CN107689942A - Service processing method and device - Google Patents
Service processing method and device
- Publication number: CN107689942A (application CN201610635788.2A)
- Authority: CN (China)
- Prior art keywords: service, level, controller, information, switch
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Withdrawn
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          - H04L63/1441—Countermeasures against malicious traffic
      - H04L47/00—Traffic control in data switching networks
        - H04L47/10—Flow control; Congestion control
          - H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a service processing method and device. The method includes: a controller generates service-level information according to specified conditions and delivers the service-level information to a switch, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, and different levels correspond to different service processing modes. This technical scheme solves the problem in the related art that security protection of the SDN controller can only be performed by external detection devices, or only in certain special scenarios, so that control-plane security protection applicable to a variety of attack scenarios cannot be provided; comprehensive security protection of the SDN controller is thereby achieved, giving general, efficient and intelligent security protection of the SDN control-plane controller.
Description
Technical field
The present invention relates to the field of communications, and in particular to a service processing method and device.
Background technology
The traditional network based on the Internet Protocol (IP) has a complex organizational structure and high operation and maintenance costs, and is increasingly unable to meet the flexibility and scalability requirements that emerging services place on the network; software-defined networking (SDN) technology arose in response. SDN redefines the network architecture by dividing the network into an application plane, a control plane and a data forwarding plane, making the network programmable.
In a network architecture based on SDN technology, the specific forwarding path and forwarding policy of a packet in the network are controlled by the SDN controller: the SDN controller sends the packet's forwarding path, forwarding policy and so on to the switch group of the SDN architecture through the OpenFlow protocol, and the switches in the switch group forward the packet to the cloud server in the cloud data center. The SDN architecture centralizes the network management functions of the traditional network architecture and is a revolutionary innovation over it. Besides bringing flexibility of management and operation, this innovation also gives the security problems in SDN their own distinctive features.
Analysis of the prior art shows that security protection for SDN has concentrated mainly on security of the data forwarding plane, where a security kernel module has to take on real-time monitoring of the network state and attack detection; its main purpose is to protect the data forwarded by the SDN, its implementation is relatively complex, and it is of limited practicality in real network deployments. Some patents also propose security protection of the control plane, but they only address the attack scenarios of certain specific services, lack the generality needed to protect against many kinds of attacks in many scenarios, and the control-plane protection they provide is static, implemented by adding intrusion detection devices.
Analysing the SDN architecture, the centralized control plane carries all control flows of the network environment on the SDN controller and is the nerve centre of the whole network service; its security directly determines the availability, reliability and data security of the network service, and is the primary problem that SDN security has to solve. It is well known that there are many kinds of attacks on the control plane, for example the various distributed denial of service (DDoS) attacks. As an illustration: the controller needs to establish normal Transmission Control Protocol (TCP) connections with external devices, and an attacker can disrupt normal TCP connections with SYN flooding attacks against the same TCP listening port, thereby attacking the device's resources.
No effective solution has yet been proposed for the problem in the related art that security protection of the SDN controller can only be performed by external detection devices, or only in certain special scenarios, so that control-plane security protection applicable to a variety of attack scenarios cannot be provided.
Summary of the invention
Embodiments of the invention provide a service processing method and device, so as at least to solve the technical problem in the related art that security protection of the SDN controller by external detection devices is only possible in certain special scenarios, and control-plane security protection applicable to a variety of attack scenarios cannot be provided.
According to one aspect of the invention, a service processing method is provided, including:
A controller generates service-level information according to specified conditions, where the service-level information indicates the service level corresponding to each service supported by the SDN system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
The controller delivers the service-level information to a switch, where the service-level information instructs the switch to apply, to services sent to the controller, the service processing mode corresponding to the level the service belongs to.
Optionally, the controller generating service-level information according to specified conditions includes:
The controller obtains the feature information of the service;
The controller generates the service-level information according to the feature information.
Optionally, the feature information includes at least one of: the five-tuple information of the data message, the link-layer information of the data message, and the device port on which the data message was received.
Optionally, the priority of first-level services is higher than the priority of second-level services, and for third-level services the switch is instructed to perform a drop operation.
Optionally, before the controller delivers the service-level information to the switch, the method also includes:
The controller converts the generated service-level information into a flow table carrying the service-level information.
According to another aspect of the invention, a service processing method is also provided, including:
A switch receives service-level information delivered by a controller, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
The switch applies, according to the service-level information, to services sent to the controller the service processing mode corresponding to the level the service belongs to.
Optionally, the priority of first-level services is higher than the priority of second-level services, and for third-level services the switch performs a drop operation.
Optionally, the switch applying, according to the service-level information, to services sent to the controller the service processing mode corresponding to the level the service belongs to includes:
The switch determines, according to the service-level information, the level to which a service sent to the controller belongs;
The switch applies, according to the determined level, the service processing mode corresponding to that level to the service sent to the controller.
According to another aspect of the invention, a service processing device applied to a controller is also provided, including:
A generation module, configured to generate service-level information according to specified conditions, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
A delivery module, configured to deliver the service-level information to a switch, where the service-level information instructs the switch to apply, to services sent to the controller, the service processing mode corresponding to the level the service belongs to.
According to another aspect of the invention, a service processing device applied to a switch is also provided, including:
A receiving module, configured to receive service-level information delivered by a controller, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
An execution module, configured to apply, according to the service-level information, to services sent to the controller the service processing mode corresponding to the level the service belongs to.
With the invention, the SDN controller can dynamically generate service-level information according to specified conditions, and the switch can apply different service processing modes to all services sent to the controller according to their service levels, without relying on external detection devices. This solves the technical problem in the related art that security protection of the SDN controller can only be performed by external detection devices, or only in certain special scenarios, so that control-plane security protection applicable to a variety of attack scenarios cannot be provided; general and comprehensive security protection of the SDN controller can thereby be achieved, giving general, efficient and intelligent security protection of the SDN control-plane controller.
Brief description of the drawings
The accompanying drawings described here are provided for further understanding of the invention and form part of the application; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is the basic structural model of an SDN system in the related art;
Fig. 2 is the flow chart (one) of the service processing method of an embodiment of the invention;
Fig. 3 is the flow chart (two) of the service processing method of an embodiment of the invention;
Fig. 4 is the structural block diagram (one) of the service processing device according to an embodiment of the invention;
Fig. 5 is the structural block diagram (two) of the service processing device according to an embodiment of the invention;
Fig. 6 is the structural block diagram of the SDN controller protection device according to a preferred embodiment of the invention;
Fig. 7 is a schematic diagram of SDN controller security table entries according to an embodiment of the invention;
Fig. 8 is the flow chart of the service processing method of a preferred embodiment of the invention;
Fig. 9 is the flow chart of the service processing method of a preferred embodiment of the invention.
Detailed description of the embodiments
The invention is described in detail below with reference to the accompanying drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to the process, method, product or device.
It should be noted that embodiments of the invention operate in a software-defined network (SDN) system. To make the technical scheme of the following embodiments easier to understand, the basic structural model of an SDN system in the related art is briefly introduced here. As shown in Fig. 1, the SDN system includes a network application layer 10, an SDN controller 12 and an SDN switch 14, where the SDN controller communicates bidirectionally with the network application layer through the northbound interface and with the SDN switch through the southbound interface.
Embodiment 1
This embodiment provides a service processing method from the perspective of the controller. Fig. 2 is the flow chart (one) of the service processing method of an embodiment of the invention; as shown in Fig. 2, the method includes the following steps:
Step S202: the controller generates service-level information according to specified conditions, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
Step S204: the controller delivers the service-level information to the switch, where the service-level information instructs the switch to apply, to services sent to the controller, the service processing mode corresponding to the level the service belongs to.
Through these steps, the SDN controller can dynamically generate service-level information according to specified conditions, and the switch can apply different service processing modes to all services sent to the controller according to their service levels, without relying on external detection devices. This solves the technical problem in the related art that security protection of the SDN controller can only be performed by external detection devices, or is limited to certain special scenarios, so that control-plane security protection applicable to a variety of attack scenarios cannot be provided; general and comprehensive security protection of the SDN controller can thereby be achieved.
Optionally, the services of the embodiment may be carried in the form of data messages, in which case step S202 can be implemented as follows: the controller obtains the feature information of the service and generates the service-level information according to the feature information. It should be noted that the feature information here may be the five-tuple information of the data message, or the link-layer information of the data message together with the device port on which the data message was received. For IP data messages the five-tuple information can be used: IP source address, IP destination address, IP protocol number, transport-layer source port and transport-layer destination port; for non-IP data messages the link-layer information can be used: destination MAC, source MAC, Ethernet protocol number and similar data. In a concrete implementation the feature information of the embodiment can be adjusted flexibly as needed, and the embodiment does not limit this.
Optionally, the switch applying different service processing modes according to the service-level information mainly includes the following cases: the switch performs a drop operation on third-level services and a send-up operation on first-level and second-level services. The priority for sending up first-level services is higher than that for second-level services: on the channel between the switch and the controller, first-level services are assigned a higher-priority queue and second-level services a lower-priority queue, ensuring that first-level services are sent up preferentially; and first-level services are allocated more send-up bandwidth than second-level services, ensuring that first-level services are handled on a high-bandwidth channel.
It should be noted that the number of service levels is not limited to three; there may be two, four, five or more different priority levels. Taking two levels and four levels as examples: if the service-level information indicates two levels, then, for example, second-level services are directly dropped and first-level services are sent up with high bandwidth preferred; if the service-level information indicates four levels, then, for example, first-level services are given the highest priority and guaranteed maximum bandwidth and are sent directly up to the controller, second-level services have higher priority than third-level services but less send-up bandwidth than third-level services, and fourth-level services are directly dropped. The smaller the level number of a service, the higher its trust; the larger the level number, the lower its trust.
Optionally, before the controller delivers the service-level information to the switch, the controller may convert the generated service-level information into a flow table carrying the service-level information and then deliver the flow table to the switch through the OpenFlow protocol. When the switch receives a data message whose destination is the controller, it uniformly matches the message against this flow table and, as the action in the flow table instructs, sends the data message up or drops it.
With this scheme, for all control-plane services, whether supported by the controller or not, service features can be defined by the specified conditions, converted into a flow table and delivered to the switch, so that the switch can apply security policy to control-plane services destined for the controller finely and precisely.
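The following Python is an added example written for this page, not code from the patent or its applicant; it models steps S202 and S204 on the controller side. It extracts feature information from a raw Ethernet frame (the five-tuple for IP data messages, link-layer information plus ingress port otherwise), assigns one of the three levels under assumed "specified conditions", and converts the result into flow-table-style entries. The controller address, the set of known switches, the OpenFlow port, the queue numbers, the bandwidths and the sample frames are all constructed assumptions; the patent does not fix these values.

```python
"""Controller side (illustrative): feature extraction -> level -> flow entry."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Service levels: the smaller the number, the higher the trust (as the text states).
LEVEL_FIRST, LEVEL_SECOND, LEVEL_THIRD = 1, 2, 3

# Assumptions for this example (constructed, not from the patent).
CONTROLLER_IP = "10.0.0.1"
OPENFLOW_PORT = 6653
KNOWN_SWITCHES = {"10.0.0.2", "10.0.0.3"}   # switches with registered sessions
ETH_IPV4, ETH_LLDP = 0x0800, 0x88CC


@dataclass(frozen=True)
class Features:
    in_port: int                 # device port the message was received on
    src_mac: str
    dst_mac: str
    ethertype: int               # Ethernet protocol number
    five_tuple: Optional[Tuple[str, str, int, int, int]] = None  # IP messages only


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def extract_features(frame: bytes, in_port: int) -> Features:
    """Parse an Ethernet II frame. IPv4 messages yield (src IP, dst IP, protocol,
    src port, dst port); non-IP frames yield only link-layer information."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    five = None
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        proto = frame[23]
        sip, dip = _ip(frame[26:30]), _ip(frame[30:34])
        sport = dport = 0
        l4 = 14 + ihl
        if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP/UDP carry ports
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        five = (sip, dip, proto, sport, dport)
    return Features(in_port, _mac(src), _mac(dst), ethertype, five)


def classify(f: Features) -> int:
    """Assumed specified conditions: OpenFlow traffic from a known switch is first
    level, LLDP discovery frames are second level, anything else bound for the
    controller is third level (drop). Not the patent's own rule set."""
    if f.five_tuple is not None:
        sip, dip, proto, _sport, dport = f.five_tuple
        if (dip == CONTROLLER_IP and proto == 6 and dport == OPENFLOW_PORT
                and sip in KNOWN_SWITCHES):
            return LEVEL_FIRST
    if f.ethertype == ETH_LLDP:
        return LEVEL_SECOND
    return LEVEL_THIRD


# Processing mode per level; queue ids and bandwidths are assumed values.
ACTIONS = {
    LEVEL_FIRST:  {"action": "send_up", "queue": 0, "bandwidth_mbps": 100},
    LEVEL_SECOND: {"action": "send_up", "queue": 1, "bandwidth_mbps": 10},
    LEVEL_THIRD:  {"action": "drop"},
}


def to_flow_entry(f: Features, level: int) -> dict:
    """Convert feature information plus level into a flow-table entry; higher
    trust gets higher match priority so it is never shadowed by a coarser rule."""
    match = {"in_port": f.in_port, "eth_src": f.src_mac, "eth_type": f.ethertype}
    if f.five_tuple is not None:
        sip, dip, proto, sport, dport = f.five_tuple
        match.update(ipv4_src=sip, ipv4_dst=dip, ip_proto=proto, tp_src=sport, tp_dst=dport)
    return {"priority": 1000 - 100 * level, "level": level, "match": match, **ACTIONS[level]}


def generate_level_info(messages):
    """messages: iterable of (frame_bytes, in_port). Returns the flow entries."""
    entries = []
    for frame, port in messages:
        f = extract_features(frame, port)
        entries.append(to_flow_entry(f, classify(f)))
    return entries


# --- constructed sample frames (not captured traffic) ---
def _mac_b(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip_b(s): return bytes(int(x) for x in s.split("."))


def build_tcp_frame(src_mac, dst_mac, sip, dip, sport, dport) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip_b(sip), _ip_b(dip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN
    return _mac_b(dst_mac) + _mac_b(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_lldp_frame(src_mac) -> bytes:
    return _mac_b("01:80:c2:00:00:0e") + _mac_b(src_mac) + struct.pack("!H", ETH_LLDP) + b"\x00" * 4


SAMPLES = [
    (build_tcp_frame("00:00:00:00:00:02", "00:00:00:00:00:01", "10.0.0.2", CONTROLLER_IP, 40001, OPENFLOW_PORT), 1),
    (build_lldp_frame("00:00:00:00:00:03"), 2),
    (build_tcp_frame("00:00:00:00:00:99", "00:00:00:00:00:01", "10.0.0.99", CONTROLLER_IP, 50000, OPENFLOW_PORT), 3),
]

if __name__ == "__main__":
    for e in generate_level_info(SAMPLES):
        print(e["level"], e["action"], e["match"])
```

The priority spacing (1000 minus 100 per level) is a design choice for the example: it keeps first-level entries above second-level ones in an OpenFlow-style table even when their match fields overlap, which matters once the blanket third-level rule for unknown sources is installed.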
Embodiment 2
To improve on the above technical scheme, this embodiment also provides a service processing method from the perspective of the switch. Fig. 3 is the flow chart (two) of the service processing method of an embodiment of the invention; as shown in Fig. 3, the method includes the following steps:
Step S302: the switch receives the service-level information delivered by the controller, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
Step S304: the switch applies, according to the service-level information, to services sent to the controller the service processing mode corresponding to the level the service belongs to.
Through these steps, the switch receives the service-level information delivered by the controller and applies, according to it, the service processing mode corresponding to each service's level to the services sent to the controller, without relying on external detection devices. This solves the technical problem in the related art that only static security protection of the SDN controller by external detection devices in certain special scenarios is possible, so that control-plane security protection applicable to a variety of attack scenarios cannot be provided; general and comprehensive security protection of the SDN controller can thereby be achieved.
Optionally, the switch applying different service processing modes according to the service-level information mainly includes the following cases: the switch performs a drop operation on third-level services and a send-up operation on first-level and second-level services, where the priority of first-level services is higher than that of second-level services and first-level services are allocated more send-up bandwidth than second-level services.
It should be noted that the number of service levels is not limited to three; there may be two, four, five or more different priority levels.
Step S304 can be implemented in many ways; in one optional example it is implemented as follows: the switch determines, according to the service-level information, the level to which a service sent to the controller belongs, and then applies to that service the service processing mode corresponding to the determined level.
Optionally, before the controller delivers the service-level information to the switch, the controller may convert the generated service-level information into a flow table carrying the service-level information and deliver it to the switch through the OpenFlow protocol. When the switch receives a data message whose destination is the controller, it uniformly matches the message against this flow table, encapsulates the message into an OpenFlow packet_in message according to the flow table matching result, and performs the operation on each data message as the flow table instructs.
With this scheme, for all control-plane services, whether supported by the controller or not, service features can be defined by the specified conditions, converted into a flow table and delivered to the switch, so that the switch can apply security policy to control-plane services destined for the controller finely and precisely.
The other technical points of this embodiment are similar to those of Embodiment 1 and are not repeated here.
Embodiment 3
This embodiment also provides a service processing device, applied to a controller, for implementing the above embodiments and preferred embodiments; what has already been explained is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and conceivable.
Fig. 4 is the structural block diagram (one) of the service processing device according to an embodiment of the invention; as shown in Fig. 4, the device includes:
Generation module 40, configured to generate service-level information according to specified conditions, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
Delivery module 42, configured to deliver the service-level information to the switch, where the service-level information instructs the switch to apply, to services sent to the controller, the service processing mode corresponding to the level the service belongs to.
Through the combined operation of these modules, the SDN controller can dynamically generate service-level information according to specified conditions, and the switch can apply different service processing modes to all services sent to the controller according to their service levels, without relying on external detection devices, achieving flexible, comprehensive and dynamic security protection of the SDN controller. This avoids the technical problem in the related art that security protection of the SDN controller can only be performed by external detection devices, or only in certain special scenarios, so that control-plane security protection applicable to a variety of attack scenarios cannot be provided; general and comprehensive security protection of the SDN controller can thereby be achieved.
Optionally, the generation module 40 is configured to obtain the feature information of the service and to generate the service-level information according to the feature information.
In embodiments of the invention, the feature information includes at least one of: the five-tuple information of the data message and the link-layer information of the data message.
The priority of first-level services is higher than the priority of second-level services, and for third-level services the switch is instructed to perform a drop operation.
Embodiment 4
To improve on the above technical scheme, this embodiment also provides a service processing device applied to a switch. Fig. 5 is the structural block diagram (two) of the service processing device according to an embodiment of the invention; as shown in Fig. 5, the device includes:
Receiving module 50, configured to receive the service-level information delivered by the controller, where the service-level information indicates the service level corresponding to each service supported by the software-defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
Execution module 52, configured to apply, according to the service-level information, to services sent to the controller the service processing mode corresponding to the level the service belongs to.
Through the combined operation of these modules, the SDN controller can dynamically generate service-level information according to specified conditions, and the switch can apply different service processing modes to all services sent to the controller according to their service levels, without relying on external detection devices, achieving flexible, comprehensive and dynamic security protection of the SDN controller. This avoids the technical problem in the related art that only static security protection of the SDN controller by external detection devices in certain special scenarios is possible.
Optionally, the priority of first-level services is higher than the priority of second-level services, and for third-level services the switch performs a drop operation.
Optionally, the execution module 52 is configured to determine, according to the service-level information, the level to which a service sent to the controller belongs, and to apply, according to the determined level, the service processing mode corresponding to that level to the service sent to the controller.
To help understanding of the above service processing flow, the technical scheme is explained below in conjunction with a preferred embodiment, which is not intended to limit the embodiments of the invention.
Preferred embodiment 1
The first level, second level and third level referred to in the above embodiments may correspond respectively to a whitelist, a greylist and a blacklist. For the blacklist table the action performed is drop; for the greylist table the action is low priority and send-up on low bandwidth; for the whitelist table the action is high priority and send-up with guaranteed high bandwidth. The black, white and grey lists for all services are created and deployed dynamically with the services and need no manual intervention at run time.
The embodiment of the present invention by the white list of dynamic generation safeguard protection, gray list, blacklist on SDN controllers,
These security strategy entries are generated as reference format flow table on SDN controllers, by open flow agreements, by flow table issuance
To SDN switch, SDN switch receives data traffic, determines when being the message for needing to terminate on the controller, matching stream
Table, according to the action of flow table, implement the protection to controller.
Fig. 6 is a structural block diagram of the SDN controller protection device according to a preferred embodiment of the invention. Based on Fig. 6, the SDN controller protection scheme can be realized through the following steps:
Step S602: the SDN controller security management module 101 establishes the black-list, white-list and gray-list entries for the services;
Step S604: the SDN controller flow-table management module 102 converts the black-list, white-list and gray-list entries generated by the security management module into a flow table (the "protocol up-send security flow table") according to the flow-table specification, and issues the flow table to the SDN switch forwarding module through the OpenFlow protocol;
Step S606: the SDN switch forwarding module 103 applies this "protocol up-send security flow table". When it receives a data packet and determines that the packet terminates on the controller, it looks up the "protocol up-send security flow table" and protects the control-plane controller according to the lookup result (drop or send up, priority, bandwidth).
The method and device of the invention are general: they are not limited to protecting one or a few classes of control-plane services but provide a universal solution for all control-plane services the controller supports, so that service security policies can be deployed on the controller flexibly and accurately, achieving efficient and intelligent protection of the SDN control-plane controller.
Preferred embodiment 2
To improve the technical solution above, this embodiment further provides a service processing method. Fig. 7 is an example diagram of the security lists of the preferred embodiment of the invention, and Fig. 8 is a flow chart of the service processing method of the preferred embodiment of the invention. As shown in Figs. 7 and 8, the method comprises the following steps:
Step S802: the SDN controller configures control-plane services. When a protocol is configured on the controller, a gray-list entry for that protocol is generated dynamically from the controller configuration. Taking BGP as an example, once the BGP service is configured and enabled, a gray-list entry is generated from the BGP protocol signature (as shown in Fig. 7: protocol number 6, TCP destination port 179); the action for the gray-list entry is to send the packet up with a relatively low priority and up-send bandwidth;
Step S804: a black list is generated dynamically from the service configuration. A general service on the SDN controller is implemented under certain constraints, for example only certain ports are allowed access, so black-list entries can be generated for the service signature on all other ports. Black-list entries can also be generated from filtering rules statically configured by operations and maintenance requirements; the action for a black-list entry is drop;
Step S806: the SDN controller interacts dynamically with external devices over the protocol, and protocol white-list entries are generated dynamically during this interaction. For example, when a remote device initiates a BGP connection to the controller and the BGP neighbor is created successfully, the controller obtains the protocol signature (as shown in Fig. 7: protocol number 6, TCP destination port 179, TCP source port, IP destination address, IP source address) and generates a protocol white-list entry from these signature fields; the action for the white-list entry is to send the packet up with a higher priority and up-send bandwidth;
Step S808: the SDN controller converts the black, white and gray lists generated for the services into the "protocol up-send security flow table" structure according to the OpenFlow protocol format;
Step S810: the SDN controller issues the "protocol up-send security flow table" to the SDN switch through the southbound interface;
Step S812: the SDN switch stores and installs the "protocol up-send security flow table" issued for security control of up-sending. When the switch receives a data packet and determines that it needs to be sent up to the controller, it queries the "protocol up-send security flow table" and matches the packet against it by the packet's signature;
Step S814: according to the flow-table match result, the SDN switch encapsulates the packet in an OpenFlow packet_in message and sends it up to the controller: a packet hitting a black-list entry is dropped; a packet hitting a gray-list entry is sent up with low priority and low bandwidth; a packet hitting a white-list entry is sent up to the controller with high priority and high bandwidth. This effectively guarantees the protection of the services the controller trusts.
Preferred embodiment 3
To improve the technical solution above, this embodiment further provides a method for processing the actions taken after a service hits the black or white list. Fig. 9 is a flow chart of the service processing method of the preferred embodiment of the invention; as shown in Fig. 9, the method comprises the following steps:
Step S902: the switch defines different priority levels on the up-send channel for the services sent up to the controller: the white list has the highest priority and is scheduled first; the gray list has a lower priority and is scheduled after the white list; the black list has the lowest priority and is not scheduled at all. An actual implementation can classify more finely according to the priority requirements on the channel, for example by marking off several priorities within the gray list;
Step S904: the switch allocates different bandwidths on the up-send channel to the services sent up to the controller. For example, for the same BGP protocol, the bandwidth allocated to the BGP white list may reach 1000 packets sent up per port per second, while the bandwidth allocated to the BGP gray list is limited to 100 packets sent up per port per second. Limiting the bandwidth allocation effectively prevents large volumes of untrusted packets from being sent up;
Step S906: the switch's OpenFlow processing queues assign different priorities to the packets sent up to the controller. A packet that needs to terminate on the controller, after passing through the black/white/gray priorities of the switch's up-send channel, reaches the switch's OpenFlow processing, where it must be encapsulated in an OpenFlow packet_in message and sent to the controller. The switch's OpenFlow processing likewise distinguishes the black, white and gray lists and divides them into different priority queues, ensuring that packets the controller trusts enter the high-priority OpenFlow processing queue, are encapsulated in OpenFlow first and sent to the controller, while packets with a low trust level enter the lower-priority OpenFlow processing queue and are encapsulated in packet_in and sent to the controller with lower priority;
Step S908: the SDN controller receives the OpenFlow packet_in messages and processes the packets sent up to it. It is precisely the priority division and bandwidth allocation on the switch's up-send channel, together with the priority-queue division of the switch's OpenFlow processing, that effectively guarantee the protection of the controller.
In summary, the embodiments of the invention achieve the following technical effect: they solve the problem in the related art that the SDN controller could only be protected by external detection equipment and, in some special scenarios, only statically, and thereby realize flexible, comprehensive and dynamic protection of the SDN controller.
Embodiments of the invention further provide a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the service processing method provided in the first embodiment above.
Optionally, in this embodiment, the storage medium may be located in any terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps:
S1: generating service-level information according to specified conditions;
S2: issuing the service-level information to a switch, wherein the service-level information indicates the service level corresponding to a service supported by the software-defined network (SDN) system, and different levels correspond to different service processing modes.
Embodiments of the invention further provide a storage medium. Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps:
S1: receiving service-level information issued by a controller, wherein the service-level information indicates the service level corresponding to a service supported by the software-defined network (SDN) system, the service level comprises at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
S2: performing, on the services sent to the controller and according to the service-level information, the service processing mode corresponding to the level to which each service belongs.
The numbering of the embodiments of the invention above is for description only and does not indicate the merits of the embodiments.
In the embodiments of the invention above, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
In the several embodiments provided by this application, it should be understood that the disclosed technical content may be realized in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: several units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit.
If the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computing device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the invention. The storage medium includes a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc or any other medium that can store program code.
The foregoing are only preferred embodiments of the invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (10)
- 1. A service processing method, characterized by comprising: a controller generating service-level information according to specified conditions, wherein the service-level information indicates the service level corresponding to a service supported by the software-defined network (SDN) system, the service level comprises at least a first level, a second level and a third level, and different levels correspond to different service processing modes; and the controller issuing the service-level information to a switch, wherein the service-level information instructs the switch to perform, on the services sent to the controller and according to the service-level information, the service processing mode corresponding to the level to which each service belongs.
- 2. The service processing method according to claim 1, characterized in that the controller generating service-level information according to specified conditions comprises: the controller obtaining feature information of the service; and generating the service-level information according to the feature information.
- 3. The service processing method according to claim 2, characterized in that the feature information comprises at least one of: five-tuple information of a data packet, link-layer information of a data packet, and information on the device port at which a data packet is received.
- 4. The service processing method according to claim 1, characterized in that the priority of first-level services is higher than the priority of second-level services, and for third-level services the switch is instructed to perform a drop operation.
- 5. The service processing method according to claim 1, characterized in that, before the controller issues the service-level information to the switch, the method further comprises: the controller converting the generated service-level information into a flow table carrying the service-level information.
- 6. A service processing method, characterized by comprising: a switch receiving service-level information issued by a controller, wherein the service-level information indicates the service level corresponding to a service supported by the software-defined network (SDN) system, the service level comprises at least a first level, a second level and a third level, and different levels correspond to different service processing modes; and the switch performing, on the services sent to the controller and according to the service-level information, the service processing mode corresponding to the level to which each service belongs.
- 7. The service processing method according to claim 6, characterized in that the method further comprises: the priority of first-level services being higher than the priority of second-level services, and the switch performing a drop operation for third-level services.
- 8. The service processing method according to claim 6, characterized in that the switch performing, on the services sent to the controller and according to the service-level information, the service processing mode corresponding to the level to which each service belongs comprises: the switch determining, according to the service-level information, the level to which a service sent to the controller belongs; and the switch performing, on the service sent to the controller and according to the determined level, the service processing mode corresponding to that level.
- 9. A service processing device, applied to a controller, characterized by comprising: a generation module for generating service-level information according to specified conditions, wherein the service-level information indicates the service level corresponding to a service supported by the software-defined network (SDN) system, the service level comprises at least a first level, a second level and a third level, and different levels correspond to different service processing modes; and an issuing module for issuing the service-level information to a switch, wherein the service-level information instructs the switch to perform, on the services sent to the controller and according to the service-level information, the service processing mode corresponding to the level to which each service belongs.
- 10. A service processing device, applied to a switch, characterized by comprising: a receiving module for receiving service-level information issued by a controller, wherein the service-level information indicates the service level corresponding to a service supported by the software-defined network (SDN) system, the service level comprises at least a first level, a second level and a third level, and different levels correspond to different service processing modes; and an execution module for performing, on the services sent to the controller and according to the service-level information, the service processing mode corresponding to the level to which each service belongs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610635788.2A CN107689942A (en) | 2016-08-04 | 2016-08-04 | Method for processing business and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107689942A true CN107689942A (en) | 2018-02-13 |
Family
ID=61151767
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
Application publication date: 20180213 |