CN108809797B - VPN control device, software-defined VPN implementation system and method - Google Patents


Info

Publication number
CN108809797B
Authority
CN
China
Prior art keywords
vpn
control
script
management
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810837005.8A
Other languages
Chinese (zh)
Other versions
CN108809797A (en)
Inventor
傅春乐
王佰玲
孙云霄
辛国栋
黄俊恒
王巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Institute of Technology Weihai
Original Assignee
Harbin Institute of Technology Weihai
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Institute of Technology Weihai
Priority to CN201810837005.8A
Publication of CN108809797A
Application granted
Publication of CN108809797B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5003 Managing SLA; Interaction between SLA and QoS

Abstract

The invention provides a VPN control device, a software-defined VPN implementation system and a method. The system comprises an application plane, a control plane and a data plane, and the control plane is provided with a VPN control device. The controller carries out centralized, remote and real-time control of the VPN service and the VPN terminals, realizing one-key deployment, dynamic configuration, flexible management and remote maintenance of the VPN solution. In application the method has an obvious effect and supports: centralized, remote and real-time control, management and maintenance of multi-element heterogeneous network equipment; one-key deployment, dynamic configuration and flexible change of the VPN service on multi-element heterogeneous network equipment; a software-defined secure access application scenario and solution; and a software-defined secure interconnection application scenario and solution.

Description

VPN control device, software-defined VPN implementation system and method
Technical Field
The invention relates to the field of virtual private network secure communication, in particular to a VPN control device, a software-defined VPN implementation system and a software-defined VPN implementation method.
Background
As a mature network security communication technology, the Virtual Private Network (VPN) is widely applied in the fields of cloud computing, mobile cloud computing and edge computing to provide access control, identity authentication and data encryption for network devices. With the rapid development of the internet, the complexity of network topology, the diversity of network devices and the diversity of network applications bring great difficulty to the deployment, configuration, management and maintenance of VPNs. In terms of topology, VPNs are deployed in complex network topologies such as government networks, enterprise networks, education networks, the industrial internet and the mobile internet; in terms of devices, VPNs run on heterogeneous network devices such as servers, gateways, routers, computers, tablets and mobile terminals; in terms of applications, VPNs are applied to diverse network communications such as secure access, secure interconnection and secure convergence.
Aiming at the problems of complex deployment, complex configuration, difficult management and difficult maintenance of the traditional VPN, the related research work can be divided mainly into two types. First, based on the idea of traditional Software-Defined Networking (SDN), a VPN component is embedded in a network switch with software-definition capability and the VPN function is started through a control channel between a central controller and the network switch; currently published domestic and foreign documents only include an MPLS VPN based on SDN. Second, based on the design idea of ad-hoc wireless networks, the traditional centralized VPN is decentralized and designed into a P2P VPN with no center, self-organization and dynamic topology. However, the existing work has limitations in terms of equipment deployment, operating environment and application scenarios: first, the software-defined MPLS VPN requires the support of a dedicated SDN network switch, so equipment deployment is limited; second, the MPLS VPN is a carrier-grade layer-2 VPN that is not suitable for common mobile terminals and computer terminals, so the operating environment is limited; third, the P2P VPN, although it simplifies the deployment and configuration of VPNs, increases management and operation-and-maintenance costs and is limited in application scenarios.
Disclosure of Invention
In order to overcome the above-mentioned deficiencies in the prior art, the present invention provides a VPN control apparatus comprising: the system comprises a management channel message interface, a management message analyzer, a control script generator, a control channel message interface, a file read-write interface, a management message configuration module and a script template module;
the management channel message interface is used for providing a connection port between the VPN control device and the application plane and providing a communication port between the connection port and the management message analyzer;
the management message parser is connected with the control script generator and is also connected with the management message configuration module through a file read-write interface;
the control script generator is also connected with the script template module through a file read-write interface;
the management message analyzer performs data information verification on the received data information according to a preset verification code, analyzes the data after the verification is passed, performs information extraction based on preset key information, splices the extracted information with preset information configured by the management message configuration module, and transmits the spliced information to the control script generator;
the control script generator is used for acquiring the script template from the script template module, reading the script template information, matching the spliced information transmitted by the management message parser, and matching the spliced information into the script template to form script information; the control script generator is connected with the control channel message interface and transmits the script information to the data plane through the control channel message interface.
A software-defined VPN implementation system having a VPN control means, comprising: an application plane, a control plane, and a data plane; the control plane is provided with a VPN control device;
the application plane is in communication connection with the control plane through a management channel message interface of the VPN control device;
the data plane is in communication connection with the control plane through a control channel message interface of the VPN control device;
the application plane is used for providing an operation and visual interface for a network administrator, providing a visual interface and friendly operation for centralized control and remote management of VPN network equipment, and supporting link management, protocol management, routing management, forwarding management, bandwidth management and QoS management;
the control plane is used as a controller of data communication and data processing of the system, provides verification, analysis, extraction and splicing of metadata of a link, a protocol, a route, forwarding, bandwidth and QoS (quality of service), generates a configurable network rule and outputs an executable script;
the data plane is used as a data communication plane between the VPN client and the VPN server, and a VPNC and VPNS communication link, a communication protocol, a routing rule, a forwarding rule, a bandwidth rule and a QoS rule are selected according to a script received from the control plane.
In the invention, the control plane is also used for expanding the system network rules by utilizing the preset information configured by the script template and the management message configuration module, thereby ensuring the compatibility of the network rules in the multi-element heterogeneous network equipment.
In the invention, a management channel message interface of a VPN control device is configured as a management channel;
the management channel is used for providing a data interaction interface of an application plane and a control plane, and the interface supports real-time communication based on message middleware and non-real-time communication based on a database.
In the invention, a control channel message interface of a VPN control device is configured as a control channel;
the control channel is used for providing a script interaction interface of the control plane and the data plane, and the interface guarantees the issuing of the execution script and the returning of the execution result based on the SSL protocol.
In the invention, the data information transmitted through the control channel is in a VPN control message format;
the VPN control message format is JSON format, and comprises: message id, message type, message content, message time, and message authentication code.
In the invention, id is the unique identification of the control message.
In the present invention, the data information transmitted through the control channel includes: a start-VPNS instruction, a close-VPNS instruction, a start-VPNC instruction, a close-VPNC instruction, an add-routing-rule instruction, a delete-routing-rule instruction, an add-forwarding-rule instruction, a delete-forwarding-rule instruction, an add-bandwidth-rule instruction, a delete-bandwidth-rule instruction, an add-QoS-rule instruction and a delete-QoS-rule instruction.
A software defined VPN implementation method with a VPN control device comprises the following steps:
step one, generating a VPN configuration, supporting diversity of communication protocols, heterogeneity of network equipment and customization of communication links;
step two, executing a VPN script, and supporting VPNS and VPNC service one-key deployment and change;
and step three, executing a network configuration script, supporting flexible configuration of VPN routing rules and forwarding rules of different application scenes, and supporting on-demand customization of VPN bandwidth rules and QoS rules of different service modes.
In the invention, the first step further comprises: selecting a VPN communication protocol, checking the model and the system of network equipment, selecting a VPN template, selecting VPNS and VPNC resource nodes, and generating VPNS and VPNC configuration and execution scripts;
the second step further comprises: issuing VPNS configuration and starting scripts, starting VPNS, returning VPNS starting results, issuing VPNC configuration and starting scripts, starting VPNC, and returning VPNC starting results;
the third step further comprises: selecting a routing, forwarding, bandwidth and QoS rule template and generating a configuration script;
issuing a forwarding, bandwidth and QoS rule configuration script;
executing the forwarding, bandwidth and QoS rule scripts;
returning the execution results of the forwarding, bandwidth and QoS rule script;
issuing a routing rule configuration script;
executing the routing rule script;
and returning the execution result of the routing rule script.
According to the technical scheme, the invention has the following advantages:
the software-defined VPN can utilize the controller to perform centralized, remote and real-time control of VPN services and VPN terminals, realizing one-key deployment, dynamic configuration, flexible management and remote maintenance of a VPN solution. In application the method has remarkable effects; in particular, the invention supports: centralized, remote and real-time control, management and maintenance of multi-element heterogeneous network equipment; one-key deployment, dynamic configuration and flexible change of the VPN service on multi-element heterogeneous network equipment; software-defined communication links, communication protocols and network configurations (routing, forwarding, bandwidth, QoS, etc.) for the VPN service; a software-defined secure access application scenario and solution; a software-defined secure interconnection application scenario and solution; and a software-defined secure convergence application scenario and solution.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings used in the description will be briefly introduced, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a VPN control apparatus;
fig. 2 is a schematic diagram of an embodiment of a VPN control apparatus;
fig. 3 is a schematic diagram of a software-defined VPN implementation system having a VPN control device;
fig. 4 is a schematic diagram of an embodiment of a software-defined VPN implementation system having a VPN control device;
fig. 5 is a flowchart of a software defined VPN implementation method with a VPN control device;
fig. 6 is a flowchart of an embodiment of a method for implementing a software-defined VPN with a VPN control device.
Detailed Description
The present invention provides a VPN control device, as shown in fig. 1 and 2, comprising: the system comprises a management channel message interface 1, a management message parser 2, a control script generator 3, a control channel message interface 5, a file read-write interface 4, a management message configuration module 6 and a script template module 7;
the management channel message interface 1 is used for providing a connection port between the VPN control device and the application plane and for transmitting data information received by the connection port to the management message parser 2.
The management message analyzer 2 is connected with the control script generator 3 and is also connected with the management message configuration module 6 through a file read-write interface 4; the control script generator 3 is also connected with the script template module through a file read-write interface 4;
the management message analyzer 2 performs data information verification on the received data information according to a preset verification code, analyzes the data after the verification is passed, extracts information based on preset key information, splices the extracted information with preset information configured by the management message configuration module 6, and transmits the spliced information to the control script generator 3;
the control script generator 3 is used for acquiring the script template from the script template module 7, reading the script template information, matching the spliced information transmitted by the management message parser 2, and matching the spliced information into the script template to form script information; the control script generator 3 is connected with the control channel message interface 5, and the control script generator 3 transmits the script information to the data plane through the control channel message interface 5.
The present invention also provides a software-defined VPN implementation system having a VPN control apparatus, as shown in fig. 3 and 4, including: an application plane 11, a control plane 12, and a data plane 13; the control plane 12 is provided with a VPN control device;
the application plane 11 is in communication connection with the control plane 12 through a management channel message interface of the VPN control device; the data plane 13 is in communication connection with the control plane 12 through a control channel message interface of the VPN control device; the application plane 11 is used for providing an operation and visual interface for a network administrator, providing a visual interface and friendly operation for centralized control and remote management of the VPN network equipment, and supporting link management, protocol management, route management, forwarding management, bandwidth management and QoS management; the control plane 12 is used as a controller for data communication and data processing of the system, provides verification, parsing, extraction and splicing of link, protocol, routing, forwarding, bandwidth and QoS metadata, generates configurable network rules, and outputs executable scripts; the data plane 13 is used as the data communication plane of the VPN client and VPN server, and selects the VPNC and VPNS communication link, communication protocol, routing rule, forwarding rule, bandwidth rule and QoS rule according to the script received from the control plane 12.
The invention can carry out remote centralized control on the VPN terminal, flexibly, quickly and effectively carry out VPN deployment, configuration, management and maintenance, and specifically comprises the following steps: software-defined VPN communication links, communication protocols, routing rules, forwarding rules, bandwidth rules, Quality of Service (QoS) rules, etc. The software-defined VPN provided by the invention is suitable for a cross-platform operating system, is suitable for multiple heterogeneous network equipment such as a server, a gateway, a router, a computer, a tablet, a mobile terminal and the like, can be widely applied to the fields of safety communication such as safety access, safety interconnection, safety convergence and the like, and has wide application prospect.
The invention mainly solves the following problems: the multi-element heterogeneous network equipment is controlled, managed and maintained in a centralized, remote and real-time manner; one-key deployment, dynamic configuration and flexible change of the VPN service of the multi-element heterogeneous network equipment; the software defined method of communication link, communication protocol, network configuration (routing, forwarding, bandwidth, QoS, etc.) of the virtual overlay network carried on the multi-element heterogeneous network device.
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions of the present invention will be clearly and completely described below with reference to specific embodiments and drawings. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the scope of protection of this patent.
In the embodiment provided by the invention, the idea of software definition is borrowed and an implementation method of the software-defined VPN is provided: the controller carries out centralized, remote and real-time control of the VPN service and VPN terminals, realizing one-key deployment, dynamic configuration, flexible management and remote maintenance of the VPN solution. Meanwhile, the implementation method of the software-defined VPN is suitable for multiple heterogeneous network devices, and comprises a software system and a software-defined VPN hardware device applicable to servers, gateways, routers, computers, tablets and mobile terminals. In summary, the differences between the software-defined VPN of the present invention and a conventional VPN are summarized in table 1.
TABLE 1 Difference between software-defined VPNs and traditional VPNs
[Table 1 appears only as an image on the original page and is not reproduced here.]
The invention provides a software-defined VPN service mode and a management method based on a forwarding and control separation idea of an SDN (software defined network), so as to reduce the complexity of the operation of deployment, configuration, management, operation and maintenance and the like of a multi-element VPN network device in a heterogeneous network environment.
The whole framework is divided from top to bottom into three planes and two channels: the three planes are the application plane, the control plane and the data plane, and the two channels are the management channel and the control channel, specifically as follows:
application plane: the method is oriented to network administrators, provides a visual interface and friendly operation for centralized control and remote management of VPN network equipment, supports link management, protocol management, routing management, forwarding management, bandwidth management, QoS management and the like, and reduces the threshold of traditional field command line management.
Management channel: provides the data interaction interface between the application plane and the control plane; the interface supports real-time communication based on message middleware and non-real-time communication based on a database, and the actual definition of the interface can be determined according to the real-time response requirement of the service.
A control plane: the 'brain' of the software defined VPN takes a controller as a main body, provides verification, analysis, extraction and splicing of metadata such as links, protocols, routing, forwarding, bandwidth and QoS (quality of service), generates configurable network rules and outputs an executable script. In addition, the controller ensures the compatibility of the network rules in the multiple heterogeneous network devices by utilizing the expandability of the template.
A control channel: and providing a script interaction interface of a control plane and a data plane, wherein the interface ensures the safety, confidentiality and integrity of the issuing of the execution script and the returning of the execution result based on an SSL protocol.
A data plane: as the data communication plane of the VPN client (VPNC) and VPN server (VPNS), the VPNC and VPNS communication link, communication protocol, routing rule, forwarding rule, bandwidth rule and QoS rule can be flexibly selected according to the script received from the control plane.
Compared with the traditional VPN implementation mode, the software-defined VPN provides one-key deployment, dynamic configuration, flexible management and remote maintenance for implementing the VPN solution. Compared with the design idea of the SDN, the software-defined VPN defines an overlay network on the existing network topology and does not replace the existing network equipment with the SDN switch, so that the method has the characteristics of low cost and easiness in implementation.
The VPN control device mainly comprises a management channel message interface, a management message analyzer, a control script generator, a control channel message interface, a file read-write interface and a plurality of configuration and template files.
In the embodiment provided by the invention, the control plane is also used for expanding the system network rules by utilizing the preset information configured by the script template and the management message configuration module, and ensuring the compatibility of the network rules in the multi-element heterogeneous network equipment.
A management channel message interface of the VPN control device is configured as a management channel; the management channel is used for providing a data interaction interface of an application plane and a control plane, and the interface supports real-time communication based on message middleware and non-real-time communication based on a database.
In the embodiment provided by the invention, a control channel message interface of the VPN control device is configured as a control channel; the control channel is used for providing a script interaction interface of the control plane and the data plane, and the interface guarantees the issuing of the execution script and the returning of the execution result based on the SSL protocol.
And the management channel message interface receives a VPN control command message sent by the application plane, and the management message analyzer sequentially performs verification, analysis, extraction and splicing on the metadata. And meanwhile, the control script generator matches and reads the corresponding template file according to the equipment model and the system version of the VPN network equipment, replaces the content of the spliced data in a parameter transmission mode, calculates the checksum, transmits the script to the VPN network equipment through a control channel message interface, and waits for a returned execution result.
In the embodiment provided by the invention, the data information transmitted through the control channel is in a VPN control message format; the VPN control message format is JSON format, and comprises: message id, message type, message content, message time, and message authentication code.
VPN control messages fall into two broad categories: downstream control messages that the controller sends to the VPNS/VPNC, and upstream control messages that the controller receives from the VPNS/VPNC. Both are in JSON format; their layouts are given as an image on the original page (not reproduced here), and the fields are defined as follows.
id is the unique identifier of the control message, type and content are the message type and the message content respectively, result is the message execution result, time is the message time, and mac is the message authentication code computed over the message, which guarantees message integrity.
In the embodiment provided by the present invention, the data information transmitted through the control channel includes: a start-VPNS instruction, a close-VPNS instruction, a start-VPNC instruction, a close-VPNC instruction, an add-routing-rule instruction, a delete-routing-rule instruction, an add-forwarding-rule instruction, a delete-forwarding-rule instruction, an add-bandwidth-rule instruction, a delete-bandwidth-rule instruction, an add-QoS-rule instruction and a delete-QoS-rule instruction.
The specific format of the message type and the message content is shown in table 2.
Table 2 VPN control message content table
[Table 2 appears only as an image on the original page and is not reproduced here.]
The italic part of the message content in table 2 is the specific parameter of the shell script content, which the VPN control device must supply according to the actual VPNS/VPNC configuration. vpns.conf and vpnc.conf are the configuration files of the VPNS and the VPNC respectively; destination is the destination network address (or address range), interface is the network card interface, source is the source network address (or address range), bandwidth is the bandwidth, id is the rule identifier, and port is the port number.
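The controller pipeline described above (verify the message authentication code, parse the JSON, extract the key parameters, splice them into the device-matched template, checksum the script) as an added example; this is not code from the patent. The page names neither the MAC algorithm nor the template contents, so HMAC-SHA256 over the canonical JSON of every field except mac, the shared key, the (model, system) template table and the `ip route` command text are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import json
import re

# Assumption: HMAC-SHA256 over the canonical JSON of every field except "mac",
# keyed with a secret shared between the controller and each VPNS/VPNC.
SHARED_KEY = b"constructed-example-key-replace-in-deployment"  # constructed


def compute_mac(msg):
    """MAC over all fields except 'mac' (canonical JSON: sorted keys, no spaces)."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def build_message(msg_id, msg_type, content, msg_time, result=None):
    """Assemble a message in the id/type/content/time/mac layout of the page.

    Upstream (VPNS/VPNC -> controller) messages additionally carry 'result'.
    """
    msg = {"id": msg_id, "type": msg_type, "content": content, "time": msg_time}
    if result is not None:
        msg["result"] = result
    msg["mac"] = compute_mac(msg)
    return msg


def to_wire(msg):
    """Serialize a message for the control or management channel (JSON text)."""
    return json.dumps(msg)


def verify_message(raw):
    """Parse a JSON control message; reject it when the MAC does not match."""
    msg = json.loads(raw)
    received = str(msg.get("mac", "")).encode()
    if not hmac.compare_digest(compute_mac(msg).encode(), received):
        raise ValueError("mac mismatch on message %s" % msg.get("id"))
    return msg


# Script templates keyed by (device model, system version). The command text is
# illustrative; the patent's own template files are not on the page.
TEMPLATES = {
    ("gateway", "linux"): {
        "add_route": "ip route add {destination} dev {interface}",
        "del_route": "ip route del {destination} dev {interface}",
    },
}

# Every value spliced into a template ends up inside an executable shell
# script, so each key parameter is normalised and validated before substitution.
VALIDATORS = {
    "destination": lambda v: str(ipaddress.ip_network(v, strict=False)),
    "interface": lambda v: re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", v).group(0),
}


def extract_params(content, wanted):
    """Information extraction: pull and validate the parameters a template needs."""
    params = {}
    for name in wanted:
        try:
            params[name] = VALIDATORS[name](content[name])
        except (KeyError, TypeError, ValueError, AttributeError):
            raise ValueError("invalid or missing parameter: %s" % name)
    return params


def generate_script(msg, model, system):
    """Match the template for this device, splice in the parameters, checksum it."""
    template = TEMPLATES[(model, system)][msg["type"]]
    wanted = re.findall(r"{(\w+)}", template)
    script = template.format(**extract_params(msg["content"], wanted)) + "\n"
    return script, hashlib.sha256(script.encode()).hexdigest()


def handle_command(raw, model, system):
    """Controller pipeline: verify -> parse -> extract -> splice -> emit downstream."""
    cmd = verify_message(raw)
    script, checksum = generate_script(cmd, model, system)
    return build_message(cmd["id"], cmd["type"],
                         {"script": script, "checksum": checksum}, cmd["time"])


if __name__ == "__main__":
    # Constructed sample command as the application plane would send it.
    cmd = build_message("m-0001", "add_route",
                        {"destination": "10.8.0.0/24", "interface": "tun0"},
                        1700000000)
    downstream = handle_command(to_wire(cmd), "gateway", "linux")
    print(downstream["content"]["script"], end="")
    # A message altered after its MAC was computed is rejected.
    cmd["content"]["interface"] = "eth0"
    try:
        verify_message(to_wire(cmd))
    except ValueError as err:
        print("rejected:", err)
```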
In the embodiment provided by the invention, interconnection and intercommunication of intelligent devices: because of differences in device type, operating system, network environment, communication protocol and other factors, intelligent devices face a technical bottleneck in network interconnection and data intercommunication. Using VPN technology, a virtual local area network can be constructed over public internet links, so that data communication among intelligent devices breaks through the internal and external network limitations of heterogeneous networks such as local area networks, metropolitan area networks and wide area networks. The software-defined VPN provided by the invention can realize interconnection and intercommunication of intelligent devices flexibly, efficiently and conveniently; the user does not need to configure, manage and maintain the VPNS and the VPNC in person, and only needs to configure as required in the management system of the software-defined VPN application plane.
In the embodiment provided by the present invention, example 1: the intelligent equipment creates a virtual local area network;
solution 1: the user creates a network group in the management system, and adds intelligent equipment in the group, so that all the configurations of the user can be completed. The controller selects VPNS resources and VPNC terminals, generates control messages for starting VPNS and VPNC, and sequentially starts VPNS and VPNC to realize intelligent equipment interconnection.
In the embodiment provided by the present invention, example 2: adding a new intelligent device to the virtual local area network;
Solution 2: the user selects network grouping in the management system, and adds new intelligent equipment in the grouping, so that the equipment can be interconnected with the original intelligent equipment. The controller inquires VPNS resources belonging to the network group, generates a VPNC starting control message, and starts the newly-added intelligent equipment VPNC to realize the addition of the newly-added intelligent equipment into the virtual local area network.
In the embodiment provided by the present invention, example 3: an intelligent device leaves the virtual local area network.
Solution 3: the user selects the network group in the management system and deletes the intelligent device from the group; the device then leaves the original virtual local area network. The controller generates a VPNC stop control message and closes the VPNC of the intelligent device, so that it exits the virtual local area network.
The present invention also provides a software-defined VPN implementation method having a VPN control apparatus, as shown in fig. 5 and 6; the method comprises:
step one, generating VPN configuration, supporting communication protocol diversity, network equipment heterogeneity and communication link customization;
step two, executing a VPN script, supporting one-key deployment and change of VPNS and VPNC services;
step three, executing a network configuration script, supporting flexible configuration of VPN routing rules and forwarding rules for different application scenarios, and supporting on-demand customization of VPN bandwidth rules and QoS rules for different service modes.
In the method, the first step further comprises the following steps: selecting a VPN communication protocol, checking the model and the system of network equipment, selecting a VPN template, selecting VPNS and VPNC resource nodes, and generating VPNS and VPNC configuration and execution scripts;
the second step further comprises: issuing VPNS configuration and starting scripts, starting VPNS, returning VPNS starting results, issuing VPNC configuration and starting scripts, starting VPNC, and returning VPNC starting results;
the third step further comprises: selecting a routing, forwarding, bandwidth and QoS rule template and generating a configuration script;
issuing a forwarding, bandwidth and QoS rule configuration script;
executing the forwarding, bandwidth and QoS rule scripts;
returning the execution results of the forwarding, bandwidth and QoS rule script;
issuing a routing rule configuration script;
executing the routing rule script;
and returning the execution result of the routing rule script.
The VPN control flow involves three parties, namely the controller device, the VPNS device and the VPNC device, and consists of 17 steps in total, as shown in fig. 3. Overall, the flow can be divided into three stages: the first stage, steps 1-4, generates the VPN configuration and supports communication protocol diversity, network equipment heterogeneity and communication link customization; the second stage, steps 5-10, executes the VPN script and supports one-key deployment and fast change of VPNS and VPNC services; the third stage, steps 11-17, executes the network configuration script, supports flexible configuration of VPN routing rules and forwarding rules for different application scenarios, and supports on-demand customization of VPN bandwidth rules and QoS rules for different service modes.
The software-defined VPN uses the controller to perform centralized, remote and real-time control of VPN services and VPN terminals, and realizes one-key deployment, dynamic configuration, flexible management and remote maintenance of a VPN solution. In application the method has notable effects; the invention supports: centralized, remote and real-time control, management and maintenance of multi-element heterogeneous network equipment; one-key deployment, dynamic configuration and flexible change of the VPN services of multi-element heterogeneous network equipment; software-defined communication links, communication protocols and network configurations (routing, forwarding, bandwidth, QoS, etc.) for the VPN service; software-defined secure access application scenarios and solutions; software-defined secure interconnection application scenarios and solutions; and software-defined secure convergence application scenarios and solutions.
The practical scope of the invention includes: secure access for mobile offices of enterprises, businesses, government affairs and the like; secure interconnection for information intercommunication in smart cities, smart traffic, smart medical treatment and the like; and secure convergence of mass data from edge network equipment, core backbone network equipment, data centers, cloud computing platforms and the like. The invention therefore has wide application prospects.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (5)

1. A VPN control apparatus, comprising: a management channel message interface, a management message parser, a control script generator, a control channel message interface, a file read-write interface, a management message configuration module and a script template module;
the management channel message interface is used for providing a connection port between the VPN control apparatus and the application plane and transmitting data information received on the connection port to the management message parser;
the management message parser is connected with the control script generator and is also connected with the management message configuration module through the file read-write interface;
the control script generator is also connected with the script template module through the file read-write interface;
the management message parser verifies the received data information against a preset verification code, parses the data once verification has passed, extracts information based on preset key information, splices the extracted information with the preset information configured by the management message configuration module, and transmits the spliced information to the control script generator;
the control script generator is used for acquiring the script template from the script template module, reading the script template information, and matching the spliced information transmitted by the management message parser into the script template to form script information; the control script generator is connected with the control channel message interface and transmits the script information to the data plane through the control channel message interface.
2. A software-defined VPN implementation system having a VPN control apparatus, comprising: an application plane, a control plane, and a data plane; the control plane is provided with a VPN control device;
the application plane is in communication connection with the control plane through a management channel message interface of the VPN control device;
the data plane is in communication connection with the control plane through a control channel message interface of the VPN control device;
the application plane is used for providing an operation and visual interface for a network administrator, providing a visual interface and friendly operation for centralized control and remote management of VPN network equipment, and supporting link management, protocol management, routing management, forwarding management, bandwidth management and QoS management;
the control plane is used as a controller of data communication and data processing of the system, provides verification, analysis, extraction and splicing of metadata of a link, a protocol, a route, forwarding, bandwidth and QoS (quality of service), generates a configurable network rule and outputs an executable script;
the controller ensures the compatibility of the network rules in the multi-element heterogeneous network equipment by utilizing the expandability of the template;
the control channel provides a script interaction interface between the control plane and the data plane, and the script interaction interface guarantees the security, confidentiality and integrity of the issuing of execution scripts and the returning of execution results based on the SSL protocol;
the VPN control device consists of a management channel message interface, a management message parser, a control script generator, a control channel message interface, a file read-write interface and a plurality of configuration and template files;
the control plane is also used for expanding the system network rules by utilizing the preset information configured by the script template and the management message configuration module, and ensuring the compatibility of the network rules in the multi-element heterogeneous network equipment;
a management channel message interface of the VPN control device is configured as a management channel; the management channel is used for providing a data interaction interface of an application plane and a control plane, the data interaction interface supports real-time communication based on message middleware and supports non-real-time communication based on a database;
the management channel message interface receives a VPN control command message sent by the application plane, and the management message parser sequentially performs verification, parsing, extraction and splicing on the metadata;
meanwhile, the control script generator matches and reads the corresponding template file according to the equipment model and system version of the VPN network equipment, substitutes the spliced data into the template by parameter passing, calculates the checksum, transmits the script to the VPN network equipment through the control channel message interface, and waits for the returned execution result;
the data plane is used as a data communication plane between the VPN client and the VPN server, and selects a VPNC and VPNS communication link, a communication protocol, a routing rule, a forwarding rule, a bandwidth rule and a QoS rule according to a script received from the control plane; the data information transmitted through the control channel is in a VPN control message format;
the VPN control message format is JSON format, and comprises: message id, message type, message content, message time, and message authentication code.
3. The software-defined VPN implementation system with a VPN control device of claim 2, wherein
the message id is the unique identifier of the control message.
4. The software-defined VPN implementation system with a VPN control device of claim 3, wherein
the data information transmitted through the control channel includes: a VPNS start instruction, a VPNS stop instruction, a VPNC start instruction, a VPNC stop instruction, a routing rule add instruction, a routing rule delete instruction, a forwarding rule add instruction, a forwarding rule delete instruction, a bandwidth rule add instruction, a bandwidth rule delete instruction, a QoS rule add instruction and a QoS rule delete instruction.
5. A software-defined VPN implementation method, which is implemented based on the software-defined VPN implementation system of claim 2, characterized in that the method comprises:
the first step comprises the following steps: selecting a VPN communication protocol, checking the model and the system of network equipment, selecting a VPN template, selecting VPNS and VPNC resource nodes, and generating VPNS and VPNC configuration and execution scripts;
the second step comprises the following steps: issuing VPNS configuration and starting scripts, starting VPNS, returning VPNS starting results, issuing VPNC configuration and starting scripts, starting VPNC, and returning VPNC starting results;
the third step comprises: selecting a routing, forwarding, bandwidth and QoS rule template and generating a configuration script;
issuing a forwarding, bandwidth and QoS rule configuration script;
executing the forwarding, bandwidth and QoS rule scripts;
returning the execution results of the forwarding, bandwidth and QoS rule script;
issuing a routing rule configuration script;
executing the routing rule script;
and returning the execution result of the routing rule script.
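As an added illustration, not code from the patent, the following Python sketch models the JSON control message of claims 2 to 4 and the verify, parse, extract, splice and template steps of claim 1 and the control flow above. HMAC-SHA256 as the message authentication code, the {{name}} template placeholders, the instruction names and the preset values are all assumptions; note that the parser verifies the message authentication code before it parses or uses any field, and that values spliced into an executable script are restricted to plain tokens.

```python
"""Constructed model of the control-channel message (claims 2 to 4) and of the
verify, parse, extract, splice and template steps of claim 1. Added illustration,
not the patent's code: HMAC-SHA256 as the message authentication code, {{name}}
template placeholders and the instruction names are all assumptions."""
import hashlib, hmac, json, re, time, uuid

MANAGEMENT_KEY = b"constructed-demo-key"  # shared by application plane and controller
# Twelve instructions of claim 4; spelling of the names is assumed.
INSTRUCTIONS = {"vpns_start", "vpns_stop", "vpnc_start", "vpnc_stop",
                "route_add", "route_del", "forward_add", "forward_del",
                "bandwidth_add", "bandwidth_del", "qos_add", "qos_del"}
# Key information extracted per instruction (constructed subset).
REQUIRED_KEYS = {"vpnc_start": ("server", "port")}
# Values land in an executable script, so only plain tokens are accepted.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._:-]+$")


def _mac(body: dict, key: bytes) -> str:
    # MAC over canonical JSON of id, type, content and time, so verification
    # covers the whole message rather than the content field alone.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build_message(msg_type: str, content: dict, key: bytes = MANAGEMENT_KEY, now=None) -> str:
    """Application plane side: JSON with id, type, content, time and mac."""
    body = {"id": str(uuid.uuid4()), "type": msg_type, "content": content,
            "time": int(time.time() if now is None else now)}
    body["mac"] = _mac(body, key)
    return json.dumps(body)


def parse_message(raw: str, key: bytes = MANAGEMENT_KEY, max_age: int = 60, now=None) -> dict:
    """Controller side: verify the MAC before anything else, then type, freshness, fields."""
    msg = json.loads(raw)
    body = {k: msg[k] for k in ("id", "type", "content", "time")}
    if not hmac.compare_digest(_mac(body, key), str(msg.get("mac", ""))):
        raise ValueError("message authentication code mismatch")
    if msg["type"] not in INSTRUCTIONS:
        raise ValueError("unknown instruction type")
    if abs((time.time() if now is None else now) - msg["time"]) > max_age:
        raise ValueError("message time outside the accepted window")
    for name in REQUIRED_KEYS.get(msg["type"], ()):
        if not _SAFE_TOKEN.match(str(msg["content"].get(name, ""))):
            raise ValueError(f"missing or unsafe value for {name}")
    return msg


# Constructed template and preset information; the patent keeps these in the
# script template module and the management message configuration module.
VPNC_START_TEMPLATE = "vpnc start --server {{server}} --port {{port}} --proto {{proto}}\n"
PRESET = {"proto": "openvpn"}


def render_script(msg: dict, template: str = VPNC_START_TEMPLATE, preset: dict = PRESET) -> dict:
    """Splice extracted fields with preset info, fill the template, attach a checksum."""
    spliced = {**preset, **{k: msg["content"][k] for k in REQUIRED_KEYS.get(msg["type"], ())}}
    script = template
    for name, value in spliced.items():
        script = script.replace("{{" + name + "}}", str(value))
    if "{{" in script:
        raise ValueError("template parameter left unfilled")
    return {"script": script, "checksum": hashlib.sha256(script.encode()).hexdigest()}
```

The checksum travels with the script over the SSL control channel so the VPN device can confirm it executes exactly what the controller generated.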
CN201810837005.8A 2018-07-26 2018-07-26 VPN control device, software-defined VPN implementation system and method Active CN108809797B (en)
Publications (2)

Publication Number Publication Date
CN108809797A CN108809797A (en) 2018-11-13
CN108809797B true CN108809797B (en) 2020-09-08

Family

ID=64078204


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105357099A (en) * 2015-12-18 2016-02-24 Nanjing Yousu Network Technology Co., Ltd. Implementation method of VPN (virtual private network) on the basis of SDN (software defined network)
CN107026784A (en) * 2017-06-13 2017-08-08 University of Electronic Science and Technology of China Remote virtual private network gateway apparatus and implementation method
CN107637031A (en) * 2015-07-06 2018-01-26 Huawei Technologies Co., Ltd. Path computation element central controller (PCECC) for networks

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9985799B2 (en) * 2014-09-05 2018-05-29 Alcatel-Lucent Usa Inc. Collaborative software-defined networking (SDN) based virtual private network (VPN)
US10637889B2 (en) * 2015-07-23 2020-04-28 Cisco Technology, Inc. Systems, methods, and devices for smart mapping and VPN policy enforcement
US10567347B2 (en) * 2015-07-31 2020-02-18 Nicira, Inc. Distributed tunneling for VPN

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"SDxVPN: A software-defined solution for VPN service providers"; Mirkhanzadeh B., Taheri N., Khorsandi S.; IEEE/IFIP Network Operations and Management Symposium, IEEE, 2016; 2016-04-30; full text *
"Design and Implementation of MPLS VPN Based on SDN Architecture"; Ouyang Chi; China Master's Theses Full-text Database, Information Science and Technology Series; 2016-03-15 (No. 3, 2016); full text *
"Research and Implementation of SDN-based Unified VPN Management Technology"; Yin Ting; China Master's Theses Full-text Database, Information Science and Technology Series; 2016-12-15 (No. 12, 2016); full text *

Also Published As

Publication number Publication date
CN108809797A (en) 2018-11-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant