CN107911258A - Implementation method and system for a security resource pool based on an SDN network - Google Patents


Info

Publication number
CN107911258A
Authority
CN
China
Prior art keywords
target traffic
traffic packet
packet
security resource
service chain
Prior art date
Legal status
Granted
Application number
CN201711479174.0A
Other languages
Chinese (zh)
Other versions
CN107911258B (en)
Inventor
陈晓帆
任勇兵
马耀泉
古亮
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority to CN201711479174.0A
Application filed by Sangfor Technologies Co Ltd
Publication of CN107911258A
Application granted
Publication of CN107911258B
Legal status: Active


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/08 Configuration management of networks or network elements > H04L 41/0803 Configuration setting
        • H04L 49/00 Packet switching elements > H04L 49/30 Peripheral units, e.g. input or output ports > H04L 49/3009 Header conversion, routing tables or routing tags
        • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/25 Mapping addresses of the same type > H04L 61/2503 Translation of Internet protocol [IP] addresses
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

An embodiment of the present invention provides an implementation method and system for a security resource pool based on an SDN network, intended to improve the security resource pool's adaptability to network changes and the flexibility of its configuration. The gateway of the security resource pool in the embodiment adopts an SDN network architecture: in the SDN network the control plane of the network device is separated from the data plane, the security service chain is configured by the SDN controller, and the network interfacing function is implemented by the OVS switch. This decouples the network interfacing function from the traffic-steering policy function of the security resource pool's service chain and improves the pool's adaptability to network changes. Secondly, the steering policy in the security service chain can be configured in multiple dimensions through at least two match fields, which improves the flexibility of security resource pool configuration.

Description

Implementation method and system for a security resource pool based on an SDN network
Technical field
The present invention relates to the technical field of network security, and in particular to an implementation method and system for a security resource pool based on an SDN network.
Background technology
A security resource pool is a set of physical or virtual security function components; the functions of the security function components can include firewall, VPN, load balancing, WAN acceleration, internet behaviour control, bastion host, intrusion detection/prevention and so on. As the concept of the security resource pool is accepted by more and more users, the number of security resource pool deployments is also gradually increasing, and during the deployment of a security resource pool the steering of traffic into the pool is crucial.
At present the main traffic-steering method for a security resource pool (as shown in Fig. 1) steers traffic by policy-based routing. For north-south traffic, policy-based routing at the customer's core router guides the traffic to the security resource pool for detection, cleaning, and encryption or decryption. Inside the security resource pool the traffic is usually steered again through one layer or two layers of virtual/physical routing. With two layers of virtual/physical routing (as shown in Fig. 2), the first-layer route guides the traffic, according to the tenant ID of the packet (IP subnet, VLAN ID, etc.), to the security resource pool routing gateway of the corresponding tenant (the second-layer route for the different traffic); this gateway then implements the security service chain by policy-based routing, i.e. it lets the traffic pass through the different security function components in order. With only one layer of virtual/physical routing (as shown in Fig. 3), the security service chain is implemented directly according to the tenant ID.
This traffic-steering method for the security resource pool in the existing scheme has the following drawbacks. On the security resource pool side, both the network interfacing function and the steering policy function of the pool's service chain are implemented by the security resource pool routing gateway, so the network interfacing part of the steering method is tightly coupled to the steering of the security service chain. When the user's network scenario changes and the network interfacing part has to be changed, the security service chain also has to be redeployed according to the change of the network interfacing part before the steering requirements of the new scenario can be met, so adaptability to network changes is poor. Secondly, policy-based routing usually configures the steering policy in a single dimension, by destination address or by source address, so the gateway's steering policy is inflexible.
Summary of the invention
An embodiment of the present invention provides an implementation method and system for a security resource pool based on an SDN network, intended to improve the security resource pool's adaptability to network changes and the flexibility of its configuration.
A first aspect of the embodiment of the present invention provides an implementation method for a security resource pool based on an SDN network, the SDN network including an SDN controller and OVS switches, characterised in that the method includes:
the OVS switch receives a target traffic packet and parses the match fields in the target traffic packet, the target traffic packet including at least two match fields;
the OVS switch matches the match fields against a locally stored flow table to determine the security service chain corresponding to the target traffic packet, the flow table being generated by the SDN controller and sent to the corresponding OVS switch, the flow table indicating the correspondence between match fields of preset types and security service chains, and the security service chain indicating that the corresponding traffic packet passes through a preset number of security function components in the security resource pool in a predetermined order;
if the match fields of the target traffic packet fail to match the locally stored flow table, the OVS switch requests from the SDN controller the security service chain corresponding to the match fields of the target traffic packet;
the OVS switch steers the target traffic packet according to the security service chain to complete the cleaning of the target traffic packet.
With reference to the first aspect, in a first possible embodiment of the first aspect, the match fields include but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, virtual LAN (VLAN) priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
With reference to the first possible embodiment of the first aspect, in a second possible embodiment of the first aspect, the OVS switch steering the target traffic packet according to the security service chain includes:
the OVS switch encapsulates the path ID of the security service chain, the number of each security function component on the service chain path and the service chain metadata into the header of the target traffic packet to form an NSH label;
the OVS switch steers the target traffic packet to the next node according to the service chain path ID in the NSH label and the node position at which the target traffic packet currently is.
With reference to the second possible embodiment of the first aspect, in a third possible embodiment of the first aspect, when a target security function component in the security resource pool cannot recognise the NSH label, the OVS switch processes the NSH label through a proxy function, the proxy function including: removing the NSH label before the security service chain passes through the target security function component, and adding the NSH label again for the security service chain when the security service chain returns from the target security function component to the OVS switch.
With reference to the third possible embodiment of the first aspect, in a fourth possible embodiment of the first aspect, before the OVS switch receives the target traffic packet and parses the match fields in the target traffic packet, the method further includes:
when the customer network is provided with a core gateway with policy-based routing, the OVS switch receives the target traffic packet from the core gateway and performs network address translation (NAT) on the IP addresses in the target traffic packet, so that the IP addresses in the target traffic packet can be recognised by the OVS switch;
when the user side is not provided with a core gateway and the security resource pool is not in the same layer of network as the customer network, the OVS switch receives the target traffic packet from the core gateway and performs NAT on the IP addresses in the target traffic packet, so that the IP addresses in the target traffic packet can be recognised by the OVS switch.
With reference to the fourth possible embodiment of the first aspect, in a fifth possible embodiment of the first aspect, the match fields further include a tenant ID; when multiple tenants use the same IP addresses, the OVS switch matches against the locally stored flow table to determine the security service chain of the traffic packets of the tenants that use the same IP addresses.
With reference to the first aspect or any of the first to fifth possible embodiments of the first aspect, in a sixth possible embodiment of the first aspect, when the security function components in the security resource pool are located in different physical hosts, the OVS switches transmit the traffic packets through overlay tunnels, the overlay tunnels being used to isolate the traffic packets of different tenants within the security resource pool.
A second aspect of the embodiment of the present invention provides a security resource pool system based on an SDN network, characterised in that it includes:
an SDN controller and a security resource pool, wherein
the security resource pool includes an OVS switch and at least one security function component;
the OVS switch includes a layer 2 switching module, a flow classification module, a communication module and a forwarding module;
the layer 2 switching module is used to receive the target traffic packet;
the flow classification module is used to parse the match fields in the target traffic packet and to match the match fields against the locally stored flow table to determine the security service chain corresponding to the target traffic packet, the target traffic packet including at least two match fields, the flow table indicating the correspondence between match fields of preset types and security service chains, and the security service chain indicating that the corresponding traffic packet passes through a preset number of security function components in the security resource pool in a predetermined order;
if the match fields of the target traffic packet fail to match the locally stored flow table, the communication module is used to request from the SDN controller the security service chain corresponding to the match fields of the target traffic packet;
the forwarding module is used to steer the target traffic packet according to the security service chain to complete the cleaning of the target traffic packet.
With reference to the second aspect, in a first possible embodiment of the second aspect, the match fields include but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, virtual LAN (VLAN) priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
With reference to the first possible embodiment of the second aspect, in a second possible embodiment of the second aspect, the flow classification module includes a parsing unit and a tag unit; the parsing unit is used to parse the match fields in the target traffic packet and to match the match fields against the locally stored flow table to determine the security service chain corresponding to the target traffic packet;
the tag unit is used to encapsulate the path ID of the security service chain, the number of each security function component on the service chain path and the service chain metadata into the header of the target traffic packet to form an NSH label;
the forwarding module is used to steer the target traffic packet to the next node according to the service chain path ID in the NSH label and the node position at which the target traffic packet currently is, so that the target traffic packet is steered securely.
With reference to the second possible embodiment of the second aspect, in a third possible embodiment of the second aspect, the OVS switch further includes a proxy module; when a target security function component in the security resource pool cannot recognise the NSH label, the proxy module processes the NSH label through a proxy function, the proxy function including: removing the NSH label before the security service chain passes through the target security function component, and adding the NSH label again for the security service chain when the security service chain returns from the target security function component to the OVS switch.
With reference to the third possible embodiment of the second aspect, in a fourth possible embodiment of the second aspect, the OVS switch further includes an OVN module; when the customer network is provided with a core gateway with policy-based routing, the OVN module is used to receive the target traffic packet from the core gateway and to perform network address translation (NAT) on the IP addresses in the target traffic packet, so that the IP addresses in the target traffic packet can be recognised by the OVS switch;
when the user side is not provided with a core gateway and the security resource pool is not in the same layer of network as the customer network, the OVN module is used to receive the target traffic packet from the core gateway and to perform NAT on the IP addresses in the target traffic packet, so that the IP addresses in the target traffic packet can be recognised by the OVS switch.
With reference to the fourth possible embodiment of the second aspect, in a fifth possible embodiment of the second aspect, the match fields further include a tenant ID; when multiple tenants use the same IP addresses, the parsing unit matches against the locally stored flow table to determine the security service chain of the traffic packets of the tenants that use the same IP addresses.
With reference to the second aspect or any of the first to fifth possible embodiments of the second aspect, in a sixth possible embodiment of the second aspect, when the security function components in the security resource pool are located in different physical hosts, the OVS switches transmit the traffic packets through overlay tunnels, the overlay tunnels being used to isolate the traffic packets of different tenants within the security resource pool.
As can be seen from the above technical solutions, the embodiment of the present invention has the following advantages:
The gateway of the security resource pool in the embodiment adopts an SDN network architecture: in the SDN network the control plane of the network device is separated from the data plane, the security service chain is configured by the SDN controller, and the network interfacing function is implemented by the OVS switch. This decouples the network interfacing function from the traffic-steering policy function of the security resource pool's service chain and improves the pool's adaptability to network changes. Secondly, the steering policy in the security service chain can be configured in multiple dimensions through at least two match fields, which improves the flexibility of security resource pool configuration.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network deployment of the traffic-steering method for a security resource pool in the prior art;
Fig. 2 is a schematic diagram of the network deployment in which traffic steering for a security resource pool is implemented by two layers of virtual/physical routing in the prior art;
Fig. 3 is a schematic diagram of the network deployment in which traffic steering for a security resource pool is implemented by one layer of virtual/physical routing in the prior art;
Fig. 4 is a schematic diagram of an embodiment of the implementation method for a security resource pool based on an SDN network in the embodiment of the present invention;
Fig. 5 is a schematic diagram of the system architecture when the security resource pool is deployed in routing mode in the embodiment of the present invention;
Fig. 6 is a schematic diagram of the system architecture when the security resource pool is deployed in gateway mode or transparent mode in the embodiment of the present invention;
Fig. 7 is a schematic diagram of the functional modules of the OVS switch in a specific application example of the implementation method for a security resource pool based on an SDN network in the embodiment of the present invention;
Fig. 8 is a schematic diagram of an embodiment of the security resource pool system based on an SDN network in the embodiment of the present invention.
Embodiments
An embodiment of the present invention provides an implementation method and system for a security resource pool based on an SDN network, intended to improve the security resource pool's adaptability to network changes and the flexibility of its configuration.
In order that those skilled in the art may better understand the solution of the present invention, the technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and so on in the description, claims and drawings are used to distinguish similar objects and do not describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than the one illustrated or described here. In addition, the terms "comprising" and "having" and any variations of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
For ease of understanding, software-defined networking (SDN) is introduced briefly below. SDN turns the traditionally closed network into an open environment that can be programmed just like a computer: it builds an easily managed network virtualisation layer, decouples network control from the physical infrastructure, and lets third-party network applications control the operation of the network. OpenFlow is one way of implementing SDN; it lets users define their own traffic and decide the transmission path of that traffic in the network. An SDN network built on OpenFlow includes an SDN controller and SDN switches. The SDN switch is the core component and consists of three parts: the OpenFlow protocol, a secure channel and a flow table. The SDN controller configures the capability reporting of the SDN switch and the switch's flow rules, which are issued into the flow table of the SDN switch. In this application only one kind of SDN switch, the OVS switch, is used as the example; the OVS switch is a stable open-source software SDN switch that also supports traditional networking.
For ease of understanding, the specific flow in the embodiment of the present invention is described below. Referring to Fig. 4, an embodiment of the implementation method for a security resource pool based on an SDN network may include:
100. The OVS switch receives a target traffic packet and parses the match fields in the target traffic packet;
Through the northbound API provided by the SDN controller, for example a RESTful API, the user can define which security components the user's own traffic packets must pass through. Based on the security components the user selected through the northbound API and their order, the SDN controller generates the corresponding packet forwarding rule, i.e. the security service chain, which indicates that the corresponding traffic packet passes through a preset number of security function components in the security resource pool in a predetermined order. A RESTful API is an application programming interface that conforms to the REST (Representational State Transfer) architectural style.
Each packet contains specific characteristic fields, i.e. match fields; each packet can be identified according to its match fields and matched to the corresponding security service chain, and the SDN controller can construct the corresponding flow table from the correspondence between the match fields of packets and security service chains and issue it to the corresponding OVS switch. Specifically, the available match fields include but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, virtual LAN (VLAN) priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number. It can be understood that the specific match fields can be configured reasonably according to changes in the user's requirements and network protocols, and are not specifically limited here.
Specifically, in this application at least two match fields are used at the same time to establish the correspondence with the security service chain, which achieves multi-dimensional matching between security service chains and traffic packets and improves the flexibility with which the security service chains of the security resource pool are matched to traffic packets.
After the OVS switch receives the target traffic packet, it can parse the match fields in the packet for further processing.
200. The OVS switch matches the match fields against the locally stored flow table to determine the security service chain corresponding to the target traffic packet;
The OVS switch matches the match fields of the target packet against the locally stored flow table to determine the security service chain corresponding to the target traffic packet. If the match fields of the target traffic packet match the locally stored flow table successfully, step 400 is performed; if they fail to match, step 300 is performed.
300. The OVS switch requests from the corresponding SDN controller the security service chain corresponding to the match fields of the target traffic packet;
If the match fields of the target traffic packet fail to match the locally stored flow table, the OVS switch requests the security service chain corresponding to the target traffic packet from the corresponding SDN controller. Specifically, the OVS switch can send the target packet, or the match fields corresponding to the target packet, to the corresponding SDN controller to request that the SDN controller configure the security service chain corresponding to the target traffic packet.
400. The OVS switch steers the target traffic packet according to the security service chain to complete the cleaning of the target traffic packet.
After the security service chain corresponding to the target traffic packet has been determined, the OVS switch can install the forwarding rule of the security service chain and steer the target traffic packet to the corresponding security components for cleaning.
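Steps 100 to 400 above (local flow-table lookup over several match fields, request to the SDN controller on a miss, controller pushing the entry down to the switch), modelled in Python as an added example that is not part of the patent or of any Sangfor product. Packets are constructed dicts of already-parsed fields, the tenant_id field is the one the description adds for tenants sharing IP addresses, and the policy and chain names are constructed samples.

```python
"""Model of the flow-classification step on the OVS switch (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Match fields named in the description; tenant_id is the extra field it adds
# for tenants that share the same IP addresses. Packets are modelled as dicts of
# already-parsed fields (constructed sample data, no real packet parsing here).
MATCH_FIELDS = ("in_port", "eth_src", "eth_dst", "eth_type", "vlan_prio",
                "ip_src", "ip_dst", "ip_proto", "ip_tos", "tp_src", "tp_dst",
                "tenant_id")


@dataclass(frozen=True)
class ServiceChain:
    path_id: int
    components: Tuple[str, ...]  # security function components, in traversal order


@dataclass
class FlowEntry:
    match: Dict[str, object]     # field -> exact value; a field not listed is a wildcard
    chain: ServiceChain
    priority: int = 0

    def matches(self, pkt: Dict[str, object]) -> bool:
        unknown = set(self.match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"unsupported match field(s): {sorted(unknown)}")
        return all(pkt.get(k) == v for k, v in self.match.items())


def _best(entries: List[FlowEntry], pkt: Dict[str, object]) -> Optional[FlowEntry]:
    hits = [e for e in entries if e.matches(pkt)]
    return max(hits, key=lambda e: e.priority) if hits else None


class SdnController:
    """Holds the steering policy the user defined (through the northbound API in
    the description); every rule must use at least two match fields."""

    def __init__(self, policy: List[FlowEntry]):
        for entry in policy:
            if len(entry.match) < 2:
                raise ValueError("a steering rule needs at least two match fields")
        self.policy = policy

    def request_chain(self, pkt: Dict[str, object]) -> Optional[FlowEntry]:
        return _best(self.policy, pkt)


class OvsSwitch:
    def __init__(self, controller: SdnController):
        self.controller = controller
        self.flow_table: List[FlowEntry] = []  # entries the controller has pushed down
        self.table_misses = 0

    def classify(self, pkt: Dict[str, object]) -> Optional[ServiceChain]:
        """Steps 200/300: local flow-table lookup, controller request on a miss."""
        entry = _best(self.flow_table, pkt)
        if entry is None:
            self.table_misses += 1
            entry = self.controller.request_chain(pkt)
            if entry is None:
                return None  # no policy for this packet: caller decides drop or bypass
            self.flow_table.append(entry)  # controller installs the rule on the switch
        return entry.chain


# Constructed policy: two tenants use the same destination IP but get
# different chains because tenant_id is part of the match.
POLICY = [
    FlowEntry({"tenant_id": 1, "ip_dst": "10.0.0.5", "tp_dst": 443},
              ServiceChain(1, ("firewall", "ips", "vpn")), priority=10),
    FlowEntry({"tenant_id": 2, "ip_dst": "10.0.0.5"},
              ServiceChain(2, ("firewall", "load_balancer")), priority=5),
]


def demo() -> Tuple[Optional[ServiceChain], Optional[ServiceChain], int, int]:
    sw = OvsSwitch(SdnController(POLICY))
    pkt = {"in_port": 1, "tenant_id": 1, "ip_src": "203.0.113.9",
           "ip_dst": "10.0.0.5", "ip_proto": 6, "tp_src": 40000, "tp_dst": 443}
    chain1 = sw.classify(pkt)            # miss -> controller -> rule installed
    sw.classify(pkt)                     # now served from the local flow table
    chain2 = sw.classify(dict(pkt, tenant_id=2))
    return chain1, chain2, sw.table_misses, len(sw.flow_table)


if __name__ == "__main__":
    print(demo())
```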
Optionally, as a possible embodiment, the OVS switch steering the target traffic packet according to the security service chain can include:
401. The OVS switch encapsulates the path ID of the security service chain, the number of each security function component on the service chain path and the service chain metadata into the header of the target traffic packet to form an NSH label;
In practice the user can define many kinds of security service chain, each corresponding to one packet forwarding path, and each path can be assigned a service chain path ID; through the service chain path ID the OVS switch can recognise which packet forwarding path each security service chain corresponds to. Each service chain may need to pass through multiple security function components. To determine the current node position of the target traffic packet in the service chain while it is being forwarded between multiple security components, the OVS switch can add a label to the target traffic packet that identifies the forwarding process of the service chain. Specifically, the path ID of the security service chain, the number of each security function component on the service chain path and the service chain metadata are encapsulated into the header of the target traffic packet to form the NSH label. The specific NSH label can be set reasonably according to the user's requirements and is not specifically limited here.
Optionally, NSH can be implemented through techniques such as spare fields of the IP packet or specific fields of GRE/VXLAN.
402. The OVS switch steers the target traffic packet to the next node according to the service chain path ID in the NSH label and the node position at which the target traffic packet currently is.
Each time the target traffic packet returns to the OVS switch after passing through a security component in the service chain, the next security function node can be determined from the service chain path ID in the NSH label of the returned packet and the node at which the target traffic packet currently is, and the target traffic packet is steered to that next node.
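Steps 401 and 402, together with the proxy function for a component that cannot recognise the NSH label, as an added example that is not the patent's own code. The label layout follows the RFC 8300 NSH base and service path headers, which is an assumption since the description leaves the label format open; the component number is modelled as the NSH service index, and the chain, the packet bytes and the NSH-unaware component are constructed samples.

```python
"""NSH encapsulation, next-hop selection and NSH proxy for the service chain
(added example; the RFC 8300-style header layout is an assumption, the
description does not fix the label format)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NSH_VERSION = 0
MD_TYPE_1 = 1            # fixed 16-byte context header carries the chain metadata
NEXT_PROTO_IPV4 = 0x1
NSH_LEN_WORDS = 6        # base (1) + service path (1) + context (4) 32-bit words


@dataclass(frozen=True)
class Nsh:
    spi: int          # service path identifier (24 bits): the chain's path ID
    si: int           # service index (8 bits): number of components still to visit
    metadata: bytes   # 16 bytes of service chain metadata
    ttl: int = 63


def encapsulate(nsh: Nsh, inner: bytes) -> bytes:
    """Prepend the NSH label to the packet (step 401)."""
    if not (0 < nsh.spi < 1 << 24 and 0 <= nsh.si < 256 and 0 < nsh.ttl < 64
            and len(nsh.metadata) == 16):
        raise ValueError("NSH field out of range")
    word0 = ((NSH_VERSION << 30) | (nsh.ttl << 22) | (NSH_LEN_WORDS << 16)
             | (MD_TYPE_1 << 8) | NEXT_PROTO_IPV4)
    word1 = (nsh.spi << 8) | nsh.si
    return struct.pack("!II", word0, word1) + nsh.metadata + inner


def decapsulate(frame: bytes) -> Tuple[Nsh, bytes]:
    """Split an NSH-labelled frame back into (label, original packet)."""
    if len(frame) < NSH_LEN_WORDS * 4:
        raise ValueError("frame too short for NSH")
    word0, word1 = struct.unpack("!II", frame[:8])
    length, md_type = (word0 >> 16) & 0x3F, (word0 >> 8) & 0xF
    if length != NSH_LEN_WORDS or md_type != MD_TYPE_1:
        raise ValueError("unsupported NSH header")
    ttl = (word0 >> 22) & 0x3F
    return Nsh(word1 >> 8, word1 & 0xFF, frame[8:24], ttl), frame[24:]


class Forwarder:
    """Forwarding module: next node from the path ID and the packet's position."""

    def __init__(self, chains: Dict[int, Tuple[str, ...]]):
        self.chains = chains

    def start(self, path_id: int, inner: bytes, metadata: bytes = bytes(16)) -> bytes:
        return encapsulate(Nsh(path_id, len(self.chains[path_id]), metadata), inner)

    def next_node(self, frame: bytes) -> Tuple[Optional[str], bytes]:
        """Step 402. Returns (component to visit next, frame to hand over); the
        component is None once every component of the chain has been traversed."""
        nsh, inner = decapsulate(frame)
        chain = self.chains[nsh.spi]
        if nsh.si == 0:
            return None, inner                     # chain complete: label removed
        if nsh.ttl <= 1:
            raise ValueError("NSH TTL exhausted: possible forwarding loop")
        component = chain[len(chain) - nsh.si]
        advanced = Nsh(nsh.spi, nsh.si - 1, nsh.metadata, nsh.ttl - 1)
        return component, encapsulate(advanced, inner)


class NshProxy:
    """Strips the label before an NSH-unaware component and restores it on return.
    Assumes the component hands the packet back unchanged; a component that
    rewrites packets would need a flow-tuple key and entry expiry instead."""

    def __init__(self):
        self._pending: Dict[bytes, Nsh] = {}

    def to_component(self, frame: bytes) -> bytes:
        nsh, inner = decapsulate(frame)
        self._pending[inner] = nsh
        return inner

    def from_component(self, inner: bytes) -> bytes:
        nsh = self._pending.pop(inner)             # KeyError: packet not seen before
        return encapsulate(nsh, inner)


CHAINS = {1: ("firewall", "ips", "vpn")}          # constructed sample chain, path ID 1


def run_chain(path_id: int, inner: bytes, nsh_unaware=("ips",)) -> Tuple[List[str], bytes]:
    """Drive one packet through the chain; returns (components visited, packet)."""
    fwd, proxy, visited = Forwarder(CHAINS), NshProxy(), []
    frame = fwd.start(path_id, inner)
    while True:
        component, frame = fwd.next_node(frame)
        if component is None:
            return visited, frame
        visited.append(component)
        if component in nsh_unaware:               # legacy box: proxy the label
            frame = proxy.from_component(proxy.to_component(frame))
        # NSH-aware components return the labelled frame unchanged in this model
```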
The gateway in the secure resources pond in the embodiment of the present invention employs SDN network framework, network equipment control in SDN network Face processed is separated with data surface, and security service chain is configured by SDN controllers, realizes that network to connection function, is realized by OVS interchangers Decoupling of the network to connection function and the drainage policing feature of secure resources pond service chaining, improves secure resources pond to network change Adaptability more, secondly, the drainage strategy in security service chain can be matched somebody with somebody by the various dimensions that at least two matching domain fields carry out Put, improve the flexibility of secure resources pond configuration.
It is to need to consider during deployment secure resource pool in practice on the basis of above-described embodiment Customer Premises Network framework, Customer Premises Network may be provided with the core gateway with policybased routing, it is also possible to not set Core gateway is put, and secure resources pond is not at same layer network with Customer Premises Network, under this network architecture, secure resources Need to consider local IP and the address translation problem of external IP during the deployment in pond.
Specifically, when Customer Premises Network is provided with the core gateway with policybased routing, the OVS interchangers from Target flow bag is received in the core gateway, and network address NAT conversions are carried out to the IP address in the target flow bag, So that the IP address in the target flow bag can be identified by the OVS interchangers;
When user side is not provided with core gateway, and the secure resources pond is not at same layer network with Customer Premises Network When, the OVS interchangers receive target flow bag from the core gateway, and to the IP address in the target flow bag into Row NAT is changed, so that the IP address in the target flow bag can be identified by the OVS interchangers.
On the basis of above-described embodiment, in practice, in same network, it is understood that there may be multiple tenants use phase With the situation of IP address, in such a scenario, in order to realize that the flow bag of different tenants matches different security service chains Function, a fields of the tenant ID as matching domain can be introduced, passing through SDN controllers, to set different tenant ID to correspond to different Security service chain, when using being matched with the matching domain of tenant ID with the flow table being locally stored, you can realize use Tenant's flow bag of identical IP address matches the function of different security service chains.
On the basis of the above embodiment, in practice, when the security function components of the security resource pool are located on different physical hosts, the OVS switches transmit packets through overlay tunnels, and the overlay tunnels are used to isolate the packets of different tenants within the security resource pool.
It should be understood that, in the various embodiments of the present invention, the numbering of the above steps does not imply an order of execution; the order in which the steps are executed is determined by their function and internal logic and does not constitute any limitation on the implementation of the embodiments of the present invention.
For ease of understanding, the implementation method of the SDN-based security resource pool in the embodiment of the present invention is described below with a specific example.
In practice, customer requirements when deploying a security resource pool fall into three categories:
1. The customer's physical router supports policy-based routing, and traffic can be steered to the security resource pool for cleaning;
2. The customer's router does not support policy-based routing; the security resource pool is then required both to clean the traffic and to implement the policy-based routing function itself;
3. The customer's existing physical security devices are deployed in transparent mode; the security resource pool must replace those physical devices and must itself be deployed transparently, so traffic cannot be steered by policy-based routing.
These three requirements correspond respectively to the routed mode, gateway mode and transparent mode of the security resource pool. The traffic-steering method of the security resource pool must therefore adapt automatically to the network deployment modes of different customers.
Referring to Fig. 5, Fig. 6 and Fig. 7: the customer business cloud is the customer's local data center or private cloud, which hosts the customer's business systems. The external network is the network outside the customer business cloud, generally the Internet. WAN port and LAN port: for inbound traffic, external traffic enters the router through the WAN port and leaves through the LAN port into the customer network; for outbound traffic, internal traffic enters the router through the LAN port and leaves through the WAN port into the external network.
When the security resource pool is deployed in routed mode, the customer's physical router supports policy-based routing. As shown in Fig. 5, the OVN module in the OVS switch acts as the default gateway of the security resource pool, in the same way as a policy-based-routing deployment, and is responsible for interfacing with the customer's core router. The customer's core router directs the target packets that need to pass through the security resource pool to the pool's default gateway (a packet first reaches the OVS switch and then the OVN module). The OVN module performs NAT on the packet and then forwards the traffic to be inspected and cleaned to the OVS switch. The OVS switch parses the match fields in the target packet and matches them against the locally stored flow table to determine the security service chain corresponding to the target packet, then steers the packet along the security service chain to complete cleaning. Afterwards the packet is forwarded by the OVN module back to the customer's core router, completing the inspection and/or cleaning of one flow.
When the security resource pool is deployed in gateway mode, as shown in Fig. 6, the OVN module in the OVS switch replaces the customer's core router. The security resource pool and the customer business cloud may be in the same layer-2 network or in different layer-2 networks, and the OVN module must implement the policy-based routing function. If the security resource pool and the customer business cloud are in the same layer-2 network, neither inbound traffic from the security resource pool to the customer business cloud nor outbound traffic from the customer business cloud to the security resource pool needs to pass through the OVN module. If they are in different layer-2 networks, the OVN module is at the same time the default gateway of the security resource pool; gateway mode then degenerates into routed mode, with the OVN module acting simultaneously as the customer's core router and as the default gateway of the security resource pool.
When the security resource pool is deployed in transparent mode, as shown in Fig. 6, the common case is that the customer's existing physical security devices are deployed in transparent mode; the security resource pool now replaces those physical security devices, but the customer does not want to change the existing network topology, so the security resource pool must be connected in transparent mode. The security components of the security resource pool and the customer business cloud are in the same layer-2 network. A packet arrives at the OVS switch, which parses the match fields in the target packet, matches them against the locally stored flow table to determine the security service chain corresponding to the target packet, and steers the packet along the security service chain to complete cleaning. The packet then returns to the OVS switch for virtual layer-2 forwarding, so that it is forwarded out through the WAN port or the LAN port.
Specifically, as shown in Fig. 7, the OVS switch may include: an OVN module, a virtual layer-2 switching module, a traffic classification module, a security service chain steering module, a proxy module, and overlay tunnels.
The functions of the OVN module may include: ARP reply, proxy ARP reply, ARP request generation, running routing protocols, layer-3 forwarding, and NAT. ARP reply means replying to ARP requests for the module's own MAC address. Proxy ARP reply means replying, on behalf of a security component, to ARP requests for that component's MAC address. ARP request generation means that in gateway mode, when a packet reaches the OVN module after inspection and filtering by the security service chain, it can only be forwarded once the MAC address of the next hop is known; the OVN module therefore buffers the packet, constructs and sends an ARP request for the MAC address of the next hop, waits for the ARP reply, then rewrites the destination MAC and source MAC of the original packet and forwards it. Running routing protocols means running static/dynamic routing protocols to exchange routing information with other routers and build the module's own forwarding table. Layer-3 forwarding means forwarding packets according to the routing table. NAT includes the SNAT and DNAT functions.
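The ARP behaviours just attributed to the OVN module (answering for its own MAC, answering on behalf of a security component, and in gateway mode buffering a packet whose next-hop MAC is unknown, sending the ARP request itself and rewriting the MACs once the reply arrives) are modelled in the following Python example. It is added for this page and is not code from the patent or from Sangfor; the class and method names, the addresses, the static route table and the dictionary-based packet representation are assumptions made for the illustration. Beyond what the text states, it bounds the buffer of packets waiting on ARP resolution, since an unbounded buffer lets a sender that targets unreachable next hops exhaust the gateway's memory.

```python
"""Added example, not the patent's code: ARP reply, proxy ARP reply and gateway-mode
next-hop resolution of the OVN module. All names and addresses are constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MAX_PENDING_PER_NEXT_HOP = 16   # bound the buffer of packets awaiting an ARP reply (assumed value)


class OvnModule:
    def __init__(self, own_mac: str, own_ip: str, proxied: Dict[str, str]):
        self.own_mac, self.own_ip = own_mac, own_ip
        self.proxied = proxied                       # IP -> MAC of security components we answer ARP for
        self.arp_table: Dict[str, str] = {}          # IP -> MAC learned from ARP requests and replies
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []   # (prefix, next-hop IP)
        self.pending: Dict[str, List[dict]] = defaultdict(list)     # next-hop IP -> packets awaiting its MAC
        self.wire: List[dict] = []                   # frames emitted towards the customer network

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup_route(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; None means the destination is directly connected."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, next_hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def handle_arp_request(self, target_ip: str, sender_ip: str, sender_mac: str) -> Optional[dict]:
        """ARP reply for our own IP, or proxy ARP reply for a security component; None otherwise."""
        self.arp_table[sender_ip] = sender_mac       # learn the requester's mapping
        if target_ip == self.own_ip:
            mac = self.own_mac
        elif target_ip in self.proxied:
            mac = self.proxied[target_ip]
        else:
            return None                               # never answer for addresses we neither own nor front
        return {"type": "arp_reply", "sender_ip": target_ip, "sender_mac": mac,
                "target_ip": sender_ip, "target_mac": sender_mac}

    def forward(self, pkt: dict) -> bool:
        """Layer-3 forward a packet returned from the service chain.
        Returns True if it left on the wire, False if it was buffered or dropped."""
        if pkt["ttl"] <= 1:
            return False                              # TTL exhausted: drop rather than loop
        next_hop = self.lookup_route(pkt["dst_ip"]) or pkt["dst_ip"]
        mac = self.arp_table.get(next_hop)
        if mac is None:
            queue = self.pending[next_hop]
            if len(queue) >= MAX_PENDING_PER_NEXT_HOP:
                return False                          # buffer full: drop, do not grow without bound
            queue.append(pkt)
            if len(queue) == 1:                       # first packet for this next hop sends one ARP request
                self.wire.append({"type": "arp_request", "target_ip": next_hop,
                                  "sender_ip": self.own_ip, "sender_mac": self.own_mac})
            return False
        self._emit(pkt, mac)
        return True

    def handle_arp_reply(self, sender_ip: str, sender_mac: str) -> int:
        """Learn the next hop's MAC and release everything queued for it; returns the number released."""
        self.arp_table[sender_ip] = sender_mac
        queued = self.pending.pop(sender_ip, [])
        for pkt in queued:
            self._emit(pkt, sender_mac)
        return len(queued)

    def _emit(self, pkt: dict, dst_mac: str) -> None:
        # Rewrite source and destination MAC and decrement TTL, as a router does; the IP header is otherwise untouched.
        self.wire.append(dict(pkt, type="ip", src_mac=self.own_mac, dst_mac=dst_mac, ttl=pkt["ttl"] - 1))


def demo() -> Tuple[Optional[str], int, int, Optional[str], Optional[int]]:
    """Constructed scenario: proxy ARP for a component, then gateway-mode next-hop resolution."""
    ovn = OvnModule("02:00:00:00:00:01", "192.0.2.1", proxied={"192.0.2.10": "02:00:00:00:00:10"})
    ovn.add_route("198.51.100.0/24", "192.0.2.254")
    reply = ovn.handle_arp_request("192.0.2.10", "192.0.2.99", "02:00:00:00:00:99")
    pkt = {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "ttl": 64, "payload": b"cleaned"}
    ovn.forward(pkt)
    ovn.forward(pkt)                                   # second packet waits on the same pending request
    requests = [f for f in ovn.wire if f["type"] == "arp_request"]
    ovn.handle_arp_reply("192.0.2.254", "02:00:00:00:00:fe")
    frames = [f for f in ovn.wire if f["type"] == "ip"]
    return (reply["sender_mac"] if reply else None, len(requests), len(frames),
            frames[0]["dst_mac"] if frames else None, frames[0]["ttl"] if frames else None)


if __name__ == "__main__":
    print(demo())
```

The demo answers a proxy ARP request for the fronted component, sends a single ARP request for the two packets queued behind the unresolved next hop, and releases both with rewritten MACs and a decremented TTL when the reply arrives.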
The functions of the virtual layer-2 switching module may include: MAC address learning, layer-2 forwarding, and VLAN header encapsulation/decapsulation. MAC address learning builds the layer-2 forwarding table from the correspondence between a packet's source MAC address and the switch port. Layer-2 forwarding looks up the layer-2 forwarding table by destination MAC address and forwards the packet out of the correct switch port. VLAN header encapsulation/decapsulation means stripping the VLAN header before a packet is handed to the OVN module, and adding the VLAN header back when the packet returns to this module after passing through the security service chain.
The traffic classification module classifies traffic using flexible combinations of match fields together with different quality-of-service requirements, and applies an NSH label. Security service chain steering means forwarding traffic according to the forwarding policy of the service chain and the NSH label on the packet, so that the traffic passes in order through the predefined physical/virtual security function components. Proxy refers to security function components that cannot recognize NSH labels: the proxy module first removes the NSH label from the packet and then forwards it to the security function component; when the packet returns from the security function component, it is either re-classified or the proxy module adds the NSH label back. Overlay tunnels mean that when security function components are on different physical hosts, the OVS instances on those hosts transmit packets through the overlay tunneling function; the tunnels here are mainly used to isolate the traffic of different tenants within the security resource pool, and the overlay tunneling technologies include VXLAN, GRE, STT, Geneve and others.
Specifically, the functions of the SDN controller include: northbound API, ARP, NAT, SFC, route computation, topology, VLAN, network information collection, and configuration/flow table construction and distribution. The northbound API is generally a RESTful API for a user interface or a remote management layer to call. ARP mainly refers to ARP table maintenance, assisting the OVN module with ARP-related functions. NAT assists the OVN module with the SNAT and DNAT functions. Route computation implements general and custom routing algorithms, including shortest path. The topology module stores network-wide or local topology information. VLAN assists the OVS virtual layer-2 switching module with VLAN-related functions. Network information collection gathers state information from the underlying OVS instances and security function components. The configuration/flow table construction module automatically generates configuration and flow tables from parameters and configuration/flow table templates. The configuration/flow table distribution module selects the appropriate adapter, converts the configuration and flow tables into a format the underlying devices can recognize, and distributes them. SFC includes service chain definition, path computation and rule conflict detection; it calls the topology, network information collection, and flow table construction and distribution functions, and must also support dynamic addition, deletion and modification of service chains caused by migration of security function components and other reasons.
The above embodiments describe the implementation method of the SDN-based security resource pool in the embodiment of the present invention. The SDN-based security resource pool system in the embodiment of the present invention is described below. Referring to Fig. 8, an embodiment of the SDN-based security resource pool system in the embodiment of the present invention may include:
an SDN controller 70 and a security resource pool 80, wherein
the security resource pool 80 includes an OVS switch 800 and at least one security function component 900;
the OVS switch 800 includes a layer-2 switching module 801, a traffic classification module 802, a communication module 803 and a forwarding module 804;
the layer-2 switching module 801 is configured to receive a target packet;
the traffic classification module 802 is configured to parse the match fields in the target packet and match them against the locally stored flow table to determine the security service chain corresponding to the target packet, where the target packet includes at least two match fields, the flow table indicates the correspondence between match fields of preset types and security service chains, and a security service chain indicates that the corresponding packet passes through a preset number of security function components in the security resource pool in a preset order;
if the match fields of the target packet fail to match the locally stored flow table, the communication module 803 is configured to request from the SDN controller 70 the security service chain corresponding to the match fields of the target packet;
the forwarding module 804 is configured to steer the target packet according to the security service chain, so as to complete cleaning of the target packet.
Optionally, as a possible embodiment, the match fields include but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, VLAN priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
Optionally, as a possible embodiment, the traffic classification module 802 includes a parsing unit 8021 and a tagging unit 8022. The parsing unit 8021 is configured to parse the match fields in the target packet and match them against the locally stored flow table to determine the security service chain corresponding to the target packet;
the tagging unit 8022 is configured to encapsulate the service chain path ID corresponding to the security service chain, the number of each security function component on the service chain path, and the service chain metadata into the header of the target packet to form an NSH label;
the forwarding module 804 is configured to steer the target packet to the next node according to the service chain path ID in the NSH label and the node position at which the target packet currently resides, so as to steer the target packet along the security service chain.
Optionally, as a possible embodiment, the OVS switch 800 further includes a proxy module 805. When a target security function component in the security resource pool cannot recognize the NSH label, the proxy module 805 handles the NSH label through a proxy function, which includes: removing the NSH label before the security service chain passes through the target security function component, and adding the NSH label back for the security service chain when it returns from the target security function component to the OVS switch.
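The following Python example, added for this page and not taken from the patent, puts the tagging unit, the forwarding module and the proxy module above into working code; it also covers the proxy behaviour given with the OVS module overview (NSH label removed before a component that cannot parse it and added back on return). It encodes the service chain path ID, a per-hop service index and the service chain metadata as an NSH header in the RFC 8300 layout, steers a packet hop by hop through a path table keyed by (path ID, index), and wraps an NSH-unaware component in the strip/re-add step. The path table, the component registry, the IPS and WAF stand-ins, and the single-TLV metadata layout are assumptions for the illustration.

```python
"""Added example, not the patent's code: NSH (RFC 8300) tagging, hop-by-hop steering
and the proxy strip/re-add step. Path table, registry and components are constructed."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NSH_MD_TYPE2 = 0x2          # variable-length context headers (RFC 8300, section 2.5)
NSH_NEXT_PROTO_IPV4 = 0x1


@dataclass
class NshHeader:
    spi: int          # service path identifier, 24 bits
    si: int           # service index, 8 bits; counts down at every component
    ttl: int
    metadata: bytes


def nsh_encapsulate(packet: bytes, spi: int, si: int, metadata: bytes = b"", ttl: int = 63) -> bytes:
    """Prepend base header + service path header (+ one MD type 2 TLV; class 0x0000/type 0x01 assumed)."""
    if not (0 < spi < (1 << 24) and 0 <= si < 256 and 0 < ttl < 64):
        raise ValueError("SPI is a 24-bit non-zero value, SI an 8-bit and TTL a 6-bit field")
    tlv = b""
    if metadata:
        if len(metadata) > 127:
            raise ValueError("metadata TLV length field is 7 bits")
        tlv = struct.pack("!HBB", 0x0000, 0x01, len(metadata)) + metadata
        tlv += b"\x00" * (-len(metadata) % 4)        # TLVs are padded to 32-bit words
    length_words = 2 + len(tlv) // 4                  # total NSH length in 4-byte words
    first16 = (ttl << 6) | length_words               # Ver=0, O=0, U=0, TTL(6 bits), Length(6 bits)
    base = struct.pack("!HBB", first16, NSH_MD_TYPE2, NSH_NEXT_PROTO_IPV4)
    service_path = struct.pack("!I", (spi << 8) | si)
    return base + service_path + tlv + packet


def nsh_decapsulate(frame: bytes) -> Tuple[NshHeader, bytes]:
    """Parse the NSH header; returns (header, inner packet). Rejects truncated or inconsistent input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the fixed NSH headers")
    first16, md_byte, _next_proto = struct.unpack("!HBB", frame[:4])
    length = (first16 & 0x3F) * 4
    if length < 8 or len(frame) < length:
        raise ValueError("NSH length field inconsistent with frame")
    ttl = (first16 >> 6) & 0x3F
    (spi_si,) = struct.unpack("!I", frame[4:8])
    metadata = b""
    if (md_byte & 0x0F) == NSH_MD_TYPE2 and length >= 12:
        _cls, _typ, mlen = struct.unpack("!HBB", frame[8:12])
        metadata = frame[12:12 + (mlen & 0x7F)]
    return NshHeader(spi_si >> 8, spi_si & 0xFF, ttl, metadata), frame[length:]


# A component is (understands NSH?, handler). An NSH-aware handler receives the whole frame and
# returns it with SI decremented (or None to drop); an unaware handler only ever sees the bare packet.
Component = Tuple[bool, Callable[[bytes], Optional[bytes]]]


def next_component(paths: Dict[int, List[str]], hdr: NshHeader) -> Optional[str]:
    """Map (SPI, SI) to the component to visit; SI starts at len(path) and counts down to 0."""
    path = paths[hdr.spi]
    if hdr.si == 0 or hdr.si > len(path):
        return None
    return path[len(path) - hdr.si]


def run_chain(frame: bytes, paths: Dict[int, List[str]], registry: Dict[str, Component]
              ) -> Tuple[List[str], Optional[bytes]]:
    """Steer one tagged packet through its path as the steering module would.
    Returns (components visited in order, inner packet after the chain, or None if dropped)."""
    visited: List[str] = []
    while True:
        hdr, inner = nsh_decapsulate(frame)
        name = next_component(paths, hdr)
        if name is None:
            return visited, inner                     # chain complete: hand back for egress
        nsh_aware, handler = registry[name]
        visited.append(name)
        if nsh_aware:
            frame = handler(frame)
            if frame is None:
                return visited, None
            if nsh_decapsulate(frame)[0].si >= hdr.si:
                raise RuntimeError(f"{name} returned the frame without decrementing SI")
        else:
            inner = handler(inner)                    # proxy step: deliver without the NSH label
            if inner is None:
                return visited, None
            frame = nsh_encapsulate(inner, hdr.spi, hdr.si - 1, hdr.metadata, hdr.ttl)   # re-add label


def ips_component(frame: bytes) -> Optional[bytes]:
    """NSH-aware IPS stand-in: drops packets carrying a marker, otherwise decrements SI and passes on."""
    hdr, inner = nsh_decapsulate(frame)
    if b"EVIL" in inner:
        return None
    return nsh_encapsulate(inner, hdr.spi, hdr.si - 1, hdr.metadata, hdr.ttl)


def demo() -> Tuple[List[str], Optional[bytes]]:
    """Constructed chain: a legacy WAF that cannot parse NSH (proxied), then the NSH-aware IPS."""
    paths = {10: ["legacy_waf", "ips"]}
    registry: Dict[str, Component] = {
        "legacy_waf": (False, lambda pkt: pkt.replace(b"<script>", b"")),
        "ips": (True, ips_component),
    }
    frame = nsh_encapsulate(b"GET /?q=<script>alert(1) HTTP/1.1", spi=10, si=2, metadata=b"tenant=7")
    return run_chain(frame, paths, registry)


if __name__ == "__main__":
    print(demo())
```

The index is carried in the header rather than inferred from the ingress port, so a component returning the packet on an unexpected port cannot replay it into an earlier stage; the loop also refuses a frame whose SI an NSH-aware component failed to decrement, which would otherwise cycle forever.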
Optionally, as a possible embodiment, the OVS switch 800 further includes an OVN module 806. When the customer-side network has a core gateway with policy-based routing, the OVN module 806 is configured to receive the target packet from the core gateway and perform network address translation (NAT) on the IP address in the target packet, so that the IP address in the target packet can be recognized by the OVS switch;
when the customer side has no core gateway and the security resource pool is not in the same layer network as the customer-side network, the OVN module 806 is configured to receive the target packet from the core gateway and perform NAT on the IP address in the target packet, so that the IP address in the target packet can be recognized by the OVS switch.
Optionally, as a possible embodiment, the match fields further include a tenant ID; when multiple tenants use the same IP address, the parsing unit 8021 matches against the locally stored flow table to determine the security service chain of the tenant packets that use the same IP address.
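The classification step performed by the traffic classification module and the communication module (local flow table match on at least two match fields, request to the SDN controller on a miss), together with the tenant ID match field just described for tenants that reuse the same IP addresses, in an added Python example that is not the patent's code. The rule contents, tenant numbers, service path IDs and packet dictionaries are constructed for the illustration, and the controller is a local stand-in for the request the communication module would send.

```python
"""Added example, not the patent's code: multi-field flow table match with a tenant ID
field and controller fallback on a miss. Rules, tenants and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass(frozen=True)
class Match:
    """A subset of the match fields listed in the text; None means wildcard."""
    in_port: Optional[int] = None
    vlan_id: Optional[int] = None
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None
    tenant_id: Optional[int] = None      # the extra field that separates tenants with overlapping IP space

    def specificity(self) -> int:
        return sum(v is not None for v in vars(self).values())

    def covers(self, pkt: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(pkt["src_ip"]) not in self.src_net:
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt["dst_ip"]) not in self.dst_net:
            return False
        for name in ("in_port", "vlan_id", "ip_proto", "dst_port", "tenant_id"):
            want = getattr(self, name)
            if want is not None and pkt.get(name) != want:
                return False
        return True


@dataclass(frozen=True)
class Rule:
    priority: int
    match: Match
    spi: Optional[int]        # service path ID to steer into; None means drop

    def __post_init__(self) -> None:
        if self.match.specificity() < 2:               # the scheme requires at least two match fields
            raise ValueError("a rule needs at least two match fields")


class OvsClassifier:
    def __init__(self, controller: Callable[[Packet], Optional[Rule]]):
        self.table: List[Rule] = []
        self.controller = controller       # stand-in for the request sent to the SDN controller on a miss
        self.misses = 0

    def install(self, rule: Rule) -> None:
        self.table.append(rule)
        self.table.sort(key=lambda r: (-r.priority, -r.match.specificity()))

    def classify(self, pkt: Packet) -> Optional[int]:
        """Return the service path ID for the packet, or None to drop (fail closed on unknown traffic)."""
        for rule in self.table:
            if rule.match.covers(pkt):
                return rule.spi
        self.misses += 1
        rule = self.controller(pkt)
        if rule is None:
            return None
        self.install(rule)                 # cache the controller's answer as a local flow table entry
        return rule.spi


def build_controller(tenant_policy: Dict[int, int]) -> Callable[[Packet], Optional[Rule]]:
    """Controller stand-in: on a miss, issue a rule scoped to the tenant and the destination /24."""
    def lookup(pkt: Packet) -> Optional[Rule]:
        tenant = pkt.get("tenant_id")
        spi = tenant_policy.get(tenant)
        if spi is None:
            return None                    # unknown tenant: no chain, the switch drops
        dst_net = ipaddress.ip_network(f"{pkt['dst_ip']}/24", strict=False)
        return Rule(priority=100, match=Match(tenant_id=tenant, dst_net=dst_net), spi=spi)
    return lookup


def demo() -> Tuple[Optional[int], Optional[int], Optional[int], Optional[int], int]:
    """Two tenants reuse 10.0.0.0/24; only the tenant ID separates their service chains."""
    ovs = OvsClassifier(build_controller({1: 10, 2: 20}))
    ovs.install(Rule(200, Match(tenant_id=1, ip_proto=6, dst_port=443), spi=10))
    pkt: Packet = {"in_port": 1, "vlan_id": 100, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
                   "ip_proto": 6, "dst_port": 443}
    t1 = ovs.classify({**pkt, "tenant_id": 1})          # local hit on the pre-installed rule
    t2_first = ovs.classify({**pkt, "tenant_id": 2})    # miss: controller answers, rule installed
    t2_second = ovs.classify({**pkt, "tenant_id": 2})   # now a local hit
    t3 = ovs.classify({**pkt, "tenant_id": 3})          # unknown tenant: dropped
    return t1, t2_first, t2_second, t3, ovs.misses


if __name__ == "__main__":
    print(demo())
```

Two identical 5-tuples are steered into different chains purely on the tenant ID, and a tenant the controller does not know is dropped rather than passed through unclassified; the miss counter shows that the controller is consulted once per new flow, not per packet.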
Optionally, as a possible embodiment, when the security function components 900 of the security resource pool 80 are located on different physical hosts, the OVS switches 800 transmit packets through overlay tunnels, and the overlay tunnels are used to isolate the packets of different tenants within the security resource pool; the overlay tunneling technologies here include VXLAN, GRE, STT, Geneve and other implementations.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. An implementation method of a security resource pool based on an SDN network, the SDN network including an SDN controller and an OVS switch, characterized in that the method includes:
the OVS switch receiving a target packet and parsing the match fields in the target packet, the target packet including at least two match fields;
the OVS switch matching the match fields against a locally stored flow table to determine the security service chain corresponding to the target packet, the flow table being generated by the SDN controller and sent to the corresponding OVS switch, the flow table indicating the correspondence between match fields of preset types and security service chains, and the security service chain indicating that the corresponding packet passes through a preset number of security function components in the security resource pool in a preset order;
if the match fields of the target packet fail to match the locally stored flow table, requesting from the SDN controller the security service chain corresponding to the match fields of the target packet;
the OVS switch steering the target packet according to the security service chain, so as to complete cleaning of the target packet.
2. The method according to claim 1, characterized in that
the match fields include but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, VLAN priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
3. The method according to claim 2, characterized in that the OVS switch steering the target packet according to the security service chain includes:
the OVS switch encapsulating the service chain path ID corresponding to the security service chain, the number of each security function component on the service chain path, and the service chain metadata into the header of the target packet to form an NSH label;
the OVS switch steering the target packet to the next node according to the service chain path ID in the NSH label and the node position at which the target packet currently resides.
4. The method according to claim 3, characterized in that
when a target security function component in the security resource pool cannot recognize the NSH label, the OVS switch handles the NSH label through a proxy function, the proxy function including: removing the NSH label before the security service chain passes through the target security function component, and adding the NSH label back for the security service chain when it returns from the target security function component to the OVS switch.
5. The method according to claim 3, characterized in that, before the OVS switch receives the target packet and parses the match fields in the target packet, the method further includes:
when the customer-side network has a core gateway with policy-based routing, the OVS switch receiving the target packet from the core gateway and performing network address translation (NAT) on the IP address in the target packet, so that the IP address in the target packet can be recognized by the OVS switch;
when the customer side has no core gateway and the security resource pool is not in the same layer network as the customer-side network, the OVS switch receiving the target packet from the core gateway and performing NAT on the IP address in the target packet, so that the IP address in the target packet can be recognized by the OVS switch.
6. The method according to claim 5, characterized in that
the match fields further include a tenant ID; when multiple tenants use the same IP address, the OVS switch matches against the locally stored flow table to determine the security service chain of the tenant packets that use the same IP address.
7. The method according to any one of claims 1 to 6, characterized in that
when the security function components of the security resource pool are located on different physical hosts, the OVS switches transmit packets through overlay tunnels, and the overlay tunnels are used to isolate the packets of different tenants within the security resource pool.
8. A security resource pool system based on an SDN network, characterized in that it includes:
an SDN controller and a security resource pool, wherein
the security resource pool includes an OVS switch and at least one security function component;
the OVS switch includes a layer-2 switching module, a traffic classification module, a communication module and a forwarding module;
the layer-2 switching module is configured to receive a target packet;
the traffic classification module is configured to parse the match fields in the target packet and match them against a locally stored flow table to determine the security service chain corresponding to the target packet, the target packet including at least two match fields, the flow table indicating the correspondence between match fields of preset types and security service chains, and the security service chain indicating that the corresponding packet passes through a preset number of security function components in the security resource pool in a preset order;
if the match fields of the target packet fail to match the locally stored flow table, the communication module is configured to request from the SDN controller the security service chain corresponding to the match fields of the target packet;
the forwarding module is configured to steer the target packet according to the security service chain, so as to complete cleaning of the target packet.
9. The system according to claim 8, characterized in that
the match fields include but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, VLAN priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
10. The system according to claim 9, characterized in that
the traffic classification module includes a parsing unit and a tagging unit, the parsing unit being configured to parse the match fields in the target packet and match them against the locally stored flow table to determine the security service chain corresponding to the target packet;
the tagging unit being configured to encapsulate the service chain path ID corresponding to the security service chain, the number of each security function component on the service chain path, and the service chain metadata into the header of the target packet to form an NSH label;
the forwarding module being configured to steer the target packet to the next node according to the service chain path ID in the NSH label and the node position at which the target packet currently resides, so as to steer the target packet along the security service chain.
11. The system according to claim 10, characterized in that the OVS switch further includes a proxy module; when a target security function component in the security resource pool cannot recognize the NSH label, the proxy module handles the NSH label through a proxy function, the proxy function including: removing the NSH label before the security service chain passes through the target security function component, and adding the NSH label back for the security service chain when it returns from the target security function component to the OVS switch.
12. The system according to claim 10, characterized in that the OVS switch further includes an OVN module; when the customer-side network has a core gateway with policy-based routing, the OVN module is configured to receive the target packet from the core gateway and perform network address translation (NAT) on the IP address in the target packet, so that the IP address in the target packet can be recognized by the OVS switch;
when the customer side has no core gateway and the security resource pool is not in the same layer network as the customer-side network, the OVN module is configured to receive the target packet from the core gateway and perform NAT on the IP address in the target packet, so that the IP address in the target packet can be recognized by the OVS switch.
13. The system according to claim 11, characterized in that
the match fields further include a tenant ID; when multiple tenants use the same IP address, the parsing unit matches against the locally stored flow table to determine the security service chain of the tenant packets that use the same IP address.
14. The system according to any one of claims 8 to 13, characterized in that
when the security function components of the security resource pool are located on different physical hosts, the OVS switches transmit packets through overlay tunnels, and the overlay tunnels are used to isolate the packets of different tenants within the security resource pool.
CN201711479174.0A, filed 2017-12-29 (priority date 2017-12-29): SDN network-based security resource pool implementation method and system; granted as CN107911258B (en), legal status Active.

Priority Applications (1)

Application Number    Priority Date   Filing Date   Title
CN201711479174.0A     2017-12-29      2017-12-29    SDN network-based security resource pool implementation method and system


Publications (2)

Publication Number   Publication Date
CN107911258A         2018-04-13   (this document, application publication)
CN107911258B         2021-09-17   (granted patent)

Family ID: 61872030


Country Status (1): CN, CN107911258B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486227A (en) * 2014-12-11 2015-04-01 武汉绿色网络信息服务有限责任公司 System and method for achieving IPv6 flexible arrangement through VxLAN technique
US20150215231A1 (en) * 2014-01-26 2015-07-30 International Business Machines Corporation Processing resource access request in network
CN105591934A (en) * 2015-08-05 2016-05-18 杭州华三通信技术有限公司 Flow table management method and device
CN105791153A (en) * 2014-12-24 2016-07-20 中国电信股份有限公司 Service traffic scheduling method and system, traffic controller and network edge device
CN105933225A (en) * 2016-04-20 2016-09-07 上海斐讯数据通信技术有限公司 Strategy routing method and system based on SDN
CN106789542A (en) * 2017-03-03 2017-05-31 清华大学 A kind of implementation method of cloud data center security service chain

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881207A (en) * 2018-06-11 2018-11-23 中国人民解放军战略支援部队信息工程大学 Network safety service framework and its implementation based on security service chain
CN108881207B (en) * 2018-06-11 2020-11-10 中国人民解放军战略支援部队信息工程大学 Network security service realization method based on security service chain
CN108965000A (en) * 2018-07-12 2018-12-07 成都安恒信息技术有限公司 A kind of private cloud SDN drainage implementation method
CN108965000B (en) * 2018-07-12 2021-06-01 成都安恒信息技术有限公司 Private cloud SDN drainage implementation method
CN110768911A (en) * 2018-07-27 2020-02-07 深信服科技股份有限公司 Efficient flow guiding method, device, equipment, system and storage medium
CN110768911B (en) * 2018-07-27 2023-05-12 深信服科技股份有限公司 Method, device, equipment, system and storage medium for efficient flow drainage
CN109040101A (en) * 2018-08-27 2018-12-18 北京安数云信息技术有限公司 A method of different security services are used based on openflow protocol realization multi-tenant
CN109951353A (en) * 2019-03-11 2019-06-28 北京启明星辰信息安全技术有限公司 A kind of cloud platform flow rate testing methods and resource pool system
CN109981613A (en) * 2019-03-11 2019-07-05 北京启明星辰信息安全技术有限公司 A kind of flow rate testing methods and resource pool system for cloud environment
CN109981613B (en) * 2019-03-11 2021-10-22 北京启明星辰信息安全技术有限公司 Flow detection method for cloud environment and resource pool system
CN111988266A (en) * 2019-05-24 2020-11-24 华为技术有限公司 Method for processing message
CN112751781A (en) * 2019-10-31 2021-05-04 阿里巴巴集团控股有限公司 Method, device and equipment for processing flow data and computer storage medium
CN110995744B (en) * 2019-12-13 2022-02-22 深信服科技股份有限公司 Message transmission method and device, software defined network switch and storage medium
CN110995744A (en) * 2019-12-13 2020-04-10 深信服科技股份有限公司 Message transmission method and device, software defined network switch and storage medium
CN111163004A (en) * 2019-12-31 2020-05-15 奇安信科技集团股份有限公司 Service chain data processing method and device and computer equipment
CN111405014B (en) * 2020-03-09 2022-04-22 联想(北京)有限公司 Data processing method and device based on mobile edge computing MEC platform and storage medium
CN111405014A (en) * 2020-03-09 2020-07-10 联想(北京)有限公司 Data processing method and device based on mobile edge computing MEC platform and storage medium
US11652781B2 (en) 2020-03-09 2023-05-16 Lenovo (Beijing) Co., Ltd. Data processing method based on MEC platform, device, and storage medium
CN111800329A (en) * 2020-06-28 2020-10-20 浪潮思科网络科技有限公司 Message forwarding method, device and medium based on SDN and OVN
CN111800329B (en) * 2020-06-28 2022-01-21 浪潮思科网络科技有限公司 Message forwarding method, device and medium based on SDN and OVN
CN112866019A (en) * 2021-01-11 2021-05-28 科大讯飞股份有限公司 Method for limiting bandwidth of elastic IP address, related equipment and readable storage medium
CN113300952A (en) * 2021-04-14 2021-08-24 启明星辰信息技术集团股份有限公司 Distributed drainage system for cloud security resource pool and drainage method thereof
CN113300952B (en) * 2021-04-14 2022-08-12 启明星辰信息技术集团股份有限公司 Distributed drainage system for cloud security resource pool and drainage method thereof
CN113381879A (en) * 2021-05-17 2021-09-10 浪潮思科网络科技有限公司 SDN-based network deployment method and device
CN113595924B (en) * 2021-06-28 2024-03-15 济南浪潮数据技术有限公司 Two-layer drainage method, system and device based on openflow protocol
CN113595924A (en) * 2021-06-28 2021-11-02 济南浪潮数据技术有限公司 Two-layer drainage method, system and device based on openflow protocol
CN113904867B (en) * 2021-10-30 2023-07-07 杭州迪普科技股份有限公司 Flow processing method and system for VXLAN two-layer networking
CN113904867A (en) * 2021-10-30 2022-01-07 杭州迪普科技股份有限公司 Traffic processing method and system for VXLAN two-layer networking
CN114070639A (en) * 2021-11-19 2022-02-18 北京天融信网络安全技术有限公司 Message secure forwarding method and device and network security equipment
CN114070639B (en) * 2021-11-19 2024-04-23 北京天融信网络安全技术有限公司 Message security forwarding method and device and network security equipment
CN114244576A (en) * 2021-11-24 2022-03-25 中盈优创资讯科技有限公司 Flow protection method and device in cloud environment
CN114257473A (en) * 2021-12-10 2022-03-29 北京天融信网络安全技术有限公司 Method, device, equipment and medium for realizing multiple transparent bridges in resource pool
CN114629853A (en) * 2022-02-28 2022-06-14 天翼安全科技有限公司 Traffic classification control method based on security service chain analysis in security resource pool
CN114584376B (en) * 2022-03-04 2024-04-26 中电科网络空间安全研究院有限公司 Traffic handling method, device, equipment and computer readable storage medium
CN114584376A (en) * 2022-03-04 2022-06-03 中电科网络空间安全研究院有限公司 Traffic handling method, device, equipment and computer readable storage medium
CN114944952B (en) * 2022-05-20 2023-11-07 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium
CN114944952A (en) * 2022-05-20 2022-08-26 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium
CN115296842A (en) * 2022-06-27 2022-11-04 深信服科技股份有限公司 Method and device for arranging service flow, application delivery equipment and medium
CN115277308B (en) * 2022-07-20 2023-04-25 杭州迪普科技股份有限公司 Cloud resource pool SSLVPN equipment deployment method and device
CN115277308A (en) * 2022-07-20 2022-11-01 杭州迪普科技股份有限公司 Method and device for deploying SSLVPN equipment in cloud resource pool
CN115378868B (en) * 2022-08-18 2023-09-19 中电云数智科技有限公司 System and method for realizing message processing based on SNAT resource pool
CN115378868A (en) * 2022-08-18 2022-11-22 中电云数智科技有限公司 System and method for realizing message processing based on SNAT resource pool
CN115426313A (en) * 2022-08-31 2022-12-02 中电云数智科技有限公司 NAT optimization device and method based on OVN virtual machine network
CN115426313B (en) * 2022-08-31 2023-08-18 中电云数智科技有限公司 NAT optimization device and method based on OVN virtual machine network
CN115996136A (en) * 2022-09-29 2023-04-21 华数云科技有限公司 SDN-based cloud security capability implementation method in multi-tenant scene
CN115996136B (en) * 2022-09-29 2024-03-26 华数云科技有限公司 SDN-based cloud security capability implementation method in multi-tenant scene

Also Published As

Publication number Publication date
CN107911258B (en) 2021-09-17

Similar Documents

Publication Publication Date Title
CN107911258A (en) A kind of realization method and system in the secure resources pond based on SDN network
CN107920023A (en) A kind of realization method and system in secure resources pond
CN103905283B (en) Communication means and device based on expansible VLAN
CN104780088B (en) A kind of transmission method and equipment of service message
CN104380658B (en) Flow classifier, business route flip-flop, the method and system of Message processing
CN108173694A (en) The secure resources pond cut-in method and system of a kind of data center
CN108199958A (en) A kind of general secure resources pond service chaining realization method and system
CN104639414B (en) A kind of message forwarding method and equipment
CN104410541B (en) The method and device that VXLAN internal layer virtual machine traffics are counted in intermediary switch
CN108293021A (en) Dynamic data access at Border Gateway
CN105337881B (en) A kind of processing method of data message, service node and drainage point
CN109716717A (en) From software-defined network controller management virtual port channel switching equipment peer-to-peer
CN107948086A (en) A kind of data packet sending method, device and mixed cloud network system
CN104811382B (en) The processing method and device of data packet
CN104579727B (en) A kind of method and apparatus for the network connection for managing network node
CN106789542A (en) A kind of implementation method of cloud data center security service chain
CN105612719A (en) Enhanced network virtualization using metadata in encapsulation header
CN106233673A (en) Network service inserts
CN106713103A (en) Method and system for virtual and physical network integration
CN107404436A (en) Communication means and device for virtual expansible LAN
CN108234272A (en) For the method and apparatus of the wire/wireless enterprise network architecture of fusion
CN107770064A (en) A kind of method of internetwork communication, equipment
CN107733795B (en) Ethernet virtual private network EVPN and public network intercommunication method and device
CN106992917A (en) Message forwarding method and device
CN108092934A (en) Safety service system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant