CN108293019A - 流表处理方法及装置 - Google Patents

流表处理方法及装置 Download PDF

Info

Publication number
CN108293019A
CN108293019A CN201680068616.XA CN201680068616A CN108293019A CN 108293019 A CN108293019 A CN 108293019A CN 201680068616 A CN201680068616 A CN 201680068616A CN 108293019 A CN108293019 A CN 108293019A
Authority
CN
China
Prior art keywords
flow table
secure group
message
match
matching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201680068616.XA
Other languages
English (en)
Other versions
CN108293019B (zh
Inventor
苑威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of CN108293019A publication Critical patent/CN108293019A/zh
Application granted granted Critical
Publication of CN108293019B publication Critical patent/CN108293019B/zh
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/38Flow based routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/54Organization of routing tables
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/64Routing or path finding of packets in data switching networks using an overlay routing layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • H04L45/745Address table lookup; Address filtering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104Grouping of entities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本申请公开了一种流表处理方法,该方法运用于软件定义网络SDN,SDN控制器确定M个虚拟机端口加入安全组后,生成第一匹配流表集与第二匹配流表集和该安全组的动作流表,第一匹配流表集和第二匹配流表集配合实现该安全组的匹配,该安全组的动作流表包括与该安全组匹配成功的报文的报文动作。本申请提供的方法降低了实现安全组匹配的流表的复杂程度,提升了安全组的匹配效率。

Description

PCT国内申请,说明书已公开。

Claims (18)

  1. PCT国内申请,权利要求书已公开。
CN201680068616.XA 2016-03-09 2016-03-09 流表处理方法及装置 Active CN108293019B (zh)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/075982 WO2017152396A1 (zh) 2016-03-09 2016-03-09 流表处理方法及装置

Publications (2)

Publication Number Publication Date
CN108293019A true CN108293019A (zh) 2018-07-17
CN108293019B CN108293019B (zh) 2020-06-02

Family

ID=59788967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680068616.XA Active CN108293019B (zh) 2016-03-09 2016-03-09 流表处理方法及装置

Country Status (4)

Country Link
US (1) US10715492B2 (zh)
EP (2) EP3522460B1 (zh)
CN (1) CN108293019B (zh)
WO (1) WO2017152396A1 (zh)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111031056A (zh) * 2019-12-20 2020-04-17 紫光云(南京)数字技术有限公司 一种在安全组中实现安全域功能的方法
CN111131071A (zh) * 2019-12-19 2020-05-08 紫光云技术有限公司 基于OpenStack实现云主机安全组规则优先级的实现方法及系统
WO2022252634A1 (zh) * 2021-05-31 2022-12-08 平安科技(深圳)有限公司 数据流传输方法、装置、计算机设备及存储介质
CN116015827A (zh) * 2022-12-15 2023-04-25 北京秒如科技有限公司 一种实现安全组流表最小化的方法

Families Citing this family (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10749711B2 (en) 2013-07-10 2020-08-18 Nicira, Inc. Network-link method useful for a last-mile connectivity in an edge-gateway multipath system
US10454714B2 (en) 2013-07-10 2019-10-22 Nicira, Inc. Method and system of overlay flow control
US10498652B2 (en) 2015-04-13 2019-12-03 Nicira, Inc. Method and system of application-aware routing with crowdsourcing
US10425382B2 (en) 2015-04-13 2019-09-24 Nicira, Inc. Method and system of a cloud-based multipath routing protocol
US10135789B2 (en) 2015-04-13 2018-11-20 Nicira, Inc. Method and system of establishing a virtual private network in a cloud service for branch networking
US10506037B2 (en) * 2016-12-13 2019-12-10 Alcatel Lucent Discovery of ingress provider edge devices in egress peering networks
US10992558B1 (en) 2017-11-06 2021-04-27 Vmware, Inc. Method and apparatus for distributed data network traffic optimization
US11252079B2 (en) 2017-01-31 2022-02-15 Vmware, Inc. High performance software-defined core network
US11706127B2 (en) 2017-01-31 2023-07-18 Vmware, Inc. High performance software-defined core network
US10992568B2 (en) 2017-01-31 2021-04-27 Vmware, Inc. High performance software-defined core network
US20180219765A1 (en) 2017-01-31 2018-08-02 Waltz Networks Method and Apparatus for Network Traffic Control Optimization
US11121962B2 (en) 2017-01-31 2021-09-14 Vmware, Inc. High performance software-defined core network
US20200036624A1 (en) 2017-01-31 2020-01-30 The Mode Group High performance software-defined core network
US10778528B2 (en) 2017-02-11 2020-09-15 Nicira, Inc. Method and system of connecting to a multipath hub in a cluster
US10523539B2 (en) 2017-06-22 2019-12-31 Nicira, Inc. Method and system of resiliency in cloud-delivered SD-WAN
US11516049B2 (en) 2017-10-02 2022-11-29 Vmware, Inc. Overlay network encapsulation to forward data message flows through multiple public cloud datacenters
US10959098B2 (en) 2017-10-02 2021-03-23 Vmware, Inc. Dynamically specifying multiple public cloud edge nodes to connect to an external multi-computer node
US11115480B2 (en) 2017-10-02 2021-09-07 Vmware, Inc. Layer four optimization for a virtual network defined over public cloud
US11089111B2 (en) 2017-10-02 2021-08-10 Vmware, Inc. Layer four optimization for a virtual network defined over public cloud
US10999165B2 (en) 2017-10-02 2021-05-04 Vmware, Inc. Three tiers of SaaS providers for deploying compute and network infrastructure in the public cloud
US10999100B2 (en) 2017-10-02 2021-05-04 Vmware, Inc. Identifying multiple nodes in a virtual network defined over a set of public clouds to connect to an external SAAS provider
US11223514B2 (en) 2017-11-09 2022-01-11 Nicira, Inc. Method and system of a dynamic high-availability mode based on current wide area network connectivity
CN108306822A (zh) * 2018-01-08 2018-07-20 国网江苏省电力有限公司 一种适用于软件定义网络的流表合并方法
US10476699B2 (en) * 2018-01-31 2019-11-12 Hewlett Packard Enterprise Development Lp VLAN to VXLAN translation using VLAN-aware virtual machines
CN110300060B (zh) * 2018-03-23 2022-06-07 北京京东尚科信息技术有限公司 用于软件定义网络的通信方法和装置
US11212238B2 (en) 2019-08-27 2021-12-28 Vmware, Inc. Providing recommendations for implementing virtual networks
US11611507B2 (en) 2019-10-28 2023-03-21 Vmware, Inc. Managing forwarding elements at edge nodes connected to a virtual network
US11405426B2 (en) * 2019-11-04 2022-08-02 Salesforce.Com, Inc. Comparing network security specifications for a network to implement a network security policy for the network
US11489783B2 (en) 2019-12-12 2022-11-01 Vmware, Inc. Performing deep packet inspection in a software defined wide area network
US11394640B2 (en) 2019-12-12 2022-07-19 Vmware, Inc. Collecting and analyzing data regarding flows associated with DPI parameters
US11438789B2 (en) 2020-01-24 2022-09-06 Vmware, Inc. Computing and using different path quality metrics for different service classes
CN111586025B (zh) * 2020-04-30 2021-03-23 广州市品高软件股份有限公司 一种基于sdn的sdp安全组实现方法及安全系统
US11245641B2 (en) 2020-07-02 2022-02-08 Vmware, Inc. Methods and apparatus for application aware hub clustering techniques for a hyper scale SD-WAN
US11709710B2 (en) 2020-07-30 2023-07-25 Vmware, Inc. Memory allocator for I/O operations
US11444865B2 (en) 2020-11-17 2022-09-13 Vmware, Inc. Autonomous distributed forwarding plane traceability based anomaly detection in application traffic for hyper-scale SD-WAN
US11575600B2 (en) 2020-11-24 2023-02-07 Vmware, Inc. Tunnel-less SD-WAN
US11601356B2 (en) 2020-12-29 2023-03-07 Vmware, Inc. Emulating packet flows to assess network links for SD-WAN
CN116783874A (zh) 2021-01-18 2023-09-19 Vm维尔股份有限公司 网络感知的负载平衡
US11979325B2 (en) 2021-01-28 2024-05-07 VMware LLC Dynamic SD-WAN hub cluster scaling with machine learning
US12009987B2 (en) 2021-05-03 2024-06-11 VMware LLC Methods to support dynamic transit paths through hub clustering across branches in SD-WAN
US11582144B2 (en) 2021-05-03 2023-02-14 Vmware, Inc. Routing mesh to provide alternate routes through SD-WAN edge forwarding nodes based on degraded operational states of SD-WAN hubs
US11729065B2 (en) 2021-05-06 2023-08-15 Vmware, Inc. Methods for application defined virtual network service among multiple transport in SD-WAN
CN115514813A (zh) * 2021-06-04 2022-12-23 益思芯科技(上海)有限公司 一种网络转发设备及方法
US12015536B2 (en) 2021-06-18 2024-06-18 VMware LLC Method and apparatus for deploying tenant deployable elements across public clouds based on harvested performance metrics of types of resource elements in the public clouds
US11489720B1 (en) 2021-06-18 2022-11-01 Vmware, Inc. Method and apparatus to evaluate resource elements and public clouds for deploying tenant deployable elements based on harvested performance metrics
US12047282B2 (en) 2021-07-22 2024-07-23 VMware LLC Methods for smart bandwidth aggregation based dynamic overlay selection among preferred exits in SD-WAN
US11375005B1 (en) 2021-07-24 2022-06-28 Vmware, Inc. High availability solutions for a secure access service edge application
US11943146B2 (en) 2021-10-01 2024-03-26 VMware LLC Traffic prioritization in SD-WAN
US11909815B2 (en) 2022-06-06 2024-02-20 VMware LLC Routing based on geolocation costs
CN116248588A (zh) * 2022-12-28 2023-06-09 天翼云科技有限公司 一种针对网卡的数据包的流表规则卸载方法和装置
CN116074250B (zh) * 2023-02-23 2023-08-22 阿里巴巴(中国)有限公司 流表处理方法、系统、设备和存储介质
US12034587B1 (en) 2023-03-27 2024-07-09 VMware LLC Identifying and remediating anomalies in a self-healing network
US12057993B1 (en) 2023-03-27 2024-08-06 VMware LLC Identifying and remediating anomalies in a self-healing network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102625184A (zh) * 2002-11-01 2012-08-01 索尼株式会社 流处理系统和流处理方法
CN103164647A (zh) * 2013-02-28 2013-06-19 华为技术有限公司 一种网络安全组的访问控制方法和安全计算机
CN104394080A (zh) * 2014-11-28 2015-03-04 杭州华三通信技术有限公司 实现安全组功能的方法及装置
US20150139238A1 (en) * 2013-11-18 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Multi-tenant isolation in a cloud environment using software defined networking
US20150150087A1 (en) * 2013-11-27 2015-05-28 Vmware, Inc. Dynamic expression evaluation based grouping of vm objects for networking and security services in a virtualized computing system
US20160065618A1 (en) * 2014-09-02 2016-03-03 Symantec Corporation Method and Apparatus for Automating Security Provisioning of Workloads

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104007997A (zh) * 2013-02-22 2014-08-27 中兴通讯股份有限公司 虚拟机安全组的配置方法及装置
CN104580027B (zh) 2013-10-25 2018-03-20 新华三技术有限公司 一种OpenFlow报文转发方法及设备
CN103581183B (zh) * 2013-10-30 2017-01-04 华为技术有限公司 一种虚拟化安全隔离方法与装置
JP6268943B2 (ja) * 2013-11-06 2018-01-31 富士通株式会社 情報処理システム,スイッチ装置及び情報処理システムの制御方法

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102625184A (zh) * 2002-11-01 2012-08-01 索尼株式会社 流处理系统和流处理方法
CN103164647A (zh) * 2013-02-28 2013-06-19 华为技术有限公司 一种网络安全组的访问控制方法和安全计算机
US20150139238A1 (en) * 2013-11-18 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Multi-tenant isolation in a cloud environment using software defined networking
US20150150087A1 (en) * 2013-11-27 2015-05-28 Vmware, Inc. Dynamic expression evaluation based grouping of vm objects for networking and security services in a virtualized computing system
US20160065618A1 (en) * 2014-09-02 2016-03-03 Symantec Corporation Method and Apparatus for Automating Security Provisioning of Workloads
CN104394080A (zh) * 2014-11-28 2015-03-04 杭州华三通信技术有限公司 实现安全组功能的方法及装置

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Dragonflow security groups at scale", 《HTTP://GALSAGIE.GITHUB.IO/2015/12/28/DRAGONFLOW- SECURITY-GROUPS/》 *
GREG STABLER: "Elastic IP and security groups implementation using openflow", 《PROCEEDINGS OF THE 6TH INTERNATIONAL WORKSHOP ON VIRTUALIZATION TECHNOLOGIES IN DISTRIBUTED COMPUTING》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131071A (zh) * 2019-12-19 2020-05-08 紫光云技术有限公司 基于OpenStack实现云主机安全组规则优先级的实现方法及系统
CN111031056A (zh) * 2019-12-20 2020-04-17 紫光云(南京)数字技术有限公司 一种在安全组中实现安全域功能的方法
CN111031056B (zh) * 2019-12-20 2021-10-12 紫光云(南京)数字技术有限公司 一种在安全组中实现安全域功能的方法
WO2022252634A1 (zh) * 2021-05-31 2022-12-08 平安科技(深圳)有限公司 数据流传输方法、装置、计算机设备及存储介质
CN116015827A (zh) * 2022-12-15 2023-04-25 北京秒如科技有限公司 一种实现安全组流表最小化的方法
CN116015827B (zh) * 2022-12-15 2024-06-04 北京秒如科技有限公司 一种实现安全组流表最小化的方法

Also Published As

Publication number Publication date
EP3522460B1 (en) 2021-12-01
CN108293019B (zh) 2020-06-02
WO2017152396A1 (zh) 2017-09-14
EP3249862B1 (en) 2019-01-09
EP3522460A1 (en) 2019-08-07
EP3249862A4 (en) 2018-02-28
US20190020627A1 (en) 2019-01-17
EP3249862A1 (en) 2017-11-29
US10715492B2 (en) 2020-07-14

Similar Documents

Publication Publication Date Title
CN108293019A (zh) 流表处理方法及装置
US11902367B2 (en) Coordinating inter-region operations in provider network environments
US10659358B2 (en) Method and apparatus for advanced statistics collection
US8478902B1 (en) Virtual gateway router
TWI583151B (zh) 實施及管理虛擬網路的系統與方法
KR20150038323A (ko) 폴리시 기반 데이터센터 네트워크 자동화를 제공하는 시스템 및 방법
CN107733795B (zh) 以太网虚拟私有网络evpn与公网互通方法及其装置
CN106209553A (zh) 报文处理方法、设备及系统
US20170288998A1 (en) Apparatus for processing network packet using service function chaining and method for controlling the same
CN106302320A (zh) 用于对用户的业务进行授权的方法、装置及系统
CN111698346A (zh) 一种专线网络地址转换方法、装置、专线网关及存储介质
EP4132197A1 (en) Communication method and related device
US11582067B2 (en) Systems and methods for providing network connectors
CN108512737B (zh) 一种数据中心ip层互联的方法和sdn控制器
CN116566830A (zh) 一种网络配置方法、装置、系统、边缘设备及存储介质
CN115002029A (zh) 一种流量转发方法、装置、设备及存储介质
Cisco Configuring IBM Channel Attach
Cisco Configuring IBM Channel Attach
Cisco Configuring IBM Channel Attach
Cisco Configuring IBM Channel Attach
Cisco Configuring IBM Channel Attach
Cisco Configuring IBM Channel Attach
Cisco Configuring IBM Channel Attach
CN117201135B (zh) 业务随行方法、装置、计算机设备及存储介质
Nakamura et al. Exploiting SRv6 for Stateless and Per-Connection-Consistent Load Balancing

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220301

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technologies Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.