CN107689942A - Method for processing business and device - Google Patents

Info

Publication number
CN107689942A
CN107689942A
Authority
CN
China
Prior art keywords
business
level
controller
information
interchanger
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201610635788.2A
Other languages
Chinese (zh)
Inventor
张丽晖
张岩
赵艳杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201610635788.2A
Publication of CN107689942A
Legal status: Withdrawn

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/24: Traffic characterised by specific attributes, e.g. priority or QoS
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a service processing method and device. The processing method includes: a controller generates service level information according to specified conditions, and the controller delivers the service level information to a switch, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, and different levels correspond to different service processing modes. The above technical solution solves the problem in the related art that security protection of SDN controllers could only be performed by external detection equipment, and only in some specific scenarios, so that control plane security protection applicable to a variety of attack scenarios could not be provided; comprehensive security protection of SDN controllers can thereby be realized, achieving general-purpose, efficient and intelligent security protection of SDN control plane controllers.

Description

Method for processing business and device
Technical field
The present invention relates to the field of communications, and in particular to a service processing method and device.
Background technology
The organizational structure of legacy networks based on the Internet Protocol (IP) is complex and their operation and maintenance costs are high, so they find it increasingly difficult to meet the flexibility and scalability requirements that emerging services place on the network; software defined network (SDN) technology has arisen in response. SDN redefines the network architecture by dividing the network into an application plane, a control plane and a data forwarding plane, making the network programmable.
In a network architecture based on SDN technology, the specific forwarding path and forwarding policy of a packet in the network are controlled by the SDN controller: the SDN controller sends the packet's forwarding path, forwarding policy and so on to the switch group of the SDN architecture through the OpenFlow protocol, and the switches in the switch group forward the packet to the cloud servers in the cloud data center. The SDN architecture centralizes the network management functions of the traditional network architecture and is a revolutionary innovation over it. Besides bringing flexibility of management and operation, this innovation also gives the security problems in SDN their own distinctive features.
Analysis of the prior art shows that security protection for SDN concentrates mainly on the data forwarding plane, where a security kernel module must undertake real-time monitoring of the network state and attack detection; its main purpose is to protect the data forwarded by SDN, its implementation is complex, and its operability in real network deployments is limited. In addition, some patents propose security protection for the control plane, but they only solve the attack scenarios of certain specific services and lack the versatility to protect against many kinds of attacks in many scenarios; moreover, this protection of the control plane is static and is realized by adding intrusion detection equipment.
Analysing the SDN architecture, the centralized control plane carries all control flows in the network environment on the SDN controller, which is the organ of the whole network service; its security directly determines the availability, reliability and information security of network services and is the problem that SDN security must solve first. It is well known that there are many types of attack on the control plane, such as the various distributed denial of service (DDoS) attacks. For example: the controller needs to establish normal Transmission Control Protocol (TCP) connections with external devices, and an attacker can destroy normal TCP connections with SYN flooding attacks on the same TCP listening port, so as to exhaust the device's resources.
For the problem in the related art that security protection of SDN controllers can only be performed by external detection equipment, or only in some specific scenarios, so that control plane security protection technology applicable to a variety of attack scenarios cannot be provided, no effective solution has yet been proposed.
The content of the invention
Embodiments of the invention provide a service processing method and device, so as at least to solve the technical problem in the related art that security protection of SDN controllers is performed by external detection equipment only in some specific scenarios, and control plane security protection applicable to a variety of attack scenarios cannot be provided.
According to one aspect of the invention, a service processing method is provided, including:
a controller generates service level information according to specified conditions, where the service level information indicates the service level corresponding to each service supported by the SDN system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
the controller delivers the service level information to a switch, where the service level information instructs the switch to apply, to services sent to the controller, the service processing mode corresponding to the level to which each service belongs.
Optionally, the controller generating service level information according to specified conditions includes:
the controller obtains the characteristic information of a service;
service level information is generated according to the characteristic information.
Optionally, the characteristic information includes at least one of: the five-tuple information of a data message, the link layer information of a data message, and the device port information on which a data message is received.
Optionally, the priority of services of the first level is higher than the priority of services of the second level, and for services of the third level the switch is instructed to perform a discard operation.
Optionally, before the controller delivers the service level information to the switch, the method further includes:
the controller converts the generated service level information into a flow table carrying the service level information.
According to another aspect of the invention, a service processing method is also provided, including:
a switch receives the service level information delivered by a controller, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
the switch applies, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs.
Optionally, the priority of services of the first level is higher than the priority of services of the second level, and for services of the third level the switch performs a discard operation.
Optionally, the switch applying, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs includes:
the switch determines, according to the service level information, the level to which a service sent to the controller belongs;
the switch applies to the service sent to the controller, according to the determined level, the service processing mode corresponding to that level.
According to another aspect of the invention, a service processing device is also provided, applied to a controller, including:
a generation module, configured to generate service level information according to specified conditions, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
a delivery module, configured to deliver the service level information to a switch, where the service level information instructs the switch to apply, to services sent to the controller, the service processing mode corresponding to the level to which each service belongs.
According to another aspect of the invention, a service processing device is also provided, applied to a switch, including:
a receiving module, configured to receive the service level information delivered by a controller, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
an execution module, configured to apply, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs.
With the invention, the SDN controller can dynamically generate service level information according to specified conditions, and the switch can apply different service processing modes, according to the different service levels, to all services sent to the controller, so that no external detection equipment is needed. This solves the technical problem in the related art that security protection of SDN controllers could only be performed by external detection equipment, and only in some specific scenarios, so that control plane security protection applicable to a variety of attack scenarios could not be provided; general and comprehensive security protection of SDN controllers can thereby be realized, achieving general-purpose, efficient and intelligent security protection of SDN control plane controllers.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a basic structural model diagram of an SDN system in the related art;
Fig. 2 is the flow chart (one) of the method for processing business of the embodiment of the present invention;
Fig. 3 is the flow chart (two) of the method for processing business of the embodiment of the present invention;
Fig. 4 is the structured flowchart (one) of business processing device according to embodiments of the present invention;
Fig. 5 is the structured flowchart (two) of business processing device according to embodiments of the present invention;
Fig. 6 is a structural block diagram of an SDN controller protection device according to a preferred embodiment of the invention;
Fig. 7 is a schematic diagram of SDN controller security table entries according to an embodiment of the invention;
Fig. 8 is the flow chart of the method for processing business of the preferred embodiment of the present invention;
Fig. 9 is the flow chart of the method for processing business of the preferred embodiment of the present invention.
Embodiment
The invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments can be combined with one another.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in an order other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device containing a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to such a process, method, product or device.
It should be noted that the embodiments of the invention operate in a software defined network (SDN) system. To make the technical solutions of the following embodiments easier to understand, the basic structural model of an SDN system in the related art is briefly introduced here. As shown in Fig. 1, the SDN system includes a network application layer 10, SDN controllers 12 and SDN switches 14; the SDN controller communicates bidirectionally with the network application layer through the northbound interface, and with the SDN switch through the southbound interface.
Embodiment 1
This embodiment provides a service processing method from the perspective of the controller. Fig. 2 is flow chart (one) of the service processing method of an embodiment of the invention; as shown in Fig. 2, the method includes the following steps:
Step S202: the controller generates service level information according to specified conditions, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
Step S204: the controller delivers the service level information to the switch, where the service level information instructs the switch to apply, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs.
Through the above steps, the SDN controller can dynamically generate service level information according to specified conditions, and the switch can apply different service processing modes, according to the different service levels, to all services sent to the controller, so that no external detection equipment is needed. This solves the technical problem in the related art that security protection of SDN controllers could only be performed by external detection equipment, or was limited to some specific scenarios, so that control plane security protection applicable to a variety of attack scenarios could not be provided; general and comprehensive security protection of SDN controllers can thereby be realized.
Optionally, the services of the embodiment of the invention may be sent in the form of data messages, in which case step S202 can be realized as follows: the controller obtains the characteristic information of the service and generates the service level information according to the characteristic information. The characteristic information here may be the five-tuple information of the data message, or the link layer information of the data message, or the device port information on which the data message is received. The five-tuple information of an IP data message may be taken from: IP source address, IP destination address, IP protocol number, transport layer source port and transport layer destination port; the link layer information of a non-IP data message may also be used: data such as destination MAC, source MAC and Ethernet protocol number. In a specific implementation the characteristic information of the embodiment of the invention can be adjusted flexibly as needed, and the embodiment of the invention does not limit this.
Optionally, the switch performing different service processing modes according to the service level information mainly covers the following cases: the switch performs a discard operation on services of the third level, and a send-up operation on services of the first and second levels. The priority of sending up first-level services is higher than that of second-level services: on the send-up channel between the switch and the controller, first-level services are assigned a higher priority queue and second-level services a lower priority queue, ensuring that first-level services are sent up preferentially; and first-level services are assigned a larger send-up bandwidth than second-level services, ensuring that first-level services are processed on a high bandwidth channel.
It should be noted that the service levels here are not limited to three kinds; there may be two, four, five or more distinct priority levels. Two levels and four levels are taken as examples. If the service level information indicates two levels, for example, second-level services directly apply the discard operation and first-level services are preferentially sent up with high bandwidth. If the service level information indicates four levels, for example, first-level services are given the highest priority, guaranteed the maximum bandwidth and sent directly up to the controller; second-level services have a higher priority than third-level services, but the send-up bandwidth of the second level is lower than that of the third level; and fourth-level services directly perform the discard operation. The smaller the level number of a service, the higher its trust; the larger the level number, the lower its trust.
Optionally, before the controller delivers the service level information to the switch, the controller can convert the generated service level information into a flow table carrying the service level information and then deliver the flow table to the switch through the OpenFlow protocol. When the switch receives a data message whose destination is the controller, it uniformly matches the above flow table and, as indicated by the action in the flow table, sends the data message up or discards it.
With the above solution, all control plane services that the controller supports or does not support can have their service characteristics defined by the specified conditions, converted into a flow table and delivered to the switch, so that the switch can finely and accurately apply a security policy to the control plane services of the controller.
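The controller-side steps just described (obtain the characteristic information of a message, assign it a level, convert the levels into flow entries for the switch, and the note that the number of levels may be two, three, four or more) can be modelled as follows. This is an added example written for this page, not code from the patent or from ZTE; the condition format, the level numbering (1 = most trusted, the largest number = discarded), the queue ids, the priority arithmetic and the sample conditions (OpenFlow control traffic on TCP 6653, LLDP on EtherType 0x88CC) are assumptions chosen for illustration.

```python
"""Controller-side model of step S202 and the flow-table conversion of
Embodiment 1.  Added illustration, not the patent's code: the condition
format, level numbering and queue/priority encoding are assumptions."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Characteristics:
    """Characteristic information named in the text: the IP five-tuple,
    link-layer fields for non-IP messages, and the switch ingress port."""
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    l4_src: Optional[int] = None
    l4_dst: Optional[int] = None
    eth_dst: Optional[str] = None
    eth_src: Optional[str] = None
    eth_type: Optional[int] = None
    in_port: Optional[int] = None

    def as_match(self) -> dict:
        # Only populated fields become match fields; absent ones are wildcards.
        return {k: v for k, v in asdict(self).items() if v is not None}


def assign_level(chars: Characteristics, conditions: list, default: int) -> int:
    """'Specified conditions' are (partial-match, level) pairs checked in order;
    a condition matches when every field it names equals the message's field.
    Traffic matching no condition falls to the default (least trusted) level."""
    fields = chars.as_match()
    for cond, level in conditions:
        if all(fields.get(k) == v for k, v in cond.items()):
            return level
    return default


def level_actions(level: int, n_levels: int) -> list:
    """Processing mode per level, generalised to n_levels (2, 3, 4, ...) as the
    text allows: the highest-numbered level is discarded, every other level is
    sent up to the controller on a queue whose id grows with the level number
    (queue 0 = highest priority and largest send-up bandwidth, an assumption)."""
    if level >= n_levels:
        return []                       # empty OpenFlow action list = drop
    return [("set_queue", level - 1), ("output", "CONTROLLER")]


def to_flow_entries(level_info: list, n_levels: int) -> list:
    """Convert (characteristics, level) pairs into flow entries.  Lower levels
    get a higher OpenFlow priority so the most trusted matching entry wins."""
    return [{"priority": 1000 * (n_levels - level + 1),
             "match": chars.as_match(),
             "actions": level_actions(level, n_levels)}
            for chars, level in level_info]


def example_policy(n_levels: int = 3) -> list:
    """Constructed sample: OpenFlow control traffic on TCP 6653 is level 1,
    LLDP (EtherType 0x88CC) is level 2, everything else is the last level."""
    conditions = [({"ip_proto": 6, "l4_dst": 6653}, 1),
                  ({"eth_type": 0x88CC}, 2)]
    observed = [Characteristics(ip_src="10.0.0.5", ip_dst="10.0.0.1", ip_proto=6,
                                l4_src=40000, l4_dst=6653, in_port=1),
                Characteristics(eth_src="00:11:22:33:44:55", eth_type=0x88CC,
                                in_port=2),
                Characteristics(ip_src="10.0.0.9", ip_dst="10.0.0.1", ip_proto=17,
                                l4_src=5353, l4_dst=53, in_port=3)]
    level_info = [(c, assign_level(c, conditions, n_levels)) for c in observed]
    return to_flow_entries(level_info, n_levels)


if __name__ == "__main__":
    for entry in example_policy():
        print(entry["priority"], entry["match"], entry["actions"] or "DROP")
```

The ordering of conditions matters: the first condition that matches decides the level, so narrower conditions should precede broader ones, and the default level is the least trusted one so that anything the controller has not explicitly described is discarded rather than admitted.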
Embodiment 2
To improve the above technical solution, this embodiment also provides a service processing method from the perspective of the switch. Fig. 3 is flow chart (two) of the service processing method of an embodiment of the invention; as shown in Fig. 3, the method includes the following steps:
Step S302: the switch receives the service level information delivered by the controller, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
Step S304: the switch applies, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs.
Through the above steps, the switch receives the service level information delivered by the controller and, according to it, applies to services sent to the controller the service processing mode corresponding to their level, so that no external detection equipment is needed. This solves the technical problem in the related art that only static security protection of SDN controllers could be performed, by external detection equipment and only in some specific scenarios, so that control plane security protection applicable to a variety of attack scenarios could not be provided; general and comprehensive security protection of SDN controllers can thereby be realized.
Optionally, the switch performing different service processing modes according to the service level information mainly covers the following cases: the switch performs a discard operation on services of the third level, and a send-up operation on services of the first and second levels, where the priority of first-level services is higher than that of second-level services and the send-up bandwidth of first-level services is larger than that of second-level services.
It should be noted that the service levels here are not limited to three kinds; there may be two, four, five or more distinct priority levels.
Step S304 can have a variety of implementations; in one optional example, step S304 can be realized as follows: the switch determines, according to the service level information, the level to which a service sent to the controller belongs; the switch then applies to the service sent to the controller, according to the determined level, the service processing mode corresponding to that level.
Optionally, before the controller delivers the service level information to the switch, the controller can convert the generated service level information into a flow table carrying the service level information and deliver it to the switch through the OpenFlow protocol. When the switch receives a data message whose destination is the controller, it uniformly matches the above flow table, encapsulates the message into an OpenFlow packet_in packet according to the matching result of the flow table, and performs the operation on the various data messages as instructed by the flow table.
With the above solution, all control plane services that the controller supports or does not support can have their service characteristics defined by the specified conditions, converted into a flow table and delivered to the switch, so that the switch can finely and accurately apply a security policy to the control plane services of the controller.
The other technical points of this embodiment are similar to Embodiment 1 and are not repeated here.
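The switch side of Embodiment 2 (match a controller-bound message against the delivered flow table, encapsulate sent-up messages in a packet_in, and apply the processing mode of the matched level), together with the whitelist/graylist/blacklist mapping of Preferred Embodiment 1 later on this page, as an added example that is not the patent's code nor that of any OpenFlow switch. The flow table contents, the queue semantics (a lower queue id is served first and stands in for the higher priority and larger send-up bandwidth of more trusted levels) and the simplified packet_in fields are constructed assumptions.

```python
"""Switch-side model of step S304 and the flow-table matching of Embodiment 2.
Added illustration, not the patent's code: table format, queue semantics and
packet_in fields are assumptions."""
from collections import defaultdict
from typing import Optional

# Constructed flow table, as Embodiment 1's controller might deliver it.
# Higher OpenFlow priority wins; an empty action list means drop.
FLOW_TABLE = [
    {"priority": 3000, "match": {"ip_proto": 6, "l4_dst": 6653},
     "actions": [("set_queue", 0), ("output", "CONTROLLER")]},   # level 1 / whitelist
    {"priority": 2000, "match": {"eth_type": 0x88CC},
     "actions": [("set_queue", 1), ("output", "CONTROLLER")]},   # level 2 / graylist
    {"priority": 1000, "match": {},
     "actions": []},                                             # level 3 / blacklist
]


def lookup(table: list, fields: dict) -> Optional[dict]:
    """Determine the level of a controller-bound message: the matching entry
    with the highest priority.  A field constrains the message only if the
    entry names it; an entry with an empty match is a catch-all."""
    best = None
    for entry in table:
        if all(fields.get(k) == v for k, v in entry["match"].items()):
            if best is None or entry["priority"] > best["priority"]:
                best = entry
    return best


def packet_in(fields: dict, raw: bytes, entry: dict) -> dict:
    """Encapsulate a sent-up message as a simplified OpenFlow packet_in."""
    return {"reason": "OFPR_ACTION", "in_port": fields.get("in_port"),
            "table_priority": entry["priority"], "data": raw}


class Switch:
    def __init__(self, table: list):
        self.table = table
        self.queues = defaultdict(list)   # queue id -> pending packet_in messages
        self.dropped = 0

    def handle(self, fields: dict, raw: bytes) -> str:
        """Apply the processing mode of the matched level to one message."""
        entry = lookup(self.table, fields)
        if entry is None or not entry["actions"]:
            self.dropped += 1           # blacklist level, or no entry at all
            return "drop"
        queue = next(q for action, q in entry["actions"] if action == "set_queue")
        self.queues[queue].append(packet_in(fields, raw, entry))
        return "queue%d" % queue

    def drain(self, budget: int) -> list:
        """Send-up channel towards the controller: lower queue ids (more
        trusted levels) are served first, within a per-round budget."""
        out = []
        for q in sorted(self.queues):
            while self.queues[q] and len(out) < budget:
                out.append(self.queues[q].pop(0))
        return out


def demo() -> tuple:
    """Constructed traffic: an OpenFlow session packet, an LLDP frame and a
    DNS query, all addressed to the controller."""
    sw = Switch(FLOW_TABLE)
    decisions = [
        sw.handle({"ip_proto": 6, "l4_dst": 6653, "in_port": 1}, b"tcp-6653"),
        sw.handle({"eth_type": 0x88CC, "in_port": 2}, b"lldp"),
        sw.handle({"ip_proto": 17, "l4_dst": 53, "in_port": 3}, b"dns"),
    ]
    return decisions, sw.drain(10), sw.dropped


if __name__ == "__main__":
    print(demo())
```

Because the catch-all entry is the lowest-priority one and carries no actions, every controller-bound message the controller has not explicitly admitted is discarded on the switch, and the whitelist queue is always drained before the graylist queue regardless of arrival order.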
Embodiment 3
This embodiment also provides a service processing device applied to a controller; the device is used to realize the above embodiments and preferred embodiments, and what has already been explained is not repeated. As used below, the term "module" may be a combination of software and/or hardware that realizes a predetermined function. Although the devices described in the following embodiments are preferably realized in software, realization in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is structural block diagram (one) of a service processing device according to an embodiment of the invention; as shown in Fig. 4, the device includes:
a generation module 40, configured to generate service level information according to specified conditions, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
a delivery module 42, configured to deliver the service level information to the switch, where the service level information instructs the switch to apply, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs.
Through the combined action of the above modules, the SDN controller can dynamically generate service level information according to specified conditions, and the switch can apply different service processing modes, according to the different service levels, to all services sent to the controller, so that flexible, comprehensive and dynamic security protection of SDN controllers can be realized without external detection equipment. This avoids the technical problem in the related art that security protection of SDN controllers could only be performed by external detection equipment, and only in some specific scenarios, so that control plane security protection applicable to a variety of attack scenarios could not be provided; general and comprehensive security protection of SDN controllers can thereby be realized.
Optionally, the generation module 40 is configured to obtain the characteristic information of a service and to generate the service level information according to the characteristic information.
In the embodiment of the invention, the characteristic information includes at least one of: the five-tuple information of a data message and the link layer information of a data message.
The priority of first-level services is higher than that of second-level services, and for third-level services the switch is instructed to perform a discard operation.
Embodiment 4
To improve the above technical solution, this embodiment also provides a service processing device applied to a switch. Fig. 5 is structural block diagram (two) of a service processing device according to an embodiment of the invention; as shown in Fig. 5, the device includes:
a receiving module 50, configured to receive the service level information delivered by the controller, where the service level information indicates the service level corresponding to each service supported by the software defined network (SDN) system, the service levels include at least a first level, a second level and a third level, and different levels correspond to different service processing modes;
an execution module 52, configured to apply, according to the service level information, to services sent to the controller the service processing mode corresponding to the level to which each service belongs.
Through the combined action of the above modules, the SDN controller can dynamically generate service level information according to specified conditions, and the switch can apply different service processing modes, according to the different service levels, to all services sent to the controller, so that flexible, comprehensive and dynamic security protection of SDN controllers can be realized without external detection equipment. This avoids the technical problem in the related art that only static security protection of SDN controllers could be performed, by external detection equipment and only in some specific scenarios.
Optionally, the priority of services of the first level is higher than the priority of services of the second level, and for services of the third level the switch performs a discard operation.
Optionally, the execution module 52 is configured to determine, according to the service level information, the level to which a service sent to the controller belongs, and the switch applies to the service sent to the controller, according to the determined level, the service processing mode corresponding to that level.
To better understand the above service processing flow, the above technical solution is explained below in conjunction with preferred embodiments, which do not limit the embodiments of the invention.
Preferred embodiment 1
The first level, second level and third level referred to in the embodiments above can correspond respectively to a white list, a gray list and a black list. The action for a black-list entry is drop; the action for a gray-list entry is to send to the controller at low priority and low bandwidth; the action for a white-list entry is to send to the controller at high priority with guaranteed high bandwidth. The black, white and gray lists for all business are created and deployed dynamically by the business itself and require no manual intervention at run time.
In the embodiment of the present invention, the security-protection white list, gray list and black list are generated dynamically on the SDN controller. These security policy entries are generated on the SDN controller as standard-format flow tables and issued to the SDN switch via the OpenFlow protocol. When the SDN switch receives data traffic and determines that a packet needs to terminate on the controller, it matches the packet against the flow table and implements protection of the controller according to the flow-table action.
Fig. 6 is a structural block diagram of the SDN controller protection device according to a preferred embodiment of the present invention. Based on Fig. 6, the SDN controller protection scheme can be implemented by the following steps:
Step S602: the SDN controller security management module 101 is responsible for building the business black-list, white-list and gray-list entries;
Step S604: the SDN controller flow-table management module 102 converts the black-list, white-list and gray-list entries generated by the SDN controller security management module into a flow table (the "protocol upsend security flow table") according to the flow-table specification, and issues the flow table to the SDN switch forwarding module via the OpenFlow protocol;
Step S606: the SDN switch forwarding module 103 applies this "protocol upsend security flow table". When it receives a data packet and determines that the packet terminates on the controller, it looks up the "protocol upsend security flow table" and, based on the lookup result (including: drop or upsend, priority, bandwidth), performs the security protection of the control-plane controller.
The method and device of the present invention are more general: they are not limited to the security protection of one or a few classes of control-plane business, but provide a universal solution for all control-plane business supported by the controller. General business security policies can be deployed on the controller flexibly and accurately, achieving efficient and intelligent security protection of the SDN control-plane controller.
Preferred embodiment 2
To improve on the technical solution above, this embodiment further provides a business processing method. Fig. 7 is an exemplary diagram of the security list of a preferred embodiment of the present invention, and Fig. 8 is a flow chart of the business processing method of the preferred embodiment of the present invention. As shown in Figs. 7 and 8, the method comprises the following steps:
Step S802: the SDN controller performs control-plane business configuration. When a protocol is configured on the controller, the gray-list entries for that protocol are generated dynamically according to the controller configuration. Taking the BGP protocol as an example, once the BGP business is configured and enabled, the corresponding gray list can be generated from the BGP protocol feature code (as shown in Fig. 7: protocol number 6, TCP destination port number 179). The action corresponding to a gray-list entry is to upsend to the controller, with a relatively low priority and upsend bandwidth allocated;
Step S804: the black list is generated dynamically according to the business configuration. The SDN controller generally implements business under certain constraints, for example allowing access only on certain ports; black-list entries can then be generated for the business feature code arriving on the other ports. Black-list entries that require filtering can also be generated from filtering rules statically configured according to operations and maintenance requirements. The action corresponding to a black-list entry is drop;
Step S806: the SDN controller performs dynamic protocol interaction with external devices, and protocol white-list entries are generated dynamically during that interaction. For example, when a remote device initiates a BGP connection with the controller and the BGP neighbour is created successfully, the controller obtains the protocol feature code (as shown in Fig. 7: protocol number 6, TCP destination port 179, TCP source port, IP destination address, IP source address) and generates the corresponding protocol white-list entry from these feature codes. The action corresponding to the white-list entry is to upsend to the controller, with a higher priority and upsend bandwidth allocated;
Step S808: the SDN controller converts the black, white and gray lists generated for the business into the "protocol upsend security flow table" flow-table structure according to the OpenFlow protocol format;
Step S810: the SDN controller issues the "protocol upsend security flow table" to the SDN switch through the southbound interface;
Step S812: the SDN switch stores and installs the "protocol upsend security flow table" sent down by the controller for security control. When the switch receives a data packet and determines that the packet needs to be upsent to the controller, it looks up the "protocol upsend security flow table" and matches the flow table according to the packet feature code;
Step S814: according to the flow-table matching result, the SDN switch encapsulates the packet in an OpenFlow packet_in message and upsends it to the controller: a packet hitting a black-list entry is dropped; a packet hitting a gray-list entry is upsent at low priority and low bandwidth; a packet hitting a white-list entry is upsent to the controller at high priority and high bandwidth. This effectively guarantees security protection of the business trusted by the controller.
Preferred embodiment 3
To improve on the technical solution above, this embodiment further provides an action processing method for business that hits the black or white list. Fig. 9 is a flow chart of the business processing method of the preferred embodiment of the present invention; as shown in Fig. 9, the method comprises the following steps:
Step S902: the switch defines different priority levels on the upsend channel for business upsent to the controller: white-list business has the highest priority and is scheduled first; gray-list business has a lower priority and is scheduled after white-list business; black-list business has the lowest priority and is not scheduled. A practical implementation may classify at a finer granularity according to the priority requirements of the upsend channel; for example, different priorities may be distinguished within the gray list alone;
Step S904: the switch allocates different bandwidth on the upsend channel for business upsent to the controller. For example, for the same BGP protocol, the bandwidth allocated to the BGP white list can reach 1000 messages per second per port, while the bandwidth allocated to the BGP gray list is limited to 100 messages per second per port. Limiting the bandwidth allocation effectively prevents large volumes of untrusted messages from being upsent;
Step S906: the OpenFlow processing queues of the switch assign different priorities to messages upsent to the controller. After a message that needs to terminate on the controller has passed through the black/white/gray priorities of the switch's upsend channel, it reaches the switch's OpenFlow processing, where it must be encapsulated by the OpenFlow protocol as a packet_in message and sent to the controller. The OpenFlow processing of the switch likewise distinguishes the black, white and gray lists and divides them into different priority queues, so that messages trusted by the controller enter the high-priority OpenFlow processing queue, are encapsulated into OpenFlow first and sent to the controller, while messages with a low trust level from the controller enter the lower-priority OpenFlow processing queue, are encapsulated into OpenFlow packet_in with lower priority and sent to the controller;
Step S908: the SDN controller receives the messages sent to it by receiving OpenFlow packet_in messages and performs device processing. It is the priority division and bandwidth allocation on the switch's upsend channel, together with the priority-queue division of the switch's OpenFlow processing, that effectively guarantees security protection of the controller.
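The controller-side list generation of preferred embodiment 2 (steps S802 to S808) and the switch-side matching, rate limiting and packet_in queueing of embodiments 2 and 3 (steps S812 to S814 and S902 to S906), as an added simulation that is not part of the patent or of ZTE's implementation. The class and function names, the table-miss behaviour and the inputs `bgp_peers`, `switch_ports` and `bgp_ports` are assumptions made for the example; the feature code (protocol 6, TCP port 179) and the 1000 and 100 messages per second per port budgets are those stated in the text.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Level(Enum):
    WHITE = "white"  # first level: trusted neighbour, high priority, high bandwidth
    GRAY = "gray"    # second level: enabled protocol, low priority, low bandwidth
    BLACK = "black"  # third level: dropped at the switch

# Per-port upsend budgets in messages per second (figures from embodiment 3).
RATE_LIMIT = {Level.WHITE: 1000, Level.GRAY: 100}

@dataclass(frozen=True)
class Packet:
    """Feature code of a packet the switch would otherwise punt to the controller."""
    in_port: int
    ip_proto: int
    ip_src: str
    ip_dst: str
    tcp_src: Optional[int] = None
    tcp_dst: Optional[int] = None

@dataclass
class FlowEntry:
    """One row of the protocol upsend security flow table; absent keys are wildcards."""
    level: Level
    priority: int   # OpenFlow semantics: the highest-priority matching entry wins
    match: dict

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())

def build_flow_table(ctrl_ip, bgp_peers, switch_ports, bgp_ports):
    """Controller side (steps S802 to S808): derive gray, white and black entries
    from the BGP configuration.  Hypothetical inputs: bgp_peers are the addresses
    of established neighbours, bgp_ports the switch ports BGP may arrive on."""
    bgp = {"ip_proto": 6, "tcp_dst": 179, "ip_dst": ctrl_ip}  # Fig. 7 feature code
    table = [FlowEntry(Level.GRAY, 10, bgp)]                  # S802: protocol enabled
    for peer in bgp_peers:                                    # S806: neighbour is up
        table.append(FlowEntry(Level.WHITE, 20, {**bgp, "ip_src": peer}))
    for port in set(switch_ports) - set(bgp_ports):           # S804: port constraint
        table.append(FlowEntry(Level.BLACK, 30, {**bgp, "in_port": port}))
    return table

class Switch:
    """Switch side (S812, S814, S902 to S906): match, rate-limit, queue packet_in."""

    def __init__(self, table):
        self.table = sorted(table, key=lambda e: e.priority, reverse=True)
        self.queues = {Level.WHITE: deque(), Level.GRAY: deque()}
        self.accepted = {}  # (in_port, level, second) -> messages already admitted

    def lookup(self, pkt: Packet) -> Level:
        for entry in self.table:
            if entry.matches(pkt):
                return entry.level
        return Level.BLACK  # assumption: a table miss is treated as untrusted

    def process(self, pkt: Packet, now: float) -> str:
        """Apply the flow-table action to one packet arriving at time `now`."""
        level = self.lookup(pkt)
        if level is Level.BLACK:
            return "drop"
        key = (pkt.in_port, level, int(now))
        if self.accepted.get(key, 0) >= RATE_LIMIT[level]:
            return "rate-limited"  # the bandwidth cap stops floods reaching the controller
        self.accepted[key] = self.accepted.get(key, 0) + 1
        self.queues[level].append(pkt)
        return f"queued:{level.value}"

    def dispatch(self) -> list:
        """Encapsulate queued packets as packet_in messages, white queue first."""
        out = []
        for level in (Level.WHITE, Level.GRAY):
            while self.queues[level]:
                pkt = self.queues[level].popleft()
                out.append({"type": "packet_in", "level": level.value,
                            "in_port": pkt.in_port, "ip_src": pkt.ip_src})
        return out
```

Black entries carry the highest priority, so a trusted neighbour's packets arriving on a port where BGP is not allowed are still dropped; the per-second counter is a simplification of the per-port bandwidth limit the text describes.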
In summary, the embodiments of the present invention achieve the following technical effect: they solve the technical problem in the related art that security protection of the SDN controller could only be performed statically, and only through external detection equipment, in certain special scenarios, and thereby realise flexible, comprehensive and dynamic security protection of the SDN controller.
Embodiments of the invention further provide a storage medium. Optionally, in this embodiment, the storage medium can be used to store program code for performing the business processing method provided by embodiment one above.
Optionally, in this embodiment, the storage medium can be located in any one of a group of computer terminals in a computer network, or in any one of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S1, generating business-level information according to specified conditions;
S2, issuing the business-level information to the switch, where the business-level information indicates the business level corresponding to each business supported by the software-defined network (SDN) system, and different levels correspond to different business processing modes.
Embodiments of the invention further provide a storage medium. Optionally, in this embodiment, the storage medium can be configured to store program code for performing the following steps:
S1, receiving the business-level information issued by the controller, where the business-level information indicates the business level corresponding to each business supported by the software-defined network (SDN) system, the business levels comprise at least a first level, a second level and a third level, and different levels correspond to different business processing modes;
S2, performing, on business sent to the controller, the business processing mode corresponding to the level to which that business belongs, according to the business-level information.
The embodiments of the present invention above are for description only and do not represent the relative merits of the embodiments.
In the embodiments of the present invention above, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided herein, it should be understood that the disclosed technical content may be realised in other ways. The device embodiments described above are merely schematic; for example, the division of the units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be realised in the form of hardware or in the form of a software functional unit.
If the integrated unit is realised in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the invention shall be included within the scope of protection of the present invention.

Claims (10)

  1. A business processing method, characterised by comprising:
    a controller generating business-level information according to specified conditions, wherein the business-level information indicates the business level corresponding to each business supported by a software-defined network (SDN) system, the business levels comprise at least a first level, a second level and a third level, and different levels correspond to different business processing modes;
    the controller issuing the business-level information to a switch, wherein the business-level information is used to instruct the switch to perform, on business sent to the controller, the business processing mode corresponding to the level to which the business belongs, according to the business-level information.
  2. The business processing method according to claim 1, characterised in that the controller generating business-level information according to specified conditions comprises:
    the controller obtaining characteristic information of the business;
    generating the business-level information according to the characteristic information.
  3. The business processing method according to claim 2, characterised in that the characteristic information comprises at least one of: five-tuple information of a data packet, link-layer information of the data packet, and information on the device port on which the data packet is received.
  4. The business processing method according to claim 1, characterised in that
    the priority of business of the first level is higher than the priority of business of the second level, and for business of the third level the switch is instructed to perform a drop operation.
  5. The business processing method according to claim 1, characterised in that before the controller issues the business-level information to the switch, the method further comprises:
    the controller converting the generated business-level information into a flow table carrying the business-level information.
  6. A business processing method, characterised by comprising:
    a switch receiving business-level information issued by a controller, wherein the business-level information indicates the business level corresponding to each business supported by a software-defined network (SDN) system, the business levels comprise at least a first level, a second level and a third level, and different levels correspond to different business processing modes;
    the switch performing, on business sent to the controller, the business processing mode corresponding to the level to which the business belongs, according to the business-level information.
  7. The business processing method according to claim 6, characterised in that the method further comprises:
    the priority of business of the first level is higher than the priority of business of the second level, and for business of the third level the switch performs a drop operation.
  8. The business processing method according to claim 6, characterised in that the switch performing, on business sent to the controller, the business processing mode corresponding to the level to which the business belongs, according to the business-level information, comprises:
    the switch determining, according to the business-level information, the level to which the business sent to the controller belongs;
    the switch performing, on the business sent to the controller, the business processing mode corresponding to the determined level.
  9. A business processing device, applied to a controller, characterised by comprising:
    a generation module, configured to generate business-level information according to specified conditions, wherein the business-level information indicates the business level corresponding to each business supported by a software-defined network (SDN) system, the business levels comprise at least a first level, a second level and a third level, and different levels correspond to different business processing modes;
    an issuing module, configured to issue the business-level information to a switch, wherein the business-level information is used to instruct the switch to perform, on business sent to the controller, the business processing mode corresponding to the level to which the business belongs, according to the business-level information.
  10. A business processing device, applied to a switch, characterised by comprising:
    a receiving module, configured to receive business-level information issued by a controller, wherein the business-level information indicates the business level corresponding to each business supported by a software-defined network (SDN) system, the business levels comprise at least a first level, a second level and a third level, and different levels correspond to different business processing modes;
    an execution module, configured to perform, on business sent to the controller, the business processing mode corresponding to the level to which the business belongs, according to the business-level information.
CN201610635788.2A 2016-08-04 2016-08-04 Method for processing business and device Withdrawn CN107689942A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610635788.2A CN107689942A (en) 2016-08-04 2016-08-04 Method for processing business and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610635788.2A CN107689942A (en) 2016-08-04 2016-08-04 Method for processing business and device

Publications (1)

Publication Number Publication Date
CN107689942A true CN107689942A (en) 2018-02-13

Family

ID=61151767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610635788.2A Withdrawn CN107689942A (en) 2016-08-04 2016-08-04 Method for processing business and device

Country Status (1)

Country Link
CN (1) CN107689942A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618679A (en) * 2013-11-25 2014-03-05 上海华为技术有限公司 Service quality control method, device and system
CN104243350A (en) * 2014-07-14 2014-12-24 国家电网公司 Method and system for processing service flows of power converter
CN104735000A (en) * 2013-12-23 2015-06-24 中兴通讯股份有限公司 OpenFlow signaling control method and device
CN105553880A (en) * 2015-12-24 2016-05-04 北京邮电大学 Date processing method and device in software-defined networking
CN105656799A (en) * 2016-01-08 2016-06-08 浪潮集团有限公司 Scheduling method based on business features in SDN network

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019192394A1 (en) * 2018-04-02 2019-10-10 Huawei Technologies Co., Ltd. Dynamic negotiation models in software-defined networks
US10938675B2 (en) 2018-04-02 2021-03-02 Futurewei Technologies, Inc. Dynamic negotiation models in software-defined networks
CN108712374A (en) * 2018-04-03 2018-10-26 郑州云海信息技术有限公司 A kind of request control method, controller and electronic equipment
CN109495295A (en) * 2018-10-31 2019-03-19 电子科技大学 A kind of intelligent management-control method of access
CN110868392A (en) * 2019-09-23 2020-03-06 深圳供电局有限公司 Block chain safety control method and device based on SDN and block chain network
CN112688882A (en) * 2021-03-11 2021-04-20 广东省新一代通信与网络创新研究院 Network flow control method and system based on equipment trust

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180213