CN108833282A - Data forwarding method, system, device and SDN switch - Google Patents

Data forwarding method, system, device and SDN switch Download PDF

Info

Publication number
CN108833282A
CN108833282A CN201810659380.8A CN201810659380A CN108833282A CN 108833282 A CN108833282 A CN 108833282A CN 201810659380 A CN201810659380 A CN 201810659380A CN 108833282 A CN108833282 A CN 108833282A
Authority
CN
China
Prior art keywords
data packet
sent
proxy server
sdn switch
receiving end
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810659380.8A
Other languages
Chinese (zh)
Inventor
汪利福
王泽�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Yun Shu Network Technology Co Ltd
Original Assignee
Beijing Yun Shu Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Yun Shu Network Technology Co Ltd filed Critical Beijing Yun Shu Network Technology Co Ltd
Priority to CN201810659380.8A priority Critical patent/CN108833282A/en
Publication of CN108833282A publication Critical patent/CN108833282A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • H04L49/30Peripheral units, e.g. input or output ports
    • H04L49/3009Header conversion, routing tables or routing tags
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the present invention provides a kind of data forwarding method, system, device and SDN switch, belongs to Internet technical field.This method receives the data packet that transmitting terminal is sent to receiving end by SDN switch,Then SDN switch sends data packets to proxy server,So that the proxy server judges whether the data packet is Attacking Packets,When it is Attacking Packets that proxy server, which judges the data packet not,,Obtain the data packet that the proxy server is sent,Then the data packet is sent to the receiving end according to the destination address by the SDN switch,So that the receiving end obtains the address of the transmitting terminal from the data packet,Thus,SDN switch is carrying out that the content in data packet need not be changed when data packet forwarding,Receiving end can obtain the address information of transmitting terminal from received data packet,So as to be traced to transmitting terminal,The operation such as statistics or analysis,Improve the reliability traced to data packet.

Description

Data forwarding method, system, device and SDN switch
Technical field
The present invention relates to Internet technical fields, in particular to a kind of data forwarding method, system, device and SDN Interchanger.
Background technique
Seven layer network protectiving schemes are typically all that the method based on agency is realized, request arrives first at proxy server, by It is forwarded to destination server again after proxy server filtering query-attack.In traditional layer transparent Proxy Method, user terminal Do not know and judge whether data packet needs to act on behalf of after the presence of proxy server, proxy server receive request, if so, by generation Reason server forwards the data to destination server, then the data forwarding that destination server is returned is acted on behalf of to user terminal Server carries out the transfer and interaction of data packet as intermediate equipment between user terminal and destination server.
And in traditional transparent proxy method, it is necessary to be disposed and be configured by certain network topology to meet agency's clothes Business device carries out the function of interim data.Its proxy server in the source address that needed when data packet forwarding in data packet and Destination address is changed, i.e., when user terminal sends data packet to destination server, the source address in the data packet is to use The address of family terminal, destination address is the address of proxy server, and proxy server sends data packets to destination server When, the source address in data packet need to be changed to the address of proxy server by proxy server, and destination address is changed to destination server Address the address that source address is proxy server, institute can only be obtained from data packet so destination server receives data packet It not can know that the data packet is sent from which user terminal with destination server, to can not carry out to user terminal Retrospect also the operation such as can not be counted or be analyzed to the user terminal for sending data packet.
Summary of the invention
In view of this, be designed to provide a kind of data forwarding method, system, device and the SDN of the embodiment of the present invention are handed over It changes planes, to improve the above problem.
In a first aspect, the embodiment of the invention provides a kind of data forwarding method, the method includes:
SDN switch receives the data packet that transmitting terminal is sent to receiving end, includes source address and purpose in the data packet Address, the source address are the address of the transmitting terminal, and the destination address is the address of the receiving end;
The data packet is sent to proxy server by the SDN switch, so that described in proxy server judgement Whether data packet is Attacking Packets, when it is Attacking Packets that the proxy server, which judges the data packet not, obtains institute State the data packet of proxy server transmission;
The data packet is sent to the receiving end according to the destination address by the SDN switch, so that described connect Receiving end obtains the address of the transmitting terminal from the data packet.
Further, the SDN switch obtains transmitting terminal and is sent to after the data packet of receiving end, the SDN exchange The data packet is sent to proxy server by machine, so that the proxy server judges whether the data packet is attack data Packet detection, it is described before obtaining the proxy server to judge the data packet or not sent when being Attacking Packets Method further includes:
The SDN switch judges whether carry Agent Markup in the data packet;
When to be, then follow the steps:The data packet is sent to proxy server by the SDN switch, so that institute It states proxy server and judges whether the data packet is Attacking Packets detection, obtain the proxy server and judge the data The data packet that packet is sent when not being Attacking Packets.
Further, the SDN switch obtains transmitting terminal and is sent to after the data packet of receiving end, the SDN exchange The data packet is sent to proxy server by machine, so that the proxy server judges whether the data packet is attack data Packet detection, it is described before obtaining the proxy server to judge the data packet or not sent when being Attacking Packets Method further includes:
The SDN switch judges whether carry Agent Markup in the data packet;
When to be, the SDN switch sends inquiry message to SDN controller;
The SDN switch receives the forward rule sent from the SDN controller according to the inquiry message, described The data packet for carrying the Agent Markup is sent to the proxy server for the SDN switch by forward rule;
The data packet is sent to proxy server according to the forward rule by the SDN switch, so that the generation Reason server judges whether the data packet is Attacking Packets detection, obtains the proxy server and judges the data packet not The data packet sent when being Attacking Packets.
Further, the data packet is sent to the receiving end according to the destination address by the SDN switch, with The receiving end is set to obtain the address of the transmitting terminal from the data packet, including:
The data packet is sent to the reception according to default forward mode according to destination address by the SDN switch End, so that the receiving end obtains the address of the transmitting terminal from the data packet.
Second aspect, the embodiment of the invention provides a kind of data forwarding system, the data forwarding system includes sending End, SDN switch, proxy server and receiving end, the transmitting terminal and the SDN switch communicate to connect, and the SDN is handed over It changes planes and is connect with the proxy server communication, the SDN switch and the receiving end communicate to connect;
The transmitting terminal includes source address and destination in the data packet for sending data packet to the receiving end Location, the source address are the address of the transmitting terminal, and the destination address is the address of the receiving end;
The SDN switch, for receiving the data packet;
The SDN switch is also used to the data packet being sent to proxy server;
The proxy server is sentenced for judging whether the data packet is Attacking Packets in the proxy server When the data packet of breaking is not Attacking Packets, the data packet is sent to the SDN switch;
The SDN switch is also used to obtain the data packet that the proxy server is sent;
The SDN switch is also used to that the data packet is sent to the receiving end according to the destination address, so that The receiving end obtains the address of the transmitting terminal from the data packet.
The third aspect, the embodiment of the invention provides a kind of data forwarding devices, run on SDN switch, described device Including:
Packet-receiving module, the data packet for being sent to receiving end for receiving transmitting terminal include source in the data packet Address and destination address, the source address are the address of the transmitting terminal, and the destination address is the address of the receiving end;
First forwarding module, for the data packet to be sent to proxy server, so that the proxy server judges Whether the data packet is Attacking Packets, when it is Attacking Packets that the proxy server, which judges the data packet not, is obtained The data packet for taking the proxy server to send;
Second forwarding module, for the data packet to be sent to the receiving end according to the destination address, so that institute State the address that receiving end obtains the transmitting terminal from the data packet.
Further, described device further includes:
Agent Markup detection module when to be, is executed for judging whether carry Agent Markup in the data packet Step performed by second forwarding module.
Further, described device further includes:
Agent Markup detection module, for judging whether carry Agent Markup in the data packet, when to be, to SDN controller sends inquiry message;
Forward rule receiving module, for receiving the forwarding sent from the SDN controller according to the inquiry message The data packet for carrying the Agent Markup is sent to the agency for the SDN switch and taken by rule, the forward rule Business device;
First forwarding module, specifically for the data packet is sent to agency service according to the forward rule Device obtains the proxy server and sentences so that the proxy server judges whether the data packet is Attacking Packets detection Break the data packet sent when the data packet is not Attacking Packets.
Further, second forwarding module, being specifically used for will be described according to default forward mode according to destination address Data packet is sent to the receiving end, so that the receiving end obtains the address of the transmitting terminal from the data packet.
Fourth aspect, the embodiment of the present invention provide a kind of SDN switch, including processor and memory, the storage Device is stored with computer-readable instruction fetch, and when the computer-readable instruction fetch is executed by the processor, operation is such as above-mentioned The step in the method that first aspect provides.
The beneficial effect of the embodiment of the present invention is:
The embodiment of the present invention provides a kind of data forwarding method, system, device and SDN switch, and this method passes through SDN and hands over It changes planes and receives the data packet that transmitting terminal is sent to receiving end, include source address and destination address, the source in the data packet Location is the address of the transmitting terminal, and the destination address is the address of the receiving end, and then the SDN switch is by the number It is sent to proxy server according to packet, so that the proxy server judges whether the data packet is Attacking Packets, described Proxy server judges the data packet not when being Attacking Packets, obtains the data packet that the proxy server is sent, then The data packet is sent to the receiving end according to the destination address by the SDN switch, so that the receiving end is from institute The address that the transmitting terminal is obtained in data packet is stated, SDN switch need not change data packet when carrying out data packet forwarding as a result, In content, receiving end can obtain the address information of transmitting terminal from received data packet, so as to be traced to transmitting terminal, The operation such as statistics or analysis, improves the reliability traced to data packet.
Other features and advantages of the present invention will be illustrated in subsequent specification, also, partly be become from specification It is clear that by implementing understanding of the embodiment of the present invention.The objectives and other advantages of the invention can be by written theory Specifically noted structure is achieved and obtained in bright book, claims and attached drawing.
Detailed description of the invention
In order to illustrate the technical solution of the embodiments of the present invention more clearly, below will be to needed in the embodiment attached Figure is briefly described, it should be understood that the following drawings illustrates only certain embodiments of the present invention, therefore is not construed as pair The restriction of range for those of ordinary skill in the art without creative efforts, can also be according to this A little attached drawings obtain other relevant attached drawings.
Fig. 1 is the structural block diagram of data forwarding system in the prior art;
Fig. 2 is a kind of structural block diagram of data forwarding system provided in an embodiment of the present invention;
Fig. 3 shows a kind of structural block diagram that can be applied to the electronic equipment in the embodiment of the present application;
Fig. 4 is a kind of flow chart of data forwarding method provided in an embodiment of the present invention;
Fig. 5 is a kind of structural block diagram of data forwarding device provided in an embodiment of the present invention;
Fig. 6 is a kind of structural block diagram of SDN switch provided in an embodiment of the present invention.
Specific embodiment
Below in conjunction with attached drawing in the embodiment of the present invention, technical solution in the embodiment of the present invention carries out clear, complete Ground description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Usually exist The component of the embodiment of the present invention described and illustrated in attached drawing can be arranged and be designed with a variety of different configurations herein.Cause This, is not intended to limit claimed invention to the detailed description of the embodiment of the present invention provided in the accompanying drawings below Range, but it is merely representative of selected embodiment of the invention.Based on the embodiment of the present invention, those skilled in the art are not doing Every other embodiment obtained under the premise of creative work out, shall fall within the protection scope of the present invention.
It should be noted that:Similar label and letter indicate similar terms in following attached drawing, therefore, once a certain Xiang Yi It is defined in a attached drawing, does not then need that it is further defined and explained in subsequent attached drawing.Meanwhile of the invention In description, term " first ", " second " etc. are only used for distinguishing description, are not understood to indicate or imply relative importance.
Fig. 1 is the structural block diagram of data forwarding system in the prior art, in all-transparent Proxy Signature Scheme in the prior art, Source address and destination address in data packet is on proxy server, for example, user terminal IP address is CIP, user terminal Port is CPORT, and the IP address of proxy server is VIP, and proxy server port is VPORT, the IP address of destination server For RIP, destination server port is RPORT.The process of user terminal access destination server is as follows:
1, user terminal sends TCP/IP data packet to proxy server, and data packet format is:
CIP:CPORT→VIP:VPORT
2, after proxy server receives user terminal data packet, changing data packet format is
VIP:VPORT→RIP:RPORT is sent to destination server
3, after destination server receives Proxy Data packet, request is returned to, data packet format is:
RIP:RPORT→VIP:VPORT
4, after proxy server receives data packet, user terminal is returned to, data packet format is:
VIP:VPORT→CIP:CPORT
So the destination address for the data packet that proxy server receives is necessary for the IP address of proxy server, it is necessary to be The address for the network interface card that can locally monitor;The source address for the data packet that proxy server is sent out is with being necessary for the IP of proxy server Location, it is also necessary to for the address of the local network interface card that can be monitored.The source address received in proxy server is only proxy server Address, so, destination server can not receive the address and port of user terminal, thus can not be traced to the source user terminal, The operation such as statistics or analysis, in order to avoid the above problem, the embodiment of the invention provides a kind of data forwarding methods.
Defect present in the above scheme in the prior art, is that inventor is obtaining after practicing and carefully studying As a result, therefore, the solution that the discovery procedure of the above problem and hereinafter the embodiment of the present application are proposed regarding to the issue above Scheme all should be the contribution that inventor makes the application during the application.
Referring to figure 2., Fig. 2 is a kind of structural block diagram of data forwarding system provided in an embodiment of the present invention, the data Repeater system includes transmitting terminal, SDN switch, proxy server and receiving end, and the transmitting terminal can be user terminal or mesh Server, the receiving end may be user terminal or destination server, and transmitting terminal and receiving end are opposite both ends, i.e., When transmitting terminal is user terminal, receiving end is purpose server, and when transmitting terminal is purpose server, receiving end is that user is whole End, the communication between transmitting terminal and receiving end are sent by data packet, which is forwarded by SDN switch, Data packet is Attacking Packets in order to prevent, so proxy server can carry out attack detecting to the data packet, in the data packet When not being Attacking Packets, receiving end is just sent data packets to by SDN switch.
SDN switch is the interchanger in SDN network, according to the needs of usage scenario, the exchange of SDN switch Function can use software or hardware realization, wherein the SDN switch of software realization usually with virtualization Hypervisor phase Integration, hard-wired interchanger can then support the networking based on hardware device, additionally it is possible to meet SDN network and traditional network Mixed networking demand.
Its institute with general switch of SDN switch is functional, and special function is to support OpenFlow agreement, SDN switch can be controlled and be managed by SDN controller.It is by being inputted on SDN controller for SDN switch Flow table issues rule to SDN switch, then the data packet Jing Guo SDN switch is just forwarded according to these flow table rules, and passes The interchanger of system is all that oneself determines how to forward after receiving data packet, for example, such as IP address is 172.16.1.88 hair one A data packet is 172.16.1.89 to IP address, after conventional switch receives, is directly viewable oneself internal flow table, looks at IP Address is the receiving end of 172.16.1.89 at which, is then sent, and SDN switch is also first to look for oneself internal first Flow table (but this flow table is that SDN controller issues, and is that oneself is generated unlike general switch), if so, so The forwarding of data packet is just done by flow table, if it is not, sending information to SDN controller, inquires how the SDN controller is located Manage this data packet.
There is the definition of standard and relatively easy in the group Chengdu of forwarding table or routing table in conventional switch or router Format, such as Layer 2 switch forwarding table is exactly the mapping relations of a device port and MAC Address, therefore is very suitable to adopt It is efficiently realized with static specific integrated circuit, and forwarding table used in the forwarding decision in SDN switch may have Extremely complex composed structure, the length of each list item and matching domain wherein included be all by taking OpenFlow as an example, in flow table It is that can customize and revocable format.
And SDN switch can realize the function of drainage, i.e., data packet is directly drained to agency's clothes after receiving data packet Business device carries out attack protection detection, so that the data packet that transmitting terminal is sent to receiving end is the data packet of normal legal, ensure that net The safety of network transmission.
Proxy server is a kind of important server security function, also referred to as network agent, is a kind of special network clothes Business allows a user terminal to carry out indirect company with another network terminal (generally server) by this service It connects.
Referring to figure 3., Fig. 3 shows a kind of structural block diagram of electronic equipment 100 that can be applied in the embodiment of the present application. Electronic equipment 100 may include data forwarding device, memory 101, storage control 102, processor 103, Peripheral Interface 104。
The memory 101, storage control 102, processor 103, each element of Peripheral Interface 104 between each other directly or It is electrically connected indirectly, to realize the transmission or interaction of data.For example, these elements between each other can be logical by one or more It interrogates bus or signal wire is realized and is electrically connected.The data forwarding device includes that at least one can be with software or firmware (firmware) form is stored in the memory 101 or is solidificated in the operating system of the data forwarding device Software function module in (operating system, OS).The processor 103 is used to execute to store in memory 101 Executable module, such as software function module or computer program that the data forwarding device includes.
Wherein, memory 101 may be, but not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read Only Memory, ROM), programmable read only memory (Programmable Read-Only Memory, PROM), erasable read-only memory (Erasable Programmable Read-Only Memory, EPROM), Electricallyerasable ROM (EEROM) (Electric Erasable Programmable Read-Only Memory, EEPROM) etc.. Wherein, memory 101 is for storing program, and the processor 103 executes described program after receiving and executing instruction, aforementioned Method performed by the server that the stream process that any embodiment of the embodiment of the present invention discloses defines can be applied to processor 103 In, or realized by processor 103.
Processor 103 can be a kind of IC chip, the processing capacity with signal.Above-mentioned processor 103 can To be general processor, including central processing unit (Central Processing Unit, abbreviation CPU), network processing unit (Network Processor, abbreviation NP) etc.;Can also be digital signal processor (DSP), specific integrated circuit (ASIC), Ready-made programmable gate array (FPGA) either other programmable logic device, discrete gate or transistor logic, discrete hard Part component.It may be implemented or execute disclosed each method, step and the logic diagram in the embodiment of the present invention.General processor It can be microprocessor or the processor 103 be also possible to any conventional processor etc..
Various input/output devices are couple processor 103 and memory 101 by the Peripheral Interface 104.Some In embodiment, Peripheral Interface 104, processor 103 and storage control 102 can be realized in one single chip.Other one In a little examples, they can be realized by independent chip respectively.
Various input/output devices are couple processor 103 and memory 101 by the Peripheral Interface 104.Some In embodiment, Peripheral Interface 104, processor 103 and storage control 102 can be realized in one single chip.Other one In a little examples, they can be realized by independent chip respectively.
It is appreciated that structure shown in Fig. 3 is only to illustrate, the electronic equipment 100 may also include more than shown in Fig. 3 Perhaps less component or with the configuration different from shown in Fig. 3.Each component shown in Fig. 3 can use hardware, software Or combinations thereof realize.
Referring to figure 4., Fig. 4 is a kind of flow chart of data forwarding method provided in an embodiment of the present invention, and the method is answered For SDN switch, described method includes following steps:
Step S110:SDN switch receives the data packet that transmitting terminal is sent to receiving end.
For the convenience of description, using transmitting terminal as user terminal in the embodiment of the present invention, receiving end be for destination service into Row description.
It include source address and destination in the data packet if user terminal will send a data packet to destination server Location, the source address are the address of the transmitting terminal (such as user terminal), and the destination address is the receiving end (purpose service The address of device).For example, the IP address of the user terminal is 10.1.1.1, MAC Address 02:42:79:9d:01:3d, purpose The IP address of server is 10.1.1.2, MAC Address 02:42:79:9d:01:3c, the then source address for including in data packet are Source IP:And source MAC 10.1.1.1:02:42:79:9d:01:3d, destination address are purpose IP:10.1.1.2, purpose MAC:02: 42:79:9d:01:3c。
Step S120:The data packet is sent to proxy server by the SDN switch, so that the proxy server Judge whether the data packet is Attacking Packets, judges that the data packet is not Attacking Packets in the proxy server When, obtain the data packet that the proxy server is sent.
Step S130:The data packet is sent to the receiving end according to the destination address by the SDN switch, with The receiving end is set to obtain the address of the transmitting terminal from the data packet.
Some forward rules are pre-defined on the SDN server, in order to carry out attack protection detection, control to data packet Device processed can issue forward rule to SDN server, that is, be drained to proxy server progress attack protection inspection after getting data packet It surveys, then proxy server detects whether the data packet is Attacking Packets after receiving the data packet, if the data packet is to attack Data packet is hit, then has been likely to contain attack information in the data packet, proxy server includes in detecting the data packet After attacking information, the data packet is determined for Attacking Packets, if the data packet is Attacking Packets, proxy server sends logical Know information inform the SDN switch data packet be Attacking Packets, be not transmitted to receiving end, then SDN switch can directly by The data packet is abandoned, if the data packet is not Attacking Packets, the data packet after proxy server will test is sent To SDN switch, then the data packet directly can be forwarded to receiving end by SDN switch.
SDN switch will not change the content in data packet when carrying out data forwarding, for example, SDN switch is obtaining When to the data packet sent from transmitting terminal, proxy server is forwarded it to, if transmitting terminal IP is CIP, transmitting terminal port is CPORT, receiving end IP are RIP, and receiving end port is RPORT, and the data packet format that transmitting terminal is sent is CIP:CPORT→RIP: RPORT, indicates the destination address sent from source address, and SDN switch delivers a packet to the data packet lattice of proxy server Formula is:CIP:CPORT→RIP:RPORT, the format that SDN switch sends data packets to receiving end are:CIP:CPORT→ RIP:RPORT, so the source address for the data packet that proxy server receives, source port or destination address, destination port are not On proxy server, the IP for not needing source address or destination address is bundled on local network interface card, really realizes all-transparent agency, The source address for the data packet that receiving end receives is also the address of transmitting terminal, rather than the address of SDN switch, thus convenient to source Address is for statistical analysis.
So in embodiments of the present invention, source address and destination address in data packet be not in proxy server or SDN On interchanger, proxy server or SDN switch do not change any content in data packet and realize between transmitting terminal and receiving end Communication attack traffic is carried out on proxy server by using SDN switch by flow lead to proxy server Cleaning, then by normal discharge be transmitted to that receiving end receiving end receives be true transmitting terminal request, rather than proxy server Request.User terminal and destination server do not need to carry out the formal variation of any network topology, i.e. receiving end can be from number According to the address for being directly obtained transmitting terminal in packet, so as to be counted to transmitting terminal, the operation such as traceability.
In addition, as an implementation, SDN switch can also be achieved the general forwarding capability of data, and some data Packet may not be needed agency service, then can also be made whether that agency service is needed to detect to data, if the data packet needs When carrying out agency service, then transmitting terminal can add corresponding identification information when sending the data packet in the packet, and mark should Data packet needs to carry out agency service, i.e. attack protection detects, and identification information can be Agent Markup, then the SDN switch When receiving the data packet of transmitting terminal transmission, judges whether carry Agent Markup in the data packet, when to be, then hold Row step S120.
As an implementation, if not carrying out relevant configuration to SDN switch in advance, agency's mark will such as be carried The data packet of label is forwarded to proxy server and carries out attack protection detection, then SDN switch carries Agent Markup receiving After data packet, if the SDN switch can not know how to be handled the data packet, one can be sent to SDN controller and ask Ask information, then SDN controller can issue a forward rule to SDN switch according to the inquiry message, and the forward rule is institute It states SDN switch and the data packet for carrying the Agent Markup is sent to the proxy server, i.e., informing SDN switch will The data packet for carrying Agent Markup is sent to proxy server, so pressing after SDN switch receives the forward rule Proxy server is sent data packets to according to the forward rule.
In addition, the safety and precise transmission in order to guarantee data, the SDN switch can also be according to destination addresses according to default The data packet is sent to the receiving end by forward mode, so that the receiving end obtains the transmission from the data packet The address at end.
The data exchange mode of SDN switch determines that it forwards delay caused by the speed of data packet and exchange process (i.e. SDN switch receives the time of data packet in a port and sends the time difference of the data packet in another port).
In practical applications, the forwarding of data packet is both wished to have alap forward delay to promote data transporting Can, and want to verify data in repeating process, to guarantee the reliability of information transmission.
The data exchange mode of SDN switch can also have straight-through, scrappy, store the multiple choices such as forwarding.
Direct mode operation:SDN switch only carries out reception and analysis to the information of preceding 6 bytes of data frame, and by data In the rest part direct shearing to exit port of frame.This is because preceding 6 bytes of data frame contain the purpose of the data frame MAC Address, this has been enough to make forwarding decision for interchanger.Direct mode operation has the smallest forward delay, but it is not Check the integrality of data, it is thus possible to " rascal " that can result in ethernet collision can be forwarded, to generate network Integrity problem.
Scrappy tablet mode:SDN switch is received and is parsed to preceding 64 bytes of data frame first, then is turned Why hair, select the length of 64 bytes, be as experience show that in ethernet networks, most " rascal " can be at this It is detected in the treatment process of a little bytes.This mode is although it is possible to cause minimal amount of " rascal " missing inspection, but it is right The overall performance of network influences less, therefore " fast-forwarding " is otherwise known as in many application scenarios.
Store and forward message mode:SDN switch needs are received and are parsed to the content of entire data frame, and Develop Data The operation such as integrity check of frame, effectively to avoid the occurrence of mistake.
So, in order to guarantee the safe transmission of data, the default forward mode of SDN switch is in the embodiment of the present invention Store and forward message mode, SDN switch, will according to store and forward message mode after receiving the data packet that proxy server sends over Data packet is sent to receiving end, thus under store and forward message mode, after SDN switch can test to the integrality of data packet It retransmits, ensure that the complete and safe of data.
Referring to figure 2., the data forwarding system in Fig. 2 includes transmitting terminal, SDN switch, proxy server and reception End, the transmitting terminal and the SDN switch communicate to connect, and the SDN switch is connect with the proxy server communication, institute It states SDN switch and the receiving end communicates to connect, above-mentioned data forwarding method is applied in the data forwarding system.
The transmitting terminal includes source address and destination in the data packet for sending data packet to the receiving end Location, the source address are the address of the transmitting terminal, and the destination address is the address of the receiving end;
The SDN switch, for receiving the data packet;
The SDN switch is also used to the data packet being sent to proxy server;
The proxy server is sentenced for judging whether the data packet is Attacking Packets in the proxy server When the data packet of breaking is not Attacking Packets, the data packet is sent to the SDN switch;
The SDN switch is also used to obtain the data packet that the proxy server is sent;
The SDN switch is also used to that the data packet is sent to the receiving end according to the destination address, so that The receiving end obtains the address of the transmitting terminal from the data packet.
Referring to figure 5., Fig. 5 is a kind of structural block diagram of data forwarding device 200 provided in an embodiment of the present invention, the device It runs in above-mentioned SDN switch, described device includes:
Packet-receiving module 210, the data packet for being sent to receiving end for receiving transmitting terminal include in the data packet Source address and destination address, the source address are the address of the transmitting terminal, and the destination address is the address of the receiving end;
First forwarding module 220, for the data packet to be sent to proxy server, so that the proxy server is sentenced Whether the data packet of breaking is Attacking Packets, when it is Attacking Packets that the proxy server, which judges the data packet not, Obtain the data packet that the proxy server is sent;
Second forwarding module 230, for the data packet to be sent to the receiving end according to the destination address, so that The receiving end obtains the address of the transmitting terminal from the data packet.
As an implementation, described device further includes:
Agent Markup detection module when to be, is executed for judging whether carry Agent Markup in the data packet Step performed by second forwarding module 230.
As an implementation, described device further includes:
Agent Markup detection module, for judging whether carry Agent Markup in the data packet, when to be, to SDN controller sends inquiry message;
Forward rule receiving module, for receiving the forwarding sent from the SDN controller according to the inquiry message The data packet for carrying the Agent Markup is sent to the agency for the SDN switch and taken by rule, the forward rule Business device;
First forwarding module 220, specifically for the data packet is sent to agency's clothes according to the forward rule Business device obtains the proxy server so that the proxy server judges whether the data packet is Attacking Packets detection The data packet sent when to judge the data packet not be Attacking Packets.
As an implementation, second forwarding module 230 is specifically used for according to destination address according to default forwarding The data packet is sent to the receiving end by mode, so that the receiving end obtains the transmitting terminal from the data packet Address.
Fig. 6 is please referred to, Fig. 6 is a kind of structural block diagram of SDN switch provided in an embodiment of the present invention, the SDN switch May include:At least one processor 410, such as CPU, at least one communication interface 420, at least one processor 430 and extremely A few communication bus 440.Wherein, communication bus 440 is for realizing the direct connection communication of these components.Wherein, of the invention The communication interface 420 of equipment is used to carry out the communication of signaling or data with other node devices in embodiment.Memory 430 can be with It is high speed RAM memory, is also possible to non-labile memory (non-volatile memory), for example, at least a magnetic Disk storage.Memory 430 optionally can also be that at least one is located remotely from the storage device of aforementioned processor.Memory It is stored with computer-readable instruction fetch in 430, and has computer-readable instruction fetch luck in the execution memory 430 of processor 410 Step in the above-mentioned data forwarding method of row.
It is apparent to those skilled in the art that for convenience and simplicity of description, the device of foregoing description Or the specific work process of system, it no longer can excessively be repeated herein with reference to the corresponding process in preceding method.
In conclusion the embodiment of the present invention provides a kind of data forwarding method, system, device and SDN switch, this method Transmitting terminal is received by SDN switch and is sent to the data packet of receiving end, includes source address and destination address in the data packet, The source address is the address of the transmitting terminal, and the destination address is the address of the receiving end, then the SDN switch The data packet is sent to proxy server, so that the proxy server judges whether the data packet is attack data Packet obtains the number that the proxy server is sent when it is Attacking Packets that the proxy server, which judges the data packet not, According to packet, then the data packet is sent to the receiving end according to the destination address by the SDN switch, so that described connect Receiving end obtains the address of the transmitting terminal from the data packet, and SDN switch need not change when carrying out data packet forwarding as a result, Become the content in data packet, receiving end can obtain the address information of transmitting terminal from received data packet, so as to transmitting terminal It the operation such as traced, counted or is analyzed, improve the reliability traced to data packet.
In several embodiments provided herein, it should be understood that disclosed device and method can also pass through Other modes are realized.The apparatus embodiments described above are merely exemplary, for example, flow chart and block diagram in attached drawing Show the device of multiple embodiments according to the present invention, the architectural framework in the cards of method and computer program product, Function and operation.In this regard, each box in flowchart or block diagram can represent the one of a module, section or code Part, a part of the module, section or code, which includes that one or more is for implementing the specified logical function, to be held Row instruction.It should also be noted that function marked in the box can also be to be different from some implementations as replacement The sequence marked in attached drawing occurs.For example, two continuous boxes can actually be basically executed in parallel, they are sometimes It can execute in the opposite order, this depends on the function involved.It is also noted that every in block diagram and or flow chart The combination of box in a box and block diagram and or flow chart can use the dedicated base for executing defined function or movement It realizes, or can realize using a combination of dedicated hardware and computer instructions in the system of hardware.
In addition, each functional module in each embodiment of the present invention can integrate one independent portion of formation together Point, it is also possible to modules individualism, an independent part can also be integrated to form with two or more modules.
It, can be with if the function is realized and when sold or used as an independent product in the form of software function module It is stored in a computer readable storage medium.Based on this understanding, technical solution of the present invention is substantially in other words The part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products, the meter Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a People's computer, server or network equipment etc.) it performs all or part of the steps of the method described in the various embodiments of the present invention. And storage medium above-mentioned includes:USB flash disk, mobile hard disk, read-only memory (ROM, Read-OnlyMemory), arbitrary access are deposited The various media that can store program code such as reservoir (RAM, Random Access Memory), magnetic or disk.
The foregoing is only a preferred embodiment of the present invention, is not intended to restrict the invention, for the skill of this field For art personnel, the invention may be variously modified and varied.All within the spirits and principles of the present invention, made any to repair Change, equivalent replacement, improvement etc., should all be included in the protection scope of the present invention.It should be noted that:Similar label and letter exist Similar terms are indicated in following attached drawing, therefore, once being defined in a certain Xiang Yi attached drawing, are then not required in subsequent attached drawing It is further defined and explained.
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any Those familiar with the art in the technical scope disclosed by the present invention, can easily think of the change or the replacement, and should all contain Lid is within protection scope of the present invention.Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that There is also other identical elements in process, method, article or equipment including the element.

Claims (10)

1. a kind of data forwarding method, which is characterized in that the method includes:
SDN switch receives transmitting terminal and is sent to the data packet of receiving end, includes source address and destination address in the data packet, The source address is the address of the transmitting terminal, and the destination address is the address of the receiving end;
The data packet is sent to proxy server by the SDN switch, so that the proxy server judges the data Whether packet is Attacking Packets, when it is Attacking Packets that the proxy server, which judges the data packet not, obtains the generation Manage the data packet that server is sent;
The data packet is sent to the receiving end according to the destination address by the SDN switch, so that the receiving end The address of the transmitting terminal is obtained from the data packet.
2. the method according to claim 1, wherein the SDN switch, which obtains transmitting terminal, is sent to receiving end Data packet after, the data packet is sent to proxy server by the SDN switch so that the proxy server judge Whether the data packet is Attacking Packets detection, obtains the proxy server and judges that the data packet is not Attacking Packets When the data packet that sends before, the method also includes:
The SDN switch judges whether carry Agent Markup in the data packet;
When to be, then follow the steps:The data packet is sent to proxy server by the SDN switch, so that the generation Reason server judges whether the data packet is Attacking Packets detection, obtains the proxy server and judges the data packet not The data packet sent when being Attacking Packets.
3. the method according to claim 1, wherein the SDN switch, which obtains transmitting terminal, is sent to receiving end Data packet after, the data packet is sent to proxy server by the SDN switch so that the proxy server judge Whether the data packet is Attacking Packets detection, obtains the proxy server and judges that the data packet is not Attacking Packets When the data packet that sends before, the method also includes:
The SDN switch judges whether carry Agent Markup in the data packet;
When to be, the SDN switch sends inquiry message to SDN controller;
The SDN switch receives the forward rule sent from the SDN controller according to the inquiry message, the forwarding The data packet for carrying the Agent Markup is sent to the proxy server for the SDN switch by rule;
The data packet is sent to proxy server according to the forward rule by the SDN switch, so that the agency takes Business device judges whether the data packet is Attacking Packets detection, obtains the proxy server and judges that the data packet is not attacked The data packet sent when hitting data packet.
4. the method according to claim 1, wherein the SDN switch will be described according to the destination address Data packet is sent to the receiving end, so that the receiving end obtains the address of the transmitting terminal from the data packet, including:
The data packet is sent to the receiving end according to default forward mode according to destination address by the SDN switch, with The receiving end is set to obtain the address of the transmitting terminal from the data packet.
5. a kind of data forwarding system, which is characterized in that the data forwarding system includes transmitting terminal, SDN switch, agency's clothes Business device and receiving end, the transmitting terminal and the SDN switch communicate to connect, the SDN switch and the agency service Device communication connection, the SDN switch and the receiving end communicate to connect;
The transmitting terminal includes source address and destination address, institute in the data packet for sending data packet to the receiving end The address that source address is the transmitting terminal is stated, the destination address is the address of the receiving end;
The SDN switch, for receiving the data packet;
The SDN switch is also used to the data packet being sent to proxy server;
The proxy server judges institute in the proxy server for judging whether the data packet is Attacking Packets When to state data packet not be Attacking Packets, the data packet is sent to the SDN switch;
The SDN switch is also used to obtain the data packet that the proxy server is sent;
The SDN switch is also used to that the data packet is sent to the receiving end according to the destination address, so that described Receiving end obtains the address of the transmitting terminal from the data packet.
6. a kind of data forwarding device, which is characterized in that run on SDN switch, described device includes:
Packet-receiving module, the data packet for being sent to receiving end for receiving transmitting terminal include source address in the data packet And destination address, the source address are the address of the transmitting terminal, the destination address is the address of the receiving end;
First forwarding module, for the data packet to be sent to proxy server, so that described in proxy server judgement Whether data packet is Attacking Packets, when it is Attacking Packets that the proxy server, which judges the data packet not, obtains institute State the data packet of proxy server transmission;
Second forwarding module, for the data packet to be sent to the receiving end according to the destination address, so that described connect Receiving end obtains the address of the transmitting terminal from the data packet.
7. device according to claim 6, which is characterized in that described device further includes:
Agent Markup detection module, for judging whether carry Agent Markup in the data packet, when to be, described in execution Step performed by second forwarding module.
8. device according to claim 6, which is characterized in that described device further includes:
Agent Markup detection module when to be, is controlled for judging whether carry Agent Markup in the data packet to SDN Device processed sends inquiry message;
Forward rule receiving module, for receiving the forward rule sent from the SDN controller according to the inquiry message, The data packet for carrying the Agent Markup is sent to the proxy server for the SDN switch by the forward rule;
First forwarding module, specifically for the data packet is sent to proxy server according to the forward rule, with So that the proxy server is judged whether the data packet is Attacking Packets detection, obtains described in the proxy server judgement The data packet that data packet is sent when not being Attacking Packets.
9. device according to claim 6, which is characterized in that second forwarding module is specifically used for according to destination The data packet is sent to the receiving end according to default forward mode by location, so that the receiving end is obtained from the data packet Take the address of the transmitting terminal.
10. a kind of SDN switch, which is characterized in that including processor and memory, the memory is stored with computer can Instruction is read, when the computer-readable instruction fetch is executed by the processor, is run as described in claim any one of 1-4 Step in method.
CN201810659380.8A 2018-06-22 2018-06-22 Data forwarding method, system, device and SDN switch Pending CN108833282A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810659380.8A CN108833282A (en) 2018-06-22 2018-06-22 Data forwarding method, system, device and SDN switch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810659380.8A CN108833282A (en) 2018-06-22 2018-06-22 Data forwarding method, system, device and SDN switch

Publications (1)

Publication Number Publication Date
CN108833282A true CN108833282A (en) 2018-11-16

Family

ID=64138149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810659380.8A Pending CN108833282A (en) 2018-06-22 2018-06-22 Data forwarding method, system, device and SDN switch

Country Status (1)

Country Link
CN (1) CN108833282A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110099115A (en) * 2019-04-30 2019-08-06 湖南麒麟信安科技有限公司 A kind of load-balancing method and system of transparent scheduling forwarding
CN113225376A (en) * 2021-03-29 2021-08-06 桂林电子科技大学 Ethernet frame and SDN data frame adapting method based on FPGA

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616129A (en) * 2008-06-27 2009-12-30 成都市华为赛门铁克科技有限公司 The methods, devices and systems of anti-network attack flow overload protection
US20140328350A1 (en) * 2013-05-03 2014-11-06 Alcatel-Lucent Usa, Inc. Low-cost flow matching in software defined networks without tcams
CN105490945A (en) * 2014-09-15 2016-04-13 上海贝尔股份有限公司 Method and device for controlling data transmission in control plane
CN106685923A (en) * 2016-11-25 2017-05-17 合肥海亚信息科技有限公司 Linux network firewall-based design system
CN107135166A (en) * 2017-04-07 2017-09-05 上海斐讯数据通信技术有限公司 A kind of flow management system and method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616129A (en) * 2008-06-27 2009-12-30 成都市华为赛门铁克科技有限公司 The methods, devices and systems of anti-network attack flow overload protection
US20140328350A1 (en) * 2013-05-03 2014-11-06 Alcatel-Lucent Usa, Inc. Low-cost flow matching in software defined networks without tcams
CN105490945A (en) * 2014-09-15 2016-04-13 上海贝尔股份有限公司 Method and device for controlling data transmission in control plane
CN106685923A (en) * 2016-11-25 2017-05-17 合肥海亚信息科技有限公司 Linux network firewall-based design system
CN107135166A (en) * 2017-04-07 2017-09-05 上海斐讯数据通信技术有限公司 A kind of flow management system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭振建: "《SDN技术及应用》", 30 September 2017, 西安电子科技大学出版社 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110099115A (en) * 2019-04-30 2019-08-06 湖南麒麟信安科技有限公司 A kind of load-balancing method and system of transparent scheduling forwarding
CN110099115B (en) * 2019-04-30 2022-02-22 湖南麒麟信安科技股份有限公司 Load balancing method and system for transparent scheduling forwarding
CN113225376A (en) * 2021-03-29 2021-08-06 桂林电子科技大学 Ethernet frame and SDN data frame adapting method based on FPGA

Similar Documents

Publication Publication Date Title
WO2022017249A1 (en) Programmable switch, traffic statistics method, defense method, and packet processing method
CN105745870B (en) Extend operation from for detecting the serial multistage filter flowed greatly removal nose filter to remove stream to realize
CN109787859B (en) Intelligent speed limiting method and device based on network congestion detection and storage medium
CN108702326A (en) Inspection software defines network(SDN)In control plane cycle mechanism
CN108259425A (en) The determining method, apparatus and server of query-attack
CN105474602A (en) Method, device and equipment of identifying attack flow in software defined network
US7701934B2 (en) System and method for managing devices within a private network via a public network
US10623278B2 (en) Reactive mechanism for in-situ operation, administration, and maintenance traffic
CN109240796A (en) Virtual machine information acquisition methods and device
US20160057043A1 (en) Diagnostic routing system and method for a link access group
CN111064668B (en) Method and device for generating routing table entry and related equipment
CN102325079B (en) Message transmission method and egress router
US11108812B1 (en) Data plane with connection validation circuits
CN108833282A (en) Data forwarding method, system, device and SDN switch
CN107690004A (en) The processing method and processing device of address analysis protocol message
CN106878106A (en) A kind of accessible detecting method and device
CN109327558A (en) Address management method and device
US20130305090A1 (en) Test configuration resource manager
CN110855566B (en) Method and device for dragging upstream flow
CN112532468B (en) Network measurement system, method, device and storage medium
CN107634971A (en) A kind of method and device for detecting flood attack
CN115514683B (en) Packet loss reason determining method, device, exchange chip and storage medium
CN108460044A (en) The treating method and apparatus of data
CN110198315A (en) A kind of method and device of Message processing
CN113890858B (en) PMTU detection method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20181116