables, group tables and meter tables) and the real resources in the data layer (actual switches, ports, flow tables, group tables and meter tables). With this table the network resources of different tenant networks are strictly isolated, because the control domain knows exactly which network resources each tenant network occupies and can therefore refuse unauthorized access by a TN administrator (for example, one TN administrator manipulating the network resources of another tenant network).
The permission monitor covers the following three classes of network permissions:
Network partition permissions: as shown in Table 1, the cloud administrator has the permission to partition network resources into tenant networks, while a TN administrator may partition his tenant network into sub-networks as needed. The cloud administrator has no permission to configure the internal network structure of a tenant network. When a TN administrator applies for virtual machine resources, the cloud administrator merely allocates them to the TN administrator, who decides how to use them.
Table 1
Routing path permissions: as shown in Table 2, routing paths are either physical routing paths or virtual routing paths. A TN administrator may configure and view the virtual routing paths inside his tenant network. The cloud administrator is forbidden to configure any physical routing path, because every virtual routing path is ultimately mapped onto one or more physical paths, which means a malicious cloud administrator could attack a tenant network by tampering with a routing path. The cloud administrator is also forbidden to view physical routing paths, because that routing information could be abused to attack a tenant network: if, for example, the cloud administrator knows that the physical path between two virtual machines passes through a particular switch, a malicious cloud administrator can deploy a virtual machine directly on that switch and eavesdrop on or tamper with the packets passing through it. In the invention only the control domain may configure or view physical routing paths.
Table 2
Network bandwidth permissions: as shown in Table 3, a TN administrator may configure and view the bandwidth and traffic inside his tenant network, while the cloud administrator may only configure the maximum bandwidth of each tenant network and view its total traffic.
Resource                    | Operation | Executor
Maximum bandwidth of the TN | Configure | Cloud administrator
Maximum traffic of the TN   | View      | Cloud administrator
Bandwidth inside the TN     | Configure | TN administrator
Traffic inside the TN       | View      | TN administrator
Table 3
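The (resource, operation, executor) check that step (5) of the operating method describes, applied to the three permission classes above, as an added Python example that is not the patent's own code. It collects the network partition, routing path and bandwidth permissions (Tables 1 to 3, as described in the text) into one allow-list with default deny, and additionally requires that a TN administrator acts only on his own tenant network, which the description implies but the tables do not spell out. The role names, resource names and command layout are assumptions chosen for the example.

```python
from typing import Set, Tuple

# Allowed (resource, operation, executor) triples built from the three permission classes.
# Anything not listed is denied. Names are example choices, not the patent's identifiers.
ALLOWED: Set[Tuple[str, str, str]] = {
    # network partition permissions (Table 1)
    ("physical network partition", "configure", "cloud_admin"),
    ("tn sub-network partition",   "configure", "tn_admin"),
    ("vm resources",               "allocate",  "cloud_admin"),
    ("vm resources",               "configure", "tn_admin"),
    # routing path permissions (Table 2): the cloud administrator gets nothing here
    ("virtual routing path",  "configure", "tn_admin"),
    ("virtual routing path",  "view",      "tn_admin"),
    ("physical routing path", "configure", "control_domain"),
    ("physical routing path", "view",      "control_domain"),
    # bandwidth permissions (Table 3)
    ("tn max bandwidth",      "configure", "cloud_admin"),
    ("tn max traffic",        "view",      "cloud_admin"),
    ("tn internal bandwidth", "configure", "tn_admin"),
    ("tn internal traffic",   "view",      "tn_admin"),
}

# Resources that live inside one tenant network; a TN administrator may only touch his own.
TENANT_SCOPED = {"tn sub-network partition", "vm resources", "virtual routing path",
                 "tn internal bandwidth", "tn internal traffic"}


def check_permission(cmd: dict) -> Tuple[bool, str]:
    """Decision of the permission monitor for one network command.

    cmd keys: role ("cloud_admin", "tn_admin" or "control_domain"), resource, operation;
    a tn_admin also carries own_tn, and any tenant-scoped resource carries target_tn."""
    role, resource, op = cmd["role"], cmd["resource"], cmd["operation"]
    if (resource, op, role) not in ALLOWED:
        return False, f"{role} may not {op} {resource}"
    if resource in TENANT_SCOPED:
        target = cmd.get("target_tn")
        if target is None:
            return False, f"{op} on {resource} needs a target tenant network"
        if role == "tn_admin" and target != cmd.get("own_tn"):
            return False, f"TN administrator of {cmd.get('own_tn')} may not act on {target}"
    return True, "ok"


if __name__ == "__main__":
    # constructed commands: a cloud administrator probing a physical path, and a TN
    # administrator reaching into a neighbour's network, both refused
    for c in [
        {"role": "cloud_admin", "resource": "physical routing path", "operation": "view"},
        {"role": "cloud_admin", "resource": "tn max bandwidth", "operation": "configure", "target_tn": "tn1"},
        {"role": "tn_admin", "own_tn": "tn1", "target_tn": "tn2",
         "resource": "virtual routing path", "operation": "configure"},
        {"role": "control_domain", "resource": "physical routing path", "operation": "configure"},
    ]:
        print(c["role"], c["operation"], c["resource"], "->", check_permission(c))
```

Default deny matters more than the list itself: an operation the tables never mention (say, the cloud administrator reading a tenant's internal traffic) is refused without anyone having to write a rule for it.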
The TN manager also receives tenant-network status information from the data layer and forwards it to the cloud administrator domain and the TN administrator domains.
The cloud administrator domain runs the cloud administrator's cloud management application (cloud App) to manage the whole cloud network, and starts the control domain and the TN administrator domains.
Each TN administrator domain runs the TN administrator's TN management application (TN App) to manage that tenant network.
Unlike the cloud administrator domain, a TN administrator domain does not need to run a complete network operating system (such as the Ryu network controller); a lightweight operating system that supports the TN management application is enough. In addition, the TN management application runs in the cloud rather than on the TN administrator's local computer. From a security standpoint, the cloud is protected by professional security staff, so running the TN management application there reduces the security risk; from a performance standpoint, the TN management application interacts frequently with the control domain, so running it in the cloud reduces the communication overhead to some extent.
Compared with traditional vSDN system architecture, network controller, TN monitor are put into the same control domain by the present invention
In domain, it is advantageous that the efficiency of intra-area communication is more high-efficient than inter-domain communication.
As shown in Fig. 2, as a further preference, the trusted controller framework of the present invention for a multi-tenant cloud network may further include a network driver domain and a TN construction domain.
The network driver domain provides the communication connection between the external cloud administrator and the cloud administrator domain, and between the external TN administrators and the TN administrator domains. Because only the network driver service runs in the network driver domain, it only needs to run a lightweight operating system (such as Mini OS) and the necessary libraries.
The TN construction domain is used to build the network driver domain, the control domain and the TN administrator domains in a trusted manner.
In the present invention, the TN construction domain interacts with the hardware Trusted Platform Module (TPM) of the trusted controller framework for the multi-tenant cloud network and runs a user-level daemon that implements a virtualized TPM (vTPM), so that the control domain and each TN administrator domain use their own vTPM. Note that the control domain is prohibited from interacting with the hardware TPM directly: all TPM operations, including hardware TPM and vTPM operations, are carried out by the TN construction domain.
As shown in Fig. 3, according to one embodiment of the present invention, the operating method of the above trusted controller framework for a multi-tenant cloud network includes the following steps:
(1) The cloud administrator domain and the control domain start and wait to receive a tenant network creation request from a new tenant. Specifically, the tenant network creation request contains the system kernel needed to create the TN administrator domain and the tenant's network requirements (including the number of virtual machines, the network bandwidth, etc.);
(2) After receiving the tenant network creation request from the new tenant, the cloud administrator domain creates a TN administrator domain for the tenant using the system kernel contained in the request. At the same time, the control domain creates the corresponding tenant network according to the network requirements in the request, assigns a network identity to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data layer in the virtual-to-real mapping table of its TN manager;
(3) The TN administrator domain starts and waits for the TN administrator to log in;
(4) After the TN administrator logs in, the TN administrator domain runs the TN management application of that TN administrator to generate network commands, and sends the network commands to the control domain;
As a further preference, the method of the present invention may also include, after step (3) and before step (4), a step in which the TN administrator domain receives an integrity verification request from the TN administrator and sends its log information to the TN administrator according to that request.
As a further preference, step (4) may also be replaced by the following step: after the TN administrator logs in to the TN administrator domain, the control domain receives the integrity verification request from the TN administrator and sends its log information to the TN administrator according to that request; the TN administrator domain then runs the TN management application of that TN administrator to generate network commands and sends the network commands to the control domain.
(5) The control domain uses its network permission monitor to judge whether a received network command complies with the permissions; if it does, proceed to step (6), otherwise the control domain refuses to execute the network command;
Specifically, the network permission monitor judges whether a network command complies with the permissions by looking up Tables 1, 2 and 3 above and checking whether the command's resource, operation and executor all match a row. For example, if a network command's resource is sub-network division, its operation is configuration and its executor is a TN administrator, the command complies with the network permissions; if a network command's resource is sub-network division, its operation is configuration and its executor is the cloud administrator, the command does not comply;
(6) The control domain consults the virtual-to-real mapping table maintained in the TN manager according to the network command, converts the virtual resources in the command into real resources, and sends the converted command to the data layer;
(7) After the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a TN release request from the TN administrator;
(8) After receiving the TN release request from the TN administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the TN administrator domain;
(9) The control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-to-real mapping table of the TN manager, and deletes the corresponding network commands from the data layer.
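The permission check of step (5), the virtual-to-real translation of step (6) and the release of step (9), as an added example that is not the patent's own code; the resource names are taken from the text and Table 3 (Tables 1 and 2 are not reproduced in full), and the tenant, switch and port identifiers are constructed.

```python
"""Added example, not the patent's own code: a minimal model of the control domain's
network permission monitor (step 5) and the TN manager's virtual-to-real mapping
table (steps 2, 6 and 9). Resource names, tenant IDs and switch IDs are constructed."""
from dataclasses import dataclass, field

# (resource, operation) -> executors allowed to perform it. The bandwidth rows are
# Table 3; the routing-path and sub-network-division rows follow the text. Tables 1
# and 2 are not reproduced in full (assumption: same resource/operation/executor shape).
PERMISSIONS = {
    ("sub-network division", "configure"): {"TN administrator"},
    ("physical routing path", "configure"): {"control domain"},
    ("physical routing path", "check"): {"control domain"},
    ("TN maximum bandwidth", "configure"): {"cloud administrator"},
    ("TN maximum flow", "check"): {"cloud administrator"},
    ("TN internal bandwidth", "configure"): {"TN administrator"},
    ("TN internal flow", "check"): {"TN administrator"},
}


@dataclass(frozen=True)
class NetworkCommand:
    tenant: str      # network identity of the tenant network the command concerns (step 2)
    executor: str    # who issued the command
    resource: str
    operation: str
    vswitch: str     # virtual switch named in the command
    vport: int       # virtual port on that switch


@dataclass
class MappingTable:
    """Per-tenant map of (virtual switch, virtual port) -> (real switch, real port)."""
    entries: dict = field(default_factory=dict)

    def create_tenant(self, tenant, virt_to_real):
        """Step (2): record the tenant's virtual-to-real mapping."""
        self.entries[tenant] = dict(virt_to_real)

    def release_tenant(self, tenant):
        """Step (9): drop every mapping of the tenant; returns how many were removed."""
        return len(self.entries.pop(tenant, {}))

    def to_real(self, tenant, vswitch, vport):
        """Step (6): virtual -> real. The lookup is scoped to the tenant, so a command
        can only ever be translated onto that tenant's own slice of the data layer."""
        return self.entries.get(tenant, {}).get((vswitch, vport))


def permitted(cmd):
    """Step (5): resource, operation and executor must all match one permission row."""
    return cmd.executor in PERMISSIONS.get((cmd.resource, cmd.operation), set())


def process(cmd, table):
    """Steps (5) and (6) together: returns ('rejected', reason) or ('forwarded', real_cmd)."""
    if not permitted(cmd):
        return "rejected", "permission check failed"
    real = table.to_real(cmd.tenant, cmd.vswitch, cmd.vport)
    if real is None:
        return "rejected", "virtual resource is not mapped for this tenant"
    return "forwarded", {"switch": real[0], "port": real[1],
                         "resource": cmd.resource, "operation": cmd.operation}


if __name__ == "__main__":
    table = MappingTable()
    table.create_tenant("tn-A", {("vs1", 1): ("sw7", 12)})
    # the two examples given in the text: same resource and operation, different executor
    ok = NetworkCommand("tn-A", "TN administrator", "sub-network division", "configure", "vs1", 1)
    bad = NetworkCommand("tn-A", "cloud administrator", "sub-network division", "configure", "vs1", 1)
    print(process(ok, table))   # forwarded, addressed to sw7 port 12
    print(process(bad, table))  # rejected: permission check failed
```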
As shown in Fig. 4, according to another embodiment of the present invention, the operating method of the trusted controller framework for a multi-tenant cloud network includes the following steps:
(1) The cloud administrator domain, the TN construction domain, the network driver domain and the control domain are trusted-booted in sequence;
During the trusted boot, the start-up process of each domain is measured and recorded by a security device, which guarantees that the domains start in order. In this embodiment the security device is a Trusted Platform Module (TPM). This step specifically includes the following sub-steps:
(1-1) The BIOS of the TN controller node initializes the measurement values of the hardware TPM and instructs the bootloader to load the Xen virtual machine monitor.
(1-2) The bootloader starts loading the Xen virtual machine monitor, the kernel and disk image of the cloud administrator domain, and the kernel and disk image of the TN construction domain, and extends the measurements of the Xen virtual machine monitor and the TN construction domain into the Platform Configuration Registers (PCRs) of the TPM.
(1-3) The Xen virtual machine monitor starts the cloud administrator domain and the TN construction domain, and schedules the cloud administrator domain into the running state.
(1-4) The cloud administrator domain wakes up the TN construction domain, which in turn starts the control domain and the network driver domain and extends the measurements of the control domain and the network driver domain into the PCRs of the TPM.
It should be emphasized that the control domain must finish starting before the network driver domain, because the network driver domain is mainly responsible for communication with the network outside the cloud. If the network driver domain started before the control domain, the control domain would face many unnecessary security risks; for example, a malicious cloud administrator could log in to the cloud administrator domain and tamper with the disk image of the control domain. It is therefore necessary to use the TPM to record the boot sequence of each domain. Once a domain has finished starting, it loads its related software programs (such as the controller service in the control domain) and data (such as the virtual-to-real mapping information in the TN manager). For further trust verification, these software programs and their data may also be measured and extended into the related PCRs of the vTPM.
(2) The cloud management domain and the control domain wait to receive a tenant network creation request from a new tenant. Specifically, the tenant network creation request contains the system kernel needed to create the TN administrator domain and the tenant's network requirements (including the number of virtual machines, the network bandwidth, etc.);
(3) After receiving the TN creation request from the new tenant, the cloud administrator domain forwards the system kernel contained in the request to the TN construction domain. At the same time, the control domain creates the corresponding tenant network according to the network requirements in the request, assigns a network identity to the tenant network, and records the mapping between the virtual resources in the tenant network (including virtual switches, ports, flow tables, group tables and meter tables) and the real resources in the data layer (including physical switches, ports, flow tables, group tables and meter tables) in the virtual-to-real mapping table of its TN manager;
(4) The TN construction domain uses the system kernel received from the cloud administrator domain to create a TN administrator domain for the tenant in a trusted manner.
(5) The TN administrator domain is trusted-booted and waits for a verification request from the TN administrator;
After starting, the TN administrator domain loads its related software programs (such as the TN management application) and data (such as the data used by the TN management application); these software programs and their data may also be measured and extended into the related PCRs of the vTPM.
(6) After receiving the verification request from the TN administrator, the network driver domain forwards it to the TN administrator domain. The TN administrator domain sends the log information held in the security device to the TN administrator through the network driver domain, and waits for the TN administrator's notification of whether the log information matches the operation log corresponding to that TN administrator. If the notification indicates a successful match, go to step (7); otherwise verification has failed and login to the TN administrator domain is refused.
(7) The TN administrator domain waits for the TN administrator's login request forwarded by the network driver domain;
(8) After receiving the TN administrator's login request, the TN administrator domain sends a verification request to the control domain;
(9) After receiving the verification request of the TN administrator, the control domain forwards the relevant log information held in the security device to the TN administrator domain, which sends the log information to the TN administrator through the network driver domain and waits for the TN administrator's notification of whether the log information matches the corresponding operation log. If the notification indicates a successful match, go to step (10); otherwise verification has failed and an error message is reported to the cloud administrator and the TN administrator.
(10) The TN administrator domain runs the TN management application of that TN administrator to generate network commands, and sends the network commands to the control domain;
(11) The control domain uses its network permission monitor to judge whether a received network command complies with the permissions; if it does, proceed to step (12), otherwise the control domain refuses to execute the network command;
Specifically, the network permission monitor judges whether a network command complies with the permissions by looking up Tables 1, 2 and 3 above and checking whether the command's resource, operation and executor all match a row. For example, if a network command's resource is sub-network division, its operation is configuration and its executor is a TN administrator, the command complies with the network permissions; if a network command's resource is sub-network division, its operation is configuration and its executor is the cloud administrator, the command does not comply;
(12) The control domain consults the virtual-to-real mapping table maintained in the TN manager according to the network command, converts the virtual resources in the command into real resources, and sends the converted command to the data layer;
(13) After the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a TN release request from the TN administrator;
(14) After receiving the TN release request from the TN administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the TN administrator domain through the TN construction domain;
(15) The control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-to-real mapping table of the TN manager, and deletes the corresponding network commands from the data layer.
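The measured boot of step (1) and the log check the TN administrator performs in steps (6) and (9), as an added example that is not part of the patent: the PCR extend rule PCR' = H(PCR || H(image)) follows the usual TPM convention, and the domain names, the constructed disk images and the explicit boot-order check (control domain before network driver domain) are assumptions made for this illustration.

```python
"""Added example, not the patent's own code: a model of the measured boot in step (1)
and of the log check the TN administrator performs in steps (6) and (9). The extend rule
PCR' = H(PCR || H(image)) is the usual TPM convention; domain images are constructed bytes."""
import hashlib

PCR_INITIAL = bytes(32)   # sub-step (1-1): the BIOS resets the measurement register

# Order in which the domains must be measured and started (sub-steps 1-2 and 1-4).
BOOT_ORDER = ["xen", "tn-construction-domain", "control-domain", "network-driver-domain"]


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    return hashlib.sha256(pcr + digest).digest()


class Tpm:
    """One PCR plus the measurement log that is later handed to the TN administrator."""

    def __init__(self):
        self.pcr = PCR_INITIAL
        self.log = []          # (component name, measurement) in boot order

    def extend_component(self, name: str, image: bytes) -> bytes:
        digest = measure(image)
        self.pcr = extend(self.pcr, digest)
        self.log.append((name, digest))
        return self.pcr


def trusted_boot(images: dict, order=BOOT_ORDER) -> Tpm:
    """Measure and extend every domain image in the given boot order."""
    tpm = Tpm()
    for name in order:
        tpm.extend_component(name, images[name])
    return tpm


def replay(log) -> bytes:
    """Recompute the PCR value that the log claims to describe."""
    pcr = PCR_INITIAL
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify_log(log, reported_pcr: bytes, reference: dict):
    """The check the TN administrator does when the log is sent to it (steps 6 and 9):
    the log must reproduce the reported PCR, every measurement must equal the known-good
    reference for that component, and the control domain must precede the network driver domain."""
    if replay(log) != reported_pcr:
        return False, "log does not reproduce the reported PCR"
    for name, digest in log:
        if reference.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    names = [name for name, _ in log]
    if "control-domain" not in names or "network-driver-domain" not in names:
        return False, "required domain missing from log"
    if names.index("control-domain") > names.index("network-driver-domain"):
        return False, "network driver domain was started before the control domain"
    return True, "ok"


if __name__ == "__main__":
    # constructed disk images standing in for the real kernels and images
    images = {name: f"image of {name}".encode() for name in BOOT_ORDER}
    reference = {name: measure(img) for name, img in images.items()}
    tpm = trusted_boot(images)
    print(verify_log(tpm.log, tpm.pcr, reference))            # (True, 'ok')
    images["control-domain"] = b"tampered control domain disk image"
    tampered = trusted_boot(images)
    print(verify_log(tampered.log, tampered.pcr, reference))  # unexpected measurement
```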
As will be readily understood by those skilled in the art, the foregoing merely describes preferred embodiments of the present invention and does not limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (9)
1. A trusted controller framework for a multi-tenant cloud network, comprising a cloud administrator domain, a plurality of tenant network administrator domains and a control domain, characterized in that:
the cloud administrator domain is communicatively connected to an external cloud administrator, each tenant network administrator domain is communicatively connected to an external tenant network administrator, and the control domain is communicatively connected to the cloud administrator domain, the tenant network administrator domains and the data layer;
the control domain comprises a network controller and a tenant network manager; the network controller is configured to receive network commands from the cloud administrator domain and the tenant network administrator domains, process them and forward them to the tenant network manager;
the tenant network manager is configured to abstract the data layer into a plurality of virtual tenant networks using a virtual-to-real mapping table, comprises a network permission monitor for distinguishing and isolating the permissions of the cloud administrator and the tenant network administrators, and uses the virtual-to-real mapping table to convert the network commands received from the control domain before sending them to the corresponding tenant network;
the tenant network manager is further configured to receive status information about the tenant networks from the data layer and to forward the status information to the cloud management domain and the tenant management domain;
the cloud administrator domain is configured to run the cloud management application of the cloud administrator so as to manage the entire cloud network, and to start the control domain and the tenant network administrator domains;
each tenant network administrator domain is configured to run the tenant network management application of its tenant network administrator so as to manage the tenant network.
2. The trusted controller framework according to claim 1, characterized in that the control domain and the tenant network administrator domains are all located in user domains, and the cloud administrator domain is located in the privileged domain.
3. The trusted controller framework according to claim 1, characterized in that the virtual-to-real mapping table is held in the memory of the controller framework and records the mapping between the virtual resources in each tenant network and the real resources in the data layer, wherein the virtual resources comprise virtual switches, ports, flow tables, group tables and meter tables, and the real resources comprise physical switches, ports, flow tables, group tables and meter tables.
4. The trusted controller framework according to claim 1, characterized in that it further comprises a network driver domain and a tenant network construction domain, wherein the network driver domain is configured to provide the communication connections between the external cloud administrator and the cloud administrator domain and between the external tenant network administrators and the tenant network administrator domains, and the tenant network construction domain is configured to build the network driver domain, the control domain and the tenant network administrator domains in a trusted manner.
5. An operating method of a trusted controller framework for a multi-tenant cloud network, characterized in that it comprises the following steps:
(1) the cloud administrator domain and the control domain start and wait to receive a tenant network creation request from a new tenant;
(2) after receiving the tenant network creation request from the new tenant, the cloud administrator domain creates a tenant network administrator domain for the tenant using the system kernel contained in the request; at the same time the control domain creates the corresponding tenant network according to the network requirements in the request, assigns a network identity to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data layer in the virtual-to-real mapping table of its tenant network manager;
(3) the tenant network administrator domain starts and waits for the tenant network administrator to log in;
(4) after the tenant network administrator logs in, the tenant network administrator domain runs the tenant network management application of that tenant network administrator to generate network commands, and sends the network commands to the control domain;
(5) the control domain uses its network permission monitor to judge whether a received network command complies with the permissions; if it does, proceed to step (6), otherwise the control domain refuses to execute the network command;
(6) the control domain consults the virtual-to-real mapping table maintained in the tenant network manager according to the network command, converts the virtual resources in the command into real resources, and sends the converted command to the data layer;
(7) after the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a tenant network release request from the tenant network administrator;
(8) after receiving the tenant network release request from the tenant network administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the tenant network administrator domain;
(9) the control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-to-real mapping table of the tenant network manager, and deletes the corresponding network commands from the data layer.
6. The operating method according to claim 5, characterized in that it further comprises, after step (3) and before step (4), a step in which the tenant network administrator domain receives an integrity verification request from the tenant network administrator and sends its log information to the tenant network administrator according to that integrity verification request.
7. The operating method according to claim 5, characterized in that step (5) specifically comprises: the network permission monitor judges whether the network command complies with the permissions by looking up the network permissions held in the permission monitor and checking whether the resource, operation and executor of the network command match.
8. An operating method of a trusted controller framework for a multi-tenant cloud network, characterized in that it comprises the following steps:
(1) the cloud administrator domain, the tenant network construction domain, the network driver domain and the control domain are trusted-booted in sequence, wherein during the trusted boot the start-up process of each domain is measured and recorded by a security device;
(2) the cloud management domain and the control domain wait to receive a tenant network creation request from a new tenant;
(3) after receiving the tenant network creation request from the new tenant, the cloud administrator domain forwards the system kernel contained in the request to the tenant network construction domain; at the same time the control domain creates the corresponding tenant network according to the network requirements in the request, assigns a network identity to the tenant network, and records the mapping between the virtual resources in the tenant network and the real resources in the data layer in the virtual-to-real mapping table of its tenant network manager;
(4) the tenant network construction domain uses the system kernel received from the cloud administrator domain to create a tenant network administrator domain for the tenant in a trusted manner;
(5) the tenant network administrator domain is trusted-booted and waits for a verification request from the tenant network administrator;
(6) after receiving the verification request from the tenant network administrator, the network driver domain forwards it to the tenant network administrator domain; the tenant network administrator domain sends the log information held in the security device to the tenant network administrator through the network driver domain and waits for the tenant network administrator's notification of whether the log information matches the operation log corresponding to that administrator; if the notification indicates a successful match, go to step (7), otherwise verification has failed and login to the tenant network administrator domain is refused;
(7) the tenant network administrator domain waits for the tenant network administrator's login request forwarded by the network driver domain;
(8) after receiving the tenant network administrator's login request, the tenant network administrator domain sends a verification request to the control domain;
(9) after receiving the verification request of the tenant network administrator, the control domain forwards the relevant log information held in the security device to the tenant network administrator domain, which sends the log information to the tenant network administrator through the network driver domain and waits for the tenant network administrator's notification of whether the log information matches the corresponding operation log; if the notification indicates a successful match, go to step (10), otherwise verification has failed and an error message is reported to the cloud administrator and the tenant network administrator;
(10) the tenant network administrator domain runs the tenant network management application of the tenant network administrator to generate network commands, and sends the network commands to the control domain;
(11) the control domain uses its network permission monitor to judge whether a received network command complies with the permissions; if it does, proceed to step (12), otherwise the control domain refuses to execute the network command;
(12) the control domain consults the virtual-to-real mapping table maintained in the tenant network manager according to the network command, converts the virtual resources in the command into real resources, and sends the converted command to the data layer;
(13) after the data layer has processed all network commands, the cloud administrator domain and the control domain wait to receive a tenant network release request from the tenant network administrator;
(14) after receiving the tenant network release request from the tenant network administrator, the cloud administrator domain reclaims the virtual resources in the tenant network and destroys the tenant network administrator domain through the tenant network construction domain;
(15) the control domain deletes the mapping between the virtual resources in the tenant network and the real resources in the data layer from the virtual-to-real mapping table of the tenant network manager, and deletes the corresponding network commands from the data layer.
9. The operating method according to claim 8, characterized in that step (1) comprises the following sub-steps:
(1-1) the BIOS of the tenant network controller node initializes the measurement values of the hardware TPM and instructs the bootloader to load the Xen virtual machine monitor;
(1-2) the bootloader starts loading the Xen virtual machine monitor, the kernel and disk image of the cloud administrator domain, and the kernel and disk image of the tenant network construction domain, and extends the measurements of the Xen virtual machine monitor and the tenant network construction domain into the platform configuration registers of the hardware trusted platform module;
(1-3) the Xen virtual machine monitor starts the cloud administrator domain and the tenant network construction domain, and schedules the cloud administrator domain into the running state;
(1-4) the cloud administrator domain wakes up the tenant network construction domain, which in turn starts the control domain and the network driver domain and extends the measurements of the control domain and the network driver domain into the platform configuration registers of the hardware trusted platform module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710273734.0A CN107104963B (en) | 2017-04-25 | 2017-04-25 | Trusted controller framework and its operating method towards cloud environment multi-tenant network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107104963A CN107104963A (en) | 2017-08-29 |
CN107104963B true CN107104963B (en) | 2019-05-31 |