CN107241283B - Cross-host tenant east-west network traffic mirror image acquisition method - Google Patents
- Publication number: CN107241283B (application CN201710367940.8A)
- Authority: CN (China)
- Prior art keywords: traffic, collection, tenant, traffic collection, collected
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H04L49/208: Port mirroring (under H04L49/00 Packet switching elements; H04L49/20 Support for services)
- G06F9/45558: Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation; G06F9/45533 Hypervisors; Virtual machine monitors)
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/46 Interconnection of networks)
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- G06F2009/4557: Distribution of virtual machine instances; Migration and load balancing
Abstract
The invention provides a method for mirroring and collecting the east-west network traffic of a tenant whose virtual machines span several hosts. The method comprises the following steps: 1) a traffic collection control server generates, for each tenant to be collected, traffic collection configuration parameters from the tenant name, the tenant's network configuration information obtained from the cloud service master control server, and the distribution of the tenant's virtual machines across the physical hosts; 2) the traffic collection control server pushes the traffic collection configuration parameters, via the traffic collection Agent on each cloud service host, to a traffic collection driver; 3) the traffic collection driver mirrors the traffic selected by the configuration parameters and delivers the mirrored traffic to the traffic collection Agent. The method can collect a tenant's east-west network traffic dynamically at the Linux kernel driver layer, based on the tenant name, the tenant's network configuration information and the distribution of the tenant's virtual machines on the physical hosts.
Description
Technical Field
The invention relates to the field of communications security and, in particular, to a method for mirroring and collecting the east-west network traffic of a tenant whose virtual machines are spread across several hosts.
Background
With the wide adoption of cloud computing services, security requires that east-west network traffic inside the cloud be monitored, which in turn requires mirroring the east-west traffic of each tenant. Mirroring east-west traffic requires two functions:
1) distinguishing the network traffic of one tenant from that of others;
2) mirroring the tenant's traffic efficiently and forwarding the mirrored traffic to a network data analysis center for analysis.
At present, network traffic mirroring is generally implemented either with optical splitters or with switch mirror ports. An optical splitter duplicates the light carried in a fiber through a lens: the incident beam is divided into two, for example one carrying 70% of the energy and the other 30%; since the light is the carrier of the data, duplicating the light duplicates the data transmitted over the network. Optical splitters are, however, generally installed at the boundary between the data center and external networks, that is, they collect north-south traffic.
A switch mirror port is configured on a switch so that the data passing through one interface is copied to the mirror port, where the copy can be received. Because a tenant's virtual machines may be distributed over several physical hosts, the tenant's traffic may traverse several racks, so it cannot be determined in advance which physical interfaces carry that tenant's traffic, and mirroring every switch port is not feasible. Neither technique is therefore suitable for the east-west traffic of a tenant in the cloud.
Disclosure of Invention
The object of the invention is to provide a method for mirroring and collecting a tenant's east-west network traffic across hosts, in which the name of the tenant whose traffic is to be mirrored is entered on a configuration interface, and the tenant's traffic is then collected and analyzed on the basis of that tenant name alone.
To this end, the invention adopts the following technical solution:
a cross-host method for mirroring and collecting tenant east-west network traffic, comprising the following steps:
1) a traffic collection control server generates, for each tenant to be collected, traffic collection configuration parameters from the tenant name, the tenant's network configuration information obtained from the cloud service master control server, and the distribution of the tenant's virtual machines across the physical hosts;
2) the traffic collection control server pushes the traffic collection configuration parameters, via the traffic collection Agent on the cloud service host, to a traffic collection driver;
3) the traffic collection driver mirrors the traffic selected by the traffic collection configuration parameters and delivers the mirrored traffic to the traffic collection Agent.
Further, the method also comprises: the traffic collection Agent sends the mirrored traffic to a traffic analysis server, and the traffic analysis server analyzes it so as to verify, from the analysis result, that the collected traffic corresponds to the tenant to be collected.
Further, the traffic collection configuration parameters in step 1) are the type and the ID of the tenant's virtual network.
Further, the traffic collection Agent in step 2) is deployed on the cloud service host.
Further, steps 2) and 3) specifically comprise the following steps:
a) the traffic collection Agent receives a command from the traffic collection control server and writes the traffic identifier of the tenant to be collected, taken from the traffic collection configuration parameters, into the traffic collection driver;
b) the traffic collection driver receives the command from the traffic collection Agent and configures the tenant's traffic collection parameters according to that traffic identifier;
c) the traffic collection driver filters the network traffic of the physical host according to the configured parameters, mirrors the traffic they select, and delivers the mirrored traffic to the traffic collection Agent.
Further, the traffic collection driver in step 3) is deployed in the Linux kernel of the cloud service host.
Further, the traffic collection driver in step 3) delivers the mirrored traffic to the traffic collection Agent over a simulated TCP connection.
The beneficial effects of the invention are as follows. The invention provides a cross-host method for mirroring and collecting tenant east-west network traffic that is implemented in software, supports dynamic configuration, and is more flexible than the existing approaches. A tenant's network data may be spread over several switches of the data center, and the tenant's virtual machines are themselves distributed dynamically over the physical hosts. Because a switch has only a limited number of mirror ports, collecting a tenant's traffic with switch mirror ports makes it hard to relate the captured traffic to a specific tenant and is not easy to implement; optical splitting is generally used at the boundary between the data center and external networks, that is, for north-south traffic, and because the volume of traffic between the switches inside a data center is very large, analyzing and processing it via optical splitting is costly. The method of the invention can instead collect a tenant's east-west traffic dynamically at the Linux kernel driver layer, based on the tenant name, the tenant's network configuration information and the distribution of the tenant's virtual machines over the physical hosts.
Drawings
Fig. 1 is a schematic diagram of the cross-host method for mirroring and collecting tenant east-west network traffic according to the invention.
Fig. 2 is a schematic diagram of the network traffic mirroring implemented by the invention.
Fig. 3 is a schematic diagram of the simulated TCP used by the traffic collection driver according to the invention.
Detailed Description
In order to make the features and advantages of the invention more readily understood, embodiments are described in detail below with reference to the figures.
The invention provides a cross-host method for mirroring and collecting tenant east-west network traffic, suitable for a collection system.
Referring to Fig. 1, the traffic collection control server performs the following functions:
1) obtaining a tenant's network configuration information, and the distribution of the tenant's virtual machines on the physical hosts, from the cloud service master control server;
2) receiving from the system console the name of the tenant to be collected, and generating the tenant's traffic collection configuration parameters from that tenant name, the tenant's network configuration information and the distribution of the tenant's virtual machines on the physical hosts;
The traffic collection configuration parameters are the type and the ID of the tenant's virtual network. If the tenant's virtual network is a VLAN (virtual local area network), the parameters are the network type VLAN together with the VLAN ID. If the tenant's virtual network is a VXLAN (Virtual eXtensible LAN), the parameters are the network type VXLAN together with the VXLAN ID (the VXLAN Network Identifier, VNI).
3) sending the traffic collection configuration parameters to the traffic collection Agent of each cloud service host that holds resources of the tenant, so as to complete the setting of the traffic mirroring parameters; the traffic collection Agent then invokes the traffic collection driver with those mirroring parameters to obtain the mirrored traffic.
The traffic collection Agent is deployed on the cloud service host and mainly performs the following functions:
1) receiving commands from the traffic collection control server and writing the traffic identifier of the tenant to be collected, taken from the traffic collection configuration parameters, into the traffic collection driver;
2) receiving the mirrored traffic from the traffic collection driver and sending it to the traffic analysis server for analysis.
The traffic collection driver is deployed in the Linux kernel of the cloud service host and mainly performs the following functions:
1) receiving commands from the traffic collection Agent and configuring the tenant's traffic collection parameters according to the traffic identifier of the tenant to be collected;
2) filtering the network traffic of the physical host according to the configured parameters and mirroring the traffic they select;
3) delivering the mirrored traffic from inside the traffic collection driver to the traffic collection Agent.
The traffic analysis server receives, from the traffic collection Agent, the traffic mirrored by the traffic collection driver and analyzes it, so that the correspondence between the collected traffic and the tenant to be collected can be verified from the analysis result, providing support for subsequent analysis of the collected traffic.
The following embodiment is provided to better illustrate the method of the invention. The specific implementation comprises the following steps:
1) The traffic collection control server generates the traffic collection configuration parameters of the tenant to be collected from the tenant name, the tenant's network configuration information obtained from the cloud service master control server, and the distribution of the tenant's virtual machines on the physical hosts.
The tenant's network configuration information takes the following concrete form. A tenant's virtual network is currently implemented as either a VLAN or a VXLAN, so mirroring the tenant's data amounts to mirroring the data (traffic) of the corresponding VLAN or VXLAN.
Within one cloud service the virtual network form is uniform: if the cloud service uses VLAN networks, the virtual networks of all tenants are VLANs; if it uses VXLAN networks, the virtual networks of all tenants are VXLANs.
Table 1: Tenant network configuration information in a VLAN deployment
Tenant ID | Network | VLAN ID
---|---|---
Tenant 1 | Tenant1_network1 | 1010
Tenant 1 | Tenant1_network2 | 1011
Tenant 2 | Tenant2_network1 | 2020
Tenant 2 | Tenant2_network2 | 2021
Tenant 3 | Tenant3_network1 | 2301
Assuming the cloud service is deployed with VLAN networks as in Table 1, the traffic collection control server obtains the following tenant network configuration information:
the VLAN IDs carrying the network traffic of tenant 1 are 1010 and 1011;
the VLAN IDs carrying the network traffic of tenant 2 are 2020 and 2021;
the VLAN ID carrying the network traffic of tenant 3 is 2301;
if the cloud service uses VXLAN networks, the corresponding ID is the VXLAN ID instead.
2) According to the distribution of the tenant's virtual machines on the physical hosts, the traffic collection control server pushes the traffic collection configuration parameters only to the traffic collection Agents on the cloud service hosts that are relevant to the tenant, thereby completing the setting of the traffic mirroring parameters.
3) The traffic collection Agent receives the command from the traffic collection control server, writes the traffic identifier of the tenant to be collected into the traffic collection driver, and invokes the traffic collection driver with the mirroring parameters to obtain the mirrored traffic.
4) The traffic collection driver receives the command from the traffic collection Agent and configures the tenant's traffic collection parameters according to the traffic identifier of the tenant to be collected; it then filters the network traffic of the physical host according to the configured parameters. The key implementation point is that the driver registers a filtering hook in Netfilter, and it is this hook that performs the mirroring and collection of the network traffic. Referring to Fig. 2, the filtering hook is the traffic collection Hook in the figure. Netfilter is the standard packet-processing framework of the Linux kernel; the other hooks shown in the figure are the kernel's own. The invention thus implements network traffic mirroring and collection through Netfilter.
Mirroring itself is implemented as follows: the traffic collection driver exploits the sk_buff structure to mirror the traffic sent and received by the tenant without copying the packet data (a cloned sk_buff shares the data buffer of the original).
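The filtering performed by the traffic collection driver in step 4) can be illustrated with the following C program. It is an added example, not code from the patent: it re-implements the classification that a Netfilter hook would perform on an sk_buff as a user-space function over constructed Ethernet frames (headers only, built inline), so that it runs without a kernel. The frame builders, the constant names and the eight-entry ID set are assumptions made for the example; the header layouts (802.1Q TCI with a 12-bit VID, VXLAN over UDP port 4789 with a 24-bit VNI valid only when the I flag is set) are the standard ones.

```c
/* Added example (not the patent's code): user-space model of the driver's
 * Netfilter hook decision over constructed frames. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_8021Q 0x8100
#define ETHERTYPE_IPV4  0x0800
#define IP_PROTO_UDP    17
#define VXLAN_UDP_PORT  4789

enum net_type { NET_VLAN, NET_VXLAN };

/* Traffic collection configuration parameters as pushed by the Agent:
 * the tenant's virtual network type and the set of IDs that belong to it.
 * (The fixed size of 8 is an assumption for the example.) */
struct collect_cfg {
    enum net_type type;
    uint32_t ids[8];
    size_t n_ids;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Extract the virtual-network ID (802.1Q VID or VXLAN VNI) from a raw frame.
 * Returns 1 and stores the ID, or 0 if the frame is not of the configured
 * type or is too short to hold the headers it claims. */
int frame_network_id(const uint8_t *f, size_t len, enum net_type type, uint32_t *id)
{
    if (len < 14) return 0;
    uint16_t ethertype = rd16(f + 12);
    size_t off = 14;

    if (type == NET_VLAN) {
        if (ethertype != ETHERTYPE_8021Q || len < 18) return 0;
        *id = rd16(f + 14) & 0x0FFF;              /* VID = low 12 bits of the TCI */
        return 1;
    }
    /* VXLAN: outer Ethernet (optionally VLAN-tagged) / IPv4 / UDP 4789 / VXLAN */
    if (ethertype == ETHERTYPE_8021Q) {
        if (len < 18) return 0;
        ethertype = rd16(f + 16);
        off = 18;
    }
    if (ethertype != ETHERTYPE_IPV4 || len < off + 20) return 0;
    size_t ihl = (size_t)(f[off] & 0x0F) * 4;
    if (ihl < 20 || f[off + 9] != IP_PROTO_UDP) return 0;
    size_t udp = off + ihl;
    if (len < udp + 8 + 8) return 0;              /* UDP header + VXLAN header */
    if (rd16(f + udp + 2) != VXLAN_UDP_PORT) return 0;
    const uint8_t *vx = f + udp + 8;
    if (!(vx[0] & 0x08)) return 0;                /* I flag clear: no valid VNI */
    *id = ((uint32_t)vx[4] << 16) | ((uint32_t)vx[5] << 8) | vx[6];
    return 1;
}

/* The hook decision: mirror the frame only if its ID is in the tenant's set.
 * A kernel hook would then return NF_ACCEPT regardless; mirroring must never
 * alter or drop the tenant's real traffic. */
int should_mirror(const struct collect_cfg *cfg, const uint8_t *f, size_t len)
{
    uint32_t id;
    if (!frame_network_id(f, len, cfg->type, &id)) return 0;
    for (size_t i = 0; i < cfg->n_ids; i++)
        if (cfg->ids[i] == id) return 1;
    return 0;
}

/* Constructed test frames (not captured traffic): headers only, zero payload. */
size_t build_vlan_frame(uint8_t *buf, uint16_t vid)
{
    memset(buf, 0, 18);
    buf[12] = 0x81; buf[13] = 0x00;                           /* 802.1Q TPID */
    buf[14] = (uint8_t)(vid >> 8); buf[15] = (uint8_t)vid;    /* PCP 0, DEI 0 */
    buf[16] = 0x08; buf[17] = 0x00;                           /* inner IPv4 */
    return 18;
}

size_t build_vxlan_frame(uint8_t *buf, uint32_t vni)
{
    memset(buf, 0, 50);
    buf[12] = 0x08; buf[13] = 0x00;                           /* IPv4 */
    buf[14] = 0x45;                                           /* v4, IHL 5 */
    buf[23] = IP_PROTO_UDP;                                   /* IPv4 protocol */
    buf[36] = 0x12; buf[37] = 0xB5;                           /* UDP dst 4789 */
    buf[42] = 0x08;                                           /* VXLAN I flag */
    buf[46] = (uint8_t)(vni >> 16); buf[47] = (uint8_t)(vni >> 8); buf[48] = (uint8_t)vni;
    return 50;
}

int main(void)
{
    /* Tenant 1 from Table 1 of the description: VLAN IDs 1010 and 1011. */
    struct collect_cfg tenant1 = { NET_VLAN, { 1010, 1011 }, 2 };
    uint8_t f[64];
    uint16_t vids[] = { 1010, 1011, 2020 };
    for (size_t i = 0; i < 3; i++) {
        size_t n = build_vlan_frame(f, vids[i]);
        printf("VID %u: %s\n", (unsigned)vids[i], should_mirror(&tenant1, f, n) ? "mirror" : "pass");
    }
    return 0;
}
```

The length checks before each header matter in a real hook as well: a frame that claims VXLAN encapsulation but is shorter than the headers must be left alone rather than parsed past its end, and the VNI is only meaningful when the I flag is set. Because frames are matched on the tenant's own IDs, the traffic of tenants 2 and 3 passing through the same host is never mirrored, which is the isolation property the method depends on.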
5) The mirrored traffic is delivered from the traffic collection driver to the traffic collection Agent. This is implemented as follows. As shown in Fig. 3, a TCP protocol stack is implemented inside the traffic collection driver; the driver establishes a TCP connection, by means of the TCP three-way handshake, with the traffic collection Agent deployed in the operating system of the cloud service host (to the Agent this is an ordinary TCP connection on which normal TCP sending and receiving can take place), and sends the collected data to the Agent over this connection.
The advantage of this is that the TCP connection itself identifies the tenant, so the tenant's data can be written directly to that connection and subsequent tenant data need not carry a tenant identifier, which saves transmission overhead; and because TCP is a stateful, connection-oriented protocol, reception is efficient and the data transfer is reliable.
6) When the tenant's virtual network or the distribution of the tenant's virtual machines changes, the traffic collection control server updates the traffic collection configuration parameters of the traffic collection Agents on the affected cloud service hosts.
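The control-plane side of steps 1), 2) and 6), namely how the traffic collection control server turns Table 1 and the virtual machine distribution into per-host parameters and what it re-pushes after a change, can be illustrated as follows. This is an added example in C and not code from the patent; the host names, VM names and the two placement tables are constructed for the example, and the update of step 6) is computed by diffing the parameter sets before and after the change.

```c
/* Added example (not the patent's code): per-host parameter generation and
 * update logic of the traffic collection control server. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 8
#define MAX_IDS   8

struct tenant_net { const char *tenant; const char *network; uint32_t id; };
struct vm_place   { const char *tenant; const char *vm; const char *host; };
struct host_cfg   { const char *host; uint32_t ids[MAX_IDS]; size_t n_ids; };
struct cfg_set    { struct host_cfg hosts[MAX_HOSTS]; size_t n_hosts; };

/* Tenant network configuration as obtained from the cloud service master
 * control server: the rows of Table 1 in the description. */
static const struct tenant_net NETS[] = {
    { "Tenant 1", "Tenant1_network1", 1010 }, { "Tenant 1", "Tenant1_network2", 1011 },
    { "Tenant 2", "Tenant2_network1", 2020 }, { "Tenant 2", "Tenant2_network2", 2021 },
    { "Tenant 3", "Tenant3_network1", 2301 },
};

/* Constructed VM distribution (assumption; the patent gives no example):
 * before and after t1-vm1 migrates from host-a to host-c. */
const struct vm_place PLACE_BEFORE[] = {
    { "Tenant 1", "t1-vm1", "host-a" }, { "Tenant 1", "t1-vm2", "host-b" },
    { "Tenant 2", "t2-vm1", "host-b" }, { "Tenant 2", "t2-vm2", "host-c" },
};
const struct vm_place PLACE_AFTER[] = {
    { "Tenant 1", "t1-vm1", "host-c" }, { "Tenant 1", "t1-vm2", "host-b" },
    { "Tenant 2", "t2-vm1", "host-b" }, { "Tenant 2", "t2-vm2", "host-c" },
};
#define N_PLACE (sizeof PLACE_BEFORE / sizeof PLACE_BEFORE[0])

static struct host_cfg *find_host(struct cfg_set *s, const char *host)
{
    for (size_t i = 0; i < s->n_hosts; i++)
        if (strcmp(s->hosts[i].host, host) == 0) return &s->hosts[i];
    return NULL;
}

static void add_id(struct host_cfg *h, uint32_t id)
{
    for (size_t i = 0; i < h->n_ids; i++) if (h->ids[i] == id) return;
    if (h->n_ids < MAX_IDS) h->ids[h->n_ids++] = id;
}

/* Steps 1) and 2): build the per-host parameters for `tenant`. Only hosts that
 * run at least one of the tenant's VMs appear in the result, and each of them
 * receives all of the tenant's network IDs. Returns the number of hosts. */
size_t gen_params(const char *tenant, const struct vm_place *vms, size_t n_vms,
                  struct cfg_set *out)
{
    out->n_hosts = 0;
    for (size_t v = 0; v < n_vms; v++) {
        if (strcmp(vms[v].tenant, tenant) != 0) continue;
        struct host_cfg *h = find_host(out, vms[v].host);
        if (!h) {
            if (out->n_hosts == MAX_HOSTS) break;
            h = &out->hosts[out->n_hosts++];
            h->host = vms[v].host;
            h->n_ids = 0;
        }
        for (size_t n = 0; n < sizeof NETS / sizeof NETS[0]; n++)
            if (strcmp(NETS[n].tenant, tenant) == 0) add_id(h, NETS[n].id);
    }
    return out->n_hosts;
}

static int same_ids(const struct host_cfg *a, const struct host_cfg *b)
{
    if (a->n_ids != b->n_ids) return 0;
    for (size_t i = 0; i < a->n_ids; i++) if (a->ids[i] != b->ids[i]) return 0;
    return 1;
}

/* Step 6): after the tenant's networks or VM distribution change, decide which
 * hosts need the parameters (re)pushed and which need them withdrawn, leaving
 * unaffected hosts alone. Returns the number of hosts touched. */
size_t diff_params(struct cfg_set *old, struct cfg_set *cur,
                   const char **to_push, size_t *n_push,
                   const char **to_withdraw, size_t *n_withdraw)
{
    *n_push = *n_withdraw = 0;
    for (size_t i = 0; i < cur->n_hosts; i++) {
        const struct host_cfg *o = find_host(old, cur->hosts[i].host);
        if (!o || !same_ids(o, &cur->hosts[i])) to_push[(*n_push)++] = cur->hosts[i].host;
    }
    for (size_t i = 0; i < old->n_hosts; i++)
        if (!find_host(cur, old->hosts[i].host)) to_withdraw[(*n_withdraw)++] = old->hosts[i].host;
    return *n_push + *n_withdraw;
}

int main(void)
{
    struct cfg_set before, after;
    const char *push[MAX_HOSTS], *withdraw[MAX_HOSTS];
    size_t np, nw;
    gen_params("Tenant 1", PLACE_BEFORE, N_PLACE, &before);
    gen_params("Tenant 1", PLACE_AFTER, N_PLACE, &after);
    diff_params(&before, &after, push, &np, withdraw, &nw);
    for (size_t i = 0; i < np; i++) printf("push VLAN IDs to %s\n", push[i]);
    for (size_t i = 0; i < nw; i++) printf("withdraw from %s\n", withdraw[i]);
    return 0;
}
```

A host is marked for a push both when it newly runs one of the tenant's VMs and when the tenant's set of network IDs has changed, and the parameters are withdrawn from a host that no longer runs any of the tenant's VMs. The withdrawal is the part most easily forgotten: a host left with stale parameters would keep a filtering hook active for a tenant that is no longer present on it.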
The above embodiments serve only to illustrate the technical solution of the invention and not to limit it; a person skilled in the art may modify the technical solution or substitute equivalents without departing from the spirit and scope of the invention, and the scope of the invention is determined by the claims.
Claims (6)
1. A cross-host method for mirroring and collecting tenant east-west network traffic, comprising the following steps:
1) a traffic collection control server generates, for each tenant to be collected, traffic collection configuration parameters from the tenant name, the tenant's network configuration information obtained from a cloud service master control server, and the distribution of the tenant's virtual machines on the physical hosts;
2) the traffic collection control server pushes the traffic collection configuration parameters, via a traffic collection Agent of the cloud service host, to a traffic collection driver;
3) the traffic collection driver mirrors the traffic selected by the traffic collection configuration parameters and delivers the mirrored traffic to the traffic collection Agent, wherein the traffic collection driver performs the following steps:
the traffic collection driver receives a command from the traffic collection Agent and configures the tenant's traffic collection parameters according to the traffic identifier of the tenant to be collected;
the traffic collection driver filters the network traffic of the physical host according to the configured parameters, mirrors the traffic they select, and delivers the mirrored traffic to the traffic collection Agent;
and the traffic collection driver is deployed in a Linux kernel of the cloud service host.
2. The method of claim 1, further comprising: the traffic collection Agent sends the mirrored traffic to a traffic analysis server, and the traffic analysis server analyzes it so as to verify, from the analysis result, that the collected traffic corresponds to the tenant to be collected.
3. The method of claim 1, wherein the traffic collection configuration parameters in step 1) are the type and the ID of the tenant's virtual network.
4. The method of claim 1, wherein the traffic collection Agent in step 2) is deployed on the cloud service host.
5. The method of claim 1, wherein step 2) specifically comprises:
the traffic collection Agent receives a command from the traffic collection control server and writes the traffic identifier of the tenant to be collected, taken from the traffic collection configuration parameters, into the traffic collection driver.
6. The method of claim 1, wherein the traffic collection driver in step 3) delivers the mirrored traffic to the traffic collection Agent over a simulated TCP connection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710367940.8A CN107241283B (en) | 2017-05-23 | 2017-05-23 | Cross-host tenant east-west network traffic mirror image acquisition method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107241283A CN107241283A (en) | 2017-10-10 |
CN107241283B true CN107241283B (en) | 2020-06-05 |
Family
ID=59985661
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109785606A (en) * | 2019-02-02 | 2019-05-21 | 中能瑞通(北京)科技有限公司 | Collection quality analysis method and device for a power information acquisition system |
CN113709017B (en) * | 2021-08-17 | 2022-10-04 | 中盈优创资讯科技有限公司 | Method and device for collecting virtualization traffic |
CN114006839B (en) * | 2021-09-27 | 2023-06-23 | 中盈优创资讯科技有限公司 | eBPF-based traffic collection method and device |
CN114285667B (en) * | 2021-12-30 | 2023-06-02 | 湖南泛联新安信息科技有限公司 | Real-time traffic collection system and method for a cyber range |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105245504A (en) * | 2015-09-10 | 2016-01-13 | 北京汉柏科技有限公司 | North-south traffic security protection system in a cloud computing network |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9602334B2 (en) * | 2013-01-22 | 2017-03-21 | International Business Machines Corporation | Independent network interfaces for virtual network environments |
CN103139315A (en) * | 2013-03-26 | 2013-06-05 | 烽火通信科技股份有限公司 | Application-layer protocol analysis method suitable for a home gateway |
CN105591833A (en) * | 2014-11-26 | 2016-05-18 | 中国银联股份有限公司 | Rule-engine-based traffic collection method |
CN106375384B (en) * | 2016-08-28 | 2019-06-18 | 北京瑞和云图科技有限公司 | Management system and control method for mirrored network traffic in a virtual network environment |
CN106100999B (en) * | 2016-08-28 | 2019-05-24 | 北京瑞和云图科技有限公司 | Mirrored network traffic control method in a virtualized network environment |
CN106452856A (en) * | 2016-09-28 | 2017-02-22 | 杭州鸿雁智能科技有限公司 | Traffic statistics method and device, and wireless access equipment with a traffic statistics function |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
Granted publication date: 20200605 |