CN107682203B - Security function deployment method based on service chain - Google Patents

Info

Publication number: CN107682203B (granted patent); earlier publication CN107682203A
Authority: CN (China)
Application number: CN201711041932.0A
Other languages: Chinese (zh)
Inventors: 于冰, 于然, 曾颖明, 王斌, 刘滋润, 姚金利, 郭敏
Original and current assignee: Beijing Institute of Computer Technology and Applications
Legal status: Active

Classifications

    • H04L41/12 Discovery or management of network topologies (under H04L41/00, arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability (under H04L41/08, configuration management of networks or network elements)
    • H04L41/0896 Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455, emulation, interpretation, software simulation, e.g. virtualisation of application or operating system execution engines, and G06F9/45533, hypervisors and virtual machine monitors)
    • G06F2009/4557 Distribution of virtual machine instances; migration and load balancing


Abstract

The invention relates to a security function deployment method based on a service chain, in the technical field of network security. It provides a method for deploying a security function service chain for the security service requirements of users and the security service chain orchestrated and issued by an upper layer. The method maps several security service chains that arrive at the same time in a reasonable way, reduces the network cost while satisfying the function requirements and the bandwidth requirements, and guarantees the quality of service.

Description

Security function deployment method based on service chain
Technical Field
The invention relates to the technical field of network security, in particular to a security function deployment method based on a service chain.
Background
Software Defined Networking (SDN), an emerging network technology of recent years, brings new opportunities and challenges to network management. Its basic idea is to separate network control from data forwarding, decoupling the control function from the forwarding function, and to realise centralized management and control programmatically; this simplifies network management and promotes the development and innovation of the network. Fig. 1 shows the three-layer logical architecture of an SDN, from top to bottom: an application layer, a control layer and an infrastructure layer.
Through the programmable API of the control layer, the SDN framework can flexibly compose application services in the application layer and meet the differentiated and diverse requirements of multiple tenants. The control layer in the middle of the architecture maintains the global network topology, formulates a centralized scheduling strategy and issues it to the network equipment of the infrastructure layer through the southbound interface. The infrastructure layer at the bottom only has to receive the instructions of the control layer through a southbound interface (such as OpenFlow) and perform simple data processing and forwarding.
Separating the control plane from the data plane reduces the complexity of hardware equipment, and centralized control makes unified management of network devices easier. Because the SDN controller holds global information about the network, it can formulate more intelligent scheduling strategies, observe the network state better and adjust it faster, which improves resource utilization, simplifies network management and lowers the energy cost of the network. The rise of SDN thus opens a new way to implement resource management and load balancing based on a global network view.
Network Function Virtualization (NFV) lifts network functions off traditional dedicated network element devices and runs them as virtualized software on general-purpose hardware platforms. Software network functions can then be loaded flexibly, deployed on demand and updated, which greatly eases remote management and maintenance and reduces the capital expenditure (CAPEX) and operating expenditure (OPEX) of service providers.
NFV establishes a one-to-one mapping between computing, storage and network resources such as servers, storage devices, switches and routers and the corresponding Virtual Network Functions (VNFs), forming virtual computing resource components, virtual storage resource components, virtual network resource components and so on. The invention is mainly concerned with virtual security resource components, which include a virtual Network Address Translation function (vNAT), a virtual firewall (vFW), a virtual Intrusion Detection System (vIDS), a virtual Intrusion Prevention System (vIPS) and the like, as shown in Fig. 2.
With the continued development of SDN and NFV, network control is becoming more flexible and more extensible. By separating control from forwarding, SDN virtualizes and logically abstracts the underlying physical network, and the SDN controller steers forwarded traffic automatically through virtual service nodes, so that flexible, convenient and efficient service functions can be realised. The ordered sequence of virtual service function nodes that such traffic passes through is called a service chain, as shown in Fig. 3.
Therefore, for the security service requirement of a user and the security service chain orchestrated and issued by the upper layer, an optimal path that satisfies the security service capability, the order of the security functions and the resource requirements has to be selected. This is the problem of service-chain-based security function deployment (also called the mapping problem), as shown in Fig. 4.
Disclosure of Invention
Technical problem to be solved
The technical problem to be solved by the invention is to provide a method for deploying a security function service chain for the security service requirements of users and the security service chain orchestrated and issued by an upper layer.
(II) Technical scheme
In order to solve the technical problem, the invention provides a service chain-based security function deployment method, which comprises the following steps:
First, the underlying network topology is represented by a weighted graph $G_S=(V_S,E_S)$, where $V_S$ is the set of physical nodes, consisting of forwarding nodes and security function nodes, $V_S=T_S\cup N_S$; $T_S$ is the set of forwarding nodes (routers and similar resources) and $N_S$ the set of security function nodes such as firewalls; $E_S$ is the set of links of the physical network. Each link $e_s\in E_S$ has a bandwidth-capacity attribute consisting of an uplink bandwidth capacity $B(e_s\uparrow)$ and a downlink bandwidth capacity $B(e_s\downarrow)$; $e_s=(v_i,v_j)$, where $v_i$ and $v_j$ are the two endpoints of the link, $v_i,v_j\in V_S$. If $i<j$, traffic flowing from $v_i$ to $v_j$ is called uplink traffic and traffic in the reverse direction downlink traffic, and the hop count $\mathrm{hop}(v_i,v_j)$ denotes the transmission delay between $v_i$ and $v_j$;
Second, the set of $R$ service chain requests arriving at the same time is defined as $\Phi=\{Q_1,Q_2,\dots,Q_R\}$, where a service chain request $Q_r\in\Phi$ is represented as a directed sequence $Q_r=(q_{r,1},q_{r,2},\dots,q_{r,h-1},q_{r,h},q_{r,h+1},\dots,q_{r,H})$ containing $H$ security function requirements in total; $q_{r,h-1}$ is the security function requirement preceding $q_{r,h}$ and $q_{r,h+1}$ the one following it; the traffic from $q_{r,h}$ to $q_{r,h+1}$ is denoted $\mathrm{link}(q_{r,h},q_{r,h+1})$ and its bandwidth requirement $\mathrm{bw}(q_{r,h},q_{r,h+1})$;
Third, $N_r(q_{r,h})$ denotes the physical node on which the security function requirement $q_{r,h}$ of service chain $Q_r$ is deployed, $N_r(q_{r,h})\in N_S$; each security function requirement of the chain is deployed on exactly one physical security function node. $L_r(q_{r,h},q_{r,h+1})$ denotes the traffic path between the requirements $q_{r,h}$ and $q_{r,h+1}$ of $Q_r$, i.e. the deployment path of $\mathrm{link}(q_{r,h},q_{r,h+1})$ in $G_S$. The network cost generated by deploying the service chain is defined as:
(cost formula: given as an image in the original and not reproduced on this page)
Fourth, during service chain deployment, a divide-and-conquer method is used to split the deployment problem of each service chain into smaller sub-service-chain deployment problems.
Preferably, in the fourth step, the basis for the split is as follows: for a security function requirement $q_{r,h}$ of service chain $Q_r$, if only a single security function node $v_i$ in the underlying topology $G_S$ can provide the function required by $q_{r,h}$, i.e. $q_{r,h}$ can be deployed on node $v_i$ and only there, then $q_{r,h}$ is deployed on $v_i$, i.e. $N_r(q_{r,h})=v_i$, and service chain $Q_r$ is split at $q_{r,h}$ into sub-service chains. The sub-service chains so obtained are deployed one after another, and their deployment results and routing results are concatenated in order to give the deployment result of the service chain.
Preferably, in the fourth step, for each sub-service chain the communication links are sorted by bandwidth requirement and deployed one by one in that order.
Preferably, in the fourth step, sorting the communication links of each sub-service chain by bandwidth requirement and deploying them in that order specifically comprises:
If neither endpoint $q_{r,h}$ nor $q_{r,h+1}$ of $\mathrm{link}(q_{r,h},q_{r,h+1})$ has been deployed, the link is marked as pending and the next link is deployed. If one endpoint of the link has already been deployed, the link is deployed; let $q_{r,h}$ be the endpoint not yet deployed. If both the preceding requirement $q_{r,h-1}$ and the following requirement $q_{r,h+1}$ of $q_{r,h}$ have been deployed, then among the candidate nodes of $G_S$ that can provide the function $q_{r,h}$, the security function node that satisfies the bandwidth requirements of both $\mathrm{link}(q_{r,h},q_{r,h+1})$ and $\mathrm{link}(q_{r,h-1},q_{r,h})$ with the minimum total network cost of the two links is taken as the deployment node of $q_{r,h}$. If the preceding or the following requirement of $q_{r,h}$ has not been deployed, then among all candidate nodes that can provide $q_{r,h}$, the node and link that satisfy the bandwidth requirement of $\mathrm{link}(q_{r,h},q_{r,h+1})$ with the minimum network cost are allocated, and it is checked whether the other link of $Q_r$ through $q_{r,h}$, $\mathrm{link}(q_{r,h-1},q_{r,h})$, is pending. If it is pending, $\mathrm{link}(q_{r,h-1},q_{r,h})$ and its endpoint are deployed by the same method, and the check continues with the unallocated link through $q_{r,h-1}$. If $\mathrm{link}(q_{r,h-1},q_{r,h})$ is not pending, the next link in the bandwidth-sorted order is deployed, until all function requirements and link requirements of service chain $Q_r$ have been deployed. If during deployment $G_S$ cannot provide a security function required by the service chain or cannot satisfy its bandwidth requirement, deployment of the service chain fails.
(III) advantageous effects
The invention provides a method for deploying a security function service chain for the security service requirements of users and the security service chain orchestrated and issued by an upper layer. It maps several security service chains that arrive at the same time in a reasonable way, reduces the network cost while satisfying the function requirements and the bandwidth requirements, and guarantees the quality of service.
Drawings
Figure 1 is a typical architecture diagram for an SDN;
FIG. 2 is a diagram of the virtual security resource components realized with NFV;
FIG. 3 is a schematic diagram of a service chain;
FIG. 4 is a schematic diagram of a service chain-based security function deployment, where a is an underlying security function network topology diagram and b is a schematic diagram of a security function service chain;
FIG. 5 is an exemplary diagram of an underlying network topology and service chaining requests; wherein a is an underlying network topology map, and b is a service chain request schematic diagram;
fig. 6 is an exemplary diagram of a service chain deployment result.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
A Security Service Function Chain (SSFC) is an ordered set of security functions: traffic passes through several security function nodes in turn according to a specified policy, forming a security service with a specified function and order. Since each security function may be provided by several security function components distributed in the network, deploying a security function service chain means selecting the security function components and routing the traffic between them.
The invention provides a method for deploying a security function service chain which maps several security service chains that arrive at the same time in a reasonable way, reduces the network cost while satisfying the function requirements and bandwidth requirements, and guarantees the quality of service. The method comprises the following steps:
First, the underlying network topology is represented by a weighted graph $G_S=(V_S,E_S)$, where $V_S$ is the set of physical nodes, consisting of forwarding nodes and security function nodes, $V_S=T_S\cup N_S$. $T_S$ is the set of forwarding nodes (routers and similar resources) and $N_S$ the set of security function nodes such as firewalls. $E_S$ is the set of links of the physical network. Each link $e_s\in E_S$ has a bandwidth-capacity attribute consisting of an uplink bandwidth capacity $B(e_s\uparrow)$ and a downlink bandwidth capacity $B(e_s\downarrow)$. $e_s=(v_i,v_j)$, where $v_i$ and $v_j$ are the two endpoints of the link, $v_i,v_j\in V_S$. If $i<j$, traffic flowing from $v_i$ to $v_j$ is called uplink traffic and traffic in the reverse direction downlink traffic. The hop count $\mathrm{hop}(v_i,v_j)$ denotes the transmission delay between $v_i$ and $v_j$. For example, the underlying network topology $G_S$ in Fig. 5(a) contains 14 physical nodes, $V_S=\{v_1,v_2,\dots,v_{14}\}$, with the set of security function nodes $N_S=\{v_1,v_2,v_3,v_5,v_6,v_{10},v_{11},v_{13}\}$ and the set of forwarding nodes $T_S=\{v_4,v_7,v_8,v_9,v_{12},v_{14}\}$. The number next to each link is its bandwidth capacity, with the uplink capacity to the left of the "/" and the downlink capacity to the right. Link $(v_1,v_2)$ in Fig. 5(a) has an uplink bandwidth capacity of 8 Mbps and a downlink bandwidth capacity of 10 Mbps, i.e. $B((v_1,v_2)\uparrow)=8$ Mbps and $B((v_1,v_2)\downarrow)=10$ Mbps, and the hop count between $v_1$ and $v_2$ is $\mathrm{hop}(v_1,v_2)=1$.
Second, the set of $R$ service chain requests arriving at the same time is defined as $\Phi=\{Q_1,Q_2,\dots,Q_R\}$, where a service chain request $Q_r\in\Phi$ is represented as a directed sequence $Q_r=(q_{r,1},q_{r,2},\dots,q_{r,h-1},q_{r,h},q_{r,h+1},\dots,q_{r,H})$ containing $H$ security function requirements in total. $q_{r,h-1}$ is the security function requirement preceding $q_{r,h}$ and $q_{r,h+1}$ the one following it; the traffic from $q_{r,h}$ to $q_{r,h+1}$ is denoted $\mathrm{link}(q_{r,h},q_{r,h+1})$ and its bandwidth requirement $\mathrm{bw}(q_{r,h},q_{r,h+1})$. For the service chain request set $\Phi=\{Q_1,Q_2,Q_3\}$ shown in Fig. 5(b), $Q_1=(\mathrm{FW},\mathrm{IDS},\mathrm{NAT})$, $Q_2=(\mathrm{NAT},\mathrm{LB},\mathrm{IPS})$ and $Q_3=(\mathrm{IDS},\mathrm{IPS},\mathrm{FW},\mathrm{NAT},\mathrm{LB})$. Taking $Q_1$ as an example, it contains three security function requirements, in order a firewall (FW), intrusion detection (IDS) and network address translation (NAT); FW is the security function requirement preceding the IDS and NAT the one following it. The bandwidth requirement of link (FW, IDS) from the FW function to the IDS function is bw(FW, IDS) = 4 Mbps, and that of link (IDS, NAT) from the IDS function to the NAT function is bw(IDS, NAT) = 3 Mbps. Service chain deployment must satisfy both the ordering of the security functions and the bandwidth requirements between them.
Service chain $Q_r$ can therefore be regarded as the problem of deploying all of its security function requirements and the communication traffic between them in the underlying network $G_S$. Third, $N_r(q_{r,h})$ denotes the physical node on which the security function requirement $q_{r,h}$ of service chain $Q_r$ is deployed, $N_r(q_{r,h})\in N_S$; each security function requirement of the chain is deployed on exactly one physical security function node. $L_r(q_{r,h},q_{r,h+1})$ denotes the traffic path between the requirements $q_{r,h}$ and $q_{r,h+1}$ of $Q_r$, i.e. the deployment path of $\mathrm{link}(q_{r,h},q_{r,h+1})$ in $G_S$. The invention takes into account not only the bandwidth requirements of the chain but also the transmission delay as part of the network cost. The network cost generated by service chain deployment is defined as:
(cost formula: given as an image in the original and not reproduced on this page)
To minimize the network cost generated by deploying the security service chain, the invention takes minimizing the network cost as the optimization objective when the service chain is generated, on the premise that the bandwidth requirements of the chain are met and the security functions are deployed successfully. Faced with several service chain requests arriving at the same time, the invention deploys the service chain with the larger communication bandwidth first, so that bandwidth resources do not become the bottleneck of service chain deployment and the network cost is reduced at the same time. Therefore, in the fourth step, during service chain deployment a divide-and-conquer method is used to split the deployment problem of each service chain into smaller sub-service-chain deployment problems, which reduces the complexity of the algorithm. The basis for the split is as follows: for a security function requirement $q_{r,h}$ of service chain $Q_r$, if only a single security function node $v_i$ in the underlying topology $G_S$ can provide the function required by $q_{r,h}$, i.e. $q_{r,h}$ can be deployed on node $v_i$ and only there, then $q_{r,h}$ is deployed on $v_i$ (i.e. $N_r(q_{r,h})=v_i$) and service chain $Q_r$ is split at $q_{r,h}$ into sub-service chains. For example, the LB function requirement of service chain $Q_2$ in Fig. 5(b) can only be provided by node $v_5$ of the $G_S$ in Fig. 5(a), so the LB requirement of $Q_2$ can only be deployed on node $v_5$, and $Q_2$ is split at the LB requirement into two sub-service chains. The sub-service chains so obtained are deployed one after another, and their deployment results and routing results are concatenated in order to give the deployment result of the service chain.
For each sub-service chain, the communication links are sorted by bandwidth requirement and deployed one by one in that order. If neither endpoint $q_{r,h}$ nor $q_{r,h+1}$ of $\mathrm{link}(q_{r,h},q_{r,h+1})$ has been deployed, the link is marked as pending and the next link is deployed; if one endpoint of the link has already been deployed, the link is deployed. Let the endpoint not yet deployed be $q_{r,h}$ (so $q_{r,h+1}$ is the endpoint that has been deployed successfully). If both the preceding requirement $q_{r,h-1}$ and the following requirement $q_{r,h+1}$ of $q_{r,h}$ have been deployed, then among the candidate nodes of $G_S$ that can provide the function $q_{r,h}$, the security function node that satisfies the bandwidth requirements of both $\mathrm{link}(q_{r,h},q_{r,h+1})$ and $\mathrm{link}(q_{r,h-1},q_{r,h})$ with the minimum total network cost of the two links is taken as the deployment node of $q_{r,h}$. If the preceding or the following requirement of $q_{r,h}$ has not been deployed, then among all candidate nodes that can provide $q_{r,h}$, the node and link that satisfy the bandwidth requirement of $\mathrm{link}(q_{r,h},q_{r,h+1})$ with the minimum network cost are allocated, and it is checked whether the other link of $Q_r$ through $q_{r,h}$, $\mathrm{link}(q_{r,h-1},q_{r,h})$, is pending. If it is pending, $\mathrm{link}(q_{r,h-1},q_{r,h})$ and its endpoint are deployed by the same method, and the check continues with the unallocated link through $q_{r,h-1}$.
If $\mathrm{link}(q_{r,h-1},q_{r,h})$ is not pending, the next link in the bandwidth-sorted order is deployed, until all function requirements and link requirements of service chain $Q_r$ have been deployed. If during deployment $G_S$ cannot provide a security function required by the service chain or cannot satisfy its bandwidth requirement, deployment of the service chain fails.
The process flow of the invention is illustrated below.
Input: the underlying security function network topology $G_S=(V_S,E_S)$ and the service chain requests $Q_1$, $Q_2$, $Q_3$ arriving at the same time, as shown in Fig. 5;
Output: the security node deployment result of each service chain request and the routing result between the nodes;
1. Compare the maximum link bandwidth requirements of $Q_1$, $Q_2$ and $Q_3$ (4 Mbps, 8 Mbps and 10 Mbps respectively), sort the requests in descending order of this value, and deploy the service chains in the order $Q_3$, $Q_2$, $Q_1$.
2. For request $Q_3=(\mathrm{IDS},\mathrm{IPS},\mathrm{FW},\mathrm{NAT},\mathrm{LB})$: the underlying topology $G_S$ contains a unique FW node ($v_1$) and a unique LB node ($v_5$), so the FW and LB requirements of $Q_3$ are deployed on $v_1$ and $v_5$ respectively (i.e. $N_3(q_{3,3})=v_1$, $N_3(q_{3,5})=v_5$), and $Q_3$ is split at the FW and LB requirements into the sub-service chains $Q_3^1=(\mathrm{IDS},\mathrm{IPS},\mathrm{FW})$ and $Q_3^2=(\mathrm{FW},\mathrm{NAT},\mathrm{LB})$.
3. Deploy sub-service chain $Q_3^1$, taking its links in descending order of bandwidth requirement: first link (IDS, IPS), then link (IPS, FW).
3.1 For link (IDS, IPS), neither IDS nor IPS has been deployed, so the link is marked pending and the next link (IPS, FW) is deployed;
3.2 For link (IPS, FW), FW has been deployed on node $v_1$ and the requirement preceding IPS in $Q_3^1$ (IDS) has not been deployed. The IPS requirement of $Q_3^1$ is therefore placed on one of the nodes of $G_S$ that can provide the IPS function (the candidate nodes $v_3$ and $v_6$): the candidate whose bandwidth capacity to $v_1$ satisfies bw(IPS, FW) and whose network cost to the FW is minimal, which is $v_6$; i.e. $N_3(q_{3,2})=v_6$ and $L_3(q_{3,2},q_{3,3})$ is $v_6\to v_1$. Then check whether the other link of $Q_3^1$ through the IPS function, link (IDS, IPS), is pending.
3.3 Link (IDS, IPS) is pending, so it is deployed in the same way as in step 3.2, giving $N_3(q_{3,1})=v_2$ and $L_3(q_{3,1},q_{3,2})$ = $v_2\to v_7\to v_6$. Sub-service chain $Q_3^1$ is deployed successfully.
4. Deploy sub-service chain $Q_3^2$, again taking its links in descending order of bandwidth requirement: first link (FW, NAT), then link (NAT, LB).
4.1 For link (FW, NAT), FW has been deployed on $v_1$ and the requirement following NAT in $Q_3^2$ (LB) has been deployed on $v_5$. Among the NAT candidate nodes of $G_S$ ($v_{10}$, $v_{11}$), the security function node that satisfies the bandwidth requirements bw(FW, NAT) and bw(NAT, LB) of both links with the minimum total network cost of the two links is chosen for NAT: $N_3(q_{3,4})=v_{10}$, and $L_3(q_{3,3},q_{3,5})$ is $v_1\to v_6\to v_{10}\to v_{12}\to v_{13}\to v_5$. Sub-service chain $Q_3^2$, and with it service chain $Q_3$, is deployed successfully.
5. Deploy service chain request $Q_2=(\mathrm{NAT},\mathrm{LB},\mathrm{IPS})$: following step 2, split it into the sub-service chains $Q_2^1=(\mathrm{NAT},\mathrm{LB})$ and $Q_2^2=(\mathrm{LB},\mathrm{IPS})$ and deploy the LB requirement on node $v_5$, i.e. $N_2(q_{2,2})=v_5$.
6. Deploy sub-service chain $Q_2^1$: LB has been deployed, and NAT is the first security function requirement and has no preceding requirement, so among the NAT candidate nodes ($v_{10}$, $v_{11}$) the node whose bandwidth capacity to $v_5$ satisfies bw(NAT, LB) with the minimum network cost between NAT and LB is chosen: NAT is deployed on $v_{11}$, i.e. $N_2(q_{2,1})=v_{11}$, and $L_2(q_{2,1},q_{2,2})$ is $v_{11}\to v_{13}\to v_5$. Sub-service chain $Q_2^1$ is deployed successfully.
7. Deploy sub-service chain $Q_2^2$: LB has been deployed, and IPS is the last security function requirement and has no following requirement, so among the IPS candidate nodes ($v_3$, $v_6$) the node whose bandwidth capacity from $v_5$ satisfies bw(LB, IPS) with the minimum network cost between LB and IPS is chosen: IPS is deployed on $v_3$, i.e. $N_2(q_{2,3})=v_3$, and $L_2(q_{2,2},q_{2,3})$ is $v_5\to v_4\to v_3$. Sub-service chain $Q_2^2$ is deployed successfully, and so is service chain $Q_2$.
8. Deploy service chain request $Q_1=(\mathrm{FW},\mathrm{IDS},\mathrm{NAT})$: following step 2, deploy FW on node $v_1$, i.e. $N_1(q_{1,1})=v_1$. $Q_1$ cannot be split further into sub-service chains, so it is deployed directly, links with the larger bandwidth requirement first: link (FW, IDS), then link (IDS, NAT).
8.1 For link (FW, IDS), FW has been deployed on $v_1$ and the requirement following IDS in $Q_1$ (NAT) has not been deployed, so among the IDS candidate nodes of $G_S$ ($v_2$, $v_{13}$) the node whose bandwidth capacity from $v_1$ satisfies bw(FW, IDS) with the minimum network cost between FW and IDS is chosen: IDS is deployed on $v_2$, i.e. $N_1(q_{1,2})=v_2$, and $L_1(q_{1,1},q_{1,2})$ is $v_1\to v_2$. Then check whether the other link of $Q_1$ through the IDS function, link (IDS, NAT), is pending.
8.2 Link (IDS, NAT) is not pending, so the next link of $Q_1$ in order, link (IDS, NAT), is processed. Deploying it as in step 8.1 gives $N_1(q_{1,3})=v_{11}$ and $L_1(q_{1,2},q_{1,3})$ = $v_2\to v_3\to v_{11}$. Service chain $Q_1$ is deployed successfully.
9. After all arriving service chain requests have been deployed, the algorithm ends and outputs the deployment result. The deployment results of $Q_1$, $Q_2$ and $Q_3$ are shown in Fig. 6: $Q_1$: $N_1(q_{1,1})=v_1$, $N_1(q_{1,2})=v_2$, $N_1(q_{1,3})=v_{11}$, traffic route $L_1$ = $v_1\to v_2\to v_3\to v_{11}$; $Q_2$: $N_2(q_{2,1})=v_{11}$, $N_2(q_{2,2})=v_5$, $N_2(q_{2,3})=v_3$, traffic route $L_2$ = $v_{11}\to v_{13}\to v_5\to v_4\to v_3$; $Q_3$: $N_3(q_{3,1})=v_2$, $N_3(q_{3,2})=v_6$, $N_3(q_{3,3})=v_1$, $N_3(q_{3,4})=v_{10}$, $N_3(q_{3,5})=v_5$, traffic route $L_3$ = $v_2\to v_7\to v_6\to v_1\to v_6\to v_{10}\to v_{12}\to v_{13}\to v_5$.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the protection scope of the present invention.

Claims (1)

1. A security function deployment method based on a service chain, characterized by comprising the following steps:
first, the underlying network topology is represented by a weighted graph G_S = (V_S, E_S), where V_S is the set of physical nodes composed of forwarding nodes and security function nodes, V_S = T_S ∪ N_S, T_S denotes the set of routing resource forwarding nodes, N_S is the firewall security function node set, and E_S is the set of links in the physical network,
Figure FDA0002552732200000011
having the attribute bandwidth capacity, i.e. the uplink bandwidth capacity B(e_s↑) and the downlink bandwidth capacity B(e_s↓) of link e_s, where e_s = (v_i, v_j) and v_i and v_j are the two endpoints of link e_s,
Figure FDA0002552732200000012
if i < j, the traffic flowing from v_i to v_j is called uplink traffic and the reverse is downlink traffic; the hop count hop(v_i, v_j) denotes the transmission delay between v_i and v_j;
secondly, the set of R service chain requests arriving at the same time is defined as Φ = {Q_1, Q_2, …, Q_R}, where the service chain request
Figure FDA0002552732200000013
is represented as a directed sequence Q_r = (q_{r,1}, q_{r,2}, …, q_{r,h-1}, q_{r,h}, q_{r,h+1}, …, q_{r,H}) containing a total of H security function requirements, where q_{r,h-1} is the security function requirement preceding q_{r,h}, q_{r,h+1} is the security function requirement following q_{r,h}, the link from q_{r,h} to q_{r,h+1} is denoted link(q_{r,h}, q_{r,h+1}), and its corresponding bandwidth is denoted bw(q_{r,h}, q_{r,h+1});
thirdly, N_r(q_{r,h}) is defined as the physical node on which security function requirement q_{r,h} of service chain Q_r is deployed, with N_r(q_{r,h}) ∈ N_S; each security function requirement in the service chain can be deployed on only one physical security function node; L_r(q_{r,h}, q_{r,h+1}) denotes the traffic path between security function requirements q_{r,h} and q_{r,h+1} of service chain Q_r, i.e. the deployment path of link(q_{r,h}, q_{r,h+1}) on G_S; and the network cost generated by service chain deployment is defined as:
Figure FDA0002552732200000021
fourthly, in the service chain deployment process, the deployment problem of each service chain is divided into smaller sub-service chain deployment problems by a divide-and-conquer method;
in the fourth step, the division basis is as follows: for security function requirement q_{r,h} in service chain Q_r, if only a unique security function node v_i in the underlying topology G_S can provide the function q_{r,h}, i.e. function requirement q_{r,h} can only be deployed on node v_i, then function requirement q_{r,h} is deployed on node v_i, i.e. N_r(q_{r,h}) = v_i, and service chain Q_r is partitioned with q_{r,h} as the boundary to form sub-service chains; the divided sub-service chains are deployed in sequence, and the obtained sub-service chain deployment results and routing results are connected in sequence to obtain the deployment result of the service chain;
in the fourth step, for each sub-service chain, the communication links are sorted by bandwidth requirement and deployed one after another in that order, specifically:
if neither endpoint q_{r,h} nor q_{r,h+1} of link(q_{r,h}, q_{r,h+1}) is deployed, link(q_{r,h}, q_{r,h+1}) is marked as pending and the next link is deployed; if one endpoint of link(q_{r,h}, q_{r,h+1}) has already been deployed, link(q_{r,h}, q_{r,h+1}) is deployed: when the other endpoint q_{r,h} is not yet deployed and both the preceding and the following security function of q_{r,h} are deployed, then, according to the preceding security function requirement q_{r,h-1} and the following security function requirement q_{r,h+1} of endpoint q_{r,h}, the security function physical node that satisfies the bandwidth requirements of both link(q_{r,h}, q_{r,h+1}) and link(q_{r,h-1}, q_{r,h}) and has the minimum network cost over the two links is selected from the candidate nodes in G_S that can provide function q_{r,h} as the deployment node of q_{r,h}; when the preceding or the following security function of q_{r,h} is not deployed, the node and links that satisfy the bandwidth requirement of link(q_{r,h}, q_{r,h+1}) with minimum network cost are allocated from all candidate physical nodes that can provide function q_{r,h}, and it is determined whether the other link of Q_r passing through function q_{r,h}, link(q_{r,h-1}, q_{r,h}), is in the pending state; if link(q_{r,h-1}, q_{r,h}) is pending, link(q_{r,h-1}, q_{r,h}) and its endpoint are deployed by the same method, and it is again determined whether the unallocated link passing through function q_{r,h-1} is pending; if link(q_{r,h-1}, q_{r,h}) is not pending, the next link is deployed in the order obtained by sorting the bandwidth requirements, until all function requirements and link requirements in service chain Q_r have been deployed; if during deployment G_S cannot provide the security functions required by the service chain or cannot meet the bandwidth requirements of the service chain, the service chain deployment fails.
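The claimed procedure (fix requirements that have a unique provider, deploy links in descending order of bandwidth requirement, mark links with no deployed endpoint as pending and pick them up once a neighbouring function is placed) and the worked steps 7 to 9 of the description, as an added Python example; this is not the patent's own code. It assumes a small constructed topology rather than FIG. 6, a single symmetric capacity per link in place of the separate uplink and downlink capacities, hop count as the network cost (the claim's cost formula is an image and is not reproduced here), that a deployed link consumes capacity along its route, and that a chain left with pending links at the end fails; the names deploy, cheapest_path, LINKS and FUNCTIONS are this example's own.

```python
import heapq
from collections import defaultdict

# Constructed topology (not the patent's FIG. 6): undirected links with a single
# symmetric capacity; the separate B(e_s↑)/B(e_s↓) capacities are merged (assumption).
LINKS = {
    ("v1", "v2"): 10, ("v2", "v3"): 10, ("v3", "v4"): 4, ("v3", "v6"): 2,
    ("v1", "v5"): 6, ("v5", "v4"): 6, ("v4", "v6"): 10,
}
# Security functions each node provides; forwarding-only nodes hold an empty set.
FUNCTIONS = {"v1": {"FW"}, "v2": {"IDS"}, "v3": set(), "v4": {"IDS", "NAT"},
             "v5": {"LB"}, "v6": {"NAT", "LB"}}


def cheapest_path(graph, src, dst, bw):
    """Dijkstra over links with residual capacity >= bw, minimising hop count
    (a stand-in for the claim's network cost). Returns (hops, path) or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for v, cap in graph[u].items():
            if cap >= bw and d + 1 < dist.get(v, float("inf")):
                dist[v], prev[v] = d + 1, u
                heapq.heappush(heap, (d + 1, v))
    return None


def deploy(chain, bws, links=LINKS, functions=FUNCTIONS):
    """Deploy Q_r = chain, with bws[h] = bw(q_{r,h}, q_{r,h+1}). Returns
    (placement, routes) = (N_r(q_{r,h}) per h, L_r per link) or None on failure."""
    graph, H = defaultdict(dict), len(chain)
    for (a, b), cap in links.items():
        graph[a][b] = graph[b][a] = cap
    placement, routes, pending = [None] * H, [None] * (H - 1), set()
    # Division basis: a requirement with exactly one provider in G_S is fixed there.
    for h, f in enumerate(chain):
        providers = [n for n, fs in functions.items() if f in fs]
        if not providers:
            return None        # G_S cannot provide the function
        if len(providers) == 1:
            placement[h] = providers[0]

    def reserve(path, bw):     # assumption: a deployed link consumes capacity
        for a, b in zip(path, path[1:]):
            graph[a][b] -= bw
            graph[b][a] -= bw

    def place(h):
        """Pick the provider of chain[h] that satisfies the bandwidth of every
        link to an already placed neighbour at minimum total cost, route those
        links, then deploy a pending link on the other side of h."""
        placed = [k for k in (h - 1, h + 1) if 0 <= k < H and placement[k] is not None]
        best = None
        for node in (n for n, fs in functions.items() if chain[h] in fs):
            total, paths = 0, {}
            for k in placed:
                i = min(h, k)  # index of link (q_{r,i}, q_{r,i+1})
                src, dst = (placement[k], node) if k < h else (node, placement[k])
                res = cheapest_path(graph, src, dst, bws[i])
                if res is None:
                    break
                total += res[0]
                paths[i] = res[1]
            else:
                if best is None or total < best[0]:
                    best = (total, node, paths)
        if best is None:
            return False
        placement[h] = best[1]
        for i, path in best[2].items():
            routes[i] = path
            reserve(path, bws[i])
        for k in (h - 1, h + 1):
            if 0 <= k < H and placement[k] is None and min(h, k) in pending:
                pending.discard(min(h, k))
                if not place(k):
                    return False
        return True

    # Links are deployed in descending order of bandwidth requirement.
    for i in sorted(range(H - 1), key=lambda i: -bws[i]):
        if routes[i] is not None:
            continue
        a, b = placement[i], placement[i + 1]
        if a is None and b is None:
            pending.add(i)     # neither endpoint deployed yet: mark pending
        elif a is not None and b is not None:
            res = cheapest_path(graph, a, b, bws[i])
            if res is None:
                return None
            routes[i] = res[1]
            reserve(res[1], bws[i])
        elif not place(i + 1 if b is None else i):
            return None
    # Assumption: links still pending at the end (chain has no fixed node) fail.
    return None if any(r is None for r in routes) else (placement, routes)
```

Calling deploy(["FW", "IDS", "NAT"], [5, 3]) fixes FW at its unique provider v1, then places IDS at v2 (one hop from v1, versus two hops for v4) and NAT at v4 over v2 → v3 → v4, since the v3 → v6 link cannot carry the 3 units required. The request deploy(["FW", "IDS", "NAT", "LB"], [5, 3, 7]) exercises the pending mechanism: link (NAT, LB) has the largest bandwidth but neither endpoint is deployed when it is first visited, so it is marked pending and deployed only after NAT lands on v4, at which point v5 is infeasible (capacity 6 < 7) and LB goes to v6. A request whose bandwidth no path can satisfy, or that names a function no node provides, returns None, which is the failure condition the claim ends with.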
CN201711041932.0A 2017-10-30 2017-10-30 Security function deployment method based on service chain Active CN107682203B (en)

Publications (2)

Publication Number Publication Date
CN107682203A CN107682203A (en) 2018-02-09
CN107682203B true CN107682203B (en) 2020-09-08

Family

ID=61143441


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant